From 521f9f18b34f61e23c0a6b500c82476d62d0e39b Mon Sep 17 00:00:00 2001
From: Hasan Turken <turkenh@gmail.com>
Date: Thu, 13 Apr 2023 14:19:03 +0300
Subject: [PATCH 1/5] Bump crossplane runtime and tools to the latest

Signed-off-by: Hasan Turken <turkenh@gmail.com>
---
 .../v1beta1/zz_generated.managed.go           |  20 +
 apis/account/v1beta1/zz_generated.managed.go  |  10 +
 apis/acm/v1beta1/zz_generated.managed.go      |  20 +
 apis/acmpca/v1beta1/zz_generated.managed.go   |  50 +
 apis/amp/v1beta1/zz_generated.managed.go      |  30 +
 apis/amplify/v1beta1/zz_generated.managed.go  |  40 +
 .../v1beta1/zz_generated.managed.go           | 240 +++++
 .../v1beta1/zz_generated.managed.go           | 120 +++
 .../v1beta1/zz_generated.managed.go           |  30 +
 .../appconfig/v1beta1/zz_generated.managed.go |  80 ++
 apis/appflow/v1beta1/zz_generated.managed.go  |  10 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 apis/appmesh/v1beta1/zz_generated.managed.go  |  70 ++
 .../apprunner/v1beta1/zz_generated.managed.go |  50 +
 .../appstream/v1beta1/zz_generated.managed.go |  70 ++
 apis/appsync/v1beta1/zz_generated.managed.go  |  60 ++
 apis/athena/v1beta1/zz_generated.managed.go   |  40 +
 .../v1beta1/zz_generated.managed.go           |  80 ++
 .../v1beta1/zz_generated.managed.go           |  10 +
 apis/backup/v1beta1/zz_generated.managed.go   | 100 ++
 apis/batch/v1beta1/zz_generated.managed.go    |  10 +
 apis/budgets/v1beta1/zz_generated.managed.go  |  20 +
 apis/ce/v1beta1/zz_generated.managed.go       |  10 +
 apis/chime/v1beta1/zz_generated.managed.go    |  70 ++
 apis/cloud9/v1beta1/zz_generated.managed.go   |  20 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../v1beta1/zz_generated.managed.go           | 130 +++
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../v1beta1/zz_generated.managed.go           |  40 +
 .../v1beta1/zz_generated.managed.go           |  80 ++
 .../v1beta1/zz_generated.managed.go           |  80 ++
 .../v1beta1/zz_generated.managed.go           |  40 +
 .../v1beta1/zz_generated.managed.go           |  30 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../v1beta1/zz_generated.managed.go           |  30 +
 .../v1beta1/zz_generated.managed.go           | 100 ++
 .../v1beta1/zz_generated.managed.go           |  70 ++
 apis/connect/v1beta1/zz_generated.managed.go  | 150 +++
 apis/cur/v1beta1/zz_generated.managed.go      |  10 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 apis/dax/v1beta1/zz_generated.managed.go      |  30 +
 apis/deploy/v1beta1/zz_generated.managed.go   |  30 +
 .../detective/v1beta1/zz_generated.managed.go |  30 +
 .../v1beta1/zz_generated.managed.go           |  60 ++
 .../v1beta1/zz_generated.managed.go           | 160 +++
 apis/dlm/v1beta1/zz_generated.managed.go      |  10 +
 apis/dms/v1beta1/zz_generated.managed.go      |  70 ++
 apis/docdb/v1beta1/zz_generated.managed.go    |  70 ++
 apis/ds/v1beta1/zz_generated.managed.go       |  30 +
 apis/dynamodb/v1beta1/zz_generated.managed.go |  70 ++
 apis/ec2/v1beta1/zz_generated.managed.go      | 980 ++++++++++++++++++
 apis/ecr/v1beta1/zz_generated.managed.go      |  70 ++
 .../ecrpublic/v1beta1/zz_generated.managed.go |  20 +
 apis/ecs/v1beta1/zz_generated.managed.go      |  60 ++
 apis/efs/v1beta1/zz_generated.managed.go      |  60 ++
 apis/eks/v1beta1/zz_generated.managed.go      |  60 ++
 .../v1beta1/zz_generated.managed.go           |  60 ++
 .../v1beta1/zz_generated.managed.go           |  30 +
 .../v1beta1/zz_generated.managed.go           |  30 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 apis/elb/v1beta1/zz_generated.managed.go      |  90 ++
 apis/elbv2/v1beta1/zz_generated.managed.go    |  50 +
 apis/emr/v1beta1/zz_generated.managed.go      |  10 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../evidently/v1beta1/zz_generated.managed.go |  30 +
 apis/firehose/v1beta1/zz_generated.managed.go |  10 +
 apis/fis/v1beta1/zz_generated.managed.go      |  10 +
 apis/fsx/v1beta1/zz_generated.managed.go      |  60 ++
 apis/gamelift/v1beta1/zz_generated.managed.go |  50 +
 apis/glacier/v1beta1/zz_generated.managed.go  |  20 +
 .../v1beta1/zz_generated.managed.go           |  30 +
 apis/glue/v1beta1/zz_generated.managed.go     | 140 +++
 apis/grafana/v1beta1/zz_generated.managed.go  |  50 +
 .../guardduty/v1beta1/zz_generated.managed.go |  30 +
 apis/iam/v1beta1/zz_generated.managed.go      | 220 ++++
 .../v1beta1/zz_generated.managed.go           |  70 ++
 .../inspector/v1beta1/zz_generated.managed.go |  30 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 apis/iot/v1beta1/zz_generated.managed.go      | 130 +++
 apis/ivs/v1beta1/zz_generated.managed.go      |  20 +
 apis/kafka/v1beta1/zz_generated.managed.go    |  20 +
 apis/kendra/v1beta1/zz_generated.managed.go   |  50 +
 .../keyspaces/v1beta1/zz_generated.managed.go |  20 +
 apis/kinesis/v1beta1/zz_generated.managed.go  |  20 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 apis/kms/v1beta1/zz_generated.managed.go      |  70 ++
 .../v1beta1/zz_generated.managed.go           |  30 +
 apis/lambda/v1beta1/zz_generated.managed.go   | 110 ++
 .../lexmodels/v1beta1/zz_generated.managed.go |  40 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../lightsail/v1beta1/zz_generated.managed.go | 160 +++
 apis/location/v1beta1/zz_generated.managed.go |  50 +
 apis/macie2/v1beta1/zz_generated.managed.go   |  60 ++
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../medialive/v1beta1/zz_generated.managed.go |  40 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 apis/memorydb/v1beta1/zz_generated.managed.go |  50 +
 apis/mq/v1beta1/zz_generated.managed.go       |  20 +
 apis/neptune/v1beta1/zz_generated.managed.go  |  90 ++
 .../v1beta1/zz_generated.managed.go           |  40 +
 .../v1beta1/zz_generated.managed.go           | 130 +++
 .../v1beta1/zz_generated.managed.go           |  30 +
 apis/opsworks/v1beta1/zz_generated.managed.go | 170 +++
 .../v1beta1/zz_generated.managed.go           |  60 ++
 apis/pinpoint/v1beta1/zz_generated.managed.go |  20 +
 apis/qldb/v1beta1/zz_generated.managed.go     |  20 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 apis/ram/v1beta1/zz_generated.managed.go      |  20 +
 apis/rds/v1beta1/zz_generated.managed.go      | 220 ++++
 apis/redshift/v1beta1/zz_generated.managed.go | 120 +++
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 apis/route53/v1beta1/zz_generated.managed.go  |  90 ++
 .../v1beta1/zz_generated.managed.go           |  40 +
 .../v1beta1/zz_generated.managed.go           |  40 +
 .../v1beta1/zz_generated.managed.go           |  30 +
 apis/rum/v1beta1/zz_generated.managed.go      |  20 +
 apis/s3/v1beta1/zz_generated.managed.go       | 230 ++++
 .../s3control/v1beta1/zz_generated.managed.go |  80 ++
 .../sagemaker/v1beta1/zz_generated.managed.go | 210 ++++
 .../scheduler/v1beta1/zz_generated.managed.go |  20 +
 apis/schemas/v1beta1/zz_generated.managed.go  |  30 +
 .../v1beta1/zz_generated.managed.go           |  40 +
 .../v1beta1/zz_generated.managed.go           |  80 ++
 .../v1beta1/zz_generated.managed.go           |  10 +
 .../v1beta1/zz_generated.managed.go           | 110 ++
 .../v1beta1/zz_generated.managed.go           |  40 +
 .../v1beta1/zz_generated.managed.go           |  10 +
 apis/ses/v1beta1/zz_generated.managed.go      | 130 +++
 apis/sesv2/v1beta1/zz_generated.managed.go    |  60 ++
 apis/sfn/v1beta1/zz_generated.managed.go      |  20 +
 apis/signer/v1beta1/zz_generated.managed.go   |  30 +
 apis/simpledb/v1beta1/zz_generated.managed.go |  10 +
 apis/sns/v1beta1/zz_generated.managed.go      |  50 +
 apis/sqs/v1beta1/zz_generated.managed.go      |  40 +
 apis/ssm/v1beta1/zz_generated.managed.go      | 120 +++
 apis/ssoadmin/v1beta1/zz_generated.managed.go |  40 +
 apis/swf/v1beta1/zz_generated.managed.go      |  10 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 .../v1beta1/zz_generated.managed.go           |  30 +
 apis/transfer/v1beta1/zz_generated.managed.go |  50 +
 apis/vpc/v1beta1/zz_generated.managed.go      |  10 +
 apis/waf/v1beta1/zz_generated.managed.go      | 110 ++
 .../v1beta1/zz_generated.managed.go           | 110 ++
 apis/wafv2/v1beta1/zz_generated.managed.go    |  20 +
 .../v1beta1/zz_generated.managed.go           |  20 +
 apis/xray/v1beta1/zz_generated.managed.go     |  30 +
 go.mod                                        |  26 +-
 go.sum                                        |  56 +-
 157 files changed, 9019 insertions(+), 43 deletions(-)

diff --git a/apis/accessanalyzer/v1beta1/zz_generated.managed.go b/apis/accessanalyzer/v1beta1/zz_generated.managed.go
index 1e443b8eaa..5d8c449679 100644
--- a/apis/accessanalyzer/v1beta1/zz_generated.managed.go
+++ b/apis/accessanalyzer/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Analyzer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Analyzer.
+func (mg *Analyzer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Analyzer.
 func (mg *Analyzer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Analyzer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Analyzer.
+func (mg *Analyzer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Analyzer.
 func (mg *Analyzer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ArchiveRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ArchiveRule.
+func (mg *ArchiveRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ArchiveRule.
 func (mg *ArchiveRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ArchiveRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ArchiveRule.
+func (mg *ArchiveRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ArchiveRule.
 func (mg *ArchiveRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/account/v1beta1/zz_generated.managed.go b/apis/account/v1beta1/zz_generated.managed.go
index 6404421a9e..d9e74a1f99 100644
--- a/apis/account/v1beta1/zz_generated.managed.go
+++ b/apis/account/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AlternateContact) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AlternateContact.
+func (mg *AlternateContact) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AlternateContact.
 func (mg *AlternateContact) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AlternateContact) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AlternateContact.
+func (mg *AlternateContact) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AlternateContact.
 func (mg *AlternateContact) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/acm/v1beta1/zz_generated.managed.go b/apis/acm/v1beta1/zz_generated.managed.go
index 70dbdd0989..a24762108a 100644
--- a/apis/acm/v1beta1/zz_generated.managed.go
+++ b/apis/acm/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Certificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Certificate.
+func (mg *Certificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Certificate.
 func (mg *Certificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Certificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Certificate.
+func (mg *Certificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Certificate.
 func (mg *Certificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *CertificateValidation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CertificateValidation.
+func (mg *CertificateValidation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CertificateValidation.
 func (mg *CertificateValidation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *CertificateValidation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CertificateValidation.
+func (mg *CertificateValidation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CertificateValidation.
 func (mg *CertificateValidation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/acmpca/v1beta1/zz_generated.managed.go b/apis/acmpca/v1beta1/zz_generated.managed.go
index 9aff5b4188..6a673be868 100644
--- a/apis/acmpca/v1beta1/zz_generated.managed.go
+++ b/apis/acmpca/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Certificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Certificate.
+func (mg *Certificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Certificate.
 func (mg *Certificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Certificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Certificate.
+func (mg *Certificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Certificate.
 func (mg *Certificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *CertificateAuthority) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CertificateAuthority.
+func (mg *CertificateAuthority) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CertificateAuthority.
 func (mg *CertificateAuthority) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *CertificateAuthority) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CertificateAuthority.
+func (mg *CertificateAuthority) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CertificateAuthority.
 func (mg *CertificateAuthority) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *CertificateAuthorityCertificate) GetDeletionPolicy() xpv1.DeletionPoli
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CertificateAuthorityCertificate.
+func (mg *CertificateAuthorityCertificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CertificateAuthorityCertificate.
 func (mg *CertificateAuthorityCertificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *CertificateAuthorityCertificate) SetDeletionPolicy(r xpv1.DeletionPoli
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CertificateAuthorityCertificate.
+func (mg *CertificateAuthorityCertificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CertificateAuthorityCertificate.
 func (mg *CertificateAuthorityCertificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Permission) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Permission.
+func (mg *Permission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Permission.
 func (mg *Permission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Permission) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Permission.
+func (mg *Permission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Permission.
 func (mg *Permission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Policy.
+func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Policy.
 func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Policy.
+func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Policy.
 func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/amp/v1beta1/zz_generated.managed.go b/apis/amp/v1beta1/zz_generated.managed.go
index 9373e1c687..9c203519fe 100644
--- a/apis/amp/v1beta1/zz_generated.managed.go
+++ b/apis/amp/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AlertManagerDefinition) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AlertManagerDefinition.
+func (mg *AlertManagerDefinition) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AlertManagerDefinition.
 func (mg *AlertManagerDefinition) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AlertManagerDefinition) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AlertManagerDefinition.
+func (mg *AlertManagerDefinition) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AlertManagerDefinition.
 func (mg *AlertManagerDefinition) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *RuleGroupNamespace) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RuleGroupNamespace.
+func (mg *RuleGroupNamespace) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RuleGroupNamespace.
 func (mg *RuleGroupNamespace) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *RuleGroupNamespace) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RuleGroupNamespace.
+func (mg *RuleGroupNamespace) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RuleGroupNamespace.
 func (mg *RuleGroupNamespace) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Workspace) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Workspace.
+func (mg *Workspace) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Workspace.
 func (mg *Workspace) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Workspace) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Workspace.
+func (mg *Workspace) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Workspace.
 func (mg *Workspace) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/amplify/v1beta1/zz_generated.managed.go b/apis/amplify/v1beta1/zz_generated.managed.go
index 88079909fa..d91c51c5ab 100644
--- a/apis/amplify/v1beta1/zz_generated.managed.go
+++ b/apis/amplify/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *App) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this App.
+func (mg *App) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this App.
 func (mg *App) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *App) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this App.
+func (mg *App) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this App.
 func (mg *App) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *BackendEnvironment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BackendEnvironment.
+func (mg *BackendEnvironment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BackendEnvironment.
 func (mg *BackendEnvironment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *BackendEnvironment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BackendEnvironment.
+func (mg *BackendEnvironment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BackendEnvironment.
 func (mg *BackendEnvironment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Branch) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Branch.
+func (mg *Branch) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Branch.
 func (mg *Branch) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Branch) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Branch.
+func (mg *Branch) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Branch.
 func (mg *Branch) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Webhook) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Webhook.
+func (mg *Webhook) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Webhook.
 func (mg *Webhook) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Webhook) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Webhook.
+func (mg *Webhook) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Webhook.
 func (mg *Webhook) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/apigateway/v1beta1/zz_generated.managed.go b/apis/apigateway/v1beta1/zz_generated.managed.go
index b7a42ae0d7..0726942c17 100644
--- a/apis/apigateway/v1beta1/zz_generated.managed.go
+++ b/apis/apigateway/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *APIKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this APIKey.
+func (mg *APIKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this APIKey.
 func (mg *APIKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *APIKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this APIKey.
+func (mg *APIKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this APIKey.
 func (mg *APIKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Account) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Account.
+func (mg *Account) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Account.
 func (mg *Account) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Account) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Account.
+func (mg *Account) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Account.
 func (mg *Account) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Authorizer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Authorizer.
+func (mg *Authorizer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Authorizer.
 func (mg *Authorizer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Authorizer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Authorizer.
+func (mg *Authorizer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Authorizer.
 func (mg *Authorizer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *BasePathMapping) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BasePathMapping.
+func (mg *BasePathMapping) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BasePathMapping.
 func (mg *BasePathMapping) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *BasePathMapping) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BasePathMapping.
+func (mg *BasePathMapping) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BasePathMapping.
 func (mg *BasePathMapping) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ClientCertificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClientCertificate.
+func (mg *ClientCertificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClientCertificate.
 func (mg *ClientCertificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ClientCertificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClientCertificate.
+func (mg *ClientCertificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClientCertificate.
 func (mg *ClientCertificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Deployment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Deployment.
+func (mg *Deployment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Deployment.
 func (mg *Deployment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Deployment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Deployment.
+func (mg *Deployment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Deployment.
 func (mg *Deployment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *DocumentationPart) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DocumentationPart.
+func (mg *DocumentationPart) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DocumentationPart.
 func (mg *DocumentationPart) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *DocumentationPart) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DocumentationPart.
+func (mg *DocumentationPart) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DocumentationPart.
 func (mg *DocumentationPart) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *DocumentationVersion) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DocumentationVersion.
+func (mg *DocumentationVersion) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DocumentationVersion.
 func (mg *DocumentationVersion) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *DocumentationVersion) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DocumentationVersion.
+func (mg *DocumentationVersion) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DocumentationVersion.
 func (mg *DocumentationVersion) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *DomainName) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainName.
+func (mg *DomainName) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainName.
 func (mg *DomainName) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *DomainName) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainName.
+func (mg *DomainName) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainName.
 func (mg *DomainName) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *GatewayResponse) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GatewayResponse.
+func (mg *GatewayResponse) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GatewayResponse.
 func (mg *GatewayResponse) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *GatewayResponse) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GatewayResponse.
+func (mg *GatewayResponse) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GatewayResponse.
 func (mg *GatewayResponse) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *Integration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Integration.
+func (mg *Integration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Integration.
 func (mg *Integration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *Integration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Integration.
+func (mg *Integration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Integration.
 func (mg *Integration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *IntegrationResponse) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IntegrationResponse.
+func (mg *IntegrationResponse) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IntegrationResponse.
 func (mg *IntegrationResponse) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *IntegrationResponse) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IntegrationResponse.
+func (mg *IntegrationResponse) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IntegrationResponse.
 func (mg *IntegrationResponse) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *Method) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Method.
+func (mg *Method) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Method.
 func (mg *Method) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *Method) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Method.
+func (mg *Method) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Method.
 func (mg *Method) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *MethodResponse) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MethodResponse.
+func (mg *MethodResponse) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MethodResponse.
 func (mg *MethodResponse) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *MethodResponse) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MethodResponse.
+func (mg *MethodResponse) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MethodResponse.
 func (mg *MethodResponse) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *MethodSettings) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MethodSettings.
+func (mg *MethodSettings) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MethodSettings.
 func (mg *MethodSettings) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *MethodSettings) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MethodSettings.
+func (mg *MethodSettings) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MethodSettings.
 func (mg *MethodSettings) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *Model) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Model.
+func (mg *Model) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Model.
 func (mg *Model) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *Model) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Model.
+func (mg *Model) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Model.
 func (mg *Model) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1073,6 +1233,11 @@ func (mg *RequestValidator) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RequestValidator.
+func (mg *RequestValidator) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RequestValidator.
 func (mg *RequestValidator) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1106,6 +1271,11 @@ func (mg *RequestValidator) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RequestValidator.
+func (mg *RequestValidator) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RequestValidator.
 func (mg *RequestValidator) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1139,6 +1309,11 @@ func (mg *Resource) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Resource.
+func (mg *Resource) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Resource.
 func (mg *Resource) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1172,6 +1347,11 @@ func (mg *Resource) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Resource.
+func (mg *Resource) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Resource.
 func (mg *Resource) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1205,6 +1385,11 @@ func (mg *RestAPI) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RestAPI.
+func (mg *RestAPI) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RestAPI.
 func (mg *RestAPI) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1238,6 +1423,11 @@ func (mg *RestAPI) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RestAPI.
+func (mg *RestAPI) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RestAPI.
 func (mg *RestAPI) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1271,6 +1461,11 @@ func (mg *RestAPIPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RestAPIPolicy.
+func (mg *RestAPIPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RestAPIPolicy.
 func (mg *RestAPIPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1304,6 +1499,11 @@ func (mg *RestAPIPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RestAPIPolicy.
+func (mg *RestAPIPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RestAPIPolicy.
 func (mg *RestAPIPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1337,6 +1537,11 @@ func (mg *Stage) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stage.
+func (mg *Stage) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stage.
 func (mg *Stage) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1370,6 +1575,11 @@ func (mg *Stage) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stage.
+func (mg *Stage) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stage.
 func (mg *Stage) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1403,6 +1613,11 @@ func (mg *UsagePlan) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UsagePlan.
+func (mg *UsagePlan) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UsagePlan.
 func (mg *UsagePlan) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1436,6 +1651,11 @@ func (mg *UsagePlan) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UsagePlan.
+func (mg *UsagePlan) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UsagePlan.
 func (mg *UsagePlan) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1469,6 +1689,11 @@ func (mg *UsagePlanKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UsagePlanKey.
+func (mg *UsagePlanKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UsagePlanKey.
 func (mg *UsagePlanKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1502,6 +1727,11 @@ func (mg *UsagePlanKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UsagePlanKey.
+func (mg *UsagePlanKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UsagePlanKey.
 func (mg *UsagePlanKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1535,6 +1765,11 @@ func (mg *VPCLink) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCLink.
+func (mg *VPCLink) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCLink.
 func (mg *VPCLink) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1568,6 +1803,11 @@ func (mg *VPCLink) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCLink.
+func (mg *VPCLink) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCLink.
 func (mg *VPCLink) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/apigatewayv2/v1beta1/zz_generated.managed.go b/apis/apigatewayv2/v1beta1/zz_generated.managed.go
index e686b3c6e5..d7d42ed022 100644
--- a/apis/apigatewayv2/v1beta1/zz_generated.managed.go
+++ b/apis/apigatewayv2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *API) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this API.
+func (mg *API) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this API.
 func (mg *API) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *API) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this API.
+func (mg *API) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this API.
 func (mg *API) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *APIMapping) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this APIMapping.
+func (mg *APIMapping) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this APIMapping.
 func (mg *APIMapping) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *APIMapping) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this APIMapping.
+func (mg *APIMapping) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this APIMapping.
 func (mg *APIMapping) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Authorizer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Authorizer.
+func (mg *Authorizer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Authorizer.
 func (mg *Authorizer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Authorizer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Authorizer.
+func (mg *Authorizer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Authorizer.
 func (mg *Authorizer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Deployment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Deployment.
+func (mg *Deployment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Deployment.
 func (mg *Deployment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Deployment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Deployment.
+func (mg *Deployment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Deployment.
 func (mg *Deployment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *DomainName) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainName.
+func (mg *DomainName) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainName.
 func (mg *DomainName) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *DomainName) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainName.
+func (mg *DomainName) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainName.
 func (mg *DomainName) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Integration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Integration.
+func (mg *Integration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Integration.
 func (mg *Integration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Integration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Integration.
+func (mg *Integration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Integration.
 func (mg *Integration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *IntegrationResponse) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IntegrationResponse.
+func (mg *IntegrationResponse) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IntegrationResponse.
 func (mg *IntegrationResponse) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *IntegrationResponse) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IntegrationResponse.
+func (mg *IntegrationResponse) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IntegrationResponse.
 func (mg *IntegrationResponse) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Model) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Model.
+func (mg *Model) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Model.
 func (mg *Model) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Model) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Model.
+func (mg *Model) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Model.
 func (mg *Model) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *Route) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Route.
+func (mg *Route) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Route.
 func (mg *Route) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *Route) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Route.
+func (mg *Route) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Route.
 func (mg *Route) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *RouteResponse) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RouteResponse.
+func (mg *RouteResponse) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RouteResponse.
 func (mg *RouteResponse) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *RouteResponse) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RouteResponse.
+func (mg *RouteResponse) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RouteResponse.
 func (mg *RouteResponse) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *Stage) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stage.
+func (mg *Stage) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stage.
 func (mg *Stage) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *Stage) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stage.
+func (mg *Stage) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stage.
 func (mg *Stage) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *VPCLink) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCLink.
+func (mg *VPCLink) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCLink.
 func (mg *VPCLink) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *VPCLink) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCLink.
+func (mg *VPCLink) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCLink.
 func (mg *VPCLink) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/appautoscaling/v1beta1/zz_generated.managed.go b/apis/appautoscaling/v1beta1/zz_generated.managed.go
index c127034f66..77f9a20d23 100644
--- a/apis/appautoscaling/v1beta1/zz_generated.managed.go
+++ b/apis/appautoscaling/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Policy.
+func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Policy.
 func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Policy.
+func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Policy.
 func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ScheduledAction) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ScheduledAction.
+func (mg *ScheduledAction) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ScheduledAction.
 func (mg *ScheduledAction) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ScheduledAction) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ScheduledAction.
+func (mg *ScheduledAction) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ScheduledAction.
 func (mg *ScheduledAction) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Target) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Target.
+func (mg *Target) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Target.
 func (mg *Target) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Target) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Target.
+func (mg *Target) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Target.
 func (mg *Target) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/appconfig/v1beta1/zz_generated.managed.go b/apis/appconfig/v1beta1/zz_generated.managed.go
index c62163b959..f547296efe 100644
--- a/apis/appconfig/v1beta1/zz_generated.managed.go
+++ b/apis/appconfig/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Application.
+func (mg *Application) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Application.
 func (mg *Application) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Application.
+func (mg *Application) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Application.
 func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ConfigurationProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigurationProfile.
+func (mg *ConfigurationProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigurationProfile.
 func (mg *ConfigurationProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ConfigurationProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigurationProfile.
+func (mg *ConfigurationProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigurationProfile.
 func (mg *ConfigurationProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Deployment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Deployment.
+func (mg *Deployment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Deployment.
 func (mg *Deployment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Deployment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Deployment.
+func (mg *Deployment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Deployment.
 func (mg *Deployment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *DeploymentStrategy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DeploymentStrategy.
+func (mg *DeploymentStrategy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DeploymentStrategy.
 func (mg *DeploymentStrategy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *DeploymentStrategy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DeploymentStrategy.
+func (mg *DeploymentStrategy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DeploymentStrategy.
 func (mg *DeploymentStrategy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Environment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Environment.
+func (mg *Environment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Environment.
 func (mg *Environment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Environment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Environment.
+func (mg *Environment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Environment.
 func (mg *Environment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Extension) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Extension.
+func (mg *Extension) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Extension.
 func (mg *Extension) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Extension) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Extension.
+func (mg *Extension) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Extension.
 func (mg *Extension) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ExtensionAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ExtensionAssociation.
+func (mg *ExtensionAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ExtensionAssociation.
 func (mg *ExtensionAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ExtensionAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ExtensionAssociation.
+func (mg *ExtensionAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ExtensionAssociation.
 func (mg *ExtensionAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *HostedConfigurationVersion) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedConfigurationVersion.
+func (mg *HostedConfigurationVersion) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedConfigurationVersion.
 func (mg *HostedConfigurationVersion) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *HostedConfigurationVersion) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedConfigurationVersion.
+func (mg *HostedConfigurationVersion) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedConfigurationVersion.
 func (mg *HostedConfigurationVersion) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/appflow/v1beta1/zz_generated.managed.go b/apis/appflow/v1beta1/zz_generated.managed.go
index f00326bdab..bd74b597fd 100644
--- a/apis/appflow/v1beta1/zz_generated.managed.go
+++ b/apis/appflow/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Flow) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Flow.
+func (mg *Flow) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Flow.
 func (mg *Flow) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Flow) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Flow.
+func (mg *Flow) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Flow.
 func (mg *Flow) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/appintegrations/v1beta1/zz_generated.managed.go b/apis/appintegrations/v1beta1/zz_generated.managed.go
index 475b9bbdd9..dc862d4f75 100644
--- a/apis/appintegrations/v1beta1/zz_generated.managed.go
+++ b/apis/appintegrations/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *EventIntegration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventIntegration.
+func (mg *EventIntegration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventIntegration.
 func (mg *EventIntegration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *EventIntegration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventIntegration.
+func (mg *EventIntegration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventIntegration.
 func (mg *EventIntegration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/applicationinsights/v1beta1/zz_generated.managed.go b/apis/applicationinsights/v1beta1/zz_generated.managed.go
index 8782fe11f0..c2f45b1868 100644
--- a/apis/applicationinsights/v1beta1/zz_generated.managed.go
+++ b/apis/applicationinsights/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Application.
+func (mg *Application) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Application.
 func (mg *Application) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Application.
+func (mg *Application) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Application.
 func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/appmesh/v1beta1/zz_generated.managed.go b/apis/appmesh/v1beta1/zz_generated.managed.go
index 9f76c5b96d..9fa57bb614 100644
--- a/apis/appmesh/v1beta1/zz_generated.managed.go
+++ b/apis/appmesh/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *GatewayRoute) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GatewayRoute.
+func (mg *GatewayRoute) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GatewayRoute.
 func (mg *GatewayRoute) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *GatewayRoute) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GatewayRoute.
+func (mg *GatewayRoute) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GatewayRoute.
 func (mg *GatewayRoute) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Mesh) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Mesh.
+func (mg *Mesh) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Mesh.
 func (mg *Mesh) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Mesh) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Mesh.
+func (mg *Mesh) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Mesh.
 func (mg *Mesh) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Route) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Route.
+func (mg *Route) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Route.
 func (mg *Route) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Route) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Route.
+func (mg *Route) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Route.
 func (mg *Route) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *VirtualGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VirtualGateway.
+func (mg *VirtualGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VirtualGateway.
 func (mg *VirtualGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *VirtualGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VirtualGateway.
+func (mg *VirtualGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VirtualGateway.
 func (mg *VirtualGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *VirtualNode) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VirtualNode.
+func (mg *VirtualNode) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VirtualNode.
 func (mg *VirtualNode) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *VirtualNode) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VirtualNode.
+func (mg *VirtualNode) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VirtualNode.
 func (mg *VirtualNode) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *VirtualRouter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VirtualRouter.
+func (mg *VirtualRouter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VirtualRouter.
 func (mg *VirtualRouter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *VirtualRouter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VirtualRouter.
+func (mg *VirtualRouter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VirtualRouter.
 func (mg *VirtualRouter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *VirtualService) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VirtualService.
+func (mg *VirtualService) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VirtualService.
 func (mg *VirtualService) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *VirtualService) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VirtualService.
+func (mg *VirtualService) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VirtualService.
 func (mg *VirtualService) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/apprunner/v1beta1/zz_generated.managed.go b/apis/apprunner/v1beta1/zz_generated.managed.go
index 9dc4257016..f753b9796c 100644
--- a/apis/apprunner/v1beta1/zz_generated.managed.go
+++ b/apis/apprunner/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AutoScalingConfigurationVersion) GetDeletionPolicy() xpv1.DeletionPoli
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AutoScalingConfigurationVersion.
+func (mg *AutoScalingConfigurationVersion) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AutoScalingConfigurationVersion.
 func (mg *AutoScalingConfigurationVersion) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AutoScalingConfigurationVersion) SetDeletionPolicy(r xpv1.DeletionPoli
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AutoScalingConfigurationVersion.
+func (mg *AutoScalingConfigurationVersion) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AutoScalingConfigurationVersion.
 func (mg *AutoScalingConfigurationVersion) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Connection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Connection.
+func (mg *Connection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Connection.
 func (mg *Connection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Connection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Connection.
+func (mg *Connection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Connection.
 func (mg *Connection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ObservabilityConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ObservabilityConfiguration.
+func (mg *ObservabilityConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ObservabilityConfiguration.
 func (mg *ObservabilityConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ObservabilityConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ObservabilityConfiguration.
+func (mg *ObservabilityConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ObservabilityConfiguration.
 func (mg *ObservabilityConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Service) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Service.
+func (mg *Service) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Service.
 func (mg *Service) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Service) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Service.
+func (mg *Service) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Service.
 func (mg *Service) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *VPCConnector) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCConnector.
+func (mg *VPCConnector) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCConnector.
 func (mg *VPCConnector) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *VPCConnector) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCConnector.
+func (mg *VPCConnector) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCConnector.
 func (mg *VPCConnector) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/appstream/v1beta1/zz_generated.managed.go b/apis/appstream/v1beta1/zz_generated.managed.go
index 6f720063c6..4b193ce5c5 100644
--- a/apis/appstream/v1beta1/zz_generated.managed.go
+++ b/apis/appstream/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DirectoryConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DirectoryConfig.
+func (mg *DirectoryConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DirectoryConfig.
 func (mg *DirectoryConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DirectoryConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DirectoryConfig.
+func (mg *DirectoryConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DirectoryConfig.
 func (mg *DirectoryConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Fleet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Fleet.
+func (mg *Fleet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Fleet.
 func (mg *Fleet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Fleet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Fleet.
+func (mg *Fleet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Fleet.
 func (mg *Fleet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *FleetStackAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FleetStackAssociation.
+func (mg *FleetStackAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FleetStackAssociation.
 func (mg *FleetStackAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *FleetStackAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FleetStackAssociation.
+func (mg *FleetStackAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FleetStackAssociation.
 func (mg *FleetStackAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ImageBuilder) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ImageBuilder.
+func (mg *ImageBuilder) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ImageBuilder.
 func (mg *ImageBuilder) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ImageBuilder) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ImageBuilder.
+func (mg *ImageBuilder) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ImageBuilder.
 func (mg *ImageBuilder) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Stack) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stack.
+func (mg *Stack) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stack.
 func (mg *Stack) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Stack) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stack.
+func (mg *Stack) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stack.
 func (mg *Stack) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this User.
+func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this User.
 func (mg *User) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this User.
+func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this User.
 func (mg *User) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *UserStackAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserStackAssociation.
+func (mg *UserStackAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserStackAssociation.
 func (mg *UserStackAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *UserStackAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserStackAssociation.
+func (mg *UserStackAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserStackAssociation.
 func (mg *UserStackAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/appsync/v1beta1/zz_generated.managed.go b/apis/appsync/v1beta1/zz_generated.managed.go
index 30a554f760..074aa4fcad 100644
--- a/apis/appsync/v1beta1/zz_generated.managed.go
+++ b/apis/appsync/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *APICache) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this APICache.
+func (mg *APICache) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this APICache.
 func (mg *APICache) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *APICache) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this APICache.
+func (mg *APICache) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this APICache.
 func (mg *APICache) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *APIKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this APIKey.
+func (mg *APIKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this APIKey.
 func (mg *APIKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *APIKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this APIKey.
+func (mg *APIKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this APIKey.
 func (mg *APIKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Datasource) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Datasource.
+func (mg *Datasource) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Datasource.
 func (mg *Datasource) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Datasource) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Datasource.
+func (mg *Datasource) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Datasource.
 func (mg *Datasource) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Function) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Function.
+func (mg *Function) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Function.
 func (mg *Function) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Function) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Function.
+func (mg *Function) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Function.
 func (mg *Function) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *GraphQLAPI) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GraphQLAPI.
+func (mg *GraphQLAPI) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GraphQLAPI.
 func (mg *GraphQLAPI) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *GraphQLAPI) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GraphQLAPI.
+func (mg *GraphQLAPI) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GraphQLAPI.
 func (mg *GraphQLAPI) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Resolver) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Resolver.
+func (mg *Resolver) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Resolver.
 func (mg *Resolver) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Resolver) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Resolver.
+func (mg *Resolver) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Resolver.
 func (mg *Resolver) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/athena/v1beta1/zz_generated.managed.go b/apis/athena/v1beta1/zz_generated.managed.go
index 091f7086c0..8f381f01ea 100644
--- a/apis/athena/v1beta1/zz_generated.managed.go
+++ b/apis/athena/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DataCatalog) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DataCatalog.
+func (mg *DataCatalog) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DataCatalog.
 func (mg *DataCatalog) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DataCatalog) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DataCatalog.
+func (mg *DataCatalog) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DataCatalog.
 func (mg *DataCatalog) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Database) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Database.
+func (mg *Database) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Database.
 func (mg *Database) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Database) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Database.
+func (mg *Database) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Database.
 func (mg *Database) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *NamedQuery) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NamedQuery.
+func (mg *NamedQuery) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NamedQuery.
 func (mg *NamedQuery) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *NamedQuery) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NamedQuery.
+func (mg *NamedQuery) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NamedQuery.
 func (mg *NamedQuery) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Workgroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Workgroup.
+func (mg *Workgroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Workgroup.
 func (mg *Workgroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Workgroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Workgroup.
+func (mg *Workgroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Workgroup.
 func (mg *Workgroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/autoscaling/v1beta1/zz_generated.managed.go b/apis/autoscaling/v1beta1/zz_generated.managed.go
index c7f49f839e..f079c597fd 100644
--- a/apis/autoscaling/v1beta1/zz_generated.managed.go
+++ b/apis/autoscaling/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Attachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Attachment.
+func (mg *Attachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Attachment.
 func (mg *Attachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Attachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Attachment.
+func (mg *Attachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Attachment.
 func (mg *Attachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *AutoscalingGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AutoscalingGroup.
+func (mg *AutoscalingGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AutoscalingGroup.
 func (mg *AutoscalingGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *AutoscalingGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AutoscalingGroup.
+func (mg *AutoscalingGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AutoscalingGroup.
 func (mg *AutoscalingGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *GroupTag) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GroupTag.
+func (mg *GroupTag) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GroupTag.
 func (mg *GroupTag) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *GroupTag) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GroupTag.
+func (mg *GroupTag) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GroupTag.
 func (mg *GroupTag) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *LaunchConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LaunchConfiguration.
+func (mg *LaunchConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LaunchConfiguration.
 func (mg *LaunchConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *LaunchConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LaunchConfiguration.
+func (mg *LaunchConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LaunchConfiguration.
 func (mg *LaunchConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *LifecycleHook) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LifecycleHook.
+func (mg *LifecycleHook) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LifecycleHook.
 func (mg *LifecycleHook) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *LifecycleHook) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LifecycleHook.
+func (mg *LifecycleHook) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LifecycleHook.
 func (mg *LifecycleHook) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Notification) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Notification.
+func (mg *Notification) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Notification.
 func (mg *Notification) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Notification) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Notification.
+func (mg *Notification) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Notification.
 func (mg *Notification) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Policy.
+func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Policy.
 func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Policy.
+func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Policy.
 func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Schedule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Schedule.
+func (mg *Schedule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Schedule.
 func (mg *Schedule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Schedule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Schedule.
+func (mg *Schedule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Schedule.
 func (mg *Schedule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/autoscalingplans/v1beta1/zz_generated.managed.go b/apis/autoscalingplans/v1beta1/zz_generated.managed.go
index 517aad59a0..3c73af4ed1 100644
--- a/apis/autoscalingplans/v1beta1/zz_generated.managed.go
+++ b/apis/autoscalingplans/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ScalingPlan) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ScalingPlan.
+func (mg *ScalingPlan) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ScalingPlan.
 func (mg *ScalingPlan) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ScalingPlan) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ScalingPlan.
+func (mg *ScalingPlan) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ScalingPlan.
 func (mg *ScalingPlan) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/backup/v1beta1/zz_generated.managed.go b/apis/backup/v1beta1/zz_generated.managed.go
index 3adfa8914f..341a6bcdc9 100644
--- a/apis/backup/v1beta1/zz_generated.managed.go
+++ b/apis/backup/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Framework) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Framework.
+func (mg *Framework) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Framework.
 func (mg *Framework) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Framework) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Framework.
+func (mg *Framework) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Framework.
 func (mg *Framework) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *GlobalSettings) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GlobalSettings.
+func (mg *GlobalSettings) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GlobalSettings.
 func (mg *GlobalSettings) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *GlobalSettings) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GlobalSettings.
+func (mg *GlobalSettings) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GlobalSettings.
 func (mg *GlobalSettings) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Plan) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Plan.
+func (mg *Plan) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Plan.
 func (mg *Plan) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Plan) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Plan.
+func (mg *Plan) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Plan.
 func (mg *Plan) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *RegionSettings) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegionSettings.
+func (mg *RegionSettings) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegionSettings.
 func (mg *RegionSettings) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *RegionSettings) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegionSettings.
+func (mg *RegionSettings) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegionSettings.
 func (mg *RegionSettings) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ReportPlan) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReportPlan.
+func (mg *ReportPlan) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReportPlan.
 func (mg *ReportPlan) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ReportPlan) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReportPlan.
+func (mg *ReportPlan) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReportPlan.
 func (mg *ReportPlan) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Selection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Selection.
+func (mg *Selection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Selection.
 func (mg *Selection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Selection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Selection.
+func (mg *Selection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Selection.
 func (mg *Selection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Vault) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Vault.
+func (mg *Vault) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Vault.
 func (mg *Vault) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Vault) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Vault.
+func (mg *Vault) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Vault.
 func (mg *Vault) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *VaultLockConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VaultLockConfiguration.
+func (mg *VaultLockConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VaultLockConfiguration.
 func (mg *VaultLockConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *VaultLockConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VaultLockConfiguration.
+func (mg *VaultLockConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VaultLockConfiguration.
 func (mg *VaultLockConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *VaultNotifications) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VaultNotifications.
+func (mg *VaultNotifications) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VaultNotifications.
 func (mg *VaultNotifications) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *VaultNotifications) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VaultNotifications.
+func (mg *VaultNotifications) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VaultNotifications.
 func (mg *VaultNotifications) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *VaultPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VaultPolicy.
+func (mg *VaultPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VaultPolicy.
 func (mg *VaultPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *VaultPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VaultPolicy.
+func (mg *VaultPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VaultPolicy.
 func (mg *VaultPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/batch/v1beta1/zz_generated.managed.go b/apis/batch/v1beta1/zz_generated.managed.go
index 43a247f945..5c7b75285e 100644
--- a/apis/batch/v1beta1/zz_generated.managed.go
+++ b/apis/batch/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *SchedulingPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SchedulingPolicy.
+func (mg *SchedulingPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SchedulingPolicy.
 func (mg *SchedulingPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *SchedulingPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SchedulingPolicy.
+func (mg *SchedulingPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SchedulingPolicy.
 func (mg *SchedulingPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/budgets/v1beta1/zz_generated.managed.go b/apis/budgets/v1beta1/zz_generated.managed.go
index 2258067944..22f3eea7ac 100644
--- a/apis/budgets/v1beta1/zz_generated.managed.go
+++ b/apis/budgets/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Budget) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Budget.
+func (mg *Budget) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Budget.
 func (mg *Budget) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Budget) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Budget.
+func (mg *Budget) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Budget.
 func (mg *Budget) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *BudgetAction) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BudgetAction.
+func (mg *BudgetAction) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BudgetAction.
 func (mg *BudgetAction) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *BudgetAction) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BudgetAction.
+func (mg *BudgetAction) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BudgetAction.
 func (mg *BudgetAction) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ce/v1beta1/zz_generated.managed.go b/apis/ce/v1beta1/zz_generated.managed.go
index fdfe6ad149..293ccb81e1 100644
--- a/apis/ce/v1beta1/zz_generated.managed.go
+++ b/apis/ce/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AnomalyMonitor) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AnomalyMonitor.
+func (mg *AnomalyMonitor) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AnomalyMonitor.
 func (mg *AnomalyMonitor) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AnomalyMonitor) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AnomalyMonitor.
+func (mg *AnomalyMonitor) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AnomalyMonitor.
 func (mg *AnomalyMonitor) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/chime/v1beta1/zz_generated.managed.go b/apis/chime/v1beta1/zz_generated.managed.go
index dc3eb65c1f..f4e230c057 100644
--- a/apis/chime/v1beta1/zz_generated.managed.go
+++ b/apis/chime/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *VoiceConnector) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VoiceConnector.
+func (mg *VoiceConnector) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VoiceConnector.
 func (mg *VoiceConnector) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *VoiceConnector) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VoiceConnector.
+func (mg *VoiceConnector) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VoiceConnector.
 func (mg *VoiceConnector) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *VoiceConnectorGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VoiceConnectorGroup.
+func (mg *VoiceConnectorGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VoiceConnectorGroup.
 func (mg *VoiceConnectorGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *VoiceConnectorGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VoiceConnectorGroup.
+func (mg *VoiceConnectorGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VoiceConnectorGroup.
 func (mg *VoiceConnectorGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *VoiceConnectorLogging) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VoiceConnectorLogging.
+func (mg *VoiceConnectorLogging) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VoiceConnectorLogging.
 func (mg *VoiceConnectorLogging) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *VoiceConnectorLogging) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VoiceConnectorLogging.
+func (mg *VoiceConnectorLogging) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VoiceConnectorLogging.
 func (mg *VoiceConnectorLogging) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *VoiceConnectorOrigination) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VoiceConnectorOrigination.
+func (mg *VoiceConnectorOrigination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VoiceConnectorOrigination.
 func (mg *VoiceConnectorOrigination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *VoiceConnectorOrigination) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VoiceConnectorOrigination.
+func (mg *VoiceConnectorOrigination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VoiceConnectorOrigination.
 func (mg *VoiceConnectorOrigination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *VoiceConnectorStreaming) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VoiceConnectorStreaming.
+func (mg *VoiceConnectorStreaming) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VoiceConnectorStreaming.
 func (mg *VoiceConnectorStreaming) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *VoiceConnectorStreaming) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VoiceConnectorStreaming.
+func (mg *VoiceConnectorStreaming) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VoiceConnectorStreaming.
 func (mg *VoiceConnectorStreaming) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *VoiceConnectorTermination) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VoiceConnectorTermination.
+func (mg *VoiceConnectorTermination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VoiceConnectorTermination.
 func (mg *VoiceConnectorTermination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *VoiceConnectorTermination) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VoiceConnectorTermination.
+func (mg *VoiceConnectorTermination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VoiceConnectorTermination.
 func (mg *VoiceConnectorTermination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *VoiceConnectorTerminationCredentials) GetDeletionPolicy() xpv1.Deletio
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VoiceConnectorTerminationCredentials.
+func (mg *VoiceConnectorTerminationCredentials) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VoiceConnectorTerminationCredentials.
 func (mg *VoiceConnectorTerminationCredentials) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *VoiceConnectorTerminationCredentials) SetDeletionPolicy(r xpv1.Deletio
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VoiceConnectorTerminationCredentials.
+func (mg *VoiceConnectorTerminationCredentials) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VoiceConnectorTerminationCredentials.
 func (mg *VoiceConnectorTerminationCredentials) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloud9/v1beta1/zz_generated.managed.go b/apis/cloud9/v1beta1/zz_generated.managed.go
index 319c73802c..263d9d18e0 100644
--- a/apis/cloud9/v1beta1/zz_generated.managed.go
+++ b/apis/cloud9/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *EnvironmentEC2) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EnvironmentEC2.
+func (mg *EnvironmentEC2) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EnvironmentEC2.
 func (mg *EnvironmentEC2) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *EnvironmentEC2) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EnvironmentEC2.
+func (mg *EnvironmentEC2) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EnvironmentEC2.
 func (mg *EnvironmentEC2) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *EnvironmentMembership) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EnvironmentMembership.
+func (mg *EnvironmentMembership) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EnvironmentMembership.
 func (mg *EnvironmentMembership) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *EnvironmentMembership) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EnvironmentMembership.
+func (mg *EnvironmentMembership) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EnvironmentMembership.
 func (mg *EnvironmentMembership) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudcontrol/v1beta1/zz_generated.managed.go b/apis/cloudcontrol/v1beta1/zz_generated.managed.go
index 887f63a329..22026e5ecf 100644
--- a/apis/cloudcontrol/v1beta1/zz_generated.managed.go
+++ b/apis/cloudcontrol/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Resource) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Resource.
+func (mg *Resource) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Resource.
 func (mg *Resource) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Resource) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Resource.
+func (mg *Resource) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Resource.
 func (mg *Resource) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudformation/v1beta1/zz_generated.managed.go b/apis/cloudformation/v1beta1/zz_generated.managed.go
index ec194fc4eb..c3b25eb351 100644
--- a/apis/cloudformation/v1beta1/zz_generated.managed.go
+++ b/apis/cloudformation/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Stack) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stack.
+func (mg *Stack) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stack.
 func (mg *Stack) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Stack) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stack.
+func (mg *Stack) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stack.
 func (mg *Stack) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *StackSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StackSet.
+func (mg *StackSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StackSet.
 func (mg *StackSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *StackSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StackSet.
+func (mg *StackSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StackSet.
 func (mg *StackSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudfront/v1beta1/zz_generated.managed.go b/apis/cloudfront/v1beta1/zz_generated.managed.go
index 2061906d97..441d431960 100644
--- a/apis/cloudfront/v1beta1/zz_generated.managed.go
+++ b/apis/cloudfront/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *CachePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CachePolicy.
+func (mg *CachePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CachePolicy.
 func (mg *CachePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *CachePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CachePolicy.
+func (mg *CachePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CachePolicy.
 func (mg *CachePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Distribution) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Distribution.
+func (mg *Distribution) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Distribution.
 func (mg *Distribution) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Distribution) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Distribution.
+func (mg *Distribution) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Distribution.
 func (mg *Distribution) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *FieldLevelEncryptionConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FieldLevelEncryptionConfig.
+func (mg *FieldLevelEncryptionConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FieldLevelEncryptionConfig.
 func (mg *FieldLevelEncryptionConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *FieldLevelEncryptionConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FieldLevelEncryptionConfig.
+func (mg *FieldLevelEncryptionConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FieldLevelEncryptionConfig.
 func (mg *FieldLevelEncryptionConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *FieldLevelEncryptionProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FieldLevelEncryptionProfile.
+func (mg *FieldLevelEncryptionProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FieldLevelEncryptionProfile.
 func (mg *FieldLevelEncryptionProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *FieldLevelEncryptionProfile) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FieldLevelEncryptionProfile.
+func (mg *FieldLevelEncryptionProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FieldLevelEncryptionProfile.
 func (mg *FieldLevelEncryptionProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Function) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Function.
+func (mg *Function) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Function.
 func (mg *Function) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Function) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Function.
+func (mg *Function) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Function.
 func (mg *Function) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *KeyGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this KeyGroup.
+func (mg *KeyGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this KeyGroup.
 func (mg *KeyGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *KeyGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this KeyGroup.
+func (mg *KeyGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this KeyGroup.
 func (mg *KeyGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *MonitoringSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MonitoringSubscription.
+func (mg *MonitoringSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MonitoringSubscription.
 func (mg *MonitoringSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *MonitoringSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MonitoringSubscription.
+func (mg *MonitoringSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MonitoringSubscription.
 func (mg *MonitoringSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *OriginAccessControl) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OriginAccessControl.
+func (mg *OriginAccessControl) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OriginAccessControl.
 func (mg *OriginAccessControl) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *OriginAccessControl) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OriginAccessControl.
+func (mg *OriginAccessControl) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OriginAccessControl.
 func (mg *OriginAccessControl) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *OriginAccessIdentity) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OriginAccessIdentity.
+func (mg *OriginAccessIdentity) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OriginAccessIdentity.
 func (mg *OriginAccessIdentity) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *OriginAccessIdentity) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OriginAccessIdentity.
+func (mg *OriginAccessIdentity) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OriginAccessIdentity.
 func (mg *OriginAccessIdentity) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *OriginRequestPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OriginRequestPolicy.
+func (mg *OriginRequestPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OriginRequestPolicy.
 func (mg *OriginRequestPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *OriginRequestPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OriginRequestPolicy.
+func (mg *OriginRequestPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OriginRequestPolicy.
 func (mg *OriginRequestPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *PublicKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PublicKey.
+func (mg *PublicKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PublicKey.
 func (mg *PublicKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *PublicKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PublicKey.
+func (mg *PublicKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PublicKey.
 func (mg *PublicKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *RealtimeLogConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RealtimeLogConfig.
+func (mg *RealtimeLogConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RealtimeLogConfig.
 func (mg *RealtimeLogConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *RealtimeLogConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RealtimeLogConfig.
+func (mg *RealtimeLogConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RealtimeLogConfig.
 func (mg *RealtimeLogConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *ResponseHeadersPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResponseHeadersPolicy.
+func (mg *ResponseHeadersPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResponseHeadersPolicy.
 func (mg *ResponseHeadersPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *ResponseHeadersPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResponseHeadersPolicy.
+func (mg *ResponseHeadersPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResponseHeadersPolicy.
 func (mg *ResponseHeadersPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudsearch/v1beta1/zz_generated.managed.go b/apis/cloudsearch/v1beta1/zz_generated.managed.go
index 6cff91decc..7572813d85 100644
--- a/apis/cloudsearch/v1beta1/zz_generated.managed.go
+++ b/apis/cloudsearch/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Domain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Domain.
+func (mg *Domain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Domain.
 func (mg *Domain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Domain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Domain.
+func (mg *Domain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Domain.
 func (mg *Domain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *DomainServiceAccessPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainServiceAccessPolicy.
+func (mg *DomainServiceAccessPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainServiceAccessPolicy.
 func (mg *DomainServiceAccessPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *DomainServiceAccessPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainServiceAccessPolicy.
+func (mg *DomainServiceAccessPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainServiceAccessPolicy.
 func (mg *DomainServiceAccessPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudtrail/v1beta1/zz_generated.managed.go b/apis/cloudtrail/v1beta1/zz_generated.managed.go
index 9bc03f0da2..0602c7146e 100644
--- a/apis/cloudtrail/v1beta1/zz_generated.managed.go
+++ b/apis/cloudtrail/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *EventDataStore) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventDataStore.
+func (mg *EventDataStore) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventDataStore.
 func (mg *EventDataStore) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *EventDataStore) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventDataStore.
+func (mg *EventDataStore) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventDataStore.
 func (mg *EventDataStore) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Trail) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Trail.
+func (mg *Trail) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Trail.
 func (mg *Trail) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Trail) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Trail.
+func (mg *Trail) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Trail.
 func (mg *Trail) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudwatch/v1beta1/zz_generated.managed.go b/apis/cloudwatch/v1beta1/zz_generated.managed.go
index 4d62828c8c..3a8126362c 100644
--- a/apis/cloudwatch/v1beta1/zz_generated.managed.go
+++ b/apis/cloudwatch/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *CompositeAlarm) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CompositeAlarm.
+func (mg *CompositeAlarm) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CompositeAlarm.
 func (mg *CompositeAlarm) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *CompositeAlarm) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CompositeAlarm.
+func (mg *CompositeAlarm) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CompositeAlarm.
 func (mg *CompositeAlarm) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Dashboard) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Dashboard.
+func (mg *Dashboard) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Dashboard.
 func (mg *Dashboard) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Dashboard) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Dashboard.
+func (mg *Dashboard) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Dashboard.
 func (mg *Dashboard) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *MetricAlarm) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MetricAlarm.
+func (mg *MetricAlarm) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MetricAlarm.
 func (mg *MetricAlarm) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *MetricAlarm) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MetricAlarm.
+func (mg *MetricAlarm) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MetricAlarm.
 func (mg *MetricAlarm) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *MetricStream) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MetricStream.
+func (mg *MetricStream) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MetricStream.
 func (mg *MetricStream) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *MetricStream) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MetricStream.
+func (mg *MetricStream) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MetricStream.
 func (mg *MetricStream) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudwatchevents/v1beta1/zz_generated.managed.go b/apis/cloudwatchevents/v1beta1/zz_generated.managed.go
index 14a9354fce..5d5a9c92a3 100644
--- a/apis/cloudwatchevents/v1beta1/zz_generated.managed.go
+++ b/apis/cloudwatchevents/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *APIDestination) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this APIDestination.
+func (mg *APIDestination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this APIDestination.
 func (mg *APIDestination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *APIDestination) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this APIDestination.
+func (mg *APIDestination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this APIDestination.
 func (mg *APIDestination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Archive) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Archive.
+func (mg *Archive) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Archive.
 func (mg *Archive) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Archive) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Archive.
+func (mg *Archive) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Archive.
 func (mg *Archive) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Bus) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Bus.
+func (mg *Bus) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Bus.
 func (mg *Bus) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Bus) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Bus.
+func (mg *Bus) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Bus.
 func (mg *Bus) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *BusPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BusPolicy.
+func (mg *BusPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BusPolicy.
 func (mg *BusPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *BusPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BusPolicy.
+func (mg *BusPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BusPolicy.
 func (mg *BusPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Connection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Connection.
+func (mg *Connection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Connection.
 func (mg *Connection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Connection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Connection.
+func (mg *Connection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Connection.
 func (mg *Connection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Permission) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Permission.
+func (mg *Permission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Permission.
 func (mg *Permission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Permission) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Permission.
+func (mg *Permission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Permission.
 func (mg *Permission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Rule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Rule.
+func (mg *Rule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Rule.
 func (mg *Rule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Rule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Rule.
+func (mg *Rule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Rule.
 func (mg *Rule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Target) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Target.
+func (mg *Target) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Target.
 func (mg *Target) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Target) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Target.
+func (mg *Target) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Target.
 func (mg *Target) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cloudwatchlogs/v1beta1/zz_generated.managed.go b/apis/cloudwatchlogs/v1beta1/zz_generated.managed.go
index 2efc10e7fd..9381790203 100644
--- a/apis/cloudwatchlogs/v1beta1/zz_generated.managed.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Definition) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Definition.
+func (mg *Definition) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Definition.
 func (mg *Definition) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Definition) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Definition.
+func (mg *Definition) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Definition.
 func (mg *Definition) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Destination) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Destination.
+func (mg *Destination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Destination.
 func (mg *Destination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Destination) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Destination.
+func (mg *Destination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Destination.
 func (mg *Destination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DestinationPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DestinationPolicy.
+func (mg *DestinationPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DestinationPolicy.
 func (mg *DestinationPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DestinationPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DestinationPolicy.
+func (mg *DestinationPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DestinationPolicy.
 func (mg *DestinationPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Group) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Group.
+func (mg *Group) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Group.
 func (mg *Group) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Group) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Group.
+func (mg *Group) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Group.
 func (mg *Group) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *MetricFilter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MetricFilter.
+func (mg *MetricFilter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MetricFilter.
 func (mg *MetricFilter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *MetricFilter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MetricFilter.
+func (mg *MetricFilter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MetricFilter.
 func (mg *MetricFilter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ResourcePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourcePolicy.
+func (mg *ResourcePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourcePolicy.
 func (mg *ResourcePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ResourcePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourcePolicy.
+func (mg *ResourcePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourcePolicy.
 func (mg *ResourcePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Stream) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stream.
+func (mg *Stream) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stream.
 func (mg *Stream) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Stream) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stream.
+func (mg *Stream) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stream.
 func (mg *Stream) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *SubscriptionFilter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubscriptionFilter.
+func (mg *SubscriptionFilter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubscriptionFilter.
 func (mg *SubscriptionFilter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *SubscriptionFilter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubscriptionFilter.
+func (mg *SubscriptionFilter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubscriptionFilter.
 func (mg *SubscriptionFilter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/codecommit/v1beta1/zz_generated.managed.go b/apis/codecommit/v1beta1/zz_generated.managed.go
index b72ea51335..4c95fbd6aa 100644
--- a/apis/codecommit/v1beta1/zz_generated.managed.go
+++ b/apis/codecommit/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ApprovalRuleTemplate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ApprovalRuleTemplate.
+func (mg *ApprovalRuleTemplate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ApprovalRuleTemplate.
 func (mg *ApprovalRuleTemplate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ApprovalRuleTemplate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ApprovalRuleTemplate.
+func (mg *ApprovalRuleTemplate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ApprovalRuleTemplate.
 func (mg *ApprovalRuleTemplate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ApprovalRuleTemplateAssociation) GetDeletionPolicy() xpv1.DeletionPoli
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ApprovalRuleTemplateAssociation.
+func (mg *ApprovalRuleTemplateAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ApprovalRuleTemplateAssociation.
 func (mg *ApprovalRuleTemplateAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ApprovalRuleTemplateAssociation) SetDeletionPolicy(r xpv1.DeletionPoli
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ApprovalRuleTemplateAssociation.
+func (mg *ApprovalRuleTemplateAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ApprovalRuleTemplateAssociation.
 func (mg *ApprovalRuleTemplateAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Repository) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Repository.
+func (mg *Repository) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Repository.
 func (mg *Repository) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Repository) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Repository.
+func (mg *Repository) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Repository.
 func (mg *Repository) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Trigger) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Trigger.
+func (mg *Trigger) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Trigger.
 func (mg *Trigger) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Trigger) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Trigger.
+func (mg *Trigger) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Trigger.
 func (mg *Trigger) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/codepipeline/v1beta1/zz_generated.managed.go b/apis/codepipeline/v1beta1/zz_generated.managed.go
index ee4e2d1319..413f4abc21 100644
--- a/apis/codepipeline/v1beta1/zz_generated.managed.go
+++ b/apis/codepipeline/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Codepipeline) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Codepipeline.
+func (mg *Codepipeline) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Codepipeline.
 func (mg *Codepipeline) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Codepipeline) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Codepipeline.
+func (mg *Codepipeline) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Codepipeline.
 func (mg *Codepipeline) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *CustomActionType) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CustomActionType.
+func (mg *CustomActionType) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CustomActionType.
 func (mg *CustomActionType) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *CustomActionType) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CustomActionType.
+func (mg *CustomActionType) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CustomActionType.
 func (mg *CustomActionType) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Webhook) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Webhook.
+func (mg *Webhook) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Webhook.
 func (mg *Webhook) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Webhook) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Webhook.
+func (mg *Webhook) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Webhook.
 func (mg *Webhook) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/codestarconnections/v1beta1/zz_generated.managed.go b/apis/codestarconnections/v1beta1/zz_generated.managed.go
index 1d0ebe9282..8b8bd009b0 100644
--- a/apis/codestarconnections/v1beta1/zz_generated.managed.go
+++ b/apis/codestarconnections/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Connection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Connection.
+func (mg *Connection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Connection.
 func (mg *Connection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Connection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Connection.
+func (mg *Connection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Connection.
 func (mg *Connection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Host) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Host.
+func (mg *Host) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Host.
 func (mg *Host) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Host) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Host.
+func (mg *Host) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Host.
 func (mg *Host) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/codestarnotifications/v1beta1/zz_generated.managed.go b/apis/codestarnotifications/v1beta1/zz_generated.managed.go
index 40b7123729..08e1edd14b 100644
--- a/apis/codestarnotifications/v1beta1/zz_generated.managed.go
+++ b/apis/codestarnotifications/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *NotificationRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NotificationRule.
+func (mg *NotificationRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NotificationRule.
 func (mg *NotificationRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *NotificationRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NotificationRule.
+func (mg *NotificationRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NotificationRule.
 func (mg *NotificationRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cognitoidentity/v1beta1/zz_generated.managed.go b/apis/cognitoidentity/v1beta1/zz_generated.managed.go
index 597b71b7a5..10c00abe92 100644
--- a/apis/cognitoidentity/v1beta1/zz_generated.managed.go
+++ b/apis/cognitoidentity/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *CognitoIdentityPoolProviderPrincipalTag) GetDeletionPolicy() xpv1.Dele
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CognitoIdentityPoolProviderPrincipalTag.
+func (mg *CognitoIdentityPoolProviderPrincipalTag) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CognitoIdentityPoolProviderPrincipalTag.
 func (mg *CognitoIdentityPoolProviderPrincipalTag) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *CognitoIdentityPoolProviderPrincipalTag) SetDeletionPolicy(r xpv1.Dele
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CognitoIdentityPoolProviderPrincipalTag.
+func (mg *CognitoIdentityPoolProviderPrincipalTag) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CognitoIdentityPoolProviderPrincipalTag.
 func (mg *CognitoIdentityPoolProviderPrincipalTag) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Pool) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Pool.
+func (mg *Pool) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Pool.
 func (mg *Pool) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Pool) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Pool.
+func (mg *Pool) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Pool.
 func (mg *Pool) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *PoolRolesAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PoolRolesAttachment.
+func (mg *PoolRolesAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PoolRolesAttachment.
 func (mg *PoolRolesAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *PoolRolesAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PoolRolesAttachment.
+func (mg *PoolRolesAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PoolRolesAttachment.
 func (mg *PoolRolesAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cognitoidp/v1beta1/zz_generated.managed.go b/apis/cognitoidp/v1beta1/zz_generated.managed.go
index 612f69f75c..91c72ce33f 100644
--- a/apis/cognitoidp/v1beta1/zz_generated.managed.go
+++ b/apis/cognitoidp/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *IdentityProvider) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IdentityProvider.
+func (mg *IdentityProvider) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IdentityProvider.
 func (mg *IdentityProvider) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *IdentityProvider) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IdentityProvider.
+func (mg *IdentityProvider) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IdentityProvider.
 func (mg *IdentityProvider) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ResourceServer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourceServer.
+func (mg *ResourceServer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourceServer.
 func (mg *ResourceServer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ResourceServer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourceServer.
+func (mg *ResourceServer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourceServer.
 func (mg *ResourceServer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *RiskConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RiskConfiguration.
+func (mg *RiskConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RiskConfiguration.
 func (mg *RiskConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *RiskConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RiskConfiguration.
+func (mg *RiskConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RiskConfiguration.
 func (mg *RiskConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this User.
+func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this User.
 func (mg *User) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this User.
+func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this User.
 func (mg *User) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *UserGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserGroup.
+func (mg *UserGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserGroup.
 func (mg *UserGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *UserGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserGroup.
+func (mg *UserGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserGroup.
 func (mg *UserGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *UserInGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserInGroup.
+func (mg *UserInGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserInGroup.
 func (mg *UserInGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *UserInGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserInGroup.
+func (mg *UserInGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserInGroup.
 func (mg *UserInGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *UserPool) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserPool.
+func (mg *UserPool) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserPool.
 func (mg *UserPool) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *UserPool) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserPool.
+func (mg *UserPool) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserPool.
 func (mg *UserPool) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *UserPoolClient) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserPoolClient.
+func (mg *UserPoolClient) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserPoolClient.
 func (mg *UserPoolClient) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *UserPoolClient) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserPoolClient.
+func (mg *UserPoolClient) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserPoolClient.
 func (mg *UserPoolClient) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *UserPoolDomain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserPoolDomain.
+func (mg *UserPoolDomain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserPoolDomain.
 func (mg *UserPoolDomain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *UserPoolDomain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserPoolDomain.
+func (mg *UserPoolDomain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserPoolDomain.
 func (mg *UserPoolDomain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *UserPoolUICustomization) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserPoolUICustomization.
+func (mg *UserPoolUICustomization) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserPoolUICustomization.
 func (mg *UserPoolUICustomization) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *UserPoolUICustomization) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserPoolUICustomization.
+func (mg *UserPoolUICustomization) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserPoolUICustomization.
 func (mg *UserPoolUICustomization) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/configservice/v1beta1/zz_generated.managed.go b/apis/configservice/v1beta1/zz_generated.managed.go
index dd6a343a43..4bac4b2701 100644
--- a/apis/configservice/v1beta1/zz_generated.managed.go
+++ b/apis/configservice/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AWSConfigurationRecorderStatus) GetDeletionPolicy() xpv1.DeletionPolic
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AWSConfigurationRecorderStatus.
+func (mg *AWSConfigurationRecorderStatus) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AWSConfigurationRecorderStatus.
 func (mg *AWSConfigurationRecorderStatus) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AWSConfigurationRecorderStatus) SetDeletionPolicy(r xpv1.DeletionPolic
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AWSConfigurationRecorderStatus.
+func (mg *AWSConfigurationRecorderStatus) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AWSConfigurationRecorderStatus.
 func (mg *AWSConfigurationRecorderStatus) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ConfigRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigRule.
+func (mg *ConfigRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigRule.
 func (mg *ConfigRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ConfigRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigRule.
+func (mg *ConfigRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigRule.
 func (mg *ConfigRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ConfigurationAggregator) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigurationAggregator.
+func (mg *ConfigurationAggregator) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigurationAggregator.
 func (mg *ConfigurationAggregator) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ConfigurationAggregator) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigurationAggregator.
+func (mg *ConfigurationAggregator) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigurationAggregator.
 func (mg *ConfigurationAggregator) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ConfigurationRecorder) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigurationRecorder.
+func (mg *ConfigurationRecorder) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigurationRecorder.
 func (mg *ConfigurationRecorder) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ConfigurationRecorder) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigurationRecorder.
+func (mg *ConfigurationRecorder) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigurationRecorder.
 func (mg *ConfigurationRecorder) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ConformancePack) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConformancePack.
+func (mg *ConformancePack) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConformancePack.
 func (mg *ConformancePack) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ConformancePack) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConformancePack.
+func (mg *ConformancePack) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConformancePack.
 func (mg *ConformancePack) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *DeliveryChannel) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DeliveryChannel.
+func (mg *DeliveryChannel) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DeliveryChannel.
 func (mg *DeliveryChannel) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *DeliveryChannel) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DeliveryChannel.
+func (mg *DeliveryChannel) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DeliveryChannel.
 func (mg *DeliveryChannel) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *RemediationConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RemediationConfiguration.
+func (mg *RemediationConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RemediationConfiguration.
 func (mg *RemediationConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *RemediationConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RemediationConfiguration.
+func (mg *RemediationConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RemediationConfiguration.
 func (mg *RemediationConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/connect/v1beta1/zz_generated.managed.go b/apis/connect/v1beta1/zz_generated.managed.go
index 8875d6937d..cb9c55d2b8 100644
--- a/apis/connect/v1beta1/zz_generated.managed.go
+++ b/apis/connect/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *BotAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BotAssociation.
+func (mg *BotAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BotAssociation.
 func (mg *BotAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *BotAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BotAssociation.
+func (mg *BotAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BotAssociation.
 func (mg *BotAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ContactFlow) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ContactFlow.
+func (mg *ContactFlow) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ContactFlow.
 func (mg *ContactFlow) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ContactFlow) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ContactFlow.
+func (mg *ContactFlow) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ContactFlow.
 func (mg *ContactFlow) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ContactFlowModule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ContactFlowModule.
+func (mg *ContactFlowModule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ContactFlowModule.
 func (mg *ContactFlowModule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ContactFlowModule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ContactFlowModule.
+func (mg *ContactFlowModule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ContactFlowModule.
 func (mg *ContactFlowModule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *HoursOfOperation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HoursOfOperation.
+func (mg *HoursOfOperation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HoursOfOperation.
 func (mg *HoursOfOperation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *HoursOfOperation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HoursOfOperation.
+func (mg *HoursOfOperation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HoursOfOperation.
 func (mg *HoursOfOperation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Instance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Instance.
+func (mg *Instance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Instance.
 func (mg *Instance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Instance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Instance.
+func (mg *Instance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Instance.
 func (mg *Instance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *InstanceStorageConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InstanceStorageConfig.
+func (mg *InstanceStorageConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InstanceStorageConfig.
 func (mg *InstanceStorageConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *InstanceStorageConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InstanceStorageConfig.
+func (mg *InstanceStorageConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InstanceStorageConfig.
 func (mg *InstanceStorageConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *LambdaFunctionAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LambdaFunctionAssociation.
+func (mg *LambdaFunctionAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LambdaFunctionAssociation.
 func (mg *LambdaFunctionAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *LambdaFunctionAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LambdaFunctionAssociation.
+func (mg *LambdaFunctionAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LambdaFunctionAssociation.
 func (mg *LambdaFunctionAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *PhoneNumber) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PhoneNumber.
+func (mg *PhoneNumber) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PhoneNumber.
 func (mg *PhoneNumber) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *PhoneNumber) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PhoneNumber.
+func (mg *PhoneNumber) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PhoneNumber.
 func (mg *PhoneNumber) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *Queue) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Queue.
+func (mg *Queue) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Queue.
 func (mg *Queue) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *Queue) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Queue.
+func (mg *Queue) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Queue.
 func (mg *Queue) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *QuickConnect) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this QuickConnect.
+func (mg *QuickConnect) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this QuickConnect.
 func (mg *QuickConnect) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *QuickConnect) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this QuickConnect.
+func (mg *QuickConnect) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this QuickConnect.
 func (mg *QuickConnect) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *RoutingProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RoutingProfile.
+func (mg *RoutingProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RoutingProfile.
 func (mg *RoutingProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *RoutingProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RoutingProfile.
+func (mg *RoutingProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RoutingProfile.
 func (mg *RoutingProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *SecurityProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecurityProfile.
+func (mg *SecurityProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecurityProfile.
 func (mg *SecurityProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *SecurityProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecurityProfile.
+func (mg *SecurityProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecurityProfile.
 func (mg *SecurityProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this User.
+func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this User.
 func (mg *User) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this User.
+func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this User.
 func (mg *User) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *UserHierarchyStructure) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserHierarchyStructure.
+func (mg *UserHierarchyStructure) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserHierarchyStructure.
 func (mg *UserHierarchyStructure) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *UserHierarchyStructure) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserHierarchyStructure.
+func (mg *UserHierarchyStructure) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserHierarchyStructure.
 func (mg *UserHierarchyStructure) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *Vocabulary) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Vocabulary.
+func (mg *Vocabulary) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Vocabulary.
 func (mg *Vocabulary) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *Vocabulary) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Vocabulary.
+func (mg *Vocabulary) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Vocabulary.
 func (mg *Vocabulary) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/cur/v1beta1/zz_generated.managed.go b/apis/cur/v1beta1/zz_generated.managed.go
index 59b810024e..38602adb29 100644
--- a/apis/cur/v1beta1/zz_generated.managed.go
+++ b/apis/cur/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ReportDefinition) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReportDefinition.
+func (mg *ReportDefinition) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReportDefinition.
 func (mg *ReportDefinition) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ReportDefinition) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReportDefinition.
+func (mg *ReportDefinition) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReportDefinition.
 func (mg *ReportDefinition) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/dataexchange/v1beta1/zz_generated.managed.go b/apis/dataexchange/v1beta1/zz_generated.managed.go
index c1d66e8333..4710e69ccf 100644
--- a/apis/dataexchange/v1beta1/zz_generated.managed.go
+++ b/apis/dataexchange/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DataSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DataSet.
+func (mg *DataSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DataSet.
 func (mg *DataSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DataSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DataSet.
+func (mg *DataSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DataSet.
 func (mg *DataSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Revision) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Revision.
+func (mg *Revision) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Revision.
 func (mg *Revision) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Revision) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Revision.
+func (mg *Revision) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Revision.
 func (mg *Revision) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/datapipeline/v1beta1/zz_generated.managed.go b/apis/datapipeline/v1beta1/zz_generated.managed.go
index 12643c6818..12b3c60bca 100644
--- a/apis/datapipeline/v1beta1/zz_generated.managed.go
+++ b/apis/datapipeline/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Pipeline) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Pipeline.
+func (mg *Pipeline) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Pipeline.
 func (mg *Pipeline) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Pipeline) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Pipeline.
+func (mg *Pipeline) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Pipeline.
 func (mg *Pipeline) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/dax/v1beta1/zz_generated.managed.go b/apis/dax/v1beta1/zz_generated.managed.go
index b53cdddec9..edd4600f54 100644
--- a/apis/dax/v1beta1/zz_generated.managed.go
+++ b/apis/dax/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *SubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *SubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/deploy/v1beta1/zz_generated.managed.go b/apis/deploy/v1beta1/zz_generated.managed.go
index 7589522542..12ed507979 100644
--- a/apis/deploy/v1beta1/zz_generated.managed.go
+++ b/apis/deploy/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *App) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this App.
+func (mg *App) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this App.
 func (mg *App) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *App) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this App.
+func (mg *App) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this App.
 func (mg *App) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *DeploymentConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DeploymentConfig.
+func (mg *DeploymentConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DeploymentConfig.
 func (mg *DeploymentConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *DeploymentConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DeploymentConfig.
+func (mg *DeploymentConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DeploymentConfig.
 func (mg *DeploymentConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DeploymentGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DeploymentGroup.
+func (mg *DeploymentGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DeploymentGroup.
 func (mg *DeploymentGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DeploymentGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DeploymentGroup.
+func (mg *DeploymentGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DeploymentGroup.
 func (mg *DeploymentGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/detective/v1beta1/zz_generated.managed.go b/apis/detective/v1beta1/zz_generated.managed.go
index 044be1caf2..967d3dd1fc 100644
--- a/apis/detective/v1beta1/zz_generated.managed.go
+++ b/apis/detective/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Graph) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Graph.
+func (mg *Graph) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Graph.
 func (mg *Graph) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Graph) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Graph.
+func (mg *Graph) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Graph.
 func (mg *Graph) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *InvitationAccepter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InvitationAccepter.
+func (mg *InvitationAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InvitationAccepter.
 func (mg *InvitationAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *InvitationAccepter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InvitationAccepter.
+func (mg *InvitationAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InvitationAccepter.
 func (mg *InvitationAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Member) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Member.
+func (mg *Member) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Member.
 func (mg *Member) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Member) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Member.
+func (mg *Member) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Member.
 func (mg *Member) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/devicefarm/v1beta1/zz_generated.managed.go b/apis/devicefarm/v1beta1/zz_generated.managed.go
index 13c939abbe..d313d56619 100644
--- a/apis/devicefarm/v1beta1/zz_generated.managed.go
+++ b/apis/devicefarm/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DevicePool) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DevicePool.
+func (mg *DevicePool) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DevicePool.
 func (mg *DevicePool) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DevicePool) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DevicePool.
+func (mg *DevicePool) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DevicePool.
 func (mg *DevicePool) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *InstanceProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InstanceProfile.
+func (mg *InstanceProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InstanceProfile.
 func (mg *InstanceProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *InstanceProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InstanceProfile.
+func (mg *InstanceProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InstanceProfile.
 func (mg *InstanceProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *NetworkProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkProfile.
+func (mg *NetworkProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkProfile.
 func (mg *NetworkProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *NetworkProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkProfile.
+func (mg *NetworkProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkProfile.
 func (mg *NetworkProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Project) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Project.
+func (mg *Project) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Project.
 func (mg *Project) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Project) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Project.
+func (mg *Project) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Project.
 func (mg *Project) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *TestGridProject) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TestGridProject.
+func (mg *TestGridProject) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TestGridProject.
 func (mg *TestGridProject) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *TestGridProject) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TestGridProject.
+func (mg *TestGridProject) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TestGridProject.
 func (mg *TestGridProject) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Upload) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Upload.
+func (mg *Upload) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Upload.
 func (mg *Upload) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Upload) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Upload.
+func (mg *Upload) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Upload.
 func (mg *Upload) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/directconnect/v1beta1/zz_generated.managed.go b/apis/directconnect/v1beta1/zz_generated.managed.go
index 5eb67d6710..86a4a60628 100644
--- a/apis/directconnect/v1beta1/zz_generated.managed.go
+++ b/apis/directconnect/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *BGPPeer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BGPPeer.
+func (mg *BGPPeer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BGPPeer.
 func (mg *BGPPeer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *BGPPeer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BGPPeer.
+func (mg *BGPPeer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BGPPeer.
 func (mg *BGPPeer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Connection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Connection.
+func (mg *Connection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Connection.
 func (mg *Connection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Connection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Connection.
+func (mg *Connection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Connection.
 func (mg *Connection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ConnectionAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConnectionAssociation.
+func (mg *ConnectionAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConnectionAssociation.
 func (mg *ConnectionAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ConnectionAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConnectionAssociation.
+func (mg *ConnectionAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConnectionAssociation.
 func (mg *ConnectionAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Gateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Gateway.
+func (mg *Gateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Gateway.
 func (mg *Gateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Gateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Gateway.
+func (mg *Gateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Gateway.
 func (mg *Gateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *GatewayAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GatewayAssociation.
+func (mg *GatewayAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GatewayAssociation.
 func (mg *GatewayAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *GatewayAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GatewayAssociation.
+func (mg *GatewayAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GatewayAssociation.
 func (mg *GatewayAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *GatewayAssociationProposal) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GatewayAssociationProposal.
+func (mg *GatewayAssociationProposal) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GatewayAssociationProposal.
 func (mg *GatewayAssociationProposal) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *GatewayAssociationProposal) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GatewayAssociationProposal.
+func (mg *GatewayAssociationProposal) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GatewayAssociationProposal.
 func (mg *GatewayAssociationProposal) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *HostedPrivateVirtualInterface) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedPrivateVirtualInterface.
+func (mg *HostedPrivateVirtualInterface) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedPrivateVirtualInterface.
 func (mg *HostedPrivateVirtualInterface) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *HostedPrivateVirtualInterface) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedPrivateVirtualInterface.
+func (mg *HostedPrivateVirtualInterface) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedPrivateVirtualInterface.
 func (mg *HostedPrivateVirtualInterface) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *HostedPrivateVirtualInterfaceAccepter) GetDeletionPolicy() xpv1.Deleti
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedPrivateVirtualInterfaceAccepter.
+func (mg *HostedPrivateVirtualInterfaceAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedPrivateVirtualInterfaceAccepter.
 func (mg *HostedPrivateVirtualInterfaceAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *HostedPrivateVirtualInterfaceAccepter) SetDeletionPolicy(r xpv1.Deleti
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedPrivateVirtualInterfaceAccepter.
+func (mg *HostedPrivateVirtualInterfaceAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedPrivateVirtualInterfaceAccepter.
 func (mg *HostedPrivateVirtualInterfaceAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *HostedPublicVirtualInterface) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedPublicVirtualInterface.
+func (mg *HostedPublicVirtualInterface) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedPublicVirtualInterface.
 func (mg *HostedPublicVirtualInterface) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *HostedPublicVirtualInterface) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedPublicVirtualInterface.
+func (mg *HostedPublicVirtualInterface) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedPublicVirtualInterface.
 func (mg *HostedPublicVirtualInterface) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *HostedPublicVirtualInterfaceAccepter) GetDeletionPolicy() xpv1.Deletio
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedPublicVirtualInterfaceAccepter.
+func (mg *HostedPublicVirtualInterfaceAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedPublicVirtualInterfaceAccepter.
 func (mg *HostedPublicVirtualInterfaceAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *HostedPublicVirtualInterfaceAccepter) SetDeletionPolicy(r xpv1.Deletio
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedPublicVirtualInterfaceAccepter.
+func (mg *HostedPublicVirtualInterfaceAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedPublicVirtualInterfaceAccepter.
 func (mg *HostedPublicVirtualInterfaceAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *HostedTransitVirtualInterface) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedTransitVirtualInterface.
+func (mg *HostedTransitVirtualInterface) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedTransitVirtualInterface.
 func (mg *HostedTransitVirtualInterface) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *HostedTransitVirtualInterface) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedTransitVirtualInterface.
+func (mg *HostedTransitVirtualInterface) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedTransitVirtualInterface.
 func (mg *HostedTransitVirtualInterface) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *HostedTransitVirtualInterfaceAccepter) GetDeletionPolicy() xpv1.Deleti
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedTransitVirtualInterfaceAccepter.
+func (mg *HostedTransitVirtualInterfaceAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedTransitVirtualInterfaceAccepter.
 func (mg *HostedTransitVirtualInterfaceAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *HostedTransitVirtualInterfaceAccepter) SetDeletionPolicy(r xpv1.Deleti
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedTransitVirtualInterfaceAccepter.
+func (mg *HostedTransitVirtualInterfaceAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedTransitVirtualInterfaceAccepter.
 func (mg *HostedTransitVirtualInterfaceAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *Lag) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Lag.
+func (mg *Lag) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Lag.
 func (mg *Lag) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *Lag) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Lag.
+func (mg *Lag) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Lag.
 func (mg *Lag) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *PrivateVirtualInterface) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PrivateVirtualInterface.
+func (mg *PrivateVirtualInterface) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PrivateVirtualInterface.
 func (mg *PrivateVirtualInterface) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *PrivateVirtualInterface) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PrivateVirtualInterface.
+func (mg *PrivateVirtualInterface) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PrivateVirtualInterface.
 func (mg *PrivateVirtualInterface) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *PublicVirtualInterface) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PublicVirtualInterface.
+func (mg *PublicVirtualInterface) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PublicVirtualInterface.
 func (mg *PublicVirtualInterface) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *PublicVirtualInterface) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PublicVirtualInterface.
+func (mg *PublicVirtualInterface) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PublicVirtualInterface.
 func (mg *PublicVirtualInterface) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *TransitVirtualInterface) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitVirtualInterface.
+func (mg *TransitVirtualInterface) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitVirtualInterface.
 func (mg *TransitVirtualInterface) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *TransitVirtualInterface) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitVirtualInterface.
+func (mg *TransitVirtualInterface) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitVirtualInterface.
 func (mg *TransitVirtualInterface) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/dlm/v1beta1/zz_generated.managed.go b/apis/dlm/v1beta1/zz_generated.managed.go
index 6ab44d411a..267b55e7b6 100644
--- a/apis/dlm/v1beta1/zz_generated.managed.go
+++ b/apis/dlm/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *LifecyclePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LifecyclePolicy.
+func (mg *LifecyclePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LifecyclePolicy.
 func (mg *LifecyclePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *LifecyclePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LifecyclePolicy.
+func (mg *LifecyclePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LifecyclePolicy.
 func (mg *LifecyclePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/dms/v1beta1/zz_generated.managed.go b/apis/dms/v1beta1/zz_generated.managed.go
index 79cf9ae918..85cdcfb0e6 100644
--- a/apis/dms/v1beta1/zz_generated.managed.go
+++ b/apis/dms/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Certificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Certificate.
+func (mg *Certificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Certificate.
 func (mg *Certificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Certificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Certificate.
+func (mg *Certificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Certificate.
 func (mg *Certificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Endpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Endpoint.
+func (mg *Endpoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Endpoint.
 func (mg *Endpoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Endpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Endpoint.
+func (mg *Endpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Endpoint.
 func (mg *Endpoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *EventSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *EventSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ReplicationInstance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicationInstance.
+func (mg *ReplicationInstance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicationInstance.
 func (mg *ReplicationInstance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ReplicationInstance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicationInstance.
+func (mg *ReplicationInstance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicationInstance.
 func (mg *ReplicationInstance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ReplicationSubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicationSubnetGroup.
+func (mg *ReplicationSubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicationSubnetGroup.
 func (mg *ReplicationSubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ReplicationSubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicationSubnetGroup.
+func (mg *ReplicationSubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicationSubnetGroup.
 func (mg *ReplicationSubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ReplicationTask) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicationTask.
+func (mg *ReplicationTask) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicationTask.
 func (mg *ReplicationTask) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ReplicationTask) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicationTask.
+func (mg *ReplicationTask) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicationTask.
 func (mg *ReplicationTask) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *S3Endpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this S3Endpoint.
+func (mg *S3Endpoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this S3Endpoint.
 func (mg *S3Endpoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *S3Endpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this S3Endpoint.
+func (mg *S3Endpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this S3Endpoint.
 func (mg *S3Endpoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/docdb/v1beta1/zz_generated.managed.go b/apis/docdb/v1beta1/zz_generated.managed.go
index adc6d0c196..5ed175509d 100644
--- a/apis/docdb/v1beta1/zz_generated.managed.go
+++ b/apis/docdb/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ClusterInstance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterInstance.
+func (mg *ClusterInstance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterInstance.
 func (mg *ClusterInstance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ClusterInstance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterInstance.
+func (mg *ClusterInstance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterInstance.
 func (mg *ClusterInstance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ClusterParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterParameterGroup.
+func (mg *ClusterParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterParameterGroup.
 func (mg *ClusterParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ClusterParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterParameterGroup.
+func (mg *ClusterParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterParameterGroup.
 func (mg *ClusterParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ClusterSnapshot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterSnapshot.
+func (mg *ClusterSnapshot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterSnapshot.
 func (mg *ClusterSnapshot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ClusterSnapshot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterSnapshot.
+func (mg *ClusterSnapshot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterSnapshot.
 func (mg *ClusterSnapshot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *EventSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *EventSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *GlobalCluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GlobalCluster.
+func (mg *GlobalCluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GlobalCluster.
 func (mg *GlobalCluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *GlobalCluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GlobalCluster.
+func (mg *GlobalCluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GlobalCluster.
 func (mg *GlobalCluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *SubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *SubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ds/v1beta1/zz_generated.managed.go b/apis/ds/v1beta1/zz_generated.managed.go
index 7ee92068b8..9e8ebfcf7f 100644
--- a/apis/ds/v1beta1/zz_generated.managed.go
+++ b/apis/ds/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ConditionalForwarder) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConditionalForwarder.
+func (mg *ConditionalForwarder) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConditionalForwarder.
 func (mg *ConditionalForwarder) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ConditionalForwarder) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConditionalForwarder.
+func (mg *ConditionalForwarder) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConditionalForwarder.
 func (mg *ConditionalForwarder) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Directory) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Directory.
+func (mg *Directory) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Directory.
 func (mg *Directory) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Directory) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Directory.
+func (mg *Directory) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Directory.
 func (mg *Directory) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *SharedDirectory) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SharedDirectory.
+func (mg *SharedDirectory) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SharedDirectory.
 func (mg *SharedDirectory) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *SharedDirectory) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SharedDirectory.
+func (mg *SharedDirectory) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SharedDirectory.
 func (mg *SharedDirectory) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/dynamodb/v1beta1/zz_generated.managed.go b/apis/dynamodb/v1beta1/zz_generated.managed.go
index ca9892c817..4bb13c32e3 100644
--- a/apis/dynamodb/v1beta1/zz_generated.managed.go
+++ b/apis/dynamodb/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ContributorInsights) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ContributorInsights.
+func (mg *ContributorInsights) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ContributorInsights.
 func (mg *ContributorInsights) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ContributorInsights) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ContributorInsights.
+func (mg *ContributorInsights) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ContributorInsights.
 func (mg *ContributorInsights) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *GlobalTable) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GlobalTable.
+func (mg *GlobalTable) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GlobalTable.
 func (mg *GlobalTable) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *GlobalTable) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GlobalTable.
+func (mg *GlobalTable) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GlobalTable.
 func (mg *GlobalTable) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *KinesisStreamingDestination) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this KinesisStreamingDestination.
+func (mg *KinesisStreamingDestination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this KinesisStreamingDestination.
 func (mg *KinesisStreamingDestination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *KinesisStreamingDestination) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this KinesisStreamingDestination.
+func (mg *KinesisStreamingDestination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this KinesisStreamingDestination.
 func (mg *KinesisStreamingDestination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Table) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Table.
+func (mg *Table) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Table.
 func (mg *Table) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Table) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Table.
+func (mg *Table) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Table.
 func (mg *Table) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *TableItem) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TableItem.
+func (mg *TableItem) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TableItem.
 func (mg *TableItem) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *TableItem) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TableItem.
+func (mg *TableItem) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TableItem.
 func (mg *TableItem) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *TableReplica) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TableReplica.
+func (mg *TableReplica) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TableReplica.
 func (mg *TableReplica) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *TableReplica) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TableReplica.
+func (mg *TableReplica) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TableReplica.
 func (mg *TableReplica) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Tag) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Tag.
+func (mg *Tag) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Tag.
 func (mg *Tag) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Tag) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Tag.
+func (mg *Tag) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Tag.
 func (mg *Tag) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ec2/v1beta1/zz_generated.managed.go b/apis/ec2/v1beta1/zz_generated.managed.go
index 80c9f07b42..39495cff65 100644
--- a/apis/ec2/v1beta1/zz_generated.managed.go
+++ b/apis/ec2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AMI) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AMI.
+func (mg *AMI) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AMI.
 func (mg *AMI) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AMI) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AMI.
+func (mg *AMI) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AMI.
 func (mg *AMI) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *AMICopy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AMICopy.
+func (mg *AMICopy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AMICopy.
 func (mg *AMICopy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *AMICopy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AMICopy.
+func (mg *AMICopy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AMICopy.
 func (mg *AMICopy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *AMILaunchPermission) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AMILaunchPermission.
+func (mg *AMILaunchPermission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AMILaunchPermission.
 func (mg *AMILaunchPermission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *AMILaunchPermission) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AMILaunchPermission.
+func (mg *AMILaunchPermission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AMILaunchPermission.
 func (mg *AMILaunchPermission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *AvailabilityZoneGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AvailabilityZoneGroup.
+func (mg *AvailabilityZoneGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AvailabilityZoneGroup.
 func (mg *AvailabilityZoneGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *AvailabilityZoneGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AvailabilityZoneGroup.
+func (mg *AvailabilityZoneGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AvailabilityZoneGroup.
 func (mg *AvailabilityZoneGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *CapacityReservation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CapacityReservation.
+func (mg *CapacityReservation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CapacityReservation.
 func (mg *CapacityReservation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *CapacityReservation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CapacityReservation.
+func (mg *CapacityReservation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CapacityReservation.
 func (mg *CapacityReservation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *CarrierGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CarrierGateway.
+func (mg *CarrierGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CarrierGateway.
 func (mg *CarrierGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *CarrierGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CarrierGateway.
+func (mg *CarrierGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CarrierGateway.
 func (mg *CarrierGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *CustomerGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CustomerGateway.
+func (mg *CustomerGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CustomerGateway.
 func (mg *CustomerGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *CustomerGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CustomerGateway.
+func (mg *CustomerGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CustomerGateway.
 func (mg *CustomerGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *DefaultNetworkACL) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DefaultNetworkACL.
+func (mg *DefaultNetworkACL) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DefaultNetworkACL.
 func (mg *DefaultNetworkACL) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *DefaultNetworkACL) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DefaultNetworkACL.
+func (mg *DefaultNetworkACL) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DefaultNetworkACL.
 func (mg *DefaultNetworkACL) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *DefaultRouteTable) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DefaultRouteTable.
+func (mg *DefaultRouteTable) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DefaultRouteTable.
 func (mg *DefaultRouteTable) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *DefaultRouteTable) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DefaultRouteTable.
+func (mg *DefaultRouteTable) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DefaultRouteTable.
 func (mg *DefaultRouteTable) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *DefaultSecurityGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DefaultSecurityGroup.
+func (mg *DefaultSecurityGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DefaultSecurityGroup.
 func (mg *DefaultSecurityGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *DefaultSecurityGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DefaultSecurityGroup.
+func (mg *DefaultSecurityGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DefaultSecurityGroup.
 func (mg *DefaultSecurityGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *DefaultSubnet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DefaultSubnet.
+func (mg *DefaultSubnet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DefaultSubnet.
 func (mg *DefaultSubnet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *DefaultSubnet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DefaultSubnet.
+func (mg *DefaultSubnet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DefaultSubnet.
 func (mg *DefaultSubnet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *DefaultVPC) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DefaultVPC.
+func (mg *DefaultVPC) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DefaultVPC.
 func (mg *DefaultVPC) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *DefaultVPC) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DefaultVPC.
+func (mg *DefaultVPC) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DefaultVPC.
 func (mg *DefaultVPC) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *DefaultVPCDHCPOptions) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DefaultVPCDHCPOptions.
+func (mg *DefaultVPCDHCPOptions) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DefaultVPCDHCPOptions.
 func (mg *DefaultVPCDHCPOptions) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *DefaultVPCDHCPOptions) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DefaultVPCDHCPOptions.
+func (mg *DefaultVPCDHCPOptions) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DefaultVPCDHCPOptions.
 func (mg *DefaultVPCDHCPOptions) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *EBSDefaultKMSKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EBSDefaultKMSKey.
+func (mg *EBSDefaultKMSKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EBSDefaultKMSKey.
 func (mg *EBSDefaultKMSKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *EBSDefaultKMSKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EBSDefaultKMSKey.
+func (mg *EBSDefaultKMSKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EBSDefaultKMSKey.
 func (mg *EBSDefaultKMSKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *EBSEncryptionByDefault) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EBSEncryptionByDefault.
+func (mg *EBSEncryptionByDefault) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EBSEncryptionByDefault.
 func (mg *EBSEncryptionByDefault) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *EBSEncryptionByDefault) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EBSEncryptionByDefault.
+func (mg *EBSEncryptionByDefault) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EBSEncryptionByDefault.
 func (mg *EBSEncryptionByDefault) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *EBSSnapshot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EBSSnapshot.
+func (mg *EBSSnapshot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EBSSnapshot.
 func (mg *EBSSnapshot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *EBSSnapshot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EBSSnapshot.
+func (mg *EBSSnapshot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EBSSnapshot.
 func (mg *EBSSnapshot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1073,6 +1233,11 @@ func (mg *EBSSnapshotCopy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EBSSnapshotCopy.
+func (mg *EBSSnapshotCopy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EBSSnapshotCopy.
 func (mg *EBSSnapshotCopy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1106,6 +1271,11 @@ func (mg *EBSSnapshotCopy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EBSSnapshotCopy.
+func (mg *EBSSnapshotCopy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EBSSnapshotCopy.
 func (mg *EBSSnapshotCopy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1139,6 +1309,11 @@ func (mg *EBSSnapshotImport) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EBSSnapshotImport.
+func (mg *EBSSnapshotImport) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EBSSnapshotImport.
 func (mg *EBSSnapshotImport) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1172,6 +1347,11 @@ func (mg *EBSSnapshotImport) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EBSSnapshotImport.
+func (mg *EBSSnapshotImport) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EBSSnapshotImport.
 func (mg *EBSSnapshotImport) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1205,6 +1385,11 @@ func (mg *EBSVolume) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EBSVolume.
+func (mg *EBSVolume) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EBSVolume.
 func (mg *EBSVolume) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1238,6 +1423,11 @@ func (mg *EBSVolume) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EBSVolume.
+func (mg *EBSVolume) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EBSVolume.
 func (mg *EBSVolume) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1271,6 +1461,11 @@ func (mg *EIP) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EIP.
+func (mg *EIP) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EIP.
 func (mg *EIP) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1304,6 +1499,11 @@ func (mg *EIP) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EIP.
+func (mg *EIP) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EIP.
 func (mg *EIP) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1337,6 +1537,11 @@ func (mg *EIPAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EIPAssociation.
+func (mg *EIPAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EIPAssociation.
 func (mg *EIPAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1370,6 +1575,11 @@ func (mg *EIPAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EIPAssociation.
+func (mg *EIPAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EIPAssociation.
 func (mg *EIPAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1403,6 +1613,11 @@ func (mg *EgressOnlyInternetGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EgressOnlyInternetGateway.
+func (mg *EgressOnlyInternetGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EgressOnlyInternetGateway.
 func (mg *EgressOnlyInternetGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1436,6 +1651,11 @@ func (mg *EgressOnlyInternetGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EgressOnlyInternetGateway.
+func (mg *EgressOnlyInternetGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EgressOnlyInternetGateway.
 func (mg *EgressOnlyInternetGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1469,6 +1689,11 @@ func (mg *FlowLog) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FlowLog.
+func (mg *FlowLog) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FlowLog.
 func (mg *FlowLog) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1502,6 +1727,11 @@ func (mg *FlowLog) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FlowLog.
+func (mg *FlowLog) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FlowLog.
 func (mg *FlowLog) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1535,6 +1765,11 @@ func (mg *Host) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Host.
+func (mg *Host) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Host.
 func (mg *Host) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1568,6 +1803,11 @@ func (mg *Host) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Host.
+func (mg *Host) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Host.
 func (mg *Host) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1601,6 +1841,11 @@ func (mg *Instance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Instance.
+func (mg *Instance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Instance.
 func (mg *Instance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1634,6 +1879,11 @@ func (mg *Instance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Instance.
+func (mg *Instance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Instance.
 func (mg *Instance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1667,6 +1917,11 @@ func (mg *InstanceState) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InstanceState.
+func (mg *InstanceState) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InstanceState.
 func (mg *InstanceState) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1700,6 +1955,11 @@ func (mg *InstanceState) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InstanceState.
+func (mg *InstanceState) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InstanceState.
 func (mg *InstanceState) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1733,6 +1993,11 @@ func (mg *InternetGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InternetGateway.
+func (mg *InternetGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InternetGateway.
 func (mg *InternetGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1766,6 +2031,11 @@ func (mg *InternetGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InternetGateway.
+func (mg *InternetGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InternetGateway.
 func (mg *InternetGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1799,6 +2069,11 @@ func (mg *KeyPair) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this KeyPair.
+func (mg *KeyPair) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this KeyPair.
 func (mg *KeyPair) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1832,6 +2107,11 @@ func (mg *KeyPair) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this KeyPair.
+func (mg *KeyPair) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this KeyPair.
 func (mg *KeyPair) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1865,6 +2145,11 @@ func (mg *LaunchTemplate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LaunchTemplate.
+func (mg *LaunchTemplate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LaunchTemplate.
 func (mg *LaunchTemplate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1898,6 +2183,11 @@ func (mg *LaunchTemplate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LaunchTemplate.
+func (mg *LaunchTemplate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LaunchTemplate.
 func (mg *LaunchTemplate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1931,6 +2221,11 @@ func (mg *MainRouteTableAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MainRouteTableAssociation.
+func (mg *MainRouteTableAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MainRouteTableAssociation.
 func (mg *MainRouteTableAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1964,6 +2259,11 @@ func (mg *MainRouteTableAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MainRouteTableAssociation.
+func (mg *MainRouteTableAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MainRouteTableAssociation.
 func (mg *MainRouteTableAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1997,6 +2297,11 @@ func (mg *ManagedPrefixList) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ManagedPrefixList.
+func (mg *ManagedPrefixList) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ManagedPrefixList.
 func (mg *ManagedPrefixList) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2030,6 +2335,11 @@ func (mg *ManagedPrefixList) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ManagedPrefixList.
+func (mg *ManagedPrefixList) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ManagedPrefixList.
 func (mg *ManagedPrefixList) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2063,6 +2373,11 @@ func (mg *ManagedPrefixListEntry) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ManagedPrefixListEntry.
+func (mg *ManagedPrefixListEntry) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ManagedPrefixListEntry.
 func (mg *ManagedPrefixListEntry) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2096,6 +2411,11 @@ func (mg *ManagedPrefixListEntry) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ManagedPrefixListEntry.
+func (mg *ManagedPrefixListEntry) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ManagedPrefixListEntry.
 func (mg *ManagedPrefixListEntry) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2129,6 +2449,11 @@ func (mg *NATGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NATGateway.
+func (mg *NATGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NATGateway.
 func (mg *NATGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2162,6 +2487,11 @@ func (mg *NATGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NATGateway.
+func (mg *NATGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NATGateway.
 func (mg *NATGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2195,6 +2525,11 @@ func (mg *NetworkACL) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkACL.
+func (mg *NetworkACL) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkACL.
 func (mg *NetworkACL) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2228,6 +2563,11 @@ func (mg *NetworkACL) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkACL.
+func (mg *NetworkACL) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkACL.
 func (mg *NetworkACL) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2261,6 +2601,11 @@ func (mg *NetworkACLRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkACLRule.
+func (mg *NetworkACLRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkACLRule.
 func (mg *NetworkACLRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2294,6 +2639,11 @@ func (mg *NetworkACLRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkACLRule.
+func (mg *NetworkACLRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkACLRule.
 func (mg *NetworkACLRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2327,6 +2677,11 @@ func (mg *NetworkInsightsAnalysis) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkInsightsAnalysis.
+func (mg *NetworkInsightsAnalysis) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkInsightsAnalysis.
 func (mg *NetworkInsightsAnalysis) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2360,6 +2715,11 @@ func (mg *NetworkInsightsAnalysis) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkInsightsAnalysis.
+func (mg *NetworkInsightsAnalysis) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkInsightsAnalysis.
 func (mg *NetworkInsightsAnalysis) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2393,6 +2753,11 @@ func (mg *NetworkInsightsPath) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkInsightsPath.
+func (mg *NetworkInsightsPath) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkInsightsPath.
 func (mg *NetworkInsightsPath) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2426,6 +2791,11 @@ func (mg *NetworkInsightsPath) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkInsightsPath.
+func (mg *NetworkInsightsPath) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkInsightsPath.
 func (mg *NetworkInsightsPath) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2459,6 +2829,11 @@ func (mg *NetworkInterface) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkInterface.
+func (mg *NetworkInterface) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkInterface.
 func (mg *NetworkInterface) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2492,6 +2867,11 @@ func (mg *NetworkInterface) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkInterface.
+func (mg *NetworkInterface) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkInterface.
 func (mg *NetworkInterface) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2525,6 +2905,11 @@ func (mg *NetworkInterfaceAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkInterfaceAttachment.
+func (mg *NetworkInterfaceAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkInterfaceAttachment.
 func (mg *NetworkInterfaceAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2558,6 +2943,11 @@ func (mg *NetworkInterfaceAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkInterfaceAttachment.
+func (mg *NetworkInterfaceAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkInterfaceAttachment.
 func (mg *NetworkInterfaceAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2591,6 +2981,11 @@ func (mg *NetworkInterfaceSgAttachment) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkInterfaceSgAttachment.
+func (mg *NetworkInterfaceSgAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkInterfaceSgAttachment.
 func (mg *NetworkInterfaceSgAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2624,6 +3019,11 @@ func (mg *NetworkInterfaceSgAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkInterfaceSgAttachment.
+func (mg *NetworkInterfaceSgAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkInterfaceSgAttachment.
 func (mg *NetworkInterfaceSgAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2657,6 +3057,11 @@ func (mg *PlacementGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PlacementGroup.
+func (mg *PlacementGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PlacementGroup.
 func (mg *PlacementGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2690,6 +3095,11 @@ func (mg *PlacementGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PlacementGroup.
+func (mg *PlacementGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PlacementGroup.
 func (mg *PlacementGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2723,6 +3133,11 @@ func (mg *Route) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Route.
+func (mg *Route) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Route.
 func (mg *Route) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2756,6 +3171,11 @@ func (mg *Route) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Route.
+func (mg *Route) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Route.
 func (mg *Route) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2789,6 +3209,11 @@ func (mg *RouteTable) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RouteTable.
+func (mg *RouteTable) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RouteTable.
 func (mg *RouteTable) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2822,6 +3247,11 @@ func (mg *RouteTable) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RouteTable.
+func (mg *RouteTable) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RouteTable.
 func (mg *RouteTable) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2855,6 +3285,11 @@ func (mg *RouteTableAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RouteTableAssociation.
+func (mg *RouteTableAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RouteTableAssociation.
 func (mg *RouteTableAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2888,6 +3323,11 @@ func (mg *RouteTableAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RouteTableAssociation.
+func (mg *RouteTableAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RouteTableAssociation.
 func (mg *RouteTableAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2921,6 +3361,11 @@ func (mg *SecurityGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecurityGroup.
+func (mg *SecurityGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecurityGroup.
 func (mg *SecurityGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -2954,6 +3399,11 @@ func (mg *SecurityGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecurityGroup.
+func (mg *SecurityGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecurityGroup.
 func (mg *SecurityGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -2987,6 +3437,11 @@ func (mg *SecurityGroupRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecurityGroupRule.
+func (mg *SecurityGroupRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecurityGroupRule.
 func (mg *SecurityGroupRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3020,6 +3475,11 @@ func (mg *SecurityGroupRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecurityGroupRule.
+func (mg *SecurityGroupRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecurityGroupRule.
 func (mg *SecurityGroupRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3053,6 +3513,11 @@ func (mg *SerialConsoleAccess) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SerialConsoleAccess.
+func (mg *SerialConsoleAccess) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SerialConsoleAccess.
 func (mg *SerialConsoleAccess) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3086,6 +3551,11 @@ func (mg *SerialConsoleAccess) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SerialConsoleAccess.
+func (mg *SerialConsoleAccess) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SerialConsoleAccess.
 func (mg *SerialConsoleAccess) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3119,6 +3589,11 @@ func (mg *SnapshotCreateVolumePermission) GetDeletionPolicy() xpv1.DeletionPolic
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SnapshotCreateVolumePermission.
+func (mg *SnapshotCreateVolumePermission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SnapshotCreateVolumePermission.
 func (mg *SnapshotCreateVolumePermission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3152,6 +3627,11 @@ func (mg *SnapshotCreateVolumePermission) SetDeletionPolicy(r xpv1.DeletionPolic
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SnapshotCreateVolumePermission.
+func (mg *SnapshotCreateVolumePermission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SnapshotCreateVolumePermission.
 func (mg *SnapshotCreateVolumePermission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3185,6 +3665,11 @@ func (mg *SpotDatafeedSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SpotDatafeedSubscription.
+func (mg *SpotDatafeedSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SpotDatafeedSubscription.
 func (mg *SpotDatafeedSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3218,6 +3703,11 @@ func (mg *SpotDatafeedSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SpotDatafeedSubscription.
+func (mg *SpotDatafeedSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SpotDatafeedSubscription.
 func (mg *SpotDatafeedSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3251,6 +3741,11 @@ func (mg *SpotFleetRequest) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SpotFleetRequest.
+func (mg *SpotFleetRequest) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SpotFleetRequest.
 func (mg *SpotFleetRequest) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3284,6 +3779,11 @@ func (mg *SpotFleetRequest) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SpotFleetRequest.
+func (mg *SpotFleetRequest) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SpotFleetRequest.
 func (mg *SpotFleetRequest) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3317,6 +3817,11 @@ func (mg *SpotInstanceRequest) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SpotInstanceRequest.
+func (mg *SpotInstanceRequest) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SpotInstanceRequest.
 func (mg *SpotInstanceRequest) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3350,6 +3855,11 @@ func (mg *SpotInstanceRequest) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SpotInstanceRequest.
+func (mg *SpotInstanceRequest) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SpotInstanceRequest.
 func (mg *SpotInstanceRequest) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3383,6 +3893,11 @@ func (mg *Subnet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Subnet.
+func (mg *Subnet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Subnet.
 func (mg *Subnet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3416,6 +3931,11 @@ func (mg *Subnet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Subnet.
+func (mg *Subnet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Subnet.
 func (mg *Subnet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3449,6 +3969,11 @@ func (mg *SubnetCidrReservation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetCidrReservation.
+func (mg *SubnetCidrReservation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetCidrReservation.
 func (mg *SubnetCidrReservation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3482,6 +4007,11 @@ func (mg *SubnetCidrReservation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetCidrReservation.
+func (mg *SubnetCidrReservation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetCidrReservation.
 func (mg *SubnetCidrReservation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3515,6 +4045,11 @@ func (mg *Tag) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Tag.
+func (mg *Tag) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Tag.
 func (mg *Tag) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3548,6 +4083,11 @@ func (mg *Tag) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Tag.
+func (mg *Tag) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Tag.
 func (mg *Tag) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3581,6 +4121,11 @@ func (mg *TrafficMirrorFilter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TrafficMirrorFilter.
+func (mg *TrafficMirrorFilter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TrafficMirrorFilter.
 func (mg *TrafficMirrorFilter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3614,6 +4159,11 @@ func (mg *TrafficMirrorFilter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TrafficMirrorFilter.
+func (mg *TrafficMirrorFilter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TrafficMirrorFilter.
 func (mg *TrafficMirrorFilter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3647,6 +4197,11 @@ func (mg *TrafficMirrorFilterRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TrafficMirrorFilterRule.
+func (mg *TrafficMirrorFilterRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TrafficMirrorFilterRule.
 func (mg *TrafficMirrorFilterRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3680,6 +4235,11 @@ func (mg *TrafficMirrorFilterRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TrafficMirrorFilterRule.
+func (mg *TrafficMirrorFilterRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TrafficMirrorFilterRule.
 func (mg *TrafficMirrorFilterRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3713,6 +4273,11 @@ func (mg *TransitGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGateway.
+func (mg *TransitGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGateway.
 func (mg *TransitGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3746,6 +4311,11 @@ func (mg *TransitGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGateway.
+func (mg *TransitGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGateway.
 func (mg *TransitGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3779,6 +4349,11 @@ func (mg *TransitGatewayConnect) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayConnect.
+func (mg *TransitGatewayConnect) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayConnect.
 func (mg *TransitGatewayConnect) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3812,6 +4387,11 @@ func (mg *TransitGatewayConnect) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayConnect.
+func (mg *TransitGatewayConnect) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayConnect.
 func (mg *TransitGatewayConnect) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3845,6 +4425,11 @@ func (mg *TransitGatewayConnectPeer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayConnectPeer.
+func (mg *TransitGatewayConnectPeer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayConnectPeer.
 func (mg *TransitGatewayConnectPeer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3878,6 +4463,11 @@ func (mg *TransitGatewayConnectPeer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayConnectPeer.
+func (mg *TransitGatewayConnectPeer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayConnectPeer.
 func (mg *TransitGatewayConnectPeer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3911,6 +4501,11 @@ func (mg *TransitGatewayMulticastDomain) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayMulticastDomain.
+func (mg *TransitGatewayMulticastDomain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayMulticastDomain.
 func (mg *TransitGatewayMulticastDomain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -3944,6 +4539,11 @@ func (mg *TransitGatewayMulticastDomain) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayMulticastDomain.
+func (mg *TransitGatewayMulticastDomain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayMulticastDomain.
 func (mg *TransitGatewayMulticastDomain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -3977,6 +4577,11 @@ func (mg *TransitGatewayMulticastDomainAssociation) GetDeletionPolicy() xpv1.Del
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayMulticastDomainAssociation.
+func (mg *TransitGatewayMulticastDomainAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayMulticastDomainAssociation.
 func (mg *TransitGatewayMulticastDomainAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4010,6 +4615,11 @@ func (mg *TransitGatewayMulticastDomainAssociation) SetDeletionPolicy(r xpv1.Del
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayMulticastDomainAssociation.
+func (mg *TransitGatewayMulticastDomainAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayMulticastDomainAssociation.
 func (mg *TransitGatewayMulticastDomainAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4043,6 +4653,11 @@ func (mg *TransitGatewayMulticastGroupMember) GetDeletionPolicy() xpv1.DeletionP
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayMulticastGroupMember.
+func (mg *TransitGatewayMulticastGroupMember) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayMulticastGroupMember.
 func (mg *TransitGatewayMulticastGroupMember) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4076,6 +4691,11 @@ func (mg *TransitGatewayMulticastGroupMember) SetDeletionPolicy(r xpv1.DeletionP
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayMulticastGroupMember.
+func (mg *TransitGatewayMulticastGroupMember) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayMulticastGroupMember.
 func (mg *TransitGatewayMulticastGroupMember) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4109,6 +4729,11 @@ func (mg *TransitGatewayMulticastGroupSource) GetDeletionPolicy() xpv1.DeletionP
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayMulticastGroupSource.
+func (mg *TransitGatewayMulticastGroupSource) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayMulticastGroupSource.
 func (mg *TransitGatewayMulticastGroupSource) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4142,6 +4767,11 @@ func (mg *TransitGatewayMulticastGroupSource) SetDeletionPolicy(r xpv1.DeletionP
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayMulticastGroupSource.
+func (mg *TransitGatewayMulticastGroupSource) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayMulticastGroupSource.
 func (mg *TransitGatewayMulticastGroupSource) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4175,6 +4805,11 @@ func (mg *TransitGatewayPeeringAttachment) GetDeletionPolicy() xpv1.DeletionPoli
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayPeeringAttachment.
+func (mg *TransitGatewayPeeringAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayPeeringAttachment.
 func (mg *TransitGatewayPeeringAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4208,6 +4843,11 @@ func (mg *TransitGatewayPeeringAttachment) SetDeletionPolicy(r xpv1.DeletionPoli
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayPeeringAttachment.
+func (mg *TransitGatewayPeeringAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayPeeringAttachment.
 func (mg *TransitGatewayPeeringAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4241,6 +4881,11 @@ func (mg *TransitGatewayPeeringAttachmentAccepter) GetDeletionPolicy() xpv1.Dele
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayPeeringAttachmentAccepter.
+func (mg *TransitGatewayPeeringAttachmentAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayPeeringAttachmentAccepter.
 func (mg *TransitGatewayPeeringAttachmentAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4274,6 +4919,11 @@ func (mg *TransitGatewayPeeringAttachmentAccepter) SetDeletionPolicy(r xpv1.Dele
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayPeeringAttachmentAccepter.
+func (mg *TransitGatewayPeeringAttachmentAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayPeeringAttachmentAccepter.
 func (mg *TransitGatewayPeeringAttachmentAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4307,6 +4957,11 @@ func (mg *TransitGatewayPolicyTable) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayPolicyTable.
+func (mg *TransitGatewayPolicyTable) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayPolicyTable.
 func (mg *TransitGatewayPolicyTable) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4340,6 +4995,11 @@ func (mg *TransitGatewayPolicyTable) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayPolicyTable.
+func (mg *TransitGatewayPolicyTable) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayPolicyTable.
 func (mg *TransitGatewayPolicyTable) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4373,6 +5033,11 @@ func (mg *TransitGatewayPrefixListReference) GetDeletionPolicy() xpv1.DeletionPo
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayPrefixListReference.
+func (mg *TransitGatewayPrefixListReference) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayPrefixListReference.
 func (mg *TransitGatewayPrefixListReference) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4406,6 +5071,11 @@ func (mg *TransitGatewayPrefixListReference) SetDeletionPolicy(r xpv1.DeletionPo
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayPrefixListReference.
+func (mg *TransitGatewayPrefixListReference) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayPrefixListReference.
 func (mg *TransitGatewayPrefixListReference) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4439,6 +5109,11 @@ func (mg *TransitGatewayRoute) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayRoute.
+func (mg *TransitGatewayRoute) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayRoute.
 func (mg *TransitGatewayRoute) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4472,6 +5147,11 @@ func (mg *TransitGatewayRoute) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayRoute.
+func (mg *TransitGatewayRoute) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayRoute.
 func (mg *TransitGatewayRoute) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4505,6 +5185,11 @@ func (mg *TransitGatewayRouteTable) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayRouteTable.
+func (mg *TransitGatewayRouteTable) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayRouteTable.
 func (mg *TransitGatewayRouteTable) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4538,6 +5223,11 @@ func (mg *TransitGatewayRouteTable) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayRouteTable.
+func (mg *TransitGatewayRouteTable) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayRouteTable.
 func (mg *TransitGatewayRouteTable) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4571,6 +5261,11 @@ func (mg *TransitGatewayRouteTableAssociation) GetDeletionPolicy() xpv1.Deletion
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayRouteTableAssociation.
+func (mg *TransitGatewayRouteTableAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayRouteTableAssociation.
 func (mg *TransitGatewayRouteTableAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4604,6 +5299,11 @@ func (mg *TransitGatewayRouteTableAssociation) SetDeletionPolicy(r xpv1.Deletion
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayRouteTableAssociation.
+func (mg *TransitGatewayRouteTableAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayRouteTableAssociation.
 func (mg *TransitGatewayRouteTableAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4637,6 +5337,11 @@ func (mg *TransitGatewayRouteTablePropagation) GetDeletionPolicy() xpv1.Deletion
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayRouteTablePropagation.
+func (mg *TransitGatewayRouteTablePropagation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayRouteTablePropagation.
 func (mg *TransitGatewayRouteTablePropagation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4670,6 +5375,11 @@ func (mg *TransitGatewayRouteTablePropagation) SetDeletionPolicy(r xpv1.Deletion
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayRouteTablePropagation.
+func (mg *TransitGatewayRouteTablePropagation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayRouteTablePropagation.
 func (mg *TransitGatewayRouteTablePropagation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4703,6 +5413,11 @@ func (mg *TransitGatewayVPCAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayVPCAttachment.
+func (mg *TransitGatewayVPCAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayVPCAttachment.
 func (mg *TransitGatewayVPCAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4736,6 +5451,11 @@ func (mg *TransitGatewayVPCAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayVPCAttachment.
+func (mg *TransitGatewayVPCAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayVPCAttachment.
 func (mg *TransitGatewayVPCAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4769,6 +5489,11 @@ func (mg *TransitGatewayVPCAttachmentAccepter) GetDeletionPolicy() xpv1.Deletion
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayVPCAttachmentAccepter.
+func (mg *TransitGatewayVPCAttachmentAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayVPCAttachmentAccepter.
 func (mg *TransitGatewayVPCAttachmentAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4802,6 +5527,11 @@ func (mg *TransitGatewayVPCAttachmentAccepter) SetDeletionPolicy(r xpv1.Deletion
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayVPCAttachmentAccepter.
+func (mg *TransitGatewayVPCAttachmentAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayVPCAttachmentAccepter.
 func (mg *TransitGatewayVPCAttachmentAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4835,6 +5565,11 @@ func (mg *VPC) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPC.
+func (mg *VPC) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPC.
 func (mg *VPC) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4868,6 +5603,11 @@ func (mg *VPC) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPC.
+func (mg *VPC) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPC.
 func (mg *VPC) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4901,6 +5641,11 @@ func (mg *VPCDHCPOptions) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCDHCPOptions.
+func (mg *VPCDHCPOptions) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCDHCPOptions.
 func (mg *VPCDHCPOptions) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -4934,6 +5679,11 @@ func (mg *VPCDHCPOptions) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCDHCPOptions.
+func (mg *VPCDHCPOptions) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCDHCPOptions.
 func (mg *VPCDHCPOptions) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -4967,6 +5717,11 @@ func (mg *VPCDHCPOptionsAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCDHCPOptionsAssociation.
+func (mg *VPCDHCPOptionsAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCDHCPOptionsAssociation.
 func (mg *VPCDHCPOptionsAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5000,6 +5755,11 @@ func (mg *VPCDHCPOptionsAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCDHCPOptionsAssociation.
+func (mg *VPCDHCPOptionsAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCDHCPOptionsAssociation.
 func (mg *VPCDHCPOptionsAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5033,6 +5793,11 @@ func (mg *VPCEndpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCEndpoint.
+func (mg *VPCEndpoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCEndpoint.
 func (mg *VPCEndpoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5066,6 +5831,11 @@ func (mg *VPCEndpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCEndpoint.
+func (mg *VPCEndpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCEndpoint.
 func (mg *VPCEndpoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5099,6 +5869,11 @@ func (mg *VPCEndpointConnectionNotification) GetDeletionPolicy() xpv1.DeletionPo
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCEndpointConnectionNotification.
+func (mg *VPCEndpointConnectionNotification) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCEndpointConnectionNotification.
 func (mg *VPCEndpointConnectionNotification) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5132,6 +5907,11 @@ func (mg *VPCEndpointConnectionNotification) SetDeletionPolicy(r xpv1.DeletionPo
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCEndpointConnectionNotification.
+func (mg *VPCEndpointConnectionNotification) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCEndpointConnectionNotification.
 func (mg *VPCEndpointConnectionNotification) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5165,6 +5945,11 @@ func (mg *VPCEndpointRouteTableAssociation) GetDeletionPolicy() xpv1.DeletionPol
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCEndpointRouteTableAssociation.
+func (mg *VPCEndpointRouteTableAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCEndpointRouteTableAssociation.
 func (mg *VPCEndpointRouteTableAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5198,6 +5983,11 @@ func (mg *VPCEndpointRouteTableAssociation) SetDeletionPolicy(r xpv1.DeletionPol
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCEndpointRouteTableAssociation.
+func (mg *VPCEndpointRouteTableAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCEndpointRouteTableAssociation.
 func (mg *VPCEndpointRouteTableAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5231,6 +6021,11 @@ func (mg *VPCEndpointSecurityGroupAssociation) GetDeletionPolicy() xpv1.Deletion
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCEndpointSecurityGroupAssociation.
+func (mg *VPCEndpointSecurityGroupAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCEndpointSecurityGroupAssociation.
 func (mg *VPCEndpointSecurityGroupAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5264,6 +6059,11 @@ func (mg *VPCEndpointSecurityGroupAssociation) SetDeletionPolicy(r xpv1.Deletion
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCEndpointSecurityGroupAssociation.
+func (mg *VPCEndpointSecurityGroupAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCEndpointSecurityGroupAssociation.
 func (mg *VPCEndpointSecurityGroupAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5297,6 +6097,11 @@ func (mg *VPCEndpointService) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCEndpointService.
+func (mg *VPCEndpointService) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCEndpointService.
 func (mg *VPCEndpointService) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5330,6 +6135,11 @@ func (mg *VPCEndpointService) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCEndpointService.
+func (mg *VPCEndpointService) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCEndpointService.
 func (mg *VPCEndpointService) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5363,6 +6173,11 @@ func (mg *VPCEndpointServiceAllowedPrincipal) GetDeletionPolicy() xpv1.DeletionP
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCEndpointServiceAllowedPrincipal.
+func (mg *VPCEndpointServiceAllowedPrincipal) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCEndpointServiceAllowedPrincipal.
 func (mg *VPCEndpointServiceAllowedPrincipal) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5396,6 +6211,11 @@ func (mg *VPCEndpointServiceAllowedPrincipal) SetDeletionPolicy(r xpv1.DeletionP
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCEndpointServiceAllowedPrincipal.
+func (mg *VPCEndpointServiceAllowedPrincipal) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCEndpointServiceAllowedPrincipal.
 func (mg *VPCEndpointServiceAllowedPrincipal) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5429,6 +6249,11 @@ func (mg *VPCEndpointSubnetAssociation) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCEndpointSubnetAssociation.
+func (mg *VPCEndpointSubnetAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCEndpointSubnetAssociation.
 func (mg *VPCEndpointSubnetAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5462,6 +6287,11 @@ func (mg *VPCEndpointSubnetAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCEndpointSubnetAssociation.
+func (mg *VPCEndpointSubnetAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCEndpointSubnetAssociation.
 func (mg *VPCEndpointSubnetAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5495,6 +6325,11 @@ func (mg *VPCIPv4CidrBlockAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCIPv4CidrBlockAssociation.
+func (mg *VPCIPv4CidrBlockAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCIPv4CidrBlockAssociation.
 func (mg *VPCIPv4CidrBlockAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5528,6 +6363,11 @@ func (mg *VPCIPv4CidrBlockAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCIPv4CidrBlockAssociation.
+func (mg *VPCIPv4CidrBlockAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCIPv4CidrBlockAssociation.
 func (mg *VPCIPv4CidrBlockAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5561,6 +6401,11 @@ func (mg *VPCIpam) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCIpam.
+func (mg *VPCIpam) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCIpam.
 func (mg *VPCIpam) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5594,6 +6439,11 @@ func (mg *VPCIpam) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCIpam.
+func (mg *VPCIpam) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCIpam.
 func (mg *VPCIpam) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5627,6 +6477,11 @@ func (mg *VPCIpamPool) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCIpamPool.
+func (mg *VPCIpamPool) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCIpamPool.
 func (mg *VPCIpamPool) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5660,6 +6515,11 @@ func (mg *VPCIpamPool) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCIpamPool.
+func (mg *VPCIpamPool) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCIpamPool.
 func (mg *VPCIpamPool) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5693,6 +6553,11 @@ func (mg *VPCIpamPoolCidr) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCIpamPoolCidr.
+func (mg *VPCIpamPoolCidr) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCIpamPoolCidr.
 func (mg *VPCIpamPoolCidr) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5726,6 +6591,11 @@ func (mg *VPCIpamPoolCidr) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCIpamPoolCidr.
+func (mg *VPCIpamPoolCidr) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCIpamPoolCidr.
 func (mg *VPCIpamPoolCidr) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5759,6 +6629,11 @@ func (mg *VPCIpamPoolCidrAllocation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCIpamPoolCidrAllocation.
+func (mg *VPCIpamPoolCidrAllocation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCIpamPoolCidrAllocation.
 func (mg *VPCIpamPoolCidrAllocation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5792,6 +6667,11 @@ func (mg *VPCIpamPoolCidrAllocation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCIpamPoolCidrAllocation.
+func (mg *VPCIpamPoolCidrAllocation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCIpamPoolCidrAllocation.
 func (mg *VPCIpamPoolCidrAllocation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5825,6 +6705,11 @@ func (mg *VPCIpamScope) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCIpamScope.
+func (mg *VPCIpamScope) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCIpamScope.
 func (mg *VPCIpamScope) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5858,6 +6743,11 @@ func (mg *VPCIpamScope) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCIpamScope.
+func (mg *VPCIpamScope) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCIpamScope.
 func (mg *VPCIpamScope) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5891,6 +6781,11 @@ func (mg *VPCPeeringConnection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCPeeringConnection.
+func (mg *VPCPeeringConnection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCPeeringConnection.
 func (mg *VPCPeeringConnection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5924,6 +6819,11 @@ func (mg *VPCPeeringConnection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCPeeringConnection.
+func (mg *VPCPeeringConnection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCPeeringConnection.
 func (mg *VPCPeeringConnection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -5957,6 +6857,11 @@ func (mg *VPCPeeringConnectionAccepter) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCPeeringConnectionAccepter.
+func (mg *VPCPeeringConnectionAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCPeeringConnectionAccepter.
 func (mg *VPCPeeringConnectionAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -5990,6 +6895,11 @@ func (mg *VPCPeeringConnectionAccepter) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCPeeringConnectionAccepter.
+func (mg *VPCPeeringConnectionAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCPeeringConnectionAccepter.
 func (mg *VPCPeeringConnectionAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -6023,6 +6933,11 @@ func (mg *VPCPeeringConnectionOptions) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCPeeringConnectionOptions.
+func (mg *VPCPeeringConnectionOptions) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCPeeringConnectionOptions.
 func (mg *VPCPeeringConnectionOptions) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -6056,6 +6971,11 @@ func (mg *VPCPeeringConnectionOptions) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCPeeringConnectionOptions.
+func (mg *VPCPeeringConnectionOptions) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCPeeringConnectionOptions.
 func (mg *VPCPeeringConnectionOptions) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -6089,6 +7009,11 @@ func (mg *VPNConnection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPNConnection.
+func (mg *VPNConnection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPNConnection.
 func (mg *VPNConnection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -6122,6 +7047,11 @@ func (mg *VPNConnection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPNConnection.
+func (mg *VPNConnection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPNConnection.
 func (mg *VPNConnection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -6155,6 +7085,11 @@ func (mg *VPNConnectionRoute) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPNConnectionRoute.
+func (mg *VPNConnectionRoute) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPNConnectionRoute.
 func (mg *VPNConnectionRoute) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -6188,6 +7123,11 @@ func (mg *VPNConnectionRoute) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPNConnectionRoute.
+func (mg *VPNConnectionRoute) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPNConnectionRoute.
 func (mg *VPNConnectionRoute) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -6221,6 +7161,11 @@ func (mg *VPNGateway) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPNGateway.
+func (mg *VPNGateway) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPNGateway.
 func (mg *VPNGateway) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -6254,6 +7199,11 @@ func (mg *VPNGateway) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPNGateway.
+func (mg *VPNGateway) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPNGateway.
 func (mg *VPNGateway) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -6287,6 +7237,11 @@ func (mg *VPNGatewayAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPNGatewayAttachment.
+func (mg *VPNGatewayAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPNGatewayAttachment.
 func (mg *VPNGatewayAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -6320,6 +7275,11 @@ func (mg *VPNGatewayAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPNGatewayAttachment.
+func (mg *VPNGatewayAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPNGatewayAttachment.
 func (mg *VPNGatewayAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -6353,6 +7313,11 @@ func (mg *VPNGatewayRoutePropagation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPNGatewayRoutePropagation.
+func (mg *VPNGatewayRoutePropagation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPNGatewayRoutePropagation.
 func (mg *VPNGatewayRoutePropagation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -6386,6 +7351,11 @@ func (mg *VPNGatewayRoutePropagation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPNGatewayRoutePropagation.
+func (mg *VPNGatewayRoutePropagation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPNGatewayRoutePropagation.
 func (mg *VPNGatewayRoutePropagation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -6419,6 +7389,11 @@ func (mg *VolumeAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VolumeAttachment.
+func (mg *VolumeAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VolumeAttachment.
 func (mg *VolumeAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -6452,6 +7427,11 @@ func (mg *VolumeAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VolumeAttachment.
+func (mg *VolumeAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VolumeAttachment.
 func (mg *VolumeAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ecr/v1beta1/zz_generated.managed.go b/apis/ecr/v1beta1/zz_generated.managed.go
index df23cfd98a..b1c83da1ed 100644
--- a/apis/ecr/v1beta1/zz_generated.managed.go
+++ b/apis/ecr/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *LifecyclePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LifecyclePolicy.
+func (mg *LifecyclePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LifecyclePolicy.
 func (mg *LifecyclePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *LifecyclePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LifecyclePolicy.
+func (mg *LifecyclePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LifecyclePolicy.
 func (mg *LifecyclePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *PullThroughCacheRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PullThroughCacheRule.
+func (mg *PullThroughCacheRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PullThroughCacheRule.
 func (mg *PullThroughCacheRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *PullThroughCacheRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PullThroughCacheRule.
+func (mg *PullThroughCacheRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PullThroughCacheRule.
 func (mg *PullThroughCacheRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *RegistryPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegistryPolicy.
+func (mg *RegistryPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegistryPolicy.
 func (mg *RegistryPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *RegistryPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegistryPolicy.
+func (mg *RegistryPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegistryPolicy.
 func (mg *RegistryPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *RegistryScanningConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegistryScanningConfiguration.
+func (mg *RegistryScanningConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegistryScanningConfiguration.
 func (mg *RegistryScanningConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *RegistryScanningConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegistryScanningConfiguration.
+func (mg *RegistryScanningConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegistryScanningConfiguration.
 func (mg *RegistryScanningConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ReplicationConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicationConfiguration.
+func (mg *ReplicationConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicationConfiguration.
 func (mg *ReplicationConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ReplicationConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicationConfiguration.
+func (mg *ReplicationConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicationConfiguration.
 func (mg *ReplicationConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Repository) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Repository.
+func (mg *Repository) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Repository.
 func (mg *Repository) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Repository) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Repository.
+func (mg *Repository) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Repository.
 func (mg *Repository) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *RepositoryPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RepositoryPolicy.
+func (mg *RepositoryPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RepositoryPolicy.
 func (mg *RepositoryPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *RepositoryPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RepositoryPolicy.
+func (mg *RepositoryPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RepositoryPolicy.
 func (mg *RepositoryPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ecrpublic/v1beta1/zz_generated.managed.go b/apis/ecrpublic/v1beta1/zz_generated.managed.go
index cfc09c0119..0c94cafbf4 100644
--- a/apis/ecrpublic/v1beta1/zz_generated.managed.go
+++ b/apis/ecrpublic/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Repository) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Repository.
+func (mg *Repository) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Repository.
 func (mg *Repository) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Repository) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Repository.
+func (mg *Repository) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Repository.
 func (mg *Repository) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *RepositoryPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RepositoryPolicy.
+func (mg *RepositoryPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RepositoryPolicy.
 func (mg *RepositoryPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *RepositoryPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RepositoryPolicy.
+func (mg *RepositoryPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RepositoryPolicy.
 func (mg *RepositoryPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ecs/v1beta1/zz_generated.managed.go b/apis/ecs/v1beta1/zz_generated.managed.go
index 00adc235e9..bf18ccbb87 100644
--- a/apis/ecs/v1beta1/zz_generated.managed.go
+++ b/apis/ecs/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AccountSettingDefault) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccountSettingDefault.
+func (mg *AccountSettingDefault) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccountSettingDefault.
 func (mg *AccountSettingDefault) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AccountSettingDefault) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccountSettingDefault.
+func (mg *AccountSettingDefault) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccountSettingDefault.
 func (mg *AccountSettingDefault) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *CapacityProvider) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CapacityProvider.
+func (mg *CapacityProvider) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CapacityProvider.
 func (mg *CapacityProvider) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *CapacityProvider) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CapacityProvider.
+func (mg *CapacityProvider) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CapacityProvider.
 func (mg *CapacityProvider) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ClusterCapacityProviders) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterCapacityProviders.
+func (mg *ClusterCapacityProviders) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterCapacityProviders.
 func (mg *ClusterCapacityProviders) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ClusterCapacityProviders) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterCapacityProviders.
+func (mg *ClusterCapacityProviders) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterCapacityProviders.
 func (mg *ClusterCapacityProviders) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Service) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Service.
+func (mg *Service) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Service.
 func (mg *Service) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Service) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Service.
+func (mg *Service) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Service.
 func (mg *Service) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *TaskDefinition) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TaskDefinition.
+func (mg *TaskDefinition) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TaskDefinition.
 func (mg *TaskDefinition) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *TaskDefinition) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TaskDefinition.
+func (mg *TaskDefinition) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TaskDefinition.
 func (mg *TaskDefinition) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/efs/v1beta1/zz_generated.managed.go b/apis/efs/v1beta1/zz_generated.managed.go
index 77cec94c9c..65566ed079 100644
--- a/apis/efs/v1beta1/zz_generated.managed.go
+++ b/apis/efs/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AccessPoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccessPoint.
+func (mg *AccessPoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccessPoint.
 func (mg *AccessPoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AccessPoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccessPoint.
+func (mg *AccessPoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccessPoint.
 func (mg *AccessPoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *BackupPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BackupPolicy.
+func (mg *BackupPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BackupPolicy.
 func (mg *BackupPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *BackupPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BackupPolicy.
+func (mg *BackupPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BackupPolicy.
 func (mg *BackupPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *FileSystem) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FileSystem.
+func (mg *FileSystem) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FileSystem.
 func (mg *FileSystem) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *FileSystem) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FileSystem.
+func (mg *FileSystem) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FileSystem.
 func (mg *FileSystem) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *FileSystemPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FileSystemPolicy.
+func (mg *FileSystemPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FileSystemPolicy.
 func (mg *FileSystemPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *FileSystemPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FileSystemPolicy.
+func (mg *FileSystemPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FileSystemPolicy.
 func (mg *FileSystemPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *MountTarget) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MountTarget.
+func (mg *MountTarget) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MountTarget.
 func (mg *MountTarget) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *MountTarget) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MountTarget.
+func (mg *MountTarget) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MountTarget.
 func (mg *MountTarget) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ReplicationConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicationConfiguration.
+func (mg *ReplicationConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicationConfiguration.
 func (mg *ReplicationConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ReplicationConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicationConfiguration.
+func (mg *ReplicationConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicationConfiguration.
 func (mg *ReplicationConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/eks/v1beta1/zz_generated.managed.go b/apis/eks/v1beta1/zz_generated.managed.go
index e10482d760..dd421879bd 100644
--- a/apis/eks/v1beta1/zz_generated.managed.go
+++ b/apis/eks/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Addon) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Addon.
+func (mg *Addon) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Addon.
 func (mg *Addon) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Addon) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Addon.
+func (mg *Addon) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Addon.
 func (mg *Addon) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ClusterAuth) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterAuth.
+func (mg *ClusterAuth) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterAuth.
 func (mg *ClusterAuth) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ClusterAuth) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterAuth.
+func (mg *ClusterAuth) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterAuth.
 func (mg *ClusterAuth) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *FargateProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FargateProfile.
+func (mg *FargateProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FargateProfile.
 func (mg *FargateProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *FargateProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FargateProfile.
+func (mg *FargateProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FargateProfile.
 func (mg *FargateProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *IdentityProviderConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IdentityProviderConfig.
+func (mg *IdentityProviderConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IdentityProviderConfig.
 func (mg *IdentityProviderConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *IdentityProviderConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IdentityProviderConfig.
+func (mg *IdentityProviderConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IdentityProviderConfig.
 func (mg *IdentityProviderConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *NodeGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NodeGroup.
+func (mg *NodeGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NodeGroup.
 func (mg *NodeGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *NodeGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NodeGroup.
+func (mg *NodeGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NodeGroup.
 func (mg *NodeGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/elasticache/v1beta1/zz_generated.managed.go b/apis/elasticache/v1beta1/zz_generated.managed.go
index 46717cd5ac..6c14f33a52 100644
--- a/apis/elasticache/v1beta1/zz_generated.managed.go
+++ b/apis/elasticache/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ReplicationGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicationGroup.
+func (mg *ReplicationGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicationGroup.
 func (mg *ReplicationGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ReplicationGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicationGroup.
+func (mg *ReplicationGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicationGroup.
 func (mg *ReplicationGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *SubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *SubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this User.
+func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this User.
 func (mg *User) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this User.
+func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this User.
 func (mg *User) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *UserGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserGroup.
+func (mg *UserGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserGroup.
 func (mg *UserGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *UserGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserGroup.
+func (mg *UserGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserGroup.
 func (mg *UserGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/elasticbeanstalk/v1beta1/zz_generated.managed.go b/apis/elasticbeanstalk/v1beta1/zz_generated.managed.go
index b18fbe4ab5..c19727ed82 100644
--- a/apis/elasticbeanstalk/v1beta1/zz_generated.managed.go
+++ b/apis/elasticbeanstalk/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Application.
+func (mg *Application) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Application.
 func (mg *Application) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Application.
+func (mg *Application) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Application.
 func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ApplicationVersion) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ApplicationVersion.
+func (mg *ApplicationVersion) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ApplicationVersion.
 func (mg *ApplicationVersion) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ApplicationVersion) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ApplicationVersion.
+func (mg *ApplicationVersion) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ApplicationVersion.
 func (mg *ApplicationVersion) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ConfigurationTemplate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigurationTemplate.
+func (mg *ConfigurationTemplate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigurationTemplate.
 func (mg *ConfigurationTemplate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ConfigurationTemplate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigurationTemplate.
+func (mg *ConfigurationTemplate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigurationTemplate.
 func (mg *ConfigurationTemplate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/elasticsearch/v1beta1/zz_generated.managed.go b/apis/elasticsearch/v1beta1/zz_generated.managed.go
index 440d249f2e..b5d561d2a3 100644
--- a/apis/elasticsearch/v1beta1/zz_generated.managed.go
+++ b/apis/elasticsearch/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Domain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Domain.
+func (mg *Domain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Domain.
 func (mg *Domain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Domain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Domain.
+func (mg *Domain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Domain.
 func (mg *Domain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *DomainPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainPolicy.
+func (mg *DomainPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainPolicy.
 func (mg *DomainPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *DomainPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainPolicy.
+func (mg *DomainPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainPolicy.
 func (mg *DomainPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DomainSAMLOptions) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainSAMLOptions.
+func (mg *DomainSAMLOptions) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainSAMLOptions.
 func (mg *DomainSAMLOptions) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DomainSAMLOptions) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainSAMLOptions.
+func (mg *DomainSAMLOptions) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainSAMLOptions.
 func (mg *DomainSAMLOptions) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/elastictranscoder/v1beta1/zz_generated.managed.go b/apis/elastictranscoder/v1beta1/zz_generated.managed.go
index d0cdc3a028..c2b68a3c38 100644
--- a/apis/elastictranscoder/v1beta1/zz_generated.managed.go
+++ b/apis/elastictranscoder/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Pipeline) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Pipeline.
+func (mg *Pipeline) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Pipeline.
 func (mg *Pipeline) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Pipeline) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Pipeline.
+func (mg *Pipeline) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Pipeline.
 func (mg *Pipeline) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Preset) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Preset.
+func (mg *Preset) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Preset.
 func (mg *Preset) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Preset) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Preset.
+func (mg *Preset) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Preset.
 func (mg *Preset) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/elb/v1beta1/zz_generated.managed.go b/apis/elb/v1beta1/zz_generated.managed.go
index 1235798743..66082691e9 100644
--- a/apis/elb/v1beta1/zz_generated.managed.go
+++ b/apis/elb/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AppCookieStickinessPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AppCookieStickinessPolicy.
+func (mg *AppCookieStickinessPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AppCookieStickinessPolicy.
 func (mg *AppCookieStickinessPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AppCookieStickinessPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AppCookieStickinessPolicy.
+func (mg *AppCookieStickinessPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AppCookieStickinessPolicy.
 func (mg *AppCookieStickinessPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Attachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Attachment.
+func (mg *Attachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Attachment.
 func (mg *Attachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Attachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Attachment.
+func (mg *Attachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Attachment.
 func (mg *Attachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *BackendServerPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BackendServerPolicy.
+func (mg *BackendServerPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BackendServerPolicy.
 func (mg *BackendServerPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *BackendServerPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BackendServerPolicy.
+func (mg *BackendServerPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BackendServerPolicy.
 func (mg *BackendServerPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ELB) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ELB.
+func (mg *ELB) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ELB.
 func (mg *ELB) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ELB) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ELB.
+func (mg *ELB) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ELB.
 func (mg *ELB) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *LBCookieStickinessPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBCookieStickinessPolicy.
+func (mg *LBCookieStickinessPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBCookieStickinessPolicy.
 func (mg *LBCookieStickinessPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *LBCookieStickinessPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBCookieStickinessPolicy.
+func (mg *LBCookieStickinessPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBCookieStickinessPolicy.
 func (mg *LBCookieStickinessPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *LBSSLNegotiationPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBSSLNegotiationPolicy.
+func (mg *LBSSLNegotiationPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBSSLNegotiationPolicy.
 func (mg *LBSSLNegotiationPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *LBSSLNegotiationPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBSSLNegotiationPolicy.
+func (mg *LBSSLNegotiationPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBSSLNegotiationPolicy.
 func (mg *LBSSLNegotiationPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ListenerPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ListenerPolicy.
+func (mg *ListenerPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ListenerPolicy.
 func (mg *ListenerPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ListenerPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ListenerPolicy.
+func (mg *ListenerPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ListenerPolicy.
 func (mg *ListenerPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Policy.
+func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Policy.
 func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Policy.
+func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Policy.
 func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *ProxyProtocolPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProxyProtocolPolicy.
+func (mg *ProxyProtocolPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProxyProtocolPolicy.
 func (mg *ProxyProtocolPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *ProxyProtocolPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProxyProtocolPolicy.
+func (mg *ProxyProtocolPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProxyProtocolPolicy.
 func (mg *ProxyProtocolPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/elbv2/v1beta1/zz_generated.managed.go b/apis/elbv2/v1beta1/zz_generated.managed.go
index 86696e428e..077a821927 100644
--- a/apis/elbv2/v1beta1/zz_generated.managed.go
+++ b/apis/elbv2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *LB) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LB.
+func (mg *LB) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LB.
 func (mg *LB) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *LB) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LB.
+func (mg *LB) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LB.
 func (mg *LB) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *LBListener) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBListener.
+func (mg *LBListener) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBListener.
 func (mg *LBListener) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *LBListener) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBListener.
+func (mg *LBListener) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBListener.
 func (mg *LBListener) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *LBListenerRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBListenerRule.
+func (mg *LBListenerRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBListenerRule.
 func (mg *LBListenerRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *LBListenerRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBListenerRule.
+func (mg *LBListenerRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBListenerRule.
 func (mg *LBListenerRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *LBTargetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBTargetGroup.
+func (mg *LBTargetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBTargetGroup.
 func (mg *LBTargetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *LBTargetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBTargetGroup.
+func (mg *LBTargetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBTargetGroup.
 func (mg *LBTargetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *LBTargetGroupAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBTargetGroupAttachment.
+func (mg *LBTargetGroupAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBTargetGroupAttachment.
 func (mg *LBTargetGroupAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *LBTargetGroupAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBTargetGroupAttachment.
+func (mg *LBTargetGroupAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBTargetGroupAttachment.
 func (mg *LBTargetGroupAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/emr/v1beta1/zz_generated.managed.go b/apis/emr/v1beta1/zz_generated.managed.go
index a6b683551c..290173bd56 100644
--- a/apis/emr/v1beta1/zz_generated.managed.go
+++ b/apis/emr/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *SecurityConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecurityConfiguration.
+func (mg *SecurityConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecurityConfiguration.
 func (mg *SecurityConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *SecurityConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecurityConfiguration.
+func (mg *SecurityConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecurityConfiguration.
 func (mg *SecurityConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/emrserverless/v1beta1/zz_generated.managed.go b/apis/emrserverless/v1beta1/zz_generated.managed.go
index 8782fe11f0..c2f45b1868 100644
--- a/apis/emrserverless/v1beta1/zz_generated.managed.go
+++ b/apis/emrserverless/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Application.
+func (mg *Application) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Application.
 func (mg *Application) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Application.
+func (mg *Application) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Application.
 func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/evidently/v1beta1/zz_generated.managed.go b/apis/evidently/v1beta1/zz_generated.managed.go
index bf97c24945..9c9f4a75ea 100644
--- a/apis/evidently/v1beta1/zz_generated.managed.go
+++ b/apis/evidently/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Feature) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Feature.
+func (mg *Feature) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Feature.
 func (mg *Feature) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Feature) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Feature.
+func (mg *Feature) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Feature.
 func (mg *Feature) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Project) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Project.
+func (mg *Project) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Project.
 func (mg *Project) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Project) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Project.
+func (mg *Project) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Project.
 func (mg *Project) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Segment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Segment.
+func (mg *Segment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Segment.
 func (mg *Segment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Segment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Segment.
+func (mg *Segment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Segment.
 func (mg *Segment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/firehose/v1beta1/zz_generated.managed.go b/apis/firehose/v1beta1/zz_generated.managed.go
index 641cbb2500..50c835f4c9 100644
--- a/apis/firehose/v1beta1/zz_generated.managed.go
+++ b/apis/firehose/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DeliveryStream) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DeliveryStream.
+func (mg *DeliveryStream) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DeliveryStream.
 func (mg *DeliveryStream) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DeliveryStream) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DeliveryStream.
+func (mg *DeliveryStream) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DeliveryStream.
 func (mg *DeliveryStream) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/fis/v1beta1/zz_generated.managed.go b/apis/fis/v1beta1/zz_generated.managed.go
index bdfbc642e1..1533ea5f85 100644
--- a/apis/fis/v1beta1/zz_generated.managed.go
+++ b/apis/fis/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ExperimentTemplate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ExperimentTemplate.
+func (mg *ExperimentTemplate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ExperimentTemplate.
 func (mg *ExperimentTemplate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ExperimentTemplate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ExperimentTemplate.
+func (mg *ExperimentTemplate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ExperimentTemplate.
 func (mg *ExperimentTemplate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/fsx/v1beta1/zz_generated.managed.go b/apis/fsx/v1beta1/zz_generated.managed.go
index 4b614e5b88..df0f8bcb07 100644
--- a/apis/fsx/v1beta1/zz_generated.managed.go
+++ b/apis/fsx/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Backup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Backup.
+func (mg *Backup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Backup.
 func (mg *Backup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Backup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Backup.
+func (mg *Backup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Backup.
 func (mg *Backup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *DataRepositoryAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DataRepositoryAssociation.
+func (mg *DataRepositoryAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DataRepositoryAssociation.
 func (mg *DataRepositoryAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *DataRepositoryAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DataRepositoryAssociation.
+func (mg *DataRepositoryAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DataRepositoryAssociation.
 func (mg *DataRepositoryAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *LustreFileSystem) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LustreFileSystem.
+func (mg *LustreFileSystem) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LustreFileSystem.
 func (mg *LustreFileSystem) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *LustreFileSystem) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LustreFileSystem.
+func (mg *LustreFileSystem) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LustreFileSystem.
 func (mg *LustreFileSystem) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *OntapFileSystem) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OntapFileSystem.
+func (mg *OntapFileSystem) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OntapFileSystem.
 func (mg *OntapFileSystem) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *OntapFileSystem) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OntapFileSystem.
+func (mg *OntapFileSystem) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OntapFileSystem.
 func (mg *OntapFileSystem) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *OntapStorageVirtualMachine) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OntapStorageVirtualMachine.
+func (mg *OntapStorageVirtualMachine) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OntapStorageVirtualMachine.
 func (mg *OntapStorageVirtualMachine) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *OntapStorageVirtualMachine) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OntapStorageVirtualMachine.
+func (mg *OntapStorageVirtualMachine) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OntapStorageVirtualMachine.
 func (mg *OntapStorageVirtualMachine) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *WindowsFileSystem) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this WindowsFileSystem.
+func (mg *WindowsFileSystem) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this WindowsFileSystem.
 func (mg *WindowsFileSystem) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *WindowsFileSystem) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this WindowsFileSystem.
+func (mg *WindowsFileSystem) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this WindowsFileSystem.
 func (mg *WindowsFileSystem) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/gamelift/v1beta1/zz_generated.managed.go b/apis/gamelift/v1beta1/zz_generated.managed.go
index 01cff19743..1d2847a056 100644
--- a/apis/gamelift/v1beta1/zz_generated.managed.go
+++ b/apis/gamelift/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Alias) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Alias.
+func (mg *Alias) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Alias.
 func (mg *Alias) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Alias) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Alias.
+func (mg *Alias) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Alias.
 func (mg *Alias) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Build) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Build.
+func (mg *Build) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Build.
 func (mg *Build) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Build) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Build.
+func (mg *Build) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Build.
 func (mg *Build) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Fleet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Fleet.
+func (mg *Fleet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Fleet.
 func (mg *Fleet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Fleet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Fleet.
+func (mg *Fleet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Fleet.
 func (mg *Fleet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *GameSessionQueue) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GameSessionQueue.
+func (mg *GameSessionQueue) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GameSessionQueue.
 func (mg *GameSessionQueue) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *GameSessionQueue) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GameSessionQueue.
+func (mg *GameSessionQueue) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GameSessionQueue.
 func (mg *GameSessionQueue) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Script) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Script.
+func (mg *Script) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Script.
 func (mg *Script) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Script) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Script.
+func (mg *Script) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Script.
 func (mg *Script) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/glacier/v1beta1/zz_generated.managed.go b/apis/glacier/v1beta1/zz_generated.managed.go
index 4b24d0f834..d13e650c23 100644
--- a/apis/glacier/v1beta1/zz_generated.managed.go
+++ b/apis/glacier/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Vault) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Vault.
+func (mg *Vault) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Vault.
 func (mg *Vault) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Vault) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Vault.
+func (mg *Vault) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Vault.
 func (mg *Vault) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *VaultLock) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VaultLock.
+func (mg *VaultLock) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VaultLock.
 func (mg *VaultLock) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *VaultLock) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VaultLock.
+func (mg *VaultLock) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VaultLock.
 func (mg *VaultLock) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/globalaccelerator/v1beta1/zz_generated.managed.go b/apis/globalaccelerator/v1beta1/zz_generated.managed.go
index 4622949847..da3f3410b6 100644
--- a/apis/globalaccelerator/v1beta1/zz_generated.managed.go
+++ b/apis/globalaccelerator/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Accelerator) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Accelerator.
+func (mg *Accelerator) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Accelerator.
 func (mg *Accelerator) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Accelerator) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Accelerator.
+func (mg *Accelerator) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Accelerator.
 func (mg *Accelerator) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *EndpointGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EndpointGroup.
+func (mg *EndpointGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EndpointGroup.
 func (mg *EndpointGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *EndpointGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EndpointGroup.
+func (mg *EndpointGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EndpointGroup.
 func (mg *EndpointGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Listener) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Listener.
+func (mg *Listener) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Listener.
 func (mg *Listener) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Listener) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Listener.
+func (mg *Listener) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Listener.
 func (mg *Listener) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/glue/v1beta1/zz_generated.managed.go b/apis/glue/v1beta1/zz_generated.managed.go
index 25c09c148d..36782f36bb 100644
--- a/apis/glue/v1beta1/zz_generated.managed.go
+++ b/apis/glue/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *CatalogDatabase) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CatalogDatabase.
+func (mg *CatalogDatabase) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CatalogDatabase.
 func (mg *CatalogDatabase) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *CatalogDatabase) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CatalogDatabase.
+func (mg *CatalogDatabase) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CatalogDatabase.
 func (mg *CatalogDatabase) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *CatalogTable) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CatalogTable.
+func (mg *CatalogTable) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CatalogTable.
 func (mg *CatalogTable) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *CatalogTable) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CatalogTable.
+func (mg *CatalogTable) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CatalogTable.
 func (mg *CatalogTable) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Classifier) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Classifier.
+func (mg *Classifier) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Classifier.
 func (mg *Classifier) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Classifier) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Classifier.
+func (mg *Classifier) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Classifier.
 func (mg *Classifier) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Connection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Connection.
+func (mg *Connection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Connection.
 func (mg *Connection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Connection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Connection.
+func (mg *Connection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Connection.
 func (mg *Connection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Crawler) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Crawler.
+func (mg *Crawler) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Crawler.
 func (mg *Crawler) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Crawler) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Crawler.
+func (mg *Crawler) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Crawler.
 func (mg *Crawler) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *DataCatalogEncryptionSettings) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DataCatalogEncryptionSettings.
+func (mg *DataCatalogEncryptionSettings) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DataCatalogEncryptionSettings.
 func (mg *DataCatalogEncryptionSettings) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *DataCatalogEncryptionSettings) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DataCatalogEncryptionSettings.
+func (mg *DataCatalogEncryptionSettings) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DataCatalogEncryptionSettings.
 func (mg *DataCatalogEncryptionSettings) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Job) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Job.
+func (mg *Job) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Job.
 func (mg *Job) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Job) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Job.
+func (mg *Job) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Job.
 func (mg *Job) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Registry) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Registry.
+func (mg *Registry) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Registry.
 func (mg *Registry) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Registry) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Registry.
+func (mg *Registry) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Registry.
 func (mg *Registry) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *ResourcePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourcePolicy.
+func (mg *ResourcePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourcePolicy.
 func (mg *ResourcePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *ResourcePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourcePolicy.
+func (mg *ResourcePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourcePolicy.
 func (mg *ResourcePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *Schema) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Schema.
+func (mg *Schema) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Schema.
 func (mg *Schema) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *Schema) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Schema.
+func (mg *Schema) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Schema.
 func (mg *Schema) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *SecurityConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecurityConfiguration.
+func (mg *SecurityConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecurityConfiguration.
 func (mg *SecurityConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *SecurityConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecurityConfiguration.
+func (mg *SecurityConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecurityConfiguration.
 func (mg *SecurityConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *Trigger) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Trigger.
+func (mg *Trigger) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Trigger.
 func (mg *Trigger) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *Trigger) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Trigger.
+func (mg *Trigger) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Trigger.
 func (mg *Trigger) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *UserDefinedFunction) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserDefinedFunction.
+func (mg *UserDefinedFunction) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserDefinedFunction.
 func (mg *UserDefinedFunction) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *UserDefinedFunction) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserDefinedFunction.
+func (mg *UserDefinedFunction) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserDefinedFunction.
 func (mg *UserDefinedFunction) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *Workflow) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Workflow.
+func (mg *Workflow) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Workflow.
 func (mg *Workflow) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *Workflow) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Workflow.
+func (mg *Workflow) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Workflow.
 func (mg *Workflow) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/grafana/v1beta1/zz_generated.managed.go b/apis/grafana/v1beta1/zz_generated.managed.go
index 4728a5ac45..db17123f8c 100644
--- a/apis/grafana/v1beta1/zz_generated.managed.go
+++ b/apis/grafana/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *LicenseAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LicenseAssociation.
+func (mg *LicenseAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LicenseAssociation.
 func (mg *LicenseAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *LicenseAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LicenseAssociation.
+func (mg *LicenseAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LicenseAssociation.
 func (mg *LicenseAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *RoleAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RoleAssociation.
+func (mg *RoleAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RoleAssociation.
 func (mg *RoleAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *RoleAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RoleAssociation.
+func (mg *RoleAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RoleAssociation.
 func (mg *RoleAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Workspace) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Workspace.
+func (mg *Workspace) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Workspace.
 func (mg *Workspace) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Workspace) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Workspace.
+func (mg *Workspace) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Workspace.
 func (mg *Workspace) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *WorkspaceAPIKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this WorkspaceAPIKey.
+func (mg *WorkspaceAPIKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this WorkspaceAPIKey.
 func (mg *WorkspaceAPIKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *WorkspaceAPIKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this WorkspaceAPIKey.
+func (mg *WorkspaceAPIKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this WorkspaceAPIKey.
 func (mg *WorkspaceAPIKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *WorkspaceSAMLConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this WorkspaceSAMLConfiguration.
+func (mg *WorkspaceSAMLConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this WorkspaceSAMLConfiguration.
 func (mg *WorkspaceSAMLConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *WorkspaceSAMLConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this WorkspaceSAMLConfiguration.
+func (mg *WorkspaceSAMLConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this WorkspaceSAMLConfiguration.
 func (mg *WorkspaceSAMLConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/guardduty/v1beta1/zz_generated.managed.go b/apis/guardduty/v1beta1/zz_generated.managed.go
index 54f32c348c..789c021e60 100644
--- a/apis/guardduty/v1beta1/zz_generated.managed.go
+++ b/apis/guardduty/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Detector) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Detector.
+func (mg *Detector) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Detector.
 func (mg *Detector) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Detector) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Detector.
+func (mg *Detector) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Detector.
 func (mg *Detector) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Filter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Filter.
+func (mg *Filter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Filter.
 func (mg *Filter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Filter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Filter.
+func (mg *Filter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Filter.
 func (mg *Filter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Member) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Member.
+func (mg *Member) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Member.
 func (mg *Member) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Member) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Member.
+func (mg *Member) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Member.
 func (mg *Member) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/iam/v1beta1/zz_generated.managed.go b/apis/iam/v1beta1/zz_generated.managed.go
index 6a292a6bde..4d084d384d 100644
--- a/apis/iam/v1beta1/zz_generated.managed.go
+++ b/apis/iam/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AccessKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccessKey.
+func (mg *AccessKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccessKey.
 func (mg *AccessKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AccessKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccessKey.
+func (mg *AccessKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccessKey.
 func (mg *AccessKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *AccountAlias) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccountAlias.
+func (mg *AccountAlias) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccountAlias.
 func (mg *AccountAlias) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *AccountAlias) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccountAlias.
+func (mg *AccountAlias) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccountAlias.
 func (mg *AccountAlias) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *AccountPasswordPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccountPasswordPolicy.
+func (mg *AccountPasswordPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccountPasswordPolicy.
 func (mg *AccountPasswordPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *AccountPasswordPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccountPasswordPolicy.
+func (mg *AccountPasswordPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccountPasswordPolicy.
 func (mg *AccountPasswordPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Group) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Group.
+func (mg *Group) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Group.
 func (mg *Group) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Group) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Group.
+func (mg *Group) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Group.
 func (mg *Group) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *GroupMembership) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GroupMembership.
+func (mg *GroupMembership) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GroupMembership.
 func (mg *GroupMembership) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *GroupMembership) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GroupMembership.
+func (mg *GroupMembership) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GroupMembership.
 func (mg *GroupMembership) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *GroupPolicyAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GroupPolicyAttachment.
+func (mg *GroupPolicyAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GroupPolicyAttachment.
 func (mg *GroupPolicyAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *GroupPolicyAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GroupPolicyAttachment.
+func (mg *GroupPolicyAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GroupPolicyAttachment.
 func (mg *GroupPolicyAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *InstanceProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InstanceProfile.
+func (mg *InstanceProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InstanceProfile.
 func (mg *InstanceProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *InstanceProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InstanceProfile.
+func (mg *InstanceProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InstanceProfile.
 func (mg *InstanceProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *OpenIDConnectProvider) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OpenIDConnectProvider.
+func (mg *OpenIDConnectProvider) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OpenIDConnectProvider.
 func (mg *OpenIDConnectProvider) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *OpenIDConnectProvider) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OpenIDConnectProvider.
+func (mg *OpenIDConnectProvider) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OpenIDConnectProvider.
 func (mg *OpenIDConnectProvider) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Policy.
+func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Policy.
 func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Policy.
+func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Policy.
 func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *Role) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Role.
+func (mg *Role) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Role.
 func (mg *Role) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *Role) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Role.
+func (mg *Role) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Role.
 func (mg *Role) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *RolePolicyAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RolePolicyAttachment.
+func (mg *RolePolicyAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RolePolicyAttachment.
 func (mg *RolePolicyAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *RolePolicyAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RolePolicyAttachment.
+func (mg *RolePolicyAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RolePolicyAttachment.
 func (mg *RolePolicyAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *SAMLProvider) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SAMLProvider.
+func (mg *SAMLProvider) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SAMLProvider.
 func (mg *SAMLProvider) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *SAMLProvider) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SAMLProvider.
+func (mg *SAMLProvider) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SAMLProvider.
 func (mg *SAMLProvider) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *ServerCertificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ServerCertificate.
+func (mg *ServerCertificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ServerCertificate.
 func (mg *ServerCertificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *ServerCertificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ServerCertificate.
+func (mg *ServerCertificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ServerCertificate.
 func (mg *ServerCertificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *ServiceLinkedRole) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ServiceLinkedRole.
+func (mg *ServiceLinkedRole) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ServiceLinkedRole.
 func (mg *ServiceLinkedRole) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *ServiceLinkedRole) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ServiceLinkedRole.
+func (mg *ServiceLinkedRole) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ServiceLinkedRole.
 func (mg *ServiceLinkedRole) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *ServiceSpecificCredential) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ServiceSpecificCredential.
+func (mg *ServiceSpecificCredential) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ServiceSpecificCredential.
 func (mg *ServiceSpecificCredential) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *ServiceSpecificCredential) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ServiceSpecificCredential.
+func (mg *ServiceSpecificCredential) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ServiceSpecificCredential.
 func (mg *ServiceSpecificCredential) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *SigningCertificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SigningCertificate.
+func (mg *SigningCertificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SigningCertificate.
 func (mg *SigningCertificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *SigningCertificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SigningCertificate.
+func (mg *SigningCertificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SigningCertificate.
 func (mg *SigningCertificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1073,6 +1233,11 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this User.
+func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this User.
 func (mg *User) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1106,6 +1271,11 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this User.
+func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this User.
 func (mg *User) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1139,6 +1309,11 @@ func (mg *UserGroupMembership) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserGroupMembership.
+func (mg *UserGroupMembership) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserGroupMembership.
 func (mg *UserGroupMembership) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1172,6 +1347,11 @@ func (mg *UserGroupMembership) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserGroupMembership.
+func (mg *UserGroupMembership) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserGroupMembership.
 func (mg *UserGroupMembership) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1205,6 +1385,11 @@ func (mg *UserLoginProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserLoginProfile.
+func (mg *UserLoginProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserLoginProfile.
 func (mg *UserLoginProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1238,6 +1423,11 @@ func (mg *UserLoginProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserLoginProfile.
+func (mg *UserLoginProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserLoginProfile.
 func (mg *UserLoginProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1271,6 +1461,11 @@ func (mg *UserPolicyAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserPolicyAttachment.
+func (mg *UserPolicyAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserPolicyAttachment.
 func (mg *UserPolicyAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1304,6 +1499,11 @@ func (mg *UserPolicyAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserPolicyAttachment.
+func (mg *UserPolicyAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserPolicyAttachment.
 func (mg *UserPolicyAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1337,6 +1537,11 @@ func (mg *UserSSHKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserSSHKey.
+func (mg *UserSSHKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserSSHKey.
 func (mg *UserSSHKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1370,6 +1575,11 @@ func (mg *UserSSHKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserSSHKey.
+func (mg *UserSSHKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserSSHKey.
 func (mg *UserSSHKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1403,6 +1613,11 @@ func (mg *VirtualMfaDevice) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VirtualMfaDevice.
+func (mg *VirtualMfaDevice) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VirtualMfaDevice.
 func (mg *VirtualMfaDevice) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1436,6 +1651,11 @@ func (mg *VirtualMfaDevice) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VirtualMfaDevice.
+func (mg *VirtualMfaDevice) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VirtualMfaDevice.
 func (mg *VirtualMfaDevice) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/imagebuilder/v1beta1/zz_generated.managed.go b/apis/imagebuilder/v1beta1/zz_generated.managed.go
index 47a53cd69a..531a1f1109 100644
--- a/apis/imagebuilder/v1beta1/zz_generated.managed.go
+++ b/apis/imagebuilder/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Component) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Component.
+func (mg *Component) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Component.
 func (mg *Component) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Component) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Component.
+func (mg *Component) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Component.
 func (mg *Component) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ContainerRecipe) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ContainerRecipe.
+func (mg *ContainerRecipe) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ContainerRecipe.
 func (mg *ContainerRecipe) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ContainerRecipe) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ContainerRecipe.
+func (mg *ContainerRecipe) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ContainerRecipe.
 func (mg *ContainerRecipe) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DistributionConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DistributionConfiguration.
+func (mg *DistributionConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DistributionConfiguration.
 func (mg *DistributionConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DistributionConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DistributionConfiguration.
+func (mg *DistributionConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DistributionConfiguration.
 func (mg *DistributionConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Image) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Image.
+func (mg *Image) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Image.
 func (mg *Image) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Image) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Image.
+func (mg *Image) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Image.
 func (mg *Image) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ImagePipeline) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ImagePipeline.
+func (mg *ImagePipeline) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ImagePipeline.
 func (mg *ImagePipeline) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ImagePipeline) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ImagePipeline.
+func (mg *ImagePipeline) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ImagePipeline.
 func (mg *ImagePipeline) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ImageRecipe) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ImageRecipe.
+func (mg *ImageRecipe) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ImageRecipe.
 func (mg *ImageRecipe) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ImageRecipe) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ImageRecipe.
+func (mg *ImageRecipe) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ImageRecipe.
 func (mg *ImageRecipe) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *InfrastructureConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InfrastructureConfiguration.
+func (mg *InfrastructureConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InfrastructureConfiguration.
 func (mg *InfrastructureConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *InfrastructureConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InfrastructureConfiguration.
+func (mg *InfrastructureConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InfrastructureConfiguration.
 func (mg *InfrastructureConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/inspector/v1beta1/zz_generated.managed.go b/apis/inspector/v1beta1/zz_generated.managed.go
index 62ad27ee69..1c8629254e 100644
--- a/apis/inspector/v1beta1/zz_generated.managed.go
+++ b/apis/inspector/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AssessmentTarget) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AssessmentTarget.
+func (mg *AssessmentTarget) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AssessmentTarget.
 func (mg *AssessmentTarget) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AssessmentTarget) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AssessmentTarget.
+func (mg *AssessmentTarget) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AssessmentTarget.
 func (mg *AssessmentTarget) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *AssessmentTemplate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AssessmentTemplate.
+func (mg *AssessmentTemplate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AssessmentTemplate.
 func (mg *AssessmentTemplate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *AssessmentTemplate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AssessmentTemplate.
+func (mg *AssessmentTemplate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AssessmentTemplate.
 func (mg *AssessmentTemplate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ResourceGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourceGroup.
+func (mg *ResourceGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourceGroup.
 func (mg *ResourceGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ResourceGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourceGroup.
+func (mg *ResourceGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourceGroup.
 func (mg *ResourceGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/inspector2/v1beta1/zz_generated.managed.go b/apis/inspector2/v1beta1/zz_generated.managed.go
index 0bf1e4d84b..8d9f017ace 100644
--- a/apis/inspector2/v1beta1/zz_generated.managed.go
+++ b/apis/inspector2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Enabler) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Enabler.
+func (mg *Enabler) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Enabler.
 func (mg *Enabler) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Enabler) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Enabler.
+func (mg *Enabler) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Enabler.
 func (mg *Enabler) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/iot/v1beta1/zz_generated.managed.go b/apis/iot/v1beta1/zz_generated.managed.go
index e6f9ba3b3b..5c679d8e21 100644
--- a/apis/iot/v1beta1/zz_generated.managed.go
+++ b/apis/iot/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Certificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Certificate.
+func (mg *Certificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Certificate.
 func (mg *Certificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Certificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Certificate.
+func (mg *Certificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Certificate.
 func (mg *Certificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *IndexingConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IndexingConfiguration.
+func (mg *IndexingConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IndexingConfiguration.
 func (mg *IndexingConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *IndexingConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IndexingConfiguration.
+func (mg *IndexingConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IndexingConfiguration.
 func (mg *IndexingConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *LoggingOptions) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LoggingOptions.
+func (mg *LoggingOptions) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LoggingOptions.
 func (mg *LoggingOptions) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *LoggingOptions) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LoggingOptions.
+func (mg *LoggingOptions) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LoggingOptions.
 func (mg *LoggingOptions) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Policy.
+func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Policy.
 func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Policy.
+func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Policy.
 func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *PolicyAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PolicyAttachment.
+func (mg *PolicyAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PolicyAttachment.
 func (mg *PolicyAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *PolicyAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PolicyAttachment.
+func (mg *PolicyAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PolicyAttachment.
 func (mg *PolicyAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ProvisioningTemplate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProvisioningTemplate.
+func (mg *ProvisioningTemplate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProvisioningTemplate.
 func (mg *ProvisioningTemplate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ProvisioningTemplate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProvisioningTemplate.
+func (mg *ProvisioningTemplate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProvisioningTemplate.
 func (mg *ProvisioningTemplate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *RoleAlias) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RoleAlias.
+func (mg *RoleAlias) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RoleAlias.
 func (mg *RoleAlias) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *RoleAlias) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RoleAlias.
+func (mg *RoleAlias) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RoleAlias.
 func (mg *RoleAlias) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Thing) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Thing.
+func (mg *Thing) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Thing.
 func (mg *Thing) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Thing) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Thing.
+func (mg *Thing) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Thing.
 func (mg *Thing) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *ThingGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ThingGroup.
+func (mg *ThingGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ThingGroup.
 func (mg *ThingGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *ThingGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ThingGroup.
+func (mg *ThingGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ThingGroup.
 func (mg *ThingGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *ThingGroupMembership) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ThingGroupMembership.
+func (mg *ThingGroupMembership) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ThingGroupMembership.
 func (mg *ThingGroupMembership) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *ThingGroupMembership) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ThingGroupMembership.
+func (mg *ThingGroupMembership) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ThingGroupMembership.
 func (mg *ThingGroupMembership) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *ThingPrincipalAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ThingPrincipalAttachment.
+func (mg *ThingPrincipalAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ThingPrincipalAttachment.
 func (mg *ThingPrincipalAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *ThingPrincipalAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ThingPrincipalAttachment.
+func (mg *ThingPrincipalAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ThingPrincipalAttachment.
 func (mg *ThingPrincipalAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *ThingType) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ThingType.
+func (mg *ThingType) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ThingType.
 func (mg *ThingType) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *ThingType) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ThingType.
+func (mg *ThingType) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ThingType.
 func (mg *ThingType) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *TopicRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TopicRule.
+func (mg *TopicRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TopicRule.
 func (mg *TopicRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *TopicRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TopicRule.
+func (mg *TopicRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TopicRule.
 func (mg *TopicRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ivs/v1beta1/zz_generated.managed.go b/apis/ivs/v1beta1/zz_generated.managed.go
index 5719f6463a..fb0796a8cb 100644
--- a/apis/ivs/v1beta1/zz_generated.managed.go
+++ b/apis/ivs/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Channel) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Channel.
+func (mg *Channel) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Channel.
 func (mg *Channel) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Channel) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Channel.
+func (mg *Channel) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Channel.
 func (mg *Channel) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *RecordingConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RecordingConfiguration.
+func (mg *RecordingConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RecordingConfiguration.
 func (mg *RecordingConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *RecordingConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RecordingConfiguration.
+func (mg *RecordingConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RecordingConfiguration.
 func (mg *RecordingConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/kafka/v1beta1/zz_generated.managed.go b/apis/kafka/v1beta1/zz_generated.managed.go
index d5e56c6312..a7f292ca1b 100644
--- a/apis/kafka/v1beta1/zz_generated.managed.go
+++ b/apis/kafka/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Configuration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Configuration.
+func (mg *Configuration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Configuration.
 func (mg *Configuration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Configuration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Configuration.
+func (mg *Configuration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Configuration.
 func (mg *Configuration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/kendra/v1beta1/zz_generated.managed.go b/apis/kendra/v1beta1/zz_generated.managed.go
index e171f2ecee..f232f1cb1a 100644
--- a/apis/kendra/v1beta1/zz_generated.managed.go
+++ b/apis/kendra/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DataSource) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DataSource.
+func (mg *DataSource) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DataSource.
 func (mg *DataSource) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DataSource) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DataSource.
+func (mg *DataSource) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DataSource.
 func (mg *DataSource) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Experience) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Experience.
+func (mg *Experience) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Experience.
 func (mg *Experience) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Experience) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Experience.
+func (mg *Experience) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Experience.
 func (mg *Experience) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Index) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Index.
+func (mg *Index) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Index.
 func (mg *Index) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Index) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Index.
+func (mg *Index) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Index.
 func (mg *Index) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *QuerySuggestionsBlockList) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this QuerySuggestionsBlockList.
+func (mg *QuerySuggestionsBlockList) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this QuerySuggestionsBlockList.
 func (mg *QuerySuggestionsBlockList) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *QuerySuggestionsBlockList) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this QuerySuggestionsBlockList.
+func (mg *QuerySuggestionsBlockList) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this QuerySuggestionsBlockList.
 func (mg *QuerySuggestionsBlockList) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Thesaurus) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Thesaurus.
+func (mg *Thesaurus) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Thesaurus.
 func (mg *Thesaurus) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Thesaurus) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Thesaurus.
+func (mg *Thesaurus) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Thesaurus.
 func (mg *Thesaurus) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/keyspaces/v1beta1/zz_generated.managed.go b/apis/keyspaces/v1beta1/zz_generated.managed.go
index 6989662c62..ce87e3c47c 100644
--- a/apis/keyspaces/v1beta1/zz_generated.managed.go
+++ b/apis/keyspaces/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Keyspace) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Keyspace.
+func (mg *Keyspace) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Keyspace.
 func (mg *Keyspace) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Keyspace) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Keyspace.
+func (mg *Keyspace) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Keyspace.
 func (mg *Keyspace) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Table) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Table.
+func (mg *Table) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Table.
 func (mg *Table) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Table) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Table.
+func (mg *Table) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Table.
 func (mg *Table) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/kinesis/v1beta1/zz_generated.managed.go b/apis/kinesis/v1beta1/zz_generated.managed.go
index a988213deb..0e5b98948d 100644
--- a/apis/kinesis/v1beta1/zz_generated.managed.go
+++ b/apis/kinesis/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Stream) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stream.
+func (mg *Stream) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stream.
 func (mg *Stream) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Stream) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stream.
+func (mg *Stream) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stream.
 func (mg *Stream) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *StreamConsumer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StreamConsumer.
+func (mg *StreamConsumer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StreamConsumer.
 func (mg *StreamConsumer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *StreamConsumer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StreamConsumer.
+func (mg *StreamConsumer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StreamConsumer.
 func (mg *StreamConsumer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/kinesisanalytics/v1beta1/zz_generated.managed.go b/apis/kinesisanalytics/v1beta1/zz_generated.managed.go
index 8782fe11f0..c2f45b1868 100644
--- a/apis/kinesisanalytics/v1beta1/zz_generated.managed.go
+++ b/apis/kinesisanalytics/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Application.
+func (mg *Application) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Application.
 func (mg *Application) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Application.
+func (mg *Application) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Application.
 func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/kinesisanalyticsv2/v1beta1/zz_generated.managed.go b/apis/kinesisanalyticsv2/v1beta1/zz_generated.managed.go
index d5168654c3..c0e3421615 100644
--- a/apis/kinesisanalyticsv2/v1beta1/zz_generated.managed.go
+++ b/apis/kinesisanalyticsv2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Application.
+func (mg *Application) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Application.
 func (mg *Application) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Application.
+func (mg *Application) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Application.
 func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ApplicationSnapshot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ApplicationSnapshot.
+func (mg *ApplicationSnapshot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ApplicationSnapshot.
 func (mg *ApplicationSnapshot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ApplicationSnapshot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ApplicationSnapshot.
+func (mg *ApplicationSnapshot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ApplicationSnapshot.
 func (mg *ApplicationSnapshot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/kinesisvideo/v1beta1/zz_generated.managed.go b/apis/kinesisvideo/v1beta1/zz_generated.managed.go
index 5579612f3b..be71361d0b 100644
--- a/apis/kinesisvideo/v1beta1/zz_generated.managed.go
+++ b/apis/kinesisvideo/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Stream) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stream.
+func (mg *Stream) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stream.
 func (mg *Stream) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Stream) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stream.
+func (mg *Stream) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stream.
 func (mg *Stream) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/kms/v1beta1/zz_generated.managed.go b/apis/kms/v1beta1/zz_generated.managed.go
index 31c558cd92..95ef0f5ae1 100644
--- a/apis/kms/v1beta1/zz_generated.managed.go
+++ b/apis/kms/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Alias) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Alias.
+func (mg *Alias) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Alias.
 func (mg *Alias) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Alias) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Alias.
+func (mg *Alias) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Alias.
 func (mg *Alias) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Ciphertext) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Ciphertext.
+func (mg *Ciphertext) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Ciphertext.
 func (mg *Ciphertext) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Ciphertext) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Ciphertext.
+func (mg *Ciphertext) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Ciphertext.
 func (mg *Ciphertext) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ExternalKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ExternalKey.
+func (mg *ExternalKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ExternalKey.
 func (mg *ExternalKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ExternalKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ExternalKey.
+func (mg *ExternalKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ExternalKey.
 func (mg *ExternalKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Grant) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Grant.
+func (mg *Grant) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Grant.
 func (mg *Grant) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Grant) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Grant.
+func (mg *Grant) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Grant.
 func (mg *Grant) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Key) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Key.
+func (mg *Key) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Key.
 func (mg *Key) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Key) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Key.
+func (mg *Key) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Key.
 func (mg *Key) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ReplicaExternalKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicaExternalKey.
+func (mg *ReplicaExternalKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicaExternalKey.
 func (mg *ReplicaExternalKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ReplicaExternalKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicaExternalKey.
+func (mg *ReplicaExternalKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicaExternalKey.
 func (mg *ReplicaExternalKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ReplicaKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReplicaKey.
+func (mg *ReplicaKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReplicaKey.
 func (mg *ReplicaKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ReplicaKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReplicaKey.
+func (mg *ReplicaKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReplicaKey.
 func (mg *ReplicaKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/lakeformation/v1beta1/zz_generated.managed.go b/apis/lakeformation/v1beta1/zz_generated.managed.go
index f5fb404ae2..e75fd12856 100644
--- a/apis/lakeformation/v1beta1/zz_generated.managed.go
+++ b/apis/lakeformation/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DataLakeSettings) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DataLakeSettings.
+func (mg *DataLakeSettings) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DataLakeSettings.
 func (mg *DataLakeSettings) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DataLakeSettings) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DataLakeSettings.
+func (mg *DataLakeSettings) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DataLakeSettings.
 func (mg *DataLakeSettings) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Permissions) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Permissions.
+func (mg *Permissions) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Permissions.
 func (mg *Permissions) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Permissions) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Permissions.
+func (mg *Permissions) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Permissions.
 func (mg *Permissions) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Resource) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Resource.
+func (mg *Resource) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Resource.
 func (mg *Resource) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Resource) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Resource.
+func (mg *Resource) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Resource.
 func (mg *Resource) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/lambda/v1beta1/zz_generated.managed.go b/apis/lambda/v1beta1/zz_generated.managed.go
index ddfce9ea85..0cf6ecae54 100644
--- a/apis/lambda/v1beta1/zz_generated.managed.go
+++ b/apis/lambda/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Alias) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Alias.
+func (mg *Alias) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Alias.
 func (mg *Alias) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Alias) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Alias.
+func (mg *Alias) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Alias.
 func (mg *Alias) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *CodeSigningConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CodeSigningConfig.
+func (mg *CodeSigningConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CodeSigningConfig.
 func (mg *CodeSigningConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *CodeSigningConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CodeSigningConfig.
+func (mg *CodeSigningConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CodeSigningConfig.
 func (mg *CodeSigningConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *EventSourceMapping) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventSourceMapping.
+func (mg *EventSourceMapping) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventSourceMapping.
 func (mg *EventSourceMapping) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *EventSourceMapping) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventSourceMapping.
+func (mg *EventSourceMapping) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventSourceMapping.
 func (mg *EventSourceMapping) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Function) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Function.
+func (mg *Function) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Function.
 func (mg *Function) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Function) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Function.
+func (mg *Function) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Function.
 func (mg *Function) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *FunctionEventInvokeConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FunctionEventInvokeConfig.
+func (mg *FunctionEventInvokeConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FunctionEventInvokeConfig.
 func (mg *FunctionEventInvokeConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *FunctionEventInvokeConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FunctionEventInvokeConfig.
+func (mg *FunctionEventInvokeConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FunctionEventInvokeConfig.
 func (mg *FunctionEventInvokeConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *FunctionURL) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FunctionURL.
+func (mg *FunctionURL) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FunctionURL.
 func (mg *FunctionURL) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *FunctionURL) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FunctionURL.
+func (mg *FunctionURL) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FunctionURL.
 func (mg *FunctionURL) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Invocation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Invocation.
+func (mg *Invocation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Invocation.
 func (mg *Invocation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Invocation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Invocation.
+func (mg *Invocation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Invocation.
 func (mg *Invocation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *LayerVersion) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LayerVersion.
+func (mg *LayerVersion) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LayerVersion.
 func (mg *LayerVersion) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *LayerVersion) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LayerVersion.
+func (mg *LayerVersion) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LayerVersion.
 func (mg *LayerVersion) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *LayerVersionPermission) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LayerVersionPermission.
+func (mg *LayerVersionPermission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LayerVersionPermission.
 func (mg *LayerVersionPermission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *LayerVersionPermission) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LayerVersionPermission.
+func (mg *LayerVersionPermission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LayerVersionPermission.
 func (mg *LayerVersionPermission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *Permission) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Permission.
+func (mg *Permission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Permission.
 func (mg *Permission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *Permission) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Permission.
+func (mg *Permission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Permission.
 func (mg *Permission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *ProvisionedConcurrencyConfig) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProvisionedConcurrencyConfig.
+func (mg *ProvisionedConcurrencyConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProvisionedConcurrencyConfig.
 func (mg *ProvisionedConcurrencyConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *ProvisionedConcurrencyConfig) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProvisionedConcurrencyConfig.
+func (mg *ProvisionedConcurrencyConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProvisionedConcurrencyConfig.
 func (mg *ProvisionedConcurrencyConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/lexmodels/v1beta1/zz_generated.managed.go b/apis/lexmodels/v1beta1/zz_generated.managed.go
index 262a8d8368..8fcb385ab8 100644
--- a/apis/lexmodels/v1beta1/zz_generated.managed.go
+++ b/apis/lexmodels/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Bot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Bot.
+func (mg *Bot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Bot.
 func (mg *Bot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Bot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Bot.
+func (mg *Bot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Bot.
 func (mg *Bot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *BotAlias) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BotAlias.
+func (mg *BotAlias) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BotAlias.
 func (mg *BotAlias) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *BotAlias) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BotAlias.
+func (mg *BotAlias) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BotAlias.
 func (mg *BotAlias) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Intent) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Intent.
+func (mg *Intent) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Intent.
 func (mg *Intent) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Intent) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Intent.
+func (mg *Intent) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Intent.
 func (mg *Intent) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *SlotType) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SlotType.
+func (mg *SlotType) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SlotType.
 func (mg *SlotType) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *SlotType) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SlotType.
+func (mg *SlotType) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SlotType.
 func (mg *SlotType) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/licensemanager/v1beta1/zz_generated.managed.go b/apis/licensemanager/v1beta1/zz_generated.managed.go
index 55d546eac8..9f0d580cca 100644
--- a/apis/licensemanager/v1beta1/zz_generated.managed.go
+++ b/apis/licensemanager/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Association) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Association.
+func (mg *Association) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Association.
 func (mg *Association) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Association) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Association.
+func (mg *Association) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Association.
 func (mg *Association) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *LicenseConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LicenseConfiguration.
+func (mg *LicenseConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LicenseConfiguration.
 func (mg *LicenseConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *LicenseConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LicenseConfiguration.
+func (mg *LicenseConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LicenseConfiguration.
 func (mg *LicenseConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/lightsail/v1beta1/zz_generated.managed.go b/apis/lightsail/v1beta1/zz_generated.managed.go
index 300e37520d..d64ae8f689 100644
--- a/apis/lightsail/v1beta1/zz_generated.managed.go
+++ b/apis/lightsail/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Bucket) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Bucket.
+func (mg *Bucket) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Bucket.
 func (mg *Bucket) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Bucket) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Bucket.
+func (mg *Bucket) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Bucket.
 func (mg *Bucket) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Certificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Certificate.
+func (mg *Certificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Certificate.
 func (mg *Certificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Certificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Certificate.
+func (mg *Certificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Certificate.
 func (mg *Certificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ContainerService) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ContainerService.
+func (mg *ContainerService) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ContainerService.
 func (mg *ContainerService) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ContainerService) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ContainerService.
+func (mg *ContainerService) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ContainerService.
 func (mg *ContainerService) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Disk) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Disk.
+func (mg *Disk) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Disk.
 func (mg *Disk) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Disk) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Disk.
+func (mg *Disk) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Disk.
 func (mg *Disk) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *DiskAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DiskAttachment.
+func (mg *DiskAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DiskAttachment.
 func (mg *DiskAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *DiskAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DiskAttachment.
+func (mg *DiskAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DiskAttachment.
 func (mg *DiskAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Domain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Domain.
+func (mg *Domain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Domain.
 func (mg *Domain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Domain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Domain.
+func (mg *Domain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Domain.
 func (mg *Domain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *DomainEntry) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainEntry.
+func (mg *DomainEntry) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainEntry.
 func (mg *DomainEntry) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *DomainEntry) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainEntry.
+func (mg *DomainEntry) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainEntry.
 func (mg *DomainEntry) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Instance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Instance.
+func (mg *Instance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Instance.
 func (mg *Instance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Instance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Instance.
+func (mg *Instance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Instance.
 func (mg *Instance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *InstancePublicPorts) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InstancePublicPorts.
+func (mg *InstancePublicPorts) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InstancePublicPorts.
 func (mg *InstancePublicPorts) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *InstancePublicPorts) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InstancePublicPorts.
+func (mg *InstancePublicPorts) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InstancePublicPorts.
 func (mg *InstancePublicPorts) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *KeyPair) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this KeyPair.
+func (mg *KeyPair) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this KeyPair.
 func (mg *KeyPair) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *KeyPair) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this KeyPair.
+func (mg *KeyPair) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this KeyPair.
 func (mg *KeyPair) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *LB) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LB.
+func (mg *LB) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LB.
 func (mg *LB) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *LB) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LB.
+func (mg *LB) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LB.
 func (mg *LB) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *LBAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBAttachment.
+func (mg *LBAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBAttachment.
 func (mg *LBAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *LBAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBAttachment.
+func (mg *LBAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBAttachment.
 func (mg *LBAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *LBCertificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBCertificate.
+func (mg *LBCertificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBCertificate.
 func (mg *LBCertificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *LBCertificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBCertificate.
+func (mg *LBCertificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBCertificate.
 func (mg *LBCertificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *LBStickinessPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LBStickinessPolicy.
+func (mg *LBStickinessPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LBStickinessPolicy.
 func (mg *LBStickinessPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *LBStickinessPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LBStickinessPolicy.
+func (mg *LBStickinessPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LBStickinessPolicy.
 func (mg *LBStickinessPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *StaticIP) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StaticIP.
+func (mg *StaticIP) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StaticIP.
 func (mg *StaticIP) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *StaticIP) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StaticIP.
+func (mg *StaticIP) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StaticIP.
 func (mg *StaticIP) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *StaticIPAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StaticIPAttachment.
+func (mg *StaticIPAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StaticIPAttachment.
 func (mg *StaticIPAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *StaticIPAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StaticIPAttachment.
+func (mg *StaticIPAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StaticIPAttachment.
 func (mg *StaticIPAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/location/v1beta1/zz_generated.managed.go b/apis/location/v1beta1/zz_generated.managed.go
index 7ef9758ccb..7de4e61a20 100644
--- a/apis/location/v1beta1/zz_generated.managed.go
+++ b/apis/location/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *GeofenceCollection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GeofenceCollection.
+func (mg *GeofenceCollection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GeofenceCollection.
 func (mg *GeofenceCollection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *GeofenceCollection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GeofenceCollection.
+func (mg *GeofenceCollection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GeofenceCollection.
 func (mg *GeofenceCollection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *PlaceIndex) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PlaceIndex.
+func (mg *PlaceIndex) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PlaceIndex.
 func (mg *PlaceIndex) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *PlaceIndex) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PlaceIndex.
+func (mg *PlaceIndex) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PlaceIndex.
 func (mg *PlaceIndex) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *RouteCalculator) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RouteCalculator.
+func (mg *RouteCalculator) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RouteCalculator.
 func (mg *RouteCalculator) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *RouteCalculator) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RouteCalculator.
+func (mg *RouteCalculator) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RouteCalculator.
 func (mg *RouteCalculator) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Tracker) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Tracker.
+func (mg *Tracker) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Tracker.
 func (mg *Tracker) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Tracker) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Tracker.
+func (mg *Tracker) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Tracker.
 func (mg *Tracker) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *TrackerAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TrackerAssociation.
+func (mg *TrackerAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TrackerAssociation.
 func (mg *TrackerAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *TrackerAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TrackerAssociation.
+func (mg *TrackerAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TrackerAssociation.
 func (mg *TrackerAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/macie2/v1beta1/zz_generated.managed.go b/apis/macie2/v1beta1/zz_generated.managed.go
index f6eb45487b..26c91f6606 100644
--- a/apis/macie2/v1beta1/zz_generated.managed.go
+++ b/apis/macie2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Account) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Account.
+func (mg *Account) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Account.
 func (mg *Account) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Account) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Account.
+func (mg *Account) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Account.
 func (mg *Account) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ClassificationJob) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClassificationJob.
+func (mg *ClassificationJob) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClassificationJob.
 func (mg *ClassificationJob) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ClassificationJob) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClassificationJob.
+func (mg *ClassificationJob) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClassificationJob.
 func (mg *ClassificationJob) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *CustomDataIdentifier) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CustomDataIdentifier.
+func (mg *CustomDataIdentifier) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CustomDataIdentifier.
 func (mg *CustomDataIdentifier) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *CustomDataIdentifier) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CustomDataIdentifier.
+func (mg *CustomDataIdentifier) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CustomDataIdentifier.
 func (mg *CustomDataIdentifier) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *FindingsFilter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FindingsFilter.
+func (mg *FindingsFilter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FindingsFilter.
 func (mg *FindingsFilter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *FindingsFilter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FindingsFilter.
+func (mg *FindingsFilter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FindingsFilter.
 func (mg *FindingsFilter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *InvitationAccepter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InvitationAccepter.
+func (mg *InvitationAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InvitationAccepter.
 func (mg *InvitationAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *InvitationAccepter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InvitationAccepter.
+func (mg *InvitationAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InvitationAccepter.
 func (mg *InvitationAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Member) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Member.
+func (mg *Member) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Member.
 func (mg *Member) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Member) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Member.
+func (mg *Member) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Member.
 func (mg *Member) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/mediaconvert/v1beta1/zz_generated.managed.go b/apis/mediaconvert/v1beta1/zz_generated.managed.go
index 0fadf2e944..f1f45431dd 100644
--- a/apis/mediaconvert/v1beta1/zz_generated.managed.go
+++ b/apis/mediaconvert/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Queue) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Queue.
+func (mg *Queue) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Queue.
 func (mg *Queue) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Queue) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Queue.
+func (mg *Queue) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Queue.
 func (mg *Queue) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/medialive/v1beta1/zz_generated.managed.go b/apis/medialive/v1beta1/zz_generated.managed.go
index 3aa68c70d3..2d189b12e2 100644
--- a/apis/medialive/v1beta1/zz_generated.managed.go
+++ b/apis/medialive/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Channel) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Channel.
+func (mg *Channel) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Channel.
 func (mg *Channel) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Channel) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Channel.
+func (mg *Channel) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Channel.
 func (mg *Channel) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Input) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Input.
+func (mg *Input) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Input.
 func (mg *Input) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Input) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Input.
+func (mg *Input) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Input.
 func (mg *Input) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *InputSecurityGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InputSecurityGroup.
+func (mg *InputSecurityGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InputSecurityGroup.
 func (mg *InputSecurityGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *InputSecurityGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InputSecurityGroup.
+func (mg *InputSecurityGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InputSecurityGroup.
 func (mg *InputSecurityGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Multiplex) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Multiplex.
+func (mg *Multiplex) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Multiplex.
 func (mg *Multiplex) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Multiplex) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Multiplex.
+func (mg *Multiplex) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Multiplex.
 func (mg *Multiplex) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/mediapackage/v1beta1/zz_generated.managed.go b/apis/mediapackage/v1beta1/zz_generated.managed.go
index 58152300e2..d27069f0ad 100644
--- a/apis/mediapackage/v1beta1/zz_generated.managed.go
+++ b/apis/mediapackage/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Channel) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Channel.
+func (mg *Channel) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Channel.
 func (mg *Channel) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Channel) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Channel.
+func (mg *Channel) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Channel.
 func (mg *Channel) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/mediastore/v1beta1/zz_generated.managed.go b/apis/mediastore/v1beta1/zz_generated.managed.go
index 8e33d52723..437633a707 100644
--- a/apis/mediastore/v1beta1/zz_generated.managed.go
+++ b/apis/mediastore/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Container) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Container.
+func (mg *Container) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Container.
 func (mg *Container) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Container) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Container.
+func (mg *Container) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Container.
 func (mg *Container) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ContainerPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ContainerPolicy.
+func (mg *ContainerPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ContainerPolicy.
 func (mg *ContainerPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ContainerPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ContainerPolicy.
+func (mg *ContainerPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ContainerPolicy.
 func (mg *ContainerPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/memorydb/v1beta1/zz_generated.managed.go b/apis/memorydb/v1beta1/zz_generated.managed.go
index f12a6762a0..84fedbeb4c 100644
--- a/apis/memorydb/v1beta1/zz_generated.managed.go
+++ b/apis/memorydb/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ACL) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ACL.
+func (mg *ACL) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ACL.
 func (mg *ACL) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ACL) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ACL.
+func (mg *ACL) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ACL.
 func (mg *ACL) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Snapshot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Snapshot.
+func (mg *Snapshot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Snapshot.
 func (mg *Snapshot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Snapshot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Snapshot.
+func (mg *Snapshot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Snapshot.
 func (mg *Snapshot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *SubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *SubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/mq/v1beta1/zz_generated.managed.go b/apis/mq/v1beta1/zz_generated.managed.go
index 393a24b0ba..f8130bfc2f 100644
--- a/apis/mq/v1beta1/zz_generated.managed.go
+++ b/apis/mq/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Broker) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Broker.
+func (mg *Broker) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Broker.
 func (mg *Broker) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Broker) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Broker.
+func (mg *Broker) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Broker.
 func (mg *Broker) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Configuration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Configuration.
+func (mg *Configuration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Configuration.
 func (mg *Configuration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Configuration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Configuration.
+func (mg *Configuration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Configuration.
 func (mg *Configuration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/neptune/v1beta1/zz_generated.managed.go b/apis/neptune/v1beta1/zz_generated.managed.go
index b4259c8b7e..11e9b5769a 100644
--- a/apis/neptune/v1beta1/zz_generated.managed.go
+++ b/apis/neptune/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ClusterEndpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterEndpoint.
+func (mg *ClusterEndpoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterEndpoint.
 func (mg *ClusterEndpoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ClusterEndpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterEndpoint.
+func (mg *ClusterEndpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterEndpoint.
 func (mg *ClusterEndpoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ClusterInstance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterInstance.
+func (mg *ClusterInstance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterInstance.
 func (mg *ClusterInstance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ClusterInstance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterInstance.
+func (mg *ClusterInstance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterInstance.
 func (mg *ClusterInstance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ClusterParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterParameterGroup.
+func (mg *ClusterParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterParameterGroup.
 func (mg *ClusterParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ClusterParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterParameterGroup.
+func (mg *ClusterParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterParameterGroup.
 func (mg *ClusterParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ClusterSnapshot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterSnapshot.
+func (mg *ClusterSnapshot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterSnapshot.
 func (mg *ClusterSnapshot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ClusterSnapshot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterSnapshot.
+func (mg *ClusterSnapshot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterSnapshot.
 func (mg *ClusterSnapshot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *EventSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *EventSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *GlobalCluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GlobalCluster.
+func (mg *GlobalCluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GlobalCluster.
 func (mg *GlobalCluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *GlobalCluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GlobalCluster.
+func (mg *GlobalCluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GlobalCluster.
 func (mg *GlobalCluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *ParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *ParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *SubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *SubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/networkfirewall/v1beta1/zz_generated.managed.go b/apis/networkfirewall/v1beta1/zz_generated.managed.go
index 688ae092d8..9939f9987a 100644
--- a/apis/networkfirewall/v1beta1/zz_generated.managed.go
+++ b/apis/networkfirewall/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Firewall) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Firewall.
+func (mg *Firewall) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Firewall.
 func (mg *Firewall) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Firewall) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Firewall.
+func (mg *Firewall) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Firewall.
 func (mg *Firewall) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *FirewallPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FirewallPolicy.
+func (mg *FirewallPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FirewallPolicy.
 func (mg *FirewallPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *FirewallPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FirewallPolicy.
+func (mg *FirewallPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FirewallPolicy.
 func (mg *FirewallPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *LoggingConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LoggingConfiguration.
+func (mg *LoggingConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LoggingConfiguration.
 func (mg *LoggingConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *LoggingConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LoggingConfiguration.
+func (mg *LoggingConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LoggingConfiguration.
 func (mg *LoggingConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *RuleGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RuleGroup.
+func (mg *RuleGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RuleGroup.
 func (mg *RuleGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *RuleGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RuleGroup.
+func (mg *RuleGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RuleGroup.
 func (mg *RuleGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/networkmanager/v1beta1/zz_generated.managed.go b/apis/networkmanager/v1beta1/zz_generated.managed.go
index 4617b6504e..d8407508b3 100644
--- a/apis/networkmanager/v1beta1/zz_generated.managed.go
+++ b/apis/networkmanager/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AttachmentAccepter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AttachmentAccepter.
+func (mg *AttachmentAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AttachmentAccepter.
 func (mg *AttachmentAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AttachmentAccepter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AttachmentAccepter.
+func (mg *AttachmentAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AttachmentAccepter.
 func (mg *AttachmentAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ConnectAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConnectAttachment.
+func (mg *ConnectAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConnectAttachment.
 func (mg *ConnectAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ConnectAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConnectAttachment.
+func (mg *ConnectAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConnectAttachment.
 func (mg *ConnectAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Connection) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Connection.
+func (mg *Connection) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Connection.
 func (mg *Connection) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Connection) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Connection.
+func (mg *Connection) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Connection.
 func (mg *Connection) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *CoreNetwork) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CoreNetwork.
+func (mg *CoreNetwork) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CoreNetwork.
 func (mg *CoreNetwork) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *CoreNetwork) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CoreNetwork.
+func (mg *CoreNetwork) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CoreNetwork.
 func (mg *CoreNetwork) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *CustomerGatewayAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CustomerGatewayAssociation.
+func (mg *CustomerGatewayAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CustomerGatewayAssociation.
 func (mg *CustomerGatewayAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *CustomerGatewayAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CustomerGatewayAssociation.
+func (mg *CustomerGatewayAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CustomerGatewayAssociation.
 func (mg *CustomerGatewayAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Device) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Device.
+func (mg *Device) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Device.
 func (mg *Device) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Device) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Device.
+func (mg *Device) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Device.
 func (mg *Device) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *GlobalNetwork) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GlobalNetwork.
+func (mg *GlobalNetwork) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GlobalNetwork.
 func (mg *GlobalNetwork) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *GlobalNetwork) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GlobalNetwork.
+func (mg *GlobalNetwork) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GlobalNetwork.
 func (mg *GlobalNetwork) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Link) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Link.
+func (mg *Link) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Link.
 func (mg *Link) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Link) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Link.
+func (mg *Link) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Link.
 func (mg *Link) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *LinkAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LinkAssociation.
+func (mg *LinkAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LinkAssociation.
 func (mg *LinkAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *LinkAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LinkAssociation.
+func (mg *LinkAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LinkAssociation.
 func (mg *LinkAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *Site) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Site.
+func (mg *Site) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Site.
 func (mg *Site) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *Site) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Site.
+func (mg *Site) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Site.
 func (mg *Site) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *TransitGatewayConnectPeerAssociation) GetDeletionPolicy() xpv1.Deletio
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayConnectPeerAssociation.
+func (mg *TransitGatewayConnectPeerAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayConnectPeerAssociation.
 func (mg *TransitGatewayConnectPeerAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *TransitGatewayConnectPeerAssociation) SetDeletionPolicy(r xpv1.Deletio
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayConnectPeerAssociation.
+func (mg *TransitGatewayConnectPeerAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayConnectPeerAssociation.
 func (mg *TransitGatewayConnectPeerAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *TransitGatewayRegistration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TransitGatewayRegistration.
+func (mg *TransitGatewayRegistration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TransitGatewayRegistration.
 func (mg *TransitGatewayRegistration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *TransitGatewayRegistration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TransitGatewayRegistration.
+func (mg *TransitGatewayRegistration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TransitGatewayRegistration.
 func (mg *TransitGatewayRegistration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *VPCAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCAttachment.
+func (mg *VPCAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCAttachment.
 func (mg *VPCAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *VPCAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCAttachment.
+func (mg *VPCAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCAttachment.
 func (mg *VPCAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/opensearch/v1beta1/zz_generated.managed.go b/apis/opensearch/v1beta1/zz_generated.managed.go
index 440d249f2e..b5d561d2a3 100644
--- a/apis/opensearch/v1beta1/zz_generated.managed.go
+++ b/apis/opensearch/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Domain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Domain.
+func (mg *Domain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Domain.
 func (mg *Domain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Domain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Domain.
+func (mg *Domain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Domain.
 func (mg *Domain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *DomainPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainPolicy.
+func (mg *DomainPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainPolicy.
 func (mg *DomainPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *DomainPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainPolicy.
+func (mg *DomainPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainPolicy.
 func (mg *DomainPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DomainSAMLOptions) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainSAMLOptions.
+func (mg *DomainSAMLOptions) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainSAMLOptions.
 func (mg *DomainSAMLOptions) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DomainSAMLOptions) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainSAMLOptions.
+func (mg *DomainSAMLOptions) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainSAMLOptions.
 func (mg *DomainSAMLOptions) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/opsworks/v1beta1/zz_generated.managed.go b/apis/opsworks/v1beta1/zz_generated.managed.go
index dbc6194a19..fccab7badd 100644
--- a/apis/opsworks/v1beta1/zz_generated.managed.go
+++ b/apis/opsworks/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Application) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Application.
+func (mg *Application) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Application.
 func (mg *Application) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Application) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Application.
+func (mg *Application) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Application.
 func (mg *Application) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *CustomLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CustomLayer.
+func (mg *CustomLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CustomLayer.
 func (mg *CustomLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *CustomLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CustomLayer.
+func (mg *CustomLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CustomLayer.
 func (mg *CustomLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *EcsClusterLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EcsClusterLayer.
+func (mg *EcsClusterLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EcsClusterLayer.
 func (mg *EcsClusterLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *EcsClusterLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EcsClusterLayer.
+func (mg *EcsClusterLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EcsClusterLayer.
 func (mg *EcsClusterLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *GangliaLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GangliaLayer.
+func (mg *GangliaLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GangliaLayer.
 func (mg *GangliaLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *GangliaLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GangliaLayer.
+func (mg *GangliaLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GangliaLayer.
 func (mg *GangliaLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *HAProxyLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HAProxyLayer.
+func (mg *HAProxyLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HAProxyLayer.
 func (mg *HAProxyLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *HAProxyLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HAProxyLayer.
+func (mg *HAProxyLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HAProxyLayer.
 func (mg *HAProxyLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Instance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Instance.
+func (mg *Instance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Instance.
 func (mg *Instance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Instance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Instance.
+func (mg *Instance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Instance.
 func (mg *Instance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *JavaAppLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this JavaAppLayer.
+func (mg *JavaAppLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this JavaAppLayer.
 func (mg *JavaAppLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *JavaAppLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this JavaAppLayer.
+func (mg *JavaAppLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this JavaAppLayer.
 func (mg *JavaAppLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *MemcachedLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MemcachedLayer.
+func (mg *MemcachedLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MemcachedLayer.
 func (mg *MemcachedLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *MemcachedLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MemcachedLayer.
+func (mg *MemcachedLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MemcachedLayer.
 func (mg *MemcachedLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *MySQLLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MySQLLayer.
+func (mg *MySQLLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MySQLLayer.
 func (mg *MySQLLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *MySQLLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MySQLLayer.
+func (mg *MySQLLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MySQLLayer.
 func (mg *MySQLLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *NodeJSAppLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NodeJSAppLayer.
+func (mg *NodeJSAppLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NodeJSAppLayer.
 func (mg *NodeJSAppLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *NodeJSAppLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NodeJSAppLayer.
+func (mg *NodeJSAppLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NodeJSAppLayer.
 func (mg *NodeJSAppLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *PHPAppLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PHPAppLayer.
+func (mg *PHPAppLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PHPAppLayer.
 func (mg *PHPAppLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *PHPAppLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PHPAppLayer.
+func (mg *PHPAppLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PHPAppLayer.
 func (mg *PHPAppLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *Permission) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Permission.
+func (mg *Permission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Permission.
 func (mg *Permission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *Permission) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Permission.
+func (mg *Permission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Permission.
 func (mg *Permission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *RDSDBInstance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RDSDBInstance.
+func (mg *RDSDBInstance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RDSDBInstance.
 func (mg *RDSDBInstance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *RDSDBInstance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RDSDBInstance.
+func (mg *RDSDBInstance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RDSDBInstance.
 func (mg *RDSDBInstance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *RailsAppLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RailsAppLayer.
+func (mg *RailsAppLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RailsAppLayer.
 func (mg *RailsAppLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *RailsAppLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RailsAppLayer.
+func (mg *RailsAppLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RailsAppLayer.
 func (mg *RailsAppLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *Stack) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stack.
+func (mg *Stack) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stack.
 func (mg *Stack) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *Stack) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stack.
+func (mg *Stack) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stack.
 func (mg *Stack) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *StaticWebLayer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StaticWebLayer.
+func (mg *StaticWebLayer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StaticWebLayer.
 func (mg *StaticWebLayer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *StaticWebLayer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StaticWebLayer.
+func (mg *StaticWebLayer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StaticWebLayer.
 func (mg *StaticWebLayer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1073,6 +1233,11 @@ func (mg *UserProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserProfile.
+func (mg *UserProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserProfile.
 func (mg *UserProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1106,6 +1271,11 @@ func (mg *UserProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserProfile.
+func (mg *UserProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserProfile.
 func (mg *UserProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/organizations/v1beta1/zz_generated.managed.go b/apis/organizations/v1beta1/zz_generated.managed.go
index 146ce152c2..96e51b1fcd 100644
--- a/apis/organizations/v1beta1/zz_generated.managed.go
+++ b/apis/organizations/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Account) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Account.
+func (mg *Account) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Account.
 func (mg *Account) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Account) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Account.
+func (mg *Account) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Account.
 func (mg *Account) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *DelegatedAdministrator) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DelegatedAdministrator.
+func (mg *DelegatedAdministrator) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DelegatedAdministrator.
 func (mg *DelegatedAdministrator) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *DelegatedAdministrator) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DelegatedAdministrator.
+func (mg *DelegatedAdministrator) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DelegatedAdministrator.
 func (mg *DelegatedAdministrator) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Organization) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Organization.
+func (mg *Organization) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Organization.
 func (mg *Organization) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Organization) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Organization.
+func (mg *Organization) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Organization.
 func (mg *Organization) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *OrganizationalUnit) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OrganizationalUnit.
+func (mg *OrganizationalUnit) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OrganizationalUnit.
 func (mg *OrganizationalUnit) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *OrganizationalUnit) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OrganizationalUnit.
+func (mg *OrganizationalUnit) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OrganizationalUnit.
 func (mg *OrganizationalUnit) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Policy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Policy.
+func (mg *Policy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Policy.
 func (mg *Policy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Policy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Policy.
+func (mg *Policy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Policy.
 func (mg *Policy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *PolicyAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PolicyAttachment.
+func (mg *PolicyAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PolicyAttachment.
 func (mg *PolicyAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *PolicyAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PolicyAttachment.
+func (mg *PolicyAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PolicyAttachment.
 func (mg *PolicyAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/pinpoint/v1beta1/zz_generated.managed.go b/apis/pinpoint/v1beta1/zz_generated.managed.go
index 579521d2a6..78f705240a 100644
--- a/apis/pinpoint/v1beta1/zz_generated.managed.go
+++ b/apis/pinpoint/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *App) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this App.
+func (mg *App) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this App.
 func (mg *App) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *App) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this App.
+func (mg *App) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this App.
 func (mg *App) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *SMSChannel) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SMSChannel.
+func (mg *SMSChannel) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SMSChannel.
 func (mg *SMSChannel) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *SMSChannel) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SMSChannel.
+func (mg *SMSChannel) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SMSChannel.
 func (mg *SMSChannel) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/qldb/v1beta1/zz_generated.managed.go b/apis/qldb/v1beta1/zz_generated.managed.go
index bcf62420e7..5a2d910498 100644
--- a/apis/qldb/v1beta1/zz_generated.managed.go
+++ b/apis/qldb/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Ledger) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Ledger.
+func (mg *Ledger) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Ledger.
 func (mg *Ledger) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Ledger) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Ledger.
+func (mg *Ledger) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Ledger.
 func (mg *Ledger) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Stream) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Stream.
+func (mg *Stream) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Stream.
 func (mg *Stream) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Stream) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Stream.
+func (mg *Stream) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Stream.
 func (mg *Stream) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/quicksight/v1beta1/zz_generated.managed.go b/apis/quicksight/v1beta1/zz_generated.managed.go
index f9cbc5cb1a..edb461f8e4 100644
--- a/apis/quicksight/v1beta1/zz_generated.managed.go
+++ b/apis/quicksight/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Group) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Group.
+func (mg *Group) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Group.
 func (mg *Group) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Group) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Group.
+func (mg *Group) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Group.
 func (mg *Group) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this User.
+func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this User.
 func (mg *User) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this User.
+func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this User.
 func (mg *User) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ram/v1beta1/zz_generated.managed.go b/apis/ram/v1beta1/zz_generated.managed.go
index a73dfe28a2..62b8f9139f 100644
--- a/apis/ram/v1beta1/zz_generated.managed.go
+++ b/apis/ram/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ResourceAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourceAssociation.
+func (mg *ResourceAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourceAssociation.
 func (mg *ResourceAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ResourceAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourceAssociation.
+func (mg *ResourceAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourceAssociation.
 func (mg *ResourceAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ResourceShare) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourceShare.
+func (mg *ResourceShare) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourceShare.
 func (mg *ResourceShare) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ResourceShare) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourceShare.
+func (mg *ResourceShare) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourceShare.
 func (mg *ResourceShare) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/rds/v1beta1/zz_generated.managed.go b/apis/rds/v1beta1/zz_generated.managed.go
index 172807915e..5ed039bd8f 100644
--- a/apis/rds/v1beta1/zz_generated.managed.go
+++ b/apis/rds/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ClusterActivityStream) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterActivityStream.
+func (mg *ClusterActivityStream) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterActivityStream.
 func (mg *ClusterActivityStream) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ClusterActivityStream) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterActivityStream.
+func (mg *ClusterActivityStream) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterActivityStream.
 func (mg *ClusterActivityStream) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *ClusterEndpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterEndpoint.
+func (mg *ClusterEndpoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterEndpoint.
 func (mg *ClusterEndpoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *ClusterEndpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterEndpoint.
+func (mg *ClusterEndpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterEndpoint.
 func (mg *ClusterEndpoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ClusterInstance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterInstance.
+func (mg *ClusterInstance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterInstance.
 func (mg *ClusterInstance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ClusterInstance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterInstance.
+func (mg *ClusterInstance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterInstance.
 func (mg *ClusterInstance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ClusterParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterParameterGroup.
+func (mg *ClusterParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterParameterGroup.
 func (mg *ClusterParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ClusterParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterParameterGroup.
+func (mg *ClusterParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterParameterGroup.
 func (mg *ClusterParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ClusterRoleAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterRoleAssociation.
+func (mg *ClusterRoleAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterRoleAssociation.
 func (mg *ClusterRoleAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ClusterRoleAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterRoleAssociation.
+func (mg *ClusterRoleAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterRoleAssociation.
 func (mg *ClusterRoleAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ClusterSnapshot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ClusterSnapshot.
+func (mg *ClusterSnapshot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ClusterSnapshot.
 func (mg *ClusterSnapshot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ClusterSnapshot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ClusterSnapshot.
+func (mg *ClusterSnapshot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ClusterSnapshot.
 func (mg *ClusterSnapshot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *DBInstanceAutomatedBackupsReplication) GetDeletionPolicy() xpv1.Deleti
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DBInstanceAutomatedBackupsReplication.
+func (mg *DBInstanceAutomatedBackupsReplication) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DBInstanceAutomatedBackupsReplication.
 func (mg *DBInstanceAutomatedBackupsReplication) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *DBInstanceAutomatedBackupsReplication) SetDeletionPolicy(r xpv1.Deleti
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DBInstanceAutomatedBackupsReplication.
+func (mg *DBInstanceAutomatedBackupsReplication) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DBInstanceAutomatedBackupsReplication.
 func (mg *DBInstanceAutomatedBackupsReplication) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *DBSnapshotCopy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DBSnapshotCopy.
+func (mg *DBSnapshotCopy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DBSnapshotCopy.
 func (mg *DBSnapshotCopy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *DBSnapshotCopy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DBSnapshotCopy.
+func (mg *DBSnapshotCopy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DBSnapshotCopy.
 func (mg *DBSnapshotCopy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *EventSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *EventSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *GlobalCluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GlobalCluster.
+func (mg *GlobalCluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GlobalCluster.
 func (mg *GlobalCluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *GlobalCluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GlobalCluster.
+func (mg *GlobalCluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GlobalCluster.
 func (mg *GlobalCluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *Instance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Instance.
+func (mg *Instance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Instance.
 func (mg *Instance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *Instance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Instance.
+func (mg *Instance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Instance.
 func (mg *Instance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *InstanceRoleAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InstanceRoleAssociation.
+func (mg *InstanceRoleAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InstanceRoleAssociation.
 func (mg *InstanceRoleAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *InstanceRoleAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InstanceRoleAssociation.
+func (mg *InstanceRoleAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InstanceRoleAssociation.
 func (mg *InstanceRoleAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *OptionGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this OptionGroup.
+func (mg *OptionGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this OptionGroup.
 func (mg *OptionGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *OptionGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this OptionGroup.
+func (mg *OptionGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this OptionGroup.
 func (mg *OptionGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *ParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *ParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *Proxy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Proxy.
+func (mg *Proxy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Proxy.
 func (mg *Proxy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *Proxy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Proxy.
+func (mg *Proxy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Proxy.
 func (mg *Proxy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1073,6 +1233,11 @@ func (mg *ProxyDefaultTargetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProxyDefaultTargetGroup.
+func (mg *ProxyDefaultTargetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProxyDefaultTargetGroup.
 func (mg *ProxyDefaultTargetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1106,6 +1271,11 @@ func (mg *ProxyDefaultTargetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProxyDefaultTargetGroup.
+func (mg *ProxyDefaultTargetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProxyDefaultTargetGroup.
 func (mg *ProxyDefaultTargetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1139,6 +1309,11 @@ func (mg *ProxyEndpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProxyEndpoint.
+func (mg *ProxyEndpoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProxyEndpoint.
 func (mg *ProxyEndpoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1172,6 +1347,11 @@ func (mg *ProxyEndpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProxyEndpoint.
+func (mg *ProxyEndpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProxyEndpoint.
 func (mg *ProxyEndpoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1205,6 +1385,11 @@ func (mg *ProxyTarget) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProxyTarget.
+func (mg *ProxyTarget) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProxyTarget.
 func (mg *ProxyTarget) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1238,6 +1423,11 @@ func (mg *ProxyTarget) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProxyTarget.
+func (mg *ProxyTarget) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProxyTarget.
 func (mg *ProxyTarget) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1271,6 +1461,11 @@ func (mg *SecurityGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecurityGroup.
+func (mg *SecurityGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecurityGroup.
 func (mg *SecurityGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1304,6 +1499,11 @@ func (mg *SecurityGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecurityGroup.
+func (mg *SecurityGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecurityGroup.
 func (mg *SecurityGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1337,6 +1537,11 @@ func (mg *Snapshot) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Snapshot.
+func (mg *Snapshot) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Snapshot.
 func (mg *Snapshot) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1370,6 +1575,11 @@ func (mg *Snapshot) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Snapshot.
+func (mg *Snapshot) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Snapshot.
 func (mg *Snapshot) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1403,6 +1613,11 @@ func (mg *SubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1436,6 +1651,11 @@ func (mg *SubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/redshift/v1beta1/zz_generated.managed.go b/apis/redshift/v1beta1/zz_generated.managed.go
index 94f591d34b..5f14dbe983 100644
--- a/apis/redshift/v1beta1/zz_generated.managed.go
+++ b/apis/redshift/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AuthenticationProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AuthenticationProfile.
+func (mg *AuthenticationProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AuthenticationProfile.
 func (mg *AuthenticationProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AuthenticationProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AuthenticationProfile.
+func (mg *AuthenticationProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AuthenticationProfile.
 func (mg *AuthenticationProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *EventSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *EventSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventSubscription.
+func (mg *EventSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventSubscription.
 func (mg *EventSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *HSMClientCertificate) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HSMClientCertificate.
+func (mg *HSMClientCertificate) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HSMClientCertificate.
 func (mg *HSMClientCertificate) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *HSMClientCertificate) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HSMClientCertificate.
+func (mg *HSMClientCertificate) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HSMClientCertificate.
 func (mg *HSMClientCertificate) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *HSMConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HSMConfiguration.
+func (mg *HSMConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HSMConfiguration.
 func (mg *HSMConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *HSMConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HSMConfiguration.
+func (mg *HSMConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HSMConfiguration.
 func (mg *HSMConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ParameterGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ParameterGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ParameterGroup.
+func (mg *ParameterGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ParameterGroup.
 func (mg *ParameterGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ScheduledAction) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ScheduledAction.
+func (mg *ScheduledAction) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ScheduledAction.
 func (mg *ScheduledAction) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ScheduledAction) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ScheduledAction.
+func (mg *ScheduledAction) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ScheduledAction.
 func (mg *ScheduledAction) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *SnapshotCopyGrant) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SnapshotCopyGrant.
+func (mg *SnapshotCopyGrant) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SnapshotCopyGrant.
 func (mg *SnapshotCopyGrant) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *SnapshotCopyGrant) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SnapshotCopyGrant.
+func (mg *SnapshotCopyGrant) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SnapshotCopyGrant.
 func (mg *SnapshotCopyGrant) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *SnapshotSchedule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SnapshotSchedule.
+func (mg *SnapshotSchedule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SnapshotSchedule.
 func (mg *SnapshotSchedule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *SnapshotSchedule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SnapshotSchedule.
+func (mg *SnapshotSchedule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SnapshotSchedule.
 func (mg *SnapshotSchedule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *SnapshotScheduleAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SnapshotScheduleAssociation.
+func (mg *SnapshotScheduleAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SnapshotScheduleAssociation.
 func (mg *SnapshotScheduleAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *SnapshotScheduleAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SnapshotScheduleAssociation.
+func (mg *SnapshotScheduleAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SnapshotScheduleAssociation.
 func (mg *SnapshotScheduleAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *SubnetGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *SubnetGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SubnetGroup.
+func (mg *SubnetGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SubnetGroup.
 func (mg *SubnetGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *UsageLimit) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UsageLimit.
+func (mg *UsageLimit) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UsageLimit.
 func (mg *UsageLimit) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *UsageLimit) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UsageLimit.
+func (mg *UsageLimit) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UsageLimit.
 func (mg *UsageLimit) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/resourcegroups/v1beta1/zz_generated.managed.go b/apis/resourcegroups/v1beta1/zz_generated.managed.go
index cf5df6641c..df810498a2 100644
--- a/apis/resourcegroups/v1beta1/zz_generated.managed.go
+++ b/apis/resourcegroups/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Group) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Group.
+func (mg *Group) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Group.
 func (mg *Group) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Group) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Group.
+func (mg *Group) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Group.
 func (mg *Group) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/rolesanywhere/v1beta1/zz_generated.managed.go b/apis/rolesanywhere/v1beta1/zz_generated.managed.go
index 029412a49f..03b661bf93 100644
--- a/apis/rolesanywhere/v1beta1/zz_generated.managed.go
+++ b/apis/rolesanywhere/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Profile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Profile.
+func (mg *Profile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Profile.
 func (mg *Profile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Profile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Profile.
+func (mg *Profile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Profile.
 func (mg *Profile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/route53/v1beta1/zz_generated.managed.go b/apis/route53/v1beta1/zz_generated.managed.go
index 0d4792a546..f5b17ba63b 100644
--- a/apis/route53/v1beta1/zz_generated.managed.go
+++ b/apis/route53/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *DelegationSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DelegationSet.
+func (mg *DelegationSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DelegationSet.
 func (mg *DelegationSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *DelegationSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DelegationSet.
+func (mg *DelegationSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DelegationSet.
 func (mg *DelegationSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *HealthCheck) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HealthCheck.
+func (mg *HealthCheck) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HealthCheck.
 func (mg *HealthCheck) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *HealthCheck) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HealthCheck.
+func (mg *HealthCheck) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HealthCheck.
 func (mg *HealthCheck) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *HostedZoneDNSSEC) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HostedZoneDNSSEC.
+func (mg *HostedZoneDNSSEC) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HostedZoneDNSSEC.
 func (mg *HostedZoneDNSSEC) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *HostedZoneDNSSEC) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HostedZoneDNSSEC.
+func (mg *HostedZoneDNSSEC) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HostedZoneDNSSEC.
 func (mg *HostedZoneDNSSEC) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Record) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Record.
+func (mg *Record) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Record.
 func (mg *Record) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Record) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Record.
+func (mg *Record) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Record.
 func (mg *Record) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *ResolverConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResolverConfig.
+func (mg *ResolverConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResolverConfig.
 func (mg *ResolverConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *ResolverConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResolverConfig.
+func (mg *ResolverConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResolverConfig.
 func (mg *ResolverConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *TrafficPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TrafficPolicy.
+func (mg *TrafficPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TrafficPolicy.
 func (mg *TrafficPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *TrafficPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TrafficPolicy.
+func (mg *TrafficPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TrafficPolicy.
 func (mg *TrafficPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *TrafficPolicyInstance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TrafficPolicyInstance.
+func (mg *TrafficPolicyInstance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TrafficPolicyInstance.
 func (mg *TrafficPolicyInstance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *TrafficPolicyInstance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TrafficPolicyInstance.
+func (mg *TrafficPolicyInstance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TrafficPolicyInstance.
 func (mg *TrafficPolicyInstance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *VPCAssociationAuthorization) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VPCAssociationAuthorization.
+func (mg *VPCAssociationAuthorization) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VPCAssociationAuthorization.
 func (mg *VPCAssociationAuthorization) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *VPCAssociationAuthorization) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VPCAssociationAuthorization.
+func (mg *VPCAssociationAuthorization) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VPCAssociationAuthorization.
 func (mg *VPCAssociationAuthorization) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *Zone) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Zone.
+func (mg *Zone) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Zone.
 func (mg *Zone) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *Zone) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Zone.
+func (mg *Zone) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Zone.
 func (mg *Zone) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/route53recoverycontrolconfig/v1beta1/zz_generated.managed.go b/apis/route53recoverycontrolconfig/v1beta1/zz_generated.managed.go
index fbb341957a..ba30a48817 100644
--- a/apis/route53recoverycontrolconfig/v1beta1/zz_generated.managed.go
+++ b/apis/route53recoverycontrolconfig/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cluster) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cluster.
+func (mg *Cluster) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cluster.
 func (mg *Cluster) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cluster) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cluster.
+func (mg *Cluster) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cluster.
 func (mg *Cluster) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ControlPanel) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ControlPanel.
+func (mg *ControlPanel) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ControlPanel.
 func (mg *ControlPanel) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ControlPanel) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ControlPanel.
+func (mg *ControlPanel) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ControlPanel.
 func (mg *ControlPanel) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *RoutingControl) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RoutingControl.
+func (mg *RoutingControl) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RoutingControl.
 func (mg *RoutingControl) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *RoutingControl) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RoutingControl.
+func (mg *RoutingControl) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RoutingControl.
 func (mg *RoutingControl) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *SafetyRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SafetyRule.
+func (mg *SafetyRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SafetyRule.
 func (mg *SafetyRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *SafetyRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SafetyRule.
+func (mg *SafetyRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SafetyRule.
 func (mg *SafetyRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/route53recoveryreadiness/v1beta1/zz_generated.managed.go b/apis/route53recoveryreadiness/v1beta1/zz_generated.managed.go
index c1e0288de6..92091ede0a 100644
--- a/apis/route53recoveryreadiness/v1beta1/zz_generated.managed.go
+++ b/apis/route53recoveryreadiness/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Cell) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Cell.
+func (mg *Cell) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Cell.
 func (mg *Cell) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Cell) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Cell.
+func (mg *Cell) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Cell.
 func (mg *Cell) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ReadinessCheck) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReadinessCheck.
+func (mg *ReadinessCheck) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReadinessCheck.
 func (mg *ReadinessCheck) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ReadinessCheck) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReadinessCheck.
+func (mg *ReadinessCheck) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReadinessCheck.
 func (mg *ReadinessCheck) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *RecoveryGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RecoveryGroup.
+func (mg *RecoveryGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RecoveryGroup.
 func (mg *RecoveryGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *RecoveryGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RecoveryGroup.
+func (mg *RecoveryGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RecoveryGroup.
 func (mg *RecoveryGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *ResourceSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourceSet.
+func (mg *ResourceSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourceSet.
 func (mg *ResourceSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *ResourceSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourceSet.
+func (mg *ResourceSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourceSet.
 func (mg *ResourceSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/route53resolver/v1beta1/zz_generated.managed.go b/apis/route53resolver/v1beta1/zz_generated.managed.go
index 85fee0f4d0..c99fddb1db 100644
--- a/apis/route53resolver/v1beta1/zz_generated.managed.go
+++ b/apis/route53resolver/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Endpoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Endpoint.
+func (mg *Endpoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Endpoint.
 func (mg *Endpoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Endpoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Endpoint.
+func (mg *Endpoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Endpoint.
 func (mg *Endpoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Rule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Rule.
+func (mg *Rule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Rule.
 func (mg *Rule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Rule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Rule.
+func (mg *Rule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Rule.
 func (mg *Rule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *RuleAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RuleAssociation.
+func (mg *RuleAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RuleAssociation.
 func (mg *RuleAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *RuleAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RuleAssociation.
+func (mg *RuleAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RuleAssociation.
 func (mg *RuleAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/rum/v1beta1/zz_generated.managed.go b/apis/rum/v1beta1/zz_generated.managed.go
index 104866e0ca..5a60c6b684 100644
--- a/apis/rum/v1beta1/zz_generated.managed.go
+++ b/apis/rum/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AppMonitor) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AppMonitor.
+func (mg *AppMonitor) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AppMonitor.
 func (mg *AppMonitor) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AppMonitor) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AppMonitor.
+func (mg *AppMonitor) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AppMonitor.
 func (mg *AppMonitor) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *MetricsDestination) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MetricsDestination.
+func (mg *MetricsDestination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MetricsDestination.
 func (mg *MetricsDestination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *MetricsDestination) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MetricsDestination.
+func (mg *MetricsDestination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MetricsDestination.
 func (mg *MetricsDestination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/s3/v1beta1/zz_generated.managed.go b/apis/s3/v1beta1/zz_generated.managed.go
index 25548c4ab0..b92203a78b 100644
--- a/apis/s3/v1beta1/zz_generated.managed.go
+++ b/apis/s3/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Bucket) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Bucket.
+func (mg *Bucket) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Bucket.
 func (mg *Bucket) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Bucket) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Bucket.
+func (mg *Bucket) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Bucket.
 func (mg *Bucket) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *BucketACL) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketACL.
+func (mg *BucketACL) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketACL.
 func (mg *BucketACL) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *BucketACL) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketACL.
+func (mg *BucketACL) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketACL.
 func (mg *BucketACL) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *BucketAccelerateConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketAccelerateConfiguration.
+func (mg *BucketAccelerateConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketAccelerateConfiguration.
 func (mg *BucketAccelerateConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *BucketAccelerateConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketAccelerateConfiguration.
+func (mg *BucketAccelerateConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketAccelerateConfiguration.
 func (mg *BucketAccelerateConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *BucketAnalyticsConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketAnalyticsConfiguration.
+func (mg *BucketAnalyticsConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketAnalyticsConfiguration.
 func (mg *BucketAnalyticsConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *BucketAnalyticsConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketAnalyticsConfiguration.
+func (mg *BucketAnalyticsConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketAnalyticsConfiguration.
 func (mg *BucketAnalyticsConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *BucketCorsConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketCorsConfiguration.
+func (mg *BucketCorsConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketCorsConfiguration.
 func (mg *BucketCorsConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *BucketCorsConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketCorsConfiguration.
+func (mg *BucketCorsConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketCorsConfiguration.
 func (mg *BucketCorsConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *BucketIntelligentTieringConfiguration) GetDeletionPolicy() xpv1.Deleti
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketIntelligentTieringConfiguration.
+func (mg *BucketIntelligentTieringConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketIntelligentTieringConfiguration.
 func (mg *BucketIntelligentTieringConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *BucketIntelligentTieringConfiguration) SetDeletionPolicy(r xpv1.Deleti
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketIntelligentTieringConfiguration.
+func (mg *BucketIntelligentTieringConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketIntelligentTieringConfiguration.
 func (mg *BucketIntelligentTieringConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *BucketInventory) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketInventory.
+func (mg *BucketInventory) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketInventory.
 func (mg *BucketInventory) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *BucketInventory) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketInventory.
+func (mg *BucketInventory) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketInventory.
 func (mg *BucketInventory) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *BucketLifecycleConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketLifecycleConfiguration.
+func (mg *BucketLifecycleConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketLifecycleConfiguration.
 func (mg *BucketLifecycleConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *BucketLifecycleConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketLifecycleConfiguration.
+func (mg *BucketLifecycleConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketLifecycleConfiguration.
 func (mg *BucketLifecycleConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *BucketLogging) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketLogging.
+func (mg *BucketLogging) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketLogging.
 func (mg *BucketLogging) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *BucketLogging) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketLogging.
+func (mg *BucketLogging) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketLogging.
 func (mg *BucketLogging) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *BucketMetric) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketMetric.
+func (mg *BucketMetric) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketMetric.
 func (mg *BucketMetric) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *BucketMetric) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketMetric.
+func (mg *BucketMetric) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketMetric.
 func (mg *BucketMetric) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *BucketNotification) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketNotification.
+func (mg *BucketNotification) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketNotification.
 func (mg *BucketNotification) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *BucketNotification) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketNotification.
+func (mg *BucketNotification) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketNotification.
 func (mg *BucketNotification) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *BucketObject) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketObject.
+func (mg *BucketObject) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketObject.
 func (mg *BucketObject) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *BucketObject) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketObject.
+func (mg *BucketObject) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketObject.
 func (mg *BucketObject) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *BucketObjectLockConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketObjectLockConfiguration.
+func (mg *BucketObjectLockConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketObjectLockConfiguration.
 func (mg *BucketObjectLockConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *BucketObjectLockConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketObjectLockConfiguration.
+func (mg *BucketObjectLockConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketObjectLockConfiguration.
 func (mg *BucketObjectLockConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *BucketOwnershipControls) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketOwnershipControls.
+func (mg *BucketOwnershipControls) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketOwnershipControls.
 func (mg *BucketOwnershipControls) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *BucketOwnershipControls) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketOwnershipControls.
+func (mg *BucketOwnershipControls) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketOwnershipControls.
 func (mg *BucketOwnershipControls) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *BucketPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketPolicy.
+func (mg *BucketPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketPolicy.
 func (mg *BucketPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *BucketPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketPolicy.
+func (mg *BucketPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketPolicy.
 func (mg *BucketPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *BucketPublicAccessBlock) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketPublicAccessBlock.
+func (mg *BucketPublicAccessBlock) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketPublicAccessBlock.
 func (mg *BucketPublicAccessBlock) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *BucketPublicAccessBlock) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketPublicAccessBlock.
+func (mg *BucketPublicAccessBlock) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketPublicAccessBlock.
 func (mg *BucketPublicAccessBlock) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1073,6 +1233,11 @@ func (mg *BucketReplicationConfiguration) GetDeletionPolicy() xpv1.DeletionPolic
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketReplicationConfiguration.
+func (mg *BucketReplicationConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketReplicationConfiguration.
 func (mg *BucketReplicationConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1106,6 +1271,11 @@ func (mg *BucketReplicationConfiguration) SetDeletionPolicy(r xpv1.DeletionPolic
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketReplicationConfiguration.
+func (mg *BucketReplicationConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketReplicationConfiguration.
 func (mg *BucketReplicationConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1139,6 +1309,11 @@ func (mg *BucketRequestPaymentConfiguration) GetDeletionPolicy() xpv1.DeletionPo
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketRequestPaymentConfiguration.
+func (mg *BucketRequestPaymentConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketRequestPaymentConfiguration.
 func (mg *BucketRequestPaymentConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1172,6 +1347,11 @@ func (mg *BucketRequestPaymentConfiguration) SetDeletionPolicy(r xpv1.DeletionPo
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketRequestPaymentConfiguration.
+func (mg *BucketRequestPaymentConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketRequestPaymentConfiguration.
 func (mg *BucketRequestPaymentConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1205,6 +1385,11 @@ func (mg *BucketServerSideEncryptionConfiguration) GetDeletionPolicy() xpv1.Dele
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketServerSideEncryptionConfiguration.
+func (mg *BucketServerSideEncryptionConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketServerSideEncryptionConfiguration.
 func (mg *BucketServerSideEncryptionConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1238,6 +1423,11 @@ func (mg *BucketServerSideEncryptionConfiguration) SetDeletionPolicy(r xpv1.Dele
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketServerSideEncryptionConfiguration.
+func (mg *BucketServerSideEncryptionConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketServerSideEncryptionConfiguration.
 func (mg *BucketServerSideEncryptionConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1271,6 +1461,11 @@ func (mg *BucketVersioning) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketVersioning.
+func (mg *BucketVersioning) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketVersioning.
 func (mg *BucketVersioning) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1304,6 +1499,11 @@ func (mg *BucketVersioning) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketVersioning.
+func (mg *BucketVersioning) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketVersioning.
 func (mg *BucketVersioning) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1337,6 +1537,11 @@ func (mg *BucketWebsiteConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BucketWebsiteConfiguration.
+func (mg *BucketWebsiteConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BucketWebsiteConfiguration.
 func (mg *BucketWebsiteConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1370,6 +1575,11 @@ func (mg *BucketWebsiteConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BucketWebsiteConfiguration.
+func (mg *BucketWebsiteConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BucketWebsiteConfiguration.
 func (mg *BucketWebsiteConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1403,6 +1613,11 @@ func (mg *Object) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Object.
+func (mg *Object) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Object.
 func (mg *Object) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1436,6 +1651,11 @@ func (mg *Object) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Object.
+func (mg *Object) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Object.
 func (mg *Object) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1469,6 +1689,11 @@ func (mg *ObjectCopy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ObjectCopy.
+func (mg *ObjectCopy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ObjectCopy.
 func (mg *ObjectCopy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1502,6 +1727,11 @@ func (mg *ObjectCopy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ObjectCopy.
+func (mg *ObjectCopy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ObjectCopy.
 func (mg *ObjectCopy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/s3control/v1beta1/zz_generated.managed.go b/apis/s3control/v1beta1/zz_generated.managed.go
index 0a3dc60d04..e2571723cf 100644
--- a/apis/s3control/v1beta1/zz_generated.managed.go
+++ b/apis/s3control/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AccessPoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccessPoint.
+func (mg *AccessPoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccessPoint.
 func (mg *AccessPoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AccessPoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccessPoint.
+func (mg *AccessPoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccessPoint.
 func (mg *AccessPoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *AccessPointPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccessPointPolicy.
+func (mg *AccessPointPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccessPointPolicy.
 func (mg *AccessPointPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *AccessPointPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccessPointPolicy.
+func (mg *AccessPointPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccessPointPolicy.
 func (mg *AccessPointPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *AccountPublicAccessBlock) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccountPublicAccessBlock.
+func (mg *AccountPublicAccessBlock) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccountPublicAccessBlock.
 func (mg *AccountPublicAccessBlock) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *AccountPublicAccessBlock) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccountPublicAccessBlock.
+func (mg *AccountPublicAccessBlock) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccountPublicAccessBlock.
 func (mg *AccountPublicAccessBlock) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *MultiRegionAccessPoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MultiRegionAccessPoint.
+func (mg *MultiRegionAccessPoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MultiRegionAccessPoint.
 func (mg *MultiRegionAccessPoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *MultiRegionAccessPoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MultiRegionAccessPoint.
+func (mg *MultiRegionAccessPoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MultiRegionAccessPoint.
 func (mg *MultiRegionAccessPoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *MultiRegionAccessPointPolicy) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MultiRegionAccessPointPolicy.
+func (mg *MultiRegionAccessPointPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MultiRegionAccessPointPolicy.
 func (mg *MultiRegionAccessPointPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *MultiRegionAccessPointPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MultiRegionAccessPointPolicy.
+func (mg *MultiRegionAccessPointPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MultiRegionAccessPointPolicy.
 func (mg *MultiRegionAccessPointPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *ObjectLambdaAccessPoint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ObjectLambdaAccessPoint.
+func (mg *ObjectLambdaAccessPoint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ObjectLambdaAccessPoint.
 func (mg *ObjectLambdaAccessPoint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *ObjectLambdaAccessPoint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ObjectLambdaAccessPoint.
+func (mg *ObjectLambdaAccessPoint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ObjectLambdaAccessPoint.
 func (mg *ObjectLambdaAccessPoint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ObjectLambdaAccessPointPolicy) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ObjectLambdaAccessPointPolicy.
+func (mg *ObjectLambdaAccessPointPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ObjectLambdaAccessPointPolicy.
 func (mg *ObjectLambdaAccessPointPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ObjectLambdaAccessPointPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ObjectLambdaAccessPointPolicy.
+func (mg *ObjectLambdaAccessPointPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ObjectLambdaAccessPointPolicy.
 func (mg *ObjectLambdaAccessPointPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *StorageLensConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StorageLensConfiguration.
+func (mg *StorageLensConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StorageLensConfiguration.
 func (mg *StorageLensConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *StorageLensConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StorageLensConfiguration.
+func (mg *StorageLensConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StorageLensConfiguration.
 func (mg *StorageLensConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/sagemaker/v1beta1/zz_generated.managed.go b/apis/sagemaker/v1beta1/zz_generated.managed.go
index 98d356e3df..d5a267f61a 100644
--- a/apis/sagemaker/v1beta1/zz_generated.managed.go
+++ b/apis/sagemaker/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *App) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this App.
+func (mg *App) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this App.
 func (mg *App) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *App) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this App.
+func (mg *App) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this App.
 func (mg *App) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *AppImageConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AppImageConfig.
+func (mg *AppImageConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AppImageConfig.
 func (mg *AppImageConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *AppImageConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AppImageConfig.
+func (mg *AppImageConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AppImageConfig.
 func (mg *AppImageConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *CodeRepository) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CodeRepository.
+func (mg *CodeRepository) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CodeRepository.
 func (mg *CodeRepository) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *CodeRepository) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CodeRepository.
+func (mg *CodeRepository) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CodeRepository.
 func (mg *CodeRepository) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Device) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Device.
+func (mg *Device) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Device.
 func (mg *Device) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Device) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Device.
+func (mg *Device) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Device.
 func (mg *Device) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *DeviceFleet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DeviceFleet.
+func (mg *DeviceFleet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DeviceFleet.
 func (mg *DeviceFleet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *DeviceFleet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DeviceFleet.
+func (mg *DeviceFleet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DeviceFleet.
 func (mg *DeviceFleet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Domain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Domain.
+func (mg *Domain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Domain.
 func (mg *Domain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Domain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Domain.
+func (mg *Domain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Domain.
 func (mg *Domain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *EndpointConfiguration) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EndpointConfiguration.
+func (mg *EndpointConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EndpointConfiguration.
 func (mg *EndpointConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *EndpointConfiguration) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EndpointConfiguration.
+func (mg *EndpointConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EndpointConfiguration.
 func (mg *EndpointConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *FeatureGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FeatureGroup.
+func (mg *FeatureGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FeatureGroup.
 func (mg *FeatureGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *FeatureGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FeatureGroup.
+func (mg *FeatureGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FeatureGroup.
 func (mg *FeatureGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *Image) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Image.
+func (mg *Image) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Image.
 func (mg *Image) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *Image) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Image.
+func (mg *Image) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Image.
 func (mg *Image) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *ImageVersion) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ImageVersion.
+func (mg *ImageVersion) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ImageVersion.
 func (mg *ImageVersion) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *ImageVersion) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ImageVersion.
+func (mg *ImageVersion) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ImageVersion.
 func (mg *ImageVersion) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *Model) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Model.
+func (mg *Model) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Model.
 func (mg *Model) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *Model) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Model.
+func (mg *Model) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Model.
 func (mg *Model) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *ModelPackageGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ModelPackageGroup.
+func (mg *ModelPackageGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ModelPackageGroup.
 func (mg *ModelPackageGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *ModelPackageGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ModelPackageGroup.
+func (mg *ModelPackageGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ModelPackageGroup.
 func (mg *ModelPackageGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *ModelPackageGroupPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ModelPackageGroupPolicy.
+func (mg *ModelPackageGroupPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ModelPackageGroupPolicy.
 func (mg *ModelPackageGroupPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *ModelPackageGroupPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ModelPackageGroupPolicy.
+func (mg *ModelPackageGroupPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ModelPackageGroupPolicy.
 func (mg *ModelPackageGroupPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -875,6 +1005,11 @@ func (mg *NotebookInstance) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NotebookInstance.
+func (mg *NotebookInstance) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NotebookInstance.
 func (mg *NotebookInstance) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -908,6 +1043,11 @@ func (mg *NotebookInstance) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NotebookInstance.
+func (mg *NotebookInstance) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NotebookInstance.
 func (mg *NotebookInstance) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -941,6 +1081,11 @@ func (mg *NotebookInstanceLifecycleConfiguration) GetDeletionPolicy() xpv1.Delet
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NotebookInstanceLifecycleConfiguration.
+func (mg *NotebookInstanceLifecycleConfiguration) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NotebookInstanceLifecycleConfiguration.
 func (mg *NotebookInstanceLifecycleConfiguration) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -974,6 +1119,11 @@ func (mg *NotebookInstanceLifecycleConfiguration) SetDeletionPolicy(r xpv1.Delet
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NotebookInstanceLifecycleConfiguration.
+func (mg *NotebookInstanceLifecycleConfiguration) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NotebookInstanceLifecycleConfiguration.
 func (mg *NotebookInstanceLifecycleConfiguration) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1007,6 +1157,11 @@ func (mg *ServicecatalogPortfolioStatus) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ServicecatalogPortfolioStatus.
+func (mg *ServicecatalogPortfolioStatus) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ServicecatalogPortfolioStatus.
 func (mg *ServicecatalogPortfolioStatus) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1040,6 +1195,11 @@ func (mg *ServicecatalogPortfolioStatus) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ServicecatalogPortfolioStatus.
+func (mg *ServicecatalogPortfolioStatus) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ServicecatalogPortfolioStatus.
 func (mg *ServicecatalogPortfolioStatus) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1073,6 +1233,11 @@ func (mg *Space) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Space.
+func (mg *Space) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Space.
 func (mg *Space) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1106,6 +1271,11 @@ func (mg *Space) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Space.
+func (mg *Space) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Space.
 func (mg *Space) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1139,6 +1309,11 @@ func (mg *StudioLifecycleConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StudioLifecycleConfig.
+func (mg *StudioLifecycleConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StudioLifecycleConfig.
 func (mg *StudioLifecycleConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1172,6 +1347,11 @@ func (mg *StudioLifecycleConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StudioLifecycleConfig.
+func (mg *StudioLifecycleConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StudioLifecycleConfig.
 func (mg *StudioLifecycleConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1205,6 +1385,11 @@ func (mg *UserProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this UserProfile.
+func (mg *UserProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this UserProfile.
 func (mg *UserProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1238,6 +1423,11 @@ func (mg *UserProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this UserProfile.
+func (mg *UserProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this UserProfile.
 func (mg *UserProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1271,6 +1461,11 @@ func (mg *Workforce) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Workforce.
+func (mg *Workforce) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Workforce.
 func (mg *Workforce) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1304,6 +1499,11 @@ func (mg *Workforce) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Workforce.
+func (mg *Workforce) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Workforce.
 func (mg *Workforce) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -1337,6 +1537,11 @@ func (mg *Workteam) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Workteam.
+func (mg *Workteam) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Workteam.
 func (mg *Workteam) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -1370,6 +1575,11 @@ func (mg *Workteam) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Workteam.
+func (mg *Workteam) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Workteam.
 func (mg *Workteam) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/scheduler/v1beta1/zz_generated.managed.go b/apis/scheduler/v1beta1/zz_generated.managed.go
index 217e444433..6971856c29 100644
--- a/apis/scheduler/v1beta1/zz_generated.managed.go
+++ b/apis/scheduler/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Schedule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Schedule.
+func (mg *Schedule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Schedule.
 func (mg *Schedule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Schedule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Schedule.
+func (mg *Schedule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Schedule.
 func (mg *Schedule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ScheduleGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ScheduleGroup.
+func (mg *ScheduleGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ScheduleGroup.
 func (mg *ScheduleGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ScheduleGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ScheduleGroup.
+func (mg *ScheduleGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ScheduleGroup.
 func (mg *ScheduleGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/schemas/v1beta1/zz_generated.managed.go b/apis/schemas/v1beta1/zz_generated.managed.go
index a0ccb85735..a85c0134df 100644
--- a/apis/schemas/v1beta1/zz_generated.managed.go
+++ b/apis/schemas/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Discoverer) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Discoverer.
+func (mg *Discoverer) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Discoverer.
 func (mg *Discoverer) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Discoverer) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Discoverer.
+func (mg *Discoverer) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Discoverer.
 func (mg *Discoverer) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Registry) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Registry.
+func (mg *Registry) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Registry.
 func (mg *Registry) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Registry) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Registry.
+func (mg *Registry) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Registry.
 func (mg *Registry) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Schema) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Schema.
+func (mg *Schema) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Schema.
 func (mg *Schema) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Schema) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Schema.
+func (mg *Schema) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Schema.
 func (mg *Schema) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/secretsmanager/v1beta1/zz_generated.managed.go b/apis/secretsmanager/v1beta1/zz_generated.managed.go
index 00747dee4e..1fdd4ba17a 100644
--- a/apis/secretsmanager/v1beta1/zz_generated.managed.go
+++ b/apis/secretsmanager/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Secret) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Secret.
+func (mg *Secret) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Secret.
 func (mg *Secret) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Secret) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Secret.
+func (mg *Secret) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Secret.
 func (mg *Secret) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *SecretPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecretPolicy.
+func (mg *SecretPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecretPolicy.
 func (mg *SecretPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *SecretPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecretPolicy.
+func (mg *SecretPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecretPolicy.
 func (mg *SecretPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *SecretRotation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecretRotation.
+func (mg *SecretRotation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecretRotation.
 func (mg *SecretRotation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *SecretRotation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecretRotation.
+func (mg *SecretRotation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecretRotation.
 func (mg *SecretRotation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *SecretVersion) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SecretVersion.
+func (mg *SecretVersion) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SecretVersion.
 func (mg *SecretVersion) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *SecretVersion) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SecretVersion.
+func (mg *SecretVersion) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SecretVersion.
 func (mg *SecretVersion) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/securityhub/v1beta1/zz_generated.managed.go b/apis/securityhub/v1beta1/zz_generated.managed.go
index 130f7d24da..fddbd741be 100644
--- a/apis/securityhub/v1beta1/zz_generated.managed.go
+++ b/apis/securityhub/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Account) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Account.
+func (mg *Account) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Account.
 func (mg *Account) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Account) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Account.
+func (mg *Account) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Account.
 func (mg *Account) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ActionTarget) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ActionTarget.
+func (mg *ActionTarget) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ActionTarget.
 func (mg *ActionTarget) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ActionTarget) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ActionTarget.
+func (mg *ActionTarget) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ActionTarget.
 func (mg *ActionTarget) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *FindingAggregator) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this FindingAggregator.
+func (mg *FindingAggregator) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this FindingAggregator.
 func (mg *FindingAggregator) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *FindingAggregator) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this FindingAggregator.
+func (mg *FindingAggregator) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this FindingAggregator.
 func (mg *FindingAggregator) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Insight) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Insight.
+func (mg *Insight) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Insight.
 func (mg *Insight) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Insight) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Insight.
+func (mg *Insight) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Insight.
 func (mg *Insight) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *InviteAccepter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this InviteAccepter.
+func (mg *InviteAccepter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this InviteAccepter.
 func (mg *InviteAccepter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *InviteAccepter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this InviteAccepter.
+func (mg *InviteAccepter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this InviteAccepter.
 func (mg *InviteAccepter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Member) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Member.
+func (mg *Member) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Member.
 func (mg *Member) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Member) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Member.
+func (mg *Member) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Member.
 func (mg *Member) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ProductSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProductSubscription.
+func (mg *ProductSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProductSubscription.
 func (mg *ProductSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ProductSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProductSubscription.
+func (mg *ProductSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProductSubscription.
 func (mg *ProductSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *StandardsSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StandardsSubscription.
+func (mg *StandardsSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StandardsSubscription.
 func (mg *StandardsSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *StandardsSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StandardsSubscription.
+func (mg *StandardsSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StandardsSubscription.
 func (mg *StandardsSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/serverlessrepo/v1beta1/zz_generated.managed.go b/apis/serverlessrepo/v1beta1/zz_generated.managed.go
index d4747bedb6..c2044282e3 100644
--- a/apis/serverlessrepo/v1beta1/zz_generated.managed.go
+++ b/apis/serverlessrepo/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *CloudFormationStack) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this CloudFormationStack.
+func (mg *CloudFormationStack) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this CloudFormationStack.
 func (mg *CloudFormationStack) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *CloudFormationStack) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this CloudFormationStack.
+func (mg *CloudFormationStack) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this CloudFormationStack.
 func (mg *CloudFormationStack) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/servicecatalog/v1beta1/zz_generated.managed.go b/apis/servicecatalog/v1beta1/zz_generated.managed.go
index 775e02b8c2..764476a80f 100644
--- a/apis/servicecatalog/v1beta1/zz_generated.managed.go
+++ b/apis/servicecatalog/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *BudgetResourceAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this BudgetResourceAssociation.
+func (mg *BudgetResourceAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this BudgetResourceAssociation.
 func (mg *BudgetResourceAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *BudgetResourceAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this BudgetResourceAssociation.
+func (mg *BudgetResourceAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this BudgetResourceAssociation.
 func (mg *BudgetResourceAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Constraint) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Constraint.
+func (mg *Constraint) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Constraint.
 func (mg *Constraint) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Constraint) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Constraint.
+func (mg *Constraint) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Constraint.
 func (mg *Constraint) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Portfolio) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Portfolio.
+func (mg *Portfolio) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Portfolio.
 func (mg *Portfolio) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Portfolio) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Portfolio.
+func (mg *Portfolio) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Portfolio.
 func (mg *Portfolio) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *PortfolioShare) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PortfolioShare.
+func (mg *PortfolioShare) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PortfolioShare.
 func (mg *PortfolioShare) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *PortfolioShare) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PortfolioShare.
+func (mg *PortfolioShare) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PortfolioShare.
 func (mg *PortfolioShare) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *PrincipalPortfolioAssociation) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PrincipalPortfolioAssociation.
+func (mg *PrincipalPortfolioAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PrincipalPortfolioAssociation.
 func (mg *PrincipalPortfolioAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *PrincipalPortfolioAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PrincipalPortfolioAssociation.
+func (mg *PrincipalPortfolioAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PrincipalPortfolioAssociation.
 func (mg *PrincipalPortfolioAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *Product) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Product.
+func (mg *Product) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Product.
 func (mg *Product) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *Product) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Product.
+func (mg *Product) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Product.
 func (mg *Product) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *ProductPortfolioAssociation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProductPortfolioAssociation.
+func (mg *ProductPortfolioAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProductPortfolioAssociation.
 func (mg *ProductPortfolioAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *ProductPortfolioAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProductPortfolioAssociation.
+func (mg *ProductPortfolioAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProductPortfolioAssociation.
 func (mg *ProductPortfolioAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *ProvisioningArtifact) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ProvisioningArtifact.
+func (mg *ProvisioningArtifact) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ProvisioningArtifact.
 func (mg *ProvisioningArtifact) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *ProvisioningArtifact) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ProvisioningArtifact.
+func (mg *ProvisioningArtifact) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ProvisioningArtifact.
 func (mg *ProvisioningArtifact) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *ServiceAction) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ServiceAction.
+func (mg *ServiceAction) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ServiceAction.
 func (mg *ServiceAction) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *ServiceAction) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ServiceAction.
+func (mg *ServiceAction) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ServiceAction.
 func (mg *ServiceAction) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *TagOption) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TagOption.
+func (mg *TagOption) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TagOption.
 func (mg *TagOption) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *TagOption) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TagOption.
+func (mg *TagOption) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TagOption.
 func (mg *TagOption) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *TagOptionResourceAssociation) GetDeletionPolicy() xpv1.DeletionPolicy
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TagOptionResourceAssociation.
+func (mg *TagOptionResourceAssociation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TagOptionResourceAssociation.
 func (mg *TagOptionResourceAssociation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *TagOptionResourceAssociation) SetDeletionPolicy(r xpv1.DeletionPolicy)
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TagOptionResourceAssociation.
+func (mg *TagOptionResourceAssociation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TagOptionResourceAssociation.
 func (mg *TagOptionResourceAssociation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/servicediscovery/v1beta1/zz_generated.managed.go b/apis/servicediscovery/v1beta1/zz_generated.managed.go
index 24b06f8e10..6e257fe96b 100644
--- a/apis/servicediscovery/v1beta1/zz_generated.managed.go
+++ b/apis/servicediscovery/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *HTTPNamespace) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this HTTPNamespace.
+func (mg *HTTPNamespace) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this HTTPNamespace.
 func (mg *HTTPNamespace) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *HTTPNamespace) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this HTTPNamespace.
+func (mg *HTTPNamespace) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this HTTPNamespace.
 func (mg *HTTPNamespace) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *PrivateDNSNamespace) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PrivateDNSNamespace.
+func (mg *PrivateDNSNamespace) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PrivateDNSNamespace.
 func (mg *PrivateDNSNamespace) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *PrivateDNSNamespace) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PrivateDNSNamespace.
+func (mg *PrivateDNSNamespace) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PrivateDNSNamespace.
 func (mg *PrivateDNSNamespace) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *PublicDNSNamespace) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PublicDNSNamespace.
+func (mg *PublicDNSNamespace) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PublicDNSNamespace.
 func (mg *PublicDNSNamespace) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *PublicDNSNamespace) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PublicDNSNamespace.
+func (mg *PublicDNSNamespace) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PublicDNSNamespace.
 func (mg *PublicDNSNamespace) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Service) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Service.
+func (mg *Service) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Service.
 func (mg *Service) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Service) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Service.
+func (mg *Service) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Service.
 func (mg *Service) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/servicequotas/v1beta1/zz_generated.managed.go b/apis/servicequotas/v1beta1/zz_generated.managed.go
index a90fd4a102..f1e435e6e0 100644
--- a/apis/servicequotas/v1beta1/zz_generated.managed.go
+++ b/apis/servicequotas/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ServiceQuota) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ServiceQuota.
+func (mg *ServiceQuota) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ServiceQuota.
 func (mg *ServiceQuota) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ServiceQuota) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ServiceQuota.
+func (mg *ServiceQuota) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ServiceQuota.
 func (mg *ServiceQuota) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ses/v1beta1/zz_generated.managed.go b/apis/ses/v1beta1/zz_generated.managed.go
index a9778327b3..d8499bb5eb 100644
--- a/apis/ses/v1beta1/zz_generated.managed.go
+++ b/apis/ses/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ActiveReceiptRuleSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ActiveReceiptRuleSet.
+func (mg *ActiveReceiptRuleSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ActiveReceiptRuleSet.
 func (mg *ActiveReceiptRuleSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ActiveReceiptRuleSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ActiveReceiptRuleSet.
+func (mg *ActiveReceiptRuleSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ActiveReceiptRuleSet.
 func (mg *ActiveReceiptRuleSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ConfigurationSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigurationSet.
+func (mg *ConfigurationSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigurationSet.
 func (mg *ConfigurationSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ConfigurationSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigurationSet.
+func (mg *ConfigurationSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigurationSet.
 func (mg *ConfigurationSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DomainDKIM) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainDKIM.
+func (mg *DomainDKIM) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainDKIM.
 func (mg *DomainDKIM) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DomainDKIM) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainDKIM.
+func (mg *DomainDKIM) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainDKIM.
 func (mg *DomainDKIM) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *DomainIdentity) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainIdentity.
+func (mg *DomainIdentity) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainIdentity.
 func (mg *DomainIdentity) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *DomainIdentity) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainIdentity.
+func (mg *DomainIdentity) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainIdentity.
 func (mg *DomainIdentity) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *DomainMailFrom) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DomainMailFrom.
+func (mg *DomainMailFrom) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DomainMailFrom.
 func (mg *DomainMailFrom) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *DomainMailFrom) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DomainMailFrom.
+func (mg *DomainMailFrom) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DomainMailFrom.
 func (mg *DomainMailFrom) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *EmailIdentity) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EmailIdentity.
+func (mg *EmailIdentity) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EmailIdentity.
 func (mg *EmailIdentity) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *EmailIdentity) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EmailIdentity.
+func (mg *EmailIdentity) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EmailIdentity.
 func (mg *EmailIdentity) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *EventDestination) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EventDestination.
+func (mg *EventDestination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EventDestination.
 func (mg *EventDestination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *EventDestination) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EventDestination.
+func (mg *EventDestination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EventDestination.
 func (mg *EventDestination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *IdentityNotificationTopic) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IdentityNotificationTopic.
+func (mg *IdentityNotificationTopic) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IdentityNotificationTopic.
 func (mg *IdentityNotificationTopic) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *IdentityNotificationTopic) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IdentityNotificationTopic.
+func (mg *IdentityNotificationTopic) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IdentityNotificationTopic.
 func (mg *IdentityNotificationTopic) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *IdentityPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IdentityPolicy.
+func (mg *IdentityPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IdentityPolicy.
 func (mg *IdentityPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *IdentityPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IdentityPolicy.
+func (mg *IdentityPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IdentityPolicy.
 func (mg *IdentityPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *ReceiptFilter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReceiptFilter.
+func (mg *ReceiptFilter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReceiptFilter.
 func (mg *ReceiptFilter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *ReceiptFilter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReceiptFilter.
+func (mg *ReceiptFilter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReceiptFilter.
 func (mg *ReceiptFilter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *ReceiptRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReceiptRule.
+func (mg *ReceiptRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReceiptRule.
 func (mg *ReceiptRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *ReceiptRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReceiptRule.
+func (mg *ReceiptRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReceiptRule.
 func (mg *ReceiptRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *ReceiptRuleSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ReceiptRuleSet.
+func (mg *ReceiptRuleSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ReceiptRuleSet.
 func (mg *ReceiptRuleSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *ReceiptRuleSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ReceiptRuleSet.
+func (mg *ReceiptRuleSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ReceiptRuleSet.
 func (mg *ReceiptRuleSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -809,6 +929,11 @@ func (mg *Template) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Template.
+func (mg *Template) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Template.
 func (mg *Template) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -842,6 +967,11 @@ func (mg *Template) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Template.
+func (mg *Template) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Template.
 func (mg *Template) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/sesv2/v1beta1/zz_generated.managed.go b/apis/sesv2/v1beta1/zz_generated.managed.go
index 98f7d3ec74..e098ff7302 100644
--- a/apis/sesv2/v1beta1/zz_generated.managed.go
+++ b/apis/sesv2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ConfigurationSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigurationSet.
+func (mg *ConfigurationSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigurationSet.
 func (mg *ConfigurationSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ConfigurationSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigurationSet.
+func (mg *ConfigurationSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigurationSet.
 func (mg *ConfigurationSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ConfigurationSetEventDestination) GetDeletionPolicy() xpv1.DeletionPol
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ConfigurationSetEventDestination.
+func (mg *ConfigurationSetEventDestination) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ConfigurationSetEventDestination.
 func (mg *ConfigurationSetEventDestination) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ConfigurationSetEventDestination) SetDeletionPolicy(r xpv1.DeletionPol
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ConfigurationSetEventDestination.
+func (mg *ConfigurationSetEventDestination) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ConfigurationSetEventDestination.
 func (mg *ConfigurationSetEventDestination) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DedicatedIPPool) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DedicatedIPPool.
+func (mg *DedicatedIPPool) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DedicatedIPPool.
 func (mg *DedicatedIPPool) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DedicatedIPPool) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DedicatedIPPool.
+func (mg *DedicatedIPPool) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DedicatedIPPool.
 func (mg *DedicatedIPPool) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *EmailIdentity) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EmailIdentity.
+func (mg *EmailIdentity) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EmailIdentity.
 func (mg *EmailIdentity) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *EmailIdentity) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EmailIdentity.
+func (mg *EmailIdentity) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EmailIdentity.
 func (mg *EmailIdentity) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *EmailIdentityFeedbackAttributes) GetDeletionPolicy() xpv1.DeletionPoli
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EmailIdentityFeedbackAttributes.
+func (mg *EmailIdentityFeedbackAttributes) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EmailIdentityFeedbackAttributes.
 func (mg *EmailIdentityFeedbackAttributes) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *EmailIdentityFeedbackAttributes) SetDeletionPolicy(r xpv1.DeletionPoli
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EmailIdentityFeedbackAttributes.
+func (mg *EmailIdentityFeedbackAttributes) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EmailIdentityFeedbackAttributes.
 func (mg *EmailIdentityFeedbackAttributes) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *EmailIdentityMailFromAttributes) GetDeletionPolicy() xpv1.DeletionPoli
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EmailIdentityMailFromAttributes.
+func (mg *EmailIdentityMailFromAttributes) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EmailIdentityMailFromAttributes.
 func (mg *EmailIdentityMailFromAttributes) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *EmailIdentityMailFromAttributes) SetDeletionPolicy(r xpv1.DeletionPoli
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EmailIdentityMailFromAttributes.
+func (mg *EmailIdentityMailFromAttributes) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EmailIdentityMailFromAttributes.
 func (mg *EmailIdentityMailFromAttributes) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/sfn/v1beta1/zz_generated.managed.go b/apis/sfn/v1beta1/zz_generated.managed.go
index e414ac0453..781fe002f4 100644
--- a/apis/sfn/v1beta1/zz_generated.managed.go
+++ b/apis/sfn/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Activity) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Activity.
+func (mg *Activity) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Activity.
 func (mg *Activity) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Activity) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Activity.
+func (mg *Activity) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Activity.
 func (mg *Activity) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *StateMachine) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this StateMachine.
+func (mg *StateMachine) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this StateMachine.
 func (mg *StateMachine) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *StateMachine) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this StateMachine.
+func (mg *StateMachine) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this StateMachine.
 func (mg *StateMachine) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/signer/v1beta1/zz_generated.managed.go b/apis/signer/v1beta1/zz_generated.managed.go
index 5617cdf543..65492630c0 100644
--- a/apis/signer/v1beta1/zz_generated.managed.go
+++ b/apis/signer/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *SigningJob) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SigningJob.
+func (mg *SigningJob) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SigningJob.
 func (mg *SigningJob) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *SigningJob) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SigningJob.
+func (mg *SigningJob) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SigningJob.
 func (mg *SigningJob) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *SigningProfile) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SigningProfile.
+func (mg *SigningProfile) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SigningProfile.
 func (mg *SigningProfile) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *SigningProfile) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SigningProfile.
+func (mg *SigningProfile) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SigningProfile.
 func (mg *SigningProfile) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *SigningProfilePermission) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SigningProfilePermission.
+func (mg *SigningProfilePermission) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SigningProfilePermission.
 func (mg *SigningProfilePermission) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *SigningProfilePermission) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SigningProfilePermission.
+func (mg *SigningProfilePermission) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SigningProfilePermission.
 func (mg *SigningProfilePermission) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/simpledb/v1beta1/zz_generated.managed.go b/apis/simpledb/v1beta1/zz_generated.managed.go
index 9d063759ec..b176e744b8 100644
--- a/apis/simpledb/v1beta1/zz_generated.managed.go
+++ b/apis/simpledb/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Domain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Domain.
+func (mg *Domain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Domain.
 func (mg *Domain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Domain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Domain.
+func (mg *Domain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Domain.
 func (mg *Domain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/sns/v1beta1/zz_generated.managed.go b/apis/sns/v1beta1/zz_generated.managed.go
index 2806295d2a..98697c286d 100644
--- a/apis/sns/v1beta1/zz_generated.managed.go
+++ b/apis/sns/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *PlatformApplication) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PlatformApplication.
+func (mg *PlatformApplication) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PlatformApplication.
 func (mg *PlatformApplication) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *PlatformApplication) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PlatformApplication.
+func (mg *PlatformApplication) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PlatformApplication.
 func (mg *PlatformApplication) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *SMSPreferences) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SMSPreferences.
+func (mg *SMSPreferences) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SMSPreferences.
 func (mg *SMSPreferences) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *SMSPreferences) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SMSPreferences.
+func (mg *SMSPreferences) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SMSPreferences.
 func (mg *SMSPreferences) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Topic) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Topic.
+func (mg *Topic) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Topic.
 func (mg *Topic) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Topic) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Topic.
+func (mg *Topic) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Topic.
 func (mg *Topic) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *TopicPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TopicPolicy.
+func (mg *TopicPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TopicPolicy.
 func (mg *TopicPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *TopicPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TopicPolicy.
+func (mg *TopicPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TopicPolicy.
 func (mg *TopicPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *TopicSubscription) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this TopicSubscription.
+func (mg *TopicSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this TopicSubscription.
 func (mg *TopicSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *TopicSubscription) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this TopicSubscription.
+func (mg *TopicSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this TopicSubscription.
 func (mg *TopicSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/sqs/v1beta1/zz_generated.managed.go b/apis/sqs/v1beta1/zz_generated.managed.go
index 0c9c4c184d..beb24865f0 100644
--- a/apis/sqs/v1beta1/zz_generated.managed.go
+++ b/apis/sqs/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Queue) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Queue.
+func (mg *Queue) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Queue.
 func (mg *Queue) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Queue) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Queue.
+func (mg *Queue) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Queue.
 func (mg *Queue) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *QueuePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this QueuePolicy.
+func (mg *QueuePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this QueuePolicy.
 func (mg *QueuePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *QueuePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this QueuePolicy.
+func (mg *QueuePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this QueuePolicy.
 func (mg *QueuePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *QueueRedriveAllowPolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this QueueRedriveAllowPolicy.
+func (mg *QueueRedriveAllowPolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this QueueRedriveAllowPolicy.
 func (mg *QueueRedriveAllowPolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *QueueRedriveAllowPolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this QueueRedriveAllowPolicy.
+func (mg *QueueRedriveAllowPolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this QueueRedriveAllowPolicy.
 func (mg *QueueRedriveAllowPolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *QueueRedrivePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this QueueRedrivePolicy.
+func (mg *QueueRedrivePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this QueueRedrivePolicy.
 func (mg *QueueRedrivePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *QueueRedrivePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this QueueRedrivePolicy.
+func (mg *QueueRedrivePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this QueueRedrivePolicy.
 func (mg *QueueRedrivePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ssm/v1beta1/zz_generated.managed.go b/apis/ssm/v1beta1/zz_generated.managed.go
index 852eb7587b..ea4971f267 100644
--- a/apis/ssm/v1beta1/zz_generated.managed.go
+++ b/apis/ssm/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Activation) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Activation.
+func (mg *Activation) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Activation.
 func (mg *Activation) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Activation) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Activation.
+func (mg *Activation) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Activation.
 func (mg *Activation) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Association) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Association.
+func (mg *Association) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Association.
 func (mg *Association) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Association) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Association.
+func (mg *Association) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Association.
 func (mg *Association) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *DefaultPatchBaseline) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this DefaultPatchBaseline.
+func (mg *DefaultPatchBaseline) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this DefaultPatchBaseline.
 func (mg *DefaultPatchBaseline) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *DefaultPatchBaseline) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this DefaultPatchBaseline.
+func (mg *DefaultPatchBaseline) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this DefaultPatchBaseline.
 func (mg *DefaultPatchBaseline) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *Document) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Document.
+func (mg *Document) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Document.
 func (mg *Document) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *Document) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Document.
+func (mg *Document) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Document.
 func (mg *Document) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *MaintenanceWindow) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MaintenanceWindow.
+func (mg *MaintenanceWindow) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MaintenanceWindow.
 func (mg *MaintenanceWindow) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *MaintenanceWindow) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MaintenanceWindow.
+func (mg *MaintenanceWindow) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MaintenanceWindow.
 func (mg *MaintenanceWindow) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *MaintenanceWindowTarget) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MaintenanceWindowTarget.
+func (mg *MaintenanceWindowTarget) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MaintenanceWindowTarget.
 func (mg *MaintenanceWindowTarget) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *MaintenanceWindowTarget) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MaintenanceWindowTarget.
+func (mg *MaintenanceWindowTarget) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MaintenanceWindowTarget.
 func (mg *MaintenanceWindowTarget) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *MaintenanceWindowTask) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this MaintenanceWindowTask.
+func (mg *MaintenanceWindowTask) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this MaintenanceWindowTask.
 func (mg *MaintenanceWindowTask) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *MaintenanceWindowTask) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this MaintenanceWindowTask.
+func (mg *MaintenanceWindowTask) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this MaintenanceWindowTask.
 func (mg *MaintenanceWindowTask) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *Parameter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Parameter.
+func (mg *Parameter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Parameter.
 func (mg *Parameter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *Parameter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Parameter.
+func (mg *Parameter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Parameter.
 func (mg *Parameter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *PatchBaseline) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PatchBaseline.
+func (mg *PatchBaseline) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PatchBaseline.
 func (mg *PatchBaseline) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *PatchBaseline) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PatchBaseline.
+func (mg *PatchBaseline) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PatchBaseline.
 func (mg *PatchBaseline) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *PatchGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PatchGroup.
+func (mg *PatchGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PatchGroup.
 func (mg *PatchGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *PatchGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PatchGroup.
+func (mg *PatchGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PatchGroup.
 func (mg *PatchGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *ResourceDataSync) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ResourceDataSync.
+func (mg *ResourceDataSync) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ResourceDataSync.
 func (mg *ResourceDataSync) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *ResourceDataSync) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ResourceDataSync.
+func (mg *ResourceDataSync) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ResourceDataSync.
 func (mg *ResourceDataSync) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -743,6 +853,11 @@ func (mg *ServiceSetting) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ServiceSetting.
+func (mg *ServiceSetting) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ServiceSetting.
 func (mg *ServiceSetting) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -776,6 +891,11 @@ func (mg *ServiceSetting) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ServiceSetting.
+func (mg *ServiceSetting) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ServiceSetting.
 func (mg *ServiceSetting) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/ssoadmin/v1beta1/zz_generated.managed.go b/apis/ssoadmin/v1beta1/zz_generated.managed.go
index 55c072f29c..6be79b1e4c 100644
--- a/apis/ssoadmin/v1beta1/zz_generated.managed.go
+++ b/apis/ssoadmin/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *AccountAssignment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this AccountAssignment.
+func (mg *AccountAssignment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this AccountAssignment.
 func (mg *AccountAssignment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *AccountAssignment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this AccountAssignment.
+func (mg *AccountAssignment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this AccountAssignment.
 func (mg *AccountAssignment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *ManagedPolicyAttachment) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ManagedPolicyAttachment.
+func (mg *ManagedPolicyAttachment) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ManagedPolicyAttachment.
 func (mg *ManagedPolicyAttachment) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *ManagedPolicyAttachment) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ManagedPolicyAttachment.
+func (mg *ManagedPolicyAttachment) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ManagedPolicyAttachment.
 func (mg *ManagedPolicyAttachment) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *PermissionSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PermissionSet.
+func (mg *PermissionSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PermissionSet.
 func (mg *PermissionSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *PermissionSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PermissionSet.
+func (mg *PermissionSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PermissionSet.
 func (mg *PermissionSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *PermissionSetInlinePolicy) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this PermissionSetInlinePolicy.
+func (mg *PermissionSetInlinePolicy) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this PermissionSetInlinePolicy.
 func (mg *PermissionSetInlinePolicy) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *PermissionSetInlinePolicy) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this PermissionSetInlinePolicy.
+func (mg *PermissionSetInlinePolicy) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this PermissionSetInlinePolicy.
 func (mg *PermissionSetInlinePolicy) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/swf/v1beta1/zz_generated.managed.go b/apis/swf/v1beta1/zz_generated.managed.go
index 9d063759ec..b176e744b8 100644
--- a/apis/swf/v1beta1/zz_generated.managed.go
+++ b/apis/swf/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Domain) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Domain.
+func (mg *Domain) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Domain.
 func (mg *Domain) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Domain) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Domain.
+func (mg *Domain) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Domain.
 func (mg *Domain) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/timestreamwrite/v1beta1/zz_generated.managed.go b/apis/timestreamwrite/v1beta1/zz_generated.managed.go
index 2eb2b93122..5fdfd977e4 100644
--- a/apis/timestreamwrite/v1beta1/zz_generated.managed.go
+++ b/apis/timestreamwrite/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Database) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Database.
+func (mg *Database) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Database.
 func (mg *Database) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Database) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Database.
+func (mg *Database) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Database.
 func (mg *Database) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Table) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Table.
+func (mg *Table) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Table.
 func (mg *Table) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Table) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Table.
+func (mg *Table) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Table.
 func (mg *Table) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/transcribe/v1beta1/zz_generated.managed.go b/apis/transcribe/v1beta1/zz_generated.managed.go
index ccab4c718c..afa2e8af78 100644
--- a/apis/transcribe/v1beta1/zz_generated.managed.go
+++ b/apis/transcribe/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *LanguageModel) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this LanguageModel.
+func (mg *LanguageModel) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this LanguageModel.
 func (mg *LanguageModel) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *LanguageModel) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this LanguageModel.
+func (mg *LanguageModel) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this LanguageModel.
 func (mg *LanguageModel) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Vocabulary) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Vocabulary.
+func (mg *Vocabulary) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Vocabulary.
 func (mg *Vocabulary) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Vocabulary) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Vocabulary.
+func (mg *Vocabulary) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Vocabulary.
 func (mg *Vocabulary) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *VocabularyFilter) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this VocabularyFilter.
+func (mg *VocabularyFilter) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this VocabularyFilter.
 func (mg *VocabularyFilter) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *VocabularyFilter) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this VocabularyFilter.
+func (mg *VocabularyFilter) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this VocabularyFilter.
 func (mg *VocabularyFilter) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/transfer/v1beta1/zz_generated.managed.go b/apis/transfer/v1beta1/zz_generated.managed.go
index 1297f70a3e..15e01ffae1 100644
--- a/apis/transfer/v1beta1/zz_generated.managed.go
+++ b/apis/transfer/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *SSHKey) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SSHKey.
+func (mg *SSHKey) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SSHKey.
 func (mg *SSHKey) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *SSHKey) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SSHKey.
+func (mg *SSHKey) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SSHKey.
 func (mg *SSHKey) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Server) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Server.
+func (mg *Server) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Server.
 func (mg *Server) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Server) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Server.
+func (mg *Server) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Server.
 func (mg *Server) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *Tag) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Tag.
+func (mg *Tag) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Tag.
 func (mg *Tag) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *Tag) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Tag.
+func (mg *Tag) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Tag.
 func (mg *Tag) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *User) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this User.
+func (mg *User) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this User.
 func (mg *User) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *User) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this User.
+func (mg *User) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this User.
 func (mg *User) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *Workflow) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Workflow.
+func (mg *Workflow) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Workflow.
 func (mg *Workflow) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *Workflow) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Workflow.
+func (mg *Workflow) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Workflow.
 func (mg *Workflow) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/vpc/v1beta1/zz_generated.managed.go b/apis/vpc/v1beta1/zz_generated.managed.go
index 149f7cbf3c..d252f4cc91 100644
--- a/apis/vpc/v1beta1/zz_generated.managed.go
+++ b/apis/vpc/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *NetworkPerformanceMetricSubscription) GetDeletionPolicy() xpv1.Deletio
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this NetworkPerformanceMetricSubscription.
+func (mg *NetworkPerformanceMetricSubscription) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this NetworkPerformanceMetricSubscription.
 func (mg *NetworkPerformanceMetricSubscription) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *NetworkPerformanceMetricSubscription) SetDeletionPolicy(r xpv1.Deletio
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this NetworkPerformanceMetricSubscription.
+func (mg *NetworkPerformanceMetricSubscription) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this NetworkPerformanceMetricSubscription.
 func (mg *NetworkPerformanceMetricSubscription) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/waf/v1beta1/zz_generated.managed.go b/apis/waf/v1beta1/zz_generated.managed.go
index f3991fc844..684ee064c0 100644
--- a/apis/waf/v1beta1/zz_generated.managed.go
+++ b/apis/waf/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ByteMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ByteMatchSet.
+func (mg *ByteMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ByteMatchSet.
 func (mg *ByteMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ByteMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ByteMatchSet.
+func (mg *ByteMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ByteMatchSet.
 func (mg *ByteMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *GeoMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GeoMatchSet.
+func (mg *GeoMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GeoMatchSet.
 func (mg *GeoMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *GeoMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GeoMatchSet.
+func (mg *GeoMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GeoMatchSet.
 func (mg *GeoMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *IPSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IPSet.
+func (mg *IPSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IPSet.
 func (mg *IPSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *IPSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IPSet.
+func (mg *IPSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IPSet.
 func (mg *IPSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *RateBasedRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RateBasedRule.
+func (mg *RateBasedRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RateBasedRule.
 func (mg *RateBasedRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *RateBasedRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RateBasedRule.
+func (mg *RateBasedRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RateBasedRule.
 func (mg *RateBasedRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *RegexMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegexMatchSet.
+func (mg *RegexMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegexMatchSet.
 func (mg *RegexMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *RegexMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegexMatchSet.
+func (mg *RegexMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegexMatchSet.
 func (mg *RegexMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *RegexPatternSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegexPatternSet.
+func (mg *RegexPatternSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegexPatternSet.
 func (mg *RegexPatternSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *RegexPatternSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegexPatternSet.
+func (mg *RegexPatternSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegexPatternSet.
 func (mg *RegexPatternSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Rule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Rule.
+func (mg *Rule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Rule.
 func (mg *Rule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Rule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Rule.
+func (mg *Rule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Rule.
 func (mg *Rule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *SQLInjectionMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SQLInjectionMatchSet.
+func (mg *SQLInjectionMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SQLInjectionMatchSet.
 func (mg *SQLInjectionMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *SQLInjectionMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SQLInjectionMatchSet.
+func (mg *SQLInjectionMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SQLInjectionMatchSet.
 func (mg *SQLInjectionMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *SizeConstraintSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SizeConstraintSet.
+func (mg *SizeConstraintSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SizeConstraintSet.
 func (mg *SizeConstraintSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *SizeConstraintSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SizeConstraintSet.
+func (mg *SizeConstraintSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SizeConstraintSet.
 func (mg *SizeConstraintSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *WebACL) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this WebACL.
+func (mg *WebACL) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this WebACL.
 func (mg *WebACL) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *WebACL) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this WebACL.
+func (mg *WebACL) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this WebACL.
 func (mg *WebACL) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *XSSMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this XSSMatchSet.
+func (mg *XSSMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this XSSMatchSet.
 func (mg *XSSMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *XSSMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this XSSMatchSet.
+func (mg *XSSMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this XSSMatchSet.
 func (mg *XSSMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/wafregional/v1beta1/zz_generated.managed.go b/apis/wafregional/v1beta1/zz_generated.managed.go
index f3991fc844..684ee064c0 100644
--- a/apis/wafregional/v1beta1/zz_generated.managed.go
+++ b/apis/wafregional/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *ByteMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this ByteMatchSet.
+func (mg *ByteMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this ByteMatchSet.
 func (mg *ByteMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *ByteMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this ByteMatchSet.
+func (mg *ByteMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this ByteMatchSet.
 func (mg *ByteMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *GeoMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this GeoMatchSet.
+func (mg *GeoMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this GeoMatchSet.
 func (mg *GeoMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *GeoMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this GeoMatchSet.
+func (mg *GeoMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this GeoMatchSet.
 func (mg *GeoMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *IPSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IPSet.
+func (mg *IPSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IPSet.
 func (mg *IPSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *IPSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IPSet.
+func (mg *IPSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IPSet.
 func (mg *IPSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -215,6 +245,11 @@ func (mg *RateBasedRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RateBasedRule.
+func (mg *RateBasedRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RateBasedRule.
 func (mg *RateBasedRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -248,6 +283,11 @@ func (mg *RateBasedRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RateBasedRule.
+func (mg *RateBasedRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RateBasedRule.
 func (mg *RateBasedRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -281,6 +321,11 @@ func (mg *RegexMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegexMatchSet.
+func (mg *RegexMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegexMatchSet.
 func (mg *RegexMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -314,6 +359,11 @@ func (mg *RegexMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegexMatchSet.
+func (mg *RegexMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegexMatchSet.
 func (mg *RegexMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -347,6 +397,11 @@ func (mg *RegexPatternSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegexPatternSet.
+func (mg *RegexPatternSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegexPatternSet.
 func (mg *RegexPatternSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -380,6 +435,11 @@ func (mg *RegexPatternSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegexPatternSet.
+func (mg *RegexPatternSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegexPatternSet.
 func (mg *RegexPatternSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -413,6 +473,11 @@ func (mg *Rule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Rule.
+func (mg *Rule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Rule.
 func (mg *Rule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -446,6 +511,11 @@ func (mg *Rule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Rule.
+func (mg *Rule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Rule.
 func (mg *Rule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -479,6 +549,11 @@ func (mg *SQLInjectionMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SQLInjectionMatchSet.
+func (mg *SQLInjectionMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SQLInjectionMatchSet.
 func (mg *SQLInjectionMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -512,6 +587,11 @@ func (mg *SQLInjectionMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SQLInjectionMatchSet.
+func (mg *SQLInjectionMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SQLInjectionMatchSet.
 func (mg *SQLInjectionMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -545,6 +625,11 @@ func (mg *SizeConstraintSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SizeConstraintSet.
+func (mg *SizeConstraintSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SizeConstraintSet.
 func (mg *SizeConstraintSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -578,6 +663,11 @@ func (mg *SizeConstraintSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SizeConstraintSet.
+func (mg *SizeConstraintSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SizeConstraintSet.
 func (mg *SizeConstraintSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -611,6 +701,11 @@ func (mg *WebACL) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this WebACL.
+func (mg *WebACL) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this WebACL.
 func (mg *WebACL) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -644,6 +739,11 @@ func (mg *WebACL) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this WebACL.
+func (mg *WebACL) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this WebACL.
 func (mg *WebACL) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -677,6 +777,11 @@ func (mg *XSSMatchSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this XSSMatchSet.
+func (mg *XSSMatchSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this XSSMatchSet.
 func (mg *XSSMatchSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -710,6 +815,11 @@ func (mg *XSSMatchSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this XSSMatchSet.
+func (mg *XSSMatchSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this XSSMatchSet.
 func (mg *XSSMatchSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/wafv2/v1beta1/zz_generated.managed.go b/apis/wafv2/v1beta1/zz_generated.managed.go
index a6375be8af..45fe5f1b1f 100644
--- a/apis/wafv2/v1beta1/zz_generated.managed.go
+++ b/apis/wafv2/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *IPSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IPSet.
+func (mg *IPSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IPSet.
 func (mg *IPSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *IPSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IPSet.
+func (mg *IPSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IPSet.
 func (mg *IPSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *RegexPatternSet) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this RegexPatternSet.
+func (mg *RegexPatternSet) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this RegexPatternSet.
 func (mg *RegexPatternSet) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *RegexPatternSet) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this RegexPatternSet.
+func (mg *RegexPatternSet) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this RegexPatternSet.
 func (mg *RegexPatternSet) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/workspaces/v1beta1/zz_generated.managed.go b/apis/workspaces/v1beta1/zz_generated.managed.go
index 2133273d9a..6f14a26a18 100644
--- a/apis/workspaces/v1beta1/zz_generated.managed.go
+++ b/apis/workspaces/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *Directory) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Directory.
+func (mg *Directory) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Directory.
 func (mg *Directory) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *Directory) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Directory.
+func (mg *Directory) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Directory.
 func (mg *Directory) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *IPGroup) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this IPGroup.
+func (mg *IPGroup) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this IPGroup.
 func (mg *IPGroup) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *IPGroup) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this IPGroup.
+func (mg *IPGroup) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this IPGroup.
 func (mg *IPGroup) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/apis/xray/v1beta1/zz_generated.managed.go b/apis/xray/v1beta1/zz_generated.managed.go
index 0beab85d05..924abab9f3 100644
--- a/apis/xray/v1beta1/zz_generated.managed.go
+++ b/apis/xray/v1beta1/zz_generated.managed.go
@@ -17,6 +17,11 @@ func (mg *EncryptionConfig) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this EncryptionConfig.
+func (mg *EncryptionConfig) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this EncryptionConfig.
 func (mg *EncryptionConfig) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -50,6 +55,11 @@ func (mg *EncryptionConfig) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this EncryptionConfig.
+func (mg *EncryptionConfig) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this EncryptionConfig.
 func (mg *EncryptionConfig) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -83,6 +93,11 @@ func (mg *Group) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this Group.
+func (mg *Group) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this Group.
 func (mg *Group) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -116,6 +131,11 @@ func (mg *Group) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this Group.
+func (mg *Group) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this Group.
 func (mg *Group) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
@@ -149,6 +169,11 @@ func (mg *SamplingRule) GetDeletionPolicy() xpv1.DeletionPolicy {
 	return mg.Spec.DeletionPolicy
 }
 
+// GetManagementPolicy of this SamplingRule.
+func (mg *SamplingRule) GetManagementPolicy() xpv1.ManagementPolicy {
+	return mg.Spec.ManagementPolicy
+}
+
 // GetProviderConfigReference of this SamplingRule.
 func (mg *SamplingRule) GetProviderConfigReference() *xpv1.Reference {
 	return mg.Spec.ProviderConfigReference
@@ -182,6 +207,11 @@ func (mg *SamplingRule) SetDeletionPolicy(r xpv1.DeletionPolicy) {
 	mg.Spec.DeletionPolicy = r
 }
 
+// SetManagementPolicy of this SamplingRule.
+func (mg *SamplingRule) SetManagementPolicy(r xpv1.ManagementPolicy) {
+	mg.Spec.ManagementPolicy = r
+}
+
 // SetProviderConfigReference of this SamplingRule.
 func (mg *SamplingRule) SetProviderConfigReference(r *xpv1.Reference) {
 	mg.Spec.ProviderConfigReference = r
diff --git a/go.mod b/go.mod
index 7ddaa1bbd8..d494880cc4 100644
--- a/go.mod
+++ b/go.mod
@@ -9,8 +9,8 @@ require (
 	github.com/aws/aws-sdk-go-v2/service/eks v1.22.0
 	github.com/aws/aws-sdk-go-v2/service/sts v1.9.0
 	github.com/aws/smithy-go v1.13.3
-	github.com/crossplane/crossplane-runtime v0.19.2
-	github.com/crossplane/crossplane-tools v0.0.0-20220310165030-1f43fc12793e
+	github.com/crossplane/crossplane-runtime v0.20.0-rc.0.0.20230406155702-4e1673b7141f
+	github.com/crossplane/crossplane-tools v0.0.0-20230327091744-4236bf732aa5
 	github.com/go-ini/ini v1.46.0
 	github.com/google/go-cmp v0.5.9
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0
@@ -71,7 +71,7 @@ require (
 	github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.4.4 // indirect
-	github.com/hashicorp/go-retryablehttp v0.6.6 // indirect
+	github.com/hashicorp/go-retryablehttp v0.7.1 // indirect
 	github.com/hashicorp/go-rootcerts v1.0.2 // indirect
 	github.com/hashicorp/go-secure-stdlib/mlock v0.1.1 // indirect
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.1 // indirect
@@ -98,7 +98,7 @@ require (
 	github.com/mailru/easyjson v0.7.7 // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.16 // indirect
-	github.com/matttproud/golang_protobuf_extensions v1.0.2 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -127,13 +127,13 @@ require (
 	github.com/vmihailenco/tagparser v0.1.1 // indirect
 	github.com/yuin/goldmark v1.4.13 // indirect
 	github.com/zclconf/go-cty v1.11.0 // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.6.0 // indirect
+	go.uber.org/atomic v1.10.0 // indirect
+	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.24.0 // indirect
-	golang.org/x/crypto v0.1.0 // indirect
+	golang.org/x/crypto v0.2.0 // indirect
 	golang.org/x/mod v0.7.0 // indirect
 	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 // indirect
+	golang.org/x/oauth2 v0.1.0 // indirect
 	golang.org/x/sys v0.5.0 // indirect
 	golang.org/x/term v0.5.0 // indirect
 	golang.org/x/text v0.7.0 // indirect
@@ -141,16 +141,16 @@ require (
 	golang.org/x/tools v0.4.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.2.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad // indirect
-	google.golang.org/grpc v1.49.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd // indirect
+	google.golang.org/grpc v1.50.1 // indirect
+	google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/ini.v1 v1.62.0 // indirect
 	gopkg.in/square/go-jose.v2 v2.5.1 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.26.1 // indirect
-	k8s.io/component-base v0.26.1 // indirect
+	k8s.io/apiextensions-apiserver v0.26.3 // indirect
+	k8s.io/component-base v0.26.3 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 // indirect
 	sigs.k8s.io/json v0.0.0-20220713155537-f223a00ba0e2 // indirect
diff --git a/go.sum b/go.sum
index 5ab24e62aa..30f8e33ff2 100644
--- a/go.sum
+++ b/go.sum
@@ -120,18 +120,14 @@ github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDk
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cncf/udpa/go v0.0.0-20200629203442-efcf912fb354/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
 github.com/cncf/udpa/go v0.0.0-20201120205902-5459f2c99403/go.mod h1:WmhPx2Nbnhtbo57+VJT5O0JRkEi1Wbu0z5j0R8u5Hbk=
-github.com/cncf/udpa/go v0.0.0-20210930031921-04548b0d99d4/go.mod h1:6pvJx4me5XPnfI9Z40ddWsdw2W/uZgQLFXToKeRcDiI=
 github.com/cncf/xds/go v0.0.0-20210312221358-fbca930ec8ed/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20210805033703-aa0b78936158/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20210922020428-25de7278fc84/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
-github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
-github.com/crossplane/crossplane-runtime v0.19.2 h1:9qBnhpqKN4x6apF2siaQ6PvgxqBXbGcKmgeD8mSIDO8=
-github.com/crossplane/crossplane-runtime v0.19.2/go.mod h1:OJQ1NxtQK2ZTRmvtnQPoy8LsXsARTnVydRVDQEgIuz4=
-github.com/crossplane/crossplane-tools v0.0.0-20220310165030-1f43fc12793e h1:HqLaMji3FRPwEBA5P6twPz0HbE6no0XOnByLU5O1noM=
-github.com/crossplane/crossplane-tools v0.0.0-20220310165030-1f43fc12793e/go.mod h1:xFf30hwHd5n0/a0D4ZomId8nxQTTjE0Hc1j4/rWxefc=
+github.com/crossplane/crossplane-runtime v0.20.0-rc.0.0.20230406155702-4e1673b7141f h1:wDRr6gaoiQstEdddrn0B5SSSgzdXreOQAbdmRH+9JeI=
+github.com/crossplane/crossplane-runtime v0.20.0-rc.0.0.20230406155702-4e1673b7141f/go.mod h1:ebtUpmconMy8RKUEhrCXTUFSOpfGQqbKM2E+rjCCYJo=
+github.com/crossplane/crossplane-tools v0.0.0-20230327091744-4236bf732aa5 h1:K9H55wcwfXcGroZApIgPmIGRGuZLszsLDCYB12p2yMo=
+github.com/crossplane/crossplane-tools v0.0.0-20230327091744-4236bf732aa5/go.mod h1:+e4OaFlOcmr0JvINHl/yvEYBrZawzTgj6pQumOH1SS0=
 github.com/dave/jennifer v1.4.1 h1:XyqG6cn5RQsTj3qlWQTKlRGAyrTcsk1kUmWdZBzRjDw=
 github.com/dave/jennifer v1.4.1/go.mod h1:7jEdnm+qBcxl8PC0zyp7vxcpSRnzXSt9r39tpTVGlwA=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -147,7 +143,6 @@ github.com/envoyproxy/go-control-plane v0.9.7/go.mod h1:cwu0lG7PUMfa9snN8LXBig5y
 github.com/envoyproxy/go-control-plane v0.9.9-0.20201210154907-fd9021fe5dad/go.mod h1:cXg6YxExXjJnVBQHBLXeUAgxn2UodCpnH306RInaBQk=
 github.com/envoyproxy/go-control-plane v0.9.9-0.20210512163311-63b5d3c536b0/go.mod h1:hliV/p42l8fGbc6Y9bQ70uLwIvmJyVE5k4iMKlh8wCQ=
 github.com/envoyproxy/go-control-plane v0.9.10-0.20210907150352-cf90f659a021/go.mod h1:AFq3mo9L8Lqqiid3OhADV3RfLJnjiw63cSpi+fDTRC0=
-github.com/envoyproxy/go-control-plane v0.10.2-0.20220325020618-49ff273808a1/go.mod h1:KJwIaB5Mv44NWtYuAOFCVOjcI94vtpEz2JU/D2v6IjE=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
 github.com/evanphx/json-patch v0.5.2/go.mod h1:ZWS5hhDbVDyob71nXKNL0+PWn6ToqBHMikGIFbs31qQ=
 github.com/evanphx/json-patch v4.12.0+incompatible h1:4onqiflcdA9EOZ4RxV643DvftH5pOlLGNtQ5lPWQu84=
@@ -312,8 +307,9 @@ github.com/hashicorp/go-plugin v1.4.3/go.mod h1:5fGEH17QVwTTcR0zV7yhDPLLmFX9YSZ3
 github.com/hashicorp/go-plugin v1.4.4 h1:NVdrSdFRt3SkZtNckJ6tog7gbpRrcbOjQi/rgF7JYWQ=
 github.com/hashicorp/go-plugin v1.4.4/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
-github.com/hashicorp/go-retryablehttp v0.6.6 h1:HJunrbHTDDbBb/ay4kxa1n+dLmttUlnP3V9oNE4hmsM=
 github.com/hashicorp/go-retryablehttp v0.6.6/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
+github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ=
+github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
 github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc=
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/base62 v0.1.1/go.mod h1:EdWO6czbmthiwZ3/PUsDV+UD1D5IRU4ActiaWGwt0Yw=
@@ -427,8 +423,8 @@ github.com/mattn/go-isatty v0.0.14/go.mod h1:7GGIvUiUoEMVVmxf/4nioHXj79iQHKdU27k
 github.com/mattn/go-isatty v0.0.16 h1:bq3VjFmv/sOjHtdEhmkEV4x1AJtvUvOJ2PFAZ5+peKQ=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
-github.com/matttproud/golang_protobuf_extensions v1.0.2 h1:hAHbPm5IJGijwng3PWk09JkG9WeqChjprR5s9bBZ+OM=
-github.com/matttproud/golang_protobuf_extensions v1.0.2/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc=
 github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw=
 github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw=
@@ -589,12 +585,14 @@ go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
 go.opentelemetry.io/proto/otlp v0.7.0/go.mod h1:PqfVotwruBrMGOCsRd/89rSnXhoiJIqeYNgFYFoEGnI=
 go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
-go.uber.org/atomic v1.9.0 h1:ECmE8Bn/WFTYwEW/bpKD3M8VtR/zQVbavAoalC1PYyE=
 go.uber.org/atomic v1.9.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ=
+go.uber.org/atomic v1.10.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.2.0 h1:xqgm/S+aQvhWFTtR0XK3Jvg7z8kGV8P4X14IzwN3Eqk=
-go.uber.org/multierr v1.6.0 h1:y6IPFStTAIT5Ytl7/XYmHvzXQ7S3g/IeZW9hyZ5thw4=
 go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/multierr v1.8.0 h1:dg6GjLku4EH+249NNmoIciG9N/jURbDG+pFlTkhzIC8=
+go.uber.org/multierr v1.8.0/go.mod h1:7EAYxJLBy9rStEaz58O2t4Uvip6FSURkq8/ppBp95ak=
 go.uber.org/zap v1.19.0/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
 go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60=
 go.uber.org/zap v1.24.0/go.mod h1:2kMP+WWQ8aoFoedH3T2sq6iJ2yDWpHbP0f6MQbS9Gkg=
@@ -608,8 +606,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4=
 golang.org/x/crypto v0.0.0-20210711020723-a769d52b0f97/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.0.0-20211108221036-ceb1ce70b4fa/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
-golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
-golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
+golang.org/x/crypto v0.2.0 h1:BRXPfhNivWL5Yq0BGQ39a2sW6t44aODpfxkWjYdzewE=
+golang.org/x/crypto v0.2.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8=
@@ -700,8 +698,8 @@ golang.org/x/oauth2 v0.0.0-20201208152858-08078c50e5b5/go.mod h1:KelEdhl1UZF7XfJ
 golang.org/x/oauth2 v0.0.0-20210218202405-ba52d332ba99/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20210514164344-f6687ab2804c/go.mod h1:KelEdhl1UZF7XfJ4dDtk6s++YSgaE7mD/BuKKDLBl4A=
 golang.org/x/oauth2 v0.0.0-20220223155221-ee480838109b/go.mod h1:DAh4E804XQdzx2j+YRIaUnCqCV2RuMz24cGBJ5QYIrc=
-golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2 h1:+jnHzr9VPj32ykQVai5DNahi9+NSp7yYuCsl5eAQtL0=
-golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
+golang.org/x/oauth2 v0.1.0 h1:isLCZuhj4v+tYv7eskaN4v/TM+A1begWWgyVJDdl1+Y=
+golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -920,8 +918,8 @@ google.golang.org/genproto v0.0.0-20201214200347-8c77b98c765d/go.mod h1:FWY/as6D
 google.golang.org/genproto v0.0.0-20210108203827-ffc7fda8c3d7/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20210226172003-ab064af71705/go.mod h1:FWY/as6DDZQgahTzZj3fqbO1CbirC29ZNUFHwi0/+no=
 google.golang.org/genproto v0.0.0-20220107163113-42d7afdf6368/go.mod h1:5CzLGKJ67TSI2B9POpiiyGha0AjJvZIUgRMt1dSmuhc=
-google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad h1:kqrS+lhvaMHCxul6sKQvKJ8nAAhlVItmZV822hYFH/U=
-google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
+google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd h1:OjndDrsik+Gt+e6fs45z9AxiewiKyLKYpA45W5Kpkks=
+google.golang.org/genproto v0.0.0-20221202195650-67e5cbc046fd/go.mod h1:cTsE614GARnxrLsqKREzmNYJACSWWpAWdNMwnD7c2BE=
 google.golang.org/grpc v1.8.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -943,9 +941,8 @@ google.golang.org/grpc v1.35.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAG
 google.golang.org/grpc v1.36.0/go.mod h1:qjiiYl8FncCW8feJPdyg3v6XW24KsRHe+dy9BAGRRjU=
 google.golang.org/grpc v1.40.0/go.mod h1:ogyxbiOoUXAkP+4+xa6PZSE9DZgIHtSpzjDTB9KAK34=
 google.golang.org/grpc v1.41.0/go.mod h1:U3l9uK9J0sini8mHphKoXyaqDA/8VyGnDee1zzIUK6k=
-google.golang.org/grpc v1.47.0/go.mod h1:vN9eftEi1UMyUsIF80+uQXhHjbXYbm0uXoFCACuMGWk=
-google.golang.org/grpc v1.49.0 h1:WTLtQzmQori5FUH25Pq4WT22oCsv8USpQ+F6rqtsmxw=
-google.golang.org/grpc v1.49.0/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
+google.golang.org/grpc v1.50.1 h1:DS/BukOZWp8s6p4Dt/tOaJaTQyPyOoCcrjroHuCeLzY=
+google.golang.org/grpc v1.50.1/go.mod h1:ZgQEeidpAuNRZ8iRrlBKXZQP1ghovWIVhdJRyCDK+GI=
 google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
 google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
 google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
@@ -959,9 +956,8 @@ google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlba
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
+google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8 h1:KR8+MyP7/qOlV+8Af01LtjL04bu7on42eVsxT4EyBQk=
+google.golang.org/protobuf v1.28.2-0.20220831092852-f930b1dc76e8/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -1000,14 +996,14 @@ honnef.co/go/tools v0.0.1-2020.1.3/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9
 honnef.co/go/tools v0.0.1-2020.1.4/go.mod h1:X/FiERA/W4tHapMX5mGpAtMSVEeEUOyHaw9vFzvIQ3k=
 k8s.io/api v0.26.3 h1:emf74GIQMTik01Aum9dPP0gAypL8JTLl/lHa4V9RFSU=
 k8s.io/api v0.26.3/go.mod h1:PXsqwPMXBSBcL1lJ9CYDKy7kIReUydukS5JiRlxC3qE=
-k8s.io/apiextensions-apiserver v0.26.1 h1:cB8h1SRk6e/+i3NOrQgSFij1B2S0Y0wDoNl66bn8RMI=
-k8s.io/apiextensions-apiserver v0.26.1/go.mod h1:AptjOSXDGuE0JICx/Em15PaoO7buLwTs0dGleIHixSM=
+k8s.io/apiextensions-apiserver v0.26.3 h1:5PGMm3oEzdB1W/FTMgGIDmm100vn7IaUP5er36dB+YE=
+k8s.io/apiextensions-apiserver v0.26.3/go.mod h1:jdA5MdjNWGP+njw1EKMZc64xAT5fIhN6VJrElV3sfpQ=
 k8s.io/apimachinery v0.26.3 h1:dQx6PNETJ7nODU3XPtrwkfuubs6w7sX0M8n61zHIV/k=
 k8s.io/apimachinery v0.26.3/go.mod h1:ats7nN1LExKHvJ9TmwootT00Yz05MuYqPXEXaVeOy5I=
 k8s.io/client-go v0.26.3 h1:k1UY+KXfkxV2ScEL3gilKcF7761xkYsSD6BC9szIu8s=
 k8s.io/client-go v0.26.3/go.mod h1:ZPNu9lm8/dbRIPAgteN30RSXea6vrCpFvq+MateTUuQ=
-k8s.io/component-base v0.26.1 h1:4ahudpeQXHZL5kko+iDHqLj/FSGAEUnSVO0EBbgDd+4=
-k8s.io/component-base v0.26.1/go.mod h1:VHrLR0b58oC035w6YQiBSbtsf0ThuSwXP+p5dD/kAWU=
+k8s.io/component-base v0.26.3 h1:oC0WMK/ggcbGDTkdcqefI4wIZRYdK3JySx9/HADpV0g=
+k8s.io/component-base v0.26.3/go.mod h1:5kj1kZYwSC6ZstHJN7oHBqcJC6yyn41eR+Sqa/mQc8E=
 k8s.io/klog/v2 v2.80.1 h1:atnLQ121W371wYYFawwYx1aEY2eUfs4l3J72wtgAwV4=
 k8s.io/klog/v2 v2.80.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0=
 k8s.io/kube-openapi v0.0.0-20221012153701-172d655c2280 h1:+70TFaan3hfJzs+7VK2o+OGxg8HsuBr/5f6tVAjDu6E=

From 6dd26add64741f8829eb7a2ff6829466c342e25d Mon Sep 17 00:00:00 2001
From: Hasan Turken <turkenh@gmail.com>
Date: Thu, 13 Apr 2023 13:03:00 +0300
Subject: [PATCH 2/5] Add feature flag for management policies

Signed-off-by: Hasan Turken <turkenh@gmail.com>
---
 cmd/provider/main.go          | 6 ++++++
 internal/features/features.go | 5 +++++
 2 files changed, 11 insertions(+)

diff --git a/cmd/provider/main.go b/cmd/provider/main.go
index 4d342f9099..5d4afd75ea 100644
--- a/cmd/provider/main.go
+++ b/cmd/provider/main.go
@@ -45,6 +45,7 @@ func main() {
 
 		namespace                  = app.Flag("namespace", "Namespace used to set as default scope in default secret store config.").Default("crossplane-system").Envar("POD_NAMESPACE").String()
 		enableExternalSecretStores = app.Flag("enable-external-secret-stores", "Enable support for ExternalSecretStores.").Default("false").Envar("ENABLE_EXTERNAL_SECRET_STORES").Bool()
+		enableManagementPolicies   = app.Flag("enable-management-policies", "Enable support for Management Policies.").Default("false").Envar("ENABLE_MANAGEMENT_POLICIES").Bool()
 	)
 	setupConfig := &clients.SetupConfig{}
 	setupConfig.TerraformVersion = app.Flag("terraform-version", "Terraform version.").Required().Envar("TERRAFORM_VERSION").String()
@@ -124,6 +125,11 @@ func main() {
 		})), "cannot create default store config")
 	}
 
+	if *enableManagementPolicies {
+		o.Features.Enable(features.EnableAlphaManagementPolicies)
+		log.Info("Alpha feature enabled", "flag", features.EnableAlphaManagementPolicies)
+	}
+
 	kingpin.FatalIfError(controller.Setup(mgr, o), "Cannot setup AWS controllers")
 	kingpin.FatalIfError(mgr.Start(ctrl.SetupSignalHandler()), "Cannot start controller manager")
 }
diff --git a/internal/features/features.go b/internal/features/features.go
index 9c6b1fc84e..de261ca405 100644
--- a/internal/features/features.go
+++ b/internal/features/features.go
@@ -12,4 +12,9 @@ const (
 	// External Secret Stores. See the below design for more details.
 	// https://github.com/crossplane/crossplane/blob/390ddd/design/design-doc-external-secret-stores.md
 	EnableAlphaExternalSecretStores feature.Flag = "EnableAlphaExternalSecretStores"
+
+	// EnableAlphaManagementPolicies enables alpha support for
+	// Management Policies. See the below design for more details.
+	// https://github.com/crossplane/crossplane/pull/3531
+	EnableAlphaManagementPolicies feature.Flag = "EnableAlphaManagementPolicies"
 )

From a1f178dd748231df6ad726146d7212e8f188572d Mon Sep 17 00:00:00 2001
From: Hasan Turken <turkenh@gmail.com>
Date: Thu, 13 Apr 2023 14:20:58 +0300
Subject: [PATCH 3/5] Bump to latest upjet and configure features package

Signed-off-by: Hasan Turken <turkenh@gmail.com>
---
 config/provider.go | 1 +
 go.mod             | 2 +-
 go.sum             | 4 ++--
 3 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/config/provider.go b/config/provider.go
index 3203e5ed93..cd0bb49ca7 100644
--- a/config/provider.go
+++ b/config/provider.go
@@ -141,6 +141,7 @@ func GetProvider() *config.Provider {
 		config.WithReferenceInjectors([]config.ReferenceInjector{reference.NewInjector(modulePath)}),
 		config.WithSkipList(skipList),
 		config.WithBasePackages(BasePackages),
+		config.WithFeaturesPackage("internal/features"),
 		config.WithDefaultResourceOptions(
 			GroupKindOverrides(),
 			KindOverrides(),
diff --git a/go.mod b/go.mod
index d494880cc4..c88e322297 100644
--- a/go.mod
+++ b/go.mod
@@ -15,7 +15,7 @@ require (
 	github.com/google/go-cmp v0.5.9
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.24.0
 	github.com/pkg/errors v0.9.1
-	github.com/upbound/upjet v0.9.0-rc.0.0.20230403193742-b89baca4ae24
+	github.com/upbound/upjet v0.9.0-rc.0.0.20230413124512-01e5c1fafb42
 	gopkg.in/alecthomas/kingpin.v2 v2.2.6
 	k8s.io/api v0.26.3
 	k8s.io/apimachinery v0.26.3
diff --git a/go.sum b/go.sum
index 30f8e33ff2..725368a566 100644
--- a/go.sum
+++ b/go.sum
@@ -551,8 +551,8 @@ github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/tmccombs/hcl2json v0.3.3 h1:+DLNYqpWE0CsOQiEZu+OZm5ZBImake3wtITYxQ8uLFQ=
 github.com/tmccombs/hcl2json v0.3.3/go.mod h1:Y2chtz2x9bAeRTvSibVRVgbLJhLJXKlUeIvjeVdnm4w=
 github.com/tv42/httpunix v0.0.0-20150427012821-b75d8614f926/go.mod h1:9ESjWnEqriFuLhtthL60Sar/7RFoluCcXsuvEwTV5KM=
-github.com/upbound/upjet v0.9.0-rc.0.0.20230403193742-b89baca4ae24 h1:zWEi4gUi1kZ8e/rFsA2Q5ZLs1ABSgz1SjckecQjELDM=
-github.com/upbound/upjet v0.9.0-rc.0.0.20230403193742-b89baca4ae24/go.mod h1:wwCuupQRfs+SL6LGAlAHu5Z/oPffvWaBQ9Luf+7CIZ8=
+github.com/upbound/upjet v0.9.0-rc.0.0.20230413124512-01e5c1fafb42 h1:kEpQ3I4YXkdatz/dT8LvvFUHbJTPw4SBz4SdFmPS/vw=
+github.com/upbound/upjet v0.9.0-rc.0.0.20230413124512-01e5c1fafb42/go.mod h1:IhrO+1L/Ieq7ZCORhiuZ4sShOzl/GoVGVjq0+JCMDYo=
 github.com/vmihailenco/msgpack v3.3.3+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=
 github.com/vmihailenco/msgpack v4.0.4+incompatible h1:dSLoQfGFAo3F6OoNhwUmLwVgaUXK79GlxNBwueZn0xI=
 github.com/vmihailenco/msgpack v4.0.4+incompatible/go.mod h1:fy3FlTQTDXWkZ7Bh6AcGMlsjHatGryHQYUTf1ShIgkk=

From 205e62b80e58ffc6d34da1b659db146b5ae1ef24 Mon Sep 17 00:00:00 2001
From: Hasan Turken <turkenh@gmail.com>
Date: Thu, 13 Apr 2023 13:50:48 +0300
Subject: [PATCH 4/5] Region is an identifier field

Signed-off-by: Hasan Turken <turkenh@gmail.com>
---
 config/externalname.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/config/externalname.go b/config/externalname.go
index 38b3a9d654..600376cd2e 100644
--- a/config/externalname.go
+++ b/config/externalname.go
@@ -2853,6 +2853,11 @@ func ExternalNameConfigurations() config.ResourceOption {
 		if e, ok := ExternalNameConfigs[r.Name]; ok {
 			r.Version = common.VersionV1Beta1
 			r.ExternalName = e
+			// Note(turkenh): This is special to provider-aws. We had injected
+			// region as a parameter for all resources to be consistent with
+			// the native aws provider, and now, we need to add manually it to
+			// the identifier fields for all resources.
+			r.ExternalName.IdentifierFields = append(r.ExternalName.IdentifierFields, "region")
 		}
 	}
 }

From b1be216b57d32dac76d2bb69033b1c81cc53c50f Mon Sep 17 00:00:00 2001
From: Hasan Turken <turkenh@gmail.com>
Date: Thu, 13 Apr 2023 14:23:11 +0300
Subject: [PATCH 5/5] Generate with the latest upjet

Signed-off-by: Hasan Turken <turkenh@gmail.com>
---
 .../v1beta1/zz_analyzer_types.go              |    6 +
 .../v1beta1/zz_archiverule_types.go           |   30 +-
 .../v1beta1/zz_generated.deepcopy.go          |   75 +
 .../v1beta1/zz_alternatecontact_types.go      |   43 +-
 apis/account/v1beta1/zz_generated.deepcopy.go |   30 +
 apis/acm/v1beta1/zz_certificate_types.go      |   46 +
 .../v1beta1/zz_certificatevalidation_types.go |    6 +
 apis/acm/v1beta1/zz_generated.deepcopy.go     |  106 +
 apis/acmpca/v1beta1/zz_certificate_types.go   |   36 +-
 .../v1beta1/zz_certificateauthority_types.go  |  106 +-
 ...z_certificateauthoritycertificate_types.go |   11 +-
 apis/acmpca/v1beta1/zz_generated.deepcopy.go  |  253 +
 apis/acmpca/v1beta1/zz_permission_types.go    |   27 +-
 apis/acmpca/v1beta1/zz_policy_types.go        |   15 +-
 .../zz_alertmanagerdefinition_types.go        |   16 +-
 apis/amp/v1beta1/zz_generated.deepcopy.go     |   52 +
 .../v1beta1/zz_rulegroupnamespace_types.go    |   16 +-
 apis/amp/v1beta1/zz_workspace_types.go        |   12 +
 apis/amplify/v1beta1/zz_app_types.go          |   93 +-
 .../v1beta1/zz_backendenvironment_types.go    |    9 +
 apis/amplify/v1beta1/zz_branch_types.go       |   45 +
 apis/amplify/v1beta1/zz_generated.deepcopy.go |  305 +
 apis/amplify/v1beta1/zz_webhook_types.go      |    9 +
 apis/apigateway/v1beta1/zz_account_types.go   |    4 +
 apis/apigateway/v1beta1/zz_apikey_types.go    |   21 +-
 .../apigateway/v1beta1/zz_authorizer_types.go |   37 +-
 .../v1beta1/zz_basepathmapping_types.go       |   13 +
 .../v1beta1/zz_clientcertificate_types.go     |    6 +
 .../apigateway/v1beta1/zz_deployment_types.go |   18 +
 .../v1beta1/zz_documentationpart_types.go     |   38 +-
 .../v1beta1/zz_documentationversion_types.go  |   19 +-
 .../apigateway/v1beta1/zz_domainname_types.go |   54 +-
 .../v1beta1/zz_gatewayresponse_types.go       |   24 +-
 .../v1beta1/zz_generated.deepcopy.go          | 1288 ++-
 .../v1beta1/zz_integration_types.go           |   72 +-
 .../v1beta1/zz_integrationresponse_types.go   |   25 +
 apis/apigateway/v1beta1/zz_method_types.go    |   51 +-
 .../v1beta1/zz_methodresponse_types.go        |   30 +-
 .../v1beta1/zz_methodsettings_types.go        |   56 +-
 apis/apigateway/v1beta1/zz_model_types.go     |   29 +-
 .../v1beta1/zz_requestvalidator_types.go      |   21 +-
 apis/apigateway/v1beta1/zz_resource_types.go  |   18 +-
 apis/apigateway/v1beta1/zz_restapi_types.go   |   48 +-
 .../v1beta1/zz_restapipolicy_types.go         |   15 +-
 apis/apigateway/v1beta1/zz_stage_types.go     |   64 +-
 apis/apigateway/v1beta1/zz_usageplan_types.go |   63 +-
 .../v1beta1/zz_usageplankey_types.go          |   18 +-
 apis/apigateway/v1beta1/zz_vpclink_types.go   |   21 +-
 apis/apigatewayv2/v1beta1/zz_api_types.go     |   81 +-
 .../v1beta1/zz_apimapping_types.go            |   12 +
 .../v1beta1/zz_authorizer_types.go            |   62 +-
 .../v1beta1/zz_deployment_types.go            |    6 +
 .../v1beta1/zz_domainname_types.go            |   34 +-
 .../v1beta1/zz_generated.deepcopy.go          |  942 ++-
 .../v1beta1/zz_integration_types.go           |   80 +-
 .../v1beta1/zz_integrationresponse_types.go   |   27 +-
 apis/apigatewayv2/v1beta1/zz_model_types.go   |   34 +-
 apis/apigatewayv2/v1beta1/zz_route_types.go   |   54 +-
 .../v1beta1/zz_routeresponse_types.go         |   24 +-
 apis/apigatewayv2/v1beta1/zz_stage_types.go   |   75 +
 apis/apigatewayv2/v1beta1/zz_vpclink_types.go |   21 +-
 .../v1beta1/zz_generated.deepcopy.go          |  244 +
 .../appautoscaling/v1beta1/zz_policy_types.go |   87 +
 .../v1beta1/zz_scheduledaction_types.go       |   52 +-
 .../appautoscaling/v1beta1/zz_target_types.go |   32 +-
 .../appconfig/v1beta1/zz_application_types.go |   18 +-
 .../v1beta1/zz_configurationprofile_types.go  |   41 +-
 apis/appconfig/v1beta1/zz_deployment_types.go |   21 +
 .../v1beta1/zz_deploymentstrategy_types.go    |   48 +-
 .../appconfig/v1beta1/zz_environment_types.go |   30 +-
 apis/appconfig/v1beta1/zz_extension_types.go  |   56 +-
 .../v1beta1/zz_extensionassociation_types.go  |    9 +
 .../v1beta1/zz_generated.deepcopy.go          |  355 +
 .../zz_hostedconfigurationversion_types.go    |   24 +-
 apis/appflow/v1beta1/zz_flow_types.go         |  573 +-
 apis/appflow/v1beta1/zz_generated.deepcopy.go | 1136 ++-
 .../v1beta1/zz_eventintegration_types.go      |   29 +-
 .../v1beta1/zz_generated.deepcopy.go          |   37 +
 .../v1beta1/zz_application_types.go           |   21 +
 .../v1beta1/zz_generated.deepcopy.go          |   45 +
 apis/appmesh/v1beta1/zz_gatewayroute_types.go |  163 +-
 apis/appmesh/v1beta1/zz_generated.deepcopy.go | 2687 +++++-
 apis/appmesh/v1beta1/zz_mesh_types.go         |   13 +
 apis/appmesh/v1beta1/zz_route_types.go        |  407 +-
 .../v1beta1/zz_virtualgateway_types.go        |  229 +-
 apis/appmesh/v1beta1/zz_virtualnode_types.go  |  430 +-
 .../appmesh/v1beta1/zz_virtualrouter_types.go |   41 +-
 .../v1beta1/zz_virtualservice_types.go        |   44 +-
 ...z_autoscalingconfigurationversion_types.go |   24 +-
 apis/apprunner/v1beta1/zz_connection_types.go |   15 +-
 .../v1beta1/zz_generated.deepcopy.go          |  469 ++
 .../zz_observabilityconfiguration_types.go    |   21 +-
 apis/apprunner/v1beta1/zz_service_types.go    |  171 +-
 .../v1beta1/zz_vpcconnector_types.go          |   21 +-
 .../v1beta1/zz_directoryconfig_types.go       |   31 +-
 apis/appstream/v1beta1/zz_fleet_types.go      |   83 +-
 .../v1beta1/zz_fleetstackassociation_types.go |    6 +
 .../v1beta1/zz_generated.deepcopy.go          |  457 ++
 .../v1beta1/zz_imagebuilder_types.go          |   60 +-
 apis/appstream/v1beta1/zz_stack_types.go      |   79 +-
 apis/appstream/v1beta1/zz_user_types.go       |   15 +
 .../v1beta1/zz_userstackassociation_types.go  |   12 +
 apis/appsync/v1beta1/zz_apicache_types.go     |   37 +-
 apis/appsync/v1beta1/zz_apikey_types.go       |    9 +
 apis/appsync/v1beta1/zz_datasource_types.go   |  102 +-
 apis/appsync/v1beta1/zz_function_types.go     |   60 +-
 apis/appsync/v1beta1/zz_generated.deepcopy.go |  737 +-
 apis/appsync/v1beta1/zz_graphqlapi_types.go   |  128 +-
 apis/appsync/v1beta1/zz_resolver_types.go     |   66 +
 apis/athena/v1beta1/zz_database_types.go      |   30 +
 apis/athena/v1beta1/zz_datacatalog_types.go   |   31 +-
 apis/athena/v1beta1/zz_generated.deepcopy.go  |  235 +
 apis/athena/v1beta1/zz_namedquery_types.go    |   29 +-
 apis/athena/v1beta1/zz_workgroup_types.go     |   56 +-
 .../v1beta1/zz_attachment_types.go            |   13 +
 .../v1beta1/zz_autoscalinggroup_types.go      |  381 +-
 .../v1beta1/zz_generated.deepcopy.go          | 2022 ++++-
 apis/autoscaling/v1beta1/zz_grouptag_types.go |   24 +-
 .../v1beta1/zz_launchconfiguration_types.go   |  134 +-
 .../v1beta1/zz_lifecyclehook_types.go         |   31 +-
 .../v1beta1/zz_notification_types.go          |   25 +-
 apis/autoscaling/v1beta1/zz_policy_types.go   |  270 +
 apis/autoscaling/v1beta1/zz_schedule_types.go |   24 +
 .../v1beta1/zz_generated.deepcopy.go          |  252 +
 .../v1beta1/zz_scalingplan_types.go           |  154 +-
 apis/backup/v1beta1/zz_framework_types.go     |   50 +-
 apis/backup/v1beta1/zz_generated.deepcopy.go  |  633 +-
 .../backup/v1beta1/zz_globalsettings_types.go |   12 +-
 apis/backup/v1beta1/zz_plan_types.go          |   77 +-
 .../backup/v1beta1/zz_regionsettings_types.go |   19 +-
 apis/backup/v1beta1/zz_reportplan_types.go    |   52 +-
 apis/backup/v1beta1/zz_selection_types.go     |   70 +-
 apis/backup/v1beta1/zz_vault_types.go         |    9 +
 .../zz_vaultlockconfiguration_types.go        |   12 +
 .../v1beta1/zz_vaultnotifications_types.go    |   18 +-
 apis/backup/v1beta1/zz_vaultpolicy_types.go   |   15 +-
 apis/batch/v1beta1/zz_generated.deepcopy.go   |   49 +
 .../v1beta1/zz_schedulingpolicy_types.go      |   19 +
 apis/budgets/v1beta1/zz_budget_types.go       |  120 +-
 apis/budgets/v1beta1/zz_budgetaction_types.go |  109 +-
 apis/budgets/v1beta1/zz_generated.deepcopy.go |  383 +
 apis/ce/v1beta1/zz_anomalymonitor_types.go    |   29 +-
 apis/ce/v1beta1/zz_generated.deepcopy.go      |   35 +
 apis/chime/v1beta1/zz_generated.deepcopy.go   |  169 +
 apis/chime/v1beta1/zz_voiceconnector_types.go |   16 +-
 .../v1beta1/zz_voiceconnectorgroup_types.go   |    9 +
 .../v1beta1/zz_voiceconnectorlogging_types.go |    9 +
 .../zz_voiceconnectororigination_types.go     |   33 +-
 .../zz_voiceconnectorstreaming_types.go       |   21 +-
 .../zz_voiceconnectortermination_types.go     |   32 +-
 ...ceconnectorterminationcredentials_types.go |   18 +-
 .../cloud9/v1beta1/zz_environmentec2_types.go |   41 +-
 .../v1beta1/zz_environmentmembership_types.go |   18 +-
 apis/cloud9/v1beta1/zz_generated.deepcopy.go  |   70 +
 .../v1beta1/zz_generated.deepcopy.go          |   20 +
 .../cloudcontrol/v1beta1/zz_resource_types.go |   27 +-
 .../v1beta1/zz_generated.deepcopy.go          |  233 +
 apis/cloudformation/v1beta1/zz_stack_types.go |   44 +
 .../v1beta1/zz_stackset_types.go              |   60 +
 .../v1beta1/zz_cachepolicy_types.go           |   74 +-
 .../v1beta1/zz_distribution_types.go          |  387 +-
 .../zz_fieldlevelencryptionconfig_types.go    |   52 +-
 .../zz_fieldlevelencryptionprofile_types.go   |   34 +-
 apis/cloudfront/v1beta1/zz_function_types.go  |   21 +-
 .../v1beta1/zz_generated.deepcopy.go          | 1635 +++-
 apis/cloudfront/v1beta1/zz_keygroup_types.go  |   18 +-
 .../zz_monitoringsubscription_types.go        |   21 +-
 .../v1beta1/zz_originaccesscontrol_types.go   |   39 +-
 .../v1beta1/zz_originaccessidentity_types.go  |    3 +
 .../v1beta1/zz_originrequestpolicy_types.go   |   43 +-
 apis/cloudfront/v1beta1/zz_publickey_types.go |   13 +-
 .../v1beta1/zz_realtimelogconfig_types.go     |   49 +-
 .../v1beta1/zz_responseheaderspolicy_types.go |  134 +-
 apis/cloudsearch/v1beta1/zz_domain_types.go   |   57 +
 .../zz_domainserviceaccesspolicy_types.go     |   16 +-
 .../v1beta1/zz_generated.deepcopy.go          |  111 +
 .../v1beta1/zz_eventdatastore_types.go        |   57 +-
 .../v1beta1/zz_generated.deepcopy.go          |  353 +
 apis/cloudtrail/v1beta1/zz_trail_types.go     |   93 +
 .../v1beta1/zz_compositealarm_types.go        |   30 +-
 apis/cloudwatch/v1beta1/zz_dashboard_types.go |   12 +-
 .../v1beta1/zz_generated.deepcopy.go          |  379 +
 .../v1beta1/zz_metricalarm_types.go           |  124 +-
 .../v1beta1/zz_metricstream_types.go          |   56 +-
 .../v1beta1/zz_apidestination_types.go        |   29 +-
 .../v1beta1/zz_archive_types.go               |   12 +
 apis/cloudwatchevents/v1beta1/zz_bus_types.go |    6 +
 .../v1beta1/zz_buspolicy_types.go             |   15 +-
 .../v1beta1/zz_connection_types.go            |  110 +-
 .../v1beta1/zz_generated.deepcopy.go          |  851 +-
 .../v1beta1/zz_permission_types.go            |   38 +-
 .../cloudwatchevents/v1beta1/zz_rule_types.go |   21 +
 .../v1beta1/zz_target_types.go                |  187 +-
 .../v1beta1/zz_definition_types.go            |   23 +-
 .../v1beta1/zz_destination_types.go           |    9 +
 .../v1beta1/zz_destinationpolicy_types.go     |   16 +-
 .../v1beta1/zz_generated.deepcopy.go          |  188 +
 apis/cloudwatchlogs/v1beta1/zz_group_types.go |   15 +
 .../v1beta1/zz_metricfilter_types.go          |   42 +-
 .../v1beta1/zz_resourcepolicy_types.go        |   12 +-
 .../cloudwatchlogs/v1beta1/zz_stream_types.go |   15 +-
 .../v1beta1/zz_subscriptionfilter_types.go    |   38 +-
 .../v1beta1/zz_approvalruletemplate_types.go  |   15 +-
 ...z_approvalruletemplateassociation_types.go |    6 +
 .../v1beta1/zz_generated.deepcopy.go          |   94 +
 .../codecommit/v1beta1/zz_repository_types.go |    9 +
 apis/codecommit/v1beta1/zz_trigger_types.go   |   29 +-
 .../v1beta1/zz_codepipeline_types.go          |   86 +-
 .../v1beta1/zz_customactiontype_types.go      |   98 +-
 .../v1beta1/zz_generated.deepcopy.go          |  352 +
 apis/codepipeline/v1beta1/zz_webhook_types.go |   46 +-
 .../v1beta1/zz_connection_types.go            |   21 +-
 .../v1beta1/zz_generated.deepcopy.go          |   84 +
 .../v1beta1/zz_host_types.go                  |   43 +-
 .../v1beta1/zz_generated.deepcopy.go          |   56 +
 .../v1beta1/zz_notificationrule_types.go      |   45 +-
 ...oidentitypoolproviderprincipaltag_types.go |   12 +
 .../v1beta1/zz_generated.deepcopy.go          |  193 +
 apis/cognitoidentity/v1beta1/zz_pool_types.go |   46 +-
 .../v1beta1/zz_poolrolesattachment_types.go   |   42 +-
 .../v1beta1/zz_generated.deepcopy.go          | 1203 ++-
 .../v1beta1/zz_identityprovider_types.go      |   38 +-
 .../v1beta1/zz_resourceserver_types.go        |   31 +-
 .../v1beta1/zz_riskconfiguration_types.go     |  108 +
 apis/cognitoidp/v1beta1/zz_user_types.go      |   25 +
 apis/cognitoidp/v1beta1/zz_usergroup_types.go |   25 +-
 .../v1beta1/zz_useringroup_types.go           |   10 +
 apis/cognitoidp/v1beta1/zz_userpool_types.go  |  267 +-
 .../v1beta1/zz_userpoolclient_types.go        |   99 +-
 .../v1beta1/zz_userpooldomain_types.go        |   18 +-
 .../zz_userpooluicustomization_types.go       |   12 +
 ...zz_awsconfigurationrecorderstatus_types.go |   12 +-
 .../v1beta1/zz_configrule_types.go            |   69 +-
 .../zz_configurationaggregator_types.go       |   27 +
 .../v1beta1/zz_configurationrecorder_types.go |   15 +
 .../v1beta1/zz_conformancepack_types.go       |   21 +
 .../v1beta1/zz_deliverychannel_types.go       |   18 +
 .../v1beta1/zz_generated.deepcopy.go          |  400 +
 .../zz_remediationconfiguration_types.go      |   62 +-
 .../v1beta1/zz_botassociation_types.go        |   21 +-
 apis/connect/v1beta1/zz_contactflow_types.go  |   33 +-
 .../v1beta1/zz_contactflowmodule_types.go     |   30 +-
 apis/connect/v1beta1/zz_generated.deepcopy.go |  870 +-
 .../v1beta1/zz_hoursofoperation_types.go      |   58 +-
 apis/connect/v1beta1/zz_instance_types.go     |   49 +-
 .../v1beta1/zz_instancestorageconfig_types.go |   74 +-
 .../zz_lambdafunctionassociation_types.go     |    6 +
 apis/connect/v1beta1/zz_phonenumber_types.go  |   32 +-
 apis/connect/v1beta1/zz_queue_types.go        |   45 +-
 apis/connect/v1beta1/zz_quickconnect_types.go |   56 +-
 .../v1beta1/zz_routingprofile_types.go        |   56 +-
 .../v1beta1/zz_securityprofile_types.go       |   24 +-
 apis/connect/v1beta1/zz_user_types.go         |   67 +-
 .../zz_userhierarchystructure_types.go        |   33 +-
 apis/connect/v1beta1/zz_vocabulary_types.go   |   34 +-
 apis/cur/v1beta1/zz_generated.deepcopy.go     |   62 +
 apis/cur/v1beta1/zz_reportdefinition_types.go |   59 +-
 apis/dataexchange/v1beta1/zz_dataset_types.go |   31 +-
 .../v1beta1/zz_generated.deepcopy.go          |   55 +
 .../dataexchange/v1beta1/zz_revision_types.go |    9 +
 .../v1beta1/zz_generated.deepcopy.go          |   25 +
 .../datapipeline/v1beta1/zz_pipeline_types.go |   18 +-
 apis/dax/v1beta1/zz_cluster_types.go          |   68 +-
 apis/dax/v1beta1/zz_generated.deepcopy.go     |  132 +
 apis/dax/v1beta1/zz_parametergroup_types.go   |   12 +
 apis/dax/v1beta1/zz_subnetgroup_types.go      |    6 +
 apis/deploy/v1beta1/zz_app_types.go           |    6 +
 .../v1beta1/zz_deploymentconfig_types.go      |   39 +
 .../v1beta1/zz_deploymentgroup_types.go       |  168 +
 apis/deploy/v1beta1/zz_generated.deepcopy.go  |  454 +
 .../v1beta1/zz_generated.deepcopy.go          |   45 +
 apis/detective/v1beta1/zz_graph_types.go      |    3 +
 .../v1beta1/zz_invitationaccepter_types.go    |    3 +
 apis/detective/v1beta1/zz_member_types.go     |   29 +-
 .../devicefarm/v1beta1/zz_devicepool_types.go |   41 +-
 .../v1beta1/zz_generated.deepcopy.go          |  282 +
 .../v1beta1/zz_instanceprofile_types.go       |   27 +-
 .../v1beta1/zz_networkprofile_types.go        |   48 +-
 apis/devicefarm/v1beta1/zz_project_types.go   |   18 +-
 .../v1beta1/zz_testgridproject_types.go       |   30 +-
 apis/devicefarm/v1beta1/zz_upload_types.go    |   26 +-
 .../directconnect/v1beta1/zz_bgppeer_types.go |   34 +-
 .../v1beta1/zz_connection_types.go            |   42 +-
 .../v1beta1/zz_connectionassociation_types.go |    7 +
 .../directconnect/v1beta1/zz_gateway_types.go |   20 +-
 .../v1beta1/zz_gatewayassociation_types.go    |   21 +
 .../zz_gatewayassociationproposal_types.go    |   12 +
 .../v1beta1/zz_generated.deepcopy.go          |  673 +-
 .../zz_hostedprivatevirtualinterface_types.go |   60 +-
 ...edprivatevirtualinterfaceaccepter_types.go |   12 +
 .../zz_hostedpublicvirtualinterface_types.go  |   65 +-
 ...tedpublicvirtualinterfaceaccepter_types.go |    6 +
 .../zz_hostedtransitvirtualinterface_types.go |   60 +-
 ...edtransitvirtualinterfaceaccepter_types.go |    9 +
 apis/directconnect/v1beta1/zz_lag_types.go    |   40 +-
 .../zz_privatevirtualinterface_types.go       |   64 +-
 .../zz_publicvirtualinterface_types.go        |   60 +-
 .../zz_transitvirtualinterface_types.go       |   61 +-
 apis/dlm/v1beta1/zz_generated.deepcopy.go     |  445 +
 apis/dlm/v1beta1/zz_lifecyclepolicy_types.go  |  215 +-
 apis/dms/v1beta1/zz_certificate_types.go      |    3 +
 apis/dms/v1beta1/zz_endpoint_types.go         |  338 +-
 .../dms/v1beta1/zz_eventsubscription_types.go |   27 +-
 apis/dms/v1beta1/zz_generated.deepcopy.go     | 1118 ++-
 .../v1beta1/zz_replicationinstance_types.go   |   52 +-
 .../zz_replicationsubnetgroup_types.go        |   18 +-
 apis/dms/v1beta1/zz_replicationtask_types.go  |   45 +-
 apis/dms/v1beta1/zz_s3endpoint_types.go       |  149 +-
 apis/docdb/v1beta1/zz_cluster_types.go        |   71 +
 .../docdb/v1beta1/zz_clusterinstance_types.go |   48 +-
 .../v1beta1/zz_clusterparametergroup_types.go |   30 +-
 .../docdb/v1beta1/zz_clustersnapshot_types.go |    3 +
 .../v1beta1/zz_eventsubscription_types.go     |   18 +
 apis/docdb/v1beta1/zz_generated.deepcopy.go   |  373 +
 apis/docdb/v1beta1/zz_globalcluster_types.go  |   30 +-
 apis/docdb/v1beta1/zz_subnetgroup_types.go    |    9 +
 .../v1beta1/zz_conditionalforwarder_types.go  |   19 +-
 apis/ds/v1beta1/zz_directory_types.go         |   62 +-
 apis/ds/v1beta1/zz_generated.deepcopy.go      |  156 +
 apis/ds/v1beta1/zz_shareddirectory_types.go   |   24 +-
 .../v1beta1/zz_contributorinsights_types.go   |    6 +
 .../dynamodb/v1beta1/zz_generated.deepcopy.go |  336 +
 apis/dynamodb/v1beta1/zz_globaltable_types.go |   15 +-
 .../zz_kinesisstreamingdestination_types.go   |    7 +
 apis/dynamodb/v1beta1/zz_table_types.go       |  121 +-
 apis/dynamodb/v1beta1/zz_tableitem_types.go   |   27 +-
 .../dynamodb/v1beta1/zz_tablereplica_types.go |   15 +
 apis/dynamodb/v1beta1/zz_tag_types.go         |   18 +-
 apis/ec2/v1beta1/zz_ami_types.go              |  108 +-
 apis/ec2/v1beta1/zz_amicopy_types.go          |   44 +-
 .../v1beta1/zz_amilaunchpermission_types.go   |   15 +
 .../v1beta1/zz_availabilityzonegroup_types.go |   12 +-
 .../v1beta1/zz_capacityreservation_types.go   |   63 +-
 apis/ec2/v1beta1/zz_carriergateway_types.go   |    6 +
 apis/ec2/v1beta1/zz_customergateway_types.go  |   33 +-
 .../ec2/v1beta1/zz_defaultnetworkacl_types.go |   69 +
 .../ec2/v1beta1/zz_defaultroutetable_types.go |   48 +
 .../v1beta1/zz_defaultsecuritygroup_types.go  |   68 +
 apis/ec2/v1beta1/zz_defaultsubnet_types.go    |   39 +-
 apis/ec2/v1beta1/zz_defaultvpc_types.go       |   28 +
 .../v1beta1/zz_defaultvpcdhcpoptions_types.go |    6 +
 apis/ec2/v1beta1/zz_ebsdefaultkmskey_types.go |    3 +
 .../zz_ebsencryptionbydefault_types.go        |    4 +
 apis/ec2/v1beta1/zz_ebssnapshot_types.go      |   21 +
 apis/ec2/v1beta1/zz_ebssnapshotcopy_types.go  |   36 +-
 .../ec2/v1beta1/zz_ebssnapshotimport_types.go |   69 +-
 apis/ec2/v1beta1/zz_ebsvolume_types.go        |   45 +-
 .../zz_egressonlyinternetgateway_types.go     |    6 +
 apis/ec2/v1beta1/zz_eip_types.go              |   29 +
 apis/ec2/v1beta1/zz_eipassociation_types.go   |   28 +
 apis/ec2/v1beta1/zz_flowlog_types.go          |   54 +
 apis/ec2/v1beta1/zz_generated.deepcopy.go     | 7302 ++++++++++++++++-
 apis/ec2/v1beta1/zz_host_types.go             |   30 +-
 apis/ec2/v1beta1/zz_instance_types.go         |  251 +-
 apis/ec2/v1beta1/zz_instancestate_types.go    |   18 +-
 apis/ec2/v1beta1/zz_internetgateway_types.go  |    6 +
 apis/ec2/v1beta1/zz_keypair_types.go          |   15 +-
 apis/ec2/v1beta1/zz_launchtemplate_types.go   |  456 +
 .../zz_mainroutetableassociation_types.go     |    7 +
 .../ec2/v1beta1/zz_managedprefixlist_types.go |   40 +-
 .../zz_managedprefixlistentry_types.go        |    9 +
 apis/ec2/v1beta1/zz_natgateway_types.go       |   15 +
 apis/ec2/v1beta1/zz_networkacl_types.go       |    9 +
 apis/ec2/v1beta1/zz_networkaclrule_types.go   |   52 +-
 .../zz_networkinsightsanalysis_types.go       |   12 +
 .../v1beta1/zz_networkinsightspath_types.go   |   30 +-
 apis/ec2/v1beta1/zz_networkinterface_types.go |   56 +
 .../zz_networkinterfaceattachment_types.go    |   18 +-
 .../zz_networkinterfacesgattachment_types.go  |    6 +
 apis/ec2/v1beta1/zz_placementgroup_types.go   |   24 +-
 apis/ec2/v1beta1/zz_route_types.go            |   45 +
 apis/ec2/v1beta1/zz_routetable_types.go       |    6 +
 .../v1beta1/zz_routetableassociation_types.go |    9 +
 apis/ec2/v1beta1/zz_securitygroup_types.go    |   16 +
 .../ec2/v1beta1/zz_securitygrouprule_types.go |   58 +-
 .../v1beta1/zz_serialconsoleaccess_types.go   |    4 +
 ...zz_snapshotcreatevolumepermission_types.go |   15 +-
 .../zz_spotdatafeedsubscription_types.go      |   16 +-
 apis/ec2/v1beta1/zz_spotfleetrequest_types.go |  346 +-
 .../v1beta1/zz_spotinstancerequest_types.go   |  202 +-
 apis/ec2/v1beta1/zz_subnet_types.go           |   53 +
 .../v1beta1/zz_subnetcidrreservation_types.go |   26 +-
 apis/ec2/v1beta1/zz_tag_types.go              |   18 +-
 .../v1beta1/zz_trafficmirrorfilter_types.go   |    9 +
 .../zz_trafficmirrorfilterrule_types.go       |   71 +-
 apis/ec2/v1beta1/zz_transitgateway_types.go   |   30 +
 .../v1beta1/zz_transitgatewayconnect_types.go |   18 +
 .../zz_transitgatewayconnectpeer_types.go     |   32 +-
 .../zz_transitgatewaymulticastdomain_types.go |   15 +
 ...gatewaymulticastdomainassociation_types.go |    9 +
 ...ransitgatewaymulticastgroupmember_types.go |   18 +-
 ...ransitgatewaymulticastgroupsource_types.go |   18 +-
 ...z_transitgatewaypeeringattachment_types.go |   24 +-
 ...tgatewaypeeringattachmentaccepter_types.go |    6 +
 .../zz_transitgatewaypolicytable_types.go     |    6 +
 ...transitgatewayprefixlistreference_types.go |   12 +
 .../v1beta1/zz_transitgatewayroute_types.go   |   21 +-
 .../zz_transitgatewayroutetable_types.go      |    6 +
 ...ansitgatewayroutetableassociation_types.go |    6 +
 ...ansitgatewayroutetablepropagation_types.go |    6 +
 .../zz_transitgatewayvpcattachment_types.go   |   27 +
 ...ansitgatewayvpcattachmentaccepter_types.go |   12 +
 apis/ec2/v1beta1/zz_volumeattachment_types.go |   35 +-
 apis/ec2/v1beta1/zz_vpc_types.go              |   48 +
 apis/ec2/v1beta1/zz_vpcdhcpoptions_types.go   |   18 +
 .../zz_vpcdhcpoptionsassociation_types.go     |    6 +
 apis/ec2/v1beta1/zz_vpcendpoint_types.go      |   31 +
 ...vpcendpointconnectionnotification_types.go |   21 +-
 ..._vpcendpointroutetableassociation_types.go |    6 +
 ...cendpointsecuritygroupassociation_types.go |    9 +
 .../v1beta1/zz_vpcendpointservice_types.go    |   27 +-
 ...pcendpointserviceallowedprincipal_types.go |   15 +-
 .../zz_vpcendpointsubnetassociation_types.go  |    6 +
 apis/ec2/v1beta1/zz_vpcipam_types.go          |   24 +-
 apis/ec2/v1beta1/zz_vpcipampool_types.go      |   52 +-
 apis/ec2/v1beta1/zz_vpcipampoolcidr_types.go  |   18 +
 .../zz_vpcipampoolcidrallocation_types.go     |   15 +
 apis/ec2/v1beta1/zz_vpcipamscope_types.go     |    9 +
 .../zz_vpcipv4cidrblockassociation_types.go   |   12 +
 .../v1beta1/zz_vpcpeeringconnection_types.go  |   20 +
 .../zz_vpcpeeringconnectionaccepter_types.go  |   41 +
 .../zz_vpcpeeringconnectionoptions_types.go   |   41 +
 apis/ec2/v1beta1/zz_vpnconnection_types.go    |  174 +
 .../v1beta1/zz_vpnconnectionroute_types.go    |   16 +-
 apis/ec2/v1beta1/zz_vpngateway_types.go       |   12 +
 .../v1beta1/zz_vpngatewayattachment_types.go  |    6 +
 .../zz_vpngatewayroutepropagation_types.go    |    6 +
 apis/ecr/v1beta1/zz_generated.deepcopy.go     |  171 +
 apis/ecr/v1beta1/zz_lifecyclepolicy_types.go  |   15 +-
 .../v1beta1/zz_pullthroughcacherule_types.go  |   21 +-
 apis/ecr/v1beta1/zz_registrypolicy_types.go   |   12 +-
 .../zz_registryscanningconfiguration_types.go |   24 +-
 .../zz_replicationconfiguration_types.go      |   24 +
 apis/ecr/v1beta1/zz_repository_types.go       |   25 +
 apis/ecr/v1beta1/zz_repositorypolicy_types.go |   15 +-
 .../v1beta1/zz_generated.deepcopy.go          |   79 +
 apis/ecrpublic/v1beta1/zz_repository_types.go |   26 +
 .../v1beta1/zz_repositorypolicy_types.go      |   15 +-
 .../v1beta1/zz_accountsettingdefault_types.go |   20 +-
 apis/ecs/v1beta1/zz_capacityprovider_types.go |   39 +-
 apis/ecs/v1beta1/zz_cluster_types.go          |   60 +
 .../zz_clustercapacityproviders_types.go      |   18 +
 apis/ecs/v1beta1/zz_generated.deepcopy.go     | 1086 ++-
 apis/ecs/v1beta1/zz_service_types.go          |  199 +
 apis/ecs/v1beta1/zz_taskdefinition_types.go   |  165 +-
 apis/efs/v1beta1/zz_accesspoint_types.go      |   36 +
 apis/efs/v1beta1/zz_backuppolicy_types.go     |   18 +-
 apis/efs/v1beta1/zz_filesystem_types.go       |   36 +
 apis/efs/v1beta1/zz_filesystempolicy_types.go |   18 +-
 apis/efs/v1beta1/zz_generated.deepcopy.go     |  227 +
 apis/efs/v1beta1/zz_mounttarget_types.go      |   14 +
 .../zz_replicationconfiguration_types.go      |   22 +-
 apis/eks/v1beta1/zz_addon_types.go            |   42 +-
 apis/eks/v1beta1/zz_cluster_types.go          |   72 +-
 apis/eks/v1beta1/zz_fargateprofile_types.go   |   30 +-
 apis/eks/v1beta1/zz_generated.deepcopy.go     |  555 +-
 .../zz_identityproviderconfig_types.go        |   39 +-
 apis/eks/v1beta1/zz_nodegroup_types.go        |   98 +-
 apis/elasticache/v1beta1/zz_cluster_types.go  |  105 +
 .../v1beta1/zz_generated.deepcopy.go          |  688 +-
 .../v1beta1/zz_parametergroup_types.go        |   35 +-
 .../v1beta1/zz_replicationgroup_types.go      |  138 +
 .../v1beta1/zz_subnetgroup_types.go           |    9 +
 apis/elasticache/v1beta1/zz_user_types.go     |   38 +-
 .../elasticache/v1beta1/zz_usergroup_types.go |   21 +-
 .../v1beta1/zz_application_types.go           |   19 +
 .../v1beta1/zz_applicationversion_types.go    |   27 +-
 .../v1beta1/zz_configurationtemplate_types.go |   31 +
 .../v1beta1/zz_generated.deepcopy.go          |  134 +
 apis/elasticsearch/v1beta1/zz_domain_types.go |  190 +-
 .../v1beta1/zz_domainpolicy_types.go          |   16 +-
 .../v1beta1/zz_domainsamloptions_types.go     |   27 +
 .../v1beta1/zz_generated.deepcopy.go          |  436 +
 .../v1beta1/zz_generated.deepcopy.go          |  412 +
 .../v1beta1/zz_pipeline_types.go              |   72 +
 .../v1beta1/zz_preset_types.go                |  158 +-
 .../zz_appcookiestickinesspolicy_types.go     |   21 +-
 apis/elb/v1beta1/zz_attachment_types.go       |    7 +
 .../v1beta1/zz_backendserverpolicy_types.go   |   18 +-
 apis/elb/v1beta1/zz_elb_types.go              |  103 +-
 apis/elb/v1beta1/zz_generated.deepcopy.go     |  382 +
 .../zz_lbcookiestickinesspolicy_types.go      |   30 +-
 .../zz_lbsslnegotiationpolicy_types.go        |   38 +-
 apis/elb/v1beta1/zz_listenerpolicy_types.go   |   21 +-
 apis/elb/v1beta1/zz_policy_types.go           |   29 +-
 .../v1beta1/zz_proxyprotocolpolicy_types.go   |   17 +-
 apis/elbv2/v1beta1/zz_generated.deepcopy.go   | 1026 +++
 apis/elbv2/v1beta1/zz_lb_types.go             |   76 +-
 apis/elbv2/v1beta1/zz_lblistener_types.go     |  156 +-
 apis/elbv2/v1beta1/zz_lblistenerrule_types.go |  193 +-
 apis/elbv2/v1beta1/zz_lbtargetgroup_types.go  |  108 +-
 .../zz_lbtargetgroupattachment_types.go       |   21 +-
 apis/emr/v1beta1/zz_generated.deepcopy.go     |    5 +
 .../v1beta1/zz_securityconfiguration_types.go |   12 +-
 .../v1beta1/zz_application_types.go           |   94 +-
 .../v1beta1/zz_generated.deepcopy.go          |  161 +
 apis/evidently/v1beta1/zz_feature_types.go    |   48 +-
 .../v1beta1/zz_generated.deepcopy.go          |  175 +
 apis/evidently/v1beta1/zz_project_types.go    |   36 +-
 apis/evidently/v1beta1/zz_segment_types.go    |   18 +-
 .../v1beta1/zz_deliverystream_types.go        |  627 +-
 .../firehose/v1beta1/zz_generated.deepcopy.go | 1231 ++-
 .../v1beta1/zz_experimenttemplate_types.go    |  103 +-
 apis/fis/v1beta1/zz_generated.deepcopy.go     |  182 +
 apis/fsx/v1beta1/zz_backup_types.go           |    9 +
 .../zz_datarepositoryassociation_types.go     |   51 +-
 apis/fsx/v1beta1/zz_generated.deepcopy.go     |  826 +-
 apis/fsx/v1beta1/zz_lustrefilesystem_types.go |   69 +
 apis/fsx/v1beta1/zz_ontapfilesystem_types.go  |   65 +-
 .../zz_ontapstoragevirtualmachine_types.go    |   45 +-
 .../fsx/v1beta1/zz_windowsfilesystem_types.go |   90 +-
 apis/gamelift/v1beta1/zz_alias_types.go       |   35 +-
 apis/gamelift/v1beta1/zz_build_types.go       |   46 +-
 apis/gamelift/v1beta1/zz_fleet_types.go       |   95 +-
 .../v1beta1/zz_gamesessionqueue_types.go      |   21 +
 .../gamelift/v1beta1/zz_generated.deepcopy.go |  375 +
 apis/gamelift/v1beta1/zz_script_types.go      |   36 +-
 apis/glacier/v1beta1/zz_generated.deepcopy.go |   63 +
 apis/glacier/v1beta1/zz_vault_types.go        |   16 +
 apis/glacier/v1beta1/zz_vaultlock_types.go    |   26 +-
 .../v1beta1/zz_accelerator_types.go           |   36 +-
 .../v1beta1/zz_endpointgroup_types.go         |   45 +
 .../v1beta1/zz_generated.deepcopy.go          |  174 +
 .../v1beta1/zz_listener_types.go              |   32 +-
 apis/glue/v1beta1/zz_catalogdatabase_types.go |   33 +
 apis/glue/v1beta1/zz_catalogtable_types.go    |  155 +-
 apis/glue/v1beta1/zz_classifier_types.go      |   54 +
 apis/glue/v1beta1/zz_connection_types.go      |   27 +
 apis/glue/v1beta1/zz_crawler_types.go         |  145 +
 .../zz_datacatalogencryptionsettings_types.go |   33 +-
 apis/glue/v1beta1/zz_generated.deepcopy.go    | 1523 +++-
 apis/glue/v1beta1/zz_job_types.go             |   75 +-
 apis/glue/v1beta1/zz_registry_types.go        |    6 +
 apis/glue/v1beta1/zz_resourcepolicy_types.go  |   16 +-
 apis/glue/v1beta1/zz_schema_types.go          |   45 +-
 .../v1beta1/zz_securityconfiguration_types.go |   36 +-
 apis/glue/v1beta1/zz_trigger_types.go         |   92 +-
 .../v1beta1/zz_userdefinedfunction_types.go   |   43 +-
 apis/glue/v1beta1/zz_workflow_types.go        |   12 +
 apis/grafana/v1beta1/zz_generated.deepcopy.go |  273 +
 .../v1beta1/zz_licenseassociation_types.go    |   15 +-
 .../v1beta1/zz_roleassociation_types.go       |   22 +-
 apis/grafana/v1beta1/zz_workspace_types.go    |   67 +-
 .../v1beta1/zz_workspaceapikey_types.go       |   31 +-
 .../zz_workspacesamlconfiguration_types.go    |   49 +-
 apis/guardduty/v1beta1/zz_detector_types.go   |   48 +
 apis/guardduty/v1beta1/zz_filter_types.go     |   59 +-
 .../v1beta1/zz_generated.deepcopy.go          |  215 +
 apis/guardduty/v1beta1/zz_member_types.go     |   27 +-
 apis/iam/v1beta1/zz_accesskey_types.go        |    9 +
 .../v1beta1/zz_accountpasswordpolicy_types.go |   27 +
 apis/iam/v1beta1/zz_generated.deepcopy.go     |  479 ++
 apis/iam/v1beta1/zz_group_types.go            |    3 +
 apis/iam/v1beta1/zz_groupmembership_types.go  |   19 +-
 .../v1beta1/zz_grouppolicyattachment_types.go |    7 +
 apis/iam/v1beta1/zz_instanceprofile_types.go  |    9 +
 .../v1beta1/zz_openidconnectprovider_types.go |   31 +-
 apis/iam/v1beta1/zz_policy_types.go           |   22 +-
 apis/iam/v1beta1/zz_role_types.go             |   30 +-
 .../v1beta1/zz_rolepolicyattachment_types.go  |    6 +
 apis/iam/v1beta1/zz_samlprovider_types.go     |   15 +-
 .../iam/v1beta1/zz_servercertificate_types.go |   28 +-
 .../iam/v1beta1/zz_servicelinkedrole_types.go |   21 +-
 .../zz_servicespecificcredential_types.go     |   18 +-
 .../v1beta1/zz_signingcertificate_types.go    |   23 +-
 apis/iam/v1beta1/zz_user_types.go             |   15 +
 .../v1beta1/zz_usergroupmembership_types.go   |    7 +
 apis/iam/v1beta1/zz_userloginprofile_types.go |   12 +
 .../v1beta1/zz_userpolicyattachment_types.go  |    6 +
 apis/iam/v1beta1/zz_usersshkey_types.go       |   26 +-
 apis/iam/v1beta1/zz_virtualmfadevice_types.go |   18 +-
 .../v1beta1/zz_component_types.go             |   52 +-
 .../v1beta1/zz_containerrecipe_types.go       |  133 +-
 .../zz_distributionconfiguration_types.go     |  125 +-
 .../v1beta1/zz_generated.deepcopy.go          |  957 +++
 apis/imagebuilder/v1beta1/zz_image_types.go   |   27 +
 .../v1beta1/zz_imagepipeline_types.go         |   57 +-
 .../v1beta1/zz_imagerecipe_types.go           |  105 +-
 .../zz_infrastructureconfiguration_types.go   |   63 +-
 .../v1beta1/zz_assessmenttarget_types.go      |   15 +-
 .../v1beta1/zz_assessmenttemplate_types.go    |   43 +-
 .../v1beta1/zz_generated.deepcopy.go          |   83 +
 .../v1beta1/zz_resourcegroup_types.go         |   12 +-
 apis/inspector2/v1beta1/zz_enabler_types.go   |   21 +-
 .../v1beta1/zz_generated.deepcopy.go          |   22 +
 apis/iot/v1beta1/zz_certificate_types.go      |   19 +-
 apis/iot/v1beta1/zz_generated.deepcopy.go     | 1493 +++-
 .../v1beta1/zz_indexingconfiguration_types.go |   57 +
 apis/iot/v1beta1/zz_loggingoptions_types.go   |   19 +-
 apis/iot/v1beta1/zz_policy_types.go           |   12 +-
 apis/iot/v1beta1/zz_policyattachment_types.go |    6 +
 .../v1beta1/zz_provisioningtemplate_types.go  |   33 +-
 apis/iot/v1beta1/zz_rolealias_types.go        |   18 +-
 apis/iot/v1beta1/zz_thing_types.go            |    6 +
 apis/iot/v1beta1/zz_thinggroup_types.go       |   18 +
 .../v1beta1/zz_thinggroupmembership_types.go  |   23 +-
 .../zz_thingprincipalattachment_types.go      |    6 +
 apis/iot/v1beta1/zz_thingtype_types.go        |   27 +-
 apis/iot/v1beta1/zz_topicrule_types.go        |  574 +-
 apis/ivs/v1beta1/zz_channel_types.go          |   18 +
 apis/ivs/v1beta1/zz_generated.deepcopy.go     |  101 +
 .../zz_recordingconfiguration_types.go        |   36 +-
 apis/kafka/v1beta1/zz_cluster_types.go        |  182 +-
 apis/kafka/v1beta1/zz_configuration_types.go  |   26 +-
 apis/kafka/v1beta1/zz_generated.deepcopy.go   |  366 +
 apis/kendra/v1beta1/zz_datasource_types.go    |  257 +-
 apis/kendra/v1beta1/zz_experience_types.go    |   42 +-
 apis/kendra/v1beta1/zz_generated.deepcopy.go  |  946 ++-
 apis/kendra/v1beta1/zz_index_types.go         |  126 +-
 .../zz_querysuggestionsblocklist_types.go     |   38 +-
 apis/kendra/v1beta1/zz_thesaurus_types.go     |   38 +-
 .../v1beta1/zz_generated.deepcopy.go          |  185 +
 apis/keyspaces/v1beta1/zz_keyspace_types.go   |    3 +
 apis/keyspaces/v1beta1/zz_table_types.go      |   98 +-
 apis/kinesis/v1beta1/zz_generated.deepcopy.go |   73 +
 apis/kinesis/v1beta1/zz_stream_types.go       |   28 +
 .../v1beta1/zz_streamconsumer_types.go        |   15 +-
 .../v1beta1/zz_application_types.go           |  204 +-
 .../v1beta1/zz_generated.deepcopy.go          |  348 +
 .../v1beta1/zz_application_types.go           |  308 +-
 .../v1beta1/zz_applicationsnapshot_types.go   |    3 +
 .../v1beta1/zz_generated.deepcopy.go          |  596 +-
 .../v1beta1/zz_generated.deepcopy.go          |   40 +
 apis/kinesisvideo/v1beta1/zz_stream_types.go  |   28 +-
 apis/kms/v1beta1/zz_alias_types.go            |    3 +
 apis/kms/v1beta1/zz_ciphertext_types.go       |   13 +-
 apis/kms/v1beta1/zz_externalkey_types.go      |   24 +
 apis/kms/v1beta1/zz_generated.deepcopy.go     |  319 +
 apis/kms/v1beta1/zz_grant_types.go            |   40 +-
 apis/kms/v1beta1/zz_key_types.go              |   40 +
 .../v1beta1/zz_replicaexternalkey_types.go    |   28 +
 apis/kms/v1beta1/zz_replicakey_types.go       |   25 +
 .../v1beta1/zz_datalakesettings_types.go      |   28 +
 .../v1beta1/zz_generated.deepcopy.go          |  298 +
 .../v1beta1/zz_permissions_types.go           |  114 +-
 .../v1beta1/zz_resource_types.go              |   16 +-
 apis/lambda/v1beta1/zz_alias_types.go         |   24 +-
 .../v1beta1/zz_codesigningconfig_types.go     |   24 +-
 .../v1beta1/zz_eventsourcemapping_types.go    |   96 +
 apis/lambda/v1beta1/zz_function_types.go      |  119 +-
 .../zz_functioneventinvokeconfig_types.go     |   36 +-
 apis/lambda/v1beta1/zz_functionurl_types.go   |   39 +-
 apis/lambda/v1beta1/zz_generated.deepcopy.go  |  939 ++-
 apis/lambda/v1beta1/zz_invocation_types.go    |   22 +-
 apis/lambda/v1beta1/zz_layerversion_types.go  |   42 +-
 .../zz_layerversionpermission_types.go        |   47 +-
 apis/lambda/v1beta1/zz_permission_types.go    |   52 +-
 .../zz_provisionedconcurrencyconfig_types.go  |   28 +-
 apis/lexmodels/v1beta1/zz_bot_types.go        |  108 +-
 apis/lexmodels/v1beta1/zz_botalias_types.go   |   40 +-
 .../v1beta1/zz_generated.deepcopy.go          |  569 ++
 apis/lexmodels/v1beta1/zz_intent_types.go     |  261 +-
 apis/lexmodels/v1beta1/zz_slottype_types.go   |   34 +-
 .../v1beta1/zz_association_types.go           |    6 +
 .../v1beta1/zz_generated.deepcopy.go          |   61 +
 .../v1beta1/zz_licenseconfiguration_types.go  |   35 +-
 apis/lightsail/v1beta1/zz_bucket_types.go     |   15 +-
 .../lightsail/v1beta1/zz_certificate_types.go |    9 +
 .../v1beta1/zz_containerservice_types.go      |   48 +-
 apis/lightsail/v1beta1/zz_disk_types.go       |   23 +-
 .../v1beta1/zz_diskattachment_types.go        |   18 +-
 apis/lightsail/v1beta1/zz_domain_types.go     |   12 +-
 .../lightsail/v1beta1/zz_domainentry_types.go |   21 +-
 .../v1beta1/zz_generated.deepcopy.go          |  409 +
 apis/lightsail/v1beta1/zz_instance_types.go   |   54 +-
 .../v1beta1/zz_instancepublicports_types.go   |   32 +-
 apis/lightsail/v1beta1/zz_keypair_types.go    |   11 +
 apis/lightsail/v1beta1/zz_lb_types.go         |   20 +-
 .../v1beta1/zz_lbattachment_types.go          |    6 +
 .../v1beta1/zz_lbcertificate_types.go         |    9 +
 .../v1beta1/zz_lbstickinesspolicy_types.go    |   20 +-
 apis/lightsail/v1beta1/zz_staticip_types.go   |   12 +-
 .../v1beta1/zz_staticipattachment_types.go    |    6 +
 .../location/v1beta1/zz_generated.deepcopy.go |  127 +
 .../v1beta1/zz_geofencecollection_types.go    |    9 +
 apis/location/v1beta1/zz_placeindex_types.go  |   24 +-
 .../v1beta1/zz_routecalculator_types.go       |   18 +-
 apis/location/v1beta1/zz_tracker_types.go     |   12 +
 .../v1beta1/zz_trackerassociation_types.go    |    7 +
 apis/macie2/v1beta1/zz_account_types.go       |    6 +
 .../v1beta1/zz_classificationjob_types.go     |  212 +-
 .../v1beta1/zz_customdataidentifier_types.go  |   21 +
 .../macie2/v1beta1/zz_findingsfilter_types.go |   59 +-
 apis/macie2/v1beta1/zz_generated.deepcopy.go  |  650 ++
 .../v1beta1/zz_invitationaccepter_types.go    |   12 +-
 apis/macie2/v1beta1/zz_member_types.go        |   35 +-
 .../v1beta1/zz_generated.deepcopy.go          |   52 +
 apis/mediaconvert/v1beta1/zz_queue_types.go   |   24 +
 apis/medialive/v1beta1/zz_channel_types.go    | 1701 +++-
 .../v1beta1/zz_generated.deepcopy.go          | 5679 ++++++++++---
 apis/medialive/v1beta1/zz_input_types.go      |   68 +-
 .../v1beta1/zz_inputsecuritygroup_types.go    |   18 +-
 apis/medialive/v1beta1/zz_multiplex_types.go  |   41 +-
 apis/mediapackage/v1beta1/zz_channel_types.go |   18 +-
 .../v1beta1/zz_generated.deepcopy.go          |   25 +
 apis/mediastore/v1beta1/zz_container_types.go |    3 +
 .../v1beta1/zz_containerpolicy_types.go       |   16 +-
 .../v1beta1/zz_generated.deepcopy.go          |   25 +
 apis/memorydb/v1beta1/zz_acl_types.go         |    6 +
 apis/memorydb/v1beta1/zz_cluster_types.go     |   80 +-
 .../memorydb/v1beta1/zz_generated.deepcopy.go |  256 +
 .../v1beta1/zz_parametergroup_types.go        |   27 +-
 apis/memorydb/v1beta1/zz_snapshot_types.go    |    9 +
 apis/memorydb/v1beta1/zz_subnetgroup_types.go |    9 +
 apis/mq/v1beta1/zz_broker_types.go            |  152 +-
 apis/mq/v1beta1/zz_configuration_types.go     |   45 +-
 apis/mq/v1beta1/zz_generated.deepcopy.go      |  296 +
 apis/neptune/v1beta1/zz_cluster_types.go      |   87 +
 .../v1beta1/zz_clusterendpoint_types.go       |   24 +-
 .../v1beta1/zz_clusterinstance_types.go       |   56 +-
 .../v1beta1/zz_clusterparametergroup_types.go |   30 +-
 .../v1beta1/zz_clustersnapshot_types.go       |    3 +
 .../v1beta1/zz_eventsubscription_types.go     |   18 +
 apis/neptune/v1beta1/zz_generated.deepcopy.go |  538 +-
 .../neptune/v1beta1/zz_globalcluster_types.go |   15 +
 .../v1beta1/zz_parametergroup_types.go        |   30 +-
 apis/neptune/v1beta1/zz_subnetgroup_types.go  |    9 +
 .../v1beta1/zz_firewall_types.go              |   56 +-
 .../v1beta1/zz_firewallpolicy_types.go        |   86 +-
 .../v1beta1/zz_generated.deepcopy.go          |  785 +-
 .../v1beta1/zz_loggingconfiguration_types.go  |   27 +-
 .../v1beta1/zz_rulegroup_types.go             |  230 +-
 .../v1beta1/zz_attachmentaccepter_types.go    |    6 +
 .../v1beta1/zz_connectattachment_types.go     |   25 +-
 .../v1beta1/zz_connection_types.go            |   21 +
 .../v1beta1/zz_corenetwork_types.go           |   18 +
 .../zz_customergatewayassociation_types.go    |   13 +
 .../networkmanager/v1beta1/zz_device_types.go |   45 +
 .../v1beta1/zz_generated.deepcopy.go          |  468 ++
 .../v1beta1/zz_globalnetwork_types.go         |    6 +
 apis/networkmanager/v1beta1/zz_link_types.go  |   36 +-
 .../v1beta1/zz_linkassociation_types.go       |   10 +
 apis/networkmanager/v1beta1/zz_site_types.go  |   21 +
 ...nsitgatewayconnectpeerassociation_types.go |   13 +
 .../zz_transitgatewayregistration_types.go    |    7 +
 .../v1beta1/zz_vpcattachment_types.go         |   21 +
 apis/opensearch/v1beta1/zz_domain_types.go    |  202 +-
 .../v1beta1/zz_domainpolicy_types.go          |   16 +-
 .../v1beta1/zz_domainsamloptions_types.go     |   30 +
 .../v1beta1/zz_generated.deepcopy.go          |  446 +
 apis/opsworks/v1beta1/zz_application_types.go |   92 +-
 apis/opsworks/v1beta1/zz_customlayer_types.go |  190 +-
 .../v1beta1/zz_ecsclusterlayer_types.go       |  140 +
 .../opsworks/v1beta1/zz_ganglialayer_types.go |  155 +-
 .../opsworks/v1beta1/zz_generated.deepcopy.go | 6202 ++++++++++++--
 .../opsworks/v1beta1/zz_haproxylayer_types.go |  164 +-
 apis/opsworks/v1beta1/zz_instance_types.go    |  126 +
 .../opsworks/v1beta1/zz_javaapplayer_types.go |  152 +
 .../v1beta1/zz_memcachedlayer_types.go        |  140 +
 apis/opsworks/v1beta1/zz_mysqllayer_types.go  |  143 +
 .../v1beta1/zz_nodejsapplayer_types.go        |  140 +
 apis/opsworks/v1beta1/zz_permission_types.go  |   15 +
 apis/opsworks/v1beta1/zz_phpapplayer_types.go |  137 +
 .../v1beta1/zz_railsapplayer_types.go         |  155 +
 .../v1beta1/zz_rdsdbinstance_types.go         |   21 +-
 apis/opsworks/v1beta1/zz_stack_types.go       |   91 +-
 .../v1beta1/zz_staticweblayer_types.go        |  136 +
 apis/opsworks/v1beta1/zz_userprofile_types.go |   21 +-
 .../organizations/v1beta1/zz_account_types.go |   35 +-
 .../zz_delegatedadministrator_types.go        |   15 +-
 .../v1beta1/zz_generated.deepcopy.go          |  162 +
 .../v1beta1/zz_organization_types.go          |    9 +
 .../v1beta1/zz_organizationalunit_types.go    |   23 +-
 apis/organizations/v1beta1/zz_policy_types.go |   32 +-
 .../v1beta1/zz_policyattachment_types.go      |   18 +-
 apis/pinpoint/v1beta1/zz_app_types.go         |   42 +
 .../pinpoint/v1beta1/zz_generated.deepcopy.go |  106 +
 apis/pinpoint/v1beta1/zz_smschannel_types.go  |   13 +
 apis/qldb/v1beta1/zz_generated.deepcopy.go    |   87 +
 apis/qldb/v1beta1/zz_ledger_types.go          |   21 +-
 apis/qldb/v1beta1/zz_stream_types.go          |   46 +-
 .../v1beta1/zz_generated.deepcopy.go          |   60 +
 apis/quicksight/v1beta1/zz_group_types.go     |   21 +-
 apis/quicksight/v1beta1/zz_user_types.go      |   43 +-
 apis/ram/v1beta1/zz_generated.deepcopy.go     |   46 +
 .../v1beta1/zz_resourceassociation_types.go   |   15 +-
 apis/ram/v1beta1/zz_resourceshare_types.go    |   21 +-
 apis/rds/v1beta1/zz_cluster_types.go          |  175 +
 .../v1beta1/zz_clusteractivitystream_types.go |   21 +-
 apis/rds/v1beta1/zz_clusterendpoint_types.go  |   24 +-
 apis/rds/v1beta1/zz_clusterinstance_types.go  |   82 +-
 .../v1beta1/zz_clusterparametergroup_types.go |   32 +-
 .../zz_clusterroleassociation_types.go        |   18 +-
 apis/rds/v1beta1/zz_clustersnapshot_types.go  |   18 +-
 ...stanceautomatedbackupsreplication_types.go |   12 +
 apis/rds/v1beta1/zz_dbsnapshotcopy_types.go   |   36 +-
 .../rds/v1beta1/zz_eventsubscription_types.go |   18 +
 apis/rds/v1beta1/zz_generated.deepcopy.go     | 1665 +++-
 apis/rds/v1beta1/zz_globalcluster_types.go    |   21 +
 apis/rds/v1beta1/zz_instance_types.go         |  293 +-
 .../zz_instanceroleassociation_types.go       |   18 +-
 apis/rds/v1beta1/zz_optiongroup_types.go      |   53 +-
 apis/rds/v1beta1/zz_parametergroup_types.go   |   32 +-
 apis/rds/v1beta1/zz_proxy_types.go            |   64 +-
 .../zz_proxydefaulttargetgroup_types.go       |   21 +
 apis/rds/v1beta1/zz_proxyendpoint_types.go    |   24 +-
 apis/rds/v1beta1/zz_proxytarget_types.go      |   21 +-
 apis/rds/v1beta1/zz_securitygroup_types.go    |   31 +-
 apis/rds/v1beta1/zz_snapshot_types.go         |    6 +
 apis/rds/v1beta1/zz_subnetgroup_types.go      |    9 +
 .../v1beta1/zz_authenticationprofile_types.go |   12 +-
 apis/redshift/v1beta1/zz_cluster_types.go     |  154 +-
 .../v1beta1/zz_eventsubscription_types.go     |   21 +
 .../redshift/v1beta1/zz_generated.deepcopy.go |  667 ++
 .../v1beta1/zz_hsmclientcertificate_types.go  |    3 +
 .../v1beta1/zz_hsmconfiguration_types.go      |   42 +-
 .../v1beta1/zz_parametergroup_types.go        |   35 +-
 .../v1beta1/zz_scheduledaction_types.go       |   65 +-
 .../v1beta1/zz_snapshotcopygrant_types.go     |   18 +-
 .../v1beta1/zz_snapshotschedule_types.go      |   21 +-
 .../zz_snapshotscheduleassociation_types.go   |    7 +
 apis/redshift/v1beta1/zz_subnetgroup_types.go |    9 +
 apis/redshift/v1beta1/zz_usagelimit_types.go  |   40 +-
 .../v1beta1/zz_generated.deepcopy.go          |   72 +
 apis/resourcegroups/v1beta1/zz_group_types.go |   30 +
 .../v1beta1/zz_generated.deepcopy.go          |   62 +
 .../rolesanywhere/v1beta1/zz_profile_types.go |   33 +-
 .../route53/v1beta1/zz_delegationset_types.go |    4 +
 apis/route53/v1beta1/zz_generated.deepcopy.go |  407 +
 apis/route53/v1beta1/zz_healthcheck_types.go  |   73 +-
 .../v1beta1/zz_hostedzonednssec_types.go      |    6 +
 apis/route53/v1beta1/zz_record_types.go       |   93 +-
 .../v1beta1/zz_resolverconfig_types.go        |   15 +-
 .../route53/v1beta1/zz_trafficpolicy_types.go |   23 +-
 .../v1beta1/zz_trafficpolicyinstance_types.go |   34 +-
 .../zz_vpcassociationauthorization_types.go   |    9 +
 apis/route53/v1beta1/zz_zone_types.go         |   32 +-
 .../v1beta1/zz_cluster_types.go               |   12 +-
 .../v1beta1/zz_controlpanel_types.go          |   15 +-
 .../v1beta1/zz_generated.deepcopy.go          |  100 +
 .../v1beta1/zz_routingcontrol_types.go        |   18 +-
 .../v1beta1/zz_safetyrule_types.go            |   49 +-
 .../v1beta1/zz_cell_types.go                  |    6 +
 .../v1beta1/zz_generated.deepcopy.go          |  171 +
 .../v1beta1/zz_readinesscheck_types.go        |   15 +-
 .../v1beta1/zz_recoverygroup_types.go         |    6 +
 .../v1beta1/zz_resourceset_types.go           |   60 +-
 .../v1beta1/zz_endpoint_types.go              |   35 +-
 .../v1beta1/zz_generated.deepcopy.go          |  113 +
 apis/route53resolver/v1beta1/zz_rule_types.go |   40 +-
 .../v1beta1/zz_ruleassociation_types.go       |    9 +
 apis/rum/v1beta1/zz_appmonitor_types.go       |   54 +-
 apis/rum/v1beta1/zz_generated.deepcopy.go     |  133 +
 .../v1beta1/zz_metricsdestination_types.go    |   21 +-
 apis/s3/v1beta1/zz_bucket_types.go            |    9 +
 .../zz_bucketaccelerateconfiguration_types.go |   18 +-
 apis/s3/v1beta1/zz_bucketacl_types.go         |   36 +-
 .../zz_bucketanalyticsconfiguration_types.go  |   52 +-
 .../zz_bucketcorsconfiguration_types.go       |   36 +-
 ...etintelligenttieringconfiguration_types.go |   42 +-
 apis/s3/v1beta1/zz_bucketinventory_types.go   |   82 +-
 .../zz_bucketlifecycleconfiguration_types.go  |  114 +-
 apis/s3/v1beta1/zz_bucketlogging_types.go     |   38 +-
 apis/s3/v1beta1/zz_bucketmetric_types.go      |   25 +-
 .../s3/v1beta1/zz_bucketnotification_types.go |   60 +
 apis/s3/v1beta1/zz_bucketobject_types.go      |   81 +-
 .../zz_bucketobjectlockconfiguration_types.go |   24 +
 .../zz_bucketownershipcontrols_types.go       |   18 +-
 apis/s3/v1beta1/zz_bucketpolicy_types.go      |   16 +-
 .../zz_bucketpublicaccessblock_types.go       |   15 +
 ...zz_bucketreplicationconfiguration_types.go |  129 +-
 ...bucketrequestpaymentconfiguration_types.go |   18 +-
 ...serversideencryptionconfiguration_types.go |   30 +-
 apis/s3/v1beta1/zz_bucketversioning_types.go  |   27 +-
 .../zz_bucketwebsiteconfiguration_types.go    |   63 +
 apis/s3/v1beta1/zz_generated.deepcopy.go      | 2244 ++++-
 apis/s3/v1beta1/zz_object_types.go            |   81 +-
 apis/s3/v1beta1/zz_objectcopy_types.go        |  135 +-
 .../s3control/v1beta1/zz_accesspoint_types.go |   45 +-
 .../v1beta1/zz_accesspointpolicy_types.go     |   15 +-
 .../zz_accountpublicaccessblock_types.go      |   15 +
 .../v1beta1/zz_generated.deepcopy.go          |  605 ++
 .../zz_multiregionaccesspoint_types.go        |   39 +-
 .../zz_multiregionaccesspointpolicy_types.go  |   21 +-
 .../zz_objectlambdaaccesspoint_types.go       |   50 +-
 .../zz_objectlambdaaccesspointpolicy_types.go |   18 +-
 .../zz_storagelensconfiguration_types.go      |  167 +-
 apis/sagemaker/v1beta1/zz_app_types.go        |   47 +-
 .../v1beta1/zz_appimageconfig_types.go        |   27 +
 .../v1beta1/zz_coderepository_types.go        |   24 +-
 apis/sagemaker/v1beta1/zz_device_types.go     |   24 +-
 .../sagemaker/v1beta1/zz_devicefleet_types.go |   30 +-
 apis/sagemaker/v1beta1/zz_domain_types.go     |  267 +-
 .../v1beta1/zz_endpointconfiguration_types.go |  168 +-
 .../v1beta1/zz_featuregroup_types.go          |   82 +-
 .../v1beta1/zz_generated.deepcopy.go          | 2330 +++++-
 apis/sagemaker/v1beta1/zz_image_types.go      |   12 +
 .../v1beta1/zz_imageversion_types.go          |   15 +-
 apis/sagemaker/v1beta1/zz_model_types.go      |   83 +
 .../v1beta1/zz_modelpackagegroup_types.go     |    6 +
 .../zz_modelpackagegrouppolicy_types.go       |   14 +-
 .../v1beta1/zz_notebookinstance_types.go      |   58 +-
 ...ookinstancelifecycleconfiguration_types.go |    6 +
 .../zz_servicecatalogportfoliostatus_types.go |   12 +-
 apis/sagemaker/v1beta1/zz_space_types.go      |   81 +-
 .../v1beta1/zz_studiolifecycleconfig_types.go |   23 +-
 .../sagemaker/v1beta1/zz_userprofile_types.go |  165 +-
 apis/sagemaker/v1beta1/zz_workforce_types.go  |   49 +-
 apis/sagemaker/v1beta1/zz_workteam_types.go   |   50 +-
 .../v1beta1/zz_generated.deepcopy.go          |  355 +
 apis/scheduler/v1beta1/zz_schedule_types.go   |  190 +-
 .../v1beta1/zz_schedulegroup_types.go         |    6 +
 apis/schemas/v1beta1/zz_discoverer_types.go   |    9 +
 apis/schemas/v1beta1/zz_generated.deepcopy.go |   85 +
 apis/schemas/v1beta1/zz_registry_types.go     |    6 +
 apis/schemas/v1beta1/zz_schema_types.go       |   37 +-
 .../v1beta1/zz_generated.deepcopy.go          |  103 +
 .../secretsmanager/v1beta1/zz_secret_types.go |   25 +-
 .../v1beta1/zz_secretpolicy_types.go          |   18 +-
 .../v1beta1/zz_secretrotation_types.go        |   21 +-
 .../v1beta1/zz_secretversion_types.go         |    6 +
 .../v1beta1/zz_actiontarget_types.go          |   20 +-
 .../v1beta1/zz_findingaggregator_types.go     |   15 +-
 .../v1beta1/zz_generated.deepcopy.go          | 2083 ++++-
 apis/securityhub/v1beta1/zz_insight_types.go  |  936 ++-
 .../v1beta1/zz_inviteaccepter_types.go        |    3 +
 apis/securityhub/v1beta1/zz_member_types.go   |   23 +-
 .../v1beta1/zz_productsubscription_types.go   |   12 +-
 .../v1beta1/zz_standardssubscription_types.go |   12 +-
 .../v1beta1/zz_cloudformationstack_types.go   |   37 +-
 .../v1beta1/zz_generated.deepcopy.go          |   56 +
 .../zz_budgetresourceassociation_types.go     |    6 +
 .../v1beta1/zz_constraint_types.go            |   32 +-
 .../v1beta1/zz_generated.deepcopy.go          |  364 +
 .../v1beta1/zz_portfolio_types.go             |   26 +-
 .../v1beta1/zz_portfolioshare_types.go        |   35 +-
 .../zz_principalportfolioassociation_types.go |   21 +-
 .../v1beta1/zz_product_types.go               |   75 +-
 .../zz_productportfolioassociation_types.go   |   21 +-
 .../v1beta1/zz_provisioningartifact_types.go  |   30 +
 .../v1beta1/zz_serviceaction_types.go         |   41 +-
 .../v1beta1/zz_tagoption_types.go             |   23 +-
 .../zz_tagoptionresourceassociation_types.go  |    6 +
 .../v1beta1/zz_generated.deepcopy.go          |  188 +
 .../v1beta1/zz_httpnamespace_types.go         |   18 +-
 .../v1beta1/zz_privatednsnamespace_types.go   |   21 +-
 .../v1beta1/zz_publicdnsnamespace_types.go    |   18 +-
 .../v1beta1/zz_service_types.go               |   63 +-
 .../v1beta1/zz_generated.deepcopy.go          |   15 +
 .../v1beta1/zz_servicequota_types.go          |   28 +-
 .../v1beta1/zz_activereceiptruleset_types.go  |   12 +-
 apis/ses/v1beta1/zz_configurationset_types.go |   18 +
 apis/ses/v1beta1/zz_domainidentity_types.go   |   12 +-
 apis/ses/v1beta1/zz_domainmailfrom_types.go   |   18 +-
 apis/ses/v1beta1/zz_emailidentity_types.go    |   12 +-
 apis/ses/v1beta1/zz_eventdestination_types.go |   45 +-
 apis/ses/v1beta1/zz_generated.deepcopy.go     |  426 +
 .../zz_identitynotificationtopic_types.go     |   21 +-
 apis/ses/v1beta1/zz_identitypolicy_types.go   |   23 +-
 apis/ses/v1beta1/zz_receiptfilter_types.go    |   20 +-
 apis/ses/v1beta1/zz_receiptrule_types.go      |  137 +-
 apis/ses/v1beta1/zz_receiptruleset_types.go   |   12 +-
 apis/ses/v1beta1/zz_template_types.go         |    9 +
 .../v1beta1/zz_configurationset_types.go      |   34 +-
 ..._configurationseteventdestination_types.go |   63 +-
 .../sesv2/v1beta1/zz_dedicatedippool_types.go |    6 +
 apis/sesv2/v1beta1/zz_emailidentity_types.go  |   16 +-
 ...z_emailidentityfeedbackattributes_types.go |    4 +
 ...z_emailidentitymailfromattributes_types.go |    7 +
 apis/sesv2/v1beta1/zz_generated.deepcopy.go   |  252 +
 apis/sfn/v1beta1/zz_activity_types.go         |    3 +
 apis/sfn/v1beta1/zz_generated.deepcopy.go     |   79 +
 apis/sfn/v1beta1/zz_statemachine_types.go     |   39 +-
 apis/signer/v1beta1/zz_generated.deepcopy.go  |  130 +
 apis/signer/v1beta1/zz_signingjob_types.go    |   47 +-
 .../signer/v1beta1/zz_signingprofile_types.go |   21 +-
 .../zz_signingprofilepermission_types.go      |   33 +-
 apis/sns/v1beta1/zz_generated.deepcopy.go     |  275 +
 .../v1beta1/zz_platformapplication_types.go   |   42 +-
 apis/sns/v1beta1/zz_smspreferences_types.go   |   19 +
 apis/sns/v1beta1/zz_topic_types.go            |   72 +
 apis/sns/v1beta1/zz_topicpolicy_types.go      |   16 +-
 .../sns/v1beta1/zz_topicsubscription_types.go |   42 +-
 apis/sqs/v1beta1/zz_generated.deepcopy.go     |  125 +
 apis/sqs/v1beta1/zz_queue_types.go            |   51 +
 apis/sqs/v1beta1/zz_queuepolicy_types.go      |   15 +-
 .../zz_queueredriveallowpolicy_types.go       |   15 +-
 .../v1beta1/zz_queueredrivepolicy_types.go    |   15 +-
 apis/ssm/v1beta1/zz_activation_types.go       |   18 +
 apis/ssm/v1beta1/zz_association_types.go      |   57 +
 .../v1beta1/zz_defaultpatchbaseline_types.go  |   23 +
 apis/ssm/v1beta1/zz_document_types.go         |   47 +-
 apis/ssm/v1beta1/zz_generated.deepcopy.go     |  929 ++-
 .../ssm/v1beta1/zz_maintenancewindow_types.go |   60 +-
 .../zz_maintenancewindowtarget_types.go       |   36 +-
 .../v1beta1/zz_maintenancewindowtask_types.go |  136 +-
 apis/ssm/v1beta1/zz_parameter_types.go        |   40 +-
 apis/ssm/v1beta1/zz_patchbaseline_types.go    |  116 +-
 apis/ssm/v1beta1/zz_patchgroup_types.go       |   15 +-
 apis/ssm/v1beta1/zz_resourcedatasync_types.go |   27 +-
 apis/ssm/v1beta1/zz_servicesetting_types.go   |   20 +-
 .../v1beta1/zz_accountassignment_types.go     |   18 +
 .../ssoadmin/v1beta1/zz_generated.deepcopy.go |  100 +
 .../zz_managedpolicyattachment_types.go       |    9 +
 .../v1beta1/zz_permissionset_types.go         |   32 +-
 .../zz_permissionsetinlinepolicy_types.go     |   18 +-
 apis/swf/v1beta1/zz_domain_types.go           |   18 +-
 apis/swf/v1beta1/zz_generated.deepcopy.go     |   25 +
 .../v1beta1/zz_database_types.go              |    6 +
 .../v1beta1/zz_generated.deepcopy.go          |  108 +
 .../timestreamwrite/v1beta1/zz_table_types.go |   42 +
 .../v1beta1/zz_generated.deepcopy.go          |  119 +
 .../v1beta1/zz_languagemodel_types.go         |   40 +-
 .../transcribe/v1beta1/zz_vocabulary_types.go |   21 +-
 .../v1beta1/zz_vocabularyfilter_types.go      |   21 +-
 .../transfer/v1beta1/zz_generated.deepcopy.go |  596 ++
 apis/transfer/v1beta1/zz_server_types.go      |   69 +
 apis/transfer/v1beta1/zz_sshkey_types.go      |   19 +-
 apis/transfer/v1beta1/zz_tag_types.go         |   23 +-
 apis/transfer/v1beta1/zz_user_types.go        |   39 +
 apis/transfer/v1beta1/zz_workflow_types.go    |  177 +-
 apis/vpc/v1beta1/zz_generated.deepcopy.go     |   20 +
 ...workperformancemetricsubscription_types.go |   27 +-
 apis/waf/v1beta1/zz_bytematchset_types.go     |   49 +-
 apis/waf/v1beta1/zz_generated.deepcopy.go     |  478 ++
 apis/waf/v1beta1/zz_geomatchset_types.go      |   23 +-
 apis/waf/v1beta1/zz_ipset_types.go            |   21 +-
 apis/waf/v1beta1/zz_ratebasedrule_types.go    |   54 +-
 apis/waf/v1beta1/zz_regexmatchset_types.go    |   37 +-
 apis/waf/v1beta1/zz_regexpatternset_types.go  |   15 +-
 apis/waf/v1beta1/zz_rule_types.go             |   38 +-
 .../waf/v1beta1/zz_sizeconstraintset_types.go |   45 +-
 .../v1beta1/zz_sqlinjectionmatchset_types.go  |   35 +-
 apis/waf/v1beta1/zz_webacl_types.go           |   78 +-
 apis/waf/v1beta1/zz_xssmatchset_types.go      |   35 +-
 .../v1beta1/zz_bytematchset_types.go          |   33 +-
 .../v1beta1/zz_generated.deepcopy.go          |  478 ++
 .../v1beta1/zz_geomatchset_types.go           |   23 +-
 apis/wafregional/v1beta1/zz_ipset_types.go    |   21 +-
 .../v1beta1/zz_ratebasedrule_types.go         |   54 +-
 .../v1beta1/zz_regexmatchset_types.go         |   37 +-
 .../v1beta1/zz_regexpatternset_types.go       |   15 +-
 apis/wafregional/v1beta1/zz_rule_types.go     |   35 +-
 .../v1beta1/zz_sizeconstraintset_types.go     |   45 +-
 .../v1beta1/zz_sqlinjectionmatchset_types.go  |   35 +-
 apis/wafregional/v1beta1/zz_webacl_types.go   |   77 +-
 .../v1beta1/zz_xssmatchset_types.go           |   27 +-
 apis/wafv2/v1beta1/zz_generated.deepcopy.go   |   88 +
 apis/wafv2/v1beta1/zz_ipset_types.go          |   37 +-
 .../wafv2/v1beta1/zz_regexpatternset_types.go |   32 +-
 apis/workspaces/v1beta1/zz_directory_types.go |   75 +
 .../v1beta1/zz_generated.deepcopy.go          |  195 +
 apis/workspaces/v1beta1/zz_ipgroup_types.go   |   27 +-
 .../xray/v1beta1/zz_encryptionconfig_types.go |   15 +-
 apis/xray/v1beta1/zz_generated.deepcopy.go    |  132 +
 apis/xray/v1beta1/zz_group_types.go           |   32 +-
 apis/xray/v1beta1/zz_samplingrule_types.go    |   90 +-
 .../accessanalyzer/analyzer/zz_controller.go  |   12 +-
 .../archiverule/zz_controller.go              |   12 +-
 .../account/alternatecontact/zz_controller.go |   12 +-
 .../acm/certificate/zz_controller.go          |   12 +-
 .../certificatevalidation/zz_controller.go    |   12 +-
 .../acmpca/certificate/zz_controller.go       |   12 +-
 .../certificateauthority/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../acmpca/permission/zz_controller.go        |   12 +-
 .../controller/acmpca/policy/zz_controller.go |   12 +-
 .../alertmanagerdefinition/zz_controller.go   |   12 +-
 .../amp/rulegroupnamespace/zz_controller.go   |   12 +-
 .../controller/amp/workspace/zz_controller.go |   12 +-
 .../controller/amplify/app/zz_controller.go   |   12 +-
 .../backendenvironment/zz_controller.go       |   12 +-
 .../amplify/branch/zz_controller.go           |   12 +-
 .../amplify/webhook/zz_controller.go          |   12 +-
 .../apigateway/account/zz_controller.go       |   12 +-
 .../apigateway/apikey/zz_controller.go        |   12 +-
 .../apigateway/authorizer/zz_controller.go    |   12 +-
 .../basepathmapping/zz_controller.go          |   12 +-
 .../clientcertificate/zz_controller.go        |   12 +-
 .../apigateway/deployment/zz_controller.go    |   12 +-
 .../documentationpart/zz_controller.go        |   12 +-
 .../documentationversion/zz_controller.go     |   12 +-
 .../apigateway/domainname/zz_controller.go    |   12 +-
 .../gatewayresponse/zz_controller.go          |   12 +-
 .../apigateway/integration/zz_controller.go   |   12 +-
 .../integrationresponse/zz_controller.go      |   12 +-
 .../apigateway/method/zz_controller.go        |   12 +-
 .../methodresponse/zz_controller.go           |   12 +-
 .../methodsettings/zz_controller.go           |   12 +-
 .../apigateway/model/zz_controller.go         |   12 +-
 .../requestvalidator/zz_controller.go         |   12 +-
 .../apigateway/resource/zz_controller.go      |   12 +-
 .../apigateway/restapi/zz_controller.go       |   12 +-
 .../apigateway/restapipolicy/zz_controller.go |   12 +-
 .../apigateway/stage/zz_controller.go         |   12 +-
 .../apigateway/usageplan/zz_controller.go     |   12 +-
 .../apigateway/usageplankey/zz_controller.go  |   12 +-
 .../apigateway/vpclink/zz_controller.go       |   12 +-
 .../apigatewayv2/api/zz_controller.go         |   12 +-
 .../apigatewayv2/apimapping/zz_controller.go  |   12 +-
 .../apigatewayv2/authorizer/zz_controller.go  |   12 +-
 .../apigatewayv2/deployment/zz_controller.go  |   12 +-
 .../apigatewayv2/domainname/zz_controller.go  |   12 +-
 .../apigatewayv2/integration/zz_controller.go |   12 +-
 .../integrationresponse/zz_controller.go      |   12 +-
 .../apigatewayv2/model/zz_controller.go       |   12 +-
 .../apigatewayv2/route/zz_controller.go       |   12 +-
 .../routeresponse/zz_controller.go            |   12 +-
 .../apigatewayv2/stage/zz_controller.go       |   12 +-
 .../apigatewayv2/vpclink/zz_controller.go     |   12 +-
 .../appautoscaling/policy/zz_controller.go    |   12 +-
 .../scheduledaction/zz_controller.go          |   12 +-
 .../appautoscaling/target/zz_controller.go    |   12 +-
 .../appconfig/application/zz_controller.go    |   12 +-
 .../configurationprofile/zz_controller.go     |   12 +-
 .../appconfig/deployment/zz_controller.go     |   12 +-
 .../deploymentstrategy/zz_controller.go       |   12 +-
 .../appconfig/environment/zz_controller.go    |   12 +-
 .../appconfig/extension/zz_controller.go      |   12 +-
 .../extensionassociation/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/appflow/flow/zz_controller.go  |   12 +-
 .../eventintegration/zz_controller.go         |   12 +-
 .../application/zz_controller.go              |   12 +-
 .../appmesh/gatewayroute/zz_controller.go     |   12 +-
 .../controller/appmesh/mesh/zz_controller.go  |   12 +-
 .../controller/appmesh/route/zz_controller.go |   12 +-
 .../appmesh/virtualgateway/zz_controller.go   |   12 +-
 .../appmesh/virtualnode/zz_controller.go      |   12 +-
 .../appmesh/virtualrouter/zz_controller.go    |   12 +-
 .../appmesh/virtualservice/zz_controller.go   |   12 +-
 .../zz_controller.go                          |   12 +-
 .../apprunner/connection/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../apprunner/service/zz_controller.go        |   12 +-
 .../apprunner/vpcconnector/zz_controller.go   |   12 +-
 .../directoryconfig/zz_controller.go          |   12 +-
 .../appstream/fleet/zz_controller.go          |   12 +-
 .../fleetstackassociation/zz_controller.go    |   12 +-
 .../appstream/imagebuilder/zz_controller.go   |   12 +-
 .../appstream/stack/zz_controller.go          |   12 +-
 .../appstream/user/zz_controller.go           |   12 +-
 .../userstackassociation/zz_controller.go     |   12 +-
 .../appsync/apicache/zz_controller.go         |   12 +-
 .../appsync/apikey/zz_controller.go           |   12 +-
 .../appsync/datasource/zz_controller.go       |   12 +-
 .../appsync/function/zz_controller.go         |   12 +-
 .../appsync/graphqlapi/zz_controller.go       |   12 +-
 .../appsync/resolver/zz_controller.go         |   12 +-
 .../athena/database/zz_controller.go          |   12 +-
 .../athena/datacatalog/zz_controller.go       |   12 +-
 .../athena/namedquery/zz_controller.go        |   12 +-
 .../athena/workgroup/zz_controller.go         |   12 +-
 .../autoscaling/attachment/zz_controller.go   |   12 +-
 .../autoscalinggroup/zz_controller.go         |   12 +-
 .../autoscaling/grouptag/zz_controller.go     |   12 +-
 .../launchconfiguration/zz_controller.go      |   12 +-
 .../lifecyclehook/zz_controller.go            |   12 +-
 .../autoscaling/notification/zz_controller.go |   12 +-
 .../autoscaling/policy/zz_controller.go       |   12 +-
 .../autoscaling/schedule/zz_controller.go     |   12 +-
 .../scalingplan/zz_controller.go              |   12 +-
 .../backup/framework/zz_controller.go         |   12 +-
 .../backup/globalsettings/zz_controller.go    |   12 +-
 .../controller/backup/plan/zz_controller.go   |   12 +-
 .../backup/regionsettings/zz_controller.go    |   12 +-
 .../backup/reportplan/zz_controller.go        |   12 +-
 .../backup/selection/zz_controller.go         |   12 +-
 .../controller/backup/vault/zz_controller.go  |   12 +-
 .../vaultlockconfiguration/zz_controller.go   |   12 +-
 .../vaultnotifications/zz_controller.go       |   12 +-
 .../backup/vaultpolicy/zz_controller.go       |   12 +-
 .../batch/schedulingpolicy/zz_controller.go   |   12 +-
 .../budgets/budget/zz_controller.go           |   12 +-
 .../budgets/budgetaction/zz_controller.go     |   12 +-
 .../ce/anomalymonitor/zz_controller.go        |   12 +-
 .../chime/voiceconnector/zz_controller.go     |   12 +-
 .../voiceconnectorgroup/zz_controller.go      |   12 +-
 .../voiceconnectorlogging/zz_controller.go    |   12 +-
 .../zz_controller.go                          |   12 +-
 .../voiceconnectorstreaming/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../cloud9/environmentec2/zz_controller.go    |   12 +-
 .../environmentmembership/zz_controller.go    |   12 +-
 .../cloudcontrol/resource/zz_controller.go    |   12 +-
 .../cloudformation/stack/zz_controller.go     |   12 +-
 .../cloudformation/stackset/zz_controller.go  |   12 +-
 .../cloudfront/cachepolicy/zz_controller.go   |   12 +-
 .../cloudfront/distribution/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../cloudfront/function/zz_controller.go      |   12 +-
 .../cloudfront/keygroup/zz_controller.go      |   12 +-
 .../monitoringsubscription/zz_controller.go   |   12 +-
 .../originaccesscontrol/zz_controller.go      |   12 +-
 .../originaccessidentity/zz_controller.go     |   12 +-
 .../originrequestpolicy/zz_controller.go      |   12 +-
 .../cloudfront/publickey/zz_controller.go     |   12 +-
 .../realtimelogconfig/zz_controller.go        |   12 +-
 .../responseheaderspolicy/zz_controller.go    |   12 +-
 .../cloudsearch/domain/zz_controller.go       |   12 +-
 .../zz_controller.go                          |   12 +-
 .../eventdatastore/zz_controller.go           |   12 +-
 .../cloudtrail/trail/zz_controller.go         |   12 +-
 .../compositealarm/zz_controller.go           |   12 +-
 .../cloudwatch/dashboard/zz_controller.go     |   12 +-
 .../cloudwatch/metricalarm/zz_controller.go   |   12 +-
 .../cloudwatch/metricstream/zz_controller.go  |   12 +-
 .../apidestination/zz_controller.go           |   12 +-
 .../cloudwatchevents/archive/zz_controller.go |   12 +-
 .../cloudwatchevents/bus/zz_controller.go     |   12 +-
 .../buspolicy/zz_controller.go                |   12 +-
 .../connection/zz_controller.go               |   12 +-
 .../permission/zz_controller.go               |   12 +-
 .../cloudwatchevents/rule/zz_controller.go    |   12 +-
 .../cloudwatchevents/target/zz_controller.go  |   12 +-
 .../definition/zz_controller.go               |   12 +-
 .../destination/zz_controller.go              |   12 +-
 .../destinationpolicy/zz_controller.go        |   12 +-
 .../cloudwatchlogs/group/zz_controller.go     |   12 +-
 .../metricfilter/zz_controller.go             |   12 +-
 .../resourcepolicy/zz_controller.go           |   12 +-
 .../cloudwatchlogs/stream/zz_controller.go    |   12 +-
 .../subscriptionfilter/zz_controller.go       |   12 +-
 .../approvalruletemplate/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../codecommit/repository/zz_controller.go    |   12 +-
 .../codecommit/trigger/zz_controller.go       |   12 +-
 .../codepipeline/zz_controller.go             |   12 +-
 .../customactiontype/zz_controller.go         |   12 +-
 .../codepipeline/webhook/zz_controller.go     |   12 +-
 .../connection/zz_controller.go               |   12 +-
 .../codestarconnections/host/zz_controller.go |   12 +-
 .../notificationrule/zz_controller.go         |   12 +-
 .../zz_controller.go                          |   12 +-
 .../cognitoidentity/pool/zz_controller.go     |   12 +-
 .../poolrolesattachment/zz_controller.go      |   12 +-
 .../identityprovider/zz_controller.go         |   12 +-
 .../resourceserver/zz_controller.go           |   12 +-
 .../riskconfiguration/zz_controller.go        |   12 +-
 .../cognitoidp/user/zz_controller.go          |   12 +-
 .../cognitoidp/usergroup/zz_controller.go     |   12 +-
 .../cognitoidp/useringroup/zz_controller.go   |   12 +-
 .../cognitoidp/userpool/zz_controller.go      |   12 +-
 .../userpoolclient/zz_controller.go           |   12 +-
 .../userpooldomain/zz_controller.go           |   12 +-
 .../userpooluicustomization/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../configservice/configrule/zz_controller.go |   12 +-
 .../configurationaggregator/zz_controller.go  |   12 +-
 .../configurationrecorder/zz_controller.go    |   12 +-
 .../conformancepack/zz_controller.go          |   12 +-
 .../deliverychannel/zz_controller.go          |   12 +-
 .../remediationconfiguration/zz_controller.go |   12 +-
 .../connect/botassociation/zz_controller.go   |   12 +-
 .../connect/contactflow/zz_controller.go      |   12 +-
 .../contactflowmodule/zz_controller.go        |   12 +-
 .../connect/hoursofoperation/zz_controller.go |   12 +-
 .../connect/instance/zz_controller.go         |   12 +-
 .../instancestorageconfig/zz_controller.go    |   12 +-
 .../zz_controller.go                          |   12 +-
 .../connect/phonenumber/zz_controller.go      |   12 +-
 .../controller/connect/queue/zz_controller.go |   12 +-
 .../connect/quickconnect/zz_controller.go     |   12 +-
 .../connect/routingprofile/zz_controller.go   |   12 +-
 .../connect/securityprofile/zz_controller.go  |   12 +-
 .../controller/connect/user/zz_controller.go  |   12 +-
 .../userhierarchystructure/zz_controller.go   |   12 +-
 .../connect/vocabulary/zz_controller.go       |   12 +-
 .../cur/reportdefinition/zz_controller.go     |   12 +-
 .../dataexchange/dataset/zz_controller.go     |   12 +-
 .../dataexchange/revision/zz_controller.go    |   12 +-
 .../datapipeline/pipeline/zz_controller.go    |   12 +-
 .../controller/dax/cluster/zz_controller.go   |   12 +-
 .../dax/parametergroup/zz_controller.go       |   12 +-
 .../dax/subnetgroup/zz_controller.go          |   12 +-
 .../controller/deploy/app/zz_controller.go    |   12 +-
 .../deploy/deploymentconfig/zz_controller.go  |   12 +-
 .../deploy/deploymentgroup/zz_controller.go   |   12 +-
 .../detective/graph/zz_controller.go          |   12 +-
 .../invitationaccepter/zz_controller.go       |   12 +-
 .../detective/member/zz_controller.go         |   12 +-
 .../devicefarm/devicepool/zz_controller.go    |   12 +-
 .../instanceprofile/zz_controller.go          |   12 +-
 .../networkprofile/zz_controller.go           |   12 +-
 .../devicefarm/project/zz_controller.go       |   12 +-
 .../testgridproject/zz_controller.go          |   12 +-
 .../devicefarm/upload/zz_controller.go        |   12 +-
 .../directconnect/bgppeer/zz_controller.go    |   12 +-
 .../directconnect/connection/zz_controller.go |   12 +-
 .../connectionassociation/zz_controller.go    |   12 +-
 .../directconnect/gateway/zz_controller.go    |   12 +-
 .../gatewayassociation/zz_controller.go       |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../directconnect/lag/zz_controller.go        |   12 +-
 .../privatevirtualinterface/zz_controller.go  |   12 +-
 .../publicvirtualinterface/zz_controller.go   |   12 +-
 .../transitvirtualinterface/zz_controller.go  |   12 +-
 .../dlm/lifecyclepolicy/zz_controller.go      |   12 +-
 .../dms/certificate/zz_controller.go          |   12 +-
 .../controller/dms/endpoint/zz_controller.go  |   12 +-
 .../dms/eventsubscription/zz_controller.go    |   12 +-
 .../dms/replicationinstance/zz_controller.go  |   12 +-
 .../replicationsubnetgroup/zz_controller.go   |   12 +-
 .../dms/replicationtask/zz_controller.go      |   12 +-
 .../dms/s3endpoint/zz_controller.go           |   12 +-
 .../controller/docdb/cluster/zz_controller.go |   12 +-
 .../docdb/clusterinstance/zz_controller.go    |   12 +-
 .../clusterparametergroup/zz_controller.go    |   12 +-
 .../docdb/clustersnapshot/zz_controller.go    |   12 +-
 .../docdb/eventsubscription/zz_controller.go  |   12 +-
 .../docdb/globalcluster/zz_controller.go      |   12 +-
 .../docdb/subnetgroup/zz_controller.go        |   12 +-
 .../ds/conditionalforwarder/zz_controller.go  |   12 +-
 .../controller/ds/directory/zz_controller.go  |   12 +-
 .../ds/shareddirectory/zz_controller.go       |   12 +-
 .../contributorinsights/zz_controller.go      |   12 +-
 .../dynamodb/globaltable/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../dynamodb/table/zz_controller.go           |   12 +-
 .../dynamodb/tableitem/zz_controller.go       |   12 +-
 .../dynamodb/tablereplica/zz_controller.go    |   12 +-
 .../controller/dynamodb/tag/zz_controller.go  |   12 +-
 internal/controller/ec2/ami/zz_controller.go  |   12 +-
 .../controller/ec2/amicopy/zz_controller.go   |   12 +-
 .../ec2/amilaunchpermission/zz_controller.go  |   12 +-
 .../availabilityzonegroup/zz_controller.go    |   12 +-
 .../ec2/capacityreservation/zz_controller.go  |   12 +-
 .../ec2/carriergateway/zz_controller.go       |   12 +-
 .../ec2/customergateway/zz_controller.go      |   12 +-
 .../ec2/defaultnetworkacl/zz_controller.go    |   12 +-
 .../ec2/defaultroutetable/zz_controller.go    |   12 +-
 .../ec2/defaultsecuritygroup/zz_controller.go |   12 +-
 .../ec2/defaultsubnet/zz_controller.go        |   12 +-
 .../ec2/defaultvpc/zz_controller.go           |   12 +-
 .../defaultvpcdhcpoptions/zz_controller.go    |   12 +-
 .../ec2/ebsdefaultkmskey/zz_controller.go     |   12 +-
 .../ebsencryptionbydefault/zz_controller.go   |   12 +-
 .../ec2/ebssnapshot/zz_controller.go          |   12 +-
 .../ec2/ebssnapshotcopy/zz_controller.go      |   12 +-
 .../ec2/ebssnapshotimport/zz_controller.go    |   12 +-
 .../controller/ec2/ebsvolume/zz_controller.go |   12 +-
 .../zz_controller.go                          |   12 +-
 internal/controller/ec2/eip/zz_controller.go  |   12 +-
 .../ec2/eipassociation/zz_controller.go       |   12 +-
 .../controller/ec2/flowlog/zz_controller.go   |   12 +-
 internal/controller/ec2/host/zz_controller.go |   12 +-
 .../controller/ec2/instance/zz_controller.go  |   12 +-
 .../ec2/instancestate/zz_controller.go        |   12 +-
 .../ec2/internetgateway/zz_controller.go      |   12 +-
 .../controller/ec2/keypair/zz_controller.go   |   12 +-
 .../ec2/launchtemplate/zz_controller.go       |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/managedprefixlist/zz_controller.go    |   12 +-
 .../managedprefixlistentry/zz_controller.go   |   12 +-
 .../ec2/natgateway/zz_controller.go           |   12 +-
 .../ec2/networkacl/zz_controller.go           |   12 +-
 .../ec2/networkaclrule/zz_controller.go       |   12 +-
 .../networkinsightsanalysis/zz_controller.go  |   12 +-
 .../ec2/networkinsightspath/zz_controller.go  |   12 +-
 .../ec2/networkinterface/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/placementgroup/zz_controller.go       |   12 +-
 .../controller/ec2/route/zz_controller.go     |   12 +-
 .../ec2/routetable/zz_controller.go           |   12 +-
 .../routetableassociation/zz_controller.go    |   12 +-
 .../ec2/securitygroup/zz_controller.go        |   12 +-
 .../ec2/securitygrouprule/zz_controller.go    |   12 +-
 .../ec2/serialconsoleaccess/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../spotdatafeedsubscription/zz_controller.go |   12 +-
 .../ec2/spotfleetrequest/zz_controller.go     |   12 +-
 .../ec2/spotinstancerequest/zz_controller.go  |   12 +-
 .../controller/ec2/subnet/zz_controller.go    |   12 +-
 .../subnetcidrreservation/zz_controller.go    |   12 +-
 internal/controller/ec2/tag/zz_controller.go  |   12 +-
 .../ec2/trafficmirrorfilter/zz_controller.go  |   12 +-
 .../trafficmirrorfilterrule/zz_controller.go  |   12 +-
 .../ec2/transitgateway/zz_controller.go       |   12 +-
 .../transitgatewayconnect/zz_controller.go    |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/transitgatewayroute/zz_controller.go  |   12 +-
 .../transitgatewayroutetable/zz_controller.go |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/volumeattachment/zz_controller.go     |   12 +-
 internal/controller/ec2/vpc/zz_controller.go  |   12 +-
 .../ec2/vpcdhcpoptions/zz_controller.go       |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/vpcendpoint/zz_controller.go          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/vpcendpointservice/zz_controller.go   |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/ec2/vpcipam/zz_controller.go   |   12 +-
 .../ec2/vpcipampool/zz_controller.go          |   12 +-
 .../ec2/vpcipampoolcidr/zz_controller.go      |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/vpcipamscope/zz_controller.go         |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/vpcpeeringconnection/zz_controller.go |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ec2/vpnconnection/zz_controller.go        |   12 +-
 .../ec2/vpnconnectionroute/zz_controller.go   |   12 +-
 .../ec2/vpngateway/zz_controller.go           |   12 +-
 .../ec2/vpngatewayattachment/zz_controller.go |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ecr/lifecyclepolicy/zz_controller.go      |   12 +-
 .../ecr/pullthroughcacherule/zz_controller.go |   12 +-
 .../ecr/registrypolicy/zz_controller.go       |   12 +-
 .../zz_controller.go                          |   12 +-
 .../replicationconfiguration/zz_controller.go |   12 +-
 .../ecr/repository/zz_controller.go           |   12 +-
 .../ecr/repositorypolicy/zz_controller.go     |   12 +-
 .../ecrpublic/repository/zz_controller.go     |   12 +-
 .../repositorypolicy/zz_controller.go         |   12 +-
 .../accountsettingdefault/zz_controller.go    |   12 +-
 .../ecs/capacityprovider/zz_controller.go     |   12 +-
 .../controller/ecs/cluster/zz_controller.go   |   12 +-
 .../clustercapacityproviders/zz_controller.go |   12 +-
 .../controller/ecs/service/zz_controller.go   |   12 +-
 .../ecs/taskdefinition/zz_controller.go       |   12 +-
 .../efs/accesspoint/zz_controller.go          |   12 +-
 .../efs/backuppolicy/zz_controller.go         |   12 +-
 .../efs/filesystem/zz_controller.go           |   12 +-
 .../efs/filesystempolicy/zz_controller.go     |   12 +-
 .../efs/mounttarget/zz_controller.go          |   12 +-
 .../replicationconfiguration/zz_controller.go |   12 +-
 .../controller/eks/addon/zz_controller.go     |   12 +-
 .../controller/eks/cluster/zz_controller.go   |   12 +-
 .../eks/fargateprofile/zz_controller.go       |   12 +-
 .../identityproviderconfig/zz_controller.go   |   12 +-
 .../controller/eks/nodegroup/zz_controller.go |   12 +-
 .../elasticache/cluster/zz_controller.go      |   12 +-
 .../parametergroup/zz_controller.go           |   12 +-
 .../replicationgroup/zz_controller.go         |   12 +-
 .../elasticache/subnetgroup/zz_controller.go  |   12 +-
 .../elasticache/user/zz_controller.go         |   12 +-
 .../elasticache/usergroup/zz_controller.go    |   12 +-
 .../application/zz_controller.go              |   12 +-
 .../applicationversion/zz_controller.go       |   12 +-
 .../configurationtemplate/zz_controller.go    |   12 +-
 .../elasticsearch/domain/zz_controller.go     |   12 +-
 .../domainpolicy/zz_controller.go             |   12 +-
 .../domainsamloptions/zz_controller.go        |   12 +-
 .../pipeline/zz_controller.go                 |   12 +-
 .../elastictranscoder/preset/zz_controller.go |   12 +-
 .../zz_controller.go                          |   12 +-
 .../elb/attachment/zz_controller.go           |   12 +-
 .../elb/backendserverpolicy/zz_controller.go  |   12 +-
 internal/controller/elb/elb/zz_controller.go  |   12 +-
 .../lbcookiestickinesspolicy/zz_controller.go |   12 +-
 .../lbsslnegotiationpolicy/zz_controller.go   |   12 +-
 .../elb/listenerpolicy/zz_controller.go       |   12 +-
 .../controller/elb/policy/zz_controller.go    |   12 +-
 .../elb/proxyprotocolpolicy/zz_controller.go  |   12 +-
 internal/controller/elbv2/lb/zz_controller.go |   12 +-
 .../elbv2/lblistener/zz_controller.go         |   12 +-
 .../elbv2/lblistenerrule/zz_controller.go     |   12 +-
 .../elbv2/lbtargetgroup/zz_controller.go      |   12 +-
 .../lbtargetgroupattachment/zz_controller.go  |   12 +-
 .../securityconfiguration/zz_controller.go    |   12 +-
 .../application/zz_controller.go              |   12 +-
 .../evidently/feature/zz_controller.go        |   12 +-
 .../evidently/project/zz_controller.go        |   12 +-
 .../evidently/segment/zz_controller.go        |   12 +-
 .../firehose/deliverystream/zz_controller.go  |   12 +-
 .../fis/experimenttemplate/zz_controller.go   |   12 +-
 .../controller/fsx/backup/zz_controller.go    |   12 +-
 .../zz_controller.go                          |   12 +-
 .../fsx/lustrefilesystem/zz_controller.go     |   12 +-
 .../fsx/ontapfilesystem/zz_controller.go      |   12 +-
 .../zz_controller.go                          |   12 +-
 .../fsx/windowsfilesystem/zz_controller.go    |   12 +-
 .../gamelift/alias/zz_controller.go           |   12 +-
 .../gamelift/build/zz_controller.go           |   12 +-
 .../gamelift/fleet/zz_controller.go           |   12 +-
 .../gamesessionqueue/zz_controller.go         |   12 +-
 .../gamelift/script/zz_controller.go          |   12 +-
 .../controller/glacier/vault/zz_controller.go |   12 +-
 .../glacier/vaultlock/zz_controller.go        |   12 +-
 .../accelerator/zz_controller.go              |   12 +-
 .../endpointgroup/zz_controller.go            |   12 +-
 .../listener/zz_controller.go                 |   12 +-
 .../glue/catalogdatabase/zz_controller.go     |   12 +-
 .../glue/catalogtable/zz_controller.go        |   12 +-
 .../glue/classifier/zz_controller.go          |   12 +-
 .../glue/connection/zz_controller.go          |   12 +-
 .../controller/glue/crawler/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 internal/controller/glue/job/zz_controller.go |   12 +-
 .../controller/glue/registry/zz_controller.go |   12 +-
 .../glue/resourcepolicy/zz_controller.go      |   12 +-
 .../controller/glue/schema/zz_controller.go   |   12 +-
 .../securityconfiguration/zz_controller.go    |   12 +-
 .../controller/glue/trigger/zz_controller.go  |   12 +-
 .../glue/userdefinedfunction/zz_controller.go |   12 +-
 .../controller/glue/workflow/zz_controller.go |   12 +-
 .../licenseassociation/zz_controller.go       |   12 +-
 .../grafana/roleassociation/zz_controller.go  |   12 +-
 .../grafana/workspace/zz_controller.go        |   12 +-
 .../grafana/workspaceapikey/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../guardduty/detector/zz_controller.go       |   12 +-
 .../guardduty/filter/zz_controller.go         |   12 +-
 .../guardduty/member/zz_controller.go         |   12 +-
 .../controller/iam/accesskey/zz_controller.go |   12 +-
 .../iam/accountalias/zz_controller.go         |   12 +-
 .../accountpasswordpolicy/zz_controller.go    |   12 +-
 .../controller/iam/group/zz_controller.go     |   12 +-
 .../iam/groupmembership/zz_controller.go      |   12 +-
 .../grouppolicyattachment/zz_controller.go    |   12 +-
 .../iam/instanceprofile/zz_controller.go      |   12 +-
 .../openidconnectprovider/zz_controller.go    |   12 +-
 .../controller/iam/policy/zz_controller.go    |   12 +-
 internal/controller/iam/role/zz_controller.go |   12 +-
 .../iam/rolepolicyattachment/zz_controller.go |   12 +-
 .../iam/samlprovider/zz_controller.go         |   12 +-
 .../iam/servercertificate/zz_controller.go    |   12 +-
 .../iam/servicelinkedrole/zz_controller.go    |   12 +-
 .../zz_controller.go                          |   12 +-
 .../iam/signingcertificate/zz_controller.go   |   12 +-
 internal/controller/iam/user/zz_controller.go |   12 +-
 .../iam/usergroupmembership/zz_controller.go  |   12 +-
 .../iam/userloginprofile/zz_controller.go     |   12 +-
 .../iam/userpolicyattachment/zz_controller.go |   12 +-
 .../iam/usersshkey/zz_controller.go           |   12 +-
 .../iam/virtualmfadevice/zz_controller.go     |   12 +-
 .../imagebuilder/component/zz_controller.go   |   12 +-
 .../containerrecipe/zz_controller.go          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../imagebuilder/image/zz_controller.go       |   12 +-
 .../imagepipeline/zz_controller.go            |   12 +-
 .../imagebuilder/imagerecipe/zz_controller.go |   12 +-
 .../zz_controller.go                          |   12 +-
 .../assessmenttarget/zz_controller.go         |   12 +-
 .../assessmenttemplate/zz_controller.go       |   12 +-
 .../inspector/resourcegroup/zz_controller.go  |   12 +-
 .../inspector2/enabler/zz_controller.go       |   12 +-
 .../iot/certificate/zz_controller.go          |   12 +-
 .../indexingconfiguration/zz_controller.go    |   12 +-
 .../iot/loggingoptions/zz_controller.go       |   12 +-
 .../controller/iot/policy/zz_controller.go    |   12 +-
 .../iot/policyattachment/zz_controller.go     |   12 +-
 .../iot/provisioningtemplate/zz_controller.go |   12 +-
 .../controller/iot/rolealias/zz_controller.go |   12 +-
 .../controller/iot/thing/zz_controller.go     |   12 +-
 .../iot/thinggroup/zz_controller.go           |   12 +-
 .../iot/thinggroupmembership/zz_controller.go |   12 +-
 .../thingprincipalattachment/zz_controller.go |   12 +-
 .../controller/iot/thingtype/zz_controller.go |   12 +-
 .../controller/iot/topicrule/zz_controller.go |   12 +-
 .../controller/ivs/channel/zz_controller.go   |   12 +-
 .../recordingconfiguration/zz_controller.go   |   12 +-
 .../controller/kafka/cluster/zz_controller.go |   12 +-
 .../kafka/configuration/zz_controller.go      |   12 +-
 .../kendra/datasource/zz_controller.go        |   12 +-
 .../kendra/experience/zz_controller.go        |   12 +-
 .../controller/kendra/index/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../kendra/thesaurus/zz_controller.go         |   12 +-
 .../keyspaces/keyspace/zz_controller.go       |   12 +-
 .../keyspaces/table/zz_controller.go          |   12 +-
 .../kinesis/stream/zz_controller.go           |   12 +-
 .../kinesis/streamconsumer/zz_controller.go   |   12 +-
 .../application/zz_controller.go              |   12 +-
 .../application/zz_controller.go              |   12 +-
 .../applicationsnapshot/zz_controller.go      |   12 +-
 .../kinesisvideo/stream/zz_controller.go      |   12 +-
 .../controller/kms/alias/zz_controller.go     |   12 +-
 .../kms/ciphertext/zz_controller.go           |   12 +-
 .../kms/externalkey/zz_controller.go          |   12 +-
 .../controller/kms/grant/zz_controller.go     |   12 +-
 internal/controller/kms/key/zz_controller.go  |   12 +-
 .../kms/replicaexternalkey/zz_controller.go   |   12 +-
 .../kms/replicakey/zz_controller.go           |   12 +-
 .../datalakesettings/zz_controller.go         |   12 +-
 .../permissions/zz_controller.go              |   12 +-
 .../lakeformation/resource/zz_controller.go   |   12 +-
 .../controller/lambda/alias/zz_controller.go  |   12 +-
 .../lambda/codesigningconfig/zz_controller.go |   12 +-
 .../eventsourcemapping/zz_controller.go       |   12 +-
 .../lambda/function/zz_controller.go          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../lambda/functionurl/zz_controller.go       |   12 +-
 .../lambda/invocation/zz_controller.go        |   12 +-
 .../lambda/layerversion/zz_controller.go      |   12 +-
 .../layerversionpermission/zz_controller.go   |   12 +-
 .../lambda/permission/zz_controller.go        |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/lexmodels/bot/zz_controller.go |   12 +-
 .../lexmodels/botalias/zz_controller.go       |   12 +-
 .../lexmodels/intent/zz_controller.go         |   12 +-
 .../lexmodels/slottype/zz_controller.go       |   12 +-
 .../association/zz_controller.go              |   12 +-
 .../licenseconfiguration/zz_controller.go     |   12 +-
 .../lightsail/bucket/zz_controller.go         |   12 +-
 .../lightsail/certificate/zz_controller.go    |   12 +-
 .../containerservice/zz_controller.go         |   12 +-
 .../lightsail/disk/zz_controller.go           |   12 +-
 .../lightsail/diskattachment/zz_controller.go |   12 +-
 .../lightsail/domain/zz_controller.go         |   12 +-
 .../lightsail/domainentry/zz_controller.go    |   12 +-
 .../lightsail/instance/zz_controller.go       |   12 +-
 .../instancepublicports/zz_controller.go      |   12 +-
 .../lightsail/keypair/zz_controller.go        |   12 +-
 .../controller/lightsail/lb/zz_controller.go  |   12 +-
 .../lightsail/lbattachment/zz_controller.go   |   12 +-
 .../lightsail/lbcertificate/zz_controller.go  |   12 +-
 .../lbstickinesspolicy/zz_controller.go       |   12 +-
 .../lightsail/staticip/zz_controller.go       |   12 +-
 .../staticipattachment/zz_controller.go       |   12 +-
 .../geofencecollection/zz_controller.go       |   12 +-
 .../location/placeindex/zz_controller.go      |   12 +-
 .../location/routecalculator/zz_controller.go |   12 +-
 .../location/tracker/zz_controller.go         |   12 +-
 .../trackerassociation/zz_controller.go       |   12 +-
 .../macie2/account/zz_controller.go           |   12 +-
 .../macie2/classificationjob/zz_controller.go |   12 +-
 .../customdataidentifier/zz_controller.go     |   12 +-
 .../macie2/findingsfilter/zz_controller.go    |   12 +-
 .../invitationaccepter/zz_controller.go       |   12 +-
 .../controller/macie2/member/zz_controller.go |   12 +-
 .../mediaconvert/queue/zz_controller.go       |   12 +-
 .../medialive/channel/zz_controller.go        |   12 +-
 .../medialive/input/zz_controller.go          |   12 +-
 .../inputsecuritygroup/zz_controller.go       |   12 +-
 .../medialive/multiplex/zz_controller.go      |   12 +-
 .../mediapackage/channel/zz_controller.go     |   12 +-
 .../mediastore/container/zz_controller.go     |   12 +-
 .../containerpolicy/zz_controller.go          |   12 +-
 .../controller/memorydb/acl/zz_controller.go  |   12 +-
 .../memorydb/cluster/zz_controller.go         |   12 +-
 .../memorydb/parametergroup/zz_controller.go  |   12 +-
 .../memorydb/snapshot/zz_controller.go        |   12 +-
 .../memorydb/subnetgroup/zz_controller.go     |   12 +-
 .../controller/mq/broker/zz_controller.go     |   12 +-
 .../mq/configuration/zz_controller.go         |   12 +-
 .../neptune/cluster/zz_controller.go          |   12 +-
 .../neptune/clusterendpoint/zz_controller.go  |   12 +-
 .../neptune/clusterinstance/zz_controller.go  |   12 +-
 .../clusterparametergroup/zz_controller.go    |   12 +-
 .../neptune/clustersnapshot/zz_controller.go  |   12 +-
 .../eventsubscription/zz_controller.go        |   12 +-
 .../neptune/globalcluster/zz_controller.go    |   12 +-
 .../neptune/parametergroup/zz_controller.go   |   12 +-
 .../neptune/subnetgroup/zz_controller.go      |   12 +-
 .../networkfirewall/firewall/zz_controller.go |   12 +-
 .../firewallpolicy/zz_controller.go           |   12 +-
 .../loggingconfiguration/zz_controller.go     |   12 +-
 .../rulegroup/zz_controller.go                |   12 +-
 .../attachmentaccepter/zz_controller.go       |   12 +-
 .../connectattachment/zz_controller.go        |   12 +-
 .../connection/zz_controller.go               |   12 +-
 .../corenetwork/zz_controller.go              |   12 +-
 .../zz_controller.go                          |   12 +-
 .../networkmanager/device/zz_controller.go    |   12 +-
 .../globalnetwork/zz_controller.go            |   12 +-
 .../networkmanager/link/zz_controller.go      |   12 +-
 .../linkassociation/zz_controller.go          |   12 +-
 .../networkmanager/site/zz_controller.go      |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../vpcattachment/zz_controller.go            |   12 +-
 .../opensearch/domain/zz_controller.go        |   12 +-
 .../opensearch/domainpolicy/zz_controller.go  |   12 +-
 .../domainsamloptions/zz_controller.go        |   12 +-
 .../opsworks/application/zz_controller.go     |   12 +-
 .../opsworks/customlayer/zz_controller.go     |   12 +-
 .../opsworks/ecsclusterlayer/zz_controller.go |   12 +-
 .../opsworks/ganglialayer/zz_controller.go    |   12 +-
 .../opsworks/haproxylayer/zz_controller.go    |   12 +-
 .../opsworks/instance/zz_controller.go        |   12 +-
 .../opsworks/javaapplayer/zz_controller.go    |   12 +-
 .../opsworks/memcachedlayer/zz_controller.go  |   12 +-
 .../opsworks/mysqllayer/zz_controller.go      |   12 +-
 .../opsworks/nodejsapplayer/zz_controller.go  |   12 +-
 .../opsworks/permission/zz_controller.go      |   12 +-
 .../opsworks/phpapplayer/zz_controller.go     |   12 +-
 .../opsworks/railsapplayer/zz_controller.go   |   12 +-
 .../opsworks/rdsdbinstance/zz_controller.go   |   12 +-
 .../opsworks/stack/zz_controller.go           |   12 +-
 .../opsworks/staticweblayer/zz_controller.go  |   12 +-
 .../opsworks/userprofile/zz_controller.go     |   12 +-
 .../organizations/account/zz_controller.go    |   12 +-
 .../delegatedadministrator/zz_controller.go   |   12 +-
 .../organization/zz_controller.go             |   12 +-
 .../organizationalunit/zz_controller.go       |   12 +-
 .../organizations/policy/zz_controller.go     |   12 +-
 .../policyattachment/zz_controller.go         |   12 +-
 .../controller/pinpoint/app/zz_controller.go  |   12 +-
 .../pinpoint/smschannel/zz_controller.go      |   12 +-
 .../controller/qldb/ledger/zz_controller.go   |   12 +-
 .../controller/qldb/stream/zz_controller.go   |   12 +-
 .../quicksight/group/zz_controller.go         |   12 +-
 .../quicksight/user/zz_controller.go          |   12 +-
 .../ram/resourceassociation/zz_controller.go  |   12 +-
 .../ram/resourceshare/zz_controller.go        |   12 +-
 .../controller/rds/cluster/zz_controller.go   |   12 +-
 .../clusteractivitystream/zz_controller.go    |   12 +-
 .../rds/clusterendpoint/zz_controller.go      |   12 +-
 .../rds/clusterinstance/zz_controller.go      |   12 +-
 .../clusterparametergroup/zz_controller.go    |   12 +-
 .../clusterroleassociation/zz_controller.go   |   12 +-
 .../rds/clustersnapshot/zz_controller.go      |   12 +-
 .../zz_controller.go                          |   12 +-
 .../rds/dbsnapshotcopy/zz_controller.go       |   12 +-
 .../rds/eventsubscription/zz_controller.go    |   12 +-
 .../rds/globalcluster/zz_controller.go        |   12 +-
 .../controller/rds/instance/zz_controller.go  |   12 +-
 .../instanceroleassociation/zz_controller.go  |   12 +-
 .../rds/optiongroup/zz_controller.go          |   12 +-
 .../rds/parametergroup/zz_controller.go       |   12 +-
 .../controller/rds/proxy/zz_controller.go     |   12 +-
 .../proxydefaulttargetgroup/zz_controller.go  |   12 +-
 .../rds/proxyendpoint/zz_controller.go        |   12 +-
 .../rds/proxytarget/zz_controller.go          |   12 +-
 .../rds/securitygroup/zz_controller.go        |   12 +-
 .../controller/rds/snapshot/zz_controller.go  |   12 +-
 .../rds/subnetgroup/zz_controller.go          |   12 +-
 .../authenticationprofile/zz_controller.go    |   12 +-
 .../redshift/cluster/zz_controller.go         |   12 +-
 .../eventsubscription/zz_controller.go        |   12 +-
 .../hsmclientcertificate/zz_controller.go     |   12 +-
 .../hsmconfiguration/zz_controller.go         |   12 +-
 .../redshift/parametergroup/zz_controller.go  |   12 +-
 .../redshift/scheduledaction/zz_controller.go |   12 +-
 .../snapshotcopygrant/zz_controller.go        |   12 +-
 .../snapshotschedule/zz_controller.go         |   12 +-
 .../zz_controller.go                          |   12 +-
 .../redshift/subnetgroup/zz_controller.go     |   12 +-
 .../redshift/usagelimit/zz_controller.go      |   12 +-
 .../resourcegroups/group/zz_controller.go     |   12 +-
 .../rolesanywhere/profile/zz_controller.go    |   12 +-
 .../route53/delegationset/zz_controller.go    |   12 +-
 .../route53/healthcheck/zz_controller.go      |   12 +-
 .../route53/hostedzonednssec/zz_controller.go |   12 +-
 .../route53/record/zz_controller.go           |   12 +-
 .../route53/resolverconfig/zz_controller.go   |   12 +-
 .../route53/trafficpolicy/zz_controller.go    |   12 +-
 .../trafficpolicyinstance/zz_controller.go    |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/route53/zone/zz_controller.go  |   12 +-
 .../cluster/zz_controller.go                  |   12 +-
 .../controlpanel/zz_controller.go             |   12 +-
 .../routingcontrol/zz_controller.go           |   12 +-
 .../safetyrule/zz_controller.go               |   12 +-
 .../cell/zz_controller.go                     |   12 +-
 .../readinesscheck/zz_controller.go           |   12 +-
 .../recoverygroup/zz_controller.go            |   12 +-
 .../resourceset/zz_controller.go              |   12 +-
 .../route53resolver/endpoint/zz_controller.go |   12 +-
 .../route53resolver/rule/zz_controller.go     |   12 +-
 .../ruleassociation/zz_controller.go          |   12 +-
 .../rum/appmonitor/zz_controller.go           |   12 +-
 .../rum/metricsdestination/zz_controller.go   |   12 +-
 .../controller/s3/bucket/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/s3/bucketacl/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../bucketcorsconfiguration/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../s3/bucketinventory/zz_controller.go       |   12 +-
 .../zz_controller.go                          |   12 +-
 .../s3/bucketlogging/zz_controller.go         |   12 +-
 .../s3/bucketmetric/zz_controller.go          |   12 +-
 .../s3/bucketnotification/zz_controller.go    |   12 +-
 .../s3/bucketobject/zz_controller.go          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../bucketownershipcontrols/zz_controller.go  |   12 +-
 .../s3/bucketpolicy/zz_controller.go          |   12 +-
 .../bucketpublicaccessblock/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../s3/bucketversioning/zz_controller.go      |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/s3/object/zz_controller.go     |   12 +-
 .../controller/s3/objectcopy/zz_controller.go |   12 +-
 .../s3control/accesspoint/zz_controller.go    |   12 +-
 .../accesspointpolicy/zz_controller.go        |   12 +-
 .../accountpublicaccessblock/zz_controller.go |   12 +-
 .../multiregionaccesspoint/zz_controller.go   |   12 +-
 .../zz_controller.go                          |   12 +-
 .../objectlambdaaccesspoint/zz_controller.go  |   12 +-
 .../zz_controller.go                          |   12 +-
 .../storagelensconfiguration/zz_controller.go |   12 +-
 .../controller/sagemaker/app/zz_controller.go |   12 +-
 .../sagemaker/appimageconfig/zz_controller.go |   12 +-
 .../sagemaker/coderepository/zz_controller.go |   12 +-
 .../sagemaker/device/zz_controller.go         |   12 +-
 .../sagemaker/devicefleet/zz_controller.go    |   12 +-
 .../sagemaker/domain/zz_controller.go         |   12 +-
 .../endpointconfiguration/zz_controller.go    |   12 +-
 .../sagemaker/featuregroup/zz_controller.go   |   12 +-
 .../sagemaker/image/zz_controller.go          |   12 +-
 .../sagemaker/imageversion/zz_controller.go   |   12 +-
 .../sagemaker/model/zz_controller.go          |   12 +-
 .../modelpackagegroup/zz_controller.go        |   12 +-
 .../modelpackagegrouppolicy/zz_controller.go  |   12 +-
 .../notebookinstance/zz_controller.go         |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../sagemaker/space/zz_controller.go          |   12 +-
 .../studiolifecycleconfig/zz_controller.go    |   12 +-
 .../sagemaker/userprofile/zz_controller.go    |   12 +-
 .../sagemaker/workforce/zz_controller.go      |   12 +-
 .../sagemaker/workteam/zz_controller.go       |   12 +-
 .../scheduler/schedule/zz_controller.go       |   12 +-
 .../scheduler/schedulegroup/zz_controller.go  |   12 +-
 .../schemas/discoverer/zz_controller.go       |   12 +-
 .../schemas/registry/zz_controller.go         |   12 +-
 .../schemas/schema/zz_controller.go           |   12 +-
 .../secretsmanager/secret/zz_controller.go    |   12 +-
 .../secretpolicy/zz_controller.go             |   12 +-
 .../secretrotation/zz_controller.go           |   12 +-
 .../secretversion/zz_controller.go            |   12 +-
 .../securityhub/account/zz_controller.go      |   12 +-
 .../securityhub/actiontarget/zz_controller.go |   12 +-
 .../findingaggregator/zz_controller.go        |   12 +-
 .../securityhub/insight/zz_controller.go      |   12 +-
 .../inviteaccepter/zz_controller.go           |   12 +-
 .../securityhub/member/zz_controller.go       |   12 +-
 .../productsubscription/zz_controller.go      |   12 +-
 .../standardssubscription/zz_controller.go    |   12 +-
 .../cloudformationstack/zz_controller.go      |   12 +-
 .../zz_controller.go                          |   12 +-
 .../constraint/zz_controller.go               |   12 +-
 .../servicecatalog/portfolio/zz_controller.go |   12 +-
 .../portfolioshare/zz_controller.go           |   12 +-
 .../zz_controller.go                          |   12 +-
 .../servicecatalog/product/zz_controller.go   |   12 +-
 .../zz_controller.go                          |   12 +-
 .../provisioningartifact/zz_controller.go     |   12 +-
 .../serviceaction/zz_controller.go            |   12 +-
 .../servicecatalog/tagoption/zz_controller.go |   12 +-
 .../zz_controller.go                          |   12 +-
 .../httpnamespace/zz_controller.go            |   12 +-
 .../privatednsnamespace/zz_controller.go      |   12 +-
 .../publicdnsnamespace/zz_controller.go       |   12 +-
 .../servicediscovery/service/zz_controller.go |   12 +-
 .../servicequota/zz_controller.go             |   12 +-
 .../ses/activereceiptruleset/zz_controller.go |   12 +-
 .../ses/configurationset/zz_controller.go     |   12 +-
 .../ses/domaindkim/zz_controller.go           |   12 +-
 .../ses/domainidentity/zz_controller.go       |   12 +-
 .../ses/domainmailfrom/zz_controller.go       |   12 +-
 .../ses/emailidentity/zz_controller.go        |   12 +-
 .../ses/eventdestination/zz_controller.go     |   12 +-
 .../zz_controller.go                          |   12 +-
 .../ses/identitypolicy/zz_controller.go       |   12 +-
 .../ses/receiptfilter/zz_controller.go        |   12 +-
 .../ses/receiptrule/zz_controller.go          |   12 +-
 .../ses/receiptruleset/zz_controller.go       |   12 +-
 .../controller/ses/template/zz_controller.go  |   12 +-
 .../sesv2/configurationset/zz_controller.go   |   12 +-
 .../zz_controller.go                          |   12 +-
 .../sesv2/dedicatedippool/zz_controller.go    |   12 +-
 .../sesv2/emailidentity/zz_controller.go      |   12 +-
 .../zz_controller.go                          |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/sfn/activity/zz_controller.go  |   12 +-
 .../sfn/statemachine/zz_controller.go         |   12 +-
 .../signer/signingjob/zz_controller.go        |   12 +-
 .../signer/signingprofile/zz_controller.go    |   12 +-
 .../signingprofilepermission/zz_controller.go |   12 +-
 .../simpledb/domain/zz_controller.go          |   12 +-
 .../sns/platformapplication/zz_controller.go  |   12 +-
 .../sns/smspreferences/zz_controller.go       |   12 +-
 .../controller/sns/topic/zz_controller.go     |   12 +-
 .../sns/topicpolicy/zz_controller.go          |   12 +-
 .../sns/topicsubscription/zz_controller.go    |   12 +-
 .../controller/sqs/queue/zz_controller.go     |   12 +-
 .../sqs/queuepolicy/zz_controller.go          |   12 +-
 .../queueredriveallowpolicy/zz_controller.go  |   12 +-
 .../sqs/queueredrivepolicy/zz_controller.go   |   12 +-
 .../ssm/activation/zz_controller.go           |   12 +-
 .../ssm/association/zz_controller.go          |   12 +-
 .../ssm/defaultpatchbaseline/zz_controller.go |   12 +-
 .../controller/ssm/document/zz_controller.go  |   12 +-
 .../ssm/maintenancewindow/zz_controller.go    |   12 +-
 .../maintenancewindowtarget/zz_controller.go  |   12 +-
 .../maintenancewindowtask/zz_controller.go    |   12 +-
 .../controller/ssm/parameter/zz_controller.go |   12 +-
 .../ssm/patchbaseline/zz_controller.go        |   12 +-
 .../ssm/patchgroup/zz_controller.go           |   12 +-
 .../ssm/resourcedatasync/zz_controller.go     |   12 +-
 .../ssm/servicesetting/zz_controller.go       |   12 +-
 .../accountassignment/zz_controller.go        |   12 +-
 .../managedpolicyattachment/zz_controller.go  |   12 +-
 .../ssoadmin/permissionset/zz_controller.go   |   12 +-
 .../zz_controller.go                          |   12 +-
 .../controller/swf/domain/zz_controller.go    |   12 +-
 .../timestreamwrite/database/zz_controller.go |   12 +-
 .../timestreamwrite/table/zz_controller.go    |   12 +-
 .../transcribe/languagemodel/zz_controller.go |   12 +-
 .../transcribe/vocabulary/zz_controller.go    |   12 +-
 .../vocabularyfilter/zz_controller.go         |   12 +-
 .../transfer/server/zz_controller.go          |   12 +-
 .../transfer/sshkey/zz_controller.go          |   12 +-
 .../controller/transfer/tag/zz_controller.go  |   12 +-
 .../controller/transfer/user/zz_controller.go |   12 +-
 .../transfer/workflow/zz_controller.go        |   12 +-
 .../zz_controller.go                          |   12 +-
 .../waf/bytematchset/zz_controller.go         |   12 +-
 .../waf/geomatchset/zz_controller.go          |   12 +-
 .../controller/waf/ipset/zz_controller.go     |   12 +-
 .../waf/ratebasedrule/zz_controller.go        |   12 +-
 .../waf/regexmatchset/zz_controller.go        |   12 +-
 .../waf/regexpatternset/zz_controller.go      |   12 +-
 internal/controller/waf/rule/zz_controller.go |   12 +-
 .../waf/sizeconstraintset/zz_controller.go    |   12 +-
 .../waf/sqlinjectionmatchset/zz_controller.go |   12 +-
 .../controller/waf/webacl/zz_controller.go    |   12 +-
 .../waf/xssmatchset/zz_controller.go          |   12 +-
 .../wafregional/bytematchset/zz_controller.go |   12 +-
 .../wafregional/geomatchset/zz_controller.go  |   12 +-
 .../wafregional/ipset/zz_controller.go        |   12 +-
 .../ratebasedrule/zz_controller.go            |   12 +-
 .../regexmatchset/zz_controller.go            |   12 +-
 .../regexpatternset/zz_controller.go          |   12 +-
 .../wafregional/rule/zz_controller.go         |   12 +-
 .../sizeconstraintset/zz_controller.go        |   12 +-
 .../sqlinjectionmatchset/zz_controller.go     |   12 +-
 .../wafregional/webacl/zz_controller.go       |   12 +-
 .../wafregional/xssmatchset/zz_controller.go  |   12 +-
 .../controller/wafv2/ipset/zz_controller.go   |   12 +-
 .../wafv2/regexpatternset/zz_controller.go    |   12 +-
 .../workspaces/directory/zz_controller.go     |   12 +-
 .../workspaces/ipgroup/zz_controller.go       |   12 +-
 .../xray/encryptionconfig/zz_controller.go    |   12 +-
 .../controller/xray/group/zz_controller.go    |   12 +-
 .../xray/samplingrule/zz_controller.go        |   12 +-
 ...cessanalyzer.aws.upbound.io_analyzers.yaml |   32 +-
 ...sanalyzer.aws.upbound.io_archiverules.yaml |   58 +-
 ...ount.aws.upbound.io_alternatecontacts.yaml |   56 +-
 .../crds/acm.aws.upbound.io_certificates.yaml |   92 +-
 ...aws.upbound.io_certificatevalidations.yaml |   35 +-
 ...aws.upbound.io_certificateauthorities.yaml |  215 +-
 ...d.io_certificateauthoritycertificates.yaml |   30 +-
 .../acmpca.aws.upbound.io_certificates.yaml   |   62 +-
 .../acmpca.aws.upbound.io_permissions.yaml    |   49 +-
 .../crds/acmpca.aws.upbound.io_policies.yaml  |   34 +-
 ...ws.upbound.io_alertmanagerdefinitions.yaml |   35 +-
 ...mp.aws.upbound.io_rulegroupnamespaces.yaml |   35 +-
 .../crds/amp.aws.upbound.io_workspaces.yaml   |   44 +-
 package/crds/amplify.aws.upbound.io_apps.yaml |  144 +-
 ...fy.aws.upbound.io_backendenvironments.yaml |   32 +-
 .../crds/amplify.aws.upbound.io_branches.yaml |   75 +-
 .../crds/amplify.aws.upbound.io_webhooks.yaml |   32 +-
 .../apigateway.aws.upbound.io_accounts.yaml   |   29 +-
 .../apigateway.aws.upbound.io_apikeys.yaml    |   42 +-
 ...apigateway.aws.upbound.io_authorizers.yaml |   72 +-
 ...teway.aws.upbound.io_basepathmappings.yaml |   40 +-
 ...way.aws.upbound.io_clientcertificates.yaml |   31 +-
 ...apigateway.aws.upbound.io_deployments.yaml |   54 +-
 ...way.aws.upbound.io_documentationparts.yaml |   65 +-
 ....aws.upbound.io_documentationversions.yaml |   36 +-
 ...apigateway.aws.upbound.io_domainnames.yaml |  121 +-
 ...teway.aws.upbound.io_gatewayresponses.yaml |   47 +-
 ...y.aws.upbound.io_integrationresponses.yaml |   64 +-
 ...pigateway.aws.upbound.io_integrations.yaml |  138 +-
 ...ateway.aws.upbound.io_methodresponses.yaml |   54 +-
 .../apigateway.aws.upbound.io_methods.yaml    |   85 +-
 ...gateway.aws.upbound.io_methodsettings.yaml |   93 +-
 .../apigateway.aws.upbound.io_models.yaml     |   45 +-
 ...eway.aws.upbound.io_requestvalidators.yaml |   41 +-
 .../apigateway.aws.upbound.io_resources.yaml  |   36 +-
 ...ateway.aws.upbound.io_restapipolicies.yaml |   34 +-
 .../apigateway.aws.upbound.io_restapis.yaml   |  145 +-
 .../apigateway.aws.upbound.io_stages.yaml     |  107 +-
 ...igateway.aws.upbound.io_usageplankeys.yaml |   38 +-
 .../apigateway.aws.upbound.io_usageplans.yaml |  108 +-
 .../apigateway.aws.upbound.io_vpclinks.yaml   |   44 +-
 ...igatewayv2.aws.upbound.io_apimappings.yaml |   37 +-
 .../apigatewayv2.aws.upbound.io_apis.yaml     |  128 +-
 ...igatewayv2.aws.upbound.io_authorizers.yaml |   99 +-
 ...igatewayv2.aws.upbound.io_deployments.yaml |   30 +-
 ...igatewayv2.aws.upbound.io_domainnames.yaml |   72 +-
 ...2.aws.upbound.io_integrationresponses.yaml |   51 +-
 ...gatewayv2.aws.upbound.io_integrations.yaml |  145 +-
 .../apigatewayv2.aws.upbound.io_models.yaml   |   53 +-
 ...tewayv2.aws.upbound.io_routeresponses.yaml |   44 +-
 .../apigatewayv2.aws.upbound.io_routes.yaml   |   95 +-
 .../apigatewayv2.aws.upbound.io_stages.yaml   |  128 +-
 .../apigatewayv2.aws.upbound.io_vpclinks.yaml |   46 +-
 ...ppautoscaling.aws.upbound.io_policies.yaml |  178 +-
 ...aling.aws.upbound.io_scheduledactions.yaml |   92 +-
 ...appautoscaling.aws.upbound.io_targets.yaml |   60 +-
 ...appconfig.aws.upbound.io_applications.yaml |   40 +-
 ....aws.upbound.io_configurationprofiles.yaml |   81 +-
 .../appconfig.aws.upbound.io_deployments.yaml |   52 +-
 ...g.aws.upbound.io_deploymentstrategies.yaml |   72 +-
 ...appconfig.aws.upbound.io_environments.yaml |   59 +-
 ....aws.upbound.io_extensionassociations.yaml |   35 +-
 .../appconfig.aws.upbound.io_extensions.yaml  |  102 +-
 ...pbound.io_hostedconfigurationversions.yaml |   43 +-
 .../crds/appflow.aws.upbound.io_flows.yaml    | 1130 ++-
 ...ions.aws.upbound.io_eventintegrations.yaml |   51 +-
 ...ninsights.aws.upbound.io_applications.yaml |   56 +-
 .../appmesh.aws.upbound.io_gatewayroutes.yaml |  296 +-
 .../crds/appmesh.aws.upbound.io_meshes.yaml   |   44 +-
 .../crds/appmesh.aws.upbound.io_routes.yaml   |  744 +-
 ...ppmesh.aws.upbound.io_virtualgateways.yaml |  459 +-
 .../appmesh.aws.upbound.io_virtualnodes.yaml  |  869 +-
 ...appmesh.aws.upbound.io_virtualrouters.yaml |   72 +-
 ...ppmesh.aws.upbound.io_virtualservices.yaml |   85 +-
 ...d.io_autoscalingconfigurationversions.yaml |   48 +-
 .../apprunner.aws.upbound.io_connections.yaml |   35 +-
 ...pbound.io_observabilityconfigurations.yaml |   48 +-
 .../apprunner.aws.upbound.io_services.yaml    |  354 +-
 ...pprunner.aws.upbound.io_vpcconnectors.yaml |   52 +-
 ...tream.aws.upbound.io_directoryconfigs.yaml |   58 +-
 .../crds/appstream.aws.upbound.io_fleet.yaml  |  125 +-
 ...aws.upbound.io_fleetstackassociations.yaml |   29 +-
 ...ppstream.aws.upbound.io_imagebuilders.yaml |  106 +-
 .../crds/appstream.aws.upbound.io_stacks.yaml |  125 +-
 .../crds/appstream.aws.upbound.io_users.yaml  |   39 +-
 ....aws.upbound.io_userstackassociations.yaml |   37 +-
 .../appsync.aws.upbound.io_apicaches.yaml     |   56 +-
 .../crds/appsync.aws.upbound.io_apikeys.yaml  |   34 +-
 .../appsync.aws.upbound.io_datasources.yaml   |  160 +-
 .../appsync.aws.upbound.io_functions.yaml     |  106 +-
 .../appsync.aws.upbound.io_graphqlapis.yaml   |  229 +-
 .../appsync.aws.upbound.io_resolvers.yaml     |  134 +-
 .../crds/athena.aws.upbound.io_databases.yaml |   71 +-
 .../athena.aws.upbound.io_datacatalogs.yaml   |   52 +-
 .../athena.aws.upbound.io_namedqueries.yaml   |   49 +-
 .../athena.aws.upbound.io_workgroups.yaml     |  125 +-
 ...utoscaling.aws.upbound.io_attachments.yaml |   35 +-
 ...ling.aws.upbound.io_autoscalinggroups.yaml |  683 +-
 .../autoscaling.aws.upbound.io_grouptags.yaml |   46 +-
 ...g.aws.upbound.io_launchconfigurations.yaml |  195 +-
 ...scaling.aws.upbound.io_lifecyclehooks.yaml |   62 +-
 ...oscaling.aws.upbound.io_notifications.yaml |   44 +-
 .../autoscaling.aws.upbound.io_policies.yaml  |  494 +-
 .../autoscaling.aws.upbound.io_schedules.yaml |   59 +-
 ...lingplans.aws.upbound.io_scalingplans.yaml |  251 +-
 package/crds/aws.upbound.io_storeconfigs.yaml |   33 +-
 .../backup.aws.upbound.io_frameworks.yaml     |  105 +-
 .../backup.aws.upbound.io_globalsettings.yaml |   33 +-
 package/crds/backup.aws.upbound.io_plans.yaml |  140 +-
 .../backup.aws.upbound.io_regionsettings.yaml |   42 +-
 .../backup.aws.upbound.io_reportplans.yaml    |   97 +-
 .../backup.aws.upbound.io_selections.yaml     |  124 +-
 ...ws.upbound.io_vaultlockconfigurations.yaml |   40 +-
 ...kup.aws.upbound.io_vaultnotifications.yaml |   40 +-
 .../backup.aws.upbound.io_vaultpolicies.yaml  |   33 +-
 .../crds/backup.aws.upbound.io_vaults.yaml    |   37 +-
 ...tch.aws.upbound.io_schedulingpolicies.yaml |   57 +-
 .../budgets.aws.upbound.io_budgetactions.yaml |  164 +-
 .../crds/budgets.aws.upbound.io_budgets.yaml  |  191 +-
 .../ce.aws.upbound.io_anomalymonitors.yaml    |   48 +-
 ...e.aws.upbound.io_voiceconnectorgroups.yaml |   38 +-
 ...aws.upbound.io_voiceconnectorloggings.yaml |   34 +-
 ...upbound.io_voiceconnectororiginations.yaml |   65 +-
 .../chime.aws.upbound.io_voiceconnectors.yaml |   35 +-
 ...s.upbound.io_voiceconnectorstreamings.yaml |   44 +-
 ..._voiceconnectorterminationcredentials.yaml |   40 +-
 ...upbound.io_voiceconnectorterminations.yaml |   55 +-
 ...cloud9.aws.upbound.io_environmentec2s.yaml |   66 +-
 ...aws.upbound.io_environmentmemberships.yaml |   40 +-
 ...cloudcontrol.aws.upbound.io_resources.yaml |   44 +-
 .../cloudformation.aws.upbound.io_stacks.yaml |   85 +-
 ...oudformation.aws.upbound.io_stacksets.yaml |  129 +-
 ...oudfront.aws.upbound.io_cachepolicies.yaml |  159 +-
 ...oudfront.aws.upbound.io_distributions.yaml |  761 +-
 ...pbound.io_fieldlevelencryptionconfigs.yaml |  111 +-
 ...bound.io_fieldlevelencryptionprofiles.yaml |   72 +-
 .../cloudfront.aws.upbound.io_functions.yaml  |   41 +-
 .../cloudfront.aws.upbound.io_keygroups.yaml  |   39 +-
 ...ws.upbound.io_monitoringsubscriptions.yaml |   52 +-
 ...t.aws.upbound.io_originaccesscontrols.yaml |   56 +-
 ...aws.upbound.io_originaccessidentities.yaml |   26 +-
 ....aws.upbound.io_originrequestpolicies.yaml |   97 +-
 .../cloudfront.aws.upbound.io_publickeys.yaml |   33 +-
 ...ont.aws.upbound.io_realtimelogconfigs.yaml |   77 +-
 ...ws.upbound.io_responseheaderspolicies.yaml |  288 +-
 .../cloudsearch.aws.upbound.io_domains.yaml   |  109 +-
 ...pbound.io_domainserviceaccesspolicies.yaml |   34 +-
 ...dtrail.aws.upbound.io_eventdatastores.yaml |  124 +-
 .../cloudtrail.aws.upbound.io_trails.yaml     |  207 +-
 ...dwatch.aws.upbound.io_compositealarms.yaml |   67 +-
 .../cloudwatch.aws.upbound.io_dashboards.yaml |   32 +-
 ...loudwatch.aws.upbound.io_metricalarms.yaml |  210 +-
 ...oudwatch.aws.upbound.io_metricstreams.yaml |  109 +-
 ...events.aws.upbound.io_apidestinations.yaml |   52 +-
 ...udwatchevents.aws.upbound.io_archives.yaml |   39 +-
 ...cloudwatchevents.aws.upbound.io_buses.yaml |   32 +-
 ...atchevents.aws.upbound.io_buspolicies.yaml |   34 +-
 ...atchevents.aws.upbound.io_connections.yaml |  230 +-
 ...atchevents.aws.upbound.io_permissions.yaml |   65 +-
 ...cloudwatchevents.aws.upbound.io_rules.yaml |   55 +-
 ...oudwatchevents.aws.upbound.io_targets.yaml |  352 +-
 ...dwatchlogs.aws.upbound.io_definitions.yaml |   42 +-
 ...gs.aws.upbound.io_destinationpolicies.yaml |   35 +-
 ...watchlogs.aws.upbound.io_destinations.yaml |   36 +-
 .../cloudwatchlogs.aws.upbound.io_groups.yaml |   46 +-
 ...atchlogs.aws.upbound.io_metricfilters.yaml |   76 +-
 ...hlogs.aws.upbound.io_resourcepolicies.yaml |   32 +-
 ...cloudwatchlogs.aws.upbound.io_streams.yaml |   35 +-
 ...gs.aws.upbound.io_subscriptionfilters.yaml |   64 +-
 ...d.io_approvalruletemplateassociations.yaml |   30 +-
 ....aws.upbound.io_approvalruletemplates.yaml |   35 +-
 ...odecommit.aws.upbound.io_repositories.yaml |   36 +-
 .../codecommit.aws.upbound.io_triggers.yaml   |   66 +-
 ...pipeline.aws.upbound.io_codepipelines.yaml |  152 +-
 ...line.aws.upbound.io_customactiontypes.yaml |  140 +-
 .../codepipeline.aws.upbound.io_webhooks.yaml |   75 +-
 ...onnections.aws.upbound.io_connections.yaml |   47 +-
 ...estarconnections.aws.upbound.io_hosts.yaml |   76 +-
 ...ions.aws.upbound.io_notificationrules.yaml |   67 +-
 ...nitoidentitypoolproviderprincipaltags.yaml |   38 +-
 ...y.aws.upbound.io_poolrolesattachments.yaml |   84 +-
 .../cognitoidentity.aws.upbound.io_pools.yaml |   84 +-
 ...oidp.aws.upbound.io_identityproviders.yaml |   58 +-
 ...itoidp.aws.upbound.io_resourceservers.yaml |   50 +-
 ...idp.aws.upbound.io_riskconfigurations.yaml |  213 +-
 .../cognitoidp.aws.upbound.io_usergroups.yaml |   43 +-
 ...ognitoidp.aws.upbound.io_useringroups.yaml |   33 +-
 ...itoidp.aws.upbound.io_userpoolclients.yaml |  179 +-
 ...itoidp.aws.upbound.io_userpooldomains.yaml |   39 +-
 .../cognitoidp.aws.upbound.io_userpools.yaml  |  482 +-
 ...s.upbound.io_userpooluicustomizations.yaml |   41 +-
 .../crds/cognitoidp.aws.upbound.io_users.yaml |   87 +-
 ...d.io_awsconfigurationrecorderstatuses.yaml |   31 +-
 ...figservice.aws.upbound.io_configrules.yaml |  147 +-
 ...s.upbound.io_configurationaggregators.yaml |   70 +-
 ...aws.upbound.io_configurationrecorders.yaml |   57 +-
 ...rvice.aws.upbound.io_conformancepacks.yaml |   58 +-
 ...rvice.aws.upbound.io_deliverychannels.yaml |   51 +-
 ....upbound.io_remediationconfigurations.yaml |  100 +-
 ...onnect.aws.upbound.io_botassociations.yaml |   45 +-
 ...ect.aws.upbound.io_contactflowmodules.yaml |   59 +-
 .../connect.aws.upbound.io_contactflows.yaml  |   65 +-
 ...nect.aws.upbound.io_hoursofoperations.yaml |   90 +-
 .../connect.aws.upbound.io_instances.yaml     |   72 +-
 ...aws.upbound.io_instancestorageconfigs.yaml |  139 +-
 ...upbound.io_lambdafunctionassociations.yaml |   31 +-
 .../connect.aws.upbound.io_phonenumbers.yaml  |   56 +-
 .../crds/connect.aws.upbound.io_queues.yaml   |   78 +-
 .../connect.aws.upbound.io_quickconnects.yaml |  100 +-
 ...onnect.aws.upbound.io_routingprofiles.yaml |   90 +-
 ...nnect.aws.upbound.io_securityprofiles.yaml |   48 +-
 ...ws.upbound.io_userhierarchystructures.yaml |   51 +-
 .../crds/connect.aws.upbound.io_users.yaml    |  130 +-
 .../connect.aws.upbound.io_vocabularies.yaml  |   62 +-
 .../cur.aws.upbound.io_reportdefinitions.yaml |   85 +-
 .../dataexchange.aws.upbound.io_datasets.yaml |   48 +-
 ...dataexchange.aws.upbound.io_revisions.yaml |   34 +-
 ...datapipeline.aws.upbound.io_pipelines.yaml |   38 +-
 package/crds/dax.aws.upbound.io_clusters.yaml |   91 +-
 .../dax.aws.upbound.io_parametergroups.yaml   |   38 +-
 .../crds/dax.aws.upbound.io_subnetgroups.yaml |   31 +-
 package/crds/deploy.aws.upbound.io_apps.yaml  |   32 +-
 ...ploy.aws.upbound.io_deploymentconfigs.yaml |   88 +-
 ...eploy.aws.upbound.io_deploymentgroups.yaml |  350 +-
 .../crds/detective.aws.upbound.io_graphs.yaml |   28 +-
 ...ve.aws.upbound.io_invitationaccepters.yaml |   27 +-
 .../detective.aws.upbound.io_members.yaml     |   51 +-
 ...devicefarm.aws.upbound.io_devicepools.yaml |   70 +-
 ...efarm.aws.upbound.io_instanceprofiles.yaml |   53 +-
 ...cefarm.aws.upbound.io_networkprofiles.yaml |   77 +-
 .../devicefarm.aws.upbound.io_projects.yaml   |   40 +-
 ...efarm.aws.upbound.io_testgridprojects.yaml |   59 +-
 .../devicefarm.aws.upbound.io_uploads.yaml    |   47 +-
 ...directconnect.aws.upbound.io_bgppeers.yaml |   53 +-
 ...aws.upbound.io_connectionassociations.yaml |   29 +-
 ...ectconnect.aws.upbound.io_connections.yaml |   70 +-
 ...pbound.io_gatewayassociationproposals.yaml |   41 +-
 ...ct.aws.upbound.io_gatewayassociations.yaml |   51 +-
 ...directconnect.aws.upbound.io_gateways.yaml |   38 +-
 ...ostedprivatevirtualinterfaceaccepters.yaml |   40 +-
 ...und.io_hostedprivatevirtualinterfaces.yaml |   76 +-
 ...hostedpublicvirtualinterfaceaccepters.yaml |   32 +-
 ...ound.io_hostedpublicvirtualinterfaces.yaml |   79 +-
 ...ostedtransitvirtualinterfaceaccepters.yaml |   36 +-
 ...und.io_hostedtransitvirtualinterfaces.yaml |   76 +-
 .../directconnect.aws.upbound.io_lags.yaml    |   65 +-
 ...s.upbound.io_privatevirtualinterfaces.yaml |   85 +-
 ...ws.upbound.io_publicvirtualinterfaces.yaml |   78 +-
 ...s.upbound.io_transitvirtualinterfaces.yaml |   81 +-
 .../dlm.aws.upbound.io_lifecyclepolicies.yaml |  468 +-
 .../crds/dms.aws.upbound.io_certificates.yaml |   28 +-
 .../crds/dms.aws.upbound.io_endpoints.yaml    |  534 +-
 ...dms.aws.upbound.io_eventsubscriptions.yaml |   53 +-
 ...s.aws.upbound.io_replicationinstances.yaml |   96 +-
 ...ws.upbound.io_replicationsubnetgroups.yaml |   41 +-
 .../dms.aws.upbound.io_replicationtasks.yaml  |   75 +-
 .../crds/dms.aws.upbound.io_s3endpoints.yaml  |  240 +-
 ...docdb.aws.upbound.io_clusterinstances.yaml |   83 +-
 ...aws.upbound.io_clusterparametergroups.yaml |   58 +-
 .../crds/docdb.aws.upbound.io_clusters.yaml   |  118 +-
 ...docdb.aws.upbound.io_clustersnapshots.yaml |   27 +-
 ...cdb.aws.upbound.io_eventsubscriptions.yaml |   57 +-
 .../docdb.aws.upbound.io_globalclusters.yaml  |   58 +-
 .../docdb.aws.upbound.io_subnetgroups.yaml    |   36 +-
 ....aws.upbound.io_conditionalforwarders.yaml |   39 +-
 .../crds/ds.aws.upbound.io_directories.yaml   |  101 +-
 .../ds.aws.upbound.io_shareddirectories.yaml  |   49 +-
 ...db.aws.upbound.io_contributorinsights.yaml |   29 +-
 .../dynamodb.aws.upbound.io_globaltables.yaml |   38 +-
 ...bound.io_kinesisstreamingdestinations.yaml |   31 +-
 .../dynamodb.aws.upbound.io_tableitems.yaml   |   47 +-
 ...dynamodb.aws.upbound.io_tablereplicas.yaml |   48 +-
 .../crds/dynamodb.aws.upbound.io_tables.yaml  |  231 +-
 .../crds/dynamodb.aws.upbound.io_tags.yaml    |   37 +-
 .../crds/ec2.aws.upbound.io_amicopies.yaml    |   66 +-
 ...2.aws.upbound.io_amilaunchpermissions.yaml |   39 +-
 package/crds/ec2.aws.upbound.io_amis.yaml     |  159 +-
 ...aws.upbound.io_availabilityzonegroups.yaml |   31 +-
 ...2.aws.upbound.io_capacityreservations.yaml |   92 +-
 .../ec2.aws.upbound.io_carriergateways.yaml   |   31 +-
 .../ec2.aws.upbound.io_customergateways.yaml  |   54 +-
 ...ec2.aws.upbound.io_defaultnetworkacls.yaml |  110 +-
 ...ec2.aws.upbound.io_defaultroutetables.yaml |   85 +-
 ....aws.upbound.io_defaultsecuritygroups.yaml |  134 +-
 .../ec2.aws.upbound.io_defaultsubnets.yaml    |   60 +-
 ....aws.upbound.io_defaultvpcdhcpoptions.yaml |   32 +-
 .../crds/ec2.aws.upbound.io_defaultvpcs.yaml  |   54 +-
 .../ec2.aws.upbound.io_ebsdefaultkmskeys.yaml |   27 +-
 ...ws.upbound.io_ebsencryptionbydefaults.yaml |   27 +-
 .../ec2.aws.upbound.io_ebssnapshotcopies.yaml |   61 +-
 ...ec2.aws.upbound.io_ebssnapshotimports.yaml |  117 +-
 .../crds/ec2.aws.upbound.io_ebssnapshots.yaml |   52 +-
 .../crds/ec2.aws.upbound.io_ebsvolumes.yaml   |   72 +-
 ...upbound.io_egressonlyinternetgateways.yaml |   31 +-
 .../ec2.aws.upbound.io_eipassociations.yaml   |   50 +-
 package/crds/ec2.aws.upbound.io_eips.yaml     |   61 +-
 package/crds/ec2.aws.upbound.io_flowlogs.yaml |   96 +-
 package/crds/ec2.aws.upbound.io_hosts.yaml    |   63 +-
 .../crds/ec2.aws.upbound.io_instances.yaml    |  454 +-
 .../ec2.aws.upbound.io_instancestates.yaml    |   42 +-
 .../ec2.aws.upbound.io_internetgateways.yaml  |   33 +-
 package/crds/ec2.aws.upbound.io_keypairs.yaml |   35 +-
 .../ec2.aws.upbound.io_launchtemplates.yaml   |  748 +-
 ...upbound.io_mainroutetableassociations.yaml |   31 +-
 ...s.upbound.io_managedprefixlistentries.yaml |   34 +-
 ...ec2.aws.upbound.io_managedprefixlists.yaml |   65 +-
 .../crds/ec2.aws.upbound.io_natgateways.yaml  |   45 +-
 .../ec2.aws.upbound.io_networkaclrules.yaml   |   72 +-
 .../crds/ec2.aws.upbound.io_networkacls.yaml  |   36 +-
 ...ws.upbound.io_networkinsightsanalyses.yaml |   42 +-
 ...2.aws.upbound.io_networkinsightspaths.yaml |   55 +-
 ...pbound.io_networkinterfaceattachments.yaml |   36 +-
 .../ec2.aws.upbound.io_networkinterfaces.yaml |  117 +-
 ...ound.io_networkinterfacesgattachments.yaml |   29 +-
 .../ec2.aws.upbound.io_placementgroups.yaml   |   47 +-
 package/crds/ec2.aws.upbound.io_routes.yaml   |   71 +-
 ...aws.upbound.io_routetableassociations.yaml |   34 +-
 .../crds/ec2.aws.upbound.io_routetables.yaml  |   31 +-
 ...ec2.aws.upbound.io_securitygrouprules.yaml |   84 +-
 .../ec2.aws.upbound.io_securitygroups.yaml    |   48 +-
 ....aws.upbound.io_serialconsoleaccesses.yaml |   27 +-
 ...nd.io_snapshotcreatevolumepermissions.yaml |   34 +-
 ....upbound.io_spotdatafeedsubscriptions.yaml |   35 +-
 .../ec2.aws.upbound.io_spotfleetrequests.yaml |  579 +-
 ...2.aws.upbound.io_spotinstancerequests.yaml |  293 +-
 ...aws.upbound.io_subnetcidrreservations.yaml |   43 +-
 package/crds/ec2.aws.upbound.io_subnets.yaml  |   94 +-
 package/crds/ec2.aws.upbound.io_tags.yaml     |   36 +-
 ...s.upbound.io_trafficmirrorfilterrules.yaml |  101 +-
 ...2.aws.upbound.io_trafficmirrorfilters.yaml |   37 +-
 ...upbound.io_transitgatewayconnectpeers.yaml |   70 +-
 ...aws.upbound.io_transitgatewayconnects.yaml |   50 +-
 ...sitgatewaymulticastdomainassociations.yaml |   33 +-
 ...und.io_transitgatewaymulticastdomains.yaml |   48 +-
 ...o_transitgatewaymulticastgroupmembers.yaml |   38 +-
 ...o_transitgatewaymulticastgroupsources.yaml |   38 +-
 ...nsitgatewaypeeringattachmentaccepters.yaml |   32 +-
 ...d.io_transitgatewaypeeringattachments.yaml |   45 +-
 ...upbound.io_transitgatewaypolicytables.yaml |   31 +-
 ...io_transitgatewayprefixlistreferences.yaml |   36 +-
 ...2.aws.upbound.io_transitgatewayroutes.yaml |   41 +-
 ..._transitgatewayroutetableassociations.yaml |   29 +-
 ..._transitgatewayroutetablepropagations.yaml |   29 +-
 ....upbound.io_transitgatewayroutetables.yaml |   31 +-
 .../ec2.aws.upbound.io_transitgateways.yaml   |   71 +-
 ..._transitgatewayvpcattachmentaccepters.yaml |   41 +-
 ...bound.io_transitgatewayvpcattachments.yaml |   66 +-
 .../ec2.aws.upbound.io_volumeattachments.yaml |   53 +-
 .../ec2.aws.upbound.io_vpcdhcpoptions.yaml    |   56 +-
 ...upbound.io_vpcdhcpoptionsassociations.yaml |   31 +-
 ...io_vpcendpointconnectionnotifications.yaml |   44 +-
 ....io_vpcendpointroutetableassociations.yaml |   31 +-
 .../crds/ec2.aws.upbound.io_vpcendpoints.yaml |   71 +-
 ..._vpcendpointsecuritygroupassociations.yaml |   38 +-
 ...o_vpcendpointserviceallowedprincipals.yaml |   33 +-
 ...c2.aws.upbound.io_vpcendpointservices.yaml |   58 +-
 ...ound.io_vpcendpointsubnetassociations.yaml |   31 +-
 ...upbound.io_vpcipampoolcidrallocations.yaml |   43 +-
 .../ec2.aws.upbound.io_vpcipampoolcidrs.yaml  |   53 +-
 .../crds/ec2.aws.upbound.io_vpcipampools.yaml |  101 +-
 package/crds/ec2.aws.upbound.io_vpcipams.yaml |   56 +-
 .../ec2.aws.upbound.io_vpcipamscopes.yaml     |   35 +-
 ...bound.io_vpcipv4cidrblockassociations.yaml |   42 +-
 ...ound.io_vpcpeeringconnectionaccepters.yaml |   81 +-
 ...pbound.io_vpcpeeringconnectionoptions.yaml |   82 +-
 ....aws.upbound.io_vpcpeeringconnections.yaml |   49 +-
 package/crds/ec2.aws.upbound.io_vpcs.yaml     |  103 +-
 ...c2.aws.upbound.io_vpnconnectionroutes.yaml |   34 +-
 .../ec2.aws.upbound.io_vpnconnections.yaml    |  342 +-
 ....aws.upbound.io_vpngatewayattachments.yaml |   29 +-
 ...pbound.io_vpngatewayroutepropagations.yaml |   31 +-
 .../crds/ec2.aws.upbound.io_vpngateways.yaml  |   39 +-
 .../ecr.aws.upbound.io_lifecyclepolicies.yaml |   35 +-
 ....aws.upbound.io_pullthroughcacherules.yaml |   38 +-
 .../ecr.aws.upbound.io_registrypolicies.yaml  |   30 +-
 ...und.io_registryscanningconfigurations.yaml |   55 +-
 ....upbound.io_replicationconfigurations.yaml |   68 +-
 .../crds/ecr.aws.upbound.io_repositories.yaml |   65 +-
 ...ecr.aws.upbound.io_repositorypolicies.yaml |   33 +-
 ...ecrpublic.aws.upbound.io_repositories.yaml |   78 +-
 ...lic.aws.upbound.io_repositorypolicies.yaml |   33 +-
 ...aws.upbound.io_accountsettingdefaults.yaml |   39 +-
 .../ecs.aws.upbound.io_capacityproviders.yaml |   77 +-
 ...s.upbound.io_clustercapacityproviders.yaml |   57 +-
 package/crds/ecs.aws.upbound.io_clusters.yaml |  131 +-
 package/crds/ecs.aws.upbound.io_services.yaml |  393 +-
 .../ecs.aws.upbound.io_taskdefinitions.yaml   |  319 +-
 .../crds/efs.aws.upbound.io_accesspoints.yaml |   85 +-
 .../efs.aws.upbound.io_backuppolicies.yaml    |   40 +-
 ...efs.aws.upbound.io_filesystempolicies.yaml |   44 +-
 .../crds/efs.aws.upbound.io_filesystems.yaml  |   78 +-
 .../crds/efs.aws.upbound.io_mounttargets.yaml |   42 +-
 ....upbound.io_replicationconfigurations.yaml |   45 +-
 package/crds/eks.aws.upbound.io_addons.yaml   |   69 +-
 .../crds/eks.aws.upbound.io_clusterauths.yaml |   23 +-
 package/crds/eks.aws.upbound.io_clusters.yaml |  173 +-
 .../eks.aws.upbound.io_fargateprofiles.yaml   |   64 +-
 ...ws.upbound.io_identityproviderconfigs.yaml |   71 +-
 .../crds/eks.aws.upbound.io_nodegroups.yaml   |  185 +-
 .../elasticache.aws.upbound.io_clusters.yaml  |  201 +-
 ...icache.aws.upbound.io_parametergroups.yaml |   56 +-
 ...ache.aws.upbound.io_replicationgroups.yaml |  262 +-
 ...asticache.aws.upbound.io_subnetgroups.yaml |   36 +-
 ...elasticache.aws.upbound.io_usergroups.yaml |   43 +-
 .../elasticache.aws.upbound.io_users.yaml     |   54 +-
 ...beanstalk.aws.upbound.io_applications.yaml |   55 +-
 ...lk.aws.upbound.io_applicationversions.yaml |   51 +-
 ...aws.upbound.io_configurationtemplates.yaml |   59 +-
 ...csearch.aws.upbound.io_domainpolicies.yaml |   34 +-
 .../elasticsearch.aws.upbound.io_domains.yaml |  348 +-
 ...arch.aws.upbound.io_domainsamloptions.yaml |   66 +-
 ...ictranscoder.aws.upbound.io_pipelines.yaml |  153 +-
 ...stictranscoder.aws.upbound.io_presets.yaml |  300 +-
 ...pbound.io_appcookiestickinesspolicies.yaml |   39 +-
 .../crds/elb.aws.upbound.io_attachments.yaml  |   29 +-
 ....aws.upbound.io_backendserverpolicies.yaml |   38 +-
 package/crds/elb.aws.upbound.io_elbs.yaml     |  152 +-
 ...upbound.io_lbcookiestickinesspolicies.yaml |   44 +-
 ...s.upbound.io_lbsslnegotiationpolicies.yaml |   59 +-
 .../elb.aws.upbound.io_listenerpolicies.yaml  |   45 +-
 package/crds/elb.aws.upbound.io_policies.yaml |   49 +-
 ....aws.upbound.io_proxyprotocolpolicies.yaml |   37 +-
 .../elbv2.aws.upbound.io_lblistenerrules.yaml |  398 +-
 .../elbv2.aws.upbound.io_lblisteners.yaml     |  266 +-
 package/crds/elbv2.aws.upbound.io_lbs.yaml    |  142 +-
 ...s.upbound.io_lbtargetgroupattachments.yaml |   46 +-
 .../elbv2.aws.upbound.io_lbtargetgroups.yaml  |  211 +-
 ...aws.upbound.io_securityconfigurations.yaml |   30 +-
 ...erverless.aws.upbound.io_applications.yaml |  157 +-
 .../evidently.aws.upbound.io_features.yaml    |  101 +-
 .../evidently.aws.upbound.io_projects.yaml    |   74 +-
 .../evidently.aws.upbound.io_segments.yaml    |   39 +-
 ...rehose.aws.upbound.io_deliverystreams.yaml | 1252 ++-
 ...is.aws.upbound.io_experimenttemplates.yaml |  165 +-
 package/crds/fsx.aws.upbound.io_backups.yaml  |   36 +-
 ...upbound.io_datarepositoryassociations.yaml |  122 +-
 .../fsx.aws.upbound.io_lustrefilesystems.yaml |  167 +-
 .../fsx.aws.upbound.io_ontapfilesystems.yaml  |  118 +-
 ...pbound.io_ontapstoragevirtualmachines.yaml |  100 +-
 ...fsx.aws.upbound.io_windowsfilesystems.yaml |  193 +-
 .../crds/gamelift.aws.upbound.io_aliases.yaml |   59 +-
 .../crds/gamelift.aws.upbound.io_builds.yaml  |   70 +-
 .../crds/gamelift.aws.upbound.io_fleet.yaml   |  160 +-
 ...lift.aws.upbound.io_gamesessionqueues.yaml |   59 +-
 .../crds/gamelift.aws.upbound.io_scripts.yaml |   65 +-
 .../glacier.aws.upbound.io_vaultlocks.yaml    |   50 +-
 .../crds/glacier.aws.upbound.io_vaults.yaml   |   51 +-
 ...celerator.aws.upbound.io_accelerators.yaml |   70 +-
 ...lerator.aws.upbound.io_endpointgroups.yaml |  104 +-
 ...laccelerator.aws.upbound.io_listeners.yaml |   59 +-
 .../glue.aws.upbound.io_catalogdatabases.yaml |   76 +-
 .../glue.aws.upbound.io_catalogtables.yaml    |  265 +-
 .../crds/glue.aws.upbound.io_classifiers.yaml |  113 +-
 .../crds/glue.aws.upbound.io_connections.yaml |   67 +-
 .../crds/glue.aws.upbound.io_crawlers.yaml    |  267 +-
 ...ound.io_datacatalogencryptionsettings.yaml |   80 +-
 package/crds/glue.aws.upbound.io_jobs.yaml    |  138 +-
 .../crds/glue.aws.upbound.io_registries.yaml  |   31 +-
 .../glue.aws.upbound.io_resourcepolicies.yaml |   35 +-
 package/crds/glue.aws.upbound.io_schemas.yaml |   64 +-
 ...aws.upbound.io_securityconfigurations.yaml |   78 +-
 .../crds/glue.aws.upbound.io_triggers.yaml    |  158 +-
 ...e.aws.upbound.io_userdefinedfunctions.yaml |   63 +-
 .../crds/glue.aws.upbound.io_workflows.yaml   |   43 +-
 ...na.aws.upbound.io_licenseassociations.yaml |   34 +-
 ...afana.aws.upbound.io_roleassociations.yaml |   45 +-
 ...afana.aws.upbound.io_workspaceapikeys.yaml |   49 +-
 .../grafana.aws.upbound.io_workspaces.yaml    |  119 +-
 ...pbound.io_workspacesamlconfigurations.yaml |   74 +-
 .../guardduty.aws.upbound.io_detectors.yaml   |  110 +-
 .../guardduty.aws.upbound.io_filters.yaml     |   97 +-
 .../guardduty.aws.upbound.io_members.yaml     |   48 +-
 .../crds/iam.aws.upbound.io_accesskeys.yaml   |   38 +-
 .../iam.aws.upbound.io_accountaliases.yaml    |   23 +-
 ...ws.upbound.io_accountpasswordpolicies.yaml |   55 +-
 .../iam.aws.upbound.io_groupmemberships.yaml  |   40 +-
 ...aws.upbound.io_grouppolicyattachments.yaml |   29 +-
 package/crds/iam.aws.upbound.io_groups.yaml   |   26 +-
 .../iam.aws.upbound.io_instanceprofiles.yaml  |   40 +-
 ...aws.upbound.io_openidconnectproviders.yaml |   58 +-
 package/crds/iam.aws.upbound.io_policies.yaml |   43 +-
 ....aws.upbound.io_rolepolicyattachments.yaml |   30 +-
 package/crds/iam.aws.upbound.io_roles.yaml    |   57 +-
 .../iam.aws.upbound.io_samlproviders.yaml     |   37 +-
 ...iam.aws.upbound.io_servercertificates.yaml |   48 +-
 ...iam.aws.upbound.io_servicelinkedroles.yaml |   47 +-
 ...upbound.io_servicespecificcredentials.yaml |   44 +-
 ...am.aws.upbound.io_signingcertificates.yaml |   44 +-
 ...m.aws.upbound.io_usergroupmemberships.yaml |   31 +-
 .../iam.aws.upbound.io_userloginprofiles.yaml |   40 +-
 ....aws.upbound.io_userpolicyattachments.yaml |   29 +-
 package/crds/iam.aws.upbound.io_users.yaml    |   44 +-
 .../crds/iam.aws.upbound.io_usersshkeys.yaml  |   50 +-
 .../iam.aws.upbound.io_virtualmfadevices.yaml |   40 +-
 ...magebuilder.aws.upbound.io_components.yaml |   74 +-
 ...ilder.aws.upbound.io_containerrecipes.yaml |  191 +-
 ...upbound.io_distributionconfigurations.yaml |  231 +-
 ...builder.aws.upbound.io_imagepipelines.yaml |  102 +-
 ...gebuilder.aws.upbound.io_imagerecipes.yaml |  159 +-
 .../imagebuilder.aws.upbound.io_images.yaml   |   61 +-
 ...bound.io_infrastructureconfigurations.yaml |  108 +-
 ...ctor.aws.upbound.io_assessmenttargets.yaml |   36 +-
 ...or.aws.upbound.io_assessmenttemplates.yaml |   71 +-
 ...spector.aws.upbound.io_resourcegroups.yaml |   32 +-
 .../inspector2.aws.upbound.io_enablers.yaml   |   41 +-
 .../crds/iot.aws.upbound.io_certificates.yaml |   38 +-
 ...aws.upbound.io_indexingconfigurations.yaml |  113 +-
 .../iot.aws.upbound.io_loggingoptions.yaml    |   38 +-
 package/crds/iot.aws.upbound.io_policies.yaml |   31 +-
 .../iot.aws.upbound.io_policyattachments.yaml |   29 +-
 ....aws.upbound.io_provisioningtemplates.yaml |   63 +-
 .../crds/iot.aws.upbound.io_rolealiases.yaml  |   39 +-
 ....aws.upbound.io_thinggroupmemberships.yaml |   43 +-
 .../crds/iot.aws.upbound.io_thinggroups.yaml  |   51 +-
 ....upbound.io_thingprincipalattachments.yaml |   30 +-
 package/crds/iot.aws.upbound.io_things.yaml   |   31 +-
 .../crds/iot.aws.upbound.io_thingtypes.yaml   |   54 +-
 .../crds/iot.aws.upbound.io_topicrules.yaml   |  861 +-
 package/crds/ivs.aws.upbound.io_channels.yaml |   45 +-
 ...ws.upbound.io_recordingconfigurations.yaml |   74 +-
 .../crds/kafka.aws.upbound.io_clusters.yaml   |  331 +-
 .../kafka.aws.upbound.io_configurations.yaml  |   46 +-
 .../kendra.aws.upbound.io_datasources.yaml    |  712 +-
 .../kendra.aws.upbound.io_experiences.yaml    |   88 +-
 .../crds/kendra.aws.upbound.io_indices.yaml   |  253 +-
 ...upbound.io_querysuggestionsblocklists.yaml |   64 +-
 .../crds/kendra.aws.upbound.io_thesaurus.yaml |   64 +-
 .../keyspaces.aws.upbound.io_keyspaces.yaml   |   28 +-
 .../crds/keyspaces.aws.upbound.io_tables.yaml |  170 +-
 ...inesis.aws.upbound.io_streamconsumers.yaml |   34 +-
 .../crds/kinesis.aws.upbound.io_streams.yaml  |   74 +-
 ...analytics.aws.upbound.io_applications.yaml |  314 +-
 ...alyticsv2.aws.upbound.io_applications.yaml |  722 +-
 ...2.aws.upbound.io_applicationsnapshots.yaml |   28 +-
 .../kinesisvideo.aws.upbound.io_streams.yaml  |   59 +-
 package/crds/kms.aws.upbound.io_aliases.yaml  |   27 +-
 .../crds/kms.aws.upbound.io_ciphertexts.yaml  |   36 +-
 .../crds/kms.aws.upbound.io_externalkeys.yaml |   63 +-
 package/crds/kms.aws.upbound.io_grants.yaml   |   95 +-
 package/crds/kms.aws.upbound.io_keys.yaml     |   84 +-
 ...ms.aws.upbound.io_replicaexternalkeys.yaml |   69 +-
 .../crds/kms.aws.upbound.io_replicakeys.yaml  |   62 +-
 ...ation.aws.upbound.io_datalakesettings.yaml |   81 +-
 ...eformation.aws.upbound.io_permissions.yaml |  193 +-
 ...akeformation.aws.upbound.io_resources.yaml |   34 +-
 .../crds/lambda.aws.upbound.io_aliases.yaml   |   51 +-
 ...bda.aws.upbound.io_codesigningconfigs.yaml |   60 +-
 ...da.aws.upbound.io_eventsourcemappings.yaml |  234 +-
 ...upbound.io_functioneventinvokeconfigs.yaml |   76 +-
 .../crds/lambda.aws.upbound.io_functions.yaml |  244 +-
 .../lambda.aws.upbound.io_functionurls.yaml   |   85 +-
 .../lambda.aws.upbound.io_invocations.yaml    |   43 +-
 ...ws.upbound.io_layerversionpermissions.yaml |   67 +-
 .../lambda.aws.upbound.io_layerversions.yaml  |   80 +-
 .../lambda.aws.upbound.io_permissions.yaml    |   83 +-
 ...ound.io_provisionedconcurrencyconfigs.yaml |   44 +-
 .../lexmodels.aws.upbound.io_botaliases.yaml  |   66 +-
 .../crds/lexmodels.aws.upbound.io_bots.yaml   |  184 +-
 .../lexmodels.aws.upbound.io_intents.yaml     |  424 +-
 .../lexmodels.aws.upbound.io_slottypes.yaml   |   65 +-
 ...semanager.aws.upbound.io_associations.yaml |   29 +-
 ....aws.upbound.io_licenseconfigurations.yaml |   56 +-
 .../lightsail.aws.upbound.io_buckets.yaml     |   38 +-
 ...lightsail.aws.upbound.io_certificates.yaml |   39 +-
 ...sail.aws.upbound.io_containerservices.yaml |   81 +-
 ...htsail.aws.upbound.io_diskattachments.yaml |   36 +-
 .../crds/lightsail.aws.upbound.io_disks.yaml  |   41 +-
 ...ightsail.aws.upbound.io_domainentries.yaml |   40 +-
 .../lightsail.aws.upbound.io_domains.yaml     |   30 +-
 ...il.aws.upbound.io_instancepublicports.yaml |   63 +-
 .../lightsail.aws.upbound.io_instances.yaml   |   85 +-
 .../lightsail.aws.upbound.io_keypairs.yaml    |   34 +-
 ...ightsail.aws.upbound.io_lbattachments.yaml |   29 +-
 ...ghtsail.aws.upbound.io_lbcertificates.yaml |   38 +-
 .../crds/lightsail.aws.upbound.io_lbs.yaml    |   41 +-
 ...l.aws.upbound.io_lbstickinesspolicies.yaml |   39 +-
 ...il.aws.upbound.io_staticipattachments.yaml |   30 +-
 .../lightsail.aws.upbound.io_staticips.yaml   |   30 +-
 ...on.aws.upbound.io_geofencecollections.yaml |   35 +-
 .../location.aws.upbound.io_placeindices.yaml |   51 +-
 ...ation.aws.upbound.io_routecalculators.yaml |   40 +-
 ...on.aws.upbound.io_trackerassociations.yaml |   32 +-
 .../location.aws.upbound.io_trackers.yaml     |   40 +-
 .../crds/macie2.aws.upbound.io_accounts.yaml  |   35 +-
 ...ie2.aws.upbound.io_classificationjobs.yaml |  452 +-
 ....aws.upbound.io_customdataidentifiers.yaml |   67 +-
 ...macie2.aws.upbound.io_findingsfilters.yaml |  112 +-
 ...e2.aws.upbound.io_invitationaccepters.yaml |   31 +-
 .../crds/macie2.aws.upbound.io_members.yaml   |   62 +-
 .../mediaconvert.aws.upbound.io_queues.yaml   |   59 +-
 .../medialive.aws.upbound.io_channels.yaml    | 2529 +++++-
 .../crds/medialive.aws.upbound.io_inputs.yaml |  117 +-
 ...ve.aws.upbound.io_inputsecuritygroups.yaml |   41 +-
 .../medialive.aws.upbound.io_multiplices.yaml |   66 +-
 .../mediapackage.aws.upbound.io_channels.yaml |   38 +-
 ...tore.aws.upbound.io_containerpolicies.yaml |   33 +-
 .../mediastore.aws.upbound.io_containers.yaml |   28 +-
 .../crds/memorydb.aws.upbound.io_acls.yaml    |   34 +-
 .../memorydb.aws.upbound.io_clusters.yaml     |  131 +-
 ...morydb.aws.upbound.io_parametergroups.yaml |   53 +-
 .../memorydb.aws.upbound.io_snapshots.yaml    |   35 +-
 .../memorydb.aws.upbound.io_subnetgroups.yaml |   37 +-
 package/crds/mq.aws.upbound.io_brokers.yaml   |  239 +-
 .../mq.aws.upbound.io_configurations.yaml     |   63 +-
 ...ptune.aws.upbound.io_clusterendpoints.yaml |   54 +-
 ...ptune.aws.upbound.io_clusterinstances.yaml |   90 +-
 ...aws.upbound.io_clusterparametergroups.yaml |   55 +-
 .../crds/neptune.aws.upbound.io_clusters.yaml |  163 +-
 ...ptune.aws.upbound.io_clustersnapshots.yaml |   27 +-
 ...une.aws.upbound.io_eventsubscriptions.yaml |   56 +-
 ...neptune.aws.upbound.io_globalclusters.yaml |   46 +-
 ...eptune.aws.upbound.io_parametergroups.yaml |   55 +-
 .../neptune.aws.upbound.io_subnetgroups.yaml  |   36 +-
 ...ewall.aws.upbound.io_firewallpolicies.yaml |  204 +-
 ...workfirewall.aws.upbound.io_firewalls.yaml |   97 +-
 ....aws.upbound.io_loggingconfigurations.yaml |   65 +-
 ...orkfirewall.aws.upbound.io_rulegroups.yaml |  583 +-
 ...er.aws.upbound.io_attachmentaccepters.yaml |   30 +-
 ...ger.aws.upbound.io_connectattachments.yaml |   50 +-
 ...orkmanager.aws.upbound.io_connections.yaml |   46 +-
 ...rkmanager.aws.upbound.io_corenetworks.yaml |   69 +-
 ...pbound.io_customergatewayassociations.yaml |   35 +-
 ...networkmanager.aws.upbound.io_devices.yaml |   79 +-
 ...manager.aws.upbound.io_globalnetworks.yaml |   31 +-
 ...nager.aws.upbound.io_linkassociations.yaml |   32 +-
 .../networkmanager.aws.upbound.io_links.yaml  |   60 +-
 .../networkmanager.aws.upbound.io_sites.yaml  |   49 +-
 ...transitgatewayconnectpeerassociations.yaml |   35 +-
 ...pbound.io_transitgatewayregistrations.yaml |   29 +-
 ...manager.aws.upbound.io_vpcattachments.yaml |   54 +-
 ...nsearch.aws.upbound.io_domainpolicies.yaml |   34 +-
 .../opensearch.aws.upbound.io_domains.yaml    |  358 +-
 ...arch.aws.upbound.io_domainsamloptions.yaml |   67 +-
 .../opsworks.aws.upbound.io_applications.yaml |  137 +-
 .../opsworks.aws.upbound.io_customlayers.yaml |  313 +-
 ...works.aws.upbound.io_ecsclusterlayers.yaml |  219 +-
 ...opsworks.aws.upbound.io_ganglialayers.yaml |  231 +-
 ...opsworks.aws.upbound.io_haproxylayers.yaml |  241 +-
 .../opsworks.aws.upbound.io_instances.yaml    |  188 +-
 ...opsworks.aws.upbound.io_javaapplayers.yaml |  233 +-
 ...sworks.aws.upbound.io_memcachedlayers.yaml |  220 +-
 .../opsworks.aws.upbound.io_mysqllayers.yaml  |  223 +-
 ...sworks.aws.upbound.io_nodejsapplayers.yaml |  219 +-
 .../opsworks.aws.upbound.io_permissions.yaml  |   41 +-
 .../opsworks.aws.upbound.io_phpapplayers.yaml |  216 +-
 ...psworks.aws.upbound.io_railsapplayers.yaml |  235 +-
 ...psworks.aws.upbound.io_rdsdbinstances.yaml |   42 +-
 .../crds/opsworks.aws.upbound.io_stacks.yaml  |  133 +-
 ...sworks.aws.upbound.io_staticweblayers.yaml |  215 +-
 .../opsworks.aws.upbound.io_userprofiles.yaml |   42 +-
 ...organizations.aws.upbound.io_accounts.yaml |   68 +-
 ...ws.upbound.io_delegatedadministrators.yaml |   35 +-
 ...ns.aws.upbound.io_organizationalunits.yaml |   42 +-
 ...izations.aws.upbound.io_organizations.yaml |   45 +-
 ...organizations.aws.upbound.io_policies.yaml |   62 +-
 ...ions.aws.upbound.io_policyattachments.yaml |   41 +-
 .../crds/pinpoint.aws.upbound.io_apps.yaml    |   94 +-
 .../pinpoint.aws.upbound.io_smschannels.yaml  |   36 +-
 package/crds/qldb.aws.upbound.io_ledgers.yaml |   48 +-
 package/crds/qldb.aws.upbound.io_streams.yaml |   86 +-
 .../quicksight.aws.upbound.io_groups.yaml     |   42 +-
 .../crds/quicksight.aws.upbound.io_users.yaml |   70 +-
 ...m.aws.upbound.io_resourceassociations.yaml |   34 +-
 .../ram.aws.upbound.io_resourceshares.yaml    |   49 +-
 ...aws.upbound.io_clusteractivitystreams.yaml |   48 +-
 .../rds.aws.upbound.io_clusterendpoints.yaml  |   52 +-
 .../rds.aws.upbound.io_clusterinstances.yaml  |  129 +-
 ...aws.upbound.io_clusterparametergroups.yaml |   58 +-
 ...ws.upbound.io_clusterroleassociations.yaml |   40 +-
 package/crds/rds.aws.upbound.io_clusters.yaml |  335 +-
 .../rds.aws.upbound.io_clustersnapshots.yaml  |   39 +-
 ...binstanceautomatedbackupsreplications.yaml |   42 +-
 .../rds.aws.upbound.io_dbsnapshotcopies.yaml  |   58 +-
 ...rds.aws.upbound.io_eventsubscriptions.yaml |   56 +-
 .../rds.aws.upbound.io_globalclusters.yaml    |   59 +-
 ...s.upbound.io_instanceroleassociations.yaml |   41 +-
 .../crds/rds.aws.upbound.io_instances.yaml    |  394 +-
 .../crds/rds.aws.upbound.io_optiongroups.yaml |   87 +-
 .../rds.aws.upbound.io_parametergroups.yaml   |   58 +-
 package/crds/rds.aws.upbound.io_proxies.yaml  |  120 +-
 ...s.upbound.io_proxydefaulttargetgroups.yaml |   78 +-
 .../rds.aws.upbound.io_proxyendpoints.yaml    |   53 +-
 .../crds/rds.aws.upbound.io_proxytargets.yaml |   39 +-
 .../rds.aws.upbound.io_securitygroups.yaml    |   54 +-
 .../crds/rds.aws.upbound.io_snapshots.yaml    |   32 +-
 .../crds/rds.aws.upbound.io_subnetgroups.yaml |   36 +-
 ...aws.upbound.io_authenticationprofiles.yaml |   32 +-
 .../redshift.aws.upbound.io_clusters.yaml     |  260 +-
 ...ift.aws.upbound.io_eventsubscriptions.yaml |   61 +-
 ....aws.upbound.io_hsmclientcertificates.yaml |   28 +-
 ...hift.aws.upbound.io_hsmconfigurations.yaml |   60 +-
 ...dshift.aws.upbound.io_parametergroups.yaml |   56 +-
 ...shift.aws.upbound.io_scheduledactions.yaml |  106 +-
 ...ift.aws.upbound.io_snapshotcopygrants.yaml |   42 +-
 ...bound.io_snapshotscheduleassociations.yaml |   29 +-
 ...hift.aws.upbound.io_snapshotschedules.yaml |   47 +-
 .../redshift.aws.upbound.io_subnetgroups.yaml |   36 +-
 .../redshift.aws.upbound.io_usagelimits.yaml  |   69 +-
 .../resourcegroups.aws.upbound.io_groups.yaml |   72 +-
 ...rolesanywhere.aws.upbound.io_profiles.yaml |   61 +-
 ...route53.aws.upbound.io_delegationsets.yaml |   27 +-
 .../route53.aws.upbound.io_healthchecks.yaml  |  128 +-
 ...te53.aws.upbound.io_hostedzonednssecs.yaml |   30 +-
 .../crds/route53.aws.upbound.io_records.yaml  |  161 +-
 ...oute53.aws.upbound.io_resolverconfigs.yaml |   35 +-
 ...oute53.aws.upbound.io_trafficpolicies.yaml |   41 +-
 ...aws.upbound.io_trafficpolicyinstances.yaml |   55 +-
 ...bound.io_vpcassociationauthorizations.yaml |   35 +-
 .../crds/route53.aws.upbound.io_zones.yaml    |   61 +-
 ...controlconfig.aws.upbound.io_clusters.yaml |   30 +-
 ...olconfig.aws.upbound.io_controlpanels.yaml |   34 +-
 ...config.aws.upbound.io_routingcontrols.yaml |   38 +-
 ...trolconfig.aws.upbound.io_safetyrules.yaml |   83 +-
 ...ecoveryreadiness.aws.upbound.io_cells.yaml |   34 +-
 ...diness.aws.upbound.io_readinesschecks.yaml |   36 +-
 ...adiness.aws.upbound.io_recoverygroups.yaml |   34 +-
 ...readiness.aws.upbound.io_resourcesets.yaml |  101 +-
 ...te53resolver.aws.upbound.io_endpoints.yaml |   58 +-
 ...olver.aws.upbound.io_ruleassociations.yaml |   35 +-
 .../route53resolver.aws.upbound.io_rules.yaml |   69 +-
 .../crds/rum.aws.upbound.io_appmonitors.yaml  |  121 +-
 ...um.aws.upbound.io_metricsdestinations.yaml |   47 +-
 ...und.io_bucketaccelerateconfigurations.yaml |   37 +-
 .../crds/s3.aws.upbound.io_bucketacls.yaml    |   64 +-
 ...ound.io_bucketanalyticsconfigurations.yaml |   97 +-
 ...s.upbound.io_bucketcorsconfigurations.yaml |   74 +-
 ...ucketintelligenttieringconfigurations.yaml |   74 +-
 .../s3.aws.upbound.io_bucketinventories.yaml  |  138 +-
 ...ound.io_bucketlifecycleconfigurations.yaml |  226 +-
 .../s3.aws.upbound.io_bucketloggings.yaml     |   59 +-
 .../crds/s3.aws.upbound.io_bucketmetrics.yaml |   49 +-
 ...s3.aws.upbound.io_bucketnotifications.yaml |  102 +-
 ...und.io_bucketobjectlockconfigurations.yaml |   61 +-
 .../crds/s3.aws.upbound.io_bucketobjects.yaml |  138 +-
 ...ws.upbound.io_bucketownershipcontrols.yaml |   42 +-
 .../s3.aws.upbound.io_bucketpolicies.yaml     |   36 +-
 ...s.upbound.io_bucketpublicaccessblocks.yaml |   54 +-
 ...nd.io_bucketreplicationconfigurations.yaml |  281 +-
 ...io_bucketrequestpaymentconfigurations.yaml |   37 +-
 package/crds/s3.aws.upbound.io_buckets.yaml   |   41 +-
 ...ketserversideencryptionconfigurations.yaml |   62 +-
 .../s3.aws.upbound.io_bucketversionings.yaml  |   56 +-
 ...pbound.io_bucketwebsiteconfigurations.yaml |  131 +-
 .../crds/s3.aws.upbound.io_objectcopies.yaml  |  217 +-
 package/crds/s3.aws.upbound.io_objects.yaml   |  140 +-
 ...ol.aws.upbound.io_accesspointpolicies.yaml |   35 +-
 ...s3control.aws.upbound.io_accesspoints.yaml |  100 +-
 ....upbound.io_accountpublicaccessblocks.yaml |   53 +-
 ...und.io_multiregionaccesspointpolicies.yaml |   49 +-
 ...ws.upbound.io_multiregionaccesspoints.yaml |   94 +-
 ...nd.io_objectlambdaaccesspointpolicies.yaml |   37 +-
 ...s.upbound.io_objectlambdaaccesspoints.yaml |   97 +-
 ....upbound.io_storagelensconfigurations.yaml |  319 +-
 ...emaker.aws.upbound.io_appimageconfigs.yaml |   71 +-
 .../crds/sagemaker.aws.upbound.io_apps.yaml   |   77 +-
 ...maker.aws.upbound.io_coderepositories.yaml |   52 +-
 .../sagemaker.aws.upbound.io_devicefleet.yaml |   61 +-
 .../sagemaker.aws.upbound.io_devices.yaml     |   47 +-
 .../sagemaker.aws.upbound.io_domains.yaml     |  487 +-
 ...aws.upbound.io_endpointconfigurations.yaml |  312 +-
 ...agemaker.aws.upbound.io_featuregroups.yaml |  136 +-
 .../crds/sagemaker.aws.upbound.io_images.yaml |   39 +-
 ...agemaker.aws.upbound.io_imageversions.yaml |   34 +-
 ....upbound.io_modelpackagegrouppolicies.yaml |   32 +-
 ...ker.aws.upbound.io_modelpackagegroups.yaml |   31 +-
 .../crds/sagemaker.aws.upbound.io_models.yaml |  195 +-
 ...tebookinstancelifecycleconfigurations.yaml |   32 +-
 ...aker.aws.upbound.io_notebookinstances.yaml |  120 +-
 ...nd.io_servicecatalogportfoliostatuses.yaml |   31 +-
 .../crds/sagemaker.aws.upbound.io_spaces.yaml |  148 +-
 ...aws.upbound.io_studiolifecycleconfigs.yaml |   43 +-
 ...sagemaker.aws.upbound.io_userprofiles.yaml |  305 +-
 .../sagemaker.aws.upbound.io_workforces.yaml  |  105 +-
 .../sagemaker.aws.upbound.io_workteams.yaml   |  102 +-
 ...heduler.aws.upbound.io_schedulegroups.yaml |   31 +-
 .../scheduler.aws.upbound.io_schedules.yaml   |  336 +-
 .../schemas.aws.upbound.io_discoverers.yaml   |   36 +-
 .../schemas.aws.upbound.io_registries.yaml    |   32 +-
 .../crds/schemas.aws.upbound.io_schemas.yaml  |   56 +-
 ...manager.aws.upbound.io_secretpolicies.yaml |   40 +-
 ...anager.aws.upbound.io_secretrotations.yaml |   48 +-
 ...secretsmanager.aws.upbound.io_secrets.yaml |   66 +-
 ...manager.aws.upbound.io_secretversions.yaml |   41 +-
 .../securityhub.aws.upbound.io_accounts.yaml  |   23 +-
 ...urityhub.aws.upbound.io_actiontargets.yaml |   36 +-
 ...hub.aws.upbound.io_findingaggregators.yaml |   40 +-
 .../securityhub.aws.upbound.io_insights.yaml  | 1640 +++-
 ...ityhub.aws.upbound.io_inviteaccepters.yaml |   27 +-
 .../securityhub.aws.upbound.io_members.yaml   |   40 +-
 ...b.aws.upbound.io_productsubscriptions.yaml |   31 +-
 ...aws.upbound.io_standardssubscriptions.yaml |   30 +-
 ...o.aws.upbound.io_cloudformationstacks.yaml |   62 +-
 ...upbound.io_budgetresourceassociations.yaml |   29 +-
 ...icecatalog.aws.upbound.io_constraints.yaml |   51 +-
 ...vicecatalog.aws.upbound.io_portfolios.yaml |   44 +-
 ...atalog.aws.upbound.io_portfolioshares.yaml |   61 +-
 ...und.io_principalportfolioassociations.yaml |   42 +-
 ...bound.io_productportfolioassociations.yaml |   40 +-
 ...ervicecatalog.aws.upbound.io_products.yaml |  106 +-
 ....aws.upbound.io_provisioningartifacts.yaml |   71 +-
 ...catalog.aws.upbound.io_serviceactions.yaml |   68 +-
 ...ound.io_tagoptionresourceassociations.yaml |   29 +-
 ...vicecatalog.aws.upbound.io_tagoptions.yaml |   39 +-
 ...scovery.aws.upbound.io_httpnamespaces.yaml |   39 +-
 ...y.aws.upbound.io_privatednsnamespaces.yaml |   43 +-
 ...ry.aws.upbound.io_publicdnsnamespaces.yaml |   39 +-
 ...vicediscovery.aws.upbound.io_services.yaml |  121 +-
 ...cequotas.aws.upbound.io_servicequotas.yaml |   50 +-
 ....aws.upbound.io_activereceiptrulesets.yaml |   30 +-
 .../ses.aws.upbound.io_configurationsets.yaml |   60 +-
 .../crds/ses.aws.upbound.io_domaindkims.yaml  |   23 +-
 .../ses.aws.upbound.io_domainidentities.yaml  |   30 +-
 .../ses.aws.upbound.io_domainmailfroms.yaml   |   41 +-
 .../ses.aws.upbound.io_emailidentities.yaml   |   30 +-
 .../ses.aws.upbound.io_eventdestinations.yaml |   77 +-
 ...upbound.io_identitynotificationtopics.yaml |   45 +-
 .../ses.aws.upbound.io_identitypolicies.yaml  |   39 +-
 .../ses.aws.upbound.io_receiptfilters.yaml    |   37 +-
 .../crds/ses.aws.upbound.io_receiptrules.yaml |  179 +-
 .../ses.aws.upbound.io_receiptrulesets.yaml   |   30 +-
 .../crds/ses.aws.upbound.io_templates.yaml    |   35 +-
 ....io_configurationseteventdestinations.yaml |  129 +-
 ...esv2.aws.upbound.io_configurationsets.yaml |   88 +-
 ...sesv2.aws.upbound.io_dedicatedippools.yaml |   32 +-
 .../sesv2.aws.upbound.io_emailidentities.yaml |   49 +-
 ...nd.io_emailidentityfeedbackattributes.yaml |   27 +-
 ...nd.io_emailidentitymailfromattributes.yaml |   32 +-
 .../crds/sfn.aws.upbound.io_activities.yaml   |   28 +-
 .../sfn.aws.upbound.io_statemachines.yaml     |   81 +-
 .../signer.aws.upbound.io_signingjobs.yaml    |   84 +-
 ....upbound.io_signingprofilepermissions.yaml |   52 +-
 ...signer.aws.upbound.io_signingprofiles.yaml |   46 +-
 .../crds/simpledb.aws.upbound.io_domains.yaml |   23 +-
 ...s.aws.upbound.io_platformapplications.yaml |   74 +-
 .../sns.aws.upbound.io_smspreferences.yaml    |   48 +-
 .../sns.aws.upbound.io_topicpolicies.yaml     |   33 +-
 package/crds/sns.aws.upbound.io_topics.yaml   |  111 +-
 ...sns.aws.upbound.io_topicsubscriptions.yaml |   76 +-
 .../sqs.aws.upbound.io_queuepolicies.yaml     |   33 +-
 ....upbound.io_queueredriveallowpolicies.yaml |   34 +-
 ...s.aws.upbound.io_queueredrivepolicies.yaml |   35 +-
 package/crds/sqs.aws.upbound.io_queues.yaml   |  109 +-
 .../crds/ssm.aws.upbound.io_activations.yaml  |   47 +-
 .../crds/ssm.aws.upbound.io_associations.yaml |  117 +-
 ....aws.upbound.io_defaultpatchbaselines.yaml |   34 +-
 .../crds/ssm.aws.upbound.io_documents.yaml    |   85 +-
 ...ssm.aws.upbound.io_maintenancewindows.yaml |   84 +-
 ...s.upbound.io_maintenancewindowtargets.yaml |   65 +-
 ...aws.upbound.io_maintenancewindowtasks.yaml |  249 +-
 .../crds/ssm.aws.upbound.io_parameters.yaml   |   69 +-
 .../ssm.aws.upbound.io_patchbaselines.yaml    |  159 +-
 .../crds/ssm.aws.upbound.io_patchgroups.yaml  |   35 +-
 .../ssm.aws.upbound.io_resourcedatasyncs.yaml |   52 +-
 .../ssm.aws.upbound.io_servicesettings.yaml   |   36 +-
 ...min.aws.upbound.io_accountassignments.yaml |   46 +-
 ...s.upbound.io_managedpolicyattachments.yaml |   35 +-
 ...pbound.io_permissionsetinlinepolicies.yaml |   38 +-
 ...soadmin.aws.upbound.io_permissionsets.yaml |   53 +-
 package/crds/swf.aws.upbound.io_domains.yaml  |   40 +-
 ...estreamwrite.aws.upbound.io_databases.yaml |   35 +-
 ...timestreamwrite.aws.upbound.io_tables.yaml |  102 +-
 ...nscribe.aws.upbound.io_languagemodels.yaml |   61 +-
 ...ranscribe.aws.upbound.io_vocabularies.yaml |   45 +-
 ...ribe.aws.upbound.io_vocabularyfilters.yaml |   46 +-
 .../crds/transfer.aws.upbound.io_servers.yaml |  167 +-
 .../crds/transfer.aws.upbound.io_sshkeys.yaml |   39 +-
 .../crds/transfer.aws.upbound.io_tags.yaml    |   40 +-
 .../crds/transfer.aws.upbound.io_users.yaml   |   94 +-
 .../transfer.aws.upbound.io_workflows.yaml    |  356 +-
 ...networkperformancemetricsubscriptions.yaml |   46 +-
 .../waf.aws.upbound.io_bytematchsets.yaml     |   77 +-
 .../crds/waf.aws.upbound.io_geomatchsets.yaml |   47 +-
 package/crds/waf.aws.upbound.io_ipsets.yaml   |   45 +-
 .../waf.aws.upbound.io_ratebasedrules.yaml    |   81 +-
 .../waf.aws.upbound.io_regexmatchsets.yaml    |   66 +-
 .../waf.aws.upbound.io_regexpatternsets.yaml  |   36 +-
 package/crds/waf.aws.upbound.io_rules.yaml    |   68 +-
 ...waf.aws.upbound.io_sizeconstraintsets.yaml |   75 +-
 ....aws.upbound.io_sqlinjectionmatchsets.yaml |   66 +-
 package/crds/waf.aws.upbound.io_webacls.yaml  |  141 +-
 .../crds/waf.aws.upbound.io_xssmatchsets.yaml |   64 +-
 ...regional.aws.upbound.io_bytematchsets.yaml |   67 +-
 ...fregional.aws.upbound.io_geomatchsets.yaml |   47 +-
 .../wafregional.aws.upbound.io_ipsets.yaml    |   44 +-
 ...egional.aws.upbound.io_ratebasedrules.yaml |   81 +-
 ...egional.aws.upbound.io_regexmatchsets.yaml |   66 +-
 ...ional.aws.upbound.io_regexpatternsets.yaml |   36 +-
 .../wafregional.aws.upbound.io_rules.yaml     |   61 +-
 ...nal.aws.upbound.io_sizeconstraintsets.yaml |   75 +-
 ....aws.upbound.io_sqlinjectionmatchsets.yaml |   65 +-
 .../wafregional.aws.upbound.io_webacls.yaml   |  152 +-
 ...fregional.aws.upbound.io_xssmatchsets.yaml |   60 +-
 package/crds/wafv2.aws.upbound.io_ipsets.yaml |   61 +-
 ...wafv2.aws.upbound.io_regexpatternsets.yaml |   61 +-
 ...workspaces.aws.upbound.io_directories.yaml |  142 +-
 .../workspaces.aws.upbound.io_ipgroups.yaml   |   52 +-
 ...xray.aws.upbound.io_encryptionconfigs.yaml |   34 +-
 package/crds/xray.aws.upbound.io_groups.yaml  |   55 +-
 .../xray.aws.upbound.io_samplingrules.yaml    |  101 +-
 2843 files changed, 209154 insertions(+), 13286 deletions(-)

diff --git a/apis/accessanalyzer/v1beta1/zz_analyzer_types.go b/apis/accessanalyzer/v1beta1/zz_analyzer_types.go
index 4dbf1d0a7d..3f62cba908 100755
--- a/apis/accessanalyzer/v1beta1/zz_analyzer_types.go
+++ b/apis/accessanalyzer/v1beta1/zz_analyzer_types.go
@@ -21,8 +21,14 @@ type AnalyzerObservation struct {
 	// Analyzer name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Type of Analyzer. Valid values are ACCOUNT or ORGANIZATION. Defaults to ACCOUNT.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type AnalyzerParameters struct {
diff --git a/apis/accessanalyzer/v1beta1/zz_archiverule_types.go b/apis/accessanalyzer/v1beta1/zz_archiverule_types.go
index 5fee8d329b..21d9040012 100755
--- a/apis/accessanalyzer/v1beta1/zz_archiverule_types.go
+++ b/apis/accessanalyzer/v1beta1/zz_archiverule_types.go
@@ -15,6 +15,12 @@ import (
 
 type ArchiveRuleObservation struct {
 
+	// Analyzer name.
+	AnalyzerName *string `json:"analyzerName,omitempty" tf:"analyzer_name,omitempty"`
+
+	// Filter criteria for the archive rule. See Filter for more details.
+	Filter []FilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
 	// Resource ID in the format: analyzer_name/rule_name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -26,8 +32,8 @@ type ArchiveRuleParameters struct {
 	AnalyzerName *string `json:"analyzerName" tf:"analyzer_name,omitempty"`
 
 	// Filter criteria for the archive rule. See Filter for more details.
-	// +kubebuilder:validation:Required
-	Filter []FilterParameters `json:"filter" tf:"filter,omitempty"`
+	// +kubebuilder:validation:Optional
+	Filter []FilterParameters `json:"filter,omitempty" tf:"filter,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -36,6 +42,21 @@ type ArchiveRuleParameters struct {
 }
 
 type FilterObservation struct {
+
+	// Contains comparator.
+	Contains []*string `json:"contains,omitempty" tf:"contains,omitempty"`
+
+	// Filter criteria.
+	Criteria *string `json:"criteria,omitempty" tf:"criteria,omitempty"`
+
+	// Equals comparator.
+	Eq []*string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// Boolean comparator.
+	Exists *string `json:"exists,omitempty" tf:"exists,omitempty"`
+
+	// Not Equals comparator.
+	Neq []*string `json:"neq,omitempty" tf:"neq,omitempty"`
 }
 
 type FilterParameters struct {
@@ -85,8 +106,9 @@ type ArchiveRuleStatus struct {
 type ArchiveRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ArchiveRuleSpec   `json:"spec"`
-	Status            ArchiveRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filter)",message="filter is a required parameter"
+	Spec   ArchiveRuleSpec   `json:"spec"`
+	Status ArchiveRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/accessanalyzer/v1beta1/zz_generated.deepcopy.go b/apis/accessanalyzer/v1beta1/zz_generated.deepcopy.go
index 989dfd9fa1..796bd06373 100644
--- a/apis/accessanalyzer/v1beta1/zz_generated.deepcopy.go
+++ b/apis/accessanalyzer/v1beta1/zz_generated.deepcopy.go
@@ -85,6 +85,21 @@ func (in *AnalyzerObservation) DeepCopyInto(out *AnalyzerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -100,6 +115,11 @@ func (in *AnalyzerObservation) DeepCopyInto(out *AnalyzerObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnalyzerObservation.
@@ -248,6 +268,18 @@ func (in *ArchiveRuleList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ArchiveRuleObservation) DeepCopyInto(out *ArchiveRuleObservation) {
 	*out = *in
+	if in.AnalyzerName != nil {
+		in, out := &in.AnalyzerName, &out.AnalyzerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]FilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -334,6 +366,49 @@ func (in *ArchiveRuleStatus) DeepCopy() *ArchiveRuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterObservation) DeepCopyInto(out *FilterObservation) {
 	*out = *in
+	if in.Contains != nil {
+		in, out := &in.Contains, &out.Contains
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Criteria != nil {
+		in, out := &in.Criteria, &out.Criteria
+		*out = new(string)
+		**out = **in
+	}
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Exists != nil {
+		in, out := &in.Exists, &out.Exists
+		*out = new(string)
+		**out = **in
+	}
+	if in.Neq != nil {
+		in, out := &in.Neq, &out.Neq
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterObservation.
diff --git a/apis/account/v1beta1/zz_alternatecontact_types.go b/apis/account/v1beta1/zz_alternatecontact_types.go
index d2b9b93777..0d683ecd67 100755
--- a/apis/account/v1beta1/zz_alternatecontact_types.go
+++ b/apis/account/v1beta1/zz_alternatecontact_types.go
@@ -14,7 +14,26 @@ import (
 )
 
 type AlternateContactObservation struct {
+
+	// ID of the target account when managing member accounts. Will manage current user's account by default if omitted.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// Type of the alternate contact. Allowed values are: BILLING, OPERATIONS, SECURITY.
+	AlternateContactType *string `json:"alternateContactType,omitempty" tf:"alternate_contact_type,omitempty"`
+
+	// An email address for the alternate contact.
+	EmailAddress *string `json:"emailAddress,omitempty" tf:"email_address,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the alternate contact.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Phone number for the alternate contact.
+	PhoneNumber *string `json:"phoneNumber,omitempty" tf:"phone_number,omitempty"`
+
+	// Title for the alternate contact.
+	Title *string `json:"title,omitempty" tf:"title,omitempty"`
 }
 
 type AlternateContactParameters struct {
@@ -28,16 +47,16 @@ type AlternateContactParameters struct {
 	AlternateContactType *string `json:"alternateContactType" tf:"alternate_contact_type,omitempty"`
 
 	// An email address for the alternate contact.
-	// +kubebuilder:validation:Required
-	EmailAddress *string `json:"emailAddress" tf:"email_address,omitempty"`
+	// +kubebuilder:validation:Optional
+	EmailAddress *string `json:"emailAddress,omitempty" tf:"email_address,omitempty"`
 
 	// Name of the alternate contact.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Phone number for the alternate contact.
-	// +kubebuilder:validation:Required
-	PhoneNumber *string `json:"phoneNumber" tf:"phone_number,omitempty"`
+	// +kubebuilder:validation:Optional
+	PhoneNumber *string `json:"phoneNumber,omitempty" tf:"phone_number,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -45,8 +64,8 @@ type AlternateContactParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Title for the alternate contact.
-	// +kubebuilder:validation:Required
-	Title *string `json:"title" tf:"title,omitempty"`
+	// +kubebuilder:validation:Optional
+	Title *string `json:"title,omitempty" tf:"title,omitempty"`
 }
 
 // AlternateContactSpec defines the desired state of AlternateContact
@@ -73,8 +92,12 @@ type AlternateContactStatus struct {
 type AlternateContact struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AlternateContactSpec   `json:"spec"`
-	Status            AlternateContactStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.emailAddress)",message="emailAddress is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.phoneNumber)",message="phoneNumber is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.title)",message="title is a required parameter"
+	Spec   AlternateContactSpec   `json:"spec"`
+	Status AlternateContactStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/account/v1beta1/zz_generated.deepcopy.go b/apis/account/v1beta1/zz_generated.deepcopy.go
index 453b117093..5c4e7bb350 100644
--- a/apis/account/v1beta1/zz_generated.deepcopy.go
+++ b/apis/account/v1beta1/zz_generated.deepcopy.go
@@ -75,11 +75,41 @@ func (in *AlternateContactList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AlternateContactObservation) DeepCopyInto(out *AlternateContactObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AlternateContactType != nil {
+		in, out := &in.AlternateContactType, &out.AlternateContactType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailAddress != nil {
+		in, out := &in.EmailAddress, &out.EmailAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PhoneNumber != nil {
+		in, out := &in.PhoneNumber, &out.PhoneNumber
+		*out = new(string)
+		**out = **in
+	}
+	if in.Title != nil {
+		in, out := &in.Title, &out.Title
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlternateContactObservation.
diff --git a/apis/acm/v1beta1/zz_certificate_types.go b/apis/acm/v1beta1/zz_certificate_types.go
index 74c81d5550..23a5a4db97 100755
--- a/apis/acm/v1beta1/zz_certificate_types.go
+++ b/apis/acm/v1beta1/zz_certificate_types.go
@@ -18,20 +18,45 @@ type CertificateObservation struct {
 	// ARN of the certificate
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of an ACM PCA
+	CertificateAuthorityArn *string `json:"certificateAuthorityArn,omitempty" tf:"certificate_authority_arn,omitempty"`
+
+	// Certificate's PEM-formatted public key
+	CertificateBody *string `json:"certificateBody,omitempty" tf:"certificate_body,omitempty"`
+
+	// Certificate's PEM-formatted chain
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
+	// Domain name for which the certificate should be issued
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	// Set of domain validation objects which can be used to complete certificate validation.
 	// Can have more than one element, e.g., if SANs are defined.
 	// Only set if DNS-validation was used.
 	DomainValidationOptions []DomainValidationOptionsObservation `json:"domainValidationOptions,omitempty" tf:"domain_validation_options,omitempty"`
 
+	// Amount of time to start automatic renewal process before expiration.
+	// Has no effect if less than 60 days.
+	// Represented by either
+	// a subset of RFC 3339 duration supporting years, months, and days (e.g., P90D),
+	// or a string such as 2160h.
+	EarlyRenewalDuration *string `json:"earlyRenewalDuration,omitempty" tf:"early_renewal_duration,omitempty"`
+
 	// ARN of the certificate
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the algorithm of the public and private key pair that your Amazon issued certificate uses to encrypt data. See ACM Certificate characteristics for more details.
+	KeyAlgorithm *string `json:"keyAlgorithm,omitempty" tf:"key_algorithm,omitempty"`
+
 	// Expiration date and time of the certificate.
 	NotAfter *string `json:"notAfter,omitempty" tf:"not_after,omitempty"`
 
 	// Start of the validity period of the certificate.
 	NotBefore *string `json:"notBefore,omitempty" tf:"not_before,omitempty"`
 
+	// Configuration block used to set certificate options. Detailed below.
+	Options []OptionsObservation `json:"options,omitempty" tf:"options,omitempty"`
+
 	// true if a Private certificate eligible for managed renewal is within the early_renewal_duration period.
 	PendingRenewal *bool `json:"pendingRenewal,omitempty" tf:"pending_renewal,omitempty"`
 
@@ -44,6 +69,12 @@ type CertificateObservation struct {
 	// Status of the certificate.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Set of domains that should be SANs in the issued certificate.
+	SubjectAlternativeNames []*string `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -52,6 +83,12 @@ type CertificateObservation struct {
 
 	// List of addresses that received a validation email. Only set if EMAIL validation was used.
 	ValidationEmails []*string `json:"validationEmails,omitempty" tf:"validation_emails,omitempty"`
+
+	// Which method to use for validation.
+	ValidationMethod *string `json:"validationMethod,omitempty" tf:"validation_method,omitempty"`
+
+	// Configuration block used to specify information about the initial validation of each domain name. Detailed below.
+	ValidationOption []ValidationOptionObservation `json:"validationOption,omitempty" tf:"validation_option,omitempty"`
 }
 
 type CertificateParameters struct {
@@ -133,6 +170,9 @@ type DomainValidationOptionsParameters struct {
 }
 
 type OptionsObservation struct {
+
+	// Whether certificate details should be added to a certificate transparency log. Valid values are ENABLED or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency for more details.
+	CertificateTransparencyLoggingPreference *string `json:"certificateTransparencyLoggingPreference,omitempty" tf:"certificate_transparency_logging_preference,omitempty"`
 }
 
 type OptionsParameters struct {
@@ -157,6 +197,12 @@ type RenewalSummaryParameters struct {
 }
 
 type ValidationOptionObservation struct {
+
+	// Fully qualified domain name (FQDN) in the certificate.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// Domain name that you want ACM to use to send you validation emails. This domain name is the suffix of the email addresses that you want ACM to use. This must be the same as the domain_name value or a superdomain of the domain_name value. For example, if you request a certificate for "testing.example.com", you can specify "example.com" for this value.
+	ValidationDomain *string `json:"validationDomain,omitempty" tf:"validation_domain,omitempty"`
 }
 
 type ValidationOptionParameters struct {
diff --git a/apis/acm/v1beta1/zz_certificatevalidation_types.go b/apis/acm/v1beta1/zz_certificatevalidation_types.go
index 409300b707..5b1cda6c1f 100755
--- a/apis/acm/v1beta1/zz_certificatevalidation_types.go
+++ b/apis/acm/v1beta1/zz_certificatevalidation_types.go
@@ -15,8 +15,14 @@ import (
 
 type CertificateValidationObservation struct {
 
+	// ARN of the certificate that is being validated.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
 	// Time at which the certificate was issued
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// List of FQDNs that implement the validation. Only valid for DNS validation method ACM certificates. If this is set, the resource can implement additional sanity checks and has an explicit dependency on the resource that is implementing the validation
+	ValidationRecordFqdns []*string `json:"validationRecordFqdns,omitempty" tf:"validation_record_fqdns,omitempty"`
 }
 
 type CertificateValidationParameters struct {
diff --git a/apis/acm/v1beta1/zz_generated.deepcopy.go b/apis/acm/v1beta1/zz_generated.deepcopy.go
index f65e103faf..54d0c9c6e9 100644
--- a/apis/acm/v1beta1/zz_generated.deepcopy.go
+++ b/apis/acm/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,26 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CertificateAuthorityArn != nil {
+		in, out := &in.CertificateAuthorityArn, &out.CertificateAuthorityArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateBody != nil {
+		in, out := &in.CertificateBody, &out.CertificateBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.DomainValidationOptions != nil {
 		in, out := &in.DomainValidationOptions, &out.DomainValidationOptions
 		*out = make([]DomainValidationOptionsObservation, len(*in))
@@ -88,11 +108,21 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.EarlyRenewalDuration != nil {
+		in, out := &in.EarlyRenewalDuration, &out.EarlyRenewalDuration
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyAlgorithm != nil {
+		in, out := &in.KeyAlgorithm, &out.KeyAlgorithm
+		*out = new(string)
+		**out = **in
+	}
 	if in.NotAfter != nil {
 		in, out := &in.NotAfter, &out.NotAfter
 		*out = new(string)
@@ -103,6 +133,13 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Options != nil {
+		in, out := &in.Options, &out.Options
+		*out = make([]OptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.PendingRenewal != nil {
 		in, out := &in.PendingRenewal, &out.PendingRenewal
 		*out = new(bool)
@@ -125,6 +162,32 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -156,6 +219,18 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 			}
 		}
 	}
+	if in.ValidationMethod != nil {
+		in, out := &in.ValidationMethod, &out.ValidationMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValidationOption != nil {
+		in, out := &in.ValidationOption, &out.ValidationOption
+		*out = make([]ValidationOptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateObservation.
@@ -364,11 +439,27 @@ func (in *CertificateValidationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateValidationObservation) DeepCopyInto(out *CertificateValidationObservation) {
 	*out = *in
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ValidationRecordFqdns != nil {
+		in, out := &in.ValidationRecordFqdns, &out.ValidationRecordFqdns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateValidationObservation.
@@ -514,6 +605,11 @@ func (in *DomainValidationOptionsParameters) DeepCopy() *DomainValidationOptions
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OptionsObservation) DeepCopyInto(out *OptionsObservation) {
 	*out = *in
+	if in.CertificateTransparencyLoggingPreference != nil {
+		in, out := &in.CertificateTransparencyLoggingPreference, &out.CertificateTransparencyLoggingPreference
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OptionsObservation.
@@ -594,6 +690,16 @@ func (in *RenewalSummaryParameters) DeepCopy() *RenewalSummaryParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationOptionObservation) DeepCopyInto(out *ValidationOptionObservation) {
 	*out = *in
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValidationDomain != nil {
+		in, out := &in.ValidationDomain, &out.ValidationDomain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationOptionObservation.
diff --git a/apis/acmpca/v1beta1/zz_certificate_types.go b/apis/acmpca/v1beta1/zz_certificate_types.go
index ab60cb294c..7aac2b94f2 100755
--- a/apis/acmpca/v1beta1/zz_certificate_types.go
+++ b/apis/acmpca/v1beta1/zz_certificate_types.go
@@ -21,10 +21,23 @@ type CertificateObservation struct {
 	// PEM-encoded certificate value.
 	Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"`
 
+	// ARN of the certificate authority.
+	CertificateAuthorityArn *string `json:"certificateAuthorityArn,omitempty" tf:"certificate_authority_arn,omitempty"`
+
 	// PEM-encoded certificate chain that includes any intermediate certificates and chains up to root CA.
 	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Algorithm to use to sign certificate requests. Valid values: SHA256WITHRSA, SHA256WITHECDSA, SHA384WITHRSA, SHA384WITHECDSA, SHA512WITHRSA, SHA512WITHECDSA.
+	SigningAlgorithm *string `json:"signingAlgorithm,omitempty" tf:"signing_algorithm,omitempty"`
+
+	// Template to use when issuing a certificate.
+	// See ACM PCA Documentation for more information.
+	TemplateArn *string `json:"templateArn,omitempty" tf:"template_arn,omitempty"`
+
+	// Configures end of the validity period for the certificate. See validity block below.
+	Validity []ValidityObservation `json:"validity,omitempty" tf:"validity,omitempty"`
 }
 
 type CertificateParameters struct {
@@ -43,7 +56,7 @@ type CertificateParameters struct {
 	CertificateAuthorityArnSelector *v1.Selector `json:"certificateAuthorityArnSelector,omitempty" tf:"-"`
 
 	// Certificate Signing Request in PEM format.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	CertificateSigningRequestSecretRef v1.SecretKeySelector `json:"certificateSigningRequestSecretRef" tf:"-"`
 
 	// Region is the region you'd like your resource to be created in.
@@ -52,8 +65,8 @@ type CertificateParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Algorithm to use to sign certificate requests. Valid values: SHA256WITHRSA, SHA256WITHECDSA, SHA384WITHRSA, SHA384WITHECDSA, SHA512WITHRSA, SHA512WITHECDSA.
-	// +kubebuilder:validation:Required
-	SigningAlgorithm *string `json:"signingAlgorithm" tf:"signing_algorithm,omitempty"`
+	// +kubebuilder:validation:Optional
+	SigningAlgorithm *string `json:"signingAlgorithm,omitempty" tf:"signing_algorithm,omitempty"`
 
 	// Template to use when issuing a certificate.
 	// See ACM PCA Documentation for more information.
@@ -61,11 +74,17 @@ type CertificateParameters struct {
 	TemplateArn *string `json:"templateArn,omitempty" tf:"template_arn,omitempty"`
 
 	// Configures end of the validity period for the certificate. See validity block below.
-	// +kubebuilder:validation:Required
-	Validity []ValidityParameters `json:"validity" tf:"validity,omitempty"`
+	// +kubebuilder:validation:Optional
+	Validity []ValidityParameters `json:"validity,omitempty" tf:"validity,omitempty"`
 }
 
 type ValidityObservation struct {
+
+	// Determines how value is interpreted. Valid values: DAYS, MONTHS, YEARS, ABSOLUTE, END_DATE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// If type is DAYS, MONTHS, or YEARS, the relative time until the certificate expires. If type is ABSOLUTE, the date in seconds since the Unix epoch. If type is END_DATE, the  date in RFC 3339 format.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ValidityParameters struct {
@@ -103,8 +122,11 @@ type CertificateStatus struct {
 type Certificate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CertificateSpec   `json:"spec"`
-	Status            CertificateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateSigningRequestSecretRef)",message="certificateSigningRequestSecretRef is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.signingAlgorithm)",message="signingAlgorithm is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.validity)",message="validity is a required parameter"
+	Spec   CertificateSpec   `json:"spec"`
+	Status CertificateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/acmpca/v1beta1/zz_certificateauthority_types.go b/apis/acmpca/v1beta1/zz_certificateauthority_types.go
index 32ac53fe54..a83d535e82 100755
--- a/apis/acmpca/v1beta1/zz_certificateauthority_types.go
+++ b/apis/acmpca/v1beta1/zz_certificateauthority_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CertificateAuthorityConfigurationObservation struct {
+
+	// Type of the public key algorithm and size, in bits, of the key pair that your key pair creates when it issues a certificate. Valid values can be found in the ACM PCA Documentation.
+	KeyAlgorithm *string `json:"keyAlgorithm,omitempty" tf:"key_algorithm,omitempty"`
+
+	// Name of the algorithm your private CA uses to sign certificate requests. Valid values can be found in the ACM PCA Documentation.
+	SigningAlgorithm *string `json:"signingAlgorithm,omitempty" tf:"signing_algorithm,omitempty"`
+
+	// Nested argument that contains X.500 distinguished name information. At least one nested attribute must be specified.
+	Subject []SubjectObservation `json:"subject,omitempty" tf:"subject,omitempty"`
 }
 
 type CertificateAuthorityConfigurationParameters struct {
@@ -39,12 +48,18 @@ type CertificateAuthorityObservation struct {
 	// Base64-encoded certificate authority (CA) certificate. Only available after the certificate authority certificate has been imported.
 	Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"`
 
+	// Nested argument containing algorithms and certificate subject information. Defined below.
+	CertificateAuthorityConfiguration []CertificateAuthorityConfigurationObservation `json:"certificateAuthorityConfiguration,omitempty" tf:"certificate_authority_configuration,omitempty"`
+
 	// Base64-encoded certificate chain that includes any intermediate certificates and chains up to root on-premises certificate that you used to sign your private CA certificate. The chain does not include your private CA certificate. Only available after the certificate authority certificate has been imported.
 	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
 
 	// The base64 PEM-encoded certificate signing request (CSR) for your private CA certificate.
 	CertificateSigningRequest *string `json:"certificateSigningRequest,omitempty" tf:"certificate_signing_request,omitempty"`
 
+	// Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// ARN of the certificate authority.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -54,21 +69,36 @@ type CertificateAuthorityObservation struct {
 	// Date and time before which the certificate authority is not valid. Only available after the certificate authority certificate has been imported.
 	NotBefore *string `json:"notBefore,omitempty" tf:"not_before,omitempty"`
 
+	// Number of days to make a CA restorable after it has been deleted, must be between 7 to 30 days, with default to 30 days.
+	PermanentDeletionTimeInDays *float64 `json:"permanentDeletionTimeInDays,omitempty" tf:"permanent_deletion_time_in_days,omitempty"`
+
+	// Nested argument containing revocation configuration. Defined below.
+	RevocationConfiguration []RevocationConfigurationObservation `json:"revocationConfiguration,omitempty" tf:"revocation_configuration,omitempty"`
+
 	// Serial number of the certificate authority. Only available after the certificate authority certificate has been imported.
 	Serial *string `json:"serial,omitempty" tf:"serial,omitempty"`
 
 	// (Deprecated use the enabled attribute instead) Status of the certificate authority.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Type of the certificate authority. Defaults to SUBORDINATE. Valid values: ROOT and SUBORDINATE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Specifies whether the CA issues general-purpose certificates that typically require a revocation mechanism, or short-lived certificates that may optionally omit revocation because they expire quickly. Short-lived certificate validity is limited to seven days. Defaults to GENERAL_PURPOSE. Valid values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.
+	UsageMode *string `json:"usageMode,omitempty" tf:"usage_mode,omitempty"`
 }
 
 type CertificateAuthorityParameters struct {
 
 	// Nested argument containing algorithms and certificate subject information. Defined below.
-	// +kubebuilder:validation:Required
-	CertificateAuthorityConfiguration []CertificateAuthorityConfigurationParameters `json:"certificateAuthorityConfiguration" tf:"certificate_authority_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	CertificateAuthorityConfiguration []CertificateAuthorityConfigurationParameters `json:"certificateAuthorityConfiguration,omitempty" tf:"certificate_authority_configuration,omitempty"`
 
 	// Whether the certificate authority is enabled or disabled. Defaults to true. Can only be disabled if the CA is in an ACTIVE state.
 	// +kubebuilder:validation:Optional
@@ -101,6 +131,21 @@ type CertificateAuthorityParameters struct {
 }
 
 type CrlConfigurationObservation struct {
+
+	// Name inserted into the certificate CRL Distribution Points extension that enables the use of an alias for the CRL distribution point. Use this value if you don't want the name of your S3 bucket to be public. Must be less than or equal to 253 characters in length.
+	CustomCname *string `json:"customCname,omitempty" tf:"custom_cname,omitempty"`
+
+	// Boolean value that specifies whether certificate revocation lists (CRLs) are enabled. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Number of days until a certificate expires. Must be between 1 and 5000.
+	ExpirationInDays *float64 `json:"expirationInDays,omitempty" tf:"expiration_in_days,omitempty"`
+
+	// Name of the S3 bucket that contains the CRL. If you do not provide a value for the custom_cname argument, the name of your S3 bucket is placed into the CRL Distribution Points extension of the issued certificate. You must specify a bucket policy that allows ACM PCA to write the CRL to your bucket. Must be between 3 and 255 characters in length.
+	S3BucketName *string `json:"s3BucketName,omitempty" tf:"s3_bucket_name,omitempty"`
+
+	// Determines whether the CRL will be publicly readable or privately held in the CRL Amazon S3 bucket. Defaults to PUBLIC_READ.
+	S3ObjectACL *string `json:"s3ObjectAcl,omitempty" tf:"s3_object_acl,omitempty"`
 }
 
 type CrlConfigurationParameters struct {
@@ -127,6 +172,12 @@ type CrlConfigurationParameters struct {
 }
 
 type OcspConfigurationObservation struct {
+
+	// Boolean value that specifies whether a custom OCSP responder is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// CNAME specifying a customized OCSP domain. Note: The value of the CNAME must not include a protocol prefix such as "http://" or "https://".
+	OcspCustomCname *string `json:"ocspCustomCname,omitempty" tf:"ocsp_custom_cname,omitempty"`
 }
 
 type OcspConfigurationParameters struct {
@@ -141,6 +192,13 @@ type OcspConfigurationParameters struct {
 }
 
 type RevocationConfigurationObservation struct {
+
+	// Nested argument containing configuration of the certificate revocation list (CRL), if any, maintained by the certificate authority. Defined below.
+	CrlConfiguration []CrlConfigurationObservation `json:"crlConfiguration,omitempty" tf:"crl_configuration,omitempty"`
+
+	// Nested argument containing configuration of
+	// the custom OCSP responder endpoint. Defined below.
+	OcspConfiguration []OcspConfigurationObservation `json:"ocspConfiguration,omitempty" tf:"ocsp_configuration,omitempty"`
 }
 
 type RevocationConfigurationParameters struct {
@@ -156,6 +214,45 @@ type RevocationConfigurationParameters struct {
 }
 
 type SubjectObservation struct {
+
+	// Fully qualified domain name (FQDN) associated with the certificate subject. Must be less than or equal to 64 characters in length.
+	CommonName *string `json:"commonName,omitempty" tf:"common_name,omitempty"`
+
+	// Two digit code that specifies the country in which the certificate subject located. Must be less than or equal to 2 characters in length.
+	Country *string `json:"country,omitempty" tf:"country,omitempty"`
+
+	// Disambiguating information for the certificate subject. Must be less than or equal to 64 characters in length.
+	DistinguishedNameQualifier *string `json:"distinguishedNameQualifier,omitempty" tf:"distinguished_name_qualifier,omitempty"`
+
+	// Typically a qualifier appended to the name of an individual. Examples include Jr. for junior, Sr. for senior, and III for third. Must be less than or equal to 3 characters in length.
+	GenerationQualifier *string `json:"generationQualifier,omitempty" tf:"generation_qualifier,omitempty"`
+
+	// First name. Must be less than or equal to 16 characters in length.
+	GivenName *string `json:"givenName,omitempty" tf:"given_name,omitempty"`
+
+	// Concatenation that typically contains the first letter of the given_name, the first letter of the middle name if one exists, and the first letter of the surname. Must be less than or equal to 5 characters in length.
+	Initials *string `json:"initials,omitempty" tf:"initials,omitempty"`
+
+	// Locality (such as a city or town) in which the certificate subject is located. Must be less than or equal to 128 characters in length.
+	Locality *string `json:"locality,omitempty" tf:"locality,omitempty"`
+
+	// Legal name of the organization with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
+	Organization *string `json:"organization,omitempty" tf:"organization,omitempty"`
+
+	// Subdivision or unit of the organization (such as sales or finance) with which the certificate subject is affiliated. Must be less than or equal to 64 characters in length.
+	OrganizationalUnit *string `json:"organizationalUnit,omitempty" tf:"organizational_unit,omitempty"`
+
+	// Typically a shortened version of a longer given_name. For example, Jonathan is often shortened to John. Elizabeth is often shortened to Beth, Liz, or Eliza. Must be less than or equal to 128 characters in length.
+	Pseudonym *string `json:"pseudonym,omitempty" tf:"pseudonym,omitempty"`
+
+	// State in which the subject of the certificate is located. Must be less than or equal to 128 characters in length.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
+
+	// Family name. In the US and the UK for example, the surname of an individual is ordered last. In Asian cultures the surname is typically ordered first. Must be less than or equal to 40 characters in length.
+	Surname *string `json:"surname,omitempty" tf:"surname,omitempty"`
+
+	// Title such as Mr. or Ms. which is pre-pended to the name to refer formally to the certificate subject. Must be less than or equal to 64 characters in length.
+	Title *string `json:"title,omitempty" tf:"title,omitempty"`
 }
 
 type SubjectParameters struct {
@@ -237,8 +334,9 @@ type CertificateAuthorityStatus struct {
 type CertificateAuthority struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CertificateAuthoritySpec   `json:"spec"`
-	Status            CertificateAuthorityStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateAuthorityConfiguration)",message="certificateAuthorityConfiguration is a required parameter"
+	Spec   CertificateAuthoritySpec   `json:"spec"`
+	Status CertificateAuthorityStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/acmpca/v1beta1/zz_certificateauthoritycertificate_types.go b/apis/acmpca/v1beta1/zz_certificateauthoritycertificate_types.go
index e2c4cf68eb..9840c9f77e 100755
--- a/apis/acmpca/v1beta1/zz_certificateauthoritycertificate_types.go
+++ b/apis/acmpca/v1beta1/zz_certificateauthoritycertificate_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type CertificateAuthorityCertificateObservation struct {
+
+	// ARN of the Certificate Authority.
+	CertificateAuthorityArn *string `json:"certificateAuthorityArn,omitempty" tf:"certificate_authority_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
@@ -37,7 +41,7 @@ type CertificateAuthorityCertificateParameters struct {
 	CertificateChainSecretRef *v1.SecretKeySelector `json:"certificateChainSecretRef,omitempty" tf:"-"`
 
 	// PEM-encoded certificate for the Certificate Authority.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	CertificateSecretRef v1.SecretKeySelector `json:"certificateSecretRef" tf:"-"`
 
 	// Region is the region you'd like your resource to be created in.
@@ -70,8 +74,9 @@ type CertificateAuthorityCertificateStatus struct {
 type CertificateAuthorityCertificate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CertificateAuthorityCertificateSpec   `json:"spec"`
-	Status            CertificateAuthorityCertificateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateSecretRef)",message="certificateSecretRef is a required parameter"
+	Spec   CertificateAuthorityCertificateSpec   `json:"spec"`
+	Status CertificateAuthorityCertificateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/acmpca/v1beta1/zz_generated.deepcopy.go b/apis/acmpca/v1beta1/zz_generated.deepcopy.go
index 975639d68d..ae4c324e2f 100644
--- a/apis/acmpca/v1beta1/zz_generated.deepcopy.go
+++ b/apis/acmpca/v1beta1/zz_generated.deepcopy.go
@@ -130,6 +130,11 @@ func (in *CertificateAuthorityCertificateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateAuthorityCertificateObservation) DeepCopyInto(out *CertificateAuthorityCertificateObservation) {
 	*out = *in
+	if in.CertificateAuthorityArn != nil {
+		in, out := &in.CertificateAuthorityArn, &out.CertificateAuthorityArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -225,6 +230,23 @@ func (in *CertificateAuthorityCertificateStatus) DeepCopy() *CertificateAuthorit
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateAuthorityConfigurationObservation) DeepCopyInto(out *CertificateAuthorityConfigurationObservation) {
 	*out = *in
+	if in.KeyAlgorithm != nil {
+		in, out := &in.KeyAlgorithm, &out.KeyAlgorithm
+		*out = new(string)
+		**out = **in
+	}
+	if in.SigningAlgorithm != nil {
+		in, out := &in.SigningAlgorithm, &out.SigningAlgorithm
+		*out = new(string)
+		**out = **in
+	}
+	if in.Subject != nil {
+		in, out := &in.Subject, &out.Subject
+		*out = make([]SubjectObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityConfigurationObservation.
@@ -314,6 +336,13 @@ func (in *CertificateAuthorityObservation) DeepCopyInto(out *CertificateAuthorit
 		*out = new(string)
 		**out = **in
 	}
+	if in.CertificateAuthorityConfiguration != nil {
+		in, out := &in.CertificateAuthorityConfiguration, &out.CertificateAuthorityConfiguration
+		*out = make([]CertificateAuthorityConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.CertificateChain != nil {
 		in, out := &in.CertificateChain, &out.CertificateChain
 		*out = new(string)
@@ -324,6 +353,11 @@ func (in *CertificateAuthorityObservation) DeepCopyInto(out *CertificateAuthorit
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -339,6 +373,18 @@ func (in *CertificateAuthorityObservation) DeepCopyInto(out *CertificateAuthorit
 		*out = new(string)
 		**out = **in
 	}
+	if in.PermanentDeletionTimeInDays != nil {
+		in, out := &in.PermanentDeletionTimeInDays, &out.PermanentDeletionTimeInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RevocationConfiguration != nil {
+		in, out := &in.RevocationConfiguration, &out.RevocationConfiguration
+		*out = make([]RevocationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Serial != nil {
 		in, out := &in.Serial, &out.Serial
 		*out = new(string)
@@ -349,6 +395,21 @@ func (in *CertificateAuthorityObservation) DeepCopyInto(out *CertificateAuthorit
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -364,6 +425,16 @@ func (in *CertificateAuthorityObservation) DeepCopyInto(out *CertificateAuthorit
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.UsageMode != nil {
+		in, out := &in.UsageMode, &out.UsageMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAuthorityObservation.
@@ -524,6 +595,11 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CertificateAuthorityArn != nil {
+		in, out := &in.CertificateAuthorityArn, &out.CertificateAuthorityArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.CertificateChain != nil {
 		in, out := &in.CertificateChain, &out.CertificateChain
 		*out = new(string)
@@ -534,6 +610,23 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SigningAlgorithm != nil {
+		in, out := &in.SigningAlgorithm, &out.SigningAlgorithm
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplateArn != nil {
+		in, out := &in.TemplateArn, &out.TemplateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Validity != nil {
+		in, out := &in.Validity, &out.Validity
+		*out = make([]ValidityObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateObservation.
@@ -636,6 +729,31 @@ func (in *CertificateStatus) DeepCopy() *CertificateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CrlConfigurationObservation) DeepCopyInto(out *CrlConfigurationObservation) {
 	*out = *in
+	if in.CustomCname != nil {
+		in, out := &in.CustomCname, &out.CustomCname
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExpirationInDays != nil {
+		in, out := &in.ExpirationInDays, &out.ExpirationInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.S3BucketName != nil {
+		in, out := &in.S3BucketName, &out.S3BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3ObjectACL != nil {
+		in, out := &in.S3ObjectACL, &out.S3ObjectACL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrlConfigurationObservation.
@@ -691,6 +809,16 @@ func (in *CrlConfigurationParameters) DeepCopy() *CrlConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OcspConfigurationObservation) DeepCopyInto(out *OcspConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.OcspCustomCname != nil {
+		in, out := &in.OcspCustomCname, &out.OcspCustomCname
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OcspConfigurationObservation.
@@ -790,6 +918,22 @@ func (in *PermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PermissionObservation) DeepCopyInto(out *PermissionObservation) {
 	*out = *in
+	if in.Actions != nil {
+		in, out := &in.Actions, &out.Actions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CertificateAuthorityArn != nil {
+		in, out := &in.CertificateAuthorityArn, &out.CertificateAuthorityArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -800,6 +944,16 @@ func (in *PermissionObservation) DeepCopyInto(out *PermissionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceAccount != nil {
+		in, out := &in.SourceAccount, &out.SourceAccount
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionObservation.
@@ -969,6 +1123,16 @@ func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation.
@@ -1058,6 +1222,20 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RevocationConfigurationObservation) DeepCopyInto(out *RevocationConfigurationObservation) {
 	*out = *in
+	if in.CrlConfiguration != nil {
+		in, out := &in.CrlConfiguration, &out.CrlConfiguration
+		*out = make([]CrlConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OcspConfiguration != nil {
+		in, out := &in.OcspConfiguration, &out.OcspConfiguration
+		*out = make([]OcspConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RevocationConfigurationObservation.
@@ -1102,6 +1280,71 @@ func (in *RevocationConfigurationParameters) DeepCopy() *RevocationConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubjectObservation) DeepCopyInto(out *SubjectObservation) {
 	*out = *in
+	if in.CommonName != nil {
+		in, out := &in.CommonName, &out.CommonName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Country != nil {
+		in, out := &in.Country, &out.Country
+		*out = new(string)
+		**out = **in
+	}
+	if in.DistinguishedNameQualifier != nil {
+		in, out := &in.DistinguishedNameQualifier, &out.DistinguishedNameQualifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.GenerationQualifier != nil {
+		in, out := &in.GenerationQualifier, &out.GenerationQualifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.GivenName != nil {
+		in, out := &in.GivenName, &out.GivenName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Initials != nil {
+		in, out := &in.Initials, &out.Initials
+		*out = new(string)
+		**out = **in
+	}
+	if in.Locality != nil {
+		in, out := &in.Locality, &out.Locality
+		*out = new(string)
+		**out = **in
+	}
+	if in.Organization != nil {
+		in, out := &in.Organization, &out.Organization
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationalUnit != nil {
+		in, out := &in.OrganizationalUnit, &out.OrganizationalUnit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Pseudonym != nil {
+		in, out := &in.Pseudonym, &out.Pseudonym
+		*out = new(string)
+		**out = **in
+	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
+	if in.Surname != nil {
+		in, out := &in.Surname, &out.Surname
+		*out = new(string)
+		**out = **in
+	}
+	if in.Title != nil {
+		in, out := &in.Title, &out.Title
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectObservation.
@@ -1197,6 +1440,16 @@ func (in *SubjectParameters) DeepCopy() *SubjectParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidityObservation) DeepCopyInto(out *ValidityObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidityObservation.
diff --git a/apis/acmpca/v1beta1/zz_permission_types.go b/apis/acmpca/v1beta1/zz_permission_types.go
index d4b4e5c13c..9752f796a1 100755
--- a/apis/acmpca/v1beta1/zz_permission_types.go
+++ b/apis/acmpca/v1beta1/zz_permission_types.go
@@ -14,17 +14,30 @@ import (
 )
 
 type PermissionObservation struct {
+
+	// Actions that the specified AWS service principal can use. These include IssueCertificate, GetCertificate, and ListPermissions. Note that in order for ACM to automatically rotate certificates issued by a PCA, it must be granted permission on all 3 actions, as per the example above.
+	Actions []*string `json:"actions,omitempty" tf:"actions,omitempty"`
+
+	// ARN of the CA that grants the permissions.
+	CertificateAuthorityArn *string `json:"certificateAuthorityArn,omitempty" tf:"certificate_authority_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// IAM policy that is associated with the permission.
 	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// AWS service or identity that receives the permission. At this time, the only valid principal is acm.amazonaws.com.
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
+
+	// ID of the calling account
+	SourceAccount *string `json:"sourceAccount,omitempty" tf:"source_account,omitempty"`
 }
 
 type PermissionParameters struct {
 
 	// Actions that the specified AWS service principal can use. These include IssueCertificate, GetCertificate, and ListPermissions. Note that in order for ACM to automatically rotate certificates issued by a PCA, it must be granted permission on all 3 actions, as per the example above.
-	// +kubebuilder:validation:Required
-	Actions []*string `json:"actions" tf:"actions,omitempty"`
+	// +kubebuilder:validation:Optional
+	Actions []*string `json:"actions,omitempty" tf:"actions,omitempty"`
 
 	// ARN of the CA that grants the permissions.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/acmpca/v1beta1.CertificateAuthority
@@ -41,8 +54,8 @@ type PermissionParameters struct {
 	CertificateAuthorityArnSelector *v1.Selector `json:"certificateAuthorityArnSelector,omitempty" tf:"-"`
 
 	// AWS service or identity that receives the permission. At this time, the only valid principal is acm.amazonaws.com.
-	// +kubebuilder:validation:Required
-	Principal *string `json:"principal" tf:"principal,omitempty"`
+	// +kubebuilder:validation:Optional
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -78,8 +91,10 @@ type PermissionStatus struct {
 type Permission struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PermissionSpec   `json:"spec"`
-	Status            PermissionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actions)",message="actions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)",message="principal is a required parameter"
+	Spec   PermissionSpec   `json:"spec"`
+	Status PermissionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/acmpca/v1beta1/zz_policy_types.go b/apis/acmpca/v1beta1/zz_policy_types.go
index bdb599f68b..5a9089d635 100755
--- a/apis/acmpca/v1beta1/zz_policy_types.go
+++ b/apis/acmpca/v1beta1/zz_policy_types.go
@@ -15,13 +15,19 @@ import (
 
 type PolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// JSON-formatted IAM policy to attach to the specified private CA resource.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// ARN of the private CA to associate with the policy.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type PolicyParameters struct {
 
 	// JSON-formatted IAM policy to attach to the specified private CA resource.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +73,9 @@ type PolicyStatus struct {
 type Policy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PolicySpec   `json:"spec"`
-	Status            PolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   PolicySpec   `json:"spec"`
+	Status PolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/amp/v1beta1/zz_alertmanagerdefinition_types.go b/apis/amp/v1beta1/zz_alertmanagerdefinition_types.go
index bea1ec845d..8aeb3cc549 100755
--- a/apis/amp/v1beta1/zz_alertmanagerdefinition_types.go
+++ b/apis/amp/v1beta1/zz_alertmanagerdefinition_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type AlertManagerDefinitionObservation struct {
+
+	// the alert manager definition that you want to be applied. See more in AWS Docs.
+	Definition *string `json:"definition,omitempty" tf:"definition,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ID of the prometheus workspace the alert manager definition should be linked to
+	WorkspaceID *string `json:"workspaceId,omitempty" tf:"workspace_id,omitempty"`
 }
 
 type AlertManagerDefinitionParameters struct {
 
 	// the alert manager definition that you want to be applied. See more in AWS Docs.
-	// +kubebuilder:validation:Required
-	Definition *string `json:"definition" tf:"definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	Definition *string `json:"definition,omitempty" tf:"definition,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +74,9 @@ type AlertManagerDefinitionStatus struct {
 type AlertManagerDefinition struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AlertManagerDefinitionSpec   `json:"spec"`
-	Status            AlertManagerDefinitionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)",message="definition is a required parameter"
+	Spec   AlertManagerDefinitionSpec   `json:"spec"`
+	Status AlertManagerDefinitionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/amp/v1beta1/zz_generated.deepcopy.go b/apis/amp/v1beta1/zz_generated.deepcopy.go
index 9e761d7c38..af2d675ae2 100644
--- a/apis/amp/v1beta1/zz_generated.deepcopy.go
+++ b/apis/amp/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,21 @@ func (in *AlertManagerDefinitionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AlertManagerDefinitionObservation) DeepCopyInto(out *AlertManagerDefinitionObservation) {
 	*out = *in
+	if in.Definition != nil {
+		in, out := &in.Definition, &out.Definition
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.WorkspaceID != nil {
+		in, out := &in.WorkspaceID, &out.WorkspaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlertManagerDefinitionObservation.
@@ -170,6 +180,11 @@ func (in *AlertManagerDefinitionStatus) DeepCopy() *AlertManagerDefinitionStatus
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingConfigurationObservation) DeepCopyInto(out *LoggingConfigurationObservation) {
 	*out = *in
+	if in.LogGroupArn != nil {
+		in, out := &in.LogGroupArn, &out.LogGroupArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfigurationObservation.
@@ -264,11 +279,21 @@ func (in *RuleGroupNamespaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleGroupNamespaceObservation) DeepCopyInto(out *RuleGroupNamespaceObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.WorkspaceID != nil {
+		in, out := &in.WorkspaceID, &out.WorkspaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleGroupNamespaceObservation.
@@ -417,6 +442,11 @@ func (in *WorkspaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkspaceObservation) DeepCopyInto(out *WorkspaceObservation) {
 	*out = *in
+	if in.Alias != nil {
+		in, out := &in.Alias, &out.Alias
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -427,11 +457,33 @@ func (in *WorkspaceObservation) DeepCopyInto(out *WorkspaceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoggingConfiguration != nil {
+		in, out := &in.LoggingConfiguration, &out.LoggingConfiguration
+		*out = make([]LoggingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.PrometheusEndpoint != nil {
 		in, out := &in.PrometheusEndpoint, &out.PrometheusEndpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/amp/v1beta1/zz_rulegroupnamespace_types.go b/apis/amp/v1beta1/zz_rulegroupnamespace_types.go
index 7ee7b2ba9e..547ff14de3 100755
--- a/apis/amp/v1beta1/zz_rulegroupnamespace_types.go
+++ b/apis/amp/v1beta1/zz_rulegroupnamespace_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type RuleGroupNamespaceObservation struct {
+
+	// the rule group namespace data that you want to be applied. See more in AWS Docs.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ID of the prometheus workspace the rule group namespace should be linked to
+	WorkspaceID *string `json:"workspaceId,omitempty" tf:"workspace_id,omitempty"`
 }
 
 type RuleGroupNamespaceParameters struct {
 
 	// the rule group namespace data that you want to be applied. See more in AWS Docs.
-	// +kubebuilder:validation:Required
-	Data *string `json:"data" tf:"data,omitempty"`
+	// +kubebuilder:validation:Optional
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +74,9 @@ type RuleGroupNamespaceStatus struct {
 type RuleGroupNamespace struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RuleGroupNamespaceSpec   `json:"spec"`
-	Status            RuleGroupNamespaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.data)",message="data is a required parameter"
+	Spec   RuleGroupNamespaceSpec   `json:"spec"`
+	Status RuleGroupNamespaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/amp/v1beta1/zz_workspace_types.go b/apis/amp/v1beta1/zz_workspace_types.go
index 3760cda367..cb0aa5256a 100755
--- a/apis/amp/v1beta1/zz_workspace_types.go
+++ b/apis/amp/v1beta1/zz_workspace_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type LoggingConfigurationObservation struct {
+
+	// The ARN of the CloudWatch log group to which the vended log data will be published. This log group must exist.
+	LogGroupArn *string `json:"logGroupArn,omitempty" tf:"log_group_arn,omitempty"`
 }
 
 type LoggingConfigurationParameters struct {
@@ -25,15 +28,24 @@ type LoggingConfigurationParameters struct {
 
 type WorkspaceObservation struct {
 
+	// The alias of the prometheus workspace. See more in AWS Docs.
+	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
+
 	// Amazon Resource Name (ARN) of the workspace.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Identifier of the workspace
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Logging configuration for the workspace. See Logging Configuration below for details.
+	LoggingConfiguration []LoggingConfigurationObservation `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
+
 	// Prometheus endpoint available for this workspace.
 	PrometheusEndpoint *string `json:"prometheusEndpoint,omitempty" tf:"prometheus_endpoint,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/amplify/v1beta1/zz_app_types.go b/apis/amplify/v1beta1/zz_app_types.go
index 5f8cd3ea55..bee9b051f1 100755
--- a/apis/amplify/v1beta1/zz_app_types.go
+++ b/apis/amplify/v1beta1/zz_app_types.go
@@ -18,15 +18,60 @@ type AppObservation struct {
 	// ARN of the Amplify app.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Automated branch creation configuration for an Amplify app. An auto_branch_creation_config block is documented below.
+	AutoBranchCreationConfig []AutoBranchCreationConfigObservation `json:"autoBranchCreationConfig,omitempty" tf:"auto_branch_creation_config,omitempty"`
+
+	// Automated branch creation glob patterns for an Amplify app.
+	AutoBranchCreationPatterns []*string `json:"autoBranchCreationPatterns,omitempty" tf:"auto_branch_creation_patterns,omitempty"`
+
+	// The build specification (build spec) for an Amplify app.
+	BuildSpec *string `json:"buildSpec,omitempty" tf:"build_spec,omitempty"`
+
+	// Custom rewrite and redirect rules for an Amplify app. A custom_rule block is documented below.
+	CustomRule []CustomRuleObservation `json:"customRule,omitempty" tf:"custom_rule,omitempty"`
+
 	// Default domain for the Amplify app.
 	DefaultDomain *string `json:"defaultDomain,omitempty" tf:"default_domain,omitempty"`
 
+	// Description for an Amplify app.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Enables automated branch creation for an Amplify app.
+	EnableAutoBranchCreation *bool `json:"enableAutoBranchCreation,omitempty" tf:"enable_auto_branch_creation,omitempty"`
+
+	// Enables basic authorization for an Amplify app. This will apply to all branches that are part of this app.
+	EnableBasicAuth *bool `json:"enableBasicAuth,omitempty" tf:"enable_basic_auth,omitempty"`
+
+	// Enables auto-building of branches for the Amplify App.
+	EnableBranchAutoBuild *bool `json:"enableBranchAutoBuild,omitempty" tf:"enable_branch_auto_build,omitempty"`
+
+	// Automatically disconnects a branch in the Amplify Console when you delete a branch from your Git repository.
+	EnableBranchAutoDeletion *bool `json:"enableBranchAutoDeletion,omitempty" tf:"enable_branch_auto_deletion,omitempty"`
+
+	// Environment variables map for an Amplify app.
+	EnvironmentVariables map[string]*string `json:"environmentVariables,omitempty" tf:"environment_variables,omitempty"`
+
+	// AWS Identity and Access Management (IAM) service role for an Amplify app.
+	IAMServiceRoleArn *string `json:"iamServiceRoleArn,omitempty" tf:"iam_service_role_arn,omitempty"`
+
 	// Unique ID of the Amplify app.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name for an Amplify app.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Platform or framework for an Amplify app. Valid values: WEB, WEB_COMPUTE. Default value: WEB.
+	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
+
 	// Describes the information about a production branch for an Amplify app. A production_branch block is documented below.
 	ProductionBranch []ProductionBranchObservation `json:"productionBranch,omitempty" tf:"production_branch,omitempty"`
 
+	// Repository for an Amplify app.
+	Repository *string `json:"repository,omitempty" tf:"repository,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -96,8 +141,8 @@ type AppParameters struct {
 	IAMServiceRoleArnSelector *v1.Selector `json:"iamServiceRoleArnSelector,omitempty" tf:"-"`
 
 	// Name for an Amplify app.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// OAuth token for a third-party source control system for an Amplify app. The OAuth token is used to create a webhook and a read-only deploy key. The OAuth token is not stored.
 	// +kubebuilder:validation:Optional
@@ -122,6 +167,33 @@ type AppParameters struct {
 }
 
 type AutoBranchCreationConfigObservation struct {
+
+	// Build specification (build spec) for the autocreated branch.
+	BuildSpec *string `json:"buildSpec,omitempty" tf:"build_spec,omitempty"`
+
+	// Enables auto building for the autocreated branch.
+	EnableAutoBuild *bool `json:"enableAutoBuild,omitempty" tf:"enable_auto_build,omitempty"`
+
+	// Enables basic authorization for the autocreated branch.
+	EnableBasicAuth *bool `json:"enableBasicAuth,omitempty" tf:"enable_basic_auth,omitempty"`
+
+	// Enables performance mode for the branch.
+	EnablePerformanceMode *bool `json:"enablePerformanceMode,omitempty" tf:"enable_performance_mode,omitempty"`
+
+	// Enables pull request previews for the autocreated branch.
+	EnablePullRequestPreview *bool `json:"enablePullRequestPreview,omitempty" tf:"enable_pull_request_preview,omitempty"`
+
+	// Environment variables for the autocreated branch.
+	EnvironmentVariables map[string]*string `json:"environmentVariables,omitempty" tf:"environment_variables,omitempty"`
+
+	// Framework for the autocreated branch.
+	Framework *string `json:"framework,omitempty" tf:"framework,omitempty"`
+
+	// Amplify environment name for the pull request.
+	PullRequestEnvironmentName *string `json:"pullRequestEnvironmentName,omitempty" tf:"pull_request_environment_name,omitempty"`
+
+	// Describes the current stage for the autocreated branch. Valid values: PRODUCTION, BETA, DEVELOPMENT, EXPERIMENTAL, PULL_REQUEST.
+	Stage *string `json:"stage,omitempty" tf:"stage,omitempty"`
 }
 
 type AutoBranchCreationConfigParameters struct {
@@ -168,6 +240,18 @@ type AutoBranchCreationConfigParameters struct {
 }
 
 type CustomRuleObservation struct {
+
+	// Condition for a URL rewrite or redirect rule, such as a country code.
+	Condition *string `json:"condition,omitempty" tf:"condition,omitempty"`
+
+	// Source pattern for a URL rewrite or redirect rule.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Status code for a URL rewrite or redirect rule. Valid values: 200, 301, 302, 404, 404-200.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Target pattern for a URL rewrite or redirect rule.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type CustomRuleParameters struct {
@@ -231,8 +315,9 @@ type AppStatus struct {
 type App struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AppSpec   `json:"spec"`
-	Status            AppStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AppSpec   `json:"spec"`
+	Status AppStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/amplify/v1beta1/zz_backendenvironment_types.go b/apis/amplify/v1beta1/zz_backendenvironment_types.go
index 9e5d949e7e..52adef1d0c 100755
--- a/apis/amplify/v1beta1/zz_backendenvironment_types.go
+++ b/apis/amplify/v1beta1/zz_backendenvironment_types.go
@@ -15,11 +15,20 @@ import (
 
 type BackendEnvironmentObservation struct {
 
+	// Unique ID for an Amplify app.
+	AppID *string `json:"appId,omitempty" tf:"app_id,omitempty"`
+
 	// ARN for a backend environment that is part of an Amplify app.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name of deployment artifacts.
+	DeploymentArtifacts *string `json:"deploymentArtifacts,omitempty" tf:"deployment_artifacts,omitempty"`
+
 	// Unique ID of the Amplify backend environment.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// AWS CloudFormation stack name of a backend environment.
+	StackName *string `json:"stackName,omitempty" tf:"stack_name,omitempty"`
 }
 
 type BackendEnvironmentParameters struct {
diff --git a/apis/amplify/v1beta1/zz_branch_types.go b/apis/amplify/v1beta1/zz_branch_types.go
index 315d7c0278..476d37839e 100755
--- a/apis/amplify/v1beta1/zz_branch_types.go
+++ b/apis/amplify/v1beta1/zz_branch_types.go
@@ -15,23 +15,68 @@ import (
 
 type BranchObservation struct {
 
+	// Unique ID for an Amplify app.
+	AppID *string `json:"appId,omitempty" tf:"app_id,omitempty"`
+
 	// ARN for the branch.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// A list of custom resources that are linked to this branch.
 	AssociatedResources []*string `json:"associatedResources,omitempty" tf:"associated_resources,omitempty"`
 
+	// ARN for a backend environment that is part of an Amplify app.
+	BackendEnvironmentArn *string `json:"backendEnvironmentArn,omitempty" tf:"backend_environment_arn,omitempty"`
+
 	// Custom domains for the branch.
 	CustomDomains []*string `json:"customDomains,omitempty" tf:"custom_domains,omitempty"`
 
+	// Description for the branch.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Destination branch if the branch is a pull request branch.
 	DestinationBranch *string `json:"destinationBranch,omitempty" tf:"destination_branch,omitempty"`
 
+	// Display name for a branch. This is used as the default domain prefix.
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// Enables auto building for the branch.
+	EnableAutoBuild *bool `json:"enableAutoBuild,omitempty" tf:"enable_auto_build,omitempty"`
+
+	// Enables basic authorization for the branch.
+	EnableBasicAuth *bool `json:"enableBasicAuth,omitempty" tf:"enable_basic_auth,omitempty"`
+
+	// Enables notifications for the branch.
+	EnableNotification *bool `json:"enableNotification,omitempty" tf:"enable_notification,omitempty"`
+
+	// Enables performance mode for the branch.
+	EnablePerformanceMode *bool `json:"enablePerformanceMode,omitempty" tf:"enable_performance_mode,omitempty"`
+
+	// Enables pull request previews for this branch.
+	EnablePullRequestPreview *bool `json:"enablePullRequestPreview,omitempty" tf:"enable_pull_request_preview,omitempty"`
+
+	// Environment variables for the branch.
+	EnvironmentVariables map[string]*string `json:"environmentVariables,omitempty" tf:"environment_variables,omitempty"`
+
+	// Framework for the branch.
+	Framework *string `json:"framework,omitempty" tf:"framework,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amplify environment name for the pull request.
+	PullRequestEnvironmentName *string `json:"pullRequestEnvironmentName,omitempty" tf:"pull_request_environment_name,omitempty"`
+
 	// Source branch if the branch is a pull request branch.
 	SourceBranch *string `json:"sourceBranch,omitempty" tf:"source_branch,omitempty"`
 
+	// Describes the current stage for the branch. Valid values: PRODUCTION, BETA, DEVELOPMENT, EXPERIMENTAL, PULL_REQUEST.
+	Stage *string `json:"stage,omitempty" tf:"stage,omitempty"`
+
+	// Content Time To Live (TTL) for the website in seconds.
+	TTL *string `json:"ttl,omitempty" tf:"ttl,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/amplify/v1beta1/zz_generated.deepcopy.go b/apis/amplify/v1beta1/zz_generated.deepcopy.go
index a1b244a00c..aa9155b333 100644
--- a/apis/amplify/v1beta1/zz_generated.deepcopy.go
+++ b/apis/amplify/v1beta1/zz_generated.deepcopy.go
@@ -81,16 +81,101 @@ func (in *AppObservation) DeepCopyInto(out *AppObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoBranchCreationConfig != nil {
+		in, out := &in.AutoBranchCreationConfig, &out.AutoBranchCreationConfig
+		*out = make([]AutoBranchCreationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutoBranchCreationPatterns != nil {
+		in, out := &in.AutoBranchCreationPatterns, &out.AutoBranchCreationPatterns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BuildSpec != nil {
+		in, out := &in.BuildSpec, &out.BuildSpec
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomRule != nil {
+		in, out := &in.CustomRule, &out.CustomRule
+		*out = make([]CustomRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DefaultDomain != nil {
 		in, out := &in.DefaultDomain, &out.DefaultDomain
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableAutoBranchCreation != nil {
+		in, out := &in.EnableAutoBranchCreation, &out.EnableAutoBranchCreation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableBasicAuth != nil {
+		in, out := &in.EnableBasicAuth, &out.EnableBasicAuth
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableBranchAutoBuild != nil {
+		in, out := &in.EnableBranchAutoBuild, &out.EnableBranchAutoBuild
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableBranchAutoDeletion != nil {
+		in, out := &in.EnableBranchAutoDeletion, &out.EnableBranchAutoDeletion
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnvironmentVariables != nil {
+		in, out := &in.EnvironmentVariables, &out.EnvironmentVariables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.IAMServiceRoleArn != nil {
+		in, out := &in.IAMServiceRoleArn, &out.IAMServiceRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Platform != nil {
+		in, out := &in.Platform, &out.Platform
+		*out = new(string)
+		**out = **in
+	}
 	if in.ProductionBranch != nil {
 		in, out := &in.ProductionBranch, &out.ProductionBranch
 		*out = make([]ProductionBranchObservation, len(*in))
@@ -98,6 +183,26 @@ func (in *AppObservation) DeepCopyInto(out *AppObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Repository != nil {
+		in, out := &in.Repository, &out.Repository
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -312,6 +417,61 @@ func (in *AppStatus) DeepCopy() *AppStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoBranchCreationConfigObservation) DeepCopyInto(out *AutoBranchCreationConfigObservation) {
 	*out = *in
+	if in.BuildSpec != nil {
+		in, out := &in.BuildSpec, &out.BuildSpec
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableAutoBuild != nil {
+		in, out := &in.EnableAutoBuild, &out.EnableAutoBuild
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableBasicAuth != nil {
+		in, out := &in.EnableBasicAuth, &out.EnableBasicAuth
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnablePerformanceMode != nil {
+		in, out := &in.EnablePerformanceMode, &out.EnablePerformanceMode
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnablePullRequestPreview != nil {
+		in, out := &in.EnablePullRequestPreview, &out.EnablePullRequestPreview
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnvironmentVariables != nil {
+		in, out := &in.EnvironmentVariables, &out.EnvironmentVariables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Framework != nil {
+		in, out := &in.Framework, &out.Framework
+		*out = new(string)
+		**out = **in
+	}
+	if in.PullRequestEnvironmentName != nil {
+		in, out := &in.PullRequestEnvironmentName, &out.PullRequestEnvironmentName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Stage != nil {
+		in, out := &in.Stage, &out.Stage
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoBranchCreationConfigObservation.
@@ -461,16 +621,31 @@ func (in *BackendEnvironmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendEnvironmentObservation) DeepCopyInto(out *BackendEnvironmentObservation) {
 	*out = *in
+	if in.AppID != nil {
+		in, out := &in.AppID, &out.AppID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeploymentArtifacts != nil {
+		in, out := &in.DeploymentArtifacts, &out.DeploymentArtifacts
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StackName != nil {
+		in, out := &in.StackName, &out.StackName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendEnvironmentObservation.
@@ -624,6 +799,11 @@ func (in *BranchList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BranchObservation) DeepCopyInto(out *BranchObservation) {
 	*out = *in
+	if in.AppID != nil {
+		in, out := &in.AppID, &out.AppID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -640,6 +820,11 @@ func (in *BranchObservation) DeepCopyInto(out *BranchObservation) {
 			}
 		}
 	}
+	if in.BackendEnvironmentArn != nil {
+		in, out := &in.BackendEnvironmentArn, &out.BackendEnvironmentArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.CustomDomains != nil {
 		in, out := &in.CustomDomains, &out.CustomDomains
 		*out = make([]*string, len(*in))
@@ -651,21 +836,106 @@ func (in *BranchObservation) DeepCopyInto(out *BranchObservation) {
 			}
 		}
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.DestinationBranch != nil {
 		in, out := &in.DestinationBranch, &out.DestinationBranch
 		*out = new(string)
 		**out = **in
 	}
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableAutoBuild != nil {
+		in, out := &in.EnableAutoBuild, &out.EnableAutoBuild
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableBasicAuth != nil {
+		in, out := &in.EnableBasicAuth, &out.EnableBasicAuth
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableNotification != nil {
+		in, out := &in.EnableNotification, &out.EnableNotification
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnablePerformanceMode != nil {
+		in, out := &in.EnablePerformanceMode, &out.EnablePerformanceMode
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnablePullRequestPreview != nil {
+		in, out := &in.EnablePullRequestPreview, &out.EnablePullRequestPreview
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnvironmentVariables != nil {
+		in, out := &in.EnvironmentVariables, &out.EnvironmentVariables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Framework != nil {
+		in, out := &in.Framework, &out.Framework
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PullRequestEnvironmentName != nil {
+		in, out := &in.PullRequestEnvironmentName, &out.PullRequestEnvironmentName
+		*out = new(string)
+		**out = **in
+	}
 	if in.SourceBranch != nil {
 		in, out := &in.SourceBranch, &out.SourceBranch
 		*out = new(string)
 		**out = **in
 	}
+	if in.Stage != nil {
+		in, out := &in.Stage, &out.Stage
+		*out = new(string)
+		**out = **in
+	}
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -860,6 +1130,26 @@ func (in *BranchStatus) DeepCopy() *BranchStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomRuleObservation) DeepCopyInto(out *CustomRuleObservation) {
 	*out = *in
+	if in.Condition != nil {
+		in, out := &in.Condition, &out.Condition
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomRuleObservation.
@@ -1019,11 +1309,26 @@ func (in *WebhookList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WebhookObservation) DeepCopyInto(out *WebhookObservation) {
 	*out = *in
+	if in.AppID != nil {
+		in, out := &in.AppID, &out.AppID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BranchName != nil {
+		in, out := &in.BranchName, &out.BranchName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
diff --git a/apis/amplify/v1beta1/zz_webhook_types.go b/apis/amplify/v1beta1/zz_webhook_types.go
index ceebe7e7e1..3e6a6933b5 100755
--- a/apis/amplify/v1beta1/zz_webhook_types.go
+++ b/apis/amplify/v1beta1/zz_webhook_types.go
@@ -15,9 +15,18 @@ import (
 
 type WebhookObservation struct {
 
+	// Unique ID for an Amplify app.
+	AppID *string `json:"appId,omitempty" tf:"app_id,omitempty"`
+
 	// ARN for the webhook.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name for a branch that is part of the Amplify app.
+	BranchName *string `json:"branchName,omitempty" tf:"branch_name,omitempty"`
+
+	// Description for a webhook.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// URL of the webhook.
diff --git a/apis/apigateway/v1beta1/zz_account_types.go b/apis/apigateway/v1beta1/zz_account_types.go
index ed7db1e577..2ca6e0ba3c 100755
--- a/apis/apigateway/v1beta1/zz_account_types.go
+++ b/apis/apigateway/v1beta1/zz_account_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type AccountObservation struct {
+
+	// ARN of an IAM role for CloudWatch (to allow logging & monitoring). See more in AWS Docs. Logging & monitoring can be enabled/disabled and otherwise tuned on the API Gateway Stage level.
+	CloudwatchRoleArn *string `json:"cloudwatchRoleArn,omitempty" tf:"cloudwatch_role_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Account-Level throttle settings. See exported fields below.
diff --git a/apis/apigateway/v1beta1/zz_apikey_types.go b/apis/apigateway/v1beta1/zz_apikey_types.go
index 731f69c9f3..249b063c2f 100755
--- a/apis/apigateway/v1beta1/zz_apikey_types.go
+++ b/apis/apigateway/v1beta1/zz_apikey_types.go
@@ -21,12 +21,24 @@ type APIKeyObservation struct {
 	// Creation date of the API key
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// API key description.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether the API key can be used by callers. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// ID of the API key
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Last update date of the API key
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Name of the API key
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -42,8 +54,8 @@ type APIKeyParameters struct {
 	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 
 	// Name of the API key
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,8 +95,9 @@ type APIKeyStatus struct {
 type APIKey struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              APIKeySpec   `json:"spec"`
-	Status            APIKeyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   APIKeySpec   `json:"spec"`
+	Status APIKeyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_authorizer_types.go b/apis/apigateway/v1beta1/zz_authorizer_types.go
index 0b55722371..51d14ba525 100755
--- a/apis/apigateway/v1beta1/zz_authorizer_types.go
+++ b/apis/apigateway/v1beta1/zz_authorizer_types.go
@@ -18,8 +18,36 @@ type AuthorizerObservation struct {
 	// ARN of the API Gateway Authorizer
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Credentials required for the authorizer. To specify an IAM Role for API Gateway to assume, use the IAM Role ARN.
+	AuthorizerCredentials *string `json:"authorizerCredentials,omitempty" tf:"authorizer_credentials,omitempty"`
+
+	// TTL of cached authorizer results in seconds. Defaults to 300.
+	AuthorizerResultTTLInSeconds *float64 `json:"authorizerResultTtlInSeconds,omitempty" tf:"authorizer_result_ttl_in_seconds,omitempty"`
+
+	// Authorizer's Uniform Resource Identifier (URI). This must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api},
+	// e.g., arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
+	AuthorizerURI *string `json:"authorizerUri,omitempty" tf:"authorizer_uri,omitempty"`
+
 	// Authorizer identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Source of the identity in an incoming request. Defaults to method.request.header.Authorization. For REQUEST type, this may be a comma-separated list of values, including headers, query string parameters and stage variables - e.g., "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
+	IdentitySource *string `json:"identitySource,omitempty" tf:"identity_source,omitempty"`
+
+	// Validation expression for the incoming identity. For TOKEN type, this value should be a regular expression. The incoming token from the client is matched against this expression, and will proceed if the token matches. If the token doesn't match, the client receives a 401 Unauthorized response.
+	IdentityValidationExpression *string `json:"identityValidationExpression,omitempty" tf:"identity_validation_expression,omitempty"`
+
+	// Name of the authorizer
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// List of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
+	ProviderArns []*string `json:"providerArns,omitempty" tf:"provider_arns,omitempty"`
+
+	// ID of the associated REST API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Type of the authorizer. Possible values are TOKEN for a Lambda function using a single authorization token submitted in a custom header, REQUEST for a Lambda function using incoming request parameters, or COGNITO_USER_POOLS for using an Amazon Cognito user pool. Defaults to TOKEN.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type AuthorizerParameters struct {
@@ -66,8 +94,8 @@ type AuthorizerParameters struct {
 	IdentityValidationExpression *string `json:"identityValidationExpression,omitempty" tf:"identity_validation_expression,omitempty"`
 
 	// Name of the authorizer
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// List of the Amazon Cognito user pool ARNs. Each element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.
 	// +kubebuilder:validation:Optional
@@ -121,8 +149,9 @@ type AuthorizerStatus struct {
 type Authorizer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AuthorizerSpec   `json:"spec"`
-	Status            AuthorizerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AuthorizerSpec   `json:"spec"`
+	Status AuthorizerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_basepathmapping_types.go b/apis/apigateway/v1beta1/zz_basepathmapping_types.go
index fc25c620b3..6cc70ca506 100755
--- a/apis/apigateway/v1beta1/zz_basepathmapping_types.go
+++ b/apis/apigateway/v1beta1/zz_basepathmapping_types.go
@@ -14,7 +14,20 @@ import (
 )
 
 type BasePathMappingObservation struct {
+
+	// ID of the API to connect.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// Path segment that must be prepended to the path when accessing the API via this mapping. If omitted, the API is exposed at the root of the given domain.
+	BasePath *string `json:"basePath,omitempty" tf:"base_path,omitempty"`
+
+	// Already-registered domain name to connect the API to.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of a specific deployment stage to expose at the given path. If omitted, callers may select any stage by including its name as a path element after the base path.
+	StageName *string `json:"stageName,omitempty" tf:"stage_name,omitempty"`
 }
 
 type BasePathMappingParameters struct {
diff --git a/apis/apigateway/v1beta1/zz_clientcertificate_types.go b/apis/apigateway/v1beta1/zz_clientcertificate_types.go
index 8ab098052a..7e336fbfc7 100755
--- a/apis/apigateway/v1beta1/zz_clientcertificate_types.go
+++ b/apis/apigateway/v1beta1/zz_clientcertificate_types.go
@@ -21,6 +21,9 @@ type ClientCertificateObservation struct {
 	// Date when the client certificate was created.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// Description of the client certificate.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Date when the client certificate will expire.
 	ExpirationDate *string `json:"expirationDate,omitempty" tf:"expiration_date,omitempty"`
 
@@ -30,6 +33,9 @@ type ClientCertificateObservation struct {
 	// The PEM-encoded public key of the client certificate.
 	PemEncodedCertificate *string `json:"pemEncodedCertificate,omitempty" tf:"pem_encoded_certificate,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/apigateway/v1beta1/zz_deployment_types.go b/apis/apigateway/v1beta1/zz_deployment_types.go
index b0680f638c..66ee6a839c 100755
--- a/apis/apigateway/v1beta1/zz_deployment_types.go
+++ b/apis/apigateway/v1beta1/zz_deployment_types.go
@@ -18,6 +18,9 @@ type DeploymentObservation struct {
 	// Creation date of the deployment
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// Description of the deployment
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Execution ARN to be used in lambda_permission's source_arn
 	// when allowing API Gateway to invoke a Lambda function,
 	// e.g., arn:aws:execute-api:eu-west-2:123456789012:z4675bid1j/prod
@@ -29,6 +32,21 @@ type DeploymentObservation struct {
 	// URL to invoke the API pointing to the stage,
 	// e.g., https://z4675bid1j.execute-api.eu-west-2.amazonaws.com/prod
 	InvokeURL *string `json:"invokeUrl,omitempty" tf:"invoke_url,omitempty"`
+
+	// REST API identifier.
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Description to set on the stage managed by the stage_name argument.
+	StageDescription *string `json:"stageDescription,omitempty" tf:"stage_description,omitempty"`
+
+	// Name of the stage to create with this deployment. If the specified stage already exists, it will be updated to point to the new deployment. We recommend using the aws_api_gateway_stage resource instead to manage stages.
+	StageName *string `json:"stageName,omitempty" tf:"stage_name,omitempty"`
+
+	// argument or explicit resource references using the resource . The triggers argument should be preferred over depends_on, since depends_on can only capture dependency ordering and will not cause the resource to recreate (redeploy the REST API) with upstream configuration changes.
+	Triggers map[string]*string `json:"triggers,omitempty" tf:"triggers,omitempty"`
+
+	// Map to set on the stage managed by the stage_name argument.
+	Variables map[string]*string `json:"variables,omitempty" tf:"variables,omitempty"`
 }
 
 type DeploymentParameters struct {
diff --git a/apis/apigateway/v1beta1/zz_documentationpart_types.go b/apis/apigateway/v1beta1/zz_documentationpart_types.go
index 9b485f6981..11e908df99 100755
--- a/apis/apigateway/v1beta1/zz_documentationpart_types.go
+++ b/apis/apigateway/v1beta1/zz_documentationpart_types.go
@@ -17,17 +17,26 @@ type DocumentationPartObservation struct {
 
 	// Unique ID of the Documentation Part
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Location of the targeted API entity of the to-be-created documentation part. See below.
+	Location []LocationObservation `json:"location,omitempty" tf:"location,omitempty"`
+
+	// Content map of API-specific key-value pairs describing the targeted API entity. The map must be encoded as a JSON string, e.g., "{ "description": "The API does ..." }". Only Swagger-compliant key-value pairs can be exported and, hence, published.
+	Properties *string `json:"properties,omitempty" tf:"properties,omitempty"`
+
+	// ID of the associated Rest API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
 }
 
 type DocumentationPartParameters struct {
 
 	// Location of the targeted API entity of the to-be-created documentation part. See below.
-	// +kubebuilder:validation:Required
-	Location []LocationParameters `json:"location" tf:"location,omitempty"`
+	// +kubebuilder:validation:Optional
+	Location []LocationParameters `json:"location,omitempty" tf:"location,omitempty"`
 
 	// Content map of API-specific key-value pairs describing the targeted API entity. The map must be encoded as a JSON string, e.g., "{ "description": "The API does ..." }". Only Swagger-compliant key-value pairs can be exported and, hence, published.
-	// +kubebuilder:validation:Required
-	Properties *string `json:"properties" tf:"properties,omitempty"`
+	// +kubebuilder:validation:Optional
+	Properties *string `json:"properties,omitempty" tf:"properties,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -50,6 +59,21 @@ type DocumentationPartParameters struct {
 }
 
 type LocationObservation struct {
+
+	// HTTP verb of a method. The default value is * for any method.
+	Method *string `json:"method,omitempty" tf:"method,omitempty"`
+
+	// Name of the targeted API entity.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// URL path of the target. The default value is / for the root resource.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// HTTP status code of a response. The default value is * for any status code.
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
+
+	// Type of API entity to which the documentation content appliesE.g., API, METHOD or REQUEST_BODY
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type LocationParameters struct {
@@ -99,8 +123,10 @@ type DocumentationPartStatus struct {
 type DocumentationPart struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DocumentationPartSpec   `json:"spec"`
-	Status            DocumentationPartStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.location)",message="location is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.properties)",message="properties is a required parameter"
+	Spec   DocumentationPartSpec   `json:"spec"`
+	Status DocumentationPartStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_documentationversion_types.go b/apis/apigateway/v1beta1/zz_documentationversion_types.go
index 266191152d..35c126c054 100755
--- a/apis/apigateway/v1beta1/zz_documentationversion_types.go
+++ b/apis/apigateway/v1beta1/zz_documentationversion_types.go
@@ -14,7 +14,17 @@ import (
 )
 
 type DocumentationVersionObservation struct {
+
+	// Description of the API documentation version.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ID of the associated Rest API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Version identifier of the API documentation snapshot.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type DocumentationVersionParameters struct {
@@ -43,8 +53,8 @@ type DocumentationVersionParameters struct {
 	RestAPIIDSelector *v1.Selector `json:"restApiIdSelector,omitempty" tf:"-"`
 
 	// Version identifier of the API documentation snapshot.
-	// +kubebuilder:validation:Required
-	Version *string `json:"version" tf:"version,omitempty"`
+	// +kubebuilder:validation:Optional
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 // DocumentationVersionSpec defines the desired state of DocumentationVersion
@@ -71,8 +81,9 @@ type DocumentationVersionStatus struct {
 type DocumentationVersion struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DocumentationVersionSpec   `json:"spec"`
-	Status            DocumentationVersionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)",message="version is a required parameter"
+	Spec   DocumentationVersionSpec   `json:"spec"`
+	Status DocumentationVersionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_domainname_types.go b/apis/apigateway/v1beta1/zz_domainname_types.go
index bbb9b0beed..5b53b0e601 100755
--- a/apis/apigateway/v1beta1/zz_domainname_types.go
+++ b/apis/apigateway/v1beta1/zz_domainname_types.go
@@ -18,6 +18,18 @@ type DomainNameObservation struct {
 	// ARN of domain name.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN for an AWS-managed certificate. AWS Certificate Manager is the only supported source. Used when an edge-optimized domain name is desired. Conflicts with certificate_name, certificate_body, certificate_chain, certificate_private_key, regional_certificate_arn, and regional_certificate_name.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
+	// Certificate issued for the domain name being registered, in PEM format. Only valid for EDGE endpoint configuration type. Conflicts with certificate_arn, regional_certificate_arn, and regional_certificate_name.
+	CertificateBody *string `json:"certificateBody,omitempty" tf:"certificate_body,omitempty"`
+
+	// Certificate for the CA that issued the certificate, along with any intermediate CA certificates required to create an unbroken chain to a certificate trusted by the intended API clients. Only valid for EDGE endpoint configuration type. Conflicts with certificate_arn, regional_certificate_arn, and regional_certificate_name.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
+	// Unique name to use when registering this certificate as an IAM server certificate. Conflicts with certificate_arn, regional_certificate_arn, and regional_certificate_name. Required if certificate_arn is not set.
+	CertificateName *string `json:"certificateName,omitempty" tf:"certificate_name,omitempty"`
+
 	// Upload date associated with the domain certificate.
 	CertificateUploadDate *string `json:"certificateUploadDate,omitempty" tf:"certificate_upload_date,omitempty"`
 
@@ -27,15 +39,39 @@ type DomainNameObservation struct {
 	// For convenience, the hosted zone ID (Z2FDTNDATAQYW2) that can be used to create a Route53 alias record for the distribution.
 	CloudfrontZoneID *string `json:"cloudfrontZoneId,omitempty" tf:"cloudfront_zone_id,omitempty"`
 
+	// Fully-qualified domain name to register.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// Configuration block defining API endpoint information including type. See below.
+	EndpointConfiguration []EndpointConfigurationObservation `json:"endpointConfiguration,omitempty" tf:"endpoint_configuration,omitempty"`
+
 	// Internal identifier assigned to this domain name by API Gateway.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Mutual TLS authentication configuration for the domain name. See below.
+	MutualTLSAuthentication []MutualTLSAuthenticationObservation `json:"mutualTlsAuthentication,omitempty" tf:"mutual_tls_authentication,omitempty"`
+
+	// ARN of the AWS-issued certificate used to validate custom domain ownership (when certificate_arn is issued via an ACM Private CA or mutual_tls_authentication is configured with an ACM-imported certificate.)
+	OwnershipVerificationCertificateArn *string `json:"ownershipVerificationCertificateArn,omitempty" tf:"ownership_verification_certificate_arn,omitempty"`
+
+	// ARN for an AWS-managed certificate. AWS Certificate Manager is the only supported source. Used when a regional domain name is desired. Conflicts with certificate_arn, certificate_name, certificate_body, certificate_chain, and certificate_private_key.
+	RegionalCertificateArn *string `json:"regionalCertificateArn,omitempty" tf:"regional_certificate_arn,omitempty"`
+
+	// User-friendly name of the certificate that will be used by regional endpoint for this domain name. Conflicts with certificate_arn, certificate_name, certificate_body, certificate_chain, and certificate_private_key.
+	RegionalCertificateName *string `json:"regionalCertificateName,omitempty" tf:"regional_certificate_name,omitempty"`
+
 	// Hostname for the custom domain's regional endpoint.
 	RegionalDomainName *string `json:"regionalDomainName,omitempty" tf:"regional_domain_name,omitempty"`
 
 	// Hosted zone ID that can be used to create a Route53 alias record for the regional endpoint.
 	RegionalZoneID *string `json:"regionalZoneId,omitempty" tf:"regional_zone_id,omitempty"`
 
+	// Transport Layer Security (TLS) version + cipher suite for this DomainName. Valid values are TLS_1_0 and TLS_1_2. Must be configured to perform drift detection.
+	SecurityPolicy *string `json:"securityPolicy,omitempty" tf:"security_policy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -73,8 +109,8 @@ type DomainNameParameters struct {
 	CertificatePrivateKeySecretRef *v1.SecretKeySelector `json:"certificatePrivateKeySecretRef,omitempty" tf:"-"`
 
 	// Fully-qualified domain name to register.
-	// +kubebuilder:validation:Required
-	DomainName *string `json:"domainName" tf:"domain_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
 
 	// Configuration block defining API endpoint information including type. See below.
 	// +kubebuilder:validation:Optional
@@ -121,6 +157,9 @@ type DomainNameParameters struct {
 }
 
 type EndpointConfigurationObservation struct {
+
+	// List of endpoint types. This resource currently only supports managing a single value. Valid values: EDGE or REGIONAL. If unspecified, defaults to EDGE. Must be declared as REGIONAL in non-Commercial partitions. Refer to the documentation for more information on the difference between edge-optimized and regional APIs.
+	Types []*string `json:"types,omitempty" tf:"types,omitempty"`
 }
 
 type EndpointConfigurationParameters struct {
@@ -131,6 +170,12 @@ type EndpointConfigurationParameters struct {
 }
 
 type MutualTLSAuthenticationObservation struct {
+
+	// Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://bucket-name/key-name. The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version.
+	TruststoreURI *string `json:"truststoreUri,omitempty" tf:"truststore_uri,omitempty"`
+
+	// Version of the S3 object that contains the truststore. To specify a version, you must have versioning enabled for the S3 bucket.
+	TruststoreVersion *string `json:"truststoreVersion,omitempty" tf:"truststore_version,omitempty"`
 }
 
 type MutualTLSAuthenticationParameters struct {
@@ -168,8 +213,9 @@ type DomainNameStatus struct {
 type DomainName struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainNameSpec   `json:"spec"`
-	Status            DomainNameStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)",message="domainName is a required parameter"
+	Spec   DomainNameSpec   `json:"spec"`
+	Status DomainNameStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_gatewayresponse_types.go b/apis/apigateway/v1beta1/zz_gatewayresponse_types.go
index debba240d2..fd63fa20aa 100755
--- a/apis/apigateway/v1beta1/zz_gatewayresponse_types.go
+++ b/apis/apigateway/v1beta1/zz_gatewayresponse_types.go
@@ -15,6 +15,21 @@ import (
 
 type GatewayResponseObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Map of parameters (paths, query strings and headers) of the Gateway Response.
+	ResponseParameters map[string]*string `json:"responseParameters,omitempty" tf:"response_parameters,omitempty"`
+
+	// Map of templates used to transform the response body.
+	ResponseTemplates map[string]*string `json:"responseTemplates,omitempty" tf:"response_templates,omitempty"`
+
+	// Response type of the associated GatewayResponse.
+	ResponseType *string `json:"responseType,omitempty" tf:"response_type,omitempty"`
+
+	// String identifier of the associated REST API.
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// HTTP status code of the Gateway Response.
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type GatewayResponseParameters struct {
@@ -33,8 +48,8 @@ type GatewayResponseParameters struct {
 	ResponseTemplates map[string]*string `json:"responseTemplates,omitempty" tf:"response_templates,omitempty"`
 
 	// Response type of the associated GatewayResponse.
-	// +kubebuilder:validation:Required
-	ResponseType *string `json:"responseType" tf:"response_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResponseType *string `json:"responseType,omitempty" tf:"response_type,omitempty"`
 
 	// String identifier of the associated REST API.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/apigateway/v1beta1.RestAPI
@@ -79,8 +94,9 @@ type GatewayResponseStatus struct {
 type GatewayResponse struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GatewayResponseSpec   `json:"spec"`
-	Status            GatewayResponseStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.responseType)",message="responseType is a required parameter"
+	Spec   GatewayResponseSpec   `json:"spec"`
+	Status GatewayResponseStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_generated.deepcopy.go b/apis/apigateway/v1beta1/zz_generated.deepcopy.go
index 53e1baba00..6e463315fb 100644
--- a/apis/apigateway/v1beta1/zz_generated.deepcopy.go
+++ b/apis/apigateway/v1beta1/zz_generated.deepcopy.go
@@ -86,6 +86,16 @@ func (in *APIKeyObservation) DeepCopyInto(out *APIKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -96,6 +106,26 @@ func (in *APIKeyObservation) DeepCopyInto(out *APIKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -215,6 +245,23 @@ func (in *APIKeyStatus) DeepCopy() *APIKeyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *APIStagesObservation) DeepCopyInto(out *APIStagesObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Stage != nil {
+		in, out := &in.Stage, &out.Stage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throttle != nil {
+		in, out := &in.Throttle, &out.Throttle
+		*out = make([]ThrottleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIStagesObservation.
@@ -282,6 +329,16 @@ func (in *APIStagesParameters) DeepCopy() *APIStagesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessLogSettingsObservation) DeepCopyInto(out *AccessLogSettingsObservation) {
 	*out = *in
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessLogSettingsObservation.
@@ -381,6 +438,11 @@ func (in *AccountList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountObservation) DeepCopyInto(out *AccountObservation) {
 	*out = *in
+	if in.CloudwatchRoleArn != nil {
+		in, out := &in.CloudwatchRoleArn, &out.CloudwatchRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -541,11 +603,62 @@ func (in *AuthorizerObservation) DeepCopyInto(out *AuthorizerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthorizerCredentials != nil {
+		in, out := &in.AuthorizerCredentials, &out.AuthorizerCredentials
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthorizerResultTTLInSeconds != nil {
+		in, out := &in.AuthorizerResultTTLInSeconds, &out.AuthorizerResultTTLInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AuthorizerURI != nil {
+		in, out := &in.AuthorizerURI, &out.AuthorizerURI
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentitySource != nil {
+		in, out := &in.IdentitySource, &out.IdentitySource
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdentityValidationExpression != nil {
+		in, out := &in.IdentityValidationExpression, &out.IdentityValidationExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProviderArns != nil {
+		in, out := &in.ProviderArns, &out.ProviderArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizerObservation.
@@ -755,11 +868,31 @@ func (in *BasePathMappingList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BasePathMappingObservation) DeepCopyInto(out *BasePathMappingObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.BasePath != nil {
+		in, out := &in.BasePath, &out.BasePath
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StageName != nil {
+		in, out := &in.StageName, &out.StageName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasePathMappingObservation.
@@ -879,6 +1012,31 @@ func (in *BasePathMappingStatus) DeepCopy() *BasePathMappingStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CanarySettingsObservation) DeepCopyInto(out *CanarySettingsObservation) {
 	*out = *in
+	if in.PercentTraffic != nil {
+		in, out := &in.PercentTraffic, &out.PercentTraffic
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StageVariableOverrides != nil {
+		in, out := &in.StageVariableOverrides, &out.StageVariableOverrides
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UseStageCache != nil {
+		in, out := &in.UseStageCache, &out.UseStageCache
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CanarySettingsObservation.
@@ -1003,6 +1161,11 @@ func (in *ClientCertificateObservation) DeepCopyInto(out *ClientCertificateObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ExpirationDate != nil {
 		in, out := &in.ExpirationDate, &out.ExpirationDate
 		*out = new(string)
@@ -1018,6 +1181,21 @@ func (in *ClientCertificateObservation) DeepCopyInto(out *ClientCertificateObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1186,6 +1364,11 @@ func (in *DeploymentObservation) DeepCopyInto(out *DeploymentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ExecutionArn != nil {
 		in, out := &in.ExecutionArn, &out.ExecutionArn
 		*out = new(string)
@@ -1201,6 +1384,51 @@ func (in *DeploymentObservation) DeepCopyInto(out *DeploymentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StageDescription != nil {
+		in, out := &in.StageDescription, &out.StageDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.StageName != nil {
+		in, out := &in.StageName, &out.StageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Triggers != nil {
+		in, out := &in.Triggers, &out.Triggers
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Variables != nil {
+		in, out := &in.Variables, &out.Variables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentObservation.
@@ -1394,6 +1622,23 @@ func (in *DocumentationPartObservation) DeepCopyInto(out *DocumentationPartObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = make([]LocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DocumentationPartObservation.
@@ -1549,19 +1794,34 @@ func (in *DocumentationVersionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DocumentationVersionObservation) DeepCopyInto(out *DocumentationVersionObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DocumentationVersionObservation.
-func (in *DocumentationVersionObservation) DeepCopy() *DocumentationVersionObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(DocumentationVersionObservation)
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DocumentationVersionObservation.
+func (in *DocumentationVersionObservation) DeepCopy() *DocumentationVersionObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(DocumentationVersionObservation)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -1712,6 +1972,26 @@ func (in *DomainNameObservation) DeepCopyInto(out *DomainNameObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateBody != nil {
+		in, out := &in.CertificateBody, &out.CertificateBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateName != nil {
+		in, out := &in.CertificateName, &out.CertificateName
+		*out = new(string)
+		**out = **in
+	}
 	if in.CertificateUploadDate != nil {
 		in, out := &in.CertificateUploadDate, &out.CertificateUploadDate
 		*out = new(string)
@@ -1727,11 +2007,45 @@ func (in *DomainNameObservation) DeepCopyInto(out *DomainNameObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EndpointConfiguration != nil {
+		in, out := &in.EndpointConfiguration, &out.EndpointConfiguration
+		*out = make([]EndpointConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MutualTLSAuthentication != nil {
+		in, out := &in.MutualTLSAuthentication, &out.MutualTLSAuthentication
+		*out = make([]MutualTLSAuthenticationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OwnershipVerificationCertificateArn != nil {
+		in, out := &in.OwnershipVerificationCertificateArn, &out.OwnershipVerificationCertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegionalCertificateArn != nil {
+		in, out := &in.RegionalCertificateArn, &out.RegionalCertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegionalCertificateName != nil {
+		in, out := &in.RegionalCertificateName, &out.RegionalCertificateName
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegionalDomainName != nil {
 		in, out := &in.RegionalDomainName, &out.RegionalDomainName
 		*out = new(string)
@@ -1742,6 +2056,26 @@ func (in *DomainNameObservation) DeepCopyInto(out *DomainNameObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SecurityPolicy != nil {
+		in, out := &in.SecurityPolicy, &out.SecurityPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1925,6 +2259,17 @@ func (in *DomainNameStatus) DeepCopy() *DomainNameStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndpointConfigurationObservation) DeepCopyInto(out *EndpointConfigurationObservation) {
 	*out = *in
+	if in.Types != nil {
+		in, out := &in.Types, &out.Types
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointConfigurationObservation.
@@ -2030,6 +2375,51 @@ func (in *GatewayResponseObservation) DeepCopyInto(out *GatewayResponseObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResponseParameters != nil {
+		in, out := &in.ResponseParameters, &out.ResponseParameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResponseTemplates != nil {
+		in, out := &in.ResponseTemplates, &out.ResponseTemplates
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResponseType != nil {
+		in, out := &in.ResponseType, &out.ResponseType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayResponseObservation.
@@ -2213,11 +2603,124 @@ func (in *IntegrationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntegrationObservation) DeepCopyInto(out *IntegrationObservation) {
 	*out = *in
+	if in.CacheKeyParameters != nil {
+		in, out := &in.CacheKeyParameters, &out.CacheKeyParameters
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CacheNamespace != nil {
+		in, out := &in.CacheNamespace, &out.CacheNamespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionType != nil {
+		in, out := &in.ConnectionType, &out.ConnectionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentHandling != nil {
+		in, out := &in.ContentHandling, &out.ContentHandling
+		*out = new(string)
+		**out = **in
+	}
+	if in.Credentials != nil {
+		in, out := &in.Credentials, &out.Credentials
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPMethod != nil {
+		in, out := &in.HTTPMethod, &out.HTTPMethod
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IntegrationHTTPMethod != nil {
+		in, out := &in.IntegrationHTTPMethod, &out.IntegrationHTTPMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.PassthroughBehavior != nil {
+		in, out := &in.PassthroughBehavior, &out.PassthroughBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequestParameters != nil {
+		in, out := &in.RequestParameters, &out.RequestParameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RequestTemplates != nil {
+		in, out := &in.RequestTemplates, &out.RequestTemplates
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TLSConfig != nil {
+		in, out := &in.TLSConfig, &out.TLSConfig
+		*out = make([]TLSConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TimeoutMilliseconds != nil {
+		in, out := &in.TimeoutMilliseconds, &out.TimeoutMilliseconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntegrationObservation.
@@ -2475,11 +2978,71 @@ func (in *IntegrationResponseList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntegrationResponseObservation) DeepCopyInto(out *IntegrationResponseObservation) {
 	*out = *in
+	if in.ContentHandling != nil {
+		in, out := &in.ContentHandling, &out.ContentHandling
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPMethod != nil {
+		in, out := &in.HTTPMethod, &out.HTTPMethod
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseParameters != nil {
+		in, out := &in.ResponseParameters, &out.ResponseParameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResponseTemplates != nil {
+		in, out := &in.ResponseTemplates, &out.ResponseTemplates
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SelectionPattern != nil {
+		in, out := &in.SelectionPattern, &out.SelectionPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntegrationResponseObservation.
@@ -2683,6 +3246,31 @@ func (in *IntegrationStatus) DeepCopy() *IntegrationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LocationObservation) DeepCopyInto(out *LocationObservation) {
 	*out = *in
+	if in.Method != nil {
+		in, out := &in.Method, &out.Method
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocationObservation.
@@ -2797,11 +3385,92 @@ func (in *MethodList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MethodObservation) DeepCopyInto(out *MethodObservation) {
 	*out = *in
+	if in.APIKeyRequired != nil {
+		in, out := &in.APIKeyRequired, &out.APIKeyRequired
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Authorization != nil {
+		in, out := &in.Authorization, &out.Authorization
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthorizationScopes != nil {
+		in, out := &in.AuthorizationScopes, &out.AuthorizationScopes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AuthorizerID != nil {
+		in, out := &in.AuthorizerID, &out.AuthorizerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPMethod != nil {
+		in, out := &in.HTTPMethod, &out.HTTPMethod
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OperationName != nil {
+		in, out := &in.OperationName, &out.OperationName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequestModels != nil {
+		in, out := &in.RequestModels, &out.RequestModels
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RequestParameters != nil {
+		in, out := &in.RequestParameters, &out.RequestParameters
+		*out = make(map[string]*bool, len(*in))
+		for key, val := range *in {
+			var outVal *bool
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(bool)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RequestValidatorID != nil {
+		in, out := &in.RequestValidatorID, &out.RequestValidatorID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MethodObservation.
@@ -3007,11 +3676,61 @@ func (in *MethodResponseList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MethodResponseObservation) DeepCopyInto(out *MethodResponseObservation) {
 	*out = *in
+	if in.HTTPMethod != nil {
+		in, out := &in.HTTPMethod, &out.HTTPMethod
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseModels != nil {
+		in, out := &in.ResponseModels, &out.ResponseModels
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResponseParameters != nil {
+		in, out := &in.ResponseParameters, &out.ResponseParameters
+		*out = make(map[string]*bool, len(*in))
+		for key, val := range *in {
+			var outVal *bool
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(bool)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MethodResponseObservation.
@@ -3225,6 +3944,28 @@ func (in *MethodSettingsObservation) DeepCopyInto(out *MethodSettingsObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.MethodPath != nil {
+		in, out := &in.MethodPath, &out.MethodPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Settings != nil {
+		in, out := &in.Settings, &out.Settings
+		*out = make([]SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StageName != nil {
+		in, out := &in.StageName, &out.StageName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MethodSettingsObservation.
@@ -3423,17 +4164,42 @@ func (in *ModelList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ModelObservation) DeepCopyInto(out *ModelObservation) {
-	*out = *in
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ModelObservation) DeepCopyInto(out *ModelObservation) {
+	*out = *in
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schema != nil {
+		in, out := &in.Schema, &out.Schema
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModelObservation.
@@ -3538,6 +4304,16 @@ func (in *ModelStatus) DeepCopy() *ModelStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MutualTLSAuthenticationObservation) DeepCopyInto(out *MutualTLSAuthenticationObservation) {
 	*out = *in
+	if in.TruststoreURI != nil {
+		in, out := &in.TruststoreURI, &out.TruststoreURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.TruststoreVersion != nil {
+		in, out := &in.TruststoreVersion, &out.TruststoreVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutualTLSAuthenticationObservation.
@@ -3578,6 +4354,21 @@ func (in *MutualTLSAuthenticationParameters) DeepCopy() *MutualTLSAuthentication
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QuotaSettingsObservation) DeepCopyInto(out *QuotaSettingsObservation) {
 	*out = *in
+	if in.Limit != nil {
+		in, out := &in.Limit, &out.Limit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Offset != nil {
+		in, out := &in.Offset, &out.Offset
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Period != nil {
+		in, out := &in.Period, &out.Period
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QuotaSettingsObservation.
@@ -3687,6 +4478,26 @@ func (in *RequestValidatorObservation) DeepCopyInto(out *RequestValidatorObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValidateRequestBody != nil {
+		in, out := &in.ValidateRequestBody, &out.ValidateRequestBody
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ValidateRequestParameters != nil {
+		in, out := &in.ValidateRequestParameters, &out.ValidateRequestParameters
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestValidatorObservation.
@@ -3850,11 +4661,26 @@ func (in *ResourceObservation) DeepCopyInto(out *ResourceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ParentID != nil {
+		in, out := &in.ParentID, &out.ParentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Path != nil {
 		in, out := &in.Path, &out.Path
 		*out = new(string)
 		**out = **in
 	}
+	if in.PathPart != nil {
+		in, out := &in.PathPart, &out.PathPart
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceObservation.
@@ -3986,6 +4812,28 @@ func (in *RestAPI) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RestAPIEndpointConfigurationObservation) DeepCopyInto(out *RestAPIEndpointConfigurationObservation) {
 	*out = *in
+	if in.Types != nil {
+		in, out := &in.Types, &out.Types
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCEndpointIds != nil {
+		in, out := &in.VPCEndpointIds, &out.VPCEndpointIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestAPIEndpointConfigurationObservation.
@@ -4070,16 +4918,54 @@ func (in *RestAPIList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RestAPIObservation) DeepCopyInto(out *RestAPIObservation) {
 	*out = *in
+	if in.APIKeySource != nil {
+		in, out := &in.APIKeySource, &out.APIKeySource
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BinaryMediaTypes != nil {
+		in, out := &in.BinaryMediaTypes, &out.BinaryMediaTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Body != nil {
+		in, out := &in.Body, &out.Body
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreatedDate != nil {
 		in, out := &in.CreatedDate, &out.CreatedDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableExecuteAPIEndpoint != nil {
+		in, out := &in.DisableExecuteAPIEndpoint, &out.DisableExecuteAPIEndpoint
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EndpointConfiguration != nil {
+		in, out := &in.EndpointConfiguration, &out.EndpointConfiguration
+		*out = make([]RestAPIEndpointConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ExecutionArn != nil {
 		in, out := &in.ExecutionArn, &out.ExecutionArn
 		*out = new(string)
@@ -4090,16 +4976,61 @@ func (in *RestAPIObservation) DeepCopyInto(out *RestAPIObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MinimumCompressionSize != nil {
+		in, out := &in.MinimumCompressionSize, &out.MinimumCompressionSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(string)
 		**out = **in
 	}
+	if in.PutRestAPIMode != nil {
+		in, out := &in.PutRestAPIMode, &out.PutRestAPIMode
+		*out = new(string)
+		**out = **in
+	}
 	if in.RootResourceID != nil {
 		in, out := &in.RootResourceID, &out.RootResourceID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4297,6 +5228,16 @@ func (in *RestAPIPolicyObservation) DeepCopyInto(out *RestAPIPolicyObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestAPIPolicyObservation.
@@ -4395,31 +5336,81 @@ func (in *RestAPISpec) DeepCopy() *RestAPISpec {
 	if in == nil {
 		return nil
 	}
-	out := new(RestAPISpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RestAPIStatus) DeepCopyInto(out *RestAPIStatus) {
-	*out = *in
-	in.ResourceStatus.DeepCopyInto(&out.ResourceStatus)
-	in.AtProvider.DeepCopyInto(&out.AtProvider)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestAPIStatus.
-func (in *RestAPIStatus) DeepCopy() *RestAPIStatus {
-	if in == nil {
-		return nil
+	out := new(RestAPISpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RestAPIStatus) DeepCopyInto(out *RestAPIStatus) {
+	*out = *in
+	in.ResourceStatus.DeepCopyInto(&out.ResourceStatus)
+	in.AtProvider.DeepCopyInto(&out.AtProvider)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestAPIStatus.
+func (in *RestAPIStatus) DeepCopy() *RestAPIStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(RestAPIStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SettingsObservation) DeepCopyInto(out *SettingsObservation) {
+	*out = *in
+	if in.CacheDataEncrypted != nil {
+		in, out := &in.CacheDataEncrypted, &out.CacheDataEncrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CacheTTLInSeconds != nil {
+		in, out := &in.CacheTTLInSeconds, &out.CacheTTLInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CachingEnabled != nil {
+		in, out := &in.CachingEnabled, &out.CachingEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DataTraceEnabled != nil {
+		in, out := &in.DataTraceEnabled, &out.DataTraceEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LoggingLevel != nil {
+		in, out := &in.LoggingLevel, &out.LoggingLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricsEnabled != nil {
+		in, out := &in.MetricsEnabled, &out.MetricsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequireAuthorizationForCacheControl != nil {
+		in, out := &in.RequireAuthorizationForCacheControl, &out.RequireAuthorizationForCacheControl
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ThrottlingBurstLimit != nil {
+		in, out := &in.ThrottlingBurstLimit, &out.ThrottlingBurstLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThrottlingRateLimit != nil {
+		in, out := &in.ThrottlingRateLimit, &out.ThrottlingRateLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UnauthorizedCacheControlHeaderStrategy != nil {
+		in, out := &in.UnauthorizedCacheControlHeaderStrategy, &out.UnauthorizedCacheControlHeaderStrategy
+		*out = new(string)
+		**out = **in
 	}
-	out := new(RestAPIStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SettingsObservation) DeepCopyInto(out *SettingsObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SettingsObservation.
@@ -4559,11 +5550,55 @@ func (in *StageList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StageObservation) DeepCopyInto(out *StageObservation) {
 	*out = *in
+	if in.AccessLogSettings != nil {
+		in, out := &in.AccessLogSettings, &out.AccessLogSettings
+		*out = make([]AccessLogSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.CacheClusterEnabled != nil {
+		in, out := &in.CacheClusterEnabled, &out.CacheClusterEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CacheClusterSize != nil {
+		in, out := &in.CacheClusterSize, &out.CacheClusterSize
+		*out = new(string)
+		**out = **in
+	}
+	if in.CanarySettings != nil {
+		in, out := &in.CanarySettings, &out.CanarySettings
+		*out = make([]CanarySettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClientCertificateID != nil {
+		in, out := &in.ClientCertificateID, &out.ClientCertificateID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeploymentID != nil {
+		in, out := &in.DeploymentID, &out.DeploymentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentationVersion != nil {
+		in, out := &in.DocumentationVersion, &out.DocumentationVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ExecutionArn != nil {
 		in, out := &in.ExecutionArn, &out.ExecutionArn
 		*out = new(string)
@@ -4579,6 +5614,31 @@ func (in *StageObservation) DeepCopyInto(out *StageObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RestAPIID != nil {
+		in, out := &in.RestAPIID, &out.RestAPIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StageName != nil {
+		in, out := &in.StageName, &out.StageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4594,11 +5654,31 @@ func (in *StageObservation) DeepCopyInto(out *StageObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Variables != nil {
+		in, out := &in.Variables, &out.Variables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.WebACLArn != nil {
 		in, out := &in.WebACLArn, &out.WebACLArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.XrayTracingEnabled != nil {
+		in, out := &in.XrayTracingEnabled, &out.XrayTracingEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StageObservation.
@@ -4777,6 +5857,11 @@ func (in *StageStatus) DeepCopy() *StageStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSConfigObservation) DeepCopyInto(out *TLSConfigObservation) {
 	*out = *in
+	if in.InsecureSkipVerification != nil {
+		in, out := &in.InsecureSkipVerification, &out.InsecureSkipVerification
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfigObservation.
@@ -4812,6 +5897,21 @@ func (in *TLSConfigParameters) DeepCopy() *TLSConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThrottleObservation) DeepCopyInto(out *ThrottleObservation) {
 	*out = *in
+	if in.BurstLimit != nil {
+		in, out := &in.BurstLimit, &out.BurstLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.RateLimit != nil {
+		in, out := &in.RateLimit, &out.RateLimit
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThrottleObservation.
@@ -4988,11 +6088,26 @@ func (in *UsagePlanKeyObservation) DeepCopyInto(out *UsagePlanKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyType != nil {
+		in, out := &in.KeyType, &out.KeyType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Name != nil {
 		in, out := &in.Name, &out.Name
 		*out = new(string)
 		**out = **in
 	}
+	if in.UsagePlanID != nil {
+		in, out := &in.UsagePlanID, &out.UsagePlanID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Value != nil {
 		in, out := &in.Value, &out.Value
 		*out = new(string)
@@ -5134,16 +6249,60 @@ func (in *UsagePlanList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UsagePlanObservation) DeepCopyInto(out *UsagePlanObservation) {
 	*out = *in
+	if in.APIStages != nil {
+		in, out := &in.APIStages, &out.APIStages
+		*out = make([]APIStagesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProductCode != nil {
+		in, out := &in.ProductCode, &out.ProductCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.QuotaSettings != nil {
+		in, out := &in.QuotaSettings, &out.QuotaSettings
+		*out = make([]QuotaSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5159,6 +6318,13 @@ func (in *UsagePlanObservation) DeepCopyInto(out *UsagePlanObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.ThrottleSettings != nil {
+		in, out := &in.ThrottleSettings, &out.ThrottleSettings
+		*out = make([]UsagePlanThrottleSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsagePlanObservation.
@@ -5279,6 +6445,16 @@ func (in *UsagePlanStatus) DeepCopy() *UsagePlanStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UsagePlanThrottleSettingsObservation) DeepCopyInto(out *UsagePlanThrottleSettingsObservation) {
 	*out = *in
+	if in.BurstLimit != nil {
+		in, out := &in.BurstLimit, &out.BurstLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RateLimit != nil {
+		in, out := &in.RateLimit, &out.RateLimit
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsagePlanThrottleSettingsObservation.
@@ -5383,11 +6559,36 @@ func (in *VPCLinkObservation) DeepCopyInto(out *VPCLinkObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5403,6 +6604,17 @@ func (in *VPCLinkObservation) DeepCopyInto(out *VPCLinkObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetArns != nil {
+		in, out := &in.TargetArns, &out.TargetArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCLinkObservation.
diff --git a/apis/apigateway/v1beta1/zz_integration_types.go b/apis/apigateway/v1beta1/zz_integration_types.go
index 5af0f23524..04114d96b9 100755
--- a/apis/apigateway/v1beta1/zz_integration_types.go
+++ b/apis/apigateway/v1beta1/zz_integration_types.go
@@ -14,7 +14,67 @@ import (
 )
 
 type IntegrationObservation struct {
+
+	// List of cache key parameters for the integration.
+	CacheKeyParameters []*string `json:"cacheKeyParameters,omitempty" tf:"cache_key_parameters,omitempty"`
+
+	// Integration's cache namespace.
+	CacheNamespace *string `json:"cacheNamespace,omitempty" tf:"cache_namespace,omitempty"`
+
+	// ID of the VpcLink used for the integration. Required if connection_type is VPC_LINK
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// Integration input's connectionType. Valid values are INTERNET (default for connections through the public routable internet), and VPC_LINK (for private connections between API Gateway and a network load balancer in a VPC).
+	ConnectionType *string `json:"connectionType,omitempty" tf:"connection_type,omitempty"`
+
+	// How to handle request payload content type conversions. Supported values are CONVERT_TO_BINARY and CONVERT_TO_TEXT. If this property is not defined, the request payload will be passed through from the method request to integration request without modification, provided that the passthroughBehaviors is configured to support payload pass-through.
+	ContentHandling *string `json:"contentHandling,omitempty" tf:"content_handling,omitempty"`
+
+	// Credentials required for the integration. For AWS integrations, 2 options are available. To specify an IAM Role for Amazon API Gateway to assume, use the role's ARN. To require that the caller's identity be passed through from the request, specify the string arn:aws:iam::\*:user/\*.
+	Credentials *string `json:"credentials,omitempty" tf:"credentials,omitempty"`
+
+	// HTTP method (GET, POST, PUT, DELETE, HEAD, OPTION, ANY)
+	// when calling the associated resource.
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Integration HTTP method
+	// (GET, POST, PUT, DELETE, HEAD, OPTIONs, ANY, PATCH) specifying how API Gateway will interact with the back end.
+	// Required if type is AWS, AWS_PROXY, HTTP or HTTP_PROXY.
+	// Not all methods are compatible with all AWS integrations.
+	// e.g., Lambda function can only be invoked via POST.
+	IntegrationHTTPMethod *string `json:"integrationHttpMethod,omitempty" tf:"integration_http_method,omitempty"`
+
+	// Integration passthrough behavior (WHEN_NO_MATCH, WHEN_NO_TEMPLATES, NEVER).  Required if request_templates is used.
+	PassthroughBehavior *string `json:"passthroughBehavior,omitempty" tf:"passthrough_behavior,omitempty"`
+
+	// Map of request query string parameters and headers that should be passed to the backend responder.
+	// For example: request_parameters = { "integration.request.header.X-Some-Other-Header" = "method.request.header.X-Some-Header" }
+	RequestParameters map[string]*string `json:"requestParameters,omitempty" tf:"request_parameters,omitempty"`
+
+	// Map of the integration's request templates.
+	RequestTemplates map[string]*string `json:"requestTemplates,omitempty" tf:"request_templates,omitempty"`
+
+	// API resource ID.
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// ID of the associated REST API.
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// TLS configuration. See below.
+	TLSConfig []TLSConfigObservation `json:"tlsConfig,omitempty" tf:"tls_config,omitempty"`
+
+	// Custom timeout between 50 and 29,000 milliseconds. The default value is 29,000 milliseconds.
+	TimeoutMilliseconds *float64 `json:"timeoutMilliseconds,omitempty" tf:"timeout_milliseconds,omitempty"`
+
+	// Integration input's type. Valid values are HTTP (for HTTP backends), MOCK (not calling any real backend), AWS (for AWS services), AWS_PROXY (for Lambda proxy integration) and HTTP_PROXY (for HTTP proxy integration). An HTTP or HTTP_PROXY integration with a connection_type of VPC_LINK is referred to as a private integration and uses a VpcLink to connect API Gateway to a network load balancer of a VPC.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Input's URI. Required if type is AWS, AWS_PROXY, HTTP or HTTP_PROXY.
+	// For HTTP integrations, the URI must be a fully formed, encoded HTTP(S) URL according to the RFC-3986 specification . For AWS integrations, the URI should be of the form arn:aws:apigateway:{region}:{subdomain.service|service}:{path|action}/{service_api}. region, subdomain and service are used to determine the right endpoint.
+	// e.g., arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:012345678901:function:my-func/invocations. For private integrations, the URI parameter is not used for routing requests to your endpoint, but is used for setting the Host header and for certificate validation.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type IntegrationParameters struct {
@@ -131,8 +191,8 @@ type IntegrationParameters struct {
 	TimeoutMilliseconds *float64 `json:"timeoutMilliseconds,omitempty" tf:"timeout_milliseconds,omitempty"`
 
 	// Integration input's type. Valid values are HTTP (for HTTP backends), MOCK (not calling any real backend), AWS (for AWS services), AWS_PROXY (for Lambda proxy integration) and HTTP_PROXY (for HTTP proxy integration). An HTTP or HTTP_PROXY integration with a connection_type of VPC_LINK is referred to as a private integration and uses a VpcLink to connect API Gateway to a network load balancer of a VPC.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 
 	// Input's URI. Required if type is AWS, AWS_PROXY, HTTP or HTTP_PROXY.
 	// For HTTP integrations, the URI must be a fully formed, encoded HTTP(S) URL according to the RFC-3986 specification . For AWS integrations, the URI should be of the form arn:aws:apigateway:{region}:{subdomain.service|service}:{path|action}/{service_api}. region, subdomain and service are used to determine the right endpoint.
@@ -152,6 +212,9 @@ type IntegrationParameters struct {
 }
 
 type TLSConfigObservation struct {
+
+	// Whether or not API Gateway skips verification that the certificate for an integration endpoint is issued by a supported certificate authority. This isn’t recommended, but it enables you to use certificates that are signed by private certificate authorities, or certificates that are self-signed. If enabled, API Gateway still performs basic certificate validation, which includes checking the certificate's expiration date, hostname, and presence of a root certificate authority. Supported only for HTTP and HTTP_PROXY integrations.
+	InsecureSkipVerification *bool `json:"insecureSkipVerification,omitempty" tf:"insecure_skip_verification,omitempty"`
 }
 
 type TLSConfigParameters struct {
@@ -185,8 +248,9 @@ type IntegrationStatus struct {
 type Integration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IntegrationSpec   `json:"spec"`
-	Status            IntegrationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   IntegrationSpec   `json:"spec"`
+	Status IntegrationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_integrationresponse_types.go b/apis/apigateway/v1beta1/zz_integrationresponse_types.go
index 79b8e62b4d..48eeaa8520 100755
--- a/apis/apigateway/v1beta1/zz_integrationresponse_types.go
+++ b/apis/apigateway/v1beta1/zz_integrationresponse_types.go
@@ -14,7 +14,32 @@ import (
 )
 
 type IntegrationResponseObservation struct {
+
+	// How to handle request payload content type conversions. Supported values are CONVERT_TO_BINARY and CONVERT_TO_TEXT. If this property is not defined, the response payload will be passed through from the integration response to the method response without modification.
+	ContentHandling *string `json:"contentHandling,omitempty" tf:"content_handling,omitempty"`
+
+	// HTTP method (GET, POST, PUT, DELETE, HEAD, OPTIONS, ANY).
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// API resource ID.
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// Map of response parameters that can be read from the backend response. For example: response_parameters = { "method.response.header.X-Some-Header" = "integration.response.header.X-Some-Other-Header" }.
+	ResponseParameters map[string]*string `json:"responseParameters,omitempty" tf:"response_parameters,omitempty"`
+
+	// Map of templates used to transform the integration response body.
+	ResponseTemplates map[string]*string `json:"responseTemplates,omitempty" tf:"response_templates,omitempty"`
+
+	// ID of the associated REST API.
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Regular expression pattern used to choose an integration response based on the response from the backend. Omit configuring this to make the integration the default one. If the backend is an AWS Lambda function, the AWS Lambda function error header is matched. For all other HTTP and AWS backends, the HTTP status code is matched.
+	SelectionPattern *string `json:"selectionPattern,omitempty" tf:"selection_pattern,omitempty"`
+
+	// HTTP status code.
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type IntegrationResponseParameters struct {
diff --git a/apis/apigateway/v1beta1/zz_method_types.go b/apis/apigateway/v1beta1/zz_method_types.go
index b1831701de..24774c1f37 100755
--- a/apis/apigateway/v1beta1/zz_method_types.go
+++ b/apis/apigateway/v1beta1/zz_method_types.go
@@ -14,7 +14,44 @@ import (
 )
 
 type MethodObservation struct {
+
+	// Specify if the method requires an API key
+	APIKeyRequired *bool `json:"apiKeyRequired,omitempty" tf:"api_key_required,omitempty"`
+
+	// Type of authorization used for the method (NONE, CUSTOM, AWS_IAM, COGNITO_USER_POOLS)
+	Authorization *string `json:"authorization,omitempty" tf:"authorization,omitempty"`
+
+	// Authorization scopes used when the authorization is COGNITO_USER_POOLS
+	AuthorizationScopes []*string `json:"authorizationScopes,omitempty" tf:"authorization_scopes,omitempty"`
+
+	// Authorizer id to be used when the authorization is CUSTOM or COGNITO_USER_POOLS
+	AuthorizerID *string `json:"authorizerId,omitempty" tf:"authorizer_id,omitempty"`
+
+	// HTTP Method (GET, POST, PUT, DELETE, HEAD, OPTIONS, ANY)
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Function name that will be given to the method when generating an SDK through API Gateway. If omitted, API Gateway will generate a function name based on the resource path and HTTP verb.
+	OperationName *string `json:"operationName,omitempty" tf:"operation_name,omitempty"`
+
+	// Map of the API models used for the request's content type
+	// where key is the content type (e.g., application/json)
+	// and value is either Error, Empty (built-in models) or aws_api_gateway_model's name.
+	RequestModels map[string]*string `json:"requestModels,omitempty" tf:"request_models,omitempty"`
+
+	// Map of request parameters (from the path, query string and headers) that should be passed to the integration. The boolean value indicates whether the parameter is required (true) or optional (false).
+	// For example: request_parameters = {"method.request.header.X-Some-Header" = true "method.request.querystring.some-query-param" = true} would define that the header X-Some-Header and the query string some-query-param must be provided in the request.
+	RequestParameters map[string]*bool `json:"requestParameters,omitempty" tf:"request_parameters,omitempty"`
+
+	// ID of a aws_api_gateway_request_validator
+	RequestValidatorID *string `json:"requestValidatorId,omitempty" tf:"request_validator_id,omitempty"`
+
+	// API resource ID
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// ID of the associated REST API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
 }
 
 type MethodParameters struct {
@@ -24,8 +61,8 @@ type MethodParameters struct {
 	APIKeyRequired *bool `json:"apiKeyRequired,omitempty" tf:"api_key_required,omitempty"`
 
 	// Type of authorization used for the method (NONE, CUSTOM, AWS_IAM, COGNITO_USER_POOLS)
-	// +kubebuilder:validation:Required
-	Authorization *string `json:"authorization" tf:"authorization,omitempty"`
+	// +kubebuilder:validation:Optional
+	Authorization *string `json:"authorization,omitempty" tf:"authorization,omitempty"`
 
 	// Authorization scopes used when the authorization is COGNITO_USER_POOLS
 	// +kubebuilder:validation:Optional
@@ -46,8 +83,8 @@ type MethodParameters struct {
 	AuthorizerIDSelector *v1.Selector `json:"authorizerIdSelector,omitempty" tf:"-"`
 
 	// HTTP Method (GET, POST, PUT, DELETE, HEAD, OPTIONS, ANY)
-	// +kubebuilder:validation:Required
-	HTTPMethod *string `json:"httpMethod" tf:"http_method,omitempty"`
+	// +kubebuilder:validation:Optional
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
 
 	// Function name that will be given to the method when generating an SDK through API Gateway. If omitted, API Gateway will generate a function name based on the resource path and HTTP verb.
 	// +kubebuilder:validation:Optional
@@ -126,8 +163,10 @@ type MethodStatus struct {
 type Method struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MethodSpec   `json:"spec"`
-	Status            MethodStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorization)",message="authorization is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.httpMethod)",message="httpMethod is a required parameter"
+	Spec   MethodSpec   `json:"spec"`
+	Status MethodStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_methodresponse_types.go b/apis/apigateway/v1beta1/zz_methodresponse_types.go
index e04142e998..35ee5a0d45 100755
--- a/apis/apigateway/v1beta1/zz_methodresponse_types.go
+++ b/apis/apigateway/v1beta1/zz_methodresponse_types.go
@@ -14,7 +14,28 @@ import (
 )
 
 type MethodResponseObservation struct {
+
+	// HTTP Method (GET, POST, PUT, DELETE, HEAD, OPTIONS, ANY)
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// API resource ID
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// Map of the API models used for the response's content type
+	ResponseModels map[string]*string `json:"responseModels,omitempty" tf:"response_models,omitempty"`
+
+	// Map of response parameters that can be sent to the caller.
+	// For example: response_parameters = { "method.response.header.X-Some-Header" = true }
+	// would define that the header X-Some-Header can be provided on the response.
+	ResponseParameters map[string]*bool `json:"responseParameters,omitempty" tf:"response_parameters,omitempty"`
+
+	// ID of the associated REST API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// HTTP status code
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type MethodResponseParameters struct {
@@ -77,8 +98,8 @@ type MethodResponseParameters struct {
 	RestAPIIDSelector *v1.Selector `json:"restApiIdSelector,omitempty" tf:"-"`
 
 	// HTTP status code
-	// +kubebuilder:validation:Required
-	StatusCode *string `json:"statusCode" tf:"status_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 // MethodResponseSpec defines the desired state of MethodResponse
@@ -105,8 +126,9 @@ type MethodResponseStatus struct {
 type MethodResponse struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MethodResponseSpec   `json:"spec"`
-	Status            MethodResponseStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statusCode)",message="statusCode is a required parameter"
+	Spec   MethodResponseSpec   `json:"spec"`
+	Status MethodResponseStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_methodsettings_types.go b/apis/apigateway/v1beta1/zz_methodsettings_types.go
index 13682de1f3..5fd44d8763 100755
--- a/apis/apigateway/v1beta1/zz_methodsettings_types.go
+++ b/apis/apigateway/v1beta1/zz_methodsettings_types.go
@@ -15,13 +15,25 @@ import (
 
 type MethodSettingsObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Method path defined as {resource_path}/{http_method} for an individual method override, or */* for overriding all methods in the stage. Ensure to trim any leading forward slashes in the path (e.g., trimprefix(aws_api_gateway_resource.example.path, "/")).
+	MethodPath *string `json:"methodPath,omitempty" tf:"method_path,omitempty"`
+
+	// ID of the REST API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Settings block, see below.
+	Settings []SettingsObservation `json:"settings,omitempty" tf:"settings,omitempty"`
+
+	// Name of the stage
+	StageName *string `json:"stageName,omitempty" tf:"stage_name,omitempty"`
 }
 
 type MethodSettingsParameters struct {
 
 	// Method path defined as {resource_path}/{http_method} for an individual method override, or */* for overriding all methods in the stage. Ensure to trim any leading forward slashes in the path (e.g., trimprefix(aws_api_gateway_resource.example.path, "/")).
-	// +kubebuilder:validation:Required
-	MethodPath *string `json:"methodPath" tf:"method_path,omitempty"`
+	// +kubebuilder:validation:Optional
+	MethodPath *string `json:"methodPath,omitempty" tf:"method_path,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -43,8 +55,8 @@ type MethodSettingsParameters struct {
 	RestAPIIDSelector *v1.Selector `json:"restApiIdSelector,omitempty" tf:"-"`
 
 	// Settings block, see below.
-	// +kubebuilder:validation:Required
-	Settings []SettingsParameters `json:"settings" tf:"settings,omitempty"`
+	// +kubebuilder:validation:Optional
+	Settings []SettingsParameters `json:"settings,omitempty" tf:"settings,omitempty"`
 
 	// Name of the stage
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/apigateway/v1beta1.Stage
@@ -62,6 +74,36 @@ type MethodSettingsParameters struct {
 }
 
 type SettingsObservation struct {
+
+	// Whether the cached responses are encrypted.
+	CacheDataEncrypted *bool `json:"cacheDataEncrypted,omitempty" tf:"cache_data_encrypted,omitempty"`
+
+	// Time to live (TTL), in seconds, for cached responses. The higher the TTL, the longer the response will be cached.
+	CacheTTLInSeconds *float64 `json:"cacheTtlInSeconds,omitempty" tf:"cache_ttl_in_seconds,omitempty"`
+
+	// Whether responses should be cached and returned for requests. A cache cluster must be enabled on the stage for responses to be cached.
+	CachingEnabled *bool `json:"cachingEnabled,omitempty" tf:"caching_enabled,omitempty"`
+
+	// Whether data trace logging is enabled for this method, which effects the log entries pushed to Amazon CloudWatch Logs.
+	DataTraceEnabled *bool `json:"dataTraceEnabled,omitempty" tf:"data_trace_enabled,omitempty"`
+
+	// Logging level for this method, which effects the log entries pushed to Amazon CloudWatch Logs. The available levels are OFF, ERROR, and INFO.
+	LoggingLevel *string `json:"loggingLevel,omitempty" tf:"logging_level,omitempty"`
+
+	// Whether Amazon CloudWatch metrics are enabled for this method.
+	MetricsEnabled *bool `json:"metricsEnabled,omitempty" tf:"metrics_enabled,omitempty"`
+
+	// Whether authorization is required for a cache invalidation request.
+	RequireAuthorizationForCacheControl *bool `json:"requireAuthorizationForCacheControl,omitempty" tf:"require_authorization_for_cache_control,omitempty"`
+
+	// Throttling burst limit. Default: -1 (throttling disabled).
+	ThrottlingBurstLimit *float64 `json:"throttlingBurstLimit,omitempty" tf:"throttling_burst_limit,omitempty"`
+
+	// Throttling rate limit. Default: -1 (throttling disabled).
+	ThrottlingRateLimit *float64 `json:"throttlingRateLimit,omitempty" tf:"throttling_rate_limit,omitempty"`
+
+	// How to handle unauthorized requests for cache invalidation. The available values are FAIL_WITH_403, SUCCEED_WITH_RESPONSE_HEADER, SUCCEED_WITHOUT_RESPONSE_HEADER.
+	UnauthorizedCacheControlHeaderStrategy *string `json:"unauthorizedCacheControlHeaderStrategy,omitempty" tf:"unauthorized_cache_control_header_strategy,omitempty"`
 }
 
 type SettingsParameters struct {
@@ -131,8 +173,10 @@ type MethodSettingsStatus struct {
 type MethodSettings struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MethodSettingsSpec   `json:"spec"`
-	Status            MethodSettingsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.methodPath)",message="methodPath is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settings)",message="settings is a required parameter"
+	Spec   MethodSettingsSpec   `json:"spec"`
+	Status MethodSettingsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_model_types.go b/apis/apigateway/v1beta1/zz_model_types.go
index 217bc72e21..2c4f437749 100755
--- a/apis/apigateway/v1beta1/zz_model_types.go
+++ b/apis/apigateway/v1beta1/zz_model_types.go
@@ -15,23 +15,38 @@ import (
 
 type ModelObservation struct {
 
+	// Content type of the model
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Description of the model
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// ID of the model
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the model
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the associated REST API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Schema of the model in a JSON form
+	Schema *string `json:"schema,omitempty" tf:"schema,omitempty"`
 }
 
 type ModelParameters struct {
 
 	// Content type of the model
-	// +kubebuilder:validation:Required
-	ContentType *string `json:"contentType" tf:"content_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
 
 	// Description of the model
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Name of the model
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -81,8 +96,10 @@ type ModelStatus struct {
 type Model struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ModelSpec   `json:"spec"`
-	Status            ModelStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentType)",message="contentType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ModelSpec   `json:"spec"`
+	Status ModelStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_requestvalidator_types.go b/apis/apigateway/v1beta1/zz_requestvalidator_types.go
index b803a7d0b2..08f320dea1 100755
--- a/apis/apigateway/v1beta1/zz_requestvalidator_types.go
+++ b/apis/apigateway/v1beta1/zz_requestvalidator_types.go
@@ -17,13 +17,25 @@ type RequestValidatorObservation struct {
 
 	// Unique ID of the request validator
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the request validator
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the associated Rest API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Boolean whether to validate request body. Defaults to false.
+	ValidateRequestBody *bool `json:"validateRequestBody,omitempty" tf:"validate_request_body,omitempty"`
+
+	// Boolean whether to validate request parameters. Defaults to false.
+	ValidateRequestParameters *bool `json:"validateRequestParameters,omitempty" tf:"validate_request_parameters,omitempty"`
 }
 
 type RequestValidatorParameters struct {
 
 	// Name of the request validator
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -77,8 +89,9 @@ type RequestValidatorStatus struct {
 type RequestValidator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RequestValidatorSpec   `json:"spec"`
-	Status            RequestValidatorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RequestValidatorSpec   `json:"spec"`
+	Status RequestValidatorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_resource_types.go b/apis/apigateway/v1beta1/zz_resource_types.go
index c8adc82589..d5e82ba3ed 100755
--- a/apis/apigateway/v1beta1/zz_resource_types.go
+++ b/apis/apigateway/v1beta1/zz_resource_types.go
@@ -18,8 +18,17 @@ type ResourceObservation struct {
 	// Resource's identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ID of the parent API resource
+	ParentID *string `json:"parentId,omitempty" tf:"parent_id,omitempty"`
+
 	// Complete path for this API resource, including all parent paths.
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Last path segment of this API resource.
+	PathPart *string `json:"pathPart,omitempty" tf:"path_part,omitempty"`
+
+	// ID of the associated REST API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
 }
 
 type ResourceParameters struct {
@@ -39,8 +48,8 @@ type ResourceParameters struct {
 	ParentIDSelector *v1.Selector `json:"parentIdSelector,omitempty" tf:"-"`
 
 	// Last path segment of this API resource.
-	// +kubebuilder:validation:Required
-	PathPart *string `json:"pathPart" tf:"path_part,omitempty"`
+	// +kubebuilder:validation:Optional
+	PathPart *string `json:"pathPart,omitempty" tf:"path_part,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -86,8 +95,9 @@ type ResourceStatus struct {
 type Resource struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceSpec   `json:"spec"`
-	Status            ResourceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pathPart)",message="pathPart is a required parameter"
+	Spec   ResourceSpec   `json:"spec"`
+	Status ResourceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_restapi_types.go b/apis/apigateway/v1beta1/zz_restapi_types.go
index febec043f5..d81666da25 100755
--- a/apis/apigateway/v1beta1/zz_restapi_types.go
+++ b/apis/apigateway/v1beta1/zz_restapi_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type RestAPIEndpointConfigurationObservation struct {
+
+	// List of endpoint types. This resource currently only supports managing a single value. Valid values: EDGE, REGIONAL or PRIVATE. If unspecified, defaults to EDGE. If set to PRIVATE recommend to set put_rest_api_mode = merge to not cause the endpoints and associated Route53 records to be deleted. Refer to the documentation for more information on the difference between edge-optimized and regional APIs.
+	Types []*string `json:"types,omitempty" tf:"types,omitempty"`
+
+	// Set of VPC Endpoint identifiers. It is only supported for PRIVATE endpoint type. If importing an OpenAPI specification via the body argument, this corresponds to the x-amazon-apigateway-endpoint-configuration extension vpcEndpointIds property. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	VPCEndpointIds []*string `json:"vpcEndpointIds,omitempty" tf:"vpc_endpoint_ids,omitempty"`
 }
 
 type RestAPIEndpointConfigurationParameters struct {
@@ -29,12 +35,30 @@ type RestAPIEndpointConfigurationParameters struct {
 
 type RestAPIObservation struct {
 
+	// Source of the API key for requests. Valid values are HEADER (default) and AUTHORIZER. If importing an OpenAPI specification via the body argument, this corresponds to the x-amazon-apigateway-api-key-source extension. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	APIKeySource *string `json:"apiKeySource,omitempty" tf:"api_key_source,omitempty"`
+
 	// ARN
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of binary media types supported by the REST API. By default, the REST API supports only UTF-8-encoded text payloads. If importing an OpenAPI specification via the body argument, this corresponds to the x-amazon-apigateway-binary-media-types extension. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	BinaryMediaTypes []*string `json:"binaryMediaTypes,omitempty" tf:"binary_media_types,omitempty"`
+
+	// OpenAPI specification that defines the set of routes and integrations to create as part of the REST API. This configuration, and any updates to it, will replace all REST API configuration except values overridden in this resource configuration and other resource updates applied after this resource but before any aws_api_gateway_deployment creation. More information about REST API OpenAPI support can be found in the API Gateway Developer Guide.
+	Body *string `json:"body,omitempty" tf:"body,omitempty"`
+
 	// Creation date of the REST API
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// Description of the REST API. If importing an OpenAPI specification via the body argument, this corresponds to the info.description field. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether clients can invoke your API by using the default execute-api endpoint. By default, clients can invoke your API with the default https://{api_id}.execute-api.{region}.amazonaws.com endpoint. To require that clients use a custom domain name to invoke your API, disable the default endpoint. Defaults to false. If importing an OpenAPI specification via the body argument, this corresponds to the x-amazon-apigateway-endpoint-configuration extension disableExecuteApiEndpoint property. If the argument value is true and is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	DisableExecuteAPIEndpoint *bool `json:"disableExecuteApiEndpoint,omitempty" tf:"disable_execute_api_endpoint,omitempty"`
+
+	// Configuration block defining API endpoint configuration including endpoint type. Defined below.
+	EndpointConfiguration []RestAPIEndpointConfigurationObservation `json:"endpointConfiguration,omitempty" tf:"endpoint_configuration,omitempty"`
+
 	// Execution ARN part to be used in lambda_permission's source_arn
 	// when allowing API Gateway to invoke a Lambda function,
 	// e.g., arn:aws:execute-api:eu-west-2:123456789012:z4675bid1j, which can be concatenated with allowed stage, method and resource path.
@@ -43,12 +67,27 @@ type RestAPIObservation struct {
 	// ID of the REST API
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Minimum response size to compress for the REST API. Integer between -1 and 10485760 (10MB). Setting a value greater than -1 will enable compression, -1 disables compression (default). If importing an OpenAPI specification via the body argument, this corresponds to the x-amazon-apigateway-minimum-compression-size extension. If the argument value (except -1) is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	MinimumCompressionSize *float64 `json:"minimumCompressionSize,omitempty" tf:"minimum_compression_size,omitempty"`
+
+	// Name of the REST API. If importing an OpenAPI specification via the body argument, this corresponds to the info.title field. If the argument value is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Map of customizations for importing the specification in the body argument. For example, to exclude DocumentationParts from an imported API, set ignore equal to documentation. Additional documentation, including other parameters such as basepath, can be found in the API Gateway Developer Guide.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
 	// JSON formatted policy document that controls access to the API Gateway. We recommend using the aws_api_gateway_rest_api_policy resource instead. If importing an OpenAPI specification via the body argument, this corresponds to the x-amazon-apigateway-policy extension. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value.
 	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
+	// Mode of the PutRestApi operation when importing an OpenAPI specification via the body argument (create or update operation). Valid values are merge and overwrite. If unspecificed, defaults to overwrite (for backwards compatibility). This corresponds to the x-amazon-apigateway-put-integration-method extension. If the argument value is provided and is different than the OpenAPI value, the argument value will override the OpenAPI value.
+	PutRestAPIMode *string `json:"putRestApiMode,omitempty" tf:"put_rest_api_mode,omitempty"`
+
 	// Resource ID of the REST API's root
 	RootResourceID *string `json:"rootResourceId,omitempty" tf:"root_resource_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -84,8 +123,8 @@ type RestAPIParameters struct {
 	MinimumCompressionSize *float64 `json:"minimumCompressionSize,omitempty" tf:"minimum_compression_size,omitempty"`
 
 	// Name of the REST API. If importing an OpenAPI specification via the body argument, this corresponds to the info.title field. If the argument value is different than the OpenAPI value, the argument value will override the OpenAPI value.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Map of customizations for importing the specification in the body argument. For example, to exclude DocumentationParts from an imported API, set ignore equal to documentation. Additional documentation, including other parameters such as basepath, can be found in the API Gateway Developer Guide.
 	// +kubebuilder:validation:Optional
@@ -129,8 +168,9 @@ type RestAPIStatus struct {
 type RestAPI struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RestAPISpec   `json:"spec"`
-	Status            RestAPIStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RestAPISpec   `json:"spec"`
+	Status RestAPIStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_restapipolicy_types.go b/apis/apigateway/v1beta1/zz_restapipolicy_types.go
index 81c21c4e86..c71fdd4e6e 100755
--- a/apis/apigateway/v1beta1/zz_restapipolicy_types.go
+++ b/apis/apigateway/v1beta1/zz_restapipolicy_types.go
@@ -17,13 +17,19 @@ type RestAPIPolicyObservation struct {
 
 	// ID of the REST API
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// JSON formatted policy document that controls access to the API Gateway
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// ID of the REST API.
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
 }
 
 type RestAPIPolicyParameters struct {
 
 	// JSON formatted policy document that controls access to the API Gateway
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +75,9 @@ type RestAPIPolicyStatus struct {
 type RestAPIPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RestAPIPolicySpec   `json:"spec"`
-	Status            RestAPIPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   RestAPIPolicySpec   `json:"spec"`
+	Status RestAPIPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_stage_types.go b/apis/apigateway/v1beta1/zz_stage_types.go
index bd295be3f1..ec6712ae20 100755
--- a/apis/apigateway/v1beta1/zz_stage_types.go
+++ b/apis/apigateway/v1beta1/zz_stage_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type AccessLogSettingsObservation struct {
+
+	// ARN of the CloudWatch Logs log group or Kinesis Data Firehose delivery stream to receive access logs. If you specify a Kinesis Data Firehose delivery stream, the stream name must begin with amazon-apigateway-. Automatically removes trailing :* if present.
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
+
+	// Formatting and values recorded in the logs.
+	// For more information on configuring the log format rules visit the AWS documentation
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
 }
 
 type AccessLogSettingsParameters struct {
@@ -29,6 +36,15 @@ type AccessLogSettingsParameters struct {
 }
 
 type CanarySettingsObservation struct {
+
+	// Percent 0.0 - 100.0 of traffic to divert to the canary deployment.
+	PercentTraffic *float64 `json:"percentTraffic,omitempty" tf:"percent_traffic,omitempty"`
+
+	// Map of overridden stage variables (including new variables) for the canary deployment.
+	StageVariableOverrides map[string]*string `json:"stageVariableOverrides,omitempty" tf:"stage_variable_overrides,omitempty"`
+
+	// Whether the canary deployment uses the stage cache. Defaults to false.
+	UseStageCache *bool `json:"useStageCache,omitempty" tf:"use_stage_cache,omitempty"`
 }
 
 type CanarySettingsParameters struct {
@@ -48,9 +64,33 @@ type CanarySettingsParameters struct {
 
 type StageObservation struct {
 
+	// Enables access logs for the API stage. See Access Log Settings below.
+	AccessLogSettings []AccessLogSettingsObservation `json:"accessLogSettings,omitempty" tf:"access_log_settings,omitempty"`
+
 	// ARN
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether a cache cluster is enabled for the stage
+	CacheClusterEnabled *bool `json:"cacheClusterEnabled,omitempty" tf:"cache_cluster_enabled,omitempty"`
+
+	// Size of the cache cluster for the stage, if enabled. Allowed values include 0.5, 1.6, 6.1, 13.5, 28.4, 58.2, 118 and 237.
+	CacheClusterSize *string `json:"cacheClusterSize,omitempty" tf:"cache_cluster_size,omitempty"`
+
+	// Configuration settings of a canary deployment. See Canary Settings below.
+	CanarySettings []CanarySettingsObservation `json:"canarySettings,omitempty" tf:"canary_settings,omitempty"`
+
+	// Identifier of a client certificate for the stage.
+	ClientCertificateID *string `json:"clientCertificateId,omitempty" tf:"client_certificate_id,omitempty"`
+
+	// ID of the deployment that the stage points to
+	DeploymentID *string `json:"deploymentId,omitempty" tf:"deployment_id,omitempty"`
+
+	// Description of the stage.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Version of the associated API documentation
+	DocumentationVersion *string `json:"documentationVersion,omitempty" tf:"documentation_version,omitempty"`
+
 	// Execution ARN to be used in lambda_permission's source_arn
 	// when allowing API Gateway to invoke a Lambda function,
 	// e.g., arn:aws:execute-api:eu-west-2:123456789012:z4675bid1j/prod
@@ -63,11 +103,26 @@ type StageObservation struct {
 	// e.g., https://z4675bid1j.execute-api.eu-west-2.amazonaws.com/prod
 	InvokeURL *string `json:"invokeUrl,omitempty" tf:"invoke_url,omitempty"`
 
+	// ID of the associated REST API
+	RestAPIID *string `json:"restApiId,omitempty" tf:"rest_api_id,omitempty"`
+
+	// Name of the stage
+	StageName *string `json:"stageName,omitempty" tf:"stage_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Map that defines the stage variables
+	Variables map[string]*string `json:"variables,omitempty" tf:"variables,omitempty"`
+
 	// ARN of the WebAcl associated with the Stage.
 	WebACLArn *string `json:"webAclArn,omitempty" tf:"web_acl_arn,omitempty"`
+
+	// Whether active tracing with X-ray is enabled. Defaults to false.
+	XrayTracingEnabled *bool `json:"xrayTracingEnabled,omitempty" tf:"xray_tracing_enabled,omitempty"`
 }
 
 type StageParameters struct {
@@ -134,8 +189,8 @@ type StageParameters struct {
 	RestAPIIDSelector *v1.Selector `json:"restApiIdSelector,omitempty" tf:"-"`
 
 	// Name of the stage
-	// +kubebuilder:validation:Required
-	StageName *string `json:"stageName" tf:"stage_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	StageName *string `json:"stageName,omitempty" tf:"stage_name,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -174,8 +229,9 @@ type StageStatus struct {
 type Stage struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StageSpec   `json:"spec"`
-	Status            StageStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stageName)",message="stageName is a required parameter"
+	Spec   StageSpec   `json:"spec"`
+	Status StageStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_usageplan_types.go b/apis/apigateway/v1beta1/zz_usageplan_types.go
index 6b89a54fca..0338d425c7 100755
--- a/apis/apigateway/v1beta1/zz_usageplan_types.go
+++ b/apis/apigateway/v1beta1/zz_usageplan_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type APIStagesObservation struct {
+
+	// API Id of the associated API stage in a usage plan.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// API stage name of the associated API stage in a usage plan.
+	Stage *string `json:"stage,omitempty" tf:"stage,omitempty"`
+
+	// The throttling limits of the usage plan.
+	Throttle []ThrottleObservation `json:"throttle,omitempty" tf:"throttle,omitempty"`
 }
 
 type APIStagesParameters struct {
@@ -52,6 +61,15 @@ type APIStagesParameters struct {
 }
 
 type QuotaSettingsObservation struct {
+
+	// Maximum number of requests that can be made in a given time period.
+	Limit *float64 `json:"limit,omitempty" tf:"limit,omitempty"`
+
+	// Number of requests subtracted from the given limit in the initial time period.
+	Offset *float64 `json:"offset,omitempty" tf:"offset,omitempty"`
+
+	// Time period in which the limit applies. Valid values are "DAY", "WEEK" or "MONTH".
+	Period *string `json:"period,omitempty" tf:"period,omitempty"`
 }
 
 type QuotaSettingsParameters struct {
@@ -70,6 +88,15 @@ type QuotaSettingsParameters struct {
 }
 
 type ThrottleObservation struct {
+
+	// The API request burst limit, the maximum rate limit over a time ranging from one to a few seconds, depending upon whether the underlying token bucket is at its full capacity.
+	BurstLimit *float64 `json:"burstLimit,omitempty" tf:"burst_limit,omitempty"`
+
+	// Method to apply the throttle settings for. Specfiy the path and method, for example /test/GET.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// The API request steady-state rate limit.
+	RateLimit *float64 `json:"rateLimit,omitempty" tf:"rate_limit,omitempty"`
 }
 
 type ThrottleParameters struct {
@@ -89,14 +116,35 @@ type ThrottleParameters struct {
 
 type UsagePlanObservation struct {
 
+	// Associated API stages of the usage plan.
+	APIStages []APIStagesObservation `json:"apiStages,omitempty" tf:"api_stages,omitempty"`
+
 	// ARN
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of a usage plan.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// ID of the API resource
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the usage plan.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// AWS Marketplace product identifier to associate with the usage plan as a SaaS product on AWS Marketplace.
+	ProductCode *string `json:"productCode,omitempty" tf:"product_code,omitempty"`
+
+	// The quota settings of the usage plan.
+	QuotaSettings []QuotaSettingsObservation `json:"quotaSettings,omitempty" tf:"quota_settings,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The throttling limits of the usage plan.
+	ThrottleSettings []UsagePlanThrottleSettingsObservation `json:"throttleSettings,omitempty" tf:"throttle_settings,omitempty"`
 }
 
 type UsagePlanParameters struct {
@@ -110,8 +158,8 @@ type UsagePlanParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Name of the usage plan.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// AWS Marketplace product identifier to associate with the usage plan as a SaaS product on AWS Marketplace.
 	// +kubebuilder:validation:Optional
@@ -136,6 +184,12 @@ type UsagePlanParameters struct {
 }
 
 type UsagePlanThrottleSettingsObservation struct {
+
+	// The API request burst limit, the maximum rate limit over a time ranging from one to a few seconds, depending upon whether the underlying token bucket is at its full capacity.
+	BurstLimit *float64 `json:"burstLimit,omitempty" tf:"burst_limit,omitempty"`
+
+	// The API request steady-state rate limit.
+	RateLimit *float64 `json:"rateLimit,omitempty" tf:"rate_limit,omitempty"`
 }
 
 type UsagePlanThrottleSettingsParameters struct {
@@ -173,8 +227,9 @@ type UsagePlanStatus struct {
 type UsagePlan struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UsagePlanSpec   `json:"spec"`
-	Status            UsagePlanStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   UsagePlanSpec   `json:"spec"`
+	Status UsagePlanStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_usageplankey_types.go b/apis/apigateway/v1beta1/zz_usageplankey_types.go
index 678d50252c..d96a06d10d 100755
--- a/apis/apigateway/v1beta1/zz_usageplankey_types.go
+++ b/apis/apigateway/v1beta1/zz_usageplankey_types.go
@@ -18,9 +18,18 @@ type UsagePlanKeyObservation struct {
 	// ID of a usage plan key.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Identifier of the API key resource.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+	// Type of the API key resource. Currently, the valid key type is API_KEY.
+	KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"`
+
 	// Name of a usage plan key.
 	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
+	// Id of the usage plan resource representing to associate the key to.
+	UsagePlanID *string `json:"usagePlanId,omitempty" tf:"usage_plan_id,omitempty"`
+
 	// Value of a usage plan key.
 	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
@@ -42,8 +51,8 @@ type UsagePlanKeyParameters struct {
 	KeyIDSelector *v1.Selector `json:"keyIdSelector,omitempty" tf:"-"`
 
 	// Type of the API key resource. Currently, the valid key type is API_KEY.
-	// +kubebuilder:validation:Required
-	KeyType *string `json:"keyType" tf:"key_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -89,8 +98,9 @@ type UsagePlanKeyStatus struct {
 type UsagePlanKey struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UsagePlanKeySpec   `json:"spec"`
-	Status            UsagePlanKeyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyType)",message="keyType is a required parameter"
+	Spec   UsagePlanKeySpec   `json:"spec"`
+	Status UsagePlanKeyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigateway/v1beta1/zz_vpclink_types.go b/apis/apigateway/v1beta1/zz_vpclink_types.go
index 4defd4f2ff..89bf33933b 100755
--- a/apis/apigateway/v1beta1/zz_vpclink_types.go
+++ b/apis/apigateway/v1beta1/zz_vpclink_types.go
@@ -16,11 +16,23 @@ import (
 type VPCLinkObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the VPC link.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Identifier of the VpcLink.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name used to label and identify the VPC link.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// List of network load balancer arns in the VPC targeted by the VPC link. Currently AWS only supports 1 target.
+	TargetArns []*string `json:"targetArns,omitempty" tf:"target_arns,omitempty"`
 }
 
 type VPCLinkParameters struct {
@@ -30,8 +42,8 @@ type VPCLinkParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Name used to label and identify the VPC link.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,8 +95,9 @@ type VPCLinkStatus struct {
 type VPCLink struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCLinkSpec   `json:"spec"`
-	Status            VPCLinkStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   VPCLinkSpec   `json:"spec"`
+	Status VPCLinkStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_api_types.go b/apis/apigatewayv2/v1beta1/zz_api_types.go
index 7567632f71..b32f429a99 100755
--- a/apis/apigatewayv2/v1beta1/zz_api_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_api_types.go
@@ -18,19 +18,68 @@ type APIObservation struct {
 	// URI of the API, of the form https://{api-id}.execute-api.{region}.amazonaws.com for HTTP APIs and wss://{api-id}.execute-api.{region}.amazonaws.com for WebSocket APIs.
 	APIEndpoint *string `json:"apiEndpoint,omitempty" tf:"api_endpoint,omitempty"`
 
+	// An API key selection expression.
+	// Valid values: $context.authorizer.usageIdentifierKey, $request.header.x-api-key. Defaults to $request.header.x-api-key.
+	// Applicable for WebSocket APIs.
+	APIKeySelectionExpression *string `json:"apiKeySelectionExpression,omitempty" tf:"api_key_selection_expression,omitempty"`
+
 	// ARN of the API.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// An OpenAPI specification that defines the set of routes and integrations to create as part of the HTTP APIs. Supported only for HTTP APIs.
+	Body *string `json:"body,omitempty" tf:"body,omitempty"`
+
+	// Cross-origin resource sharing (CORS) configuration. Applicable for HTTP APIs.
+	CorsConfiguration []CorsConfigurationObservation `json:"corsConfiguration,omitempty" tf:"cors_configuration,omitempty"`
+
+	// Part of quick create. Specifies any credentials required for the integration. Applicable for HTTP APIs.
+	CredentialsArn *string `json:"credentialsArn,omitempty" tf:"credentials_arn,omitempty"`
+
+	// Description of the API. Must be less than or equal to 1024 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether clients can invoke the API by using the default execute-api endpoint.
+	// By default, clients can invoke the API with the default {api_id}.execute-api.{region}.amazonaws.com endpoint.
+	// To require that clients use a custom domain name to invoke the API, disable the default endpoint.
+	DisableExecuteAPIEndpoint *bool `json:"disableExecuteApiEndpoint,omitempty" tf:"disable_execute_api_endpoint,omitempty"`
+
 	// ARN prefix to be used in an aws_lambda_permission's source_arn attribute
 	// or in an aws_iam_policy to authorize access to the @connections API.
 	// See the Amazon API Gateway Developer Guide for details.
 	ExecutionArn *string `json:"executionArn,omitempty" tf:"execution_arn,omitempty"`
 
+	// Whether warnings should return an error while API Gateway is creating or updating the resource using an OpenAPI specification. Defaults to false. Applicable for HTTP APIs.
+	FailOnWarnings *bool `json:"failOnWarnings,omitempty" tf:"fail_on_warnings,omitempty"`
+
 	// API identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the API. Must be less than or equal to 128 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// API protocol. Valid values: HTTP, WEBSOCKET.
+	ProtocolType *string `json:"protocolType,omitempty" tf:"protocol_type,omitempty"`
+
+	// Part of quick create. Specifies any route key. Applicable for HTTP APIs.
+	RouteKey *string `json:"routeKey,omitempty" tf:"route_key,omitempty"`
+
+	// The route selection expression for the API.
+	// Defaults to $request.method $request.path.
+	RouteSelectionExpression *string `json:"routeSelectionExpression,omitempty" tf:"route_selection_expression,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Part of quick create. Quick create produces an API with an integration, a default catch-all route, and a default stage which is configured to automatically deploy changes.
+	// For HTTP integrations, specify a fully qualified URL. For Lambda integrations, specify a function ARN.
+	// The type of the integration will be HTTP_PROXY or AWS_PROXY, respectively. Applicable for HTTP APIs.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
+
+	// Version identifier for the API. Must be between 1 and 64 characters in length.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type APIParameters struct {
@@ -68,12 +117,12 @@ type APIParameters struct {
 	FailOnWarnings *bool `json:"failOnWarnings,omitempty" tf:"fail_on_warnings,omitempty"`
 
 	// Name of the API. Must be less than or equal to 128 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// API protocol. Valid values: HTTP, WEBSOCKET.
-	// +kubebuilder:validation:Required
-	ProtocolType *string `json:"protocolType" tf:"protocol_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProtocolType *string `json:"protocolType,omitempty" tf:"protocol_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -105,6 +154,24 @@ type APIParameters struct {
 }
 
 type CorsConfigurationObservation struct {
+
+	// Whether credentials are included in the CORS request.
+	AllowCredentials *bool `json:"allowCredentials,omitempty" tf:"allow_credentials,omitempty"`
+
+	// Set of allowed HTTP headers.
+	AllowHeaders []*string `json:"allowHeaders,omitempty" tf:"allow_headers,omitempty"`
+
+	// Set of allowed HTTP methods.
+	AllowMethods []*string `json:"allowMethods,omitempty" tf:"allow_methods,omitempty"`
+
+	// Set of allowed origins.
+	AllowOrigins []*string `json:"allowOrigins,omitempty" tf:"allow_origins,omitempty"`
+
+	// Set of exposed HTTP headers.
+	ExposeHeaders []*string `json:"exposeHeaders,omitempty" tf:"expose_headers,omitempty"`
+
+	// Number of seconds that the browser should cache preflight request results.
+	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`
 }
 
 type CorsConfigurationParameters struct {
@@ -158,8 +225,10 @@ type APIStatus struct {
 type API struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              APISpec   `json:"spec"`
-	Status            APIStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocolType)",message="protocolType is a required parameter"
+	Spec   APISpec   `json:"spec"`
+	Status APIStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_apimapping_types.go b/apis/apigatewayv2/v1beta1/zz_apimapping_types.go
index a53e55a230..f28f7729c7 100755
--- a/apis/apigatewayv2/v1beta1/zz_apimapping_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_apimapping_types.go
@@ -15,8 +15,20 @@ import (
 
 type APIMappingObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// The API mapping key.
+	APIMappingKey *string `json:"apiMappingKey,omitempty" tf:"api_mapping_key,omitempty"`
+
+	// Domain name. Use the aws_apigatewayv2_domain_name resource to configure a domain name.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	// API mapping identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// API stage. Use the aws_apigatewayv2_stage resource to configure an API stage.
+	Stage *string `json:"stage,omitempty" tf:"stage,omitempty"`
 }
 
 type APIMappingParameters struct {
diff --git a/apis/apigatewayv2/v1beta1/zz_authorizer_types.go b/apis/apigatewayv2/v1beta1/zz_authorizer_types.go
index af64283768..13a1298fa0 100755
--- a/apis/apigatewayv2/v1beta1/zz_authorizer_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_authorizer_types.go
@@ -15,8 +15,50 @@ import (
 
 type AuthorizerObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// Required credentials as an IAM role for API Gateway to invoke the authorizer.
+	// Supported only for REQUEST authorizers.
+	AuthorizerCredentialsArn *string `json:"authorizerCredentialsArn,omitempty" tf:"authorizer_credentials_arn,omitempty"`
+
+	// Format of the payload sent to an HTTP API Lambda authorizer. Required for HTTP API Lambda authorizers.
+	// Valid values: 1.0, 2.0.
+	AuthorizerPayloadFormatVersion *string `json:"authorizerPayloadFormatVersion,omitempty" tf:"authorizer_payload_format_version,omitempty"`
+
+	// Time to live (TTL) for cached authorizer results, in seconds. If it equals 0, authorization caching is disabled.
+	// If it is greater than 0, API Gateway caches authorizer responses. The maximum value is 3600, or 1 hour. Defaults to 300.
+	// Supported only for HTTP API Lambda authorizers.
+	AuthorizerResultTTLInSeconds *float64 `json:"authorizerResultTtlInSeconds,omitempty" tf:"authorizer_result_ttl_in_seconds,omitempty"`
+
+	// Authorizer type. Valid values: JWT, REQUEST.
+	// Specify REQUEST for a Lambda function using incoming request parameters.
+	// For HTTP APIs, specify JWT to use JSON Web Tokens.
+	AuthorizerType *string `json:"authorizerType,omitempty" tf:"authorizer_type,omitempty"`
+
+	// Authorizer's Uniform Resource Identifier (URI).
+	// For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws_lambda_function resource.
+	// Supported only for REQUEST authorizers. Must be between 1 and 2048 characters in length.
+	AuthorizerURI *string `json:"authorizerUri,omitempty" tf:"authorizer_uri,omitempty"`
+
+	// Whether a Lambda authorizer returns a response in a simple format. If enabled, the Lambda authorizer can return a boolean value instead of an IAM policy.
+	// Supported only for HTTP APIs.
+	EnableSimpleResponses *bool `json:"enableSimpleResponses,omitempty" tf:"enable_simple_responses,omitempty"`
+
 	// Authorizer identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Identity sources for which authorization is requested.
+	// For REQUEST authorizers the value is a list of one or more mapping expressions of the specified request parameters.
+	// For JWT authorizers the single entry specifies where to extract the JSON Web Token (JWT) from inbound requests.
+	IdentitySources []*string `json:"identitySources,omitempty" tf:"identity_sources,omitempty"`
+
+	// Configuration of a JWT authorizer. Required for the JWT authorizer type.
+	// Supported only for HTTP APIs.
+	JwtConfiguration []JwtConfigurationObservation `json:"jwtConfiguration,omitempty" tf:"jwt_configuration,omitempty"`
+
+	// Name of the authorizer. Must be between 1 and 128 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type AuthorizerParameters struct {
@@ -53,8 +95,8 @@ type AuthorizerParameters struct {
 	// Authorizer type. Valid values: JWT, REQUEST.
 	// Specify REQUEST for a Lambda function using incoming request parameters.
 	// For HTTP APIs, specify JWT to use JSON Web Tokens.
-	// +kubebuilder:validation:Required
-	AuthorizerType *string `json:"authorizerType" tf:"authorizer_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthorizerType *string `json:"authorizerType,omitempty" tf:"authorizer_type,omitempty"`
 
 	// Authorizer's Uniform Resource Identifier (URI).
 	// For REQUEST authorizers this must be a well-formed Lambda function URI, such as the invoke_arn attribute of the aws_lambda_function resource.
@@ -89,8 +131,8 @@ type AuthorizerParameters struct {
 	JwtConfiguration []JwtConfigurationParameters `json:"jwtConfiguration,omitempty" tf:"jwt_configuration,omitempty"`
 
 	// Name of the authorizer. Must be between 1 and 128 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -99,6 +141,12 @@ type AuthorizerParameters struct {
 }
 
 type JwtConfigurationObservation struct {
+
+	// List of the intended recipients of the JWT. A valid JWT must provide an aud that matches at least one entry in this list.
+	Audience []*string `json:"audience,omitempty" tf:"audience,omitempty"`
+
+	// Base domain of the identity provider that issues JSON Web Tokens, such as the endpoint attribute of the aws_cognito_user_pool resource.
+	Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
 }
 
 type JwtConfigurationParameters struct {
@@ -136,8 +184,10 @@ type AuthorizerStatus struct {
 type Authorizer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AuthorizerSpec   `json:"spec"`
-	Status            AuthorizerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorizerType)",message="authorizerType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AuthorizerSpec   `json:"spec"`
+	Status AuthorizerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_deployment_types.go b/apis/apigatewayv2/v1beta1/zz_deployment_types.go
index 2d65d3f852..928011be4c 100755
--- a/apis/apigatewayv2/v1beta1/zz_deployment_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_deployment_types.go
@@ -15,9 +15,15 @@ import (
 
 type DeploymentObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
 	// Whether the deployment was automatically released.
 	AutoDeployed *bool `json:"autoDeployed,omitempty" tf:"auto_deployed,omitempty"`
 
+	// Description for the deployment resource. Must be less than or equal to 1024 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Deployment identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
diff --git a/apis/apigatewayv2/v1beta1/zz_domainname_types.go b/apis/apigatewayv2/v1beta1/zz_domainname_types.go
index fa23e69f97..50b53ba631 100755
--- a/apis/apigatewayv2/v1beta1/zz_domainname_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_domainname_types.go
@@ -15,9 +15,21 @@ import (
 
 type DomainNameConfigurationObservation struct {
 
+	// ARN of an AWS-managed certificate that will be used by the endpoint for the domain name. AWS Certificate Manager is the only supported source. Use the aws_acm_certificate resource to configure an ACM certificate.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
+	// Endpoint type. Valid values: REGIONAL.
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
+
 	// (Computed) Amazon Route 53 Hosted Zone ID of the endpoint.
 	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
 
+	// ARN of the AWS-issued certificate used to validate custom domain ownership (when certificate_arn is issued via an ACM Private CA or mutual_tls_authentication is configured with an ACM-imported certificate.)
+	OwnershipVerificationCertificateArn *string `json:"ownershipVerificationCertificateArn,omitempty" tf:"ownership_verification_certificate_arn,omitempty"`
+
+	// Transport Layer Security (TLS) version of the security policy for the domain name. Valid values: TLS_1_2.
+	SecurityPolicy *string `json:"securityPolicy,omitempty" tf:"security_policy,omitempty"`
+
 	// (Computed) Target domain name.
 	TargetDomainName *string `json:"targetDomainName,omitempty" tf:"target_domain_name,omitempty"`
 }
@@ -60,12 +72,17 @@ type DomainNameObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Domain name configuration. See below.
-	// +kubebuilder:validation:Required
 	DomainNameConfiguration []DomainNameConfigurationObservation `json:"domainNameConfiguration,omitempty" tf:"domain_name_configuration,omitempty"`
 
 	// Domain name identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Mutual TLS authentication configuration for the domain name.
+	MutualTLSAuthentication []MutualTLSAuthenticationObservation `json:"mutualTlsAuthentication,omitempty" tf:"mutual_tls_authentication,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -73,8 +90,8 @@ type DomainNameObservation struct {
 type DomainNameParameters struct {
 
 	// Domain name configuration. See below.
-	// +kubebuilder:validation:Required
-	DomainNameConfiguration []DomainNameConfigurationParameters `json:"domainNameConfiguration" tf:"domain_name_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	DomainNameConfiguration []DomainNameConfigurationParameters `json:"domainNameConfiguration,omitempty" tf:"domain_name_configuration,omitempty"`
 
 	// Mutual TLS authentication configuration for the domain name.
 	// +kubebuilder:validation:Optional
@@ -91,6 +108,12 @@ type DomainNameParameters struct {
 }
 
 type MutualTLSAuthenticationObservation struct {
+
+	// Amazon S3 URL that specifies the truststore for mutual TLS authentication, for example, s3://bucket-name/key-name. The truststore can contain certificates from public or private certificate authorities. To update the truststore, upload a new version to S3, and then update your custom domain name to use the new version.
+	TruststoreURI *string `json:"truststoreUri,omitempty" tf:"truststore_uri,omitempty"`
+
+	// Version of the S3 object that contains the truststore. To specify a version, you must have versioning enabled for the S3 bucket.
+	TruststoreVersion *string `json:"truststoreVersion,omitempty" tf:"truststore_version,omitempty"`
 }
 
 type MutualTLSAuthenticationParameters struct {
@@ -128,8 +151,9 @@ type DomainNameStatus struct {
 type DomainName struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainNameSpec   `json:"spec"`
-	Status            DomainNameStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainNameConfiguration)",message="domainNameConfiguration is a required parameter"
+	Spec   DomainNameSpec   `json:"spec"`
+	Status DomainNameStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_generated.deepcopy.go b/apis/apigatewayv2/v1beta1/zz_generated.deepcopy.go
index 6973c04c54..9a5c95f1fa 100644
--- a/apis/apigatewayv2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/apigatewayv2/v1beta1/zz_generated.deepcopy.go
@@ -135,11 +135,31 @@ func (in *APIMappingList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *APIMappingObservation) DeepCopyInto(out *APIMappingObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.APIMappingKey != nil {
+		in, out := &in.APIMappingKey, &out.APIMappingKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Stage != nil {
+		in, out := &in.Stage, &out.Stage
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIMappingObservation.
@@ -264,21 +284,93 @@ func (in *APIObservation) DeepCopyInto(out *APIObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.APIKeySelectionExpression != nil {
+		in, out := &in.APIKeySelectionExpression, &out.APIKeySelectionExpression
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Body != nil {
+		in, out := &in.Body, &out.Body
+		*out = new(string)
+		**out = **in
+	}
+	if in.CorsConfiguration != nil {
+		in, out := &in.CorsConfiguration, &out.CorsConfiguration
+		*out = make([]CorsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CredentialsArn != nil {
+		in, out := &in.CredentialsArn, &out.CredentialsArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableExecuteAPIEndpoint != nil {
+		in, out := &in.DisableExecuteAPIEndpoint, &out.DisableExecuteAPIEndpoint
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ExecutionArn != nil {
 		in, out := &in.ExecutionArn, &out.ExecutionArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.FailOnWarnings != nil {
+		in, out := &in.FailOnWarnings, &out.FailOnWarnings
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProtocolType != nil {
+		in, out := &in.ProtocolType, &out.ProtocolType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RouteKey != nil {
+		in, out := &in.RouteKey, &out.RouteKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.RouteSelectionExpression != nil {
+		in, out := &in.RouteSelectionExpression, &out.RouteSelectionExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -294,6 +386,16 @@ func (in *APIObservation) DeepCopyInto(out *APIObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIObservation.
@@ -445,6 +547,16 @@ func (in *APIStatus) DeepCopy() *APIStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessLogSettingsObservation) DeepCopyInto(out *AccessLogSettingsObservation) {
 	*out = *in
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessLogSettingsObservation.
@@ -544,11 +656,69 @@ func (in *AuthorizerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthorizerObservation) DeepCopyInto(out *AuthorizerObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthorizerCredentialsArn != nil {
+		in, out := &in.AuthorizerCredentialsArn, &out.AuthorizerCredentialsArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthorizerPayloadFormatVersion != nil {
+		in, out := &in.AuthorizerPayloadFormatVersion, &out.AuthorizerPayloadFormatVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthorizerResultTTLInSeconds != nil {
+		in, out := &in.AuthorizerResultTTLInSeconds, &out.AuthorizerResultTTLInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AuthorizerType != nil {
+		in, out := &in.AuthorizerType, &out.AuthorizerType
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthorizerURI != nil {
+		in, out := &in.AuthorizerURI, &out.AuthorizerURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableSimpleResponses != nil {
+		in, out := &in.EnableSimpleResponses, &out.EnableSimpleResponses
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentitySources != nil {
+		in, out := &in.IdentitySources, &out.IdentitySources
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.JwtConfiguration != nil {
+		in, out := &in.JwtConfiguration, &out.JwtConfiguration
+		*out = make([]JwtConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizerObservation.
@@ -696,6 +866,60 @@ func (in *AuthorizerStatus) DeepCopy() *AuthorizerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CorsConfigurationObservation) DeepCopyInto(out *CorsConfigurationObservation) {
 	*out = *in
+	if in.AllowCredentials != nil {
+		in, out := &in.AllowCredentials, &out.AllowCredentials
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowHeaders != nil {
+		in, out := &in.AllowHeaders, &out.AllowHeaders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowMethods != nil {
+		in, out := &in.AllowMethods, &out.AllowMethods
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowOrigins != nil {
+		in, out := &in.AllowOrigins, &out.AllowOrigins
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ExposeHeaders != nil {
+		in, out := &in.ExposeHeaders, &out.ExposeHeaders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MaxAge != nil {
+		in, out := &in.MaxAge, &out.MaxAge
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CorsConfigurationObservation.
@@ -780,6 +1004,31 @@ func (in *CorsConfigurationParameters) DeepCopy() *CorsConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultRouteSettingsObservation) DeepCopyInto(out *DefaultRouteSettingsObservation) {
 	*out = *in
+	if in.DataTraceEnabled != nil {
+		in, out := &in.DataTraceEnabled, &out.DataTraceEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DetailedMetricsEnabled != nil {
+		in, out := &in.DetailedMetricsEnabled, &out.DetailedMetricsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LoggingLevel != nil {
+		in, out := &in.LoggingLevel, &out.LoggingLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.ThrottlingBurstLimit != nil {
+		in, out := &in.ThrottlingBurstLimit, &out.ThrottlingBurstLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThrottlingRateLimit != nil {
+		in, out := &in.ThrottlingRateLimit, &out.ThrottlingRateLimit
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultRouteSettingsObservation.
@@ -894,11 +1143,21 @@ func (in *DeploymentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentObservation) DeepCopyInto(out *DeploymentObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
 	if in.AutoDeployed != nil {
 		in, out := &in.AutoDeployed, &out.AutoDeployed
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1020,11 +1279,31 @@ func (in *DomainName) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainNameConfigurationObservation) DeepCopyInto(out *DomainNameConfigurationObservation) {
 	*out = *in
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EndpointType != nil {
+		in, out := &in.EndpointType, &out.EndpointType
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostedZoneID != nil {
 		in, out := &in.HostedZoneID, &out.HostedZoneID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OwnershipVerificationCertificateArn != nil {
+		in, out := &in.OwnershipVerificationCertificateArn, &out.OwnershipVerificationCertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityPolicy != nil {
+		in, out := &in.SecurityPolicy, &out.SecurityPolicy
+		*out = new(string)
+		**out = **in
+	}
 	if in.TargetDomainName != nil {
 		in, out := &in.TargetDomainName, &out.TargetDomainName
 		*out = new(string)
@@ -1144,6 +1423,28 @@ func (in *DomainNameObservation) DeepCopyInto(out *DomainNameObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MutualTLSAuthentication != nil {
+		in, out := &in.MutualTLSAuthentication, &out.MutualTLSAuthentication
+		*out = make([]MutualTLSAuthenticationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1293,37 +1594,151 @@ func (in *IntegrationList) DeepCopyInto(out *IntegrationList) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntegrationList.
-func (in *IntegrationList) DeepCopy() *IntegrationList {
-	if in == nil {
-		return nil
-	}
-	out := new(IntegrationList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *IntegrationList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntegrationList.
+func (in *IntegrationList) DeepCopy() *IntegrationList {
+	if in == nil {
+		return nil
+	}
+	out := new(IntegrationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *IntegrationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IntegrationObservation) DeepCopyInto(out *IntegrationObservation) {
+	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionType != nil {
+		in, out := &in.ConnectionType, &out.ConnectionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentHandlingStrategy != nil {
+		in, out := &in.ContentHandlingStrategy, &out.ContentHandlingStrategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.CredentialsArn != nil {
+		in, out := &in.CredentialsArn, &out.CredentialsArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IntegrationMethod != nil {
+		in, out := &in.IntegrationMethod, &out.IntegrationMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.IntegrationResponseSelectionExpression != nil {
+		in, out := &in.IntegrationResponseSelectionExpression, &out.IntegrationResponseSelectionExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.IntegrationSubtype != nil {
+		in, out := &in.IntegrationSubtype, &out.IntegrationSubtype
+		*out = new(string)
+		**out = **in
+	}
+	if in.IntegrationType != nil {
+		in, out := &in.IntegrationType, &out.IntegrationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IntegrationURI != nil {
+		in, out := &in.IntegrationURI, &out.IntegrationURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.PassthroughBehavior != nil {
+		in, out := &in.PassthroughBehavior, &out.PassthroughBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.PayloadFormatVersion != nil {
+		in, out := &in.PayloadFormatVersion, &out.PayloadFormatVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequestParameters != nil {
+		in, out := &in.RequestParameters, &out.RequestParameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RequestTemplates != nil {
+		in, out := &in.RequestTemplates, &out.RequestTemplates
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResponseParameters != nil {
+		in, out := &in.ResponseParameters, &out.ResponseParameters
+		*out = make([]ResponseParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TLSConfig != nil {
+		in, out := &in.TLSConfig, &out.TLSConfig
+		*out = make([]TLSConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IntegrationObservation) DeepCopyInto(out *IntegrationObservation) {
-	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.TemplateSelectionExpression != nil {
+		in, out := &in.TemplateSelectionExpression, &out.TemplateSelectionExpression
 		*out = new(string)
 		**out = **in
 	}
-	if in.IntegrationResponseSelectionExpression != nil {
-		in, out := &in.IntegrationResponseSelectionExpression, &out.IntegrationResponseSelectionExpression
-		*out = new(string)
+	if in.TimeoutMilliseconds != nil {
+		in, out := &in.TimeoutMilliseconds, &out.TimeoutMilliseconds
+		*out = new(float64)
 		**out = **in
 	}
 }
@@ -1574,11 +1989,51 @@ func (in *IntegrationResponseList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntegrationResponseObservation) DeepCopyInto(out *IntegrationResponseObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentHandlingStrategy != nil {
+		in, out := &in.ContentHandlingStrategy, &out.ContentHandlingStrategy
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IntegrationID != nil {
+		in, out := &in.IntegrationID, &out.IntegrationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IntegrationResponseKey != nil {
+		in, out := &in.IntegrationResponseKey, &out.IntegrationResponseKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseTemplates != nil {
+		in, out := &in.ResponseTemplates, &out.ResponseTemplates
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TemplateSelectionExpression != nil {
+		in, out := &in.TemplateSelectionExpression, &out.TemplateSelectionExpression
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntegrationResponseObservation.
@@ -1742,6 +2197,22 @@ func (in *IntegrationStatus) DeepCopy() *IntegrationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JwtConfigurationObservation) DeepCopyInto(out *JwtConfigurationObservation) {
 	*out = *in
+	if in.Audience != nil {
+		in, out := &in.Audience, &out.Audience
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Issuer != nil {
+		in, out := &in.Issuer, &out.Issuer
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JwtConfigurationObservation.
@@ -1847,11 +2318,36 @@ func (in *ModelList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ModelObservation) DeepCopyInto(out *ModelObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schema != nil {
+		in, out := &in.Schema, &out.Schema
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModelObservation.
@@ -1956,6 +2452,16 @@ func (in *ModelStatus) DeepCopy() *ModelStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MutualTLSAuthenticationObservation) DeepCopyInto(out *MutualTLSAuthenticationObservation) {
 	*out = *in
+	if in.TruststoreURI != nil {
+		in, out := &in.TruststoreURI, &out.TruststoreURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.TruststoreVersion != nil {
+		in, out := &in.TruststoreVersion, &out.TruststoreVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutualTLSAuthenticationObservation.
@@ -1996,6 +2502,16 @@ func (in *MutualTLSAuthenticationParameters) DeepCopy() *MutualTLSAuthentication
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RequestParameterObservation) DeepCopyInto(out *RequestParameterObservation) {
 	*out = *in
+	if in.RequestParameterKey != nil {
+		in, out := &in.RequestParameterKey, &out.RequestParameterKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.Required != nil {
+		in, out := &in.Required, &out.Required
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestParameterObservation.
@@ -2036,6 +2552,26 @@ func (in *RequestParameterParameters) DeepCopy() *RequestParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResponseParametersObservation) DeepCopyInto(out *ResponseParametersObservation) {
 	*out = *in
+	if in.Mappings != nil {
+		in, out := &in.Mappings, &out.Mappings
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseParametersObservation.
@@ -2097,56 +2633,134 @@ func (in *Route) DeepCopy() *Route {
 	if in == nil {
 		return nil
 	}
-	out := new(Route)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *Route) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+	out := new(Route)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *Route) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RouteList) DeepCopyInto(out *RouteList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]Route, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteList.
+func (in *RouteList) DeepCopy() *RouteList {
+	if in == nil {
+		return nil
+	}
+	out := new(RouteList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *RouteList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RouteObservation) DeepCopyInto(out *RouteObservation) {
+	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.APIKeyRequired != nil {
+		in, out := &in.APIKeyRequired, &out.APIKeyRequired
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AuthorizationScopes != nil {
+		in, out := &in.AuthorizationScopes, &out.AuthorizationScopes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AuthorizationType != nil {
+		in, out := &in.AuthorizationType, &out.AuthorizationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthorizerID != nil {
+		in, out := &in.AuthorizerID, &out.AuthorizerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ModelSelectionExpression != nil {
+		in, out := &in.ModelSelectionExpression, &out.ModelSelectionExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.OperationName != nil {
+		in, out := &in.OperationName, &out.OperationName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequestModels != nil {
+		in, out := &in.RequestModels, &out.RequestModels
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RouteList) DeepCopyInto(out *RouteList) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]Route, len(*in))
+	if in.RequestParameter != nil {
+		in, out := &in.RequestParameter, &out.RequestParameter
+		*out = make([]RequestParameterObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteList.
-func (in *RouteList) DeepCopy() *RouteList {
-	if in == nil {
-		return nil
+	if in.RouteKey != nil {
+		in, out := &in.RouteKey, &out.RouteKey
+		*out = new(string)
+		**out = **in
 	}
-	out := new(RouteList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *RouteList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+	if in.RouteResponseSelectionExpression != nil {
+		in, out := &in.RouteResponseSelectionExpression, &out.RouteResponseSelectionExpression
+		*out = new(string)
+		**out = **in
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RouteObservation) DeepCopyInto(out *RouteObservation) {
-	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
 		*out = new(string)
 		**out = **in
 	}
@@ -2352,11 +2966,46 @@ func (in *RouteResponseList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouteResponseObservation) DeepCopyInto(out *RouteResponseObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ModelSelectionExpression != nil {
+		in, out := &in.ModelSelectionExpression, &out.ModelSelectionExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseModels != nil {
+		in, out := &in.ResponseModels, &out.ResponseModels
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RouteID != nil {
+		in, out := &in.RouteID, &out.RouteID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RouteResponseKey != nil {
+		in, out := &in.RouteResponseKey, &out.RouteResponseKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteResponseObservation.
@@ -2481,6 +3130,36 @@ func (in *RouteResponseStatus) DeepCopy() *RouteResponseStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouteSettingsObservation) DeepCopyInto(out *RouteSettingsObservation) {
 	*out = *in
+	if in.DataTraceEnabled != nil {
+		in, out := &in.DataTraceEnabled, &out.DataTraceEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DetailedMetricsEnabled != nil {
+		in, out := &in.DetailedMetricsEnabled, &out.DetailedMetricsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LoggingLevel != nil {
+		in, out := &in.LoggingLevel, &out.LoggingLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.RouteKey != nil {
+		in, out := &in.RouteKey, &out.RouteKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ThrottlingBurstLimit != nil {
+		in, out := &in.ThrottlingBurstLimit, &out.ThrottlingBurstLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThrottlingRateLimit != nil {
+		in, out := &in.ThrottlingRateLimit, &out.ThrottlingRateLimit
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteSettingsObservation.
@@ -2634,11 +3313,50 @@ func (in *StageList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StageObservation) DeepCopyInto(out *StageObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AccessLogSettings != nil {
+		in, out := &in.AccessLogSettings, &out.AccessLogSettings
+		*out = make([]AccessLogSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoDeploy != nil {
+		in, out := &in.AutoDeploy, &out.AutoDeploy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ClientCertificateID != nil {
+		in, out := &in.ClientCertificateID, &out.ClientCertificateID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultRouteSettings != nil {
+		in, out := &in.DefaultRouteSettings, &out.DefaultRouteSettings
+		*out = make([]DefaultRouteSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeploymentID != nil {
+		in, out := &in.DeploymentID, &out.DeploymentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ExecutionArn != nil {
 		in, out := &in.ExecutionArn, &out.ExecutionArn
 		*out = new(string)
@@ -2654,6 +3372,43 @@ func (in *StageObservation) DeepCopyInto(out *StageObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RouteSettings != nil {
+		in, out := &in.RouteSettings, &out.RouteSettings
+		*out = make([]RouteSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StageVariables != nil {
+		in, out := &in.StageVariables, &out.StageVariables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2834,6 +3589,11 @@ func (in *StageStatus) DeepCopy() *StageStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSConfigObservation) DeepCopyInto(out *TLSConfigObservation) {
 	*out = *in
+	if in.ServerNameToVerify != nil {
+		in, out := &in.ServerNameToVerify, &out.ServerNameToVerify
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSConfigObservation.
@@ -2938,6 +3698,48 @@ func (in *VPCLinkObservation) DeepCopyInto(out *VPCLinkObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/apigatewayv2/v1beta1/zz_integration_types.go b/apis/apigatewayv2/v1beta1/zz_integration_types.go
index 33b75073a4..06c375c3ad 100755
--- a/apis/apigatewayv2/v1beta1/zz_integration_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_integration_types.go
@@ -15,11 +15,72 @@ import (
 
 type IntegrationObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// ID of the VPC link for a private integration. Supported only for HTTP APIs. Must be between 1 and 1024 characters in length.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// Type of the network connection to the integration endpoint. Valid values: INTERNET, VPC_LINK. Default is INTERNET.
+	ConnectionType *string `json:"connectionType,omitempty" tf:"connection_type,omitempty"`
+
+	// How to handle response payload content type conversions. Valid values: CONVERT_TO_BINARY, CONVERT_TO_TEXT. Supported only for WebSocket APIs.
+	ContentHandlingStrategy *string `json:"contentHandlingStrategy,omitempty" tf:"content_handling_strategy,omitempty"`
+
+	// Credentials required for the integration, if any.
+	CredentialsArn *string `json:"credentialsArn,omitempty" tf:"credentials_arn,omitempty"`
+
+	// Description of the integration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Integration identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Integration's HTTP method. Must be specified if integration_type is not MOCK.
+	IntegrationMethod *string `json:"integrationMethod,omitempty" tf:"integration_method,omitempty"`
+
 	// The integration response selection expression for the integration.
 	IntegrationResponseSelectionExpression *string `json:"integrationResponseSelectionExpression,omitempty" tf:"integration_response_selection_expression,omitempty"`
+
+	// AWS service action to invoke. Supported only for HTTP APIs when integration_type is AWS_PROXY. See the AWS service integration reference documentation for supported values. Must be between 1 and 128 characters in length.
+	IntegrationSubtype *string `json:"integrationSubtype,omitempty" tf:"integration_subtype,omitempty"`
+
+	// Integration type of an integration.
+	// Valid values: AWS (supported only for WebSocket APIs), AWS_PROXY, HTTP (supported only for WebSocket APIs), HTTP_PROXY, MOCK (supported only for WebSocket APIs). For an HTTP API private integration, use HTTP_PROXY.
+	IntegrationType *string `json:"integrationType,omitempty" tf:"integration_type,omitempty"`
+
+	// URI of the Lambda function for a Lambda proxy integration, when integration_type is AWS_PROXY.
+	// For an HTTP integration, specify a fully-qualified URL. For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service.
+	IntegrationURI *string `json:"integrationUri,omitempty" tf:"integration_uri,omitempty"`
+
+	// Pass-through behavior for incoming requests based on the Content-Type header in the request, and the available mapping templates specified as the request_templates attribute.
+	// Valid values: WHEN_NO_MATCH, WHEN_NO_TEMPLATES, NEVER. Default is WHEN_NO_MATCH. Supported only for WebSocket APIs.
+	PassthroughBehavior *string `json:"passthroughBehavior,omitempty" tf:"passthrough_behavior,omitempty"`
+
+	// The format of the payload sent to an integration. Valid values: 1.0, 2.0. Default is 1.0.
+	PayloadFormatVersion *string `json:"payloadFormatVersion,omitempty" tf:"payload_format_version,omitempty"`
+
+	// For WebSocket APIs, a key-value map specifying request parameters that are passed from the method request to the backend.
+	// For HTTP APIs with a specified integration_subtype, a key-value map specifying parameters that are passed to AWS_PROXY integrations.
+	// For HTTP APIs without a specified integration_subtype, a key-value map specifying how to transform HTTP requests before sending them to the backend.
+	// See the Amazon API Gateway Developer Guide for details.
+	RequestParameters map[string]*string `json:"requestParameters,omitempty" tf:"request_parameters,omitempty"`
+
+	// Map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client. Supported only for WebSocket APIs.
+	RequestTemplates map[string]*string `json:"requestTemplates,omitempty" tf:"request_templates,omitempty"`
+
+	// Mappings to transform the HTTP response from a backend integration before returning the response to clients. Supported only for HTTP APIs.
+	ResponseParameters []ResponseParametersObservation `json:"responseParameters,omitempty" tf:"response_parameters,omitempty"`
+
+	// TLS configuration for a private integration. Supported only for HTTP APIs.
+	TLSConfig []TLSConfigObservation `json:"tlsConfig,omitempty" tf:"tls_config,omitempty"`
+
+	// The template selection expression for the integration.
+	TemplateSelectionExpression *string `json:"templateSelectionExpression,omitempty" tf:"template_selection_expression,omitempty"`
+
+	// Custom timeout between 50 and 29,000 milliseconds for WebSocket APIs and between 50 and 30,000 milliseconds for HTTP APIs.
+	// The default timeout is 29 seconds for WebSocket APIs and 30 seconds for HTTP APIs.
+	TimeoutMilliseconds *float64 `json:"timeoutMilliseconds,omitempty" tf:"timeout_milliseconds,omitempty"`
 }
 
 type IntegrationParameters struct {
@@ -87,8 +148,8 @@ type IntegrationParameters struct {
 
 	// Integration type of an integration.
 	// Valid values: AWS (supported only for WebSocket APIs), AWS_PROXY, HTTP (supported only for WebSocket APIs), HTTP_PROXY, MOCK (supported only for WebSocket APIs). For an HTTP API private integration, use HTTP_PROXY.
-	// +kubebuilder:validation:Required
-	IntegrationType *string `json:"integrationType" tf:"integration_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	IntegrationType *string `json:"integrationType,omitempty" tf:"integration_type,omitempty"`
 
 	// URI of the Lambda function for a Lambda proxy integration, when integration_type is AWS_PROXY.
 	// For an HTTP integration, specify a fully-qualified URL. For an HTTP API private integration, specify the ARN of an Application Load Balancer listener, Network Load Balancer listener, or AWS Cloud Map service.
@@ -149,6 +210,13 @@ type IntegrationParameters struct {
 }
 
 type ResponseParametersObservation struct {
+
+	// Key-value map. The key of this map identifies the location of the request parameter to change, and how to change it. The corresponding value specifies the new data for the parameter.
+	// See the Amazon API Gateway Developer Guide for details.
+	Mappings map[string]*string `json:"mappings,omitempty" tf:"mappings,omitempty"`
+
+	// HTTP status code in the range 200-599.
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type ResponseParametersParameters struct {
@@ -164,6 +232,9 @@ type ResponseParametersParameters struct {
 }
 
 type TLSConfigObservation struct {
+
+	// If you specify a server name, API Gateway uses it to verify the hostname on the integration's certificate. The server name is also included in the TLS handshake to support Server Name Indication (SNI) or virtual hosting.
+	ServerNameToVerify *string `json:"serverNameToVerify,omitempty" tf:"server_name_to_verify,omitempty"`
 }
 
 type TLSConfigParameters struct {
@@ -197,8 +268,9 @@ type IntegrationStatus struct {
 type Integration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IntegrationSpec   `json:"spec"`
-	Status            IntegrationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationType)",message="integrationType is a required parameter"
+	Spec   IntegrationSpec   `json:"spec"`
+	Status IntegrationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_integrationresponse_types.go b/apis/apigatewayv2/v1beta1/zz_integrationresponse_types.go
index debd12582d..0a8bc79a2b 100755
--- a/apis/apigatewayv2/v1beta1/zz_integrationresponse_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_integrationresponse_types.go
@@ -15,8 +15,26 @@ import (
 
 type IntegrationResponseObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// How to handle response payload content type conversions. Valid values: CONVERT_TO_BINARY, CONVERT_TO_TEXT.
+	ContentHandlingStrategy *string `json:"contentHandlingStrategy,omitempty" tf:"content_handling_strategy,omitempty"`
+
 	// Integration response identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Identifier of the aws_apigatewayv2_integration.
+	IntegrationID *string `json:"integrationId,omitempty" tf:"integration_id,omitempty"`
+
+	// Integration response key.
+	IntegrationResponseKey *string `json:"integrationResponseKey,omitempty" tf:"integration_response_key,omitempty"`
+
+	// Map of Velocity templates that are applied on the request payload based on the value of the Content-Type header sent by the client.
+	ResponseTemplates map[string]*string `json:"responseTemplates,omitempty" tf:"response_templates,omitempty"`
+
+	// The template selection expression for the integration response.
+	TemplateSelectionExpression *string `json:"templateSelectionExpression,omitempty" tf:"template_selection_expression,omitempty"`
 }
 
 type IntegrationResponseParameters struct {
@@ -52,8 +70,8 @@ type IntegrationResponseParameters struct {
 	IntegrationIDSelector *v1.Selector `json:"integrationIdSelector,omitempty" tf:"-"`
 
 	// Integration response key.
-	// +kubebuilder:validation:Required
-	IntegrationResponseKey *string `json:"integrationResponseKey" tf:"integration_response_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	IntegrationResponseKey *string `json:"integrationResponseKey,omitempty" tf:"integration_response_key,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -93,8 +111,9 @@ type IntegrationResponseStatus struct {
 type IntegrationResponse struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IntegrationResponseSpec   `json:"spec"`
-	Status            IntegrationResponseStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationResponseKey)",message="integrationResponseKey is a required parameter"
+	Spec   IntegrationResponseSpec   `json:"spec"`
+	Status IntegrationResponseStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_model_types.go b/apis/apigatewayv2/v1beta1/zz_model_types.go
index b02040c76b..e8eebd2aa7 100755
--- a/apis/apigatewayv2/v1beta1/zz_model_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_model_types.go
@@ -15,8 +15,23 @@ import (
 
 type ModelObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// The content-type for the model, for example, application/json. Must be between 1 and 256 characters in length.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Description of the model. Must be between 1 and 128 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Model identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the model. Must be alphanumeric. Must be between 1 and 128 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Schema for the model. This should be a JSON schema draft 4 model. Must be less than or equal to 32768 characters in length.
+	Schema *string `json:"schema,omitempty" tf:"schema,omitempty"`
 }
 
 type ModelParameters struct {
@@ -35,16 +50,16 @@ type ModelParameters struct {
 	APIIDSelector *v1.Selector `json:"apiIdSelector,omitempty" tf:"-"`
 
 	// The content-type for the model, for example, application/json. Must be between 1 and 256 characters in length.
-	// +kubebuilder:validation:Required
-	ContentType *string `json:"contentType" tf:"content_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
 
 	// Description of the model. Must be between 1 and 128 characters in length.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Name of the model. Must be alphanumeric. Must be between 1 and 128 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -52,8 +67,8 @@ type ModelParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Schema for the model. This should be a JSON schema draft 4 model. Must be less than or equal to 32768 characters in length.
-	// +kubebuilder:validation:Required
-	Schema *string `json:"schema" tf:"schema,omitempty"`
+	// +kubebuilder:validation:Optional
+	Schema *string `json:"schema,omitempty" tf:"schema,omitempty"`
 }
 
 // ModelSpec defines the desired state of Model
@@ -80,8 +95,11 @@ type ModelStatus struct {
 type Model struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ModelSpec   `json:"spec"`
-	Status            ModelStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentType)",message="contentType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schema)",message="schema is a required parameter"
+	Spec   ModelSpec   `json:"spec"`
+	Status ModelStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_route_types.go b/apis/apigatewayv2/v1beta1/zz_route_types.go
index bbffb10e1f..45068c72cd 100755
--- a/apis/apigatewayv2/v1beta1/zz_route_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_route_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type RequestParameterObservation struct {
+
+	// Request parameter key. This is a request data mapping parameter.
+	RequestParameterKey *string `json:"requestParameterKey,omitempty" tf:"request_parameter_key,omitempty"`
+
+	// Boolean whether or not the parameter is required.
+	Required *bool `json:"required,omitempty" tf:"required,omitempty"`
 }
 
 type RequestParameterParameters struct {
@@ -29,8 +35,47 @@ type RequestParameterParameters struct {
 
 type RouteObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// Boolean whether an API key is required for the route. Defaults to false. Supported only for WebSocket APIs.
+	APIKeyRequired *bool `json:"apiKeyRequired,omitempty" tf:"api_key_required,omitempty"`
+
+	// Authorization scopes supported by this route. The scopes are used with a JWT authorizer to authorize the method invocation.
+	AuthorizationScopes []*string `json:"authorizationScopes,omitempty" tf:"authorization_scopes,omitempty"`
+
+	// Authorization type for the route.
+	// For WebSocket APIs, valid values are NONE for open access, AWS_IAM for using AWS IAM permissions, and CUSTOM for using a Lambda authorizer.
+	// For HTTP APIs, valid values are NONE for open access, JWT for using JSON Web Tokens, AWS_IAM for using AWS IAM permissions, and CUSTOM for using a Lambda authorizer.
+	// Defaults to NONE.
+	AuthorizationType *string `json:"authorizationType,omitempty" tf:"authorization_type,omitempty"`
+
+	// Identifier of the aws_apigatewayv2_authorizer resource to be associated with this route.
+	AuthorizerID *string `json:"authorizerId,omitempty" tf:"authorizer_id,omitempty"`
+
 	// Route identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The model selection expression for the route. Supported only for WebSocket APIs.
+	ModelSelectionExpression *string `json:"modelSelectionExpression,omitempty" tf:"model_selection_expression,omitempty"`
+
+	// Operation name for the route. Must be between 1 and 64 characters in length.
+	OperationName *string `json:"operationName,omitempty" tf:"operation_name,omitempty"`
+
+	// Request models for the route. Supported only for WebSocket APIs.
+	RequestModels map[string]*string `json:"requestModels,omitempty" tf:"request_models,omitempty"`
+
+	// Request parameters for the route. Supported only for WebSocket APIs.
+	RequestParameter []RequestParameterObservation `json:"requestParameter,omitempty" tf:"request_parameter,omitempty"`
+
+	// Route key for the route. For HTTP APIs, the route key can be either $default, or a combination of an HTTP method and resource path, for example, GET /pets.
+	RouteKey *string `json:"routeKey,omitempty" tf:"route_key,omitempty"`
+
+	// The route response selection expression for the route. Supported only for WebSocket APIs.
+	RouteResponseSelectionExpression *string `json:"routeResponseSelectionExpression,omitempty" tf:"route_response_selection_expression,omitempty"`
+
+	// Target for the route, of the form integrations/IntegrationID, where IntegrationID is the identifier of an aws_apigatewayv2_integration resource.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type RouteParameters struct {
@@ -98,8 +143,8 @@ type RouteParameters struct {
 	RequestParameter []RequestParameterParameters `json:"requestParameter,omitempty" tf:"request_parameter,omitempty"`
 
 	// Route key for the route. For HTTP APIs, the route key can be either $default, or a combination of an HTTP method and resource path, for example, GET /pets.
-	// +kubebuilder:validation:Required
-	RouteKey *string `json:"routeKey" tf:"route_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	RouteKey *string `json:"routeKey,omitempty" tf:"route_key,omitempty"`
 
 	// The route response selection expression for the route. Supported only for WebSocket APIs.
 	// +kubebuilder:validation:Optional
@@ -144,8 +189,9 @@ type RouteStatus struct {
 type Route struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RouteSpec   `json:"spec"`
-	Status            RouteStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeKey)",message="routeKey is a required parameter"
+	Spec   RouteSpec   `json:"spec"`
+	Status RouteStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_routeresponse_types.go b/apis/apigatewayv2/v1beta1/zz_routeresponse_types.go
index c0d3fbfa17..07cb116a0f 100755
--- a/apis/apigatewayv2/v1beta1/zz_routeresponse_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_routeresponse_types.go
@@ -15,8 +15,23 @@ import (
 
 type RouteResponseObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
 	// Route response identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The model selection expression for the route response.
+	ModelSelectionExpression *string `json:"modelSelectionExpression,omitempty" tf:"model_selection_expression,omitempty"`
+
+	// Response models for the route response.
+	ResponseModels map[string]*string `json:"responseModels,omitempty" tf:"response_models,omitempty"`
+
+	// Identifier of the aws_apigatewayv2_route.
+	RouteID *string `json:"routeId,omitempty" tf:"route_id,omitempty"`
+
+	// Route response key.
+	RouteResponseKey *string `json:"routeResponseKey,omitempty" tf:"route_response_key,omitempty"`
 }
 
 type RouteResponseParameters struct {
@@ -61,8 +76,8 @@ type RouteResponseParameters struct {
 	RouteIDSelector *v1.Selector `json:"routeIdSelector,omitempty" tf:"-"`
 
 	// Route response key.
-	// +kubebuilder:validation:Required
-	RouteResponseKey *string `json:"routeResponseKey" tf:"route_response_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	RouteResponseKey *string `json:"routeResponseKey,omitempty" tf:"route_response_key,omitempty"`
 }
 
 // RouteResponseSpec defines the desired state of RouteResponse
@@ -89,8 +104,9 @@ type RouteResponseStatus struct {
 type RouteResponse struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RouteResponseSpec   `json:"spec"`
-	Status            RouteResponseStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeResponseKey)",message="routeResponseKey is a required parameter"
+	Spec   RouteResponseSpec   `json:"spec"`
+	Status RouteResponseStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apigatewayv2/v1beta1/zz_stage_types.go b/apis/apigatewayv2/v1beta1/zz_stage_types.go
index 98baa2a4ac..3ebb00fe91 100755
--- a/apis/apigatewayv2/v1beta1/zz_stage_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_stage_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AccessLogSettingsObservation struct {
+
+	// ARN of the CloudWatch Logs log group to receive access logs. Any trailing :* is trimmed from the ARN.
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
+
+	// Single line format of the access logs of data. Refer to log settings for HTTP or Websocket.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
 }
 
 type AccessLogSettingsParameters struct {
@@ -28,6 +34,23 @@ type AccessLogSettingsParameters struct {
 }
 
 type DefaultRouteSettingsObservation struct {
+
+	// Whether data trace logging is enabled for the default route. Affects the log entries pushed to Amazon CloudWatch Logs.
+	// Defaults to false. Supported only for WebSocket APIs.
+	DataTraceEnabled *bool `json:"dataTraceEnabled,omitempty" tf:"data_trace_enabled,omitempty"`
+
+	// Whether detailed metrics are enabled for the default route. Defaults to false.
+	DetailedMetricsEnabled *bool `json:"detailedMetricsEnabled,omitempty" tf:"detailed_metrics_enabled,omitempty"`
+
+	// Logging level for the default route. Affects the log entries pushed to Amazon CloudWatch Logs.
+	// Valid values: ERROR, INFO, OFF. Defaults to OFF. Supported only for WebSocket APIs.
+	LoggingLevel *string `json:"loggingLevel,omitempty" tf:"logging_level,omitempty"`
+
+	// Throttling burst limit for the default route.
+	ThrottlingBurstLimit *float64 `json:"throttlingBurstLimit,omitempty" tf:"throttling_burst_limit,omitempty"`
+
+	// Throttling rate limit for the default route.
+	ThrottlingRateLimit *float64 `json:"throttlingRateLimit,omitempty" tf:"throttling_rate_limit,omitempty"`
 }
 
 type DefaultRouteSettingsParameters struct {
@@ -56,6 +79,26 @@ type DefaultRouteSettingsParameters struct {
 }
 
 type RouteSettingsObservation struct {
+
+	// Whether data trace logging is enabled for the route. Affects the log entries pushed to Amazon CloudWatch Logs.
+	// Defaults to false. Supported only for WebSocket APIs.
+	DataTraceEnabled *bool `json:"dataTraceEnabled,omitempty" tf:"data_trace_enabled,omitempty"`
+
+	// Whether detailed metrics are enabled for the route. Defaults to false.
+	DetailedMetricsEnabled *bool `json:"detailedMetricsEnabled,omitempty" tf:"detailed_metrics_enabled,omitempty"`
+
+	// Logging level for the route. Affects the log entries pushed to Amazon CloudWatch Logs.
+	// Valid values: ERROR, INFO, OFF. Defaults to OFF. Supported only for WebSocket APIs.
+	LoggingLevel *string `json:"loggingLevel,omitempty" tf:"logging_level,omitempty"`
+
+	// Route key.
+	RouteKey *string `json:"routeKey,omitempty" tf:"route_key,omitempty"`
+
+	// Throttling burst limit for the route.
+	ThrottlingBurstLimit *float64 `json:"throttlingBurstLimit,omitempty" tf:"throttling_burst_limit,omitempty"`
+
+	// Throttling rate limit for the route.
+	ThrottlingRateLimit *float64 `json:"throttlingRateLimit,omitempty" tf:"throttling_rate_limit,omitempty"`
 }
 
 type RouteSettingsParameters struct {
@@ -89,9 +132,32 @@ type RouteSettingsParameters struct {
 
 type StageObservation struct {
 
+	// API identifier.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// Settings for logging access in this stage.
+	// Use the aws_api_gateway_account resource to configure permissions for CloudWatch Logging.
+	AccessLogSettings []AccessLogSettingsObservation `json:"accessLogSettings,omitempty" tf:"access_log_settings,omitempty"`
+
 	// ARN of the stage.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether updates to an API automatically trigger a new deployment. Defaults to false. Applicable for HTTP APIs.
+	AutoDeploy *bool `json:"autoDeploy,omitempty" tf:"auto_deploy,omitempty"`
+
+	// Identifier of a client certificate for the stage. Use the aws_api_gateway_client_certificate resource to configure a client certificate.
+	// Supported only for WebSocket APIs.
+	ClientCertificateID *string `json:"clientCertificateId,omitempty" tf:"client_certificate_id,omitempty"`
+
+	// Default route settings for the stage.
+	DefaultRouteSettings []DefaultRouteSettingsObservation `json:"defaultRouteSettings,omitempty" tf:"default_route_settings,omitempty"`
+
+	// Deployment identifier of the stage. Use the aws_apigatewayv2_deployment resource to configure a deployment.
+	DeploymentID *string `json:"deploymentId,omitempty" tf:"deployment_id,omitempty"`
+
+	// Description for the stage. Must be less than or equal to 1024 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// ARN prefix to be used in an aws_lambda_permission's source_arn attribute.
 	// For WebSocket APIs this attribute can additionally be used in an aws_iam_policy to authorize access to the @connections API.
 	// See the Amazon API Gateway Developer Guide for details.
@@ -104,6 +170,15 @@ type StageObservation struct {
 	// e.g., wss://z4675bid1j.execute-api.eu-west-2.amazonaws.com/example-stage, or https://z4675bid1j.execute-api.eu-west-2.amazonaws.com/
 	InvokeURL *string `json:"invokeUrl,omitempty" tf:"invoke_url,omitempty"`
 
+	// Route settings for the stage.
+	RouteSettings []RouteSettingsObservation `json:"routeSettings,omitempty" tf:"route_settings,omitempty"`
+
+	// Map that defines the stage variables for the stage.
+	StageVariables map[string]*string `json:"stageVariables,omitempty" tf:"stage_variables,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/apigatewayv2/v1beta1/zz_vpclink_types.go b/apis/apigatewayv2/v1beta1/zz_vpclink_types.go
index 33bd13cc76..3862924753 100755
--- a/apis/apigatewayv2/v1beta1/zz_vpclink_types.go
+++ b/apis/apigatewayv2/v1beta1/zz_vpclink_types.go
@@ -21,6 +21,18 @@ type VPCLinkObservation struct {
 	// VPC Link identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the VPC Link. Must be between 1 and 128 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Security group IDs for the VPC Link.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Subnet IDs for the VPC Link.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,8 +40,8 @@ type VPCLinkObservation struct {
 type VPCLinkParameters struct {
 
 	// Name of the VPC Link. Must be between 1 and 128 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -95,8 +107,9 @@ type VPCLinkStatus struct {
 type VPCLink struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCLinkSpec   `json:"spec"`
-	Status            VPCLinkStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   VPCLinkSpec   `json:"spec"`
+	Status VPCLinkStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appautoscaling/v1beta1/zz_generated.deepcopy.go b/apis/appautoscaling/v1beta1/zz_generated.deepcopy.go
index 5a979e5400..c249fd4f05 100644
--- a/apis/appautoscaling/v1beta1/zz_generated.deepcopy.go
+++ b/apis/appautoscaling/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,33 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedMetricSpecificationObservation) DeepCopyInto(out *CustomizedMetricSpecificationObservation) {
 	*out = *in
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make([]DimensionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Statistic != nil {
+		in, out := &in.Statistic, &out.Statistic
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedMetricSpecificationObservation.
@@ -74,6 +101,16 @@ func (in *CustomizedMetricSpecificationParameters) DeepCopy() *CustomizedMetricS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DimensionsObservation) DeepCopyInto(out *DimensionsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DimensionsObservation.
@@ -194,6 +231,40 @@ func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyType != nil {
+		in, out := &in.PolicyType, &out.PolicyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalableDimension != nil {
+		in, out := &in.ScalableDimension, &out.ScalableDimension
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceNamespace != nil {
+		in, out := &in.ServiceNamespace, &out.ServiceNamespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.StepScalingPolicyConfiguration != nil {
+		in, out := &in.StepScalingPolicyConfiguration, &out.StepScalingPolicyConfiguration
+		*out = make([]StepScalingPolicyConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetTrackingScalingPolicyConfiguration != nil {
+		in, out := &in.TargetTrackingScalingPolicyConfiguration, &out.TargetTrackingScalingPolicyConfiguration
+		*out = make([]TargetTrackingScalingPolicyConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation.
@@ -327,6 +398,16 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredefinedMetricSpecificationObservation) DeepCopyInto(out *PredefinedMetricSpecificationObservation) {
 	*out = *in
+	if in.PredefinedMetricType != nil {
+		in, out := &in.PredefinedMetricType, &out.PredefinedMetricType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLabel != nil {
+		in, out := &in.ResourceLabel, &out.ResourceLabel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredefinedMetricSpecificationObservation.
@@ -367,6 +448,16 @@ func (in *PredefinedMetricSpecificationParameters) DeepCopy() *PredefinedMetricS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScalableTargetActionObservation) DeepCopyInto(out *ScalableTargetActionObservation) {
 	*out = *in
+	if in.MaxCapacity != nil {
+		in, out := &in.MaxCapacity, &out.MaxCapacity
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinCapacity != nil {
+		in, out := &in.MinCapacity, &out.MinCapacity
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalableTargetActionObservation.
@@ -471,11 +562,58 @@ func (in *ScheduledActionObservation) DeepCopyInto(out *ScheduledActionObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.EndTime != nil {
+		in, out := &in.EndTime, &out.EndTime
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalableDimension != nil {
+		in, out := &in.ScalableDimension, &out.ScalableDimension
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalableTargetAction != nil {
+		in, out := &in.ScalableTargetAction, &out.ScalableTargetAction
+		*out = make([]ScalableTargetActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceNamespace != nil {
+		in, out := &in.ServiceNamespace, &out.ServiceNamespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timezone != nil {
+		in, out := &in.Timezone, &out.Timezone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduledActionObservation.
@@ -622,6 +760,21 @@ func (in *ScheduledActionStatus) DeepCopy() *ScheduledActionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepAdjustmentObservation) DeepCopyInto(out *StepAdjustmentObservation) {
 	*out = *in
+	if in.MetricIntervalLowerBound != nil {
+		in, out := &in.MetricIntervalLowerBound, &out.MetricIntervalLowerBound
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricIntervalUpperBound != nil {
+		in, out := &in.MetricIntervalUpperBound, &out.MetricIntervalUpperBound
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalingAdjustment != nil {
+		in, out := &in.ScalingAdjustment, &out.ScalingAdjustment
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepAdjustmentObservation.
@@ -667,6 +820,33 @@ func (in *StepAdjustmentParameters) DeepCopy() *StepAdjustmentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepScalingPolicyConfigurationObservation) DeepCopyInto(out *StepScalingPolicyConfigurationObservation) {
 	*out = *in
+	if in.AdjustmentType != nil {
+		in, out := &in.AdjustmentType, &out.AdjustmentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Cooldown != nil {
+		in, out := &in.Cooldown, &out.Cooldown
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MetricAggregationType != nil {
+		in, out := &in.MetricAggregationType, &out.MetricAggregationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinAdjustmentMagnitude != nil {
+		in, out := &in.MinAdjustmentMagnitude, &out.MinAdjustmentMagnitude
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StepAdjustment != nil {
+		in, out := &in.StepAdjustment, &out.StepAdjustment
+		*out = make([]StepAdjustmentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepScalingPolicyConfigurationObservation.
@@ -788,6 +968,36 @@ func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxCapacity != nil {
+		in, out := &in.MaxCapacity, &out.MaxCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinCapacity != nil {
+		in, out := &in.MinCapacity, &out.MinCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalableDimension != nil {
+		in, out := &in.ScalableDimension, &out.ScalableDimension
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceNamespace != nil {
+		in, out := &in.ServiceNamespace, &out.ServiceNamespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
@@ -897,6 +1107,40 @@ func (in *TargetStatus) DeepCopy() *TargetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetTrackingScalingPolicyConfigurationObservation) DeepCopyInto(out *TargetTrackingScalingPolicyConfigurationObservation) {
 	*out = *in
+	if in.CustomizedMetricSpecification != nil {
+		in, out := &in.CustomizedMetricSpecification, &out.CustomizedMetricSpecification
+		*out = make([]CustomizedMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DisableScaleIn != nil {
+		in, out := &in.DisableScaleIn, &out.DisableScaleIn
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PredefinedMetricSpecification != nil {
+		in, out := &in.PredefinedMetricSpecification, &out.PredefinedMetricSpecification
+		*out = make([]PredefinedMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScaleInCooldown != nil {
+		in, out := &in.ScaleInCooldown, &out.ScaleInCooldown
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ScaleOutCooldown != nil {
+		in, out := &in.ScaleOutCooldown, &out.ScaleOutCooldown
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TargetValue != nil {
+		in, out := &in.TargetValue, &out.TargetValue
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetTrackingScalingPolicyConfigurationObservation.
diff --git a/apis/appautoscaling/v1beta1/zz_policy_types.go b/apis/appautoscaling/v1beta1/zz_policy_types.go
index 93aed66584..57088479df 100755
--- a/apis/appautoscaling/v1beta1/zz_policy_types.go
+++ b/apis/appautoscaling/v1beta1/zz_policy_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type CustomizedMetricSpecificationObservation struct {
+
+	// Configuration block(s) with the dimensions of the metric if the metric was published with dimensions. Detailed below.
+	Dimensions []DimensionsObservation `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// Name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// Statistic of the metric. Valid values: Average, Minimum, Maximum, SampleCount, and Sum.
+	Statistic *string `json:"statistic,omitempty" tf:"statistic,omitempty"`
+
+	// Unit of the metric.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type CustomizedMetricSpecificationParameters struct {
@@ -40,6 +55,12 @@ type CustomizedMetricSpecificationParameters struct {
 }
 
 type DimensionsObservation struct {
+
+	// Name of the dimension.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Value of the dimension.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DimensionsParameters struct {
@@ -62,6 +83,24 @@ type PolicyObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Policy type. Valid values are StepScaling and TargetTrackingScaling. Defaults to StepScaling. Certain services only support only one policy type. For more information see the Target Tracking Scaling Policies and Step Scaling Policies documentation.
+	PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"`
+
+	// Resource type and unique identifier string for the resource associated with the scaling policy. Documentation can be found in the ResourceId parameter at: AWS Application Auto Scaling API Reference
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// Scalable dimension of the scalable target. Documentation can be found in the ScalableDimension parameter at: AWS Application Auto Scaling API Reference
+	ScalableDimension *string `json:"scalableDimension,omitempty" tf:"scalable_dimension,omitempty"`
+
+	// AWS service namespace of the scalable target. Documentation can be found in the ServiceNamespace parameter at: AWS Application Auto Scaling API Reference
+	ServiceNamespace *string `json:"serviceNamespace,omitempty" tf:"service_namespace,omitempty"`
+
+	// Step scaling policy configuration, requires policy_type = "StepScaling" (default). See supported fields below.
+	StepScalingPolicyConfiguration []StepScalingPolicyConfigurationObservation `json:"stepScalingPolicyConfiguration,omitempty" tf:"step_scaling_policy_configuration,omitempty"`
+
+	// Target tracking policy, requires policy_type = "TargetTrackingScaling". See supported fields below.
+	TargetTrackingScalingPolicyConfiguration []TargetTrackingScalingPolicyConfigurationObservation `json:"targetTrackingScalingPolicyConfiguration,omitempty" tf:"target_tracking_scaling_policy_configuration,omitempty"`
 }
 
 type PolicyParameters struct {
@@ -127,6 +166,12 @@ type PolicyParameters struct {
 }
 
 type PredefinedMetricSpecificationObservation struct {
+
+	// Metric type.
+	PredefinedMetricType *string `json:"predefinedMetricType,omitempty" tf:"predefined_metric_type,omitempty"`
+
+	// Reserved for future use if the predefined_metric_type is not ALBRequestCountPerTarget. If the predefined_metric_type is ALBRequestCountPerTarget, you must specify this argument. Documentation can be found at: AWS Predefined Scaling Metric Specification. Must be less than or equal to 1023 characters in length.
+	ResourceLabel *string `json:"resourceLabel,omitempty" tf:"resource_label,omitempty"`
 }
 
 type PredefinedMetricSpecificationParameters struct {
@@ -141,6 +186,15 @@ type PredefinedMetricSpecificationParameters struct {
 }
 
 type StepAdjustmentObservation struct {
+
+	// Lower bound for the difference between the alarm threshold and the CloudWatch metric. Without a value, AWS will treat this bound as negative infinity.
+	MetricIntervalLowerBound *string `json:"metricIntervalLowerBound,omitempty" tf:"metric_interval_lower_bound,omitempty"`
+
+	// Upper bound for the difference between the alarm threshold and the CloudWatch metric. Without a value, AWS will treat this bound as infinity. The upper bound must be greater than the lower bound.
+	MetricIntervalUpperBound *string `json:"metricIntervalUpperBound,omitempty" tf:"metric_interval_upper_bound,omitempty"`
+
+	// Number of members by which to scale, when the adjustment bounds are breached. A positive value scales up. A negative value scales down.
+	ScalingAdjustment *float64 `json:"scalingAdjustment,omitempty" tf:"scaling_adjustment,omitempty"`
 }
 
 type StepAdjustmentParameters struct {
@@ -159,6 +213,21 @@ type StepAdjustmentParameters struct {
 }
 
 type StepScalingPolicyConfigurationObservation struct {
+
+	// Whether the adjustment is an absolute number or a percentage of the current capacity. Valid values are ChangeInCapacity, ExactCapacity, and PercentChangeInCapacity.
+	AdjustmentType *string `json:"adjustmentType,omitempty" tf:"adjustment_type,omitempty"`
+
+	// Amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start.
+	Cooldown *float64 `json:"cooldown,omitempty" tf:"cooldown,omitempty"`
+
+	// Aggregation type for the policy's metrics. Valid values are "Minimum", "Maximum", and "Average". Without a value, AWS will treat the aggregation type as "Average".
+	MetricAggregationType *string `json:"metricAggregationType,omitempty" tf:"metric_aggregation_type,omitempty"`
+
+	// Minimum number to adjust your scalable dimension as a result of a scaling activity. If the adjustment type is PercentChangeInCapacity, the scaling policy changes the scalable dimension of the scalable target by this amount.
+	MinAdjustmentMagnitude *float64 `json:"minAdjustmentMagnitude,omitempty" tf:"min_adjustment_magnitude,omitempty"`
+
+	// Set of adjustments that manage scaling. These have the following structure:
+	StepAdjustment []StepAdjustmentObservation `json:"stepAdjustment,omitempty" tf:"step_adjustment,omitempty"`
 }
 
 type StepScalingPolicyConfigurationParameters struct {
@@ -185,6 +254,24 @@ type StepScalingPolicyConfigurationParameters struct {
 }
 
 type TargetTrackingScalingPolicyConfigurationObservation struct {
+
+	// Custom CloudWatch metric. Documentation can be found  at: AWS Customized Metric Specification. See supported fields below.
+	CustomizedMetricSpecification []CustomizedMetricSpecificationObservation `json:"customizedMetricSpecification,omitempty" tf:"customized_metric_specification,omitempty"`
+
+	// Whether scale in by the target tracking policy is disabled. If the value is true, scale in is disabled and the target tracking policy won't remove capacity from the scalable resource. Otherwise, scale in is enabled and the target tracking policy can remove capacity from the scalable resource. The default value is false.
+	DisableScaleIn *bool `json:"disableScaleIn,omitempty" tf:"disable_scale_in,omitempty"`
+
+	// Predefined metric. See supported fields below.
+	PredefinedMetricSpecification []PredefinedMetricSpecificationObservation `json:"predefinedMetricSpecification,omitempty" tf:"predefined_metric_specification,omitempty"`
+
+	// Amount of time, in seconds, after a scale in activity completes before another scale in activity can start.
+	ScaleInCooldown *float64 `json:"scaleInCooldown,omitempty" tf:"scale_in_cooldown,omitempty"`
+
+	// Amount of time, in seconds, after a scale out activity completes before another scale out activity can start.
+	ScaleOutCooldown *float64 `json:"scaleOutCooldown,omitempty" tf:"scale_out_cooldown,omitempty"`
+
+	// Target value for the metric.
+	TargetValue *float64 `json:"targetValue,omitempty" tf:"target_value,omitempty"`
 }
 
 type TargetTrackingScalingPolicyConfigurationParameters struct {
diff --git a/apis/appautoscaling/v1beta1/zz_scheduledaction_types.go b/apis/appautoscaling/v1beta1/zz_scheduledaction_types.go
index 84fbc4db79..a11d37cb31 100755
--- a/apis/appautoscaling/v1beta1/zz_scheduledaction_types.go
+++ b/apis/appautoscaling/v1beta1/zz_scheduledaction_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ScalableTargetActionObservation struct {
+
+	// Maximum capacity. At least one of max_capacity or min_capacity must be set.
+	MaxCapacity *string `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
+
+	// Minimum capacity. At least one of min_capacity or max_capacity must be set.
+	MinCapacity *string `json:"minCapacity,omitempty" tf:"min_capacity,omitempty"`
 }
 
 type ScalableTargetActionParameters struct {
@@ -32,7 +38,34 @@ type ScheduledActionObservation struct {
 	// ARN of the scheduled action.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Date and time for the scheduled action to end in RFC 3339 format. The timezone is not affected by the setting of timezone.
+	EndTime *string `json:"endTime,omitempty" tf:"end_time,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the scheduled action.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Identifier of the resource associated with the scheduled action. Documentation can be found in the ResourceId parameter at: AWS Application Auto Scaling API Reference
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// Scalable dimension. Documentation can be found in the ScalableDimension parameter at: AWS Application Auto Scaling API Reference Example: ecs:service:DesiredCount
+	ScalableDimension *string `json:"scalableDimension,omitempty" tf:"scalable_dimension,omitempty"`
+
+	// New minimum and maximum capacity. You can set both values or just one. See below
+	ScalableTargetAction []ScalableTargetActionObservation `json:"scalableTargetAction,omitempty" tf:"scalable_target_action,omitempty"`
+
+	// Schedule for this action. The following formats are supported: At expressions - at(yyyy-mm-ddThh:mm:ss), Rate expressions - rate(valueunit), Cron expressions - cron(fields). Times for at expressions and cron expressions are evaluated using the time zone configured in timezone. Documentation can be found in the Timezone parameter at: AWS Application Auto Scaling API Reference
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// Namespace of the AWS service. Documentation can be found in the ServiceNamespace parameter at: AWS Application Auto Scaling API Reference Example: ecs
+	ServiceNamespace *string `json:"serviceNamespace,omitempty" tf:"service_namespace,omitempty"`
+
+	// Date and time for the scheduled action to start in RFC 3339 format. The timezone is not affected by the setting of timezone.
+	StartTime *string `json:"startTime,omitempty" tf:"start_time,omitempty"`
+
+	// Time zone used when setting a scheduled action by using an at or cron expression. Does not affect timezone for start_time and end_time. Valid values are the canonical names of the IANA time zones supported by Joda-Time, such as Etc/GMT+9 or Pacific/Tahiti. Default is UTC.
+	Timezone *string `json:"timezone,omitempty" tf:"timezone,omitempty"`
 }
 
 type ScheduledActionParameters struct {
@@ -42,8 +75,8 @@ type ScheduledActionParameters struct {
 	EndTime *string `json:"endTime,omitempty" tf:"end_time,omitempty"`
 
 	// Name of the scheduled action.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -79,12 +112,12 @@ type ScheduledActionParameters struct {
 	ScalableDimensionSelector *v1.Selector `json:"scalableDimensionSelector,omitempty" tf:"-"`
 
 	// New minimum and maximum capacity. You can set both values or just one. See below
-	// +kubebuilder:validation:Required
-	ScalableTargetAction []ScalableTargetActionParameters `json:"scalableTargetAction" tf:"scalable_target_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	ScalableTargetAction []ScalableTargetActionParameters `json:"scalableTargetAction,omitempty" tf:"scalable_target_action,omitempty"`
 
 	// Schedule for this action. The following formats are supported: At expressions - at(yyyy-mm-ddThh:mm:ss), Rate expressions - rate(valueunit), Cron expressions - cron(fields). Times for at expressions and cron expressions are evaluated using the time zone configured in timezone. Documentation can be found in the Timezone parameter at: AWS Application Auto Scaling API Reference
-	// +kubebuilder:validation:Required
-	Schedule *string `json:"schedule" tf:"schedule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
 
 	// Namespace of the AWS service. Documentation can be found in the ServiceNamespace parameter at: AWS Application Auto Scaling API Reference Example: ecs
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/appautoscaling/v1beta1.Target
@@ -133,8 +166,11 @@ type ScheduledActionStatus struct {
 type ScheduledAction struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ScheduledActionSpec   `json:"spec"`
-	Status            ScheduledActionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scalableTargetAction)",message="scalableTargetAction is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)",message="schedule is a required parameter"
+	Spec   ScheduledActionSpec   `json:"spec"`
+	Status ScheduledActionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appautoscaling/v1beta1/zz_target_types.go b/apis/appautoscaling/v1beta1/zz_target_types.go
index bbe9794ec6..d9592342c7 100755
--- a/apis/appautoscaling/v1beta1/zz_target_types.go
+++ b/apis/appautoscaling/v1beta1/zz_target_types.go
@@ -15,17 +15,35 @@ import (
 
 type TargetObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Max capacity of the scalable target.
+	MaxCapacity *float64 `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
+
+	// Min capacity of the scalable target.
+	MinCapacity *float64 `json:"minCapacity,omitempty" tf:"min_capacity,omitempty"`
+
+	// Resource type and unique identifier string for the resource associated with the scaling policy. Documentation can be found in the ResourceId parameter at: AWS Application Auto Scaling API Reference
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// ARN of the IAM role that allows Application AutoScaling to modify your scalable target on your behalf. This defaults to an IAM Service-Linked Role for most services and custom IAM Roles are ignored by the API for those namespaces. See the AWS Application Auto Scaling documentation for more information about how this service interacts with IAM.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Scalable dimension of the scalable target. Documentation can be found in the ScalableDimension parameter at: AWS Application Auto Scaling API Reference
+	ScalableDimension *string `json:"scalableDimension,omitempty" tf:"scalable_dimension,omitempty"`
+
+	// AWS service namespace of the scalable target. Documentation can be found in the ServiceNamespace parameter at: AWS Application Auto Scaling API Reference
+	ServiceNamespace *string `json:"serviceNamespace,omitempty" tf:"service_namespace,omitempty"`
 }
 
 type TargetParameters struct {
 
 	// Max capacity of the scalable target.
-	// +kubebuilder:validation:Required
-	MaxCapacity *float64 `json:"maxCapacity" tf:"max_capacity,omitempty"`
+	// +kubebuilder:validation:Optional
+	MaxCapacity *float64 `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
 
 	// Min capacity of the scalable target.
-	// +kubebuilder:validation:Required
-	MinCapacity *float64 `json:"minCapacity" tf:"min_capacity,omitempty"`
+	// +kubebuilder:validation:Optional
+	MinCapacity *float64 `json:"minCapacity,omitempty" tf:"min_capacity,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,8 +101,10 @@ type TargetStatus struct {
 type Target struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TargetSpec   `json:"spec"`
-	Status            TargetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxCapacity)",message="maxCapacity is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.minCapacity)",message="minCapacity is a required parameter"
+	Spec   TargetSpec   `json:"spec"`
+	Status TargetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appconfig/v1beta1/zz_application_types.go b/apis/appconfig/v1beta1/zz_application_types.go
index 1b0b8479f1..c4efd71919 100755
--- a/apis/appconfig/v1beta1/zz_application_types.go
+++ b/apis/appconfig/v1beta1/zz_application_types.go
@@ -18,9 +18,18 @@ type ApplicationObservation struct {
 	// ARN of the AppConfig Application.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the application. Can be at most 1024 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// AppConfig application ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name for the application. Must be between 1 and 64 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +41,8 @@ type ApplicationParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Name for the application. Must be between 1 and 64 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +78,9 @@ type ApplicationStatus struct {
 type Application struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ApplicationSpec   `json:"spec"`
-	Status            ApplicationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ApplicationSpec   `json:"spec"`
+	Status ApplicationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appconfig/v1beta1/zz_configurationprofile_types.go b/apis/appconfig/v1beta1/zz_configurationprofile_types.go
index ab4ac9f59b..684251a725 100755
--- a/apis/appconfig/v1beta1/zz_configurationprofile_types.go
+++ b/apis/appconfig/v1beta1/zz_configurationprofile_types.go
@@ -15,17 +15,41 @@ import (
 
 type ConfigurationProfileObservation struct {
 
+	// Application ID. Must be between 4 and 7 characters in length.
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
+
 	// ARN of the AppConfig Configuration Profile.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The configuration profile ID.
 	ConfigurationProfileID *string `json:"configurationProfileId,omitempty" tf:"configuration_profile_id,omitempty"`
 
+	// Description of the configuration profile. Can be at most 1024 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// AppConfig configuration profile ID and application ID separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// URI to locate the configuration. You can specify the AWS AppConfig hosted configuration store, Systems Manager (SSM) document, an SSM Parameter Store parameter, or an Amazon S3 object. For the hosted configuration store, specify hosted. For an SSM document, specify either the document name in the format ssm-document://<Document_name> or the ARN. For a parameter, specify either the parameter name in the format ssm-parameter://<Parameter_name> or the ARN. For an Amazon S3 object, specify the URI in the following format: s3://<bucket>/<objectKey>.
+	LocationURI *string `json:"locationUri,omitempty" tf:"location_uri,omitempty"`
+
+	// Name for the configuration profile. Must be between 1 and 64 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ARN of an IAM role with permission to access the configuration at the specified location_uri. A retrieval role ARN is not required for configurations stored in the AWS AppConfig hosted configuration store. It is required for all other sources that store your configuration.
+	RetrievalRoleArn *string `json:"retrievalRoleArn,omitempty" tf:"retrieval_role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Type of configurations contained in the profile. Valid values: AWS.AppConfig.FeatureFlags and AWS.Freeform.  Default: AWS.Freeform.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Set of methods for validating the configuration. Maximum of 2. See Validator below for more details.
+	Validator []ValidatorObservation `json:"validator,omitempty" tf:"validator,omitempty"`
 }
 
 type ConfigurationProfileParameters struct {
@@ -49,12 +73,12 @@ type ConfigurationProfileParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// URI to locate the configuration. You can specify the AWS AppConfig hosted configuration store, Systems Manager (SSM) document, an SSM Parameter Store parameter, or an Amazon S3 object. For the hosted configuration store, specify hosted. For an SSM document, specify either the document name in the format ssm-document://<Document_name> or the ARN. For a parameter, specify either the parameter name in the format ssm-parameter://<Parameter_name> or the ARN. For an Amazon S3 object, specify the URI in the following format: s3://<bucket>/<objectKey>.
-	// +kubebuilder:validation:Required
-	LocationURI *string `json:"locationUri" tf:"location_uri,omitempty"`
+	// +kubebuilder:validation:Optional
+	LocationURI *string `json:"locationUri,omitempty" tf:"location_uri,omitempty"`
 
 	// Name for the configuration profile. Must be between 1 and 64 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -89,6 +113,9 @@ type ConfigurationProfileParameters struct {
 }
 
 type ValidatorObservation struct {
+
+	// Type of validator. Valid values: JSON_SCHEMA and LAMBDA.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ValidatorParameters struct {
@@ -126,8 +153,10 @@ type ConfigurationProfileStatus struct {
 type ConfigurationProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConfigurationProfileSpec   `json:"spec"`
-	Status            ConfigurationProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.locationUri)",message="locationUri is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ConfigurationProfileSpec   `json:"spec"`
+	Status ConfigurationProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appconfig/v1beta1/zz_deployment_types.go b/apis/appconfig/v1beta1/zz_deployment_types.go
index 53a58d45a2..e3bedc0b8e 100755
--- a/apis/appconfig/v1beta1/zz_deployment_types.go
+++ b/apis/appconfig/v1beta1/zz_deployment_types.go
@@ -15,18 +15,39 @@ import (
 
 type DeploymentObservation struct {
 
+	// Application ID. Must be between 4 and 7 characters in length.
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
+
 	// ARN of the AppConfig Deployment.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration profile ID. Must be between 4 and 7 characters in length.
+	ConfigurationProfileID *string `json:"configurationProfileId,omitempty" tf:"configuration_profile_id,omitempty"`
+
+	// Configuration version to deploy. Can be at most 1024 characters.
+	ConfigurationVersion *string `json:"configurationVersion,omitempty" tf:"configuration_version,omitempty"`
+
 	// Deployment number.
 	DeploymentNumber *float64 `json:"deploymentNumber,omitempty" tf:"deployment_number,omitempty"`
 
+	// Deployment strategy ID or name of a predefined deployment strategy. See Predefined Deployment Strategies for more details.
+	DeploymentStrategyID *string `json:"deploymentStrategyId,omitempty" tf:"deployment_strategy_id,omitempty"`
+
+	// Description of the deployment. Can be at most 1024 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Environment ID. Must be between 4 and 7 characters in length.
+	EnvironmentID *string `json:"environmentId,omitempty" tf:"environment_id,omitempty"`
+
 	// AppConfig application ID, environment ID, and deployment number separated by a slash (/).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// State of the deployment.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/appconfig/v1beta1/zz_deploymentstrategy_types.go b/apis/appconfig/v1beta1/zz_deploymentstrategy_types.go
index e66b084c15..68ebdcf800 100755
--- a/apis/appconfig/v1beta1/zz_deploymentstrategy_types.go
+++ b/apis/appconfig/v1beta1/zz_deploymentstrategy_types.go
@@ -18,9 +18,33 @@ type DeploymentStrategyObservation struct {
 	// ARN of the AppConfig Deployment Strategy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Total amount of time for a deployment to last. Minimum value of 0, maximum value of 1440.
+	DeploymentDurationInMinutes *float64 `json:"deploymentDurationInMinutes,omitempty" tf:"deployment_duration_in_minutes,omitempty"`
+
+	// Description of the deployment strategy. Can be at most 1024 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Amount of time AWS AppConfig monitors for alarms before considering the deployment to be complete and no longer eligible for automatic roll back. Minimum value of 0, maximum value of 1440.
+	FinalBakeTimeInMinutes *float64 `json:"finalBakeTimeInMinutes,omitempty" tf:"final_bake_time_in_minutes,omitempty"`
+
+	// Percentage of targets to receive a deployed configuration during each interval. Minimum value of 1.0, maximum value of 100.0.
+	GrowthFactor *float64 `json:"growthFactor,omitempty" tf:"growth_factor,omitempty"`
+
+	// Algorithm used to define how percentage grows over time. Valid value: LINEAR and EXPONENTIAL. Defaults to LINEAR.
+	GrowthType *string `json:"growthType,omitempty" tf:"growth_type,omitempty"`
+
 	// AppConfig deployment strategy ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name for the deployment strategy. Must be between 1 and 64 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Where to save the deployment strategy. Valid values: NONE and SSM_DOCUMENT.
+	ReplicateTo *string `json:"replicateTo,omitempty" tf:"replicate_to,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,8 +52,8 @@ type DeploymentStrategyObservation struct {
 type DeploymentStrategyParameters struct {
 
 	// Total amount of time for a deployment to last. Minimum value of 0, maximum value of 1440.
-	// +kubebuilder:validation:Required
-	DeploymentDurationInMinutes *float64 `json:"deploymentDurationInMinutes" tf:"deployment_duration_in_minutes,omitempty"`
+	// +kubebuilder:validation:Optional
+	DeploymentDurationInMinutes *float64 `json:"deploymentDurationInMinutes,omitempty" tf:"deployment_duration_in_minutes,omitempty"`
 
 	// Description of the deployment strategy. Can be at most 1024 characters.
 	// +kubebuilder:validation:Optional
@@ -40,16 +64,16 @@ type DeploymentStrategyParameters struct {
 	FinalBakeTimeInMinutes *float64 `json:"finalBakeTimeInMinutes,omitempty" tf:"final_bake_time_in_minutes,omitempty"`
 
 	// Percentage of targets to receive a deployed configuration during each interval. Minimum value of 1.0, maximum value of 100.0.
-	// +kubebuilder:validation:Required
-	GrowthFactor *float64 `json:"growthFactor" tf:"growth_factor,omitempty"`
+	// +kubebuilder:validation:Optional
+	GrowthFactor *float64 `json:"growthFactor,omitempty" tf:"growth_factor,omitempty"`
 
 	// Algorithm used to define how percentage grows over time. Valid value: LINEAR and EXPONENTIAL. Defaults to LINEAR.
 	// +kubebuilder:validation:Optional
 	GrowthType *string `json:"growthType,omitempty" tf:"growth_type,omitempty"`
 
 	// Name for the deployment strategy. Must be between 1 and 64 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -57,8 +81,8 @@ type DeploymentStrategyParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Where to save the deployment strategy. Valid values: NONE and SSM_DOCUMENT.
-	// +kubebuilder:validation:Required
-	ReplicateTo *string `json:"replicateTo" tf:"replicate_to,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReplicateTo *string `json:"replicateTo,omitempty" tf:"replicate_to,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -89,8 +113,12 @@ type DeploymentStrategyStatus struct {
 type DeploymentStrategy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DeploymentStrategySpec   `json:"spec"`
-	Status            DeploymentStrategyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deploymentDurationInMinutes)",message="deploymentDurationInMinutes is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.growthFactor)",message="growthFactor is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicateTo)",message="replicateTo is a required parameter"
+	Spec   DeploymentStrategySpec   `json:"spec"`
+	Status DeploymentStrategyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appconfig/v1beta1/zz_environment_types.go b/apis/appconfig/v1beta1/zz_environment_types.go
index d0fd90b717..6e936595a6 100755
--- a/apis/appconfig/v1beta1/zz_environment_types.go
+++ b/apis/appconfig/v1beta1/zz_environment_types.go
@@ -15,19 +15,34 @@ import (
 
 type EnvironmentObservation struct {
 
+	// AppConfig application ID. Must be between 4 and 7 characters in length.
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
+
 	// ARN of the AppConfig Environment.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the environment. Can be at most 1024 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// AppConfig environment ID.
 	EnvironmentID *string `json:"environmentId,omitempty" tf:"environment_id,omitempty"`
 
 	// AppConfig environment ID and application ID separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Set of Amazon CloudWatch alarms to monitor during the deployment process. Maximum of 5. See Monitor below for more details.
+	Monitor []MonitorObservation `json:"monitor,omitempty" tf:"monitor,omitempty"`
+
+	// Name for the environment. Must be between 1 and 64 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// State of the environment. Possible values are READY_FOR_DEPLOYMENT, DEPLOYING, ROLLING_BACK
 	// or ROLLED_BACK.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -57,8 +72,8 @@ type EnvironmentParameters struct {
 	Monitor []MonitorParameters `json:"monitor,omitempty" tf:"monitor,omitempty"`
 
 	// Name for the environment. Must be between 1 and 64 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -71,6 +86,12 @@ type EnvironmentParameters struct {
 }
 
 type MonitorObservation struct {
+
+	// ARN of the Amazon CloudWatch alarm.
+	AlarmArn *string `json:"alarmArn,omitempty" tf:"alarm_arn,omitempty"`
+
+	// ARN of an IAM role for AWS AppConfig to monitor alarm_arn.
+	AlarmRoleArn *string `json:"alarmRoleArn,omitempty" tf:"alarm_role_arn,omitempty"`
 }
 
 type MonitorParameters struct {
@@ -128,8 +149,9 @@ type EnvironmentStatus struct {
 type Environment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EnvironmentSpec   `json:"spec"`
-	Status            EnvironmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   EnvironmentSpec   `json:"spec"`
+	Status EnvironmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appconfig/v1beta1/zz_extension_types.go b/apis/appconfig/v1beta1/zz_extension_types.go
index 5f9018d75d..9bfe437d54 100755
--- a/apis/appconfig/v1beta1/zz_extension_types.go
+++ b/apis/appconfig/v1beta1/zz_extension_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type ActionObservation struct {
+
+	// Information about the action.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The action name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// An Amazon Resource Name (ARN) for an Identity and Access Management assume role.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The extension URI associated to the action point in the extension definition. The URI can be an Amazon Resource Name (ARN) for one of the following: an Lambda function, an Amazon Simple Queue Service queue, an Amazon Simple Notification Service topic, or the Amazon EventBridge default event bus.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type ActionParameters struct {
@@ -56,6 +68,12 @@ type ActionParameters struct {
 }
 
 type ActionPointObservation struct {
+
+	// An action defines the tasks the extension performs during the AppConfig workflow. Detailed below.
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// The point at which to perform the defined actions. Valid points are PRE_CREATE_HOSTED_CONFIGURATION_VERSION, PRE_START_DEPLOYMENT, ON_DEPLOYMENT_START, ON_DEPLOYMENT_STEP, ON_DEPLOYMENT_BAKING, ON_DEPLOYMENT_COMPLETE, ON_DEPLOYMENT_ROLLED_BACK.
+	Point *string `json:"point,omitempty" tf:"point,omitempty"`
 }
 
 type ActionPointParameters struct {
@@ -71,12 +89,27 @@ type ActionPointParameters struct {
 
 type ExtensionObservation struct {
 
+	// The action points defined in the extension. Detailed below.
+	ActionPoint []ActionPointObservation `json:"actionPoint,omitempty" tf:"action_point,omitempty"`
+
 	// ARN of the AppConfig Extension.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Information about the extension.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// AppConfig Extension ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A name for the extension. Each extension name in your account must be unique. Extension versions use the same name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The parameters accepted by the extension. You specify parameter values when you associate the extension to an AppConfig resource by using the CreateExtensionAssociation API action. For Lambda extension actions, these parameters are included in the Lambda request object. Detailed below.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The version number for the extension.
@@ -86,16 +119,16 @@ type ExtensionObservation struct {
 type ExtensionParameters struct {
 
 	// The action points defined in the extension. Detailed below.
-	// +kubebuilder:validation:Required
-	ActionPoint []ActionPointParameters `json:"actionPoint" tf:"action_point,omitempty"`
+	// +kubebuilder:validation:Optional
+	ActionPoint []ActionPointParameters `json:"actionPoint,omitempty" tf:"action_point,omitempty"`
 
 	// Information about the extension.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A name for the extension. Each extension name in your account must be unique. Extension versions use the same name.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The parameters accepted by the extension. You specify parameter values when you associate the extension to an AppConfig resource by using the CreateExtensionAssociation API action. For Lambda extension actions, these parameters are included in the Lambda request object. Detailed below.
 	// +kubebuilder:validation:Optional
@@ -112,6 +145,15 @@ type ExtensionParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// Information about the parameter.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The parameter name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Determines if a parameter value must be specified in the extension association.
+	Required *bool `json:"required,omitempty" tf:"required,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -153,8 +195,10 @@ type ExtensionStatus struct {
 type Extension struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ExtensionSpec   `json:"spec"`
-	Status            ExtensionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actionPoint)",message="actionPoint is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ExtensionSpec   `json:"spec"`
+	Status ExtensionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appconfig/v1beta1/zz_extensionassociation_types.go b/apis/appconfig/v1beta1/zz_extensionassociation_types.go
index fd2fefc5ad..6c740bfbee 100755
--- a/apis/appconfig/v1beta1/zz_extensionassociation_types.go
+++ b/apis/appconfig/v1beta1/zz_extensionassociation_types.go
@@ -18,11 +18,20 @@ type ExtensionAssociationObservation struct {
 	// ARN of the AppConfig Extension Association.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ARN of the extension defined in the association.
+	ExtensionArn *string `json:"extensionArn,omitempty" tf:"extension_arn,omitempty"`
+
 	// The version number for the extension defined in the association.
 	ExtensionVersion *float64 `json:"extensionVersion,omitempty" tf:"extension_version,omitempty"`
 
 	// AppConfig Extension Association ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The parameter names and values defined for the association.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The ARN of the application, configuration profile, or environment to associate with the extension.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type ExtensionAssociationParameters struct {
diff --git a/apis/appconfig/v1beta1/zz_generated.deepcopy.go b/apis/appconfig/v1beta1/zz_generated.deepcopy.go
index 6e7c399b4f..cdbb72105d 100644
--- a/apis/appconfig/v1beta1/zz_generated.deepcopy.go
+++ b/apis/appconfig/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,26 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -87,6 +107,18 @@ func (in *ActionParameters) DeepCopy() *ActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionPointObservation) DeepCopyInto(out *ActionPointObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Point != nil {
+		in, out := &in.Point, &out.Point
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionPointObservation.
@@ -193,11 +225,36 @@ func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -366,6 +423,11 @@ func (in *ConfigurationProfileList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationProfileObservation) DeepCopyInto(out *ConfigurationProfileObservation) {
 	*out = *in
+	if in.ApplicationID != nil {
+		in, out := &in.ApplicationID, &out.ApplicationID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -376,11 +438,46 @@ func (in *ConfigurationProfileObservation) DeepCopyInto(out *ConfigurationProfil
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LocationURI != nil {
+		in, out := &in.LocationURI, &out.LocationURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetrievalRoleArn != nil {
+		in, out := &in.RetrievalRoleArn, &out.RetrievalRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -396,6 +493,18 @@ func (in *ConfigurationProfileObservation) DeepCopyInto(out *ConfigurationProfil
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Validator != nil {
+		in, out := &in.Validator, &out.Validator
+		*out = make([]ValidatorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationProfileObservation.
@@ -596,16 +705,46 @@ func (in *DeploymentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentObservation) DeepCopyInto(out *DeploymentObservation) {
 	*out = *in
+	if in.ApplicationID != nil {
+		in, out := &in.ApplicationID, &out.ApplicationID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConfigurationProfileID != nil {
+		in, out := &in.ConfigurationProfileID, &out.ConfigurationProfileID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConfigurationVersion != nil {
+		in, out := &in.ConfigurationVersion, &out.ConfigurationVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.DeploymentNumber != nil {
 		in, out := &in.DeploymentNumber, &out.DeploymentNumber
 		*out = new(float64)
 		**out = **in
 	}
+	if in.DeploymentStrategyID != nil {
+		in, out := &in.DeploymentStrategyID, &out.DeploymentStrategyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnvironmentID != nil {
+		in, out := &in.EnvironmentID, &out.EnvironmentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -616,6 +755,21 @@ func (in *DeploymentObservation) DeepCopyInto(out *DeploymentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -859,11 +1013,61 @@ func (in *DeploymentStrategyObservation) DeepCopyInto(out *DeploymentStrategyObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeploymentDurationInMinutes != nil {
+		in, out := &in.DeploymentDurationInMinutes, &out.DeploymentDurationInMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.FinalBakeTimeInMinutes != nil {
+		in, out := &in.FinalBakeTimeInMinutes, &out.FinalBakeTimeInMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GrowthFactor != nil {
+		in, out := &in.GrowthFactor, &out.GrowthFactor
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GrowthType != nil {
+		in, out := &in.GrowthType, &out.GrowthType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplicateTo != nil {
+		in, out := &in.ReplicateTo, &out.ReplicateTo
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1057,11 +1261,21 @@ func (in *EnvironmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvironmentObservation) DeepCopyInto(out *EnvironmentObservation) {
 	*out = *in
+	if in.ApplicationID != nil {
+		in, out := &in.ApplicationID, &out.ApplicationID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.EnvironmentID != nil {
 		in, out := &in.EnvironmentID, &out.EnvironmentID
 		*out = new(string)
@@ -1072,11 +1286,38 @@ func (in *EnvironmentObservation) DeepCopyInto(out *EnvironmentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Monitor != nil {
+		in, out := &in.Monitor, &out.Monitor
+		*out = make([]MonitorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1299,6 +1540,11 @@ func (in *ExtensionAssociationObservation) DeepCopyInto(out *ExtensionAssociatio
 		*out = new(string)
 		**out = **in
 	}
+	if in.ExtensionArn != nil {
+		in, out := &in.ExtensionArn, &out.ExtensionArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ExtensionVersion != nil {
 		in, out := &in.ExtensionVersion, &out.ExtensionVersion
 		*out = new(float64)
@@ -1309,6 +1555,26 @@ func (in *ExtensionAssociationObservation) DeepCopyInto(out *ExtensionAssociatio
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtensionAssociationObservation.
@@ -1455,16 +1721,55 @@ func (in *ExtensionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExtensionObservation) DeepCopyInto(out *ExtensionObservation) {
 	*out = *in
+	if in.ActionPoint != nil {
+		in, out := &in.ActionPoint, &out.ActionPoint
+		*out = make([]ActionPointObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1652,11 +1957,31 @@ func (in *HostedConfigurationVersionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostedConfigurationVersionObservation) DeepCopyInto(out *HostedConfigurationVersionObservation) {
 	*out = *in
+	if in.ApplicationID != nil {
+		in, out := &in.ApplicationID, &out.ApplicationID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConfigurationProfileID != nil {
+		in, out := &in.ConfigurationProfileID, &out.ConfigurationProfileID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1777,6 +2102,16 @@ func (in *HostedConfigurationVersionStatus) DeepCopy() *HostedConfigurationVersi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MonitorObservation) DeepCopyInto(out *MonitorObservation) {
 	*out = *in
+	if in.AlarmArn != nil {
+		in, out := &in.AlarmArn, &out.AlarmArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AlarmRoleArn != nil {
+		in, out := &in.AlarmRoleArn, &out.AlarmRoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MonitorObservation.
@@ -1837,6 +2172,21 @@ func (in *MonitorParameters) DeepCopy() *MonitorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Required != nil {
+		in, out := &in.Required, &out.Required
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -1882,6 +2232,11 @@ func (in *ParameterParameters) DeepCopy() *ParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidatorObservation) DeepCopyInto(out *ValidatorObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidatorObservation.
diff --git a/apis/appconfig/v1beta1/zz_hostedconfigurationversion_types.go b/apis/appconfig/v1beta1/zz_hostedconfigurationversion_types.go
index 6a4cf2c5c6..636ca8f0d9 100755
--- a/apis/appconfig/v1beta1/zz_hostedconfigurationversion_types.go
+++ b/apis/appconfig/v1beta1/zz_hostedconfigurationversion_types.go
@@ -15,9 +15,21 @@ import (
 
 type HostedConfigurationVersionObservation struct {
 
+	// Application ID.
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
+
 	// ARN of the AppConfig  hosted configuration version.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration profile ID.
+	ConfigurationProfileID *string `json:"configurationProfileId,omitempty" tf:"configuration_profile_id,omitempty"`
+
+	// Standard MIME type describing the format of the configuration content. For more information, see Content-Type.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Description of the configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// AppConfig application ID, configuration profile ID, and version number separated by a slash (/).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -56,12 +68,12 @@ type HostedConfigurationVersionParameters struct {
 	ConfigurationProfileIDSelector *v1.Selector `json:"configurationProfileIdSelector,omitempty" tf:"-"`
 
 	// Content of the configuration or the configuration data.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	ContentSecretRef v1.SecretKeySelector `json:"contentSecretRef" tf:"-"`
 
 	// Standard MIME type describing the format of the configuration content. For more information, see Content-Type.
-	// +kubebuilder:validation:Required
-	ContentType *string `json:"contentType" tf:"content_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
 
 	// Description of the configuration.
 	// +kubebuilder:validation:Optional
@@ -97,8 +109,10 @@ type HostedConfigurationVersionStatus struct {
 type HostedConfigurationVersion struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HostedConfigurationVersionSpec   `json:"spec"`
-	Status            HostedConfigurationVersionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentSecretRef)",message="contentSecretRef is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentType)",message="contentType is a required parameter"
+	Spec   HostedConfigurationVersionSpec   `json:"spec"`
+	Status HostedConfigurationVersionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appflow/v1beta1/zz_flow_types.go b/apis/appflow/v1beta1/zz_flow_types.go
index 5e201a1f63..631384fad2 100755
--- a/apis/appflow/v1beta1/zz_flow_types.go
+++ b/apis/appflow/v1beta1/zz_flow_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AggregationConfigObservation struct {
+
+	// Whether Amazon AppFlow aggregates the flow records into a single file, or leave them unaggregated. Valid values are None and SingleFile.
+	AggregationType *string `json:"aggregationType,omitempty" tf:"aggregation_type,omitempty"`
 }
 
 type AggregationConfigParameters struct {
@@ -24,6 +27,9 @@ type AggregationConfigParameters struct {
 }
 
 type AmplitudeObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type AmplitudeParameters struct {
@@ -34,6 +40,54 @@ type AmplitudeParameters struct {
 }
 
 type ConnectorOperatorObservation struct {
+
+	// Information that is required for querying Amplitude. See Generic Source Properties for more details.
+	Amplitude *string `json:"amplitude,omitempty" tf:"amplitude,omitempty"`
+
+	// Properties that are required to query the custom Connector. See Custom Connector Destination Properties for more details.
+	CustomConnector *string `json:"customConnector,omitempty" tf:"custom_connector,omitempty"`
+
+	// Information that is required for querying Datadog. See Generic Source Properties for more details.
+	Datadog *string `json:"datadog,omitempty" tf:"datadog,omitempty"`
+
+	// Operation to be performed on the provided Dynatrace source fields. Valid values are PROJECTION, BETWEEN, EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION, SUBTRACTION, MASK_ALL, MASK_FIRST_N, MASK_LAST_N, VALIDATE_NON_NULL, VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE, VALIDATE_NUMERIC, and NO_OP.
+	Dynatrace *string `json:"dynatrace,omitempty" tf:"dynatrace,omitempty"`
+
+	// Operation to be performed on the provided Google Analytics source fields. Valid values are PROJECTION and BETWEEN.
+	GoogleAnalytics *string `json:"googleAnalytics,omitempty" tf:"google_analytics,omitempty"`
+
+	// Information that is required for querying Infor Nexus. See Generic Source Properties for more details.
+	InforNexus *string `json:"inforNexus,omitempty" tf:"infor_nexus,omitempty"`
+
+	// Properties that are required to query Marketo. See Generic Destination Properties for more details.
+	Marketo *string `json:"marketo,omitempty" tf:"marketo,omitempty"`
+
+	// Properties that are required to query Amazon S3. See S3 Destination Properties for more details.
+	S3 *string `json:"s3,omitempty" tf:"s3,omitempty"`
+
+	// Properties that are required to query Salesforce. See Salesforce Destination Properties for more details.
+	Salesforce *string `json:"salesforce,omitempty" tf:"salesforce,omitempty"`
+
+	// Properties that are required to query SAPOData. See SAPOData Destination Properties for more details.
+	SapoData *string `json:"sapoData,omitempty" tf:"sapo_data,omitempty"`
+
+	// Information that is required for querying ServiceNow. See Generic Source Properties for more details.
+	ServiceNow *string `json:"serviceNow,omitempty" tf:"service_now,omitempty"`
+
+	// Information that is required for querying Singular. See Generic Source Properties for more details.
+	Singular *string `json:"singular,omitempty" tf:"singular,omitempty"`
+
+	// Information that is required for querying Slack. See Generic Source Properties for more details.
+	Slack *string `json:"slack,omitempty" tf:"slack,omitempty"`
+
+	// Operation to be performed on the provided Trend Micro source fields. Valid values are PROJECTION, EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION, SUBTRACTION, MASK_ALL, MASK_FIRST_N, MASK_LAST_N, VALIDATE_NON_NULL, VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE, VALIDATE_NUMERIC, and NO_OP.
+	Trendmicro *string `json:"trendmicro,omitempty" tf:"trendmicro,omitempty"`
+
+	// Information that is required for querying Veeva. See Veeva Source Properties for more details.
+	Veeva *string `json:"veeva,omitempty" tf:"veeva,omitempty"`
+
+	// Properties that are required to query Zendesk. See Zendesk Destination Properties for more details.
+	Zendesk *string `json:"zendesk,omitempty" tf:"zendesk,omitempty"`
 }
 
 type ConnectorOperatorParameters struct {
@@ -104,6 +158,21 @@ type ConnectorOperatorParameters struct {
 }
 
 type CustomConnectorObservation struct {
+
+	// Custom properties that are specific to the connector when it's used as a destination in the flow. Maximum of 50 items.
+	CustomProperties map[string]*string `json:"customProperties,omitempty" tf:"custom_properties,omitempty"`
+
+	// Entity specified in the custom connector as a destination in the flow.
+	EntityName *string `json:"entityName,omitempty" tf:"entity_name,omitempty"`
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []ErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Name of the field that Amazon AppFlow uses as an ID when performing a write operation such as update, delete, or upsert.
+	IDFieldNames []*string `json:"idFieldNames,omitempty" tf:"id_field_names,omitempty"`
+
+	// Type of write operation to be performed in the custom connector when it's used as destination. Valid values are INSERT, UPSERT, UPDATE, and DELETE.
+	WriteOperationType *string `json:"writeOperationType,omitempty" tf:"write_operation_type,omitempty"`
 }
 
 type CustomConnectorParameters struct {
@@ -130,6 +199,12 @@ type CustomConnectorParameters struct {
 }
 
 type CustomerProfilesObservation struct {
+
+	// Unique name of the Amazon Connect Customer Profiles domain.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// Object specified in the Amazon Connect Customer Profiles flow destination.
+	ObjectTypeName *string `json:"objectTypeName,omitempty" tf:"object_type_name,omitempty"`
 }
 
 type CustomerProfilesParameters struct {
@@ -144,6 +219,9 @@ type CustomerProfilesParameters struct {
 }
 
 type DatadogObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type DatadogParameters struct {
@@ -154,6 +232,44 @@ type DatadogParameters struct {
 }
 
 type DestinationConnectorPropertiesObservation struct {
+
+	// Properties that are required to query the custom Connector. See Custom Connector Destination Properties for more details.
+	CustomConnector []CustomConnectorObservation `json:"customConnector,omitempty" tf:"custom_connector,omitempty"`
+
+	// Properties that are required to query Amazon Connect Customer Profiles. See Customer Profiles Destination Properties for more details.
+	CustomerProfiles []CustomerProfilesObservation `json:"customerProfiles,omitempty" tf:"customer_profiles,omitempty"`
+
+	// Properties that are required to query Amazon EventBridge. See Generic Destination Properties for more details.
+	EventBridge []EventBridgeObservation `json:"eventBridge,omitempty" tf:"event_bridge,omitempty"`
+
+	// Properties that are required to query Amazon Honeycode. See Generic Destination Properties for more details.
+	Honeycode []HoneycodeObservation `json:"honeycode,omitempty" tf:"honeycode,omitempty"`
+
+	LookoutMetrics []LookoutMetricsParameters `json:"lookoutMetrics,omitempty" tf:"lookout_metrics,omitempty"`
+
+	// Properties that are required to query Marketo. See Generic Destination Properties for more details.
+	Marketo []MarketoObservation `json:"marketo,omitempty" tf:"marketo,omitempty"`
+
+	// Properties that are required to query Amazon Redshift. See Redshift Destination Properties for more details.
+	Redshift []RedshiftObservation `json:"redshift,omitempty" tf:"redshift,omitempty"`
+
+	// Properties that are required to query Amazon S3. See S3 Destination Properties for more details.
+	S3 []S3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
+
+	// Properties that are required to query Salesforce. See Salesforce Destination Properties for more details.
+	Salesforce []SalesforceObservation `json:"salesforce,omitempty" tf:"salesforce,omitempty"`
+
+	// Properties that are required to query SAPOData. See SAPOData Destination Properties for more details.
+	SapoData []SapoDataObservation `json:"sapoData,omitempty" tf:"sapo_data,omitempty"`
+
+	// Properties that are required to query Snowflake. See Snowflake Destination Properties for more details.
+	Snowflake []SnowflakeObservation `json:"snowflake,omitempty" tf:"snowflake,omitempty"`
+
+	// Properties that are required to query Upsolver. See Upsolver Destination Properties for more details.
+	Upsolver []UpsolverObservation `json:"upsolver,omitempty" tf:"upsolver,omitempty"`
+
+	// Properties that are required to query Zendesk. See Zendesk Destination Properties for more details.
+	Zendesk []ZendeskObservation `json:"zendesk,omitempty" tf:"zendesk,omitempty"`
 }
 
 type DestinationConnectorPropertiesParameters struct {
@@ -211,6 +327,18 @@ type DestinationConnectorPropertiesParameters struct {
 }
 
 type DestinationFlowConfigObservation struct {
+
+	// API version that the destination connector uses.
+	APIVersion *string `json:"apiVersion,omitempty" tf:"api_version,omitempty"`
+
+	// Name of the connector profile. This name must be unique for each connector profile in the AWS account.
+	ConnectorProfileName *string `json:"connectorProfileName,omitempty" tf:"connector_profile_name,omitempty"`
+
+	// Type of connector, such as Salesforce, Amplitude, and so on. Valid values are Salesforce, Singular, Slack, Redshift, S3, Marketo, Googleanalytics, Zendesk, Servicenow, Datadog, Trendmicro, Snowflake, Dynatrace, Infornexus, Amplitude, Veeva, EventBridge, LookoutMetrics, Upsolver, Honeycode, CustomerProfiles, SAPOData, and CustomConnector.
+	ConnectorType *string `json:"connectorType,omitempty" tf:"connector_type,omitempty"`
+
+	// This stores the information that is required to query a particular connector. See Destination Connector Properties for more information.
+	DestinationConnectorProperties []DestinationConnectorPropertiesObservation `json:"destinationConnectorProperties,omitempty" tf:"destination_connector_properties,omitempty"`
 }
 
 type DestinationFlowConfigParameters struct {
@@ -233,6 +361,9 @@ type DestinationFlowConfigParameters struct {
 }
 
 type DynatraceObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type DynatraceParameters struct {
@@ -243,6 +374,15 @@ type DynatraceParameters struct {
 }
 
 type ErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type ErrorHandlingConfigParameters struct {
@@ -261,6 +401,15 @@ type ErrorHandlingConfigParameters struct {
 }
 
 type EventBridgeErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type EventBridgeErrorHandlingConfigParameters struct {
@@ -279,6 +428,12 @@ type EventBridgeErrorHandlingConfigParameters struct {
 }
 
 type EventBridgeObservation struct {
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []EventBridgeErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type EventBridgeParameters struct {
@@ -297,10 +452,31 @@ type FlowObservation struct {
 	// Flow's ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the flow you want to create.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// A Destination Flow Config that controls how Amazon AppFlow places data in the destination connector.
+	DestinationFlowConfig []DestinationFlowConfigObservation `json:"destinationFlowConfig,omitempty" tf:"destination_flow_config,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN (Amazon Resource Name) of the Key Management Service (KMS) key you provide for encryption. This is required if you do not want to use the Amazon AppFlow-managed KMS key. If you don't provide anything here, Amazon AppFlow uses the Amazon AppFlow-managed KMS key.
+	KMSArn *string `json:"kmsArn,omitempty" tf:"kms_arn,omitempty"`
+
+	// The Source Flow Config that controls how Amazon AppFlow retrieves data from the source connector.
+	SourceFlowConfig []SourceFlowConfigObservation `json:"sourceFlowConfig,omitempty" tf:"source_flow_config,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// A Task that Amazon AppFlow performs while transferring the data in the flow run.
+	Task []TaskObservation `json:"task,omitempty" tf:"task,omitempty"`
+
+	// A Trigger that determine how and when the flow runs.
+	TriggerConfig []TriggerConfigObservation `json:"triggerConfig,omitempty" tf:"trigger_config,omitempty"`
 }
 
 type FlowParameters struct {
@@ -310,8 +486,8 @@ type FlowParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A Destination Flow Config that controls how Amazon AppFlow places data in the destination connector.
-	// +kubebuilder:validation:Required
-	DestinationFlowConfig []DestinationFlowConfigParameters `json:"destinationFlowConfig" tf:"destination_flow_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	DestinationFlowConfig []DestinationFlowConfigParameters `json:"destinationFlowConfig,omitempty" tf:"destination_flow_config,omitempty"`
 
 	// ARN (Amazon Resource Name) of the Key Management Service (KMS) key you provide for encryption. This is required if you do not want to use the Amazon AppFlow-managed KMS key. If you don't provide anything here, Amazon AppFlow uses the Amazon AppFlow-managed KMS key.
 	// +kubebuilder:validation:Optional
@@ -323,23 +499,26 @@ type FlowParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The Source Flow Config that controls how Amazon AppFlow retrieves data from the source connector.
-	// +kubebuilder:validation:Required
-	SourceFlowConfig []SourceFlowConfigParameters `json:"sourceFlowConfig" tf:"source_flow_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	SourceFlowConfig []SourceFlowConfigParameters `json:"sourceFlowConfig,omitempty" tf:"source_flow_config,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// A Task that Amazon AppFlow performs while transferring the data in the flow run.
-	// +kubebuilder:validation:Required
-	Task []TaskParameters `json:"task" tf:"task,omitempty"`
+	// +kubebuilder:validation:Optional
+	Task []TaskParameters `json:"task,omitempty" tf:"task,omitempty"`
 
 	// A Trigger that determine how and when the flow runs.
-	// +kubebuilder:validation:Required
-	TriggerConfig []TriggerConfigParameters `json:"triggerConfig" tf:"trigger_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	TriggerConfig []TriggerConfigParameters `json:"triggerConfig,omitempty" tf:"trigger_config,omitempty"`
 }
 
 type GoogleAnalyticsObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type GoogleAnalyticsParameters struct {
@@ -350,6 +529,15 @@ type GoogleAnalyticsParameters struct {
 }
 
 type HoneycodeErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type HoneycodeErrorHandlingConfigParameters struct {
@@ -368,6 +556,12 @@ type HoneycodeErrorHandlingConfigParameters struct {
 }
 
 type HoneycodeObservation struct {
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []HoneycodeErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type HoneycodeParameters struct {
@@ -382,6 +576,9 @@ type HoneycodeParameters struct {
 }
 
 type IncrementalPullConfigObservation struct {
+
+	// Field that specifies the date time or timestamp field as the criteria to use when importing incremental records from the source.
+	DatetimeTypeFieldName *string `json:"datetimeTypeFieldName,omitempty" tf:"datetime_type_field_name,omitempty"`
 }
 
 type IncrementalPullConfigParameters struct {
@@ -392,6 +589,9 @@ type IncrementalPullConfigParameters struct {
 }
 
 type InforNexusObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type InforNexusParameters struct {
@@ -408,6 +608,15 @@ type LookoutMetricsParameters struct {
 }
 
 type MarketoErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type MarketoErrorHandlingConfigParameters struct {
@@ -426,6 +635,12 @@ type MarketoErrorHandlingConfigParameters struct {
 }
 
 type MarketoObservation struct {
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []MarketoErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type MarketoParameters struct {
@@ -440,6 +655,12 @@ type MarketoParameters struct {
 }
 
 type PrefixConfigObservation struct {
+
+	// Determines the level of granularity that's included in the prefix. Valid values are YEAR, MONTH, DAY, HOUR, and MINUTE.
+	PrefixFormat *string `json:"prefixFormat,omitempty" tf:"prefix_format,omitempty"`
+
+	// Determines the format of the prefix, and whether it applies to the file name, file path, or both. Valid values are FILENAME, PATH, and PATH_AND_FILENAME.
+	PrefixType *string `json:"prefixType,omitempty" tf:"prefix_type,omitempty"`
 }
 
 type PrefixConfigParameters struct {
@@ -454,6 +675,15 @@ type PrefixConfigParameters struct {
 }
 
 type RedshiftErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type RedshiftErrorHandlingConfigParameters struct {
@@ -472,6 +702,18 @@ type RedshiftErrorHandlingConfigParameters struct {
 }
 
 type RedshiftObservation struct {
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []RedshiftErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Intermediate bucket that Amazon AppFlow uses when moving data into Amazon Redshift.
+	IntermediateBucketName *string `json:"intermediateBucketName,omitempty" tf:"intermediate_bucket_name,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type RedshiftParameters struct {
@@ -494,6 +736,9 @@ type RedshiftParameters struct {
 }
 
 type S3InputFormatConfigObservation struct {
+
+	// File type that Amazon AppFlow gets from your Amazon S3 bucket. Valid values are CSV and JSON.
+	S3InputFileType *string `json:"s3InputFileType,omitempty" tf:"s3_input_file_type,omitempty"`
 }
 
 type S3InputFormatConfigParameters struct {
@@ -504,9 +749,21 @@ type S3InputFormatConfigParameters struct {
 }
 
 type S3Observation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// Configuration that determines how Amazon AppFlow should format the flow output data when Amazon S3 is used as the destination. See S3 Output Format Config for more details.
+	S3OutputFormatConfig []S3OutputFormatConfigObservation `json:"s3OutputFormatConfig,omitempty" tf:"s3_output_format_config,omitempty"`
 }
 
 type S3OutputFormatConfigAggregationConfigObservation struct {
+
+	// Whether Amazon AppFlow aggregates the flow records into a single file, or leave them unaggregated. Valid values are None and SingleFile.
+	AggregationType *string `json:"aggregationType,omitempty" tf:"aggregation_type,omitempty"`
 }
 
 type S3OutputFormatConfigAggregationConfigParameters struct {
@@ -517,6 +774,15 @@ type S3OutputFormatConfigAggregationConfigParameters struct {
 }
 
 type S3OutputFormatConfigObservation struct {
+
+	// Aggregation settings that you can use to customize the output format of your flow data. See Aggregation Config for more details.
+	AggregationConfig []AggregationConfigObservation `json:"aggregationConfig,omitempty" tf:"aggregation_config,omitempty"`
+
+	// File type that Amazon AppFlow places in the Amazon S3 bucket. Valid values are CSV, JSON, and PARQUET.
+	FileType *string `json:"fileType,omitempty" tf:"file_type,omitempty"`
+
+	// Determines the prefix that Amazon AppFlow applies to the folder name in the Amazon S3 bucket. You can name folders according to the flow frequency and date. See Prefix Config for more details.
+	PrefixConfig []PrefixConfigObservation `json:"prefixConfig,omitempty" tf:"prefix_config,omitempty"`
 }
 
 type S3OutputFormatConfigParameters struct {
@@ -535,6 +801,12 @@ type S3OutputFormatConfigParameters struct {
 }
 
 type S3OutputFormatConfigPrefixConfigObservation struct {
+
+	// Determines the level of granularity that's included in the prefix. Valid values are YEAR, MONTH, DAY, HOUR, and MINUTE.
+	PrefixFormat *string `json:"prefixFormat,omitempty" tf:"prefix_format,omitempty"`
+
+	// Determines the format of the prefix, and whether it applies to the file name, file path, or both. Valid values are FILENAME, PATH, and PATH_AND_FILENAME.
+	PrefixType *string `json:"prefixType,omitempty" tf:"prefix_type,omitempty"`
 }
 
 type S3OutputFormatConfigPrefixConfigParameters struct {
@@ -574,6 +846,15 @@ type S3Parameters struct {
 }
 
 type SalesforceErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type SalesforceErrorHandlingConfigParameters struct {
@@ -592,6 +873,18 @@ type SalesforceErrorHandlingConfigParameters struct {
 }
 
 type SalesforceObservation struct {
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []SalesforceErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Name of the field that Amazon AppFlow uses as an ID when performing a write operation such as update, delete, or upsert.
+	IDFieldNames []*string `json:"idFieldNames,omitempty" tf:"id_field_names,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
+
+	// Type of write operation to be performed in the custom connector when it's used as destination. Valid values are INSERT, UPSERT, UPDATE, and DELETE.
+	WriteOperationType *string `json:"writeOperationType,omitempty" tf:"write_operation_type,omitempty"`
 }
 
 type SalesforceParameters struct {
@@ -614,6 +907,15 @@ type SalesforceParameters struct {
 }
 
 type SapoDataErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type SapoDataErrorHandlingConfigParameters struct {
@@ -632,6 +934,21 @@ type SapoDataErrorHandlingConfigParameters struct {
 }
 
 type SapoDataObservation struct {
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []SapoDataErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Name of the field that Amazon AppFlow uses as an ID when performing a write operation such as update, delete, or upsert.
+	IDFieldNames []*string `json:"idFieldNames,omitempty" tf:"id_field_names,omitempty"`
+
+	// Object path specified in the SAPOData flow destination.
+	ObjectPath *string `json:"objectPath,omitempty" tf:"object_path,omitempty"`
+
+	// Determines how Amazon AppFlow handles the success response that it gets from the connector after placing data. See Success Response Handling Config for more details.
+	SuccessResponseHandlingConfig []SuccessResponseHandlingConfigObservation `json:"successResponseHandlingConfig,omitempty" tf:"success_response_handling_config,omitempty"`
+
+	// Type of write operation to be performed in the custom connector when it's used as destination. Valid values are INSERT, UPSERT, UPDATE, and DELETE.
+	WriteOperationType *string `json:"writeOperationType,omitempty" tf:"write_operation_type,omitempty"`
 }
 
 type SapoDataParameters struct {
@@ -658,6 +975,27 @@ type SapoDataParameters struct {
 }
 
 type ScheduledObservation struct {
+
+	// Whether a scheduled flow has an incremental data transfer or a complete data transfer for each flow run. Valid values are Incremental and Complete.
+	DataPullMode *string `json:"dataPullMode,omitempty" tf:"data_pull_mode,omitempty"`
+
+	// Date range for the records to import from the connector in the first flow run. Must be a valid RFC3339 timestamp.
+	FirstExecutionFrom *string `json:"firstExecutionFrom,omitempty" tf:"first_execution_from,omitempty"`
+
+	// Scheduled end time for a schedule-triggered flow. Must be a valid RFC3339 timestamp.
+	ScheduleEndTime *string `json:"scheduleEndTime,omitempty" tf:"schedule_end_time,omitempty"`
+
+	// Scheduling expression that determines the rate at which the schedule will run, for example rate(5minutes).
+	ScheduleExpression *string `json:"scheduleExpression,omitempty" tf:"schedule_expression,omitempty"`
+
+	// Optional offset that is added to the time interval for a schedule-triggered flow. Maximum value of 36000.
+	ScheduleOffset *float64 `json:"scheduleOffset,omitempty" tf:"schedule_offset,omitempty"`
+
+	// Scheduled start time for a schedule-triggered flow. Must be a valid RFC3339 timestamp.
+	ScheduleStartTime *string `json:"scheduleStartTime,omitempty" tf:"schedule_start_time,omitempty"`
+
+	// Time zone used when referring to the date and time of a scheduled-triggered flow, such as America/New_York.
+	Timezone *string `json:"timezone,omitempty" tf:"timezone,omitempty"`
 }
 
 type ScheduledParameters struct {
@@ -692,6 +1030,9 @@ type ScheduledParameters struct {
 }
 
 type ServiceNowObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type ServiceNowParameters struct {
@@ -702,6 +1043,9 @@ type ServiceNowParameters struct {
 }
 
 type SingularObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type SingularParameters struct {
@@ -712,6 +1056,9 @@ type SingularParameters struct {
 }
 
 type SlackObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type SlackParameters struct {
@@ -722,6 +1069,15 @@ type SlackParameters struct {
 }
 
 type SnowflakeErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type SnowflakeErrorHandlingConfigParameters struct {
@@ -740,6 +1096,18 @@ type SnowflakeErrorHandlingConfigParameters struct {
 }
 
 type SnowflakeObservation struct {
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []SnowflakeErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Intermediate bucket that Amazon AppFlow uses when moving data into Amazon Redshift.
+	IntermediateBucketName *string `json:"intermediateBucketName,omitempty" tf:"intermediate_bucket_name,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type SnowflakeParameters struct {
@@ -762,6 +1130,12 @@ type SnowflakeParameters struct {
 }
 
 type SourceConnectorPropertiesCustomConnectorObservation struct {
+
+	// Custom properties that are specific to the connector when it's used as a destination in the flow. Maximum of 50 items.
+	CustomProperties map[string]*string `json:"customProperties,omitempty" tf:"custom_properties,omitempty"`
+
+	// Entity specified in the custom connector as a destination in the flow.
+	EntityName *string `json:"entityName,omitempty" tf:"entity_name,omitempty"`
 }
 
 type SourceConnectorPropertiesCustomConnectorParameters struct {
@@ -776,6 +1150,9 @@ type SourceConnectorPropertiesCustomConnectorParameters struct {
 }
 
 type SourceConnectorPropertiesMarketoObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type SourceConnectorPropertiesMarketoParameters struct {
@@ -786,6 +1163,54 @@ type SourceConnectorPropertiesMarketoParameters struct {
 }
 
 type SourceConnectorPropertiesObservation struct {
+
+	// Information that is required for querying Amplitude. See Generic Source Properties for more details.
+	Amplitude []AmplitudeObservation `json:"amplitude,omitempty" tf:"amplitude,omitempty"`
+
+	// Properties that are required to query the custom Connector. See Custom Connector Destination Properties for more details.
+	CustomConnector []SourceConnectorPropertiesCustomConnectorObservation `json:"customConnector,omitempty" tf:"custom_connector,omitempty"`
+
+	// Information that is required for querying Datadog. See Generic Source Properties for more details.
+	Datadog []DatadogObservation `json:"datadog,omitempty" tf:"datadog,omitempty"`
+
+	// Operation to be performed on the provided Dynatrace source fields. Valid values are PROJECTION, BETWEEN, EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION, SUBTRACTION, MASK_ALL, MASK_FIRST_N, MASK_LAST_N, VALIDATE_NON_NULL, VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE, VALIDATE_NUMERIC, and NO_OP.
+	Dynatrace []DynatraceObservation `json:"dynatrace,omitempty" tf:"dynatrace,omitempty"`
+
+	// Operation to be performed on the provided Google Analytics source fields. Valid values are PROJECTION and BETWEEN.
+	GoogleAnalytics []GoogleAnalyticsObservation `json:"googleAnalytics,omitempty" tf:"google_analytics,omitempty"`
+
+	// Information that is required for querying Infor Nexus. See Generic Source Properties for more details.
+	InforNexus []InforNexusObservation `json:"inforNexus,omitempty" tf:"infor_nexus,omitempty"`
+
+	// Properties that are required to query Marketo. See Generic Destination Properties for more details.
+	Marketo []SourceConnectorPropertiesMarketoObservation `json:"marketo,omitempty" tf:"marketo,omitempty"`
+
+	// Properties that are required to query Amazon S3. See S3 Destination Properties for more details.
+	S3 []SourceConnectorPropertiesS3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
+
+	// Properties that are required to query Salesforce. See Salesforce Destination Properties for more details.
+	Salesforce []SourceConnectorPropertiesSalesforceObservation `json:"salesforce,omitempty" tf:"salesforce,omitempty"`
+
+	// Properties that are required to query SAPOData. See SAPOData Destination Properties for more details.
+	SapoData []SourceConnectorPropertiesSapoDataObservation `json:"sapoData,omitempty" tf:"sapo_data,omitempty"`
+
+	// Information that is required for querying ServiceNow. See Generic Source Properties for more details.
+	ServiceNow []ServiceNowObservation `json:"serviceNow,omitempty" tf:"service_now,omitempty"`
+
+	// Information that is required for querying Singular. See Generic Source Properties for more details.
+	Singular []SingularObservation `json:"singular,omitempty" tf:"singular,omitempty"`
+
+	// Information that is required for querying Slack. See Generic Source Properties for more details.
+	Slack []SlackObservation `json:"slack,omitempty" tf:"slack,omitempty"`
+
+	// Operation to be performed on the provided Trend Micro source fields. Valid values are PROJECTION, EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION, SUBTRACTION, MASK_ALL, MASK_FIRST_N, MASK_LAST_N, VALIDATE_NON_NULL, VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE, VALIDATE_NUMERIC, and NO_OP.
+	Trendmicro []TrendmicroObservation `json:"trendmicro,omitempty" tf:"trendmicro,omitempty"`
+
+	// Information that is required for querying Veeva. See Veeva Source Properties for more details.
+	Veeva []VeevaObservation `json:"veeva,omitempty" tf:"veeva,omitempty"`
+
+	// Properties that are required to query Zendesk. See Zendesk Destination Properties for more details.
+	Zendesk []SourceConnectorPropertiesZendeskObservation `json:"zendesk,omitempty" tf:"zendesk,omitempty"`
 }
 
 type SourceConnectorPropertiesParameters struct {
@@ -856,6 +1281,15 @@ type SourceConnectorPropertiesParameters struct {
 }
 
 type SourceConnectorPropertiesS3Observation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// When you use Amazon S3 as the source, the configuration format that you provide the flow input data. See S3 Input Format Config for details.
+	S3InputFormatConfig []S3InputFormatConfigObservation `json:"s3InputFormatConfig,omitempty" tf:"s3_input_format_config,omitempty"`
 }
 
 type SourceConnectorPropertiesS3Parameters struct {
@@ -884,6 +1318,15 @@ type SourceConnectorPropertiesS3Parameters struct {
 }
 
 type SourceConnectorPropertiesSalesforceObservation struct {
+
+	// Flag that enables dynamic fetching of new (recently added) fields in the Salesforce objects while running a flow.
+	EnableDynamicFieldUpdate *bool `json:"enableDynamicFieldUpdate,omitempty" tf:"enable_dynamic_field_update,omitempty"`
+
+	// Whether Amazon AppFlow includes deleted files in the flow run.
+	IncludeDeletedRecords *bool `json:"includeDeletedRecords,omitempty" tf:"include_deleted_records,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type SourceConnectorPropertiesSalesforceParameters struct {
@@ -902,6 +1345,9 @@ type SourceConnectorPropertiesSalesforceParameters struct {
 }
 
 type SourceConnectorPropertiesSapoDataObservation struct {
+
+	// Object path specified in the SAPOData flow destination.
+	ObjectPath *string `json:"objectPath,omitempty" tf:"object_path,omitempty"`
 }
 
 type SourceConnectorPropertiesSapoDataParameters struct {
@@ -912,6 +1358,9 @@ type SourceConnectorPropertiesSapoDataParameters struct {
 }
 
 type SourceConnectorPropertiesZendeskObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type SourceConnectorPropertiesZendeskParameters struct {
@@ -922,6 +1371,21 @@ type SourceConnectorPropertiesZendeskParameters struct {
 }
 
 type SourceFlowConfigObservation struct {
+
+	// API version that the destination connector uses.
+	APIVersion *string `json:"apiVersion,omitempty" tf:"api_version,omitempty"`
+
+	// Name of the connector profile. This name must be unique for each connector profile in the AWS account.
+	ConnectorProfileName *string `json:"connectorProfileName,omitempty" tf:"connector_profile_name,omitempty"`
+
+	// Type of connector, such as Salesforce, Amplitude, and so on. Valid values are Salesforce, Singular, Slack, Redshift, S3, Marketo, Googleanalytics, Zendesk, Servicenow, Datadog, Trendmicro, Snowflake, Dynatrace, Infornexus, Amplitude, Veeva, EventBridge, LookoutMetrics, Upsolver, Honeycode, CustomerProfiles, SAPOData, and CustomConnector.
+	ConnectorType *string `json:"connectorType,omitempty" tf:"connector_type,omitempty"`
+
+	// Defines the configuration for a scheduled incremental data pull. If a valid configuration is provided, the fields specified in the configuration are used when querying for the incremental data pull. See Incremental Pull Config for more details.
+	IncrementalPullConfig []IncrementalPullConfigObservation `json:"incrementalPullConfig,omitempty" tf:"incremental_pull_config,omitempty"`
+
+	// Information that is required to query a particular source connector. See Source Connector Properties for details.
+	SourceConnectorProperties []SourceConnectorPropertiesObservation `json:"sourceConnectorProperties,omitempty" tf:"source_connector_properties,omitempty"`
 }
 
 type SourceFlowConfigParameters struct {
@@ -948,6 +1412,12 @@ type SourceFlowConfigParameters struct {
 }
 
 type SuccessResponseHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
 }
 
 type SuccessResponseHandlingConfigParameters struct {
@@ -962,6 +1432,21 @@ type SuccessResponseHandlingConfigParameters struct {
 }
 
 type TaskObservation struct {
+
+	// Operation to be performed on the provided source fields. See Connector Operator for details.
+	ConnectorOperator []ConnectorOperatorObservation `json:"connectorOperator,omitempty" tf:"connector_operator,omitempty"`
+
+	// Field in a destination connector, or a field value against which Amazon AppFlow validates a source field.
+	DestinationField *string `json:"destinationField,omitempty" tf:"destination_field,omitempty"`
+
+	// Source fields to which a particular task is applied.
+	SourceFields []*string `json:"sourceFields,omitempty" tf:"source_fields,omitempty"`
+
+	// Map used to store task-related information. The execution service looks for particular information based on the TaskType. Valid keys are VALUE, VALUES, DATA_TYPE, UPPER_BOUND, LOWER_BOUND, SOURCE_DATA_TYPE, DESTINATION_DATA_TYPE, VALIDATION_ACTION, MASK_VALUE, MASK_LENGTH, TRUNCATE_LENGTH, MATH_OPERATION_FIELDS_ORDER, CONCAT_FORMAT, SUBFIELD_CATEGORY_MAP, and EXCLUDE_SOURCE_FIELDS_LIST.
+	TaskProperties map[string]*string `json:"taskProperties,omitempty" tf:"task_properties,omitempty"`
+
+	// Particular task implementation that Amazon AppFlow performs. Valid values are Arithmetic, Filter, Map, Map_all, Mask, Merge, Passthrough, Truncate, and Validate.
+	TaskType *string `json:"taskType,omitempty" tf:"task_type,omitempty"`
 }
 
 type TaskParameters struct {
@@ -988,6 +1473,9 @@ type TaskParameters struct {
 }
 
 type TrendmicroObservation struct {
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type TrendmicroParameters struct {
@@ -998,6 +1486,12 @@ type TrendmicroParameters struct {
 }
 
 type TriggerConfigObservation struct {
+
+	// Configuration details of a schedule-triggered flow as defined by the user. Currently, these settings only apply to the Scheduled trigger type. See Scheduled Trigger Properties for details.
+	TriggerProperties []TriggerPropertiesObservation `json:"triggerProperties,omitempty" tf:"trigger_properties,omitempty"`
+
+	// Type of flow trigger. Valid values are Scheduled, Event, and OnDemand.
+	TriggerType *string `json:"triggerType,omitempty" tf:"trigger_type,omitempty"`
 }
 
 type TriggerConfigParameters struct {
@@ -1012,6 +1506,7 @@ type TriggerConfigParameters struct {
 }
 
 type TriggerPropertiesObservation struct {
+	Scheduled []ScheduledObservation `json:"scheduled,omitempty" tf:"scheduled,omitempty"`
 }
 
 type TriggerPropertiesParameters struct {
@@ -1021,6 +1516,15 @@ type TriggerPropertiesParameters struct {
 }
 
 type UpsolverObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// Configuration that determines how Amazon AppFlow should format the flow output data when Amazon S3 is used as the destination. See S3 Output Format Config for more details.
+	S3OutputFormatConfig []UpsolverS3OutputFormatConfigObservation `json:"s3OutputFormatConfig,omitempty" tf:"s3_output_format_config,omitempty"`
 }
 
 type UpsolverParameters struct {
@@ -1039,6 +1543,15 @@ type UpsolverParameters struct {
 }
 
 type UpsolverS3OutputFormatConfigObservation struct {
+
+	// Aggregation settings that you can use to customize the output format of your flow data. See Aggregation Config for more details.
+	AggregationConfig []S3OutputFormatConfigAggregationConfigObservation `json:"aggregationConfig,omitempty" tf:"aggregation_config,omitempty"`
+
+	// File type that Amazon AppFlow places in the Amazon S3 bucket. Valid values are CSV, JSON, and PARQUET.
+	FileType *string `json:"fileType,omitempty" tf:"file_type,omitempty"`
+
+	// Determines the prefix that Amazon AppFlow applies to the folder name in the Amazon S3 bucket. You can name folders according to the flow frequency and date. See Prefix Config for more details.
+	PrefixConfig []S3OutputFormatConfigPrefixConfigObservation `json:"prefixConfig,omitempty" tf:"prefix_config,omitempty"`
 }
 
 type UpsolverS3OutputFormatConfigParameters struct {
@@ -1057,6 +1570,21 @@ type UpsolverS3OutputFormatConfigParameters struct {
 }
 
 type VeevaObservation struct {
+
+	// Document type specified in the Veeva document extract flow.
+	DocumentType *string `json:"documentType,omitempty" tf:"document_type,omitempty"`
+
+	// Boolean value to include All Versions of files in Veeva document extract flow.
+	IncludeAllVersions *bool `json:"includeAllVersions,omitempty" tf:"include_all_versions,omitempty"`
+
+	// Boolean value to include file renditions in Veeva document extract flow.
+	IncludeRenditions *bool `json:"includeRenditions,omitempty" tf:"include_renditions,omitempty"`
+
+	// Boolean value to include source files in Veeva document extract flow.
+	IncludeSourceFiles *bool `json:"includeSourceFiles,omitempty" tf:"include_source_files,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
 }
 
 type VeevaParameters struct {
@@ -1083,6 +1611,15 @@ type VeevaParameters struct {
 }
 
 type ZendeskErrorHandlingConfigObservation struct {
+
+	// Amazon S3 bucket name in which Amazon AppFlow places the transferred data.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Object key for the bucket in which Amazon AppFlow places the destination files.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// If the flow should fail after the first instance of a failure when attempting to place data in the destination.
+	FailOnFirstDestinationError *bool `json:"failOnFirstDestinationError,omitempty" tf:"fail_on_first_destination_error,omitempty"`
 }
 
 type ZendeskErrorHandlingConfigParameters struct {
@@ -1101,6 +1638,18 @@ type ZendeskErrorHandlingConfigParameters struct {
 }
 
 type ZendeskObservation struct {
+
+	// Settings that determine how Amazon AppFlow handles an error when placing data in the destination. See Error Handling Config for more details.
+	ErrorHandlingConfig []ZendeskErrorHandlingConfigObservation `json:"errorHandlingConfig,omitempty" tf:"error_handling_config,omitempty"`
+
+	// Name of the field that Amazon AppFlow uses as an ID when performing a write operation such as update, delete, or upsert.
+	IDFieldNames []*string `json:"idFieldNames,omitempty" tf:"id_field_names,omitempty"`
+
+	// Object specified in the flow destination.
+	Object *string `json:"object,omitempty" tf:"object,omitempty"`
+
+	// Type of write operation to be performed in the custom connector when it's used as destination. Valid values are INSERT, UPSERT, UPDATE, and DELETE.
+	WriteOperationType *string `json:"writeOperationType,omitempty" tf:"write_operation_type,omitempty"`
 }
 
 type ZendeskParameters struct {
@@ -1146,8 +1695,12 @@ type FlowStatus struct {
 type Flow struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FlowSpec   `json:"spec"`
-	Status            FlowStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationFlowConfig)",message="destinationFlowConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceFlowConfig)",message="sourceFlowConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.task)",message="task is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.triggerConfig)",message="triggerConfig is a required parameter"
+	Spec   FlowSpec   `json:"spec"`
+	Status FlowStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appflow/v1beta1/zz_generated.deepcopy.go b/apis/appflow/v1beta1/zz_generated.deepcopy.go
index 9fdbe9eba6..78f0442f1d 100644
--- a/apis/appflow/v1beta1/zz_generated.deepcopy.go
+++ b/apis/appflow/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AggregationConfigObservation) DeepCopyInto(out *AggregationConfigObservation) {
 	*out = *in
+	if in.AggregationType != nil {
+		in, out := &in.AggregationType, &out.AggregationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AggregationConfigObservation.
@@ -52,6 +57,11 @@ func (in *AggregationConfigParameters) DeepCopy() *AggregationConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AmplitudeObservation) DeepCopyInto(out *AmplitudeObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AmplitudeObservation.
@@ -87,6 +97,86 @@ func (in *AmplitudeParameters) DeepCopy() *AmplitudeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectorOperatorObservation) DeepCopyInto(out *ConnectorOperatorObservation) {
 	*out = *in
+	if in.Amplitude != nil {
+		in, out := &in.Amplitude, &out.Amplitude
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomConnector != nil {
+		in, out := &in.CustomConnector, &out.CustomConnector
+		*out = new(string)
+		**out = **in
+	}
+	if in.Datadog != nil {
+		in, out := &in.Datadog, &out.Datadog
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dynatrace != nil {
+		in, out := &in.Dynatrace, &out.Dynatrace
+		*out = new(string)
+		**out = **in
+	}
+	if in.GoogleAnalytics != nil {
+		in, out := &in.GoogleAnalytics, &out.GoogleAnalytics
+		*out = new(string)
+		**out = **in
+	}
+	if in.InforNexus != nil {
+		in, out := &in.InforNexus, &out.InforNexus
+		*out = new(string)
+		**out = **in
+	}
+	if in.Marketo != nil {
+		in, out := &in.Marketo, &out.Marketo
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = new(string)
+		**out = **in
+	}
+	if in.Salesforce != nil {
+		in, out := &in.Salesforce, &out.Salesforce
+		*out = new(string)
+		**out = **in
+	}
+	if in.SapoData != nil {
+		in, out := &in.SapoData, &out.SapoData
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceNow != nil {
+		in, out := &in.ServiceNow, &out.ServiceNow
+		*out = new(string)
+		**out = **in
+	}
+	if in.Singular != nil {
+		in, out := &in.Singular, &out.Singular
+		*out = new(string)
+		**out = **in
+	}
+	if in.Slack != nil {
+		in, out := &in.Slack, &out.Slack
+		*out = new(string)
+		**out = **in
+	}
+	if in.Trendmicro != nil {
+		in, out := &in.Trendmicro, &out.Trendmicro
+		*out = new(string)
+		**out = **in
+	}
+	if in.Veeva != nil {
+		in, out := &in.Veeva, &out.Veeva
+		*out = new(string)
+		**out = **in
+	}
+	if in.Zendesk != nil {
+		in, out := &in.Zendesk, &out.Zendesk
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectorOperatorObservation.
@@ -197,6 +287,49 @@ func (in *ConnectorOperatorParameters) DeepCopy() *ConnectorOperatorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomConnectorObservation) DeepCopyInto(out *CustomConnectorObservation) {
 	*out = *in
+	if in.CustomProperties != nil {
+		in, out := &in.CustomProperties, &out.CustomProperties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.EntityName != nil {
+		in, out := &in.EntityName, &out.EntityName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]ErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IDFieldNames != nil {
+		in, out := &in.IDFieldNames, &out.IDFieldNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.WriteOperationType != nil {
+		in, out := &in.WriteOperationType, &out.WriteOperationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomConnectorObservation.
@@ -270,6 +403,16 @@ func (in *CustomConnectorParameters) DeepCopy() *CustomConnectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomerProfilesObservation) DeepCopyInto(out *CustomerProfilesObservation) {
 	*out = *in
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectTypeName != nil {
+		in, out := &in.ObjectTypeName, &out.ObjectTypeName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomerProfilesObservation.
@@ -310,6 +453,11 @@ func (in *CustomerProfilesParameters) DeepCopy() *CustomerProfilesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DatadogObservation) DeepCopyInto(out *DatadogObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DatadogObservation.
@@ -345,6 +493,95 @@ func (in *DatadogParameters) DeepCopy() *DatadogParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationConnectorPropertiesObservation) DeepCopyInto(out *DestinationConnectorPropertiesObservation) {
 	*out = *in
+	if in.CustomConnector != nil {
+		in, out := &in.CustomConnector, &out.CustomConnector
+		*out = make([]CustomConnectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomerProfiles != nil {
+		in, out := &in.CustomerProfiles, &out.CustomerProfiles
+		*out = make([]CustomerProfilesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventBridge != nil {
+		in, out := &in.EventBridge, &out.EventBridge
+		*out = make([]EventBridgeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Honeycode != nil {
+		in, out := &in.Honeycode, &out.Honeycode
+		*out = make([]HoneycodeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LookoutMetrics != nil {
+		in, out := &in.LookoutMetrics, &out.LookoutMetrics
+		*out = make([]LookoutMetricsParameters, len(*in))
+		copy(*out, *in)
+	}
+	if in.Marketo != nil {
+		in, out := &in.Marketo, &out.Marketo
+		*out = make([]MarketoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Redshift != nil {
+		in, out := &in.Redshift, &out.Redshift
+		*out = make([]RedshiftObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]S3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Salesforce != nil {
+		in, out := &in.Salesforce, &out.Salesforce
+		*out = make([]SalesforceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SapoData != nil {
+		in, out := &in.SapoData, &out.SapoData
+		*out = make([]SapoDataObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Snowflake != nil {
+		in, out := &in.Snowflake, &out.Snowflake
+		*out = make([]SnowflakeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Upsolver != nil {
+		in, out := &in.Upsolver, &out.Upsolver
+		*out = make([]UpsolverObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Zendesk != nil {
+		in, out := &in.Zendesk, &out.Zendesk
+		*out = make([]ZendeskObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationConnectorPropertiesObservation.
@@ -464,6 +701,28 @@ func (in *DestinationConnectorPropertiesParameters) DeepCopy() *DestinationConne
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationFlowConfigObservation) DeepCopyInto(out *DestinationFlowConfigObservation) {
 	*out = *in
+	if in.APIVersion != nil {
+		in, out := &in.APIVersion, &out.APIVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectorProfileName != nil {
+		in, out := &in.ConnectorProfileName, &out.ConnectorProfileName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectorType != nil {
+		in, out := &in.ConnectorType, &out.ConnectorType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationConnectorProperties != nil {
+		in, out := &in.DestinationConnectorProperties, &out.DestinationConnectorProperties
+		*out = make([]DestinationConnectorPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationFlowConfigObservation.
@@ -516,6 +775,11 @@ func (in *DestinationFlowConfigParameters) DeepCopy() *DestinationFlowConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DynatraceObservation) DeepCopyInto(out *DynatraceObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynatraceObservation.
@@ -551,12 +815,27 @@ func (in *DynatraceParameters) DeepCopy() *DynatraceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorHandlingConfigObservation) DeepCopyInto(out *ErrorHandlingConfigObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorHandlingConfigObservation.
-func (in *ErrorHandlingConfigObservation) DeepCopy() *ErrorHandlingConfigObservation {
-	if in == nil {
-		return nil
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorHandlingConfigObservation.
+func (in *ErrorHandlingConfigObservation) DeepCopy() *ErrorHandlingConfigObservation {
+	if in == nil {
+		return nil
 	}
 	out := new(ErrorHandlingConfigObservation)
 	in.DeepCopyInto(out)
@@ -596,6 +875,21 @@ func (in *ErrorHandlingConfigParameters) DeepCopy() *ErrorHandlingConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventBridgeErrorHandlingConfigObservation) DeepCopyInto(out *EventBridgeErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventBridgeErrorHandlingConfigObservation.
@@ -641,6 +935,18 @@ func (in *EventBridgeErrorHandlingConfigParameters) DeepCopy() *EventBridgeError
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventBridgeObservation) DeepCopyInto(out *EventBridgeObservation) {
 	*out = *in
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]EventBridgeErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventBridgeObservation.
@@ -747,11 +1053,50 @@ func (in *FlowObservation) DeepCopyInto(out *FlowObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationFlowConfig != nil {
+		in, out := &in.DestinationFlowConfig, &out.DestinationFlowConfig
+		*out = make([]DestinationFlowConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSArn != nil {
+		in, out := &in.KMSArn, &out.KMSArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFlowConfig != nil {
+		in, out := &in.SourceFlowConfig, &out.SourceFlowConfig
+		*out = make([]SourceFlowConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -767,6 +1112,20 @@ func (in *FlowObservation) DeepCopyInto(out *FlowObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Task != nil {
+		in, out := &in.Task, &out.Task
+		*out = make([]TaskObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TriggerConfig != nil {
+		in, out := &in.TriggerConfig, &out.TriggerConfig
+		*out = make([]TriggerConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlowObservation.
@@ -889,6 +1248,11 @@ func (in *FlowStatus) DeepCopy() *FlowStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GoogleAnalyticsObservation) DeepCopyInto(out *GoogleAnalyticsObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GoogleAnalyticsObservation.
@@ -924,6 +1288,21 @@ func (in *GoogleAnalyticsParameters) DeepCopy() *GoogleAnalyticsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HoneycodeErrorHandlingConfigObservation) DeepCopyInto(out *HoneycodeErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HoneycodeErrorHandlingConfigObservation.
@@ -969,6 +1348,18 @@ func (in *HoneycodeErrorHandlingConfigParameters) DeepCopy() *HoneycodeErrorHand
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HoneycodeObservation) DeepCopyInto(out *HoneycodeObservation) {
 	*out = *in
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]HoneycodeErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HoneycodeObservation.
@@ -1011,6 +1402,11 @@ func (in *HoneycodeParameters) DeepCopy() *HoneycodeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IncrementalPullConfigObservation) DeepCopyInto(out *IncrementalPullConfigObservation) {
 	*out = *in
+	if in.DatetimeTypeFieldName != nil {
+		in, out := &in.DatetimeTypeFieldName, &out.DatetimeTypeFieldName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IncrementalPullConfigObservation.
@@ -1046,6 +1442,11 @@ func (in *IncrementalPullConfigParameters) DeepCopy() *IncrementalPullConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InforNexusObservation) DeepCopyInto(out *InforNexusObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InforNexusObservation.
@@ -1111,6 +1512,21 @@ func (in *LookoutMetricsParameters) DeepCopy() *LookoutMetricsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MarketoErrorHandlingConfigObservation) DeepCopyInto(out *MarketoErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MarketoErrorHandlingConfigObservation.
@@ -1156,6 +1572,18 @@ func (in *MarketoErrorHandlingConfigParameters) DeepCopy() *MarketoErrorHandling
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MarketoObservation) DeepCopyInto(out *MarketoObservation) {
 	*out = *in
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]MarketoErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MarketoObservation.
@@ -1198,6 +1626,16 @@ func (in *MarketoParameters) DeepCopy() *MarketoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrefixConfigObservation) DeepCopyInto(out *PrefixConfigObservation) {
 	*out = *in
+	if in.PrefixFormat != nil {
+		in, out := &in.PrefixFormat, &out.PrefixFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrefixType != nil {
+		in, out := &in.PrefixType, &out.PrefixType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixConfigObservation.
@@ -1238,6 +1676,21 @@ func (in *PrefixConfigParameters) DeepCopy() *PrefixConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftErrorHandlingConfigObservation) DeepCopyInto(out *RedshiftErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftErrorHandlingConfigObservation.
@@ -1283,6 +1736,28 @@ func (in *RedshiftErrorHandlingConfigParameters) DeepCopy() *RedshiftErrorHandli
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftObservation) DeepCopyInto(out *RedshiftObservation) {
 	*out = *in
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]RedshiftErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IntermediateBucketName != nil {
+		in, out := &in.IntermediateBucketName, &out.IntermediateBucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftObservation.
@@ -1335,6 +1810,11 @@ func (in *RedshiftParameters) DeepCopy() *RedshiftParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3InputFormatConfigObservation) DeepCopyInto(out *S3InputFormatConfigObservation) {
 	*out = *in
+	if in.S3InputFileType != nil {
+		in, out := &in.S3InputFileType, &out.S3InputFileType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3InputFormatConfigObservation.
@@ -1370,6 +1850,23 @@ func (in *S3InputFormatConfigParameters) DeepCopy() *S3InputFormatConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3Observation) DeepCopyInto(out *S3Observation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3OutputFormatConfig != nil {
+		in, out := &in.S3OutputFormatConfig, &out.S3OutputFormatConfig
+		*out = make([]S3OutputFormatConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Observation.
@@ -1385,6 +1882,11 @@ func (in *S3Observation) DeepCopy() *S3Observation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3OutputFormatConfigAggregationConfigObservation) DeepCopyInto(out *S3OutputFormatConfigAggregationConfigObservation) {
 	*out = *in
+	if in.AggregationType != nil {
+		in, out := &in.AggregationType, &out.AggregationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3OutputFormatConfigAggregationConfigObservation.
@@ -1420,6 +1922,25 @@ func (in *S3OutputFormatConfigAggregationConfigParameters) DeepCopy() *S3OutputF
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3OutputFormatConfigObservation) DeepCopyInto(out *S3OutputFormatConfigObservation) {
 	*out = *in
+	if in.AggregationConfig != nil {
+		in, out := &in.AggregationConfig, &out.AggregationConfig
+		*out = make([]AggregationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FileType != nil {
+		in, out := &in.FileType, &out.FileType
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrefixConfig != nil {
+		in, out := &in.PrefixConfig, &out.PrefixConfig
+		*out = make([]PrefixConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3OutputFormatConfigObservation.
@@ -1469,10 +1990,20 @@ func (in *S3OutputFormatConfigParameters) DeepCopy() *S3OutputFormatConfigParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3OutputFormatConfigPrefixConfigObservation) DeepCopyInto(out *S3OutputFormatConfigPrefixConfigObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3OutputFormatConfigPrefixConfigObservation.
-func (in *S3OutputFormatConfigPrefixConfigObservation) DeepCopy() *S3OutputFormatConfigPrefixConfigObservation {
+	if in.PrefixFormat != nil {
+		in, out := &in.PrefixFormat, &out.PrefixFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrefixType != nil {
+		in, out := &in.PrefixType, &out.PrefixType
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3OutputFormatConfigPrefixConfigObservation.
+func (in *S3OutputFormatConfigPrefixConfigObservation) DeepCopy() *S3OutputFormatConfigPrefixConfigObservation {
 	if in == nil {
 		return nil
 	}
@@ -1551,6 +2082,21 @@ func (in *S3Parameters) DeepCopy() *S3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SalesforceErrorHandlingConfigObservation) DeepCopyInto(out *SalesforceErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SalesforceErrorHandlingConfigObservation.
@@ -1596,6 +2142,34 @@ func (in *SalesforceErrorHandlingConfigParameters) DeepCopy() *SalesforceErrorHa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SalesforceObservation) DeepCopyInto(out *SalesforceObservation) {
 	*out = *in
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]SalesforceErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IDFieldNames != nil {
+		in, out := &in.IDFieldNames, &out.IDFieldNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
+	if in.WriteOperationType != nil {
+		in, out := &in.WriteOperationType, &out.WriteOperationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SalesforceObservation.
@@ -1654,6 +2228,21 @@ func (in *SalesforceParameters) DeepCopy() *SalesforceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SapoDataErrorHandlingConfigObservation) DeepCopyInto(out *SapoDataErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SapoDataErrorHandlingConfigObservation.
@@ -1699,6 +2288,41 @@ func (in *SapoDataErrorHandlingConfigParameters) DeepCopy() *SapoDataErrorHandli
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SapoDataObservation) DeepCopyInto(out *SapoDataObservation) {
 	*out = *in
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]SapoDataErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IDFieldNames != nil {
+		in, out := &in.IDFieldNames, &out.IDFieldNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ObjectPath != nil {
+		in, out := &in.ObjectPath, &out.ObjectPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.SuccessResponseHandlingConfig != nil {
+		in, out := &in.SuccessResponseHandlingConfig, &out.SuccessResponseHandlingConfig
+		*out = make([]SuccessResponseHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WriteOperationType != nil {
+		in, out := &in.WriteOperationType, &out.WriteOperationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SapoDataObservation.
@@ -1764,6 +2388,41 @@ func (in *SapoDataParameters) DeepCopy() *SapoDataParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduledObservation) DeepCopyInto(out *ScheduledObservation) {
 	*out = *in
+	if in.DataPullMode != nil {
+		in, out := &in.DataPullMode, &out.DataPullMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.FirstExecutionFrom != nil {
+		in, out := &in.FirstExecutionFrom, &out.FirstExecutionFrom
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleEndTime != nil {
+		in, out := &in.ScheduleEndTime, &out.ScheduleEndTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleExpression != nil {
+		in, out := &in.ScheduleExpression, &out.ScheduleExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleOffset != nil {
+		in, out := &in.ScheduleOffset, &out.ScheduleOffset
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ScheduleStartTime != nil {
+		in, out := &in.ScheduleStartTime, &out.ScheduleStartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timezone != nil {
+		in, out := &in.Timezone, &out.Timezone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduledObservation.
@@ -1829,6 +2488,11 @@ func (in *ScheduledParameters) DeepCopy() *ScheduledParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceNowObservation) DeepCopyInto(out *ServiceNowObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceNowObservation.
@@ -1864,6 +2528,11 @@ func (in *ServiceNowParameters) DeepCopy() *ServiceNowParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SingularObservation) DeepCopyInto(out *SingularObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SingularObservation.
@@ -1899,6 +2568,11 @@ func (in *SingularParameters) DeepCopy() *SingularParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SlackObservation) DeepCopyInto(out *SlackObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SlackObservation.
@@ -1934,6 +2608,21 @@ func (in *SlackParameters) DeepCopy() *SlackParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnowflakeErrorHandlingConfigObservation) DeepCopyInto(out *SnowflakeErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnowflakeErrorHandlingConfigObservation.
@@ -1979,6 +2668,28 @@ func (in *SnowflakeErrorHandlingConfigParameters) DeepCopy() *SnowflakeErrorHand
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnowflakeObservation) DeepCopyInto(out *SnowflakeObservation) {
 	*out = *in
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]SnowflakeErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IntermediateBucketName != nil {
+		in, out := &in.IntermediateBucketName, &out.IntermediateBucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnowflakeObservation.
@@ -2031,6 +2742,26 @@ func (in *SnowflakeParameters) DeepCopy() *SnowflakeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceConnectorPropertiesCustomConnectorObservation) DeepCopyInto(out *SourceConnectorPropertiesCustomConnectorObservation) {
 	*out = *in
+	if in.CustomProperties != nil {
+		in, out := &in.CustomProperties, &out.CustomProperties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.EntityName != nil {
+		in, out := &in.EntityName, &out.EntityName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConnectorPropertiesCustomConnectorObservation.
@@ -2081,6 +2812,11 @@ func (in *SourceConnectorPropertiesCustomConnectorParameters) DeepCopy() *Source
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceConnectorPropertiesMarketoObservation) DeepCopyInto(out *SourceConnectorPropertiesMarketoObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConnectorPropertiesMarketoObservation.
@@ -2108,14 +2844,126 @@ func (in *SourceConnectorPropertiesMarketoParameters) DeepCopy() *SourceConnecto
 	if in == nil {
 		return nil
 	}
-	out := new(SourceConnectorPropertiesMarketoParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SourceConnectorPropertiesObservation) DeepCopyInto(out *SourceConnectorPropertiesObservation) {
-	*out = *in
+	out := new(SourceConnectorPropertiesMarketoParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SourceConnectorPropertiesObservation) DeepCopyInto(out *SourceConnectorPropertiesObservation) {
+	*out = *in
+	if in.Amplitude != nil {
+		in, out := &in.Amplitude, &out.Amplitude
+		*out = make([]AmplitudeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConnector != nil {
+		in, out := &in.CustomConnector, &out.CustomConnector
+		*out = make([]SourceConnectorPropertiesCustomConnectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Datadog != nil {
+		in, out := &in.Datadog, &out.Datadog
+		*out = make([]DatadogObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Dynatrace != nil {
+		in, out := &in.Dynatrace, &out.Dynatrace
+		*out = make([]DynatraceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GoogleAnalytics != nil {
+		in, out := &in.GoogleAnalytics, &out.GoogleAnalytics
+		*out = make([]GoogleAnalyticsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InforNexus != nil {
+		in, out := &in.InforNexus, &out.InforNexus
+		*out = make([]InforNexusObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Marketo != nil {
+		in, out := &in.Marketo, &out.Marketo
+		*out = make([]SourceConnectorPropertiesMarketoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]SourceConnectorPropertiesS3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Salesforce != nil {
+		in, out := &in.Salesforce, &out.Salesforce
+		*out = make([]SourceConnectorPropertiesSalesforceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SapoData != nil {
+		in, out := &in.SapoData, &out.SapoData
+		*out = make([]SourceConnectorPropertiesSapoDataObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServiceNow != nil {
+		in, out := &in.ServiceNow, &out.ServiceNow
+		*out = make([]ServiceNowObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Singular != nil {
+		in, out := &in.Singular, &out.Singular
+		*out = make([]SingularObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Slack != nil {
+		in, out := &in.Slack, &out.Slack
+		*out = make([]SlackObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Trendmicro != nil {
+		in, out := &in.Trendmicro, &out.Trendmicro
+		*out = make([]TrendmicroObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Veeva != nil {
+		in, out := &in.Veeva, &out.Veeva
+		*out = make([]VeevaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Zendesk != nil {
+		in, out := &in.Zendesk, &out.Zendesk
+		*out = make([]SourceConnectorPropertiesZendeskObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConnectorPropertiesObservation.
@@ -2258,6 +3106,23 @@ func (in *SourceConnectorPropertiesParameters) DeepCopy() *SourceConnectorProper
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceConnectorPropertiesS3Observation) DeepCopyInto(out *SourceConnectorPropertiesS3Observation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3InputFormatConfig != nil {
+		in, out := &in.S3InputFormatConfig, &out.S3InputFormatConfig
+		*out = make([]S3InputFormatConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConnectorPropertiesS3Observation.
@@ -2315,6 +3180,21 @@ func (in *SourceConnectorPropertiesS3Parameters) DeepCopy() *SourceConnectorProp
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceConnectorPropertiesSalesforceObservation) DeepCopyInto(out *SourceConnectorPropertiesSalesforceObservation) {
 	*out = *in
+	if in.EnableDynamicFieldUpdate != nil {
+		in, out := &in.EnableDynamicFieldUpdate, &out.EnableDynamicFieldUpdate
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeDeletedRecords != nil {
+		in, out := &in.IncludeDeletedRecords, &out.IncludeDeletedRecords
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConnectorPropertiesSalesforceObservation.
@@ -2360,6 +3240,11 @@ func (in *SourceConnectorPropertiesSalesforceParameters) DeepCopy() *SourceConne
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceConnectorPropertiesSapoDataObservation) DeepCopyInto(out *SourceConnectorPropertiesSapoDataObservation) {
 	*out = *in
+	if in.ObjectPath != nil {
+		in, out := &in.ObjectPath, &out.ObjectPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConnectorPropertiesSapoDataObservation.
@@ -2395,6 +3280,11 @@ func (in *SourceConnectorPropertiesSapoDataParameters) DeepCopy() *SourceConnect
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceConnectorPropertiesZendeskObservation) DeepCopyInto(out *SourceConnectorPropertiesZendeskObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConnectorPropertiesZendeskObservation.
@@ -2430,6 +3320,35 @@ func (in *SourceConnectorPropertiesZendeskParameters) DeepCopy() *SourceConnecto
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceFlowConfigObservation) DeepCopyInto(out *SourceFlowConfigObservation) {
 	*out = *in
+	if in.APIVersion != nil {
+		in, out := &in.APIVersion, &out.APIVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectorProfileName != nil {
+		in, out := &in.ConnectorProfileName, &out.ConnectorProfileName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectorType != nil {
+		in, out := &in.ConnectorType, &out.ConnectorType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncrementalPullConfig != nil {
+		in, out := &in.IncrementalPullConfig, &out.IncrementalPullConfig
+		*out = make([]IncrementalPullConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceConnectorProperties != nil {
+		in, out := &in.SourceConnectorProperties, &out.SourceConnectorProperties
+		*out = make([]SourceConnectorPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceFlowConfigObservation.
@@ -2489,6 +3408,16 @@ func (in *SourceFlowConfigParameters) DeepCopy() *SourceFlowConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SuccessResponseHandlingConfigObservation) DeepCopyInto(out *SuccessResponseHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SuccessResponseHandlingConfigObservation.
@@ -2529,6 +3458,49 @@ func (in *SuccessResponseHandlingConfigParameters) DeepCopy() *SuccessResponseHa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TaskObservation) DeepCopyInto(out *TaskObservation) {
 	*out = *in
+	if in.ConnectorOperator != nil {
+		in, out := &in.ConnectorOperator, &out.ConnectorOperator
+		*out = make([]ConnectorOperatorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DestinationField != nil {
+		in, out := &in.DestinationField, &out.DestinationField
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFields != nil {
+		in, out := &in.SourceFields, &out.SourceFields
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TaskProperties != nil {
+		in, out := &in.TaskProperties, &out.TaskProperties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TaskType != nil {
+		in, out := &in.TaskType, &out.TaskType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TaskObservation.
@@ -2602,6 +3574,11 @@ func (in *TaskParameters) DeepCopy() *TaskParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrendmicroObservation) DeepCopyInto(out *TrendmicroObservation) {
 	*out = *in
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrendmicroObservation.
@@ -2637,6 +3614,18 @@ func (in *TrendmicroParameters) DeepCopy() *TrendmicroParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TriggerConfigObservation) DeepCopyInto(out *TriggerConfigObservation) {
 	*out = *in
+	if in.TriggerProperties != nil {
+		in, out := &in.TriggerProperties, &out.TriggerProperties
+		*out = make([]TriggerPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TriggerType != nil {
+		in, out := &in.TriggerType, &out.TriggerType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TriggerConfigObservation.
@@ -2679,6 +3668,13 @@ func (in *TriggerConfigParameters) DeepCopy() *TriggerConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TriggerPropertiesObservation) DeepCopyInto(out *TriggerPropertiesObservation) {
 	*out = *in
+	if in.Scheduled != nil {
+		in, out := &in.Scheduled, &out.Scheduled
+		*out = make([]ScheduledObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TriggerPropertiesObservation.
@@ -2716,6 +3712,23 @@ func (in *TriggerPropertiesParameters) DeepCopy() *TriggerPropertiesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UpsolverObservation) DeepCopyInto(out *UpsolverObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3OutputFormatConfig != nil {
+		in, out := &in.S3OutputFormatConfig, &out.S3OutputFormatConfig
+		*out = make([]UpsolverS3OutputFormatConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpsolverObservation.
@@ -2763,6 +3776,25 @@ func (in *UpsolverParameters) DeepCopy() *UpsolverParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UpsolverS3OutputFormatConfigObservation) DeepCopyInto(out *UpsolverS3OutputFormatConfigObservation) {
 	*out = *in
+	if in.AggregationConfig != nil {
+		in, out := &in.AggregationConfig, &out.AggregationConfig
+		*out = make([]S3OutputFormatConfigAggregationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FileType != nil {
+		in, out := &in.FileType, &out.FileType
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrefixConfig != nil {
+		in, out := &in.PrefixConfig, &out.PrefixConfig
+		*out = make([]S3OutputFormatConfigPrefixConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpsolverS3OutputFormatConfigObservation.
@@ -2812,6 +3844,31 @@ func (in *UpsolverS3OutputFormatConfigParameters) DeepCopy() *UpsolverS3OutputFo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VeevaObservation) DeepCopyInto(out *VeevaObservation) {
 	*out = *in
+	if in.DocumentType != nil {
+		in, out := &in.DocumentType, &out.DocumentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncludeAllVersions != nil {
+		in, out := &in.IncludeAllVersions, &out.IncludeAllVersions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeRenditions != nil {
+		in, out := &in.IncludeRenditions, &out.IncludeRenditions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeSourceFiles != nil {
+		in, out := &in.IncludeSourceFiles, &out.IncludeSourceFiles
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VeevaObservation.
@@ -2867,6 +3924,21 @@ func (in *VeevaParameters) DeepCopy() *VeevaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ZendeskErrorHandlingConfigObservation) DeepCopyInto(out *ZendeskErrorHandlingConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailOnFirstDestinationError != nil {
+		in, out := &in.FailOnFirstDestinationError, &out.FailOnFirstDestinationError
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZendeskErrorHandlingConfigObservation.
@@ -2912,6 +3984,34 @@ func (in *ZendeskErrorHandlingConfigParameters) DeepCopy() *ZendeskErrorHandling
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ZendeskObservation) DeepCopyInto(out *ZendeskObservation) {
 	*out = *in
+	if in.ErrorHandlingConfig != nil {
+		in, out := &in.ErrorHandlingConfig, &out.ErrorHandlingConfig
+		*out = make([]ZendeskErrorHandlingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IDFieldNames != nil {
+		in, out := &in.IDFieldNames, &out.IDFieldNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Object != nil {
+		in, out := &in.Object, &out.Object
+		*out = new(string)
+		**out = **in
+	}
+	if in.WriteOperationType != nil {
+		in, out := &in.WriteOperationType, &out.WriteOperationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZendeskObservation.
diff --git a/apis/appintegrations/v1beta1/zz_eventintegration_types.go b/apis/appintegrations/v1beta1/zz_eventintegration_types.go
index 7636c9ed06..def3564933 100755
--- a/apis/appintegrations/v1beta1/zz_eventintegration_types.go
+++ b/apis/appintegrations/v1beta1/zz_eventintegration_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type EventFilterObservation struct {
+
+	// Source of the events.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
 }
 
 type EventFilterParameters struct {
@@ -28,9 +31,21 @@ type EventIntegrationObservation struct {
 	// ARN of the Event Integration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the Event Integration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Block that defines the configuration information for the event filter. The Event Filter block is documented below.
+	EventFilter []EventFilterObservation `json:"eventFilter,omitempty" tf:"event_filter,omitempty"`
+
+	// EventBridge bus.
+	EventbridgeBus *string `json:"eventbridgeBus,omitempty" tf:"eventbridge_bus,omitempty"`
+
 	// Identifier of the Event Integration which is the name of the Event Integration.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -42,12 +57,12 @@ type EventIntegrationParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Block that defines the configuration information for the event filter. The Event Filter block is documented below.
-	// +kubebuilder:validation:Required
-	EventFilter []EventFilterParameters `json:"eventFilter" tf:"event_filter,omitempty"`
+	// +kubebuilder:validation:Optional
+	EventFilter []EventFilterParameters `json:"eventFilter,omitempty" tf:"event_filter,omitempty"`
 
 	// EventBridge bus.
-	// +kubebuilder:validation:Required
-	EventbridgeBus *string `json:"eventbridgeBus" tf:"eventbridge_bus,omitempty"`
+	// +kubebuilder:validation:Optional
+	EventbridgeBus *string `json:"eventbridgeBus,omitempty" tf:"eventbridge_bus,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,8 +98,10 @@ type EventIntegrationStatus struct {
 type EventIntegration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EventIntegrationSpec   `json:"spec"`
-	Status            EventIntegrationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventFilter)",message="eventFilter is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventbridgeBus)",message="eventbridgeBus is a required parameter"
+	Spec   EventIntegrationSpec   `json:"spec"`
+	Status EventIntegrationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appintegrations/v1beta1/zz_generated.deepcopy.go b/apis/appintegrations/v1beta1/zz_generated.deepcopy.go
index c4c215348c..9f1ebfc150 100644
--- a/apis/appintegrations/v1beta1/zz_generated.deepcopy.go
+++ b/apis/appintegrations/v1beta1/zz_generated.deepcopy.go
@@ -16,6 +16,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventFilterObservation) DeepCopyInto(out *EventFilterObservation) {
 	*out = *in
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventFilterObservation.
@@ -115,11 +120,43 @@ func (in *EventIntegrationObservation) DeepCopyInto(out *EventIntegrationObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventFilter != nil {
+		in, out := &in.EventFilter, &out.EventFilter
+		*out = make([]EventFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventbridgeBus != nil {
+		in, out := &in.EventbridgeBus, &out.EventbridgeBus
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/applicationinsights/v1beta1/zz_application_types.go b/apis/applicationinsights/v1beta1/zz_application_types.go
index e9cb650003..389d0c8a0c 100755
--- a/apis/applicationinsights/v1beta1/zz_application_types.go
+++ b/apis/applicationinsights/v1beta1/zz_application_types.go
@@ -18,9 +18,30 @@ type ApplicationObservation struct {
 	// ARN of the Application.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Indicates whether Application Insights automatically configures unmonitored resources in the resource group.
+	AutoConfigEnabled *bool `json:"autoConfigEnabled,omitempty" tf:"auto_config_enabled,omitempty"`
+
+	// Configures all of the resources in the resource group by applying the recommended configurations.
+	AutoCreate *bool `json:"autoCreate,omitempty" tf:"auto_create,omitempty"`
+
+	// Indicates whether Application Insights can listen to CloudWatch events for the application resources, such as instance terminated, failed deployment, and others.
+	CweMonitorEnabled *bool `json:"cweMonitorEnabled,omitempty" tf:"cwe_monitor_enabled,omitempty"`
+
+	// Application Insights can create applications based on a resource group or on an account. To create an account-based application using all of the resources in the account, set this parameter to ACCOUNT_BASED.
+	GroupingType *string `json:"groupingType,omitempty" tf:"grouping_type,omitempty"`
+
 	// Name of the resource group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// When set to true, creates opsItems for any problems detected on an application.
+	OpsCenterEnabled *bool `json:"opsCenterEnabled,omitempty" tf:"ops_center_enabled,omitempty"`
+
+	// SNS topic provided to Application Insights that is associated to the created opsItem. Allows you to receive notifications for updates to the opsItem.
+	OpsItemSnsTopicArn *string `json:"opsItemSnsTopicArn,omitempty" tf:"ops_item_sns_topic_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/applicationinsights/v1beta1/zz_generated.deepcopy.go b/apis/applicationinsights/v1beta1/zz_generated.deepcopy.go
index 089a8d5270..f26cc2d70a 100644
--- a/apis/applicationinsights/v1beta1/zz_generated.deepcopy.go
+++ b/apis/applicationinsights/v1beta1/zz_generated.deepcopy.go
@@ -80,11 +80,56 @@ func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoConfigEnabled != nil {
+		in, out := &in.AutoConfigEnabled, &out.AutoConfigEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoCreate != nil {
+		in, out := &in.AutoCreate, &out.AutoCreate
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CweMonitorEnabled != nil {
+		in, out := &in.CweMonitorEnabled, &out.CweMonitorEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.GroupingType != nil {
+		in, out := &in.GroupingType, &out.GroupingType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OpsCenterEnabled != nil {
+		in, out := &in.OpsCenterEnabled, &out.OpsCenterEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.OpsItemSnsTopicArn != nil {
+		in, out := &in.OpsItemSnsTopicArn, &out.OpsItemSnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/appmesh/v1beta1/zz_gatewayroute_types.go b/apis/appmesh/v1beta1/zz_gatewayroute_types.go
index fa61feb0e2..9ed6340a47 100755
--- a/apis/appmesh/v1beta1/zz_gatewayroute_types.go
+++ b/apis/appmesh/v1beta1/zz_gatewayroute_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ActionObservation struct {
+
+	// Target that traffic is routed to when a request matches the gateway route.
+	Target []TargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type ActionParameters struct {
@@ -24,6 +27,12 @@ type ActionParameters struct {
 }
 
 type ActionRewriteObservation struct {
+
+	// Host name to rewrite.
+	Hostname []RewriteHostnameObservation `json:"hostname,omitempty" tf:"hostname,omitempty"`
+
+	// Specified beginning characters to rewrite.
+	Prefix []RewritePrefixObservation `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type ActionRewriteParameters struct {
@@ -38,6 +47,9 @@ type ActionRewriteParameters struct {
 }
 
 type ActionTargetObservation struct {
+
+	// Virtual service gateway route target.
+	VirtualService []TargetVirtualServiceObservation `json:"virtualService,omitempty" tf:"virtual_service,omitempty"`
 }
 
 type ActionTargetParameters struct {
@@ -48,6 +60,9 @@ type ActionTargetParameters struct {
 }
 
 type ActionTargetVirtualServiceObservation struct {
+
+	// Name of the virtual service that traffic is routed to. Must be between 1 and 255 characters in length.
+	VirtualServiceName *string `json:"virtualServiceName,omitempty" tf:"virtual_service_name,omitempty"`
 }
 
 type ActionTargetVirtualServiceParameters struct {
@@ -68,6 +83,12 @@ type ActionTargetVirtualServiceParameters struct {
 }
 
 type GRPCRouteObservation struct {
+
+	// Action to take if a match is determined.
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Criteria for determining a request match.
+	Match []MatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type GRPCRouteParameters struct {
@@ -95,26 +116,44 @@ type GatewayRouteObservation struct {
 	// Last update date of the gateway route.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Name of the service mesh in which to create the gateway route. Must be between 1 and 255 characters in length.
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
+
+	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
+	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
+
+	// Name to use for the gateway route. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Resource owner's AWS account ID.
 	ResourceOwner *string `json:"resourceOwner,omitempty" tf:"resource_owner,omitempty"`
 
+	// Gateway route specification to apply.
+	Spec []SpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Name of the virtual gateway to associate the gateway route with. Must be between 1 and 255 characters in length.
+	VirtualGatewayName *string `json:"virtualGatewayName,omitempty" tf:"virtual_gateway_name,omitempty"`
 }
 
 type GatewayRouteParameters struct {
 
 	// Name of the service mesh in which to create the gateway route. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	MeshName *string `json:"meshName" tf:"mesh_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
 
 	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
 	// +kubebuilder:validation:Optional
 	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
 
 	// Name to use for the gateway route. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -122,8 +161,8 @@ type GatewayRouteParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Gateway route specification to apply.
-	// +kubebuilder:validation:Required
-	Spec []SpecParameters `json:"spec" tf:"spec,omitempty"`
+	// +kubebuilder:validation:Optional
+	Spec []SpecParameters `json:"spec,omitempty" tf:"spec,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -145,6 +184,12 @@ type GatewayRouteParameters struct {
 }
 
 type HTTPRouteActionObservation struct {
+
+	// Gateway route action to rewrite.
+	Rewrite []ActionRewriteObservation `json:"rewrite,omitempty" tf:"rewrite,omitempty"`
+
+	// Target that traffic is routed to when a request matches the gateway route.
+	Target []HTTPRouteActionTargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type HTTPRouteActionParameters struct {
@@ -159,6 +204,9 @@ type HTTPRouteActionParameters struct {
 }
 
 type HTTPRouteActionTargetObservation struct {
+
+	// Virtual service gateway route target.
+	VirtualService []ActionTargetVirtualServiceObservation `json:"virtualService,omitempty" tf:"virtual_service,omitempty"`
 }
 
 type HTTPRouteActionTargetParameters struct {
@@ -169,6 +217,12 @@ type HTTPRouteActionTargetParameters struct {
 }
 
 type HTTPRouteMatchHostnameObservation struct {
+
+	// Exact host name to match on.
+	Exact *string `json:"exact,omitempty" tf:"exact,omitempty"`
+
+	// Specified ending characters of the host name to match on.
+	Suffix *string `json:"suffix,omitempty" tf:"suffix,omitempty"`
 }
 
 type HTTPRouteMatchHostnameParameters struct {
@@ -183,6 +237,15 @@ type HTTPRouteMatchHostnameParameters struct {
 }
 
 type HTTPRouteMatchObservation struct {
+
+	// Host name to rewrite.
+	Hostname []HTTPRouteMatchHostnameObservation `json:"hostname,omitempty" tf:"hostname,omitempty"`
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Specified beginning characters to rewrite.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type HTTPRouteMatchParameters struct {
@@ -201,6 +264,12 @@ type HTTPRouteMatchParameters struct {
 }
 
 type HTTPRouteObservation struct {
+
+	// Action to take if a match is determined.
+	Action []HTTPRouteActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Criteria for determining a request match.
+	Match []HTTPRouteMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type HTTPRouteParameters struct {
@@ -215,6 +284,9 @@ type HTTPRouteParameters struct {
 }
 
 type HostnameObservation struct {
+
+	// Default target host name to write to. Valid values: ENABLED, DISABLED.
+	DefaultTargetHostname *string `json:"defaultTargetHostname,omitempty" tf:"default_target_hostname,omitempty"`
 }
 
 type HostnameParameters struct {
@@ -225,6 +297,12 @@ type HostnameParameters struct {
 }
 
 type Http2RouteActionObservation struct {
+
+	// Gateway route action to rewrite.
+	Rewrite []RewriteObservation `json:"rewrite,omitempty" tf:"rewrite,omitempty"`
+
+	// Target that traffic is routed to when a request matches the gateway route.
+	Target []ActionTargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type Http2RouteActionParameters struct {
@@ -239,6 +317,15 @@ type Http2RouteActionParameters struct {
 }
 
 type Http2RouteMatchObservation struct {
+
+	// Host name to rewrite.
+	Hostname []MatchHostnameObservation `json:"hostname,omitempty" tf:"hostname,omitempty"`
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Specified beginning characters to rewrite.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type Http2RouteMatchParameters struct {
@@ -257,6 +344,12 @@ type Http2RouteMatchParameters struct {
 }
 
 type Http2RouteObservation struct {
+
+	// Action to take if a match is determined.
+	Action []Http2RouteActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Criteria for determining a request match.
+	Match []Http2RouteMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type Http2RouteParameters struct {
@@ -271,6 +364,12 @@ type Http2RouteParameters struct {
 }
 
 type MatchHostnameObservation struct {
+
+	// Exact host name to match on.
+	Exact *string `json:"exact,omitempty" tf:"exact,omitempty"`
+
+	// Specified ending characters of the host name to match on.
+	Suffix *string `json:"suffix,omitempty" tf:"suffix,omitempty"`
 }
 
 type MatchHostnameParameters struct {
@@ -285,6 +384,12 @@ type MatchHostnameParameters struct {
 }
 
 type MatchObservation struct {
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Fully qualified domain name for the service to match from the request.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
 }
 
 type MatchParameters struct {
@@ -299,6 +404,12 @@ type MatchParameters struct {
 }
 
 type PrefixObservation struct {
+
+	// Default prefix used to replace the incoming route prefix when rewritten. Valid values: ENABLED, DISABLED.
+	DefaultPrefix *string `json:"defaultPrefix,omitempty" tf:"default_prefix,omitempty"`
+
+	// Value used to replace the incoming route prefix when rewritten.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type PrefixParameters struct {
@@ -313,6 +424,9 @@ type PrefixParameters struct {
 }
 
 type RewriteHostnameObservation struct {
+
+	// Default target host name to write to. Valid values: ENABLED, DISABLED.
+	DefaultTargetHostname *string `json:"defaultTargetHostname,omitempty" tf:"default_target_hostname,omitempty"`
 }
 
 type RewriteHostnameParameters struct {
@@ -323,6 +437,12 @@ type RewriteHostnameParameters struct {
 }
 
 type RewriteObservation struct {
+
+	// Host name to rewrite.
+	Hostname []HostnameObservation `json:"hostname,omitempty" tf:"hostname,omitempty"`
+
+	// Specified beginning characters to rewrite.
+	Prefix []PrefixObservation `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type RewriteParameters struct {
@@ -337,6 +457,12 @@ type RewriteParameters struct {
 }
 
 type RewritePrefixObservation struct {
+
+	// Default prefix used to replace the incoming route prefix when rewritten. Valid values: ENABLED, DISABLED.
+	DefaultPrefix *string `json:"defaultPrefix,omitempty" tf:"default_prefix,omitempty"`
+
+	// Value used to replace the incoming route prefix when rewritten.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type RewritePrefixParameters struct {
@@ -351,6 +477,15 @@ type RewritePrefixParameters struct {
 }
 
 type SpecObservation struct {
+
+	// Specification of a gRPC gateway route.
+	GRPCRoute []GRPCRouteObservation `json:"grpcRoute,omitempty" tf:"grpc_route,omitempty"`
+
+	// Specification of an HTTP gateway route.
+	HTTPRoute []HTTPRouteObservation `json:"httpRoute,omitempty" tf:"http_route,omitempty"`
+
+	// Specification of an HTTP/2 gateway route.
+	Http2Route []Http2RouteObservation `json:"http2Route,omitempty" tf:"http2_route,omitempty"`
 }
 
 type SpecParameters struct {
@@ -369,6 +504,9 @@ type SpecParameters struct {
 }
 
 type TargetObservation struct {
+
+	// Virtual service gateway route target.
+	VirtualService []VirtualServiceObservation `json:"virtualService,omitempty" tf:"virtual_service,omitempty"`
 }
 
 type TargetParameters struct {
@@ -379,6 +517,9 @@ type TargetParameters struct {
 }
 
 type TargetVirtualServiceObservation struct {
+
+	// Name of the virtual service that traffic is routed to. Must be between 1 and 255 characters in length.
+	VirtualServiceName *string `json:"virtualServiceName,omitempty" tf:"virtual_service_name,omitempty"`
 }
 
 type TargetVirtualServiceParameters struct {
@@ -389,6 +530,9 @@ type TargetVirtualServiceParameters struct {
 }
 
 type VirtualServiceObservation struct {
+
+	// Name of the virtual service that traffic is routed to. Must be between 1 and 255 characters in length.
+	VirtualServiceName *string `json:"virtualServiceName,omitempty" tf:"virtual_service_name,omitempty"`
 }
 
 type VirtualServiceParameters struct {
@@ -422,8 +566,11 @@ type GatewayRouteStatus struct {
 type GatewayRoute struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GatewayRouteSpec   `json:"spec"`
-	Status            GatewayRouteStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.meshName)",message="meshName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)",message="spec is a required parameter"
+	Spec   GatewayRouteSpec   `json:"spec"`
+	Status GatewayRouteStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appmesh/v1beta1/zz_generated.deepcopy.go b/apis/appmesh/v1beta1/zz_generated.deepcopy.go
index 1a5ac7630e..c762251dd5 100644
--- a/apis/appmesh/v1beta1/zz_generated.deepcopy.go
+++ b/apis/appmesh/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessLogFileObservation) DeepCopyInto(out *AccessLogFileObservation) {
 	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessLogFileObservation.
@@ -52,6 +57,13 @@ func (in *AccessLogFileParameters) DeepCopy() *AccessLogFileParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessLogObservation) DeepCopyInto(out *AccessLogObservation) {
 	*out = *in
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]AccessLogFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessLogObservation.
@@ -89,6 +101,17 @@ func (in *AccessLogParameters) DeepCopy() *AccessLogParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AcmObservation) DeepCopyInto(out *AcmObservation) {
 	*out = *in
+	if in.CertificateAuthorityArns != nil {
+		in, out := &in.CertificateAuthorityArns, &out.CertificateAuthorityArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcmObservation.
@@ -130,6 +153,13 @@ func (in *AcmParameters) DeepCopy() *AcmParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]TargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -167,6 +197,20 @@ func (in *ActionParameters) DeepCopy() *ActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionRewriteObservation) DeepCopyInto(out *ActionRewriteObservation) {
 	*out = *in
+	if in.Hostname != nil {
+		in, out := &in.Hostname, &out.Hostname
+		*out = make([]RewriteHostnameObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = make([]RewritePrefixObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionRewriteObservation.
@@ -211,6 +255,13 @@ func (in *ActionRewriteParameters) DeepCopy() *ActionRewriteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionTargetObservation) DeepCopyInto(out *ActionTargetObservation) {
 	*out = *in
+	if in.VirtualService != nil {
+		in, out := &in.VirtualService, &out.VirtualService
+		*out = make([]TargetVirtualServiceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionTargetObservation.
@@ -248,6 +299,11 @@ func (in *ActionTargetParameters) DeepCopy() *ActionTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionTargetVirtualServiceObservation) DeepCopyInto(out *ActionTargetVirtualServiceObservation) {
 	*out = *in
+	if in.VirtualServiceName != nil {
+		in, out := &in.VirtualServiceName, &out.VirtualServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionTargetVirtualServiceObservation.
@@ -293,6 +349,21 @@ func (in *ActionTargetVirtualServiceParameters) DeepCopy() *ActionTargetVirtualS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionWeightedTargetObservation) DeepCopyInto(out *ActionWeightedTargetObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VirtualNode != nil {
+		in, out := &in.VirtualNode, &out.VirtualNode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionWeightedTargetObservation.
@@ -338,6 +409,31 @@ func (in *ActionWeightedTargetParameters) DeepCopy() *ActionWeightedTargetParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AwsCloudMapObservation) DeepCopyInto(out *AwsCloudMapObservation) {
 	*out = *in
+	if in.Attributes != nil {
+		in, out := &in.Attributes, &out.Attributes
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.NamespaceName != nil {
+		in, out := &in.NamespaceName, &out.NamespaceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsCloudMapObservation.
@@ -403,6 +499,13 @@ func (in *AwsCloudMapParameters) DeepCopy() *AwsCloudMapParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendDefaultsClientPolicyObservation) DeepCopyInto(out *BackendDefaultsClientPolicyObservation) {
 	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = make([]BackendDefaultsClientPolicyTLSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendDefaultsClientPolicyObservation.
@@ -440,6 +543,20 @@ func (in *BackendDefaultsClientPolicyParameters) DeepCopy() *BackendDefaultsClie
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendDefaultsClientPolicyTLSCertificateObservation) DeepCopyInto(out *BackendDefaultsClientPolicyTLSCertificateObservation) {
 	*out = *in
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]ClientPolicyTLSCertificateFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]ClientPolicyTLSCertificateSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendDefaultsClientPolicyTLSCertificateObservation.
@@ -484,6 +601,36 @@ func (in *BackendDefaultsClientPolicyTLSCertificateParameters) DeepCopy() *Backe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendDefaultsClientPolicyTLSObservation) DeepCopyInto(out *BackendDefaultsClientPolicyTLSObservation) {
 	*out = *in
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = make([]BackendDefaultsClientPolicyTLSCertificateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enforce != nil {
+		in, out := &in.Enforce, &out.Enforce
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Validation != nil {
+		in, out := &in.Validation, &out.Validation
+		*out = make([]BackendDefaultsClientPolicyTLSValidationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendDefaultsClientPolicyTLSObservation.
@@ -544,6 +691,20 @@ func (in *BackendDefaultsClientPolicyTLSParameters) DeepCopy() *BackendDefaultsC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendDefaultsClientPolicyTLSValidationObservation) DeepCopyInto(out *BackendDefaultsClientPolicyTLSValidationObservation) {
 	*out = *in
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]ClientPolicyTLSValidationSubjectAlternativeNamesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Trust != nil {
+		in, out := &in.Trust, &out.Trust
+		*out = make([]ClientPolicyTLSValidationTrustObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendDefaultsClientPolicyTLSValidationObservation.
@@ -588,6 +749,13 @@ func (in *BackendDefaultsClientPolicyTLSValidationParameters) DeepCopy() *Backen
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendDefaultsObservation) DeepCopyInto(out *BackendDefaultsObservation) {
 	*out = *in
+	if in.ClientPolicy != nil {
+		in, out := &in.ClientPolicy, &out.ClientPolicy
+		*out = make([]ClientPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendDefaultsObservation.
@@ -625,6 +793,13 @@ func (in *BackendDefaultsParameters) DeepCopy() *BackendDefaultsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendObservation) DeepCopyInto(out *BackendObservation) {
 	*out = *in
+	if in.VirtualService != nil {
+		in, out := &in.VirtualService, &out.VirtualService
+		*out = make([]BackendVirtualServiceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendObservation.
@@ -662,6 +837,18 @@ func (in *BackendParameters) DeepCopy() *BackendParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackendVirtualServiceObservation) DeepCopyInto(out *BackendVirtualServiceObservation) {
 	*out = *in
+	if in.ClientPolicy != nil {
+		in, out := &in.ClientPolicy, &out.ClientPolicy
+		*out = make([]VirtualServiceClientPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VirtualServiceName != nil {
+		in, out := &in.VirtualServiceName, &out.VirtualServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendVirtualServiceObservation.
@@ -704,6 +891,16 @@ func (in *BackendVirtualServiceParameters) DeepCopy() *BackendVirtualServicePara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BaseEjectionDurationObservation) DeepCopyInto(out *BaseEjectionDurationObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaseEjectionDurationObservation.
@@ -744,6 +941,11 @@ func (in *BaseEjectionDurationParameters) DeepCopy() *BaseEjectionDurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateAcmObservation) DeepCopyInto(out *CertificateAcmObservation) {
 	*out = *in
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateAcmObservation.
@@ -789,6 +991,16 @@ func (in *CertificateAcmParameters) DeepCopy() *CertificateAcmParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateFileObservation) DeepCopyInto(out *CertificateFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateKey != nil {
+		in, out := &in.PrivateKey, &out.PrivateKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateFileObservation.
@@ -829,6 +1041,20 @@ func (in *CertificateFileParameters) DeepCopy() *CertificateFileParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 	*out = *in
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]FileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]SdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateObservation.
@@ -873,6 +1099,11 @@ func (in *CertificateParameters) DeepCopy() *CertificateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateSdsObservation) DeepCopyInto(out *CertificateSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateSdsObservation.
@@ -908,6 +1139,13 @@ func (in *CertificateSdsParameters) DeepCopy() *CertificateSdsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyObservation) DeepCopyInto(out *ClientPolicyObservation) {
 	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = make([]TLSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyObservation.
@@ -945,6 +1183,16 @@ func (in *ClientPolicyParameters) DeepCopy() *ClientPolicyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSCertificateFileObservation) DeepCopyInto(out *ClientPolicyTLSCertificateFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateKey != nil {
+		in, out := &in.PrivateKey, &out.PrivateKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSCertificateFileObservation.
@@ -985,6 +1233,20 @@ func (in *ClientPolicyTLSCertificateFileParameters) DeepCopy() *ClientPolicyTLSC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSCertificateObservation) DeepCopyInto(out *ClientPolicyTLSCertificateObservation) {
 	*out = *in
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]TLSCertificateFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]TLSCertificateSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSCertificateObservation.
@@ -1029,6 +1291,11 @@ func (in *ClientPolicyTLSCertificateParameters) DeepCopy() *ClientPolicyTLSCerti
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSCertificateSdsObservation) DeepCopyInto(out *ClientPolicyTLSCertificateSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSCertificateSdsObservation.
@@ -1064,15 +1331,45 @@ func (in *ClientPolicyTLSCertificateSdsParameters) DeepCopy() *ClientPolicyTLSCe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSObservation) DeepCopyInto(out *ClientPolicyTLSObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSObservation.
-func (in *ClientPolicyTLSObservation) DeepCopy() *ClientPolicyTLSObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(ClientPolicyTLSObservation)
-	in.DeepCopyInto(out)
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = make([]ClientPolicyTLSCertificateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enforce != nil {
+		in, out := &in.Enforce, &out.Enforce
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Validation != nil {
+		in, out := &in.Validation, &out.Validation
+		*out = make([]ClientPolicyTLSValidationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSObservation.
+func (in *ClientPolicyTLSObservation) DeepCopy() *ClientPolicyTLSObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(ClientPolicyTLSObservation)
+	in.DeepCopyInto(out)
 	return out
 }
 
@@ -1124,6 +1421,20 @@ func (in *ClientPolicyTLSParameters) DeepCopy() *ClientPolicyTLSParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSValidationObservation) DeepCopyInto(out *ClientPolicyTLSValidationObservation) {
 	*out = *in
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]TLSValidationSubjectAlternativeNamesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Trust != nil {
+		in, out := &in.Trust, &out.Trust
+		*out = make([]TLSValidationTrustObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSValidationObservation.
@@ -1168,6 +1479,17 @@ func (in *ClientPolicyTLSValidationParameters) DeepCopy() *ClientPolicyTLSValida
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSValidationSubjectAlternativeNamesMatchObservation) DeepCopyInto(out *ClientPolicyTLSValidationSubjectAlternativeNamesMatchObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSValidationSubjectAlternativeNamesMatchObservation.
@@ -1209,6 +1531,13 @@ func (in *ClientPolicyTLSValidationSubjectAlternativeNamesMatchParameters) DeepC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSValidationSubjectAlternativeNamesObservation) DeepCopyInto(out *ClientPolicyTLSValidationSubjectAlternativeNamesObservation) {
 	*out = *in
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]ClientPolicyTLSValidationSubjectAlternativeNamesMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSValidationSubjectAlternativeNamesObservation.
@@ -1246,6 +1575,11 @@ func (in *ClientPolicyTLSValidationSubjectAlternativeNamesParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSValidationTrustFileObservation) DeepCopyInto(out *ClientPolicyTLSValidationTrustFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSValidationTrustFileObservation.
@@ -1281,6 +1615,27 @@ func (in *ClientPolicyTLSValidationTrustFileParameters) DeepCopy() *ClientPolicy
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSValidationTrustObservation) DeepCopyInto(out *ClientPolicyTLSValidationTrustObservation) {
 	*out = *in
+	if in.Acm != nil {
+		in, out := &in.Acm, &out.Acm
+		*out = make([]ValidationTrustAcmObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]ClientPolicyTLSValidationTrustFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]ClientPolicyTLSValidationTrustSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSValidationTrustObservation.
@@ -1332,6 +1687,11 @@ func (in *ClientPolicyTLSValidationTrustParameters) DeepCopy() *ClientPolicyTLSV
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientPolicyTLSValidationTrustSdsObservation) DeepCopyInto(out *ClientPolicyTLSValidationTrustSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientPolicyTLSValidationTrustSdsObservation.
@@ -1367,6 +1727,11 @@ func (in *ClientPolicyTLSValidationTrustSdsParameters) DeepCopy() *ClientPolicyT
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionPoolGRPCObservation) DeepCopyInto(out *ConnectionPoolGRPCObservation) {
 	*out = *in
+	if in.MaxRequests != nil {
+		in, out := &in.MaxRequests, &out.MaxRequests
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionPoolGRPCObservation.
@@ -1402,6 +1767,16 @@ func (in *ConnectionPoolGRPCParameters) DeepCopy() *ConnectionPoolGRPCParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionPoolHTTPObservation) DeepCopyInto(out *ConnectionPoolHTTPObservation) {
 	*out = *in
+	if in.MaxConnections != nil {
+		in, out := &in.MaxConnections, &out.MaxConnections
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxPendingRequests != nil {
+		in, out := &in.MaxPendingRequests, &out.MaxPendingRequests
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionPoolHTTPObservation.
@@ -1442,6 +1817,11 @@ func (in *ConnectionPoolHTTPParameters) DeepCopy() *ConnectionPoolHTTPParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionPoolHttp2Observation) DeepCopyInto(out *ConnectionPoolHttp2Observation) {
 	*out = *in
+	if in.MaxRequests != nil {
+		in, out := &in.MaxRequests, &out.MaxRequests
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionPoolHttp2Observation.
@@ -1477,6 +1857,27 @@ func (in *ConnectionPoolHttp2Parameters) DeepCopy() *ConnectionPoolHttp2Paramete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionPoolObservation) DeepCopyInto(out *ConnectionPoolObservation) {
 	*out = *in
+	if in.GRPC != nil {
+		in, out := &in.GRPC, &out.GRPC
+		*out = make([]GRPCObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTP != nil {
+		in, out := &in.HTTP, &out.HTTP
+		*out = make([]HTTPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Http2 != nil {
+		in, out := &in.Http2, &out.Http2
+		*out = make([]Http2Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionPoolObservation.
@@ -1528,6 +1929,11 @@ func (in *ConnectionPoolParameters) DeepCopy() *ConnectionPoolParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DNSObservation) DeepCopyInto(out *DNSObservation) {
 	*out = *in
+	if in.Hostname != nil {
+		in, out := &in.Hostname, &out.Hostname
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSObservation.
@@ -1563,6 +1969,11 @@ func (in *DNSParameters) DeepCopy() *DNSParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EgressFilterObservation) DeepCopyInto(out *EgressFilterObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressFilterObservation.
@@ -1598,6 +2009,16 @@ func (in *EgressFilterParameters) DeepCopy() *EgressFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FileObservation) DeepCopyInto(out *FileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateKey != nil {
+		in, out := &in.PrivateKey, &out.PrivateKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileObservation.
@@ -1638,6 +2059,16 @@ func (in *FileParameters) DeepCopy() *FileParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GRPCIdleObservation) DeepCopyInto(out *GRPCIdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCIdleObservation.
@@ -1678,6 +2109,11 @@ func (in *GRPCIdleParameters) DeepCopy() *GRPCIdleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GRPCObservation) DeepCopyInto(out *GRPCObservation) {
 	*out = *in
+	if in.MaxRequests != nil {
+		in, out := &in.MaxRequests, &out.MaxRequests
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCObservation.
@@ -1713,6 +2149,16 @@ func (in *GRPCParameters) DeepCopy() *GRPCParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GRPCPerRequestObservation) DeepCopyInto(out *GRPCPerRequestObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCPerRequestObservation.
@@ -1753,6 +2199,13 @@ func (in *GRPCPerRequestParameters) DeepCopy() *GRPCPerRequestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GRPCRouteActionObservation) DeepCopyInto(out *GRPCRouteActionObservation) {
 	*out = *in
+	if in.WeightedTarget != nil {
+		in, out := &in.WeightedTarget, &out.WeightedTarget
+		*out = make([]WeightedTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCRouteActionObservation.
@@ -1790,6 +2243,33 @@ func (in *GRPCRouteActionParameters) DeepCopy() *GRPCRouteActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GRPCRouteMatchObservation) DeepCopyInto(out *GRPCRouteMatchObservation) {
 	*out = *in
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = make([]MetadataObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MethodName != nil {
+		in, out := &in.MethodName, &out.MethodName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCRouteMatchObservation.
@@ -1847,6 +2327,20 @@ func (in *GRPCRouteMatchParameters) DeepCopy() *GRPCRouteMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GRPCRouteObservation) DeepCopyInto(out *GRPCRouteObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]MatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GRPCRouteObservation.
@@ -1970,13 +2464,35 @@ func (in *GatewayRouteObservation) DeepCopyInto(out *GatewayRouteObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MeshName != nil {
+		in, out := &in.MeshName, &out.MeshName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MeshOwner != nil {
+		in, out := &in.MeshOwner, &out.MeshOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceOwner != nil {
 		in, out := &in.ResourceOwner, &out.ResourceOwner
 		*out = new(string)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = make([]SpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
 		*out = make(map[string]*string, len(*in))
 		for key, val := range *in {
 			var outVal *string
@@ -1990,16 +2506,36 @@ func (in *GatewayRouteObservation) DeepCopyInto(out *GatewayRouteObservation) {
 			(*out)[key] = outVal
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayRouteObservation.
-func (in *GatewayRouteObservation) DeepCopy() *GatewayRouteObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(GatewayRouteObservation)
-	in.DeepCopyInto(out)
-	return out
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VirtualGatewayName != nil {
+		in, out := &in.VirtualGatewayName, &out.VirtualGatewayName
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayRouteObservation.
+func (in *GatewayRouteObservation) DeepCopy() *GatewayRouteObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(GatewayRouteObservation)
+	in.DeepCopyInto(out)
+	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -2111,6 +2647,16 @@ func (in *GatewayRouteStatus) DeepCopy() *GatewayRouteStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPIdleObservation) DeepCopyInto(out *HTTPIdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPIdleObservation.
@@ -2151,6 +2697,16 @@ func (in *HTTPIdleParameters) DeepCopy() *HTTPIdleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPObservation) DeepCopyInto(out *HTTPObservation) {
 	*out = *in
+	if in.MaxConnections != nil {
+		in, out := &in.MaxConnections, &out.MaxConnections
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxPendingRequests != nil {
+		in, out := &in.MaxPendingRequests, &out.MaxPendingRequests
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPObservation.
@@ -2191,6 +2747,16 @@ func (in *HTTPParameters) DeepCopy() *HTTPParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPPerRequestObservation) DeepCopyInto(out *HTTPPerRequestObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPPerRequestObservation.
@@ -2231,6 +2797,20 @@ func (in *HTTPPerRequestParameters) DeepCopy() *HTTPPerRequestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteActionObservation) DeepCopyInto(out *HTTPRouteActionObservation) {
 	*out = *in
+	if in.Rewrite != nil {
+		in, out := &in.Rewrite, &out.Rewrite
+		*out = make([]ActionRewriteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]HTTPRouteActionTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteActionObservation.
@@ -2275,6 +2855,13 @@ func (in *HTTPRouteActionParameters) DeepCopy() *HTTPRouteActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteActionTargetObservation) DeepCopyInto(out *HTTPRouteActionTargetObservation) {
 	*out = *in
+	if in.VirtualService != nil {
+		in, out := &in.VirtualService, &out.VirtualService
+		*out = make([]ActionTargetVirtualServiceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteActionTargetObservation.
@@ -2312,6 +2899,21 @@ func (in *HTTPRouteActionTargetParameters) DeepCopy() *HTTPRouteActionTargetPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteActionWeightedTargetObservation) DeepCopyInto(out *HTTPRouteActionWeightedTargetObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VirtualNode != nil {
+		in, out := &in.VirtualNode, &out.VirtualNode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteActionWeightedTargetObservation.
@@ -2367,6 +2969,16 @@ func (in *HTTPRouteActionWeightedTargetParameters) DeepCopy() *HTTPRouteActionWe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteMatchHostnameObservation) DeepCopyInto(out *HTTPRouteMatchHostnameObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = new(string)
+		**out = **in
+	}
+	if in.Suffix != nil {
+		in, out := &in.Suffix, &out.Suffix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteMatchHostnameObservation.
@@ -2407,6 +3019,23 @@ func (in *HTTPRouteMatchHostnameParameters) DeepCopy() *HTTPRouteMatchHostnamePa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteMatchObservation) DeepCopyInto(out *HTTPRouteMatchObservation) {
 	*out = *in
+	if in.Hostname != nil {
+		in, out := &in.Hostname, &out.Hostname
+		*out = make([]HTTPRouteMatchHostnameObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteMatchObservation.
@@ -2454,6 +3083,20 @@ func (in *HTTPRouteMatchParameters) DeepCopy() *HTTPRouteMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteObservation) DeepCopyInto(out *HTTPRouteObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]HTTPRouteActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]HTTPRouteMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteObservation.
@@ -2498,6 +3141,40 @@ func (in *HTTPRouteParameters) DeepCopy() *HTTPRouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteRetryPolicyObservation) DeepCopyInto(out *HTTPRouteRetryPolicyObservation) {
 	*out = *in
+	if in.HTTPRetryEvents != nil {
+		in, out := &in.HTTPRetryEvents, &out.HTTPRetryEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MaxRetries != nil {
+		in, out := &in.MaxRetries, &out.MaxRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PerRetryTimeout != nil {
+		in, out := &in.PerRetryTimeout, &out.PerRetryTimeout
+		*out = make([]HTTPRouteRetryPolicyPerRetryTimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TCPRetryEvents != nil {
+		in, out := &in.TCPRetryEvents, &out.TCPRetryEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteRetryPolicyObservation.
@@ -2562,6 +3239,16 @@ func (in *HTTPRouteRetryPolicyParameters) DeepCopy() *HTTPRouteRetryPolicyParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteRetryPolicyPerRetryTimeoutObservation) DeepCopyInto(out *HTTPRouteRetryPolicyPerRetryTimeoutObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteRetryPolicyPerRetryTimeoutObservation.
@@ -2602,6 +3289,16 @@ func (in *HTTPRouteRetryPolicyPerRetryTimeoutParameters) DeepCopy() *HTTPRouteRe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteTimeoutIdleObservation) DeepCopyInto(out *HTTPRouteTimeoutIdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteTimeoutIdleObservation.
@@ -2642,6 +3339,20 @@ func (in *HTTPRouteTimeoutIdleParameters) DeepCopy() *HTTPRouteTimeoutIdleParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteTimeoutObservation) DeepCopyInto(out *HTTPRouteTimeoutObservation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]HTTPRouteTimeoutIdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PerRequest != nil {
+		in, out := &in.PerRequest, &out.PerRequest
+		*out = make([]HTTPRouteTimeoutPerRequestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteTimeoutObservation.
@@ -2686,6 +3397,16 @@ func (in *HTTPRouteTimeoutParameters) DeepCopy() *HTTPRouteTimeoutParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRouteTimeoutPerRequestObservation) DeepCopyInto(out *HTTPRouteTimeoutPerRequestObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRouteTimeoutPerRequestObservation.
@@ -2726,6 +3447,33 @@ func (in *HTTPRouteTimeoutPerRequestParameters) DeepCopy() *HTTPRouteTimeoutPerR
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeaderMatchObservation) DeepCopyInto(out *HeaderMatchObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Range != nil {
+		in, out := &in.Range, &out.Range
+		*out = make([]MatchRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Regex != nil {
+		in, out := &in.Regex, &out.Regex
+		*out = new(string)
+		**out = **in
+	}
+	if in.Suffix != nil {
+		in, out := &in.Suffix, &out.Suffix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderMatchObservation.
@@ -2783,6 +3531,16 @@ func (in *HeaderMatchParameters) DeepCopy() *HeaderMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeaderMatchRangeObservation) DeepCopyInto(out *HeaderMatchRangeObservation) {
 	*out = *in
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderMatchRangeObservation.
@@ -2823,17 +3581,34 @@ func (in *HeaderMatchRangeParameters) DeepCopy() *HeaderMatchRangeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeaderObservation) DeepCopyInto(out *HeaderObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderObservation.
-func (in *HeaderObservation) DeepCopy() *HeaderObservation {
-	if in == nil {
-		return nil
+	if in.Invert != nil {
+		in, out := &in.Invert, &out.Invert
+		*out = new(bool)
+		**out = **in
 	}
-	out := new(HeaderObservation)
-	in.DeepCopyInto(out)
-	return out
-}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]HeaderMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderObservation.
+func (in *HeaderObservation) DeepCopy() *HeaderObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(HeaderObservation)
+	in.DeepCopyInto(out)
+	return out
+}
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeaderParameters) DeepCopyInto(out *HeaderParameters) {
@@ -2870,6 +3645,41 @@ func (in *HeaderParameters) DeepCopy() *HeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HealthCheckObservation) DeepCopyInto(out *HealthCheckObservation) {
 	*out = *in
+	if in.HealthyThreshold != nil {
+		in, out := &in.HealthyThreshold, &out.HealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalMillis != nil {
+		in, out := &in.IntervalMillis, &out.IntervalMillis
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeoutMillis != nil {
+		in, out := &in.TimeoutMillis, &out.TimeoutMillis
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UnhealthyThreshold != nil {
+		in, out := &in.UnhealthyThreshold, &out.UnhealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckObservation.
@@ -2935,6 +3745,11 @@ func (in *HealthCheckParameters) DeepCopy() *HealthCheckParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostnameObservation) DeepCopyInto(out *HostnameObservation) {
 	*out = *in
+	if in.DefaultTargetHostname != nil {
+		in, out := &in.DefaultTargetHostname, &out.DefaultTargetHostname
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostnameObservation.
@@ -2970,6 +3785,16 @@ func (in *HostnameParameters) DeepCopy() *HostnameParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2IdleObservation) DeepCopyInto(out *Http2IdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2IdleObservation.
@@ -3010,6 +3835,11 @@ func (in *Http2IdleParameters) DeepCopy() *Http2IdleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2Observation) DeepCopyInto(out *Http2Observation) {
 	*out = *in
+	if in.MaxRequests != nil {
+		in, out := &in.MaxRequests, &out.MaxRequests
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2Observation.
@@ -3045,6 +3875,16 @@ func (in *Http2Parameters) DeepCopy() *Http2Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2PerRequestObservation) DeepCopyInto(out *Http2PerRequestObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2PerRequestObservation.
@@ -3085,6 +3925,20 @@ func (in *Http2PerRequestParameters) DeepCopy() *Http2PerRequestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2RouteActionObservation) DeepCopyInto(out *Http2RouteActionObservation) {
 	*out = *in
+	if in.Rewrite != nil {
+		in, out := &in.Rewrite, &out.Rewrite
+		*out = make([]RewriteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]ActionTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2RouteActionObservation.
@@ -3129,6 +3983,23 @@ func (in *Http2RouteActionParameters) DeepCopy() *Http2RouteActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2RouteMatchObservation) DeepCopyInto(out *Http2RouteMatchObservation) {
 	*out = *in
+	if in.Hostname != nil {
+		in, out := &in.Hostname, &out.Hostname
+		*out = make([]MatchHostnameObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2RouteMatchObservation.
@@ -3176,6 +4047,20 @@ func (in *Http2RouteMatchParameters) DeepCopy() *Http2RouteMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2RouteObservation) DeepCopyInto(out *Http2RouteObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]Http2RouteActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]Http2RouteMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2RouteObservation.
@@ -3220,6 +4105,40 @@ func (in *Http2RouteParameters) DeepCopy() *Http2RouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2RouteRetryPolicyObservation) DeepCopyInto(out *Http2RouteRetryPolicyObservation) {
 	*out = *in
+	if in.HTTPRetryEvents != nil {
+		in, out := &in.HTTPRetryEvents, &out.HTTPRetryEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MaxRetries != nil {
+		in, out := &in.MaxRetries, &out.MaxRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PerRetryTimeout != nil {
+		in, out := &in.PerRetryTimeout, &out.PerRetryTimeout
+		*out = make([]RetryPolicyPerRetryTimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TCPRetryEvents != nil {
+		in, out := &in.TCPRetryEvents, &out.TCPRetryEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2RouteRetryPolicyObservation.
@@ -3284,6 +4203,20 @@ func (in *Http2RouteRetryPolicyParameters) DeepCopy() *Http2RouteRetryPolicyPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Http2RouteTimeoutObservation) DeepCopyInto(out *Http2RouteTimeoutObservation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]TimeoutIdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PerRequest != nil {
+		in, out := &in.PerRequest, &out.PerRequest
+		*out = make([]TimeoutPerRequestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Http2RouteTimeoutObservation.
@@ -3328,6 +4261,16 @@ func (in *Http2RouteTimeoutParameters) DeepCopy() *Http2RouteTimeoutParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IdleObservation) DeepCopyInto(out *IdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdleObservation.
@@ -3368,6 +4311,16 @@ func (in *IdleParameters) DeepCopy() *IdleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntervalObservation) DeepCopyInto(out *IntervalObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntervalObservation.
@@ -3408,6 +4361,34 @@ func (in *IntervalParameters) DeepCopy() *IntervalParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerConnectionPoolObservation) DeepCopyInto(out *ListenerConnectionPoolObservation) {
 	*out = *in
+	if in.GRPC != nil {
+		in, out := &in.GRPC, &out.GRPC
+		*out = make([]ConnectionPoolGRPCObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTP != nil {
+		in, out := &in.HTTP, &out.HTTP
+		*out = make([]ConnectionPoolHTTPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Http2 != nil {
+		in, out := &in.Http2, &out.Http2
+		*out = make([]ConnectionPoolHttp2Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TCP != nil {
+		in, out := &in.TCP, &out.TCP
+		*out = make([]TCPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerConnectionPoolObservation.
@@ -3466,6 +4447,41 @@ func (in *ListenerConnectionPoolParameters) DeepCopy() *ListenerConnectionPoolPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerHealthCheckObservation) DeepCopyInto(out *ListenerHealthCheckObservation) {
 	*out = *in
+	if in.HealthyThreshold != nil {
+		in, out := &in.HealthyThreshold, &out.HealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalMillis != nil {
+		in, out := &in.IntervalMillis, &out.IntervalMillis
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeoutMillis != nil {
+		in, out := &in.TimeoutMillis, &out.TimeoutMillis
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UnhealthyThreshold != nil {
+		in, out := &in.UnhealthyThreshold, &out.UnhealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerHealthCheckObservation.
@@ -3531,6 +4547,34 @@ func (in *ListenerHealthCheckParameters) DeepCopy() *ListenerHealthCheckParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerObservation) DeepCopyInto(out *ListenerObservation) {
 	*out = *in
+	if in.ConnectionPool != nil {
+		in, out := &in.ConnectionPool, &out.ConnectionPool
+		*out = make([]ConnectionPoolObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HealthCheck != nil {
+		in, out := &in.HealthCheck, &out.HealthCheck
+		*out = make([]HealthCheckObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PortMapping != nil {
+		in, out := &in.PortMapping, &out.PortMapping
+		*out = make([]PortMappingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = make([]ListenerTLSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerObservation.
@@ -3589,6 +4633,16 @@ func (in *ListenerParameters) DeepCopy() *ListenerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerPortMappingObservation) DeepCopyInto(out *ListenerPortMappingObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerPortMappingObservation.
@@ -3629,6 +4683,16 @@ func (in *ListenerPortMappingParameters) DeepCopy() *ListenerPortMappingParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSCertificateFileObservation) DeepCopyInto(out *ListenerTLSCertificateFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateKey != nil {
+		in, out := &in.PrivateKey, &out.PrivateKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSCertificateFileObservation.
@@ -3669,6 +4733,27 @@ func (in *ListenerTLSCertificateFileParameters) DeepCopy() *ListenerTLSCertifica
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSCertificateObservation) DeepCopyInto(out *ListenerTLSCertificateObservation) {
 	*out = *in
+	if in.Acm != nil {
+		in, out := &in.Acm, &out.Acm
+		*out = make([]TLSCertificateAcmObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]ListenerTLSCertificateFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]ListenerTLSCertificateSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSCertificateObservation.
@@ -3720,6 +4805,11 @@ func (in *ListenerTLSCertificateParameters) DeepCopy() *ListenerTLSCertificatePa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSCertificateSdsObservation) DeepCopyInto(out *ListenerTLSCertificateSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSCertificateSdsObservation.
@@ -3755,6 +4845,25 @@ func (in *ListenerTLSCertificateSdsParameters) DeepCopy() *ListenerTLSCertificat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSObservation) DeepCopyInto(out *ListenerTLSObservation) {
 	*out = *in
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = make([]TLSCertificateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Validation != nil {
+		in, out := &in.Validation, &out.Validation
+		*out = make([]TLSValidationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSObservation.
@@ -3804,6 +4913,20 @@ func (in *ListenerTLSParameters) DeepCopy() *ListenerTLSParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSValidationObservation) DeepCopyInto(out *ListenerTLSValidationObservation) {
 	*out = *in
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]ListenerTLSValidationSubjectAlternativeNamesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Trust != nil {
+		in, out := &in.Trust, &out.Trust
+		*out = make([]ListenerTLSValidationTrustObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSValidationObservation.
@@ -3848,6 +4971,17 @@ func (in *ListenerTLSValidationParameters) DeepCopy() *ListenerTLSValidationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSValidationSubjectAlternativeNamesMatchObservation) DeepCopyInto(out *ListenerTLSValidationSubjectAlternativeNamesMatchObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSValidationSubjectAlternativeNamesMatchObservation.
@@ -3889,6 +5023,13 @@ func (in *ListenerTLSValidationSubjectAlternativeNamesMatchParameters) DeepCopy(
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSValidationSubjectAlternativeNamesObservation) DeepCopyInto(out *ListenerTLSValidationSubjectAlternativeNamesObservation) {
 	*out = *in
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]ListenerTLSValidationSubjectAlternativeNamesMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSValidationSubjectAlternativeNamesObservation.
@@ -3926,6 +5067,11 @@ func (in *ListenerTLSValidationSubjectAlternativeNamesParameters) DeepCopy() *Li
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSValidationTrustFileObservation) DeepCopyInto(out *ListenerTLSValidationTrustFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSValidationTrustFileObservation.
@@ -3961,6 +5107,20 @@ func (in *ListenerTLSValidationTrustFileParameters) DeepCopy() *ListenerTLSValid
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSValidationTrustObservation) DeepCopyInto(out *ListenerTLSValidationTrustObservation) {
 	*out = *in
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]ListenerTLSValidationTrustFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]ListenerTLSValidationTrustSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSValidationTrustObservation.
@@ -4005,6 +5165,11 @@ func (in *ListenerTLSValidationTrustParameters) DeepCopy() *ListenerTLSValidatio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTLSValidationTrustSdsObservation) DeepCopyInto(out *ListenerTLSValidationTrustSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTLSValidationTrustSdsObservation.
@@ -4040,6 +5205,34 @@ func (in *ListenerTLSValidationTrustSdsParameters) DeepCopy() *ListenerTLSValida
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerTimeoutObservation) DeepCopyInto(out *ListenerTimeoutObservation) {
 	*out = *in
+	if in.GRPC != nil {
+		in, out := &in.GRPC, &out.GRPC
+		*out = make([]TimeoutGRPCObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTP != nil {
+		in, out := &in.HTTP, &out.HTTP
+		*out = make([]TimeoutHTTPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Http2 != nil {
+		in, out := &in.Http2, &out.Http2
+		*out = make([]TimeoutHttp2Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TCP != nil {
+		in, out := &in.TCP, &out.TCP
+		*out = make([]TimeoutTCPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerTimeoutObservation.
@@ -4098,6 +5291,11 @@ func (in *ListenerTimeoutParameters) DeepCopy() *ListenerTimeoutParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingAccessLogFileObservation) DeepCopyInto(out *LoggingAccessLogFileObservation) {
 	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingAccessLogFileObservation.
@@ -4133,6 +5331,13 @@ func (in *LoggingAccessLogFileParameters) DeepCopy() *LoggingAccessLogFileParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingAccessLogObservation) DeepCopyInto(out *LoggingAccessLogObservation) {
 	*out = *in
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]LoggingAccessLogFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingAccessLogObservation.
@@ -4170,6 +5375,13 @@ func (in *LoggingAccessLogParameters) DeepCopy() *LoggingAccessLogParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingObservation) DeepCopyInto(out *LoggingObservation) {
 	*out = *in
+	if in.AccessLog != nil {
+		in, out := &in.AccessLog, &out.AccessLog
+		*out = make([]AccessLogObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingObservation.
@@ -4199,14 +5411,41 @@ func (in *LoggingParameters) DeepCopy() *LoggingParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(LoggingParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MatchHeaderMatchObservation) DeepCopyInto(out *MatchHeaderMatchObservation) {
-	*out = *in
+	out := new(LoggingParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MatchHeaderMatchObservation) DeepCopyInto(out *MatchHeaderMatchObservation) {
+	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Range != nil {
+		in, out := &in.Range, &out.Range
+		*out = make([]HeaderMatchRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Regex != nil {
+		in, out := &in.Regex, &out.Regex
+		*out = new(string)
+		**out = **in
+	}
+	if in.Suffix != nil {
+		in, out := &in.Suffix, &out.Suffix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchHeaderMatchObservation.
@@ -4264,6 +5503,23 @@ func (in *MatchHeaderMatchParameters) DeepCopy() *MatchHeaderMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MatchHeaderObservation) DeepCopyInto(out *MatchHeaderObservation) {
 	*out = *in
+	if in.Invert != nil {
+		in, out := &in.Invert, &out.Invert
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]MatchHeaderMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchHeaderObservation.
@@ -4311,6 +5567,16 @@ func (in *MatchHeaderParameters) DeepCopy() *MatchHeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MatchHostnameObservation) DeepCopyInto(out *MatchHostnameObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = new(string)
+		**out = **in
+	}
+	if in.Suffix != nil {
+		in, out := &in.Suffix, &out.Suffix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchHostnameObservation.
@@ -4351,6 +5617,16 @@ func (in *MatchHostnameParameters) DeepCopy() *MatchHostnameParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MatchObservation) DeepCopyInto(out *MatchObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchObservation.
@@ -4391,6 +5667,16 @@ func (in *MatchParameters) DeepCopy() *MatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MatchRangeObservation) DeepCopyInto(out *MatchRangeObservation) {
 	*out = *in
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchRangeObservation.
@@ -4520,6 +5806,28 @@ func (in *MeshObservation) DeepCopyInto(out *MeshObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = make([]MeshSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4609,6 +5917,13 @@ func (in *MeshSpec) DeepCopy() *MeshSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MeshSpecObservation) DeepCopyInto(out *MeshSpecObservation) {
 	*out = *in
+	if in.EgressFilter != nil {
+		in, out := &in.EgressFilter, &out.EgressFilter
+		*out = make([]EgressFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MeshSpecObservation.
@@ -4663,6 +5978,33 @@ func (in *MeshStatus) DeepCopy() *MeshStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetadataMatchObservation) DeepCopyInto(out *MetadataMatchObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Range != nil {
+		in, out := &in.Range, &out.Range
+		*out = make([]RangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Regex != nil {
+		in, out := &in.Regex, &out.Regex
+		*out = new(string)
+		**out = **in
+	}
+	if in.Suffix != nil {
+		in, out := &in.Suffix, &out.Suffix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetadataMatchObservation.
@@ -4720,6 +6062,23 @@ func (in *MetadataMatchParameters) DeepCopy() *MetadataMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetadataObservation) DeepCopyInto(out *MetadataObservation) {
 	*out = *in
+	if in.Invert != nil {
+		in, out := &in.Invert, &out.Invert
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]MetadataMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetadataObservation.
@@ -4767,6 +6126,30 @@ func (in *MetadataParameters) DeepCopy() *MetadataParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutlierDetectionObservation) DeepCopyInto(out *OutlierDetectionObservation) {
 	*out = *in
+	if in.BaseEjectionDuration != nil {
+		in, out := &in.BaseEjectionDuration, &out.BaseEjectionDuration
+		*out = make([]BaseEjectionDurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = make([]IntervalObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaxEjectionPercent != nil {
+		in, out := &in.MaxEjectionPercent, &out.MaxEjectionPercent
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxServerErrors != nil {
+		in, out := &in.MaxServerErrors, &out.MaxServerErrors
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutlierDetectionObservation.
@@ -4821,6 +6204,16 @@ func (in *OutlierDetectionParameters) DeepCopy() *OutlierDetectionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PerRequestObservation) DeepCopyInto(out *PerRequestObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PerRequestObservation.
@@ -4861,6 +6254,16 @@ func (in *PerRequestParameters) DeepCopy() *PerRequestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PerRetryTimeoutObservation) DeepCopyInto(out *PerRetryTimeoutObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PerRetryTimeoutObservation.
@@ -4901,6 +6304,16 @@ func (in *PerRetryTimeoutParameters) DeepCopy() *PerRetryTimeoutParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PortMappingObservation) DeepCopyInto(out *PortMappingObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortMappingObservation.
@@ -4941,6 +6354,16 @@ func (in *PortMappingParameters) DeepCopy() *PortMappingParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrefixObservation) DeepCopyInto(out *PrefixObservation) {
 	*out = *in
+	if in.DefaultPrefix != nil {
+		in, out := &in.DefaultPrefix, &out.DefaultPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixObservation.
@@ -4981,6 +6404,20 @@ func (in *PrefixParameters) DeepCopy() *PrefixParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderObservation) DeepCopyInto(out *ProviderObservation) {
 	*out = *in
+	if in.VirtualNode != nil {
+		in, out := &in.VirtualNode, &out.VirtualNode
+		*out = make([]ProviderVirtualNodeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VirtualRouter != nil {
+		in, out := &in.VirtualRouter, &out.VirtualRouter
+		*out = make([]ProviderVirtualRouterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderObservation.
@@ -5025,6 +6462,11 @@ func (in *ProviderParameters) DeepCopy() *ProviderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderVirtualNodeObservation) DeepCopyInto(out *ProviderVirtualNodeObservation) {
 	*out = *in
+	if in.VirtualNodeName != nil {
+		in, out := &in.VirtualNodeName, &out.VirtualNodeName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderVirtualNodeObservation.
@@ -5070,6 +6512,11 @@ func (in *ProviderVirtualNodeParameters) DeepCopy() *ProviderVirtualNodeParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderVirtualRouterObservation) DeepCopyInto(out *ProviderVirtualRouterObservation) {
 	*out = *in
+	if in.VirtualRouterName != nil {
+		in, out := &in.VirtualRouterName, &out.VirtualRouterName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderVirtualRouterObservation.
@@ -5115,6 +6562,16 @@ func (in *ProviderVirtualRouterParameters) DeepCopy() *ProviderVirtualRouterPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RangeObservation) DeepCopyInto(out *RangeObservation) {
 	*out = *in
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RangeObservation.
@@ -5155,6 +6612,51 @@ func (in *RangeParameters) DeepCopy() *RangeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RetryPolicyObservation) DeepCopyInto(out *RetryPolicyObservation) {
 	*out = *in
+	if in.GRPCRetryEvents != nil {
+		in, out := &in.GRPCRetryEvents, &out.GRPCRetryEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.HTTPRetryEvents != nil {
+		in, out := &in.HTTPRetryEvents, &out.HTTPRetryEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MaxRetries != nil {
+		in, out := &in.MaxRetries, &out.MaxRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PerRetryTimeout != nil {
+		in, out := &in.PerRetryTimeout, &out.PerRetryTimeout
+		*out = make([]PerRetryTimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TCPRetryEvents != nil {
+		in, out := &in.TCPRetryEvents, &out.TCPRetryEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetryPolicyObservation.
@@ -5230,6 +6732,16 @@ func (in *RetryPolicyParameters) DeepCopy() *RetryPolicyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RetryPolicyPerRetryTimeoutObservation) DeepCopyInto(out *RetryPolicyPerRetryTimeoutObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetryPolicyPerRetryTimeoutObservation.
@@ -5270,6 +6782,11 @@ func (in *RetryPolicyPerRetryTimeoutParameters) DeepCopy() *RetryPolicyPerRetryT
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RewriteHostnameObservation) DeepCopyInto(out *RewriteHostnameObservation) {
 	*out = *in
+	if in.DefaultTargetHostname != nil {
+		in, out := &in.DefaultTargetHostname, &out.DefaultTargetHostname
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RewriteHostnameObservation.
@@ -5305,6 +6822,20 @@ func (in *RewriteHostnameParameters) DeepCopy() *RewriteHostnameParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RewriteObservation) DeepCopyInto(out *RewriteObservation) {
 	*out = *in
+	if in.Hostname != nil {
+		in, out := &in.Hostname, &out.Hostname
+		*out = make([]HostnameObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = make([]PrefixObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RewriteObservation.
@@ -5349,6 +6880,16 @@ func (in *RewriteParameters) DeepCopy() *RewriteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RewritePrefixObservation) DeepCopyInto(out *RewritePrefixObservation) {
 	*out = *in
+	if in.DefaultPrefix != nil {
+		in, out := &in.DefaultPrefix, &out.DefaultPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RewritePrefixObservation.
@@ -5468,11 +7009,48 @@ func (in *RouteObservation) DeepCopyInto(out *RouteObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MeshName != nil {
+		in, out := &in.MeshName, &out.MeshName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MeshOwner != nil {
+		in, out := &in.MeshOwner, &out.MeshOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceOwner != nil {
 		in, out := &in.ResourceOwner, &out.ResourceOwner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = make([]RouteSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5488,6 +7066,11 @@ func (in *RouteObservation) DeepCopyInto(out *RouteObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VirtualRouterName != nil {
+		in, out := &in.VirtualRouterName, &out.VirtualRouterName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteObservation.
@@ -5602,6 +7185,39 @@ func (in *RouteSpec) DeepCopy() *RouteSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouteSpecObservation) DeepCopyInto(out *RouteSpecObservation) {
 	*out = *in
+	if in.GRPCRoute != nil {
+		in, out := &in.GRPCRoute, &out.GRPCRoute
+		*out = make([]SpecGRPCRouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTPRoute != nil {
+		in, out := &in.HTTPRoute, &out.HTTPRoute
+		*out = make([]SpecHTTPRouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Http2Route != nil {
+		in, out := &in.Http2Route, &out.Http2Route
+		*out = make([]SpecHttp2RouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TCPRoute != nil {
+		in, out := &in.TCPRoute, &out.TCPRoute
+		*out = make([]TCPRouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteSpecObservation.
@@ -5682,6 +7298,11 @@ func (in *RouteStatus) DeepCopy() *RouteStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SdsObservation) DeepCopyInto(out *SdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SdsObservation.
@@ -5717,6 +7338,20 @@ func (in *SdsParameters) DeepCopy() *SdsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceDiscoveryObservation) DeepCopyInto(out *ServiceDiscoveryObservation) {
 	*out = *in
+	if in.AwsCloudMap != nil {
+		in, out := &in.AwsCloudMap, &out.AwsCloudMap
+		*out = make([]AwsCloudMapObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DNS != nil {
+		in, out := &in.DNS, &out.DNS
+		*out = make([]DNSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceDiscoveryObservation.
@@ -5761,6 +7396,13 @@ func (in *ServiceDiscoveryParameters) DeepCopy() *ServiceDiscoveryParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecBackendDefaultsObservation) DeepCopyInto(out *SpecBackendDefaultsObservation) {
 	*out = *in
+	if in.ClientPolicy != nil {
+		in, out := &in.ClientPolicy, &out.ClientPolicy
+		*out = make([]BackendDefaultsClientPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecBackendDefaultsObservation.
@@ -5798,6 +7440,34 @@ func (in *SpecBackendDefaultsParameters) DeepCopy() *SpecBackendDefaultsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecGRPCRouteObservation) DeepCopyInto(out *SpecGRPCRouteObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]GRPCRouteActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]GRPCRouteMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryPolicy != nil {
+		in, out := &in.RetryPolicy, &out.RetryPolicy
+		*out = make([]RetryPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = make([]TimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecGRPCRouteObservation.
@@ -5856,6 +7526,13 @@ func (in *SpecGRPCRouteParameters) DeepCopy() *SpecGRPCRouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecHTTPRouteActionObservation) DeepCopyInto(out *SpecHTTPRouteActionObservation) {
 	*out = *in
+	if in.WeightedTarget != nil {
+		in, out := &in.WeightedTarget, &out.WeightedTarget
+		*out = make([]HTTPRouteActionWeightedTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHTTPRouteActionObservation.
@@ -5893,6 +7570,33 @@ func (in *SpecHTTPRouteActionParameters) DeepCopy() *SpecHTTPRouteActionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecHTTPRouteMatchObservation) DeepCopyInto(out *SpecHTTPRouteMatchObservation) {
 	*out = *in
+	if in.Header != nil {
+		in, out := &in.Header, &out.Header
+		*out = make([]MatchHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Method != nil {
+		in, out := &in.Method, &out.Method
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scheme != nil {
+		in, out := &in.Scheme, &out.Scheme
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHTTPRouteMatchObservation.
@@ -5950,6 +7654,34 @@ func (in *SpecHTTPRouteMatchParameters) DeepCopy() *SpecHTTPRouteMatchParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecHTTPRouteObservation) DeepCopyInto(out *SpecHTTPRouteObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]SpecHTTPRouteActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]SpecHTTPRouteMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryPolicy != nil {
+		in, out := &in.RetryPolicy, &out.RetryPolicy
+		*out = make([]HTTPRouteRetryPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = make([]HTTPRouteTimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHTTPRouteObservation.
@@ -6008,6 +7740,13 @@ func (in *SpecHTTPRouteParameters) DeepCopy() *SpecHTTPRouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecHttp2RouteActionObservation) DeepCopyInto(out *SpecHttp2RouteActionObservation) {
 	*out = *in
+	if in.WeightedTarget != nil {
+		in, out := &in.WeightedTarget, &out.WeightedTarget
+		*out = make([]ActionWeightedTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHttp2RouteActionObservation.
@@ -6030,21 +7769,48 @@ func (in *SpecHttp2RouteActionParameters) DeepCopyInto(out *SpecHttp2RouteAction
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHttp2RouteActionParameters.
-func (in *SpecHttp2RouteActionParameters) DeepCopy() *SpecHttp2RouteActionParameters {
-	if in == nil {
-		return nil
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHttp2RouteActionParameters.
+func (in *SpecHttp2RouteActionParameters) DeepCopy() *SpecHttp2RouteActionParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(SpecHttp2RouteActionParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SpecHttp2RouteMatchObservation) DeepCopyInto(out *SpecHttp2RouteMatchObservation) {
+	*out = *in
+	if in.Header != nil {
+		in, out := &in.Header, &out.Header
+		*out = make([]HeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Method != nil {
+		in, out := &in.Method, &out.Method
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scheme != nil {
+		in, out := &in.Scheme, &out.Scheme
+		*out = new(string)
+		**out = **in
 	}
-	out := new(SpecHttp2RouteActionParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SpecHttp2RouteMatchObservation) DeepCopyInto(out *SpecHttp2RouteMatchObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHttp2RouteMatchObservation.
@@ -6102,6 +7868,34 @@ func (in *SpecHttp2RouteMatchParameters) DeepCopy() *SpecHttp2RouteMatchParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecHttp2RouteObservation) DeepCopyInto(out *SpecHttp2RouteObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]SpecHttp2RouteActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]SpecHttp2RouteMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryPolicy != nil {
+		in, out := &in.RetryPolicy, &out.RetryPolicy
+		*out = make([]Http2RouteRetryPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = make([]Http2RouteTimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecHttp2RouteObservation.
@@ -6160,6 +7954,48 @@ func (in *SpecHttp2RouteParameters) DeepCopy() *SpecHttp2RouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecListenerObservation) DeepCopyInto(out *SpecListenerObservation) {
 	*out = *in
+	if in.ConnectionPool != nil {
+		in, out := &in.ConnectionPool, &out.ConnectionPool
+		*out = make([]ListenerConnectionPoolObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HealthCheck != nil {
+		in, out := &in.HealthCheck, &out.HealthCheck
+		*out = make([]ListenerHealthCheckObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutlierDetection != nil {
+		in, out := &in.OutlierDetection, &out.OutlierDetection
+		*out = make([]OutlierDetectionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PortMapping != nil {
+		in, out := &in.PortMapping, &out.PortMapping
+		*out = make([]ListenerPortMappingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = make([]SpecListenerTLSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = make([]ListenerTimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecListenerObservation.
@@ -6232,6 +8068,16 @@ func (in *SpecListenerParameters) DeepCopy() *SpecListenerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecListenerPortMappingObservation) DeepCopyInto(out *SpecListenerPortMappingObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecListenerPortMappingObservation.
@@ -6272,6 +8118,25 @@ func (in *SpecListenerPortMappingParameters) DeepCopy() *SpecListenerPortMapping
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecListenerTLSObservation) DeepCopyInto(out *SpecListenerTLSObservation) {
 	*out = *in
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = make([]ListenerTLSCertificateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Validation != nil {
+		in, out := &in.Validation, &out.Validation
+		*out = make([]ListenerTLSValidationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecListenerTLSObservation.
@@ -6321,6 +8186,13 @@ func (in *SpecListenerTLSParameters) DeepCopy() *SpecListenerTLSParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecLoggingObservation) DeepCopyInto(out *SpecLoggingObservation) {
 	*out = *in
+	if in.AccessLog != nil {
+		in, out := &in.AccessLog, &out.AccessLog
+		*out = make([]LoggingAccessLogObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecLoggingObservation.
@@ -6358,6 +8230,27 @@ func (in *SpecLoggingParameters) DeepCopy() *SpecLoggingParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpecObservation) DeepCopyInto(out *SpecObservation) {
 	*out = *in
+	if in.GRPCRoute != nil {
+		in, out := &in.GRPCRoute, &out.GRPCRoute
+		*out = make([]GRPCRouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTPRoute != nil {
+		in, out := &in.HTTPRoute, &out.HTTPRoute
+		*out = make([]HTTPRouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Http2Route != nil {
+		in, out := &in.Http2Route, &out.Http2Route
+		*out = make([]Http2RouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpecObservation.
@@ -6409,6 +8302,17 @@ func (in *SpecParameters) DeepCopy() *SpecParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubjectAlternativeNamesMatchObservation) DeepCopyInto(out *SubjectAlternativeNamesMatchObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAlternativeNamesMatchObservation.
@@ -6450,6 +8354,13 @@ func (in *SubjectAlternativeNamesMatchParameters) DeepCopy() *SubjectAlternative
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubjectAlternativeNamesObservation) DeepCopyInto(out *SubjectAlternativeNamesObservation) {
 	*out = *in
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]SubjectAlternativeNamesMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubjectAlternativeNamesObservation.
@@ -6487,6 +8398,16 @@ func (in *SubjectAlternativeNamesParameters) DeepCopy() *SubjectAlternativeNames
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPIdleObservation) DeepCopyInto(out *TCPIdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPIdleObservation.
@@ -6527,6 +8448,11 @@ func (in *TCPIdleParameters) DeepCopy() *TCPIdleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPObservation) DeepCopyInto(out *TCPObservation) {
 	*out = *in
+	if in.MaxConnections != nil {
+		in, out := &in.MaxConnections, &out.MaxConnections
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPObservation.
@@ -6562,6 +8488,13 @@ func (in *TCPParameters) DeepCopy() *TCPParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPRouteActionObservation) DeepCopyInto(out *TCPRouteActionObservation) {
 	*out = *in
+	if in.WeightedTarget != nil {
+		in, out := &in.WeightedTarget, &out.WeightedTarget
+		*out = make([]TCPRouteActionWeightedTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRouteActionObservation.
@@ -6599,6 +8532,21 @@ func (in *TCPRouteActionParameters) DeepCopy() *TCPRouteActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPRouteActionWeightedTargetObservation) DeepCopyInto(out *TCPRouteActionWeightedTargetObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VirtualNode != nil {
+		in, out := &in.VirtualNode, &out.VirtualNode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRouteActionWeightedTargetObservation.
@@ -6654,6 +8602,11 @@ func (in *TCPRouteActionWeightedTargetParameters) DeepCopy() *TCPRouteActionWeig
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPRouteMatchObservation) DeepCopyInto(out *TCPRouteMatchObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRouteMatchObservation.
@@ -6689,6 +8642,27 @@ func (in *TCPRouteMatchParameters) DeepCopy() *TCPRouteMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPRouteObservation) DeepCopyInto(out *TCPRouteObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]TCPRouteActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]TCPRouteMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = make([]TCPRouteTimeoutObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRouteObservation.
@@ -6740,6 +8714,16 @@ func (in *TCPRouteParameters) DeepCopy() *TCPRouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPRouteTimeoutIdleObservation) DeepCopyInto(out *TCPRouteTimeoutIdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRouteTimeoutIdleObservation.
@@ -6780,6 +8764,13 @@ func (in *TCPRouteTimeoutIdleParameters) DeepCopy() *TCPRouteTimeoutIdleParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPRouteTimeoutObservation) DeepCopyInto(out *TCPRouteTimeoutObservation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]TCPRouteTimeoutIdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPRouteTimeoutObservation.
@@ -6817,6 +8808,11 @@ func (in *TCPRouteTimeoutParameters) DeepCopy() *TCPRouteTimeoutParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSCertificateAcmObservation) DeepCopyInto(out *TLSCertificateAcmObservation) {
 	*out = *in
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSCertificateAcmObservation.
@@ -6852,6 +8848,16 @@ func (in *TLSCertificateAcmParameters) DeepCopy() *TLSCertificateAcmParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSCertificateFileObservation) DeepCopyInto(out *TLSCertificateFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateKey != nil {
+		in, out := &in.PrivateKey, &out.PrivateKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSCertificateFileObservation.
@@ -6892,6 +8898,27 @@ func (in *TLSCertificateFileParameters) DeepCopy() *TLSCertificateFileParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSCertificateObservation) DeepCopyInto(out *TLSCertificateObservation) {
 	*out = *in
+	if in.Acm != nil {
+		in, out := &in.Acm, &out.Acm
+		*out = make([]CertificateAcmObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]CertificateFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]CertificateSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSCertificateObservation.
@@ -6943,6 +8970,11 @@ func (in *TLSCertificateParameters) DeepCopy() *TLSCertificateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSCertificateSdsObservation) DeepCopyInto(out *TLSCertificateSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSCertificateSdsObservation.
@@ -6978,6 +9010,36 @@ func (in *TLSCertificateSdsParameters) DeepCopy() *TLSCertificateSdsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSObservation) DeepCopyInto(out *TLSObservation) {
 	*out = *in
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = make([]CertificateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enforce != nil {
+		in, out := &in.Enforce, &out.Enforce
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Validation != nil {
+		in, out := &in.Validation, &out.Validation
+		*out = make([]ValidationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSObservation.
@@ -7038,6 +9100,20 @@ func (in *TLSParameters) DeepCopy() *TLSParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSValidationObservation) DeepCopyInto(out *TLSValidationObservation) {
 	*out = *in
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]ValidationSubjectAlternativeNamesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Trust != nil {
+		in, out := &in.Trust, &out.Trust
+		*out = make([]ValidationTrustObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSValidationObservation.
@@ -7082,6 +9158,17 @@ func (in *TLSValidationParameters) DeepCopy() *TLSValidationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSValidationSubjectAlternativeNamesMatchObservation) DeepCopyInto(out *TLSValidationSubjectAlternativeNamesMatchObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSValidationSubjectAlternativeNamesMatchObservation.
@@ -7123,6 +9210,13 @@ func (in *TLSValidationSubjectAlternativeNamesMatchParameters) DeepCopy() *TLSVa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSValidationSubjectAlternativeNamesObservation) DeepCopyInto(out *TLSValidationSubjectAlternativeNamesObservation) {
 	*out = *in
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]TLSValidationSubjectAlternativeNamesMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSValidationSubjectAlternativeNamesObservation.
@@ -7160,6 +9254,11 @@ func (in *TLSValidationSubjectAlternativeNamesParameters) DeepCopy() *TLSValidat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSValidationTrustFileObservation) DeepCopyInto(out *TLSValidationTrustFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSValidationTrustFileObservation.
@@ -7195,6 +9294,27 @@ func (in *TLSValidationTrustFileParameters) DeepCopy() *TLSValidationTrustFilePa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSValidationTrustObservation) DeepCopyInto(out *TLSValidationTrustObservation) {
 	*out = *in
+	if in.Acm != nil {
+		in, out := &in.Acm, &out.Acm
+		*out = make([]TrustAcmObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]TLSValidationTrustFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]TLSValidationTrustSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSValidationTrustObservation.
@@ -7246,6 +9366,11 @@ func (in *TLSValidationTrustParameters) DeepCopy() *TLSValidationTrustParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSValidationTrustSdsObservation) DeepCopyInto(out *TLSValidationTrustSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSValidationTrustSdsObservation.
@@ -7281,6 +9406,13 @@ func (in *TLSValidationTrustSdsParameters) DeepCopy() *TLSValidationTrustSdsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 	*out = *in
+	if in.VirtualService != nil {
+		in, out := &in.VirtualService, &out.VirtualService
+		*out = make([]VirtualServiceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
@@ -7318,6 +9450,11 @@ func (in *TargetParameters) DeepCopy() *TargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetVirtualServiceObservation) DeepCopyInto(out *TargetVirtualServiceObservation) {
 	*out = *in
+	if in.VirtualServiceName != nil {
+		in, out := &in.VirtualServiceName, &out.VirtualServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetVirtualServiceObservation.
@@ -7353,6 +9490,20 @@ func (in *TargetVirtualServiceParameters) DeepCopy() *TargetVirtualServiceParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeoutGRPCObservation) DeepCopyInto(out *TimeoutGRPCObservation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]GRPCIdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PerRequest != nil {
+		in, out := &in.PerRequest, &out.PerRequest
+		*out = make([]GRPCPerRequestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeoutGRPCObservation.
@@ -7397,6 +9548,20 @@ func (in *TimeoutGRPCParameters) DeepCopy() *TimeoutGRPCParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeoutHTTPObservation) DeepCopyInto(out *TimeoutHTTPObservation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]HTTPIdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PerRequest != nil {
+		in, out := &in.PerRequest, &out.PerRequest
+		*out = make([]HTTPPerRequestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeoutHTTPObservation.
@@ -7441,6 +9606,20 @@ func (in *TimeoutHTTPParameters) DeepCopy() *TimeoutHTTPParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeoutHttp2Observation) DeepCopyInto(out *TimeoutHttp2Observation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]Http2IdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PerRequest != nil {
+		in, out := &in.PerRequest, &out.PerRequest
+		*out = make([]Http2PerRequestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeoutHttp2Observation.
@@ -7485,6 +9664,16 @@ func (in *TimeoutHttp2Parameters) DeepCopy() *TimeoutHttp2Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeoutIdleObservation) DeepCopyInto(out *TimeoutIdleObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeoutIdleObservation.
@@ -7525,6 +9714,20 @@ func (in *TimeoutIdleParameters) DeepCopy() *TimeoutIdleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeoutObservation) DeepCopyInto(out *TimeoutObservation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]IdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PerRequest != nil {
+		in, out := &in.PerRequest, &out.PerRequest
+		*out = make([]PerRequestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeoutObservation.
@@ -7569,6 +9772,16 @@ func (in *TimeoutParameters) DeepCopy() *TimeoutParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeoutPerRequestObservation) DeepCopyInto(out *TimeoutPerRequestObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeoutPerRequestObservation.
@@ -7609,6 +9822,13 @@ func (in *TimeoutPerRequestParameters) DeepCopy() *TimeoutPerRequestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeoutTCPObservation) DeepCopyInto(out *TimeoutTCPObservation) {
 	*out = *in
+	if in.Idle != nil {
+		in, out := &in.Idle, &out.Idle
+		*out = make([]TCPIdleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeoutTCPObservation.
@@ -7646,6 +9866,17 @@ func (in *TimeoutTCPParameters) DeepCopy() *TimeoutTCPParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrustAcmObservation) DeepCopyInto(out *TrustAcmObservation) {
 	*out = *in
+	if in.CertificateAuthorityArns != nil {
+		in, out := &in.CertificateAuthorityArns, &out.CertificateAuthorityArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustAcmObservation.
@@ -7687,6 +9918,11 @@ func (in *TrustAcmParameters) DeepCopy() *TrustAcmParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrustFileObservation) DeepCopyInto(out *TrustFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustFileObservation.
@@ -7722,6 +9958,27 @@ func (in *TrustFileParameters) DeepCopy() *TrustFileParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrustObservation) DeepCopyInto(out *TrustObservation) {
 	*out = *in
+	if in.Acm != nil {
+		in, out := &in.Acm, &out.Acm
+		*out = make([]AcmObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]TrustFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]TrustSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustObservation.
@@ -7773,6 +10030,11 @@ func (in *TrustParameters) DeepCopy() *TrustParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrustSdsObservation) DeepCopyInto(out *TrustSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrustSdsObservation.
@@ -7808,6 +10070,20 @@ func (in *TrustSdsParameters) DeepCopy() *TrustSdsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationObservation) DeepCopyInto(out *ValidationObservation) {
 	*out = *in
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]SubjectAlternativeNamesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Trust != nil {
+		in, out := &in.Trust, &out.Trust
+		*out = make([]TrustObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationObservation.
@@ -7852,6 +10128,17 @@ func (in *ValidationParameters) DeepCopy() *ValidationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationSubjectAlternativeNamesMatchObservation) DeepCopyInto(out *ValidationSubjectAlternativeNamesMatchObservation) {
 	*out = *in
+	if in.Exact != nil {
+		in, out := &in.Exact, &out.Exact
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationSubjectAlternativeNamesMatchObservation.
@@ -7893,6 +10180,13 @@ func (in *ValidationSubjectAlternativeNamesMatchParameters) DeepCopy() *Validati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationSubjectAlternativeNamesObservation) DeepCopyInto(out *ValidationSubjectAlternativeNamesObservation) {
 	*out = *in
+	if in.Match != nil {
+		in, out := &in.Match, &out.Match
+		*out = make([]ValidationSubjectAlternativeNamesMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationSubjectAlternativeNamesObservation.
@@ -7930,6 +10224,17 @@ func (in *ValidationSubjectAlternativeNamesParameters) DeepCopy() *ValidationSub
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationTrustAcmObservation) DeepCopyInto(out *ValidationTrustAcmObservation) {
 	*out = *in
+	if in.CertificateAuthorityArns != nil {
+		in, out := &in.CertificateAuthorityArns, &out.CertificateAuthorityArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationTrustAcmObservation.
@@ -7971,6 +10276,11 @@ func (in *ValidationTrustAcmParameters) DeepCopy() *ValidationTrustAcmParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationTrustFileObservation) DeepCopyInto(out *ValidationTrustFileObservation) {
 	*out = *in
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationTrustFileObservation.
@@ -8006,6 +10316,20 @@ func (in *ValidationTrustFileParameters) DeepCopy() *ValidationTrustFileParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationTrustObservation) DeepCopyInto(out *ValidationTrustObservation) {
 	*out = *in
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = make([]ValidationTrustFileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sds != nil {
+		in, out := &in.Sds, &out.Sds
+		*out = make([]ValidationTrustSdsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationTrustObservation.
@@ -8050,6 +10374,11 @@ func (in *ValidationTrustParameters) DeepCopy() *ValidationTrustParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValidationTrustSdsObservation) DeepCopyInto(out *ValidationTrustSdsObservation) {
 	*out = *in
+	if in.SecretName != nil {
+		in, out := &in.SecretName, &out.SecretName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValidationTrustSdsObservation.
@@ -8164,11 +10493,48 @@ func (in *VirtualGatewayObservation) DeepCopyInto(out *VirtualGatewayObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.MeshName != nil {
+		in, out := &in.MeshName, &out.MeshName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MeshOwner != nil {
+		in, out := &in.MeshOwner, &out.MeshOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceOwner != nil {
 		in, out := &in.ResourceOwner, &out.ResourceOwner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = make([]VirtualGatewaySpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -8273,6 +10639,27 @@ func (in *VirtualGatewaySpec) DeepCopy() *VirtualGatewaySpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualGatewaySpecObservation) DeepCopyInto(out *VirtualGatewaySpecObservation) {
 	*out = *in
+	if in.BackendDefaults != nil {
+		in, out := &in.BackendDefaults, &out.BackendDefaults
+		*out = make([]BackendDefaultsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Listener != nil {
+		in, out := &in.Listener, &out.Listener
+		*out = make([]ListenerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Logging != nil {
+		in, out := &in.Logging, &out.Logging
+		*out = make([]LoggingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualGatewaySpecObservation.
@@ -8420,11 +10807,48 @@ func (in *VirtualNodeObservation) DeepCopyInto(out *VirtualNodeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MeshName != nil {
+		in, out := &in.MeshName, &out.MeshName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MeshOwner != nil {
+		in, out := &in.MeshOwner, &out.MeshOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceOwner != nil {
 		in, out := &in.ResourceOwner, &out.ResourceOwner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = make([]VirtualNodeSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -8539,6 +10963,41 @@ func (in *VirtualNodeSpec) DeepCopy() *VirtualNodeSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualNodeSpecObservation) DeepCopyInto(out *VirtualNodeSpecObservation) {
 	*out = *in
+	if in.Backend != nil {
+		in, out := &in.Backend, &out.Backend
+		*out = make([]BackendObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BackendDefaults != nil {
+		in, out := &in.BackendDefaults, &out.BackendDefaults
+		*out = make([]SpecBackendDefaultsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Listener != nil {
+		in, out := &in.Listener, &out.Listener
+		*out = make([]SpecListenerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Logging != nil {
+		in, out := &in.Logging, &out.Logging
+		*out = make([]SpecLoggingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServiceDiscovery != nil {
+		in, out := &in.ServiceDiscovery, &out.ServiceDiscovery
+		*out = make([]ServiceDiscoveryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualNodeSpecObservation.
@@ -8700,11 +11159,48 @@ func (in *VirtualRouterObservation) DeepCopyInto(out *VirtualRouterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.MeshName != nil {
+		in, out := &in.MeshName, &out.MeshName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MeshOwner != nil {
+		in, out := &in.MeshOwner, &out.MeshOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceOwner != nil {
 		in, out := &in.ResourceOwner, &out.ResourceOwner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = make([]VirtualRouterSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -8819,6 +11315,13 @@ func (in *VirtualRouterSpec) DeepCopy() *VirtualRouterSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualRouterSpecListenerObservation) DeepCopyInto(out *VirtualRouterSpecListenerObservation) {
 	*out = *in
+	if in.PortMapping != nil {
+		in, out := &in.PortMapping, &out.PortMapping
+		*out = make([]SpecListenerPortMappingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualRouterSpecListenerObservation.
@@ -8856,6 +11359,13 @@ func (in *VirtualRouterSpecListenerParameters) DeepCopy() *VirtualRouterSpecList
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualRouterSpecObservation) DeepCopyInto(out *VirtualRouterSpecObservation) {
 	*out = *in
+	if in.Listener != nil {
+		in, out := &in.Listener, &out.Listener
+		*out = make([]VirtualRouterSpecListenerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualRouterSpecObservation.
@@ -8937,6 +11447,13 @@ func (in *VirtualService) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualServiceClientPolicyObservation) DeepCopyInto(out *VirtualServiceClientPolicyObservation) {
 	*out = *in
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = make([]ClientPolicyTLSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualServiceClientPolicyObservation.
@@ -9006,6 +11523,11 @@ func (in *VirtualServiceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualServiceObservation) DeepCopyInto(out *VirtualServiceObservation) {
 	*out = *in
+	if in.VirtualServiceName != nil {
+		in, out := &in.VirtualServiceName, &out.VirtualServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualServiceObservation.
@@ -9041,11 +11563,48 @@ func (in *VirtualServiceObservation_2) DeepCopyInto(out *VirtualServiceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.MeshName != nil {
+		in, out := &in.MeshName, &out.MeshName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MeshOwner != nil {
+		in, out := &in.MeshOwner, &out.MeshOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceOwner != nil {
 		in, out := &in.ResourceOwner, &out.ResourceOwner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = make([]VirtualServiceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -9180,6 +11739,13 @@ func (in *VirtualServiceSpec) DeepCopy() *VirtualServiceSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VirtualServiceSpecObservation) DeepCopyInto(out *VirtualServiceSpecObservation) {
 	*out = *in
+	if in.Provider != nil {
+		in, out := &in.Provider, &out.Provider
+		*out = make([]ProviderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualServiceSpecObservation.
@@ -9234,6 +11800,21 @@ func (in *VirtualServiceStatus) DeepCopy() *VirtualServiceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WeightedTargetObservation) DeepCopyInto(out *WeightedTargetObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VirtualNode != nil {
+		in, out := &in.VirtualNode, &out.VirtualNode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WeightedTargetObservation.
diff --git a/apis/appmesh/v1beta1/zz_mesh_types.go b/apis/appmesh/v1beta1/zz_mesh_types.go
index fa7af22047..026a32773a 100755
--- a/apis/appmesh/v1beta1/zz_mesh_types.go
+++ b/apis/appmesh/v1beta1/zz_mesh_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type EgressFilterObservation struct {
+
+	// Egress filter type. By default, the type is DROP_ALL.
+	// Valid values are ALLOW_ALL and DROP_ALL.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EgressFilterParameters struct {
@@ -44,6 +48,12 @@ type MeshObservation struct {
 	// Resource owner's AWS account ID.
 	ResourceOwner *string `json:"resourceOwner,omitempty" tf:"resource_owner,omitempty"`
 
+	// Service mesh specification to apply.
+	Spec []MeshSpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -65,6 +75,9 @@ type MeshParameters struct {
 }
 
 type MeshSpecObservation struct {
+
+	// Egress filter rules for the service mesh.
+	EgressFilter []EgressFilterObservation `json:"egressFilter,omitempty" tf:"egress_filter,omitempty"`
 }
 
 type MeshSpecParameters struct {
diff --git a/apis/appmesh/v1beta1/zz_route_types.go b/apis/appmesh/v1beta1/zz_route_types.go
index 35d1ec21a1..b7c14e51d2 100755
--- a/apis/appmesh/v1beta1/zz_route_types.go
+++ b/apis/appmesh/v1beta1/zz_route_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ActionWeightedTargetObservation struct {
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Virtual node to associate with the weighted target. Must be between 1 and 255 characters in length.
+	VirtualNode *string `json:"virtualNode,omitempty" tf:"virtual_node,omitempty"`
+
+	// Relative weight of the weighted target. An integer between 0 and 100.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type ActionWeightedTargetParameters struct {
@@ -32,6 +41,10 @@ type ActionWeightedTargetParameters struct {
 }
 
 type GRPCRouteActionObservation struct {
+
+	// Targets that traffic is routed to when a request matches the route.
+	// You can specify one or more targets and their relative weights with which to distribute traffic.
+	WeightedTarget []WeightedTargetObservation `json:"weightedTarget,omitempty" tf:"weighted_target,omitempty"`
 }
 
 type GRPCRouteActionParameters struct {
@@ -43,6 +56,21 @@ type GRPCRouteActionParameters struct {
 }
 
 type GRPCRouteMatchObservation struct {
+
+	// Data to match from the gRPC request.
+	Metadata []MetadataObservation `json:"metadata,omitempty" tf:"metadata,omitempty"`
+
+	// Method name to match from the request. If you specify a name, you must also specify a service_name.
+	MethodName *string `json:"methodName,omitempty" tf:"method_name,omitempty"`
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Value sent by the client must begin with the specified characters. Must be between 1 and 255 characters in length.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Fully qualified domain name for the service to match from the request.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
 }
 
 type GRPCRouteMatchParameters struct {
@@ -69,6 +97,15 @@ type GRPCRouteMatchParameters struct {
 }
 
 type HTTPRouteActionWeightedTargetObservation struct {
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Virtual node to associate with the weighted target. Must be between 1 and 255 characters in length.
+	VirtualNode *string `json:"virtualNode,omitempty" tf:"virtual_node,omitempty"`
+
+	// Relative weight of the weighted target. An integer between 0 and 100.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type HTTPRouteActionWeightedTargetParameters struct {
@@ -97,6 +134,19 @@ type HTTPRouteActionWeightedTargetParameters struct {
 }
 
 type HTTPRouteRetryPolicyObservation struct {
+
+	// List of HTTP retry events.
+	// Valid values: client-error (HTTP status code 409), gateway-error (HTTP status codes 502, 503, and 504), server-error (HTTP status codes 500, 501, 502, 503, 504, 505, 506, 507, 508, 510, and 511), stream-error (retry on refused stream).
+	HTTPRetryEvents []*string `json:"httpRetryEvents,omitempty" tf:"http_retry_events,omitempty"`
+
+	// Maximum number of retries.
+	MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"`
+
+	// Per-retry timeout.
+	PerRetryTimeout []HTTPRouteRetryPolicyPerRetryTimeoutObservation `json:"perRetryTimeout,omitempty" tf:"per_retry_timeout,omitempty"`
+
+	// List of TCP retry events. The only valid value is connection-error.
+	TCPRetryEvents []*string `json:"tcpRetryEvents,omitempty" tf:"tcp_retry_events,omitempty"`
 }
 
 type HTTPRouteRetryPolicyParameters struct {
@@ -120,6 +170,12 @@ type HTTPRouteRetryPolicyParameters struct {
 }
 
 type HTTPRouteRetryPolicyPerRetryTimeoutObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type HTTPRouteRetryPolicyPerRetryTimeoutParameters struct {
@@ -134,6 +190,12 @@ type HTTPRouteRetryPolicyPerRetryTimeoutParameters struct {
 }
 
 type HTTPRouteTimeoutIdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type HTTPRouteTimeoutIdleParameters struct {
@@ -148,6 +210,12 @@ type HTTPRouteTimeoutIdleParameters struct {
 }
 
 type HTTPRouteTimeoutObservation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []HTTPRouteTimeoutIdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
+
+	// Per request timeout.
+	PerRequest []HTTPRouteTimeoutPerRequestObservation `json:"perRequest,omitempty" tf:"per_request,omitempty"`
 }
 
 type HTTPRouteTimeoutParameters struct {
@@ -162,6 +230,12 @@ type HTTPRouteTimeoutParameters struct {
 }
 
 type HTTPRouteTimeoutPerRequestObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type HTTPRouteTimeoutPerRequestParameters struct {
@@ -176,6 +250,21 @@ type HTTPRouteTimeoutPerRequestParameters struct {
 }
 
 type HeaderMatchObservation struct {
+
+	// Value sent by the client must match the specified value exactly. Must be between 1 and 255 characters in length.
+	Exact *string `json:"exact,omitempty" tf:"exact,omitempty"`
+
+	// Value sent by the client must begin with the specified characters. Must be between 1 and 255 characters in length.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Object that specifies the range of numbers that the value sent by the client must be included in.
+	Range []MatchRangeObservation `json:"range,omitempty" tf:"range,omitempty"`
+
+	// Value sent by the client must include the specified characters. Must be between 1 and 255 characters in length.
+	Regex *string `json:"regex,omitempty" tf:"regex,omitempty"`
+
+	// Value sent by the client must end with the specified characters. Must be between 1 and 255 characters in length.
+	Suffix *string `json:"suffix,omitempty" tf:"suffix,omitempty"`
 }
 
 type HeaderMatchParameters struct {
@@ -202,6 +291,12 @@ type HeaderMatchParameters struct {
 }
 
 type HeaderMatchRangeObservation struct {
+
+	// End of the range.
+	End *float64 `json:"end,omitempty" tf:"end,omitempty"`
+
+	// (Requited) Start of the range.
+	Start *float64 `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type HeaderMatchRangeParameters struct {
@@ -216,6 +311,15 @@ type HeaderMatchRangeParameters struct {
 }
 
 type HeaderObservation struct {
+
+	// If true, the match is on the opposite of the match criteria. Default is false.
+	Invert *bool `json:"invert,omitempty" tf:"invert,omitempty"`
+
+	// Criteria for determining an gRPC request match.
+	Match []HeaderMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
+
+	// Name to use for the route. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type HeaderParameters struct {
@@ -234,6 +338,19 @@ type HeaderParameters struct {
 }
 
 type Http2RouteRetryPolicyObservation struct {
+
+	// List of HTTP retry events.
+	// Valid values: client-error (HTTP status code 409), gateway-error (HTTP status codes 502, 503, and 504), server-error (HTTP status codes 500, 501, 502, 503, 504, 505, 506, 507, 508, 510, and 511), stream-error (retry on refused stream).
+	HTTPRetryEvents []*string `json:"httpRetryEvents,omitempty" tf:"http_retry_events,omitempty"`
+
+	// Maximum number of retries.
+	MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"`
+
+	// Per-retry timeout.
+	PerRetryTimeout []RetryPolicyPerRetryTimeoutObservation `json:"perRetryTimeout,omitempty" tf:"per_retry_timeout,omitempty"`
+
+	// List of TCP retry events. The only valid value is connection-error.
+	TCPRetryEvents []*string `json:"tcpRetryEvents,omitempty" tf:"tcp_retry_events,omitempty"`
 }
 
 type Http2RouteRetryPolicyParameters struct {
@@ -257,6 +374,12 @@ type Http2RouteRetryPolicyParameters struct {
 }
 
 type Http2RouteTimeoutObservation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []TimeoutIdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
+
+	// Per request timeout.
+	PerRequest []TimeoutPerRequestObservation `json:"perRequest,omitempty" tf:"per_request,omitempty"`
 }
 
 type Http2RouteTimeoutParameters struct {
@@ -271,6 +394,12 @@ type Http2RouteTimeoutParameters struct {
 }
 
 type IdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type IdleParameters struct {
@@ -285,6 +414,21 @@ type IdleParameters struct {
 }
 
 type MatchHeaderMatchObservation struct {
+
+	// Value sent by the client must match the specified value exactly. Must be between 1 and 255 characters in length.
+	Exact *string `json:"exact,omitempty" tf:"exact,omitempty"`
+
+	// Value sent by the client must begin with the specified characters. Must be between 1 and 255 characters in length.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Object that specifies the range of numbers that the value sent by the client must be included in.
+	Range []HeaderMatchRangeObservation `json:"range,omitempty" tf:"range,omitempty"`
+
+	// Value sent by the client must include the specified characters. Must be between 1 and 255 characters in length.
+	Regex *string `json:"regex,omitempty" tf:"regex,omitempty"`
+
+	// Value sent by the client must end with the specified characters. Must be between 1 and 255 characters in length.
+	Suffix *string `json:"suffix,omitempty" tf:"suffix,omitempty"`
 }
 
 type MatchHeaderMatchParameters struct {
@@ -311,6 +455,15 @@ type MatchHeaderMatchParameters struct {
 }
 
 type MatchHeaderObservation struct {
+
+	// If true, the match is on the opposite of the match criteria. Default is false.
+	Invert *bool `json:"invert,omitempty" tf:"invert,omitempty"`
+
+	// Criteria for determining an gRPC request match.
+	Match []MatchHeaderMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
+
+	// Name to use for the route. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type MatchHeaderParameters struct {
@@ -329,6 +482,12 @@ type MatchHeaderParameters struct {
 }
 
 type MatchRangeObservation struct {
+
+	// End of the range.
+	End *float64 `json:"end,omitempty" tf:"end,omitempty"`
+
+	// (Requited) Start of the range.
+	Start *float64 `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type MatchRangeParameters struct {
@@ -343,6 +502,21 @@ type MatchRangeParameters struct {
 }
 
 type MetadataMatchObservation struct {
+
+	// Value sent by the client must match the specified value exactly. Must be between 1 and 255 characters in length.
+	Exact *string `json:"exact,omitempty" tf:"exact,omitempty"`
+
+	// Value sent by the client must begin with the specified characters. Must be between 1 and 255 characters in length.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Object that specifies the range of numbers that the value sent by the client must be included in.
+	Range []RangeObservation `json:"range,omitempty" tf:"range,omitempty"`
+
+	// Value sent by the client must include the specified characters. Must be between 1 and 255 characters in length.
+	Regex *string `json:"regex,omitempty" tf:"regex,omitempty"`
+
+	// Value sent by the client must end with the specified characters. Must be between 1 and 255 characters in length.
+	Suffix *string `json:"suffix,omitempty" tf:"suffix,omitempty"`
 }
 
 type MetadataMatchParameters struct {
@@ -369,6 +543,15 @@ type MetadataMatchParameters struct {
 }
 
 type MetadataObservation struct {
+
+	// If true, the match is on the opposite of the match criteria. Default is false.
+	Invert *bool `json:"invert,omitempty" tf:"invert,omitempty"`
+
+	// Criteria for determining an gRPC request match.
+	Match []MetadataMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
+
+	// Name to use for the route. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type MetadataParameters struct {
@@ -387,6 +570,12 @@ type MetadataParameters struct {
 }
 
 type PerRequestObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type PerRequestParameters struct {
@@ -401,6 +590,12 @@ type PerRequestParameters struct {
 }
 
 type PerRetryTimeoutObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type PerRetryTimeoutParameters struct {
@@ -415,6 +610,12 @@ type PerRetryTimeoutParameters struct {
 }
 
 type RangeObservation struct {
+
+	// End of the range.
+	End *float64 `json:"end,omitempty" tf:"end,omitempty"`
+
+	// (Requited) Start of the range.
+	Start *float64 `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type RangeParameters struct {
@@ -429,6 +630,23 @@ type RangeParameters struct {
 }
 
 type RetryPolicyObservation struct {
+
+	// List of gRPC retry events.
+	// Valid values: cancelled, deadline-exceeded, internal, resource-exhausted, unavailable.
+	GRPCRetryEvents []*string `json:"grpcRetryEvents,omitempty" tf:"grpc_retry_events,omitempty"`
+
+	// List of HTTP retry events.
+	// Valid values: client-error (HTTP status code 409), gateway-error (HTTP status codes 502, 503, and 504), server-error (HTTP status codes 500, 501, 502, 503, 504, 505, 506, 507, 508, 510, and 511), stream-error (retry on refused stream).
+	HTTPRetryEvents []*string `json:"httpRetryEvents,omitempty" tf:"http_retry_events,omitempty"`
+
+	// Maximum number of retries.
+	MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"`
+
+	// Per-retry timeout.
+	PerRetryTimeout []PerRetryTimeoutObservation `json:"perRetryTimeout,omitempty" tf:"per_retry_timeout,omitempty"`
+
+	// List of TCP retry events. The only valid value is connection-error.
+	TCPRetryEvents []*string `json:"tcpRetryEvents,omitempty" tf:"tcp_retry_events,omitempty"`
 }
 
 type RetryPolicyParameters struct {
@@ -457,6 +675,12 @@ type RetryPolicyParameters struct {
 }
 
 type RetryPolicyPerRetryTimeoutObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type RetryPolicyPerRetryTimeoutParameters struct {
@@ -484,11 +708,29 @@ type RouteObservation struct {
 	// Last update date of the route.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Name of the service mesh in which to create the route. Must be between 1 and 255 characters in length.
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
+
+	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
+	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
+
+	// Name to use for the route. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Resource owner's AWS account ID.
 	ResourceOwner *string `json:"resourceOwner,omitempty" tf:"resource_owner,omitempty"`
 
+	// Route specification to apply.
+	Spec []RouteSpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Name of the virtual router in which to create the route. Must be between 1 and 255 characters in length.
+	VirtualRouterName *string `json:"virtualRouterName,omitempty" tf:"virtual_router_name,omitempty"`
 }
 
 type RouteParameters struct {
@@ -512,8 +754,8 @@ type RouteParameters struct {
 	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
 
 	// Name to use for the route. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -521,8 +763,8 @@ type RouteParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Route specification to apply.
-	// +kubebuilder:validation:Required
-	Spec []RouteSpecParameters `json:"spec" tf:"spec,omitempty"`
+	// +kubebuilder:validation:Optional
+	Spec []RouteSpecParameters `json:"spec,omitempty" tf:"spec,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -544,6 +786,22 @@ type RouteParameters struct {
 }
 
 type RouteSpecObservation struct {
+
+	// GRPC routing information for the route.
+	GRPCRoute []SpecGRPCRouteObservation `json:"grpcRoute,omitempty" tf:"grpc_route,omitempty"`
+
+	// HTTP routing information for the route.
+	HTTPRoute []SpecHTTPRouteObservation `json:"httpRoute,omitempty" tf:"http_route,omitempty"`
+
+	// HTTP/2 routing information for the route.
+	Http2Route []SpecHttp2RouteObservation `json:"http2Route,omitempty" tf:"http2_route,omitempty"`
+
+	// Priority for the route, between 0 and 1000.
+	// Routes are matched based on the specified value, where 0 is the highest priority.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// TCP routing information for the route.
+	TCPRoute []TCPRouteObservation `json:"tcpRoute,omitempty" tf:"tcp_route,omitempty"`
 }
 
 type RouteSpecParameters struct {
@@ -571,6 +829,18 @@ type RouteSpecParameters struct {
 }
 
 type SpecGRPCRouteObservation struct {
+
+	// Action to take if a match is determined.
+	Action []GRPCRouteActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Criteria for determining an gRPC request match.
+	Match []GRPCRouteMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
+
+	// Retry policy.
+	RetryPolicy []RetryPolicyObservation `json:"retryPolicy,omitempty" tf:"retry_policy,omitempty"`
+
+	// Types of timeouts.
+	Timeout []TimeoutObservation `json:"timeout,omitempty" tf:"timeout,omitempty"`
 }
 
 type SpecGRPCRouteParameters struct {
@@ -593,6 +863,10 @@ type SpecGRPCRouteParameters struct {
 }
 
 type SpecHTTPRouteActionObservation struct {
+
+	// Targets that traffic is routed to when a request matches the route.
+	// You can specify one or more targets and their relative weights with which to distribute traffic.
+	WeightedTarget []HTTPRouteActionWeightedTargetObservation `json:"weightedTarget,omitempty" tf:"weighted_target,omitempty"`
 }
 
 type SpecHTTPRouteActionParameters struct {
@@ -604,6 +878,21 @@ type SpecHTTPRouteActionParameters struct {
 }
 
 type SpecHTTPRouteMatchObservation struct {
+
+	// Client request headers to match on.
+	Header []MatchHeaderObservation `json:"header,omitempty" tf:"header,omitempty"`
+
+	// Client request header method to match on. Valid values: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH.
+	Method *string `json:"method,omitempty" tf:"method,omitempty"`
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Value sent by the client must begin with the specified characters. Must be between 1 and 255 characters in length.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Client request header scheme to match on. Valid values: http, https.
+	Scheme *string `json:"scheme,omitempty" tf:"scheme,omitempty"`
 }
 
 type SpecHTTPRouteMatchParameters struct {
@@ -630,6 +919,18 @@ type SpecHTTPRouteMatchParameters struct {
 }
 
 type SpecHTTPRouteObservation struct {
+
+	// Action to take if a match is determined.
+	Action []SpecHTTPRouteActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Criteria for determining an gRPC request match.
+	Match []SpecHTTPRouteMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
+
+	// Retry policy.
+	RetryPolicy []HTTPRouteRetryPolicyObservation `json:"retryPolicy,omitempty" tf:"retry_policy,omitempty"`
+
+	// Types of timeouts.
+	Timeout []HTTPRouteTimeoutObservation `json:"timeout,omitempty" tf:"timeout,omitempty"`
 }
 
 type SpecHTTPRouteParameters struct {
@@ -652,6 +953,10 @@ type SpecHTTPRouteParameters struct {
 }
 
 type SpecHttp2RouteActionObservation struct {
+
+	// Targets that traffic is routed to when a request matches the route.
+	// You can specify one or more targets and their relative weights with which to distribute traffic.
+	WeightedTarget []ActionWeightedTargetObservation `json:"weightedTarget,omitempty" tf:"weighted_target,omitempty"`
 }
 
 type SpecHttp2RouteActionParameters struct {
@@ -663,6 +968,21 @@ type SpecHttp2RouteActionParameters struct {
 }
 
 type SpecHttp2RouteMatchObservation struct {
+
+	// Client request headers to match on.
+	Header []HeaderObservation `json:"header,omitempty" tf:"header,omitempty"`
+
+	// Client request header method to match on. Valid values: GET, HEAD, POST, PUT, DELETE, CONNECT, OPTIONS, TRACE, PATCH.
+	Method *string `json:"method,omitempty" tf:"method,omitempty"`
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Value sent by the client must begin with the specified characters. Must be between 1 and 255 characters in length.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Client request header scheme to match on. Valid values: http, https.
+	Scheme *string `json:"scheme,omitempty" tf:"scheme,omitempty"`
 }
 
 type SpecHttp2RouteMatchParameters struct {
@@ -689,6 +1009,18 @@ type SpecHttp2RouteMatchParameters struct {
 }
 
 type SpecHttp2RouteObservation struct {
+
+	// Action to take if a match is determined.
+	Action []SpecHttp2RouteActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Criteria for determining an gRPC request match.
+	Match []SpecHttp2RouteMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
+
+	// Retry policy.
+	RetryPolicy []Http2RouteRetryPolicyObservation `json:"retryPolicy,omitempty" tf:"retry_policy,omitempty"`
+
+	// Types of timeouts.
+	Timeout []Http2RouteTimeoutObservation `json:"timeout,omitempty" tf:"timeout,omitempty"`
 }
 
 type SpecHttp2RouteParameters struct {
@@ -711,6 +1043,10 @@ type SpecHttp2RouteParameters struct {
 }
 
 type TCPRouteActionObservation struct {
+
+	// Targets that traffic is routed to when a request matches the route.
+	// You can specify one or more targets and their relative weights with which to distribute traffic.
+	WeightedTarget []TCPRouteActionWeightedTargetObservation `json:"weightedTarget,omitempty" tf:"weighted_target,omitempty"`
 }
 
 type TCPRouteActionParameters struct {
@@ -722,6 +1058,15 @@ type TCPRouteActionParameters struct {
 }
 
 type TCPRouteActionWeightedTargetObservation struct {
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Virtual node to associate with the weighted target. Must be between 1 and 255 characters in length.
+	VirtualNode *string `json:"virtualNode,omitempty" tf:"virtual_node,omitempty"`
+
+	// Relative weight of the weighted target. An integer between 0 and 100.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type TCPRouteActionWeightedTargetParameters struct {
@@ -750,6 +1095,9 @@ type TCPRouteActionWeightedTargetParameters struct {
 }
 
 type TCPRouteMatchObservation struct {
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 }
 
 type TCPRouteMatchParameters struct {
@@ -760,6 +1108,15 @@ type TCPRouteMatchParameters struct {
 }
 
 type TCPRouteObservation struct {
+
+	// Action to take if a match is determined.
+	Action []TCPRouteActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Criteria for determining an gRPC request match.
+	Match []TCPRouteMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
+
+	// Types of timeouts.
+	Timeout []TCPRouteTimeoutObservation `json:"timeout,omitempty" tf:"timeout,omitempty"`
 }
 
 type TCPRouteParameters struct {
@@ -778,6 +1135,12 @@ type TCPRouteParameters struct {
 }
 
 type TCPRouteTimeoutIdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TCPRouteTimeoutIdleParameters struct {
@@ -792,6 +1155,9 @@ type TCPRouteTimeoutIdleParameters struct {
 }
 
 type TCPRouteTimeoutObservation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []TCPRouteTimeoutIdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
 }
 
 type TCPRouteTimeoutParameters struct {
@@ -802,6 +1168,12 @@ type TCPRouteTimeoutParameters struct {
 }
 
 type TimeoutIdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TimeoutIdleParameters struct {
@@ -816,6 +1188,12 @@ type TimeoutIdleParameters struct {
 }
 
 type TimeoutObservation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []IdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
+
+	// Per request timeout.
+	PerRequest []PerRequestObservation `json:"perRequest,omitempty" tf:"per_request,omitempty"`
 }
 
 type TimeoutParameters struct {
@@ -830,6 +1208,12 @@ type TimeoutParameters struct {
 }
 
 type TimeoutPerRequestObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TimeoutPerRequestParameters struct {
@@ -844,6 +1228,15 @@ type TimeoutPerRequestParameters struct {
 }
 
 type WeightedTargetObservation struct {
+
+	// The port number to match from the request.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Virtual node to associate with the weighted target. Must be between 1 and 255 characters in length.
+	VirtualNode *string `json:"virtualNode,omitempty" tf:"virtual_node,omitempty"`
+
+	// Relative weight of the weighted target. An integer between 0 and 100.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type WeightedTargetParameters struct {
@@ -885,8 +1278,10 @@ type RouteStatus struct {
 type Route struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RouteSpec   `json:"spec"`
-	Status            RouteStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)",message="spec is a required parameter"
+	Spec   RouteSpec   `json:"spec"`
+	Status RouteStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appmesh/v1beta1/zz_virtualgateway_types.go b/apis/appmesh/v1beta1/zz_virtualgateway_types.go
index c426ec52df..e4998a9f54 100755
--- a/apis/appmesh/v1beta1/zz_virtualgateway_types.go
+++ b/apis/appmesh/v1beta1/zz_virtualgateway_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AccessLogFileObservation struct {
+
+	// File path to write access logs to. You can use /dev/stdout to send access logs to standard out. Must be between 1 and 255 characters in length.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 }
 
 type AccessLogFileParameters struct {
@@ -24,6 +27,9 @@ type AccessLogFileParameters struct {
 }
 
 type AccessLogObservation struct {
+
+	// Local file certificate.
+	File []AccessLogFileObservation `json:"file,omitempty" tf:"file,omitempty"`
 }
 
 type AccessLogParameters struct {
@@ -34,6 +40,9 @@ type AccessLogParameters struct {
 }
 
 type AcmObservation struct {
+
+	// One or more ACM ARNs.
+	CertificateAuthorityArns []*string `json:"certificateAuthorityArns,omitempty" tf:"certificate_authority_arns,omitempty"`
 }
 
 type AcmParameters struct {
@@ -44,6 +53,9 @@ type AcmParameters struct {
 }
 
 type BackendDefaultsObservation struct {
+
+	// Default client policy for virtual gateway backends.
+	ClientPolicy []ClientPolicyObservation `json:"clientPolicy,omitempty" tf:"client_policy,omitempty"`
 }
 
 type BackendDefaultsParameters struct {
@@ -54,6 +66,9 @@ type BackendDefaultsParameters struct {
 }
 
 type CertificateAcmObservation struct {
+
+	// ARN for the certificate.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
 }
 
 type CertificateAcmParameters struct {
@@ -74,6 +89,12 @@ type CertificateAcmParameters struct {
 }
 
 type CertificateFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
+	// Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.
+	PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"`
 }
 
 type CertificateFileParameters struct {
@@ -88,6 +109,12 @@ type CertificateFileParameters struct {
 }
 
 type CertificateObservation struct {
+
+	// Local file certificate.
+	File []FileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []SdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type CertificateParameters struct {
@@ -102,6 +129,9 @@ type CertificateParameters struct {
 }
 
 type CertificateSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type CertificateSdsParameters struct {
@@ -112,6 +142,9 @@ type CertificateSdsParameters struct {
 }
 
 type ClientPolicyObservation struct {
+
+	// Transport Layer Security (TLS) client policy.
+	TLS []TLSObservation `json:"tls,omitempty" tf:"tls,omitempty"`
 }
 
 type ClientPolicyParameters struct {
@@ -122,6 +155,15 @@ type ClientPolicyParameters struct {
 }
 
 type ConnectionPoolObservation struct {
+
+	// Connection pool information for gRPC listeners.
+	GRPC []GRPCObservation `json:"grpc,omitempty" tf:"grpc,omitempty"`
+
+	// Connection pool information for HTTP listeners.
+	HTTP []HTTPObservation `json:"http,omitempty" tf:"http,omitempty"`
+
+	// Connection pool information for HTTP2 listeners.
+	Http2 []Http2Observation `json:"http2,omitempty" tf:"http2,omitempty"`
 }
 
 type ConnectionPoolParameters struct {
@@ -140,6 +182,12 @@ type ConnectionPoolParameters struct {
 }
 
 type FileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
+	// Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.
+	PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"`
 }
 
 type FileParameters struct {
@@ -154,6 +202,9 @@ type FileParameters struct {
 }
 
 type GRPCObservation struct {
+
+	// Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of 1.
+	MaxRequests *float64 `json:"maxRequests,omitempty" tf:"max_requests,omitempty"`
 }
 
 type GRPCParameters struct {
@@ -164,6 +215,12 @@ type GRPCParameters struct {
 }
 
 type HTTPObservation struct {
+
+	// Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in upstream cluster. Minimum value of 1.
+	MaxConnections *float64 `json:"maxConnections,omitempty" tf:"max_connections,omitempty"`
+
+	// Number of overflowing requests after max_connections Envoy will queue to upstream cluster. Minimum value of 1.
+	MaxPendingRequests *float64 `json:"maxPendingRequests,omitempty" tf:"max_pending_requests,omitempty"`
 }
 
 type HTTPParameters struct {
@@ -178,6 +235,27 @@ type HTTPParameters struct {
 }
 
 type HealthCheckObservation struct {
+
+	// Number of consecutive successful health checks that must occur before declaring listener healthy.
+	HealthyThreshold *float64 `json:"healthyThreshold,omitempty" tf:"healthy_threshold,omitempty"`
+
+	// Time period in milliseconds between each health check execution.
+	IntervalMillis *float64 `json:"intervalMillis,omitempty" tf:"interval_millis,omitempty"`
+
+	// File path to write access logs to. You can use /dev/stdout to send access logs to standard out. Must be between 1 and 255 characters in length.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Port used for the port mapping.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol used for the port mapping. Valid values are http, http2, tcp and grpc.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Amount of time to wait when receiving a response from the health check, in milliseconds.
+	TimeoutMillis *float64 `json:"timeoutMillis,omitempty" tf:"timeout_millis,omitempty"`
+
+	// Number of consecutive failed health checks that must occur before declaring a virtual gateway unhealthy.
+	UnhealthyThreshold *float64 `json:"unhealthyThreshold,omitempty" tf:"unhealthy_threshold,omitempty"`
 }
 
 type HealthCheckParameters struct {
@@ -212,6 +290,9 @@ type HealthCheckParameters struct {
 }
 
 type Http2Observation struct {
+
+	// Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of 1.
+	MaxRequests *float64 `json:"maxRequests,omitempty" tf:"max_requests,omitempty"`
 }
 
 type Http2Parameters struct {
@@ -222,6 +303,18 @@ type Http2Parameters struct {
 }
 
 type ListenerObservation struct {
+
+	// Connection pool information for the listener.
+	ConnectionPool []ConnectionPoolObservation `json:"connectionPool,omitempty" tf:"connection_pool,omitempty"`
+
+	// Health check information for the listener.
+	HealthCheck []HealthCheckObservation `json:"healthCheck,omitempty" tf:"health_check,omitempty"`
+
+	// Port mapping information for the listener.
+	PortMapping []PortMappingObservation `json:"portMapping,omitempty" tf:"port_mapping,omitempty"`
+
+	// Transport Layer Security (TLS) client policy.
+	TLS []ListenerTLSObservation `json:"tls,omitempty" tf:"tls,omitempty"`
 }
 
 type ListenerParameters struct {
@@ -244,6 +337,15 @@ type ListenerParameters struct {
 }
 
 type ListenerTLSObservation struct {
+
+	// Virtual gateway's client's Transport Layer Security (TLS) certificate.
+	Certificate []TLSCertificateObservation `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+	// Listener's TLS mode. Valid values: DISABLED, PERMISSIVE, STRICT.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// TLS validation context.
+	Validation []TLSValidationObservation `json:"validation,omitempty" tf:"validation,omitempty"`
 }
 
 type ListenerTLSParameters struct {
@@ -262,6 +364,9 @@ type ListenerTLSParameters struct {
 }
 
 type LoggingObservation struct {
+
+	// Access log configuration for a virtual gateway.
+	AccessLog []AccessLogObservation `json:"accessLog,omitempty" tf:"access_log,omitempty"`
 }
 
 type LoggingParameters struct {
@@ -272,6 +377,12 @@ type LoggingParameters struct {
 }
 
 type PortMappingObservation struct {
+
+	// Port used for the port mapping.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol used for the port mapping. Valid values are http, http2, tcp and grpc.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 }
 
 type PortMappingParameters struct {
@@ -286,6 +397,9 @@ type PortMappingParameters struct {
 }
 
 type SdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type SdsParameters struct {
@@ -296,6 +410,9 @@ type SdsParameters struct {
 }
 
 type SubjectAlternativeNamesMatchObservation struct {
+
+	// Values sent must match the specified values exactly.
+	Exact []*string `json:"exact,omitempty" tf:"exact,omitempty"`
 }
 
 type SubjectAlternativeNamesMatchParameters struct {
@@ -306,6 +423,9 @@ type SubjectAlternativeNamesMatchParameters struct {
 }
 
 type SubjectAlternativeNamesObservation struct {
+
+	// Criteria for determining a SAN's match.
+	Match []SubjectAlternativeNamesMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type SubjectAlternativeNamesParameters struct {
@@ -316,6 +436,15 @@ type SubjectAlternativeNamesParameters struct {
 }
 
 type TLSCertificateObservation struct {
+
+	// TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
+	Acm []CertificateAcmObservation `json:"acm,omitempty" tf:"acm,omitempty"`
+
+	// Local file certificate.
+	File []CertificateFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []CertificateSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type TLSCertificateParameters struct {
@@ -334,6 +463,18 @@ type TLSCertificateParameters struct {
 }
 
 type TLSObservation struct {
+
+	// Virtual gateway's client's Transport Layer Security (TLS) certificate.
+	Certificate []CertificateObservation `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+	// Whether the policy is enforced. Default is true.
+	Enforce *bool `json:"enforce,omitempty" tf:"enforce,omitempty"`
+
+	// One or more ports that the policy is enforced for.
+	Ports []*float64 `json:"ports,omitempty" tf:"ports,omitempty"`
+
+	// TLS validation context.
+	Validation []ValidationObservation `json:"validation,omitempty" tf:"validation,omitempty"`
 }
 
 type TLSParameters struct {
@@ -356,6 +497,12 @@ type TLSParameters struct {
 }
 
 type TLSValidationObservation struct {
+
+	// SANs for a virtual gateway's listener's Transport Layer Security (TLS) validation context.
+	SubjectAlternativeNames []ValidationSubjectAlternativeNamesObservation `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
+	// TLS validation context trust.
+	Trust []ValidationTrustObservation `json:"trust,omitempty" tf:"trust,omitempty"`
 }
 
 type TLSValidationParameters struct {
@@ -370,6 +517,9 @@ type TLSValidationParameters struct {
 }
 
 type TrustFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
 }
 
 type TrustFileParameters struct {
@@ -380,6 +530,15 @@ type TrustFileParameters struct {
 }
 
 type TrustObservation struct {
+
+	// TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
+	Acm []AcmObservation `json:"acm,omitempty" tf:"acm,omitempty"`
+
+	// Local file certificate.
+	File []TrustFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []TrustSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type TrustParameters struct {
@@ -398,6 +557,9 @@ type TrustParameters struct {
 }
 
 type TrustSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type TrustSdsParameters struct {
@@ -408,6 +570,12 @@ type TrustSdsParameters struct {
 }
 
 type ValidationObservation struct {
+
+	// SANs for a virtual gateway's listener's Transport Layer Security (TLS) validation context.
+	SubjectAlternativeNames []SubjectAlternativeNamesObservation `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
+	// TLS validation context trust.
+	Trust []TrustObservation `json:"trust,omitempty" tf:"trust,omitempty"`
 }
 
 type ValidationParameters struct {
@@ -422,6 +590,9 @@ type ValidationParameters struct {
 }
 
 type ValidationSubjectAlternativeNamesMatchObservation struct {
+
+	// Values sent must match the specified values exactly.
+	Exact []*string `json:"exact,omitempty" tf:"exact,omitempty"`
 }
 
 type ValidationSubjectAlternativeNamesMatchParameters struct {
@@ -432,6 +603,9 @@ type ValidationSubjectAlternativeNamesMatchParameters struct {
 }
 
 type ValidationSubjectAlternativeNamesObservation struct {
+
+	// Criteria for determining a SAN's match.
+	Match []ValidationSubjectAlternativeNamesMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type ValidationSubjectAlternativeNamesParameters struct {
@@ -442,6 +616,9 @@ type ValidationSubjectAlternativeNamesParameters struct {
 }
 
 type ValidationTrustFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
 }
 
 type ValidationTrustFileParameters struct {
@@ -452,6 +629,12 @@ type ValidationTrustFileParameters struct {
 }
 
 type ValidationTrustObservation struct {
+
+	// Local file certificate.
+	File []ValidationTrustFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []ValidationTrustSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type ValidationTrustParameters struct {
@@ -466,6 +649,9 @@ type ValidationTrustParameters struct {
 }
 
 type ValidationTrustSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type ValidationTrustSdsParameters struct {
@@ -489,9 +675,24 @@ type VirtualGatewayObservation struct {
 	// Last update date of the virtual gateway.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Name of the service mesh in which to create the virtual gateway. Must be between 1 and 255 characters in length.
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
+
+	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
+	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
+
+	// Name to use for the virtual gateway. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Resource owner's AWS account ID.
 	ResourceOwner *string `json:"resourceOwner,omitempty" tf:"resource_owner,omitempty"`
 
+	// Virtual gateway specification to apply.
+	Spec []VirtualGatewaySpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -499,16 +700,16 @@ type VirtualGatewayObservation struct {
 type VirtualGatewayParameters struct {
 
 	// Name of the service mesh in which to create the virtual gateway. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	MeshName *string `json:"meshName" tf:"mesh_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
 
 	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
 	// +kubebuilder:validation:Optional
 	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
 
 	// Name to use for the virtual gateway. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -516,8 +717,8 @@ type VirtualGatewayParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Virtual gateway specification to apply.
-	// +kubebuilder:validation:Required
-	Spec []VirtualGatewaySpecParameters `json:"spec" tf:"spec,omitempty"`
+	// +kubebuilder:validation:Optional
+	Spec []VirtualGatewaySpecParameters `json:"spec,omitempty" tf:"spec,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -525,6 +726,15 @@ type VirtualGatewayParameters struct {
 }
 
 type VirtualGatewaySpecObservation struct {
+
+	// Defaults for backends.
+	BackendDefaults []BackendDefaultsObservation `json:"backendDefaults,omitempty" tf:"backend_defaults,omitempty"`
+
+	// Listeners that the mesh endpoint is expected to receive inbound traffic from. You can specify one listener.
+	Listener []ListenerObservation `json:"listener,omitempty" tf:"listener,omitempty"`
+
+	// Inbound and outbound access logging information for the virtual gateway.
+	Logging []LoggingObservation `json:"logging,omitempty" tf:"logging,omitempty"`
 }
 
 type VirtualGatewaySpecParameters struct {
@@ -566,8 +776,11 @@ type VirtualGatewayStatus struct {
 type VirtualGateway struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VirtualGatewaySpec   `json:"spec"`
-	Status            VirtualGatewayStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.meshName)",message="meshName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)",message="spec is a required parameter"
+	Spec   VirtualGatewaySpec   `json:"spec"`
+	Status VirtualGatewayStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appmesh/v1beta1/zz_virtualnode_types.go b/apis/appmesh/v1beta1/zz_virtualnode_types.go
index e1927bce95..d821ebb93f 100755
--- a/apis/appmesh/v1beta1/zz_virtualnode_types.go
+++ b/apis/appmesh/v1beta1/zz_virtualnode_types.go
@@ -14,6 +14,16 @@ import (
 )
 
 type AwsCloudMapObservation struct {
+
+	// String map that contains attributes with values that you can use to filter instances by any custom attribute that you specified when you registered the instance. Only instances that match all of the specified key/value pairs will be returned.
+	Attributes map[string]*string `json:"attributes,omitempty" tf:"attributes,omitempty"`
+
+	// Name of the AWS Cloud Map namespace to use.
+	// Use the aws_service_discovery_http_namespace resource to configure a Cloud Map namespace. Must be between 1 and 1024 characters in length.
+	NamespaceName *string `json:"namespaceName,omitempty" tf:"namespace_name,omitempty"`
+
+	// attribute of the dns object to hostname.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
 }
 
 type AwsCloudMapParameters struct {
@@ -43,6 +53,9 @@ type AwsCloudMapParameters struct {
 }
 
 type BackendDefaultsClientPolicyObservation struct {
+
+	// Transport Layer Security (TLS) client policy.
+	TLS []BackendDefaultsClientPolicyTLSObservation `json:"tls,omitempty" tf:"tls,omitempty"`
 }
 
 type BackendDefaultsClientPolicyParameters struct {
@@ -53,6 +66,12 @@ type BackendDefaultsClientPolicyParameters struct {
 }
 
 type BackendDefaultsClientPolicyTLSCertificateObservation struct {
+
+	// Local file certificate.
+	File []ClientPolicyTLSCertificateFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []ClientPolicyTLSCertificateSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type BackendDefaultsClientPolicyTLSCertificateParameters struct {
@@ -67,6 +86,18 @@ type BackendDefaultsClientPolicyTLSCertificateParameters struct {
 }
 
 type BackendDefaultsClientPolicyTLSObservation struct {
+
+	// Virtual node's client's Transport Layer Security (TLS) certificate.
+	Certificate []BackendDefaultsClientPolicyTLSCertificateObservation `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+	// Whether the policy is enforced. Default is true.
+	Enforce *bool `json:"enforce,omitempty" tf:"enforce,omitempty"`
+
+	// One or more ports that the policy is enforced for.
+	Ports []*float64 `json:"ports,omitempty" tf:"ports,omitempty"`
+
+	// TLS validation context.
+	Validation []BackendDefaultsClientPolicyTLSValidationObservation `json:"validation,omitempty" tf:"validation,omitempty"`
 }
 
 type BackendDefaultsClientPolicyTLSParameters struct {
@@ -89,6 +120,12 @@ type BackendDefaultsClientPolicyTLSParameters struct {
 }
 
 type BackendDefaultsClientPolicyTLSValidationObservation struct {
+
+	// SANs for a TLS validation context.
+	SubjectAlternativeNames []ClientPolicyTLSValidationSubjectAlternativeNamesObservation `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
+	// TLS validation context trust.
+	Trust []ClientPolicyTLSValidationTrustObservation `json:"trust,omitempty" tf:"trust,omitempty"`
 }
 
 type BackendDefaultsClientPolicyTLSValidationParameters struct {
@@ -103,6 +140,9 @@ type BackendDefaultsClientPolicyTLSValidationParameters struct {
 }
 
 type BackendObservation struct {
+
+	// Virtual service to use as a backend for a virtual node.
+	VirtualService []BackendVirtualServiceObservation `json:"virtualService,omitempty" tf:"virtual_service,omitempty"`
 }
 
 type BackendParameters struct {
@@ -113,6 +153,12 @@ type BackendParameters struct {
 }
 
 type BackendVirtualServiceObservation struct {
+
+	// Client policy for the backend.
+	ClientPolicy []VirtualServiceClientPolicyObservation `json:"clientPolicy,omitempty" tf:"client_policy,omitempty"`
+
+	// Name of the virtual service that is acting as a virtual node backend. Must be between 1 and 255 characters in length.
+	VirtualServiceName *string `json:"virtualServiceName,omitempty" tf:"virtual_service_name,omitempty"`
 }
 
 type BackendVirtualServiceParameters struct {
@@ -127,6 +173,12 @@ type BackendVirtualServiceParameters struct {
 }
 
 type BaseEjectionDurationObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type BaseEjectionDurationParameters struct {
@@ -141,6 +193,12 @@ type BaseEjectionDurationParameters struct {
 }
 
 type ClientPolicyTLSCertificateFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
+	// Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.
+	PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"`
 }
 
 type ClientPolicyTLSCertificateFileParameters struct {
@@ -155,6 +213,12 @@ type ClientPolicyTLSCertificateFileParameters struct {
 }
 
 type ClientPolicyTLSCertificateObservation struct {
+
+	// Local file certificate.
+	File []TLSCertificateFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []TLSCertificateSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type ClientPolicyTLSCertificateParameters struct {
@@ -169,6 +233,9 @@ type ClientPolicyTLSCertificateParameters struct {
 }
 
 type ClientPolicyTLSCertificateSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type ClientPolicyTLSCertificateSdsParameters struct {
@@ -179,6 +246,18 @@ type ClientPolicyTLSCertificateSdsParameters struct {
 }
 
 type ClientPolicyTLSObservation struct {
+
+	// Virtual node's client's Transport Layer Security (TLS) certificate.
+	Certificate []ClientPolicyTLSCertificateObservation `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+	// Whether the policy is enforced. Default is true.
+	Enforce *bool `json:"enforce,omitempty" tf:"enforce,omitempty"`
+
+	// One or more ports that the policy is enforced for.
+	Ports []*float64 `json:"ports,omitempty" tf:"ports,omitempty"`
+
+	// TLS validation context.
+	Validation []ClientPolicyTLSValidationObservation `json:"validation,omitempty" tf:"validation,omitempty"`
 }
 
 type ClientPolicyTLSParameters struct {
@@ -201,6 +280,12 @@ type ClientPolicyTLSParameters struct {
 }
 
 type ClientPolicyTLSValidationObservation struct {
+
+	// SANs for a TLS validation context.
+	SubjectAlternativeNames []TLSValidationSubjectAlternativeNamesObservation `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
+	// TLS validation context trust.
+	Trust []TLSValidationTrustObservation `json:"trust,omitempty" tf:"trust,omitempty"`
 }
 
 type ClientPolicyTLSValidationParameters struct {
@@ -215,6 +300,9 @@ type ClientPolicyTLSValidationParameters struct {
 }
 
 type ClientPolicyTLSValidationSubjectAlternativeNamesMatchObservation struct {
+
+	// Values sent must match the specified values exactly.
+	Exact []*string `json:"exact,omitempty" tf:"exact,omitempty"`
 }
 
 type ClientPolicyTLSValidationSubjectAlternativeNamesMatchParameters struct {
@@ -225,6 +313,9 @@ type ClientPolicyTLSValidationSubjectAlternativeNamesMatchParameters struct {
 }
 
 type ClientPolicyTLSValidationSubjectAlternativeNamesObservation struct {
+
+	// Criteria for determining a SAN's match.
+	Match []ClientPolicyTLSValidationSubjectAlternativeNamesMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type ClientPolicyTLSValidationSubjectAlternativeNamesParameters struct {
@@ -235,6 +326,9 @@ type ClientPolicyTLSValidationSubjectAlternativeNamesParameters struct {
 }
 
 type ClientPolicyTLSValidationTrustFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
 }
 
 type ClientPolicyTLSValidationTrustFileParameters struct {
@@ -245,6 +339,15 @@ type ClientPolicyTLSValidationTrustFileParameters struct {
 }
 
 type ClientPolicyTLSValidationTrustObservation struct {
+
+	// TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
+	Acm []ValidationTrustAcmObservation `json:"acm,omitempty" tf:"acm,omitempty"`
+
+	// Local file certificate.
+	File []ClientPolicyTLSValidationTrustFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []ClientPolicyTLSValidationTrustSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type ClientPolicyTLSValidationTrustParameters struct {
@@ -263,6 +366,9 @@ type ClientPolicyTLSValidationTrustParameters struct {
 }
 
 type ClientPolicyTLSValidationTrustSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type ClientPolicyTLSValidationTrustSdsParameters struct {
@@ -273,6 +379,9 @@ type ClientPolicyTLSValidationTrustSdsParameters struct {
 }
 
 type ConnectionPoolGRPCObservation struct {
+
+	// Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of 1.
+	MaxRequests *float64 `json:"maxRequests,omitempty" tf:"max_requests,omitempty"`
 }
 
 type ConnectionPoolGRPCParameters struct {
@@ -283,6 +392,12 @@ type ConnectionPoolGRPCParameters struct {
 }
 
 type ConnectionPoolHTTPObservation struct {
+
+	// Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in upstream cluster. Minimum value of 1.
+	MaxConnections *float64 `json:"maxConnections,omitempty" tf:"max_connections,omitempty"`
+
+	// Number of overflowing requests after max_connections Envoy will queue to upstream cluster. Minimum value of 1.
+	MaxPendingRequests *float64 `json:"maxPendingRequests,omitempty" tf:"max_pending_requests,omitempty"`
 }
 
 type ConnectionPoolHTTPParameters struct {
@@ -297,6 +412,9 @@ type ConnectionPoolHTTPParameters struct {
 }
 
 type ConnectionPoolHttp2Observation struct {
+
+	// Maximum number of inflight requests Envoy can concurrently support across hosts in upstream cluster. Minimum value of 1.
+	MaxRequests *float64 `json:"maxRequests,omitempty" tf:"max_requests,omitempty"`
 }
 
 type ConnectionPoolHttp2Parameters struct {
@@ -307,6 +425,9 @@ type ConnectionPoolHttp2Parameters struct {
 }
 
 type DNSObservation struct {
+
+	// DNS host name for your virtual node.
+	Hostname *string `json:"hostname,omitempty" tf:"hostname,omitempty"`
 }
 
 type DNSParameters struct {
@@ -317,6 +438,12 @@ type DNSParameters struct {
 }
 
 type GRPCIdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type GRPCIdleParameters struct {
@@ -331,6 +458,12 @@ type GRPCIdleParameters struct {
 }
 
 type GRPCPerRequestObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type GRPCPerRequestParameters struct {
@@ -345,6 +478,12 @@ type GRPCPerRequestParameters struct {
 }
 
 type HTTPIdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type HTTPIdleParameters struct {
@@ -359,6 +498,12 @@ type HTTPIdleParameters struct {
 }
 
 type HTTPPerRequestObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type HTTPPerRequestParameters struct {
@@ -373,6 +518,12 @@ type HTTPPerRequestParameters struct {
 }
 
 type Http2IdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type Http2IdleParameters struct {
@@ -387,6 +538,12 @@ type Http2IdleParameters struct {
 }
 
 type Http2PerRequestObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type Http2PerRequestParameters struct {
@@ -401,6 +558,12 @@ type Http2PerRequestParameters struct {
 }
 
 type IntervalObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type IntervalParameters struct {
@@ -415,6 +578,18 @@ type IntervalParameters struct {
 }
 
 type ListenerConnectionPoolObservation struct {
+
+	// Connection pool information for gRPC listeners.
+	GRPC []ConnectionPoolGRPCObservation `json:"grpc,omitempty" tf:"grpc,omitempty"`
+
+	// Connection pool information for HTTP listeners.
+	HTTP []ConnectionPoolHTTPObservation `json:"http,omitempty" tf:"http,omitempty"`
+
+	// Connection pool information for HTTP2 listeners.
+	Http2 []ConnectionPoolHttp2Observation `json:"http2,omitempty" tf:"http2,omitempty"`
+
+	// Connection pool information for TCP listeners.
+	TCP []TCPObservation `json:"tcp,omitempty" tf:"tcp,omitempty"`
 }
 
 type ListenerConnectionPoolParameters struct {
@@ -437,6 +612,27 @@ type ListenerConnectionPoolParameters struct {
 }
 
 type ListenerHealthCheckObservation struct {
+
+	// Number of consecutive successful health checks that must occur before declaring listener healthy.
+	HealthyThreshold *float64 `json:"healthyThreshold,omitempty" tf:"healthy_threshold,omitempty"`
+
+	// Time period in milliseconds between each health check execution.
+	IntervalMillis *float64 `json:"intervalMillis,omitempty" tf:"interval_millis,omitempty"`
+
+	// File path to write access logs to. You can use /dev/stdout to send access logs to standard out. Must be between 1 and 255 characters in length.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Port used for the port mapping.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol used for the port mapping. Valid values are http, http2, tcp and grpc.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Amount of time to wait when receiving a response from the health check, in milliseconds.
+	TimeoutMillis *float64 `json:"timeoutMillis,omitempty" tf:"timeout_millis,omitempty"`
+
+	// Number of consecutive failed health checks that must occur before declaring a virtual node unhealthy.
+	UnhealthyThreshold *float64 `json:"unhealthyThreshold,omitempty" tf:"unhealthy_threshold,omitempty"`
 }
 
 type ListenerHealthCheckParameters struct {
@@ -471,6 +667,12 @@ type ListenerHealthCheckParameters struct {
 }
 
 type ListenerPortMappingObservation struct {
+
+	// Port used for the port mapping.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol used for the port mapping. Valid values are http, http2, tcp and grpc.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 }
 
 type ListenerPortMappingParameters struct {
@@ -485,6 +687,12 @@ type ListenerPortMappingParameters struct {
 }
 
 type ListenerTLSCertificateFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
+	// Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.
+	PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"`
 }
 
 type ListenerTLSCertificateFileParameters struct {
@@ -499,6 +707,15 @@ type ListenerTLSCertificateFileParameters struct {
 }
 
 type ListenerTLSCertificateObservation struct {
+
+	// TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
+	Acm []TLSCertificateAcmObservation `json:"acm,omitempty" tf:"acm,omitempty"`
+
+	// Local file certificate.
+	File []ListenerTLSCertificateFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []ListenerTLSCertificateSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type ListenerTLSCertificateParameters struct {
@@ -517,6 +734,9 @@ type ListenerTLSCertificateParameters struct {
 }
 
 type ListenerTLSCertificateSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type ListenerTLSCertificateSdsParameters struct {
@@ -527,6 +747,12 @@ type ListenerTLSCertificateSdsParameters struct {
 }
 
 type ListenerTLSValidationObservation struct {
+
+	// SANs for a TLS validation context.
+	SubjectAlternativeNames []ListenerTLSValidationSubjectAlternativeNamesObservation `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
+	// TLS validation context trust.
+	Trust []ListenerTLSValidationTrustObservation `json:"trust,omitempty" tf:"trust,omitempty"`
 }
 
 type ListenerTLSValidationParameters struct {
@@ -541,6 +767,9 @@ type ListenerTLSValidationParameters struct {
 }
 
 type ListenerTLSValidationSubjectAlternativeNamesMatchObservation struct {
+
+	// Values sent must match the specified values exactly.
+	Exact []*string `json:"exact,omitempty" tf:"exact,omitempty"`
 }
 
 type ListenerTLSValidationSubjectAlternativeNamesMatchParameters struct {
@@ -551,6 +780,9 @@ type ListenerTLSValidationSubjectAlternativeNamesMatchParameters struct {
 }
 
 type ListenerTLSValidationSubjectAlternativeNamesObservation struct {
+
+	// Criteria for determining a SAN's match.
+	Match []ListenerTLSValidationSubjectAlternativeNamesMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type ListenerTLSValidationSubjectAlternativeNamesParameters struct {
@@ -561,6 +793,9 @@ type ListenerTLSValidationSubjectAlternativeNamesParameters struct {
 }
 
 type ListenerTLSValidationTrustFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
 }
 
 type ListenerTLSValidationTrustFileParameters struct {
@@ -571,6 +806,12 @@ type ListenerTLSValidationTrustFileParameters struct {
 }
 
 type ListenerTLSValidationTrustObservation struct {
+
+	// Local file certificate.
+	File []ListenerTLSValidationTrustFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []ListenerTLSValidationTrustSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type ListenerTLSValidationTrustParameters struct {
@@ -585,6 +826,9 @@ type ListenerTLSValidationTrustParameters struct {
 }
 
 type ListenerTLSValidationTrustSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type ListenerTLSValidationTrustSdsParameters struct {
@@ -595,6 +839,18 @@ type ListenerTLSValidationTrustSdsParameters struct {
 }
 
 type ListenerTimeoutObservation struct {
+
+	// Connection pool information for gRPC listeners.
+	GRPC []TimeoutGRPCObservation `json:"grpc,omitempty" tf:"grpc,omitempty"`
+
+	// Connection pool information for HTTP listeners.
+	HTTP []TimeoutHTTPObservation `json:"http,omitempty" tf:"http,omitempty"`
+
+	// Connection pool information for HTTP2 listeners.
+	Http2 []TimeoutHttp2Observation `json:"http2,omitempty" tf:"http2,omitempty"`
+
+	// Connection pool information for TCP listeners.
+	TCP []TimeoutTCPObservation `json:"tcp,omitempty" tf:"tcp,omitempty"`
 }
 
 type ListenerTimeoutParameters struct {
@@ -617,6 +873,9 @@ type ListenerTimeoutParameters struct {
 }
 
 type LoggingAccessLogFileObservation struct {
+
+	// File path to write access logs to. You can use /dev/stdout to send access logs to standard out. Must be between 1 and 255 characters in length.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 }
 
 type LoggingAccessLogFileParameters struct {
@@ -627,6 +886,9 @@ type LoggingAccessLogFileParameters struct {
 }
 
 type LoggingAccessLogObservation struct {
+
+	// Local file certificate.
+	File []LoggingAccessLogFileObservation `json:"file,omitempty" tf:"file,omitempty"`
 }
 
 type LoggingAccessLogParameters struct {
@@ -637,6 +899,19 @@ type LoggingAccessLogParameters struct {
 }
 
 type OutlierDetectionObservation struct {
+
+	// Base amount of time for which a host is ejected.
+	BaseEjectionDuration []BaseEjectionDurationObservation `json:"baseEjectionDuration,omitempty" tf:"base_ejection_duration,omitempty"`
+
+	// Time interval between ejection sweep analysis.
+	Interval []IntervalObservation `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// Maximum percentage of hosts in load balancing pool for upstream service that can be ejected. Will eject at least one host regardless of the value.
+	// Minimum value of 0. Maximum value of 100.
+	MaxEjectionPercent *float64 `json:"maxEjectionPercent,omitempty" tf:"max_ejection_percent,omitempty"`
+
+	// Number of consecutive 5xx errors required for ejection. Minimum value of 1.
+	MaxServerErrors *float64 `json:"maxServerErrors,omitempty" tf:"max_server_errors,omitempty"`
 }
 
 type OutlierDetectionParameters struct {
@@ -660,6 +935,12 @@ type OutlierDetectionParameters struct {
 }
 
 type ServiceDiscoveryObservation struct {
+
+	// Any AWS Cloud Map information for the virtual node.
+	AwsCloudMap []AwsCloudMapObservation `json:"awsCloudMap,omitempty" tf:"aws_cloud_map,omitempty"`
+
+	// DNS service name for the virtual node.
+	DNS []DNSObservation `json:"dns,omitempty" tf:"dns,omitempty"`
 }
 
 type ServiceDiscoveryParameters struct {
@@ -674,6 +955,9 @@ type ServiceDiscoveryParameters struct {
 }
 
 type SpecBackendDefaultsObservation struct {
+
+	// Client policy for the backend.
+	ClientPolicy []BackendDefaultsClientPolicyObservation `json:"clientPolicy,omitempty" tf:"client_policy,omitempty"`
 }
 
 type SpecBackendDefaultsParameters struct {
@@ -684,6 +968,24 @@ type SpecBackendDefaultsParameters struct {
 }
 
 type SpecListenerObservation struct {
+
+	// Connection pool information for the listener.
+	ConnectionPool []ListenerConnectionPoolObservation `json:"connectionPool,omitempty" tf:"connection_pool,omitempty"`
+
+	// Health check information for the listener.
+	HealthCheck []ListenerHealthCheckObservation `json:"healthCheck,omitempty" tf:"health_check,omitempty"`
+
+	// Outlier detection information for the listener.
+	OutlierDetection []OutlierDetectionObservation `json:"outlierDetection,omitempty" tf:"outlier_detection,omitempty"`
+
+	// Port mapping information for the listener.
+	PortMapping []ListenerPortMappingObservation `json:"portMapping,omitempty" tf:"port_mapping,omitempty"`
+
+	// Transport Layer Security (TLS) client policy.
+	TLS []SpecListenerTLSObservation `json:"tls,omitempty" tf:"tls,omitempty"`
+
+	// Timeouts for different protocols.
+	Timeout []ListenerTimeoutObservation `json:"timeout,omitempty" tf:"timeout,omitempty"`
 }
 
 type SpecListenerParameters struct {
@@ -714,6 +1016,15 @@ type SpecListenerParameters struct {
 }
 
 type SpecListenerTLSObservation struct {
+
+	// Virtual node's client's Transport Layer Security (TLS) certificate.
+	Certificate []ListenerTLSCertificateObservation `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+	// Listener's TLS mode. Valid values: DISABLED, PERMISSIVE, STRICT.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// TLS validation context.
+	Validation []ListenerTLSValidationObservation `json:"validation,omitempty" tf:"validation,omitempty"`
 }
 
 type SpecListenerTLSParameters struct {
@@ -732,6 +1043,9 @@ type SpecListenerTLSParameters struct {
 }
 
 type SpecLoggingObservation struct {
+
+	// Access log configuration for a virtual node.
+	AccessLog []LoggingAccessLogObservation `json:"accessLog,omitempty" tf:"access_log,omitempty"`
 }
 
 type SpecLoggingParameters struct {
@@ -742,6 +1056,12 @@ type SpecLoggingParameters struct {
 }
 
 type TCPIdleObservation struct {
+
+	// Unit of time. Valid values: ms, s.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// Number of time units. Minimum value of 0.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TCPIdleParameters struct {
@@ -756,6 +1076,9 @@ type TCPIdleParameters struct {
 }
 
 type TCPObservation struct {
+
+	// Maximum number of outbound TCP connections Envoy can establish concurrently with all hosts in upstream cluster. Minimum value of 1.
+	MaxConnections *float64 `json:"maxConnections,omitempty" tf:"max_connections,omitempty"`
 }
 
 type TCPParameters struct {
@@ -766,6 +1089,9 @@ type TCPParameters struct {
 }
 
 type TLSCertificateAcmObservation struct {
+
+	// ARN for the certificate.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
 }
 
 type TLSCertificateAcmParameters struct {
@@ -776,6 +1102,12 @@ type TLSCertificateAcmParameters struct {
 }
 
 type TLSCertificateFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
+	// Private key for a certificate stored on the file system of the mesh endpoint that the proxy is running on.
+	PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"`
 }
 
 type TLSCertificateFileParameters struct {
@@ -790,6 +1122,9 @@ type TLSCertificateFileParameters struct {
 }
 
 type TLSCertificateSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type TLSCertificateSdsParameters struct {
@@ -800,6 +1135,9 @@ type TLSCertificateSdsParameters struct {
 }
 
 type TLSValidationSubjectAlternativeNamesMatchObservation struct {
+
+	// Values sent must match the specified values exactly.
+	Exact []*string `json:"exact,omitempty" tf:"exact,omitempty"`
 }
 
 type TLSValidationSubjectAlternativeNamesMatchParameters struct {
@@ -810,6 +1148,9 @@ type TLSValidationSubjectAlternativeNamesMatchParameters struct {
 }
 
 type TLSValidationSubjectAlternativeNamesObservation struct {
+
+	// Criteria for determining a SAN's match.
+	Match []TLSValidationSubjectAlternativeNamesMatchObservation `json:"match,omitempty" tf:"match,omitempty"`
 }
 
 type TLSValidationSubjectAlternativeNamesParameters struct {
@@ -820,6 +1161,9 @@ type TLSValidationSubjectAlternativeNamesParameters struct {
 }
 
 type TLSValidationTrustFileObservation struct {
+
+	// Certificate chain for the certificate.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
 }
 
 type TLSValidationTrustFileParameters struct {
@@ -830,6 +1174,15 @@ type TLSValidationTrustFileParameters struct {
 }
 
 type TLSValidationTrustObservation struct {
+
+	// TLS validation context trust for an AWS Certificate Manager (ACM) certificate.
+	Acm []TrustAcmObservation `json:"acm,omitempty" tf:"acm,omitempty"`
+
+	// Local file certificate.
+	File []TLSValidationTrustFileObservation `json:"file,omitempty" tf:"file,omitempty"`
+
+	// A Secret Discovery Service certificate.
+	Sds []TLSValidationTrustSdsObservation `json:"sds,omitempty" tf:"sds,omitempty"`
 }
 
 type TLSValidationTrustParameters struct {
@@ -848,6 +1201,9 @@ type TLSValidationTrustParameters struct {
 }
 
 type TLSValidationTrustSdsObservation struct {
+
+	// Name of the secret secret requested from the Secret Discovery Service provider representing Transport Layer Security (TLS) materials like a certificate or certificate chain.
+	SecretName *string `json:"secretName,omitempty" tf:"secret_name,omitempty"`
 }
 
 type TLSValidationTrustSdsParameters struct {
@@ -858,6 +1214,12 @@ type TLSValidationTrustSdsParameters struct {
 }
 
 type TimeoutGRPCObservation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []GRPCIdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
+
+	// Per request timeout.
+	PerRequest []GRPCPerRequestObservation `json:"perRequest,omitempty" tf:"per_request,omitempty"`
 }
 
 type TimeoutGRPCParameters struct {
@@ -872,6 +1234,12 @@ type TimeoutGRPCParameters struct {
 }
 
 type TimeoutHTTPObservation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []HTTPIdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
+
+	// Per request timeout.
+	PerRequest []HTTPPerRequestObservation `json:"perRequest,omitempty" tf:"per_request,omitempty"`
 }
 
 type TimeoutHTTPParameters struct {
@@ -886,6 +1254,12 @@ type TimeoutHTTPParameters struct {
 }
 
 type TimeoutHttp2Observation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []Http2IdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
+
+	// Per request timeout.
+	PerRequest []Http2PerRequestObservation `json:"perRequest,omitempty" tf:"per_request,omitempty"`
 }
 
 type TimeoutHttp2Parameters struct {
@@ -900,6 +1274,9 @@ type TimeoutHttp2Parameters struct {
 }
 
 type TimeoutTCPObservation struct {
+
+	// Idle timeout. An idle timeout bounds the amount of time that a connection may be idle.
+	Idle []TCPIdleObservation `json:"idle,omitempty" tf:"idle,omitempty"`
 }
 
 type TimeoutTCPParameters struct {
@@ -910,6 +1287,9 @@ type TimeoutTCPParameters struct {
 }
 
 type TrustAcmObservation struct {
+
+	// One or more ACM ARNs.
+	CertificateAuthorityArns []*string `json:"certificateAuthorityArns,omitempty" tf:"certificate_authority_arns,omitempty"`
 }
 
 type TrustAcmParameters struct {
@@ -920,6 +1300,9 @@ type TrustAcmParameters struct {
 }
 
 type ValidationTrustAcmObservation struct {
+
+	// One or more ACM ARNs.
+	CertificateAuthorityArns []*string `json:"certificateAuthorityArns,omitempty" tf:"certificate_authority_arns,omitempty"`
 }
 
 type ValidationTrustAcmParameters struct {
@@ -943,9 +1326,24 @@ type VirtualNodeObservation struct {
 	// Last update date of the virtual node.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Name of the service mesh in which to create the virtual node. Must be between 1 and 255 characters in length.
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
+
+	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
+	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
+
+	// Name to use for the virtual node. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Resource owner's AWS account ID.
 	ResourceOwner *string `json:"resourceOwner,omitempty" tf:"resource_owner,omitempty"`
 
+	// Virtual node specification to apply.
+	Spec []VirtualNodeSpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -971,8 +1369,8 @@ type VirtualNodeParameters struct {
 	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
 
 	// Name to use for the virtual node. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -980,8 +1378,8 @@ type VirtualNodeParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Virtual node specification to apply.
-	// +kubebuilder:validation:Required
-	Spec []VirtualNodeSpecParameters `json:"spec" tf:"spec,omitempty"`
+	// +kubebuilder:validation:Optional
+	Spec []VirtualNodeSpecParameters `json:"spec,omitempty" tf:"spec,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -989,6 +1387,21 @@ type VirtualNodeParameters struct {
 }
 
 type VirtualNodeSpecObservation struct {
+
+	// Backends to which the virtual node is expected to send outbound traffic.
+	Backend []BackendObservation `json:"backend,omitempty" tf:"backend,omitempty"`
+
+	// Defaults for backends.
+	BackendDefaults []SpecBackendDefaultsObservation `json:"backendDefaults,omitempty" tf:"backend_defaults,omitempty"`
+
+	// Listeners from which the virtual node is expected to receive inbound traffic.
+	Listener []SpecListenerObservation `json:"listener,omitempty" tf:"listener,omitempty"`
+
+	// Inbound and outbound access logging information for the virtual node.
+	Logging []SpecLoggingObservation `json:"logging,omitempty" tf:"logging,omitempty"`
+
+	// Service discovery information for the virtual node.
+	ServiceDiscovery []ServiceDiscoveryObservation `json:"serviceDiscovery,omitempty" tf:"service_discovery,omitempty"`
 }
 
 type VirtualNodeSpecParameters struct {
@@ -1015,6 +1428,9 @@ type VirtualNodeSpecParameters struct {
 }
 
 type VirtualServiceClientPolicyObservation struct {
+
+	// Transport Layer Security (TLS) client policy.
+	TLS []ClientPolicyTLSObservation `json:"tls,omitempty" tf:"tls,omitempty"`
 }
 
 type VirtualServiceClientPolicyParameters struct {
@@ -1048,8 +1464,10 @@ type VirtualNodeStatus struct {
 type VirtualNode struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VirtualNodeSpec   `json:"spec"`
-	Status            VirtualNodeStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)",message="spec is a required parameter"
+	Spec   VirtualNodeSpec   `json:"spec"`
+	Status VirtualNodeStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appmesh/v1beta1/zz_virtualrouter_types.go b/apis/appmesh/v1beta1/zz_virtualrouter_types.go
index 2d1e603a24..65c66d0bf6 100755
--- a/apis/appmesh/v1beta1/zz_virtualrouter_types.go
+++ b/apis/appmesh/v1beta1/zz_virtualrouter_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type SpecListenerPortMappingObservation struct {
+
+	// Port used for the port mapping.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol used for the port mapping. Valid values are http,http2, tcp and grpc.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 }
 
 type SpecListenerPortMappingParameters struct {
@@ -41,9 +47,24 @@ type VirtualRouterObservation struct {
 	// Last update date of the virtual router.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Name of the service mesh in which to create the virtual router. Must be between 1 and 255 characters in length.
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
+
+	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
+	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
+
+	// Name to use for the virtual router. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Resource owner's AWS account ID.
 	ResourceOwner *string `json:"resourceOwner,omitempty" tf:"resource_owner,omitempty"`
 
+	// Virtual router specification to apply.
+	Spec []VirtualRouterSpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -69,8 +90,8 @@ type VirtualRouterParameters struct {
 	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
 
 	// Name to use for the virtual router. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -78,8 +99,8 @@ type VirtualRouterParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Virtual router specification to apply.
-	// +kubebuilder:validation:Required
-	Spec []VirtualRouterSpecParameters `json:"spec" tf:"spec,omitempty"`
+	// +kubebuilder:validation:Optional
+	Spec []VirtualRouterSpecParameters `json:"spec,omitempty" tf:"spec,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -87,6 +108,9 @@ type VirtualRouterParameters struct {
 }
 
 type VirtualRouterSpecListenerObservation struct {
+
+	// Port mapping information for the listener.
+	PortMapping []SpecListenerPortMappingObservation `json:"portMapping,omitempty" tf:"port_mapping,omitempty"`
 }
 
 type VirtualRouterSpecListenerParameters struct {
@@ -97,6 +121,9 @@ type VirtualRouterSpecListenerParameters struct {
 }
 
 type VirtualRouterSpecObservation struct {
+
+	// configuration block to the spec argument.
+	Listener []VirtualRouterSpecListenerObservation `json:"listener,omitempty" tf:"listener,omitempty"`
 }
 
 type VirtualRouterSpecParameters struct {
@@ -130,8 +157,10 @@ type VirtualRouterStatus struct {
 type VirtualRouter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VirtualRouterSpec   `json:"spec"`
-	Status            VirtualRouterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)",message="spec is a required parameter"
+	Spec   VirtualRouterSpec   `json:"spec"`
+	Status VirtualRouterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appmesh/v1beta1/zz_virtualservice_types.go b/apis/appmesh/v1beta1/zz_virtualservice_types.go
index a54fc4ec69..d5e04abdeb 100755
--- a/apis/appmesh/v1beta1/zz_virtualservice_types.go
+++ b/apis/appmesh/v1beta1/zz_virtualservice_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ProviderObservation struct {
+
+	// Virtual node associated with a virtual service.
+	VirtualNode []ProviderVirtualNodeObservation `json:"virtualNode,omitempty" tf:"virtual_node,omitempty"`
+
+	// Virtual router associated with a virtual service.
+	VirtualRouter []ProviderVirtualRouterObservation `json:"virtualRouter,omitempty" tf:"virtual_router,omitempty"`
 }
 
 type ProviderParameters struct {
@@ -28,6 +34,9 @@ type ProviderParameters struct {
 }
 
 type ProviderVirtualNodeObservation struct {
+
+	// Name of the virtual node that is acting as a service provider. Must be between 1 and 255 characters in length.
+	VirtualNodeName *string `json:"virtualNodeName,omitempty" tf:"virtual_node_name,omitempty"`
 }
 
 type ProviderVirtualNodeParameters struct {
@@ -48,6 +57,9 @@ type ProviderVirtualNodeParameters struct {
 }
 
 type ProviderVirtualRouterObservation struct {
+
+	// Name of the virtual router that is acting as a service provider. Must be between 1 and 255 characters in length.
+	VirtualRouterName *string `json:"virtualRouterName,omitempty" tf:"virtual_router_name,omitempty"`
 }
 
 type ProviderVirtualRouterParameters struct {
@@ -81,9 +93,24 @@ type VirtualServiceObservation_2 struct {
 	// Last update date of the virtual service.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Name of the service mesh in which to create the virtual service. Must be between 1 and 255 characters in length.
+	MeshName *string `json:"meshName,omitempty" tf:"mesh_name,omitempty"`
+
+	// AWS account ID of the service mesh's owner. Defaults to the account ID the AWS provider is currently connected to.
+	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
+
+	// Name to use for the virtual service. Must be between 1 and 255 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Resource owner's AWS account ID.
 	ResourceOwner *string `json:"resourceOwner,omitempty" tf:"resource_owner,omitempty"`
 
+	// Virtual service specification to apply.
+	Spec []VirtualServiceSpecObservation `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -109,8 +136,8 @@ type VirtualServiceParameters_2 struct {
 	MeshOwner *string `json:"meshOwner,omitempty" tf:"mesh_owner,omitempty"`
 
 	// Name to use for the virtual service. Must be between 1 and 255 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -118,8 +145,8 @@ type VirtualServiceParameters_2 struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Virtual service specification to apply.
-	// +kubebuilder:validation:Required
-	Spec []VirtualServiceSpecParameters `json:"spec" tf:"spec,omitempty"`
+	// +kubebuilder:validation:Optional
+	Spec []VirtualServiceSpecParameters `json:"spec,omitempty" tf:"spec,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -127,6 +154,9 @@ type VirtualServiceParameters_2 struct {
 }
 
 type VirtualServiceSpecObservation struct {
+
+	// App Mesh object that is acting as the provider for a virtual service. You can specify a single virtual node or virtual router.
+	Provider []ProviderObservation `json:"provider,omitempty" tf:"provider,omitempty"`
 }
 
 type VirtualServiceSpecParameters struct {
@@ -160,8 +190,10 @@ type VirtualServiceStatus struct {
 type VirtualService struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VirtualServiceSpec   `json:"spec"`
-	Status            VirtualServiceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)",message="spec is a required parameter"
+	Spec   VirtualServiceSpec   `json:"spec"`
+	Status VirtualServiceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apprunner/v1beta1/zz_autoscalingconfigurationversion_types.go b/apis/apprunner/v1beta1/zz_autoscalingconfigurationversion_types.go
index bd6c08f41c..b1dfd61b4e 100755
--- a/apis/apprunner/v1beta1/zz_autoscalingconfigurationversion_types.go
+++ b/apis/apprunner/v1beta1/zz_autoscalingconfigurationversion_types.go
@@ -18,6 +18,9 @@ type AutoScalingConfigurationVersionObservation struct {
 	// ARN of this auto scaling configuration version.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name of the auto scaling configuration.
+	AutoScalingConfigurationName *string `json:"autoScalingConfigurationName,omitempty" tf:"auto_scaling_configuration_name,omitempty"`
+
 	// The revision of this auto scaling configuration.
 	AutoScalingConfigurationRevision *float64 `json:"autoScalingConfigurationRevision,omitempty" tf:"auto_scaling_configuration_revision,omitempty"`
 
@@ -26,9 +29,21 @@ type AutoScalingConfigurationVersionObservation struct {
 	// Whether the auto scaling configuration has the highest auto_scaling_configuration_revision among all configurations that share the same auto_scaling_configuration_name.
 	Latest *bool `json:"latest,omitempty" tf:"latest,omitempty"`
 
+	// Maximal number of concurrent requests that you want an instance to process. When the number of concurrent requests goes over this limit, App Runner scales up your service.
+	MaxConcurrency *float64 `json:"maxConcurrency,omitempty" tf:"max_concurrency,omitempty"`
+
+	// Maximal number of instances that App Runner provisions for your service.
+	MaxSize *float64 `json:"maxSize,omitempty" tf:"max_size,omitempty"`
+
+	// Minimal number of instances that App Runner provisions for your service.
+	MinSize *float64 `json:"minSize,omitempty" tf:"min_size,omitempty"`
+
 	// Current state of the auto scaling configuration. An INACTIVE configuration revision has been deleted and can't be used. It is permanently removed some time after deletion.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -36,8 +51,8 @@ type AutoScalingConfigurationVersionObservation struct {
 type AutoScalingConfigurationVersionParameters struct {
 
 	// Name of the auto scaling configuration.
-	// +kubebuilder:validation:Required
-	AutoScalingConfigurationName *string `json:"autoScalingConfigurationName" tf:"auto_scaling_configuration_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	AutoScalingConfigurationName *string `json:"autoScalingConfigurationName,omitempty" tf:"auto_scaling_configuration_name,omitempty"`
 
 	// Maximal number of concurrent requests that you want an instance to process. When the number of concurrent requests goes over this limit, App Runner scales up your service.
 	// +kubebuilder:validation:Optional
@@ -85,8 +100,9 @@ type AutoScalingConfigurationVersionStatus struct {
 type AutoScalingConfigurationVersion struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AutoScalingConfigurationVersionSpec   `json:"spec"`
-	Status            AutoScalingConfigurationVersionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.autoScalingConfigurationName)",message="autoScalingConfigurationName is a required parameter"
+	Spec   AutoScalingConfigurationVersionSpec   `json:"spec"`
+	Status AutoScalingConfigurationVersionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apprunner/v1beta1/zz_connection_types.go b/apis/apprunner/v1beta1/zz_connection_types.go
index 50e54bc71c..346ac93a36 100755
--- a/apis/apprunner/v1beta1/zz_connection_types.go
+++ b/apis/apprunner/v1beta1/zz_connection_types.go
@@ -20,9 +20,15 @@ type ConnectionObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Source repository provider. Valid values: GITHUB.
+	ProviderType *string `json:"providerType,omitempty" tf:"provider_type,omitempty"`
+
 	// Current state of the App Runner connection. When the state is AVAILABLE, you can use the connection to create an aws_apprunner_service resource.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -30,8 +36,8 @@ type ConnectionObservation struct {
 type ConnectionParameters struct {
 
 	// Source repository provider. Valid values: GITHUB.
-	// +kubebuilder:validation:Required
-	ProviderType *string `json:"providerType" tf:"provider_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderType *string `json:"providerType,omitempty" tf:"provider_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +73,9 @@ type ConnectionStatus struct {
 type Connection struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConnectionSpec   `json:"spec"`
-	Status            ConnectionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerType)",message="providerType is a required parameter"
+	Spec   ConnectionSpec   `json:"spec"`
+	Status ConnectionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apprunner/v1beta1/zz_generated.deepcopy.go b/apis/apprunner/v1beta1/zz_generated.deepcopy.go
index 99bb2550a1..44b5058728 100644
--- a/apis/apprunner/v1beta1/zz_generated.deepcopy.go
+++ b/apis/apprunner/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthenticationConfigurationObservation) DeepCopyInto(out *AuthenticationConfigurationObservation) {
 	*out = *in
+	if in.AccessRoleArn != nil {
+		in, out := &in.AccessRoleArn, &out.AccessRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionArn != nil {
+		in, out := &in.ConnectionArn, &out.ConnectionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationConfigurationObservation.
@@ -131,6 +141,11 @@ func (in *AutoScalingConfigurationVersionObservation) DeepCopyInto(out *AutoScal
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoScalingConfigurationName != nil {
+		in, out := &in.AutoScalingConfigurationName, &out.AutoScalingConfigurationName
+		*out = new(string)
+		**out = **in
+	}
 	if in.AutoScalingConfigurationRevision != nil {
 		in, out := &in.AutoScalingConfigurationRevision, &out.AutoScalingConfigurationRevision
 		*out = new(float64)
@@ -146,11 +161,41 @@ func (in *AutoScalingConfigurationVersionObservation) DeepCopyInto(out *AutoScal
 		*out = new(bool)
 		**out = **in
 	}
+	if in.MaxConcurrency != nil {
+		in, out := &in.MaxConcurrency, &out.MaxConcurrency
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxSize != nil {
+		in, out := &in.MaxSize, &out.MaxSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinSize != nil {
+		in, out := &in.MinSize, &out.MinSize
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -270,6 +315,18 @@ func (in *AutoScalingConfigurationVersionStatus) DeepCopy() *AutoScalingConfigur
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CodeConfigurationObservation) DeepCopyInto(out *CodeConfigurationObservation) {
 	*out = *in
+	if in.CodeConfigurationValues != nil {
+		in, out := &in.CodeConfigurationValues, &out.CodeConfigurationValues
+		*out = make([]CodeConfigurationValuesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ConfigurationSource != nil {
+		in, out := &in.ConfigurationSource, &out.ConfigurationSource
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CodeConfigurationObservation.
@@ -312,6 +369,56 @@ func (in *CodeConfigurationParameters) DeepCopy() *CodeConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CodeConfigurationValuesObservation) DeepCopyInto(out *CodeConfigurationValuesObservation) {
 	*out = *in
+	if in.BuildCommand != nil {
+		in, out := &in.BuildCommand, &out.BuildCommand
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(string)
+		**out = **in
+	}
+	if in.Runtime != nil {
+		in, out := &in.Runtime, &out.Runtime
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuntimeEnvironmentSecrets != nil {
+		in, out := &in.RuntimeEnvironmentSecrets, &out.RuntimeEnvironmentSecrets
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RuntimeEnvironmentVariables != nil {
+		in, out := &in.RuntimeEnvironmentVariables, &out.RuntimeEnvironmentVariables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.StartCommand != nil {
+		in, out := &in.StartCommand, &out.StartCommand
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CodeConfigurationValuesObservation.
@@ -392,6 +499,25 @@ func (in *CodeConfigurationValuesParameters) DeepCopy() *CodeConfigurationValues
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CodeRepositoryObservation) DeepCopyInto(out *CodeRepositoryObservation) {
 	*out = *in
+	if in.CodeConfiguration != nil {
+		in, out := &in.CodeConfiguration, &out.CodeConfiguration
+		*out = make([]CodeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RepositoryURL != nil {
+		in, out := &in.RepositoryURL, &out.RepositoryURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceCodeVersion != nil {
+		in, out := &in.SourceCodeVersion, &out.SourceCodeVersion
+		*out = make([]SourceCodeVersionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CodeRepositoryObservation.
@@ -510,11 +636,31 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProviderType != nil {
+		in, out := &in.ProviderType, &out.ProviderType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -619,6 +765,16 @@ func (in *ConnectionStatus) DeepCopy() *ConnectionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EgressConfigurationObservation) DeepCopyInto(out *EgressConfigurationObservation) {
 	*out = *in
+	if in.EgressType != nil {
+		in, out := &in.EgressType, &out.EgressType
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCConnectorArn != nil {
+		in, out := &in.VPCConnectorArn, &out.VPCConnectorArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressConfigurationObservation.
@@ -669,6 +825,11 @@ func (in *EgressConfigurationParameters) DeepCopy() *EgressConfigurationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigurationObservation) DeepCopyInto(out *EncryptionConfigurationObservation) {
 	*out = *in
+	if in.KMSKey != nil {
+		in, out := &in.KMSKey, &out.KMSKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigurationObservation.
@@ -704,6 +865,36 @@ func (in *EncryptionConfigurationParameters) DeepCopy() *EncryptionConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HealthCheckConfigurationObservation) DeepCopyInto(out *HealthCheckConfigurationObservation) {
 	*out = *in
+	if in.HealthyThreshold != nil {
+		in, out := &in.HealthyThreshold, &out.HealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UnhealthyThreshold != nil {
+		in, out := &in.UnhealthyThreshold, &out.UnhealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckConfigurationObservation.
@@ -764,6 +955,46 @@ func (in *HealthCheckConfigurationParameters) DeepCopy() *HealthCheckConfigurati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageConfigurationObservation) DeepCopyInto(out *ImageConfigurationObservation) {
 	*out = *in
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuntimeEnvironmentSecrets != nil {
+		in, out := &in.RuntimeEnvironmentSecrets, &out.RuntimeEnvironmentSecrets
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RuntimeEnvironmentVariables != nil {
+		in, out := &in.RuntimeEnvironmentVariables, &out.RuntimeEnvironmentVariables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.StartCommand != nil {
+		in, out := &in.StartCommand, &out.StartCommand
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageConfigurationObservation.
@@ -834,6 +1065,23 @@ func (in *ImageConfigurationParameters) DeepCopy() *ImageConfigurationParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageRepositoryObservation) DeepCopyInto(out *ImageRepositoryObservation) {
 	*out = *in
+	if in.ImageConfiguration != nil {
+		in, out := &in.ImageConfiguration, &out.ImageConfiguration
+		*out = make([]ImageConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ImageIdentifier != nil {
+		in, out := &in.ImageIdentifier, &out.ImageIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageRepositoryType != nil {
+		in, out := &in.ImageRepositoryType, &out.ImageRepositoryType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRepositoryObservation.
@@ -881,6 +1129,11 @@ func (in *ImageRepositoryParameters) DeepCopy() *ImageRepositoryParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IngressConfigurationObservation) DeepCopyInto(out *IngressConfigurationObservation) {
 	*out = *in
+	if in.IsPubliclyAccessible != nil {
+		in, out := &in.IsPubliclyAccessible, &out.IsPubliclyAccessible
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressConfigurationObservation.
@@ -916,6 +1169,21 @@ func (in *IngressConfigurationParameters) DeepCopy() *IngressConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceConfigurationObservation) DeepCopyInto(out *InstanceConfigurationObservation) {
 	*out = *in
+	if in.CPU != nil {
+		in, out := &in.CPU, &out.CPU
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceRoleArn != nil {
+		in, out := &in.InstanceRoleArn, &out.InstanceRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Memory != nil {
+		in, out := &in.Memory, &out.Memory
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceConfigurationObservation.
@@ -961,6 +1229,20 @@ func (in *InstanceConfigurationParameters) DeepCopy() *InstanceConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkConfigurationObservation) DeepCopyInto(out *NetworkConfigurationObservation) {
 	*out = *in
+	if in.EgressConfiguration != nil {
+		in, out := &in.EgressConfiguration, &out.EgressConfiguration
+		*out = make([]EgressConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IngressConfiguration != nil {
+		in, out := &in.IngressConfiguration, &out.IngressConfiguration
+		*out = make([]IngressConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkConfigurationObservation.
@@ -1079,6 +1361,11 @@ func (in *ObservabilityConfigurationObservation) DeepCopyInto(out *Observability
 		*out = new(bool)
 		**out = **in
 	}
+	if in.ObservabilityConfigurationName != nil {
+		in, out := &in.ObservabilityConfigurationName, &out.ObservabilityConfigurationName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ObservabilityConfigurationRevision != nil {
 		in, out := &in.ObservabilityConfigurationRevision, &out.ObservabilityConfigurationRevision
 		*out = new(float64)
@@ -1089,6 +1376,21 @@ func (in *ObservabilityConfigurationObservation) DeepCopyInto(out *Observability
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1104,6 +1406,13 @@ func (in *ObservabilityConfigurationObservation) DeepCopyInto(out *Observability
 			(*out)[key] = outVal
 		}
 	}
+	if in.TraceConfiguration != nil {
+		in, out := &in.TraceConfiguration, &out.TraceConfiguration
+		*out = make([]TraceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObservabilityConfigurationObservation.
@@ -1259,6 +1568,16 @@ func (in *ServiceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceObservabilityConfigurationObservation) DeepCopyInto(out *ServiceObservabilityConfigurationObservation) {
 	*out = *in
+	if in.ObservabilityConfigurationArn != nil {
+		in, out := &in.ObservabilityConfigurationArn, &out.ObservabilityConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObservabilityEnabled != nil {
+		in, out := &in.ObservabilityEnabled, &out.ObservabilityEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceObservabilityConfigurationObservation.
@@ -1314,26 +1633,93 @@ func (in *ServiceObservation) DeepCopyInto(out *ServiceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoScalingConfigurationArn != nil {
+		in, out := &in.AutoScalingConfigurationArn, &out.AutoScalingConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]EncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HealthCheckConfiguration != nil {
+		in, out := &in.HealthCheckConfiguration, &out.HealthCheckConfiguration
+		*out = make([]HealthCheckConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceConfiguration != nil {
+		in, out := &in.InstanceConfiguration, &out.InstanceConfiguration
+		*out = make([]InstanceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkConfiguration != nil {
+		in, out := &in.NetworkConfiguration, &out.NetworkConfiguration
+		*out = make([]NetworkConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ObservabilityConfiguration != nil {
+		in, out := &in.ObservabilityConfiguration, &out.ObservabilityConfiguration
+		*out = make([]ServiceObservabilityConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ServiceID != nil {
 		in, out := &in.ServiceID, &out.ServiceID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ServiceURL != nil {
 		in, out := &in.ServiceURL, &out.ServiceURL
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceConfiguration != nil {
+		in, out := &in.SourceConfiguration, &out.SourceConfiguration
+		*out = make([]SourceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1485,6 +1871,16 @@ func (in *ServiceStatus) DeepCopy() *ServiceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceCodeVersionObservation) DeepCopyInto(out *SourceCodeVersionObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceCodeVersionObservation.
@@ -1525,6 +1921,32 @@ func (in *SourceCodeVersionParameters) DeepCopy() *SourceCodeVersionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceConfigurationObservation) DeepCopyInto(out *SourceConfigurationObservation) {
 	*out = *in
+	if in.AuthenticationConfiguration != nil {
+		in, out := &in.AuthenticationConfiguration, &out.AuthenticationConfiguration
+		*out = make([]AuthenticationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutoDeploymentsEnabled != nil {
+		in, out := &in.AutoDeploymentsEnabled, &out.AutoDeploymentsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CodeRepository != nil {
+		in, out := &in.CodeRepository, &out.CodeRepository
+		*out = make([]CodeRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ImageRepository != nil {
+		in, out := &in.ImageRepository, &out.ImageRepository
+		*out = make([]ImageRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceConfigurationObservation.
@@ -1581,6 +2003,11 @@ func (in *SourceConfigurationParameters) DeepCopy() *SourceConfigurationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TraceConfigurationObservation) DeepCopyInto(out *TraceConfigurationObservation) {
 	*out = *in
+	if in.Vendor != nil {
+		in, out := &in.Vendor, &out.Vendor
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TraceConfigurationObservation.
@@ -1685,11 +2112,48 @@ func (in *VPCConnectorObservation) DeepCopyInto(out *VPCConnectorObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1705,6 +2169,11 @@ func (in *VPCConnectorObservation) DeepCopyInto(out *VPCConnectorObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCConnectorName != nil {
+		in, out := &in.VPCConnectorName, &out.VPCConnectorName
+		*out = new(string)
+		**out = **in
+	}
 	if in.VPCConnectorRevision != nil {
 		in, out := &in.VPCConnectorRevision, &out.VPCConnectorRevision
 		*out = new(float64)
diff --git a/apis/apprunner/v1beta1/zz_observabilityconfiguration_types.go b/apis/apprunner/v1beta1/zz_observabilityconfiguration_types.go
index ff3ce92134..e8756f6459 100755
--- a/apis/apprunner/v1beta1/zz_observabilityconfiguration_types.go
+++ b/apis/apprunner/v1beta1/zz_observabilityconfiguration_types.go
@@ -23,21 +23,30 @@ type ObservabilityConfigurationObservation struct {
 	// Whether the observability configuration has the highest observability_configuration_revision among all configurations that share the same observability_configuration_name.
 	Latest *bool `json:"latest,omitempty" tf:"latest,omitempty"`
 
+	// Name of the observability configuration.
+	ObservabilityConfigurationName *string `json:"observabilityConfigurationName,omitempty" tf:"observability_configuration_name,omitempty"`
+
 	// The revision of this observability configuration.
 	ObservabilityConfigurationRevision *float64 `json:"observabilityConfigurationRevision,omitempty" tf:"observability_configuration_revision,omitempty"`
 
 	// Current state of the observability configuration. An INACTIVE configuration revision has been deleted and can't be used. It is permanently removed some time after deletion.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration of the tracing feature within this observability configuration. If you don't specify it, App Runner doesn't enable tracing. See Trace Configuration below for more details.
+	TraceConfiguration []TraceConfigurationObservation `json:"traceConfiguration,omitempty" tf:"trace_configuration,omitempty"`
 }
 
 type ObservabilityConfigurationParameters struct {
 
 	// Name of the observability configuration.
-	// +kubebuilder:validation:Required
-	ObservabilityConfigurationName *string `json:"observabilityConfigurationName" tf:"observability_configuration_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ObservabilityConfigurationName *string `json:"observabilityConfigurationName,omitempty" tf:"observability_configuration_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -54,6 +63,9 @@ type ObservabilityConfigurationParameters struct {
 }
 
 type TraceConfigurationObservation struct {
+
+	// Implementation provider chosen for tracing App Runner services. Valid values: AWSXRAY.
+	Vendor *string `json:"vendor,omitempty" tf:"vendor,omitempty"`
 }
 
 type TraceConfigurationParameters struct {
@@ -87,8 +99,9 @@ type ObservabilityConfigurationStatus struct {
 type ObservabilityConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ObservabilityConfigurationSpec   `json:"spec"`
-	Status            ObservabilityConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.observabilityConfigurationName)",message="observabilityConfigurationName is a required parameter"
+	Spec   ObservabilityConfigurationSpec   `json:"spec"`
+	Status ObservabilityConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apprunner/v1beta1/zz_service_types.go b/apis/apprunner/v1beta1/zz_service_types.go
index 9be784f4e8..0a27f58008 100755
--- a/apis/apprunner/v1beta1/zz_service_types.go
+++ b/apis/apprunner/v1beta1/zz_service_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AuthenticationConfigurationObservation struct {
+
+	// ARN of the IAM role that grants the App Runner service access to a source repository. Required for ECR image repositories (but not for ECR Public)
+	AccessRoleArn *string `json:"accessRoleArn,omitempty" tf:"access_role_arn,omitempty"`
+
+	// ARN of the App Runner connection that enables the App Runner service to connect to a source repository. Required for GitHub code repositories.
+	ConnectionArn *string `json:"connectionArn,omitempty" tf:"connection_arn,omitempty"`
 }
 
 type AuthenticationConfigurationParameters struct {
@@ -38,6 +44,12 @@ type AuthenticationConfigurationParameters struct {
 }
 
 type CodeConfigurationObservation struct {
+
+	// Basic configuration for building and running the App Runner service. Use this parameter to quickly launch an App Runner service without providing an apprunner.yaml file in the source code repository (or ignoring the file if it exists). See Code Configuration Values below for more details.
+	CodeConfigurationValues []CodeConfigurationValuesObservation `json:"codeConfigurationValues,omitempty" tf:"code_configuration_values,omitempty"`
+
+	// Source of the App Runner configuration. Valid values: REPOSITORY, API. Values are interpreted as follows:
+	ConfigurationSource *string `json:"configurationSource,omitempty" tf:"configuration_source,omitempty"`
 }
 
 type CodeConfigurationParameters struct {
@@ -52,6 +64,24 @@ type CodeConfigurationParameters struct {
 }
 
 type CodeConfigurationValuesObservation struct {
+
+	// Command App Runner runs to build your application.
+	BuildCommand *string `json:"buildCommand,omitempty" tf:"build_command,omitempty"`
+
+	// Port that your application listens to in the container. Defaults to "8080".
+	Port *string `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Runtime environment type for building and running an App Runner service. Represents a programming language runtime. Valid values: PYTHON_3, NODEJS_12, NODEJS_14, NODEJS_16, CORRETTO_8, CORRETTO_11, GO_1, DOTNET_6, PHP_81, RUBY_31.
+	Runtime *string `json:"runtime,omitempty" tf:"runtime,omitempty"`
+
+	// Secrets and parameters available to your service as environment variables. A map of key/value pairs.
+	RuntimeEnvironmentSecrets map[string]*string `json:"runtimeEnvironmentSecrets,omitempty" tf:"runtime_environment_secrets,omitempty"`
+
+	// Environment variables available to your running App Runner service. A map of key/value pairs. Keys with a prefix of AWSAPPRUNNER are reserved for system use and aren't valid.
+	RuntimeEnvironmentVariables map[string]*string `json:"runtimeEnvironmentVariables,omitempty" tf:"runtime_environment_variables,omitempty"`
+
+	// Command App Runner runs to start the application in the source image. If specified, this command overrides the Docker image’s default start command.
+	StartCommand *string `json:"startCommand,omitempty" tf:"start_command,omitempty"`
 }
 
 type CodeConfigurationValuesParameters struct {
@@ -82,6 +112,15 @@ type CodeConfigurationValuesParameters struct {
 }
 
 type CodeRepositoryObservation struct {
+
+	// Configuration for building and running the service from a source code repository. See Code Configuration below for more details.
+	CodeConfiguration []CodeConfigurationObservation `json:"codeConfiguration,omitempty" tf:"code_configuration,omitempty"`
+
+	// Location of the repository that contains the source code.
+	RepositoryURL *string `json:"repositoryUrl,omitempty" tf:"repository_url,omitempty"`
+
+	// Version that should be used within the source code repository. See Source Code Version below for more details.
+	SourceCodeVersion []SourceCodeVersionObservation `json:"sourceCodeVersion,omitempty" tf:"source_code_version,omitempty"`
 }
 
 type CodeRepositoryParameters struct {
@@ -100,6 +139,12 @@ type CodeRepositoryParameters struct {
 }
 
 type EgressConfigurationObservation struct {
+
+	// Type of egress configuration.Set to DEFAULT for access to resources hosted on public networks.Set to VPC to associate your service to a custom VPC specified by VpcConnectorArn.
+	EgressType *string `json:"egressType,omitempty" tf:"egress_type,omitempty"`
+
+	// ARN of the App Runner VPC connector that you want to associate with your App Runner service. Only valid when EgressType = VPC.
+	VPCConnectorArn *string `json:"vpcConnectorArn,omitempty" tf:"vpc_connector_arn,omitempty"`
 }
 
 type EgressConfigurationParameters struct {
@@ -124,6 +169,9 @@ type EgressConfigurationParameters struct {
 }
 
 type EncryptionConfigurationObservation struct {
+
+	// ARN of the KMS key used for encryption.
+	KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"`
 }
 
 type EncryptionConfigurationParameters struct {
@@ -134,6 +182,24 @@ type EncryptionConfigurationParameters struct {
 }
 
 type HealthCheckConfigurationObservation struct {
+
+	// Number of consecutive checks that must succeed before App Runner decides that the service is healthy. Defaults to 1. Minimum value of 1. Maximum value of 20.
+	HealthyThreshold *float64 `json:"healthyThreshold,omitempty" tf:"healthy_threshold,omitempty"`
+
+	// Time interval, in seconds, between health checks. Defaults to 5. Minimum value of 1. Maximum value of 20.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// URL to send requests to for health checks. Defaults to /. Minimum length of 0. Maximum length of 51200.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// IP protocol that App Runner uses to perform health checks for your service. Valid values: TCP, HTTP. Defaults to TCP. If you set protocol to HTTP, App Runner sends health check requests to the HTTP path specified by path.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Time, in seconds, to wait for a health check response before deciding it failed. Defaults to 2. Minimum value of  1. Maximum value of 20.
+	Timeout *float64 `json:"timeout,omitempty" tf:"timeout,omitempty"`
+
+	// Number of consecutive checks that must fail before App Runner decides that the service is unhealthy. Defaults to 5. Minimum value of  1. Maximum value of 20.
+	UnhealthyThreshold *float64 `json:"unhealthyThreshold,omitempty" tf:"unhealthy_threshold,omitempty"`
 }
 
 type HealthCheckConfigurationParameters struct {
@@ -164,6 +230,18 @@ type HealthCheckConfigurationParameters struct {
 }
 
 type ImageConfigurationObservation struct {
+
+	// Port that your application listens to in the container. Defaults to "8080".
+	Port *string `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Secrets and parameters available to your service as environment variables. A map of key/value pairs.
+	RuntimeEnvironmentSecrets map[string]*string `json:"runtimeEnvironmentSecrets,omitempty" tf:"runtime_environment_secrets,omitempty"`
+
+	// Environment variables available to your running App Runner service. A map of key/value pairs. Keys with a prefix of AWSAPPRUNNER are reserved for system use and aren't valid.
+	RuntimeEnvironmentVariables map[string]*string `json:"runtimeEnvironmentVariables,omitempty" tf:"runtime_environment_variables,omitempty"`
+
+	// Command App Runner runs to start the application in the source image. If specified, this command overrides the Docker image’s default start command.
+	StartCommand *string `json:"startCommand,omitempty" tf:"start_command,omitempty"`
 }
 
 type ImageConfigurationParameters struct {
@@ -186,6 +264,16 @@ type ImageConfigurationParameters struct {
 }
 
 type ImageRepositoryObservation struct {
+
+	// Configuration for running the identified image. See Image Configuration below for more details.
+	ImageConfiguration []ImageConfigurationObservation `json:"imageConfiguration,omitempty" tf:"image_configuration,omitempty"`
+
+	// Identifier of an image. For an image in Amazon Elastic Container Registry (Amazon ECR), this is an image name. For the
+	// image name format, see Pulling an image in the Amazon ECR User Guide.
+	ImageIdentifier *string `json:"imageIdentifier,omitempty" tf:"image_identifier,omitempty"`
+
+	// Type of the image repository. This reflects the repository provider and whether the repository is private or public. Valid values: ECR , ECR_PUBLIC.
+	ImageRepositoryType *string `json:"imageRepositoryType,omitempty" tf:"image_repository_type,omitempty"`
 }
 
 type ImageRepositoryParameters struct {
@@ -205,6 +293,9 @@ type ImageRepositoryParameters struct {
 }
 
 type IngressConfigurationObservation struct {
+
+	// Specifies whether your App Runner service is publicly accessible. To make the service publicly accessible set it to True. To make the service privately accessible, from only within an Amazon VPC set it to False.
+	IsPubliclyAccessible *bool `json:"isPubliclyAccessible,omitempty" tf:"is_publicly_accessible,omitempty"`
 }
 
 type IngressConfigurationParameters struct {
@@ -215,6 +306,15 @@ type IngressConfigurationParameters struct {
 }
 
 type InstanceConfigurationObservation struct {
+
+	// Number of CPU units reserved for each instance of your App Runner service represented as a String. Defaults to 1024. Valid values: 1024|2048|(1|2) vCPU.
+	CPU *string `json:"cpu,omitempty" tf:"cpu,omitempty"`
+
+	// ARN of an IAM role that provides permissions to your App Runner service. These are permissions that your code needs when it calls any AWS APIs.
+	InstanceRoleArn *string `json:"instanceRoleArn,omitempty" tf:"instance_role_arn,omitempty"`
+
+	// Amount of memory, in MB or GB, reserved for each instance of your App Runner service. Defaults to 2048. Valid values: 2048|3072|4096|(2|3|4) GB.
+	Memory *string `json:"memory,omitempty" tf:"memory,omitempty"`
 }
 
 type InstanceConfigurationParameters struct {
@@ -233,6 +333,12 @@ type InstanceConfigurationParameters struct {
 }
 
 type NetworkConfigurationObservation struct {
+
+	// Network configuration settings for outbound message traffic. See Egress Configuration below for more details.
+	EgressConfiguration []EgressConfigurationObservation `json:"egressConfiguration,omitempty" tf:"egress_configuration,omitempty"`
+
+	// Network configuration settings for inbound network traffic. See Ingress Configuration below for more details.
+	IngressConfiguration []IngressConfigurationObservation `json:"ingressConfiguration,omitempty" tf:"ingress_configuration,omitempty"`
 }
 
 type NetworkConfigurationParameters struct {
@@ -247,6 +353,12 @@ type NetworkConfigurationParameters struct {
 }
 
 type ServiceObservabilityConfigurationObservation struct {
+
+	// ARN of the observability configuration that is associated with the service. Specified only when observability_enabled is true.
+	ObservabilityConfigurationArn *string `json:"observabilityConfigurationArn,omitempty" tf:"observability_configuration_arn,omitempty"`
+
+	// When true, an observability configuration resource is associated with the service.
+	ObservabilityEnabled *bool `json:"observabilityEnabled,omitempty" tf:"observability_enabled,omitempty"`
 }
 
 type ServiceObservabilityConfigurationParameters struct {
@@ -275,17 +387,44 @@ type ServiceObservation struct {
 	// ARN of the App Runner service.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of an App Runner automatic scaling configuration resource that you want to associate with your service. If not provided, App Runner associates the latest revision of a default auto scaling configuration.
+	AutoScalingConfigurationArn *string `json:"autoScalingConfigurationArn,omitempty" tf:"auto_scaling_configuration_arn,omitempty"`
+
+	// (Forces new resource) An optional custom encryption key that App Runner uses to encrypt the copy of your source repository that it maintains and your service logs. By default, App Runner uses an AWS managed CMK. See Encryption Configuration below for more details.
+	EncryptionConfiguration []EncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// (Forces new resource) Settings of the health check that AWS App Runner performs to monitor the health of your service. See Health Check Configuration below for more details.
+	HealthCheckConfiguration []HealthCheckConfigurationObservation `json:"healthCheckConfiguration,omitempty" tf:"health_check_configuration,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The runtime configuration of instances (scaling units) of the App Runner service. See Instance Configuration below for more details.
+	InstanceConfiguration []InstanceConfigurationObservation `json:"instanceConfiguration,omitempty" tf:"instance_configuration,omitempty"`
+
+	// Configuration settings related to network traffic of the web application that the App Runner service runs. See Network Configuration below for more details.
+	NetworkConfiguration []NetworkConfigurationObservation `json:"networkConfiguration,omitempty" tf:"network_configuration,omitempty"`
+
+	// The observability configuration of your service. See Observability Configuration below for more details.
+	ObservabilityConfiguration []ServiceObservabilityConfigurationObservation `json:"observabilityConfiguration,omitempty" tf:"observability_configuration,omitempty"`
+
 	// An alphanumeric ID that App Runner generated for this service. Unique within the AWS Region.
 	ServiceID *string `json:"serviceId,omitempty" tf:"service_id,omitempty"`
 
+	// (Forces new resource) Name of the service.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
+
 	// Subdomain URL that App Runner generated for this service. You can use this URL to access your service web application.
 	ServiceURL *string `json:"serviceUrl,omitempty" tf:"service_url,omitempty"`
 
+	// The source to deploy to the App Runner service. Can be a code or an image repository. See Source Configuration below for more details.
+	SourceConfiguration []SourceConfigurationObservation `json:"sourceConfiguration,omitempty" tf:"source_configuration,omitempty"`
+
 	// Current state of the App Runner service.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -322,12 +461,12 @@ type ServiceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// (Forces new resource) Name of the service.
-	// +kubebuilder:validation:Required
-	ServiceName *string `json:"serviceName" tf:"service_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
 
 	// The source to deploy to the App Runner service. Can be a code or an image repository. See Source Configuration below for more details.
-	// +kubebuilder:validation:Required
-	SourceConfiguration []SourceConfigurationParameters `json:"sourceConfiguration" tf:"source_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	SourceConfiguration []SourceConfigurationParameters `json:"sourceConfiguration,omitempty" tf:"source_configuration,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -335,6 +474,12 @@ type ServiceParameters struct {
 }
 
 type SourceCodeVersionObservation struct {
+
+	// Type of version identifier. For a git-based repository, branches represent versions. Valid values: BRANCH.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Source code version. For a git-based repository, a branch name maps to a specific version. App Runner uses the most recent commit to the branch.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type SourceCodeVersionParameters struct {
@@ -349,6 +494,18 @@ type SourceCodeVersionParameters struct {
 }
 
 type SourceConfigurationObservation struct {
+
+	// Describes resources needed to authenticate access to some source repositories. See Authentication Configuration below for more details.
+	AuthenticationConfiguration []AuthenticationConfigurationObservation `json:"authenticationConfiguration,omitempty" tf:"authentication_configuration,omitempty"`
+
+	// Whether continuous integration from the source repository is enabled for the App Runner service. If set to true, each repository change (source code commit or new image version) starts a deployment. Defaults to true.
+	AutoDeploymentsEnabled *bool `json:"autoDeploymentsEnabled,omitempty" tf:"auto_deployments_enabled,omitempty"`
+
+	// Description of a source code repository. See Code Repository below for more details.
+	CodeRepository []CodeRepositoryObservation `json:"codeRepository,omitempty" tf:"code_repository,omitempty"`
+
+	// Description of a source image repository. See Image Repository below for more details.
+	ImageRepository []ImageRepositoryObservation `json:"imageRepository,omitempty" tf:"image_repository,omitempty"`
 }
 
 type SourceConfigurationParameters struct {
@@ -394,8 +551,10 @@ type ServiceStatus struct {
 type Service struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServiceSpec   `json:"spec"`
-	Status            ServiceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceName)",message="serviceName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceConfiguration)",message="sourceConfiguration is a required parameter"
+	Spec   ServiceSpec   `json:"spec"`
+	Status ServiceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/apprunner/v1beta1/zz_vpcconnector_types.go b/apis/apprunner/v1beta1/zz_vpcconnector_types.go
index 38e7c619c2..f66394dfc2 100755
--- a/apis/apprunner/v1beta1/zz_vpcconnector_types.go
+++ b/apis/apprunner/v1beta1/zz_vpcconnector_types.go
@@ -20,12 +20,24 @@ type VPCConnectorObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of IDs of security groups that App Runner should use for access to AWS resources under the specified subnets. If not specified, App Runner uses the default security group of the Amazon VPC. The default security group allows all outbound traffic.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
 	// Current state of the VPC connector. If the status of a connector revision is INACTIVE, it was deleted and can't be used. Inactive connector revisions are permanently removed some time after they are deleted.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// List of IDs of subnets that App Runner should use when it associates your service with a custom Amazon VPC. Specify IDs of subnets of a single Amazon VPC. App Runner determines the Amazon VPC from the subnets you specify.
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Name for the VPC connector.
+	VPCConnectorName *string `json:"vpcConnectorName,omitempty" tf:"vpc_connector_name,omitempty"`
+
 	// The revision of VPC connector. It's unique among all the active connectors ("Status": "ACTIVE") that share the same Name.
 	VPCConnectorRevision *float64 `json:"vpcConnectorRevision,omitempty" tf:"vpc_connector_revision,omitempty"`
 }
@@ -72,8 +84,8 @@ type VPCConnectorParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Name for the VPC connector.
-	// +kubebuilder:validation:Required
-	VPCConnectorName *string `json:"vpcConnectorName" tf:"vpc_connector_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	VPCConnectorName *string `json:"vpcConnectorName,omitempty" tf:"vpc_connector_name,omitempty"`
 }
 
 // VPCConnectorSpec defines the desired state of VPCConnector
@@ -100,8 +112,9 @@ type VPCConnectorStatus struct {
 type VPCConnector struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCConnectorSpec   `json:"spec"`
-	Status            VPCConnectorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcConnectorName)",message="vpcConnectorName is a required parameter"
+	Spec   VPCConnectorSpec   `json:"spec"`
+	Status VPCConnectorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appstream/v1beta1/zz_directoryconfig_types.go b/apis/appstream/v1beta1/zz_directoryconfig_types.go
index 40793f9e16..141402b68d 100755
--- a/apis/appstream/v1beta1/zz_directoryconfig_types.go
+++ b/apis/appstream/v1beta1/zz_directoryconfig_types.go
@@ -18,19 +18,28 @@ type DirectoryConfigObservation struct {
 	// Date and time, in UTC and extended RFC 3339 format, when the directory config was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Fully qualified name of the directory.
+	DirectoryName *string `json:"directoryName,omitempty" tf:"directory_name,omitempty"`
+
 	// Unique identifier (ID) of the appstream directory config.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Distinguished names of the organizational units for computer accounts.
+	OrganizationalUnitDistinguishedNames []*string `json:"organizationalUnitDistinguishedNames,omitempty" tf:"organizational_unit_distinguished_names,omitempty"`
+
+	// Configuration block for the name of the directory and organizational unit (OU) to use to join the directory config to a Microsoft Active Directory domain. See service_account_credentials below.
+	ServiceAccountCredentials []ServiceAccountCredentialsObservation `json:"serviceAccountCredentials,omitempty" tf:"service_account_credentials,omitempty"`
 }
 
 type DirectoryConfigParameters struct {
 
 	// Fully qualified name of the directory.
-	// +kubebuilder:validation:Required
-	DirectoryName *string `json:"directoryName" tf:"directory_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	DirectoryName *string `json:"directoryName,omitempty" tf:"directory_name,omitempty"`
 
 	// Distinguished names of the organizational units for computer accounts.
-	// +kubebuilder:validation:Required
-	OrganizationalUnitDistinguishedNames []*string `json:"organizationalUnitDistinguishedNames" tf:"organizational_unit_distinguished_names,omitempty"`
+	// +kubebuilder:validation:Optional
+	OrganizationalUnitDistinguishedNames []*string `json:"organizationalUnitDistinguishedNames,omitempty" tf:"organizational_unit_distinguished_names,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -38,11 +47,14 @@ type DirectoryConfigParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Configuration block for the name of the directory and organizational unit (OU) to use to join the directory config to a Microsoft Active Directory domain. See service_account_credentials below.
-	// +kubebuilder:validation:Required
-	ServiceAccountCredentials []ServiceAccountCredentialsParameters `json:"serviceAccountCredentials" tf:"service_account_credentials,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServiceAccountCredentials []ServiceAccountCredentialsParameters `json:"serviceAccountCredentials,omitempty" tf:"service_account_credentials,omitempty"`
 }
 
 type ServiceAccountCredentialsObservation struct {
+
+	// User name of the account. This account must have the following privileges: create computer objects, join computers to the domain, and change/reset the password on descendant computer objects for the organizational units specified.
+	AccountName *string `json:"accountName,omitempty" tf:"account_name,omitempty"`
 }
 
 type ServiceAccountCredentialsParameters struct {
@@ -80,8 +92,11 @@ type DirectoryConfigStatus struct {
 type DirectoryConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DirectoryConfigSpec   `json:"spec"`
-	Status            DirectoryConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.directoryName)",message="directoryName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.organizationalUnitDistinguishedNames)",message="organizationalUnitDistinguishedNames is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountCredentials)",message="serviceAccountCredentials is a required parameter"
+	Spec   DirectoryConfigSpec   `json:"spec"`
+	Status DirectoryConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appstream/v1beta1/zz_fleet_types.go b/apis/appstream/v1beta1/zz_fleet_types.go
index 930e96b032..87faed45a1 100755
--- a/apis/appstream/v1beta1/zz_fleet_types.go
+++ b/apis/appstream/v1beta1/zz_fleet_types.go
@@ -18,6 +18,9 @@ type ComputeCapacityObservation struct {
 	// Number of currently available instances that can be used to stream sessions.
 	Available *float64 `json:"available,omitempty" tf:"available,omitempty"`
 
+	// Desired number of streaming instances.
+	DesiredInstances *float64 `json:"desiredInstances,omitempty" tf:"desired_instances,omitempty"`
+
 	// Number of instances in use for streaming.
 	InUse *float64 `json:"inUse,omitempty" tf:"in_use,omitempty"`
 
@@ -33,6 +36,12 @@ type ComputeCapacityParameters struct {
 }
 
 type DomainJoinInfoObservation struct {
+
+	// Fully qualified name of the directory (for example, corp.example.com).
+	DirectoryName *string `json:"directoryName,omitempty" tf:"directory_name,omitempty"`
+
+	// Distinguished name of the organizational unit for computer accounts.
+	OrganizationalUnitDistinguishedName *string `json:"organizationalUnitDistinguishedName,omitempty" tf:"organizational_unit_distinguished_name,omitempty"`
 }
 
 type DomainJoinInfoParameters struct {
@@ -52,26 +61,73 @@ type FleetObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Configuration block for the desired capacity of the fleet. See below.
-	// +kubebuilder:validation:Required
 	ComputeCapacity []ComputeCapacityObservation `json:"computeCapacity,omitempty" tf:"compute_capacity,omitempty"`
 
 	// Date and time, in UTC and extended RFC 3339 format, when the fleet was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Description to display.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Amount of time that a streaming session remains active after users disconnect.
+	DisconnectTimeoutInSeconds *float64 `json:"disconnectTimeoutInSeconds,omitempty" tf:"disconnect_timeout_in_seconds,omitempty"`
+
+	// Human-readable friendly name for the AppStream fleet.
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// Configuration block for the name of the directory and organizational unit (OU) to use to join the fleet to a Microsoft Active Directory domain. See below.
+	DomainJoinInfo []DomainJoinInfoObservation `json:"domainJoinInfo,omitempty" tf:"domain_join_info,omitempty"`
+
+	// Enables or disables default internet access for the fleet.
+	EnableDefaultInternetAccess *bool `json:"enableDefaultInternetAccess,omitempty" tf:"enable_default_internet_access,omitempty"`
+
+	// Fleet type. Valid values are: ON_DEMAND, ALWAYS_ON
+	FleetType *string `json:"fleetType,omitempty" tf:"fleet_type,omitempty"`
+
+	// ARN of the IAM role to apply to the fleet.
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	// Unique identifier (ID) of the appstream fleet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amount of time that users can be idle (inactive) before they are disconnected from their streaming session and the disconnect_timeout_in_seconds time interval begins.
+	IdleDisconnectTimeoutInSeconds *float64 `json:"idleDisconnectTimeoutInSeconds,omitempty" tf:"idle_disconnect_timeout_in_seconds,omitempty"`
+
+	// ARN of the public, private, or shared image to use.
+	ImageArn *string `json:"imageArn,omitempty" tf:"image_arn,omitempty"`
+
+	// Name of the image used to create the fleet.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
+	// Instance type to use when launching fleet instances.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// Maximum amount of time that a streaming session can remain active, in seconds.
+	MaxUserDurationInSeconds *float64 `json:"maxUserDurationInSeconds,omitempty" tf:"max_user_duration_in_seconds,omitempty"`
+
+	// Unique name for the fleet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// State of the fleet. Can be STARTING, RUNNING, STOPPING or STOPPED
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// AppStream 2.0 view that is displayed to your users when they stream from the fleet. When APP is specified, only the windows of applications opened by users display. When DESKTOP is specified, the standard desktop that is provided by the operating system displays. If not specified, defaults to APP.
+	StreamView *string `json:"streamView,omitempty" tf:"stream_view,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration block for the VPC configuration for the image builder. See below.
+	VPCConfig []VPCConfigObservation `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
 }
 
 type FleetParameters struct {
 
 	// Configuration block for the desired capacity of the fleet. See below.
-	// +kubebuilder:validation:Required
-	ComputeCapacity []ComputeCapacityParameters `json:"computeCapacity" tf:"compute_capacity,omitempty"`
+	// +kubebuilder:validation:Optional
+	ComputeCapacity []ComputeCapacityParameters `json:"computeCapacity,omitempty" tf:"compute_capacity,omitempty"`
 
 	// Description to display.
 	// +kubebuilder:validation:Optional
@@ -124,16 +180,16 @@ type FleetParameters struct {
 	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
 
 	// Instance type to use when launching fleet instances.
-	// +kubebuilder:validation:Required
-	InstanceType *string `json:"instanceType" tf:"instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
 
 	// Maximum amount of time that a streaming session can remain active, in seconds.
 	// +kubebuilder:validation:Optional
 	MaxUserDurationInSeconds *float64 `json:"maxUserDurationInSeconds,omitempty" tf:"max_user_duration_in_seconds,omitempty"`
 
 	// Unique name for the fleet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -154,6 +210,12 @@ type FleetParameters struct {
 }
 
 type VPCConfigObservation struct {
+
+	// Identifiers of the security groups for the fleet or image builder.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Identifiers of the subnets to which a network interface is attached from the fleet instance or image builder instance.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 }
 
 type VPCConfigParameters struct {
@@ -202,8 +264,11 @@ type FleetStatus struct {
 type Fleet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FleetSpec   `json:"spec"`
-	Status            FleetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.computeCapacity)",message="computeCapacity is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)",message="instanceType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   FleetSpec   `json:"spec"`
+	Status FleetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appstream/v1beta1/zz_fleetstackassociation_types.go b/apis/appstream/v1beta1/zz_fleetstackassociation_types.go
index a5fa3d98ad..14ac20dd8d 100755
--- a/apis/appstream/v1beta1/zz_fleetstackassociation_types.go
+++ b/apis/appstream/v1beta1/zz_fleetstackassociation_types.go
@@ -15,8 +15,14 @@ import (
 
 type FleetStackAssociationObservation struct {
 
+	// Name of the fleet.
+	FleetName *string `json:"fleetName,omitempty" tf:"fleet_name,omitempty"`
+
 	// Unique ID of the appstream stack fleet association, composed of the fleet_name and stack_name separated by a slash (/).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the stack.
+	StackName *string `json:"stackName,omitempty" tf:"stack_name,omitempty"`
 }
 
 type FleetStackAssociationParameters struct {
diff --git a/apis/appstream/v1beta1/zz_generated.deepcopy.go b/apis/appstream/v1beta1/zz_generated.deepcopy.go
index a3f7119b58..5b0b0737bd 100644
--- a/apis/appstream/v1beta1/zz_generated.deepcopy.go
+++ b/apis/appstream/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessEndpointObservation) DeepCopyInto(out *AccessEndpointObservation) {
 	*out = *in
+	if in.EndpointType != nil {
+		in, out := &in.EndpointType, &out.EndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.VpceID != nil {
+		in, out := &in.VpceID, &out.VpceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessEndpointObservation.
@@ -57,6 +67,16 @@ func (in *AccessEndpointParameters) DeepCopy() *AccessEndpointParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessEndpointsObservation) DeepCopyInto(out *AccessEndpointsObservation) {
 	*out = *in
+	if in.EndpointType != nil {
+		in, out := &in.EndpointType, &out.EndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.VpceID != nil {
+		in, out := &in.VpceID, &out.VpceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessEndpointsObservation.
@@ -97,6 +117,16 @@ func (in *AccessEndpointsParameters) DeepCopy() *AccessEndpointsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationSettingsObservation) DeepCopyInto(out *ApplicationSettingsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SettingsGroup != nil {
+		in, out := &in.SettingsGroup, &out.SettingsGroup
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationSettingsObservation.
@@ -142,6 +172,11 @@ func (in *ComputeCapacityObservation) DeepCopyInto(out *ComputeCapacityObservati
 		*out = new(float64)
 		**out = **in
 	}
+	if in.DesiredInstances != nil {
+		in, out := &in.DesiredInstances, &out.DesiredInstances
+		*out = new(float64)
+		**out = **in
+	}
 	if in.InUse != nil {
 		in, out := &in.InUse, &out.InUse
 		*out = new(float64)
@@ -251,11 +286,34 @@ func (in *DirectoryConfigObservation) DeepCopyInto(out *DirectoryConfigObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.DirectoryName != nil {
+		in, out := &in.DirectoryName, &out.DirectoryName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OrganizationalUnitDistinguishedNames != nil {
+		in, out := &in.OrganizationalUnitDistinguishedNames, &out.OrganizationalUnitDistinguishedNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ServiceAccountCredentials != nil {
+		in, out := &in.ServiceAccountCredentials, &out.ServiceAccountCredentials
+		*out = make([]ServiceAccountCredentialsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DirectoryConfigObservation.
@@ -348,6 +406,16 @@ func (in *DirectoryConfigStatus) DeepCopy() *DirectoryConfigStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainJoinInfoObservation) DeepCopyInto(out *DomainJoinInfoObservation) {
 	*out = *in
+	if in.DirectoryName != nil {
+		in, out := &in.DirectoryName, &out.DirectoryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationalUnitDistinguishedName != nil {
+		in, out := &in.OrganizationalUnitDistinguishedName, &out.OrganizationalUnitDistinguishedName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainJoinInfoObservation.
@@ -464,16 +532,103 @@ func (in *FleetObservation) DeepCopyInto(out *FleetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisconnectTimeoutInSeconds != nil {
+		in, out := &in.DisconnectTimeoutInSeconds, &out.DisconnectTimeoutInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainJoinInfo != nil {
+		in, out := &in.DomainJoinInfo, &out.DomainJoinInfo
+		*out = make([]DomainJoinInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnableDefaultInternetAccess != nil {
+		in, out := &in.EnableDefaultInternetAccess, &out.EnableDefaultInternetAccess
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FleetType != nil {
+		in, out := &in.FleetType, &out.FleetType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdleDisconnectTimeoutInSeconds != nil {
+		in, out := &in.IdleDisconnectTimeoutInSeconds, &out.IdleDisconnectTimeoutInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ImageArn != nil {
+		in, out := &in.ImageArn, &out.ImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxUserDurationInSeconds != nil {
+		in, out := &in.MaxUserDurationInSeconds, &out.MaxUserDurationInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.StreamView != nil {
+		in, out := &in.StreamView, &out.StreamView
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -489,6 +644,13 @@ func (in *FleetObservation) DeepCopyInto(out *FleetObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCConfig != nil {
+		in, out := &in.VPCConfig, &out.VPCConfig
+		*out = make([]VPCConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FleetObservation.
@@ -711,11 +873,21 @@ func (in *FleetStackAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FleetStackAssociationObservation) DeepCopyInto(out *FleetStackAssociationObservation) {
 	*out = *in
+	if in.FleetName != nil {
+		in, out := &in.FleetName, &out.FleetName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StackName != nil {
+		in, out := &in.StackName, &out.StackName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FleetStackAssociationObservation.
@@ -859,6 +1031,16 @@ func (in *ImageBuilder) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageBuilderDomainJoinInfoObservation) DeepCopyInto(out *ImageBuilderDomainJoinInfoObservation) {
 	*out = *in
+	if in.DirectoryName != nil {
+		in, out := &in.DirectoryName, &out.DirectoryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationalUnitDistinguishedName != nil {
+		in, out := &in.OrganizationalUnitDistinguishedName, &out.OrganizationalUnitDistinguishedName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageBuilderDomainJoinInfoObservation.
@@ -931,6 +1113,18 @@ func (in *ImageBuilderList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageBuilderObservation) DeepCopyInto(out *ImageBuilderObservation) {
 	*out = *in
+	if in.AccessEndpoint != nil {
+		in, out := &in.AccessEndpoint, &out.AccessEndpoint
+		*out = make([]AccessEndpointObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AppstreamAgentVersion != nil {
+		in, out := &in.AppstreamAgentVersion, &out.AppstreamAgentVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -941,21 +1135,73 @@ func (in *ImageBuilderObservation) DeepCopyInto(out *ImageBuilderObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainJoinInfo != nil {
+		in, out := &in.DomainJoinInfo, &out.DomainJoinInfo
+		*out = make([]ImageBuilderDomainJoinInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnableDefaultInternetAccess != nil {
+		in, out := &in.EnableDefaultInternetAccess, &out.EnableDefaultInternetAccess
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageArn != nil {
+		in, out := &in.ImageArn, &out.ImageArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ImageName != nil {
 		in, out := &in.ImageName, &out.ImageName
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -971,6 +1217,13 @@ func (in *ImageBuilderObservation) DeepCopyInto(out *ImageBuilderObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCConfig != nil {
+		in, out := &in.VPCConfig, &out.VPCConfig
+		*out = make([]ImageBuilderVPCConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageBuilderObservation.
@@ -1121,6 +1374,28 @@ func (in *ImageBuilderStatus) DeepCopy() *ImageBuilderStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageBuilderVPCConfigObservation) DeepCopyInto(out *ImageBuilderVPCConfigObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageBuilderVPCConfigObservation.
@@ -1185,6 +1460,11 @@ func (in *ImageBuilderVPCConfigParameters) DeepCopy() *ImageBuilderVPCConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceAccountCredentialsObservation) DeepCopyInto(out *ServiceAccountCredentialsObservation) {
 	*out = *in
+	if in.AccountName != nil {
+		in, out := &in.AccountName, &out.AccountName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceAccountCredentialsObservation.
@@ -1280,6 +1560,20 @@ func (in *StackList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 	*out = *in
+	if in.AccessEndpoints != nil {
+		in, out := &in.AccessEndpoints, &out.AccessEndpoints
+		*out = make([]AccessEndpointsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ApplicationSettings != nil {
+		in, out := &in.ApplicationSettings, &out.ApplicationSettings
+		*out = make([]ApplicationSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -1290,11 +1584,69 @@ func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmbedHostDomains != nil {
+		in, out := &in.EmbedHostDomains, &out.EmbedHostDomains
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.FeedbackURL != nil {
+		in, out := &in.FeedbackURL, &out.FeedbackURL
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RedirectURL != nil {
+		in, out := &in.RedirectURL, &out.RedirectURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageConnectors != nil {
+		in, out := &in.StorageConnectors, &out.StorageConnectors
+		*out = make([]StorageConnectorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1310,6 +1662,13 @@ func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserSettings != nil {
+		in, out := &in.UserSettings, &out.UserSettings
+		*out = make([]UserSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StackObservation.
@@ -1458,6 +1817,27 @@ func (in *StackStatus) DeepCopy() *StackStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageConnectorsObservation) DeepCopyInto(out *StorageConnectorsObservation) {
 	*out = *in
+	if in.ConnectorType != nil {
+		in, out := &in.ConnectorType, &out.ConnectorType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Domains != nil {
+		in, out := &in.Domains, &out.Domains
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ResourceIdentifier != nil {
+		in, out := &in.ResourceIdentifier, &out.ResourceIdentifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageConnectorsObservation.
@@ -1573,16 +1953,41 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthenticationType != nil {
+		in, out := &in.AuthenticationType, &out.AuthenticationType
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreatedTime != nil {
 		in, out := &in.CreatedTime, &out.CreatedTime
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FirstName != nil {
+		in, out := &in.FirstName, &out.FirstName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LastName != nil {
+		in, out := &in.LastName, &out.LastName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SendEmailNotification != nil {
+		in, out := &in.SendEmailNotification, &out.SendEmailNotification
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserObservation.
@@ -1643,6 +2048,16 @@ func (in *UserParameters) DeepCopy() *UserParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsObservation) DeepCopyInto(out *UserSettingsObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
+	if in.Permission != nil {
+		in, out := &in.Permission, &out.Permission
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsObservation.
@@ -1759,11 +2174,31 @@ func (in *UserStackAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserStackAssociationObservation) DeepCopyInto(out *UserStackAssociationObservation) {
 	*out = *in
+	if in.AuthenticationType != nil {
+		in, out := &in.AuthenticationType, &out.AuthenticationType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SendEmailNotification != nil {
+		in, out := &in.SendEmailNotification, &out.SendEmailNotification
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StackName != nil {
+		in, out := &in.StackName, &out.StackName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserName != nil {
+		in, out := &in.UserName, &out.UserName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserStackAssociationObservation.
@@ -1900,6 +2335,28 @@ func (in *UserStatus) DeepCopy() *UserStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigObservation) DeepCopyInto(out *VPCConfigObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCConfigObservation.
diff --git a/apis/appstream/v1beta1/zz_imagebuilder_types.go b/apis/appstream/v1beta1/zz_imagebuilder_types.go
index 2cce3ae90e..fe6edbb7c7 100755
--- a/apis/appstream/v1beta1/zz_imagebuilder_types.go
+++ b/apis/appstream/v1beta1/zz_imagebuilder_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AccessEndpointObservation struct {
+
+	// Type of interface endpoint.
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
+
+	// Identifier (ID) of the VPC in which the interface endpoint is used.
+	VpceID *string `json:"vpceId,omitempty" tf:"vpce_id,omitempty"`
 }
 
 type AccessEndpointParameters struct {
@@ -28,6 +34,12 @@ type AccessEndpointParameters struct {
 }
 
 type ImageBuilderDomainJoinInfoObservation struct {
+
+	// Fully qualified name of the directory (for example, corp.example.com).
+	DirectoryName *string `json:"directoryName,omitempty" tf:"directory_name,omitempty"`
+
+	// Distinguished name of the organizational unit for computer accounts.
+	OrganizationalUnitDistinguishedName *string `json:"organizationalUnitDistinguishedName,omitempty" tf:"organizational_unit_distinguished_name,omitempty"`
 }
 
 type ImageBuilderDomainJoinInfoParameters struct {
@@ -43,23 +55,56 @@ type ImageBuilderDomainJoinInfoParameters struct {
 
 type ImageBuilderObservation struct {
 
+	// Set of interface VPC endpoint (interface endpoint) objects. Maximum of 4. See below.
+	AccessEndpoint []AccessEndpointObservation `json:"accessEndpoint,omitempty" tf:"access_endpoint,omitempty"`
+
+	// Version of the AppStream 2.0 agent to use for this image builder.
+	AppstreamAgentVersion *string `json:"appstreamAgentVersion,omitempty" tf:"appstream_agent_version,omitempty"`
+
 	// ARN of the appstream image builder.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Date and time, in UTC and extended RFC 3339 format, when the image builder was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Description to display.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Human-readable friendly name for the AppStream image builder.
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// Configuration block for the name of the directory and organizational unit (OU) to use to join the image builder to a Microsoft Active Directory domain. See below.
+	DomainJoinInfo []ImageBuilderDomainJoinInfoObservation `json:"domainJoinInfo,omitempty" tf:"domain_join_info,omitempty"`
+
+	// Enables or disables default internet access for the image builder.
+	EnableDefaultInternetAccess *bool `json:"enableDefaultInternetAccess,omitempty" tf:"enable_default_internet_access,omitempty"`
+
+	// ARN of the IAM role to apply to the image builder.
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	// Name of the image builder.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of the public, private, or shared image to use.
+	ImageArn *string `json:"imageArn,omitempty" tf:"image_arn,omitempty"`
+
 	// Name of the image used to create the image builder.
 	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
 
+	// Instance type to use when launching the image builder.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
 	// State of the image builder. Can be: PENDING, UPDATING_AGENT, RUNNING, STOPPING, STOPPED, REBOOTING, SNAPSHOTTING, DELETING, FAILED, UPDATING, PENDING_QUALIFICATION
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration block for the VPC configuration for the image builder. See below.
+	VPCConfig []ImageBuilderVPCConfigObservation `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
 }
 
 type ImageBuilderParameters struct {
@@ -107,8 +152,8 @@ type ImageBuilderParameters struct {
 	ImageArn *string `json:"imageArn,omitempty" tf:"image_arn,omitempty"`
 
 	// Instance type to use when launching the image builder.
-	// +kubebuilder:validation:Required
-	InstanceType *string `json:"instanceType" tf:"instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -125,6 +170,12 @@ type ImageBuilderParameters struct {
 }
 
 type ImageBuilderVPCConfigObservation struct {
+
+	// Identifiers of the security groups for the image builder or image builder.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Identifiers of the subnets to which a network interface is attached from the image builder instance or image builder instance.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 }
 
 type ImageBuilderVPCConfigParameters struct {
@@ -173,8 +224,9 @@ type ImageBuilderStatus struct {
 type ImageBuilder struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ImageBuilderSpec   `json:"spec"`
-	Status            ImageBuilderStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)",message="instanceType is a required parameter"
+	Spec   ImageBuilderSpec   `json:"spec"`
+	Status ImageBuilderStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appstream/v1beta1/zz_stack_types.go b/apis/appstream/v1beta1/zz_stack_types.go
index 9714df7e61..868ed3a6ea 100755
--- a/apis/appstream/v1beta1/zz_stack_types.go
+++ b/apis/appstream/v1beta1/zz_stack_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type AccessEndpointsObservation struct {
+
+	// Type of the interface endpoint.
+	// See the AccessEndpoint AWS API documentation for valid values.
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
+
+	// ID of the VPC in which the interface endpoint is used.
+	VpceID *string `json:"vpceId,omitempty" tf:"vpce_id,omitempty"`
 }
 
 type AccessEndpointsParameters struct {
@@ -29,6 +36,14 @@ type AccessEndpointsParameters struct {
 }
 
 type ApplicationSettingsObservation struct {
+
+	// Whether application settings should be persisted.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Name of the settings group.
+	// Required when enabled is true.
+	// Can be up to 100 characters.
+	SettingsGroup *string `json:"settingsGroup,omitempty" tf:"settings_group,omitempty"`
 }
 
 type ApplicationSettingsParameters struct {
@@ -46,16 +61,53 @@ type ApplicationSettingsParameters struct {
 
 type StackObservation struct {
 
+	// Set of configuration blocks defining the interface VPC endpoints. Users of the stack can connect to AppStream 2.0 only through the specified endpoints.
+	// See access_endpoints below.
+	AccessEndpoints []AccessEndpointsObservation `json:"accessEndpoints,omitempty" tf:"access_endpoints,omitempty"`
+
+	// Settings for application settings persistence.
+	// See application_settings below.
+	ApplicationSettings []ApplicationSettingsObservation `json:"applicationSettings,omitempty" tf:"application_settings,omitempty"`
+
 	// ARN of the appstream stack.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Date and time, in UTC and extended RFC 3339 format, when the stack was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Description for the AppStream stack.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Stack name to display.
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// Domains where AppStream 2.0 streaming sessions can be embedded in an iframe. You must approve the domains that you want to host embedded AppStream 2.0 streaming sessions.
+	EmbedHostDomains []*string `json:"embedHostDomains,omitempty" tf:"embed_host_domains,omitempty"`
+
+	// URL that users are redirected to after they click the Send Feedback link. If no URL is specified, no Send Feedback link is displayed. .
+	FeedbackURL *string `json:"feedbackUrl,omitempty" tf:"feedback_url,omitempty"`
+
 	// Unique ID of the appstream stack.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Unique name for the AppStream stack.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// URL that users are redirected to after their streaming session ends.
+	RedirectURL *string `json:"redirectUrl,omitempty" tf:"redirect_url,omitempty"`
+
+	// Configuration block for the storage connectors to enable.
+	// See storage_connectors below.
+	StorageConnectors []StorageConnectorsObservation `json:"storageConnectors,omitempty" tf:"storage_connectors,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration block for the actions that are enabled or disabled for users during their streaming sessions. If not provided, these settings are configured automatically by AWS.
+	// See user_settings below.
+	UserSettings []UserSettingsObservation `json:"userSettings,omitempty" tf:"user_settings,omitempty"`
 }
 
 type StackParameters struct {
@@ -87,8 +139,8 @@ type StackParameters struct {
 	FeedbackURL *string `json:"feedbackUrl,omitempty" tf:"feedback_url,omitempty"`
 
 	// Unique name for the AppStream stack.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// URL that users are redirected to after their streaming session ends.
 	// +kubebuilder:validation:Optional
@@ -115,6 +167,16 @@ type StackParameters struct {
 }
 
 type StorageConnectorsObservation struct {
+
+	// Type of storage connector.
+	// Valid values are HOMEFOLDERS, GOOGLE_DRIVE, or ONE_DRIVE.
+	ConnectorType *string `json:"connectorType,omitempty" tf:"connector_type,omitempty"`
+
+	// Names of the domains for the account.
+	Domains []*string `json:"domains,omitempty" tf:"domains,omitempty"`
+
+	// ARN of the storage connector.
+	ResourceIdentifier *string `json:"resourceIdentifier,omitempty" tf:"resource_identifier,omitempty"`
 }
 
 type StorageConnectorsParameters struct {
@@ -134,6 +196,14 @@ type StorageConnectorsParameters struct {
 }
 
 type UserSettingsObservation struct {
+
+	// Action that is enabled or disabled.
+	// Valid values are CLIPBOARD_COPY_FROM_LOCAL_DEVICE,  CLIPBOARD_COPY_TO_LOCAL_DEVICE, FILE_UPLOAD, FILE_DOWNLOAD, PRINTING_TO_LOCAL_DEVICE, DOMAIN_PASSWORD_SIGNIN, or DOMAIN_SMART_CARD_SIGNIN.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Whether the action is enabled or disabled.
+	// Valid values are ENABLED or DISABLED.
+	Permission *string `json:"permission,omitempty" tf:"permission,omitempty"`
 }
 
 type UserSettingsParameters struct {
@@ -173,8 +243,9 @@ type StackStatus struct {
 type Stack struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StackSpec   `json:"spec"`
-	Status            StackStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   StackSpec   `json:"spec"`
+	Status StackStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appstream/v1beta1/zz_user_types.go b/apis/appstream/v1beta1/zz_user_types.go
index 40ce18dbd3..d3249a2483 100755
--- a/apis/appstream/v1beta1/zz_user_types.go
+++ b/apis/appstream/v1beta1/zz_user_types.go
@@ -18,11 +18,26 @@ type UserObservation struct {
 	// ARN of the appstream user.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Authentication type for the user. You must specify USERPOOL. Valid values: API, SAML, USERPOOL
+	AuthenticationType *string `json:"authenticationType,omitempty" tf:"authentication_type,omitempty"`
+
 	// Date and time, in UTC and extended RFC 3339 format, when the user was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Whether the user in the user pool is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// First name, or given name, of the user.
+	FirstName *string `json:"firstName,omitempty" tf:"first_name,omitempty"`
+
 	// Unique ID of the appstream user.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Last name, or surname, of the user.
+	LastName *string `json:"lastName,omitempty" tf:"last_name,omitempty"`
+
+	// Send an email notification.
+	SendEmailNotification *bool `json:"sendEmailNotification,omitempty" tf:"send_email_notification,omitempty"`
 }
 
 type UserParameters struct {
diff --git a/apis/appstream/v1beta1/zz_userstackassociation_types.go b/apis/appstream/v1beta1/zz_userstackassociation_types.go
index 4bad9d715f..003bacc91b 100755
--- a/apis/appstream/v1beta1/zz_userstackassociation_types.go
+++ b/apis/appstream/v1beta1/zz_userstackassociation_types.go
@@ -15,8 +15,20 @@ import (
 
 type UserStackAssociationObservation struct {
 
+	// Authentication type for the user.
+	AuthenticationType *string `json:"authenticationType,omitempty" tf:"authentication_type,omitempty"`
+
 	// Unique ID of the appstream User Stack association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Whether a welcome email is sent to a user after the user is created in the user pool.
+	SendEmailNotification *bool `json:"sendEmailNotification,omitempty" tf:"send_email_notification,omitempty"`
+
+	// Name of the stack that is associated with the user.
+	StackName *string `json:"stackName,omitempty" tf:"stack_name,omitempty"`
+
+	// Email address of the user who is associated with the stack.
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 }
 
 type UserStackAssociationParameters struct {
diff --git a/apis/appsync/v1beta1/zz_apicache_types.go b/apis/appsync/v1beta1/zz_apicache_types.go
index cdc3ed3369..8570f03cd9 100755
--- a/apis/appsync/v1beta1/zz_apicache_types.go
+++ b/apis/appsync/v1beta1/zz_apicache_types.go
@@ -15,15 +15,33 @@ import (
 
 type APICacheObservation struct {
 
+	// Caching behavior. Valid values are FULL_REQUEST_CACHING and PER_RESOLVER_CACHING.
+	APICachingBehavior *string `json:"apiCachingBehavior,omitempty" tf:"api_caching_behavior,omitempty"`
+
+	// GraphQL API ID.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// At-rest encryption flag for cache. You cannot update this setting after creation.
+	AtRestEncryptionEnabled *bool `json:"atRestEncryptionEnabled,omitempty" tf:"at_rest_encryption_enabled,omitempty"`
+
 	// AppSync API ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// TTL in seconds for cache entries.
+	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
+
+	// Transit encryption flag when connecting to cache. You cannot update this setting after creation.
+	TransitEncryptionEnabled *bool `json:"transitEncryptionEnabled,omitempty" tf:"transit_encryption_enabled,omitempty"`
+
+	// Cache instance type. Valid values are SMALL, MEDIUM, LARGE, XLARGE, LARGE_2X, LARGE_4X, LARGE_8X, LARGE_12X, T2_SMALL, T2_MEDIUM, R4_LARGE, R4_XLARGE, R4_2XLARGE, R4_4XLARGE, R4_8XLARGE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type APICacheParameters struct {
 
 	// Caching behavior. Valid values are FULL_REQUEST_CACHING and PER_RESOLVER_CACHING.
-	// +kubebuilder:validation:Required
-	APICachingBehavior *string `json:"apiCachingBehavior" tf:"api_caching_behavior,omitempty"`
+	// +kubebuilder:validation:Optional
+	APICachingBehavior *string `json:"apiCachingBehavior,omitempty" tf:"api_caching_behavior,omitempty"`
 
 	// GraphQL API ID.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/appsync/v1beta1.GraphQLAPI
@@ -49,16 +67,16 @@ type APICacheParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// TTL in seconds for cache entries.
-	// +kubebuilder:validation:Required
-	TTL *float64 `json:"ttl" tf:"ttl,omitempty"`
+	// +kubebuilder:validation:Optional
+	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
 
 	// Transit encryption flag when connecting to cache. You cannot update this setting after creation.
 	// +kubebuilder:validation:Optional
 	TransitEncryptionEnabled *bool `json:"transitEncryptionEnabled,omitempty" tf:"transit_encryption_enabled,omitempty"`
 
 	// Cache instance type. Valid values are SMALL, MEDIUM, LARGE, XLARGE, LARGE_2X, LARGE_4X, LARGE_8X, LARGE_12X, T2_SMALL, T2_MEDIUM, R4_LARGE, R4_XLARGE, R4_2XLARGE, R4_4XLARGE, R4_8XLARGE.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // APICacheSpec defines the desired state of APICache
@@ -85,8 +103,11 @@ type APICacheStatus struct {
 type APICache struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              APICacheSpec   `json:"spec"`
-	Status            APICacheStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiCachingBehavior)",message="apiCachingBehavior is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ttl)",message="ttl is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   APICacheSpec   `json:"spec"`
+	Status APICacheStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appsync/v1beta1/zz_apikey_types.go b/apis/appsync/v1beta1/zz_apikey_types.go
index c60c468cf2..750cd91ca0 100755
--- a/apis/appsync/v1beta1/zz_apikey_types.go
+++ b/apis/appsync/v1beta1/zz_apikey_types.go
@@ -15,6 +15,15 @@ import (
 
 type APIKeyObservation struct {
 
+	// ID of the associated AppSync API
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
+	// API key description.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// RFC3339 string representation of the expiry date. Rounded down to nearest hour. By default, it is 7 days from the date of creation.
+	Expires *string `json:"expires,omitempty" tf:"expires,omitempty"`
+
 	// API Key ID (Formatted as ApiId:Key)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
diff --git a/apis/appsync/v1beta1/zz_datasource_types.go b/apis/appsync/v1beta1/zz_datasource_types.go
index ea57753587..91de9761e1 100755
--- a/apis/appsync/v1beta1/zz_datasource_types.go
+++ b/apis/appsync/v1beta1/zz_datasource_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AuthorizationConfigObservation struct {
+
+	// Authorization type that the HTTP endpoint requires. Default values is AWS_IAM.
+	AuthorizationType *string `json:"authorizationType,omitempty" tf:"authorization_type,omitempty"`
+
+	// Identity and Access Management (IAM) settings. See AWS IAM Config.
+	AwsIAMConfig []AwsIAMConfigObservation `json:"awsIamConfig,omitempty" tf:"aws_iam_config,omitempty"`
 }
 
 type AuthorizationConfigParameters struct {
@@ -28,6 +34,12 @@ type AuthorizationConfigParameters struct {
 }
 
 type AwsIAMConfigObservation struct {
+
+	// Signing Amazon Web Services Region for IAM authorization.
+	SigningRegion *string `json:"signingRegion,omitempty" tf:"signing_region,omitempty"`
+
+	// Signing service name for IAM authorization.
+	SigningServiceName *string `json:"signingServiceName,omitempty" tf:"signing_service_name,omitempty"`
 }
 
 type AwsIAMConfigParameters struct {
@@ -43,10 +55,37 @@ type AwsIAMConfigParameters struct {
 
 type DatasourceObservation struct {
 
+	// API ID for the GraphQL API for the data source.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
 	// ARN
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the data source.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// DynamoDB settings. See below
+	DynamodbConfig []DynamodbConfigObservation `json:"dynamodbConfig,omitempty" tf:"dynamodb_config,omitempty"`
+
+	// Amazon Elasticsearch settings. See below
+	ElasticsearchConfig []ElasticsearchConfigObservation `json:"elasticsearchConfig,omitempty" tf:"elasticsearch_config,omitempty"`
+
+	// HTTP settings. See below
+	HTTPConfig []HTTPConfigObservation `json:"httpConfig,omitempty" tf:"http_config,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// AWS Lambda settings. See below
+	LambdaConfig []LambdaConfigObservation `json:"lambdaConfig,omitempty" tf:"lambda_config,omitempty"`
+
+	// AWS RDS settings. See Relational Database Config
+	RelationalDatabaseConfig []RelationalDatabaseConfigObservation `json:"relationalDatabaseConfig,omitempty" tf:"relational_database_config,omitempty"`
+
+	// IAM service role ARN for the data source.
+	ServiceRoleArn *string `json:"serviceRoleArn,omitempty" tf:"service_role_arn,omitempty"`
+
+	// Type of the Data Source. Valid values: AWS_LAMBDA, AMAZON_DYNAMODB, AMAZON_ELASTICSEARCH, HTTP, NONE, RELATIONAL_DATABASE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DatasourceParameters struct {
@@ -110,11 +149,17 @@ type DatasourceParameters struct {
 	ServiceRoleArnSelector *v1.Selector `json:"serviceRoleArnSelector,omitempty" tf:"-"`
 
 	// Type of the Data Source. Valid values: AWS_LAMBDA, AMAZON_DYNAMODB, AMAZON_ELASTICSEARCH, HTTP, NONE, RELATIONAL_DATABASE.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DeltaSyncConfigObservation struct {
+	BaseTableTTL *float64 `json:"baseTableTtl,omitempty" tf:"base_table_ttl,omitempty"`
+
+	// User-supplied name for the data source.
+	DeltaSyncTableName *string `json:"deltaSyncTableName,omitempty" tf:"delta_sync_table_name,omitempty"`
+
+	DeltaSyncTableTTL *float64 `json:"deltaSyncTableTtl,omitempty" tf:"delta_sync_table_ttl,omitempty"`
 }
 
 type DeltaSyncConfigParameters struct {
@@ -131,6 +176,18 @@ type DeltaSyncConfigParameters struct {
 }
 
 type DynamodbConfigObservation struct {
+	DeltaSyncConfig []DeltaSyncConfigObservation `json:"deltaSyncConfig,omitempty" tf:"delta_sync_config,omitempty"`
+
+	// AWS region of the DynamoDB table. Defaults to current region.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// Name of the DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
+
+	// Set to true to use Amazon Cognito credentials with this data source.
+	UseCallerCredentials *bool `json:"useCallerCredentials,omitempty" tf:"use_caller_credentials,omitempty"`
+
+	Versioned *bool `json:"versioned,omitempty" tf:"versioned,omitempty"`
 }
 
 type DynamodbConfigParameters struct {
@@ -164,6 +221,12 @@ type DynamodbConfigParameters struct {
 }
 
 type ElasticsearchConfigObservation struct {
+
+	// HTTP endpoint of the Elasticsearch domain.
+	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
+
+	// AWS region of Elasticsearch domain. Defaults to current region.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
 }
 
 type ElasticsearchConfigParameters struct {
@@ -178,6 +241,12 @@ type ElasticsearchConfigParameters struct {
 }
 
 type HTTPConfigObservation struct {
+
+	// Authorization configuration in case the HTTP endpoint requires authorization. See Authorization Config.
+	AuthorizationConfig []AuthorizationConfigObservation `json:"authorizationConfig,omitempty" tf:"authorization_config,omitempty"`
+
+	// HTTP URL.
+	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 }
 
 type HTTPConfigParameters struct {
@@ -192,6 +261,21 @@ type HTTPConfigParameters struct {
 }
 
 type HTTPEndpointConfigObservation struct {
+
+	// AWS secret store ARN for database credentials.
+	AwsSecretStoreArn *string `json:"awsSecretStoreArn,omitempty" tf:"aws_secret_store_arn,omitempty"`
+
+	// Amazon RDS cluster identifier.
+	DBClusterIdentifier *string `json:"dbClusterIdentifier,omitempty" tf:"db_cluster_identifier,omitempty"`
+
+	// Logical database name.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// AWS Region for RDS HTTP endpoint. Defaults to current region.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// Logical schema name.
+	Schema *string `json:"schema,omitempty" tf:"schema,omitempty"`
 }
 
 type HTTPEndpointConfigParameters struct {
@@ -218,6 +302,9 @@ type HTTPEndpointConfigParameters struct {
 }
 
 type LambdaConfigObservation struct {
+
+	// ARN for the Lambda function.
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
 }
 
 type LambdaConfigParameters struct {
@@ -228,6 +315,12 @@ type LambdaConfigParameters struct {
 }
 
 type RelationalDatabaseConfigObservation struct {
+
+	// Amazon RDS HTTP endpoint configuration. See HTTP Endpoint Config.
+	HTTPEndpointConfig []HTTPEndpointConfigObservation `json:"httpEndpointConfig,omitempty" tf:"http_endpoint_config,omitempty"`
+
+	// Source type for the relational database. Valid values: RDS_HTTP_ENDPOINT.
+	SourceType *string `json:"sourceType,omitempty" tf:"source_type,omitempty"`
 }
 
 type RelationalDatabaseConfigParameters struct {
@@ -265,8 +358,9 @@ type DatasourceStatus struct {
 type Datasource struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DatasourceSpec   `json:"spec"`
-	Status            DatasourceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   DatasourceSpec   `json:"spec"`
+	Status DatasourceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appsync/v1beta1/zz_function_types.go b/apis/appsync/v1beta1/zz_function_types.go
index cce5862451..779efa10b3 100755
--- a/apis/appsync/v1beta1/zz_function_types.go
+++ b/apis/appsync/v1beta1/zz_function_types.go
@@ -15,14 +15,47 @@ import (
 
 type FunctionObservation struct {
 
+	// ID of the associated AppSync API.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
 	// ARN of the Function object.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The function code that contains the request and response functions. When code is used, the runtime is required. The runtime value must be APPSYNC_JS.
+	Code *string `json:"code,omitempty" tf:"code,omitempty"`
+
+	// Function data source name.
+	DataSource *string `json:"dataSource,omitempty" tf:"data_source,omitempty"`
+
+	// Function description.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Unique ID representing the Function object.
 	FunctionID *string `json:"functionId,omitempty" tf:"function_id,omitempty"`
 
+	// Version of the request mapping template. Currently the supported value is 2018-05-29. Does not apply when specifying code.
+	FunctionVersion *string `json:"functionVersion,omitempty" tf:"function_version,omitempty"`
+
 	// API Function ID (Formatted as ApiId-FunctionId)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Maximum batching size for a resolver. Valid values are between 0 and 2000.
+	MaxBatchSize *float64 `json:"maxBatchSize,omitempty" tf:"max_batch_size,omitempty"`
+
+	// Function name. The function name does not have to be unique.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Function request mapping template. Functions support only the 2018-05-29 version of the request mapping template.
+	RequestMappingTemplate *string `json:"requestMappingTemplate,omitempty" tf:"request_mapping_template,omitempty"`
+
+	// Function response mapping template.
+	ResponseMappingTemplate *string `json:"responseMappingTemplate,omitempty" tf:"response_mapping_template,omitempty"`
+
+	// Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified. See Runtime.
+	Runtime []RuntimeObservation `json:"runtime,omitempty" tf:"runtime,omitempty"`
+
+	// Describes a Sync configuration for a resolver. See Sync Config.
+	SyncConfig []SyncConfigObservation `json:"syncConfig,omitempty" tf:"sync_config,omitempty"`
 }
 
 type FunctionParameters struct {
@@ -71,8 +104,8 @@ type FunctionParameters struct {
 	MaxBatchSize *float64 `json:"maxBatchSize,omitempty" tf:"max_batch_size,omitempty"`
 
 	// Function name. The function name does not have to be unique.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -97,6 +130,9 @@ type FunctionParameters struct {
 }
 
 type LambdaConflictHandlerConfigObservation struct {
+
+	// ARN for the Lambda function to use as the Conflict Handler.
+	LambdaConflictHandlerArn *string `json:"lambdaConflictHandlerArn,omitempty" tf:"lambda_conflict_handler_arn,omitempty"`
 }
 
 type LambdaConflictHandlerConfigParameters struct {
@@ -107,6 +143,12 @@ type LambdaConflictHandlerConfigParameters struct {
 }
 
 type RuntimeObservation struct {
+
+	// Function name. The function name does not have to be unique.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The version of the runtime to use. Currently, the only allowed version is 1.0.0.
+	RuntimeVersion *string `json:"runtimeVersion,omitempty" tf:"runtime_version,omitempty"`
 }
 
 type RuntimeParameters struct {
@@ -121,6 +163,15 @@ type RuntimeParameters struct {
 }
 
 type SyncConfigObservation struct {
+
+	// Conflict Detection strategy to use. Valid values are NONE and VERSION.
+	ConflictDetection *string `json:"conflictDetection,omitempty" tf:"conflict_detection,omitempty"`
+
+	// Conflict Resolution strategy to perform in the event of a conflict. Valid values are NONE, OPTIMISTIC_CONCURRENCY, AUTOMERGE, and LAMBDA.
+	ConflictHandler *string `json:"conflictHandler,omitempty" tf:"conflict_handler,omitempty"`
+
+	// Lambda Conflict Handler Config when configuring LAMBDA as the Conflict Handler. See Lambda Conflict Handler Config.
+	LambdaConflictHandlerConfig []LambdaConflictHandlerConfigObservation `json:"lambdaConflictHandlerConfig,omitempty" tf:"lambda_conflict_handler_config,omitempty"`
 }
 
 type SyncConfigParameters struct {
@@ -162,8 +213,9 @@ type FunctionStatus struct {
 type Function struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FunctionSpec   `json:"spec"`
-	Status            FunctionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   FunctionSpec   `json:"spec"`
+	Status FunctionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appsync/v1beta1/zz_generated.deepcopy.go b/apis/appsync/v1beta1/zz_generated.deepcopy.go
index 7b66ffcc13..5191a8defd 100644
--- a/apis/appsync/v1beta1/zz_generated.deepcopy.go
+++ b/apis/appsync/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,41 @@ func (in *APICacheList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *APICacheObservation) DeepCopyInto(out *APICacheObservation) {
 	*out = *in
+	if in.APICachingBehavior != nil {
+		in, out := &in.APICachingBehavior, &out.APICachingBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AtRestEncryptionEnabled != nil {
+		in, out := &in.AtRestEncryptionEnabled, &out.AtRestEncryptionEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TransitEncryptionEnabled != nil {
+		in, out := &in.TransitEncryptionEnabled, &out.TransitEncryptionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APICacheObservation.
@@ -249,6 +279,21 @@ func (in *APIKeyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *APIKeyObservation) DeepCopyInto(out *APIKeyObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Expires != nil {
+		in, out := &in.Expires, &out.Expires
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -348,6 +393,32 @@ func (in *APIKeyStatus) DeepCopy() *APIKeyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdditionalAuthenticationProviderObservation) DeepCopyInto(out *AdditionalAuthenticationProviderObservation) {
 	*out = *in
+	if in.AuthenticationType != nil {
+		in, out := &in.AuthenticationType, &out.AuthenticationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaAuthorizerConfig != nil {
+		in, out := &in.LambdaAuthorizerConfig, &out.LambdaAuthorizerConfig
+		*out = make([]LambdaAuthorizerConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OpenIDConnectConfig != nil {
+		in, out := &in.OpenIDConnectConfig, &out.OpenIDConnectConfig
+		*out = make([]OpenIDConnectConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UserPoolConfig != nil {
+		in, out := &in.UserPoolConfig, &out.UserPoolConfig
+		*out = make([]UserPoolConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdditionalAuthenticationProviderObservation.
@@ -404,6 +475,18 @@ func (in *AdditionalAuthenticationProviderParameters) DeepCopy() *AdditionalAuth
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthorizationConfigObservation) DeepCopyInto(out *AuthorizationConfigObservation) {
 	*out = *in
+	if in.AuthorizationType != nil {
+		in, out := &in.AuthorizationType, &out.AuthorizationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.AwsIAMConfig != nil {
+		in, out := &in.AwsIAMConfig, &out.AwsIAMConfig
+		*out = make([]AwsIAMConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationConfigObservation.
@@ -446,6 +529,16 @@ func (in *AuthorizationConfigParameters) DeepCopy() *AuthorizationConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AwsIAMConfigObservation) DeepCopyInto(out *AwsIAMConfigObservation) {
 	*out = *in
+	if in.SigningRegion != nil {
+		in, out := &in.SigningRegion, &out.SigningRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.SigningServiceName != nil {
+		in, out := &in.SigningServiceName, &out.SigningServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsIAMConfigObservation.
@@ -486,6 +579,22 @@ func (in *AwsIAMConfigParameters) DeepCopy() *AwsIAMConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CachingConfigObservation) DeepCopyInto(out *CachingConfigObservation) {
 	*out = *in
+	if in.CachingKeys != nil {
+		in, out := &in.CachingKeys, &out.CachingKeys
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CachingConfigObservation.
@@ -591,16 +700,71 @@ func (in *DatasourceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DatasourceObservation) DeepCopyInto(out *DatasourceObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DynamodbConfig != nil {
+		in, out := &in.DynamodbConfig, &out.DynamodbConfig
+		*out = make([]DynamodbConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticsearchConfig != nil {
+		in, out := &in.ElasticsearchConfig, &out.ElasticsearchConfig
+		*out = make([]ElasticsearchConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTPConfig != nil {
+		in, out := &in.HTTPConfig, &out.HTTPConfig
+		*out = make([]HTTPConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LambdaConfig != nil {
+		in, out := &in.LambdaConfig, &out.LambdaConfig
+		*out = make([]LambdaConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RelationalDatabaseConfig != nil {
+		in, out := &in.RelationalDatabaseConfig, &out.RelationalDatabaseConfig
+		*out = make([]RelationalDatabaseConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServiceRoleArn != nil {
+		in, out := &in.ServiceRoleArn, &out.ServiceRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DatasourceObservation.
@@ -745,6 +909,21 @@ func (in *DatasourceStatus) DeepCopy() *DatasourceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeltaSyncConfigObservation) DeepCopyInto(out *DeltaSyncConfigObservation) {
 	*out = *in
+	if in.BaseTableTTL != nil {
+		in, out := &in.BaseTableTTL, &out.BaseTableTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DeltaSyncTableName != nil {
+		in, out := &in.DeltaSyncTableName, &out.DeltaSyncTableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeltaSyncTableTTL != nil {
+		in, out := &in.DeltaSyncTableTTL, &out.DeltaSyncTableTTL
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeltaSyncConfigObservation.
@@ -790,6 +969,33 @@ func (in *DeltaSyncConfigParameters) DeepCopy() *DeltaSyncConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DynamodbConfigObservation) DeepCopyInto(out *DynamodbConfigObservation) {
 	*out = *in
+	if in.DeltaSyncConfig != nil {
+		in, out := &in.DeltaSyncConfig, &out.DeltaSyncConfig
+		*out = make([]DeltaSyncConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseCallerCredentials != nil {
+		in, out := &in.UseCallerCredentials, &out.UseCallerCredentials
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Versioned != nil {
+		in, out := &in.Versioned, &out.Versioned
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamodbConfigObservation.
@@ -857,6 +1063,16 @@ func (in *DynamodbConfigParameters) DeepCopy() *DynamodbConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ElasticsearchConfigObservation) DeepCopyInto(out *ElasticsearchConfigObservation) {
 	*out = *in
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticsearchConfigObservation.
@@ -956,58 +1172,117 @@ func (in *FunctionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
-	if in.FunctionID != nil {
-		in, out := &in.FunctionID, &out.FunctionID
+	if in.Code != nil {
+		in, out := &in.Code, &out.Code
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.DataSource != nil {
+		in, out := &in.DataSource, &out.DataSource
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FunctionObservation.
-func (in *FunctionObservation) DeepCopy() *FunctionObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(FunctionObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FunctionParameters) DeepCopyInto(out *FunctionParameters) {
-	*out = *in
-	if in.APIID != nil {
-		in, out := &in.APIID, &out.APIID
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
 		*out = new(string)
 		**out = **in
 	}
-	if in.APIIDRef != nil {
-		in, out := &in.APIIDRef, &out.APIIDRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.APIIDSelector != nil {
-		in, out := &in.APIIDSelector, &out.APIIDSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.Code != nil {
-		in, out := &in.Code, &out.Code
+	if in.FunctionID != nil {
+		in, out := &in.FunctionID, &out.FunctionID
 		*out = new(string)
 		**out = **in
 	}
-	if in.DataSource != nil {
-		in, out := &in.DataSource, &out.DataSource
+	if in.FunctionVersion != nil {
+		in, out := &in.FunctionVersion, &out.FunctionVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxBatchSize != nil {
+		in, out := &in.MaxBatchSize, &out.MaxBatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequestMappingTemplate != nil {
+		in, out := &in.RequestMappingTemplate, &out.RequestMappingTemplate
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseMappingTemplate != nil {
+		in, out := &in.ResponseMappingTemplate, &out.ResponseMappingTemplate
+		*out = new(string)
+		**out = **in
+	}
+	if in.Runtime != nil {
+		in, out := &in.Runtime, &out.Runtime
+		*out = make([]RuntimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SyncConfig != nil {
+		in, out := &in.SyncConfig, &out.SyncConfig
+		*out = make([]SyncConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FunctionObservation.
+func (in *FunctionObservation) DeepCopy() *FunctionObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FunctionObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FunctionParameters) DeepCopyInto(out *FunctionParameters) {
+	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.APIIDRef != nil {
+		in, out := &in.APIIDRef, &out.APIIDRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.APIIDSelector != nil {
+		in, out := &in.APIIDSelector, &out.APIIDSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.Code != nil {
+		in, out := &in.Code, &out.Code
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSource != nil {
+		in, out := &in.DataSource, &out.DataSource
 		*out = new(string)
 		**out = **in
 	}
@@ -1146,6 +1421,21 @@ func (in *GraphQLAPI) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GraphQLAPILambdaAuthorizerConfigObservation) DeepCopyInto(out *GraphQLAPILambdaAuthorizerConfigObservation) {
 	*out = *in
+	if in.AuthorizerResultTTLInSeconds != nil {
+		in, out := &in.AuthorizerResultTTLInSeconds, &out.AuthorizerResultTTLInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AuthorizerURI != nil {
+		in, out := &in.AuthorizerURI, &out.AuthorizerURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdentityValidationExpression != nil {
+		in, out := &in.IdentityValidationExpression, &out.IdentityValidationExpression
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GraphQLAPILambdaAuthorizerConfigObservation.
@@ -1223,16 +1513,74 @@ func (in *GraphQLAPIList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GraphQLAPIObservation) DeepCopyInto(out *GraphQLAPIObservation) {
 	*out = *in
+	if in.AdditionalAuthenticationProvider != nil {
+		in, out := &in.AdditionalAuthenticationProvider, &out.AdditionalAuthenticationProvider
+		*out = make([]AdditionalAuthenticationProviderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthenticationType != nil {
+		in, out := &in.AuthenticationType, &out.AuthenticationType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LambdaAuthorizerConfig != nil {
+		in, out := &in.LambdaAuthorizerConfig, &out.LambdaAuthorizerConfig
+		*out = make([]GraphQLAPILambdaAuthorizerConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LogConfig != nil {
+		in, out := &in.LogConfig, &out.LogConfig
+		*out = make([]LogConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OpenIDConnectConfig != nil {
+		in, out := &in.OpenIDConnectConfig, &out.OpenIDConnectConfig
+		*out = make([]GraphQLAPIOpenIDConnectConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Schema != nil {
+		in, out := &in.Schema, &out.Schema
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1263,6 +1611,18 @@ func (in *GraphQLAPIObservation) DeepCopyInto(out *GraphQLAPIObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserPoolConfig != nil {
+		in, out := &in.UserPoolConfig, &out.UserPoolConfig
+		*out = make([]GraphQLAPIUserPoolConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.XrayEnabled != nil {
+		in, out := &in.XrayEnabled, &out.XrayEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GraphQLAPIObservation.
@@ -1278,6 +1638,26 @@ func (in *GraphQLAPIObservation) DeepCopy() *GraphQLAPIObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GraphQLAPIOpenIDConnectConfigObservation) DeepCopyInto(out *GraphQLAPIOpenIDConnectConfigObservation) {
 	*out = *in
+	if in.AuthTTL != nil {
+		in, out := &in.AuthTTL, &out.AuthTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IatTTL != nil {
+		in, out := &in.IatTTL, &out.IatTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Issuer != nil {
+		in, out := &in.Issuer, &out.Issuer
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GraphQLAPIOpenIDConnectConfigObservation.
@@ -1452,6 +1832,26 @@ func (in *GraphQLAPIStatus) DeepCopy() *GraphQLAPIStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GraphQLAPIUserPoolConfigObservation) DeepCopyInto(out *GraphQLAPIUserPoolConfigObservation) {
 	*out = *in
+	if in.AppIDClientRegex != nil {
+		in, out := &in.AppIDClientRegex, &out.AppIDClientRegex
+		*out = new(string)
+		**out = **in
+	}
+	if in.AwsRegion != nil {
+		in, out := &in.AwsRegion, &out.AwsRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultAction != nil {
+		in, out := &in.DefaultAction, &out.DefaultAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GraphQLAPIUserPoolConfigObservation.
@@ -1512,6 +1912,18 @@ func (in *GraphQLAPIUserPoolConfigParameters) DeepCopy() *GraphQLAPIUserPoolConf
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPConfigObservation) DeepCopyInto(out *HTTPConfigObservation) {
 	*out = *in
+	if in.AuthorizationConfig != nil {
+		in, out := &in.AuthorizationConfig, &out.AuthorizationConfig
+		*out = make([]AuthorizationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPConfigObservation.
@@ -1554,6 +1966,31 @@ func (in *HTTPConfigParameters) DeepCopy() *HTTPConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPEndpointConfigObservation) DeepCopyInto(out *HTTPEndpointConfigObservation) {
 	*out = *in
+	if in.AwsSecretStoreArn != nil {
+		in, out := &in.AwsSecretStoreArn, &out.AwsSecretStoreArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBClusterIdentifier != nil {
+		in, out := &in.DBClusterIdentifier, &out.DBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schema != nil {
+		in, out := &in.Schema, &out.Schema
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPEndpointConfigObservation.
@@ -1609,6 +2046,21 @@ func (in *HTTPEndpointConfigParameters) DeepCopy() *HTTPEndpointConfigParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaAuthorizerConfigObservation) DeepCopyInto(out *LambdaAuthorizerConfigObservation) {
 	*out = *in
+	if in.AuthorizerResultTTLInSeconds != nil {
+		in, out := &in.AuthorizerResultTTLInSeconds, &out.AuthorizerResultTTLInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AuthorizerURI != nil {
+		in, out := &in.AuthorizerURI, &out.AuthorizerURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdentityValidationExpression != nil {
+		in, out := &in.IdentityValidationExpression, &out.IdentityValidationExpression
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaAuthorizerConfigObservation.
@@ -1654,6 +2106,11 @@ func (in *LambdaAuthorizerConfigParameters) DeepCopy() *LambdaAuthorizerConfigPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaConfigObservation) DeepCopyInto(out *LambdaConfigObservation) {
 	*out = *in
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaConfigObservation.
@@ -1689,6 +2146,11 @@ func (in *LambdaConfigParameters) DeepCopy() *LambdaConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaConflictHandlerConfigObservation) DeepCopyInto(out *LambdaConflictHandlerConfigObservation) {
 	*out = *in
+	if in.LambdaConflictHandlerArn != nil {
+		in, out := &in.LambdaConflictHandlerArn, &out.LambdaConflictHandlerArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaConflictHandlerConfigObservation.
@@ -1724,6 +2186,21 @@ func (in *LambdaConflictHandlerConfigParameters) DeepCopy() *LambdaConflictHandl
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogConfigObservation) DeepCopyInto(out *LogConfigObservation) {
 	*out = *in
+	if in.CloudwatchLogsRoleArn != nil {
+		in, out := &in.CloudwatchLogsRoleArn, &out.CloudwatchLogsRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExcludeVerboseContent != nil {
+		in, out := &in.ExcludeVerboseContent, &out.ExcludeVerboseContent
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FieldLogLevel != nil {
+		in, out := &in.FieldLogLevel, &out.FieldLogLevel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogConfigObservation.
@@ -1779,6 +2256,26 @@ func (in *LogConfigParameters) DeepCopy() *LogConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OpenIDConnectConfigObservation) DeepCopyInto(out *OpenIDConnectConfigObservation) {
 	*out = *in
+	if in.AuthTTL != nil {
+		in, out := &in.AuthTTL, &out.AuthTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IatTTL != nil {
+		in, out := &in.IatTTL, &out.IatTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Issuer != nil {
+		in, out := &in.Issuer, &out.Issuer
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectConfigObservation.
@@ -1829,6 +2326,17 @@ func (in *OpenIDConnectConfigParameters) DeepCopy() *OpenIDConnectConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PipelineConfigObservation) DeepCopyInto(out *PipelineConfigObservation) {
 	*out = *in
+	if in.Functions != nil {
+		in, out := &in.Functions, &out.Functions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PipelineConfigObservation.
@@ -1870,6 +2378,18 @@ func (in *PipelineConfigParameters) DeepCopy() *PipelineConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RelationalDatabaseConfigObservation) DeepCopyInto(out *RelationalDatabaseConfigObservation) {
 	*out = *in
+	if in.HTTPEndpointConfig != nil {
+		in, out := &in.HTTPEndpointConfig, &out.HTTPEndpointConfig
+		*out = make([]HTTPEndpointConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceType != nil {
+		in, out := &in.SourceType, &out.SourceType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RelationalDatabaseConfigObservation.
@@ -1971,16 +2491,89 @@ func (in *ResolverList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResolverObservation) DeepCopyInto(out *ResolverObservation) {
 	*out = *in
+	if in.APIID != nil {
+		in, out := &in.APIID, &out.APIID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.CachingConfig != nil {
+		in, out := &in.CachingConfig, &out.CachingConfig
+		*out = make([]CachingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Code != nil {
+		in, out := &in.Code, &out.Code
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSource != nil {
+		in, out := &in.DataSource, &out.DataSource
+		*out = new(string)
+		**out = **in
+	}
+	if in.Field != nil {
+		in, out := &in.Field, &out.Field
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Kind != nil {
+		in, out := &in.Kind, &out.Kind
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxBatchSize != nil {
+		in, out := &in.MaxBatchSize, &out.MaxBatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PipelineConfig != nil {
+		in, out := &in.PipelineConfig, &out.PipelineConfig
+		*out = make([]PipelineConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RequestTemplate != nil {
+		in, out := &in.RequestTemplate, &out.RequestTemplate
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseTemplate != nil {
+		in, out := &in.ResponseTemplate, &out.ResponseTemplate
+		*out = new(string)
+		**out = **in
+	}
+	if in.Runtime != nil {
+		in, out := &in.Runtime, &out.Runtime
+		*out = make([]ResolverRuntimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SyncConfig != nil {
+		in, out := &in.SyncConfig, &out.SyncConfig
+		*out = make([]ResolverSyncConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolverObservation.
@@ -2109,6 +2702,16 @@ func (in *ResolverParameters) DeepCopy() *ResolverParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResolverRuntimeObservation) DeepCopyInto(out *ResolverRuntimeObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuntimeVersion != nil {
+		in, out := &in.RuntimeVersion, &out.RuntimeVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolverRuntimeObservation.
@@ -2183,6 +2786,23 @@ func (in *ResolverStatus) DeepCopy() *ResolverStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResolverSyncConfigObservation) DeepCopyInto(out *ResolverSyncConfigObservation) {
 	*out = *in
+	if in.ConflictDetection != nil {
+		in, out := &in.ConflictDetection, &out.ConflictDetection
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConflictHandler != nil {
+		in, out := &in.ConflictHandler, &out.ConflictHandler
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaConflictHandlerConfig != nil {
+		in, out := &in.LambdaConflictHandlerConfig, &out.LambdaConflictHandlerConfig
+		*out = make([]SyncConfigLambdaConflictHandlerConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolverSyncConfigObservation.
@@ -2230,6 +2850,16 @@ func (in *ResolverSyncConfigParameters) DeepCopy() *ResolverSyncConfigParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuntimeObservation) DeepCopyInto(out *RuntimeObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuntimeVersion != nil {
+		in, out := &in.RuntimeVersion, &out.RuntimeVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeObservation.
@@ -2270,6 +2900,11 @@ func (in *RuntimeParameters) DeepCopy() *RuntimeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SyncConfigLambdaConflictHandlerConfigObservation) DeepCopyInto(out *SyncConfigLambdaConflictHandlerConfigObservation) {
 	*out = *in
+	if in.LambdaConflictHandlerArn != nil {
+		in, out := &in.LambdaConflictHandlerArn, &out.LambdaConflictHandlerArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SyncConfigLambdaConflictHandlerConfigObservation.
@@ -2305,6 +2940,23 @@ func (in *SyncConfigLambdaConflictHandlerConfigParameters) DeepCopy() *SyncConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SyncConfigObservation) DeepCopyInto(out *SyncConfigObservation) {
 	*out = *in
+	if in.ConflictDetection != nil {
+		in, out := &in.ConflictDetection, &out.ConflictDetection
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConflictHandler != nil {
+		in, out := &in.ConflictHandler, &out.ConflictHandler
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaConflictHandlerConfig != nil {
+		in, out := &in.LambdaConflictHandlerConfig, &out.LambdaConflictHandlerConfig
+		*out = make([]LambdaConflictHandlerConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SyncConfigObservation.
@@ -2352,6 +3004,21 @@ func (in *SyncConfigParameters) DeepCopy() *SyncConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserPoolConfigObservation) DeepCopyInto(out *UserPoolConfigObservation) {
 	*out = *in
+	if in.AppIDClientRegex != nil {
+		in, out := &in.AppIDClientRegex, &out.AppIDClientRegex
+		*out = new(string)
+		**out = **in
+	}
+	if in.AwsRegion != nil {
+		in, out := &in.AwsRegion, &out.AwsRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPoolConfigObservation.
diff --git a/apis/appsync/v1beta1/zz_graphqlapi_types.go b/apis/appsync/v1beta1/zz_graphqlapi_types.go
index f57a19ddf4..1f533bd3c4 100755
--- a/apis/appsync/v1beta1/zz_graphqlapi_types.go
+++ b/apis/appsync/v1beta1/zz_graphqlapi_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type AdditionalAuthenticationProviderObservation struct {
+
+	// Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
+	AuthenticationType *string `json:"authenticationType,omitempty" tf:"authentication_type,omitempty"`
+
+	// Nested argument containing Lambda authorizer configuration. Defined below.
+	LambdaAuthorizerConfig []LambdaAuthorizerConfigObservation `json:"lambdaAuthorizerConfig,omitempty" tf:"lambda_authorizer_config,omitempty"`
+
+	// Nested argument containing OpenID Connect configuration. Defined below.
+	OpenIDConnectConfig []OpenIDConnectConfigObservation `json:"openidConnectConfig,omitempty" tf:"openid_connect_config,omitempty"`
+
+	// Amazon Cognito User Pool configuration. Defined below.
+	UserPoolConfig []UserPoolConfigObservation `json:"userPoolConfig,omitempty" tf:"user_pool_config,omitempty"`
 }
 
 type AdditionalAuthenticationProviderParameters struct {
@@ -36,6 +48,15 @@ type AdditionalAuthenticationProviderParameters struct {
 }
 
 type GraphQLAPILambdaAuthorizerConfigObservation struct {
+
+	// Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
+	AuthorizerResultTTLInSeconds *float64 `json:"authorizerResultTtlInSeconds,omitempty" tf:"authorizer_result_ttl_in_seconds,omitempty"`
+
+	// ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
+	AuthorizerURI *string `json:"authorizerUri,omitempty" tf:"authorizer_uri,omitempty"`
+
+	// Regular expression for validation of tokens before the Lambda function is called.
+	IdentityValidationExpression *string `json:"identityValidationExpression,omitempty" tf:"identity_validation_expression,omitempty"`
 }
 
 type GraphQLAPILambdaAuthorizerConfigParameters struct {
@@ -55,20 +76,62 @@ type GraphQLAPILambdaAuthorizerConfigParameters struct {
 
 type GraphQLAPIObservation struct {
 
+	// One or more additional authentication providers for the GraphqlApi. Defined below.
+	AdditionalAuthenticationProvider []AdditionalAuthenticationProviderObservation `json:"additionalAuthenticationProvider,omitempty" tf:"additional_authentication_provider,omitempty"`
+
 	// ARN
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
+	AuthenticationType *string `json:"authenticationType,omitempty" tf:"authentication_type,omitempty"`
+
 	// API ID
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Nested argument containing Lambda authorizer configuration. Defined below.
+	LambdaAuthorizerConfig []GraphQLAPILambdaAuthorizerConfigObservation `json:"lambdaAuthorizerConfig,omitempty" tf:"lambda_authorizer_config,omitempty"`
+
+	// Nested argument containing logging configuration. Defined below.
+	LogConfig []LogConfigObservation `json:"logConfig,omitempty" tf:"log_config,omitempty"`
+
+	// User-supplied name for the GraphqlApi.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Nested argument containing OpenID Connect configuration. Defined below.
+	OpenIDConnectConfig []GraphQLAPIOpenIDConnectConfigObservation `json:"openidConnectConfig,omitempty" tf:"openid_connect_config,omitempty"`
+
+	// Schema definition, in GraphQL schema language format.
+	Schema *string `json:"schema,omitempty" tf:"schema,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Map of URIs associated with the APIE.g., uris["GRAPHQL"] = https://ID.appsync-api.REGION.amazonaws.com/graphql
 	Uris map[string]*string `json:"uris,omitempty" tf:"uris,omitempty"`
+
+	// Amazon Cognito User Pool configuration. Defined below.
+	UserPoolConfig []GraphQLAPIUserPoolConfigObservation `json:"userPoolConfig,omitempty" tf:"user_pool_config,omitempty"`
+
+	// Whether tracing with X-ray is enabled. Defaults to false.
+	XrayEnabled *bool `json:"xrayEnabled,omitempty" tf:"xray_enabled,omitempty"`
 }
 
 type GraphQLAPIOpenIDConnectConfigObservation struct {
+
+	// Number of milliseconds a token is valid after being authenticated.
+	AuthTTL *float64 `json:"authTtl,omitempty" tf:"auth_ttl,omitempty"`
+
+	// Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// Number of milliseconds a token is valid after being issued to a user.
+	IatTTL *float64 `json:"iatTtl,omitempty" tf:"iat_ttl,omitempty"`
+
+	// Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
+	Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
 }
 
 type GraphQLAPIOpenIDConnectConfigParameters struct {
@@ -97,8 +160,8 @@ type GraphQLAPIParameters struct {
 	AdditionalAuthenticationProvider []AdditionalAuthenticationProviderParameters `json:"additionalAuthenticationProvider,omitempty" tf:"additional_authentication_provider,omitempty"`
 
 	// Authentication type. Valid values: API_KEY, AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA
-	// +kubebuilder:validation:Required
-	AuthenticationType *string `json:"authenticationType" tf:"authentication_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthenticationType *string `json:"authenticationType,omitempty" tf:"authentication_type,omitempty"`
 
 	// Nested argument containing Lambda authorizer configuration. Defined below.
 	// +kubebuilder:validation:Optional
@@ -109,8 +172,8 @@ type GraphQLAPIParameters struct {
 	LogConfig []LogConfigParameters `json:"logConfig,omitempty" tf:"log_config,omitempty"`
 
 	// User-supplied name for the GraphqlApi.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Nested argument containing OpenID Connect configuration. Defined below.
 	// +kubebuilder:validation:Optional
@@ -139,6 +202,18 @@ type GraphQLAPIParameters struct {
 }
 
 type GraphQLAPIUserPoolConfigObservation struct {
+
+	// Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
+	AppIDClientRegex *string `json:"appIdClientRegex,omitempty" tf:"app_id_client_regex,omitempty"`
+
+	// AWS region in which the user pool was created.
+	AwsRegion *string `json:"awsRegion,omitempty" tf:"aws_region,omitempty"`
+
+	// Action that you want your GraphQL API to take when a request that uses Amazon Cognito User Pool authentication doesn't match the Amazon Cognito User Pool configuration. Valid: ALLOW and DENY
+	DefaultAction *string `json:"defaultAction,omitempty" tf:"default_action,omitempty"`
+
+	// User pool ID.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type GraphQLAPIUserPoolConfigParameters struct {
@@ -171,6 +246,15 @@ type GraphQLAPIUserPoolConfigParameters struct {
 }
 
 type LambdaAuthorizerConfigObservation struct {
+
+	// Number of seconds a response should be cached for. The default is 5 minutes (300 seconds). The Lambda function can override this by returning a ttlOverride key in its response. A value of 0 disables caching of responses. Minimum value of 0. Maximum value of 3600.
+	AuthorizerResultTTLInSeconds *float64 `json:"authorizerResultTtlInSeconds,omitempty" tf:"authorizer_result_ttl_in_seconds,omitempty"`
+
+	// ARN of the Lambda function to be called for authorization. Note: This Lambda function must have a resource-based policy assigned to it, to allow lambda:InvokeFunction from service principal appsync.amazonaws.com.
+	AuthorizerURI *string `json:"authorizerUri,omitempty" tf:"authorizer_uri,omitempty"`
+
+	// Regular expression for validation of tokens before the Lambda function is called.
+	IdentityValidationExpression *string `json:"identityValidationExpression,omitempty" tf:"identity_validation_expression,omitempty"`
 }
 
 type LambdaAuthorizerConfigParameters struct {
@@ -189,6 +273,15 @@ type LambdaAuthorizerConfigParameters struct {
 }
 
 type LogConfigObservation struct {
+
+	// Amazon Resource Name of the service role that AWS AppSync will assume to publish to Amazon CloudWatch logs in your account.
+	CloudwatchLogsRoleArn *string `json:"cloudwatchLogsRoleArn,omitempty" tf:"cloudwatch_logs_role_arn,omitempty"`
+
+	// Set to TRUE to exclude sections that contain information such as headers, context, and evaluated mapping templates, regardless of logging  level. Valid values: true, false. Default value: false
+	ExcludeVerboseContent *bool `json:"excludeVerboseContent,omitempty" tf:"exclude_verbose_content,omitempty"`
+
+	// Field logging level. Valid values: ALL, ERROR, NONE.
+	FieldLogLevel *string `json:"fieldLogLevel,omitempty" tf:"field_log_level,omitempty"`
 }
 
 type LogConfigParameters struct {
@@ -217,6 +310,18 @@ type LogConfigParameters struct {
 }
 
 type OpenIDConnectConfigObservation struct {
+
+	// Number of milliseconds a token is valid after being authenticated.
+	AuthTTL *float64 `json:"authTtl,omitempty" tf:"auth_ttl,omitempty"`
+
+	// Client identifier of the Relying party at the OpenID identity provider. This identifier is typically obtained when the Relying party is registered with the OpenID identity provider. You can specify a regular expression so the AWS AppSync can validate against multiple client identifiers at a time.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// Number of milliseconds a token is valid after being issued to a user.
+	IatTTL *float64 `json:"iatTtl,omitempty" tf:"iat_ttl,omitempty"`
+
+	// Issuer for the OpenID Connect configuration. The issuer returned by discovery MUST exactly match the value of iss in the ID Token.
+	Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
 }
 
 type OpenIDConnectConfigParameters struct {
@@ -239,6 +344,15 @@ type OpenIDConnectConfigParameters struct {
 }
 
 type UserPoolConfigObservation struct {
+
+	// Regular expression for validating the incoming Amazon Cognito User Pool app client ID.
+	AppIDClientRegex *string `json:"appIdClientRegex,omitempty" tf:"app_id_client_regex,omitempty"`
+
+	// AWS region in which the user pool was created.
+	AwsRegion *string `json:"awsRegion,omitempty" tf:"aws_region,omitempty"`
+
+	// User pool ID.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type UserPoolConfigParameters struct {
@@ -280,8 +394,10 @@ type GraphQLAPIStatus struct {
 type GraphQLAPI struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GraphQLAPISpec   `json:"spec"`
-	Status            GraphQLAPIStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authenticationType)",message="authenticationType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   GraphQLAPISpec   `json:"spec"`
+	Status GraphQLAPIStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/appsync/v1beta1/zz_resolver_types.go b/apis/appsync/v1beta1/zz_resolver_types.go
index 150b90f4b7..453087ff6e 100755
--- a/apis/appsync/v1beta1/zz_resolver_types.go
+++ b/apis/appsync/v1beta1/zz_resolver_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CachingConfigObservation struct {
+
+	// The caching keys for a resolver that has caching activated. Valid values are entries from the $context.arguments, $context.source, and $context.identity maps.
+	CachingKeys []*string `json:"cachingKeys,omitempty" tf:"caching_keys,omitempty"`
+
+	// The TTL in seconds for a resolver that has caching activated. Valid values are between 1 and 3600 seconds.
+	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
 }
 
 type CachingConfigParameters struct {
@@ -28,6 +34,9 @@ type CachingConfigParameters struct {
 }
 
 type PipelineConfigObservation struct {
+
+	// A list of Function objects.
+	Functions []*string `json:"functions,omitempty" tf:"functions,omitempty"`
 }
 
 type PipelineConfigParameters struct {
@@ -39,10 +48,49 @@ type PipelineConfigParameters struct {
 
 type ResolverObservation struct {
 
+	// API ID for the GraphQL API.
+	APIID *string `json:"apiId,omitempty" tf:"api_id,omitempty"`
+
 	// ARN
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Caching Config. See Caching Config.
+	CachingConfig []CachingConfigObservation `json:"cachingConfig,omitempty" tf:"caching_config,omitempty"`
+
+	// The function code that contains the request and response functions. When code is used, the runtime is required. The runtime value must be APPSYNC_JS.
+	Code *string `json:"code,omitempty" tf:"code,omitempty"`
+
+	// Data source name.
+	DataSource *string `json:"dataSource,omitempty" tf:"data_source,omitempty"`
+
+	// Field name from the schema defined in the GraphQL API.
+	Field *string `json:"field,omitempty" tf:"field,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Resolver type. Valid values are UNIT and PIPELINE.
+	Kind *string `json:"kind,omitempty" tf:"kind,omitempty"`
+
+	// Maximum batching size for a resolver. Valid values are between 0 and 2000.
+	MaxBatchSize *float64 `json:"maxBatchSize,omitempty" tf:"max_batch_size,omitempty"`
+
+	// The caching configuration for the resolver. See Pipeline Config.
+	PipelineConfig []PipelineConfigObservation `json:"pipelineConfig,omitempty" tf:"pipeline_config,omitempty"`
+
+	// Request mapping template for UNIT resolver or 'before mapping template' for PIPELINE resolver. Required for non-Lambda resolvers.
+	RequestTemplate *string `json:"requestTemplate,omitempty" tf:"request_template,omitempty"`
+
+	// Response mapping template for UNIT resolver or 'after mapping template' for PIPELINE resolver. Required for non-Lambda resolvers.
+	ResponseTemplate *string `json:"responseTemplate,omitempty" tf:"response_template,omitempty"`
+
+	// Describes a runtime used by an AWS AppSync pipeline resolver or AWS AppSync function. Specifies the name and version of the runtime to use. Note that if a runtime is specified, code must also be specified. See Runtime.
+	Runtime []ResolverRuntimeObservation `json:"runtime,omitempty" tf:"runtime,omitempty"`
+
+	// Describes a Sync configuration for a resolver. See Sync Config.
+	SyncConfig []ResolverSyncConfigObservation `json:"syncConfig,omitempty" tf:"sync_config,omitempty"`
+
+	// Type name from the schema defined in the GraphQL API.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ResolverParameters struct {
@@ -125,6 +173,12 @@ type ResolverParameters struct {
 }
 
 type ResolverRuntimeObservation struct {
+
+	// The name of the runtime to use. Currently, the only allowed value is APPSYNC_JS.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The version of the runtime to use. Currently, the only allowed version is 1.0.0.
+	RuntimeVersion *string `json:"runtimeVersion,omitempty" tf:"runtime_version,omitempty"`
 }
 
 type ResolverRuntimeParameters struct {
@@ -139,6 +193,15 @@ type ResolverRuntimeParameters struct {
 }
 
 type ResolverSyncConfigObservation struct {
+
+	// Conflict Detection strategy to use. Valid values are NONE and VERSION.
+	ConflictDetection *string `json:"conflictDetection,omitempty" tf:"conflict_detection,omitempty"`
+
+	// Conflict Resolution strategy to perform in the event of a conflict. Valid values are NONE, OPTIMISTIC_CONCURRENCY, AUTOMERGE, and LAMBDA.
+	ConflictHandler *string `json:"conflictHandler,omitempty" tf:"conflict_handler,omitempty"`
+
+	// Lambda Conflict Handler Config when configuring LAMBDA as the Conflict Handler. See Lambda Conflict Handler Config.
+	LambdaConflictHandlerConfig []SyncConfigLambdaConflictHandlerConfigObservation `json:"lambdaConflictHandlerConfig,omitempty" tf:"lambda_conflict_handler_config,omitempty"`
 }
 
 type ResolverSyncConfigParameters struct {
@@ -157,6 +220,9 @@ type ResolverSyncConfigParameters struct {
 }
 
 type SyncConfigLambdaConflictHandlerConfigObservation struct {
+
+	// ARN for the Lambda function to use as the Conflict Handler.
+	LambdaConflictHandlerArn *string `json:"lambdaConflictHandlerArn,omitempty" tf:"lambda_conflict_handler_arn,omitempty"`
 }
 
 type SyncConfigLambdaConflictHandlerConfigParameters struct {
diff --git a/apis/athena/v1beta1/zz_database_types.go b/apis/athena/v1beta1/zz_database_types.go
index 7114b2064b..3cd0b16ea9 100755
--- a/apis/athena/v1beta1/zz_database_types.go
+++ b/apis/athena/v1beta1/zz_database_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ACLConfigurationObservation struct {
+
+	// Amazon S3 canned ACL that Athena should specify when storing query results. Valid value is BUCKET_OWNER_FULL_CONTROL.
+	S3ACLOption *string `json:"s3AclOption,omitempty" tf:"s3_acl_option,omitempty"`
 }
 
 type ACLConfigurationParameters struct {
@@ -25,8 +28,29 @@ type ACLConfigurationParameters struct {
 
 type DatabaseObservation struct {
 
+	// That an Amazon S3 canned ACL should be set to control ownership of stored query results. See ACL Configuration below.
+	ACLConfiguration []ACLConfigurationObservation `json:"aclConfiguration,omitempty" tf:"acl_configuration,omitempty"`
+
+	// Name of S3 bucket to save the results of the query execution.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Description of the database.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// Encryption key block AWS Athena uses to decrypt the data in S3, such as an AWS Key Management Service (AWS KMS) key. See Encryption Configuration below.
+	EncryptionConfiguration []EncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// AWS account ID that you expect to be the owner of the Amazon S3 bucket.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
+	// Boolean that indicates all tables should be deleted from the database so that the database can be destroyed without error. The tables are not recoverable.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// Database name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Key-value map of custom metadata properties for the database definition.
+	Properties map[string]*string `json:"properties,omitempty" tf:"properties,omitempty"`
 }
 
 type DatabaseParameters struct {
@@ -76,6 +100,12 @@ type DatabaseParameters struct {
 }
 
 type EncryptionConfigurationObservation struct {
+
+	// Type of key; one of SSE_S3, SSE_KMS, CSE_KMS
+	EncryptionOption *string `json:"encryptionOption,omitempty" tf:"encryption_option,omitempty"`
+
+	// KMS key ARN or ID; required for key types SSE_KMS and CSE_KMS.
+	KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"`
 }
 
 type EncryptionConfigurationParameters struct {
diff --git a/apis/athena/v1beta1/zz_datacatalog_types.go b/apis/athena/v1beta1/zz_datacatalog_types.go
index 7a9958c4a1..91dbb13b9d 100755
--- a/apis/athena/v1beta1/zz_datacatalog_types.go
+++ b/apis/athena/v1beta1/zz_datacatalog_types.go
@@ -18,22 +18,34 @@ type DataCatalogObservation struct {
 	// ARN of the data catalog.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the data catalog.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Name of the data catalog.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key value pairs that specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Type of data catalog: LAMBDA for a federated catalog, GLUE for AWS Glue Catalog, or HIVE for an external hive metastore.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DataCatalogParameters struct {
 
 	// Description of the data catalog.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Key value pairs that specifies the Lambda function or functions to use for the data catalog. The mapping used depends on the catalog type.
-	// +kubebuilder:validation:Required
-	Parameters map[string]*string `json:"parameters" tf:"parameters,omitempty"`
+	// +kubebuilder:validation:Optional
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -45,8 +57,8 @@ type DataCatalogParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Type of data catalog: LAMBDA for a federated catalog, GLUE for AWS Glue Catalog, or HIVE for an external hive metastore.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // DataCatalogSpec defines the desired state of DataCatalog
@@ -73,8 +85,11 @@ type DataCatalogStatus struct {
 type DataCatalog struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DataCatalogSpec   `json:"spec"`
-	Status            DataCatalogStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parameters)",message="parameters is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   DataCatalogSpec   `json:"spec"`
+	Status DataCatalogStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/athena/v1beta1/zz_generated.deepcopy.go b/apis/athena/v1beta1/zz_generated.deepcopy.go
index 0218bf692b..d82b88eada 100644
--- a/apis/athena/v1beta1/zz_generated.deepcopy.go
+++ b/apis/athena/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ACLConfigurationObservation) DeepCopyInto(out *ACLConfigurationObservation) {
 	*out = *in
+	if in.S3ACLOption != nil {
+		in, out := &in.S3ACLOption, &out.S3ACLOption
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACLConfigurationObservation.
@@ -52,6 +57,16 @@ func (in *ACLConfigurationParameters) DeepCopy() *ACLConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation) {
 	*out = *in
+	if in.BytesScannedCutoffPerQuery != nil {
+		in, out := &in.BytesScannedCutoffPerQuery, &out.BytesScannedCutoffPerQuery
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EnforceWorkgroupConfiguration != nil {
+		in, out := &in.EnforceWorkgroupConfiguration, &out.EnforceWorkgroupConfiguration
+		*out = new(bool)
+		**out = **in
+	}
 	if in.EngineVersion != nil {
 		in, out := &in.EngineVersion, &out.EngineVersion
 		*out = make([]EngineVersionObservation, len(*in))
@@ -59,6 +74,28 @@ func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation)
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ExecutionRole != nil {
+		in, out := &in.ExecutionRole, &out.ExecutionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublishCloudwatchMetricsEnabled != nil {
+		in, out := &in.PublishCloudwatchMetricsEnabled, &out.PublishCloudwatchMetricsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequesterPaysEnabled != nil {
+		in, out := &in.RequesterPaysEnabled, &out.RequesterPaysEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ResultConfiguration != nil {
+		in, out := &in.ResultConfiguration, &out.ResultConfiguration
+		*out = make([]ResultConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationObservation.
@@ -192,11 +229,46 @@ func (in *DataCatalogObservation) DeepCopyInto(out *DataCatalogObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -212,6 +284,11 @@ func (in *DataCatalogObservation) DeepCopyInto(out *DataCatalogObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataCatalogObservation.
@@ -380,11 +457,60 @@ func (in *DatabaseList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DatabaseObservation) DeepCopyInto(out *DatabaseObservation) {
 	*out = *in
+	if in.ACLConfiguration != nil {
+		in, out := &in.ACLConfiguration, &out.ACLConfiguration
+		*out = make([]ACLConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]EncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DatabaseObservation.
@@ -513,6 +639,16 @@ func (in *DatabaseStatus) DeepCopy() *DatabaseStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigurationObservation) DeepCopyInto(out *EncryptionConfigurationObservation) {
 	*out = *in
+	if in.EncryptionOption != nil {
+		in, out := &in.EncryptionOption, &out.EncryptionOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKey != nil {
+		in, out := &in.KMSKey, &out.KMSKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigurationObservation.
@@ -558,6 +694,11 @@ func (in *EngineVersionObservation) DeepCopyInto(out *EngineVersionObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.SelectedEngineVersion != nil {
+		in, out := &in.SelectedEngineVersion, &out.SelectedEngineVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EngineVersionObservation.
@@ -652,11 +793,36 @@ func (in *NamedQueryList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NamedQueryObservation) DeepCopyInto(out *NamedQueryObservation) {
 	*out = *in
+	if in.Database != nil {
+		in, out := &in.Database, &out.Database
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Query != nil {
+		in, out := &in.Query, &out.Query
+		*out = new(string)
+		**out = **in
+	}
+	if in.Workgroup != nil {
+		in, out := &in.Workgroup, &out.Workgroup
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedQueryObservation.
@@ -771,6 +937,11 @@ func (in *NamedQueryStatus) DeepCopy() *NamedQueryStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResultConfigurationACLConfigurationObservation) DeepCopyInto(out *ResultConfigurationACLConfigurationObservation) {
 	*out = *in
+	if in.S3ACLOption != nil {
+		in, out := &in.S3ACLOption, &out.S3ACLOption
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResultConfigurationACLConfigurationObservation.
@@ -806,6 +977,16 @@ func (in *ResultConfigurationACLConfigurationParameters) DeepCopy() *ResultConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResultConfigurationEncryptionConfigurationObservation) DeepCopyInto(out *ResultConfigurationEncryptionConfigurationObservation) {
 	*out = *in
+	if in.EncryptionOption != nil {
+		in, out := &in.EncryptionOption, &out.EncryptionOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResultConfigurationEncryptionConfigurationObservation.
@@ -856,6 +1037,30 @@ func (in *ResultConfigurationEncryptionConfigurationParameters) DeepCopy() *Resu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResultConfigurationObservation) DeepCopyInto(out *ResultConfigurationObservation) {
 	*out = *in
+	if in.ACLConfiguration != nil {
+		in, out := &in.ACLConfiguration, &out.ACLConfiguration
+		*out = make([]ResultConfigurationACLConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]ResultConfigurationEncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputLocation != nil {
+		in, out := &in.OutputLocation, &out.OutputLocation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResultConfigurationObservation.
@@ -981,11 +1186,41 @@ func (in *WorkgroupObservation) DeepCopyInto(out *WorkgroupObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/athena/v1beta1/zz_namedquery_types.go b/apis/athena/v1beta1/zz_namedquery_types.go
index 63a0bc43c1..efd6a6fc8c 100755
--- a/apis/athena/v1beta1/zz_namedquery_types.go
+++ b/apis/athena/v1beta1/zz_namedquery_types.go
@@ -15,8 +15,23 @@ import (
 
 type NamedQueryObservation struct {
 
+	// Database to which the query belongs.
+	Database *string `json:"database,omitempty" tf:"database,omitempty"`
+
+	// Brief explanation of the query. Maximum length of 1024.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Unique ID of the query.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Plain language name for the query. Maximum length of 128.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Text of the query itself. In other words, all query statements. Maximum length of 262144.
+	Query *string `json:"query,omitempty" tf:"query,omitempty"`
+
+	// Workgroup to which the query belongs. Defaults to primary
+	Workgroup *string `json:"workgroup,omitempty" tf:"workgroup,omitempty"`
 }
 
 type NamedQueryParameters struct {
@@ -39,12 +54,12 @@ type NamedQueryParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Plain language name for the query. Maximum length of 128.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Text of the query itself. In other words, all query statements. Maximum length of 262144.
-	// +kubebuilder:validation:Required
-	Query *string `json:"query" tf:"query,omitempty"`
+	// +kubebuilder:validation:Optional
+	Query *string `json:"query,omitempty" tf:"query,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -90,8 +105,10 @@ type NamedQueryStatus struct {
 type NamedQuery struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NamedQuerySpec   `json:"spec"`
-	Status            NamedQueryStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.query)",message="query is a required parameter"
+	Spec   NamedQuerySpec   `json:"spec"`
+	Status NamedQueryStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/athena/v1beta1/zz_workgroup_types.go b/apis/athena/v1beta1/zz_workgroup_types.go
index 3e3a83017b..139434e45e 100755
--- a/apis/athena/v1beta1/zz_workgroup_types.go
+++ b/apis/athena/v1beta1/zz_workgroup_types.go
@@ -15,9 +15,26 @@ import (
 
 type ConfigurationObservation struct {
 
+	// Integer for the upper data usage limit (cutoff) for the amount of bytes a single query in a workgroup is allowed to scan. Must be at least 10485760.
+	BytesScannedCutoffPerQuery *float64 `json:"bytesScannedCutoffPerQuery,omitempty" tf:"bytes_scanned_cutoff_per_query,omitempty"`
+
+	// Boolean whether the settings for the workgroup override client-side settings. For more information, see Workgroup Settings Override Client-Side Settings. Defaults to true.
+	EnforceWorkgroupConfiguration *bool `json:"enforceWorkgroupConfiguration,omitempty" tf:"enforce_workgroup_configuration,omitempty"`
+
 	// Configuration block for the Athena Engine Versioning. For more information, see Athena Engine Versioning. See Engine Version below.
-	// +kubebuilder:validation:Optional
 	EngineVersion []EngineVersionObservation `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
+	// Role used in a notebook session for accessing the user's resources.
+	ExecutionRole *string `json:"executionRole,omitempty" tf:"execution_role,omitempty"`
+
+	// Boolean whether Amazon CloudWatch metrics are enabled for the workgroup. Defaults to true.
+	PublishCloudwatchMetricsEnabled *bool `json:"publishCloudwatchMetricsEnabled,omitempty" tf:"publish_cloudwatch_metrics_enabled,omitempty"`
+
+	// If set to true , allows members assigned to a workgroup to reference Amazon S3 Requester Pays buckets in queries. If set to false , workgroup members cannot query data from Requester Pays buckets, and queries that retrieve data from Requester Pays buckets cause an error. The default is false . For more information about Requester Pays buckets, see Requester Pays Buckets in the Amazon Simple Storage Service Developer Guide.
+	RequesterPaysEnabled *bool `json:"requesterPaysEnabled,omitempty" tf:"requester_pays_enabled,omitempty"`
+
+	// Configuration block with result settings. See Result Configuration below.
+	ResultConfiguration []ResultConfigurationObservation `json:"resultConfiguration,omitempty" tf:"result_configuration,omitempty"`
 }
 
 type ConfigurationParameters struct {
@@ -55,6 +72,9 @@ type EngineVersionObservation struct {
 
 	// The engine version on which the query runs. If selected_engine_version is set to AUTO, the effective engine version is chosen by Athena.
 	EffectiveEngineVersion *string `json:"effectiveEngineVersion,omitempty" tf:"effective_engine_version,omitempty"`
+
+	// Requested engine version. Defaults to AUTO.
+	SelectedEngineVersion *string `json:"selectedEngineVersion,omitempty" tf:"selected_engine_version,omitempty"`
 }
 
 type EngineVersionParameters struct {
@@ -65,6 +85,9 @@ type EngineVersionParameters struct {
 }
 
 type ResultConfigurationACLConfigurationObservation struct {
+
+	// Amazon S3 canned ACL that Athena should specify when storing query results. Valid value is BUCKET_OWNER_FULL_CONTROL.
+	S3ACLOption *string `json:"s3AclOption,omitempty" tf:"s3_acl_option,omitempty"`
 }
 
 type ResultConfigurationACLConfigurationParameters struct {
@@ -75,6 +98,12 @@ type ResultConfigurationACLConfigurationParameters struct {
 }
 
 type ResultConfigurationEncryptionConfigurationObservation struct {
+
+	// Whether Amazon S3 server-side encryption with Amazon S3-managed keys (SSE_S3), server-side encryption with KMS-managed keys (SSE_KMS), or client-side encryption with KMS-managed keys (CSE_KMS) is used. If a query runs in a workgroup and the workgroup overrides client-side settings, then the workgroup's setting for encryption is used. It specifies whether query results must be encrypted, for all queries that run in this workgroup.
+	EncryptionOption *string `json:"encryptionOption,omitempty" tf:"encryption_option,omitempty"`
+
+	// For SSE_KMS and CSE_KMS, this is the KMS key ARN.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
 }
 
 type ResultConfigurationEncryptionConfigurationParameters struct {
@@ -99,6 +128,18 @@ type ResultConfigurationEncryptionConfigurationParameters struct {
 }
 
 type ResultConfigurationObservation struct {
+
+	// That an Amazon S3 canned ACL should be set to control ownership of stored query results. See ACL Configuration below.
+	ACLConfiguration []ResultConfigurationACLConfigurationObservation `json:"aclConfiguration,omitempty" tf:"acl_configuration,omitempty"`
+
+	// Configuration block with encryption settings. See Encryption Configuration below.
+	EncryptionConfiguration []ResultConfigurationEncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// AWS account ID that you expect to be the owner of the Amazon S3 bucket.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
+	// Location in Amazon S3 where your query results are stored, such as s3://path/to/query/bucket/. For more information, see Queries and Query Result Files.
+	OutputLocation *string `json:"outputLocation,omitempty" tf:"output_location,omitempty"`
 }
 
 type ResultConfigurationParameters struct {
@@ -126,12 +167,23 @@ type WorkgroupObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Configuration block with various settings for the workgroup. Documented below.
-	// +kubebuilder:validation:Optional
 	Configuration []ConfigurationObservation `json:"configuration,omitempty" tf:"configuration,omitempty"`
 
+	// Description of the workgroup.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Option to delete the workgroup and its contents even if the workgroup contains any named queries.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// Workgroup name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// State of the workgroup. Valid values are DISABLED or ENABLED. Defaults to ENABLED.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/autoscaling/v1beta1/zz_attachment_types.go b/apis/autoscaling/v1beta1/zz_attachment_types.go
index 9e35269c9d..e51e39b7b9 100755
--- a/apis/autoscaling/v1beta1/zz_attachment_types.go
+++ b/apis/autoscaling/v1beta1/zz_attachment_types.go
@@ -14,7 +14,20 @@ import (
 )
 
 type AttachmentObservation struct {
+
+	// ARN of an ALB Target Group.
+	ALBTargetGroupArn *string `json:"albTargetGroupArn,omitempty" tf:"alb_target_group_arn,omitempty"`
+
+	// Name of ASG to associate with the ELB.
+	AutoscalingGroupName *string `json:"autoscalingGroupName,omitempty" tf:"autoscaling_group_name,omitempty"`
+
+	// Name of the ELB.
+	ELB *string `json:"elb,omitempty" tf:"elb,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ARN of a load balancer target group.
+	LBTargetGroupArn *string `json:"lbTargetGroupArn,omitempty" tf:"lb_target_group_arn,omitempty"`
 }
 
 type AttachmentParameters struct {
diff --git a/apis/autoscaling/v1beta1/zz_autoscalinggroup_types.go b/apis/autoscaling/v1beta1/zz_autoscalinggroup_types.go
index 78204a7c26..a3d41997eb 100755
--- a/apis/autoscaling/v1beta1/zz_autoscalinggroup_types.go
+++ b/apis/autoscaling/v1beta1/zz_autoscalinggroup_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AcceleratorCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type AcceleratorCountParameters struct {
@@ -28,6 +34,12 @@ type AcceleratorCountParameters struct {
 }
 
 type AcceleratorTotalMemoryMibObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type AcceleratorTotalMemoryMibParameters struct {
@@ -46,15 +58,136 @@ type AutoscalingGroupObservation struct {
 	// ARN for this Auto Scaling Group
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of one or more availability zones for the group. Used for EC2-Classic, attaching a network interface via id from a launch template and default subnets when not specified with vpc_zone_identifier argument. Conflicts with vpc_zone_identifier.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	// Whether capacity rebalance is enabled. Otherwise, capacity rebalance is disabled.
+	CapacityRebalance *bool `json:"capacityRebalance,omitempty" tf:"capacity_rebalance,omitempty"`
+
+	// Reserved.
+	Context *string `json:"context,omitempty" tf:"context,omitempty"`
+
+	// Amount of time, in seconds, after a scaling activity completes before another scaling activity can start.
+	DefaultCooldown *float64 `json:"defaultCooldown,omitempty" tf:"default_cooldown,omitempty"`
+
+	// Amount of time, in seconds, until a newly launched instance can contribute to the Amazon CloudWatch metrics. This delay lets an instance finish initializing before Amazon EC2 Auto Scaling aggregates instance metrics, resulting in more reliable usage data. Set this value equal to the amount of time that it takes for resource consumption to become stable after an instance reaches the InService state. (See Set the default instance warmup for an Auto Scaling group)
+	DefaultInstanceWarmup *float64 `json:"defaultInstanceWarmup,omitempty" tf:"default_instance_warmup,omitempty"`
+
+	// Number of Amazon EC2 instances that
+	// should be running in the group. (See also Waiting for
+	// Capacity below.)
+	DesiredCapacity *float64 `json:"desiredCapacity,omitempty" tf:"desired_capacity,omitempty"`
+
+	// The unit of measurement for the value specified for desired_capacity. Supported for attribute-based instance type selection only. Valid values: "units", "vcpu", "memory-mib".
+	DesiredCapacityType *string `json:"desiredCapacityType,omitempty" tf:"desired_capacity_type,omitempty"`
+
+	// List of metrics to collect. The allowed values are defined by the underlying AWS API.
+	EnabledMetrics []*string `json:"enabledMetrics,omitempty" tf:"enabled_metrics,omitempty"`
+
+	// Allows deleting the Auto Scaling Group without waiting
+	// for all instances in the pool to terminate.  You can force an Auto Scaling Group to delete
+	// even if it's in the process of scaling a resource.  This bypasses that
+	// behavior and potentially leaves resources dangling.
+	ForceDelete *bool `json:"forceDelete,omitempty" tf:"force_delete,omitempty"`
+
+	// If this block is configured, add a Warm Pool
+	// to the specified Auto Scaling group. Defined below
+	ForceDeleteWarmPool *bool `json:"forceDeleteWarmPool,omitempty" tf:"force_delete_warm_pool,omitempty"`
+
+	// Time (in seconds) after instance comes into service before checking health.
+	HealthCheckGracePeriod *float64 `json:"healthCheckGracePeriod,omitempty" tf:"health_check_grace_period,omitempty"`
+
+	// "EC2" or "ELB". Controls how health checking is done.
+	HealthCheckType *string `json:"healthCheckType,omitempty" tf:"health_check_type,omitempty"`
+
 	// Auto Scaling Group id.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// One or more
+	// Lifecycle Hooks
+	// to attach to the Auto Scaling Group before instances are launched. The
+	// syntax is exactly the same as the separate
+	// aws_autoscaling_lifecycle_hook
+	// resource, without the autoscaling_group_name attribute. Please note that this will only work when creating
+	// a new Auto Scaling Group. For all other use-cases, please use aws_autoscaling_lifecycle_hook resource.
+	InitialLifecycleHook []InitialLifecycleHookObservation `json:"initialLifecycleHook,omitempty" tf:"initial_lifecycle_hook,omitempty"`
+
+	// If this block is configured, start an
+	// Instance Refresh
+	// when this Auto Scaling Group is updated. Defined below.
+	InstanceRefresh []InstanceRefreshObservation `json:"instanceRefresh,omitempty" tf:"instance_refresh,omitempty"`
+
+	// Name of the launch configuration to use.
+	LaunchConfiguration *string `json:"launchConfiguration,omitempty" tf:"launch_configuration,omitempty"`
+
+	// Nested argument with Launch template specification to use to launch instances. See Launch Template below for more details.
+	LaunchTemplate []LaunchTemplateObservation `json:"launchTemplate,omitempty" tf:"launch_template,omitempty"`
+
 	// List of elastic load balancer names to add to the autoscaling
 	// group names. Only valid for classic load balancers. For ALBs, use target_group_arns instead.
 	LoadBalancers []*string `json:"loadBalancers,omitempty" tf:"load_balancers,omitempty"`
 
+	// Maximum amount of time, in seconds, that an instance can be in service, values must be either equal to 0 or between 86400 and 31536000 seconds.
+	MaxInstanceLifetime *float64 `json:"maxInstanceLifetime,omitempty" tf:"max_instance_lifetime,omitempty"`
+
+	// Maximum size of the Auto Scaling Group.
+	MaxSize *float64 `json:"maxSize,omitempty" tf:"max_size,omitempty"`
+
+	// Granularity to associate with the metrics to collect. The only valid value is 1Minute. Default is 1Minute.
+	MetricsGranularity *string `json:"metricsGranularity,omitempty" tf:"metrics_granularity,omitempty"`
+
+	// Updates will not wait on ELB instance number changes.
+	// (See also Waiting for Capacity below.)
+	MinELBCapacity *float64 `json:"minElbCapacity,omitempty" tf:"min_elb_capacity,omitempty"`
+
+	// Minimum size of the Auto Scaling Group.
+	// (See also Waiting for Capacity below.)
+	MinSize *float64 `json:"minSize,omitempty" tf:"min_size,omitempty"`
+
+	// Configuration block containing settings to define launch targets for Auto Scaling groups. See Mixed Instances Policy below for more details.
+	MixedInstancesPolicy []MixedInstancesPolicyObservation `json:"mixedInstancesPolicy,omitempty" tf:"mixed_instances_policy,omitempty"`
+
+	// Name of the placement group into which you'll launch your instances, if any.
+	PlacementGroup *string `json:"placementGroup,omitempty" tf:"placement_group,omitempty"`
+
+	// in protection
+	// in the Amazon EC2 Auto Scaling User Guide.
+	ProtectFromScaleIn *bool `json:"protectFromScaleIn,omitempty" tf:"protect_from_scale_in,omitempty"`
+
+	// linked role that the ASG will use to call other AWS services
+	ServiceLinkedRoleArn *string `json:"serviceLinkedRoleArn,omitempty" tf:"service_linked_role_arn,omitempty"`
+
+	// List of processes to suspend for the Auto Scaling Group. The allowed values are Launch, Terminate, HealthCheck, ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions, AddToLoadBalancer, InstanceRefresh.
+	// Note that if you suspend either the Launch or Terminate process types, it can prevent your Auto Scaling Group from functioning properly.
+	SuspendedProcesses []*string `json:"suspendedProcesses,omitempty" tf:"suspended_processes,omitempty"`
+
+	// Configuration block(s) containing resource tags. Conflicts with tags. See Tag below for more details.
+	Tag []TagObservation `json:"tag,omitempty" tf:"tag,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags []map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Set of aws_alb_target_group ARNs, for use with Application or Network Load Balancing.
 	TargetGroupArns []*string `json:"targetGroupArns,omitempty" tf:"target_group_arns,omitempty"`
+
+	// List of policies to decide how the instances in the Auto Scaling Group should be terminated. The allowed values are OldestInstance, NewestInstance, OldestLaunchConfiguration, ClosestToNextInstanceHour, OldestLaunchTemplate, AllocationStrategy, Default. Additionally, the ARN of a Lambda function can be specified for custom termination policies.
+	TerminationPolicies []*string `json:"terminationPolicies,omitempty" tf:"termination_policies,omitempty"`
+
+	// List of subnet IDs to launch resources in. Subnets automatically determine which availability zones the group will reside. Conflicts with availability_zones.
+	VPCZoneIdentifier []*string `json:"vpcZoneIdentifier,omitempty" tf:"vpc_zone_identifier,omitempty"`
+
+	// (See also Waiting
+	// for Capacity below.
+	WaitForCapacityTimeout *string `json:"waitForCapacityTimeout,omitempty" tf:"wait_for_capacity_timeout,omitempty"`
+
+	// (Takes
+	// precedence over min_elb_capacity behavior.)
+	// (See also Waiting for Capacity below.)
+	WaitForELBCapacity *float64 `json:"waitForElbCapacity,omitempty" tf:"wait_for_elb_capacity,omitempty"`
+
+	// If this block is configured, add a Warm Pool
+	// to the specified Auto Scaling group. Defined below
+	WarmPool []WarmPoolObservation `json:"warmPool,omitempty" tf:"warm_pool,omitempty"`
 }
 
 type AutoscalingGroupParameters struct {
@@ -151,8 +284,8 @@ type AutoscalingGroupParameters struct {
 	MaxInstanceLifetime *float64 `json:"maxInstanceLifetime,omitempty" tf:"max_instance_lifetime,omitempty"`
 
 	// Maximum size of the Auto Scaling Group.
-	// +kubebuilder:validation:Required
-	MaxSize *float64 `json:"maxSize" tf:"max_size,omitempty"`
+	// +kubebuilder:validation:Optional
+	MaxSize *float64 `json:"maxSize,omitempty" tf:"max_size,omitempty"`
 
 	// Granularity to associate with the metrics to collect. The only valid value is 1Minute. Default is 1Minute.
 	// +kubebuilder:validation:Optional
@@ -165,8 +298,8 @@ type AutoscalingGroupParameters struct {
 
 	// Minimum size of the Auto Scaling Group.
 	// (See also Waiting for Capacity below.)
-	// +kubebuilder:validation:Required
-	MinSize *float64 `json:"minSize" tf:"min_size,omitempty"`
+	// +kubebuilder:validation:Optional
+	MinSize *float64 `json:"minSize,omitempty" tf:"min_size,omitempty"`
 
 	// Configuration block containing settings to define launch targets for Auto Scaling groups. See Mixed Instances Policy below for more details.
 	// +kubebuilder:validation:Optional
@@ -258,6 +391,12 @@ type AutoscalingGroupParameters struct {
 }
 
 type BaselineEBSBandwidthMbpsObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type BaselineEBSBandwidthMbpsParameters struct {
@@ -272,6 +411,22 @@ type BaselineEBSBandwidthMbpsParameters struct {
 }
 
 type InitialLifecycleHookObservation struct {
+	DefaultResult *string `json:"defaultResult,omitempty" tf:"default_result,omitempty"`
+
+	HeartbeatTimeout *float64 `json:"heartbeatTimeout,omitempty" tf:"heartbeat_timeout,omitempty"`
+
+	LifecycleTransition *string `json:"lifecycleTransition,omitempty" tf:"lifecycle_transition,omitempty"`
+
+	// Name of the Auto Scaling Group. Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	NotificationMetadata *string `json:"notificationMetadata,omitempty" tf:"notification_metadata,omitempty"`
+
+	// ARN for this Auto Scaling Group
+	NotificationTargetArn *string `json:"notificationTargetArn,omitempty" tf:"notification_target_arn,omitempty"`
+
+	// ARN for this Auto Scaling Group
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type InitialLifecycleHookParameters struct {
@@ -302,6 +457,15 @@ type InitialLifecycleHookParameters struct {
 }
 
 type InstanceRefreshObservation struct {
+
+	// Override default parameters for Instance Refresh.
+	Preferences []PreferencesObservation `json:"preferences,omitempty" tf:"preferences,omitempty"`
+
+	// Strategy to use for instance refresh. The only allowed value is Rolling. See StartInstanceRefresh Action for more information.
+	Strategy *string `json:"strategy,omitempty" tf:"strategy,omitempty"`
+
+	// Set of additional property names that will trigger an Instance Refresh. A refresh will always be triggered by a change in any of launch_configuration, launch_template, or mixed_instances_policy.
+	Triggers []*string `json:"triggers,omitempty" tf:"triggers,omitempty"`
 }
 
 type InstanceRefreshParameters struct {
@@ -320,6 +484,69 @@ type InstanceRefreshParameters struct {
 }
 
 type InstanceRequirementsObservation struct {
+
+	// Block describing the minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips). Default is no minimum or maximum.
+	AcceleratorCount []AcceleratorCountObservation `json:"acceleratorCount,omitempty" tf:"accelerator_count,omitempty"`
+
+	// List of accelerator manufacturer names. Default is any manufacturer.
+	AcceleratorManufacturers []*string `json:"acceleratorManufacturers,omitempty" tf:"accelerator_manufacturers,omitempty"`
+
+	// List of accelerator names. Default is any acclerator.
+	AcceleratorNames []*string `json:"acceleratorNames,omitempty" tf:"accelerator_names,omitempty"`
+
+	// Block describing the minimum and maximum total memory of the accelerators. Default is no minimum or maximum.
+	AcceleratorTotalMemoryMib []AcceleratorTotalMemoryMibObservation `json:"acceleratorTotalMemoryMib,omitempty" tf:"accelerator_total_memory_mib,omitempty"`
+
+	// List of accelerator types. Default is any accelerator type.
+	AcceleratorTypes []*string `json:"acceleratorTypes,omitempty" tf:"accelerator_types,omitempty"`
+
+	// Indicate whether bare metal instace types should be included, excluded, or required. Default is excluded.
+	BareMetal *string `json:"bareMetal,omitempty" tf:"bare_metal,omitempty"`
+
+	// Block describing the minimum and maximum baseline EBS bandwidth, in Mbps. Default is no minimum or maximum.
+	BaselineEBSBandwidthMbps []BaselineEBSBandwidthMbpsObservation `json:"baselineEbsBandwidthMbps,omitempty" tf:"baseline_ebs_bandwidth_mbps,omitempty"`
+
+	// Indicate whether burstable performance instance types should be included, excluded, or required. Default is excluded.
+	BurstablePerformance *string `json:"burstablePerformance,omitempty" tf:"burstable_performance,omitempty"`
+
+	// List of CPU manufacturer names. Default is any manufacturer.
+	CPUManufacturers []*string `json:"cpuManufacturers,omitempty" tf:"cpu_manufacturers,omitempty"`
+
+	// List of instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk (*). The following are examples: c5*, m5a.*, r*, *3*. For example, if you specify c5*, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify m5a.*, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types.
+	ExcludedInstanceTypes []*string `json:"excludedInstanceTypes,omitempty" tf:"excluded_instance_types,omitempty"`
+
+	// List of instance generation names. Default is any generation.
+	InstanceGenerations []*string `json:"instanceGenerations,omitempty" tf:"instance_generations,omitempty"`
+
+	// Indicate whether instance types with local storage volumes are included, excluded, or required. Default is included.
+	LocalStorage *string `json:"localStorage,omitempty" tf:"local_storage,omitempty"`
+
+	// List of local storage type names. Default any storage type.
+	LocalStorageTypes []*string `json:"localStorageTypes,omitempty" tf:"local_storage_types,omitempty"`
+
+	// Block describing the minimum and maximum amount of memory (GiB) per vCPU. Default is no minimum or maximum.
+	MemoryGibPerVcpu []MemoryGibPerVcpuObservation `json:"memoryGibPerVcpu,omitempty" tf:"memory_gib_per_vcpu,omitempty"`
+
+	// Block describing the minimum and maximum amount of memory (MiB). Default is no maximum.
+	MemoryMib []MemoryMibObservation `json:"memoryMib,omitempty" tf:"memory_mib,omitempty"`
+
+	// Block describing the minimum and maximum number of network interfaces. Default is no minimum or maximum.
+	NetworkInterfaceCount []NetworkInterfaceCountObservation `json:"networkInterfaceCount,omitempty" tf:"network_interface_count,omitempty"`
+
+	// Price protection threshold for On-Demand Instances. This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 20.
+	OnDemandMaxPricePercentageOverLowestPrice *float64 `json:"onDemandMaxPricePercentageOverLowestPrice,omitempty" tf:"on_demand_max_price_percentage_over_lowest_price,omitempty"`
+
+	// Indicate whether instance types must support On-Demand Instance Hibernation, either true or false. Default is false.
+	RequireHibernateSupport *bool `json:"requireHibernateSupport,omitempty" tf:"require_hibernate_support,omitempty"`
+
+	// Price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 100.
+	SpotMaxPricePercentageOverLowestPrice *float64 `json:"spotMaxPricePercentageOverLowestPrice,omitempty" tf:"spot_max_price_percentage_over_lowest_price,omitempty"`
+
+	// Block describing the minimum and maximum total local storage (GB). Default is no minimum or maximum.
+	TotalLocalStorageGb []TotalLocalStorageGbObservation `json:"totalLocalStorageGb,omitempty" tf:"total_local_storage_gb,omitempty"`
+
+	// Block describing the minimum and maximum number of vCPUs. Default is no maximum.
+	VcpuCount []VcpuCountObservation `json:"vcpuCount,omitempty" tf:"vcpu_count,omitempty"`
 }
 
 type InstanceRequirementsParameters struct {
@@ -410,6 +637,9 @@ type InstanceRequirementsParameters struct {
 }
 
 type InstanceReusePolicyObservation struct {
+
+	// Whether instances in the Auto Scaling group can be returned to the warm pool on scale in.
+	ReuseOnScaleIn *bool `json:"reuseOnScaleIn,omitempty" tf:"reuse_on_scale_in,omitempty"`
 }
 
 type InstanceReusePolicyParameters struct {
@@ -420,6 +650,24 @@ type InstanceReusePolicyParameters struct {
 }
 
 type InstancesDistributionObservation struct {
+
+	// Strategy to use when launching on-demand instances. Valid values: prioritized, lowest-price. Default: prioritized.
+	OnDemandAllocationStrategy *string `json:"onDemandAllocationStrategy,omitempty" tf:"on_demand_allocation_strategy,omitempty"`
+
+	// Absolute minimum amount of desired capacity that must be fulfilled by on-demand instances. Default: 0.
+	OnDemandBaseCapacity *float64 `json:"onDemandBaseCapacity,omitempty" tf:"on_demand_base_capacity,omitempty"`
+
+	// Percentage split between on-demand and Spot instances above the base on-demand capacity. Default: 100.
+	OnDemandPercentageAboveBaseCapacity *float64 `json:"onDemandPercentageAboveBaseCapacity,omitempty" tf:"on_demand_percentage_above_base_capacity,omitempty"`
+
+	// How to allocate capacity across the Spot pools. Valid values: lowest-price, capacity-optimized, capacity-optimized-prioritized, and price-capacity-optimized. Default: lowest-price.
+	SpotAllocationStrategy *string `json:"spotAllocationStrategy,omitempty" tf:"spot_allocation_strategy,omitempty"`
+
+	// Number of Spot pools per availability zone to allocate capacity. EC2 Auto Scaling selects the cheapest Spot pools and evenly allocates Spot capacity across the number of Spot pools that you specify. Only available with spot_allocation_strategy set to lowest-price. Otherwise it must be set to 0, if it has been defined before. Default: 2.
+	SpotInstancePools *float64 `json:"spotInstancePools,omitempty" tf:"spot_instance_pools,omitempty"`
+
+	// Maximum price per unit hour that the user is willing to pay for the Spot instances. Default: an empty string which means the on-demand price.
+	SpotMaxPrice *string `json:"spotMaxPrice,omitempty" tf:"spot_max_price,omitempty"`
 }
 
 type InstancesDistributionParameters struct {
@@ -450,6 +698,15 @@ type InstancesDistributionParameters struct {
 }
 
 type LaunchTemplateObservation struct {
+
+	// ID of the launch template. Conflicts with name.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the launch template. Conflicts with id.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Template version. Can be version number, $Latest, or $Default. (Default: $Default).
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type LaunchTemplateParameters struct {
@@ -478,6 +735,15 @@ type LaunchTemplateParameters struct {
 }
 
 type LaunchTemplateSpecificationObservation struct {
+
+	// ID of the launch template. Conflicts with launch_template_name.
+	LaunchTemplateID *string `json:"launchTemplateId,omitempty" tf:"launch_template_id,omitempty"`
+
+	// Name of the launch template. Conflicts with launch_template_id.
+	LaunchTemplateName *string `json:"launchTemplateName,omitempty" tf:"launch_template_name,omitempty"`
+
+	// Template version. Can be version number, $Latest, or $Default. (Default: $Default).
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type LaunchTemplateSpecificationParameters struct {
@@ -506,6 +772,12 @@ type LaunchTemplateSpecificationParameters struct {
 }
 
 type MemoryGibPerVcpuObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type MemoryGibPerVcpuParameters struct {
@@ -520,6 +792,12 @@ type MemoryGibPerVcpuParameters struct {
 }
 
 type MemoryMibObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type MemoryMibParameters struct {
@@ -534,6 +812,12 @@ type MemoryMibParameters struct {
 }
 
 type MixedInstancesPolicyLaunchTemplateObservation struct {
+
+	// Nested argument defines the Launch Template. Defined below.
+	LaunchTemplateSpecification []LaunchTemplateSpecificationObservation `json:"launchTemplateSpecification,omitempty" tf:"launch_template_specification,omitempty"`
+
+	// List of nested arguments provides the ability to specify multiple instance types. This will override the same parameter in the launch template. For on-demand instances, Auto Scaling considers the order of preference of instance types to launch based on the order specified in the overrides list. Defined below.
+	Override []OverrideObservation `json:"override,omitempty" tf:"override,omitempty"`
 }
 
 type MixedInstancesPolicyLaunchTemplateParameters struct {
@@ -548,6 +832,12 @@ type MixedInstancesPolicyLaunchTemplateParameters struct {
 }
 
 type MixedInstancesPolicyObservation struct {
+
+	// Nested argument containing settings on how to mix on-demand and Spot instances in the Auto Scaling group. Defined below.
+	InstancesDistribution []InstancesDistributionObservation `json:"instancesDistribution,omitempty" tf:"instances_distribution,omitempty"`
+
+	// Nested argument containing launch template settings along with the overrides to specify multiple instance types and weights. Defined below.
+	LaunchTemplate []MixedInstancesPolicyLaunchTemplateObservation `json:"launchTemplate,omitempty" tf:"launch_template,omitempty"`
 }
 
 type MixedInstancesPolicyParameters struct {
@@ -562,6 +852,12 @@ type MixedInstancesPolicyParameters struct {
 }
 
 type NetworkInterfaceCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type NetworkInterfaceCountParameters struct {
@@ -576,6 +872,15 @@ type NetworkInterfaceCountParameters struct {
 }
 
 type OverrideLaunchTemplateSpecificationObservation struct {
+
+	// ID of the launch template. Conflicts with launch_template_name.
+	LaunchTemplateID *string `json:"launchTemplateId,omitempty" tf:"launch_template_id,omitempty"`
+
+	// Name of the launch template. Conflicts with launch_template_id.
+	LaunchTemplateName *string `json:"launchTemplateName,omitempty" tf:"launch_template_name,omitempty"`
+
+	// Template version. Can be version number, $Latest, or $Default. (Default: $Default).
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type OverrideLaunchTemplateSpecificationParameters struct {
@@ -604,6 +909,18 @@ type OverrideLaunchTemplateSpecificationParameters struct {
 }
 
 type OverrideObservation struct {
+
+	// Override the instance type in the Launch Template with instance types that satisfy the requirements.
+	InstanceRequirements []InstanceRequirementsObservation `json:"instanceRequirements,omitempty" tf:"instance_requirements,omitempty"`
+
+	// Override the instance type in the Launch Template.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// Nested argument defines the Launch Template. Defined below.
+	LaunchTemplateSpecification []OverrideLaunchTemplateSpecificationObservation `json:"launchTemplateSpecification,omitempty" tf:"launch_template_specification,omitempty"`
+
+	// Number of capacity units, which gives the instance type a proportional weight to other instance types.
+	WeightedCapacity *string `json:"weightedCapacity,omitempty" tf:"weighted_capacity,omitempty"`
 }
 
 type OverrideParameters struct {
@@ -626,6 +943,21 @@ type OverrideParameters struct {
 }
 
 type PreferencesObservation struct {
+
+	// Number of seconds to wait after a checkpoint. Defaults to 3600.
+	CheckpointDelay *string `json:"checkpointDelay,omitempty" tf:"checkpoint_delay,omitempty"`
+
+	// List of percentages for each checkpoint. Values must be unique and in ascending order. To replace all instances, the final number must be 100.
+	CheckpointPercentages []*float64 `json:"checkpointPercentages,omitempty" tf:"checkpoint_percentages,omitempty"`
+
+	// Number of seconds until a newly launched instance is configured and ready to use. Default behavior is to use the Auto Scaling Group's health check grace period.
+	InstanceWarmup *string `json:"instanceWarmup,omitempty" tf:"instance_warmup,omitempty"`
+
+	// Amount of capacity in the Auto Scaling group that must remain healthy during an instance refresh to allow the operation to continue, as a percentage of the desired capacity of the Auto Scaling group. Defaults to 90.
+	MinHealthyPercentage *float64 `json:"minHealthyPercentage,omitempty" tf:"min_healthy_percentage,omitempty"`
+
+	// Replace instances that already have your desired configuration. Defaults to false.
+	SkipMatching *bool `json:"skipMatching,omitempty" tf:"skip_matching,omitempty"`
 }
 
 type PreferencesParameters struct {
@@ -652,6 +984,16 @@ type PreferencesParameters struct {
 }
 
 type TagObservation struct {
+
+	// Key
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Enables propagation of the tag to
+	// Amazon EC2 instances launched via this ASG
+	PropagateAtLaunch *bool `json:"propagateAtLaunch,omitempty" tf:"propagate_at_launch,omitempty"`
+
+	// Value
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagParameters struct {
@@ -671,6 +1013,12 @@ type TagParameters struct {
 }
 
 type TotalLocalStorageGbObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type TotalLocalStorageGbParameters struct {
@@ -685,6 +1033,12 @@ type TotalLocalStorageGbParameters struct {
 }
 
 type VcpuCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type VcpuCountParameters struct {
@@ -699,6 +1053,19 @@ type VcpuCountParameters struct {
 }
 
 type WarmPoolObservation struct {
+
+	// Whether instances in the Auto Scaling group can be returned to the warm pool on scale in. The default is to terminate instances in the Auto Scaling group when the group scales in.
+	InstanceReusePolicy []InstanceReusePolicyObservation `json:"instanceReusePolicy,omitempty" tf:"instance_reuse_policy,omitempty"`
+
+	// Total maximum number of instances that are allowed to be in the warm pool or in any state except Terminated for the Auto Scaling group.
+	MaxGroupPreparedCapacity *float64 `json:"maxGroupPreparedCapacity,omitempty" tf:"max_group_prepared_capacity,omitempty"`
+
+	// Minimum size of the Auto Scaling Group.
+	// (See also Waiting for Capacity below.)
+	MinSize *float64 `json:"minSize,omitempty" tf:"min_size,omitempty"`
+
+	// Sets the instance state to transition to after the lifecycle hooks finish. Valid values are: Stopped (default), Running or Hibernated.
+	PoolState *string `json:"poolState,omitempty" tf:"pool_state,omitempty"`
 }
 
 type WarmPoolParameters struct {
@@ -745,8 +1112,10 @@ type AutoscalingGroupStatus struct {
 type AutoscalingGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AutoscalingGroupSpec   `json:"spec"`
-	Status            AutoscalingGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxSize)",message="maxSize is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.minSize)",message="minSize is a required parameter"
+	Spec   AutoscalingGroupSpec   `json:"spec"`
+	Status AutoscalingGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/autoscaling/v1beta1/zz_generated.deepcopy.go b/apis/autoscaling/v1beta1/zz_generated.deepcopy.go
index d21e7728c6..2ab683e138 100644
--- a/apis/autoscaling/v1beta1/zz_generated.deepcopy.go
+++ b/apis/autoscaling/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AcceleratorCountObservation) DeepCopyInto(out *AcceleratorCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceleratorCountObservation.
@@ -57,6 +67,16 @@ func (in *AcceleratorCountParameters) DeepCopy() *AcceleratorCountParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AcceleratorTotalMemoryMibObservation) DeepCopyInto(out *AcceleratorTotalMemoryMibObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceleratorTotalMemoryMibObservation.
@@ -156,11 +176,31 @@ func (in *AttachmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttachmentObservation) DeepCopyInto(out *AttachmentObservation) {
 	*out = *in
+	if in.ALBTargetGroupArn != nil {
+		in, out := &in.ALBTargetGroupArn, &out.ALBTargetGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoscalingGroupName != nil {
+		in, out := &in.AutoscalingGroupName, &out.AutoscalingGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ELB != nil {
+		in, out := &in.ELB, &out.ELB
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LBTargetGroupArn != nil {
+		in, out := &in.LBTargetGroupArn, &out.LBTargetGroupArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttachmentObservation.
@@ -354,48 +394,6 @@ func (in *AutoscalingGroupObservation) DeepCopyInto(out *AutoscalingGroupObserva
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.LoadBalancers != nil {
-		in, out := &in.LoadBalancers, &out.LoadBalancers
-		*out = make([]*string, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(string)
-				**out = **in
-			}
-		}
-	}
-	if in.TargetGroupArns != nil {
-		in, out := &in.TargetGroupArns, &out.TargetGroupArns
-		*out = make([]*string, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(string)
-				**out = **in
-			}
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupObservation.
-func (in *AutoscalingGroupObservation) DeepCopy() *AutoscalingGroupObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(AutoscalingGroupObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParameters) {
-	*out = *in
 	if in.AvailabilityZones != nil {
 		in, out := &in.AvailabilityZones, &out.AvailabilityZones
 		*out = make([]*string, len(*in))
@@ -468,16 +466,21 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 		*out = new(string)
 		**out = **in
 	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
 	if in.InitialLifecycleHook != nil {
 		in, out := &in.InitialLifecycleHook, &out.InitialLifecycleHook
-		*out = make([]InitialLifecycleHookParameters, len(*in))
+		*out = make([]InitialLifecycleHookObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.InstanceRefresh != nil {
 		in, out := &in.InstanceRefresh, &out.InstanceRefresh
-		*out = make([]InstanceRefreshParameters, len(*in))
+		*out = make([]InstanceRefreshObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -487,23 +490,24 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 		*out = new(string)
 		**out = **in
 	}
-	if in.LaunchConfigurationRef != nil {
-		in, out := &in.LaunchConfigurationRef, &out.LaunchConfigurationRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.LaunchConfigurationSelector != nil {
-		in, out := &in.LaunchConfigurationSelector, &out.LaunchConfigurationSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.LaunchTemplate != nil {
 		in, out := &in.LaunchTemplate, &out.LaunchTemplate
-		*out = make([]LaunchTemplateParameters, len(*in))
+		*out = make([]LaunchTemplateObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.LoadBalancers != nil {
+		in, out := &in.LoadBalancers, &out.LoadBalancers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.MaxInstanceLifetime != nil {
 		in, out := &in.MaxInstanceLifetime, &out.MaxInstanceLifetime
 		*out = new(float64)
@@ -531,7 +535,7 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 	}
 	if in.MixedInstancesPolicy != nil {
 		in, out := &in.MixedInstancesPolicy, &out.MixedInstancesPolicy
-		*out = make([]MixedInstancesPolicyParameters, len(*in))
+		*out = make([]MixedInstancesPolicyObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -541,41 +545,16 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 		*out = new(string)
 		**out = **in
 	}
-	if in.PlacementGroupRef != nil {
-		in, out := &in.PlacementGroupRef, &out.PlacementGroupRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.PlacementGroupSelector != nil {
-		in, out := &in.PlacementGroupSelector, &out.PlacementGroupSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.ProtectFromScaleIn != nil {
 		in, out := &in.ProtectFromScaleIn, &out.ProtectFromScaleIn
 		*out = new(bool)
 		**out = **in
 	}
-	if in.Region != nil {
-		in, out := &in.Region, &out.Region
-		*out = new(string)
-		**out = **in
-	}
 	if in.ServiceLinkedRoleArn != nil {
 		in, out := &in.ServiceLinkedRoleArn, &out.ServiceLinkedRoleArn
 		*out = new(string)
 		**out = **in
 	}
-	if in.ServiceLinkedRoleArnRef != nil {
-		in, out := &in.ServiceLinkedRoleArnRef, &out.ServiceLinkedRoleArnRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.ServiceLinkedRoleArnSelector != nil {
-		in, out := &in.ServiceLinkedRoleArnSelector, &out.ServiceLinkedRoleArnSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.SuspendedProcesses != nil {
 		in, out := &in.SuspendedProcesses, &out.SuspendedProcesses
 		*out = make([]*string, len(*in))
@@ -589,7 +568,7 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 	}
 	if in.Tag != nil {
 		in, out := &in.Tag, &out.Tag
-		*out = make([]TagParameters, len(*in))
+		*out = make([]TagObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -615,6 +594,17 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 			}
 		}
 	}
+	if in.TargetGroupArns != nil {
+		in, out := &in.TargetGroupArns, &out.TargetGroupArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.TerminationPolicies != nil {
 		in, out := &in.TerminationPolicies, &out.TerminationPolicies
 		*out = make([]*string, len(*in))
@@ -637,18 +627,6 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 			}
 		}
 	}
-	if in.VPCZoneIdentifierRefs != nil {
-		in, out := &in.VPCZoneIdentifierRefs, &out.VPCZoneIdentifierRefs
-		*out = make([]v1.Reference, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.VPCZoneIdentifierSelector != nil {
-		in, out := &in.VPCZoneIdentifierSelector, &out.VPCZoneIdentifierSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.WaitForCapacityTimeout != nil {
 		in, out := &in.WaitForCapacityTimeout, &out.WaitForCapacityTimeout
 		*out = new(string)
@@ -661,100 +639,402 @@ func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParamete
 	}
 	if in.WarmPool != nil {
 		in, out := &in.WarmPool, &out.WarmPool
-		*out = make([]WarmPoolParameters, len(*in))
+		*out = make([]WarmPoolObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupParameters.
-func (in *AutoscalingGroupParameters) DeepCopy() *AutoscalingGroupParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupObservation.
+func (in *AutoscalingGroupObservation) DeepCopy() *AutoscalingGroupObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(AutoscalingGroupParameters)
+	out := new(AutoscalingGroupObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AutoscalingGroupSpec) DeepCopyInto(out *AutoscalingGroupSpec) {
+func (in *AutoscalingGroupParameters) DeepCopyInto(out *AutoscalingGroupParameters) {
 	*out = *in
-	in.ResourceSpec.DeepCopyInto(&out.ResourceSpec)
-	in.ForProvider.DeepCopyInto(&out.ForProvider)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupSpec.
-func (in *AutoscalingGroupSpec) DeepCopy() *AutoscalingGroupSpec {
-	if in == nil {
-		return nil
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
 	}
-	out := new(AutoscalingGroupSpec)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *AutoscalingGroupStatus) DeepCopyInto(out *AutoscalingGroupStatus) {
-	*out = *in
-	in.ResourceStatus.DeepCopyInto(&out.ResourceStatus)
-	in.AtProvider.DeepCopyInto(&out.AtProvider)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupStatus.
-func (in *AutoscalingGroupStatus) DeepCopy() *AutoscalingGroupStatus {
-	if in == nil {
-		return nil
+	if in.CapacityRebalance != nil {
+		in, out := &in.CapacityRebalance, &out.CapacityRebalance
+		*out = new(bool)
+		**out = **in
 	}
-	out := new(AutoscalingGroupStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BaselineEBSBandwidthMbpsObservation) DeepCopyInto(out *BaselineEBSBandwidthMbpsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineEBSBandwidthMbpsObservation.
-func (in *BaselineEBSBandwidthMbpsObservation) DeepCopy() *BaselineEBSBandwidthMbpsObservation {
-	if in == nil {
-		return nil
+	if in.Context != nil {
+		in, out := &in.Context, &out.Context
+		*out = new(string)
+		**out = **in
 	}
-	out := new(BaselineEBSBandwidthMbpsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *BaselineEBSBandwidthMbpsParameters) DeepCopyInto(out *BaselineEBSBandwidthMbpsParameters) {
-	*out = *in
-	if in.Max != nil {
-		in, out := &in.Max, &out.Max
+	if in.DefaultCooldown != nil {
+		in, out := &in.DefaultCooldown, &out.DefaultCooldown
 		*out = new(float64)
 		**out = **in
 	}
-	if in.Min != nil {
-		in, out := &in.Min, &out.Min
+	if in.DefaultInstanceWarmup != nil {
+		in, out := &in.DefaultInstanceWarmup, &out.DefaultInstanceWarmup
 		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineEBSBandwidthMbpsParameters.
-func (in *BaselineEBSBandwidthMbpsParameters) DeepCopy() *BaselineEBSBandwidthMbpsParameters {
-	if in == nil {
-		return nil
+	if in.DesiredCapacity != nil {
+		in, out := &in.DesiredCapacity, &out.DesiredCapacity
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(BaselineEBSBandwidthMbpsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
+	if in.DesiredCapacityType != nil {
+		in, out := &in.DesiredCapacityType, &out.DesiredCapacityType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnabledMetrics != nil {
+		in, out := &in.EnabledMetrics, &out.EnabledMetrics
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ForceDelete != nil {
+		in, out := &in.ForceDelete, &out.ForceDelete
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ForceDeleteWarmPool != nil {
+		in, out := &in.ForceDeleteWarmPool, &out.ForceDeleteWarmPool
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HealthCheckGracePeriod != nil {
+		in, out := &in.HealthCheckGracePeriod, &out.HealthCheckGracePeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HealthCheckType != nil {
+		in, out := &in.HealthCheckType, &out.HealthCheckType
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialLifecycleHook != nil {
+		in, out := &in.InitialLifecycleHook, &out.InitialLifecycleHook
+		*out = make([]InitialLifecycleHookParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceRefresh != nil {
+		in, out := &in.InstanceRefresh, &out.InstanceRefresh
+		*out = make([]InstanceRefreshParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LaunchConfiguration != nil {
+		in, out := &in.LaunchConfiguration, &out.LaunchConfiguration
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchConfigurationRef != nil {
+		in, out := &in.LaunchConfigurationRef, &out.LaunchConfigurationRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.LaunchConfigurationSelector != nil {
+		in, out := &in.LaunchConfigurationSelector, &out.LaunchConfigurationSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.LaunchTemplate != nil {
+		in, out := &in.LaunchTemplate, &out.LaunchTemplate
+		*out = make([]LaunchTemplateParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaxInstanceLifetime != nil {
+		in, out := &in.MaxInstanceLifetime, &out.MaxInstanceLifetime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxSize != nil {
+		in, out := &in.MaxSize, &out.MaxSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MetricsGranularity != nil {
+		in, out := &in.MetricsGranularity, &out.MetricsGranularity
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinELBCapacity != nil {
+		in, out := &in.MinELBCapacity, &out.MinELBCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinSize != nil {
+		in, out := &in.MinSize, &out.MinSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MixedInstancesPolicy != nil {
+		in, out := &in.MixedInstancesPolicy, &out.MixedInstancesPolicy
+		*out = make([]MixedInstancesPolicyParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlacementGroup != nil {
+		in, out := &in.PlacementGroup, &out.PlacementGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlacementGroupRef != nil {
+		in, out := &in.PlacementGroupRef, &out.PlacementGroupRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.PlacementGroupSelector != nil {
+		in, out := &in.PlacementGroupSelector, &out.PlacementGroupSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ProtectFromScaleIn != nil {
+		in, out := &in.ProtectFromScaleIn, &out.ProtectFromScaleIn
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceLinkedRoleArn != nil {
+		in, out := &in.ServiceLinkedRoleArn, &out.ServiceLinkedRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceLinkedRoleArnRef != nil {
+		in, out := &in.ServiceLinkedRoleArnRef, &out.ServiceLinkedRoleArnRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ServiceLinkedRoleArnSelector != nil {
+		in, out := &in.ServiceLinkedRoleArnSelector, &out.ServiceLinkedRoleArnSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SuspendedProcesses != nil {
+		in, out := &in.SuspendedProcesses, &out.SuspendedProcesses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tag != nil {
+		in, out := &in.Tag, &out.Tag
+		*out = make([]TagParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make([]map[string]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = make(map[string]*string, len(*in))
+				for key, val := range *in {
+					var outVal *string
+					if val == nil {
+						(*out)[key] = nil
+					} else {
+						in, out := &val, &outVal
+						*out = new(string)
+						**out = **in
+					}
+					(*out)[key] = outVal
+				}
+			}
+		}
+	}
+	if in.TerminationPolicies != nil {
+		in, out := &in.TerminationPolicies, &out.TerminationPolicies
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCZoneIdentifier != nil {
+		in, out := &in.VPCZoneIdentifier, &out.VPCZoneIdentifier
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCZoneIdentifierRefs != nil {
+		in, out := &in.VPCZoneIdentifierRefs, &out.VPCZoneIdentifierRefs
+		*out = make([]v1.Reference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VPCZoneIdentifierSelector != nil {
+		in, out := &in.VPCZoneIdentifierSelector, &out.VPCZoneIdentifierSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.WaitForCapacityTimeout != nil {
+		in, out := &in.WaitForCapacityTimeout, &out.WaitForCapacityTimeout
+		*out = new(string)
+		**out = **in
+	}
+	if in.WaitForELBCapacity != nil {
+		in, out := &in.WaitForELBCapacity, &out.WaitForELBCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WarmPool != nil {
+		in, out := &in.WarmPool, &out.WarmPool
+		*out = make([]WarmPoolParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupParameters.
+func (in *AutoscalingGroupParameters) DeepCopy() *AutoscalingGroupParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(AutoscalingGroupParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutoscalingGroupSpec) DeepCopyInto(out *AutoscalingGroupSpec) {
+	*out = *in
+	in.ResourceSpec.DeepCopyInto(&out.ResourceSpec)
+	in.ForProvider.DeepCopyInto(&out.ForProvider)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupSpec.
+func (in *AutoscalingGroupSpec) DeepCopy() *AutoscalingGroupSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(AutoscalingGroupSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *AutoscalingGroupStatus) DeepCopyInto(out *AutoscalingGroupStatus) {
+	*out = *in
+	in.ResourceStatus.DeepCopyInto(&out.ResourceStatus)
+	in.AtProvider.DeepCopyInto(&out.AtProvider)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoscalingGroupStatus.
+func (in *AutoscalingGroupStatus) DeepCopy() *AutoscalingGroupStatus {
+	if in == nil {
+		return nil
+	}
+	out := new(AutoscalingGroupStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BaselineEBSBandwidthMbpsObservation) DeepCopyInto(out *BaselineEBSBandwidthMbpsObservation) {
+	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineEBSBandwidthMbpsObservation.
+func (in *BaselineEBSBandwidthMbpsObservation) DeepCopy() *BaselineEBSBandwidthMbpsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(BaselineEBSBandwidthMbpsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *BaselineEBSBandwidthMbpsParameters) DeepCopyInto(out *BaselineEBSBandwidthMbpsParameters) {
+	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineEBSBandwidthMbpsParameters.
+func (in *BaselineEBSBandwidthMbpsParameters) DeepCopy() *BaselineEBSBandwidthMbpsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(BaselineEBSBandwidthMbpsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedCapacityMetricSpecificationObservation) DeepCopyInto(out *CustomizedCapacityMetricSpecificationObservation) {
 	*out = *in
+	if in.MetricDataQueries != nil {
+		in, out := &in.MetricDataQueries, &out.MetricDataQueries
+		*out = make([]MetricDataQueriesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedCapacityMetricSpecificationObservation.
@@ -792,6 +1072,33 @@ func (in *CustomizedCapacityMetricSpecificationParameters) DeepCopy() *Customize
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedLoadMetricSpecificationMetricDataQueriesObservation) DeepCopyInto(out *CustomizedLoadMetricSpecificationMetricDataQueriesObservation) {
 	*out = *in
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Label != nil {
+		in, out := &in.Label, &out.Label
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricStat != nil {
+		in, out := &in.MetricStat, &out.MetricStat
+		*out = make([]MetricDataQueriesMetricStatObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReturnData != nil {
+		in, out := &in.ReturnData, &out.ReturnData
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedLoadMetricSpecificationMetricDataQueriesObservation.
@@ -849,6 +1156,13 @@ func (in *CustomizedLoadMetricSpecificationMetricDataQueriesParameters) DeepCopy
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedLoadMetricSpecificationObservation) DeepCopyInto(out *CustomizedLoadMetricSpecificationObservation) {
 	*out = *in
+	if in.MetricDataQueries != nil {
+		in, out := &in.MetricDataQueries, &out.MetricDataQueries
+		*out = make([]CustomizedLoadMetricSpecificationMetricDataQueriesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedLoadMetricSpecificationObservation.
@@ -886,6 +1200,33 @@ func (in *CustomizedLoadMetricSpecificationParameters) DeepCopy() *CustomizedLoa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedMetricSpecificationObservation) DeepCopyInto(out *CustomizedMetricSpecificationObservation) {
 	*out = *in
+	if in.MetricDimension != nil {
+		in, out := &in.MetricDimension, &out.MetricDimension
+		*out = make([]MetricDimensionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Statistic != nil {
+		in, out := &in.Statistic, &out.Statistic
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedMetricSpecificationObservation.
@@ -943,6 +1284,23 @@ func (in *CustomizedMetricSpecificationParameters) DeepCopy() *CustomizedMetricS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatObservation) DeepCopyInto(out *CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatObservation) {
 	*out = *in
+	if in.Metric != nil {
+		in, out := &in.Metric, &out.Metric
+		*out = make([]MetricDataQueriesMetricStatMetricObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Stat != nil {
+		in, out := &in.Stat, &out.Stat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatObservation.
@@ -990,6 +1348,33 @@ func (in *CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatParamet
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedScalingMetricSpecificationMetricDataQueriesObservation) DeepCopyInto(out *CustomizedScalingMetricSpecificationMetricDataQueriesObservation) {
 	*out = *in
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Label != nil {
+		in, out := &in.Label, &out.Label
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricStat != nil {
+		in, out := &in.MetricStat, &out.MetricStat
+		*out = make([]CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReturnData != nil {
+		in, out := &in.ReturnData, &out.ReturnData
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedScalingMetricSpecificationMetricDataQueriesObservation.
@@ -1047,6 +1432,13 @@ func (in *CustomizedScalingMetricSpecificationMetricDataQueriesParameters) DeepC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedScalingMetricSpecificationObservation) DeepCopyInto(out *CustomizedScalingMetricSpecificationObservation) {
 	*out = *in
+	if in.MetricDataQueries != nil {
+		in, out := &in.MetricDataQueries, &out.MetricDataQueries
+		*out = make([]CustomizedScalingMetricSpecificationMetricDataQueriesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedScalingMetricSpecificationObservation.
@@ -1084,6 +1476,16 @@ func (in *CustomizedScalingMetricSpecificationParameters) DeepCopy() *Customized
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DimensionsObservation) DeepCopyInto(out *DimensionsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DimensionsObservation.
@@ -1124,6 +1526,51 @@ func (in *DimensionsParameters) DeepCopy() *DimensionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSBlockDeviceObservation) DeepCopyInto(out *EBSBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NoDevice != nil {
+		in, out := &in.NoDevice, &out.NoDevice
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSBlockDeviceObservation.
@@ -1199,6 +1646,21 @@ func (in *EBSBlockDeviceParameters) DeepCopy() *EBSBlockDeviceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralBlockDeviceObservation) DeepCopyInto(out *EphemeralBlockDeviceObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NoDevice != nil {
+		in, out := &in.NoDevice, &out.NoDevice
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralBlockDeviceObservation.
@@ -1303,11 +1765,23 @@ func (in *GroupTagList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GroupTagObservation) DeepCopyInto(out *GroupTagObservation) {
 	*out = *in
+	if in.AutoscalingGroupName != nil {
+		in, out := &in.AutoscalingGroupName, &out.AutoscalingGroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tag != nil {
+		in, out := &in.Tag, &out.Tag
+		*out = make([]GroupTagTagObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupTagObservation.
@@ -1399,6 +1873,21 @@ func (in *GroupTagStatus) DeepCopy() *GroupTagStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GroupTagTagObservation) DeepCopyInto(out *GroupTagTagObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.PropagateAtLaunch != nil {
+		in, out := &in.PropagateAtLaunch, &out.PropagateAtLaunch
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupTagTagObservation.
@@ -1444,6 +1933,41 @@ func (in *GroupTagTagParameters) DeepCopy() *GroupTagTagParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InitialLifecycleHookObservation) DeepCopyInto(out *InitialLifecycleHookObservation) {
 	*out = *in
+	if in.DefaultResult != nil {
+		in, out := &in.DefaultResult, &out.DefaultResult
+		*out = new(string)
+		**out = **in
+	}
+	if in.HeartbeatTimeout != nil {
+		in, out := &in.HeartbeatTimeout, &out.HeartbeatTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LifecycleTransition != nil {
+		in, out := &in.LifecycleTransition, &out.LifecycleTransition
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationMetadata != nil {
+		in, out := &in.NotificationMetadata, &out.NotificationMetadata
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationTargetArn != nil {
+		in, out := &in.NotificationTargetArn, &out.NotificationTargetArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InitialLifecycleHookObservation.
@@ -1509,6 +2033,29 @@ func (in *InitialLifecycleHookParameters) DeepCopy() *InitialLifecycleHookParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRefreshObservation) DeepCopyInto(out *InstanceRefreshObservation) {
 	*out = *in
+	if in.Preferences != nil {
+		in, out := &in.Preferences, &out.Preferences
+		*out = make([]PreferencesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Strategy != nil {
+		in, out := &in.Strategy, &out.Strategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Triggers != nil {
+		in, out := &in.Triggers, &out.Triggers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRefreshObservation.
@@ -1516,28 +2063,118 @@ func (in *InstanceRefreshObservation) DeepCopy() *InstanceRefreshObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(InstanceRefreshObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *InstanceRefreshParameters) DeepCopyInto(out *InstanceRefreshParameters) {
-	*out = *in
-	if in.Preferences != nil {
-		in, out := &in.Preferences, &out.Preferences
-		*out = make([]PreferencesParameters, len(*in))
+	out := new(InstanceRefreshObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InstanceRefreshParameters) DeepCopyInto(out *InstanceRefreshParameters) {
+	*out = *in
+	if in.Preferences != nil {
+		in, out := &in.Preferences, &out.Preferences
+		*out = make([]PreferencesParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Strategy != nil {
+		in, out := &in.Strategy, &out.Strategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Triggers != nil {
+		in, out := &in.Triggers, &out.Triggers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRefreshParameters.
+func (in *InstanceRefreshParameters) DeepCopy() *InstanceRefreshParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(InstanceRefreshParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InstanceRequirementsObservation) DeepCopyInto(out *InstanceRequirementsObservation) {
+	*out = *in
+	if in.AcceleratorCount != nil {
+		in, out := &in.AcceleratorCount, &out.AcceleratorCount
+		*out = make([]AcceleratorCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AcceleratorManufacturers != nil {
+		in, out := &in.AcceleratorManufacturers, &out.AcceleratorManufacturers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AcceleratorNames != nil {
+		in, out := &in.AcceleratorNames, &out.AcceleratorNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AcceleratorTotalMemoryMib != nil {
+		in, out := &in.AcceleratorTotalMemoryMib, &out.AcceleratorTotalMemoryMib
+		*out = make([]AcceleratorTotalMemoryMibObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AcceleratorTypes != nil {
+		in, out := &in.AcceleratorTypes, &out.AcceleratorTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BareMetal != nil {
+		in, out := &in.BareMetal, &out.BareMetal
+		*out = new(string)
+		**out = **in
+	}
+	if in.BaselineEBSBandwidthMbps != nil {
+		in, out := &in.BaselineEBSBandwidthMbps, &out.BaselineEBSBandwidthMbps
+		*out = make([]BaselineEBSBandwidthMbpsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.Strategy != nil {
-		in, out := &in.Strategy, &out.Strategy
+	if in.BurstablePerformance != nil {
+		in, out := &in.BurstablePerformance, &out.BurstablePerformance
 		*out = new(string)
 		**out = **in
 	}
-	if in.Triggers != nil {
-		in, out := &in.Triggers, &out.Triggers
+	if in.CPUManufacturers != nil {
+		in, out := &in.CPUManufacturers, &out.CPUManufacturers
 		*out = make([]*string, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
@@ -1547,21 +2184,94 @@ func (in *InstanceRefreshParameters) DeepCopyInto(out *InstanceRefreshParameters
 			}
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRefreshParameters.
-func (in *InstanceRefreshParameters) DeepCopy() *InstanceRefreshParameters {
-	if in == nil {
-		return nil
+	if in.ExcludedInstanceTypes != nil {
+		in, out := &in.ExcludedInstanceTypes, &out.ExcludedInstanceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InstanceGenerations != nil {
+		in, out := &in.InstanceGenerations, &out.InstanceGenerations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.LocalStorage != nil {
+		in, out := &in.LocalStorage, &out.LocalStorage
+		*out = new(string)
+		**out = **in
+	}
+	if in.LocalStorageTypes != nil {
+		in, out := &in.LocalStorageTypes, &out.LocalStorageTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MemoryGibPerVcpu != nil {
+		in, out := &in.MemoryGibPerVcpu, &out.MemoryGibPerVcpu
+		*out = make([]MemoryGibPerVcpuObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MemoryMib != nil {
+		in, out := &in.MemoryMib, &out.MemoryMib
+		*out = make([]MemoryMibObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkInterfaceCount != nil {
+		in, out := &in.NetworkInterfaceCount, &out.NetworkInterfaceCount
+		*out = make([]NetworkInterfaceCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OnDemandMaxPricePercentageOverLowestPrice != nil {
+		in, out := &in.OnDemandMaxPricePercentageOverLowestPrice, &out.OnDemandMaxPricePercentageOverLowestPrice
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RequireHibernateSupport != nil {
+		in, out := &in.RequireHibernateSupport, &out.RequireHibernateSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SpotMaxPricePercentageOverLowestPrice != nil {
+		in, out := &in.SpotMaxPricePercentageOverLowestPrice, &out.SpotMaxPricePercentageOverLowestPrice
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TotalLocalStorageGb != nil {
+		in, out := &in.TotalLocalStorageGb, &out.TotalLocalStorageGb
+		*out = make([]TotalLocalStorageGbObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VcpuCount != nil {
+		in, out := &in.VcpuCount, &out.VcpuCount
+		*out = make([]VcpuCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(InstanceRefreshParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *InstanceRequirementsObservation) DeepCopyInto(out *InstanceRequirementsObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsObservation.
@@ -1755,6 +2465,11 @@ func (in *InstanceRequirementsParameters) DeepCopy() *InstanceRequirementsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceReusePolicyObservation) DeepCopyInto(out *InstanceReusePolicyObservation) {
 	*out = *in
+	if in.ReuseOnScaleIn != nil {
+		in, out := &in.ReuseOnScaleIn, &out.ReuseOnScaleIn
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceReusePolicyObservation.
@@ -1790,6 +2505,36 @@ func (in *InstanceReusePolicyParameters) DeepCopy() *InstanceReusePolicyParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstancesDistributionObservation) DeepCopyInto(out *InstancesDistributionObservation) {
 	*out = *in
+	if in.OnDemandAllocationStrategy != nil {
+		in, out := &in.OnDemandAllocationStrategy, &out.OnDemandAllocationStrategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.OnDemandBaseCapacity != nil {
+		in, out := &in.OnDemandBaseCapacity, &out.OnDemandBaseCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OnDemandPercentageAboveBaseCapacity != nil {
+		in, out := &in.OnDemandPercentageAboveBaseCapacity, &out.OnDemandPercentageAboveBaseCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SpotAllocationStrategy != nil {
+		in, out := &in.SpotAllocationStrategy, &out.SpotAllocationStrategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.SpotInstancePools != nil {
+		in, out := &in.SpotInstancePools, &out.SpotInstancePools
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SpotMaxPrice != nil {
+		in, out := &in.SpotMaxPrice, &out.SpotMaxPrice
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstancesDistributionObservation.
@@ -1883,42 +2628,152 @@ func (in *LaunchConfigurationList) DeepCopyInto(out *LaunchConfigurationList) {
 		in, out := &in.Items, &out.Items
 		*out = make([]LaunchConfiguration, len(*in))
 		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchConfigurationList.
+func (in *LaunchConfigurationList) DeepCopy() *LaunchConfigurationList {
+	if in == nil {
+		return nil
+	}
+	out := new(LaunchConfigurationList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *LaunchConfigurationList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LaunchConfigurationObservation) DeepCopyInto(out *LaunchConfigurationObservation) {
+	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AssociatePublicIPAddress != nil {
+		in, out := &in.AssociatePublicIPAddress, &out.AssociatePublicIPAddress
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSBlockDevice != nil {
+		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
+		*out = make([]EBSBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EBSOptimized != nil {
+		in, out := &in.EBSOptimized, &out.EBSOptimized
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableMonitoring != nil {
+		in, out := &in.EnableMonitoring, &out.EnableMonitoring
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EphemeralBlockDevice != nil {
+		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
+		*out = make([]EphemeralBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IAMInstanceProfile != nil {
+		in, out := &in.IAMInstanceProfile, &out.IAMInstanceProfile
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageID != nil {
+		in, out := &in.ImageID, &out.ImageID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyName != nil {
+		in, out := &in.KeyName, &out.KeyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetadataOptions != nil {
+		in, out := &in.MetadataOptions, &out.MetadataOptions
+		*out = make([]MetadataOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlacementTenancy != nil {
+		in, out := &in.PlacementTenancy, &out.PlacementTenancy
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootBlockDevice != nil {
+		in, out := &in.RootBlockDevice, &out.RootBlockDevice
+		*out = make([]RootBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchConfigurationList.
-func (in *LaunchConfigurationList) DeepCopy() *LaunchConfigurationList {
-	if in == nil {
-		return nil
+	if in.SpotPrice != nil {
+		in, out := &in.SpotPrice, &out.SpotPrice
+		*out = new(string)
+		**out = **in
 	}
-	out := new(LaunchConfigurationList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *LaunchConfigurationList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+	if in.UserData != nil {
+		in, out := &in.UserData, &out.UserData
+		*out = new(string)
+		**out = **in
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *LaunchConfigurationObservation) DeepCopyInto(out *LaunchConfigurationObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.UserDataBase64 != nil {
+		in, out := &in.UserDataBase64, &out.UserDataBase64
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.VPCClassicLinkID != nil {
+		in, out := &in.VPCClassicLinkID, &out.VPCClassicLinkID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCClassicLinkSecurityGroups != nil {
+		in, out := &in.VPCClassicLinkSecurityGroups, &out.VPCClassicLinkSecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchConfigurationObservation.
@@ -2098,6 +2953,21 @@ func (in *LaunchConfigurationStatus) DeepCopy() *LaunchConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateObservation) DeepCopyInto(out *LaunchTemplateObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateObservation.
@@ -2153,6 +3023,21 @@ func (in *LaunchTemplateParameters) DeepCopy() *LaunchTemplateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateSpecificationObservation) DeepCopyInto(out *LaunchTemplateSpecificationObservation) {
 	*out = *in
+	if in.LaunchTemplateID != nil {
+		in, out := &in.LaunchTemplateID, &out.LaunchTemplateID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchTemplateName != nil {
+		in, out := &in.LaunchTemplateName, &out.LaunchTemplateName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateSpecificationObservation.
@@ -2267,11 +3152,46 @@ func (in *LifecycleHookList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LifecycleHookObservation) DeepCopyInto(out *LifecycleHookObservation) {
 	*out = *in
+	if in.AutoscalingGroupName != nil {
+		in, out := &in.AutoscalingGroupName, &out.AutoscalingGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultResult != nil {
+		in, out := &in.DefaultResult, &out.DefaultResult
+		*out = new(string)
+		**out = **in
+	}
+	if in.HeartbeatTimeout != nil {
+		in, out := &in.HeartbeatTimeout, &out.HeartbeatTimeout
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LifecycleTransition != nil {
+		in, out := &in.LifecycleTransition, &out.LifecycleTransition
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationMetadata != nil {
+		in, out := &in.NotificationMetadata, &out.NotificationMetadata
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationTargetArn != nil {
+		in, out := &in.NotificationTargetArn, &out.NotificationTargetArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LifecycleHookObservation.
@@ -2396,6 +3316,16 @@ func (in *LifecycleHookStatus) DeepCopy() *LifecycleHookStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemoryGibPerVcpuObservation) DeepCopyInto(out *MemoryGibPerVcpuObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryGibPerVcpuObservation.
@@ -2436,6 +3366,16 @@ func (in *MemoryGibPerVcpuParameters) DeepCopy() *MemoryGibPerVcpuParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemoryMibObservation) DeepCopyInto(out *MemoryMibObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryMibObservation.
@@ -2476,6 +3416,21 @@ func (in *MemoryMibParameters) DeepCopy() *MemoryMibParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetadataOptionsObservation) DeepCopyInto(out *MetadataOptionsObservation) {
 	*out = *in
+	if in.HTTPEndpoint != nil {
+		in, out := &in.HTTPEndpoint, &out.HTTPEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPPutResponseHopLimit != nil {
+		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPTokens != nil {
+		in, out := &in.HTTPTokens, &out.HTTPTokens
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetadataOptionsObservation.
@@ -2521,6 +3476,23 @@ func (in *MetadataOptionsParameters) DeepCopy() *MetadataOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricDataQueriesMetricStatMetricObservation) DeepCopyInto(out *MetricDataQueriesMetricStatMetricObservation) {
 	*out = *in
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make([]MetricStatMetricDimensionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricDataQueriesMetricStatMetricObservation.
@@ -2568,6 +3540,23 @@ func (in *MetricDataQueriesMetricStatMetricParameters) DeepCopy() *MetricDataQue
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricDataQueriesMetricStatObservation) DeepCopyInto(out *MetricDataQueriesMetricStatObservation) {
 	*out = *in
+	if in.Metric != nil {
+		in, out := &in.Metric, &out.Metric
+		*out = make([]MetricStatMetricObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Stat != nil {
+		in, out := &in.Stat, &out.Stat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricDataQueriesMetricStatObservation.
@@ -2615,6 +3604,33 @@ func (in *MetricDataQueriesMetricStatParameters) DeepCopy() *MetricDataQueriesMe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricDataQueriesObservation) DeepCopyInto(out *MetricDataQueriesObservation) {
 	*out = *in
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Label != nil {
+		in, out := &in.Label, &out.Label
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricStat != nil {
+		in, out := &in.MetricStat, &out.MetricStat
+		*out = make([]MetricStatObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReturnData != nil {
+		in, out := &in.ReturnData, &out.ReturnData
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricDataQueriesObservation.
@@ -2672,6 +3688,16 @@ func (in *MetricDataQueriesParameters) DeepCopy() *MetricDataQueriesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricDimensionObservation) DeepCopyInto(out *MetricDimensionObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricDimensionObservation.
@@ -2712,6 +3738,16 @@ func (in *MetricDimensionParameters) DeepCopy() *MetricDimensionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricDimensionsObservation) DeepCopyInto(out *MetricDimensionsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricDimensionsObservation.
@@ -2744,14 +3780,31 @@ func (in *MetricDimensionsParameters) DeepCopy() *MetricDimensionsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(MetricDimensionsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MetricObservation) DeepCopyInto(out *MetricObservation) {
-	*out = *in
+	out := new(MetricDimensionsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MetricObservation) DeepCopyInto(out *MetricObservation) {
+	*out = *in
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make([]DimensionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricObservation.
@@ -2799,6 +3852,53 @@ func (in *MetricParameters) DeepCopy() *MetricParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricSpecificationObservation) DeepCopyInto(out *MetricSpecificationObservation) {
 	*out = *in
+	if in.CustomizedCapacityMetricSpecification != nil {
+		in, out := &in.CustomizedCapacityMetricSpecification, &out.CustomizedCapacityMetricSpecification
+		*out = make([]CustomizedCapacityMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomizedLoadMetricSpecification != nil {
+		in, out := &in.CustomizedLoadMetricSpecification, &out.CustomizedLoadMetricSpecification
+		*out = make([]CustomizedLoadMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomizedScalingMetricSpecification != nil {
+		in, out := &in.CustomizedScalingMetricSpecification, &out.CustomizedScalingMetricSpecification
+		*out = make([]CustomizedScalingMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PredefinedLoadMetricSpecification != nil {
+		in, out := &in.PredefinedLoadMetricSpecification, &out.PredefinedLoadMetricSpecification
+		*out = make([]PredefinedLoadMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PredefinedMetricPairSpecification != nil {
+		in, out := &in.PredefinedMetricPairSpecification, &out.PredefinedMetricPairSpecification
+		*out = make([]PredefinedMetricPairSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PredefinedScalingMetricSpecification != nil {
+		in, out := &in.PredefinedScalingMetricSpecification, &out.PredefinedScalingMetricSpecification
+		*out = make([]PredefinedScalingMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetValue != nil {
+		in, out := &in.TargetValue, &out.TargetValue
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricSpecificationObservation.
@@ -2876,6 +3976,16 @@ func (in *MetricSpecificationParameters) DeepCopy() *MetricSpecificationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricStatMetricDimensionsObservation) DeepCopyInto(out *MetricStatMetricDimensionsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricStatMetricDimensionsObservation.
@@ -2916,6 +4026,23 @@ func (in *MetricStatMetricDimensionsParameters) DeepCopy() *MetricStatMetricDime
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricStatMetricObservation) DeepCopyInto(out *MetricStatMetricObservation) {
 	*out = *in
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make([]MetricDimensionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricStatMetricObservation.
@@ -2963,6 +4090,23 @@ func (in *MetricStatMetricParameters) DeepCopy() *MetricStatMetricParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricStatObservation) DeepCopyInto(out *MetricStatObservation) {
 	*out = *in
+	if in.Metric != nil {
+		in, out := &in.Metric, &out.Metric
+		*out = make([]MetricObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Stat != nil {
+		in, out := &in.Stat, &out.Stat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricStatObservation.
@@ -3010,6 +4154,20 @@ func (in *MetricStatParameters) DeepCopy() *MetricStatParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MixedInstancesPolicyLaunchTemplateObservation) DeepCopyInto(out *MixedInstancesPolicyLaunchTemplateObservation) {
 	*out = *in
+	if in.LaunchTemplateSpecification != nil {
+		in, out := &in.LaunchTemplateSpecification, &out.LaunchTemplateSpecification
+		*out = make([]LaunchTemplateSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = make([]OverrideObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MixedInstancesPolicyLaunchTemplateObservation.
@@ -3054,6 +4212,20 @@ func (in *MixedInstancesPolicyLaunchTemplateParameters) DeepCopy() *MixedInstanc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MixedInstancesPolicyObservation) DeepCopyInto(out *MixedInstancesPolicyObservation) {
 	*out = *in
+	if in.InstancesDistribution != nil {
+		in, out := &in.InstancesDistribution, &out.InstancesDistribution
+		*out = make([]InstancesDistributionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LaunchTemplate != nil {
+		in, out := &in.LaunchTemplate, &out.LaunchTemplate
+		*out = make([]MixedInstancesPolicyLaunchTemplateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MixedInstancesPolicyObservation.
@@ -3098,6 +4270,16 @@ func (in *MixedInstancesPolicyParameters) DeepCopy() *MixedInstancesPolicyParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkInterfaceCountObservation) DeepCopyInto(out *NetworkInterfaceCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceCountObservation.
@@ -3197,11 +4379,38 @@ func (in *NotificationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationObservation) DeepCopyInto(out *NotificationObservation) {
 	*out = *in
+	if in.GroupNames != nil {
+		in, out := &in.GroupNames, &out.GroupNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Notifications != nil {
+		in, out := &in.Notifications, &out.Notifications
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationObservation.
@@ -3308,6 +4517,21 @@ func (in *NotificationStatus) DeepCopy() *NotificationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverrideLaunchTemplateSpecificationObservation) DeepCopyInto(out *OverrideLaunchTemplateSpecificationObservation) {
 	*out = *in
+	if in.LaunchTemplateID != nil {
+		in, out := &in.LaunchTemplateID, &out.LaunchTemplateID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchTemplateName != nil {
+		in, out := &in.LaunchTemplateName, &out.LaunchTemplateName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OverrideLaunchTemplateSpecificationObservation.
@@ -3363,6 +4587,30 @@ func (in *OverrideLaunchTemplateSpecificationParameters) DeepCopy() *OverrideLau
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverrideObservation) DeepCopyInto(out *OverrideObservation) {
 	*out = *in
+	if in.InstanceRequirements != nil {
+		in, out := &in.InstanceRequirements, &out.InstanceRequirements
+		*out = make([]InstanceRequirementsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchTemplateSpecification != nil {
+		in, out := &in.LaunchTemplateSpecification, &out.LaunchTemplateSpecification
+		*out = make([]OverrideLaunchTemplateSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WeightedCapacity != nil {
+		in, out := &in.WeightedCapacity, &out.WeightedCapacity
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OverrideObservation.
@@ -3476,16 +4724,82 @@ func (in *PolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 	*out = *in
+	if in.AdjustmentType != nil {
+		in, out := &in.AdjustmentType, &out.AdjustmentType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoscalingGroupName != nil {
+		in, out := &in.AutoscalingGroupName, &out.AutoscalingGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Cooldown != nil {
+		in, out := &in.Cooldown, &out.Cooldown
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EstimatedInstanceWarmup != nil {
+		in, out := &in.EstimatedInstanceWarmup, &out.EstimatedInstanceWarmup
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MetricAggregationType != nil {
+		in, out := &in.MetricAggregationType, &out.MetricAggregationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinAdjustmentMagnitude != nil {
+		in, out := &in.MinAdjustmentMagnitude, &out.MinAdjustmentMagnitude
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PolicyType != nil {
+		in, out := &in.PolicyType, &out.PolicyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.PredictiveScalingConfiguration != nil {
+		in, out := &in.PredictiveScalingConfiguration, &out.PredictiveScalingConfiguration
+		*out = make([]PredictiveScalingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScalingAdjustment != nil {
+		in, out := &in.ScalingAdjustment, &out.ScalingAdjustment
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StepAdjustment != nil {
+		in, out := &in.StepAdjustment, &out.StepAdjustment
+		*out = make([]StepAdjustmentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetTrackingConfiguration != nil {
+		in, out := &in.TargetTrackingConfiguration, &out.TargetTrackingConfiguration
+		*out = make([]TargetTrackingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation.
@@ -3631,6 +4945,16 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredefinedLoadMetricSpecificationObservation) DeepCopyInto(out *PredefinedLoadMetricSpecificationObservation) {
 	*out = *in
+	if in.PredefinedMetricType != nil {
+		in, out := &in.PredefinedMetricType, &out.PredefinedMetricType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLabel != nil {
+		in, out := &in.ResourceLabel, &out.ResourceLabel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredefinedLoadMetricSpecificationObservation.
@@ -3671,6 +4995,16 @@ func (in *PredefinedLoadMetricSpecificationParameters) DeepCopy() *PredefinedLoa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredefinedMetricPairSpecificationObservation) DeepCopyInto(out *PredefinedMetricPairSpecificationObservation) {
 	*out = *in
+	if in.PredefinedMetricType != nil {
+		in, out := &in.PredefinedMetricType, &out.PredefinedMetricType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLabel != nil {
+		in, out := &in.ResourceLabel, &out.ResourceLabel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredefinedMetricPairSpecificationObservation.
@@ -3711,6 +5045,16 @@ func (in *PredefinedMetricPairSpecificationParameters) DeepCopy() *PredefinedMet
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredefinedMetricSpecificationObservation) DeepCopyInto(out *PredefinedMetricSpecificationObservation) {
 	*out = *in
+	if in.PredefinedMetricType != nil {
+		in, out := &in.PredefinedMetricType, &out.PredefinedMetricType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLabel != nil {
+		in, out := &in.ResourceLabel, &out.ResourceLabel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredefinedMetricSpecificationObservation.
@@ -3751,6 +5095,16 @@ func (in *PredefinedMetricSpecificationParameters) DeepCopy() *PredefinedMetricS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredefinedScalingMetricSpecificationObservation) DeepCopyInto(out *PredefinedScalingMetricSpecificationObservation) {
 	*out = *in
+	if in.PredefinedMetricType != nil {
+		in, out := &in.PredefinedMetricType, &out.PredefinedMetricType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLabel != nil {
+		in, out := &in.ResourceLabel, &out.ResourceLabel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredefinedScalingMetricSpecificationObservation.
@@ -3791,6 +5145,33 @@ func (in *PredefinedScalingMetricSpecificationParameters) DeepCopy() *Predefined
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredictiveScalingConfigurationObservation) DeepCopyInto(out *PredictiveScalingConfigurationObservation) {
 	*out = *in
+	if in.MaxCapacityBreachBehavior != nil {
+		in, out := &in.MaxCapacityBreachBehavior, &out.MaxCapacityBreachBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxCapacityBuffer != nil {
+		in, out := &in.MaxCapacityBuffer, &out.MaxCapacityBuffer
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricSpecification != nil {
+		in, out := &in.MetricSpecification, &out.MetricSpecification
+		*out = make([]MetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SchedulingBufferTime != nil {
+		in, out := &in.SchedulingBufferTime, &out.SchedulingBufferTime
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredictiveScalingConfigurationObservation.
@@ -3848,6 +5229,37 @@ func (in *PredictiveScalingConfigurationParameters) DeepCopy() *PredictiveScalin
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PreferencesObservation) DeepCopyInto(out *PreferencesObservation) {
 	*out = *in
+	if in.CheckpointDelay != nil {
+		in, out := &in.CheckpointDelay, &out.CheckpointDelay
+		*out = new(string)
+		**out = **in
+	}
+	if in.CheckpointPercentages != nil {
+		in, out := &in.CheckpointPercentages, &out.CheckpointPercentages
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.InstanceWarmup != nil {
+		in, out := &in.InstanceWarmup, &out.InstanceWarmup
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinHealthyPercentage != nil {
+		in, out := &in.MinHealthyPercentage, &out.MinHealthyPercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SkipMatching != nil {
+		in, out := &in.SkipMatching, &out.SkipMatching
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreferencesObservation.
@@ -3909,6 +5321,36 @@ func (in *PreferencesParameters) DeepCopy() *PreferencesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RootBlockDeviceObservation) DeepCopyInto(out *RootBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootBlockDeviceObservation.
@@ -4033,11 +5475,51 @@ func (in *ScheduleObservation) DeepCopyInto(out *ScheduleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoscalingGroupName != nil {
+		in, out := &in.AutoscalingGroupName, &out.AutoscalingGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DesiredCapacity != nil {
+		in, out := &in.DesiredCapacity, &out.DesiredCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EndTime != nil {
+		in, out := &in.EndTime, &out.EndTime
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxSize != nil {
+		in, out := &in.MaxSize, &out.MaxSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinSize != nil {
+		in, out := &in.MinSize, &out.MinSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Recurrence != nil {
+		in, out := &in.Recurrence, &out.Recurrence
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleObservation.
@@ -4157,6 +5639,21 @@ func (in *ScheduleStatus) DeepCopy() *ScheduleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepAdjustmentObservation) DeepCopyInto(out *StepAdjustmentObservation) {
 	*out = *in
+	if in.MetricIntervalLowerBound != nil {
+		in, out := &in.MetricIntervalLowerBound, &out.MetricIntervalLowerBound
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricIntervalUpperBound != nil {
+		in, out := &in.MetricIntervalUpperBound, &out.MetricIntervalUpperBound
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalingAdjustment != nil {
+		in, out := &in.ScalingAdjustment, &out.ScalingAdjustment
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepAdjustmentObservation.
@@ -4202,6 +5699,21 @@ func (in *StepAdjustmentParameters) DeepCopy() *StepAdjustmentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagObservation) DeepCopyInto(out *TagObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.PropagateAtLaunch != nil {
+		in, out := &in.PropagateAtLaunch, &out.PropagateAtLaunch
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagObservation.
@@ -4247,6 +5759,30 @@ func (in *TagParameters) DeepCopy() *TagParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetTrackingConfigurationObservation) DeepCopyInto(out *TargetTrackingConfigurationObservation) {
 	*out = *in
+	if in.CustomizedMetricSpecification != nil {
+		in, out := &in.CustomizedMetricSpecification, &out.CustomizedMetricSpecification
+		*out = make([]CustomizedMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DisableScaleIn != nil {
+		in, out := &in.DisableScaleIn, &out.DisableScaleIn
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PredefinedMetricSpecification != nil {
+		in, out := &in.PredefinedMetricSpecification, &out.PredefinedMetricSpecification
+		*out = make([]PredefinedMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetValue != nil {
+		in, out := &in.TargetValue, &out.TargetValue
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetTrackingConfigurationObservation.
@@ -4301,6 +5837,16 @@ func (in *TargetTrackingConfigurationParameters) DeepCopy() *TargetTrackingConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TotalLocalStorageGbObservation) DeepCopyInto(out *TotalLocalStorageGbObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TotalLocalStorageGbObservation.
@@ -4341,6 +5887,16 @@ func (in *TotalLocalStorageGbParameters) DeepCopy() *TotalLocalStorageGbParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VcpuCountObservation) DeepCopyInto(out *VcpuCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VcpuCountObservation.
@@ -4381,6 +5937,28 @@ func (in *VcpuCountParameters) DeepCopy() *VcpuCountParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WarmPoolObservation) DeepCopyInto(out *WarmPoolObservation) {
 	*out = *in
+	if in.InstanceReusePolicy != nil {
+		in, out := &in.InstanceReusePolicy, &out.InstanceReusePolicy
+		*out = make([]InstanceReusePolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaxGroupPreparedCapacity != nil {
+		in, out := &in.MaxGroupPreparedCapacity, &out.MaxGroupPreparedCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinSize != nil {
+		in, out := &in.MinSize, &out.MinSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PoolState != nil {
+		in, out := &in.PoolState, &out.PoolState
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WarmPoolObservation.
diff --git a/apis/autoscaling/v1beta1/zz_grouptag_types.go b/apis/autoscaling/v1beta1/zz_grouptag_types.go
index 12e59c4a18..ede5bc5437 100755
--- a/apis/autoscaling/v1beta1/zz_grouptag_types.go
+++ b/apis/autoscaling/v1beta1/zz_grouptag_types.go
@@ -15,8 +15,14 @@ import (
 
 type GroupTagObservation struct {
 
+	// Name of the Autoscaling Group to apply the tag to.
+	AutoscalingGroupName *string `json:"autoscalingGroupName,omitempty" tf:"autoscaling_group_name,omitempty"`
+
 	// ASG name and key, separated by a comma (,)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Tag to create. The tag block is documented below.
+	Tag []GroupTagTagObservation `json:"tag,omitempty" tf:"tag,omitempty"`
 }
 
 type GroupTagParameters struct {
@@ -40,11 +46,20 @@ type GroupTagParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Tag to create. The tag block is documented below.
-	// +kubebuilder:validation:Required
-	Tag []GroupTagTagParameters `json:"tag" tf:"tag,omitempty"`
+	// +kubebuilder:validation:Optional
+	Tag []GroupTagTagParameters `json:"tag,omitempty" tf:"tag,omitempty"`
 }
 
 type GroupTagTagObservation struct {
+
+	// Tag name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Whether to propagate the tags to instances launched by the ASG.
+	PropagateAtLaunch *bool `json:"propagateAtLaunch,omitempty" tf:"propagate_at_launch,omitempty"`
+
+	// Tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type GroupTagTagParameters struct {
@@ -86,8 +101,9 @@ type GroupTagStatus struct {
 type GroupTag struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GroupTagSpec   `json:"spec"`
-	Status            GroupTagStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tag)",message="tag is a required parameter"
+	Spec   GroupTagSpec   `json:"spec"`
+	Status GroupTagStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/autoscaling/v1beta1/zz_launchconfiguration_types.go b/apis/autoscaling/v1beta1/zz_launchconfiguration_types.go
index ab2c534907..366171e710 100755
--- a/apis/autoscaling/v1beta1/zz_launchconfiguration_types.go
+++ b/apis/autoscaling/v1beta1/zz_launchconfiguration_types.go
@@ -14,6 +14,36 @@ import (
 )
 
 type EBSBlockDeviceObservation struct {
+
+	// Whether the volume should be destroyed
+	// on instance termination (Default: true).
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// The name of the device to mount.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Whether the volume should be encrypted or not. Defaults to false.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// The amount of provisioned
+	// IOPS.
+	// This must be set with a volume_type of "io1".
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Whether the device in the block device mapping of the AMI is suppressed.
+	NoDevice *bool `json:"noDevice,omitempty" tf:"no_device,omitempty"`
+
+	// The Snapshot ID to mount.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// The throughput (MiBps) to provision for a gp3 volume.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// The size of the volume in gigabytes.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// The type of volume. Can be standard, gp2, gp3, st1, sc1 or io1.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type EBSBlockDeviceParameters struct {
@@ -59,6 +89,15 @@ type EBSBlockDeviceParameters struct {
 }
 
 type EphemeralBlockDeviceObservation struct {
+
+	// The name of the block device to mount on the instance.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Whether the device in the block device mapping of the AMI is suppressed.
+	NoDevice *bool `json:"noDevice,omitempty" tf:"no_device,omitempty"`
+
+	// The Instance Store Device Name.
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type EphemeralBlockDeviceParameters struct {
@@ -81,8 +120,62 @@ type LaunchConfigurationObservation struct {
 	// The Amazon Resource Name of the launch configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Associate a public ip address with an instance in a VPC.
+	AssociatePublicIPAddress *bool `json:"associatePublicIpAddress,omitempty" tf:"associate_public_ip_address,omitempty"`
+
+	// Additional EBS block devices to attach to the instance. See Block Devices below for details.
+	EBSBlockDevice []EBSBlockDeviceObservation `json:"ebsBlockDevice,omitempty" tf:"ebs_block_device,omitempty"`
+
+	// If true, the launched EC2 instance will be EBS-optimized.
+	EBSOptimized *bool `json:"ebsOptimized,omitempty" tf:"ebs_optimized,omitempty"`
+
+	// Enables/disables detailed monitoring. This is enabled by default.
+	EnableMonitoring *bool `json:"enableMonitoring,omitempty" tf:"enable_monitoring,omitempty"`
+
+	// Customize Ephemeral (also known as "Instance Store") volumes on the instance. See Block Devices below for details.
+	EphemeralBlockDevice []EphemeralBlockDeviceObservation `json:"ephemeralBlockDevice,omitempty" tf:"ephemeral_block_device,omitempty"`
+
+	// The name attribute of the IAM instance profile to associate with launched instances.
+	IAMInstanceProfile *string `json:"iamInstanceProfile,omitempty" tf:"iam_instance_profile,omitempty"`
+
 	// The ID of the launch configuration.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The EC2 image ID to launch.
+	ImageID *string `json:"imageId,omitempty" tf:"image_id,omitempty"`
+
+	// The size of instance to launch.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The key name that should be used for the instance.
+	KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+
+	// The metadata options for the instance.
+	MetadataOptions []MetadataOptionsObservation `json:"metadataOptions,omitempty" tf:"metadata_options,omitempty"`
+
+	// The tenancy of the instance. Valid values are default or dedicated, see AWS's Create Launch Configuration for more details.
+	PlacementTenancy *string `json:"placementTenancy,omitempty" tf:"placement_tenancy,omitempty"`
+
+	// Customize details about the root block device of the instance. See Block Devices below for details.
+	RootBlockDevice []RootBlockDeviceObservation `json:"rootBlockDevice,omitempty" tf:"root_block_device,omitempty"`
+
+	// A list of associated security group IDS.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The maximum price to use for reserving spot instances.
+	SpotPrice *string `json:"spotPrice,omitempty" tf:"spot_price,omitempty"`
+
+	// The user data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see user_data_base64 instead.
+	UserData *string `json:"userData,omitempty" tf:"user_data,omitempty"`
+
+	// Can be used instead of user_data to pass base64-encoded binary data directly. Use this instead of user_data whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption.
+	UserDataBase64 *string `json:"userDataBase64,omitempty" tf:"user_data_base64,omitempty"`
+
+	// The ID of a ClassicLink-enabled VPC. Only applies to EC2-Classic instances. (eg. vpc-2730681a)
+	VPCClassicLinkID *string `json:"vpcClassicLinkId,omitempty" tf:"vpc_classic_link_id,omitempty"`
+
+	// The IDs of one or more security groups for the specified ClassicLink-enabled VPC (eg. sg-46ae3d11).
+	VPCClassicLinkSecurityGroups []*string `json:"vpcClassicLinkSecurityGroups,omitempty" tf:"vpc_classic_link_security_groups,omitempty"`
 }
 
 type LaunchConfigurationParameters struct {
@@ -112,12 +205,12 @@ type LaunchConfigurationParameters struct {
 	IAMInstanceProfile *string `json:"iamInstanceProfile,omitempty" tf:"iam_instance_profile,omitempty"`
 
 	// The EC2 image ID to launch.
-	// +kubebuilder:validation:Required
-	ImageID *string `json:"imageId" tf:"image_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	ImageID *string `json:"imageId,omitempty" tf:"image_id,omitempty"`
 
 	// The size of instance to launch.
-	// +kubebuilder:validation:Required
-	InstanceType *string `json:"instanceType" tf:"instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
 
 	// The key name that should be used for the instance.
 	// +kubebuilder:validation:Optional
@@ -166,6 +259,15 @@ type LaunchConfigurationParameters struct {
 }
 
 type MetadataOptionsObservation struct {
+
+	// The state of the metadata service: enabled, disabled.
+	HTTPEndpoint *string `json:"httpEndpoint,omitempty" tf:"http_endpoint,omitempty"`
+
+	// The desired HTTP PUT response hop limit for instance metadata requests.
+	HTTPPutResponseHopLimit *float64 `json:"httpPutResponseHopLimit,omitempty" tf:"http_put_response_hop_limit,omitempty"`
+
+	// If session tokens are required: optional, required.
+	HTTPTokens *string `json:"httpTokens,omitempty" tf:"http_tokens,omitempty"`
 }
 
 type MetadataOptionsParameters struct {
@@ -184,6 +286,24 @@ type MetadataOptionsParameters struct {
 }
 
 type RootBlockDeviceObservation struct {
+
+	// Whether the volume should be destroyed on instance termination. Defaults to true.
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Whether the volume should be encrypted or not. Defaults to false.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// The amount of provisioned IOPS. This must be set with a volume_type of io1.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The throughput (MiBps) to provision for a gp3 volume.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// The size of the volume in gigabytes.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// The type of volume. Can be standard, gp2, gp3, st1, sc1 or io1.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type RootBlockDeviceParameters struct {
@@ -237,8 +357,10 @@ type LaunchConfigurationStatus struct {
 type LaunchConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LaunchConfigurationSpec   `json:"spec"`
-	Status            LaunchConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.imageId)",message="imageId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)",message="instanceType is a required parameter"
+	Spec   LaunchConfigurationSpec   `json:"spec"`
+	Status LaunchConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/autoscaling/v1beta1/zz_lifecyclehook_types.go b/apis/autoscaling/v1beta1/zz_lifecyclehook_types.go
index c3367e1a25..ebe7c64af1 100755
--- a/apis/autoscaling/v1beta1/zz_lifecyclehook_types.go
+++ b/apis/autoscaling/v1beta1/zz_lifecyclehook_types.go
@@ -14,7 +14,29 @@ import (
 )
 
 type LifecycleHookObservation struct {
+
+	// Name of the Auto Scaling group to which you want to assign the lifecycle hook
+	AutoscalingGroupName *string `json:"autoscalingGroupName,omitempty" tf:"autoscaling_group_name,omitempty"`
+
+	// Defines the action the Auto Scaling group should take when the lifecycle hook timeout elapses or if an unexpected failure occurs. The value for this parameter can be either CONTINUE or ABANDON. The default value for this parameter is ABANDON.
+	DefaultResult *string `json:"defaultResult,omitempty" tf:"default_result,omitempty"`
+
+	// Defines the amount of time, in seconds, that can elapse before the lifecycle hook times out. When the lifecycle hook times out, Auto Scaling performs the action defined in the DefaultResult parameter
+	HeartbeatTimeout *float64 `json:"heartbeatTimeout,omitempty" tf:"heartbeat_timeout,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Instance state to which you want to attach the lifecycle hook. For a list of lifecycle hook types, see describe-lifecycle-hook-types
+	LifecycleTransition *string `json:"lifecycleTransition,omitempty" tf:"lifecycle_transition,omitempty"`
+
+	// Contains additional information that you want to include any time Auto Scaling sends a message to the notification target.
+	NotificationMetadata *string `json:"notificationMetadata,omitempty" tf:"notification_metadata,omitempty"`
+
+	// ARN of the notification target that Auto Scaling will use to notify you when an instance is in the transition state for the lifecycle hook. This ARN target can be either an SQS queue or an SNS topic.
+	NotificationTargetArn *string `json:"notificationTargetArn,omitempty" tf:"notification_target_arn,omitempty"`
+
+	// ARN of the IAM role that allows the Auto Scaling group to publish to the specified notification target.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type LifecycleHookParameters struct {
@@ -41,8 +63,8 @@ type LifecycleHookParameters struct {
 	HeartbeatTimeout *float64 `json:"heartbeatTimeout,omitempty" tf:"heartbeat_timeout,omitempty"`
 
 	// Instance state to which you want to attach the lifecycle hook. For a list of lifecycle hook types, see describe-lifecycle-hook-types
-	// +kubebuilder:validation:Required
-	LifecycleTransition *string `json:"lifecycleTransition" tf:"lifecycle_transition,omitempty"`
+	// +kubebuilder:validation:Optional
+	LifecycleTransition *string `json:"lifecycleTransition,omitempty" tf:"lifecycle_transition,omitempty"`
 
 	// Contains additional information that you want to include any time Auto Scaling sends a message to the notification target.
 	// +kubebuilder:validation:Optional
@@ -96,8 +118,9 @@ type LifecycleHookStatus struct {
 type LifecycleHook struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LifecycleHookSpec   `json:"spec"`
-	Status            LifecycleHookStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lifecycleTransition)",message="lifecycleTransition is a required parameter"
+	Spec   LifecycleHookSpec   `json:"spec"`
+	Status LifecycleHookStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/autoscaling/v1beta1/zz_notification_types.go b/apis/autoscaling/v1beta1/zz_notification_types.go
index 905a2e85f6..b6546f4af0 100755
--- a/apis/autoscaling/v1beta1/zz_notification_types.go
+++ b/apis/autoscaling/v1beta1/zz_notification_types.go
@@ -14,19 +14,30 @@ import (
 )
 
 type NotificationObservation struct {
+
+	// List of AutoScaling Group Names
+	GroupNames []*string `json:"groupNames,omitempty" tf:"group_names,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// List of Notification Types that trigger
+	// notifications. Acceptable values are documented in the AWS documentation here
+	Notifications []*string `json:"notifications,omitempty" tf:"notifications,omitempty"`
+
+	// Topic ARN for notifications to be sent through
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type NotificationParameters struct {
 
 	// List of AutoScaling Group Names
-	// +kubebuilder:validation:Required
-	GroupNames []*string `json:"groupNames" tf:"group_names,omitempty"`
+	// +kubebuilder:validation:Optional
+	GroupNames []*string `json:"groupNames,omitempty" tf:"group_names,omitempty"`
 
 	// List of Notification Types that trigger
 	// notifications. Acceptable values are documented in the AWS documentation here
-	// +kubebuilder:validation:Required
-	Notifications []*string `json:"notifications" tf:"notifications,omitempty"`
+	// +kubebuilder:validation:Optional
+	Notifications []*string `json:"notifications,omitempty" tf:"notifications,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -72,8 +83,10 @@ type NotificationStatus struct {
 type Notification struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NotificationSpec   `json:"spec"`
-	Status            NotificationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupNames)",message="groupNames is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.notifications)",message="notifications is a required parameter"
+	Spec   NotificationSpec   `json:"spec"`
+	Status NotificationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/autoscaling/v1beta1/zz_policy_types.go b/apis/autoscaling/v1beta1/zz_policy_types.go
index e8dbe0ab4a..073b6cea85 100755
--- a/apis/autoscaling/v1beta1/zz_policy_types.go
+++ b/apis/autoscaling/v1beta1/zz_policy_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type CustomizedCapacityMetricSpecificationObservation struct {
+
+	// List of up to 10 structures that defines custom capacity metric in predictive scaling policy
+	MetricDataQueries []MetricDataQueriesObservation `json:"metricDataQueries,omitempty" tf:"metric_data_queries,omitempty"`
 }
 
 type CustomizedCapacityMetricSpecificationParameters struct {
@@ -24,6 +27,21 @@ type CustomizedCapacityMetricSpecificationParameters struct {
 }
 
 type CustomizedLoadMetricSpecificationMetricDataQueriesObservation struct {
+
+	// Math expression used on the returned metric. You must specify either expression or metric_stat, but not both.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// Short name for the metric used in predictive scaling policy.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Human-readable label for this metric or expression.
+	Label *string `json:"label,omitempty" tf:"label,omitempty"`
+
+	// Structure that defines CloudWatch metric to be used in predictive scaling policy. You must specify either expression or metric_stat, but not both.
+	MetricStat []MetricDataQueriesMetricStatObservation `json:"metricStat,omitempty" tf:"metric_stat,omitempty"`
+
+	// Boolean that indicates whether to return the timestamps and raw data values of this metric, the default it true
+	ReturnData *bool `json:"returnData,omitempty" tf:"return_data,omitempty"`
 }
 
 type CustomizedLoadMetricSpecificationMetricDataQueriesParameters struct {
@@ -50,6 +68,9 @@ type CustomizedLoadMetricSpecificationMetricDataQueriesParameters struct {
 }
 
 type CustomizedLoadMetricSpecificationObservation struct {
+
+	// List of up to 10 structures that defines custom load metric in predictive scaling policy
+	MetricDataQueries []CustomizedLoadMetricSpecificationMetricDataQueriesObservation `json:"metricDataQueries,omitempty" tf:"metric_data_queries,omitempty"`
 }
 
 type CustomizedLoadMetricSpecificationParameters struct {
@@ -60,6 +81,21 @@ type CustomizedLoadMetricSpecificationParameters struct {
 }
 
 type CustomizedMetricSpecificationObservation struct {
+
+	// Dimensions of the metric.
+	MetricDimension []MetricDimensionObservation `json:"metricDimension,omitempty" tf:"metric_dimension,omitempty"`
+
+	// Name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// Statistic of the metric.
+	Statistic *string `json:"statistic,omitempty" tf:"statistic,omitempty"`
+
+	// Unit of the metrics to return.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type CustomizedMetricSpecificationParameters struct {
@@ -86,6 +122,15 @@ type CustomizedMetricSpecificationParameters struct {
 }
 
 type CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatObservation struct {
+
+	// Structure that defines the CloudWatch metric to return, including the metric name, namespace, and dimensions.
+	Metric []MetricDataQueriesMetricStatMetricObservation `json:"metric,omitempty" tf:"metric,omitempty"`
+
+	// Statistic of the metrics to return.
+	Stat *string `json:"stat,omitempty" tf:"stat,omitempty"`
+
+	// Unit of the metrics to return.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatParameters struct {
@@ -104,6 +149,21 @@ type CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatParameters s
 }
 
 type CustomizedScalingMetricSpecificationMetricDataQueriesObservation struct {
+
+	// Math expression used on the returned metric. You must specify either expression or metric_stat, but not both.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// Short name for the metric used in predictive scaling policy.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Human-readable label for this metric or expression.
+	Label *string `json:"label,omitempty" tf:"label,omitempty"`
+
+	// Structure that defines CloudWatch metric to be used in predictive scaling policy. You must specify either expression or metric_stat, but not both.
+	MetricStat []CustomizedScalingMetricSpecificationMetricDataQueriesMetricStatObservation `json:"metricStat,omitempty" tf:"metric_stat,omitempty"`
+
+	// Boolean that indicates whether to return the timestamps and raw data values of this metric, the default it true
+	ReturnData *bool `json:"returnData,omitempty" tf:"return_data,omitempty"`
 }
 
 type CustomizedScalingMetricSpecificationMetricDataQueriesParameters struct {
@@ -130,6 +190,9 @@ type CustomizedScalingMetricSpecificationMetricDataQueriesParameters struct {
 }
 
 type CustomizedScalingMetricSpecificationObservation struct {
+
+	// List of up to 10 structures that defines custom scaling metric in predictive scaling policy
+	MetricDataQueries []CustomizedScalingMetricSpecificationMetricDataQueriesObservation `json:"metricDataQueries,omitempty" tf:"metric_data_queries,omitempty"`
 }
 
 type CustomizedScalingMetricSpecificationParameters struct {
@@ -140,6 +203,12 @@ type CustomizedScalingMetricSpecificationParameters struct {
 }
 
 type DimensionsObservation struct {
+
+	// Name of the dimension.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Value of the dimension.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DimensionsParameters struct {
@@ -154,6 +223,15 @@ type DimensionsParameters struct {
 }
 
 type MetricDataQueriesMetricStatMetricObservation struct {
+
+	// Dimensions of the metric.
+	Dimensions []MetricStatMetricDimensionsObservation `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// Name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type MetricDataQueriesMetricStatMetricParameters struct {
@@ -172,6 +250,15 @@ type MetricDataQueriesMetricStatMetricParameters struct {
 }
 
 type MetricDataQueriesMetricStatObservation struct {
+
+	// Structure that defines the CloudWatch metric to return, including the metric name, namespace, and dimensions.
+	Metric []MetricStatMetricObservation `json:"metric,omitempty" tf:"metric,omitempty"`
+
+	// Statistic of the metrics to return.
+	Stat *string `json:"stat,omitempty" tf:"stat,omitempty"`
+
+	// Unit of the metrics to return.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type MetricDataQueriesMetricStatParameters struct {
@@ -190,6 +277,21 @@ type MetricDataQueriesMetricStatParameters struct {
 }
 
 type MetricDataQueriesObservation struct {
+
+	// Math expression used on the returned metric. You must specify either expression or metric_stat, but not both.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// Short name for the metric used in predictive scaling policy.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Human-readable label for this metric or expression.
+	Label *string `json:"label,omitempty" tf:"label,omitempty"`
+
+	// Structure that defines CloudWatch metric to be used in predictive scaling policy. You must specify either expression or metric_stat, but not both.
+	MetricStat []MetricStatObservation `json:"metricStat,omitempty" tf:"metric_stat,omitempty"`
+
+	// Boolean that indicates whether to return the timestamps and raw data values of this metric, the default it true
+	ReturnData *bool `json:"returnData,omitempty" tf:"return_data,omitempty"`
 }
 
 type MetricDataQueriesParameters struct {
@@ -216,6 +318,12 @@ type MetricDataQueriesParameters struct {
 }
 
 type MetricDimensionObservation struct {
+
+	// Name of the dimension.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Value of the dimension.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MetricDimensionParameters struct {
@@ -230,6 +338,12 @@ type MetricDimensionParameters struct {
 }
 
 type MetricDimensionsObservation struct {
+
+	// Name of the dimension.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Value of the dimension.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MetricDimensionsParameters struct {
@@ -244,6 +358,15 @@ type MetricDimensionsParameters struct {
 }
 
 type MetricObservation struct {
+
+	// Dimensions of the metric.
+	Dimensions []DimensionsObservation `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// Name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type MetricParameters struct {
@@ -262,6 +385,27 @@ type MetricParameters struct {
 }
 
 type MetricSpecificationObservation struct {
+
+	// Customized capacity metric specification. The field is only valid when you use customized_load_metric_specification
+	CustomizedCapacityMetricSpecification []CustomizedCapacityMetricSpecificationObservation `json:"customizedCapacityMetricSpecification,omitempty" tf:"customized_capacity_metric_specification,omitempty"`
+
+	// Customized load metric specification.
+	CustomizedLoadMetricSpecification []CustomizedLoadMetricSpecificationObservation `json:"customizedLoadMetricSpecification,omitempty" tf:"customized_load_metric_specification,omitempty"`
+
+	// Customized scaling metric specification.
+	CustomizedScalingMetricSpecification []CustomizedScalingMetricSpecificationObservation `json:"customizedScalingMetricSpecification,omitempty" tf:"customized_scaling_metric_specification,omitempty"`
+
+	// Predefined load metric specification.
+	PredefinedLoadMetricSpecification []PredefinedLoadMetricSpecificationObservation `json:"predefinedLoadMetricSpecification,omitempty" tf:"predefined_load_metric_specification,omitempty"`
+
+	// Metric pair specification from which Amazon EC2 Auto Scaling determines the appropriate scaling metric and load metric to use.
+	PredefinedMetricPairSpecification []PredefinedMetricPairSpecificationObservation `json:"predefinedMetricPairSpecification,omitempty" tf:"predefined_metric_pair_specification,omitempty"`
+
+	// Predefined scaling metric specification.
+	PredefinedScalingMetricSpecification []PredefinedScalingMetricSpecificationObservation `json:"predefinedScalingMetricSpecification,omitempty" tf:"predefined_scaling_metric_specification,omitempty"`
+
+	// Target value for the metric.
+	TargetValue *float64 `json:"targetValue,omitempty" tf:"target_value,omitempty"`
 }
 
 type MetricSpecificationParameters struct {
@@ -296,6 +440,12 @@ type MetricSpecificationParameters struct {
 }
 
 type MetricStatMetricDimensionsObservation struct {
+
+	// Name of the dimension.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Value of the dimension.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MetricStatMetricDimensionsParameters struct {
@@ -310,6 +460,15 @@ type MetricStatMetricDimensionsParameters struct {
 }
 
 type MetricStatMetricObservation struct {
+
+	// Dimensions of the metric.
+	Dimensions []MetricDimensionsObservation `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// Name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type MetricStatMetricParameters struct {
@@ -328,6 +487,15 @@ type MetricStatMetricParameters struct {
 }
 
 type MetricStatObservation struct {
+
+	// Structure that defines the CloudWatch metric to return, including the metric name, namespace, and dimensions.
+	Metric []MetricObservation `json:"metric,omitempty" tf:"metric,omitempty"`
+
+	// Statistic of the metrics to return.
+	Stat *string `json:"stat,omitempty" tf:"stat,omitempty"`
+
+	// Unit of the metrics to return.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type MetricStatParameters struct {
@@ -347,11 +515,48 @@ type MetricStatParameters struct {
 
 type PolicyObservation struct {
 
+	// Whether the adjustment is an absolute number or a percentage of the current capacity. Valid values are ChangeInCapacity, ExactCapacity, and PercentChangeInCapacity.
+	AdjustmentType *string `json:"adjustmentType,omitempty" tf:"adjustment_type,omitempty"`
+
 	// ARN assigned by AWS to the scaling policy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name of the autoscaling group.
+	AutoscalingGroupName *string `json:"autoscalingGroupName,omitempty" tf:"autoscaling_group_name,omitempty"`
+
+	// Amount of time, in seconds, after a scaling activity completes and before the next scaling activity can start.
+	Cooldown *float64 `json:"cooldown,omitempty" tf:"cooldown,omitempty"`
+
+	// Whether the scaling policy is enabled or disabled. Default: true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Estimated time, in seconds, until a newly launched instance will contribute CloudWatch metrics. Without a value, AWS will default to the group's specified cooldown period.
+	EstimatedInstanceWarmup *float64 `json:"estimatedInstanceWarmup,omitempty" tf:"estimated_instance_warmup,omitempty"`
+
 	// Short name for the metric used in predictive scaling policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Aggregation type for the policy's metrics. Valid values are "Minimum", "Maximum", and "Average". Without a value, AWS will treat the aggregation type as "Average".
+	MetricAggregationType *string `json:"metricAggregationType,omitempty" tf:"metric_aggregation_type,omitempty"`
+
+	// Minimum value to scale by when adjustment_type is set to PercentChangeInCapacity.
+	MinAdjustmentMagnitude *float64 `json:"minAdjustmentMagnitude,omitempty" tf:"min_adjustment_magnitude,omitempty"`
+
+	// Policy type, either "SimpleScaling", "StepScaling", "TargetTrackingScaling", or "PredictiveScaling". If this value isn't provided, AWS will default to "SimpleScaling."
+	PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"`
+
+	// Predictive scaling policy configuration to use with Amazon EC2 Auto Scaling.
+	PredictiveScalingConfiguration []PredictiveScalingConfigurationObservation `json:"predictiveScalingConfiguration,omitempty" tf:"predictive_scaling_configuration,omitempty"`
+
+	// Number of instances by which to scale. adjustment_type determines the interpretation of this number (e.g., as an absolute number or as a percentage of the existing Auto Scaling group size). A positive increment adds to the current capacity and a negative value removes from the current capacity.
+	ScalingAdjustment *float64 `json:"scalingAdjustment,omitempty" tf:"scaling_adjustment,omitempty"`
+
+	// Set of adjustments that manage
+	// group scaling. These have the following structure:
+	StepAdjustment []StepAdjustmentObservation `json:"stepAdjustment,omitempty" tf:"step_adjustment,omitempty"`
+
+	// Target tracking policy. These have the following structure:
+	TargetTrackingConfiguration []TargetTrackingConfigurationObservation `json:"targetTrackingConfiguration,omitempty" tf:"target_tracking_configuration,omitempty"`
 }
 
 type PolicyParameters struct {
@@ -421,6 +626,12 @@ type PolicyParameters struct {
 }
 
 type PredefinedLoadMetricSpecificationObservation struct {
+
+	// Metric type. Valid values are ASGTotalCPUUtilization, ASGTotalNetworkIn, ASGTotalNetworkOut, or ALBTargetGroupRequestCount.
+	PredefinedMetricType *string `json:"predefinedMetricType,omitempty" tf:"predefined_metric_type,omitempty"`
+
+	// Label that uniquely identifies a specific Application Load Balancer target group from which to determine the request count served by your Auto Scaling group.
+	ResourceLabel *string `json:"resourceLabel,omitempty" tf:"resource_label,omitempty"`
 }
 
 type PredefinedLoadMetricSpecificationParameters struct {
@@ -435,6 +646,12 @@ type PredefinedLoadMetricSpecificationParameters struct {
 }
 
 type PredefinedMetricPairSpecificationObservation struct {
+
+	// Which metrics to use. There are two different types of metrics for each metric type: one is a load metric and one is a scaling metric. For example, if the metric type is ASGCPUUtilization, the Auto Scaling group's total CPU metric is used as the load metric, and the average CPU metric is used for the scaling metric. Valid values are ASGCPUUtilization, ASGNetworkIn, ASGNetworkOut, or ALBRequestCount.
+	PredefinedMetricType *string `json:"predefinedMetricType,omitempty" tf:"predefined_metric_type,omitempty"`
+
+	// Label that uniquely identifies a specific Application Load Balancer target group from which to determine the request count served by your Auto Scaling group.
+	ResourceLabel *string `json:"resourceLabel,omitempty" tf:"resource_label,omitempty"`
 }
 
 type PredefinedMetricPairSpecificationParameters struct {
@@ -449,6 +666,12 @@ type PredefinedMetricPairSpecificationParameters struct {
 }
 
 type PredefinedMetricSpecificationObservation struct {
+
+	// Describes a scaling metric for a predictive scaling policy. Valid values are ASGAverageCPUUtilization, ASGAverageNetworkIn, ASGAverageNetworkOut, or ALBRequestCountPerTarget.
+	PredefinedMetricType *string `json:"predefinedMetricType,omitempty" tf:"predefined_metric_type,omitempty"`
+
+	// Label that uniquely identifies a specific Application Load Balancer target group from which to determine the request count served by your Auto Scaling group.
+	ResourceLabel *string `json:"resourceLabel,omitempty" tf:"resource_label,omitempty"`
 }
 
 type PredefinedMetricSpecificationParameters struct {
@@ -463,6 +686,12 @@ type PredefinedMetricSpecificationParameters struct {
 }
 
 type PredefinedScalingMetricSpecificationObservation struct {
+
+	// Describes a scaling metric for a predictive scaling policy. Valid values are ASGAverageCPUUtilization, ASGAverageNetworkIn, ASGAverageNetworkOut, or ALBRequestCountPerTarget.
+	PredefinedMetricType *string `json:"predefinedMetricType,omitempty" tf:"predefined_metric_type,omitempty"`
+
+	// Label that uniquely identifies a specific Application Load Balancer target group from which to determine the request count served by your Auto Scaling group.
+	ResourceLabel *string `json:"resourceLabel,omitempty" tf:"resource_label,omitempty"`
 }
 
 type PredefinedScalingMetricSpecificationParameters struct {
@@ -477,6 +706,21 @@ type PredefinedScalingMetricSpecificationParameters struct {
 }
 
 type PredictiveScalingConfigurationObservation struct {
+
+	// Defines the behavior that should be applied if the forecast capacity approaches or exceeds the maximum capacity of the Auto Scaling group. Valid values are HonorMaxCapacity or IncreaseMaxCapacity. Default is HonorMaxCapacity.
+	MaxCapacityBreachBehavior *string `json:"maxCapacityBreachBehavior,omitempty" tf:"max_capacity_breach_behavior,omitempty"`
+
+	// Size of the capacity buffer to use when the forecast capacity is close to or exceeds the maximum capacity. Valid range is 0 to 100. If set to 0, Amazon EC2 Auto Scaling may scale capacity higher than the maximum capacity to equal but not exceed forecast capacity.
+	MaxCapacityBuffer *string `json:"maxCapacityBuffer,omitempty" tf:"max_capacity_buffer,omitempty"`
+
+	// This structure includes the metrics and target utilization to use for predictive scaling.
+	MetricSpecification []MetricSpecificationObservation `json:"metricSpecification,omitempty" tf:"metric_specification,omitempty"`
+
+	// Predictive scaling mode. Valid values are ForecastAndScale and ForecastOnly. Default is ForecastOnly.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// Amount of time, in seconds, by which the instance launch time can be advanced. Minimum is 0.
+	SchedulingBufferTime *string `json:"schedulingBufferTime,omitempty" tf:"scheduling_buffer_time,omitempty"`
 }
 
 type PredictiveScalingConfigurationParameters struct {
@@ -503,6 +747,20 @@ type PredictiveScalingConfigurationParameters struct {
 }
 
 type StepAdjustmentObservation struct {
+
+	// Lower bound for the
+	// difference between the alarm threshold and the CloudWatch metric.
+	// Without a value, AWS will treat this bound as negative infinity.
+	MetricIntervalLowerBound *string `json:"metricIntervalLowerBound,omitempty" tf:"metric_interval_lower_bound,omitempty"`
+
+	// Upper bound for the
+	// difference between the alarm threshold and the CloudWatch metric.
+	// Without a value, AWS will treat this bound as positive infinity. The upper bound
+	// must be greater than the lower bound.
+	MetricIntervalUpperBound *string `json:"metricIntervalUpperBound,omitempty" tf:"metric_interval_upper_bound,omitempty"`
+
+	// Number of instances by which to scale. adjustment_type determines the interpretation of this number (e.g., as an absolute number or as a percentage of the existing Auto Scaling group size). A positive increment adds to the current capacity and a negative value removes from the current capacity.
+	ScalingAdjustment *float64 `json:"scalingAdjustment,omitempty" tf:"scaling_adjustment,omitempty"`
 }
 
 type StepAdjustmentParameters struct {
@@ -526,6 +784,18 @@ type StepAdjustmentParameters struct {
 }
 
 type TargetTrackingConfigurationObservation struct {
+
+	// Customized metric. Conflicts with predefined_metric_specification.
+	CustomizedMetricSpecification []CustomizedMetricSpecificationObservation `json:"customizedMetricSpecification,omitempty" tf:"customized_metric_specification,omitempty"`
+
+	// Whether scale in by the target tracking policy is disabled.
+	DisableScaleIn *bool `json:"disableScaleIn,omitempty" tf:"disable_scale_in,omitempty"`
+
+	// Predefined metric. Conflicts with customized_metric_specification.
+	PredefinedMetricSpecification []PredefinedMetricSpecificationObservation `json:"predefinedMetricSpecification,omitempty" tf:"predefined_metric_specification,omitempty"`
+
+	// Target value for the metric.
+	TargetValue *float64 `json:"targetValue,omitempty" tf:"target_value,omitempty"`
 }
 
 type TargetTrackingConfigurationParameters struct {
diff --git a/apis/autoscaling/v1beta1/zz_schedule_types.go b/apis/autoscaling/v1beta1/zz_schedule_types.go
index 72157b3c87..462bb6822b 100755
--- a/apis/autoscaling/v1beta1/zz_schedule_types.go
+++ b/apis/autoscaling/v1beta1/zz_schedule_types.go
@@ -18,7 +18,31 @@ type ScheduleObservation struct {
 	// ARN assigned by AWS to the autoscaling schedule.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The name of the Auto Scaling group.
+	AutoscalingGroupName *string `json:"autoscalingGroupName,omitempty" tf:"autoscaling_group_name,omitempty"`
+
+	// The initial capacity of the Auto Scaling group after the scheduled action runs and the capacity it attempts to maintain. Set to -1 if you don't want to change the desired capacity at the scheduled time. Defaults to 0.
+	DesiredCapacity *float64 `json:"desiredCapacity,omitempty" tf:"desired_capacity,omitempty"`
+
+	// The date and time for the recurring schedule to end, in UTC with the format "YYYY-MM-DDThh:mm:ssZ" (e.g. "2021-06-01T00:00:00Z").
+	EndTime *string `json:"endTime,omitempty" tf:"end_time,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The maximum size of the Auto Scaling group. Set to -1 if you don't want to change the maximum size at the scheduled time. Defaults to 0.
+	MaxSize *float64 `json:"maxSize,omitempty" tf:"max_size,omitempty"`
+
+	// The minimum size of the Auto Scaling group. Set to -1 if you don't want to change the minimum size at the scheduled time. Defaults to 0.
+	MinSize *float64 `json:"minSize,omitempty" tf:"min_size,omitempty"`
+
+	// The recurring schedule for this action specified using the Unix cron syntax format.
+	Recurrence *string `json:"recurrence,omitempty" tf:"recurrence,omitempty"`
+
+	// The date and time for the recurring schedule to start, in UTC with the format "YYYY-MM-DDThh:mm:ssZ" (e.g. "2021-06-01T00:00:00Z").
+	StartTime *string `json:"startTime,omitempty" tf:"start_time,omitempty"`
+
+	// Specifies the time zone for a cron expression. Valid values are the canonical names of the IANA time zones (such as Etc/GMT+9 or Pacific/Tahiti).
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type ScheduleParameters struct {
diff --git a/apis/autoscalingplans/v1beta1/zz_generated.deepcopy.go b/apis/autoscalingplans/v1beta1/zz_generated.deepcopy.go
index 1a143c529d..ba9bd2d046 100644
--- a/apis/autoscalingplans/v1beta1/zz_generated.deepcopy.go
+++ b/apis/autoscalingplans/v1beta1/zz_generated.deepcopy.go
@@ -16,6 +16,18 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationSourceObservation) DeepCopyInto(out *ApplicationSourceObservation) {
 	*out = *in
+	if in.CloudFormationStackArn != nil {
+		in, out := &in.CloudFormationStackArn, &out.CloudFormationStackArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TagFilter != nil {
+		in, out := &in.TagFilter, &out.TagFilter
+		*out = make([]TagFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationSourceObservation.
@@ -58,6 +70,41 @@ func (in *ApplicationSourceParameters) DeepCopy() *ApplicationSourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedLoadMetricSpecificationObservation) DeepCopyInto(out *CustomizedLoadMetricSpecificationObservation) {
 	*out = *in
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Statistic != nil {
+		in, out := &in.Statistic, &out.Statistic
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedLoadMetricSpecificationObservation.
@@ -123,6 +170,41 @@ func (in *CustomizedLoadMetricSpecificationParameters) DeepCopy() *CustomizedLoa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomizedScalingMetricSpecificationObservation) DeepCopyInto(out *CustomizedScalingMetricSpecificationObservation) {
 	*out = *in
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Statistic != nil {
+		in, out := &in.Statistic, &out.Statistic
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomizedScalingMetricSpecificationObservation.
@@ -188,6 +270,16 @@ func (in *CustomizedScalingMetricSpecificationParameters) DeepCopy() *Customized
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredefinedLoadMetricSpecificationObservation) DeepCopyInto(out *PredefinedLoadMetricSpecificationObservation) {
 	*out = *in
+	if in.PredefinedLoadMetricType != nil {
+		in, out := &in.PredefinedLoadMetricType, &out.PredefinedLoadMetricType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLabel != nil {
+		in, out := &in.ResourceLabel, &out.ResourceLabel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredefinedLoadMetricSpecificationObservation.
@@ -228,6 +320,16 @@ func (in *PredefinedLoadMetricSpecificationParameters) DeepCopy() *PredefinedLoa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredefinedScalingMetricSpecificationObservation) DeepCopyInto(out *PredefinedScalingMetricSpecificationObservation) {
 	*out = *in
+	if in.PredefinedScalingMetricType != nil {
+		in, out := &in.PredefinedScalingMetricType, &out.PredefinedScalingMetricType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLabel != nil {
+		in, out := &in.ResourceLabel, &out.ResourceLabel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredefinedScalingMetricSpecificationObservation.
@@ -268,6 +370,82 @@ func (in *PredefinedScalingMetricSpecificationParameters) DeepCopy() *Predefined
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScalingInstructionObservation) DeepCopyInto(out *ScalingInstructionObservation) {
 	*out = *in
+	if in.CustomizedLoadMetricSpecification != nil {
+		in, out := &in.CustomizedLoadMetricSpecification, &out.CustomizedLoadMetricSpecification
+		*out = make([]CustomizedLoadMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DisableDynamicScaling != nil {
+		in, out := &in.DisableDynamicScaling, &out.DisableDynamicScaling
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MaxCapacity != nil {
+		in, out := &in.MaxCapacity, &out.MaxCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinCapacity != nil {
+		in, out := &in.MinCapacity, &out.MinCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PredefinedLoadMetricSpecification != nil {
+		in, out := &in.PredefinedLoadMetricSpecification, &out.PredefinedLoadMetricSpecification
+		*out = make([]PredefinedLoadMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PredictiveScalingMaxCapacityBehavior != nil {
+		in, out := &in.PredictiveScalingMaxCapacityBehavior, &out.PredictiveScalingMaxCapacityBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.PredictiveScalingMaxCapacityBuffer != nil {
+		in, out := &in.PredictiveScalingMaxCapacityBuffer, &out.PredictiveScalingMaxCapacityBuffer
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PredictiveScalingMode != nil {
+		in, out := &in.PredictiveScalingMode, &out.PredictiveScalingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalableDimension != nil {
+		in, out := &in.ScalableDimension, &out.ScalableDimension
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalingPolicyUpdateBehavior != nil {
+		in, out := &in.ScalingPolicyUpdateBehavior, &out.ScalingPolicyUpdateBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduledActionBufferTime != nil {
+		in, out := &in.ScheduledActionBufferTime, &out.ScheduledActionBufferTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServiceNamespace != nil {
+		in, out := &in.ServiceNamespace, &out.ServiceNamespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetTrackingConfiguration != nil {
+		in, out := &in.TargetTrackingConfiguration, &out.TargetTrackingConfiguration
+		*out = make([]TargetTrackingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalingInstructionObservation.
@@ -433,11 +611,30 @@ func (in *ScalingPlanList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScalingPlanObservation) DeepCopyInto(out *ScalingPlanObservation) {
 	*out = *in
+	if in.ApplicationSource != nil {
+		in, out := &in.ApplicationSource, &out.ApplicationSource
+		*out = make([]ApplicationSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalingInstruction != nil {
+		in, out := &in.ScalingInstruction, &out.ScalingInstruction
+		*out = make([]ScalingInstructionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ScalingPlanVersion != nil {
 		in, out := &in.ScalingPlanVersion, &out.ScalingPlanVersion
 		*out = new(float64)
@@ -531,6 +728,22 @@ func (in *ScalingPlanStatus) DeepCopy() *ScalingPlanStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagFilterObservation) DeepCopyInto(out *TagFilterObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagFilterObservation.
@@ -577,6 +790,45 @@ func (in *TagFilterParameters) DeepCopy() *TagFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetTrackingConfigurationObservation) DeepCopyInto(out *TargetTrackingConfigurationObservation) {
 	*out = *in
+	if in.CustomizedScalingMetricSpecification != nil {
+		in, out := &in.CustomizedScalingMetricSpecification, &out.CustomizedScalingMetricSpecification
+		*out = make([]CustomizedScalingMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DisableScaleIn != nil {
+		in, out := &in.DisableScaleIn, &out.DisableScaleIn
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EstimatedInstanceWarmup != nil {
+		in, out := &in.EstimatedInstanceWarmup, &out.EstimatedInstanceWarmup
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PredefinedScalingMetricSpecification != nil {
+		in, out := &in.PredefinedScalingMetricSpecification, &out.PredefinedScalingMetricSpecification
+		*out = make([]PredefinedScalingMetricSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScaleInCooldown != nil {
+		in, out := &in.ScaleInCooldown, &out.ScaleInCooldown
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ScaleOutCooldown != nil {
+		in, out := &in.ScaleOutCooldown, &out.ScaleOutCooldown
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TargetValue != nil {
+		in, out := &in.TargetValue, &out.TargetValue
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetTrackingConfigurationObservation.
diff --git a/apis/autoscalingplans/v1beta1/zz_scalingplan_types.go b/apis/autoscalingplans/v1beta1/zz_scalingplan_types.go
index 68538209c5..559b94c087 100755
--- a/apis/autoscalingplans/v1beta1/zz_scalingplan_types.go
+++ b/apis/autoscalingplans/v1beta1/zz_scalingplan_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ApplicationSourceObservation struct {
+
+	// ARN of a AWS CloudFormation stack.
+	CloudFormationStackArn *string `json:"cloudformationStackArn,omitempty" tf:"cloudformation_stack_arn,omitempty"`
+
+	// Set of tags.
+	TagFilter []TagFilterObservation `json:"tagFilter,omitempty" tf:"tag_filter,omitempty"`
 }
 
 type ApplicationSourceParameters struct {
@@ -28,6 +34,21 @@ type ApplicationSourceParameters struct {
 }
 
 type CustomizedLoadMetricSpecificationObservation struct {
+
+	// Dimensions of the metric.
+	Dimensions map[string]*string `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// Name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// Statistic of the metric. Currently, the value must always be Sum.
+	Statistic *string `json:"statistic,omitempty" tf:"statistic,omitempty"`
+
+	// Unit of the metric.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type CustomizedLoadMetricSpecificationParameters struct {
@@ -54,6 +75,21 @@ type CustomizedLoadMetricSpecificationParameters struct {
 }
 
 type CustomizedScalingMetricSpecificationObservation struct {
+
+	// Dimensions of the metric.
+	Dimensions map[string]*string `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// Name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// Statistic of the metric. Currently, the value must always be Sum.
+	Statistic *string `json:"statistic,omitempty" tf:"statistic,omitempty"`
+
+	// Unit of the metric.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type CustomizedScalingMetricSpecificationParameters struct {
@@ -80,6 +116,12 @@ type CustomizedScalingMetricSpecificationParameters struct {
 }
 
 type PredefinedLoadMetricSpecificationObservation struct {
+
+	// Metric type. Valid values: ALBTargetGroupRequestCount, ASGTotalCPUUtilization, ASGTotalNetworkIn, ASGTotalNetworkOut.
+	PredefinedLoadMetricType *string `json:"predefinedLoadMetricType,omitempty" tf:"predefined_load_metric_type,omitempty"`
+
+	// Identifies the resource associated with the metric type.
+	ResourceLabel *string `json:"resourceLabel,omitempty" tf:"resource_label,omitempty"`
 }
 
 type PredefinedLoadMetricSpecificationParameters struct {
@@ -94,6 +136,12 @@ type PredefinedLoadMetricSpecificationParameters struct {
 }
 
 type PredefinedScalingMetricSpecificationObservation struct {
+
+	// Metric type. Valid values: ALBRequestCountPerTarget, ASGAverageCPUUtilization, ASGAverageNetworkIn, ASGAverageNetworkOut, DynamoDBReadCapacityUtilization, DynamoDBWriteCapacityUtilization, ECSServiceAverageCPUUtilization, ECSServiceAverageMemoryUtilization, EC2SpotFleetRequestAverageCPUUtilization, EC2SpotFleetRequestAverageNetworkIn, EC2SpotFleetRequestAverageNetworkOut, RDSReaderAverageCPUUtilization, RDSReaderAverageDatabaseConnections.
+	PredefinedScalingMetricType *string `json:"predefinedScalingMetricType,omitempty" tf:"predefined_scaling_metric_type,omitempty"`
+
+	// Identifies the resource associated with the metric type.
+	ResourceLabel *string `json:"resourceLabel,omitempty" tf:"resource_label,omitempty"`
 }
 
 type PredefinedScalingMetricSpecificationParameters struct {
@@ -108,6 +156,52 @@ type PredefinedScalingMetricSpecificationParameters struct {
 }
 
 type ScalingInstructionObservation struct {
+
+	// Customized load metric to use for predictive scaling. You must specify either customized_load_metric_specification or predefined_load_metric_specification when configuring predictive scaling.
+	// More details can be found in the AWS Auto Scaling API Reference.
+	CustomizedLoadMetricSpecification []CustomizedLoadMetricSpecificationObservation `json:"customizedLoadMetricSpecification,omitempty" tf:"customized_load_metric_specification,omitempty"`
+
+	// Boolean controlling whether dynamic scaling by AWS Auto Scaling is disabled. Defaults to false.
+	DisableDynamicScaling *bool `json:"disableDynamicScaling,omitempty" tf:"disable_dynamic_scaling,omitempty"`
+
+	// Maximum capacity of the resource. The exception to this upper limit is if you specify a non-default setting for predictive_scaling_max_capacity_behavior.
+	MaxCapacity *float64 `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
+
+	// Minimum capacity of the resource.
+	MinCapacity *float64 `json:"minCapacity,omitempty" tf:"min_capacity,omitempty"`
+
+	// Predefined load metric to use for predictive scaling. You must specify either predefined_load_metric_specification or customized_load_metric_specification when configuring predictive scaling.
+	// More details can be found in the AWS Auto Scaling API Reference.
+	PredefinedLoadMetricSpecification []PredefinedLoadMetricSpecificationObservation `json:"predefinedLoadMetricSpecification,omitempty" tf:"predefined_load_metric_specification,omitempty"`
+
+	// Defines the behavior that should be applied if the forecast capacity approaches or exceeds the maximum capacity specified for the resource.
+	// Valid values: SetForecastCapacityToMaxCapacity, SetMaxCapacityAboveForecastCapacity, SetMaxCapacityToForecastCapacity.
+	PredictiveScalingMaxCapacityBehavior *string `json:"predictiveScalingMaxCapacityBehavior,omitempty" tf:"predictive_scaling_max_capacity_behavior,omitempty"`
+
+	// Size of the capacity buffer to use when the forecast capacity is close to or exceeds the maximum capacity.
+	PredictiveScalingMaxCapacityBuffer *float64 `json:"predictiveScalingMaxCapacityBuffer,omitempty" tf:"predictive_scaling_max_capacity_buffer,omitempty"`
+
+	// Predictive scaling mode. Valid values: ForecastAndScale, ForecastOnly.
+	PredictiveScalingMode *string `json:"predictiveScalingMode,omitempty" tf:"predictive_scaling_mode,omitempty"`
+
+	// ID of the resource. This string consists of the resource type and unique identifier.
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// Scalable dimension associated with the resource. Valid values: autoscaling:autoScalingGroup:DesiredCapacity, dynamodb:index:ReadCapacityUnits, dynamodb:index:WriteCapacityUnits, dynamodb:table:ReadCapacityUnits, dynamodb:table:WriteCapacityUnits, ecs:service:DesiredCount, ec2:spot-fleet-request:TargetCapacity, rds:cluster:ReadReplicaCount.
+	ScalableDimension *string `json:"scalableDimension,omitempty" tf:"scalable_dimension,omitempty"`
+
+	// Controls whether a resource's externally created scaling policies are kept or replaced. Valid values: KeepExternalPolicies, ReplaceExternalPolicies. Defaults to KeepExternalPolicies.
+	ScalingPolicyUpdateBehavior *string `json:"scalingPolicyUpdateBehavior,omitempty" tf:"scaling_policy_update_behavior,omitempty"`
+
+	// Amount of time, in seconds, to buffer the run time of scheduled scaling actions when scaling out.
+	ScheduledActionBufferTime *float64 `json:"scheduledActionBufferTime,omitempty" tf:"scheduled_action_buffer_time,omitempty"`
+
+	// Namespace of the AWS service. Valid values: autoscaling, dynamodb, ecs, ec2, rds.
+	ServiceNamespace *string `json:"serviceNamespace,omitempty" tf:"service_namespace,omitempty"`
+
+	// Structure that defines new target tracking configurations. Each of these structures includes a specific scaling metric and a target value for the metric, along with various parameters to use with dynamic scaling.
+	// More details can be found in the AWS Auto Scaling API Reference.
+	TargetTrackingConfiguration []TargetTrackingConfigurationObservation `json:"targetTrackingConfiguration,omitempty" tf:"target_tracking_configuration,omitempty"`
 }
 
 type ScalingInstructionParameters struct {
@@ -175,9 +269,18 @@ type ScalingInstructionParameters struct {
 
 type ScalingPlanObservation struct {
 
+	// CloudFormation stack or set of tags. You can create one scaling plan per application source.
+	ApplicationSource []ApplicationSourceObservation `json:"applicationSource,omitempty" tf:"application_source,omitempty"`
+
 	// Scaling plan identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the scaling plan. Names cannot contain vertical bars, colons, or forward slashes.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Scaling instructions. More details can be found in the AWS Auto Scaling API Reference.
+	ScalingInstruction []ScalingInstructionObservation `json:"scalingInstruction,omitempty" tf:"scaling_instruction,omitempty"`
+
 	// The version number of the scaling plan. This value is always 1.
 	ScalingPlanVersion *float64 `json:"scalingPlanVersion,omitempty" tf:"scaling_plan_version,omitempty"`
 }
@@ -185,12 +288,12 @@ type ScalingPlanObservation struct {
 type ScalingPlanParameters struct {
 
 	// CloudFormation stack or set of tags. You can create one scaling plan per application source.
-	// +kubebuilder:validation:Required
-	ApplicationSource []ApplicationSourceParameters `json:"applicationSource" tf:"application_source,omitempty"`
+	// +kubebuilder:validation:Optional
+	ApplicationSource []ApplicationSourceParameters `json:"applicationSource,omitempty" tf:"application_source,omitempty"`
 
 	// Name of the scaling plan. Names cannot contain vertical bars, colons, or forward slashes.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -198,11 +301,17 @@ type ScalingPlanParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Scaling instructions. More details can be found in the AWS Auto Scaling API Reference.
-	// +kubebuilder:validation:Required
-	ScalingInstruction []ScalingInstructionParameters `json:"scalingInstruction" tf:"scaling_instruction,omitempty"`
+	// +kubebuilder:validation:Optional
+	ScalingInstruction []ScalingInstructionParameters `json:"scalingInstruction,omitempty" tf:"scaling_instruction,omitempty"`
 }
 
 type TagFilterObservation struct {
+
+	// Tag key.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Tag values.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type TagFilterParameters struct {
@@ -217,6 +326,32 @@ type TagFilterParameters struct {
 }
 
 type TargetTrackingConfigurationObservation struct {
+
+	// Customized metric. You can specify either customized_scaling_metric_specification or predefined_scaling_metric_specification.
+	// More details can be found in the AWS Auto Scaling API Reference.
+	CustomizedScalingMetricSpecification []CustomizedScalingMetricSpecificationObservation `json:"customizedScalingMetricSpecification,omitempty" tf:"customized_scaling_metric_specification,omitempty"`
+
+	// Boolean indicating whether scale in by the target tracking scaling policy is disabled. Defaults to false.
+	DisableScaleIn *bool `json:"disableScaleIn,omitempty" tf:"disable_scale_in,omitempty"`
+
+	// Estimated time, in seconds, until a newly launched instance can contribute to the CloudWatch metrics.
+	// This value is used only if the resource is an Auto Scaling group.
+	EstimatedInstanceWarmup *float64 `json:"estimatedInstanceWarmup,omitempty" tf:"estimated_instance_warmup,omitempty"`
+
+	// Predefined metric. You can specify either predefined_scaling_metric_specification or customized_scaling_metric_specification.
+	// More details can be found in the AWS Auto Scaling API Reference.
+	PredefinedScalingMetricSpecification []PredefinedScalingMetricSpecificationObservation `json:"predefinedScalingMetricSpecification,omitempty" tf:"predefined_scaling_metric_specification,omitempty"`
+
+	// Amount of time, in seconds, after a scale in activity completes before another scale in activity can start.
+	// This value is not used if the scalable resource is an Auto Scaling group.
+	ScaleInCooldown *float64 `json:"scaleInCooldown,omitempty" tf:"scale_in_cooldown,omitempty"`
+
+	// Amount of time, in seconds, after a scale-out activity completes before another scale-out activity can start.
+	// This value is not used if the scalable resource is an Auto Scaling group.
+	ScaleOutCooldown *float64 `json:"scaleOutCooldown,omitempty" tf:"scale_out_cooldown,omitempty"`
+
+	// Target value for the metric.
+	TargetValue *float64 `json:"targetValue,omitempty" tf:"target_value,omitempty"`
 }
 
 type TargetTrackingConfigurationParameters struct {
@@ -279,8 +414,11 @@ type ScalingPlanStatus struct {
 type ScalingPlan struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ScalingPlanSpec   `json:"spec"`
-	Status            ScalingPlanStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.applicationSource)",message="applicationSource is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scalingInstruction)",message="scalingInstruction is a required parameter"
+	Spec   ScalingPlanSpec   `json:"spec"`
+	Status ScalingPlanStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_framework_types.go b/apis/backup/v1beta1/zz_framework_types.go
index 0b15f15572..349f5b555f 100755
--- a/apis/backup/v1beta1/zz_framework_types.go
+++ b/apis/backup/v1beta1/zz_framework_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ControlObservation struct {
+
+	// One or more input parameter blocks. An example of a control with two parameters is: "backup plan frequency is at least daily and the retention period is at least 1 year". The first parameter is daily. The second parameter is 1 year. Detailed below.
+	InputParameter []InputParameterObservation `json:"inputParameter,omitempty" tf:"input_parameter,omitempty"`
+
+	// The unique name of the framework. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters, numbers, and underscores.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The scope of a control. The control scope defines what the control will evaluate. Three examples of control scopes are: a specific backup plan, all backup plans with a specific tag, or all backup plans. Detailed below.
+	Scope []ScopeObservation `json:"scope,omitempty" tf:"scope,omitempty"`
 }
 
 type ControlParameters struct {
@@ -36,18 +45,30 @@ type FrameworkObservation struct {
 	// The ARN of the backup framework.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// One or more control blocks that make up the framework. Each control in the list has a name, input parameters, and scope. Detailed below.
+	Control []ControlObservation `json:"control,omitempty" tf:"control,omitempty"`
+
 	// The date and time that a framework is created, in Unix format and Coordinated Universal Time (UTC).
 	CreationTime *string `json:"creationTime,omitempty" tf:"creation_time,omitempty"`
 
 	// The deployment status of a framework. The statuses are: CREATE_IN_PROGRESS | UPDATE_IN_PROGRESS | DELETE_IN_PROGRESS | COMPLETED | FAILED.
 	DeploymentStatus *string `json:"deploymentStatus,omitempty" tf:"deployment_status,omitempty"`
 
+	// The description of the framework with a maximum of 1,024 characters
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The id of the backup framework.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The unique name of the framework. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters, numbers, and underscores.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// A framework consists of one or more controls. Each control governs a resource, such as backup plans, backup selections, backup vaults, or recovery points. You can also turn AWS Config recording on or off for each resource. For more information refer to the AWS documentation for Framework Status
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -55,16 +76,16 @@ type FrameworkObservation struct {
 type FrameworkParameters struct {
 
 	// One or more control blocks that make up the framework. Each control in the list has a name, input parameters, and scope. Detailed below.
-	// +kubebuilder:validation:Required
-	Control []ControlParameters `json:"control" tf:"control,omitempty"`
+	// +kubebuilder:validation:Optional
+	Control []ControlParameters `json:"control,omitempty" tf:"control,omitempty"`
 
 	// The description of the framework with a maximum of 1,024 characters
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The unique name of the framework. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters, numbers, and underscores.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -77,6 +98,12 @@ type FrameworkParameters struct {
 }
 
 type InputParameterObservation struct {
+
+	// The unique name of the framework. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters, numbers, and underscores.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of parameter, for example, hourly.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type InputParameterParameters struct {
@@ -91,6 +118,15 @@ type InputParameterParameters struct {
 }
 
 type ScopeObservation struct {
+
+	// The ID of the only AWS resource that you want your control scope to contain. Minimum number of 1 item. Maximum number of 100 items.
+	ComplianceResourceIds []*string `json:"complianceResourceIds,omitempty" tf:"compliance_resource_ids,omitempty"`
+
+	// Describes whether the control scope includes one or more types of resources, such as EFS or RDS.
+	ComplianceResourceTypes []*string `json:"complianceResourceTypes,omitempty" tf:"compliance_resource_types,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type ScopeParameters struct {
@@ -132,8 +168,10 @@ type FrameworkStatus struct {
 type Framework struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FrameworkSpec   `json:"spec"`
-	Status            FrameworkStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.control)",message="control is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   FrameworkSpec   `json:"spec"`
+	Status FrameworkStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_generated.deepcopy.go b/apis/backup/v1beta1/zz_generated.deepcopy.go
index 61ef410ec9..b40b867782 100644
--- a/apis/backup/v1beta1/zz_generated.deepcopy.go
+++ b/apis/backup/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,26 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdvancedBackupSettingObservation) DeepCopyInto(out *AdvancedBackupSettingObservation) {
 	*out = *in
+	if in.BackupOptions != nil {
+		in, out := &in.BackupOptions, &out.BackupOptions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedBackupSettingObservation.
@@ -67,6 +87,34 @@ func (in *AdvancedBackupSettingParameters) DeepCopy() *AdvancedBackupSettingPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionObservation) DeepCopyInto(out *ConditionObservation) {
 	*out = *in
+	if in.StringEquals != nil {
+		in, out := &in.StringEquals, &out.StringEquals
+		*out = make([]StringEqualsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StringLike != nil {
+		in, out := &in.StringLike, &out.StringLike
+		*out = make([]StringLikeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StringNotEquals != nil {
+		in, out := &in.StringNotEquals, &out.StringNotEquals
+		*out = make([]StringNotEqualsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StringNotLike != nil {
+		in, out := &in.StringNotLike, &out.StringNotLike
+		*out = make([]StringNotLikeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionObservation.
@@ -125,6 +173,25 @@ func (in *ConditionParameters) DeepCopy() *ConditionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControlObservation) DeepCopyInto(out *ControlObservation) {
 	*out = *in
+	if in.InputParameter != nil {
+		in, out := &in.InputParameter, &out.InputParameter
+		*out = make([]InputParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = make([]ScopeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlObservation.
@@ -174,6 +241,18 @@ func (in *ControlParameters) DeepCopy() *ControlParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CopyActionObservation) DeepCopyInto(out *CopyActionObservation) {
 	*out = *in
+	if in.DestinationVaultArn != nil {
+		in, out := &in.DestinationVaultArn, &out.DestinationVaultArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lifecycle != nil {
+		in, out := &in.Lifecycle, &out.Lifecycle
+		*out = make([]LifecycleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CopyActionObservation.
@@ -280,6 +359,13 @@ func (in *FrameworkObservation) DeepCopyInto(out *FrameworkObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Control != nil {
+		in, out := &in.Control, &out.Control
+		*out = make([]ControlObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.CreationTime != nil {
 		in, out := &in.CreationTime, &out.CreationTime
 		*out = new(string)
@@ -290,16 +376,41 @@ func (in *FrameworkObservation) DeepCopyInto(out *FrameworkObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -475,6 +586,21 @@ func (in *GlobalSettingsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GlobalSettingsObservation) DeepCopyInto(out *GlobalSettingsObservation) {
 	*out = *in
+	if in.GlobalSettings != nil {
+		in, out := &in.GlobalSettings, &out.GlobalSettings
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -564,6 +690,16 @@ func (in *GlobalSettingsStatus) DeepCopy() *GlobalSettingsStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputParameterObservation) DeepCopyInto(out *InputParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputParameterObservation.
@@ -604,6 +740,16 @@ func (in *InputParameterParameters) DeepCopy() *InputParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LifecycleObservation) DeepCopyInto(out *LifecycleObservation) {
 	*out = *in
+	if in.ColdStorageAfter != nil {
+		in, out := &in.ColdStorageAfter, &out.ColdStorageAfter
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DeleteAfter != nil {
+		in, out := &in.DeleteAfter, &out.DeleteAfter
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LifecycleObservation.
@@ -703,6 +849,13 @@ func (in *PlanList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlanObservation) DeepCopyInto(out *PlanObservation) {
 	*out = *in
+	if in.AdvancedBackupSetting != nil {
+		in, out := &in.AdvancedBackupSetting, &out.AdvancedBackupSetting
+		*out = make([]AdvancedBackupSettingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -713,6 +866,33 @@ func (in *PlanObservation) DeepCopyInto(out *PlanObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]RuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -900,6 +1080,36 @@ func (in *RegionSettingsObservation) DeepCopyInto(out *RegionSettingsObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceTypeManagementPreference != nil {
+		in, out := &in.ResourceTypeManagementPreference, &out.ResourceTypeManagementPreference
+		*out = make(map[string]*bool, len(*in))
+		for key, val := range *in {
+			var outVal *bool
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(bool)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ResourceTypeOptInPreference != nil {
+		in, out := &in.ResourceTypeOptInPreference, &out.ResourceTypeOptInPreference
+		*out = make(map[string]*bool, len(*in))
+		for key, val := range *in {
+			var outVal *bool
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(bool)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegionSettingsObservation.
@@ -999,6 +1209,27 @@ func (in *RegionSettingsStatus) DeepCopy() *RegionSettingsStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReportDeliveryChannelObservation) DeepCopyInto(out *ReportDeliveryChannelObservation) {
 	*out = *in
+	if in.Formats != nil {
+		in, out := &in.Formats, &out.Formats
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.S3BucketName != nil {
+		in, out := &in.S3BucketName, &out.S3BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KeyPrefix != nil {
+		in, out := &in.S3KeyPrefix, &out.S3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportDeliveryChannelObservation.
@@ -1124,11 +1355,50 @@ func (in *ReportPlanObservation) DeepCopyInto(out *ReportPlanObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReportDeliveryChannel != nil {
+		in, out := &in.ReportDeliveryChannel, &out.ReportDeliveryChannel
+		*out = make([]ReportDeliveryChannelObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReportSetting != nil {
+		in, out := &in.ReportSetting, &out.ReportSetting
+		*out = make([]ReportSettingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1252,6 +1522,27 @@ func (in *ReportPlanStatus) DeepCopy() *ReportPlanStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReportSettingObservation) DeepCopyInto(out *ReportSettingObservation) {
 	*out = *in
+	if in.FrameworkArns != nil {
+		in, out := &in.FrameworkArns, &out.FrameworkArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.NumberOfFrameworks != nil {
+		in, out := &in.NumberOfFrameworks, &out.NumberOfFrameworks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ReportTemplate != nil {
+		in, out := &in.ReportTemplate, &out.ReportTemplate
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportSettingObservation.
@@ -1303,6 +1594,16 @@ func (in *ReportSettingParameters) DeepCopy() *ReportSettingParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleLifecycleObservation) DeepCopyInto(out *RuleLifecycleObservation) {
 	*out = *in
+	if in.ColdStorageAfter != nil {
+		in, out := &in.ColdStorageAfter, &out.ColdStorageAfter
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DeleteAfter != nil {
+		in, out := &in.DeleteAfter, &out.DeleteAfter
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleLifecycleObservation.
@@ -1310,39 +1611,98 @@ func (in *RuleLifecycleObservation) DeepCopy() *RuleLifecycleObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(RuleLifecycleObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RuleLifecycleParameters) DeepCopyInto(out *RuleLifecycleParameters) {
-	*out = *in
-	if in.ColdStorageAfter != nil {
-		in, out := &in.ColdStorageAfter, &out.ColdStorageAfter
-		*out = new(float64)
+	out := new(RuleLifecycleObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleLifecycleParameters) DeepCopyInto(out *RuleLifecycleParameters) {
+	*out = *in
+	if in.ColdStorageAfter != nil {
+		in, out := &in.ColdStorageAfter, &out.ColdStorageAfter
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DeleteAfter != nil {
+		in, out := &in.DeleteAfter, &out.DeleteAfter
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleLifecycleParameters.
+func (in *RuleLifecycleParameters) DeepCopy() *RuleLifecycleParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleLifecycleParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
+	*out = *in
+	if in.CompletionWindow != nil {
+		in, out := &in.CompletionWindow, &out.CompletionWindow
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CopyAction != nil {
+		in, out := &in.CopyAction, &out.CopyAction
+		*out = make([]CopyActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnableContinuousBackup != nil {
+		in, out := &in.EnableContinuousBackup, &out.EnableContinuousBackup
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Lifecycle != nil {
+		in, out := &in.Lifecycle, &out.Lifecycle
+		*out = make([]RuleLifecycleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecoveryPointTags != nil {
+		in, out := &in.RecoveryPointTags, &out.RecoveryPointTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.RuleName != nil {
+		in, out := &in.RuleName, &out.RuleName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = new(string)
 		**out = **in
 	}
-	if in.DeleteAfter != nil {
-		in, out := &in.DeleteAfter, &out.DeleteAfter
+	if in.StartWindow != nil {
+		in, out := &in.StartWindow, &out.StartWindow
 		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleLifecycleParameters.
-func (in *RuleLifecycleParameters) DeepCopy() *RuleLifecycleParameters {
-	if in == nil {
-		return nil
+	if in.TargetVaultName != nil {
+		in, out := &in.TargetVaultName, &out.TargetVaultName
+		*out = new(string)
+		**out = **in
 	}
-	out := new(RuleLifecycleParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleObservation.
@@ -1442,6 +1802,43 @@ func (in *RuleParameters) DeepCopy() *RuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScopeObservation) DeepCopyInto(out *ScopeObservation) {
 	*out = *in
+	if in.ComplianceResourceIds != nil {
+		in, out := &in.ComplianceResourceIds, &out.ComplianceResourceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ComplianceResourceTypes != nil {
+		in, out := &in.ComplianceResourceTypes, &out.ComplianceResourceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopeObservation.
@@ -1568,11 +1965,62 @@ func (in *SelectionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelectionObservation) DeepCopyInto(out *SelectionObservation) {
 	*out = *in
+	if in.Condition != nil {
+		in, out := &in.Condition, &out.Condition
+		*out = make([]ConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotResources != nil {
+		in, out := &in.NotResources, &out.NotResources
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PlanID != nil {
+		in, out := &in.PlanID, &out.PlanID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SelectionTag != nil {
+		in, out := &in.SelectionTag, &out.SelectionTag
+		*out = make([]SelectionTagObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelectionObservation.
@@ -1713,6 +2161,21 @@ func (in *SelectionStatus) DeepCopy() *SelectionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelectionTagObservation) DeepCopyInto(out *SelectionTagObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelectionTagObservation.
@@ -1758,6 +2221,16 @@ func (in *SelectionTagParameters) DeepCopy() *SelectionTagParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringEqualsObservation) DeepCopyInto(out *StringEqualsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringEqualsObservation.
@@ -1798,6 +2271,16 @@ func (in *StringEqualsParameters) DeepCopy() *StringEqualsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringLikeObservation) DeepCopyInto(out *StringLikeObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringLikeObservation.
@@ -1838,6 +2321,16 @@ func (in *StringLikeParameters) DeepCopy() *StringLikeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringNotEqualsObservation) DeepCopyInto(out *StringNotEqualsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringNotEqualsObservation.
@@ -1878,6 +2371,16 @@ func (in *StringNotEqualsParameters) DeepCopy() *StringNotEqualsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringNotLikeObservation) DeepCopyInto(out *StringNotLikeObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringNotLikeObservation.
@@ -2041,11 +2544,31 @@ func (in *VaultLockConfigurationObservation) DeepCopyInto(out *VaultLockConfigur
 		*out = new(string)
 		**out = **in
 	}
+	if in.BackupVaultName != nil {
+		in, out := &in.BackupVaultName, &out.BackupVaultName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ChangeableForDays != nil {
+		in, out := &in.ChangeableForDays, &out.ChangeableForDays
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxRetentionDays != nil {
+		in, out := &in.MaxRetentionDays, &out.MaxRetentionDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinRetentionDays != nil {
+		in, out := &in.MinRetentionDays, &out.MinRetentionDays
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultLockConfigurationObservation.
@@ -2209,11 +2732,32 @@ func (in *VaultNotificationsObservation) DeepCopyInto(out *VaultNotificationsObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.BackupVaultEvents != nil {
+		in, out := &in.BackupVaultEvents, &out.BackupVaultEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BackupVaultName != nil {
+		in, out := &in.BackupVaultName, &out.BackupVaultName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultNotificationsObservation.
@@ -2329,16 +2873,41 @@ func (in *VaultObservation) DeepCopyInto(out *VaultObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.RecoveryPoints != nil {
 		in, out := &in.RecoveryPoints, &out.RecoveryPoints
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2488,11 +3057,21 @@ func (in *VaultPolicyObservation) DeepCopyInto(out *VaultPolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BackupVaultName != nil {
+		in, out := &in.BackupVaultName, &out.BackupVaultName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultPolicyObservation.
diff --git a/apis/backup/v1beta1/zz_globalsettings_types.go b/apis/backup/v1beta1/zz_globalsettings_types.go
index b86c37f438..dd44ff9cb2 100755
--- a/apis/backup/v1beta1/zz_globalsettings_types.go
+++ b/apis/backup/v1beta1/zz_globalsettings_types.go
@@ -15,6 +15,9 @@ import (
 
 type GlobalSettingsObservation struct {
 
+	// A list of resources along with the opt-in preferences for the account.
+	GlobalSettings map[string]*string `json:"globalSettings,omitempty" tf:"global_settings,omitempty"`
+
 	// The AWS Account ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -22,8 +25,8 @@ type GlobalSettingsObservation struct {
 type GlobalSettingsParameters struct {
 
 	// A list of resources along with the opt-in preferences for the account.
-	// +kubebuilder:validation:Required
-	GlobalSettings map[string]*string `json:"globalSettings" tf:"global_settings,omitempty"`
+	// +kubebuilder:validation:Optional
+	GlobalSettings map[string]*string `json:"globalSettings,omitempty" tf:"global_settings,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -55,8 +58,9 @@ type GlobalSettingsStatus struct {
 type GlobalSettings struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GlobalSettingsSpec   `json:"spec"`
-	Status            GlobalSettingsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.globalSettings)",message="globalSettings is a required parameter"
+	Spec   GlobalSettingsSpec   `json:"spec"`
+	Status GlobalSettingsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_plan_types.go b/apis/backup/v1beta1/zz_plan_types.go
index f31a3943ed..e352554d7b 100755
--- a/apis/backup/v1beta1/zz_plan_types.go
+++ b/apis/backup/v1beta1/zz_plan_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AdvancedBackupSettingObservation struct {
+
+	// Specifies the backup option for a selected resource. This option is only available for Windows VSS backup jobs. Set to { WindowsVSS = "enabled" } to enable Windows VSS backup option and create a VSS Windows backup.
+	BackupOptions map[string]*string `json:"backupOptions,omitempty" tf:"backup_options,omitempty"`
+
+	// The type of AWS resource to be backed up. For VSS Windows backups, the only supported resource type is Amazon EC2. Valid values: EC2.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
 }
 
 type AdvancedBackupSettingParameters struct {
@@ -28,6 +34,12 @@ type AdvancedBackupSettingParameters struct {
 }
 
 type CopyActionObservation struct {
+
+	// An Amazon Resource Name (ARN) that uniquely identifies the destination backup vault for the copied backup.
+	DestinationVaultArn *string `json:"destinationVaultArn,omitempty" tf:"destination_vault_arn,omitempty"`
+
+	// The lifecycle defines when a protected resource is transitioned to cold storage and when it expires.  Fields documented below.
+	Lifecycle []LifecycleObservation `json:"lifecycle,omitempty" tf:"lifecycle,omitempty"`
 }
 
 type CopyActionParameters struct {
@@ -42,6 +54,12 @@ type CopyActionParameters struct {
 }
 
 type LifecycleObservation struct {
+
+	// Specifies the number of days after creation that a recovery point is moved to cold storage.
+	ColdStorageAfter *float64 `json:"coldStorageAfter,omitempty" tf:"cold_storage_after,omitempty"`
+
+	// Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than cold_storage_after.
+	DeleteAfter *float64 `json:"deleteAfter,omitempty" tf:"delete_after,omitempty"`
 }
 
 type LifecycleParameters struct {
@@ -57,12 +75,24 @@ type LifecycleParameters struct {
 
 type PlanObservation struct {
 
+	// An object that specifies backup options for each resource type.
+	AdvancedBackupSetting []AdvancedBackupSettingObservation `json:"advancedBackupSetting,omitempty" tf:"advanced_backup_setting,omitempty"`
+
 	// The ARN of the backup plan.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The id of the backup plan.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The display name of a backup plan.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A rule object that specifies a scheduled task that is used to back up a selection of resources.
+	Rule []RuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -77,8 +107,8 @@ type PlanParameters struct {
 	AdvancedBackupSetting []AdvancedBackupSettingParameters `json:"advancedBackupSetting,omitempty" tf:"advanced_backup_setting,omitempty"`
 
 	// The display name of a backup plan.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -86,8 +116,8 @@ type PlanParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// A rule object that specifies a scheduled task that is used to back up a selection of resources.
-	// +kubebuilder:validation:Required
-	Rule []RuleParameters `json:"rule" tf:"rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Rule []RuleParameters `json:"rule,omitempty" tf:"rule,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -95,6 +125,12 @@ type PlanParameters struct {
 }
 
 type RuleLifecycleObservation struct {
+
+	// Specifies the number of days after creation that a recovery point is moved to cold storage.
+	ColdStorageAfter *float64 `json:"coldStorageAfter,omitempty" tf:"cold_storage_after,omitempty"`
+
+	// Specifies the number of days after creation that a recovery point is deleted. Must be 90 days greater than cold_storage_after.
+	DeleteAfter *float64 `json:"deleteAfter,omitempty" tf:"delete_after,omitempty"`
 }
 
 type RuleLifecycleParameters struct {
@@ -109,6 +145,33 @@ type RuleLifecycleParameters struct {
 }
 
 type RuleObservation struct {
+
+	// The amount of time in minutes AWS Backup attempts a backup before canceling the job and returning an error.
+	CompletionWindow *float64 `json:"completionWindow,omitempty" tf:"completion_window,omitempty"`
+
+	// Configuration block(s) with copy operation settings. Detailed below.
+	CopyAction []CopyActionObservation `json:"copyAction,omitempty" tf:"copy_action,omitempty"`
+
+	// Enable continuous backups for supported resources.
+	EnableContinuousBackup *bool `json:"enableContinuousBackup,omitempty" tf:"enable_continuous_backup,omitempty"`
+
+	// The lifecycle defines when a protected resource is transitioned to cold storage and when it expires.  Fields documented below.
+	Lifecycle []RuleLifecycleObservation `json:"lifecycle,omitempty" tf:"lifecycle,omitempty"`
+
+	// Metadata that you can assign to help organize the resources that you create.
+	RecoveryPointTags map[string]*string `json:"recoveryPointTags,omitempty" tf:"recovery_point_tags,omitempty"`
+
+	// An display name for a backup rule.
+	RuleName *string `json:"ruleName,omitempty" tf:"rule_name,omitempty"`
+
+	// A CRON expression specifying when AWS Backup initiates a backup job.
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// The amount of time in minutes before beginning a backup.
+	StartWindow *float64 `json:"startWindow,omitempty" tf:"start_window,omitempty"`
+
+	// The name of a logical container where backups are stored.
+	TargetVaultName *string `json:"targetVaultName,omitempty" tf:"target_vault_name,omitempty"`
 }
 
 type RuleParameters struct {
@@ -183,8 +246,10 @@ type PlanStatus struct {
 type Plan struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PlanSpec   `json:"spec"`
-	Status            PlanStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)",message="rule is a required parameter"
+	Spec   PlanSpec   `json:"spec"`
+	Status PlanStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_regionsettings_types.go b/apis/backup/v1beta1/zz_regionsettings_types.go
index c8b06e35f1..d665b78763 100755
--- a/apis/backup/v1beta1/zz_regionsettings_types.go
+++ b/apis/backup/v1beta1/zz_regionsettings_types.go
@@ -17,6 +17,16 @@ type RegionSettingsObservation struct {
 
 	// The AWS region.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A map of services along with the management preferences for the Region.
+	//
+	// WARNING: All parameters are required to be given: EFS, DynamoDB
+	ResourceTypeManagementPreference map[string]*bool `json:"resourceTypeManagementPreference,omitempty" tf:"resource_type_management_preference,omitempty"`
+
+	// A map of services along with the opt-in preferences for the Region.
+	//
+	// WARNING: All parameters are required to be given: EFS, DynamoDB, EBS, EC2, FSx, S3, Aurora, RDS, Storage Gateway, VirtualMachine
+	ResourceTypeOptInPreference map[string]*bool `json:"resourceTypeOptInPreference,omitempty" tf:"resource_type_opt_in_preference,omitempty"`
 }
 
 type RegionSettingsParameters struct {
@@ -35,8 +45,8 @@ type RegionSettingsParameters struct {
 	// A map of services along with the opt-in preferences for the Region.
 	//
 	// WARNING: All parameters are required to be given: EFS, DynamoDB, EBS, EC2, FSx, S3, Aurora, RDS, Storage Gateway, VirtualMachine
-	// +kubebuilder:validation:Required
-	ResourceTypeOptInPreference map[string]*bool `json:"resourceTypeOptInPreference" tf:"resource_type_opt_in_preference,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceTypeOptInPreference map[string]*bool `json:"resourceTypeOptInPreference,omitempty" tf:"resource_type_opt_in_preference,omitempty"`
 }
 
 // RegionSettingsSpec defines the desired state of RegionSettings
@@ -63,8 +73,9 @@ type RegionSettingsStatus struct {
 type RegionSettings struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegionSettingsSpec   `json:"spec"`
-	Status            RegionSettingsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceTypeOptInPreference)",message="resourceTypeOptInPreference is a required parameter"
+	Spec   RegionSettingsSpec   `json:"spec"`
+	Status RegionSettingsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_reportplan_types.go b/apis/backup/v1beta1/zz_reportplan_types.go
index 2f5ce213f5..5e8e17d2c6 100755
--- a/apis/backup/v1beta1/zz_reportplan_types.go
+++ b/apis/backup/v1beta1/zz_reportplan_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ReportDeliveryChannelObservation struct {
+
+	// A list of the format of your reports: CSV, JSON, or both. If not specified, the default format is CSV.
+	Formats []*string `json:"formats,omitempty" tf:"formats,omitempty"`
+
+	// The unique name of the S3 bucket that receives your reports.
+	S3BucketName *string `json:"s3BucketName,omitempty" tf:"s3_bucket_name,omitempty"`
+
+	// The prefix for where Backup Audit Manager delivers your reports to Amazon S3. The prefix is this part of the following path: s3://your-bucket-name/prefix/Backup/us-west-2/year/month/day/report-name. If not specified, there is no prefix.
+	S3KeyPrefix *string `json:"s3KeyPrefix,omitempty" tf:"s3_key_prefix,omitempty"`
 }
 
 type ReportDeliveryChannelParameters struct {
@@ -42,9 +51,24 @@ type ReportPlanObservation struct {
 	// The deployment status of a report plan. The statuses are: CREATE_IN_PROGRESS | UPDATE_IN_PROGRESS | DELETE_IN_PROGRESS | COMPLETED.
 	DeploymentStatus *string `json:"deploymentStatus,omitempty" tf:"deployment_status,omitempty"`
 
+	// The description of the report plan with a maximum of 1,024 characters
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The id of the backup report plan.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The unique name of the report plan. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters, numbers, and underscores.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// An object that contains information about where and how to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports. Detailed below.
+	ReportDeliveryChannel []ReportDeliveryChannelObservation `json:"reportDeliveryChannel,omitempty" tf:"report_delivery_channel,omitempty"`
+
+	// An object that identifies the report template for the report. Reports are built using a report template. Detailed below.
+	ReportSetting []ReportSettingObservation `json:"reportSetting,omitempty" tf:"report_setting,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -56,8 +80,8 @@ type ReportPlanParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The unique name of the report plan. The name must be between 1 and 256 characters, starting with a letter, and consisting of letters, numbers, and underscores.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -65,12 +89,12 @@ type ReportPlanParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// An object that contains information about where and how to deliver your reports, specifically your Amazon S3 bucket name, S3 key prefix, and the formats of your reports. Detailed below.
-	// +kubebuilder:validation:Required
-	ReportDeliveryChannel []ReportDeliveryChannelParameters `json:"reportDeliveryChannel" tf:"report_delivery_channel,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReportDeliveryChannel []ReportDeliveryChannelParameters `json:"reportDeliveryChannel,omitempty" tf:"report_delivery_channel,omitempty"`
 
 	// An object that identifies the report template for the report. Reports are built using a report template. Detailed below.
-	// +kubebuilder:validation:Required
-	ReportSetting []ReportSettingParameters `json:"reportSetting" tf:"report_setting,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReportSetting []ReportSettingParameters `json:"reportSetting,omitempty" tf:"report_setting,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -78,6 +102,15 @@ type ReportPlanParameters struct {
 }
 
 type ReportSettingObservation struct {
+
+	// Specifies the Amazon Resource Names (ARNs) of the frameworks a report covers.
+	FrameworkArns []*string `json:"frameworkArns,omitempty" tf:"framework_arns,omitempty"`
+
+	// Specifies the number of frameworks a report covers.
+	NumberOfFrameworks *float64 `json:"numberOfFrameworks,omitempty" tf:"number_of_frameworks,omitempty"`
+
+	// Identifies the report template for the report. Reports are built using a report template. The report templates are: RESOURCE_COMPLIANCE_REPORT | CONTROL_COMPLIANCE_REPORT | BACKUP_JOB_REPORT | COPY_JOB_REPORT | RESTORE_JOB_REPORT.
+	ReportTemplate *string `json:"reportTemplate,omitempty" tf:"report_template,omitempty"`
 }
 
 type ReportSettingParameters struct {
@@ -119,8 +152,11 @@ type ReportPlanStatus struct {
 type ReportPlan struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReportPlanSpec   `json:"spec"`
-	Status            ReportPlanStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reportDeliveryChannel)",message="reportDeliveryChannel is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reportSetting)",message="reportSetting is a required parameter"
+	Spec   ReportPlanSpec   `json:"spec"`
+	Status ReportPlanStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_selection_types.go b/apis/backup/v1beta1/zz_selection_types.go
index 4262cab3f6..655f43bb62 100755
--- a/apis/backup/v1beta1/zz_selection_types.go
+++ b/apis/backup/v1beta1/zz_selection_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type ConditionObservation struct {
+	StringEquals []StringEqualsObservation `json:"stringEquals,omitempty" tf:"string_equals,omitempty"`
+
+	StringLike []StringLikeObservation `json:"stringLike,omitempty" tf:"string_like,omitempty"`
+
+	StringNotEquals []StringNotEqualsObservation `json:"stringNotEquals,omitempty" tf:"string_not_equals,omitempty"`
+
+	StringNotLike []StringNotLikeObservation `json:"stringNotLike,omitempty" tf:"string_not_like,omitempty"`
 }
 
 type ConditionParameters struct {
@@ -33,8 +40,29 @@ type ConditionParameters struct {
 
 type SelectionObservation struct {
 
+	// A list of conditions that you define to assign resources to your backup plans using tags.
+	Condition []ConditionObservation `json:"condition,omitempty" tf:"condition,omitempty"`
+
+	// The ARN of the IAM role that AWS Backup uses to authenticate when restoring and backing up the target resource. See the AWS Backup Developer Guide for additional information about using AWS managed policies or creating custom policies attached to the IAM role.
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	// Backup Selection identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The display name of a resource selection document.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan.
+	NotResources []*string `json:"notResources,omitempty" tf:"not_resources,omitempty"`
+
+	// The backup plan ID to be associated with the selection of resources.
+	PlanID *string `json:"planId,omitempty" tf:"plan_id,omitempty"`
+
+	// An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to assign to a backup plan.
+	Resources []*string `json:"resources,omitempty" tf:"resources,omitempty"`
+
+	// Tag-based conditions used to specify a set of resources to assign to a backup plan.
+	SelectionTag []SelectionTagObservation `json:"selectionTag,omitempty" tf:"selection_tag,omitempty"`
 }
 
 type SelectionParameters struct {
@@ -58,8 +86,8 @@ type SelectionParameters struct {
 	IAMRoleArnSelector *v1.Selector `json:"iamRoleArnSelector,omitempty" tf:"-"`
 
 	// The display name of a resource selection document.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// An array of strings that either contain Amazon Resource Names (ARNs) or match patterns of resources to exclude from a backup plan.
 	// +kubebuilder:validation:Optional
@@ -93,6 +121,15 @@ type SelectionParameters struct {
 }
 
 type SelectionTagObservation struct {
+
+	// The key in a key-value pair.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// An operation, such as StringEquals, that is applied to a key-value pair used to filter resources in a selection.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The value in a key-value pair.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type SelectionTagParameters struct {
@@ -111,6 +148,12 @@ type SelectionTagParameters struct {
 }
 
 type StringEqualsObservation struct {
+
+	// The key in a key-value pair.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value in a key-value pair.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type StringEqualsParameters struct {
@@ -125,6 +168,12 @@ type StringEqualsParameters struct {
 }
 
 type StringLikeObservation struct {
+
+	// The key in a key-value pair.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value in a key-value pair.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type StringLikeParameters struct {
@@ -139,6 +188,12 @@ type StringLikeParameters struct {
 }
 
 type StringNotEqualsObservation struct {
+
+	// The key in a key-value pair.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value in a key-value pair.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type StringNotEqualsParameters struct {
@@ -153,6 +208,12 @@ type StringNotEqualsParameters struct {
 }
 
 type StringNotLikeObservation struct {
+
+	// The key in a key-value pair.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value in a key-value pair.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type StringNotLikeParameters struct {
@@ -190,8 +251,9 @@ type SelectionStatus struct {
 type Selection struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SelectionSpec   `json:"spec"`
-	Status            SelectionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   SelectionSpec   `json:"spec"`
+	Status SelectionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_vault_types.go b/apis/backup/v1beta1/zz_vault_types.go
index 476571dd6f..033253c842 100755
--- a/apis/backup/v1beta1/zz_vault_types.go
+++ b/apis/backup/v1beta1/zz_vault_types.go
@@ -18,12 +18,21 @@ type VaultObservation struct {
 	// The ARN of the vault.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A boolean that indicates that all recovery points stored in the vault are deleted so that the vault can be destroyed without error.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// The name of the vault.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The server-side encryption key that is used to protect your backups.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
 	// The number of recovery points that are stored in a backup vault.
 	RecoveryPoints *float64 `json:"recoveryPoints,omitempty" tf:"recovery_points,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/backup/v1beta1/zz_vaultlockconfiguration_types.go b/apis/backup/v1beta1/zz_vaultlockconfiguration_types.go
index 252beb5de7..976065534f 100755
--- a/apis/backup/v1beta1/zz_vaultlockconfiguration_types.go
+++ b/apis/backup/v1beta1/zz_vaultlockconfiguration_types.go
@@ -18,7 +18,19 @@ type VaultLockConfigurationObservation struct {
 	// The ARN of the vault.
 	BackupVaultArn *string `json:"backupVaultArn,omitempty" tf:"backup_vault_arn,omitempty"`
 
+	// Name of the backup vault to add a lock configuration for.
+	BackupVaultName *string `json:"backupVaultName,omitempty" tf:"backup_vault_name,omitempty"`
+
+	// The number of days before the lock date. If omitted creates a vault lock in governance mode, otherwise it will create a vault lock in compliance mode.
+	ChangeableForDays *float64 `json:"changeableForDays,omitempty" tf:"changeable_for_days,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The maximum retention period that the vault retains its recovery points.
+	MaxRetentionDays *float64 `json:"maxRetentionDays,omitempty" tf:"max_retention_days,omitempty"`
+
+	// The minimum retention period that the vault retains its recovery points.
+	MinRetentionDays *float64 `json:"minRetentionDays,omitempty" tf:"min_retention_days,omitempty"`
 }
 
 type VaultLockConfigurationParameters struct {
diff --git a/apis/backup/v1beta1/zz_vaultnotifications_types.go b/apis/backup/v1beta1/zz_vaultnotifications_types.go
index b711516e88..a49d2422f3 100755
--- a/apis/backup/v1beta1/zz_vaultnotifications_types.go
+++ b/apis/backup/v1beta1/zz_vaultnotifications_types.go
@@ -18,15 +18,24 @@ type VaultNotificationsObservation struct {
 	// The ARN of the vault.
 	BackupVaultArn *string `json:"backupVaultArn,omitempty" tf:"backup_vault_arn,omitempty"`
 
+	// An array of events that indicate the status of jobs to back up resources to the backup vault.
+	BackupVaultEvents []*string `json:"backupVaultEvents,omitempty" tf:"backup_vault_events,omitempty"`
+
+	// Name of the backup vault to add notifications for.
+	BackupVaultName *string `json:"backupVaultName,omitempty" tf:"backup_vault_name,omitempty"`
+
 	// The name of the vault.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Amazon Resource Name (ARN) that specifies the topic for a backup vault’s events
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
 }
 
 type VaultNotificationsParameters struct {
 
 	// An array of events that indicate the status of jobs to back up resources to the backup vault.
-	// +kubebuilder:validation:Required
-	BackupVaultEvents []*string `json:"backupVaultEvents" tf:"backup_vault_events,omitempty"`
+	// +kubebuilder:validation:Optional
+	BackupVaultEvents []*string `json:"backupVaultEvents,omitempty" tf:"backup_vault_events,omitempty"`
 
 	// Name of the backup vault to add notifications for.
 	// +crossplane:generate:reference:type=Vault
@@ -85,8 +94,9 @@ type VaultNotificationsStatus struct {
 type VaultNotifications struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VaultNotificationsSpec   `json:"spec"`
-	Status            VaultNotificationsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backupVaultEvents)",message="backupVaultEvents is a required parameter"
+	Spec   VaultNotificationsSpec   `json:"spec"`
+	Status VaultNotificationsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/backup/v1beta1/zz_vaultpolicy_types.go b/apis/backup/v1beta1/zz_vaultpolicy_types.go
index ce82360c12..9c1b246863 100755
--- a/apis/backup/v1beta1/zz_vaultpolicy_types.go
+++ b/apis/backup/v1beta1/zz_vaultpolicy_types.go
@@ -18,8 +18,14 @@ type VaultPolicyObservation struct {
 	// The ARN of the vault.
 	BackupVaultArn *string `json:"backupVaultArn,omitempty" tf:"backup_vault_arn,omitempty"`
 
+	// Name of the backup vault to add policy for.
+	BackupVaultName *string `json:"backupVaultName,omitempty" tf:"backup_vault_name,omitempty"`
+
 	// The name of the vault.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The backup vault access policy document in JSON format.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type VaultPolicyParameters struct {
@@ -38,8 +44,8 @@ type VaultPolicyParameters struct {
 	BackupVaultNameSelector *v1.Selector `json:"backupVaultNameSelector,omitempty" tf:"-"`
 
 	// The backup vault access policy document in JSON format.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -71,8 +77,9 @@ type VaultPolicyStatus struct {
 type VaultPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VaultPolicySpec   `json:"spec"`
-	Status            VaultPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   VaultPolicySpec   `json:"spec"`
+	Status VaultPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/batch/v1beta1/zz_generated.deepcopy.go b/apis/batch/v1beta1/zz_generated.deepcopy.go
index 63f248aaf6..4837ee566c 100644
--- a/apis/batch/v1beta1/zz_generated.deepcopy.go
+++ b/apis/batch/v1beta1/zz_generated.deepcopy.go
@@ -16,6 +16,23 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FairSharePolicyObservation) DeepCopyInto(out *FairSharePolicyObservation) {
 	*out = *in
+	if in.ComputeReservation != nil {
+		in, out := &in.ComputeReservation, &out.ComputeReservation
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ShareDecaySeconds != nil {
+		in, out := &in.ShareDecaySeconds, &out.ShareDecaySeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ShareDistribution != nil {
+		in, out := &in.ShareDistribution, &out.ShareDistribution
+		*out = make([]ShareDistributionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FairSharePolicyObservation.
@@ -127,11 +144,33 @@ func (in *SchedulingPolicyObservation) DeepCopyInto(out *SchedulingPolicyObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.FairSharePolicy != nil {
+		in, out := &in.FairSharePolicy, &out.FairSharePolicy
+		*out = make([]FairSharePolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -238,6 +277,16 @@ func (in *SchedulingPolicyStatus) DeepCopy() *SchedulingPolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ShareDistributionObservation) DeepCopyInto(out *ShareDistributionObservation) {
 	*out = *in
+	if in.ShareIdentifier != nil {
+		in, out := &in.ShareIdentifier, &out.ShareIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.WeightFactor != nil {
+		in, out := &in.WeightFactor, &out.WeightFactor
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShareDistributionObservation.
diff --git a/apis/batch/v1beta1/zz_schedulingpolicy_types.go b/apis/batch/v1beta1/zz_schedulingpolicy_types.go
index 02ed4276d6..465209ef44 100755
--- a/apis/batch/v1beta1/zz_schedulingpolicy_types.go
+++ b/apis/batch/v1beta1/zz_schedulingpolicy_types.go
@@ -14,6 +14,14 @@ import (
 )
 
 type FairSharePolicyObservation struct {
+
+	// A value used to reserve some of the available maximum vCPU for fair share identifiers that have not yet been used. For more information, see FairsharePolicy.
+	ComputeReservation *float64 `json:"computeReservation,omitempty" tf:"compute_reservation,omitempty"`
+
+	ShareDecaySeconds *float64 `json:"shareDecaySeconds,omitempty" tf:"share_decay_seconds,omitempty"`
+
+	// One or more share distribution blocks which define the weights for the fair share identifiers for the fair share policy. For more information, see FairsharePolicy. The share_distribution block is documented below.
+	ShareDistribution []ShareDistributionObservation `json:"shareDistribution,omitempty" tf:"share_distribution,omitempty"`
 }
 
 type FairSharePolicyParameters struct {
@@ -35,8 +43,13 @@ type SchedulingPolicyObservation struct {
 	// The Amazon Resource Name of the scheduling policy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	FairSharePolicy []FairSharePolicyObservation `json:"fairSharePolicy,omitempty" tf:"fair_share_policy,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -57,6 +70,12 @@ type SchedulingPolicyParameters struct {
 }
 
 type ShareDistributionObservation struct {
+
+	// A fair share identifier or fair share identifier prefix. For more information, see ShareAttributes.
+	ShareIdentifier *string `json:"shareIdentifier,omitempty" tf:"share_identifier,omitempty"`
+
+	// The weight factor for the fair share identifier. For more information, see ShareAttributes.
+	WeightFactor *float64 `json:"weightFactor,omitempty" tf:"weight_factor,omitempty"`
 }
 
 type ShareDistributionParameters struct {
diff --git a/apis/budgets/v1beta1/zz_budget_types.go b/apis/budgets/v1beta1/zz_budget_types.go
index a9c6077b9f..44c22fbc43 100755
--- a/apis/budgets/v1beta1/zz_budget_types.go
+++ b/apis/budgets/v1beta1/zz_budget_types.go
@@ -14,8 +14,8 @@ import (
 )
 
 type AutoAdjustDataObservation struct {
+	AutoAdjustType *string `json:"autoAdjustType,omitempty" tf:"auto_adjust_type,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	HistoricalOptions []HistoricalOptionsObservation `json:"historicalOptions,omitempty" tf:"historical_options,omitempty"`
 
 	LastAutoAdjustTime *string `json:"lastAutoAdjustTime,omitempty" tf:"last_auto_adjust_time,omitempty"`
@@ -32,15 +32,50 @@ type AutoAdjustDataParameters struct {
 
 type BudgetObservation struct {
 
+	// The ID of the target account for budget. Will use current user's account_id by default if omitted.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// The ARN of the budget.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Object containing [AutoAdjustData] which determines the budget amount for an auto-adjusting budget.
-	// +kubebuilder:validation:Optional
 	AutoAdjustData []AutoAdjustDataObservation `json:"autoAdjustData,omitempty" tf:"auto_adjust_data,omitempty"`
 
+	// Whether this budget tracks monetary cost or usage.
+	BudgetType *string `json:"budgetType,omitempty" tf:"budget_type,omitempty"`
+
+	// A list of CostFilter name/values pair to apply to budget.
+	CostFilter []CostFilterObservation `json:"costFilter,omitempty" tf:"cost_filter,omitempty"`
+
+	// Map of CostFilters key/value pairs to apply to the budget.
+	CostFilters map[string]*string `json:"costFilters,omitempty" tf:"cost_filters,omitempty"`
+
+	// Object containing CostTypes The types of cost included in a budget, such as tax and subscriptions.
+	CostTypes []CostTypesObservation `json:"costTypes,omitempty" tf:"cost_types,omitempty"`
+
 	// id of resource.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The amount of cost or usage being measured for a budget.
+	LimitAmount *string `json:"limitAmount,omitempty" tf:"limit_amount,omitempty"`
+
+	// The unit of measurement used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
+	LimitUnit *string `json:"limitUnit,omitempty" tf:"limit_unit,omitempty"`
+
+	// Object containing Budget Notifications. Can be used multiple times to define more than one budget notification.
+	Notification []NotificationObservation `json:"notification,omitempty" tf:"notification,omitempty"`
+
+	// Object containing Planned Budget Limits. Can be used multiple times to plan more than one budget limit. See PlannedBudgetLimits documentation.
+	PlannedLimit []PlannedLimitObservation `json:"plannedLimit,omitempty" tf:"planned_limit,omitempty"`
+
+	// The end of the time period covered by the budget. There are no restrictions on the end date. Format: 2017-01-01_12:00.
+	TimePeriodEnd *string `json:"timePeriodEnd,omitempty" tf:"time_period_end,omitempty"`
+
+	// The start of the time period covered by the budget. If you don't specify a start date, AWS defaults to the start of your chosen time period. The start date must come before the end date. Format: 2017-01-01_12:00.
+	TimePeriodStart *string `json:"timePeriodStart,omitempty" tf:"time_period_start,omitempty"`
+
+	// The length of time until a budget resets the actual and forecasted spend. Valid values: MONTHLY, QUARTERLY, ANNUALLY, and DAILY.
+	TimeUnit *string `json:"timeUnit,omitempty" tf:"time_unit,omitempty"`
 }
 
 type BudgetParameters struct {
@@ -54,8 +89,8 @@ type BudgetParameters struct {
 	AutoAdjustData []AutoAdjustDataParameters `json:"autoAdjustData,omitempty" tf:"auto_adjust_data,omitempty"`
 
 	// Whether this budget tracks monetary cost or usage.
-	// +kubebuilder:validation:Required
-	BudgetType *string `json:"budgetType" tf:"budget_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	BudgetType *string `json:"budgetType,omitempty" tf:"budget_type,omitempty"`
 
 	// A list of CostFilter name/values pair to apply to budget.
 	// +kubebuilder:validation:Optional
@@ -99,11 +134,16 @@ type BudgetParameters struct {
 	TimePeriodStart *string `json:"timePeriodStart,omitempty" tf:"time_period_start,omitempty"`
 
 	// The length of time until a budget resets the actual and forecasted spend. Valid values: MONTHLY, QUARTERLY, ANNUALLY, and DAILY.
-	// +kubebuilder:validation:Required
-	TimeUnit *string `json:"timeUnit" tf:"time_unit,omitempty"`
+	// +kubebuilder:validation:Optional
+	TimeUnit *string `json:"timeUnit,omitempty" tf:"time_unit,omitempty"`
 }
 
 type CostFilterObservation struct {
+
+	// The name of a budget. Unique within accounts.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type CostFilterParameters struct {
@@ -117,6 +157,39 @@ type CostFilterParameters struct {
 }
 
 type CostTypesObservation struct {
+
+	// A boolean value whether to include credits in the cost budget. Defaults to true
+	IncludeCredit *bool `json:"includeCredit,omitempty" tf:"include_credit,omitempty"`
+
+	// Whether a budget includes discounts. Defaults to true
+	IncludeDiscount *bool `json:"includeDiscount,omitempty" tf:"include_discount,omitempty"`
+
+	// A boolean value whether to include other subscription costs in the cost budget. Defaults to true
+	IncludeOtherSubscription *bool `json:"includeOtherSubscription,omitempty" tf:"include_other_subscription,omitempty"`
+
+	// A boolean value whether to include recurring costs in the cost budget. Defaults to true
+	IncludeRecurring *bool `json:"includeRecurring,omitempty" tf:"include_recurring,omitempty"`
+
+	// A boolean value whether to include refunds in the cost budget. Defaults to true
+	IncludeRefund *bool `json:"includeRefund,omitempty" tf:"include_refund,omitempty"`
+
+	// A boolean value whether to include subscriptions in the cost budget. Defaults to true
+	IncludeSubscription *bool `json:"includeSubscription,omitempty" tf:"include_subscription,omitempty"`
+
+	// A boolean value whether to include support costs in the cost budget. Defaults to true
+	IncludeSupport *bool `json:"includeSupport,omitempty" tf:"include_support,omitempty"`
+
+	// A boolean value whether to include tax in the cost budget. Defaults to true
+	IncludeTax *bool `json:"includeTax,omitempty" tf:"include_tax,omitempty"`
+
+	// A boolean value whether to include upfront costs in the cost budget. Defaults to true
+	IncludeUpfront *bool `json:"includeUpfront,omitempty" tf:"include_upfront,omitempty"`
+
+	// Whether a budget uses the amortized rate. Defaults to false
+	UseAmortized *bool `json:"useAmortized,omitempty" tf:"use_amortized,omitempty"`
+
+	// A boolean value whether to use blended costs in the cost budget. Defaults to false
+	UseBlended *bool `json:"useBlended,omitempty" tf:"use_blended,omitempty"`
 }
 
 type CostTypesParameters struct {
@@ -167,6 +240,8 @@ type CostTypesParameters struct {
 }
 
 type HistoricalOptionsObservation struct {
+	BudgetAdjustmentPeriod *float64 `json:"budgetAdjustmentPeriod,omitempty" tf:"budget_adjustment_period,omitempty"`
+
 	LookbackAvailablePeriods *float64 `json:"lookbackAvailablePeriods,omitempty" tf:"lookback_available_periods,omitempty"`
 }
 
@@ -177,6 +252,24 @@ type HistoricalOptionsParameters struct {
 }
 
 type NotificationObservation struct {
+
+	// Comparison operator to use to evaluate the condition. Can be LESS_THAN, EQUAL_TO or GREATER_THAN.
+	ComparisonOperator *string `json:"comparisonOperator,omitempty" tf:"comparison_operator,omitempty"`
+
+	// What kind of budget value to notify on. Can be ACTUAL or FORECASTED
+	NotificationType *string `json:"notificationType,omitempty" tf:"notification_type,omitempty"`
+
+	// E-Mail addresses to notify. Either this or subscriber_sns_topic_arns is required.
+	SubscriberEmailAddresses []*string `json:"subscriberEmailAddresses,omitempty" tf:"subscriber_email_addresses,omitempty"`
+
+	// SNS topics to notify. Either this or subscriber_email_addresses is required.
+	SubscriberSnsTopicArns []*string `json:"subscriberSnsTopicArns,omitempty" tf:"subscriber_sns_topic_arns,omitempty"`
+
+	// Threshold when the notification should be sent.
+	Threshold *float64 `json:"threshold,omitempty" tf:"threshold,omitempty"`
+
+	// What kind of threshold is defined. Can be PERCENTAGE OR ABSOLUTE_VALUE.
+	ThresholdType *string `json:"thresholdType,omitempty" tf:"threshold_type,omitempty"`
 }
 
 type NotificationParameters struct {
@@ -207,6 +300,15 @@ type NotificationParameters struct {
 }
 
 type PlannedLimitObservation struct {
+
+	// The amount of cost or usage being measured for a budget.
+	Amount *string `json:"amount,omitempty" tf:"amount,omitempty"`
+
+	// The start time of the budget limit. Format: 2017-01-01_12:00. See PlannedBudgetLimits documentation.
+	StartTime *string `json:"startTime,omitempty" tf:"start_time,omitempty"`
+
+	// The unit of measurement used for the budget forecast, actual spend, or budget threshold, such as dollars or GB. See Spend documentation.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type PlannedLimitParameters struct {
@@ -248,8 +350,10 @@ type BudgetStatus struct {
 type Budget struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BudgetSpec   `json:"spec"`
-	Status            BudgetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.budgetType)",message="budgetType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.timeUnit)",message="timeUnit is a required parameter"
+	Spec   BudgetSpec   `json:"spec"`
+	Status BudgetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/budgets/v1beta1/zz_budgetaction_types.go b/apis/budgets/v1beta1/zz_budgetaction_types.go
index 6f849a436d..fe41a48bb3 100755
--- a/apis/budgets/v1beta1/zz_budgetaction_types.go
+++ b/apis/budgets/v1beta1/zz_budgetaction_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ActionThresholdObservation struct {
+
+	// The type of threshold for a notification. Valid values are PERCENTAGE or ABSOLUTE_VALUE.
+	ActionThresholdType *string `json:"actionThresholdType,omitempty" tf:"action_threshold_type,omitempty"`
+
+	// The threshold of a notification.
+	ActionThresholdValue *float64 `json:"actionThresholdValue,omitempty" tf:"action_threshold_value,omitempty"`
 }
 
 type ActionThresholdParameters struct {
@@ -29,17 +35,44 @@ type ActionThresholdParameters struct {
 
 type BudgetActionObservation struct {
 
+	// The ID of the target account for budget. Will use current user's account_id by default if omitted.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// The id of the budget action.
 	ActionID *string `json:"actionId,omitempty" tf:"action_id,omitempty"`
 
+	// The trigger threshold of the action. See Action Threshold.
+	ActionThreshold []ActionThresholdObservation `json:"actionThreshold,omitempty" tf:"action_threshold,omitempty"`
+
+	// The type of action. This defines the type of tasks that can be carried out by this action. This field also determines the format for definition. Valid values are APPLY_IAM_POLICY, APPLY_SCP_POLICY, and RUN_SSM_DOCUMENTS.
+	ActionType *string `json:"actionType,omitempty" tf:"action_type,omitempty"`
+
+	// This specifies if the action needs manual or automatic approval. Valid values are AUTOMATIC and MANUAL.
+	ApprovalModel *string `json:"approvalModel,omitempty" tf:"approval_model,omitempty"`
+
 	// The ARN of the budget action.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The name of a budget.
+	BudgetName *string `json:"budgetName,omitempty" tf:"budget_name,omitempty"`
+
+	// Specifies all of the type-specific parameters. See Definition.
+	Definition []DefinitionObservation `json:"definition,omitempty" tf:"definition,omitempty"`
+
+	// The role passed for action execution and reversion. Roles and actions must be in the same account.
+	ExecutionRoleArn *string `json:"executionRoleArn,omitempty" tf:"execution_role_arn,omitempty"`
+
 	// ID of resource.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The type of a notification. Valid values are ACTUAL or FORECASTED.
+	NotificationType *string `json:"notificationType,omitempty" tf:"notification_type,omitempty"`
+
 	// The status of the budget action.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// A list of subscribers. See Subscriber.
+	Subscriber []SubscriberObservation `json:"subscriber,omitempty" tf:"subscriber,omitempty"`
 }
 
 type BudgetActionParameters struct {
@@ -49,16 +82,16 @@ type BudgetActionParameters struct {
 	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// The trigger threshold of the action. See Action Threshold.
-	// +kubebuilder:validation:Required
-	ActionThreshold []ActionThresholdParameters `json:"actionThreshold" tf:"action_threshold,omitempty"`
+	// +kubebuilder:validation:Optional
+	ActionThreshold []ActionThresholdParameters `json:"actionThreshold,omitempty" tf:"action_threshold,omitempty"`
 
 	// The type of action. This defines the type of tasks that can be carried out by this action. This field also determines the format for definition. Valid values are APPLY_IAM_POLICY, APPLY_SCP_POLICY, and RUN_SSM_DOCUMENTS.
-	// +kubebuilder:validation:Required
-	ActionType *string `json:"actionType" tf:"action_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ActionType *string `json:"actionType,omitempty" tf:"action_type,omitempty"`
 
 	// This specifies if the action needs manual or automatic approval. Valid values are AUTOMATIC and MANUAL.
-	// +kubebuilder:validation:Required
-	ApprovalModel *string `json:"approvalModel" tf:"approval_model,omitempty"`
+	// +kubebuilder:validation:Optional
+	ApprovalModel *string `json:"approvalModel,omitempty" tf:"approval_model,omitempty"`
 
 	// The name of a budget.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/budgets/v1beta1.Budget
@@ -74,8 +107,8 @@ type BudgetActionParameters struct {
 	BudgetNameSelector *v1.Selector `json:"budgetNameSelector,omitempty" tf:"-"`
 
 	// Specifies all of the type-specific parameters. See Definition.
-	// +kubebuilder:validation:Required
-	Definition []DefinitionParameters `json:"definition" tf:"definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	Definition []DefinitionParameters `json:"definition,omitempty" tf:"definition,omitempty"`
 
 	// The role passed for action execution and reversion. Roles and actions must be in the same account.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/iam/v1beta1.Role
@@ -92,8 +125,8 @@ type BudgetActionParameters struct {
 	ExecutionRoleArnSelector *v1.Selector `json:"executionRoleArnSelector,omitempty" tf:"-"`
 
 	// The type of a notification. Valid values are ACTUAL or FORECASTED.
-	// +kubebuilder:validation:Required
-	NotificationType *string `json:"notificationType" tf:"notification_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	NotificationType *string `json:"notificationType,omitempty" tf:"notification_type,omitempty"`
 
 	// The Region to run the SSM document.
 	// Region is the region you'd like your resource to be created in.
@@ -102,11 +135,20 @@ type BudgetActionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// A list of subscribers. See Subscriber.
-	// +kubebuilder:validation:Required
-	Subscriber []SubscriberParameters `json:"subscriber" tf:"subscriber,omitempty"`
+	// +kubebuilder:validation:Optional
+	Subscriber []SubscriberParameters `json:"subscriber,omitempty" tf:"subscriber,omitempty"`
 }
 
 type DefinitionObservation struct {
+
+	// The AWS Identity and Access Management (IAM) action definition details. See IAM Action Definition.
+	IAMActionDefinition []IAMActionDefinitionObservation `json:"iamActionDefinition,omitempty" tf:"iam_action_definition,omitempty"`
+
+	// The service control policies (SCPs) action definition details. See SCP Action Definition.
+	ScpActionDefinition []ScpActionDefinitionObservation `json:"scpActionDefinition,omitempty" tf:"scp_action_definition,omitempty"`
+
+	// The AWS Systems Manager (SSM) action definition details. See SSM Action Definition.
+	SsmActionDefinition []SsmActionDefinitionObservation `json:"ssmActionDefinition,omitempty" tf:"ssm_action_definition,omitempty"`
 }
 
 type DefinitionParameters struct {
@@ -125,6 +167,18 @@ type DefinitionParameters struct {
 }
 
 type IAMActionDefinitionObservation struct {
+
+	// A list of groups to be attached. There must be at least one group.
+	Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the policy to be attached.
+	PolicyArn *string `json:"policyArn,omitempty" tf:"policy_arn,omitempty"`
+
+	// A list of roles to be attached. There must be at least one role.
+	Roles []*string `json:"roles,omitempty" tf:"roles,omitempty"`
+
+	// A list of users to be attached. There must be at least one user.
+	Users []*string `json:"users,omitempty" tf:"users,omitempty"`
 }
 
 type IAMActionDefinitionParameters struct {
@@ -157,6 +211,12 @@ type IAMActionDefinitionParameters struct {
 }
 
 type ScpActionDefinitionObservation struct {
+
+	// The policy ID attached.
+	PolicyID *string `json:"policyId,omitempty" tf:"policy_id,omitempty"`
+
+	// A list of target IDs.
+	TargetIds []*string `json:"targetIds,omitempty" tf:"target_ids,omitempty"`
 }
 
 type ScpActionDefinitionParameters struct {
@@ -171,6 +231,15 @@ type ScpActionDefinitionParameters struct {
 }
 
 type SsmActionDefinitionObservation struct {
+
+	// The action subType. Valid values are STOP_EC2_INSTANCES or STOP_RDS_INSTANCES.
+	ActionSubType *string `json:"actionSubType,omitempty" tf:"action_sub_type,omitempty"`
+
+	// The EC2 and RDS instance IDs.
+	InstanceIds []*string `json:"instanceIds,omitempty" tf:"instance_ids,omitempty"`
+
+	// The Region to run the SSM document.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
 }
 
 type SsmActionDefinitionParameters struct {
@@ -189,6 +258,12 @@ type SsmActionDefinitionParameters struct {
 }
 
 type SubscriberObservation struct {
+
+	// The address that AWS sends budget notifications to, either an SNS topic or an email.
+	Address *string `json:"address,omitempty" tf:"address,omitempty"`
+
+	// The type of notification that AWS sends to a subscriber. Valid values are SNS or EMAIL.
+	SubscriptionType *string `json:"subscriptionType,omitempty" tf:"subscription_type,omitempty"`
 }
 
 type SubscriberParameters struct {
@@ -226,8 +301,14 @@ type BudgetActionStatus struct {
 type BudgetAction struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BudgetActionSpec   `json:"spec"`
-	Status            BudgetActionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actionThreshold)",message="actionThreshold is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actionType)",message="actionType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.approvalModel)",message="approvalModel is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)",message="definition is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.notificationType)",message="notificationType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.subscriber)",message="subscriber is a required parameter"
+	Spec   BudgetActionSpec   `json:"spec"`
+	Status BudgetActionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/budgets/v1beta1/zz_generated.deepcopy.go b/apis/budgets/v1beta1/zz_generated.deepcopy.go
index db71711fd8..efcae2958c 100644
--- a/apis/budgets/v1beta1/zz_generated.deepcopy.go
+++ b/apis/budgets/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionThresholdObservation) DeepCopyInto(out *ActionThresholdObservation) {
 	*out = *in
+	if in.ActionThresholdType != nil {
+		in, out := &in.ActionThresholdType, &out.ActionThresholdType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ActionThresholdValue != nil {
+		in, out := &in.ActionThresholdValue, &out.ActionThresholdValue
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionThresholdObservation.
@@ -57,6 +67,11 @@ func (in *ActionThresholdParameters) DeepCopy() *ActionThresholdParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoAdjustDataObservation) DeepCopyInto(out *AutoAdjustDataObservation) {
 	*out = *in
+	if in.AutoAdjustType != nil {
+		in, out := &in.AutoAdjustType, &out.AutoAdjustType
+		*out = new(string)
+		**out = **in
+	}
 	if in.HistoricalOptions != nil {
 		in, out := &in.HistoricalOptions, &out.HistoricalOptions
 		*out = make([]HistoricalOptionsObservation, len(*in))
@@ -197,26 +212,77 @@ func (in *BudgetActionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BudgetActionObservation) DeepCopyInto(out *BudgetActionObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ActionID != nil {
 		in, out := &in.ActionID, &out.ActionID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ActionThreshold != nil {
+		in, out := &in.ActionThreshold, &out.ActionThreshold
+		*out = make([]ActionThresholdObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ActionType != nil {
+		in, out := &in.ActionType, &out.ActionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ApprovalModel != nil {
+		in, out := &in.ApprovalModel, &out.ApprovalModel
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BudgetName != nil {
+		in, out := &in.BudgetName, &out.BudgetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Definition != nil {
+		in, out := &in.Definition, &out.Definition
+		*out = make([]DefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExecutionRoleArn != nil {
+		in, out := &in.ExecutionRoleArn, &out.ExecutionRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.NotificationType != nil {
+		in, out := &in.NotificationType, &out.NotificationType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Subscriber != nil {
+		in, out := &in.Subscriber, &out.Subscriber
+		*out = make([]SubscriberObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BudgetActionObservation.
@@ -389,6 +455,11 @@ func (in *BudgetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BudgetObservation) DeepCopyInto(out *BudgetObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -401,11 +472,84 @@ func (in *BudgetObservation) DeepCopyInto(out *BudgetObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.BudgetType != nil {
+		in, out := &in.BudgetType, &out.BudgetType
+		*out = new(string)
+		**out = **in
+	}
+	if in.CostFilter != nil {
+		in, out := &in.CostFilter, &out.CostFilter
+		*out = make([]CostFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CostFilters != nil {
+		in, out := &in.CostFilters, &out.CostFilters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.CostTypes != nil {
+		in, out := &in.CostTypes, &out.CostTypes
+		*out = make([]CostTypesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LimitAmount != nil {
+		in, out := &in.LimitAmount, &out.LimitAmount
+		*out = new(string)
+		**out = **in
+	}
+	if in.LimitUnit != nil {
+		in, out := &in.LimitUnit, &out.LimitUnit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Notification != nil {
+		in, out := &in.Notification, &out.Notification
+		*out = make([]NotificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlannedLimit != nil {
+		in, out := &in.PlannedLimit, &out.PlannedLimit
+		*out = make([]PlannedLimitObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TimePeriodEnd != nil {
+		in, out := &in.TimePeriodEnd, &out.TimePeriodEnd
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimePeriodStart != nil {
+		in, out := &in.TimePeriodStart, &out.TimePeriodStart
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeUnit != nil {
+		in, out := &in.TimeUnit, &out.TimeUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BudgetObservation.
@@ -560,6 +704,22 @@ func (in *BudgetStatus) DeepCopy() *BudgetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CostFilterObservation) DeepCopyInto(out *CostFilterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CostFilterObservation.
@@ -606,6 +766,61 @@ func (in *CostFilterParameters) DeepCopy() *CostFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CostTypesObservation) DeepCopyInto(out *CostTypesObservation) {
 	*out = *in
+	if in.IncludeCredit != nil {
+		in, out := &in.IncludeCredit, &out.IncludeCredit
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeDiscount != nil {
+		in, out := &in.IncludeDiscount, &out.IncludeDiscount
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeOtherSubscription != nil {
+		in, out := &in.IncludeOtherSubscription, &out.IncludeOtherSubscription
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeRecurring != nil {
+		in, out := &in.IncludeRecurring, &out.IncludeRecurring
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeRefund != nil {
+		in, out := &in.IncludeRefund, &out.IncludeRefund
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeSubscription != nil {
+		in, out := &in.IncludeSubscription, &out.IncludeSubscription
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeSupport != nil {
+		in, out := &in.IncludeSupport, &out.IncludeSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeTax != nil {
+		in, out := &in.IncludeTax, &out.IncludeTax
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeUpfront != nil {
+		in, out := &in.IncludeUpfront, &out.IncludeUpfront
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UseAmortized != nil {
+		in, out := &in.UseAmortized, &out.UseAmortized
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UseBlended != nil {
+		in, out := &in.UseBlended, &out.UseBlended
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CostTypesObservation.
@@ -691,6 +906,27 @@ func (in *CostTypesParameters) DeepCopy() *CostTypesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefinitionObservation) DeepCopyInto(out *DefinitionObservation) {
 	*out = *in
+	if in.IAMActionDefinition != nil {
+		in, out := &in.IAMActionDefinition, &out.IAMActionDefinition
+		*out = make([]IAMActionDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScpActionDefinition != nil {
+		in, out := &in.ScpActionDefinition, &out.ScpActionDefinition
+		*out = make([]ScpActionDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SsmActionDefinition != nil {
+		in, out := &in.SsmActionDefinition, &out.SsmActionDefinition
+		*out = make([]SsmActionDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefinitionObservation.
@@ -742,6 +978,11 @@ func (in *DefinitionParameters) DeepCopy() *DefinitionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HistoricalOptionsObservation) DeepCopyInto(out *HistoricalOptionsObservation) {
 	*out = *in
+	if in.BudgetAdjustmentPeriod != nil {
+		in, out := &in.BudgetAdjustmentPeriod, &out.BudgetAdjustmentPeriod
+		*out = new(float64)
+		**out = **in
+	}
 	if in.LookbackAvailablePeriods != nil {
 		in, out := &in.LookbackAvailablePeriods, &out.LookbackAvailablePeriods
 		*out = new(float64)
@@ -782,6 +1023,44 @@ func (in *HistoricalOptionsParameters) DeepCopy() *HistoricalOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IAMActionDefinitionObservation) DeepCopyInto(out *IAMActionDefinitionObservation) {
 	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PolicyArn != nil {
+		in, out := &in.PolicyArn, &out.PolicyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Roles != nil {
+		in, out := &in.Roles, &out.Roles
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Users != nil {
+		in, out := &in.Users, &out.Users
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IAMActionDefinitionObservation.
@@ -860,6 +1139,48 @@ func (in *IAMActionDefinitionParameters) DeepCopy() *IAMActionDefinitionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationObservation) DeepCopyInto(out *NotificationObservation) {
 	*out = *in
+	if in.ComparisonOperator != nil {
+		in, out := &in.ComparisonOperator, &out.ComparisonOperator
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationType != nil {
+		in, out := &in.NotificationType, &out.NotificationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubscriberEmailAddresses != nil {
+		in, out := &in.SubscriberEmailAddresses, &out.SubscriberEmailAddresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubscriberSnsTopicArns != nil {
+		in, out := &in.SubscriberSnsTopicArns, &out.SubscriberSnsTopicArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Threshold != nil {
+		in, out := &in.Threshold, &out.Threshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdType != nil {
+		in, out := &in.ThresholdType, &out.ThresholdType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationObservation.
@@ -932,6 +1253,21 @@ func (in *NotificationParameters) DeepCopy() *NotificationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlannedLimitObservation) DeepCopyInto(out *PlannedLimitObservation) {
 	*out = *in
+	if in.Amount != nil {
+		in, out := &in.Amount, &out.Amount
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlannedLimitObservation.
@@ -977,6 +1313,22 @@ func (in *PlannedLimitParameters) DeepCopy() *PlannedLimitParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScpActionDefinitionObservation) DeepCopyInto(out *ScpActionDefinitionObservation) {
 	*out = *in
+	if in.PolicyID != nil {
+		in, out := &in.PolicyID, &out.PolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetIds != nil {
+		in, out := &in.TargetIds, &out.TargetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScpActionDefinitionObservation.
@@ -1023,6 +1375,27 @@ func (in *ScpActionDefinitionParameters) DeepCopy() *ScpActionDefinitionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SsmActionDefinitionObservation) DeepCopyInto(out *SsmActionDefinitionObservation) {
 	*out = *in
+	if in.ActionSubType != nil {
+		in, out := &in.ActionSubType, &out.ActionSubType
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceIds != nil {
+		in, out := &in.InstanceIds, &out.InstanceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SsmActionDefinitionObservation.
@@ -1074,6 +1447,16 @@ func (in *SsmActionDefinitionParameters) DeepCopy() *SsmActionDefinitionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubscriberObservation) DeepCopyInto(out *SubscriberObservation) {
 	*out = *in
+	if in.Address != nil {
+		in, out := &in.Address, &out.Address
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubscriptionType != nil {
+		in, out := &in.SubscriptionType, &out.SubscriptionType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubscriberObservation.
diff --git a/apis/ce/v1beta1/zz_anomalymonitor_types.go b/apis/ce/v1beta1/zz_anomalymonitor_types.go
index 973f34218b..c4515dda96 100755
--- a/apis/ce/v1beta1/zz_anomalymonitor_types.go
+++ b/apis/ce/v1beta1/zz_anomalymonitor_types.go
@@ -21,6 +21,21 @@ type AnomalyMonitorObservation struct {
 	// Unique ID of the anomaly monitor. Same as arn.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The dimensions to evaluate. Valid values: SERVICE.
+	MonitorDimension *string `json:"monitorDimension,omitempty" tf:"monitor_dimension,omitempty"`
+
+	// A valid JSON representation for the Expression object.
+	MonitorSpecification *string `json:"monitorSpecification,omitempty" tf:"monitor_specification,omitempty"`
+
+	// The possible type values. Valid values: DIMENSIONAL | CUSTOM.
+	MonitorType *string `json:"monitorType,omitempty" tf:"monitor_type,omitempty"`
+
+	// The name of the monitor.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -36,12 +51,12 @@ type AnomalyMonitorParameters struct {
 	MonitorSpecification *string `json:"monitorSpecification,omitempty" tf:"monitor_specification,omitempty"`
 
 	// The possible type values. Valid values: DIMENSIONAL | CUSTOM.
-	// +kubebuilder:validation:Required
-	MonitorType *string `json:"monitorType" tf:"monitor_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	MonitorType *string `json:"monitorType,omitempty" tf:"monitor_type,omitempty"`
 
 	// The name of the monitor.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -77,8 +92,10 @@ type AnomalyMonitorStatus struct {
 type AnomalyMonitor struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AnomalyMonitorSpec   `json:"spec"`
-	Status            AnomalyMonitorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.monitorType)",message="monitorType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AnomalyMonitorSpec   `json:"spec"`
+	Status AnomalyMonitorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ce/v1beta1/zz_generated.deepcopy.go b/apis/ce/v1beta1/zz_generated.deepcopy.go
index ce1836e890..821817abc1 100644
--- a/apis/ce/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ce/v1beta1/zz_generated.deepcopy.go
@@ -85,6 +85,41 @@ func (in *AnomalyMonitorObservation) DeepCopyInto(out *AnomalyMonitorObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.MonitorDimension != nil {
+		in, out := &in.MonitorDimension, &out.MonitorDimension
+		*out = new(string)
+		**out = **in
+	}
+	if in.MonitorSpecification != nil {
+		in, out := &in.MonitorSpecification, &out.MonitorSpecification
+		*out = new(string)
+		**out = **in
+	}
+	if in.MonitorType != nil {
+		in, out := &in.MonitorType, &out.MonitorType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/chime/v1beta1/zz_generated.deepcopy.go b/apis/chime/v1beta1/zz_generated.deepcopy.go
index 27a6be9b42..a5a38268fa 100644
--- a/apis/chime/v1beta1/zz_generated.deepcopy.go
+++ b/apis/chime/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectorObservation) DeepCopyInto(out *ConnectorObservation) {
 	*out = *in
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VoiceConnectorID != nil {
+		in, out := &in.VoiceConnectorID, &out.VoiceConnectorID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectorObservation.
@@ -67,6 +77,11 @@ func (in *ConnectorParameters) DeepCopy() *ConnectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CredentialsObservation) DeepCopyInto(out *CredentialsObservation) {
 	*out = *in
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CredentialsObservation.
@@ -103,6 +118,31 @@ func (in *CredentialsParameters) DeepCopy() *CredentialsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouteObservation) DeepCopyInto(out *RouteObservation) {
 	*out = *in
+	if in.Host != nil {
+		in, out := &in.Host, &out.Host
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteObservation.
@@ -244,6 +284,13 @@ func (in *VoiceConnectorGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VoiceConnectorGroupObservation) DeepCopyInto(out *VoiceConnectorGroupObservation) {
 	*out = *in
+	if in.Connector != nil {
+		in, out := &in.Connector, &out.Connector
+		*out = make([]ConnectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -416,11 +463,26 @@ func (in *VoiceConnectorLoggingList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VoiceConnectorLoggingObservation) DeepCopyInto(out *VoiceConnectorLoggingObservation) {
 	*out = *in
+	if in.EnableMediaMetricLogs != nil {
+		in, out := &in.EnableMediaMetricLogs, &out.EnableMediaMetricLogs
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableSIPLogs != nil {
+		in, out := &in.EnableSIPLogs, &out.EnableSIPLogs
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VoiceConnectorID != nil {
+		in, out := &in.VoiceConnectorID, &out.VoiceConnectorID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VoiceConnectorLoggingObservation.
@@ -515,6 +577,11 @@ func (in *VoiceConnectorLoggingStatus) DeepCopy() *VoiceConnectorLoggingStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VoiceConnectorObservation) DeepCopyInto(out *VoiceConnectorObservation) {
 	*out = *in
+	if in.AwsRegion != nil {
+		in, out := &in.AwsRegion, &out.AwsRegion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -525,6 +592,11 @@ func (in *VoiceConnectorObservation) DeepCopyInto(out *VoiceConnectorObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.RequireEncryption != nil {
+		in, out := &in.RequireEncryption, &out.RequireEncryption
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VoiceConnectorObservation.
@@ -599,11 +671,28 @@ func (in *VoiceConnectorOriginationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VoiceConnectorOriginationObservation) DeepCopyInto(out *VoiceConnectorOriginationObservation) {
 	*out = *in
+	if in.Disabled != nil {
+		in, out := &in.Disabled, &out.Disabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Route != nil {
+		in, out := &in.Route, &out.Route
+		*out = make([]RouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VoiceConnectorID != nil {
+		in, out := &in.VoiceConnectorID, &out.VoiceConnectorID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VoiceConnectorOriginationObservation.
@@ -823,11 +912,37 @@ func (in *VoiceConnectorStreamingList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VoiceConnectorStreamingObservation) DeepCopyInto(out *VoiceConnectorStreamingObservation) {
 	*out = *in
+	if in.DataRetention != nil {
+		in, out := &in.DataRetention, &out.DataRetention
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Disabled != nil {
+		in, out := &in.Disabled, &out.Disabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StreamingNotificationTargets != nil {
+		in, out := &in.StreamingNotificationTargets, &out.StreamingNotificationTargets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VoiceConnectorID != nil {
+		in, out := &in.VoiceConnectorID, &out.VoiceConnectorID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VoiceConnectorStreamingObservation.
@@ -1019,11 +1134,23 @@ func (in *VoiceConnectorTerminationCredentialsList) DeepCopyObject() runtime.Obj
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VoiceConnectorTerminationCredentialsObservation) DeepCopyInto(out *VoiceConnectorTerminationCredentialsObservation) {
 	*out = *in
+	if in.Credentials != nil {
+		in, out := &in.Credentials, &out.Credentials
+		*out = make([]CredentialsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VoiceConnectorID != nil {
+		in, out := &in.VoiceConnectorID, &out.VoiceConnectorID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VoiceConnectorTerminationCredentialsObservation.
@@ -1147,11 +1274,53 @@ func (in *VoiceConnectorTerminationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VoiceConnectorTerminationObservation) DeepCopyInto(out *VoiceConnectorTerminationObservation) {
 	*out = *in
+	if in.CallingRegions != nil {
+		in, out := &in.CallingRegions, &out.CallingRegions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CidrAllowList != nil {
+		in, out := &in.CidrAllowList, &out.CidrAllowList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CpsLimit != nil {
+		in, out := &in.CpsLimit, &out.CpsLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DefaultPhoneNumber != nil {
+		in, out := &in.DefaultPhoneNumber, &out.DefaultPhoneNumber
+		*out = new(string)
+		**out = **in
+	}
+	if in.Disabled != nil {
+		in, out := &in.Disabled, &out.Disabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VoiceConnectorID != nil {
+		in, out := &in.VoiceConnectorID, &out.VoiceConnectorID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VoiceConnectorTerminationObservation.
diff --git a/apis/chime/v1beta1/zz_voiceconnector_types.go b/apis/chime/v1beta1/zz_voiceconnector_types.go
index d15270a32c..715aa73b93 100755
--- a/apis/chime/v1beta1/zz_voiceconnector_types.go
+++ b/apis/chime/v1beta1/zz_voiceconnector_types.go
@@ -14,10 +14,17 @@ import (
 )
 
 type VoiceConnectorObservation struct {
+
+	// The AWS Region in which the Amazon Chime Voice Connector is created. Default value: us-east-1
+	AwsRegion *string `json:"awsRegion,omitempty" tf:"aws_region,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The outbound host name for the Amazon Chime Voice Connector.
 	OutboundHostName *string `json:"outboundHostName,omitempty" tf:"outbound_host_name,omitempty"`
+
+	// When enabled, requires encryption for the Amazon Chime Voice Connector.
+	RequireEncryption *bool `json:"requireEncryption,omitempty" tf:"require_encryption,omitempty"`
 }
 
 type VoiceConnectorParameters struct {
@@ -32,8 +39,8 @@ type VoiceConnectorParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// When enabled, requires encryption for the Amazon Chime Voice Connector.
-	// +kubebuilder:validation:Required
-	RequireEncryption *bool `json:"requireEncryption" tf:"require_encryption,omitempty"`
+	// +kubebuilder:validation:Optional
+	RequireEncryption *bool `json:"requireEncryption,omitempty" tf:"require_encryption,omitempty"`
 }
 
 // VoiceConnectorSpec defines the desired state of VoiceConnector
@@ -60,8 +67,9 @@ type VoiceConnectorStatus struct {
 type VoiceConnector struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VoiceConnectorSpec   `json:"spec"`
-	Status            VoiceConnectorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.requireEncryption)",message="requireEncryption is a required parameter"
+	Spec   VoiceConnectorSpec   `json:"spec"`
+	Status VoiceConnectorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/chime/v1beta1/zz_voiceconnectorgroup_types.go b/apis/chime/v1beta1/zz_voiceconnectorgroup_types.go
index f4619f98a5..852e3e005a 100755
--- a/apis/chime/v1beta1/zz_voiceconnectorgroup_types.go
+++ b/apis/chime/v1beta1/zz_voiceconnectorgroup_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ConnectorObservation struct {
+
+	// The priority associated with the Amazon Chime Voice Connector, with 1 being the highest priority. Higher priority Amazon Chime Voice Connectors are attempted first.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// The Amazon Chime Voice Connector ID.
+	VoiceConnectorID *string `json:"voiceConnectorId,omitempty" tf:"voice_connector_id,omitempty"`
 }
 
 type ConnectorParameters struct {
@@ -39,6 +45,9 @@ type ConnectorParameters struct {
 
 type VoiceConnectorGroupObservation struct {
 
+	// The Amazon Chime Voice Connectors to route inbound calls to.
+	Connector []ConnectorObservation `json:"connector,omitempty" tf:"connector,omitempty"`
+
 	// Amazon Chime Voice Connector group ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
diff --git a/apis/chime/v1beta1/zz_voiceconnectorlogging_types.go b/apis/chime/v1beta1/zz_voiceconnectorlogging_types.go
index 7210d30a5b..0835a7c2b9 100755
--- a/apis/chime/v1beta1/zz_voiceconnectorlogging_types.go
+++ b/apis/chime/v1beta1/zz_voiceconnectorlogging_types.go
@@ -15,8 +15,17 @@ import (
 
 type VoiceConnectorLoggingObservation struct {
 
+	// When true, enables logging of detailed media metrics for Voice Connectors to Amazon CloudWatch logs.
+	EnableMediaMetricLogs *bool `json:"enableMediaMetricLogs,omitempty" tf:"enable_media_metric_logs,omitempty"`
+
+	// When true, enables SIP message logs for sending to Amazon CloudWatch Logs.
+	EnableSIPLogs *bool `json:"enableSipLogs,omitempty" tf:"enable_sip_logs,omitempty"`
+
 	// The Amazon Chime Voice Connector ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Amazon Chime Voice Connector ID.
+	VoiceConnectorID *string `json:"voiceConnectorId,omitempty" tf:"voice_connector_id,omitempty"`
 }
 
 type VoiceConnectorLoggingParameters struct {
diff --git a/apis/chime/v1beta1/zz_voiceconnectororigination_types.go b/apis/chime/v1beta1/zz_voiceconnectororigination_types.go
index 80662b2faf..77e68ed1b1 100755
--- a/apis/chime/v1beta1/zz_voiceconnectororigination_types.go
+++ b/apis/chime/v1beta1/zz_voiceconnectororigination_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type RouteObservation struct {
+
+	// The FQDN or IP address to contact for origination traffic.
+	Host *string `json:"host,omitempty" tf:"host,omitempty"`
+
+	// The designated origination route port. Defaults to 5060.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The priority associated with the host, with 1 being the highest priority. Higher priority hosts are attempted first.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// The protocol to use for the origination route. Encryption-enabled Amazon Chime Voice Connectors use TCP protocol by default.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// The weight associated with the host. If hosts are equal in priority, calls are redistributed among them based on their relative weight.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type RouteParameters struct {
@@ -41,8 +56,17 @@ type RouteParameters struct {
 
 type VoiceConnectorOriginationObservation struct {
 
+	// When origination settings are disabled, inbound calls are not enabled for your Amazon Chime Voice Connector.
+	Disabled *bool `json:"disabled,omitempty" tf:"disabled,omitempty"`
+
 	// The Amazon Chime Voice Connector ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Set of call distribution properties defined for your SIP hosts. See route below for more details. Minimum of 1. Maximum of 20.
+	Route []RouteObservation `json:"route,omitempty" tf:"route,omitempty"`
+
+	// The Amazon Chime Voice Connector ID.
+	VoiceConnectorID *string `json:"voiceConnectorId,omitempty" tf:"voice_connector_id,omitempty"`
 }
 
 type VoiceConnectorOriginationParameters struct {
@@ -57,8 +81,8 @@ type VoiceConnectorOriginationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Set of call distribution properties defined for your SIP hosts. See route below for more details. Minimum of 1. Maximum of 20.
-	// +kubebuilder:validation:Required
-	Route []RouteParameters `json:"route" tf:"route,omitempty"`
+	// +kubebuilder:validation:Optional
+	Route []RouteParameters `json:"route,omitempty" tf:"route,omitempty"`
 
 	// The Amazon Chime Voice Connector ID.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/chime/v1beta1.VoiceConnector
@@ -99,8 +123,9 @@ type VoiceConnectorOriginationStatus struct {
 type VoiceConnectorOrigination struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VoiceConnectorOriginationSpec   `json:"spec"`
-	Status            VoiceConnectorOriginationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.route)",message="route is a required parameter"
+	Spec   VoiceConnectorOriginationSpec   `json:"spec"`
+	Status VoiceConnectorOriginationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/chime/v1beta1/zz_voiceconnectorstreaming_types.go b/apis/chime/v1beta1/zz_voiceconnectorstreaming_types.go
index 3b27647059..fa06ffc16d 100755
--- a/apis/chime/v1beta1/zz_voiceconnectorstreaming_types.go
+++ b/apis/chime/v1beta1/zz_voiceconnectorstreaming_types.go
@@ -15,15 +15,27 @@ import (
 
 type VoiceConnectorStreamingObservation struct {
 
+	// The retention period, in hours, for the Amazon Kinesis data.
+	DataRetention *float64 `json:"dataRetention,omitempty" tf:"data_retention,omitempty"`
+
+	// When true, media streaming to Amazon Kinesis is turned off. Default: false
+	Disabled *bool `json:"disabled,omitempty" tf:"disabled,omitempty"`
+
 	// The Amazon Chime Voice Connector ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The streaming notification targets. Valid Values: EventBridge | SNS | SQS
+	StreamingNotificationTargets []*string `json:"streamingNotificationTargets,omitempty" tf:"streaming_notification_targets,omitempty"`
+
+	// The Amazon Chime Voice Connector ID.
+	VoiceConnectorID *string `json:"voiceConnectorId,omitempty" tf:"voice_connector_id,omitempty"`
 }
 
 type VoiceConnectorStreamingParameters struct {
 
 	// The retention period, in hours, for the Amazon Kinesis data.
-	// +kubebuilder:validation:Required
-	DataRetention *float64 `json:"dataRetention" tf:"data_retention,omitempty"`
+	// +kubebuilder:validation:Optional
+	DataRetention *float64 `json:"dataRetention,omitempty" tf:"data_retention,omitempty"`
 
 	// When true, media streaming to Amazon Kinesis is turned off. Default: false
 	// +kubebuilder:validation:Optional
@@ -77,8 +89,9 @@ type VoiceConnectorStreamingStatus struct {
 type VoiceConnectorStreaming struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VoiceConnectorStreamingSpec   `json:"spec"`
-	Status            VoiceConnectorStreamingStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataRetention)",message="dataRetention is a required parameter"
+	Spec   VoiceConnectorStreamingSpec   `json:"spec"`
+	Status VoiceConnectorStreamingStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/chime/v1beta1/zz_voiceconnectortermination_types.go b/apis/chime/v1beta1/zz_voiceconnectortermination_types.go
index 0ba24e2318..dd79e44b91 100755
--- a/apis/chime/v1beta1/zz_voiceconnectortermination_types.go
+++ b/apis/chime/v1beta1/zz_voiceconnectortermination_types.go
@@ -15,19 +15,37 @@ import (
 
 type VoiceConnectorTerminationObservation struct {
 
+	// The countries to which calls are allowed, in ISO 3166-1 alpha-2 format.
+	CallingRegions []*string `json:"callingRegions,omitempty" tf:"calling_regions,omitempty"`
+
+	// The IP addresses allowed to make calls, in CIDR format.
+	CidrAllowList []*string `json:"cidrAllowList,omitempty" tf:"cidr_allow_list,omitempty"`
+
+	// The limit on calls per second. Max value based on account service quota. Default value of 1.
+	CpsLimit *float64 `json:"cpsLimit,omitempty" tf:"cps_limit,omitempty"`
+
+	// The default caller ID phone number.
+	DefaultPhoneNumber *string `json:"defaultPhoneNumber,omitempty" tf:"default_phone_number,omitempty"`
+
+	// When termination settings are disabled, outbound calls can not be made.
+	Disabled *bool `json:"disabled,omitempty" tf:"disabled,omitempty"`
+
 	// The Amazon Chime Voice Connector ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Amazon Chime Voice Connector ID.
+	VoiceConnectorID *string `json:"voiceConnectorId,omitempty" tf:"voice_connector_id,omitempty"`
 }
 
 type VoiceConnectorTerminationParameters struct {
 
 	// The countries to which calls are allowed, in ISO 3166-1 alpha-2 format.
-	// +kubebuilder:validation:Required
-	CallingRegions []*string `json:"callingRegions" tf:"calling_regions,omitempty"`
+	// +kubebuilder:validation:Optional
+	CallingRegions []*string `json:"callingRegions,omitempty" tf:"calling_regions,omitempty"`
 
 	// The IP addresses allowed to make calls, in CIDR format.
-	// +kubebuilder:validation:Required
-	CidrAllowList []*string `json:"cidrAllowList" tf:"cidr_allow_list,omitempty"`
+	// +kubebuilder:validation:Optional
+	CidrAllowList []*string `json:"cidrAllowList,omitempty" tf:"cidr_allow_list,omitempty"`
 
 	// The limit on calls per second. Max value based on account service quota. Default value of 1.
 	// +kubebuilder:validation:Optional
@@ -85,8 +103,10 @@ type VoiceConnectorTerminationStatus struct {
 type VoiceConnectorTermination struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VoiceConnectorTerminationSpec   `json:"spec"`
-	Status            VoiceConnectorTerminationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.callingRegions)",message="callingRegions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cidrAllowList)",message="cidrAllowList is a required parameter"
+	Spec   VoiceConnectorTerminationSpec   `json:"spec"`
+	Status VoiceConnectorTerminationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/chime/v1beta1/zz_voiceconnectorterminationcredentials_types.go b/apis/chime/v1beta1/zz_voiceconnectorterminationcredentials_types.go
index f23f178b29..95e748550b 100755
--- a/apis/chime/v1beta1/zz_voiceconnectorterminationcredentials_types.go
+++ b/apis/chime/v1beta1/zz_voiceconnectorterminationcredentials_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type CredentialsObservation struct {
+
+	// RFC2617 compliant username associated with the SIP credentials.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type CredentialsParameters struct {
@@ -29,15 +32,21 @@ type CredentialsParameters struct {
 
 type VoiceConnectorTerminationCredentialsObservation struct {
 
+	// List of termination SIP credentials.
+	Credentials []CredentialsObservation `json:"credentials,omitempty" tf:"credentials,omitempty"`
+
 	// Amazon Chime Voice Connector ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amazon Chime Voice Connector ID.
+	VoiceConnectorID *string `json:"voiceConnectorId,omitempty" tf:"voice_connector_id,omitempty"`
 }
 
 type VoiceConnectorTerminationCredentialsParameters struct {
 
 	// List of termination SIP credentials.
-	// +kubebuilder:validation:Required
-	Credentials []CredentialsParameters `json:"credentials" tf:"credentials,omitempty"`
+	// +kubebuilder:validation:Optional
+	Credentials []CredentialsParameters `json:"credentials,omitempty" tf:"credentials,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,8 +92,9 @@ type VoiceConnectorTerminationCredentialsStatus struct {
 type VoiceConnectorTerminationCredentials struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VoiceConnectorTerminationCredentialsSpec   `json:"spec"`
-	Status            VoiceConnectorTerminationCredentialsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.credentials)",message="credentials is a required parameter"
+	Spec   VoiceConnectorTerminationCredentialsSpec   `json:"spec"`
+	Status VoiceConnectorTerminationCredentialsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloud9/v1beta1/zz_environmentec2_types.go b/apis/cloud9/v1beta1/zz_environmentec2_types.go
index 7a0fb949f2..09a53db75c 100755
--- a/apis/cloud9/v1beta1/zz_environmentec2_types.go
+++ b/apis/cloud9/v1beta1/zz_environmentec2_types.go
@@ -18,9 +18,36 @@ type EnvironmentEC2Observation struct {
 	// The ARN of the environment.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The number of minutes until the running instance is shut down after the environment has last been used.
+	AutomaticStopTimeMinutes *float64 `json:"automaticStopTimeMinutes,omitempty" tf:"automatic_stop_time_minutes,omitempty"`
+
+	// The connection type used for connecting to an Amazon EC2 environment. Valid values are CONNECT_SSH and CONNECT_SSM. For more information please refer AWS documentation for Cloud9.
+	ConnectionType *string `json:"connectionType,omitempty" tf:"connection_type,omitempty"`
+
+	// The description of the environment.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the environment.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The identifier for the Amazon Machine Image (AMI) that's used to create the EC2 instance. Valid values are
+	ImageID *string `json:"imageId,omitempty" tf:"image_id,omitempty"`
+
+	// The type of instance to connect to the environment, e.g., t2.micro.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The name of the environment.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ARN of the environment owner. This can be ARN of any AWS IAM principal. Defaults to the environment's creator.
+	OwnerArn *string `json:"ownerArn,omitempty" tf:"owner_arn,omitempty"`
+
+	// The ID of the subnet in Amazon VPC that AWS Cloud9 will use to communicate with the Amazon EC2 instance.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -47,12 +74,12 @@ type EnvironmentEC2Parameters struct {
 	ImageID *string `json:"imageId,omitempty" tf:"image_id,omitempty"`
 
 	// The type of instance to connect to the environment, e.g., t2.micro.
-	// +kubebuilder:validation:Required
-	InstanceType *string `json:"instanceType" tf:"instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
 
 	// The name of the environment.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The ARN of the environment owner. This can be ARN of any AWS IAM principal. Defaults to the environment's creator.
 	// +kubebuilder:validation:Optional
@@ -105,8 +132,10 @@ type EnvironmentEC2Status struct {
 type EnvironmentEC2 struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EnvironmentEC2Spec   `json:"spec"`
-	Status            EnvironmentEC2Status `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)",message="instanceType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   EnvironmentEC2Spec   `json:"spec"`
+	Status EnvironmentEC2Status `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloud9/v1beta1/zz_environmentmembership_types.go b/apis/cloud9/v1beta1/zz_environmentmembership_types.go
index 8d64370c2b..d16916eca4 100755
--- a/apis/cloud9/v1beta1/zz_environmentmembership_types.go
+++ b/apis/cloud9/v1beta1/zz_environmentmembership_types.go
@@ -15,9 +15,18 @@ import (
 
 type EnvironmentMembershipObservation struct {
 
+	// The ID of the environment that contains the environment member you want to add.
+	EnvironmentID *string `json:"environmentId,omitempty" tf:"environment_id,omitempty"`
+
 	// The ID of the environment membership.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The type of environment member permissions you want to associate with this environment member. Allowed values are read-only and read-write .
+	Permissions *string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the environment member you want to add.
+	UserArn *string `json:"userArn,omitempty" tf:"user_arn,omitempty"`
+
 	// he user ID in AWS Identity and Access Management (AWS IAM) of the environment member.
 	UserID *string `json:"userId,omitempty" tf:"user_id,omitempty"`
 }
@@ -39,8 +48,8 @@ type EnvironmentMembershipParameters struct {
 	EnvironmentIDSelector *v1.Selector `json:"environmentIdSelector,omitempty" tf:"-"`
 
 	// The type of environment member permissions you want to associate with this environment member. Allowed values are read-only and read-write .
-	// +kubebuilder:validation:Required
-	Permissions *string `json:"permissions" tf:"permissions,omitempty"`
+	// +kubebuilder:validation:Optional
+	Permissions *string `json:"permissions,omitempty" tf:"permissions,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -86,8 +95,9 @@ type EnvironmentMembershipStatus struct {
 type EnvironmentMembership struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EnvironmentMembershipSpec   `json:"spec"`
-	Status            EnvironmentMembershipStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissions)",message="permissions is a required parameter"
+	Spec   EnvironmentMembershipSpec   `json:"spec"`
+	Status EnvironmentMembershipStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloud9/v1beta1/zz_generated.deepcopy.go b/apis/cloud9/v1beta1/zz_generated.deepcopy.go
index 2a74b38894..4dbcfb897e 100644
--- a/apis/cloud9/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloud9/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,66 @@ func (in *EnvironmentEC2Observation) DeepCopyInto(out *EnvironmentEC2Observation
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutomaticStopTimeMinutes != nil {
+		in, out := &in.AutomaticStopTimeMinutes, &out.AutomaticStopTimeMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ConnectionType != nil {
+		in, out := &in.ConnectionType, &out.ConnectionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageID != nil {
+		in, out := &in.ImageID, &out.ImageID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OwnerArn != nil {
+		in, out := &in.OwnerArn, &out.OwnerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -299,11 +354,26 @@ func (in *EnvironmentMembershipList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvironmentMembershipObservation) DeepCopyInto(out *EnvironmentMembershipObservation) {
 	*out = *in
+	if in.EnvironmentID != nil {
+		in, out := &in.EnvironmentID, &out.EnvironmentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserArn != nil {
+		in, out := &in.UserArn, &out.UserArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.UserID != nil {
 		in, out := &in.UserID, &out.UserID
 		*out = new(string)
diff --git a/apis/cloudcontrol/v1beta1/zz_generated.deepcopy.go b/apis/cloudcontrol/v1beta1/zz_generated.deepcopy.go
index c0800f067b..6af0c69e54 100644
--- a/apis/cloudcontrol/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudcontrol/v1beta1/zz_generated.deepcopy.go
@@ -76,6 +76,11 @@ func (in *ResourceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceObservation) DeepCopyInto(out *ResourceObservation) {
 	*out = *in
+	if in.DesiredState != nil {
+		in, out := &in.DesiredState, &out.DesiredState
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -86,6 +91,21 @@ func (in *ResourceObservation) DeepCopyInto(out *ResourceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TypeName != nil {
+		in, out := &in.TypeName, &out.TypeName
+		*out = new(string)
+		**out = **in
+	}
+	if in.TypeVersionID != nil {
+		in, out := &in.TypeVersionID, &out.TypeVersionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceObservation.
diff --git a/apis/cloudcontrol/v1beta1/zz_resource_types.go b/apis/cloudcontrol/v1beta1/zz_resource_types.go
index f3a78a448c..f486e5ad08 100755
--- a/apis/cloudcontrol/v1beta1/zz_resource_types.go
+++ b/apis/cloudcontrol/v1beta1/zz_resource_types.go
@@ -14,17 +14,30 @@ import (
 )
 
 type ResourceObservation struct {
+
+	// JSON string matching the CloudFormation resource type schema with desired configuration.
+	DesiredState *string `json:"desiredState,omitempty" tf:"desired_state,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// JSON string matching the CloudFormation resource type schema with current configuration. Underlying attributes can be referenced via the jsondecode() function, for example, jsondecode(data.aws_cloudcontrolapi_resource.example.properties)["example"].
 	Properties *string `json:"properties,omitempty" tf:"properties,omitempty"`
+
+	// Amazon Resource Name (ARN) of the IAM Role to assume for operations.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// CloudFormation resource type name. For example, AWS::EC2::VPC.
+	TypeName *string `json:"typeName,omitempty" tf:"type_name,omitempty"`
+
+	// Identifier of the CloudFormation resource type version.
+	TypeVersionID *string `json:"typeVersionId,omitempty" tf:"type_version_id,omitempty"`
 }
 
 type ResourceParameters struct {
 
 	// JSON string matching the CloudFormation resource type schema with desired configuration.
-	// +kubebuilder:validation:Required
-	DesiredState *string `json:"desiredState" tf:"desired_state,omitempty"`
+	// +kubebuilder:validation:Optional
+	DesiredState *string `json:"desiredState,omitempty" tf:"desired_state,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -50,8 +63,8 @@ type ResourceParameters struct {
 	SchemaSecretRef *v1.SecretKeySelector `json:"schemaSecretRef,omitempty" tf:"-"`
 
 	// CloudFormation resource type name. For example, AWS::EC2::VPC.
-	// +kubebuilder:validation:Required
-	TypeName *string `json:"typeName" tf:"type_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	TypeName *string `json:"typeName,omitempty" tf:"type_name,omitempty"`
 
 	// Identifier of the CloudFormation resource type version.
 	// +kubebuilder:validation:Optional
@@ -82,8 +95,10 @@ type ResourceStatus struct {
 type Resource struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceSpec   `json:"spec"`
-	Status            ResourceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.desiredState)",message="desiredState is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.typeName)",message="typeName is a required parameter"
+	Spec   ResourceSpec   `json:"spec"`
+	Status ResourceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudformation/v1beta1/zz_generated.deepcopy.go b/apis/cloudformation/v1beta1/zz_generated.deepcopy.go
index 3844d4b4f5..9e967fad95 100644
--- a/apis/cloudformation/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudformation/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoDeploymentObservation) DeepCopyInto(out *AutoDeploymentObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RetainStacksOnAccountRemoval != nil {
+		in, out := &in.RetainStacksOnAccountRemoval, &out.RetainStacksOnAccountRemoval
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoDeploymentObservation.
@@ -57,6 +67,42 @@ func (in *AutoDeploymentParameters) DeepCopy() *AutoDeploymentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OperationPreferencesObservation) DeepCopyInto(out *OperationPreferencesObservation) {
 	*out = *in
+	if in.FailureToleranceCount != nil {
+		in, out := &in.FailureToleranceCount, &out.FailureToleranceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FailureTolerancePercentage != nil {
+		in, out := &in.FailureTolerancePercentage, &out.FailureTolerancePercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxConcurrentCount != nil {
+		in, out := &in.MaxConcurrentCount, &out.MaxConcurrentCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxConcurrentPercentage != nil {
+		in, out := &in.MaxConcurrentPercentage, &out.MaxConcurrentPercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RegionConcurrencyType != nil {
+		in, out := &in.RegionConcurrencyType, &out.RegionConcurrencyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegionOrder != nil {
+		in, out := &in.RegionOrder, &out.RegionOrder
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperationPreferencesObservation.
@@ -182,11 +228,53 @@ func (in *StackList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 	*out = *in
+	if in.Capabilities != nil {
+		in, out := &in.Capabilities, &out.Capabilities
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DisableRollback != nil {
+		in, out := &in.DisableRollback, &out.DisableRollback
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationArns != nil {
+		in, out := &in.NotificationArns, &out.NotificationArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OnFailure != nil {
+		in, out := &in.OnFailure, &out.OnFailure
+		*out = new(string)
+		**out = **in
+	}
 	if in.Outputs != nil {
 		in, out := &in.Outputs, &out.Outputs
 		*out = make(map[string]*string, len(*in))
@@ -202,6 +290,46 @@ func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.PolicyBody != nil {
+		in, out := &in.PolicyBody, &out.PolicyBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.PolicyURL != nil {
+		in, out := &in.PolicyURL, &out.PolicyURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -217,6 +345,21 @@ func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TemplateBody != nil {
+		in, out := &in.TemplateBody, &out.TemplateBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplateURL != nil {
+		in, out := &in.TemplateURL, &out.TemplateURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeoutInMinutes != nil {
+		in, out := &in.TimeoutInMinutes, &out.TimeoutInMinutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StackObservation.
@@ -418,21 +561,101 @@ func (in *StackSetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StackSetObservation) DeepCopyInto(out *StackSetObservation) {
 	*out = *in
+	if in.AdministrationRoleArn != nil {
+		in, out := &in.AdministrationRoleArn, &out.AdministrationRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoDeployment != nil {
+		in, out := &in.AutoDeployment, &out.AutoDeployment
+		*out = make([]AutoDeploymentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CallAs != nil {
+		in, out := &in.CallAs, &out.CallAs
+		*out = new(string)
+		**out = **in
+	}
+	if in.Capabilities != nil {
+		in, out := &in.Capabilities, &out.Capabilities
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExecutionRoleName != nil {
+		in, out := &in.ExecutionRoleName, &out.ExecutionRoleName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OperationPreferences != nil {
+		in, out := &in.OperationPreferences, &out.OperationPreferences
+		*out = make([]OperationPreferencesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.PermissionModel != nil {
+		in, out := &in.PermissionModel, &out.PermissionModel
+		*out = new(string)
+		**out = **in
+	}
 	if in.StackSetID != nil {
 		in, out := &in.StackSetID, &out.StackSetID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -448,6 +671,16 @@ func (in *StackSetObservation) DeepCopyInto(out *StackSetObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TemplateBody != nil {
+		in, out := &in.TemplateBody, &out.TemplateBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplateURL != nil {
+		in, out := &in.TemplateURL, &out.TemplateURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StackSetObservation.
diff --git a/apis/cloudformation/v1beta1/zz_stack_types.go b/apis/cloudformation/v1beta1/zz_stack_types.go
index 48ef5713eb..c73336e1f0 100755
--- a/apis/cloudformation/v1beta1/zz_stack_types.go
+++ b/apis/cloudformation/v1beta1/zz_stack_types.go
@@ -15,14 +15,58 @@ import (
 
 type StackObservation struct {
 
+	// A list of capabilities.
+	// Valid values: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, or CAPABILITY_AUTO_EXPAND
+	Capabilities []*string `json:"capabilities,omitempty" tf:"capabilities,omitempty"`
+
+	// Set to true to disable rollback of the stack if stack creation failed.
+	// Conflicts with on_failure.
+	DisableRollback *bool `json:"disableRollback,omitempty" tf:"disable_rollback,omitempty"`
+
+	// The ARN of an IAM role that AWS CloudFormation assumes to create the stack. If you don't specify a value, AWS CloudFormation uses the role that was previously associated with the stack. If no role is available, AWS CloudFormation uses a temporary session that is generated from your user credentials.
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	// A unique identifier of the stack.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Stack name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of SNS topic ARNs to publish stack related events.
+	NotificationArns []*string `json:"notificationArns,omitempty" tf:"notification_arns,omitempty"`
+
+	// Action to be taken if stack creation fails. This must be
+	// one of: DO_NOTHING, ROLLBACK, or DELETE. Conflicts with disable_rollback.
+	OnFailure *string `json:"onFailure,omitempty" tf:"on_failure,omitempty"`
+
 	// A map of outputs from the stack.
 	Outputs map[string]*string `json:"outputs,omitempty" tf:"outputs,omitempty"`
 
+	// A map of Parameter structures that specify input parameters for the stack.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Structure containing the stack policy body.
+	// Conflicts w/ policy_url.
+	PolicyBody *string `json:"policyBody,omitempty" tf:"policy_body,omitempty"`
+
+	// Location of a file containing the stack policy.
+	// Conflicts w/ policy_body.
+	PolicyURL *string `json:"policyUrl,omitempty" tf:"policy_url,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Structure containing the template body (max size: 51,200 bytes).
+	TemplateBody *string `json:"templateBody,omitempty" tf:"template_body,omitempty"`
+
+	// Location of a file containing the template body (max size: 460,800 bytes).
+	TemplateURL *string `json:"templateUrl,omitempty" tf:"template_url,omitempty"`
+
+	// The amount of time that can pass before the stack status becomes CREATE_FAILED.
+	TimeoutInMinutes *float64 `json:"timeoutInMinutes,omitempty" tf:"timeout_in_minutes,omitempty"`
 }
 
 type StackParameters struct {
diff --git a/apis/cloudformation/v1beta1/zz_stackset_types.go b/apis/cloudformation/v1beta1/zz_stackset_types.go
index 3b55d15a87..6e605f2d53 100755
--- a/apis/cloudformation/v1beta1/zz_stackset_types.go
+++ b/apis/cloudformation/v1beta1/zz_stackset_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AutoDeploymentObservation struct {
+
+	// Whether or not auto-deployment is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Whether or not to retain stacks when the account is removed.
+	RetainStacksOnAccountRemoval *bool `json:"retainStacksOnAccountRemoval,omitempty" tf:"retain_stacks_on_account_removal,omitempty"`
 }
 
 type AutoDeploymentParameters struct {
@@ -28,6 +34,24 @@ type AutoDeploymentParameters struct {
 }
 
 type OperationPreferencesObservation struct {
+
+	// The number of accounts, per Region, for which this operation can fail before AWS CloudFormation stops the operation in that Region.
+	FailureToleranceCount *float64 `json:"failureToleranceCount,omitempty" tf:"failure_tolerance_count,omitempty"`
+
+	// The percentage of accounts, per Region, for which this stack operation can fail before AWS CloudFormation stops the operation in that Region.
+	FailureTolerancePercentage *float64 `json:"failureTolerancePercentage,omitempty" tf:"failure_tolerance_percentage,omitempty"`
+
+	// The maximum number of accounts in which to perform this operation at one time.
+	MaxConcurrentCount *float64 `json:"maxConcurrentCount,omitempty" tf:"max_concurrent_count,omitempty"`
+
+	// The maximum percentage of accounts in which to perform this operation at one time.
+	MaxConcurrentPercentage *float64 `json:"maxConcurrentPercentage,omitempty" tf:"max_concurrent_percentage,omitempty"`
+
+	// The concurrency type of deploying StackSets operations in Regions, could be in parallel or one Region at a time.
+	RegionConcurrencyType *string `json:"regionConcurrencyType,omitempty" tf:"region_concurrency_type,omitempty"`
+
+	// The order of the Regions in where you want to perform the stack operation.
+	RegionOrder []*string `json:"regionOrder,omitempty" tf:"region_order,omitempty"`
 }
 
 type OperationPreferencesParameters struct {
@@ -59,17 +83,53 @@ type OperationPreferencesParameters struct {
 
 type StackSetObservation struct {
 
+	// Amazon Resource Number (ARN) of the IAM Role in the administrator account. This must be defined when using the SELF_MANAGED permission model.
+	AdministrationRoleArn *string `json:"administrationRoleArn,omitempty" tf:"administration_role_arn,omitempty"`
+
 	// Amazon Resource Name (ARN) of the StackSet.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block containing the auto-deployment model for your StackSet. This can only be defined when using the SERVICE_MANAGED permission model.
+	AutoDeployment []AutoDeploymentObservation `json:"autoDeployment,omitempty" tf:"auto_deployment,omitempty"`
+
+	// Specifies whether you are acting as an account administrator in the organization's management account or as a delegated administrator in a member account. Valid values: SELF (default), DELEGATED_ADMIN.
+	CallAs *string `json:"callAs,omitempty" tf:"call_as,omitempty"`
+
+	// A list of capabilities. Valid values: CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_AUTO_EXPAND.
+	Capabilities []*string `json:"capabilities,omitempty" tf:"capabilities,omitempty"`
+
+	// Description of the StackSet.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Name of the IAM Role in all target accounts for StackSet operations. Defaults to AWSCloudFormationStackSetExecutionRole when using the SELF_MANAGED permission model. This should not be defined when using the SERVICE_MANAGED permission model.
+	ExecutionRoleName *string `json:"executionRoleName,omitempty" tf:"execution_role_name,omitempty"`
+
 	// Name of the StackSet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Preferences for how AWS CloudFormation performs a stack set update.
+	OperationPreferences []OperationPreferencesObservation `json:"operationPreferences,omitempty" tf:"operation_preferences,omitempty"`
+
+	// Key-value map of input parameters for the StackSet template. All template parameters, including those with a Default, must be configured or ignored with lifecycle configuration block ignore_changes argument. All NoEcho template parameters must be ignored with the lifecycle configuration block ignore_changes argument.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Describes how the IAM roles required for your StackSet are created. Valid values: SELF_MANAGED (default), SERVICE_MANAGED.
+	PermissionModel *string `json:"permissionModel,omitempty" tf:"permission_model,omitempty"`
+
 	// Unique identifier of the StackSet.
 	StackSetID *string `json:"stackSetId,omitempty" tf:"stack_set_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// String containing the CloudFormation template body. Maximum size: 51,200 bytes. Conflicts with template_url.
+	TemplateBody *string `json:"templateBody,omitempty" tf:"template_body,omitempty"`
+
+	// String containing the location of a file containing the CloudFormation template body. The URL must point to a template that is located in an Amazon S3 bucket. Maximum location file size: 460,800 bytes. Conflicts with template_body.
+	TemplateURL *string `json:"templateUrl,omitempty" tf:"template_url,omitempty"`
 }
 
 type StackSetParameters struct {
diff --git a/apis/cloudfront/v1beta1/zz_cachepolicy_types.go b/apis/cloudfront/v1beta1/zz_cachepolicy_types.go
index 3c4101cd11..4042555d56 100755
--- a/apis/cloudfront/v1beta1/zz_cachepolicy_types.go
+++ b/apis/cloudfront/v1beta1/zz_cachepolicy_types.go
@@ -15,11 +15,29 @@ import (
 
 type CachePolicyObservation struct {
 
+	// A comment to describe the cache policy.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// The default amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated.
+	DefaultTTL *float64 `json:"defaultTtl,omitempty" tf:"default_ttl,omitempty"`
+
 	// The current version of the cache policy.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
 	// The identifier for the cache policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The maximum amount of time, in seconds, that objects stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated.
+	MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"`
+
+	// The minimum amount of time, in seconds, that you want objects to stay in the CloudFront cache before CloudFront sends another request to the origin to see if the object has been updated.
+	MinTTL *float64 `json:"minTtl,omitempty" tf:"min_ttl,omitempty"`
+
+	// A unique name to identify the cache policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The HTTP headers, cookies, and URL query strings to include in the cache key. See Parameters In Cache Key And Forwarded To Origin for more information.
+	ParametersInCacheKeyAndForwardedToOrigin []ParametersInCacheKeyAndForwardedToOriginObservation `json:"parametersInCacheKeyAndForwardedToOrigin,omitempty" tf:"parameters_in_cache_key_and_forwarded_to_origin,omitempty"`
 }
 
 type CachePolicyParameters struct {
@@ -41,12 +59,12 @@ type CachePolicyParameters struct {
 	MinTTL *float64 `json:"minTtl,omitempty" tf:"min_ttl,omitempty"`
 
 	// A unique name to identify the cache policy.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The HTTP headers, cookies, and URL query strings to include in the cache key. See Parameters In Cache Key And Forwarded To Origin for more information.
-	// +kubebuilder:validation:Required
-	ParametersInCacheKeyAndForwardedToOrigin []ParametersInCacheKeyAndForwardedToOriginParameters `json:"parametersInCacheKeyAndForwardedToOrigin" tf:"parameters_in_cache_key_and_forwarded_to_origin,omitempty"`
+	// +kubebuilder:validation:Optional
+	ParametersInCacheKeyAndForwardedToOrigin []ParametersInCacheKeyAndForwardedToOriginParameters `json:"parametersInCacheKeyAndForwardedToOrigin,omitempty" tf:"parameters_in_cache_key_and_forwarded_to_origin,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -55,6 +73,12 @@ type CachePolicyParameters struct {
 }
 
 type CookiesConfigObservation struct {
+
+	// Determines whether any cookies in viewer requests are included in the cache key and automatically included in requests that CloudFront sends to the origin. Valid values are none, whitelist, allExcept, all.
+	CookieBehavior *string `json:"cookieBehavior,omitempty" tf:"cookie_behavior,omitempty"`
+
+	// Object that contains a list of cookie names. See Items for more information.
+	Cookies []CookiesObservation `json:"cookies,omitempty" tf:"cookies,omitempty"`
 }
 
 type CookiesConfigParameters struct {
@@ -69,6 +93,9 @@ type CookiesConfigParameters struct {
 }
 
 type CookiesObservation struct {
+
+	// A list of item names (cookies, headers, or query strings).
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type CookiesParameters struct {
@@ -79,6 +106,12 @@ type CookiesParameters struct {
 }
 
 type HeadersConfigObservation struct {
+
+	// Determines whether any HTTP headers are included in the cache key and automatically included in requests that CloudFront sends to the origin. Valid values are none, whitelist.
+	HeaderBehavior *string `json:"headerBehavior,omitempty" tf:"header_behavior,omitempty"`
+
+	// Object that contains a list of header names. See Items for more information.
+	Headers []HeadersObservation `json:"headers,omitempty" tf:"headers,omitempty"`
 }
 
 type HeadersConfigParameters struct {
@@ -93,6 +126,9 @@ type HeadersConfigParameters struct {
 }
 
 type HeadersObservation struct {
+
+	// A list of item names (cookies, headers, or query strings).
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type HeadersParameters struct {
@@ -103,6 +139,21 @@ type HeadersParameters struct {
 }
 
 type ParametersInCacheKeyAndForwardedToOriginObservation struct {
+
+	// Object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the cache key and automatically included in requests that CloudFront sends to the origin. See Cookies Config for more information.
+	CookiesConfig []CookiesConfigObservation `json:"cookiesConfig,omitempty" tf:"cookies_config,omitempty"`
+
+	// A flag that can affect whether the Accept-Encoding HTTP header is included in the cache key and included in requests that CloudFront sends to the origin.
+	EnableAcceptEncodingBrotli *bool `json:"enableAcceptEncodingBrotli,omitempty" tf:"enable_accept_encoding_brotli,omitempty"`
+
+	// A flag that can affect whether the Accept-Encoding HTTP header is included in the cache key and included in requests that CloudFront sends to the origin.
+	EnableAcceptEncodingGzip *bool `json:"enableAcceptEncodingGzip,omitempty" tf:"enable_accept_encoding_gzip,omitempty"`
+
+	// Object that determines whether any HTTP headers (and if so, which headers) are included in the cache key and automatically included in requests that CloudFront sends to the origin. See Headers Config for more information.
+	HeadersConfig []HeadersConfigObservation `json:"headersConfig,omitempty" tf:"headers_config,omitempty"`
+
+	// Object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the cache key and automatically included in requests that CloudFront sends to the origin. See Query String Config for more information.
+	QueryStringsConfig []QueryStringsConfigObservation `json:"queryStringsConfig,omitempty" tf:"query_strings_config,omitempty"`
 }
 
 type ParametersInCacheKeyAndForwardedToOriginParameters struct {
@@ -129,6 +180,12 @@ type ParametersInCacheKeyAndForwardedToOriginParameters struct {
 }
 
 type QueryStringsConfigObservation struct {
+
+	// Determines whether any URL query strings in viewer requests are included in the cache key and automatically included in requests that CloudFront sends to the origin. Valid values are none, whitelist, allExcept, all.
+	QueryStringBehavior *string `json:"queryStringBehavior,omitempty" tf:"query_string_behavior,omitempty"`
+
+	// Object that contains a list of query string names. See Items for more information.
+	QueryStrings []QueryStringsObservation `json:"queryStrings,omitempty" tf:"query_strings,omitempty"`
 }
 
 type QueryStringsConfigParameters struct {
@@ -143,6 +200,9 @@ type QueryStringsConfigParameters struct {
 }
 
 type QueryStringsObservation struct {
+
+	// A list of item names (cookies, headers, or query strings).
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type QueryStringsParameters struct {
@@ -176,8 +236,10 @@ type CachePolicyStatus struct {
 type CachePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CachePolicySpec   `json:"spec"`
-	Status            CachePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parametersInCacheKeyAndForwardedToOrigin)",message="parametersInCacheKeyAndForwardedToOrigin is a required parameter"
+	Spec   CachePolicySpec   `json:"spec"`
+	Status CachePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_distribution_types.go b/apis/cloudfront/v1beta1/zz_distribution_types.go
index 7c0816cf39..e7d02fc5bf 100755
--- a/apis/cloudfront/v1beta1/zz_distribution_types.go
+++ b/apis/cloudfront/v1beta1/zz_distribution_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type CustomErrorResponseObservation struct {
+
+	// Minimum amount of time you want HTTP error codes to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated.
+	ErrorCachingMinTTL *float64 `json:"errorCachingMinTtl,omitempty" tf:"error_caching_min_ttl,omitempty"`
+
+	// 4xx or 5xx HTTP status code that you want to customize.
+	ErrorCode *float64 `json:"errorCode,omitempty" tf:"error_code,omitempty"`
+
+	// HTTP status code that you want CloudFront to return with the custom error page to the viewer.
+	ResponseCode *float64 `json:"responseCode,omitempty" tf:"response_code,omitempty"`
+
+	// Path of the custom error page (for example, /custom_404.html).
+	ResponsePagePath *string `json:"responsePagePath,omitempty" tf:"response_page_path,omitempty"`
 }
 
 type CustomErrorResponseParameters struct {
@@ -36,6 +48,9 @@ type CustomErrorResponseParameters struct {
 }
 
 type CustomHeaderObservation struct {
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type CustomHeaderParameters struct {
@@ -48,6 +63,24 @@ type CustomHeaderParameters struct {
 }
 
 type CustomOriginConfigObservation struct {
+
+	// HTTP port the custom origin listens on.
+	HTTPPort *float64 `json:"httpPort,omitempty" tf:"http_port,omitempty"`
+
+	// HTTPS port the custom origin listens on.
+	HTTPSPort *float64 `json:"httpsPort,omitempty" tf:"https_port,omitempty"`
+
+	// The Custom KeepAlive timeout, in seconds. By default, AWS enforces a limit of 60. But you can request an increase.
+	OriginKeepaliveTimeout *float64 `json:"originKeepaliveTimeout,omitempty" tf:"origin_keepalive_timeout,omitempty"`
+
+	// Origin protocol policy to apply to your origin. One of http-only, https-only, or match-viewer.
+	OriginProtocolPolicy *string `json:"originProtocolPolicy,omitempty" tf:"origin_protocol_policy,omitempty"`
+
+	// The Custom Read timeout, in seconds. By default, AWS enforces a limit of 60. But you can request an increase.
+	OriginReadTimeout *float64 `json:"originReadTimeout,omitempty" tf:"origin_read_timeout,omitempty"`
+
+	// SSL/TLS protocols that you want CloudFront to use when communicating with your origin over HTTPS. A list of one or more of SSLv3, TLSv1, TLSv1.1, and TLSv1.2.
+	OriginSSLProtocols []*string `json:"originSslProtocols,omitempty" tf:"origin_ssl_protocols,omitempty"`
 }
 
 type CustomOriginConfigParameters struct {
@@ -78,6 +111,63 @@ type CustomOriginConfigParameters struct {
 }
 
 type DefaultCacheBehaviorObservation struct {
+
+	// Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin.
+	AllowedMethods []*string `json:"allowedMethods,omitempty" tf:"allowed_methods,omitempty"`
+
+	// Unique identifier of the cache policy that is attached to the cache behavior. If configuring the default_cache_behavior either cache_policy_id or forwarded_values must be set.
+	CachePolicyID *string `json:"cachePolicyId,omitempty" tf:"cache_policy_id,omitempty"`
+
+	// Controls whether CloudFront caches the response to requests using the specified HTTP methods.
+	CachedMethods []*string `json:"cachedMethods,omitempty" tf:"cached_methods,omitempty"`
+
+	// Whether you want CloudFront to automatically compress content for web requests that include Accept-Encoding: gzip in the request header (default: false).
+	Compress *bool `json:"compress,omitempty" tf:"compress,omitempty"`
+
+	// Default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header.
+	DefaultTTL *float64 `json:"defaultTtl,omitempty" tf:"default_ttl,omitempty"`
+
+	// Field level encryption configuration ID.
+	FieldLevelEncryptionID *string `json:"fieldLevelEncryptionId,omitempty" tf:"field_level_encryption_id,omitempty"`
+
+	// The forwarded values configuration that specifies how CloudFront handles query strings, cookies and headers (maximum one).
+	ForwardedValues []ForwardedValuesObservation `json:"forwardedValues,omitempty" tf:"forwarded_values,omitempty"`
+
+	// A config block that triggers a cloudfront function with specific actions (maximum 2).
+	FunctionAssociation []FunctionAssociationObservation `json:"functionAssociation,omitempty" tf:"function_association,omitempty"`
+
+	// A config block that triggers a lambda function with specific actions (maximum 4).
+	LambdaFunctionAssociation []LambdaFunctionAssociationObservation `json:"lambdaFunctionAssociation,omitempty" tf:"lambda_function_association,omitempty"`
+
+	// Maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of Cache-Control max-age, Cache-Control s-maxage, and Expires headers.
+	MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"`
+
+	// Minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to 0 seconds.
+	MinTTL *float64 `json:"minTtl,omitempty" tf:"min_ttl,omitempty"`
+
+	// Unique identifier of the origin request policy that is attached to the behavior.
+	OriginRequestPolicyID *string `json:"originRequestPolicyId,omitempty" tf:"origin_request_policy_id,omitempty"`
+
+	// ARN of the real-time log configuration that is attached to this cache behavior.
+	RealtimeLogConfigArn *string `json:"realtimeLogConfigArn,omitempty" tf:"realtime_log_config_arn,omitempty"`
+
+	// Identifier for a response headers policy.
+	ResponseHeadersPolicyID *string `json:"responseHeadersPolicyId,omitempty" tf:"response_headers_policy_id,omitempty"`
+
+	// Indicates whether you want to distribute media files in Microsoft Smooth Streaming format using the origin that is associated with this cache behavior.
+	SmoothStreaming *bool `json:"smoothStreaming,omitempty" tf:"smooth_streaming,omitempty"`
+
+	// Value of ID for the origin that you want CloudFront to route requests to when a request matches the path pattern either for a cache behavior or for the default cache behavior.
+	TargetOriginID *string `json:"targetOriginId,omitempty" tf:"target_origin_id,omitempty"`
+
+	// List of key group IDs that CloudFront can use to validate signed URLs or signed cookies. See the CloudFront User Guide for more information about this feature.
+	TrustedKeyGroups []*string `json:"trustedKeyGroups,omitempty" tf:"trusted_key_groups,omitempty"`
+
+	// List of AWS account IDs (or self) that you want to allow to create signed URLs for private content. See the CloudFront User Guide for more information about this feature.
+	TrustedSigners []*string `json:"trustedSigners,omitempty" tf:"trusted_signers,omitempty"`
+
+	// Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https.
+	ViewerProtocolPolicy *string `json:"viewerProtocolPolicy,omitempty" tf:"viewer_protocol_policy,omitempty"`
 }
 
 type DefaultCacheBehaviorParameters struct {
@@ -161,18 +251,39 @@ type DefaultCacheBehaviorParameters struct {
 
 type DistributionObservation struct {
 
+	// Extra CNAMEs (alternate domain names), if any, for this distribution.
+	Aliases []*string `json:"aliases,omitempty" tf:"aliases,omitempty"`
+
 	// ARN for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5, where 123456789012 is your AWS account ID.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Internal value used by CloudFront to allow future updates to the distribution configuration.
 	CallerReference *string `json:"callerReference,omitempty" tf:"caller_reference,omitempty"`
 
+	// Any comments you want to include about the distribution.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// One or more custom error response elements (multiples allowed).
+	CustomErrorResponse []CustomErrorResponseObservation `json:"customErrorResponse,omitempty" tf:"custom_error_response,omitempty"`
+
+	// Default cache behavior for this distribution (maximum one). Requires either cache_policy_id (preferred) or forwarded_values (deprecated) be set.
+	DefaultCacheBehavior []DefaultCacheBehaviorObservation `json:"defaultCacheBehavior,omitempty" tf:"default_cache_behavior,omitempty"`
+
+	// Object that you want CloudFront to return (for example, index.html) when an end user requests the root URL.
+	DefaultRootObject *string `json:"defaultRootObject,omitempty" tf:"default_root_object,omitempty"`
+
 	// DNS domain name of either the S3 bucket, or web site of your custom origin.
 	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
 
+	// Whether the distribution is enabled to accept end user requests for content.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// Current version of the distribution's information. For example: E2QWRUHAPOMQZL.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
+	// Maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3. The default is http2.
+	HTTPVersion *string `json:"httpVersion,omitempty" tf:"http_version,omitempty"`
+
 	// CloudFront Route 53 zone ID that can be used to route an Alias Resource Record Set to. This attribute is simply an alias for the zone ID Z2FDTNDATAQYW2.
 	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
 
@@ -182,12 +293,39 @@ type DistributionObservation struct {
 	// Number of invalidation batches currently in progress.
 	InProgressValidationBatches *float64 `json:"inProgressValidationBatches,omitempty" tf:"in_progress_validation_batches,omitempty"`
 
+	// Whether the IPv6 is enabled for the distribution.
+	IsIPv6Enabled *bool `json:"isIpv6Enabled,omitempty" tf:"is_ipv6_enabled,omitempty"`
+
 	// Date and time the distribution was last modified.
 	LastModifiedTime *string `json:"lastModifiedTime,omitempty" tf:"last_modified_time,omitempty"`
 
+	// The logging configuration that controls how logs are written to your distribution (maximum one).
+	LoggingConfig []LoggingConfigObservation `json:"loggingConfig,omitempty" tf:"logging_config,omitempty"`
+
+	// Ordered list of cache behaviors resource for this distribution. List from top to bottom in order of precedence. The topmost cache behavior will have precedence 0.
+	OrderedCacheBehavior []OrderedCacheBehaviorObservation `json:"orderedCacheBehavior,omitempty" tf:"ordered_cache_behavior,omitempty"`
+
+	// One or more origins for this distribution (multiples allowed).
+	Origin []OriginObservation `json:"origin,omitempty" tf:"origin,omitempty"`
+
+	// One or more origin_group for this distribution (multiples allowed).
+	OriginGroup []OriginGroupObservation `json:"originGroup,omitempty" tf:"origin_group,omitempty"`
+
+	// Price class for this distribution. One of PriceClass_All, PriceClass_200, PriceClass_100.
+	PriceClass *string `json:"priceClass,omitempty" tf:"price_class,omitempty"`
+
+	// The restriction configuration for this distribution (maximum one).
+	Restrictions []RestrictionsObservation `json:"restrictions,omitempty" tf:"restrictions,omitempty"`
+
+	// If this is set, the distribution needs to be deleted manually afterwards. Default: false.
+	RetainOnDelete *bool `json:"retainOnDelete,omitempty" tf:"retain_on_delete,omitempty"`
+
 	// Current status of the distribution. Deployed if the distribution's information is fully propagated throughout the Amazon CloudFront system.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -196,6 +334,15 @@ type DistributionObservation struct {
 
 	// List of AWS account IDs (or self) that you want to allow to create signed URLs for private content. See the CloudFront User Guide for more information about this feature.
 	TrustedSigners []TrustedSignersObservation `json:"trustedSigners,omitempty" tf:"trusted_signers,omitempty"`
+
+	// The SSL configuration for this distribution (maximum one).
+	ViewerCertificate []ViewerCertificateObservation `json:"viewerCertificate,omitempty" tf:"viewer_certificate,omitempty"`
+
+	// If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this tofalse will skip the process. Default: true.
+	WaitForDeployment *bool `json:"waitForDeployment,omitempty" tf:"wait_for_deployment,omitempty"`
+
+	// Unique identifier that specifies the AWS WAF web ACL, if any, to associate with this distribution. To specify a web ACL created using the latest version of AWS WAF (WAFv2), use the ACL ARN, for example aws_wafv2_web_acl.example.arn. To specify a web ACL created using AWS WAF Classic, use the ACL ID, for example aws_waf_web_acl.example.id. The WAF Web ACL must exist in the WAF Global (CloudFront) region and the credentials configuring this argument must have waf:GetWebACL permissions assigned.
+	WebACLID *string `json:"webAclId,omitempty" tf:"web_acl_id,omitempty"`
 }
 
 type DistributionParameters struct {
@@ -213,16 +360,16 @@ type DistributionParameters struct {
 	CustomErrorResponse []CustomErrorResponseParameters `json:"customErrorResponse,omitempty" tf:"custom_error_response,omitempty"`
 
 	// Default cache behavior for this distribution (maximum one). Requires either cache_policy_id (preferred) or forwarded_values (deprecated) be set.
-	// +kubebuilder:validation:Required
-	DefaultCacheBehavior []DefaultCacheBehaviorParameters `json:"defaultCacheBehavior" tf:"default_cache_behavior,omitempty"`
+	// +kubebuilder:validation:Optional
+	DefaultCacheBehavior []DefaultCacheBehaviorParameters `json:"defaultCacheBehavior,omitempty" tf:"default_cache_behavior,omitempty"`
 
 	// Object that you want CloudFront to return (for example, index.html) when an end user requests the root URL.
 	// +kubebuilder:validation:Optional
 	DefaultRootObject *string `json:"defaultRootObject,omitempty" tf:"default_root_object,omitempty"`
 
 	// Whether the distribution is enabled to accept end user requests for content.
-	// +kubebuilder:validation:Required
-	Enabled *bool `json:"enabled" tf:"enabled,omitempty"`
+	// +kubebuilder:validation:Optional
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 
 	// Maximum HTTP version to support on the distribution. Allowed values are http1.1, http2, http2and3 and http3. The default is http2.
 	// +kubebuilder:validation:Optional
@@ -241,8 +388,8 @@ type DistributionParameters struct {
 	OrderedCacheBehavior []OrderedCacheBehaviorParameters `json:"orderedCacheBehavior,omitempty" tf:"ordered_cache_behavior,omitempty"`
 
 	// One or more origins for this distribution (multiples allowed).
-	// +kubebuilder:validation:Required
-	Origin []OriginParameters `json:"origin" tf:"origin,omitempty"`
+	// +kubebuilder:validation:Optional
+	Origin []OriginParameters `json:"origin,omitempty" tf:"origin,omitempty"`
 
 	// One or more origin_group for this distribution (multiples allowed).
 	// +kubebuilder:validation:Optional
@@ -258,8 +405,8 @@ type DistributionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The restriction configuration for this distribution (maximum one).
-	// +kubebuilder:validation:Required
-	Restrictions []RestrictionsParameters `json:"restrictions" tf:"restrictions,omitempty"`
+	// +kubebuilder:validation:Optional
+	Restrictions []RestrictionsParameters `json:"restrictions,omitempty" tf:"restrictions,omitempty"`
 
 	// If this is set, the distribution needs to be deleted manually afterwards. Default: false.
 	// +kubebuilder:validation:Optional
@@ -270,8 +417,8 @@ type DistributionParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The SSL configuration for this distribution (maximum one).
-	// +kubebuilder:validation:Required
-	ViewerCertificate []ViewerCertificateParameters `json:"viewerCertificate" tf:"viewer_certificate,omitempty"`
+	// +kubebuilder:validation:Optional
+	ViewerCertificate []ViewerCertificateParameters `json:"viewerCertificate,omitempty" tf:"viewer_certificate,omitempty"`
 
 	// If enabled, the resource will wait for the distribution status to change from InProgress to Deployed. Setting this tofalse will skip the process. Default: true.
 	// +kubebuilder:validation:Optional
@@ -283,6 +430,9 @@ type DistributionParameters struct {
 }
 
 type FailoverCriteriaObservation struct {
+
+	// List of HTTP status codes for the origin group.
+	StatusCodes []*float64 `json:"statusCodes,omitempty" tf:"status_codes,omitempty"`
 }
 
 type FailoverCriteriaParameters struct {
@@ -293,6 +443,12 @@ type FailoverCriteriaParameters struct {
 }
 
 type ForwardedValuesCookiesObservation struct {
+
+	// Whether you want CloudFront to forward cookies to the origin that is associated with this cache behavior. You can specify all, none or whitelist. If whitelist, you must include the subsequent whitelisted_names.
+	Forward *string `json:"forward,omitempty" tf:"forward,omitempty"`
+
+	// If you have specified whitelist to forward, the whitelisted cookies that you want CloudFront to forward to your origin.
+	WhitelistedNames []*string `json:"whitelistedNames,omitempty" tf:"whitelisted_names,omitempty"`
 }
 
 type ForwardedValuesCookiesParameters struct {
@@ -307,6 +463,18 @@ type ForwardedValuesCookiesParameters struct {
 }
 
 type ForwardedValuesObservation struct {
+
+	// The forwarded values cookies that specifies how CloudFront handles cookies (maximum one).
+	Cookies []ForwardedValuesCookiesObservation `json:"cookies,omitempty" tf:"cookies,omitempty"`
+
+	// Headers, if any, that you want CloudFront to vary upon for this cache behavior. Specify * to include all headers.
+	Headers []*string `json:"headers,omitempty" tf:"headers,omitempty"`
+
+	// Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior.
+	QueryString *bool `json:"queryString,omitempty" tf:"query_string,omitempty"`
+
+	// When specified, along with a value of true for query_string, all query strings are forwarded, however only the query string keys listed in this argument are cached. When omitted with a value of true for query_string, all query string keys are cached.
+	QueryStringCacheKeys []*string `json:"queryStringCacheKeys,omitempty" tf:"query_string_cache_keys,omitempty"`
 }
 
 type ForwardedValuesParameters struct {
@@ -329,6 +497,12 @@ type ForwardedValuesParameters struct {
 }
 
 type FunctionAssociationObservation struct {
+
+	// Specific event to trigger this function. Valid values: viewer-request, origin-request, viewer-response, origin-response.
+	EventType *string `json:"eventType,omitempty" tf:"event_type,omitempty"`
+
+	// ARN of the CloudFront function.
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
 }
 
 type FunctionAssociationParameters struct {
@@ -343,6 +517,12 @@ type FunctionAssociationParameters struct {
 }
 
 type GeoRestrictionObservation struct {
+
+	// ISO 3166-1-alpha-2 codes for which you want CloudFront either to distribute your content (whitelist) or not distribute your content (blacklist). If the type is specified as none an empty array can be used.
+	Locations []*string `json:"locations,omitempty" tf:"locations,omitempty"`
+
+	// Method that you want to use to restrict distribution of your content by country: none, whitelist, or blacklist.
+	RestrictionType *string `json:"restrictionType,omitempty" tf:"restriction_type,omitempty"`
 }
 
 type GeoRestrictionParameters struct {
@@ -369,6 +549,15 @@ type ItemsParameters struct {
 }
 
 type LambdaFunctionAssociationObservation struct {
+
+	// Specific event to trigger this function. Valid values: viewer-request, origin-request, viewer-response, origin-response.
+	EventType *string `json:"eventType,omitempty" tf:"event_type,omitempty"`
+
+	// When set to true it exposes the request body to the lambda function. Defaults to false. Valid values: true, false.
+	IncludeBody *bool `json:"includeBody,omitempty" tf:"include_body,omitempty"`
+
+	// ARN of the Lambda function.
+	LambdaArn *string `json:"lambdaArn,omitempty" tf:"lambda_arn,omitempty"`
 }
 
 type LambdaFunctionAssociationParameters struct {
@@ -387,6 +576,15 @@ type LambdaFunctionAssociationParameters struct {
 }
 
 type LoggingConfigObservation struct {
+
+	// Amazon S3 bucket to store the access logs in, for example, myawslogbucket.s3.amazonaws.com.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Whether to include cookies in access logs (default: false).
+	IncludeCookies *bool `json:"includeCookies,omitempty" tf:"include_cookies,omitempty"`
+
+	// Prefix to the access log filenames for this distribution, for example, myprefix/.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type LoggingConfigParameters struct {
@@ -405,6 +603,9 @@ type LoggingConfigParameters struct {
 }
 
 type MemberObservation struct {
+
+	// Unique identifier for the origin.
+	OriginID *string `json:"originId,omitempty" tf:"origin_id,omitempty"`
 }
 
 type MemberParameters struct {
@@ -415,6 +616,12 @@ type MemberParameters struct {
 }
 
 type OrderedCacheBehaviorForwardedValuesCookiesObservation struct {
+
+	// Whether you want CloudFront to forward cookies to the origin that is associated with this cache behavior. You can specify all, none or whitelist. If whitelist, you must include the subsequent whitelisted_names.
+	Forward *string `json:"forward,omitempty" tf:"forward,omitempty"`
+
+	// If you have specified whitelist to forward, the whitelisted cookies that you want CloudFront to forward to your origin.
+	WhitelistedNames []*string `json:"whitelistedNames,omitempty" tf:"whitelisted_names,omitempty"`
 }
 
 type OrderedCacheBehaviorForwardedValuesCookiesParameters struct {
@@ -429,6 +636,18 @@ type OrderedCacheBehaviorForwardedValuesCookiesParameters struct {
 }
 
 type OrderedCacheBehaviorForwardedValuesObservation struct {
+
+	// The forwarded values cookies that specifies how CloudFront handles cookies (maximum one).
+	Cookies []OrderedCacheBehaviorForwardedValuesCookiesObservation `json:"cookies,omitempty" tf:"cookies,omitempty"`
+
+	// Headers, if any, that you want CloudFront to vary upon for this cache behavior. Specify * to include all headers.
+	Headers []*string `json:"headers,omitempty" tf:"headers,omitempty"`
+
+	// Indicates whether you want CloudFront to forward query strings to the origin that is associated with this cache behavior.
+	QueryString *bool `json:"queryString,omitempty" tf:"query_string,omitempty"`
+
+	// When specified, along with a value of true for query_string, all query strings are forwarded, however only the query string keys listed in this argument are cached. When omitted with a value of true for query_string, all query string keys are cached.
+	QueryStringCacheKeys []*string `json:"queryStringCacheKeys,omitempty" tf:"query_string_cache_keys,omitempty"`
 }
 
 type OrderedCacheBehaviorForwardedValuesParameters struct {
@@ -451,6 +670,12 @@ type OrderedCacheBehaviorForwardedValuesParameters struct {
 }
 
 type OrderedCacheBehaviorFunctionAssociationObservation struct {
+
+	// Specific event to trigger this function. Valid values: viewer-request, origin-request, viewer-response, origin-response.
+	EventType *string `json:"eventType,omitempty" tf:"event_type,omitempty"`
+
+	// ARN of the CloudFront function.
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
 }
 
 type OrderedCacheBehaviorFunctionAssociationParameters struct {
@@ -475,6 +700,15 @@ type OrderedCacheBehaviorFunctionAssociationParameters struct {
 }
 
 type OrderedCacheBehaviorLambdaFunctionAssociationObservation struct {
+
+	// Specific event to trigger this function. Valid values: viewer-request, origin-request, viewer-response, origin-response.
+	EventType *string `json:"eventType,omitempty" tf:"event_type,omitempty"`
+
+	// When set to true it exposes the request body to the lambda function. Defaults to false. Valid values: true, false.
+	IncludeBody *bool `json:"includeBody,omitempty" tf:"include_body,omitempty"`
+
+	// ARN of the Lambda function.
+	LambdaArn *string `json:"lambdaArn,omitempty" tf:"lambda_arn,omitempty"`
 }
 
 type OrderedCacheBehaviorLambdaFunctionAssociationParameters struct {
@@ -503,6 +737,66 @@ type OrderedCacheBehaviorLambdaFunctionAssociationParameters struct {
 }
 
 type OrderedCacheBehaviorObservation struct {
+
+	// Controls which HTTP methods CloudFront processes and forwards to your Amazon S3 bucket or your custom origin.
+	AllowedMethods []*string `json:"allowedMethods,omitempty" tf:"allowed_methods,omitempty"`
+
+	// Unique identifier of the cache policy that is attached to the cache behavior. If configuring the default_cache_behavior either cache_policy_id or forwarded_values must be set.
+	CachePolicyID *string `json:"cachePolicyId,omitempty" tf:"cache_policy_id,omitempty"`
+
+	// Controls whether CloudFront caches the response to requests using the specified HTTP methods.
+	CachedMethods []*string `json:"cachedMethods,omitempty" tf:"cached_methods,omitempty"`
+
+	// Whether you want CloudFront to automatically compress content for web requests that include Accept-Encoding: gzip in the request header (default: false).
+	Compress *bool `json:"compress,omitempty" tf:"compress,omitempty"`
+
+	// Default amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request in the absence of an Cache-Control max-age or Expires header.
+	DefaultTTL *float64 `json:"defaultTtl,omitempty" tf:"default_ttl,omitempty"`
+
+	// Field level encryption configuration ID.
+	FieldLevelEncryptionID *string `json:"fieldLevelEncryptionId,omitempty" tf:"field_level_encryption_id,omitempty"`
+
+	// The forwarded values configuration that specifies how CloudFront handles query strings, cookies and headers (maximum one).
+	ForwardedValues []OrderedCacheBehaviorForwardedValuesObservation `json:"forwardedValues,omitempty" tf:"forwarded_values,omitempty"`
+
+	// A config block that triggers a cloudfront function with specific actions (maximum 2).
+	FunctionAssociation []OrderedCacheBehaviorFunctionAssociationObservation `json:"functionAssociation,omitempty" tf:"function_association,omitempty"`
+
+	// A config block that triggers a lambda function with specific actions (maximum 4).
+	LambdaFunctionAssociation []OrderedCacheBehaviorLambdaFunctionAssociationObservation `json:"lambdaFunctionAssociation,omitempty" tf:"lambda_function_association,omitempty"`
+
+	// Maximum amount of time (in seconds) that an object is in a CloudFront cache before CloudFront forwards another request to your origin to determine whether the object has been updated. Only effective in the presence of Cache-Control max-age, Cache-Control s-maxage, and Expires headers.
+	MaxTTL *float64 `json:"maxTtl,omitempty" tf:"max_ttl,omitempty"`
+
+	// Minimum amount of time that you want objects to stay in CloudFront caches before CloudFront queries your origin to see whether the object has been updated. Defaults to 0 seconds.
+	MinTTL *float64 `json:"minTtl,omitempty" tf:"min_ttl,omitempty"`
+
+	// Unique identifier of the origin request policy that is attached to the behavior.
+	OriginRequestPolicyID *string `json:"originRequestPolicyId,omitempty" tf:"origin_request_policy_id,omitempty"`
+
+	// Pattern (for example, images/*.jpg) that specifies which requests you want this cache behavior to apply to.
+	PathPattern *string `json:"pathPattern,omitempty" tf:"path_pattern,omitempty"`
+
+	// ARN of the real-time log configuration that is attached to this cache behavior.
+	RealtimeLogConfigArn *string `json:"realtimeLogConfigArn,omitempty" tf:"realtime_log_config_arn,omitempty"`
+
+	// Identifier for a response headers policy.
+	ResponseHeadersPolicyID *string `json:"responseHeadersPolicyId,omitempty" tf:"response_headers_policy_id,omitempty"`
+
+	// Indicates whether you want to distribute media files in Microsoft Smooth Streaming format using the origin that is associated with this cache behavior.
+	SmoothStreaming *bool `json:"smoothStreaming,omitempty" tf:"smooth_streaming,omitempty"`
+
+	// Value of ID for the origin that you want CloudFront to route requests to when a request matches the path pattern either for a cache behavior or for the default cache behavior.
+	TargetOriginID *string `json:"targetOriginId,omitempty" tf:"target_origin_id,omitempty"`
+
+	// List of key group IDs that CloudFront can use to validate signed URLs or signed cookies. See the CloudFront User Guide for more information about this feature.
+	TrustedKeyGroups []*string `json:"trustedKeyGroups,omitempty" tf:"trusted_key_groups,omitempty"`
+
+	// List of AWS account IDs (or self) that you want to allow to create signed URLs for private content. See the CloudFront User Guide for more information about this feature.
+	TrustedSigners []*string `json:"trustedSigners,omitempty" tf:"trusted_signers,omitempty"`
+
+	// Use this element to specify the protocol that users can use to access the files in the origin specified by TargetOriginId when a request matches the path pattern in PathPattern. One of allow-all, https-only, or redirect-to-https.
+	ViewerProtocolPolicy *string `json:"viewerProtocolPolicy,omitempty" tf:"viewer_protocol_policy,omitempty"`
 }
 
 type OrderedCacheBehaviorParameters struct {
@@ -589,6 +883,15 @@ type OrderedCacheBehaviorParameters struct {
 }
 
 type OriginGroupObservation struct {
+
+	// The failover criteria for when to failover to the secondary origin.
+	FailoverCriteria []FailoverCriteriaObservation `json:"failoverCriteria,omitempty" tf:"failover_criteria,omitempty"`
+
+	// Ordered member configuration blocks assigned to the origin group, where the first member is the primary origin. You must specify two members.
+	Member []MemberObservation `json:"member,omitempty" tf:"member,omitempty"`
+
+	// Unique identifier for the origin.
+	OriginID *string `json:"originId,omitempty" tf:"origin_id,omitempty"`
 }
 
 type OriginGroupParameters struct {
@@ -607,6 +910,36 @@ type OriginGroupParameters struct {
 }
 
 type OriginObservation struct {
+
+	// Number of times that CloudFront attempts to connect to the origin. Must be between 1-3. Defaults to 3.
+	ConnectionAttempts *float64 `json:"connectionAttempts,omitempty" tf:"connection_attempts,omitempty"`
+
+	// Number of seconds that CloudFront waits when trying to establish a connection to the origin. Must be between 1-10. Defaults to 10.
+	ConnectionTimeout *float64 `json:"connectionTimeout,omitempty" tf:"connection_timeout,omitempty"`
+
+	// One or more sub-resources with name and value parameters that specify header data that will be sent to the origin (multiples allowed).
+	CustomHeader []CustomHeaderObservation `json:"customHeader,omitempty" tf:"custom_header,omitempty"`
+
+	// The CloudFront custom origin configuration information. If an S3 origin is required, use origin_access_control_id or s3_origin_config instead.
+	CustomOriginConfig []CustomOriginConfigObservation `json:"customOriginConfig,omitempty" tf:"custom_origin_config,omitempty"`
+
+	// DNS domain name of either the S3 bucket, or web site of your custom origin.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// Unique identifier of a CloudFront origin access control for this origin.
+	OriginAccessControlID *string `json:"originAccessControlId,omitempty" tf:"origin_access_control_id,omitempty"`
+
+	// Unique identifier for the origin.
+	OriginID *string `json:"originId,omitempty" tf:"origin_id,omitempty"`
+
+	// Optional element that causes CloudFront to request your content from a directory in your Amazon S3 bucket or your custom origin.
+	OriginPath *string `json:"originPath,omitempty" tf:"origin_path,omitempty"`
+
+	// The CloudFront Origin Shield configuration information. Using Origin Shield can help reduce the load on your origin. For more information, see Using Origin Shield in the Amazon CloudFront Developer Guide.
+	OriginShield []OriginShieldObservation `json:"originShield,omitempty" tf:"origin_shield,omitempty"`
+
+	// The CloudFront S3 origin configuration information. If a custom origin is required, use custom_origin_config instead.
+	S3OriginConfig []S3OriginConfigObservation `json:"s3OriginConfig,omitempty" tf:"s3_origin_config,omitempty"`
 }
 
 type OriginParameters struct {
@@ -663,6 +996,12 @@ type OriginParameters struct {
 }
 
 type OriginShieldObservation struct {
+
+	// Whether the distribution is enabled to accept end user requests for content.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// AWS Region for Origin Shield. To specify a region, use the region code, not the region name. For example, specify the US East (Ohio) region as us-east-2.
+	OriginShieldRegion *string `json:"originShieldRegion,omitempty" tf:"origin_shield_region,omitempty"`
 }
 
 type OriginShieldParameters struct {
@@ -677,6 +1016,7 @@ type OriginShieldParameters struct {
 }
 
 type RestrictionsObservation struct {
+	GeoRestriction []GeoRestrictionObservation `json:"geoRestriction,omitempty" tf:"geo_restriction,omitempty"`
 }
 
 type RestrictionsParameters struct {
@@ -686,6 +1026,9 @@ type RestrictionsParameters struct {
 }
 
 type S3OriginConfigObservation struct {
+
+	// The CloudFront origin access identity to associate with the origin.
+	OriginAccessIdentity *string `json:"originAccessIdentity,omitempty" tf:"origin_access_identity,omitempty"`
 }
 
 type S3OriginConfigParameters struct {
@@ -742,6 +1085,21 @@ type TrustedSignersParameters struct {
 }
 
 type ViewerCertificateObservation struct {
+
+	// ARN of the AWS Certificate Manager certificate that you wish to use with this distribution. Specify this, cloudfront_default_certificate, or iam_certificate_id.  The ACM certificate must be in  US-EAST-1.
+	AcmCertificateArn *string `json:"acmCertificateArn,omitempty" tf:"acm_certificate_arn,omitempty"`
+
+	// true if you want viewers to use HTTPS to request your objects and you're using the CloudFront domain name for your distribution. Specify this, acm_certificate_arn, or iam_certificate_id.
+	CloudfrontDefaultCertificate *bool `json:"cloudfrontDefaultCertificate,omitempty" tf:"cloudfront_default_certificate,omitempty"`
+
+	// IAM certificate identifier of the custom viewer certificate for this distribution if you are using a custom domain. Specify this, acm_certificate_arn, or cloudfront_default_certificate.
+	IAMCertificateID *string `json:"iamCertificateId,omitempty" tf:"iam_certificate_id,omitempty"`
+
+	// Minimum version of the SSL protocol that you want CloudFront to use for HTTPS connections. Can only be set if cloudfront_default_certificate = false. See all possible values in this table under "Security policy." Some examples include: TLSv1.2_2019 and TLSv1.2_2021. Default: TLSv1. NOTE: If you are using a custom certificate (specified with acm_certificate_arn or iam_certificate_id), and have specified sni-only in ssl_support_method, TLSv1 or later must be specified. If you have specified vip in ssl_support_method, only SSLv3 or TLSv1 can be specified. If you have specified cloudfront_default_certificate, TLSv1 must be specified.
+	MinimumProtocolVersion *string `json:"minimumProtocolVersion,omitempty" tf:"minimum_protocol_version,omitempty"`
+
+	// How you want CloudFront to serve HTTPS requests. One of vip or sni-only. Required if you specify acm_certificate_arn or iam_certificate_id. NOTE: vip causes CloudFront to use a dedicated IP address and may incur extra charges.
+	SSLSupportMethod *string `json:"sslSupportMethod,omitempty" tf:"ssl_support_method,omitempty"`
 }
 
 type ViewerCertificateParameters struct {
@@ -791,8 +1149,13 @@ type DistributionStatus struct {
 type Distribution struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DistributionSpec   `json:"spec"`
-	Status            DistributionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultCacheBehavior)",message="defaultCacheBehavior is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enabled)",message="enabled is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.origin)",message="origin is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.restrictions)",message="restrictions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.viewerCertificate)",message="viewerCertificate is a required parameter"
+	Spec   DistributionSpec   `json:"spec"`
+	Status DistributionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_fieldlevelencryptionconfig_types.go b/apis/cloudfront/v1beta1/zz_fieldlevelencryptionconfig_types.go
index 17a5a64b71..76e6ba5925 100755
--- a/apis/cloudfront/v1beta1/zz_fieldlevelencryptionconfig_types.go
+++ b/apis/cloudfront/v1beta1/zz_fieldlevelencryptionconfig_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ContentTypeProfileConfigObservation struct {
+
+	// Object that contains an attribute items that contains the list of configurations for a field-level encryption content type-profile. See Content Type Profile.
+	ContentTypeProfiles []ContentTypeProfilesObservation `json:"contentTypeProfiles,omitempty" tf:"content_type_profiles,omitempty"`
+
+	// specifies what to do when an unknown content type is provided for the profile. If true, content is forwarded without being encrypted when the content type is unknown. If false (the default), an error is returned when the content type is unknown.
+	ForwardWhenContentTypeIsUnknown *bool `json:"forwardWhenContentTypeIsUnknown,omitempty" tf:"forward_when_content_type_is_unknown,omitempty"`
 }
 
 type ContentTypeProfileConfigParameters struct {
@@ -28,6 +34,15 @@ type ContentTypeProfileConfigParameters struct {
 }
 
 type ContentTypeProfilesItemsObservation struct {
+
+	// he content type for a field-level encryption content type-profile mapping. Valid value is application/x-www-form-urlencoded.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// The format for a field-level encryption content type-profile mapping. Valid value is URLEncoded.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
+
+	// The profile ID for a field-level encryption content type-profile mapping.
+	ProfileID *string `json:"profileId,omitempty" tf:"profile_id,omitempty"`
 }
 
 type ContentTypeProfilesItemsParameters struct {
@@ -46,6 +61,7 @@ type ContentTypeProfilesItemsParameters struct {
 }
 
 type ContentTypeProfilesObservation struct {
+	Items []ContentTypeProfilesItemsObservation `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type ContentTypeProfilesParameters struct {
@@ -59,11 +75,20 @@ type FieldLevelEncryptionConfigObservation struct {
 	// Internal value used by CloudFront to allow future updates to the Field Level Encryption Config.
 	CallerReference *string `json:"callerReference,omitempty" tf:"caller_reference,omitempty"`
 
+	// An optional comment about the Field Level Encryption Config.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// Content Type Profile Config specifies when to forward content if a content type isn't recognized and profiles to use as by default in a request if a query argument doesn't specify a profile to use.
+	ContentTypeProfileConfig []ContentTypeProfileConfigObservation `json:"contentTypeProfileConfig,omitempty" tf:"content_type_profile_config,omitempty"`
+
 	// The current version of the Field Level Encryption Config. For example: E2QWRUHAPOMQZL.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
 	// The identifier for the Field Level Encryption Config. For example: K3D5EWEUDCCXON.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Query Arg Profile Config that specifies when to forward content if a profile isn't found and the profile that can be provided as a query argument in a request.
+	QueryArgProfileConfig []QueryArgProfileConfigObservation `json:"queryArgProfileConfig,omitempty" tf:"query_arg_profile_config,omitempty"`
 }
 
 type FieldLevelEncryptionConfigParameters struct {
@@ -73,12 +98,12 @@ type FieldLevelEncryptionConfigParameters struct {
 	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
 
 	// Content Type Profile Config specifies when to forward content if a content type isn't recognized and profiles to use as by default in a request if a query argument doesn't specify a profile to use.
-	// +kubebuilder:validation:Required
-	ContentTypeProfileConfig []ContentTypeProfileConfigParameters `json:"contentTypeProfileConfig" tf:"content_type_profile_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	ContentTypeProfileConfig []ContentTypeProfileConfigParameters `json:"contentTypeProfileConfig,omitempty" tf:"content_type_profile_config,omitempty"`
 
 	// Query Arg Profile Config that specifies when to forward content if a profile isn't found and the profile that can be provided as a query argument in a request.
-	// +kubebuilder:validation:Required
-	QueryArgProfileConfig []QueryArgProfileConfigParameters `json:"queryArgProfileConfig" tf:"query_arg_profile_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	QueryArgProfileConfig []QueryArgProfileConfigParameters `json:"queryArgProfileConfig,omitempty" tf:"query_arg_profile_config,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -87,6 +112,12 @@ type FieldLevelEncryptionConfigParameters struct {
 }
 
 type QueryArgProfileConfigObservation struct {
+
+	// Flag to set if you want a request to be forwarded to the origin even if the profile specified by the field-level encryption query argument, fle-profile, is unknown.
+	ForwardWhenQueryArgProfileIsUnknown *bool `json:"forwardWhenQueryArgProfileIsUnknown,omitempty" tf:"forward_when_query_arg_profile_is_unknown,omitempty"`
+
+	// Object that contains an attribute items that contains the list ofrofiles specified for query argument-profile mapping for field-level encryption. see Query Arg Profile.
+	QueryArgProfiles []QueryArgProfilesObservation `json:"queryArgProfiles,omitempty" tf:"query_arg_profiles,omitempty"`
 }
 
 type QueryArgProfileConfigParameters struct {
@@ -101,6 +132,12 @@ type QueryArgProfileConfigParameters struct {
 }
 
 type QueryArgProfilesItemsObservation struct {
+
+	// The profile ID for a field-level encryption content type-profile mapping.
+	ProfileID *string `json:"profileId,omitempty" tf:"profile_id,omitempty"`
+
+	// Query argument for field-level encryption query argument-profile mapping.
+	QueryArg *string `json:"queryArg,omitempty" tf:"query_arg,omitempty"`
 }
 
 type QueryArgProfilesItemsParameters struct {
@@ -125,6 +162,7 @@ type QueryArgProfilesItemsParameters struct {
 }
 
 type QueryArgProfilesObservation struct {
+	Items []QueryArgProfilesItemsObservation `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type QueryArgProfilesParameters struct {
@@ -157,8 +195,10 @@ type FieldLevelEncryptionConfigStatus struct {
 type FieldLevelEncryptionConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FieldLevelEncryptionConfigSpec   `json:"spec"`
-	Status            FieldLevelEncryptionConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentTypeProfileConfig)",message="contentTypeProfileConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.queryArgProfileConfig)",message="queryArgProfileConfig is a required parameter"
+	Spec   FieldLevelEncryptionConfigSpec   `json:"spec"`
+	Status FieldLevelEncryptionConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_fieldlevelencryptionprofile_types.go b/apis/cloudfront/v1beta1/zz_fieldlevelencryptionprofile_types.go
index 6b7ac6e0d0..1e38ee0b4c 100755
--- a/apis/cloudfront/v1beta1/zz_fieldlevelencryptionprofile_types.go
+++ b/apis/cloudfront/v1beta1/zz_fieldlevelencryptionprofile_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type EncryptionEntitiesItemsObservation struct {
+
+	// Object that contains an attribute items that contains the list of field patterns in a field-level encryption content type profile specify the fields that you want to be encrypted.
+	FieldPatterns []FieldPatternsObservation `json:"fieldPatterns,omitempty" tf:"field_patterns,omitempty"`
+
+	// The provider associated with the public key being used for encryption.
+	ProviderID *string `json:"providerId,omitempty" tf:"provider_id,omitempty"`
+
+	// The public key associated with a set of field-level encryption patterns, to be used when encrypting the fields that match the patterns.
+	PublicKeyID *string `json:"publicKeyId,omitempty" tf:"public_key_id,omitempty"`
 }
 
 type EncryptionEntitiesItemsParameters struct {
@@ -42,6 +51,7 @@ type EncryptionEntitiesItemsParameters struct {
 }
 
 type EncryptionEntitiesObservation struct {
+	Items []EncryptionEntitiesItemsObservation `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type EncryptionEntitiesParameters struct {
@@ -55,11 +65,20 @@ type FieldLevelEncryptionProfileObservation struct {
 	// Internal value used by CloudFront to allow future updates to the Field Level Encryption Profile.
 	CallerReference *string `json:"callerReference,omitempty" tf:"caller_reference,omitempty"`
 
+	// An optional comment about the Field Level Encryption Profile.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// The encryption entities config block for field-level encryption profiles that contains an attribute items which includes the encryption key and field pattern specifications.
+	EncryptionEntities []EncryptionEntitiesObservation `json:"encryptionEntities,omitempty" tf:"encryption_entities,omitempty"`
+
 	// The current version of the Field Level Encryption Profile. For example: E2QWRUHAPOMQZL.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
 	// The identifier for the Field Level Encryption Profile. For example: K3D5EWEUDCCXON.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the Field Level Encryption Profile.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type FieldLevelEncryptionProfileParameters struct {
@@ -69,12 +88,12 @@ type FieldLevelEncryptionProfileParameters struct {
 	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
 
 	// The encryption entities config block for field-level encryption profiles that contains an attribute items which includes the encryption key and field pattern specifications.
-	// +kubebuilder:validation:Required
-	EncryptionEntities []EncryptionEntitiesParameters `json:"encryptionEntities" tf:"encryption_entities,omitempty"`
+	// +kubebuilder:validation:Optional
+	EncryptionEntities []EncryptionEntitiesParameters `json:"encryptionEntities,omitempty" tf:"encryption_entities,omitempty"`
 
 	// The name of the Field Level Encryption Profile.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,6 +102,7 @@ type FieldLevelEncryptionProfileParameters struct {
 }
 
 type FieldPatternsObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type FieldPatternsParameters struct {
@@ -115,8 +135,10 @@ type FieldLevelEncryptionProfileStatus struct {
 type FieldLevelEncryptionProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FieldLevelEncryptionProfileSpec   `json:"spec"`
-	Status            FieldLevelEncryptionProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encryptionEntities)",message="encryptionEntities is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   FieldLevelEncryptionProfileSpec   `json:"spec"`
+	Status FieldLevelEncryptionProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_function_types.go b/apis/cloudfront/v1beta1/zz_function_types.go
index 4610e4cd72..dd5467a2c0 100755
--- a/apis/cloudfront/v1beta1/zz_function_types.go
+++ b/apis/cloudfront/v1beta1/zz_function_types.go
@@ -18,6 +18,9 @@ type FunctionObservation struct {
 	// Amazon Resource Name (ARN) identifying your CloudFront Function.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Comment.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
 	// ETag hash of the function. This is the value for the DEVELOPMENT stage of the function.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
@@ -26,6 +29,12 @@ type FunctionObservation struct {
 	// ETag hash of any LIVE stage of the function.
 	LiveStageEtag *string `json:"liveStageEtag,omitempty" tf:"live_stage_etag,omitempty"`
 
+	// Whether to publish creation/change as Live CloudFront Function Version. Defaults to true.
+	Publish *bool `json:"publish,omitempty" tf:"publish,omitempty"`
+
+	// Identifier of the function's runtime. Currently only cloudfront-js-1.0 is valid.
+	Runtime *string `json:"runtime,omitempty" tf:"runtime,omitempty"`
+
 	// Status of the function. Can be UNPUBLISHED, UNASSOCIATED or ASSOCIATED.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -33,7 +42,7 @@ type FunctionObservation struct {
 type FunctionParameters struct {
 
 	// Source code of the function
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	CodeSecretRef v1.SecretKeySelector `json:"codeSecretRef" tf:"-"`
 
 	// Comment.
@@ -50,8 +59,8 @@ type FunctionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Identifier of the function's runtime. Currently only cloudfront-js-1.0 is valid.
-	// +kubebuilder:validation:Required
-	Runtime *string `json:"runtime" tf:"runtime,omitempty"`
+	// +kubebuilder:validation:Optional
+	Runtime *string `json:"runtime,omitempty" tf:"runtime,omitempty"`
 }
 
 // FunctionSpec defines the desired state of Function
@@ -78,8 +87,10 @@ type FunctionStatus struct {
 type Function struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FunctionSpec   `json:"spec"`
-	Status            FunctionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.codeSecretRef)",message="codeSecretRef is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.runtime)",message="runtime is a required parameter"
+	Spec   FunctionSpec   `json:"spec"`
+	Status FunctionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_generated.deepcopy.go b/apis/cloudfront/v1beta1/zz_generated.deepcopy.go
index f4bf0e381b..a2379f8b44 100644
--- a/apis/cloudfront/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudfront/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,17 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessControlAllowHeadersObservation) DeepCopyInto(out *AccessControlAllowHeadersObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlAllowHeadersObservation.
@@ -58,6 +69,17 @@ func (in *AccessControlAllowHeadersParameters) DeepCopy() *AccessControlAllowHea
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessControlAllowMethodsObservation) DeepCopyInto(out *AccessControlAllowMethodsObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlAllowMethodsObservation.
@@ -99,6 +121,17 @@ func (in *AccessControlAllowMethodsParameters) DeepCopy() *AccessControlAllowMet
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessControlAllowOriginsObservation) DeepCopyInto(out *AccessControlAllowOriginsObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlAllowOriginsObservation.
@@ -140,6 +173,17 @@ func (in *AccessControlAllowOriginsParameters) DeepCopy() *AccessControlAllowOri
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessControlExposeHeadersObservation) DeepCopyInto(out *AccessControlExposeHeadersObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlExposeHeadersObservation.
@@ -240,6 +284,16 @@ func (in *CachePolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CachePolicyObservation) DeepCopyInto(out *CachePolicyObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultTTL != nil {
+		in, out := &in.DefaultTTL, &out.DefaultTTL
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -250,6 +304,28 @@ func (in *CachePolicyObservation) DeepCopyInto(out *CachePolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxTTL != nil {
+		in, out := &in.MaxTTL, &out.MaxTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinTTL != nil {
+		in, out := &in.MinTTL, &out.MinTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParametersInCacheKeyAndForwardedToOrigin != nil {
+		in, out := &in.ParametersInCacheKeyAndForwardedToOrigin, &out.ParametersInCacheKeyAndForwardedToOrigin
+		*out = make([]ParametersInCacheKeyAndForwardedToOriginObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CachePolicyObservation.
@@ -351,6 +427,16 @@ func (in *CachePolicyStatus) DeepCopy() *CachePolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentSecurityPolicyObservation) DeepCopyInto(out *ContentSecurityPolicyObservation) {
 	*out = *in
+	if in.ContentSecurityPolicy != nil {
+		in, out := &in.ContentSecurityPolicy, &out.ContentSecurityPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentSecurityPolicyObservation.
@@ -391,6 +477,11 @@ func (in *ContentSecurityPolicyParameters) DeepCopy() *ContentSecurityPolicyPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentTypeOptionsObservation) DeepCopyInto(out *ContentTypeOptionsObservation) {
 	*out = *in
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentTypeOptionsObservation.
@@ -426,6 +517,18 @@ func (in *ContentTypeOptionsParameters) DeepCopy() *ContentTypeOptionsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentTypeProfileConfigObservation) DeepCopyInto(out *ContentTypeProfileConfigObservation) {
 	*out = *in
+	if in.ContentTypeProfiles != nil {
+		in, out := &in.ContentTypeProfiles, &out.ContentTypeProfiles
+		*out = make([]ContentTypeProfilesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ForwardWhenContentTypeIsUnknown != nil {
+		in, out := &in.ForwardWhenContentTypeIsUnknown, &out.ForwardWhenContentTypeIsUnknown
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentTypeProfileConfigObservation.
@@ -468,6 +571,21 @@ func (in *ContentTypeProfileConfigParameters) DeepCopy() *ContentTypeProfileConf
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentTypeProfilesItemsObservation) DeepCopyInto(out *ContentTypeProfilesItemsObservation) {
 	*out = *in
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProfileID != nil {
+		in, out := &in.ProfileID, &out.ProfileID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentTypeProfilesItemsObservation.
@@ -513,6 +631,13 @@ func (in *ContentTypeProfilesItemsParameters) DeepCopy() *ContentTypeProfilesIte
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentTypeProfilesObservation) DeepCopyInto(out *ContentTypeProfilesObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]ContentTypeProfilesItemsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentTypeProfilesObservation.
@@ -550,6 +675,17 @@ func (in *ContentTypeProfilesParameters) DeepCopy() *ContentTypeProfilesParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CookiesConfigCookiesObservation) DeepCopyInto(out *CookiesConfigCookiesObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CookiesConfigCookiesObservation.
@@ -591,6 +727,18 @@ func (in *CookiesConfigCookiesParameters) DeepCopy() *CookiesConfigCookiesParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CookiesConfigObservation) DeepCopyInto(out *CookiesConfigObservation) {
 	*out = *in
+	if in.CookieBehavior != nil {
+		in, out := &in.CookieBehavior, &out.CookieBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Cookies != nil {
+		in, out := &in.Cookies, &out.Cookies
+		*out = make([]CookiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CookiesConfigObservation.
@@ -633,6 +781,17 @@ func (in *CookiesConfigParameters) DeepCopy() *CookiesConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CookiesObservation) DeepCopyInto(out *CookiesObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CookiesObservation.
@@ -674,6 +833,49 @@ func (in *CookiesParameters) DeepCopy() *CookiesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CorsConfigObservation) DeepCopyInto(out *CorsConfigObservation) {
 	*out = *in
+	if in.AccessControlAllowCredentials != nil {
+		in, out := &in.AccessControlAllowCredentials, &out.AccessControlAllowCredentials
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AccessControlAllowHeaders != nil {
+		in, out := &in.AccessControlAllowHeaders, &out.AccessControlAllowHeaders
+		*out = make([]AccessControlAllowHeadersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AccessControlAllowMethods != nil {
+		in, out := &in.AccessControlAllowMethods, &out.AccessControlAllowMethods
+		*out = make([]AccessControlAllowMethodsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AccessControlAllowOrigins != nil {
+		in, out := &in.AccessControlAllowOrigins, &out.AccessControlAllowOrigins
+		*out = make([]AccessControlAllowOriginsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AccessControlExposeHeaders != nil {
+		in, out := &in.AccessControlExposeHeaders, &out.AccessControlExposeHeaders
+		*out = make([]AccessControlExposeHeadersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AccessControlMaxAgeSec != nil {
+		in, out := &in.AccessControlMaxAgeSec, &out.AccessControlMaxAgeSec
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OriginOverride != nil {
+		in, out := &in.OriginOverride, &out.OriginOverride
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CorsConfigObservation.
@@ -747,6 +949,26 @@ func (in *CorsConfigParameters) DeepCopy() *CorsConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomErrorResponseObservation) DeepCopyInto(out *CustomErrorResponseObservation) {
 	*out = *in
+	if in.ErrorCachingMinTTL != nil {
+		in, out := &in.ErrorCachingMinTTL, &out.ErrorCachingMinTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ErrorCode != nil {
+		in, out := &in.ErrorCode, &out.ErrorCode
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResponseCode != nil {
+		in, out := &in.ResponseCode, &out.ResponseCode
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResponsePagePath != nil {
+		in, out := &in.ResponsePagePath, &out.ResponsePagePath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomErrorResponseObservation.
@@ -797,6 +1019,16 @@ func (in *CustomErrorResponseParameters) DeepCopy() *CustomErrorResponseParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomHeaderObservation) DeepCopyInto(out *CustomHeaderObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomHeaderObservation.
@@ -837,6 +1069,21 @@ func (in *CustomHeaderParameters) DeepCopy() *CustomHeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomHeadersConfigItemsObservation) DeepCopyInto(out *CustomHeadersConfigItemsObservation) {
 	*out = *in
+	if in.Header != nil {
+		in, out := &in.Header, &out.Header
+		*out = new(string)
+		**out = **in
+	}
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomHeadersConfigItemsObservation.
@@ -882,6 +1129,13 @@ func (in *CustomHeadersConfigItemsParameters) DeepCopy() *CustomHeadersConfigIte
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomHeadersConfigObservation) DeepCopyInto(out *CustomHeadersConfigObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]CustomHeadersConfigItemsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomHeadersConfigObservation.
@@ -919,14 +1173,50 @@ func (in *CustomHeadersConfigParameters) DeepCopy() *CustomHeadersConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomOriginConfigObservation) DeepCopyInto(out *CustomOriginConfigObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomOriginConfigObservation.
-func (in *CustomOriginConfigObservation) DeepCopy() *CustomOriginConfigObservation {
-	if in == nil {
-		return nil
+	if in.HTTPPort != nil {
+		in, out := &in.HTTPPort, &out.HTTPPort
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(CustomOriginConfigObservation)
+	if in.HTTPSPort != nil {
+		in, out := &in.HTTPSPort, &out.HTTPSPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OriginKeepaliveTimeout != nil {
+		in, out := &in.OriginKeepaliveTimeout, &out.OriginKeepaliveTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OriginProtocolPolicy != nil {
+		in, out := &in.OriginProtocolPolicy, &out.OriginProtocolPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.OriginReadTimeout != nil {
+		in, out := &in.OriginReadTimeout, &out.OriginReadTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OriginSSLProtocols != nil {
+		in, out := &in.OriginSSLProtocols, &out.OriginSSLProtocols
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomOriginConfigObservation.
+func (in *CustomOriginConfigObservation) DeepCopy() *CustomOriginConfigObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomOriginConfigObservation)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -985,6 +1275,131 @@ func (in *CustomOriginConfigParameters) DeepCopy() *CustomOriginConfigParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultCacheBehaviorObservation) DeepCopyInto(out *DefaultCacheBehaviorObservation) {
 	*out = *in
+	if in.AllowedMethods != nil {
+		in, out := &in.AllowedMethods, &out.AllowedMethods
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CachePolicyID != nil {
+		in, out := &in.CachePolicyID, &out.CachePolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CachedMethods != nil {
+		in, out := &in.CachedMethods, &out.CachedMethods
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Compress != nil {
+		in, out := &in.Compress, &out.Compress
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DefaultTTL != nil {
+		in, out := &in.DefaultTTL, &out.DefaultTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FieldLevelEncryptionID != nil {
+		in, out := &in.FieldLevelEncryptionID, &out.FieldLevelEncryptionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForwardedValues != nil {
+		in, out := &in.ForwardedValues, &out.ForwardedValues
+		*out = make([]ForwardedValuesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FunctionAssociation != nil {
+		in, out := &in.FunctionAssociation, &out.FunctionAssociation
+		*out = make([]FunctionAssociationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LambdaFunctionAssociation != nil {
+		in, out := &in.LambdaFunctionAssociation, &out.LambdaFunctionAssociation
+		*out = make([]LambdaFunctionAssociationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaxTTL != nil {
+		in, out := &in.MaxTTL, &out.MaxTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinTTL != nil {
+		in, out := &in.MinTTL, &out.MinTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OriginRequestPolicyID != nil {
+		in, out := &in.OriginRequestPolicyID, &out.OriginRequestPolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RealtimeLogConfigArn != nil {
+		in, out := &in.RealtimeLogConfigArn, &out.RealtimeLogConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseHeadersPolicyID != nil {
+		in, out := &in.ResponseHeadersPolicyID, &out.ResponseHeadersPolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SmoothStreaming != nil {
+		in, out := &in.SmoothStreaming, &out.SmoothStreaming
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TargetOriginID != nil {
+		in, out := &in.TargetOriginID, &out.TargetOriginID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TrustedKeyGroups != nil {
+		in, out := &in.TrustedKeyGroups, &out.TrustedKeyGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TrustedSigners != nil {
+		in, out := &in.TrustedSigners, &out.TrustedSigners
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ViewerProtocolPolicy != nil {
+		in, out := &in.ViewerProtocolPolicy, &out.ViewerProtocolPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultCacheBehaviorObservation.
@@ -1199,6 +1614,17 @@ func (in *DistributionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DistributionObservation) DeepCopyInto(out *DistributionObservation) {
 	*out = *in
+	if in.Aliases != nil {
+		in, out := &in.Aliases, &out.Aliases
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -1209,16 +1635,50 @@ func (in *DistributionObservation) DeepCopyInto(out *DistributionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomErrorResponse != nil {
+		in, out := &in.CustomErrorResponse, &out.CustomErrorResponse
+		*out = make([]CustomErrorResponseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultCacheBehavior != nil {
+		in, out := &in.DefaultCacheBehavior, &out.DefaultCacheBehavior
+		*out = make([]DefaultCacheBehaviorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultRootObject != nil {
+		in, out := &in.DefaultRootObject, &out.DefaultRootObject
+		*out = new(string)
+		**out = **in
+	}
 	if in.DomainName != nil {
 		in, out := &in.DomainName, &out.DomainName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
 		**out = **in
 	}
+	if in.HTTPVersion != nil {
+		in, out := &in.HTTPVersion, &out.HTTPVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostedZoneID != nil {
 		in, out := &in.HostedZoneID, &out.HostedZoneID
 		*out = new(string)
@@ -1234,16 +1694,81 @@ func (in *DistributionObservation) DeepCopyInto(out *DistributionObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.IsIPv6Enabled != nil {
+		in, out := &in.IsIPv6Enabled, &out.IsIPv6Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.LastModifiedTime != nil {
 		in, out := &in.LastModifiedTime, &out.LastModifiedTime
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoggingConfig != nil {
+		in, out := &in.LoggingConfig, &out.LoggingConfig
+		*out = make([]LoggingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OrderedCacheBehavior != nil {
+		in, out := &in.OrderedCacheBehavior, &out.OrderedCacheBehavior
+		*out = make([]OrderedCacheBehaviorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Origin != nil {
+		in, out := &in.Origin, &out.Origin
+		*out = make([]OriginObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OriginGroup != nil {
+		in, out := &in.OriginGroup, &out.OriginGroup
+		*out = make([]OriginGroupObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PriceClass != nil {
+		in, out := &in.PriceClass, &out.PriceClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.Restrictions != nil {
+		in, out := &in.Restrictions, &out.Restrictions
+		*out = make([]RestrictionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetainOnDelete != nil {
+		in, out := &in.RetainOnDelete, &out.RetainOnDelete
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1273,6 +1798,23 @@ func (in *DistributionObservation) DeepCopyInto(out *DistributionObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ViewerCertificate != nil {
+		in, out := &in.ViewerCertificate, &out.ViewerCertificate
+		*out = make([]ViewerCertificateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WaitForDeployment != nil {
+		in, out := &in.WaitForDeployment, &out.WaitForDeployment
+		*out = new(bool)
+		**out = **in
+	}
+	if in.WebACLID != nil {
+		in, out := &in.WebACLID, &out.WebACLID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DistributionObservation.
@@ -1469,6 +2011,23 @@ func (in *DistributionStatus) DeepCopy() *DistributionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionEntitiesItemsObservation) DeepCopyInto(out *EncryptionEntitiesItemsObservation) {
 	*out = *in
+	if in.FieldPatterns != nil {
+		in, out := &in.FieldPatterns, &out.FieldPatterns
+		*out = make([]FieldPatternsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProviderID != nil {
+		in, out := &in.ProviderID, &out.ProviderID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicKeyID != nil {
+		in, out := &in.PublicKeyID, &out.PublicKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionEntitiesItemsObservation.
@@ -1526,6 +2085,13 @@ func (in *EncryptionEntitiesItemsParameters) DeepCopy() *EncryptionEntitiesItems
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionEntitiesObservation) DeepCopyInto(out *EncryptionEntitiesObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]EncryptionEntitiesItemsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionEntitiesObservation.
@@ -1563,6 +2129,18 @@ func (in *EncryptionEntitiesParameters) DeepCopy() *EncryptionEntitiesParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndpointObservation) DeepCopyInto(out *EndpointObservation) {
 	*out = *in
+	if in.KinesisStreamConfig != nil {
+		in, out := &in.KinesisStreamConfig, &out.KinesisStreamConfig
+		*out = make([]KinesisStreamConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StreamType != nil {
+		in, out := &in.StreamType, &out.StreamType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointObservation.
@@ -1605,6 +2183,17 @@ func (in *EndpointParameters) DeepCopy() *EndpointParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FailoverCriteriaObservation) DeepCopyInto(out *FailoverCriteriaObservation) {
 	*out = *in
+	if in.StatusCodes != nil {
+		in, out := &in.StatusCodes, &out.StatusCodes
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverCriteriaObservation.
@@ -1710,6 +2299,18 @@ func (in *FieldLevelEncryptionConfigObservation) DeepCopyInto(out *FieldLevelEnc
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentTypeProfileConfig != nil {
+		in, out := &in.ContentTypeProfileConfig, &out.ContentTypeProfileConfig
+		*out = make([]ContentTypeProfileConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -1720,6 +2321,13 @@ func (in *FieldLevelEncryptionConfigObservation) DeepCopyInto(out *FieldLevelEnc
 		*out = new(string)
 		**out = **in
 	}
+	if in.QueryArgProfileConfig != nil {
+		in, out := &in.QueryArgProfileConfig, &out.QueryArgProfileConfig
+		*out = make([]QueryArgProfileConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FieldLevelEncryptionConfigObservation.
@@ -1872,6 +2480,18 @@ func (in *FieldLevelEncryptionProfileObservation) DeepCopyInto(out *FieldLevelEn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionEntities != nil {
+		in, out := &in.EncryptionEntities, &out.EncryptionEntities
+		*out = make([]EncryptionEntitiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -1882,6 +2502,11 @@ func (in *FieldLevelEncryptionProfileObservation) DeepCopyInto(out *FieldLevelEn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FieldLevelEncryptionProfileObservation.
@@ -1968,6 +2593,17 @@ func (in *FieldLevelEncryptionProfileStatus) DeepCopy() *FieldLevelEncryptionPro
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FieldPatternsObservation) DeepCopyInto(out *FieldPatternsObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FieldPatternsObservation.
@@ -2009,6 +2645,22 @@ func (in *FieldPatternsParameters) DeepCopy() *FieldPatternsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ForwardedValuesCookiesObservation) DeepCopyInto(out *ForwardedValuesCookiesObservation) {
 	*out = *in
+	if in.Forward != nil {
+		in, out := &in.Forward, &out.Forward
+		*out = new(string)
+		**out = **in
+	}
+	if in.WhitelistedNames != nil {
+		in, out := &in.WhitelistedNames, &out.WhitelistedNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForwardedValuesCookiesObservation.
@@ -2055,6 +2707,40 @@ func (in *ForwardedValuesCookiesParameters) DeepCopy() *ForwardedValuesCookiesPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ForwardedValuesObservation) DeepCopyInto(out *ForwardedValuesObservation) {
 	*out = *in
+	if in.Cookies != nil {
+		in, out := &in.Cookies, &out.Cookies
+		*out = make([]ForwardedValuesCookiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.QueryString != nil {
+		in, out := &in.QueryString, &out.QueryString
+		*out = new(bool)
+		**out = **in
+	}
+	if in.QueryStringCacheKeys != nil {
+		in, out := &in.QueryStringCacheKeys, &out.QueryStringCacheKeys
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForwardedValuesObservation.
@@ -2119,6 +2805,16 @@ func (in *ForwardedValuesParameters) DeepCopy() *ForwardedValuesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FrameOptionsObservation) DeepCopyInto(out *FrameOptionsObservation) {
 	*out = *in
+	if in.FrameOption != nil {
+		in, out := &in.FrameOption, &out.FrameOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameOptionsObservation.
@@ -2186,6 +2882,16 @@ func (in *Function) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FunctionAssociationObservation) DeepCopyInto(out *FunctionAssociationObservation) {
 	*out = *in
+	if in.EventType != nil {
+		in, out := &in.EventType, &out.EventType
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FunctionAssociationObservation.
@@ -2263,6 +2969,11 @@ func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -2278,6 +2989,16 @@ func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Publish != nil {
+		in, out := &in.Publish, &out.Publish
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Runtime != nil {
+		in, out := &in.Runtime, &out.Runtime
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -2368,6 +3089,22 @@ func (in *FunctionStatus) DeepCopy() *FunctionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GeoRestrictionObservation) DeepCopyInto(out *GeoRestrictionObservation) {
 	*out = *in
+	if in.Locations != nil {
+		in, out := &in.Locations, &out.Locations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RestrictionType != nil {
+		in, out := &in.RestrictionType, &out.RestrictionType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeoRestrictionObservation.
@@ -2414,6 +3151,17 @@ func (in *GeoRestrictionParameters) DeepCopy() *GeoRestrictionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeadersConfigHeadersObservation) DeepCopyInto(out *HeadersConfigHeadersObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadersConfigHeadersObservation.
@@ -2455,6 +3203,18 @@ func (in *HeadersConfigHeadersParameters) DeepCopy() *HeadersConfigHeadersParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeadersConfigObservation) DeepCopyInto(out *HeadersConfigObservation) {
 	*out = *in
+	if in.HeaderBehavior != nil {
+		in, out := &in.HeaderBehavior, &out.HeaderBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make([]HeadersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadersConfigObservation.
@@ -2497,6 +3257,17 @@ func (in *HeadersConfigParameters) DeepCopy() *HeadersConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeadersObservation) DeepCopyInto(out *HeadersObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeadersObservation.
@@ -2643,6 +3414,11 @@ func (in *KeyGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KeyGroupObservation) DeepCopyInto(out *KeyGroupObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -2653,6 +3429,22 @@ func (in *KeyGroupObservation) DeepCopyInto(out *KeyGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyGroupObservation.
@@ -2755,6 +3547,16 @@ func (in *KeyGroupStatus) DeepCopy() *KeyGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisStreamConfigObservation) DeepCopyInto(out *KinesisStreamConfigObservation) {
 	*out = *in
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamArn != nil {
+		in, out := &in.StreamArn, &out.StreamArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisStreamConfigObservation.
@@ -2815,6 +3617,21 @@ func (in *KinesisStreamConfigParameters) DeepCopy() *KinesisStreamConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaFunctionAssociationObservation) DeepCopyInto(out *LambdaFunctionAssociationObservation) {
 	*out = *in
+	if in.EventType != nil {
+		in, out := &in.EventType, &out.EventType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncludeBody != nil {
+		in, out := &in.IncludeBody, &out.IncludeBody
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LambdaArn != nil {
+		in, out := &in.LambdaArn, &out.LambdaArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaFunctionAssociationObservation.
@@ -2860,6 +3677,21 @@ func (in *LambdaFunctionAssociationParameters) DeepCopy() *LambdaFunctionAssocia
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingConfigObservation) DeepCopyInto(out *LoggingConfigObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncludeCookies != nil {
+		in, out := &in.IncludeCookies, &out.IncludeCookies
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfigObservation.
@@ -2905,6 +3737,11 @@ func (in *LoggingConfigParameters) DeepCopy() *LoggingConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 	*out = *in
+	if in.OriginID != nil {
+		in, out := &in.OriginID, &out.OriginID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemberObservation.
@@ -2999,6 +3836,13 @@ func (in *MonitoringSubscriptionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MonitoringSubscriptionMonitoringSubscriptionObservation) DeepCopyInto(out *MonitoringSubscriptionMonitoringSubscriptionObservation) {
 	*out = *in
+	if in.RealtimeMetricsSubscriptionConfig != nil {
+		in, out := &in.RealtimeMetricsSubscriptionConfig, &out.RealtimeMetricsSubscriptionConfig
+		*out = make([]RealtimeMetricsSubscriptionConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MonitoringSubscriptionMonitoringSubscriptionObservation.
@@ -3036,11 +3880,23 @@ func (in *MonitoringSubscriptionMonitoringSubscriptionParameters) DeepCopy() *Mo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MonitoringSubscriptionObservation) DeepCopyInto(out *MonitoringSubscriptionObservation) {
 	*out = *in
+	if in.DistributionID != nil {
+		in, out := &in.DistributionID, &out.DistributionID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MonitoringSubscription != nil {
+		in, out := &in.MonitoringSubscription, &out.MonitoringSubscription
+		*out = make([]MonitoringSubscriptionMonitoringSubscriptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MonitoringSubscriptionObservation.
@@ -3132,6 +3988,22 @@ func (in *MonitoringSubscriptionStatus) DeepCopy() *MonitoringSubscriptionStatus
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OrderedCacheBehaviorForwardedValuesCookiesObservation) DeepCopyInto(out *OrderedCacheBehaviorForwardedValuesCookiesObservation) {
 	*out = *in
+	if in.Forward != nil {
+		in, out := &in.Forward, &out.Forward
+		*out = new(string)
+		**out = **in
+	}
+	if in.WhitelistedNames != nil {
+		in, out := &in.WhitelistedNames, &out.WhitelistedNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedCacheBehaviorForwardedValuesCookiesObservation.
@@ -3178,6 +4050,40 @@ func (in *OrderedCacheBehaviorForwardedValuesCookiesParameters) DeepCopy() *Orde
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OrderedCacheBehaviorForwardedValuesObservation) DeepCopyInto(out *OrderedCacheBehaviorForwardedValuesObservation) {
 	*out = *in
+	if in.Cookies != nil {
+		in, out := &in.Cookies, &out.Cookies
+		*out = make([]OrderedCacheBehaviorForwardedValuesCookiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.QueryString != nil {
+		in, out := &in.QueryString, &out.QueryString
+		*out = new(bool)
+		**out = **in
+	}
+	if in.QueryStringCacheKeys != nil {
+		in, out := &in.QueryStringCacheKeys, &out.QueryStringCacheKeys
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedCacheBehaviorForwardedValuesObservation.
@@ -3242,6 +4148,16 @@ func (in *OrderedCacheBehaviorForwardedValuesParameters) DeepCopy() *OrderedCach
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OrderedCacheBehaviorFunctionAssociationObservation) DeepCopyInto(out *OrderedCacheBehaviorFunctionAssociationObservation) {
 	*out = *in
+	if in.EventType != nil {
+		in, out := &in.EventType, &out.EventType
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedCacheBehaviorFunctionAssociationObservation.
@@ -3292,6 +4208,21 @@ func (in *OrderedCacheBehaviorFunctionAssociationParameters) DeepCopy() *Ordered
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OrderedCacheBehaviorLambdaFunctionAssociationObservation) DeepCopyInto(out *OrderedCacheBehaviorLambdaFunctionAssociationObservation) {
 	*out = *in
+	if in.EventType != nil {
+		in, out := &in.EventType, &out.EventType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncludeBody != nil {
+		in, out := &in.IncludeBody, &out.IncludeBody
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LambdaArn != nil {
+		in, out := &in.LambdaArn, &out.LambdaArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedCacheBehaviorLambdaFunctionAssociationObservation.
@@ -3312,41 +4243,171 @@ func (in *OrderedCacheBehaviorLambdaFunctionAssociationParameters) DeepCopyInto(
 		*out = new(string)
 		**out = **in
 	}
-	if in.IncludeBody != nil {
-		in, out := &in.IncludeBody, &out.IncludeBody
-		*out = new(bool)
-		**out = **in
+	if in.IncludeBody != nil {
+		in, out := &in.IncludeBody, &out.IncludeBody
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LambdaArn != nil {
+		in, out := &in.LambdaArn, &out.LambdaArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaArnRef != nil {
+		in, out := &in.LambdaArnRef, &out.LambdaArnRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.LambdaArnSelector != nil {
+		in, out := &in.LambdaArnSelector, &out.LambdaArnSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedCacheBehaviorLambdaFunctionAssociationParameters.
+func (in *OrderedCacheBehaviorLambdaFunctionAssociationParameters) DeepCopy() *OrderedCacheBehaviorLambdaFunctionAssociationParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(OrderedCacheBehaviorLambdaFunctionAssociationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OrderedCacheBehaviorObservation) DeepCopyInto(out *OrderedCacheBehaviorObservation) {
+	*out = *in
+	if in.AllowedMethods != nil {
+		in, out := &in.AllowedMethods, &out.AllowedMethods
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CachePolicyID != nil {
+		in, out := &in.CachePolicyID, &out.CachePolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CachedMethods != nil {
+		in, out := &in.CachedMethods, &out.CachedMethods
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Compress != nil {
+		in, out := &in.Compress, &out.Compress
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DefaultTTL != nil {
+		in, out := &in.DefaultTTL, &out.DefaultTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FieldLevelEncryptionID != nil {
+		in, out := &in.FieldLevelEncryptionID, &out.FieldLevelEncryptionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForwardedValues != nil {
+		in, out := &in.ForwardedValues, &out.ForwardedValues
+		*out = make([]OrderedCacheBehaviorForwardedValuesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FunctionAssociation != nil {
+		in, out := &in.FunctionAssociation, &out.FunctionAssociation
+		*out = make([]OrderedCacheBehaviorFunctionAssociationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LambdaFunctionAssociation != nil {
+		in, out := &in.LambdaFunctionAssociation, &out.LambdaFunctionAssociation
+		*out = make([]OrderedCacheBehaviorLambdaFunctionAssociationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaxTTL != nil {
+		in, out := &in.MaxTTL, &out.MaxTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinTTL != nil {
+		in, out := &in.MinTTL, &out.MinTTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OriginRequestPolicyID != nil {
+		in, out := &in.OriginRequestPolicyID, &out.OriginRequestPolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PathPattern != nil {
+		in, out := &in.PathPattern, &out.PathPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.RealtimeLogConfigArn != nil {
+		in, out := &in.RealtimeLogConfigArn, &out.RealtimeLogConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResponseHeadersPolicyID != nil {
+		in, out := &in.ResponseHeadersPolicyID, &out.ResponseHeadersPolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SmoothStreaming != nil {
+		in, out := &in.SmoothStreaming, &out.SmoothStreaming
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TargetOriginID != nil {
+		in, out := &in.TargetOriginID, &out.TargetOriginID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TrustedKeyGroups != nil {
+		in, out := &in.TrustedKeyGroups, &out.TrustedKeyGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TrustedSigners != nil {
+		in, out := &in.TrustedSigners, &out.TrustedSigners
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
 	}
-	if in.LambdaArn != nil {
-		in, out := &in.LambdaArn, &out.LambdaArn
+	if in.ViewerProtocolPolicy != nil {
+		in, out := &in.ViewerProtocolPolicy, &out.ViewerProtocolPolicy
 		*out = new(string)
 		**out = **in
 	}
-	if in.LambdaArnRef != nil {
-		in, out := &in.LambdaArnRef, &out.LambdaArnRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.LambdaArnSelector != nil {
-		in, out := &in.LambdaArnSelector, &out.LambdaArnSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedCacheBehaviorLambdaFunctionAssociationParameters.
-func (in *OrderedCacheBehaviorLambdaFunctionAssociationParameters) DeepCopy() *OrderedCacheBehaviorLambdaFunctionAssociationParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(OrderedCacheBehaviorLambdaFunctionAssociationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OrderedCacheBehaviorObservation) DeepCopyInto(out *OrderedCacheBehaviorObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedCacheBehaviorObservation.
@@ -3566,6 +4627,11 @@ func (in *OriginAccessControlList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginAccessControlObservation) DeepCopyInto(out *OriginAccessControlObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -3576,6 +4642,26 @@ func (in *OriginAccessControlObservation) DeepCopyInto(out *OriginAccessControlO
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OriginAccessControlOriginType != nil {
+		in, out := &in.OriginAccessControlOriginType, &out.OriginAccessControlOriginType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SigningBehavior != nil {
+		in, out := &in.SigningBehavior, &out.SigningBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.SigningProtocol != nil {
+		in, out := &in.SigningProtocol, &out.SigningProtocol
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginAccessControlObservation.
@@ -3739,6 +4825,11 @@ func (in *OriginAccessIdentityObservation) DeepCopyInto(out *OriginAccessIdentit
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -3833,6 +4924,25 @@ func (in *OriginAccessIdentityStatus) DeepCopy() *OriginAccessIdentityStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginGroupObservation) DeepCopyInto(out *OriginGroupObservation) {
 	*out = *in
+	if in.FailoverCriteria != nil {
+		in, out := &in.FailoverCriteria, &out.FailoverCriteria
+		*out = make([]FailoverCriteriaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Member != nil {
+		in, out := &in.Member, &out.Member
+		*out = make([]MemberObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OriginID != nil {
+		in, out := &in.OriginID, &out.OriginID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginGroupObservation.
@@ -3882,6 +4992,64 @@ func (in *OriginGroupParameters) DeepCopy() *OriginGroupParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginObservation) DeepCopyInto(out *OriginObservation) {
 	*out = *in
+	if in.ConnectionAttempts != nil {
+		in, out := &in.ConnectionAttempts, &out.ConnectionAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ConnectionTimeout != nil {
+		in, out := &in.ConnectionTimeout, &out.ConnectionTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CustomHeader != nil {
+		in, out := &in.CustomHeader, &out.CustomHeader
+		*out = make([]CustomHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomOriginConfig != nil {
+		in, out := &in.CustomOriginConfig, &out.CustomOriginConfig
+		*out = make([]CustomOriginConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OriginAccessControlID != nil {
+		in, out := &in.OriginAccessControlID, &out.OriginAccessControlID
+		*out = new(string)
+		**out = **in
+	}
+	if in.OriginID != nil {
+		in, out := &in.OriginID, &out.OriginID
+		*out = new(string)
+		**out = **in
+	}
+	if in.OriginPath != nil {
+		in, out := &in.OriginPath, &out.OriginPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.OriginShield != nil {
+		in, out := &in.OriginShield, &out.OriginShield
+		*out = make([]OriginShieldObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3OriginConfig != nil {
+		in, out := &in.S3OriginConfig, &out.S3OriginConfig
+		*out = make([]S3OriginConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginObservation.
@@ -4007,6 +5175,18 @@ func (in *OriginRequestPolicy) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginRequestPolicyCookiesConfigObservation) DeepCopyInto(out *OriginRequestPolicyCookiesConfigObservation) {
 	*out = *in
+	if in.CookieBehavior != nil {
+		in, out := &in.CookieBehavior, &out.CookieBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Cookies != nil {
+		in, out := &in.Cookies, &out.Cookies
+		*out = make([]CookiesConfigCookiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginRequestPolicyCookiesConfigObservation.
@@ -4049,6 +5229,18 @@ func (in *OriginRequestPolicyCookiesConfigParameters) DeepCopy() *OriginRequestP
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginRequestPolicyHeadersConfigObservation) DeepCopyInto(out *OriginRequestPolicyHeadersConfigObservation) {
 	*out = *in
+	if in.HeaderBehavior != nil {
+		in, out := &in.HeaderBehavior, &out.HeaderBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Headers != nil {
+		in, out := &in.Headers, &out.Headers
+		*out = make([]HeadersConfigHeadersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginRequestPolicyHeadersConfigObservation.
@@ -4123,16 +5315,42 @@ func (in *OriginRequestPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginRequestPolicyObservation) DeepCopyInto(out *OriginRequestPolicyObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.CookiesConfig != nil {
+		in, out := &in.CookiesConfig, &out.CookiesConfig
+		*out = make([]OriginRequestPolicyCookiesConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
 		**out = **in
 	}
+	if in.HeadersConfig != nil {
+		in, out := &in.HeadersConfig, &out.HeadersConfig
+		*out = make([]OriginRequestPolicyHeadersConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.QueryStringsConfig != nil {
+		in, out := &in.QueryStringsConfig, &out.QueryStringsConfig
+		*out = make([]OriginRequestPolicyQueryStringsConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginRequestPolicyObservation.
@@ -4194,6 +5412,18 @@ func (in *OriginRequestPolicyParameters) DeepCopy() *OriginRequestPolicyParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginRequestPolicyQueryStringsConfigObservation) DeepCopyInto(out *OriginRequestPolicyQueryStringsConfigObservation) {
 	*out = *in
+	if in.QueryStringBehavior != nil {
+		in, out := &in.QueryStringBehavior, &out.QueryStringBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.QueryStrings != nil {
+		in, out := &in.QueryStrings, &out.QueryStrings
+		*out = make([]QueryStringsConfigQueryStringsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginRequestPolicyQueryStringsConfigObservation.
@@ -4270,6 +5500,16 @@ func (in *OriginRequestPolicyStatus) DeepCopy() *OriginRequestPolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OriginShieldObservation) DeepCopyInto(out *OriginShieldObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.OriginShieldRegion != nil {
+		in, out := &in.OriginShieldRegion, &out.OriginShieldRegion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginShieldObservation.
@@ -4310,6 +5550,37 @@ func (in *OriginShieldParameters) DeepCopy() *OriginShieldParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParametersInCacheKeyAndForwardedToOriginObservation) DeepCopyInto(out *ParametersInCacheKeyAndForwardedToOriginObservation) {
 	*out = *in
+	if in.CookiesConfig != nil {
+		in, out := &in.CookiesConfig, &out.CookiesConfig
+		*out = make([]CookiesConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnableAcceptEncodingBrotli != nil {
+		in, out := &in.EnableAcceptEncodingBrotli, &out.EnableAcceptEncodingBrotli
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableAcceptEncodingGzip != nil {
+		in, out := &in.EnableAcceptEncodingGzip, &out.EnableAcceptEncodingGzip
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HeadersConfig != nil {
+		in, out := &in.HeadersConfig, &out.HeadersConfig
+		*out = make([]HeadersConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.QueryStringsConfig != nil {
+		in, out := &in.QueryStringsConfig, &out.QueryStringsConfig
+		*out = make([]QueryStringsConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParametersInCacheKeyAndForwardedToOriginObservation.
@@ -4435,6 +5706,11 @@ func (in *PublicKeyObservation) DeepCopyInto(out *PublicKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
 	if in.Etag != nil {
 		in, out := &in.Etag, &out.Etag
 		*out = new(string)
@@ -4445,6 +5721,11 @@ func (in *PublicKeyObservation) DeepCopyInto(out *PublicKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicKeyObservation.
@@ -4525,6 +5806,18 @@ func (in *PublicKeyStatus) DeepCopy() *PublicKeyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryArgProfileConfigObservation) DeepCopyInto(out *QueryArgProfileConfigObservation) {
 	*out = *in
+	if in.ForwardWhenQueryArgProfileIsUnknown != nil {
+		in, out := &in.ForwardWhenQueryArgProfileIsUnknown, &out.ForwardWhenQueryArgProfileIsUnknown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.QueryArgProfiles != nil {
+		in, out := &in.QueryArgProfiles, &out.QueryArgProfiles
+		*out = make([]QueryArgProfilesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryArgProfileConfigObservation.
@@ -4567,6 +5860,16 @@ func (in *QueryArgProfileConfigParameters) DeepCopy() *QueryArgProfileConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryArgProfilesItemsObservation) DeepCopyInto(out *QueryArgProfilesItemsObservation) {
 	*out = *in
+	if in.ProfileID != nil {
+		in, out := &in.ProfileID, &out.ProfileID
+		*out = new(string)
+		**out = **in
+	}
+	if in.QueryArg != nil {
+		in, out := &in.QueryArg, &out.QueryArg
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryArgProfilesItemsObservation.
@@ -4617,6 +5920,13 @@ func (in *QueryArgProfilesItemsParameters) DeepCopy() *QueryArgProfilesItemsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryArgProfilesObservation) DeepCopyInto(out *QueryArgProfilesObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]QueryArgProfilesItemsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryArgProfilesObservation.
@@ -4654,6 +5964,18 @@ func (in *QueryArgProfilesParameters) DeepCopy() *QueryArgProfilesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryStringsConfigObservation) DeepCopyInto(out *QueryStringsConfigObservation) {
 	*out = *in
+	if in.QueryStringBehavior != nil {
+		in, out := &in.QueryStringBehavior, &out.QueryStringBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.QueryStrings != nil {
+		in, out := &in.QueryStrings, &out.QueryStrings
+		*out = make([]QueryStringsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryStringsConfigObservation.
@@ -4696,6 +6018,17 @@ func (in *QueryStringsConfigParameters) DeepCopy() *QueryStringsConfigParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryStringsConfigQueryStringsObservation) DeepCopyInto(out *QueryStringsConfigQueryStringsObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryStringsConfigQueryStringsObservation.
@@ -4737,6 +6070,17 @@ func (in *QueryStringsConfigQueryStringsParameters) DeepCopy() *QueryStringsConf
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryStringsObservation) DeepCopyInto(out *QueryStringsObservation) {
 	*out = *in
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryStringsObservation.
@@ -4842,11 +6186,39 @@ func (in *RealtimeLogConfigObservation) DeepCopyInto(out *RealtimeLogConfigObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = make([]EndpointObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Fields != nil {
+		in, out := &in.Fields, &out.Fields
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SamplingRate != nil {
+		in, out := &in.SamplingRate, &out.SamplingRate
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RealtimeLogConfigObservation.
@@ -4944,6 +6316,11 @@ func (in *RealtimeLogConfigStatus) DeepCopy() *RealtimeLogConfigStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RealtimeMetricsSubscriptionConfigObservation) DeepCopyInto(out *RealtimeMetricsSubscriptionConfigObservation) {
 	*out = *in
+	if in.RealtimeMetricsSubscriptionStatus != nil {
+		in, out := &in.RealtimeMetricsSubscriptionStatus, &out.RealtimeMetricsSubscriptionStatus
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RealtimeMetricsSubscriptionConfigObservation.
@@ -4979,6 +6356,16 @@ func (in *RealtimeMetricsSubscriptionConfigParameters) DeepCopy() *RealtimeMetri
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReferrerPolicyObservation) DeepCopyInto(out *ReferrerPolicyObservation) {
 	*out = *in
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ReferrerPolicy != nil {
+		in, out := &in.ReferrerPolicy, &out.ReferrerPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferrerPolicyObservation.
@@ -5078,11 +6465,54 @@ func (in *ResponseHeadersPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResponseHeadersPolicyObservation) DeepCopyInto(out *ResponseHeadersPolicyObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.CorsConfig != nil {
+		in, out := &in.CorsConfig, &out.CorsConfig
+		*out = make([]CorsConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomHeadersConfig != nil {
+		in, out := &in.CustomHeadersConfig, &out.CustomHeadersConfig
+		*out = make([]CustomHeadersConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Etag != nil {
+		in, out := &in.Etag, &out.Etag
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityHeadersConfig != nil {
+		in, out := &in.SecurityHeadersConfig, &out.SecurityHeadersConfig
+		*out = make([]SecurityHeadersConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServerTimingHeadersConfig != nil {
+		in, out := &in.ServerTimingHeadersConfig, &out.ServerTimingHeadersConfig
+		*out = make([]ServerTimingHeadersConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResponseHeadersPolicyObservation.
@@ -5195,6 +6625,13 @@ func (in *ResponseHeadersPolicyStatus) DeepCopy() *ResponseHeadersPolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RestrictionsObservation) DeepCopyInto(out *RestrictionsObservation) {
 	*out = *in
+	if in.GeoRestriction != nil {
+		in, out := &in.GeoRestriction, &out.GeoRestriction
+		*out = make([]GeoRestrictionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestrictionsObservation.
@@ -5232,6 +6669,11 @@ func (in *RestrictionsParameters) DeepCopy() *RestrictionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3OriginConfigObservation) DeepCopyInto(out *S3OriginConfigObservation) {
 	*out = *in
+	if in.OriginAccessIdentity != nil {
+		in, out := &in.OriginAccessIdentity, &out.OriginAccessIdentity
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3OriginConfigObservation.
@@ -5277,6 +6719,48 @@ func (in *S3OriginConfigParameters) DeepCopy() *S3OriginConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecurityHeadersConfigObservation) DeepCopyInto(out *SecurityHeadersConfigObservation) {
 	*out = *in
+	if in.ContentSecurityPolicy != nil {
+		in, out := &in.ContentSecurityPolicy, &out.ContentSecurityPolicy
+		*out = make([]ContentSecurityPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ContentTypeOptions != nil {
+		in, out := &in.ContentTypeOptions, &out.ContentTypeOptions
+		*out = make([]ContentTypeOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FrameOptions != nil {
+		in, out := &in.FrameOptions, &out.FrameOptions
+		*out = make([]FrameOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReferrerPolicy != nil {
+		in, out := &in.ReferrerPolicy, &out.ReferrerPolicy
+		*out = make([]ReferrerPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StrictTransportSecurity != nil {
+		in, out := &in.StrictTransportSecurity, &out.StrictTransportSecurity
+		*out = make([]StrictTransportSecurityObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.XSSProtection != nil {
+		in, out := &in.XSSProtection, &out.XSSProtection
+		*out = make([]XSSProtectionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityHeadersConfigObservation.
@@ -5349,6 +6833,16 @@ func (in *SecurityHeadersConfigParameters) DeepCopy() *SecurityHeadersConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerTimingHeadersConfigObservation) DeepCopyInto(out *ServerTimingHeadersConfigObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SamplingRate != nil {
+		in, out := &in.SamplingRate, &out.SamplingRate
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerTimingHeadersConfigObservation.
@@ -5389,6 +6883,26 @@ func (in *ServerTimingHeadersConfigParameters) DeepCopy() *ServerTimingHeadersCo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StrictTransportSecurityObservation) DeepCopyInto(out *StrictTransportSecurityObservation) {
 	*out = *in
+	if in.AccessControlMaxAgeSec != nil {
+		in, out := &in.AccessControlMaxAgeSec, &out.AccessControlMaxAgeSec
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IncludeSubdomains != nil {
+		in, out := &in.IncludeSubdomains, &out.IncludeSubdomains
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Preload != nil {
+		in, out := &in.Preload, &out.Preload
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StrictTransportSecurityObservation.
@@ -5569,6 +7083,31 @@ func (in *TrustedSignersParameters) DeepCopy() *TrustedSignersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ViewerCertificateObservation) DeepCopyInto(out *ViewerCertificateObservation) {
 	*out = *in
+	if in.AcmCertificateArn != nil {
+		in, out := &in.AcmCertificateArn, &out.AcmCertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CloudfrontDefaultCertificate != nil {
+		in, out := &in.CloudfrontDefaultCertificate, &out.CloudfrontDefaultCertificate
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IAMCertificateID != nil {
+		in, out := &in.IAMCertificateID, &out.IAMCertificateID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinimumProtocolVersion != nil {
+		in, out := &in.MinimumProtocolVersion, &out.MinimumProtocolVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLSupportMethod != nil {
+		in, out := &in.SSLSupportMethod, &out.SSLSupportMethod
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ViewerCertificateObservation.
@@ -5624,6 +7163,26 @@ func (in *ViewerCertificateParameters) DeepCopy() *ViewerCertificateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *XSSProtectionObservation) DeepCopyInto(out *XSSProtectionObservation) {
 	*out = *in
+	if in.ModeBlock != nil {
+		in, out := &in.ModeBlock, &out.ModeBlock
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Protection != nil {
+		in, out := &in.Protection, &out.Protection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ReportURI != nil {
+		in, out := &in.ReportURI, &out.ReportURI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XSSProtectionObservation.
diff --git a/apis/cloudfront/v1beta1/zz_keygroup_types.go b/apis/cloudfront/v1beta1/zz_keygroup_types.go
index a46cd89046..60f0151245 100755
--- a/apis/cloudfront/v1beta1/zz_keygroup_types.go
+++ b/apis/cloudfront/v1beta1/zz_keygroup_types.go
@@ -15,11 +15,20 @@ import (
 
 type KeyGroupObservation struct {
 
+	// A comment to describe the key group..
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
 	// The identifier for this version of the key group.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
 	// The identifier for the key group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A list of the identifiers of the public keys in the key group.
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
+
+	// A name to identify the key group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type KeyGroupParameters struct {
@@ -44,8 +53,8 @@ type KeyGroupParameters struct {
 	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 
 	// A name to identify the key group.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -77,8 +86,9 @@ type KeyGroupStatus struct {
 type KeyGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              KeyGroupSpec   `json:"spec"`
-	Status            KeyGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   KeyGroupSpec   `json:"spec"`
+	Status KeyGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_monitoringsubscription_types.go b/apis/cloudfront/v1beta1/zz_monitoringsubscription_types.go
index de8b5888cc..95525e83ef 100755
--- a/apis/cloudfront/v1beta1/zz_monitoringsubscription_types.go
+++ b/apis/cloudfront/v1beta1/zz_monitoringsubscription_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type MonitoringSubscriptionMonitoringSubscriptionObservation struct {
+
+	// A subscription configuration for additional CloudWatch metrics. See below.
+	RealtimeMetricsSubscriptionConfig []RealtimeMetricsSubscriptionConfigObservation `json:"realtimeMetricsSubscriptionConfig,omitempty" tf:"realtime_metrics_subscription_config,omitempty"`
 }
 
 type MonitoringSubscriptionMonitoringSubscriptionParameters struct {
@@ -25,8 +28,14 @@ type MonitoringSubscriptionMonitoringSubscriptionParameters struct {
 
 type MonitoringSubscriptionObservation struct {
 
+	// The ID of the distribution that you are enabling metrics for.
+	DistributionID *string `json:"distributionId,omitempty" tf:"distribution_id,omitempty"`
+
 	// The ID of the CloudFront monitoring subscription, which corresponds to the distribution_id.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A monitoring subscription. This structure contains information about whether additional CloudWatch metrics are enabled for a given CloudFront distribution.
+	MonitoringSubscription []MonitoringSubscriptionMonitoringSubscriptionObservation `json:"monitoringSubscription,omitempty" tf:"monitoring_subscription,omitempty"`
 }
 
 type MonitoringSubscriptionParameters struct {
@@ -46,8 +55,8 @@ type MonitoringSubscriptionParameters struct {
 	DistributionIDSelector *v1.Selector `json:"distributionIdSelector,omitempty" tf:"-"`
 
 	// A monitoring subscription. This structure contains information about whether additional CloudWatch metrics are enabled for a given CloudFront distribution.
-	// +kubebuilder:validation:Required
-	MonitoringSubscription []MonitoringSubscriptionMonitoringSubscriptionParameters `json:"monitoringSubscription" tf:"monitoring_subscription,omitempty"`
+	// +kubebuilder:validation:Optional
+	MonitoringSubscription []MonitoringSubscriptionMonitoringSubscriptionParameters `json:"monitoringSubscription,omitempty" tf:"monitoring_subscription,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -56,6 +65,9 @@ type MonitoringSubscriptionParameters struct {
 }
 
 type RealtimeMetricsSubscriptionConfigObservation struct {
+
+	// A flag that indicates whether additional CloudWatch metrics are enabled for a given CloudFront distribution. Valid values are Enabled and Disabled. See below.
+	RealtimeMetricsSubscriptionStatus *string `json:"realtimeMetricsSubscriptionStatus,omitempty" tf:"realtime_metrics_subscription_status,omitempty"`
 }
 
 type RealtimeMetricsSubscriptionConfigParameters struct {
@@ -89,8 +101,9 @@ type MonitoringSubscriptionStatus struct {
 type MonitoringSubscription struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MonitoringSubscriptionSpec   `json:"spec"`
-	Status            MonitoringSubscriptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.monitoringSubscription)",message="monitoringSubscription is a required parameter"
+	Spec   MonitoringSubscriptionSpec   `json:"spec"`
+	Status MonitoringSubscriptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_originaccesscontrol_types.go b/apis/cloudfront/v1beta1/zz_originaccesscontrol_types.go
index 79c6f5dd6b..47f7c82a57 100755
--- a/apis/cloudfront/v1beta1/zz_originaccesscontrol_types.go
+++ b/apis/cloudfront/v1beta1/zz_originaccesscontrol_types.go
@@ -15,11 +15,26 @@ import (
 
 type OriginAccessControlObservation struct {
 
+	// The description of the Origin Access Control. It may be empty.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The current version of this Origin Access Control.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
 	// The unique identifier of this Origin Access Control.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A name that identifies the Origin Access Control.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The type of origin that this Origin Access Control is for. The only valid value is s3.
+	OriginAccessControlOriginType *string `json:"originAccessControlOriginType,omitempty" tf:"origin_access_control_origin_type,omitempty"`
+
+	// Specifies which requests CloudFront signs. Specify always for the most common use case. Allowed values: always, never, no-override.
+	SigningBehavior *string `json:"signingBehavior,omitempty" tf:"signing_behavior,omitempty"`
+
+	// Determines how CloudFront signs (authenticates) requests. Valid values: sigv4.
+	SigningProtocol *string `json:"signingProtocol,omitempty" tf:"signing_protocol,omitempty"`
 }
 
 type OriginAccessControlParameters struct {
@@ -29,12 +44,12 @@ type OriginAccessControlParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A name that identifies the Origin Access Control.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The type of origin that this Origin Access Control is for. The only valid value is s3.
-	// +kubebuilder:validation:Required
-	OriginAccessControlOriginType *string `json:"originAccessControlOriginType" tf:"origin_access_control_origin_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	OriginAccessControlOriginType *string `json:"originAccessControlOriginType,omitempty" tf:"origin_access_control_origin_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -42,12 +57,12 @@ type OriginAccessControlParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Specifies which requests CloudFront signs. Specify always for the most common use case. Allowed values: always, never, no-override.
-	// +kubebuilder:validation:Required
-	SigningBehavior *string `json:"signingBehavior" tf:"signing_behavior,omitempty"`
+	// +kubebuilder:validation:Optional
+	SigningBehavior *string `json:"signingBehavior,omitempty" tf:"signing_behavior,omitempty"`
 
 	// Determines how CloudFront signs (authenticates) requests. Valid values: sigv4.
-	// +kubebuilder:validation:Required
-	SigningProtocol *string `json:"signingProtocol" tf:"signing_protocol,omitempty"`
+	// +kubebuilder:validation:Optional
+	SigningProtocol *string `json:"signingProtocol,omitempty" tf:"signing_protocol,omitempty"`
 }
 
 // OriginAccessControlSpec defines the desired state of OriginAccessControl
@@ -74,8 +89,12 @@ type OriginAccessControlStatus struct {
 type OriginAccessControl struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              OriginAccessControlSpec   `json:"spec"`
-	Status            OriginAccessControlStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.originAccessControlOriginType)",message="originAccessControlOriginType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.signingBehavior)",message="signingBehavior is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.signingProtocol)",message="signingProtocol is a required parameter"
+	Spec   OriginAccessControlSpec   `json:"spec"`
+	Status OriginAccessControlStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_originaccessidentity_types.go b/apis/cloudfront/v1beta1/zz_originaccessidentity_types.go
index 9b590ad2f6..048aadd10c 100755
--- a/apis/cloudfront/v1beta1/zz_originaccessidentity_types.go
+++ b/apis/cloudfront/v1beta1/zz_originaccessidentity_types.go
@@ -23,6 +23,9 @@ type OriginAccessIdentityObservation struct {
 	// origin access identity to use in CloudFront, see below.
 	CloudfrontAccessIdentityPath *string `json:"cloudfrontAccessIdentityPath,omitempty" tf:"cloudfront_access_identity_path,omitempty"`
 
+	// An optional comment for the origin access identity.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
 	// The current version of the origin access identity's information.
 	// For example: E2QWRUHAPOMQZL.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
diff --git a/apis/cloudfront/v1beta1/zz_originrequestpolicy_types.go b/apis/cloudfront/v1beta1/zz_originrequestpolicy_types.go
index e583f0377d..22be89a6b3 100755
--- a/apis/cloudfront/v1beta1/zz_originrequestpolicy_types.go
+++ b/apis/cloudfront/v1beta1/zz_originrequestpolicy_types.go
@@ -14,6 +14,7 @@ import (
 )
 
 type CookiesConfigCookiesObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type CookiesConfigCookiesParameters struct {
@@ -23,6 +24,7 @@ type CookiesConfigCookiesParameters struct {
 }
 
 type HeadersConfigHeadersObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type HeadersConfigHeadersParameters struct {
@@ -32,6 +34,9 @@ type HeadersConfigHeadersParameters struct {
 }
 
 type OriginRequestPolicyCookiesConfigObservation struct {
+	CookieBehavior *string `json:"cookieBehavior,omitempty" tf:"cookie_behavior,omitempty"`
+
+	Cookies []CookiesConfigCookiesObservation `json:"cookies,omitempty" tf:"cookies,omitempty"`
 }
 
 type OriginRequestPolicyCookiesConfigParameters struct {
@@ -44,6 +49,9 @@ type OriginRequestPolicyCookiesConfigParameters struct {
 }
 
 type OriginRequestPolicyHeadersConfigObservation struct {
+	HeaderBehavior *string `json:"headerBehavior,omitempty" tf:"header_behavior,omitempty"`
+
+	Headers []HeadersConfigHeadersObservation `json:"headers,omitempty" tf:"headers,omitempty"`
 }
 
 type OriginRequestPolicyHeadersConfigParameters struct {
@@ -57,11 +65,23 @@ type OriginRequestPolicyHeadersConfigParameters struct {
 
 type OriginRequestPolicyObservation struct {
 
+	// Comment to describe the origin request policy.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// Object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See Cookies Config for more information.
+	CookiesConfig []OriginRequestPolicyCookiesConfigObservation `json:"cookiesConfig,omitempty" tf:"cookies_config,omitempty"`
+
 	// The current version of the origin request policy.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
+	// Object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See Headers Config for more information.
+	HeadersConfig []OriginRequestPolicyHeadersConfigObservation `json:"headersConfig,omitempty" tf:"headers_config,omitempty"`
+
 	// The identifier for the origin request policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See Query String Config for more information.
+	QueryStringsConfig []OriginRequestPolicyQueryStringsConfigObservation `json:"queryStringsConfig,omitempty" tf:"query_strings_config,omitempty"`
 }
 
 type OriginRequestPolicyParameters struct {
@@ -71,16 +91,16 @@ type OriginRequestPolicyParameters struct {
 	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
 
 	// Object that determines whether any cookies in viewer requests (and if so, which cookies) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See Cookies Config for more information.
-	// +kubebuilder:validation:Required
-	CookiesConfig []OriginRequestPolicyCookiesConfigParameters `json:"cookiesConfig" tf:"cookies_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	CookiesConfig []OriginRequestPolicyCookiesConfigParameters `json:"cookiesConfig,omitempty" tf:"cookies_config,omitempty"`
 
 	// Object that determines whether any HTTP headers (and if so, which headers) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See Headers Config for more information.
-	// +kubebuilder:validation:Required
-	HeadersConfig []OriginRequestPolicyHeadersConfigParameters `json:"headersConfig" tf:"headers_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	HeadersConfig []OriginRequestPolicyHeadersConfigParameters `json:"headersConfig,omitempty" tf:"headers_config,omitempty"`
 
 	// Object that determines whether any URL query strings in viewer requests (and if so, which query strings) are included in the origin request key and automatically included in requests that CloudFront sends to the origin. See Query String Config for more information.
-	// +kubebuilder:validation:Required
-	QueryStringsConfig []OriginRequestPolicyQueryStringsConfigParameters `json:"queryStringsConfig" tf:"query_strings_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	QueryStringsConfig []OriginRequestPolicyQueryStringsConfigParameters `json:"queryStringsConfig,omitempty" tf:"query_strings_config,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -89,6 +109,9 @@ type OriginRequestPolicyParameters struct {
 }
 
 type OriginRequestPolicyQueryStringsConfigObservation struct {
+	QueryStringBehavior *string `json:"queryStringBehavior,omitempty" tf:"query_string_behavior,omitempty"`
+
+	QueryStrings []QueryStringsConfigQueryStringsObservation `json:"queryStrings,omitempty" tf:"query_strings,omitempty"`
 }
 
 type OriginRequestPolicyQueryStringsConfigParameters struct {
@@ -101,6 +124,7 @@ type OriginRequestPolicyQueryStringsConfigParameters struct {
 }
 
 type QueryStringsConfigQueryStringsObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type QueryStringsConfigQueryStringsParameters struct {
@@ -133,8 +157,11 @@ type OriginRequestPolicyStatus struct {
 type OriginRequestPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              OriginRequestPolicySpec   `json:"spec"`
-	Status            OriginRequestPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cookiesConfig)",message="cookiesConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.headersConfig)",message="headersConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.queryStringsConfig)",message="queryStringsConfig is a required parameter"
+	Spec   OriginRequestPolicySpec   `json:"spec"`
+	Status OriginRequestPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_publickey_types.go b/apis/cloudfront/v1beta1/zz_publickey_types.go
index c5e06e3239..62c0532785 100755
--- a/apis/cloudfront/v1beta1/zz_publickey_types.go
+++ b/apis/cloudfront/v1beta1/zz_publickey_types.go
@@ -18,11 +18,17 @@ type PublicKeyObservation struct {
 	// Internal value used by CloudFront to allow future updates to the public key configuration.
 	CallerReference *string `json:"callerReference,omitempty" tf:"caller_reference,omitempty"`
 
+	// An optional comment about the public key.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
 	// The current version of the public key. For example: E2QWRUHAPOMQZL.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
 	// The identifier for the public key. For example: K3D5EWEUDCCXON.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name for the public key.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type PublicKeyParameters struct {
@@ -32,7 +38,7 @@ type PublicKeyParameters struct {
 	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
 
 	// The encoded public key that you want to add to CloudFront to use with features like field-level encryption.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	EncodedKeySecretRef v1.SecretKeySelector `json:"encodedKeySecretRef" tf:"-"`
 
 	// The name for the public key.
@@ -69,8 +75,9 @@ type PublicKeyStatus struct {
 type PublicKey struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PublicKeySpec   `json:"spec"`
-	Status            PublicKeyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encodedKeySecretRef)",message="encodedKeySecretRef is a required parameter"
+	Spec   PublicKeySpec   `json:"spec"`
+	Status PublicKeyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_realtimelogconfig_types.go b/apis/cloudfront/v1beta1/zz_realtimelogconfig_types.go
index 25d8b33ce4..462011f49d 100755
--- a/apis/cloudfront/v1beta1/zz_realtimelogconfig_types.go
+++ b/apis/cloudfront/v1beta1/zz_realtimelogconfig_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type EndpointObservation struct {
+
+	// The Amazon Kinesis data stream configuration.
+	KinesisStreamConfig []KinesisStreamConfigObservation `json:"kinesisStreamConfig,omitempty" tf:"kinesis_stream_config,omitempty"`
+
+	// The type of data stream where real-time log data is sent. The only valid value is Kinesis.
+	StreamType *string `json:"streamType,omitempty" tf:"stream_type,omitempty"`
 }
 
 type EndpointParameters struct {
@@ -28,6 +34,13 @@ type EndpointParameters struct {
 }
 
 type KinesisStreamConfigObservation struct {
+
+	// The ARN of an IAM role that CloudFront can use to send real-time log data to the Kinesis data stream.
+	// See the AWS documentation for more information.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The ARN of the Kinesis data stream.
+	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 }
 
 type KinesisStreamConfigParameters struct {
@@ -67,23 +80,35 @@ type RealtimeLogConfigObservation struct {
 	// The ARN (Amazon Resource Name) of the CloudFront real-time log configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Amazon Kinesis data streams where real-time log data is sent.
+	Endpoint []EndpointObservation `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
+
+	// The fields that are included in each real-time log record. See the AWS documentation for supported values.
+	Fields []*string `json:"fields,omitempty" tf:"fields,omitempty"`
+
 	// The ID of the CloudFront real-time log configuration.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The unique name to identify this real-time log configuration.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The sampling rate for this real-time log configuration. The sampling rate determines the percentage of viewer requests that are represented in the real-time log data. An integer between 1 and 100, inclusive.
+	SamplingRate *float64 `json:"samplingRate,omitempty" tf:"sampling_rate,omitempty"`
 }
 
 type RealtimeLogConfigParameters struct {
 
 	// The Amazon Kinesis data streams where real-time log data is sent.
-	// +kubebuilder:validation:Required
-	Endpoint []EndpointParameters `json:"endpoint" tf:"endpoint,omitempty"`
+	// +kubebuilder:validation:Optional
+	Endpoint []EndpointParameters `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
 	// The fields that are included in each real-time log record. See the AWS documentation for supported values.
-	// +kubebuilder:validation:Required
-	Fields []*string `json:"fields" tf:"fields,omitempty"`
+	// +kubebuilder:validation:Optional
+	Fields []*string `json:"fields,omitempty" tf:"fields,omitempty"`
 
 	// The unique name to identify this real-time log configuration.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -91,8 +116,8 @@ type RealtimeLogConfigParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The sampling rate for this real-time log configuration. The sampling rate determines the percentage of viewer requests that are represented in the real-time log data. An integer between 1 and 100, inclusive.
-	// +kubebuilder:validation:Required
-	SamplingRate *float64 `json:"samplingRate" tf:"sampling_rate,omitempty"`
+	// +kubebuilder:validation:Optional
+	SamplingRate *float64 `json:"samplingRate,omitempty" tf:"sampling_rate,omitempty"`
 }
 
 // RealtimeLogConfigSpec defines the desired state of RealtimeLogConfig
@@ -119,8 +144,12 @@ type RealtimeLogConfigStatus struct {
 type RealtimeLogConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RealtimeLogConfigSpec   `json:"spec"`
-	Status            RealtimeLogConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpoint)",message="endpoint is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fields)",message="fields is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.samplingRate)",message="samplingRate is a required parameter"
+	Spec   RealtimeLogConfigSpec   `json:"spec"`
+	Status RealtimeLogConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudfront/v1beta1/zz_responseheaderspolicy_types.go b/apis/cloudfront/v1beta1/zz_responseheaderspolicy_types.go
index 99067a2b84..4e5beb4973 100755
--- a/apis/cloudfront/v1beta1/zz_responseheaderspolicy_types.go
+++ b/apis/cloudfront/v1beta1/zz_responseheaderspolicy_types.go
@@ -14,6 +14,7 @@ import (
 )
 
 type AccessControlAllowHeadersObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type AccessControlAllowHeadersParameters struct {
@@ -23,6 +24,7 @@ type AccessControlAllowHeadersParameters struct {
 }
 
 type AccessControlAllowMethodsObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type AccessControlAllowMethodsParameters struct {
@@ -32,6 +34,7 @@ type AccessControlAllowMethodsParameters struct {
 }
 
 type AccessControlAllowOriginsObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type AccessControlAllowOriginsParameters struct {
@@ -41,6 +44,7 @@ type AccessControlAllowOriginsParameters struct {
 }
 
 type AccessControlExposeHeadersObservation struct {
+	Items []*string `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type AccessControlExposeHeadersParameters struct {
@@ -50,6 +54,12 @@ type AccessControlExposeHeadersParameters struct {
 }
 
 type ContentSecurityPolicyObservation struct {
+
+	// The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. See Content Security Policy for more information.
+	ContentSecurityPolicy *string `json:"contentSecurityPolicy,omitempty" tf:"content_security_policy,omitempty"`
+
+	// Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here.
+	Override *bool `json:"override,omitempty" tf:"override,omitempty"`
 }
 
 type ContentSecurityPolicyParameters struct {
@@ -64,6 +74,9 @@ type ContentSecurityPolicyParameters struct {
 }
 
 type ContentTypeOptionsObservation struct {
+
+	// Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here.
+	Override *bool `json:"override,omitempty" tf:"override,omitempty"`
 }
 
 type ContentTypeOptionsParameters struct {
@@ -74,6 +87,27 @@ type ContentTypeOptionsParameters struct {
 }
 
 type CorsConfigObservation struct {
+
+	// A Boolean value that CloudFront uses as the value for the Access-Control-Allow-Credentials HTTP response header.
+	AccessControlAllowCredentials *bool `json:"accessControlAllowCredentials,omitempty" tf:"access_control_allow_credentials,omitempty"`
+
+	// Object that contains an attribute items that contains a list of HTTP header names that CloudFront includes as values for the Access-Control-Allow-Headers HTTP response header.
+	AccessControlAllowHeaders []AccessControlAllowHeadersObservation `json:"accessControlAllowHeaders,omitempty" tf:"access_control_allow_headers,omitempty"`
+
+	// Object that contains an attribute items that contains a list of HTTP methods that CloudFront includes as values for the Access-Control-Allow-Methods HTTP response header. Valid values: GET | POST | OPTIONS | PUT | DELETE | HEAD | ALL
+	AccessControlAllowMethods []AccessControlAllowMethodsObservation `json:"accessControlAllowMethods,omitempty" tf:"access_control_allow_methods,omitempty"`
+
+	// Object that contains an attribute items that contains a list of origins that CloudFront can use as the value for the Access-Control-Allow-Origin HTTP response header.
+	AccessControlAllowOrigins []AccessControlAllowOriginsObservation `json:"accessControlAllowOrigins,omitempty" tf:"access_control_allow_origins,omitempty"`
+
+	// Object that contains an attribute items that contains a list of HTTP headers that CloudFront includes as values for the Access-Control-Expose-Headers HTTP response header.
+	AccessControlExposeHeaders []AccessControlExposeHeadersObservation `json:"accessControlExposeHeaders,omitempty" tf:"access_control_expose_headers,omitempty"`
+
+	// A number that CloudFront uses as the value for the Access-Control-Max-Age HTTP response header.
+	AccessControlMaxAgeSec *float64 `json:"accessControlMaxAgeSec,omitempty" tf:"access_control_max_age_sec,omitempty"`
+
+	// A Boolean value that determines how CloudFront behaves for the HTTP response header.
+	OriginOverride *bool `json:"originOverride,omitempty" tf:"origin_override,omitempty"`
 }
 
 type CorsConfigParameters struct {
@@ -108,6 +142,15 @@ type CorsConfigParameters struct {
 }
 
 type CustomHeadersConfigItemsObservation struct {
+
+	// The HTTP response header name.
+	Header *string `json:"header,omitempty" tf:"header,omitempty"`
+
+	// Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here.
+	Override *bool `json:"override,omitempty" tf:"override,omitempty"`
+
+	// The value for the HTTP response header.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type CustomHeadersConfigItemsParameters struct {
@@ -126,6 +169,7 @@ type CustomHeadersConfigItemsParameters struct {
 }
 
 type CustomHeadersConfigObservation struct {
+	Items []CustomHeadersConfigItemsObservation `json:"items,omitempty" tf:"items,omitempty"`
 }
 
 type CustomHeadersConfigParameters struct {
@@ -135,6 +179,12 @@ type CustomHeadersConfigParameters struct {
 }
 
 type FrameOptionsObservation struct {
+
+	// The value of the X-Frame-Options HTTP response header. Valid values: DENY | SAMEORIGIN
+	FrameOption *string `json:"frameOption,omitempty" tf:"frame_option,omitempty"`
+
+	// Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here.
+	Override *bool `json:"override,omitempty" tf:"override,omitempty"`
 }
 
 type FrameOptionsParameters struct {
@@ -149,6 +199,12 @@ type FrameOptionsParameters struct {
 }
 
 type ReferrerPolicyObservation struct {
+
+	// Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here.
+	Override *bool `json:"override,omitempty" tf:"override,omitempty"`
+
+	// Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. See Referrer Policy for more information.
+	ReferrerPolicy *string `json:"referrerPolicy,omitempty" tf:"referrer_policy,omitempty"`
 }
 
 type ReferrerPolicyParameters struct {
@@ -164,8 +220,29 @@ type ReferrerPolicyParameters struct {
 
 type ResponseHeadersPolicyObservation struct {
 
+	// A comment to describe the response headers policy. The comment cannot be longer than 128 characters.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// A configuration for a set of HTTP response headers that are used for Cross-Origin Resource Sharing (CORS). See Cors Config for more information.
+	CorsConfig []CorsConfigObservation `json:"corsConfig,omitempty" tf:"cors_config,omitempty"`
+
+	// Object that contains an attribute items that contains a list of custom headers. See Custom Header for more information.
+	CustomHeadersConfig []CustomHeadersConfigObservation `json:"customHeadersConfig,omitempty" tf:"custom_headers_config,omitempty"`
+
+	// The current version of the response headers policy.
+	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
+
 	// The identifier for the response headers policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A unique name to identify the response headers policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A configuration for a set of security-related HTTP response headers. See Security Headers Config for more information.
+	SecurityHeadersConfig []SecurityHeadersConfigObservation `json:"securityHeadersConfig,omitempty" tf:"security_headers_config,omitempty"`
+
+	// A configuration for enabling the Server-Timing header in HTTP responses sent from CloudFront. See Server Timing Headers Config for more information.
+	ServerTimingHeadersConfig []ServerTimingHeadersConfigObservation `json:"serverTimingHeadersConfig,omitempty" tf:"server_timing_headers_config,omitempty"`
 }
 
 type ResponseHeadersPolicyParameters struct {
@@ -187,8 +264,8 @@ type ResponseHeadersPolicyParameters struct {
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
 	// A unique name to identify the response headers policy.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -205,6 +282,24 @@ type ResponseHeadersPolicyParameters struct {
 }
 
 type SecurityHeadersConfigObservation struct {
+
+	// The policy directives and their values that CloudFront includes as values for the Content-Security-Policy HTTP response header. See Content Security Policy for more information.
+	ContentSecurityPolicy []ContentSecurityPolicyObservation `json:"contentSecurityPolicy,omitempty" tf:"content_security_policy,omitempty"`
+
+	// Determines whether CloudFront includes the X-Content-Type-Options HTTP response header with its value set to nosniff. See Content Type Options for more information.
+	ContentTypeOptions []ContentTypeOptionsObservation `json:"contentTypeOptions,omitempty" tf:"content_type_options,omitempty"`
+
+	// Determines whether CloudFront includes the X-Frame-Options HTTP response header and the header’s value. See Frame Options for more information.
+	FrameOptions []FrameOptionsObservation `json:"frameOptions,omitempty" tf:"frame_options,omitempty"`
+
+	// Determines whether CloudFront includes the Referrer-Policy HTTP response header and the header’s value. See Referrer Policy for more information.
+	ReferrerPolicy []ReferrerPolicyObservation `json:"referrerPolicy,omitempty" tf:"referrer_policy,omitempty"`
+
+	// Determines whether CloudFront includes the Strict-Transport-Security HTTP response header and the header’s value. See Strict Transport Security for more information.
+	StrictTransportSecurity []StrictTransportSecurityObservation `json:"strictTransportSecurity,omitempty" tf:"strict_transport_security,omitempty"`
+
+	// Determine whether CloudFront includes the X-XSS-Protection HTTP response header and the header’s value. See XSS Protection for more information.
+	XSSProtection []XSSProtectionObservation `json:"xssProtection,omitempty" tf:"xss_protection,omitempty"`
 }
 
 type SecurityHeadersConfigParameters struct {
@@ -235,6 +330,12 @@ type SecurityHeadersConfigParameters struct {
 }
 
 type ServerTimingHeadersConfigObservation struct {
+
+	// A Whether CloudFront adds the Server-Timing header to HTTP responses that it sends in response to requests that match a cache behavior that's associated with this response headers policy.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// A number 0–100 (inclusive) that specifies the percentage of responses that you want CloudFront to add the Server-Timing header to. Valid range: Minimum value of 0.0. Maximum value of 100.0.
+	SamplingRate *float64 `json:"samplingRate,omitempty" tf:"sampling_rate,omitempty"`
 }
 
 type ServerTimingHeadersConfigParameters struct {
@@ -249,6 +350,18 @@ type ServerTimingHeadersConfigParameters struct {
 }
 
 type StrictTransportSecurityObservation struct {
+
+	// A number that CloudFront uses as the value for the Access-Control-Max-Age HTTP response header.
+	AccessControlMaxAgeSec *float64 `json:"accessControlMaxAgeSec,omitempty" tf:"access_control_max_age_sec,omitempty"`
+
+	// Whether CloudFront includes the includeSubDomains directive in the Strict-Transport-Security HTTP response header.
+	IncludeSubdomains *bool `json:"includeSubdomains,omitempty" tf:"include_subdomains,omitempty"`
+
+	// Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here.
+	Override *bool `json:"override,omitempty" tf:"override,omitempty"`
+
+	// Whether CloudFront includes the preload directive in the Strict-Transport-Security HTTP response header.
+	Preload *bool `json:"preload,omitempty" tf:"preload,omitempty"`
 }
 
 type StrictTransportSecurityParameters struct {
@@ -271,6 +384,18 @@ type StrictTransportSecurityParameters struct {
 }
 
 type XSSProtectionObservation struct {
+
+	// Whether CloudFront includes the mode=block directive in the X-XSS-Protection header.
+	ModeBlock *bool `json:"modeBlock,omitempty" tf:"mode_block,omitempty"`
+
+	// Whether CloudFront overrides a response header with the same name received from the origin with the header specifies here.
+	Override *bool `json:"override,omitempty" tf:"override,omitempty"`
+
+	// A Boolean value that determines the value of the X-XSS-Protection HTTP response header. When this setting is true, the value of the X-XSS-Protection header is 1. When this setting is false, the value of the X-XSS-Protection header is 0.
+	Protection *bool `json:"protection,omitempty" tf:"protection,omitempty"`
+
+	// A reporting URI, which CloudFront uses as the value of the report directive in the X-XSS-Protection header. You cannot specify a report_uri when mode_block is true.
+	ReportURI *string `json:"reportUri,omitempty" tf:"report_uri,omitempty"`
 }
 
 type XSSProtectionParameters struct {
@@ -316,8 +441,9 @@ type ResponseHeadersPolicyStatus struct {
 type ResponseHeadersPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResponseHeadersPolicySpec   `json:"spec"`
-	Status            ResponseHeadersPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ResponseHeadersPolicySpec   `json:"spec"`
+	Status ResponseHeadersPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudsearch/v1beta1/zz_domain_types.go b/apis/cloudsearch/v1beta1/zz_domain_types.go
index 8f05bfd134..db6aceef10 100755
--- a/apis/cloudsearch/v1beta1/zz_domain_types.go
+++ b/apis/cloudsearch/v1beta1/zz_domain_types.go
@@ -24,8 +24,20 @@ type DomainObservation struct {
 	// An internally generated unique identifier for the domain.
 	DomainID *string `json:"domainId,omitempty" tf:"domain_id,omitempty"`
 
+	// Domain endpoint options. Documented below.
+	EndpointOptions []EndpointOptionsObservation `json:"endpointOptions,omitempty" tf:"endpoint_options,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The index fields for documents added to the domain. Documented below.
+	IndexField []IndexFieldObservation `json:"indexField,omitempty" tf:"index_field,omitempty"`
+
+	// Whether or not to maintain extra instances for the domain in a second Availability Zone to ensure high availability.
+	MultiAz *bool `json:"multiAz,omitempty" tf:"multi_az,omitempty"`
+
+	// Domain scaling parameters. Documented below.
+	ScalingParameters []ScalingParametersObservation `json:"scalingParameters,omitempty" tf:"scaling_parameters,omitempty"`
+
 	// The service endpoint for requesting search results from a search domain.
 	SearchServiceEndpoint *string `json:"searchServiceEndpoint,omitempty" tf:"search_service_endpoint,omitempty"`
 }
@@ -55,6 +67,12 @@ type DomainParameters struct {
 }
 
 type EndpointOptionsObservation struct {
+
+	// Enables or disables the requirement that all requests to the domain arrive over HTTPS.
+	EnforceHTTPS *bool `json:"enforceHttps,omitempty" tf:"enforce_https,omitempty"`
+
+	// The minimum required TLS version. See the AWS documentation for valid values.
+	TLSSecurityPolicy *string `json:"tlsSecurityPolicy,omitempty" tf:"tls_security_policy,omitempty"`
 }
 
 type EndpointOptionsParameters struct {
@@ -69,6 +87,36 @@ type EndpointOptionsParameters struct {
 }
 
 type IndexFieldObservation struct {
+
+	// The analysis scheme you want to use for a text field. The analysis scheme specifies the language-specific text processing options that are used during indexing.
+	AnalysisScheme *string `json:"analysisScheme,omitempty" tf:"analysis_scheme,omitempty"`
+
+	// The default value for the field. This value is used when no value is specified for the field in the document data.
+	DefaultValue *string `json:"defaultValue,omitempty" tf:"default_value,omitempty"`
+
+	// You can get facet information by enabling this.
+	Facet *bool `json:"facet,omitempty" tf:"facet,omitempty"`
+
+	// You can highlight information.
+	Highlight *bool `json:"highlight,omitempty" tf:"highlight,omitempty"`
+
+	// The name of the CloudSearch domain.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// You can enable returning the value of all searchable fields.
+	Return *bool `json:"return,omitempty" tf:"return,omitempty"`
+
+	// You can set whether this index should be searchable or not.
+	Search *bool `json:"search,omitempty" tf:"search,omitempty"`
+
+	// You can enable the property to be sortable.
+	Sort *bool `json:"sort,omitempty" tf:"sort,omitempty"`
+
+	// A comma-separated list of source fields to map to the field. Specifying a source field copies data from one field to another, enabling you to use the same source data in different ways by configuring different options for the fields.
+	SourceFields *string `json:"sourceFields,omitempty" tf:"source_fields,omitempty"`
+
+	// The field type. Valid values: date, date-array, double, double-array, int, int-array, literal, literal-array, text, text-array.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type IndexFieldParameters struct {
@@ -115,6 +163,15 @@ type IndexFieldParameters struct {
 }
 
 type ScalingParametersObservation struct {
+
+	// The instance type that you want to preconfigure for your domain. See the AWS documentation for valid values.
+	DesiredInstanceType *string `json:"desiredInstanceType,omitempty" tf:"desired_instance_type,omitempty"`
+
+	// The number of partitions you want to preconfigure for your domain. Only valid when you select search.2xlarge as the instance type.
+	DesiredPartitionCount *float64 `json:"desiredPartitionCount,omitempty" tf:"desired_partition_count,omitempty"`
+
+	// The number of replicas you want to preconfigure for each index partition.
+	DesiredReplicationCount *float64 `json:"desiredReplicationCount,omitempty" tf:"desired_replication_count,omitempty"`
 }
 
 type ScalingParametersParameters struct {
diff --git a/apis/cloudsearch/v1beta1/zz_domainserviceaccesspolicy_types.go b/apis/cloudsearch/v1beta1/zz_domainserviceaccesspolicy_types.go
index 342cb053a4..4dc5e2ea67 100755
--- a/apis/cloudsearch/v1beta1/zz_domainserviceaccesspolicy_types.go
+++ b/apis/cloudsearch/v1beta1/zz_domainserviceaccesspolicy_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type DomainServiceAccessPolicyObservation struct {
+
+	// The access rules you want to configure. These rules replace any existing rules. See the AWS documentation for details.
+	AccessPolicy *string `json:"accessPolicy,omitempty" tf:"access_policy,omitempty"`
+
+	// The CloudSearch domain name the policy applies to.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type DomainServiceAccessPolicyParameters struct {
 
 	// The access rules you want to configure. These rules replace any existing rules. See the AWS documentation for details.
-	// +kubebuilder:validation:Required
-	AccessPolicy *string `json:"accessPolicy" tf:"access_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccessPolicy *string `json:"accessPolicy,omitempty" tf:"access_policy,omitempty"`
 
 	// The CloudSearch domain name the policy applies to.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/cloudsearch/v1beta1.Domain
@@ -67,8 +74,9 @@ type DomainServiceAccessPolicyStatus struct {
 type DomainServiceAccessPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainServiceAccessPolicySpec   `json:"spec"`
-	Status            DomainServiceAccessPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicy)",message="accessPolicy is a required parameter"
+	Spec   DomainServiceAccessPolicySpec   `json:"spec"`
+	Status DomainServiceAccessPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudsearch/v1beta1/zz_generated.deepcopy.go b/apis/cloudsearch/v1beta1/zz_generated.deepcopy.go
index ee24b3157d..3722a9cc45 100644
--- a/apis/cloudsearch/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudsearch/v1beta1/zz_generated.deepcopy.go
@@ -91,11 +91,37 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EndpointOptions != nil {
+		in, out := &in.EndpointOptions, &out.EndpointOptions
+		*out = make([]EndpointOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IndexField != nil {
+		in, out := &in.IndexField, &out.IndexField
+		*out = make([]IndexFieldObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MultiAz != nil {
+		in, out := &in.MultiAz, &out.MultiAz
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ScalingParameters != nil {
+		in, out := &in.ScalingParameters, &out.ScalingParameters
+		*out = make([]ScalingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.SearchServiceEndpoint != nil {
 		in, out := &in.SearchServiceEndpoint, &out.SearchServiceEndpoint
 		*out = new(string)
@@ -221,6 +247,16 @@ func (in *DomainServiceAccessPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainServiceAccessPolicyObservation) DeepCopyInto(out *DomainServiceAccessPolicyObservation) {
 	*out = *in
+	if in.AccessPolicy != nil {
+		in, out := &in.AccessPolicy, &out.AccessPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -349,6 +385,16 @@ func (in *DomainStatus) DeepCopy() *DomainStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndpointOptionsObservation) DeepCopyInto(out *EndpointOptionsObservation) {
 	*out = *in
+	if in.EnforceHTTPS != nil {
+		in, out := &in.EnforceHTTPS, &out.EnforceHTTPS
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TLSSecurityPolicy != nil {
+		in, out := &in.TLSSecurityPolicy, &out.TLSSecurityPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointOptionsObservation.
@@ -389,6 +435,56 @@ func (in *EndpointOptionsParameters) DeepCopy() *EndpointOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IndexFieldObservation) DeepCopyInto(out *IndexFieldObservation) {
 	*out = *in
+	if in.AnalysisScheme != nil {
+		in, out := &in.AnalysisScheme, &out.AnalysisScheme
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultValue != nil {
+		in, out := &in.DefaultValue, &out.DefaultValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.Facet != nil {
+		in, out := &in.Facet, &out.Facet
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Highlight != nil {
+		in, out := &in.Highlight, &out.Highlight
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Return != nil {
+		in, out := &in.Return, &out.Return
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Search != nil {
+		in, out := &in.Search, &out.Search
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Sort != nil {
+		in, out := &in.Sort, &out.Sort
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SourceFields != nil {
+		in, out := &in.SourceFields, &out.SourceFields
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IndexFieldObservation.
@@ -469,6 +565,21 @@ func (in *IndexFieldParameters) DeepCopy() *IndexFieldParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScalingParametersObservation) DeepCopyInto(out *ScalingParametersObservation) {
 	*out = *in
+	if in.DesiredInstanceType != nil {
+		in, out := &in.DesiredInstanceType, &out.DesiredInstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DesiredPartitionCount != nil {
+		in, out := &in.DesiredPartitionCount, &out.DesiredPartitionCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DesiredReplicationCount != nil {
+		in, out := &in.DesiredReplicationCount, &out.DesiredReplicationCount
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalingParametersObservation.
diff --git a/apis/cloudtrail/v1beta1/zz_eventdatastore_types.go b/apis/cloudtrail/v1beta1/zz_eventdatastore_types.go
index 8fd0eab625..7843c991cb 100755
--- a/apis/cloudtrail/v1beta1/zz_eventdatastore_types.go
+++ b/apis/cloudtrail/v1beta1/zz_eventdatastore_types.go
@@ -14,6 +14,27 @@ import (
 )
 
 type AdvancedEventSelectorFieldSelectorObservation struct {
+
+	// A list of values that includes events that match the last few characters of the event record field specified as the value of field.
+	EndsWith []*string `json:"endsWith,omitempty" tf:"ends_with,omitempty"`
+
+	// A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.
+	Equals []*string `json:"equals,omitempty" tf:"equals,omitempty"`
+
+	// Specifies a field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.
+	Field *string `json:"field,omitempty" tf:"field,omitempty"`
+
+	// A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
+	NotEndsWith []*string `json:"notEndsWith,omitempty" tf:"not_ends_with,omitempty"`
+
+	// A list of values that excludes events that match the exact value of the event record field specified as the value of field.
+	NotEquals []*string `json:"notEquals,omitempty" tf:"not_equals,omitempty"`
+
+	// A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
+	NotStartsWith []*string `json:"notStartsWith,omitempty" tf:"not_starts_with,omitempty"`
+
+	// A list of values that includes events that match the first few characters of the event record field specified as the value of field.
+	StartsWith []*string `json:"startsWith,omitempty" tf:"starts_with,omitempty"`
 }
 
 type AdvancedEventSelectorFieldSelectorParameters struct {
@@ -48,6 +69,12 @@ type AdvancedEventSelectorFieldSelectorParameters struct {
 }
 
 type EventDataStoreAdvancedEventSelectorObservation struct {
+
+	// Specifies the selector statements in an advanced event selector. Fields documented below.
+	FieldSelector []AdvancedEventSelectorFieldSelectorObservation `json:"fieldSelector,omitempty" tf:"field_selector,omitempty"`
+
+	// The name of the event data store.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type EventDataStoreAdvancedEventSelectorParameters struct {
@@ -63,14 +90,35 @@ type EventDataStoreAdvancedEventSelectorParameters struct {
 
 type EventDataStoreObservation struct {
 
+	// The advanced event selectors to use to select the events for the data store. For more information about how to use advanced event selectors, see Log events by using advanced event selectors in the CloudTrail User Guide.
+	AdvancedEventSelector []EventDataStoreAdvancedEventSelectorObservation `json:"advancedEventSelector,omitempty" tf:"advanced_event_selector,omitempty"`
+
 	// ARN of the event data store.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Name of the event data store.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies whether the event data store includes events from all regions, or only from the region in which the event data store is created. Default: true.
+	MultiRegionEnabled *bool `json:"multiRegionEnabled,omitempty" tf:"multi_region_enabled,omitempty"`
+
+	// The name of the event data store.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies whether an event data store collects events logged for an organization in AWS Organizations. Default: false.
+	OrganizationEnabled *bool `json:"organizationEnabled,omitempty" tf:"organization_enabled,omitempty"`
+
+	// The retention period of the event data store, in days. You can set a retention period of up to 2555 days, the equivalent of seven years. Default: 2555.
+	RetentionPeriod *float64 `json:"retentionPeriod,omitempty" tf:"retention_period,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Specifies whether termination protection is enabled for the event data store. If termination protection is enabled, you cannot delete the event data store until termination protection is disabled. Default: true.
+	TerminationProtectionEnabled *bool `json:"terminationProtectionEnabled,omitempty" tf:"termination_protection_enabled,omitempty"`
 }
 
 type EventDataStoreParameters struct {
@@ -84,8 +132,8 @@ type EventDataStoreParameters struct {
 	MultiRegionEnabled *bool `json:"multiRegionEnabled,omitempty" tf:"multi_region_enabled,omitempty"`
 
 	// The name of the event data store.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Specifies whether an event data store collects events logged for an organization in AWS Organizations. Default: false.
 	// +kubebuilder:validation:Optional
@@ -133,8 +181,9 @@ type EventDataStoreStatus struct {
 type EventDataStore struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EventDataStoreSpec   `json:"spec"`
-	Status            EventDataStoreStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   EventDataStoreSpec   `json:"spec"`
+	Status EventDataStoreStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudtrail/v1beta1/zz_generated.deepcopy.go b/apis/cloudtrail/v1beta1/zz_generated.deepcopy.go
index 2fb969965d..3f7496e4f1 100644
--- a/apis/cloudtrail/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudtrail/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,77 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdvancedEventSelectorFieldSelectorObservation) DeepCopyInto(out *AdvancedEventSelectorFieldSelectorObservation) {
 	*out = *in
+	if in.EndsWith != nil {
+		in, out := &in.EndsWith, &out.EndsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Equals != nil {
+		in, out := &in.Equals, &out.Equals
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Field != nil {
+		in, out := &in.Field, &out.Field
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotEndsWith != nil {
+		in, out := &in.NotEndsWith, &out.NotEndsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.NotEquals != nil {
+		in, out := &in.NotEquals, &out.NotEquals
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.NotStartsWith != nil {
+		in, out := &in.NotStartsWith, &out.NotStartsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StartsWith != nil {
+		in, out := &in.StartsWith, &out.StartsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedEventSelectorFieldSelectorObservation.
@@ -118,6 +189,18 @@ func (in *AdvancedEventSelectorFieldSelectorParameters) DeepCopy() *AdvancedEven
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdvancedEventSelectorObservation) DeepCopyInto(out *AdvancedEventSelectorObservation) {
 	*out = *in
+	if in.FieldSelector != nil {
+		in, out := &in.FieldSelector, &out.FieldSelector
+		*out = make([]FieldSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedEventSelectorObservation.
@@ -160,6 +243,22 @@ func (in *AdvancedEventSelectorParameters) DeepCopy() *AdvancedEventSelectorPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataResourceObservation) DeepCopyInto(out *DataResourceObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataResourceObservation.
@@ -233,6 +332,18 @@ func (in *EventDataStore) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventDataStoreAdvancedEventSelectorObservation) DeepCopyInto(out *EventDataStoreAdvancedEventSelectorObservation) {
 	*out = *in
+	if in.FieldSelector != nil {
+		in, out := &in.FieldSelector, &out.FieldSelector
+		*out = make([]AdvancedEventSelectorFieldSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventDataStoreAdvancedEventSelectorObservation.
@@ -307,6 +418,13 @@ func (in *EventDataStoreList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventDataStoreObservation) DeepCopyInto(out *EventDataStoreObservation) {
 	*out = *in
+	if in.AdvancedEventSelector != nil {
+		in, out := &in.AdvancedEventSelector, &out.AdvancedEventSelector
+		*out = make([]EventDataStoreAdvancedEventSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -317,6 +435,41 @@ func (in *EventDataStoreObservation) DeepCopyInto(out *EventDataStoreObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.MultiRegionEnabled != nil {
+		in, out := &in.MultiRegionEnabled, &out.MultiRegionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationEnabled != nil {
+		in, out := &in.OrganizationEnabled, &out.OrganizationEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RetentionPeriod != nil {
+		in, out := &in.RetentionPeriod, &out.RetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -332,6 +485,11 @@ func (in *EventDataStoreObservation) DeepCopyInto(out *EventDataStoreObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.TerminationProtectionEnabled != nil {
+		in, out := &in.TerminationProtectionEnabled, &out.TerminationProtectionEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventDataStoreObservation.
@@ -448,6 +606,34 @@ func (in *EventDataStoreStatus) DeepCopy() *EventDataStoreStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventSelectorObservation) DeepCopyInto(out *EventSelectorObservation) {
 	*out = *in
+	if in.DataResource != nil {
+		in, out := &in.DataResource, &out.DataResource
+		*out = make([]DataResourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExcludeManagementEventSources != nil {
+		in, out := &in.ExcludeManagementEventSources, &out.ExcludeManagementEventSources
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IncludeManagementEvents != nil {
+		in, out := &in.IncludeManagementEvents, &out.IncludeManagementEvents
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ReadWriteType != nil {
+		in, out := &in.ReadWriteType, &out.ReadWriteType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventSelectorObservation.
@@ -506,6 +692,77 @@ func (in *EventSelectorParameters) DeepCopy() *EventSelectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FieldSelectorObservation) DeepCopyInto(out *FieldSelectorObservation) {
 	*out = *in
+	if in.EndsWith != nil {
+		in, out := &in.EndsWith, &out.EndsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Equals != nil {
+		in, out := &in.Equals, &out.Equals
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Field != nil {
+		in, out := &in.Field, &out.Field
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotEndsWith != nil {
+		in, out := &in.NotEndsWith, &out.NotEndsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.NotEquals != nil {
+		in, out := &in.NotEquals, &out.NotEquals
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.NotStartsWith != nil {
+		in, out := &in.NotStartsWith, &out.NotStartsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StartsWith != nil {
+		in, out := &in.StartsWith, &out.StartsWith
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FieldSelectorObservation.
@@ -607,6 +864,11 @@ func (in *FieldSelectorParameters) DeepCopy() *FieldSelectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InsightSelectorObservation) DeepCopyInto(out *InsightSelectorObservation) {
 	*out = *in
+	if in.InsightType != nil {
+		in, out := &in.InsightType, &out.InsightType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightSelectorObservation.
@@ -701,11 +963,45 @@ func (in *TrailList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrailObservation) DeepCopyInto(out *TrailObservation) {
 	*out = *in
+	if in.AdvancedEventSelector != nil {
+		in, out := &in.AdvancedEventSelector, &out.AdvancedEventSelector
+		*out = make([]AdvancedEventSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.CloudWatchLogsGroupArn != nil {
+		in, out := &in.CloudWatchLogsGroupArn, &out.CloudWatchLogsGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CloudWatchLogsRoleArn != nil {
+		in, out := &in.CloudWatchLogsRoleArn, &out.CloudWatchLogsRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableLogFileValidation != nil {
+		in, out := &in.EnableLogFileValidation, &out.EnableLogFileValidation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableLogging != nil {
+		in, out := &in.EnableLogging, &out.EnableLogging
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventSelector != nil {
+		in, out := &in.EventSelector, &out.EventSelector
+		*out = make([]EventSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.HomeRegion != nil {
 		in, out := &in.HomeRegion, &out.HomeRegion
 		*out = new(string)
@@ -716,6 +1012,63 @@ func (in *TrailObservation) DeepCopyInto(out *TrailObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IncludeGlobalServiceEvents != nil {
+		in, out := &in.IncludeGlobalServiceEvents, &out.IncludeGlobalServiceEvents
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InsightSelector != nil {
+		in, out := &in.InsightSelector, &out.InsightSelector
+		*out = make([]InsightSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IsMultiRegionTrail != nil {
+		in, out := &in.IsMultiRegionTrail, &out.IsMultiRegionTrail
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IsOrganizationTrail != nil {
+		in, out := &in.IsOrganizationTrail, &out.IsOrganizationTrail
+		*out = new(bool)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3BucketName != nil {
+		in, out := &in.S3BucketName, &out.S3BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KeyPrefix != nil {
+		in, out := &in.S3KeyPrefix, &out.S3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnsTopicName != nil {
+		in, out := &in.SnsTopicName, &out.SnsTopicName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/cloudtrail/v1beta1/zz_trail_types.go b/apis/cloudtrail/v1beta1/zz_trail_types.go
index d5fb36ee3e..a366064f1e 100755
--- a/apis/cloudtrail/v1beta1/zz_trail_types.go
+++ b/apis/cloudtrail/v1beta1/zz_trail_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AdvancedEventSelectorObservation struct {
+
+	// Specifies the selector statements in an advanced event selector. Fields documented below.
+	FieldSelector []FieldSelectorObservation `json:"fieldSelector,omitempty" tf:"field_selector,omitempty"`
+
+	// Name of the trail.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type AdvancedEventSelectorParameters struct {
@@ -28,6 +34,12 @@ type AdvancedEventSelectorParameters struct {
 }
 
 type DataResourceObservation struct {
+
+	// Resource type in which you want to log data events. You can specify only the following value: "AWS::S3::Object", "AWS::Lambda::Function" and "AWS::DynamoDB::Table".
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// List of ARN strings or partial ARN strings to specify selectors for data audit events over data resources. ARN list is specific to single-valued type. For example, arn:aws:s3:::<bucket name>/ for all objects in a bucket, arn:aws:s3:::<bucket name>/key for specific objects, arn:aws:lambda for all lambda events within an account, arn:aws:lambda:<region>:<account number>:function:<function name> for a specific Lambda function, arn:aws:dynamodb for all DDB events for all tables within an account, or arn:aws:dynamodb:<region>:<account number>:table/<table name> for a specific DynamoDB table.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type DataResourceParameters struct {
@@ -42,6 +54,18 @@ type DataResourceParameters struct {
 }
 
 type EventSelectorObservation struct {
+
+	// Configuration block for data events. See details below.
+	DataResource []DataResourceObservation `json:"dataResource,omitempty" tf:"data_resource,omitempty"`
+
+	// A set of event sources to exclude. Valid values include: kms.amazonaws.com and rdsdata.amazonaws.com. include_management_events must be set totrue to allow this.
+	ExcludeManagementEventSources []*string `json:"excludeManagementEventSources,omitempty" tf:"exclude_management_event_sources,omitempty"`
+
+	// Whether to include management events for your trail. Defaults to true.
+	IncludeManagementEvents *bool `json:"includeManagementEvents,omitempty" tf:"include_management_events,omitempty"`
+
+	// Type of events to log. Valid values are ReadOnly, WriteOnly, All. Default value is All.
+	ReadWriteType *string `json:"readWriteType,omitempty" tf:"read_write_type,omitempty"`
 }
 
 type EventSelectorParameters struct {
@@ -64,6 +88,27 @@ type EventSelectorParameters struct {
 }
 
 type FieldSelectorObservation struct {
+
+	// A list of values that includes events that match the last few characters of the event record field specified as the value of field.
+	EndsWith []*string `json:"endsWith,omitempty" tf:"ends_with,omitempty"`
+
+	// A list of values that includes events that match the exact value of the event record field specified as the value of field. This is the only valid operator that you can use with the readOnly, eventCategory, and resources.type fields.
+	Equals []*string `json:"equals,omitempty" tf:"equals,omitempty"`
+
+	// Field in an event record on which to filter events to be logged. You can specify only the following values: readOnly, eventSource, eventName, eventCategory, resources.type, resources.ARN.
+	Field *string `json:"field,omitempty" tf:"field,omitempty"`
+
+	// A list of values that excludes events that match the last few characters of the event record field specified as the value of field.
+	NotEndsWith []*string `json:"notEndsWith,omitempty" tf:"not_ends_with,omitempty"`
+
+	// A list of values that excludes events that match the exact value of the event record field specified as the value of field.
+	NotEquals []*string `json:"notEquals,omitempty" tf:"not_equals,omitempty"`
+
+	// A list of values that excludes events that match the first few characters of the event record field specified as the value of field.
+	NotStartsWith []*string `json:"notStartsWith,omitempty" tf:"not_starts_with,omitempty"`
+
+	// A list of values that includes events that match the first few characters of the event record field specified as the value of field.
+	StartsWith []*string `json:"startsWith,omitempty" tf:"starts_with,omitempty"`
 }
 
 type FieldSelectorParameters struct {
@@ -98,6 +143,9 @@ type FieldSelectorParameters struct {
 }
 
 type InsightSelectorObservation struct {
+
+	// Type of insights to log on a trail. Valid values are: ApiCallRateInsight and ApiErrorRateInsight.
+	InsightType *string `json:"insightType,omitempty" tf:"insight_type,omitempty"`
 }
 
 type InsightSelectorParameters struct {
@@ -109,15 +157,60 @@ type InsightSelectorParameters struct {
 
 type TrailObservation struct {
 
+	// Specifies an advanced event selector for enabling data event logging. Fields documented below. Conflicts with event_selector.
+	AdvancedEventSelector []AdvancedEventSelectorObservation `json:"advancedEventSelector,omitempty" tf:"advanced_event_selector,omitempty"`
+
 	// ARN of the trail.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Log group name using an ARN that represents the log group to which CloudTrail logs will be delivered. Note that CloudTrail requires the Log Stream wildcard.
+	CloudWatchLogsGroupArn *string `json:"cloudWatchLogsGroupArn,omitempty" tf:"cloud_watch_logs_group_arn,omitempty"`
+
+	// Role for the CloudWatch Logs endpoint to assume to write to a user’s log group.
+	CloudWatchLogsRoleArn *string `json:"cloudWatchLogsRoleArn,omitempty" tf:"cloud_watch_logs_role_arn,omitempty"`
+
+	// Whether log file integrity validation is enabled. Defaults to false.
+	EnableLogFileValidation *bool `json:"enableLogFileValidation,omitempty" tf:"enable_log_file_validation,omitempty"`
+
+	// Enables logging for the trail. Defaults to true. Setting this to false will pause logging.
+	EnableLogging *bool `json:"enableLogging,omitempty" tf:"enable_logging,omitempty"`
+
+	// Specifies an event selector for enabling data event logging. Fields documented below. Please note the CloudTrail limits when configuring these. Conflicts with advanced_event_selector.
+	EventSelector []EventSelectorObservation `json:"eventSelector,omitempty" tf:"event_selector,omitempty"`
+
 	// Region in which the trail was created.
 	HomeRegion *string `json:"homeRegion,omitempty" tf:"home_region,omitempty"`
 
 	// Name of the trail.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether the trail is publishing events from global services such as IAM to the log files. Defaults to true.
+	IncludeGlobalServiceEvents *bool `json:"includeGlobalServiceEvents,omitempty" tf:"include_global_service_events,omitempty"`
+
+	// Configuration block for identifying unusual operational activity. See details below.
+	InsightSelector []InsightSelectorObservation `json:"insightSelector,omitempty" tf:"insight_selector,omitempty"`
+
+	// Whether the trail is created in the current region or in all regions. Defaults to false.
+	IsMultiRegionTrail *bool `json:"isMultiRegionTrail,omitempty" tf:"is_multi_region_trail,omitempty"`
+
+	// Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account. Defaults to false.
+	IsOrganizationTrail *bool `json:"isOrganizationTrail,omitempty" tf:"is_organization_trail,omitempty"`
+
+	// KMS key ARN to use to encrypt the logs delivered by CloudTrail.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Name of the S3 bucket designated for publishing log files.
+	S3BucketName *string `json:"s3BucketName,omitempty" tf:"s3_bucket_name,omitempty"`
+
+	// S3 key prefix that follows the name of the bucket you have designated for log file delivery.
+	S3KeyPrefix *string `json:"s3KeyPrefix,omitempty" tf:"s3_key_prefix,omitempty"`
+
+	// Name of the Amazon SNS topic defined for notification of log file delivery.
+	SnsTopicName *string `json:"snsTopicName,omitempty" tf:"sns_topic_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/cloudwatch/v1beta1/zz_compositealarm_types.go b/apis/cloudwatch/v1beta1/zz_compositealarm_types.go
index 3712608bc0..b1ed84b9a1 100755
--- a/apis/cloudwatch/v1beta1/zz_compositealarm_types.go
+++ b/apis/cloudwatch/v1beta1/zz_compositealarm_types.go
@@ -15,12 +15,33 @@ import (
 
 type CompositeAlarmObservation struct {
 
+	// Indicates whether actions should be executed during any changes to the alarm state of the composite alarm. Defaults to true.
+	ActionsEnabled *bool `json:"actionsEnabled,omitempty" tf:"actions_enabled,omitempty"`
+
+	// The set of actions to execute when this alarm transitions to the ALARM state from any other state. Each action is specified as an ARN. Up to 5 actions are allowed.
+	AlarmActions []*string `json:"alarmActions,omitempty" tf:"alarm_actions,omitempty"`
+
+	// The description for the composite alarm.
+	AlarmDescription *string `json:"alarmDescription,omitempty" tf:"alarm_description,omitempty"`
+
+	// An expression that specifies which other alarms are to be evaluated to determine this composite alarm's state. For syntax, see Creating a Composite Alarm. The maximum length is 10240 characters.
+	AlarmRule *string `json:"alarmRule,omitempty" tf:"alarm_rule,omitempty"`
+
 	// The ARN of the composite alarm.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The ID of the composite alarm resource, which is equivalent to its alarm_name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The set of actions to execute when this alarm transitions to the INSUFFICIENT_DATA state from any other state. Each action is specified as an ARN. Up to 5 actions are allowed.
+	InsufficientDataActions []*string `json:"insufficientDataActions,omitempty" tf:"insufficient_data_actions,omitempty"`
+
+	// The set of actions to execute when this alarm transitions to an OK state from any other state. Each action is specified as an ARN. Up to 5 actions are allowed.
+	OkActions []*string `json:"okActions,omitempty" tf:"ok_actions,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -50,8 +71,8 @@ type CompositeAlarmParameters struct {
 	AlarmDescription *string `json:"alarmDescription,omitempty" tf:"alarm_description,omitempty"`
 
 	// An expression that specifies which other alarms are to be evaluated to determine this composite alarm's state. For syntax, see Creating a Composite Alarm. The maximum length is 10240 characters.
-	// +kubebuilder:validation:Required
-	AlarmRule *string `json:"alarmRule" tf:"alarm_rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	AlarmRule *string `json:"alarmRule,omitempty" tf:"alarm_rule,omitempty"`
 
 	// The set of actions to execute when this alarm transitions to the INSUFFICIENT_DATA state from any other state. Each action is specified as an ARN. Up to 5 actions are allowed.
 	// +kubebuilder:validation:Optional
@@ -105,8 +126,9 @@ type CompositeAlarmStatus struct {
 type CompositeAlarm struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CompositeAlarmSpec   `json:"spec"`
-	Status            CompositeAlarmStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.alarmRule)",message="alarmRule is a required parameter"
+	Spec   CompositeAlarmSpec   `json:"spec"`
+	Status CompositeAlarmStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatch/v1beta1/zz_dashboard_types.go b/apis/cloudwatch/v1beta1/zz_dashboard_types.go
index ebeab90be8..ac06f56d34 100755
--- a/apis/cloudwatch/v1beta1/zz_dashboard_types.go
+++ b/apis/cloudwatch/v1beta1/zz_dashboard_types.go
@@ -18,14 +18,17 @@ type DashboardObservation struct {
 	// The Amazon Resource Name (ARN) of the dashboard.
 	DashboardArn *string `json:"dashboardArn,omitempty" tf:"dashboard_arn,omitempty"`
 
+	// The detailed information about the dashboard, including what widgets are included and their location on the dashboard. You can read more about the body structure in the documentation.
+	DashboardBody *string `json:"dashboardBody,omitempty" tf:"dashboard_body,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type DashboardParameters struct {
 
 	// The detailed information about the dashboard, including what widgets are included and their location on the dashboard. You can read more about the body structure in the documentation.
-	// +kubebuilder:validation:Required
-	DashboardBody *string `json:"dashboardBody" tf:"dashboard_body,omitempty"`
+	// +kubebuilder:validation:Optional
+	DashboardBody *string `json:"dashboardBody,omitempty" tf:"dashboard_body,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -57,8 +60,9 @@ type DashboardStatus struct {
 type Dashboard struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DashboardSpec   `json:"spec"`
-	Status            DashboardStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dashboardBody)",message="dashboardBody is a required parameter"
+	Spec   DashboardSpec   `json:"spec"`
+	Status DashboardStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatch/v1beta1/zz_generated.deepcopy.go b/apis/cloudwatch/v1beta1/zz_generated.deepcopy.go
index 3b3826aa4c..ef3a5c4771 100644
--- a/apis/cloudwatch/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudwatch/v1beta1/zz_generated.deepcopy.go
@@ -76,6 +76,32 @@ func (in *CompositeAlarmList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CompositeAlarmObservation) DeepCopyInto(out *CompositeAlarmObservation) {
 	*out = *in
+	if in.ActionsEnabled != nil {
+		in, out := &in.ActionsEnabled, &out.ActionsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AlarmActions != nil {
+		in, out := &in.AlarmActions, &out.AlarmActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AlarmDescription != nil {
+		in, out := &in.AlarmDescription, &out.AlarmDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.AlarmRule != nil {
+		in, out := &in.AlarmRule, &out.AlarmRule
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -86,6 +112,43 @@ func (in *CompositeAlarmObservation) DeepCopyInto(out *CompositeAlarmObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.InsufficientDataActions != nil {
+		in, out := &in.InsufficientDataActions, &out.InsufficientDataActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OkActions != nil {
+		in, out := &in.OkActions, &out.OkActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -321,6 +384,11 @@ func (in *DashboardObservation) DeepCopyInto(out *DashboardObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DashboardBody != nil {
+		in, out := &in.DashboardBody, &out.DashboardBody
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -400,6 +468,11 @@ func (in *DashboardStatus) DeepCopy() *DashboardStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExcludeFilterObservation) DeepCopyInto(out *ExcludeFilterObservation) {
 	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludeFilterObservation.
@@ -435,6 +508,11 @@ func (in *ExcludeFilterParameters) DeepCopy() *ExcludeFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IncludeFilterObservation) DeepCopyInto(out *IncludeFilterObservation) {
 	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IncludeFilterObservation.
@@ -470,6 +548,16 @@ func (in *IncludeFilterParameters) DeepCopy() *IncludeFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IncludeMetricObservation) DeepCopyInto(out *IncludeMetricObservation) {
 	*out = *in
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IncludeMetricObservation.
@@ -569,16 +657,141 @@ func (in *MetricAlarmList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricAlarmObservation) DeepCopyInto(out *MetricAlarmObservation) {
 	*out = *in
+	if in.ActionsEnabled != nil {
+		in, out := &in.ActionsEnabled, &out.ActionsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AlarmActions != nil {
+		in, out := &in.AlarmActions, &out.AlarmActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AlarmDescription != nil {
+		in, out := &in.AlarmDescription, &out.AlarmDescription
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ComparisonOperator != nil {
+		in, out := &in.ComparisonOperator, &out.ComparisonOperator
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatapointsToAlarm != nil {
+		in, out := &in.DatapointsToAlarm, &out.DatapointsToAlarm
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.EvaluateLowSampleCountPercentiles != nil {
+		in, out := &in.EvaluateLowSampleCountPercentiles, &out.EvaluateLowSampleCountPercentiles
+		*out = new(string)
+		**out = **in
+	}
+	if in.EvaluationPeriods != nil {
+		in, out := &in.EvaluationPeriods, &out.EvaluationPeriods
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ExtendedStatistic != nil {
+		in, out := &in.ExtendedStatistic, &out.ExtendedStatistic
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InsufficientDataActions != nil {
+		in, out := &in.InsufficientDataActions, &out.InsufficientDataActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricQuery != nil {
+		in, out := &in.MetricQuery, &out.MetricQuery
+		*out = make([]MetricQueryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.OkActions != nil {
+		in, out := &in.OkActions, &out.OkActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Period != nil {
+		in, out := &in.Period, &out.Period
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Statistic != nil {
+		in, out := &in.Statistic, &out.Statistic
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -594,6 +807,26 @@ func (in *MetricAlarmObservation) DeepCopyInto(out *MetricAlarmObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Threshold != nil {
+		in, out := &in.Threshold, &out.Threshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdMetricID != nil {
+		in, out := &in.ThresholdMetricID, &out.ThresholdMetricID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TreatMissingData != nil {
+		in, out := &in.TreatMissingData, &out.TreatMissingData
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricAlarmObservation.
@@ -808,6 +1041,46 @@ func (in *MetricAlarmStatus) DeepCopy() *MetricAlarmStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricObservation) DeepCopyInto(out *MetricObservation) {
 	*out = *in
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Period != nil {
+		in, out := &in.Period, &out.Period
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Stat != nil {
+		in, out := &in.Stat, &out.Stat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricObservation.
@@ -878,6 +1151,38 @@ func (in *MetricParameters) DeepCopy() *MetricParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricQueryObservation) DeepCopyInto(out *MetricQueryObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Label != nil {
+		in, out := &in.Label, &out.Label
+		*out = new(string)
+		**out = **in
+	}
+	if in.Metric != nil {
+		in, out := &in.Metric, &out.Metric
+		*out = make([]MetricObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReturnData != nil {
+		in, out := &in.ReturnData, &out.ReturnData
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricQueryObservation.
@@ -1009,21 +1314,77 @@ func (in *MetricStreamObservation) DeepCopyInto(out *MetricStreamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ExcludeFilter != nil {
+		in, out := &in.ExcludeFilter, &out.ExcludeFilter
+		*out = make([]ExcludeFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FirehoseArn != nil {
+		in, out := &in.FirehoseArn, &out.FirehoseArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IncludeFilter != nil {
+		in, out := &in.IncludeFilter, &out.IncludeFilter
+		*out = make([]IncludeFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.LastUpdateDate != nil {
 		in, out := &in.LastUpdateDate, &out.LastUpdateDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputFormat != nil {
+		in, out := &in.OutputFormat, &out.OutputFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.StatisticsConfiguration != nil {
+		in, out := &in.StatisticsConfiguration, &out.StatisticsConfiguration
+		*out = make([]StatisticsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1184,6 +1545,24 @@ func (in *MetricStreamStatus) DeepCopy() *MetricStreamStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatisticsConfigurationObservation) DeepCopyInto(out *StatisticsConfigurationObservation) {
 	*out = *in
+	if in.AdditionalStatistics != nil {
+		in, out := &in.AdditionalStatistics, &out.AdditionalStatistics
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IncludeMetric != nil {
+		in, out := &in.IncludeMetric, &out.IncludeMetric
+		*out = make([]IncludeMetricObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatisticsConfigurationObservation.
diff --git a/apis/cloudwatch/v1beta1/zz_metricalarm_types.go b/apis/cloudwatch/v1beta1/zz_metricalarm_types.go
index 32dc495146..5b5dcbd2bb 100755
--- a/apis/cloudwatch/v1beta1/zz_metricalarm_types.go
+++ b/apis/cloudwatch/v1beta1/zz_metricalarm_types.go
@@ -15,14 +15,85 @@ import (
 
 type MetricAlarmObservation struct {
 
+	// Indicates whether or not actions should be executed during any changes to the alarm's state. Defaults to true.
+	ActionsEnabled *bool `json:"actionsEnabled,omitempty" tf:"actions_enabled,omitempty"`
+
+	// The list of actions to execute when this alarm transitions into an ALARM state from any other state. Each action is specified as an Amazon Resource Name (ARN).
+	AlarmActions []*string `json:"alarmActions,omitempty" tf:"alarm_actions,omitempty"`
+
+	// The description for the alarm.
+	AlarmDescription *string `json:"alarmDescription,omitempty" tf:"alarm_description,omitempty"`
+
 	// The ARN of the CloudWatch Metric Alarm.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The arithmetic operation to use when comparing the specified Statistic and Threshold. The specified Statistic value is used as the first operand. Either of the following is supported: GreaterThanOrEqualToThreshold, GreaterThanThreshold, LessThanThreshold, LessThanOrEqualToThreshold. Additionally, the values  LessThanLowerOrGreaterThanUpperThreshold, LessThanLowerThreshold, and GreaterThanUpperThreshold are used only for alarms based on anomaly detection models.
+	ComparisonOperator *string `json:"comparisonOperator,omitempty" tf:"comparison_operator,omitempty"`
+
+	// The number of datapoints that must be breaching to trigger the alarm.
+	DatapointsToAlarm *float64 `json:"datapointsToAlarm,omitempty" tf:"datapoints_to_alarm,omitempty"`
+
+	// The dimensions for the alarm's associated metric.  For the list of available dimensions see the AWS documentation here.
+	Dimensions map[string]*string `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// Used only for alarms
+	// based on percentiles. If you specify ignore, the alarm state will not
+	// change during periods with too few data points to be statistically significant.
+	// If you specify evaluate or omit this parameter, the alarm will always be
+	// evaluated and possibly change state no matter how many data points are available.
+	// The following values are supported: ignore, and evaluate.
+	EvaluateLowSampleCountPercentiles *string `json:"evaluateLowSampleCountPercentiles,omitempty" tf:"evaluate_low_sample_count_percentiles,omitempty"`
+
+	// The number of periods over which data is compared to the specified threshold.
+	EvaluationPeriods *float64 `json:"evaluationPeriods,omitempty" tf:"evaluation_periods,omitempty"`
+
+	// The percentile statistic for the metric associated with the alarm. Specify a value between p0.0 and p100.
+	ExtendedStatistic *string `json:"extendedStatistic,omitempty" tf:"extended_statistic,omitempty"`
+
 	// The ID of the health check.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The list of actions to execute when this alarm transitions into an INSUFFICIENT_DATA state from any other state. Each action is specified as an Amazon Resource Name (ARN).
+	InsufficientDataActions []*string `json:"insufficientDataActions,omitempty" tf:"insufficient_data_actions,omitempty"`
+
+	// The name for the alarm's associated metric.
+	// See docs for supported metrics.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// Enables you to create an alarm based on a metric math expression. You may specify at most 20.
+	MetricQuery []MetricQueryObservation `json:"metricQuery,omitempty" tf:"metric_query,omitempty"`
+
+	// The namespace for the alarm's associated metric. See docs for the list of namespaces.
+	// See docs for supported metrics.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// The list of actions to execute when this alarm transitions into an OK state from any other state. Each action is specified as an Amazon Resource Name (ARN).
+	OkActions []*string `json:"okActions,omitempty" tf:"ok_actions,omitempty"`
+
+	// The period in seconds over which the specified statistic is applied.
+	Period *float64 `json:"period,omitempty" tf:"period,omitempty"`
+
+	// The statistic to apply to the alarm's associated metric.
+	// Either of the following is supported: SampleCount, Average, Sum, Minimum, Maximum
+	Statistic *string `json:"statistic,omitempty" tf:"statistic,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The value against which the specified statistic is compared. This parameter is required for alarms based on static thresholds, but should not be used for alarms based on anomaly detection models.
+	Threshold *float64 `json:"threshold,omitempty" tf:"threshold,omitempty"`
+
+	// If this is an alarm based on an anomaly detection model, make this value match the ID of the ANOMALY_DETECTION_BAND function.
+	ThresholdMetricID *string `json:"thresholdMetricId,omitempty" tf:"threshold_metric_id,omitempty"`
+
+	// Sets how this alarm is to handle missing data points. The following values are supported: missing, ignore, breaching and notBreaching. Defaults to missing.
+	TreatMissingData *string `json:"treatMissingData,omitempty" tf:"treat_missing_data,omitempty"`
+
+	// The unit for the alarm's associated metric.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type MetricAlarmParameters struct {
@@ -40,8 +111,8 @@ type MetricAlarmParameters struct {
 	AlarmDescription *string `json:"alarmDescription,omitempty" tf:"alarm_description,omitempty"`
 
 	// The arithmetic operation to use when comparing the specified Statistic and Threshold. The specified Statistic value is used as the first operand. Either of the following is supported: GreaterThanOrEqualToThreshold, GreaterThanThreshold, LessThanThreshold, LessThanOrEqualToThreshold. Additionally, the values  LessThanLowerOrGreaterThanUpperThreshold, LessThanLowerThreshold, and GreaterThanUpperThreshold are used only for alarms based on anomaly detection models.
-	// +kubebuilder:validation:Required
-	ComparisonOperator *string `json:"comparisonOperator" tf:"comparison_operator,omitempty"`
+	// +kubebuilder:validation:Optional
+	ComparisonOperator *string `json:"comparisonOperator,omitempty" tf:"comparison_operator,omitempty"`
 
 	// The number of datapoints that must be breaching to trigger the alarm.
 	// +kubebuilder:validation:Optional
@@ -61,8 +132,8 @@ type MetricAlarmParameters struct {
 	EvaluateLowSampleCountPercentiles *string `json:"evaluateLowSampleCountPercentiles,omitempty" tf:"evaluate_low_sample_count_percentiles,omitempty"`
 
 	// The number of periods over which data is compared to the specified threshold.
-	// +kubebuilder:validation:Required
-	EvaluationPeriods *float64 `json:"evaluationPeriods" tf:"evaluation_periods,omitempty"`
+	// +kubebuilder:validation:Optional
+	EvaluationPeriods *float64 `json:"evaluationPeriods,omitempty" tf:"evaluation_periods,omitempty"`
 
 	// The percentile statistic for the metric associated with the alarm. Specify a value between p0.0 and p100.
 	// +kubebuilder:validation:Optional
@@ -126,6 +197,27 @@ type MetricAlarmParameters struct {
 }
 
 type MetricObservation struct {
+
+	// The dimensions for this metric.  For the list of available dimensions see the AWS documentation here.
+	Dimensions map[string]*string `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// The name for this metric.
+	// See docs for supported metrics.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The namespace for this metric. See docs for the list of namespaces.
+	// See docs for supported metrics.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// The period in seconds over which the specified stat is applied.
+	Period *float64 `json:"period,omitempty" tf:"period,omitempty"`
+
+	// The statistic to apply to this metric.
+	// See docs for supported statistics.
+	Stat *string `json:"stat,omitempty" tf:"stat,omitempty"`
+
+	// The unit for this metric.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
 }
 
 type MetricParameters struct {
@@ -159,6 +251,24 @@ type MetricParameters struct {
 }
 
 type MetricQueryObservation struct {
+
+	// The ID of the account where the metrics are located, if this is a cross-account alarm.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// The math expression to be performed on the returned data, if this object is performing a math expression. This expression can use the id of the other metrics to refer to those metrics, and can also use the id of other expressions to use the result of those expressions. For more information about metric math expressions, see Metric Math Syntax and Functions in the Amazon CloudWatch User Guide.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// A short name used to tie this object to the results in the response. If you are performing math expressions on this set of data, this name represents that data and can serve as a variable in the mathematical expression. The valid characters are letters, numbers, and underscore. The first character must be a lowercase letter.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A human-readable label for this metric or expression. This is especially useful if this is an expression, so that you know what the value represents.
+	Label *string `json:"label,omitempty" tf:"label,omitempty"`
+
+	// The metric to be returned, along with statistics, period, and units. Use this parameter only if this object is retrieving a metric and not performing a math expression on returned data.
+	Metric []MetricObservation `json:"metric,omitempty" tf:"metric,omitempty"`
+
+	// Specify exactly one metric_query to be true to use that metric_query result as the alarm.
+	ReturnData *bool `json:"returnData,omitempty" tf:"return_data,omitempty"`
 }
 
 type MetricQueryParameters struct {
@@ -212,8 +322,10 @@ type MetricAlarmStatus struct {
 type MetricAlarm struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MetricAlarmSpec   `json:"spec"`
-	Status            MetricAlarmStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.comparisonOperator)",message="comparisonOperator is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.evaluationPeriods)",message="evaluationPeriods is a required parameter"
+	Spec   MetricAlarmSpec   `json:"spec"`
+	Status MetricAlarmStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatch/v1beta1/zz_metricstream_types.go b/apis/cloudwatch/v1beta1/zz_metricstream_types.go
index 463a4c85c8..1ff48ca818 100755
--- a/apis/cloudwatch/v1beta1/zz_metricstream_types.go
+++ b/apis/cloudwatch/v1beta1/zz_metricstream_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ExcludeFilterObservation struct {
+
+	// Name of the metric namespace in the filter.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type ExcludeFilterParameters struct {
@@ -24,6 +27,9 @@ type ExcludeFilterParameters struct {
 }
 
 type IncludeFilterObservation struct {
+
+	// Name of the metric namespace in the filter.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type IncludeFilterParameters struct {
@@ -34,6 +40,12 @@ type IncludeFilterParameters struct {
 }
 
 type IncludeMetricObservation struct {
+
+	// The name of the metric.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The namespace of the metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type IncludeMetricParameters struct {
@@ -55,14 +67,38 @@ type MetricStreamObservation struct {
 	// Date and time in RFC3339 format that the metric stream was created.
 	CreationDate *string `json:"creationDate,omitempty" tf:"creation_date,omitempty"`
 
+	// List of exclusive metric filters. If you specify this parameter, the stream sends metrics from all metric namespaces except for the namespaces that you specify here. Conflicts with include_filter.
+	ExcludeFilter []ExcludeFilterObservation `json:"excludeFilter,omitempty" tf:"exclude_filter,omitempty"`
+
+	// ARN of the Amazon Kinesis Firehose delivery stream to use for this metric stream.
+	FirehoseArn *string `json:"firehoseArn,omitempty" tf:"firehose_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of inclusive metric filters. If you specify this parameter, the stream sends only the metrics from the metric namespaces that you specify here. Conflicts with exclude_filter.
+	IncludeFilter []IncludeFilterObservation `json:"includeFilter,omitempty" tf:"include_filter,omitempty"`
+
 	// Date and time in RFC3339 format that the metric stream was last updated.
 	LastUpdateDate *string `json:"lastUpdateDate,omitempty" tf:"last_update_date,omitempty"`
 
+	// Friendly name of the metric stream. Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Output format for the stream. Possible values are json and opentelemetry0.7. For more information about output formats, see Metric streams output formats.
+	OutputFormat *string `json:"outputFormat,omitempty" tf:"output_format,omitempty"`
+
+	// ARN of the IAM role that this metric stream will use to access Amazon Kinesis Firehose resources. For more information about role permissions, see Trust between CloudWatch and Kinesis Data Firehose.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
 	// State of the metric stream. Possible values are running and stopped.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// For each entry in this array, you specify one or more metrics and the list of additional statistics to stream for those metrics. The additional statistics that you can stream depend on the stream's output_format. If the OutputFormat is json, you can stream any additional statistic that is supported by CloudWatch, listed in CloudWatch statistics definitions. If the OutputFormat is opentelemetry0.7, you can stream percentile statistics (p99 etc.). See details below.
+	StatisticsConfiguration []StatisticsConfigurationObservation `json:"statisticsConfiguration,omitempty" tf:"statistics_configuration,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -92,12 +128,12 @@ type MetricStreamParameters struct {
 	IncludeFilter []IncludeFilterParameters `json:"includeFilter,omitempty" tf:"include_filter,omitempty"`
 
 	// Friendly name of the metric stream. Conflicts with name_prefix.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Output format for the stream. Possible values are json and opentelemetry0.7. For more information about output formats, see Metric streams output formats.
-	// +kubebuilder:validation:Required
-	OutputFormat *string `json:"outputFormat" tf:"output_format,omitempty"`
+	// +kubebuilder:validation:Optional
+	OutputFormat *string `json:"outputFormat,omitempty" tf:"output_format,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -128,6 +164,12 @@ type MetricStreamParameters struct {
 }
 
 type StatisticsConfigurationObservation struct {
+
+	// The additional statistics to stream for the metrics listed in include_metrics.
+	AdditionalStatistics []*string `json:"additionalStatistics,omitempty" tf:"additional_statistics,omitempty"`
+
+	// An array that defines the metrics that are to have additional statistics streamed. See details below.
+	IncludeMetric []IncludeMetricObservation `json:"includeMetric,omitempty" tf:"include_metric,omitempty"`
 }
 
 type StatisticsConfigurationParameters struct {
@@ -165,8 +207,10 @@ type MetricStreamStatus struct {
 type MetricStream struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MetricStreamSpec   `json:"spec"`
-	Status            MetricStreamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outputFormat)",message="outputFormat is a required parameter"
+	Spec   MetricStreamSpec   `json:"spec"`
+	Status MetricStreamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchevents/v1beta1/zz_apidestination_types.go b/apis/cloudwatchevents/v1beta1/zz_apidestination_types.go
index 1dd0c3f862..f1ce4d5bd2 100755
--- a/apis/cloudwatchevents/v1beta1/zz_apidestination_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_apidestination_types.go
@@ -18,7 +18,22 @@ type APIDestinationObservation struct {
 	// The Amazon Resource Name (ARN) of the event API Destination.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of the EventBridge Connection to use for the API Destination.
+	ConnectionArn *string `json:"connectionArn,omitempty" tf:"connection_arn,omitempty"`
+
+	// The description of the new API Destination. Maximum of 512 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Select the HTTP method used for the invocation endpoint, such as GET, POST, PUT, etc.
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// URL endpoint to invoke as a target. This could be a valid endpoint generated by a partner service. You can include "*" as path parameters wildcards to be set from the Target HttpParameters.
+	InvocationEndpoint *string `json:"invocationEndpoint,omitempty" tf:"invocation_endpoint,omitempty"`
+
+	// Enter the maximum number of invocations per second to allow for this destination. Enter a value greater than 0 (default 300).
+	InvocationRateLimitPerSecond *float64 `json:"invocationRateLimitPerSecond,omitempty" tf:"invocation_rate_limit_per_second,omitempty"`
 }
 
 type APIDestinationParameters struct {
@@ -42,12 +57,12 @@ type APIDestinationParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Select the HTTP method used for the invocation endpoint, such as GET, POST, PUT, etc.
-	// +kubebuilder:validation:Required
-	HTTPMethod *string `json:"httpMethod" tf:"http_method,omitempty"`
+	// +kubebuilder:validation:Optional
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
 
 	// URL endpoint to invoke as a target. This could be a valid endpoint generated by a partner service. You can include "*" as path parameters wildcards to be set from the Target HttpParameters.
-	// +kubebuilder:validation:Required
-	InvocationEndpoint *string `json:"invocationEndpoint" tf:"invocation_endpoint,omitempty"`
+	// +kubebuilder:validation:Optional
+	InvocationEndpoint *string `json:"invocationEndpoint,omitempty" tf:"invocation_endpoint,omitempty"`
 
 	// Enter the maximum number of invocations per second to allow for this destination. Enter a value greater than 0 (default 300).
 	// +kubebuilder:validation:Optional
@@ -83,8 +98,10 @@ type APIDestinationStatus struct {
 type APIDestination struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              APIDestinationSpec   `json:"spec"`
-	Status            APIDestinationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.httpMethod)",message="httpMethod is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.invocationEndpoint)",message="invocationEndpoint is a required parameter"
+	Spec   APIDestinationSpec   `json:"spec"`
+	Status APIDestinationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchevents/v1beta1/zz_archive_types.go b/apis/cloudwatchevents/v1beta1/zz_archive_types.go
index eccd6a07a2..798275cdea 100755
--- a/apis/cloudwatchevents/v1beta1/zz_archive_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_archive_types.go
@@ -18,7 +18,19 @@ type ArchiveObservation struct {
 	// The Amazon Resource Name (ARN) of the event archive.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the new event archive.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Instructs the new event archive to only capture events matched by this pattern. By default, it attempts to archive every event received in the event_source_arn.
+	EventPattern *string `json:"eventPattern,omitempty" tf:"event_pattern,omitempty"`
+
+	// Event bus source ARN from where these events should be archived.
+	EventSourceArn *string `json:"eventSourceArn,omitempty" tf:"event_source_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The maximum number of days to retain events in the new event archive. By default, it archives indefinitely.
+	RetentionDays *float64 `json:"retentionDays,omitempty" tf:"retention_days,omitempty"`
 }
 
 type ArchiveParameters struct {
diff --git a/apis/cloudwatchevents/v1beta1/zz_bus_types.go b/apis/cloudwatchevents/v1beta1/zz_bus_types.go
index d63a202e9b..0af75c52c3 100755
--- a/apis/cloudwatchevents/v1beta1/zz_bus_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_bus_types.go
@@ -18,8 +18,14 @@ type BusObservation struct {
 	// The Amazon Resource Name (ARN) of the event bus.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The partner event source that the new event bus will be matched with. Must match name.
+	EventSourceName *string `json:"eventSourceName,omitempty" tf:"event_source_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/cloudwatchevents/v1beta1/zz_buspolicy_types.go b/apis/cloudwatchevents/v1beta1/zz_buspolicy_types.go
index 8bd03ef96b..0b96368188 100755
--- a/apis/cloudwatchevents/v1beta1/zz_buspolicy_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_buspolicy_types.go
@@ -15,8 +15,14 @@ import (
 
 type BusPolicyObservation struct {
 
+	// The event bus to set the permissions on. If you omit this, the permissions are set on the default event bus.
+	EventBusName *string `json:"eventBusName,omitempty" tf:"event_bus_name,omitempty"`
+
 	// The name of the EventBridge event bus.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The text of the policy.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type BusPolicyParameters struct {
@@ -35,8 +41,8 @@ type BusPolicyParameters struct {
 	EventBusNameSelector *v1.Selector `json:"eventBusNameSelector,omitempty" tf:"-"`
 
 	// The text of the policy.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -68,8 +74,9 @@ type BusPolicyStatus struct {
 type BusPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BusPolicySpec   `json:"spec"`
-	Status            BusPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   BusPolicySpec   `json:"spec"`
+	Status BusPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchevents/v1beta1/zz_connection_types.go b/apis/cloudwatchevents/v1beta1/zz_connection_types.go
index 06a6a7f684..54de6bff04 100755
--- a/apis/cloudwatchevents/v1beta1/zz_connection_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_connection_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type APIKeyObservation struct {
+
+	// Header Name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type APIKeyParameters struct {
@@ -28,6 +31,18 @@ type APIKeyParameters struct {
 }
 
 type AuthParametersObservation struct {
+
+	// Parameters used for API_KEY authorization. An API key to include in the header for each authentication request. A maximum of 1 are allowed. Conflicts with basic and oauth. Documented below.
+	APIKey []APIKeyObservation `json:"apiKey,omitempty" tf:"api_key,omitempty"`
+
+	// Parameters used for BASIC authorization. A maximum of 1 are allowed. Conflicts with api_key and oauth. Documented below.
+	Basic []BasicObservation `json:"basic,omitempty" tf:"basic,omitempty"`
+
+	// Invocation Http Parameters are additional credentials used to sign each Invocation of the ApiDestination created from this Connection. If the ApiDestination Rule Target has additional HttpParameters, the values will be merged together, with the Connection Invocation Http Parameters taking precedence. Secret values are stored and managed by AWS Secrets Manager. A maximum of 1 are allowed. Documented below.
+	InvocationHTTPParameters []InvocationHTTPParametersObservation `json:"invocationHttpParameters,omitempty" tf:"invocation_http_parameters,omitempty"`
+
+	// Parameters used for OAUTH_CLIENT_CREDENTIALS authorization. A maximum of 1 are allowed. Conflicts with basic and api_key. Documented below.
+	Oauth []OauthObservation `json:"oauth,omitempty" tf:"oauth,omitempty"`
 }
 
 type AuthParametersParameters struct {
@@ -50,6 +65,9 @@ type AuthParametersParameters struct {
 }
 
 type BasicObservation struct {
+
+	// A username for the authorization.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type BasicParameters struct {
@@ -64,6 +82,12 @@ type BasicParameters struct {
 }
 
 type BodyObservation struct {
+
+	// Specified whether the value is secret.
+	IsValueSecret *bool `json:"isValueSecret,omitempty" tf:"is_value_secret,omitempty"`
+
+	// Header Name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type BodyParameters struct {
@@ -82,6 +106,9 @@ type BodyParameters struct {
 }
 
 type ClientParametersObservation struct {
+
+	// The client ID for the credentials to use for authorization. Created and stored in AWS Secrets Manager.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
 }
 
 type ClientParametersParameters struct {
@@ -100,6 +127,15 @@ type ConnectionObservation struct {
 	// The Amazon Resource Name (ARN) of the connection.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Parameters used for authorization. A maximum of 1 are allowed. Documented below.
+	AuthParameters []AuthParametersObservation `json:"authParameters,omitempty" tf:"auth_parameters,omitempty"`
+
+	// Choose the type of authorization to use for the connection. One of API_KEY,BASIC,OAUTH_CLIENT_CREDENTIALS.
+	AuthorizationType *string `json:"authorizationType,omitempty" tf:"authorization_type,omitempty"`
+
+	// Enter a description for the connection. Maximum of 512 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The Amazon Resource Name (ARN) of the secret created from the authorization parameters specified for the connection.
@@ -109,12 +145,12 @@ type ConnectionObservation struct {
 type ConnectionParameters struct {
 
 	// Parameters used for authorization. A maximum of 1 are allowed. Documented below.
-	// +kubebuilder:validation:Required
-	AuthParameters []AuthParametersParameters `json:"authParameters" tf:"auth_parameters,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthParameters []AuthParametersParameters `json:"authParameters,omitempty" tf:"auth_parameters,omitempty"`
 
 	// Choose the type of authorization to use for the connection. One of API_KEY,BASIC,OAUTH_CLIENT_CREDENTIALS.
-	// +kubebuilder:validation:Required
-	AuthorizationType *string `json:"authorizationType" tf:"authorization_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthorizationType *string `json:"authorizationType,omitempty" tf:"authorization_type,omitempty"`
 
 	// Enter a description for the connection. Maximum of 512 characters.
 	// +kubebuilder:validation:Optional
@@ -127,6 +163,12 @@ type ConnectionParameters struct {
 }
 
 type HeaderObservation struct {
+
+	// Specified whether the value is secret.
+	IsValueSecret *bool `json:"isValueSecret,omitempty" tf:"is_value_secret,omitempty"`
+
+	// Header Name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type HeaderParameters struct {
@@ -145,6 +187,15 @@ type HeaderParameters struct {
 }
 
 type InvocationHTTPParametersObservation struct {
+
+	// Contains additional body string parameters for the connection. You can include up to 100 additional body string parameters per request. Each additional parameter counts towards the event payload size, which cannot exceed 64 KB. Each parameter can contain the following:
+	Body []BodyObservation `json:"body,omitempty" tf:"body,omitempty"`
+
+	// Contains additional header parameters for the connection. You can include up to 100 additional body string parameters per request. Each additional parameter counts towards the event payload size, which cannot exceed 64 KB. Each parameter can contain the following:
+	Header []HeaderObservation `json:"header,omitempty" tf:"header,omitempty"`
+
+	// Contains additional query string parameters for the connection. You can include up to 100 additional body string parameters per request. Each additional parameter counts towards the event payload size, which cannot exceed 64 KB. Each parameter can contain the following:
+	QueryString []QueryStringObservation `json:"queryString,omitempty" tf:"query_string,omitempty"`
 }
 
 type InvocationHTTPParametersParameters struct {
@@ -163,6 +214,12 @@ type InvocationHTTPParametersParameters struct {
 }
 
 type OauthHTTPParametersBodyObservation struct {
+
+	// Specified whether the value is secret.
+	IsValueSecret *bool `json:"isValueSecret,omitempty" tf:"is_value_secret,omitempty"`
+
+	// Header Name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type OauthHTTPParametersBodyParameters struct {
@@ -181,6 +238,12 @@ type OauthHTTPParametersBodyParameters struct {
 }
 
 type OauthHTTPParametersHeaderObservation struct {
+
+	// Specified whether the value is secret.
+	IsValueSecret *bool `json:"isValueSecret,omitempty" tf:"is_value_secret,omitempty"`
+
+	// Header Name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type OauthHTTPParametersHeaderParameters struct {
@@ -199,6 +262,15 @@ type OauthHTTPParametersHeaderParameters struct {
 }
 
 type OauthHTTPParametersObservation struct {
+
+	// Contains additional body string parameters for the connection. You can include up to 100 additional body string parameters per request. Each additional parameter counts towards the event payload size, which cannot exceed 64 KB. Each parameter can contain the following:
+	Body []OauthHTTPParametersBodyObservation `json:"body,omitempty" tf:"body,omitempty"`
+
+	// Contains additional header parameters for the connection. You can include up to 100 additional body string parameters per request. Each additional parameter counts towards the event payload size, which cannot exceed 64 KB. Each parameter can contain the following:
+	Header []OauthHTTPParametersHeaderObservation `json:"header,omitempty" tf:"header,omitempty"`
+
+	// Contains additional query string parameters for the connection. You can include up to 100 additional body string parameters per request. Each additional parameter counts towards the event payload size, which cannot exceed 64 KB. Each parameter can contain the following:
+	QueryString []OauthHTTPParametersQueryStringObservation `json:"queryString,omitempty" tf:"query_string,omitempty"`
 }
 
 type OauthHTTPParametersParameters struct {
@@ -217,6 +289,12 @@ type OauthHTTPParametersParameters struct {
 }
 
 type OauthHTTPParametersQueryStringObservation struct {
+
+	// Specified whether the value is secret.
+	IsValueSecret *bool `json:"isValueSecret,omitempty" tf:"is_value_secret,omitempty"`
+
+	// Header Name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type OauthHTTPParametersQueryStringParameters struct {
@@ -235,6 +313,18 @@ type OauthHTTPParametersQueryStringParameters struct {
 }
 
 type OauthObservation struct {
+
+	// The URL to the authorization endpoint.
+	AuthorizationEndpoint *string `json:"authorizationEndpoint,omitempty" tf:"authorization_endpoint,omitempty"`
+
+	// Contains the client parameters for OAuth authorization. Contains the following two parameters.
+	ClientParameters []ClientParametersObservation `json:"clientParameters,omitempty" tf:"client_parameters,omitempty"`
+
+	// A password for the authorization. Created and stored in AWS Secrets Manager.
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
+
+	// OAuth Http Parameters are additional credentials used to sign the request to the authorization endpoint to exchange the OAuth Client information for an access token. Secret values are stored and managed by AWS Secrets Manager. A maximum of 1 are allowed. Documented below.
+	OauthHTTPParameters []OauthHTTPParametersObservation `json:"oauthHttpParameters,omitempty" tf:"oauth_http_parameters,omitempty"`
 }
 
 type OauthParameters struct {
@@ -257,6 +347,12 @@ type OauthParameters struct {
 }
 
 type QueryStringObservation struct {
+
+	// Specified whether the value is secret.
+	IsValueSecret *bool `json:"isValueSecret,omitempty" tf:"is_value_secret,omitempty"`
+
+	// Header Name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type QueryStringParameters struct {
@@ -298,8 +394,10 @@ type ConnectionStatus struct {
 type Connection struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConnectionSpec   `json:"spec"`
-	Status            ConnectionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authParameters)",message="authParameters is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorizationType)",message="authorizationType is a required parameter"
+	Spec   ConnectionSpec   `json:"spec"`
+	Status ConnectionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchevents/v1beta1/zz_generated.deepcopy.go b/apis/cloudwatchevents/v1beta1/zz_generated.deepcopy.go
index 0305c85813..a6cc19808f 100644
--- a/apis/cloudwatchevents/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudwatchevents/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,36 @@ func (in *APIDestinationObservation) DeepCopyInto(out *APIDestinationObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConnectionArn != nil {
+		in, out := &in.ConnectionArn, &out.ConnectionArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPMethod != nil {
+		in, out := &in.HTTPMethod, &out.HTTPMethod
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InvocationEndpoint != nil {
+		in, out := &in.InvocationEndpoint, &out.InvocationEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.InvocationRateLimitPerSecond != nil {
+		in, out := &in.InvocationRateLimitPerSecond, &out.InvocationRateLimitPerSecond
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIDestinationObservation.
@@ -190,6 +215,11 @@ func (in *APIDestinationStatus) DeepCopy() *APIDestinationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *APIKeyObservation) DeepCopyInto(out *APIKeyObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new APIKeyObservation.
@@ -290,11 +320,31 @@ func (in *ArchiveObservation) DeepCopyInto(out *ArchiveObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventPattern != nil {
+		in, out := &in.EventPattern, &out.EventPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventSourceArn != nil {
+		in, out := &in.EventSourceArn, &out.EventSourceArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RetentionDays != nil {
+		in, out := &in.RetentionDays, &out.RetentionDays
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArchiveObservation.
@@ -394,6 +444,34 @@ func (in *ArchiveStatus) DeepCopy() *ArchiveStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthParametersObservation) DeepCopyInto(out *AuthParametersObservation) {
 	*out = *in
+	if in.APIKey != nil {
+		in, out := &in.APIKey, &out.APIKey
+		*out = make([]APIKeyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Basic != nil {
+		in, out := &in.Basic, &out.Basic
+		*out = make([]BasicObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InvocationHTTPParameters != nil {
+		in, out := &in.InvocationHTTPParameters, &out.InvocationHTTPParameters
+		*out = make([]InvocationHTTPParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Oauth != nil {
+		in, out := &in.Oauth, &out.Oauth
+		*out = make([]OauthObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthParametersObservation.
@@ -452,6 +530,11 @@ func (in *AuthParametersParameters) DeepCopy() *AuthParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BasicObservation) DeepCopyInto(out *BasicObservation) {
 	*out = *in
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicObservation.
@@ -488,6 +571,26 @@ func (in *BasicParameters) DeepCopy() *BasicParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BatchTargetObservation) DeepCopyInto(out *BatchTargetObservation) {
 	*out = *in
+	if in.ArraySize != nil {
+		in, out := &in.ArraySize, &out.ArraySize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.JobAttempts != nil {
+		in, out := &in.JobAttempts, &out.JobAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.JobDefinition != nil {
+		in, out := &in.JobDefinition, &out.JobDefinition
+		*out = new(string)
+		**out = **in
+	}
+	if in.JobName != nil {
+		in, out := &in.JobName, &out.JobName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BatchTargetObservation.
@@ -538,6 +641,16 @@ func (in *BatchTargetParameters) DeepCopy() *BatchTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BodyObservation) DeepCopyInto(out *BodyObservation) {
 	*out = *in
+	if in.IsValueSecret != nil {
+		in, out := &in.IsValueSecret, &out.IsValueSecret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BodyObservation.
@@ -647,11 +760,31 @@ func (in *BusObservation) DeepCopyInto(out *BusObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EventSourceName != nil {
+		in, out := &in.EventSourceName, &out.EventSourceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -781,11 +914,21 @@ func (in *BusPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BusPolicyObservation) DeepCopyInto(out *BusPolicyObservation) {
 	*out = *in
+	if in.EventBusName != nil {
+		in, out := &in.EventBusName, &out.EventBusName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BusPolicyObservation.
@@ -909,6 +1052,21 @@ func (in *BusStatus) DeepCopy() *BusStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityProviderStrategyObservation) DeepCopyInto(out *CapacityProviderStrategyObservation) {
 	*out = *in
+	if in.Base != nil {
+		in, out := &in.Base, &out.Base
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CapacityProvider != nil {
+		in, out := &in.CapacityProvider, &out.CapacityProvider
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityProviderStrategyObservation.
@@ -954,6 +1112,11 @@ func (in *CapacityProviderStrategyParameters) DeepCopy() *CapacityProviderStrate
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientParametersObservation) DeepCopyInto(out *ClientParametersObservation) {
 	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientParametersObservation.
@@ -990,6 +1153,21 @@ func (in *ClientParametersParameters) DeepCopy() *ClientParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionObservation) DeepCopyInto(out *ConditionObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionObservation.
@@ -1109,6 +1287,23 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthParameters != nil {
+		in, out := &in.AuthParameters, &out.AuthParameters
+		*out = make([]AuthParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AuthorizationType != nil {
+		in, out := &in.AuthorizationType, &out.AuthorizationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1205,6 +1400,11 @@ func (in *ConnectionStatus) DeepCopy() *ConnectionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeadLetterConfigObservation) DeepCopyInto(out *DeadLetterConfigObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeadLetterConfigObservation.
@@ -1240,24 +1440,9 @@ func (in *DeadLetterConfigParameters) DeepCopy() *DeadLetterConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EcsTargetObservation) DeepCopyInto(out *EcsTargetObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsTargetObservation.
-func (in *EcsTargetObservation) DeepCopy() *EcsTargetObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(EcsTargetObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EcsTargetParameters) DeepCopyInto(out *EcsTargetParameters) {
-	*out = *in
 	if in.CapacityProviderStrategy != nil {
 		in, out := &in.CapacityProviderStrategy, &out.CapacityProviderStrategy
-		*out = make([]CapacityProviderStrategyParameters, len(*in))
+		*out = make([]CapacityProviderStrategyObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1284,14 +1469,14 @@ func (in *EcsTargetParameters) DeepCopyInto(out *EcsTargetParameters) {
 	}
 	if in.NetworkConfiguration != nil {
 		in, out := &in.NetworkConfiguration, &out.NetworkConfiguration
-		*out = make([]NetworkConfigurationParameters, len(*in))
+		*out = make([]NetworkConfigurationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.PlacementConstraint != nil {
 		in, out := &in.PlacementConstraint, &out.PlacementConstraint
-		*out = make([]PlacementConstraintParameters, len(*in))
+		*out = make([]PlacementConstraintObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1331,51 +1516,183 @@ func (in *EcsTargetParameters) DeepCopyInto(out *EcsTargetParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.TaskDefinitionArnRef != nil {
-		in, out := &in.TaskDefinitionArnRef, &out.TaskDefinitionArnRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.TaskDefinitionArnSelector != nil {
-		in, out := &in.TaskDefinitionArnSelector, &out.TaskDefinitionArnSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsTargetParameters.
-func (in *EcsTargetParameters) DeepCopy() *EcsTargetParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsTargetObservation.
+func (in *EcsTargetObservation) DeepCopy() *EcsTargetObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(EcsTargetParameters)
+	out := new(EcsTargetObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HTTPTargetObservation) DeepCopyInto(out *HTTPTargetObservation) {
+func (in *EcsTargetParameters) DeepCopyInto(out *EcsTargetParameters) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPTargetObservation.
-func (in *HTTPTargetObservation) DeepCopy() *HTTPTargetObservation {
-	if in == nil {
-		return nil
+	if in.CapacityProviderStrategy != nil {
+		in, out := &in.CapacityProviderStrategy, &out.CapacityProviderStrategy
+		*out = make([]CapacityProviderStrategyParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(HTTPTargetObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HTTPTargetParameters) DeepCopyInto(out *HTTPTargetParameters) {
-	*out = *in
-	if in.HeaderParameters != nil {
-		in, out := &in.HeaderParameters, &out.HeaderParameters
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
+	if in.EnableEcsManagedTags != nil {
+		in, out := &in.EnableEcsManagedTags, &out.EnableEcsManagedTags
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableExecuteCommand != nil {
+		in, out := &in.EnableExecuteCommand, &out.EnableExecuteCommand
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Group != nil {
+		in, out := &in.Group, &out.Group
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchType != nil {
+		in, out := &in.LaunchType, &out.LaunchType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkConfiguration != nil {
+		in, out := &in.NetworkConfiguration, &out.NetworkConfiguration
+		*out = make([]NetworkConfigurationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlacementConstraint != nil {
+		in, out := &in.PlacementConstraint, &out.PlacementConstraint
+		*out = make([]PlacementConstraintParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlatformVersion != nil {
+		in, out := &in.PlatformVersion, &out.PlatformVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PropagateTags != nil {
+		in, out := &in.PropagateTags, &out.PropagateTags
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TaskCount != nil {
+		in, out := &in.TaskCount, &out.TaskCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TaskDefinitionArn != nil {
+		in, out := &in.TaskDefinitionArn, &out.TaskDefinitionArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TaskDefinitionArnRef != nil {
+		in, out := &in.TaskDefinitionArnRef, &out.TaskDefinitionArnRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.TaskDefinitionArnSelector != nil {
+		in, out := &in.TaskDefinitionArnSelector, &out.TaskDefinitionArnSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsTargetParameters.
+func (in *EcsTargetParameters) DeepCopy() *EcsTargetParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(EcsTargetParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPTargetObservation) DeepCopyInto(out *HTTPTargetObservation) {
+	*out = *in
+	if in.HeaderParameters != nil {
+		in, out := &in.HeaderParameters, &out.HeaderParameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.PathParameterValues != nil {
+		in, out := &in.PathParameterValues, &out.PathParameterValues
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.QueryStringParameters != nil {
+		in, out := &in.QueryStringParameters, &out.QueryStringParameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPTargetObservation.
+func (in *HTTPTargetObservation) DeepCopy() *HTTPTargetObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(HTTPTargetObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HTTPTargetParameters) DeepCopyInto(out *HTTPTargetParameters) {
+	*out = *in
+	if in.HeaderParameters != nil {
+		in, out := &in.HeaderParameters, &out.HeaderParameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
 			if val == nil {
 				(*out)[key] = nil
 			} else {
@@ -1427,6 +1744,16 @@ func (in *HTTPTargetParameters) DeepCopy() *HTTPTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeaderObservation) DeepCopyInto(out *HeaderObservation) {
 	*out = *in
+	if in.IsValueSecret != nil {
+		in, out := &in.IsValueSecret, &out.IsValueSecret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderObservation.
@@ -1472,6 +1799,26 @@ func (in *HeaderParameters) DeepCopy() *HeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputTransformerObservation) DeepCopyInto(out *InputTransformerObservation) {
 	*out = *in
+	if in.InputPaths != nil {
+		in, out := &in.InputPaths, &out.InputPaths
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.InputTemplate != nil {
+		in, out := &in.InputTemplate, &out.InputTemplate
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputTransformerObservation.
@@ -1522,6 +1869,27 @@ func (in *InputTransformerParameters) DeepCopy() *InputTransformerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InvocationHTTPParametersObservation) DeepCopyInto(out *InvocationHTTPParametersObservation) {
 	*out = *in
+	if in.Body != nil {
+		in, out := &in.Body, &out.Body
+		*out = make([]BodyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Header != nil {
+		in, out := &in.Header, &out.Header
+		*out = make([]HeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.QueryString != nil {
+		in, out := &in.QueryString, &out.QueryString
+		*out = make([]QueryStringObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InvocationHTTPParametersObservation.
@@ -1573,6 +1941,11 @@ func (in *InvocationHTTPParametersParameters) DeepCopy() *InvocationHTTPParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisTargetObservation) DeepCopyInto(out *KinesisTargetObservation) {
 	*out = *in
+	if in.PartitionKeyPath != nil {
+		in, out := &in.PartitionKeyPath, &out.PartitionKeyPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisTargetObservation.
@@ -1608,6 +1981,33 @@ func (in *KinesisTargetParameters) DeepCopy() *KinesisTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkConfigurationObservation) DeepCopyInto(out *NetworkConfigurationObservation) {
 	*out = *in
+	if in.AssignPublicIP != nil {
+		in, out := &in.AssignPublicIP, &out.AssignPublicIP
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkConfigurationObservation.
@@ -1665,6 +2065,16 @@ func (in *NetworkConfigurationParameters) DeepCopy() *NetworkConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OauthHTTPParametersBodyObservation) DeepCopyInto(out *OauthHTTPParametersBodyObservation) {
 	*out = *in
+	if in.IsValueSecret != nil {
+		in, out := &in.IsValueSecret, &out.IsValueSecret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OauthHTTPParametersBodyObservation.
@@ -1710,6 +2120,16 @@ func (in *OauthHTTPParametersBodyParameters) DeepCopy() *OauthHTTPParametersBody
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OauthHTTPParametersHeaderObservation) DeepCopyInto(out *OauthHTTPParametersHeaderObservation) {
 	*out = *in
+	if in.IsValueSecret != nil {
+		in, out := &in.IsValueSecret, &out.IsValueSecret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OauthHTTPParametersHeaderObservation.
@@ -1755,6 +2175,27 @@ func (in *OauthHTTPParametersHeaderParameters) DeepCopy() *OauthHTTPParametersHe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OauthHTTPParametersObservation) DeepCopyInto(out *OauthHTTPParametersObservation) {
 	*out = *in
+	if in.Body != nil {
+		in, out := &in.Body, &out.Body
+		*out = make([]OauthHTTPParametersBodyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Header != nil {
+		in, out := &in.Header, &out.Header
+		*out = make([]OauthHTTPParametersHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.QueryString != nil {
+		in, out := &in.QueryString, &out.QueryString
+		*out = make([]OauthHTTPParametersQueryStringObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OauthHTTPParametersObservation.
@@ -1806,6 +2247,16 @@ func (in *OauthHTTPParametersParameters) DeepCopy() *OauthHTTPParametersParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OauthHTTPParametersQueryStringObservation) DeepCopyInto(out *OauthHTTPParametersQueryStringObservation) {
 	*out = *in
+	if in.IsValueSecret != nil {
+		in, out := &in.IsValueSecret, &out.IsValueSecret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OauthHTTPParametersQueryStringObservation.
@@ -1843,14 +2294,38 @@ func (in *OauthHTTPParametersQueryStringParameters) DeepCopy() *OauthHTTPParamet
 	if in == nil {
 		return nil
 	}
-	out := new(OauthHTTPParametersQueryStringParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OauthObservation) DeepCopyInto(out *OauthObservation) {
-	*out = *in
+	out := new(OauthHTTPParametersQueryStringParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OauthObservation) DeepCopyInto(out *OauthObservation) {
+	*out = *in
+	if in.AuthorizationEndpoint != nil {
+		in, out := &in.AuthorizationEndpoint, &out.AuthorizationEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientParameters != nil {
+		in, out := &in.ClientParameters, &out.ClientParameters
+		*out = make([]ClientParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTPMethod != nil {
+		in, out := &in.HTTPMethod, &out.HTTPMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.OauthHTTPParameters != nil {
+		in, out := &in.OauthHTTPParameters, &out.OauthHTTPParameters
+		*out = make([]OauthHTTPParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OauthObservation.
@@ -1964,11 +2439,38 @@ func (in *PermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PermissionObservation) DeepCopyInto(out *PermissionObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
+	if in.Condition != nil {
+		in, out := &in.Condition, &out.Condition
+		*out = make([]ConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventBusName != nil {
+		in, out := &in.EventBusName, &out.EventBusName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatementID != nil {
+		in, out := &in.StatementID, &out.StatementID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionObservation.
@@ -2075,6 +2577,16 @@ func (in *PermissionStatus) DeepCopy() *PermissionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlacementConstraintObservation) DeepCopyInto(out *PlacementConstraintObservation) {
 	*out = *in
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlacementConstraintObservation.
@@ -2115,6 +2627,16 @@ func (in *PlacementConstraintParameters) DeepCopy() *PlacementConstraintParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryStringObservation) DeepCopyInto(out *QueryStringObservation) {
 	*out = *in
+	if in.IsValueSecret != nil {
+		in, out := &in.IsValueSecret, &out.IsValueSecret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryStringObservation.
@@ -2160,6 +2682,36 @@ func (in *QueryStringParameters) DeepCopy() *QueryStringParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftTargetObservation) DeepCopyInto(out *RedshiftTargetObservation) {
 	*out = *in
+	if in.DBUser != nil {
+		in, out := &in.DBUser, &out.DBUser
+		*out = new(string)
+		**out = **in
+	}
+	if in.Database != nil {
+		in, out := &in.Database, &out.Database
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQL != nil {
+		in, out := &in.SQL, &out.SQL
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecretsManagerArn != nil {
+		in, out := &in.SecretsManagerArn, &out.SecretsManagerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatementName != nil {
+		in, out := &in.StatementName, &out.StatementName
+		*out = new(string)
+		**out = **in
+	}
+	if in.WithEvent != nil {
+		in, out := &in.WithEvent, &out.WithEvent
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftTargetObservation.
@@ -2220,6 +2772,16 @@ func (in *RedshiftTargetParameters) DeepCopy() *RedshiftTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RetryPolicyObservation) DeepCopyInto(out *RetryPolicyObservation) {
 	*out = *in
+	if in.MaximumEventAgeInSeconds != nil {
+		in, out := &in.MaximumEventAgeInSeconds, &out.MaximumEventAgeInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaximumRetryAttempts != nil {
+		in, out := &in.MaximumRetryAttempts, &out.MaximumRetryAttempts
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetryPolicyObservation.
@@ -2324,11 +2886,56 @@ func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventBusName != nil {
+		in, out := &in.EventBusName, &out.EventBusName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventPattern != nil {
+		in, out := &in.EventPattern, &out.EventPattern
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IsEnabled != nil {
+		in, out := &in.IsEnabled, &out.IsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleExpression != nil {
+		in, out := &in.ScheduleExpression, &out.ScheduleExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2478,6 +3085,22 @@ func (in *RuleStatus) DeepCopy() *RuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunCommandTargetsObservation) DeepCopyInto(out *RunCommandTargetsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunCommandTargetsObservation.
@@ -2524,6 +3147,11 @@ func (in *RunCommandTargetsParameters) DeepCopy() *RunCommandTargetsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SqsTargetObservation) DeepCopyInto(out *SqsTargetObservation) {
 	*out = *in
+	if in.MessageGroupID != nil {
+		in, out := &in.MessageGroupID, &out.MessageGroupID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SqsTargetObservation.
@@ -2618,11 +3246,116 @@ func (in *TargetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.BatchTarget != nil {
+		in, out := &in.BatchTarget, &out.BatchTarget
+		*out = make([]BatchTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeadLetterConfig != nil {
+		in, out := &in.DeadLetterConfig, &out.DeadLetterConfig
+		*out = make([]DeadLetterConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EcsTarget != nil {
+		in, out := &in.EcsTarget, &out.EcsTarget
+		*out = make([]EcsTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventBusName != nil {
+		in, out := &in.EventBusName, &out.EventBusName
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPTarget != nil {
+		in, out := &in.HTTPTarget, &out.HTTPTarget
+		*out = make([]HTTPTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Input != nil {
+		in, out := &in.Input, &out.Input
+		*out = new(string)
+		**out = **in
+	}
+	if in.InputPath != nil {
+		in, out := &in.InputPath, &out.InputPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.InputTransformer != nil {
+		in, out := &in.InputTransformer, &out.InputTransformer
+		*out = make([]InputTransformerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisTarget != nil {
+		in, out := &in.KinesisTarget, &out.KinesisTarget
+		*out = make([]KinesisTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RedshiftTarget != nil {
+		in, out := &in.RedshiftTarget, &out.RedshiftTarget
+		*out = make([]RedshiftTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryPolicy != nil {
+		in, out := &in.RetryPolicy, &out.RetryPolicy
+		*out = make([]RetryPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = new(string)
+		**out = **in
+	}
+	if in.RunCommandTargets != nil {
+		in, out := &in.RunCommandTargets, &out.RunCommandTargets
+		*out = make([]RunCommandTargetsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SqsTarget != nil {
+		in, out := &in.SqsTarget, &out.SqsTarget
+		*out = make([]SqsTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetID != nil {
+		in, out := &in.TargetID, &out.TargetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
diff --git a/apis/cloudwatchevents/v1beta1/zz_permission_types.go b/apis/cloudwatchevents/v1beta1/zz_permission_types.go
index 9eecf2ca83..e71f62ceaf 100755
--- a/apis/cloudwatchevents/v1beta1/zz_permission_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_permission_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ConditionObservation struct {
+
+	// Key for the condition. Valid values: aws:PrincipalOrgID.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Type of condition. Value values: StringEquals.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Value for the key.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ConditionParameters struct {
@@ -43,8 +52,23 @@ type ConditionParameters struct {
 
 type PermissionObservation struct {
 
+	// The action that you are enabling the other account to perform. Defaults to events:PutEvents.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Configuration block to limit the event bus permissions you are granting to only accounts that fulfill the condition. Specified below.
+	Condition []ConditionObservation `json:"condition,omitempty" tf:"condition,omitempty"`
+
+	// The event bus to set the permissions on. If you omit this, the permissions are set on the default event bus.
+	EventBusName *string `json:"eventBusName,omitempty" tf:"event_bus_name,omitempty"`
+
 	// The statement ID of the EventBridge permission.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The 12-digit AWS account ID that you are permitting to put events to your default event bus. Specify * to permit any account to put events to your default event bus, optionally limited by condition.
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
+
+	// An identifier string for the external account that you are granting permissions to.
+	StatementID *string `json:"statementId,omitempty" tf:"statement_id,omitempty"`
 }
 
 type PermissionParameters struct {
@@ -71,8 +95,8 @@ type PermissionParameters struct {
 	EventBusNameSelector *v1.Selector `json:"eventBusNameSelector,omitempty" tf:"-"`
 
 	// The 12-digit AWS account ID that you are permitting to put events to your default event bus. Specify * to permit any account to put events to your default event bus, optionally limited by condition.
-	// +kubebuilder:validation:Required
-	Principal *string `json:"principal" tf:"principal,omitempty"`
+	// +kubebuilder:validation:Optional
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -80,8 +104,8 @@ type PermissionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// An identifier string for the external account that you are granting permissions to.
-	// +kubebuilder:validation:Required
-	StatementID *string `json:"statementId" tf:"statement_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	StatementID *string `json:"statementId,omitempty" tf:"statement_id,omitempty"`
 }
 
 // PermissionSpec defines the desired state of Permission
@@ -108,8 +132,10 @@ type PermissionStatus struct {
 type Permission struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PermissionSpec   `json:"spec"`
-	Status            PermissionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)",message="principal is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statementId)",message="statementId is a required parameter"
+	Spec   PermissionSpec   `json:"spec"`
+	Status PermissionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchevents/v1beta1/zz_rule_types.go b/apis/cloudwatchevents/v1beta1/zz_rule_types.go
index 4925c48979..495d1dfd13 100755
--- a/apis/cloudwatchevents/v1beta1/zz_rule_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_rule_types.go
@@ -18,9 +18,30 @@ type RuleObservation struct {
 	// The Amazon Resource Name (ARN) of the rule.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the rule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The event bus to associate with this rule. If you omit this, the default event bus is used.
+	EventBusName *string `json:"eventBusName,omitempty" tf:"event_bus_name,omitempty"`
+
+	// The event pattern described a JSON object. At least one of schedule_expression or event_pattern is required. See full documentation of Events and Event Patterns in EventBridge for details.
+	EventPattern *string `json:"eventPattern,omitempty" tf:"event_pattern,omitempty"`
+
 	// The name of the rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether the rule should be enabled (defaults to true).
+	IsEnabled *bool `json:"isEnabled,omitempty" tf:"is_enabled,omitempty"`
+
+	// The Amazon Resource Name (ARN) associated with the role that is used for target invocation.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The scheduling expression. For example, cron(0 20 * * ? *) or rate(5 minutes). At least one of schedule_expression or event_pattern is required. Can only be used on the default event bus. For more information, refer to the AWS documentation Schedule Expressions for Rules.
+	ScheduleExpression *string `json:"scheduleExpression,omitempty" tf:"schedule_expression,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/cloudwatchevents/v1beta1/zz_target_types.go b/apis/cloudwatchevents/v1beta1/zz_target_types.go
index c60699e3f6..34390f65aa 100755
--- a/apis/cloudwatchevents/v1beta1/zz_target_types.go
+++ b/apis/cloudwatchevents/v1beta1/zz_target_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type BatchTargetObservation struct {
+
+	// The size of the array, if this is an array batch job. Valid values are integers between 2 and 10,000.
+	ArraySize *float64 `json:"arraySize,omitempty" tf:"array_size,omitempty"`
+
+	// The number of times to attempt to retry, if the job fails. Valid values are 1 to 10.
+	JobAttempts *float64 `json:"jobAttempts,omitempty" tf:"job_attempts,omitempty"`
+
+	// The ARN or name of the job definition to use if the event target is an AWS Batch job. This job definition must already exist.
+	JobDefinition *string `json:"jobDefinition,omitempty" tf:"job_definition,omitempty"`
+
+	// The name to use for this execution of the job, if the target is an AWS Batch job.
+	JobName *string `json:"jobName,omitempty" tf:"job_name,omitempty"`
 }
 
 type BatchTargetParameters struct {
@@ -36,6 +48,15 @@ type BatchTargetParameters struct {
 }
 
 type CapacityProviderStrategyObservation struct {
+
+	// The base value designates how many tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined. Defaults to 0.
+	Base *float64 `json:"base,omitempty" tf:"base,omitempty"`
+
+	// Short name of the capacity provider.
+	CapacityProvider *string `json:"capacityProvider,omitempty" tf:"capacity_provider,omitempty"`
+
+	// The weight value designates the relative percentage of the total number of tasks launched that should use the specified capacity provider. The weight value is taken into consideration after the base value, if defined, is satisfied.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type CapacityProviderStrategyParameters struct {
@@ -54,6 +75,9 @@ type CapacityProviderStrategyParameters struct {
 }
 
 type DeadLetterConfigObservation struct {
+
+	// - ARN of the SQS queue specified as the target for the dead-letter queue.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 }
 
 type DeadLetterConfigParameters struct {
@@ -64,6 +88,42 @@ type DeadLetterConfigParameters struct {
 }
 
 type EcsTargetObservation struct {
+
+	// The capacity provider strategy to use for the task. If a capacity_provider_strategy specified, the launch_type parameter must be omitted. If no capacity_provider_strategy or launch_type is specified, the default capacity provider strategy for the cluster is used. Can be one or more. See below.
+	CapacityProviderStrategy []CapacityProviderStrategyObservation `json:"capacityProviderStrategy,omitempty" tf:"capacity_provider_strategy,omitempty"`
+
+	// Specifies whether to enable Amazon ECS managed tags for the task.
+	EnableEcsManagedTags *bool `json:"enableEcsManagedTags,omitempty" tf:"enable_ecs_managed_tags,omitempty"`
+
+	// Whether or not to enable the execute command functionality for the containers in this task. If true, this enables execute command functionality on all containers in the task.
+	EnableExecuteCommand *bool `json:"enableExecuteCommand,omitempty" tf:"enable_execute_command,omitempty"`
+
+	// Specifies an ECS task group for the task. The maximum length is 255 characters.
+	Group *string `json:"group,omitempty" tf:"group,omitempty"`
+
+	// Specifies the launch type on which your task is running. The launch type that you specify here must match one of the launch type (compatibilities) of the target task. Valid values include: EC2, EXTERNAL, or FARGATE.
+	LaunchType *string `json:"launchType,omitempty" tf:"launch_type,omitempty"`
+
+	// Use this if the ECS task uses the awsvpc network mode. This specifies the VPC subnets and security groups associated with the task, and whether a public IP address is to be used. Required if launch_type is FARGATE because the awsvpc mode is required for Fargate tasks.
+	NetworkConfiguration []NetworkConfigurationObservation `json:"networkConfiguration,omitempty" tf:"network_configuration,omitempty"`
+
+	// An array of placement constraint objects to use for the task. You can specify up to 10 constraints per task (including constraints in the task definition and those specified at runtime). See Below.
+	PlacementConstraint []PlacementConstraintObservation `json:"placementConstraint,omitempty" tf:"placement_constraint,omitempty"`
+
+	// Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as 1.1.0. This is used only if LaunchType is FARGATE. For more information about valid platform versions, see AWS Fargate Platform Versions.
+	PlatformVersion *string `json:"platformVersion,omitempty" tf:"platform_version,omitempty"`
+
+	// Specifies whether to propagate the tags from the task definition to the task. If no value is specified, the tags are not propagated. Tags can only be propagated to the task during task creation. The only valid value is: TASK_DEFINITION.
+	PropagateTags *string `json:"propagateTags,omitempty" tf:"propagate_tags,omitempty"`
+
+	// A map of tags to assign to ecs resources.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
+	// The number of tasks to create based on the TaskDefinition. Defaults to 1.
+	TaskCount *float64 `json:"taskCount,omitempty" tf:"task_count,omitempty"`
+
+	// The ARN of the task definition to use if the event target is an Amazon ECS cluster.
+	TaskDefinitionArn *string `json:"taskDefinitionArn,omitempty" tf:"task_definition_arn,omitempty"`
 }
 
 type EcsTargetParameters struct {
@@ -128,6 +188,15 @@ type EcsTargetParameters struct {
 }
 
 type HTTPTargetObservation struct {
+
+	// Enables you to specify HTTP headers to add to the request.
+	HeaderParameters map[string]*string `json:"headerParameters,omitempty" tf:"header_parameters,omitempty"`
+
+	// The list of values that correspond sequentially to any path variables in your endpoint ARN (for example arn:aws:execute-api:us-east-1:123456:myapi/*/POST/pets/*).
+	PathParameterValues []*string `json:"pathParameterValues,omitempty" tf:"path_parameter_values,omitempty"`
+
+	// Represents keys/values of query string parameters that are appended to the invoked endpoint.
+	QueryStringParameters map[string]*string `json:"queryStringParameters,omitempty" tf:"query_string_parameters,omitempty"`
 }
 
 type HTTPTargetParameters struct {
@@ -146,6 +215,12 @@ type HTTPTargetParameters struct {
 }
 
 type InputTransformerObservation struct {
+
+	// Key value pairs specified in the form of JSONPath (for example, time = $.time)
+	InputPaths map[string]*string `json:"inputPaths,omitempty" tf:"input_paths,omitempty"`
+
+	// Template to customize data sent to the target. Must be valid JSON. To send a string value, the string value must include double quotes.g., "\"Your string goes here.\\nA new line.\""
+	InputTemplate *string `json:"inputTemplate,omitempty" tf:"input_template,omitempty"`
 }
 
 type InputTransformerParameters struct {
@@ -160,6 +235,9 @@ type InputTransformerParameters struct {
 }
 
 type KinesisTargetObservation struct {
+
+	// The JSON path to be extracted from the event and used as the partition key.
+	PartitionKeyPath *string `json:"partitionKeyPath,omitempty" tf:"partition_key_path,omitempty"`
 }
 
 type KinesisTargetParameters struct {
@@ -170,6 +248,15 @@ type KinesisTargetParameters struct {
 }
 
 type NetworkConfigurationObservation struct {
+
+	// Assign a public IP address to the ENI (Fargate launch type only). Valid values are true or false. Defaults to false.
+	AssignPublicIP *bool `json:"assignPublicIp,omitempty" tf:"assign_public_ip,omitempty"`
+
+	// The security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The subnets associated with the task or service.
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
 }
 
 type NetworkConfigurationParameters struct {
@@ -188,6 +275,12 @@ type NetworkConfigurationParameters struct {
 }
 
 type PlacementConstraintObservation struct {
+
+	// Cluster Query Language expression to apply to the constraint. Does not need to be specified for the distinctInstance type. For more information, see Cluster Query Language in the Amazon EC2 Container Service Developer Guide.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// Type of constraint. The only valid values at this time are memberOf and distinctInstance.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PlacementConstraintParameters struct {
@@ -202,6 +295,24 @@ type PlacementConstraintParameters struct {
 }
 
 type RedshiftTargetObservation struct {
+
+	// The database user name.
+	DBUser *string `json:"dbUser,omitempty" tf:"db_user,omitempty"`
+
+	// The name of the database.
+	Database *string `json:"database,omitempty" tf:"database,omitempty"`
+
+	// The SQL statement text to run.
+	SQL *string `json:"sql,omitempty" tf:"sql,omitempty"`
+
+	// The name or ARN of the secret that enables access to the database.
+	SecretsManagerArn *string `json:"secretsManagerArn,omitempty" tf:"secrets_manager_arn,omitempty"`
+
+	// The name of the SQL statement.
+	StatementName *string `json:"statementName,omitempty" tf:"statement_name,omitempty"`
+
+	// Indicates whether to send an event back to EventBridge after the SQL statement runs.
+	WithEvent *bool `json:"withEvent,omitempty" tf:"with_event,omitempty"`
 }
 
 type RedshiftTargetParameters struct {
@@ -232,6 +343,12 @@ type RedshiftTargetParameters struct {
 }
 
 type RetryPolicyObservation struct {
+
+	// The age in seconds to continue to make retry attempts.
+	MaximumEventAgeInSeconds *float64 `json:"maximumEventAgeInSeconds,omitempty" tf:"maximum_event_age_in_seconds,omitempty"`
+
+	// maximum number of retry attempts to make before the request fails
+	MaximumRetryAttempts *float64 `json:"maximumRetryAttempts,omitempty" tf:"maximum_retry_attempts,omitempty"`
 }
 
 type RetryPolicyParameters struct {
@@ -246,6 +363,12 @@ type RetryPolicyParameters struct {
 }
 
 type RunCommandTargetsObservation struct {
+
+	// Can be either tag:tag-key or InstanceIds.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// If Key is tag:tag-key, Values is a list of tag values. If Key is InstanceIds, Values is a list of Amazon EC2 instance IDs.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type RunCommandTargetsParameters struct {
@@ -260,6 +383,9 @@ type RunCommandTargetsParameters struct {
 }
 
 type SqsTargetObservation struct {
+
+	// The FIFO message group ID to use as the target.
+	MessageGroupID *string `json:"messageGroupId,omitempty" tf:"message_group_id,omitempty"`
 }
 
 type SqsTargetParameters struct {
@@ -270,14 +396,66 @@ type SqsTargetParameters struct {
 }
 
 type TargetObservation struct {
+
+	// The Amazon Resource Name (ARN) of the target.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Parameters used when you are using the rule to invoke an Amazon Batch Job. Documented below. A maximum of 1 are allowed.
+	BatchTarget []BatchTargetObservation `json:"batchTarget,omitempty" tf:"batch_target,omitempty"`
+
+	// Parameters used when you are providing a dead letter config. Documented below. A maximum of 1 are allowed.
+	DeadLetterConfig []DeadLetterConfigObservation `json:"deadLetterConfig,omitempty" tf:"dead_letter_config,omitempty"`
+
+	// Parameters used when you are using the rule to invoke Amazon ECS Task. Documented below. A maximum of 1 are allowed.
+	EcsTarget []EcsTargetObservation `json:"ecsTarget,omitempty" tf:"ecs_target,omitempty"`
+
+	// The event bus to associate with the rule. If you omit this, the default event bus is used.
+	EventBusName *string `json:"eventBusName,omitempty" tf:"event_bus_name,omitempty"`
+
+	// Parameters used when you are using the rule to invoke an API Gateway REST endpoint. Documented below. A maximum of 1 is allowed.
+	HTTPTarget []HTTPTargetObservation `json:"httpTarget,omitempty" tf:"http_target,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Valid JSON text passed to the target. Conflicts with input_path and input_transformer.
+	Input *string `json:"input,omitempty" tf:"input,omitempty"`
+
+	// The value of the JSONPath that is used for extracting part of the matched event when passing it to the target. Conflicts with input and input_transformer.
+	InputPath *string `json:"inputPath,omitempty" tf:"input_path,omitempty"`
+
+	// Parameters used when you are providing a custom input to a target based on certain event data. Conflicts with input and input_path.
+	InputTransformer []InputTransformerObservation `json:"inputTransformer,omitempty" tf:"input_transformer,omitempty"`
+
+	// Parameters used when you are using the rule to invoke an Amazon Kinesis Stream. Documented below. A maximum of 1 are allowed.
+	KinesisTarget []KinesisTargetObservation `json:"kinesisTarget,omitempty" tf:"kinesis_target,omitempty"`
+
+	// Parameters used when you are using the rule to invoke an Amazon Redshift Statement. Documented below. A maximum of 1 are allowed.
+	RedshiftTarget []RedshiftTargetObservation `json:"redshiftTarget,omitempty" tf:"redshift_target,omitempty"`
+
+	// Parameters used when you are providing retry policies. Documented below. A maximum of 1 are allowed.
+	RetryPolicy []RetryPolicyObservation `json:"retryPolicy,omitempty" tf:"retry_policy,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the IAM role to be used for this target when the rule is triggered. Required if ecs_target is used or target in arn is EC2 instance, Kinesis data stream, Step Functions state machine, or Event Bus in different account or region.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the rule you want to add targets to.
+	Rule *string `json:"rule,omitempty" tf:"rule,omitempty"`
+
+	// Parameters used when you are using the rule to invoke Amazon EC2 Run Command. Documented below. A maximum of 5 are allowed.
+	RunCommandTargets []RunCommandTargetsObservation `json:"runCommandTargets,omitempty" tf:"run_command_targets,omitempty"`
+
+	// Parameters used when you are using the rule to invoke an Amazon SQS Queue. Documented below. A maximum of 1 are allowed.
+	SqsTarget []SqsTargetObservation `json:"sqsTarget,omitempty" tf:"sqs_target,omitempty"`
+
+	// The unique target assignment ID. If missing, will generate a random, unique id.
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
 }
 
 type TargetParameters struct {
 
 	// The Amazon Resource Name (ARN) of the target.
-	// +kubebuilder:validation:Required
-	Arn *string `json:"arn" tf:"arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Parameters used when you are using the rule to invoke an Amazon Batch Job. Documented below. A maximum of 1 are allowed.
 	// +kubebuilder:validation:Optional
@@ -401,8 +579,9 @@ type TargetStatus struct {
 type Target struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TargetSpec   `json:"spec"`
-	Status            TargetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.arn)",message="arn is a required parameter"
+	Spec   TargetSpec   `json:"spec"`
+	Status TargetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchlogs/v1beta1/zz_definition_types.go b/apis/cloudwatchlogs/v1beta1/zz_definition_types.go
index 92316f33e8..1cc4e3f6e1 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_definition_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_definition_types.go
@@ -16,8 +16,17 @@ import (
 type DefinitionObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specific log groups to use with the query.
+	LogGroupNames []*string `json:"logGroupNames,omitempty" tf:"log_group_names,omitempty"`
+
+	// The name of the query.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The query definition ID.
 	QueryDefinitionID *string `json:"queryDefinitionId,omitempty" tf:"query_definition_id,omitempty"`
+
+	// The query to save. You can read more about CloudWatch Logs Query Syntax in the documentation.
+	QueryString *string `json:"queryString,omitempty" tf:"query_string,omitempty"`
 }
 
 type DefinitionParameters struct {
@@ -27,12 +36,12 @@ type DefinitionParameters struct {
 	LogGroupNames []*string `json:"logGroupNames,omitempty" tf:"log_group_names,omitempty"`
 
 	// The name of the query.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The query to save. You can read more about CloudWatch Logs Query Syntax in the documentation.
-	// +kubebuilder:validation:Required
-	QueryString *string `json:"queryString" tf:"query_string,omitempty"`
+	// +kubebuilder:validation:Optional
+	QueryString *string `json:"queryString,omitempty" tf:"query_string,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -64,8 +73,10 @@ type DefinitionStatus struct {
 type Definition struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DefinitionSpec   `json:"spec"`
-	Status            DefinitionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.queryString)",message="queryString is a required parameter"
+	Spec   DefinitionSpec   `json:"spec"`
+	Status DefinitionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchlogs/v1beta1/zz_destination_types.go b/apis/cloudwatchlogs/v1beta1/zz_destination_types.go
index 0000a34e22..a61a1f09be 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_destination_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_destination_types.go
@@ -20,8 +20,17 @@ type DestinationObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN of an IAM role that grants Amazon CloudWatch Logs permissions to put data into the target.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ARN of the target Amazon Kinesis stream resource for the destination.
+	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
 }
 
 type DestinationParameters struct {
diff --git a/apis/cloudwatchlogs/v1beta1/zz_destinationpolicy_types.go b/apis/cloudwatchlogs/v1beta1/zz_destinationpolicy_types.go
index 22d360f000..14c96cfa22 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_destinationpolicy_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_destinationpolicy_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type DestinationPolicyObservation struct {
+
+	// The policy document. This is a JSON formatted string.
+	AccessPolicy *string `json:"accessPolicy,omitempty" tf:"access_policy,omitempty"`
+
+	// Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
+	ForceUpdate *bool `json:"forceUpdate,omitempty" tf:"force_update,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type DestinationPolicyParameters struct {
 
 	// The policy document. This is a JSON formatted string.
-	// +kubebuilder:validation:Required
-	AccessPolicy *string `json:"accessPolicy" tf:"access_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccessPolicy *string `json:"accessPolicy,omitempty" tf:"access_policy,omitempty"`
 
 	// Specify true if you are updating an existing destination policy to grant permission to an organization ID instead of granting permission to individual AWS accounts.
 	// +kubebuilder:validation:Optional
@@ -57,8 +64,9 @@ type DestinationPolicyStatus struct {
 type DestinationPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DestinationPolicySpec   `json:"spec"`
-	Status            DestinationPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicy)",message="accessPolicy is a required parameter"
+	Spec   DestinationPolicySpec   `json:"spec"`
+	Status DestinationPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchlogs/v1beta1/zz_generated.deepcopy.go b/apis/cloudwatchlogs/v1beta1/zz_generated.deepcopy.go
index cb6c65304c..22b353361a 100644
--- a/apis/cloudwatchlogs/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,32 @@ func (in *DefinitionObservation) DeepCopyInto(out *DefinitionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogGroupNames != nil {
+		in, out := &in.LogGroupNames, &out.LogGroupNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.QueryDefinitionID != nil {
 		in, out := &in.QueryDefinitionID, &out.QueryDefinitionID
 		*out = new(string)
 		**out = **in
 	}
+	if in.QueryString != nil {
+		in, out := &in.QueryString, &out.QueryString
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefinitionObservation.
@@ -245,6 +266,26 @@ func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -260,6 +301,11 @@ func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetArn != nil {
+		in, out := &in.TargetArn, &out.TargetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationObservation.
@@ -399,6 +445,16 @@ func (in *DestinationPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationPolicyObservation) DeepCopyInto(out *DestinationPolicyObservation) {
 	*out = *in
+	if in.AccessPolicy != nil {
+		in, out := &in.AccessPolicy, &out.AccessPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceUpdate != nil {
+		in, out := &in.ForceUpdate, &out.ForceUpdate
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -586,6 +642,36 @@ func (in *GroupObservation) DeepCopyInto(out *GroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetentionInDays != nil {
+		in, out := &in.RetentionInDays, &out.RetentionInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -774,6 +860,23 @@ func (in *MetricFilterObservation) DeepCopyInto(out *MetricFilterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricTransformation != nil {
+		in, out := &in.MetricTransformation, &out.MetricTransformation
+		*out = make([]MetricTransformationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Pattern != nil {
+		in, out := &in.Pattern, &out.Pattern
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricFilterObservation.
@@ -870,6 +973,46 @@ func (in *MetricFilterStatus) DeepCopy() *MetricFilterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricTransformationObservation) DeepCopyInto(out *MetricTransformationObservation) {
 	*out = *in
+	if in.DefaultValue != nil {
+		in, out := &in.DefaultValue, &out.DefaultValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dimensions != nil {
+		in, out := &in.Dimensions, &out.Dimensions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetricTransformationObservation.
@@ -1004,6 +1147,11 @@ func (in *ResourcePolicyObservation) DeepCopyInto(out *ResourcePolicyObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyDocument != nil {
+		in, out := &in.PolicyDocument, &out.PolicyDocument
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyObservation.
@@ -1147,6 +1295,16 @@ func (in *StreamObservation) DeepCopyInto(out *StreamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StreamObservation.
@@ -1295,11 +1453,41 @@ func (in *SubscriptionFilterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubscriptionFilterObservation) DeepCopyInto(out *SubscriptionFilterObservation) {
 	*out = *in
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Distribution != nil {
+		in, out := &in.Distribution, &out.Distribution
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterPattern != nil {
+		in, out := &in.FilterPattern, &out.FilterPattern
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubscriptionFilterObservation.
diff --git a/apis/cloudwatchlogs/v1beta1/zz_group_types.go b/apis/cloudwatchlogs/v1beta1/zz_group_types.go
index 6cba865513..3962408671 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_group_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_group_types.go
@@ -20,6 +20,21 @@ type GroupObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN of the KMS Key to use when encrypting log data. Please note, after the AWS KMS CMK is disassociated from the log group,
+	// AWS CloudWatch Logs stops encrypting newly ingested data for the log group. All previously ingested data remains encrypted, and AWS CloudWatch Logs requires
+	// permissions for the CMK whenever the encrypted data is requested.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Specifies the number of days
+	// you want to retain log events in the specified log group.  Possible values are: 1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731, 1096, 1827, 2192, 2557, 2922, 3288, 3653, and 0.
+	// If you select 0, the events in the log group are always retained and never expire.
+	RetentionInDays *float64 `json:"retentionInDays,omitempty" tf:"retention_in_days,omitempty"`
+
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/cloudwatchlogs/v1beta1/zz_metricfilter_types.go b/apis/cloudwatchlogs/v1beta1/zz_metricfilter_types.go
index 7362e32fb2..ab6b996b40 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_metricfilter_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_metricfilter_types.go
@@ -17,6 +17,16 @@ type MetricFilterObservation struct {
 
 	// The name of the metric filter.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the log group to associate the metric filter with.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// A block defining collection of information needed to define how metric data gets emitted. See below.
+	MetricTransformation []MetricTransformationObservation `json:"metricTransformation,omitempty" tf:"metric_transformation,omitempty"`
+
+	// A valid CloudWatch Logs filter pattern
+	// for extracting metric data out of ingested log events.
+	Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"`
 }
 
 type MetricFilterParameters struct {
@@ -35,13 +45,13 @@ type MetricFilterParameters struct {
 	LogGroupNameSelector *v1.Selector `json:"logGroupNameSelector,omitempty" tf:"-"`
 
 	// A block defining collection of information needed to define how metric data gets emitted. See below.
-	// +kubebuilder:validation:Required
-	MetricTransformation []MetricTransformationParameters `json:"metricTransformation" tf:"metric_transformation,omitempty"`
+	// +kubebuilder:validation:Optional
+	MetricTransformation []MetricTransformationParameters `json:"metricTransformation,omitempty" tf:"metric_transformation,omitempty"`
 
 	// A valid CloudWatch Logs filter pattern
 	// for extracting metric data out of ingested log events.
-	// +kubebuilder:validation:Required
-	Pattern *string `json:"pattern" tf:"pattern,omitempty"`
+	// +kubebuilder:validation:Optional
+	Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -50,6 +60,24 @@ type MetricFilterParameters struct {
 }
 
 type MetricTransformationObservation struct {
+
+	// The value to emit when a filter pattern does not match a log event. Conflicts with dimensions.
+	DefaultValue *string `json:"defaultValue,omitempty" tf:"default_value,omitempty"`
+
+	// Map of fields to use as dimensions for the metric. Up to 3 dimensions are allowed. Conflicts with default_value.
+	Dimensions map[string]*string `json:"dimensions,omitempty" tf:"dimensions,omitempty"`
+
+	// The name of the CloudWatch metric to which the monitored log information should be published (e.g., ErrorCount)
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The destination namespace of the CloudWatch metric.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// The unit to assign to the metric. If you omit this, the unit is set as None.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// What to publish to the metric. For example, if you're counting the occurrences of a particular term like "Error", the value will be "1" for each occurrence. If you're counting the bytes transferred the published value will be the value in the log event.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MetricTransformationParameters struct {
@@ -103,8 +131,10 @@ type MetricFilterStatus struct {
 type MetricFilter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MetricFilterSpec   `json:"spec"`
-	Status            MetricFilterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricTransformation)",message="metricTransformation is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pattern)",message="pattern is a required parameter"
+	Spec   MetricFilterSpec   `json:"spec"`
+	Status MetricFilterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchlogs/v1beta1/zz_resourcepolicy_types.go b/apis/cloudwatchlogs/v1beta1/zz_resourcepolicy_types.go
index 8d37e98d28..d153f30a56 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_resourcepolicy_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_resourcepolicy_types.go
@@ -17,13 +17,16 @@ type ResourcePolicyObservation struct {
 
 	// The name of the CloudWatch log resource policy
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Details of the resource policy, including the identity of the principal that is enabled to put logs to this account. This is formatted as a JSON string. Maximum length of 5120 characters.
+	PolicyDocument *string `json:"policyDocument,omitempty" tf:"policy_document,omitempty"`
 }
 
 type ResourcePolicyParameters struct {
 
 	// Details of the resource policy, including the identity of the principal that is enabled to put logs to this account. This is formatted as a JSON string. Maximum length of 5120 characters.
-	// +kubebuilder:validation:Required
-	PolicyDocument *string `json:"policyDocument" tf:"policy_document,omitempty"`
+	// +kubebuilder:validation:Optional
+	PolicyDocument *string `json:"policyDocument,omitempty" tf:"policy_document,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -55,8 +58,9 @@ type ResourcePolicyStatus struct {
 type ResourcePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourcePolicySpec   `json:"spec"`
-	Status            ResourcePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyDocument)",message="policyDocument is a required parameter"
+	Spec   ResourcePolicySpec   `json:"spec"`
+	Status ResourcePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchlogs/v1beta1/zz_stream_types.go b/apis/cloudwatchlogs/v1beta1/zz_stream_types.go
index bb97f35c23..5f12b28423 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_stream_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_stream_types.go
@@ -19,6 +19,12 @@ type StreamObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the log group under which the log stream is to be created.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The name of the log stream. Must not be longer than 512 characters and must not contain :
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type StreamParameters struct {
@@ -37,8 +43,8 @@ type StreamParameters struct {
 	LogGroupNameSelector *v1.Selector `json:"logGroupNameSelector,omitempty" tf:"-"`
 
 	// The name of the log stream. Must not be longer than 512 characters and must not contain :
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -70,8 +76,9 @@ type StreamStatus struct {
 type Stream struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StreamSpec   `json:"spec"`
-	Status            StreamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   StreamSpec   `json:"spec"`
+	Status StreamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cloudwatchlogs/v1beta1/zz_subscriptionfilter_types.go b/apis/cloudwatchlogs/v1beta1/zz_subscriptionfilter_types.go
index ae8cb3ccef..8cb30fe073 100755
--- a/apis/cloudwatchlogs/v1beta1/zz_subscriptionfilter_types.go
+++ b/apis/cloudwatchlogs/v1beta1/zz_subscriptionfilter_types.go
@@ -14,7 +14,26 @@ import (
 )
 
 type SubscriptionFilterObservation struct {
+
+	// The ARN of the destination to deliver matching log events to. Kinesis stream or Lambda function ARN.
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
+
+	// The method used to distribute log data to the destination. By default log data is grouped by log stream, but the grouping can be set to random for a more even distribution. This property is only applicable when the destination is an Amazon Kinesis stream. Valid values are "Random" and "ByLogStream".
+	Distribution *string `json:"distribution,omitempty" tf:"distribution,omitempty"`
+
+	// A valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events. Use empty string "" to match everything. For more information, see the Amazon CloudWatch Logs User Guide.
+	FilterPattern *string `json:"filterPattern,omitempty" tf:"filter_pattern,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the log group to associate the subscription filter with
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// A name for the subscription filter
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ARN of an IAM role that grants Amazon CloudWatch Logs permissions to deliver ingested log events to the destination. If you use Lambda as a destination, you should skip this argument and use aws_lambda_permission resource for granting access from CloudWatch logs to the destination Lambda function.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type SubscriptionFilterParameters struct {
@@ -38,16 +57,16 @@ type SubscriptionFilterParameters struct {
 	Distribution *string `json:"distribution,omitempty" tf:"distribution,omitempty"`
 
 	// A valid CloudWatch Logs filter pattern for subscribing to a filtered stream of log events. Use empty string "" to match everything. For more information, see the Amazon CloudWatch Logs User Guide.
-	// +kubebuilder:validation:Required
-	FilterPattern *string `json:"filterPattern" tf:"filter_pattern,omitempty"`
+	// +kubebuilder:validation:Optional
+	FilterPattern *string `json:"filterPattern,omitempty" tf:"filter_pattern,omitempty"`
 
 	// The name of the log group to associate the subscription filter with
-	// +kubebuilder:validation:Required
-	LogGroupName *string `json:"logGroupName" tf:"log_group_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
 
 	// A name for the subscription filter
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -93,8 +112,11 @@ type SubscriptionFilterStatus struct {
 type SubscriptionFilter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SubscriptionFilterSpec   `json:"spec"`
-	Status            SubscriptionFilterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filterPattern)",message="filterPattern is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.logGroupName)",message="logGroupName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   SubscriptionFilterSpec   `json:"spec"`
+	Status SubscriptionFilterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codecommit/v1beta1/zz_approvalruletemplate_types.go b/apis/codecommit/v1beta1/zz_approvalruletemplate_types.go
index 604fc2bb11..0ea61c95a8 100755
--- a/apis/codecommit/v1beta1/zz_approvalruletemplate_types.go
+++ b/apis/codecommit/v1beta1/zz_approvalruletemplate_types.go
@@ -18,9 +18,15 @@ type ApprovalRuleTemplateObservation struct {
 	// The ID of the approval rule template
 	ApprovalRuleTemplateID *string `json:"approvalRuleTemplateId,omitempty" tf:"approval_rule_template_id,omitempty"`
 
+	// The content of the approval rule template. Maximum of 3000 characters.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
 	// The date the approval rule template was created, in RFC3339 format.
 	CreationDate *string `json:"creationDate,omitempty" tf:"creation_date,omitempty"`
 
+	// The description of the approval rule template. Maximum of 1000 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date the approval rule template was most recently changed, in RFC3339 format.
@@ -36,8 +42,8 @@ type ApprovalRuleTemplateObservation struct {
 type ApprovalRuleTemplateParameters struct {
 
 	// The content of the approval rule template. Maximum of 3000 characters.
-	// +kubebuilder:validation:Required
-	Content *string `json:"content" tf:"content,omitempty"`
+	// +kubebuilder:validation:Optional
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
 
 	// The description of the approval rule template. Maximum of 1000 characters.
 	// +kubebuilder:validation:Optional
@@ -73,8 +79,9 @@ type ApprovalRuleTemplateStatus struct {
 type ApprovalRuleTemplate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ApprovalRuleTemplateSpec   `json:"spec"`
-	Status            ApprovalRuleTemplateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)",message="content is a required parameter"
+	Spec   ApprovalRuleTemplateSpec   `json:"spec"`
+	Status ApprovalRuleTemplateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codecommit/v1beta1/zz_approvalruletemplateassociation_types.go b/apis/codecommit/v1beta1/zz_approvalruletemplateassociation_types.go
index d242dfb679..c75b867208 100755
--- a/apis/codecommit/v1beta1/zz_approvalruletemplateassociation_types.go
+++ b/apis/codecommit/v1beta1/zz_approvalruletemplateassociation_types.go
@@ -15,8 +15,14 @@ import (
 
 type ApprovalRuleTemplateAssociationObservation struct {
 
+	// The name for the approval rule template.
+	ApprovalRuleTemplateName *string `json:"approvalRuleTemplateName,omitempty" tf:"approval_rule_template_name,omitempty"`
+
 	// The name of the approval rule template and name of the repository, separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the repository that you want to associate with the template.
+	RepositoryName *string `json:"repositoryName,omitempty" tf:"repository_name,omitempty"`
 }
 
 type ApprovalRuleTemplateAssociationParameters struct {
diff --git a/apis/codecommit/v1beta1/zz_generated.deepcopy.go b/apis/codecommit/v1beta1/zz_generated.deepcopy.go
index 6aded9f482..c8b160337d 100644
--- a/apis/codecommit/v1beta1/zz_generated.deepcopy.go
+++ b/apis/codecommit/v1beta1/zz_generated.deepcopy.go
@@ -103,11 +103,21 @@ func (in *ApprovalRuleTemplateAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApprovalRuleTemplateAssociationObservation) DeepCopyInto(out *ApprovalRuleTemplateAssociationObservation) {
 	*out = *in
+	if in.ApprovalRuleTemplateName != nil {
+		in, out := &in.ApprovalRuleTemplateName, &out.ApprovalRuleTemplateName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RepositoryName != nil {
+		in, out := &in.RepositoryName, &out.RepositoryName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApprovalRuleTemplateAssociationObservation.
@@ -244,11 +254,21 @@ func (in *ApprovalRuleTemplateObservation) DeepCopyInto(out *ApprovalRuleTemplat
 		*out = new(string)
 		**out = **in
 	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreationDate != nil {
 		in, out := &in.CreationDate, &out.CreationDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -422,6 +442,16 @@ func (in *RepositoryObservation) DeepCopyInto(out *RepositoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultBranch != nil {
+		in, out := &in.DefaultBranch, &out.DefaultBranch
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -432,6 +462,21 @@ func (in *RepositoryObservation) DeepCopyInto(out *RepositoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -610,6 +655,18 @@ func (in *TriggerObservation) DeepCopyInto(out *TriggerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RepositoryName != nil {
+		in, out := &in.RepositoryName, &out.RepositoryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Trigger != nil {
+		in, out := &in.Trigger, &out.Trigger
+		*out = make([]TriggerTriggerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TriggerObservation.
@@ -701,6 +758,43 @@ func (in *TriggerStatus) DeepCopy() *TriggerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TriggerTriggerObservation) DeepCopyInto(out *TriggerTriggerObservation) {
 	*out = *in
+	if in.Branches != nil {
+		in, out := &in.Branches, &out.Branches
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomData != nil {
+		in, out := &in.CustomData, &out.CustomData
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TriggerTriggerObservation.
diff --git a/apis/codecommit/v1beta1/zz_repository_types.go b/apis/codecommit/v1beta1/zz_repository_types.go
index fcba873f9a..30075f3c71 100755
--- a/apis/codecommit/v1beta1/zz_repository_types.go
+++ b/apis/codecommit/v1beta1/zz_repository_types.go
@@ -24,11 +24,20 @@ type RepositoryObservation struct {
 	// The URL to use for cloning the repository over SSH.
 	CloneURLSSH *string `json:"cloneUrlSsh,omitempty" tf:"clone_url_ssh,omitempty"`
 
+	// The default branch of the repository. The branch specified here needs to exist.
+	DefaultBranch *string `json:"defaultBranch,omitempty" tf:"default_branch,omitempty"`
+
+	// The description of the repository. This needs to be less than 1000 characters
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The ID of the repository
 	RepositoryID *string `json:"repositoryId,omitempty" tf:"repository_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/codecommit/v1beta1/zz_trigger_types.go b/apis/codecommit/v1beta1/zz_trigger_types.go
index 02d092ff00..d4b2f4ac0b 100755
--- a/apis/codecommit/v1beta1/zz_trigger_types.go
+++ b/apis/codecommit/v1beta1/zz_trigger_types.go
@@ -19,6 +19,11 @@ type TriggerObservation struct {
 	ConfigurationID *string `json:"configurationId,omitempty" tf:"configuration_id,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name for the repository. This needs to be less than 100 characters.
+	RepositoryName *string `json:"repositoryName,omitempty" tf:"repository_name,omitempty"`
+
+	Trigger []TriggerTriggerObservation `json:"trigger,omitempty" tf:"trigger,omitempty"`
 }
 
 type TriggerParameters struct {
@@ -41,11 +46,26 @@ type TriggerParameters struct {
 	// +kubebuilder:validation:Optional
 	RepositoryNameSelector *v1.Selector `json:"repositoryNameSelector,omitempty" tf:"-"`
 
-	// +kubebuilder:validation:Required
-	Trigger []TriggerTriggerParameters `json:"trigger" tf:"trigger,omitempty"`
+	// +kubebuilder:validation:Optional
+	Trigger []TriggerTriggerParameters `json:"trigger,omitempty" tf:"trigger,omitempty"`
 }
 
 type TriggerTriggerObservation struct {
+
+	// The branches that will be included in the trigger configuration. If no branches are specified, the trigger will apply to all branches.
+	Branches []*string `json:"branches,omitempty" tf:"branches,omitempty"`
+
+	// Any custom data associated with the trigger that will be included in the information sent to the target of the trigger.
+	CustomData *string `json:"customData,omitempty" tf:"custom_data,omitempty"`
+
+	// The ARN of the resource that is the target for a trigger. For example, the ARN of a topic in Amazon Simple Notification Service (SNS).
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
+
+	// The repository events that will cause the trigger to run actions in another service, such as sending a notification through Amazon Simple Notification Service (SNS). If no events are specified, the trigger will run for all repository events. Event types include: all, updateReference, createReference, deleteReference.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
+
+	// The name of the trigger.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type TriggerTriggerParameters struct {
@@ -105,8 +125,9 @@ type TriggerStatus struct {
 type Trigger struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TriggerSpec   `json:"spec"`
-	Status            TriggerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.trigger)",message="trigger is a required parameter"
+	Spec   TriggerSpec   `json:"spec"`
+	Status TriggerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codepipeline/v1beta1/zz_codepipeline_types.go b/apis/codepipeline/v1beta1/zz_codepipeline_types.go
index 87cb1857d8..eee7815f4c 100755
--- a/apis/codepipeline/v1beta1/zz_codepipeline_types.go
+++ b/apis/codepipeline/v1beta1/zz_codepipeline_types.go
@@ -14,6 +14,42 @@ import (
 )
 
 type ActionObservation struct {
+
+	// A category defines what kind of action can be taken in the stage, and constrains the provider type for the action. Possible values are Approval, Build, Deploy, Invoke, Source and Test.
+	Category *string `json:"category,omitempty" tf:"category,omitempty"`
+
+	// A map of the action declaration's configuration. Configurations options for action types and providers can be found in the Pipeline Structure Reference and Action Structure Reference documentation.
+	Configuration map[string]*string `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// A list of artifact names to be worked on.
+	InputArtifacts []*string `json:"inputArtifacts,omitempty" tf:"input_artifacts,omitempty"`
+
+	// The action declaration's name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The namespace all output variables will be accessed from.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// A list of artifact names to output. Output artifact names must be unique within a pipeline.
+	OutputArtifacts []*string `json:"outputArtifacts,omitempty" tf:"output_artifacts,omitempty"`
+
+	// The creator of the action being called. Possible values are AWS, Custom and ThirdParty.
+	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
+
+	// The provider of the service being called by the action. Valid providers are determined by the action category. Provider names are listed in the Action Structure Reference documentation.
+	Provider *string `json:"provider,omitempty" tf:"provider,omitempty"`
+
+	// The region in which to run the action.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// The ARN of the IAM service role that will perform the declared action. This is assumed through the roleArn for the pipeline.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The order in which actions are run.
+	RunOrder *float64 `json:"runOrder,omitempty" tf:"run_order,omitempty"`
+
+	// A string that identifies the action type.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type ActionParameters struct {
@@ -68,6 +104,18 @@ type ActionParameters struct {
 }
 
 type ArtifactStoreObservation struct {
+
+	// The encryption key block AWS CodePipeline uses to encrypt the data in the artifact store, such as an AWS Key Management Service (AWS KMS) key. If you don't specify a key, AWS CodePipeline uses the default key for Amazon Simple Storage Service (Amazon S3). An encryption_key block is documented below.
+	EncryptionKey []EncryptionKeyObservation `json:"encryptionKey,omitempty" tf:"encryption_key,omitempty"`
+
+	// The location where AWS CodePipeline stores artifacts for a pipeline; currently only S3 is supported.
+	Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+	// The region where the artifact store is located. Required for a cross-region CodePipeline, do not provide for a single-region CodePipeline.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// The type of the artifact store, such as Amazon S3
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ArtifactStoreParameters struct {
@@ -103,9 +151,21 @@ type CodepipelineObservation struct {
 	// The codepipeline ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// One or more artifact_store blocks. Artifact stores are documented below.
+	ArtifactStore []ArtifactStoreObservation `json:"artifactStore,omitempty" tf:"artifact_store,omitempty"`
+
 	// The codepipeline ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A service role Amazon Resource Name (ARN) that grants AWS CodePipeline permission to make calls to AWS services on your behalf.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// (Minimum of at least two stage blocks is required) A stage block. Stages are documented below.
+	Stage []StageObservation `json:"stage,omitempty" tf:"stage,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -113,8 +173,8 @@ type CodepipelineObservation struct {
 type CodepipelineParameters struct {
 
 	// One or more artifact_store blocks. Artifact stores are documented below.
-	// +kubebuilder:validation:Required
-	ArtifactStore []ArtifactStoreParameters `json:"artifactStore" tf:"artifact_store,omitempty"`
+	// +kubebuilder:validation:Optional
+	ArtifactStore []ArtifactStoreParameters `json:"artifactStore,omitempty" tf:"artifact_store,omitempty"`
 
 	// The region in which to run the action.
 	// Region is the region you'd like your resource to be created in.
@@ -137,8 +197,8 @@ type CodepipelineParameters struct {
 	RoleArnSelector *v1.Selector `json:"roleArnSelector,omitempty" tf:"-"`
 
 	// (Minimum of at least two stage blocks is required) A stage block. Stages are documented below.
-	// +kubebuilder:validation:Required
-	Stage []StageParameters `json:"stage" tf:"stage,omitempty"`
+	// +kubebuilder:validation:Optional
+	Stage []StageParameters `json:"stage,omitempty" tf:"stage,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -146,6 +206,12 @@ type CodepipelineParameters struct {
 }
 
 type EncryptionKeyObservation struct {
+
+	// The KMS key ARN or ID
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The type of key; currently only KMS is supported
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EncryptionKeyParameters struct {
@@ -160,6 +226,12 @@ type EncryptionKeyParameters struct {
 }
 
 type StageObservation struct {
+
+	// The action(s) to include in the stage. Defined as an action block below
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// The name of the stage.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type StageParameters struct {
@@ -197,8 +269,10 @@ type CodepipelineStatus struct {
 type Codepipeline struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CodepipelineSpec   `json:"spec"`
-	Status            CodepipelineStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.artifactStore)",message="artifactStore is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stage)",message="stage is a required parameter"
+	Spec   CodepipelineSpec   `json:"spec"`
+	Status CodepipelineStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codepipeline/v1beta1/zz_customactiontype_types.go b/apis/codepipeline/v1beta1/zz_customactiontype_types.go
index c1cca9b71f..d8016908e0 100755
--- a/apis/codepipeline/v1beta1/zz_customactiontype_types.go
+++ b/apis/codepipeline/v1beta1/zz_customactiontype_types.go
@@ -14,6 +14,27 @@ import (
 )
 
 type ConfigurationPropertyObservation struct {
+
+	// The description of the action configuration property.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether the configuration property is a key.
+	Key *bool `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The name of the action configuration property.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Indicates that the property will be used in conjunction with PollForJobs.
+	Queryable *bool `json:"queryable,omitempty" tf:"queryable,omitempty"`
+
+	// Whether the configuration property is a required value.
+	Required *bool `json:"required,omitempty" tf:"required,omitempty"`
+
+	// Whether the configuration property is secret.
+	Secret *bool `json:"secret,omitempty" tf:"secret,omitempty"`
+
+	// The type of the configuration property. Valid values: String, Number, Boolean
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ConfigurationPropertyParameters struct {
@@ -52,37 +73,61 @@ type CustomActionTypeObservation struct {
 	// The action ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The category of the custom action. Valid values: Source, Build, Deploy, Test, Invoke, Approval
+	Category *string `json:"category,omitempty" tf:"category,omitempty"`
+
+	// The configuration properties for the custom action. Max 10 items.
+	ConfigurationProperty []ConfigurationPropertyObservation `json:"configurationProperty,omitempty" tf:"configuration_property,omitempty"`
+
 	// Composed of category, provider and version
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The details of the input artifact for the action.
+	InputArtifactDetails []InputArtifactDetailsObservation `json:"inputArtifactDetails,omitempty" tf:"input_artifact_details,omitempty"`
+
+	// The details of the output artifact of the action.
+	OutputArtifactDetails []OutputArtifactDetailsObservation `json:"outputArtifactDetails,omitempty" tf:"output_artifact_details,omitempty"`
+
 	// The creator of the action being called.
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 
+	// The provider of the service used in the custom action
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
+
+	// The settings for an action type.
+	Settings []SettingsObservation `json:"settings,omitempty" tf:"settings,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The version identifier of the custom action.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type CustomActionTypeParameters struct {
 
 	// The category of the custom action. Valid values: Source, Build, Deploy, Test, Invoke, Approval
-	// +kubebuilder:validation:Required
-	Category *string `json:"category" tf:"category,omitempty"`
+	// +kubebuilder:validation:Optional
+	Category *string `json:"category,omitempty" tf:"category,omitempty"`
 
 	// The configuration properties for the custom action. Max 10 items.
 	// +kubebuilder:validation:Optional
 	ConfigurationProperty []ConfigurationPropertyParameters `json:"configurationProperty,omitempty" tf:"configuration_property,omitempty"`
 
 	// The details of the input artifact for the action.
-	// +kubebuilder:validation:Required
-	InputArtifactDetails []InputArtifactDetailsParameters `json:"inputArtifactDetails" tf:"input_artifact_details,omitempty"`
+	// +kubebuilder:validation:Optional
+	InputArtifactDetails []InputArtifactDetailsParameters `json:"inputArtifactDetails,omitempty" tf:"input_artifact_details,omitempty"`
 
 	// The details of the output artifact of the action.
-	// +kubebuilder:validation:Required
-	OutputArtifactDetails []OutputArtifactDetailsParameters `json:"outputArtifactDetails" tf:"output_artifact_details,omitempty"`
+	// +kubebuilder:validation:Optional
+	OutputArtifactDetails []OutputArtifactDetailsParameters `json:"outputArtifactDetails,omitempty" tf:"output_artifact_details,omitempty"`
 
 	// The provider of the service used in the custom action
-	// +kubebuilder:validation:Required
-	ProviderName *string `json:"providerName" tf:"provider_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -98,11 +143,17 @@ type CustomActionTypeParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The version identifier of the custom action.
-	// +kubebuilder:validation:Required
-	Version *string `json:"version" tf:"version,omitempty"`
+	// +kubebuilder:validation:Optional
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type InputArtifactDetailsObservation struct {
+
+	// The maximum number of artifacts allowed for the action type. Min: 0, Max: 5
+	MaximumCount *float64 `json:"maximumCount,omitempty" tf:"maximum_count,omitempty"`
+
+	// The minimum number of artifacts allowed for the action type. Min: 0, Max: 5
+	MinimumCount *float64 `json:"minimumCount,omitempty" tf:"minimum_count,omitempty"`
 }
 
 type InputArtifactDetailsParameters struct {
@@ -117,6 +168,12 @@ type InputArtifactDetailsParameters struct {
 }
 
 type OutputArtifactDetailsObservation struct {
+
+	// The maximum number of artifacts allowed for the action type. Min: 0, Max: 5
+	MaximumCount *float64 `json:"maximumCount,omitempty" tf:"maximum_count,omitempty"`
+
+	// The minimum number of artifacts allowed for the action type. Min: 0, Max: 5
+	MinimumCount *float64 `json:"minimumCount,omitempty" tf:"minimum_count,omitempty"`
 }
 
 type OutputArtifactDetailsParameters struct {
@@ -131,6 +188,18 @@ type OutputArtifactDetailsParameters struct {
 }
 
 type SettingsObservation struct {
+
+	// The URL returned to the AWS CodePipeline console that provides a deep link to the resources of the external system.
+	EntityURLTemplate *string `json:"entityUrlTemplate,omitempty" tf:"entity_url_template,omitempty"`
+
+	// The URL returned to the AWS CodePipeline console that contains a link to the top-level landing page for the external system.
+	ExecutionURLTemplate *string `json:"executionUrlTemplate,omitempty" tf:"execution_url_template,omitempty"`
+
+	// The URL returned to the AWS CodePipeline console that contains a link to the page where customers can update or change the configuration of the external action.
+	RevisionURLTemplate *string `json:"revisionUrlTemplate,omitempty" tf:"revision_url_template,omitempty"`
+
+	// The URL of a sign-up page where users can sign up for an external service and perform initial configuration of the action provided by that service.
+	ThirdPartyConfigurationURL *string `json:"thirdPartyConfigurationUrl,omitempty" tf:"third_party_configuration_url,omitempty"`
 }
 
 type SettingsParameters struct {
@@ -176,8 +245,13 @@ type CustomActionTypeStatus struct {
 type CustomActionType struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CustomActionTypeSpec   `json:"spec"`
-	Status            CustomActionTypeStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.category)",message="category is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputArtifactDetails)",message="inputArtifactDetails is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outputArtifactDetails)",message="outputArtifactDetails is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerName)",message="providerName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)",message="version is a required parameter"
+	Spec   CustomActionTypeSpec   `json:"spec"`
+	Status CustomActionTypeStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codepipeline/v1beta1/zz_generated.deepcopy.go b/apis/codepipeline/v1beta1/zz_generated.deepcopy.go
index 1ee22d474e..be9f21ccbc 100644
--- a/apis/codepipeline/v1beta1/zz_generated.deepcopy.go
+++ b/apis/codepipeline/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,88 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.Category != nil {
+		in, out := &in.Category, &out.Category
+		*out = new(string)
+		**out = **in
+	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.InputArtifacts != nil {
+		in, out := &in.InputArtifacts, &out.InputArtifacts
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputArtifacts != nil {
+		in, out := &in.OutputArtifacts, &out.OutputArtifacts
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Owner != nil {
+		in, out := &in.Owner, &out.Owner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Provider != nil {
+		in, out := &in.Provider, &out.Provider
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RunOrder != nil {
+		in, out := &in.RunOrder, &out.RunOrder
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -129,6 +211,28 @@ func (in *ActionParameters) DeepCopy() *ActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ArtifactStoreObservation) DeepCopyInto(out *ArtifactStoreObservation) {
 	*out = *in
+	if in.EncryptionKey != nil {
+		in, out := &in.EncryptionKey, &out.EncryptionKey
+		*out = make([]EncryptionKeyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArtifactStoreObservation.
@@ -191,6 +295,11 @@ func (in *ArtifactStoreParameters) DeepCopy() *ArtifactStoreParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthenticationConfigurationObservation) DeepCopyInto(out *AuthenticationConfigurationObservation) {
 	*out = *in
+	if in.AllowedIPRange != nil {
+		in, out := &in.AllowedIPRange, &out.AllowedIPRange
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationConfigurationObservation.
@@ -295,11 +404,45 @@ func (in *CodepipelineObservation) DeepCopyInto(out *CodepipelineObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ArtifactStore != nil {
+		in, out := &in.ArtifactStore, &out.ArtifactStore
+		*out = make([]ArtifactStoreObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Stage != nil {
+		in, out := &in.Stage, &out.Stage
+		*out = make([]StageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -428,6 +571,41 @@ func (in *CodepipelineStatus) DeepCopy() *CodepipelineStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationPropertyObservation) DeepCopyInto(out *ConfigurationPropertyObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Queryable != nil {
+		in, out := &in.Queryable, &out.Queryable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Required != nil {
+		in, out := &in.Required, &out.Required
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Secret != nil {
+		in, out := &in.Secret, &out.Secret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationPropertyObservation.
@@ -557,16 +735,69 @@ func (in *CustomActionTypeObservation) DeepCopyInto(out *CustomActionTypeObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Category != nil {
+		in, out := &in.Category, &out.Category
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConfigurationProperty != nil {
+		in, out := &in.ConfigurationProperty, &out.ConfigurationProperty
+		*out = make([]ConfigurationPropertyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InputArtifactDetails != nil {
+		in, out := &in.InputArtifactDetails, &out.InputArtifactDetails
+		*out = make([]InputArtifactDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputArtifactDetails != nil {
+		in, out := &in.OutputArtifactDetails, &out.OutputArtifactDetails
+		*out = make([]OutputArtifactDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Owner != nil {
 		in, out := &in.Owner, &out.Owner
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProviderName != nil {
+		in, out := &in.ProviderName, &out.ProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Settings != nil {
+		in, out := &in.Settings, &out.Settings
+		*out = make([]SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -582,6 +813,11 @@ func (in *CustomActionTypeObservation) DeepCopyInto(out *CustomActionTypeObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomActionTypeObservation.
@@ -709,6 +945,16 @@ func (in *CustomActionTypeStatus) DeepCopy() *CustomActionTypeStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionKeyObservation) DeepCopyInto(out *EncryptionKeyObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionKeyObservation.
@@ -749,6 +995,16 @@ func (in *EncryptionKeyParameters) DeepCopy() *EncryptionKeyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterObservation) DeepCopyInto(out *FilterObservation) {
 	*out = *in
+	if in.JSONPath != nil {
+		in, out := &in.JSONPath, &out.JSONPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.MatchEquals != nil {
+		in, out := &in.MatchEquals, &out.MatchEquals
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterObservation.
@@ -789,6 +1045,16 @@ func (in *FilterParameters) DeepCopy() *FilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputArtifactDetailsObservation) DeepCopyInto(out *InputArtifactDetailsObservation) {
 	*out = *in
+	if in.MaximumCount != nil {
+		in, out := &in.MaximumCount, &out.MaximumCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinimumCount != nil {
+		in, out := &in.MinimumCount, &out.MinimumCount
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputArtifactDetailsObservation.
@@ -829,6 +1095,16 @@ func (in *InputArtifactDetailsParameters) DeepCopy() *InputArtifactDetailsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputArtifactDetailsObservation) DeepCopyInto(out *OutputArtifactDetailsObservation) {
 	*out = *in
+	if in.MaximumCount != nil {
+		in, out := &in.MaximumCount, &out.MaximumCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinimumCount != nil {
+		in, out := &in.MinimumCount, &out.MinimumCount
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputArtifactDetailsObservation.
@@ -869,6 +1145,26 @@ func (in *OutputArtifactDetailsParameters) DeepCopy() *OutputArtifactDetailsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SettingsObservation) DeepCopyInto(out *SettingsObservation) {
 	*out = *in
+	if in.EntityURLTemplate != nil {
+		in, out := &in.EntityURLTemplate, &out.EntityURLTemplate
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExecutionURLTemplate != nil {
+		in, out := &in.ExecutionURLTemplate, &out.ExecutionURLTemplate
+		*out = new(string)
+		**out = **in
+	}
+	if in.RevisionURLTemplate != nil {
+		in, out := &in.RevisionURLTemplate, &out.RevisionURLTemplate
+		*out = new(string)
+		**out = **in
+	}
+	if in.ThirdPartyConfigurationURL != nil {
+		in, out := &in.ThirdPartyConfigurationURL, &out.ThirdPartyConfigurationURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SettingsObservation.
@@ -919,6 +1215,18 @@ func (in *SettingsParameters) DeepCopy() *SettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StageObservation) DeepCopyInto(out *StageObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StageObservation.
@@ -1025,11 +1333,45 @@ func (in *WebhookObservation) DeepCopyInto(out *WebhookObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Authentication != nil {
+		in, out := &in.Authentication, &out.Authentication
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthenticationConfiguration != nil {
+		in, out := &in.AuthenticationConfiguration, &out.AuthenticationConfiguration
+		*out = make([]AuthenticationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]FilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1045,6 +1387,16 @@ func (in *WebhookObservation) DeepCopyInto(out *WebhookObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetAction != nil {
+		in, out := &in.TargetAction, &out.TargetAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetPipeline != nil {
+		in, out := &in.TargetPipeline, &out.TargetPipeline
+		*out = new(string)
+		**out = **in
+	}
 	if in.URL != nil {
 		in, out := &in.URL, &out.URL
 		*out = new(string)
diff --git a/apis/codepipeline/v1beta1/zz_webhook_types.go b/apis/codepipeline/v1beta1/zz_webhook_types.go
index 36e230a12e..9be211ae49 100755
--- a/apis/codepipeline/v1beta1/zz_webhook_types.go
+++ b/apis/codepipeline/v1beta1/zz_webhook_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AuthenticationConfigurationObservation struct {
+
+	// A valid CIDR block for IP filtering. Required for IP.
+	AllowedIPRange *string `json:"allowedIpRange,omitempty" tf:"allowed_ip_range,omitempty"`
 }
 
 type AuthenticationConfigurationParameters struct {
@@ -28,6 +31,12 @@ type AuthenticationConfigurationParameters struct {
 }
 
 type FilterObservation struct {
+
+	// The JSON path to filter on.
+	JSONPath *string `json:"jsonPath,omitempty" tf:"json_path,omitempty"`
+
+	// The value to match on (e.g., refs/heads/{Branch}). See AWS docs for details.
+	MatchEquals *string `json:"matchEquals,omitempty" tf:"match_equals,omitempty"`
 }
 
 type FilterParameters struct {
@@ -46,12 +55,30 @@ type WebhookObservation struct {
 	// The CodePipeline webhook's ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The type of authentication  to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED.
+	Authentication *string `json:"authentication,omitempty" tf:"authentication,omitempty"`
+
+	// An auth block. Required for IP and GITHUB_HMAC. Auth blocks are documented below.
+	AuthenticationConfiguration []AuthenticationConfigurationObservation `json:"authenticationConfiguration,omitempty" tf:"authentication_configuration,omitempty"`
+
+	// One or more filter blocks. Filter blocks are documented below.
+	Filter []FilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
 	// The CodePipeline webhook's ARN.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline.
+	TargetAction *string `json:"targetAction,omitempty" tf:"target_action,omitempty"`
+
+	// The name of the pipeline.
+	TargetPipeline *string `json:"targetPipeline,omitempty" tf:"target_pipeline,omitempty"`
+
 	// The CodePipeline webhook's URL. POST events to this endpoint to trigger the target.
 	URL *string `json:"url,omitempty" tf:"url,omitempty"`
 }
@@ -59,16 +86,16 @@ type WebhookObservation struct {
 type WebhookParameters struct {
 
 	// The type of authentication  to use. One of IP, GITHUB_HMAC, or UNAUTHENTICATED.
-	// +kubebuilder:validation:Required
-	Authentication *string `json:"authentication" tf:"authentication,omitempty"`
+	// +kubebuilder:validation:Optional
+	Authentication *string `json:"authentication,omitempty" tf:"authentication,omitempty"`
 
 	// An auth block. Required for IP and GITHUB_HMAC. Auth blocks are documented below.
 	// +kubebuilder:validation:Optional
 	AuthenticationConfiguration []AuthenticationConfigurationParameters `json:"authenticationConfiguration,omitempty" tf:"authentication_configuration,omitempty"`
 
 	// One or more filter blocks. Filter blocks are documented below.
-	// +kubebuilder:validation:Required
-	Filter []FilterParameters `json:"filter" tf:"filter,omitempty"`
+	// +kubebuilder:validation:Optional
+	Filter []FilterParameters `json:"filter,omitempty" tf:"filter,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -80,8 +107,8 @@ type WebhookParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The name of the action in a pipeline you want to connect to the webhook. The action must be from the source (first) stage of the pipeline.
-	// +kubebuilder:validation:Required
-	TargetAction *string `json:"targetAction" tf:"target_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetAction *string `json:"targetAction,omitempty" tf:"target_action,omitempty"`
 
 	// The name of the pipeline.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/codepipeline/v1beta1.Codepipeline
@@ -121,8 +148,11 @@ type WebhookStatus struct {
 type Webhook struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WebhookSpec   `json:"spec"`
-	Status            WebhookStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authentication)",message="authentication is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filter)",message="filter is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetAction)",message="targetAction is a required parameter"
+	Spec   WebhookSpec   `json:"spec"`
+	Status WebhookStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codestarconnections/v1beta1/zz_connection_types.go b/apis/codestarconnections/v1beta1/zz_connection_types.go
index cdee652b0d..8510bc9c81 100755
--- a/apis/codestarconnections/v1beta1/zz_connection_types.go
+++ b/apis/codestarconnections/v1beta1/zz_connection_types.go
@@ -21,9 +21,21 @@ type ConnectionObservation struct {
 	// The codestar connection status. Possible values are PENDING, AVAILABLE and ERROR.
 	ConnectionStatus *string `json:"connectionStatus,omitempty" tf:"connection_status,omitempty"`
 
+	// The Amazon Resource Name (ARN) of the host associated with the connection. Conflicts with provider_type
+	HostArn *string `json:"hostArn,omitempty" tf:"host_arn,omitempty"`
+
 	// The codestar connection ARN.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the connection to be created. The name must be unique in the calling AWS account. Changing name will create a new resource.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The name of the external provider where your third-party code repository is configured. Valid values are Bitbucket, GitHub or GitHubEnterpriseServer. Changing provider_type will create a new resource. Conflicts with host_arn
+	ProviderType *string `json:"providerType,omitempty" tf:"provider_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,8 +47,8 @@ type ConnectionParameters struct {
 	HostArn *string `json:"hostArn,omitempty" tf:"host_arn,omitempty"`
 
 	// The name of the connection to be created. The name must be unique in the calling AWS account. Changing name will create a new resource.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The name of the external provider where your third-party code repository is configured. Valid values are Bitbucket, GitHub or GitHubEnterpriseServer. Changing provider_type will create a new resource. Conflicts with host_arn
 	// +kubebuilder:validation:Optional
@@ -76,8 +88,9 @@ type ConnectionStatus struct {
 type Connection struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConnectionSpec   `json:"spec"`
-	Status            ConnectionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ConnectionSpec   `json:"spec"`
+	Status ConnectionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codestarconnections/v1beta1/zz_generated.deepcopy.go b/apis/codestarconnections/v1beta1/zz_generated.deepcopy.go
index 0997faeed4..3a5ca8ca8c 100644
--- a/apis/codestarconnections/v1beta1/zz_generated.deepcopy.go
+++ b/apis/codestarconnections/v1beta1/zz_generated.deepcopy.go
@@ -85,11 +85,41 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.HostArn != nil {
+		in, out := &in.HostArn, &out.HostArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProviderType != nil {
+		in, out := &in.ProviderType, &out.ProviderType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -273,11 +303,33 @@ func (in *HostObservation) DeepCopyInto(out *HostObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProviderEndpoint != nil {
+		in, out := &in.ProviderEndpoint, &out.ProviderEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProviderType != nil {
+		in, out := &in.ProviderType, &out.ProviderType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCConfiguration != nil {
+		in, out := &in.VPCConfiguration, &out.VPCConfiguration
+		*out = make([]VPCConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostObservation.
@@ -369,6 +421,38 @@ func (in *HostStatus) DeepCopy() *HostStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigurationObservation) DeepCopyInto(out *VPCConfigurationObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TLSCertificate != nil {
+		in, out := &in.TLSCertificate, &out.TLSCertificate
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCConfigurationObservation.
diff --git a/apis/codestarconnections/v1beta1/zz_host_types.go b/apis/codestarconnections/v1beta1/zz_host_types.go
index 06b4910f19..300986fe47 100755
--- a/apis/codestarconnections/v1beta1/zz_host_types.go
+++ b/apis/codestarconnections/v1beta1/zz_host_types.go
@@ -21,23 +21,35 @@ type HostObservation struct {
 	// The CodeStar Host ARN.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the host to be created. The name must be unique in the calling AWS account.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The endpoint of the infrastructure to be represented by the host after it is created.
+	ProviderEndpoint *string `json:"providerEndpoint,omitempty" tf:"provider_endpoint,omitempty"`
+
+	// The name of the external provider where your third-party code repository is configured.
+	ProviderType *string `json:"providerType,omitempty" tf:"provider_type,omitempty"`
+
 	// The CodeStar Host status. Possible values are PENDING, AVAILABLE, VPC_CONFIG_DELETING, VPC_CONFIG_INITIALIZING, and VPC_CONFIG_FAILED_INITIALIZATION.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// The VPC configuration to be provisioned for the host. A VPC must be configured, and the infrastructure to be represented by the host must already be connected to the VPC.
+	VPCConfiguration []VPCConfigurationObservation `json:"vpcConfiguration,omitempty" tf:"vpc_configuration,omitempty"`
 }
 
 type HostParameters struct {
 
 	// The name of the host to be created. The name must be unique in the calling AWS account.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The endpoint of the infrastructure to be represented by the host after it is created.
-	// +kubebuilder:validation:Required
-	ProviderEndpoint *string `json:"providerEndpoint" tf:"provider_endpoint,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderEndpoint *string `json:"providerEndpoint,omitempty" tf:"provider_endpoint,omitempty"`
 
 	// The name of the external provider where your third-party code repository is configured.
-	// +kubebuilder:validation:Required
-	ProviderType *string `json:"providerType" tf:"provider_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderType *string `json:"providerType,omitempty" tf:"provider_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -50,6 +62,18 @@ type HostParameters struct {
 }
 
 type VPCConfigurationObservation struct {
+
+	// he ID of the security group or security groups associated with the Amazon VPC connected to the infrastructure where your provider type is installed.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// The ID of the subnet or subnets associated with the Amazon VPC connected to the infrastructure where your provider type is installed.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// The value of the Transport Layer Security (TLS) certificate associated with the infrastructure where your provider type is installed.
+	TLSCertificate *string `json:"tlsCertificate,omitempty" tf:"tls_certificate,omitempty"`
+
+	// The ID of the Amazon VPC connected to the infrastructure where your provider type is installed.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCConfigurationParameters struct {
@@ -95,8 +119,11 @@ type HostStatus struct {
 type Host struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HostSpec   `json:"spec"`
-	Status            HostStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerEndpoint)",message="providerEndpoint is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerType)",message="providerType is a required parameter"
+	Spec   HostSpec   `json:"spec"`
+	Status HostStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/codestarnotifications/v1beta1/zz_generated.deepcopy.go b/apis/codestarnotifications/v1beta1/zz_generated.deepcopy.go
index f5e659d52c..fd8745aeed 100644
--- a/apis/codestarnotifications/v1beta1/zz_generated.deepcopy.go
+++ b/apis/codestarnotifications/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,57 @@ func (in *NotificationRuleObservation) DeepCopyInto(out *NotificationRuleObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.DetailType != nil {
+		in, out := &in.DetailType, &out.DetailType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventTypeIds != nil {
+		in, out := &in.EventTypeIds, &out.EventTypeIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -240,11 +286,21 @@ func (in *NotificationRuleStatus) DeepCopy() *NotificationRuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 	*out = *in
+	if in.Address != nil {
+		in, out := &in.Address, &out.Address
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
diff --git a/apis/codestarnotifications/v1beta1/zz_notificationrule_types.go b/apis/codestarnotifications/v1beta1/zz_notificationrule_types.go
index a9ef812872..0f392ada6b 100755
--- a/apis/codestarnotifications/v1beta1/zz_notificationrule_types.go
+++ b/apis/codestarnotifications/v1beta1/zz_notificationrule_types.go
@@ -18,31 +18,49 @@ type NotificationRuleObservation struct {
 	// The codestar notification rule ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The level of detail to include in the notifications for this resource. Possible values are BASIC and FULL.
+	DetailType *string `json:"detailType,omitempty" tf:"detail_type,omitempty"`
+
+	// A list of event types associated with this notification rule.
+	// For list of allowed events see here.
+	EventTypeIds []*string `json:"eventTypeIds,omitempty" tf:"event_type_ids,omitempty"`
+
 	// The codestar notification rule ARN.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of notification rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ARN of the resource to associate with the notification rule.
+	Resource *string `json:"resource,omitempty" tf:"resource,omitempty"`
+
+	// The status of the notification rule. Possible values are ENABLED and DISABLED, default is ENABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Configuration blocks containing notification target information. Can be specified multiple times. At least one target must be specified on creation.
-	// +kubebuilder:validation:Optional
 	Target []TargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type NotificationRuleParameters struct {
 
 	// The level of detail to include in the notifications for this resource. Possible values are BASIC and FULL.
-	// +kubebuilder:validation:Required
-	DetailType *string `json:"detailType" tf:"detail_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	DetailType *string `json:"detailType,omitempty" tf:"detail_type,omitempty"`
 
 	// A list of event types associated with this notification rule.
 	// For list of allowed events see here.
-	// +kubebuilder:validation:Required
-	EventTypeIds []*string `json:"eventTypeIds" tf:"event_type_ids,omitempty"`
+	// +kubebuilder:validation:Optional
+	EventTypeIds []*string `json:"eventTypeIds,omitempty" tf:"event_type_ids,omitempty"`
 
 	// The name of notification rule.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -78,8 +96,14 @@ type NotificationRuleParameters struct {
 
 type TargetObservation struct {
 
+	// The ARN of notification rule target. For example, a SNS Topic ARN.
+	Address *string `json:"address,omitempty" tf:"address,omitempty"`
+
 	// The status of the notification rule. Possible values are ENABLED and DISABLED, default is ENABLED.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// The type of the notification target. Default value is SNS.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type TargetParameters struct {
@@ -127,8 +151,11 @@ type NotificationRuleStatus struct {
 type NotificationRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NotificationRuleSpec   `json:"spec"`
-	Status            NotificationRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.detailType)",message="detailType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventTypeIds)",message="eventTypeIds is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   NotificationRuleSpec   `json:"spec"`
+	Status NotificationRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidentity/v1beta1/zz_cognitoidentitypoolproviderprincipaltag_types.go b/apis/cognitoidentity/v1beta1/zz_cognitoidentitypoolproviderprincipaltag_types.go
index b37cff7cc9..9fa6cf20d7 100755
--- a/apis/cognitoidentity/v1beta1/zz_cognitoidentitypoolproviderprincipaltag_types.go
+++ b/apis/cognitoidentity/v1beta1/zz_cognitoidentitypoolproviderprincipaltag_types.go
@@ -15,6 +15,18 @@ import (
 
 type CognitoIdentityPoolProviderPrincipalTagObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// An identity pool ID.
+	IdentityPoolID *string `json:"identityPoolId,omitempty" tf:"identity_pool_id,omitempty"`
+
+	// The name of the identity provider.
+	IdentityProviderName *string `json:"identityProviderName,omitempty" tf:"identity_provider_name,omitempty"`
+
+	// String to string map of variables.
+	PrincipalTags map[string]*string `json:"principalTags,omitempty" tf:"principal_tags,omitempty"`
+
+	// :  use default (username and clientID) attribute mappings.
+	UseDefaults *bool `json:"useDefaults,omitempty" tf:"use_defaults,omitempty"`
 }
 
 type CognitoIdentityPoolProviderPrincipalTagParameters struct {
diff --git a/apis/cognitoidentity/v1beta1/zz_generated.deepcopy.go b/apis/cognitoidentity/v1beta1/zz_generated.deepcopy.go
index 0dda0a4298..e2f1b289a6 100644
--- a/apis/cognitoidentity/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cognitoidentity/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,36 @@ func (in *CognitoIdentityPoolProviderPrincipalTagObservation) DeepCopyInto(out *
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentityPoolID != nil {
+		in, out := &in.IdentityPoolID, &out.IdentityPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdentityProviderName != nil {
+		in, out := &in.IdentityProviderName, &out.IdentityProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalTags != nil {
+		in, out := &in.PrincipalTags, &out.PrincipalTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UseDefaults != nil {
+		in, out := &in.UseDefaults, &out.UseDefaults
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CognitoIdentityPoolProviderPrincipalTagObservation.
@@ -200,6 +230,21 @@ func (in *CognitoIdentityPoolProviderPrincipalTagStatus) DeepCopy() *CognitoIden
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CognitoIdentityProvidersObservation) DeepCopyInto(out *CognitoIdentityProvidersObservation) {
 	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProviderName != nil {
+		in, out := &in.ProviderName, &out.ProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerSideTokenCheck != nil {
+		in, out := &in.ServerSideTokenCheck, &out.ServerSideTokenCheck
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CognitoIdentityProvidersObservation.
@@ -255,6 +300,26 @@ func (in *CognitoIdentityProvidersParameters) DeepCopy() *CognitoIdentityProvide
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MappingRuleObservation) DeepCopyInto(out *MappingRuleObservation) {
 	*out = *in
+	if in.Claim != nil {
+		in, out := &in.Claim, &out.Claim
+		*out = new(string)
+		**out = **in
+	}
+	if in.MatchType != nil {
+		in, out := &in.MatchType, &out.MatchType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MappingRuleObservation.
@@ -374,16 +439,95 @@ func (in *PoolList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PoolObservation) DeepCopyInto(out *PoolObservation) {
 	*out = *in
+	if in.AllowClassicFlow != nil {
+		in, out := &in.AllowClassicFlow, &out.AllowClassicFlow
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowUnauthenticatedIdentities != nil {
+		in, out := &in.AllowUnauthenticatedIdentities, &out.AllowUnauthenticatedIdentities
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.CognitoIdentityProviders != nil {
+		in, out := &in.CognitoIdentityProviders, &out.CognitoIdentityProviders
+		*out = make([]CognitoIdentityProvidersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeveloperProviderName != nil {
+		in, out := &in.DeveloperProviderName, &out.DeveloperProviderName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentityPoolName != nil {
+		in, out := &in.IdentityPoolName, &out.IdentityPoolName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OpenIDConnectProviderArns != nil {
+		in, out := &in.OpenIDConnectProviderArns, &out.OpenIDConnectProviderArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SAMLProviderArns != nil {
+		in, out := &in.SAMLProviderArns, &out.SAMLProviderArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SupportedLoginProviders != nil {
+		in, out := &in.SupportedLoginProviders, &out.SupportedLoginProviders
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -589,6 +733,33 @@ func (in *PoolRolesAttachmentObservation) DeepCopyInto(out *PoolRolesAttachmentO
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentityPoolID != nil {
+		in, out := &in.IdentityPoolID, &out.IdentityPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleMapping != nil {
+		in, out := &in.RoleMapping, &out.RoleMapping
+		*out = make([]RoleMappingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Roles != nil {
+		in, out := &in.Roles, &out.Roles
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PoolRolesAttachmentObservation.
@@ -729,6 +900,28 @@ func (in *PoolStatus) DeepCopy() *PoolStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RoleMappingObservation) DeepCopyInto(out *RoleMappingObservation) {
 	*out = *in
+	if in.AmbiguousRoleResolution != nil {
+		in, out := &in.AmbiguousRoleResolution, &out.AmbiguousRoleResolution
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdentityProvider != nil {
+		in, out := &in.IdentityProvider, &out.IdentityProvider
+		*out = new(string)
+		**out = **in
+	}
+	if in.MappingRule != nil {
+		in, out := &in.MappingRule, &out.MappingRule
+		*out = make([]MappingRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleMappingObservation.
diff --git a/apis/cognitoidentity/v1beta1/zz_pool_types.go b/apis/cognitoidentity/v1beta1/zz_pool_types.go
index 939e6f8883..2c1ca5bfdb 100755
--- a/apis/cognitoidentity/v1beta1/zz_pool_types.go
+++ b/apis/cognitoidentity/v1beta1/zz_pool_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CognitoIdentityProvidersObservation struct {
+
+	// The client ID for the Amazon Cognito Identity User Pool.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// The provider name for an Amazon Cognito Identity User Pool.
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
+
+	// Whether server-side token validation is enabled for the identity provider’s token or not.
+	ServerSideTokenCheck *bool `json:"serverSideTokenCheck,omitempty" tf:"server_side_token_check,omitempty"`
 }
 
 type CognitoIdentityProvidersParameters struct {
@@ -42,12 +51,40 @@ type CognitoIdentityProvidersParameters struct {
 
 type PoolObservation struct {
 
+	// Enables or disables the classic / basic authentication flow. Default is false.
+	AllowClassicFlow *bool `json:"allowClassicFlow,omitempty" tf:"allow_classic_flow,omitempty"`
+
+	// Whether the identity pool supports unauthenticated logins or not.
+	AllowUnauthenticatedIdentities *bool `json:"allowUnauthenticatedIdentities,omitempty" tf:"allow_unauthenticated_identities,omitempty"`
+
 	// The ARN of the identity pool.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// An array of Amazon Cognito Identity user pools and their client IDs.
+	CognitoIdentityProviders []CognitoIdentityProvidersObservation `json:"cognitoIdentityProviders,omitempty" tf:"cognito_identity_providers,omitempty"`
+
+	// The "domain" by which Cognito will refer to your users. This name acts as a placeholder that allows your
+	// backend and the Cognito service to communicate about the developer provider.
+	DeveloperProviderName *string `json:"developerProviderName,omitempty" tf:"developer_provider_name,omitempty"`
+
 	// An identity pool ID, e.g. us-west-2_abc123.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Cognito Identity Pool name.
+	IdentityPoolName *string `json:"identityPoolName,omitempty" tf:"identity_pool_name,omitempty"`
+
+	// Set of OpendID Connect provider ARNs.
+	OpenIDConnectProviderArns []*string `json:"openidConnectProviderArns,omitempty" tf:"openid_connect_provider_arns,omitempty"`
+
+	// An array of Amazon Resource Names (ARNs) of the SAML provider for your identity.
+	SAMLProviderArns []*string `json:"samlProviderArns,omitempty" tf:"saml_provider_arns,omitempty"`
+
+	// Key-Value pairs mapping provider names to provider app IDs.
+	SupportedLoginProviders map[string]*string `json:"supportedLoginProviders,omitempty" tf:"supported_login_providers,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -72,8 +109,8 @@ type PoolParameters struct {
 	DeveloperProviderName *string `json:"developerProviderName,omitempty" tf:"developer_provider_name,omitempty"`
 
 	// The Cognito Identity Pool name.
-	// +kubebuilder:validation:Required
-	IdentityPoolName *string `json:"identityPoolName" tf:"identity_pool_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	IdentityPoolName *string `json:"identityPoolName,omitempty" tf:"identity_pool_name,omitempty"`
 
 	// Set of OpendID Connect provider ARNs.
 	// +kubebuilder:validation:Optional
@@ -131,8 +168,9 @@ type PoolStatus struct {
 type Pool struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PoolSpec   `json:"spec"`
-	Status            PoolStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identityPoolName)",message="identityPoolName is a required parameter"
+	Spec   PoolSpec   `json:"spec"`
+	Status PoolStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidentity/v1beta1/zz_poolrolesattachment_types.go b/apis/cognitoidentity/v1beta1/zz_poolrolesattachment_types.go
index 1c033b1e53..7443b71d5c 100755
--- a/apis/cognitoidentity/v1beta1/zz_poolrolesattachment_types.go
+++ b/apis/cognitoidentity/v1beta1/zz_poolrolesattachment_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type MappingRuleObservation struct {
+
+	// The claim name that must be present in the token, for example, "isAdmin" or "paid".
+	Claim *string `json:"claim,omitempty" tf:"claim,omitempty"`
+
+	// The match condition that specifies how closely the claim value in the IdP token must match Value.
+	MatchType *string `json:"matchType,omitempty" tf:"match_type,omitempty"`
+
+	// The role ARN.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// A brief string that the claim must match, for example, "paid" or "yes".
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MappingRuleParameters struct {
@@ -49,6 +61,15 @@ type PoolRolesAttachmentObservation struct {
 
 	// The identity pool ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// An identity pool ID in the format REGION_GUID.
+	IdentityPoolID *string `json:"identityPoolId,omitempty" tf:"identity_pool_id,omitempty"`
+
+	// A List of Role Mapping.
+	RoleMapping []RoleMappingObservation `json:"roleMapping,omitempty" tf:"role_mapping,omitempty"`
+
+	// The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.
+	Roles map[string]*string `json:"roles,omitempty" tf:"roles,omitempty"`
 }
 
 type PoolRolesAttachmentParameters struct {
@@ -77,11 +98,23 @@ type PoolRolesAttachmentParameters struct {
 	RoleMapping []RoleMappingParameters `json:"roleMapping,omitempty" tf:"role_mapping,omitempty"`
 
 	// The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.
-	// +kubebuilder:validation:Required
-	Roles map[string]*string `json:"roles" tf:"roles,omitempty"`
+	// +kubebuilder:validation:Optional
+	Roles map[string]*string `json:"roles,omitempty" tf:"roles,omitempty"`
 }
 
 type RoleMappingObservation struct {
+
+	// Specifies the action to be taken if either no rules match the claim value for the Rules type, or there is no cognito:preferred_role claim and there are multiple cognito:roles matches for the Token type. Required if you specify Token or Rules as the Type.
+	AmbiguousRoleResolution *string `json:"ambiguousRoleResolution,omitempty" tf:"ambiguous_role_resolution,omitempty"`
+
+	// A string identifying the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id". Depends on cognito_identity_providers set on aws_cognito_identity_pool resource or a aws_cognito_identity_provider resource.
+	IdentityProvider *string `json:"identityProvider,omitempty" tf:"identity_provider,omitempty"`
+
+	// The Rules Configuration to be used for mapping users to roles. You can specify up to 25 rules per identity provider. Rules are evaluated in order. The first one to match specifies the role.
+	MappingRule []MappingRuleObservation `json:"mappingRule,omitempty" tf:"mapping_rule,omitempty"`
+
+	// The role mapping type.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RoleMappingParameters struct {
@@ -127,8 +160,9 @@ type PoolRolesAttachmentStatus struct {
 type PoolRolesAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PoolRolesAttachmentSpec   `json:"spec"`
-	Status            PoolRolesAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roles)",message="roles is a required parameter"
+	Spec   PoolRolesAttachmentSpec   `json:"spec"`
+	Status PoolRolesAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidp/v1beta1/zz_generated.deepcopy.go b/apis/cognitoidp/v1beta1/zz_generated.deepcopy.go
index ea2df73a52..54331c147c 100644
--- a/apis/cognitoidp/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cognitoidp/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,13 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountRecoverySettingObservation) DeepCopyInto(out *AccountRecoverySettingObservation) {
 	*out = *in
+	if in.RecoveryMechanism != nil {
+		in, out := &in.RecoveryMechanism, &out.RecoveryMechanism
+		*out = make([]RecoveryMechanismObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountRecoverySettingObservation.
@@ -54,6 +61,20 @@ func (in *AccountRecoverySettingParameters) DeepCopy() *AccountRecoverySettingPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountTakeoverRiskConfigurationObservation) DeepCopyInto(out *AccountTakeoverRiskConfigurationObservation) {
 	*out = *in
+	if in.Actions != nil {
+		in, out := &in.Actions, &out.Actions
+		*out = make([]ActionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NotifyConfiguration != nil {
+		in, out := &in.NotifyConfiguration, &out.NotifyConfiguration
+		*out = make([]NotifyConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountTakeoverRiskConfigurationObservation.
@@ -98,6 +119,27 @@ func (in *AccountTakeoverRiskConfigurationParameters) DeepCopy() *AccountTakeove
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionsObservation) DeepCopyInto(out *ActionsObservation) {
 	*out = *in
+	if in.HighAction != nil {
+		in, out := &in.HighAction, &out.HighAction
+		*out = make([]HighActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LowAction != nil {
+		in, out := &in.LowAction, &out.LowAction
+		*out = make([]LowActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MediumAction != nil {
+		in, out := &in.MediumAction, &out.MediumAction
+		*out = make([]MediumActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionsObservation.
@@ -149,6 +191,18 @@ func (in *ActionsParameters) DeepCopy() *ActionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdminCreateUserConfigObservation) DeepCopyInto(out *AdminCreateUserConfigObservation) {
 	*out = *in
+	if in.AllowAdminCreateUserOnly != nil {
+		in, out := &in.AllowAdminCreateUserOnly, &out.AllowAdminCreateUserOnly
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InviteMessageTemplate != nil {
+		in, out := &in.InviteMessageTemplate, &out.InviteMessageTemplate
+		*out = make([]InviteMessageTemplateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminCreateUserConfigObservation.
@@ -191,6 +245,31 @@ func (in *AdminCreateUserConfigParameters) DeepCopy() *AdminCreateUserConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AnalyticsConfigurationObservation) DeepCopyInto(out *AnalyticsConfigurationObservation) {
 	*out = *in
+	if in.ApplicationArn != nil {
+		in, out := &in.ApplicationArn, &out.ApplicationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ApplicationID != nil {
+		in, out := &in.ApplicationID, &out.ApplicationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExternalID != nil {
+		in, out := &in.ExternalID, &out.ExternalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserDataShared != nil {
+		in, out := &in.UserDataShared, &out.UserDataShared
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AnalyticsConfigurationObservation.
@@ -266,6 +345,21 @@ func (in *AnalyticsConfigurationParameters) DeepCopy() *AnalyticsConfigurationPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BlockEmailObservation) DeepCopyInto(out *BlockEmailObservation) {
 	*out = *in
+	if in.HTMLBody != nil {
+		in, out := &in.HTMLBody, &out.HTMLBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.Subject != nil {
+		in, out := &in.Subject, &out.Subject
+		*out = new(string)
+		**out = **in
+	}
+	if in.TextBody != nil {
+		in, out := &in.TextBody, &out.TextBody
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BlockEmailObservation.
@@ -311,6 +405,11 @@ func (in *BlockEmailParameters) DeepCopy() *BlockEmailParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CompromisedCredentialsRiskConfigurationActionsObservation) DeepCopyInto(out *CompromisedCredentialsRiskConfigurationActionsObservation) {
 	*out = *in
+	if in.EventAction != nil {
+		in, out := &in.EventAction, &out.EventAction
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompromisedCredentialsRiskConfigurationActionsObservation.
@@ -346,6 +445,24 @@ func (in *CompromisedCredentialsRiskConfigurationActionsParameters) DeepCopy() *
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CompromisedCredentialsRiskConfigurationObservation) DeepCopyInto(out *CompromisedCredentialsRiskConfigurationObservation) {
 	*out = *in
+	if in.Actions != nil {
+		in, out := &in.Actions, &out.Actions
+		*out = make([]CompromisedCredentialsRiskConfigurationActionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventFilter != nil {
+		in, out := &in.EventFilter, &out.EventFilter
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompromisedCredentialsRiskConfigurationObservation.
@@ -394,6 +511,16 @@ func (in *CompromisedCredentialsRiskConfigurationParameters) DeepCopy() *Comprom
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomEmailSenderObservation) DeepCopyInto(out *CustomEmailSenderObservation) {
 	*out = *in
+	if in.LambdaArn != nil {
+		in, out := &in.LambdaArn, &out.LambdaArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaVersion != nil {
+		in, out := &in.LambdaVersion, &out.LambdaVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomEmailSenderObservation.
@@ -434,6 +561,16 @@ func (in *CustomEmailSenderParameters) DeepCopy() *CustomEmailSenderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomSMSSenderObservation) DeepCopyInto(out *CustomSMSSenderObservation) {
 	*out = *in
+	if in.LambdaArn != nil {
+		in, out := &in.LambdaArn, &out.LambdaArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaVersion != nil {
+		in, out := &in.LambdaVersion, &out.LambdaVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomSMSSenderObservation.
@@ -474,6 +611,16 @@ func (in *CustomSMSSenderParameters) DeepCopy() *CustomSMSSenderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeviceConfigurationObservation) DeepCopyInto(out *DeviceConfigurationObservation) {
 	*out = *in
+	if in.ChallengeRequiredOnNewDevice != nil {
+		in, out := &in.ChallengeRequiredOnNewDevice, &out.ChallengeRequiredOnNewDevice
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceOnlyRememberedOnUserPrompt != nil {
+		in, out := &in.DeviceOnlyRememberedOnUserPrompt, &out.DeviceOnlyRememberedOnUserPrompt
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceConfigurationObservation.
@@ -514,6 +661,31 @@ func (in *DeviceConfigurationParameters) DeepCopy() *DeviceConfigurationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EmailConfigurationObservation) DeepCopyInto(out *EmailConfigurationObservation) {
 	*out = *in
+	if in.ConfigurationSet != nil {
+		in, out := &in.ConfigurationSet, &out.ConfigurationSet
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailSendingAccount != nil {
+		in, out := &in.EmailSendingAccount, &out.EmailSendingAccount
+		*out = new(string)
+		**out = **in
+	}
+	if in.FromEmailAddress != nil {
+		in, out := &in.FromEmailAddress, &out.FromEmailAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplyToEmailAddress != nil {
+		in, out := &in.ReplyToEmailAddress, &out.ReplyToEmailAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceArn != nil {
+		in, out := &in.SourceArn, &out.SourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmailConfigurationObservation.
@@ -569,6 +741,16 @@ func (in *EmailConfigurationParameters) DeepCopy() *EmailConfigurationParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HighActionObservation) DeepCopyInto(out *HighActionObservation) {
 	*out = *in
+	if in.EventAction != nil {
+		in, out := &in.EventAction, &out.EventAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.Notify != nil {
+		in, out := &in.Notify, &out.Notify
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HighActionObservation.
@@ -668,11 +850,67 @@ func (in *IdentityProviderList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IdentityProviderObservation) DeepCopyInto(out *IdentityProviderObservation) {
 	*out = *in
+	if in.AttributeMapping != nil {
+		in, out := &in.AttributeMapping, &out.AttributeMapping
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdpIdentifiers != nil {
+		in, out := &in.IdpIdentifiers, &out.IdpIdentifiers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ProviderDetails != nil {
+		in, out := &in.ProviderDetails, &out.ProviderDetails
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ProviderName != nil {
+		in, out := &in.ProviderName, &out.ProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProviderType != nil {
+		in, out := &in.ProviderType, &out.ProviderType
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderObservation.
@@ -808,6 +1046,21 @@ func (in *IdentityProviderStatus) DeepCopy() *IdentityProviderStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InviteMessageTemplateObservation) DeepCopyInto(out *InviteMessageTemplateObservation) {
 	*out = *in
+	if in.EmailMessage != nil {
+		in, out := &in.EmailMessage, &out.EmailMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailSubject != nil {
+		in, out := &in.EmailSubject, &out.EmailSubject
+		*out = new(string)
+		**out = **in
+	}
+	if in.SMSMessage != nil {
+		in, out := &in.SMSMessage, &out.SMSMessage
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InviteMessageTemplateObservation.
@@ -853,14 +1106,83 @@ func (in *InviteMessageTemplateParameters) DeepCopy() *InviteMessageTemplatePara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaConfigObservation) DeepCopyInto(out *LambdaConfigObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaConfigObservation.
-func (in *LambdaConfigObservation) DeepCopy() *LambdaConfigObservation {
-	if in == nil {
-		return nil
+	if in.CreateAuthChallenge != nil {
+		in, out := &in.CreateAuthChallenge, &out.CreateAuthChallenge
+		*out = new(string)
+		**out = **in
 	}
-	out := new(LambdaConfigObservation)
+	if in.CustomEmailSender != nil {
+		in, out := &in.CustomEmailSender, &out.CustomEmailSender
+		*out = make([]CustomEmailSenderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomMessage != nil {
+		in, out := &in.CustomMessage, &out.CustomMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSMSSender != nil {
+		in, out := &in.CustomSMSSender, &out.CustomSMSSender
+		*out = make([]CustomSMSSenderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefineAuthChallenge != nil {
+		in, out := &in.DefineAuthChallenge, &out.DefineAuthChallenge
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PostAuthentication != nil {
+		in, out := &in.PostAuthentication, &out.PostAuthentication
+		*out = new(string)
+		**out = **in
+	}
+	if in.PostConfirmation != nil {
+		in, out := &in.PostConfirmation, &out.PostConfirmation
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreAuthentication != nil {
+		in, out := &in.PreAuthentication, &out.PreAuthentication
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreSignUp != nil {
+		in, out := &in.PreSignUp, &out.PreSignUp
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreTokenGeneration != nil {
+		in, out := &in.PreTokenGeneration, &out.PreTokenGeneration
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserMigration != nil {
+		in, out := &in.UserMigration, &out.UserMigration
+		*out = new(string)
+		**out = **in
+	}
+	if in.VerifyAuthChallengeResponse != nil {
+		in, out := &in.VerifyAuthChallengeResponse, &out.VerifyAuthChallengeResponse
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaConfigObservation.
+func (in *LambdaConfigObservation) DeepCopy() *LambdaConfigObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(LambdaConfigObservation)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -952,6 +1274,16 @@ func (in *LambdaConfigParameters) DeepCopy() *LambdaConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LowActionObservation) DeepCopyInto(out *LowActionObservation) {
 	*out = *in
+	if in.EventAction != nil {
+		in, out := &in.EventAction, &out.EventAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.Notify != nil {
+		in, out := &in.Notify, &out.Notify
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LowActionObservation.
@@ -992,6 +1324,16 @@ func (in *LowActionParameters) DeepCopy() *LowActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MediumActionObservation) DeepCopyInto(out *MediumActionObservation) {
 	*out = *in
+	if in.EventAction != nil {
+		in, out := &in.EventAction, &out.EventAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.Notify != nil {
+		in, out := &in.Notify, &out.Notify
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MediumActionObservation.
@@ -1032,6 +1374,21 @@ func (in *MediumActionParameters) DeepCopy() *MediumActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MfaEmailObservation) DeepCopyInto(out *MfaEmailObservation) {
 	*out = *in
+	if in.HTMLBody != nil {
+		in, out := &in.HTMLBody, &out.HTMLBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.Subject != nil {
+		in, out := &in.Subject, &out.Subject
+		*out = new(string)
+		**out = **in
+	}
+	if in.TextBody != nil {
+		in, out := &in.TextBody, &out.TextBody
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MfaEmailObservation.
@@ -1077,6 +1434,21 @@ func (in *MfaEmailParameters) DeepCopy() *MfaEmailParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NoActionEmailObservation) DeepCopyInto(out *NoActionEmailObservation) {
 	*out = *in
+	if in.HTMLBody != nil {
+		in, out := &in.HTMLBody, &out.HTMLBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.Subject != nil {
+		in, out := &in.Subject, &out.Subject
+		*out = new(string)
+		**out = **in
+	}
+	if in.TextBody != nil {
+		in, out := &in.TextBody, &out.TextBody
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoActionEmailObservation.
@@ -1122,6 +1494,42 @@ func (in *NoActionEmailParameters) DeepCopy() *NoActionEmailParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotifyConfigurationObservation) DeepCopyInto(out *NotifyConfigurationObservation) {
 	*out = *in
+	if in.BlockEmail != nil {
+		in, out := &in.BlockEmail, &out.BlockEmail
+		*out = make([]BlockEmailObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.From != nil {
+		in, out := &in.From, &out.From
+		*out = new(string)
+		**out = **in
+	}
+	if in.MfaEmail != nil {
+		in, out := &in.MfaEmail, &out.MfaEmail
+		*out = make([]MfaEmailObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoActionEmail != nil {
+		in, out := &in.NoActionEmail, &out.NoActionEmail
+		*out = make([]NoActionEmailObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReplyTo != nil {
+		in, out := &in.ReplyTo, &out.ReplyTo
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceArn != nil {
+		in, out := &in.SourceArn, &out.SourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotifyConfigurationObservation.
@@ -1188,6 +1596,16 @@ func (in *NotifyConfigurationParameters) DeepCopy() *NotifyConfigurationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NumberAttributeConstraintsObservation) DeepCopyInto(out *NumberAttributeConstraintsObservation) {
 	*out = *in
+	if in.MaxValue != nil {
+		in, out := &in.MaxValue, &out.MaxValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinValue != nil {
+		in, out := &in.MinValue, &out.MinValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NumberAttributeConstraintsObservation.
@@ -1228,6 +1646,36 @@ func (in *NumberAttributeConstraintsParameters) DeepCopy() *NumberAttributeConst
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PasswordPolicyObservation) DeepCopyInto(out *PasswordPolicyObservation) {
 	*out = *in
+	if in.MinimumLength != nil {
+		in, out := &in.MinimumLength, &out.MinimumLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RequireLowercase != nil {
+		in, out := &in.RequireLowercase, &out.RequireLowercase
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequireNumbers != nil {
+		in, out := &in.RequireNumbers, &out.RequireNumbers
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequireSymbols != nil {
+		in, out := &in.RequireSymbols, &out.RequireSymbols
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequireUppercase != nil {
+		in, out := &in.RequireUppercase, &out.RequireUppercase
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TemporaryPasswordValidityDays != nil {
+		in, out := &in.TemporaryPasswordValidityDays, &out.TemporaryPasswordValidityDays
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PasswordPolicyObservation.
@@ -1288,6 +1736,16 @@ func (in *PasswordPolicyParameters) DeepCopy() *PasswordPolicyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecoveryMechanismObservation) DeepCopyInto(out *RecoveryMechanismObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecoveryMechanismObservation.
@@ -1392,6 +1850,23 @@ func (in *ResourceServerObservation) DeepCopyInto(out *ResourceServerObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Identifier != nil {
+		in, out := &in.Identifier, &out.Identifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = make([]ScopeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ScopeIdentifiers != nil {
 		in, out := &in.ScopeIdentifiers, &out.ScopeIdentifiers
 		*out = make([]*string, len(*in))
@@ -1403,6 +1878,11 @@ func (in *ResourceServerObservation) DeepCopyInto(out *ResourceServerObservation
 			}
 		}
 	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceServerObservation.
@@ -1563,11 +2043,42 @@ func (in *RiskConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RiskConfigurationObservation) DeepCopyInto(out *RiskConfigurationObservation) {
 	*out = *in
+	if in.AccountTakeoverRiskConfiguration != nil {
+		in, out := &in.AccountTakeoverRiskConfiguration, &out.AccountTakeoverRiskConfiguration
+		*out = make([]AccountTakeoverRiskConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CompromisedCredentialsRiskConfiguration != nil {
+		in, out := &in.CompromisedCredentialsRiskConfiguration, &out.CompromisedCredentialsRiskConfiguration
+		*out = make([]CompromisedCredentialsRiskConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RiskExceptionConfiguration != nil {
+		in, out := &in.RiskExceptionConfiguration, &out.RiskExceptionConfiguration
+		*out = make([]RiskExceptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RiskConfigurationObservation.
@@ -1678,10 +2189,32 @@ func (in *RiskConfigurationStatus) DeepCopy() *RiskConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RiskExceptionConfigurationObservation) DeepCopyInto(out *RiskExceptionConfigurationObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RiskExceptionConfigurationObservation.
-func (in *RiskExceptionConfigurationObservation) DeepCopy() *RiskExceptionConfigurationObservation {
+	if in.BlockedIPRangeList != nil {
+		in, out := &in.BlockedIPRangeList, &out.BlockedIPRangeList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SkippedIPRangeList != nil {
+		in, out := &in.SkippedIPRangeList, &out.SkippedIPRangeList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RiskExceptionConfigurationObservation.
+func (in *RiskExceptionConfigurationObservation) DeepCopy() *RiskExceptionConfigurationObservation {
 	if in == nil {
 		return nil
 	}
@@ -1730,6 +2263,21 @@ func (in *RiskExceptionConfigurationParameters) DeepCopy() *RiskExceptionConfigu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SMSConfigurationObservation) DeepCopyInto(out *SMSConfigurationObservation) {
 	*out = *in
+	if in.ExternalID != nil {
+		in, out := &in.ExternalID, &out.ExternalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnsCallerArn != nil {
+		in, out := &in.SnsCallerArn, &out.SnsCallerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnsRegion != nil {
+		in, out := &in.SnsRegion, &out.SnsRegion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SMSConfigurationObservation.
@@ -1785,6 +2333,45 @@ func (in *SMSConfigurationParameters) DeepCopy() *SMSConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 	*out = *in
+	if in.AttributeDataType != nil {
+		in, out := &in.AttributeDataType, &out.AttributeDataType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeveloperOnlyAttribute != nil {
+		in, out := &in.DeveloperOnlyAttribute, &out.DeveloperOnlyAttribute
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Mutable != nil {
+		in, out := &in.Mutable, &out.Mutable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberAttributeConstraints != nil {
+		in, out := &in.NumberAttributeConstraints, &out.NumberAttributeConstraints
+		*out = make([]NumberAttributeConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Required != nil {
+		in, out := &in.Required, &out.Required
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StringAttributeConstraints != nil {
+		in, out := &in.StringAttributeConstraints, &out.StringAttributeConstraints
+		*out = make([]StringAttributeConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaObservation.
@@ -1854,6 +2441,16 @@ func (in *SchemaParameters) DeepCopy() *SchemaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScopeObservation) DeepCopyInto(out *ScopeObservation) {
 	*out = *in
+	if in.ScopeDescription != nil {
+		in, out := &in.ScopeDescription, &out.ScopeDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScopeName != nil {
+		in, out := &in.ScopeName, &out.ScopeName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopeObservation.
@@ -1894,6 +2491,11 @@ func (in *ScopeParameters) DeepCopy() *ScopeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SoftwareTokenMfaConfigurationObservation) DeepCopyInto(out *SoftwareTokenMfaConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SoftwareTokenMfaConfigurationObservation.
@@ -1929,6 +2531,16 @@ func (in *SoftwareTokenMfaConfigurationParameters) DeepCopy() *SoftwareTokenMfaC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StringAttributeConstraintsObservation) DeepCopyInto(out *StringAttributeConstraintsObservation) {
 	*out = *in
+	if in.MaxLength != nil {
+		in, out := &in.MaxLength, &out.MaxLength
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinLength != nil {
+		in, out := &in.MinLength, &out.MinLength
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringAttributeConstraintsObservation.
@@ -1969,6 +2581,21 @@ func (in *StringAttributeConstraintsParameters) DeepCopy() *StringAttributeConst
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TokenValidityUnitsObservation) DeepCopyInto(out *TokenValidityUnitsObservation) {
 	*out = *in
+	if in.AccessToken != nil {
+		in, out := &in.AccessToken, &out.AccessToken
+		*out = new(string)
+		**out = **in
+	}
+	if in.IDToken != nil {
+		in, out := &in.IDToken, &out.IDToken
+		*out = new(string)
+		**out = **in
+	}
+	if in.RefreshToken != nil {
+		in, out := &in.RefreshToken, &out.RefreshToken
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TokenValidityUnitsObservation.
@@ -2041,6 +2668,17 @@ func (in *User) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserAttributeUpdateSettingsObservation) DeepCopyInto(out *UserAttributeUpdateSettingsObservation) {
 	*out = *in
+	if in.AttributesRequireVerificationBeforeUpdate != nil {
+		in, out := &in.AttributesRequireVerificationBeforeUpdate, &out.AttributesRequireVerificationBeforeUpdate
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserAttributeUpdateSettingsObservation.
@@ -2141,11 +2779,36 @@ func (in *UserGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserGroupObservation) DeepCopyInto(out *UserGroupObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Precedence != nil {
+		in, out := &in.Precedence, &out.Precedence
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserGroupObservation.
@@ -2319,11 +2982,26 @@ func (in *UserInGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserInGroupObservation) DeepCopyInto(out *UserInGroupObservation) {
 	*out = *in
+	if in.GroupName != nil {
+		in, out := &in.GroupName, &out.GroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserInGroupObservation.
@@ -2470,11 +3148,62 @@ func (in *UserList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 	*out = *in
+	if in.Attributes != nil {
+		in, out := &in.Attributes, &out.Attributes
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ClientMetadata != nil {
+		in, out := &in.ClientMetadata, &out.ClientMetadata
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.CreationDate != nil {
 		in, out := &in.CreationDate, &out.CreationDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.DesiredDeliveryMediums != nil {
+		in, out := &in.DesiredDeliveryMediums, &out.DesiredDeliveryMediums
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ForceAliasCreation != nil {
+		in, out := &in.ForceAliasCreation, &out.ForceAliasCreation
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -2485,6 +3214,11 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MessageAction != nil {
+		in, out := &in.MessageAction, &out.MessageAction
+		*out = new(string)
+		**out = **in
+	}
 	if in.MfaSettingList != nil {
 		in, out := &in.MfaSettingList, &out.MfaSettingList
 		*out = make([]*string, len(*in))
@@ -2511,6 +3245,26 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValidationData != nil {
+		in, out := &in.ValidationData, &out.ValidationData
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserObservation.
@@ -2669,6 +3423,11 @@ func (in *UserPool) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserPoolAddOnsObservation) DeepCopyInto(out *UserPoolAddOnsObservation) {
 	*out = *in
+	if in.AdvancedSecurityMode != nil {
+		in, out := &in.AdvancedSecurityMode, &out.AdvancedSecurityMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPoolAddOnsObservation.
@@ -2757,17 +3516,179 @@ func (in *UserPoolClientList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *UserPoolClientObservation) DeepCopyInto(out *UserPoolClientObservation) {
-	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserPoolClientObservation) DeepCopyInto(out *UserPoolClientObservation) {
+	*out = *in
+	if in.AccessTokenValidity != nil {
+		in, out := &in.AccessTokenValidity, &out.AccessTokenValidity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AllowedOauthFlows != nil {
+		in, out := &in.AllowedOauthFlows, &out.AllowedOauthFlows
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowedOauthFlowsUserPoolClient != nil {
+		in, out := &in.AllowedOauthFlowsUserPoolClient, &out.AllowedOauthFlowsUserPoolClient
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowedOauthScopes != nil {
+		in, out := &in.AllowedOauthScopes, &out.AllowedOauthScopes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AnalyticsConfiguration != nil {
+		in, out := &in.AnalyticsConfiguration, &out.AnalyticsConfiguration
+		*out = make([]AnalyticsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AuthSessionValidity != nil {
+		in, out := &in.AuthSessionValidity, &out.AuthSessionValidity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CallbackUrls != nil {
+		in, out := &in.CallbackUrls, &out.CallbackUrls
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DefaultRedirectURI != nil {
+		in, out := &in.DefaultRedirectURI, &out.DefaultRedirectURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnablePropagateAdditionalUserContextData != nil {
+		in, out := &in.EnablePropagateAdditionalUserContextData, &out.EnablePropagateAdditionalUserContextData
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableTokenRevocation != nil {
+		in, out := &in.EnableTokenRevocation, &out.EnableTokenRevocation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExplicitAuthFlows != nil {
+		in, out := &in.ExplicitAuthFlows, &out.ExplicitAuthFlows
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.GenerateSecret != nil {
+		in, out := &in.GenerateSecret, &out.GenerateSecret
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IDTokenValidity != nil {
+		in, out := &in.IDTokenValidity, &out.IDTokenValidity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LogoutUrls != nil {
+		in, out := &in.LogoutUrls, &out.LogoutUrls
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreventUserExistenceErrors != nil {
+		in, out := &in.PreventUserExistenceErrors, &out.PreventUserExistenceErrors
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReadAttributes != nil {
+		in, out := &in.ReadAttributes, &out.ReadAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RefreshTokenValidity != nil {
+		in, out := &in.RefreshTokenValidity, &out.RefreshTokenValidity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SupportedIdentityProviders != nil {
+		in, out := &in.SupportedIdentityProviders, &out.SupportedIdentityProviders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TokenValidityUnits != nil {
+		in, out := &in.TokenValidityUnits, &out.TokenValidityUnits
+		*out = make([]TokenValidityUnitsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
 		*out = new(string)
 		**out = **in
 	}
+	if in.WriteAttributes != nil {
+		in, out := &in.WriteAttributes, &out.WriteAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPoolClientObservation.
@@ -3073,11 +3994,21 @@ func (in *UserPoolDomainObservation) DeepCopyInto(out *UserPoolDomainObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.CloudfrontDistributionArn != nil {
 		in, out := &in.CloudfrontDistributionArn, &out.CloudfrontDistributionArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Domain != nil {
+		in, out := &in.Domain, &out.Domain
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -3088,6 +4019,11 @@ func (in *UserPoolDomainObservation) DeepCopyInto(out *UserPoolDomainObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(string)
@@ -3229,11 +4165,47 @@ func (in *UserPoolList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserPoolObservation) DeepCopyInto(out *UserPoolObservation) {
 	*out = *in
+	if in.AccountRecoverySetting != nil {
+		in, out := &in.AccountRecoverySetting, &out.AccountRecoverySetting
+		*out = make([]AccountRecoverySettingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AdminCreateUserConfig != nil {
+		in, out := &in.AdminCreateUserConfig, &out.AdminCreateUserConfig
+		*out = make([]AdminCreateUserConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AliasAttributes != nil {
+		in, out := &in.AliasAttributes, &out.AliasAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoVerifiedAttributes != nil {
+		in, out := &in.AutoVerifiedAttributes, &out.AutoVerifiedAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.CreationDate != nil {
 		in, out := &in.CreationDate, &out.CreationDate
 		*out = new(string)
@@ -3244,11 +4216,40 @@ func (in *UserPoolObservation) DeepCopyInto(out *UserPoolObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceConfiguration != nil {
+		in, out := &in.DeviceConfiguration, &out.DeviceConfiguration
+		*out = make([]DeviceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Domain != nil {
 		in, out := &in.Domain, &out.Domain
 		*out = new(string)
 		**out = **in
 	}
+	if in.EmailConfiguration != nil {
+		in, out := &in.EmailConfiguration, &out.EmailConfiguration
+		*out = make([]EmailConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EmailVerificationMessage != nil {
+		in, out := &in.EmailVerificationMessage, &out.EmailVerificationMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailVerificationSubject != nil {
+		in, out := &in.EmailVerificationSubject, &out.EmailVerificationSubject
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
@@ -3264,11 +4265,81 @@ func (in *UserPoolObservation) DeepCopyInto(out *UserPoolObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LambdaConfig != nil {
+		in, out := &in.LambdaConfig, &out.LambdaConfig
+		*out = make([]LambdaConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.LastModifiedDate != nil {
 		in, out := &in.LastModifiedDate, &out.LastModifiedDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.MfaConfiguration != nil {
+		in, out := &in.MfaConfiguration, &out.MfaConfiguration
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PasswordPolicy != nil {
+		in, out := &in.PasswordPolicy, &out.PasswordPolicy
+		*out = make([]PasswordPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SMSAuthenticationMessage != nil {
+		in, out := &in.SMSAuthenticationMessage, &out.SMSAuthenticationMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.SMSConfiguration != nil {
+		in, out := &in.SMSConfiguration, &out.SMSConfiguration
+		*out = make([]SMSConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SMSVerificationMessage != nil {
+		in, out := &in.SMSVerificationMessage, &out.SMSVerificationMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schema != nil {
+		in, out := &in.Schema, &out.Schema
+		*out = make([]SchemaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SoftwareTokenMfaConfiguration != nil {
+		in, out := &in.SoftwareTokenMfaConfiguration, &out.SoftwareTokenMfaConfiguration
+		*out = make([]SoftwareTokenMfaConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3284,6 +4355,45 @@ func (in *UserPoolObservation) DeepCopyInto(out *UserPoolObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserAttributeUpdateSettings != nil {
+		in, out := &in.UserAttributeUpdateSettings, &out.UserAttributeUpdateSettings
+		*out = make([]UserAttributeUpdateSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UserPoolAddOns != nil {
+		in, out := &in.UserPoolAddOns, &out.UserPoolAddOns
+		*out = make([]UserPoolAddOnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UsernameAttributes != nil {
+		in, out := &in.UsernameAttributes, &out.UsernameAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.UsernameConfiguration != nil {
+		in, out := &in.UsernameConfiguration, &out.UsernameConfiguration
+		*out = make([]UsernameConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VerificationMessageTemplate != nil {
+		in, out := &in.VerificationMessageTemplate, &out.VerificationMessageTemplate
+		*out = make([]VerificationMessageTemplateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPoolObservation.
@@ -3586,11 +4696,21 @@ func (in *UserPoolUICustomizationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserPoolUICustomizationObservation) DeepCopyInto(out *UserPoolUICustomizationObservation) {
 	*out = *in
+	if in.CSS != nil {
+		in, out := &in.CSS, &out.CSS
+		*out = new(string)
+		**out = **in
+	}
 	if in.CSSVersion != nil {
 		in, out := &in.CSSVersion, &out.CSSVersion
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreationDate != nil {
 		in, out := &in.CreationDate, &out.CreationDate
 		*out = new(string)
@@ -3601,6 +4721,11 @@ func (in *UserPoolUICustomizationObservation) DeepCopyInto(out *UserPoolUICustom
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageFile != nil {
+		in, out := &in.ImageFile, &out.ImageFile
+		*out = new(string)
+		**out = **in
+	}
 	if in.ImageURL != nil {
 		in, out := &in.ImageURL, &out.ImageURL
 		*out = new(string)
@@ -3611,6 +4736,11 @@ func (in *UserPoolUICustomizationObservation) DeepCopyInto(out *UserPoolUICustom
 		*out = new(string)
 		**out = **in
 	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPoolUICustomizationObservation.
@@ -3754,6 +4884,11 @@ func (in *UserStatus) DeepCopy() *UserStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UsernameConfigurationObservation) DeepCopyInto(out *UsernameConfigurationObservation) {
 	*out = *in
+	if in.CaseSensitive != nil {
+		in, out := &in.CaseSensitive, &out.CaseSensitive
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UsernameConfigurationObservation.
@@ -3789,6 +4924,36 @@ func (in *UsernameConfigurationParameters) DeepCopy() *UsernameConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VerificationMessageTemplateObservation) DeepCopyInto(out *VerificationMessageTemplateObservation) {
 	*out = *in
+	if in.DefaultEmailOption != nil {
+		in, out := &in.DefaultEmailOption, &out.DefaultEmailOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailMessage != nil {
+		in, out := &in.EmailMessage, &out.EmailMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailMessageByLink != nil {
+		in, out := &in.EmailMessageByLink, &out.EmailMessageByLink
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailSubject != nil {
+		in, out := &in.EmailSubject, &out.EmailSubject
+		*out = new(string)
+		**out = **in
+	}
+	if in.EmailSubjectByLink != nil {
+		in, out := &in.EmailSubjectByLink, &out.EmailSubjectByLink
+		*out = new(string)
+		**out = **in
+	}
+	if in.SMSMessage != nil {
+		in, out := &in.SMSMessage, &out.SMSMessage
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VerificationMessageTemplateObservation.
diff --git a/apis/cognitoidp/v1beta1/zz_identityprovider_types.go b/apis/cognitoidp/v1beta1/zz_identityprovider_types.go
index e02e71c048..288d7b887a 100755
--- a/apis/cognitoidp/v1beta1/zz_identityprovider_types.go
+++ b/apis/cognitoidp/v1beta1/zz_identityprovider_types.go
@@ -14,7 +14,26 @@ import (
 )
 
 type IdentityProviderObservation struct {
+
+	// The map of attribute mapping of user pool attributes. AttributeMapping in AWS API documentation
+	AttributeMapping map[string]*string `json:"attributeMapping,omitempty" tf:"attribute_mapping,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The list of identity providers.
+	IdpIdentifiers []*string `json:"idpIdentifiers,omitempty" tf:"idp_identifiers,omitempty"`
+
+	// The map of identity details, such as access token
+	ProviderDetails map[string]*string `json:"providerDetails,omitempty" tf:"provider_details,omitempty"`
+
+	// The provider name
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
+
+	// The provider type.  See AWS API for valid values
+	ProviderType *string `json:"providerType,omitempty" tf:"provider_type,omitempty"`
+
+	// The user pool id
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type IdentityProviderParameters struct {
@@ -28,16 +47,16 @@ type IdentityProviderParameters struct {
 	IdpIdentifiers []*string `json:"idpIdentifiers,omitempty" tf:"idp_identifiers,omitempty"`
 
 	// The map of identity details, such as access token
-	// +kubebuilder:validation:Required
-	ProviderDetails map[string]*string `json:"providerDetails" tf:"provider_details,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderDetails map[string]*string `json:"providerDetails,omitempty" tf:"provider_details,omitempty"`
 
 	// The provider name
-	// +kubebuilder:validation:Required
-	ProviderName *string `json:"providerName" tf:"provider_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
 
 	// The provider type.  See AWS API for valid values
-	// +kubebuilder:validation:Required
-	ProviderType *string `json:"providerType" tf:"provider_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderType *string `json:"providerType,omitempty" tf:"provider_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -82,8 +101,11 @@ type IdentityProviderStatus struct {
 type IdentityProvider struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IdentityProviderSpec   `json:"spec"`
-	Status            IdentityProviderStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerDetails)",message="providerDetails is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerName)",message="providerName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerType)",message="providerType is a required parameter"
+	Spec   IdentityProviderSpec   `json:"spec"`
+	Status IdentityProviderStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidp/v1beta1/zz_resourceserver_types.go b/apis/cognitoidp/v1beta1/zz_resourceserver_types.go
index 46866ef4e4..5f80ca9586 100755
--- a/apis/cognitoidp/v1beta1/zz_resourceserver_types.go
+++ b/apis/cognitoidp/v1beta1/zz_resourceserver_types.go
@@ -16,19 +16,30 @@ import (
 type ResourceServerObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// An identifier for the resource server.
+	Identifier *string `json:"identifier,omitempty" tf:"identifier,omitempty"`
+
+	// A name for the resource server.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of Authorization Scope.
+	Scope []ScopeObservation `json:"scope,omitempty" tf:"scope,omitempty"`
+
 	// A list of all scopes configured for this resource server in the format identifier/scope_name.
 	ScopeIdentifiers []*string `json:"scopeIdentifiers,omitempty" tf:"scope_identifiers,omitempty"`
+
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type ResourceServerParameters struct {
 
 	// An identifier for the resource server.
-	// +kubebuilder:validation:Required
-	Identifier *string `json:"identifier" tf:"identifier,omitempty"`
+	// +kubebuilder:validation:Optional
+	Identifier *string `json:"identifier,omitempty" tf:"identifier,omitempty"`
 
 	// A name for the resource server.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -53,6 +64,12 @@ type ResourceServerParameters struct {
 }
 
 type ScopeObservation struct {
+
+	// The scope description.
+	ScopeDescription *string `json:"scopeDescription,omitempty" tf:"scope_description,omitempty"`
+
+	// The scope name.
+	ScopeName *string `json:"scopeName,omitempty" tf:"scope_name,omitempty"`
 }
 
 type ScopeParameters struct {
@@ -90,8 +107,10 @@ type ResourceServerStatus struct {
 type ResourceServer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceServerSpec   `json:"spec"`
-	Status            ResourceServerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identifier)",message="identifier is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ResourceServerSpec   `json:"spec"`
+	Status ResourceServerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidp/v1beta1/zz_riskconfiguration_types.go b/apis/cognitoidp/v1beta1/zz_riskconfiguration_types.go
index 8fafb26756..a6740dc70f 100755
--- a/apis/cognitoidp/v1beta1/zz_riskconfiguration_types.go
+++ b/apis/cognitoidp/v1beta1/zz_riskconfiguration_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AccountTakeoverRiskConfigurationObservation struct {
+
+	// Account takeover risk configuration actions. See details below.
+	Actions []ActionsObservation `json:"actions,omitempty" tf:"actions,omitempty"`
+
+	// The notify configuration used to construct email notifications. See details below.
+	NotifyConfiguration []NotifyConfigurationObservation `json:"notifyConfiguration,omitempty" tf:"notify_configuration,omitempty"`
 }
 
 type AccountTakeoverRiskConfigurationParameters struct {
@@ -28,6 +34,15 @@ type AccountTakeoverRiskConfigurationParameters struct {
 }
 
 type ActionsObservation struct {
+
+	// Action to take for a high risk. See action block below.
+	HighAction []HighActionObservation `json:"highAction,omitempty" tf:"high_action,omitempty"`
+
+	// Action to take for a low risk. See action block below.
+	LowAction []LowActionObservation `json:"lowAction,omitempty" tf:"low_action,omitempty"`
+
+	// Action to take for a medium risk. See action block below.
+	MediumAction []MediumActionObservation `json:"mediumAction,omitempty" tf:"medium_action,omitempty"`
 }
 
 type ActionsParameters struct {
@@ -46,6 +61,15 @@ type ActionsParameters struct {
 }
 
 type BlockEmailObservation struct {
+
+	// The email HTML body.
+	HTMLBody *string `json:"htmlBody,omitempty" tf:"html_body,omitempty"`
+
+	// The email subject.
+	Subject *string `json:"subject,omitempty" tf:"subject,omitempty"`
+
+	// The email text body.
+	TextBody *string `json:"textBody,omitempty" tf:"text_body,omitempty"`
 }
 
 type BlockEmailParameters struct {
@@ -64,6 +88,9 @@ type BlockEmailParameters struct {
 }
 
 type CompromisedCredentialsRiskConfigurationActionsObservation struct {
+
+	// The action to take in response to the account takeover action. Valid values are BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED and NO_ACTION.
+	EventAction *string `json:"eventAction,omitempty" tf:"event_action,omitempty"`
 }
 
 type CompromisedCredentialsRiskConfigurationActionsParameters struct {
@@ -74,6 +101,12 @@ type CompromisedCredentialsRiskConfigurationActionsParameters struct {
 }
 
 type CompromisedCredentialsRiskConfigurationObservation struct {
+
+	// The compromised credentials risk configuration actions. See details below.
+	Actions []CompromisedCredentialsRiskConfigurationActionsObservation `json:"actions,omitempty" tf:"actions,omitempty"`
+
+	// Perform the action for these events. The default is to perform all events if no event filter is specified. Valid values are SIGN_IN, PASSWORD_CHANGE, and SIGN_UP.
+	EventFilter []*string `json:"eventFilter,omitempty" tf:"event_filter,omitempty"`
 }
 
 type CompromisedCredentialsRiskConfigurationParameters struct {
@@ -88,6 +121,12 @@ type CompromisedCredentialsRiskConfigurationParameters struct {
 }
 
 type HighActionObservation struct {
+
+	// The action to take in response to the account takeover action. Valid values are BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED and NO_ACTION.
+	EventAction *string `json:"eventAction,omitempty" tf:"event_action,omitempty"`
+
+	// Whether to send a notification.
+	Notify *bool `json:"notify,omitempty" tf:"notify,omitempty"`
 }
 
 type HighActionParameters struct {
@@ -102,6 +141,12 @@ type HighActionParameters struct {
 }
 
 type LowActionObservation struct {
+
+	// The action to take in response to the account takeover action. Valid values are BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED and NO_ACTION.
+	EventAction *string `json:"eventAction,omitempty" tf:"event_action,omitempty"`
+
+	// Whether to send a notification.
+	Notify *bool `json:"notify,omitempty" tf:"notify,omitempty"`
 }
 
 type LowActionParameters struct {
@@ -116,6 +161,12 @@ type LowActionParameters struct {
 }
 
 type MediumActionObservation struct {
+
+	// The action to take in response to the account takeover action. Valid values are BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED and NO_ACTION.
+	EventAction *string `json:"eventAction,omitempty" tf:"event_action,omitempty"`
+
+	// Whether to send a notification.
+	Notify *bool `json:"notify,omitempty" tf:"notify,omitempty"`
 }
 
 type MediumActionParameters struct {
@@ -130,6 +181,15 @@ type MediumActionParameters struct {
 }
 
 type MfaEmailObservation struct {
+
+	// The email HTML body.
+	HTMLBody *string `json:"htmlBody,omitempty" tf:"html_body,omitempty"`
+
+	// The email subject.
+	Subject *string `json:"subject,omitempty" tf:"subject,omitempty"`
+
+	// The email text body.
+	TextBody *string `json:"textBody,omitempty" tf:"text_body,omitempty"`
 }
 
 type MfaEmailParameters struct {
@@ -148,6 +208,15 @@ type MfaEmailParameters struct {
 }
 
 type NoActionEmailObservation struct {
+
+	// The email HTML body.
+	HTMLBody *string `json:"htmlBody,omitempty" tf:"html_body,omitempty"`
+
+	// The email subject.
+	Subject *string `json:"subject,omitempty" tf:"subject,omitempty"`
+
+	// The email text body.
+	TextBody *string `json:"textBody,omitempty" tf:"text_body,omitempty"`
 }
 
 type NoActionEmailParameters struct {
@@ -166,6 +235,24 @@ type NoActionEmailParameters struct {
 }
 
 type NotifyConfigurationObservation struct {
+
+	// Email template used when a detected risk event is blocked. See notify email type below.
+	BlockEmail []BlockEmailObservation `json:"blockEmail,omitempty" tf:"block_email,omitempty"`
+
+	// The email address that is sending the email. The address must be either individually verified with Amazon Simple Email Service, or from a domain that has been verified with Amazon SES.
+	From *string `json:"from,omitempty" tf:"from,omitempty"`
+
+	// The multi-factor authentication (MFA) email template used when MFA is challenged as part of a detected risk. See notify email type below.
+	MfaEmail []MfaEmailObservation `json:"mfaEmail,omitempty" tf:"mfa_email,omitempty"`
+
+	// The email template used when a detected risk event is allowed. See notify email type below.
+	NoActionEmail []NoActionEmailObservation `json:"noActionEmail,omitempty" tf:"no_action_email,omitempty"`
+
+	// The destination to which the receiver of an email should reply to.
+	ReplyTo *string `json:"replyTo,omitempty" tf:"reply_to,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the identity that is associated with the sending authorization policy. This identity permits Amazon Cognito to send for the email address specified in the From parameter.
+	SourceArn *string `json:"sourceArn,omitempty" tf:"source_arn,omitempty"`
 }
 
 type NotifyConfigurationParameters struct {
@@ -197,8 +284,23 @@ type NotifyConfigurationParameters struct {
 
 type RiskConfigurationObservation struct {
 
+	// The account takeover risk configuration. See details below.
+	AccountTakeoverRiskConfiguration []AccountTakeoverRiskConfigurationObservation `json:"accountTakeoverRiskConfiguration,omitempty" tf:"account_takeover_risk_configuration,omitempty"`
+
+	// The app client ID. When the client ID is not provided, the same risk configuration is applied to all the clients in the User Pool.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// The compromised credentials risk configuration. See details below.
+	CompromisedCredentialsRiskConfiguration []CompromisedCredentialsRiskConfigurationObservation `json:"compromisedCredentialsRiskConfiguration,omitempty" tf:"compromised_credentials_risk_configuration,omitempty"`
+
 	// The user pool ID. or The user pool ID and Client Id separated by a : if the configuration is client specific.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The configuration to override the risk decision. See details below.
+	RiskExceptionConfiguration []RiskExceptionConfigurationObservation `json:"riskExceptionConfiguration,omitempty" tf:"risk_exception_configuration,omitempty"`
+
+	// The user pool ID.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type RiskConfigurationParameters struct {
@@ -240,6 +342,12 @@ type RiskConfigurationParameters struct {
 }
 
 type RiskExceptionConfigurationObservation struct {
+
+	// Overrides the risk decision to always block the pre-authentication requests. The IP range is in CIDR notation, a compact representation of an IP address and its routing prefix.
+	BlockedIPRangeList []*string `json:"blockedIpRangeList,omitempty" tf:"blocked_ip_range_list,omitempty"`
+
+	// Risk detection isn't performed on the IP addresses in this range list. The IP range is in CIDR notation.
+	SkippedIPRangeList []*string `json:"skippedIpRangeList,omitempty" tf:"skipped_ip_range_list,omitempty"`
 }
 
 type RiskExceptionConfigurationParameters struct {
diff --git a/apis/cognitoidp/v1beta1/zz_user_types.go b/apis/cognitoidp/v1beta1/zz_user_types.go
index f777ce9036..b3aa0d4b20 100755
--- a/apis/cognitoidp/v1beta1/zz_user_types.go
+++ b/apis/cognitoidp/v1beta1/zz_user_types.go
@@ -14,12 +14,31 @@ import (
 )
 
 type UserObservation struct {
+
+	// A map that contains user attributes and attribute values to be set for the user.
+	Attributes map[string]*string `json:"attributes,omitempty" tf:"attributes,omitempty"`
+
+	// A map of custom key-value pairs that you can provide as input for any custom workflows that user creation triggers. Amazon Cognito does not store the client_metadata value. This data is available only to Lambda triggers that are assigned to a user pool to support custom workflows. If your user pool configuration does not include triggers, the ClientMetadata parameter serves no purpose. For more information, see Customizing User Pool Workflows with Lambda Triggers.
+	ClientMetadata map[string]*string `json:"clientMetadata,omitempty" tf:"client_metadata,omitempty"`
+
 	CreationDate *string `json:"creationDate,omitempty" tf:"creation_date,omitempty"`
 
+	// A list of mediums to the welcome message will be sent through. Allowed values are EMAIL and SMS. If it's provided, make sure you have also specified email attribute for the EMAIL medium and phone_number for the SMS. More than one value can be specified. Amazon Cognito does not store the desired_delivery_mediums value. Defaults to ["SMS"].
+	DesiredDeliveryMediums []*string `json:"desiredDeliveryMediums,omitempty" tf:"desired_delivery_mediums,omitempty"`
+
+	// Specifies whether the user should be enabled after creation. The welcome message will be sent regardless of the enabled value. The behavior can be changed with message_action argument. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// If this parameter is set to True and the phone_number or email address specified in the attributes parameter already exists as an alias with a different user, Amazon Cognito will migrate the alias from the previous user to the newly created user. The previous user will no longer be able to log in using that alias. Amazon Cognito does not store the force_alias_creation value. Defaults to false.
+	ForceAliasCreation *bool `json:"forceAliasCreation,omitempty" tf:"force_alias_creation,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	LastModifiedDate *string `json:"lastModifiedDate,omitempty" tf:"last_modified_date,omitempty"`
 
+	// Set to RESEND to resend the invitation message to a user that already exists and reset the expiration limit on the user's account. Set to SUPPRESS to suppress sending the message. Only one value can be specified. Amazon Cognito does not store the message_action value.
+	MessageAction *string `json:"messageAction,omitempty" tf:"message_action,omitempty"`
+
 	MfaSettingList []*string `json:"mfaSettingList,omitempty" tf:"mfa_setting_list,omitempty"`
 
 	PreferredMfaSetting *string `json:"preferredMfaSetting,omitempty" tf:"preferred_mfa_setting,omitempty"`
@@ -29,6 +48,12 @@ type UserObservation struct {
 
 	// unique user id that is never reassignable to another user.
 	Sub *string `json:"sub,omitempty" tf:"sub,omitempty"`
+
+	// The user pool ID for the user pool where the user will be created.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
+
+	// The user's validation data. This is an array of name-value pairs that contain user attributes and attribute values that you can use for custom validation, such as restricting the types of user accounts that can be registered. Amazon Cognito does not store the validation_data value. For more information, see Customizing User Pool Workflows with Lambda Triggers.
+	ValidationData map[string]*string `json:"validationData,omitempty" tf:"validation_data,omitempty"`
 }
 
 type UserParameters struct {
diff --git a/apis/cognitoidp/v1beta1/zz_usergroup_types.go b/apis/cognitoidp/v1beta1/zz_usergroup_types.go
index 2b89e0c696..ad8904b792 100755
--- a/apis/cognitoidp/v1beta1/zz_usergroup_types.go
+++ b/apis/cognitoidp/v1beta1/zz_usergroup_types.go
@@ -14,7 +14,23 @@ import (
 )
 
 type UserGroupObservation struct {
+
+	// The description of the user group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the user group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The precedence of the user group.
+	Precedence *float64 `json:"precedence,omitempty" tf:"precedence,omitempty"`
+
+	// The ARN of the IAM role to be associated with the user group.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The user pool ID.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type UserGroupParameters struct {
@@ -24,8 +40,8 @@ type UserGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the user group.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The precedence of the user group.
 	// +kubebuilder:validation:Optional
@@ -88,8 +104,9 @@ type UserGroupStatus struct {
 type UserGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserGroupSpec   `json:"spec"`
-	Status            UserGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   UserGroupSpec   `json:"spec"`
+	Status UserGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidp/v1beta1/zz_useringroup_types.go b/apis/cognitoidp/v1beta1/zz_useringroup_types.go
index f7d05ac8c2..fd62a376eb 100755
--- a/apis/cognitoidp/v1beta1/zz_useringroup_types.go
+++ b/apis/cognitoidp/v1beta1/zz_useringroup_types.go
@@ -14,7 +14,17 @@ import (
 )
 
 type UserInGroupObservation struct {
+
+	// The name of the group to which the user is to be added.
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The user pool ID of the user and group.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
+
+	// The username of the user to be added to the group.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type UserInGroupParameters struct {
diff --git a/apis/cognitoidp/v1beta1/zz_userpool_types.go b/apis/cognitoidp/v1beta1/zz_userpool_types.go
index 34ecc2face..72d006de1c 100755
--- a/apis/cognitoidp/v1beta1/zz_userpool_types.go
+++ b/apis/cognitoidp/v1beta1/zz_userpool_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AccountRecoverySettingObservation struct {
+
+	// List of Account Recovery Options of the following structure:
+	RecoveryMechanism []RecoveryMechanismObservation `json:"recoveryMechanism,omitempty" tf:"recovery_mechanism,omitempty"`
 }
 
 type AccountRecoverySettingParameters struct {
@@ -24,6 +27,12 @@ type AccountRecoverySettingParameters struct {
 }
 
 type AdminCreateUserConfigObservation struct {
+
+	// Set to True if only the administrator is allowed to create user profiles. Set to False if users can sign themselves up via an app.
+	AllowAdminCreateUserOnly *bool `json:"allowAdminCreateUserOnly,omitempty" tf:"allow_admin_create_user_only,omitempty"`
+
+	// Invite message template structure. Detailed below.
+	InviteMessageTemplate []InviteMessageTemplateObservation `json:"inviteMessageTemplate,omitempty" tf:"invite_message_template,omitempty"`
 }
 
 type AdminCreateUserConfigParameters struct {
@@ -38,6 +47,12 @@ type AdminCreateUserConfigParameters struct {
 }
 
 type CustomEmailSenderObservation struct {
+
+	// The Lambda Amazon Resource Name of the Lambda function that Amazon Cognito triggers to send email notifications to users.
+	LambdaArn *string `json:"lambdaArn,omitempty" tf:"lambda_arn,omitempty"`
+
+	// The Lambda version represents the signature of the "request" attribute in the "event" information Amazon Cognito passes to your custom email Lambda function. The only supported value is V1_0.
+	LambdaVersion *string `json:"lambdaVersion,omitempty" tf:"lambda_version,omitempty"`
 }
 
 type CustomEmailSenderParameters struct {
@@ -52,6 +67,12 @@ type CustomEmailSenderParameters struct {
 }
 
 type CustomSMSSenderObservation struct {
+
+	// The Lambda Amazon Resource Name of the Lambda function that Amazon Cognito triggers to send SMS notifications to users.
+	LambdaArn *string `json:"lambdaArn,omitempty" tf:"lambda_arn,omitempty"`
+
+	// The Lambda version represents the signature of the "request" attribute in the "event" information Amazon Cognito passes to your custom SMS Lambda function. The only supported value is V1_0.
+	LambdaVersion *string `json:"lambdaVersion,omitempty" tf:"lambda_version,omitempty"`
 }
 
 type CustomSMSSenderParameters struct {
@@ -66,6 +87,12 @@ type CustomSMSSenderParameters struct {
 }
 
 type DeviceConfigurationObservation struct {
+
+	// Whether a challenge is required on a new device. Only applicable to a new device.
+	ChallengeRequiredOnNewDevice *bool `json:"challengeRequiredOnNewDevice,omitempty" tf:"challenge_required_on_new_device,omitempty"`
+
+	// Whether a device is only remembered on user prompt. false equates to "Always" remember, true is "User Opt In," and not using a device_configuration block is "No."
+	DeviceOnlyRememberedOnUserPrompt *bool `json:"deviceOnlyRememberedOnUserPrompt,omitempty" tf:"device_only_remembered_on_user_prompt,omitempty"`
 }
 
 type DeviceConfigurationParameters struct {
@@ -80,6 +107,21 @@ type DeviceConfigurationParameters struct {
 }
 
 type EmailConfigurationObservation struct {
+
+	// Email configuration set name from SES.
+	ConfigurationSet *string `json:"configurationSet,omitempty" tf:"configuration_set,omitempty"`
+
+	// Email delivery method to use. COGNITO_DEFAULT for the default email functionality built into Cognito or DEVELOPER to use your Amazon SES configuration.
+	EmailSendingAccount *string `json:"emailSendingAccount,omitempty" tf:"email_sending_account,omitempty"`
+
+	// Sender’s email address or sender’s display name with their email address (e.g., john@example.com, John Smith <john@example.com> or \"John Smith Ph.D.\" <john@example.com>). Escaped double quotes are required around display names that contain certain characters as specified in RFC 5322.
+	FromEmailAddress *string `json:"fromEmailAddress,omitempty" tf:"from_email_address,omitempty"`
+
+	// REPLY-TO email address.
+	ReplyToEmailAddress *string `json:"replyToEmailAddress,omitempty" tf:"reply_to_email_address,omitempty"`
+
+	// ARN of the SES verified email identity to use. Required if email_sending_account is set to DEVELOPER.
+	SourceArn *string `json:"sourceArn,omitempty" tf:"source_arn,omitempty"`
 }
 
 type EmailConfigurationParameters struct {
@@ -106,6 +148,15 @@ type EmailConfigurationParameters struct {
 }
 
 type InviteMessageTemplateObservation struct {
+
+	// Message template for email messages. Must contain {username} and {####} placeholders, for username and temporary password, respectively.
+	EmailMessage *string `json:"emailMessage,omitempty" tf:"email_message,omitempty"`
+
+	// Subject line for email messages.
+	EmailSubject *string `json:"emailSubject,omitempty" tf:"email_subject,omitempty"`
+
+	// Message template for SMS messages. Must contain {username} and {####} placeholders, for username and temporary password, respectively.
+	SMSMessage *string `json:"smsMessage,omitempty" tf:"sms_message,omitempty"`
 }
 
 type InviteMessageTemplateParameters struct {
@@ -124,6 +175,45 @@ type InviteMessageTemplateParameters struct {
 }
 
 type LambdaConfigObservation struct {
+
+	// ARN of the lambda creating an authentication challenge.
+	CreateAuthChallenge *string `json:"createAuthChallenge,omitempty" tf:"create_auth_challenge,omitempty"`
+
+	// A custom email sender AWS Lambda trigger. See custom_email_sender Below.
+	CustomEmailSender []CustomEmailSenderObservation `json:"customEmailSender,omitempty" tf:"custom_email_sender,omitempty"`
+
+	// Custom Message AWS Lambda trigger.
+	CustomMessage *string `json:"customMessage,omitempty" tf:"custom_message,omitempty"`
+
+	// A custom SMS sender AWS Lambda trigger. See custom_sms_sender Below.
+	CustomSMSSender []CustomSMSSenderObservation `json:"customSmsSender,omitempty" tf:"custom_sms_sender,omitempty"`
+
+	// Defines the authentication challenge.
+	DefineAuthChallenge *string `json:"defineAuthChallenge,omitempty" tf:"define_auth_challenge,omitempty"`
+
+	// The Amazon Resource Name of Key Management Service Customer master keys. Amazon Cognito uses the key to encrypt codes and temporary passwords sent to CustomEmailSender and CustomSMSSender.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Post-authentication AWS Lambda trigger.
+	PostAuthentication *string `json:"postAuthentication,omitempty" tf:"post_authentication,omitempty"`
+
+	// Post-confirmation AWS Lambda trigger.
+	PostConfirmation *string `json:"postConfirmation,omitempty" tf:"post_confirmation,omitempty"`
+
+	// Pre-authentication AWS Lambda trigger.
+	PreAuthentication *string `json:"preAuthentication,omitempty" tf:"pre_authentication,omitempty"`
+
+	// Pre-registration AWS Lambda trigger.
+	PreSignUp *string `json:"preSignUp,omitempty" tf:"pre_sign_up,omitempty"`
+
+	// Allow to customize identity token claims before token generation.
+	PreTokenGeneration *string `json:"preTokenGeneration,omitempty" tf:"pre_token_generation,omitempty"`
+
+	// User migration Lambda config type.
+	UserMigration *string `json:"userMigration,omitempty" tf:"user_migration,omitempty"`
+
+	// Verifies the authentication challenge response.
+	VerifyAuthChallengeResponse *string `json:"verifyAuthChallengeResponse,omitempty" tf:"verify_auth_challenge_response,omitempty"`
 }
 
 type LambdaConfigParameters struct {
@@ -182,6 +272,12 @@ type LambdaConfigParameters struct {
 }
 
 type NumberAttributeConstraintsObservation struct {
+
+	// Maximum value of an attribute that is of the number data type.
+	MaxValue *string `json:"maxValue,omitempty" tf:"max_value,omitempty"`
+
+	// Minimum value of an attribute that is of the number data type.
+	MinValue *string `json:"minValue,omitempty" tf:"min_value,omitempty"`
 }
 
 type NumberAttributeConstraintsParameters struct {
@@ -196,6 +292,24 @@ type NumberAttributeConstraintsParameters struct {
 }
 
 type PasswordPolicyObservation struct {
+
+	// Minimum length of the password policy that you have set.
+	MinimumLength *float64 `json:"minimumLength,omitempty" tf:"minimum_length,omitempty"`
+
+	// Whether you have required users to use at least one lowercase letter in their password.
+	RequireLowercase *bool `json:"requireLowercase,omitempty" tf:"require_lowercase,omitempty"`
+
+	// Whether you have required users to use at least one number in their password.
+	RequireNumbers *bool `json:"requireNumbers,omitempty" tf:"require_numbers,omitempty"`
+
+	// Whether you have required users to use at least one symbol in their password.
+	RequireSymbols *bool `json:"requireSymbols,omitempty" tf:"require_symbols,omitempty"`
+
+	// Whether you have required users to use at least one uppercase letter in their password.
+	RequireUppercase *bool `json:"requireUppercase,omitempty" tf:"require_uppercase,omitempty"`
+
+	// In the password policy you have set, refers to the number of days a temporary password is valid. If the user does not sign-in during this time, their password will need to be reset by an administrator.
+	TemporaryPasswordValidityDays *float64 `json:"temporaryPasswordValidityDays,omitempty" tf:"temporary_password_validity_days,omitempty"`
 }
 
 type PasswordPolicyParameters struct {
@@ -226,6 +340,12 @@ type PasswordPolicyParameters struct {
 }
 
 type RecoveryMechanismObservation struct {
+
+	// Name of the user pool.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Positive integer specifying priority of a method with 1 being the highest priority.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
 }
 
 type RecoveryMechanismParameters struct {
@@ -240,6 +360,15 @@ type RecoveryMechanismParameters struct {
 }
 
 type SMSConfigurationObservation struct {
+
+	// External ID used in IAM role trust relationships. For more information about using external IDs, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
+	ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"`
+
+	// ARN of the Amazon SNS caller. This is usually the IAM role that you've given Cognito permission to assume.
+	SnsCallerArn *string `json:"snsCallerArn,omitempty" tf:"sns_caller_arn,omitempty"`
+
+	// The AWS Region to use with Amazon SNS integration. You can choose the same Region as your user pool, or a supported Legacy Amazon SNS alternate Region. Amazon Cognito resources in the Asia Pacific (Seoul) AWS Region must use your Amazon SNS configuration in the Asia Pacific (Tokyo) Region. For more information, see SMS message settings for Amazon Cognito user pools.
+	SnsRegion *string `json:"snsRegion,omitempty" tf:"sns_region,omitempty"`
 }
 
 type SMSConfigurationParameters struct {
@@ -268,6 +397,27 @@ type SMSConfigurationParameters struct {
 }
 
 type SchemaObservation struct {
+
+	// Attribute data type. Must be one of Boolean, Number, String, DateTime.
+	AttributeDataType *string `json:"attributeDataType,omitempty" tf:"attribute_data_type,omitempty"`
+
+	// Whether the attribute type is developer only.
+	DeveloperOnlyAttribute *bool `json:"developerOnlyAttribute,omitempty" tf:"developer_only_attribute,omitempty"`
+
+	// Whether the attribute can be changed once it has been created.
+	Mutable *bool `json:"mutable,omitempty" tf:"mutable,omitempty"`
+
+	// Name of the user pool.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Configuration block for the constraints for an attribute of the number type. Detailed below.
+	NumberAttributeConstraints []NumberAttributeConstraintsObservation `json:"numberAttributeConstraints,omitempty" tf:"number_attribute_constraints,omitempty"`
+
+	// Whether a user pool attribute is required. If the attribute is required and the user does not provide a value, registration or sign-in will fail.
+	Required *bool `json:"required,omitempty" tf:"required,omitempty"`
+
+	// Constraints for an attribute of the string type. Detailed below.
+	StringAttributeConstraints []StringAttributeConstraintsObservation `json:"stringAttributeConstraints,omitempty" tf:"string_attribute_constraints,omitempty"`
 }
 
 type SchemaParameters struct {
@@ -302,6 +452,9 @@ type SchemaParameters struct {
 }
 
 type SoftwareTokenMfaConfigurationObservation struct {
+
+	// Boolean whether to enable software token Multi-Factor (MFA) tokens, such as Time-based One-Time Password (TOTP). To disable software token MFA When sms_configuration is not present, the mfa_configuration argument must be set to OFF and the software_token_mfa_configuration configuration block must be fully removed.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type SoftwareTokenMfaConfigurationParameters struct {
@@ -312,6 +465,12 @@ type SoftwareTokenMfaConfigurationParameters struct {
 }
 
 type StringAttributeConstraintsObservation struct {
+
+	// Maximum length of an attribute value of the string type.
+	MaxLength *string `json:"maxLength,omitempty" tf:"max_length,omitempty"`
+
+	// Minimum length of an attribute value of the string type.
+	MinLength *string `json:"minLength,omitempty" tf:"min_length,omitempty"`
 }
 
 type StringAttributeConstraintsParameters struct {
@@ -326,6 +485,9 @@ type StringAttributeConstraintsParameters struct {
 }
 
 type UserAttributeUpdateSettingsObservation struct {
+
+	// A list of attributes requiring verification before update. If set, the provided value(s) must also be set in auto_verified_attributes. Valid values: email, phone_number.
+	AttributesRequireVerificationBeforeUpdate []*string `json:"attributesRequireVerificationBeforeUpdate,omitempty" tf:"attributes_require_verification_before_update,omitempty"`
 }
 
 type UserAttributeUpdateSettingsParameters struct {
@@ -336,6 +498,9 @@ type UserAttributeUpdateSettingsParameters struct {
 }
 
 type UserPoolAddOnsObservation struct {
+
+	// Mode for advanced security, must be one of OFF, AUDIT or ENFORCED.
+	AdvancedSecurityMode *string `json:"advancedSecurityMode,omitempty" tf:"advanced_security_mode,omitempty"`
 }
 
 type UserPoolAddOnsParameters struct {
@@ -347,18 +512,45 @@ type UserPoolAddOnsParameters struct {
 
 type UserPoolObservation struct {
 
+	// Configuration block to define which verified available method a user can use to recover their forgotten password. Detailed below.
+	AccountRecoverySetting []AccountRecoverySettingObservation `json:"accountRecoverySetting,omitempty" tf:"account_recovery_setting,omitempty"`
+
+	// Configuration block for creating a new user profile. Detailed below.
+	AdminCreateUserConfig []AdminCreateUserConfigObservation `json:"adminCreateUserConfig,omitempty" tf:"admin_create_user_config,omitempty"`
+
+	// Attributes supported as an alias for this user pool. Valid values: phone_number, email, or preferred_username. Conflicts with username_attributes.
+	AliasAttributes []*string `json:"aliasAttributes,omitempty" tf:"alias_attributes,omitempty"`
+
 	// ARN of the user pool.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Attributes to be auto-verified. Valid values: email, phone_number.
+	AutoVerifiedAttributes []*string `json:"autoVerifiedAttributes,omitempty" tf:"auto_verified_attributes,omitempty"`
+
 	// Date the user pool was created.
 	CreationDate *string `json:"creationDate,omitempty" tf:"creation_date,omitempty"`
 
 	// A custom domain name that you provide to Amazon Cognito. This parameter applies only if you use a custom domain to host the sign-up and sign-in pages for your application. For example: auth.example.com.
 	CustomDomain *string `json:"customDomain,omitempty" tf:"custom_domain,omitempty"`
 
+	// When active, DeletionProtection prevents accidental deletion of your user pool. Before you can delete a user pool that you have protected against deletion, you must deactivate this feature. Valid values are ACTIVE and INACTIVE, Default value is INACTIVE.
+	DeletionProtection *string `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// Configuration block for the user pool's device tracking. Detailed below.
+	DeviceConfiguration []DeviceConfigurationObservation `json:"deviceConfiguration,omitempty" tf:"device_configuration,omitempty"`
+
 	// Holds the domain prefix if the user pool has a domain associated with it.
 	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
 
+	// Configuration block for configuring email. Detailed below.
+	EmailConfiguration []EmailConfigurationObservation `json:"emailConfiguration,omitempty" tf:"email_configuration,omitempty"`
+
+	// String representing the email verification message. Conflicts with verification_message_template configuration block email_message argument.
+	EmailVerificationMessage *string `json:"emailVerificationMessage,omitempty" tf:"email_verification_message,omitempty"`
+
+	// String representing the email verification subject. Conflicts with verification_message_template configuration block email_subject argument.
+	EmailVerificationSubject *string `json:"emailVerificationSubject,omitempty" tf:"email_verification_subject,omitempty"`
+
 	// Endpoint name of the user pool. Example format: cognito-idp.REGION.amazonaws.com/xxxx_yyyyy
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
@@ -368,11 +560,56 @@ type UserPoolObservation struct {
 	// ID of the user pool.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block for the AWS Lambda triggers associated with the user pool. Detailed below.
+	LambdaConfig []LambdaConfigObservation `json:"lambdaConfig,omitempty" tf:"lambda_config,omitempty"`
+
 	// Date the user pool was last modified.
 	LastModifiedDate *string `json:"lastModifiedDate,omitempty" tf:"last_modified_date,omitempty"`
 
+	// Multi-Factor Authentication (MFA) configuration for the User Pool. Defaults of OFF. Valid values are OFF (MFA Tokens are not required), ON (MFA is required for all users to sign in; requires at least one of sms_configuration or software_token_mfa_configuration to be configured), or OPTIONAL (MFA Will be required only for individual users who have MFA Enabled; requires at least one of sms_configuration or software_token_mfa_configuration to be configured).
+	MfaConfiguration *string `json:"mfaConfiguration,omitempty" tf:"mfa_configuration,omitempty"`
+
+	// Name of the user pool.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Configuration blocked for information about the user pool password policy. Detailed below.
+	PasswordPolicy []PasswordPolicyObservation `json:"passwordPolicy,omitempty" tf:"password_policy,omitempty"`
+
+	// String representing the SMS authentication message. The Message must contain the {####} placeholder, which will be replaced with the code.
+	SMSAuthenticationMessage *string `json:"smsAuthenticationMessage,omitempty" tf:"sms_authentication_message,omitempty"`
+
+	// Configuration block for Short Message Service (SMS) settings. Detailed below. These settings apply to SMS user verification and SMS Multi-Factor Authentication (MFA). Due to Cognito API restrictions, the SMS configuration cannot be removed without recreating the Cognito User Pool. For user data safety, this resource will ignore the removal of this configuration by disabling drift detection. To force resource recreation after this configuration has been applied, see the taint command.
+	SMSConfiguration []SMSConfigurationObservation `json:"smsConfiguration,omitempty" tf:"sms_configuration,omitempty"`
+
+	// String representing the SMS verification message. Conflicts with verification_message_template configuration block sms_message argument.
+	SMSVerificationMessage *string `json:"smsVerificationMessage,omitempty" tf:"sms_verification_message,omitempty"`
+
+	// Configuration block for the schema attributes of a user pool. Detailed below. Schema attributes from the standard attribute set only need to be specified if they are different from the default configuration. Attributes can be added, but not modified or removed. Maximum of 50 attributes.
+	Schema []SchemaObservation `json:"schema,omitempty" tf:"schema,omitempty"`
+
+	// Configuration block for software token Mult-Factor Authentication (MFA) settings. Detailed below.
+	SoftwareTokenMfaConfiguration []SoftwareTokenMfaConfigurationObservation `json:"softwareTokenMfaConfiguration,omitempty" tf:"software_token_mfa_configuration,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration block for user attribute update settings. Detailed below.
+	UserAttributeUpdateSettings []UserAttributeUpdateSettingsObservation `json:"userAttributeUpdateSettings,omitempty" tf:"user_attribute_update_settings,omitempty"`
+
+	// Configuration block for user pool add-ons to enable user pool advanced security mode features. Detailed below.
+	UserPoolAddOns []UserPoolAddOnsObservation `json:"userPoolAddOns,omitempty" tf:"user_pool_add_ons,omitempty"`
+
+	// Whether email addresses or phone numbers can be specified as usernames when a user signs up. Conflicts with alias_attributes.
+	UsernameAttributes []*string `json:"usernameAttributes,omitempty" tf:"username_attributes,omitempty"`
+
+	// Configuration block for username configuration. Detailed below.
+	UsernameConfiguration []UsernameConfigurationObservation `json:"usernameConfiguration,omitempty" tf:"username_configuration,omitempty"`
+
+	// Configuration block for verification message templates. Detailed below.
+	VerificationMessageTemplate []VerificationMessageTemplateObservation `json:"verificationMessageTemplate,omitempty" tf:"verification_message_template,omitempty"`
 }
 
 type UserPoolParameters struct {
@@ -422,8 +659,8 @@ type UserPoolParameters struct {
 	MfaConfiguration *string `json:"mfaConfiguration,omitempty" tf:"mfa_configuration,omitempty"`
 
 	// Name of the user pool.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Configuration blocked for information about the user pool password policy. Detailed below.
 	// +kubebuilder:validation:Optional
@@ -480,6 +717,9 @@ type UserPoolParameters struct {
 }
 
 type UsernameConfigurationObservation struct {
+
+	// Whether username case sensitivity will be applied for all users in the user pool through Cognito APIs.
+	CaseSensitive *bool `json:"caseSensitive,omitempty" tf:"case_sensitive,omitempty"`
 }
 
 type UsernameConfigurationParameters struct {
@@ -490,6 +730,24 @@ type UsernameConfigurationParameters struct {
 }
 
 type VerificationMessageTemplateObservation struct {
+
+	// Default email option. Must be either CONFIRM_WITH_CODE or CONFIRM_WITH_LINK. Defaults to CONFIRM_WITH_CODE.
+	DefaultEmailOption *string `json:"defaultEmailOption,omitempty" tf:"default_email_option,omitempty"`
+
+	// Email message template. Must contain the {####} placeholder. Conflicts with email_verification_message argument.
+	EmailMessage *string `json:"emailMessage,omitempty" tf:"email_message,omitempty"`
+
+	// Email message template for sending a confirmation link to the user, it must contain the {##Click Here##} placeholder.
+	EmailMessageByLink *string `json:"emailMessageByLink,omitempty" tf:"email_message_by_link,omitempty"`
+
+	// Subject line for the email message template. Conflicts with email_verification_subject argument.
+	EmailSubject *string `json:"emailSubject,omitempty" tf:"email_subject,omitempty"`
+
+	// Subject line for the email message template for sending a confirmation link to the user.
+	EmailSubjectByLink *string `json:"emailSubjectByLink,omitempty" tf:"email_subject_by_link,omitempty"`
+
+	// SMS message template. Must contain the {####} placeholder. Conflicts with sms_verification_message argument.
+	SMSMessage *string `json:"smsMessage,omitempty" tf:"sms_message,omitempty"`
 }
 
 type VerificationMessageTemplateParameters struct {
@@ -543,8 +801,9 @@ type UserPoolStatus struct {
 type UserPool struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserPoolSpec   `json:"spec"`
-	Status            UserPoolStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   UserPoolSpec   `json:"spec"`
+	Status UserPoolStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidp/v1beta1/zz_userpoolclient_types.go b/apis/cognitoidp/v1beta1/zz_userpoolclient_types.go
index d945787970..cf62b37e55 100755
--- a/apis/cognitoidp/v1beta1/zz_userpoolclient_types.go
+++ b/apis/cognitoidp/v1beta1/zz_userpoolclient_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type AnalyticsConfigurationObservation struct {
+
+	// Application ARN for an Amazon Pinpoint application. Conflicts with external_id and role_arn.
+	ApplicationArn *string `json:"applicationArn,omitempty" tf:"application_arn,omitempty"`
+
+	// Application ID for an Amazon Pinpoint application.
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
+
+	// ID for the Analytics Configuration. Conflicts with application_arn.
+	ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"`
+
+	// ARN of an IAM role that authorizes Amazon Cognito to publish events to Amazon Pinpoint analytics. Conflicts with application_arn.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// If set to true, Amazon Cognito will include user data in the events it publishes to Amazon Pinpoint analytics.
+	UserDataShared *bool `json:"userDataShared,omitempty" tf:"user_data_shared,omitempty"`
 }
 
 type AnalyticsConfigurationParameters struct {
@@ -60,6 +75,15 @@ type AnalyticsConfigurationParameters struct {
 }
 
 type TokenValidityUnitsObservation struct {
+
+	// Time unit in for the value in access_token_validity, defaults to hours.
+	AccessToken *string `json:"accessToken,omitempty" tf:"access_token,omitempty"`
+
+	// Time unit in for the value in id_token_validity, defaults to hours.
+	IDToken *string `json:"idToken,omitempty" tf:"id_token,omitempty"`
+
+	// Time unit in for the value in refresh_token_validity, defaults to days.
+	RefreshToken *string `json:"refreshToken,omitempty" tf:"refresh_token,omitempty"`
 }
 
 type TokenValidityUnitsParameters struct {
@@ -79,8 +103,74 @@ type TokenValidityUnitsParameters struct {
 
 type UserPoolClientObservation struct {
 
+	// Time limit, between 5 minutes and 1 day, after which the access token is no longer valid and cannot be used. This value will be overridden if you have entered a value in token_validity_units.
+	AccessTokenValidity *float64 `json:"accessTokenValidity,omitempty" tf:"access_token_validity,omitempty"`
+
+	// List of allowed OAuth flows (code, implicit, client_credentials).
+	AllowedOauthFlows []*string `json:"allowedOauthFlows,omitempty" tf:"allowed_oauth_flows,omitempty"`
+
+	// Whether the client is allowed to follow the OAuth protocol when interacting with Cognito user pools.
+	AllowedOauthFlowsUserPoolClient *bool `json:"allowedOauthFlowsUserPoolClient,omitempty" tf:"allowed_oauth_flows_user_pool_client,omitempty"`
+
+	// List of allowed OAuth scopes (phone, email, openid, profile, and aws.cognito.signin.user.admin).
+	AllowedOauthScopes []*string `json:"allowedOauthScopes,omitempty" tf:"allowed_oauth_scopes,omitempty"`
+
+	// Configuration block for Amazon Pinpoint analytics for collecting metrics for this user pool. Detailed below.
+	AnalyticsConfiguration []AnalyticsConfigurationObservation `json:"analyticsConfiguration,omitempty" tf:"analytics_configuration,omitempty"`
+
+	// Amazon Cognito creates a session token for each API request in an authentication flow. AuthSessionValidity is the duration, in minutes, of that session token. Your user pool native user must respond to each authentication challenge before the session expires. Valid values between 3 and 15. Default value is 3.
+	AuthSessionValidity *float64 `json:"authSessionValidity,omitempty" tf:"auth_session_validity,omitempty"`
+
+	// List of allowed callback URLs for the identity providers.
+	CallbackUrls []*string `json:"callbackUrls,omitempty" tf:"callback_urls,omitempty"`
+
+	// Default redirect URI. Must be in the list of callback URLs.
+	DefaultRedirectURI *string `json:"defaultRedirectUri,omitempty" tf:"default_redirect_uri,omitempty"`
+
+	// Activates the propagation of additional user context data.
+	EnablePropagateAdditionalUserContextData *bool `json:"enablePropagateAdditionalUserContextData,omitempty" tf:"enable_propagate_additional_user_context_data,omitempty"`
+
+	// Enables or disables token revocation.
+	EnableTokenRevocation *bool `json:"enableTokenRevocation,omitempty" tf:"enable_token_revocation,omitempty"`
+
+	// List of authentication flows (ADMIN_NO_SRP_AUTH, CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH, ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH, ALLOW_REFRESH_TOKEN_AUTH).
+	ExplicitAuthFlows []*string `json:"explicitAuthFlows,omitempty" tf:"explicit_auth_flows,omitempty"`
+
+	// Should an application secret be generated.
+	GenerateSecret *bool `json:"generateSecret,omitempty" tf:"generate_secret,omitempty"`
+
 	// ID of the user pool client.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Time limit, between 5 minutes and 1 day, after which the ID token is no longer valid and cannot be used. This value will be overridden if you have entered a value in token_validity_units.
+	IDTokenValidity *float64 `json:"idTokenValidity,omitempty" tf:"id_token_validity,omitempty"`
+
+	// List of allowed logout URLs for the identity providers.
+	LogoutUrls []*string `json:"logoutUrls,omitempty" tf:"logout_urls,omitempty"`
+
+	// Name of the application client.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
+	PreventUserExistenceErrors *string `json:"preventUserExistenceErrors,omitempty" tf:"prevent_user_existence_errors,omitempty"`
+
+	// List of user pool attributes the application client can read from.
+	ReadAttributes []*string `json:"readAttributes,omitempty" tf:"read_attributes,omitempty"`
+
+	// Time limit in days refresh tokens are valid for.
+	RefreshTokenValidity *float64 `json:"refreshTokenValidity,omitempty" tf:"refresh_token_validity,omitempty"`
+
+	// List of provider names for the identity providers that are supported on this client. Uses the provider_name attribute of aws_cognito_identity_provider resource(s), or the equivalent string(s).
+	SupportedIdentityProviders []*string `json:"supportedIdentityProviders,omitempty" tf:"supported_identity_providers,omitempty"`
+
+	// Configuration block for units in which the validity times are represented in. Detailed below.
+	TokenValidityUnits []TokenValidityUnitsObservation `json:"tokenValidityUnits,omitempty" tf:"token_validity_units,omitempty"`
+
+	// User pool the client belongs to.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
+
+	// List of user pool attributes the application client can write to.
+	WriteAttributes []*string `json:"writeAttributes,omitempty" tf:"write_attributes,omitempty"`
 }
 
 type UserPoolClientParameters struct {
@@ -142,8 +232,8 @@ type UserPoolClientParameters struct {
 	LogoutUrls []*string `json:"logoutUrls,omitempty" tf:"logout_urls,omitempty"`
 
 	// Name of the application client.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Choose which errors and responses are returned by Cognito APIs during authentication, account confirmation, and password recovery when the user does not exist in the user pool. When set to ENABLED and the user does not exist, authentication returns an error indicating either the username or password was incorrect, and account confirmation and password recovery return a response indicating a code was sent to a simulated destination. When set to LEGACY, those APIs will return a UserNotFoundException exception if the user does not exist in the user pool.
 	// +kubebuilder:validation:Optional
@@ -212,8 +302,9 @@ type UserPoolClientStatus struct {
 type UserPoolClient struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserPoolClientSpec   `json:"spec"`
-	Status            UserPoolClientStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   UserPoolClientSpec   `json:"spec"`
+	Status UserPoolClientStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidp/v1beta1/zz_userpooldomain_types.go b/apis/cognitoidp/v1beta1/zz_userpooldomain_types.go
index 517d1f84df..dd6479244c 100755
--- a/apis/cognitoidp/v1beta1/zz_userpooldomain_types.go
+++ b/apis/cognitoidp/v1beta1/zz_userpooldomain_types.go
@@ -18,14 +18,23 @@ type UserPoolDomainObservation struct {
 	// The AWS account ID for the user pool owner.
 	AwsAccountID *string `json:"awsAccountId,omitempty" tf:"aws_account_id,omitempty"`
 
+	// The ARN of an ISSUED ACM certificate in us-east-1 for a custom domain.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
 	// The URL of the CloudFront distribution. This is required to generate the ALIAS aws_route53_record
 	CloudfrontDistributionArn *string `json:"cloudfrontDistributionArn,omitempty" tf:"cloudfront_distribution_arn,omitempty"`
 
+	// For custom domains, this is the fully-qualified domain name, such as auth.example.com. For Amazon Cognito prefix domains, this is the prefix alone, such as auth.
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The S3 bucket where the static files for this domain are stored.
 	S3Bucket *string `json:"s3Bucket,omitempty" tf:"s3_bucket,omitempty"`
 
+	// The user pool ID.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
+
 	// The app version.
 	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
@@ -47,8 +56,8 @@ type UserPoolDomainParameters struct {
 	CertificateArnSelector *v1.Selector `json:"certificateArnSelector,omitempty" tf:"-"`
 
 	// For custom domains, this is the fully-qualified domain name, such as auth.example.com. For Amazon Cognito prefix domains, this is the prefix alone, such as auth.
-	// +kubebuilder:validation:Required
-	Domain *string `json:"domain" tf:"domain,omitempty"`
+	// +kubebuilder:validation:Optional
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -93,8 +102,9 @@ type UserPoolDomainStatus struct {
 type UserPoolDomain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserPoolDomainSpec   `json:"spec"`
-	Status            UserPoolDomainStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domain)",message="domain is a required parameter"
+	Spec   UserPoolDomainSpec   `json:"spec"`
+	Status UserPoolDomainStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cognitoidp/v1beta1/zz_userpooluicustomization_types.go b/apis/cognitoidp/v1beta1/zz_userpooluicustomization_types.go
index 730024b77c..644eecafea 100755
--- a/apis/cognitoidp/v1beta1/zz_userpooluicustomization_types.go
+++ b/apis/cognitoidp/v1beta1/zz_userpooluicustomization_types.go
@@ -15,19 +15,31 @@ import (
 
 type UserPoolUICustomizationObservation struct {
 
+	// The CSS values in the UI customization, provided as a String. At least one of css or image_file is required.
+	CSS *string `json:"css,omitempty" tf:"css,omitempty"`
+
 	// The CSS version number.
 	CSSVersion *string `json:"cssVersion,omitempty" tf:"css_version,omitempty"`
 
+	// The client ID for the client app. Defaults to ALL. If ALL is specified, the css and/or image_file settings will be used for every client that has no UI customization set previously.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
 	// The creation date in RFC3339 format for the UI customization.
 	CreationDate *string `json:"creationDate,omitempty" tf:"creation_date,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The uploaded logo image for the UI customization, provided as a base64-encoded String. Drift detection is not possible for this argument. At least one of css or image_file is required.
+	ImageFile *string `json:"imageFile,omitempty" tf:"image_file,omitempty"`
+
 	// The logo image URL for the UI customization.
 	ImageURL *string `json:"imageUrl,omitempty" tf:"image_url,omitempty"`
 
 	// The last-modified date in RFC3339 format for the UI customization.
 	LastModifiedDate *string `json:"lastModifiedDate,omitempty" tf:"last_modified_date,omitempty"`
+
+	// The user pool ID for the user pool.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type UserPoolUICustomizationParameters struct {
diff --git a/apis/configservice/v1beta1/zz_awsconfigurationrecorderstatus_types.go b/apis/configservice/v1beta1/zz_awsconfigurationrecorderstatus_types.go
index 0f1ea4a633..915617f028 100755
--- a/apis/configservice/v1beta1/zz_awsconfigurationrecorderstatus_types.go
+++ b/apis/configservice/v1beta1/zz_awsconfigurationrecorderstatus_types.go
@@ -15,13 +15,16 @@ import (
 
 type AWSConfigurationRecorderStatusObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Whether the configuration recorder should be enabled or disabled.
+	IsEnabled *bool `json:"isEnabled,omitempty" tf:"is_enabled,omitempty"`
 }
 
 type AWSConfigurationRecorderStatusParameters struct {
 
 	// Whether the configuration recorder should be enabled or disabled.
-	// +kubebuilder:validation:Required
-	IsEnabled *bool `json:"isEnabled" tf:"is_enabled,omitempty"`
+	// +kubebuilder:validation:Optional
+	IsEnabled *bool `json:"isEnabled,omitempty" tf:"is_enabled,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -53,8 +56,9 @@ type AWSConfigurationRecorderStatusStatus struct {
 type AWSConfigurationRecorderStatus struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AWSConfigurationRecorderStatusSpec   `json:"spec"`
-	Status            AWSConfigurationRecorderStatusStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.isEnabled)",message="isEnabled is a required parameter"
+	Spec   AWSConfigurationRecorderStatusSpec   `json:"spec"`
+	Status AWSConfigurationRecorderStatusStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/configservice/v1beta1/zz_configrule_types.go b/apis/configservice/v1beta1/zz_configrule_types.go
index 3ca150536f..a4ba9a0f62 100755
--- a/apis/configservice/v1beta1/zz_configrule_types.go
+++ b/apis/configservice/v1beta1/zz_configrule_types.go
@@ -18,11 +18,29 @@ type ConfigRuleObservation struct {
 	// The ARN of the config rule
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the rule
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A string in JSON format that is passed to the AWS Config rule Lambda function.
+	InputParameters *string `json:"inputParameters,omitempty" tf:"input_parameters,omitempty"`
+
+	// The maximum frequency with which AWS Config runs evaluations for a rule.
+	MaximumExecutionFrequency *string `json:"maximumExecutionFrequency,omitempty" tf:"maximum_execution_frequency,omitempty"`
+
 	// The ID of the config rule
 	RuleID *string `json:"ruleId,omitempty" tf:"rule_id,omitempty"`
 
+	// Scope defines which resources can trigger an evaluation for the rule. See Source Below.
+	Scope []ScopeObservation `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Scope Below.
+	Source []SourceObservation `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -51,8 +69,8 @@ type ConfigRuleParameters struct {
 	Scope []ScopeParameters `json:"scope,omitempty" tf:"scope,omitempty"`
 
 	// Source specifies the rule owner, the rule identifier, and the notifications that cause the function to evaluate your AWS resources. See Scope Below.
-	// +kubebuilder:validation:Required
-	Source []SourceParameters `json:"source" tf:"source,omitempty"`
+	// +kubebuilder:validation:Optional
+	Source []SourceParameters `json:"source,omitempty" tf:"source,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -60,6 +78,15 @@ type ConfigRuleParameters struct {
 }
 
 type CustomPolicyDetailsObservation struct {
+
+	// The boolean expression for enabling debug logging for your Config Custom Policy rule. The default value is false.
+	EnableDebugLogDelivery *bool `json:"enableDebugLogDelivery,omitempty" tf:"enable_debug_log_delivery,omitempty"`
+
+	// The runtime system for your Config Custom Policy rule. Guard is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. For more information about Guard, see the Guard GitHub Repository.
+	PolicyRuntime *string `json:"policyRuntime,omitempty" tf:"policy_runtime,omitempty"`
+
+	// The policy definition containing the logic for your Config Custom Policy rule.
+	PolicyText *string `json:"policyText,omitempty" tf:"policy_text,omitempty"`
 }
 
 type CustomPolicyDetailsParameters struct {
@@ -78,6 +105,18 @@ type CustomPolicyDetailsParameters struct {
 }
 
 type ScopeObservation struct {
+
+	// The IDs of the only AWS resource that you want to trigger an evaluation for the rule. If you specify a resource ID, you must specify one resource type for compliance_resource_types.
+	ComplianceResourceID *string `json:"complianceResourceId,omitempty" tf:"compliance_resource_id,omitempty"`
+
+	// A list of resource types of only those AWS resources that you want to trigger an evaluation for the ruleE.g., AWS::EC2::Instance. You can only specify one type if you also specify a resource ID for compliance_resource_id. See relevant part of AWS Docs for available types.
+	ComplianceResourceTypes []*string `json:"complianceResourceTypes,omitempty" tf:"compliance_resource_types,omitempty"`
+
+	// The tag key that is applied to only those AWS resources that you want you want to trigger an evaluation for the rule.
+	TagKey *string `json:"tagKey,omitempty" tf:"tag_key,omitempty"`
+
+	// The tag value applied to only those AWS resources that you want to trigger an evaluation for the rule.
+	TagValue *string `json:"tagValue,omitempty" tf:"tag_value,omitempty"`
 }
 
 type ScopeParameters struct {
@@ -100,6 +139,15 @@ type ScopeParameters struct {
 }
 
 type SourceDetailObservation struct {
+
+	// The source of the event, such as an AWS service, that triggers AWS Config to evaluate your AWSresources. This defaults to aws.config and is the only valid value.
+	EventSource *string `json:"eventSource,omitempty" tf:"event_source,omitempty"`
+
+	// The maximum frequency with which AWS Config runs evaluations for a rule.
+	MaximumExecutionFrequency *string `json:"maximumExecutionFrequency,omitempty" tf:"maximum_execution_frequency,omitempty"`
+
+	// The type of notification that triggers AWS Config to run an evaluation for a rule. You canspecify the following notification types:
+	MessageType *string `json:"messageType,omitempty" tf:"message_type,omitempty"`
 }
 
 type SourceDetailParameters struct {
@@ -118,6 +166,18 @@ type SourceDetailParameters struct {
 }
 
 type SourceObservation struct {
+
+	// Provides the runtime system, policy definition, and whether debug logging is enabled. Required when owner is set to CUSTOM_POLICY. See Custom Policy Details Below.
+	CustomPolicyDetails []CustomPolicyDetailsObservation `json:"customPolicyDetails,omitempty" tf:"custom_policy_details,omitempty"`
+
+	// Indicates whether AWS or the customer owns and manages the AWS Config rule. Valid values are AWS, CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about managed rules, see the AWS Config Managed Rules documentation. For more information about custom rules, see the AWS Config Custom Rules documentation. Custom Lambda Functions require permissions to allow the AWS Config service to invoke them, e.g., via the aws_lambda_permission resource.
+	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
+
+	// Provides the source and type of the event that causes AWS Config to evaluate your AWS resources. Only valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See Source Detail Below.
+	SourceDetail []SourceDetailObservation `json:"sourceDetail,omitempty" tf:"source_detail,omitempty"`
+
+	// For AWS Config managed rules, a predefined identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda rules, the identifier is the ARN of the Lambda Function, such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name or the arn attribute of the aws_lambda_function resource.
+	SourceIdentifier *string `json:"sourceIdentifier,omitempty" tf:"source_identifier,omitempty"`
 }
 
 type SourceParameters struct {
@@ -173,8 +233,9 @@ type ConfigRuleStatus struct {
 type ConfigRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConfigRuleSpec   `json:"spec"`
-	Status            ConfigRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)",message="source is a required parameter"
+	Spec   ConfigRuleSpec   `json:"spec"`
+	Status ConfigRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/configservice/v1beta1/zz_configurationaggregator_types.go b/apis/configservice/v1beta1/zz_configurationaggregator_types.go
index 8584886467..66bc464981 100755
--- a/apis/configservice/v1beta1/zz_configurationaggregator_types.go
+++ b/apis/configservice/v1beta1/zz_configurationaggregator_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AccountAggregationSourceObservation struct {
+
+	// List of 12-digit account IDs of the account(s) being aggregated.
+	AccountIds []*string `json:"accountIds,omitempty" tf:"account_ids,omitempty"`
+
+	// If true, aggregate existing AWS Config regions and future regions.
+	AllRegions *bool `json:"allRegions,omitempty" tf:"all_regions,omitempty"`
+
+	// List of source regions being aggregated.
+	Regions []*string `json:"regions,omitempty" tf:"regions,omitempty"`
 }
 
 type AccountAggregationSourceParameters struct {
@@ -33,11 +42,20 @@ type AccountAggregationSourceParameters struct {
 
 type ConfigurationAggregatorObservation struct {
 
+	// The account(s) to aggregate config data from as documented below.
+	AccountAggregationSource []AccountAggregationSourceObservation `json:"accountAggregationSource,omitempty" tf:"account_aggregation_source,omitempty"`
+
 	// The ARN of the aggregator
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The organization to aggregate config data from as documented below.
+	OrganizationAggregationSource []OrganizationAggregationSourceObservation `json:"organizationAggregationSource,omitempty" tf:"organization_aggregation_source,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -63,6 +81,15 @@ type ConfigurationAggregatorParameters struct {
 }
 
 type OrganizationAggregationSourceObservation struct {
+
+	// If true, aggregate existing AWS Config regions and future regions.
+	AllRegions *bool `json:"allRegions,omitempty" tf:"all_regions,omitempty"`
+
+	// List of source regions being aggregated.
+	Regions []*string `json:"regions,omitempty" tf:"regions,omitempty"`
+
+	// ARN of the IAM role used to retrieve AWS Organization details associated with the aggregator account.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type OrganizationAggregationSourceParameters struct {
diff --git a/apis/configservice/v1beta1/zz_configurationrecorder_types.go b/apis/configservice/v1beta1/zz_configurationrecorder_types.go
index eaefba66e0..fc9804dbcf 100755
--- a/apis/configservice/v1beta1/zz_configurationrecorder_types.go
+++ b/apis/configservice/v1beta1/zz_configurationrecorder_types.go
@@ -17,6 +17,12 @@ type ConfigurationRecorderObservation struct {
 
 	// Name of the recorder
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Recording group - see below.
+	RecordingGroup []RecordingGroupObservation `json:"recordingGroup,omitempty" tf:"recording_group,omitempty"`
+
+	// Amazon Resource Name (ARN) of the IAM role. Used to make read or write requests to the delivery channel and to describe the AWS resources associated with the account. See AWS Docs for more details.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type ConfigurationRecorderParameters struct {
@@ -46,6 +52,15 @@ type ConfigurationRecorderParameters struct {
 }
 
 type RecordingGroupObservation struct {
+
+	// Specifies whether AWS Config records configuration changes for every supported type of regional resource (which includes any new type that will become supported in the future). Conflicts with resource_types. Defaults to true.
+	AllSupported *bool `json:"allSupported,omitempty" tf:"all_supported,omitempty"`
+
+	// Specifies whether AWS Config includes all supported types of global resources with the resources that it records. Requires all_supported = true. Conflicts with resource_types.
+	IncludeGlobalResourceTypes *bool `json:"includeGlobalResourceTypes,omitempty" tf:"include_global_resource_types,omitempty"`
+
+	// A list that specifies the types of AWS resources for which AWS Config records configuration changes (for example, AWS::EC2::Instance or AWS::CloudTrail::Trail). See relevant part of AWS Docs for available types. In order to use this attribute, all_supported must be set to false.
+	ResourceTypes []*string `json:"resourceTypes,omitempty" tf:"resource_types,omitempty"`
 }
 
 type RecordingGroupParameters struct {
diff --git a/apis/configservice/v1beta1/zz_conformancepack_types.go b/apis/configservice/v1beta1/zz_conformancepack_types.go
index f41f24ff6b..8e5fb4b03e 100755
--- a/apis/configservice/v1beta1/zz_conformancepack_types.go
+++ b/apis/configservice/v1beta1/zz_conformancepack_types.go
@@ -18,7 +18,22 @@ type ConformancePackObservation struct {
 	// Amazon Resource Name (ARN) of the conformance pack.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Amazon S3 bucket where AWS Config stores conformance pack templates. Maximum length of 63.
+	DeliveryS3Bucket *string `json:"deliveryS3Bucket,omitempty" tf:"delivery_s3_bucket,omitempty"`
+
+	// The prefix for the Amazon S3 bucket. Maximum length of 1024.
+	DeliveryS3KeyPrefix *string `json:"deliveryS3KeyPrefix,omitempty" tf:"delivery_s3_key_prefix,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Set of configuration blocks describing input parameters passed to the conformance pack template. Documented below. When configured, the parameters must also be included in the template_body or in the template stored in Amazon S3 if using template_s3_uri.
+	InputParameter []InputParameterObservation `json:"inputParameter,omitempty" tf:"input_parameter,omitempty"`
+
+	// A string containing full conformance pack template body. Maximum length of 51200. Drift detection is not possible with this argument.
+	TemplateBody *string `json:"templateBody,omitempty" tf:"template_body,omitempty"`
+
+	// Location of file, e.g., s3://bucketname/prefix, containing the template body. The uri must point to the conformance pack template that is located in an Amazon S3 bucket in the same region as the conformance pack. Maximum length of 1024. Drift detection is not possible with this argument.
+	TemplateS3URI *string `json:"templateS3Uri,omitempty" tf:"template_s3_uri,omitempty"`
 }
 
 type ConformancePackParameters struct {
@@ -50,6 +65,12 @@ type ConformancePackParameters struct {
 }
 
 type InputParameterObservation struct {
+
+	// The input key.
+	ParameterName *string `json:"parameterName,omitempty" tf:"parameter_name,omitempty"`
+
+	// The input value.
+	ParameterValue *string `json:"parameterValue,omitempty" tf:"parameter_value,omitempty"`
 }
 
 type InputParameterParameters struct {
diff --git a/apis/configservice/v1beta1/zz_deliverychannel_types.go b/apis/configservice/v1beta1/zz_deliverychannel_types.go
index 3f11f559c4..1f9ca357b6 100755
--- a/apis/configservice/v1beta1/zz_deliverychannel_types.go
+++ b/apis/configservice/v1beta1/zz_deliverychannel_types.go
@@ -17,6 +17,21 @@ type DeliveryChannelObservation struct {
 
 	// The name of the delivery channel.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the S3 bucket used to store the configuration history.
+	S3BucketName *string `json:"s3BucketName,omitempty" tf:"s3_bucket_name,omitempty"`
+
+	// The ARN of the AWS KMS key used to encrypt objects delivered by AWS Config. Must belong to the same Region as the destination S3 bucket.
+	S3KMSKeyArn *string `json:"s3KmsKeyArn,omitempty" tf:"s3_kms_key_arn,omitempty"`
+
+	// The prefix for the specified S3 bucket.
+	S3KeyPrefix *string `json:"s3KeyPrefix,omitempty" tf:"s3_key_prefix,omitempty"`
+
+	// Options for how AWS Config delivers configuration snapshots. See below
+	SnapshotDeliveryProperties []SnapshotDeliveryPropertiesObservation `json:"snapshotDeliveryProperties,omitempty" tf:"snapshot_delivery_properties,omitempty"`
+
+	// The ARN of the SNS topic that AWS Config delivers notifications to.
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
 }
 
 type DeliveryChannelParameters struct {
@@ -57,6 +72,9 @@ type DeliveryChannelParameters struct {
 }
 
 type SnapshotDeliveryPropertiesObservation struct {
+
+	// - The frequency with which AWS Config recurringly delivers configuration snapshotsE.g., One_Hour or Three_Hours. Valid values are listed here.
+	DeliveryFrequency *string `json:"deliveryFrequency,omitempty" tf:"delivery_frequency,omitempty"`
 }
 
 type SnapshotDeliveryPropertiesParameters struct {
diff --git a/apis/configservice/v1beta1/zz_generated.deepcopy.go b/apis/configservice/v1beta1/zz_generated.deepcopy.go
index f796431c95..0b2403abf9 100644
--- a/apis/configservice/v1beta1/zz_generated.deepcopy.go
+++ b/apis/configservice/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,11 @@ func (in *AWSConfigurationRecorderStatusObservation) DeepCopyInto(out *AWSConfig
 		*out = new(string)
 		**out = **in
 	}
+	if in.IsEnabled != nil {
+		in, out := &in.IsEnabled, &out.IsEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSConfigurationRecorderStatusObservation.
@@ -155,6 +160,33 @@ func (in *AWSConfigurationRecorderStatusStatus) DeepCopy() *AWSConfigurationReco
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountAggregationSourceObservation) DeepCopyInto(out *AccountAggregationSourceObservation) {
 	*out = *in
+	if in.AccountIds != nil {
+		in, out := &in.AccountIds, &out.AccountIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllRegions != nil {
+		in, out := &in.AllRegions, &out.AllRegions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Regions != nil {
+		in, out := &in.Regions, &out.Regions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountAggregationSourceObservation.
@@ -276,16 +308,60 @@ func (in *ConfigRuleObservation) DeepCopyInto(out *ConfigRuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InputParameters != nil {
+		in, out := &in.InputParameters, &out.InputParameters
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaximumExecutionFrequency != nil {
+		in, out := &in.MaximumExecutionFrequency, &out.MaximumExecutionFrequency
+		*out = new(string)
+		**out = **in
+	}
 	if in.RuleID != nil {
 		in, out := &in.RuleID, &out.RuleID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = make([]ScopeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = make([]SourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -473,6 +549,13 @@ func (in *ConfigurationAggregatorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationAggregatorObservation) DeepCopyInto(out *ConfigurationAggregatorObservation) {
 	*out = *in
+	if in.AccountAggregationSource != nil {
+		in, out := &in.AccountAggregationSource, &out.AccountAggregationSource
+		*out = make([]AccountAggregationSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -483,6 +566,28 @@ func (in *ConfigurationAggregatorObservation) DeepCopyInto(out *ConfigurationAgg
 		*out = new(string)
 		**out = **in
 	}
+	if in.OrganizationAggregationSource != nil {
+		in, out := &in.OrganizationAggregationSource, &out.OrganizationAggregationSource
+		*out = make([]OrganizationAggregationSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -660,6 +765,18 @@ func (in *ConfigurationRecorderObservation) DeepCopyInto(out *ConfigurationRecor
 		*out = new(string)
 		**out = **in
 	}
+	if in.RecordingGroup != nil {
+		in, out := &in.RecordingGroup, &out.RecordingGroup
+		*out = make([]RecordingGroupObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationRecorderObservation.
@@ -815,11 +932,38 @@ func (in *ConformancePackObservation) DeepCopyInto(out *ConformancePackObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeliveryS3Bucket != nil {
+		in, out := &in.DeliveryS3Bucket, &out.DeliveryS3Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeliveryS3KeyPrefix != nil {
+		in, out := &in.DeliveryS3KeyPrefix, &out.DeliveryS3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InputParameter != nil {
+		in, out := &in.InputParameter, &out.InputParameter
+		*out = make([]InputParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TemplateBody != nil {
+		in, out := &in.TemplateBody, &out.TemplateBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplateS3URI != nil {
+		in, out := &in.TemplateS3URI, &out.TemplateS3URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConformancePackObservation.
@@ -916,6 +1060,21 @@ func (in *ConformancePackStatus) DeepCopy() *ConformancePackStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomPolicyDetailsObservation) DeepCopyInto(out *CustomPolicyDetailsObservation) {
 	*out = *in
+	if in.EnableDebugLogDelivery != nil {
+		in, out := &in.EnableDebugLogDelivery, &out.EnableDebugLogDelivery
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PolicyRuntime != nil {
+		in, out := &in.PolicyRuntime, &out.PolicyRuntime
+		*out = new(string)
+		**out = **in
+	}
+	if in.PolicyText != nil {
+		in, out := &in.PolicyText, &out.PolicyText
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomPolicyDetailsObservation.
@@ -1025,6 +1184,33 @@ func (in *DeliveryChannelObservation) DeepCopyInto(out *DeliveryChannelObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.S3BucketName != nil {
+		in, out := &in.S3BucketName, &out.S3BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KMSKeyArn != nil {
+		in, out := &in.S3KMSKeyArn, &out.S3KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KeyPrefix != nil {
+		in, out := &in.S3KeyPrefix, &out.S3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotDeliveryProperties != nil {
+		in, out := &in.SnapshotDeliveryProperties, &out.SnapshotDeliveryProperties
+		*out = make([]SnapshotDeliveryPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeliveryChannelObservation.
@@ -1131,6 +1317,13 @@ func (in *DeliveryChannelStatus) DeepCopy() *DeliveryChannelStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExecutionControlsObservation) DeepCopyInto(out *ExecutionControlsObservation) {
 	*out = *in
+	if in.SsmControls != nil {
+		in, out := &in.SsmControls, &out.SsmControls
+		*out = make([]SsmControlsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecutionControlsObservation.
@@ -1168,6 +1361,16 @@ func (in *ExecutionControlsParameters) DeepCopy() *ExecutionControlsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputParameterObservation) DeepCopyInto(out *InputParameterObservation) {
 	*out = *in
+	if in.ParameterName != nil {
+		in, out := &in.ParameterName, &out.ParameterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterValue != nil {
+		in, out := &in.ParameterValue, &out.ParameterValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputParameterObservation.
@@ -1208,6 +1411,27 @@ func (in *InputParameterParameters) DeepCopy() *InputParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OrganizationAggregationSourceObservation) DeepCopyInto(out *OrganizationAggregationSourceObservation) {
 	*out = *in
+	if in.AllRegions != nil {
+		in, out := &in.AllRegions, &out.AllRegions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Regions != nil {
+		in, out := &in.Regions, &out.Regions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrganizationAggregationSourceObservation.
@@ -1269,6 +1493,32 @@ func (in *OrganizationAggregationSourceParameters) DeepCopy() *OrganizationAggre
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceValue != nil {
+		in, out := &in.ResourceValue, &out.ResourceValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.StaticValue != nil {
+		in, out := &in.StaticValue, &out.StaticValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.StaticValues != nil {
+		in, out := &in.StaticValues, &out.StaticValues
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -1325,6 +1575,27 @@ func (in *ParameterParameters) DeepCopy() *ParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordingGroupObservation) DeepCopyInto(out *RecordingGroupObservation) {
 	*out = *in
+	if in.AllSupported != nil {
+		in, out := &in.AllSupported, &out.AllSupported
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeGlobalResourceTypes != nil {
+		in, out := &in.IncludeGlobalResourceTypes, &out.IncludeGlobalResourceTypes
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ResourceTypes != nil {
+		in, out := &in.ResourceTypes, &out.ResourceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordingGroupObservation.
@@ -1440,11 +1711,60 @@ func (in *RemediationConfigurationObservation) DeepCopyInto(out *RemediationConf
 		*out = new(string)
 		**out = **in
 	}
+	if in.Automatic != nil {
+		in, out := &in.Automatic, &out.Automatic
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExecutionControls != nil {
+		in, out := &in.ExecutionControls, &out.ExecutionControls
+		*out = make([]ExecutionControlsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaximumAutomaticAttempts != nil {
+		in, out := &in.MaximumAutomaticAttempts, &out.MaximumAutomaticAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetryAttemptSeconds != nil {
+		in, out := &in.RetryAttemptSeconds, &out.RetryAttemptSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TargetID != nil {
+		in, out := &in.TargetID, &out.TargetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetType != nil {
+		in, out := &in.TargetType, &out.TargetType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetVersion != nil {
+		in, out := &in.TargetVersion, &out.TargetVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemediationConfigurationObservation.
@@ -1563,6 +1883,32 @@ func (in *RemediationConfigurationStatus) DeepCopy() *RemediationConfigurationSt
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScopeObservation) DeepCopyInto(out *ScopeObservation) {
 	*out = *in
+	if in.ComplianceResourceID != nil {
+		in, out := &in.ComplianceResourceID, &out.ComplianceResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ComplianceResourceTypes != nil {
+		in, out := &in.ComplianceResourceTypes, &out.ComplianceResourceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TagKey != nil {
+		in, out := &in.TagKey, &out.TagKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.TagValue != nil {
+		in, out := &in.TagValue, &out.TagValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopeObservation.
@@ -1619,6 +1965,11 @@ func (in *ScopeParameters) DeepCopy() *ScopeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapshotDeliveryPropertiesObservation) DeepCopyInto(out *SnapshotDeliveryPropertiesObservation) {
 	*out = *in
+	if in.DeliveryFrequency != nil {
+		in, out := &in.DeliveryFrequency, &out.DeliveryFrequency
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotDeliveryPropertiesObservation.
@@ -1654,6 +2005,21 @@ func (in *SnapshotDeliveryPropertiesParameters) DeepCopy() *SnapshotDeliveryProp
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceDetailObservation) DeepCopyInto(out *SourceDetailObservation) {
 	*out = *in
+	if in.EventSource != nil {
+		in, out := &in.EventSource, &out.EventSource
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaximumExecutionFrequency != nil {
+		in, out := &in.MaximumExecutionFrequency, &out.MaximumExecutionFrequency
+		*out = new(string)
+		**out = **in
+	}
+	if in.MessageType != nil {
+		in, out := &in.MessageType, &out.MessageType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceDetailObservation.
@@ -1699,6 +2065,30 @@ func (in *SourceDetailParameters) DeepCopy() *SourceDetailParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceObservation) DeepCopyInto(out *SourceObservation) {
 	*out = *in
+	if in.CustomPolicyDetails != nil {
+		in, out := &in.CustomPolicyDetails, &out.CustomPolicyDetails
+		*out = make([]CustomPolicyDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Owner != nil {
+		in, out := &in.Owner, &out.Owner
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceDetail != nil {
+		in, out := &in.SourceDetail, &out.SourceDetail
+		*out = make([]SourceDetailObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceIdentifier != nil {
+		in, out := &in.SourceIdentifier, &out.SourceIdentifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceObservation.
@@ -1763,6 +2153,16 @@ func (in *SourceParameters) DeepCopy() *SourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SsmControlsObservation) DeepCopyInto(out *SsmControlsObservation) {
 	*out = *in
+	if in.ConcurrentExecutionRatePercentage != nil {
+		in, out := &in.ConcurrentExecutionRatePercentage, &out.ConcurrentExecutionRatePercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ErrorPercentage != nil {
+		in, out := &in.ErrorPercentage, &out.ErrorPercentage
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SsmControlsObservation.
diff --git a/apis/configservice/v1beta1/zz_remediationconfiguration_types.go b/apis/configservice/v1beta1/zz_remediationconfiguration_types.go
index 99e0eb45dd..01d5a3c33e 100755
--- a/apis/configservice/v1beta1/zz_remediationconfiguration_types.go
+++ b/apis/configservice/v1beta1/zz_remediationconfiguration_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ExecutionControlsObservation struct {
+
+	// Configuration block for SSM controls. See below.
+	SsmControls []SsmControlsObservation `json:"ssmControls,omitempty" tf:"ssm_controls,omitempty"`
 }
 
 type ExecutionControlsParameters struct {
@@ -24,6 +27,18 @@ type ExecutionControlsParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// Name of the attribute.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Value is dynamic and changes at run-time.
+	ResourceValue *string `json:"resourceValue,omitempty" tf:"resource_value,omitempty"`
+
+	// Value is static and does not change at run-time.
+	StaticValue *string `json:"staticValue,omitempty" tf:"static_value,omitempty"`
+
+	// List of static values.
+	StaticValues []*string `json:"staticValues,omitempty" tf:"static_values,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -50,7 +65,34 @@ type RemediationConfigurationObservation struct {
 	// ARN of the Config Remediation Configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Remediation is triggered automatically if true.
+	Automatic *bool `json:"automatic,omitempty" tf:"automatic,omitempty"`
+
+	// Configuration block for execution controls. See below.
+	ExecutionControls []ExecutionControlsObservation `json:"executionControls,omitempty" tf:"execution_controls,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Maximum number of failed attempts for auto-remediation. If you do not select a number, the default is 5.
+	MaximumAutomaticAttempts *float64 `json:"maximumAutomaticAttempts,omitempty" tf:"maximum_automatic_attempts,omitempty"`
+
+	// Can be specified multiple times for each parameter. Each parameter block supports arguments below.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Type of resource.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// Maximum time in seconds that AWS Config runs auto-remediation. If you do not select a number, the default is 60 seconds.
+	RetryAttemptSeconds *float64 `json:"retryAttemptSeconds,omitempty" tf:"retry_attempt_seconds,omitempty"`
+
+	// Target ID is the name of the public document.
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
+
+	// Type of the target. Target executes remediation. For example, SSM document.
+	TargetType *string `json:"targetType,omitempty" tf:"target_type,omitempty"`
+
+	// Version of the target. For example, version of the SSM document
+	TargetVersion *string `json:"targetVersion,omitempty" tf:"target_version,omitempty"`
 }
 
 type RemediationConfigurationParameters struct {
@@ -85,12 +127,12 @@ type RemediationConfigurationParameters struct {
 	RetryAttemptSeconds *float64 `json:"retryAttemptSeconds,omitempty" tf:"retry_attempt_seconds,omitempty"`
 
 	// Target ID is the name of the public document.
-	// +kubebuilder:validation:Required
-	TargetID *string `json:"targetId" tf:"target_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
 
 	// Type of the target. Target executes remediation. For example, SSM document.
-	// +kubebuilder:validation:Required
-	TargetType *string `json:"targetType" tf:"target_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetType *string `json:"targetType,omitempty" tf:"target_type,omitempty"`
 
 	// Version of the target. For example, version of the SSM document
 	// +kubebuilder:validation:Optional
@@ -98,6 +140,12 @@ type RemediationConfigurationParameters struct {
 }
 
 type SsmControlsObservation struct {
+
+	// Maximum percentage of remediation actions allowed to run in parallel on the non-compliant resources for that specific rule. The default value is 10%.
+	ConcurrentExecutionRatePercentage *float64 `json:"concurrentExecutionRatePercentage,omitempty" tf:"concurrent_execution_rate_percentage,omitempty"`
+
+	// Percentage of errors that are allowed before SSM stops running automations on non-compliant resources for that specific rule. The default is 50%.
+	ErrorPercentage *float64 `json:"errorPercentage,omitempty" tf:"error_percentage,omitempty"`
 }
 
 type SsmControlsParameters struct {
@@ -135,8 +183,10 @@ type RemediationConfigurationStatus struct {
 type RemediationConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RemediationConfigurationSpec   `json:"spec"`
-	Status            RemediationConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetId)",message="targetId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetType)",message="targetType is a required parameter"
+	Spec   RemediationConfigurationSpec   `json:"spec"`
+	Status RemediationConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_botassociation_types.go b/apis/connect/v1beta1/zz_botassociation_types.go
index dd2bd25fd3..02d68a1cc2 100755
--- a/apis/connect/v1beta1/zz_botassociation_types.go
+++ b/apis/connect/v1beta1/zz_botassociation_types.go
@@ -17,6 +17,12 @@ type BotAssociationObservation struct {
 
 	// The Amazon Connect instance ID, Lex (V1) bot name, and Lex (V1) bot region separated by colons (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The identifier of the Amazon Connect instance. You can find the instanceId in the ARN of the instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Configuration information of an Amazon Lex (V1) bot. Detailed below.
+	LexBot []LexBotObservation `json:"lexBot,omitempty" tf:"lex_bot,omitempty"`
 }
 
 type BotAssociationParameters struct {
@@ -36,8 +42,8 @@ type BotAssociationParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// Configuration information of an Amazon Lex (V1) bot. Detailed below.
-	// +kubebuilder:validation:Required
-	LexBot []LexBotParameters `json:"lexBot" tf:"lex_bot,omitempty"`
+	// +kubebuilder:validation:Optional
+	LexBot []LexBotParameters `json:"lexBot,omitempty" tf:"lex_bot,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -46,6 +52,12 @@ type BotAssociationParameters struct {
 }
 
 type LexBotObservation struct {
+
+	// The Region that the Amazon Lex (V1) bot was created in. Defaults to current region.
+	LexRegion *string `json:"lexRegion,omitempty" tf:"lex_region,omitempty"`
+
+	// The name of the Amazon Lex (V1) bot.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type LexBotParameters struct {
@@ -92,8 +104,9 @@ type BotAssociationStatus struct {
 type BotAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BotAssociationSpec   `json:"spec"`
-	Status            BotAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lexBot)",message="lexBot is a required parameter"
+	Spec   BotAssociationSpec   `json:"spec"`
+	Status BotAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_contactflow_types.go b/apis/connect/v1beta1/zz_contactflow_types.go
index 36a6b22424..3ee0386959 100755
--- a/apis/connect/v1beta1/zz_contactflow_types.go
+++ b/apis/connect/v1beta1/zz_contactflow_types.go
@@ -21,11 +21,35 @@ type ContactFlowObservation struct {
 	// The identifier of the Contact Flow.
 	ContactFlowID *string `json:"contactFlowId,omitempty" tf:"contact_flow_id,omitempty"`
 
+	// Specifies the content of the Contact Flow, provided as a JSON string, written in Amazon Connect Contact Flow Language. If defined, the filename argument cannot be used.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the Contact Flow source specified with filename. The usual way to set this is filebase64sha256("mycontact_flow.11.12 and later) or base64sha256(file("mycontact_flow.11.11 and earlier), where "mycontact_flow.json" is the local filename of the Contact Flow source.
+	ContentHash *string `json:"contentHash,omitempty" tf:"content_hash,omitempty"`
+
+	// Specifies the description of the Contact Flow.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The path to the Contact Flow source within the local filesystem. Conflicts with content.
+	Filename *string `json:"filename,omitempty" tf:"filename,omitempty"`
+
 	// The identifier of the hosting Amazon Connect Instance and identifier of the Contact Flow separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Specifies the name of the Contact Flow.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Specifies the type of the Contact Flow. Defaults to CONTACT_FLOW. Allowed Values are: CONTACT_FLOW, CUSTOMER_QUEUE, CUSTOMER_HOLD, CUSTOMER_WHISPER, AGENT_HOLD, AGENT_WHISPER, OUTBOUND_WHISPER, AGENT_TRANSFER, QUEUE_TRANSFER.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ContactFlowParameters struct {
@@ -61,8 +85,8 @@ type ContactFlowParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// Specifies the name of the Contact Flow.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -102,8 +126,9 @@ type ContactFlowStatus struct {
 type ContactFlow struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ContactFlowSpec   `json:"spec"`
-	Status            ContactFlowStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ContactFlowSpec   `json:"spec"`
+	Status ContactFlowStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_contactflowmodule_types.go b/apis/connect/v1beta1/zz_contactflowmodule_types.go
index 2ed42520a5..4fc49cfe46 100755
--- a/apis/connect/v1beta1/zz_contactflowmodule_types.go
+++ b/apis/connect/v1beta1/zz_contactflowmodule_types.go
@@ -21,9 +21,30 @@ type ContactFlowModuleObservation struct {
 	// The identifier of the Contact Flow Module.
 	ContactFlowModuleID *string `json:"contactFlowModuleId,omitempty" tf:"contact_flow_module_id,omitempty"`
 
+	// Specifies the content of the Contact Flow Module, provided as a JSON string, written in Amazon Connect Contact Flow Language. If defined, the filename argument cannot be used.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the Contact Flow Module source specified with filename. The usual way to set this is filebase64sha256("contact_flow_module.11.12 and later) or base64sha256(file("contact_flow_module.11.11 and earlier), where "contact_flow_module.json" is the local filename of the Contact Flow Module source.
+	ContentHash *string `json:"contentHash,omitempty" tf:"content_hash,omitempty"`
+
+	// Specifies the description of the Contact Flow Module.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The path to the Contact Flow Module source within the local filesystem. Conflicts with content.
+	Filename *string `json:"filename,omitempty" tf:"filename,omitempty"`
+
 	// The identifier of the hosting Amazon Connect Instance and identifier of the Contact Flow Module separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Specifies the name of the Contact Flow Module.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -61,8 +82,8 @@ type ContactFlowModuleParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// Specifies the name of the Contact Flow Module.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -98,8 +119,9 @@ type ContactFlowModuleStatus struct {
 type ContactFlowModule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ContactFlowModuleSpec   `json:"spec"`
-	Status            ContactFlowModuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ContactFlowModuleSpec   `json:"spec"`
+	Status ContactFlowModuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_generated.deepcopy.go b/apis/connect/v1beta1/zz_generated.deepcopy.go
index 7c5a49144e..dc29941986 100644
--- a/apis/connect/v1beta1/zz_generated.deepcopy.go
+++ b/apis/connect/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,18 @@ func (in *BotAssociationObservation) DeepCopyInto(out *BotAssociationObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LexBot != nil {
+		in, out := &in.LexBot, &out.LexBot
+		*out = make([]LexBotObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BotAssociationObservation.
@@ -172,6 +184,25 @@ func (in *BotAssociationStatus) DeepCopy() *BotAssociationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigObservation) DeepCopyInto(out *ConfigObservation) {
 	*out = *in
+	if in.Day != nil {
+		in, out := &in.Day, &out.Day
+		*out = new(string)
+		**out = **in
+	}
+	if in.EndTime != nil {
+		in, out := &in.EndTime, &out.EndTime
+		*out = make([]EndTimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		*out = make([]StartTimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigObservation.
@@ -349,11 +380,56 @@ func (in *ContactFlowModuleObservation) DeepCopyInto(out *ContactFlowModuleObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentHash != nil {
+		in, out := &in.ContentHash, &out.ContentHash
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filename != nil {
+		in, out := &in.Filename, &out.Filename
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -503,11 +579,56 @@ func (in *ContactFlowObservation) DeepCopyInto(out *ContactFlowObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentHash != nil {
+		in, out := &in.ContentHash, &out.ContentHash
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filename != nil {
+		in, out := &in.Filename, &out.Filename
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -523,6 +644,11 @@ func (in *ContactFlowObservation) DeepCopyInto(out *ContactFlowObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContactFlowObservation.
@@ -652,6 +778,16 @@ func (in *ContactFlowStatus) DeepCopy() *ContactFlowStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigObservation) DeepCopyInto(out *EncryptionConfigObservation) {
 	*out = *in
+	if in.EncryptionType != nil {
+		in, out := &in.EncryptionType, &out.EncryptionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigObservation.
@@ -702,6 +838,16 @@ func (in *EncryptionConfigParameters) DeepCopy() *EncryptionConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndTimeObservation) DeepCopyInto(out *EndTimeObservation) {
 	*out = *in
+	if in.Hours != nil {
+		in, out := &in.Hours, &out.Hours
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Minutes != nil {
+		in, out := &in.Minutes, &out.Minutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndTimeObservation.
@@ -906,6 +1052,18 @@ func (in *HoursOfOperationObservation) DeepCopyInto(out *HoursOfOperationObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Config != nil {
+		in, out := &in.Config, &out.Config
+		*out = make([]ConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.HoursOfOperationArn != nil {
 		in, out := &in.HoursOfOperationArn, &out.HoursOfOperationArn
 		*out = new(string)
@@ -921,6 +1079,31 @@ func (in *HoursOfOperationObservation) DeepCopyInto(out *HoursOfOperationObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -936,6 +1119,11 @@ func (in *HoursOfOperationObservation) DeepCopyInto(out *HoursOfOperationObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HoursOfOperationObservation.
@@ -1057,6 +1245,21 @@ func (in *HoursOfOperationStatus) DeepCopy() *HoursOfOperationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IdentityInfoObservation) DeepCopyInto(out *IdentityInfoObservation) {
 	*out = *in
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
+	if in.FirstName != nil {
+		in, out := &in.FirstName, &out.FirstName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LastName != nil {
+		in, out := &in.LastName, &out.LastName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityInfoObservation.
@@ -1166,16 +1369,66 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoResolveBestVoicesEnabled != nil {
+		in, out := &in.AutoResolveBestVoicesEnabled, &out.AutoResolveBestVoicesEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ContactFlowLogsEnabled != nil {
+		in, out := &in.ContactFlowLogsEnabled, &out.ContactFlowLogsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ContactLensEnabled != nil {
+		in, out := &in.ContactLensEnabled, &out.ContactLensEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CreatedTime != nil {
 		in, out := &in.CreatedTime, &out.CreatedTime
 		*out = new(string)
 		**out = **in
 	}
+	if in.DirectoryID != nil {
+		in, out := &in.DirectoryID, &out.DirectoryID
+		*out = new(string)
+		**out = **in
+	}
+	if in.EarlyMediaEnabled != nil {
+		in, out := &in.EarlyMediaEnabled, &out.EarlyMediaEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentityManagementType != nil {
+		in, out := &in.IdentityManagementType, &out.IdentityManagementType
+		*out = new(string)
+		**out = **in
+	}
+	if in.InboundCallsEnabled != nil {
+		in, out := &in.InboundCallsEnabled, &out.InboundCallsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceAlias != nil {
+		in, out := &in.InstanceAlias, &out.InstanceAlias
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultiPartyConferenceEnabled != nil {
+		in, out := &in.MultiPartyConferenceEnabled, &out.MultiPartyConferenceEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.OutboundCallsEnabled != nil {
+		in, out := &in.OutboundCallsEnabled, &out.OutboundCallsEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ServiceRole != nil {
 		in, out := &in.ServiceRole, &out.ServiceRole
 		*out = new(string)
@@ -1384,13 +1637,30 @@ func (in *InstanceStorageConfigObservation) DeepCopyInto(out *InstanceStorageCon
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceStorageConfigObservation.
-func (in *InstanceStorageConfigObservation) DeepCopy() *InstanceStorageConfigObservation {
-	if in == nil {
-		return nil
-	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageConfig != nil {
+		in, out := &in.StorageConfig, &out.StorageConfig
+		*out = make([]StorageConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceStorageConfigObservation.
+func (in *InstanceStorageConfigObservation) DeepCopy() *InstanceStorageConfigObservation {
+	if in == nil {
+		return nil
+	}
 	out := new(InstanceStorageConfigObservation)
 	in.DeepCopyInto(out)
 	return out
@@ -1480,6 +1750,11 @@ func (in *InstanceStorageConfigStatus) DeepCopy() *InstanceStorageConfigStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisFirehoseConfigObservation) DeepCopyInto(out *KinesisFirehoseConfigObservation) {
 	*out = *in
+	if in.FirehoseArn != nil {
+		in, out := &in.FirehoseArn, &out.FirehoseArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisFirehoseConfigObservation.
@@ -1525,6 +1800,11 @@ func (in *KinesisFirehoseConfigParameters) DeepCopy() *KinesisFirehoseConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisStreamConfigObservation) DeepCopyInto(out *KinesisStreamConfigObservation) {
 	*out = *in
+	if in.StreamArn != nil {
+		in, out := &in.StreamArn, &out.StreamArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisStreamConfigObservation.
@@ -1570,6 +1850,23 @@ func (in *KinesisStreamConfigParameters) DeepCopy() *KinesisStreamConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisVideoStreamConfigObservation) DeepCopyInto(out *KinesisVideoStreamConfigObservation) {
 	*out = *in
+	if in.EncryptionConfig != nil {
+		in, out := &in.EncryptionConfig, &out.EncryptionConfig
+		*out = make([]EncryptionConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetentionPeriodHours != nil {
+		in, out := &in.RetentionPeriodHours, &out.RetentionPeriodHours
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisVideoStreamConfigObservation.
@@ -1676,11 +1973,21 @@ func (in *LambdaFunctionAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaFunctionAssociationObservation) DeepCopyInto(out *LambdaFunctionAssociationObservation) {
 	*out = *in
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaFunctionAssociationObservation.
@@ -1790,6 +2097,11 @@ func (in *LevelFiveObservation) DeepCopyInto(out *LevelFiveObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LevelFiveObservation.
@@ -1835,6 +2147,11 @@ func (in *LevelFourObservation) DeepCopyInto(out *LevelFourObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LevelFourObservation.
@@ -1880,6 +2197,11 @@ func (in *LevelOneObservation) DeepCopyInto(out *LevelOneObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LevelOneObservation.
@@ -1925,6 +2247,11 @@ func (in *LevelThreeObservation) DeepCopyInto(out *LevelThreeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LevelThreeObservation.
@@ -1970,6 +2297,11 @@ func (in *LevelTwoObservation) DeepCopyInto(out *LevelTwoObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LevelTwoObservation.
@@ -2005,6 +2337,16 @@ func (in *LevelTwoParameters) DeepCopy() *LevelTwoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LexBotObservation) DeepCopyInto(out *LexBotObservation) {
 	*out = *in
+	if in.LexRegion != nil {
+		in, out := &in.LexRegion, &out.LexRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LexBotObservation.
@@ -2055,6 +2397,16 @@ func (in *LexBotParameters) DeepCopy() *LexBotParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MediaConcurrenciesObservation) DeepCopyInto(out *MediaConcurrenciesObservation) {
 	*out = *in
+	if in.Channel != nil {
+		in, out := &in.Channel, &out.Channel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Concurrency != nil {
+		in, out := &in.Concurrency, &out.Concurrency
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MediaConcurrenciesObservation.
@@ -2095,6 +2447,21 @@ func (in *MediaConcurrenciesParameters) DeepCopy() *MediaConcurrenciesParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutboundCallerConfigObservation) DeepCopyInto(out *OutboundCallerConfigObservation) {
 	*out = *in
+	if in.OutboundCallerIDName != nil {
+		in, out := &in.OutboundCallerIDName, &out.OutboundCallerIDName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutboundCallerIDNumberID != nil {
+		in, out := &in.OutboundCallerIDNumberID, &out.OutboundCallerIDNumberID
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutboundFlowID != nil {
+		in, out := &in.OutboundFlowID, &out.OutboundFlowID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutboundCallerConfigObservation.
@@ -2140,6 +2507,11 @@ func (in *OutboundCallerConfigParameters) DeepCopy() *OutboundCallerConfigParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PhoneConfigObservation) DeepCopyInto(out *PhoneConfigObservation) {
 	*out = *in
+	if in.PhoneNumber != nil {
+		in, out := &in.PhoneNumber, &out.PhoneNumber
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PhoneConfigObservation.
@@ -2239,6 +2611,16 @@ func (in *PhoneNumberObservation) DeepCopyInto(out *PhoneNumberObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CountryCode != nil {
+		in, out := &in.CountryCode, &out.CountryCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -2249,6 +2631,11 @@ func (in *PhoneNumberObservation) DeepCopyInto(out *PhoneNumberObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = make([]StatusObservation, len(*in))
@@ -2256,6 +2643,21 @@ func (in *PhoneNumberObservation) DeepCopyInto(out *PhoneNumberObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2271,6 +2673,16 @@ func (in *PhoneNumberObservation) DeepCopyInto(out *PhoneNumberObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetArn != nil {
+		in, out := &in.TargetArn, &out.TargetArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PhoneNumberObservation.
@@ -2417,6 +2829,16 @@ func (in *Queue) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueueConfigObservation) DeepCopyInto(out *QueueConfigObservation) {
 	*out = *in
+	if in.ContactFlowID != nil {
+		in, out := &in.ContactFlowID, &out.ContactFlowID
+		*out = new(string)
+		**out = **in
+	}
+	if in.QueueID != nil {
+		in, out := &in.QueueID, &out.QueueID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueueConfigObservation.
@@ -2517,11 +2939,31 @@ func (in *QueueConfigsAssociatedParameters) DeepCopy() *QueueConfigsAssociatedPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueueConfigsObservation) DeepCopyInto(out *QueueConfigsObservation) {
 	*out = *in
+	if in.Channel != nil {
+		in, out := &in.Channel, &out.Channel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Delay != nil {
+		in, out := &in.Delay, &out.Delay
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
 	if in.QueueArn != nil {
 		in, out := &in.QueueArn, &out.QueueArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.QueueID != nil {
+		in, out := &in.QueueID, &out.QueueID
+		*out = new(string)
+		**out = **in
+	}
 	if in.QueueName != nil {
 		in, out := &in.QueueName, &out.QueueName
 		*out = new(string)
@@ -2614,16 +3056,59 @@ func (in *QueueObservation) DeepCopyInto(out *QueueObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.HoursOfOperationID != nil {
+		in, out := &in.HoursOfOperationID, &out.HoursOfOperationID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxContacts != nil {
+		in, out := &in.MaxContacts, &out.MaxContacts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutboundCallerConfig != nil {
+		in, out := &in.OutboundCallerConfig, &out.OutboundCallerConfig
+		*out = make([]OutboundCallerConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.QueueID != nil {
 		in, out := &in.QueueID, &out.QueueID
 		*out = new(string)
 		**out = **in
 	}
+	if in.QuickConnectIds != nil {
+		in, out := &in.QuickConnectIds, &out.QuickConnectIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.QuickConnectIdsAssociated != nil {
 		in, out := &in.QuickConnectIdsAssociated, &out.QuickConnectIdsAssociated
 		*out = make([]*string, len(*in))
@@ -2635,6 +3120,26 @@ func (in *QueueObservation) DeepCopyInto(out *QueueObservation) {
 			}
 		}
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2829,6 +3334,32 @@ func (in *QuickConnect) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QuickConnectConfigObservation) DeepCopyInto(out *QuickConnectConfigObservation) {
 	*out = *in
+	if in.PhoneConfig != nil {
+		in, out := &in.PhoneConfig, &out.PhoneConfig
+		*out = make([]PhoneConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.QueueConfig != nil {
+		in, out := &in.QueueConfig, &out.QueueConfig
+		*out = make([]QueueConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.QuickConnectType != nil {
+		in, out := &in.QuickConnectType, &out.QuickConnectType
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserConfig != nil {
+		in, out := &in.UserConfig, &out.UserConfig
+		*out = make([]UserConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QuickConnectConfigObservation.
@@ -2922,16 +3453,53 @@ func (in *QuickConnectObservation) DeepCopyInto(out *QuickConnectObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.QuickConnectConfig != nil {
+		in, out := &in.QuickConnectConfig, &out.QuickConnectConfig
+		*out = make([]QuickConnectConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.QuickConnectID != nil {
 		in, out := &in.QuickConnectID, &out.QuickConnectID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3127,11 +3695,38 @@ func (in *RoutingProfileObservation) DeepCopyInto(out *RoutingProfileObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultOutboundQueueID != nil {
+		in, out := &in.DefaultOutboundQueueID, &out.DefaultOutboundQueueID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MediaConcurrencies != nil {
+		in, out := &in.MediaConcurrencies, &out.MediaConcurrencies
+		*out = make([]MediaConcurrenciesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.QueueConfigs != nil {
 		in, out := &in.QueueConfigs, &out.QueueConfigs
 		*out = make([]QueueConfigsObservation, len(*in))
@@ -3151,6 +3746,21 @@ func (in *RoutingProfileObservation) DeepCopyInto(out *RoutingProfileObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3304,6 +3914,16 @@ func (in *RoutingProfileStatus) DeepCopy() *RoutingProfileStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ConfigEncryptionConfigObservation) DeepCopyInto(out *S3ConfigEncryptionConfigObservation) {
 	*out = *in
+	if in.EncryptionType != nil {
+		in, out := &in.EncryptionType, &out.EncryptionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ConfigEncryptionConfigObservation.
@@ -3354,6 +3974,23 @@ func (in *S3ConfigEncryptionConfigParameters) DeepCopy() *S3ConfigEncryptionConf
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ConfigObservation) DeepCopyInto(out *S3ConfigObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionConfig != nil {
+		in, out := &in.EncryptionConfig, &out.EncryptionConfig
+		*out = make([]S3ConfigEncryptionConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ConfigObservation.
@@ -3475,21 +4112,62 @@ func (in *SecurityProfileObservation) DeepCopyInto(out *SecurityProfileObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OrganizationResourceID != nil {
 		in, out := &in.OrganizationResourceID, &out.OrganizationResourceID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.SecurityProfileID != nil {
 		in, out := &in.SecurityProfileID, &out.SecurityProfileID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3625,6 +4303,16 @@ func (in *SecurityProfileStatus) DeepCopy() *SecurityProfileStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StartTimeObservation) DeepCopyInto(out *StartTimeObservation) {
 	*out = *in
+	if in.Hours != nil {
+		in, out := &in.Hours, &out.Hours
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Minutes != nil {
+		in, out := &in.Minutes, &out.Minutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StartTimeObservation.
@@ -3705,6 +4393,39 @@ func (in *StatusParameters) DeepCopy() *StatusParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageConfigObservation) DeepCopyInto(out *StorageConfigObservation) {
 	*out = *in
+	if in.KinesisFirehoseConfig != nil {
+		in, out := &in.KinesisFirehoseConfig, &out.KinesisFirehoseConfig
+		*out = make([]KinesisFirehoseConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisStreamConfig != nil {
+		in, out := &in.KinesisStreamConfig, &out.KinesisStreamConfig
+		*out = make([]KinesisStreamConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisVideoStreamConfig != nil {
+		in, out := &in.KinesisVideoStreamConfig, &out.KinesisVideoStreamConfig
+		*out = make([]KinesisVideoStreamConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Config != nil {
+		in, out := &in.S3Config, &out.S3Config
+		*out = make([]S3ConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StorageType != nil {
+		in, out := &in.StorageType, &out.StorageType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageConfigObservation.
@@ -3795,6 +4516,16 @@ func (in *User) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserConfigObservation) DeepCopyInto(out *UserConfigObservation) {
 	*out = *in
+	if in.ContactFlowID != nil {
+		in, out := &in.ContactFlowID, &out.ContactFlowID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserID != nil {
+		in, out := &in.UserID, &out.UserID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserConfigObservation.
@@ -3906,6 +4637,11 @@ func (in *UserHierarchyStructureObservation) DeepCopyInto(out *UserHierarchyStru
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserHierarchyStructureObservation.
@@ -4034,11 +4770,76 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DirectoryUserID != nil {
+		in, out := &in.DirectoryUserID, &out.DirectoryUserID
+		*out = new(string)
+		**out = **in
+	}
+	if in.HierarchyGroupID != nil {
+		in, out := &in.HierarchyGroupID, &out.HierarchyGroupID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentityInfo != nil {
+		in, out := &in.IdentityInfo, &out.IdentityInfo
+		*out = make([]IdentityInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PhoneConfig != nil {
+		in, out := &in.PhoneConfig, &out.PhoneConfig
+		*out = make([]UserPhoneConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoutingProfileID != nil {
+		in, out := &in.RoutingProfileID, &out.RoutingProfileID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityProfileIds != nil {
+		in, out := &in.SecurityProfileIds, &out.SecurityProfileIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4184,6 +4985,26 @@ func (in *UserParameters) DeepCopy() *UserParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserPhoneConfigObservation) DeepCopyInto(out *UserPhoneConfigObservation) {
 	*out = *in
+	if in.AfterContactWorkTimeLimit != nil {
+		in, out := &in.AfterContactWorkTimeLimit, &out.AfterContactWorkTimeLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AutoAccept != nil {
+		in, out := &in.AutoAccept, &out.AutoAccept
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeskPhoneNumber != nil {
+		in, out := &in.DeskPhoneNumber, &out.DeskPhoneNumber
+		*out = new(string)
+		**out = **in
+	}
+	if in.PhoneType != nil {
+		in, out := &in.PhoneType, &out.PhoneType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPhoneConfigObservation.
@@ -4332,6 +5153,11 @@ func (in *VocabularyObservation) DeepCopyInto(out *VocabularyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
 	if in.FailureReason != nil {
 		in, out := &in.FailureReason, &out.FailureReason
 		*out = new(string)
@@ -4342,16 +5168,46 @@ func (in *VocabularyObservation) DeepCopyInto(out *VocabularyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
 	if in.LastModifiedTime != nil {
 		in, out := &in.LastModifiedTime, &out.LastModifiedTime
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/connect/v1beta1/zz_hoursofoperation_types.go b/apis/connect/v1beta1/zz_hoursofoperation_types.go
index 167bfe21bc..5cb9c6a7db 100755
--- a/apis/connect/v1beta1/zz_hoursofoperation_types.go
+++ b/apis/connect/v1beta1/zz_hoursofoperation_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ConfigObservation struct {
+
+	// Specifies the day that the hours of operation applies to.
+	Day *string `json:"day,omitempty" tf:"day,omitempty"`
+
+	// A end time block specifies the time that your contact center closes. The end_time is documented below.
+	EndTime []EndTimeObservation `json:"endTime,omitempty" tf:"end_time,omitempty"`
+
+	// A start time block specifies the time that your contact center opens. The start_time is documented below.
+	StartTime []StartTimeObservation `json:"startTime,omitempty" tf:"start_time,omitempty"`
 }
 
 type ConfigParameters struct {
@@ -32,6 +41,12 @@ type ConfigParameters struct {
 }
 
 type EndTimeObservation struct {
+
+	// Specifies the hour of closing.
+	Hours *float64 `json:"hours,omitempty" tf:"hours,omitempty"`
+
+	// Specifies the minute of closing.
+	Minutes *float64 `json:"minutes,omitempty" tf:"minutes,omitempty"`
 }
 
 type EndTimeParameters struct {
@@ -50,6 +65,12 @@ type HoursOfOperationObservation struct {
 	// The Amazon Resource Name (ARN) of the Hours of Operation.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// One or more config blocks which define the configuration information for the hours of operation: day, start time, and end time . Config blocks are documented below.
+	Config []ConfigObservation `json:"config,omitempty" tf:"config,omitempty"`
+
+	// Specifies the description of the Hours of Operation.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// (Deprecated) The Amazon Resource Name (ARN) of the Hours of Operation.
 	HoursOfOperationArn *string `json:"hoursOfOperationArn,omitempty" tf:"hours_of_operation_arn,omitempty"`
 
@@ -59,15 +80,27 @@ type HoursOfOperationObservation struct {
 	// The identifier of the hosting Amazon Connect Instance and identifier of the Hours of Operation separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Specifies the name of the Hours of Operation.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Specifies the time zone of the Hours of Operation.
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type HoursOfOperationParameters struct {
 
 	// One or more config blocks which define the configuration information for the hours of operation: day, start time, and end time . Config blocks are documented below.
-	// +kubebuilder:validation:Required
-	Config []ConfigParameters `json:"config" tf:"config,omitempty"`
+	// +kubebuilder:validation:Optional
+	Config []ConfigParameters `json:"config,omitempty" tf:"config,omitempty"`
 
 	// Specifies the description of the Hours of Operation.
 	// +kubebuilder:validation:Optional
@@ -88,8 +121,8 @@ type HoursOfOperationParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// Specifies the name of the Hours of Operation.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -101,11 +134,17 @@ type HoursOfOperationParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Specifies the time zone of the Hours of Operation.
-	// +kubebuilder:validation:Required
-	TimeZone *string `json:"timeZone" tf:"time_zone,omitempty"`
+	// +kubebuilder:validation:Optional
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type StartTimeObservation struct {
+
+	// Specifies the hour of opening.
+	Hours *float64 `json:"hours,omitempty" tf:"hours,omitempty"`
+
+	// Specifies the minute of opening.
+	Minutes *float64 `json:"minutes,omitempty" tf:"minutes,omitempty"`
 }
 
 type StartTimeParameters struct {
@@ -143,8 +182,11 @@ type HoursOfOperationStatus struct {
 type HoursOfOperation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HoursOfOperationSpec   `json:"spec"`
-	Status            HoursOfOperationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.config)",message="config is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.timeZone)",message="timeZone is a required parameter"
+	Spec   HoursOfOperationSpec   `json:"spec"`
+	Status HoursOfOperationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_instance_types.go b/apis/connect/v1beta1/zz_instance_types.go
index 8434a3b2bf..9bf83af612 100755
--- a/apis/connect/v1beta1/zz_instance_types.go
+++ b/apis/connect/v1beta1/zz_instance_types.go
@@ -18,12 +18,42 @@ type InstanceObservation struct {
 	// Amazon Resource Name (ARN) of the instance.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies whether auto resolve best voices is enabled. Defaults to true.
+	AutoResolveBestVoicesEnabled *bool `json:"autoResolveBestVoicesEnabled,omitempty" tf:"auto_resolve_best_voices_enabled,omitempty"`
+
+	// Specifies whether contact flow logs are enabled. Defaults to false.
+	ContactFlowLogsEnabled *bool `json:"contactFlowLogsEnabled,omitempty" tf:"contact_flow_logs_enabled,omitempty"`
+
+	// Specifies whether contact lens is enabled. Defaults to true.
+	ContactLensEnabled *bool `json:"contactLensEnabled,omitempty" tf:"contact_lens_enabled,omitempty"`
+
 	// When the instance was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// The identifier for the directory if identity_management_type is EXISTING_DIRECTORY.
+	DirectoryID *string `json:"directoryId,omitempty" tf:"directory_id,omitempty"`
+
+	// Specifies whether early media for outbound calls is enabled . Defaults to true if outbound calls is enabled.
+	EarlyMediaEnabled *bool `json:"earlyMediaEnabled,omitempty" tf:"early_media_enabled,omitempty"`
+
 	// The identifier of the instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identity management type attached to the instance. Allowed Values are: SAML, CONNECT_MANAGED, EXISTING_DIRECTORY.
+	IdentityManagementType *string `json:"identityManagementType,omitempty" tf:"identity_management_type,omitempty"`
+
+	// Specifies whether inbound calls are enabled.
+	InboundCallsEnabled *bool `json:"inboundCallsEnabled,omitempty" tf:"inbound_calls_enabled,omitempty"`
+
+	// Specifies the name of the instance. Required if directory_id not specified.
+	InstanceAlias *string `json:"instanceAlias,omitempty" tf:"instance_alias,omitempty"`
+
+	// Specifies whether multi-party calls/conference is enabled. Defaults to false.
+	MultiPartyConferenceEnabled *bool `json:"multiPartyConferenceEnabled,omitempty" tf:"multi_party_conference_enabled,omitempty"`
+
+	// Specifies whether outbound calls are enabled.
+	OutboundCallsEnabled *bool `json:"outboundCallsEnabled,omitempty" tf:"outbound_calls_enabled,omitempty"`
+
 	// The service role of the instance.
 	ServiceRole *string `json:"serviceRole,omitempty" tf:"service_role,omitempty"`
 
@@ -64,12 +94,12 @@ type InstanceParameters struct {
 	EarlyMediaEnabled *bool `json:"earlyMediaEnabled,omitempty" tf:"early_media_enabled,omitempty"`
 
 	// Specifies the identity management type attached to the instance. Allowed Values are: SAML, CONNECT_MANAGED, EXISTING_DIRECTORY.
-	// +kubebuilder:validation:Required
-	IdentityManagementType *string `json:"identityManagementType" tf:"identity_management_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	IdentityManagementType *string `json:"identityManagementType,omitempty" tf:"identity_management_type,omitempty"`
 
 	// Specifies whether inbound calls are enabled.
-	// +kubebuilder:validation:Required
-	InboundCallsEnabled *bool `json:"inboundCallsEnabled" tf:"inbound_calls_enabled,omitempty"`
+	// +kubebuilder:validation:Optional
+	InboundCallsEnabled *bool `json:"inboundCallsEnabled,omitempty" tf:"inbound_calls_enabled,omitempty"`
 
 	// Specifies the name of the instance. Required if directory_id not specified.
 	// +kubebuilder:validation:Optional
@@ -80,8 +110,8 @@ type InstanceParameters struct {
 	MultiPartyConferenceEnabled *bool `json:"multiPartyConferenceEnabled,omitempty" tf:"multi_party_conference_enabled,omitempty"`
 
 	// Specifies whether outbound calls are enabled.
-	// +kubebuilder:validation:Required
-	OutboundCallsEnabled *bool `json:"outboundCallsEnabled" tf:"outbound_calls_enabled,omitempty"`
+	// +kubebuilder:validation:Optional
+	OutboundCallsEnabled *bool `json:"outboundCallsEnabled,omitempty" tf:"outbound_calls_enabled,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -113,8 +143,11 @@ type InstanceStatus struct {
 type Instance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstanceSpec   `json:"spec"`
-	Status            InstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identityManagementType)",message="identityManagementType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inboundCallsEnabled)",message="inboundCallsEnabled is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outboundCallsEnabled)",message="outboundCallsEnabled is a required parameter"
+	Spec   InstanceSpec   `json:"spec"`
+	Status InstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_instancestorageconfig_types.go b/apis/connect/v1beta1/zz_instancestorageconfig_types.go
index f3f84d98bd..c05427d7d0 100755
--- a/apis/connect/v1beta1/zz_instancestorageconfig_types.go
+++ b/apis/connect/v1beta1/zz_instancestorageconfig_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type EncryptionConfigObservation struct {
+
+	// The type of encryption. Valid Values: KMS.
+	EncryptionType *string `json:"encryptionType,omitempty" tf:"encryption_type,omitempty"`
+
+	// The full ARN of the encryption key. Be sure to provide the full ARN of the encryption key, not just the ID.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
 }
 
 type EncryptionConfigParameters struct {
@@ -44,6 +50,15 @@ type InstanceStorageConfigObservation struct {
 
 	// The identifier of the hosting Amazon Connect Instance, association_id, and resource_type separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// A valid resource type. Valid Values: CHAT_TRANSCRIPTS | CALL_RECORDINGS | SCHEDULED_REPORTS | MEDIA_STREAMS | CONTACT_TRACE_RECORDS | AGENT_EVENTS | REAL_TIME_CONTACT_ANALYSIS_SEGMENTS.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// Specifies the storage configuration options for the Connect Instance. Documented below.
+	StorageConfig []StorageConfigObservation `json:"storageConfig,omitempty" tf:"storage_config,omitempty"`
 }
 
 type InstanceStorageConfigParameters struct {
@@ -68,15 +83,18 @@ type InstanceStorageConfigParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// A valid resource type. Valid Values: CHAT_TRANSCRIPTS | CALL_RECORDINGS | SCHEDULED_REPORTS | MEDIA_STREAMS | CONTACT_TRACE_RECORDS | AGENT_EVENTS | REAL_TIME_CONTACT_ANALYSIS_SEGMENTS.
-	// +kubebuilder:validation:Required
-	ResourceType *string `json:"resourceType" tf:"resource_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
 
 	// Specifies the storage configuration options for the Connect Instance. Documented below.
-	// +kubebuilder:validation:Required
-	StorageConfig []StorageConfigParameters `json:"storageConfig" tf:"storage_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	StorageConfig []StorageConfigParameters `json:"storageConfig,omitempty" tf:"storage_config,omitempty"`
 }
 
 type KinesisFirehoseConfigObservation struct {
+
+	// The Amazon Resource Name (ARN) of the delivery stream.
+	FirehoseArn *string `json:"firehoseArn,omitempty" tf:"firehose_arn,omitempty"`
 }
 
 type KinesisFirehoseConfigParameters struct {
@@ -97,6 +115,9 @@ type KinesisFirehoseConfigParameters struct {
 }
 
 type KinesisStreamConfigObservation struct {
+
+	// The Amazon Resource Name (ARN) of the data stream.
+	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 }
 
 type KinesisStreamConfigParameters struct {
@@ -117,6 +138,15 @@ type KinesisStreamConfigParameters struct {
 }
 
 type KinesisVideoStreamConfigObservation struct {
+
+	// The encryption configuration. Documented below.
+	EncryptionConfig []EncryptionConfigObservation `json:"encryptionConfig,omitempty" tf:"encryption_config,omitempty"`
+
+	// The prefix of the video stream. Minimum length of 1. Maximum length of 128. When read from the state, the value returned is <prefix>-connect-<connect_instance_alias>-contact- since the API appends additional details to the prefix.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// The number of hours data is retained in the stream. Kinesis Video Streams retains the data in a data store that is associated with the stream. Minimum value of 0. Maximum value of 87600. A value of 0, indicates that the stream does not persist data.
+	RetentionPeriodHours *float64 `json:"retentionPeriodHours,omitempty" tf:"retention_period_hours,omitempty"`
 }
 
 type KinesisVideoStreamConfigParameters struct {
@@ -135,6 +165,12 @@ type KinesisVideoStreamConfigParameters struct {
 }
 
 type S3ConfigEncryptionConfigObservation struct {
+
+	// The type of encryption. Valid Values: KMS.
+	EncryptionType *string `json:"encryptionType,omitempty" tf:"encryption_type,omitempty"`
+
+	// The full ARN of the encryption key. Be sure to provide the full ARN of the encryption key, not just the ID.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
 }
 
 type S3ConfigEncryptionConfigParameters struct {
@@ -159,6 +195,15 @@ type S3ConfigEncryptionConfigParameters struct {
 }
 
 type S3ConfigObservation struct {
+
+	// The S3 bucket name.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// The S3 bucket prefix.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// The encryption configuration. Documented below.
+	EncryptionConfig []S3ConfigEncryptionConfigObservation `json:"encryptionConfig,omitempty" tf:"encryption_config,omitempty"`
 }
 
 type S3ConfigParameters struct {
@@ -187,6 +232,21 @@ type S3ConfigParameters struct {
 }
 
 type StorageConfigObservation struct {
+
+	// A block that specifies the configuration of the Kinesis Firehose delivery stream. Documented below.
+	KinesisFirehoseConfig []KinesisFirehoseConfigObservation `json:"kinesisFirehoseConfig,omitempty" tf:"kinesis_firehose_config,omitempty"`
+
+	// A block that specifies the configuration of the Kinesis data stream. Documented below.
+	KinesisStreamConfig []KinesisStreamConfigObservation `json:"kinesisStreamConfig,omitempty" tf:"kinesis_stream_config,omitempty"`
+
+	// A block that specifies the configuration of the Kinesis video stream. Documented below.
+	KinesisVideoStreamConfig []KinesisVideoStreamConfigObservation `json:"kinesisVideoStreamConfig,omitempty" tf:"kinesis_video_stream_config,omitempty"`
+
+	// A block that specifies the configuration of S3 Bucket. Documented below.
+	S3Config []S3ConfigObservation `json:"s3Config,omitempty" tf:"s3_config,omitempty"`
+
+	// A valid storage type. Valid Values: S3 | KINESIS_VIDEO_STREAM | KINESIS_STREAM | KINESIS_FIREHOSE.
+	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
 }
 
 type StorageConfigParameters struct {
@@ -236,8 +296,10 @@ type InstanceStorageConfigStatus struct {
 type InstanceStorageConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstanceStorageConfigSpec   `json:"spec"`
-	Status            InstanceStorageConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceType)",message="resourceType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageConfig)",message="storageConfig is a required parameter"
+	Spec   InstanceStorageConfigSpec   `json:"spec"`
+	Status InstanceStorageConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_lambdafunctionassociation_types.go b/apis/connect/v1beta1/zz_lambdafunctionassociation_types.go
index 6fffc354be..21378aa3c3 100755
--- a/apis/connect/v1beta1/zz_lambdafunctionassociation_types.go
+++ b/apis/connect/v1beta1/zz_lambdafunctionassociation_types.go
@@ -15,8 +15,14 @@ import (
 
 type LambdaFunctionAssociationObservation struct {
 
+	// Amazon Resource Name (ARN) of the Lambda Function, omitting any version or alias qualifier.
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
+
 	// The Amazon Connect instance ID and Lambda Function ARN separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The identifier of the Amazon Connect instance. You can find the instanceId in the ARN of the instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
 }
 
 type LambdaFunctionAssociationParameters struct {
diff --git a/apis/connect/v1beta1/zz_phonenumber_types.go b/apis/connect/v1beta1/zz_phonenumber_types.go
index 2c443dffa2..db1afe562f 100755
--- a/apis/connect/v1beta1/zz_phonenumber_types.go
+++ b/apis/connect/v1beta1/zz_phonenumber_types.go
@@ -18,24 +18,42 @@ type PhoneNumberObservation struct {
 	// The ARN of the phone number.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ISO country code. For a list of Valid values, refer to PhoneNumberCountryCode.
+	CountryCode *string `json:"countryCode,omitempty" tf:"country_code,omitempty"`
+
+	// The description of the phone number.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The identifier of the phone number.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The phone number. Phone numbers are formatted [+] [country code] [subscriber number including area code].
 	PhoneNumber *string `json:"phoneNumber,omitempty" tf:"phone_number,omitempty"`
 
+	// The prefix of the phone number that is used to filter available phone numbers. If provided, it must contain + as part of the country code. Do not specify this argument when importing the resource.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
 	// A block that specifies status of the phone number. Documented below.
 	Status []StatusObservation `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The Amazon Resource Name (ARN) for Amazon Connect instances that phone numbers are claimed to.
+	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
+
+	// The type of phone number. Valid Values: TOLL_FREE | DID.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PhoneNumberParameters struct {
 
 	// The ISO country code. For a list of Valid values, refer to PhoneNumberCountryCode.
-	// +kubebuilder:validation:Required
-	CountryCode *string `json:"countryCode" tf:"country_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	CountryCode *string `json:"countryCode,omitempty" tf:"country_code,omitempty"`
 
 	// The description of the phone number.
 	// +kubebuilder:validation:Optional
@@ -69,8 +87,8 @@ type PhoneNumberParameters struct {
 	TargetArnSelector *v1.Selector `json:"targetArnSelector,omitempty" tf:"-"`
 
 	// The type of phone number. Valid Values: TOLL_FREE | DID.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type StatusObservation struct {
@@ -109,8 +127,10 @@ type PhoneNumberStatus struct {
 type PhoneNumber struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PhoneNumberSpec   `json:"spec"`
-	Status            PhoneNumberStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.countryCode)",message="countryCode is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   PhoneNumberSpec   `json:"spec"`
+	Status PhoneNumberStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_queue_types.go b/apis/connect/v1beta1/zz_queue_types.go
index 989df69867..78abe61ef2 100755
--- a/apis/connect/v1beta1/zz_queue_types.go
+++ b/apis/connect/v1beta1/zz_queue_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type OutboundCallerConfigObservation struct {
+
+	// Specifies the caller ID name.
+	OutboundCallerIDName *string `json:"outboundCallerIdName,omitempty" tf:"outbound_caller_id_name,omitempty"`
+
+	// Specifies the caller ID number.
+	OutboundCallerIDNumberID *string `json:"outboundCallerIdNumberId,omitempty" tf:"outbound_caller_id_number_id,omitempty"`
+
+	// Specifies outbound whisper flow to be used during an outbound call.
+	OutboundFlowID *string `json:"outboundFlowId,omitempty" tf:"outbound_flow_id,omitempty"`
 }
 
 type OutboundCallerConfigParameters struct {
@@ -36,14 +45,41 @@ type QueueObservation struct {
 	// The Amazon Resource Name (ARN) of the Queue.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies the description of the Queue.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Specifies the identifier of the Hours of Operation.
+	HoursOfOperationID *string `json:"hoursOfOperationId,omitempty" tf:"hours_of_operation_id,omitempty"`
+
 	// The identifier of the hosting Amazon Connect Instance and identifier of the Queue separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Specifies the maximum number of contacts that can be in the queue before it is considered full. Minimum value of 0.
+	MaxContacts *float64 `json:"maxContacts,omitempty" tf:"max_contacts,omitempty"`
+
+	// Specifies the name of the Queue.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A block that defines the outbound caller ID name, number, and outbound whisper flow. The Outbound Caller Config block is documented below.
+	OutboundCallerConfig []OutboundCallerConfigObservation `json:"outboundCallerConfig,omitempty" tf:"outbound_caller_config,omitempty"`
+
 	// The identifier for the Queue.
 	QueueID *string `json:"queueId,omitempty" tf:"queue_id,omitempty"`
 
+	// Specifies a list of quick connects ids that determine the quick connects available to agents who are working the queue.
+	QuickConnectIds []*string `json:"quickConnectIds,omitempty" tf:"quick_connect_ids,omitempty"`
+
 	QuickConnectIdsAssociated []*string `json:"quickConnectIdsAssociated,omitempty" tf:"quick_connect_ids_associated,omitempty"`
 
+	// Specifies the description of the Queue. Valid values are ENABLED, DISABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -87,8 +123,8 @@ type QueueParameters struct {
 	MaxContacts *float64 `json:"maxContacts,omitempty" tf:"max_contacts,omitempty"`
 
 	// Specifies the name of the Queue.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A block that defines the outbound caller ID name, number, and outbound whisper flow. The Outbound Caller Config block is documented below.
 	// +kubebuilder:validation:Optional
@@ -136,8 +172,9 @@ type QueueStatus struct {
 type Queue struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              QueueSpec   `json:"spec"`
-	Status            QueueStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   QueueSpec   `json:"spec"`
+	Status QueueStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_quickconnect_types.go b/apis/connect/v1beta1/zz_quickconnect_types.go
index 38ecb035dd..c9b8726339 100755
--- a/apis/connect/v1beta1/zz_quickconnect_types.go
+++ b/apis/connect/v1beta1/zz_quickconnect_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type PhoneConfigObservation struct {
+
+	// Specifies the phone number in in E.164 format.
+	PhoneNumber *string `json:"phoneNumber,omitempty" tf:"phone_number,omitempty"`
 }
 
 type PhoneConfigParameters struct {
@@ -24,6 +27,12 @@ type PhoneConfigParameters struct {
 }
 
 type QueueConfigObservation struct {
+
+	// Specifies the identifier of the contact flow.
+	ContactFlowID *string `json:"contactFlowId,omitempty" tf:"contact_flow_id,omitempty"`
+
+	// Specifies the identifier for the queue.
+	QueueID *string `json:"queueId,omitempty" tf:"queue_id,omitempty"`
 }
 
 type QueueConfigParameters struct {
@@ -38,6 +47,18 @@ type QueueConfigParameters struct {
 }
 
 type QuickConnectConfigObservation struct {
+
+	// Specifies the phone configuration of the Quick Connect. This is required only if quick_connect_type is PHONE_NUMBER. The phone_config block is documented below.
+	PhoneConfig []PhoneConfigObservation `json:"phoneConfig,omitempty" tf:"phone_config,omitempty"`
+
+	// Specifies the queue configuration of the Quick Connect. This is required only if quick_connect_type is QUEUE. The queue_config block is documented below.
+	QueueConfig []QueueConfigObservation `json:"queueConfig,omitempty" tf:"queue_config,omitempty"`
+
+	// Specifies the configuration type of the quick connect. valid values are PHONE_NUMBER, QUEUE, USER.
+	QuickConnectType *string `json:"quickConnectType,omitempty" tf:"quick_connect_type,omitempty"`
+
+	// Specifies the user configuration of the Quick Connect. This is required only if quick_connect_type is USER. The user_config block is documented below.
+	UserConfig []UserConfigObservation `json:"userConfig,omitempty" tf:"user_config,omitempty"`
 }
 
 type QuickConnectConfigParameters struct {
@@ -64,12 +85,27 @@ type QuickConnectObservation struct {
 	// The Amazon Resource Name (ARN) of the Quick Connect.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies the description of the Quick Connect.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The identifier of the hosting Amazon Connect Instance and identifier of the Quick Connect separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Specifies the name of the Quick Connect.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A block that defines the configuration information for the Quick Connect: quick_connect_type and one of phone_config, queue_config, user_config . The Quick Connect Config block is documented below.
+	QuickConnectConfig []QuickConnectConfigObservation `json:"quickConnectConfig,omitempty" tf:"quick_connect_config,omitempty"`
+
 	// The identifier for the Quick Connect.
 	QuickConnectID *string `json:"quickConnectId,omitempty" tf:"quick_connect_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -95,12 +131,12 @@ type QuickConnectParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// Specifies the name of the Quick Connect.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A block that defines the configuration information for the Quick Connect: quick_connect_type and one of phone_config, queue_config, user_config . The Quick Connect Config block is documented below.
-	// +kubebuilder:validation:Required
-	QuickConnectConfig []QuickConnectConfigParameters `json:"quickConnectConfig" tf:"quick_connect_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	QuickConnectConfig []QuickConnectConfigParameters `json:"quickConnectConfig,omitempty" tf:"quick_connect_config,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -113,6 +149,12 @@ type QuickConnectParameters struct {
 }
 
 type UserConfigObservation struct {
+
+	// Specifies the identifier of the contact flow.
+	ContactFlowID *string `json:"contactFlowId,omitempty" tf:"contact_flow_id,omitempty"`
+
+	// Specifies the identifier for the user.
+	UserID *string `json:"userId,omitempty" tf:"user_id,omitempty"`
 }
 
 type UserConfigParameters struct {
@@ -150,8 +192,10 @@ type QuickConnectStatus struct {
 type QuickConnect struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              QuickConnectSpec   `json:"spec"`
-	Status            QuickConnectStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.quickConnectConfig)",message="quickConnectConfig is a required parameter"
+	Spec   QuickConnectSpec   `json:"spec"`
+	Status QuickConnectStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_routingprofile_types.go b/apis/connect/v1beta1/zz_routingprofile_types.go
index 7b273e74e6..4eafb829f5 100755
--- a/apis/connect/v1beta1/zz_routingprofile_types.go
+++ b/apis/connect/v1beta1/zz_routingprofile_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type MediaConcurrenciesObservation struct {
+
+	// Specifies the channels that agents can handle in the Contact Control Panel (CCP). Valid values are VOICE, CHAT, TASK.
+	Channel *string `json:"channel,omitempty" tf:"channel,omitempty"`
+
+	// Specifies the number of contacts an agent can have on a channel simultaneously. Valid Range for VOICE: Minimum value of 1. Maximum value of 1. Valid Range for CHAT: Minimum value of 1. Maximum value of 10. Valid Range for TASK: Minimum value of 1. Maximum value of 10.
+	Concurrency *float64 `json:"concurrency,omitempty" tf:"concurrency,omitempty"`
 }
 
 type MediaConcurrenciesParameters struct {
@@ -53,9 +59,21 @@ type QueueConfigsAssociatedParameters struct {
 
 type QueueConfigsObservation struct {
 
+	// Specifies the channels agents can handle in the Contact Control Panel (CCP) for this routing profile. Valid values are VOICE, CHAT, TASK.
+	Channel *string `json:"channel,omitempty" tf:"channel,omitempty"`
+
+	// Specifies the delay, in seconds, that a contact should be in the queue before they are routed to an available agent
+	Delay *float64 `json:"delay,omitempty" tf:"delay,omitempty"`
+
+	// Specifies the order in which contacts are to be handled for the queue.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
 	// ARN for the queue.
 	QueueArn *string `json:"queueArn,omitempty" tf:"queue_arn,omitempty"`
 
+	// Specifies the identifier for the queue.
+	QueueID *string `json:"queueId,omitempty" tf:"queue_id,omitempty"`
+
 	// Name for the queue.
 	QueueName *string `json:"queueName,omitempty" tf:"queue_name,omitempty"`
 }
@@ -84,11 +102,25 @@ type RoutingProfileObservation struct {
 	// The Amazon Resource Name (ARN) of the Routing Profile.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies the default outbound queue for the Routing Profile.
+	DefaultOutboundQueueID *string `json:"defaultOutboundQueueId,omitempty" tf:"default_outbound_queue_id,omitempty"`
+
+	// Specifies the description of the Routing Profile.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The identifier of the hosting Amazon Connect Instance and identifier of the Routing Profile separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// One or more media_concurrencies blocks that specify the channels that agents can handle in the Contact Control Panel (CCP) for this Routing Profile. The media_concurrencies block is documented below.
+	MediaConcurrencies []MediaConcurrenciesObservation `json:"mediaConcurrencies,omitempty" tf:"media_concurrencies,omitempty"`
+
+	// Specifies the name of the Routing Profile.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// One or more queue_configs blocks that specify the inbound queues associated with the routing profile. If no queue is added, the agent only can make outbound calls. The queue_configs block is documented below.
-	// +kubebuilder:validation:Optional
 	QueueConfigs []QueueConfigsObservation `json:"queueConfigs,omitempty" tf:"queue_configs,omitempty"`
 
 	QueueConfigsAssociated []QueueConfigsAssociatedObservation `json:"queueConfigsAssociated,omitempty" tf:"queue_configs_associated,omitempty"`
@@ -96,6 +128,9 @@ type RoutingProfileObservation struct {
 	// The identifier for the Routing Profile.
 	RoutingProfileID *string `json:"routingProfileId,omitempty" tf:"routing_profile_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -117,8 +152,8 @@ type RoutingProfileParameters struct {
 	DefaultOutboundQueueIDSelector *v1.Selector `json:"defaultOutboundQueueIdSelector,omitempty" tf:"-"`
 
 	// Specifies the description of the Routing Profile.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Specifies the identifier of the hosting Amazon Connect Instance.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/connect/v1beta1.Instance
@@ -135,12 +170,12 @@ type RoutingProfileParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// One or more media_concurrencies blocks that specify the channels that agents can handle in the Contact Control Panel (CCP) for this Routing Profile. The media_concurrencies block is documented below.
-	// +kubebuilder:validation:Required
-	MediaConcurrencies []MediaConcurrenciesParameters `json:"mediaConcurrencies" tf:"media_concurrencies,omitempty"`
+	// +kubebuilder:validation:Optional
+	MediaConcurrencies []MediaConcurrenciesParameters `json:"mediaConcurrencies,omitempty" tf:"media_concurrencies,omitempty"`
 
 	// Specifies the name of the Routing Profile.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// One or more queue_configs blocks that specify the inbound queues associated with the routing profile. If no queue is added, the agent only can make outbound calls. The queue_configs block is documented below.
 	// +kubebuilder:validation:Optional
@@ -180,8 +215,11 @@ type RoutingProfileStatus struct {
 type RoutingProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RoutingProfileSpec   `json:"spec"`
-	Status            RoutingProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mediaConcurrencies)",message="mediaConcurrencies is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RoutingProfileSpec   `json:"spec"`
+	Status RoutingProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_securityprofile_types.go b/apis/connect/v1beta1/zz_securityprofile_types.go
index 45a589925f..c4efbe7921 100755
--- a/apis/connect/v1beta1/zz_securityprofile_types.go
+++ b/apis/connect/v1beta1/zz_securityprofile_types.go
@@ -18,15 +18,30 @@ type SecurityProfileObservation struct {
 	// The Amazon Resource Name (ARN) of the Security Profile.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies the description of the Security Profile.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The identifier of the hosting Amazon Connect Instance and identifier of the Security Profile separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Specifies the name of the Security Profile.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The organization resource identifier for the security profile.
 	OrganizationResourceID *string `json:"organizationResourceId,omitempty" tf:"organization_resource_id,omitempty"`
 
+	// Specifies a list of permissions assigned to the security profile.
+	Permissions []*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
 	// The identifier for the Security Profile.
 	SecurityProfileID *string `json:"securityProfileId,omitempty" tf:"security_profile_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -52,8 +67,8 @@ type SecurityProfileParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// Specifies the name of the Security Profile.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Specifies a list of permissions assigned to the security profile.
 	// +kubebuilder:validation:Optional
@@ -93,8 +108,9 @@ type SecurityProfileStatus struct {
 type SecurityProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SecurityProfileSpec   `json:"spec"`
-	Status            SecurityProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   SecurityProfileSpec   `json:"spec"`
+	Status SecurityProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_user_types.go b/apis/connect/v1beta1/zz_user_types.go
index 4f5681b28b..345831f87b 100755
--- a/apis/connect/v1beta1/zz_user_types.go
+++ b/apis/connect/v1beta1/zz_user_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type IdentityInfoObservation struct {
+
+	// The email address. If you are using SAML for identity management and include this parameter, an error is returned. Note that updates to the email is supported. From the UpdateUserIdentityInfo API documentation it is strongly recommended to limit who has the ability to invoke UpdateUserIdentityInfo. Someone with that ability can change the login credentials of other users by changing their email address. This poses a security risk to your organization. They can change the email address of a user to the attacker's email address, and then reset the password through email. For more information, see Best Practices for Security Profiles in the Amazon Connect Administrator Guide.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
+	// The first name. This is required if you are using Amazon Connect or SAML for identity management. Minimum length of 1. Maximum length of 100.
+	FirstName *string `json:"firstName,omitempty" tf:"first_name,omitempty"`
+
+	// The last name. This is required if you are using Amazon Connect or SAML for identity management. Minimum length of 1. Maximum length of 100.
+	LastName *string `json:"lastName,omitempty" tf:"last_name,omitempty"`
 }
 
 type IdentityInfoParameters struct {
@@ -36,10 +45,37 @@ type UserObservation struct {
 	// The Amazon Resource Name (ARN) of the user.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The identifier of the user account in the directory used for identity management. If Amazon Connect cannot access the directory, you can specify this identifier to authenticate users. If you include the identifier, we assume that Amazon Connect cannot access the directory. Otherwise, the identity information is used to authenticate users from your directory. This parameter is required if you are using an existing directory for identity management in Amazon Connect when Amazon Connect cannot access your directory to authenticate users. If you are using SAML for identity management and include this parameter, an error is returned.
+	DirectoryUserID *string `json:"directoryUserId,omitempty" tf:"directory_user_id,omitempty"`
+
+	// The identifier of the hierarchy group for the user.
+	HierarchyGroupID *string `json:"hierarchyGroupId,omitempty" tf:"hierarchy_group_id,omitempty"`
+
 	// The identifier of the hosting Amazon Connect Instance and identifier of the user
 	// separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A block that contains information about the identity of the user. Documented below.
+	IdentityInfo []IdentityInfoObservation `json:"identityInfo,omitempty" tf:"identity_info,omitempty"`
+
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// The user name for the account. For instances not using SAML for identity management, the user name can include up to 20 characters. If you are using SAML for identity management, the user name can include up to 64 characters from [a-zA-Z0-9_-.\@]+.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A block that contains information about the phone settings for the user. Documented below.
+	PhoneConfig []UserPhoneConfigObservation `json:"phoneConfig,omitempty" tf:"phone_config,omitempty"`
+
+	// The identifier of the routing profile for the user.
+	RoutingProfileID *string `json:"routingProfileId,omitempty" tf:"routing_profile_id,omitempty"`
+
+	// A list of identifiers for the security profiles for the user. Specify a minimum of 1 and maximum of 10 security profile ids. For more information, see Best Practices for Security Profiles in the Amazon Connect Administrator Guide.
+	SecurityProfileIds []*string `json:"securityProfileIds,omitempty" tf:"security_profile_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -76,16 +112,16 @@ type UserParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// The user name for the account. For instances not using SAML for identity management, the user name can include up to 20 characters. If you are using SAML for identity management, the user name can include up to 64 characters from [a-zA-Z0-9_-.\@]+.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The password for the user account. A password is required if you are using Amazon Connect for identity management. Otherwise, it is an error to include a password.
 	// +kubebuilder:validation:Optional
 	PasswordSecretRef *v1.SecretKeySelector `json:"passwordSecretRef,omitempty" tf:"-"`
 
 	// A block that contains information about the phone settings for the user. Documented below.
-	// +kubebuilder:validation:Required
-	PhoneConfig []UserPhoneConfigParameters `json:"phoneConfig" tf:"phone_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	PhoneConfig []UserPhoneConfigParameters `json:"phoneConfig,omitempty" tf:"phone_config,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -107,8 +143,8 @@ type UserParameters struct {
 	RoutingProfileIDSelector *v1.Selector `json:"routingProfileIdSelector,omitempty" tf:"-"`
 
 	// A list of identifiers for the security profiles for the user. Specify a minimum of 1 and maximum of 10 security profile ids. For more information, see Best Practices for Security Profiles in the Amazon Connect Administrator Guide.
-	// +kubebuilder:validation:Required
-	SecurityProfileIds []*string `json:"securityProfileIds" tf:"security_profile_ids,omitempty"`
+	// +kubebuilder:validation:Optional
+	SecurityProfileIds []*string `json:"securityProfileIds,omitempty" tf:"security_profile_ids,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -116,6 +152,18 @@ type UserParameters struct {
 }
 
 type UserPhoneConfigObservation struct {
+
+	// The After Call Work (ACW) timeout setting, in seconds. Minimum value of 0.
+	AfterContactWorkTimeLimit *float64 `json:"afterContactWorkTimeLimit,omitempty" tf:"after_contact_work_time_limit,omitempty"`
+
+	// When Auto-Accept Call is enabled for an available agent, the agent connects to contacts automatically.
+	AutoAccept *bool `json:"autoAccept,omitempty" tf:"auto_accept,omitempty"`
+
+	// The phone number for the user's desk phone. Required if phone_type is set as DESK_PHONE.
+	DeskPhoneNumber *string `json:"deskPhoneNumber,omitempty" tf:"desk_phone_number,omitempty"`
+
+	// The phone type. Valid values are DESK_PHONE and SOFT_PHONE.
+	PhoneType *string `json:"phoneType,omitempty" tf:"phone_type,omitempty"`
 }
 
 type UserPhoneConfigParameters struct {
@@ -161,8 +209,11 @@ type UserStatus struct {
 type User struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserSpec   `json:"spec"`
-	Status            UserStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.phoneConfig)",message="phoneConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.securityProfileIds)",message="securityProfileIds is a required parameter"
+	Spec   UserSpec   `json:"spec"`
+	Status UserStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_userhierarchystructure_types.go b/apis/connect/v1beta1/zz_userhierarchystructure_types.go
index e54a493a2b..0ba934b567 100755
--- a/apis/connect/v1beta1/zz_userhierarchystructure_types.go
+++ b/apis/connect/v1beta1/zz_userhierarchystructure_types.go
@@ -16,23 +16,18 @@ import (
 type HierarchyStructureObservation struct {
 
 	// A block that defines the details of level five. The level block is documented below.
-	// +kubebuilder:validation:Optional
 	LevelFive []LevelFiveObservation `json:"levelFive,omitempty" tf:"level_five,omitempty"`
 
 	// A block that defines the details of level four. The level block is documented below.
-	// +kubebuilder:validation:Optional
 	LevelFour []LevelFourObservation `json:"levelFour,omitempty" tf:"level_four,omitempty"`
 
 	// A block that defines the details of level one. The level block is documented below.
-	// +kubebuilder:validation:Optional
 	LevelOne []LevelOneObservation `json:"levelOne,omitempty" tf:"level_one,omitempty"`
 
 	// A block that defines the details of level three. The level block is documented below.
-	// +kubebuilder:validation:Optional
 	LevelThree []LevelThreeObservation `json:"levelThree,omitempty" tf:"level_three,omitempty"`
 
 	// A block that defines the details of level two. The level block is documented below.
-	// +kubebuilder:validation:Optional
 	LevelTwo []LevelTwoObservation `json:"levelTwo,omitempty" tf:"level_two,omitempty"`
 }
 
@@ -66,6 +61,9 @@ type LevelFiveObservation struct {
 
 	// The identifier of the hosting Amazon Connect Instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the user hierarchy level. Must not be more than 50 characters.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type LevelFiveParameters struct {
@@ -82,6 +80,9 @@ type LevelFourObservation struct {
 
 	// The identifier of the hosting Amazon Connect Instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the user hierarchy level. Must not be more than 50 characters.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type LevelFourParameters struct {
@@ -98,6 +99,9 @@ type LevelOneObservation struct {
 
 	// The identifier of the hosting Amazon Connect Instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the user hierarchy level. Must not be more than 50 characters.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type LevelOneParameters struct {
@@ -114,6 +118,9 @@ type LevelThreeObservation struct {
 
 	// The identifier of the hosting Amazon Connect Instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the user hierarchy level. Must not be more than 50 characters.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type LevelThreeParameters struct {
@@ -130,6 +137,9 @@ type LevelTwoObservation struct {
 
 	// The identifier of the hosting Amazon Connect Instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the user hierarchy level. Must not be more than 50 characters.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type LevelTwoParameters struct {
@@ -142,18 +152,20 @@ type LevelTwoParameters struct {
 type UserHierarchyStructureObservation struct {
 
 	// A block that defines the hierarchy structure's levels. The hierarchy_structure block is documented below.
-	// +kubebuilder:validation:Required
 	HierarchyStructure []HierarchyStructureObservation `json:"hierarchyStructure,omitempty" tf:"hierarchy_structure,omitempty"`
 
 	// The identifier of the hosting Amazon Connect Instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
 }
 
 type UserHierarchyStructureParameters struct {
 
 	// A block that defines the hierarchy structure's levels. The hierarchy_structure block is documented below.
-	// +kubebuilder:validation:Required
-	HierarchyStructure []HierarchyStructureParameters `json:"hierarchyStructure" tf:"hierarchy_structure,omitempty"`
+	// +kubebuilder:validation:Optional
+	HierarchyStructure []HierarchyStructureParameters `json:"hierarchyStructure,omitempty" tf:"hierarchy_structure,omitempty"`
 
 	// Specifies the identifier of the hosting Amazon Connect Instance.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/connect/v1beta1.Instance
@@ -199,8 +211,9 @@ type UserHierarchyStructureStatus struct {
 type UserHierarchyStructure struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserHierarchyStructureSpec   `json:"spec"`
-	Status            UserHierarchyStructureStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hierarchyStructure)",message="hierarchyStructure is a required parameter"
+	Spec   UserHierarchyStructureSpec   `json:"spec"`
+	Status UserHierarchyStructureStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/connect/v1beta1/zz_vocabulary_types.go b/apis/connect/v1beta1/zz_vocabulary_types.go
index 6a782db587..14704cffd4 100755
--- a/apis/connect/v1beta1/zz_vocabulary_types.go
+++ b/apis/connect/v1beta1/zz_vocabulary_types.go
@@ -18,6 +18,9 @@ type VocabularyObservation struct {
 	// The Amazon Resource Name (ARN) of the vocabulary.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The content of the custom vocabulary in plain-text format with a table of values. Each row in the table represents a word or a phrase, described with Phrase, IPA, SoundsLike, and DisplayAs fields. Separate the fields with TAB characters. For more information, see Create a custom vocabulary using a table. Minimum length of 1. Maximum length of 60000.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
 	// The reason why the custom vocabulary was not created.
 	FailureReason *string `json:"failureReason,omitempty" tf:"failure_reason,omitempty"`
 
@@ -25,12 +28,24 @@ type VocabularyObservation struct {
 	// separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the identifier of the hosting Amazon Connect Instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// The language code of the vocabulary entries. For a list of languages and their corresponding language codes, see What is Amazon Transcribe?. Valid Values are ar-AE, de-CH, de-DE, en-AB, en-AU, en-GB, en-IE, en-IN, en-US, en-WL, es-ES, es-US, fr-CA, fr-FR, hi-IN, it-IT, ja-JP, ko-KR, pt-BR, pt-PT, zh-CN.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
 	// The timestamp when the custom vocabulary was last modified.
 	LastModifiedTime *string `json:"lastModifiedTime,omitempty" tf:"last_modified_time,omitempty"`
 
+	// A unique name of the custom vocabulary. Must not be more than 140 characters.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The current state of the custom vocabulary. Valid values are CREATION_IN_PROGRESS, ACTIVE, CREATION_FAILED, DELETE_IN_PROGRESS.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -41,8 +56,8 @@ type VocabularyObservation struct {
 type VocabularyParameters struct {
 
 	// The content of the custom vocabulary in plain-text format with a table of values. Each row in the table represents a word or a phrase, described with Phrase, IPA, SoundsLike, and DisplayAs fields. Separate the fields with TAB characters. For more information, see Create a custom vocabulary using a table. Minimum length of 1. Maximum length of 60000.
-	// +kubebuilder:validation:Required
-	Content *string `json:"content" tf:"content,omitempty"`
+	// +kubebuilder:validation:Optional
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
 
 	// Specifies the identifier of the hosting Amazon Connect Instance.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/connect/v1beta1.Instance
@@ -59,12 +74,12 @@ type VocabularyParameters struct {
 	InstanceIDSelector *v1.Selector `json:"instanceIdSelector,omitempty" tf:"-"`
 
 	// The language code of the vocabulary entries. For a list of languages and their corresponding language codes, see What is Amazon Transcribe?. Valid Values are ar-AE, de-CH, de-DE, en-AB, en-AU, en-GB, en-IE, en-IN, en-US, en-WL, es-ES, es-US, fr-CA, fr-FR, hi-IN, it-IT, ja-JP, ko-KR, pt-BR, pt-PT, zh-CN.
-	// +kubebuilder:validation:Required
-	LanguageCode *string `json:"languageCode" tf:"language_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
 
 	// A unique name of the custom vocabulary. Must not be more than 140 characters.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -100,8 +115,11 @@ type VocabularyStatus struct {
 type Vocabulary struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VocabularySpec   `json:"spec"`
-	Status            VocabularyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)",message="content is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)",message="languageCode is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   VocabularySpec   `json:"spec"`
+	Status VocabularyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/cur/v1beta1/zz_generated.deepcopy.go b/apis/cur/v1beta1/zz_generated.deepcopy.go
index 87f0bd38d0..7bd6e70e19 100644
--- a/apis/cur/v1beta1/zz_generated.deepcopy.go
+++ b/apis/cur/v1beta1/zz_generated.deepcopy.go
@@ -76,16 +76,78 @@ func (in *ReportDefinitionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReportDefinitionObservation) DeepCopyInto(out *ReportDefinitionObservation) {
 	*out = *in
+	if in.AdditionalArtifacts != nil {
+		in, out := &in.AdditionalArtifacts, &out.AdditionalArtifacts
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AdditionalSchemaElements != nil {
+		in, out := &in.AdditionalSchemaElements, &out.AdditionalSchemaElements
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Compression != nil {
+		in, out := &in.Compression, &out.Compression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RefreshClosedReports != nil {
+		in, out := &in.RefreshClosedReports, &out.RefreshClosedReports
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ReportVersioning != nil {
+		in, out := &in.ReportVersioning, &out.ReportVersioning
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Bucket != nil {
+		in, out := &in.S3Bucket, &out.S3Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Prefix != nil {
+		in, out := &in.S3Prefix, &out.S3Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Region != nil {
+		in, out := &in.S3Region, &out.S3Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeUnit != nil {
+		in, out := &in.TimeUnit, &out.TimeUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReportDefinitionObservation.
diff --git a/apis/cur/v1beta1/zz_reportdefinition_types.go b/apis/cur/v1beta1/zz_reportdefinition_types.go
index c6d2403aaf..8b52c01b54 100755
--- a/apis/cur/v1beta1/zz_reportdefinition_types.go
+++ b/apis/cur/v1beta1/zz_reportdefinition_types.go
@@ -15,10 +15,40 @@ import (
 
 type ReportDefinitionObservation struct {
 
+	// A list of additional artifacts. Valid values are: REDSHIFT, QUICKSIGHT, ATHENA. When ATHENA exists within additional_artifacts, no other artifact type can be declared and report_versioning must be OVERWRITE_REPORT.
+	AdditionalArtifacts []*string `json:"additionalArtifacts,omitempty" tf:"additional_artifacts,omitempty"`
+
+	// A list of schema elements. Valid values are: RESOURCES.
+	AdditionalSchemaElements []*string `json:"additionalSchemaElements,omitempty" tf:"additional_schema_elements,omitempty"`
+
 	// The Amazon Resource Name (ARN) specifying the cur report.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Compression format for report. Valid values are: GZIP, ZIP, Parquet. If Parquet is used, then format must also be Parquet.
+	Compression *string `json:"compression,omitempty" tf:"compression,omitempty"`
+
+	// Format for report. Valid values are: textORcsv, Parquet. If Parquet is used, then Compression must also be Parquet.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Set to true to update your reports after they have been finalized if AWS detects charges related to previous months.
+	RefreshClosedReports *bool `json:"refreshClosedReports,omitempty" tf:"refresh_closed_reports,omitempty"`
+
+	// Overwrite the previous version of each report or to deliver the report in addition to the previous versions. Valid values are: CREATE_NEW_REPORT and OVERWRITE_REPORT.
+	ReportVersioning *string `json:"reportVersioning,omitempty" tf:"report_versioning,omitempty"`
+
+	// Name of the existing S3 bucket to hold generated reports.
+	S3Bucket *string `json:"s3Bucket,omitempty" tf:"s3_bucket,omitempty"`
+
+	// Report path prefix. Limited to 256 characters.
+	S3Prefix *string `json:"s3Prefix,omitempty" tf:"s3_prefix,omitempty"`
+
+	// Region of the existing S3 bucket to hold generated reports.
+	S3Region *string `json:"s3Region,omitempty" tf:"s3_region,omitempty"`
+
+	// The frequency on which report data are measured and displayed.  Valid values are: DAILY, HOURLY, MONTHLY.
+	TimeUnit *string `json:"timeUnit,omitempty" tf:"time_unit,omitempty"`
 }
 
 type ReportDefinitionParameters struct {
@@ -28,16 +58,16 @@ type ReportDefinitionParameters struct {
 	AdditionalArtifacts []*string `json:"additionalArtifacts,omitempty" tf:"additional_artifacts,omitempty"`
 
 	// A list of schema elements. Valid values are: RESOURCES.
-	// +kubebuilder:validation:Required
-	AdditionalSchemaElements []*string `json:"additionalSchemaElements" tf:"additional_schema_elements,omitempty"`
+	// +kubebuilder:validation:Optional
+	AdditionalSchemaElements []*string `json:"additionalSchemaElements,omitempty" tf:"additional_schema_elements,omitempty"`
 
 	// Compression format for report. Valid values are: GZIP, ZIP, Parquet. If Parquet is used, then format must also be Parquet.
-	// +kubebuilder:validation:Required
-	Compression *string `json:"compression" tf:"compression,omitempty"`
+	// +kubebuilder:validation:Optional
+	Compression *string `json:"compression,omitempty" tf:"compression,omitempty"`
 
 	// Format for report. Valid values are: textORcsv, Parquet. If Parquet is used, then Compression must also be Parquet.
-	// +kubebuilder:validation:Required
-	Format *string `json:"format" tf:"format,omitempty"`
+	// +kubebuilder:validation:Optional
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
 
 	// Set to true to update your reports after they have been finalized if AWS detects charges related to previous months.
 	// +kubebuilder:validation:Optional
@@ -70,12 +100,12 @@ type ReportDefinitionParameters struct {
 	S3Prefix *string `json:"s3Prefix,omitempty" tf:"s3_prefix,omitempty"`
 
 	// Region of the existing S3 bucket to hold generated reports.
-	// +kubebuilder:validation:Required
-	S3Region *string `json:"s3Region" tf:"s3_region,omitempty"`
+	// +kubebuilder:validation:Optional
+	S3Region *string `json:"s3Region,omitempty" tf:"s3_region,omitempty"`
 
 	// The frequency on which report data are measured and displayed.  Valid values are: DAILY, HOURLY, MONTHLY.
-	// +kubebuilder:validation:Required
-	TimeUnit *string `json:"timeUnit" tf:"time_unit,omitempty"`
+	// +kubebuilder:validation:Optional
+	TimeUnit *string `json:"timeUnit,omitempty" tf:"time_unit,omitempty"`
 }
 
 // ReportDefinitionSpec defines the desired state of ReportDefinition
@@ -102,8 +132,13 @@ type ReportDefinitionStatus struct {
 type ReportDefinition struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReportDefinitionSpec   `json:"spec"`
-	Status            ReportDefinitionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.additionalSchemaElements)",message="additionalSchemaElements is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.compression)",message="compression is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.format)",message="format is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.s3Region)",message="s3Region is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.timeUnit)",message="timeUnit is a required parameter"
+	Spec   ReportDefinitionSpec   `json:"spec"`
+	Status ReportDefinitionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dataexchange/v1beta1/zz_dataset_types.go b/apis/dataexchange/v1beta1/zz_dataset_types.go
index 2a11e1e36e..5071fa9199 100755
--- a/apis/dataexchange/v1beta1/zz_dataset_types.go
+++ b/apis/dataexchange/v1beta1/zz_dataset_types.go
@@ -18,9 +18,21 @@ type DataSetObservation struct {
 	// The Amazon Resource Name of this data set.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The type of asset that is added to a data set. Valid values are: S3_SNAPSHOT, REDSHIFT_DATA_SHARE, and API_GATEWAY_API.
+	AssetType *string `json:"assetType,omitempty" tf:"asset_type,omitempty"`
+
+	// A description for the data set.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The Id of the data set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the data set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,16 +40,16 @@ type DataSetObservation struct {
 type DataSetParameters struct {
 
 	// The type of asset that is added to a data set. Valid values are: S3_SNAPSHOT, REDSHIFT_DATA_SHARE, and API_GATEWAY_API.
-	// +kubebuilder:validation:Required
-	AssetType *string `json:"assetType" tf:"asset_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	AssetType *string `json:"assetType,omitempty" tf:"asset_type,omitempty"`
 
 	// A description for the data set.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the data set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -73,8 +85,11 @@ type DataSetStatus struct {
 type DataSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DataSetSpec   `json:"spec"`
-	Status            DataSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.assetType)",message="assetType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   DataSetSpec   `json:"spec"`
+	Status DataSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dataexchange/v1beta1/zz_generated.deepcopy.go b/apis/dataexchange/v1beta1/zz_generated.deepcopy.go
index 10409e5b49..aea54b1690 100644
--- a/apis/dataexchange/v1beta1/zz_generated.deepcopy.go
+++ b/apis/dataexchange/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,41 @@ func (in *DataSetObservation) DeepCopyInto(out *DataSetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssetType != nil {
+		in, out := &in.AssetType, &out.AssetType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -264,6 +294,16 @@ func (in *RevisionObservation) DeepCopyInto(out *RevisionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSetID != nil {
+		in, out := &in.DataSetID, &out.DataSetID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -274,6 +314,21 @@ func (in *RevisionObservation) DeepCopyInto(out *RevisionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/dataexchange/v1beta1/zz_revision_types.go b/apis/dataexchange/v1beta1/zz_revision_types.go
index cfea6040cc..aff930bfd4 100755
--- a/apis/dataexchange/v1beta1/zz_revision_types.go
+++ b/apis/dataexchange/v1beta1/zz_revision_types.go
@@ -18,12 +18,21 @@ type RevisionObservation struct {
 	// The Amazon Resource Name of this data set.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// An optional comment about the revision.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// The dataset id.
+	DataSetID *string `json:"dataSetId,omitempty" tf:"data_set_id,omitempty"`
+
 	// The Id of the data set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The Id of the revision.
 	RevisionID *string `json:"revisionId,omitempty" tf:"revision_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/datapipeline/v1beta1/zz_generated.deepcopy.go b/apis/datapipeline/v1beta1/zz_generated.deepcopy.go
index 83a2323b6d..3d3a05fa3b 100644
--- a/apis/datapipeline/v1beta1/zz_generated.deepcopy.go
+++ b/apis/datapipeline/v1beta1/zz_generated.deepcopy.go
@@ -75,11 +75,36 @@ func (in *PipelineList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PipelineObservation) DeepCopyInto(out *PipelineObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/datapipeline/v1beta1/zz_pipeline_types.go b/apis/datapipeline/v1beta1/zz_pipeline_types.go
index 4045575e6f..169ce3e4b2 100755
--- a/apis/datapipeline/v1beta1/zz_pipeline_types.go
+++ b/apis/datapipeline/v1beta1/zz_pipeline_types.go
@@ -15,9 +15,18 @@ import (
 
 type PipelineObservation struct {
 
+	// The description of Pipeline.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The identifier of the client certificate.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of Pipeline.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -29,8 +38,8 @@ type PipelineParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of Pipeline.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -66,8 +75,9 @@ type PipelineStatus struct {
 type Pipeline struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PipelineSpec   `json:"spec"`
-	Status            PipelineStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   PipelineSpec   `json:"spec"`
+	Status PipelineStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dax/v1beta1/zz_cluster_types.go b/apis/dax/v1beta1/zz_cluster_types.go
index c263c26203..eba3dea346 100755
--- a/apis/dax/v1beta1/zz_cluster_types.go
+++ b/apis/dax/v1beta1/zz_cluster_types.go
@@ -18,23 +18,74 @@ type ClusterObservation struct {
 	// The ARN of the DAX cluster
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of Availability Zones in which the
+	// nodes will be created
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
 	// The DNS name of the DAX cluster without the port appended
 	ClusterAddress *string `json:"clusterAddress,omitempty" tf:"cluster_address,omitempty"`
 
+	// –  The type of encryption the
+	// cluster's endpoint should support. Valid values are: NONE and TLS.
+	// Default value is NONE.
+	ClusterEndpointEncryptionType *string `json:"clusterEndpointEncryptionType,omitempty" tf:"cluster_endpoint_encryption_type,omitempty"`
+
 	// The configuration endpoint for this DAX cluster,
 	// consisting of a DNS name and a port number
 	ConfigurationEndpoint *string `json:"configurationEndpoint,omitempty" tf:"configuration_endpoint,omitempty"`
 
+	// –  Description for the cluster
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// A valid Amazon Resource Name (ARN) that identifies
+	// an IAM role. At runtime, DAX will assume this role and use the role's
+	// permissions to access DynamoDB on your behalf
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ddd:hh24:mi
+	// (24H Clock UTC). The minimum maintenance window is a 60 minute period. Example:
+	// sun:05:00-sun:09:00
+	MaintenanceWindow *string `json:"maintenanceWindow,omitempty" tf:"maintenance_window,omitempty"`
+
+	// –  The compute and memory capacity of the nodes. See
+	// Nodes for supported node types
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
+
 	// List of node objects including id, address, port and
 	// availability_zone. Referenceable e.g., as
 	// ${aws_dax_cluster.test.nodes.0.address}
 	Nodes []NodesObservation `json:"nodes,omitempty" tf:"nodes,omitempty"`
 
+	// east-1:012345678999:my_sns_topic
+	NotificationTopicArn *string `json:"notificationTopicArn,omitempty" tf:"notification_topic_arn,omitempty"`
+
+	// –  Name of the parameter group to associate
+	// with this DAX cluster
+	ParameterGroupName *string `json:"parameterGroupName,omitempty" tf:"parameter_group_name,omitempty"`
+
 	// The port used by the configuration endpoint
 	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 
+	// node cluster, without any read
+	// replicas
+	ReplicationFactor *float64 `json:"replicationFactor,omitempty" tf:"replication_factor,omitempty"`
+
+	// –  One or more VPC security groups associated
+	// with the cluster
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Encrypt at rest options
+	ServerSideEncryption []ServerSideEncryptionObservation `json:"serverSideEncryption,omitempty" tf:"server_side_encryption,omitempty"`
+
+	// –  Name of the subnet group to be used for the
+	// cluster
+	SubnetGroupName *string `json:"subnetGroupName,omitempty" tf:"subnet_group_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -80,8 +131,8 @@ type ClusterParameters struct {
 
 	// –  The compute and memory capacity of the nodes. See
 	// Nodes for supported node types
-	// +kubebuilder:validation:Required
-	NodeType *string `json:"nodeType" tf:"node_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
 
 	// east-1:012345678999:my_sns_topic
 	// +kubebuilder:validation:Optional
@@ -99,8 +150,8 @@ type ClusterParameters struct {
 
 	// node cluster, without any read
 	// replicas
-	// +kubebuilder:validation:Required
-	ReplicationFactor *float64 `json:"replicationFactor" tf:"replication_factor,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReplicationFactor *float64 `json:"replicationFactor,omitempty" tf:"replication_factor,omitempty"`
 
 	// References to SecurityGroup in ec2 to populate securityGroupIds.
 	// +kubebuilder:validation:Optional
@@ -147,6 +198,9 @@ type NodesParameters struct {
 }
 
 type ServerSideEncryptionObservation struct {
+
+	// Whether to enable encryption at rest. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type ServerSideEncryptionParameters struct {
@@ -180,8 +234,10 @@ type ClusterStatus struct {
 type Cluster struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterSpec   `json:"spec"`
-	Status            ClusterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.nodeType)",message="nodeType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicationFactor)",message="replicationFactor is a required parameter"
+	Spec   ClusterSpec   `json:"spec"`
+	Status ClusterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dax/v1beta1/zz_generated.deepcopy.go b/apis/dax/v1beta1/zz_generated.deepcopy.go
index ea0aa140f1..b5ff87031d 100644
--- a/apis/dax/v1beta1/zz_generated.deepcopy.go
+++ b/apis/dax/v1beta1/zz_generated.deepcopy.go
@@ -81,21 +81,57 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ClusterAddress != nil {
 		in, out := &in.ClusterAddress, &out.ClusterAddress
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterEndpointEncryptionType != nil {
+		in, out := &in.ClusterEndpointEncryptionType, &out.ClusterEndpointEncryptionType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ConfigurationEndpoint != nil {
 		in, out := &in.ConfigurationEndpoint, &out.ConfigurationEndpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaintenanceWindow != nil {
+		in, out := &in.MaintenanceWindow, &out.MaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.NodeType != nil {
+		in, out := &in.NodeType, &out.NodeType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Nodes != nil {
 		in, out := &in.Nodes, &out.Nodes
 		*out = make([]NodesObservation, len(*in))
@@ -103,11 +139,64 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.NotificationTopicArn != nil {
+		in, out := &in.NotificationTopicArn, &out.NotificationTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterGroupName != nil {
+		in, out := &in.ParameterGroupName, &out.ParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Port != nil {
 		in, out := &in.Port, &out.Port
 		*out = new(float64)
 		**out = **in
 	}
+	if in.ReplicationFactor != nil {
+		in, out := &in.ReplicationFactor, &out.ReplicationFactor
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ServerSideEncryption != nil {
+		in, out := &in.ServerSideEncryption, &out.ServerSideEncryption
+		*out = make([]ServerSideEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SubnetGroupName != nil {
+		in, out := &in.SubnetGroupName, &out.SubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -412,11 +501,23 @@ func (in *ParameterGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterGroupObservation) DeepCopyInto(out *ParameterGroupObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]ParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterGroupObservation.
@@ -498,6 +599,16 @@ func (in *ParameterGroupStatus) DeepCopy() *ParameterGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParametersObservation) DeepCopyInto(out *ParametersObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParametersObservation.
@@ -538,6 +649,11 @@ func (in *ParametersParameters) DeepCopy() *ParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerSideEncryptionObservation) DeepCopyInto(out *ServerSideEncryptionObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerSideEncryptionObservation.
@@ -632,11 +748,27 @@ func (in *SubnetGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
diff --git a/apis/dax/v1beta1/zz_parametergroup_types.go b/apis/dax/v1beta1/zz_parametergroup_types.go
index b05adf1f34..21109e941a 100755
--- a/apis/dax/v1beta1/zz_parametergroup_types.go
+++ b/apis/dax/v1beta1/zz_parametergroup_types.go
@@ -15,8 +15,14 @@ import (
 
 type ParameterGroupObservation struct {
 
+	// A description of the parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The name of the parameter group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// –  The parameters of the parameter group.
+	Parameters []ParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
 }
 
 type ParameterGroupParameters struct {
@@ -36,6 +42,12 @@ type ParameterGroupParameters struct {
 }
 
 type ParametersObservation struct {
+
+	// The name of the parameter.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value for the parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParametersParameters struct {
diff --git a/apis/dax/v1beta1/zz_subnetgroup_types.go b/apis/dax/v1beta1/zz_subnetgroup_types.go
index 31cb567a31..e27d6d278f 100755
--- a/apis/dax/v1beta1/zz_subnetgroup_types.go
+++ b/apis/dax/v1beta1/zz_subnetgroup_types.go
@@ -15,9 +15,15 @@ import (
 
 type SubnetGroupObservation struct {
 
+	// A description of the subnet group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The name of the subnet group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  A list of VPC subnet IDs for the subnet group.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	// – VPC ID of the subnet group.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
diff --git a/apis/deploy/v1beta1/zz_app_types.go b/apis/deploy/v1beta1/zz_app_types.go
index 9a45191c79..11e7478410 100755
--- a/apis/deploy/v1beta1/zz_app_types.go
+++ b/apis/deploy/v1beta1/zz_app_types.go
@@ -21,6 +21,9 @@ type AppObservation struct {
 	// The ARN of the CodeDeploy application.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The compute platform can either be ECS, Lambda, or Server. Default is Server.
+	ComputePlatform *string `json:"computePlatform,omitempty" tf:"compute_platform,omitempty"`
+
 	// The name for a connection to a GitHub account.
 	GithubAccountName *string `json:"githubAccountName,omitempty" tf:"github_account_name,omitempty"`
 
@@ -30,6 +33,9 @@ type AppObservation struct {
 	// Whether the user has authenticated with GitHub for the specified application.
 	LinkedToGithub *bool `json:"linkedToGithub,omitempty" tf:"linked_to_github,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/deploy/v1beta1/zz_deploymentconfig_types.go b/apis/deploy/v1beta1/zz_deploymentconfig_types.go
index c309bb8584..f149906673 100755
--- a/apis/deploy/v1beta1/zz_deploymentconfig_types.go
+++ b/apis/deploy/v1beta1/zz_deploymentconfig_types.go
@@ -15,11 +15,20 @@ import (
 
 type DeploymentConfigObservation struct {
 
+	// The compute platform can be Server, Lambda, or ECS. Default is Server.
+	ComputePlatform *string `json:"computePlatform,omitempty" tf:"compute_platform,omitempty"`
+
 	// The AWS Assigned deployment config id
 	DeploymentConfigID *string `json:"deploymentConfigId,omitempty" tf:"deployment_config_id,omitempty"`
 
 	// The deployment group's config name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A minimum_healthy_hosts block. Required for Server compute platform. Minimum Healthy Hosts are documented below.
+	MinimumHealthyHosts []MinimumHealthyHostsObservation `json:"minimumHealthyHosts,omitempty" tf:"minimum_healthy_hosts,omitempty"`
+
+	// A traffic_routing_config block. Traffic Routing Config is documented below.
+	TrafficRoutingConfig []TrafficRoutingConfigObservation `json:"trafficRoutingConfig,omitempty" tf:"traffic_routing_config,omitempty"`
 }
 
 type DeploymentConfigParameters struct {
@@ -43,6 +52,15 @@ type DeploymentConfigParameters struct {
 }
 
 type MinimumHealthyHostsObservation struct {
+
+	// The type can either be FLEET_PERCENT or HOST_COUNT.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The value when the type is FLEET_PERCENT represents the minimum number of healthy instances as
+	// a percentage of the total number of instances in the deployment. If you specify FLEET_PERCENT, at the start of the
+	// deployment, AWS CodeDeploy converts the percentage to the equivalent number of instance and rounds up fractional instances.
+	// When the type is HOST_COUNT, the value represents the minimum number of healthy instances as an absolute value.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MinimumHealthyHostsParameters struct {
@@ -60,6 +78,12 @@ type MinimumHealthyHostsParameters struct {
 }
 
 type TimeBasedCanaryObservation struct {
+
+	// The number of minutes between the first and second traffic shifts of a TimeBasedCanary deployment.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The percentage of traffic to shift in the first increment of a TimeBasedCanary deployment.
+	Percentage *float64 `json:"percentage,omitempty" tf:"percentage,omitempty"`
 }
 
 type TimeBasedCanaryParameters struct {
@@ -74,6 +98,12 @@ type TimeBasedCanaryParameters struct {
 }
 
 type TimeBasedLinearObservation struct {
+
+	// The number of minutes between the first and second traffic shifts of a TimeBasedCanary deployment.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The percentage of traffic to shift in the first increment of a TimeBasedCanary deployment.
+	Percentage *float64 `json:"percentage,omitempty" tf:"percentage,omitempty"`
 }
 
 type TimeBasedLinearParameters struct {
@@ -88,6 +118,15 @@ type TimeBasedLinearParameters struct {
 }
 
 type TrafficRoutingConfigObservation struct {
+
+	// The time based canary configuration information. If type is TimeBasedLinear, use time_based_linear instead.
+	TimeBasedCanary []TimeBasedCanaryObservation `json:"timeBasedCanary,omitempty" tf:"time_based_canary,omitempty"`
+
+	// The time based linear configuration information. If type is TimeBasedCanary, use time_based_canary instead.
+	TimeBasedLinear []TimeBasedLinearObservation `json:"timeBasedLinear,omitempty" tf:"time_based_linear,omitempty"`
+
+	// Type of traffic routing config. One of TimeBasedCanary, TimeBasedLinear, AllAtOnce.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type TrafficRoutingConfigParameters struct {
diff --git a/apis/deploy/v1beta1/zz_deploymentgroup_types.go b/apis/deploy/v1beta1/zz_deploymentgroup_types.go
index 47e27891b0..721c708718 100755
--- a/apis/deploy/v1beta1/zz_deploymentgroup_types.go
+++ b/apis/deploy/v1beta1/zz_deploymentgroup_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AlarmConfigurationObservation struct {
+
+	// A list of alarms configured for the deployment group. A maximum of 10 alarms can be added to a deployment group.
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	// Indicates whether the alarm configuration is enabled. This option is useful when you want to temporarily deactivate alarm monitoring for a deployment group without having to add the same alarms again later.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Indicates whether a deployment should continue if information about the current state of alarms cannot be retrieved from CloudWatch. The default value is false.
+	IgnorePollAlarmFailure *bool `json:"ignorePollAlarmFailure,omitempty" tf:"ignore_poll_alarm_failure,omitempty"`
 }
 
 type AlarmConfigurationParameters struct {
@@ -32,6 +41,12 @@ type AlarmConfigurationParameters struct {
 }
 
 type AutoRollbackConfigurationObservation struct {
+
+	// Indicates whether the alarm configuration is enabled. This option is useful when you want to temporarily deactivate alarm monitoring for a deployment group without having to add the same alarms again later.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The event type or types that trigger a rollback. Supported types are DEPLOYMENT_FAILURE and DEPLOYMENT_STOP_ON_ALARM.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
 }
 
 type AutoRollbackConfigurationParameters struct {
@@ -46,6 +61,15 @@ type AutoRollbackConfigurationParameters struct {
 }
 
 type BlueGreenDeploymentConfigObservation struct {
+
+	// Information about the action to take when newly provisioned instances are ready to receive traffic in a blue/green deployment (documented below).
+	DeploymentReadyOption []DeploymentReadyOptionObservation `json:"deploymentReadyOption,omitempty" tf:"deployment_ready_option,omitempty"`
+
+	// Information about how instances are provisioned for a replacement environment in a blue/green deployment (documented below).
+	GreenFleetProvisioningOption []GreenFleetProvisioningOptionObservation `json:"greenFleetProvisioningOption,omitempty" tf:"green_fleet_provisioning_option,omitempty"`
+
+	// Information about whether to terminate instances in the original fleet during a blue/green deployment (documented below).
+	TerminateBlueInstancesOnDeploymentSuccess []TerminateBlueInstancesOnDeploymentSuccessObservation `json:"terminateBlueInstancesOnDeploymentSuccess,omitempty" tf:"terminate_blue_instances_on_deployment_success,omitempty"`
 }
 
 type BlueGreenDeploymentConfigParameters struct {
@@ -65,20 +89,65 @@ type BlueGreenDeploymentConfigParameters struct {
 
 type DeploymentGroupObservation struct {
 
+	// Configuration block of alarms associated with the deployment group (documented below).
+	AlarmConfiguration []AlarmConfigurationObservation `json:"alarmConfiguration,omitempty" tf:"alarm_configuration,omitempty"`
+
+	// The name of the application.
+	AppName *string `json:"appName,omitempty" tf:"app_name,omitempty"`
+
 	// The ARN of the CodeDeploy deployment group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block of the automatic rollback configuration associated with the deployment group (documented below).
+	AutoRollbackConfiguration []AutoRollbackConfigurationObservation `json:"autoRollbackConfiguration,omitempty" tf:"auto_rollback_configuration,omitempty"`
+
+	// Autoscaling groups associated with the deployment group.
+	AutoscalingGroups []*string `json:"autoscalingGroups,omitempty" tf:"autoscaling_groups,omitempty"`
+
+	// Configuration block of the blue/green deployment options for a deployment group (documented below).
+	BlueGreenDeploymentConfig []BlueGreenDeploymentConfigObservation `json:"blueGreenDeploymentConfig,omitempty" tf:"blue_green_deployment_config,omitempty"`
+
 	// The destination platform type for the deployment.
 	ComputePlatform *string `json:"computePlatform,omitempty" tf:"compute_platform,omitempty"`
 
+	// The name of the group's deployment config. The default is "CodeDeployDefault.OneAtATime".
+	DeploymentConfigName *string `json:"deploymentConfigName,omitempty" tf:"deployment_config_name,omitempty"`
+
 	// The ID of the CodeDeploy deployment group.
 	DeploymentGroupID *string `json:"deploymentGroupId,omitempty" tf:"deployment_group_id,omitempty"`
 
+	// Configuration block of the type of deployment, either in-place or blue/green, you want to run and whether to route deployment traffic behind a load balancer (documented below).
+	DeploymentStyle []DeploymentStyleObservation `json:"deploymentStyle,omitempty" tf:"deployment_style,omitempty"`
+
+	// Tag filters associated with the deployment group. See the AWS docs for details.
+	EC2TagFilter []EC2TagFilterObservation `json:"ec2TagFilter,omitempty" tf:"ec2_tag_filter,omitempty"`
+
+	// Configuration block(s) of Tag filters associated with the deployment group, which are also referred to as tag groups (documented below). See the AWS docs for details.
+	EC2TagSet []EC2TagSetObservation `json:"ec2TagSet,omitempty" tf:"ec2_tag_set,omitempty"`
+
+	// Configuration block(s) of the ECS services for a deployment group (documented below).
+	EcsService []EcsServiceObservation `json:"ecsService,omitempty" tf:"ecs_service,omitempty"`
+
 	// Application name and deployment group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Single configuration block of the load balancer to use in a blue/green deployment (documented below).
+	LoadBalancerInfo []LoadBalancerInfoObservation `json:"loadBalancerInfo,omitempty" tf:"load_balancer_info,omitempty"`
+
+	// On premise tag filters associated with the group. See the AWS docs for details.
+	OnPremisesInstanceTagFilter []OnPremisesInstanceTagFilterObservation `json:"onPremisesInstanceTagFilter,omitempty" tf:"on_premises_instance_tag_filter,omitempty"`
+
+	// The service role ARN that allows deployments.
+	ServiceRoleArn *string `json:"serviceRoleArn,omitempty" tf:"service_role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration block(s) of the triggers for the deployment group (documented below).
+	TriggerConfiguration []TriggerConfigurationObservation `json:"triggerConfiguration,omitempty" tf:"trigger_configuration,omitempty"`
 }
 
 type DeploymentGroupParameters struct {
@@ -169,6 +238,12 @@ type DeploymentGroupParameters struct {
 }
 
 type DeploymentReadyOptionObservation struct {
+
+	// When to reroute traffic from an original environment to a replacement environment in a blue/green deployment.
+	ActionOnTimeout *string `json:"actionOnTimeout,omitempty" tf:"action_on_timeout,omitempty"`
+
+	// The number of minutes to wait before the status of a blue/green deployment changed to Stopped if rerouting is not started manually. Applies only to the STOP_DEPLOYMENT option for action_on_timeout.
+	WaitTimeInMinutes *float64 `json:"waitTimeInMinutes,omitempty" tf:"wait_time_in_minutes,omitempty"`
 }
 
 type DeploymentReadyOptionParameters struct {
@@ -183,6 +258,12 @@ type DeploymentReadyOptionParameters struct {
 }
 
 type DeploymentStyleObservation struct {
+
+	// Indicates whether to route deployment traffic behind a load balancer. Valid Values are WITH_TRAFFIC_CONTROL or WITHOUT_TRAFFIC_CONTROL. Default is WITHOUT_TRAFFIC_CONTROL.
+	DeploymentOption *string `json:"deploymentOption,omitempty" tf:"deployment_option,omitempty"`
+
+	// Indicates whether to run an in-place deployment or a blue/green deployment. Valid Values are IN_PLACE or BLUE_GREEN. Default is IN_PLACE.
+	DeploymentType *string `json:"deploymentType,omitempty" tf:"deployment_type,omitempty"`
 }
 
 type DeploymentStyleParameters struct {
@@ -197,6 +278,15 @@ type DeploymentStyleParameters struct {
 }
 
 type EC2TagFilterObservation struct {
+
+	// The key of the tag filter.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The type of the tag filter, either KEY_ONLY, VALUE_ONLY, or KEY_AND_VALUE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The value of the tag filter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type EC2TagFilterParameters struct {
@@ -215,6 +305,15 @@ type EC2TagFilterParameters struct {
 }
 
 type EC2TagSetEC2TagFilterObservation struct {
+
+	// The key of the tag filter.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The type of the tag filter, either KEY_ONLY, VALUE_ONLY, or KEY_AND_VALUE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The value of the tag filter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type EC2TagSetEC2TagFilterParameters struct {
@@ -233,6 +332,9 @@ type EC2TagSetEC2TagFilterParameters struct {
 }
 
 type EC2TagSetObservation struct {
+
+	// Tag filters associated with the deployment group. See the AWS docs for details.
+	EC2TagFilter []EC2TagSetEC2TagFilterObservation `json:"ec2TagFilter,omitempty" tf:"ec2_tag_filter,omitempty"`
 }
 
 type EC2TagSetParameters struct {
@@ -243,6 +345,9 @@ type EC2TagSetParameters struct {
 }
 
 type ELBInfoObservation struct {
+
+	// The name of the target group that instances in the original environment are deregistered from, and instances in the replacement environment registered with. For in-place deployments, the name of the target group that instances are deregistered from, so they are not serving traffic during a deployment, and then re-registered with after the deployment completes.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type ELBInfoParameters struct {
@@ -262,6 +367,12 @@ type ELBInfoParameters struct {
 }
 
 type EcsServiceObservation struct {
+
+	// The name of the ECS cluster.
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
+	// The name of the ECS service.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
 }
 
 type EcsServiceParameters struct {
@@ -294,6 +405,9 @@ type EcsServiceParameters struct {
 }
 
 type GreenFleetProvisioningOptionObservation struct {
+
+	// The method used to add instances to a replacement environment.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
 }
 
 type GreenFleetProvisioningOptionParameters struct {
@@ -304,6 +418,15 @@ type GreenFleetProvisioningOptionParameters struct {
 }
 
 type LoadBalancerInfoObservation struct {
+
+	// The Classic Elastic Load Balancer to use in a deployment. Conflicts with target_group_info and target_group_pair_info.
+	ELBInfo []ELBInfoObservation `json:"elbInfo,omitempty" tf:"elb_info,omitempty"`
+
+	// The (Application/Network Load Balancer) target group to use in a deployment. Conflicts with elb_info and target_group_pair_info.
+	TargetGroupInfo []TargetGroupInfoObservation `json:"targetGroupInfo,omitempty" tf:"target_group_info,omitempty"`
+
+	// The (Application/Network Load Balancer) target group pair to use in a deployment. Conflicts with elb_info and target_group_info.
+	TargetGroupPairInfo []TargetGroupPairInfoObservation `json:"targetGroupPairInfo,omitempty" tf:"target_group_pair_info,omitempty"`
 }
 
 type LoadBalancerInfoParameters struct {
@@ -322,6 +445,15 @@ type LoadBalancerInfoParameters struct {
 }
 
 type OnPremisesInstanceTagFilterObservation struct {
+
+	// The key of the tag filter.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The type of the tag filter, either KEY_ONLY, VALUE_ONLY, or KEY_AND_VALUE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The value of the tag filter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type OnPremisesInstanceTagFilterParameters struct {
@@ -340,6 +472,9 @@ type OnPremisesInstanceTagFilterParameters struct {
 }
 
 type ProdTrafficRouteObservation struct {
+
+	// List of Amazon Resource Names (ARNs) of the load balancer listeners.
+	ListenerArns []*string `json:"listenerArns,omitempty" tf:"listener_arns,omitempty"`
 }
 
 type ProdTrafficRouteParameters struct {
@@ -350,6 +485,9 @@ type ProdTrafficRouteParameters struct {
 }
 
 type TargetGroupInfoObservation struct {
+
+	// The name of the target group that instances in the original environment are deregistered from, and instances in the replacement environment registered with. For in-place deployments, the name of the target group that instances are deregistered from, so they are not serving traffic during a deployment, and then re-registered with after the deployment completes.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type TargetGroupInfoParameters struct {
@@ -360,9 +498,21 @@ type TargetGroupInfoParameters struct {
 }
 
 type TargetGroupObservation struct {
+
+	// The name of the target group that instances in the original environment are deregistered from, and instances in the replacement environment registered with. For in-place deployments, the name of the target group that instances are deregistered from, so they are not serving traffic during a deployment, and then re-registered with after the deployment completes.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type TargetGroupPairInfoObservation struct {
+
+	// Configuration block for the production traffic route (documented below).
+	ProdTrafficRoute []ProdTrafficRouteObservation `json:"prodTrafficRoute,omitempty" tf:"prod_traffic_route,omitempty"`
+
+	// Configuration blocks for a target group within a target group pair (documented below).
+	TargetGroup []TargetGroupObservation `json:"targetGroup,omitempty" tf:"target_group,omitempty"`
+
+	// Configuration block for the test traffic route (documented below).
+	TestTrafficRoute []TestTrafficRouteObservation `json:"testTrafficRoute,omitempty" tf:"test_traffic_route,omitempty"`
 }
 
 type TargetGroupPairInfoParameters struct {
@@ -398,6 +548,12 @@ type TargetGroupParameters struct {
 }
 
 type TerminateBlueInstancesOnDeploymentSuccessObservation struct {
+
+	// The method used to add instances to a replacement environment.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
+	// The number of minutes to wait after a successful blue/green deployment before terminating instances from the original environment.
+	TerminationWaitTimeInMinutes *float64 `json:"terminationWaitTimeInMinutes,omitempty" tf:"termination_wait_time_in_minutes,omitempty"`
 }
 
 type TerminateBlueInstancesOnDeploymentSuccessParameters struct {
@@ -412,6 +568,9 @@ type TerminateBlueInstancesOnDeploymentSuccessParameters struct {
 }
 
 type TestTrafficRouteObservation struct {
+
+	// List of Amazon Resource Names (ARNs) of the load balancer listeners.
+	ListenerArns []*string `json:"listenerArns,omitempty" tf:"listener_arns,omitempty"`
 }
 
 type TestTrafficRouteParameters struct {
@@ -422,6 +581,15 @@ type TestTrafficRouteParameters struct {
 }
 
 type TriggerConfigurationObservation struct {
+
+	// The event type or types for which notifications are triggered. Some values that are supported: DeploymentStart, DeploymentSuccess, DeploymentFailure, DeploymentStop, DeploymentRollback, InstanceStart, InstanceSuccess, InstanceFailure.  See the CodeDeploy documentation for all possible values.
+	TriggerEvents []*string `json:"triggerEvents,omitempty" tf:"trigger_events,omitempty"`
+
+	// The name of the notification trigger.
+	TriggerName *string `json:"triggerName,omitempty" tf:"trigger_name,omitempty"`
+
+	// The ARN of the SNS topic through which notifications are sent.
+	TriggerTargetArn *string `json:"triggerTargetArn,omitempty" tf:"trigger_target_arn,omitempty"`
 }
 
 type TriggerConfigurationParameters struct {
diff --git a/apis/deploy/v1beta1/zz_generated.deepcopy.go b/apis/deploy/v1beta1/zz_generated.deepcopy.go
index 0447609816..233cff8d0e 100644
--- a/apis/deploy/v1beta1/zz_generated.deepcopy.go
+++ b/apis/deploy/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,27 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AlarmConfigurationObservation) DeepCopyInto(out *AlarmConfigurationObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IgnorePollAlarmFailure != nil {
+		in, out := &in.IgnorePollAlarmFailure, &out.IgnorePollAlarmFailure
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlarmConfigurationObservation.
@@ -137,6 +158,11 @@ func (in *AppObservation) DeepCopyInto(out *AppObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ComputePlatform != nil {
+		in, out := &in.ComputePlatform, &out.ComputePlatform
+		*out = new(string)
+		**out = **in
+	}
 	if in.GithubAccountName != nil {
 		in, out := &in.GithubAccountName, &out.GithubAccountName
 		*out = new(string)
@@ -152,6 +178,21 @@ func (in *AppObservation) DeepCopyInto(out *AppObservation) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -256,6 +297,22 @@ func (in *AppStatus) DeepCopy() *AppStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoRollbackConfigurationObservation) DeepCopyInto(out *AutoRollbackConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoRollbackConfigurationObservation.
@@ -302,6 +359,27 @@ func (in *AutoRollbackConfigurationParameters) DeepCopy() *AutoRollbackConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BlueGreenDeploymentConfigObservation) DeepCopyInto(out *BlueGreenDeploymentConfigObservation) {
 	*out = *in
+	if in.DeploymentReadyOption != nil {
+		in, out := &in.DeploymentReadyOption, &out.DeploymentReadyOption
+		*out = make([]DeploymentReadyOptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GreenFleetProvisioningOption != nil {
+		in, out := &in.GreenFleetProvisioningOption, &out.GreenFleetProvisioningOption
+		*out = make([]GreenFleetProvisioningOptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TerminateBlueInstancesOnDeploymentSuccess != nil {
+		in, out := &in.TerminateBlueInstancesOnDeploymentSuccess, &out.TerminateBlueInstancesOnDeploymentSuccess
+		*out = make([]TerminateBlueInstancesOnDeploymentSuccessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BlueGreenDeploymentConfigObservation.
@@ -412,6 +490,11 @@ func (in *DeploymentConfigList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentConfigObservation) DeepCopyInto(out *DeploymentConfigObservation) {
 	*out = *in
+	if in.ComputePlatform != nil {
+		in, out := &in.ComputePlatform, &out.ComputePlatform
+		*out = new(string)
+		**out = **in
+	}
 	if in.DeploymentConfigID != nil {
 		in, out := &in.DeploymentConfigID, &out.DeploymentConfigID
 		*out = new(string)
@@ -422,6 +505,20 @@ func (in *DeploymentConfigObservation) DeepCopyInto(out *DeploymentConfigObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.MinimumHealthyHosts != nil {
+		in, out := &in.MinimumHealthyHosts, &out.MinimumHealthyHosts
+		*out = make([]MinimumHealthyHostsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TrafficRoutingConfig != nil {
+		in, out := &in.TrafficRoutingConfig, &out.TrafficRoutingConfig
+		*out = make([]TrafficRoutingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentConfigObservation.
@@ -569,26 +666,130 @@ func (in *DeploymentGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentGroupObservation) DeepCopyInto(out *DeploymentGroupObservation) {
 	*out = *in
+	if in.AlarmConfiguration != nil {
+		in, out := &in.AlarmConfiguration, &out.AlarmConfiguration
+		*out = make([]AlarmConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AppName != nil {
+		in, out := &in.AppName, &out.AppName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoRollbackConfiguration != nil {
+		in, out := &in.AutoRollbackConfiguration, &out.AutoRollbackConfiguration
+		*out = make([]AutoRollbackConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutoscalingGroups != nil {
+		in, out := &in.AutoscalingGroups, &out.AutoscalingGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BlueGreenDeploymentConfig != nil {
+		in, out := &in.BlueGreenDeploymentConfig, &out.BlueGreenDeploymentConfig
+		*out = make([]BlueGreenDeploymentConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ComputePlatform != nil {
 		in, out := &in.ComputePlatform, &out.ComputePlatform
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeploymentConfigName != nil {
+		in, out := &in.DeploymentConfigName, &out.DeploymentConfigName
+		*out = new(string)
+		**out = **in
+	}
 	if in.DeploymentGroupID != nil {
 		in, out := &in.DeploymentGroupID, &out.DeploymentGroupID
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeploymentStyle != nil {
+		in, out := &in.DeploymentStyle, &out.DeploymentStyle
+		*out = make([]DeploymentStyleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EC2TagFilter != nil {
+		in, out := &in.EC2TagFilter, &out.EC2TagFilter
+		*out = make([]EC2TagFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EC2TagSet != nil {
+		in, out := &in.EC2TagSet, &out.EC2TagSet
+		*out = make([]EC2TagSetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EcsService != nil {
+		in, out := &in.EcsService, &out.EcsService
+		*out = make([]EcsServiceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoadBalancerInfo != nil {
+		in, out := &in.LoadBalancerInfo, &out.LoadBalancerInfo
+		*out = make([]LoadBalancerInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OnPremisesInstanceTagFilter != nil {
+		in, out := &in.OnPremisesInstanceTagFilter, &out.OnPremisesInstanceTagFilter
+		*out = make([]OnPremisesInstanceTagFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServiceRoleArn != nil {
+		in, out := &in.ServiceRoleArn, &out.ServiceRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -604,6 +805,13 @@ func (in *DeploymentGroupObservation) DeepCopyInto(out *DeploymentGroupObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.TriggerConfiguration != nil {
+		in, out := &in.TriggerConfiguration, &out.TriggerConfiguration
+		*out = make([]TriggerConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentGroupObservation.
@@ -804,6 +1012,16 @@ func (in *DeploymentGroupStatus) DeepCopy() *DeploymentGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentReadyOptionObservation) DeepCopyInto(out *DeploymentReadyOptionObservation) {
 	*out = *in
+	if in.ActionOnTimeout != nil {
+		in, out := &in.ActionOnTimeout, &out.ActionOnTimeout
+		*out = new(string)
+		**out = **in
+	}
+	if in.WaitTimeInMinutes != nil {
+		in, out := &in.WaitTimeInMinutes, &out.WaitTimeInMinutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentReadyOptionObservation.
@@ -844,6 +1062,16 @@ func (in *DeploymentReadyOptionParameters) DeepCopy() *DeploymentReadyOptionPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentStyleObservation) DeepCopyInto(out *DeploymentStyleObservation) {
 	*out = *in
+	if in.DeploymentOption != nil {
+		in, out := &in.DeploymentOption, &out.DeploymentOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeploymentType != nil {
+		in, out := &in.DeploymentType, &out.DeploymentType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentStyleObservation.
@@ -884,6 +1112,21 @@ func (in *DeploymentStyleParameters) DeepCopy() *DeploymentStyleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EC2TagFilterObservation) DeepCopyInto(out *EC2TagFilterObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EC2TagFilterObservation.
@@ -929,6 +1172,21 @@ func (in *EC2TagFilterParameters) DeepCopy() *EC2TagFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EC2TagSetEC2TagFilterObservation) DeepCopyInto(out *EC2TagSetEC2TagFilterObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EC2TagSetEC2TagFilterObservation.
@@ -974,6 +1232,13 @@ func (in *EC2TagSetEC2TagFilterParameters) DeepCopy() *EC2TagSetEC2TagFilterPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EC2TagSetObservation) DeepCopyInto(out *EC2TagSetObservation) {
 	*out = *in
+	if in.EC2TagFilter != nil {
+		in, out := &in.EC2TagFilter, &out.EC2TagFilter
+		*out = make([]EC2TagSetEC2TagFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EC2TagSetObservation.
@@ -1011,6 +1276,11 @@ func (in *EC2TagSetParameters) DeepCopy() *EC2TagSetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ELBInfoObservation) DeepCopyInto(out *ELBInfoObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ELBInfoObservation.
@@ -1056,6 +1326,16 @@ func (in *ELBInfoParameters) DeepCopy() *ELBInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EcsServiceObservation) DeepCopyInto(out *EcsServiceObservation) {
 	*out = *in
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsServiceObservation.
@@ -1116,6 +1396,11 @@ func (in *EcsServiceParameters) DeepCopy() *EcsServiceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GreenFleetProvisioningOptionObservation) DeepCopyInto(out *GreenFleetProvisioningOptionObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GreenFleetProvisioningOptionObservation.
@@ -1151,6 +1436,27 @@ func (in *GreenFleetProvisioningOptionParameters) DeepCopy() *GreenFleetProvisio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoadBalancerInfoObservation) DeepCopyInto(out *LoadBalancerInfoObservation) {
 	*out = *in
+	if in.ELBInfo != nil {
+		in, out := &in.ELBInfo, &out.ELBInfo
+		*out = make([]ELBInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetGroupInfo != nil {
+		in, out := &in.TargetGroupInfo, &out.TargetGroupInfo
+		*out = make([]TargetGroupInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetGroupPairInfo != nil {
+		in, out := &in.TargetGroupPairInfo, &out.TargetGroupPairInfo
+		*out = make([]TargetGroupPairInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBalancerInfoObservation.
@@ -1202,6 +1508,16 @@ func (in *LoadBalancerInfoParameters) DeepCopy() *LoadBalancerInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MinimumHealthyHostsObservation) DeepCopyInto(out *MinimumHealthyHostsObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MinimumHealthyHostsObservation.
@@ -1242,6 +1558,21 @@ func (in *MinimumHealthyHostsParameters) DeepCopy() *MinimumHealthyHostsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnPremisesInstanceTagFilterObservation) DeepCopyInto(out *OnPremisesInstanceTagFilterObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnPremisesInstanceTagFilterObservation.
@@ -1287,6 +1618,17 @@ func (in *OnPremisesInstanceTagFilterParameters) DeepCopy() *OnPremisesInstanceT
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProdTrafficRouteObservation) DeepCopyInto(out *ProdTrafficRouteObservation) {
 	*out = *in
+	if in.ListenerArns != nil {
+		in, out := &in.ListenerArns, &out.ListenerArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProdTrafficRouteObservation.
@@ -1328,6 +1670,11 @@ func (in *ProdTrafficRouteParameters) DeepCopy() *ProdTrafficRouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetGroupInfoObservation) DeepCopyInto(out *TargetGroupInfoObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetGroupInfoObservation.
@@ -1363,6 +1710,11 @@ func (in *TargetGroupInfoParameters) DeepCopy() *TargetGroupInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetGroupObservation) DeepCopyInto(out *TargetGroupObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetGroupObservation.
@@ -1378,6 +1730,27 @@ func (in *TargetGroupObservation) DeepCopy() *TargetGroupObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetGroupPairInfoObservation) DeepCopyInto(out *TargetGroupPairInfoObservation) {
 	*out = *in
+	if in.ProdTrafficRoute != nil {
+		in, out := &in.ProdTrafficRoute, &out.ProdTrafficRoute
+		*out = make([]ProdTrafficRouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetGroup != nil {
+		in, out := &in.TargetGroup, &out.TargetGroup
+		*out = make([]TargetGroupObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TestTrafficRoute != nil {
+		in, out := &in.TestTrafficRoute, &out.TestTrafficRoute
+		*out = make([]TestTrafficRouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetGroupPairInfoObservation.
@@ -1459,6 +1832,16 @@ func (in *TargetGroupParameters) DeepCopy() *TargetGroupParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TerminateBlueInstancesOnDeploymentSuccessObservation) DeepCopyInto(out *TerminateBlueInstancesOnDeploymentSuccessObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
+	if in.TerminationWaitTimeInMinutes != nil {
+		in, out := &in.TerminationWaitTimeInMinutes, &out.TerminationWaitTimeInMinutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TerminateBlueInstancesOnDeploymentSuccessObservation.
@@ -1499,6 +1882,17 @@ func (in *TerminateBlueInstancesOnDeploymentSuccessParameters) DeepCopy() *Termi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TestTrafficRouteObservation) DeepCopyInto(out *TestTrafficRouteObservation) {
 	*out = *in
+	if in.ListenerArns != nil {
+		in, out := &in.ListenerArns, &out.ListenerArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestTrafficRouteObservation.
@@ -1540,6 +1934,16 @@ func (in *TestTrafficRouteParameters) DeepCopy() *TestTrafficRouteParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeBasedCanaryObservation) DeepCopyInto(out *TimeBasedCanaryObservation) {
 	*out = *in
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Percentage != nil {
+		in, out := &in.Percentage, &out.Percentage
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeBasedCanaryObservation.
@@ -1580,6 +1984,16 @@ func (in *TimeBasedCanaryParameters) DeepCopy() *TimeBasedCanaryParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeBasedLinearObservation) DeepCopyInto(out *TimeBasedLinearObservation) {
 	*out = *in
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Percentage != nil {
+		in, out := &in.Percentage, &out.Percentage
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeBasedLinearObservation.
@@ -1620,6 +2034,25 @@ func (in *TimeBasedLinearParameters) DeepCopy() *TimeBasedLinearParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrafficRoutingConfigObservation) DeepCopyInto(out *TrafficRoutingConfigObservation) {
 	*out = *in
+	if in.TimeBasedCanary != nil {
+		in, out := &in.TimeBasedCanary, &out.TimeBasedCanary
+		*out = make([]TimeBasedCanaryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TimeBasedLinear != nil {
+		in, out := &in.TimeBasedLinear, &out.TimeBasedLinear
+		*out = make([]TimeBasedLinearObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficRoutingConfigObservation.
@@ -1669,6 +2102,27 @@ func (in *TrafficRoutingConfigParameters) DeepCopy() *TrafficRoutingConfigParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TriggerConfigurationObservation) DeepCopyInto(out *TriggerConfigurationObservation) {
 	*out = *in
+	if in.TriggerEvents != nil {
+		in, out := &in.TriggerEvents, &out.TriggerEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TriggerName != nil {
+		in, out := &in.TriggerName, &out.TriggerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.TriggerTargetArn != nil {
+		in, out := &in.TriggerTargetArn, &out.TriggerTargetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TriggerConfigurationObservation.
diff --git a/apis/detective/v1beta1/zz_generated.deepcopy.go b/apis/detective/v1beta1/zz_generated.deepcopy.go
index 5837bba930..ce68f72125 100644
--- a/apis/detective/v1beta1/zz_generated.deepcopy.go
+++ b/apis/detective/v1beta1/zz_generated.deepcopy.go
@@ -91,6 +91,21 @@ func (in *GraphObservation) DeepCopyInto(out *GraphObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -249,6 +264,11 @@ func (in *InvitationAccepterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InvitationAccepterObservation) DeepCopyInto(out *InvitationAccepterObservation) {
 	*out = *in
+	if in.GraphArn != nil {
+		in, out := &in.GraphArn, &out.GraphArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -397,16 +417,36 @@ func (in *MemberList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.AdministratorID != nil {
 		in, out := &in.AdministratorID, &out.AdministratorID
 		*out = new(string)
 		**out = **in
 	}
+	if in.DisableEmailNotification != nil {
+		in, out := &in.DisableEmailNotification, &out.DisableEmailNotification
+		*out = new(bool)
+		**out = **in
+	}
 	if in.DisabledReason != nil {
 		in, out := &in.DisabledReason, &out.DisabledReason
 		*out = new(string)
 		**out = **in
 	}
+	if in.EmailAddress != nil {
+		in, out := &in.EmailAddress, &out.EmailAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.GraphArn != nil {
+		in, out := &in.GraphArn, &out.GraphArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -417,6 +457,11 @@ func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
diff --git a/apis/detective/v1beta1/zz_graph_types.go b/apis/detective/v1beta1/zz_graph_types.go
index 78161720c9..7bf789d133 100755
--- a/apis/detective/v1beta1/zz_graph_types.go
+++ b/apis/detective/v1beta1/zz_graph_types.go
@@ -24,6 +24,9 @@ type GraphObservation struct {
 	// ARN of the Detective Graph.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
diff --git a/apis/detective/v1beta1/zz_invitationaccepter_types.go b/apis/detective/v1beta1/zz_invitationaccepter_types.go
index 1f169db88e..895a257cf4 100755
--- a/apis/detective/v1beta1/zz_invitationaccepter_types.go
+++ b/apis/detective/v1beta1/zz_invitationaccepter_types.go
@@ -15,6 +15,9 @@ import (
 
 type InvitationAccepterObservation struct {
 
+	// ARN of the behavior graph that the member account is accepting the invitation for.
+	GraphArn *string `json:"graphArn,omitempty" tf:"graph_arn,omitempty"`
+
 	// Unique identifier (ID) of the Detective invitation accepter.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
diff --git a/apis/detective/v1beta1/zz_member_types.go b/apis/detective/v1beta1/zz_member_types.go
index 72297d681c..1b3c352f39 100755
--- a/apis/detective/v1beta1/zz_member_types.go
+++ b/apis/detective/v1beta1/zz_member_types.go
@@ -15,17 +15,32 @@ import (
 
 type MemberObservation struct {
 
+	// AWS account ID for the account.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// AWS account ID for the administrator account.
 	AdministratorID *string `json:"administratorId,omitempty" tf:"administrator_id,omitempty"`
 
+	// If set to true, then the root user of the invited account will not receive an email notification. This notification is in addition to an alert that the root user receives in AWS Personal Health Dashboard. By default, this is set to false.
+	DisableEmailNotification *bool `json:"disableEmailNotification,omitempty" tf:"disable_email_notification,omitempty"`
+
 	DisabledReason *string `json:"disabledReason,omitempty" tf:"disabled_reason,omitempty"`
 
+	// Email address for the account.
+	EmailAddress *string `json:"emailAddress,omitempty" tf:"email_address,omitempty"`
+
+	// ARN of the behavior graph to invite the member accounts to contribute their data to.
+	GraphArn *string `json:"graphArn,omitempty" tf:"graph_arn,omitempty"`
+
 	// Unique identifier (ID) of the Detective.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Date and time, in UTC and extended RFC 3339 format, when an Amazon Detective membership invitation was last sent to the account.
 	InvitedTime *string `json:"invitedTime,omitempty" tf:"invited_time,omitempty"`
 
+	// A custom message to include in the invitation. Amazon Detective adds this message to the standard content that it sends for an invitation.
+	Message *string `json:"message,omitempty" tf:"message,omitempty"`
+
 	// Current membership status of the member account.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
@@ -39,16 +54,16 @@ type MemberObservation struct {
 type MemberParameters struct {
 
 	// AWS account ID for the account.
-	// +kubebuilder:validation:Required
-	AccountID *string `json:"accountId" tf:"account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// If set to true, then the root user of the invited account will not receive an email notification. This notification is in addition to an alert that the root user receives in AWS Personal Health Dashboard. By default, this is set to false.
 	// +kubebuilder:validation:Optional
 	DisableEmailNotification *bool `json:"disableEmailNotification,omitempty" tf:"disable_email_notification,omitempty"`
 
 	// Email address for the account.
-	// +kubebuilder:validation:Required
-	EmailAddress *string `json:"emailAddress" tf:"email_address,omitempty"`
+	// +kubebuilder:validation:Optional
+	EmailAddress *string `json:"emailAddress,omitempty" tf:"email_address,omitempty"`
 
 	// ARN of the behavior graph to invite the member accounts to contribute their data to.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/detective/v1beta1.Graph
@@ -98,8 +113,10 @@ type MemberStatus struct {
 type Member struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MemberSpec   `json:"spec"`
-	Status            MemberStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)",message="accountId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.emailAddress)",message="emailAddress is a required parameter"
+	Spec   MemberSpec   `json:"spec"`
+	Status MemberStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/devicefarm/v1beta1/zz_devicepool_types.go b/apis/devicefarm/v1beta1/zz_devicepool_types.go
index c0c1c8a1c0..fc54e1b61a 100755
--- a/apis/devicefarm/v1beta1/zz_devicepool_types.go
+++ b/apis/devicefarm/v1beta1/zz_devicepool_types.go
@@ -18,8 +18,26 @@ type DevicePoolObservation struct {
 	// The Amazon Resource Name of this Device Pool
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The device pool's description.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The number of devices that Device Farm can add to your device pool.
+	MaxDevices *float64 `json:"maxDevices,omitempty" tf:"max_devices,omitempty"`
+
+	// The name of the Device Pool
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ARN of the project for the device pool.
+	ProjectArn *string `json:"projectArn,omitempty" tf:"project_arn,omitempty"`
+
+	// The device pool's rules. See Rule.
+	Rule []RuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -37,8 +55,8 @@ type DevicePoolParameters struct {
 	MaxDevices *float64 `json:"maxDevices,omitempty" tf:"max_devices,omitempty"`
 
 	// The name of the Device Pool
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The ARN of the project for the device pool.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/devicefarm/v1beta1.Project
@@ -60,8 +78,8 @@ type DevicePoolParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The device pool's rules. See Rule.
-	// +kubebuilder:validation:Required
-	Rule []RuleParameters `json:"rule" tf:"rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Rule []RuleParameters `json:"rule,omitempty" tf:"rule,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -69,6 +87,15 @@ type DevicePoolParameters struct {
 }
 
 type RuleObservation struct {
+
+	// The rule's stringified attribute. Valid values are: APPIUM_VERSION, ARN, AVAILABILITY, FLEET_TYPE, FORM_FACTOR, INSTANCE_ARN, INSTANCE_LABELS, MANUFACTURER, MODEL, OS_VERSION, PLATFORM, REMOTE_ACCESS_ENABLED, REMOTE_DEBUG_ENABLED.
+	Attribute *string `json:"attribute,omitempty" tf:"attribute,omitempty"`
+
+	// Specifies how Device Farm compares the rule's attribute to the value. For the operators that are supported by each attribute. Valid values are: EQUALS, NOT_IN, IN, GREATER_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS, CONTAINS.
+	Operator *string `json:"operator,omitempty" tf:"operator,omitempty"`
+
+	// The rule's value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type RuleParameters struct {
@@ -110,8 +137,10 @@ type DevicePoolStatus struct {
 type DevicePool struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DevicePoolSpec   `json:"spec"`
-	Status            DevicePoolStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)",message="rule is a required parameter"
+	Spec   DevicePoolSpec   `json:"spec"`
+	Status DevicePoolStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/devicefarm/v1beta1/zz_generated.deepcopy.go b/apis/devicefarm/v1beta1/zz_generated.deepcopy.go
index 840c8b10f6..cc5a8eca3c 100644
--- a/apis/devicefarm/v1beta1/zz_generated.deepcopy.go
+++ b/apis/devicefarm/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,53 @@ func (in *DevicePoolObservation) DeepCopyInto(out *DevicePoolObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxDevices != nil {
+		in, out := &in.MaxDevices, &out.MaxDevices
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProjectArn != nil {
+		in, out := &in.ProjectArn, &out.ProjectArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]RuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -291,11 +333,57 @@ func (in *InstanceProfileObservation) DeepCopyInto(out *InstanceProfileObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExcludeAppPackagesFromCleanup != nil {
+		in, out := &in.ExcludeAppPackagesFromCleanup, &out.ExcludeAppPackagesFromCleanup
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PackageCleanup != nil {
+		in, out := &in.PackageCleanup, &out.PackageCleanup
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RebootAfterUse != nil {
+		in, out := &in.RebootAfterUse, &out.RebootAfterUse
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -490,11 +578,61 @@ func (in *NetworkProfileObservation) DeepCopyInto(out *NetworkProfileObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DownlinkBandwidthBits != nil {
+		in, out := &in.DownlinkBandwidthBits, &out.DownlinkBandwidthBits
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DownlinkDelayMs != nil {
+		in, out := &in.DownlinkDelayMs, &out.DownlinkDelayMs
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DownlinkJitterMs != nil {
+		in, out := &in.DownlinkJitterMs, &out.DownlinkJitterMs
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DownlinkLossPercent != nil {
+		in, out := &in.DownlinkLossPercent, &out.DownlinkLossPercent
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProjectArn != nil {
+		in, out := &in.ProjectArn, &out.ProjectArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -510,6 +648,31 @@ func (in *NetworkProfileObservation) DeepCopyInto(out *NetworkProfileObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.UplinkBandwidthBits != nil {
+		in, out := &in.UplinkBandwidthBits, &out.UplinkBandwidthBits
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UplinkDelayMs != nil {
+		in, out := &in.UplinkDelayMs, &out.UplinkDelayMs
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UplinkJitterMs != nil {
+		in, out := &in.UplinkJitterMs, &out.UplinkJitterMs
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UplinkLossPercent != nil {
+		in, out := &in.UplinkLossPercent, &out.UplinkLossPercent
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkProfileObservation.
@@ -728,11 +891,36 @@ func (in *ProjectObservation) DeepCopyInto(out *ProjectObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultJobTimeoutMinutes != nil {
+		in, out := &in.DefaultJobTimeoutMinutes, &out.DefaultJobTimeoutMinutes
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -842,6 +1030,21 @@ func (in *ProjectStatus) DeepCopy() *ProjectStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
 	*out = *in
+	if in.Attribute != nil {
+		in, out := &in.Attribute, &out.Attribute
+		*out = new(string)
+		**out = **in
+	}
+	if in.Operator != nil {
+		in, out := &in.Operator, &out.Operator
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleObservation.
@@ -951,11 +1154,36 @@ func (in *TestGridProjectObservation) DeepCopyInto(out *TestGridProjectObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -971,6 +1199,13 @@ func (in *TestGridProjectObservation) DeepCopyInto(out *TestGridProjectObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCConfig != nil {
+		in, out := &in.VPCConfig, &out.VPCConfig
+		*out = make([]VPCConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TestGridProjectObservation.
@@ -1141,6 +1376,11 @@ func (in *UploadObservation) DeepCopyInto(out *UploadObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1151,6 +1391,21 @@ func (in *UploadObservation) DeepCopyInto(out *UploadObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProjectArn != nil {
+		in, out := &in.ProjectArn, &out.ProjectArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 	if in.URL != nil {
 		in, out := &in.URL, &out.URL
 		*out = new(string)
@@ -1255,6 +1510,33 @@ func (in *UploadStatus) DeepCopy() *UploadStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigObservation) DeepCopyInto(out *VPCConfigObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCConfigObservation.
diff --git a/apis/devicefarm/v1beta1/zz_instanceprofile_types.go b/apis/devicefarm/v1beta1/zz_instanceprofile_types.go
index 7eaad68ca1..b579cd5de0 100755
--- a/apis/devicefarm/v1beta1/zz_instanceprofile_types.go
+++ b/apis/devicefarm/v1beta1/zz_instanceprofile_types.go
@@ -18,8 +18,26 @@ type InstanceProfileObservation struct {
 	// The Amazon Resource Name of this instance profile.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the instance profile.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// An array of strings that specifies the list of app packages that should not be cleaned up from the device after a test run.
+	ExcludeAppPackagesFromCleanup []*string `json:"excludeAppPackagesFromCleanup,omitempty" tf:"exclude_app_packages_from_cleanup,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name for the instance profile.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// When set to true, Device Farm removes app packages after a test run. The default value is false for private devices.
+	PackageCleanup *bool `json:"packageCleanup,omitempty" tf:"package_cleanup,omitempty"`
+
+	// When set to true, Device Farm reboots the instance after a test run. The default value is true.
+	RebootAfterUse *bool `json:"rebootAfterUse,omitempty" tf:"reboot_after_use,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,8 +53,8 @@ type InstanceProfileParameters struct {
 	ExcludeAppPackagesFromCleanup []*string `json:"excludeAppPackagesFromCleanup,omitempty" tf:"exclude_app_packages_from_cleanup,omitempty"`
 
 	// The name for the instance profile.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// When set to true, Device Farm removes app packages after a test run. The default value is false for private devices.
 	// +kubebuilder:validation:Optional
@@ -80,8 +98,9 @@ type InstanceProfileStatus struct {
 type InstanceProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstanceProfileSpec   `json:"spec"`
-	Status            InstanceProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   InstanceProfileSpec   `json:"spec"`
+	Status InstanceProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/devicefarm/v1beta1/zz_networkprofile_types.go b/apis/devicefarm/v1beta1/zz_networkprofile_types.go
index 6891cb912d..a75f3b72a4 100755
--- a/apis/devicefarm/v1beta1/zz_networkprofile_types.go
+++ b/apis/devicefarm/v1beta1/zz_networkprofile_types.go
@@ -18,10 +18,49 @@ type NetworkProfileObservation struct {
 	// The Amazon Resource Name of this network profile.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the network profile.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The data throughput rate in bits per second, as an integer from 0 to 104857600. Default value is 104857600.
+	DownlinkBandwidthBits *float64 `json:"downlinkBandwidthBits,omitempty" tf:"downlink_bandwidth_bits,omitempty"`
+
+	// Delay time for all packets to destination in milliseconds as an integer from 0 to 2000.
+	DownlinkDelayMs *float64 `json:"downlinkDelayMs,omitempty" tf:"downlink_delay_ms,omitempty"`
+
+	// Time variation in the delay of received packets in milliseconds as an integer from 0 to 2000.
+	DownlinkJitterMs *float64 `json:"downlinkJitterMs,omitempty" tf:"downlink_jitter_ms,omitempty"`
+
+	// Proportion of received packets that fail to arrive from 0 to 100 percent.
+	DownlinkLossPercent *float64 `json:"downlinkLossPercent,omitempty" tf:"downlink_loss_percent,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name for the network profile.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ARN of the project for the network profile.
+	ProjectArn *string `json:"projectArn,omitempty" tf:"project_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The type of network profile to create. Valid values are listed are PRIVATE and CURATED.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The data throughput rate in bits per second, as an integer from 0 to 104857600. Default value is 104857600.
+	UplinkBandwidthBits *float64 `json:"uplinkBandwidthBits,omitempty" tf:"uplink_bandwidth_bits,omitempty"`
+
+	// Delay time for all packets to destination in milliseconds as an integer from 0 to 2000.
+	UplinkDelayMs *float64 `json:"uplinkDelayMs,omitempty" tf:"uplink_delay_ms,omitempty"`
+
+	// Time variation in the delay of received packets in milliseconds as an integer from 0 to 2000.
+	UplinkJitterMs *float64 `json:"uplinkJitterMs,omitempty" tf:"uplink_jitter_ms,omitempty"`
+
+	// Proportion of received packets that fail to arrive from 0 to 100 percent.
+	UplinkLossPercent *float64 `json:"uplinkLossPercent,omitempty" tf:"uplink_loss_percent,omitempty"`
 }
 
 type NetworkProfileParameters struct {
@@ -47,8 +86,8 @@ type NetworkProfileParameters struct {
 	DownlinkLossPercent *float64 `json:"downlinkLossPercent,omitempty" tf:"downlink_loss_percent,omitempty"`
 
 	// The name for the network profile.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The ARN of the project for the network profile.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/devicefarm/v1beta1.Project
@@ -118,8 +157,9 @@ type NetworkProfileStatus struct {
 type NetworkProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NetworkProfileSpec   `json:"spec"`
-	Status            NetworkProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   NetworkProfileSpec   `json:"spec"`
+	Status NetworkProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/devicefarm/v1beta1/zz_project_types.go b/apis/devicefarm/v1beta1/zz_project_types.go
index d53a6b050f..e07532a674 100755
--- a/apis/devicefarm/v1beta1/zz_project_types.go
+++ b/apis/devicefarm/v1beta1/zz_project_types.go
@@ -18,8 +18,17 @@ type ProjectObservation struct {
 	// The Amazon Resource Name of this project
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Sets the execution timeout value (in minutes) for a project. All test runs in this project use the specified execution timeout value unless overridden when scheduling a run.
+	DefaultJobTimeoutMinutes *float64 `json:"defaultJobTimeoutMinutes,omitempty" tf:"default_job_timeout_minutes,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the project
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -31,8 +40,8 @@ type ProjectParameters struct {
 	DefaultJobTimeoutMinutes *float64 `json:"defaultJobTimeoutMinutes,omitempty" tf:"default_job_timeout_minutes,omitempty"`
 
 	// The name of the project
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -68,8 +77,9 @@ type ProjectStatus struct {
 type Project struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProjectSpec   `json:"spec"`
-	Status            ProjectStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ProjectSpec   `json:"spec"`
+	Status ProjectStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/devicefarm/v1beta1/zz_testgridproject_types.go b/apis/devicefarm/v1beta1/zz_testgridproject_types.go
index c548f4b390..2f613d3a33 100755
--- a/apis/devicefarm/v1beta1/zz_testgridproject_types.go
+++ b/apis/devicefarm/v1beta1/zz_testgridproject_types.go
@@ -18,10 +18,22 @@ type TestGridProjectObservation struct {
 	// The Amazon Resource Name of this Test Grid Project.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Human-readable description of the project.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the Selenium testing project.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VPC security groups and subnets that are attached to a project. See VPC Config below.
+	VPCConfig []VPCConfigObservation `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
 }
 
 type TestGridProjectParameters struct {
@@ -31,8 +43,8 @@ type TestGridProjectParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the Selenium testing project.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -49,6 +61,15 @@ type TestGridProjectParameters struct {
 }
 
 type VPCConfigObservation struct {
+
+	// A list of VPC security group IDs in your Amazon VPC.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// A list of VPC subnet IDs in your Amazon VPC.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// The ID of the Amazon VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCConfigParameters struct {
@@ -122,8 +143,9 @@ type TestGridProjectStatus struct {
 type TestGridProject struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TestGridProjectSpec   `json:"spec"`
-	Status            TestGridProjectStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   TestGridProjectSpec   `json:"spec"`
+	Status TestGridProjectStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/devicefarm/v1beta1/zz_upload_types.go b/apis/devicefarm/v1beta1/zz_upload_types.go
index 13bbdc241b..c1d04ec559 100755
--- a/apis/devicefarm/v1beta1/zz_upload_types.go
+++ b/apis/devicefarm/v1beta1/zz_upload_types.go
@@ -21,11 +21,23 @@ type UploadObservation struct {
 	// The upload's category.
 	Category *string `json:"category,omitempty" tf:"category,omitempty"`
 
+	// The upload's content type (for example, application/octet-stream).
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The upload's metadata. For example, for Android, this contains information that is parsed from the manifest and is displayed in the AWS Device Farm console after the associated app is uploaded.
 	Metadata *string `json:"metadata,omitempty" tf:"metadata,omitempty"`
 
+	// The upload's file name. The name should not contain any forward slashes (/). If you are uploading an iOS app, the file name must end with the .ipa extension. If you are uploading an Android app, the file name must end with the .apk extension. For all others, the file name must end with the .zip file extension.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ARN of the project for the upload.
+	ProjectArn *string `json:"projectArn,omitempty" tf:"project_arn,omitempty"`
+
+	// The upload's upload type. See AWS Docs for valid list of values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
 	// The presigned Amazon S3 URL that was used to store a file using a PUT request.
 	URL *string `json:"url,omitempty" tf:"url,omitempty"`
 }
@@ -37,8 +49,8 @@ type UploadParameters struct {
 	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
 
 	// The upload's file name. The name should not contain any forward slashes (/). If you are uploading an iOS app, the file name must end with the .ipa extension. If you are uploading an Android app, the file name must end with the .apk extension. For all others, the file name must end with the .zip file extension.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The ARN of the project for the upload.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/devicefarm/v1beta1.Project
@@ -60,8 +72,8 @@ type UploadParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The upload's upload type. See AWS Docs for valid list of values.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // UploadSpec defines the desired state of Upload
@@ -88,8 +100,10 @@ type UploadStatus struct {
 type Upload struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UploadSpec   `json:"spec"`
-	Status            UploadStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   UploadSpec   `json:"spec"`
+	Status UploadStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_bgppeer_types.go b/apis/directconnect/v1beta1/zz_bgppeer_types.go
index 761b74b5ed..5536fda565 100755
--- a/apis/directconnect/v1beta1/zz_bgppeer_types.go
+++ b/apis/directconnect/v1beta1/zz_bgppeer_types.go
@@ -15,24 +15,44 @@ import (
 
 type BGPPeerObservation struct {
 
+	// The address family for the BGP peer. ipv4  or ipv6.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// The IPv4 CIDR address to use to send traffic to Amazon.
+	// Required for IPv4 BGP peers on public virtual interfaces.
+	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
+
 	// The Direct Connect endpoint on which the BGP peer terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The authentication key for BGP configuration.
+	BGPAuthKey *string `json:"bgpAuthKey,omitempty" tf:"bgp_auth_key,omitempty"`
+
 	// The ID of the BGP peer.
 	BGPPeerID *string `json:"bgpPeerId,omitempty" tf:"bgp_peer_id,omitempty"`
 
 	// The Up/Down state of the BGP peer.
 	BGPStatus *string `json:"bgpStatus,omitempty" tf:"bgp_status,omitempty"`
 
+	// The IPv4 CIDR destination address to which Amazon should send traffic.
+	// Required for IPv4 BGP peers on public virtual interfaces.
+	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
+
 	// The ID of the BGP peer resource.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the Direct Connect virtual interface on which to create the BGP peer.
+	VirtualInterfaceID *string `json:"virtualInterfaceId,omitempty" tf:"virtual_interface_id,omitempty"`
 }
 
 type BGPPeerParameters struct {
 
 	// The address family for the BGP peer. ipv4  or ipv6.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// The IPv4 CIDR address to use to send traffic to Amazon.
 	// Required for IPv4 BGP peers on public virtual interfaces.
@@ -40,8 +60,8 @@ type BGPPeerParameters struct {
 	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
 
 	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
-	// +kubebuilder:validation:Required
-	BGPAsn *float64 `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The authentication key for BGP configuration.
 	// +kubebuilder:validation:Optional
@@ -96,8 +116,10 @@ type BGPPeerStatus struct {
 type BGPPeer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BGPPeerSpec   `json:"spec"`
-	Status            BGPPeerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	Spec   BGPPeerSpec   `json:"spec"`
+	Status BGPPeerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_connection_types.go b/apis/directconnect/v1beta1/zz_connection_types.go
index 5e1d30aa5b..0a1d94eaa2 100755
--- a/apis/directconnect/v1beta1/zz_connection_types.go
+++ b/apis/directconnect/v1beta1/zz_connection_types.go
@@ -21,6 +21,12 @@ type ConnectionObservation struct {
 	// The Direct Connect endpoint on which the physical connection terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The bandwidth of the connection. Valid values for dedicated connections: 1Gbps, 10Gbps. Valid values for hosted connections: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps. Case sensitive.
+	Bandwidth *string `json:"bandwidth,omitempty" tf:"bandwidth,omitempty"`
+
+	// The connection MAC Security (MACsec) encryption mode. MAC Security (MACsec) is only available on dedicated connections. Valid values are no_encrypt, should_encrypt, and must_encrypt.
+	EncryptionMode *string `json:"encryptionMode,omitempty" tf:"encryption_mode,omitempty"`
+
 	// Indicates whether the connection supports a secondary BGP peer in the same address family (IPv4/IPv6).
 	HasLogicalRedundancy *string `json:"hasLogicalRedundancy,omitempty" tf:"has_logical_redundancy,omitempty"`
 
@@ -30,15 +36,32 @@ type ConnectionObservation struct {
 	// Boolean value representing if jumbo frames have been enabled for this connection.
 	JumboFrameCapable *bool `json:"jumboFrameCapable,omitempty" tf:"jumbo_frame_capable,omitempty"`
 
+	// The AWS Direct Connect location where the connection is located. See DescribeLocations for the list of AWS Direct Connect locations. Use locationCode.
+	Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
 	// Boolean value indicating whether the connection supports MAC Security (MACsec).
 	MacsecCapable *bool `json:"macsecCapable,omitempty" tf:"macsec_capable,omitempty"`
 
+	// The name of the connection.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The ID of the AWS account that owns the connection.
 	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
 	// The MAC Security (MACsec) port link status of the connection.
 	PortEncryptionStatus *string `json:"portEncryptionStatus,omitempty" tf:"port_encryption_status,omitempty"`
 
+	// The name of the service provider associated with the connection.
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
+
+	// Boolean value indicating whether you want the connection to support MAC Security (MACsec). MAC Security (MACsec) is only available on dedicated connections. See MACsec prerequisites for more information about MAC Security (MACsec) prerequisites. Default value: false.
+	RequestMacsec *bool `json:"requestMacsec,omitempty" tf:"request_macsec,omitempty"`
+
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -49,20 +72,20 @@ type ConnectionObservation struct {
 type ConnectionParameters struct {
 
 	// The bandwidth of the connection. Valid values for dedicated connections: 1Gbps, 10Gbps. Valid values for hosted connections: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps. Case sensitive.
-	// +kubebuilder:validation:Required
-	Bandwidth *string `json:"bandwidth" tf:"bandwidth,omitempty"`
+	// +kubebuilder:validation:Optional
+	Bandwidth *string `json:"bandwidth,omitempty" tf:"bandwidth,omitempty"`
 
 	// The connection MAC Security (MACsec) encryption mode. MAC Security (MACsec) is only available on dedicated connections. Valid values are no_encrypt, should_encrypt, and must_encrypt.
 	// +kubebuilder:validation:Optional
 	EncryptionMode *string `json:"encryptionMode,omitempty" tf:"encryption_mode,omitempty"`
 
 	// The AWS Direct Connect location where the connection is located. See DescribeLocations for the list of AWS Direct Connect locations. Use locationCode.
-	// +kubebuilder:validation:Required
-	Location *string `json:"location" tf:"location,omitempty"`
+	// +kubebuilder:validation:Optional
+	Location *string `json:"location,omitempty" tf:"location,omitempty"`
 
 	// The name of the connection.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The name of the service provider associated with the connection.
 	// +kubebuilder:validation:Optional
@@ -109,8 +132,11 @@ type ConnectionStatus struct {
 type Connection struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConnectionSpec   `json:"spec"`
-	Status            ConnectionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bandwidth)",message="bandwidth is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.location)",message="location is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ConnectionSpec   `json:"spec"`
+	Status ConnectionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_connectionassociation_types.go b/apis/directconnect/v1beta1/zz_connectionassociation_types.go
index 2c680d77ef..2d968c98a1 100755
--- a/apis/directconnect/v1beta1/zz_connectionassociation_types.go
+++ b/apis/directconnect/v1beta1/zz_connectionassociation_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type ConnectionAssociationObservation struct {
+
+	// The ID of the connection.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the LAG with which to associate the connection.
+	LagID *string `json:"lagId,omitempty" tf:"lag_id,omitempty"`
 }
 
 type ConnectionAssociationParameters struct {
diff --git a/apis/directconnect/v1beta1/zz_gateway_types.go b/apis/directconnect/v1beta1/zz_gateway_types.go
index 4943434ce3..a76777b84d 100755
--- a/apis/directconnect/v1beta1/zz_gateway_types.go
+++ b/apis/directconnect/v1beta1/zz_gateway_types.go
@@ -15,9 +15,15 @@ import (
 
 type GatewayObservation struct {
 
+	// The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294.
+	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
+
 	// The ID of the gateway.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the connection.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// AWS Account ID of the gateway.
 	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 }
@@ -25,12 +31,12 @@ type GatewayObservation struct {
 type GatewayParameters struct {
 
 	// The ASN to be configured on the Amazon side of the connection. The ASN must be in the private range of 64,512 to 65,534 or 4,200,000,000 to 4,294,967,294.
-	// +kubebuilder:validation:Required
-	AmazonSideAsn *string `json:"amazonSideAsn" tf:"amazon_side_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
 
 	// The name of the connection.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -62,8 +68,10 @@ type GatewayStatus struct {
 type Gateway struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GatewaySpec   `json:"spec"`
-	Status            GatewayStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.amazonSideAsn)",message="amazonSideAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   GatewaySpec   `json:"spec"`
+	Status GatewayStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_gatewayassociation_types.go b/apis/directconnect/v1beta1/zz_gatewayassociation_types.go
index 720793d688..2a07e9247e 100755
--- a/apis/directconnect/v1beta1/zz_gatewayassociation_types.go
+++ b/apis/directconnect/v1beta1/zz_gatewayassociation_types.go
@@ -15,17 +15,38 @@ import (
 
 type GatewayAssociationObservation struct {
 
+	// VPC prefixes (CIDRs) to advertise to the Direct Connect gateway. Defaults to the CIDR block of the VPC associated with the Virtual Gateway. To enable drift detection, must be configured.
+	AllowedPrefixes []*string `json:"allowedPrefixes,omitempty" tf:"allowed_prefixes,omitempty"`
+
+	// The ID of the VGW or transit gateway with which to associate the Direct Connect gateway.
+	// Used for single account Direct Connect gateway associations.
+	AssociatedGatewayID *string `json:"associatedGatewayId,omitempty" tf:"associated_gateway_id,omitempty"`
+
+	// The ID of the AWS account that owns the VGW or transit gateway with which to associate the Direct Connect gateway.
+	// Used for cross-account Direct Connect gateway associations.
+	AssociatedGatewayOwnerAccountID *string `json:"associatedGatewayOwnerAccountId,omitempty" tf:"associated_gateway_owner_account_id,omitempty"`
+
 	// The type of the associated gateway, transitGateway or virtualPrivateGateway.
 	AssociatedGatewayType *string `json:"associatedGatewayType,omitempty" tf:"associated_gateway_type,omitempty"`
 
 	// The ID of the Direct Connect gateway association.
 	DxGatewayAssociationID *string `json:"dxGatewayAssociationId,omitempty" tf:"dx_gateway_association_id,omitempty"`
 
+	// The ID of the Direct Connect gateway.
+	DxGatewayID *string `json:"dxGatewayId,omitempty" tf:"dx_gateway_id,omitempty"`
+
 	// The ID of the AWS account that owns the Direct Connect gateway.
 	DxGatewayOwnerAccountID *string `json:"dxGatewayOwnerAccountId,omitempty" tf:"dx_gateway_owner_account_id,omitempty"`
 
 	// The ID of the Direct Connect gateway association resource.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the Direct Connect gateway association proposal.
+	// Used for cross-account Direct Connect gateway associations.
+	ProposalID *string `json:"proposalId,omitempty" tf:"proposal_id,omitempty"`
+
+	// The ID of the Direct Connect gateway association resource.
+	VPNGatewayID *string `json:"vpnGatewayId,omitempty" tf:"vpn_gateway_id,omitempty"`
 }
 
 type GatewayAssociationParameters struct {
diff --git a/apis/directconnect/v1beta1/zz_gatewayassociationproposal_types.go b/apis/directconnect/v1beta1/zz_gatewayassociationproposal_types.go
index 46b3704c62..98ff3db720 100755
--- a/apis/directconnect/v1beta1/zz_gatewayassociationproposal_types.go
+++ b/apis/directconnect/v1beta1/zz_gatewayassociationproposal_types.go
@@ -15,12 +15,24 @@ import (
 
 type GatewayAssociationProposalObservation struct {
 
+	// VPC prefixes (CIDRs) to advertise to the Direct Connect gateway. Defaults to the CIDR block of the VPC associated with the Virtual Gateway. To enable drift detection, must be configured.
+	AllowedPrefixes []*string `json:"allowedPrefixes,omitempty" tf:"allowed_prefixes,omitempty"`
+
+	// The ID of the VGW or transit gateway with which to associate the Direct Connect gateway.
+	AssociatedGatewayID *string `json:"associatedGatewayId,omitempty" tf:"associated_gateway_id,omitempty"`
+
 	// The ID of the AWS account that owns the VGW or transit gateway with which to associate the Direct Connect gateway.
 	AssociatedGatewayOwnerAccountID *string `json:"associatedGatewayOwnerAccountId,omitempty" tf:"associated_gateway_owner_account_id,omitempty"`
 
 	// The type of the associated gateway, transitGateway or virtualPrivateGateway.
 	AssociatedGatewayType *string `json:"associatedGatewayType,omitempty" tf:"associated_gateway_type,omitempty"`
 
+	// Direct Connect Gateway identifier.
+	DxGatewayID *string `json:"dxGatewayId,omitempty" tf:"dx_gateway_id,omitempty"`
+
+	// AWS Account identifier of the Direct Connect Gateway's owner.
+	DxGatewayOwnerAccountID *string `json:"dxGatewayOwnerAccountId,omitempty" tf:"dx_gateway_owner_account_id,omitempty"`
+
 	// Direct Connect Gateway Association Proposal identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
diff --git a/apis/directconnect/v1beta1/zz_generated.deepcopy.go b/apis/directconnect/v1beta1/zz_generated.deepcopy.go
index 1804edce14..ea9ed4fb56 100644
--- a/apis/directconnect/v1beta1/zz_generated.deepcopy.go
+++ b/apis/directconnect/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,31 @@ func (in *BGPPeerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BGPPeerObservation) DeepCopyInto(out *BGPPeerObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AmazonAddress != nil {
+		in, out := &in.AmazonAddress, &out.AmazonAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.AwsDevice != nil {
 		in, out := &in.AwsDevice, &out.AwsDevice
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BGPAuthKey != nil {
+		in, out := &in.BGPAuthKey, &out.BGPAuthKey
+		*out = new(string)
+		**out = **in
+	}
 	if in.BGPPeerID != nil {
 		in, out := &in.BGPPeerID, &out.BGPPeerID
 		*out = new(string)
@@ -91,11 +111,21 @@ func (in *BGPPeerObservation) DeepCopyInto(out *BGPPeerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomerAddress != nil {
+		in, out := &in.CustomerAddress, &out.CustomerAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VirtualInterfaceID != nil {
+		in, out := &in.VirtualInterfaceID, &out.VirtualInterfaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BGPPeerObservation.
@@ -291,11 +321,21 @@ func (in *ConnectionAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionAssociationObservation) DeepCopyInto(out *ConnectionAssociationObservation) {
 	*out = *in
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LagID != nil {
+		in, out := &in.LagID, &out.LagID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionAssociationObservation.
@@ -437,6 +477,16 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Bandwidth != nil {
+		in, out := &in.Bandwidth, &out.Bandwidth
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionMode != nil {
+		in, out := &in.EncryptionMode, &out.EncryptionMode
+		*out = new(string)
+		**out = **in
+	}
 	if in.HasLogicalRedundancy != nil {
 		in, out := &in.HasLogicalRedundancy, &out.HasLogicalRedundancy
 		*out = new(string)
@@ -452,11 +502,21 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = new(string)
+		**out = **in
+	}
 	if in.MacsecCapable != nil {
 		in, out := &in.MacsecCapable, &out.MacsecCapable
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerAccountID != nil {
 		in, out := &in.OwnerAccountID, &out.OwnerAccountID
 		*out = new(string)
@@ -467,6 +527,36 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProviderName != nil {
+		in, out := &in.ProviderName, &out.ProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequestMacsec != nil {
+		in, out := &in.RequestMacsec, &out.RequestMacsec
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -692,6 +782,27 @@ func (in *GatewayAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayAssociationObservation) DeepCopyInto(out *GatewayAssociationObservation) {
 	*out = *in
+	if in.AllowedPrefixes != nil {
+		in, out := &in.AllowedPrefixes, &out.AllowedPrefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AssociatedGatewayID != nil {
+		in, out := &in.AssociatedGatewayID, &out.AssociatedGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AssociatedGatewayOwnerAccountID != nil {
+		in, out := &in.AssociatedGatewayOwnerAccountID, &out.AssociatedGatewayOwnerAccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.AssociatedGatewayType != nil {
 		in, out := &in.AssociatedGatewayType, &out.AssociatedGatewayType
 		*out = new(string)
@@ -702,6 +813,11 @@ func (in *GatewayAssociationObservation) DeepCopyInto(out *GatewayAssociationObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.DxGatewayID != nil {
+		in, out := &in.DxGatewayID, &out.DxGatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.DxGatewayOwnerAccountID != nil {
 		in, out := &in.DxGatewayOwnerAccountID, &out.DxGatewayOwnerAccountID
 		*out = new(string)
@@ -712,6 +828,16 @@ func (in *GatewayAssociationObservation) DeepCopyInto(out *GatewayAssociationObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProposalID != nil {
+		in, out := &in.ProposalID, &out.ProposalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPNGatewayID != nil {
+		in, out := &in.VPNGatewayID, &out.VPNGatewayID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GatewayAssociationObservation.
@@ -862,6 +988,22 @@ func (in *GatewayAssociationProposalList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayAssociationProposalObservation) DeepCopyInto(out *GatewayAssociationProposalObservation) {
 	*out = *in
+	if in.AllowedPrefixes != nil {
+		in, out := &in.AllowedPrefixes, &out.AllowedPrefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AssociatedGatewayID != nil {
+		in, out := &in.AssociatedGatewayID, &out.AssociatedGatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.AssociatedGatewayOwnerAccountID != nil {
 		in, out := &in.AssociatedGatewayOwnerAccountID, &out.AssociatedGatewayOwnerAccountID
 		*out = new(string)
@@ -872,6 +1014,16 @@ func (in *GatewayAssociationProposalObservation) DeepCopyInto(out *GatewayAssoci
 		*out = new(string)
 		**out = **in
 	}
+	if in.DxGatewayID != nil {
+		in, out := &in.DxGatewayID, &out.DxGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DxGatewayOwnerAccountID != nil {
+		in, out := &in.DxGatewayOwnerAccountID, &out.DxGatewayOwnerAccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1068,11 +1220,21 @@ func (in *GatewayList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayObservation) DeepCopyInto(out *GatewayObservation) {
 	*out = *in
+	if in.AmazonSideAsn != nil {
+		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerAccountID != nil {
 		in, out := &in.OwnerAccountID, &out.OwnerAccountID
 		*out = new(string)
@@ -1248,11 +1410,31 @@ func (in *HostedPrivateVirtualInterfaceAccepterObservation) DeepCopyInto(out *Ho
 		*out = new(string)
 		**out = **in
 	}
+	if in.DxGatewayID != nil {
+		in, out := &in.DxGatewayID, &out.DxGatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1268,6 +1450,16 @@ func (in *HostedPrivateVirtualInterfaceAccepterObservation) DeepCopyInto(out *Ho
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPNGatewayID != nil {
+		in, out := &in.VPNGatewayID, &out.VPNGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VirtualInterfaceID != nil {
+		in, out := &in.VirtualInterfaceID, &out.VirtualInterfaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedPrivateVirtualInterfaceAccepterObservation.
@@ -1419,6 +1611,16 @@ func (in *HostedPrivateVirtualInterfaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostedPrivateVirtualInterfaceObservation) DeepCopyInto(out *HostedPrivateVirtualInterfaceObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AmazonAddress != nil {
+		in, out := &in.AmazonAddress, &out.AmazonAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.AmazonSideAsn != nil {
 		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
 		*out = new(string)
@@ -1434,6 +1636,26 @@ func (in *HostedPrivateVirtualInterfaceObservation) DeepCopyInto(out *HostedPriv
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BGPAuthKey != nil {
+		in, out := &in.BGPAuthKey, &out.BGPAuthKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerAddress != nil {
+		in, out := &in.CustomerAddress, &out.CustomerAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1444,6 +1666,26 @@ func (in *HostedPrivateVirtualInterfaceObservation) DeepCopyInto(out *HostedPriv
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Mtu != nil {
+		in, out := &in.Mtu, &out.Mtu
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OwnerAccountID != nil {
+		in, out := &in.OwnerAccountID, &out.OwnerAccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Vlan != nil {
+		in, out := &in.Vlan, &out.Vlan
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedPrivateVirtualInterfaceObservation.
@@ -1669,8 +1911,8 @@ func (in *HostedPublicVirtualInterfaceAccepterObservation) DeepCopyInto(out *Hos
 		*out = new(string)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
 		*out = make(map[string]*string, len(*in))
 		for key, val := range *in {
 			var outVal *string
@@ -1684,18 +1926,38 @@ func (in *HostedPublicVirtualInterfaceAccepterObservation) DeepCopyInto(out *Hos
 			(*out)[key] = outVal
 		}
 	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VirtualInterfaceID != nil {
+		in, out := &in.VirtualInterfaceID, &out.VirtualInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedPublicVirtualInterfaceAccepterObservation.
+func (in *HostedPublicVirtualInterfaceAccepterObservation) DeepCopy() *HostedPublicVirtualInterfaceAccepterObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(HostedPublicVirtualInterfaceAccepterObservation)
+	in.DeepCopyInto(out)
+	return out
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedPublicVirtualInterfaceAccepterObservation.
-func (in *HostedPublicVirtualInterfaceAccepterObservation) DeepCopy() *HostedPublicVirtualInterfaceAccepterObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(HostedPublicVirtualInterfaceAccepterObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostedPublicVirtualInterfaceAccepterParameters) DeepCopyInto(out *HostedPublicVirtualInterfaceAccepterParameters) {
 	*out = *in
@@ -1815,6 +2077,16 @@ func (in *HostedPublicVirtualInterfaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostedPublicVirtualInterfaceObservation) DeepCopyInto(out *HostedPublicVirtualInterfaceObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AmazonAddress != nil {
+		in, out := &in.AmazonAddress, &out.AmazonAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.AmazonSideAsn != nil {
 		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
 		*out = new(string)
@@ -1830,11 +2102,57 @@ func (in *HostedPublicVirtualInterfaceObservation) DeepCopyInto(out *HostedPubli
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BGPAuthKey != nil {
+		in, out := &in.BGPAuthKey, &out.BGPAuthKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerAddress != nil {
+		in, out := &in.CustomerAddress, &out.CustomerAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OwnerAccountID != nil {
+		in, out := &in.OwnerAccountID, &out.OwnerAccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RouteFilterPrefixes != nil {
+		in, out := &in.RouteFilterPrefixes, &out.RouteFilterPrefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Vlan != nil {
+		in, out := &in.Vlan, &out.Vlan
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedPublicVirtualInterfaceObservation.
@@ -2061,11 +2379,31 @@ func (in *HostedTransitVirtualInterfaceAccepterObservation) DeepCopyInto(out *Ho
 		*out = new(string)
 		**out = **in
 	}
+	if in.DxGatewayID != nil {
+		in, out := &in.DxGatewayID, &out.DxGatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2081,6 +2419,11 @@ func (in *HostedTransitVirtualInterfaceAccepterObservation) DeepCopyInto(out *Ho
 			(*out)[key] = outVal
 		}
 	}
+	if in.VirtualInterfaceID != nil {
+		in, out := &in.VirtualInterfaceID, &out.VirtualInterfaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedTransitVirtualInterfaceAccepterObservation.
@@ -2227,6 +2570,16 @@ func (in *HostedTransitVirtualInterfaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostedTransitVirtualInterfaceObservation) DeepCopyInto(out *HostedTransitVirtualInterfaceObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AmazonAddress != nil {
+		in, out := &in.AmazonAddress, &out.AmazonAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.AmazonSideAsn != nil {
 		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
 		*out = new(string)
@@ -2242,6 +2595,26 @@ func (in *HostedTransitVirtualInterfaceObservation) DeepCopyInto(out *HostedTran
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BGPAuthKey != nil {
+		in, out := &in.BGPAuthKey, &out.BGPAuthKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerAddress != nil {
+		in, out := &in.CustomerAddress, &out.CustomerAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -2252,6 +2625,26 @@ func (in *HostedTransitVirtualInterfaceObservation) DeepCopyInto(out *HostedTran
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Mtu != nil {
+		in, out := &in.Mtu, &out.Mtu
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OwnerAccountID != nil {
+		in, out := &in.OwnerAccountID, &out.OwnerAccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Vlan != nil {
+		in, out := &in.Vlan, &out.Vlan
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedTransitVirtualInterfaceObservation.
@@ -2445,6 +2838,21 @@ func (in *LagObservation) DeepCopyInto(out *LagObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionsBandwidth != nil {
+		in, out := &in.ConnectionsBandwidth, &out.ConnectionsBandwidth
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.HasLogicalRedundancy != nil {
 		in, out := &in.HasLogicalRedundancy, &out.HasLogicalRedundancy
 		*out = new(string)
@@ -2460,11 +2868,41 @@ func (in *LagObservation) DeepCopyInto(out *LagObservation) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerAccountID != nil {
 		in, out := &in.OwnerAccountID, &out.OwnerAccountID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProviderName != nil {
+		in, out := &in.ProviderName, &out.ProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2653,6 +3091,16 @@ func (in *PrivateVirtualInterfaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrivateVirtualInterfaceObservation) DeepCopyInto(out *PrivateVirtualInterfaceObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AmazonAddress != nil {
+		in, out := &in.AmazonAddress, &out.AmazonAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.AmazonSideAsn != nil {
 		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
 		*out = new(string)
@@ -2668,6 +3116,31 @@ func (in *PrivateVirtualInterfaceObservation) DeepCopyInto(out *PrivateVirtualIn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BGPAuthKey != nil {
+		in, out := &in.BGPAuthKey, &out.BGPAuthKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerAddress != nil {
+		in, out := &in.CustomerAddress, &out.CustomerAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.DxGatewayID != nil {
+		in, out := &in.DxGatewayID, &out.DxGatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -2678,6 +3151,36 @@ func (in *PrivateVirtualInterfaceObservation) DeepCopyInto(out *PrivateVirtualIn
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Mtu != nil {
+		in, out := &in.Mtu, &out.Mtu
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SitelinkEnabled != nil {
+		in, out := &in.SitelinkEnabled, &out.SitelinkEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2693,6 +3196,16 @@ func (in *PrivateVirtualInterfaceObservation) DeepCopyInto(out *PrivateVirtualIn
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPNGatewayID != nil {
+		in, out := &in.VPNGatewayID, &out.VPNGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Vlan != nil {
+		in, out := &in.Vlan, &out.Vlan
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivateVirtualInterfaceObservation.
@@ -2916,6 +3429,16 @@ func (in *PublicVirtualInterfaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublicVirtualInterfaceObservation) DeepCopyInto(out *PublicVirtualInterfaceObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AmazonAddress != nil {
+		in, out := &in.AmazonAddress, &out.AmazonAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.AmazonSideAsn != nil {
 		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
 		*out = new(string)
@@ -2931,11 +3454,62 @@ func (in *PublicVirtualInterfaceObservation) DeepCopyInto(out *PublicVirtualInte
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BGPAuthKey != nil {
+		in, out := &in.BGPAuthKey, &out.BGPAuthKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerAddress != nil {
+		in, out := &in.CustomerAddress, &out.CustomerAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RouteFilterPrefixes != nil {
+		in, out := &in.RouteFilterPrefixes, &out.RouteFilterPrefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2951,6 +3525,11 @@ func (in *PublicVirtualInterfaceObservation) DeepCopyInto(out *PublicVirtualInte
 			(*out)[key] = outVal
 		}
 	}
+	if in.Vlan != nil {
+		in, out := &in.Vlan, &out.Vlan
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicVirtualInterfaceObservation.
@@ -3155,6 +3734,16 @@ func (in *TransitVirtualInterfaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitVirtualInterfaceObservation) DeepCopyInto(out *TransitVirtualInterfaceObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AmazonAddress != nil {
+		in, out := &in.AmazonAddress, &out.AmazonAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.AmazonSideAsn != nil {
 		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
 		*out = new(string)
@@ -3170,6 +3759,31 @@ func (in *TransitVirtualInterfaceObservation) DeepCopyInto(out *TransitVirtualIn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BGPAuthKey != nil {
+		in, out := &in.BGPAuthKey, &out.BGPAuthKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionID != nil {
+		in, out := &in.ConnectionID, &out.ConnectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerAddress != nil {
+		in, out := &in.CustomerAddress, &out.CustomerAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.DxGatewayID != nil {
+		in, out := &in.DxGatewayID, &out.DxGatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -3180,6 +3794,36 @@ func (in *TransitVirtualInterfaceObservation) DeepCopyInto(out *TransitVirtualIn
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Mtu != nil {
+		in, out := &in.Mtu, &out.Mtu
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SitelinkEnabled != nil {
+		in, out := &in.SitelinkEnabled, &out.SitelinkEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3195,6 +3839,11 @@ func (in *TransitVirtualInterfaceObservation) DeepCopyInto(out *TransitVirtualIn
 			(*out)[key] = outVal
 		}
 	}
+	if in.Vlan != nil {
+		in, out := &in.Vlan, &out.Vlan
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitVirtualInterfaceObservation.
diff --git a/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterface_types.go b/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterface_types.go
index 4c5e7fd8d5..081de19a25 100755
--- a/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterface_types.go
+++ b/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterface_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type HostedPrivateVirtualInterfaceObservation struct {
+
+	// The address family for the BGP peer. ipv4  or ipv6.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
+	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
+
 	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
 
 	// The ARN of the virtual interface.
@@ -22,26 +29,50 @@ type HostedPrivateVirtualInterfaceObservation struct {
 	// The Direct Connect endpoint on which the virtual interface terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The authentication key for BGP configuration.
+	BGPAuthKey *string `json:"bgpAuthKey,omitempty" tf:"bgp_auth_key,omitempty"`
+
+	// The ID of the Direct Connect connection (or LAG) on which to create the virtual interface.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// The IPv4 CIDR destination address to which Amazon should send traffic. Required for IPv4 BGP peers.
+	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Indicates whether jumbo frames (9001 MTU) are supported.
 	JumboFrameCapable *bool `json:"jumboFrameCapable,omitempty" tf:"jumbo_frame_capable,omitempty"`
+
+	// The maximum transmission unit (MTU) is the size, in bytes, of the largest permissible packet that can be passed over the connection. The MTU of a virtual private interface can be either 1500 or 9001 (jumbo frames). Default is 1500.
+	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
+
+	// The name for the virtual interface.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The AWS account that will own the new virtual interface.
+	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
+
+	// The VLAN ID.
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 type HostedPrivateVirtualInterfaceParameters struct {
 
 	// The address family for the BGP peer. ipv4  or ipv6.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
 	// +kubebuilder:validation:Optional
 	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
 
 	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
-	// +kubebuilder:validation:Required
-	BGPAsn *float64 `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The authentication key for BGP configuration.
 	// +kubebuilder:validation:Optional
@@ -69,12 +100,12 @@ type HostedPrivateVirtualInterfaceParameters struct {
 	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
 
 	// The name for the virtual interface.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The AWS account that will own the new virtual interface.
-	// +kubebuilder:validation:Required
-	OwnerAccountID *string `json:"ownerAccountId" tf:"owner_account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -82,8 +113,8 @@ type HostedPrivateVirtualInterfaceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The VLAN ID.
-	// +kubebuilder:validation:Required
-	Vlan *float64 `json:"vlan" tf:"vlan,omitempty"`
+	// +kubebuilder:validation:Optional
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 // HostedPrivateVirtualInterfaceSpec defines the desired state of HostedPrivateVirtualInterface
@@ -110,8 +141,13 @@ type HostedPrivateVirtualInterfaceStatus struct {
 type HostedPrivateVirtualInterface struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HostedPrivateVirtualInterfaceSpec   `json:"spec"`
-	Status            HostedPrivateVirtualInterfaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerAccountId)",message="ownerAccountId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)",message="vlan is a required parameter"
+	Spec   HostedPrivateVirtualInterfaceSpec   `json:"spec"`
+	Status HostedPrivateVirtualInterfaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterfaceaccepter_types.go b/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterfaceaccepter_types.go
index a6c4098fa2..3a0f657d66 100755
--- a/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterfaceaccepter_types.go
+++ b/apis/directconnect/v1beta1/zz_hostedprivatevirtualinterfaceaccepter_types.go
@@ -18,11 +18,23 @@ type HostedPrivateVirtualInterfaceAccepterObservation struct {
 	// The ARN of the virtual interface.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of the Direct Connect gateway to which to connect the virtual interface.
+	DxGatewayID *string `json:"dxGatewayId,omitempty" tf:"dx_gateway_id,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the virtual private gateway to which to connect the virtual interface.
+	VPNGatewayID *string `json:"vpnGatewayId,omitempty" tf:"vpn_gateway_id,omitempty"`
+
+	// The ID of the Direct Connect virtual interface to accept.
+	VirtualInterfaceID *string `json:"virtualInterfaceId,omitempty" tf:"virtual_interface_id,omitempty"`
 }
 
 type HostedPrivateVirtualInterfaceAccepterParameters struct {
diff --git a/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterface_types.go b/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterface_types.go
index 025a15a16e..d4d033883b 100755
--- a/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterface_types.go
+++ b/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterface_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type HostedPublicVirtualInterfaceObservation struct {
+
+	// The address family for the BGP peer. ipv4  or ipv6.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
+	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
+
 	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
 
 	// The ARN of the virtual interface.
@@ -22,23 +29,47 @@ type HostedPublicVirtualInterfaceObservation struct {
 	// The Direct Connect endpoint on which the virtual interface terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The authentication key for BGP configuration.
+	BGPAuthKey *string `json:"bgpAuthKey,omitempty" tf:"bgp_auth_key,omitempty"`
+
+	// The ID of the Direct Connect connection (or LAG) on which to create the virtual interface.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// The IPv4 CIDR destination address to which Amazon should send traffic. Required for IPv4 BGP peers.
+	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name for the virtual interface.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The AWS account that will own the new virtual interface.
+	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
+
+	// A list of routes to be advertised to the AWS network in this region.
+	RouteFilterPrefixes []*string `json:"routeFilterPrefixes,omitempty" tf:"route_filter_prefixes,omitempty"`
+
+	// The VLAN ID.
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 type HostedPublicVirtualInterfaceParameters struct {
 
 	// The address family for the BGP peer. ipv4  or ipv6.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
 	// +kubebuilder:validation:Optional
 	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
 
 	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
-	// +kubebuilder:validation:Required
-	BGPAsn *float64 `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The authentication key for BGP configuration.
 	// +kubebuilder:validation:Optional
@@ -62,12 +93,12 @@ type HostedPublicVirtualInterfaceParameters struct {
 	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
 
 	// The name for the virtual interface.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The AWS account that will own the new virtual interface.
-	// +kubebuilder:validation:Required
-	OwnerAccountID *string `json:"ownerAccountId" tf:"owner_account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -75,12 +106,12 @@ type HostedPublicVirtualInterfaceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// A list of routes to be advertised to the AWS network in this region.
-	// +kubebuilder:validation:Required
-	RouteFilterPrefixes []*string `json:"routeFilterPrefixes" tf:"route_filter_prefixes,omitempty"`
+	// +kubebuilder:validation:Optional
+	RouteFilterPrefixes []*string `json:"routeFilterPrefixes,omitempty" tf:"route_filter_prefixes,omitempty"`
 
 	// The VLAN ID.
-	// +kubebuilder:validation:Required
-	Vlan *float64 `json:"vlan" tf:"vlan,omitempty"`
+	// +kubebuilder:validation:Optional
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 // HostedPublicVirtualInterfaceSpec defines the desired state of HostedPublicVirtualInterface
@@ -107,8 +138,14 @@ type HostedPublicVirtualInterfaceStatus struct {
 type HostedPublicVirtualInterface struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HostedPublicVirtualInterfaceSpec   `json:"spec"`
-	Status            HostedPublicVirtualInterfaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerAccountId)",message="ownerAccountId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeFilterPrefixes)",message="routeFilterPrefixes is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)",message="vlan is a required parameter"
+	Spec   HostedPublicVirtualInterfaceSpec   `json:"spec"`
+	Status HostedPublicVirtualInterfaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterfaceaccepter_types.go b/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterfaceaccepter_types.go
index b17918c240..71448c7d71 100755
--- a/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterfaceaccepter_types.go
+++ b/apis/directconnect/v1beta1/zz_hostedpublicvirtualinterfaceaccepter_types.go
@@ -21,8 +21,14 @@ type HostedPublicVirtualInterfaceAccepterObservation struct {
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the Direct Connect virtual interface to accept.
+	VirtualInterfaceID *string `json:"virtualInterfaceId,omitempty" tf:"virtual_interface_id,omitempty"`
 }
 
 type HostedPublicVirtualInterfaceAccepterParameters struct {
diff --git a/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterface_types.go b/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterface_types.go
index 9573129dcc..ec6c179ddb 100755
--- a/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterface_types.go
+++ b/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterface_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type HostedTransitVirtualInterfaceObservation struct {
+
+	// The address family for the BGP peer. ipv4  or ipv6.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
+	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
+
 	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
 
 	// The ARN of the virtual interface.
@@ -22,26 +29,50 @@ type HostedTransitVirtualInterfaceObservation struct {
 	// The Direct Connect endpoint on which the virtual interface terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The authentication key for BGP configuration.
+	BGPAuthKey *string `json:"bgpAuthKey,omitempty" tf:"bgp_auth_key,omitempty"`
+
+	// The ID of the Direct Connect connection (or LAG) on which to create the virtual interface.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// The IPv4 CIDR destination address to which Amazon should send traffic. Required for IPv4 BGP peers.
+	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Indicates whether jumbo frames (8500 MTU) are supported.
 	JumboFrameCapable *bool `json:"jumboFrameCapable,omitempty" tf:"jumbo_frame_capable,omitempty"`
+
+	// The maximum transmission unit (MTU) is the size, in bytes, of the largest permissible packet that can be passed over the connection. The MTU of a virtual transit interface can be either 1500 or 8500 (jumbo frames). Default is 1500.
+	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
+
+	// The name for the virtual interface.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The AWS account that will own the new virtual interface.
+	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
+
+	// The VLAN ID.
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 type HostedTransitVirtualInterfaceParameters struct {
 
 	// The address family for the BGP peer. ipv4  or ipv6.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
 	// +kubebuilder:validation:Optional
 	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
 
 	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
-	// +kubebuilder:validation:Required
-	BGPAsn *float64 `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The authentication key for BGP configuration.
 	// +kubebuilder:validation:Optional
@@ -69,12 +100,12 @@ type HostedTransitVirtualInterfaceParameters struct {
 	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
 
 	// The name for the virtual interface.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The AWS account that will own the new virtual interface.
-	// +kubebuilder:validation:Required
-	OwnerAccountID *string `json:"ownerAccountId" tf:"owner_account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -82,8 +113,8 @@ type HostedTransitVirtualInterfaceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The VLAN ID.
-	// +kubebuilder:validation:Required
-	Vlan *float64 `json:"vlan" tf:"vlan,omitempty"`
+	// +kubebuilder:validation:Optional
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 // HostedTransitVirtualInterfaceSpec defines the desired state of HostedTransitVirtualInterface
@@ -110,8 +141,13 @@ type HostedTransitVirtualInterfaceStatus struct {
 type HostedTransitVirtualInterface struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HostedTransitVirtualInterfaceSpec   `json:"spec"`
-	Status            HostedTransitVirtualInterfaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerAccountId)",message="ownerAccountId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)",message="vlan is a required parameter"
+	Spec   HostedTransitVirtualInterfaceSpec   `json:"spec"`
+	Status HostedTransitVirtualInterfaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterfaceaccepter_types.go b/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterfaceaccepter_types.go
index d96ef2bc92..9ff489f2a8 100755
--- a/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterfaceaccepter_types.go
+++ b/apis/directconnect/v1beta1/zz_hostedtransitvirtualinterfaceaccepter_types.go
@@ -18,11 +18,20 @@ type HostedTransitVirtualInterfaceAccepterObservation struct {
 	// The ARN of the virtual interface.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of the Direct Connect gateway to which to connect the virtual interface.
+	DxGatewayID *string `json:"dxGatewayId,omitempty" tf:"dx_gateway_id,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the Direct Connect virtual interface to accept.
+	VirtualInterfaceID *string `json:"virtualInterfaceId,omitempty" tf:"virtual_interface_id,omitempty"`
 }
 
 type HostedTransitVirtualInterfaceAccepterParameters struct {
diff --git a/apis/directconnect/v1beta1/zz_lag_types.go b/apis/directconnect/v1beta1/zz_lag_types.go
index 82c40094b2..0d9abe57ef 100755
--- a/apis/directconnect/v1beta1/zz_lag_types.go
+++ b/apis/directconnect/v1beta1/zz_lag_types.go
@@ -18,6 +18,15 @@ type LagObservation struct {
 	// The ARN of the LAG.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of an existing dedicated connection to migrate to the LAG.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// The bandwidth of the individual physical connections bundled by the LAG. Valid values: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps. Case sensitive.
+	ConnectionsBandwidth *string `json:"connectionsBandwidth,omitempty" tf:"connections_bandwidth,omitempty"`
+
+	// A boolean that indicates all connections associated with the LAG should be deleted so that the LAG can be destroyed without error. These objects are not recoverable.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// Indicates whether the LAG supports a secondary BGP peer in the same address family (IPv4/IPv6).
 	HasLogicalRedundancy *string `json:"hasLogicalRedundancy,omitempty" tf:"has_logical_redundancy,omitempty"`
 
@@ -27,9 +36,21 @@ type LagObservation struct {
 	// Indicates whether jumbo frames (9001 MTU) are supported.
 	JumboFrameCapable *bool `json:"jumboFrameCapable,omitempty" tf:"jumbo_frame_capable,omitempty"`
 
+	// The AWS Direct Connect location in which the LAG should be allocated. See DescribeLocations for the list of AWS Direct Connect locations. Use locationCode.
+	Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+	// The name of the LAG.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The ID of the AWS account that owns the LAG.
 	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
+	// The name of the service provider associated with the LAG.
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -41,20 +62,20 @@ type LagParameters struct {
 	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
 
 	// The bandwidth of the individual physical connections bundled by the LAG. Valid values: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps. Case sensitive.
-	// +kubebuilder:validation:Required
-	ConnectionsBandwidth *string `json:"connectionsBandwidth" tf:"connections_bandwidth,omitempty"`
+	// +kubebuilder:validation:Optional
+	ConnectionsBandwidth *string `json:"connectionsBandwidth,omitempty" tf:"connections_bandwidth,omitempty"`
 
 	// A boolean that indicates all connections associated with the LAG should be deleted so that the LAG can be destroyed without error. These objects are not recoverable.
 	// +kubebuilder:validation:Optional
 	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
 
 	// The AWS Direct Connect location in which the LAG should be allocated. See DescribeLocations for the list of AWS Direct Connect locations. Use locationCode.
-	// +kubebuilder:validation:Required
-	Location *string `json:"location" tf:"location,omitempty"`
+	// +kubebuilder:validation:Optional
+	Location *string `json:"location,omitempty" tf:"location,omitempty"`
 
 	// The name of the LAG.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The name of the service provider associated with the LAG.
 	// +kubebuilder:validation:Optional
@@ -94,8 +115,11 @@ type LagStatus struct {
 type Lag struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LagSpec   `json:"spec"`
-	Status            LagStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.connectionsBandwidth)",message="connectionsBandwidth is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.location)",message="location is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   LagSpec   `json:"spec"`
+	Status LagStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_privatevirtualinterface_types.go b/apis/directconnect/v1beta1/zz_privatevirtualinterface_types.go
index a3b8513950..d5f1740f49 100755
--- a/apis/directconnect/v1beta1/zz_privatevirtualinterface_types.go
+++ b/apis/directconnect/v1beta1/zz_privatevirtualinterface_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type PrivateVirtualInterfaceObservation struct {
+
+	// The address family for the BGP peer. ipv4  or ipv6.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
+	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
+
 	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
 
 	// The ARN of the virtual interface.
@@ -22,29 +29,62 @@ type PrivateVirtualInterfaceObservation struct {
 	// The Direct Connect endpoint on which the virtual interface terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The authentication key for BGP configuration.
+	BGPAuthKey *string `json:"bgpAuthKey,omitempty" tf:"bgp_auth_key,omitempty"`
+
+	// The ID of the Direct Connect connection (or LAG) on which to create the virtual interface.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// The IPv4 CIDR destination address to which Amazon should send traffic. Required for IPv4 BGP peers.
+	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
+
+	// The ID of the Direct Connect gateway to which to connect the virtual interface.
+	DxGatewayID *string `json:"dxGatewayId,omitempty" tf:"dx_gateway_id,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Indicates whether jumbo frames (9001 MTU) are supported.
 	JumboFrameCapable *bool `json:"jumboFrameCapable,omitempty" tf:"jumbo_frame_capable,omitempty"`
 
+	// The maximum transmission unit (MTU) is the size, in bytes, of the largest permissible packet that can be passed over the connection.
+	// The MTU of a virtual private interface can be either 1500 or 9001 (jumbo frames). Default is 1500.
+	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
+
+	// The name for the virtual interface.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	SitelinkEnabled *bool `json:"sitelinkEnabled,omitempty" tf:"sitelink_enabled,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the virtual private gateway to which to connect the virtual interface.
+	VPNGatewayID *string `json:"vpnGatewayId,omitempty" tf:"vpn_gateway_id,omitempty"`
+
+	// The VLAN ID.
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 type PrivateVirtualInterfaceParameters struct {
 
 	// The address family for the BGP peer. ipv4  or ipv6.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
 	// +kubebuilder:validation:Optional
 	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
 
 	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
-	// +kubebuilder:validation:Required
-	BGPAsn *float64 `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The authentication key for BGP configuration.
 	// +kubebuilder:validation:Optional
@@ -77,8 +117,8 @@ type PrivateVirtualInterfaceParameters struct {
 	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
 
 	// The name for the virtual interface.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -106,8 +146,8 @@ type PrivateVirtualInterfaceParameters struct {
 	VPNGatewayIDSelector *v1.Selector `json:"vpnGatewayIdSelector,omitempty" tf:"-"`
 
 	// The VLAN ID.
-	// +kubebuilder:validation:Required
-	Vlan *float64 `json:"vlan" tf:"vlan,omitempty"`
+	// +kubebuilder:validation:Optional
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 // PrivateVirtualInterfaceSpec defines the desired state of PrivateVirtualInterface
@@ -134,8 +174,12 @@ type PrivateVirtualInterfaceStatus struct {
 type PrivateVirtualInterface struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PrivateVirtualInterfaceSpec   `json:"spec"`
-	Status            PrivateVirtualInterfaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)",message="vlan is a required parameter"
+	Spec   PrivateVirtualInterfaceSpec   `json:"spec"`
+	Status PrivateVirtualInterfaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_publicvirtualinterface_types.go b/apis/directconnect/v1beta1/zz_publicvirtualinterface_types.go
index 807675a930..80ffc18918 100755
--- a/apis/directconnect/v1beta1/zz_publicvirtualinterface_types.go
+++ b/apis/directconnect/v1beta1/zz_publicvirtualinterface_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type PublicVirtualInterfaceObservation struct {
+
+	// The address family for the BGP peer. ipv4  or ipv6.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
+	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
+
 	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
 
 	// The ARN of the virtual interface.
@@ -22,26 +29,50 @@ type PublicVirtualInterfaceObservation struct {
 	// The Direct Connect endpoint on which the virtual interface terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The authentication key for BGP configuration.
+	BGPAuthKey *string `json:"bgpAuthKey,omitempty" tf:"bgp_auth_key,omitempty"`
+
+	// The ID of the Direct Connect connection (or LAG) on which to create the virtual interface.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// The IPv4 CIDR destination address to which Amazon should send traffic. Required for IPv4 BGP peers.
+	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name for the virtual interface.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of routes to be advertised to the AWS network in this region.
+	RouteFilterPrefixes []*string `json:"routeFilterPrefixes,omitempty" tf:"route_filter_prefixes,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VLAN ID.
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 type PublicVirtualInterfaceParameters struct {
 
 	// The address family for the BGP peer. ipv4  or ipv6.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
 	// +kubebuilder:validation:Optional
 	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
 
 	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
-	// +kubebuilder:validation:Required
-	BGPAsn *float64 `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The authentication key for BGP configuration.
 	// +kubebuilder:validation:Optional
@@ -65,8 +96,8 @@ type PublicVirtualInterfaceParameters struct {
 	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
 
 	// The name for the virtual interface.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -74,16 +105,16 @@ type PublicVirtualInterfaceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// A list of routes to be advertised to the AWS network in this region.
-	// +kubebuilder:validation:Required
-	RouteFilterPrefixes []*string `json:"routeFilterPrefixes" tf:"route_filter_prefixes,omitempty"`
+	// +kubebuilder:validation:Optional
+	RouteFilterPrefixes []*string `json:"routeFilterPrefixes,omitempty" tf:"route_filter_prefixes,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The VLAN ID.
-	// +kubebuilder:validation:Required
-	Vlan *float64 `json:"vlan" tf:"vlan,omitempty"`
+	// +kubebuilder:validation:Optional
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 // PublicVirtualInterfaceSpec defines the desired state of PublicVirtualInterface
@@ -110,8 +141,13 @@ type PublicVirtualInterfaceStatus struct {
 type PublicVirtualInterface struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PublicVirtualInterfaceSpec   `json:"spec"`
-	Status            PublicVirtualInterfaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeFilterPrefixes)",message="routeFilterPrefixes is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)",message="vlan is a required parameter"
+	Spec   PublicVirtualInterfaceSpec   `json:"spec"`
+	Status PublicVirtualInterfaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/directconnect/v1beta1/zz_transitvirtualinterface_types.go b/apis/directconnect/v1beta1/zz_transitvirtualinterface_types.go
index ec0f580929..66a1d3baed 100755
--- a/apis/directconnect/v1beta1/zz_transitvirtualinterface_types.go
+++ b/apis/directconnect/v1beta1/zz_transitvirtualinterface_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type TransitVirtualInterfaceObservation struct {
+
+	// The address family for the BGP peer. ipv4  or ipv6.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
+	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
+
 	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
 
 	// The ARN of the virtual interface.
@@ -22,29 +29,59 @@ type TransitVirtualInterfaceObservation struct {
 	// The Direct Connect endpoint on which the virtual interface terminates.
 	AwsDevice *string `json:"awsDevice,omitempty" tf:"aws_device,omitempty"`
 
+	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The authentication key for BGP configuration.
+	BGPAuthKey *string `json:"bgpAuthKey,omitempty" tf:"bgp_auth_key,omitempty"`
+
+	// The ID of the Direct Connect connection (or LAG) on which to create the virtual interface.
+	ConnectionID *string `json:"connectionId,omitempty" tf:"connection_id,omitempty"`
+
+	// The IPv4 CIDR destination address to which Amazon should send traffic. Required for IPv4 BGP peers.
+	CustomerAddress *string `json:"customerAddress,omitempty" tf:"customer_address,omitempty"`
+
+	// The ID of the Direct Connect gateway to which to connect the virtual interface.
+	DxGatewayID *string `json:"dxGatewayId,omitempty" tf:"dx_gateway_id,omitempty"`
+
 	// The ID of the virtual interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Indicates whether jumbo frames (8500 MTU) are supported.
 	JumboFrameCapable *bool `json:"jumboFrameCapable,omitempty" tf:"jumbo_frame_capable,omitempty"`
 
+	// The maximum transmission unit (MTU) is the size, in bytes, of the largest permissible packet that can be passed over the connection.
+	// The MTU of a virtual transit interface can be either 1500 or 8500 (jumbo frames). Default is 1500.
+	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
+
+	// The name for the virtual interface.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	SitelinkEnabled *bool `json:"sitelinkEnabled,omitempty" tf:"sitelink_enabled,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VLAN ID.
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 type TransitVirtualInterfaceParameters struct {
 
 	// The address family for the BGP peer. ipv4  or ipv6.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// The IPv4 CIDR address to use to send traffic to Amazon. Required for IPv4 BGP peers.
 	// +kubebuilder:validation:Optional
 	AmazonAddress *string `json:"amazonAddress,omitempty" tf:"amazon_address,omitempty"`
 
 	// The autonomous system (AS) number for Border Gateway Protocol (BGP) configuration.
-	// +kubebuilder:validation:Required
-	BGPAsn *float64 `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *float64 `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The authentication key for BGP configuration.
 	// +kubebuilder:validation:Optional
@@ -88,8 +125,8 @@ type TransitVirtualInterfaceParameters struct {
 	Mtu *float64 `json:"mtu,omitempty" tf:"mtu,omitempty"`
 
 	// The name for the virtual interface.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -104,8 +141,8 @@ type TransitVirtualInterfaceParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The VLAN ID.
-	// +kubebuilder:validation:Required
-	Vlan *float64 `json:"vlan" tf:"vlan,omitempty"`
+	// +kubebuilder:validation:Optional
+	Vlan *float64 `json:"vlan,omitempty" tf:"vlan,omitempty"`
 }
 
 // TransitVirtualInterfaceSpec defines the desired state of TransitVirtualInterface
@@ -132,8 +169,12 @@ type TransitVirtualInterfaceStatus struct {
 type TransitVirtualInterface struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TransitVirtualInterfaceSpec   `json:"spec"`
-	Status            TransitVirtualInterfaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)",message="vlan is a required parameter"
+	Spec   TransitVirtualInterfaceSpec   `json:"spec"`
+	Status TransitVirtualInterfaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dlm/v1beta1/zz_generated.deepcopy.go b/apis/dlm/v1beta1/zz_generated.deepcopy.go
index c2c4d6f66d..89e3d47819 100644
--- a/apis/dlm/v1beta1/zz_generated.deepcopy.go
+++ b/apis/dlm/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,18 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.CrossRegionCopy != nil {
+		in, out := &in.CrossRegionCopy, &out.CrossRegionCopy
+		*out = make([]CrossRegionCopyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -59,6 +71,37 @@ func (in *ActionParameters) DeepCopy() *ActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CreateRuleObservation) DeepCopyInto(out *CreateRuleObservation) {
 	*out = *in
+	if in.CronExpression != nil {
+		in, out := &in.CronExpression, &out.CronExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalUnit != nil {
+		in, out := &in.IntervalUnit, &out.IntervalUnit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = new(string)
+		**out = **in
+	}
+	if in.Times != nil {
+		in, out := &in.Times, &out.Times
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CreateRuleObservation.
@@ -120,6 +163,25 @@ func (in *CreateRuleParameters) DeepCopy() *CreateRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CrossRegionCopyObservation) DeepCopyInto(out *CrossRegionCopyObservation) {
 	*out = *in
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]EncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetainRule != nil {
+		in, out := &in.RetainRule, &out.RetainRule
+		*out = make([]RetainRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossRegionCopyObservation.
@@ -169,6 +231,40 @@ func (in *CrossRegionCopyParameters) DeepCopy() *CrossRegionCopyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CrossRegionCopyRuleObservation) DeepCopyInto(out *CrossRegionCopyRuleObservation) {
 	*out = *in
+	if in.CmkArn != nil {
+		in, out := &in.CmkArn, &out.CmkArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyTags != nil {
+		in, out := &in.CopyTags, &out.CopyTags
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeprecateRule != nil {
+		in, out := &in.DeprecateRule, &out.DeprecateRule
+		*out = make([]DeprecateRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RetainRule != nil {
+		in, out := &in.RetainRule, &out.RetainRule
+		*out = make([]CrossRegionCopyRuleRetainRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossRegionCopyRuleObservation.
@@ -243,6 +339,16 @@ func (in *CrossRegionCopyRuleParameters) DeepCopy() *CrossRegionCopyRuleParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CrossRegionCopyRuleRetainRuleObservation) DeepCopyInto(out *CrossRegionCopyRuleRetainRuleObservation) {
 	*out = *in
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalUnit != nil {
+		in, out := &in.IntervalUnit, &out.IntervalUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CrossRegionCopyRuleRetainRuleObservation.
@@ -283,6 +389,16 @@ func (in *CrossRegionCopyRuleRetainRuleParameters) DeepCopy() *CrossRegionCopyRu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeprecateRuleObservation) DeepCopyInto(out *DeprecateRuleObservation) {
 	*out = *in
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalUnit != nil {
+		in, out := &in.IntervalUnit, &out.IntervalUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeprecateRuleObservation.
@@ -323,6 +439,16 @@ func (in *DeprecateRuleParameters) DeepCopy() *DeprecateRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigurationObservation) DeepCopyInto(out *EncryptionConfigurationObservation) {
 	*out = *in
+	if in.CmkArn != nil {
+		in, out := &in.CmkArn, &out.CmkArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigurationObservation.
@@ -363,6 +489,18 @@ func (in *EncryptionConfigurationParameters) DeepCopy() *EncryptionConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventSourceObservation) DeepCopyInto(out *EventSourceObservation) {
 	*out = *in
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]ParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventSourceObservation.
@@ -405,6 +543,32 @@ func (in *EventSourceParameters) DeepCopy() *EventSourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FastRestoreRuleObservation) DeepCopyInto(out *FastRestoreRuleObservation) {
 	*out = *in
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Count != nil {
+		in, out := &in.Count, &out.Count
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalUnit != nil {
+		in, out := &in.IntervalUnit, &out.IntervalUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FastRestoreRuleObservation.
@@ -525,11 +689,48 @@ func (in *LifecyclePolicyObservation) DeepCopyInto(out *LifecyclePolicyObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExecutionRoleArn != nil {
+		in, out := &in.ExecutionRoleArn, &out.ExecutionRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyDetails != nil {
+		in, out := &in.PolicyDetails, &out.PolicyDetails
+		*out = make([]PolicyDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -661,6 +862,27 @@ func (in *LifecyclePolicyStatus) DeepCopy() *LifecyclePolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParametersObservation) DeepCopyInto(out *ParametersObservation) {
 	*out = *in
+	if in.DescriptionRegex != nil {
+		in, out := &in.DescriptionRegex, &out.DescriptionRegex
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventType != nil {
+		in, out := &in.EventType, &out.EventType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotOwner != nil {
+		in, out := &in.SnapshotOwner, &out.SnapshotOwner
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParametersObservation.
@@ -712,6 +934,76 @@ func (in *ParametersParameters) DeepCopy() *ParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyDetailsObservation) DeepCopyInto(out *PolicyDetailsObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventSource != nil {
+		in, out := &in.EventSource, &out.EventSource
+		*out = make([]EventSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]PolicyDetailsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PolicyType != nil {
+		in, out := &in.PolicyType, &out.PolicyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceLocations != nil {
+		in, out := &in.ResourceLocations, &out.ResourceLocations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ResourceTypes != nil {
+		in, out := &in.ResourceTypes, &out.ResourceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = make([]ScheduleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetTags != nil {
+		in, out := &in.TargetTags, &out.TargetTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyDetailsObservation.
@@ -812,6 +1104,16 @@ func (in *PolicyDetailsParameters) DeepCopy() *PolicyDetailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyDetailsParametersObservation) DeepCopyInto(out *PolicyDetailsParametersObservation) {
 	*out = *in
+	if in.ExcludeBootVolume != nil {
+		in, out := &in.ExcludeBootVolume, &out.ExcludeBootVolume
+		*out = new(bool)
+		**out = **in
+	}
+	if in.NoReboot != nil {
+		in, out := &in.NoReboot, &out.NoReboot
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyDetailsParametersObservation.
@@ -852,6 +1154,16 @@ func (in *PolicyDetailsParametersParameters) DeepCopy() *PolicyDetailsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RetainRuleObservation) DeepCopyInto(out *RetainRuleObservation) {
 	*out = *in
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalUnit != nil {
+		in, out := &in.IntervalUnit, &out.IntervalUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetainRuleObservation.
@@ -892,6 +1204,21 @@ func (in *RetainRuleParameters) DeepCopy() *RetainRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduleDeprecateRuleObservation) DeepCopyInto(out *ScheduleDeprecateRuleObservation) {
 	*out = *in
+	if in.Count != nil {
+		in, out := &in.Count, &out.Count
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalUnit != nil {
+		in, out := &in.IntervalUnit, &out.IntervalUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleDeprecateRuleObservation.
@@ -937,6 +1264,88 @@ func (in *ScheduleDeprecateRuleParameters) DeepCopy() *ScheduleDeprecateRulePara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduleObservation) DeepCopyInto(out *ScheduleObservation) {
 	*out = *in
+	if in.CopyTags != nil {
+		in, out := &in.CopyTags, &out.CopyTags
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CreateRule != nil {
+		in, out := &in.CreateRule, &out.CreateRule
+		*out = make([]CreateRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CrossRegionCopyRule != nil {
+		in, out := &in.CrossRegionCopyRule, &out.CrossRegionCopyRule
+		*out = make([]CrossRegionCopyRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeprecateRule != nil {
+		in, out := &in.DeprecateRule, &out.DeprecateRule
+		*out = make([]ScheduleDeprecateRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FastRestoreRule != nil {
+		in, out := &in.FastRestoreRule, &out.FastRestoreRule
+		*out = make([]FastRestoreRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetainRule != nil {
+		in, out := &in.RetainRule, &out.RetainRule
+		*out = make([]ScheduleRetainRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ShareRule != nil {
+		in, out := &in.ShareRule, &out.ShareRule
+		*out = make([]ShareRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TagsToAdd != nil {
+		in, out := &in.TagsToAdd, &out.TagsToAdd
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VariableTags != nil {
+		in, out := &in.VariableTags, &out.VariableTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleObservation.
@@ -1049,6 +1458,21 @@ func (in *ScheduleParameters) DeepCopy() *ScheduleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduleRetainRuleObservation) DeepCopyInto(out *ScheduleRetainRuleObservation) {
 	*out = *in
+	if in.Count != nil {
+		in, out := &in.Count, &out.Count
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IntervalUnit != nil {
+		in, out := &in.IntervalUnit, &out.IntervalUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleRetainRuleObservation.
@@ -1094,6 +1518,27 @@ func (in *ScheduleRetainRuleParameters) DeepCopy() *ScheduleRetainRuleParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ShareRuleObservation) DeepCopyInto(out *ShareRuleObservation) {
 	*out = *in
+	if in.TargetAccounts != nil {
+		in, out := &in.TargetAccounts, &out.TargetAccounts
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.UnshareInterval != nil {
+		in, out := &in.UnshareInterval, &out.UnshareInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UnshareIntervalUnit != nil {
+		in, out := &in.UnshareIntervalUnit, &out.UnshareIntervalUnit
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShareRuleObservation.
diff --git a/apis/dlm/v1beta1/zz_lifecyclepolicy_types.go b/apis/dlm/v1beta1/zz_lifecyclepolicy_types.go
index 300858f0ee..52c31847cc 100755
--- a/apis/dlm/v1beta1/zz_lifecyclepolicy_types.go
+++ b/apis/dlm/v1beta1/zz_lifecyclepolicy_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ActionObservation struct {
+
+	// The rule for copying shared snapshots across Regions. See the cross_region_copy configuration block.
+	CrossRegionCopy []CrossRegionCopyObservation `json:"crossRegionCopy,omitempty" tf:"cross_region_copy,omitempty"`
+
+	// A descriptive name for the action.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type ActionParameters struct {
@@ -28,6 +34,21 @@ type ActionParameters struct {
 }
 
 type CreateRuleObservation struct {
+
+	// The schedule, as a Cron expression. The schedule interval must be between 1 hour and 1 year.
+	CronExpression *string `json:"cronExpression,omitempty" tf:"cron_expression,omitempty"`
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	IntervalUnit *string `json:"intervalUnit,omitempty" tf:"interval_unit,omitempty"`
+
+	// Specifies the destination for snapshots created by the policy. To create snapshots in the same Region as the source resource, specify CLOUD. To create snapshots on the same Outpost as the source resource, specify OUTPOST_LOCAL. If you omit this parameter, CLOUD is used by default. If the policy targets resources in an AWS Region, then you must create snapshots in the same Region as the source resource. If the policy targets resources on an Outpost, then you can create snapshots on the same Outpost as the source resource, or in the Region of that Outpost. Valid values are CLOUD and OUTPOST_LOCAL.
+	Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+	// A list of times in 24 hour clock format that sets when the lifecycle policy should be evaluated. Max of 1.
+	Times []*string `json:"times,omitempty" tf:"times,omitempty"`
 }
 
 type CreateRuleParameters struct {
@@ -54,6 +75,15 @@ type CreateRuleParameters struct {
 }
 
 type CrossRegionCopyObservation struct {
+
+	// The encryption settings for the copied snapshot. See the encryption_configuration block. Max of 1 per action.
+	EncryptionConfiguration []EncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// Specifies the retention rule for cross-Region snapshot copies. See the retain_rule block. Max of 1 per action.
+	RetainRule []RetainRuleObservation `json:"retainRule,omitempty" tf:"retain_rule,omitempty"`
+
+	// The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type CrossRegionCopyParameters struct {
@@ -72,6 +102,24 @@ type CrossRegionCopyParameters struct {
 }
 
 type CrossRegionCopyRuleObservation struct {
+
+	// The Amazon Resource Name (ARN) of the AWS KMS key to use for EBS encryption. If this parameter is not specified, the default KMS key for the account is used.
+	CmkArn *string `json:"cmkArn,omitempty" tf:"cmk_arn,omitempty"`
+
+	// Copy all user-defined tags on a source volume to snapshots of the volume created by this policy.
+	CopyTags *bool `json:"copyTags,omitempty" tf:"copy_tags,omitempty"`
+
+	// See the deprecate_rule block. Max of 1 per schedule.
+	DeprecateRule []DeprecateRuleObservation `json:"deprecateRule,omitempty" tf:"deprecate_rule,omitempty"`
+
+	// To encrypt a copy of an unencrypted snapshot when encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or when encryption by default is not enabled.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// Specifies the retention rule for cross-Region snapshot copies. See the retain_rule block. Max of 1 per action.
+	RetainRule []CrossRegionCopyRuleRetainRuleObservation `json:"retainRule,omitempty" tf:"retain_rule,omitempty"`
+
+	// The target Region or the Amazon Resource Name (ARN) of the target Outpost for the snapshot copies.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type CrossRegionCopyRuleParameters struct {
@@ -112,6 +160,12 @@ type CrossRegionCopyRuleParameters struct {
 }
 
 type CrossRegionCopyRuleRetainRuleObservation struct {
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	IntervalUnit *string `json:"intervalUnit,omitempty" tf:"interval_unit,omitempty"`
 }
 
 type CrossRegionCopyRuleRetainRuleParameters struct {
@@ -126,6 +180,12 @@ type CrossRegionCopyRuleRetainRuleParameters struct {
 }
 
 type DeprecateRuleObservation struct {
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	IntervalUnit *string `json:"intervalUnit,omitempty" tf:"interval_unit,omitempty"`
 }
 
 type DeprecateRuleParameters struct {
@@ -140,6 +200,12 @@ type DeprecateRuleParameters struct {
 }
 
 type EncryptionConfigurationObservation struct {
+
+	// The Amazon Resource Name (ARN) of the AWS KMS key to use for EBS encryption. If this parameter is not specified, the default KMS key for the account is used.
+	CmkArn *string `json:"cmkArn,omitempty" tf:"cmk_arn,omitempty"`
+
+	// To encrypt a copy of an unencrypted snapshot when encryption by default is not enabled, enable encryption using this parameter. Copies of encrypted snapshots are encrypted, even if this parameter is false or when encryption by default is not enabled.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
 }
 
 type EncryptionConfigurationParameters struct {
@@ -154,6 +220,12 @@ type EncryptionConfigurationParameters struct {
 }
 
 type EventSourceObservation struct {
+
+	// A set of optional parameters for snapshot and AMI lifecycle policies. See the parameters configuration block.
+	Parameters []ParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The source of the event. Currently only managed CloudWatch Events rules are supported. Valid values are MANAGED_CWE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EventSourceParameters struct {
@@ -168,6 +240,18 @@ type EventSourceParameters struct {
 }
 
 type FastRestoreRuleObservation struct {
+
+	// The Availability Zones in which to enable fast snapshot restore.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	// Specifies the number of oldest AMIs to deprecate. Must be an integer between 1 and 1000.
+	Count *float64 `json:"count,omitempty" tf:"count,omitempty"`
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	IntervalUnit *string `json:"intervalUnit,omitempty" tf:"interval_unit,omitempty"`
 }
 
 type FastRestoreRuleParameters struct {
@@ -194,9 +278,24 @@ type LifecyclePolicyObservation struct {
 	// Amazon Resource Name (ARN) of the DLM Lifecycle Policy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A description for the DLM lifecycle policy.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The ARN of an IAM role that is able to be assumed by the DLM service.
+	ExecutionRoleArn *string `json:"executionRoleArn,omitempty" tf:"execution_role_arn,omitempty"`
+
 	// Identifier of the DLM Lifecycle Policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// See the policy_details configuration block. Max of 1.
+	PolicyDetails []PolicyDetailsObservation `json:"policyDetails,omitempty" tf:"policy_details,omitempty"`
+
+	// Whether the lifecycle policy should be enabled or disabled. ENABLED or DISABLED are valid values. Defaults to ENABLED.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -204,8 +303,8 @@ type LifecyclePolicyObservation struct {
 type LifecyclePolicyParameters struct {
 
 	// A description for the DLM lifecycle policy.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The ARN of an IAM role that is able to be assumed by the DLM service.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/iam/v1beta1.Role
@@ -222,8 +321,8 @@ type LifecyclePolicyParameters struct {
 	ExecutionRoleArnSelector *v1.Selector `json:"executionRoleArnSelector,omitempty" tf:"-"`
 
 	// See the policy_details configuration block. Max of 1.
-	// +kubebuilder:validation:Required
-	PolicyDetails []PolicyDetailsParameters `json:"policyDetails" tf:"policy_details,omitempty"`
+	// +kubebuilder:validation:Optional
+	PolicyDetails []PolicyDetailsParameters `json:"policyDetails,omitempty" tf:"policy_details,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -240,6 +339,15 @@ type LifecyclePolicyParameters struct {
 }
 
 type ParametersObservation struct {
+
+	// The snapshot description that can trigger the policy. The description pattern is specified using a regular expression. The policy runs only if a snapshot with a description that matches the specified pattern is shared with your account.
+	DescriptionRegex *string `json:"descriptionRegex,omitempty" tf:"description_regex,omitempty"`
+
+	// The type of event. Currently, only shareSnapshot events are supported.
+	EventType *string `json:"eventType,omitempty" tf:"event_type,omitempty"`
+
+	// The IDs of the AWS accounts that can trigger policy by sharing snapshots with your account. The policy only runs if one of the specified AWS accounts shares a snapshot with your account.
+	SnapshotOwner []*string `json:"snapshotOwner,omitempty" tf:"snapshot_owner,omitempty"`
 }
 
 type ParametersParameters struct {
@@ -258,6 +366,30 @@ type ParametersParameters struct {
 }
 
 type PolicyDetailsObservation struct {
+
+	// The actions to be performed when the event-based policy is triggered. You can specify only one action per policy. This parameter is required for event-based policies only. If you are creating a snapshot or AMI policy, omit this parameter. See the action configuration block.
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// The event that triggers the event-based policy. This parameter is required for event-based policies only. If you are creating a snapshot or AMI policy, omit this parameter. See the event_source configuration block.
+	EventSource []EventSourceObservation `json:"eventSource,omitempty" tf:"event_source,omitempty"`
+
+	// A set of optional parameters for snapshot and AMI lifecycle policies. See the parameters configuration block.
+	Parameters []PolicyDetailsParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The valid target resource types and actions a policy can manage. Specify EBS_SNAPSHOT_MANAGEMENT to create a lifecycle policy that manages the lifecycle of Amazon EBS snapshots. Specify IMAGE_MANAGEMENT to create a lifecycle policy that manages the lifecycle of EBS-backed AMIs. Specify EVENT_BASED_POLICY to create an event-based policy that performs specific actions when a defined event occurs in your AWS account. Default value is EBS_SNAPSHOT_MANAGEMENT.
+	PolicyType *string `json:"policyType,omitempty" tf:"policy_type,omitempty"`
+
+	// The location of the resources to backup. If the source resources are located in an AWS Region, specify CLOUD. If the source resources are located on an Outpost in your account, specify OUTPOST. If you specify OUTPOST, Amazon Data Lifecycle Manager backs up all resources of the specified type with matching target tags across all of the Outposts in your account. Valid values are CLOUD and OUTPOST.
+	ResourceLocations []*string `json:"resourceLocations,omitempty" tf:"resource_locations,omitempty"`
+
+	// A list of resource types that should be targeted by the lifecycle policy. Valid values are VOLUME and INSTANCE.
+	ResourceTypes []*string `json:"resourceTypes,omitempty" tf:"resource_types,omitempty"`
+
+	// See the schedule configuration block.
+	Schedule []ScheduleObservation `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// A map of tag keys and their values. Any resources that match the resource_types and are tagged with any of these tags will be targeted.
+	TargetTags map[string]*string `json:"targetTags,omitempty" tf:"target_tags,omitempty"`
 }
 
 type PolicyDetailsParameters struct {
@@ -296,6 +428,12 @@ type PolicyDetailsParameters struct {
 }
 
 type PolicyDetailsParametersObservation struct {
+
+	// Indicates whether to exclude the root volume from snapshots created using CreateSnapshots. The default is false.
+	ExcludeBootVolume *bool `json:"excludeBootVolume,omitempty" tf:"exclude_boot_volume,omitempty"`
+
+	// Applies to AMI lifecycle policies only. Indicates whether targeted instances are rebooted when the lifecycle policy runs. true indicates that targeted instances are not rebooted when the policy runs. false indicates that target instances are rebooted when the policy runs. The default is true (instances are not rebooted).
+	NoReboot *bool `json:"noReboot,omitempty" tf:"no_reboot,omitempty"`
 }
 
 type PolicyDetailsParametersParameters struct {
@@ -310,6 +448,12 @@ type PolicyDetailsParametersParameters struct {
 }
 
 type RetainRuleObservation struct {
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	IntervalUnit *string `json:"intervalUnit,omitempty" tf:"interval_unit,omitempty"`
 }
 
 type RetainRuleParameters struct {
@@ -324,6 +468,15 @@ type RetainRuleParameters struct {
 }
 
 type ScheduleDeprecateRuleObservation struct {
+
+	// Specifies the number of oldest AMIs to deprecate. Must be an integer between 1 and 1000.
+	Count *float64 `json:"count,omitempty" tf:"count,omitempty"`
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	IntervalUnit *string `json:"intervalUnit,omitempty" tf:"interval_unit,omitempty"`
 }
 
 type ScheduleDeprecateRuleParameters struct {
@@ -342,6 +495,36 @@ type ScheduleDeprecateRuleParameters struct {
 }
 
 type ScheduleObservation struct {
+
+	// Copy all user-defined tags on a source volume to snapshots of the volume created by this policy.
+	CopyTags *bool `json:"copyTags,omitempty" tf:"copy_tags,omitempty"`
+
+	// See the create_rule block. Max of 1 per schedule.
+	CreateRule []CreateRuleObservation `json:"createRule,omitempty" tf:"create_rule,omitempty"`
+
+	// See the cross_region_copy_rule block. Max of 3 per schedule.
+	CrossRegionCopyRule []CrossRegionCopyRuleObservation `json:"crossRegionCopyRule,omitempty" tf:"cross_region_copy_rule,omitempty"`
+
+	// See the deprecate_rule block. Max of 1 per schedule.
+	DeprecateRule []ScheduleDeprecateRuleObservation `json:"deprecateRule,omitempty" tf:"deprecate_rule,omitempty"`
+
+	// See the fast_restore_rule block. Max of 1 per schedule.
+	FastRestoreRule []FastRestoreRuleObservation `json:"fastRestoreRule,omitempty" tf:"fast_restore_rule,omitempty"`
+
+	// A descriptive name for the action.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies the retention rule for cross-Region snapshot copies. See the retain_rule block. Max of 1 per action.
+	RetainRule []ScheduleRetainRuleObservation `json:"retainRule,omitempty" tf:"retain_rule,omitempty"`
+
+	// See the share_rule block. Max of 1 per schedule.
+	ShareRule []ShareRuleObservation `json:"shareRule,omitempty" tf:"share_rule,omitempty"`
+
+	// A map of tag keys and their values. DLM lifecycle policies will already tag the snapshot with the tags on the volume. This configuration adds extra tags on top of these.
+	TagsToAdd map[string]*string `json:"tagsToAdd,omitempty" tf:"tags_to_add,omitempty"`
+
+	// A map of tag keys and variable values, where the values are determined when the policy is executed. Only $(instance-id) or $(timestamp) are valid values. Can only be used when resource_types is INSTANCE.
+	VariableTags map[string]*string `json:"variableTags,omitempty" tf:"variable_tags,omitempty"`
 }
 
 type ScheduleParameters struct {
@@ -388,6 +571,15 @@ type ScheduleParameters struct {
 }
 
 type ScheduleRetainRuleObservation struct {
+
+	// Specifies the number of oldest AMIs to deprecate. Must be an integer between 1 and 1000.
+	Count *float64 `json:"count,omitempty" tf:"count,omitempty"`
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	IntervalUnit *string `json:"intervalUnit,omitempty" tf:"interval_unit,omitempty"`
 }
 
 type ScheduleRetainRuleParameters struct {
@@ -406,6 +598,15 @@ type ScheduleRetainRuleParameters struct {
 }
 
 type ShareRuleObservation struct {
+
+	// The IDs of the AWS accounts with which to share the snapshots.
+	TargetAccounts []*string `json:"targetAccounts,omitempty" tf:"target_accounts,omitempty"`
+
+	// How often this lifecycle policy should be evaluated. 1, 2,3,4,6,8,12 or 24 are valid values.
+	UnshareInterval *float64 `json:"unshareInterval,omitempty" tf:"unshare_interval,omitempty"`
+
+	// The unit for how often the lifecycle policy should be evaluated. HOURS is currently the only allowed value and also the default value.
+	UnshareIntervalUnit *string `json:"unshareIntervalUnit,omitempty" tf:"unshare_interval_unit,omitempty"`
 }
 
 type ShareRuleParameters struct {
@@ -447,8 +648,10 @@ type LifecyclePolicyStatus struct {
 type LifecyclePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LifecyclePolicySpec   `json:"spec"`
-	Status            LifecyclePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyDetails)",message="policyDetails is a required parameter"
+	Spec   LifecyclePolicySpec   `json:"spec"`
+	Status LifecyclePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dms/v1beta1/zz_certificate_types.go b/apis/dms/v1beta1/zz_certificate_types.go
index 076f0fd120..2a96c59594 100755
--- a/apis/dms/v1beta1/zz_certificate_types.go
+++ b/apis/dms/v1beta1/zz_certificate_types.go
@@ -20,6 +20,9 @@ type CertificateObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/dms/v1beta1/zz_endpoint_types.go b/apis/dms/v1beta1/zz_endpoint_types.go
index fc47c21397..d6c66e343a 100755
--- a/apis/dms/v1beta1/zz_endpoint_types.go
+++ b/apis/dms/v1beta1/zz_endpoint_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type ElasticsearchSettingsObservation struct {
+
+	// Endpoint for the OpenSearch cluster.
+	EndpointURI *string `json:"endpointUri,omitempty" tf:"endpoint_uri,omitempty"`
+
+	// Maximum number of seconds for which DMS retries failed API requests to the OpenSearch cluster. Default is 300.
+	ErrorRetryDuration *float64 `json:"errorRetryDuration,omitempty" tf:"error_retry_duration,omitempty"`
+
+	// Maximum percentage of records that can fail to be written before a full load operation stops. Default is 10.
+	FullLoadErrorPercentage *float64 `json:"fullLoadErrorPercentage,omitempty" tf:"full_load_error_percentage,omitempty"`
+
+	// ARN of the IAM Role with permissions to write to the OpenSearch cluster.
+	ServiceAccessRoleArn *string `json:"serviceAccessRoleArn,omitempty" tf:"service_access_role_arn,omitempty"`
 }
 
 type ElasticsearchSettingsParameters struct {
@@ -37,13 +49,82 @@ type ElasticsearchSettingsParameters struct {
 
 type EndpointObservation struct {
 
+	// ARN for the certificate.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
+	// Name of the endpoint database.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// Configuration block for OpenSearch settings. See below.
+	ElasticsearchSettings []ElasticsearchSettingsObservation `json:"elasticsearchSettings,omitempty" tf:"elasticsearch_settings,omitempty"`
+
 	// ARN for the endpoint.
 	EndpointArn *string `json:"endpointArn,omitempty" tf:"endpoint_arn,omitempty"`
 
+	// Type of endpoint. Valid values are source, target.
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
+
+	// Type of engine for the endpoint. Valid values are aurora, aurora-postgresql, azuredb, db2, docdb, dynamodb, elasticsearch, kafka, kinesis, mariadb, mongodb, mysql, opensearch, oracle, postgres, redshift, s3, sqlserver, sybase. Please note that some of engine names are available only for target endpoint type (e.g. redshift).
+	EngineName *string `json:"engineName,omitempty" tf:"engine_name,omitempty"`
+
+	// Additional attributes associated with the connection.
+	// For available attributes for a source Endpoint, see Sources for data migration.
+	// For available attributes for a target Endpoint, see Targets for data migration.
+	ExtraConnectionAttributes *string `json:"extraConnectionAttributes,omitempty" tf:"extra_connection_attributes,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN for the KMS key that will be used to encrypt the connection parameters.
+	// If you do not specify a value for kms_key_arn, then AWS DMS will use your default encryption key.
+	// AWS KMS creates the default encryption key for your AWS account.
+	// Your AWS account has a different default encryption key for each AWS region.
+	// To encrypt an S3 target with a KMS Key, use the parameter s3_settings.server_side_encryption_kms_key_id.
+	// When engine_name is redshift, kms_key_arn is the KMS Key for the Redshift target and the parameter redshift_settings.server_side_encryption_kms_key_id encrypts the S3 intermediate storage.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Configuration block for Kafka settings. See below.
+	KafkaSettings []KafkaSettingsObservation `json:"kafkaSettings,omitempty" tf:"kafka_settings,omitempty"`
+
+	// Configuration block for Kinesis settings. See below.
+	KinesisSettings []KinesisSettingsObservation `json:"kinesisSettings,omitempty" tf:"kinesis_settings,omitempty"`
+
+	// Configuration block for MongoDB settings. See below.
+	MongodbSettings []MongodbSettingsObservation `json:"mongodbSettings,omitempty" tf:"mongodb_settings,omitempty"`
+
+	// Port used by the endpoint database.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	RedisSettings []RedisSettingsObservation `json:"redisSettings,omitempty" tf:"redis_settings,omitempty"`
+
+	// Configuration block for Redshift settings. See below.
+	RedshiftSettings []RedshiftSettingsObservation `json:"redshiftSettings,omitempty" tf:"redshift_settings,omitempty"`
+
+	// Configuration block for S3 settings. See below.
+	S3Settings []S3SettingsObservation `json:"s3Settings,omitempty" tf:"s3_settings,omitempty"`
+
+	// SSL mode to use for the connection. Valid values are none, require, verify-ca, verify-full
+	SSLMode *string `json:"sslMode,omitempty" tf:"ssl_mode,omitempty"`
+
+	// ARN of the IAM role that specifies AWS DMS as the trusted entity and has the required permissions to access the value in SecretsManagerSecret.
+	SecretsManagerAccessRoleArn *string `json:"secretsManagerAccessRoleArn,omitempty" tf:"secrets_manager_access_role_arn,omitempty"`
+
+	// Full ARN, partial ARN, or friendly name of the SecretsManagerSecret that contains the endpoint connection details. Supported only when engine_name is aurora, aurora-postgresql, mariadb, mongodb, mysql, oracle, postgres, redshift, or sqlserver.
+	SecretsManagerArn *string `json:"secretsManagerArn,omitempty" tf:"secrets_manager_arn,omitempty"`
+
+	// Host name of the server.
+	ServerName *string `json:"serverName,omitempty" tf:"server_name,omitempty"`
+
+	// ARN used by the service access IAM role for dynamodb endpoints.
+	ServiceAccessRole *string `json:"serviceAccessRole,omitempty" tf:"service_access_role,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// User name to be used to login to the endpoint database.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type EndpointParameters struct {
@@ -61,12 +142,12 @@ type EndpointParameters struct {
 	ElasticsearchSettings []ElasticsearchSettingsParameters `json:"elasticsearchSettings,omitempty" tf:"elasticsearch_settings,omitempty"`
 
 	// Type of endpoint. Valid values are source, target.
-	// +kubebuilder:validation:Required
-	EndpointType *string `json:"endpointType" tf:"endpoint_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
 
 	// Type of engine for the endpoint. Valid values are aurora, aurora-postgresql, azuredb, db2, docdb, dynamodb, elasticsearch, kafka, kinesis, mariadb, mongodb, mysql, opensearch, oracle, postgres, redshift, s3, sqlserver, sybase. Please note that some of engine names are available only for target endpoint type (e.g. redshift).
-	// +kubebuilder:validation:Required
-	EngineName *string `json:"engineName" tf:"engine_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	EngineName *string `json:"engineName,omitempty" tf:"engine_name,omitempty"`
 
 	// Additional attributes associated with the connection.
 	// For available attributes for a source Endpoint, see Sources for data migration.
@@ -168,6 +249,54 @@ type EndpointParameters struct {
 }
 
 type KafkaSettingsObservation struct {
+
+	// Kafka broker location. Specify in the form broker-hostname-or-ip:port.
+	Broker *string `json:"broker,omitempty" tf:"broker,omitempty"`
+
+	// Shows detailed control information for table definition, column definition, and table and column changes in the Kafka message output. Default is false.
+	IncludeControlDetails *bool `json:"includeControlDetails,omitempty" tf:"include_control_details,omitempty"`
+
+	// Include NULL and empty columns for records migrated to the endpoint. Default is false.
+	IncludeNullAndEmpty *bool `json:"includeNullAndEmpty,omitempty" tf:"include_null_and_empty,omitempty"`
+
+	// Shows the partition value within the Kafka message output unless the partition type is schema-table-type. Default is false.
+	IncludePartitionValue *bool `json:"includePartitionValue,omitempty" tf:"include_partition_value,omitempty"`
+
+	// Includes any data definition language (DDL) operations that change the table in the control data, such as rename-table, drop-table, add-column, drop-column, and rename-column. Default is false.
+	IncludeTableAlterOperations *bool `json:"includeTableAlterOperations,omitempty" tf:"include_table_alter_operations,omitempty"`
+
+	// Provides detailed transaction information from the source database. This information includes a commit timestamp, a log position, and values for transaction_id, previous transaction_id, and transaction_record_id (the record offset within a transaction). Default is false.
+	IncludeTransactionDetails *bool `json:"includeTransactionDetails,omitempty" tf:"include_transaction_details,omitempty"`
+
+	// Output format for the records created on the endpoint. Message format is JSON (default) or JSON_UNFORMATTED (a single line with no tab).
+	MessageFormat *string `json:"messageFormat,omitempty" tf:"message_format,omitempty"`
+
+	// Maximum size in bytes for records created on the endpoint Default is 1,000,000.
+	MessageMaxBytes *float64 `json:"messageMaxBytes,omitempty" tf:"message_max_bytes,omitempty"`
+
+	// Set this optional parameter to true to avoid adding a '0x' prefix to raw data in hexadecimal format. For example, by default, AWS DMS adds a '0x' prefix to the LOB column type in hexadecimal format moving from an Oracle source to a Kafka target. Use the no_hex_prefix endpoint setting to enable migration of RAW data type columns without adding the '0x' prefix.
+	NoHexPrefix *bool `json:"noHexPrefix,omitempty" tf:"no_hex_prefix,omitempty"`
+
+	// Prefixes schema and table names to partition values, when the partition type is primary-key-type. Doing this increases data distribution among Kafka partitions. For example, suppose that a SysBench schema has thousands of tables and each table has only limited range for a primary key. In this case, the same primary key is sent from thousands of tables to the same partition, which causes throttling. Default is false.
+	PartitionIncludeSchemaTable *bool `json:"partitionIncludeSchemaTable,omitempty" tf:"partition_include_schema_table,omitempty"`
+
+	// ARN for the private certificate authority (CA) cert that AWS DMS uses to securely connect to your Kafka target endpoint.
+	SSLCACertificateArn *string `json:"sslCaCertificateArn,omitempty" tf:"ssl_ca_certificate_arn,omitempty"`
+
+	// ARN of the client certificate used to securely connect to a Kafka target endpoint.
+	SSLClientCertificateArn *string `json:"sslClientCertificateArn,omitempty" tf:"ssl_client_certificate_arn,omitempty"`
+
+	// ARN for the client private key used to securely connect to a Kafka target endpoint.
+	SSLClientKeyArn *string `json:"sslClientKeyArn,omitempty" tf:"ssl_client_key_arn,omitempty"`
+
+	// Secure user name you created when you first set up your MSK cluster to validate a client identity and make an encrypted connection between server and client using SASL-SSL authentication.
+	SaslUsername *string `json:"saslUsername,omitempty" tf:"sasl_username,omitempty"`
+
+	// Set secure connection to a Kafka target endpoint using Transport Layer Security (TLS). Options include ssl-encryption, ssl-authentication, and sasl-ssl. sasl-ssl requires sasl_username and sasl_password.
+	SecurityProtocol *string `json:"securityProtocol,omitempty" tf:"security_protocol,omitempty"`
+
+	// Kafka topic for migration. Default is kafka-default-topic.
+	Topic *string `json:"topic,omitempty" tf:"topic,omitempty"`
 }
 
 type KafkaSettingsParameters struct {
@@ -246,6 +375,33 @@ type KafkaSettingsParameters struct {
 }
 
 type KinesisSettingsObservation struct {
+
+	// Shows detailed control information for table definition, column definition, and table and column changes in the Kinesis message output. Default is false.
+	IncludeControlDetails *bool `json:"includeControlDetails,omitempty" tf:"include_control_details,omitempty"`
+
+	// Include NULL and empty columns in the target. Default is false.
+	IncludeNullAndEmpty *bool `json:"includeNullAndEmpty,omitempty" tf:"include_null_and_empty,omitempty"`
+
+	// Shows the partition value within the Kinesis message output, unless the partition type is schema-table-type. Default is false.
+	IncludePartitionValue *bool `json:"includePartitionValue,omitempty" tf:"include_partition_value,omitempty"`
+
+	// Includes any data definition language (DDL) operations that change the table in the control data. Default is false.
+	IncludeTableAlterOperations *bool `json:"includeTableAlterOperations,omitempty" tf:"include_table_alter_operations,omitempty"`
+
+	// Provides detailed transaction information from the source database. Default is false.
+	IncludeTransactionDetails *bool `json:"includeTransactionDetails,omitempty" tf:"include_transaction_details,omitempty"`
+
+	// Output format for the records created. Default is json. Valid values are json and json-unformatted (a single line with no tab).
+	MessageFormat *string `json:"messageFormat,omitempty" tf:"message_format,omitempty"`
+
+	// Prefixes schema and table names to partition values, when the partition type is primary-key-type. Default is false.
+	PartitionIncludeSchemaTable *bool `json:"partitionIncludeSchemaTable,omitempty" tf:"partition_include_schema_table,omitempty"`
+
+	// ARN of the IAM Role with permissions to write to the Kinesis data stream.
+	ServiceAccessRoleArn *string `json:"serviceAccessRoleArn,omitempty" tf:"service_access_role_arn,omitempty"`
+
+	// ARN of the Kinesis data stream.
+	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 }
 
 type KinesisSettingsParameters struct {
@@ -288,6 +444,24 @@ type KinesisSettingsParameters struct {
 }
 
 type MongodbSettingsObservation struct {
+
+	// Authentication mechanism to access the MongoDB source endpoint. Default is default.
+	AuthMechanism *string `json:"authMechanism,omitempty" tf:"auth_mechanism,omitempty"`
+
+	// Authentication database name. Not used when auth_type is no. Default is admin.
+	AuthSource *string `json:"authSource,omitempty" tf:"auth_source,omitempty"`
+
+	// Authentication type to access the MongoDB source endpoint. Default is password.
+	AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"`
+
+	// Number of documents to preview to determine the document organization. Use this setting when nesting_level is set to one. Default is 1000.
+	DocsToInvestigate *string `json:"docsToInvestigate,omitempty" tf:"docs_to_investigate,omitempty"`
+
+	// Document ID. Use this setting when nesting_level is set to none. Default is false.
+	ExtractDocID *string `json:"extractDocId,omitempty" tf:"extract_doc_id,omitempty"`
+
+	// Specifies either document or table mode. Default is none. Valid values are one (table mode) and none (document mode).
+	NestingLevel *string `json:"nestingLevel,omitempty" tf:"nesting_level,omitempty"`
 }
 
 type MongodbSettingsParameters struct {
@@ -318,6 +492,24 @@ type MongodbSettingsParameters struct {
 }
 
 type RedisSettingsObservation struct {
+
+	// Authentication type to access the MongoDB source endpoint. Default is password.
+	AuthType *string `json:"authType,omitempty" tf:"auth_type,omitempty"`
+
+	// The username provided with the auth-role option of the AuthType setting for a Redis target endpoint.
+	AuthUserName *string `json:"authUserName,omitempty" tf:"auth_user_name,omitempty"`
+
+	// Port used by the endpoint database.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The Amazon Resource Name (ARN) for the certificate authority (CA) that DMS uses to connect to your Redis target endpoint.
+	SSLCACertificateArn *string `json:"sslCaCertificateArn,omitempty" tf:"ssl_ca_certificate_arn,omitempty"`
+
+	// The plaintext option doesn't provide Transport Layer Security (TLS) encryption for traffic between endpoint and database. Options include plaintext, ssl-encryption. The default is ssl-encryption.
+	SSLSecurityProtocol *string `json:"sslSecurityProtocol,omitempty" tf:"ssl_security_protocol,omitempty"`
+
+	// Host name of the server.
+	ServerName *string `json:"serverName,omitempty" tf:"server_name,omitempty"`
 }
 
 type RedisSettingsParameters struct {
@@ -352,6 +544,21 @@ type RedisSettingsParameters struct {
 }
 
 type RedshiftSettingsObservation struct {
+
+	// Custom S3 Bucket Object prefix for intermediate storage.
+	BucketFolder *string `json:"bucketFolder,omitempty" tf:"bucket_folder,omitempty"`
+
+	// Custom S3 Bucket name for intermediate storage.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// The server-side encryption mode that you want to encrypt your intermediate .csv object files copied to S3. Defaults to SSE_S3. Valid values are SSE_S3 and SSE_KMS.
+	EncryptionMode *string `json:"encryptionMode,omitempty" tf:"encryption_mode,omitempty"`
+
+	// ARN or Id of KMS Key to use when encryption_mode is SSE_KMS.
+	ServerSideEncryptionKMSKeyID *string `json:"serverSideEncryptionKmsKeyId,omitempty" tf:"server_side_encryption_kms_key_id,omitempty"`
+
+	// Amazon Resource Name (ARN) of the IAM Role with permissions to read from or write to the S3 Bucket for intermediate storage.
+	ServiceAccessRoleArn *string `json:"serviceAccessRoleArn,omitempty" tf:"service_access_role_arn,omitempty"`
 }
 
 type RedshiftSettingsParameters struct {
@@ -378,6 +585,123 @@ type RedshiftSettingsParameters struct {
 }
 
 type S3SettingsObservation struct {
+
+	// Whether to add column name information to the .csv output file. Default is false.
+	AddColumnName *bool `json:"addColumnName,omitempty" tf:"add_column_name,omitempty"`
+
+	// S3 object prefix.
+	BucketFolder *string `json:"bucketFolder,omitempty" tf:"bucket_folder,omitempty"`
+
+	// S3 bucket name.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Predefined (canned) access control list for objects created in an S3 bucket. Valid values include none, private, public-read, public-read-write, authenticated-read, aws-exec-read, bucket-owner-read, and bucket-owner-full-control. Default is none.
+	CannedACLForObjects *string `json:"cannedAclForObjects,omitempty" tf:"canned_acl_for_objects,omitempty"`
+
+	// Whether to write insert and update operations to .csv or .parquet output files. Default is false.
+	CdcInsertsAndUpdates *bool `json:"cdcInsertsAndUpdates,omitempty" tf:"cdc_inserts_and_updates,omitempty"`
+
+	// Whether to write insert operations to .csv or .parquet output files. Default is false.
+	CdcInsertsOnly *bool `json:"cdcInsertsOnly,omitempty" tf:"cdc_inserts_only,omitempty"`
+
+	// Maximum length of the interval, defined in seconds, after which to output a file to Amazon S3. Default is 60.
+	CdcMaxBatchInterval *float64 `json:"cdcMaxBatchInterval,omitempty" tf:"cdc_max_batch_interval,omitempty"`
+
+	// Minimum file size condition as defined in kilobytes to output a file to Amazon S3. Default is 32000. NOTE: Previously, this setting was measured in megabytes but now represents kilobytes. Update configurations accordingly.
+	CdcMinFileSize *float64 `json:"cdcMinFileSize,omitempty" tf:"cdc_min_file_size,omitempty"`
+
+	// Folder path of CDC files. For an S3 source, this setting is required if a task captures change data; otherwise, it's optional. If cdc_path is set, AWS DMS reads CDC files from this path and replicates the data changes to the target endpoint. Supported in AWS DMS versions 3.4.2 and later.
+	CdcPath *string `json:"cdcPath,omitempty" tf:"cdc_path,omitempty"`
+
+	// Set to compress target files. Default is NONE. Valid values are GZIP and NONE.
+	CompressionType *string `json:"compressionType,omitempty" tf:"compression_type,omitempty"`
+
+	// Delimiter used to separate columns in the source files. Default is ,.
+	CsvDelimiter *string `json:"csvDelimiter,omitempty" tf:"csv_delimiter,omitempty"`
+
+	// String to use for all columns not included in the supplemental log.
+	CsvNoSupValue *string `json:"csvNoSupValue,omitempty" tf:"csv_no_sup_value,omitempty"`
+
+	// String to as null when writing to the target.
+	CsvNullValue *string `json:"csvNullValue,omitempty" tf:"csv_null_value,omitempty"`
+
+	// Delimiter used to separate rows in the source files. Default is \n.
+	CsvRowDelimiter *string `json:"csvRowDelimiter,omitempty" tf:"csv_row_delimiter,omitempty"`
+
+	// Output format for the files that AWS DMS uses to create S3 objects. Valid values are csv and parquet. Default is csv.
+	DataFormat *string `json:"dataFormat,omitempty" tf:"data_format,omitempty"`
+
+	// Size of one data page in bytes. Default is 1048576 (1 MiB).
+	DataPageSize *float64 `json:"dataPageSize,omitempty" tf:"data_page_size,omitempty"`
+
+	// Date separating delimiter to use during folder partitioning. Valid values are SLASH, UNDERSCORE, DASH, and NONE. Default is SLASH.
+	DatePartitionDelimiter *string `json:"datePartitionDelimiter,omitempty" tf:"date_partition_delimiter,omitempty"`
+
+	// Partition S3 bucket folders based on transaction commit dates. Default is false.
+	DatePartitionEnabled *bool `json:"datePartitionEnabled,omitempty" tf:"date_partition_enabled,omitempty"`
+
+	// Date format to use during folder partitioning. Use this parameter when date_partition_enabled is set to true. Valid values are YYYYMMDD, YYYYMMDDHH, YYYYMM, MMYYYYDD, and DDMMYYYY. Default is YYYYMMDD.
+	DatePartitionSequence *string `json:"datePartitionSequence,omitempty" tf:"date_partition_sequence,omitempty"`
+
+	// Maximum size in bytes of an encoded dictionary page of a column. Default is 1048576 (1 MiB).
+	DictPageSizeLimit *float64 `json:"dictPageSizeLimit,omitempty" tf:"dict_page_size_limit,omitempty"`
+
+	// Whether to enable statistics for Parquet pages and row groups. Default is true.
+	EnableStatistics *bool `json:"enableStatistics,omitempty" tf:"enable_statistics,omitempty"`
+
+	// Type of encoding to use. Value values are rle_dictionary, plain, and plain_dictionary. Default is rle_dictionary.
+	EncodingType *string `json:"encodingType,omitempty" tf:"encoding_type,omitempty"`
+
+	// Server-side encryption mode that you want to encrypt your .csv or .parquet object files copied to S3. Valid values are SSE_S3 and SSE_KMS. Default is SSE_S3.
+	EncryptionMode *string `json:"encryptionMode,omitempty" tf:"encryption_mode,omitempty"`
+
+	// JSON document that describes how AWS DMS should interpret the data.
+	ExternalTableDefinition *string `json:"externalTableDefinition,omitempty" tf:"external_table_definition,omitempty"`
+
+	// When this value is set to 1, DMS ignores the first row header in a .csv file. Default is 0.
+	IgnoreHeaderRows *float64 `json:"ignoreHeaderRows,omitempty" tf:"ignore_header_rows,omitempty"`
+
+	// Deprecated. This setting has no effect. Will be removed in a future version.
+	// This setting has no effect, is deprecated, and will be removed in a future version
+	IgnoreHeadersRow *float64 `json:"ignoreHeadersRow,omitempty" tf:"ignore_headers_row,omitempty"`
+
+	// Whether to enable a full load to write INSERT operations to the .csv output files only to indicate how the rows were added to the source database. Default is false.
+	IncludeOpForFullLoad *bool `json:"includeOpForFullLoad,omitempty" tf:"include_op_for_full_load,omitempty"`
+
+	// Maximum size (in KB) of any .csv file to be created while migrating to an S3 target during full load. Valid values are from 1 to 1048576. Default is 1048576 (1 GB).
+	MaxFileSize *float64 `json:"maxFileSize,omitempty" tf:"max_file_size,omitempty"`
+
+	// - Specifies the precision of any TIMESTAMP column values written to an S3 object file in .parquet format. Default is false.
+	ParquetTimestampInMillisecond *bool `json:"parquetTimestampInMillisecond,omitempty" tf:"parquet_timestamp_in_millisecond,omitempty"`
+
+	// Version of the .parquet file format. Default is parquet-1-0. Valid values are parquet-1-0 and parquet-2-0.
+	ParquetVersion *string `json:"parquetVersion,omitempty" tf:"parquet_version,omitempty"`
+
+	// Whether DMS saves the transaction order for a CDC load on the S3 target specified by cdc_path. Default is false.
+	PreserveTransactions *bool `json:"preserveTransactions,omitempty" tf:"preserve_transactions,omitempty"`
+
+	// For an S3 source, whether each leading double quotation mark has to be followed by an ending double quotation mark. Default is true.
+	Rfc4180 *bool `json:"rfc4180,omitempty" tf:"rfc_4180,omitempty"`
+
+	// Number of rows in a row group. Default is 10000.
+	RowGroupLength *float64 `json:"rowGroupLength,omitempty" tf:"row_group_length,omitempty"`
+
+	// ARN or Id of KMS Key to use when encryption_mode is SSE_KMS.
+	ServerSideEncryptionKMSKeyID *string `json:"serverSideEncryptionKmsKeyId,omitempty" tf:"server_side_encryption_kms_key_id,omitempty"`
+
+	// ARN of the IAM Role with permissions to read from or write to the S3 Bucket.
+	ServiceAccessRoleArn *string `json:"serviceAccessRoleArn,omitempty" tf:"service_access_role_arn,omitempty"`
+
+	// Column to add with timestamp information to the endpoint data for an Amazon S3 target.
+	TimestampColumnName *string `json:"timestampColumnName,omitempty" tf:"timestamp_column_name,omitempty"`
+
+	// Whether to use csv_no_sup_value for columns not included in the supplemental log.
+	UseCsvNoSupValue *bool `json:"useCsvNoSupValue,omitempty" tf:"use_csv_no_sup_value,omitempty"`
+
+	// When set to true, uses the task start time as the timestamp column value instead of the time data is written to target.
+	// For full load, when set to true, each row of the timestamp column contains the task start time. For CDC loads, each row of the timestamp column contains the transaction commit time.
+	// When set to false, the full load timestamp in the timestamp column increments with the time data arrives at the target. Default is false.
+	UseTaskStartTimeForFullLoadTimestamp *bool `json:"useTaskStartTimeForFullLoadTimestamp,omitempty" tf:"use_task_start_time_for_full_load_timestamp,omitempty"`
 }
 
 type S3SettingsParameters struct {
@@ -562,8 +886,10 @@ type EndpointStatus struct {
 type Endpoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EndpointSpec   `json:"spec"`
-	Status            EndpointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpointType)",message="endpointType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineName)",message="engineName is a required parameter"
+	Spec   EndpointSpec   `json:"spec"`
+	Status EndpointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dms/v1beta1/zz_eventsubscription_types.go b/apis/dms/v1beta1/zz_eventsubscription_types.go
index d1c46fbe5c..120c3b84d5 100755
--- a/apis/dms/v1beta1/zz_eventsubscription_types.go
+++ b/apis/dms/v1beta1/zz_eventsubscription_types.go
@@ -18,8 +18,26 @@ type EventSubscriptionObservation struct {
 	// Amazon Resource Name (ARN) of the DMS Event Subscription.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether the event subscription should be enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// List of event categories to listen for, see DescribeEventCategories for a canonical list.
+	EventCategories []*string `json:"eventCategories,omitempty" tf:"event_categories,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// SNS topic arn to send events on.
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
+
+	// Ids of sources to listen to.
+	SourceIds []*string `json:"sourceIds,omitempty" tf:"source_ids,omitempty"`
+
+	// Type of source for events. Valid values: replication-instance or replication-task
+	SourceType *string `json:"sourceType,omitempty" tf:"source_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -31,8 +49,8 @@ type EventSubscriptionParameters struct {
 	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 
 	// List of event categories to listen for, see DescribeEventCategories for a canonical list.
-	// +kubebuilder:validation:Required
-	EventCategories []*string `json:"eventCategories" tf:"event_categories,omitempty"`
+	// +kubebuilder:validation:Optional
+	EventCategories []*string `json:"eventCategories,omitempty" tf:"event_categories,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -90,8 +108,9 @@ type EventSubscriptionStatus struct {
 type EventSubscription struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EventSubscriptionSpec   `json:"spec"`
-	Status            EventSubscriptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventCategories)",message="eventCategories is a required parameter"
+	Spec   EventSubscriptionSpec   `json:"spec"`
+	Status EventSubscriptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dms/v1beta1/zz_generated.deepcopy.go b/apis/dms/v1beta1/zz_generated.deepcopy.go
index 347e23d9e0..74fd1f50eb 100644
--- a/apis/dms/v1beta1/zz_generated.deepcopy.go
+++ b/apis/dms/v1beta1/zz_generated.deepcopy.go
@@ -86,6 +86,21 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -195,6 +210,26 @@ func (in *CertificateStatus) DeepCopy() *CertificateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ElasticsearchSettingsObservation) DeepCopyInto(out *ElasticsearchSettingsObservation) {
 	*out = *in
+	if in.EndpointURI != nil {
+		in, out := &in.EndpointURI, &out.EndpointURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorRetryDuration != nil {
+		in, out := &in.ErrorRetryDuration, &out.ErrorRetryDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FullLoadErrorPercentage != nil {
+		in, out := &in.FullLoadErrorPercentage, &out.FullLoadErrorPercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServiceAccessRoleArn != nil {
+		in, out := &in.ServiceAccessRoleArn, &out.ServiceAccessRoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticsearchSettingsObservation.
@@ -304,16 +339,140 @@ func (in *EndpointList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndpointObservation) DeepCopyInto(out *EndpointObservation) {
 	*out = *in
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ElasticsearchSettings != nil {
+		in, out := &in.ElasticsearchSettings, &out.ElasticsearchSettings
+		*out = make([]ElasticsearchSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.EndpointArn != nil {
 		in, out := &in.EndpointArn, &out.EndpointArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.EndpointType != nil {
+		in, out := &in.EndpointType, &out.EndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineName != nil {
+		in, out := &in.EngineName, &out.EngineName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExtraConnectionAttributes != nil {
+		in, out := &in.ExtraConnectionAttributes, &out.ExtraConnectionAttributes
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.KafkaSettings != nil {
+		in, out := &in.KafkaSettings, &out.KafkaSettings
+		*out = make([]KafkaSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisSettings != nil {
+		in, out := &in.KinesisSettings, &out.KinesisSettings
+		*out = make([]KinesisSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MongodbSettings != nil {
+		in, out := &in.MongodbSettings, &out.MongodbSettings
+		*out = make([]MongodbSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RedisSettings != nil {
+		in, out := &in.RedisSettings, &out.RedisSettings
+		*out = make([]RedisSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RedshiftSettings != nil {
+		in, out := &in.RedshiftSettings, &out.RedshiftSettings
+		*out = make([]RedshiftSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Settings != nil {
+		in, out := &in.S3Settings, &out.S3Settings
+		*out = make([]S3SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SSLMode != nil {
+		in, out := &in.SSLMode, &out.SSLMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecretsManagerAccessRoleArn != nil {
+		in, out := &in.SecretsManagerAccessRoleArn, &out.SecretsManagerAccessRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecretsManagerArn != nil {
+		in, out := &in.SecretsManagerArn, &out.SecretsManagerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerName != nil {
+		in, out := &in.ServerName, &out.ServerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceAccessRole != nil {
+		in, out := &in.ServiceAccessRole, &out.ServiceAccessRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -329,6 +488,11 @@ func (in *EndpointObservation) DeepCopyInto(out *EndpointObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointObservation.
@@ -616,11 +780,63 @@ func (in *EventSubscriptionObservation) DeepCopyInto(out *EventSubscriptionObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventCategories != nil {
+		in, out := &in.EventCategories, &out.EventCategories
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceIds != nil {
+		in, out := &in.SourceIds, &out.SourceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceType != nil {
+		in, out := &in.SourceType, &out.SourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -767,21 +983,6 @@ func (in *EventSubscriptionStatus) DeepCopy() *EventSubscriptionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KafkaSettingsObservation) DeepCopyInto(out *KafkaSettingsObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaSettingsObservation.
-func (in *KafkaSettingsObservation) DeepCopy() *KafkaSettingsObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(KafkaSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KafkaSettingsParameters) DeepCopyInto(out *KafkaSettingsParameters) {
-	*out = *in
 	if in.Broker != nil {
 		in, out := &in.Broker, &out.Broker
 		*out = new(string)
@@ -847,16 +1048,6 @@ func (in *KafkaSettingsParameters) DeepCopyInto(out *KafkaSettingsParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.SSLClientKeyPasswordSecretRef != nil {
-		in, out := &in.SSLClientKeyPasswordSecretRef, &out.SSLClientKeyPasswordSecretRef
-		*out = new(v1.SecretKeySelector)
-		**out = **in
-	}
-	if in.SaslPasswordSecretRef != nil {
-		in, out := &in.SaslPasswordSecretRef, &out.SaslPasswordSecretRef
-		*out = new(v1.SecretKeySelector)
-		**out = **in
-	}
 	if in.SaslUsername != nil {
 		in, out := &in.SaslUsername, &out.SaslUsername
 		*out = new(string)
@@ -874,30 +1065,180 @@ func (in *KafkaSettingsParameters) DeepCopyInto(out *KafkaSettingsParameters) {
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaSettingsParameters.
-func (in *KafkaSettingsParameters) DeepCopy() *KafkaSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaSettingsObservation.
+func (in *KafkaSettingsObservation) DeepCopy() *KafkaSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(KafkaSettingsParameters)
+	out := new(KafkaSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *KinesisSettingsObservation) DeepCopyInto(out *KinesisSettingsObservation) {
+func (in *KafkaSettingsParameters) DeepCopyInto(out *KafkaSettingsParameters) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisSettingsObservation.
-func (in *KinesisSettingsObservation) DeepCopy() *KinesisSettingsObservation {
-	if in == nil {
-		return nil
+	if in.Broker != nil {
+		in, out := &in.Broker, &out.Broker
+		*out = new(string)
+		**out = **in
 	}
-	out := new(KinesisSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
+	if in.IncludeControlDetails != nil {
+		in, out := &in.IncludeControlDetails, &out.IncludeControlDetails
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeNullAndEmpty != nil {
+		in, out := &in.IncludeNullAndEmpty, &out.IncludeNullAndEmpty
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludePartitionValue != nil {
+		in, out := &in.IncludePartitionValue, &out.IncludePartitionValue
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeTableAlterOperations != nil {
+		in, out := &in.IncludeTableAlterOperations, &out.IncludeTableAlterOperations
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeTransactionDetails != nil {
+		in, out := &in.IncludeTransactionDetails, &out.IncludeTransactionDetails
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MessageFormat != nil {
+		in, out := &in.MessageFormat, &out.MessageFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.MessageMaxBytes != nil {
+		in, out := &in.MessageMaxBytes, &out.MessageMaxBytes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NoHexPrefix != nil {
+		in, out := &in.NoHexPrefix, &out.NoHexPrefix
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PartitionIncludeSchemaTable != nil {
+		in, out := &in.PartitionIncludeSchemaTable, &out.PartitionIncludeSchemaTable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SSLCACertificateArn != nil {
+		in, out := &in.SSLCACertificateArn, &out.SSLCACertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLClientCertificateArn != nil {
+		in, out := &in.SSLClientCertificateArn, &out.SSLClientCertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLClientKeyArn != nil {
+		in, out := &in.SSLClientKeyArn, &out.SSLClientKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLClientKeyPasswordSecretRef != nil {
+		in, out := &in.SSLClientKeyPasswordSecretRef, &out.SSLClientKeyPasswordSecretRef
+		*out = new(v1.SecretKeySelector)
+		**out = **in
+	}
+	if in.SaslPasswordSecretRef != nil {
+		in, out := &in.SaslPasswordSecretRef, &out.SaslPasswordSecretRef
+		*out = new(v1.SecretKeySelector)
+		**out = **in
+	}
+	if in.SaslUsername != nil {
+		in, out := &in.SaslUsername, &out.SaslUsername
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityProtocol != nil {
+		in, out := &in.SecurityProtocol, &out.SecurityProtocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Topic != nil {
+		in, out := &in.Topic, &out.Topic
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaSettingsParameters.
+func (in *KafkaSettingsParameters) DeepCopy() *KafkaSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(KafkaSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *KinesisSettingsObservation) DeepCopyInto(out *KinesisSettingsObservation) {
+	*out = *in
+	if in.IncludeControlDetails != nil {
+		in, out := &in.IncludeControlDetails, &out.IncludeControlDetails
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeNullAndEmpty != nil {
+		in, out := &in.IncludeNullAndEmpty, &out.IncludeNullAndEmpty
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludePartitionValue != nil {
+		in, out := &in.IncludePartitionValue, &out.IncludePartitionValue
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeTableAlterOperations != nil {
+		in, out := &in.IncludeTableAlterOperations, &out.IncludeTableAlterOperations
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncludeTransactionDetails != nil {
+		in, out := &in.IncludeTransactionDetails, &out.IncludeTransactionDetails
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MessageFormat != nil {
+		in, out := &in.MessageFormat, &out.MessageFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.PartitionIncludeSchemaTable != nil {
+		in, out := &in.PartitionIncludeSchemaTable, &out.PartitionIncludeSchemaTable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ServiceAccessRoleArn != nil {
+		in, out := &in.ServiceAccessRoleArn, &out.ServiceAccessRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamArn != nil {
+		in, out := &in.StreamArn, &out.StreamArn
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisSettingsObservation.
+func (in *KinesisSettingsObservation) DeepCopy() *KinesisSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(KinesisSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisSettingsParameters) DeepCopyInto(out *KinesisSettingsParameters) {
@@ -962,6 +1303,36 @@ func (in *KinesisSettingsParameters) DeepCopy() *KinesisSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MongodbSettingsObservation) DeepCopyInto(out *MongodbSettingsObservation) {
 	*out = *in
+	if in.AuthMechanism != nil {
+		in, out := &in.AuthMechanism, &out.AuthMechanism
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthSource != nil {
+		in, out := &in.AuthSource, &out.AuthSource
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthType != nil {
+		in, out := &in.AuthType, &out.AuthType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocsToInvestigate != nil {
+		in, out := &in.DocsToInvestigate, &out.DocsToInvestigate
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExtractDocID != nil {
+		in, out := &in.ExtractDocID, &out.ExtractDocID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NestingLevel != nil {
+		in, out := &in.NestingLevel, &out.NestingLevel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbSettingsObservation.
@@ -1022,6 +1393,36 @@ func (in *MongodbSettingsParameters) DeepCopy() *MongodbSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedisSettingsObservation) DeepCopyInto(out *RedisSettingsObservation) {
 	*out = *in
+	if in.AuthType != nil {
+		in, out := &in.AuthType, &out.AuthType
+		*out = new(string)
+		**out = **in
+	}
+	if in.AuthUserName != nil {
+		in, out := &in.AuthUserName, &out.AuthUserName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SSLCACertificateArn != nil {
+		in, out := &in.SSLCACertificateArn, &out.SSLCACertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLSecurityProtocol != nil {
+		in, out := &in.SSLSecurityProtocol, &out.SSLSecurityProtocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerName != nil {
+		in, out := &in.ServerName, &out.ServerName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisSettingsObservation.
@@ -1087,6 +1488,31 @@ func (in *RedisSettingsParameters) DeepCopy() *RedisSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftSettingsObservation) DeepCopyInto(out *RedshiftSettingsObservation) {
 	*out = *in
+	if in.BucketFolder != nil {
+		in, out := &in.BucketFolder, &out.BucketFolder
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionMode != nil {
+		in, out := &in.EncryptionMode, &out.EncryptionMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerSideEncryptionKMSKeyID != nil {
+		in, out := &in.ServerSideEncryptionKMSKeyID, &out.ServerSideEncryptionKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceAccessRoleArn != nil {
+		in, out := &in.ServiceAccessRoleArn, &out.ServiceAccessRoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftSettingsObservation.
@@ -1201,16 +1627,71 @@ func (in *ReplicationInstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicationInstanceObservation) DeepCopyInto(out *ReplicationInstanceObservation) {
 	*out = *in
+	if in.AllocatedStorage != nil {
+		in, out := &in.AllocatedStorage, &out.AllocatedStorage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AllowMajorVersionUpgrade != nil {
+		in, out := &in.AllowMajorVersionUpgrade, &out.AllowMajorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultiAz != nil {
+		in, out := &in.MultiAz, &out.MultiAz
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PubliclyAccessible != nil {
+		in, out := &in.PubliclyAccessible, &out.PubliclyAccessible
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ReplicationInstanceArn != nil {
 		in, out := &in.ReplicationInstanceArn, &out.ReplicationInstanceArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReplicationInstanceClass != nil {
+		in, out := &in.ReplicationInstanceClass, &out.ReplicationInstanceClass
+		*out = new(string)
+		**out = **in
+	}
 	if in.ReplicationInstancePrivateIps != nil {
 		in, out := &in.ReplicationInstancePrivateIps, &out.ReplicationInstancePrivateIps
 		*out = make([]*string, len(*in))
@@ -1233,6 +1714,26 @@ func (in *ReplicationInstanceObservation) DeepCopyInto(out *ReplicationInstanceO
 			}
 		}
 	}
+	if in.ReplicationSubnetGroupID != nil {
+		in, out := &in.ReplicationSubnetGroupID, &out.ReplicationSubnetGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1248,6 +1749,17 @@ func (in *ReplicationInstanceObservation) DeepCopyInto(out *ReplicationInstanceO
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationInstanceObservation.
@@ -1504,6 +2016,37 @@ func (in *ReplicationSubnetGroupObservation) DeepCopyInto(out *ReplicationSubnet
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReplicationSubnetGroupDescription != nil {
+		in, out := &in.ReplicationSubnetGroupDescription, &out.ReplicationSubnetGroupDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1695,21 +2238,76 @@ func (in *ReplicationTaskList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicationTaskObservation) DeepCopyInto(out *ReplicationTaskObservation) {
 	*out = *in
+	if in.CdcStartPosition != nil {
+		in, out := &in.CdcStartPosition, &out.CdcStartPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.CdcStartTime != nil {
+		in, out := &in.CdcStartTime, &out.CdcStartTime
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MigrationType != nil {
+		in, out := &in.MigrationType, &out.MigrationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplicationInstanceArn != nil {
+		in, out := &in.ReplicationInstanceArn, &out.ReplicationInstanceArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ReplicationTaskArn != nil {
 		in, out := &in.ReplicationTaskArn, &out.ReplicationTaskArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReplicationTaskSettings != nil {
+		in, out := &in.ReplicationTaskSettings, &out.ReplicationTaskSettings
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceEndpointArn != nil {
+		in, out := &in.SourceEndpointArn, &out.SourceEndpointArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartReplicationTask != nil {
+		in, out := &in.StartReplicationTask, &out.StartReplicationTask
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.TableMappings != nil {
+		in, out := &in.TableMappings, &out.TableMappings
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1725,6 +2323,11 @@ func (in *ReplicationTaskObservation) DeepCopyInto(out *ReplicationTaskObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetEndpointArn != nil {
+		in, out := &in.TargetEndpointArn, &out.TargetEndpointArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationTaskObservation.
@@ -1943,23 +2546,228 @@ func (in *S3EndpointList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3EndpointObservation) DeepCopyInto(out *S3EndpointObservation) {
 	*out = *in
+	if in.AddColumnName != nil {
+		in, out := &in.AddColumnName, &out.AddColumnName
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AddTrailingPaddingCharacter != nil {
+		in, out := &in.AddTrailingPaddingCharacter, &out.AddTrailingPaddingCharacter
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BucketFolder != nil {
+		in, out := &in.BucketFolder, &out.BucketFolder
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CannedACLForObjects != nil {
+		in, out := &in.CannedACLForObjects, &out.CannedACLForObjects
+		*out = new(string)
+		**out = **in
+	}
+	if in.CdcInsertsAndUpdates != nil {
+		in, out := &in.CdcInsertsAndUpdates, &out.CdcInsertsAndUpdates
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CdcInsertsOnly != nil {
+		in, out := &in.CdcInsertsOnly, &out.CdcInsertsOnly
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CdcMaxBatchInterval != nil {
+		in, out := &in.CdcMaxBatchInterval, &out.CdcMaxBatchInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CdcMinFileSize != nil {
+		in, out := &in.CdcMinFileSize, &out.CdcMinFileSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CdcPath != nil {
+		in, out := &in.CdcPath, &out.CdcPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CompressionType != nil {
+		in, out := &in.CompressionType, &out.CompressionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvDelimiter != nil {
+		in, out := &in.CsvDelimiter, &out.CsvDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvNoSupValue != nil {
+		in, out := &in.CsvNoSupValue, &out.CsvNoSupValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvNullValue != nil {
+		in, out := &in.CsvNullValue, &out.CsvNullValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvRowDelimiter != nil {
+		in, out := &in.CsvRowDelimiter, &out.CsvRowDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataFormat != nil {
+		in, out := &in.DataFormat, &out.DataFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataPageSize != nil {
+		in, out := &in.DataPageSize, &out.DataPageSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatePartitionDelimiter != nil {
+		in, out := &in.DatePartitionDelimiter, &out.DatePartitionDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatePartitionEnabled != nil {
+		in, out := &in.DatePartitionEnabled, &out.DatePartitionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DatePartitionSequence != nil {
+		in, out := &in.DatePartitionSequence, &out.DatePartitionSequence
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatePartitionTimezone != nil {
+		in, out := &in.DatePartitionTimezone, &out.DatePartitionTimezone
+		*out = new(string)
+		**out = **in
+	}
+	if in.DictPageSizeLimit != nil {
+		in, out := &in.DictPageSizeLimit, &out.DictPageSizeLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EnableStatistics != nil {
+		in, out := &in.EnableStatistics, &out.EnableStatistics
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EncodingType != nil {
+		in, out := &in.EncodingType, &out.EncodingType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionMode != nil {
+		in, out := &in.EncryptionMode, &out.EncryptionMode
+		*out = new(string)
+		**out = **in
+	}
 	if in.EndpointArn != nil {
 		in, out := &in.EndpointArn, &out.EndpointArn
 		*out = new(string)
 		**out = **in
 	}
-	if in.EngineDisplayName != nil {
-		in, out := &in.EngineDisplayName, &out.EngineDisplayName
+	if in.EndpointType != nil {
+		in, out := &in.EndpointType, &out.EndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineDisplayName != nil {
+		in, out := &in.EngineDisplayName, &out.EngineDisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExternalID != nil {
+		in, out := &in.ExternalID, &out.ExternalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExternalTableDefinition != nil {
+		in, out := &in.ExternalTableDefinition, &out.ExternalTableDefinition
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IgnoreHeaderRows != nil {
+		in, out := &in.IgnoreHeaderRows, &out.IgnoreHeaderRows
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IncludeOpForFullLoad != nil {
+		in, out := &in.IncludeOpForFullLoad, &out.IncludeOpForFullLoad
+		*out = new(bool)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxFileSize != nil {
+		in, out := &in.MaxFileSize, &out.MaxFileSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParquetTimestampInMillisecond != nil {
+		in, out := &in.ParquetTimestampInMillisecond, &out.ParquetTimestampInMillisecond
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ParquetVersion != nil {
+		in, out := &in.ParquetVersion, &out.ParquetVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreserveTransactions != nil {
+		in, out := &in.PreserveTransactions, &out.PreserveTransactions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Rfc4180 != nil {
+		in, out := &in.Rfc4180, &out.Rfc4180
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RowGroupLength != nil {
+		in, out := &in.RowGroupLength, &out.RowGroupLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SSLMode != nil {
+		in, out := &in.SSLMode, &out.SSLMode
 		*out = new(string)
 		**out = **in
 	}
-	if in.ExternalID != nil {
-		in, out := &in.ExternalID, &out.ExternalID
+	if in.ServerSideEncryptionKMSKeyID != nil {
+		in, out := &in.ServerSideEncryptionKMSKeyID, &out.ServerSideEncryptionKMSKeyID
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.ServiceAccessRoleArn != nil {
+		in, out := &in.ServiceAccessRoleArn, &out.ServiceAccessRoleArn
 		*out = new(string)
 		**out = **in
 	}
@@ -1968,6 +2776,21 @@ func (in *S3EndpointObservation) DeepCopyInto(out *S3EndpointObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1983,6 +2806,21 @@ func (in *S3EndpointObservation) DeepCopyInto(out *S3EndpointObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TimestampColumnName != nil {
+		in, out := &in.TimestampColumnName, &out.TimestampColumnName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseCsvNoSupValue != nil {
+		in, out := &in.UseCsvNoSupValue, &out.UseCsvNoSupValue
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UseTaskStartTimeForFullLoadTimestamp != nil {
+		in, out := &in.UseTaskStartTimeForFullLoadTimestamp, &out.UseTaskStartTimeForFullLoadTimestamp
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3EndpointObservation.
@@ -2317,6 +3155,196 @@ func (in *S3EndpointStatus) DeepCopy() *S3EndpointStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3SettingsObservation) DeepCopyInto(out *S3SettingsObservation) {
 	*out = *in
+	if in.AddColumnName != nil {
+		in, out := &in.AddColumnName, &out.AddColumnName
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BucketFolder != nil {
+		in, out := &in.BucketFolder, &out.BucketFolder
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CannedACLForObjects != nil {
+		in, out := &in.CannedACLForObjects, &out.CannedACLForObjects
+		*out = new(string)
+		**out = **in
+	}
+	if in.CdcInsertsAndUpdates != nil {
+		in, out := &in.CdcInsertsAndUpdates, &out.CdcInsertsAndUpdates
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CdcInsertsOnly != nil {
+		in, out := &in.CdcInsertsOnly, &out.CdcInsertsOnly
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CdcMaxBatchInterval != nil {
+		in, out := &in.CdcMaxBatchInterval, &out.CdcMaxBatchInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CdcMinFileSize != nil {
+		in, out := &in.CdcMinFileSize, &out.CdcMinFileSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CdcPath != nil {
+		in, out := &in.CdcPath, &out.CdcPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.CompressionType != nil {
+		in, out := &in.CompressionType, &out.CompressionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvDelimiter != nil {
+		in, out := &in.CsvDelimiter, &out.CsvDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvNoSupValue != nil {
+		in, out := &in.CsvNoSupValue, &out.CsvNoSupValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvNullValue != nil {
+		in, out := &in.CsvNullValue, &out.CsvNullValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.CsvRowDelimiter != nil {
+		in, out := &in.CsvRowDelimiter, &out.CsvRowDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataFormat != nil {
+		in, out := &in.DataFormat, &out.DataFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataPageSize != nil {
+		in, out := &in.DataPageSize, &out.DataPageSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatePartitionDelimiter != nil {
+		in, out := &in.DatePartitionDelimiter, &out.DatePartitionDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatePartitionEnabled != nil {
+		in, out := &in.DatePartitionEnabled, &out.DatePartitionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DatePartitionSequence != nil {
+		in, out := &in.DatePartitionSequence, &out.DatePartitionSequence
+		*out = new(string)
+		**out = **in
+	}
+	if in.DictPageSizeLimit != nil {
+		in, out := &in.DictPageSizeLimit, &out.DictPageSizeLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EnableStatistics != nil {
+		in, out := &in.EnableStatistics, &out.EnableStatistics
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EncodingType != nil {
+		in, out := &in.EncodingType, &out.EncodingType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionMode != nil {
+		in, out := &in.EncryptionMode, &out.EncryptionMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExternalTableDefinition != nil {
+		in, out := &in.ExternalTableDefinition, &out.ExternalTableDefinition
+		*out = new(string)
+		**out = **in
+	}
+	if in.IgnoreHeaderRows != nil {
+		in, out := &in.IgnoreHeaderRows, &out.IgnoreHeaderRows
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreHeadersRow != nil {
+		in, out := &in.IgnoreHeadersRow, &out.IgnoreHeadersRow
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IncludeOpForFullLoad != nil {
+		in, out := &in.IncludeOpForFullLoad, &out.IncludeOpForFullLoad
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MaxFileSize != nil {
+		in, out := &in.MaxFileSize, &out.MaxFileSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParquetTimestampInMillisecond != nil {
+		in, out := &in.ParquetTimestampInMillisecond, &out.ParquetTimestampInMillisecond
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ParquetVersion != nil {
+		in, out := &in.ParquetVersion, &out.ParquetVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreserveTransactions != nil {
+		in, out := &in.PreserveTransactions, &out.PreserveTransactions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Rfc4180 != nil {
+		in, out := &in.Rfc4180, &out.Rfc4180
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RowGroupLength != nil {
+		in, out := &in.RowGroupLength, &out.RowGroupLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServerSideEncryptionKMSKeyID != nil {
+		in, out := &in.ServerSideEncryptionKMSKeyID, &out.ServerSideEncryptionKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceAccessRoleArn != nil {
+		in, out := &in.ServiceAccessRoleArn, &out.ServiceAccessRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimestampColumnName != nil {
+		in, out := &in.TimestampColumnName, &out.TimestampColumnName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseCsvNoSupValue != nil {
+		in, out := &in.UseCsvNoSupValue, &out.UseCsvNoSupValue
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UseTaskStartTimeForFullLoadTimestamp != nil {
+		in, out := &in.UseTaskStartTimeForFullLoadTimestamp, &out.UseTaskStartTimeForFullLoadTimestamp
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3SettingsObservation.
diff --git a/apis/dms/v1beta1/zz_replicationinstance_types.go b/apis/dms/v1beta1/zz_replicationinstance_types.go
index 4c4bb61b72..74079357e6 100755
--- a/apis/dms/v1beta1/zz_replicationinstance_types.go
+++ b/apis/dms/v1beta1/zz_replicationinstance_types.go
@@ -14,19 +14,62 @@ import (
 )
 
 type ReplicationInstanceObservation struct {
+
+	// The amount of storage (in gigabytes) to be initially allocated for the replication instance.
+	AllocatedStorage *float64 `json:"allocatedStorage,omitempty" tf:"allocated_storage,omitempty"`
+
+	// Indicates that major version upgrades are allowed.
+	AllowMajorVersionUpgrade *bool `json:"allowMajorVersionUpgrade,omitempty" tf:"allow_major_version_upgrade,omitempty"`
+
+	// Indicates whether the changes should be applied immediately or during the next maintenance window. Only used when updating an existing resource.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
+	// Indicates that minor engine upgrades will be applied automatically to the replication instance during the maintenance window.
+	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// The EC2 Availability Zone that the replication instance will be created in.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The engine version number of the replication instance.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Amazon Resource Name (ARN) for the KMS key that will be used to encrypt the connection parameters. If you do not specify a value for kms_key_arn, then AWS DMS will use your default encryption key. AWS KMS creates the default encryption key for your AWS account. Your AWS account has a different default encryption key for each AWS region.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Specifies if the replication instance is a multi-az deployment. You cannot set the availability_zone parameter if the multi_az parameter is set to true.
+	MultiAz *bool `json:"multiAz,omitempty" tf:"multi_az,omitempty"`
+
+	// The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC).
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
+	// Specifies the accessibility options for the replication instance. A value of true represents an instance with a public IP address. A value of false represents an instance with a private IP address.
+	PubliclyAccessible *bool `json:"publiclyAccessible,omitempty" tf:"publicly_accessible,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the replication instance.
 	ReplicationInstanceArn *string `json:"replicationInstanceArn,omitempty" tf:"replication_instance_arn,omitempty"`
 
+	// The compute and memory capacity of the replication instance as specified by the replication instance class. See AWS DMS User Guide for available instance sizes and advice on which one to choose.
+	ReplicationInstanceClass *string `json:"replicationInstanceClass,omitempty" tf:"replication_instance_class,omitempty"`
+
 	// A list of the private IP addresses of the replication instance.
 	ReplicationInstancePrivateIps []*string `json:"replicationInstancePrivateIps,omitempty" tf:"replication_instance_private_ips,omitempty"`
 
 	// A list of the public IP addresses of the replication instance.
 	ReplicationInstancePublicIps []*string `json:"replicationInstancePublicIps,omitempty" tf:"replication_instance_public_ips,omitempty"`
 
+	// A subnet group to associate with the replication instance.
+	ReplicationSubnetGroupID *string `json:"replicationSubnetGroupId,omitempty" tf:"replication_subnet_group_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// A list of VPC security group IDs to be used with the replication instance. The VPC security groups must work with the VPC containing the replication instance.
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 }
 
 type ReplicationInstanceParameters struct {
@@ -86,8 +129,8 @@ type ReplicationInstanceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The compute and memory capacity of the replication instance as specified by the replication instance class. See AWS DMS User Guide for available instance sizes and advice on which one to choose.
-	// +kubebuilder:validation:Required
-	ReplicationInstanceClass *string `json:"replicationInstanceClass" tf:"replication_instance_class,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReplicationInstanceClass *string `json:"replicationInstanceClass,omitempty" tf:"replication_instance_class,omitempty"`
 
 	// A subnet group to associate with the replication instance.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/dms/v1beta1.ReplicationSubnetGroup
@@ -147,8 +190,9 @@ type ReplicationInstanceStatus struct {
 type ReplicationInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReplicationInstanceSpec   `json:"spec"`
-	Status            ReplicationInstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicationInstanceClass)",message="replicationInstanceClass is a required parameter"
+	Spec   ReplicationInstanceSpec   `json:"spec"`
+	Status ReplicationInstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dms/v1beta1/zz_replicationsubnetgroup_types.go b/apis/dms/v1beta1/zz_replicationsubnetgroup_types.go
index 1edb9b25a4..04b8e089d0 100755
--- a/apis/dms/v1beta1/zz_replicationsubnetgroup_types.go
+++ b/apis/dms/v1beta1/zz_replicationsubnetgroup_types.go
@@ -18,6 +18,15 @@ type ReplicationSubnetGroupObservation struct {
 
 	ReplicationSubnetGroupArn *string `json:"replicationSubnetGroupArn,omitempty" tf:"replication_subnet_group_arn,omitempty"`
 
+	// Description for the subnet group.
+	ReplicationSubnetGroupDescription *string `json:"replicationSubnetGroupDescription,omitempty" tf:"replication_subnet_group_description,omitempty"`
+
+	// List of at least 2 EC2 subnet IDs for the subnet group. The subnets must cover at least 2 availability zones.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -33,8 +42,8 @@ type ReplicationSubnetGroupParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Description for the subnet group.
-	// +kubebuilder:validation:Required
-	ReplicationSubnetGroupDescription *string `json:"replicationSubnetGroupDescription" tf:"replication_subnet_group_description,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReplicationSubnetGroupDescription *string `json:"replicationSubnetGroupDescription,omitempty" tf:"replication_subnet_group_description,omitempty"`
 
 	// References to Subnet in ec2 to populate subnetIds.
 	// +kubebuilder:validation:Optional
@@ -80,8 +89,9 @@ type ReplicationSubnetGroupStatus struct {
 type ReplicationSubnetGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReplicationSubnetGroupSpec   `json:"spec"`
-	Status            ReplicationSubnetGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicationSubnetGroupDescription)",message="replicationSubnetGroupDescription is a required parameter"
+	Spec   ReplicationSubnetGroupSpec   `json:"spec"`
+	Status ReplicationSubnetGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dms/v1beta1/zz_replicationtask_types.go b/apis/dms/v1beta1/zz_replicationtask_types.go
index a1170d788b..f6014fd4da 100755
--- a/apis/dms/v1beta1/zz_replicationtask_types.go
+++ b/apis/dms/v1beta1/zz_replicationtask_types.go
@@ -14,16 +14,47 @@ import (
 )
 
 type ReplicationTaskObservation struct {
+
+	// Indicates when you want a change data capture (CDC) operation to start. The value can be in date, checkpoint, or LSN/SCN format depending on the source engine. For more information, see Determining a CDC native start point.
+	CdcStartPosition *string `json:"cdcStartPosition,omitempty" tf:"cdc_start_position,omitempty"`
+
+	// The Unix timestamp integer for the start of the Change Data Capture (CDC) operation.
+	CdcStartTime *string `json:"cdcStartTime,omitempty" tf:"cdc_start_time,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The migration type. Can be one of full-load | cdc | full-load-and-cdc.
+	MigrationType *string `json:"migrationType,omitempty" tf:"migration_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the replication instance.
+	ReplicationInstanceArn *string `json:"replicationInstanceArn,omitempty" tf:"replication_instance_arn,omitempty"`
+
 	// The Amazon Resource Name (ARN) for the replication task.
 	ReplicationTaskArn *string `json:"replicationTaskArn,omitempty" tf:"replication_task_arn,omitempty"`
 
+	// An escaped JSON string that contains the task settings. For a complete list of task settings, see Task Settings for AWS Database Migration Service Tasks.
+	ReplicationTaskSettings *string `json:"replicationTaskSettings,omitempty" tf:"replication_task_settings,omitempty"`
+
+	// The Amazon Resource Name (ARN) string that uniquely identifies the source endpoint.
+	SourceEndpointArn *string `json:"sourceEndpointArn,omitempty" tf:"source_endpoint_arn,omitempty"`
+
+	// Whether to run or stop the replication task.
+	StartReplicationTask *bool `json:"startReplicationTask,omitempty" tf:"start_replication_task,omitempty"`
+
 	// Replication Task status.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// An escaped JSON string that contains the table mappings. For information on table mapping see Using Table Mapping with an AWS Database Migration Service Task to Select and Filter Data
+	TableMappings *string `json:"tableMappings,omitempty" tf:"table_mappings,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The Amazon Resource Name (ARN) string that uniquely identifies the target endpoint.
+	TargetEndpointArn *string `json:"targetEndpointArn,omitempty" tf:"target_endpoint_arn,omitempty"`
 }
 
 type ReplicationTaskParameters struct {
@@ -37,8 +68,8 @@ type ReplicationTaskParameters struct {
 	CdcStartTime *string `json:"cdcStartTime,omitempty" tf:"cdc_start_time,omitempty"`
 
 	// The migration type. Can be one of full-load | cdc | full-load-and-cdc.
-	// +kubebuilder:validation:Required
-	MigrationType *string `json:"migrationType" tf:"migration_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	MigrationType *string `json:"migrationType,omitempty" tf:"migration_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -82,8 +113,8 @@ type ReplicationTaskParameters struct {
 	StartReplicationTask *bool `json:"startReplicationTask,omitempty" tf:"start_replication_task,omitempty"`
 
 	// An escaped JSON string that contains the table mappings. For information on table mapping see Using Table Mapping with an AWS Database Migration Service Task to Select and Filter Data
-	// +kubebuilder:validation:Required
-	TableMappings *string `json:"tableMappings" tf:"table_mappings,omitempty"`
+	// +kubebuilder:validation:Optional
+	TableMappings *string `json:"tableMappings,omitempty" tf:"table_mappings,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -128,8 +159,10 @@ type ReplicationTaskStatus struct {
 type ReplicationTask struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReplicationTaskSpec   `json:"spec"`
-	Status            ReplicationTaskStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.migrationType)",message="migrationType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tableMappings)",message="tableMappings is a required parameter"
+	Spec   ReplicationTaskSpec   `json:"spec"`
+	Status ReplicationTaskStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dms/v1beta1/zz_s3endpoint_types.go b/apis/dms/v1beta1/zz_s3endpoint_types.go
index 62ade5403b..8be935d989 100755
--- a/apis/dms/v1beta1/zz_s3endpoint_types.go
+++ b/apis/dms/v1beta1/zz_s3endpoint_types.go
@@ -15,22 +15,157 @@ import (
 
 type S3EndpointObservation struct {
 
+	// Whether to add column name information to the .csv output file. Default is false.
+	AddColumnName *bool `json:"addColumnName,omitempty" tf:"add_column_name,omitempty"`
+
+	// Whether to add padding. Default is false. (Ignored for source endpoints.)
+	AddTrailingPaddingCharacter *bool `json:"addTrailingPaddingCharacter,omitempty" tf:"add_trailing_padding_character,omitempty"`
+
+	// S3 object prefix.
+	BucketFolder *string `json:"bucketFolder,omitempty" tf:"bucket_folder,omitempty"`
+
+	// S3 bucket name.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Predefined (canned) access control list for objects created in an S3 bucket. Valid values include NONE, PRIVATE, PUBLIC_READ, PUBLIC_READ_WRITE, AUTHENTICATED_READ, AWS_EXEC_READ, BUCKET_OWNER_READ, and BUCKET_OWNER_FULL_CONTROL. (AWS default is NONE.)
+	CannedACLForObjects *string `json:"cannedAclForObjects,omitempty" tf:"canned_acl_for_objects,omitempty"`
+
+	// Whether to write insert and update operations to .csv or .parquet output files. Default is false.
+	CdcInsertsAndUpdates *bool `json:"cdcInsertsAndUpdates,omitempty" tf:"cdc_inserts_and_updates,omitempty"`
+
+	// Whether to write insert operations to .csv or .parquet output files. Default is false.
+	CdcInsertsOnly *bool `json:"cdcInsertsOnly,omitempty" tf:"cdc_inserts_only,omitempty"`
+
+	// Maximum length of the interval, defined in seconds, after which to output a file to Amazon S3. (AWS default is 60.)
+	CdcMaxBatchInterval *float64 `json:"cdcMaxBatchInterval,omitempty" tf:"cdc_max_batch_interval,omitempty"`
+
+	// Minimum file size condition as defined in kilobytes to output a file to Amazon S3. (AWS default is 32000 KB.)
+	CdcMinFileSize *float64 `json:"cdcMinFileSize,omitempty" tf:"cdc_min_file_size,omitempty"`
+
+	// Folder path of CDC files. If cdc_path is set, AWS DMS reads CDC files from this path and replicates the data changes to the target endpoint. Supported in AWS DMS versions 3.4.2 and later.
+	CdcPath *string `json:"cdcPath,omitempty" tf:"cdc_path,omitempty"`
+
+	// ARN for the certificate.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
+	// Set to compress target files. Valid values are GZIP and NONE. Default is NONE. (Ignored for source endpoints.)
+	CompressionType *string `json:"compressionType,omitempty" tf:"compression_type,omitempty"`
+
+	// Delimiter used to separate columns in the source files. Default is ,.
+	CsvDelimiter *string `json:"csvDelimiter,omitempty" tf:"csv_delimiter,omitempty"`
+
+	// Only applies if output files for a CDC load are written in .csv format. If use_csv_no_sup_value is set to true, string to use for all columns not included in the supplemental log. If you do not specify a string value, DMS uses the null value for these columns regardless of use_csv_no_sup_value. (Ignored for source endpoints.)
+	CsvNoSupValue *string `json:"csvNoSupValue,omitempty" tf:"csv_no_sup_value,omitempty"`
+
+	// String to as null when writing to the target. (AWS default is NULL.)
+	CsvNullValue *string `json:"csvNullValue,omitempty" tf:"csv_null_value,omitempty"`
+
+	// Delimiter used to separate rows in the source files. Default is newline (i.e., \n).
+	CsvRowDelimiter *string `json:"csvRowDelimiter,omitempty" tf:"csv_row_delimiter,omitempty"`
+
+	// Output format for the files that AWS DMS uses to create S3 objects. Valid values are csv and parquet.  (Ignored for source endpoints -- only csv is valid.)
+	DataFormat *string `json:"dataFormat,omitempty" tf:"data_format,omitempty"`
+
+	// Size of one data page in bytes. (AWS default is 1 MiB, i.e., 1048576.)
+	DataPageSize *float64 `json:"dataPageSize,omitempty" tf:"data_page_size,omitempty"`
+
+	// Date separating delimiter to use during folder partitioning. Valid values are SLASH, UNDERSCORE, DASH, and NONE. (AWS default is SLASH.) (Ignored for source endpoints.)
+	DatePartitionDelimiter *string `json:"datePartitionDelimiter,omitempty" tf:"date_partition_delimiter,omitempty"`
+
+	// Partition S3 bucket folders based on transaction commit dates. Default is false. (Ignored for source endpoints.)
+	DatePartitionEnabled *bool `json:"datePartitionEnabled,omitempty" tf:"date_partition_enabled,omitempty"`
+
+	// Date format to use during folder partitioning. Use this parameter when date_partition_enabled is set to true. Valid values are YYYYMMDD, YYYYMMDDHH, YYYYMM, MMYYYYDD, and DDMMYYYY. (AWS default is YYYYMMDD.) (Ignored for source endpoints.)
+	DatePartitionSequence *string `json:"datePartitionSequence,omitempty" tf:"date_partition_sequence,omitempty"`
+
+	// Convert the current UTC time to a timezone. The conversion occurs when a date partition folder is created and a CDC filename is generated. The timezone format is Area/Location (e.g., Europe/Paris). Use this when date_partition_enabled is true. (Ignored for source endpoints.)
+	DatePartitionTimezone *string `json:"datePartitionTimezone,omitempty" tf:"date_partition_timezone,omitempty"`
+
+	// Maximum size in bytes of an encoded dictionary page of a column. (AWS default is 1 MiB, i.e., 1048576.)
+	DictPageSizeLimit *float64 `json:"dictPageSizeLimit,omitempty" tf:"dict_page_size_limit,omitempty"`
+
+	// Whether to enable statistics for Parquet pages and row groups. Default is true.
+	EnableStatistics *bool `json:"enableStatistics,omitempty" tf:"enable_statistics,omitempty"`
+
+	// Type of encoding to use. Value values are rle_dictionary, plain, and plain_dictionary. (AWS default is rle_dictionary.)
+	EncodingType *string `json:"encodingType,omitempty" tf:"encoding_type,omitempty"`
+
+	// Server-side encryption mode that you want to encrypt your .csv or .parquet object files copied to S3. Valid values are SSE_S3 and SSE_KMS. (AWS default is SSE_S3.) (Ignored for source endpoints -- only SSE_S3 is valid.)
+	EncryptionMode *string `json:"encryptionMode,omitempty" tf:"encryption_mode,omitempty"`
+
 	// ARN for the endpoint.
 	EndpointArn *string `json:"endpointArn,omitempty" tf:"endpoint_arn,omitempty"`
 
+	// Type of endpoint. Valid values are source, target.
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
+
 	// Expanded name for the engine name.
 	EngineDisplayName *string `json:"engineDisplayName,omitempty" tf:"engine_display_name,omitempty"`
 
+	// Bucket owner to prevent sniping. Value is an AWS account ID.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// Can be used for cross-account validation. Use it in another account with aws_dms_s3_endpoint to create the endpoint cross-account.
 	ExternalID *string `json:"externalId,omitempty" tf:"external_id,omitempty"`
 
+	// JSON document that describes how AWS DMS should interpret the data.
+	ExternalTableDefinition *string `json:"externalTableDefinition,omitempty" tf:"external_table_definition,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// When this value is set to 1, DMS ignores the first row header in a .csv file. (AWS default is 0.)
+	IgnoreHeaderRows *float64 `json:"ignoreHeaderRows,omitempty" tf:"ignore_header_rows,omitempty"`
+
+	// Whether to enable a full load to write INSERT operations to the .csv output files only to indicate how the rows were added to the source database. Default is false.
+	IncludeOpForFullLoad *bool `json:"includeOpForFullLoad,omitempty" tf:"include_op_for_full_load,omitempty"`
+
+	// ARN for the KMS key that will be used to encrypt the connection parameters. If you do not specify a value for kms_key_arn, then AWS DMS will use your default encryption key. AWS KMS creates the default encryption key for your AWS account. Your AWS account has a different default encryption key for each AWS region.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Maximum size (in KB) of any .csv file to be created while migrating to an S3 target during full load. Valid values are from 1 to 1048576. (AWS default is 1 GB, i.e., 1048576.)
+	MaxFileSize *float64 `json:"maxFileSize,omitempty" tf:"max_file_size,omitempty"`
+
+	// - Specifies the precision of any TIMESTAMP column values written to an S3 object file in .parquet format. Default is false. (Ignored for source endpoints.)
+	ParquetTimestampInMillisecond *bool `json:"parquetTimestampInMillisecond,omitempty" tf:"parquet_timestamp_in_millisecond,omitempty"`
+
+	// Version of the .parquet file format. Valid values are parquet-1-0 and parquet-2-0. (AWS default is parquet-1-0.) (Ignored for source endpoints.)
+	ParquetVersion *string `json:"parquetVersion,omitempty" tf:"parquet_version,omitempty"`
+
+	// Whether DMS saves the transaction order for a CDC load on the S3 target specified by cdc_path. Default is false. (Ignored for source endpoints.)
+	PreserveTransactions *bool `json:"preserveTransactions,omitempty" tf:"preserve_transactions,omitempty"`
+
+	// For an S3 source, whether each leading double quotation mark has to be followed by an ending double quotation mark. Default is true.
+	Rfc4180 *bool `json:"rfc4180,omitempty" tf:"rfc_4180,omitempty"`
+
+	// Number of rows in a row group. (AWS default is 10000.)
+	RowGroupLength *float64 `json:"rowGroupLength,omitempty" tf:"row_group_length,omitempty"`
+
+	// SSL mode to use for the connection. Valid values are none, require, verify-ca, verify-full. (AWS default is none.)
+	SSLMode *string `json:"sslMode,omitempty" tf:"ssl_mode,omitempty"`
+
+	// When encryption_mode is SSE_KMS, ARN for the AWS KMS key. (Ignored for source endpoints -- only SSE_S3 encryption_mode is valid.)
+	ServerSideEncryptionKMSKeyID *string `json:"serverSideEncryptionKmsKeyId,omitempty" tf:"server_side_encryption_kms_key_id,omitempty"`
+
+	// ARN of the IAM role with permissions to the S3 Bucket.
+	ServiceAccessRoleArn *string `json:"serviceAccessRoleArn,omitempty" tf:"service_access_role_arn,omitempty"`
+
 	// Status of the endpoint.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Column to add with timestamp information to the endpoint data for an Amazon S3 target.
+	TimestampColumnName *string `json:"timestampColumnName,omitempty" tf:"timestamp_column_name,omitempty"`
+
+	// Whether to use csv_no_sup_value for columns not included in the supplemental log. (Ignored for source endpoints.)
+	UseCsvNoSupValue *bool `json:"useCsvNoSupValue,omitempty" tf:"use_csv_no_sup_value,omitempty"`
+
+	// When set to true, uses the task start time as the timestamp column value instead of the time data is written to target. For full load, when set to true, each row of the timestamp column contains the task start time. For CDC loads, each row of the timestamp column contains the transaction commit time.When set to false, the full load timestamp in the timestamp column increments with the time data arrives at the target. Default is false.
+	UseTaskStartTimeForFullLoadTimestamp *bool `json:"useTaskStartTimeForFullLoadTimestamp,omitempty" tf:"use_task_start_time_for_full_load_timestamp,omitempty"`
 }
 
 type S3EndpointParameters struct {
@@ -48,8 +183,8 @@ type S3EndpointParameters struct {
 	BucketFolder *string `json:"bucketFolder,omitempty" tf:"bucket_folder,omitempty"`
 
 	// S3 bucket name.
-	// +kubebuilder:validation:Required
-	BucketName *string `json:"bucketName" tf:"bucket_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
 
 	// Predefined (canned) access control list for objects created in an S3 bucket. Valid values include NONE, PRIVATE, PUBLIC_READ, PUBLIC_READ_WRITE, AUTHENTICATED_READ, AWS_EXEC_READ, BUCKET_OWNER_READ, and BUCKET_OWNER_FULL_CONTROL. (AWS default is NONE.)
 	// +kubebuilder:validation:Optional
@@ -140,8 +275,8 @@ type S3EndpointParameters struct {
 	EncryptionMode *string `json:"encryptionMode,omitempty" tf:"encryption_mode,omitempty"`
 
 	// Type of endpoint. Valid values are source, target.
-	// +kubebuilder:validation:Required
-	EndpointType *string `json:"endpointType" tf:"endpoint_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
 
 	// Bucket owner to prevent sniping. Value is an AWS account ID.
 	// +kubebuilder:validation:Optional
@@ -274,8 +409,10 @@ type S3EndpointStatus struct {
 type S3Endpoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              S3EndpointSpec   `json:"spec"`
-	Status            S3EndpointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bucketName)",message="bucketName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpointType)",message="endpointType is a required parameter"
+	Spec   S3EndpointSpec   `json:"spec"`
+	Status S3EndpointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/docdb/v1beta1/zz_cluster_types.go b/apis/docdb/v1beta1/zz_cluster_types.go
index db7ba2eadb..9f23b05f47 100755
--- a/apis/docdb/v1beta1/zz_cluster_types.go
+++ b/apis/docdb/v1beta1/zz_cluster_types.go
@@ -15,29 +15,100 @@ import (
 
 type ClusterObservation struct {
 
+	// Specifies whether any cluster modifications
+	// are applied immediately, or during the next maintenance window. Default is
+	// false.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// Amazon Resource Name (ARN) of cluster
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A list of EC2 Availability Zones that
+	// instances in the DB cluster can be created in.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	// The days to retain backups for. Default 1
+	BackupRetentionPeriod *float64 `json:"backupRetentionPeriod,omitempty" tf:"backup_retention_period,omitempty"`
+
 	// – List of DocDB Instances that are a part of this cluster
 	ClusterMembers []*string `json:"clusterMembers,omitempty" tf:"cluster_members,omitempty"`
 
 	// The DocDB Cluster Resource ID
 	ClusterResourceID *string `json:"clusterResourceId,omitempty" tf:"cluster_resource_id,omitempty"`
 
+	// A cluster parameter group to associate with the cluster.
+	DBClusterParameterGroupName *string `json:"dbClusterParameterGroupName,omitempty" tf:"db_cluster_parameter_group_name,omitempty"`
+
+	// A DB subnet group to associate with this DB instance.
+	DBSubnetGroupName *string `json:"dbSubnetGroupName,omitempty" tf:"db_subnet_group_name,omitempty"`
+
+	// A value that indicates whether the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// List of log types to export to cloudwatch. If omitted, no logs will be exported.
+	// The following log types are supported: audit, profiler.
+	EnabledCloudwatchLogsExports []*string `json:"enabledCloudwatchLogsExports,omitempty" tf:"enabled_cloudwatch_logs_exports,omitempty"`
+
 	// The DNS address of the DocDB instance
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The name of the database engine to be used for this DB cluster. Defaults to docdb. Valid Values: docdb
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// The database engine version. Updating this argument results in an outage.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
+	// The name of your final DB snapshot
+	// when this DB cluster is deleted. If omitted, no final snapshot will be
+	// made.
+	FinalSnapshotIdentifier *string `json:"finalSnapshotIdentifier,omitempty" tf:"final_snapshot_identifier,omitempty"`
+
+	// The global cluster identifier specified on aws_docdb_global_cluster.
+	GlobalClusterIdentifier *string `json:"globalClusterIdentifier,omitempty" tf:"global_cluster_identifier,omitempty"`
+
 	// The Route53 Hosted Zone ID of the endpoint
 	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
 
 	// The DocDB Cluster Identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN for the KMS encryption key. When specifying kms_key_id, storage_encrypted needs to be set to true.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Username for the master DB user.
+	MasterUsername *string `json:"masterUsername,omitempty" tf:"master_username,omitempty"`
+
+	// The port on which the DB accepts connections
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.Time in UTC
+	// Default: A 30-minute window selected at random from an 8-hour block of time per regionE.g., 04:00-09:00
+	PreferredBackupWindow *string `json:"preferredBackupWindow,omitempty" tf:"preferred_backup_window,omitempty"`
+
+	// The weekly time range during which system maintenance can occur, in (UTC) e.g., wed:04:00-wed:04:30
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
 	// A read-only endpoint for the DocDB cluster, automatically load-balanced across replicas
 	ReaderEndpoint *string `json:"readerEndpoint,omitempty" tf:"reader_endpoint,omitempty"`
 
+	// Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false.
+	SkipFinalSnapshot *bool `json:"skipFinalSnapshot,omitempty" tf:"skip_final_snapshot,omitempty"`
+
+	// Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot.
+	SnapshotIdentifier *string `json:"snapshotIdentifier,omitempty" tf:"snapshot_identifier,omitempty"`
+
+	// Specifies whether the DB cluster is encrypted. The default is false.
+	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// List of VPC security groups to associate
+	// with the Cluster
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 }
 
 type ClusterParameters struct {
diff --git a/apis/docdb/v1beta1/zz_clusterinstance_types.go b/apis/docdb/v1beta1/zz_clusterinstance_types.go
index 1d55b6174b..c4ee2f2fb1 100755
--- a/apis/docdb/v1beta1/zz_clusterinstance_types.go
+++ b/apis/docdb/v1beta1/zz_clusterinstance_types.go
@@ -15,37 +15,76 @@ import (
 
 type ClusterInstanceObservation struct {
 
+	// Specifies whether any database modifications
+	// are applied immediately, or during the next maintenance window. Default isfalse.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// Amazon Resource Name (ARN) of cluster instance
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// This parameter does not apply to Amazon DocumentDB. Amazon DocumentDB does not perform minor version upgrades regardless of the value set (see docs). Default true.
+	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// The EC2 Availability Zone that the DB instance is created in. See docs about the details.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The identifier of the CA certificate for the DB instance.
+	CACertIdentifier *string `json:"caCertIdentifier,omitempty" tf:"ca_cert_identifier,omitempty"`
+
+	// The identifier of the aws_docdb_cluster in which to launch this instance.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
 	// The DB subnet group to associate with this DB instance.
 	DBSubnetGroupName *string `json:"dbSubnetGroupName,omitempty" tf:"db_subnet_group_name,omitempty"`
 
 	// The region-unique, immutable identifier for the DB instance.
 	DbiResourceID *string `json:"dbiResourceId,omitempty" tf:"dbi_resource_id,omitempty"`
 
+	// A value that indicates whether to enable Performance Insights for the DB Instance. Default false. See [docs] (https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html) about the details.
+	EnablePerformanceInsights *bool `json:"enablePerformanceInsights,omitempty" tf:"enable_performance_insights,omitempty"`
+
 	// The DNS address for this instance. May not be writable
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The name of the database engine to be used for the DocDB instance. Defaults to docdb. Valid Values: docdb.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
 	// The database engine version
 	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The instance class to use. For details on CPU and memory, see Scaling for DocDB Instances. DocDB currently
+	// supports the below instance classes. Please see AWS Documentation for complete details.
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
+
 	// The ARN for the KMS encryption key if one is set to the cluster.
 	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 
+	// The KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. If you do not specify a value for PerformanceInsightsKMSKeyId, then Amazon DocumentDB uses your default KMS key.
+	PerformanceInsightsKMSKeyID *string `json:"performanceInsightsKmsKeyId,omitempty" tf:"performance_insights_kms_key_id,omitempty"`
+
 	// The database port
 	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 
 	// The daily time range during which automated backups are created if automated backups are enabled.
 	PreferredBackupWindow *string `json:"preferredBackupWindow,omitempty" tf:"preferred_backup_window,omitempty"`
 
+	// The window to perform maintenance in.
+	// Syntax: "ddd:hh24:mi-ddd:hh24:mi". Eg: "Mon:00:00-Mon:03:00".
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
+	// Default 0. Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoter to writer.
+	PromotionTier *float64 `json:"promotionTier,omitempty" tf:"promotion_tier,omitempty"`
+
 	PubliclyAccessible *bool `json:"publiclyAccessible,omitempty" tf:"publicly_accessible,omitempty"`
 
 	// Specifies whether the DB cluster is encrypted.
 	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -95,8 +134,8 @@ type ClusterInstanceParameters struct {
 
 	// The instance class to use. For details on CPU and memory, see Scaling for DocDB Instances. DocDB currently
 	// supports the below instance classes. Please see AWS Documentation for complete details.
-	// +kubebuilder:validation:Required
-	InstanceClass *string `json:"instanceClass" tf:"instance_class,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
 
 	// The KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. If you do not specify a value for PerformanceInsightsKMSKeyId, then Amazon DocumentDB uses your default KMS key.
 	// +kubebuilder:validation:Optional
@@ -145,8 +184,9 @@ type ClusterInstanceStatus struct {
 type ClusterInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterInstanceSpec   `json:"spec"`
-	Status            ClusterInstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)",message="instanceClass is a required parameter"
+	Spec   ClusterInstanceSpec   `json:"spec"`
+	Status ClusterInstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/docdb/v1beta1/zz_clusterparametergroup_types.go b/apis/docdb/v1beta1/zz_clusterparametergroup_types.go
index 92a3a2a280..eaa4835b53 100755
--- a/apis/docdb/v1beta1/zz_clusterparametergroup_types.go
+++ b/apis/docdb/v1beta1/zz_clusterparametergroup_types.go
@@ -18,9 +18,21 @@ type ClusterParameterGroupObservation struct {
 	// The ARN of the documentDB cluster parameter group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the documentDB cluster parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The family of the documentDB cluster parameter group.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// The documentDB cluster parameter group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of documentDB parameters to apply. Setting parameters to system default values may show a difference on imported resources.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +44,8 @@ type ClusterParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The family of the documentDB cluster parameter group.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// A list of documentDB parameters to apply. Setting parameters to system default values may show a difference on imported resources.
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,15 @@ type ClusterParameterGroupParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// Valid values are immediate and pending-reboot. Defaults to pending-reboot.
+	ApplyMethod *string `json:"applyMethod,omitempty" tf:"apply_method,omitempty"`
+
+	// The name of the documentDB cluster parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the documentDB parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -91,8 +112,9 @@ type ClusterParameterGroupStatus struct {
 type ClusterParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterParameterGroupSpec   `json:"spec"`
-	Status            ClusterParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	Spec   ClusterParameterGroupSpec   `json:"spec"`
+	Status ClusterParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/docdb/v1beta1/zz_clustersnapshot_types.go b/apis/docdb/v1beta1/zz_clustersnapshot_types.go
index 6016634e91..de64bef27b 100755
--- a/apis/docdb/v1beta1/zz_clustersnapshot_types.go
+++ b/apis/docdb/v1beta1/zz_clustersnapshot_types.go
@@ -18,6 +18,9 @@ type ClusterSnapshotObservation struct {
 	// List of EC2 Availability Zones that instances in the DocDB cluster snapshot can be restored in.
 	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
 
+	// The DocDB Cluster Identifier from which to take the snapshot.
+	DBClusterIdentifier *string `json:"dbClusterIdentifier,omitempty" tf:"db_cluster_identifier,omitempty"`
+
 	// The Amazon Resource Name (ARN) for the DocDB Cluster Snapshot.
 	DBClusterSnapshotArn *string `json:"dbClusterSnapshotArn,omitempty" tf:"db_cluster_snapshot_arn,omitempty"`
 
diff --git a/apis/docdb/v1beta1/zz_eventsubscription_types.go b/apis/docdb/v1beta1/zz_eventsubscription_types.go
index 3635a9bec7..371ac0058b 100755
--- a/apis/docdb/v1beta1/zz_eventsubscription_types.go
+++ b/apis/docdb/v1beta1/zz_eventsubscription_types.go
@@ -21,9 +21,27 @@ type EventSubscriptionObservation struct {
 	// The AWS customer account associated with the DocDB event notification subscription
 	CustomerAwsID *string `json:"customerAwsId,omitempty" tf:"customer_aws_id,omitempty"`
 
+	// A boolean flag to enable/disable the subscription. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// A list of event categories for a SourceType that you want to subscribe to. See https://docs.aws.amazon.com/documentdb/latest/developerguide/API_Event.html or run aws docdb describe-event-categories.
+	EventCategories []*string `json:"eventCategories,omitempty" tf:"event_categories,omitempty"`
+
 	// The name of the DocDB event notification subscription
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Amazon Resource Name of the DocDB event notification subscription
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
+
+	// A list of identifiers of the event sources for which events will be returned. If not specified, then all sources are included in the response. If specified, a source_type must also be specified.
+	SourceIds []*string `json:"sourceIds,omitempty" tf:"source_ids,omitempty"`
+
+	// The type of source that will be generating the events. Valid options are db-instance, db-cluster, db-parameter-group, db-security-group, db-cluster-snapshot. If not set, all sources will be subscribed to.
+	SourceType *string `json:"sourceType,omitempty" tf:"source_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/docdb/v1beta1/zz_generated.deepcopy.go b/apis/docdb/v1beta1/zz_generated.deepcopy.go
index 370b683fa6..34e0c5e33d 100644
--- a/apis/docdb/v1beta1/zz_generated.deepcopy.go
+++ b/apis/docdb/v1beta1/zz_generated.deepcopy.go
@@ -103,11 +103,36 @@ func (in *ClusterInstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservation) {
 	*out = *in
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.CACertIdentifier != nil {
+		in, out := &in.CACertIdentifier, &out.CACertIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.DBSubnetGroupName != nil {
 		in, out := &in.DBSubnetGroupName, &out.DBSubnetGroupName
 		*out = new(string)
@@ -118,11 +143,21 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.EnablePerformanceInsights != nil {
+		in, out := &in.EnablePerformanceInsights, &out.EnablePerformanceInsights
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
 	if in.EngineVersion != nil {
 		in, out := &in.EngineVersion, &out.EngineVersion
 		*out = new(string)
@@ -133,11 +168,21 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceClass != nil {
+		in, out := &in.InstanceClass, &out.InstanceClass
+		*out = new(string)
+		**out = **in
+	}
 	if in.KMSKeyID != nil {
 		in, out := &in.KMSKeyID, &out.KMSKeyID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PerformanceInsightsKMSKeyID != nil {
+		in, out := &in.PerformanceInsightsKMSKeyID, &out.PerformanceInsightsKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Port != nil {
 		in, out := &in.Port, &out.Port
 		*out = new(float64)
@@ -148,6 +193,16 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PromotionTier != nil {
+		in, out := &in.PromotionTier, &out.PromotionTier
+		*out = new(float64)
+		**out = **in
+	}
 	if in.PubliclyAccessible != nil {
 		in, out := &in.PubliclyAccessible, &out.PubliclyAccessible
 		*out = new(bool)
@@ -158,6 +213,21 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -359,11 +429,32 @@ func (in *ClusterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 	*out = *in
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BackupRetentionPeriod != nil {
+		in, out := &in.BackupRetentionPeriod, &out.BackupRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ClusterMembers != nil {
 		in, out := &in.ClusterMembers, &out.ClusterMembers
 		*out = make([]*string, len(*in))
@@ -380,11 +471,57 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DBClusterParameterGroupName != nil {
+		in, out := &in.DBClusterParameterGroupName, &out.DBClusterParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBSubnetGroupName != nil {
+		in, out := &in.DBSubnetGroupName, &out.DBSubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnabledCloudwatchLogsExports != nil {
+		in, out := &in.EnabledCloudwatchLogsExports, &out.EnabledCloudwatchLogsExports
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.FinalSnapshotIdentifier != nil {
+		in, out := &in.FinalSnapshotIdentifier, &out.FinalSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalClusterIdentifier != nil {
+		in, out := &in.GlobalClusterIdentifier, &out.GlobalClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostedZoneID != nil {
 		in, out := &in.HostedZoneID, &out.HostedZoneID
 		*out = new(string)
@@ -395,11 +532,66 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MasterUsername != nil {
+		in, out := &in.MasterUsername, &out.MasterUsername
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PreferredBackupWindow != nil {
+		in, out := &in.PreferredBackupWindow, &out.PreferredBackupWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
 	if in.ReaderEndpoint != nil {
 		in, out := &in.ReaderEndpoint, &out.ReaderEndpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.SkipFinalSnapshot != nil {
+		in, out := &in.SkipFinalSnapshot, &out.SkipFinalSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SnapshotIdentifier != nil {
+		in, out := &in.SnapshotIdentifier, &out.SnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageEncrypted != nil {
+		in, out := &in.StorageEncrypted, &out.StorageEncrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -415,6 +607,17 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterObservation.
@@ -494,11 +697,43 @@ func (in *ClusterParameterGroupObservation) DeepCopyInto(out *ClusterParameterGr
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -865,6 +1100,11 @@ func (in *ClusterSnapshotObservation) DeepCopyInto(out *ClusterSnapshotObservati
 			}
 		}
 	}
+	if in.DBClusterIdentifier != nil {
+		in, out := &in.DBClusterIdentifier, &out.DBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.DBClusterSnapshotArn != nil {
 		in, out := &in.DBClusterSnapshotArn, &out.DBClusterSnapshotArn
 		*out = new(string)
@@ -1107,11 +1347,63 @@ func (in *EventSubscriptionObservation) DeepCopyInto(out *EventSubscriptionObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventCategories != nil {
+		in, out := &in.EventCategories, &out.EventCategories
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceIds != nil {
+		in, out := &in.SourceIds, &out.SourceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceType != nil {
+		in, out := &in.SourceType, &out.SourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1362,6 +1654,31 @@ func (in *GlobalClusterObservation) DeepCopyInto(out *GlobalClusterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalClusterIdentifier != nil {
+		in, out := &in.GlobalClusterIdentifier, &out.GlobalClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.GlobalClusterMembers != nil {
 		in, out := &in.GlobalClusterMembers, &out.GlobalClusterMembers
 		*out = make([]GlobalClusterMembersObservation, len(*in))
@@ -1379,11 +1696,21 @@ func (in *GlobalClusterObservation) DeepCopyInto(out *GlobalClusterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceDBClusterIdentifier != nil {
+		in, out := &in.SourceDBClusterIdentifier, &out.SourceDBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.StorageEncrypted != nil {
+		in, out := &in.StorageEncrypted, &out.StorageEncrypted
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalClusterObservation.
@@ -1498,6 +1825,21 @@ func (in *GlobalClusterStatus) DeepCopy() *GlobalClusterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.ApplyMethod != nil {
+		in, out := &in.ApplyMethod, &out.ApplyMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -1607,11 +1949,42 @@ func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/docdb/v1beta1/zz_globalcluster_types.go b/apis/docdb/v1beta1/zz_globalcluster_types.go
index 599f118a8d..aa3be1a6d3 100755
--- a/apis/docdb/v1beta1/zz_globalcluster_types.go
+++ b/apis/docdb/v1beta1/zz_globalcluster_types.go
@@ -30,6 +30,21 @@ type GlobalClusterObservation struct {
 	// Global Cluster Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name for an automatically created database on cluster creation.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// If the Global Cluster should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// Name of the database engine to be used for this DB cluster. Current Valid values: docdb. Defaults to docdb. Conflicts with source_db_cluster_identifier.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// Engine version of the global database. Upgrading the engine version will result in all cluster members being immediately updated and will.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
+	// The global cluster identifier.
+	GlobalClusterIdentifier *string `json:"globalClusterIdentifier,omitempty" tf:"global_cluster_identifier,omitempty"`
+
 	// Set of objects containing Global Cluster members.
 	GlobalClusterMembers []GlobalClusterMembersObservation `json:"globalClusterMembers,omitempty" tf:"global_cluster_members,omitempty"`
 
@@ -39,7 +54,13 @@ type GlobalClusterObservation struct {
 	// DocDB Global Cluster.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amazon Resource Name (ARN) to use as the primary DB Cluster of the Global Cluster on creation.
+	SourceDBClusterIdentifier *string `json:"sourceDbClusterIdentifier,omitempty" tf:"source_db_cluster_identifier,omitempty"`
+
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Specifies whether the DB cluster is encrypted. The default is false unless source_db_cluster_identifier is specified and encrypted.
+	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
 }
 
 type GlobalClusterParameters struct {
@@ -61,8 +82,8 @@ type GlobalClusterParameters struct {
 	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
 
 	// The global cluster identifier.
-	// +kubebuilder:validation:Required
-	GlobalClusterIdentifier *string `json:"globalClusterIdentifier" tf:"global_cluster_identifier,omitempty"`
+	// +kubebuilder:validation:Optional
+	GlobalClusterIdentifier *string `json:"globalClusterIdentifier,omitempty" tf:"global_cluster_identifier,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -112,8 +133,9 @@ type GlobalClusterStatus struct {
 type GlobalCluster struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GlobalClusterSpec   `json:"spec"`
-	Status            GlobalClusterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.globalClusterIdentifier)",message="globalClusterIdentifier is a required parameter"
+	Spec   GlobalClusterSpec   `json:"spec"`
+	Status GlobalClusterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/docdb/v1beta1/zz_subnetgroup_types.go b/apis/docdb/v1beta1/zz_subnetgroup_types.go
index d1e6cf75b2..99eaca4c93 100755
--- a/apis/docdb/v1beta1/zz_subnetgroup_types.go
+++ b/apis/docdb/v1beta1/zz_subnetgroup_types.go
@@ -18,9 +18,18 @@ type SubnetGroupObservation struct {
 	// The ARN of the docDB subnet group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the docDB subnet group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The docDB subnet group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of VPC subnet IDs.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ds/v1beta1/zz_conditionalforwarder_types.go b/apis/ds/v1beta1/zz_conditionalforwarder_types.go
index 69f54bf5ea..bf9d5f73bb 100755
--- a/apis/ds/v1beta1/zz_conditionalforwarder_types.go
+++ b/apis/ds/v1beta1/zz_conditionalforwarder_types.go
@@ -14,14 +14,24 @@ import (
 )
 
 type ConditionalForwarderObservation struct {
+
+	// A list of forwarder IP addresses.
+	DNSIps []*string `json:"dnsIps,omitempty" tf:"dns_ips,omitempty"`
+
+	// ID of directory.
+	DirectoryID *string `json:"directoryId,omitempty" tf:"directory_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The fully qualified domain name of the remote domain for which forwarders will be used.
+	RemoteDomainName *string `json:"remoteDomainName,omitempty" tf:"remote_domain_name,omitempty"`
 }
 
 type ConditionalForwarderParameters struct {
 
 	// A list of forwarder IP addresses.
-	// +kubebuilder:validation:Required
-	DNSIps []*string `json:"dnsIps" tf:"dns_ips,omitempty"`
+	// +kubebuilder:validation:Optional
+	DNSIps []*string `json:"dnsIps,omitempty" tf:"dns_ips,omitempty"`
 
 	// ID of directory.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ds/v1beta1.Directory
@@ -71,8 +81,9 @@ type ConditionalForwarderStatus struct {
 type ConditionalForwarder struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConditionalForwarderSpec   `json:"spec"`
-	Status            ConditionalForwarderStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dnsIps)",message="dnsIps is a required parameter"
+	Spec   ConditionalForwarderSpec   `json:"spec"`
+	Status ConditionalForwarderStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ds/v1beta1/zz_directory_types.go b/apis/ds/v1beta1/zz_directory_types.go
index cc5cb1b762..301b3eda72 100755
--- a/apis/ds/v1beta1/zz_directory_types.go
+++ b/apis/ds/v1beta1/zz_directory_types.go
@@ -18,6 +18,18 @@ type ConnectSettingsObservation struct {
 
 	// The IP addresses of the AD Connector servers.
 	ConnectIps []*string `json:"connectIps,omitempty" tf:"connect_ips,omitempty"`
+
+	// The DNS IP addresses of the domain to connect to.
+	CustomerDNSIps []*string `json:"customerDnsIps,omitempty" tf:"customer_dns_ips,omitempty"`
+
+	// The username corresponding to the password provided.
+	CustomerUsername *string `json:"customerUsername,omitempty" tf:"customer_username,omitempty"`
+
+	// The identifiers of the subnets for the directory servers (2 subnets in 2 different AZs).
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// The identifier of the VPC that the directory is in.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type ConnectSettingsParameters struct {
@@ -63,24 +75,52 @@ type DirectoryObservation struct {
 	// The access URL for the directory, such as http://alias.awsapps.com.
 	AccessURL *string `json:"accessUrl,omitempty" tf:"access_url,omitempty"`
 
+	// The alias for the directory (must be unique amongst all aliases in AWS). Required for enable_sso.
+	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
+
 	// Connector related information about the directory. Fields documented below.
-	// +kubebuilder:validation:Optional
 	ConnectSettings []ConnectSettingsObservation `json:"connectSettings,omitempty" tf:"connect_settings,omitempty"`
 
 	// A list of IP addresses of the DNS servers for the directory or connector.
 	DNSIPAddresses []*string `json:"dnsIpAddresses,omitempty" tf:"dns_ip_addresses,omitempty"`
 
+	// A textual description for the directory.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The number of domain controllers desired in the directory. Minimum value of 2. Scaling of domain controllers is only supported for MicrosoftAD directories.
+	DesiredNumberOfDomainControllers *float64 `json:"desiredNumberOfDomainControllers,omitempty" tf:"desired_number_of_domain_controllers,omitempty"`
+
+	// The MicrosoftAD edition (Standard or Enterprise). Defaults to Enterprise.
+	Edition *string `json:"edition,omitempty" tf:"edition,omitempty"`
+
+	// Whether to enable single-sign on for the directory. Requires alias. Defaults to false.
+	EnableSso *bool `json:"enableSso,omitempty" tf:"enable_sso,omitempty"`
+
 	// The directory identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The fully qualified name for the directory, such as corp.example.com
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The ID of the security group created by the directory.
 	SecurityGroupID *string `json:"securityGroupId,omitempty" tf:"security_group_id,omitempty"`
 
+	// The short name of the directory, such as CORP.
+	ShortName *string `json:"shortName,omitempty" tf:"short_name,omitempty"`
+
+	// (For SimpleAD and ADConnector types) The size of the directory (Small or Large are accepted values). Large by default.
+	Size *string `json:"size,omitempty" tf:"size,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// The directory type (SimpleAD, ADConnector or MicrosoftAD are accepted values). Defaults to SimpleAD.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
 	// VPC related information about the directory. Fields documented below.
-	// +kubebuilder:validation:Optional
 	VPCSettings []VPCSettingsObservation `json:"vpcSettings,omitempty" tf:"vpc_settings,omitempty"`
 }
 
@@ -111,11 +151,11 @@ type DirectoryParameters struct {
 	EnableSso *bool `json:"enableSso,omitempty" tf:"enable_sso,omitempty"`
 
 	// The fully qualified name for the directory, such as corp.example.com
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The password for the directory administrator or connector user.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	PasswordSecretRef v1.SecretKeySelector `json:"passwordSecretRef" tf:"-"`
 
 	// Region is the region you'd like your resource to be created in.
@@ -146,6 +186,12 @@ type DirectoryParameters struct {
 
 type VPCSettingsObservation struct {
 	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	// The identifiers of the subnets for the directory servers (2 subnets in 2 different AZs).
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// The identifier of the VPC that the directory is in.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCSettingsParameters struct {
@@ -202,8 +248,10 @@ type DirectoryStatus struct {
 type Directory struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DirectorySpec   `json:"spec"`
-	Status            DirectoryStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.passwordSecretRef)",message="passwordSecretRef is a required parameter"
+	Spec   DirectorySpec   `json:"spec"`
+	Status DirectoryStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ds/v1beta1/zz_generated.deepcopy.go b/apis/ds/v1beta1/zz_generated.deepcopy.go
index b738221d2e..449c973112 100644
--- a/apis/ds/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ds/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,32 @@ func (in *ConditionalForwarderList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionalForwarderObservation) DeepCopyInto(out *ConditionalForwarderObservation) {
 	*out = *in
+	if in.DNSIps != nil {
+		in, out := &in.DNSIps, &out.DNSIps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DirectoryID != nil {
+		in, out := &in.DirectoryID, &out.DirectoryID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RemoteDomainName != nil {
+		in, out := &in.RemoteDomainName, &out.RemoteDomainName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionalForwarderObservation.
@@ -203,6 +224,38 @@ func (in *ConnectSettingsObservation) DeepCopyInto(out *ConnectSettingsObservati
 			}
 		}
 	}
+	if in.CustomerDNSIps != nil {
+		in, out := &in.CustomerDNSIps, &out.CustomerDNSIps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomerUsername != nil {
+		in, out := &in.CustomerUsername, &out.CustomerUsername
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectSettingsObservation.
@@ -351,6 +404,11 @@ func (in *DirectoryObservation) DeepCopyInto(out *DirectoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Alias != nil {
+		in, out := &in.Alias, &out.Alias
+		*out = new(string)
+		**out = **in
+	}
 	if in.ConnectSettings != nil {
 		in, out := &in.ConnectSettings, &out.ConnectSettings
 		*out = make([]ConnectSettingsObservation, len(*in))
@@ -369,16 +427,66 @@ func (in *DirectoryObservation) DeepCopyInto(out *DirectoryObservation) {
 			}
 		}
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DesiredNumberOfDomainControllers != nil {
+		in, out := &in.DesiredNumberOfDomainControllers, &out.DesiredNumberOfDomainControllers
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Edition != nil {
+		in, out := &in.Edition, &out.Edition
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableSso != nil {
+		in, out := &in.EnableSso, &out.EnableSso
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.SecurityGroupID != nil {
 		in, out := &in.SecurityGroupID, &out.SecurityGroupID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ShortName != nil {
+		in, out := &in.ShortName, &out.ShortName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -394,6 +502,11 @@ func (in *DirectoryObservation) DeepCopyInto(out *DirectoryObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 	if in.VPCSettings != nil {
 		in, out := &in.VPCSettings, &out.VPCSettings
 		*out = make([]VPCSettingsObservation, len(*in))
@@ -604,16 +717,33 @@ func (in *SharedDirectoryList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SharedDirectoryObservation) DeepCopyInto(out *SharedDirectoryObservation) {
 	*out = *in
+	if in.DirectoryID != nil {
+		in, out := &in.DirectoryID, &out.DirectoryID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Method != nil {
+		in, out := &in.Method, &out.Method
+		*out = new(string)
+		**out = **in
+	}
 	if in.SharedDirectoryID != nil {
 		in, out := &in.SharedDirectoryID, &out.SharedDirectoryID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]TargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SharedDirectoryObservation.
@@ -715,6 +845,16 @@ func (in *SharedDirectoryStatus) DeepCopy() *SharedDirectoryStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
@@ -766,6 +906,22 @@ func (in *VPCSettingsObservation) DeepCopyInto(out *VPCSettingsObservation) {
 			}
 		}
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCSettingsObservation.
diff --git a/apis/ds/v1beta1/zz_shareddirectory_types.go b/apis/ds/v1beta1/zz_shareddirectory_types.go
index 2c64e26b0b..0ccf13dde1 100755
--- a/apis/ds/v1beta1/zz_shareddirectory_types.go
+++ b/apis/ds/v1beta1/zz_shareddirectory_types.go
@@ -15,11 +15,20 @@ import (
 
 type SharedDirectoryObservation struct {
 
+	// Identifier of the Managed Microsoft AD directory that you want to share with other accounts.
+	DirectoryID *string `json:"directoryId,omitempty" tf:"directory_id,omitempty"`
+
 	// Identifier of the shared directory.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Method used when sharing a directory. Valid values are ORGANIZATIONS and HANDSHAKE. Default is HANDSHAKE.
+	Method *string `json:"method,omitempty" tf:"method,omitempty"`
+
 	// Identifier of the directory that is stored in the directory consumer account that corresponds to the shared directory in the owner account.
 	SharedDirectoryID *string `json:"sharedDirectoryId,omitempty" tf:"shared_directory_id,omitempty"`
+
+	// Identifier for the directory consumer account with whom the directory is to be shared. See below.
+	Target []TargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type SharedDirectoryParameters struct {
@@ -52,11 +61,17 @@ type SharedDirectoryParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Identifier for the directory consumer account with whom the directory is to be shared. See below.
-	// +kubebuilder:validation:Required
-	Target []TargetParameters `json:"target" tf:"target,omitempty"`
+	// +kubebuilder:validation:Optional
+	Target []TargetParameters `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type TargetObservation struct {
+
+	// Identifier of the directory consumer account.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Type of identifier to be used in the id field. Valid value is ACCOUNT. Default is ACCOUNT.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type TargetParameters struct {
@@ -94,8 +109,9 @@ type SharedDirectoryStatus struct {
 type SharedDirectory struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SharedDirectorySpec   `json:"spec"`
-	Status            SharedDirectoryStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.target)",message="target is a required parameter"
+	Spec   SharedDirectorySpec   `json:"spec"`
+	Status SharedDirectoryStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dynamodb/v1beta1/zz_contributorinsights_types.go b/apis/dynamodb/v1beta1/zz_contributorinsights_types.go
index dc38b94148..4e23c2ea2a 100755
--- a/apis/dynamodb/v1beta1/zz_contributorinsights_types.go
+++ b/apis/dynamodb/v1beta1/zz_contributorinsights_types.go
@@ -15,6 +15,12 @@ import (
 
 type ContributorInsightsObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The global secondary index name
+	IndexName *string `json:"indexName,omitempty" tf:"index_name,omitempty"`
+
+	// The name of the table to enable contributor insights
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type ContributorInsightsParameters struct {
diff --git a/apis/dynamodb/v1beta1/zz_generated.deepcopy.go b/apis/dynamodb/v1beta1/zz_generated.deepcopy.go
index d98602b5c9..cd02c0ec96 100644
--- a/apis/dynamodb/v1beta1/zz_generated.deepcopy.go
+++ b/apis/dynamodb/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttributeObservation) DeepCopyInto(out *AttributeObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttributeObservation.
@@ -121,6 +131,16 @@ func (in *ContributorInsightsObservation) DeepCopyInto(out *ContributorInsightsO
 		*out = new(string)
 		**out = **in
 	}
+	if in.IndexName != nil {
+		in, out := &in.IndexName, &out.IndexName
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContributorInsightsObservation.
@@ -210,6 +230,47 @@ func (in *ContributorInsightsStatus) DeepCopy() *ContributorInsightsStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GlobalSecondaryIndexObservation) DeepCopyInto(out *GlobalSecondaryIndexObservation) {
 	*out = *in
+	if in.HashKey != nil {
+		in, out := &in.HashKey, &out.HashKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NonKeyAttributes != nil {
+		in, out := &in.NonKeyAttributes, &out.NonKeyAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ProjectionType != nil {
+		in, out := &in.ProjectionType, &out.ProjectionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKey != nil {
+		in, out := &in.RangeKey, &out.RangeKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReadCapacity != nil {
+		in, out := &in.ReadCapacity, &out.ReadCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WriteCapacity != nil {
+		in, out := &in.WriteCapacity, &out.WriteCapacity
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalSecondaryIndexObservation.
@@ -350,6 +411,13 @@ func (in *GlobalTableObservation) DeepCopyInto(out *GlobalTableObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Replica != nil {
+		in, out := &in.Replica, &out.Replica
+		*out = make([]ReplicaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalTableObservation.
@@ -490,6 +558,16 @@ func (in *KinesisStreamingDestinationObservation) DeepCopyInto(out *KinesisStrea
 		*out = new(string)
 		**out = **in
 	}
+	if in.StreamArn != nil {
+		in, out := &in.StreamArn, &out.StreamArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisStreamingDestinationObservation.
@@ -589,6 +667,32 @@ func (in *KinesisStreamingDestinationStatus) DeepCopy() *KinesisStreamingDestina
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LocalSecondaryIndexObservation) DeepCopyInto(out *LocalSecondaryIndexObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NonKeyAttributes != nil {
+		in, out := &in.NonKeyAttributes, &out.NonKeyAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ProjectionType != nil {
+		in, out := &in.ProjectionType, &out.ProjectionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKey != nil {
+		in, out := &in.RangeKey, &out.RangeKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocalSecondaryIndexObservation.
@@ -645,6 +749,11 @@ func (in *LocalSecondaryIndexParameters) DeepCopy() *LocalSecondaryIndexParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PointInTimeRecoveryObservation) DeepCopyInto(out *PointInTimeRecoveryObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PointInTimeRecoveryObservation.
@@ -680,6 +789,11 @@ func (in *PointInTimeRecoveryParameters) DeepCopy() *PointInTimeRecoveryParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicaObservation) DeepCopyInto(out *ReplicaObservation) {
 	*out = *in
+	if in.RegionName != nil {
+		in, out := &in.RegionName, &out.RegionName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaObservation.
@@ -715,6 +829,16 @@ func (in *ReplicaParameters) DeepCopy() *ReplicaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerSideEncryptionObservation) DeepCopyInto(out *ServerSideEncryptionObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerSideEncryptionObservation.
@@ -755,6 +879,16 @@ func (in *ServerSideEncryptionParameters) DeepCopy() *ServerSideEncryptionParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TTLObservation) DeepCopyInto(out *TTLObservation) {
 	*out = *in
+	if in.AttributeName != nil {
+		in, out := &in.AttributeName, &out.AttributeName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TTLObservation.
@@ -881,11 +1015,31 @@ func (in *TableItemList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TableItemObservation) DeepCopyInto(out *TableItemObservation) {
 	*out = *in
+	if in.HashKey != nil {
+		in, out := &in.HashKey, &out.HashKey
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Item != nil {
+		in, out := &in.Item, &out.Item
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKey != nil {
+		in, out := &in.RangeKey, &out.RangeKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TableItemObservation.
@@ -1022,11 +1176,59 @@ func (in *TableObservation) DeepCopyInto(out *TableObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Attribute != nil {
+		in, out := &in.Attribute, &out.Attribute
+		*out = make([]AttributeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BillingMode != nil {
+		in, out := &in.BillingMode, &out.BillingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalSecondaryIndex != nil {
+		in, out := &in.GlobalSecondaryIndex, &out.GlobalSecondaryIndex
+		*out = make([]GlobalSecondaryIndexObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HashKey != nil {
+		in, out := &in.HashKey, &out.HashKey
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LocalSecondaryIndex != nil {
+		in, out := &in.LocalSecondaryIndex, &out.LocalSecondaryIndex
+		*out = make([]LocalSecondaryIndexObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PointInTimeRecovery != nil {
+		in, out := &in.PointInTimeRecovery, &out.PointInTimeRecovery
+		*out = make([]PointInTimeRecoveryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RangeKey != nil {
+		in, out := &in.RangeKey, &out.RangeKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReadCapacity != nil {
+		in, out := &in.ReadCapacity, &out.ReadCapacity
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Replica != nil {
 		in, out := &in.Replica, &out.Replica
 		*out = make([]TableReplicaObservation, len(*in))
@@ -1034,16 +1236,75 @@ func (in *TableObservation) DeepCopyInto(out *TableObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.RestoreDateTime != nil {
+		in, out := &in.RestoreDateTime, &out.RestoreDateTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestoreSourceName != nil {
+		in, out := &in.RestoreSourceName, &out.RestoreSourceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestoreToLatestTime != nil {
+		in, out := &in.RestoreToLatestTime, &out.RestoreToLatestTime
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ServerSideEncryption != nil {
+		in, out := &in.ServerSideEncryption, &out.ServerSideEncryption
+		*out = make([]ServerSideEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.StreamArn != nil {
 		in, out := &in.StreamArn, &out.StreamArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.StreamEnabled != nil {
+		in, out := &in.StreamEnabled, &out.StreamEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.StreamLabel != nil {
 		in, out := &in.StreamLabel, &out.StreamLabel
 		*out = new(string)
 		**out = **in
 	}
+	if in.StreamViewType != nil {
+		in, out := &in.StreamViewType, &out.StreamViewType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = make([]TTLObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TableClass != nil {
+		in, out := &in.TableClass, &out.TableClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1059,6 +1320,11 @@ func (in *TableObservation) DeepCopyInto(out *TableObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.WriteCapacity != nil {
+		in, out := &in.WriteCapacity, &out.WriteCapacity
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TableObservation.
@@ -1277,6 +1543,26 @@ func (in *TableReplicaObservation) DeepCopyInto(out *TableReplicaObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PointInTimeRecovery != nil {
+		in, out := &in.PointInTimeRecovery, &out.PointInTimeRecovery
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PropagateTags != nil {
+		in, out := &in.PropagateTags, &out.PropagateTags
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RegionName != nil {
+		in, out := &in.RegionName, &out.RegionName
+		*out = new(string)
+		**out = **in
+	}
 	if in.StreamArn != nil {
 		in, out := &in.StreamArn, &out.StreamArn
 		*out = new(string)
@@ -1307,11 +1593,46 @@ func (in *TableReplicaObservation_2) DeepCopyInto(out *TableReplicaObservation_2
 		*out = new(string)
 		**out = **in
 	}
+	if in.GlobalTableArn != nil {
+		in, out := &in.GlobalTableArn, &out.GlobalTableArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PointInTimeRecovery != nil {
+		in, out := &in.PointInTimeRecovery, &out.PointInTimeRecovery
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TableClassOverride != nil {
+		in, out := &in.TableClassOverride, &out.TableClassOverride
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1584,6 +1905,21 @@ func (in *TagObservation) DeepCopyInto(out *TagObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagObservation.
diff --git a/apis/dynamodb/v1beta1/zz_globaltable_types.go b/apis/dynamodb/v1beta1/zz_globaltable_types.go
index ea9c44565d..04afe2c47e 100755
--- a/apis/dynamodb/v1beta1/zz_globaltable_types.go
+++ b/apis/dynamodb/v1beta1/zz_globaltable_types.go
@@ -20,6 +20,9 @@ type GlobalTableObservation struct {
 
 	// The name of the DynamoDB Global Table
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Underlying DynamoDB Table. At least 1 replica must be defined. See below.
+	Replica []ReplicaObservation `json:"replica,omitempty" tf:"replica,omitempty"`
 }
 
 type GlobalTableParameters struct {
@@ -30,11 +33,14 @@ type GlobalTableParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Underlying DynamoDB Table. At least 1 replica must be defined. See below.
-	// +kubebuilder:validation:Required
-	Replica []ReplicaParameters `json:"replica" tf:"replica,omitempty"`
+	// +kubebuilder:validation:Optional
+	Replica []ReplicaParameters `json:"replica,omitempty" tf:"replica,omitempty"`
 }
 
 type ReplicaObservation struct {
+
+	// AWS region name of replica DynamoDB TableE.g., us-east-1
+	RegionName *string `json:"regionName,omitempty" tf:"region_name,omitempty"`
 }
 
 type ReplicaParameters struct {
@@ -68,8 +74,9 @@ type GlobalTableStatus struct {
 type GlobalTable struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GlobalTableSpec   `json:"spec"`
-	Status            GlobalTableStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replica)",message="replica is a required parameter"
+	Spec   GlobalTableSpec   `json:"spec"`
+	Status GlobalTableStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dynamodb/v1beta1/zz_kinesisstreamingdestination_types.go b/apis/dynamodb/v1beta1/zz_kinesisstreamingdestination_types.go
index f65df6bb81..14487aa429 100755
--- a/apis/dynamodb/v1beta1/zz_kinesisstreamingdestination_types.go
+++ b/apis/dynamodb/v1beta1/zz_kinesisstreamingdestination_types.go
@@ -17,6 +17,13 @@ type KinesisStreamingDestinationObservation struct {
 
 	// The table_name and stream_arn separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN for a Kinesis data stream. This must exist in the same account and region as the DynamoDB table.
+	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
+
+	// The name of the DynamoDB table. There
+	// can only be one Kinesis streaming destination for a given DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type KinesisStreamingDestinationParameters struct {
diff --git a/apis/dynamodb/v1beta1/zz_table_types.go b/apis/dynamodb/v1beta1/zz_table_types.go
index 8e510b52cf..686d08495e 100755
--- a/apis/dynamodb/v1beta1/zz_table_types.go
+++ b/apis/dynamodb/v1beta1/zz_table_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AttributeObservation struct {
+
+	// Name of the attribute
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Attribute type. Valid values are S (string), N (number), B (binary).
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type AttributeParameters struct {
@@ -28,6 +34,27 @@ type AttributeParameters struct {
 }
 
 type GlobalSecondaryIndexObservation struct {
+
+	// Name of the hash key in the index; must be defined as an attribute in the resource.
+	HashKey *string `json:"hashKey,omitempty" tf:"hash_key,omitempty"`
+
+	// Name of the index.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Only required with INCLUDE as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table.
+	NonKeyAttributes []*string `json:"nonKeyAttributes,omitempty" tf:"non_key_attributes,omitempty"`
+
+	// One of ALL, INCLUDE or KEYS_ONLY where ALL projects every attribute into the index, KEYS_ONLY projects  into the index only the table and index hash_key and sort_key attributes ,  INCLUDE projects into the index all of the attributes that are defined in non_key_attributes in addition to the attributes that thatKEYS_ONLY project.
+	ProjectionType *string `json:"projectionType,omitempty" tf:"projection_type,omitempty"`
+
+	// Name of the range key; must be defined
+	RangeKey *string `json:"rangeKey,omitempty" tf:"range_key,omitempty"`
+
+	// Number of read units for this index. Must be set if billing_mode is set to PROVISIONED.
+	ReadCapacity *float64 `json:"readCapacity,omitempty" tf:"read_capacity,omitempty"`
+
+	// Number of write units for this index. Must be set if billing_mode is set to PROVISIONED.
+	WriteCapacity *float64 `json:"writeCapacity,omitempty" tf:"write_capacity,omitempty"`
 }
 
 type GlobalSecondaryIndexParameters struct {
@@ -62,6 +89,18 @@ type GlobalSecondaryIndexParameters struct {
 }
 
 type LocalSecondaryIndexObservation struct {
+
+	// Name of the index
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Only required with INCLUDE as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table.
+	NonKeyAttributes []*string `json:"nonKeyAttributes,omitempty" tf:"non_key_attributes,omitempty"`
+
+	// One of ALL, INCLUDE or KEYS_ONLY where ALL projects every attribute into the index, KEYS_ONLY projects  into the index only the table and index hash_key and sort_key attributes ,  INCLUDE projects into the index all of the attributes that are defined in non_key_attributes in addition to the attributes that thatKEYS_ONLY project.
+	ProjectionType *string `json:"projectionType,omitempty" tf:"projection_type,omitempty"`
+
+	// Name of the range key.
+	RangeKey *string `json:"rangeKey,omitempty" tf:"range_key,omitempty"`
 }
 
 type LocalSecondaryIndexParameters struct {
@@ -84,6 +123,9 @@ type LocalSecondaryIndexParameters struct {
 }
 
 type PointInTimeRecoveryObservation struct {
+
+	// Whether to enable point-in-time recovery. It can take 10 minutes to enable for new tables. If the point_in_time_recovery block is not provided, this defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type PointInTimeRecoveryParameters struct {
@@ -94,6 +136,12 @@ type PointInTimeRecoveryParameters struct {
 }
 
 type ServerSideEncryptionObservation struct {
+
+	// Whether or not to enable encryption at rest using an AWS managed KMS customer master key (CMK). If enabled is false then server-side encryption is set to AWS-owned key (shown as DEFAULT in the AWS console). Potentially confusingly, if enabled is true and no kms_key_arn is specified then server-side encryption is set to the default KMS-managed key (shown as KMS in the AWS console). The AWS KMS documentation explains the difference between AWS-owned and KMS-managed keys.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// ARN of the CMK that should be used for the AWS KMS encryption. This argument should only be used if the key is different from the default KMS-managed DynamoDB key, alias/aws/dynamodb. Note: This attribute will not be populated with the ARN of default keys.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
 }
 
 type ServerSideEncryptionParameters struct {
@@ -108,6 +156,12 @@ type ServerSideEncryptionParameters struct {
 }
 
 type TTLObservation struct {
+
+	// Name of the table attribute to store the TTL timestamp in.
+	AttributeName *string `json:"attributeName,omitempty" tf:"attribute_name,omitempty"`
+
+	// Whether TTL is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type TTLParameters struct {
@@ -126,21 +180,74 @@ type TableObservation struct {
 	// ARN of the table
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Set of nested attribute definitions. Only required for hash_key and range_key attributes. See below.
+	Attribute []AttributeObservation `json:"attribute,omitempty" tf:"attribute,omitempty"`
+
+	// Controls how you are charged for read and write throughput and how you manage capacity. The valid values are PROVISIONED and PAY_PER_REQUEST. Defaults to PROVISIONED.
+	BillingMode *string `json:"billingMode,omitempty" tf:"billing_mode,omitempty"`
+
+	// Describe a GSI for the table; subject to the normal limits on the number of GSIs, projected attributes, etc. See below.
+	GlobalSecondaryIndex []GlobalSecondaryIndexObservation `json:"globalSecondaryIndex,omitempty" tf:"global_secondary_index,omitempty"`
+
+	// Attribute to use as the hash (partition) key. Must also be defined as an attribute. See below.
+	HashKey *string `json:"hashKey,omitempty" tf:"hash_key,omitempty"`
+
 	// Name of the table
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Describe an LSI on the table; these can only be allocated at creation so you cannot change this definition after you have created the resource. See below.
+	LocalSecondaryIndex []LocalSecondaryIndexObservation `json:"localSecondaryIndex,omitempty" tf:"local_secondary_index,omitempty"`
+
+	// Enable point-in-time recovery options. See below.
+	PointInTimeRecovery []PointInTimeRecoveryObservation `json:"pointInTimeRecovery,omitempty" tf:"point_in_time_recovery,omitempty"`
+
+	// Attribute to use as the range (sort) key. Must also be defined as an attribute, see below.
+	RangeKey *string `json:"rangeKey,omitempty" tf:"range_key,omitempty"`
+
+	// Number of read units for this table. If the billing_mode is PROVISIONED, this field is required.
+	ReadCapacity *float64 `json:"readCapacity,omitempty" tf:"read_capacity,omitempty"`
+
 	// Configuration block(s) with DynamoDB Global Tables V2 (version 2019.11.21) replication configurations. See below.
-	// +kubebuilder:validation:Optional
 	Replica []TableReplicaObservation `json:"replica,omitempty" tf:"replica,omitempty"`
 
+	// Time of the point-in-time recovery point to restore.
+	RestoreDateTime *string `json:"restoreDateTime,omitempty" tf:"restore_date_time,omitempty"`
+
+	// Name of the table to restore. Must match the name of an existing table.
+	RestoreSourceName *string `json:"restoreSourceName,omitempty" tf:"restore_source_name,omitempty"`
+
+	// If set, restores table to the most recent point-in-time recovery point.
+	RestoreToLatestTime *bool `json:"restoreToLatestTime,omitempty" tf:"restore_to_latest_time,omitempty"`
+
+	// Encryption at rest options. AWS DynamoDB tables are automatically encrypted at rest with an AWS-owned Customer Master Key if this argument isn't specified. See below.
+	ServerSideEncryption []ServerSideEncryptionObservation `json:"serverSideEncryption,omitempty" tf:"server_side_encryption,omitempty"`
+
 	// ARN of the Table Stream. Only available when stream_enabled = true
 	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 
+	// Whether Streams are enabled.
+	StreamEnabled *bool `json:"streamEnabled,omitempty" tf:"stream_enabled,omitempty"`
+
 	// Timestamp, in ISO 8601 format, for this stream. Note that this timestamp is not a unique identifier for the stream on its own. However, the combination of AWS customer ID, table name and this field is guaranteed to be unique. It can be used for creating CloudWatch Alarms. Only available when stream_enabled = true.
 	StreamLabel *string `json:"streamLabel,omitempty" tf:"stream_label,omitempty"`
 
+	// When an item in the table is modified, StreamViewType determines what information is written to the table's stream. Valid values are KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES.
+	StreamViewType *string `json:"streamViewType,omitempty" tf:"stream_view_type,omitempty"`
+
+	// Configuration block for TTL. See below.
+	TTL []TTLObservation `json:"ttl,omitempty" tf:"ttl,omitempty"`
+
+	// Storage class of the table. Valid values are STANDARD and STANDARD_INFREQUENT_ACCESS.
+	TableClass *string `json:"tableClass,omitempty" tf:"table_class,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Number of write units for this table. If the billing_mode is PROVISIONED, this field is required.
+	WriteCapacity *float64 `json:"writeCapacity,omitempty" tf:"write_capacity,omitempty"`
 }
 
 type TableParameters struct {
@@ -232,6 +339,18 @@ type TableReplicaObservation struct {
 	// ARN of the replica
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of the CMK that should be used for the AWS KMS encryption. This argument should only be used if the key is different from the default KMS-managed DynamoDB key, alias/aws/dynamodb. Note: This attribute will not be populated with the ARN of default keys.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Whether to enable Point In Time Recovery for the replica. Default is false.
+	PointInTimeRecovery *bool `json:"pointInTimeRecovery,omitempty" tf:"point_in_time_recovery,omitempty"`
+
+	// Whether to propagate the global table's tags to a replica. Default is false. Changes to tags only move in one direction: from global (source) to replica. In other words, tag drift on a replica will not trigger an update. Tag or replica changes on the global table, whether from drift or configuration changes, are propagated to replicas. Changing from true to false on a subsequent apply means replica tags are left as they were, unmanaged, not deleted.
+	PropagateTags *bool `json:"propagateTags,omitempty" tf:"propagate_tags,omitempty"`
+
+	// Region name of the replica.
+	RegionName *string `json:"regionName,omitempty" tf:"region_name,omitempty"`
+
 	// ARN of the Table Stream. Only available when stream_enabled = true
 	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 
diff --git a/apis/dynamodb/v1beta1/zz_tableitem_types.go b/apis/dynamodb/v1beta1/zz_tableitem_types.go
index 2f2935940d..7f148636de 100755
--- a/apis/dynamodb/v1beta1/zz_tableitem_types.go
+++ b/apis/dynamodb/v1beta1/zz_tableitem_types.go
@@ -14,18 +14,31 @@ import (
 )
 
 type TableItemObservation struct {
+
+	// Hash key to use for lookups and identification of the item
+	HashKey *string `json:"hashKey,omitempty" tf:"hash_key,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// JSON representation of a map of attribute name/value pairs, one for each attribute. Only the primary key attributes are required; you can optionally provide other attribute name-value pairs for the item.
+	Item *string `json:"item,omitempty" tf:"item,omitempty"`
+
+	// Range key to use for lookups and identification of the item. Required if there is range key defined in the table.
+	RangeKey *string `json:"rangeKey,omitempty" tf:"range_key,omitempty"`
+
+	// Name of the table to contain the item.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type TableItemParameters struct {
 
 	// Hash key to use for lookups and identification of the item
-	// +kubebuilder:validation:Required
-	HashKey *string `json:"hashKey" tf:"hash_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	HashKey *string `json:"hashKey,omitempty" tf:"hash_key,omitempty"`
 
 	// JSON representation of a map of attribute name/value pairs, one for each attribute. Only the primary key attributes are required; you can optionally provide other attribute name-value pairs for the item.
-	// +kubebuilder:validation:Required
-	Item *string `json:"item" tf:"item,omitempty"`
+	// +kubebuilder:validation:Optional
+	Item *string `json:"item,omitempty" tf:"item,omitempty"`
 
 	// Range key to use for lookups and identification of the item. Required if there is range key defined in the table.
 	// +kubebuilder:validation:Optional
@@ -74,8 +87,10 @@ type TableItemStatus struct {
 type TableItem struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TableItemSpec   `json:"spec"`
-	Status            TableItemStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hashKey)",message="hashKey is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.item)",message="item is a required parameter"
+	Spec   TableItemSpec   `json:"spec"`
+	Status TableItemStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/dynamodb/v1beta1/zz_tablereplica_types.go b/apis/dynamodb/v1beta1/zz_tablereplica_types.go
index cd4d6012d0..f7111df36a 100755
--- a/apis/dynamodb/v1beta1/zz_tablereplica_types.go
+++ b/apis/dynamodb/v1beta1/zz_tablereplica_types.go
@@ -18,9 +18,24 @@ type TableReplicaObservation_2 struct {
 	// ARN of the table replica.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of the main or global table which this resource will replicate.
+	GlobalTableArn *string `json:"globalTableArn,omitempty" tf:"global_table_arn,omitempty"`
+
 	// Name of the table and region of the main global table joined with a semicolon (e.g., TableName:us-east-1).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of the CMK that should be used for the AWS KMS encryption. This argument should only be used if the key is different from the default KMS-managed DynamoDB key, alias/aws/dynamodb. Note: This attribute will not be populated with the ARN of default keys.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Whether to enable Point In Time Recovery for the replica. Default is false.
+	PointInTimeRecovery *bool `json:"pointInTimeRecovery,omitempty" tf:"point_in_time_recovery,omitempty"`
+
+	// Storage class of the table replica. Valid values are STANDARD and STANDARD_INFREQUENT_ACCESS. If not used, the table replica will use the same class as the global table.
+	TableClassOverride *string `json:"tableClassOverride,omitempty" tf:"table_class_override,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/dynamodb/v1beta1/zz_tag_types.go b/apis/dynamodb/v1beta1/zz_tag_types.go
index 7ea8126ca0..25794af420 100755
--- a/apis/dynamodb/v1beta1/zz_tag_types.go
+++ b/apis/dynamodb/v1beta1/zz_tag_types.go
@@ -17,6 +17,15 @@ type TagObservation struct {
 
 	// DynamoDB resource identifier and key, separated by a comma (,)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Tag name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Amazon Resource Name (ARN) of the DynamoDB resource to tag.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// Tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagParameters struct {
@@ -35,8 +44,8 @@ type TagParameters struct {
 	ResourceArn *string `json:"resourceArn" tf:"resource_arn,omitempty"`
 
 	// Tag value.
-	// +kubebuilder:validation:Required
-	Value *string `json:"value" tf:"value,omitempty"`
+	// +kubebuilder:validation:Optional
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 // TagSpec defines the desired state of Tag
@@ -63,8 +72,9 @@ type TagStatus struct {
 type Tag struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TagSpec   `json:"spec"`
-	Status            TagStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)",message="value is a required parameter"
+	Spec   TagSpec   `json:"spec"`
+	Status TagStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_ami_types.go b/apis/ec2/v1beta1/zz_ami_types.go
index 2dd36a4831..26b144cf7f 100755
--- a/apis/ec2/v1beta1/zz_ami_types.go
+++ b/apis/ec2/v1beta1/zz_ami_types.go
@@ -15,23 +15,60 @@ import (
 
 type AMIObservation struct {
 
+	// Machine architecture for created instances. Defaults to "x86_64".
+	Architecture *string `json:"architecture,omitempty" tf:"architecture,omitempty"`
+
 	// ARN of the AMI.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Boot mode of the AMI. For more information, see Boot modes in the Amazon Elastic Compute Cloud User Guide.
+	BootMode *string `json:"bootMode,omitempty" tf:"boot_mode,omitempty"`
+
+	// Date and time to deprecate the AMI. If you specified a value for seconds, Amazon EC2 rounds the seconds to the nearest minute. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
+	DeprecationTime *string `json:"deprecationTime,omitempty" tf:"deprecation_time,omitempty"`
+
+	// Longer, human-readable description for the AMI.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Nested block describing an EBS block device that should be
+	// attached to created instances. The structure of this block is described below.
+	EBSBlockDevice []EBSBlockDeviceObservation `json:"ebsBlockDevice,omitempty" tf:"ebs_block_device,omitempty"`
+
+	// Whether enhanced networking with ENA is enabled. Defaults to false.
+	EnaSupport *bool `json:"enaSupport,omitempty" tf:"ena_support,omitempty"`
+
+	// Nested block describing an ephemeral block device that
+	// should be attached to created instances. The structure of this block is described below.
+	EphemeralBlockDevice []EphemeralBlockDeviceObservation `json:"ephemeralBlockDevice,omitempty" tf:"ephemeral_block_device,omitempty"`
+
 	// Hypervisor type of the image.
 	Hypervisor *string `json:"hypervisor,omitempty" tf:"hypervisor,omitempty"`
 
 	// ID of the created AMI.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Path to an S3 object containing an image manifest, e.g., created
+	// by the ec2-upload-bundle command in the EC2 command line tools.
+	ImageLocation *string `json:"imageLocation,omitempty" tf:"image_location,omitempty"`
+
 	// AWS account alias (for example, amazon, self) or the AWS account ID of the AMI owner.
 	ImageOwnerAlias *string `json:"imageOwnerAlias,omitempty" tf:"image_owner_alias,omitempty"`
 
 	// Type of image.
 	ImageType *string `json:"imageType,omitempty" tf:"image_type,omitempty"`
 
+	// If EC2 instances started from this image should require the use of the Instance Metadata Service V2 (IMDSv2), set this argument to v2.0. For more information, see Configure instance metadata options for new instances.
+	ImdsSupport *string `json:"imdsSupport,omitempty" tf:"imds_support,omitempty"`
+
+	// ID of the kernel image (AKI) that will be used as the paravirtual
+	// kernel in created instances.
+	KernelID *string `json:"kernelId,omitempty" tf:"kernel_id,omitempty"`
+
 	ManageEBSSnapshots *bool `json:"manageEbsSnapshots,omitempty" tf:"manage_ebs_snapshots,omitempty"`
 
+	// Region-unique name for the AMI.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// AWS account ID of the image owner.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
@@ -44,14 +81,36 @@ type AMIObservation struct {
 	// Whether the image has public launch permissions.
 	Public *bool `json:"public,omitempty" tf:"public,omitempty"`
 
+	// ID of an initrd image (ARI) that will be used when booting the
+	// created instances.
+	RamdiskID *string `json:"ramdiskId,omitempty" tf:"ramdisk_id,omitempty"`
+
+	// Name of the root device (for example, /dev/sda1, or /dev/xvda).
+	RootDeviceName *string `json:"rootDeviceName,omitempty" tf:"root_device_name,omitempty"`
+
 	// Snapshot ID for the root volume (for EBS-backed AMIs)
 	RootSnapshotID *string `json:"rootSnapshotId,omitempty" tf:"root_snapshot_id,omitempty"`
 
+	// When set to "simple" (the default), enables enhanced networking
+	// for created instances. No other value is supported at this time.
+	SriovNetSupport *string `json:"sriovNetSupport,omitempty" tf:"sriov_net_support,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// If the image is configured for NitroTPM support, the value is v2.0. For more information, see NitroTPM in the Amazon Elastic Compute Cloud User Guide.
+	TpmSupport *string `json:"tpmSupport,omitempty" tf:"tpm_support,omitempty"`
+
 	// Operation of the Amazon EC2 instance and the billing code that is associated with the AMI.
 	UsageOperation *string `json:"usageOperation,omitempty" tf:"usage_operation,omitempty"`
+
+	// Keyword to choose what virtualization mode created instances
+	// will use. Can be either "paravirtual" (the default) or "hvm". The choice of virtualization type
+	// changes the set of further arguments that are required, as described below.
+	VirtualizationType *string `json:"virtualizationType,omitempty" tf:"virtualization_type,omitempty"`
 }
 
 type AMIParameters struct {
@@ -101,8 +160,8 @@ type AMIParameters struct {
 	KernelID *string `json:"kernelId,omitempty" tf:"kernel_id,omitempty"`
 
 	// Region-unique name for the AMI.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// ID of an initrd image (ARI) that will be used when booting the
 	// created instances.
@@ -139,6 +198,39 @@ type AMIParameters struct {
 }
 
 type EBSBlockDeviceObservation struct {
+
+	// Boolean controlling whether the EBS volumes created to
+	// support each created instance will be deleted once that instance is terminated.
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Path at which the device is exposed to created instances.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with snapshot_id.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// Number of I/O operations per second the
+	// created volumes will support.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// ARN of the Outpost on which the snapshot is stored.
+	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
+
+	// ID of an EBS snapshot that will be used to initialize the created
+	// EBS volumes. If set, the volume_size attribute must be at least as large as the referenced
+	// snapshot.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// Throughput that the EBS volume supports, in MiB/s. Only valid for volume_type of gp3.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// Size of created volumes in GiB.
+	// If snapshot_id is set and volume_size is omitted then the volume will have the same size
+	// as the selected snapshot.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of EBS volume to create. Can be standard, gp2, gp3, io1, io2, sc1 or st1 (Default: standard).
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type EBSBlockDeviceParameters struct {
@@ -196,6 +288,13 @@ type EBSBlockDeviceParameters struct {
 }
 
 type EphemeralBlockDeviceObservation struct {
+
+	// Path at which the device is exposed to created instances.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Name for the ephemeral device, of the form "ephemeralN" where
+	// N is a volume number starting from zero.
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type EphemeralBlockDeviceParameters struct {
@@ -234,8 +333,9 @@ type AMIStatus struct {
 type AMI struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AMISpec   `json:"spec"`
-	Status            AMIStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AMISpec   `json:"spec"`
+	Status AMIStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_amicopy_types.go b/apis/ec2/v1beta1/zz_amicopy_types.go
index 12fce326ec..29b92c071e 100755
--- a/apis/ec2/v1beta1/zz_amicopy_types.go
+++ b/apis/ec2/v1beta1/zz_amicopy_types.go
@@ -60,12 +60,21 @@ type AMICopyObservation struct {
 
 	BootMode *string `json:"bootMode,omitempty" tf:"boot_mode,omitempty"`
 
-	// +kubebuilder:validation:Optional
+	DeprecationTime *string `json:"deprecationTime,omitempty" tf:"deprecation_time,omitempty"`
+
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// ARN of the Outpost to which to copy the AMI.
+	// Only specify this parameter when copying an AMI from an AWS Region to an Outpost. The AMI must be in the Region of the destination Outpost.
+	DestinationOutpostArn *string `json:"destinationOutpostArn,omitempty" tf:"destination_outpost_arn,omitempty"`
+
 	EBSBlockDevice []AMICopyEBSBlockDeviceObservation `json:"ebsBlockDevice,omitempty" tf:"ebs_block_device,omitempty"`
 
 	EnaSupport *bool `json:"enaSupport,omitempty" tf:"ena_support,omitempty"`
 
-	// +kubebuilder:validation:Optional
+	// Whether the destination snapshots of the copied image should be encrypted. Defaults to false
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
 	EphemeralBlockDevice []AMICopyEphemeralBlockDeviceObservation `json:"ephemeralBlockDevice,omitempty" tf:"ephemeral_block_device,omitempty"`
 
 	Hypervisor *string `json:"hypervisor,omitempty" tf:"hypervisor,omitempty"`
@@ -81,11 +90,17 @@ type AMICopyObservation struct {
 
 	ImdsSupport *string `json:"imdsSupport,omitempty" tf:"imds_support,omitempty"`
 
+	// Full ARN of the KMS Key to use when encrypting the snapshots of an image during a copy operation. If not specified, then the default AWS KMS Key will be used
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// ID of the created AMI.
 	KernelID *string `json:"kernelId,omitempty" tf:"kernel_id,omitempty"`
 
 	ManageEBSSnapshots *bool `json:"manageEbsSnapshots,omitempty" tf:"manage_ebs_snapshots,omitempty"`
 
+	// Region-unique name for the AMI.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// ID of the created AMI.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
@@ -104,8 +119,19 @@ type AMICopyObservation struct {
 	// ID of the created AMI.
 	RootSnapshotID *string `json:"rootSnapshotId,omitempty" tf:"root_snapshot_id,omitempty"`
 
+	// Id of the AMI to copy. This id must be valid in the region
+	// given by source_ami_region.
+	SourceAMIID *string `json:"sourceAmiId,omitempty" tf:"source_ami_id,omitempty"`
+
+	// Region from which the AMI will be copied. This may be the
+	// same as the AWS provider region in order to create a copy within the same region.
+	SourceAMIRegion *string `json:"sourceAmiRegion,omitempty" tf:"source_ami_region,omitempty"`
+
 	SriovNetSupport *string `json:"sriovNetSupport,omitempty" tf:"sriov_net_support,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	TpmSupport *string `json:"tpmSupport,omitempty" tf:"tpm_support,omitempty"`
@@ -152,8 +178,8 @@ type AMICopyParameters struct {
 	KMSKeyIDSelector *v1.Selector `json:"kmsKeyIdSelector,omitempty" tf:"-"`
 
 	// Region-unique name for the AMI.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -176,8 +202,8 @@ type AMICopyParameters struct {
 
 	// Region from which the AMI will be copied. This may be the
 	// same as the AWS provider region in order to create a copy within the same region.
-	// +kubebuilder:validation:Required
-	SourceAMIRegion *string `json:"sourceAmiRegion" tf:"source_ami_region,omitempty"`
+	// +kubebuilder:validation:Optional
+	SourceAMIRegion *string `json:"sourceAmiRegion,omitempty" tf:"source_ami_region,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -208,8 +234,10 @@ type AMICopyStatus struct {
 type AMICopy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AMICopySpec   `json:"spec"`
-	Status            AMICopyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceAmiRegion)",message="sourceAmiRegion is a required parameter"
+	Spec   AMICopySpec   `json:"spec"`
+	Status AMICopyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_amilaunchpermission_types.go b/apis/ec2/v1beta1/zz_amilaunchpermission_types.go
index 79c409e051..f44a1e2db5 100755
--- a/apis/ec2/v1beta1/zz_amilaunchpermission_types.go
+++ b/apis/ec2/v1beta1/zz_amilaunchpermission_types.go
@@ -15,8 +15,23 @@ import (
 
 type AMILaunchPermissionObservation struct {
 
+	// AWS account ID for the launch permission.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// Name of the group for the launch permission. Valid values: "all".
+	Group *string `json:"group,omitempty" tf:"group,omitempty"`
+
 	// Launch permission ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ID of the AMI.
+	ImageID *string `json:"imageId,omitempty" tf:"image_id,omitempty"`
+
+	// ARN of an organization for the launch permission.
+	OrganizationArn *string `json:"organizationArn,omitempty" tf:"organization_arn,omitempty"`
+
+	// ARN of an organizational unit for the launch permission.
+	OrganizationalUnitArn *string `json:"organizationalUnitArn,omitempty" tf:"organizational_unit_arn,omitempty"`
 }
 
 type AMILaunchPermissionParameters struct {
diff --git a/apis/ec2/v1beta1/zz_availabilityzonegroup_types.go b/apis/ec2/v1beta1/zz_availabilityzonegroup_types.go
index 4130a778aa..69f5c7515e 100755
--- a/apis/ec2/v1beta1/zz_availabilityzonegroup_types.go
+++ b/apis/ec2/v1beta1/zz_availabilityzonegroup_types.go
@@ -17,13 +17,16 @@ type AvailabilityZoneGroupObservation struct {
 
 	// Name of the Availability Zone Group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Indicates whether to enable or disable Availability Zone Group. Valid values: opted-in or not-opted-in.
+	OptInStatus *string `json:"optInStatus,omitempty" tf:"opt_in_status,omitempty"`
 }
 
 type AvailabilityZoneGroupParameters struct {
 
 	// Indicates whether to enable or disable Availability Zone Group. Valid values: opted-in or not-opted-in.
-	// +kubebuilder:validation:Required
-	OptInStatus *string `json:"optInStatus" tf:"opt_in_status,omitempty"`
+	// +kubebuilder:validation:Optional
+	OptInStatus *string `json:"optInStatus,omitempty" tf:"opt_in_status,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -55,8 +58,9 @@ type AvailabilityZoneGroupStatus struct {
 type AvailabilityZoneGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AvailabilityZoneGroupSpec   `json:"spec"`
-	Status            AvailabilityZoneGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.optInStatus)",message="optInStatus is a required parameter"
+	Spec   AvailabilityZoneGroupSpec   `json:"spec"`
+	Status AvailabilityZoneGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_capacityreservation_types.go b/apis/ec2/v1beta1/zz_capacityreservation_types.go
index 8609f5aceb..d2af68c23d 100755
--- a/apis/ec2/v1beta1/zz_capacityreservation_types.go
+++ b/apis/ec2/v1beta1/zz_capacityreservation_types.go
@@ -18,21 +18,60 @@ type CapacityReservationObservation struct {
 	// The ARN of the Capacity Reservation.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Availability Zone in which to create the Capacity Reservation.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// Indicates whether the Capacity Reservation supports EBS-optimized instances.
+	EBSOptimized *bool `json:"ebsOptimized,omitempty" tf:"ebs_optimized,omitempty"`
+
+	// The date and time at which the Capacity Reservation expires. When a Capacity Reservation expires, the reserved capacity is released and you can no longer launch instances into it. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
+	EndDate *string `json:"endDate,omitempty" tf:"end_date,omitempty"`
+
+	// Indicates the way in which the Capacity Reservation ends. Specify either unlimited or limited.
+	EndDateType *string `json:"endDateType,omitempty" tf:"end_date_type,omitempty"`
+
+	// Indicates whether the Capacity Reservation supports instances with temporary, block-level storage.
+	EphemeralStorage *bool `json:"ephemeralStorage,omitempty" tf:"ephemeral_storage,omitempty"`
+
 	// The Capacity Reservation ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The number of instances for which to reserve capacity.
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	// Indicates the type of instance launches that the Capacity Reservation accepts. Specify either open or targeted.
+	InstanceMatchCriteria *string `json:"instanceMatchCriteria,omitempty" tf:"instance_match_criteria,omitempty"`
+
+	// The type of operating system for which to reserve capacity. Valid options are Linux/UNIX, Red Hat Enterprise Linux, SUSE Linux, Windows, Windows with SQL Server, Windows with SQL Server Enterprise, Windows with SQL Server Standard or Windows with SQL Server Web.
+	InstancePlatform *string `json:"instancePlatform,omitempty" tf:"instance_platform,omitempty"`
+
+	// The instance type for which to reserve capacity.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
+	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
+
 	// The ID of the AWS account that owns the Capacity Reservation.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// The Amazon Resource Name (ARN) of the cluster placement group in which to create the Capacity Reservation.
+	PlacementGroupArn *string `json:"placementGroupArn,omitempty" tf:"placement_group_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Indicates the tenancy of the Capacity Reservation. Specify either default or dedicated.
+	Tenancy *string `json:"tenancy,omitempty" tf:"tenancy,omitempty"`
 }
 
 type CapacityReservationParameters struct {
 
 	// The Availability Zone in which to create the Capacity Reservation.
-	// +kubebuilder:validation:Required
-	AvailabilityZone *string `json:"availabilityZone" tf:"availability_zone,omitempty"`
+	// +kubebuilder:validation:Optional
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
 	// Indicates whether the Capacity Reservation supports EBS-optimized instances.
 	// +kubebuilder:validation:Optional
@@ -51,20 +90,20 @@ type CapacityReservationParameters struct {
 	EphemeralStorage *bool `json:"ephemeralStorage,omitempty" tf:"ephemeral_storage,omitempty"`
 
 	// The number of instances for which to reserve capacity.
-	// +kubebuilder:validation:Required
-	InstanceCount *float64 `json:"instanceCount" tf:"instance_count,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
 
 	// Indicates the type of instance launches that the Capacity Reservation accepts. Specify either open or targeted.
 	// +kubebuilder:validation:Optional
 	InstanceMatchCriteria *string `json:"instanceMatchCriteria,omitempty" tf:"instance_match_criteria,omitempty"`
 
 	// The type of operating system for which to reserve capacity. Valid options are Linux/UNIX, Red Hat Enterprise Linux, SUSE Linux, Windows, Windows with SQL Server, Windows with SQL Server Enterprise, Windows with SQL Server Standard or Windows with SQL Server Web.
-	// +kubebuilder:validation:Required
-	InstancePlatform *string `json:"instancePlatform" tf:"instance_platform,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstancePlatform *string `json:"instancePlatform,omitempty" tf:"instance_platform,omitempty"`
 
 	// The instance type for which to reserve capacity.
-	// +kubebuilder:validation:Required
-	InstanceType *string `json:"instanceType" tf:"instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
 
 	// The Amazon Resource Name (ARN) of the Outpost on which to create the Capacity Reservation.
 	// +kubebuilder:validation:Optional
@@ -112,8 +151,12 @@ type CapacityReservationStatus struct {
 type CapacityReservation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CapacityReservationSpec   `json:"spec"`
-	Status            CapacityReservationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)",message="availabilityZone is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceCount)",message="instanceCount is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePlatform)",message="instancePlatform is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)",message="instanceType is a required parameter"
+	Spec   CapacityReservationSpec   `json:"spec"`
+	Status CapacityReservationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_carriergateway_types.go b/apis/ec2/v1beta1/zz_carriergateway_types.go
index 30f67a7762..b0412d21db 100755
--- a/apis/ec2/v1beta1/zz_carriergateway_types.go
+++ b/apis/ec2/v1beta1/zz_carriergateway_types.go
@@ -24,8 +24,14 @@ type CarrierGatewayObservation struct {
 	// The AWS account ID of the owner of the carrier gateway.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the VPC to associate with the carrier gateway.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type CarrierGatewayParameters struct {
diff --git a/apis/ec2/v1beta1/zz_customergateway_types.go b/apis/ec2/v1beta1/zz_customergateway_types.go
index 32532a8ea9..ab035ef031 100755
--- a/apis/ec2/v1beta1/zz_customergateway_types.go
+++ b/apis/ec2/v1beta1/zz_customergateway_types.go
@@ -18,18 +18,37 @@ type CustomerGatewayObservation struct {
 	// The ARN of the customer gateway.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN).
+	BGPAsn *string `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
+	// The Amazon Resource Name (ARN) for the customer gateway certificate.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
+	// A name for the customer gateway device.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
 	// The amazon-assigned ID of the gateway.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IPv4 address for the customer gateway device's outside interface.
+	IPAddress *string `json:"ipAddress,omitempty" tf:"ip_address,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The type of customer gateway. The only type AWS
+	// supports at this time is "ipsec.1".
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type CustomerGatewayParameters struct {
 
 	// The gateway's Border Gateway Protocol (BGP) Autonomous System Number (ASN).
-	// +kubebuilder:validation:Required
-	BGPAsn *string `json:"bgpAsn" tf:"bgp_asn,omitempty"`
+	// +kubebuilder:validation:Optional
+	BGPAsn *string `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The Amazon Resource Name (ARN) for the customer gateway certificate.
 	// +kubebuilder:validation:Optional
@@ -54,8 +73,8 @@ type CustomerGatewayParameters struct {
 
 	// The type of customer gateway. The only type AWS
 	// supports at this time is "ipsec.1".
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // CustomerGatewaySpec defines the desired state of CustomerGateway
@@ -82,8 +101,10 @@ type CustomerGatewayStatus struct {
 type CustomerGateway struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CustomerGatewaySpec   `json:"spec"`
-	Status            CustomerGatewayStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)",message="bgpAsn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   CustomerGatewaySpec   `json:"spec"`
+	Status CustomerGatewayStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_defaultnetworkacl_types.go b/apis/ec2/v1beta1/zz_defaultnetworkacl_types.go
index 3a22ee0d6d..be3a4e5b1c 100755
--- a/apis/ec2/v1beta1/zz_defaultnetworkacl_types.go
+++ b/apis/ec2/v1beta1/zz_defaultnetworkacl_types.go
@@ -18,12 +18,27 @@ type DefaultNetworkACLObservation struct {
 	// ARN of the Default Network ACL
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Network ACL ID to manage. This attribute is exported from aws_vpc, or manually found via the AWS Console.
+	DefaultNetworkACLID *string `json:"defaultNetworkAclId,omitempty" tf:"default_network_acl_id,omitempty"`
+
+	// Configuration block for an egress rule. Detailed below.
+	Egress []EgressObservation `json:"egress,omitempty" tf:"egress,omitempty"`
+
 	// ID of the Default Network ACL
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block for an ingress rule. Detailed below.
+	Ingress []IngressObservation `json:"ingress,omitempty" tf:"ingress,omitempty"`
+
 	// ID of the AWS account that owns the Default Network ACL
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// List of Subnet IDs to apply the ACL to. See the notes above on Managing Subnets in the Default Network ACL
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -81,6 +96,33 @@ type DefaultNetworkACLParameters struct {
 }
 
 type EgressObservation struct {
+
+	// The action to take.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
+	// The CIDR block to match. This must be a valid network mask.
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
+	// The from port to match.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// The IPv6 CIDR block.
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
+	// The ICMP type code to be used. Default 0.
+	IcmpCode *float64 `json:"icmpCode,omitempty" tf:"icmp_code,omitempty"`
+
+	// The ICMP type to be used. Default 0.
+	IcmpType *float64 `json:"icmpType,omitempty" tf:"icmp_type,omitempty"`
+
+	// The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// The rule number. Used for ordering.
+	RuleNo *float64 `json:"ruleNo,omitempty" tf:"rule_no,omitempty"`
+
+	// The to port to match.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type EgressParameters struct {
@@ -123,6 +165,33 @@ type EgressParameters struct {
 }
 
 type IngressObservation struct {
+
+	// The action to take.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
+	// The CIDR block to match. This must be a valid network mask.
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
+	// The from port to match.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// The IPv6 CIDR block.
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
+	// The ICMP type code to be used. Default 0.
+	IcmpCode *float64 `json:"icmpCode,omitempty" tf:"icmp_code,omitempty"`
+
+	// The ICMP type to be used. Default 0.
+	IcmpType *float64 `json:"icmpType,omitempty" tf:"icmp_type,omitempty"`
+
+	// The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// The rule number. Used for ordering.
+	RuleNo *float64 `json:"ruleNo,omitempty" tf:"rule_no,omitempty"`
+
+	// The to port to match.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type IngressParameters struct {
diff --git a/apis/ec2/v1beta1/zz_defaultroutetable_types.go b/apis/ec2/v1beta1/zz_defaultroutetable_types.go
index de288415e0..989afb38e1 100755
--- a/apis/ec2/v1beta1/zz_defaultroutetable_types.go
+++ b/apis/ec2/v1beta1/zz_defaultroutetable_types.go
@@ -18,12 +18,24 @@ type DefaultRouteTableObservation struct {
 	// The ARN of the route table.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ID of the default route table.
+	DefaultRouteTableID *string `json:"defaultRouteTableId,omitempty" tf:"default_route_table_id,omitempty"`
+
 	// ID of the route table.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// ID of the AWS account that owns the route table.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// List of virtual gateways for propagation.
+	PropagatingVgws []*string `json:"propagatingVgws,omitempty" tf:"propagating_vgws,omitempty"`
+
+	// Configuration block of routes. Detailed below. This argument is processed in attribute-as-blocks mode. This means that omitting this argument is interpreted as ignoring any existing routes. To remove all managed routes an empty list should be specified. See the example above.
+	Route []RouteObservation `json:"route,omitempty" tf:"route,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -66,6 +78,42 @@ type DefaultRouteTableParameters struct {
 }
 
 type RouteObservation struct {
+
+	// The CIDR block of the route.
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
+	// The Amazon Resource Name (ARN) of a core network.
+	CoreNetworkArn *string `json:"coreNetworkArn,omitempty" tf:"core_network_arn,omitempty"`
+
+	// The ID of a managed prefix list destination of the route.
+	DestinationPrefixListID *string `json:"destinationPrefixListId,omitempty" tf:"destination_prefix_list_id,omitempty"`
+
+	// Identifier of a VPC Egress Only Internet Gateway.
+	EgressOnlyGatewayID *string `json:"egressOnlyGatewayId,omitempty" tf:"egress_only_gateway_id,omitempty"`
+
+	// Identifier of a VPC internet gateway or a virtual private gateway.
+	GatewayID *string `json:"gatewayId,omitempty" tf:"gateway_id,omitempty"`
+
+	// The Ipv6 CIDR block of the route
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
+	// Identifier of an EC2 instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// Identifier of a VPC NAT gateway.
+	NATGatewayID *string `json:"natGatewayId,omitempty" tf:"nat_gateway_id,omitempty"`
+
+	// Identifier of an EC2 network interface.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
+	// Identifier of an EC2 Transit Gateway.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
+
+	// Identifier of a VPC Endpoint. This route must be removed prior to VPC Endpoint deletion.
+	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
+
+	// Identifier of a VPC peering connection.
+	VPCPeeringConnectionID *string `json:"vpcPeeringConnectionId,omitempty" tf:"vpc_peering_connection_id,omitempty"`
 }
 
 type RouteParameters struct {
diff --git a/apis/ec2/v1beta1/zz_defaultsecuritygroup_types.go b/apis/ec2/v1beta1/zz_defaultsecuritygroup_types.go
index 744b8d0acb..b78f46c40f 100755
--- a/apis/ec2/v1beta1/zz_defaultsecuritygroup_types.go
+++ b/apis/ec2/v1beta1/zz_defaultsecuritygroup_types.go
@@ -14,6 +14,33 @@ import (
 )
 
 type DefaultSecurityGroupEgressObservation struct {
+
+	// List of CIDR blocks.
+	CidrBlocks []*string `json:"cidrBlocks,omitempty" tf:"cidr_blocks,omitempty"`
+
+	// Description of this rule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Start port (or ICMP type number if protocol is icmp)
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// List of IPv6 CIDR blocks.
+	IPv6CidrBlocks []*string `json:"ipv6CidrBlocks,omitempty" tf:"ipv6_cidr_blocks,omitempty"`
+
+	// List of prefix list IDs (for allowing access to VPC endpoints)
+	PrefixListIds []*string `json:"prefixListIds,omitempty" tf:"prefix_list_ids,omitempty"`
+
+	// Protocol. If you select a protocol of "-1" (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. If not icmp, tcp, udp, or -1 use the protocol number.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// Whether the security group itself will be added as a source to this egress rule.
+	Self *bool `json:"self,omitempty" tf:"self,omitempty"`
+
+	// End range port (or ICMP code if protocol is icmp).
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type DefaultSecurityGroupEgressParameters struct {
@@ -56,6 +83,33 @@ type DefaultSecurityGroupEgressParameters struct {
 }
 
 type DefaultSecurityGroupIngressObservation struct {
+
+	// List of CIDR blocks.
+	CidrBlocks []*string `json:"cidrBlocks,omitempty" tf:"cidr_blocks,omitempty"`
+
+	// Description of this rule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Start port (or ICMP type number if protocol is icmp)
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// List of IPv6 CIDR blocks.
+	IPv6CidrBlocks []*string `json:"ipv6CidrBlocks,omitempty" tf:"ipv6_cidr_blocks,omitempty"`
+
+	// List of prefix list IDs (for allowing access to VPC endpoints)
+	PrefixListIds []*string `json:"prefixListIds,omitempty" tf:"prefix_list_ids,omitempty"`
+
+	// Protocol. If you select a protocol of "-1" (semantically equivalent to all, which is not a valid value here), you must specify a from_port and to_port equal to 0. If not icmp, tcp, udp, or -1 use the protocol number.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// Whether the security group itself will be added as a source to this egress rule.
+	Self *bool `json:"self,omitempty" tf:"self,omitempty"`
+
+	// End range port (or ICMP code if protocol is icmp).
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type DefaultSecurityGroupIngressParameters struct {
@@ -105,17 +159,31 @@ type DefaultSecurityGroupObservation struct {
 	// Description of this rule.
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
+	// Configuration block. Detailed below.
+	Egress []DefaultSecurityGroupEgressObservation `json:"egress,omitempty" tf:"egress,omitempty"`
+
 	// ID of the security group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block. Detailed below.
+	Ingress []DefaultSecurityGroupIngressObservation `json:"ingress,omitempty" tf:"ingress,omitempty"`
+
 	// Name of the security group.
 	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Owner ID.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	RevokeRulesOnDelete *bool `json:"revokeRulesOnDelete,omitempty" tf:"revoke_rules_on_delete,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// VPC ID. Note that changing the  It will be left in its current state.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type DefaultSecurityGroupParameters struct {
diff --git a/apis/ec2/v1beta1/zz_defaultsubnet_types.go b/apis/ec2/v1beta1/zz_defaultsubnet_types.go
index 570aaf768d..5aa20182c6 100755
--- a/apis/ec2/v1beta1/zz_defaultsubnet_types.go
+++ b/apis/ec2/v1beta1/zz_defaultsubnet_types.go
@@ -16,22 +16,52 @@ import (
 type DefaultSubnetObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	AssignIPv6AddressOnCreation *bool `json:"assignIpv6AddressOnCreation,omitempty" tf:"assign_ipv6_address_on_creation,omitempty"`
+
+	// is required
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
 	// , cidr_block and vpc_id arguments become computed attributes
 	AvailabilityZoneID *string `json:"availabilityZoneId,omitempty" tf:"availability_zone_id,omitempty"`
 
 	// The IPv4 CIDR block assigned to the subnet
 	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
 
+	CustomerOwnedIPv4Pool *string `json:"customerOwnedIpv4Pool,omitempty" tf:"customer_owned_ipv4_pool,omitempty"`
+
+	EnableDns64 *bool `json:"enableDns64,omitempty" tf:"enable_dns64,omitempty"`
+
+	EnableResourceNameDNSARecordOnLaunch *bool `json:"enableResourceNameDnsARecordOnLaunch,omitempty" tf:"enable_resource_name_dns_a_record_on_launch,omitempty"`
+
+	EnableResourceNameDNSAaaaRecordOnLaunch *bool `json:"enableResourceNameDnsAaaaRecordOnLaunch,omitempty" tf:"enable_resource_name_dns_aaaa_record_on_launch,omitempty"`
+
 	ExistingDefaultSubnet *bool `json:"existingDefaultSubnet,omitempty" tf:"existing_default_subnet,omitempty"`
 
+	// Whether destroying the resource deletes the default subnet. Default: false
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IPv4 CIDR block assigned to the subnet
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
 	IPv6CidrBlockAssociationID *string `json:"ipv6CidrBlockAssociationId,omitempty" tf:"ipv6_cidr_block_association_id,omitempty"`
 
+	IPv6Native *bool `json:"ipv6Native,omitempty" tf:"ipv6_native,omitempty"`
+
+	MapCustomerOwnedIPOnLaunch *bool `json:"mapCustomerOwnedIpOnLaunch,omitempty" tf:"map_customer_owned_ip_on_launch,omitempty"`
+
+	// is true
+	MapPublicIPOnLaunch *bool `json:"mapPublicIpOnLaunch,omitempty" tf:"map_public_ip_on_launch,omitempty"`
+
 	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
 
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	PrivateDNSHostnameTypeOnLaunch *string `json:"privateDnsHostnameTypeOnLaunch,omitempty" tf:"private_dns_hostname_type_on_launch,omitempty"`
+
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The ID of the VPC the subnet is in
@@ -44,8 +74,8 @@ type DefaultSubnetParameters struct {
 	AssignIPv6AddressOnCreation *bool `json:"assignIpv6AddressOnCreation,omitempty" tf:"assign_ipv6_address_on_creation,omitempty"`
 
 	// is required
-	// +kubebuilder:validation:Required
-	AvailabilityZone *string `json:"availabilityZone" tf:"availability_zone,omitempty"`
+	// +kubebuilder:validation:Optional
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
 	// +kubebuilder:validation:Optional
 	CustomerOwnedIPv4Pool *string `json:"customerOwnedIpv4Pool,omitempty" tf:"customer_owned_ipv4_pool,omitempty"`
@@ -113,8 +143,9 @@ type DefaultSubnetStatus struct {
 type DefaultSubnet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DefaultSubnetSpec   `json:"spec"`
-	Status            DefaultSubnetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)",message="availabilityZone is a required parameter"
+	Spec   DefaultSubnetSpec   `json:"spec"`
+	Status DefaultSubnetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_defaultvpc_types.go b/apis/ec2/v1beta1/zz_defaultvpc_types.go
index 44526f57bc..1a07772599 100755
--- a/apis/ec2/v1beta1/zz_defaultvpc_types.go
+++ b/apis/ec2/v1beta1/zz_defaultvpc_types.go
@@ -16,6 +16,9 @@ import (
 type DefaultVPCObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// and instance_tenancy arguments become computed attributes
+	AssignGeneratedIPv6CidrBlock *bool `json:"assignGeneratedIpv6CidrBlock,omitempty" tf:"assign_generated_ipv6_cidr_block,omitempty"`
+
 	// and instance_tenancy arguments become computed attributes
 	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
 
@@ -27,12 +30,35 @@ type DefaultVPCObservation struct {
 
 	DefaultSecurityGroupID *string `json:"defaultSecurityGroupId,omitempty" tf:"default_security_group_id,omitempty"`
 
+	EnableClassiclink *bool `json:"enableClassiclink,omitempty" tf:"enable_classiclink,omitempty"`
+
+	EnableClassiclinkDNSSupport *bool `json:"enableClassiclinkDnsSupport,omitempty" tf:"enable_classiclink_dns_support,omitempty"`
+
+	// is true
+	EnableDNSHostnames *bool `json:"enableDnsHostnames,omitempty" tf:"enable_dns_hostnames,omitempty"`
+
+	EnableDNSSupport *bool `json:"enableDnsSupport,omitempty" tf:"enable_dns_support,omitempty"`
+
+	EnableNetworkAddressUsageMetrics *bool `json:"enableNetworkAddressUsageMetrics,omitempty" tf:"enable_network_address_usage_metrics,omitempty"`
+
 	ExistingDefaultVPC *bool `json:"existingDefaultVpc,omitempty" tf:"existing_default_vpc,omitempty"`
 
+	// Whether destroying the resource deletes the default VPC. Default: false
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	IPv6AssociationID *string `json:"ipv6AssociationId,omitempty" tf:"ipv6_association_id,omitempty"`
 
+	// and instance_tenancy arguments become computed attributes
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
+	IPv6CidrBlockNetworkBorderGroup *string `json:"ipv6CidrBlockNetworkBorderGroup,omitempty" tf:"ipv6_cidr_block_network_border_group,omitempty"`
+
+	IPv6IpamPoolID *string `json:"ipv6IpamPoolId,omitempty" tf:"ipv6_ipam_pool_id,omitempty"`
+
+	IPv6NetmaskLength *float64 `json:"ipv6NetmaskLength,omitempty" tf:"ipv6_netmask_length,omitempty"`
+
 	// The allowed tenancy of instances launched into the VPC
 	InstanceTenancy *string `json:"instanceTenancy,omitempty" tf:"instance_tenancy,omitempty"`
 
@@ -40,6 +66,8 @@ type DefaultVPCObservation struct {
 
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
diff --git a/apis/ec2/v1beta1/zz_defaultvpcdhcpoptions_types.go b/apis/ec2/v1beta1/zz_defaultvpcdhcpoptions_types.go
index 2783b81149..81e298d14d 100755
--- a/apis/ec2/v1beta1/zz_defaultvpcdhcpoptions_types.go
+++ b/apis/ec2/v1beta1/zz_defaultvpcdhcpoptions_types.go
@@ -33,6 +33,12 @@ type DefaultVPCDHCPOptionsObservation struct {
 
 	NtpServers *string `json:"ntpServers,omitempty" tf:"ntp_servers,omitempty"`
 
+	// The ID of the AWS account that owns the DHCP options set.
+	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
diff --git a/apis/ec2/v1beta1/zz_ebsdefaultkmskey_types.go b/apis/ec2/v1beta1/zz_ebsdefaultkmskey_types.go
index 54f50bb1f6..325d0d1876 100755
--- a/apis/ec2/v1beta1/zz_ebsdefaultkmskey_types.go
+++ b/apis/ec2/v1beta1/zz_ebsdefaultkmskey_types.go
@@ -15,6 +15,9 @@ import (
 
 type EBSDefaultKMSKeyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use to encrypt the EBS volume.
+	KeyArn *string `json:"keyArn,omitempty" tf:"key_arn,omitempty"`
 }
 
 type EBSDefaultKMSKeyParameters struct {
diff --git a/apis/ec2/v1beta1/zz_ebsencryptionbydefault_types.go b/apis/ec2/v1beta1/zz_ebsencryptionbydefault_types.go
index 86ed41413f..fd1c2559b6 100755
--- a/apis/ec2/v1beta1/zz_ebsencryptionbydefault_types.go
+++ b/apis/ec2/v1beta1/zz_ebsencryptionbydefault_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type EBSEncryptionByDefaultObservation struct {
+
+	// Whether or not default EBS encryption is enabled. Valid values are true or false. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
diff --git a/apis/ec2/v1beta1/zz_ebssnapshot_types.go b/apis/ec2/v1beta1/zz_ebssnapshot_types.go
index ae5e287113..2e10442f53 100755
--- a/apis/ec2/v1beta1/zz_ebssnapshot_types.go
+++ b/apis/ec2/v1beta1/zz_ebssnapshot_types.go
@@ -21,6 +21,9 @@ type EBSSnapshotObservation struct {
 	// The data encryption key identifier for the snapshot.
 	DataEncryptionKeyID *string `json:"dataEncryptionKeyId,omitempty" tf:"data_encryption_key_id,omitempty"`
 
+	// A description of what the snapshot is.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Whether the snapshot is encrypted.
 	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
 
@@ -30,15 +33,33 @@ type EBSSnapshotObservation struct {
 	// The ARN for the KMS encryption key.
 	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 
+	// The Amazon Resource Name (ARN) of the Outpost on which to create a local snapshot.
+	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
+
 	// Value from an Amazon-maintained list (amazon, aws-marketplace, microsoft) of snapshot owners.
 	OwnerAlias *string `json:"ownerAlias,omitempty" tf:"owner_alias,omitempty"`
 
 	// The AWS account ID of the EBS snapshot owner.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Indicates whether to permanently restore an archived snapshot.
+	PermanentRestore *bool `json:"permanentRestore,omitempty" tf:"permanent_restore,omitempty"`
+
+	// The name of the storage tier. Valid values are archive and standard. Default value is standard.
+	StorageTier *string `json:"storageTier,omitempty" tf:"storage_tier,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Specifies the number of days for which to temporarily restore an archived snapshot. Required for temporary restores only. The snapshot will be automatically re-archived after this period.
+	TemporaryRestoreDays *float64 `json:"temporaryRestoreDays,omitempty" tf:"temporary_restore_days,omitempty"`
+
+	// The Volume ID of which to make a snapshot.
+	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
+
 	// The size of the drive in GiBs.
 	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_ebssnapshotcopy_types.go b/apis/ec2/v1beta1/zz_ebssnapshotcopy_types.go
index ba52ee2ff6..030e1686e6 100755
--- a/apis/ec2/v1beta1/zz_ebssnapshotcopy_types.go
+++ b/apis/ec2/v1beta1/zz_ebssnapshotcopy_types.go
@@ -21,9 +21,18 @@ type EBSSnapshotCopyObservation struct {
 	// The data encryption key identifier for the snapshot.
 	DataEncryptionKeyID *string `json:"dataEncryptionKeyId,omitempty" tf:"data_encryption_key_id,omitempty"`
 
+	// A description of what the snapshot is.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether the snapshot is encrypted.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
 	// The snapshot ID (e.g., snap-59fcb34e).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN for the KMS encryption key.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// Amazon Resource Name (ARN) of the EBS Snapshot.
 	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
 
@@ -33,9 +42,27 @@ type EBSSnapshotCopyObservation struct {
 	// The AWS account ID of the snapshot owner.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Indicates whether to permanently restore an archived snapshot.
+	PermanentRestore *bool `json:"permanentRestore,omitempty" tf:"permanent_restore,omitempty"`
+
+	// The region of the source snapshot.
+	SourceRegion *string `json:"sourceRegion,omitempty" tf:"source_region,omitempty"`
+
+	// The ARN for the snapshot to be copied.
+	SourceSnapshotID *string `json:"sourceSnapshotId,omitempty" tf:"source_snapshot_id,omitempty"`
+
+	// The name of the storage tier. Valid values are archive and standard. Default value is standard.
+	StorageTier *string `json:"storageTier,omitempty" tf:"storage_tier,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Specifies the number of days for which to temporarily restore an archived snapshot. Required for temporary restores only. The snapshot will be automatically re-archived after this period.
+	TemporaryRestoreDays *float64 `json:"temporaryRestoreDays,omitempty" tf:"temporary_restore_days,omitempty"`
+
 	// The snapshot ID (e.g., snap-59fcb34e).
 	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
 
@@ -76,8 +103,8 @@ type EBSSnapshotCopyParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The region of the source snapshot.
-	// +kubebuilder:validation:Required
-	SourceRegion *string `json:"sourceRegion" tf:"source_region,omitempty"`
+	// +kubebuilder:validation:Optional
+	SourceRegion *string `json:"sourceRegion,omitempty" tf:"source_region,omitempty"`
 
 	// The ARN for the snapshot to be copied.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ec2/v1beta1.EBSSnapshot
@@ -130,8 +157,9 @@ type EBSSnapshotCopyStatus struct {
 type EBSSnapshotCopy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EBSSnapshotCopySpec   `json:"spec"`
-	Status            EBSSnapshotCopyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceRegion)",message="sourceRegion is a required parameter"
+	Spec   EBSSnapshotCopySpec   `json:"spec"`
+	Status EBSSnapshotCopyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_ebssnapshotimport_types.go b/apis/ec2/v1beta1/zz_ebssnapshotimport_types.go
index 0bb2dd62e6..24a3b04946 100755
--- a/apis/ec2/v1beta1/zz_ebssnapshotimport_types.go
+++ b/apis/ec2/v1beta1/zz_ebssnapshotimport_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type ClientDataObservation struct {
+
+	// A user-defined comment about the disk upload.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// The time that the disk upload ends.
+	UploadEnd *string `json:"uploadEnd,omitempty" tf:"upload_end,omitempty"`
+
+	// The size of the uploaded disk image, in GiB.
+	UploadSize *float64 `json:"uploadSize,omitempty" tf:"upload_size,omitempty"`
+
+	// The time that the disk upload starts.
+	UploadStart *string `json:"uploadStart,omitempty" tf:"upload_start,omitempty"`
 }
 
 type ClientDataParameters struct {
@@ -36,6 +48,18 @@ type ClientDataParameters struct {
 }
 
 type DiskContainerObservation struct {
+
+	// The description of the disk image being imported.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The format of the disk image being imported. One of VHD or VMDK.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
+
+	// The URL to the Amazon S3-based disk image being imported. It can either be a https URL (https://..) or an Amazon S3 URL (s3://..). One of url or user_bucket must be set.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// The Amazon S3 bucket for the disk image. One of url or user_bucket must be set. Detailed below.
+	UserBucket []UserBucketObservation `json:"userBucket,omitempty" tf:"user_bucket,omitempty"`
 }
 
 type DiskContainerParameters struct {
@@ -62,12 +86,27 @@ type EBSSnapshotImportObservation struct {
 	// Amazon Resource Name (ARN) of the EBS Snapshot.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The client-specific data. Detailed below.
+	ClientData []ClientDataObservation `json:"clientData,omitempty" tf:"client_data,omitempty"`
+
 	// The data encryption key identifier for the snapshot.
 	DataEncryptionKeyID *string `json:"dataEncryptionKeyId,omitempty" tf:"data_encryption_key_id,omitempty"`
 
+	// The description string for the import snapshot task.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Information about the disk container. Detailed below.
+	DiskContainer []DiskContainerObservation `json:"diskContainer,omitempty" tf:"disk_container,omitempty"`
+
+	// Specifies whether the destination snapshot of the imported image should be encrypted. The default KMS key for EBS is used unless you specify a non-default KMS key using KmsKeyId.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
 	// The snapshot ID (e.g., snap-59fcb34e).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// An identifier for the symmetric KMS key to use when creating the encrypted snapshot. This parameter is only required if you want to use a non-default KMS key; if this parameter is not specified, the default KMS key for EBS is used. If a KmsKeyId is specified, the Encrypted flag must also be set.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// Amazon Resource Name (ARN) of the EBS Snapshot.
 	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
 
@@ -77,9 +116,24 @@ type EBSSnapshotImportObservation struct {
 	// The AWS account ID of the EBS snapshot owner.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Indicates whether to permanently restore an archived snapshot.
+	PermanentRestore *bool `json:"permanentRestore,omitempty" tf:"permanent_restore,omitempty"`
+
+	// The name of the IAM Role the VM Import/Export service will assume. This role needs certain permissions. See https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role. Default: vmimport
+	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`
+
+	// The name of the storage tier. Valid values are archive and standard. Default value is standard.
+	StorageTier *string `json:"storageTier,omitempty" tf:"storage_tier,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Specifies the number of days for which to temporarily restore an archived snapshot. Required for temporary restores only. The snapshot will be automatically re-archived after this period.
+	TemporaryRestoreDays *float64 `json:"temporaryRestoreDays,omitempty" tf:"temporary_restore_days,omitempty"`
+
 	// The snapshot ID (e.g., snap-59fcb34e).
 	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
 
@@ -98,8 +152,8 @@ type EBSSnapshotImportParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Information about the disk container. Detailed below.
-	// +kubebuilder:validation:Required
-	DiskContainer []DiskContainerParameters `json:"diskContainer" tf:"disk_container,omitempty"`
+	// +kubebuilder:validation:Optional
+	DiskContainer []DiskContainerParameters `json:"diskContainer,omitempty" tf:"disk_container,omitempty"`
 
 	// Specifies whether the destination snapshot of the imported image should be encrypted. The default KMS key for EBS is used unless you specify a non-default KMS key using KmsKeyId.
 	// +kubebuilder:validation:Optional
@@ -145,6 +199,12 @@ type EBSSnapshotImportParameters struct {
 }
 
 type UserBucketObservation struct {
+
+	// The name of the Amazon S3 bucket where the disk image is located.
+	S3Bucket *string `json:"s3Bucket,omitempty" tf:"s3_bucket,omitempty"`
+
+	// The file name of the disk image.
+	S3Key *string `json:"s3Key,omitempty" tf:"s3_key,omitempty"`
 }
 
 type UserBucketParameters struct {
@@ -182,8 +242,9 @@ type EBSSnapshotImportStatus struct {
 type EBSSnapshotImport struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EBSSnapshotImportSpec   `json:"spec"`
-	Status            EBSSnapshotImportStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.diskContainer)",message="diskContainer is a required parameter"
+	Spec   EBSSnapshotImportSpec   `json:"spec"`
+	Status EBSSnapshotImportStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_ebsvolume_types.go b/apis/ec2/v1beta1/zz_ebsvolume_types.go
index 61c417e849..d3cdf832aa 100755
--- a/apis/ec2/v1beta1/zz_ebsvolume_types.go
+++ b/apis/ec2/v1beta1/zz_ebsvolume_types.go
@@ -18,18 +18,54 @@ type EBSVolumeObservation struct {
 	// The volume ARN (e.g., arn:aws:ec2:us-east-1:0123456789012:volume/vol-59fcb34e).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The AZ where the EBS volume will exist.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// If true, the disk will be encrypted.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// If true, snapshot will be created before volume deletion. Any tags on the volume will be migrated to the snapshot. By default set to false
+	FinalSnapshot *bool `json:"finalSnapshot,omitempty" tf:"final_snapshot,omitempty"`
+
 	// The volume ID (e.g., vol-59fcb34e).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The amount of IOPS to provision for the disk. Only valid for type of io1, io2 or gp3.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Specifies whether to enable Amazon EBS Multi-Attach. Multi-Attach is supported on io1 and io2 volumes.
+	MultiAttachEnabled *bool `json:"multiAttachEnabled,omitempty" tf:"multi_attach_enabled,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Outpost.
+	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
+
+	// The size of the drive in GiBs.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// A snapshot to base the EBS volume off of.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The throughput that the volume supports, in MiB/s. Only valid for type of gp3.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// The type of EBS volume. Can be standard, gp2, gp3, io1, io2, sc1 or st1 (Default: gp2).
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EBSVolumeParameters struct {
 
 	// The AZ where the EBS volume will exist.
-	// +kubebuilder:validation:Required
-	AvailabilityZone *string `json:"availabilityZone" tf:"availability_zone,omitempty"`
+	// +kubebuilder:validation:Optional
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
 	// If true, the disk will be encrypted.
 	// +kubebuilder:validation:Optional
@@ -114,8 +150,9 @@ type EBSVolumeStatus struct {
 type EBSVolume struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EBSVolumeSpec   `json:"spec"`
-	Status            EBSVolumeStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)",message="availabilityZone is a required parameter"
+	Spec   EBSVolumeSpec   `json:"spec"`
+	Status EBSVolumeStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_egressonlyinternetgateway_types.go b/apis/ec2/v1beta1/zz_egressonlyinternetgateway_types.go
index 0ec5cb8b4f..29303d3f5d 100755
--- a/apis/ec2/v1beta1/zz_egressonlyinternetgateway_types.go
+++ b/apis/ec2/v1beta1/zz_egressonlyinternetgateway_types.go
@@ -18,8 +18,14 @@ type EgressOnlyInternetGatewayObservation struct {
 	// The ID of the egress-only Internet gateway.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VPC ID to create in.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type EgressOnlyInternetGatewayParameters struct {
diff --git a/apis/ec2/v1beta1/zz_eip_types.go b/apis/ec2/v1beta1/zz_eip_types.go
index 052e1cf1b5..7bfd4f0d6c 100755
--- a/apis/ec2/v1beta1/zz_eip_types.go
+++ b/apis/ec2/v1beta1/zz_eip_types.go
@@ -15,9 +15,15 @@ import (
 
 type EIPObservation struct {
 
+	// IP address from an EC2 BYOIP pool. This option is only available for VPC EIPs.
+	Address *string `json:"address,omitempty" tf:"address,omitempty"`
+
 	// ID that AWS assigns to represent the allocation of the Elastic IP address for use with instances in a VPC.
 	AllocationID *string `json:"allocationId,omitempty" tf:"allocation_id,omitempty"`
 
+	// User-specified primary or secondary private IP address to associate with the Elastic IP address. If no private IP address is specified, the Elastic IP address is associated with the primary private IP address.
+	AssociateWithPrivateIP *string `json:"associateWithPrivateIp,omitempty" tf:"associate_with_private_ip,omitempty"`
+
 	// ID representing the association of the address with an instance in a VPC.
 	AssociationID *string `json:"associationId,omitempty" tf:"association_id,omitempty"`
 
@@ -27,12 +33,24 @@ type EIPObservation struct {
 	// Customer owned IP.
 	CustomerOwnedIP *string `json:"customerOwnedIp,omitempty" tf:"customer_owned_ip,omitempty"`
 
+	// ID  of a customer-owned address pool. For more on customer owned IP addressed check out Customer-owned IP addresses guide.
+	CustomerOwnedIPv4Pool *string `json:"customerOwnedIpv4Pool,omitempty" tf:"customer_owned_ipv4_pool,omitempty"`
+
 	// Indicates if this EIP is for use in VPC (vpc) or EC2-Classic (standard).
 	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
 
 	// Contains the EIP allocation ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// EC2 instance ID.
+	Instance *string `json:"instance,omitempty" tf:"instance,omitempty"`
+
+	// Location from which the IP address is advertised. Use this parameter to limit the address to this location.
+	NetworkBorderGroup *string `json:"networkBorderGroup,omitempty" tf:"network_border_group,omitempty"`
+
+	// Network interface ID to associate with.
+	NetworkInterface *string `json:"networkInterface,omitempty" tf:"network_interface,omitempty"`
+
 	// The Private DNS associated with the Elastic IP address (if in VPC).
 	PrivateDNS *string `json:"privateDns,omitempty" tf:"private_dns,omitempty"`
 
@@ -45,8 +63,19 @@ type EIPObservation struct {
 	// Contains the public IP address.
 	PublicIP *string `json:"publicIp,omitempty" tf:"public_ip,omitempty"`
 
+	// EC2 IPv4 address pool identifier or amazon.
+	// This option is only available for VPC EIPs.
+	PublicIPv4Pool *string `json:"publicIpv4Pool,omitempty" tf:"public_ipv4_pool,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Boolean if the EIP is in a VPC or not.
+	// Defaults to true unless the region supports EC2-Classic.
+	VPC *bool `json:"vpc,omitempty" tf:"vpc,omitempty"`
 }
 
 type EIPParameters struct {
diff --git a/apis/ec2/v1beta1/zz_eipassociation_types.go b/apis/ec2/v1beta1/zz_eipassociation_types.go
index 1ca1cedcd7..e315833b98 100755
--- a/apis/ec2/v1beta1/zz_eipassociation_types.go
+++ b/apis/ec2/v1beta1/zz_eipassociation_types.go
@@ -14,7 +14,35 @@ import (
 )
 
 type EIPAssociationObservation struct {
+
+	// The allocation ID. This is required for EC2-VPC.
+	AllocationID *string `json:"allocationId,omitempty" tf:"allocation_id,omitempty"`
+
+	// Whether to allow an Elastic IP to
+	// be re-associated. Defaults to true in VPC.
+	AllowReassociation *bool `json:"allowReassociation,omitempty" tf:"allow_reassociation,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the instance. This is required for
+	// EC2-Classic. For EC2-VPC, you can specify either the instance ID or the
+	// network interface ID, but not both. The operation fails if you specify an
+	// instance ID unless exactly one network interface is attached.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// The ID of the network interface. If the
+	// instance has more than one network interface, you must specify a network
+	// interface ID.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
+	// The primary or secondary private IP address
+	// to associate with the Elastic IP address. If no private IP address is
+	// specified, the Elastic IP address is associated with the primary private IP
+	// address.
+	PrivateIPAddress *string `json:"privateIpAddress,omitempty" tf:"private_ip_address,omitempty"`
+
+	// The Elastic IP address. This is required for EC2-Classic.
+	PublicIP *string `json:"publicIp,omitempty" tf:"public_ip,omitempty"`
 }
 
 type EIPAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_flowlog_types.go b/apis/ec2/v1beta1/zz_flowlog_types.go
index 21c913b005..9bfe49e8fe 100755
--- a/apis/ec2/v1beta1/zz_flowlog_types.go
+++ b/apis/ec2/v1beta1/zz_flowlog_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type DestinationOptionsObservation struct {
+
+	// The format for the flow log. Default value: plain-text. Valid values: plain-text, parquet.
+	FileFormat *string `json:"fileFormat,omitempty" tf:"file_format,omitempty"`
+
+	// Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: false.
+	HiveCompatiblePartitions *bool `json:"hiveCompatiblePartitions,omitempty" tf:"hive_compatible_partitions,omitempty"`
+
+	// Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: false.
+	PerHourPartition *bool `json:"perHourPartition,omitempty" tf:"per_hour_partition,omitempty"`
 }
 
 type DestinationOptionsParameters struct {
@@ -36,11 +45,56 @@ type FlowLogObservation struct {
 	// The ARN of the Flow Log.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Describes the destination options for a flow log. More details below.
+	DestinationOptions []DestinationOptionsObservation `json:"destinationOptions,omitempty" tf:"destination_options,omitempty"`
+
+	// Elastic Network Interface ID to attach to
+	EniID *string `json:"eniId,omitempty" tf:"eni_id,omitempty"`
+
+	// The ARN for the IAM role that's used to post flow logs to a CloudWatch Logs log group
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	// The Flow Log ID
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN of the logging destination. Either log_destination or log_group_name must be set.
+	LogDestination *string `json:"logDestination,omitempty" tf:"log_destination,omitempty"`
+
+	// The type of the logging destination. Valid values: cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.
+	LogDestinationType *string `json:"logDestinationType,omitempty" tf:"log_destination_type,omitempty"`
+
+	// The fields to include in the flow log record, in the order in which they should appear.
+	LogFormat *string `json:"logFormat,omitempty" tf:"log_format,omitempty"`
+
+	// Deprecated: Use log_destination instead. The name of the CloudWatch log group. Either log_group_name or log_destination must be set.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The maximum interval of time
+	// during which a flow of packets is captured and aggregated into a flow
+	// log record. Valid Values: 60 seconds (1 minute) or 600 seconds (10
+	// minutes). Default: 600. When transit_gateway_id or transit_gateway_attachment_id is specified, max_aggregation_interval must be 60 seconds (1 minute).
+	MaxAggregationInterval *float64 `json:"maxAggregationInterval,omitempty" tf:"max_aggregation_interval,omitempty"`
+
+	// Subnet ID to attach to
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The type of traffic to capture. Valid values: ACCEPT,REJECT, ALL.
+	TrafficType *string `json:"trafficType,omitempty" tf:"traffic_type,omitempty"`
+
+	// Transit Gateway Attachment ID to attach to
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
+	// Transit Gateway ID to attach to
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
+
+	// VPC ID to attach to
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type FlowLogParameters struct {
diff --git a/apis/ec2/v1beta1/zz_generated.deepcopy.go b/apis/ec2/v1beta1/zz_generated.deepcopy.go
index b221856c5e..90771dfee4 100644
--- a/apis/ec2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ec2/v1beta1/zz_generated.deepcopy.go
@@ -380,6 +380,21 @@ func (in *AMICopyObservation) DeepCopyInto(out *AMICopyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeprecationTime != nil {
+		in, out := &in.DeprecationTime, &out.DeprecationTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationOutpostArn != nil {
+		in, out := &in.DestinationOutpostArn, &out.DestinationOutpostArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.EBSBlockDevice != nil {
 		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
 		*out = make([]AMICopyEBSBlockDeviceObservation, len(*in))
@@ -392,6 +407,11 @@ func (in *AMICopyObservation) DeepCopyInto(out *AMICopyObservation) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
 	if in.EphemeralBlockDevice != nil {
 		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
 		*out = make([]AMICopyEphemeralBlockDeviceObservation, len(*in))
@@ -429,6 +449,11 @@ func (in *AMICopyObservation) DeepCopyInto(out *AMICopyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.KernelID != nil {
 		in, out := &in.KernelID, &out.KernelID
 		*out = new(string)
@@ -439,6 +464,11 @@ func (in *AMICopyObservation) DeepCopyInto(out *AMICopyObservation) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
@@ -474,11 +504,36 @@ func (in *AMICopyObservation) DeepCopyInto(out *AMICopyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceAMIID != nil {
+		in, out := &in.SourceAMIID, &out.SourceAMIID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceAMIRegion != nil {
+		in, out := &in.SourceAMIRegion, &out.SourceAMIRegion
+		*out = new(string)
+		**out = **in
+	}
 	if in.SriovNetSupport != nil {
 		in, out := &in.SriovNetSupport, &out.SriovNetSupport
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -722,11 +777,36 @@ func (in *AMILaunchPermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AMILaunchPermissionObservation) DeepCopyInto(out *AMILaunchPermissionObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Group != nil {
+		in, out := &in.Group, &out.Group
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageID != nil {
+		in, out := &in.ImageID, &out.ImageID
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationArn != nil {
+		in, out := &in.OrganizationArn, &out.OrganizationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationalUnitArn != nil {
+		in, out := &in.OrganizationalUnitArn, &out.OrganizationalUnitArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AMILaunchPermissionObservation.
@@ -863,11 +943,50 @@ func (in *AMIList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AMIObservation) DeepCopyInto(out *AMIObservation) {
 	*out = *in
+	if in.Architecture != nil {
+		in, out := &in.Architecture, &out.Architecture
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BootMode != nil {
+		in, out := &in.BootMode, &out.BootMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeprecationTime != nil {
+		in, out := &in.DeprecationTime, &out.DeprecationTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EBSBlockDevice != nil {
+		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
+		*out = make([]EBSBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnaSupport != nil {
+		in, out := &in.EnaSupport, &out.EnaSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EphemeralBlockDevice != nil {
+		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
+		*out = make([]EphemeralBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Hypervisor != nil {
 		in, out := &in.Hypervisor, &out.Hypervisor
 		*out = new(string)
@@ -878,6 +997,11 @@ func (in *AMIObservation) DeepCopyInto(out *AMIObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageLocation != nil {
+		in, out := &in.ImageLocation, &out.ImageLocation
+		*out = new(string)
+		**out = **in
+	}
 	if in.ImageOwnerAlias != nil {
 		in, out := &in.ImageOwnerAlias, &out.ImageOwnerAlias
 		*out = new(string)
@@ -888,11 +1012,26 @@ func (in *AMIObservation) DeepCopyInto(out *AMIObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImdsSupport != nil {
+		in, out := &in.ImdsSupport, &out.ImdsSupport
+		*out = new(string)
+		**out = **in
+	}
+	if in.KernelID != nil {
+		in, out := &in.KernelID, &out.KernelID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ManageEBSSnapshots != nil {
 		in, out := &in.ManageEBSSnapshots, &out.ManageEBSSnapshots
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
@@ -913,11 +1052,41 @@ func (in *AMIObservation) DeepCopyInto(out *AMIObservation) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.RamdiskID != nil {
+		in, out := &in.RamdiskID, &out.RamdiskID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootDeviceName != nil {
+		in, out := &in.RootDeviceName, &out.RootDeviceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.RootSnapshotID != nil {
 		in, out := &in.RootSnapshotID, &out.RootSnapshotID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SriovNetSupport != nil {
+		in, out := &in.SriovNetSupport, &out.SriovNetSupport
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -933,11 +1102,21 @@ func (in *AMIObservation) DeepCopyInto(out *AMIObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TpmSupport != nil {
+		in, out := &in.TpmSupport, &out.TpmSupport
+		*out = new(string)
+		**out = **in
+	}
 	if in.UsageOperation != nil {
 		in, out := &in.UsageOperation, &out.UsageOperation
 		*out = new(string)
 		**out = **in
 	}
+	if in.VirtualizationType != nil {
+		in, out := &in.VirtualizationType, &out.VirtualizationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AMIObservation.
@@ -1106,6 +1285,16 @@ func (in *AMIStatus) DeepCopy() *AMIStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AcceleratorCountObservation) DeepCopyInto(out *AcceleratorCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceleratorCountObservation.
@@ -1146,6 +1335,16 @@ func (in *AcceleratorCountParameters) DeepCopy() *AcceleratorCountParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AcceleratorTotalMemoryMibObservation) DeepCopyInto(out *AcceleratorTotalMemoryMibObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AcceleratorTotalMemoryMibObservation.
@@ -1512,6 +1711,11 @@ func (in *AvailabilityZoneGroupObservation) DeepCopyInto(out *AvailabilityZoneGr
 		*out = new(string)
 		**out = **in
 	}
+	if in.OptInStatus != nil {
+		in, out := &in.OptInStatus, &out.OptInStatus
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AvailabilityZoneGroupObservation.
@@ -1586,6 +1790,16 @@ func (in *AvailabilityZoneGroupStatus) DeepCopy() *AvailabilityZoneGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BaselineEBSBandwidthMbpsObservation) DeepCopyInto(out *BaselineEBSBandwidthMbpsObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineEBSBandwidthMbpsObservation.
@@ -1626,6 +1840,28 @@ func (in *BaselineEBSBandwidthMbpsParameters) DeepCopy() *BaselineEBSBandwidthMb
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BlockDeviceMappingsObservation) DeepCopyInto(out *BlockDeviceMappingsObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EBS != nil {
+		in, out := &in.EBS, &out.EBS
+		*out = make([]EBSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoDevice != nil {
+		in, out := &in.NoDevice, &out.NoDevice
+		*out = new(string)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BlockDeviceMappingsObservation.
@@ -1678,6 +1914,16 @@ func (in *BlockDeviceMappingsParameters) DeepCopy() *BlockDeviceMappingsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CPUOptionsObservation) DeepCopyInto(out *CPUOptionsObservation) {
 	*out = *in
+	if in.CoreCount != nil {
+		in, out := &in.CoreCount, &out.CoreCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThreadsPerCore != nil {
+		in, out := &in.ThreadsPerCore, &out.ThreadsPerCore
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CPUOptionsObservation.
@@ -1718,6 +1964,11 @@ func (in *CPUOptionsParameters) DeepCopy() *CPUOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityRebalanceObservation) DeepCopyInto(out *CapacityRebalanceObservation) {
 	*out = *in
+	if in.ReplacementStrategy != nil {
+		in, out := &in.ReplacementStrategy, &out.ReplacementStrategy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityRebalanceObservation.
@@ -1817,46 +2068,121 @@ func (in *CapacityReservationObservation) DeepCopyInto(out *CapacityReservationO
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.OwnerID != nil {
-		in, out := &in.OwnerID, &out.OwnerID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityReservationObservation.
-func (in *CapacityReservationObservation) DeepCopy() *CapacityReservationObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(CapacityReservationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CapacityReservationParameters) DeepCopyInto(out *CapacityReservationParameters) {
-	*out = *in
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.EBSOptimized != nil {
+		in, out := &in.EBSOptimized, &out.EBSOptimized
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EndDate != nil {
+		in, out := &in.EndDate, &out.EndDate
+		*out = new(string)
+		**out = **in
+	}
+	if in.EndDateType != nil {
+		in, out := &in.EndDateType, &out.EndDateType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EphemeralStorage != nil {
+		in, out := &in.EphemeralStorage, &out.EphemeralStorage
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceMatchCriteria != nil {
+		in, out := &in.InstanceMatchCriteria, &out.InstanceMatchCriteria
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstancePlatform != nil {
+		in, out := &in.InstancePlatform, &out.InstancePlatform
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutpostArn != nil {
+		in, out := &in.OutpostArn, &out.OutpostArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.OwnerID != nil {
+		in, out := &in.OwnerID, &out.OwnerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlacementGroupArn != nil {
+		in, out := &in.PlacementGroupArn, &out.PlacementGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Tenancy != nil {
+		in, out := &in.Tenancy, &out.Tenancy
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityReservationObservation.
+func (in *CapacityReservationObservation) DeepCopy() *CapacityReservationObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(CapacityReservationObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CapacityReservationParameters) DeepCopyInto(out *CapacityReservationParameters) {
+	*out = *in
 	if in.AvailabilityZone != nil {
 		in, out := &in.AvailabilityZone, &out.AvailabilityZone
 		*out = new(string)
@@ -1969,6 +2295,16 @@ func (in *CapacityReservationSpec) DeepCopy() *CapacityReservationSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityReservationSpecificationCapacityReservationTargetObservation) DeepCopyInto(out *CapacityReservationSpecificationCapacityReservationTargetObservation) {
 	*out = *in
+	if in.CapacityReservationID != nil {
+		in, out := &in.CapacityReservationID, &out.CapacityReservationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CapacityReservationResourceGroupArn != nil {
+		in, out := &in.CapacityReservationResourceGroupArn, &out.CapacityReservationResourceGroupArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityReservationSpecificationCapacityReservationTargetObservation.
@@ -2009,6 +2345,18 @@ func (in *CapacityReservationSpecificationCapacityReservationTargetParameters) D
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityReservationSpecificationObservation) DeepCopyInto(out *CapacityReservationSpecificationObservation) {
 	*out = *in
+	if in.CapacityReservationPreference != nil {
+		in, out := &in.CapacityReservationPreference, &out.CapacityReservationPreference
+		*out = new(string)
+		**out = **in
+	}
+	if in.CapacityReservationTarget != nil {
+		in, out := &in.CapacityReservationTarget, &out.CapacityReservationTarget
+		*out = make([]CapacityReservationTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityReservationSpecificationObservation.
@@ -2068,6 +2416,16 @@ func (in *CapacityReservationStatus) DeepCopy() *CapacityReservationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityReservationTargetObservation) DeepCopyInto(out *CapacityReservationTargetObservation) {
 	*out = *in
+	if in.CapacityReservationID != nil {
+		in, out := &in.CapacityReservationID, &out.CapacityReservationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CapacityReservationResourceGroupArn != nil {
+		in, out := &in.CapacityReservationResourceGroupArn, &out.CapacityReservationResourceGroupArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityReservationTargetObservation.
@@ -2182,6 +2540,21 @@ func (in *CarrierGatewayObservation) DeepCopyInto(out *CarrierGatewayObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2197,6 +2570,11 @@ func (in *CarrierGatewayObservation) DeepCopyInto(out *CarrierGatewayObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CarrierGatewayObservation.
@@ -2296,6 +2674,16 @@ func (in *CarrierGatewayStatus) DeepCopy() *CarrierGatewayStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CidrAuthorizationContextObservation) DeepCopyInto(out *CidrAuthorizationContextObservation) {
 	*out = *in
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	if in.Signature != nil {
+		in, out := &in.Signature, &out.Signature
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CidrAuthorizationContextObservation.
@@ -2376,6 +2764,26 @@ func (in *ClassicLoadBalancerListenerParameters) DeepCopy() *ClassicLoadBalancer
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientDataObservation) DeepCopyInto(out *ClientDataObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.UploadEnd != nil {
+		in, out := &in.UploadEnd, &out.UploadEnd
+		*out = new(string)
+		**out = **in
+	}
+	if in.UploadSize != nil {
+		in, out := &in.UploadSize, &out.UploadSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UploadStart != nil {
+		in, out := &in.UploadStart, &out.UploadStart
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientDataObservation.
@@ -2426,6 +2834,21 @@ func (in *ClientDataParameters) DeepCopy() *ClientDataParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchLogOptionsObservation) DeepCopyInto(out *CloudwatchLogOptionsObservation) {
 	*out = *in
+	if in.LogEnabled != nil {
+		in, out := &in.LogEnabled, &out.LogEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupArn != nil {
+		in, out := &in.LogGroupArn, &out.LogGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogOutputFormat != nil {
+		in, out := &in.LogOutputFormat, &out.LogOutputFormat
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchLogOptionsObservation.
@@ -2516,6 +2939,11 @@ func (in *ComponentParameters) DeepCopy() *ComponentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CreditSpecificationObservation) DeepCopyInto(out *CreditSpecificationObservation) {
 	*out = *in
+	if in.CPUCredits != nil {
+		in, out := &in.CPUCredits, &out.CPUCredits
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CreditSpecificationObservation.
@@ -2615,11 +3043,46 @@ func (in *CustomerGatewayObservation) DeepCopyInto(out *CustomerGatewayObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddress != nil {
+		in, out := &in.IPAddress, &out.IPAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2635,6 +3098,11 @@ func (in *CustomerGatewayObservation) DeepCopyInto(out *CustomerGatewayObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomerGatewayObservation.
@@ -2784,6 +3252,11 @@ func (in *DNSEntryParameters) DeepCopy() *DNSEntryParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DNSOptionsObservation) DeepCopyInto(out *DNSOptionsObservation) {
 	*out = *in
+	if in.DNSRecordIPType != nil {
+		in, out := &in.DNSRecordIPType, &out.DNSRecordIPType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSOptionsObservation.
@@ -2883,16 +3356,61 @@ func (in *DefaultNetworkACLObservation) DeepCopyInto(out *DefaultNetworkACLObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultNetworkACLID != nil {
+		in, out := &in.DefaultNetworkACLID, &out.DefaultNetworkACLID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]EgressObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]IngressObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3113,6 +3631,11 @@ func (in *DefaultRouteTableObservation) DeepCopyInto(out *DefaultRouteTableObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultRouteTableID != nil {
+		in, out := &in.DefaultRouteTableID, &out.DefaultRouteTableID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -3123,6 +3646,39 @@ func (in *DefaultRouteTableObservation) DeepCopyInto(out *DefaultRouteTableObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.PropagatingVgws != nil {
+		in, out := &in.PropagatingVgws, &out.PropagatingVgws
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Route != nil {
+		in, out := &in.Route, &out.Route
+		*out = make([]RouteObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3287,6 +3843,75 @@ func (in *DefaultSecurityGroup) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultSecurityGroupEgressObservation) DeepCopyInto(out *DefaultSecurityGroupEgressObservation) {
 	*out = *in
+	if in.CidrBlocks != nil {
+		in, out := &in.CidrBlocks, &out.CidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6CidrBlocks != nil {
+		in, out := &in.IPv6CidrBlocks, &out.IPv6CidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PrefixListIds != nil {
+		in, out := &in.PrefixListIds, &out.PrefixListIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Self != nil {
+		in, out := &in.Self, &out.Self
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultSecurityGroupEgressObservation.
@@ -3386,6 +4011,75 @@ func (in *DefaultSecurityGroupEgressParameters) DeepCopy() *DefaultSecurityGroup
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultSecurityGroupIngressObservation) DeepCopyInto(out *DefaultSecurityGroupIngressObservation) {
 	*out = *in
+	if in.CidrBlocks != nil {
+		in, out := &in.CidrBlocks, &out.CidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6CidrBlocks != nil {
+		in, out := &in.IPv6CidrBlocks, &out.IPv6CidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PrefixListIds != nil {
+		in, out := &in.PrefixListIds, &out.PrefixListIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Self != nil {
+		in, out := &in.Self, &out.Self
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultSecurityGroupIngressObservation.
@@ -3527,11 +4221,25 @@ func (in *DefaultSecurityGroupObservation) DeepCopyInto(out *DefaultSecurityGrou
 		*out = new(string)
 		**out = **in
 	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]DefaultSecurityGroupEgressObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]DefaultSecurityGroupIngressObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Name != nil {
 		in, out := &in.Name, &out.Name
 		*out = new(string)
@@ -3542,6 +4250,26 @@ func (in *DefaultSecurityGroupObservation) DeepCopyInto(out *DefaultSecurityGrou
 		*out = new(string)
 		**out = **in
 	}
+	if in.RevokeRulesOnDelete != nil {
+		in, out := &in.RevokeRulesOnDelete, &out.RevokeRulesOnDelete
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3557,6 +4285,11 @@ func (in *DefaultSecurityGroupObservation) DeepCopyInto(out *DefaultSecurityGrou
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultSecurityGroupObservation.
@@ -3739,6 +4472,16 @@ func (in *DefaultSubnetObservation) DeepCopyInto(out *DefaultSubnetObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssignIPv6AddressOnCreation != nil {
+		in, out := &in.AssignIPv6AddressOnCreation, &out.AssignIPv6AddressOnCreation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
 	if in.AvailabilityZoneID != nil {
 		in, out := &in.AvailabilityZoneID, &out.AvailabilityZoneID
 		*out = new(string)
@@ -3749,21 +4492,66 @@ func (in *DefaultSubnetObservation) DeepCopyInto(out *DefaultSubnetObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomerOwnedIPv4Pool != nil {
+		in, out := &in.CustomerOwnedIPv4Pool, &out.CustomerOwnedIPv4Pool
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableDns64 != nil {
+		in, out := &in.EnableDns64, &out.EnableDns64
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableResourceNameDNSARecordOnLaunch != nil {
+		in, out := &in.EnableResourceNameDNSARecordOnLaunch, &out.EnableResourceNameDNSARecordOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableResourceNameDNSAaaaRecordOnLaunch != nil {
+		in, out := &in.EnableResourceNameDNSAaaaRecordOnLaunch, &out.EnableResourceNameDNSAaaaRecordOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ExistingDefaultSubnet != nil {
 		in, out := &in.ExistingDefaultSubnet, &out.ExistingDefaultSubnet
 		*out = new(bool)
 		**out = **in
 	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
 	if in.IPv6CidrBlockAssociationID != nil {
 		in, out := &in.IPv6CidrBlockAssociationID, &out.IPv6CidrBlockAssociationID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6Native != nil {
+		in, out := &in.IPv6Native, &out.IPv6Native
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MapCustomerOwnedIPOnLaunch != nil {
+		in, out := &in.MapCustomerOwnedIPOnLaunch, &out.MapCustomerOwnedIPOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MapPublicIPOnLaunch != nil {
+		in, out := &in.MapPublicIPOnLaunch, &out.MapPublicIPOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
 	if in.OutpostArn != nil {
 		in, out := &in.OutpostArn, &out.OutpostArn
 		*out = new(string)
@@ -3774,6 +4562,26 @@ func (in *DefaultSubnetObservation) DeepCopyInto(out *DefaultSubnetObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrivateDNSHostnameTypeOnLaunch != nil {
+		in, out := &in.PrivateDNSHostnameTypeOnLaunch, &out.PrivateDNSHostnameTypeOnLaunch
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4059,6 +4867,26 @@ func (in *DefaultVPCDHCPOptionsObservation) DeepCopyInto(out *DefaultVPCDHCPOpti
 		*out = new(string)
 		**out = **in
 	}
+	if in.OwnerID != nil {
+		in, out := &in.OwnerID, &out.OwnerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4200,6 +5028,11 @@ func (in *DefaultVPCObservation) DeepCopyInto(out *DefaultVPCObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssignGeneratedIPv6CidrBlock != nil {
+		in, out := &in.AssignGeneratedIPv6CidrBlock, &out.AssignGeneratedIPv6CidrBlock
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CidrBlock != nil {
 		in, out := &in.CidrBlock, &out.CidrBlock
 		*out = new(string)
@@ -4225,11 +5058,41 @@ func (in *DefaultVPCObservation) DeepCopyInto(out *DefaultVPCObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EnableClassiclink != nil {
+		in, out := &in.EnableClassiclink, &out.EnableClassiclink
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableClassiclinkDNSSupport != nil {
+		in, out := &in.EnableClassiclinkDNSSupport, &out.EnableClassiclinkDNSSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableDNSHostnames != nil {
+		in, out := &in.EnableDNSHostnames, &out.EnableDNSHostnames
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableDNSSupport != nil {
+		in, out := &in.EnableDNSSupport, &out.EnableDNSSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableNetworkAddressUsageMetrics != nil {
+		in, out := &in.EnableNetworkAddressUsageMetrics, &out.EnableNetworkAddressUsageMetrics
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ExistingDefaultVPC != nil {
 		in, out := &in.ExistingDefaultVPC, &out.ExistingDefaultVPC
 		*out = new(bool)
 		**out = **in
 	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -4240,6 +5103,26 @@ func (in *DefaultVPCObservation) DeepCopyInto(out *DefaultVPCObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6CidrBlockNetworkBorderGroup != nil {
+		in, out := &in.IPv6CidrBlockNetworkBorderGroup, &out.IPv6CidrBlockNetworkBorderGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6IpamPoolID != nil {
+		in, out := &in.IPv6IpamPoolID, &out.IPv6IpamPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6NetmaskLength != nil {
+		in, out := &in.IPv6NetmaskLength, &out.IPv6NetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
 	if in.InstanceTenancy != nil {
 		in, out := &in.InstanceTenancy, &out.InstanceTenancy
 		*out = new(string)
@@ -4255,6 +5138,21 @@ func (in *DefaultVPCObservation) DeepCopyInto(out *DefaultVPCObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4439,6 +5337,21 @@ func (in *DestinationObservation) DeepCopy() *DestinationObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationOptionsObservation) DeepCopyInto(out *DestinationOptionsObservation) {
 	*out = *in
+	if in.FileFormat != nil {
+		in, out := &in.FileFormat, &out.FileFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.HiveCompatiblePartitions != nil {
+		in, out := &in.HiveCompatiblePartitions, &out.HiveCompatiblePartitions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PerHourPartition != nil {
+		in, out := &in.PerHourPartition, &out.PerHourPartition
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationOptionsObservation.
@@ -4499,6 +5412,16 @@ func (in *DestinationParameters) DeepCopy() *DestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationPortRangeObservation) DeepCopyInto(out *DestinationPortRangeObservation) {
 	*out = *in
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationPortRangeObservation.
@@ -4624,6 +5547,28 @@ func (in *DestinationVPCParameters) DeepCopy() *DestinationVPCParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DiskContainerObservation) DeepCopyInto(out *DiskContainerObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserBucket != nil {
+		in, out := &in.UserBucket, &out.UserBucket
+		*out = make([]UserBucketObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DiskContainerObservation.
@@ -4676,6 +5621,51 @@ func (in *DiskContainerParameters) DeepCopy() *DiskContainerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSBlockDeviceObservation) DeepCopyInto(out *EBSBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OutpostArn != nil {
+		in, out := &in.OutpostArn, &out.OutpostArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSBlockDeviceObservation.
@@ -4825,6 +5815,11 @@ func (in *EBSDefaultKMSKeyObservation) DeepCopyInto(out *EBSDefaultKMSKeyObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyArn != nil {
+		in, out := &in.KeyArn, &out.KeyArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSDefaultKMSKeyObservation.
@@ -4968,6 +5963,11 @@ func (in *EBSEncryptionByDefaultList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSEncryptionByDefaultObservation) DeepCopyInto(out *EBSEncryptionByDefaultObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -5047,6 +6047,46 @@ func (in *EBSEncryptionByDefaultStatus) DeepCopy() *EBSEncryptionByDefaultStatus
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSObservation) DeepCopyInto(out *EBSObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(string)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSObservation.
@@ -5223,11 +6263,26 @@ func (in *EBSSnapshotCopyObservation) DeepCopyInto(out *EBSSnapshotCopyObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.OutpostArn != nil {
 		in, out := &in.OutpostArn, &out.OutpostArn
 		*out = new(string)
@@ -5243,6 +6298,41 @@ func (in *EBSSnapshotCopyObservation) DeepCopyInto(out *EBSSnapshotCopyObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.PermanentRestore != nil {
+		in, out := &in.PermanentRestore, &out.PermanentRestore
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SourceRegion != nil {
+		in, out := &in.SourceRegion, &out.SourceRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceSnapshotID != nil {
+		in, out := &in.SourceSnapshotID, &out.SourceSnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageTier != nil {
+		in, out := &in.StorageTier, &out.StorageTier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5258,6 +6348,11 @@ func (in *EBSSnapshotCopyObservation) DeepCopyInto(out *EBSSnapshotCopyObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.TemporaryRestoreDays != nil {
+		in, out := &in.TemporaryRestoreDays, &out.TemporaryRestoreDays
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VolumeID != nil {
 		in, out := &in.VolumeID, &out.VolumeID
 		*out = new(string)
@@ -5476,16 +6571,45 @@ func (in *EBSSnapshotImportObservation) DeepCopyInto(out *EBSSnapshotImportObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClientData != nil {
+		in, out := &in.ClientData, &out.ClientData
+		*out = make([]ClientDataObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DataEncryptionKeyID != nil {
 		in, out := &in.DataEncryptionKeyID, &out.DataEncryptionKeyID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DiskContainer != nil {
+		in, out := &in.DiskContainer, &out.DiskContainer
+		*out = make([]DiskContainerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.OutpostArn != nil {
 		in, out := &in.OutpostArn, &out.OutpostArn
 		*out = new(string)
@@ -5501,6 +6625,36 @@ func (in *EBSSnapshotImportObservation) DeepCopyInto(out *EBSSnapshotImportObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.PermanentRestore != nil {
+		in, out := &in.PermanentRestore, &out.PermanentRestore
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RoleName != nil {
+		in, out := &in.RoleName, &out.RoleName
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageTier != nil {
+		in, out := &in.StorageTier, &out.StorageTier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5516,6 +6670,11 @@ func (in *EBSSnapshotImportObservation) DeepCopyInto(out *EBSSnapshotImportObser
 			(*out)[key] = outVal
 		}
 	}
+	if in.TemporaryRestoreDays != nil {
+		in, out := &in.TemporaryRestoreDays, &out.TemporaryRestoreDays
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VolumeID != nil {
 		in, out := &in.VolumeID, &out.VolumeID
 		*out = new(string)
@@ -5711,6 +6870,11 @@ func (in *EBSSnapshotObservation) DeepCopyInto(out *EBSSnapshotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.Encrypted != nil {
 		in, out := &in.Encrypted, &out.Encrypted
 		*out = new(bool)
@@ -5726,6 +6890,11 @@ func (in *EBSSnapshotObservation) DeepCopyInto(out *EBSSnapshotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.OutpostArn != nil {
+		in, out := &in.OutpostArn, &out.OutpostArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerAlias != nil {
 		in, out := &in.OwnerAlias, &out.OwnerAlias
 		*out = new(string)
@@ -5736,6 +6905,31 @@ func (in *EBSSnapshotObservation) DeepCopyInto(out *EBSSnapshotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PermanentRestore != nil {
+		in, out := &in.PermanentRestore, &out.PermanentRestore
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StorageTier != nil {
+		in, out := &in.StorageTier, &out.StorageTier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5751,6 +6945,16 @@ func (in *EBSSnapshotObservation) DeepCopyInto(out *EBSSnapshotObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TemporaryRestoreDays != nil {
+		in, out := &in.TemporaryRestoreDays, &out.TemporaryRestoreDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeID != nil {
+		in, out := &in.VolumeID, &out.VolumeID
+		*out = new(string)
+		**out = **in
+	}
 	if in.VolumeSize != nil {
 		in, out := &in.VolumeSize, &out.VolumeSize
 		*out = new(float64)
@@ -5944,11 +7148,71 @@ func (in *EBSVolumeObservation) DeepCopyInto(out *EBSVolumeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FinalSnapshot != nil {
+		in, out := &in.FinalSnapshot, &out.FinalSnapshot
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultiAttachEnabled != nil {
+		in, out := &in.MultiAttachEnabled, &out.MultiAttachEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.OutpostArn != nil {
+		in, out := &in.OutpostArn, &out.OutpostArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5964,6 +7228,16 @@ func (in *EBSVolumeObservation) DeepCopyInto(out *EBSVolumeObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSVolumeObservation.
@@ -6199,11 +7473,41 @@ func (in *EIPAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EIPAssociationObservation) DeepCopyInto(out *EIPAssociationObservation) {
 	*out = *in
+	if in.AllocationID != nil {
+		in, out := &in.AllocationID, &out.AllocationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AllowReassociation != nil {
+		in, out := &in.AllowReassociation, &out.AllowReassociation
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateIPAddress != nil {
+		in, out := &in.PrivateIPAddress, &out.PrivateIPAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicIP != nil {
+		in, out := &in.PublicIP, &out.PublicIP
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EIPAssociationObservation.
@@ -6355,11 +7659,21 @@ func (in *EIPList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EIPObservation) DeepCopyInto(out *EIPObservation) {
 	*out = *in
+	if in.Address != nil {
+		in, out := &in.Address, &out.Address
+		*out = new(string)
+		**out = **in
+	}
 	if in.AllocationID != nil {
 		in, out := &in.AllocationID, &out.AllocationID
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssociateWithPrivateIP != nil {
+		in, out := &in.AssociateWithPrivateIP, &out.AssociateWithPrivateIP
+		*out = new(string)
+		**out = **in
+	}
 	if in.AssociationID != nil {
 		in, out := &in.AssociationID, &out.AssociationID
 		*out = new(string)
@@ -6375,6 +7689,11 @@ func (in *EIPObservation) DeepCopyInto(out *EIPObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomerOwnedIPv4Pool != nil {
+		in, out := &in.CustomerOwnedIPv4Pool, &out.CustomerOwnedIPv4Pool
+		*out = new(string)
+		**out = **in
+	}
 	if in.Domain != nil {
 		in, out := &in.Domain, &out.Domain
 		*out = new(string)
@@ -6385,6 +7704,21 @@ func (in *EIPObservation) DeepCopyInto(out *EIPObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Instance != nil {
+		in, out := &in.Instance, &out.Instance
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkBorderGroup != nil {
+		in, out := &in.NetworkBorderGroup, &out.NetworkBorderGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkInterface != nil {
+		in, out := &in.NetworkInterface, &out.NetworkInterface
+		*out = new(string)
+		**out = **in
+	}
 	if in.PrivateDNS != nil {
 		in, out := &in.PrivateDNS, &out.PrivateDNS
 		*out = new(string)
@@ -6405,6 +7739,26 @@ func (in *EIPObservation) DeepCopyInto(out *EIPObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PublicIPv4Pool != nil {
+		in, out := &in.PublicIPv4Pool, &out.PublicIPv4Pool
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -6420,6 +7774,11 @@ func (in *EIPObservation) DeepCopyInto(out *EIPObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPC != nil {
+		in, out := &in.VPC, &out.VPC
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EIPObservation.
@@ -6564,6 +7923,51 @@ func (in *EIPStatus) DeepCopy() *EIPStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EgressObservation) DeepCopyInto(out *EgressObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.IcmpCode != nil {
+		in, out := &in.IcmpCode, &out.IcmpCode
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IcmpType != nil {
+		in, out := &in.IcmpType, &out.IcmpType
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleNo != nil {
+		in, out := &in.RuleNo, &out.RuleNo
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressObservation.
@@ -6643,6 +8047,21 @@ func (in *EgressOnlyInternetGatewayObservation) DeepCopyInto(out *EgressOnlyInte
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -6658,6 +8077,11 @@ func (in *EgressOnlyInternetGatewayObservation) DeepCopyInto(out *EgressOnlyInte
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressOnlyInternetGatewayObservation.
@@ -6817,6 +8241,11 @@ func (in *EgressParameters) DeepCopy() *EgressParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ElasticGpuSpecificationsObservation) DeepCopyInto(out *ElasticGpuSpecificationsObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticGpuSpecificationsObservation.
@@ -6852,6 +8281,11 @@ func (in *ElasticGpuSpecificationsParameters) DeepCopy() *ElasticGpuSpecificatio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ElasticInferenceAcceleratorObservation) DeepCopyInto(out *ElasticInferenceAcceleratorObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticInferenceAcceleratorObservation.
@@ -6932,6 +8366,11 @@ func (in *ElasticLoadBalancerListenerParameters) DeepCopy() *ElasticLoadBalancer
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnclaveOptionsObservation) DeepCopyInto(out *EnclaveOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnclaveOptionsObservation.
@@ -6967,6 +8406,16 @@ func (in *EnclaveOptionsParameters) DeepCopy() *EnclaveOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EntryObservation) DeepCopyInto(out *EntryObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntryObservation.
@@ -7017,6 +8466,16 @@ func (in *EntryParameters) DeepCopy() *EntryParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralBlockDeviceObservation) DeepCopyInto(out *EphemeralBlockDeviceObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralBlockDeviceObservation.
@@ -7528,11 +8987,73 @@ func (in *FlowLogObservation) DeepCopyInto(out *FlowLogObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DestinationOptions != nil {
+		in, out := &in.DestinationOptions, &out.DestinationOptions
+		*out = make([]DestinationOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EniID != nil {
+		in, out := &in.EniID, &out.EniID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogDestination != nil {
+		in, out := &in.LogDestination, &out.LogDestination
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogDestinationType != nil {
+		in, out := &in.LogDestinationType, &out.LogDestinationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogFormat != nil {
+		in, out := &in.LogFormat, &out.LogFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxAggregationInterval != nil {
+		in, out := &in.MaxAggregationInterval, &out.MaxAggregationInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -7548,6 +9069,26 @@ func (in *FlowLogObservation) DeepCopyInto(out *FlowLogObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TrafficType != nil {
+		in, out := &in.TrafficType, &out.TrafficType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlowLogObservation.
@@ -8496,6 +10037,11 @@ func (in *ForwardPathComponentsVPCParameters) DeepCopy() *ForwardPathComponentsV
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HibernationOptionsObservation) DeepCopyInto(out *HibernationOptionsObservation) {
 	*out = *in
+	if in.Configured != nil {
+		in, out := &in.Configured, &out.Configured
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HibernationOptionsObservation.
@@ -8595,16 +10141,61 @@ func (in *HostObservation) DeepCopyInto(out *HostObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoPlacement != nil {
+		in, out := &in.AutoPlacement, &out.AutoPlacement
+		*out = new(string)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostRecovery != nil {
+		in, out := &in.HostRecovery, &out.HostRecovery
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceFamily != nil {
+		in, out := &in.InstanceFamily, &out.InstanceFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutpostArn != nil {
+		in, out := &in.OutpostArn, &out.OutpostArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -8734,6 +10325,16 @@ func (in *HostStatus) DeepCopy() *HostStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IAMInstanceProfileObservation) DeepCopyInto(out *IAMInstanceProfileObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IAMInstanceProfileObservation.
@@ -8945,21 +10546,6 @@ func (in *InboundHeaderSourcePortRangesParameters) DeepCopy() *InboundHeaderSour
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IngressObservation) DeepCopyInto(out *IngressObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressObservation.
-func (in *IngressObservation) DeepCopy() *IngressObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(IngressObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *IngressParameters) DeepCopyInto(out *IngressParameters) {
-	*out = *in
 	if in.Action != nil {
 		in, out := &in.Action, &out.Action
 		*out = new(string)
@@ -8970,16 +10556,76 @@ func (in *IngressParameters) DeepCopyInto(out *IngressParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.CidrBlockRef != nil {
-		in, out := &in.CidrBlockRef, &out.CidrBlockRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.CidrBlockSelector != nil {
-		in, out := &in.CidrBlockSelector, &out.CidrBlockSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.IcmpCode != nil {
+		in, out := &in.IcmpCode, &out.IcmpCode
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IcmpType != nil {
+		in, out := &in.IcmpType, &out.IcmpType
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleNo != nil {
+		in, out := &in.RuleNo, &out.RuleNo
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressObservation.
+func (in *IngressObservation) DeepCopy() *IngressObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(IngressObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *IngressParameters) DeepCopyInto(out *IngressParameters) {
+	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.CidrBlockRef != nil {
+		in, out := &in.CidrBlockRef, &out.CidrBlockRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CidrBlockSelector != nil {
+		in, out := &in.CidrBlockSelector, &out.CidrBlockSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
 	if in.FromPort != nil {
 		in, out := &in.FromPort, &out.FromPort
 		*out = new(float64)
@@ -9102,11 +10748,71 @@ func (in *Instance) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceEBSBlockDeviceObservation) DeepCopyInto(out *InstanceEBSBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VolumeID != nil {
 		in, out := &in.VolumeID, &out.VolumeID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceEBSBlockDeviceObservation.
@@ -9207,6 +10913,21 @@ func (in *InstanceEBSBlockDeviceParameters) DeepCopy() *InstanceEBSBlockDevicePa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceEphemeralBlockDeviceObservation) DeepCopyInto(out *InstanceEphemeralBlockDeviceObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NoDevice != nil {
+		in, out := &in.NoDevice, &out.NoDevice
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceEphemeralBlockDeviceObservation.
@@ -9284,6 +11005,18 @@ func (in *InstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceMarketOptionsObservation) DeepCopyInto(out *InstanceMarketOptionsObservation) {
 	*out = *in
+	if in.MarketType != nil {
+		in, out := &in.MarketType, &out.MarketType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SpotOptions != nil {
+		in, out := &in.SpotOptions, &out.SpotOptions
+		*out = make([]SpotOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceMarketOptionsObservation.
@@ -9326,6 +11059,26 @@ func (in *InstanceMarketOptionsParameters) DeepCopy() *InstanceMarketOptionsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceNetworkInterfaceObservation) DeepCopyInto(out *InstanceNetworkInterfaceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceIndex != nil {
+		in, out := &in.DeviceIndex, &out.DeviceIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkCardIndex != nil {
+		in, out := &in.NetworkCardIndex, &out.NetworkCardIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceNetworkInterfaceObservation.
@@ -9386,108 +11139,13 @@ func (in *InstanceNetworkInterfaceParameters) DeepCopy() *InstanceNetworkInterfa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
-		*out = new(string)
-		**out = **in
-	}
-	if in.EBSBlockDevice != nil {
-		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
-		*out = make([]InstanceEBSBlockDeviceObservation, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.InstanceState != nil {
-		in, out := &in.InstanceState, &out.InstanceState
-		*out = new(string)
-		**out = **in
-	}
-	if in.OutpostArn != nil {
-		in, out := &in.OutpostArn, &out.OutpostArn
-		*out = new(string)
-		**out = **in
-	}
-	if in.PasswordData != nil {
-		in, out := &in.PasswordData, &out.PasswordData
-		*out = new(string)
-		**out = **in
-	}
-	if in.PrimaryNetworkInterfaceID != nil {
-		in, out := &in.PrimaryNetworkInterfaceID, &out.PrimaryNetworkInterfaceID
-		*out = new(string)
-		**out = **in
-	}
-	if in.PrivateDNS != nil {
-		in, out := &in.PrivateDNS, &out.PrivateDNS
-		*out = new(string)
-		**out = **in
-	}
-	if in.PublicDNS != nil {
-		in, out := &in.PublicDNS, &out.PublicDNS
-		*out = new(string)
-		**out = **in
-	}
-	if in.PublicIP != nil {
-		in, out := &in.PublicIP, &out.PublicIP
+	if in.AMI != nil {
+		in, out := &in.AMI, &out.AMI
 		*out = new(string)
 		**out = **in
 	}
-	if in.RootBlockDevice != nil {
-		in, out := &in.RootBlockDevice, &out.RootBlockDevice
-		*out = make([]RootBlockDeviceObservation, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.SecurityGroups != nil {
-		in, out := &in.SecurityGroups, &out.SecurityGroups
-		*out = make([]*string, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(string)
-				**out = **in
-			}
-		}
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceObservation.
-func (in *InstanceObservation) DeepCopy() *InstanceObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(InstanceObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *InstanceParameters) DeepCopyInto(out *InstanceParameters) {
-	*out = *in
-	if in.AMI != nil {
-		in, out := &in.AMI, &out.AMI
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
@@ -9513,14 +11171,14 @@ func (in *InstanceParameters) DeepCopyInto(out *InstanceParameters) {
 	}
 	if in.CapacityReservationSpecification != nil {
 		in, out := &in.CapacityReservationSpecification, &out.CapacityReservationSpecification
-		*out = make([]CapacityReservationSpecificationParameters, len(*in))
+		*out = make([]CapacityReservationSpecificationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.CreditSpecification != nil {
 		in, out := &in.CreditSpecification, &out.CreditSpecification
-		*out = make([]CreditSpecificationParameters, len(*in))
+		*out = make([]CreditSpecificationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -9537,7 +11195,7 @@ func (in *InstanceParameters) DeepCopyInto(out *InstanceParameters) {
 	}
 	if in.EBSBlockDevice != nil {
 		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
-		*out = make([]InstanceEBSBlockDeviceParameters, len(*in))
+		*out = make([]InstanceEBSBlockDeviceObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -9549,14 +11207,370 @@ func (in *InstanceParameters) DeepCopyInto(out *InstanceParameters) {
 	}
 	if in.EnclaveOptions != nil {
 		in, out := &in.EnclaveOptions, &out.EnclaveOptions
-		*out = make([]EnclaveOptionsParameters, len(*in))
+		*out = make([]EnclaveOptionsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.EphemeralBlockDevice != nil {
 		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
-		*out = make([]InstanceEphemeralBlockDeviceParameters, len(*in))
+		*out = make([]InstanceEphemeralBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GetPasswordData != nil {
+		in, out := &in.GetPasswordData, &out.GetPasswordData
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Hibernation != nil {
+		in, out := &in.Hibernation, &out.Hibernation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HostID != nil {
+		in, out := &in.HostID, &out.HostID
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostResourceGroupArn != nil {
+		in, out := &in.HostResourceGroupArn, &out.HostResourceGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMInstanceProfile != nil {
+		in, out := &in.IAMInstanceProfile, &out.IAMInstanceProfile
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6AddressCount != nil {
+		in, out := &in.IPv6AddressCount, &out.IPv6AddressCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6Addresses != nil {
+		in, out := &in.IPv6Addresses, &out.IPv6Addresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InstanceInitiatedShutdownBehavior != nil {
+		in, out := &in.InstanceInitiatedShutdownBehavior, &out.InstanceInitiatedShutdownBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceState != nil {
+		in, out := &in.InstanceState, &out.InstanceState
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyName != nil {
+		in, out := &in.KeyName, &out.KeyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchTemplate != nil {
+		in, out := &in.LaunchTemplate, &out.LaunchTemplate
+		*out = make([]LaunchTemplateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaintenanceOptions != nil {
+		in, out := &in.MaintenanceOptions, &out.MaintenanceOptions
+		*out = make([]MaintenanceOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetadataOptions != nil {
+		in, out := &in.MetadataOptions, &out.MetadataOptions
+		*out = make([]MetadataOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Monitoring != nil {
+		in, out := &in.Monitoring, &out.Monitoring
+		*out = new(bool)
+		**out = **in
+	}
+	if in.NetworkInterface != nil {
+		in, out := &in.NetworkInterface, &out.NetworkInterface
+		*out = make([]InstanceNetworkInterfaceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutpostArn != nil {
+		in, out := &in.OutpostArn, &out.OutpostArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PasswordData != nil {
+		in, out := &in.PasswordData, &out.PasswordData
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlacementGroup != nil {
+		in, out := &in.PlacementGroup, &out.PlacementGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlacementPartitionNumber != nil {
+		in, out := &in.PlacementPartitionNumber, &out.PlacementPartitionNumber
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PrimaryNetworkInterfaceID != nil {
+		in, out := &in.PrimaryNetworkInterfaceID, &out.PrimaryNetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateDNS != nil {
+		in, out := &in.PrivateDNS, &out.PrivateDNS
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateDNSNameOptions != nil {
+		in, out := &in.PrivateDNSNameOptions, &out.PrivateDNSNameOptions
+		*out = make([]PrivateDNSNameOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PrivateIP != nil {
+		in, out := &in.PrivateIP, &out.PrivateIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicDNS != nil {
+		in, out := &in.PublicDNS, &out.PublicDNS
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicIP != nil {
+		in, out := &in.PublicIP, &out.PublicIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootBlockDevice != nil {
+		in, out := &in.RootBlockDevice, &out.RootBlockDevice
+		*out = make([]RootBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecondaryPrivateIps != nil {
+		in, out := &in.SecondaryPrivateIps, &out.SecondaryPrivateIps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceDestCheck != nil {
+		in, out := &in.SourceDestCheck, &out.SourceDestCheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Tenancy != nil {
+		in, out := &in.Tenancy, &out.Tenancy
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserData != nil {
+		in, out := &in.UserData, &out.UserData
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserDataBase64 != nil {
+		in, out := &in.UserDataBase64, &out.UserDataBase64
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserDataReplaceOnChange != nil {
+		in, out := &in.UserDataReplaceOnChange, &out.UserDataReplaceOnChange
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VolumeTags != nil {
+		in, out := &in.VolumeTags, &out.VolumeTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceObservation.
+func (in *InstanceObservation) DeepCopy() *InstanceObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(InstanceObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *InstanceParameters) DeepCopyInto(out *InstanceParameters) {
+	*out = *in
+	if in.AMI != nil {
+		in, out := &in.AMI, &out.AMI
+		*out = new(string)
+		**out = **in
+	}
+	if in.AssociatePublicIPAddress != nil {
+		in, out := &in.AssociatePublicIPAddress, &out.AssociatePublicIPAddress
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.CPUCoreCount != nil {
+		in, out := &in.CPUCoreCount, &out.CPUCoreCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CPUThreadsPerCore != nil {
+		in, out := &in.CPUThreadsPerCore, &out.CPUThreadsPerCore
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CapacityReservationSpecification != nil {
+		in, out := &in.CapacityReservationSpecification, &out.CapacityReservationSpecification
+		*out = make([]CapacityReservationSpecificationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CreditSpecification != nil {
+		in, out := &in.CreditSpecification, &out.CreditSpecification
+		*out = make([]CreditSpecificationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DisableAPIStop != nil {
+		in, out := &in.DisableAPIStop, &out.DisableAPIStop
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DisableAPITermination != nil {
+		in, out := &in.DisableAPITermination, &out.DisableAPITermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSBlockDevice != nil {
+		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
+		*out = make([]InstanceEBSBlockDeviceParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EBSOptimized != nil {
+		in, out := &in.EBSOptimized, &out.EBSOptimized
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnclaveOptions != nil {
+		in, out := &in.EnclaveOptions, &out.EnclaveOptions
+		*out = make([]EnclaveOptionsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EphemeralBlockDevice != nil {
+		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
+		*out = make([]InstanceEphemeralBlockDeviceParameters, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -9803,6 +11817,16 @@ func (in *InstanceParameters) DeepCopy() *InstanceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsAcceleratorCountObservation) DeepCopyInto(out *InstanceRequirementsAcceleratorCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsAcceleratorCountObservation.
@@ -9843,6 +11867,16 @@ func (in *InstanceRequirementsAcceleratorCountParameters) DeepCopy() *InstanceRe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsAcceleratorTotalMemoryMibObservation) DeepCopyInto(out *InstanceRequirementsAcceleratorTotalMemoryMibObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsAcceleratorTotalMemoryMibObservation.
@@ -9883,6 +11917,16 @@ func (in *InstanceRequirementsAcceleratorTotalMemoryMibParameters) DeepCopy() *I
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsBaselineEBSBandwidthMbpsObservation) DeepCopyInto(out *InstanceRequirementsBaselineEBSBandwidthMbpsObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsBaselineEBSBandwidthMbpsObservation.
@@ -9923,6 +11967,16 @@ func (in *InstanceRequirementsBaselineEBSBandwidthMbpsParameters) DeepCopy() *In
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsMemoryGibPerVcpuObservation) DeepCopyInto(out *InstanceRequirementsMemoryGibPerVcpuObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsMemoryGibPerVcpuObservation.
@@ -9963,6 +12017,16 @@ func (in *InstanceRequirementsMemoryGibPerVcpuParameters) DeepCopy() *InstanceRe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsMemoryMibObservation) DeepCopyInto(out *InstanceRequirementsMemoryMibObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsMemoryMibObservation.
@@ -10003,6 +12067,16 @@ func (in *InstanceRequirementsMemoryMibParameters) DeepCopy() *InstanceRequireme
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsNetworkInterfaceCountObservation) DeepCopyInto(out *InstanceRequirementsNetworkInterfaceCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsNetworkInterfaceCountObservation.
@@ -10043,6 +12117,169 @@ func (in *InstanceRequirementsNetworkInterfaceCountParameters) DeepCopy() *Insta
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsObservation) DeepCopyInto(out *InstanceRequirementsObservation) {
 	*out = *in
+	if in.AcceleratorCount != nil {
+		in, out := &in.AcceleratorCount, &out.AcceleratorCount
+		*out = make([]AcceleratorCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AcceleratorManufacturers != nil {
+		in, out := &in.AcceleratorManufacturers, &out.AcceleratorManufacturers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AcceleratorNames != nil {
+		in, out := &in.AcceleratorNames, &out.AcceleratorNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AcceleratorTotalMemoryMib != nil {
+		in, out := &in.AcceleratorTotalMemoryMib, &out.AcceleratorTotalMemoryMib
+		*out = make([]AcceleratorTotalMemoryMibObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AcceleratorTypes != nil {
+		in, out := &in.AcceleratorTypes, &out.AcceleratorTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BareMetal != nil {
+		in, out := &in.BareMetal, &out.BareMetal
+		*out = new(string)
+		**out = **in
+	}
+	if in.BaselineEBSBandwidthMbps != nil {
+		in, out := &in.BaselineEBSBandwidthMbps, &out.BaselineEBSBandwidthMbps
+		*out = make([]BaselineEBSBandwidthMbpsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BurstablePerformance != nil {
+		in, out := &in.BurstablePerformance, &out.BurstablePerformance
+		*out = new(string)
+		**out = **in
+	}
+	if in.CPUManufacturers != nil {
+		in, out := &in.CPUManufacturers, &out.CPUManufacturers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ExcludedInstanceTypes != nil {
+		in, out := &in.ExcludedInstanceTypes, &out.ExcludedInstanceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InstanceGenerations != nil {
+		in, out := &in.InstanceGenerations, &out.InstanceGenerations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.LocalStorage != nil {
+		in, out := &in.LocalStorage, &out.LocalStorage
+		*out = new(string)
+		**out = **in
+	}
+	if in.LocalStorageTypes != nil {
+		in, out := &in.LocalStorageTypes, &out.LocalStorageTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MemoryGibPerVcpu != nil {
+		in, out := &in.MemoryGibPerVcpu, &out.MemoryGibPerVcpu
+		*out = make([]MemoryGibPerVcpuObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MemoryMib != nil {
+		in, out := &in.MemoryMib, &out.MemoryMib
+		*out = make([]MemoryMibObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkInterfaceCount != nil {
+		in, out := &in.NetworkInterfaceCount, &out.NetworkInterfaceCount
+		*out = make([]NetworkInterfaceCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OnDemandMaxPricePercentageOverLowestPrice != nil {
+		in, out := &in.OnDemandMaxPricePercentageOverLowestPrice, &out.OnDemandMaxPricePercentageOverLowestPrice
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RequireHibernateSupport != nil {
+		in, out := &in.RequireHibernateSupport, &out.RequireHibernateSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SpotMaxPricePercentageOverLowestPrice != nil {
+		in, out := &in.SpotMaxPricePercentageOverLowestPrice, &out.SpotMaxPricePercentageOverLowestPrice
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TotalLocalStorageGb != nil {
+		in, out := &in.TotalLocalStorageGb, &out.TotalLocalStorageGb
+		*out = make([]TotalLocalStorageGbObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VcpuCount != nil {
+		in, out := &in.VcpuCount, &out.VcpuCount
+		*out = make([]VcpuCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsObservation.
@@ -10236,6 +12473,16 @@ func (in *InstanceRequirementsParameters) DeepCopy() *InstanceRequirementsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsTotalLocalStorageGbObservation) DeepCopyInto(out *InstanceRequirementsTotalLocalStorageGbObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsTotalLocalStorageGbObservation.
@@ -10276,6 +12523,16 @@ func (in *InstanceRequirementsTotalLocalStorageGbParameters) DeepCopy() *Instanc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRequirementsVcpuCountObservation) DeepCopyInto(out *InstanceRequirementsVcpuCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRequirementsVcpuCountObservation.
@@ -10392,11 +12649,26 @@ func (in *InstanceStateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceStateObservation) DeepCopyInto(out *InstanceStateObservation) {
 	*out = *in
+	if in.Force != nil {
+		in, out := &in.Force, &out.Force
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceStateObservation.
@@ -10612,6 +12884,21 @@ func (in *InternetGatewayObservation_2) DeepCopyInto(out *InternetGatewayObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -10627,6 +12914,11 @@ func (in *InternetGatewayObservation_2) DeepCopyInto(out *InternetGatewayObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InternetGatewayObservation_2.
@@ -10825,6 +13117,26 @@ func (in *KeyPairObservation) DeepCopyInto(out *KeyPairObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PublicKey != nil {
+		in, out := &in.PublicKey, &out.PublicKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -10929,6 +13241,51 @@ func (in *KeyPairStatus) DeepCopy() *KeyPairStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchSpecificationEBSBlockDeviceObservation) DeepCopyInto(out *LaunchSpecificationEBSBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchSpecificationEBSBlockDeviceObservation.
@@ -11004,6 +13361,16 @@ func (in *LaunchSpecificationEBSBlockDeviceParameters) DeepCopy() *LaunchSpecifi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchSpecificationEphemeralBlockDeviceObservation) DeepCopyInto(out *LaunchSpecificationEphemeralBlockDeviceObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchSpecificationEphemeralBlockDeviceObservation.
@@ -11044,6 +13411,128 @@ func (in *LaunchSpecificationEphemeralBlockDeviceParameters) DeepCopy() *LaunchS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchSpecificationObservation) DeepCopyInto(out *LaunchSpecificationObservation) {
 	*out = *in
+	if in.AMI != nil {
+		in, out := &in.AMI, &out.AMI
+		*out = new(string)
+		**out = **in
+	}
+	if in.AssociatePublicIPAddress != nil {
+		in, out := &in.AssociatePublicIPAddress, &out.AssociatePublicIPAddress
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.EBSBlockDevice != nil {
+		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
+		*out = make([]LaunchSpecificationEBSBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EBSOptimized != nil {
+		in, out := &in.EBSOptimized, &out.EBSOptimized
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EphemeralBlockDevice != nil {
+		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
+		*out = make([]LaunchSpecificationEphemeralBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IAMInstanceProfile != nil {
+		in, out := &in.IAMInstanceProfile, &out.IAMInstanceProfile
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMInstanceProfileArn != nil {
+		in, out := &in.IAMInstanceProfileArn, &out.IAMInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyName != nil {
+		in, out := &in.KeyName, &out.KeyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Monitoring != nil {
+		in, out := &in.Monitoring, &out.Monitoring
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PlacementGroup != nil {
+		in, out := &in.PlacementGroup, &out.PlacementGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlacementTenancy != nil {
+		in, out := &in.PlacementTenancy, &out.PlacementTenancy
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootBlockDevice != nil {
+		in, out := &in.RootBlockDevice, &out.RootBlockDevice
+		*out = make([]LaunchSpecificationRootBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SpotPrice != nil {
+		in, out := &in.SpotPrice, &out.SpotPrice
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UserData != nil {
+		in, out := &in.UserData, &out.UserData
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.WeightedCapacity != nil {
+		in, out := &in.WeightedCapacity, &out.WeightedCapacity
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchSpecificationObservation.
@@ -11206,6 +13695,41 @@ func (in *LaunchSpecificationParameters) DeepCopy() *LaunchSpecificationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchSpecificationRootBlockDeviceObservation) DeepCopyInto(out *LaunchSpecificationRootBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchSpecificationRootBlockDeviceObservation.
@@ -11298,6 +13822,18 @@ func (in *LaunchTemplate) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateCapacityReservationSpecificationObservation) DeepCopyInto(out *LaunchTemplateCapacityReservationSpecificationObservation) {
 	*out = *in
+	if in.CapacityReservationPreference != nil {
+		in, out := &in.CapacityReservationPreference, &out.CapacityReservationPreference
+		*out = new(string)
+		**out = **in
+	}
+	if in.CapacityReservationTarget != nil {
+		in, out := &in.CapacityReservationTarget, &out.CapacityReservationTarget
+		*out = make([]CapacityReservationSpecificationCapacityReservationTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateCapacityReservationSpecificationObservation.
@@ -11340,6 +13876,20 @@ func (in *LaunchTemplateCapacityReservationSpecificationParameters) DeepCopy() *
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateConfigObservation) DeepCopyInto(out *LaunchTemplateConfigObservation) {
 	*out = *in
+	if in.LaunchTemplateSpecification != nil {
+		in, out := &in.LaunchTemplateSpecification, &out.LaunchTemplateSpecification
+		*out = make([]LaunchTemplateSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Overrides != nil {
+		in, out := &in.Overrides, &out.Overrides
+		*out = make([]OverridesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateConfigObservation.
@@ -11384,6 +13934,11 @@ func (in *LaunchTemplateConfigParameters) DeepCopy() *LaunchTemplateConfigParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateCreditSpecificationObservation) DeepCopyInto(out *LaunchTemplateCreditSpecificationObservation) {
 	*out = *in
+	if in.CPUCredits != nil {
+		in, out := &in.CPUCredits, &out.CPUCredits
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateCreditSpecificationObservation.
@@ -11419,6 +13974,11 @@ func (in *LaunchTemplateCreditSpecificationParameters) DeepCopy() *LaunchTemplat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateEnclaveOptionsObservation) DeepCopyInto(out *LaunchTemplateEnclaveOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateEnclaveOptionsObservation.
@@ -11486,6 +14046,11 @@ func (in *LaunchTemplateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateMaintenanceOptionsObservation) DeepCopyInto(out *LaunchTemplateMaintenanceOptionsObservation) {
 	*out = *in
+	if in.AutoRecovery != nil {
+		in, out := &in.AutoRecovery, &out.AutoRecovery
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateMaintenanceOptionsObservation.
@@ -11521,6 +14086,31 @@ func (in *LaunchTemplateMaintenanceOptionsParameters) DeepCopy() *LaunchTemplate
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateMetadataOptionsObservation) DeepCopyInto(out *LaunchTemplateMetadataOptionsObservation) {
 	*out = *in
+	if in.HTTPEndpoint != nil {
+		in, out := &in.HTTPEndpoint, &out.HTTPEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPProtocolIPv6 != nil {
+		in, out := &in.HTTPProtocolIPv6, &out.HTTPProtocolIPv6
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPPutResponseHopLimit != nil {
+		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPTokens != nil {
+		in, out := &in.HTTPTokens, &out.HTTPTokens
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceMetadataTags != nil {
+		in, out := &in.InstanceMetadataTags, &out.InstanceMetadataTags
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateMetadataOptionsObservation.
@@ -11576,6 +14166,21 @@ func (in *LaunchTemplateMetadataOptionsParameters) DeepCopy() *LaunchTemplateMet
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateObservation) DeepCopyInto(out *LaunchTemplateObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateObservation.
@@ -11596,16 +14201,235 @@ func (in *LaunchTemplateObservation_2) DeepCopyInto(out *LaunchTemplateObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.BlockDeviceMappings != nil {
+		in, out := &in.BlockDeviceMappings, &out.BlockDeviceMappings
+		*out = make([]BlockDeviceMappingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CPUOptions != nil {
+		in, out := &in.CPUOptions, &out.CPUOptions
+		*out = make([]CPUOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CapacityReservationSpecification != nil {
+		in, out := &in.CapacityReservationSpecification, &out.CapacityReservationSpecification
+		*out = make([]LaunchTemplateCapacityReservationSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CreditSpecification != nil {
+		in, out := &in.CreditSpecification, &out.CreditSpecification
+		*out = make([]LaunchTemplateCreditSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultVersion != nil {
+		in, out := &in.DefaultVersion, &out.DefaultVersion
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableAPIStop != nil {
+		in, out := &in.DisableAPIStop, &out.DisableAPIStop
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DisableAPITermination != nil {
+		in, out := &in.DisableAPITermination, &out.DisableAPITermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSOptimized != nil {
+		in, out := &in.EBSOptimized, &out.EBSOptimized
+		*out = new(string)
+		**out = **in
+	}
+	if in.ElasticGpuSpecifications != nil {
+		in, out := &in.ElasticGpuSpecifications, &out.ElasticGpuSpecifications
+		*out = make([]ElasticGpuSpecificationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticInferenceAccelerator != nil {
+		in, out := &in.ElasticInferenceAccelerator, &out.ElasticInferenceAccelerator
+		*out = make([]ElasticInferenceAcceleratorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnclaveOptions != nil {
+		in, out := &in.EnclaveOptions, &out.EnclaveOptions
+		*out = make([]LaunchTemplateEnclaveOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HibernationOptions != nil {
+		in, out := &in.HibernationOptions, &out.HibernationOptions
+		*out = make([]HibernationOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IAMInstanceProfile != nil {
+		in, out := &in.IAMInstanceProfile, &out.IAMInstanceProfile
+		*out = make([]IAMInstanceProfileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageID != nil {
+		in, out := &in.ImageID, &out.ImageID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceInitiatedShutdownBehavior != nil {
+		in, out := &in.InstanceInitiatedShutdownBehavior, &out.InstanceInitiatedShutdownBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceMarketOptions != nil {
+		in, out := &in.InstanceMarketOptions, &out.InstanceMarketOptions
+		*out = make([]InstanceMarketOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceRequirements != nil {
+		in, out := &in.InstanceRequirements, &out.InstanceRequirements
+		*out = make([]InstanceRequirementsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KernelID != nil {
+		in, out := &in.KernelID, &out.KernelID
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyName != nil {
+		in, out := &in.KeyName, &out.KeyName
+		*out = new(string)
+		**out = **in
+	}
 	if in.LatestVersion != nil {
 		in, out := &in.LatestVersion, &out.LatestVersion
 		*out = new(float64)
 		**out = **in
 	}
+	if in.LicenseSpecification != nil {
+		in, out := &in.LicenseSpecification, &out.LicenseSpecification
+		*out = make([]LicenseSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaintenanceOptions != nil {
+		in, out := &in.MaintenanceOptions, &out.MaintenanceOptions
+		*out = make([]LaunchTemplateMaintenanceOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetadataOptions != nil {
+		in, out := &in.MetadataOptions, &out.MetadataOptions
+		*out = make([]LaunchTemplateMetadataOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Monitoring != nil {
+		in, out := &in.Monitoring, &out.Monitoring
+		*out = make([]MonitoringObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkInterfaces != nil {
+		in, out := &in.NetworkInterfaces, &out.NetworkInterfaces
+		*out = make([]NetworkInterfacesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Placement != nil {
+		in, out := &in.Placement, &out.Placement
+		*out = make([]PlacementObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PrivateDNSNameOptions != nil {
+		in, out := &in.PrivateDNSNameOptions, &out.PrivateDNSNameOptions
+		*out = make([]LaunchTemplatePrivateDNSNameOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RAMDiskID != nil {
+		in, out := &in.RAMDiskID, &out.RAMDiskID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupNames != nil {
+		in, out := &in.SecurityGroupNames, &out.SecurityGroupNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TagSpecifications != nil {
+		in, out := &in.TagSpecifications, &out.TagSpecifications
+		*out = make([]TagSpecificationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -11621,6 +14445,27 @@ func (in *LaunchTemplateObservation_2) DeepCopyInto(out *LaunchTemplateObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.UpdateDefaultVersion != nil {
+		in, out := &in.UpdateDefaultVersion, &out.UpdateDefaultVersion
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UserData != nil {
+		in, out := &in.UserData, &out.UserData
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateObservation_2.
@@ -11950,6 +14795,21 @@ func (in *LaunchTemplateParameters_2) DeepCopy() *LaunchTemplateParameters_2 {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplatePrivateDNSNameOptionsObservation) DeepCopyInto(out *LaunchTemplatePrivateDNSNameOptionsObservation) {
 	*out = *in
+	if in.EnableResourceNameDNSARecord != nil {
+		in, out := &in.EnableResourceNameDNSARecord, &out.EnableResourceNameDNSARecord
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableResourceNameDNSAaaaRecord != nil {
+		in, out := &in.EnableResourceNameDNSAaaaRecord, &out.EnableResourceNameDNSAaaaRecord
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HostnameType != nil {
+		in, out := &in.HostnameType, &out.HostnameType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplatePrivateDNSNameOptionsObservation.
@@ -12012,6 +14872,21 @@ func (in *LaunchTemplateSpec) DeepCopy() *LaunchTemplateSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateSpecificationObservation) DeepCopyInto(out *LaunchTemplateSpecificationObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateSpecificationObservation.
@@ -12094,6 +14969,11 @@ func (in *LaunchTemplateStatus) DeepCopy() *LaunchTemplateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LicenseSpecificationObservation) DeepCopyInto(out *LicenseSpecificationObservation) {
 	*out = *in
+	if in.LicenseConfigurationArn != nil {
+		in, out := &in.LicenseConfigurationArn, &out.LicenseConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LicenseSpecificationObservation.
@@ -12288,6 +15168,16 @@ func (in *MainRouteTableAssociationObservation) DeepCopyInto(out *MainRouteTable
 		*out = new(string)
 		**out = **in
 	}
+	if in.RouteTableID != nil {
+		in, out := &in.RouteTableID, &out.RouteTableID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MainRouteTableAssociationObservation.
@@ -12387,6 +15277,11 @@ func (in *MainRouteTableAssociationStatus) DeepCopy() *MainRouteTableAssociation
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceOptionsObservation) DeepCopyInto(out *MaintenanceOptionsObservation) {
 	*out = *in
+	if in.AutoRecovery != nil {
+		in, out := &in.AutoRecovery, &out.AutoRecovery
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceOptionsObservation.
@@ -12508,11 +15403,26 @@ func (in *ManagedPrefixListEntryList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManagedPrefixListEntryObservation) DeepCopyInto(out *ManagedPrefixListEntryObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrefixListID != nil {
+		in, out := &in.PrefixListID, &out.PrefixListID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedPrefixListEntryObservation.
@@ -12649,21 +15559,58 @@ func (in *ManagedPrefixListList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManagedPrefixListObservation) DeepCopyInto(out *ManagedPrefixListObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Entry != nil {
+		in, out := &in.Entry, &out.Entry
+		*out = make([]EntryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxEntries != nil {
+		in, out := &in.MaxEntries, &out.MaxEntries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -12790,6 +15737,16 @@ func (in *ManagedPrefixListStatus) DeepCopy() *ManagedPrefixListStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemoryGibPerVcpuObservation) DeepCopyInto(out *MemoryGibPerVcpuObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryGibPerVcpuObservation.
@@ -12830,6 +15787,16 @@ func (in *MemoryGibPerVcpuParameters) DeepCopy() *MemoryGibPerVcpuParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemoryMibObservation) DeepCopyInto(out *MemoryMibObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemoryMibObservation.
@@ -12870,6 +15837,26 @@ func (in *MemoryMibParameters) DeepCopy() *MemoryMibParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetadataOptionsObservation) DeepCopyInto(out *MetadataOptionsObservation) {
 	*out = *in
+	if in.HTTPEndpoint != nil {
+		in, out := &in.HTTPEndpoint, &out.HTTPEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPPutResponseHopLimit != nil {
+		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPTokens != nil {
+		in, out := &in.HTTPTokens, &out.HTTPTokens
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceMetadataTags != nil {
+		in, out := &in.InstanceMetadataTags, &out.InstanceMetadataTags
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MetadataOptionsObservation.
@@ -12920,6 +15907,11 @@ func (in *MetadataOptionsParameters) DeepCopy() *MetadataOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MonitoringObservation) DeepCopyInto(out *MonitoringObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MonitoringObservation.
@@ -13044,6 +16036,16 @@ func (in *NATGatewayObservation) DeepCopy() *NATGatewayObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NATGatewayObservation_2) DeepCopyInto(out *NATGatewayObservation_2) {
 	*out = *in
+	if in.AllocationID != nil {
+		in, out := &in.AllocationID, &out.AllocationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectivityType != nil {
+		in, out := &in.ConnectivityType, &out.ConnectivityType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -13054,11 +16056,36 @@ func (in *NATGatewayObservation_2) DeepCopyInto(out *NATGatewayObservation_2) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrivateIP != nil {
+		in, out := &in.PrivateIP, &out.PrivateIP
+		*out = new(string)
+		**out = **in
+	}
 	if in.PublicIP != nil {
 		in, out := &in.PublicIP, &out.PublicIP
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -13451,6 +16478,32 @@ func (in *NetworkACLObservation) DeepCopyInto(out *NetworkACLObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -13466,6 +16519,11 @@ func (in *NetworkACLObservation) DeepCopyInto(out *NetworkACLObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkACLObservation.
@@ -13613,11 +16671,66 @@ func (in *NetworkACLRuleList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkACLRuleObservation) DeepCopyInto(out *NetworkACLRuleObservation) {
 	*out = *in
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.IcmpCode != nil {
+		in, out := &in.IcmpCode, &out.IcmpCode
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IcmpType != nil {
+		in, out := &in.IcmpType, &out.IcmpType
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkACLID != nil {
+		in, out := &in.NetworkACLID, &out.NetworkACLID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleAction != nil {
+		in, out := &in.RuleAction, &out.RuleAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleNumber != nil {
+		in, out := &in.RuleNumber, &out.RuleNumber
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkACLRuleObservation.
@@ -13864,6 +16977,17 @@ func (in *NetworkInsightsAnalysisObservation) DeepCopyInto(out *NetworkInsightsA
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.FilterInArns != nil {
+		in, out := &in.FilterInArns, &out.FilterInArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ForwardPathComponents != nil {
 		in, out := &in.ForwardPathComponents, &out.ForwardPathComponents
 		*out = make([]ForwardPathComponentsObservation, len(*in))
@@ -13876,6 +17000,11 @@ func (in *NetworkInsightsAnalysisObservation) DeepCopyInto(out *NetworkInsightsA
 		*out = new(string)
 		**out = **in
 	}
+	if in.NetworkInsightsPathID != nil {
+		in, out := &in.NetworkInsightsPathID, &out.NetworkInsightsPathID
+		*out = new(string)
+		**out = **in
+	}
 	if in.PathFound != nil {
 		in, out := &in.PathFound, &out.PathFound
 		*out = new(bool)
@@ -13903,6 +17032,21 @@ func (in *NetworkInsightsAnalysisObservation) DeepCopyInto(out *NetworkInsightsA
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -13918,6 +17062,11 @@ func (in *NetworkInsightsAnalysisObservation) DeepCopyInto(out *NetworkInsightsA
 			(*out)[key] = outVal
 		}
 	}
+	if in.WaitForCompletion != nil {
+		in, out := &in.WaitForCompletion, &out.WaitForCompletion
+		*out = new(bool)
+		**out = **in
+	}
 	if in.WarningMessage != nil {
 		in, out := &in.WarningMessage, &out.WarningMessage
 		*out = new(string)
@@ -14102,11 +17251,56 @@ func (in *NetworkInsightsPathObservation) DeepCopyInto(out *NetworkInsightsPathO
 		*out = new(string)
 		**out = **in
 	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationIP != nil {
+		in, out := &in.DestinationIP, &out.DestinationIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationPort != nil {
+		in, out := &in.DestinationPort, &out.DestinationPort
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceIP != nil {
+		in, out := &in.SourceIP, &out.SourceIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -14347,11 +17541,26 @@ func (in *NetworkInterfaceAttachmentObservation) DeepCopyInto(out *NetworkInterf
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeviceIndex != nil {
+		in, out := &in.DeviceIndex, &out.DeviceIndex
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -14461,6 +17670,16 @@ func (in *NetworkInterfaceAttachmentStatus) DeepCopy() *NetworkInterfaceAttachme
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkInterfaceCountObservation) DeepCopyInto(out *NetworkInterfaceCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceCountObservation.
@@ -14575,11 +17794,85 @@ func (in *NetworkInterfaceObservation_2) DeepCopyInto(out *NetworkInterfaceObser
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv4PrefixCount != nil {
+		in, out := &in.IPv4PrefixCount, &out.IPv4PrefixCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv4Prefixes != nil {
+		in, out := &in.IPv4Prefixes, &out.IPv4Prefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IPv6AddressCount != nil {
+		in, out := &in.IPv6AddressCount, &out.IPv6AddressCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6AddressList != nil {
+		in, out := &in.IPv6AddressList, &out.IPv6AddressList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IPv6AddressListEnabled != nil {
+		in, out := &in.IPv6AddressListEnabled, &out.IPv6AddressListEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IPv6Addresses != nil {
+		in, out := &in.IPv6Addresses, &out.IPv6Addresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IPv6PrefixCount != nil {
+		in, out := &in.IPv6PrefixCount, &out.IPv6PrefixCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6Prefixes != nil {
+		in, out := &in.IPv6Prefixes, &out.IPv6Prefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InterfaceType != nil {
+		in, out := &in.InterfaceType, &out.InterfaceType
+		*out = new(string)
+		**out = **in
+	}
 	if in.MacAddress != nil {
 		in, out := &in.MacAddress, &out.MacAddress
 		*out = new(string)
@@ -14600,6 +17893,79 @@ func (in *NetworkInterfaceObservation_2) DeepCopyInto(out *NetworkInterfaceObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrivateIP != nil {
+		in, out := &in.PrivateIP, &out.PrivateIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateIPList != nil {
+		in, out := &in.PrivateIPList, &out.PrivateIPList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PrivateIPListEnabled != nil {
+		in, out := &in.PrivateIPListEnabled, &out.PrivateIPListEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PrivateIps != nil {
+		in, out := &in.PrivateIps, &out.PrivateIps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PrivateIpsCount != nil {
+		in, out := &in.PrivateIpsCount, &out.PrivateIpsCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceDestCheck != nil {
+		in, out := &in.SourceDestCheck, &out.SourceDestCheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -14898,6 +18264,16 @@ func (in *NetworkInterfaceSgAttachmentObservation) DeepCopyInto(out *NetworkInte
 		*out = new(string)
 		**out = **in
 	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupID != nil {
+		in, out := &in.SecurityGroupID, &out.SecurityGroupID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfaceSgAttachmentObservation.
@@ -15031,6 +18407,131 @@ func (in *NetworkInterfaceStatus) DeepCopy() *NetworkInterfaceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkInterfacesObservation) DeepCopyInto(out *NetworkInterfacesObservation) {
 	*out = *in
+	if in.AssociateCarrierIPAddress != nil {
+		in, out := &in.AssociateCarrierIPAddress, &out.AssociateCarrierIPAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.AssociatePublicIPAddress != nil {
+		in, out := &in.AssociatePublicIPAddress, &out.AssociatePublicIPAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceIndex != nil {
+		in, out := &in.DeviceIndex, &out.DeviceIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv4AddressCount != nil {
+		in, out := &in.IPv4AddressCount, &out.IPv4AddressCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv4Addresses != nil {
+		in, out := &in.IPv4Addresses, &out.IPv4Addresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IPv4PrefixCount != nil {
+		in, out := &in.IPv4PrefixCount, &out.IPv4PrefixCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv4Prefixes != nil {
+		in, out := &in.IPv4Prefixes, &out.IPv4Prefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IPv6AddressCount != nil {
+		in, out := &in.IPv6AddressCount, &out.IPv6AddressCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6Addresses != nil {
+		in, out := &in.IPv6Addresses, &out.IPv6Addresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.IPv6PrefixCount != nil {
+		in, out := &in.IPv6PrefixCount, &out.IPv6PrefixCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6Prefixes != nil {
+		in, out := &in.IPv6Prefixes, &out.IPv6Prefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InterfaceType != nil {
+		in, out := &in.InterfaceType, &out.InterfaceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkCardIndex != nil {
+		in, out := &in.NetworkCardIndex, &out.NetworkCardIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateIPAddress != nil {
+		in, out := &in.PrivateIPAddress, &out.PrivateIPAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInterfacesObservation.
@@ -15218,6 +18719,11 @@ func (in *NetworkInterfacesParameters) DeepCopy() *NetworkInterfacesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OperatingRegionsObservation) DeepCopyInto(out *OperatingRegionsObservation) {
 	*out = *in
+	if in.RegionName != nil {
+		in, out := &in.RegionName, &out.RegionName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OperatingRegionsObservation.
@@ -15404,6 +18910,169 @@ func (in *OutboundHeaderSourcePortRangesParameters) DeepCopy() *OutboundHeaderSo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverridesInstanceRequirementsObservation) DeepCopyInto(out *OverridesInstanceRequirementsObservation) {
 	*out = *in
+	if in.AcceleratorCount != nil {
+		in, out := &in.AcceleratorCount, &out.AcceleratorCount
+		*out = make([]InstanceRequirementsAcceleratorCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AcceleratorManufacturers != nil {
+		in, out := &in.AcceleratorManufacturers, &out.AcceleratorManufacturers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AcceleratorNames != nil {
+		in, out := &in.AcceleratorNames, &out.AcceleratorNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AcceleratorTotalMemoryMib != nil {
+		in, out := &in.AcceleratorTotalMemoryMib, &out.AcceleratorTotalMemoryMib
+		*out = make([]InstanceRequirementsAcceleratorTotalMemoryMibObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AcceleratorTypes != nil {
+		in, out := &in.AcceleratorTypes, &out.AcceleratorTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BareMetal != nil {
+		in, out := &in.BareMetal, &out.BareMetal
+		*out = new(string)
+		**out = **in
+	}
+	if in.BaselineEBSBandwidthMbps != nil {
+		in, out := &in.BaselineEBSBandwidthMbps, &out.BaselineEBSBandwidthMbps
+		*out = make([]InstanceRequirementsBaselineEBSBandwidthMbpsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BurstablePerformance != nil {
+		in, out := &in.BurstablePerformance, &out.BurstablePerformance
+		*out = new(string)
+		**out = **in
+	}
+	if in.CPUManufacturers != nil {
+		in, out := &in.CPUManufacturers, &out.CPUManufacturers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ExcludedInstanceTypes != nil {
+		in, out := &in.ExcludedInstanceTypes, &out.ExcludedInstanceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InstanceGenerations != nil {
+		in, out := &in.InstanceGenerations, &out.InstanceGenerations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.LocalStorage != nil {
+		in, out := &in.LocalStorage, &out.LocalStorage
+		*out = new(string)
+		**out = **in
+	}
+	if in.LocalStorageTypes != nil {
+		in, out := &in.LocalStorageTypes, &out.LocalStorageTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MemoryGibPerVcpu != nil {
+		in, out := &in.MemoryGibPerVcpu, &out.MemoryGibPerVcpu
+		*out = make([]InstanceRequirementsMemoryGibPerVcpuObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MemoryMib != nil {
+		in, out := &in.MemoryMib, &out.MemoryMib
+		*out = make([]InstanceRequirementsMemoryMibObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkInterfaceCount != nil {
+		in, out := &in.NetworkInterfaceCount, &out.NetworkInterfaceCount
+		*out = make([]InstanceRequirementsNetworkInterfaceCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OnDemandMaxPricePercentageOverLowestPrice != nil {
+		in, out := &in.OnDemandMaxPricePercentageOverLowestPrice, &out.OnDemandMaxPricePercentageOverLowestPrice
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RequireHibernateSupport != nil {
+		in, out := &in.RequireHibernateSupport, &out.RequireHibernateSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SpotMaxPricePercentageOverLowestPrice != nil {
+		in, out := &in.SpotMaxPricePercentageOverLowestPrice, &out.SpotMaxPricePercentageOverLowestPrice
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TotalLocalStorageGb != nil {
+		in, out := &in.TotalLocalStorageGb, &out.TotalLocalStorageGb
+		*out = make([]InstanceRequirementsTotalLocalStorageGbObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VcpuCount != nil {
+		in, out := &in.VcpuCount, &out.VcpuCount
+		*out = make([]InstanceRequirementsVcpuCountObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OverridesInstanceRequirementsObservation.
@@ -15597,6 +19266,43 @@ func (in *OverridesInstanceRequirementsParameters) DeepCopy() *OverridesInstance
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverridesObservation) DeepCopyInto(out *OverridesObservation) {
 	*out = *in
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceRequirements != nil {
+		in, out := &in.InstanceRequirements, &out.InstanceRequirements
+		*out = make([]OverridesInstanceRequirementsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SpotPrice != nil {
+		in, out := &in.SpotPrice, &out.SpotPrice
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.WeightedCapacity != nil {
+		in, out := &in.WeightedCapacity, &out.WeightedCapacity
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OverridesObservation.
@@ -15733,11 +19439,41 @@ func (in *PlacementGroupObservation) DeepCopyInto(out *PlacementGroupObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.PartitionCount != nil {
+		in, out := &in.PartitionCount, &out.PartitionCount
+		*out = new(float64)
+		**out = **in
+	}
 	if in.PlacementGroupID != nil {
 		in, out := &in.PlacementGroupID, &out.PlacementGroupID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SpreadLevel != nil {
+		in, out := &in.SpreadLevel, &out.SpreadLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Strategy != nil {
+		in, out := &in.Strategy, &out.Strategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -15852,6 +19588,46 @@ func (in *PlacementGroupStatus) DeepCopy() *PlacementGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlacementObservation) DeepCopyInto(out *PlacementObservation) {
 	*out = *in
+	if in.Affinity != nil {
+		in, out := &in.Affinity, &out.Affinity
+		*out = new(string)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupName != nil {
+		in, out := &in.GroupName, &out.GroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostID != nil {
+		in, out := &in.HostID, &out.HostID
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostResourceGroupArn != nil {
+		in, out := &in.HostResourceGroupArn, &out.HostResourceGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PartitionNumber != nil {
+		in, out := &in.PartitionNumber, &out.PartitionNumber
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SpreadDomain != nil {
+		in, out := &in.SpreadDomain, &out.SpreadDomain
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tenancy != nil {
+		in, out := &in.Tenancy, &out.Tenancy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlacementObservation.
@@ -16097,6 +19873,21 @@ func (in *PrivateDNSNameConfigurationParameters) DeepCopy() *PrivateDNSNameConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrivateDNSNameOptionsObservation) DeepCopyInto(out *PrivateDNSNameOptionsObservation) {
 	*out = *in
+	if in.EnableResourceNameDNSARecord != nil {
+		in, out := &in.EnableResourceNameDNSARecord, &out.EnableResourceNameDNSARecord
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableResourceNameDNSAaaaRecord != nil {
+		in, out := &in.EnableResourceNameDNSAaaaRecord, &out.EnableResourceNameDNSAaaaRecord
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HostnameType != nil {
+		in, out := &in.HostnameType, &out.HostnameType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivateDNSNameOptionsObservation.
@@ -17293,16 +21084,66 @@ func (in *ReturnPathComponentsVPCParameters) DeepCopy() *ReturnPathComponentsVPC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RootBlockDeviceObservation) DeepCopyInto(out *RootBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
 	if in.DeviceName != nil {
 		in, out := &in.DeviceName, &out.DeviceName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VolumeID != nil {
 		in, out := &in.VolumeID, &out.VolumeID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootBlockDeviceObservation.
@@ -17452,6 +21293,66 @@ func (in *RouteList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouteObservation) DeepCopyInto(out *RouteObservation) {
 	*out = *in
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.CoreNetworkArn != nil {
+		in, out := &in.CoreNetworkArn, &out.CoreNetworkArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationPrefixListID != nil {
+		in, out := &in.DestinationPrefixListID, &out.DestinationPrefixListID
+		*out = new(string)
+		**out = **in
+	}
+	if in.EgressOnlyGatewayID != nil {
+		in, out := &in.EgressOnlyGatewayID, &out.EgressOnlyGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.GatewayID != nil {
+		in, out := &in.GatewayID, &out.GatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NATGatewayID != nil {
+		in, out := &in.NATGatewayID, &out.NATGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCEndpointID != nil {
+		in, out := &in.VPCEndpointID, &out.VPCEndpointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCPeeringConnectionID != nil {
+		in, out := &in.VPCPeeringConnectionID, &out.VPCPeeringConnectionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteObservation.
@@ -17467,26 +21368,101 @@ func (in *RouteObservation) DeepCopy() *RouteObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouteObservation_2) DeepCopyInto(out *RouteObservation_2) {
 	*out = *in
+	if in.CarrierGatewayID != nil {
+		in, out := &in.CarrierGatewayID, &out.CarrierGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CoreNetworkArn != nil {
+		in, out := &in.CoreNetworkArn, &out.CoreNetworkArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationCidrBlock != nil {
+		in, out := &in.DestinationCidrBlock, &out.DestinationCidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationIPv6CidrBlock != nil {
+		in, out := &in.DestinationIPv6CidrBlock, &out.DestinationIPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationPrefixListID != nil {
+		in, out := &in.DestinationPrefixListID, &out.DestinationPrefixListID
+		*out = new(string)
+		**out = **in
+	}
+	if in.EgressOnlyGatewayID != nil {
+		in, out := &in.EgressOnlyGatewayID, &out.EgressOnlyGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.GatewayID != nil {
+		in, out := &in.GatewayID, &out.GatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
 	if in.InstanceOwnerID != nil {
 		in, out := &in.InstanceOwnerID, &out.InstanceOwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LocalGatewayID != nil {
+		in, out := &in.LocalGatewayID, &out.LocalGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NATGatewayID != nil {
+		in, out := &in.NATGatewayID, &out.NATGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Origin != nil {
 		in, out := &in.Origin, &out.Origin
 		*out = new(string)
 		**out = **in
 	}
+	if in.RouteTableID != nil {
+		in, out := &in.RouteTableID, &out.RouteTableID
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCEndpointID != nil {
+		in, out := &in.VPCEndpointID, &out.VPCEndpointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCPeeringConnectionID != nil {
+		in, out := &in.VPCPeeringConnectionID, &out.VPCPeeringConnectionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteObservation_2.
@@ -17912,11 +21888,26 @@ func (in *RouteTableAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RouteTableAssociationObservation) DeepCopyInto(out *RouteTableAssociationObservation) {
 	*out = *in
+	if in.GatewayID != nil {
+		in, out := &in.GatewayID, &out.GatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RouteTableID != nil {
+		in, out := &in.RouteTableID, &out.RouteTableID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteTableAssociationObservation.
@@ -18126,6 +22117,21 @@ func (in *RouteTableObservation_2) DeepCopyInto(out *RouteTableObservation_2) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -18141,6 +22147,11 @@ func (in *RouteTableObservation_2) DeepCopyInto(out *RouteTableObservation_2) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RouteTableObservation_2.
@@ -18772,6 +22783,11 @@ func (in *SecurityGroupObservation_2) DeepCopyInto(out *SecurityGroupObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.Egress != nil {
 		in, out := &in.Egress, &out.Egress
 		*out = make([]SecurityGroupEgressObservation, len(*in))
@@ -18791,11 +22807,36 @@ func (in *SecurityGroupObservation_2) DeepCopyInto(out *SecurityGroupObservation
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RevokeRulesOnDelete != nil {
+		in, out := &in.RevokeRulesOnDelete, &out.RevokeRulesOnDelete
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -18811,6 +22852,11 @@ func (in *SecurityGroupObservation_2) DeepCopyInto(out *SecurityGroupObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityGroupObservation_2.
@@ -19012,16 +23058,89 @@ func (in *SecurityGroupRuleObservation) DeepCopy() *SecurityGroupRuleObservation
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecurityGroupRuleObservation_2) DeepCopyInto(out *SecurityGroupRuleObservation_2) {
 	*out = *in
+	if in.CidrBlocks != nil {
+		in, out := &in.CidrBlocks, &out.CidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6CidrBlocks != nil {
+		in, out := &in.IPv6CidrBlocks, &out.IPv6CidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PrefixListIds != nil {
+		in, out := &in.PrefixListIds, &out.PrefixListIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupID != nil {
+		in, out := &in.SecurityGroupID, &out.SecurityGroupID
+		*out = new(string)
+		**out = **in
+	}
 	if in.SecurityGroupRuleID != nil {
 		in, out := &in.SecurityGroupRuleID, &out.SecurityGroupRuleID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Self != nil {
+		in, out := &in.Self, &out.Self
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SourceSecurityGroupID != nil {
+		in, out := &in.SourceSecurityGroupID, &out.SourceSecurityGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityGroupRuleObservation_2.
@@ -19389,6 +23508,11 @@ func (in *SerialConsoleAccessList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SerialConsoleAccessObservation) DeepCopyInto(out *SerialConsoleAccessObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -19527,11 +23651,21 @@ func (in *SnapshotCreateVolumePermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapshotCreateVolumePermissionObservation) DeepCopyInto(out *SnapshotCreateVolumePermissionObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotCreateVolumePermissionObservation.
@@ -19621,6 +23755,16 @@ func (in *SnapshotCreateVolumePermissionStatus) DeepCopy() *SnapshotCreateVolume
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourcePortRangeObservation) DeepCopyInto(out *SourcePortRangeObservation) {
 	*out = *in
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcePortRangeObservation.
@@ -19805,11 +23949,21 @@ func (in *SpotDatafeedSubscriptionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotDatafeedSubscriptionObservation) DeepCopyInto(out *SpotDatafeedSubscriptionObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotDatafeedSubscriptionObservation.
@@ -19948,21 +24102,123 @@ func (in *SpotFleetRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotFleetRequestObservation) DeepCopyInto(out *SpotFleetRequestObservation) {
 	*out = *in
+	if in.AllocationStrategy != nil {
+		in, out := &in.AllocationStrategy, &out.AllocationStrategy
+		*out = new(string)
+		**out = **in
+	}
 	if in.ClientToken != nil {
 		in, out := &in.ClientToken, &out.ClientToken
 		*out = new(string)
 		**out = **in
 	}
+	if in.ExcessCapacityTerminationPolicy != nil {
+		in, out := &in.ExcessCapacityTerminationPolicy, &out.ExcessCapacityTerminationPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.FleetType != nil {
+		in, out := &in.FleetType, &out.FleetType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMFleetRole != nil {
+		in, out := &in.IAMFleetRole, &out.IAMFleetRole
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceInterruptionBehaviour != nil {
+		in, out := &in.InstanceInterruptionBehaviour, &out.InstanceInterruptionBehaviour
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstancePoolsToUseCount != nil {
+		in, out := &in.InstancePoolsToUseCount, &out.InstancePoolsToUseCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LaunchSpecification != nil {
+		in, out := &in.LaunchSpecification, &out.LaunchSpecification
+		*out = make([]LaunchSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LaunchTemplateConfig != nil {
+		in, out := &in.LaunchTemplateConfig, &out.LaunchTemplateConfig
+		*out = make([]LaunchTemplateConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LoadBalancers != nil {
+		in, out := &in.LoadBalancers, &out.LoadBalancers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OnDemandAllocationStrategy != nil {
+		in, out := &in.OnDemandAllocationStrategy, &out.OnDemandAllocationStrategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.OnDemandMaxTotalPrice != nil {
+		in, out := &in.OnDemandMaxTotalPrice, &out.OnDemandMaxTotalPrice
+		*out = new(string)
+		**out = **in
+	}
+	if in.OnDemandTargetCapacity != nil {
+		in, out := &in.OnDemandTargetCapacity, &out.OnDemandTargetCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ReplaceUnhealthyInstances != nil {
+		in, out := &in.ReplaceUnhealthyInstances, &out.ReplaceUnhealthyInstances
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SpotMaintenanceStrategies != nil {
+		in, out := &in.SpotMaintenanceStrategies, &out.SpotMaintenanceStrategies
+		*out = make([]SpotMaintenanceStrategiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SpotPrice != nil {
+		in, out := &in.SpotPrice, &out.SpotPrice
+		*out = new(string)
+		**out = **in
+	}
 	if in.SpotRequestState != nil {
 		in, out := &in.SpotRequestState, &out.SpotRequestState
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -19978,6 +24234,52 @@ func (in *SpotFleetRequestObservation) DeepCopyInto(out *SpotFleetRequestObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetCapacity != nil {
+		in, out := &in.TargetCapacity, &out.TargetCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TargetCapacityUnitType != nil {
+		in, out := &in.TargetCapacityUnitType, &out.TargetCapacityUnitType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetGroupArns != nil {
+		in, out := &in.TargetGroupArns, &out.TargetGroupArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TerminateInstancesOnDelete != nil {
+		in, out := &in.TerminateInstancesOnDelete, &out.TerminateInstancesOnDelete
+		*out = new(string)
+		**out = **in
+	}
+	if in.TerminateInstancesWithExpiration != nil {
+		in, out := &in.TerminateInstancesWithExpiration, &out.TerminateInstancesWithExpiration
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ValidFrom != nil {
+		in, out := &in.ValidFrom, &out.ValidFrom
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValidUntil != nil {
+		in, out := &in.ValidUntil, &out.ValidUntil
+		*out = new(string)
+		**out = **in
+	}
+	if in.WaitForFulfillment != nil {
+		in, out := &in.WaitForFulfillment, &out.WaitForFulfillment
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotFleetRequestObservation.
@@ -20222,6 +24524,16 @@ func (in *SpotInstanceRequest) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTargetObservation) DeepCopyInto(out *SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTargetObservation) {
 	*out = *in
+	if in.CapacityReservationID != nil {
+		in, out := &in.CapacityReservationID, &out.CapacityReservationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CapacityReservationResourceGroupArn != nil {
+		in, out := &in.CapacityReservationResourceGroupArn, &out.CapacityReservationResourceGroupArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTargetObservation.
@@ -20262,6 +24574,18 @@ func (in *SpotInstanceRequestCapacityReservationSpecificationCapacityReservation
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestCapacityReservationSpecificationObservation) DeepCopyInto(out *SpotInstanceRequestCapacityReservationSpecificationObservation) {
 	*out = *in
+	if in.CapacityReservationPreference != nil {
+		in, out := &in.CapacityReservationPreference, &out.CapacityReservationPreference
+		*out = new(string)
+		**out = **in
+	}
+	if in.CapacityReservationTarget != nil {
+		in, out := &in.CapacityReservationTarget, &out.CapacityReservationTarget
+		*out = make([]SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestCapacityReservationSpecificationObservation.
@@ -20304,6 +24628,11 @@ func (in *SpotInstanceRequestCapacityReservationSpecificationParameters) DeepCop
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestCreditSpecificationObservation) DeepCopyInto(out *SpotInstanceRequestCreditSpecificationObservation) {
 	*out = *in
+	if in.CPUCredits != nil {
+		in, out := &in.CPUCredits, &out.CPUCredits
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestCreditSpecificationObservation.
@@ -20339,11 +24668,71 @@ func (in *SpotInstanceRequestCreditSpecificationParameters) DeepCopy() *SpotInst
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestEBSBlockDeviceObservation) DeepCopyInto(out *SpotInstanceRequestEBSBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VolumeID != nil {
 		in, out := &in.VolumeID, &out.VolumeID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestEBSBlockDeviceObservation.
@@ -20434,6 +24823,11 @@ func (in *SpotInstanceRequestEBSBlockDeviceParameters) DeepCopy() *SpotInstanceR
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestEnclaveOptionsObservation) DeepCopyInto(out *SpotInstanceRequestEnclaveOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestEnclaveOptionsObservation.
@@ -20469,6 +24863,21 @@ func (in *SpotInstanceRequestEnclaveOptionsParameters) DeepCopy() *SpotInstanceR
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestEphemeralBlockDeviceObservation) DeepCopyInto(out *SpotInstanceRequestEphemeralBlockDeviceObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NoDevice != nil {
+		in, out := &in.NoDevice, &out.NoDevice
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestEphemeralBlockDeviceObservation.
@@ -20514,6 +24923,21 @@ func (in *SpotInstanceRequestEphemeralBlockDeviceParameters) DeepCopy() *SpotIns
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestLaunchTemplateObservation) DeepCopyInto(out *SpotInstanceRequestLaunchTemplateObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestLaunchTemplateObservation.
@@ -20591,6 +25015,11 @@ func (in *SpotInstanceRequestList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestMaintenanceOptionsObservation) DeepCopyInto(out *SpotInstanceRequestMaintenanceOptionsObservation) {
 	*out = *in
+	if in.AutoRecovery != nil {
+		in, out := &in.AutoRecovery, &out.AutoRecovery
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestMaintenanceOptionsObservation.
@@ -20626,6 +25055,26 @@ func (in *SpotInstanceRequestMaintenanceOptionsParameters) DeepCopy() *SpotInsta
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestMetadataOptionsObservation) DeepCopyInto(out *SpotInstanceRequestMetadataOptionsObservation) {
 	*out = *in
+	if in.HTTPEndpoint != nil {
+		in, out := &in.HTTPEndpoint, &out.HTTPEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPPutResponseHopLimit != nil {
+		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPTokens != nil {
+		in, out := &in.HTTPTokens, &out.HTTPTokens
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceMetadataTags != nil {
+		in, out := &in.InstanceMetadataTags, &out.InstanceMetadataTags
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestMetadataOptionsObservation.
@@ -20633,121 +25082,313 @@ func (in *SpotInstanceRequestMetadataOptionsObservation) DeepCopy() *SpotInstanc
 	if in == nil {
 		return nil
 	}
-	out := new(SpotInstanceRequestMetadataOptionsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SpotInstanceRequestMetadataOptionsParameters) DeepCopyInto(out *SpotInstanceRequestMetadataOptionsParameters) {
-	*out = *in
-	if in.HTTPEndpoint != nil {
-		in, out := &in.HTTPEndpoint, &out.HTTPEndpoint
+	out := new(SpotInstanceRequestMetadataOptionsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SpotInstanceRequestMetadataOptionsParameters) DeepCopyInto(out *SpotInstanceRequestMetadataOptionsParameters) {
+	*out = *in
+	if in.HTTPEndpoint != nil {
+		in, out := &in.HTTPEndpoint, &out.HTTPEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPPutResponseHopLimit != nil {
+		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPTokens != nil {
+		in, out := &in.HTTPTokens, &out.HTTPTokens
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceMetadataTags != nil {
+		in, out := &in.InstanceMetadataTags, &out.InstanceMetadataTags
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestMetadataOptionsParameters.
+func (in *SpotInstanceRequestMetadataOptionsParameters) DeepCopy() *SpotInstanceRequestMetadataOptionsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(SpotInstanceRequestMetadataOptionsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SpotInstanceRequestNetworkInterfaceObservation) DeepCopyInto(out *SpotInstanceRequestNetworkInterfaceObservation) {
+	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceIndex != nil {
+		in, out := &in.DeviceIndex, &out.DeviceIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkCardIndex != nil {
+		in, out := &in.NetworkCardIndex, &out.NetworkCardIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestNetworkInterfaceObservation.
+func (in *SpotInstanceRequestNetworkInterfaceObservation) DeepCopy() *SpotInstanceRequestNetworkInterfaceObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(SpotInstanceRequestNetworkInterfaceObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SpotInstanceRequestNetworkInterfaceParameters) DeepCopyInto(out *SpotInstanceRequestNetworkInterfaceParameters) {
+	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceIndex != nil {
+		in, out := &in.DeviceIndex, &out.DeviceIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkCardIndex != nil {
+		in, out := &in.NetworkCardIndex, &out.NetworkCardIndex
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestNetworkInterfaceParameters.
+func (in *SpotInstanceRequestNetworkInterfaceParameters) DeepCopy() *SpotInstanceRequestNetworkInterfaceParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(SpotInstanceRequestNetworkInterfaceParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SpotInstanceRequestObservation) DeepCopyInto(out *SpotInstanceRequestObservation) {
+	*out = *in
+	if in.AMI != nil {
+		in, out := &in.AMI, &out.AMI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AssociatePublicIPAddress != nil {
+		in, out := &in.AssociatePublicIPAddress, &out.AssociatePublicIPAddress
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.BlockDurationMinutes != nil {
+		in, out := &in.BlockDurationMinutes, &out.BlockDurationMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CPUCoreCount != nil {
+		in, out := &in.CPUCoreCount, &out.CPUCoreCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CPUThreadsPerCore != nil {
+		in, out := &in.CPUThreadsPerCore, &out.CPUThreadsPerCore
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CapacityReservationSpecification != nil {
+		in, out := &in.CapacityReservationSpecification, &out.CapacityReservationSpecification
+		*out = make([]SpotInstanceRequestCapacityReservationSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CreditSpecification != nil {
+		in, out := &in.CreditSpecification, &out.CreditSpecification
+		*out = make([]SpotInstanceRequestCreditSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DisableAPIStop != nil {
+		in, out := &in.DisableAPIStop, &out.DisableAPIStop
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DisableAPITermination != nil {
+		in, out := &in.DisableAPITermination, &out.DisableAPITermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSBlockDevice != nil {
+		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
+		*out = make([]SpotInstanceRequestEBSBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EBSOptimized != nil {
+		in, out := &in.EBSOptimized, &out.EBSOptimized
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnclaveOptions != nil {
+		in, out := &in.EnclaveOptions, &out.EnclaveOptions
+		*out = make([]SpotInstanceRequestEnclaveOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EphemeralBlockDevice != nil {
+		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
+		*out = make([]SpotInstanceRequestEphemeralBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GetPasswordData != nil {
+		in, out := &in.GetPasswordData, &out.GetPasswordData
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Hibernation != nil {
+		in, out := &in.Hibernation, &out.Hibernation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HostID != nil {
+		in, out := &in.HostID, &out.HostID
 		*out = new(string)
 		**out = **in
 	}
-	if in.HTTPPutResponseHopLimit != nil {
-		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
-		*out = new(float64)
+	if in.HostResourceGroupArn != nil {
+		in, out := &in.HostResourceGroupArn, &out.HostResourceGroupArn
+		*out = new(string)
 		**out = **in
 	}
-	if in.HTTPTokens != nil {
-		in, out := &in.HTTPTokens, &out.HTTPTokens
+	if in.IAMInstanceProfile != nil {
+		in, out := &in.IAMInstanceProfile, &out.IAMInstanceProfile
 		*out = new(string)
 		**out = **in
 	}
-	if in.InstanceMetadataTags != nil {
-		in, out := &in.InstanceMetadataTags, &out.InstanceMetadataTags
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestMetadataOptionsParameters.
-func (in *SpotInstanceRequestMetadataOptionsParameters) DeepCopy() *SpotInstanceRequestMetadataOptionsParameters {
-	if in == nil {
-		return nil
+	if in.IPv6AddressCount != nil {
+		in, out := &in.IPv6AddressCount, &out.IPv6AddressCount
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(SpotInstanceRequestMetadataOptionsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SpotInstanceRequestNetworkInterfaceObservation) DeepCopyInto(out *SpotInstanceRequestNetworkInterfaceObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestNetworkInterfaceObservation.
-func (in *SpotInstanceRequestNetworkInterfaceObservation) DeepCopy() *SpotInstanceRequestNetworkInterfaceObservation {
-	if in == nil {
-		return nil
+	if in.IPv6Addresses != nil {
+		in, out := &in.IPv6Addresses, &out.IPv6Addresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
 	}
-	out := new(SpotInstanceRequestNetworkInterfaceObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SpotInstanceRequestNetworkInterfaceParameters) DeepCopyInto(out *SpotInstanceRequestNetworkInterfaceParameters) {
-	*out = *in
-	if in.DeleteOnTermination != nil {
-		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
-		*out = new(bool)
+	if in.InstanceInitiatedShutdownBehavior != nil {
+		in, out := &in.InstanceInitiatedShutdownBehavior, &out.InstanceInitiatedShutdownBehavior
+		*out = new(string)
 		**out = **in
 	}
-	if in.DeviceIndex != nil {
-		in, out := &in.DeviceIndex, &out.DeviceIndex
-		*out = new(float64)
+	if in.InstanceInterruptionBehavior != nil {
+		in, out := &in.InstanceInterruptionBehavior, &out.InstanceInterruptionBehavior
+		*out = new(string)
 		**out = **in
 	}
-	if in.NetworkCardIndex != nil {
-		in, out := &in.NetworkCardIndex, &out.NetworkCardIndex
-		*out = new(float64)
+	if in.InstanceState != nil {
+		in, out := &in.InstanceState, &out.InstanceState
+		*out = new(string)
 		**out = **in
 	}
-	if in.NetworkInterfaceID != nil {
-		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestNetworkInterfaceParameters.
-func (in *SpotInstanceRequestNetworkInterfaceParameters) DeepCopy() *SpotInstanceRequestNetworkInterfaceParameters {
-	if in == nil {
-		return nil
+	if in.KeyName != nil {
+		in, out := &in.KeyName, &out.KeyName
+		*out = new(string)
+		**out = **in
 	}
-	out := new(SpotInstanceRequestNetworkInterfaceParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SpotInstanceRequestObservation) DeepCopyInto(out *SpotInstanceRequestObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.LaunchGroup != nil {
+		in, out := &in.LaunchGroup, &out.LaunchGroup
 		*out = new(string)
 		**out = **in
 	}
-	if in.EBSBlockDevice != nil {
-		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
-		*out = make([]SpotInstanceRequestEBSBlockDeviceObservation, len(*in))
+	if in.LaunchTemplate != nil {
+		in, out := &in.LaunchTemplate, &out.LaunchTemplate
+		*out = make([]SpotInstanceRequestLaunchTemplateObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
+	if in.MaintenanceOptions != nil {
+		in, out := &in.MaintenanceOptions, &out.MaintenanceOptions
+		*out = make([]SpotInstanceRequestMaintenanceOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.InstanceState != nil {
-		in, out := &in.InstanceState, &out.InstanceState
-		*out = new(string)
+	if in.MetadataOptions != nil {
+		in, out := &in.MetadataOptions, &out.MetadataOptions
+		*out = make([]SpotInstanceRequestMetadataOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Monitoring != nil {
+		in, out := &in.Monitoring, &out.Monitoring
+		*out = new(bool)
 		**out = **in
 	}
+	if in.NetworkInterface != nil {
+		in, out := &in.NetworkInterface, &out.NetworkInterface
+		*out = make([]SpotInstanceRequestNetworkInterfaceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.OutpostArn != nil {
 		in, out := &in.OutpostArn, &out.OutpostArn
 		*out = new(string)
@@ -20758,6 +25399,16 @@ func (in *SpotInstanceRequestObservation) DeepCopyInto(out *SpotInstanceRequestO
 		*out = new(string)
 		**out = **in
 	}
+	if in.PlacementGroup != nil {
+		in, out := &in.PlacementGroup, &out.PlacementGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlacementPartitionNumber != nil {
+		in, out := &in.PlacementPartitionNumber, &out.PlacementPartitionNumber
+		*out = new(float64)
+		**out = **in
+	}
 	if in.PrimaryNetworkInterfaceID != nil {
 		in, out := &in.PrimaryNetworkInterfaceID, &out.PrimaryNetworkInterfaceID
 		*out = new(string)
@@ -20768,6 +25419,18 @@ func (in *SpotInstanceRequestObservation) DeepCopyInto(out *SpotInstanceRequestO
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrivateDNSNameOptions != nil {
+		in, out := &in.PrivateDNSNameOptions, &out.PrivateDNSNameOptions
+		*out = make([]SpotInstanceRequestPrivateDNSNameOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PrivateIP != nil {
+		in, out := &in.PrivateIP, &out.PrivateIP
+		*out = new(string)
+		**out = **in
+	}
 	if in.PublicDNS != nil {
 		in, out := &in.PublicDNS, &out.PublicDNS
 		*out = new(string)
@@ -20785,6 +25448,33 @@ func (in *SpotInstanceRequestObservation) DeepCopyInto(out *SpotInstanceRequestO
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.SecondaryPrivateIps != nil {
+		in, out := &in.SecondaryPrivateIps, &out.SecondaryPrivateIps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceDestCheck != nil {
+		in, out := &in.SourceDestCheck, &out.SourceDestCheck
+		*out = new(bool)
+		**out = **in
+	}
 	if in.SpotBidStatus != nil {
 		in, out := &in.SpotBidStatus, &out.SpotBidStatus
 		*out = new(string)
@@ -20795,11 +25485,41 @@ func (in *SpotInstanceRequestObservation) DeepCopyInto(out *SpotInstanceRequestO
 		*out = new(string)
 		**out = **in
 	}
+	if in.SpotPrice != nil {
+		in, out := &in.SpotPrice, &out.SpotPrice
+		*out = new(string)
+		**out = **in
+	}
 	if in.SpotRequestState != nil {
 		in, out := &in.SpotRequestState, &out.SpotRequestState
 		*out = new(string)
 		**out = **in
 	}
+	if in.SpotType != nil {
+		in, out := &in.SpotType, &out.SpotType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -20815,6 +25535,67 @@ func (in *SpotInstanceRequestObservation) DeepCopyInto(out *SpotInstanceRequestO
 			(*out)[key] = outVal
 		}
 	}
+	if in.Tenancy != nil {
+		in, out := &in.Tenancy, &out.Tenancy
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserData != nil {
+		in, out := &in.UserData, &out.UserData
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserDataBase64 != nil {
+		in, out := &in.UserDataBase64, &out.UserDataBase64
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserDataReplaceOnChange != nil {
+		in, out := &in.UserDataReplaceOnChange, &out.UserDataReplaceOnChange
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ValidFrom != nil {
+		in, out := &in.ValidFrom, &out.ValidFrom
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValidUntil != nil {
+		in, out := &in.ValidUntil, &out.ValidUntil
+		*out = new(string)
+		**out = **in
+	}
+	if in.VolumeTags != nil {
+		in, out := &in.VolumeTags, &out.VolumeTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.WaitForFulfillment != nil {
+		in, out := &in.WaitForFulfillment, &out.WaitForFulfillment
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestObservation.
@@ -21198,6 +25979,21 @@ func (in *SpotInstanceRequestParameters) DeepCopy() *SpotInstanceRequestParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestPrivateDNSNameOptionsObservation) DeepCopyInto(out *SpotInstanceRequestPrivateDNSNameOptionsObservation) {
 	*out = *in
+	if in.EnableResourceNameDNSARecord != nil {
+		in, out := &in.EnableResourceNameDNSARecord, &out.EnableResourceNameDNSARecord
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableResourceNameDNSAaaaRecord != nil {
+		in, out := &in.EnableResourceNameDNSAaaaRecord, &out.EnableResourceNameDNSAaaaRecord
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HostnameType != nil {
+		in, out := &in.HostnameType, &out.HostnameType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestPrivateDNSNameOptionsObservation.
@@ -21243,16 +26039,66 @@ func (in *SpotInstanceRequestPrivateDNSNameOptionsParameters) DeepCopy() *SpotIn
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotInstanceRequestRootBlockDeviceObservation) DeepCopyInto(out *SpotInstanceRequestRootBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
 	if in.DeviceName != nil {
 		in, out := &in.DeviceName, &out.DeviceName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VolumeID != nil {
 		in, out := &in.VolumeID, &out.VolumeID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotInstanceRequestRootBlockDeviceObservation.
@@ -21367,6 +26213,13 @@ func (in *SpotInstanceRequestStatus) DeepCopy() *SpotInstanceRequestStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotMaintenanceStrategiesObservation) DeepCopyInto(out *SpotMaintenanceStrategiesObservation) {
 	*out = *in
+	if in.CapacityRebalance != nil {
+		in, out := &in.CapacityRebalance, &out.CapacityRebalance
+		*out = make([]CapacityRebalanceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotMaintenanceStrategiesObservation.
@@ -21404,6 +26257,31 @@ func (in *SpotMaintenanceStrategiesParameters) DeepCopy() *SpotMaintenanceStrate
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpotOptionsObservation) DeepCopyInto(out *SpotOptionsObservation) {
 	*out = *in
+	if in.BlockDurationMinutes != nil {
+		in, out := &in.BlockDurationMinutes, &out.BlockDurationMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceInterruptionBehavior != nil {
+		in, out := &in.InstanceInterruptionBehavior, &out.InstanceInterruptionBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxPrice != nil {
+		in, out := &in.MaxPrice, &out.MaxPrice
+		*out = new(string)
+		**out = **in
+	}
+	if in.SpotInstanceType != nil {
+		in, out := &in.SpotInstanceType, &out.SpotInstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValidUntil != nil {
+		in, out := &in.ValidUntil, &out.ValidUntil
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpotOptionsObservation.
@@ -21545,6 +26423,16 @@ func (in *SubnetCidrReservationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubnetCidrReservationObservation) DeepCopyInto(out *SubnetCidrReservationObservation) {
 	*out = *in
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -21555,6 +26443,16 @@ func (in *SubnetCidrReservationObservation) DeepCopyInto(out *SubnetCidrReservat
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReservationType != nil {
+		in, out := &in.ReservationType, &out.ReservationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubnetCidrReservationObservation.
@@ -21721,21 +26619,106 @@ func (in *SubnetObservation_2) DeepCopyInto(out *SubnetObservation_2) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssignIPv6AddressOnCreation != nil {
+		in, out := &in.AssignIPv6AddressOnCreation, &out.AssignIPv6AddressOnCreation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.AvailabilityZoneID != nil {
+		in, out := &in.AvailabilityZoneID, &out.AvailabilityZoneID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerOwnedIPv4Pool != nil {
+		in, out := &in.CustomerOwnedIPv4Pool, &out.CustomerOwnedIPv4Pool
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableDns64 != nil {
+		in, out := &in.EnableDns64, &out.EnableDns64
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableResourceNameDNSARecordOnLaunch != nil {
+		in, out := &in.EnableResourceNameDNSARecordOnLaunch, &out.EnableResourceNameDNSARecordOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableResourceNameDNSAaaaRecordOnLaunch != nil {
+		in, out := &in.EnableResourceNameDNSAaaaRecordOnLaunch, &out.EnableResourceNameDNSAaaaRecordOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
 	if in.IPv6CidrBlockAssociationID != nil {
 		in, out := &in.IPv6CidrBlockAssociationID, &out.IPv6CidrBlockAssociationID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6Native != nil {
+		in, out := &in.IPv6Native, &out.IPv6Native
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MapCustomerOwnedIPOnLaunch != nil {
+		in, out := &in.MapCustomerOwnedIPOnLaunch, &out.MapCustomerOwnedIPOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MapPublicIPOnLaunch != nil {
+		in, out := &in.MapPublicIPOnLaunch, &out.MapPublicIPOnLaunch
+		*out = new(bool)
+		**out = **in
+	}
+	if in.OutpostArn != nil {
+		in, out := &in.OutpostArn, &out.OutpostArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrivateDNSHostnameTypeOnLaunch != nil {
+		in, out := &in.PrivateDNSHostnameTypeOnLaunch, &out.PrivateDNSHostnameTypeOnLaunch
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -21751,6 +26734,11 @@ func (in *SubnetObservation_2) DeepCopyInto(out *SubnetObservation_2) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubnetObservation_2.
@@ -22044,6 +27032,21 @@ func (in *TagObservation) DeepCopyInto(out *TagObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagObservation.
@@ -22111,6 +27114,26 @@ func (in *TagSpec) DeepCopy() *TagSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagSpecificationsObservation) DeepCopyInto(out *TagSpecificationsObservation) {
 	*out = *in
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagSpecificationsObservation.
@@ -22178,6 +27201,16 @@ func (in *TagStatus) DeepCopy() *TagStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TotalLocalStorageGbObservation) DeepCopyInto(out *TotalLocalStorageGbObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TotalLocalStorageGbObservation.
@@ -22282,11 +27315,42 @@ func (in *TrafficMirrorFilterObservation) DeepCopyInto(out *TrafficMirrorFilterO
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.NetworkServices != nil {
+		in, out := &in.NetworkServices, &out.NetworkServices
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -22432,11 +27496,65 @@ func (in *TrafficMirrorFilterRuleObservation) DeepCopyInto(out *TrafficMirrorFil
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationCidrBlock != nil {
+		in, out := &in.DestinationCidrBlock, &out.DestinationCidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationPortRange != nil {
+		in, out := &in.DestinationPortRange, &out.DestinationPortRange
+		*out = make([]DestinationPortRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RuleAction != nil {
+		in, out := &in.RuleAction, &out.RuleAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleNumber != nil {
+		in, out := &in.RuleNumber, &out.RuleNumber
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SourceCidrBlock != nil {
+		in, out := &in.SourceCidrBlock, &out.SourceCidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourcePortRange != nil {
+		in, out := &in.SourcePortRange, &out.SourcePortRange
+		*out = make([]SourcePortRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TrafficDirection != nil {
+		in, out := &in.TrafficDirection, &out.TrafficDirection
+		*out = new(string)
+		**out = **in
+	}
+	if in.TrafficMirrorFilterID != nil {
+		in, out := &in.TrafficMirrorFilterID, &out.TrafficMirrorFilterID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficMirrorFilterRuleObservation.
@@ -22740,6 +27858,26 @@ func (in *TransitGatewayConnectObservation) DeepCopyInto(out *TransitGatewayConn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -22755,6 +27893,26 @@ func (in *TransitGatewayConnectObservation) DeepCopyInto(out *TransitGatewayConn
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayDefaultRouteTableAssociation != nil {
+		in, out := &in.TransitGatewayDefaultRouteTableAssociation, &out.TransitGatewayDefaultRouteTableAssociation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TransitGatewayDefaultRouteTablePropagation != nil {
+		in, out := &in.TransitGatewayDefaultRouteTablePropagation, &out.TransitGatewayDefaultRouteTablePropagation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransportAttachmentID != nil {
+		in, out := &in.TransportAttachmentID, &out.TransportAttachmentID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayConnectObservation.
@@ -22914,11 +28072,47 @@ func (in *TransitGatewayConnectPeerObservation) DeepCopyInto(out *TransitGateway
 		*out = new(string)
 		**out = **in
 	}
+	if in.BGPAsn != nil {
+		in, out := &in.BGPAsn, &out.BGPAsn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InsideCidrBlocks != nil {
+		in, out := &in.InsideCidrBlocks, &out.InsideCidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PeerAddress != nil {
+		in, out := &in.PeerAddress, &out.PeerAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -22934,6 +28128,16 @@ func (in *TransitGatewayConnectPeerObservation) DeepCopyInto(out *TransitGateway
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayAddress != nil {
+		in, out := &in.TransitGatewayAddress, &out.TransitGatewayAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayConnectPeerObservation.
@@ -23216,6 +28420,21 @@ func (in *TransitGatewayMulticastDomainAssociationObservation) DeepCopyInto(out
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayMulticastDomainID != nil {
+		in, out := &in.TransitGatewayMulticastDomainID, &out.TransitGatewayMulticastDomainID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayMulticastDomainAssociationObservation.
@@ -23367,16 +28586,46 @@ func (in *TransitGatewayMulticastDomainObservation) DeepCopyInto(out *TransitGat
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoAcceptSharedAssociations != nil {
+		in, out := &in.AutoAcceptSharedAssociations, &out.AutoAcceptSharedAssociations
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Igmpv2Support != nil {
+		in, out := &in.Igmpv2Support, &out.Igmpv2Support
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StaticSourcesSupport != nil {
+		in, out := &in.StaticSourcesSupport, &out.StaticSourcesSupport
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -23392,6 +28641,11 @@ func (in *TransitGatewayMulticastDomainObservation) DeepCopyInto(out *TransitGat
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayMulticastDomainObservation.
@@ -23565,11 +28819,26 @@ func (in *TransitGatewayMulticastGroupMemberList) DeepCopyObject() runtime.Objec
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayMulticastGroupMemberObservation) DeepCopyInto(out *TransitGatewayMulticastGroupMemberObservation) {
 	*out = *in
+	if in.GroupIPAddress != nil {
+		in, out := &in.GroupIPAddress, &out.GroupIPAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayMulticastDomainID != nil {
+		in, out := &in.TransitGatewayMulticastDomainID, &out.TransitGatewayMulticastDomainID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayMulticastGroupMemberObservation.
@@ -23733,11 +29002,26 @@ func (in *TransitGatewayMulticastGroupSourceList) DeepCopyObject() runtime.Objec
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayMulticastGroupSourceObservation) DeepCopyInto(out *TransitGatewayMulticastGroupSourceObservation) {
 	*out = *in
+	if in.GroupIPAddress != nil {
+		in, out := &in.GroupIPAddress, &out.GroupIPAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.NetworkInterfaceID != nil {
+		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayMulticastDomainID != nil {
+		in, out := &in.TransitGatewayMulticastDomainID, &out.TransitGatewayMulticastDomainID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayMulticastGroupSourceObservation.
@@ -23872,6 +29156,11 @@ func (in *TransitGatewayObservation) DeepCopy() *TransitGatewayObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayObservation_2) DeepCopyInto(out *TransitGatewayObservation_2) {
 	*out = *in
+	if in.AmazonSideAsn != nil {
+		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -23882,11 +29171,41 @@ func (in *TransitGatewayObservation_2) DeepCopyInto(out *TransitGatewayObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoAcceptSharedAttachments != nil {
+		in, out := &in.AutoAcceptSharedAttachments, &out.AutoAcceptSharedAttachments
+		*out = new(string)
+		**out = **in
+	}
+	if in.DNSSupport != nil {
+		in, out := &in.DNSSupport, &out.DNSSupport
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultRouteTableAssociation != nil {
+		in, out := &in.DefaultRouteTableAssociation, &out.DefaultRouteTableAssociation
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultRouteTablePropagation != nil {
+		in, out := &in.DefaultRouteTablePropagation, &out.DefaultRouteTablePropagation
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MulticastSupport != nil {
+		in, out := &in.MulticastSupport, &out.MulticastSupport
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
@@ -23897,6 +29216,21 @@ func (in *TransitGatewayObservation_2) DeepCopyInto(out *TransitGatewayObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -23912,6 +29246,22 @@ func (in *TransitGatewayObservation_2) DeepCopyInto(out *TransitGatewayObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayCidrBlocks != nil {
+		in, out := &in.TransitGatewayCidrBlocks, &out.TransitGatewayCidrBlocks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPNEcmpSupport != nil {
+		in, out := &in.VPNEcmpSupport, &out.VPNEcmpSupport
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayObservation_2.
@@ -24134,6 +29484,21 @@ func (in *TransitGatewayPeeringAttachmentAccepterObservation) DeepCopyInto(out *
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -24149,6 +29514,11 @@ func (in *TransitGatewayPeeringAttachmentAccepterObservation) DeepCopyInto(out *
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.TransitGatewayID != nil {
 		in, out := &in.TransitGatewayID, &out.TransitGatewayID
 		*out = new(string)
@@ -24290,6 +29660,36 @@ func (in *TransitGatewayPeeringAttachmentObservation) DeepCopyInto(out *TransitG
 		*out = new(string)
 		**out = **in
 	}
+	if in.PeerAccountID != nil {
+		in, out := &in.PeerAccountID, &out.PeerAccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PeerRegion != nil {
+		in, out := &in.PeerRegion, &out.PeerRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PeerTransitGatewayID != nil {
+		in, out := &in.PeerTransitGatewayID, &out.PeerTransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -24305,6 +29705,11 @@ func (in *TransitGatewayPeeringAttachmentObservation) DeepCopyInto(out *TransitG
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayPeeringAttachmentObservation.
@@ -24503,6 +29908,21 @@ func (in *TransitGatewayPolicyTableObservation) DeepCopyInto(out *TransitGateway
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -24518,6 +29938,11 @@ func (in *TransitGatewayPolicyTableObservation) DeepCopyInto(out *TransitGateway
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayPolicyTableObservation.
@@ -24676,16 +30101,36 @@ func (in *TransitGatewayPrefixListReferenceList) DeepCopyObject() runtime.Object
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayPrefixListReferenceObservation) DeepCopyInto(out *TransitGatewayPrefixListReferenceObservation) {
 	*out = *in
+	if in.Blackhole != nil {
+		in, out := &in.Blackhole, &out.Blackhole
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrefixListID != nil {
+		in, out := &in.PrefixListID, &out.PrefixListID
+		*out = new(string)
+		**out = **in
+	}
 	if in.PrefixListOwnerID != nil {
 		in, out := &in.PrefixListOwnerID, &out.PrefixListOwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayRouteTableID != nil {
+		in, out := &in.TransitGatewayRouteTableID, &out.TransitGatewayRouteTableID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayPrefixListReferenceObservation.
@@ -24864,11 +30309,31 @@ func (in *TransitGatewayRouteList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayRouteObservation) DeepCopyInto(out *TransitGatewayRouteObservation) {
 	*out = *in
+	if in.Blackhole != nil {
+		in, out := &in.Blackhole, &out.Blackhole
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DestinationCidrBlock != nil {
+		in, out := &in.DestinationCidrBlock, &out.DestinationCidrBlock
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayRouteTableID != nil {
+		in, out := &in.TransitGatewayRouteTableID, &out.TransitGatewayRouteTableID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayRouteObservation.
@@ -25079,6 +30544,16 @@ func (in *TransitGatewayRouteTableAssociationObservation) DeepCopyInto(out *Tran
 		*out = new(string)
 		**out = **in
 	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayRouteTableID != nil {
+		in, out := &in.TransitGatewayRouteTableID, &out.TransitGatewayRouteTableID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayRouteTableAssociationObservation.
@@ -25260,6 +30735,21 @@ func (in *TransitGatewayRouteTableObservation_2) DeepCopyInto(out *TransitGatewa
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -25275,6 +30765,11 @@ func (in *TransitGatewayRouteTableObservation_2) DeepCopyInto(out *TransitGatewa
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayRouteTableObservation_2.
@@ -25429,6 +30924,16 @@ func (in *TransitGatewayRouteTablePropagationObservation) DeepCopyInto(out *Tran
 		*out = new(string)
 		**out = **in
 	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayRouteTableID != nil {
+		in, out := &in.TransitGatewayRouteTableID, &out.TransitGatewayRouteTableID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayRouteTablePropagationObservation.
@@ -25778,6 +31283,21 @@ func (in *TransitGatewayVPCAttachmentAccepterObservation) DeepCopyInto(out *Tran
 			}
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -25793,6 +31313,21 @@ func (in *TransitGatewayVPCAttachmentAccepterObservation) DeepCopyInto(out *Tran
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayAttachmentID != nil {
+		in, out := &in.TransitGatewayAttachmentID, &out.TransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayDefaultRouteTableAssociation != nil {
+		in, out := &in.TransitGatewayDefaultRouteTableAssociation, &out.TransitGatewayDefaultRouteTableAssociation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TransitGatewayDefaultRouteTablePropagation != nil {
+		in, out := &in.TransitGatewayDefaultRouteTablePropagation, &out.TransitGatewayDefaultRouteTablePropagation
+		*out = new(bool)
+		**out = **in
+	}
 	if in.TransitGatewayID != nil {
 		in, out := &in.TransitGatewayID, &out.TransitGatewayID
 		*out = new(string)
@@ -25949,11 +31484,52 @@ func (in *TransitGatewayVPCAttachmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayVPCAttachmentObservation) DeepCopyInto(out *TransitGatewayVPCAttachmentObservation) {
 	*out = *in
+	if in.ApplianceModeSupport != nil {
+		in, out := &in.ApplianceModeSupport, &out.ApplianceModeSupport
+		*out = new(string)
+		**out = **in
+	}
+	if in.DNSSupport != nil {
+		in, out := &in.DNSSupport, &out.DNSSupport
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6Support != nil {
+		in, out := &in.IPv6Support, &out.IPv6Support
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -25969,6 +31545,26 @@ func (in *TransitGatewayVPCAttachmentObservation) DeepCopyInto(out *TransitGatew
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitGatewayDefaultRouteTableAssociation != nil {
+		in, out := &in.TransitGatewayDefaultRouteTableAssociation, &out.TransitGatewayDefaultRouteTableAssociation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TransitGatewayDefaultRouteTablePropagation != nil {
+		in, out := &in.TransitGatewayDefaultRouteTablePropagation, &out.TransitGatewayDefaultRouteTablePropagation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 	if in.VPCOwnerID != nil {
 		in, out := &in.VPCOwnerID, &out.VPCOwnerID
 		*out = new(string)
@@ -26136,6 +31732,13 @@ func (in *TransitGatewayVPCAttachmentStatus) DeepCopy() *TransitGatewayVPCAttach
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Tunnel1LogOptionsObservation) DeepCopyInto(out *Tunnel1LogOptionsObservation) {
 	*out = *in
+	if in.CloudwatchLogOptions != nil {
+		in, out := &in.CloudwatchLogOptions, &out.CloudwatchLogOptions
+		*out = make([]CloudwatchLogOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tunnel1LogOptionsObservation.
@@ -26173,6 +31776,21 @@ func (in *Tunnel1LogOptionsParameters) DeepCopy() *Tunnel1LogOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Tunnel2LogOptionsCloudwatchLogOptionsObservation) DeepCopyInto(out *Tunnel2LogOptionsCloudwatchLogOptionsObservation) {
 	*out = *in
+	if in.LogEnabled != nil {
+		in, out := &in.LogEnabled, &out.LogEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupArn != nil {
+		in, out := &in.LogGroupArn, &out.LogGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogOutputFormat != nil {
+		in, out := &in.LogOutputFormat, &out.LogOutputFormat
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tunnel2LogOptionsCloudwatchLogOptionsObservation.
@@ -26218,6 +31836,13 @@ func (in *Tunnel2LogOptionsCloudwatchLogOptionsParameters) DeepCopy() *Tunnel2Lo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Tunnel2LogOptionsObservation) DeepCopyInto(out *Tunnel2LogOptionsObservation) {
 	*out = *in
+	if in.CloudwatchLogOptions != nil {
+		in, out := &in.CloudwatchLogOptions, &out.CloudwatchLogOptions
+		*out = make([]Tunnel2LogOptionsCloudwatchLogOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Tunnel2LogOptionsObservation.
@@ -26255,6 +31880,16 @@ func (in *Tunnel2LogOptionsParameters) DeepCopy() *Tunnel2LogOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserBucketObservation) DeepCopyInto(out *UserBucketObservation) {
 	*out = *in
+	if in.S3Bucket != nil {
+		in, out := &in.S3Bucket, &out.S3Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Key != nil {
+		in, out := &in.S3Key, &out.S3Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserBucketObservation.
@@ -26408,11 +32043,21 @@ func (in *VPCDHCPOptionsAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCDHCPOptionsAssociationObservation) DeepCopyInto(out *VPCDHCPOptionsAssociationObservation) {
 	*out = *in
+	if in.DHCPOptionsID != nil {
+		in, out := &in.DHCPOptionsID, &out.DHCPOptionsID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCDHCPOptionsAssociationObservation.
@@ -26549,16 +32194,74 @@ func (in *VPCDHCPOptionsObservation) DeepCopyInto(out *VPCDHCPOptionsObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainNameServers != nil {
+		in, out := &in.DomainNameServers, &out.DomainNameServers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.NetbiosNameServers != nil {
+		in, out := &in.NetbiosNameServers, &out.NetbiosNameServers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.NetbiosNodeType != nil {
+		in, out := &in.NetbiosNodeType, &out.NetbiosNodeType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NtpServers != nil {
+		in, out := &in.NtpServers, &out.NtpServers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -26787,6 +32490,22 @@ func (in *VPCEndpointConnectionNotificationList) DeepCopyObject() runtime.Object
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCEndpointConnectionNotificationObservation) DeepCopyInto(out *VPCEndpointConnectionNotificationObservation) {
 	*out = *in
+	if in.ConnectionEvents != nil {
+		in, out := &in.ConnectionEvents, &out.ConnectionEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ConnectionNotificationArn != nil {
+		in, out := &in.ConnectionNotificationArn, &out.ConnectionNotificationArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -26802,6 +32521,16 @@ func (in *VPCEndpointConnectionNotificationObservation) DeepCopyInto(out *VPCEnd
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCEndpointID != nil {
+		in, out := &in.VPCEndpointID, &out.VPCEndpointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCEndpointServiceID != nil {
+		in, out := &in.VPCEndpointServiceID, &out.VPCEndpointServiceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCEndpointConnectionNotificationObservation.
@@ -26984,6 +32713,11 @@ func (in *VPCEndpointObservation_2) DeepCopyInto(out *VPCEndpointObservation_2)
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoAccept != nil {
+		in, out := &in.AutoAccept, &out.AutoAccept
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CidrBlocks != nil {
 		in, out := &in.CidrBlocks, &out.CidrBlocks
 		*out = make([]*string, len(*in))
@@ -27002,11 +32736,23 @@ func (in *VPCEndpointObservation_2) DeepCopyInto(out *VPCEndpointObservation_2)
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.DNSOptions != nil {
+		in, out := &in.DNSOptions, &out.DNSOptions
+		*out = make([]DNSOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddressType != nil {
+		in, out := &in.IPAddressType, &out.IPAddressType
+		*out = new(string)
+		**out = **in
+	}
 	if in.NetworkInterfaceIds != nil {
 		in, out := &in.NetworkInterfaceIds, &out.NetworkInterfaceIds
 		*out = make([]*string, len(*in))
@@ -27023,11 +32769,21 @@ func (in *VPCEndpointObservation_2) DeepCopyInto(out *VPCEndpointObservation_2)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 	if in.PrefixListID != nil {
 		in, out := &in.PrefixListID, &out.PrefixListID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrivateDNSEnabled != nil {
+		in, out := &in.PrivateDNSEnabled, &out.PrivateDNSEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.RequesterManaged != nil {
 		in, out := &in.RequesterManaged, &out.RequesterManaged
 		*out = new(bool)
@@ -27055,6 +32811,11 @@ func (in *VPCEndpointObservation_2) DeepCopyInto(out *VPCEndpointObservation_2)
 			}
 		}
 	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
@@ -27071,6 +32832,21 @@ func (in *VPCEndpointObservation_2) DeepCopyInto(out *VPCEndpointObservation_2)
 			}
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -27086,6 +32862,16 @@ func (in *VPCEndpointObservation_2) DeepCopyInto(out *VPCEndpointObservation_2)
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCEndpointType != nil {
+		in, out := &in.VPCEndpointType, &out.VPCEndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCEndpointObservation_2.
@@ -27277,6 +33063,16 @@ func (in *VPCEndpointRouteTableAssociationObservation) DeepCopyInto(out *VPCEndp
 		*out = new(string)
 		**out = **in
 	}
+	if in.RouteTableID != nil {
+		in, out := &in.RouteTableID, &out.RouteTableID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCEndpointID != nil {
+		in, out := &in.VPCEndpointID, &out.VPCEndpointID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCEndpointRouteTableAssociationObservation.
@@ -27440,6 +33236,21 @@ func (in *VPCEndpointSecurityGroupAssociationObservation) DeepCopyInto(out *VPCE
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReplaceDefaultAssociation != nil {
+		in, out := &in.ReplaceDefaultAssociation, &out.ReplaceDefaultAssociation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SecurityGroupID != nil {
+		in, out := &in.SecurityGroupID, &out.SecurityGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCEndpointID != nil {
+		in, out := &in.VPCEndpointID, &out.VPCEndpointID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCEndpointSecurityGroupAssociationObservation.
@@ -27635,6 +33446,16 @@ func (in *VPCEndpointServiceAllowedPrincipalObservation) DeepCopyInto(out *VPCEn
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrincipalArn != nil {
+		in, out := &in.PrincipalArn, &out.PrincipalArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCEndpointServiceID != nil {
+		in, out := &in.VPCEndpointServiceID, &out.VPCEndpointServiceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCEndpointServiceAllowedPrincipalObservation.
@@ -27756,6 +33577,11 @@ func (in *VPCEndpointServiceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCEndpointServiceObservation) DeepCopyInto(out *VPCEndpointServiceObservation) {
 	*out = *in
+	if in.AcceptanceRequired != nil {
+		in, out := &in.AcceptanceRequired, &out.AcceptanceRequired
+		*out = new(bool)
+		**out = **in
+	}
 	if in.AllowedPrincipals != nil {
 		in, out := &in.AllowedPrincipals, &out.AllowedPrincipals
 		*out = make([]*string, len(*in))
@@ -27794,6 +33620,17 @@ func (in *VPCEndpointServiceObservation) DeepCopyInto(out *VPCEndpointServiceObs
 			}
 		}
 	}
+	if in.GatewayLoadBalancerArns != nil {
+		in, out := &in.GatewayLoadBalancerArns, &out.GatewayLoadBalancerArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -27804,6 +33641,22 @@ func (in *VPCEndpointServiceObservation) DeepCopyInto(out *VPCEndpointServiceObs
 		*out = new(bool)
 		**out = **in
 	}
+	if in.NetworkLoadBalancerArns != nil {
+		in, out := &in.NetworkLoadBalancerArns, &out.NetworkLoadBalancerArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PrivateDNSName != nil {
+		in, out := &in.PrivateDNSName, &out.PrivateDNSName
+		*out = new(string)
+		**out = **in
+	}
 	if in.PrivateDNSNameConfiguration != nil {
 		in, out := &in.PrivateDNSNameConfiguration, &out.PrivateDNSNameConfiguration
 		*out = make([]PrivateDNSNameConfigurationObservation, len(*in))
@@ -27826,6 +33679,32 @@ func (in *VPCEndpointServiceObservation) DeepCopyInto(out *VPCEndpointServiceObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.SupportedIPAddressTypes != nil {
+		in, out := &in.SupportedIPAddressTypes, &out.SupportedIPAddressTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -28066,6 +33945,16 @@ func (in *VPCEndpointSubnetAssociationObservation) DeepCopyInto(out *VPCEndpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCEndpointID != nil {
+		in, out := &in.VPCEndpointID, &out.VPCEndpointID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCEndpointSubnetAssociationObservation.
@@ -28224,11 +34113,31 @@ func (in *VPCIPv4CidrBlockAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCIPv4CidrBlockAssociationObservation) DeepCopyInto(out *VPCIPv4CidrBlockAssociationObservation) {
 	*out = *in
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv4IpamPoolID != nil {
+		in, out := &in.IPv4IpamPoolID, &out.IPv4IpamPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv4NetmaskLength != nil {
+		in, out := &in.IPv4NetmaskLength, &out.IPv4NetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCIPv4CidrBlockAssociationObservation.
@@ -28392,6 +34301,11 @@ func (in *VPCIpamObservation) DeepCopyInto(out *VPCIpamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Cascade != nil {
+		in, out := &in.Cascade, &out.Cascade
+		*out = new(bool)
+		**out = **in
+	}
 	if in.DefaultResourceDiscoveryAssociationID != nil {
 		in, out := &in.DefaultResourceDiscoveryAssociationID, &out.DefaultResourceDiscoveryAssociationID
 		*out = new(string)
@@ -28402,11 +34316,23 @@ func (in *VPCIpamObservation) DeepCopyInto(out *VPCIpamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OperatingRegions != nil {
+		in, out := &in.OperatingRegions, &out.OperatingRegions
+		*out = make([]OperatingRegionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.PrivateDefaultScopeID != nil {
 		in, out := &in.PrivateDefaultScopeID, &out.PrivateDefaultScopeID
 		*out = new(string)
@@ -28422,6 +34348,21 @@ func (in *VPCIpamObservation) DeepCopyInto(out *VPCIpamObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -28617,6 +34558,27 @@ func (in *VPCIpamPoolCidrAllocationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCIpamPoolCidrAllocationObservation) DeepCopyInto(out *VPCIpamPoolCidrAllocationObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisallowedCidrs != nil {
+		in, out := &in.DisallowedCidrs, &out.DisallowedCidrs
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -28627,6 +34589,16 @@ func (in *VPCIpamPoolCidrAllocationObservation) DeepCopyInto(out *VPCIpamPoolCid
 		*out = new(string)
 		**out = **in
 	}
+	if in.IpamPoolID != nil {
+		in, out := &in.IpamPoolID, &out.IpamPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetmaskLength != nil {
+		in, out := &in.NetmaskLength, &out.NetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ResourceID != nil {
 		in, out := &in.ResourceID, &out.ResourceID
 		*out = new(string)
@@ -28784,6 +34756,18 @@ func (in *VPCIpamPoolCidrList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCIpamPoolCidrObservation) DeepCopyInto(out *VPCIpamPoolCidrObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.CidrAuthorizationContext != nil {
+		in, out := &in.CidrAuthorizationContext, &out.CidrAuthorizationContext
+		*out = make([]CidrAuthorizationContextObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -28794,6 +34778,16 @@ func (in *VPCIpamPoolCidrObservation) DeepCopyInto(out *VPCIpamPoolCidrObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.IpamPoolID != nil {
+		in, out := &in.IpamPoolID, &out.IpamPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetmaskLength != nil {
+		in, out := &in.NetmaskLength, &out.NetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCIpamPoolCidrObservation.
@@ -28927,31 +34921,121 @@ func (in *VPCIpamPoolList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCIpamPoolObservation) DeepCopyInto(out *VPCIpamPoolObservation) {
 	*out = *in
+	if in.AddressFamily != nil {
+		in, out := &in.AddressFamily, &out.AddressFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.AllocationDefaultNetmaskLength != nil {
+		in, out := &in.AllocationDefaultNetmaskLength, &out.AllocationDefaultNetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AllocationMaxNetmaskLength != nil {
+		in, out := &in.AllocationMaxNetmaskLength, &out.AllocationMaxNetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AllocationMinNetmaskLength != nil {
+		in, out := &in.AllocationMinNetmaskLength, &out.AllocationMinNetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AllocationResourceTags != nil {
+		in, out := &in.AllocationResourceTags, &out.AllocationResourceTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoImport != nil {
+		in, out := &in.AutoImport, &out.AutoImport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AwsService != nil {
+		in, out := &in.AwsService, &out.AwsService
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IpamScopeID != nil {
+		in, out := &in.IpamScopeID, &out.IpamScopeID
+		*out = new(string)
+		**out = **in
+	}
 	if in.IpamScopeType != nil {
 		in, out := &in.IpamScopeType, &out.IpamScopeType
 		*out = new(string)
 		**out = **in
 	}
+	if in.Locale != nil {
+		in, out := &in.Locale, &out.Locale
+		*out = new(string)
+		**out = **in
+	}
 	if in.PoolDepth != nil {
 		in, out := &in.PoolDepth, &out.PoolDepth
 		*out = new(float64)
 		**out = **in
 	}
+	if in.PublicIPSource != nil {
+		in, out := &in.PublicIPSource, &out.PublicIPSource
+		*out = new(string)
+		**out = **in
+	}
+	if in.PubliclyAdvertisable != nil {
+		in, out := &in.PubliclyAdvertisable, &out.PubliclyAdvertisable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SourceIpamPoolID != nil {
+		in, out := &in.SourceIpamPoolID, &out.SourceIpamPoolID
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -29210,6 +35294,11 @@ func (in *VPCIpamScopeObservation) DeepCopyInto(out *VPCIpamScopeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -29220,6 +35309,11 @@ func (in *VPCIpamScopeObservation) DeepCopyInto(out *VPCIpamScopeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IpamID != nil {
+		in, out := &in.IpamID, &out.IpamID
+		*out = new(string)
+		**out = **in
+	}
 	if in.IpamScopeType != nil {
 		in, out := &in.IpamScopeType, &out.IpamScopeType
 		*out = new(string)
@@ -29235,6 +35329,21 @@ func (in *VPCIpamScopeObservation) DeepCopyInto(out *VPCIpamScopeObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -29455,6 +35564,16 @@ func (in *VPCObservation_2) DeepCopyInto(out *VPCObservation_2) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssignGeneratedIPv6CidrBlock != nil {
+		in, out := &in.AssignGeneratedIPv6CidrBlock, &out.AssignGeneratedIPv6CidrBlock
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CidrBlock != nil {
+		in, out := &in.CidrBlock, &out.CidrBlock
+		*out = new(string)
+		**out = **in
+	}
 	if in.DHCPOptionsID != nil {
 		in, out := &in.DHCPOptionsID, &out.DHCPOptionsID
 		*out = new(string)
@@ -29475,16 +35594,76 @@ func (in *VPCObservation_2) DeepCopyInto(out *VPCObservation_2) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EnableClassiclink != nil {
+		in, out := &in.EnableClassiclink, &out.EnableClassiclink
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableClassiclinkDNSSupport != nil {
+		in, out := &in.EnableClassiclinkDNSSupport, &out.EnableClassiclinkDNSSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableDNSHostnames != nil {
+		in, out := &in.EnableDNSHostnames, &out.EnableDNSHostnames
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableDNSSupport != nil {
+		in, out := &in.EnableDNSSupport, &out.EnableDNSSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableNetworkAddressUsageMetrics != nil {
+		in, out := &in.EnableNetworkAddressUsageMetrics, &out.EnableNetworkAddressUsageMetrics
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv4IpamPoolID != nil {
+		in, out := &in.IPv4IpamPoolID, &out.IPv4IpamPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv4NetmaskLength != nil {
+		in, out := &in.IPv4NetmaskLength, &out.IPv4NetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
 	if in.IPv6AssociationID != nil {
 		in, out := &in.IPv6AssociationID, &out.IPv6AssociationID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPv6CidrBlock != nil {
+		in, out := &in.IPv6CidrBlock, &out.IPv6CidrBlock
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6CidrBlockNetworkBorderGroup != nil {
+		in, out := &in.IPv6CidrBlockNetworkBorderGroup, &out.IPv6CidrBlockNetworkBorderGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6IpamPoolID != nil {
+		in, out := &in.IPv6IpamPoolID, &out.IPv6IpamPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6NetmaskLength != nil {
+		in, out := &in.IPv6NetmaskLength, &out.IPv6NetmaskLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceTenancy != nil {
+		in, out := &in.InstanceTenancy, &out.InstanceTenancy
+		*out = new(string)
+		**out = **in
+	}
 	if in.MainRouteTableID != nil {
 		in, out := &in.MainRouteTableID, &out.MainRouteTableID
 		*out = new(string)
@@ -29495,6 +35674,21 @@ func (in *VPCObservation_2) DeepCopyInto(out *VPCObservation_2) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -29709,6 +35903,21 @@ func (in *VPCPeeringConnectionAccepter) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCPeeringConnectionAccepterAccepterObservation) DeepCopyInto(out *VPCPeeringConnectionAccepterAccepterObservation) {
 	*out = *in
+	if in.AllowClassicLinkToRemoteVPC != nil {
+		in, out := &in.AllowClassicLinkToRemoteVPC, &out.AllowClassicLinkToRemoteVPC
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowRemoteVPCDNSResolution != nil {
+		in, out := &in.AllowRemoteVPCDNSResolution, &out.AllowRemoteVPCDNSResolution
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowVPCToRemoteClassicLink != nil {
+		in, out := &in.AllowVPCToRemoteClassicLink, &out.AllowVPCToRemoteClassicLink
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCPeeringConnectionAccepterAccepterObservation.
@@ -29791,6 +36000,18 @@ func (in *VPCPeeringConnectionAccepterObservation) DeepCopyInto(out *VPCPeeringC
 		*out = new(string)
 		**out = **in
 	}
+	if in.Accepter != nil {
+		in, out := &in.Accepter, &out.Accepter
+		*out = make([]VPCPeeringConnectionAccepterAccepterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutoAccept != nil {
+		in, out := &in.AutoAccept, &out.AutoAccept
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -29811,6 +36032,28 @@ func (in *VPCPeeringConnectionAccepterObservation) DeepCopyInto(out *VPCPeeringC
 		*out = new(string)
 		**out = **in
 	}
+	if in.Requester != nil {
+		in, out := &in.Requester, &out.Requester
+		*out = make([]VPCPeeringConnectionAccepterRequesterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -29831,6 +36074,11 @@ func (in *VPCPeeringConnectionAccepterObservation) DeepCopyInto(out *VPCPeeringC
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCPeeringConnectionID != nil {
+		in, out := &in.VPCPeeringConnectionID, &out.VPCPeeringConnectionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCPeeringConnectionAccepterObservation.
@@ -29915,6 +36163,21 @@ func (in *VPCPeeringConnectionAccepterParameters) DeepCopy() *VPCPeeringConnecti
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCPeeringConnectionAccepterRequesterObservation) DeepCopyInto(out *VPCPeeringConnectionAccepterRequesterObservation) {
 	*out = *in
+	if in.AllowClassicLinkToRemoteVPC != nil {
+		in, out := &in.AllowClassicLinkToRemoteVPC, &out.AllowClassicLinkToRemoteVPC
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowRemoteVPCDNSResolution != nil {
+		in, out := &in.AllowRemoteVPCDNSResolution, &out.AllowRemoteVPCDNSResolution
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowVPCToRemoteClassicLink != nil {
+		in, out := &in.AllowVPCToRemoteClassicLink, &out.AllowVPCToRemoteClassicLink
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCPeeringConnectionAccepterRequesterObservation.
@@ -30068,11 +36331,31 @@ func (in *VPCPeeringConnectionObservation_2) DeepCopyInto(out *VPCPeeringConnect
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.AutoAccept != nil {
+		in, out := &in.AutoAccept, &out.AutoAccept
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PeerOwnerID != nil {
+		in, out := &in.PeerOwnerID, &out.PeerOwnerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PeerRegion != nil {
+		in, out := &in.PeerRegion, &out.PeerRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PeerVPCID != nil {
+		in, out := &in.PeerVPCID, &out.PeerVPCID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Requester != nil {
 		in, out := &in.Requester, &out.Requester
 		*out = make([]RequesterObservation, len(*in))
@@ -30080,6 +36363,21 @@ func (in *VPCPeeringConnectionObservation_2) DeepCopyInto(out *VPCPeeringConnect
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -30095,6 +36393,11 @@ func (in *VPCPeeringConnectionObservation_2) DeepCopyInto(out *VPCPeeringConnect
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCPeeringConnectionObservation_2.
@@ -30137,6 +36440,21 @@ func (in *VPCPeeringConnectionOptions) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCPeeringConnectionOptionsAccepterObservation) DeepCopyInto(out *VPCPeeringConnectionOptionsAccepterObservation) {
 	*out = *in
+	if in.AllowClassicLinkToRemoteVPC != nil {
+		in, out := &in.AllowClassicLinkToRemoteVPC, &out.AllowClassicLinkToRemoteVPC
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowRemoteVPCDNSResolution != nil {
+		in, out := &in.AllowRemoteVPCDNSResolution, &out.AllowRemoteVPCDNSResolution
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowVPCToRemoteClassicLink != nil {
+		in, out := &in.AllowVPCToRemoteClassicLink, &out.AllowVPCToRemoteClassicLink
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCPeeringConnectionOptionsAccepterObservation.
@@ -30214,11 +36532,30 @@ func (in *VPCPeeringConnectionOptionsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCPeeringConnectionOptionsObservation) DeepCopyInto(out *VPCPeeringConnectionOptionsObservation) {
 	*out = *in
+	if in.Accepter != nil {
+		in, out := &in.Accepter, &out.Accepter
+		*out = make([]VPCPeeringConnectionOptionsAccepterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Requester != nil {
+		in, out := &in.Requester, &out.Requester
+		*out = make([]VPCPeeringConnectionOptionsRequesterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VPCPeeringConnectionID != nil {
+		in, out := &in.VPCPeeringConnectionID, &out.VPCPeeringConnectionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCPeeringConnectionOptionsObservation.
@@ -30283,6 +36620,21 @@ func (in *VPCPeeringConnectionOptionsParameters) DeepCopy() *VPCPeeringConnectio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCPeeringConnectionOptionsRequesterObservation) DeepCopyInto(out *VPCPeeringConnectionOptionsRequesterObservation) {
 	*out = *in
+	if in.AllowClassicLinkToRemoteVPC != nil {
+		in, out := &in.AllowClassicLinkToRemoteVPC, &out.AllowClassicLinkToRemoteVPC
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowRemoteVPCDNSResolution != nil {
+		in, out := &in.AllowRemoteVPCDNSResolution, &out.AllowRemoteVPCDNSResolution
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowVPCToRemoteClassicLink != nil {
+		in, out := &in.AllowVPCToRemoteClassicLink, &out.AllowVPCToRemoteClassicLink
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCPeeringConnectionOptionsRequesterObservation.
@@ -30629,11 +36981,46 @@ func (in *VPNConnectionObservation_2) DeepCopyInto(out *VPNConnectionObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomerGatewayID != nil {
+		in, out := &in.CustomerGatewayID, &out.CustomerGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableAcceleration != nil {
+		in, out := &in.EnableAcceleration, &out.EnableAcceleration
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LocalIPv4NetworkCidr != nil {
+		in, out := &in.LocalIPv4NetworkCidr, &out.LocalIPv4NetworkCidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.LocalIPv6NetworkCidr != nil {
+		in, out := &in.LocalIPv6NetworkCidr, &out.LocalIPv6NetworkCidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutsideIPAddressType != nil {
+		in, out := &in.OutsideIPAddressType, &out.OutsideIPAddressType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RemoteIPv4NetworkCidr != nil {
+		in, out := &in.RemoteIPv4NetworkCidr, &out.RemoteIPv4NetworkCidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.RemoteIPv6NetworkCidr != nil {
+		in, out := &in.RemoteIPv6NetworkCidr, &out.RemoteIPv6NetworkCidr
+		*out = new(string)
+		**out = **in
+	}
 	if in.Routes != nil {
 		in, out := &in.Routes, &out.Routes
 		*out = make([]RoutesObservation, len(*in))
@@ -30641,6 +37028,26 @@ func (in *VPNConnectionObservation_2) DeepCopyInto(out *VPNConnectionObservation
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.StaticRoutesOnly != nil {
+		in, out := &in.StaticRoutesOnly, &out.StaticRoutesOnly
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -30661,6 +37068,16 @@ func (in *VPNConnectionObservation_2) DeepCopyInto(out *VPNConnectionObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.TransitGatewayID != nil {
+		in, out := &in.TransitGatewayID, &out.TransitGatewayID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransportTransitGatewayAttachmentID != nil {
+		in, out := &in.TransportTransitGatewayAttachmentID, &out.TransportTransitGatewayAttachmentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Tunnel1Address != nil {
 		in, out := &in.Tunnel1Address, &out.Tunnel1Address
 		*out = new(string)
@@ -30681,6 +37098,140 @@ func (in *VPNConnectionObservation_2) DeepCopyInto(out *VPNConnectionObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tunnel1DpdTimeoutAction != nil {
+		in, out := &in.Tunnel1DpdTimeoutAction, &out.Tunnel1DpdTimeoutAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tunnel1DpdTimeoutSeconds != nil {
+		in, out := &in.Tunnel1DpdTimeoutSeconds, &out.Tunnel1DpdTimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel1IkeVersions != nil {
+		in, out := &in.Tunnel1IkeVersions, &out.Tunnel1IkeVersions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel1InsideCidr != nil {
+		in, out := &in.Tunnel1InsideCidr, &out.Tunnel1InsideCidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tunnel1InsideIPv6Cidr != nil {
+		in, out := &in.Tunnel1InsideIPv6Cidr, &out.Tunnel1InsideIPv6Cidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tunnel1LogOptions != nil {
+		in, out := &in.Tunnel1LogOptions, &out.Tunnel1LogOptions
+		*out = make([]Tunnel1LogOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tunnel1Phase1DhGroupNumbers != nil {
+		in, out := &in.Tunnel1Phase1DhGroupNumbers, &out.Tunnel1Phase1DhGroupNumbers
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel1Phase1EncryptionAlgorithms != nil {
+		in, out := &in.Tunnel1Phase1EncryptionAlgorithms, &out.Tunnel1Phase1EncryptionAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel1Phase1IntegrityAlgorithms != nil {
+		in, out := &in.Tunnel1Phase1IntegrityAlgorithms, &out.Tunnel1Phase1IntegrityAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel1Phase1LifetimeSeconds != nil {
+		in, out := &in.Tunnel1Phase1LifetimeSeconds, &out.Tunnel1Phase1LifetimeSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel1Phase2DhGroupNumbers != nil {
+		in, out := &in.Tunnel1Phase2DhGroupNumbers, &out.Tunnel1Phase2DhGroupNumbers
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel1Phase2EncryptionAlgorithms != nil {
+		in, out := &in.Tunnel1Phase2EncryptionAlgorithms, &out.Tunnel1Phase2EncryptionAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel1Phase2IntegrityAlgorithms != nil {
+		in, out := &in.Tunnel1Phase2IntegrityAlgorithms, &out.Tunnel1Phase2IntegrityAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel1Phase2LifetimeSeconds != nil {
+		in, out := &in.Tunnel1Phase2LifetimeSeconds, &out.Tunnel1Phase2LifetimeSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel1RekeyFuzzPercentage != nil {
+		in, out := &in.Tunnel1RekeyFuzzPercentage, &out.Tunnel1RekeyFuzzPercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel1RekeyMarginTimeSeconds != nil {
+		in, out := &in.Tunnel1RekeyMarginTimeSeconds, &out.Tunnel1RekeyMarginTimeSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel1ReplayWindowSize != nil {
+		in, out := &in.Tunnel1ReplayWindowSize, &out.Tunnel1ReplayWindowSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel1StartupAction != nil {
+		in, out := &in.Tunnel1StartupAction, &out.Tunnel1StartupAction
+		*out = new(string)
+		**out = **in
+	}
 	if in.Tunnel1VgwInsideAddress != nil {
 		in, out := &in.Tunnel1VgwInsideAddress, &out.Tunnel1VgwInsideAddress
 		*out = new(string)
@@ -30706,11 +37257,160 @@ func (in *VPNConnectionObservation_2) DeepCopyInto(out *VPNConnectionObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tunnel2DpdTimeoutAction != nil {
+		in, out := &in.Tunnel2DpdTimeoutAction, &out.Tunnel2DpdTimeoutAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tunnel2DpdTimeoutSeconds != nil {
+		in, out := &in.Tunnel2DpdTimeoutSeconds, &out.Tunnel2DpdTimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel2IkeVersions != nil {
+		in, out := &in.Tunnel2IkeVersions, &out.Tunnel2IkeVersions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel2InsideCidr != nil {
+		in, out := &in.Tunnel2InsideCidr, &out.Tunnel2InsideCidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tunnel2InsideIPv6Cidr != nil {
+		in, out := &in.Tunnel2InsideIPv6Cidr, &out.Tunnel2InsideIPv6Cidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tunnel2LogOptions != nil {
+		in, out := &in.Tunnel2LogOptions, &out.Tunnel2LogOptions
+		*out = make([]Tunnel2LogOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tunnel2Phase1DhGroupNumbers != nil {
+		in, out := &in.Tunnel2Phase1DhGroupNumbers, &out.Tunnel2Phase1DhGroupNumbers
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel2Phase1EncryptionAlgorithms != nil {
+		in, out := &in.Tunnel2Phase1EncryptionAlgorithms, &out.Tunnel2Phase1EncryptionAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel2Phase1IntegrityAlgorithms != nil {
+		in, out := &in.Tunnel2Phase1IntegrityAlgorithms, &out.Tunnel2Phase1IntegrityAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel2Phase1LifetimeSeconds != nil {
+		in, out := &in.Tunnel2Phase1LifetimeSeconds, &out.Tunnel2Phase1LifetimeSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel2Phase2DhGroupNumbers != nil {
+		in, out := &in.Tunnel2Phase2DhGroupNumbers, &out.Tunnel2Phase2DhGroupNumbers
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel2Phase2EncryptionAlgorithms != nil {
+		in, out := &in.Tunnel2Phase2EncryptionAlgorithms, &out.Tunnel2Phase2EncryptionAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel2Phase2IntegrityAlgorithms != nil {
+		in, out := &in.Tunnel2Phase2IntegrityAlgorithms, &out.Tunnel2Phase2IntegrityAlgorithms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tunnel2Phase2LifetimeSeconds != nil {
+		in, out := &in.Tunnel2Phase2LifetimeSeconds, &out.Tunnel2Phase2LifetimeSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel2RekeyFuzzPercentage != nil {
+		in, out := &in.Tunnel2RekeyFuzzPercentage, &out.Tunnel2RekeyFuzzPercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel2RekeyMarginTimeSeconds != nil {
+		in, out := &in.Tunnel2RekeyMarginTimeSeconds, &out.Tunnel2RekeyMarginTimeSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel2ReplayWindowSize != nil {
+		in, out := &in.Tunnel2ReplayWindowSize, &out.Tunnel2ReplayWindowSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tunnel2StartupAction != nil {
+		in, out := &in.Tunnel2StartupAction, &out.Tunnel2StartupAction
+		*out = new(string)
+		**out = **in
+	}
 	if in.Tunnel2VgwInsideAddress != nil {
 		in, out := &in.Tunnel2VgwInsideAddress, &out.Tunnel2VgwInsideAddress
 		*out = new(string)
 		**out = **in
 	}
+	if in.TunnelInsideIPVersion != nil {
+		in, out := &in.TunnelInsideIPVersion, &out.TunnelInsideIPVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPNGatewayID != nil {
+		in, out := &in.VPNGatewayID, &out.VPNGatewayID
+		*out = new(string)
+		**out = **in
+	}
 	if in.VgwTelemetry != nil {
 		in, out := &in.VgwTelemetry, &out.VgwTelemetry
 		*out = make([]VgwTelemetryObservation, len(*in))
@@ -31225,11 +37925,21 @@ func (in *VPNConnectionRouteList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPNConnectionRouteObservation) DeepCopyInto(out *VPNConnectionRouteObservation) {
 	*out = *in
+	if in.DestinationCidrBlock != nil {
+		in, out := &in.DestinationCidrBlock, &out.DestinationCidrBlock
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPNConnectionID != nil {
+		in, out := &in.VPNConnectionID, &out.VPNConnectionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPNConnectionRouteObservation.
@@ -31444,6 +38154,16 @@ func (in *VPNGatewayAttachmentObservation) DeepCopyInto(out *VPNGatewayAttachmen
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPNGatewayID != nil {
+		in, out := &in.VPNGatewayID, &out.VPNGatewayID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPNGatewayAttachmentObservation.
@@ -31605,16 +38325,41 @@ func (in *VPNGatewayObservation) DeepCopy() *VPNGatewayObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPNGatewayObservation_2) DeepCopyInto(out *VPNGatewayObservation_2) {
 	*out = *in
+	if in.AmazonSideAsn != nil {
+		in, out := &in.AmazonSideAsn, &out.AmazonSideAsn
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -31630,6 +38375,11 @@ func (in *VPNGatewayObservation_2) DeepCopyInto(out *VPNGatewayObservation_2) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPNGatewayObservation_2.
@@ -31784,6 +38534,16 @@ func (in *VPNGatewayRoutePropagationObservation) DeepCopyInto(out *VPNGatewayRou
 		*out = new(string)
 		**out = **in
 	}
+	if in.RouteTableID != nil {
+		in, out := &in.RouteTableID, &out.RouteTableID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPNGatewayID != nil {
+		in, out := &in.VPNGatewayID, &out.VPNGatewayID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPNGatewayRoutePropagationObservation.
@@ -31917,6 +38677,16 @@ func (in *VPNGatewayStatus) DeepCopy() *VPNGatewayStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VcpuCountObservation) DeepCopyInto(out *VcpuCountObservation) {
 	*out = *in
+	if in.Max != nil {
+		in, out := &in.Max, &out.Max
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Min != nil {
+		in, out := &in.Min, &out.Min
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VcpuCountObservation.
@@ -32076,11 +38846,41 @@ func (in *VolumeAttachmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VolumeAttachmentObservation) DeepCopyInto(out *VolumeAttachmentObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDetach != nil {
+		in, out := &in.ForceDetach, &out.ForceDetach
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StopInstanceBeforeDetaching != nil {
+		in, out := &in.StopInstanceBeforeDetaching, &out.StopInstanceBeforeDetaching
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VolumeID != nil {
+		in, out := &in.VolumeID, &out.VolumeID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VolumeAttachmentObservation.
diff --git a/apis/ec2/v1beta1/zz_host_types.go b/apis/ec2/v1beta1/zz_host_types.go
index 87fd30e815..92f7724074 100755
--- a/apis/ec2/v1beta1/zz_host_types.go
+++ b/apis/ec2/v1beta1/zz_host_types.go
@@ -18,12 +18,33 @@ type HostObservation struct {
 	// The ARN of the Dedicated Host.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Indicates whether the host accepts any untargeted instance launches that match its instance type configuration, or if it only accepts Host tenancy instance launches that specify its unique host ID. Valid values: on, off. Default: on.
+	AutoPlacement *string `json:"autoPlacement,omitempty" tf:"auto_placement,omitempty"`
+
+	// The Availability Zone in which to allocate the Dedicated Host.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// Indicates whether to enable or disable host recovery for the Dedicated Host. Valid values: on, off. Default: off.
+	HostRecovery *string `json:"hostRecovery,omitempty" tf:"host_recovery,omitempty"`
+
 	// The ID of the allocated Dedicated Host. This is used to launch an instance onto a specific host.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the instance family to be supported by the Dedicated Hosts. If you specify an instance family, the Dedicated Hosts support multiple instance types within that instance family. Exactly one of instance_family or instance_type must be specified.
+	InstanceFamily *string `json:"instanceFamily,omitempty" tf:"instance_family,omitempty"`
+
+	// Specifies the instance type to be supported by the Dedicated Hosts. If you specify an instance type, the Dedicated Hosts support instances of the specified instance type only. Exactly one of instance_family or instance_type must be specified.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the AWS Outpost on which to allocate the Dedicated Host.
+	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
+
 	// The ID of the AWS account that owns the Dedicated Host.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,8 +56,8 @@ type HostParameters struct {
 	AutoPlacement *string `json:"autoPlacement,omitempty" tf:"auto_placement,omitempty"`
 
 	// The Availability Zone in which to allocate the Dedicated Host.
-	// +kubebuilder:validation:Required
-	AvailabilityZone *string `json:"availabilityZone" tf:"availability_zone,omitempty"`
+	// +kubebuilder:validation:Optional
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
 	// Indicates whether to enable or disable host recovery for the Dedicated Host. Valid values: on, off. Default: off.
 	// +kubebuilder:validation:Optional
@@ -88,8 +109,9 @@ type HostStatus struct {
 type Host struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HostSpec   `json:"spec"`
-	Status            HostStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)",message="availabilityZone is a required parameter"
+	Spec   HostSpec   `json:"spec"`
+	Status HostStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_instance_types.go b/apis/ec2/v1beta1/zz_instance_types.go
index a8581d0688..59fa295eed 100755
--- a/apis/ec2/v1beta1/zz_instance_types.go
+++ b/apis/ec2/v1beta1/zz_instance_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CapacityReservationSpecificationObservation struct {
+
+	// Indicates the instance's Capacity Reservation preferences. Can be "open" or "none". (Default: "open").
+	CapacityReservationPreference *string `json:"capacityReservationPreference,omitempty" tf:"capacity_reservation_preference,omitempty"`
+
+	// Information about the target Capacity Reservation. See Capacity Reservation Target below for more details.
+	CapacityReservationTarget []CapacityReservationTargetObservation `json:"capacityReservationTarget,omitempty" tf:"capacity_reservation_target,omitempty"`
 }
 
 type CapacityReservationSpecificationParameters struct {
@@ -28,6 +34,12 @@ type CapacityReservationSpecificationParameters struct {
 }
 
 type CapacityReservationTargetObservation struct {
+
+	// ID of the Capacity Reservation in which to run the instance.
+	CapacityReservationID *string `json:"capacityReservationId,omitempty" tf:"capacity_reservation_id,omitempty"`
+
+	// ARN of the Capacity Reservation resource group in which to run the instance.
+	CapacityReservationResourceGroupArn *string `json:"capacityReservationResourceGroupArn,omitempty" tf:"capacity_reservation_resource_group_arn,omitempty"`
 }
 
 type CapacityReservationTargetParameters struct {
@@ -42,6 +54,9 @@ type CapacityReservationTargetParameters struct {
 }
 
 type CreditSpecificationObservation struct {
+
+	// Credit option for CPU usage. Valid values include standard or unlimited. T3 instances are launched as unlimited by default. T2 instances are launched as standard by default.
+	CPUCredits *string `json:"cpuCredits,omitempty" tf:"cpu_credits,omitempty"`
 }
 
 type CreditSpecificationParameters struct {
@@ -52,6 +67,9 @@ type CreditSpecificationParameters struct {
 }
 
 type EnclaveOptionsObservation struct {
+
+	// Whether Nitro Enclaves will be enabled on the instance. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type EnclaveOptionsParameters struct {
@@ -63,8 +81,38 @@ type EnclaveOptionsParameters struct {
 
 type InstanceEBSBlockDeviceObservation struct {
 
+	// Whether the volume should be destroyed on instance termination. Defaults to true.
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Name of the device to mount.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Enables EBS encryption on the volume. Defaults to false. Cannot be used with snapshot_id. Must be configured to perform drift detection.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// Amount of provisioned IOPS. Only valid for volume_type of io1, io2 or gp3.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume. Must be configured to perform drift detection.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Snapshot ID to mount.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// Map of tags to assign to the device.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
+	// Throughput to provision for a volume in mebibytes per second (MiB/s). This is only valid for volume_type of gp3.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
 	// ID of the volume. For example, the ID can be accessed like this, aws_instance.web.ebs_block_device.2.volume_id.
 	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
+
+	// Size of the volume in gibibytes (GiB).
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp2.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type InstanceEBSBlockDeviceParameters struct {
@@ -120,6 +168,15 @@ type InstanceEBSBlockDeviceParameters struct {
 }
 
 type InstanceEphemeralBlockDeviceObservation struct {
+
+	// Name of the block device to mount on the instance.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Suppresses the specified device included in the AMI's block device mapping.
+	NoDevice *bool `json:"noDevice,omitempty" tf:"no_device,omitempty"`
+
+	// Instance Store Device Name (e.g., ephemeral0).
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type InstanceEphemeralBlockDeviceParameters struct {
@@ -138,6 +195,18 @@ type InstanceEphemeralBlockDeviceParameters struct {
 }
 
 type InstanceNetworkInterfaceObservation struct {
+
+	// Whether or not to delete the network interface on instance termination. Defaults to false. Currently, the only valid value is false, as this is only supported when creating new network interfaces when launching an instance.
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Integer index of the network interface attachment. Limited by instance type.
+	DeviceIndex *float64 `json:"deviceIndex,omitempty" tf:"device_index,omitempty"`
+
+	// Integer index of the network card. Limited by instance type. The default index is 0.
+	NetworkCardIndex *float64 `json:"networkCardIndex,omitempty" tf:"network_card_index,omitempty"`
+
+	// ID of the network interface to attach.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
 }
 
 type InstanceNetworkInterfaceParameters struct {
@@ -170,31 +239,123 @@ type InstanceNetworkInterfaceParameters struct {
 
 type InstanceObservation struct {
 
+	// AMI to use for the instance. Required unless launch_template is specified and the Launch Template specifes an AMI. If an AMI is specified in the Launch Template, setting ami will override the AMI specified in the Launch Template.
+	AMI *string `json:"ami,omitempty" tf:"ami,omitempty"`
+
 	// ARN of the instance.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to associate a public IP address with an instance in a VPC.
+	AssociatePublicIPAddress *bool `json:"associatePublicIpAddress,omitempty" tf:"associate_public_ip_address,omitempty"`
+
+	// AZ to start the instance in.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// Sets the number of CPU cores for an instance. This option is only supported on creation of instance type that support CPU Options CPU Cores and Threads Per CPU Core Per Instance Type - specifying this option for unsupported instance types will return an error from the EC2 API.
+	CPUCoreCount *float64 `json:"cpuCoreCount,omitempty" tf:"cpu_core_count,omitempty"`
+
+	// If set to 1, hyperthreading is disabled on the launched instance. Defaults to 2 if not set. See Optimizing CPU Options for more information.
+	CPUThreadsPerCore *float64 `json:"cpuThreadsPerCore,omitempty" tf:"cpu_threads_per_core,omitempty"`
+
+	// Describes an instance's Capacity Reservation targeting option. See Capacity Reservation Specification below for more details.
+	CapacityReservationSpecification []CapacityReservationSpecificationObservation `json:"capacityReservationSpecification,omitempty" tf:"capacity_reservation_specification,omitempty"`
+
+	// Configuration block for customizing the credit specification of the instance. See Credit Specification below for more details. Removing this configuration on existing instances will only stop managing it. It will not change the configuration back to the default for the instance type.
+	CreditSpecification []CreditSpecificationObservation `json:"creditSpecification,omitempty" tf:"credit_specification,omitempty"`
+
+	// If true, enables EC2 Instance Stop Protection.
+	DisableAPIStop *bool `json:"disableApiStop,omitempty" tf:"disable_api_stop,omitempty"`
+
+	// If true, enables EC2 Instance Termination Protection.
+	DisableAPITermination *bool `json:"disableApiTermination,omitempty" tf:"disable_api_termination,omitempty"`
+
 	// One or more configuration blocks with additional EBS block devices to attach to the instance. Block device configurations only apply on resource creation. See Block Devices below for details on attributes and drift detection. When accessing this as an attribute reference, it is a set of objects.
-	// +kubebuilder:validation:Optional
 	EBSBlockDevice []InstanceEBSBlockDeviceObservation `json:"ebsBlockDevice,omitempty" tf:"ebs_block_device,omitempty"`
 
+	// If true, the launched EC2 instance will be EBS-optimized. Note that if this is not set on an instance type that is optimized by default then this will show as disabled but if the instance type is optimized by default then there is no need to set this and there is no effect to disabling it. See the EBS Optimized section of the AWS User Guide for more information.
+	EBSOptimized *bool `json:"ebsOptimized,omitempty" tf:"ebs_optimized,omitempty"`
+
+	// Enable Nitro Enclaves on launched instances. See Enclave Options below for more details.
+	EnclaveOptions []EnclaveOptionsObservation `json:"enclaveOptions,omitempty" tf:"enclave_options,omitempty"`
+
+	// One or more configuration blocks to customize Ephemeral (also known as "Instance Store") volumes on the instance. See Block Devices below for details. When accessing this as an attribute reference, it is a set of objects.
+	EphemeralBlockDevice []InstanceEphemeralBlockDeviceObservation `json:"ephemeralBlockDevice,omitempty" tf:"ephemeral_block_device,omitempty"`
+
+	// If true, wait for password data to become available and retrieve it. Useful for getting the administrator password for instances running Microsoft Windows. The password data is exported to the password_data attribute. See GetPasswordData for more information.
+	GetPasswordData *bool `json:"getPasswordData,omitempty" tf:"get_password_data,omitempty"`
+
+	// If true, the launched EC2 instance will support hibernation.
+	Hibernation *bool `json:"hibernation,omitempty" tf:"hibernation,omitempty"`
+
+	// ID of a dedicated host that the instance will be assigned to. Use when an instance is to be launched on a specific dedicated host.
+	HostID *string `json:"hostId,omitempty" tf:"host_id,omitempty"`
+
+	// ARN of the host resource group in which to launch the instances. If you specify an ARN, omit the tenancy parameter or set it to host.
+	HostResourceGroupArn *string `json:"hostResourceGroupArn,omitempty" tf:"host_resource_group_arn,omitempty"`
+
+	// IAM Instance Profile to launch the instance with. Specified as the name of the Instance Profile. Ensure your credentials have the correct permission to assign the instance profile according to the EC2 documentation, notably iam:PassRole.
+	IAMInstanceProfile *string `json:"iamInstanceProfile,omitempty" tf:"iam_instance_profile,omitempty"`
+
 	// ID of the launch template. Conflicts with name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Number of IPv6 addresses to associate with the primary network interface. Amazon EC2 chooses the IPv6 addresses from the range of your subnet.
+	IPv6AddressCount *float64 `json:"ipv6AddressCount,omitempty" tf:"ipv6_address_count,omitempty"`
+
+	// Specify one or more IPv6 addresses from the range of the subnet to associate with the primary network interface
+	IPv6Addresses []*string `json:"ipv6Addresses,omitempty" tf:"ipv6_addresses,omitempty"`
+
+	// Shutdown behavior for the instance. Amazon defaults this to stop for EBS-backed instances and terminate for instance-store instances. Cannot be set on instance-store instances. See Shutdown Behavior for more information.
+	InstanceInitiatedShutdownBehavior *string `json:"instanceInitiatedShutdownBehavior,omitempty" tf:"instance_initiated_shutdown_behavior,omitempty"`
+
 	// State of the instance. One of: pending, running, shutting-down, terminated, stopping, stopped. See Instance Lifecycle for more information.
 	InstanceState *string `json:"instanceState,omitempty" tf:"instance_state,omitempty"`
 
+	// Instance type to use for the instance. Required unless launch_template is specified and the Launch Template specifies an instance type. If an instance type is specified in the Launch Template, setting instance_type will override the instance type specified in the Launch Template. Updates to this field will trigger a stop/start of the EC2 instance.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// Key name of the Key Pair to use for the instance; which can be managed using the .
+	KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+
+	// Specifies a Launch Template to configure the instance. Parameters configured on this resource will override the corresponding parameters in the Launch Template. See Launch Template Specification below for more details.
+	LaunchTemplate []LaunchTemplateObservation `json:"launchTemplate,omitempty" tf:"launch_template,omitempty"`
+
+	// Maintenance and recovery options for the instance. See Maintenance Options below for more details.
+	MaintenanceOptions []MaintenanceOptionsObservation `json:"maintenanceOptions,omitempty" tf:"maintenance_options,omitempty"`
+
+	// Customize the metadata options of the instance. See Metadata Options below for more details.
+	MetadataOptions []MetadataOptionsObservation `json:"metadataOptions,omitempty" tf:"metadata_options,omitempty"`
+
+	// If true, the launched EC2 instance will have detailed monitoring enabled. (Available since v0.6.0)
+	Monitoring *bool `json:"monitoring,omitempty" tf:"monitoring,omitempty"`
+
+	// Customize network interfaces to be attached at instance boot time. See Network Interfaces below for more details.
+	NetworkInterface []InstanceNetworkInterfaceObservation `json:"networkInterface,omitempty" tf:"network_interface,omitempty"`
+
 	// ARN of the Outpost the instance is assigned to.
 	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
 
 	// Base-64 encoded encrypted password data for the instance. Useful for getting the administrator password for instances running Microsoft Windows. This attribute is only exported if get_password_data is true. Note that this encrypted value will be stored in the state file, as with all exported attributes. See GetPasswordData for more information.
 	PasswordData *string `json:"passwordData,omitempty" tf:"password_data,omitempty"`
 
+	// Placement Group to start the instance in.
+	PlacementGroup *string `json:"placementGroup,omitempty" tf:"placement_group,omitempty"`
+
+	// Number of the partition the instance is in. Valid only if the  strategy argument is set to "partition".
+	PlacementPartitionNumber *float64 `json:"placementPartitionNumber,omitempty" tf:"placement_partition_number,omitempty"`
+
 	// ID of the instance's primary network interface.
 	PrimaryNetworkInterfaceID *string `json:"primaryNetworkInterfaceId,omitempty" tf:"primary_network_interface_id,omitempty"`
 
 	// Private DNS name assigned to the instance. Can only be used inside the Amazon EC2, and only available if you've enabled DNS hostnames for your VPC.
 	PrivateDNS *string `json:"privateDns,omitempty" tf:"private_dns,omitempty"`
 
+	// Options for the instance hostname. The default values are inherited from the subnet. See Private DNS Name Options below for more details.
+	PrivateDNSNameOptions []PrivateDNSNameOptionsObservation `json:"privateDnsNameOptions,omitempty" tf:"private_dns_name_options,omitempty"`
+
+	// Private IP address to associate with the instance in a VPC.
+	PrivateIP *string `json:"privateIp,omitempty" tf:"private_ip,omitempty"`
+
 	// Public DNS name assigned to the instance. For EC2-VPC, this is only available if you've enabled DNS hostnames for your VPC.
 	PublicDNS *string `json:"publicDns,omitempty" tf:"public_dns,omitempty"`
 
@@ -202,14 +363,43 @@ type InstanceObservation struct {
 	PublicIP *string `json:"publicIp,omitempty" tf:"public_ip,omitempty"`
 
 	// Configuration block to customize details about the root block device of the instance. See Block Devices below for details. When accessing this as an attribute reference, it is a list containing one object.
-	// +kubebuilder:validation:Optional
 	RootBlockDevice []RootBlockDeviceObservation `json:"rootBlockDevice,omitempty" tf:"root_block_device,omitempty"`
 
+	// List of secondary private IPv4 addresses to assign to the instance's primary network interface (eth0) in a VPC. Can only be assigned to the primary network interface (eth0) attached at instance creation, not a pre-existing network interface i.e., referenced in a network_interface block. Refer to the Elastic network interfaces documentation to see the maximum number of private IP addresses allowed per instance type.
+	SecondaryPrivateIps []*string `json:"secondaryPrivateIps,omitempty" tf:"secondary_private_ips,omitempty"`
+
 	// List of security group names to associate with.
 	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
 
+	// Controls if traffic is routed to the instance when the destination address does not match the instance. Used for NAT or VPNs. Defaults true.
+	SourceDestCheck *bool `json:"sourceDestCheck,omitempty" tf:"source_dest_check,omitempty"`
+
+	// VPC Subnet ID to launch in.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Tenancy of the instance (if the instance is running in a VPC). An instance with a tenancy of dedicated runs on single-tenant hardware. The host tenancy is not supported for the import-instance command. Valid values are default, dedicated, and host.
+	Tenancy *string `json:"tenancy,omitempty" tf:"tenancy,omitempty"`
+
+	// User data to provide when launching the instance. Do not pass gzip-compressed data via this argument; see user_data_base64 instead. Updates to this field will trigger a stop/start of the EC2 instance by default. If the user_data_replace_on_change is set then updates to this field will trigger a destroy and recreate.
+	UserData *string `json:"userData,omitempty" tf:"user_data,omitempty"`
+
+	// Can be used instead of user_data to pass base64-encoded binary data directly. Use this instead of user_data whenever the value is not a valid UTF-8 string. For example, gzip-encoded user data must be base64-encoded and passed via this argument to avoid corruption. Updates to this field will trigger a stop/start of the EC2 instance by default. If the user_data_replace_on_change is set then updates to this field will trigger a destroy and recreate.
+	UserDataBase64 *string `json:"userDataBase64,omitempty" tf:"user_data_base64,omitempty"`
+
+	// When used in combination with user_data or user_data_base64 will trigger a destroy and recreate when set to true. Defaults to false if not set.
+	UserDataReplaceOnChange *bool `json:"userDataReplaceOnChange,omitempty" tf:"user_data_replace_on_change,omitempty"`
+
+	// List of security group IDs to associate with.
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
+
+	// Map of tags to assign, at instance-creation time, to root and EBS volumes.
+	VolumeTags map[string]*string `json:"volumeTags,omitempty" tf:"volume_tags,omitempty"`
 }
 
 type InstanceParameters struct {
@@ -413,6 +603,15 @@ type InstanceParameters struct {
 }
 
 type LaunchTemplateObservation struct {
+
+	// ID of the launch template. Conflicts with name.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the launch template. Conflicts with id.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Template version. Can be a specific version number, $Latest or $Default. The default value is $Default.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type LaunchTemplateParameters struct {
@@ -431,6 +630,9 @@ type LaunchTemplateParameters struct {
 }
 
 type MaintenanceOptionsObservation struct {
+
+	// Automatic recovery behavior of the Instance. Can be "default" or "disabled". See Recover your instance for more details.
+	AutoRecovery *string `json:"autoRecovery,omitempty" tf:"auto_recovery,omitempty"`
 }
 
 type MaintenanceOptionsParameters struct {
@@ -441,6 +643,18 @@ type MaintenanceOptionsParameters struct {
 }
 
 type MetadataOptionsObservation struct {
+
+	// Whether the metadata service is available. Valid values include enabled or disabled. Defaults to enabled.
+	HTTPEndpoint *string `json:"httpEndpoint,omitempty" tf:"http_endpoint,omitempty"`
+
+	// Desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Valid values are integer from 1 to 64. Defaults to 1.
+	HTTPPutResponseHopLimit *float64 `json:"httpPutResponseHopLimit,omitempty" tf:"http_put_response_hop_limit,omitempty"`
+
+	// Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Valid values include optional or required. Defaults to optional.
+	HTTPTokens *string `json:"httpTokens,omitempty" tf:"http_tokens,omitempty"`
+
+	// Enables or disables access to instance tags from the instance metadata service. Valid values include enabled or disabled. Defaults to disabled.
+	InstanceMetadataTags *string `json:"instanceMetadataTags,omitempty" tf:"instance_metadata_tags,omitempty"`
 }
 
 type MetadataOptionsParameters struct {
@@ -463,6 +677,15 @@ type MetadataOptionsParameters struct {
 }
 
 type PrivateDNSNameOptionsObservation struct {
+
+	// Indicates whether to respond to DNS queries for instance hostnames with DNS A records.
+	EnableResourceNameDNSARecord *bool `json:"enableResourceNameDnsARecord,omitempty" tf:"enable_resource_name_dns_a_record,omitempty"`
+
+	// Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.
+	EnableResourceNameDNSAaaaRecord *bool `json:"enableResourceNameDnsAaaaRecord,omitempty" tf:"enable_resource_name_dns_aaaa_record,omitempty"`
+
+	// Type of hostname for Amazon EC2 instances. For IPv4 only subnets, an instance DNS name must be based on the instance IPv4 address. For IPv6 native subnets, an instance DNS name must be based on the instance ID. For dual-stack subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name and resource-name.
+	HostnameType *string `json:"hostnameType,omitempty" tf:"hostname_type,omitempty"`
 }
 
 type PrivateDNSNameOptionsParameters struct {
@@ -482,11 +705,35 @@ type PrivateDNSNameOptionsParameters struct {
 
 type RootBlockDeviceObservation struct {
 
+	// Whether the volume should be destroyed on instance termination. Defaults to true.
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
 	// Device name, e.g., /dev/sdh or xvdh.
 	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
 
+	// Whether to enable volume encryption. Defaults to false. Must be configured to perform drift detection.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// Amount of provisioned IOPS. Only valid for volume_type of io1, io2 or gp3.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Amazon Resource Name (ARN) of the KMS Key to use when encrypting the volume. Must be configured to perform drift detection.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Map of tags to assign to the device.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
+	// Throughput to provision for a volume in mebibytes per second (MiB/s). This is only valid for volume_type of gp3.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
 	// ID of the volume. For example, the ID can be accessed like this, aws_instance.web.root_block_device.0.volume_id.
 	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
+
+	// Size of the volume in gibibytes (GiB).
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of volume. Valid values include standard, gp2, gp3, io1, io2, sc1, or st1. Defaults to gp2.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type RootBlockDeviceParameters struct {
diff --git a/apis/ec2/v1beta1/zz_instancestate_types.go b/apis/ec2/v1beta1/zz_instancestate_types.go
index c34ed024bf..60d8db9b0e 100755
--- a/apis/ec2/v1beta1/zz_instancestate_types.go
+++ b/apis/ec2/v1beta1/zz_instancestate_types.go
@@ -15,8 +15,17 @@ import (
 
 type InstanceStateObservation struct {
 
+	// Whether to request a forced stop when state is stopped. Otherwise (i.e., state is running), ignored. When an instance is forced to stop, it does not flush file system caches or file system metadata, and you must subsequently perform file system check and repair. Not recommended for Windows instances. Defaults to false.
+	Force *bool `json:"force,omitempty" tf:"force,omitempty"`
+
 	// ID of the instance (matches instance_id).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ID of the instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// - State of the instance. Valid values are stopped, running.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
 }
 
 type InstanceStateParameters struct {
@@ -45,8 +54,8 @@ type InstanceStateParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// - State of the instance. Valid values are stopped, running.
-	// +kubebuilder:validation:Required
-	State *string `json:"state" tf:"state,omitempty"`
+	// +kubebuilder:validation:Optional
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
 }
 
 // InstanceStateSpec defines the desired state of InstanceState
@@ -73,8 +82,9 @@ type InstanceStateStatus struct {
 type InstanceState struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstanceStateSpec   `json:"spec"`
-	Status            InstanceStateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.state)",message="state is a required parameter"
+	Spec   InstanceStateSpec   `json:"spec"`
+	Status InstanceStateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_internetgateway_types.go b/apis/ec2/v1beta1/zz_internetgateway_types.go
index bbd37c0386..5d8783c513 100755
--- a/apis/ec2/v1beta1/zz_internetgateway_types.go
+++ b/apis/ec2/v1beta1/zz_internetgateway_types.go
@@ -24,8 +24,14 @@ type InternetGatewayObservation_2 struct {
 	// The ID of the AWS account that owns the internet gateway.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VPC ID to create in.  See the aws_internet_gateway_attachment resource for an alternate way to attach an Internet Gateway to a VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type InternetGatewayParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_keypair_types.go b/apis/ec2/v1beta1/zz_keypair_types.go
index 8d240c4e29..a2d7d9705f 100755
--- a/apis/ec2/v1beta1/zz_keypair_types.go
+++ b/apis/ec2/v1beta1/zz_keypair_types.go
@@ -30,6 +30,12 @@ type KeyPairObservation struct {
 	// The type of key pair.
 	KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"`
 
+	// The public key material.
+	PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -37,8 +43,8 @@ type KeyPairObservation struct {
 type KeyPairParameters struct {
 
 	// The public key material.
-	// +kubebuilder:validation:Required
-	PublicKey *string `json:"publicKey" tf:"public_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -74,8 +80,9 @@ type KeyPairStatus struct {
 type KeyPair struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              KeyPairSpec   `json:"spec"`
-	Status            KeyPairStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.publicKey)",message="publicKey is a required parameter"
+	Spec   KeyPairSpec   `json:"spec"`
+	Status KeyPairStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_launchtemplate_types.go b/apis/ec2/v1beta1/zz_launchtemplate_types.go
index fb3fe62fdd..c4dfe208df 100755
--- a/apis/ec2/v1beta1/zz_launchtemplate_types.go
+++ b/apis/ec2/v1beta1/zz_launchtemplate_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AcceleratorCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type AcceleratorCountParameters struct {
@@ -28,6 +34,12 @@ type AcceleratorCountParameters struct {
 }
 
 type AcceleratorTotalMemoryMibObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type AcceleratorTotalMemoryMibParameters struct {
@@ -42,6 +54,12 @@ type AcceleratorTotalMemoryMibParameters struct {
 }
 
 type BaselineEBSBandwidthMbpsObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type BaselineEBSBandwidthMbpsParameters struct {
@@ -56,6 +74,20 @@ type BaselineEBSBandwidthMbpsParameters struct {
 }
 
 type BlockDeviceMappingsObservation struct {
+
+	// The name of the device to mount.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Configure EBS volume properties.
+	EBS []EBSObservation `json:"ebs,omitempty" tf:"ebs,omitempty"`
+
+	// Suppresses the specified device included in the AMI's block device mapping.
+	NoDevice *string `json:"noDevice,omitempty" tf:"no_device,omitempty"`
+
+	// The Instance Store Device
+	// Name
+	// (e.g., "ephemeral0").
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type BlockDeviceMappingsParameters struct {
@@ -80,6 +112,13 @@ type BlockDeviceMappingsParameters struct {
 }
 
 type CPUOptionsObservation struct {
+
+	// The number of CPU cores for the instance.
+	CoreCount *float64 `json:"coreCount,omitempty" tf:"core_count,omitempty"`
+
+	// The number of threads per CPU core. To disable Intel Hyper-Threading Technology for the instance, specify a value of 1.
+	// Otherwise, specify the default value of 2.
+	ThreadsPerCore *float64 `json:"threadsPerCore,omitempty" tf:"threads_per_core,omitempty"`
 }
 
 type CPUOptionsParameters struct {
@@ -95,6 +134,12 @@ type CPUOptionsParameters struct {
 }
 
 type CapacityReservationSpecificationCapacityReservationTargetObservation struct {
+
+	// The ID of the Capacity Reservation in which to run the instance.
+	CapacityReservationID *string `json:"capacityReservationId,omitempty" tf:"capacity_reservation_id,omitempty"`
+
+	// The ARN of the Capacity Reservation resource group in which to run the instance.
+	CapacityReservationResourceGroupArn *string `json:"capacityReservationResourceGroupArn,omitempty" tf:"capacity_reservation_resource_group_arn,omitempty"`
 }
 
 type CapacityReservationSpecificationCapacityReservationTargetParameters struct {
@@ -109,6 +154,35 @@ type CapacityReservationSpecificationCapacityReservationTargetParameters struct
 }
 
 type EBSObservation struct {
+
+	// Whether the volume should be destroyed on instance termination.
+	// See Preserving Amazon EBS Volumes on Instance Termination for more information.
+	DeleteOnTermination *string `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Enables EBS encryption on the volume.
+	// Cannot be used with snapshot_id.
+	Encrypted *string `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// The amount of provisioned IOPS.
+	// This must be set with a volume_type of "io1/io2".
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The ARN of the AWS Key Management Service (AWS KMS) customer master key (CMK) to use when creating the encrypted volume.
+	// encrypted must be set to true when this is set.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The Snapshot ID to mount.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// The throughput to provision for a gp3 volume in MiB/s (specified as an integer, e.g., 500), with a maximum of 1,000 MiB/s.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// The size of the volume in gigabytes.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// The volume type.
+	// Can be one of standard, gp2, gp3, io1, io2, sc1 or st1.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type EBSParameters struct {
@@ -162,6 +236,9 @@ type EBSParameters struct {
 }
 
 type ElasticGpuSpecificationsObservation struct {
+
+	// The Elastic GPU Type
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ElasticGpuSpecificationsParameters struct {
@@ -172,6 +249,9 @@ type ElasticGpuSpecificationsParameters struct {
 }
 
 type ElasticInferenceAcceleratorObservation struct {
+
+	// Accelerator type.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ElasticInferenceAcceleratorParameters struct {
@@ -182,6 +262,9 @@ type ElasticInferenceAcceleratorParameters struct {
 }
 
 type HibernationOptionsObservation struct {
+
+	// If set to true, the launched EC2 instance will hibernation enabled.
+	Configured *bool `json:"configured,omitempty" tf:"configured,omitempty"`
 }
 
 type HibernationOptionsParameters struct {
@@ -192,6 +275,12 @@ type HibernationOptionsParameters struct {
 }
 
 type IAMInstanceProfileObservation struct {
+
+	// The Amazon Resource Name (ARN) of the instance profile.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// The name of the instance profile.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type IAMInstanceProfileParameters struct {
@@ -225,6 +314,12 @@ type IAMInstanceProfileParameters struct {
 }
 
 type InstanceMarketOptionsObservation struct {
+
+	// The market type. Can be spot.
+	MarketType *string `json:"marketType,omitempty" tf:"market_type,omitempty"`
+
+	// The options for Spot Instance
+	SpotOptions []SpotOptionsObservation `json:"spotOptions,omitempty" tf:"spot_options,omitempty"`
 }
 
 type InstanceMarketOptionsParameters struct {
@@ -239,6 +334,69 @@ type InstanceMarketOptionsParameters struct {
 }
 
 type InstanceRequirementsObservation struct {
+
+	// Block describing the minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips). Default is no minimum or maximum.
+	AcceleratorCount []AcceleratorCountObservation `json:"acceleratorCount,omitempty" tf:"accelerator_count,omitempty"`
+
+	// List of accelerator manufacturer names. Default is any manufacturer.
+	AcceleratorManufacturers []*string `json:"acceleratorManufacturers,omitempty" tf:"accelerator_manufacturers,omitempty"`
+
+	// List of accelerator names. Default is any acclerator.
+	AcceleratorNames []*string `json:"acceleratorNames,omitempty" tf:"accelerator_names,omitempty"`
+
+	// Block describing the minimum and maximum total memory of the accelerators. Default is no minimum or maximum.
+	AcceleratorTotalMemoryMib []AcceleratorTotalMemoryMibObservation `json:"acceleratorTotalMemoryMib,omitempty" tf:"accelerator_total_memory_mib,omitempty"`
+
+	// List of accelerator types. Default is any accelerator type.
+	AcceleratorTypes []*string `json:"acceleratorTypes,omitempty" tf:"accelerator_types,omitempty"`
+
+	// Indicate whether bare metal instace types should be included, excluded, or required. Default is excluded.
+	BareMetal *string `json:"bareMetal,omitempty" tf:"bare_metal,omitempty"`
+
+	// Block describing the minimum and maximum baseline EBS bandwidth, in Mbps. Default is no minimum or maximum.
+	BaselineEBSBandwidthMbps []BaselineEBSBandwidthMbpsObservation `json:"baselineEbsBandwidthMbps,omitempty" tf:"baseline_ebs_bandwidth_mbps,omitempty"`
+
+	// Indicate whether burstable performance instance types should be included, excluded, or required. Default is excluded.
+	BurstablePerformance *string `json:"burstablePerformance,omitempty" tf:"burstable_performance,omitempty"`
+
+	// List of CPU manufacturer names. Default is any manufacturer.
+	CPUManufacturers []*string `json:"cpuManufacturers,omitempty" tf:"cpu_manufacturers,omitempty"`
+
+	// List of instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk (*). The following are examples: c5*, m5a.*, r*, *3*. For example, if you specify c5*, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify m5a.*, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types.
+	ExcludedInstanceTypes []*string `json:"excludedInstanceTypes,omitempty" tf:"excluded_instance_types,omitempty"`
+
+	// List of instance generation names. Default is any generation.
+	InstanceGenerations []*string `json:"instanceGenerations,omitempty" tf:"instance_generations,omitempty"`
+
+	// Indicate whether instance types with local storage volumes are included, excluded, or required. Default is included.
+	LocalStorage *string `json:"localStorage,omitempty" tf:"local_storage,omitempty"`
+
+	// List of local storage type names. Default any storage type.
+	LocalStorageTypes []*string `json:"localStorageTypes,omitempty" tf:"local_storage_types,omitempty"`
+
+	// Block describing the minimum and maximum amount of memory (GiB) per vCPU. Default is no minimum or maximum.
+	MemoryGibPerVcpu []MemoryGibPerVcpuObservation `json:"memoryGibPerVcpu,omitempty" tf:"memory_gib_per_vcpu,omitempty"`
+
+	// Block describing the minimum and maximum amount of memory (MiB). Default is no maximum.
+	MemoryMib []MemoryMibObservation `json:"memoryMib,omitempty" tf:"memory_mib,omitempty"`
+
+	// Block describing the minimum and maximum number of network interfaces. Default is no minimum or maximum.
+	NetworkInterfaceCount []NetworkInterfaceCountObservation `json:"networkInterfaceCount,omitempty" tf:"network_interface_count,omitempty"`
+
+	// The price protection threshold for On-Demand Instances. This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 20.
+	OnDemandMaxPricePercentageOverLowestPrice *float64 `json:"onDemandMaxPricePercentageOverLowestPrice,omitempty" tf:"on_demand_max_price_percentage_over_lowest_price,omitempty"`
+
+	// Indicate whether instance types must support On-Demand Instance Hibernation, either true or false. Default is false.
+	RequireHibernateSupport *bool `json:"requireHibernateSupport,omitempty" tf:"require_hibernate_support,omitempty"`
+
+	// The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 100.
+	SpotMaxPricePercentageOverLowestPrice *float64 `json:"spotMaxPricePercentageOverLowestPrice,omitempty" tf:"spot_max_price_percentage_over_lowest_price,omitempty"`
+
+	// Block describing the minimum and maximum total local storage (GB). Default is no minimum or maximum.
+	TotalLocalStorageGb []TotalLocalStorageGbObservation `json:"totalLocalStorageGb,omitempty" tf:"total_local_storage_gb,omitempty"`
+
+	// Block describing the minimum and maximum number of vCPUs. Default is no maximum.
+	VcpuCount []VcpuCountObservation `json:"vcpuCount,omitempty" tf:"vcpu_count,omitempty"`
 }
 
 type InstanceRequirementsParameters struct {
@@ -329,6 +487,12 @@ type InstanceRequirementsParameters struct {
 }
 
 type LaunchTemplateCapacityReservationSpecificationObservation struct {
+
+	// Indicates the instance's Capacity Reservation preferences. Can be open or none. (Default none).
+	CapacityReservationPreference *string `json:"capacityReservationPreference,omitempty" tf:"capacity_reservation_preference,omitempty"`
+
+	// Used to target a specific Capacity Reservation:
+	CapacityReservationTarget []CapacityReservationSpecificationCapacityReservationTargetObservation `json:"capacityReservationTarget,omitempty" tf:"capacity_reservation_target,omitempty"`
 }
 
 type LaunchTemplateCapacityReservationSpecificationParameters struct {
@@ -343,6 +507,9 @@ type LaunchTemplateCapacityReservationSpecificationParameters struct {
 }
 
 type LaunchTemplateCreditSpecificationObservation struct {
+
+	// The credit option for CPU usage. Can be "standard" or "unlimited". T3 instances are launched as unlimited by default. T2 instances are launched as standard by default.
+	CPUCredits *string `json:"cpuCredits,omitempty" tf:"cpu_credits,omitempty"`
 }
 
 type LaunchTemplateCreditSpecificationParameters struct {
@@ -353,6 +520,9 @@ type LaunchTemplateCreditSpecificationParameters struct {
 }
 
 type LaunchTemplateEnclaveOptionsObservation struct {
+
+	// If set to true, Nitro Enclaves will be enabled on the instance.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type LaunchTemplateEnclaveOptionsParameters struct {
@@ -363,6 +533,9 @@ type LaunchTemplateEnclaveOptionsParameters struct {
 }
 
 type LaunchTemplateMaintenanceOptionsObservation struct {
+
+	// Disables the automatic recovery behavior of your instance or sets it to default. Can be "default" or "disabled". See Recover your instance for more details.
+	AutoRecovery *string `json:"autoRecovery,omitempty" tf:"auto_recovery,omitempty"`
 }
 
 type LaunchTemplateMaintenanceOptionsParameters struct {
@@ -373,6 +546,21 @@ type LaunchTemplateMaintenanceOptionsParameters struct {
 }
 
 type LaunchTemplateMetadataOptionsObservation struct {
+
+	// Whether the metadata service is available. Can be "enabled" or "disabled". (Default: "enabled").
+	HTTPEndpoint *string `json:"httpEndpoint,omitempty" tf:"http_endpoint,omitempty"`
+
+	// Enables or disables the IPv6 endpoint for the instance metadata service. (Default: disabled).
+	HTTPProtocolIPv6 *string `json:"httpProtocolIpv6,omitempty" tf:"http_protocol_ipv6,omitempty"`
+
+	// The desired HTTP PUT response hop limit for instance metadata requests. The larger the number, the further instance metadata requests can travel. Can be an integer from 1 to 64. (Default: 1).
+	HTTPPutResponseHopLimit *float64 `json:"httpPutResponseHopLimit,omitempty" tf:"http_put_response_hop_limit,omitempty"`
+
+	// Whether or not the metadata service requires session tokens, also referred to as Instance Metadata Service Version 2 (IMDSv2). Can be "optional" or "required". (Default: "optional").
+	HTTPTokens *string `json:"httpTokens,omitempty" tf:"http_tokens,omitempty"`
+
+	// Enables or disables access to instance tags from the instance metadata service. (Default: disabled).
+	InstanceMetadataTags *string `json:"instanceMetadataTags,omitempty" tf:"instance_metadata_tags,omitempty"`
 }
 
 type LaunchTemplateMetadataOptionsParameters struct {
@@ -403,14 +591,131 @@ type LaunchTemplateObservation_2 struct {
 	// Amazon Resource Name (ARN) of the launch template.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specify volumes to attach to the instance besides the volumes specified by the AMI.
+	// See Block Devices below for details.
+	BlockDeviceMappings []BlockDeviceMappingsObservation `json:"blockDeviceMappings,omitempty" tf:"block_device_mappings,omitempty"`
+
+	// The CPU options for the instance. See CPU Options below for more details.
+	CPUOptions []CPUOptionsObservation `json:"cpuOptions,omitempty" tf:"cpu_options,omitempty"`
+
+	// Targeting for EC2 capacity reservations. See Capacity Reservation Specification below for more details.
+	CapacityReservationSpecification []LaunchTemplateCapacityReservationSpecificationObservation `json:"capacityReservationSpecification,omitempty" tf:"capacity_reservation_specification,omitempty"`
+
+	// Customize the credit specification of the instance. See Credit
+	// Specification below for more details.
+	CreditSpecification []LaunchTemplateCreditSpecificationObservation `json:"creditSpecification,omitempty" tf:"credit_specification,omitempty"`
+
+	// Default Version of the launch template.
+	DefaultVersion *float64 `json:"defaultVersion,omitempty" tf:"default_version,omitempty"`
+
+	// Description of the launch template.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// If true, enables EC2 Instance Stop Protection.
+	DisableAPIStop *bool `json:"disableApiStop,omitempty" tf:"disable_api_stop,omitempty"`
+
+	// If true, enables EC2 Instance
+	// Termination Protection
+	DisableAPITermination *bool `json:"disableApiTermination,omitempty" tf:"disable_api_termination,omitempty"`
+
+	// If true, the launched EC2 instance will be EBS-optimized.
+	EBSOptimized *string `json:"ebsOptimized,omitempty" tf:"ebs_optimized,omitempty"`
+
+	// The elastic GPU to attach to the instance. See Elastic GPU
+	// below for more details.
+	ElasticGpuSpecifications []ElasticGpuSpecificationsObservation `json:"elasticGpuSpecifications,omitempty" tf:"elastic_gpu_specifications,omitempty"`
+
+	// Configuration block containing an Elastic Inference Accelerator to attach to the instance. See Elastic Inference Accelerator below for more details.
+	ElasticInferenceAccelerator []ElasticInferenceAcceleratorObservation `json:"elasticInferenceAccelerator,omitempty" tf:"elastic_inference_accelerator,omitempty"`
+
+	// Enable Nitro Enclaves on launched instances. See Enclave Options below for more details.
+	EnclaveOptions []LaunchTemplateEnclaveOptionsObservation `json:"enclaveOptions,omitempty" tf:"enclave_options,omitempty"`
+
+	// The hibernation options for the instance. See Hibernation Options below for more details.
+	HibernationOptions []HibernationOptionsObservation `json:"hibernationOptions,omitempty" tf:"hibernation_options,omitempty"`
+
+	// The IAM Instance Profile to launch the instance with. See Instance Profile
+	// below for more details.
+	IAMInstanceProfile []IAMInstanceProfileObservation `json:"iamInstanceProfile,omitempty" tf:"iam_instance_profile,omitempty"`
+
 	// The ID of the launch template.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The AMI from which to launch the instance.
+	ImageID *string `json:"imageId,omitempty" tf:"image_id,omitempty"`
+
+	// Shutdown behavior for the instance. Can be stop or terminate.
+	// (Default: stop).
+	InstanceInitiatedShutdownBehavior *string `json:"instanceInitiatedShutdownBehavior,omitempty" tf:"instance_initiated_shutdown_behavior,omitempty"`
+
+	// The market (purchasing) option for the instance. See Market Options
+	// below for details.
+	InstanceMarketOptions []InstanceMarketOptionsObservation `json:"instanceMarketOptions,omitempty" tf:"instance_market_options,omitempty"`
+
+	// The attribute requirements for the type of instance. If present then instance_type cannot be present.
+	InstanceRequirements []InstanceRequirementsObservation `json:"instanceRequirements,omitempty" tf:"instance_requirements,omitempty"`
+
+	// The type of the instance. If present then instance_requirements cannot be present.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The kernel ID.
+	KernelID *string `json:"kernelId,omitempty" tf:"kernel_id,omitempty"`
+
+	// The key name to use for the instance.
+	KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+
 	// The latest version of the launch template.
 	LatestVersion *float64 `json:"latestVersion,omitempty" tf:"latest_version,omitempty"`
 
+	// A list of license specifications to associate with. See License Specification below for more details.
+	LicenseSpecification []LicenseSpecificationObservation `json:"licenseSpecification,omitempty" tf:"license_specification,omitempty"`
+
+	// The maintenance options for the instance. See Maintenance Options below for more details.
+	MaintenanceOptions []LaunchTemplateMaintenanceOptionsObservation `json:"maintenanceOptions,omitempty" tf:"maintenance_options,omitempty"`
+
+	// Customize the metadata options for the instance. See Metadata Options below for more details.
+	MetadataOptions []LaunchTemplateMetadataOptionsObservation `json:"metadataOptions,omitempty" tf:"metadata_options,omitempty"`
+
+	// The monitoring option for the instance. See Monitoring below for more details.
+	Monitoring []MonitoringObservation `json:"monitoring,omitempty" tf:"monitoring,omitempty"`
+
+	// The name of the launch template.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Customize network interfaces to be attached at instance boot time. See Network
+	// Interfaces below for more details.
+	NetworkInterfaces []NetworkInterfacesObservation `json:"networkInterfaces,omitempty" tf:"network_interfaces,omitempty"`
+
+	// The placement of the instance. See Placement below for more details.
+	Placement []PlacementObservation `json:"placement,omitempty" tf:"placement,omitempty"`
+
+	// The options for the instance hostname. The default values are inherited from the subnet. See Private DNS Name Options below for more details.
+	PrivateDNSNameOptions []LaunchTemplatePrivateDNSNameOptionsObservation `json:"privateDnsNameOptions,omitempty" tf:"private_dns_name_options,omitempty"`
+
+	// The ID of the RAM disk.
+	RAMDiskID *string `json:"ramDiskId,omitempty" tf:"ram_disk_id,omitempty"`
+
+	// A list of security group names to associate with. If you are creating Instances in a VPC, use
+	// vpc_security_group_ids instead.
+	SecurityGroupNames []*string `json:"securityGroupNames,omitempty" tf:"security_group_names,omitempty"`
+
+	// The tags to apply to the resources during launch. See Tag Specifications below for more details.
+	TagSpecifications []TagSpecificationsObservation `json:"tagSpecifications,omitempty" tf:"tag_specifications,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to update Default Version each update. Conflicts with default_version.
+	UpdateDefaultVersion *bool `json:"updateDefaultVersion,omitempty" tf:"update_default_version,omitempty"`
+
+	// The base64-encoded user data to provide when launching the instance.
+	UserData *string `json:"userData,omitempty" tf:"user_data,omitempty"`
+
+	// A list of security group IDs to associate with. Conflicts with network_interfaces.security_groups
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 }
 
 type LaunchTemplateParameters_2 struct {
@@ -597,6 +902,15 @@ type LaunchTemplateParameters_2 struct {
 }
 
 type LaunchTemplatePrivateDNSNameOptionsObservation struct {
+
+	// Indicates whether to respond to DNS queries for instance hostnames with DNS A records.
+	EnableResourceNameDNSARecord *bool `json:"enableResourceNameDnsARecord,omitempty" tf:"enable_resource_name_dns_a_record,omitempty"`
+
+	// Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records.
+	EnableResourceNameDNSAaaaRecord *bool `json:"enableResourceNameDnsAaaaRecord,omitempty" tf:"enable_resource_name_dns_aaaa_record,omitempty"`
+
+	// The type of hostname for Amazon EC2 instances. For IPv4 only subnets, an instance DNS name must be based on the instance IPv4 address. For IPv6 native subnets, an instance DNS name must be based on the instance ID. For dual-stack subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name and resource-name.
+	HostnameType *string `json:"hostnameType,omitempty" tf:"hostname_type,omitempty"`
 }
 
 type LaunchTemplatePrivateDNSNameOptionsParameters struct {
@@ -615,6 +929,9 @@ type LaunchTemplatePrivateDNSNameOptionsParameters struct {
 }
 
 type LicenseSpecificationObservation struct {
+
+	// ARN of the license configuration.
+	LicenseConfigurationArn *string `json:"licenseConfigurationArn,omitempty" tf:"license_configuration_arn,omitempty"`
 }
 
 type LicenseSpecificationParameters struct {
@@ -625,6 +942,12 @@ type LicenseSpecificationParameters struct {
 }
 
 type MemoryGibPerVcpuObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type MemoryGibPerVcpuParameters struct {
@@ -639,6 +962,12 @@ type MemoryGibPerVcpuParameters struct {
 }
 
 type MemoryMibObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type MemoryMibParameters struct {
@@ -653,6 +982,9 @@ type MemoryMibParameters struct {
 }
 
 type MonitoringObservation struct {
+
+	// If true, the launched EC2 instance will have detailed monitoring enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type MonitoringParameters struct {
@@ -663,6 +995,12 @@ type MonitoringParameters struct {
 }
 
 type NetworkInterfaceCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type NetworkInterfaceCountParameters struct {
@@ -677,6 +1015,66 @@ type NetworkInterfaceCountParameters struct {
 }
 
 type NetworkInterfacesObservation struct {
+
+	// Associate a Carrier IP address with eth0 for a new network interface.
+	// Use this option when you launch an instance in a Wavelength Zone and want to associate a Carrier IP address with the network interface.
+	// Boolean value, can be left unset.
+	AssociateCarrierIPAddress *string `json:"associateCarrierIpAddress,omitempty" tf:"associate_carrier_ip_address,omitempty"`
+
+	// Associate a public ip address with the network interface.
+	// Boolean value, can be left unset.
+	AssociatePublicIPAddress *string `json:"associatePublicIpAddress,omitempty" tf:"associate_public_ip_address,omitempty"`
+
+	// Whether the network interface should be destroyed on instance termination.
+	DeleteOnTermination *string `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Description of the network interface.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The integer index of the network interface attachment.
+	DeviceIndex *float64 `json:"deviceIndex,omitempty" tf:"device_index,omitempty"`
+
+	// The number of secondary private IPv4 addresses to assign to a network interface. Conflicts with ipv4_addresses
+	IPv4AddressCount *float64 `json:"ipv4AddressCount,omitempty" tf:"ipv4_address_count,omitempty"`
+
+	// One or more private IPv4 addresses to associate. Conflicts with ipv4_address_count
+	IPv4Addresses []*string `json:"ipv4Addresses,omitempty" tf:"ipv4_addresses,omitempty"`
+
+	// The number of IPv4 prefixes to be automatically assigned to the network interface. Conflicts with ipv4_prefixes
+	IPv4PrefixCount *float64 `json:"ipv4PrefixCount,omitempty" tf:"ipv4_prefix_count,omitempty"`
+
+	// One or more IPv4 prefixes to be assigned to the network interface. Conflicts with ipv4_prefix_count
+	IPv4Prefixes []*string `json:"ipv4Prefixes,omitempty" tf:"ipv4_prefixes,omitempty"`
+
+	// The number of IPv6 addresses to assign to a network interface. Conflicts with ipv6_addresses
+	IPv6AddressCount *float64 `json:"ipv6AddressCount,omitempty" tf:"ipv6_address_count,omitempty"`
+
+	// One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet. Conflicts with ipv6_address_count
+	IPv6Addresses []*string `json:"ipv6Addresses,omitempty" tf:"ipv6_addresses,omitempty"`
+
+	// The number of IPv6 prefixes to be automatically assigned to the network interface. Conflicts with ipv6_prefixes
+	IPv6PrefixCount *float64 `json:"ipv6PrefixCount,omitempty" tf:"ipv6_prefix_count,omitempty"`
+
+	// One or more IPv6 prefixes to be assigned to the network interface. Conflicts with ipv6_prefix_count
+	IPv6Prefixes []*string `json:"ipv6Prefixes,omitempty" tf:"ipv6_prefixes,omitempty"`
+
+	// The type of network interface. To create an Elastic Fabric Adapter (EFA), specify efa.
+	InterfaceType *string `json:"interfaceType,omitempty" tf:"interface_type,omitempty"`
+
+	// The index of the network card. Some instance types support multiple network cards. The primary network interface must be assigned to network card index 0. The default is network card index 0.
+	NetworkCardIndex *float64 `json:"networkCardIndex,omitempty" tf:"network_card_index,omitempty"`
+
+	// The ID of the network interface to attach.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
+	// The primary private IPv4 address.
+	PrivateIPAddress *string `json:"privateIpAddress,omitempty" tf:"private_ip_address,omitempty"`
+
+	// A list of security group IDs to associate.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The VPC Subnet ID to associate.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type NetworkInterfacesParameters struct {
@@ -791,6 +1189,30 @@ type NetworkInterfacesParameters struct {
 }
 
 type PlacementObservation struct {
+
+	// The affinity setting for an instance on a Dedicated Host.
+	Affinity *string `json:"affinity,omitempty" tf:"affinity,omitempty"`
+
+	// The Availability Zone for the instance.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The name of the placement group for the instance.
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
+
+	// The ID of the Dedicated Host for the instance.
+	HostID *string `json:"hostId,omitempty" tf:"host_id,omitempty"`
+
+	// The ARN of the Host Resource Group in which to launch instances.
+	HostResourceGroupArn *string `json:"hostResourceGroupArn,omitempty" tf:"host_resource_group_arn,omitempty"`
+
+	// The number of the partition the instance should launch in. Valid only if the placement group strategy is set to partition.
+	PartitionNumber *float64 `json:"partitionNumber,omitempty" tf:"partition_number,omitempty"`
+
+	// Reserved for future use.
+	SpreadDomain *string `json:"spreadDomain,omitempty" tf:"spread_domain,omitempty"`
+
+	// The tenancy of the instance (if the instance is running in a VPC). Can be default, dedicated, or host.
+	Tenancy *string `json:"tenancy,omitempty" tf:"tenancy,omitempty"`
 }
 
 type PlacementParameters struct {
@@ -829,6 +1251,22 @@ type PlacementParameters struct {
 }
 
 type SpotOptionsObservation struct {
+
+	// The required duration in minutes. This value must be a multiple of 60.
+	BlockDurationMinutes *float64 `json:"blockDurationMinutes,omitempty" tf:"block_duration_minutes,omitempty"`
+
+	// The behavior when a Spot Instance is interrupted. Can be hibernate,
+	// stop, or terminate. (Default: terminate).
+	InstanceInterruptionBehavior *string `json:"instanceInterruptionBehavior,omitempty" tf:"instance_interruption_behavior,omitempty"`
+
+	// The maximum hourly price you're willing to pay for the Spot Instances.
+	MaxPrice *string `json:"maxPrice,omitempty" tf:"max_price,omitempty"`
+
+	// The Spot Instance request type. Can be one-time, or persistent.
+	SpotInstanceType *string `json:"spotInstanceType,omitempty" tf:"spot_instance_type,omitempty"`
+
+	// The end date of the request.
+	ValidUntil *string `json:"validUntil,omitempty" tf:"valid_until,omitempty"`
 }
 
 type SpotOptionsParameters struct {
@@ -856,6 +1294,12 @@ type SpotOptionsParameters struct {
 }
 
 type TagSpecificationsObservation struct {
+
+	// The type of resource to tag.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// A map of tags to assign to the resource.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type TagSpecificationsParameters struct {
@@ -870,6 +1314,12 @@ type TagSpecificationsParameters struct {
 }
 
 type TotalLocalStorageGbObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type TotalLocalStorageGbParameters struct {
@@ -884,6 +1334,12 @@ type TotalLocalStorageGbParameters struct {
 }
 
 type VcpuCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type VcpuCountParameters struct {
diff --git a/apis/ec2/v1beta1/zz_mainroutetableassociation_types.go b/apis/ec2/v1beta1/zz_mainroutetableassociation_types.go
index 17ce96bfd0..2444f44892 100755
--- a/apis/ec2/v1beta1/zz_mainroutetableassociation_types.go
+++ b/apis/ec2/v1beta1/zz_mainroutetableassociation_types.go
@@ -20,6 +20,13 @@ type MainRouteTableAssociationObservation struct {
 
 	// Used internally, see Notes below
 	OriginalRouteTableID *string `json:"originalRouteTableId,omitempty" tf:"original_route_table_id,omitempty"`
+
+	// The ID of the Route Table to set as the new
+	// main route table for the target VPC
+	RouteTableID *string `json:"routeTableId,omitempty" tf:"route_table_id,omitempty"`
+
+	// The ID of the VPC whose main route table should be set
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type MainRouteTableAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_managedprefixlist_types.go b/apis/ec2/v1beta1/zz_managedprefixlist_types.go
index 9fbed56762..7bdcf5d079 100755
--- a/apis/ec2/v1beta1/zz_managedprefixlist_types.go
+++ b/apis/ec2/v1beta1/zz_managedprefixlist_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type EntryObservation struct {
+
+	// CIDR block of this entry.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
+
+	// Description of this entry. Due to API limitations, updating only the description of an existing entry requires temporarily removing and re-adding the entry.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 }
 
 type EntryParameters struct {
@@ -39,15 +45,30 @@ type EntryParameters struct {
 
 type ManagedPrefixListObservation struct {
 
+	// Address family (IPv4 or IPv6) of this prefix list.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
 	// ARN of the prefix list.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block for prefix list entry. Detailed below. Different entries may have overlapping CIDR blocks, but a particular CIDR should not be duplicated.
+	Entry []EntryObservation `json:"entry,omitempty" tf:"entry,omitempty"`
+
 	// ID of the prefix list.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Maximum number of entries that this prefix list can contain.
+	MaxEntries *float64 `json:"maxEntries,omitempty" tf:"max_entries,omitempty"`
+
+	// Name of this resource. The name must not start with com.amazonaws.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// ID of the AWS account that owns this prefix list.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -58,20 +79,20 @@ type ManagedPrefixListObservation struct {
 type ManagedPrefixListParameters struct {
 
 	// Address family (IPv4 or IPv6) of this prefix list.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// Configuration block for prefix list entry. Detailed below. Different entries may have overlapping CIDR blocks, but a particular CIDR should not be duplicated.
 	// +kubebuilder:validation:Optional
 	Entry []EntryParameters `json:"entry,omitempty" tf:"entry,omitempty"`
 
 	// Maximum number of entries that this prefix list can contain.
-	// +kubebuilder:validation:Required
-	MaxEntries *float64 `json:"maxEntries" tf:"max_entries,omitempty"`
+	// +kubebuilder:validation:Optional
+	MaxEntries *float64 `json:"maxEntries,omitempty" tf:"max_entries,omitempty"`
 
 	// Name of this resource. The name must not start with com.amazonaws.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -107,8 +128,11 @@ type ManagedPrefixListStatus struct {
 type ManagedPrefixList struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ManagedPrefixListSpec   `json:"spec"`
-	Status            ManagedPrefixListStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxEntries)",message="maxEntries is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ManagedPrefixListSpec   `json:"spec"`
+	Status ManagedPrefixListStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_managedprefixlistentry_types.go b/apis/ec2/v1beta1/zz_managedprefixlistentry_types.go
index 45f5980e57..663124cfc1 100755
--- a/apis/ec2/v1beta1/zz_managedprefixlistentry_types.go
+++ b/apis/ec2/v1beta1/zz_managedprefixlistentry_types.go
@@ -15,8 +15,17 @@ import (
 
 type ManagedPrefixListEntryObservation struct {
 
+	// CIDR block of this entry.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
+
+	// Description of this entry. Due to API limitations, updating only the description of an entry requires recreating the entry.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// ID of the managed prefix list entry.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// CIDR block of this entry.
+	PrefixListID *string `json:"prefixListId,omitempty" tf:"prefix_list_id,omitempty"`
 }
 
 type ManagedPrefixListEntryParameters struct {
diff --git a/apis/ec2/v1beta1/zz_natgateway_types.go b/apis/ec2/v1beta1/zz_natgateway_types.go
index 69d33a2bef..44d88bbfa2 100755
--- a/apis/ec2/v1beta1/zz_natgateway_types.go
+++ b/apis/ec2/v1beta1/zz_natgateway_types.go
@@ -15,15 +15,30 @@ import (
 
 type NATGatewayObservation_2 struct {
 
+	// The Allocation ID of the Elastic IP address for the gateway. Required for connectivity_type of public.
+	AllocationID *string `json:"allocationId,omitempty" tf:"allocation_id,omitempty"`
+
+	// Connectivity type for the gateway. Valid values are private and public. Defaults to public.
+	ConnectivityType *string `json:"connectivityType,omitempty" tf:"connectivity_type,omitempty"`
+
 	// The ID of the NAT Gateway.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The ID of the network interface associated with the NAT gateway.
 	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
 
+	// The private IPv4 address to assign to the NAT gateway. If you don't provide an address, a private IPv4 address will be automatically assigned.
+	PrivateIP *string `json:"privateIp,omitempty" tf:"private_ip,omitempty"`
+
 	// The Elastic IP address associated with the NAT gateway.
 	PublicIP *string `json:"publicIp,omitempty" tf:"public_ip,omitempty"`
 
+	// The Subnet ID of the subnet in which to place the gateway.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_networkacl_types.go b/apis/ec2/v1beta1/zz_networkacl_types.go
index 278363f326..bdf02f0c25 100755
--- a/apis/ec2/v1beta1/zz_networkacl_types.go
+++ b/apis/ec2/v1beta1/zz_networkacl_types.go
@@ -102,8 +102,17 @@ type NetworkACLObservation struct {
 	// The ID of the AWS account that owns the network ACL.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// A list of Subnet IDs to apply the ACL to
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the associated VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type NetworkACLParameters struct {
diff --git a/apis/ec2/v1beta1/zz_networkaclrule_types.go b/apis/ec2/v1beta1/zz_networkaclrule_types.go
index 59a46fc2e8..00139a35ce 100755
--- a/apis/ec2/v1beta1/zz_networkaclrule_types.go
+++ b/apis/ec2/v1beta1/zz_networkaclrule_types.go
@@ -15,8 +15,41 @@ import (
 
 type NetworkACLRuleObservation struct {
 
+	// The network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
+	// Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet). Default false.
+	Egress *bool `json:"egress,omitempty" tf:"egress,omitempty"`
+
+	// The from port to match.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
 	// The ID of the network ACL Rule
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The IPv6 CIDR block to allow or deny.
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
+	// ICMP protocol: The ICMP code. Required if specifying ICMP for the protocolE.g., -1
+	IcmpCode *float64 `json:"icmpCode,omitempty" tf:"icmp_code,omitempty"`
+
+	// ICMP protocol: The ICMP type. Required if specifying ICMP for the protocolE.g., -1
+	IcmpType *float64 `json:"icmpType,omitempty" tf:"icmp_type,omitempty"`
+
+	// The ID of the network ACL.
+	NetworkACLID *string `json:"networkAclId,omitempty" tf:"network_acl_id,omitempty"`
+
+	// The protocol. A value of -1 means all protocols.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
+	RuleAction *string `json:"ruleAction,omitempty" tf:"rule_action,omitempty"`
+
+	// The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
+	RuleNumber *float64 `json:"ruleNumber,omitempty" tf:"rule_number,omitempty"`
+
+	// The to port to match.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type NetworkACLRuleParameters struct {
@@ -60,8 +93,8 @@ type NetworkACLRuleParameters struct {
 	NetworkACLIDSelector *v1.Selector `json:"networkAclIdSelector,omitempty" tf:"-"`
 
 	// The protocol. A value of -1 means all protocols.
-	// +kubebuilder:validation:Required
-	Protocol *string `json:"protocol" tf:"protocol,omitempty"`
+	// +kubebuilder:validation:Optional
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,12 +102,12 @@ type NetworkACLRuleParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Indicates whether to allow or deny the traffic that matches the rule. Accepted values: allow | deny
-	// +kubebuilder:validation:Required
-	RuleAction *string `json:"ruleAction" tf:"rule_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleAction *string `json:"ruleAction,omitempty" tf:"rule_action,omitempty"`
 
 	// The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
-	// +kubebuilder:validation:Required
-	RuleNumber *float64 `json:"ruleNumber" tf:"rule_number,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleNumber *float64 `json:"ruleNumber,omitempty" tf:"rule_number,omitempty"`
 
 	// The to port to match.
 	// +kubebuilder:validation:Optional
@@ -105,8 +138,11 @@ type NetworkACLRuleStatus struct {
 type NetworkACLRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NetworkACLRuleSpec   `json:"spec"`
-	Status            NetworkACLRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)",message="protocol is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleAction)",message="ruleAction is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleNumber)",message="ruleNumber is a required parameter"
+	Spec   NetworkACLRuleSpec   `json:"spec"`
+	Status NetworkACLRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_networkinsightsanalysis_types.go b/apis/ec2/v1beta1/zz_networkinsightsanalysis_types.go
index 30e6ae5e04..bf889c1c9b 100755
--- a/apis/ec2/v1beta1/zz_networkinsightsanalysis_types.go
+++ b/apis/ec2/v1beta1/zz_networkinsightsanalysis_types.go
@@ -640,12 +640,18 @@ type NetworkInsightsAnalysisObservation struct {
 	// Explanation codes for an unreachable path. See the AWS documentation for details.
 	Explanations []ExplanationsObservation `json:"explanations,omitempty" tf:"explanations,omitempty"`
 
+	// A list of ARNs for resources the path must traverse.
+	FilterInArns []*string `json:"filterInArns,omitempty" tf:"filter_in_arns,omitempty"`
+
 	// The components in the path from source to destination. See the AWS documentation for details.
 	ForwardPathComponents []ForwardPathComponentsObservation `json:"forwardPathComponents,omitempty" tf:"forward_path_components,omitempty"`
 
 	// ID of the Network Insights Analysis.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ID of the Network Insights Path to run an analysis on.
+	NetworkInsightsPathID *string `json:"networkInsightsPathId,omitempty" tf:"network_insights_path_id,omitempty"`
+
 	// Set to true if the destination was reachable.
 	PathFound *bool `json:"pathFound,omitempty" tf:"path_found,omitempty"`
 
@@ -661,9 +667,15 @@ type NetworkInsightsAnalysisObservation struct {
 	// A message to provide more context when the status is failed.
 	StatusMessage *string `json:"statusMessage,omitempty" tf:"status_message,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// If enabled, the resource will wait for the Network Insights Analysis status to change to succeeded or failed. Setting this to false will skip the process. Default: true.
+	WaitForCompletion *bool `json:"waitForCompletion,omitempty" tf:"wait_for_completion,omitempty"`
+
 	// The warning message.
 	WarningMessage *string `json:"warningMessage,omitempty" tf:"warning_message,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_networkinsightspath_types.go b/apis/ec2/v1beta1/zz_networkinsightspath_types.go
index c1df27eaec..6f603cac6a 100755
--- a/apis/ec2/v1beta1/zz_networkinsightspath_types.go
+++ b/apis/ec2/v1beta1/zz_networkinsightspath_types.go
@@ -18,9 +18,30 @@ type NetworkInsightsPathObservation struct {
 	// ARN of the Network Insights Path.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ID of the resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// IP address of the destination resource.
+	DestinationIP *string `json:"destinationIp,omitempty" tf:"destination_ip,omitempty"`
+
+	// Destination port to analyze access to.
+	DestinationPort *float64 `json:"destinationPort,omitempty" tf:"destination_port,omitempty"`
+
 	// ID of the Network Insights Path.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Protocol to use for analysis. Valid options are tcp or udp.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// ID of the resource which is the source of the path. Can be an Instance, Internet Gateway, Network Interface, Transit Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// IP address of the source resource.
+	SourceIP *string `json:"sourceIp,omitempty" tf:"source_ip,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -50,8 +71,8 @@ type NetworkInsightsPathParameters struct {
 	DestinationSelector *v1.Selector `json:"destinationSelector,omitempty" tf:"-"`
 
 	// Protocol to use for analysis. Valid options are tcp or udp.
-	// +kubebuilder:validation:Required
-	Protocol *string `json:"protocol" tf:"protocol,omitempty"`
+	// +kubebuilder:validation:Optional
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -105,8 +126,9 @@ type NetworkInsightsPathStatus struct {
 type NetworkInsightsPath struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NetworkInsightsPathSpec   `json:"spec"`
-	Status            NetworkInsightsPathStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)",message="protocol is a required parameter"
+	Spec   NetworkInsightsPathSpec   `json:"spec"`
+	Status NetworkInsightsPathStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_networkinterface_types.go b/apis/ec2/v1beta1/zz_networkinterface_types.go
index 176081b2d5..b944c6587a 100755
--- a/apis/ec2/v1beta1/zz_networkinterface_types.go
+++ b/apis/ec2/v1beta1/zz_networkinterface_types.go
@@ -36,9 +36,39 @@ type NetworkInterfaceObservation_2 struct {
 	// Configuration block to define the attachment of the ENI. See Attachment below for more details!
 	Attachment []AttachmentObservation `json:"attachment,omitempty" tf:"attachment,omitempty"`
 
+	// Description for the network interface.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// ID of the network interface.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Number of IPv4 prefixes that AWS automatically assigns to the network interface.
+	IPv4PrefixCount *float64 `json:"ipv4PrefixCount,omitempty" tf:"ipv4_prefix_count,omitempty"`
+
+	// One or more IPv4 prefixes assigned to the network interface.
+	IPv4Prefixes []*string `json:"ipv4Prefixes,omitempty" tf:"ipv4_prefixes,omitempty"`
+
+	// Number of IPv6 addresses to assign to a network interface. You can't use this option if specifying specific ipv6_addresses. If your subnet has the AssignIpv6AddressOnCreation attribute set to true, you can specify 0 to override this setting.
+	IPv6AddressCount *float64 `json:"ipv6AddressCount,omitempty" tf:"ipv6_address_count,omitempty"`
+
+	// List of private IPs to assign to the ENI in sequential order.
+	IPv6AddressList []*string `json:"ipv6AddressList,omitempty" tf:"ipv6_address_list,omitempty"`
+
+	// Whether ipv6_address_list is allowed and controls the IPs to assign to the ENI and ipv6_addresses and ipv6_address_count become read-only. Default false.
+	IPv6AddressListEnabled *bool `json:"ipv6AddressListEnabled,omitempty" tf:"ipv6_address_list_enabled,omitempty"`
+
+	// One or more specific IPv6 addresses from the IPv6 CIDR block range of your subnet. Addresses are assigned without regard to order. You can't use this option if you're specifying ipv6_address_count.
+	IPv6Addresses []*string `json:"ipv6Addresses,omitempty" tf:"ipv6_addresses,omitempty"`
+
+	// Number of IPv6 prefixes that AWS automatically assigns to the network interface.
+	IPv6PrefixCount *float64 `json:"ipv6PrefixCount,omitempty" tf:"ipv6_prefix_count,omitempty"`
+
+	// One or more IPv6 prefixes assigned to the network interface.
+	IPv6Prefixes []*string `json:"ipv6Prefixes,omitempty" tf:"ipv6_prefixes,omitempty"`
+
+	// Type of network interface to create. Set to efa for Elastic Fabric Adapter. Changing interface_type will cause the resource to be destroyed and re-created.
+	InterfaceType *string `json:"interfaceType,omitempty" tf:"interface_type,omitempty"`
+
 	// MAC address of the network interface.
 	MacAddress *string `json:"macAddress,omitempty" tf:"mac_address,omitempty"`
 
@@ -51,6 +81,32 @@ type NetworkInterfaceObservation_2 struct {
 	// Private DNS name of the network interface (IPv4).
 	PrivateDNSName *string `json:"privateDnsName,omitempty" tf:"private_dns_name,omitempty"`
 
+	PrivateIP *string `json:"privateIp,omitempty" tf:"private_ip,omitempty"`
+
+	// List of private IPs to assign to the ENI in sequential order. Requires setting private_ip_list_enabled to true.
+	PrivateIPList []*string `json:"privateIpList,omitempty" tf:"private_ip_list,omitempty"`
+
+	// Whether private_ip_list is allowed and controls the IPs to assign to the ENI and private_ips and private_ips_count become read-only. Default false.
+	PrivateIPListEnabled *bool `json:"privateIpListEnabled,omitempty" tf:"private_ip_list_enabled,omitempty"`
+
+	// List of private IPs to assign to the ENI without regard to order.
+	PrivateIps []*string `json:"privateIps,omitempty" tf:"private_ips,omitempty"`
+
+	// Number of secondary private IPs to assign to the ENI. The total number of private IPs will be 1 + private_ips_count, as a primary private IP will be assiged to an ENI by default.
+	PrivateIpsCount *float64 `json:"privateIpsCount,omitempty" tf:"private_ips_count,omitempty"`
+
+	// List of security group IDs to assign to the ENI.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// Whether to enable source destination checking for the ENI. Default true.
+	SourceDestCheck *bool `json:"sourceDestCheck,omitempty" tf:"source_dest_check,omitempty"`
+
+	// Subnet ID to create the ENI in.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_networkinterfaceattachment_types.go b/apis/ec2/v1beta1/zz_networkinterfaceattachment_types.go
index c9712f5629..82962b8f4f 100755
--- a/apis/ec2/v1beta1/zz_networkinterfaceattachment_types.go
+++ b/apis/ec2/v1beta1/zz_networkinterfaceattachment_types.go
@@ -18,8 +18,17 @@ type NetworkInterfaceAttachmentObservation struct {
 	// The ENI Attachment ID.
 	AttachmentID *string `json:"attachmentId,omitempty" tf:"attachment_id,omitempty"`
 
+	// Network interface index (int).
+	DeviceIndex *float64 `json:"deviceIndex,omitempty" tf:"device_index,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Instance ID to attach.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// ENI ID to attach.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
 	// The status of the Network Interface Attachment.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -27,8 +36,8 @@ type NetworkInterfaceAttachmentObservation struct {
 type NetworkInterfaceAttachmentParameters struct {
 
 	// Network interface index (int).
-	// +kubebuilder:validation:Required
-	DeviceIndex *float64 `json:"deviceIndex" tf:"device_index,omitempty"`
+	// +kubebuilder:validation:Optional
+	DeviceIndex *float64 `json:"deviceIndex,omitempty" tf:"device_index,omitempty"`
 
 	// Instance ID to attach.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ec2/v1beta1.Instance
@@ -88,8 +97,9 @@ type NetworkInterfaceAttachmentStatus struct {
 type NetworkInterfaceAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NetworkInterfaceAttachmentSpec   `json:"spec"`
-	Status            NetworkInterfaceAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deviceIndex)",message="deviceIndex is a required parameter"
+	Spec   NetworkInterfaceAttachmentSpec   `json:"spec"`
+	Status NetworkInterfaceAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_networkinterfacesgattachment_types.go b/apis/ec2/v1beta1/zz_networkinterfacesgattachment_types.go
index 6601ff0cb9..eb143843dc 100755
--- a/apis/ec2/v1beta1/zz_networkinterfacesgattachment_types.go
+++ b/apis/ec2/v1beta1/zz_networkinterfacesgattachment_types.go
@@ -15,6 +15,12 @@ import (
 
 type NetworkInterfaceSgAttachmentObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the network interface to attach to.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
+	// The ID of the security group.
+	SecurityGroupID *string `json:"securityGroupId,omitempty" tf:"security_group_id,omitempty"`
 }
 
 type NetworkInterfaceSgAttachmentParameters struct {
diff --git a/apis/ec2/v1beta1/zz_placementgroup_types.go b/apis/ec2/v1beta1/zz_placementgroup_types.go
index 27397d812f..a93762f897 100755
--- a/apis/ec2/v1beta1/zz_placementgroup_types.go
+++ b/apis/ec2/v1beta1/zz_placementgroup_types.go
@@ -21,9 +21,24 @@ type PlacementGroupObservation struct {
 	// The name of the placement group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The number of partitions to create in the
+	// placement group.  Can only be specified when the strategy is set to
+	// "partition".  Valid values are 1 - 7 (default is 2).
+	PartitionCount *float64 `json:"partitionCount,omitempty" tf:"partition_count,omitempty"`
+
 	// The ID of the placement group.
 	PlacementGroupID *string `json:"placementGroupId,omitempty" tf:"placement_group_id,omitempty"`
 
+	// Determines how placement groups spread instances. Can only be used
+	// when the strategy is set to "spread". Can be "host" or "rack". "host" can only be used for Outpost placement groups.
+	SpreadLevel *string `json:"spreadLevel,omitempty" tf:"spread_level,omitempty"`
+
+	// The placement strategy. Can be "cluster", "partition" or "spread".
+	Strategy *string `json:"strategy,omitempty" tf:"strategy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -47,8 +62,8 @@ type PlacementGroupParameters struct {
 	SpreadLevel *string `json:"spreadLevel,omitempty" tf:"spread_level,omitempty"`
 
 	// The placement strategy. Can be "cluster", "partition" or "spread".
-	// +kubebuilder:validation:Required
-	Strategy *string `json:"strategy" tf:"strategy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Strategy *string `json:"strategy,omitempty" tf:"strategy,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -79,8 +94,9 @@ type PlacementGroupStatus struct {
 type PlacementGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PlacementGroupSpec   `json:"spec"`
-	Status            PlacementGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.strategy)",message="strategy is a required parameter"
+	Spec   PlacementGroupSpec   `json:"spec"`
+	Status PlacementGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_route_types.go b/apis/ec2/v1beta1/zz_route_types.go
index 2baf83c8e9..ce6006738d 100755
--- a/apis/ec2/v1beta1/zz_route_types.go
+++ b/apis/ec2/v1beta1/zz_route_types.go
@@ -15,17 +15,62 @@ import (
 
 type RouteObservation_2 struct {
 
+	// Identifier of a carrier gateway. This attribute can only be used when the VPC contains a subnet which is associated with a Wavelength Zone.
+	CarrierGatewayID *string `json:"carrierGatewayId,omitempty" tf:"carrier_gateway_id,omitempty"`
+
+	// The Amazon Resource Name (ARN) of a core network.
+	CoreNetworkArn *string `json:"coreNetworkArn,omitempty" tf:"core_network_arn,omitempty"`
+
+	// The destination CIDR block.
+	DestinationCidrBlock *string `json:"destinationCidrBlock,omitempty" tf:"destination_cidr_block,omitempty"`
+
+	// The destination IPv6 CIDR block.
+	DestinationIPv6CidrBlock *string `json:"destinationIpv6CidrBlock,omitempty" tf:"destination_ipv6_cidr_block,omitempty"`
+
+	// The ID of a managed prefix list destination.
+	DestinationPrefixListID *string `json:"destinationPrefixListId,omitempty" tf:"destination_prefix_list_id,omitempty"`
+
+	// Identifier of a VPC Egress Only Internet Gateway.
+	EgressOnlyGatewayID *string `json:"egressOnlyGatewayId,omitempty" tf:"egress_only_gateway_id,omitempty"`
+
+	// Identifier of a VPC internet gateway or a virtual private gateway.
+	GatewayID *string `json:"gatewayId,omitempty" tf:"gateway_id,omitempty"`
+
 	// Route identifier computed from the routing table identifier and route destination.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Identifier of an EC2 instance.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
 	// The AWS account ID of the owner of the EC2 instance.
 	InstanceOwnerID *string `json:"instanceOwnerId,omitempty" tf:"instance_owner_id,omitempty"`
 
+	// Identifier of a Outpost local gateway.
+	LocalGatewayID *string `json:"localGatewayId,omitempty" tf:"local_gateway_id,omitempty"`
+
+	// Identifier of a VPC NAT gateway.
+	NATGatewayID *string `json:"natGatewayId,omitempty" tf:"nat_gateway_id,omitempty"`
+
+	// Identifier of an EC2 network interface.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
 	// How the route was created - CreateRouteTable, CreateRoute or EnableVgwRoutePropagation.
 	Origin *string `json:"origin,omitempty" tf:"origin,omitempty"`
 
+	// The ID of the routing table.
+	RouteTableID *string `json:"routeTableId,omitempty" tf:"route_table_id,omitempty"`
+
 	// The state of the route - active or blackhole.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
+
+	// Identifier of an EC2 Transit Gateway.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
+
+	// Identifier of a VPC Endpoint.
+	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
+
+	// Identifier of a VPC peering connection.
+	VPCPeeringConnectionID *string `json:"vpcPeeringConnectionId,omitempty" tf:"vpc_peering_connection_id,omitempty"`
 }
 
 type RouteParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_routetable_types.go b/apis/ec2/v1beta1/zz_routetable_types.go
index f7ceef5831..2fe802a28f 100755
--- a/apis/ec2/v1beta1/zz_routetable_types.go
+++ b/apis/ec2/v1beta1/zz_routetable_types.go
@@ -31,8 +31,14 @@ type RouteTableObservation_2 struct {
 	// This means that omitting this argument is interpreted as ignoring any existing routes. To remove all managed routes an empty list should be specified. See the example above.
 	Route []RouteTableRouteObservation_2 `json:"route,omitempty" tf:"route,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VPC ID.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type RouteTableParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_routetableassociation_types.go b/apis/ec2/v1beta1/zz_routetableassociation_types.go
index 51f27d4b53..f28395de2c 100755
--- a/apis/ec2/v1beta1/zz_routetableassociation_types.go
+++ b/apis/ec2/v1beta1/zz_routetableassociation_types.go
@@ -15,8 +15,17 @@ import (
 
 type RouteTableAssociationObservation struct {
 
+	// The gateway ID to create an association. Conflicts with subnet_id.
+	GatewayID *string `json:"gatewayId,omitempty" tf:"gateway_id,omitempty"`
+
 	// The ID of the association
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the routing table to associate with.
+	RouteTableID *string `json:"routeTableId,omitempty" tf:"route_table_id,omitempty"`
+
+	// The subnet ID to create an association. Conflicts with gateway_id.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type RouteTableAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_securitygroup_types.go b/apis/ec2/v1beta1/zz_securitygroup_types.go
index 0c0a0f9f0b..f33af8f4a1 100755
--- a/apis/ec2/v1beta1/zz_securitygroup_types.go
+++ b/apis/ec2/v1beta1/zz_securitygroup_types.go
@@ -84,6 +84,9 @@ type SecurityGroupObservation_2 struct {
 	// ARN of the security group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Security group description. Cannot be "". NOTE: This field maps to the AWS GroupDescription attribute, for which there is no Update API. If you'd like to classify your security groups in a way that can be updated, use tags.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Configuration block for egress rules. Can be specified multiple times for each egress rule. Each egress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
 	Egress []SecurityGroupEgressObservation `json:"egress,omitempty" tf:"egress,omitempty"`
 
@@ -93,11 +96,24 @@ type SecurityGroupObservation_2 struct {
 	// Configuration block for ingress rules. Can be specified multiple times for each ingress rule. Each ingress block supports fields documented below. This argument is processed in attribute-as-blocks mode.
 	Ingress []SecurityGroupIngressObservation `json:"ingress,omitempty" tf:"ingress,omitempty"`
 
+	// Name of the security group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Owner ID.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// This is normally not needed, however certain AWS services such as Elastic Map Reduce may automatically add required rules to security groups used with the service, and those rules may contain a cyclic dependency that prevent the security groups from being destroyed without removing the dependency first. Default false.
+	RevokeRulesOnDelete *bool `json:"revokeRulesOnDelete,omitempty" tf:"revoke_rules_on_delete,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// VPC ID.
+	// Defaults to the region's default VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type SecurityGroupParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_securitygrouprule_types.go b/apis/ec2/v1beta1/zz_securitygrouprule_types.go
index 78f09120c4..9f1656f3b3 100755
--- a/apis/ec2/v1beta1/zz_securitygrouprule_types.go
+++ b/apis/ec2/v1beta1/zz_securitygrouprule_types.go
@@ -15,11 +15,45 @@ import (
 
 type SecurityGroupRuleObservation_2 struct {
 
+	// List of CIDR blocks. Cannot be specified with source_security_group_id or self.
+	CidrBlocks []*string `json:"cidrBlocks,omitempty" tf:"cidr_blocks,omitempty"`
+
+	// Description of the rule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
 	// ID of the security group rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
+	IPv6CidrBlocks []*string `json:"ipv6CidrBlocks,omitempty" tf:"ipv6_cidr_blocks,omitempty"`
+
+	// List of Prefix List IDs.
+	PrefixListIds []*string `json:"prefixListIds,omitempty" tf:"prefix_list_ids,omitempty"`
+
+	// Protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Security group to apply this rule to.
+	SecurityGroupID *string `json:"securityGroupId,omitempty" tf:"security_group_id,omitempty"`
+
 	// If the aws_security_group_rule resource has a single source or destination then this is the AWS Security Group Rule resource ID. Otherwise it is empty.
 	SecurityGroupRuleID *string `json:"securityGroupRuleId,omitempty" tf:"security_group_rule_id,omitempty"`
+
+	// Whether the security group itself will be added as a source to this ingress rule. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or source_security_group_id.
+	Self *bool `json:"self,omitempty" tf:"self,omitempty"`
+
+	// Security group id to allow access to/from, depending on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks, or self.
+	SourceSecurityGroupID *string `json:"sourceSecurityGroupId,omitempty" tf:"source_security_group_id,omitempty"`
+
+	// End port (or ICMP code if protocol is "icmp").
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
+
+	// Type of rule being created. Valid options are ingress (inbound)
+	// or egress (outbound).
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type SecurityGroupRuleParameters_2 struct {
@@ -33,8 +67,8 @@ type SecurityGroupRuleParameters_2 struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Start port (or ICMP type number if protocol is "icmp" or "icmpv6").
-	// +kubebuilder:validation:Required
-	FromPort *float64 `json:"fromPort" tf:"from_port,omitempty"`
+	// +kubebuilder:validation:Optional
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
 
 	// List of IPv6 CIDR blocks. Cannot be specified with source_security_group_id or self.
 	// +kubebuilder:validation:Optional
@@ -56,8 +90,8 @@ type SecurityGroupRuleParameters_2 struct {
 	PrefixListIds []*string `json:"prefixListIds,omitempty" tf:"prefix_list_ids,omitempty"`
 
 	// Protocol. If not icmp, icmpv6, tcp, udp, or all use the protocol number
-	// +kubebuilder:validation:Required
-	Protocol *string `json:"protocol" tf:"protocol,omitempty"`
+	// +kubebuilder:validation:Optional
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -95,13 +129,13 @@ type SecurityGroupRuleParameters_2 struct {
 	SourceSecurityGroupIDSelector *v1.Selector `json:"sourceSecurityGroupIdSelector,omitempty" tf:"-"`
 
 	// End port (or ICMP code if protocol is "icmp").
-	// +kubebuilder:validation:Required
-	ToPort *float64 `json:"toPort" tf:"to_port,omitempty"`
+	// +kubebuilder:validation:Optional
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 
 	// Type of rule being created. Valid options are ingress (inbound)
 	// or egress (outbound).
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // SecurityGroupRuleSpec defines the desired state of SecurityGroupRule
@@ -128,8 +162,12 @@ type SecurityGroupRuleStatus struct {
 type SecurityGroupRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SecurityGroupRuleSpec   `json:"spec"`
-	Status            SecurityGroupRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fromPort)",message="fromPort is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)",message="protocol is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.toPort)",message="toPort is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   SecurityGroupRuleSpec   `json:"spec"`
+	Status SecurityGroupRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_serialconsoleaccess_types.go b/apis/ec2/v1beta1/zz_serialconsoleaccess_types.go
index 51c18acdec..13a5ec92f7 100755
--- a/apis/ec2/v1beta1/zz_serialconsoleaccess_types.go
+++ b/apis/ec2/v1beta1/zz_serialconsoleaccess_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type SerialConsoleAccessObservation struct {
+
+	// Whether or not serial console access is enabled. Valid values are true or false. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
diff --git a/apis/ec2/v1beta1/zz_snapshotcreatevolumepermission_types.go b/apis/ec2/v1beta1/zz_snapshotcreatevolumepermission_types.go
index 1f3c27dfd7..d6250d1884 100755
--- a/apis/ec2/v1beta1/zz_snapshotcreatevolumepermission_types.go
+++ b/apis/ec2/v1beta1/zz_snapshotcreatevolumepermission_types.go
@@ -15,15 +15,21 @@ import (
 
 type SnapshotCreateVolumePermissionObservation struct {
 
+	// An AWS Account ID to add create volume permissions. The AWS Account cannot be the snapshot's owner
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// A combination of "snapshot_id-account_id".
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A snapshot ID
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
 }
 
 type SnapshotCreateVolumePermissionParameters struct {
 
 	// An AWS Account ID to add create volume permissions. The AWS Account cannot be the snapshot's owner
-	// +kubebuilder:validation:Required
-	AccountID *string `json:"accountId" tf:"account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +75,9 @@ type SnapshotCreateVolumePermissionStatus struct {
 type SnapshotCreateVolumePermission struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SnapshotCreateVolumePermissionSpec   `json:"spec"`
-	Status            SnapshotCreateVolumePermissionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)",message="accountId is a required parameter"
+	Spec   SnapshotCreateVolumePermissionSpec   `json:"spec"`
+	Status SnapshotCreateVolumePermissionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_spotdatafeedsubscription_types.go b/apis/ec2/v1beta1/zz_spotdatafeedsubscription_types.go
index d67a1bd180..931d8cc066 100755
--- a/apis/ec2/v1beta1/zz_spotdatafeedsubscription_types.go
+++ b/apis/ec2/v1beta1/zz_spotdatafeedsubscription_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type SpotDatafeedSubscriptionObservation struct {
+
+	// The Amazon S3 bucket in which to store the Spot instance data feed.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Path of folder inside bucket to place spot pricing data.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type SpotDatafeedSubscriptionParameters struct {
 
 	// The Amazon S3 bucket in which to store the Spot instance data feed.
-	// +kubebuilder:validation:Required
-	Bucket *string `json:"bucket" tf:"bucket,omitempty"`
+	// +kubebuilder:validation:Optional
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
 
 	// Path of folder inside bucket to place spot pricing data.
 	// +kubebuilder:validation:Optional
@@ -57,8 +64,9 @@ type SpotDatafeedSubscriptionStatus struct {
 type SpotDatafeedSubscription struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SpotDatafeedSubscriptionSpec   `json:"spec"`
-	Status            SpotDatafeedSubscriptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bucket)",message="bucket is a required parameter"
+	Spec   SpotDatafeedSubscriptionSpec   `json:"spec"`
+	Status SpotDatafeedSubscriptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_spotfleetrequest_types.go b/apis/ec2/v1beta1/zz_spotfleetrequest_types.go
index 021a74b121..b54988a6ef 100755
--- a/apis/ec2/v1beta1/zz_spotfleetrequest_types.go
+++ b/apis/ec2/v1beta1/zz_spotfleetrequest_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type CapacityRebalanceObservation struct {
+
+	// The replacement strategy to use. Only available for spot fleets with fleet_type set to maintain. Valid values: launch.
+	ReplacementStrategy *string `json:"replacementStrategy,omitempty" tf:"replacement_strategy,omitempty"`
 }
 
 type CapacityRebalanceParameters struct {
@@ -24,6 +27,12 @@ type CapacityRebalanceParameters struct {
 }
 
 type InstanceRequirementsAcceleratorCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsAcceleratorCountParameters struct {
@@ -38,6 +47,12 @@ type InstanceRequirementsAcceleratorCountParameters struct {
 }
 
 type InstanceRequirementsAcceleratorTotalMemoryMibObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsAcceleratorTotalMemoryMibParameters struct {
@@ -52,6 +67,12 @@ type InstanceRequirementsAcceleratorTotalMemoryMibParameters struct {
 }
 
 type InstanceRequirementsBaselineEBSBandwidthMbpsObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsBaselineEBSBandwidthMbpsParameters struct {
@@ -66,6 +87,12 @@ type InstanceRequirementsBaselineEBSBandwidthMbpsParameters struct {
 }
 
 type InstanceRequirementsMemoryGibPerVcpuObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsMemoryGibPerVcpuParameters struct {
@@ -80,6 +107,12 @@ type InstanceRequirementsMemoryGibPerVcpuParameters struct {
 }
 
 type InstanceRequirementsMemoryMibObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsMemoryMibParameters struct {
@@ -94,6 +127,12 @@ type InstanceRequirementsMemoryMibParameters struct {
 }
 
 type InstanceRequirementsNetworkInterfaceCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsNetworkInterfaceCountParameters struct {
@@ -108,6 +147,12 @@ type InstanceRequirementsNetworkInterfaceCountParameters struct {
 }
 
 type InstanceRequirementsTotalLocalStorageGbObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsTotalLocalStorageGbParameters struct {
@@ -122,6 +167,12 @@ type InstanceRequirementsTotalLocalStorageGbParameters struct {
 }
 
 type InstanceRequirementsVcpuCountObservation struct {
+
+	// Maximum.
+	Max *float64 `json:"max,omitempty" tf:"max,omitempty"`
+
+	// Minimum.
+	Min *float64 `json:"min,omitempty" tf:"min,omitempty"`
 }
 
 type InstanceRequirementsVcpuCountParameters struct {
@@ -136,6 +187,26 @@ type InstanceRequirementsVcpuCountParameters struct {
 }
 
 type LaunchSpecificationEBSBlockDeviceObservation struct {
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// The name of the launch template. Conflicts with id.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The ID of the launch template. Conflicts with name.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The ID of the launch template. Conflicts with name.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type LaunchSpecificationEBSBlockDeviceParameters struct {
@@ -172,6 +243,12 @@ type LaunchSpecificationEBSBlockDeviceParameters struct {
 }
 
 type LaunchSpecificationEphemeralBlockDeviceObservation struct {
+
+	// The name of the launch template. Conflicts with id.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// The name of the launch template. Conflicts with id.
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type LaunchSpecificationEphemeralBlockDeviceParameters struct {
@@ -186,6 +263,53 @@ type LaunchSpecificationEphemeralBlockDeviceParameters struct {
 }
 
 type LaunchSpecificationObservation struct {
+	AMI *string `json:"ami,omitempty" tf:"ami,omitempty"`
+
+	AssociatePublicIPAddress *bool `json:"associatePublicIpAddress,omitempty" tf:"associate_public_ip_address,omitempty"`
+
+	// The availability zone in which to place the request.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	EBSBlockDevice []LaunchSpecificationEBSBlockDeviceObservation `json:"ebsBlockDevice,omitempty" tf:"ebs_block_device,omitempty"`
+
+	EBSOptimized *bool `json:"ebsOptimized,omitempty" tf:"ebs_optimized,omitempty"`
+
+	EphemeralBlockDevice []LaunchSpecificationEphemeralBlockDeviceObservation `json:"ephemeralBlockDevice,omitempty" tf:"ephemeral_block_device,omitempty"`
+
+	IAMInstanceProfile *string `json:"iamInstanceProfile,omitempty" tf:"iam_instance_profile,omitempty"`
+
+	// takes aws_iam_instance_profile attribute arn as input.
+	IAMInstanceProfileArn *string `json:"iamInstanceProfileArn,omitempty" tf:"iam_instance_profile_arn,omitempty"`
+
+	// The type of instance to request.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The name of the launch template. Conflicts with id.
+	KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+
+	Monitoring *bool `json:"monitoring,omitempty" tf:"monitoring,omitempty"`
+
+	PlacementGroup *string `json:"placementGroup,omitempty" tf:"placement_group,omitempty"`
+
+	PlacementTenancy *string `json:"placementTenancy,omitempty" tf:"placement_tenancy,omitempty"`
+
+	RootBlockDevice []LaunchSpecificationRootBlockDeviceObservation `json:"rootBlockDevice,omitempty" tf:"root_block_device,omitempty"`
+
+	// The maximum bid price per unit hour.
+	SpotPrice *string `json:"spotPrice,omitempty" tf:"spot_price,omitempty"`
+
+	// The subnet in which to launch the requested instance.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
+	UserData *string `json:"userData,omitempty" tf:"user_data,omitempty"`
+
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
+
+	// The capacity added to the fleet by a fulfilled request.
+	WeightedCapacity *string `json:"weightedCapacity,omitempty" tf:"weighted_capacity,omitempty"`
 }
 
 type LaunchSpecificationParameters struct {
@@ -270,6 +394,20 @@ type LaunchSpecificationParameters struct {
 }
 
 type LaunchSpecificationRootBlockDeviceObservation struct {
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The ID of the launch template. Conflicts with name.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type LaunchSpecificationRootBlockDeviceParameters struct {
@@ -298,6 +436,12 @@ type LaunchSpecificationRootBlockDeviceParameters struct {
 }
 
 type LaunchTemplateConfigObservation struct {
+
+	// Launch template specification. See Launch Template Specification below for more details.
+	LaunchTemplateSpecification []LaunchTemplateSpecificationObservation `json:"launchTemplateSpecification,omitempty" tf:"launch_template_specification,omitempty"`
+
+	// One or more override configurations. See Overrides below for more details.
+	Overrides []OverridesObservation `json:"overrides,omitempty" tf:"overrides,omitempty"`
 }
 
 type LaunchTemplateConfigParameters struct {
@@ -312,6 +456,15 @@ type LaunchTemplateConfigParameters struct {
 }
 
 type LaunchTemplateSpecificationObservation struct {
+
+	// The ID of the launch template. Conflicts with name.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the launch template. Conflicts with id.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Template version. Unlike the autoscaling equivalent, does not support $Latest or $Default, so use the launch_template resource's attribute, e.g., "${aws_launch_template.foo.latest_version}". It will use the default version if omitted.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type LaunchTemplateSpecificationParameters struct {
@@ -350,6 +503,69 @@ type LaunchTemplateSpecificationParameters struct {
 }
 
 type OverridesInstanceRequirementsObservation struct {
+
+	// Block describing the minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips). Default is no minimum or maximum.
+	AcceleratorCount []InstanceRequirementsAcceleratorCountObservation `json:"acceleratorCount,omitempty" tf:"accelerator_count,omitempty"`
+
+	// List of accelerator manufacturer names. Default is any manufacturer.
+	AcceleratorManufacturers []*string `json:"acceleratorManufacturers,omitempty" tf:"accelerator_manufacturers,omitempty"`
+
+	// List of accelerator names. Default is any acclerator.
+	AcceleratorNames []*string `json:"acceleratorNames,omitempty" tf:"accelerator_names,omitempty"`
+
+	// Block describing the minimum and maximum total memory of the accelerators. Default is no minimum or maximum.
+	AcceleratorTotalMemoryMib []InstanceRequirementsAcceleratorTotalMemoryMibObservation `json:"acceleratorTotalMemoryMib,omitempty" tf:"accelerator_total_memory_mib,omitempty"`
+
+	// List of accelerator types. Default is any accelerator type.
+	AcceleratorTypes []*string `json:"acceleratorTypes,omitempty" tf:"accelerator_types,omitempty"`
+
+	// Indicate whether bare metal instace types should be included, excluded, or required. Default is excluded.
+	BareMetal *string `json:"bareMetal,omitempty" tf:"bare_metal,omitempty"`
+
+	// Block describing the minimum and maximum baseline EBS bandwidth, in Mbps. Default is no minimum or maximum.
+	BaselineEBSBandwidthMbps []InstanceRequirementsBaselineEBSBandwidthMbpsObservation `json:"baselineEbsBandwidthMbps,omitempty" tf:"baseline_ebs_bandwidth_mbps,omitempty"`
+
+	// Indicate whether burstable performance instance types should be included, excluded, or required. Default is excluded.
+	BurstablePerformance *string `json:"burstablePerformance,omitempty" tf:"burstable_performance,omitempty"`
+
+	// List of CPU manufacturer names. Default is any manufacturer.
+	CPUManufacturers []*string `json:"cpuManufacturers,omitempty" tf:"cpu_manufacturers,omitempty"`
+
+	// List of instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk (*). The following are examples: c5*, m5a.*, r*, *3*. For example, if you specify c5*, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify m5a.*, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types.
+	ExcludedInstanceTypes []*string `json:"excludedInstanceTypes,omitempty" tf:"excluded_instance_types,omitempty"`
+
+	// List of instance generation names. Default is any generation.
+	InstanceGenerations []*string `json:"instanceGenerations,omitempty" tf:"instance_generations,omitempty"`
+
+	// Indicate whether instance types with local storage volumes are included, excluded, or required. Default is included.
+	LocalStorage *string `json:"localStorage,omitempty" tf:"local_storage,omitempty"`
+
+	// List of local storage type names. Default any storage type.
+	LocalStorageTypes []*string `json:"localStorageTypes,omitempty" tf:"local_storage_types,omitempty"`
+
+	// Block describing the minimum and maximum amount of memory (GiB) per vCPU. Default is no minimum or maximum.
+	MemoryGibPerVcpu []InstanceRequirementsMemoryGibPerVcpuObservation `json:"memoryGibPerVcpu,omitempty" tf:"memory_gib_per_vcpu,omitempty"`
+
+	// Block describing the minimum and maximum amount of memory (MiB). Default is no maximum.
+	MemoryMib []InstanceRequirementsMemoryMibObservation `json:"memoryMib,omitempty" tf:"memory_mib,omitempty"`
+
+	// Block describing the minimum and maximum number of network interfaces. Default is no minimum or maximum.
+	NetworkInterfaceCount []InstanceRequirementsNetworkInterfaceCountObservation `json:"networkInterfaceCount,omitempty" tf:"network_interface_count,omitempty"`
+
+	// The price protection threshold for On-Demand Instances. This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 20.
+	OnDemandMaxPricePercentageOverLowestPrice *float64 `json:"onDemandMaxPricePercentageOverLowestPrice,omitempty" tf:"on_demand_max_price_percentage_over_lowest_price,omitempty"`
+
+	// Indicate whether instance types must support On-Demand Instance Hibernation, either true or false. Default is false.
+	RequireHibernateSupport *bool `json:"requireHibernateSupport,omitempty" tf:"require_hibernate_support,omitempty"`
+
+	// The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 100.
+	SpotMaxPricePercentageOverLowestPrice *float64 `json:"spotMaxPricePercentageOverLowestPrice,omitempty" tf:"spot_max_price_percentage_over_lowest_price,omitempty"`
+
+	// Block describing the minimum and maximum total local storage (GB). Default is no minimum or maximum.
+	TotalLocalStorageGb []InstanceRequirementsTotalLocalStorageGbObservation `json:"totalLocalStorageGb,omitempty" tf:"total_local_storage_gb,omitempty"`
+
+	// Block describing the minimum and maximum number of vCPUs. Default is no maximum.
+	VcpuCount []InstanceRequirementsVcpuCountObservation `json:"vcpuCount,omitempty" tf:"vcpu_count,omitempty"`
 }
 
 type OverridesInstanceRequirementsParameters struct {
@@ -440,6 +656,27 @@ type OverridesInstanceRequirementsParameters struct {
 }
 
 type OverridesObservation struct {
+
+	// The availability zone in which to place the request.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The instance requirements. See below.
+	InstanceRequirements []OverridesInstanceRequirementsObservation `json:"instanceRequirements,omitempty" tf:"instance_requirements,omitempty"`
+
+	// The type of instance to request.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The priority for the launch template override. The lower the number, the higher the priority. If no number is set, the launch template override has the lowest priority.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// The maximum bid price per unit hour.
+	SpotPrice *string `json:"spotPrice,omitempty" tf:"spot_price,omitempty"`
+
+	// The subnet in which to launch the requested instance.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// The capacity added to the fleet by a fulfilled request.
+	WeightedCapacity *float64 `json:"weightedCapacity,omitempty" tf:"weighted_capacity,omitempty"`
 }
 
 type OverridesParameters struct {
@@ -474,16 +711,108 @@ type OverridesParameters struct {
 }
 
 type SpotFleetRequestObservation struct {
+
+	// Indicates how to allocate the target capacity across
+	// the Spot pools specified by the Spot fleet request. Valid values: lowestPrice, diversified, capacityOptimized, capacityOptimizedPrioritized, and priceCapacityOptimized. The default is
+	// lowestPrice.
+	AllocationStrategy *string `json:"allocationStrategy,omitempty" tf:"allocation_strategy,omitempty"`
+
 	ClientToken *string `json:"clientToken,omitempty" tf:"client_token,omitempty"`
 
+	// Indicates whether running Spot
+	// instances should be terminated if the target capacity of the Spot fleet
+	// request is decreased below the current size of the Spot fleet.
+	ExcessCapacityTerminationPolicy *string `json:"excessCapacityTerminationPolicy,omitempty" tf:"excess_capacity_termination_policy,omitempty"`
+
+	// The type of fleet request. Indicates whether the Spot Fleet only requests the target
+	// capacity or also attempts to maintain it. Default is maintain.
+	FleetType *string `json:"fleetType,omitempty" tf:"fleet_type,omitempty"`
+
+	// Grants the Spot fleet permission to terminate
+	// Spot instances on your behalf when you cancel its Spot fleet request using
+	// CancelSpotFleetRequests or when the Spot fleet request expires, if you set
+	// terminateInstancesWithExpiration.
+	IAMFleetRole *string `json:"iamFleetRole,omitempty" tf:"iam_fleet_role,omitempty"`
+
 	// The ID of the launch template. Conflicts with name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Indicates whether a Spot
+	// instance stops or terminates when it is interrupted. Default is
+	// terminate.
+	InstanceInterruptionBehaviour *string `json:"instanceInterruptionBehaviour,omitempty" tf:"instance_interruption_behaviour,omitempty"`
+
+	// The number of Spot pools across which to allocate your target Spot capacity.
+	// Valid only when allocation_strategy is set to lowestPrice. Spot Fleet selects
+	// the cheapest Spot pools and evenly allocates your target Spot capacity across
+	// the number of Spot pools that you specify.
+	InstancePoolsToUseCount *float64 `json:"instancePoolsToUseCount,omitempty" tf:"instance_pools_to_use_count,omitempty"`
+
+	// Used to define the launch configuration of the
+	// spot-fleet request. Can be specified multiple times to define different bids
+	// across different markets and instance types. Conflicts with launch_template_config. At least one of launch_specification or launch_template_config is required.
+	LaunchSpecification []LaunchSpecificationObservation `json:"launchSpecification,omitempty" tf:"launch_specification,omitempty"`
+
+	// Launch template configuration block. See Launch Template Configs below for more details. Conflicts with launch_specification. At least one of launch_specification or launch_template_config is required.
+	LaunchTemplateConfig []LaunchTemplateConfigObservation `json:"launchTemplateConfig,omitempty" tf:"launch_template_config,omitempty"`
+
+	// A list of elastic load balancer names to add to the Spot fleet.
+	LoadBalancers []*string `json:"loadBalancers,omitempty" tf:"load_balancers,omitempty"`
+
+	// The order of the launch template overrides to use in fulfilling On-Demand capacity. the possible values are: lowestPrice and prioritized. the default is lowestPrice.
+	OnDemandAllocationStrategy *string `json:"onDemandAllocationStrategy,omitempty" tf:"on_demand_allocation_strategy,omitempty"`
+
+	// The maximum amount per hour for On-Demand Instances that you're willing to pay. When the maximum amount you're willing to pay is reached, the fleet stops launching instances even if it hasn’t met the target capacity.
+	OnDemandMaxTotalPrice *string `json:"onDemandMaxTotalPrice,omitempty" tf:"on_demand_max_total_price,omitempty"`
+
+	// The number of On-Demand units to request. If the request type is maintain, you can specify a target capacity of 0 and add capacity later.
+	OnDemandTargetCapacity *float64 `json:"onDemandTargetCapacity,omitempty" tf:"on_demand_target_capacity,omitempty"`
+
+	// Indicates whether Spot fleet should replace unhealthy instances. Default false.
+	ReplaceUnhealthyInstances *bool `json:"replaceUnhealthyInstances,omitempty" tf:"replace_unhealthy_instances,omitempty"`
+
+	// Nested argument containing maintenance strategies for managing your Spot Instances that are at an elevated risk of being interrupted. Defined below.
+	SpotMaintenanceStrategies []SpotMaintenanceStrategiesObservation `json:"spotMaintenanceStrategies,omitempty" tf:"spot_maintenance_strategies,omitempty"`
+
+	// The maximum bid price per unit hour.
+	SpotPrice *string `json:"spotPrice,omitempty" tf:"spot_price,omitempty"`
+
 	// The state of the Spot fleet request.
 	SpotRequestState *string `json:"spotRequestState,omitempty" tf:"spot_request_state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The number of units to request. You can choose to set the
+	// target capacity in terms of instances or a performance characteristic that is
+	// important to your application workload, such as vCPUs, memory, or I/O.
+	TargetCapacity *float64 `json:"targetCapacity,omitempty" tf:"target_capacity,omitempty"`
+
+	// The unit for the target capacity. This can only be done with instance_requirements defined
+	TargetCapacityUnitType *string `json:"targetCapacityUnitType,omitempty" tf:"target_capacity_unit_type,omitempty"`
+
+	// A list of aws_alb_target_group ARNs, for use with Application Load Balancing.
+	TargetGroupArns []*string `json:"targetGroupArns,omitempty" tf:"target_group_arns,omitempty"`
+
+	// Indicates whether running Spot
+	// instances should be terminated when the resource is deleted (and the Spot fleet request cancelled).
+	// If no value is specified, the value of the terminate_instances_with_expiration argument is used.
+	TerminateInstancesOnDelete *string `json:"terminateInstancesOnDelete,omitempty" tf:"terminate_instances_on_delete,omitempty"`
+
+	// Indicates whether running Spot
+	// instances should be terminated when the Spot fleet request expires.
+	TerminateInstancesWithExpiration *bool `json:"terminateInstancesWithExpiration,omitempty" tf:"terminate_instances_with_expiration,omitempty"`
+
+	// The start date and time of the request, in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ). The default is to start fulfilling the request immediately.
+	ValidFrom *string `json:"validFrom,omitempty" tf:"valid_from,omitempty"`
+
+	// The end date and time of the request, in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ). At this point, no new Spot instance requests are placed or enabled to fulfill the request.
+	ValidUntil *string `json:"validUntil,omitempty" tf:"valid_until,omitempty"`
+
+	WaitForFulfillment *bool `json:"waitForFulfillment,omitempty" tf:"wait_for_fulfillment,omitempty"`
 }
 
 type SpotFleetRequestParameters struct {
@@ -509,8 +838,8 @@ type SpotFleetRequestParameters struct {
 	// Spot instances on your behalf when you cancel its Spot fleet request using
 	// CancelSpotFleetRequests or when the Spot fleet request expires, if you set
 	// terminateInstancesWithExpiration.
-	// +kubebuilder:validation:Required
-	IAMFleetRole *string `json:"iamFleetRole" tf:"iam_fleet_role,omitempty"`
+	// +kubebuilder:validation:Optional
+	IAMFleetRole *string `json:"iamFleetRole,omitempty" tf:"iam_fleet_role,omitempty"`
 
 	// Indicates whether a Spot
 	// instance stops or terminates when it is interrupted. Default is
@@ -575,8 +904,8 @@ type SpotFleetRequestParameters struct {
 	// The number of units to request. You can choose to set the
 	// target capacity in terms of instances or a performance characteristic that is
 	// important to your application workload, such as vCPUs, memory, or I/O.
-	// +kubebuilder:validation:Required
-	TargetCapacity *float64 `json:"targetCapacity" tf:"target_capacity,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetCapacity *float64 `json:"targetCapacity,omitempty" tf:"target_capacity,omitempty"`
 
 	// The unit for the target capacity. This can only be done with instance_requirements defined
 	// +kubebuilder:validation:Optional
@@ -610,6 +939,9 @@ type SpotFleetRequestParameters struct {
 }
 
 type SpotMaintenanceStrategiesObservation struct {
+
+	// Nested argument containing the capacity rebalance for your fleet request. Defined below.
+	CapacityRebalance []CapacityRebalanceObservation `json:"capacityRebalance,omitempty" tf:"capacity_rebalance,omitempty"`
 }
 
 type SpotMaintenanceStrategiesParameters struct {
@@ -643,8 +975,10 @@ type SpotFleetRequestStatus struct {
 type SpotFleetRequest struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SpotFleetRequestSpec   `json:"spec"`
-	Status            SpotFleetRequestStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.iamFleetRole)",message="iamFleetRole is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetCapacity)",message="targetCapacity is a required parameter"
+	Spec   SpotFleetRequestSpec   `json:"spec"`
+	Status SpotFleetRequestStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_spotinstancerequest_types.go b/apis/ec2/v1beta1/zz_spotinstancerequest_types.go
index 45185410ac..58d34912a2 100755
--- a/apis/ec2/v1beta1/zz_spotinstancerequest_types.go
+++ b/apis/ec2/v1beta1/zz_spotinstancerequest_types.go
@@ -14,6 +14,11 @@ import (
 )
 
 type SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTargetObservation struct {
+
+	// The Spot Instance Request ID.
+	CapacityReservationID *string `json:"capacityReservationId,omitempty" tf:"capacity_reservation_id,omitempty"`
+
+	CapacityReservationResourceGroupArn *string `json:"capacityReservationResourceGroupArn,omitempty" tf:"capacity_reservation_resource_group_arn,omitempty"`
 }
 
 type SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTargetParameters struct {
@@ -27,6 +32,9 @@ type SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTarge
 }
 
 type SpotInstanceRequestCapacityReservationSpecificationObservation struct {
+	CapacityReservationPreference *string `json:"capacityReservationPreference,omitempty" tf:"capacity_reservation_preference,omitempty"`
+
+	CapacityReservationTarget []SpotInstanceRequestCapacityReservationSpecificationCapacityReservationTargetObservation `json:"capacityReservationTarget,omitempty" tf:"capacity_reservation_target,omitempty"`
 }
 
 type SpotInstanceRequestCapacityReservationSpecificationParameters struct {
@@ -39,6 +47,7 @@ type SpotInstanceRequestCapacityReservationSpecificationParameters struct {
 }
 
 type SpotInstanceRequestCreditSpecificationObservation struct {
+	CPUCredits *string `json:"cpuCredits,omitempty" tf:"cpu_credits,omitempty"`
 }
 
 type SpotInstanceRequestCreditSpecificationParameters struct {
@@ -48,9 +57,31 @@ type SpotInstanceRequestCreditSpecificationParameters struct {
 }
 
 type SpotInstanceRequestEBSBlockDeviceObservation struct {
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The Spot Instance Request ID.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The Spot Instance Request ID.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
 
 	// The Spot Instance Request ID.
 	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
+
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type SpotInstanceRequestEBSBlockDeviceParameters struct {
@@ -90,6 +121,7 @@ type SpotInstanceRequestEBSBlockDeviceParameters struct {
 }
 
 type SpotInstanceRequestEnclaveOptionsObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type SpotInstanceRequestEnclaveOptionsParameters struct {
@@ -99,6 +131,11 @@ type SpotInstanceRequestEnclaveOptionsParameters struct {
 }
 
 type SpotInstanceRequestEphemeralBlockDeviceObservation struct {
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	NoDevice *bool `json:"noDevice,omitempty" tf:"no_device,omitempty"`
+
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type SpotInstanceRequestEphemeralBlockDeviceParameters struct {
@@ -114,6 +151,13 @@ type SpotInstanceRequestEphemeralBlockDeviceParameters struct {
 }
 
 type SpotInstanceRequestLaunchTemplateObservation struct {
+
+	// The Spot Instance Request ID.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type SpotInstanceRequestLaunchTemplateParameters struct {
@@ -130,6 +174,7 @@ type SpotInstanceRequestLaunchTemplateParameters struct {
 }
 
 type SpotInstanceRequestMaintenanceOptionsObservation struct {
+	AutoRecovery *string `json:"autoRecovery,omitempty" tf:"auto_recovery,omitempty"`
 }
 
 type SpotInstanceRequestMaintenanceOptionsParameters struct {
@@ -139,6 +184,14 @@ type SpotInstanceRequestMaintenanceOptionsParameters struct {
 }
 
 type SpotInstanceRequestMetadataOptionsObservation struct {
+	HTTPEndpoint *string `json:"httpEndpoint,omitempty" tf:"http_endpoint,omitempty"`
+
+	HTTPPutResponseHopLimit *float64 `json:"httpPutResponseHopLimit,omitempty" tf:"http_put_response_hop_limit,omitempty"`
+
+	HTTPTokens *string `json:"httpTokens,omitempty" tf:"http_tokens,omitempty"`
+
+	// Key-value map of resource tags.
+	InstanceMetadataTags *string `json:"instanceMetadataTags,omitempty" tf:"instance_metadata_tags,omitempty"`
 }
 
 type SpotInstanceRequestMetadataOptionsParameters struct {
@@ -158,6 +211,14 @@ type SpotInstanceRequestMetadataOptionsParameters struct {
 }
 
 type SpotInstanceRequestNetworkInterfaceObservation struct {
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	DeviceIndex *float64 `json:"deviceIndex,omitempty" tf:"device_index,omitempty"`
+
+	NetworkCardIndex *float64 `json:"networkCardIndex,omitempty" tf:"network_card_index,omitempty"`
+
+	// The Spot Instance Request ID.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
 }
 
 type SpotInstanceRequestNetworkInterfaceParameters struct {
@@ -177,20 +238,90 @@ type SpotInstanceRequestNetworkInterfaceParameters struct {
 }
 
 type SpotInstanceRequestObservation struct {
+	AMI *string `json:"ami,omitempty" tf:"ami,omitempty"`
+
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
-	// +kubebuilder:validation:Optional
+	AssociatePublicIPAddress *bool `json:"associatePublicIpAddress,omitempty" tf:"associate_public_ip_address,omitempty"`
+
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The required duration for the Spot instances, in minutes. This value must be a multiple of 60 (60, 120, 180, 240, 300, or 360).
+	// The duration period starts as soon as your Spot instance receives its instance ID. At the end of the duration period, Amazon EC2 marks the Spot instance for termination and provides a Spot instance termination notice, which gives the instance a two-minute warning before it terminates.
+	// Note that you can't specify an Availability Zone group or a launch group if you specify a duration.
+	BlockDurationMinutes *float64 `json:"blockDurationMinutes,omitempty" tf:"block_duration_minutes,omitempty"`
+
+	CPUCoreCount *float64 `json:"cpuCoreCount,omitempty" tf:"cpu_core_count,omitempty"`
+
+	CPUThreadsPerCore *float64 `json:"cpuThreadsPerCore,omitempty" tf:"cpu_threads_per_core,omitempty"`
+
+	CapacityReservationSpecification []SpotInstanceRequestCapacityReservationSpecificationObservation `json:"capacityReservationSpecification,omitempty" tf:"capacity_reservation_specification,omitempty"`
+
+	CreditSpecification []SpotInstanceRequestCreditSpecificationObservation `json:"creditSpecification,omitempty" tf:"credit_specification,omitempty"`
+
+	DisableAPIStop *bool `json:"disableApiStop,omitempty" tf:"disable_api_stop,omitempty"`
+
+	DisableAPITermination *bool `json:"disableApiTermination,omitempty" tf:"disable_api_termination,omitempty"`
+
 	EBSBlockDevice []SpotInstanceRequestEBSBlockDeviceObservation `json:"ebsBlockDevice,omitempty" tf:"ebs_block_device,omitempty"`
 
+	EBSOptimized *bool `json:"ebsOptimized,omitempty" tf:"ebs_optimized,omitempty"`
+
+	EnclaveOptions []SpotInstanceRequestEnclaveOptionsObservation `json:"enclaveOptions,omitempty" tf:"enclave_options,omitempty"`
+
+	EphemeralBlockDevice []SpotInstanceRequestEphemeralBlockDeviceObservation `json:"ephemeralBlockDevice,omitempty" tf:"ephemeral_block_device,omitempty"`
+
+	GetPasswordData *bool `json:"getPasswordData,omitempty" tf:"get_password_data,omitempty"`
+
+	Hibernation *bool `json:"hibernation,omitempty" tf:"hibernation,omitempty"`
+
+	// The Spot Instance Request ID.
+	HostID *string `json:"hostId,omitempty" tf:"host_id,omitempty"`
+
+	HostResourceGroupArn *string `json:"hostResourceGroupArn,omitempty" tf:"host_resource_group_arn,omitempty"`
+
+	IAMInstanceProfile *string `json:"iamInstanceProfile,omitempty" tf:"iam_instance_profile,omitempty"`
+
 	// The Spot Instance Request ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	IPv6AddressCount *float64 `json:"ipv6AddressCount,omitempty" tf:"ipv6_address_count,omitempty"`
+
+	IPv6Addresses []*string `json:"ipv6Addresses,omitempty" tf:"ipv6_addresses,omitempty"`
+
+	InstanceInitiatedShutdownBehavior *string `json:"instanceInitiatedShutdownBehavior,omitempty" tf:"instance_initiated_shutdown_behavior,omitempty"`
+
+	// Indicates Spot instance behavior when it is interrupted. Valid values are terminate, stop, or hibernate. Default value is terminate.
+	InstanceInterruptionBehavior *string `json:"instanceInterruptionBehavior,omitempty" tf:"instance_interruption_behavior,omitempty"`
+
 	InstanceState *string `json:"instanceState,omitempty" tf:"instance_state,omitempty"`
 
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+
+	// A launch group is a group of spot instances that launch together and terminate together.
+	// If left empty instances are launched and terminated individually.
+	LaunchGroup *string `json:"launchGroup,omitempty" tf:"launch_group,omitempty"`
+
+	LaunchTemplate []SpotInstanceRequestLaunchTemplateObservation `json:"launchTemplate,omitempty" tf:"launch_template,omitempty"`
+
+	MaintenanceOptions []SpotInstanceRequestMaintenanceOptionsObservation `json:"maintenanceOptions,omitempty" tf:"maintenance_options,omitempty"`
+
+	MetadataOptions []SpotInstanceRequestMetadataOptionsObservation `json:"metadataOptions,omitempty" tf:"metadata_options,omitempty"`
+
+	Monitoring *bool `json:"monitoring,omitempty" tf:"monitoring,omitempty"`
+
+	NetworkInterface []SpotInstanceRequestNetworkInterfaceObservation `json:"networkInterface,omitempty" tf:"network_interface,omitempty"`
+
 	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
 
 	PasswordData *string `json:"passwordData,omitempty" tf:"password_data,omitempty"`
 
+	PlacementGroup *string `json:"placementGroup,omitempty" tf:"placement_group,omitempty"`
+
+	PlacementPartitionNumber *float64 `json:"placementPartitionNumber,omitempty" tf:"placement_partition_number,omitempty"`
+
 	// The Spot Instance Request ID.
 	PrimaryNetworkInterfaceID *string `json:"primaryNetworkInterfaceId,omitempty" tf:"primary_network_interface_id,omitempty"`
 
@@ -199,6 +330,11 @@ type SpotInstanceRequestObservation struct {
 	// for your VPC
 	PrivateDNS *string `json:"privateDns,omitempty" tf:"private_dns,omitempty"`
 
+	PrivateDNSNameOptions []SpotInstanceRequestPrivateDNSNameOptionsObservation `json:"privateDnsNameOptions,omitempty" tf:"private_dns_name_options,omitempty"`
+
+	// The private IP address assigned to the instance
+	PrivateIP *string `json:"privateIp,omitempty" tf:"private_ip,omitempty"`
+
 	// The public DNS name assigned to the instance. For EC2-VPC, this
 	// is only available if you've enabled DNS hostnames for your VPC
 	PublicDNS *string `json:"publicDns,omitempty" tf:"public_dns,omitempty"`
@@ -206,9 +342,14 @@ type SpotInstanceRequestObservation struct {
 	// The public IP address assigned to the instance, if applicable.
 	PublicIP *string `json:"publicIp,omitempty" tf:"public_ip,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	RootBlockDevice []SpotInstanceRequestRootBlockDeviceObservation `json:"rootBlockDevice,omitempty" tf:"root_block_device,omitempty"`
 
+	SecondaryPrivateIps []*string `json:"secondaryPrivateIps,omitempty" tf:"secondary_private_ips,omitempty"`
+
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	SourceDestCheck *bool `json:"sourceDestCheck,omitempty" tf:"source_dest_check,omitempty"`
+
 	// The current bid
 	// status
 	// of the Spot Instance Request.
@@ -218,13 +359,47 @@ type SpotInstanceRequestObservation struct {
 	// the Spot Instance request.
 	SpotInstanceID *string `json:"spotInstanceId,omitempty" tf:"spot_instance_id,omitempty"`
 
+	// The maximum price to request on the spot market.
+	SpotPrice *string `json:"spotPrice,omitempty" tf:"spot_price,omitempty"`
+
 	// The current request
 	// state
 	// of the Spot Instance Request.
 	SpotRequestState *string `json:"spotRequestState,omitempty" tf:"spot_request_state,omitempty"`
 
+	// If set to one-time, after
+	// the instance is terminated, the spot request will be closed.
+	SpotType *string `json:"spotType,omitempty" tf:"spot_type,omitempty"`
+
+	// The Spot Instance Request ID.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	Tenancy *string `json:"tenancy,omitempty" tf:"tenancy,omitempty"`
+
+	UserData *string `json:"userData,omitempty" tf:"user_data,omitempty"`
+
+	UserDataBase64 *string `json:"userDataBase64,omitempty" tf:"user_data_base64,omitempty"`
+
+	UserDataReplaceOnChange *bool `json:"userDataReplaceOnChange,omitempty" tf:"user_data_replace_on_change,omitempty"`
+
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
+
+	// The start date and time of the request, in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ). The default is to start fulfilling the request immediately.
+	ValidFrom *string `json:"validFrom,omitempty" tf:"valid_from,omitempty"`
+
+	// The end date and time of the request, in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ). At this point, no new Spot instance requests are placed or enabled to fulfill the request. The default end date is 7 days from the current date.
+	ValidUntil *string `json:"validUntil,omitempty" tf:"valid_until,omitempty"`
+
+	// Key-value map of resource tags.
+	VolumeTags map[string]*string `json:"volumeTags,omitempty" tf:"volume_tags,omitempty"`
+
+	WaitForFulfillment *bool `json:"waitForFulfillment,omitempty" tf:"wait_for_fulfillment,omitempty"`
 }
 
 type SpotInstanceRequestParameters struct {
@@ -428,6 +603,11 @@ type SpotInstanceRequestParameters struct {
 }
 
 type SpotInstanceRequestPrivateDNSNameOptionsObservation struct {
+	EnableResourceNameDNSARecord *bool `json:"enableResourceNameDnsARecord,omitempty" tf:"enable_resource_name_dns_a_record,omitempty"`
+
+	EnableResourceNameDNSAaaaRecord *bool `json:"enableResourceNameDnsAaaaRecord,omitempty" tf:"enable_resource_name_dns_aaaa_record,omitempty"`
+
+	HostnameType *string `json:"hostnameType,omitempty" tf:"hostname_type,omitempty"`
 }
 
 type SpotInstanceRequestPrivateDNSNameOptionsParameters struct {
@@ -443,10 +623,28 @@ type SpotInstanceRequestPrivateDNSNameOptionsParameters struct {
 }
 
 type SpotInstanceRequestRootBlockDeviceObservation struct {
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
 	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
 
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The Spot Instance Request ID.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
 	// The Spot Instance Request ID.
 	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
+
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type SpotInstanceRequestRootBlockDeviceParameters struct {
diff --git a/apis/ec2/v1beta1/zz_subnet_types.go b/apis/ec2/v1beta1/zz_subnet_types.go
index 3c0c4c4e1d..1a15b0e71d 100755
--- a/apis/ec2/v1beta1/zz_subnet_types.go
+++ b/apis/ec2/v1beta1/zz_subnet_types.go
@@ -18,17 +18,70 @@ type SubnetObservation_2 struct {
 	// The ARN of the subnet.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specify true to indicate
+	// that network interfaces created in the specified subnet should be
+	// assigned an IPv6 address. Default is false
+	AssignIPv6AddressOnCreation *bool `json:"assignIpv6AddressOnCreation,omitempty" tf:"assign_ipv6_address_on_creation,omitempty"`
+
+	// AZ for the subnet.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// AZ ID of the subnet. This argument is not supported in all regions or partitions. If necessary, use availability_zone instead.
+	AvailabilityZoneID *string `json:"availabilityZoneId,omitempty" tf:"availability_zone_id,omitempty"`
+
+	// The IPv4 CIDR block for the subnet.
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
+	// The customer owned IPv4 address pool. Typically used with the map_customer_owned_ip_on_launch argument. The outpost_arn argument must be specified when configured.
+	CustomerOwnedIPv4Pool *string `json:"customerOwnedIpv4Pool,omitempty" tf:"customer_owned_ipv4_pool,omitempty"`
+
+	// Indicates whether DNS queries made to the Amazon-provided DNS Resolver in this subnet should return synthetic IPv6 addresses for IPv4-only destinations. Default: false.
+	EnableDns64 *bool `json:"enableDns64,omitempty" tf:"enable_dns64,omitempty"`
+
+	// Indicates whether to respond to DNS queries for instance hostnames with DNS A records. Default: false.
+	EnableResourceNameDNSARecordOnLaunch *bool `json:"enableResourceNameDnsARecordOnLaunch,omitempty" tf:"enable_resource_name_dns_a_record_on_launch,omitempty"`
+
+	// Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. Default: false.
+	EnableResourceNameDNSAaaaRecordOnLaunch *bool `json:"enableResourceNameDnsAaaaRecordOnLaunch,omitempty" tf:"enable_resource_name_dns_aaaa_record_on_launch,omitempty"`
+
 	// The ID of the subnet
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IPv6 network range for the subnet,
+	// in CIDR notation. The subnet size must use a /64 prefix length.
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
 	// The association ID for the IPv6 CIDR block.
 	IPv6CidrBlockAssociationID *string `json:"ipv6CidrBlockAssociationId,omitempty" tf:"ipv6_cidr_block_association_id,omitempty"`
 
+	// Indicates whether to create an IPv6-only subnet. Default: false.
+	IPv6Native *bool `json:"ipv6Native,omitempty" tf:"ipv6_native,omitempty"`
+
+	// Specify true to indicate that network interfaces created in the subnet should be assigned a customer owned IP address. The customer_owned_ipv4_pool and outpost_arn arguments must be specified when set to true. Default is false.
+	MapCustomerOwnedIPOnLaunch *bool `json:"mapCustomerOwnedIpOnLaunch,omitempty" tf:"map_customer_owned_ip_on_launch,omitempty"`
+
+	// Specify true to indicate
+	// that instances launched into the subnet should be assigned
+	// a public IP address. Default is false.
+	MapPublicIPOnLaunch *bool `json:"mapPublicIpOnLaunch,omitempty" tf:"map_public_ip_on_launch,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Outpost.
+	OutpostArn *string `json:"outpostArn,omitempty" tf:"outpost_arn,omitempty"`
+
 	// The ID of the AWS account that owns the subnet.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// The type of hostnames to assign to instances in the subnet at launch. For IPv6-only subnets, an instance DNS name must be based on the instance ID. For dual-stack and IPv4-only subnets, you can specify whether DNS names use the instance IPv4 address or the instance ID. Valid values: ip-name, resource-name.
+	PrivateDNSHostnameTypeOnLaunch *string `json:"privateDnsHostnameTypeOnLaunch,omitempty" tf:"private_dns_hostname_type_on_launch,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VPC ID.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type SubnetParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_subnetcidrreservation_types.go b/apis/ec2/v1beta1/zz_subnetcidrreservation_types.go
index f9b094fdb5..c72b964db8 100755
--- a/apis/ec2/v1beta1/zz_subnetcidrreservation_types.go
+++ b/apis/ec2/v1beta1/zz_subnetcidrreservation_types.go
@@ -15,18 +15,30 @@ import (
 
 type SubnetCidrReservationObservation struct {
 
+	// The CIDR block for the reservation.
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
+	// A brief description of the reservation.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// ID of the CIDR reservation.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// ID of the AWS account that owns this CIDR reservation.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
+
+	// The type of reservation to create. Valid values: explicit, prefix
+	ReservationType *string `json:"reservationType,omitempty" tf:"reservation_type,omitempty"`
+
+	// The ID of the subnet to create the reservation for.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type SubnetCidrReservationParameters struct {
 
 	// The CIDR block for the reservation.
-	// +kubebuilder:validation:Required
-	CidrBlock *string `json:"cidrBlock" tf:"cidr_block,omitempty"`
+	// +kubebuilder:validation:Optional
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
 
 	// A brief description of the reservation.
 	// +kubebuilder:validation:Optional
@@ -38,8 +50,8 @@ type SubnetCidrReservationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The type of reservation to create. Valid values: explicit, prefix
-	// +kubebuilder:validation:Required
-	ReservationType *string `json:"reservationType" tf:"reservation_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReservationType *string `json:"reservationType,omitempty" tf:"reservation_type,omitempty"`
 
 	// The ID of the subnet to create the reservation for.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ec2/v1beta1.Subnet
@@ -79,8 +91,10 @@ type SubnetCidrReservationStatus struct {
 type SubnetCidrReservation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SubnetCidrReservationSpec   `json:"spec"`
-	Status            SubnetCidrReservationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cidrBlock)",message="cidrBlock is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reservationType)",message="reservationType is a required parameter"
+	Spec   SubnetCidrReservationSpec   `json:"spec"`
+	Status SubnetCidrReservationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_tag_types.go b/apis/ec2/v1beta1/zz_tag_types.go
index 42f19f96b4..9d425039dd 100755
--- a/apis/ec2/v1beta1/zz_tag_types.go
+++ b/apis/ec2/v1beta1/zz_tag_types.go
@@ -17,6 +17,15 @@ type TagObservation struct {
 
 	// EC2 resource identifier and key, separated by a comma (,)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The tag name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The ID of the EC2 resource to manage the tag for.
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// The value of the tag.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagParameters struct {
@@ -35,8 +44,8 @@ type TagParameters struct {
 	ResourceID *string `json:"resourceId" tf:"resource_id,omitempty"`
 
 	// The value of the tag.
-	// +kubebuilder:validation:Required
-	Value *string `json:"value" tf:"value,omitempty"`
+	// +kubebuilder:validation:Optional
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 // TagSpec defines the desired state of Tag
@@ -63,8 +72,9 @@ type TagStatus struct {
 type Tag struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TagSpec   `json:"spec"`
-	Status            TagStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)",message="value is a required parameter"
+	Spec   TagSpec   `json:"spec"`
+	Status TagStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_trafficmirrorfilter_types.go b/apis/ec2/v1beta1/zz_trafficmirrorfilter_types.go
index a052746df8..5badf9935c 100755
--- a/apis/ec2/v1beta1/zz_trafficmirrorfilter_types.go
+++ b/apis/ec2/v1beta1/zz_trafficmirrorfilter_types.go
@@ -18,9 +18,18 @@ type TrafficMirrorFilterObservation struct {
 	// The ARN of the traffic mirror filter.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A description of the filter.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The name of the filter.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of amazon network services that should be mirrored. Valid values: amazon-dns.
+	NetworkServices []*string `json:"networkServices,omitempty" tf:"network_services,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_trafficmirrorfilterrule_types.go b/apis/ec2/v1beta1/zz_trafficmirrorfilterrule_types.go
index 5685c32fe4..4f51d7608f 100755
--- a/apis/ec2/v1beta1/zz_trafficmirrorfilterrule_types.go
+++ b/apis/ec2/v1beta1/zz_trafficmirrorfilterrule_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type DestinationPortRangeObservation struct {
+
+	// Starting port of the range
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// Ending port of the range
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type DestinationPortRangeParameters struct {
@@ -28,6 +34,12 @@ type DestinationPortRangeParameters struct {
 }
 
 type SourcePortRangeObservation struct {
+
+	// Starting port of the range
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// Ending port of the range
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type SourcePortRangeParameters struct {
@@ -46,8 +58,38 @@ type TrafficMirrorFilterRuleObservation struct {
 	// ARN of the traffic mirror filter rule.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the traffic mirror filter rule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Destination CIDR block to assign to the Traffic Mirror rule.
+	DestinationCidrBlock *string `json:"destinationCidrBlock,omitempty" tf:"destination_cidr_block,omitempty"`
+
+	// Destination port range. Supported only when the protocol is set to TCP(6) or UDP(17). See Traffic mirror port range documented below
+	DestinationPortRange []DestinationPortRangeObservation `json:"destinationPortRange,omitempty" tf:"destination_port_range,omitempty"`
+
 	// Name of the traffic mirror filter rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Protocol number, for example 17 (UDP), to assign to the Traffic Mirror rule. For information about the protocol value, see Protocol Numbers on the Internet Assigned Numbers Authority (IANA) website.
+	Protocol *float64 `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Action to take (accept | reject) on the filtered traffic. Valid values are accept and reject
+	RuleAction *string `json:"ruleAction,omitempty" tf:"rule_action,omitempty"`
+
+	// Number of the Traffic Mirror rule. This number must be unique for each Traffic Mirror rule in a given direction. The rules are processed in ascending order by rule number.
+	RuleNumber *float64 `json:"ruleNumber,omitempty" tf:"rule_number,omitempty"`
+
+	// Source CIDR block to assign to the Traffic Mirror rule.
+	SourceCidrBlock *string `json:"sourceCidrBlock,omitempty" tf:"source_cidr_block,omitempty"`
+
+	// Source port range. Supported only when the protocol is set to TCP(6) or UDP(17). See Traffic mirror port range documented below
+	SourcePortRange []SourcePortRangeObservation `json:"sourcePortRange,omitempty" tf:"source_port_range,omitempty"`
+
+	// Direction of traffic to be captured. Valid values are ingress and egress
+	TrafficDirection *string `json:"trafficDirection,omitempty" tf:"traffic_direction,omitempty"`
+
+	// ID of the traffic mirror filter to which this rule should be added
+	TrafficMirrorFilterID *string `json:"trafficMirrorFilterId,omitempty" tf:"traffic_mirror_filter_id,omitempty"`
 }
 
 type TrafficMirrorFilterRuleParameters struct {
@@ -57,8 +99,8 @@ type TrafficMirrorFilterRuleParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Destination CIDR block to assign to the Traffic Mirror rule.
-	// +kubebuilder:validation:Required
-	DestinationCidrBlock *string `json:"destinationCidrBlock" tf:"destination_cidr_block,omitempty"`
+	// +kubebuilder:validation:Optional
+	DestinationCidrBlock *string `json:"destinationCidrBlock,omitempty" tf:"destination_cidr_block,omitempty"`
 
 	// Destination port range. Supported only when the protocol is set to TCP(6) or UDP(17). See Traffic mirror port range documented below
 	// +kubebuilder:validation:Optional
@@ -74,24 +116,24 @@ type TrafficMirrorFilterRuleParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Action to take (accept | reject) on the filtered traffic. Valid values are accept and reject
-	// +kubebuilder:validation:Required
-	RuleAction *string `json:"ruleAction" tf:"rule_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleAction *string `json:"ruleAction,omitempty" tf:"rule_action,omitempty"`
 
 	// Number of the Traffic Mirror rule. This number must be unique for each Traffic Mirror rule in a given direction. The rules are processed in ascending order by rule number.
-	// +kubebuilder:validation:Required
-	RuleNumber *float64 `json:"ruleNumber" tf:"rule_number,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleNumber *float64 `json:"ruleNumber,omitempty" tf:"rule_number,omitempty"`
 
 	// Source CIDR block to assign to the Traffic Mirror rule.
-	// +kubebuilder:validation:Required
-	SourceCidrBlock *string `json:"sourceCidrBlock" tf:"source_cidr_block,omitempty"`
+	// +kubebuilder:validation:Optional
+	SourceCidrBlock *string `json:"sourceCidrBlock,omitempty" tf:"source_cidr_block,omitempty"`
 
 	// Source port range. Supported only when the protocol is set to TCP(6) or UDP(17). See Traffic mirror port range documented below
 	// +kubebuilder:validation:Optional
 	SourcePortRange []SourcePortRangeParameters `json:"sourcePortRange,omitempty" tf:"source_port_range,omitempty"`
 
 	// Direction of traffic to be captured. Valid values are ingress and egress
-	// +kubebuilder:validation:Required
-	TrafficDirection *string `json:"trafficDirection" tf:"traffic_direction,omitempty"`
+	// +kubebuilder:validation:Optional
+	TrafficDirection *string `json:"trafficDirection,omitempty" tf:"traffic_direction,omitempty"`
 
 	// ID of the traffic mirror filter to which this rule should be added
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ec2/v1beta1.TrafficMirrorFilter
@@ -132,8 +174,13 @@ type TrafficMirrorFilterRuleStatus struct {
 type TrafficMirrorFilterRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TrafficMirrorFilterRuleSpec   `json:"spec"`
-	Status            TrafficMirrorFilterRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationCidrBlock)",message="destinationCidrBlock is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleAction)",message="ruleAction is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleNumber)",message="ruleNumber is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceCidrBlock)",message="sourceCidrBlock is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.trafficDirection)",message="trafficDirection is a required parameter"
+	Spec   TrafficMirrorFilterRuleSpec   `json:"spec"`
+	Status TrafficMirrorFilterRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_transitgateway_types.go b/apis/ec2/v1beta1/zz_transitgateway_types.go
index 4f2e427cc8..d7b2421c0f 100755
--- a/apis/ec2/v1beta1/zz_transitgateway_types.go
+++ b/apis/ec2/v1beta1/zz_transitgateway_types.go
@@ -15,23 +15,53 @@ import (
 
 type TransitGatewayObservation_2 struct {
 
+	// Private Autonomous System Number (ASN) for the Amazon side of a BGP session. The range is 64512 to 65534 for 16-bit ASNs and 4200000000 to 4294967294 for 32-bit ASNs. Default value: 64512.
+	AmazonSideAsn *float64 `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
+
 	// EC2 Transit Gateway Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Identifier of the default association route table
 	AssociationDefaultRouteTableID *string `json:"associationDefaultRouteTableId,omitempty" tf:"association_default_route_table_id,omitempty"`
 
+	// Whether resource attachment requests are automatically accepted. Valid values: disable, enable. Default value: disable.
+	AutoAcceptSharedAttachments *string `json:"autoAcceptSharedAttachments,omitempty" tf:"auto_accept_shared_attachments,omitempty"`
+
+	// Whether DNS support is enabled. Valid values: disable, enable. Default value: enable.
+	DNSSupport *string `json:"dnsSupport,omitempty" tf:"dns_support,omitempty"`
+
+	// Whether resource attachments are automatically associated with the default association route table. Valid values: disable, enable. Default value: enable.
+	DefaultRouteTableAssociation *string `json:"defaultRouteTableAssociation,omitempty" tf:"default_route_table_association,omitempty"`
+
+	// Whether resource attachments automatically propagate routes to the default propagation route table. Valid values: disable, enable. Default value: enable.
+	DefaultRouteTablePropagation *string `json:"defaultRouteTablePropagation,omitempty" tf:"default_route_table_propagation,omitempty"`
+
+	// Description of the EC2 Transit Gateway.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// EC2 Transit Gateway identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether Multicast support is enabled. Required to use ec2_transit_gateway_multicast_domain. Valid values: disable, enable. Default value: disable.
+	MulticastSupport *string `json:"multicastSupport,omitempty" tf:"multicast_support,omitempty"`
+
 	// Identifier of the AWS account that owns the EC2 Transit Gateway
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
 	// Identifier of the default propagation route table
 	PropagationDefaultRouteTableID *string `json:"propagationDefaultRouteTableId,omitempty" tf:"propagation_default_route_table_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// One or more IPv4 or IPv6 CIDR blocks for the transit gateway. Must be a size /24 CIDR block or larger for IPv4, or a size /64 CIDR block or larger for IPv6.
+	TransitGatewayCidrBlocks []*string `json:"transitGatewayCidrBlocks,omitempty" tf:"transit_gateway_cidr_blocks,omitempty"`
+
+	// Whether VPN Equal Cost Multipath Protocol support is enabled. Valid values: disable, enable. Default value: enable.
+	VPNEcmpSupport *string `json:"vpnEcmpSupport,omitempty" tf:"vpn_ecmp_support,omitempty"`
 }
 
 type TransitGatewayParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewayconnect_types.go b/apis/ec2/v1beta1/zz_transitgatewayconnect_types.go
index 8cb5c6d393..dbe215e39a 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayconnect_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayconnect_types.go
@@ -18,8 +18,26 @@ type TransitGatewayConnectObservation struct {
 	// EC2 Transit Gateway Attachment identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The tunnel protocol. Valida values: gre. Default is gre.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Boolean whether the Connect should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: true.
+	TransitGatewayDefaultRouteTableAssociation *bool `json:"transitGatewayDefaultRouteTableAssociation,omitempty" tf:"transit_gateway_default_route_table_association,omitempty"`
+
+	// Boolean whether the Connect should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: true.
+	TransitGatewayDefaultRouteTablePropagation *bool `json:"transitGatewayDefaultRouteTablePropagation,omitempty" tf:"transit_gateway_default_route_table_propagation,omitempty"`
+
+	// Identifier of EC2 Transit Gateway.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
+
+	// The underlaying VPC attachment
+	TransportAttachmentID *string `json:"transportAttachmentId,omitempty" tf:"transport_attachment_id,omitempty"`
 }
 
 type TransitGatewayConnectParameters struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewayconnectpeer_types.go b/apis/ec2/v1beta1/zz_transitgatewayconnectpeer_types.go
index 62f1510060..832581712b 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayconnectpeer_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayconnectpeer_types.go
@@ -18,11 +18,29 @@ type TransitGatewayConnectPeerObservation struct {
 	// EC2 Transit Gateway Connect Peer ARN
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The BGP ASN number assigned customer device. If not provided, it will use the same BGP ASN as is associated with Transit Gateway.
+	BGPAsn *string `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
+
 	// EC2 Transit Gateway Connect Peer identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The CIDR block that will be used for addressing within the tunnel. It must contain exactly one IPv4 CIDR block and up to one IPv6 CIDR block. The IPv4 CIDR block must be /29 size and must be within 169.254.0.0/16 range, with exception of: 169.254.0.0/29, 169.254.1.0/29, 169.254.2.0/29, 169.254.3.0/29, 169.254.4.0/29, 169.254.5.0/29, 169.254.169.248/29. The IPv6 CIDR block must be /125 size and must be within fd00::/8. The first IP from each CIDR block is assigned for customer gateway, the second and third is for Transit Gateway (An example: from range 169.254.100.0/29, .1 is assigned to customer gateway and .2 and .3 are assigned to Transit Gateway)
+	InsideCidrBlocks []*string `json:"insideCidrBlocks,omitempty" tf:"inside_cidr_blocks,omitempty"`
+
+	// The IP addressed assigned to customer device, which will be used as tunnel endpoint. It can be IPv4 or IPv6 address, but must be the same address family as transit_gateway_address
+	PeerAddress *string `json:"peerAddress,omitempty" tf:"peer_address,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The IP address assigned to Transit Gateway, which will be used as tunnel endpoint. This address must be from associated Transit Gateway CIDR block. The address must be from the same address family as peer_address. If not set explicitly, it will be selected from associated Transit Gateway CIDR blocks
+	TransitGatewayAddress *string `json:"transitGatewayAddress,omitempty" tf:"transit_gateway_address,omitempty"`
+
+	// The Transit Gateway Connect
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
 }
 
 type TransitGatewayConnectPeerParameters struct {
@@ -32,12 +50,12 @@ type TransitGatewayConnectPeerParameters struct {
 	BGPAsn *string `json:"bgpAsn,omitempty" tf:"bgp_asn,omitempty"`
 
 	// The CIDR block that will be used for addressing within the tunnel. It must contain exactly one IPv4 CIDR block and up to one IPv6 CIDR block. The IPv4 CIDR block must be /29 size and must be within 169.254.0.0/16 range, with exception of: 169.254.0.0/29, 169.254.1.0/29, 169.254.2.0/29, 169.254.3.0/29, 169.254.4.0/29, 169.254.5.0/29, 169.254.169.248/29. The IPv6 CIDR block must be /125 size and must be within fd00::/8. The first IP from each CIDR block is assigned for customer gateway, the second and third is for Transit Gateway (An example: from range 169.254.100.0/29, .1 is assigned to customer gateway and .2 and .3 are assigned to Transit Gateway)
-	// +kubebuilder:validation:Required
-	InsideCidrBlocks []*string `json:"insideCidrBlocks" tf:"inside_cidr_blocks,omitempty"`
+	// +kubebuilder:validation:Optional
+	InsideCidrBlocks []*string `json:"insideCidrBlocks,omitempty" tf:"inside_cidr_blocks,omitempty"`
 
 	// The IP addressed assigned to customer device, which will be used as tunnel endpoint. It can be IPv4 or IPv6 address, but must be the same address family as transit_gateway_address
-	// +kubebuilder:validation:Required
-	PeerAddress *string `json:"peerAddress" tf:"peer_address,omitempty"`
+	// +kubebuilder:validation:Optional
+	PeerAddress *string `json:"peerAddress,omitempty" tf:"peer_address,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -91,8 +109,10 @@ type TransitGatewayConnectPeerStatus struct {
 type TransitGatewayConnectPeer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TransitGatewayConnectPeerSpec   `json:"spec"`
-	Status            TransitGatewayConnectPeerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.insideCidrBlocks)",message="insideCidrBlocks is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.peerAddress)",message="peerAddress is a required parameter"
+	Spec   TransitGatewayConnectPeerSpec   `json:"spec"`
+	Status TransitGatewayConnectPeerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_transitgatewaymulticastdomain_types.go b/apis/ec2/v1beta1/zz_transitgatewaymulticastdomain_types.go
index f537b37e2a..1c104a10d9 100755
--- a/apis/ec2/v1beta1/zz_transitgatewaymulticastdomain_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewaymulticastdomain_types.go
@@ -18,14 +18,29 @@ type TransitGatewayMulticastDomainObservation struct {
 	// EC2 Transit Gateway Multicast Domain Amazon Resource Name (ARN).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically accept cross-account subnet associations that are associated with the EC2 Transit Gateway Multicast Domain. Valid values: disable, enable. Default value: disable.
+	AutoAcceptSharedAssociations *string `json:"autoAcceptSharedAssociations,omitempty" tf:"auto_accept_shared_associations,omitempty"`
+
 	// EC2 Transit Gateway Multicast Domain identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to enable Internet Group Management Protocol (IGMP) version 2 for the EC2 Transit Gateway Multicast Domain. Valid values: disable, enable. Default value: disable.
+	Igmpv2Support *string `json:"igmpv2Support,omitempty" tf:"igmpv2_support,omitempty"`
+
 	// Identifier of the AWS account that owns the EC2 Transit Gateway Multicast Domain.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Whether to enable support for statically configuring multicast group sources for the EC2 Transit Gateway Multicast Domain. Valid values: disable, enable. Default value: disable.
+	StaticSourcesSupport *string `json:"staticSourcesSupport,omitempty" tf:"static_sources_support,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// EC2 Transit Gateway identifier. The EC2 Transit Gateway must have multicast_support enabled.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
 }
 
 type TransitGatewayMulticastDomainParameters struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewaymulticastdomainassociation_types.go b/apis/ec2/v1beta1/zz_transitgatewaymulticastdomainassociation_types.go
index d1a7e6b11c..16d8f04627 100755
--- a/apis/ec2/v1beta1/zz_transitgatewaymulticastdomainassociation_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewaymulticastdomainassociation_types.go
@@ -17,6 +17,15 @@ type TransitGatewayMulticastDomainAssociationObservation struct {
 
 	// EC2 Transit Gateway Multicast Domain Association identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the subnet to associate with the transit gateway multicast domain.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// The ID of the transit gateway attachment.
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
+	// The ID of the transit gateway multicast domain.
+	TransitGatewayMulticastDomainID *string `json:"transitGatewayMulticastDomainId,omitempty" tf:"transit_gateway_multicast_domain_id,omitempty"`
 }
 
 type TransitGatewayMulticastDomainAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupmember_types.go b/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupmember_types.go
index 4edd38061f..904286c7ea 100755
--- a/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupmember_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupmember_types.go
@@ -15,15 +15,24 @@ import (
 
 type TransitGatewayMulticastGroupMemberObservation struct {
 
+	// The IP address assigned to the transit gateway multicast group.
+	GroupIPAddress *string `json:"groupIpAddress,omitempty" tf:"group_ip_address,omitempty"`
+
 	// EC2 Transit Gateway Multicast Group Member identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The group members' network interface ID to register with the transit gateway multicast group.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
+	// The ID of the transit gateway multicast domain.
+	TransitGatewayMulticastDomainID *string `json:"transitGatewayMulticastDomainId,omitempty" tf:"transit_gateway_multicast_domain_id,omitempty"`
 }
 
 type TransitGatewayMulticastGroupMemberParameters struct {
 
 	// The IP address assigned to the transit gateway multicast group.
-	// +kubebuilder:validation:Required
-	GroupIPAddress *string `json:"groupIpAddress" tf:"group_ip_address,omitempty"`
+	// +kubebuilder:validation:Optional
+	GroupIPAddress *string `json:"groupIpAddress,omitempty" tf:"group_ip_address,omitempty"`
 
 	// The group members' network interface ID to register with the transit gateway multicast group.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ec2/v1beta1.NetworkInterface
@@ -83,8 +92,9 @@ type TransitGatewayMulticastGroupMemberStatus struct {
 type TransitGatewayMulticastGroupMember struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TransitGatewayMulticastGroupMemberSpec   `json:"spec"`
-	Status            TransitGatewayMulticastGroupMemberStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupIpAddress)",message="groupIpAddress is a required parameter"
+	Spec   TransitGatewayMulticastGroupMemberSpec   `json:"spec"`
+	Status TransitGatewayMulticastGroupMemberStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupsource_types.go b/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupsource_types.go
index 7994d3bf01..00128ec6ac 100755
--- a/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupsource_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewaymulticastgroupsource_types.go
@@ -15,15 +15,24 @@ import (
 
 type TransitGatewayMulticastGroupSourceObservation struct {
 
+	// The IP address assigned to the transit gateway multicast group.
+	GroupIPAddress *string `json:"groupIpAddress,omitempty" tf:"group_ip_address,omitempty"`
+
 	// EC2 Transit Gateway Multicast Group Member identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The group members' network interface ID to register with the transit gateway multicast group.
+	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
+
+	// The ID of the transit gateway multicast domain.
+	TransitGatewayMulticastDomainID *string `json:"transitGatewayMulticastDomainId,omitempty" tf:"transit_gateway_multicast_domain_id,omitempty"`
 }
 
 type TransitGatewayMulticastGroupSourceParameters struct {
 
 	// The IP address assigned to the transit gateway multicast group.
-	// +kubebuilder:validation:Required
-	GroupIPAddress *string `json:"groupIpAddress" tf:"group_ip_address,omitempty"`
+	// +kubebuilder:validation:Optional
+	GroupIPAddress *string `json:"groupIpAddress,omitempty" tf:"group_ip_address,omitempty"`
 
 	// The group members' network interface ID to register with the transit gateway multicast group.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ec2/v1beta1.NetworkInterface
@@ -83,8 +92,9 @@ type TransitGatewayMulticastGroupSourceStatus struct {
 type TransitGatewayMulticastGroupSource struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TransitGatewayMulticastGroupSourceSpec   `json:"spec"`
-	Status            TransitGatewayMulticastGroupSourceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupIpAddress)",message="groupIpAddress is a required parameter"
+	Spec   TransitGatewayMulticastGroupSourceSpec   `json:"spec"`
+	Status TransitGatewayMulticastGroupSourceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_transitgatewaypeeringattachment_types.go b/apis/ec2/v1beta1/zz_transitgatewaypeeringattachment_types.go
index c3520d8e6f..cf318c9a5b 100755
--- a/apis/ec2/v1beta1/zz_transitgatewaypeeringattachment_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewaypeeringattachment_types.go
@@ -18,8 +18,23 @@ type TransitGatewayPeeringAttachmentObservation struct {
 	// EC2 Transit Gateway Attachment identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Account ID of EC2 Transit Gateway to peer with. Defaults to the account ID the AWS provider is currently connected to.
+	PeerAccountID *string `json:"peerAccountId,omitempty" tf:"peer_account_id,omitempty"`
+
+	// Region of EC2 Transit Gateway to peer with.
+	PeerRegion *string `json:"peerRegion,omitempty" tf:"peer_region,omitempty"`
+
+	// Identifier of EC2 Transit Gateway to peer with.
+	PeerTransitGatewayID *string `json:"peerTransitGatewayId,omitempty" tf:"peer_transit_gateway_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Identifier of EC2 Transit Gateway.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
 }
 
 type TransitGatewayPeeringAttachmentParameters struct {
@@ -29,8 +44,8 @@ type TransitGatewayPeeringAttachmentParameters struct {
 	PeerAccountID *string `json:"peerAccountId,omitempty" tf:"peer_account_id,omitempty"`
 
 	// Region of EC2 Transit Gateway to peer with.
-	// +kubebuilder:validation:Required
-	PeerRegion *string `json:"peerRegion" tf:"peer_region,omitempty"`
+	// +kubebuilder:validation:Optional
+	PeerRegion *string `json:"peerRegion,omitempty" tf:"peer_region,omitempty"`
 
 	// Identifier of EC2 Transit Gateway to peer with.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ec2/v1beta1.TransitGateway
@@ -94,8 +109,9 @@ type TransitGatewayPeeringAttachmentStatus struct {
 type TransitGatewayPeeringAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TransitGatewayPeeringAttachmentSpec   `json:"spec"`
-	Status            TransitGatewayPeeringAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.peerRegion)",message="peerRegion is a required parameter"
+	Spec   TransitGatewayPeeringAttachmentSpec   `json:"spec"`
+	Status TransitGatewayPeeringAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_transitgatewaypeeringattachmentaccepter_types.go b/apis/ec2/v1beta1/zz_transitgatewaypeeringattachmentaccepter_types.go
index 77467b4aed..30ac50de24 100755
--- a/apis/ec2/v1beta1/zz_transitgatewaypeeringattachmentaccepter_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewaypeeringattachmentaccepter_types.go
@@ -26,9 +26,15 @@ type TransitGatewayPeeringAttachmentAccepterObservation struct {
 	// Identifier of EC2 Transit Gateway to peer with.
 	PeerTransitGatewayID *string `json:"peerTransitGatewayId,omitempty" tf:"peer_transit_gateway_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// The ID of the EC2 Transit Gateway Peering Attachment to manage.
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
 	// Identifier of EC2 Transit Gateway.
 	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_transitgatewaypolicytable_types.go b/apis/ec2/v1beta1/zz_transitgatewaypolicytable_types.go
index 85811dff7b..748a91917f 100755
--- a/apis/ec2/v1beta1/zz_transitgatewaypolicytable_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewaypolicytable_types.go
@@ -24,8 +24,14 @@ type TransitGatewayPolicyTableObservation struct {
 	// The state of the EC2 Transit Gateway Policy Table.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// EC2 Transit Gateway identifier.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
 }
 
 type TransitGatewayPolicyTableParameters struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewayprefixlistreference_types.go b/apis/ec2/v1beta1/zz_transitgatewayprefixlistreference_types.go
index 8650858b78..08b72f62c9 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayprefixlistreference_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayprefixlistreference_types.go
@@ -15,11 +15,23 @@ import (
 
 type TransitGatewayPrefixListReferenceObservation struct {
 
+	// Indicates whether to drop traffic that matches the Prefix List. Defaults to false.
+	Blackhole *bool `json:"blackhole,omitempty" tf:"blackhole,omitempty"`
+
 	// EC2 Transit Gateway Route Table identifier and EC2 Prefix List identifier, separated by an underscore (_)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Identifier of EC2 Prefix List.
+	PrefixListID *string `json:"prefixListId,omitempty" tf:"prefix_list_id,omitempty"`
+
 	// EC2 Transit Gateway Route Table identifier and EC2 Prefix List identifier, separated by an underscore (_)
 	PrefixListOwnerID *string `json:"prefixListOwnerId,omitempty" tf:"prefix_list_owner_id,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Attachment.
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Route Table.
+	TransitGatewayRouteTableID *string `json:"transitGatewayRouteTableId,omitempty" tf:"transit_gateway_route_table_id,omitempty"`
 }
 
 type TransitGatewayPrefixListReferenceParameters struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewayroute_types.go b/apis/ec2/v1beta1/zz_transitgatewayroute_types.go
index 0986a2aeda..3128cccc8d 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayroute_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayroute_types.go
@@ -15,8 +15,20 @@ import (
 
 type TransitGatewayRouteObservation struct {
 
+	// Indicates whether to drop traffic that matches this route (default to false).
+	Blackhole *bool `json:"blackhole,omitempty" tf:"blackhole,omitempty"`
+
+	// IPv4 or IPv6 RFC1924 CIDR used for destination matches. Routing decisions are based on the most specific match.
+	DestinationCidrBlock *string `json:"destinationCidrBlock,omitempty" tf:"destination_cidr_block,omitempty"`
+
 	// EC2 Transit Gateway Route Table identifier combined with destination
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Attachment .
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Route Table.
+	TransitGatewayRouteTableID *string `json:"transitGatewayRouteTableId,omitempty" tf:"transit_gateway_route_table_id,omitempty"`
 }
 
 type TransitGatewayRouteParameters struct {
@@ -26,8 +38,8 @@ type TransitGatewayRouteParameters struct {
 	Blackhole *bool `json:"blackhole,omitempty" tf:"blackhole,omitempty"`
 
 	// IPv4 or IPv6 RFC1924 CIDR used for destination matches. Routing decisions are based on the most specific match.
-	// +kubebuilder:validation:Required
-	DestinationCidrBlock *string `json:"destinationCidrBlock" tf:"destination_cidr_block,omitempty"`
+	// +kubebuilder:validation:Optional
+	DestinationCidrBlock *string `json:"destinationCidrBlock,omitempty" tf:"destination_cidr_block,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -85,8 +97,9 @@ type TransitGatewayRouteStatus struct {
 type TransitGatewayRoute struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TransitGatewayRouteSpec   `json:"spec"`
-	Status            TransitGatewayRouteStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationCidrBlock)",message="destinationCidrBlock is a required parameter"
+	Spec   TransitGatewayRouteSpec   `json:"spec"`
+	Status TransitGatewayRouteStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_transitgatewayroutetable_types.go b/apis/ec2/v1beta1/zz_transitgatewayroutetable_types.go
index f80eea4ada..d735f1ebe5 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayroutetable_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayroutetable_types.go
@@ -27,8 +27,14 @@ type TransitGatewayRouteTableObservation_2 struct {
 	// EC2 Transit Gateway Route Table identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Identifier of EC2 Transit Gateway.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
 }
 
 type TransitGatewayRouteTableParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewayroutetableassociation_types.go b/apis/ec2/v1beta1/zz_transitgatewayroutetableassociation_types.go
index c554359770..46c0b65f53 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayroutetableassociation_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayroutetableassociation_types.go
@@ -23,6 +23,12 @@ type TransitGatewayRouteTableAssociationObservation struct {
 
 	// Type of the resource
 	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Attachment.
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Route Table.
+	TransitGatewayRouteTableID *string `json:"transitGatewayRouteTableId,omitempty" tf:"transit_gateway_route_table_id,omitempty"`
 }
 
 type TransitGatewayRouteTableAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewayroutetablepropagation_types.go b/apis/ec2/v1beta1/zz_transitgatewayroutetablepropagation_types.go
index c360f15563..93a6a481a5 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayroutetablepropagation_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayroutetablepropagation_types.go
@@ -23,6 +23,12 @@ type TransitGatewayRouteTablePropagationObservation struct {
 
 	// Type of the resource
 	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Attachment.
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
+	// Identifier of EC2 Transit Gateway Route Table.
+	TransitGatewayRouteTableID *string `json:"transitGatewayRouteTableId,omitempty" tf:"transit_gateway_route_table_id,omitempty"`
 }
 
 type TransitGatewayRouteTablePropagationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_transitgatewayvpcattachment_types.go b/apis/ec2/v1beta1/zz_transitgatewayvpcattachment_types.go
index 0237fafed6..f5429c22e3 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayvpcattachment_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayvpcattachment_types.go
@@ -15,12 +15,39 @@ import (
 
 type TransitGatewayVPCAttachmentObservation struct {
 
+	// Whether Appliance Mode support is enabled. If enabled, a traffic flow between a source and destination uses the same Availability Zone for the VPC attachment for the lifetime of that flow. Valid values: disable, enable. Default value: disable.
+	ApplianceModeSupport *string `json:"applianceModeSupport,omitempty" tf:"appliance_mode_support,omitempty"`
+
+	// Whether DNS support is enabled. Valid values: disable, enable. Default value: enable.
+	DNSSupport *string `json:"dnsSupport,omitempty" tf:"dns_support,omitempty"`
+
 	// EC2 Transit Gateway Attachment identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether IPv6 support is enabled. Valid values: disable, enable. Default value: disable.
+	IPv6Support *string `json:"ipv6Support,omitempty" tf:"ipv6_support,omitempty"`
+
+	// Identifiers of EC2 Subnets.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: true.
+	TransitGatewayDefaultRouteTableAssociation *bool `json:"transitGatewayDefaultRouteTableAssociation,omitempty" tf:"transit_gateway_default_route_table_association,omitempty"`
+
+	// Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. This cannot be configured or perform drift detection with Resource Access Manager shared EC2 Transit Gateways. Default value: true.
+	TransitGatewayDefaultRouteTablePropagation *bool `json:"transitGatewayDefaultRouteTablePropagation,omitempty" tf:"transit_gateway_default_route_table_propagation,omitempty"`
+
+	// Identifier of EC2 Transit Gateway.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
+
+	// Identifier of EC2 VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
 	// Identifier of the AWS account that owns the EC2 VPC.
 	VPCOwnerID *string `json:"vpcOwnerId,omitempty" tf:"vpc_owner_id,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_transitgatewayvpcattachmentaccepter_types.go b/apis/ec2/v1beta1/zz_transitgatewayvpcattachmentaccepter_types.go
index 925dc682a7..cacbbd35b3 100755
--- a/apis/ec2/v1beta1/zz_transitgatewayvpcattachmentaccepter_types.go
+++ b/apis/ec2/v1beta1/zz_transitgatewayvpcattachmentaccepter_types.go
@@ -30,9 +30,21 @@ type TransitGatewayVPCAttachmentAccepterObservation struct {
 	// Identifiers of EC2 Subnets.
 	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// The ID of the EC2 Transit Gateway Attachment to manage.
+	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
+
+	// Boolean whether the VPC Attachment should be associated with the EC2 Transit Gateway association default route table. Default value: true.
+	TransitGatewayDefaultRouteTableAssociation *bool `json:"transitGatewayDefaultRouteTableAssociation,omitempty" tf:"transit_gateway_default_route_table_association,omitempty"`
+
+	// Boolean whether the VPC Attachment should propagate routes with the EC2 Transit Gateway propagation default route table. Default value: true.
+	TransitGatewayDefaultRouteTablePropagation *bool `json:"transitGatewayDefaultRouteTablePropagation,omitempty" tf:"transit_gateway_default_route_table_propagation,omitempty"`
+
 	// Identifier of EC2 Transit Gateway.
 	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
 
diff --git a/apis/ec2/v1beta1/zz_volumeattachment_types.go b/apis/ec2/v1beta1/zz_volumeattachment_types.go
index 7313649401..ba6ef856d5 100755
--- a/apis/ec2/v1beta1/zz_volumeattachment_types.go
+++ b/apis/ec2/v1beta1/zz_volumeattachment_types.go
@@ -14,15 +14,41 @@ import (
 )
 
 type VolumeAttachmentObservation struct {
+
+	// The device name to expose to the instance (for
+	// example, /dev/sdh or xvdh).  See Device Naming on Linux Instances and Device Naming on Windows Instances for more information.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Set to true if you want to force the
+	// volume to detach. Useful if previous attempts failed, but use this option only
+	// as a last resort, as this can result in data loss. See
+	// Detaching an Amazon EBS Volume from an Instance for more information.
+	ForceDetach *bool `json:"forceDetach,omitempty" tf:"force_detach,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ID of the Instance to attach to
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// This is
+	// useful when destroying an instance which has volumes created by some other
+	// means attached.
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// Set this to true to ensure that the target instance is stopped
+	// before trying to detach the volume. Stops the instance, if it is not already stopped.
+	StopInstanceBeforeDetaching *bool `json:"stopInstanceBeforeDetaching,omitempty" tf:"stop_instance_before_detaching,omitempty"`
+
+	// ID of the Volume to be attached
+	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
 }
 
 type VolumeAttachmentParameters struct {
 
 	// The device name to expose to the instance (for
 	// example, /dev/sdh or xvdh).  See Device Naming on Linux Instances and Device Naming on Windows Instances for more information.
-	// +kubebuilder:validation:Required
-	DeviceName *string `json:"deviceName" tf:"device_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
 
 	// Set to true if you want to force the
 	// volume to detach. Useful if previous attempts failed, but use this option only
@@ -100,8 +126,9 @@ type VolumeAttachmentStatus struct {
 type VolumeAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VolumeAttachmentSpec   `json:"spec"`
-	Status            VolumeAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deviceName)",message="deviceName is a required parameter"
+	Spec   VolumeAttachmentSpec   `json:"spec"`
+	Status VolumeAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_vpc_types.go b/apis/ec2/v1beta1/zz_vpc_types.go
index ec97684e7e..4881af2857 100755
--- a/apis/ec2/v1beta1/zz_vpc_types.go
+++ b/apis/ec2/v1beta1/zz_vpc_types.go
@@ -18,6 +18,12 @@ type VPCObservation_2 struct {
 	// Amazon Resource Name (ARN) of VPC
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Requests an Amazon-provided IPv6 CIDR block with a /56 prefix length for the VPC. You cannot specify the range of IP addresses, or the size of the CIDR block. Default is false. Conflicts with ipv6_ipam_pool_id
+	AssignGeneratedIPv6CidrBlock *bool `json:"assignGeneratedIpv6CidrBlock,omitempty" tf:"assign_generated_ipv6_cidr_block,omitempty"`
+
+	// The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using ipv4_netmask_length.
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
 	// The ID of the VPC
 	DHCPOptionsID *string `json:"dhcpOptionsId,omitempty" tf:"dhcp_options_id,omitempty"`
 
@@ -30,12 +36,51 @@ type VPCObservation_2 struct {
 	// The ID of the security group created by default on VPC creation
 	DefaultSecurityGroupID *string `json:"defaultSecurityGroupId,omitempty" tf:"default_security_group_id,omitempty"`
 
+	// A boolean flag to enable/disable ClassicLink
+	// for the VPC. Only valid in regions and accounts that support EC2 Classic.
+	// See the ClassicLink documentation for more information. Defaults false.
+	EnableClassiclink *bool `json:"enableClassiclink,omitempty" tf:"enable_classiclink,omitempty"`
+
+	// A boolean flag to enable/disable ClassicLink DNS Support for the VPC.
+	// Only valid in regions and accounts that support EC2 Classic.
+	EnableClassiclinkDNSSupport *bool `json:"enableClassiclinkDnsSupport,omitempty" tf:"enable_classiclink_dns_support,omitempty"`
+
+	// A boolean flag to enable/disable DNS hostnames in the VPC. Defaults false.
+	EnableDNSHostnames *bool `json:"enableDnsHostnames,omitempty" tf:"enable_dns_hostnames,omitempty"`
+
+	// A boolean flag to enable/disable DNS support in the VPC. Defaults to true.
+	EnableDNSSupport *bool `json:"enableDnsSupport,omitempty" tf:"enable_dns_support,omitempty"`
+
+	// Indicates whether Network Address Usage metrics are enabled for your VPC. Defaults to false.
+	EnableNetworkAddressUsageMetrics *bool `json:"enableNetworkAddressUsageMetrics,omitempty" tf:"enable_network_address_usage_metrics,omitempty"`
+
 	// The ID of the VPC
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. IPAM is a VPC feature that you can use to automate your IP address management workflows including assigning, tracking, troubleshooting, and auditing IP addresses across AWS Regions and accounts. Using IPAM you can monitor IP address usage throughout your AWS Organization.
+	IPv4IpamPoolID *string `json:"ipv4IpamPoolId,omitempty" tf:"ipv4_ipam_pool_id,omitempty"`
+
+	// The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id.
+	IPv4NetmaskLength *float64 `json:"ipv4NetmaskLength,omitempty" tf:"ipv4_netmask_length,omitempty"`
+
 	// The association ID for the IPv6 CIDR block.
 	IPv6AssociationID *string `json:"ipv6AssociationId,omitempty" tf:"ipv6_association_id,omitempty"`
 
+	// IPv6 CIDR block to request from an IPAM Pool. Can be set explicitly or derived from IPAM using ipv6_netmask_length.
+	IPv6CidrBlock *string `json:"ipv6CidrBlock,omitempty" tf:"ipv6_cidr_block,omitempty"`
+
+	// By default when an IPv6 CIDR is assigned to a VPC a default ipv6_cidr_block_network_border_group will be set to the region of the VPC. This can be changed to restrict advertisement of public addresses to specific Network Border Groups such as LocalZones.
+	IPv6CidrBlockNetworkBorderGroup *string `json:"ipv6CidrBlockNetworkBorderGroup,omitempty" tf:"ipv6_cidr_block_network_border_group,omitempty"`
+
+	// IPAM Pool ID for a IPv6 pool. Conflicts with assign_generated_ipv6_cidr_block.
+	IPv6IpamPoolID *string `json:"ipv6IpamPoolId,omitempty" tf:"ipv6_ipam_pool_id,omitempty"`
+
+	// Netmask length to request from IPAM Pool. Conflicts with ipv6_cidr_block. This can be omitted if IPAM pool as a allocation_default_netmask_length set. Valid values: 56.
+	IPv6NetmaskLength *float64 `json:"ipv6NetmaskLength,omitempty" tf:"ipv6_netmask_length,omitempty"`
+
+	// A tenancy option for instances launched into the VPC. Default is default, which ensures that EC2 instances launched in this VPC use the EC2 instance tenancy attribute specified when the EC2 instance is launched. The only other option is dedicated, which ensures that EC2 instances launched in this VPC are run on dedicated tenancy instances regardless of the tenancy attribute specified at launch. This has a dedicated per region fee of $2 per hour, plus an hourly per instance usage fee.
+	InstanceTenancy *string `json:"instanceTenancy,omitempty" tf:"instance_tenancy,omitempty"`
+
 	// The ID of the main route table associated with
 	// this VPC. Note that you can change a VPC's main route table by using an
 	// aws_main_route_table_association.
@@ -44,6 +89,9 @@ type VPCObservation_2 struct {
 	// The ID of the AWS account that owns the VPC.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_vpcdhcpoptions_types.go b/apis/ec2/v1beta1/zz_vpcdhcpoptions_types.go
index bae3c69723..8ed2072f99 100755
--- a/apis/ec2/v1beta1/zz_vpcdhcpoptions_types.go
+++ b/apis/ec2/v1beta1/zz_vpcdhcpoptions_types.go
@@ -18,12 +18,30 @@ type VPCDHCPOptionsObservation struct {
 	// The ARN of the DHCP Options Set.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// the suffix domain name to use by default when resolving non Fully Qualified Domain Names. In other words, this is what ends up being the search value in the /etc/resolv.conf file.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// List of name servers to configure in /etc/resolv.conf. If you want to use the default AWS nameservers you should set this to AmazonProvidedDNS.
+	DomainNameServers []*string `json:"domainNameServers,omitempty" tf:"domain_name_servers,omitempty"`
+
 	// The ID of the DHCP Options Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of NETBIOS name servers.
+	NetbiosNameServers []*string `json:"netbiosNameServers,omitempty" tf:"netbios_name_servers,omitempty"`
+
+	// The NetBIOS node type (1, 2, 4, or 8). AWS recommends to specify 2 since broadcast and multicast are not supported in their network. For more information about these node types, see RFC 2132.
+	NetbiosNodeType *string `json:"netbiosNodeType,omitempty" tf:"netbios_node_type,omitempty"`
+
+	// List of NTP servers to configure.
+	NtpServers []*string `json:"ntpServers,omitempty" tf:"ntp_servers,omitempty"`
+
 	// The ID of the AWS account that owns the DHCP options set.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_vpcdhcpoptionsassociation_types.go b/apis/ec2/v1beta1/zz_vpcdhcpoptionsassociation_types.go
index a9e9b60043..698e3e0c52 100755
--- a/apis/ec2/v1beta1/zz_vpcdhcpoptionsassociation_types.go
+++ b/apis/ec2/v1beta1/zz_vpcdhcpoptionsassociation_types.go
@@ -15,8 +15,14 @@ import (
 
 type VPCDHCPOptionsAssociationObservation struct {
 
+	// The ID of the DHCP Options Set to associate to the VPC.
+	DHCPOptionsID *string `json:"dhcpOptionsId,omitempty" tf:"dhcp_options_id,omitempty"`
+
 	// The ID of the DHCP Options Set Association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the VPC to which we would like to associate a DHCP Options Set.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCDHCPOptionsAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpcendpoint_types.go b/apis/ec2/v1beta1/zz_vpcendpoint_types.go
index 4868f6d4f4..ec8b092a33 100755
--- a/apis/ec2/v1beta1/zz_vpcendpoint_types.go
+++ b/apis/ec2/v1beta1/zz_vpcendpoint_types.go
@@ -26,6 +26,9 @@ type DNSEntryParameters struct {
 }
 
 type DNSOptionsObservation struct {
+
+	// The DNS records created for the endpoint. Valid values are ipv4, dualstack, service-defined, and ipv6.
+	DNSRecordIPType *string `json:"dnsRecordIpType,omitempty" tf:"dns_record_ip_type,omitempty"`
 }
 
 type DNSOptionsParameters struct {
@@ -40,24 +43,40 @@ type VPCEndpointObservation_2 struct {
 	// The Amazon Resource Name (ARN) of the VPC endpoint.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Accept the VPC endpoint (the VPC endpoint and service need to be in the same AWS account).
+	AutoAccept *bool `json:"autoAccept,omitempty" tf:"auto_accept,omitempty"`
+
 	// The list of CIDR blocks for the exposed AWS service. Applicable for endpoints of type Gateway.
 	CidrBlocks []*string `json:"cidrBlocks,omitempty" tf:"cidr_blocks,omitempty"`
 
 	// The DNS entries for the VPC Endpoint. Applicable for endpoints of type Interface. DNS blocks are documented below.
 	DNSEntry []DNSEntryObservation `json:"dnsEntry,omitempty" tf:"dns_entry,omitempty"`
 
+	// The DNS options for the endpoint. See dns_options below.
+	DNSOptions []DNSOptionsObservation `json:"dnsOptions,omitempty" tf:"dns_options,omitempty"`
+
 	// The ID of the VPC endpoint.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IP address type for the endpoint. Valid values are ipv4, dualstack, and ipv6.
+	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
+
 	// One or more network interfaces for the VPC Endpoint. Applicable for endpoints of type Interface.
 	NetworkInterfaceIds []*string `json:"networkInterfaceIds,omitempty" tf:"network_interface_ids,omitempty"`
 
 	// The ID of the AWS account that owns the VPC endpoint.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// A policy to attach to the endpoint that controls access to the service. This is a JSON formatted string. Defaults to full access. All Gateway and some Interface endpoints support policies - see the relevant AWS documentation for more details.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
 	// The prefix list ID of the exposed AWS service. Applicable for endpoints of type Gateway.
 	PrefixListID *string `json:"prefixListId,omitempty" tf:"prefix_list_id,omitempty"`
 
+	// Whether or not to associate a private hosted zone with the specified VPC. Applicable for endpoints of type Interface.
+	// Defaults to false.
+	PrivateDNSEnabled *bool `json:"privateDnsEnabled,omitempty" tf:"private_dns_enabled,omitempty"`
+
 	// Whether or not the VPC Endpoint is being managed by its service - true or false.
 	RequesterManaged *bool `json:"requesterManaged,omitempty" tf:"requester_managed,omitempty"`
 
@@ -68,14 +87,26 @@ type VPCEndpointObservation_2 struct {
 	// If no security groups are specified, the VPC's default security group is associated with the endpoint.
 	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
 
+	// The service name. For AWS services the service name is usually in the form com.amazonaws.<region>.<service> (the SageMaker Notebook service is an exception to this rule, the service name is in the form aws.sagemaker.<region>.notebook).
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
+
 	// The state of the VPC endpoint.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
 	// The ID of one or more subnets in which to create a network interface for the endpoint. Applicable for endpoints of type GatewayLoadBalancer and Interface.
 	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VPC endpoint type, Gateway, GatewayLoadBalancer, or Interface. Defaults to Gateway.
+	VPCEndpointType *string `json:"vpcEndpointType,omitempty" tf:"vpc_endpoint_type,omitempty"`
+
+	// The ID of the VPC in which the endpoint will be used.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCEndpointParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_vpcendpointconnectionnotification_types.go b/apis/ec2/v1beta1/zz_vpcendpointconnectionnotification_types.go
index 6a73ad651f..d7e4301295 100755
--- a/apis/ec2/v1beta1/zz_vpcendpointconnectionnotification_types.go
+++ b/apis/ec2/v1beta1/zz_vpcendpointconnectionnotification_types.go
@@ -15,6 +15,12 @@ import (
 
 type VPCEndpointConnectionNotificationObservation struct {
 
+	// One or more endpoint events for which to receive notifications.
+	ConnectionEvents []*string `json:"connectionEvents,omitempty" tf:"connection_events,omitempty"`
+
+	// The ARN of the SNS topic for the notifications.
+	ConnectionNotificationArn *string `json:"connectionNotificationArn,omitempty" tf:"connection_notification_arn,omitempty"`
+
 	// The ID of the VPC connection notification.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -23,13 +29,19 @@ type VPCEndpointConnectionNotificationObservation struct {
 
 	// The state of the notification.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
+
+	// The ID of the VPC Endpoint to receive notifications for.
+	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
+
+	// The ID of the VPC Endpoint Service to receive notifications for.
+	VPCEndpointServiceID *string `json:"vpcEndpointServiceId,omitempty" tf:"vpc_endpoint_service_id,omitempty"`
 }
 
 type VPCEndpointConnectionNotificationParameters struct {
 
 	// One or more endpoint events for which to receive notifications.
-	// +kubebuilder:validation:Required
-	ConnectionEvents []*string `json:"connectionEvents" tf:"connection_events,omitempty"`
+	// +kubebuilder:validation:Optional
+	ConnectionEvents []*string `json:"connectionEvents,omitempty" tf:"connection_events,omitempty"`
 
 	// The ARN of the SNS topic for the notifications.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/sns/v1beta1.Topic
@@ -93,8 +105,9 @@ type VPCEndpointConnectionNotificationStatus struct {
 type VPCEndpointConnectionNotification struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCEndpointConnectionNotificationSpec   `json:"spec"`
-	Status            VPCEndpointConnectionNotificationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.connectionEvents)",message="connectionEvents is a required parameter"
+	Spec   VPCEndpointConnectionNotificationSpec   `json:"spec"`
+	Status VPCEndpointConnectionNotificationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_vpcendpointroutetableassociation_types.go b/apis/ec2/v1beta1/zz_vpcendpointroutetableassociation_types.go
index 01d0699f19..f45930b4f8 100755
--- a/apis/ec2/v1beta1/zz_vpcendpointroutetableassociation_types.go
+++ b/apis/ec2/v1beta1/zz_vpcendpointroutetableassociation_types.go
@@ -17,6 +17,12 @@ type VPCEndpointRouteTableAssociationObservation struct {
 
 	// A hash of the EC2 Route Table and VPC Endpoint identifiers.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Identifier of the EC2 Route Table to be associated with the VPC Endpoint.
+	RouteTableID *string `json:"routeTableId,omitempty" tf:"route_table_id,omitempty"`
+
+	// Identifier of the VPC Endpoint with which the EC2 Route Table will be associated.
+	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
 }
 
 type VPCEndpointRouteTableAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpcendpointsecuritygroupassociation_types.go b/apis/ec2/v1beta1/zz_vpcendpointsecuritygroupassociation_types.go
index 2c90e40dad..d45500c178 100755
--- a/apis/ec2/v1beta1/zz_vpcendpointsecuritygroupassociation_types.go
+++ b/apis/ec2/v1beta1/zz_vpcendpointsecuritygroupassociation_types.go
@@ -17,6 +17,15 @@ type VPCEndpointSecurityGroupAssociationObservation struct {
 
 	// The ID of the association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Whether this association should replace the association with the VPC's default security group that is created when no security groups are specified during VPC endpoint creation. At most 1 association per-VPC endpoint should be configured with replace_default_association = true.
+	ReplaceDefaultAssociation *bool `json:"replaceDefaultAssociation,omitempty" tf:"replace_default_association,omitempty"`
+
+	// The ID of the security group to be associated with the VPC endpoint.
+	SecurityGroupID *string `json:"securityGroupId,omitempty" tf:"security_group_id,omitempty"`
+
+	// The ID of the VPC endpoint with which the security group will be associated.
+	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
 }
 
 type VPCEndpointSecurityGroupAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpcendpointservice_types.go b/apis/ec2/v1beta1/zz_vpcendpointservice_types.go
index 63859cf2f4..47c96cdf83 100755
--- a/apis/ec2/v1beta1/zz_vpcendpointservice_types.go
+++ b/apis/ec2/v1beta1/zz_vpcendpointservice_types.go
@@ -33,6 +33,9 @@ type PrivateDNSNameConfigurationParameters struct {
 
 type VPCEndpointServiceObservation struct {
 
+	// Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false.
+	AcceptanceRequired *bool `json:"acceptanceRequired,omitempty" tf:"acceptance_required,omitempty"`
+
 	// The ARNs of one or more principals allowed to discover the endpoint service.
 	AllowedPrincipals []*string `json:"allowedPrincipals,omitempty" tf:"allowed_principals,omitempty"`
 
@@ -45,12 +48,21 @@ type VPCEndpointServiceObservation struct {
 	// A set of DNS names for the service.
 	BaseEndpointDNSNames []*string `json:"baseEndpointDnsNames,omitempty" tf:"base_endpoint_dns_names,omitempty"`
 
+	// Amazon Resource Names (ARNs) of one or more Gateway Load Balancers for the endpoint service.
+	GatewayLoadBalancerArns []*string `json:"gatewayLoadBalancerArns,omitempty" tf:"gateway_load_balancer_arns,omitempty"`
+
 	// The ID of the VPC endpoint service.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Whether or not the service manages its VPC endpoints - true or false.
 	ManagesVPCEndpoints *bool `json:"managesVpcEndpoints,omitempty" tf:"manages_vpc_endpoints,omitempty"`
 
+	// Amazon Resource Names (ARNs) of one or more Network Load Balancers for the endpoint service.
+	NetworkLoadBalancerArns []*string `json:"networkLoadBalancerArns,omitempty" tf:"network_load_balancer_arns,omitempty"`
+
+	// The private DNS name for the service.
+	PrivateDNSName *string `json:"privateDnsName,omitempty" tf:"private_dns_name,omitempty"`
+
 	// List of objects containing information about the endpoint service private DNS name configuration.
 	PrivateDNSNameConfiguration []PrivateDNSNameConfigurationObservation `json:"privateDnsNameConfiguration,omitempty" tf:"private_dns_name_configuration,omitempty"`
 
@@ -63,6 +75,12 @@ type VPCEndpointServiceObservation struct {
 	// The state of the VPC endpoint service.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// The supported IP address types. The possible values are ipv4 and ipv6.
+	SupportedIPAddressTypes []*string `json:"supportedIpAddressTypes,omitempty" tf:"supported_ip_address_types,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -70,8 +88,8 @@ type VPCEndpointServiceObservation struct {
 type VPCEndpointServiceParameters struct {
 
 	// Whether or not VPC endpoint connection requests to the service must be accepted by the service owner - true or false.
-	// +kubebuilder:validation:Required
-	AcceptanceRequired *bool `json:"acceptanceRequired" tf:"acceptance_required,omitempty"`
+	// +kubebuilder:validation:Optional
+	AcceptanceRequired *bool `json:"acceptanceRequired,omitempty" tf:"acceptance_required,omitempty"`
 
 	// Amazon Resource Names (ARNs) of one or more Gateway Load Balancers for the endpoint service.
 	// +kubebuilder:validation:Optional
@@ -123,8 +141,9 @@ type VPCEndpointServiceStatus struct {
 type VPCEndpointService struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCEndpointServiceSpec   `json:"spec"`
-	Status            VPCEndpointServiceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.acceptanceRequired)",message="acceptanceRequired is a required parameter"
+	Spec   VPCEndpointServiceSpec   `json:"spec"`
+	Status VPCEndpointServiceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_vpcendpointserviceallowedprincipal_types.go b/apis/ec2/v1beta1/zz_vpcendpointserviceallowedprincipal_types.go
index b60a33c9fe..7facffe6bd 100755
--- a/apis/ec2/v1beta1/zz_vpcendpointserviceallowedprincipal_types.go
+++ b/apis/ec2/v1beta1/zz_vpcendpointserviceallowedprincipal_types.go
@@ -17,13 +17,19 @@ type VPCEndpointServiceAllowedPrincipalObservation struct {
 
 	// The ID of the association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the principal to allow permissions.
+	PrincipalArn *string `json:"principalArn,omitempty" tf:"principal_arn,omitempty"`
+
+	// The ID of the VPC endpoint service to allow permission.
+	VPCEndpointServiceID *string `json:"vpcEndpointServiceId,omitempty" tf:"vpc_endpoint_service_id,omitempty"`
 }
 
 type VPCEndpointServiceAllowedPrincipalParameters struct {
 
 	// The ARN of the principal to allow permissions.
-	// +kubebuilder:validation:Required
-	PrincipalArn *string `json:"principalArn" tf:"principal_arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	PrincipalArn *string `json:"principalArn,omitempty" tf:"principal_arn,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +75,9 @@ type VPCEndpointServiceAllowedPrincipalStatus struct {
 type VPCEndpointServiceAllowedPrincipal struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCEndpointServiceAllowedPrincipalSpec   `json:"spec"`
-	Status            VPCEndpointServiceAllowedPrincipalStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principalArn)",message="principalArn is a required parameter"
+	Spec   VPCEndpointServiceAllowedPrincipalSpec   `json:"spec"`
+	Status VPCEndpointServiceAllowedPrincipalStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_vpcendpointsubnetassociation_types.go b/apis/ec2/v1beta1/zz_vpcendpointsubnetassociation_types.go
index 187199d8f0..5beb89929e 100755
--- a/apis/ec2/v1beta1/zz_vpcendpointsubnetassociation_types.go
+++ b/apis/ec2/v1beta1/zz_vpcendpointsubnetassociation_types.go
@@ -17,6 +17,12 @@ type VPCEndpointSubnetAssociationObservation struct {
 
 	// The ID of the association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the subnet to be associated with the VPC endpoint.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// The ID of the VPC endpoint with which the subnet will be associated.
+	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
 }
 
 type VPCEndpointSubnetAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpcipam_types.go b/apis/ec2/v1beta1/zz_vpcipam_types.go
index 5a6e452a86..8f335dfe81 100755
--- a/apis/ec2/v1beta1/zz_vpcipam_types.go
+++ b/apis/ec2/v1beta1/zz_vpcipam_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type OperatingRegionsObservation struct {
+
+	// The name of the Region you want to add to the IPAM.
+	RegionName *string `json:"regionName,omitempty" tf:"region_name,omitempty"`
 }
 
 type OperatingRegionsParameters struct {
@@ -28,15 +31,24 @@ type VPCIpamObservation struct {
 	// Amazon Resource Name (ARN) of IPAM
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Enables you to quickly delete an IPAM, private scopes, pools in private scopes, and any allocations in the pools in private scopes.
+	Cascade *bool `json:"cascade,omitempty" tf:"cascade,omitempty"`
+
 	// The ID of the IPAM
 	DefaultResourceDiscoveryAssociationID *string `json:"defaultResourceDiscoveryAssociationId,omitempty" tf:"default_resource_discovery_association_id,omitempty"`
 
 	// The ID of the IPAM
 	DefaultResourceDiscoveryID *string `json:"defaultResourceDiscoveryId,omitempty" tf:"default_resource_discovery_id,omitempty"`
 
+	// A description for the IPAM.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the IPAM
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Determines which locales can be chosen when you create pools. Locale is the Region where you want to make an IPAM pool available for allocations. You can only create pools with locales that match the operating Regions of the IPAM. You can only create VPCs from a pool whose locale matches the VPC's Region. You specify a region using the region_name parameter. You must set your provider block region as an operating_region.
+	OperatingRegions []OperatingRegionsObservation `json:"operatingRegions,omitempty" tf:"operating_regions,omitempty"`
+
 	// The ID of the IPAM's private scope. A scope is a top-level container in IPAM. Each scope represents an IP-independent network. Scopes enable you to represent networks where you have overlapping IP space. When you create an IPAM, IPAM automatically creates two scopes: public and private. The private scope is intended for private IP space. The public scope is intended for all internet-routable IP space.
 	PrivateDefaultScopeID *string `json:"privateDefaultScopeId,omitempty" tf:"private_default_scope_id,omitempty"`
 
@@ -47,6 +59,9 @@ type VPCIpamObservation struct {
 	// The number of scopes in the IPAM.
 	ScopeCount *float64 `json:"scopeCount,omitempty" tf:"scope_count,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -62,8 +77,8 @@ type VPCIpamParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Determines which locales can be chosen when you create pools. Locale is the Region where you want to make an IPAM pool available for allocations. You can only create pools with locales that match the operating Regions of the IPAM. You can only create VPCs from a pool whose locale matches the VPC's Region. You specify a region using the region_name parameter. You must set your provider block region as an operating_region.
-	// +kubebuilder:validation:Required
-	OperatingRegions []OperatingRegionsParameters `json:"operatingRegions" tf:"operating_regions,omitempty"`
+	// +kubebuilder:validation:Optional
+	OperatingRegions []OperatingRegionsParameters `json:"operatingRegions,omitempty" tf:"operating_regions,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -99,8 +114,9 @@ type VPCIpamStatus struct {
 type VPCIpam struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCIpamSpec   `json:"spec"`
-	Status            VPCIpamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.operatingRegions)",message="operatingRegions is a required parameter"
+	Spec   VPCIpamSpec   `json:"spec"`
+	Status VPCIpamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_vpcipampool_types.go b/apis/ec2/v1beta1/zz_vpcipampool_types.go
index e65f25128f..a3b19efdd4 100755
--- a/apis/ec2/v1beta1/zz_vpcipampool_types.go
+++ b/apis/ec2/v1beta1/zz_vpcipampool_types.go
@@ -15,19 +15,62 @@ import (
 
 type VPCIpamPoolObservation struct {
 
+	// The IP protocol assigned to this pool. You must choose either IPv4 or IPv6 protocol for a pool.
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
+
+	// A default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16 (unless you provide a different netmask value when you create the new allocation).
+	AllocationDefaultNetmaskLength *float64 `json:"allocationDefaultNetmaskLength,omitempty" tf:"allocation_default_netmask_length,omitempty"`
+
+	// The maximum netmask length that will be required for CIDR allocations in this pool.
+	AllocationMaxNetmaskLength *float64 `json:"allocationMaxNetmaskLength,omitempty" tf:"allocation_max_netmask_length,omitempty"`
+
+	// The minimum netmask length that will be required for CIDR allocations in this pool.
+	AllocationMinNetmaskLength *float64 `json:"allocationMinNetmaskLength,omitempty" tf:"allocation_min_netmask_length,omitempty"`
+
+	// Tags that are required for resources that use CIDRs from this IPAM pool. Resources that do not have these tags will not be allowed to allocate space from the pool. If the resources have their tags changed after they have allocated space or if the allocation tagging requirements are changed on the pool, the resource may be marked as noncompliant.
+	AllocationResourceTags map[string]*string `json:"allocationResourceTags,omitempty" tf:"allocation_resource_tags,omitempty"`
+
 	// Amazon Resource Name (ARN) of IPAM
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// If you include this argument, IPAM automatically imports any VPCs you have in your scope that fall
+	// within the CIDR range in the pool.
+	AutoImport *bool `json:"autoImport,omitempty" tf:"auto_import,omitempty"`
+
+	// Limits which AWS service the pool can be used in. Only useable on public scopes. Valid Values: ec2.
+	AwsService *string `json:"awsService,omitempty" tf:"aws_service,omitempty"`
+
+	// A description for the IPAM pool.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the IPAM
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ID of the scope in which you would like to create the IPAM pool.
+	IpamScopeID *string `json:"ipamScopeId,omitempty" tf:"ipam_scope_id,omitempty"`
+
 	IpamScopeType *string `json:"ipamScopeType,omitempty" tf:"ipam_scope_type,omitempty"`
 
+	// The locale in which you would like to create the IPAM pool. Locale is the Region where you want to make an IPAM pool available for allocations. You can only create pools with locales that match the operating Regions of the IPAM. You can only create VPCs from a pool whose locale matches the VPC's Region. Possible values: Any AWS region, such as us-east-1.
+	Locale *string `json:"locale,omitempty" tf:"locale,omitempty"`
+
 	PoolDepth *float64 `json:"poolDepth,omitempty" tf:"pool_depth,omitempty"`
 
+	// The IP address source for pools in the public scope. Only used for provisioning IP address CIDRs to pools in the public scope. Valid values are byoip or amazon. Default is byoip.
+	PublicIPSource *string `json:"publicIpSource,omitempty" tf:"public_ip_source,omitempty"`
+
+	// Defines whether or not IPv6 pool space is publicly advertisable over the internet. This argument is required if address_family = "ipv6" and public_ip_source = "byoip", default is false. This option is not available for IPv4 pool space or if public_ip_source = "amazon".
+	PubliclyAdvertisable *bool `json:"publiclyAdvertisable,omitempty" tf:"publicly_advertisable,omitempty"`
+
+	// The ID of the source IPAM pool. Use this argument to create a child pool within an existing pool.
+	SourceIpamPoolID *string `json:"sourceIpamPoolId,omitempty" tf:"source_ipam_pool_id,omitempty"`
+
 	// The ID of the IPAM
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,8 +78,8 @@ type VPCIpamPoolObservation struct {
 type VPCIpamPoolParameters struct {
 
 	// The IP protocol assigned to this pool. You must choose either IPv4 or IPv6 protocol for a pool.
-	// +kubebuilder:validation:Required
-	AddressFamily *string `json:"addressFamily" tf:"address_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddressFamily *string `json:"addressFamily,omitempty" tf:"address_family,omitempty"`
 
 	// A default netmask length for allocations added to this pool. If, for example, the CIDR assigned to this pool is 10.0.0.0/8 and you enter 16 here, new allocations will default to 10.0.0.0/16 (unless you provide a different netmask value when you create the new allocation).
 	// +kubebuilder:validation:Optional
@@ -140,8 +183,9 @@ type VPCIpamPoolStatus struct {
 type VPCIpamPool struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPCIpamPoolSpec   `json:"spec"`
-	Status            VPCIpamPoolStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)",message="addressFamily is a required parameter"
+	Spec   VPCIpamPoolSpec   `json:"spec"`
+	Status VPCIpamPoolStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_vpcipampoolcidr_types.go b/apis/ec2/v1beta1/zz_vpcipampoolcidr_types.go
index d31d37648b..981a8c83fd 100755
--- a/apis/ec2/v1beta1/zz_vpcipampoolcidr_types.go
+++ b/apis/ec2/v1beta1/zz_vpcipampoolcidr_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CidrAuthorizationContextObservation struct {
+
+	// The plain-text authorization message for the prefix and account.
+	Message *string `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The signed authorization message for the prefix and account.
+	Signature *string `json:"signature,omitempty" tf:"signature,omitempty"`
 }
 
 type CidrAuthorizationContextParameters struct {
@@ -29,11 +35,23 @@ type CidrAuthorizationContextParameters struct {
 
 type VPCIpamPoolCidrObservation struct {
 
+	// The CIDR you want to assign to the pool. Conflicts with netmask_length.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
+
+	// A signed document that proves that you are authorized to bring the specified IP address range to Amazon using BYOIP. This is not stored in the state file. See cidr_authorization_context for more information.
+	CidrAuthorizationContext []CidrAuthorizationContextObservation `json:"cidrAuthorizationContext,omitempty" tf:"cidr_authorization_context,omitempty"`
+
 	// The ID of the IPAM Pool Cidr concatenated with the IPAM Pool ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The unique ID generated by AWS for the pool cidr.
 	IpamPoolCidrID *string `json:"ipamPoolCidrId,omitempty" tf:"ipam_pool_cidr_id,omitempty"`
+
+	// The ID of the pool to which you want to assign a CIDR.
+	IpamPoolID *string `json:"ipamPoolId,omitempty" tf:"ipam_pool_id,omitempty"`
+
+	// If provided, the cidr provisioned into the specified pool will be the next available cidr given this declared netmask length. Conflicts with cidr.
+	NetmaskLength *float64 `json:"netmaskLength,omitempty" tf:"netmask_length,omitempty"`
 }
 
 type VPCIpamPoolCidrParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpcipampoolcidrallocation_types.go b/apis/ec2/v1beta1/zz_vpcipampoolcidrallocation_types.go
index 31083c7c64..4e3b2f61f6 100755
--- a/apis/ec2/v1beta1/zz_vpcipampoolcidrallocation_types.go
+++ b/apis/ec2/v1beta1/zz_vpcipampoolcidrallocation_types.go
@@ -15,12 +15,27 @@ import (
 
 type VPCIpamPoolCidrAllocationObservation struct {
 
+	// The CIDR you want to assign to the pool.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
+
+	// The description for the allocation.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Exclude a particular CIDR range from being returned by the pool.
+	DisallowedCidrs []*string `json:"disallowedCidrs,omitempty" tf:"disallowed_cidrs,omitempty"`
+
 	// The ID of the allocation.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The ID of the allocation.
 	IpamPoolAllocationID *string `json:"ipamPoolAllocationId,omitempty" tf:"ipam_pool_allocation_id,omitempty"`
 
+	// The ID of the pool to which you want to assign a CIDR.
+	IpamPoolID *string `json:"ipamPoolId,omitempty" tf:"ipam_pool_id,omitempty"`
+
+	// The netmask length of the CIDR you would like to allocate to the IPAM pool. Valid Values: 0-128.
+	NetmaskLength *float64 `json:"netmaskLength,omitempty" tf:"netmask_length,omitempty"`
+
 	// The ID of the resource.
 	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
 
diff --git a/apis/ec2/v1beta1/zz_vpcipamscope_types.go b/apis/ec2/v1beta1/zz_vpcipamscope_types.go
index be6a34dcc2..740b765b13 100755
--- a/apis/ec2/v1beta1/zz_vpcipamscope_types.go
+++ b/apis/ec2/v1beta1/zz_vpcipamscope_types.go
@@ -16,12 +16,18 @@ import (
 type VPCIpamScopeObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A description for the scope you're creating.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the IPAM Scope.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The ARN of the IPAM for which you're creating this scope.
 	IpamArn *string `json:"ipamArn,omitempty" tf:"ipam_arn,omitempty"`
 
+	// The ID of the IPAM for which you're creating this scope.
+	IpamID *string `json:"ipamId,omitempty" tf:"ipam_id,omitempty"`
+
 	IpamScopeType *string `json:"ipamScopeType,omitempty" tf:"ipam_scope_type,omitempty"`
 
 	// Defines if the scope is the default scope or not.
@@ -30,6 +36,9 @@ type VPCIpamScopeObservation struct {
 	// Count of pools under this scope
 	PoolCount *float64 `json:"poolCount,omitempty" tf:"pool_count,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
diff --git a/apis/ec2/v1beta1/zz_vpcipv4cidrblockassociation_types.go b/apis/ec2/v1beta1/zz_vpcipv4cidrblockassociation_types.go
index f01a2132be..07c444a3c5 100755
--- a/apis/ec2/v1beta1/zz_vpcipv4cidrblockassociation_types.go
+++ b/apis/ec2/v1beta1/zz_vpcipv4cidrblockassociation_types.go
@@ -15,8 +15,20 @@ import (
 
 type VPCIPv4CidrBlockAssociationObservation struct {
 
+	// The IPv4 CIDR block for the VPC. CIDR can be explicitly set or it can be derived from IPAM using ipv4_netmask_length.
+	CidrBlock *string `json:"cidrBlock,omitempty" tf:"cidr_block,omitempty"`
+
 	// The ID of the VPC CIDR association
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of an IPv4 IPAM pool you want to use for allocating this VPC's CIDR. IPAM is a VPC feature that you can use to automate your IP address management workflows including assigning, tracking, troubleshooting, and auditing IP addresses across AWS Regions and accounts. Using IPAM you can monitor IP address usage throughout your AWS Organization.
+	IPv4IpamPoolID *string `json:"ipv4IpamPoolId,omitempty" tf:"ipv4_ipam_pool_id,omitempty"`
+
+	// The netmask length of the IPv4 CIDR you want to allocate to this VPC. Requires specifying a ipv4_ipam_pool_id.
+	IPv4NetmaskLength *float64 `json:"ipv4NetmaskLength,omitempty" tf:"ipv4_netmask_length,omitempty"`
+
+	// The ID of the VPC to make the association with.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCIPv4CidrBlockAssociationParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpcpeeringconnection_types.go b/apis/ec2/v1beta1/zz_vpcpeeringconnection_types.go
index a2aa99f892..3cdf05c331 100755
--- a/apis/ec2/v1beta1/zz_vpcpeeringconnection_types.go
+++ b/apis/ec2/v1beta1/zz_vpcpeeringconnection_types.go
@@ -62,15 +62,35 @@ type VPCPeeringConnectionObservation_2 struct {
 	// the peering connection (a maximum of one).
 	Accepter []AccepterObservation `json:"accepter,omitempty" tf:"accepter,omitempty"`
 
+	// Accept the peering (both VPCs need to be in the same AWS account and region).
+	AutoAccept *bool `json:"autoAccept,omitempty" tf:"auto_accept,omitempty"`
+
 	// The ID of the VPC Peering Connection.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The AWS account ID of the owner of the peer VPC.
+	// Defaults to the account ID the AWS provider is currently connected to.
+	PeerOwnerID *string `json:"peerOwnerId,omitempty" tf:"peer_owner_id,omitempty"`
+
+	// The region of the accepter VPC of the VPC Peering Connection. auto_accept must be false,
+	// and use the aws_vpc_peering_connection_accepter to manage the accepter side.
+	PeerRegion *string `json:"peerRegion,omitempty" tf:"peer_region,omitempty"`
+
+	// The ID of the VPC with which you are creating the VPC Peering Connection.
+	PeerVPCID *string `json:"peerVpcId,omitempty" tf:"peer_vpc_id,omitempty"`
+
 	// A optional configuration block that allows for VPC Peering Connection options to be set for the VPC that requests
 	// the peering connection (a maximum of one).
 	Requester []RequesterObservation `json:"requester,omitempty" tf:"requester,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the requester VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCPeeringConnectionParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_vpcpeeringconnectionaccepter_types.go b/apis/ec2/v1beta1/zz_vpcpeeringconnectionaccepter_types.go
index 99144a4b45..889ae0cd07 100755
--- a/apis/ec2/v1beta1/zz_vpcpeeringconnectionaccepter_types.go
+++ b/apis/ec2/v1beta1/zz_vpcpeeringconnectionaccepter_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type VPCPeeringConnectionAccepterAccepterObservation struct {
+
+	// Indicates whether a local ClassicLink connection can communicate
+	// with the peer VPC over the VPC Peering Connection.
+	AllowClassicLinkToRemoteVPC *bool `json:"allowClassicLinkToRemoteVpc,omitempty" tf:"allow_classic_link_to_remote_vpc,omitempty"`
+
+	// Indicates whether a local VPC can resolve public DNS hostnames to
+	// private IP addresses when queried from instances in a peer VPC.
+	AllowRemoteVPCDNSResolution *bool `json:"allowRemoteVpcDnsResolution,omitempty" tf:"allow_remote_vpc_dns_resolution,omitempty"`
+
+	// Indicates whether a local VPC can communicate with a ClassicLink
+	// connection in the peer VPC over the VPC Peering Connection.
+	AllowVPCToRemoteClassicLink *bool `json:"allowVpcToRemoteClassicLink,omitempty" tf:"allow_vpc_to_remote_classic_link,omitempty"`
 }
 
 type VPCPeeringConnectionAccepterAccepterParameters struct {
@@ -39,6 +51,13 @@ type VPCPeeringConnectionAccepterObservation struct {
 	// The status of the VPC Peering Connection request.
 	AcceptStatus *string `json:"acceptStatus,omitempty" tf:"accept_status,omitempty"`
 
+	// A configuration block that describes [VPC Peering Connection]
+	// (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) options set for the accepter VPC.
+	Accepter []VPCPeeringConnectionAccepterAccepterObservation `json:"accepter,omitempty" tf:"accepter,omitempty"`
+
+	// Whether or not to accept the peering request. Defaults to false.
+	AutoAccept *bool `json:"autoAccept,omitempty" tf:"auto_accept,omitempty"`
+
 	// The ID of the VPC Peering Connection.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -51,11 +70,21 @@ type VPCPeeringConnectionAccepterObservation struct {
 	// The ID of the requester VPC.
 	PeerVPCID *string `json:"peerVpcId,omitempty" tf:"peer_vpc_id,omitempty"`
 
+	// A configuration block that describes [VPC Peering Connection]
+	// (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) options set for the requester VPC.
+	Requester []VPCPeeringConnectionAccepterRequesterObservation `json:"requester,omitempty" tf:"requester,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The ID of the accepter VPC.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// The VPC Peering Connection ID to manage.
+	VPCPeeringConnectionID *string `json:"vpcPeeringConnectionId,omitempty" tf:"vpc_peering_connection_id,omitempty"`
 }
 
 type VPCPeeringConnectionAccepterParameters struct {
@@ -99,6 +128,18 @@ type VPCPeeringConnectionAccepterParameters struct {
 }
 
 type VPCPeeringConnectionAccepterRequesterObservation struct {
+
+	// Indicates whether a local ClassicLink connection can communicate
+	// with the peer VPC over the VPC Peering Connection.
+	AllowClassicLinkToRemoteVPC *bool `json:"allowClassicLinkToRemoteVpc,omitempty" tf:"allow_classic_link_to_remote_vpc,omitempty"`
+
+	// Indicates whether a local VPC can resolve public DNS hostnames to
+	// private IP addresses when queried from instances in a peer VPC.
+	AllowRemoteVPCDNSResolution *bool `json:"allowRemoteVpcDnsResolution,omitempty" tf:"allow_remote_vpc_dns_resolution,omitempty"`
+
+	// Indicates whether a local VPC can communicate with a ClassicLink
+	// connection in the peer VPC over the VPC Peering Connection.
+	AllowVPCToRemoteClassicLink *bool `json:"allowVpcToRemoteClassicLink,omitempty" tf:"allow_vpc_to_remote_classic_link,omitempty"`
 }
 
 type VPCPeeringConnectionAccepterRequesterParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpcpeeringconnectionoptions_types.go b/apis/ec2/v1beta1/zz_vpcpeeringconnectionoptions_types.go
index 7d442e94ad..403242468f 100755
--- a/apis/ec2/v1beta1/zz_vpcpeeringconnectionoptions_types.go
+++ b/apis/ec2/v1beta1/zz_vpcpeeringconnectionoptions_types.go
@@ -14,6 +14,20 @@ import (
 )
 
 type VPCPeeringConnectionOptionsAccepterObservation struct {
+
+	// Allow a local linked EC2-Classic instance to communicate
+	// with instances in a peer VPC. This enables an outbound communication from the local ClassicLink connection
+	// to the remote VPC. This option is not supported for inter-region VPC peering.
+	AllowClassicLinkToRemoteVPC *bool `json:"allowClassicLinkToRemoteVpc,omitempty" tf:"allow_classic_link_to_remote_vpc,omitempty"`
+
+	// Allow a local VPC to resolve public DNS hostnames to
+	// private IP addresses when queried from instances in the peer VPC.
+	AllowRemoteVPCDNSResolution *bool `json:"allowRemoteVpcDnsResolution,omitempty" tf:"allow_remote_vpc_dns_resolution,omitempty"`
+
+	// Allow a local VPC to communicate with a linked EC2-Classic
+	// instance in a peer VPC. This enables an outbound communication from the local VPC to the remote ClassicLink
+	// connection. This option is not supported for inter-region VPC peering.
+	AllowVPCToRemoteClassicLink *bool `json:"allowVpcToRemoteClassicLink,omitempty" tf:"allow_vpc_to_remote_classic_link,omitempty"`
 }
 
 type VPCPeeringConnectionOptionsAccepterParameters struct {
@@ -38,8 +52,21 @@ type VPCPeeringConnectionOptionsAccepterParameters struct {
 
 type VPCPeeringConnectionOptionsObservation struct {
 
+	// An optional configuration block that allows for [VPC Peering Connection]
+	// (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) options to be set for the VPC that accepts
+	// the peering connection (a maximum of one).
+	Accepter []VPCPeeringConnectionOptionsAccepterObservation `json:"accepter,omitempty" tf:"accepter,omitempty"`
+
 	// The ID of the VPC Peering Connection Options.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A optional configuration block that allows for [VPC Peering Connection]
+	// (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html) options to be set for the VPC that requests
+	// the peering connection (a maximum of one).
+	Requester []VPCPeeringConnectionOptionsRequesterObservation `json:"requester,omitempty" tf:"requester,omitempty"`
+
+	// The ID of the requester VPC peering connection.
+	VPCPeeringConnectionID *string `json:"vpcPeeringConnectionId,omitempty" tf:"vpc_peering_connection_id,omitempty"`
 }
 
 type VPCPeeringConnectionOptionsParameters struct {
@@ -77,6 +104,20 @@ type VPCPeeringConnectionOptionsParameters struct {
 }
 
 type VPCPeeringConnectionOptionsRequesterObservation struct {
+
+	// Allow a local linked EC2-Classic instance to communicate
+	// with instances in a peer VPC. This enables an outbound communication from the local ClassicLink connection
+	// to the remote VPC. This option is not supported for inter-region VPC peering.
+	AllowClassicLinkToRemoteVPC *bool `json:"allowClassicLinkToRemoteVpc,omitempty" tf:"allow_classic_link_to_remote_vpc,omitempty"`
+
+	// Allow a local VPC to resolve public DNS hostnames to
+	// private IP addresses when queried from instances in the peer VPC.
+	AllowRemoteVPCDNSResolution *bool `json:"allowRemoteVpcDnsResolution,omitempty" tf:"allow_remote_vpc_dns_resolution,omitempty"`
+
+	// Allow a local VPC to communicate with a linked EC2-Classic
+	// instance in a peer VPC. This enables an outbound communication from the local VPC to the remote ClassicLink
+	// connection. This option is not supported for inter-region VPC peering.
+	AllowVPCToRemoteClassicLink *bool `json:"allowVpcToRemoteClassicLink,omitempty" tf:"allow_vpc_to_remote_classic_link,omitempty"`
 }
 
 type VPCPeeringConnectionOptionsRequesterParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpnconnection_types.go b/apis/ec2/v1beta1/zz_vpnconnection_types.go
index 2d93a1e6d0..85c3cef5da 100755
--- a/apis/ec2/v1beta1/zz_vpnconnection_types.go
+++ b/apis/ec2/v1beta1/zz_vpnconnection_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CloudwatchLogOptionsObservation struct {
+
+	// Enable or disable VPN tunnel logging feature. The default is false.
+	LogEnabled *bool `json:"logEnabled,omitempty" tf:"log_enabled,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
+	LogGroupArn *string `json:"logGroupArn,omitempty" tf:"log_group_arn,omitempty"`
+
+	// Set log format. Default format is json. Possible values are: json and text. The default is json.
+	LogOutputFormat *string `json:"logOutputFormat,omitempty" tf:"log_output_format,omitempty"`
 }
 
 type CloudwatchLogOptionsParameters struct {
@@ -47,6 +56,9 @@ type RoutesParameters struct {
 }
 
 type Tunnel1LogOptionsObservation struct {
+
+	// Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
+	CloudwatchLogOptions []CloudwatchLogOptionsObservation `json:"cloudwatchLogOptions,omitempty" tf:"cloudwatch_log_options,omitempty"`
 }
 
 type Tunnel1LogOptionsParameters struct {
@@ -57,6 +69,15 @@ type Tunnel1LogOptionsParameters struct {
 }
 
 type Tunnel2LogOptionsCloudwatchLogOptionsObservation struct {
+
+	// Enable or disable VPN tunnel logging feature. The default is false.
+	LogEnabled *bool `json:"logEnabled,omitempty" tf:"log_enabled,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the CloudWatch log group to send logs to.
+	LogGroupArn *string `json:"logGroupArn,omitempty" tf:"log_group_arn,omitempty"`
+
+	// Set log format. Default format is json. Possible values are: json and text. The default is json.
+	LogOutputFormat *string `json:"logOutputFormat,omitempty" tf:"log_output_format,omitempty"`
 }
 
 type Tunnel2LogOptionsCloudwatchLogOptionsParameters struct {
@@ -75,6 +96,9 @@ type Tunnel2LogOptionsCloudwatchLogOptionsParameters struct {
 }
 
 type Tunnel2LogOptionsObservation struct {
+
+	// Options for sending VPN tunnel logs to CloudWatch. See CloudWatch Log Options below for more details.
+	CloudwatchLogOptions []Tunnel2LogOptionsCloudwatchLogOptionsObservation `json:"cloudwatchLogOptions,omitempty" tf:"cloudwatch_log_options,omitempty"`
 }
 
 type Tunnel2LogOptionsParameters struct {
@@ -95,18 +119,51 @@ type VPNConnectionObservation_2 struct {
 	// The ARN of the core network attachment.
 	CoreNetworkAttachmentArn *string `json:"coreNetworkAttachmentArn,omitempty" tf:"core_network_attachment_arn,omitempty"`
 
+	// The ID of the customer gateway.
+	CustomerGatewayID *string `json:"customerGatewayId,omitempty" tf:"customer_gateway_id,omitempty"`
+
+	// Indicate whether to enable acceleration for the VPN connection. Supports only EC2 Transit Gateway.
+	EnableAcceleration *bool `json:"enableAcceleration,omitempty" tf:"enable_acceleration,omitempty"`
+
 	// The amazon-assigned ID of the VPN connection.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IPv4 CIDR on the customer gateway (on-premises) side of the VPN connection.
+	LocalIPv4NetworkCidr *string `json:"localIpv4NetworkCidr,omitempty" tf:"local_ipv4_network_cidr,omitempty"`
+
+	// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
+	LocalIPv6NetworkCidr *string `json:"localIpv6NetworkCidr,omitempty" tf:"local_ipv6_network_cidr,omitempty"`
+
+	// Indicates if a Public S2S VPN or Private S2S VPN over AWS Direct Connect. Valid values are PublicIpv4 | PrivateIpv4
+	OutsideIPAddressType *string `json:"outsideIpAddressType,omitempty" tf:"outside_ip_address_type,omitempty"`
+
+	// The IPv4 CIDR on the AWS side of the VPN connection.
+	RemoteIPv4NetworkCidr *string `json:"remoteIpv4NetworkCidr,omitempty" tf:"remote_ipv4_network_cidr,omitempty"`
+
+	// The IPv6 CIDR on the customer gateway (on-premises) side of the VPN connection.
+	RemoteIPv6NetworkCidr *string `json:"remoteIpv6NetworkCidr,omitempty" tf:"remote_ipv6_network_cidr,omitempty"`
+
 	// The static routes associated with the VPN connection. Detailed below.
 	Routes []RoutesObservation `json:"routes,omitempty" tf:"routes,omitempty"`
 
+	// Whether the VPN connection uses static routes exclusively. Static routes must be used for devices that don't support BGP.
+	StaticRoutesOnly *bool `json:"staticRoutesOnly,omitempty" tf:"static_routes_only,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// When associated with an EC2 Transit Gateway (transit_gateway_id argument), the attachment ID. See also the aws_ec2_tag resource for tagging the EC2 Transit Gateway VPN Attachment.
 	TransitGatewayAttachmentID *string `json:"transitGatewayAttachmentId,omitempty" tf:"transit_gateway_attachment_id,omitempty"`
 
+	// The ID of the EC2 Transit Gateway.
+	TransitGatewayID *string `json:"transitGatewayId,omitempty" tf:"transit_gateway_id,omitempty"`
+
+	// . The attachment ID of the Transit Gateway attachment to Direct Connect Gateway. The ID is obtained through a data source only.
+	TransportTransitGatewayAttachmentID *string `json:"transportTransitGatewayAttachmentId,omitempty" tf:"transport_transit_gateway_attachment_id,omitempty"`
+
 	// The public IP address of the first VPN tunnel.
 	Tunnel1Address *string `json:"tunnel1Address,omitempty" tf:"tunnel1_address,omitempty"`
 
@@ -119,6 +176,60 @@ type VPNConnectionObservation_2 struct {
 	// The RFC 6890 link-local address of the first VPN tunnel (Customer Gateway Side).
 	Tunnel1CgwInsideAddress *string `json:"tunnel1CgwInsideAddress,omitempty" tf:"tunnel1_cgw_inside_address,omitempty"`
 
+	// The action to take after DPD timeout occurs for the first VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
+	Tunnel1DpdTimeoutAction *string `json:"tunnel1DpdTimeoutAction,omitempty" tf:"tunnel1_dpd_timeout_action,omitempty"`
+
+	// The number of seconds after which a DPD timeout occurs for the first VPN tunnel. Valid value is equal or higher than 30.
+	Tunnel1DpdTimeoutSeconds *float64 `json:"tunnel1DpdTimeoutSeconds,omitempty" tf:"tunnel1_dpd_timeout_seconds,omitempty"`
+
+	// The IKE versions that are permitted for the first VPN tunnel. Valid values are ikev1 | ikev2.
+	Tunnel1IkeVersions []*string `json:"tunnel1IkeVersions,omitempty" tf:"tunnel1_ike_versions,omitempty"`
+
+	// The CIDR block of the inside IP addresses for the first VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
+	Tunnel1InsideCidr *string `json:"tunnel1InsideCidr,omitempty" tf:"tunnel1_inside_cidr,omitempty"`
+
+	// The range of inside IPv6 addresses for the first VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
+	Tunnel1InsideIPv6Cidr *string `json:"tunnel1InsideIpv6Cidr,omitempty" tf:"tunnel1_inside_ipv6_cidr,omitempty"`
+
+	// Options for logging VPN tunnel activity. See Log Options below for more details.
+	Tunnel1LogOptions []Tunnel1LogOptionsObservation `json:"tunnel1LogOptions,omitempty" tf:"tunnel1_log_options,omitempty"`
+
+	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
+	Tunnel1Phase1DhGroupNumbers []*float64 `json:"tunnel1Phase1DhGroupNumbers,omitempty" tf:"tunnel1_phase1_dh_group_numbers,omitempty"`
+
+	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+	Tunnel1Phase1EncryptionAlgorithms []*string `json:"tunnel1Phase1EncryptionAlgorithms,omitempty" tf:"tunnel1_phase1_encryption_algorithms,omitempty"`
+
+	// One or more integrity algorithms that are permitted for the first VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+	Tunnel1Phase1IntegrityAlgorithms []*string `json:"tunnel1Phase1IntegrityAlgorithms,omitempty" tf:"tunnel1_phase1_integrity_algorithms,omitempty"`
+
+	// The lifetime for phase 1 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 28800.
+	Tunnel1Phase1LifetimeSeconds *float64 `json:"tunnel1Phase1LifetimeSeconds,omitempty" tf:"tunnel1_phase1_lifetime_seconds,omitempty"`
+
+	// List of one or more Diffie-Hellman group numbers that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
+	Tunnel1Phase2DhGroupNumbers []*float64 `json:"tunnel1Phase2DhGroupNumbers,omitempty" tf:"tunnel1_phase2_dh_group_numbers,omitempty"`
+
+	// List of one or more encryption algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+	Tunnel1Phase2EncryptionAlgorithms []*string `json:"tunnel1Phase2EncryptionAlgorithms,omitempty" tf:"tunnel1_phase2_encryption_algorithms,omitempty"`
+
+	// List of one or more integrity algorithms that are permitted for the first VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+	Tunnel1Phase2IntegrityAlgorithms []*string `json:"tunnel1Phase2IntegrityAlgorithms,omitempty" tf:"tunnel1_phase2_integrity_algorithms,omitempty"`
+
+	// The lifetime for phase 2 of the IKE negotiation for the first VPN tunnel, in seconds. Valid value is between 900 and 3600.
+	Tunnel1Phase2LifetimeSeconds *float64 `json:"tunnel1Phase2LifetimeSeconds,omitempty" tf:"tunnel1_phase2_lifetime_seconds,omitempty"`
+
+	// The percentage of the rekey window for the first VPN tunnel (determined by tunnel1_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
+	Tunnel1RekeyFuzzPercentage *float64 `json:"tunnel1RekeyFuzzPercentage,omitempty" tf:"tunnel1_rekey_fuzz_percentage,omitempty"`
+
+	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the first VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel1_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
+	Tunnel1RekeyMarginTimeSeconds *float64 `json:"tunnel1RekeyMarginTimeSeconds,omitempty" tf:"tunnel1_rekey_margin_time_seconds,omitempty"`
+
+	// The number of packets in an IKE replay window for the first VPN tunnel. Valid value is between 64 and 2048.
+	Tunnel1ReplayWindowSize *float64 `json:"tunnel1ReplayWindowSize,omitempty" tf:"tunnel1_replay_window_size,omitempty"`
+
+	// The action to take when the establishing the tunnel for the first VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
+	Tunnel1StartupAction *string `json:"tunnel1StartupAction,omitempty" tf:"tunnel1_startup_action,omitempty"`
+
 	// The RFC 6890 link-local address of the first VPN tunnel (VPN Gateway Side).
 	Tunnel1VgwInsideAddress *string `json:"tunnel1VgwInsideAddress,omitempty" tf:"tunnel1_vgw_inside_address,omitempty"`
 
@@ -134,9 +245,72 @@ type VPNConnectionObservation_2 struct {
 	// The RFC 6890 link-local address of the second VPN tunnel (Customer Gateway Side).
 	Tunnel2CgwInsideAddress *string `json:"tunnel2CgwInsideAddress,omitempty" tf:"tunnel2_cgw_inside_address,omitempty"`
 
+	// The action to take after DPD timeout occurs for the second VPN tunnel. Specify restart to restart the IKE initiation. Specify clear to end the IKE session. Valid values are clear | none | restart.
+	Tunnel2DpdTimeoutAction *string `json:"tunnel2DpdTimeoutAction,omitempty" tf:"tunnel2_dpd_timeout_action,omitempty"`
+
+	// The number of seconds after which a DPD timeout occurs for the second VPN tunnel. Valid value is equal or higher than 30.
+	Tunnel2DpdTimeoutSeconds *float64 `json:"tunnel2DpdTimeoutSeconds,omitempty" tf:"tunnel2_dpd_timeout_seconds,omitempty"`
+
+	// The IKE versions that are permitted for the second VPN tunnel. Valid values are ikev1 | ikev2.
+	Tunnel2IkeVersions []*string `json:"tunnel2IkeVersions,omitempty" tf:"tunnel2_ike_versions,omitempty"`
+
+	// The CIDR block of the inside IP addresses for the second VPN tunnel. Valid value is a size /30 CIDR block from the 169.254.0.0/16 range.
+	Tunnel2InsideCidr *string `json:"tunnel2InsideCidr,omitempty" tf:"tunnel2_inside_cidr,omitempty"`
+
+	// The range of inside IPv6 addresses for the second VPN tunnel. Supports only EC2 Transit Gateway. Valid value is a size /126 CIDR block from the local fd00::/8 range.
+	Tunnel2InsideIPv6Cidr *string `json:"tunnel2InsideIpv6Cidr,omitempty" tf:"tunnel2_inside_ipv6_cidr,omitempty"`
+
+	// Options for logging VPN tunnel activity. See Log Options below for more details.
+	Tunnel2LogOptions []Tunnel2LogOptionsObservation `json:"tunnel2LogOptions,omitempty" tf:"tunnel2_log_options,omitempty"`
+
+	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
+	Tunnel2Phase1DhGroupNumbers []*float64 `json:"tunnel2Phase1DhGroupNumbers,omitempty" tf:"tunnel2_phase1_dh_group_numbers,omitempty"`
+
+	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+	Tunnel2Phase1EncryptionAlgorithms []*string `json:"tunnel2Phase1EncryptionAlgorithms,omitempty" tf:"tunnel2_phase1_encryption_algorithms,omitempty"`
+
+	// One or more integrity algorithms that are permitted for the second VPN tunnel for phase 1 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+	Tunnel2Phase1IntegrityAlgorithms []*string `json:"tunnel2Phase1IntegrityAlgorithms,omitempty" tf:"tunnel2_phase1_integrity_algorithms,omitempty"`
+
+	// The lifetime for phase 1 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 28800.
+	Tunnel2Phase1LifetimeSeconds *float64 `json:"tunnel2Phase1LifetimeSeconds,omitempty" tf:"tunnel2_phase1_lifetime_seconds,omitempty"`
+
+	// List of one or more Diffie-Hellman group numbers that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24.
+	Tunnel2Phase2DhGroupNumbers []*float64 `json:"tunnel2Phase2DhGroupNumbers,omitempty" tf:"tunnel2_phase2_dh_group_numbers,omitempty"`
+
+	// List of one or more encryption algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+	Tunnel2Phase2EncryptionAlgorithms []*string `json:"tunnel2Phase2EncryptionAlgorithms,omitempty" tf:"tunnel2_phase2_encryption_algorithms,omitempty"`
+
+	// List of one or more integrity algorithms that are permitted for the second VPN tunnel for phase 2 IKE negotiations. Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+	Tunnel2Phase2IntegrityAlgorithms []*string `json:"tunnel2Phase2IntegrityAlgorithms,omitempty" tf:"tunnel2_phase2_integrity_algorithms,omitempty"`
+
+	// The lifetime for phase 2 of the IKE negotiation for the second VPN tunnel, in seconds. Valid value is between 900 and 3600.
+	Tunnel2Phase2LifetimeSeconds *float64 `json:"tunnel2Phase2LifetimeSeconds,omitempty" tf:"tunnel2_phase2_lifetime_seconds,omitempty"`
+
+	// The percentage of the rekey window for the second VPN tunnel (determined by tunnel2_rekey_margin_time_seconds) during which the rekey time is randomly selected. Valid value is between 0 and 100.
+	Tunnel2RekeyFuzzPercentage *float64 `json:"tunnel2RekeyFuzzPercentage,omitempty" tf:"tunnel2_rekey_fuzz_percentage,omitempty"`
+
+	// The margin time, in seconds, before the phase 2 lifetime expires, during which the AWS side of the second VPN connection performs an IKE rekey. The exact time of the rekey is randomly selected based on the value for tunnel2_rekey_fuzz_percentage. Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
+	Tunnel2RekeyMarginTimeSeconds *float64 `json:"tunnel2RekeyMarginTimeSeconds,omitempty" tf:"tunnel2_rekey_margin_time_seconds,omitempty"`
+
+	// The number of packets in an IKE replay window for the second VPN tunnel. Valid value is between 64 and 2048.
+	Tunnel2ReplayWindowSize *float64 `json:"tunnel2ReplayWindowSize,omitempty" tf:"tunnel2_replay_window_size,omitempty"`
+
+	// The action to take when the establishing the tunnel for the second VPN connection. By default, your customer gateway device must initiate the IKE negotiation and bring up the tunnel. Specify start for AWS to initiate the IKE negotiation. Valid values are add | start.
+	Tunnel2StartupAction *string `json:"tunnel2StartupAction,omitempty" tf:"tunnel2_startup_action,omitempty"`
+
 	// The RFC 6890 link-local address of the second VPN tunnel (VPN Gateway Side).
 	Tunnel2VgwInsideAddress *string `json:"tunnel2VgwInsideAddress,omitempty" tf:"tunnel2_vgw_inside_address,omitempty"`
 
+	// Indicate whether the VPN tunnels process IPv4 or IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 Supports only EC2 Transit Gateway.
+	TunnelInsideIPVersion *string `json:"tunnelInsideIpVersion,omitempty" tf:"tunnel_inside_ip_version,omitempty"`
+
+	// The type of VPN connection. The only type AWS supports at this time is "ipsec.1".
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The ID of the Virtual Private Gateway.
+	VPNGatewayID *string `json:"vpnGatewayId,omitempty" tf:"vpn_gateway_id,omitempty"`
+
 	// Telemetry for the VPN tunnels. Detailed below.
 	VgwTelemetry []VgwTelemetryObservation `json:"vgwTelemetry,omitempty" tf:"vgw_telemetry,omitempty"`
 }
diff --git a/apis/ec2/v1beta1/zz_vpnconnectionroute_types.go b/apis/ec2/v1beta1/zz_vpnconnectionroute_types.go
index 8f17e9f312..205731e3ad 100755
--- a/apis/ec2/v1beta1/zz_vpnconnectionroute_types.go
+++ b/apis/ec2/v1beta1/zz_vpnconnectionroute_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type VPNConnectionRouteObservation struct {
+
+	// The CIDR block associated with the local subnet of the customer network.
+	DestinationCidrBlock *string `json:"destinationCidrBlock,omitempty" tf:"destination_cidr_block,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the VPN connection.
+	VPNConnectionID *string `json:"vpnConnectionId,omitempty" tf:"vpn_connection_id,omitempty"`
 }
 
 type VPNConnectionRouteParameters struct {
 
 	// The CIDR block associated with the local subnet of the customer network.
-	// +kubebuilder:validation:Required
-	DestinationCidrBlock *string `json:"destinationCidrBlock" tf:"destination_cidr_block,omitempty"`
+	// +kubebuilder:validation:Optional
+	DestinationCidrBlock *string `json:"destinationCidrBlock,omitempty" tf:"destination_cidr_block,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +74,9 @@ type VPNConnectionRouteStatus struct {
 type VPNConnectionRoute struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VPNConnectionRouteSpec   `json:"spec"`
-	Status            VPNConnectionRouteStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationCidrBlock)",message="destinationCidrBlock is a required parameter"
+	Spec   VPNConnectionRouteSpec   `json:"spec"`
+	Status VPNConnectionRouteStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ec2/v1beta1/zz_vpngateway_types.go b/apis/ec2/v1beta1/zz_vpngateway_types.go
index b15130aa7c..70398d357d 100755
--- a/apis/ec2/v1beta1/zz_vpngateway_types.go
+++ b/apis/ec2/v1beta1/zz_vpngateway_types.go
@@ -15,14 +15,26 @@ import (
 
 type VPNGatewayObservation_2 struct {
 
+	// The Autonomous System Number (ASN) for the Amazon side of the gateway. If you don't specify an ASN, the virtual private gateway is created with the default ASN.
+	AmazonSideAsn *string `json:"amazonSideAsn,omitempty" tf:"amazon_side_asn,omitempty"`
+
 	// Amazon Resource Name (ARN) of the VPN Gateway.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Availability Zone for the virtual private gateway.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
 	// The ID of the VPN Gateway.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The VPC ID to create in.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPNGatewayParameters_2 struct {
diff --git a/apis/ec2/v1beta1/zz_vpngatewayattachment_types.go b/apis/ec2/v1beta1/zz_vpngatewayattachment_types.go
index 480cddbecc..54d9dedf4b 100755
--- a/apis/ec2/v1beta1/zz_vpngatewayattachment_types.go
+++ b/apis/ec2/v1beta1/zz_vpngatewayattachment_types.go
@@ -15,6 +15,12 @@ import (
 
 type VPNGatewayAttachmentObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// The ID of the Virtual Private Gateway.
+	VPNGatewayID *string `json:"vpnGatewayId,omitempty" tf:"vpn_gateway_id,omitempty"`
 }
 
 type VPNGatewayAttachmentParameters struct {
diff --git a/apis/ec2/v1beta1/zz_vpngatewayroutepropagation_types.go b/apis/ec2/v1beta1/zz_vpngatewayroutepropagation_types.go
index a95dd16acd..9b21c469bd 100755
--- a/apis/ec2/v1beta1/zz_vpngatewayroutepropagation_types.go
+++ b/apis/ec2/v1beta1/zz_vpngatewayroutepropagation_types.go
@@ -15,6 +15,12 @@ import (
 
 type VPNGatewayRoutePropagationObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The id of the aws_route_table to propagate routes into.
+	RouteTableID *string `json:"routeTableId,omitempty" tf:"route_table_id,omitempty"`
+
+	// The id of the aws_vpn_gateway to propagate routes from.
+	VPNGatewayID *string `json:"vpnGatewayId,omitempty" tf:"vpn_gateway_id,omitempty"`
 }
 
 type VPNGatewayRoutePropagationParameters struct {
diff --git a/apis/ecr/v1beta1/zz_generated.deepcopy.go b/apis/ecr/v1beta1/zz_generated.deepcopy.go
index aa5dd109bc..e2b5ccd068 100644
--- a/apis/ecr/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ecr/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
 	*out = *in
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegistryID != nil {
+		in, out := &in.RegistryID, &out.RegistryID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationObservation.
@@ -57,6 +67,16 @@ func (in *DestinationParameters) DeepCopy() *DestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigurationObservation) DeepCopyInto(out *EncryptionConfigurationObservation) {
 	*out = *in
+	if in.EncryptionType != nil {
+		in, out := &in.EncryptionType, &out.EncryptionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKey != nil {
+		in, out := &in.KMSKey, &out.KMSKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigurationObservation.
@@ -107,6 +127,11 @@ func (in *EncryptionConfigurationParameters) DeepCopy() *EncryptionConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageScanningConfigurationObservation) DeepCopyInto(out *ImageScanningConfigurationObservation) {
 	*out = *in
+	if in.ScanOnPush != nil {
+		in, out := &in.ScanOnPush, &out.ScanOnPush
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageScanningConfigurationObservation.
@@ -206,11 +231,21 @@ func (in *LifecyclePolicyObservation) DeepCopyInto(out *LifecyclePolicyObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegistryID != nil {
 		in, out := &in.RegistryID, &out.RegistryID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Repository != nil {
+		in, out := &in.Repository, &out.Repository
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LifecyclePolicyObservation.
@@ -359,6 +394,11 @@ func (in *PullThroughCacheRuleList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PullThroughCacheRuleObservation) DeepCopyInto(out *PullThroughCacheRuleObservation) {
 	*out = *in
+	if in.EcrRepositoryPrefix != nil {
+		in, out := &in.EcrRepositoryPrefix, &out.EcrRepositoryPrefix
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -369,6 +409,11 @@ func (in *PullThroughCacheRuleObservation) DeepCopyInto(out *PullThroughCacheRul
 		*out = new(string)
 		**out = **in
 	}
+	if in.UpstreamRegistryURL != nil {
+		in, out := &in.UpstreamRegistryURL, &out.UpstreamRegistryURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PullThroughCacheRuleObservation.
@@ -512,6 +557,11 @@ func (in *RegistryPolicyObservation) DeepCopyInto(out *RegistryPolicyObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegistryID != nil {
 		in, out := &in.RegistryID, &out.RegistryID
 		*out = new(string)
@@ -660,6 +710,18 @@ func (in *RegistryScanningConfigurationObservation) DeepCopyInto(out *RegistrySc
 		*out = new(string)
 		**out = **in
 	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]RuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScanType != nil {
+		in, out := &in.ScanType, &out.ScanType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegistryScanningConfigurationObservation.
@@ -810,6 +872,13 @@ func (in *ReplicationConfigurationObservation) DeepCopyInto(out *ReplicationConf
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReplicationConfiguration != nil {
+		in, out := &in.ReplicationConfiguration, &out.ReplicationConfiguration
+		*out = make([]ReplicationConfigurationReplicationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationConfigurationObservation.
@@ -852,6 +921,13 @@ func (in *ReplicationConfigurationParameters) DeepCopy() *ReplicationConfigurati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicationConfigurationReplicationConfigurationObservation) DeepCopyInto(out *ReplicationConfigurationReplicationConfigurationObservation) {
 	*out = *in
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]ReplicationConfigurationRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationConfigurationReplicationConfigurationObservation.
@@ -889,6 +965,20 @@ func (in *ReplicationConfigurationReplicationConfigurationParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicationConfigurationRuleObservation) DeepCopyInto(out *ReplicationConfigurationRuleObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]DestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RepositoryFilter != nil {
+		in, out := &in.RepositoryFilter, &out.RepositoryFilter
+		*out = make([]RuleRepositoryFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationConfigurationRuleObservation.
@@ -994,6 +1084,16 @@ func (in *Repository) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RepositoryFilterObservation) DeepCopyInto(out *RepositoryFilterObservation) {
 	*out = *in
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterType != nil {
+		in, out := &in.FilterType, &out.FilterType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RepositoryFilterObservation.
@@ -1071,11 +1171,35 @@ func (in *RepositoryObservation) DeepCopyInto(out *RepositoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]EncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ForceDelete != nil {
+		in, out := &in.ForceDelete, &out.ForceDelete
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageScanningConfiguration != nil {
+		in, out := &in.ImageScanningConfiguration, &out.ImageScanningConfiguration
+		*out = make([]ImageScanningConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ImageTagMutability != nil {
+		in, out := &in.ImageTagMutability, &out.ImageTagMutability
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegistryID != nil {
 		in, out := &in.RegistryID, &out.RegistryID
 		*out = new(string)
@@ -1086,6 +1210,21 @@ func (in *RepositoryObservation) DeepCopyInto(out *RepositoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1239,11 +1378,21 @@ func (in *RepositoryPolicyObservation) DeepCopyInto(out *RepositoryPolicyObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegistryID != nil {
 		in, out := &in.RegistryID, &out.RegistryID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Repository != nil {
+		in, out := &in.Repository, &out.Repository
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RepositoryPolicyObservation.
@@ -1367,6 +1516,18 @@ func (in *RepositoryStatus) DeepCopy() *RepositoryStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
 	*out = *in
+	if in.RepositoryFilter != nil {
+		in, out := &in.RepositoryFilter, &out.RepositoryFilter
+		*out = make([]RepositoryFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScanFrequency != nil {
+		in, out := &in.ScanFrequency, &out.ScanFrequency
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleObservation.
@@ -1409,6 +1570,16 @@ func (in *RuleParameters) DeepCopy() *RuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleRepositoryFilterObservation) DeepCopyInto(out *RuleRepositoryFilterObservation) {
 	*out = *in
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterType != nil {
+		in, out := &in.FilterType, &out.FilterType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleRepositoryFilterObservation.
diff --git a/apis/ecr/v1beta1/zz_lifecyclepolicy_types.go b/apis/ecr/v1beta1/zz_lifecyclepolicy_types.go
index df224e9301..74d43088fa 100755
--- a/apis/ecr/v1beta1/zz_lifecyclepolicy_types.go
+++ b/apis/ecr/v1beta1/zz_lifecyclepolicy_types.go
@@ -16,15 +16,21 @@ import (
 type LifecyclePolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The policy document. This is a JSON formatted string. See more details about Policy Parameters in the official AWS docs.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
 	// The registry ID where the repository was created.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
+
+	// Name of the repository to apply the policy.
+	Repository *string `json:"repository,omitempty" tf:"repository,omitempty"`
 }
 
 type LifecyclePolicyParameters struct {
 
 	// The policy document. This is a JSON formatted string. See more details about Policy Parameters in the official AWS docs.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +75,9 @@ type LifecyclePolicyStatus struct {
 type LifecyclePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LifecyclePolicySpec   `json:"spec"`
-	Status            LifecyclePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   LifecyclePolicySpec   `json:"spec"`
+	Status LifecyclePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecr/v1beta1/zz_pullthroughcacherule_types.go b/apis/ecr/v1beta1/zz_pullthroughcacherule_types.go
index d1b0f56d77..d50a3bc6f0 100755
--- a/apis/ecr/v1beta1/zz_pullthroughcacherule_types.go
+++ b/apis/ecr/v1beta1/zz_pullthroughcacherule_types.go
@@ -14,17 +14,24 @@ import (
 )
 
 type PullThroughCacheRuleObservation struct {
+
+	// The repository name prefix to use when caching images from the source registry.
+	EcrRepositoryPrefix *string `json:"ecrRepositoryPrefix,omitempty" tf:"ecr_repository_prefix,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The registry ID where the repository was created.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
+
+	// The registry URL of the upstream public registry to use as the source.
+	UpstreamRegistryURL *string `json:"upstreamRegistryUrl,omitempty" tf:"upstream_registry_url,omitempty"`
 }
 
 type PullThroughCacheRuleParameters struct {
 
 	// The repository name prefix to use when caching images from the source registry.
-	// +kubebuilder:validation:Required
-	EcrRepositoryPrefix *string `json:"ecrRepositoryPrefix" tf:"ecr_repository_prefix,omitempty"`
+	// +kubebuilder:validation:Optional
+	EcrRepositoryPrefix *string `json:"ecrRepositoryPrefix,omitempty" tf:"ecr_repository_prefix,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -32,8 +39,8 @@ type PullThroughCacheRuleParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The registry URL of the upstream public registry to use as the source.
-	// +kubebuilder:validation:Required
-	UpstreamRegistryURL *string `json:"upstreamRegistryUrl" tf:"upstream_registry_url,omitempty"`
+	// +kubebuilder:validation:Optional
+	UpstreamRegistryURL *string `json:"upstreamRegistryUrl,omitempty" tf:"upstream_registry_url,omitempty"`
 }
 
 // PullThroughCacheRuleSpec defines the desired state of PullThroughCacheRule
@@ -60,8 +67,10 @@ type PullThroughCacheRuleStatus struct {
 type PullThroughCacheRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PullThroughCacheRuleSpec   `json:"spec"`
-	Status            PullThroughCacheRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ecrRepositoryPrefix)",message="ecrRepositoryPrefix is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.upstreamRegistryUrl)",message="upstreamRegistryUrl is a required parameter"
+	Spec   PullThroughCacheRuleSpec   `json:"spec"`
+	Status PullThroughCacheRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecr/v1beta1/zz_registrypolicy_types.go b/apis/ecr/v1beta1/zz_registrypolicy_types.go
index 9ac9bd6cce..b79bb0f7a2 100755
--- a/apis/ecr/v1beta1/zz_registrypolicy_types.go
+++ b/apis/ecr/v1beta1/zz_registrypolicy_types.go
@@ -16,6 +16,9 @@ import (
 type RegistryPolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The policy document. This is a JSON formatted string
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
 	// The registry ID where the registry was created.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
 }
@@ -23,8 +26,8 @@ type RegistryPolicyObservation struct {
 type RegistryPolicyParameters struct {
 
 	// The policy document. This is a JSON formatted string
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -56,8 +59,9 @@ type RegistryPolicyStatus struct {
 type RegistryPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegistryPolicySpec   `json:"spec"`
-	Status            RegistryPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   RegistryPolicySpec   `json:"spec"`
+	Status RegistryPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecr/v1beta1/zz_registryscanningconfiguration_types.go b/apis/ecr/v1beta1/zz_registryscanningconfiguration_types.go
index 4a554feae6..f2d45442db 100755
--- a/apis/ecr/v1beta1/zz_registryscanningconfiguration_types.go
+++ b/apis/ecr/v1beta1/zz_registryscanningconfiguration_types.go
@@ -18,6 +18,12 @@ type RegistryScanningConfigurationObservation struct {
 
 	// The registry ID the scanning configuration applies to.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
+
+	// One or multiple blocks specifying scanning rules to determine which repository filters are used and at what frequency scanning will occur. See below for schema.
+	Rule []RuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
+
+	// the scanning type to set for the registry. Can be either ENHANCED or BASIC.
+	ScanType *string `json:"scanType,omitempty" tf:"scan_type,omitempty"`
 }
 
 type RegistryScanningConfigurationParameters struct {
@@ -32,11 +38,14 @@ type RegistryScanningConfigurationParameters struct {
 	Rule []RuleParameters `json:"rule,omitempty" tf:"rule,omitempty"`
 
 	// the scanning type to set for the registry. Can be either ENHANCED or BASIC.
-	// +kubebuilder:validation:Required
-	ScanType *string `json:"scanType" tf:"scan_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ScanType *string `json:"scanType,omitempty" tf:"scan_type,omitempty"`
 }
 
 type RepositoryFilterObservation struct {
+	Filter *string `json:"filter,omitempty" tf:"filter,omitempty"`
+
+	FilterType *string `json:"filterType,omitempty" tf:"filter_type,omitempty"`
 }
 
 type RepositoryFilterParameters struct {
@@ -49,6 +58,12 @@ type RepositoryFilterParameters struct {
 }
 
 type RuleObservation struct {
+
+	// One or more repository filter blocks, containing a filter  and a filter_type .
+	RepositoryFilter []RepositoryFilterObservation `json:"repositoryFilter,omitempty" tf:"repository_filter,omitempty"`
+
+	// The frequency that scans are performed at for a private registry. Can be SCAN_ON_PUSH, CONTINUOUS_SCAN, or MANUAL.
+	ScanFrequency *string `json:"scanFrequency,omitempty" tf:"scan_frequency,omitempty"`
 }
 
 type RuleParameters struct {
@@ -86,8 +101,9 @@ type RegistryScanningConfigurationStatus struct {
 type RegistryScanningConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegistryScanningConfigurationSpec   `json:"spec"`
-	Status            RegistryScanningConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scanType)",message="scanType is a required parameter"
+	Spec   RegistryScanningConfigurationSpec   `json:"spec"`
+	Status RegistryScanningConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecr/v1beta1/zz_replicationconfiguration_types.go b/apis/ecr/v1beta1/zz_replicationconfiguration_types.go
index bb01445998..5c2a2eee62 100755
--- a/apis/ecr/v1beta1/zz_replicationconfiguration_types.go
+++ b/apis/ecr/v1beta1/zz_replicationconfiguration_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type DestinationObservation struct {
+
+	// A Region to replicate to.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// The account ID of the destination registry to replicate to.
+	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
 }
 
 type DestinationParameters struct {
@@ -32,6 +38,9 @@ type ReplicationConfigurationObservation struct {
 
 	// The account ID of the destination registry to replicate to.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
+
+	// Replication configuration for a registry. See Replication Configuration.
+	ReplicationConfiguration []ReplicationConfigurationReplicationConfigurationObservation `json:"replicationConfiguration,omitempty" tf:"replication_configuration,omitempty"`
 }
 
 type ReplicationConfigurationParameters struct {
@@ -48,6 +57,9 @@ type ReplicationConfigurationParameters struct {
 }
 
 type ReplicationConfigurationReplicationConfigurationObservation struct {
+
+	// The replication rules for a replication configuration. A maximum of 10 are allowed per replication_configuration. See Rule
+	Rule []ReplicationConfigurationRuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type ReplicationConfigurationReplicationConfigurationParameters struct {
@@ -58,6 +70,12 @@ type ReplicationConfigurationReplicationConfigurationParameters struct {
 }
 
 type ReplicationConfigurationRuleObservation struct {
+
+	// the details of a replication destination. A maximum of 25 are allowed per rule. See Destination.
+	Destination []DestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// filters for a replication rule. See Repository Filter.
+	RepositoryFilter []RuleRepositoryFilterObservation `json:"repositoryFilter,omitempty" tf:"repository_filter,omitempty"`
 }
 
 type ReplicationConfigurationRuleParameters struct {
@@ -72,6 +90,12 @@ type ReplicationConfigurationRuleParameters struct {
 }
 
 type RuleRepositoryFilterObservation struct {
+
+	// The repository filter details.
+	Filter *string `json:"filter,omitempty" tf:"filter,omitempty"`
+
+	// The repository filter type. The only supported value is PREFIX_MATCH, which is a repository name prefix specified with the filter parameter.
+	FilterType *string `json:"filterType,omitempty" tf:"filter_type,omitempty"`
 }
 
 type RuleRepositoryFilterParameters struct {
diff --git a/apis/ecr/v1beta1/zz_repository_types.go b/apis/ecr/v1beta1/zz_repository_types.go
index 97c027dbc0..ff5df3eff2 100755
--- a/apis/ecr/v1beta1/zz_repository_types.go
+++ b/apis/ecr/v1beta1/zz_repository_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type EncryptionConfigurationObservation struct {
+
+	// The encryption type to use for the repository. Valid values are AES256 or KMS. Defaults to AES256.
+	EncryptionType *string `json:"encryptionType,omitempty" tf:"encryption_type,omitempty"`
+
+	// The ARN of the KMS key to use when encryption_type is KMS. If not specified, uses the default AWS managed key for ECR.
+	KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"`
 }
 
 type EncryptionConfigurationParameters struct {
@@ -38,6 +44,9 @@ type EncryptionConfigurationParameters struct {
 }
 
 type ImageScanningConfigurationObservation struct {
+
+	// Indicates whether images are scanned after being pushed to the repository (true) or not scanned (false).
+	ScanOnPush *bool `json:"scanOnPush,omitempty" tf:"scan_on_push,omitempty"`
 }
 
 type ImageScanningConfigurationParameters struct {
@@ -52,14 +61,30 @@ type RepositoryObservation struct {
 	// Full ARN of the repository.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Encryption configuration for the repository. See below for schema.
+	EncryptionConfiguration []EncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// If true, will delete the repository even if it contains images.
+	// Defaults to false.
+	ForceDelete *bool `json:"forceDelete,omitempty" tf:"force_delete,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block that defines image scanning configuration for the repository. By default, image scanning must be manually triggered. See the ECR User Guide for more information about image scanning.
+	ImageScanningConfiguration []ImageScanningConfigurationObservation `json:"imageScanningConfiguration,omitempty" tf:"image_scanning_configuration,omitempty"`
+
+	// The tag mutability setting for the repository. Must be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE.
+	ImageTagMutability *string `json:"imageTagMutability,omitempty" tf:"image_tag_mutability,omitempty"`
+
 	// The registry ID where the repository was created.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
 
 	// The URL of the repository (in the form aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName).
 	RepositoryURL *string `json:"repositoryUrl,omitempty" tf:"repository_url,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ecr/v1beta1/zz_repositorypolicy_types.go b/apis/ecr/v1beta1/zz_repositorypolicy_types.go
index df5e66ef1d..5880668db9 100755
--- a/apis/ecr/v1beta1/zz_repositorypolicy_types.go
+++ b/apis/ecr/v1beta1/zz_repositorypolicy_types.go
@@ -16,15 +16,21 @@ import (
 type RepositoryPolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The policy document. This is a JSON formatted string
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
 	// The registry ID where the repository was created.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
+
+	// Name of the repository to apply the policy.
+	Repository *string `json:"repository,omitempty" tf:"repository,omitempty"`
 }
 
 type RepositoryPolicyParameters struct {
 
 	// The policy document. This is a JSON formatted string
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +75,9 @@ type RepositoryPolicyStatus struct {
 type RepositoryPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RepositoryPolicySpec   `json:"spec"`
-	Status            RepositoryPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   RepositoryPolicySpec   `json:"spec"`
+	Status RepositoryPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecrpublic/v1beta1/zz_generated.deepcopy.go b/apis/ecrpublic/v1beta1/zz_generated.deepcopy.go
index d5cdc4082a..7f6562850b 100644
--- a/apis/ecrpublic/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ecrpublic/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,48 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CatalogDataObservation) DeepCopyInto(out *CatalogDataObservation) {
 	*out = *in
+	if in.AboutText != nil {
+		in, out := &in.AboutText, &out.AboutText
+		*out = new(string)
+		**out = **in
+	}
+	if in.Architectures != nil {
+		in, out := &in.Architectures, &out.Architectures
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogoImageBlob != nil {
+		in, out := &in.LogoImageBlob, &out.LogoImageBlob
+		*out = new(string)
+		**out = **in
+	}
+	if in.OperatingSystems != nil {
+		in, out := &in.OperatingSystems, &out.OperatingSystems
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.UsageText != nil {
+		in, out := &in.UsageText, &out.UsageText
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogDataObservation.
@@ -153,6 +195,18 @@ func (in *RepositoryObservation) DeepCopyInto(out *RepositoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CatalogData != nil {
+		in, out := &in.CatalogData, &out.CatalogData
+		*out = make([]CatalogDataObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -168,6 +222,21 @@ func (in *RepositoryObservation) DeepCopyInto(out *RepositoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -309,11 +378,21 @@ func (in *RepositoryPolicyObservation) DeepCopyInto(out *RepositoryPolicyObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegistryID != nil {
 		in, out := &in.RegistryID, &out.RegistryID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RepositoryName != nil {
+		in, out := &in.RepositoryName, &out.RepositoryName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RepositoryPolicyObservation.
diff --git a/apis/ecrpublic/v1beta1/zz_repository_types.go b/apis/ecrpublic/v1beta1/zz_repository_types.go
index 3ede8aae9f..320026f584 100755
--- a/apis/ecrpublic/v1beta1/zz_repository_types.go
+++ b/apis/ecrpublic/v1beta1/zz_repository_types.go
@@ -14,6 +14,24 @@ import (
 )
 
 type CatalogDataObservation struct {
+
+	// A detailed description of the contents of the repository. It is publicly visible in the Amazon ECR Public Gallery. The text must be in markdown format.
+	AboutText *string `json:"aboutText,omitempty" tf:"about_text,omitempty"`
+
+	// The system architecture that the images in the repository are compatible with. On the Amazon ECR Public Gallery, the following supported architectures will appear as badges on the repository and are used as search filters: ARM, ARM 64, x86, x86-64
+	Architectures []*string `json:"architectures,omitempty" tf:"architectures,omitempty"`
+
+	// A short description of the contents of the repository. This text appears in both the image details and also when searching for repositories on the Amazon ECR Public Gallery.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The base64-encoded repository logo payload. (Only visible for verified accounts) Note that drift detection is disabled for this attribute.
+	LogoImageBlob *string `json:"logoImageBlob,omitempty" tf:"logo_image_blob,omitempty"`
+
+	// The operating systems that the images in the repository are compatible with. On the Amazon ECR Public Gallery, the following supported operating systems will appear as badges on the repository and are used as search filters: Linux, Windows
+	OperatingSystems []*string `json:"operatingSystems,omitempty" tf:"operating_systems,omitempty"`
+
+	// Detailed information on how to use the contents of the repository. It is publicly visible in the Amazon ECR Public Gallery. The usage text provides context, support information, and additional usage details for users of the repository. The text must be in markdown format.
+	UsageText *string `json:"usageText,omitempty" tf:"usage_text,omitempty"`
 }
 
 type CatalogDataParameters struct {
@@ -48,6 +66,11 @@ type RepositoryObservation struct {
 	// Full ARN of the repository.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Catalog data configuration for the repository. See below for schema.
+	CatalogData []CatalogDataObservation `json:"catalogData,omitempty" tf:"catalog_data,omitempty"`
+
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// The repository name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -57,6 +80,9 @@ type RepositoryObservation struct {
 	// The URI of the repository.
 	RepositoryURI *string `json:"repositoryUri,omitempty" tf:"repository_uri,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ecrpublic/v1beta1/zz_repositorypolicy_types.go b/apis/ecrpublic/v1beta1/zz_repositorypolicy_types.go
index e7b3be4087..70e8e7bada 100755
--- a/apis/ecrpublic/v1beta1/zz_repositorypolicy_types.go
+++ b/apis/ecrpublic/v1beta1/zz_repositorypolicy_types.go
@@ -16,15 +16,21 @@ import (
 type RepositoryPolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The policy document. This is a JSON formatted string
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
 	// The registry ID where the repository was created.
 	RegistryID *string `json:"registryId,omitempty" tf:"registry_id,omitempty"`
+
+	// Name of the repository to apply the policy.
+	RepositoryName *string `json:"repositoryName,omitempty" tf:"repository_name,omitempty"`
 }
 
 type RepositoryPolicyParameters struct {
 
 	// The policy document. This is a JSON formatted string
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +75,9 @@ type RepositoryPolicyStatus struct {
 type RepositoryPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RepositoryPolicySpec   `json:"spec"`
-	Status            RepositoryPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   RepositoryPolicySpec   `json:"spec"`
+	Status RepositoryPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecs/v1beta1/zz_accountsettingdefault_types.go b/apis/ecs/v1beta1/zz_accountsettingdefault_types.go
index 1ec084fc91..75fd14d9c0 100755
--- a/apis/ecs/v1beta1/zz_accountsettingdefault_types.go
+++ b/apis/ecs/v1beta1/zz_accountsettingdefault_types.go
@@ -18,14 +18,20 @@ type AccountSettingDefaultObservation struct {
 	// ARN that identifies the account setting.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the account setting to set. Valid values are serviceLongArnFormat, taskLongArnFormat, containerInstanceLongArnFormat, awsvpcTrunking and containerInsights.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	PrincipalArn *string `json:"principalArn,omitempty" tf:"principal_arn,omitempty"`
+
+	// State of the setting. Valid values are enabled and disabled.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type AccountSettingDefaultParameters struct {
 
 	// Name of the account setting to set. Valid values are serviceLongArnFormat, taskLongArnFormat, containerInstanceLongArnFormat, awsvpcTrunking and containerInsights.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -33,8 +39,8 @@ type AccountSettingDefaultParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// State of the setting. Valid values are enabled and disabled.
-	// +kubebuilder:validation:Required
-	Value *string `json:"value" tf:"value,omitempty"`
+	// +kubebuilder:validation:Optional
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 // AccountSettingDefaultSpec defines the desired state of AccountSettingDefault
@@ -61,8 +67,10 @@ type AccountSettingDefaultStatus struct {
 type AccountSettingDefault struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AccountSettingDefaultSpec   `json:"spec"`
-	Status            AccountSettingDefaultStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)",message="value is a required parameter"
+	Spec   AccountSettingDefaultSpec   `json:"spec"`
+	Status AccountSettingDefaultStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecs/v1beta1/zz_capacityprovider_types.go b/apis/ecs/v1beta1/zz_capacityprovider_types.go
index 527c643acc..00f6cd30e9 100755
--- a/apis/ecs/v1beta1/zz_capacityprovider_types.go
+++ b/apis/ecs/v1beta1/zz_capacityprovider_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AutoScalingGroupProviderObservation struct {
+
+	// - ARN of the associated auto scaling group.
+	AutoScalingGroupArn *string `json:"autoScalingGroupArn,omitempty" tf:"auto_scaling_group_arn,omitempty"`
+
+	// - Configuration block defining the parameters of the auto scaling. Detailed below.
+	ManagedScaling []ManagedScalingObservation `json:"managedScaling,omitempty" tf:"managed_scaling,omitempty"`
+
+	// - Enables or disables container-aware termination of instances in the auto scaling group when scale-in happens. Valid values are ENABLED and DISABLED.
+	ManagedTerminationProtection *string `json:"managedTerminationProtection,omitempty" tf:"managed_termination_protection,omitempty"`
 }
 
 type AutoScalingGroupProviderParameters struct {
@@ -46,9 +55,15 @@ type CapacityProviderObservation struct {
 	// ARN that identifies the capacity provider.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block for the provider for the ECS auto scaling group. Detailed below.
+	AutoScalingGroupProvider []AutoScalingGroupProviderObservation `json:"autoScalingGroupProvider,omitempty" tf:"auto_scaling_group_provider,omitempty"`
+
 	// ARN that identifies the capacity provider.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -56,8 +71,8 @@ type CapacityProviderObservation struct {
 type CapacityProviderParameters struct {
 
 	// Configuration block for the provider for the ECS auto scaling group. Detailed below.
-	// +kubebuilder:validation:Required
-	AutoScalingGroupProvider []AutoScalingGroupProviderParameters `json:"autoScalingGroupProvider" tf:"auto_scaling_group_provider,omitempty"`
+	// +kubebuilder:validation:Optional
+	AutoScalingGroupProvider []AutoScalingGroupProviderParameters `json:"autoScalingGroupProvider,omitempty" tf:"auto_scaling_group_provider,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -70,6 +85,21 @@ type CapacityProviderParameters struct {
 }
 
 type ManagedScalingObservation struct {
+
+	// Period of time, in seconds, after a newly launched Amazon EC2 instance can contribute to CloudWatch metrics for Auto Scaling group. If this parameter is omitted, the default value of 300 seconds is used.
+	InstanceWarmupPeriod *float64 `json:"instanceWarmupPeriod,omitempty" tf:"instance_warmup_period,omitempty"`
+
+	// Maximum step adjustment size. A number between 1 and 10,000.
+	MaximumScalingStepSize *float64 `json:"maximumScalingStepSize,omitempty" tf:"maximum_scaling_step_size,omitempty"`
+
+	// Minimum step adjustment size. A number between 1 and 10,000.
+	MinimumScalingStepSize *float64 `json:"minimumScalingStepSize,omitempty" tf:"minimum_scaling_step_size,omitempty"`
+
+	// Whether auto scaling is managed by ECS. Valid values are ENABLED and DISABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Target utilization for the capacity provider. A number between 1 and 100.
+	TargetCapacity *float64 `json:"targetCapacity,omitempty" tf:"target_capacity,omitempty"`
 }
 
 type ManagedScalingParameters struct {
@@ -119,8 +149,9 @@ type CapacityProviderStatus struct {
 type CapacityProvider struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CapacityProviderSpec   `json:"spec"`
-	Status            CapacityProviderStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.autoScalingGroupProvider)",message="autoScalingGroupProvider is a required parameter"
+	Spec   CapacityProviderSpec   `json:"spec"`
+	Status CapacityProviderStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ecs/v1beta1/zz_cluster_types.go b/apis/ecs/v1beta1/zz_cluster_types.go
index 11b63483c4..b2097d309d 100755
--- a/apis/ecs/v1beta1/zz_cluster_types.go
+++ b/apis/ecs/v1beta1/zz_cluster_types.go
@@ -21,9 +21,24 @@ type ClusterObservation struct {
 	// List of short names of one or more capacity providers to associate with the cluster. Valid values also include FARGATE and FARGATE_SPOT.
 	CapacityProviders []*string `json:"capacityProviders,omitempty" tf:"capacity_providers,omitempty"`
 
+	// The execute command configuration for the cluster. Detailed below.
+	Configuration []ConfigurationObservation `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// Configuration block for capacity provider strategy to use by default for the cluster. Can be one or more. Detailed below.
+	DefaultCapacityProviderStrategy []DefaultCapacityProviderStrategyObservation `json:"defaultCapacityProviderStrategy,omitempty" tf:"default_capacity_provider_strategy,omitempty"`
+
 	// ARN that identifies the cluster.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configures a default Service Connect namespace. Detailed below.
+	ServiceConnectDefaults []ServiceConnectDefaultsObservation `json:"serviceConnectDefaults,omitempty" tf:"service_connect_defaults,omitempty"`
+
+	// Configuration block(s) with cluster settings. For example, this can be used to enable CloudWatch Container Insights for a cluster. Detailed below.
+	Setting []SettingObservation `json:"setting,omitempty" tf:"setting,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -57,6 +72,9 @@ type ClusterParameters struct {
 }
 
 type ConfigurationObservation struct {
+
+	// The details of the execute command configuration. Detailed below.
+	ExecuteCommandConfiguration []ExecuteCommandConfigurationObservation `json:"executeCommandConfiguration,omitempty" tf:"execute_command_configuration,omitempty"`
 }
 
 type ConfigurationParameters struct {
@@ -67,6 +85,15 @@ type ConfigurationParameters struct {
 }
 
 type DefaultCapacityProviderStrategyObservation struct {
+
+	// The number of tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined.
+	Base *float64 `json:"base,omitempty" tf:"base,omitempty"`
+
+	// The short name of the capacity provider.
+	CapacityProvider *string `json:"capacityProvider,omitempty" tf:"capacity_provider,omitempty"`
+
+	// The relative percentage of the total number of launched tasks that should use the specified capacity provider.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type DefaultCapacityProviderStrategyParameters struct {
@@ -85,6 +112,15 @@ type DefaultCapacityProviderStrategyParameters struct {
 }
 
 type ExecuteCommandConfigurationObservation struct {
+
+	// The AWS Key Management Service key ID to encrypt the data between the local client and the container.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The log configuration for the results of the execute command actions Required when logging is OVERRIDE. Detailed below.
+	LogConfiguration []LogConfigurationObservation `json:"logConfiguration,omitempty" tf:"log_configuration,omitempty"`
+
+	// The log setting to use for redirecting logs for your execute command results. Valid values are NONE, DEFAULT, and OVERRIDE.
+	Logging *string `json:"logging,omitempty" tf:"logging,omitempty"`
 }
 
 type ExecuteCommandConfigurationParameters struct {
@@ -103,6 +139,21 @@ type ExecuteCommandConfigurationParameters struct {
 }
 
 type LogConfigurationObservation struct {
+
+	// Whether or not to enable encryption on the CloudWatch logs. If not specified, encryption will be disabled.
+	CloudWatchEncryptionEnabled *bool `json:"cloudWatchEncryptionEnabled,omitempty" tf:"cloud_watch_encryption_enabled,omitempty"`
+
+	// The name of the CloudWatch log group to send logs to.
+	CloudWatchLogGroupName *string `json:"cloudWatchLogGroupName,omitempty" tf:"cloud_watch_log_group_name,omitempty"`
+
+	// Whether or not to enable encryption on the logs sent to S3. If not specified, encryption will be disabled.
+	S3BucketEncryptionEnabled *bool `json:"s3BucketEncryptionEnabled,omitempty" tf:"s3_bucket_encryption_enabled,omitempty"`
+
+	// The name of the S3 bucket to send logs to.
+	S3BucketName *string `json:"s3BucketName,omitempty" tf:"s3_bucket_name,omitempty"`
+
+	// An optional folder in the S3 bucket to place logs in.
+	S3KeyPrefix *string `json:"s3KeyPrefix,omitempty" tf:"s3_key_prefix,omitempty"`
 }
 
 type LogConfigurationParameters struct {
@@ -129,6 +180,9 @@ type LogConfigurationParameters struct {
 }
 
 type ServiceConnectDefaultsObservation struct {
+
+	// The ARN of the aws_service_discovery_http_namespace that's used when you create a service and don't specify a Service Connect configuration.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type ServiceConnectDefaultsParameters struct {
@@ -139,6 +193,12 @@ type ServiceConnectDefaultsParameters struct {
 }
 
 type SettingObservation struct {
+
+	// Name of the setting to manage. Valid values: containerInsights.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value to assign to the setting. Valid values are enabled and disabled.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type SettingParameters struct {
diff --git a/apis/ecs/v1beta1/zz_clustercapacityproviders_types.go b/apis/ecs/v1beta1/zz_clustercapacityproviders_types.go
index 94d05b3278..d15602569b 100755
--- a/apis/ecs/v1beta1/zz_clustercapacityproviders_types.go
+++ b/apis/ecs/v1beta1/zz_clustercapacityproviders_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ClusterCapacityProvidersDefaultCapacityProviderStrategyObservation struct {
+
+	// The number of tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined. Defaults to 0.
+	Base *float64 `json:"base,omitempty" tf:"base,omitempty"`
+
+	// Name of the capacity provider.
+	CapacityProvider *string `json:"capacityProvider,omitempty" tf:"capacity_provider,omitempty"`
+
+	// The relative percentage of the total number of launched tasks that should use the specified capacity provider. The weight value is taken into consideration after the base count of tasks has been satisfied. Defaults to 0.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type ClusterCapacityProvidersDefaultCapacityProviderStrategyParameters struct {
@@ -33,6 +42,15 @@ type ClusterCapacityProvidersDefaultCapacityProviderStrategyParameters struct {
 
 type ClusterCapacityProvidersObservation struct {
 
+	// Set of names of one or more capacity providers to associate with the cluster. Valid values also include FARGATE and FARGATE_SPOT.
+	CapacityProviders []*string `json:"capacityProviders,omitempty" tf:"capacity_providers,omitempty"`
+
+	// Name of the ECS cluster to manage capacity providers for.
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
+	// Set of capacity provider strategies to use by default for the cluster. Detailed below.
+	DefaultCapacityProviderStrategy []ClusterCapacityProvidersDefaultCapacityProviderStrategyObservation `json:"defaultCapacityProviderStrategy,omitempty" tf:"default_capacity_provider_strategy,omitempty"`
+
 	// Same as cluster_name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
diff --git a/apis/ecs/v1beta1/zz_generated.deepcopy.go b/apis/ecs/v1beta1/zz_generated.deepcopy.go
index 5f58168dcc..04589e0b25 100644
--- a/apis/ecs/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ecs/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,21 @@ func (in *AccountSettingDefaultObservation) DeepCopyInto(out *AccountSettingDefa
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.PrincipalArn != nil {
 		in, out := &in.PrincipalArn, &out.PrincipalArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountSettingDefaultObservation.
@@ -165,6 +175,27 @@ func (in *AccountSettingDefaultStatus) DeepCopy() *AccountSettingDefaultStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AlarmsObservation) DeepCopyInto(out *AlarmsObservation) {
 	*out = *in
+	if in.AlarmNames != nil {
+		in, out := &in.AlarmNames, &out.AlarmNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Rollback != nil {
+		in, out := &in.Rollback, &out.Rollback
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AlarmsObservation.
@@ -216,6 +247,16 @@ func (in *AlarmsParameters) DeepCopy() *AlarmsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthorizationConfigObservation) DeepCopyInto(out *AuthorizationConfigObservation) {
 	*out = *in
+	if in.AccessPointID != nil {
+		in, out := &in.AccessPointID, &out.AccessPointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAM != nil {
+		in, out := &in.IAM, &out.IAM
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthorizationConfigObservation.
@@ -256,6 +297,23 @@ func (in *AuthorizationConfigParameters) DeepCopy() *AuthorizationConfigParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoScalingGroupProviderObservation) DeepCopyInto(out *AutoScalingGroupProviderObservation) {
 	*out = *in
+	if in.AutoScalingGroupArn != nil {
+		in, out := &in.AutoScalingGroupArn, &out.AutoScalingGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ManagedScaling != nil {
+		in, out := &in.ManagedScaling, &out.ManagedScaling
+		*out = make([]ManagedScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ManagedTerminationProtection != nil {
+		in, out := &in.ManagedTerminationProtection, &out.ManagedTerminationProtection
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoScalingGroupProviderObservation.
@@ -377,11 +435,33 @@ func (in *CapacityProviderObservation) DeepCopyInto(out *CapacityProviderObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoScalingGroupProvider != nil {
+		in, out := &in.AutoScalingGroupProvider, &out.AutoScalingGroupProvider
+		*out = make([]AutoScalingGroupProviderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -488,6 +568,21 @@ func (in *CapacityProviderStatus) DeepCopy() *CapacityProviderStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityProviderStrategyObservation) DeepCopyInto(out *CapacityProviderStrategyObservation) {
 	*out = *in
+	if in.Base != nil {
+		in, out := &in.Base, &out.Base
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CapacityProvider != nil {
+		in, out := &in.CapacityProvider, &out.CapacityProvider
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityProviderStrategyObservation.
@@ -533,6 +628,16 @@ func (in *CapacityProviderStrategyParameters) DeepCopy() *CapacityProviderStrate
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientAliasObservation) DeepCopyInto(out *ClientAliasObservation) {
 	*out = *in
+	if in.DNSName != nil {
+		in, out := &in.DNSName, &out.DNSName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientAliasObservation.
@@ -627,6 +732,21 @@ func (in *ClusterCapacityProviders) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterCapacityProvidersDefaultCapacityProviderStrategyObservation) DeepCopyInto(out *ClusterCapacityProvidersDefaultCapacityProviderStrategyObservation) {
 	*out = *in
+	if in.Base != nil {
+		in, out := &in.Base, &out.Base
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CapacityProvider != nil {
+		in, out := &in.CapacityProvider, &out.CapacityProvider
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterCapacityProvidersDefaultCapacityProviderStrategyObservation.
@@ -704,6 +824,29 @@ func (in *ClusterCapacityProvidersList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterCapacityProvidersObservation) DeepCopyInto(out *ClusterCapacityProvidersObservation) {
 	*out = *in
+	if in.CapacityProviders != nil {
+		in, out := &in.CapacityProviders, &out.CapacityProviders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultCapacityProviderStrategy != nil {
+		in, out := &in.DefaultCapacityProviderStrategy, &out.DefaultCapacityProviderStrategy
+		*out = make([]ClusterCapacityProvidersDefaultCapacityProviderStrategyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -859,11 +1002,54 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			}
 		}
 	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make([]ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultCapacityProviderStrategy != nil {
+		in, out := &in.DefaultCapacityProviderStrategy, &out.DefaultCapacityProviderStrategy
+		*out = make([]DefaultCapacityProviderStrategyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ServiceConnectDefaults != nil {
+		in, out := &in.ServiceConnectDefaults, &out.ServiceConnectDefaults
+		*out = make([]ServiceConnectDefaultsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Setting != nil {
+		in, out := &in.Setting, &out.Setting
+		*out = make([]SettingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -991,6 +1177,13 @@ func (in *ClusterStatus) DeepCopy() *ClusterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation) {
 	*out = *in
+	if in.ExecuteCommandConfiguration != nil {
+		in, out := &in.ExecuteCommandConfiguration, &out.ExecuteCommandConfiguration
+		*out = make([]ExecuteCommandConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationObservation.
@@ -1028,6 +1221,21 @@ func (in *ConfigurationParameters) DeepCopy() *ConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultCapacityProviderStrategyObservation) DeepCopyInto(out *DefaultCapacityProviderStrategyObservation) {
 	*out = *in
+	if in.Base != nil {
+		in, out := &in.Base, &out.Base
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CapacityProvider != nil {
+		in, out := &in.CapacityProvider, &out.CapacityProvider
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultCapacityProviderStrategyObservation.
@@ -1073,6 +1281,16 @@ func (in *DefaultCapacityProviderStrategyParameters) DeepCopy() *DefaultCapacity
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentCircuitBreakerObservation) DeepCopyInto(out *DeploymentCircuitBreakerObservation) {
 	*out = *in
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Rollback != nil {
+		in, out := &in.Rollback, &out.Rollback
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentCircuitBreakerObservation.
@@ -1113,6 +1331,11 @@ func (in *DeploymentCircuitBreakerParameters) DeepCopy() *DeploymentCircuitBreak
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeploymentControllerObservation) DeepCopyInto(out *DeploymentControllerObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeploymentControllerObservation.
@@ -1148,21 +1371,6 @@ func (in *DeploymentControllerParameters) DeepCopy() *DeploymentControllerParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DockerVolumeConfigurationObservation) DeepCopyInto(out *DockerVolumeConfigurationObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DockerVolumeConfigurationObservation.
-func (in *DockerVolumeConfigurationObservation) DeepCopy() *DockerVolumeConfigurationObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(DockerVolumeConfigurationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DockerVolumeConfigurationParameters) DeepCopyInto(out *DockerVolumeConfigurationParameters) {
-	*out = *in
 	if in.Autoprovision != nil {
 		in, out := &in.Autoprovision, &out.Autoprovision
 		*out = new(bool)
@@ -1210,34 +1418,121 @@ func (in *DockerVolumeConfigurationParameters) DeepCopyInto(out *DockerVolumeCon
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DockerVolumeConfigurationParameters.
-func (in *DockerVolumeConfigurationParameters) DeepCopy() *DockerVolumeConfigurationParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DockerVolumeConfigurationObservation.
+func (in *DockerVolumeConfigurationObservation) DeepCopy() *DockerVolumeConfigurationObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(DockerVolumeConfigurationParameters)
+	out := new(DockerVolumeConfigurationObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EFSVolumeConfigurationObservation) DeepCopyInto(out *EFSVolumeConfigurationObservation) {
+func (in *DockerVolumeConfigurationParameters) DeepCopyInto(out *DockerVolumeConfigurationParameters) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EFSVolumeConfigurationObservation.
-func (in *EFSVolumeConfigurationObservation) DeepCopy() *EFSVolumeConfigurationObservation {
-	if in == nil {
-		return nil
+	if in.Autoprovision != nil {
+		in, out := &in.Autoprovision, &out.Autoprovision
+		*out = new(bool)
+		**out = **in
 	}
-	out := new(EFSVolumeConfigurationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EFSVolumeConfigurationParameters) DeepCopyInto(out *EFSVolumeConfigurationParameters) {
-	*out = *in
+	if in.Driver != nil {
+		in, out := &in.Driver, &out.Driver
+		*out = new(string)
+		**out = **in
+	}
+	if in.DriverOpts != nil {
+		in, out := &in.DriverOpts, &out.DriverOpts
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DockerVolumeConfigurationParameters.
+func (in *DockerVolumeConfigurationParameters) DeepCopy() *DockerVolumeConfigurationParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(DockerVolumeConfigurationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EFSVolumeConfigurationObservation) DeepCopyInto(out *EFSVolumeConfigurationObservation) {
+	*out = *in
+	if in.AuthorizationConfig != nil {
+		in, out := &in.AuthorizationConfig, &out.AuthorizationConfig
+		*out = make([]AuthorizationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootDirectory != nil {
+		in, out := &in.RootDirectory, &out.RootDirectory
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitEncryption != nil {
+		in, out := &in.TransitEncryption, &out.TransitEncryption
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitEncryptionPort != nil {
+		in, out := &in.TransitEncryptionPort, &out.TransitEncryptionPort
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EFSVolumeConfigurationObservation.
+func (in *EFSVolumeConfigurationObservation) DeepCopy() *EFSVolumeConfigurationObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(EFSVolumeConfigurationObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EFSVolumeConfigurationParameters) DeepCopyInto(out *EFSVolumeConfigurationParameters) {
+	*out = *in
 	if in.AuthorizationConfig != nil {
 		in, out := &in.AuthorizationConfig, &out.AuthorizationConfig
 		*out = make([]AuthorizationConfigParameters, len(*in))
@@ -1280,6 +1575,11 @@ func (in *EFSVolumeConfigurationParameters) DeepCopy() *EFSVolumeConfigurationPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralStorageObservation) DeepCopyInto(out *EphemeralStorageObservation) {
 	*out = *in
+	if in.SizeInGib != nil {
+		in, out := &in.SizeInGib, &out.SizeInGib
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralStorageObservation.
@@ -1315,6 +1615,23 @@ func (in *EphemeralStorageParameters) DeepCopy() *EphemeralStorageParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExecuteCommandConfigurationObservation) DeepCopyInto(out *ExecuteCommandConfigurationObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogConfiguration != nil {
+		in, out := &in.LogConfiguration, &out.LogConfiguration
+		*out = make([]LogConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Logging != nil {
+		in, out := &in.Logging, &out.Logging
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecuteCommandConfigurationObservation.
@@ -1362,6 +1679,16 @@ func (in *ExecuteCommandConfigurationParameters) DeepCopy() *ExecuteCommandConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FSXWindowsFileServerVolumeConfigurationAuthorizationConfigObservation) DeepCopyInto(out *FSXWindowsFileServerVolumeConfigurationAuthorizationConfigObservation) {
 	*out = *in
+	if in.CredentialsParameter != nil {
+		in, out := &in.CredentialsParameter, &out.CredentialsParameter
+		*out = new(string)
+		**out = **in
+	}
+	if in.Domain != nil {
+		in, out := &in.Domain, &out.Domain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSXWindowsFileServerVolumeConfigurationAuthorizationConfigObservation.
@@ -1402,6 +1729,23 @@ func (in *FSXWindowsFileServerVolumeConfigurationAuthorizationConfigParameters)
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FSXWindowsFileServerVolumeConfigurationObservation) DeepCopyInto(out *FSXWindowsFileServerVolumeConfigurationObservation) {
 	*out = *in
+	if in.AuthorizationConfig != nil {
+		in, out := &in.AuthorizationConfig, &out.AuthorizationConfig
+		*out = make([]FSXWindowsFileServerVolumeConfigurationAuthorizationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootDirectory != nil {
+		in, out := &in.RootDirectory, &out.RootDirectory
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FSXWindowsFileServerVolumeConfigurationObservation.
@@ -1449,6 +1793,16 @@ func (in *FSXWindowsFileServerVolumeConfigurationParameters) DeepCopy() *FSXWind
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InferenceAcceleratorObservation) DeepCopyInto(out *InferenceAcceleratorObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceType != nil {
+		in, out := &in.DeviceType, &out.DeviceType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InferenceAcceleratorObservation.
@@ -1489,6 +1843,26 @@ func (in *InferenceAcceleratorParameters) DeepCopy() *InferenceAcceleratorParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoadBalancerObservation) DeepCopyInto(out *LoadBalancerObservation) {
 	*out = *in
+	if in.ContainerName != nil {
+		in, out := &in.ContainerName, &out.ContainerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContainerPort != nil {
+		in, out := &in.ContainerPort, &out.ContainerPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ELBName != nil {
+		in, out := &in.ELBName, &out.ELBName
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetGroupArn != nil {
+		in, out := &in.TargetGroupArn, &out.TargetGroupArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBalancerObservation.
@@ -1539,6 +1913,31 @@ func (in *LoadBalancerParameters) DeepCopy() *LoadBalancerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogConfigurationObservation) DeepCopyInto(out *LogConfigurationObservation) {
 	*out = *in
+	if in.CloudWatchEncryptionEnabled != nil {
+		in, out := &in.CloudWatchEncryptionEnabled, &out.CloudWatchEncryptionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudWatchLogGroupName != nil {
+		in, out := &in.CloudWatchLogGroupName, &out.CloudWatchLogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3BucketEncryptionEnabled != nil {
+		in, out := &in.S3BucketEncryptionEnabled, &out.S3BucketEncryptionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.S3BucketName != nil {
+		in, out := &in.S3BucketName, &out.S3BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KeyPrefix != nil {
+		in, out := &in.S3KeyPrefix, &out.S3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogConfigurationObservation.
@@ -1594,6 +1993,31 @@ func (in *LogConfigurationParameters) DeepCopy() *LogConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManagedScalingObservation) DeepCopyInto(out *ManagedScalingObservation) {
 	*out = *in
+	if in.InstanceWarmupPeriod != nil {
+		in, out := &in.InstanceWarmupPeriod, &out.InstanceWarmupPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaximumScalingStepSize != nil {
+		in, out := &in.MaximumScalingStepSize, &out.MaximumScalingStepSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinimumScalingStepSize != nil {
+		in, out := &in.MinimumScalingStepSize, &out.MinimumScalingStepSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetCapacity != nil {
+		in, out := &in.TargetCapacity, &out.TargetCapacity
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedScalingObservation.
@@ -1649,6 +2073,33 @@ func (in *ManagedScalingParameters) DeepCopy() *ManagedScalingParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkConfigurationObservation) DeepCopyInto(out *NetworkConfigurationObservation) {
 	*out = *in
+	if in.AssignPublicIP != nil {
+		in, out := &in.AssignPublicIP, &out.AssignPublicIP
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkConfigurationObservation.
@@ -1730,12 +2181,22 @@ func (in *NetworkConfigurationParameters) DeepCopy() *NetworkConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OrderedPlacementStrategyObservation) DeepCopyInto(out *OrderedPlacementStrategyObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedPlacementStrategyObservation.
-func (in *OrderedPlacementStrategyObservation) DeepCopy() *OrderedPlacementStrategyObservation {
-	if in == nil {
-		return nil
+	if in.Field != nil {
+		in, out := &in.Field, &out.Field
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrderedPlacementStrategyObservation.
+func (in *OrderedPlacementStrategyObservation) DeepCopy() *OrderedPlacementStrategyObservation {
+	if in == nil {
+		return nil
 	}
 	out := new(OrderedPlacementStrategyObservation)
 	in.DeepCopyInto(out)
@@ -1770,6 +2231,16 @@ func (in *OrderedPlacementStrategyParameters) DeepCopy() *OrderedPlacementStrate
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlacementConstraintsObservation) DeepCopyInto(out *PlacementConstraintsObservation) {
 	*out = *in
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlacementConstraintsObservation.
@@ -1810,6 +2281,31 @@ func (in *PlacementConstraintsParameters) DeepCopy() *PlacementConstraintsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyConfigurationObservation) DeepCopyInto(out *ProxyConfigurationObservation) {
 	*out = *in
+	if in.ContainerName != nil {
+		in, out := &in.ContainerName, &out.ContainerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigurationObservation.
@@ -1865,6 +2361,16 @@ func (in *ProxyConfigurationParameters) DeepCopy() *ProxyConfigurationParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuntimePlatformObservation) DeepCopyInto(out *RuntimePlatformObservation) {
 	*out = *in
+	if in.CPUArchitecture != nil {
+		in, out := &in.CPUArchitecture, &out.CPUArchitecture
+		*out = new(string)
+		**out = **in
+	}
+	if in.OperatingSystemFamily != nil {
+		in, out := &in.OperatingSystemFamily, &out.OperatingSystemFamily
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimePlatformObservation.
@@ -1905,6 +2411,16 @@ func (in *RuntimePlatformParameters) DeepCopy() *RuntimePlatformParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretOptionObservation) DeepCopyInto(out *SecretOptionObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValueFrom != nil {
+		in, out := &in.ValueFrom, &out.ValueFrom
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretOptionObservation.
@@ -1972,6 +2488,33 @@ func (in *Service) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceConnectConfigurationLogConfigurationObservation) DeepCopyInto(out *ServiceConnectConfigurationLogConfigurationObservation) {
 	*out = *in
+	if in.LogDriver != nil {
+		in, out := &in.LogDriver, &out.LogDriver
+		*out = new(string)
+		**out = **in
+	}
+	if in.Options != nil {
+		in, out := &in.Options, &out.Options
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.SecretOption != nil {
+		in, out := &in.SecretOption, &out.SecretOption
+		*out = make([]SecretOptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceConnectConfigurationLogConfigurationObservation.
@@ -2029,6 +2572,30 @@ func (in *ServiceConnectConfigurationLogConfigurationParameters) DeepCopy() *Ser
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceConnectConfigurationObservation) DeepCopyInto(out *ServiceConnectConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogConfiguration != nil {
+		in, out := &in.LogConfiguration, &out.LogConfiguration
+		*out = make([]ServiceConnectConfigurationLogConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		*out = make([]ServiceConnectConfigurationServiceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceConnectConfigurationObservation.
@@ -2083,6 +2650,28 @@ func (in *ServiceConnectConfigurationParameters) DeepCopy() *ServiceConnectConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceConnectConfigurationServiceObservation) DeepCopyInto(out *ServiceConnectConfigurationServiceObservation) {
 	*out = *in
+	if in.ClientAlias != nil {
+		in, out := &in.ClientAlias, &out.ClientAlias
+		*out = make([]ClientAliasObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DiscoveryName != nil {
+		in, out := &in.DiscoveryName, &out.DiscoveryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.IngressPortOverride != nil {
+		in, out := &in.IngressPortOverride, &out.IngressPortOverride
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PortName != nil {
+		in, out := &in.PortName, &out.PortName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceConnectConfigurationServiceObservation.
@@ -2135,6 +2724,11 @@ func (in *ServiceConnectConfigurationServiceParameters) DeepCopy() *ServiceConne
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceConnectDefaultsObservation) DeepCopyInto(out *ServiceConnectDefaultsObservation) {
 	*out = *in
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceConnectDefaultsObservation.
@@ -2179,36 +2773,206 @@ func (in *ServiceList) DeepCopyInto(out *ServiceList) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceList.
-func (in *ServiceList) DeepCopy() *ServiceList {
-	if in == nil {
-		return nil
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceList.
+func (in *ServiceList) DeepCopy() *ServiceList {
+	if in == nil {
+		return nil
+	}
+	out := new(ServiceList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *ServiceList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ServiceObservation) DeepCopyInto(out *ServiceObservation) {
+	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]AlarmsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CapacityProviderStrategy != nil {
+		in, out := &in.CapacityProviderStrategy, &out.CapacityProviderStrategy
+		*out = make([]CapacityProviderStrategyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Cluster != nil {
+		in, out := &in.Cluster, &out.Cluster
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeploymentCircuitBreaker != nil {
+		in, out := &in.DeploymentCircuitBreaker, &out.DeploymentCircuitBreaker
+		*out = make([]DeploymentCircuitBreakerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeploymentController != nil {
+		in, out := &in.DeploymentController, &out.DeploymentController
+		*out = make([]DeploymentControllerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeploymentMaximumPercent != nil {
+		in, out := &in.DeploymentMaximumPercent, &out.DeploymentMaximumPercent
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DeploymentMinimumHealthyPercent != nil {
+		in, out := &in.DeploymentMinimumHealthyPercent, &out.DeploymentMinimumHealthyPercent
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DesiredCount != nil {
+		in, out := &in.DesiredCount, &out.DesiredCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EnableEcsManagedTags != nil {
+		in, out := &in.EnableEcsManagedTags, &out.EnableEcsManagedTags
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableExecuteCommand != nil {
+		in, out := &in.EnableExecuteCommand, &out.EnableExecuteCommand
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ForceNewDeployment != nil {
+		in, out := &in.ForceNewDeployment, &out.ForceNewDeployment
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HealthCheckGracePeriodSeconds != nil {
+		in, out := &in.HealthCheckGracePeriodSeconds, &out.HealthCheckGracePeriodSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IAMRole != nil {
+		in, out := &in.IAMRole, &out.IAMRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchType != nil {
+		in, out := &in.LaunchType, &out.LaunchType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = make([]LoadBalancerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkConfiguration != nil {
+		in, out := &in.NetworkConfiguration, &out.NetworkConfiguration
+		*out = make([]NetworkConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OrderedPlacementStrategy != nil {
+		in, out := &in.OrderedPlacementStrategy, &out.OrderedPlacementStrategy
+		*out = make([]OrderedPlacementStrategyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlacementConstraints != nil {
+		in, out := &in.PlacementConstraints, &out.PlacementConstraints
+		*out = make([]PlacementConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlatformVersion != nil {
+		in, out := &in.PlatformVersion, &out.PlatformVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PropagateTags != nil {
+		in, out := &in.PropagateTags, &out.PropagateTags
+		*out = new(string)
+		**out = **in
+	}
+	if in.SchedulingStrategy != nil {
+		in, out := &in.SchedulingStrategy, &out.SchedulingStrategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceConnectConfiguration != nil {
+		in, out := &in.ServiceConnectConfiguration, &out.ServiceConnectConfiguration
+		*out = make([]ServiceConnectConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServiceRegistries != nil {
+		in, out := &in.ServiceRegistries, &out.ServiceRegistries
+		*out = make([]ServiceRegistriesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(ServiceList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *ServiceList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ServiceObservation) DeepCopyInto(out *ServiceObservation) {
-	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TaskDefinition != nil {
+		in, out := &in.TaskDefinition, &out.TaskDefinition
 		*out = new(string)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
+	if in.Triggers != nil {
+		in, out := &in.Triggers, &out.Triggers
 		*out = make(map[string]*string, len(*in))
 		for key, val := range *in {
 			var outVal *string
@@ -2222,6 +2986,11 @@ func (in *ServiceObservation) DeepCopyInto(out *ServiceObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.WaitForSteadyState != nil {
+		in, out := &in.WaitForSteadyState, &out.WaitForSteadyState
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceObservation.
@@ -2462,6 +3231,26 @@ func (in *ServiceParameters) DeepCopy() *ServiceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceRegistriesObservation) DeepCopyInto(out *ServiceRegistriesObservation) {
 	*out = *in
+	if in.ContainerName != nil {
+		in, out := &in.ContainerName, &out.ContainerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContainerPort != nil {
+		in, out := &in.ContainerPort, &out.ContainerPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RegistryArn != nil {
+		in, out := &in.RegistryArn, &out.RegistryArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceRegistriesObservation.
@@ -2546,6 +3335,16 @@ func (in *ServiceStatus) DeepCopy() *ServiceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SettingObservation) DeepCopyInto(out *SettingObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SettingObservation.
@@ -2650,16 +3449,122 @@ func (in *TaskDefinitionObservation) DeepCopyInto(out *TaskDefinitionObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.CPU != nil {
+		in, out := &in.CPU, &out.CPU
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContainerDefinitions != nil {
+		in, out := &in.ContainerDefinitions, &out.ContainerDefinitions
+		*out = new(string)
+		**out = **in
+	}
+	if in.EphemeralStorage != nil {
+		in, out := &in.EphemeralStorage, &out.EphemeralStorage
+		*out = make([]EphemeralStorageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExecutionRoleArn != nil {
+		in, out := &in.ExecutionRoleArn, &out.ExecutionRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InferenceAccelerator != nil {
+		in, out := &in.InferenceAccelerator, &out.InferenceAccelerator
+		*out = make([]InferenceAcceleratorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IpcMode != nil {
+		in, out := &in.IpcMode, &out.IpcMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Memory != nil {
+		in, out := &in.Memory, &out.Memory
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkMode != nil {
+		in, out := &in.NetworkMode, &out.NetworkMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.PidMode != nil {
+		in, out := &in.PidMode, &out.PidMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlacementConstraints != nil {
+		in, out := &in.PlacementConstraints, &out.PlacementConstraints
+		*out = make([]TaskDefinitionPlacementConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProxyConfiguration != nil {
+		in, out := &in.ProxyConfiguration, &out.ProxyConfiguration
+		*out = make([]ProxyConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RequiresCompatibilities != nil {
+		in, out := &in.RequiresCompatibilities, &out.RequiresCompatibilities
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Revision != nil {
 		in, out := &in.Revision, &out.Revision
 		*out = new(float64)
 		**out = **in
 	}
+	if in.RuntimePlatform != nil {
+		in, out := &in.RuntimePlatform, &out.RuntimePlatform
+		*out = make([]RuntimePlatformObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2675,6 +3580,18 @@ func (in *TaskDefinitionObservation) DeepCopyInto(out *TaskDefinitionObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.TaskRoleArn != nil {
+		in, out := &in.TaskRoleArn, &out.TaskRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Volume != nil {
+		in, out := &in.Volume, &out.Volume
+		*out = make([]VolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TaskDefinitionObservation.
@@ -2838,6 +3755,16 @@ func (in *TaskDefinitionParameters) DeepCopy() *TaskDefinitionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TaskDefinitionPlacementConstraintsObservation) DeepCopyInto(out *TaskDefinitionPlacementConstraintsObservation) {
 	*out = *in
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TaskDefinitionPlacementConstraintsObservation.
@@ -2912,6 +3839,37 @@ func (in *TaskDefinitionStatus) DeepCopy() *TaskDefinitionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VolumeObservation) DeepCopyInto(out *VolumeObservation) {
 	*out = *in
+	if in.DockerVolumeConfiguration != nil {
+		in, out := &in.DockerVolumeConfiguration, &out.DockerVolumeConfiguration
+		*out = make([]DockerVolumeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EFSVolumeConfiguration != nil {
+		in, out := &in.EFSVolumeConfiguration, &out.EFSVolumeConfiguration
+		*out = make([]EFSVolumeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FSXWindowsFileServerVolumeConfiguration != nil {
+		in, out := &in.FSXWindowsFileServerVolumeConfiguration, &out.FSXWindowsFileServerVolumeConfiguration
+		*out = make([]FSXWindowsFileServerVolumeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HostPath != nil {
+		in, out := &in.HostPath, &out.HostPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VolumeObservation.
diff --git a/apis/ecs/v1beta1/zz_service_types.go b/apis/ecs/v1beta1/zz_service_types.go
index 915552d836..6d523b64f3 100755
--- a/apis/ecs/v1beta1/zz_service_types.go
+++ b/apis/ecs/v1beta1/zz_service_types.go
@@ -14,6 +14,13 @@ import (
 )
 
 type AlarmsObservation struct {
+	AlarmNames []*string `json:"alarmNames,omitempty" tf:"alarm_names,omitempty"`
+
+	// Determines whether to use the CloudWatch alarm option in the service deployment process.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	// Determines whether to configure Amazon ECS to roll back the service if a service deployment fails. If rollback is used, when a service deployment fails, the service is rolled back to the last deployment that completed successfully.
+	Rollback *bool `json:"rollback,omitempty" tf:"rollback,omitempty"`
 }
 
 type AlarmsParameters struct {
@@ -31,6 +38,15 @@ type AlarmsParameters struct {
 }
 
 type CapacityProviderStrategyObservation struct {
+
+	// Number of tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined.
+	Base *float64 `json:"base,omitempty" tf:"base,omitempty"`
+
+	// Short name of the capacity provider.
+	CapacityProvider *string `json:"capacityProvider,omitempty" tf:"capacity_provider,omitempty"`
+
+	// Relative percentage of the total number of launched tasks that should use the specified capacity provider.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type CapacityProviderStrategyParameters struct {
@@ -49,6 +65,12 @@ type CapacityProviderStrategyParameters struct {
 }
 
 type ClientAliasObservation struct {
+
+	// The name that you use in the applications of client tasks to connect to this service.
+	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
+
+	// The listening port number for the Service Connect proxy. This port is available inside of all of the tasks within the same namespace.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 }
 
 type ClientAliasParameters struct {
@@ -63,6 +85,12 @@ type ClientAliasParameters struct {
 }
 
 type DeploymentCircuitBreakerObservation struct {
+
+	// Whether to enable the deployment circuit breaker logic for the service.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	// Whether to enable Amazon ECS to roll back the service if a service deployment fails. If rollback is enabled, when a service deployment fails, the service is rolled back to the last deployment that completed successfully.
+	Rollback *bool `json:"rollback,omitempty" tf:"rollback,omitempty"`
 }
 
 type DeploymentCircuitBreakerParameters struct {
@@ -77,6 +105,9 @@ type DeploymentCircuitBreakerParameters struct {
 }
 
 type DeploymentControllerObservation struct {
+
+	// Type of deployment controller. Valid values: CODE_DEPLOY, ECS, EXTERNAL. Default: ECS.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DeploymentControllerParameters struct {
@@ -87,6 +118,18 @@ type DeploymentControllerParameters struct {
 }
 
 type LoadBalancerObservation struct {
+
+	// Name of the container to associate with the load balancer (as it appears in a container definition).
+	ContainerName *string `json:"containerName,omitempty" tf:"container_name,omitempty"`
+
+	// Port on the container to associate with the load balancer.
+	ContainerPort *float64 `json:"containerPort,omitempty" tf:"container_port,omitempty"`
+
+	// Name of the ELB (Classic) to associate with the service.
+	ELBName *string `json:"elbName,omitempty" tf:"elb_name,omitempty"`
+
+	// ARN of the Load Balancer target group to associate with the service.
+	TargetGroupArn *string `json:"targetGroupArn,omitempty" tf:"target_group_arn,omitempty"`
 }
 
 type LoadBalancerParameters struct {
@@ -109,6 +152,15 @@ type LoadBalancerParameters struct {
 }
 
 type NetworkConfigurationObservation struct {
+
+	// Assign a public IP address to the ENI (Fargate launch type only). Valid values are true or false. Default false.
+	AssignPublicIP *bool `json:"assignPublicIp,omitempty" tf:"assign_public_ip,omitempty"`
+
+	// Security groups associated with the task or service. If you do not specify a security group, the default security group for the VPC is used.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// Subnets associated with the task or service.
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
 }
 
 type NetworkConfigurationParameters struct {
@@ -149,6 +201,15 @@ type NetworkConfigurationParameters struct {
 }
 
 type OrderedPlacementStrategyObservation struct {
+
+	// For the spread placement strategy, valid values are instanceId (or host,
+	// which has the same effect), or any platform or custom attribute that is applied to a container instance.
+	// For the binpack type, valid values are memory and cpu. For the random type, this attribute is not
+	// needed. For more information, see Placement Strategy.
+	Field *string `json:"field,omitempty" tf:"field,omitempty"`
+
+	// Type of placement strategy. Must be one of: binpack, random, or spread
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type OrderedPlacementStrategyParameters struct {
@@ -166,6 +227,12 @@ type OrderedPlacementStrategyParameters struct {
 }
 
 type PlacementConstraintsObservation struct {
+
+	// Cluster Query Language expression to apply to the constraint. Does not need to be specified for the distinctInstance type. For more information, see Cluster Query Language in the Amazon EC2 Container Service Developer Guide.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// Type of constraint. The only valid values at this time are memberOf and distinctInstance.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PlacementConstraintsParameters struct {
@@ -180,6 +247,12 @@ type PlacementConstraintsParameters struct {
 }
 
 type SecretOptionObservation struct {
+
+	// The name of the secret.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The secret to expose to the container. The supported values are either the full ARN of the AWS Secrets Manager secret or the full ARN of the parameter in the SSM Parameter Store.
+	ValueFrom *string `json:"valueFrom,omitempty" tf:"value_from,omitempty"`
 }
 
 type SecretOptionParameters struct {
@@ -194,6 +267,15 @@ type SecretOptionParameters struct {
 }
 
 type ServiceConnectConfigurationLogConfigurationObservation struct {
+
+	// The log driver to use for the container.
+	LogDriver *string `json:"logDriver,omitempty" tf:"log_driver,omitempty"`
+
+	// The configuration options to send to the log driver.
+	Options map[string]*string `json:"options,omitempty" tf:"options,omitempty"`
+
+	// The secrets to pass to the log configuration. See below.
+	SecretOption []SecretOptionObservation `json:"secretOption,omitempty" tf:"secret_option,omitempty"`
 }
 
 type ServiceConnectConfigurationLogConfigurationParameters struct {
@@ -212,6 +294,18 @@ type ServiceConnectConfigurationLogConfigurationParameters struct {
 }
 
 type ServiceConnectConfigurationObservation struct {
+
+	// Specifies whether to use Service Connect with this service.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The log configuration for the container. See below.
+	LogConfiguration []ServiceConnectConfigurationLogConfigurationObservation `json:"logConfiguration,omitempty" tf:"log_configuration,omitempty"`
+
+	// The namespace name or ARN of the aws_service_discovery_http_namespace for use with Service Connect.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// The list of Service Connect service objects. See below.
+	Service []ServiceConnectConfigurationServiceObservation `json:"service,omitempty" tf:"service,omitempty"`
 }
 
 type ServiceConnectConfigurationParameters struct {
@@ -234,6 +328,18 @@ type ServiceConnectConfigurationParameters struct {
 }
 
 type ServiceConnectConfigurationServiceObservation struct {
+
+	// The list of client aliases for this Service Connect service. You use these to assign names that can be used by client applications. The maximum number of client aliases that you can have in this list is 1. See below.
+	ClientAlias []ClientAliasObservation `json:"clientAlias,omitempty" tf:"client_alias,omitempty"`
+
+	// The name of the new AWS Cloud Map service that Amazon ECS creates for this Amazon ECS service.
+	DiscoveryName *string `json:"discoveryName,omitempty" tf:"discovery_name,omitempty"`
+
+	// The port number for the Service Connect proxy to listen on.
+	IngressPortOverride *float64 `json:"ingressPortOverride,omitempty" tf:"ingress_port_override,omitempty"`
+
+	// The name of one of the portMappings from all the containers in the task definition of this Amazon ECS service.
+	PortName *string `json:"portName,omitempty" tf:"port_name,omitempty"`
 }
 
 type ServiceConnectConfigurationServiceParameters struct {
@@ -257,11 +363,92 @@ type ServiceConnectConfigurationServiceParameters struct {
 
 type ServiceObservation struct {
 
+	// Information about the CloudWatch alarms. See below.
+	Alarms []AlarmsObservation `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	// Capacity provider strategies to use for the service. Can be one or more. These can be updated without destroying and recreating the service only if force_new_deployment = true and not changing from 0 capacity_provider_strategy blocks to greater than 0, or vice versa. See below.
+	CapacityProviderStrategy []CapacityProviderStrategyObservation `json:"capacityProviderStrategy,omitempty" tf:"capacity_provider_strategy,omitempty"`
+
+	// Name of an ECS cluster.
+	Cluster *string `json:"cluster,omitempty" tf:"cluster,omitempty"`
+
+	// Configuration block for deployment circuit breaker. See below.
+	DeploymentCircuitBreaker []DeploymentCircuitBreakerObservation `json:"deploymentCircuitBreaker,omitempty" tf:"deployment_circuit_breaker,omitempty"`
+
+	// Configuration block for deployment controller configuration. See below.
+	DeploymentController []DeploymentControllerObservation `json:"deploymentController,omitempty" tf:"deployment_controller,omitempty"`
+
+	// Upper limit (as a percentage of the service's desiredCount) of the number of running tasks that can be running in a service during a deployment. Not valid when using the DAEMON scheduling strategy.
+	DeploymentMaximumPercent *float64 `json:"deploymentMaximumPercent,omitempty" tf:"deployment_maximum_percent,omitempty"`
+
+	// Lower limit (as a percentage of the service's desiredCount) of the number of running tasks that must remain running and healthy in a service during a deployment.
+	DeploymentMinimumHealthyPercent *float64 `json:"deploymentMinimumHealthyPercent,omitempty" tf:"deployment_minimum_healthy_percent,omitempty"`
+
+	// Number of instances of the task definition to place and keep running. Defaults to 0. Do not specify if using the DAEMON scheduling strategy.
+	DesiredCount *float64 `json:"desiredCount,omitempty" tf:"desired_count,omitempty"`
+
+	// Specifies whether to enable Amazon ECS managed tags for the tasks within the service.
+	EnableEcsManagedTags *bool `json:"enableEcsManagedTags,omitempty" tf:"enable_ecs_managed_tags,omitempty"`
+
+	// Specifies whether to enable Amazon ECS Exec for the tasks within the service.
+	EnableExecuteCommand *bool `json:"enableExecuteCommand,omitempty" tf:"enable_execute_command,omitempty"`
+
+	// Enable to force a new task deployment of the service. This can be used to update tasks to use a newer Docker image with same image/tag combination (e.g., myimage:latest), roll Fargate tasks onto a newer platform version, or immediately deploy ordered_placement_strategy and placement_constraints updates.
+	ForceNewDeployment *bool `json:"forceNewDeployment,omitempty" tf:"force_new_deployment,omitempty"`
+
+	// Seconds to ignore failing load balancer health checks on newly instantiated tasks to prevent premature shutdown, up to 2147483647. Only valid for services configured to use load balancers.
+	HealthCheckGracePeriodSeconds *float64 `json:"healthCheckGracePeriodSeconds,omitempty" tf:"health_check_grace_period_seconds,omitempty"`
+
+	// ARN of the IAM role that allows Amazon ECS to make calls to your load balancer on your behalf. This parameter is required if you are using a load balancer with your service, but only if your task definition does not use the awsvpc network mode. If using awsvpc network mode, do not specify this role. If your account has already created the Amazon ECS service-linked role, that role is used by default for your service unless you specify a role here.
+	IAMRole *string `json:"iamRole,omitempty" tf:"iam_role,omitempty"`
+
 	// ARN that identifies the service.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Launch type on which to run your service. The valid values are EC2, FARGATE, and EXTERNAL. Defaults to EC2.
+	LaunchType *string `json:"launchType,omitempty" tf:"launch_type,omitempty"`
+
+	// Configuration block for load balancers. See below.
+	LoadBalancer []LoadBalancerObservation `json:"loadBalancer,omitempty" tf:"load_balancer,omitempty"`
+
+	// Network configuration for the service. This parameter is required for task definitions that use the awsvpc network mode to receive their own Elastic Network Interface, and it is not supported for other network modes. See below.
+	NetworkConfiguration []NetworkConfigurationObservation `json:"networkConfiguration,omitempty" tf:"network_configuration,omitempty"`
+
+	// Service level strategy rules that are taken into consideration during task placement. List from top to bottom in order of precedence. Updates to this configuration will take effect next task deployment unless force_new_deployment is enabled. The maximum number of ordered_placement_strategy blocks is 5. See below.
+	OrderedPlacementStrategy []OrderedPlacementStrategyObservation `json:"orderedPlacementStrategy,omitempty" tf:"ordered_placement_strategy,omitempty"`
+
+	// Rules that are taken into consideration during task placement. Updates to this configuration will take effect next task deployment unless force_new_deployment is enabled. Maximum number of placement_constraints is 10. See below.
+	PlacementConstraints []PlacementConstraintsObservation `json:"placementConstraints,omitempty" tf:"placement_constraints,omitempty"`
+
+	// Platform version on which to run your service. Only applicable for launch_type set to FARGATE. Defaults to LATEST. More information about Fargate platform versions can be found in the AWS ECS User Guide.
+	PlatformVersion *string `json:"platformVersion,omitempty" tf:"platform_version,omitempty"`
+
+	// Specifies whether to propagate the tags from the task definition or the service to the tasks. The valid values are SERVICE and TASK_DEFINITION.
+	PropagateTags *string `json:"propagateTags,omitempty" tf:"propagate_tags,omitempty"`
+
+	// Scheduling strategy to use for the service. The valid values are REPLICA and DAEMON. Defaults to REPLICA. Note that Tasks using the Fargate launch type or the .
+	SchedulingStrategy *string `json:"schedulingStrategy,omitempty" tf:"scheduling_strategy,omitempty"`
+
+	// The ECS Service Connect configuration for this service to discover and connect to services, and be discovered by, and connected from, other services within a namespace. See below.
+	ServiceConnectConfiguration []ServiceConnectConfigurationObservation `json:"serviceConnectConfiguration,omitempty" tf:"service_connect_configuration,omitempty"`
+
+	// Service discovery registries for the service. The maximum number of service_registries blocks is 1. See below.
+	ServiceRegistries []ServiceRegistriesObservation `json:"serviceRegistries,omitempty" tf:"service_registries,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Family and revision (family:revision) or full ARN of the task definition that you want to run in your service. Required unless using the EXTERNAL deployment controller. If a revision is not specified, the latest ACTIVE revision is used.
+	TaskDefinition *string `json:"taskDefinition,omitempty" tf:"task_definition,omitempty"`
+
+	// Map of arbitrary keys and values that, when changed, will trigger an in-place update (redeployment). Useful with timestamp(). See example above.
+	Triggers map[string]*string `json:"triggers,omitempty" tf:"triggers,omitempty"`
+
+	// Default false.
+	WaitForSteadyState *bool `json:"waitForSteadyState,omitempty" tf:"wait_for_steady_state,omitempty"`
 }
 
 type ServiceParameters struct {
@@ -409,6 +596,18 @@ type ServiceParameters struct {
 }
 
 type ServiceRegistriesObservation struct {
+
+	// Container name value, already specified in the task definition, to be used for your service discovery service.
+	ContainerName *string `json:"containerName,omitempty" tf:"container_name,omitempty"`
+
+	// Port value, already specified in the task definition, to be used for your service discovery service.
+	ContainerPort *float64 `json:"containerPort,omitempty" tf:"container_port,omitempty"`
+
+	// Port value used if your Service Discovery service specified an SRV record.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// ARN of the Service Registry. The currently supported service registry is Amazon Route 53 Auto Naming Service(aws_service_discovery_service). For more information, see Service
+	RegistryArn *string `json:"registryArn,omitempty" tf:"registry_arn,omitempty"`
 }
 
 type ServiceRegistriesParameters struct {
diff --git a/apis/ecs/v1beta1/zz_taskdefinition_types.go b/apis/ecs/v1beta1/zz_taskdefinition_types.go
index d5d281495d..830ebffb05 100755
--- a/apis/ecs/v1beta1/zz_taskdefinition_types.go
+++ b/apis/ecs/v1beta1/zz_taskdefinition_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AuthorizationConfigObservation struct {
+
+	// Access point ID to use. If an access point is specified, the root directory value will be relative to the directory set for the access point. If specified, transit encryption must be enabled in the EFSVolumeConfiguration.
+	AccessPointID *string `json:"accessPointId,omitempty" tf:"access_point_id,omitempty"`
+
+	// Whether or not to use the Amazon ECS task IAM role defined in a task definition when mounting the Amazon EFS file system. If enabled, transit encryption must be enabled in the EFSVolumeConfiguration. Valid values: ENABLED, DISABLED. If this parameter is omitted, the default value of DISABLED is used.
+	IAM *string `json:"iam,omitempty" tf:"iam,omitempty"`
 }
 
 type AuthorizationConfigParameters struct {
@@ -28,6 +34,21 @@ type AuthorizationConfigParameters struct {
 }
 
 type DockerVolumeConfigurationObservation struct {
+
+	// If this value is true, the Docker volume is created if it does not already exist. Note: This field is only used if the scope is shared.
+	Autoprovision *bool `json:"autoprovision,omitempty" tf:"autoprovision,omitempty"`
+
+	// Docker volume driver to use. The driver value must match the driver name provided by Docker because it is used for task placement.
+	Driver *string `json:"driver,omitempty" tf:"driver,omitempty"`
+
+	// Map of Docker driver specific options.
+	DriverOpts map[string]*string `json:"driverOpts,omitempty" tf:"driver_opts,omitempty"`
+
+	// Map of custom metadata to add to your Docker volume.
+	Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"`
+
+	// Scope for the Docker volume, which determines its lifecycle, either task or shared.  Docker volumes that are scoped to a task are automatically provisioned when the task starts and destroyed when the task stops. Docker volumes that are scoped as shared persist after the task stops.
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
 }
 
 type DockerVolumeConfigurationParameters struct {
@@ -54,6 +75,21 @@ type DockerVolumeConfigurationParameters struct {
 }
 
 type EFSVolumeConfigurationObservation struct {
+
+	// Configuration block for authorization for the Amazon EFS file system. Detailed below.
+	AuthorizationConfig []AuthorizationConfigObservation `json:"authorizationConfig,omitempty" tf:"authorization_config,omitempty"`
+
+	// ID of the EFS File System.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
+	// Directory within the Amazon EFS file system to mount as the root directory inside the host. If this parameter is omitted, the root of the Amazon EFS volume will be used. Specifying / will have the same effect as omitting this parameter. This argument is ignored when using authorization_config.
+	RootDirectory *string `json:"rootDirectory,omitempty" tf:"root_directory,omitempty"`
+
+	// Whether or not to enable encryption for Amazon EFS data in transit between the Amazon ECS host and the Amazon EFS server. Transit encryption must be enabled if Amazon EFS IAM authorization is used. Valid values: ENABLED, DISABLED. If this parameter is omitted, the default value of DISABLED is used.
+	TransitEncryption *string `json:"transitEncryption,omitempty" tf:"transit_encryption,omitempty"`
+
+	// Port to use for transit encryption. If you do not specify a transit encryption port, it will use the port selection strategy that the Amazon EFS mount helper uses.
+	TransitEncryptionPort *float64 `json:"transitEncryptionPort,omitempty" tf:"transit_encryption_port,omitempty"`
 }
 
 type EFSVolumeConfigurationParameters struct {
@@ -80,6 +116,9 @@ type EFSVolumeConfigurationParameters struct {
 }
 
 type EphemeralStorageObservation struct {
+
+	// The total amount, in GiB, of ephemeral storage to set for the task. The minimum supported value is 21 GiB and the maximum supported value is 200 GiB.
+	SizeInGib *float64 `json:"sizeInGib,omitempty" tf:"size_in_gib,omitempty"`
 }
 
 type EphemeralStorageParameters struct {
@@ -90,6 +129,12 @@ type EphemeralStorageParameters struct {
 }
 
 type FSXWindowsFileServerVolumeConfigurationAuthorizationConfigObservation struct {
+
+	// The authorization credential option to use. The authorization credential options can be provided using either the Amazon Resource Name (ARN) of an AWS Secrets Manager secret or AWS Systems Manager Parameter Store parameter. The ARNs refer to the stored credentials.
+	CredentialsParameter *string `json:"credentialsParameter,omitempty" tf:"credentials_parameter,omitempty"`
+
+	// A fully qualified domain name hosted by an AWS Directory Service Managed Microsoft AD (Active Directory) or self-hosted AD on Amazon EC2.
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
 }
 
 type FSXWindowsFileServerVolumeConfigurationAuthorizationConfigParameters struct {
@@ -104,6 +149,15 @@ type FSXWindowsFileServerVolumeConfigurationAuthorizationConfigParameters struct
 }
 
 type FSXWindowsFileServerVolumeConfigurationObservation struct {
+
+	// Configuration block for authorization for the Amazon FSx for Windows File Server file system detailed below.
+	AuthorizationConfig []FSXWindowsFileServerVolumeConfigurationAuthorizationConfigObservation `json:"authorizationConfig,omitempty" tf:"authorization_config,omitempty"`
+
+	// The Amazon FSx for Windows File Server file system ID to use.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
+	// The directory within the Amazon FSx for Windows File Server file system to mount as the root directory inside the host.
+	RootDirectory *string `json:"rootDirectory,omitempty" tf:"root_directory,omitempty"`
 }
 
 type FSXWindowsFileServerVolumeConfigurationParameters struct {
@@ -122,6 +176,12 @@ type FSXWindowsFileServerVolumeConfigurationParameters struct {
 }
 
 type InferenceAcceleratorObservation struct {
+
+	// Elastic Inference accelerator device name. The deviceName must also be referenced in a container definition as a ResourceRequirement.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Elastic Inference accelerator type to use.
+	DeviceType *string `json:"deviceType,omitempty" tf:"device_type,omitempty"`
 }
 
 type InferenceAcceleratorParameters struct {
@@ -136,6 +196,15 @@ type InferenceAcceleratorParameters struct {
 }
 
 type ProxyConfigurationObservation struct {
+
+	// Name of the container that will serve as the App Mesh proxy.
+	ContainerName *string `json:"containerName,omitempty" tf:"container_name,omitempty"`
+
+	// Set of network configuration parameters to provide the Container Network Interface (CNI) plugin, specified a key-value mapping.
+	Properties map[string]*string `json:"properties,omitempty" tf:"properties,omitempty"`
+
+	// Proxy type. The default value is APPMESH. The only supported value is APPMESH.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ProxyConfigurationParameters struct {
@@ -154,6 +223,12 @@ type ProxyConfigurationParameters struct {
 }
 
 type RuntimePlatformObservation struct {
+
+	// Must be set to either X86_64 or ARM64; see cpu architecture
+	CPUArchitecture *string `json:"cpuArchitecture,omitempty" tf:"cpu_architecture,omitempty"`
+
+	// If the requires_compatibilities is FARGATE this field is required; must be set to a valid option from the operating system family in the runtime platform setting
+	OperatingSystemFamily *string `json:"operatingSystemFamily,omitempty" tf:"operating_system_family,omitempty"`
 }
 
 type RuntimePlatformParameters struct {
@@ -172,13 +247,67 @@ type TaskDefinitionObservation struct {
 	// Full ARN of the Task Definition (including both family and revision).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Number of cpu units used by the task. If the requires_compatibilities is FARGATE this field is required.
+	CPU *string `json:"cpu,omitempty" tf:"cpu,omitempty"`
+
+	// A list of valid container definitions provided as a single valid JSON document. Please note that you should only provide values that are part of the container definition document. For a detailed description of what parameters are available, see the Task Definition Parameters section from the official Developer Guide.
+	ContainerDefinitions *string `json:"containerDefinitions,omitempty" tf:"container_definitions,omitempty"`
+
+	// The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate. See Ephemeral Storage.
+	EphemeralStorage []EphemeralStorageObservation `json:"ephemeralStorage,omitempty" tf:"ephemeral_storage,omitempty"`
+
+	// ARN of the task execution role that the Amazon ECS container agent and the Docker daemon can assume.
+	ExecutionRoleArn *string `json:"executionRoleArn,omitempty" tf:"execution_role_arn,omitempty"`
+
+	// A unique name for your task definition.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block(s) with Inference Accelerators settings. Detailed below.
+	InferenceAccelerator []InferenceAcceleratorObservation `json:"inferenceAccelerator,omitempty" tf:"inference_accelerator,omitempty"`
+
+	// IPC resource namespace to be used for the containers in the task The valid values are host, task, and none.
+	IpcMode *string `json:"ipcMode,omitempty" tf:"ipc_mode,omitempty"`
+
+	// Amount (in MiB) of memory used by the task. If the requires_compatibilities is FARGATE this field is required.
+	Memory *string `json:"memory,omitempty" tf:"memory,omitempty"`
+
+	// Docker networking mode to use for the containers in the task. Valid values are none, bridge, awsvpc, and host.
+	NetworkMode *string `json:"networkMode,omitempty" tf:"network_mode,omitempty"`
+
+	// Process namespace to use for the containers in the task. The valid values are host and task.
+	PidMode *string `json:"pidMode,omitempty" tf:"pid_mode,omitempty"`
+
+	// Configuration block for rules that are taken into consideration during task placement. Maximum number of placement_constraints is 10. Detailed below.
+	PlacementConstraints []TaskDefinitionPlacementConstraintsObservation `json:"placementConstraints,omitempty" tf:"placement_constraints,omitempty"`
+
+	// Configuration block for the App Mesh proxy. Detailed below.
+	ProxyConfiguration []ProxyConfigurationObservation `json:"proxyConfiguration,omitempty" tf:"proxy_configuration,omitempty"`
+
+	// Set of launch types required by the task. The valid values are EC2 and FARGATE.
+	RequiresCompatibilities []*string `json:"requiresCompatibilities,omitempty" tf:"requires_compatibilities,omitempty"`
+
 	// Revision of the task in a particular family.
 	Revision *float64 `json:"revision,omitempty" tf:"revision,omitempty"`
 
+	// Configuration block for runtime_platform that containers in your task may use.
+	RuntimePlatform []RuntimePlatformObservation `json:"runtimePlatform,omitempty" tf:"runtime_platform,omitempty"`
+
+	// Whether to retain the old revision when the resource is destroyed or replacement is necessary. Default is false.
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// ARN of IAM role that allows your Amazon ECS container task to make calls to other AWS services.
+	TaskRoleArn *string `json:"taskRoleArn,omitempty" tf:"task_role_arn,omitempty"`
+
+	// Configuration block for volumes that containers in your task may use. Detailed below.
+	Volume []VolumeObservation `json:"volume,omitempty" tf:"volume,omitempty"`
 }
 
 type TaskDefinitionParameters struct {
@@ -188,8 +317,8 @@ type TaskDefinitionParameters struct {
 	CPU *string `json:"cpu,omitempty" tf:"cpu,omitempty"`
 
 	// A list of valid container definitions provided as a single valid JSON document. Please note that you should only provide values that are part of the container definition document. For a detailed description of what parameters are available, see the Task Definition Parameters section from the official Developer Guide.
-	// +kubebuilder:validation:Required
-	ContainerDefinitions *string `json:"containerDefinitions" tf:"container_definitions,omitempty"`
+	// +kubebuilder:validation:Optional
+	ContainerDefinitions *string `json:"containerDefinitions,omitempty" tf:"container_definitions,omitempty"`
 
 	// The amount of ephemeral storage to allocate for the task. This parameter is used to expand the total amount of ephemeral storage available, beyond the default amount, for tasks hosted on AWS Fargate. See Ephemeral Storage.
 	// +kubebuilder:validation:Optional
@@ -210,8 +339,8 @@ type TaskDefinitionParameters struct {
 	ExecutionRoleArnSelector *v1.Selector `json:"executionRoleArnSelector,omitempty" tf:"-"`
 
 	// A unique name for your task definition.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// Configuration block(s) with Inference Accelerators settings. Detailed below.
 	// +kubebuilder:validation:Optional
@@ -272,6 +401,12 @@ type TaskDefinitionParameters struct {
 }
 
 type TaskDefinitionPlacementConstraintsObservation struct {
+
+	// Cluster Query Language expression to apply to the constraint. For more information, see Cluster Query Language in the Amazon EC2 Container Service Developer Guide.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// Type of constraint. Use memberOf to restrict selection to a group of valid candidates. Note that distinctInstance is not supported in task definitions.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type TaskDefinitionPlacementConstraintsParameters struct {
@@ -286,6 +421,22 @@ type TaskDefinitionPlacementConstraintsParameters struct {
 }
 
 type VolumeObservation struct {
+
+	// Configuration block to configure a docker volume. Detailed below.
+	DockerVolumeConfiguration []DockerVolumeConfigurationObservation `json:"dockerVolumeConfiguration,omitempty" tf:"docker_volume_configuration,omitempty"`
+
+	// Configuration block for an EFS volume. Detailed below.
+	EFSVolumeConfiguration []EFSVolumeConfigurationObservation `json:"efsVolumeConfiguration,omitempty" tf:"efs_volume_configuration,omitempty"`
+
+	// Configuration block for an FSX Windows File Server volume. Detailed below.
+	FSXWindowsFileServerVolumeConfiguration []FSXWindowsFileServerVolumeConfigurationObservation `json:"fsxWindowsFileServerVolumeConfiguration,omitempty" tf:"fsx_windows_file_server_volume_configuration,omitempty"`
+
+	// Path on the host container instance that is presented to the container. If not set, ECS will create a nonpersistent data volume that starts empty and is deleted after the task has finished.
+	HostPath *string `json:"hostPath,omitempty" tf:"host_path,omitempty"`
+
+	// Name of the volume. This name is referenced in the sourceVolume
+	// parameter of container definition in the mountPoints section.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type VolumeParameters struct {
@@ -336,8 +487,10 @@ type TaskDefinitionStatus struct {
 type TaskDefinition struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TaskDefinitionSpec   `json:"spec"`
-	Status            TaskDefinitionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.containerDefinitions)",message="containerDefinitions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	Spec   TaskDefinitionSpec   `json:"spec"`
+	Status TaskDefinitionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/efs/v1beta1/zz_accesspoint_types.go b/apis/efs/v1beta1/zz_accesspoint_types.go
index bac49c6596..38c841ae1d 100755
--- a/apis/efs/v1beta1/zz_accesspoint_types.go
+++ b/apis/efs/v1beta1/zz_accesspoint_types.go
@@ -21,12 +21,24 @@ type AccessPointObservation struct {
 	// ARN of the file system.
 	FileSystemArn *string `json:"fileSystemArn,omitempty" tf:"file_system_arn,omitempty"`
 
+	// ID of the file system for which the access point is intended.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
 	// ID of the access point.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// ID of the access point.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Operating system user and group applied to all file system requests made using the access point. Detailed below.
+	PosixUser []PosixUserObservation `json:"posixUser,omitempty" tf:"posix_user,omitempty"`
+
+	// Directory on the Amazon EFS file system that the access point provides access to. Detailed below.
+	RootDirectory []RootDirectoryObservation `json:"rootDirectory,omitempty" tf:"root_directory,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -65,6 +77,15 @@ type AccessPointParameters struct {
 }
 
 type CreationInfoObservation struct {
+
+	// POSIX group ID to apply to the root_directory.
+	OwnerGID *float64 `json:"ownerGid,omitempty" tf:"owner_gid,omitempty"`
+
+	// POSIX user ID to apply to the root_directory.
+	OwnerUID *float64 `json:"ownerUid,omitempty" tf:"owner_uid,omitempty"`
+
+	// POSIX permissions to apply to the RootDirectory, in the format of an octal number representing the file's mode bits.
+	Permissions *string `json:"permissions,omitempty" tf:"permissions,omitempty"`
 }
 
 type CreationInfoParameters struct {
@@ -83,6 +104,15 @@ type CreationInfoParameters struct {
 }
 
 type PosixUserObservation struct {
+
+	// POSIX group ID used for all file system operations using this access point.
+	GID *float64 `json:"gid,omitempty" tf:"gid,omitempty"`
+
+	// Secondary POSIX group IDs used for all file system operations using this access point.
+	SecondaryGids []*float64 `json:"secondaryGids,omitempty" tf:"secondary_gids,omitempty"`
+
+	// POSIX user ID used for all file system operations using this access point.
+	UID *float64 `json:"uid,omitempty" tf:"uid,omitempty"`
 }
 
 type PosixUserParameters struct {
@@ -101,6 +131,12 @@ type PosixUserParameters struct {
 }
 
 type RootDirectoryObservation struct {
+
+	// POSIX IDs and permissions to apply to the access point's Root Directory. See Creation Info below.
+	CreationInfo []CreationInfoObservation `json:"creationInfo,omitempty" tf:"creation_info,omitempty"`
+
+	// Path on the EFS file system to expose as the root directory to NFS clients using the access point to access the EFS file system. A path can have up to four subdirectories. If the specified path does not exist, you are required to provide creation_info.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 }
 
 type RootDirectoryParameters struct {
diff --git a/apis/efs/v1beta1/zz_backuppolicy_types.go b/apis/efs/v1beta1/zz_backuppolicy_types.go
index dc0a4a42aa..0017274a5a 100755
--- a/apis/efs/v1beta1/zz_backuppolicy_types.go
+++ b/apis/efs/v1beta1/zz_backuppolicy_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type BackupPolicyBackupPolicyObservation struct {
+
+	// A status of the backup policy. Valid values: ENABLED, DISABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type BackupPolicyBackupPolicyParameters struct {
@@ -25,6 +28,12 @@ type BackupPolicyBackupPolicyParameters struct {
 
 type BackupPolicyObservation struct {
 
+	// A backup_policy object (documented below).
+	BackupPolicy []BackupPolicyBackupPolicyObservation `json:"backupPolicy,omitempty" tf:"backup_policy,omitempty"`
+
+	// The ID of the EFS file system.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
 	// The ID that identifies the file system (e.g., fs-ccfc0d65).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -32,8 +41,8 @@ type BackupPolicyObservation struct {
 type BackupPolicyParameters struct {
 
 	// A backup_policy object (documented below).
-	// +kubebuilder:validation:Required
-	BackupPolicy []BackupPolicyBackupPolicyParameters `json:"backupPolicy" tf:"backup_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	BackupPolicy []BackupPolicyBackupPolicyParameters `json:"backupPolicy,omitempty" tf:"backup_policy,omitempty"`
 
 	// The ID of the EFS file system.
 	// +crossplane:generate:reference:type=FileSystem
@@ -78,8 +87,9 @@ type BackupPolicyStatus struct {
 type BackupPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BackupPolicySpec   `json:"spec"`
-	Status            BackupPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backupPolicy)",message="backupPolicy is a required parameter"
+	Spec   BackupPolicySpec   `json:"spec"`
+	Status BackupPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/efs/v1beta1/zz_filesystem_types.go b/apis/efs/v1beta1/zz_filesystem_types.go
index 10476862af..1c5c818e0d 100755
--- a/apis/efs/v1beta1/zz_filesystem_types.go
+++ b/apis/efs/v1beta1/zz_filesystem_types.go
@@ -21,23 +21,53 @@ type FileSystemObservation struct {
 	// The identifier of the Availability Zone in which the file system's One Zone storage classes exist.
 	AvailabilityZoneID *string `json:"availabilityZoneId,omitempty" tf:"availability_zone_id,omitempty"`
 
+	// the AWS Availability Zone in which to create the file system. Used to create a file system that uses One Zone storage classes. See user guide for more information.
+	AvailabilityZoneName *string `json:"availabilityZoneName,omitempty" tf:"availability_zone_name,omitempty"`
+
+	// A unique name (a maximum of 64 characters are allowed)
+	// used as reference when creating the Elastic File System to ensure idempotent file
+	// system creation. See Elastic File System
+	// user guide for more information.
+	CreationToken *string `json:"creationToken,omitempty" tf:"creation_token,omitempty"`
+
 	// The DNS name for the filesystem per documented convention.
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// If true, the disk will be encrypted.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
 	// The ID that identifies the file system (e.g., fs-ccfc0d65).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// A file system lifecycle policy object (documented below).
+	LifecyclePolicy []LifecyclePolicyObservation `json:"lifecyclePolicy,omitempty" tf:"lifecycle_policy,omitempty"`
+
 	// The current number of mount targets that the file system has.
 	NumberOfMountTargets *float64 `json:"numberOfMountTargets,omitempty" tf:"number_of_mount_targets,omitempty"`
 
 	// The AWS account that created the file system. If the file system was createdby an IAM user, the parent account to which the user belongs is the owner.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// The file system performance mode. Can be either "generalPurpose" or "maxIO" (Default: "generalPurpose").
+	PerformanceMode *string `json:"performanceMode,omitempty" tf:"performance_mode,omitempty"`
+
+	// The throughput, measured in MiB/s, that you want to provision for the file system. Only applicable with throughput_mode set to provisioned.
+	ProvisionedThroughputInMibps *float64 `json:"provisionedThroughputInMibps,omitempty" tf:"provisioned_throughput_in_mibps,omitempty"`
+
 	// The latest known metered size (in bytes) of data stored in the file system, the value is not the exact size that the file system was at any point in time. See Size In Bytes.
 	SizeInBytes []SizeInBytesObservation `json:"sizeInBytes,omitempty" tf:"size_in_bytes,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Throughput mode for the file system. Defaults to bursting. Valid values: bursting, provisioned, or elastic. When using provisioned, also set provisioned_throughput_in_mibps.
+	ThroughputMode *string `json:"throughputMode,omitempty" tf:"throughput_mode,omitempty"`
 }
 
 type FileSystemParameters struct {
@@ -97,6 +127,12 @@ type FileSystemParameters struct {
 }
 
 type LifecyclePolicyObservation struct {
+
+	// Indicates how long it takes to transition files to the IA storage class. Valid values: AFTER_1_DAY, AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS, or AFTER_90_DAYS.
+	TransitionToIa *string `json:"transitionToIa,omitempty" tf:"transition_to_ia,omitempty"`
+
+	// Describes the policy used to transition a file from infequent access storage to primary storage. Valid values: AFTER_1_ACCESS.
+	TransitionToPrimaryStorageClass *string `json:"transitionToPrimaryStorageClass,omitempty" tf:"transition_to_primary_storage_class,omitempty"`
 }
 
 type LifecyclePolicyParameters struct {
diff --git a/apis/efs/v1beta1/zz_filesystempolicy_types.go b/apis/efs/v1beta1/zz_filesystempolicy_types.go
index c3dca6b119..ed1a79c40d 100755
--- a/apis/efs/v1beta1/zz_filesystempolicy_types.go
+++ b/apis/efs/v1beta1/zz_filesystempolicy_types.go
@@ -15,8 +15,17 @@ import (
 
 type FileSystemPolicyObservation struct {
 
+	// A flag to indicate whether to bypass the aws_efs_file_system_policy lockout safety check. The policy lockout safety check determines whether the policy in the request will prevent the principal making the request will be locked out from making future PutFileSystemPolicy requests on the file system. Set bypass_policy_lockout_safety_check to true only when you intend to prevent the principal that is making the request from making a subsequent PutFileSystemPolicy request on the file system. The default value is false.
+	BypassPolicyLockoutSafetyCheck *bool `json:"bypassPolicyLockoutSafetyCheck,omitempty" tf:"bypass_policy_lockout_safety_check,omitempty"`
+
+	// The ID of the EFS file system.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
 	// The ID that identifies the file system (e.g., fs-ccfc0d65).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The JSON formatted file system policy for the EFS file system. see Docs for more info.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type FileSystemPolicyParameters struct {
@@ -39,8 +48,8 @@ type FileSystemPolicyParameters struct {
 	FileSystemIDSelector *v1.Selector `json:"fileSystemIdSelector,omitempty" tf:"-"`
 
 	// The JSON formatted file system policy for the EFS file system. see Docs for more info.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -72,8 +81,9 @@ type FileSystemPolicyStatus struct {
 type FileSystemPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FileSystemPolicySpec   `json:"spec"`
-	Status            FileSystemPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   FileSystemPolicySpec   `json:"spec"`
+	Status FileSystemPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/efs/v1beta1/zz_generated.deepcopy.go b/apis/efs/v1beta1/zz_generated.deepcopy.go
index b0e5895952..fa8411eab7 100644
--- a/apis/efs/v1beta1/zz_generated.deepcopy.go
+++ b/apis/efs/v1beta1/zz_generated.deepcopy.go
@@ -86,6 +86,11 @@ func (in *AccessPointObservation) DeepCopyInto(out *AccessPointObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -96,6 +101,35 @@ func (in *AccessPointObservation) DeepCopyInto(out *AccessPointObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PosixUser != nil {
+		in, out := &in.PosixUser, &out.PosixUser
+		*out = make([]PosixUserObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RootDirectory != nil {
+		in, out := &in.RootDirectory, &out.RootDirectory
+		*out = make([]RootDirectoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -251,6 +285,11 @@ func (in *BackupPolicy) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackupPolicyBackupPolicyObservation) DeepCopyInto(out *BackupPolicyBackupPolicyObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupPolicyBackupPolicyObservation.
@@ -318,6 +357,18 @@ func (in *BackupPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackupPolicyObservation) DeepCopyInto(out *BackupPolicyObservation) {
 	*out = *in
+	if in.BackupPolicy != nil {
+		in, out := &in.BackupPolicy, &out.BackupPolicy
+		*out = make([]BackupPolicyBackupPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -414,6 +465,21 @@ func (in *BackupPolicyStatus) DeepCopy() *BackupPolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CreationInfoObservation) DeepCopyInto(out *CreationInfoObservation) {
 	*out = *in
+	if in.OwnerGID != nil {
+		in, out := &in.OwnerGID, &out.OwnerGID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OwnerUID != nil {
+		in, out := &in.OwnerUID, &out.OwnerUID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CreationInfoObservation.
@@ -459,11 +525,26 @@ func (in *CreationInfoParameters) DeepCopy() *CreationInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
 	*out = *in
+	if in.AvailabilityZoneName != nil {
+		in, out := &in.AvailabilityZoneName, &out.AvailabilityZoneName
+		*out = new(string)
+		**out = **in
+	}
 	if in.FileSystemID != nil {
 		in, out := &in.FileSystemID, &out.FileSystemID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -583,16 +664,43 @@ func (in *FileSystemObservation) DeepCopyInto(out *FileSystemObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZoneName != nil {
+		in, out := &in.AvailabilityZoneName, &out.AvailabilityZoneName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CreationToken != nil {
+		in, out := &in.CreationToken, &out.CreationToken
+		*out = new(string)
+		**out = **in
+	}
 	if in.DNSName != nil {
 		in, out := &in.DNSName, &out.DNSName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecyclePolicy != nil {
+		in, out := &in.LifecyclePolicy, &out.LifecyclePolicy
+		*out = make([]LifecyclePolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.NumberOfMountTargets != nil {
 		in, out := &in.NumberOfMountTargets, &out.NumberOfMountTargets
 		*out = new(float64)
@@ -603,6 +711,16 @@ func (in *FileSystemObservation) DeepCopyInto(out *FileSystemObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PerformanceMode != nil {
+		in, out := &in.PerformanceMode, &out.PerformanceMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProvisionedThroughputInMibps != nil {
+		in, out := &in.ProvisionedThroughputInMibps, &out.ProvisionedThroughputInMibps
+		*out = new(float64)
+		**out = **in
+	}
 	if in.SizeInBytes != nil {
 		in, out := &in.SizeInBytes, &out.SizeInBytes
 		*out = make([]SizeInBytesObservation, len(*in))
@@ -610,6 +728,21 @@ func (in *FileSystemObservation) DeepCopyInto(out *FileSystemObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -625,6 +758,11 @@ func (in *FileSystemObservation) DeepCopyInto(out *FileSystemObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.ThroughputMode != nil {
+		in, out := &in.ThroughputMode, &out.ThroughputMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSystemObservation.
@@ -786,11 +924,26 @@ func (in *FileSystemPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FileSystemPolicyObservation) DeepCopyInto(out *FileSystemPolicyObservation) {
 	*out = *in
+	if in.BypassPolicyLockoutSafetyCheck != nil {
+		in, out := &in.BypassPolicyLockoutSafetyCheck, &out.BypassPolicyLockoutSafetyCheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSystemPolicyObservation.
@@ -919,6 +1072,16 @@ func (in *FileSystemStatus) DeepCopy() *FileSystemStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LifecyclePolicyObservation) DeepCopyInto(out *LifecyclePolicyObservation) {
 	*out = *in
+	if in.TransitionToIa != nil {
+		in, out := &in.TransitionToIa, &out.TransitionToIa
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitionToPrimaryStorageClass != nil {
+		in, out := &in.TransitionToPrimaryStorageClass, &out.TransitionToPrimaryStorageClass
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LifecyclePolicyObservation.
@@ -1038,11 +1201,21 @@ func (in *MountTargetObservation) DeepCopyInto(out *MountTargetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddress != nil {
+		in, out := &in.IPAddress, &out.IPAddress
+		*out = new(string)
+		**out = **in
+	}
 	if in.MountTargetDNSName != nil {
 		in, out := &in.MountTargetDNSName, &out.MountTargetDNSName
 		*out = new(string)
@@ -1058,6 +1231,22 @@ func (in *MountTargetObservation) DeepCopyInto(out *MountTargetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MountTargetObservation.
@@ -1185,6 +1374,27 @@ func (in *MountTargetStatus) DeepCopy() *MountTargetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PosixUserObservation) DeepCopyInto(out *PosixUserObservation) {
 	*out = *in
+	if in.GID != nil {
+		in, out := &in.GID, &out.GID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SecondaryGids != nil {
+		in, out := &in.SecondaryGids, &out.SecondaryGids
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.UID != nil {
+		in, out := &in.UID, &out.UID
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PosixUserObservation.
@@ -1322,6 +1532,11 @@ func (in *ReplicationConfigurationObservation) DeepCopyInto(out *ReplicationConf
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceFileSystemID != nil {
+		in, out := &in.SourceFileSystemID, &out.SourceFileSystemID
+		*out = new(string)
+		**out = **in
+	}
 	if in.SourceFileSystemRegion != nil {
 		in, out := &in.SourceFileSystemRegion, &out.SourceFileSystemRegion
 		*out = new(string)
@@ -1418,6 +1633,18 @@ func (in *ReplicationConfigurationStatus) DeepCopy() *ReplicationConfigurationSt
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RootDirectoryObservation) DeepCopyInto(out *RootDirectoryObservation) {
 	*out = *in
+	if in.CreationInfo != nil {
+		in, out := &in.CreationInfo, &out.CreationInfo
+		*out = make([]CreationInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootDirectoryObservation.
diff --git a/apis/efs/v1beta1/zz_mounttarget_types.go b/apis/efs/v1beta1/zz_mounttarget_types.go
index b9f767cf2a..81084241b8 100755
--- a/apis/efs/v1beta1/zz_mounttarget_types.go
+++ b/apis/efs/v1beta1/zz_mounttarget_types.go
@@ -27,9 +27,16 @@ type MountTargetObservation struct {
 	// Amazon Resource Name of the file system.
 	FileSystemArn *string `json:"fileSystemArn,omitempty" tf:"file_system_arn,omitempty"`
 
+	// The ID of the file system for which the mount target is intended.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
 	// The ID of the mount target.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The address (within the address range of the specified subnet) at
+	// which the file system may be mounted via the mount target.
+	IPAddress *string `json:"ipAddress,omitempty" tf:"ip_address,omitempty"`
+
 	// The DNS name for the given subnet/AZ per documented convention.
 	MountTargetDNSName *string `json:"mountTargetDnsName,omitempty" tf:"mount_target_dns_name,omitempty"`
 
@@ -38,6 +45,13 @@ type MountTargetObservation struct {
 
 	// AWS account ID that owns the resource.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
+
+	// A list of up to 5 VPC security group IDs (that must
+	// be for the same VPC as subnet specified) in effect for the mount target.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The ID of the subnet to add the mount target in.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type MountTargetParameters struct {
diff --git a/apis/efs/v1beta1/zz_replicationconfiguration_types.go b/apis/efs/v1beta1/zz_replicationconfiguration_types.go
index 5e540b9152..e5e121ea57 100755
--- a/apis/efs/v1beta1/zz_replicationconfiguration_types.go
+++ b/apis/efs/v1beta1/zz_replicationconfiguration_types.go
@@ -15,9 +15,18 @@ import (
 
 type DestinationObservation struct {
 
+	// The availability zone in which the replica should be created. If specified, the replica will be created with One Zone storage. If omitted, regional storage will be used.
+	AvailabilityZoneName *string `json:"availabilityZoneName,omitempty" tf:"availability_zone_name,omitempty"`
+
 	// The fs ID of the replica.
 	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
 
+	// The Key ID, ARN, alias, or alias ARN of the KMS key that should be used to encrypt the replica file system. If omitted, the default KMS key for EFS /aws/elasticfilesystem will be used.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The region in which the replica should be created.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
 	// The status of the replication.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -43,7 +52,6 @@ type ReplicationConfigurationObservation struct {
 	CreationTime *string `json:"creationTime,omitempty" tf:"creation_time,omitempty"`
 
 	// A destination configuration block (documented below).
-	// +kubebuilder:validation:Required
 	Destination []DestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
@@ -54,6 +62,9 @@ type ReplicationConfigurationObservation struct {
 	// The Amazon Resource Name (ARN) of the current source file system in the replication configuration.
 	SourceFileSystemArn *string `json:"sourceFileSystemArn,omitempty" tf:"source_file_system_arn,omitempty"`
 
+	// The ID of the file system that is to be replicated.
+	SourceFileSystemID *string `json:"sourceFileSystemId,omitempty" tf:"source_file_system_id,omitempty"`
+
 	// The AWS Region in which the source Amazon EFS file system is located.
 	SourceFileSystemRegion *string `json:"sourceFileSystemRegion,omitempty" tf:"source_file_system_region,omitempty"`
 }
@@ -61,8 +72,8 @@ type ReplicationConfigurationObservation struct {
 type ReplicationConfigurationParameters struct {
 
 	// A destination configuration block (documented below).
-	// +kubebuilder:validation:Required
-	Destination []DestinationParameters `json:"destination" tf:"destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	Destination []DestinationParameters `json:"destination,omitempty" tf:"destination,omitempty"`
 
 	// The region in which the replica should be created.
 	// Region is the region you'd like your resource to be created in.
@@ -109,8 +120,9 @@ type ReplicationConfigurationStatus struct {
 type ReplicationConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReplicationConfigurationSpec   `json:"spec"`
-	Status            ReplicationConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)",message="destination is a required parameter"
+	Spec   ReplicationConfigurationSpec   `json:"spec"`
+	Status ReplicationConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/eks/v1beta1/zz_addon_types.go b/apis/eks/v1beta1/zz_addon_types.go
index 6f1c2b1d42..7e1b97ed5a 100755
--- a/apis/eks/v1beta1/zz_addon_types.go
+++ b/apis/eks/v1beta1/zz_addon_types.go
@@ -15,9 +15,23 @@ import (
 
 type AddonObservation struct {
 
+	// on. The name must match one of
+	// the names returned by describe-addon-versions.
+	AddonName *string `json:"addonName,omitempty" tf:"addon_name,omitempty"`
+
+	// on. The version must
+	// match one of the versions returned by describe-addon-versions.
+	AddonVersion *string `json:"addonVersion,omitempty" tf:"addon_version,omitempty"`
+
 	// Amazon Resource Name (ARN) of the EKS add-on.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// 100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
+	// custom configuration values for addons with single JSON string. This JSON string value must match the JSON schema derived from describe-addon-configuration.
+	ConfigurationValues *string `json:"configurationValues,omitempty" tf:"configuration_values,omitempty"`
+
 	// Date and time in RFC3339 format that the EKS add-on was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
@@ -27,6 +41,25 @@ type AddonObservation struct {
 	// Date and time in RFC3339 format that the EKS add-on was updated.
 	ModifiedAt *string `json:"modifiedAt,omitempty" tf:"modified_at,omitempty"`
 
+	// Indicates if you want to preserve the created resources when deleting the EKS add-on.
+	Preserve *bool `json:"preserve,omitempty" tf:"preserve,omitempty"`
+
+	// Define how to resolve parameter value conflicts
+	// when migrating an existing add-on to an Amazon EKS add-on or when applying
+	// version updates to the add-on. Valid values are NONE, OVERWRITE and PRESERVE. For more details check UpdateAddon API Docs.
+	ResolveConflicts *string `json:"resolveConflicts,omitempty" tf:"resolve_conflicts,omitempty"`
+
+	// The Amazon Resource Name (ARN) of an
+	// existing IAM role to bind to the add-on's service account. The role must be
+	// assigned the IAM permissions required by the add-on. If you don't specify
+	// an existing IAM role, then the add-on uses the permissions assigned to the node
+	// IAM role. For more information, see Amazon EKS node IAM role
+	// in the Amazon EKS User Guide.
+	ServiceAccountRoleArn *string `json:"serviceAccountRoleArn,omitempty" tf:"service_account_role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Key-value map of resource tags, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,8 +68,8 @@ type AddonParameters struct {
 
 	// on. The name must match one of
 	// the names returned by describe-addon-versions.
-	// +kubebuilder:validation:Required
-	AddonName *string `json:"addonName" tf:"addon_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	AddonName *string `json:"addonName,omitempty" tf:"addon_name,omitempty"`
 
 	// on. The version must
 	// match one of the versions returned by describe-addon-versions.
@@ -123,8 +156,9 @@ type AddonStatus struct {
 type Addon struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AddonSpec   `json:"spec"`
-	Status            AddonStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addonName)",message="addonName is a required parameter"
+	Spec   AddonSpec   `json:"spec"`
+	Status AddonStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/eks/v1beta1/zz_cluster_types.go b/apis/eks/v1beta1/zz_cluster_types.go
index 1eb35f9f0b..96796c4691 100755
--- a/apis/eks/v1beta1/zz_cluster_types.go
+++ b/apis/eks/v1beta1/zz_cluster_types.go
@@ -36,6 +36,12 @@ type ClusterObservation struct {
 	// Unix epoch timestamp in seconds for when the cluster was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// List of the desired control plane logging to enable. For more information, see Amazon EKS Control Plane Logging.
+	EnabledClusterLogTypes []*string `json:"enabledClusterLogTypes,omitempty" tf:"enabled_cluster_log_types,omitempty"`
+
+	// Configuration block with encryption configuration for the cluster. Only available on Kubernetes 1.13 and above clusters created after March 6, 2020. Detailed below.
+	EncryptionConfig []EncryptionConfigObservation `json:"encryptionConfig,omitempty" tf:"encryption_config,omitempty"`
+
 	// Endpoint for your Kubernetes API server.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
@@ -46,21 +52,31 @@ type ClusterObservation struct {
 	Identity []IdentityObservation `json:"identity,omitempty" tf:"identity,omitempty"`
 
 	// Configuration block with kubernetes network configuration for the cluster. Detailed below.
-	// +kubebuilder:validation:Optional
 	KubernetesNetworkConfig []KubernetesNetworkConfigObservation `json:"kubernetesNetworkConfig,omitempty" tf:"kubernetes_network_config,omitempty"`
 
+	// Configuration block representing the configuration of your local Amazon EKS cluster on an AWS Outpost. This block isn't available for creating Amazon EKS clusters on the AWS cloud.
+	OutpostConfig []OutpostConfigObservation `json:"outpostConfig,omitempty" tf:"outpost_config,omitempty"`
+
 	// Platform version for the cluster.
 	PlatformVersion *string `json:"platformVersion,omitempty" tf:"platform_version,omitempty"`
 
+	// ARN of the IAM role that provides permissions for the Kubernetes control plane to make calls to AWS API operations on your behalf. Ensure the resource configuration includes explicit dependencies on the IAM Role permissions by adding depends_on if using the aws_iam_role_policy resource or aws_iam_role_policy_attachment resource, otherwise EKS cannot delete EKS managed EC2 infrastructure such as Security Groups on EKS Cluster deletion.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
 	// Status of the EKS cluster. One of CREATING, ACTIVE, DELETING, FAILED.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
-	// +kubebuilder:validation:Required
 	VPCConfig []VPCConfigObservation `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
+
+	// –  Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type ClusterParameters struct {
@@ -105,8 +121,8 @@ type ClusterParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Configuration block for the VPC associated with your cluster. Amazon EKS VPC resources have specific requirements to work properly with Kubernetes. For more information, see Cluster VPC Considerations and Cluster Security Group Considerations in the Amazon EKS User Guide. Detailed below. Also contains attributes detailed in the Attributes section.
-	// +kubebuilder:validation:Required
-	VPCConfig []VPCConfigParameters `json:"vpcConfig" tf:"vpc_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	VPCConfig []VPCConfigParameters `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
 
 	// –  Desired Kubernetes master version. If you do not specify a value, the latest available version at resource creation is used and no upgrades will occur except those automatically triggered by EKS. The value must be configured and increased to upgrade the version when desired. Downgrades are not supported by EKS.
 	// +kubebuilder:validation:Optional
@@ -114,6 +130,9 @@ type ClusterParameters struct {
 }
 
 type ControlPlanePlacementObservation struct {
+
+	// The name of the placement group for the Kubernetes control plane instances. This setting can't be changed after cluster creation.
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
 }
 
 type ControlPlanePlacementParameters struct {
@@ -124,6 +143,12 @@ type ControlPlanePlacementParameters struct {
 }
 
 type EncryptionConfigObservation struct {
+
+	// Configuration block with provider for encryption. Detailed below.
+	Provider []ProviderObservation `json:"provider,omitempty" tf:"provider,omitempty"`
+
+	// List of strings with resources to be encrypted. Valid values: secrets.
+	Resources []*string `json:"resources,omitempty" tf:"resources,omitempty"`
 }
 
 type EncryptionConfigParameters struct {
@@ -148,6 +173,12 @@ type IdentityParameters struct {
 
 type KubernetesNetworkConfigObservation struct {
 
+	// The IP family used to assign Kubernetes pod and service addresses. Valid values are ipv4 (default) and ipv6. You can only specify an IP family when you create a cluster, changing this value will force a new cluster to be created.
+	IPFamily *string `json:"ipFamily,omitempty" tf:"ip_family,omitempty"`
+
+	// The CIDR block to assign Kubernetes pod and service IP addresses from. If you don't specify a block, Kubernetes assigns addresses from either the 10.100.0.0/16 or 172.20.0.0/16 CIDR blocks. We recommend that you specify a block that does not overlap with resources in other networks that are peered or connected to your VPC. You can only specify a custom CIDR block when you create a cluster, changing this value will force a new cluster to be created. The block must meet the following requirements:
+	ServiceIPv4Cidr *string `json:"serviceIpv4Cidr,omitempty" tf:"service_ipv4_cidr,omitempty"`
+
 	// The CIDR block that Kubernetes pod and service IP addresses are assigned from if you specified ipv6 for ipFamily when you created the cluster. Kubernetes assigns service addresses from the unique local address range (fc00::/7) because you can't specify a custom IPv6 CIDR block when you create the cluster.
 	ServiceIPv6Cidr *string `json:"serviceIpv6Cidr,omitempty" tf:"service_ipv6_cidr,omitempty"`
 }
@@ -173,6 +204,16 @@ type OidcParameters struct {
 }
 
 type OutpostConfigObservation struct {
+
+	// The Amazon EC2 instance type that you want to use for your local Amazon EKS cluster on Outposts. The instance type that you specify is used for all Kubernetes control plane instances. The instance type can't be changed after cluster creation. Choose an instance type based on the number of nodes that your cluster will have. If your cluster will have:
+	ControlPlaneInstanceType *string `json:"controlPlaneInstanceType,omitempty" tf:"control_plane_instance_type,omitempty"`
+
+	// An object representing the placement configuration for all the control plane instances of your local Amazon EKS cluster on AWS Outpost.
+	// The following arguments are supported in the control_plane_placement configuration block:
+	ControlPlanePlacement []ControlPlanePlacementObservation `json:"controlPlanePlacement,omitempty" tf:"control_plane_placement,omitempty"`
+
+	// The ARN of the Outpost that you want to use for your local Amazon EKS cluster on Outposts. This argument is a list of arns, but only a single Outpost ARN is supported currently.
+	OutpostArns []*string `json:"outpostArns,omitempty" tf:"outpost_arns,omitempty"`
 }
 
 type OutpostConfigParameters struct {
@@ -192,6 +233,9 @@ type OutpostConfigParameters struct {
 }
 
 type ProviderObservation struct {
+
+	// ARN of the Key Management Service (KMS) customer master key (CMK). The CMK must be symmetric, created in the same region as the cluster, and if the CMK was created in a different account, the user must have access to the CMK. For more information, see Allowing Users in Other Accounts to Use a CMK in the AWS Key Management Service Developer Guide.
+	KeyArn *string `json:"keyArn,omitempty" tf:"key_arn,omitempty"`
 }
 
 type ProviderParameters struct {
@@ -206,6 +250,21 @@ type VPCConfigObservation struct {
 	// Cluster security group that was created by Amazon EKS for the cluster. Managed node groups use this security group for control-plane-to-data-plane communication.
 	ClusterSecurityGroupID *string `json:"clusterSecurityGroupId,omitempty" tf:"cluster_security_group_id,omitempty"`
 
+	// Whether the Amazon EKS private API server endpoint is enabled. Default is false.
+	EndpointPrivateAccess *bool `json:"endpointPrivateAccess,omitempty" tf:"endpoint_private_access,omitempty"`
+
+	// Whether the Amazon EKS public API server endpoint is enabled. Default is true.
+	EndpointPublicAccess *bool `json:"endpointPublicAccess,omitempty" tf:"endpoint_public_access,omitempty"`
+
+	// List of CIDR blocks. Indicates which CIDR blocks can access the Amazon EKS public API server endpoint when enabled. EKS defaults this to a list with 0.0.0.0/0.
+	PublicAccessCidrs []*string `json:"publicAccessCidrs,omitempty" tf:"public_access_cidrs,omitempty"`
+
+	// account elastic network interfaces that Amazon EKS creates to use to allow communication between your worker nodes and the Kubernetes control plane.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// account elastic network interfaces in these subnets to allow communication between your worker nodes and the Kubernetes control plane.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	// ID of the VPC associated with your cluster.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
@@ -279,8 +338,9 @@ type ClusterStatus struct {
 type Cluster struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterSpec   `json:"spec"`
-	Status            ClusterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcConfig)",message="vpcConfig is a required parameter"
+	Spec   ClusterSpec   `json:"spec"`
+	Status ClusterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/eks/v1beta1/zz_fargateprofile_types.go b/apis/eks/v1beta1/zz_fargateprofile_types.go
index 6f8bcfe422..f14ede04d6 100755
--- a/apis/eks/v1beta1/zz_fargateprofile_types.go
+++ b/apis/eks/v1beta1/zz_fargateprofile_types.go
@@ -18,12 +18,27 @@ type FargateProfileObservation struct {
 	// Amazon Resource Name (ARN) of the EKS Fargate Profile.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// 100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
 	// EKS Cluster name and EKS Fargate Profile name separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Fargate Profile.
+	PodExecutionRoleArn *string `json:"podExecutionRoleArn,omitempty" tf:"pod_execution_role_arn,omitempty"`
+
+	// Configuration block(s) for selecting Kubernetes Pods to execute with this EKS Fargate Profile. Detailed below.
+	Selector []SelectorObservation `json:"selector,omitempty" tf:"selector,omitempty"`
+
 	// Status of the EKS Fargate Profile.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// –  Identifiers of private EC2 Subnets to associate with the EKS Fargate Profile. These subnets must have the following resource tag: kubernetes.io/cluster/CLUSTER_NAME (where CLUSTER_NAME is replaced with the name of the EKS Cluster).
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -63,8 +78,8 @@ type FargateProfileParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Configuration block(s) for selecting Kubernetes Pods to execute with this EKS Fargate Profile. Detailed below.
-	// +kubebuilder:validation:Required
-	Selector []SelectorParameters `json:"selector" tf:"selector,omitempty"`
+	// +kubebuilder:validation:Optional
+	Selector []SelectorParameters `json:"selector,omitempty" tf:"selector,omitempty"`
 
 	// References to Subnet in ec2 to populate subnetIds.
 	// +kubebuilder:validation:Optional
@@ -87,6 +102,12 @@ type FargateProfileParameters struct {
 }
 
 type SelectorObservation struct {
+
+	// Key-value map of Kubernetes labels for selection.
+	Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"`
+
+	// Kubernetes namespace for selection.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type SelectorParameters struct {
@@ -124,8 +145,9 @@ type FargateProfileStatus struct {
 type FargateProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FargateProfileSpec   `json:"spec"`
-	Status            FargateProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.selector)",message="selector is a required parameter"
+	Spec   FargateProfileSpec   `json:"spec"`
+	Status FargateProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/eks/v1beta1/zz_generated.deepcopy.go b/apis/eks/v1beta1/zz_generated.deepcopy.go
index a5091d2b58..458d117f99 100644
--- a/apis/eks/v1beta1/zz_generated.deepcopy.go
+++ b/apis/eks/v1beta1/zz_generated.deepcopy.go
@@ -77,11 +77,31 @@ func (in *AddonList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AddonObservation) DeepCopyInto(out *AddonObservation) {
 	*out = *in
+	if in.AddonName != nil {
+		in, out := &in.AddonName, &out.AddonName
+		*out = new(string)
+		**out = **in
+	}
+	if in.AddonVersion != nil {
+		in, out := &in.AddonVersion, &out.AddonVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConfigurationValues != nil {
+		in, out := &in.ConfigurationValues, &out.ConfigurationValues
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreatedAt != nil {
 		in, out := &in.CreatedAt, &out.CreatedAt
 		*out = new(string)
@@ -97,6 +117,36 @@ func (in *AddonObservation) DeepCopyInto(out *AddonObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Preserve != nil {
+		in, out := &in.Preserve, &out.Preserve
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ResolveConflicts != nil {
+		in, out := &in.ResolveConflicts, &out.ResolveConflicts
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceAccountRoleArn != nil {
+		in, out := &in.ServiceAccountRoleArn, &out.ServiceAccountRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -544,6 +594,24 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EnabledClusterLogTypes != nil {
+		in, out := &in.EnabledClusterLogTypes, &out.EnabledClusterLogTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.EncryptionConfig != nil {
+		in, out := &in.EncryptionConfig, &out.EncryptionConfig
+		*out = make([]EncryptionConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
@@ -568,16 +636,43 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.OutpostConfig != nil {
+		in, out := &in.OutpostConfig, &out.OutpostConfig
+		*out = make([]OutpostConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.PlatformVersion != nil {
 		in, out := &in.PlatformVersion, &out.PlatformVersion
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -600,6 +695,11 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterObservation.
@@ -743,6 +843,11 @@ func (in *ClusterStatus) DeepCopy() *ClusterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ControlPlanePlacementObservation) DeepCopyInto(out *ControlPlanePlacementObservation) {
 	*out = *in
+	if in.GroupName != nil {
+		in, out := &in.GroupName, &out.GroupName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControlPlanePlacementObservation.
@@ -778,6 +883,24 @@ func (in *ControlPlanePlacementParameters) DeepCopy() *ControlPlanePlacementPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigObservation) DeepCopyInto(out *EncryptionConfigObservation) {
 	*out = *in
+	if in.Provider != nil {
+		in, out := &in.Provider, &out.Provider
+		*out = make([]ProviderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Resources != nil {
+		in, out := &in.Resources, &out.Resources
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigObservation.
@@ -890,16 +1013,59 @@ func (in *FargateProfileObservation) DeepCopyInto(out *FargateProfileObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PodExecutionRoleArn != nil {
+		in, out := &in.PodExecutionRoleArn, &out.PodExecutionRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Selector != nil {
+		in, out := &in.Selector, &out.Selector
+		*out = make([]SelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1160,16 +1326,43 @@ func (in *IdentityProviderConfigObservation) DeepCopyInto(out *IdentityProviderC
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Oidc != nil {
+		in, out := &in.Oidc, &out.Oidc
+		*out = make([]IdentityProviderConfigOidcObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1200,6 +1393,51 @@ func (in *IdentityProviderConfigObservation) DeepCopy() *IdentityProviderConfigO
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IdentityProviderConfigOidcObservation) DeepCopyInto(out *IdentityProviderConfigOidcObservation) {
 	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupsClaim != nil {
+		in, out := &in.GroupsClaim, &out.GroupsClaim
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupsPrefix != nil {
+		in, out := &in.GroupsPrefix, &out.GroupsPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.IssuerURL != nil {
+		in, out := &in.IssuerURL, &out.IssuerURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequiredClaims != nil {
+		in, out := &in.RequiredClaims, &out.RequiredClaims
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UsernameClaim != nil {
+		in, out := &in.UsernameClaim, &out.UsernameClaim
+		*out = new(string)
+		**out = **in
+	}
+	if in.UsernamePrefix != nil {
+		in, out := &in.UsernamePrefix, &out.UsernamePrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityProviderConfigOidcObservation.
@@ -1366,6 +1604,16 @@ func (in *IdentityProviderConfigStatus) DeepCopy() *IdentityProviderConfigStatus
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubernetesNetworkConfigObservation) DeepCopyInto(out *KubernetesNetworkConfigObservation) {
 	*out = *in
+	if in.IPFamily != nil {
+		in, out := &in.IPFamily, &out.IPFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceIPv4Cidr != nil {
+		in, out := &in.ServiceIPv4Cidr, &out.ServiceIPv4Cidr
+		*out = new(string)
+		**out = **in
+	}
 	if in.ServiceIPv6Cidr != nil {
 		in, out := &in.ServiceIPv6Cidr, &out.ServiceIPv6Cidr
 		*out = new(string)
@@ -1411,16 +1659,31 @@ func (in *KubernetesNetworkConfigParameters) DeepCopy() *KubernetesNetworkConfig
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateObservation) DeepCopyInto(out *LaunchTemplateObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateObservation.
-func (in *LaunchTemplateObservation) DeepCopy() *LaunchTemplateObservation {
-	if in == nil {
-		return nil
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
 	}
-	out := new(LaunchTemplateObservation)
-	in.DeepCopyInto(out)
-	return out
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateObservation.
+func (in *LaunchTemplateObservation) DeepCopy() *LaunchTemplateObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(LaunchTemplateObservation)
+	in.DeepCopyInto(out)
+	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
@@ -1515,16 +1778,91 @@ func (in *NodeGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeGroupObservation) DeepCopyInto(out *NodeGroupObservation) {
 	*out = *in
+	if in.AMIType != nil {
+		in, out := &in.AMIType, &out.AMIType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.CapacityType != nil {
+		in, out := &in.CapacityType, &out.CapacityType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DiskSize != nil {
+		in, out := &in.DiskSize, &out.DiskSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ForceUpdateVersion != nil {
+		in, out := &in.ForceUpdateVersion, &out.ForceUpdateVersion
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceTypes != nil {
+		in, out := &in.InstanceTypes, &out.InstanceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.LaunchTemplate != nil {
+		in, out := &in.LaunchTemplate, &out.LaunchTemplate
+		*out = make([]LaunchTemplateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NodeRoleArn != nil {
+		in, out := &in.NodeRoleArn, &out.NodeRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReleaseVersion != nil {
+		in, out := &in.ReleaseVersion, &out.ReleaseVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.RemoteAccess != nil {
+		in, out := &in.RemoteAccess, &out.RemoteAccess
+		*out = make([]RemoteAccessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Resources != nil {
 		in, out := &in.Resources, &out.Resources
 		*out = make([]ResourcesObservation, len(*in))
@@ -1532,11 +1870,44 @@ func (in *NodeGroupObservation) DeepCopyInto(out *NodeGroupObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ScalingConfig != nil {
+		in, out := &in.ScalingConfig, &out.ScalingConfig
+		*out = make([]ScalingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1552,6 +1923,25 @@ func (in *NodeGroupObservation) DeepCopyInto(out *NodeGroupObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Taint != nil {
+		in, out := &in.Taint, &out.Taint
+		*out = make([]TaintObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UpdateConfig != nil {
+		in, out := &in.UpdateConfig, &out.UpdateConfig
+		*out = make([]UpdateConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeGroupObservation.
@@ -1825,6 +2215,29 @@ func (in *OidcParameters) DeepCopy() *OidcParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutpostConfigObservation) DeepCopyInto(out *OutpostConfigObservation) {
 	*out = *in
+	if in.ControlPlaneInstanceType != nil {
+		in, out := &in.ControlPlaneInstanceType, &out.ControlPlaneInstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ControlPlanePlacement != nil {
+		in, out := &in.ControlPlanePlacement, &out.ControlPlanePlacement
+		*out = make([]ControlPlanePlacementObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutpostArns != nil {
+		in, out := &in.OutpostArns, &out.OutpostArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutpostConfigObservation.
@@ -1878,6 +2291,11 @@ func (in *OutpostConfigParameters) DeepCopy() *OutpostConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProviderObservation) DeepCopyInto(out *ProviderObservation) {
 	*out = *in
+	if in.KeyArn != nil {
+		in, out := &in.KeyArn, &out.KeyArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProviderObservation.
@@ -1913,6 +2331,22 @@ func (in *ProviderParameters) DeepCopy() *ProviderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RemoteAccessObservation) DeepCopyInto(out *RemoteAccessObservation) {
 	*out = *in
+	if in.EC2SSHKey != nil {
+		in, out := &in.EC2SSHKey, &out.EC2SSHKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceSecurityGroupIds != nil {
+		in, out := &in.SourceSecurityGroupIds, &out.SourceSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemoteAccessObservation.
@@ -2013,6 +2447,21 @@ func (in *ResourcesParameters) DeepCopy() *ResourcesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScalingConfigObservation) DeepCopyInto(out *ScalingConfigObservation) {
 	*out = *in
+	if in.DesiredSize != nil {
+		in, out := &in.DesiredSize, &out.DesiredSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxSize != nil {
+		in, out := &in.MaxSize, &out.MaxSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinSize != nil {
+		in, out := &in.MinSize, &out.MinSize
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalingConfigObservation.
@@ -2058,6 +2507,26 @@ func (in *ScalingConfigParameters) DeepCopy() *ScalingConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelectorObservation) DeepCopyInto(out *SelectorObservation) {
 	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelectorObservation.
@@ -2108,6 +2577,21 @@ func (in *SelectorParameters) DeepCopy() *SelectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TaintObservation) DeepCopyInto(out *TaintObservation) {
 	*out = *in
+	if in.Effect != nil {
+		in, out := &in.Effect, &out.Effect
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TaintObservation.
@@ -2153,6 +2637,16 @@ func (in *TaintParameters) DeepCopy() *TaintParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UpdateConfigObservation) DeepCopyInto(out *UpdateConfigObservation) {
 	*out = *in
+	if in.MaxUnavailable != nil {
+		in, out := &in.MaxUnavailable, &out.MaxUnavailable
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxUnavailablePercentage != nil {
+		in, out := &in.MaxUnavailablePercentage, &out.MaxUnavailablePercentage
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdateConfigObservation.
@@ -2198,6 +2692,49 @@ func (in *VPCConfigObservation) DeepCopyInto(out *VPCConfigObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EndpointPrivateAccess != nil {
+		in, out := &in.EndpointPrivateAccess, &out.EndpointPrivateAccess
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EndpointPublicAccess != nil {
+		in, out := &in.EndpointPublicAccess, &out.EndpointPublicAccess
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PublicAccessCidrs != nil {
+		in, out := &in.PublicAccessCidrs, &out.PublicAccessCidrs
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
diff --git a/apis/eks/v1beta1/zz_identityproviderconfig_types.go b/apis/eks/v1beta1/zz_identityproviderconfig_types.go
index a7347d45b7..1601247be2 100755
--- a/apis/eks/v1beta1/zz_identityproviderconfig_types.go
+++ b/apis/eks/v1beta1/zz_identityproviderconfig_types.go
@@ -18,17 +18,47 @@ type IdentityProviderConfigObservation struct {
 	// Amazon Resource Name (ARN) of the EKS Identity Provider Configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  Name of the EKS Cluster.
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
 	// EKS Cluster name and EKS Identity Provider Configuration name separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Nested attribute containing OpenID Connect identity provider information for the cluster. Detailed below.
+	Oidc []IdentityProviderConfigOidcObservation `json:"oidc,omitempty" tf:"oidc,omitempty"`
+
 	// Status of the EKS Identity Provider Configuration.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
 type IdentityProviderConfigOidcObservation struct {
+
+	// –  Client ID for the OpenID Connect identity provider.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// The JWT claim that the provider will use to return groups.
+	GroupsClaim *string `json:"groupsClaim,omitempty" tf:"groups_claim,omitempty"`
+
+	// A prefix that is prepended to group claims e.g., oidc:.
+	GroupsPrefix *string `json:"groupsPrefix,omitempty" tf:"groups_prefix,omitempty"`
+
+	// Issuer URL for the OpenID Connect identity provider.
+	IssuerURL *string `json:"issuerUrl,omitempty" tf:"issuer_url,omitempty"`
+
+	// The key value pairs that describe required claims in the identity token.
+	RequiredClaims map[string]*string `json:"requiredClaims,omitempty" tf:"required_claims,omitempty"`
+
+	// The JWT claim that the provider will use as the username.
+	UsernameClaim *string `json:"usernameClaim,omitempty" tf:"username_claim,omitempty"`
+
+	// A prefix that is prepended to username claims.
+	UsernamePrefix *string `json:"usernamePrefix,omitempty" tf:"username_prefix,omitempty"`
 }
 
 type IdentityProviderConfigOidcParameters struct {
@@ -78,8 +108,8 @@ type IdentityProviderConfigParameters struct {
 	ClusterNameSelector *v1.Selector `json:"clusterNameSelector,omitempty" tf:"-"`
 
 	// Nested attribute containing OpenID Connect identity provider information for the cluster. Detailed below.
-	// +kubebuilder:validation:Required
-	Oidc []IdentityProviderConfigOidcParameters `json:"oidc" tf:"oidc,omitempty"`
+	// +kubebuilder:validation:Optional
+	Oidc []IdentityProviderConfigOidcParameters `json:"oidc,omitempty" tf:"oidc,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -115,8 +145,9 @@ type IdentityProviderConfigStatus struct {
 type IdentityProviderConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IdentityProviderConfigSpec   `json:"spec"`
-	Status            IdentityProviderConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.oidc)",message="oidc is a required parameter"
+	Spec   IdentityProviderConfigSpec   `json:"spec"`
+	Status IdentityProviderConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/eks/v1beta1/zz_nodegroup_types.go b/apis/eks/v1beta1/zz_nodegroup_types.go
index b988c66417..c4feaa4117 100755
--- a/apis/eks/v1beta1/zz_nodegroup_types.go
+++ b/apis/eks/v1beta1/zz_nodegroup_types.go
@@ -23,6 +23,15 @@ type AutoscalingGroupsParameters struct {
 }
 
 type LaunchTemplateObservation struct {
+
+	// Identifier of the EC2 Launch Template. Conflicts with name.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the EC2 Launch Template. Conflicts with id.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// EC2 Launch Template version number. While the API accepts values like $Default and $Latest, the API will convert the value to the associated version number (e.g., 1). Using the default_version or latest_version attribute of the aws_launch_template resource or data source is recommended for this argument.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type LaunchTemplateParameters struct {
@@ -42,20 +51,70 @@ type LaunchTemplateParameters struct {
 
 type NodeGroupObservation struct {
 
+	// Type of Amazon Machine Image (AMI) associated with the EKS Node Group. See the AWS documentation for valid values.
+	AMIType *string `json:"amiType,omitempty" tf:"ami_type,omitempty"`
+
 	// Amazon Resource Name (ARN) of the EKS Node Group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Type of capacity associated with the EKS Node Group. Valid values: ON_DEMAND, SPOT.
+	CapacityType *string `json:"capacityType,omitempty" tf:"capacity_type,omitempty"`
+
+	// 100 characters in length. Must begin with an alphanumeric character, and must only contain alphanumeric characters, dashes and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
+	// Disk size in GiB for worker nodes. Defaults to 50 for Windows, 20 all other node groups.
+	DiskSize *float64 `json:"diskSize,omitempty" tf:"disk_size,omitempty"`
+
+	// Force version update if existing pods are unable to be drained due to a pod disruption budget issue.
+	ForceUpdateVersion *bool `json:"forceUpdateVersion,omitempty" tf:"force_update_version,omitempty"`
+
 	// EKS Cluster name and EKS Node Group name separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of instance types associated with the EKS Node Group. Defaults to ["t3.medium"].
+	InstanceTypes []*string `json:"instanceTypes,omitempty" tf:"instance_types,omitempty"`
+
+	// Key-value map of Kubernetes labels. Only labels that are applied with the EKS API are managed by this argument. Other Kubernetes labels applied to the EKS Node Group will not be managed.
+	Labels map[string]*string `json:"labels,omitempty" tf:"labels,omitempty"`
+
+	// Configuration block with Launch Template settings. Detailed below.
+	LaunchTemplate []LaunchTemplateObservation `json:"launchTemplate,omitempty" tf:"launch_template,omitempty"`
+
+	// –  Amazon Resource Name (ARN) of the IAM Role that provides permissions for the EKS Node Group.
+	NodeRoleArn *string `json:"nodeRoleArn,omitempty" tf:"node_role_arn,omitempty"`
+
+	// –  AMI version of the EKS Node Group. Defaults to latest version for Kubernetes version.
+	ReleaseVersion *string `json:"releaseVersion,omitempty" tf:"release_version,omitempty"`
+
+	// Configuration block with remote access settings. Detailed below.
+	RemoteAccess []RemoteAccessObservation `json:"remoteAccess,omitempty" tf:"remote_access,omitempty"`
+
 	// List of objects containing information about underlying resources.
 	Resources []ResourcesObservation `json:"resources,omitempty" tf:"resources,omitempty"`
 
+	// Configuration block with scaling settings. Detailed below.
+	ScalingConfig []ScalingConfigObservation `json:"scalingConfig,omitempty" tf:"scaling_config,omitempty"`
+
 	// Status of the EKS Node Group.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Identifiers of EC2 Subnets to associate with the EKS Node Group. Amazon EKS managed node groups can be launched in both public and private subnets. If you plan to deploy load balancers to a subnet, the private subnet must have tag kubernetes.io/role/internal-elb, the public subnet must have tag kubernetes.io/role/elb.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The Kubernetes taints to be applied to the nodes in the node group. Maximum of 50 taints per node group. Detailed below.
+	Taint []TaintObservation `json:"taint,omitempty" tf:"taint,omitempty"`
+
+	UpdateConfig []UpdateConfigObservation `json:"updateConfig,omitempty" tf:"update_config,omitempty"`
+
+	// –  Kubernetes version. Defaults to EKS Cluster Kubernetes version.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type NodeGroupParameters struct {
@@ -130,8 +189,8 @@ type NodeGroupParameters struct {
 	RemoteAccess []RemoteAccessParameters `json:"remoteAccess,omitempty" tf:"remote_access,omitempty"`
 
 	// Configuration block with scaling settings. Detailed below.
-	// +kubebuilder:validation:Required
-	ScalingConfig []ScalingConfigParameters `json:"scalingConfig" tf:"scaling_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	ScalingConfig []ScalingConfigParameters `json:"scalingConfig,omitempty" tf:"scaling_config,omitempty"`
 
 	// References to Subnet in ec2 to populate subnetIds.
 	// +kubebuilder:validation:Optional
@@ -175,6 +234,12 @@ type NodeGroupParameters struct {
 }
 
 type RemoteAccessObservation struct {
+
+	// EC2 Key Pair name that provides access for remote communication with the worker nodes in the EKS Node Group. If you specify this configuration, but do not specify source_security_group_ids when you create an EKS Node Group, either port 3389 for Windows, or port 22 for all other operating systems is opened on the worker nodes to the Internet (0.0.0.0/0). For Windows nodes, this will allow you to use RDP, for all others this allows you to SSH into the worker nodes.
+	EC2SSHKey *string `json:"ec2SshKey,omitempty" tf:"ec2_ssh_key,omitempty"`
+
+	// Set of EC2 Security Group IDs to allow SSH access (port 22) from on the worker nodes. If you specify ec2_ssh_key, but do not specify this configuration when you create an EKS Node Group, port 22 on the worker nodes is opened to the Internet (0.0.0.0/0).
+	SourceSecurityGroupIds []*string `json:"sourceSecurityGroupIds,omitempty" tf:"source_security_group_ids,omitempty"`
 }
 
 type RemoteAccessParameters struct {
@@ -212,6 +277,15 @@ type ResourcesParameters struct {
 }
 
 type ScalingConfigObservation struct {
+
+	// Desired number of worker nodes.
+	DesiredSize *float64 `json:"desiredSize,omitempty" tf:"desired_size,omitempty"`
+
+	// Maximum number of worker nodes.
+	MaxSize *float64 `json:"maxSize,omitempty" tf:"max_size,omitempty"`
+
+	// Minimum number of worker nodes.
+	MinSize *float64 `json:"minSize,omitempty" tf:"min_size,omitempty"`
 }
 
 type ScalingConfigParameters struct {
@@ -230,6 +304,15 @@ type ScalingConfigParameters struct {
 }
 
 type TaintObservation struct {
+
+	// The effect of the taint. Valid values: NO_SCHEDULE, NO_EXECUTE, PREFER_NO_SCHEDULE.
+	Effect *string `json:"effect,omitempty" tf:"effect,omitempty"`
+
+	// The key of the taint. Maximum length of 63.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value of the taint. Maximum length of 63.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TaintParameters struct {
@@ -248,6 +331,12 @@ type TaintParameters struct {
 }
 
 type UpdateConfigObservation struct {
+
+	// Desired max number of unavailable worker nodes during node group update.
+	MaxUnavailable *float64 `json:"maxUnavailable,omitempty" tf:"max_unavailable,omitempty"`
+
+	// Desired max percentage of unavailable worker nodes during node group update.
+	MaxUnavailablePercentage *float64 `json:"maxUnavailablePercentage,omitempty" tf:"max_unavailable_percentage,omitempty"`
 }
 
 type UpdateConfigParameters struct {
@@ -285,8 +374,9 @@ type NodeGroupStatus struct {
 type NodeGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NodeGroupSpec   `json:"spec"`
-	Status            NodeGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scalingConfig)",message="scalingConfig is a required parameter"
+	Spec   NodeGroupSpec   `json:"spec"`
+	Status NodeGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elasticache/v1beta1/zz_cluster_types.go b/apis/elasticache/v1beta1/zz_cluster_types.go
index 24c747883f..03f4a08d8b 100755
--- a/apis/elasticache/v1beta1/zz_cluster_types.go
+++ b/apis/elasticache/v1beta1/zz_cluster_types.go
@@ -33,9 +33,23 @@ type CacheNodesParameters struct {
 
 type ClusterObservation struct {
 
+	// Whether any database modifications are applied immediately, or during the next maintenance window. Default is false. See Amazon ElastiCache Documentation for more information..
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// The ARN of the created ElastiCache Cluster.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window.
+	// Only supported for engine type "redis" and if the engine version is 6 or higher.
+	// Defaults to true.
+	AutoMinorVersionUpgrade *string `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// Availability Zone for the cache cluster. If you want to create cache nodes in multi-az, use preferred_availability_zones instead. Default: System chosen Availability Zone. Changing this value will re-create the resource.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// Whether the nodes in this Memcached node group are created in a single Availability Zone or created across multiple Availability Zones in the cluster's region. Valid values for this parameter are single-az or cross-az, default is single-az. If you want to choose cross-az, num_cache_nodes must be greater than 1.
+	AzMode *string `json:"azMode,omitempty" tf:"az_mode,omitempty"`
+
 	// List of node objects including id, address, port and availability_zone.
 	CacheNodes []CacheNodesObservation `json:"cacheNodes,omitempty" tf:"cache_nodes,omitempty"`
 
@@ -45,11 +59,90 @@ type ClusterObservation struct {
 	// (Memcached only) Configuration endpoint to allow host discovery.
 	ConfigurationEndpoint *string `json:"configurationEndpoint,omitempty" tf:"configuration_endpoint,omitempty"`
 
+	// –  Name of the cache engine to be used for this cache cluster. Valid values are memcached or redis.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// –  Version number of the cache engine to be used.
+	// If not set, defaults to the latest version.
+	// See Describe Cache Engine Versions in the AWS Documentation for supported versions.
+	// When engine is redis and the version is 6 or higher, the major and minor version can be set, e.g., 6.2,
+	// or the minor version can be unspecified which will use the latest version at creation time, e.g., 6.x.
+	// Otherwise, specify the full version desired, e.g., 5.0.6.
+	// The actual engine version used is returned in the attribute engine_version_actual, see Attributes Reference below.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// Because ElastiCache pulls the latest minor or patch for a version, this attribute returns the running version of the cache engine.
 	EngineVersionActual *string `json:"engineVersionActual,omitempty" tf:"engine_version_actual,omitempty"`
 
+	// Name of your final cluster snapshot. If omitted, no final snapshot will be made.
+	FinalSnapshotIdentifier *string `json:"finalSnapshotIdentifier,omitempty" tf:"final_snapshot_identifier,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IP version to advertise in the discovery protocol. Valid values are ipv4 or ipv6.
+	IPDiscovery *string `json:"ipDiscovery,omitempty" tf:"ip_discovery,omitempty"`
+
+	// Specifies the destination and format of Redis SLOWLOG or Redis Engine Log. See the documentation on Amazon ElastiCache. See Log Delivery Configuration below for more details.
+	LogDeliveryConfiguration []LogDeliveryConfigurationObservation `json:"logDeliveryConfiguration,omitempty" tf:"log_delivery_configuration,omitempty"`
+
+	// ddd:hh24:mi (24H Clock UTC).
+	// The minimum maintenance window is a 60 minute period. Example: sun:05:00-sun:09:00.
+	MaintenanceWindow *string `json:"maintenanceWindow,omitempty" tf:"maintenance_window,omitempty"`
+
+	// The IP versions for cache cluster connections. IPv6 is supported with Redis engine 6.2 onword or Memcached version 1.6.6 for all Nitro system instances. Valid values are ipv4, ipv6 or dual_stack.
+	NetworkType *string `json:"networkType,omitempty" tf:"network_type,omitempty"`
+
+	// create the resource.
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
+
+	// east-1:012345678999:my_sns_topic.
+	NotificationTopicArn *string `json:"notificationTopicArn,omitempty" tf:"notification_topic_arn,omitempty"`
+
+	// –  The initial number of cache nodes that the cache cluster will have. For Redis, this value must be 1. For Memcached, this value must be between 1 and 40. If this number is reduced on subsequent runs, the highest numbered nodes will be removed.
+	NumCacheNodes *float64 `json:"numCacheNodes,omitempty" tf:"num_cache_nodes,omitempty"`
+
+	// Specify the outpost mode that will apply to the cache cluster creation. Valid values are "single-outpost" and "cross-outpost", however AWS currently only supports "single-outpost" mode.
+	OutpostMode *string `json:"outpostMode,omitempty" tf:"outpost_mode,omitempty"`
+
+	// –  The name of the parameter group to associate with this cache cluster.
+	ParameterGroupName *string `json:"parameterGroupName,omitempty" tf:"parameter_group_name,omitempty"`
+
+	// create the resource.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// List of the Availability Zones in which cache nodes are created. If you are creating your cluster in an Amazon VPC you can only locate nodes in Availability Zones that are associated with the subnets in the selected subnet group. The number of Availability Zones listed must equal the value of num_cache_nodes. If you want all the nodes in the same Availability Zone, use availability_zone instead, or repeat the Availability Zone multiple times in the list. Default: System chosen Availability Zones. Detecting drift of existing node availability zone is not currently supported. Updating this argument by itself to migrate existing node availability zones is not currently supported and will show a perpetual difference.
+	PreferredAvailabilityZones []*string `json:"preferredAvailabilityZones,omitempty" tf:"preferred_availability_zones,omitempty"`
+
+	// The outpost ARN in which the cache cluster will be created.
+	PreferredOutpostArn *string `json:"preferredOutpostArn,omitempty" tf:"preferred_outpost_arn,omitempty"`
+
+	// ID of the replication group to which this cluster should belong. If this parameter is specified, the cluster is added to the specified replication group as a read replica; otherwise, the cluster is a standalone primary that is not part of any replication group.
+	ReplicationGroupID *string `json:"replicationGroupId,omitempty" tf:"replication_group_id,omitempty"`
+
+	// –  One or more VPC security groups associated with the cache cluster
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// create the resource.
+	SecurityGroupNames []*string `json:"securityGroupNames,omitempty" tf:"security_group_names,omitempty"`
+
+	// element string list containing an Amazon Resource Name (ARN) of a Redis RDB snapshot file stored in Amazon S3. The object name cannot contain any commas. Changing snapshot_arns forces a new resource.
+	SnapshotArns []*string `json:"snapshotArns,omitempty" tf:"snapshot_arns,omitempty"`
+
+	// Name of a snapshot from which to restore data into the new node group. Changing snapshot_name forces a new resource.
+	SnapshotName *string `json:"snapshotName,omitempty" tf:"snapshot_name,omitempty"`
+
+	// Number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. For example, if you set SnapshotRetentionLimit to 5, then a snapshot that was taken today will be retained for 5 days before being deleted. If the value of SnapshotRetentionLimit is set to zero (0), backups are turned off. Please note that setting a snapshot_retention_limit is not supported on cache.t1.micro cache nodes
+	SnapshotRetentionLimit *float64 `json:"snapshotRetentionLimit,omitempty" tf:"snapshot_retention_limit,omitempty"`
+
+	// Daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. Example: 05:00-09:00
+	SnapshotWindow *string `json:"snapshotWindow,omitempty" tf:"snapshot_window,omitempty"`
+
+	// create the resource.
+	SubnetGroupName *string `json:"subnetGroupName,omitempty" tf:"subnet_group_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -202,6 +295,18 @@ type ClusterParameters struct {
 }
 
 type LogDeliveryConfigurationObservation struct {
+
+	// Name of either the CloudWatch Logs LogGroup or Kinesis Data Firehose resource.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// For CloudWatch Logs use cloudwatch-logs or for Kinesis Data Firehose use kinesis-firehose.
+	DestinationType *string `json:"destinationType,omitempty" tf:"destination_type,omitempty"`
+
+	// Valid values are json or text
+	LogFormat *string `json:"logFormat,omitempty" tf:"log_format,omitempty"`
+
+	// Valid values are  slow-log or engine-log. Max 1 of each.
+	LogType *string `json:"logType,omitempty" tf:"log_type,omitempty"`
 }
 
 type LogDeliveryConfigurationParameters struct {
diff --git a/apis/elasticache/v1beta1/zz_generated.deepcopy.go b/apis/elasticache/v1beta1/zz_generated.deepcopy.go
index b09c209c73..35e0398489 100644
--- a/apis/elasticache/v1beta1/zz_generated.deepcopy.go
+++ b/apis/elasticache/v1beta1/zz_generated.deepcopy.go
@@ -131,6 +131,16 @@ func (in *ClusterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterModeObservation) DeepCopyInto(out *ClusterModeObservation) {
 	*out = *in
+	if in.NumNodeGroups != nil {
+		in, out := &in.NumNodeGroups, &out.NumNodeGroups
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ReplicasPerNodeGroup != nil {
+		in, out := &in.ReplicasPerNodeGroup, &out.ReplicasPerNodeGroup
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterModeObservation.
@@ -171,11 +181,31 @@ func (in *ClusterModeParameters) DeepCopy() *ClusterModeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 	*out = *in
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(string)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.AzMode != nil {
+		in, out := &in.AzMode, &out.AzMode
+		*out = new(string)
+		**out = **in
+	}
 	if in.CacheNodes != nil {
 		in, out := &in.CacheNodes, &out.CacheNodes
 		*out = make([]CacheNodesObservation, len(*in))
@@ -193,16 +223,172 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.EngineVersionActual != nil {
 		in, out := &in.EngineVersionActual, &out.EngineVersionActual
 		*out = new(string)
 		**out = **in
 	}
+	if in.FinalSnapshotIdentifier != nil {
+		in, out := &in.FinalSnapshotIdentifier, &out.FinalSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPDiscovery != nil {
+		in, out := &in.IPDiscovery, &out.IPDiscovery
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogDeliveryConfiguration != nil {
+		in, out := &in.LogDeliveryConfiguration, &out.LogDeliveryConfiguration
+		*out = make([]LogDeliveryConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaintenanceWindow != nil {
+		in, out := &in.MaintenanceWindow, &out.MaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkType != nil {
+		in, out := &in.NetworkType, &out.NetworkType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NodeType != nil {
+		in, out := &in.NodeType, &out.NodeType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationTopicArn != nil {
+		in, out := &in.NotificationTopicArn, &out.NotificationTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumCacheNodes != nil {
+		in, out := &in.NumCacheNodes, &out.NumCacheNodes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OutpostMode != nil {
+		in, out := &in.OutpostMode, &out.OutpostMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterGroupName != nil {
+		in, out := &in.ParameterGroupName, &out.ParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PreferredAvailabilityZones != nil {
+		in, out := &in.PreferredAvailabilityZones, &out.PreferredAvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PreferredOutpostArn != nil {
+		in, out := &in.PreferredOutpostArn, &out.PreferredOutpostArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplicationGroupID != nil {
+		in, out := &in.ReplicationGroupID, &out.ReplicationGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityGroupNames != nil {
+		in, out := &in.SecurityGroupNames, &out.SecurityGroupNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnapshotArns != nil {
+		in, out := &in.SnapshotArns, &out.SnapshotArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnapshotName != nil {
+		in, out := &in.SnapshotName, &out.SnapshotName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotRetentionLimit != nil {
+		in, out := &in.SnapshotRetentionLimit, &out.SnapshotRetentionLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SnapshotWindow != nil {
+		in, out := &in.SnapshotWindow, &out.SnapshotWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetGroupName != nil {
+		in, out := &in.SubnetGroupName, &out.SubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -483,6 +669,26 @@ func (in *ClusterStatus) DeepCopy() *ClusterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogDeliveryConfigurationObservation) DeepCopyInto(out *LogDeliveryConfigurationObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationType != nil {
+		in, out := &in.DestinationType, &out.DestinationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogFormat != nil {
+		in, out := &in.LogFormat, &out.LogFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogType != nil {
+		in, out := &in.LogType, &out.LogType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogDeliveryConfigurationObservation.
@@ -597,11 +803,48 @@ func (in *ParameterGroupObservation) DeepCopyInto(out *ParameterGroupObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -723,6 +966,16 @@ func (in *ParameterGroupStatus) DeepCopy() *ParameterGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -822,6 +1075,26 @@ func (in *ReplicationGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicationGroupLogDeliveryConfigurationObservation) DeepCopyInto(out *ReplicationGroupLogDeliveryConfigurationObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationType != nil {
+		in, out := &in.DestinationType, &out.DestinationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogFormat != nil {
+		in, out := &in.LogFormat, &out.LogFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogType != nil {
+		in, out := &in.LogType, &out.LogType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationGroupLogDeliveryConfigurationObservation.
@@ -842,63 +1115,230 @@ func (in *ReplicationGroupLogDeliveryConfigurationParameters) DeepCopyInto(out *
 		*out = new(string)
 		**out = **in
 	}
-	if in.DestinationType != nil {
-		in, out := &in.DestinationType, &out.DestinationType
+	if in.DestinationType != nil {
+		in, out := &in.DestinationType, &out.DestinationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogFormat != nil {
+		in, out := &in.LogFormat, &out.LogFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogType != nil {
+		in, out := &in.LogType, &out.LogType
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationGroupLogDeliveryConfigurationParameters.
+func (in *ReplicationGroupLogDeliveryConfigurationParameters) DeepCopy() *ReplicationGroupLogDeliveryConfigurationParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(ReplicationGroupLogDeliveryConfigurationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ReplicationGroupObservation) DeepCopyInto(out *ReplicationGroupObservation) {
+	*out = *in
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AtRestEncryptionEnabled != nil {
+		in, out := &in.AtRestEncryptionEnabled, &out.AtRestEncryptionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutomaticFailoverEnabled != nil {
+		in, out := &in.AutomaticFailoverEnabled, &out.AutomaticFailoverEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ClusterEnabled != nil {
+		in, out := &in.ClusterEnabled, &out.ClusterEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ClusterMode != nil {
+		in, out := &in.ClusterMode, &out.ClusterMode
+		*out = make([]ClusterModeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ConfigurationEndpointAddress != nil {
+		in, out := &in.ConfigurationEndpointAddress, &out.ConfigurationEndpointAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataTieringEnabled != nil {
+		in, out := &in.DataTieringEnabled, &out.DataTieringEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersionActual != nil {
+		in, out := &in.EngineVersionActual, &out.EngineVersionActual
+		*out = new(string)
+		**out = **in
+	}
+	if in.FinalSnapshotIdentifier != nil {
+		in, out := &in.FinalSnapshotIdentifier, &out.FinalSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalReplicationGroupID != nil {
+		in, out := &in.GlobalReplicationGroupID, &out.GlobalReplicationGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogDeliveryConfiguration != nil {
+		in, out := &in.LogDeliveryConfiguration, &out.LogDeliveryConfiguration
+		*out = make([]ReplicationGroupLogDeliveryConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaintenanceWindow != nil {
+		in, out := &in.MaintenanceWindow, &out.MaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.MemberClusters != nil {
+		in, out := &in.MemberClusters, &out.MemberClusters
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MultiAzEnabled != nil {
+		in, out := &in.MultiAzEnabled, &out.MultiAzEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.NodeType != nil {
+		in, out := &in.NodeType, &out.NodeType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationTopicArn != nil {
+		in, out := &in.NotificationTopicArn, &out.NotificationTopicArn
 		*out = new(string)
 		**out = **in
 	}
-	if in.LogFormat != nil {
-		in, out := &in.LogFormat, &out.LogFormat
-		*out = new(string)
+	if in.NumCacheClusters != nil {
+		in, out := &in.NumCacheClusters, &out.NumCacheClusters
+		*out = new(float64)
 		**out = **in
 	}
-	if in.LogType != nil {
-		in, out := &in.LogType, &out.LogType
-		*out = new(string)
+	if in.NumNodeGroups != nil {
+		in, out := &in.NumNodeGroups, &out.NumNodeGroups
+		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationGroupLogDeliveryConfigurationParameters.
-func (in *ReplicationGroupLogDeliveryConfigurationParameters) DeepCopy() *ReplicationGroupLogDeliveryConfigurationParameters {
-	if in == nil {
-		return nil
+	if in.NumberCacheClusters != nil {
+		in, out := &in.NumberCacheClusters, &out.NumberCacheClusters
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(ReplicationGroupLogDeliveryConfigurationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ReplicationGroupObservation) DeepCopyInto(out *ReplicationGroupObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.ParameterGroupName != nil {
+		in, out := &in.ParameterGroupName, &out.ParameterGroupName
 		*out = new(string)
 		**out = **in
 	}
-	if in.ClusterEnabled != nil {
-		in, out := &in.ClusterEnabled, &out.ClusterEnabled
-		*out = new(bool)
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
 		**out = **in
 	}
-	if in.ConfigurationEndpointAddress != nil {
-		in, out := &in.ConfigurationEndpointAddress, &out.ConfigurationEndpointAddress
+	if in.PreferredCacheClusterAzs != nil {
+		in, out := &in.PreferredCacheClusterAzs, &out.PreferredCacheClusterAzs
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PrimaryEndpointAddress != nil {
+		in, out := &in.PrimaryEndpointAddress, &out.PrimaryEndpointAddress
 		*out = new(string)
 		**out = **in
 	}
-	if in.EngineVersionActual != nil {
-		in, out := &in.EngineVersionActual, &out.EngineVersionActual
+	if in.ReaderEndpointAddress != nil {
+		in, out := &in.ReaderEndpointAddress, &out.ReaderEndpointAddress
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.ReplicasPerNodeGroup != nil {
+		in, out := &in.ReplicasPerNodeGroup, &out.ReplicasPerNodeGroup
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ReplicationGroupDescription != nil {
+		in, out := &in.ReplicationGroupDescription, &out.ReplicationGroupDescription
 		*out = new(string)
 		**out = **in
 	}
-	if in.MemberClusters != nil {
-		in, out := &in.MemberClusters, &out.MemberClusters
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
 		*out = make([]*string, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
@@ -908,16 +1348,63 @@ func (in *ReplicationGroupObservation) DeepCopyInto(out *ReplicationGroupObserva
 			}
 		}
 	}
-	if in.PrimaryEndpointAddress != nil {
-		in, out := &in.PrimaryEndpointAddress, &out.PrimaryEndpointAddress
+	if in.SecurityGroupNames != nil {
+		in, out := &in.SecurityGroupNames, &out.SecurityGroupNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnapshotArns != nil {
+		in, out := &in.SnapshotArns, &out.SnapshotArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnapshotName != nil {
+		in, out := &in.SnapshotName, &out.SnapshotName
 		*out = new(string)
 		**out = **in
 	}
-	if in.ReaderEndpointAddress != nil {
-		in, out := &in.ReaderEndpointAddress, &out.ReaderEndpointAddress
+	if in.SnapshotRetentionLimit != nil {
+		in, out := &in.SnapshotRetentionLimit, &out.SnapshotRetentionLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SnapshotWindow != nil {
+		in, out := &in.SnapshotWindow, &out.SnapshotWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetGroupName != nil {
+		in, out := &in.SubnetGroupName, &out.SubnetGroupName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -933,6 +1420,22 @@ func (in *ReplicationGroupObservation) DeepCopyInto(out *ReplicationGroupObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransitEncryptionEnabled != nil {
+		in, out := &in.TransitEncryptionEnabled, &out.TransitEncryptionEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UserGroupIds != nil {
+		in, out := &in.UserGroupIds, &out.UserGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicationGroupObservation.
@@ -1333,11 +1836,42 @@ func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1551,11 +2085,36 @@ func (in *UserGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserGroupObservation) DeepCopyInto(out *UserGroupObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1571,6 +2130,17 @@ func (in *UserGroupObservation) DeepCopyInto(out *UserGroupObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserIds != nil {
+		in, out := &in.UserIds, &out.UserIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserGroupObservation.
@@ -1720,11 +2290,46 @@ func (in *UserList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 	*out = *in
+	if in.AccessString != nil {
+		in, out := &in.AccessString, &out.AccessString
+		*out = new(string)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.NoPasswordRequired != nil {
+		in, out := &in.NoPasswordRequired, &out.NoPasswordRequired
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1740,6 +2345,11 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserName != nil {
+		in, out := &in.UserName, &out.UserName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserObservation.
diff --git a/apis/elasticache/v1beta1/zz_parametergroup_types.go b/apis/elasticache/v1beta1/zz_parametergroup_types.go
index 43f0072e48..885d48e0ad 100755
--- a/apis/elasticache/v1beta1/zz_parametergroup_types.go
+++ b/apis/elasticache/v1beta1/zz_parametergroup_types.go
@@ -18,9 +18,24 @@ type ParameterGroupObservation struct {
 	// The AWS ARN associated with the parameter group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the ElastiCache parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The family of the ElastiCache parameter group.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// The ElastiCache parameter group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the ElastiCache parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of ElastiCache parameters to apply.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,12 +47,12 @@ type ParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The family of the ElastiCache parameter group.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// The name of the ElastiCache parameter group.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A list of ElastiCache parameters to apply.
 	// +kubebuilder:validation:Optional
@@ -54,6 +69,12 @@ type ParameterGroupParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// The name of the ElastiCache parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the ElastiCache parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -91,8 +112,10 @@ type ParameterGroupStatus struct {
 type ParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ParameterGroupSpec   `json:"spec"`
-	Status            ParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ParameterGroupSpec   `json:"spec"`
+	Status ParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elasticache/v1beta1/zz_replicationgroup_types.go b/apis/elasticache/v1beta1/zz_replicationgroup_types.go
index 562d656a01..f1997b3acb 100755
--- a/apis/elasticache/v1beta1/zz_replicationgroup_types.go
+++ b/apis/elasticache/v1beta1/zz_replicationgroup_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ClusterModeObservation struct {
+
+	// Number of node groups (shards) for this Redis replication group.
+	// Changing this number will trigger a resizing operation before other settings modifications.
+	NumNodeGroups *float64 `json:"numNodeGroups,omitempty" tf:"num_node_groups,omitempty"`
+
+	// Number of replica nodes in each node group.
+	// Changing this number will trigger a resizing operation before other settings modifications.
+	// Valid values are 0 to 5.
+	ReplicasPerNodeGroup *float64 `json:"replicasPerNodeGroup,omitempty" tf:"replicas_per_node_group,omitempty"`
 }
 
 type ClusterModeParameters struct {
@@ -31,6 +40,18 @@ type ClusterModeParameters struct {
 }
 
 type ReplicationGroupLogDeliveryConfigurationObservation struct {
+
+	// Name of either the CloudWatch Logs LogGroup or Kinesis Data Firehose resource.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// For CloudWatch Logs use cloudwatch-logs or for Kinesis Data Firehose use kinesis-firehose.
+	DestinationType *string `json:"destinationType,omitempty" tf:"destination_type,omitempty"`
+
+	// Valid values are json or text
+	LogFormat *string `json:"logFormat,omitempty" tf:"log_format,omitempty"`
+
+	// Valid values are  slow-log or engine-log. Max 1 of each.
+	LogType *string `json:"logType,omitempty" tf:"log_type,omitempty"`
 }
 
 type ReplicationGroupLogDeliveryConfigurationParameters struct {
@@ -54,32 +75,149 @@ type ReplicationGroupLogDeliveryConfigurationParameters struct {
 
 type ReplicationGroupObservation struct {
 
+	// Specifies whether any modifications are applied immediately, or during the next maintenance window. Default is false.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// ARN of the created ElastiCache Replication Group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to enable encryption at rest.
+	AtRestEncryptionEnabled *bool `json:"atRestEncryptionEnabled,omitempty" tf:"at_rest_encryption_enabled,omitempty"`
+
+	// Specifies whether minor version engine upgrades will be applied automatically to the underlying Cache Cluster instances during the maintenance window.
+	// Only supported for engine type "redis" and if the engine version is 6 or higher.
+	// Defaults to true.
+	AutoMinorVersionUpgrade *string `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// Specifies whether a read-only replica will be automatically promoted to read/write primary if the existing primary fails. If enabled, num_cache_clusters must be greater than 1. Must be enabled for Redis (cluster mode enabled) replication groups. Defaults to false.
+	AutomaticFailoverEnabled *bool `json:"automaticFailoverEnabled,omitempty" tf:"automatic_failover_enabled,omitempty"`
+
+	// List of EC2 availability zones in which the replication group's cache clusters will be created. The order of the availability zones in the list is not considered.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
 	// Indicates if cluster mode is enabled.
 	ClusterEnabled *bool `json:"clusterEnabled,omitempty" tf:"cluster_enabled,omitempty"`
 
+	// Create a native Redis cluster. automatic_failover_enabled must be set to true. Cluster Mode documented below. Only 1 cluster_mode block is allowed. Note that configuring this block does not enable cluster mode, i.e., data sharding, this requires using a parameter group that has the parameter cluster-enabled set to true.
+	ClusterMode []ClusterModeObservation `json:"clusterMode,omitempty" tf:"cluster_mode,omitempty"`
+
 	// Address of the replication group configuration endpoint when cluster mode is enabled.
 	ConfigurationEndpointAddress *string `json:"configurationEndpointAddress,omitempty" tf:"configuration_endpoint_address,omitempty"`
 
+	// Enables data tiering. Data tiering is only supported for replication groups using the r6gd node type. This parameter must be set to true when using r6gd nodes.
+	DataTieringEnabled *bool `json:"dataTieringEnabled,omitempty" tf:"data_tiering_enabled,omitempty"`
+
+	// created description for the replication group. Must not be empty.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Name of the cache engine to be used for the clusters in this replication group. The only valid value is redis.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// Version number of the cache engine to be used for the cache clusters in this replication group.
+	// If the version is 6 or higher, the major and minor version can be set, e.g., 6.2,
+	// or the minor version can be unspecified which will use the latest version at creation time, e.g., 6.x.
+	// Otherwise, specify the full version desired, e.g., 5.0.6.
+	// The actual engine version used is returned in the attribute engine_version_actual, see Attributes Reference below.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// Because ElastiCache pulls the latest minor or patch for a version, this attribute returns the running version of the cache engine.
 	EngineVersionActual *string `json:"engineVersionActual,omitempty" tf:"engine_version_actual,omitempty"`
 
+	// The name of your final node group (shard) snapshot. ElastiCache creates the snapshot from the primary node in the cluster. If omitted, no final snapshot will be made.
+	FinalSnapshotIdentifier *string `json:"finalSnapshotIdentifier,omitempty" tf:"final_snapshot_identifier,omitempty"`
+
+	// The ID of the global replication group to which this replication group should belong. If this parameter is specified, the replication group is added to the specified global replication group as a secondary replication group; otherwise, the replication group is not part of any global replication group. If global_replication_group_id is set, the num_node_groups parameter (or the num_node_groups parameter of the deprecated cluster_mode block) cannot be set.
+	GlobalReplicationGroupID *string `json:"globalReplicationGroupId,omitempty" tf:"global_replication_group_id,omitempty"`
+
 	// ID of the ElastiCache Replication Group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN of the key that you wish to use if encrypting at rest. If not supplied, uses service managed encryption. Can be specified only if at_rest_encryption_enabled = true.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Specifies the destination and format of Redis SLOWLOG or Redis Engine Log. See the documentation on Amazon ElastiCache. See Log Delivery Configuration below for more details.
+	LogDeliveryConfiguration []ReplicationGroupLogDeliveryConfigurationObservation `json:"logDeliveryConfiguration,omitempty" tf:"log_delivery_configuration,omitempty"`
+
+	// ddd:hh24:mi (24H Clock UTC). The minimum maintenance window is a 60 minute period. Example: sun:05:00-sun:09:00
+	MaintenanceWindow *string `json:"maintenanceWindow,omitempty" tf:"maintenance_window,omitempty"`
+
 	// Identifiers of all the nodes that are part of this replication group.
 	MemberClusters []*string `json:"memberClusters,omitempty" tf:"member_clusters,omitempty"`
 
+	// Specifies whether to enable Multi-AZ Support for the replication group. If true, automatic_failover_enabled must also be enabled. Defaults to false.
+	MultiAzEnabled *bool `json:"multiAzEnabled,omitempty" tf:"multi_az_enabled,omitempty"`
+
+	// Instance class to be used. See AWS documentation for information on supported node types and guidance on selecting node types. Required unless global_replication_group_id is set. Cannot be set if global_replication_group_id is set.
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
+
+	// east-1:012345678999:my_sns_topic
+	NotificationTopicArn *string `json:"notificationTopicArn,omitempty" tf:"notification_topic_arn,omitempty"`
+
+	// 00#.
+	NumCacheClusters *float64 `json:"numCacheClusters,omitempty" tf:"num_cache_clusters,omitempty"`
+
+	// Number of node groups (shards) for this Redis replication group.
+	// Changing this number will trigger a resizing operation before other settings modifications.
+	NumNodeGroups *float64 `json:"numNodeGroups,omitempty" tf:"num_node_groups,omitempty"`
+
+	// Number of cache clusters (primary and replicas) this replication group will have. If Multi-AZ is enabled, the value of this parameter must be at least 2. Updates will occur before other modifications. Conflicts with num_cache_clusters, num_node_groups, or the deprecated cluster_mode. Defaults to 1.
+	NumberCacheClusters *float64 `json:"numberCacheClusters,omitempty" tf:"number_cache_clusters,omitempty"`
+
+	// Name of the parameter group to associate with this replication group. If this argument is omitted, the default cache parameter group for the specified engine is used. To enable "cluster mode", i.e., data sharding, use a parameter group that has the parameter cluster-enabled set to true.
+	ParameterGroupName *string `json:"parameterGroupName,omitempty" tf:"parameter_group_name,omitempty"`
+
+	// –  Port number on which each of the cache nodes will accept connections. For Memcache the default is 11211, and for Redis the default port is 6379.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// List of EC2 availability zones in which the replication group's cache clusters will be created. The order of the availability zones in the list is considered. The first item in the list will be the primary node. Ignored when updating.
+	PreferredCacheClusterAzs []*string `json:"preferredCacheClusterAzs,omitempty" tf:"preferred_cache_cluster_azs,omitempty"`
+
 	// (Redis only) Address of the endpoint for the primary node in the replication group, if the cluster mode is disabled.
 	PrimaryEndpointAddress *string `json:"primaryEndpointAddress,omitempty" tf:"primary_endpoint_address,omitempty"`
 
 	// (Redis only) Address of the endpoint for the reader node in the replication group, if the cluster mode is disabled.
 	ReaderEndpointAddress *string `json:"readerEndpointAddress,omitempty" tf:"reader_endpoint_address,omitempty"`
 
+	// Number of replica nodes in each node group.
+	// Changing this number will trigger a resizing operation before other settings modifications.
+	// Valid values are 0 to 5.
+	ReplicasPerNodeGroup *float64 `json:"replicasPerNodeGroup,omitempty" tf:"replicas_per_node_group,omitempty"`
+
+	// created description for the replication group. Must not be empty.
+	ReplicationGroupDescription *string `json:"replicationGroupDescription,omitempty" tf:"replication_group_description,omitempty"`
+
+	// One or more Amazon VPC security groups associated with this replication group. Use this parameter only when you are creating a replication group in an Amazon Virtual Private Cloud
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// List of cache security group names to associate with this replication group.
+	SecurityGroupNames []*string `json:"securityGroupNames,omitempty" tf:"security_group_names,omitempty"`
+
+	// –  List of ARNs that identify Redis RDB snapshot files stored in Amazon S3. The names object names cannot contain any commas.
+	SnapshotArns []*string `json:"snapshotArns,omitempty" tf:"snapshot_arns,omitempty"`
+
+	// Name of a snapshot from which to restore data into the new node group. Changing the snapshot_name forces a new resource.
+	SnapshotName *string `json:"snapshotName,omitempty" tf:"snapshot_name,omitempty"`
+
+	// Number of days for which ElastiCache will retain automatic cache cluster snapshots before deleting them. For example, if you set SnapshotRetentionLimit to 5, then a snapshot that was taken today will be retained for 5 days before being deleted. If the value of snapshot_retention_limit is set to zero (0), backups are turned off. Please note that setting a snapshot_retention_limit is not supported on cache.t1.micro cache nodes
+	SnapshotRetentionLimit *float64 `json:"snapshotRetentionLimit,omitempty" tf:"snapshot_retention_limit,omitempty"`
+
+	// Daily time range (in UTC) during which ElastiCache will begin taking a daily snapshot of your cache cluster. The minimum snapshot window is a 60 minute period. Example: 05:00-09:00
+	SnapshotWindow *string `json:"snapshotWindow,omitempty" tf:"snapshot_window,omitempty"`
+
+	// Name of the cache subnet group to be used for the replication group.
+	SubnetGroupName *string `json:"subnetGroupName,omitempty" tf:"subnet_group_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to enable encryption in transit.
+	TransitEncryptionEnabled *bool `json:"transitEncryptionEnabled,omitempty" tf:"transit_encryption_enabled,omitempty"`
+
+	// User Group ID to associate with the replication group. Only a maximum of one (1) user group ID is valid. NOTE: This argument is a set because the AWS specification allows for multiple IDs. However, in practice, AWS only allows a maximum size of one.
+	UserGroupIds []*string `json:"userGroupIds,omitempty" tf:"user_group_ids,omitempty"`
 }
 
 type ReplicationGroupParameters struct {
diff --git a/apis/elasticache/v1beta1/zz_subnetgroup_types.go b/apis/elasticache/v1beta1/zz_subnetgroup_types.go
index 1c88b63b4b..ad056855f7 100755
--- a/apis/elasticache/v1beta1/zz_subnetgroup_types.go
+++ b/apis/elasticache/v1beta1/zz_subnetgroup_types.go
@@ -16,8 +16,17 @@ import (
 type SubnetGroupObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  Description for the cache subnet group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  List of VPC Subnet IDs for the cache subnet group
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/elasticache/v1beta1/zz_user_types.go b/apis/elasticache/v1beta1/zz_user_types.go
index c2b2616b43..d113241562 100755
--- a/apis/elasticache/v1beta1/zz_user_types.go
+++ b/apis/elasticache/v1beta1/zz_user_types.go
@@ -14,24 +14,43 @@ import (
 )
 
 type UserObservation struct {
+
+	// Access permissions string used for this user. See Specifying Permissions Using an Access String for more details.
+	AccessString *string `json:"accessString,omitempty" tf:"access_string,omitempty"`
+
+	// The ARN of the created ElastiCache User.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// The current supported value is REDIS.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Indicates a password is not required for this user.
+	NoPasswordRequired *bool `json:"noPasswordRequired,omitempty" tf:"no_password_required,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The username of the user.
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 }
 
 type UserParameters struct {
 
 	// Access permissions string used for this user. See Specifying Permissions Using an Access String for more details.
-	// +kubebuilder:validation:Required
-	AccessString *string `json:"accessString" tf:"access_string,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccessString *string `json:"accessString,omitempty" tf:"access_string,omitempty"`
 
 	// The ARN of the created ElastiCache User.
 	// +kubebuilder:validation:Optional
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The current supported value is REDIS.
-	// +kubebuilder:validation:Required
-	Engine *string `json:"engine" tf:"engine,omitempty"`
+	// +kubebuilder:validation:Optional
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
 
 	// Indicates a password is not required for this user.
 	// +kubebuilder:validation:Optional
@@ -51,8 +70,8 @@ type UserParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The username of the user.
-	// +kubebuilder:validation:Required
-	UserName *string `json:"userName" tf:"user_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 }
 
 // UserSpec defines the desired state of User
@@ -79,8 +98,11 @@ type UserStatus struct {
 type User struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserSpec   `json:"spec"`
-	Status            UserStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessString)",message="accessString is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engine)",message="engine is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userName)",message="userName is a required parameter"
+	Spec   UserSpec   `json:"spec"`
+	Status UserStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elasticache/v1beta1/zz_usergroup_types.go b/apis/elasticache/v1beta1/zz_usergroup_types.go
index 4415f15110..4dc19791bf 100755
--- a/apis/elasticache/v1beta1/zz_usergroup_types.go
+++ b/apis/elasticache/v1beta1/zz_usergroup_types.go
@@ -15,11 +15,23 @@ import (
 
 type UserGroupObservation struct {
 
+	// The ARN that identifies the user group.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// The current supported value is REDIS.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
 	// The user group identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The list of user IDs that belong to the user group.
+	UserIds []*string `json:"userIds,omitempty" tf:"user_ids,omitempty"`
 }
 
 type UserGroupParameters struct {
@@ -29,8 +41,8 @@ type UserGroupParameters struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The current supported value is REDIS.
-	// +kubebuilder:validation:Required
-	Engine *string `json:"engine" tf:"engine,omitempty"`
+	// +kubebuilder:validation:Optional
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -81,8 +93,9 @@ type UserGroupStatus struct {
 type UserGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserGroupSpec   `json:"spec"`
-	Status            UserGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engine)",message="engine is a required parameter"
+	Spec   UserGroupSpec   `json:"spec"`
+	Status UserGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elasticbeanstalk/v1beta1/zz_application_types.go b/apis/elasticbeanstalk/v1beta1/zz_application_types.go
index 58d8f10c13..3c867c70fc 100755
--- a/apis/elasticbeanstalk/v1beta1/zz_application_types.go
+++ b/apis/elasticbeanstalk/v1beta1/zz_application_types.go
@@ -14,12 +14,19 @@ import (
 )
 
 type ApplicationObservation struct {
+	AppversionLifecycle []AppversionLifecycleObservation `json:"appversionLifecycle,omitempty" tf:"appversion_lifecycle,omitempty"`
 
 	// The ARN assigned by AWS for this Elastic Beanstalk Application.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Short description of the application
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -44,6 +51,18 @@ type ApplicationParameters struct {
 }
 
 type AppversionLifecycleObservation struct {
+
+	// Set to true to delete a version's source bundle from S3 when the application version is deleted.
+	DeleteSourceFromS3 *bool `json:"deleteSourceFromS3,omitempty" tf:"delete_source_from_s3,omitempty"`
+
+	// The number of days to retain an application version ('max_age_in_days' and 'max_count' cannot be enabled simultaneously.).
+	MaxAgeInDays *float64 `json:"maxAgeInDays,omitempty" tf:"max_age_in_days,omitempty"`
+
+	// The maximum number of application versions to retain ('max_age_in_days' and 'max_count' cannot be enabled simultaneously.).
+	MaxCount *float64 `json:"maxCount,omitempty" tf:"max_count,omitempty"`
+
+	// The ARN of an IAM service role under which the application version is deleted.  Elastic Beanstalk must have permission to assume this role.
+	ServiceRole *string `json:"serviceRole,omitempty" tf:"service_role,omitempty"`
 }
 
 type AppversionLifecycleParameters struct {
diff --git a/apis/elasticbeanstalk/v1beta1/zz_applicationversion_types.go b/apis/elasticbeanstalk/v1beta1/zz_applicationversion_types.go
index ace5d3582a..30e8037e9f 100755
--- a/apis/elasticbeanstalk/v1beta1/zz_applicationversion_types.go
+++ b/apis/elasticbeanstalk/v1beta1/zz_applicationversion_types.go
@@ -15,11 +15,29 @@ import (
 
 type ApplicationVersionObservation struct {
 
+	// Name of the Beanstalk Application the version is associated with.
+	Application *string `json:"application,omitempty" tf:"application,omitempty"`
+
 	// ARN assigned by AWS for this Elastic Beanstalk Application.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// S3 bucket that contains the Application Version source bundle.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Short description of the Application Version.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// On delete, force an Application Version to be deleted when it may be in use by multiple Elastic Beanstalk Environments.
+	ForceDelete *bool `json:"forceDelete,omitempty" tf:"force_delete,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// S3 object that is the Application Version source bundle.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -27,8 +45,8 @@ type ApplicationVersionObservation struct {
 type ApplicationVersionParameters struct {
 
 	// Name of the Beanstalk Application the version is associated with.
-	// +kubebuilder:validation:Required
-	Application *string `json:"application" tf:"application,omitempty"`
+	// +kubebuilder:validation:Optional
+	Application *string `json:"application,omitempty" tf:"application,omitempty"`
 
 	// S3 bucket that contains the Application Version source bundle.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/s3/v1beta1.Bucket
@@ -100,8 +118,9 @@ type ApplicationVersionStatus struct {
 type ApplicationVersion struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ApplicationVersionSpec   `json:"spec"`
-	Status            ApplicationVersionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.application)",message="application is a required parameter"
+	Spec   ApplicationVersionSpec   `json:"spec"`
+	Status ApplicationVersionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elasticbeanstalk/v1beta1/zz_configurationtemplate_types.go b/apis/elasticbeanstalk/v1beta1/zz_configurationtemplate_types.go
index 922209d23a..1fddd21a20 100755
--- a/apis/elasticbeanstalk/v1beta1/zz_configurationtemplate_types.go
+++ b/apis/elasticbeanstalk/v1beta1/zz_configurationtemplate_types.go
@@ -14,7 +14,26 @@ import (
 )
 
 type ConfigurationTemplateObservation struct {
+
+	// –  name of the application to associate with this configuration template
+	Application *string `json:"application,omitempty" tf:"application,omitempty"`
+
+	// Short description of the Template
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// –  The ID of the environment used with this configuration template
+	EnvironmentID *string `json:"environmentId,omitempty" tf:"environment_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// –  Option settings to configure the new Environment. These
+	// override specific values that are set as defaults. The format is detailed
+	// below in Option Settings
+	Setting []SettingObservation `json:"setting,omitempty" tf:"setting,omitempty"`
+
+	// –  A solution stack to base your Template
+	// off of. Example stacks can be found in the Amazon API documentation
+	SolutionStackName *string `json:"solutionStackName,omitempty" tf:"solution_stack_name,omitempty"`
 }
 
 type ConfigurationTemplateParameters struct {
@@ -58,6 +77,18 @@ type ConfigurationTemplateParameters struct {
 }
 
 type SettingObservation struct {
+
+	// A unique name for this Template.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// unique namespace identifying the option's associated AWS resource
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// resource name for scheduled action
+	Resource *string `json:"resource,omitempty" tf:"resource,omitempty"`
+
+	// value for the configuration option
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type SettingParameters struct {
diff --git a/apis/elasticbeanstalk/v1beta1/zz_generated.deepcopy.go b/apis/elasticbeanstalk/v1beta1/zz_generated.deepcopy.go
index 013958526e..13efc66b9c 100644
--- a/apis/elasticbeanstalk/v1beta1/zz_generated.deepcopy.go
+++ b/apis/elasticbeanstalk/v1beta1/zz_generated.deepcopy.go
@@ -76,16 +76,43 @@ func (in *ApplicationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 	*out = *in
+	if in.AppversionLifecycle != nil {
+		in, out := &in.AppversionLifecycle, &out.AppversionLifecycle
+		*out = make([]AppversionLifecycleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -256,16 +283,56 @@ func (in *ApplicationVersionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationVersionObservation) DeepCopyInto(out *ApplicationVersionObservation) {
 	*out = *in
+	if in.Application != nil {
+		in, out := &in.Application, &out.Application
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDelete != nil {
+		in, out := &in.ForceDelete, &out.ForceDelete
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -410,6 +477,26 @@ func (in *ApplicationVersionStatus) DeepCopy() *ApplicationVersionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppversionLifecycleObservation) DeepCopyInto(out *AppversionLifecycleObservation) {
 	*out = *in
+	if in.DeleteSourceFromS3 != nil {
+		in, out := &in.DeleteSourceFromS3, &out.DeleteSourceFromS3
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MaxAgeInDays != nil {
+		in, out := &in.MaxAgeInDays, &out.MaxAgeInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxCount != nil {
+		in, out := &in.MaxCount, &out.MaxCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServiceRole != nil {
+		in, out := &in.ServiceRole, &out.ServiceRole
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppversionLifecycleObservation.
@@ -529,11 +616,38 @@ func (in *ConfigurationTemplateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationTemplateObservation) DeepCopyInto(out *ConfigurationTemplateObservation) {
 	*out = *in
+	if in.Application != nil {
+		in, out := &in.Application, &out.Application
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnvironmentID != nil {
+		in, out := &in.EnvironmentID, &out.EnvironmentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Setting != nil {
+		in, out := &in.Setting, &out.Setting
+		*out = make([]SettingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SolutionStackName != nil {
+		in, out := &in.SolutionStackName, &out.SolutionStackName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationTemplateObservation.
@@ -640,6 +754,26 @@ func (in *ConfigurationTemplateStatus) DeepCopy() *ConfigurationTemplateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SettingObservation) DeepCopyInto(out *SettingObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.Resource != nil {
+		in, out := &in.Resource, &out.Resource
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SettingObservation.
diff --git a/apis/elasticsearch/v1beta1/zz_domain_types.go b/apis/elasticsearch/v1beta1/zz_domain_types.go
index 24a4669e8f..3121cc178b 100755
--- a/apis/elasticsearch/v1beta1/zz_domain_types.go
+++ b/apis/elasticsearch/v1beta1/zz_domain_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AdvancedSecurityOptionsObservation struct {
+
+	// Whether advanced security is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Whether the internal user database is enabled. If not set, defaults to false by the AWS API.
+	InternalUserDatabaseEnabled *bool `json:"internalUserDatabaseEnabled,omitempty" tf:"internal_user_database_enabled,omitempty"`
+
+	// Configuration block for the main user. Detailed below.
+	MasterUserOptions []MasterUserOptionsObservation `json:"masterUserOptions,omitempty" tf:"master_user_options,omitempty"`
 }
 
 type AdvancedSecurityOptionsParameters struct {
@@ -32,6 +41,15 @@ type AdvancedSecurityOptionsParameters struct {
 }
 
 type AutoTuneOptionsObservation struct {
+
+	// The Auto-Tune desired state for the domain. Valid values: ENABLED or DISABLED.
+	DesiredState *string `json:"desiredState,omitempty" tf:"desired_state,omitempty"`
+
+	// Configuration block for Auto-Tune maintenance windows. Can be specified multiple times for each maintenance window. Detailed below.
+	MaintenanceSchedule []MaintenanceScheduleObservation `json:"maintenanceSchedule,omitempty" tf:"maintenance_schedule,omitempty"`
+
+	// Whether to roll back to default Auto-Tune settings when disabling Auto-Tune. Valid values: DEFAULT_ROLLBACK or NO_ROLLBACK.
+	RollbackOnDisable *string `json:"rollbackOnDisable,omitempty" tf:"rollback_on_disable,omitempty"`
 }
 
 type AutoTuneOptionsParameters struct {
@@ -50,6 +68,39 @@ type AutoTuneOptionsParameters struct {
 }
 
 type ClusterConfigObservation struct {
+
+	// Configuration block containing cold storage configuration. Detailed below.
+	ColdStorageOptions []ColdStorageOptionsObservation `json:"coldStorageOptions,omitempty" tf:"cold_storage_options,omitempty"`
+
+	// Number of dedicated main nodes in the cluster.
+	DedicatedMasterCount *float64 `json:"dedicatedMasterCount,omitempty" tf:"dedicated_master_count,omitempty"`
+
+	// Whether dedicated main nodes are enabled for the cluster.
+	DedicatedMasterEnabled *bool `json:"dedicatedMasterEnabled,omitempty" tf:"dedicated_master_enabled,omitempty"`
+
+	// Instance type of the dedicated main nodes in the cluster.
+	DedicatedMasterType *string `json:"dedicatedMasterType,omitempty" tf:"dedicated_master_type,omitempty"`
+
+	// Number of instances in the cluster.
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	// Instance type of data nodes in the cluster.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// Number of warm nodes in the cluster. Valid values are between 2 and 150. warm_count can be only and must be set when warm_enabled is set to true.
+	WarmCount *float64 `json:"warmCount,omitempty" tf:"warm_count,omitempty"`
+
+	// Whether to enable warm storage.
+	WarmEnabled *bool `json:"warmEnabled,omitempty" tf:"warm_enabled,omitempty"`
+
+	// Instance type for the Elasticsearch cluster's warm nodes. Valid values are ultrawarm1.medium.elasticsearch, ultrawarm1.large.elasticsearch and ultrawarm1.xlarge.elasticsearch. warm_type can be only and must be set when warm_enabled is set to true.
+	WarmType *string `json:"warmType,omitempty" tf:"warm_type,omitempty"`
+
+	// Configuration block containing zone awareness settings. Detailed below.
+	ZoneAwarenessConfig []ZoneAwarenessConfigObservation `json:"zoneAwarenessConfig,omitempty" tf:"zone_awareness_config,omitempty"`
+
+	// Whether zone awareness is enabled, set to true for multi-az deployment. To enable awareness with three Availability Zones, the availability_zone_count within the zone_awareness_config must be set to 3.
+	ZoneAwarenessEnabled *bool `json:"zoneAwarenessEnabled,omitempty" tf:"zone_awareness_enabled,omitempty"`
 }
 
 type ClusterConfigParameters struct {
@@ -100,6 +151,18 @@ type ClusterConfigParameters struct {
 }
 
 type CognitoOptionsObservation struct {
+
+	// Whether Amazon Cognito authentication with Kibana is enabled or not.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// ID of the Cognito Identity Pool to use.
+	IdentityPoolID *string `json:"identityPoolId,omitempty" tf:"identity_pool_id,omitempty"`
+
+	// ARN of the IAM role that has the AmazonESCognitoAccess policy attached.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// ID of the Cognito User Pool to use.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type CognitoOptionsParameters struct {
@@ -122,6 +185,9 @@ type CognitoOptionsParameters struct {
 }
 
 type ColdStorageOptionsObservation struct {
+
+	// Boolean to enable cold storage for an Elasticsearch domain. Defaults to false. Master and ultrawarm nodes must be enabled for cold storage.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type ColdStorageOptionsParameters struct {
@@ -132,6 +198,21 @@ type ColdStorageOptionsParameters struct {
 }
 
 type DomainEndpointOptionsObservation struct {
+
+	// Fully qualified domain for your custom endpoint.
+	CustomEndpoint *string `json:"customEndpoint,omitempty" tf:"custom_endpoint,omitempty"`
+
+	// ACM certificate ARN for your custom endpoint.
+	CustomEndpointCertificateArn *string `json:"customEndpointCertificateArn,omitempty" tf:"custom_endpoint_certificate_arn,omitempty"`
+
+	// Whether to enable custom endpoint for the Elasticsearch domain.
+	CustomEndpointEnabled *bool `json:"customEndpointEnabled,omitempty" tf:"custom_endpoint_enabled,omitempty"`
+
+	// Whether or not to require HTTPS. Defaults to true.
+	EnforceHTTPS *bool `json:"enforceHttps,omitempty" tf:"enforce_https,omitempty"`
+
+	// Name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values:  Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07.
+	TLSSecurityPolicy *string `json:"tlsSecurityPolicy,omitempty" tf:"tls_security_policy,omitempty"`
 }
 
 type DomainEndpointOptionsParameters struct {
@@ -159,12 +240,42 @@ type DomainEndpointOptionsParameters struct {
 
 type DomainObservation struct {
 
+	// IAM policy document specifying the access policies for the domain.
+	AccessPolicies *string `json:"accessPolicies,omitempty" tf:"access_policies,omitempty"`
+
+	// Key-value string pairs to specify advanced configuration options.
+	AdvancedOptions map[string]*string `json:"advancedOptions,omitempty" tf:"advanced_options,omitempty"`
+
+	// Configuration block for fine-grained access control. Detailed below.
+	AdvancedSecurityOptions []AdvancedSecurityOptionsObservation `json:"advancedSecurityOptions,omitempty" tf:"advanced_security_options,omitempty"`
+
 	// ARN of the domain.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block for the Auto-Tune options of the domain. Detailed below.
+	AutoTuneOptions []AutoTuneOptionsObservation `json:"autoTuneOptions,omitempty" tf:"auto_tune_options,omitempty"`
+
+	// Configuration block for the cluster of the domain. Detailed below.
+	ClusterConfig []ClusterConfigObservation `json:"clusterConfig,omitempty" tf:"cluster_config,omitempty"`
+
+	// Configuration block for authenticating Kibana with Cognito. Detailed below.
+	CognitoOptions []CognitoOptionsObservation `json:"cognitoOptions,omitempty" tf:"cognito_options,omitempty"`
+
+	// Configuration block for domain endpoint HTTP(S) related options. Detailed below.
+	DomainEndpointOptions []DomainEndpointOptionsObservation `json:"domainEndpointOptions,omitempty" tf:"domain_endpoint_options,omitempty"`
+
 	// Unique identifier for the domain.
 	DomainID *string `json:"domainId,omitempty" tf:"domain_id,omitempty"`
 
+	// Configuration block for EBS related options, may be required based on chosen instance size. Detailed below.
+	EBSOptions []EBSOptionsObservation `json:"ebsOptions,omitempty" tf:"ebs_options,omitempty"`
+
+	// Version of Elasticsearch to deploy. Defaults to 1.5.
+	ElasticsearchVersion *string `json:"elasticsearchVersion,omitempty" tf:"elasticsearch_version,omitempty"`
+
+	// Configuration block for encrypt at rest options. Only available for certain instance types. Detailed below.
+	EncryptAtRest []EncryptAtRestObservation `json:"encryptAtRest,omitempty" tf:"encrypt_at_rest,omitempty"`
+
 	// Domain-specific endpoint used to submit index, search, and data upload requests.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
@@ -173,11 +284,22 @@ type DomainObservation struct {
 	// Domain-specific endpoint for kibana without https scheme.
 	KibanaEndpoint *string `json:"kibanaEndpoint,omitempty" tf:"kibana_endpoint,omitempty"`
 
+	// Configuration block for publishing slow and application logs to CloudWatch Logs. This block can be declared multiple times, for each log_type, within the same resource. Detailed below.
+	LogPublishingOptions []LogPublishingOptionsObservation `json:"logPublishingOptions,omitempty" tf:"log_publishing_options,omitempty"`
+
+	// Configuration block for node-to-node encryption options. Detailed below.
+	NodeToNodeEncryption []NodeToNodeEncryptionObservation `json:"nodeToNodeEncryption,omitempty" tf:"node_to_node_encryption,omitempty"`
+
+	// Configuration block for snapshot related options. Detailed below. DEPRECATED. For domains running Elasticsearch 5.3 and later, Amazon ES takes hourly automated snapshots, making this setting irrelevant. For domains running earlier versions of Elasticsearch, Amazon ES takes daily automated snapshots.
+	SnapshotOptions []SnapshotOptionsObservation `json:"snapshotOptions,omitempty" tf:"snapshot_options,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Configuration block for VPC related options. Adding or removing this configuration forces a new resource (documentation). Detailed below.
-	// +kubebuilder:validation:Optional
 	VPCOptions []VPCOptionsObservation `json:"vpcOptions,omitempty" tf:"vpc_options,omitempty"`
 }
 
@@ -250,6 +372,12 @@ type DomainParameters struct {
 }
 
 type DurationObservation struct {
+
+	// The unit of time specifying the duration of an Auto-Tune maintenance window. Valid values: HOURS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// An integer specifying the value of the duration of an Auto-Tune maintenance window.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DurationParameters struct {
@@ -264,6 +392,21 @@ type DurationParameters struct {
 }
 
 type EBSOptionsObservation struct {
+
+	// Whether EBS volumes are attached to data nodes in the domain.
+	EBSEnabled *bool `json:"ebsEnabled,omitempty" tf:"ebs_enabled,omitempty"`
+
+	// Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. Valid values are between 125 and 1000.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// Size of EBS volumes attached to data nodes (in GiB).
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of EBS volumes attached to data nodes.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type EBSOptionsParameters struct {
@@ -290,6 +433,12 @@ type EBSOptionsParameters struct {
 }
 
 type EncryptAtRestObservation struct {
+
+	// Whether to enable encryption at rest. If the encrypt_at_rest block is not provided then this defaults to false. Enabling encryption on new domains requires elasticsearch_version 5.1 or greater.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// KMS key ARN to encrypt the Elasticsearch domain with. If not specified then it defaults to using the aws/es service KMS key. Note that KMS will accept a KMS key ID but will return the key ARN.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 }
 
 type EncryptAtRestParameters struct {
@@ -304,6 +453,15 @@ type EncryptAtRestParameters struct {
 }
 
 type LogPublishingOptionsObservation struct {
+
+	// ARN of the Cloudwatch log group to which log needs to be published.
+	CloudwatchLogGroupArn *string `json:"cloudwatchLogGroupArn,omitempty" tf:"cloudwatch_log_group_arn,omitempty"`
+
+	// Whether given log publishing option is enabled or not.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Type of Elasticsearch log. Valid values: INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, AUDIT_LOGS.
+	LogType *string `json:"logType,omitempty" tf:"log_type,omitempty"`
 }
 
 type LogPublishingOptionsParameters struct {
@@ -332,6 +490,15 @@ type LogPublishingOptionsParameters struct {
 }
 
 type MaintenanceScheduleObservation struct {
+
+	// A cron expression specifying the recurrence pattern for an Auto-Tune maintenance schedule.
+	CronExpressionForRecurrence *string `json:"cronExpressionForRecurrence,omitempty" tf:"cron_expression_for_recurrence,omitempty"`
+
+	// Configuration block for the duration of the Auto-Tune maintenance window. Detailed below.
+	Duration []DurationObservation `json:"duration,omitempty" tf:"duration,omitempty"`
+
+	// Date and time at which to start the Auto-Tune maintenance schedule in RFC3339 format.
+	StartAt *string `json:"startAt,omitempty" tf:"start_at,omitempty"`
 }
 
 type MaintenanceScheduleParameters struct {
@@ -350,6 +517,12 @@ type MaintenanceScheduleParameters struct {
 }
 
 type MasterUserOptionsObservation struct {
+
+	// ARN for the main user. Only specify if internal_user_database_enabled is not set or set to false.
+	MasterUserArn *string `json:"masterUserArn,omitempty" tf:"master_user_arn,omitempty"`
+
+	// Main user's username, which is stored in the Amazon Elasticsearch Service domain's internal database. Only specify if internal_user_database_enabled is set to true.
+	MasterUserName *string `json:"masterUserName,omitempty" tf:"master_user_name,omitempty"`
 }
 
 type MasterUserOptionsParameters struct {
@@ -368,6 +541,9 @@ type MasterUserOptionsParameters struct {
 }
 
 type NodeToNodeEncryptionObservation struct {
+
+	// Whether to enable node-to-node encryption. If the node_to_node_encryption block is not provided then this defaults to false. Enabling node-to-node encryption of a new domain requires an elasticsearch_version of 6.0 or greater.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type NodeToNodeEncryptionParameters struct {
@@ -378,6 +554,9 @@ type NodeToNodeEncryptionParameters struct {
 }
 
 type SnapshotOptionsObservation struct {
+
+	// Hour during which the service takes an automated daily snapshot of the indices in the domain.
+	AutomatedSnapshotStartHour *float64 `json:"automatedSnapshotStartHour,omitempty" tf:"automated_snapshot_start_hour,omitempty"`
 }
 
 type SnapshotOptionsParameters struct {
@@ -392,6 +571,12 @@ type VPCOptionsObservation struct {
 	// If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside.
 	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
 
+	// List of VPC Security Group IDs to be applied to the Elasticsearch domain endpoints. If omitted, the default Security Group for the VPC will be used.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// List of VPC Subnet IDs for the Elasticsearch domain endpoints to be created in.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	// If the domain was created inside a VPC, the ID of the VPC.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
@@ -408,6 +593,9 @@ type VPCOptionsParameters struct {
 }
 
 type ZoneAwarenessConfigObservation struct {
+
+	// Number of Availability Zones for the domain to use with zone_awareness_enabled. Defaults to 2. Valid values: 2 or 3.
+	AvailabilityZoneCount *float64 `json:"availabilityZoneCount,omitempty" tf:"availability_zone_count,omitempty"`
 }
 
 type ZoneAwarenessConfigParameters struct {
diff --git a/apis/elasticsearch/v1beta1/zz_domainpolicy_types.go b/apis/elasticsearch/v1beta1/zz_domainpolicy_types.go
index 4794aa8668..c6cc62f545 100755
--- a/apis/elasticsearch/v1beta1/zz_domainpolicy_types.go
+++ b/apis/elasticsearch/v1beta1/zz_domainpolicy_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type DomainPolicyObservation struct {
+
+	// IAM policy document specifying the access policies for the domain
+	AccessPolicies *string `json:"accessPolicies,omitempty" tf:"access_policies,omitempty"`
+
+	// Name of the domain.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type DomainPolicyParameters struct {
 
 	// IAM policy document specifying the access policies for the domain
-	// +kubebuilder:validation:Required
-	AccessPolicies *string `json:"accessPolicies" tf:"access_policies,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccessPolicies *string `json:"accessPolicies,omitempty" tf:"access_policies,omitempty"`
 
 	// Name of the domain.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/elasticsearch/v1beta1.Domain
@@ -66,8 +73,9 @@ type DomainPolicyStatus struct {
 type DomainPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainPolicySpec   `json:"spec"`
-	Status            DomainPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicies)",message="accessPolicies is a required parameter"
+	Spec   DomainPolicySpec   `json:"spec"`
+	Status DomainPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elasticsearch/v1beta1/zz_domainsamloptions_types.go b/apis/elasticsearch/v1beta1/zz_domainsamloptions_types.go
index 3f335ac865..099f3280d5 100755
--- a/apis/elasticsearch/v1beta1/zz_domainsamloptions_types.go
+++ b/apis/elasticsearch/v1beta1/zz_domainsamloptions_types.go
@@ -17,6 +17,9 @@ type DomainSAMLOptionsObservation struct {
 
 	// The name of the domain the SAML options are associated with.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The SAML authentication options for an AWS Elasticsearch Domain.
+	SAMLOptions []SAMLOptionsObservation `json:"samlOptions,omitempty" tf:"saml_options,omitempty"`
 }
 
 type DomainSAMLOptionsParameters struct {
@@ -32,6 +35,12 @@ type DomainSAMLOptionsParameters struct {
 }
 
 type IdpObservation struct {
+
+	// The unique Entity ID of the application in SAML Identity Provider.
+	EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`
+
+	// The Metadata of the SAML application in xml format.
+	MetadataContent *string `json:"metadataContent,omitempty" tf:"metadata_content,omitempty"`
 }
 
 type IdpParameters struct {
@@ -46,6 +55,24 @@ type IdpParameters struct {
 }
 
 type SAMLOptionsObservation struct {
+
+	// Whether SAML authentication is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Information from your identity provider.
+	Idp []IdpObservation `json:"idp,omitempty" tf:"idp,omitempty"`
+
+	// This backend role from the SAML IdP receives full permissions to the cluster, equivalent to a new master user.
+	MasterBackendRole *string `json:"masterBackendRole,omitempty" tf:"master_backend_role,omitempty"`
+
+	// Element of the SAML assertion to use for backend roles. Default is roles.
+	RolesKey *string `json:"rolesKey,omitempty" tf:"roles_key,omitempty"`
+
+	// Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440.
+	SessionTimeoutMinutes *float64 `json:"sessionTimeoutMinutes,omitempty" tf:"session_timeout_minutes,omitempty"`
+
+	// Custom SAML attribute to use for user names. Default is an empty string - "". This will cause Elasticsearch to use the NameID element of the Subject, which is the default location for name identifiers in the SAML specification.
+	SubjectKey *string `json:"subjectKey,omitempty" tf:"subject_key,omitempty"`
 }
 
 type SAMLOptionsParameters struct {
diff --git a/apis/elasticsearch/v1beta1/zz_generated.deepcopy.go b/apis/elasticsearch/v1beta1/zz_generated.deepcopy.go
index 3eb98949db..ec8020ae27 100644
--- a/apis/elasticsearch/v1beta1/zz_generated.deepcopy.go
+++ b/apis/elasticsearch/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,23 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdvancedSecurityOptionsObservation) DeepCopyInto(out *AdvancedSecurityOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InternalUserDatabaseEnabled != nil {
+		in, out := &in.InternalUserDatabaseEnabled, &out.InternalUserDatabaseEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MasterUserOptions != nil {
+		in, out := &in.MasterUserOptions, &out.MasterUserOptions
+		*out = make([]MasterUserOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedSecurityOptionsObservation.
@@ -64,6 +81,23 @@ func (in *AdvancedSecurityOptionsParameters) DeepCopy() *AdvancedSecurityOptions
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoTuneOptionsObservation) DeepCopyInto(out *AutoTuneOptionsObservation) {
 	*out = *in
+	if in.DesiredState != nil {
+		in, out := &in.DesiredState, &out.DesiredState
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaintenanceSchedule != nil {
+		in, out := &in.MaintenanceSchedule, &out.MaintenanceSchedule
+		*out = make([]MaintenanceScheduleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RollbackOnDisable != nil {
+		in, out := &in.RollbackOnDisable, &out.RollbackOnDisable
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoTuneOptionsObservation.
@@ -111,6 +145,65 @@ func (in *AutoTuneOptionsParameters) DeepCopy() *AutoTuneOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterConfigObservation) DeepCopyInto(out *ClusterConfigObservation) {
 	*out = *in
+	if in.ColdStorageOptions != nil {
+		in, out := &in.ColdStorageOptions, &out.ColdStorageOptions
+		*out = make([]ColdStorageOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DedicatedMasterCount != nil {
+		in, out := &in.DedicatedMasterCount, &out.DedicatedMasterCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DedicatedMasterEnabled != nil {
+		in, out := &in.DedicatedMasterEnabled, &out.DedicatedMasterEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DedicatedMasterType != nil {
+		in, out := &in.DedicatedMasterType, &out.DedicatedMasterType
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.WarmCount != nil {
+		in, out := &in.WarmCount, &out.WarmCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WarmEnabled != nil {
+		in, out := &in.WarmEnabled, &out.WarmEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.WarmType != nil {
+		in, out := &in.WarmType, &out.WarmType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ZoneAwarenessConfig != nil {
+		in, out := &in.ZoneAwarenessConfig, &out.ZoneAwarenessConfig
+		*out = make([]ZoneAwarenessConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ZoneAwarenessEnabled != nil {
+		in, out := &in.ZoneAwarenessEnabled, &out.ZoneAwarenessEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterConfigObservation.
@@ -200,6 +293,26 @@ func (in *ClusterConfigParameters) DeepCopy() *ClusterConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CognitoOptionsObservation) DeepCopyInto(out *CognitoOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IdentityPoolID != nil {
+		in, out := &in.IdentityPoolID, &out.IdentityPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CognitoOptionsObservation.
@@ -250,6 +363,11 @@ func (in *CognitoOptionsParameters) DeepCopy() *CognitoOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ColdStorageOptionsObservation) DeepCopyInto(out *ColdStorageOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ColdStorageOptionsObservation.
@@ -312,6 +430,31 @@ func (in *Domain) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainEndpointOptionsObservation) DeepCopyInto(out *DomainEndpointOptionsObservation) {
 	*out = *in
+	if in.CustomEndpoint != nil {
+		in, out := &in.CustomEndpoint, &out.CustomEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomEndpointCertificateArn != nil {
+		in, out := &in.CustomEndpointCertificateArn, &out.CustomEndpointCertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomEndpointEnabled != nil {
+		in, out := &in.CustomEndpointEnabled, &out.CustomEndpointEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnforceHTTPS != nil {
+		in, out := &in.EnforceHTTPS, &out.EnforceHTTPS
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TLSSecurityPolicy != nil {
+		in, out := &in.TLSSecurityPolicy, &out.TLSSecurityPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainEndpointOptionsObservation.
@@ -399,16 +542,90 @@ func (in *DomainList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 	*out = *in
+	if in.AccessPolicies != nil {
+		in, out := &in.AccessPolicies, &out.AccessPolicies
+		*out = new(string)
+		**out = **in
+	}
+	if in.AdvancedOptions != nil {
+		in, out := &in.AdvancedOptions, &out.AdvancedOptions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.AdvancedSecurityOptions != nil {
+		in, out := &in.AdvancedSecurityOptions, &out.AdvancedSecurityOptions
+		*out = make([]AdvancedSecurityOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoTuneOptions != nil {
+		in, out := &in.AutoTuneOptions, &out.AutoTuneOptions
+		*out = make([]AutoTuneOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClusterConfig != nil {
+		in, out := &in.ClusterConfig, &out.ClusterConfig
+		*out = make([]ClusterConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CognitoOptions != nil {
+		in, out := &in.CognitoOptions, &out.CognitoOptions
+		*out = make([]CognitoOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DomainEndpointOptions != nil {
+		in, out := &in.DomainEndpointOptions, &out.DomainEndpointOptions
+		*out = make([]DomainEndpointOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DomainID != nil {
 		in, out := &in.DomainID, &out.DomainID
 		*out = new(string)
 		**out = **in
 	}
+	if in.EBSOptions != nil {
+		in, out := &in.EBSOptions, &out.EBSOptions
+		*out = make([]EBSOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticsearchVersion != nil {
+		in, out := &in.ElasticsearchVersion, &out.ElasticsearchVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptAtRest != nil {
+		in, out := &in.EncryptAtRest, &out.EncryptAtRest
+		*out = make([]EncryptAtRestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
@@ -424,6 +641,42 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogPublishingOptions != nil {
+		in, out := &in.LogPublishingOptions, &out.LogPublishingOptions
+		*out = make([]LogPublishingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NodeToNodeEncryption != nil {
+		in, out := &in.NodeToNodeEncryption, &out.NodeToNodeEncryption
+		*out = make([]NodeToNodeEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SnapshotOptions != nil {
+		in, out := &in.SnapshotOptions, &out.SnapshotOptions
+		*out = make([]SnapshotOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -657,6 +910,16 @@ func (in *DomainPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainPolicyObservation) DeepCopyInto(out *DomainPolicyObservation) {
 	*out = *in
+	if in.AccessPolicies != nil {
+		in, out := &in.AccessPolicies, &out.AccessPolicies
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -815,6 +1078,13 @@ func (in *DomainSAMLOptionsObservation) DeepCopyInto(out *DomainSAMLOptionsObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.SAMLOptions != nil {
+		in, out := &in.SAMLOptions, &out.SAMLOptions
+		*out = make([]SAMLOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainSAMLOptionsObservation.
@@ -925,6 +1195,16 @@ func (in *DomainStatus) DeepCopy() *DomainStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DurationObservation) DeepCopyInto(out *DurationObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DurationObservation.
@@ -965,6 +1245,31 @@ func (in *DurationParameters) DeepCopy() *DurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSOptionsObservation) DeepCopyInto(out *EBSOptionsObservation) {
 	*out = *in
+	if in.EBSEnabled != nil {
+		in, out := &in.EBSEnabled, &out.EBSEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSOptionsObservation.
@@ -1020,6 +1325,16 @@ func (in *EBSOptionsParameters) DeepCopy() *EBSOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptAtRestObservation) DeepCopyInto(out *EncryptAtRestObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptAtRestObservation.
@@ -1060,6 +1375,16 @@ func (in *EncryptAtRestParameters) DeepCopy() *EncryptAtRestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IdpObservation) DeepCopyInto(out *IdpObservation) {
 	*out = *in
+	if in.EntityID != nil {
+		in, out := &in.EntityID, &out.EntityID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetadataContent != nil {
+		in, out := &in.MetadataContent, &out.MetadataContent
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdpObservation.
@@ -1100,6 +1425,21 @@ func (in *IdpParameters) DeepCopy() *IdpParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogPublishingOptionsObservation) DeepCopyInto(out *LogPublishingOptionsObservation) {
 	*out = *in
+	if in.CloudwatchLogGroupArn != nil {
+		in, out := &in.CloudwatchLogGroupArn, &out.CloudwatchLogGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogType != nil {
+		in, out := &in.LogType, &out.LogType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogPublishingOptionsObservation.
@@ -1155,6 +1495,23 @@ func (in *LogPublishingOptionsParameters) DeepCopy() *LogPublishingOptionsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceScheduleObservation) DeepCopyInto(out *MaintenanceScheduleObservation) {
 	*out = *in
+	if in.CronExpressionForRecurrence != nil {
+		in, out := &in.CronExpressionForRecurrence, &out.CronExpressionForRecurrence
+		*out = new(string)
+		**out = **in
+	}
+	if in.Duration != nil {
+		in, out := &in.Duration, &out.Duration
+		*out = make([]DurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartAt != nil {
+		in, out := &in.StartAt, &out.StartAt
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceScheduleObservation.
@@ -1202,6 +1559,16 @@ func (in *MaintenanceScheduleParameters) DeepCopy() *MaintenanceScheduleParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MasterUserOptionsObservation) DeepCopyInto(out *MasterUserOptionsObservation) {
 	*out = *in
+	if in.MasterUserArn != nil {
+		in, out := &in.MasterUserArn, &out.MasterUserArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.MasterUserName != nil {
+		in, out := &in.MasterUserName, &out.MasterUserName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MasterUserOptionsObservation.
@@ -1247,6 +1614,11 @@ func (in *MasterUserOptionsParameters) DeepCopy() *MasterUserOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeToNodeEncryptionObservation) DeepCopyInto(out *NodeToNodeEncryptionObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeToNodeEncryptionObservation.
@@ -1282,6 +1654,38 @@ func (in *NodeToNodeEncryptionParameters) DeepCopy() *NodeToNodeEncryptionParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SAMLOptionsObservation) DeepCopyInto(out *SAMLOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Idp != nil {
+		in, out := &in.Idp, &out.Idp
+		*out = make([]IdpObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MasterBackendRole != nil {
+		in, out := &in.MasterBackendRole, &out.MasterBackendRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.RolesKey != nil {
+		in, out := &in.RolesKey, &out.RolesKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionTimeoutMinutes != nil {
+		in, out := &in.SessionTimeoutMinutes, &out.SessionTimeoutMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SubjectKey != nil {
+		in, out := &in.SubjectKey, &out.SubjectKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SAMLOptionsObservation.
@@ -1349,6 +1753,11 @@ func (in *SAMLOptionsParameters) DeepCopy() *SAMLOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapshotOptionsObservation) DeepCopyInto(out *SnapshotOptionsObservation) {
 	*out = *in
+	if in.AutomatedSnapshotStartHour != nil {
+		in, out := &in.AutomatedSnapshotStartHour, &out.AutomatedSnapshotStartHour
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotOptionsObservation.
@@ -1395,6 +1804,28 @@ func (in *VPCOptionsObservation) DeepCopyInto(out *VPCOptionsObservation) {
 			}
 		}
 	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
@@ -1452,6 +1883,11 @@ func (in *VPCOptionsParameters) DeepCopy() *VPCOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ZoneAwarenessConfigObservation) DeepCopyInto(out *ZoneAwarenessConfigObservation) {
 	*out = *in
+	if in.AvailabilityZoneCount != nil {
+		in, out := &in.AvailabilityZoneCount, &out.AvailabilityZoneCount
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZoneAwarenessConfigObservation.
diff --git a/apis/elastictranscoder/v1beta1/zz_generated.deepcopy.go b/apis/elastictranscoder/v1beta1/zz_generated.deepcopy.go
index 5bbc79e8ac..65b986b876 100644
--- a/apis/elastictranscoder/v1beta1/zz_generated.deepcopy.go
+++ b/apis/elastictranscoder/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,26 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioCodecOptionsObservation) DeepCopyInto(out *AudioCodecOptionsObservation) {
 	*out = *in
+	if in.BitDepth != nil {
+		in, out := &in.BitDepth, &out.BitDepth
+		*out = new(string)
+		**out = **in
+	}
+	if in.BitOrder != nil {
+		in, out := &in.BitOrder, &out.BitOrder
+		*out = new(string)
+		**out = **in
+	}
+	if in.Profile != nil {
+		in, out := &in.Profile, &out.Profile
+		*out = new(string)
+		**out = **in
+	}
+	if in.Signed != nil {
+		in, out := &in.Signed, &out.Signed
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioCodecOptionsObservation.
@@ -67,6 +87,31 @@ func (in *AudioCodecOptionsParameters) DeepCopy() *AudioCodecOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioObservation) DeepCopyInto(out *AudioObservation) {
 	*out = *in
+	if in.AudioPackingMode != nil {
+		in, out := &in.AudioPackingMode, &out.AudioPackingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.BitRate != nil {
+		in, out := &in.BitRate, &out.BitRate
+		*out = new(string)
+		**out = **in
+	}
+	if in.Channels != nil {
+		in, out := &in.Channels, &out.Channels
+		*out = new(string)
+		**out = **in
+	}
+	if in.Codec != nil {
+		in, out := &in.Codec, &out.Codec
+		*out = new(string)
+		**out = **in
+	}
+	if in.SampleRate != nil {
+		in, out := &in.SampleRate, &out.SampleRate
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioObservation.
@@ -122,6 +167,16 @@ func (in *AudioParameters) DeepCopy() *AudioParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentConfigObservation) DeepCopyInto(out *ContentConfigObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentConfigObservation.
@@ -172,6 +227,27 @@ func (in *ContentConfigParameters) DeepCopy() *ContentConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentConfigPermissionsObservation) DeepCopyInto(out *ContentConfigPermissionsObservation) {
 	*out = *in
+	if in.Access != nil {
+		in, out := &in.Access, &out.Access
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Grantee != nil {
+		in, out := &in.Grantee, &out.Grantee
+		*out = new(string)
+		**out = **in
+	}
+	if in.GranteeType != nil {
+		in, out := &in.GranteeType, &out.GranteeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentConfigPermissionsObservation.
@@ -223,6 +299,26 @@ func (in *ContentConfigPermissionsParameters) DeepCopy() *ContentConfigPermissio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationsObservation) DeepCopyInto(out *NotificationsObservation) {
 	*out = *in
+	if in.Completed != nil {
+		in, out := &in.Completed, &out.Completed
+		*out = new(string)
+		**out = **in
+	}
+	if in.Error != nil {
+		in, out := &in.Error, &out.Error
+		*out = new(string)
+		**out = **in
+	}
+	if in.Progressing != nil {
+		in, out := &in.Progressing, &out.Progressing
+		*out = new(string)
+		**out = **in
+	}
+	if in.Warning != nil {
+		in, out := &in.Warning, &out.Warning
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationsObservation.
@@ -337,11 +433,71 @@ func (in *PipelineObservation) DeepCopyInto(out *PipelineObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AwsKMSKeyArn != nil {
+		in, out := &in.AwsKMSKeyArn, &out.AwsKMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentConfig != nil {
+		in, out := &in.ContentConfig, &out.ContentConfig
+		*out = make([]ContentConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ContentConfigPermissions != nil {
+		in, out := &in.ContentConfigPermissions, &out.ContentConfigPermissions
+		*out = make([]ContentConfigPermissionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InputBucket != nil {
+		in, out := &in.InputBucket, &out.InputBucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Notifications != nil {
+		in, out := &in.Notifications, &out.Notifications
+		*out = make([]NotificationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputBucket != nil {
+		in, out := &in.OutputBucket, &out.OutputBucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
+	if in.ThumbnailConfig != nil {
+		in, out := &in.ThumbnailConfig, &out.ThumbnailConfig
+		*out = make([]ThumbnailConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThumbnailConfigPermissions != nil {
+		in, out := &in.ThumbnailConfigPermissions, &out.ThumbnailConfigPermissions
+		*out = make([]ThumbnailConfigPermissionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PipelineObservation.
@@ -555,11 +711,81 @@ func (in *PresetObservation) DeepCopyInto(out *PresetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Audio != nil {
+		in, out := &in.Audio, &out.Audio
+		*out = make([]AudioObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AudioCodecOptions != nil {
+		in, out := &in.AudioCodecOptions, &out.AudioCodecOptions
+		*out = make([]AudioCodecOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Container != nil {
+		in, out := &in.Container, &out.Container
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Thumbnails != nil {
+		in, out := &in.Thumbnails, &out.Thumbnails
+		*out = make([]ThumbnailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Video != nil {
+		in, out := &in.Video, &out.Video
+		*out = make([]VideoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VideoCodecOptions != nil {
+		in, out := &in.VideoCodecOptions, &out.VideoCodecOptions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VideoWatermarks != nil {
+		in, out := &in.VideoWatermarks, &out.VideoWatermarks
+		*out = make([]VideoWatermarksObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PresetObservation.
@@ -699,6 +925,16 @@ func (in *PresetStatus) DeepCopy() *PresetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThumbnailConfigObservation) DeepCopyInto(out *ThumbnailConfigObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThumbnailConfigObservation.
@@ -749,6 +985,27 @@ func (in *ThumbnailConfigParameters) DeepCopy() *ThumbnailConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThumbnailConfigPermissionsObservation) DeepCopyInto(out *ThumbnailConfigPermissionsObservation) {
 	*out = *in
+	if in.Access != nil {
+		in, out := &in.Access, &out.Access
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Grantee != nil {
+		in, out := &in.Grantee, &out.Grantee
+		*out = new(string)
+		**out = **in
+	}
+	if in.GranteeType != nil {
+		in, out := &in.GranteeType, &out.GranteeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThumbnailConfigPermissionsObservation.
@@ -800,6 +1057,46 @@ func (in *ThumbnailConfigPermissionsParameters) DeepCopy() *ThumbnailConfigPermi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThumbnailsObservation) DeepCopyInto(out *ThumbnailsObservation) {
 	*out = *in
+	if in.AspectRatio != nil {
+		in, out := &in.AspectRatio, &out.AspectRatio
+		*out = new(string)
+		**out = **in
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxHeight != nil {
+		in, out := &in.MaxHeight, &out.MaxHeight
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxWidth != nil {
+		in, out := &in.MaxWidth, &out.MaxWidth
+		*out = new(string)
+		**out = **in
+	}
+	if in.PaddingPolicy != nil {
+		in, out := &in.PaddingPolicy, &out.PaddingPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Resolution != nil {
+		in, out := &in.Resolution, &out.Resolution
+		*out = new(string)
+		**out = **in
+	}
+	if in.SizingPolicy != nil {
+		in, out := &in.SizingPolicy, &out.SizingPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThumbnailsObservation.
@@ -870,6 +1167,71 @@ func (in *ThumbnailsParameters) DeepCopy() *ThumbnailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VideoObservation) DeepCopyInto(out *VideoObservation) {
 	*out = *in
+	if in.AspectRatio != nil {
+		in, out := &in.AspectRatio, &out.AspectRatio
+		*out = new(string)
+		**out = **in
+	}
+	if in.BitRate != nil {
+		in, out := &in.BitRate, &out.BitRate
+		*out = new(string)
+		**out = **in
+	}
+	if in.Codec != nil {
+		in, out := &in.Codec, &out.Codec
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisplayAspectRatio != nil {
+		in, out := &in.DisplayAspectRatio, &out.DisplayAspectRatio
+		*out = new(string)
+		**out = **in
+	}
+	if in.FixedGop != nil {
+		in, out := &in.FixedGop, &out.FixedGop
+		*out = new(string)
+		**out = **in
+	}
+	if in.FrameRate != nil {
+		in, out := &in.FrameRate, &out.FrameRate
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyframesMaxDist != nil {
+		in, out := &in.KeyframesMaxDist, &out.KeyframesMaxDist
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxFrameRate != nil {
+		in, out := &in.MaxFrameRate, &out.MaxFrameRate
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxHeight != nil {
+		in, out := &in.MaxHeight, &out.MaxHeight
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxWidth != nil {
+		in, out := &in.MaxWidth, &out.MaxWidth
+		*out = new(string)
+		**out = **in
+	}
+	if in.PaddingPolicy != nil {
+		in, out := &in.PaddingPolicy, &out.PaddingPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Resolution != nil {
+		in, out := &in.Resolution, &out.Resolution
+		*out = new(string)
+		**out = **in
+	}
+	if in.SizingPolicy != nil {
+		in, out := &in.SizingPolicy, &out.SizingPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VideoObservation.
@@ -965,6 +1327,56 @@ func (in *VideoParameters) DeepCopy() *VideoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VideoWatermarksObservation) DeepCopyInto(out *VideoWatermarksObservation) {
 	*out = *in
+	if in.HorizontalAlign != nil {
+		in, out := &in.HorizontalAlign, &out.HorizontalAlign
+		*out = new(string)
+		**out = **in
+	}
+	if in.HorizontalOffset != nil {
+		in, out := &in.HorizontalOffset, &out.HorizontalOffset
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxHeight != nil {
+		in, out := &in.MaxHeight, &out.MaxHeight
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxWidth != nil {
+		in, out := &in.MaxWidth, &out.MaxWidth
+		*out = new(string)
+		**out = **in
+	}
+	if in.Opacity != nil {
+		in, out := &in.Opacity, &out.Opacity
+		*out = new(string)
+		**out = **in
+	}
+	if in.SizingPolicy != nil {
+		in, out := &in.SizingPolicy, &out.SizingPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
+	if in.VerticalAlign != nil {
+		in, out := &in.VerticalAlign, &out.VerticalAlign
+		*out = new(string)
+		**out = **in
+	}
+	if in.VerticalOffset != nil {
+		in, out := &in.VerticalOffset, &out.VerticalOffset
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VideoWatermarksObservation.
diff --git a/apis/elastictranscoder/v1beta1/zz_pipeline_types.go b/apis/elastictranscoder/v1beta1/zz_pipeline_types.go
index d38a3d596e..1cb08bf122 100755
--- a/apis/elastictranscoder/v1beta1/zz_pipeline_types.go
+++ b/apis/elastictranscoder/v1beta1/zz_pipeline_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ContentConfigObservation struct {
+
+	// The Amazon S3 bucket in which you want Elastic Transcoder to save transcoded files and playlists.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The Amazon S3 storage class, Standard or ReducedRedundancy, that you want Elastic Transcoder to assign to the files and playlists that it stores in your Amazon S3 bucket.
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
 }
 
 type ContentConfigParameters struct {
@@ -38,6 +44,15 @@ type ContentConfigParameters struct {
 }
 
 type ContentConfigPermissionsObservation struct {
+
+	// The permission that you want to give to the AWS user that you specified in content_config_permissions.grantee. Valid values are Read, ReadAcp, WriteAcp or FullControl.
+	Access []*string `json:"access,omitempty" tf:"access,omitempty"`
+
+	// The AWS user or group that you want to have access to transcoded files and playlists.
+	Grantee *string `json:"grantee,omitempty" tf:"grantee,omitempty"`
+
+	// Specify the type of value that appears in the content_config_permissions.grantee object. Valid values are Canonical, Email or Group.
+	GranteeType *string `json:"granteeType,omitempty" tf:"grantee_type,omitempty"`
 }
 
 type ContentConfigPermissionsParameters struct {
@@ -56,6 +71,18 @@ type ContentConfigPermissionsParameters struct {
 }
 
 type NotificationsObservation struct {
+
+	// The topic ARN for the Amazon SNS topic that you want to notify when Elastic Transcoder has finished processing a job in this pipeline.
+	Completed *string `json:"completed,omitempty" tf:"completed,omitempty"`
+
+	// The topic ARN for the Amazon SNS topic that you want to notify when Elastic Transcoder encounters an error condition while processing a job in this pipeline.
+	Error *string `json:"error,omitempty" tf:"error,omitempty"`
+
+	// The topic ARN for the Amazon Simple Notification Service (Amazon SNS) topic that you want to notify when Elastic Transcoder has started to process a job in this pipeline.
+	Progressing *string `json:"progressing,omitempty" tf:"progressing,omitempty"`
+
+	// The topic ARN for the Amazon SNS topic that you want to notify when Elastic Transcoder encounters a warning condition while processing a job in this pipeline.
+	Warning *string `json:"warning,omitempty" tf:"warning,omitempty"`
 }
 
 type NotificationsParameters struct {
@@ -82,8 +109,38 @@ type PipelineObservation struct {
 	// The ARN of the Elastictranscoder pipeline.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The AWS Key Management Service (AWS KMS) key that you want to use with this pipeline.
+	AwsKMSKeyArn *string `json:"awsKmsKeyArn,omitempty" tf:"aws_kms_key_arn,omitempty"`
+
+	// The ContentConfig object specifies information about the Amazon S3 bucket in which you want Elastic Transcoder to save transcoded files and playlists. (documented below)
+	ContentConfig []ContentConfigObservation `json:"contentConfig,omitempty" tf:"content_config,omitempty"`
+
+	// The permissions for the content_config object. (documented below)
+	ContentConfigPermissions []ContentConfigPermissionsObservation `json:"contentConfigPermissions,omitempty" tf:"content_config_permissions,omitempty"`
+
 	// The ID of the Elastictranscoder pipeline.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Amazon S3 bucket in which you saved the media files that you want to transcode and the graphics that you want to use as watermarks.
+	InputBucket *string `json:"inputBucket,omitempty" tf:"input_bucket,omitempty"`
+
+	// The name of the pipeline. Maximum 40 characters
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The Amazon Simple Notification Service (Amazon SNS) topic that you want to notify to report job status. (documented below)
+	Notifications []NotificationsObservation `json:"notifications,omitempty" tf:"notifications,omitempty"`
+
+	// The Amazon S3 bucket in which you want Elastic Transcoder to save the transcoded files.
+	OutputBucket *string `json:"outputBucket,omitempty" tf:"output_bucket,omitempty"`
+
+	// The IAM Amazon Resource Name (ARN) for the role that you want Elastic Transcoder to use to transcode jobs for this pipeline.
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+	// The ThumbnailConfig object specifies information about the Amazon S3 bucket in which you want Elastic Transcoder to save thumbnail files. (documented below)
+	ThumbnailConfig []ThumbnailConfigObservation `json:"thumbnailConfig,omitempty" tf:"thumbnail_config,omitempty"`
+
+	// The permissions for the thumbnail_config object. (documented below)
+	ThumbnailConfigPermissions []ThumbnailConfigPermissionsObservation `json:"thumbnailConfigPermissions,omitempty" tf:"thumbnail_config_permissions,omitempty"`
 }
 
 type PipelineParameters struct {
@@ -155,6 +212,12 @@ type PipelineParameters struct {
 }
 
 type ThumbnailConfigObservation struct {
+
+	// The Amazon S3 bucket in which you want Elastic Transcoder to save transcoded files and playlists.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The Amazon S3 storage class, Standard or ReducedRedundancy, that you want Elastic Transcoder to assign to the files and playlists that it stores in your Amazon S3 bucket.
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
 }
 
 type ThumbnailConfigParameters struct {
@@ -179,6 +242,15 @@ type ThumbnailConfigParameters struct {
 }
 
 type ThumbnailConfigPermissionsObservation struct {
+
+	// The permission that you want to give to the AWS user that you specified in content_config_permissions.grantee. Valid values are Read, ReadAcp, WriteAcp or FullControl.
+	Access []*string `json:"access,omitempty" tf:"access,omitempty"`
+
+	// The AWS user or group that you want to have access to transcoded files and playlists.
+	Grantee *string `json:"grantee,omitempty" tf:"grantee,omitempty"`
+
+	// Specify the type of value that appears in the content_config_permissions.grantee object. Valid values are Canonical, Email or Group.
+	GranteeType *string `json:"granteeType,omitempty" tf:"grantee_type,omitempty"`
 }
 
 type ThumbnailConfigPermissionsParameters struct {
diff --git a/apis/elastictranscoder/v1beta1/zz_preset_types.go b/apis/elastictranscoder/v1beta1/zz_preset_types.go
index d550380376..ec4249a45b 100755
--- a/apis/elastictranscoder/v1beta1/zz_preset_types.go
+++ b/apis/elastictranscoder/v1beta1/zz_preset_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type AudioCodecOptionsObservation struct {
+
+	// The bit depth of a sample is how many bits of information are included in the audio samples. Valid values are 16 and 24. (FLAC/PCM Only)
+	BitDepth *string `json:"bitDepth,omitempty" tf:"bit_depth,omitempty"`
+
+	// The order the bits of a PCM sample are stored in. The supported value is LittleEndian. (PCM Only)
+	BitOrder *string `json:"bitOrder,omitempty" tf:"bit_order,omitempty"`
+
+	// If you specified AAC for Audio:Codec, choose the AAC profile for the output file.
+	Profile *string `json:"profile,omitempty" tf:"profile,omitempty"`
+
+	// Whether audio samples are represented with negative and positive numbers (signed) or only positive numbers (unsigned). The supported value is Signed. (PCM Only)
+	Signed *string `json:"signed,omitempty" tf:"signed,omitempty"`
 }
 
 type AudioCodecOptionsParameters struct {
@@ -36,6 +48,21 @@ type AudioCodecOptionsParameters struct {
 }
 
 type AudioObservation struct {
+
+	// The method of organizing audio channels and tracks. Use Audio:Channels to specify the number of channels in your output, and Audio:AudioPackingMode to specify the number of tracks and their relation to the channels. If you do not specify an Audio:AudioPackingMode, Elastic Transcoder uses SingleTrack.
+	AudioPackingMode *string `json:"audioPackingMode,omitempty" tf:"audio_packing_mode,omitempty"`
+
+	// The bit rate of the audio stream in the output file, in kilobits/second. Enter an integer between 64 and 320, inclusive.
+	BitRate *string `json:"bitRate,omitempty" tf:"bit_rate,omitempty"`
+
+	// The number of audio channels in the output file
+	Channels *string `json:"channels,omitempty" tf:"channels,omitempty"`
+
+	// The audio codec for the output file. Valid values are AAC, flac, mp2, mp3, pcm, and vorbis.
+	Codec *string `json:"codec,omitempty" tf:"codec,omitempty"`
+
+	// The sample rate of the audio stream in the output file, in hertz. Valid values are: auto, 22050, 32000, 44100, 48000, 96000
+	SampleRate *string `json:"sampleRate,omitempty" tf:"sample_rate,omitempty"`
 }
 
 type AudioParameters struct {
@@ -66,8 +93,37 @@ type PresetObservation struct {
 	// Amazon Resource Name (ARN) of the Elastic Transcoder Preset.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Audio parameters object (documented below).
+	Audio []AudioObservation `json:"audio,omitempty" tf:"audio,omitempty"`
+
+	// Codec options for the audio parameters (documented below)
+	AudioCodecOptions []AudioCodecOptionsObservation `json:"audioCodecOptions,omitempty" tf:"audio_codec_options,omitempty"`
+
+	// The container type for the output file. Valid values are flac, flv, fmp4, gif, mp3, mp4, mpg, mxf, oga, ogg, ts, and webm.
+	Container *string `json:"container,omitempty" tf:"container,omitempty"`
+
+	// A description of the preset (maximum 255 characters)
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// A unique identifier for the settings for one watermark. The value of Id can be up to 40 characters long. You can specify settings for up to four watermarks.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the preset. (maximum 40 characters)
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Thumbnail parameters object (documented below)
+	Thumbnails []ThumbnailsObservation `json:"thumbnails,omitempty" tf:"thumbnails,omitempty"`
+
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Video parameters object (documented below)
+	Video []VideoObservation `json:"video,omitempty" tf:"video,omitempty"`
+
+	// Codec options for the video parameters
+	VideoCodecOptions map[string]*string `json:"videoCodecOptions,omitempty" tf:"video_codec_options,omitempty"`
+
+	// Watermark parameters for the video parameters (documented below)
+	VideoWatermarks []VideoWatermarksObservation `json:"videoWatermarks,omitempty" tf:"video_watermarks,omitempty"`
 }
 
 type PresetParameters struct {
@@ -81,8 +137,8 @@ type PresetParameters struct {
 	AudioCodecOptions []AudioCodecOptionsParameters `json:"audioCodecOptions,omitempty" tf:"audio_codec_options,omitempty"`
 
 	// The container type for the output file. Valid values are flac, flv, fmp4, gif, mp3, mp4, mpg, mxf, oga, ogg, ts, and webm.
-	// +kubebuilder:validation:Required
-	Container *string `json:"container" tf:"container,omitempty"`
+	// +kubebuilder:validation:Optional
+	Container *string `json:"container,omitempty" tf:"container,omitempty"`
 
 	// A description of the preset (maximum 255 characters)
 	// +kubebuilder:validation:Optional
@@ -118,6 +174,30 @@ type PresetParameters struct {
 }
 
 type ThumbnailsObservation struct {
+
+	// The aspect ratio of thumbnails. The following values are valid: auto, 1:1, 4:3, 3:2, 16:9
+	AspectRatio *string `json:"aspectRatio,omitempty" tf:"aspect_ratio,omitempty"`
+
+	// The format of thumbnails, if any. Valid formats are jpg and png.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
+
+	// The approximate number of seconds between thumbnails. The value must be an integer. The actual interval can vary by several seconds from one thumbnail to the next.
+	Interval *string `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The maximum height of thumbnails, in pixels. If you specify auto, Elastic Transcoder uses 1080 (Full HD) as the default value. If you specify a numeric value, enter an even integer between 32 and 3072, inclusive.
+	MaxHeight *string `json:"maxHeight,omitempty" tf:"max_height,omitempty"`
+
+	// The maximum width of thumbnails, in pixels. If you specify auto, Elastic Transcoder uses 1920 (Full HD) as the default value. If you specify a numeric value, enter an even integer between 32 and 4096, inclusive.
+	MaxWidth *string `json:"maxWidth,omitempty" tf:"max_width,omitempty"`
+
+	// When you set PaddingPolicy to Pad, Elastic Transcoder might add black bars to the top and bottom and/or left and right sides of thumbnails to make the total size of the thumbnails match the values that you specified for thumbnail MaxWidth and MaxHeight settings.
+	PaddingPolicy *string `json:"paddingPolicy,omitempty" tf:"padding_policy,omitempty"`
+
+	// The width and height of thumbnail files in pixels, in the format WidthxHeight, where both values are even integers. The values cannot exceed the width and height that you specified in the Video:Resolution object. (To better control resolution and aspect ratio of thumbnails, we recommend that you use the thumbnail values max_width, max_height, sizing_policy, and padding_policy instead of resolution and aspect_ratio. The two groups of settings are mutually exclusive. Do not use them together)
+	Resolution *string `json:"resolution,omitempty" tf:"resolution,omitempty"`
+
+	// A value that controls scaling of thumbnails. Valid values are: Fit, Fill, Stretch, Keep, ShrinkToFit, and ShrinkToFill.
+	SizingPolicy *string `json:"sizingPolicy,omitempty" tf:"sizing_policy,omitempty"`
 }
 
 type ThumbnailsParameters struct {
@@ -156,6 +236,45 @@ type ThumbnailsParameters struct {
 }
 
 type VideoObservation struct {
+
+	// The aspect ratio of thumbnails. The following values are valid: auto, 1:1, 4:3, 3:2, 16:9
+	AspectRatio *string `json:"aspectRatio,omitempty" tf:"aspect_ratio,omitempty"`
+
+	// The bit rate of the audio stream in the output file, in kilobits/second. Enter an integer between 64 and 320, inclusive.
+	BitRate *string `json:"bitRate,omitempty" tf:"bit_rate,omitempty"`
+
+	// The audio codec for the output file. Valid values are AAC, flac, mp2, mp3, pcm, and vorbis.
+	Codec *string `json:"codec,omitempty" tf:"codec,omitempty"`
+
+	// The value that Elastic Transcoder adds to the metadata in the output file. If you set DisplayAspectRatio to auto, Elastic Transcoder chooses an aspect ratio that ensures square pixels. If you specify another option, Elastic Transcoder sets that value in the output file.
+	DisplayAspectRatio *string `json:"displayAspectRatio,omitempty" tf:"display_aspect_ratio,omitempty"`
+
+	// Whether to use a fixed value for Video:FixedGOP. Not applicable for containers of type gif. Valid values are true and false. Also known as, Fixed Number of Frames Between Keyframes.
+	FixedGop *string `json:"fixedGop,omitempty" tf:"fixed_gop,omitempty"`
+
+	// The frames per second for the video stream in the output file. The following values are valid: auto, 10, 15, 23.97, 24, 25, 29.97, 30, 50, 60.
+	FrameRate *string `json:"frameRate,omitempty" tf:"frame_rate,omitempty"`
+
+	// The maximum number of frames between key frames. Not applicable for containers of type gif.
+	KeyframesMaxDist *string `json:"keyframesMaxDist,omitempty" tf:"keyframes_max_dist,omitempty"`
+
+	// If you specify auto for FrameRate, Elastic Transcoder uses the frame rate of the input video for the frame rate of the output video, up to the maximum frame rate. If you do not specify a MaxFrameRate, Elastic Transcoder will use a default of 30.
+	MaxFrameRate *string `json:"maxFrameRate,omitempty" tf:"max_frame_rate,omitempty"`
+
+	// The maximum height of thumbnails, in pixels. If you specify auto, Elastic Transcoder uses 1080 (Full HD) as the default value. If you specify a numeric value, enter an even integer between 32 and 3072, inclusive.
+	MaxHeight *string `json:"maxHeight,omitempty" tf:"max_height,omitempty"`
+
+	// The maximum width of thumbnails, in pixels. If you specify auto, Elastic Transcoder uses 1920 (Full HD) as the default value. If you specify a numeric value, enter an even integer between 32 and 4096, inclusive.
+	MaxWidth *string `json:"maxWidth,omitempty" tf:"max_width,omitempty"`
+
+	// When you set PaddingPolicy to Pad, Elastic Transcoder might add black bars to the top and bottom and/or left and right sides of thumbnails to make the total size of the thumbnails match the values that you specified for thumbnail MaxWidth and MaxHeight settings.
+	PaddingPolicy *string `json:"paddingPolicy,omitempty" tf:"padding_policy,omitempty"`
+
+	// The width and height of thumbnail files in pixels, in the format WidthxHeight, where both values are even integers. The values cannot exceed the width and height that you specified in the Video:Resolution object. (To better control resolution and aspect ratio of thumbnails, we recommend that you use the thumbnail values max_width, max_height, sizing_policy, and padding_policy instead of resolution and aspect_ratio. The two groups of settings are mutually exclusive. Do not use them together)
+	Resolution *string `json:"resolution,omitempty" tf:"resolution,omitempty"`
+
+	// A value that controls scaling of thumbnails. Valid values are: Fit, Fill, Stretch, Keep, ShrinkToFit, and ShrinkToFill.
+	SizingPolicy *string `json:"sizingPolicy,omitempty" tf:"sizing_policy,omitempty"`
 }
 
 type VideoParameters struct {
@@ -214,6 +333,36 @@ type VideoParameters struct {
 }
 
 type VideoWatermarksObservation struct {
+
+	// The horizontal position of the watermark unless you specify a nonzero value for horzontal_offset.
+	HorizontalAlign *string `json:"horizontalAlign,omitempty" tf:"horizontal_align,omitempty"`
+
+	// The amount by which you want the horizontal position of the watermark to be offset from the position specified by horizontal_align.
+	HorizontalOffset *string `json:"horizontalOffset,omitempty" tf:"horizontal_offset,omitempty"`
+
+	// A unique identifier for the settings for one watermark. The value of Id can be up to 40 characters long. You can specify settings for up to four watermarks.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The maximum height of thumbnails, in pixels. If you specify auto, Elastic Transcoder uses 1080 (Full HD) as the default value. If you specify a numeric value, enter an even integer between 32 and 3072, inclusive.
+	MaxHeight *string `json:"maxHeight,omitempty" tf:"max_height,omitempty"`
+
+	// The maximum width of thumbnails, in pixels. If you specify auto, Elastic Transcoder uses 1920 (Full HD) as the default value. If you specify a numeric value, enter an even integer between 32 and 4096, inclusive.
+	MaxWidth *string `json:"maxWidth,omitempty" tf:"max_width,omitempty"`
+
+	// A percentage that indicates how much you want a watermark to obscure the video in the location where it appears.
+	Opacity *string `json:"opacity,omitempty" tf:"opacity,omitempty"`
+
+	// A value that controls scaling of thumbnails. Valid values are: Fit, Fill, Stretch, Keep, ShrinkToFit, and ShrinkToFill.
+	SizingPolicy *string `json:"sizingPolicy,omitempty" tf:"sizing_policy,omitempty"`
+
+	// A value that determines how Elastic Transcoder interprets values that you specified for video_watermarks.horizontal_offset, video_watermarks.vertical_offset, video_watermarks.max_width, and video_watermarks.max_height. Valid values are Content and Frame.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
+
+	// The vertical position of the watermark unless you specify a nonzero value for vertical_align. Valid values are Top, Bottom, Center.
+	VerticalAlign *string `json:"verticalAlign,omitempty" tf:"vertical_align,omitempty"`
+
+	// The amount by which you want the vertical position of the watermark to be offset from the position specified by vertical_align
+	VerticalOffset *string `json:"verticalOffset,omitempty" tf:"vertical_offset,omitempty"`
 }
 
 type VideoWatermarksParameters struct {
@@ -283,8 +432,9 @@ type PresetStatus struct {
 type Preset struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PresetSpec   `json:"spec"`
-	Status            PresetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.container)",message="container is a required parameter"
+	Spec   PresetSpec   `json:"spec"`
+	Status PresetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_appcookiestickinesspolicy_types.go b/apis/elb/v1beta1/zz_appcookiestickinesspolicy_types.go
index 12bb4cc527..be46c8ed98 100755
--- a/apis/elb/v1beta1/zz_appcookiestickinesspolicy_types.go
+++ b/apis/elb/v1beta1/zz_appcookiestickinesspolicy_types.go
@@ -15,15 +15,27 @@ import (
 
 type AppCookieStickinessPolicyObservation struct {
 
+	// Application cookie whose lifetime the ELB's cookie should follow.
+	CookieName *string `json:"cookieName,omitempty" tf:"cookie_name,omitempty"`
+
 	// ID of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Load balancer port to which the policy
+	// should be applied. This must be an active listener on the load
+	// balancer.
+	LBPort *float64 `json:"lbPort,omitempty" tf:"lb_port,omitempty"`
+
+	// Name of load balancer to which the policy
+	// should be attached.
+	LoadBalancer *string `json:"loadBalancer,omitempty" tf:"load_balancer,omitempty"`
 }
 
 type AppCookieStickinessPolicyParameters struct {
 
 	// Application cookie whose lifetime the ELB's cookie should follow.
-	// +kubebuilder:validation:Required
-	CookieName *string `json:"cookieName" tf:"cookie_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	CookieName *string `json:"cookieName,omitempty" tf:"cookie_name,omitempty"`
 
 	// Load balancer port to which the policy
 	// should be applied. This must be an active listener on the load
@@ -75,8 +87,9 @@ type AppCookieStickinessPolicyStatus struct {
 type AppCookieStickinessPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AppCookieStickinessPolicySpec   `json:"spec"`
-	Status            AppCookieStickinessPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cookieName)",message="cookieName is a required parameter"
+	Spec   AppCookieStickinessPolicySpec   `json:"spec"`
+	Status AppCookieStickinessPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_attachment_types.go b/apis/elb/v1beta1/zz_attachment_types.go
index df27991d8b..7ff8a12999 100755
--- a/apis/elb/v1beta1/zz_attachment_types.go
+++ b/apis/elb/v1beta1/zz_attachment_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type AttachmentObservation struct {
+
+	// The name of the ELB.
+	ELB *string `json:"elb,omitempty" tf:"elb,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Instance ID to place in the ELB pool.
+	Instance *string `json:"instance,omitempty" tf:"instance,omitempty"`
 }
 
 type AttachmentParameters struct {
diff --git a/apis/elb/v1beta1/zz_backendserverpolicy_types.go b/apis/elb/v1beta1/zz_backendserverpolicy_types.go
index 536e7ca7d1..ad4969a7ff 100755
--- a/apis/elb/v1beta1/zz_backendserverpolicy_types.go
+++ b/apis/elb/v1beta1/zz_backendserverpolicy_types.go
@@ -17,13 +17,22 @@ type BackendServerPolicyObservation struct {
 
 	// The ID of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The instance port to apply the policy to.
+	InstancePort *float64 `json:"instancePort,omitempty" tf:"instance_port,omitempty"`
+
+	// The load balancer to attach the policy to.
+	LoadBalancerName *string `json:"loadBalancerName,omitempty" tf:"load_balancer_name,omitempty"`
+
+	// List of Policy Names to apply to the backend server.
+	PolicyNames []*string `json:"policyNames,omitempty" tf:"policy_names,omitempty"`
 }
 
 type BackendServerPolicyParameters struct {
 
 	// The instance port to apply the policy to.
-	// +kubebuilder:validation:Required
-	InstancePort *float64 `json:"instancePort" tf:"instance_port,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstancePort *float64 `json:"instancePort,omitempty" tf:"instance_port,omitempty"`
 
 	// The load balancer to attach the policy to.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/elb/v1beta1.ELB
@@ -72,8 +81,9 @@ type BackendServerPolicyStatus struct {
 type BackendServerPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BackendServerPolicySpec   `json:"spec"`
-	Status            BackendServerPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePort)",message="instancePort is a required parameter"
+	Spec   BackendServerPolicySpec   `json:"spec"`
+	Status BackendServerPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_elb_types.go b/apis/elb/v1beta1/zz_elb_types.go
index 8b8ea38cde..2d812dd3fc 100755
--- a/apis/elb/v1beta1/zz_elb_types.go
+++ b/apis/elb/v1beta1/zz_elb_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type AccessLogsObservation struct {
+
+	// The S3 bucket name to store the logs in.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The S3 bucket prefix. Logs are stored in the root if not configured.
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// Boolean to enable / disable access_logs. Default is true
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The publishing interval in minutes. Valid values: 5 and 60. Default: 60
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
 }
 
 type AccessLogsParameters struct {
@@ -37,20 +49,68 @@ type AccessLogsParameters struct {
 
 type ELBObservation struct {
 
+	// An Access Logs block. Access Logs documented below.
+	AccessLogs []AccessLogsObservation `json:"accessLogs,omitempty" tf:"access_logs,omitempty"`
+
 	// The ARN of the ELB
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The AZ's to serve traffic in.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	// Boolean to enable connection draining. Default: false
+	ConnectionDraining *bool `json:"connectionDraining,omitempty" tf:"connection_draining,omitempty"`
+
+	// The time in seconds to allow for connections to drain. Default: 300
+	ConnectionDrainingTimeout *float64 `json:"connectionDrainingTimeout,omitempty" tf:"connection_draining_timeout,omitempty"`
+
+	// Enable cross-zone load balancing. Default: true
+	CrossZoneLoadBalancing *bool `json:"crossZoneLoadBalancing,omitempty" tf:"cross_zone_load_balancing,omitempty"`
+
 	// The DNS name of the ELB
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are monitor, defensive (default), strictest.
+	DesyncMitigationMode *string `json:"desyncMitigationMode,omitempty" tf:"desync_mitigation_mode,omitempty"`
+
+	// A health_check block. Health Check documented below.
+	HealthCheck []HealthCheckObservation `json:"healthCheck,omitempty" tf:"health_check,omitempty"`
+
 	// The name of the ELB
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The time in seconds that the connection is allowed to be idle. Default: 60
+	IdleTimeout *float64 `json:"idleTimeout,omitempty" tf:"idle_timeout,omitempty"`
+
+	// A list of instance ids to place in the ELB pool.
+	Instances []*string `json:"instances,omitempty" tf:"instances,omitempty"`
+
+	// If true, ELB will be an internal ELB.
+	Internal *bool `json:"internal,omitempty" tf:"internal,omitempty"`
+
+	// A list of listener blocks. Listeners documented below.
+	Listener []ListenerObservation `json:"listener,omitempty" tf:"listener,omitempty"`
+
+	// A list of security group IDs to assign to the ELB.
+	// Only valid if creating an ELB within a VPC
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The name of the security group that you can use as
+	// part of your inbound rules for your load balancer's back-end application
+	// instances. Use this for Classic or Default VPC only.
+	SourceSecurityGroup *string `json:"sourceSecurityGroup,omitempty" tf:"source_security_group,omitempty"`
+
 	// The ID of the security group that you can use as
 	// part of your inbound rules for your load balancer's back-end application
 	// instances. Only available on ELBs launched in a VPC.
 	SourceSecurityGroupID *string `json:"sourceSecurityGroupId,omitempty" tf:"source_security_group_id,omitempty"`
 
+	// A list of subnet IDs to attach to the ELB.
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -110,8 +170,8 @@ type ELBParameters struct {
 	Internal *bool `json:"internal,omitempty" tf:"internal,omitempty"`
 
 	// A list of listener blocks. Listeners documented below.
-	// +kubebuilder:validation:Required
-	Listener []ListenerParameters `json:"listener" tf:"listener,omitempty"`
+	// +kubebuilder:validation:Optional
+	Listener []ListenerParameters `json:"listener,omitempty" tf:"listener,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -148,6 +208,22 @@ type ELBParameters struct {
 }
 
 type HealthCheckObservation struct {
+
+	// The number of checks before the instance is declared healthy.
+	HealthyThreshold *float64 `json:"healthyThreshold,omitempty" tf:"healthy_threshold,omitempty"`
+
+	// The publishing interval in minutes. Valid values: 5 and 60. Default: 60
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// The target of the check. Valid pattern is "${PROTOCOL}:${PORT}${PATH}", where PROTOCOL
+	// values are:
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
+
+	// The length of time before the check times out.
+	Timeout *float64 `json:"timeout,omitempty" tf:"timeout,omitempty"`
+
+	// The number of checks before the instance is declared unhealthy.
+	UnhealthyThreshold *float64 `json:"unhealthyThreshold,omitempty" tf:"unhealthy_threshold,omitempty"`
 }
 
 type HealthCheckParameters struct {
@@ -175,6 +251,24 @@ type HealthCheckParameters struct {
 }
 
 type ListenerObservation struct {
+
+	// The port on the instance to route to
+	InstancePort *float64 `json:"instancePort,omitempty" tf:"instance_port,omitempty"`
+
+	// The protocol to use to the instance. Valid
+	// values are HTTP, HTTPS, TCP, or SSL
+	InstanceProtocol *string `json:"instanceProtocol,omitempty" tf:"instance_protocol,omitempty"`
+
+	// The port to listen on for the load balancer
+	LBPort *float64 `json:"lbPort,omitempty" tf:"lb_port,omitempty"`
+
+	// The protocol to listen on. Valid values are HTTP,
+	// HTTPS, TCP, or SSL
+	LBProtocol *string `json:"lbProtocol,omitempty" tf:"lb_protocol,omitempty"`
+
+	// The ARN of an SSL certificate you have
+	// uploaded to AWS IAM. Note ECDSA-specific restrictions below.  Only valid when
+	SSLCertificateID *string `json:"sslCertificateId,omitempty" tf:"ssl_certificate_id,omitempty"`
 }
 
 type ListenerParameters struct {
@@ -227,8 +321,9 @@ type ELBStatus struct {
 type ELB struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ELBSpec   `json:"spec"`
-	Status            ELBStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.listener)",message="listener is a required parameter"
+	Spec   ELBSpec   `json:"spec"`
+	Status ELBStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_generated.deepcopy.go b/apis/elb/v1beta1/zz_generated.deepcopy.go
index 14f89cd6cf..41f1a2a958 100644
--- a/apis/elb/v1beta1/zz_generated.deepcopy.go
+++ b/apis/elb/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,26 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessLogsObservation) DeepCopyInto(out *AccessLogsObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessLogsObservation.
@@ -126,11 +146,26 @@ func (in *AppCookieStickinessPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppCookieStickinessPolicyObservation) DeepCopyInto(out *AppCookieStickinessPolicyObservation) {
 	*out = *in
+	if in.CookieName != nil {
+		in, out := &in.CookieName, &out.CookieName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LBPort != nil {
+		in, out := &in.LBPort, &out.LBPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppCookieStickinessPolicyObservation.
@@ -284,11 +319,21 @@ func (in *AttachmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttachmentObservation) DeepCopyInto(out *AttachmentObservation) {
 	*out = *in
+	if in.ELB != nil {
+		in, out := &in.ELB, &out.ELB
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Instance != nil {
+		in, out := &in.Instance, &out.Instance
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttachmentObservation.
@@ -388,6 +433,16 @@ func (in *AttachmentStatus) DeepCopy() *AttachmentStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttributeObservation) DeepCopyInto(out *AttributeObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttributeObservation.
@@ -492,6 +547,27 @@ func (in *BackendServerPolicyObservation) DeepCopyInto(out *BackendServerPolicyO
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstancePort != nil {
+		in, out := &in.InstancePort, &out.InstancePort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBalancerName != nil {
+		in, out := &in.LoadBalancerName, &out.LoadBalancerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.PolicyNames != nil {
+		in, out := &in.PolicyNames, &out.PolicyNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackendServerPolicyObservation.
@@ -651,26 +727,141 @@ func (in *ELBList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ELBObservation) DeepCopyInto(out *ELBObservation) {
 	*out = *in
+	if in.AccessLogs != nil {
+		in, out := &in.AccessLogs, &out.AccessLogs
+		*out = make([]AccessLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ConnectionDraining != nil {
+		in, out := &in.ConnectionDraining, &out.ConnectionDraining
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ConnectionDrainingTimeout != nil {
+		in, out := &in.ConnectionDrainingTimeout, &out.ConnectionDrainingTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CrossZoneLoadBalancing != nil {
+		in, out := &in.CrossZoneLoadBalancing, &out.CrossZoneLoadBalancing
+		*out = new(bool)
+		**out = **in
+	}
 	if in.DNSName != nil {
 		in, out := &in.DNSName, &out.DNSName
 		*out = new(string)
 		**out = **in
 	}
+	if in.DesyncMitigationMode != nil {
+		in, out := &in.DesyncMitigationMode, &out.DesyncMitigationMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.HealthCheck != nil {
+		in, out := &in.HealthCheck, &out.HealthCheck
+		*out = make([]HealthCheckObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdleTimeout != nil {
+		in, out := &in.IdleTimeout, &out.IdleTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Instances != nil {
+		in, out := &in.Instances, &out.Instances
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Internal != nil {
+		in, out := &in.Internal, &out.Internal
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Listener != nil {
+		in, out := &in.Listener, &out.Listener
+		*out = make([]ListenerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceSecurityGroup != nil {
+		in, out := &in.SourceSecurityGroup, &out.SourceSecurityGroup
+		*out = new(string)
+		**out = **in
+	}
 	if in.SourceSecurityGroupID != nil {
 		in, out := &in.SourceSecurityGroupID, &out.SourceSecurityGroupID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -899,6 +1090,31 @@ func (in *ELBStatus) DeepCopy() *ELBStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HealthCheckObservation) DeepCopyInto(out *HealthCheckObservation) {
 	*out = *in
+	if in.HealthyThreshold != nil {
+		in, out := &in.HealthyThreshold, &out.HealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UnhealthyThreshold != nil {
+		in, out := &in.UnhealthyThreshold, &out.UnhealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckObservation.
@@ -1013,11 +1229,31 @@ func (in *LBCookieStickinessPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBCookieStickinessPolicyObservation) DeepCopyInto(out *LBCookieStickinessPolicyObservation) {
 	*out = *in
+	if in.CookieExpirationPeriod != nil {
+		in, out := &in.CookieExpirationPeriod, &out.CookieExpirationPeriod
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LBPort != nil {
+		in, out := &in.LBPort, &out.LBPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LBCookieStickinessPolicyObservation.
@@ -1176,11 +1412,48 @@ func (in *LBSSLNegotiationPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBSSLNegotiationPolicyObservation) DeepCopyInto(out *LBSSLNegotiationPolicyObservation) {
 	*out = *in
+	if in.Attribute != nil {
+		in, out := &in.Attribute, &out.Attribute
+		*out = make([]AttributeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LBPort != nil {
+		in, out := &in.LBPort, &out.LBPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Triggers != nil {
+		in, out := &in.Triggers, &out.Triggers
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LBSSLNegotiationPolicyObservation.
@@ -1297,6 +1570,31 @@ func (in *LBSSLNegotiationPolicyStatus) DeepCopy() *LBSSLNegotiationPolicyStatus
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerObservation) DeepCopyInto(out *ListenerObservation) {
 	*out = *in
+	if in.InstancePort != nil {
+		in, out := &in.InstancePort, &out.InstancePort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceProtocol != nil {
+		in, out := &in.InstanceProtocol, &out.InstanceProtocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.LBPort != nil {
+		in, out := &in.LBPort, &out.LBPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LBProtocol != nil {
+		in, out := &in.LBProtocol, &out.LBProtocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLCertificateID != nil {
+		in, out := &in.SSLCertificateID, &out.SSLCertificateID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerObservation.
@@ -1416,6 +1714,42 @@ func (in *ListenerPolicyObservation) DeepCopyInto(out *ListenerPolicyObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoadBalancerName != nil {
+		in, out := &in.LoadBalancerName, &out.LoadBalancerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoadBalancerPort != nil {
+		in, out := &in.LoadBalancerPort, &out.LoadBalancerPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PolicyNames != nil {
+		in, out := &in.PolicyNames, &out.PolicyNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Triggers != nil {
+		in, out := &in.Triggers, &out.Triggers
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerPolicyObservation.
@@ -1558,6 +1892,16 @@ func (in *Policy) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PolicyAttributeObservation) DeepCopyInto(out *PolicyAttributeObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyAttributeObservation.
@@ -1645,6 +1989,28 @@ func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoadBalancerName != nil {
+		in, out := &in.LoadBalancerName, &out.LoadBalancerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.PolicyAttribute != nil {
+		in, out := &in.PolicyAttribute, &out.PolicyAttribute
+		*out = make([]PolicyAttributeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PolicyName != nil {
+		in, out := &in.PolicyName, &out.PolicyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.PolicyTypeName != nil {
+		in, out := &in.PolicyTypeName, &out.PolicyTypeName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation.
@@ -1810,6 +2176,22 @@ func (in *ProxyProtocolPolicyObservation) DeepCopyInto(out *ProxyProtocolPolicyO
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstancePorts != nil {
+		in, out := &in.InstancePorts, &out.InstancePorts
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.LoadBalancer != nil {
+		in, out := &in.LoadBalancer, &out.LoadBalancer
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyProtocolPolicyObservation.
diff --git a/apis/elb/v1beta1/zz_lbcookiestickinesspolicy_types.go b/apis/elb/v1beta1/zz_lbcookiestickinesspolicy_types.go
index c2520eaa29..d5a61f495a 100755
--- a/apis/elb/v1beta1/zz_lbcookiestickinesspolicy_types.go
+++ b/apis/elb/v1beta1/zz_lbcookiestickinesspolicy_types.go
@@ -15,8 +15,24 @@ import (
 
 type LBCookieStickinessPolicyObservation struct {
 
+	// The time period after which
+	// the session cookie should be considered stale, expressed in seconds.
+	CookieExpirationPeriod *float64 `json:"cookieExpirationPeriod,omitempty" tf:"cookie_expiration_period,omitempty"`
+
 	// The ID of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The load balancer port to which the policy
+	// should be applied. This must be an active listener on the load
+	// balancer.
+	LBPort *float64 `json:"lbPort,omitempty" tf:"lb_port,omitempty"`
+
+	// The load balancer to which the policy
+	// should be attached.
+	LoadBalancer *string `json:"loadBalancer,omitempty" tf:"load_balancer,omitempty"`
+
+	// The name of the stickiness policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type LBCookieStickinessPolicyParameters struct {
@@ -29,8 +45,8 @@ type LBCookieStickinessPolicyParameters struct {
 	// The load balancer port to which the policy
 	// should be applied. This must be an active listener on the load
 	// balancer.
-	// +kubebuilder:validation:Required
-	LBPort *float64 `json:"lbPort" tf:"lb_port,omitempty"`
+	// +kubebuilder:validation:Optional
+	LBPort *float64 `json:"lbPort,omitempty" tf:"lb_port,omitempty"`
 
 	// The load balancer to which the policy
 	// should be attached.
@@ -48,8 +64,8 @@ type LBCookieStickinessPolicyParameters struct {
 	LoadBalancerSelector *v1.Selector `json:"loadBalancerSelector,omitempty" tf:"-"`
 
 	// The name of the stickiness policy.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -81,8 +97,10 @@ type LBCookieStickinessPolicyStatus struct {
 type LBCookieStickinessPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBCookieStickinessPolicySpec   `json:"spec"`
-	Status            LBCookieStickinessPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lbPort)",message="lbPort is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   LBCookieStickinessPolicySpec   `json:"spec"`
+	Status LBCookieStickinessPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_lbsslnegotiationpolicy_types.go b/apis/elb/v1beta1/zz_lbsslnegotiationpolicy_types.go
index 47f10ebdae..6b1c6d002d 100755
--- a/apis/elb/v1beta1/zz_lbsslnegotiationpolicy_types.go
+++ b/apis/elb/v1beta1/zz_lbsslnegotiationpolicy_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AttributeObservation struct {
+
+	// The name of the SSL negotiation policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the attribute
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type AttributeParameters struct {
@@ -29,8 +35,26 @@ type AttributeParameters struct {
 
 type LBSSLNegotiationPolicyObservation struct {
 
+	// An SSL Negotiation policy attribute. Each has two properties:
+	Attribute []AttributeObservation `json:"attribute,omitempty" tf:"attribute,omitempty"`
+
 	// The ID of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The load balancer port to which the policy
+	// should be applied. This must be an active listener on the load
+	// balancer.
+	LBPort *float64 `json:"lbPort,omitempty" tf:"lb_port,omitempty"`
+
+	// The load balancer to which the policy
+	// should be attached.
+	LoadBalancer *string `json:"loadBalancer,omitempty" tf:"load_balancer,omitempty"`
+
+	// The name of the SSL negotiation policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Map of arbitrary keys and values that, when changed, will trigger a redeployment.
+	Triggers map[string]*string `json:"triggers,omitempty" tf:"triggers,omitempty"`
 }
 
 type LBSSLNegotiationPolicyParameters struct {
@@ -42,8 +66,8 @@ type LBSSLNegotiationPolicyParameters struct {
 	// The load balancer port to which the policy
 	// should be applied. This must be an active listener on the load
 	// balancer.
-	// +kubebuilder:validation:Required
-	LBPort *float64 `json:"lbPort" tf:"lb_port,omitempty"`
+	// +kubebuilder:validation:Optional
+	LBPort *float64 `json:"lbPort,omitempty" tf:"lb_port,omitempty"`
 
 	// The load balancer to which the policy
 	// should be attached.
@@ -61,8 +85,8 @@ type LBSSLNegotiationPolicyParameters struct {
 	LoadBalancerSelector *v1.Selector `json:"loadBalancerSelector,omitempty" tf:"-"`
 
 	// The name of the SSL negotiation policy.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -98,8 +122,10 @@ type LBSSLNegotiationPolicyStatus struct {
 type LBSSLNegotiationPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBSSLNegotiationPolicySpec   `json:"spec"`
-	Status            LBSSLNegotiationPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lbPort)",message="lbPort is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   LBSSLNegotiationPolicySpec   `json:"spec"`
+	Status LBSSLNegotiationPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_listenerpolicy_types.go b/apis/elb/v1beta1/zz_listenerpolicy_types.go
index abc1feb7d7..ce28780e6e 100755
--- a/apis/elb/v1beta1/zz_listenerpolicy_types.go
+++ b/apis/elb/v1beta1/zz_listenerpolicy_types.go
@@ -17,6 +17,18 @@ type ListenerPolicyObservation struct {
 
 	// The ID of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The load balancer to attach the policy to.
+	LoadBalancerName *string `json:"loadBalancerName,omitempty" tf:"load_balancer_name,omitempty"`
+
+	// The load balancer listener port to apply the policy to.
+	LoadBalancerPort *float64 `json:"loadBalancerPort,omitempty" tf:"load_balancer_port,omitempty"`
+
+	// List of Policy Names to apply to the backend server.
+	PolicyNames []*string `json:"policyNames,omitempty" tf:"policy_names,omitempty"`
+
+	// Map of arbitrary keys and values that, when changed, will trigger an update.
+	Triggers map[string]*string `json:"triggers,omitempty" tf:"triggers,omitempty"`
 }
 
 type ListenerPolicyParameters struct {
@@ -35,8 +47,8 @@ type ListenerPolicyParameters struct {
 	LoadBalancerNameSelector *v1.Selector `json:"loadBalancerNameSelector,omitempty" tf:"-"`
 
 	// The load balancer listener port to apply the policy to.
-	// +kubebuilder:validation:Required
-	LoadBalancerPort *float64 `json:"loadBalancerPort" tf:"load_balancer_port,omitempty"`
+	// +kubebuilder:validation:Optional
+	LoadBalancerPort *float64 `json:"loadBalancerPort,omitempty" tf:"load_balancer_port,omitempty"`
 
 	// List of Policy Names to apply to the backend server.
 	// +kubebuilder:validation:Optional
@@ -76,8 +88,9 @@ type ListenerPolicyStatus struct {
 type ListenerPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ListenerPolicySpec   `json:"spec"`
-	Status            ListenerPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.loadBalancerPort)",message="loadBalancerPort is a required parameter"
+	Spec   ListenerPolicySpec   `json:"spec"`
+	Status ListenerPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_policy_types.go b/apis/elb/v1beta1/zz_policy_types.go
index 410a1048e8..00c2ef2f6c 100755
--- a/apis/elb/v1beta1/zz_policy_types.go
+++ b/apis/elb/v1beta1/zz_policy_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type PolicyAttributeObservation struct {
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type PolicyAttributeParameters struct {
@@ -39,6 +42,18 @@ type PolicyObservation struct {
 
 	// The ID of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The load balancer on which the policy is defined.
+	LoadBalancerName *string `json:"loadBalancerName,omitempty" tf:"load_balancer_name,omitempty"`
+
+	// Policy attribute to apply to the policy.
+	PolicyAttribute []PolicyAttributeObservation `json:"policyAttribute,omitempty" tf:"policy_attribute,omitempty"`
+
+	// The name of the load balancer policy.
+	PolicyName *string `json:"policyName,omitempty" tf:"policy_name,omitempty"`
+
+	// The policy type.
+	PolicyTypeName *string `json:"policyTypeName,omitempty" tf:"policy_type_name,omitempty"`
 }
 
 type PolicyParameters struct {
@@ -61,12 +76,12 @@ type PolicyParameters struct {
 	PolicyAttribute []PolicyAttributeParameters `json:"policyAttribute,omitempty" tf:"policy_attribute,omitempty"`
 
 	// The name of the load balancer policy.
-	// +kubebuilder:validation:Required
-	PolicyName *string `json:"policyName" tf:"policy_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	PolicyName *string `json:"policyName,omitempty" tf:"policy_name,omitempty"`
 
 	// The policy type.
-	// +kubebuilder:validation:Required
-	PolicyTypeName *string `json:"policyTypeName" tf:"policy_type_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	PolicyTypeName *string `json:"policyTypeName,omitempty" tf:"policy_type_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -98,8 +113,10 @@ type PolicyStatus struct {
 type Policy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PolicySpec   `json:"spec"`
-	Status            PolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyName)",message="policyName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyTypeName)",message="policyTypeName is a required parameter"
+	Spec   PolicySpec   `json:"spec"`
+	Status PolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elb/v1beta1/zz_proxyprotocolpolicy_types.go b/apis/elb/v1beta1/zz_proxyprotocolpolicy_types.go
index c7711b39fa..30c0d1f854 100755
--- a/apis/elb/v1beta1/zz_proxyprotocolpolicy_types.go
+++ b/apis/elb/v1beta1/zz_proxyprotocolpolicy_types.go
@@ -17,14 +17,22 @@ type ProxyProtocolPolicyObservation struct {
 
 	// The ID of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// List of instance ports to which the policy
+	// should be applied. This can be specified if the protocol is SSL or TCP.
+	InstancePorts []*string `json:"instancePorts,omitempty" tf:"instance_ports,omitempty"`
+
+	// The load balancer to which the policy
+	// should be attached.
+	LoadBalancer *string `json:"loadBalancer,omitempty" tf:"load_balancer,omitempty"`
 }
 
 type ProxyProtocolPolicyParameters struct {
 
 	// List of instance ports to which the policy
 	// should be applied. This can be specified if the protocol is SSL or TCP.
-	// +kubebuilder:validation:Required
-	InstancePorts []*string `json:"instancePorts" tf:"instance_ports,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstancePorts []*string `json:"instancePorts,omitempty" tf:"instance_ports,omitempty"`
 
 	// The load balancer to which the policy
 	// should be attached.
@@ -70,8 +78,9 @@ type ProxyProtocolPolicyStatus struct {
 type ProxyProtocolPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProxyProtocolPolicySpec   `json:"spec"`
-	Status            ProxyProtocolPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePorts)",message="instancePorts is a required parameter"
+	Spec   ProxyProtocolPolicySpec   `json:"spec"`
+	Status ProxyProtocolPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elbv2/v1beta1/zz_generated.deepcopy.go b/apis/elbv2/v1beta1/zz_generated.deepcopy.go
index 63449ec538..97088c17a4 100644
--- a/apis/elbv2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/elbv2/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessLogsObservation) DeepCopyInto(out *AccessLogsObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessLogsObservation.
@@ -72,6 +87,56 @@ func (in *AccessLogsParameters) DeepCopy() *AccessLogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionAuthenticateCognitoObservation) DeepCopyInto(out *ActionAuthenticateCognitoObservation) {
 	*out = *in
+	if in.AuthenticationRequestExtraParams != nil {
+		in, out := &in.AuthenticationRequestExtraParams, &out.AuthenticationRequestExtraParams
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.OnUnauthenticatedRequest != nil {
+		in, out := &in.OnUnauthenticatedRequest, &out.OnUnauthenticatedRequest
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionCookieName != nil {
+		in, out := &in.SessionCookieName, &out.SessionCookieName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionTimeout != nil {
+		in, out := &in.SessionTimeout, &out.SessionTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UserPoolArn != nil {
+		in, out := &in.UserPoolArn, &out.UserPoolArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolClientID != nil {
+		in, out := &in.UserPoolClientID, &out.UserPoolClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolDomain != nil {
+		in, out := &in.UserPoolDomain, &out.UserPoolDomain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionAuthenticateCognitoObservation.
@@ -182,6 +247,66 @@ func (in *ActionAuthenticateCognitoParameters) DeepCopy() *ActionAuthenticateCog
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionAuthenticateOidcObservation) DeepCopyInto(out *ActionAuthenticateOidcObservation) {
 	*out = *in
+	if in.AuthenticationRequestExtraParams != nil {
+		in, out := &in.AuthenticationRequestExtraParams, &out.AuthenticationRequestExtraParams
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.AuthorizationEndpoint != nil {
+		in, out := &in.AuthorizationEndpoint, &out.AuthorizationEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Issuer != nil {
+		in, out := &in.Issuer, &out.Issuer
+		*out = new(string)
+		**out = **in
+	}
+	if in.OnUnauthenticatedRequest != nil {
+		in, out := &in.OnUnauthenticatedRequest, &out.OnUnauthenticatedRequest
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionCookieName != nil {
+		in, out := &in.SessionCookieName, &out.SessionCookieName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionTimeout != nil {
+		in, out := &in.SessionTimeout, &out.SessionTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TokenEndpoint != nil {
+		in, out := &in.TokenEndpoint, &out.TokenEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserInfoEndpoint != nil {
+		in, out := &in.UserInfoEndpoint, &out.UserInfoEndpoint
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionAuthenticateOidcObservation.
@@ -273,6 +398,21 @@ func (in *ActionAuthenticateOidcParameters) DeepCopy() *ActionAuthenticateOidcPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionFixedResponseObservation) DeepCopyInto(out *ActionFixedResponseObservation) {
 	*out = *in
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.MessageBody != nil {
+		in, out := &in.MessageBody, &out.MessageBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionFixedResponseObservation.
@@ -318,6 +458,20 @@ func (in *ActionFixedResponseParameters) DeepCopy() *ActionFixedResponseParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionForwardObservation) DeepCopyInto(out *ActionForwardObservation) {
 	*out = *in
+	if in.Stickiness != nil {
+		in, out := &in.Stickiness, &out.Stickiness
+		*out = make([]ForwardStickinessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetGroup != nil {
+		in, out := &in.TargetGroup, &out.TargetGroup
+		*out = make([]ForwardTargetGroupObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionForwardObservation.
@@ -362,6 +516,56 @@ func (in *ActionForwardParameters) DeepCopy() *ActionForwardParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.AuthenticateCognito != nil {
+		in, out := &in.AuthenticateCognito, &out.AuthenticateCognito
+		*out = make([]ActionAuthenticateCognitoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AuthenticateOidc != nil {
+		in, out := &in.AuthenticateOidc, &out.AuthenticateOidc
+		*out = make([]ActionAuthenticateOidcObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FixedResponse != nil {
+		in, out := &in.FixedResponse, &out.FixedResponse
+		*out = make([]ActionFixedResponseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Forward != nil {
+		in, out := &in.Forward, &out.Forward
+		*out = make([]ActionForwardObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Order != nil {
+		in, out := &in.Order, &out.Order
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Redirect != nil {
+		in, out := &in.Redirect, &out.Redirect
+		*out = make([]ActionRedirectObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetGroupArn != nil {
+		in, out := &in.TargetGroupArn, &out.TargetGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -452,6 +656,36 @@ func (in *ActionParameters) DeepCopy() *ActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionRedirectObservation) DeepCopyInto(out *ActionRedirectObservation) {
 	*out = *in
+	if in.Host != nil {
+		in, out := &in.Host, &out.Host
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Query != nil {
+		in, out := &in.Query, &out.Query
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionRedirectObservation.
@@ -512,6 +746,56 @@ func (in *ActionRedirectParameters) DeepCopy() *ActionRedirectParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthenticateCognitoObservation) DeepCopyInto(out *AuthenticateCognitoObservation) {
 	*out = *in
+	if in.AuthenticationRequestExtraParams != nil {
+		in, out := &in.AuthenticationRequestExtraParams, &out.AuthenticationRequestExtraParams
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.OnUnauthenticatedRequest != nil {
+		in, out := &in.OnUnauthenticatedRequest, &out.OnUnauthenticatedRequest
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionCookieName != nil {
+		in, out := &in.SessionCookieName, &out.SessionCookieName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionTimeout != nil {
+		in, out := &in.SessionTimeout, &out.SessionTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UserPoolArn != nil {
+		in, out := &in.UserPoolArn, &out.UserPoolArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolClientID != nil {
+		in, out := &in.UserPoolClientID, &out.UserPoolClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolDomain != nil {
+		in, out := &in.UserPoolDomain, &out.UserPoolDomain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticateCognitoObservation.
@@ -592,6 +876,66 @@ func (in *AuthenticateCognitoParameters) DeepCopy() *AuthenticateCognitoParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthenticateOidcObservation) DeepCopyInto(out *AuthenticateOidcObservation) {
 	*out = *in
+	if in.AuthenticationRequestExtraParams != nil {
+		in, out := &in.AuthenticationRequestExtraParams, &out.AuthenticationRequestExtraParams
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.AuthorizationEndpoint != nil {
+		in, out := &in.AuthorizationEndpoint, &out.AuthorizationEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Issuer != nil {
+		in, out := &in.Issuer, &out.Issuer
+		*out = new(string)
+		**out = **in
+	}
+	if in.OnUnauthenticatedRequest != nil {
+		in, out := &in.OnUnauthenticatedRequest, &out.OnUnauthenticatedRequest
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionCookieName != nil {
+		in, out := &in.SessionCookieName, &out.SessionCookieName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionTimeout != nil {
+		in, out := &in.SessionTimeout, &out.SessionTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TokenEndpoint != nil {
+		in, out := &in.TokenEndpoint, &out.TokenEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserInfoEndpoint != nil {
+		in, out := &in.UserInfoEndpoint, &out.UserInfoEndpoint
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticateOidcObservation.
@@ -683,6 +1027,48 @@ func (in *AuthenticateOidcParameters) DeepCopy() *AuthenticateOidcParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionObservation) DeepCopyInto(out *ConditionObservation) {
 	*out = *in
+	if in.HTTPHeader != nil {
+		in, out := &in.HTTPHeader, &out.HTTPHeader
+		*out = make([]HTTPHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTPRequestMethod != nil {
+		in, out := &in.HTTPRequestMethod, &out.HTTPRequestMethod
+		*out = make([]HTTPRequestMethodObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HostHeader != nil {
+		in, out := &in.HostHeader, &out.HostHeader
+		*out = make([]HostHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PathPattern != nil {
+		in, out := &in.PathPattern, &out.PathPattern
+		*out = make([]PathPatternObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.QueryString != nil {
+		in, out := &in.QueryString, &out.QueryString
+		*out = make([]QueryStringObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceIP != nil {
+		in, out := &in.SourceIP, &out.SourceIP
+		*out = make([]SourceIPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionObservation.
@@ -755,6 +1141,56 @@ func (in *ConditionParameters) DeepCopy() *ConditionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultActionObservation) DeepCopyInto(out *DefaultActionObservation) {
 	*out = *in
+	if in.AuthenticateCognito != nil {
+		in, out := &in.AuthenticateCognito, &out.AuthenticateCognito
+		*out = make([]AuthenticateCognitoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AuthenticateOidc != nil {
+		in, out := &in.AuthenticateOidc, &out.AuthenticateOidc
+		*out = make([]AuthenticateOidcObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FixedResponse != nil {
+		in, out := &in.FixedResponse, &out.FixedResponse
+		*out = make([]FixedResponseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Forward != nil {
+		in, out := &in.Forward, &out.Forward
+		*out = make([]ForwardObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Order != nil {
+		in, out := &in.Order, &out.Order
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Redirect != nil {
+		in, out := &in.Redirect, &out.Redirect
+		*out = make([]RedirectObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetGroupArn != nil {
+		in, out := &in.TargetGroupArn, &out.TargetGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultActionObservation.
@@ -845,6 +1281,21 @@ func (in *DefaultActionParameters) DeepCopy() *DefaultActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FixedResponseObservation) DeepCopyInto(out *FixedResponseObservation) {
 	*out = *in
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.MessageBody != nil {
+		in, out := &in.MessageBody, &out.MessageBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FixedResponseObservation.
@@ -890,6 +1341,20 @@ func (in *FixedResponseParameters) DeepCopy() *FixedResponseParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ForwardObservation) DeepCopyInto(out *ForwardObservation) {
 	*out = *in
+	if in.Stickiness != nil {
+		in, out := &in.Stickiness, &out.Stickiness
+		*out = make([]StickinessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetGroup != nil {
+		in, out := &in.TargetGroup, &out.TargetGroup
+		*out = make([]TargetGroupObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForwardObservation.
@@ -934,6 +1399,16 @@ func (in *ForwardParameters) DeepCopy() *ForwardParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ForwardStickinessObservation) DeepCopyInto(out *ForwardStickinessObservation) {
 	*out = *in
+	if in.Duration != nil {
+		in, out := &in.Duration, &out.Duration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForwardStickinessObservation.
@@ -974,6 +1449,16 @@ func (in *ForwardStickinessParameters) DeepCopy() *ForwardStickinessParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ForwardTargetGroupObservation) DeepCopyInto(out *ForwardTargetGroupObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ForwardTargetGroupObservation.
@@ -1024,6 +1509,22 @@ func (in *ForwardTargetGroupParameters) DeepCopy() *ForwardTargetGroupParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPHeaderObservation) DeepCopyInto(out *HTTPHeaderObservation) {
 	*out = *in
+	if in.HTTPHeaderName != nil {
+		in, out := &in.HTTPHeaderName, &out.HTTPHeaderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPHeaderObservation.
@@ -1070,6 +1571,17 @@ func (in *HTTPHeaderParameters) DeepCopy() *HTTPHeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPRequestMethodObservation) DeepCopyInto(out *HTTPRequestMethodObservation) {
 	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPRequestMethodObservation.
@@ -1111,6 +1623,51 @@ func (in *HTTPRequestMethodParameters) DeepCopy() *HTTPRequestMethodParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HealthCheckObservation) DeepCopyInto(out *HealthCheckObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HealthyThreshold != nil {
+		in, out := &in.HealthyThreshold, &out.HealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Interval != nil {
+		in, out := &in.Interval, &out.Interval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Matcher != nil {
+		in, out := &in.Matcher, &out.Matcher
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UnhealthyThreshold != nil {
+		in, out := &in.UnhealthyThreshold, &out.UnhealthyThreshold
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckObservation.
@@ -1186,6 +1743,17 @@ func (in *HealthCheckParameters) DeepCopy() *HealthCheckParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostHeaderObservation) DeepCopyInto(out *HostHeaderObservation) {
 	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostHeaderObservation.
@@ -1345,16 +1913,68 @@ func (in *LBListenerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBListenerObservation) DeepCopyInto(out *LBListenerObservation) {
 	*out = *in
+	if in.AlpnPolicy != nil {
+		in, out := &in.AlpnPolicy, &out.AlpnPolicy
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.CertificateArn != nil {
+		in, out := &in.CertificateArn, &out.CertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultAction != nil {
+		in, out := &in.DefaultAction, &out.DefaultAction
+		*out = make([]DefaultActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoadBalancerArn != nil {
+		in, out := &in.LoadBalancerArn, &out.LoadBalancerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLPolicy != nil {
+		in, out := &in.SSLPolicy, &out.SSLPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1526,16 +2146,55 @@ func (in *LBListenerRuleList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBListenerRuleObservation) DeepCopyInto(out *LBListenerRuleObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Condition != nil {
+		in, out := &in.Condition, &out.Condition
+		*out = make([]ConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ListenerArn != nil {
+		in, out := &in.ListenerArn, &out.ListenerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1703,6 +2362,13 @@ func (in *LBListenerStatus) DeepCopy() *LBListenerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBObservation) DeepCopyInto(out *LBObservation) {
 	*out = *in
+	if in.AccessLogs != nil {
+		in, out := &in.AccessLogs, &out.AccessLogs
+		*out = make([]AccessLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -1713,16 +2379,92 @@ func (in *LBObservation) DeepCopyInto(out *LBObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomerOwnedIPv4Pool != nil {
+		in, out := &in.CustomerOwnedIPv4Pool, &out.CustomerOwnedIPv4Pool
+		*out = new(string)
+		**out = **in
+	}
 	if in.DNSName != nil {
 		in, out := &in.DNSName, &out.DNSName
 		*out = new(string)
 		**out = **in
 	}
+	if in.DesyncMitigationMode != nil {
+		in, out := &in.DesyncMitigationMode, &out.DesyncMitigationMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.DropInvalidHeaderFields != nil {
+		in, out := &in.DropInvalidHeaderFields, &out.DropInvalidHeaderFields
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableCrossZoneLoadBalancing != nil {
+		in, out := &in.EnableCrossZoneLoadBalancing, &out.EnableCrossZoneLoadBalancing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableDeletionProtection != nil {
+		in, out := &in.EnableDeletionProtection, &out.EnableDeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableHttp2 != nil {
+		in, out := &in.EnableHttp2, &out.EnableHttp2
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableWafFailOpen != nil {
+		in, out := &in.EnableWafFailOpen, &out.EnableWafFailOpen
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddressType != nil {
+		in, out := &in.IPAddressType, &out.IPAddressType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdleTimeout != nil {
+		in, out := &in.IdleTimeout, &out.IdleTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Internal != nil {
+		in, out := &in.Internal, &out.Internal
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LoadBalancerType != nil {
+		in, out := &in.LoadBalancerType, &out.LoadBalancerType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreserveHostHeader != nil {
+		in, out := &in.PreserveHostHeader, &out.PreserveHostHeader
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.SubnetMapping != nil {
 		in, out := &in.SubnetMapping, &out.SubnetMapping
 		*out = make([]SubnetMappingObservation, len(*in))
@@ -1730,6 +2472,32 @@ func (in *LBObservation) DeepCopyInto(out *LBObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2050,11 +2818,31 @@ func (in *LBTargetGroupAttachmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBTargetGroupAttachmentObservation) DeepCopyInto(out *LBTargetGroupAttachmentObservation) {
 	*out = *in
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TargetGroupArn != nil {
+		in, out := &in.TargetGroupArn, &out.TargetGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetID != nil {
+		in, out := &in.TargetID, &out.TargetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LBTargetGroupAttachmentObservation.
@@ -2196,11 +2984,100 @@ func (in *LBTargetGroupObservation) DeepCopyInto(out *LBTargetGroupObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConnectionTermination != nil {
+		in, out := &in.ConnectionTermination, &out.ConnectionTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeregistrationDelay != nil {
+		in, out := &in.DeregistrationDelay, &out.DeregistrationDelay
+		*out = new(string)
+		**out = **in
+	}
+	if in.HealthCheck != nil {
+		in, out := &in.HealthCheck, &out.HealthCheck
+		*out = make([]HealthCheckObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddressType != nil {
+		in, out := &in.IPAddressType, &out.IPAddressType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaMultiValueHeadersEnabled != nil {
+		in, out := &in.LambdaMultiValueHeadersEnabled, &out.LambdaMultiValueHeadersEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LoadBalancingAlgorithmType != nil {
+		in, out := &in.LoadBalancingAlgorithmType, &out.LoadBalancingAlgorithmType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PreserveClientIP != nil {
+		in, out := &in.PreserveClientIP, &out.PreserveClientIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProtocolVersion != nil {
+		in, out := &in.ProtocolVersion, &out.ProtocolVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProxyProtocolV2 != nil {
+		in, out := &in.ProxyProtocolV2, &out.ProxyProtocolV2
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SlowStart != nil {
+		in, out := &in.SlowStart, &out.SlowStart
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Stickiness != nil {
+		in, out := &in.Stickiness, &out.Stickiness
+		*out = make([]LBTargetGroupStickinessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2216,6 +3093,23 @@ func (in *LBTargetGroupObservation) DeepCopyInto(out *LBTargetGroupObservation)
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetFailover != nil {
+		in, out := &in.TargetFailover, &out.TargetFailover
+		*out = make([]TargetFailoverObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetType != nil {
+		in, out := &in.TargetType, &out.TargetType
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LBTargetGroupObservation.
@@ -2401,6 +3295,26 @@ func (in *LBTargetGroupStatus) DeepCopy() *LBTargetGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBTargetGroupStickinessObservation) DeepCopyInto(out *LBTargetGroupStickinessObservation) {
 	*out = *in
+	if in.CookieDuration != nil {
+		in, out := &in.CookieDuration, &out.CookieDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CookieName != nil {
+		in, out := &in.CookieName, &out.CookieName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LBTargetGroupStickinessObservation.
@@ -2451,6 +3365,17 @@ func (in *LBTargetGroupStickinessParameters) DeepCopy() *LBTargetGroupStickiness
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PathPatternObservation) DeepCopyInto(out *PathPatternObservation) {
 	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PathPatternObservation.
@@ -2492,6 +3417,16 @@ func (in *PathPatternParameters) DeepCopy() *PathPatternParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueryStringObservation) DeepCopyInto(out *QueryStringObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueryStringObservation.
@@ -2532,6 +3467,36 @@ func (in *QueryStringParameters) DeepCopy() *QueryStringParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedirectObservation) DeepCopyInto(out *RedirectObservation) {
 	*out = *in
+	if in.Host != nil {
+		in, out := &in.Host, &out.Host
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Query != nil {
+		in, out := &in.Query, &out.Query
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedirectObservation.
@@ -2592,6 +3557,17 @@ func (in *RedirectParameters) DeepCopy() *RedirectParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceIPObservation) DeepCopyInto(out *SourceIPObservation) {
 	*out = *in
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceIPObservation.
@@ -2633,6 +3609,16 @@ func (in *SourceIPParameters) DeepCopy() *SourceIPParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StickinessObservation) DeepCopyInto(out *StickinessObservation) {
 	*out = *in
+	if in.Duration != nil {
+		in, out := &in.Duration, &out.Duration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StickinessObservation.
@@ -2673,11 +3659,31 @@ func (in *StickinessParameters) DeepCopy() *StickinessParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubnetMappingObservation) DeepCopyInto(out *SubnetMappingObservation) {
 	*out = *in
+	if in.AllocationID != nil {
+		in, out := &in.AllocationID, &out.AllocationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPv6Address != nil {
+		in, out := &in.IPv6Address, &out.IPv6Address
+		*out = new(string)
+		**out = **in
+	}
 	if in.OutpostID != nil {
 		in, out := &in.OutpostID, &out.OutpostID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PrivateIPv4Address != nil {
+		in, out := &in.PrivateIPv4Address, &out.PrivateIPv4Address
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubnetMappingObservation.
@@ -2738,6 +3744,16 @@ func (in *SubnetMappingParameters) DeepCopy() *SubnetMappingParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetFailoverObservation) DeepCopyInto(out *TargetFailoverObservation) {
 	*out = *in
+	if in.OnDeregistration != nil {
+		in, out := &in.OnDeregistration, &out.OnDeregistration
+		*out = new(string)
+		**out = **in
+	}
+	if in.OnUnhealthy != nil {
+		in, out := &in.OnUnhealthy, &out.OnUnhealthy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetFailoverObservation.
@@ -2778,6 +3794,16 @@ func (in *TargetFailoverParameters) DeepCopy() *TargetFailoverParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetGroupObservation) DeepCopyInto(out *TargetGroupObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetGroupObservation.
diff --git a/apis/elbv2/v1beta1/zz_lb_types.go b/apis/elbv2/v1beta1/zz_lb_types.go
index 88a3d0f2d5..f0ef80362b 100755
--- a/apis/elbv2/v1beta1/zz_lb_types.go
+++ b/apis/elbv2/v1beta1/zz_lb_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AccessLogsObservation struct {
+
+	// The S3 bucket name to store the logs in.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Boolean to enable / disable access_logs. Defaults to false, even when bucket is specified.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The S3 bucket prefix. Logs are stored in the root if not configured.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type AccessLogsParameters struct {
@@ -42,22 +51,75 @@ type AccessLogsParameters struct {
 
 type LBObservation struct {
 
+	// An Access Logs block. Access Logs documented below.
+	AccessLogs []AccessLogsObservation `json:"accessLogs,omitempty" tf:"access_logs,omitempty"`
+
 	// The ARN of the load balancer (matches id).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The ARN suffix for use with CloudWatch Metrics.
 	ArnSuffix *string `json:"arnSuffix,omitempty" tf:"arn_suffix,omitempty"`
 
+	// The ID of the customer owned ipv4 pool to use for this load balancer.
+	CustomerOwnedIPv4Pool *string `json:"customerOwnedIpv4Pool,omitempty" tf:"customer_owned_ipv4_pool,omitempty"`
+
 	// The DNS name of the load balancer.
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// Determines how the load balancer handles requests that might pose a security risk to an application due to HTTP desync. Valid values are monitor, defensive (default), strictest.
+	DesyncMitigationMode *string `json:"desyncMitigationMode,omitempty" tf:"desync_mitigation_mode,omitempty"`
+
+	// Indicates whether HTTP headers with header fields that are not valid are removed by the load balancer (true) or routed to targets (false). The default is false. Elastic Load Balancing requires that message header names contain only alphanumeric characters and hyphens. Only valid for Load Balancers of type application.
+	DropInvalidHeaderFields *bool `json:"dropInvalidHeaderFields,omitempty" tf:"drop_invalid_header_fields,omitempty"`
+
+	// If true, cross-zone load balancing of the load balancer will be enabled. For network and gateway type load balancers, this feature is disabled by default (false). For application load balancer this feature is always enabled (true) and cannot be disabled. Defaults to false.
+	EnableCrossZoneLoadBalancing *bool `json:"enableCrossZoneLoadBalancing,omitempty" tf:"enable_cross_zone_load_balancing,omitempty"`
+
+	// If true, deletion of the load balancer will be disabled via the AWS API. Defaults to false.
+	EnableDeletionProtection *bool `json:"enableDeletionProtection,omitempty" tf:"enable_deletion_protection,omitempty"`
+
+	// Indicates whether HTTP/2 is enabled in application load balancers. Defaults to true.
+	EnableHttp2 *bool `json:"enableHttp2,omitempty" tf:"enable_http2,omitempty"`
+
+	// Indicates whether to allow a WAF-enabled load balancer to route requests to targets if it is unable to forward the request to AWS WAF. Defaults to false.
+	EnableWafFailOpen *bool `json:"enableWafFailOpen,omitempty" tf:"enable_waf_fail_open,omitempty"`
+
 	// The ARN of the load balancer (matches arn).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The type of IP addresses used by the subnets for your load balancer. The possible values are ipv4 and dualstack.
+	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
+
+	// The time in seconds that the connection is allowed to be idle. Only valid for Load Balancers of type application. Default: 60.
+	IdleTimeout *float64 `json:"idleTimeout,omitempty" tf:"idle_timeout,omitempty"`
+
+	// If true, the LB will be internal.
+	Internal *bool `json:"internal,omitempty" tf:"internal,omitempty"`
+
+	// The type of load balancer to create. Possible values are application, gateway, or network. The default value is application.
+	LoadBalancerType *string `json:"loadBalancerType,omitempty" tf:"load_balancer_type,omitempty"`
+
+	// The name of the LB. This name must be unique within your AWS account, can have a maximum of 32 characters,
+	// must contain only alphanumeric characters or hyphens, and must not begin or end with a hyphen.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Indicates whether the Application Load Balancer should preserve the Host header in the HTTP request and send it to the target without any change. Defaults to false.
+	PreserveHostHeader *bool `json:"preserveHostHeader,omitempty" tf:"preserve_host_header,omitempty"`
+
+	// A list of security group IDs to assign to the LB. Only valid for Load Balancers of type application.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
 	// A subnet mapping block as documented below.
-	// +kubebuilder:validation:Optional
 	SubnetMapping []SubnetMappingObservation `json:"subnetMapping,omitempty" tf:"subnet_mapping,omitempty"`
 
+	// A list of subnet IDs to attach to the LB. Subnets
+	// cannot be updated for Load Balancers of type network. Changing this value
+	// for load balancers of type network will force a recreation of the resource.
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -175,8 +237,20 @@ type LBParameters struct {
 
 type SubnetMappingObservation struct {
 
+	// The allocation ID of the Elastic IP address for an internet-facing load balancer.
+	AllocationID *string `json:"allocationId,omitempty" tf:"allocation_id,omitempty"`
+
+	// The IPv6 address. You associate IPv6 CIDR blocks with your VPC and choose the subnets where you launch both internet-facing and internal Application Load Balancers or Network Load Balancers.
+	IPv6Address *string `json:"ipv6Address,omitempty" tf:"ipv6_address,omitempty"`
+
 	// ID of the Outpost containing the load balancer.
 	OutpostID *string `json:"outpostId,omitempty" tf:"outpost_id,omitempty"`
+
+	// The private IPv4 address for an internal load balancer.
+	PrivateIPv4Address *string `json:"privateIpv4Address,omitempty" tf:"private_ipv4_address,omitempty"`
+
+	// ID of the subnet of which to attach to the load balancer. You can specify only one subnet per Availability Zone.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type SubnetMappingParameters struct {
diff --git a/apis/elbv2/v1beta1/zz_lblistener_types.go b/apis/elbv2/v1beta1/zz_lblistener_types.go
index bae93f2af7..6e09e16a14 100755
--- a/apis/elbv2/v1beta1/zz_lblistener_types.go
+++ b/apis/elbv2/v1beta1/zz_lblistener_types.go
@@ -14,6 +14,30 @@ import (
 )
 
 type AuthenticateCognitoObservation struct {
+
+	// Query parameters to include in the redirect request to the authorization endpoint. Max: 10. Detailed below.
+	AuthenticationRequestExtraParams map[string]*string `json:"authenticationRequestExtraParams,omitempty" tf:"authentication_request_extra_params,omitempty"`
+
+	// Behavior if the user is not authenticated. Valid values are deny, allow and authenticate.
+	OnUnauthenticatedRequest *string `json:"onUnauthenticatedRequest,omitempty" tf:"on_unauthenticated_request,omitempty"`
+
+	// Set of user claims to be requested from the IdP.
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// Name of the cookie used to maintain session information.
+	SessionCookieName *string `json:"sessionCookieName,omitempty" tf:"session_cookie_name,omitempty"`
+
+	// Maximum duration of the authentication session, in seconds.
+	SessionTimeout *float64 `json:"sessionTimeout,omitempty" tf:"session_timeout,omitempty"`
+
+	// ARN of the Cognito user pool.
+	UserPoolArn *string `json:"userPoolArn,omitempty" tf:"user_pool_arn,omitempty"`
+
+	// ID of the Cognito user pool client.
+	UserPoolClientID *string `json:"userPoolClientId,omitempty" tf:"user_pool_client_id,omitempty"`
+
+	// Domain prefix or fully-qualified domain name of the Cognito user pool.
+	UserPoolDomain *string `json:"userPoolDomain,omitempty" tf:"user_pool_domain,omitempty"`
 }
 
 type AuthenticateCognitoParameters struct {
@@ -52,6 +76,36 @@ type AuthenticateCognitoParameters struct {
 }
 
 type AuthenticateOidcObservation struct {
+
+	// Query parameters to include in the redirect request to the authorization endpoint. Max: 10.
+	AuthenticationRequestExtraParams map[string]*string `json:"authenticationRequestExtraParams,omitempty" tf:"authentication_request_extra_params,omitempty"`
+
+	// Authorization endpoint of the IdP.
+	AuthorizationEndpoint *string `json:"authorizationEndpoint,omitempty" tf:"authorization_endpoint,omitempty"`
+
+	// OAuth 2.0 client identifier.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// OIDC issuer identifier of the IdP.
+	Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
+
+	// Behavior if the user is not authenticated. Valid values: deny, allow and authenticate
+	OnUnauthenticatedRequest *string `json:"onUnauthenticatedRequest,omitempty" tf:"on_unauthenticated_request,omitempty"`
+
+	// Set of user claims to be requested from the IdP.
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// Name of the cookie used to maintain session information.
+	SessionCookieName *string `json:"sessionCookieName,omitempty" tf:"session_cookie_name,omitempty"`
+
+	// Maximum duration of the authentication session, in seconds.
+	SessionTimeout *float64 `json:"sessionTimeout,omitempty" tf:"session_timeout,omitempty"`
+
+	// Token endpoint of the IdP.
+	TokenEndpoint *string `json:"tokenEndpoint,omitempty" tf:"token_endpoint,omitempty"`
+
+	// User info endpoint of the IdP.
+	UserInfoEndpoint *string `json:"userInfoEndpoint,omitempty" tf:"user_info_endpoint,omitempty"`
 }
 
 type AuthenticateOidcParameters struct {
@@ -102,6 +156,30 @@ type AuthenticateOidcParameters struct {
 }
 
 type DefaultActionObservation struct {
+
+	// Configuration block for using Amazon Cognito to authenticate users. Specify only when type is authenticate-cognito. Detailed below.
+	AuthenticateCognito []AuthenticateCognitoObservation `json:"authenticateCognito,omitempty" tf:"authenticate_cognito,omitempty"`
+
+	// Configuration block for an identity provider that is compliant with OpenID Connect (OIDC). Specify only when type is authenticate-oidc. Detailed below.
+	AuthenticateOidc []AuthenticateOidcObservation `json:"authenticateOidc,omitempty" tf:"authenticate_oidc,omitempty"`
+
+	// Information for creating an action that returns a custom HTTP response. Required if type is fixed-response.
+	FixedResponse []FixedResponseObservation `json:"fixedResponse,omitempty" tf:"fixed_response,omitempty"`
+
+	// Configuration block for creating an action that distributes requests among one or more target groups. Specify only if type is forward. If you specify both forward block and target_group_arn attribute, you can specify only one target group using forward and it must be the same target group specified in target_group_arn. Detailed below.
+	Forward []ForwardObservation `json:"forward,omitempty" tf:"forward,omitempty"`
+
+	// Order for the action. This value is required for rules with multiple actions. The action with the lowest value for order is performed first. Valid values are between 1 and 50000.
+	Order *float64 `json:"order,omitempty" tf:"order,omitempty"`
+
+	// Configuration block for creating a redirect action. Required if type is redirect. Detailed below.
+	Redirect []RedirectObservation `json:"redirect,omitempty" tf:"redirect,omitempty"`
+
+	// ARN of the Target Group to which to route traffic. Specify only if type is forward and you want to route to a single target group. To route to one or more target groups, use a forward block instead.
+	TargetGroupArn *string `json:"targetGroupArn,omitempty" tf:"target_group_arn,omitempty"`
+
+	// Type of routing action. Valid values are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DefaultActionParameters struct {
@@ -149,6 +227,15 @@ type DefaultActionParameters struct {
 }
 
 type FixedResponseObservation struct {
+
+	// Content type. Valid values are text/plain, text/css, text/html, application/javascript and application/json.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Message body.
+	MessageBody *string `json:"messageBody,omitempty" tf:"message_body,omitempty"`
+
+	// HTTP response code. Valid values are 2XX, 4XX, or 5XX.
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type FixedResponseParameters struct {
@@ -167,6 +254,12 @@ type FixedResponseParameters struct {
 }
 
 type ForwardObservation struct {
+
+	// Configuration block for target group stickiness for the rule. Detailed below.
+	Stickiness []StickinessObservation `json:"stickiness,omitempty" tf:"stickiness,omitempty"`
+
+	// Set of 1-5 target group blocks. Detailed below.
+	TargetGroup []TargetGroupObservation `json:"targetGroup,omitempty" tf:"target_group,omitempty"`
 }
 
 type ForwardParameters struct {
@@ -182,12 +275,36 @@ type ForwardParameters struct {
 
 type LBListenerObservation struct {
 
+	// Name of the Application-Layer Protocol Negotiation (ALPN) policy. Can be set if protocol is TLS. Valid values are HTTP1Only, HTTP2Only, HTTP2Optional, HTTP2Preferred, and None.
+	AlpnPolicy *string `json:"alpnPolicy,omitempty" tf:"alpn_policy,omitempty"`
+
 	// ARN of the listener (matches id).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of the default SSL server certificate. Exactly one certificate is required if the protocol is HTTPS. For adding additional SSL certificates, see the aws_lb_listener_certificate resource.
+	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
+
+	// Configuration block for default actions. Detailed below.
+	DefaultAction []DefaultActionObservation `json:"defaultAction,omitempty" tf:"default_action,omitempty"`
+
 	// ARN of the listener (matches arn).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of the load balancer.
+	LoadBalancerArn *string `json:"loadBalancerArn,omitempty" tf:"load_balancer_arn,omitempty"`
+
+	// Port on which the load balancer is listening. Not valid for Gateway Load Balancers.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol for connections from clients to the load balancer. For Application Load Balancers, valid values are HTTP and HTTPS, with a default of HTTP. For Network Load Balancers, valid values are TCP, TLS, UDP, and TCP_UDP. Not valid to use UDP or TCP_UDP if dual-stack mode is enabled. Not valid for Gateway Load Balancers.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Name of the SSL Policy for the listener. Required if protocol is HTTPS or TLS.
+	SSLPolicy *string `json:"sslPolicy,omitempty" tf:"ssl_policy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -203,8 +320,8 @@ type LBListenerParameters struct {
 	CertificateArn *string `json:"certificateArn,omitempty" tf:"certificate_arn,omitempty"`
 
 	// Configuration block for default actions. Detailed below.
-	// +kubebuilder:validation:Required
-	DefaultAction []DefaultActionParameters `json:"defaultAction" tf:"default_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	DefaultAction []DefaultActionParameters `json:"defaultAction,omitempty" tf:"default_action,omitempty"`
 
 	// ARN of the load balancer.
 	// +crossplane:generate:reference:type=LB
@@ -242,6 +359,24 @@ type LBListenerParameters struct {
 }
 
 type RedirectObservation struct {
+
+	// Hostname. This component is not percent-encoded. The hostname can contain #{host}. Defaults to #{host}.
+	Host *string `json:"host,omitempty" tf:"host,omitempty"`
+
+	// Absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}. Defaults to /#{path}.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Port. Specify a value from 1 to 65535 or #{port}. Defaults to #{port}.
+	Port *string `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol. Valid values are HTTP, HTTPS, or #{protocol}. Defaults to #{protocol}.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?". Defaults to #{query}.
+	Query *string `json:"query,omitempty" tf:"query,omitempty"`
+
+	// HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302).
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type RedirectParameters struct {
@@ -272,6 +407,12 @@ type RedirectParameters struct {
 }
 
 type StickinessObservation struct {
+
+	// Time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).
+	Duration *float64 `json:"duration,omitempty" tf:"duration,omitempty"`
+
+	// Whether target group stickiness is enabled. Default is false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type StickinessParameters struct {
@@ -286,6 +427,12 @@ type StickinessParameters struct {
 }
 
 type TargetGroupObservation struct {
+
+	// ARN of the target group.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Weight. The range is 0 to 999.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type TargetGroupParameters struct {
@@ -332,8 +479,9 @@ type LBListenerStatus struct {
 type LBListener struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBListenerSpec   `json:"spec"`
-	Status            LBListenerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultAction)",message="defaultAction is a required parameter"
+	Spec   LBListenerSpec   `json:"spec"`
+	Status LBListenerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elbv2/v1beta1/zz_lblistenerrule_types.go b/apis/elbv2/v1beta1/zz_lblistenerrule_types.go
index 1474434a04..2606033a72 100755
--- a/apis/elbv2/v1beta1/zz_lblistenerrule_types.go
+++ b/apis/elbv2/v1beta1/zz_lblistenerrule_types.go
@@ -14,6 +14,30 @@ import (
 )
 
 type ActionAuthenticateCognitoObservation struct {
+
+	// The query parameters to include in the redirect request to the authorization endpoint. Max: 10.
+	AuthenticationRequestExtraParams map[string]*string `json:"authenticationRequestExtraParams,omitempty" tf:"authentication_request_extra_params,omitempty"`
+
+	// The behavior if the user is not authenticated. Valid values: deny, allow and authenticate
+	OnUnauthenticatedRequest *string `json:"onUnauthenticatedRequest,omitempty" tf:"on_unauthenticated_request,omitempty"`
+
+	// The set of user claims to be requested from the IdP.
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// The name of the cookie used to maintain session information.
+	SessionCookieName *string `json:"sessionCookieName,omitempty" tf:"session_cookie_name,omitempty"`
+
+	// The maximum duration of the authentication session, in seconds.
+	SessionTimeout *float64 `json:"sessionTimeout,omitempty" tf:"session_timeout,omitempty"`
+
+	// The ARN of the Cognito user pool.
+	UserPoolArn *string `json:"userPoolArn,omitempty" tf:"user_pool_arn,omitempty"`
+
+	// The ID of the Cognito user pool client.
+	UserPoolClientID *string `json:"userPoolClientId,omitempty" tf:"user_pool_client_id,omitempty"`
+
+	// The domain prefix or fully-qualified domain name of the Cognito user pool.
+	UserPoolDomain *string `json:"userPoolDomain,omitempty" tf:"user_pool_domain,omitempty"`
 }
 
 type ActionAuthenticateCognitoParameters struct {
@@ -82,6 +106,36 @@ type ActionAuthenticateCognitoParameters struct {
 }
 
 type ActionAuthenticateOidcObservation struct {
+
+	// The query parameters to include in the redirect request to the authorization endpoint. Max: 10.
+	AuthenticationRequestExtraParams map[string]*string `json:"authenticationRequestExtraParams,omitempty" tf:"authentication_request_extra_params,omitempty"`
+
+	// The authorization endpoint of the IdP.
+	AuthorizationEndpoint *string `json:"authorizationEndpoint,omitempty" tf:"authorization_endpoint,omitempty"`
+
+	// The OAuth 2.0 client identifier.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// The OIDC issuer identifier of the IdP.
+	Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
+
+	// The behavior if the user is not authenticated. Valid values: deny, allow and authenticate
+	OnUnauthenticatedRequest *string `json:"onUnauthenticatedRequest,omitempty" tf:"on_unauthenticated_request,omitempty"`
+
+	// The set of user claims to be requested from the IdP.
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// The name of the cookie used to maintain session information.
+	SessionCookieName *string `json:"sessionCookieName,omitempty" tf:"session_cookie_name,omitempty"`
+
+	// The maximum duration of the authentication session, in seconds.
+	SessionTimeout *float64 `json:"sessionTimeout,omitempty" tf:"session_timeout,omitempty"`
+
+	// The token endpoint of the IdP.
+	TokenEndpoint *string `json:"tokenEndpoint,omitempty" tf:"token_endpoint,omitempty"`
+
+	// The user info endpoint of the IdP.
+	UserInfoEndpoint *string `json:"userInfoEndpoint,omitempty" tf:"user_info_endpoint,omitempty"`
 }
 
 type ActionAuthenticateOidcParameters struct {
@@ -132,6 +186,15 @@ type ActionAuthenticateOidcParameters struct {
 }
 
 type ActionFixedResponseObservation struct {
+
+	// The content type. Valid values are text/plain, text/css, text/html, application/javascript and application/json.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// The message body.
+	MessageBody *string `json:"messageBody,omitempty" tf:"message_body,omitempty"`
+
+	// The HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302).
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type ActionFixedResponseParameters struct {
@@ -150,6 +213,12 @@ type ActionFixedResponseParameters struct {
 }
 
 type ActionForwardObservation struct {
+
+	// The target group stickiness for the rule.
+	Stickiness []ForwardStickinessObservation `json:"stickiness,omitempty" tf:"stickiness,omitempty"`
+
+	// One or more target groups block.
+	TargetGroup []ForwardTargetGroupObservation `json:"targetGroup,omitempty" tf:"target_group,omitempty"`
 }
 
 type ActionForwardParameters struct {
@@ -164,6 +233,29 @@ type ActionForwardParameters struct {
 }
 
 type ActionObservation struct {
+
+	// Information for creating an authenticate action using Cognito. Required if type is authenticate-cognito.
+	AuthenticateCognito []ActionAuthenticateCognitoObservation `json:"authenticateCognito,omitempty" tf:"authenticate_cognito,omitempty"`
+
+	// Information for creating an authenticate action using OIDC. Required if type is authenticate-oidc.
+	AuthenticateOidc []ActionAuthenticateOidcObservation `json:"authenticateOidc,omitempty" tf:"authenticate_oidc,omitempty"`
+
+	// Information for creating an action that returns a custom HTTP response. Required if type is fixed-response.
+	FixedResponse []ActionFixedResponseObservation `json:"fixedResponse,omitempty" tf:"fixed_response,omitempty"`
+
+	// Information for creating an action that distributes requests among one or more target groups. Specify only if type is forward. If you specify both forward block and target_group_arn attribute, you can specify only one target group using forward and it must be the same target group specified in target_group_arn.
+	Forward []ActionForwardObservation `json:"forward,omitempty" tf:"forward,omitempty"`
+
+	Order *float64 `json:"order,omitempty" tf:"order,omitempty"`
+
+	// Information for creating a redirect action. Required if type is redirect.
+	Redirect []ActionRedirectObservation `json:"redirect,omitempty" tf:"redirect,omitempty"`
+
+	// The ARN of the Target Group to which to route traffic. Specify only if type is forward and you want to route to a single target group. To route to one or more target groups, use a forward block instead.
+	TargetGroupArn *string `json:"targetGroupArn,omitempty" tf:"target_group_arn,omitempty"`
+
+	// The type of routing action. Valid values are forward, redirect, fixed-response, authenticate-cognito and authenticate-oidc.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ActionParameters struct {
@@ -211,6 +303,24 @@ type ActionParameters struct {
 }
 
 type ActionRedirectObservation struct {
+
+	// The hostname. This component is not percent-encoded. The hostname can contain #{host}. Defaults to #{host}.
+	Host *string `json:"host,omitempty" tf:"host,omitempty"`
+
+	// The absolute path, starting with the leading "/". This component is not percent-encoded. The path can contain #{host}, #{path}, and #{port}. Defaults to /#{path}.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// The port. Specify a value from 1 to 65535 or #{port}. Defaults to #{port}.
+	Port *string `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The protocol. Valid values are HTTP, HTTPS, or #{protocol}. Defaults to #{protocol}.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// The query parameters, URL-encoded when necessary, but not percent-encoded. Do not include the leading "?". Defaults to #{query}.
+	Query *string `json:"query,omitempty" tf:"query,omitempty"`
+
+	// The HTTP redirect code. The redirect is either permanent (HTTP_301) or temporary (HTTP_302).
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
 }
 
 type ActionRedirectParameters struct {
@@ -241,6 +351,24 @@ type ActionRedirectParameters struct {
 }
 
 type ConditionObservation struct {
+
+	// HTTP headers to match. HTTP Header block fields documented below.
+	HTTPHeader []HTTPHeaderObservation `json:"httpHeader,omitempty" tf:"http_header,omitempty"`
+
+	// Contains a single values item which is a list of HTTP request methods or verbs to match. Maximum size is 40 characters. Only allowed characters are A-Z, hyphen (-) and underscore (_). Comparison is case sensitive. Wildcards are not supported. Only one needs to match for the condition to be satisfied. AWS recommends that GET and HEAD requests are routed in the same way because the response to a HEAD request may be cached.
+	HTTPRequestMethod []HTTPRequestMethodObservation `json:"httpRequestMethod,omitempty" tf:"http_request_method,omitempty"`
+
+	// Contains a single values item which is a list of host header patterns to match. The maximum size of each pattern is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). Only one pattern needs to match for the condition to be satisfied.
+	HostHeader []HostHeaderObservation `json:"hostHeader,omitempty" tf:"host_header,omitempty"`
+
+	// Contains a single values item which is a list of path patterns to match against the request URL. Maximum size of each pattern is 128 characters. Comparison is case sensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). Only one pattern needs to match for the condition to be satisfied. Path pattern is compared only to the path of the URL, not to its query string. To compare against the query string, use a query_string condition.
+	PathPattern []PathPatternObservation `json:"pathPattern,omitempty" tf:"path_pattern,omitempty"`
+
+	// Query strings to match. Query String block fields documented below.
+	QueryString []QueryStringObservation `json:"queryString,omitempty" tf:"query_string,omitempty"`
+
+	// Contains a single values item which is a list of source IP CIDR notations to match. You can use both IPv4 and IPv6 addresses. Wildcards are not supported. Condition is satisfied if the source IP address of the request matches one of the CIDR blocks. Condition is not satisfied by the addresses in the X-Forwarded-For header, use http_header condition instead.
+	SourceIP []SourceIPObservation `json:"sourceIp,omitempty" tf:"source_ip,omitempty"`
 }
 
 type ConditionParameters struct {
@@ -271,6 +399,12 @@ type ConditionParameters struct {
 }
 
 type ForwardStickinessObservation struct {
+
+	// The time period, in seconds, during which requests from a client should be routed to the same target group. The range is 1-604800 seconds (7 days).
+	Duration *float64 `json:"duration,omitempty" tf:"duration,omitempty"`
+
+	// Indicates whether target group stickiness is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type ForwardStickinessParameters struct {
@@ -285,6 +419,12 @@ type ForwardStickinessParameters struct {
 }
 
 type ForwardTargetGroupObservation struct {
+
+	// The Amazon Resource Name (ARN) of the target group.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// The weight. The range is 0 to 999.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type ForwardTargetGroupParameters struct {
@@ -309,6 +449,12 @@ type ForwardTargetGroupParameters struct {
 }
 
 type HTTPHeaderObservation struct {
+
+	// Name of HTTP header to search. The maximum size is 40 characters. Comparison is case insensitive. Only RFC7240 characters are supported. Wildcards are not supported. You cannot use HTTP header condition to specify the host header, use a host-header condition instead.
+	HTTPHeaderName *string `json:"httpHeaderName,omitempty" tf:"http_header_name,omitempty"`
+
+	// List of header value patterns to match. Maximum size of each pattern is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). If the same header appears multiple times in the request they will be searched in order until a match is found. Only one pattern needs to match for the condition to be satisfied. To require that all of the strings are a match, create one condition block per string.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type HTTPHeaderParameters struct {
@@ -323,6 +469,9 @@ type HTTPHeaderParameters struct {
 }
 
 type HTTPRequestMethodObservation struct {
+
+	// Query string pairs or values to match. Query String Value blocks documented below. Multiple values blocks can be specified, see example above. Maximum size of each string is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). To search for a literal '*' or '?' character in a query string, escape the character with a backslash (\). Only one pair needs to match for the condition to be satisfied.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type HTTPRequestMethodParameters struct {
@@ -333,6 +482,9 @@ type HTTPRequestMethodParameters struct {
 }
 
 type HostHeaderObservation struct {
+
+	// Query string pairs or values to match. Query String Value blocks documented below. Multiple values blocks can be specified, see example above. Maximum size of each string is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). To search for a literal '*' or '?' character in a query string, escape the character with a backslash (\). Only one pair needs to match for the condition to be satisfied.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type HostHeaderParameters struct {
@@ -344,12 +496,27 @@ type HostHeaderParameters struct {
 
 type LBListenerRuleObservation struct {
 
+	// An Action block. Action blocks are documented below.
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
 	// The ARN of the rule (matches id)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A Condition block. Multiple condition blocks of different types can be set and all must be satisfied for the rule to match. Condition blocks are documented below.
+	Condition []ConditionObservation `json:"condition,omitempty" tf:"condition,omitempty"`
+
 	// The ARN of the rule (matches arn)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN of the listener to which to attach the rule.
+	ListenerArn *string `json:"listenerArn,omitempty" tf:"listener_arn,omitempty"`
+
+	// The priority for the rule between 1 and 50000. Leaving it unset will automatically set the rule with next available priority after currently existing highest rule. A listener can't have multiple rules with the same priority.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -357,12 +524,12 @@ type LBListenerRuleObservation struct {
 type LBListenerRuleParameters struct {
 
 	// An Action block. Action blocks are documented below.
-	// +kubebuilder:validation:Required
-	Action []ActionParameters `json:"action" tf:"action,omitempty"`
+	// +kubebuilder:validation:Optional
+	Action []ActionParameters `json:"action,omitempty" tf:"action,omitempty"`
 
 	// A Condition block. Multiple condition blocks of different types can be set and all must be satisfied for the rule to match. Condition blocks are documented below.
-	// +kubebuilder:validation:Required
-	Condition []ConditionParameters `json:"condition" tf:"condition,omitempty"`
+	// +kubebuilder:validation:Optional
+	Condition []ConditionParameters `json:"condition,omitempty" tf:"condition,omitempty"`
 
 	// The ARN of the listener to which to attach the rule.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/elbv2/v1beta1.LBListener
@@ -393,6 +560,9 @@ type LBListenerRuleParameters struct {
 }
 
 type PathPatternObservation struct {
+
+	// Query string pairs or values to match. Query String Value blocks documented below. Multiple values blocks can be specified, see example above. Maximum size of each string is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). To search for a literal '*' or '?' character in a query string, escape the character with a backslash (\). Only one pair needs to match for the condition to be satisfied.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type PathPatternParameters struct {
@@ -403,6 +573,12 @@ type PathPatternParameters struct {
 }
 
 type QueryStringObservation struct {
+
+	// Query string key pattern to match.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Query string value pattern to match.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type QueryStringParameters struct {
@@ -417,6 +593,9 @@ type QueryStringParameters struct {
 }
 
 type SourceIPObservation struct {
+
+	// Query string pairs or values to match. Query String Value blocks documented below. Multiple values blocks can be specified, see example above. Maximum size of each string is 128 characters. Comparison is case insensitive. Wildcard characters supported: * (matches 0 or more characters) and ? (matches exactly 1 character). To search for a literal '*' or '?' character in a query string, escape the character with a backslash (\). Only one pair needs to match for the condition to be satisfied.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type SourceIPParameters struct {
@@ -450,8 +629,10 @@ type LBListenerRuleStatus struct {
 type LBListenerRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBListenerRuleSpec   `json:"spec"`
-	Status            LBListenerRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)",message="action is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.condition)",message="condition is a required parameter"
+	Spec   LBListenerRuleSpec   `json:"spec"`
+	Status LBListenerRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elbv2/v1beta1/zz_lbtargetgroup_types.go b/apis/elbv2/v1beta1/zz_lbtargetgroup_types.go
index d03139e01e..5ab44f0155 100755
--- a/apis/elbv2/v1beta1/zz_lbtargetgroup_types.go
+++ b/apis/elbv2/v1beta1/zz_lbtargetgroup_types.go
@@ -14,6 +14,33 @@ import (
 )
 
 type HealthCheckObservation struct {
+
+	// Whether health checks are enabled. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Number of consecutive health check successes required before considering a target healthy. The range is 2-10. Defaults to 3.
+	HealthyThreshold *float64 `json:"healthyThreshold,omitempty" tf:"healthy_threshold,omitempty"`
+
+	// Approximate amount of time, in seconds, between health checks of an individual target. The range is 5-300. For lambda target groups, it needs to be greater than the timeout of the underlying lambda. Defaults to 30.
+	Interval *float64 `json:"interval,omitempty" tf:"interval,omitempty"`
+
+	// 299" or "0-99"). Required for HTTP/HTTPS/GRPC ALB. Only applies to Application Load Balancers (i.e., HTTP/HTTPS/GRPC) not Network Load Balancers (i.e., TCP).
+	Matcher *string `json:"matcher,omitempty" tf:"matcher,omitempty"`
+
+	// (May be required) Destination for the health check request. Required for HTTP/HTTPS ALB and HTTP NLB. Only applies to HTTP/HTTPS.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// The port the load balancer uses when performing health checks on targets. Default is traffic-port.
+	Port *string `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Protocol the load balancer uses when performing health checks on targets. Must be either TCP, HTTP, or HTTPS. The TCP protocol is not supported for health checks if the protocol of the target group is HTTP or HTTPS. Defaults to HTTP.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Amount of time, in seconds, during which no response from a target means a failed health check. The range is 2–120 seconds. For target groups with a protocol of HTTP, the default is 6 seconds. For target groups with a protocol of TCP, TLS or HTTPS, the default is 10 seconds. For target groups with a protocol of GENEVE, the default is 5 seconds. If the target type is lambda, the default is 30 seconds.
+	Timeout *float64 `json:"timeout,omitempty" tf:"timeout,omitempty"`
+
+	// Number of consecutive health check failures required before considering a target unhealthy. The range is 2-10. Defaults to 3.
+	UnhealthyThreshold *float64 `json:"unhealthyThreshold,omitempty" tf:"unhealthy_threshold,omitempty"`
 }
 
 type HealthCheckParameters struct {
@@ -63,11 +90,65 @@ type LBTargetGroupObservation struct {
 	// ARN suffix for use with CloudWatch Metrics.
 	ArnSuffix *string `json:"arnSuffix,omitempty" tf:"arn_suffix,omitempty"`
 
+	// Whether to terminate connections at the end of the deregistration timeout on Network Load Balancers. See doc for more information. Default is false.
+	ConnectionTermination *bool `json:"connectionTermination,omitempty" tf:"connection_termination,omitempty"`
+
+	// Amount time for Elastic Load Balancing to wait before changing the state of a deregistering target from draining to unused. The range is 0-3600 seconds. The default value is 300 seconds.
+	DeregistrationDelay *string `json:"deregistrationDelay,omitempty" tf:"deregistration_delay,omitempty"`
+
+	// Health Check configuration block. Detailed below.
+	HealthCheck []HealthCheckObservation `json:"healthCheck,omitempty" tf:"health_check,omitempty"`
+
 	// ARN of the Target Group (matches arn).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The type of IP addresses used by the target group, only supported when target type is set to ip. Possible values are ipv4 or ipv6.
+	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
+
+	// Whether the request and response headers exchanged between the load balancer and the Lambda function include arrays of values or strings. Only applies when target_type is lambda. Default is false.
+	LambdaMultiValueHeadersEnabled *bool `json:"lambdaMultiValueHeadersEnabled,omitempty" tf:"lambda_multi_value_headers_enabled,omitempty"`
+
+	// Determines how the load balancer selects targets when routing requests. Only applicable for Application Load Balancer Target Groups. The value is round_robin or least_outstanding_requests. The default is round_robin.
+	LoadBalancingAlgorithmType *string `json:"loadBalancingAlgorithmType,omitempty" tf:"load_balancing_algorithm_type,omitempty"`
+
+	// Name of the target group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// (May be required, Forces new resource) Port on which targets receive traffic, unless overridden when registering a specific target. Required when target_type is instance, ip or alb. Does not apply when target_type is lambda.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Whether client IP preservation is enabled. See doc for more information.
+	PreserveClientIP *string `json:"preserveClientIp,omitempty" tf:"preserve_client_ip,omitempty"`
+
+	// (May be required, Forces new resource) Protocol to use for routing traffic to the targets. Should be one of GENEVE, HTTP, HTTPS, TCP, TCP_UDP, TLS, or UDP. Required when target_type is instance, ip or alb. Does not apply when target_type is lambda.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Only applicable when protocol is HTTP or HTTPS. The protocol version. Specify GRPC to send requests to targets using gRPC. Specify HTTP2 to send requests to targets using HTTP/2. The default is HTTP1, which sends requests to targets using HTTP/1.1
+	ProtocolVersion *string `json:"protocolVersion,omitempty" tf:"protocol_version,omitempty"`
+
+	// Whether to enable support for proxy protocol v2 on Network Load Balancers. See doc for more information. Default is false.
+	ProxyProtocolV2 *bool `json:"proxyProtocolV2,omitempty" tf:"proxy_protocol_v2,omitempty"`
+
+	// Amount time for targets to warm up before the load balancer sends them a full share of requests. The range is 30-900 seconds or 0 to disable. The default value is 0 seconds.
+	SlowStart *float64 `json:"slowStart,omitempty" tf:"slow_start,omitempty"`
+
+	// Stickiness configuration block. Detailed below.
+	Stickiness []LBTargetGroupStickinessObservation `json:"stickiness,omitempty" tf:"stickiness,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Target failover block. Only applicable for Gateway Load Balancer target groups. See target_failover for more information.
+	TargetFailover []TargetFailoverObservation `json:"targetFailover,omitempty" tf:"target_failover,omitempty"`
+
+	// (May be required, Forces new resource) Type of target that you must specify when registering targets with this target group. See doc for supported values. The default is instance.
+	TargetType *string `json:"targetType,omitempty" tf:"target_type,omitempty"`
+
+	// Identifier of the VPC in which to create the target group. Required when target_type is instance, ip or alb. Does not apply when target_type is lambda.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type LBTargetGroupParameters struct {
@@ -97,8 +178,8 @@ type LBTargetGroupParameters struct {
 	LoadBalancingAlgorithmType *string `json:"loadBalancingAlgorithmType,omitempty" tf:"load_balancing_algorithm_type,omitempty"`
 
 	// Name of the target group.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// (May be required, Forces new resource) Port on which targets receive traffic, unless overridden when registering a specific target. Required when target_type is instance, ip or alb. Does not apply when target_type is lambda.
 	// +kubebuilder:validation:Optional
@@ -160,6 +241,18 @@ type LBTargetGroupParameters struct {
 }
 
 type LBTargetGroupStickinessObservation struct {
+
+	// Only used when the type is lb_cookie. The time period, in seconds, during which requests from a client should be routed to the same target. After this time period expires, the load balancer-generated cookie is considered stale. The range is 1 second to 1 week (604800 seconds). The default value is 1 day (86400 seconds).
+	CookieDuration *float64 `json:"cookieDuration,omitempty" tf:"cookie_duration,omitempty"`
+
+	// Name of the application based cookie. AWSALB, AWSALBAPP, and AWSALBTG prefixes are reserved and cannot be used. Only needed when type is app_cookie.
+	CookieName *string `json:"cookieName,omitempty" tf:"cookie_name,omitempty"`
+
+	// Whether health checks are enabled. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The type of sticky sessions. The only current possible values are lb_cookie, app_cookie for ALBs, source_ip for NLBs, and source_ip_dest_ip, source_ip_dest_ip_proto for GWLBs.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type LBTargetGroupStickinessParameters struct {
@@ -182,6 +275,12 @@ type LBTargetGroupStickinessParameters struct {
 }
 
 type TargetFailoverObservation struct {
+
+	// Indicates how the GWLB handles existing flows when a target is deregistered. Possible values are rebalance and no_rebalance. Must match the attribute value set for on_unhealthy. Default: no_rebalance.
+	OnDeregistration *string `json:"onDeregistration,omitempty" tf:"on_deregistration,omitempty"`
+
+	// Indicates how the GWLB handles existing flows when a target is unhealthy. Possible values are rebalance and no_rebalance. Must match the attribute value set for on_deregistration. Default: no_rebalance.
+	OnUnhealthy *string `json:"onUnhealthy,omitempty" tf:"on_unhealthy,omitempty"`
 }
 
 type TargetFailoverParameters struct {
@@ -219,8 +318,9 @@ type LBTargetGroupStatus struct {
 type LBTargetGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBTargetGroupSpec   `json:"spec"`
-	Status            LBTargetGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   LBTargetGroupSpec   `json:"spec"`
+	Status LBTargetGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/elbv2/v1beta1/zz_lbtargetgroupattachment_types.go b/apis/elbv2/v1beta1/zz_lbtargetgroupattachment_types.go
index d4c6644194..9a8c15a2d4 100755
--- a/apis/elbv2/v1beta1/zz_lbtargetgroupattachment_types.go
+++ b/apis/elbv2/v1beta1/zz_lbtargetgroupattachment_types.go
@@ -15,8 +15,20 @@ import (
 
 type LBTargetGroupAttachmentObservation struct {
 
+	// The Availability Zone where the IP address of the target is to be registered. If the private ip address is outside of the VPC scope, this value must be set to 'all'.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
 	// A unique identifier for the attachment
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The port on which targets receive traffic.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The ARN of the target group with which to register targets
+	TargetGroupArn *string `json:"targetGroupArn,omitempty" tf:"target_group_arn,omitempty"`
+
+	// The ID of the target. This is the Instance ID for an instance, or the container ID for an ECS container. If the target type is ip, specify an IP address. If the target type is lambda, specify the arn of lambda. If the target type is alb, specify the arn of alb.
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
 }
 
 type LBTargetGroupAttachmentParameters struct {
@@ -48,8 +60,8 @@ type LBTargetGroupAttachmentParameters struct {
 	TargetGroupArnSelector *v1.Selector `json:"targetGroupArnSelector,omitempty" tf:"-"`
 
 	// The ID of the target. This is the Instance ID for an instance, or the container ID for an ECS container. If the target type is ip, specify an IP address. If the target type is lambda, specify the arn of lambda. If the target type is alb, specify the arn of alb.
-	// +kubebuilder:validation:Required
-	TargetID *string `json:"targetId" tf:"target_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
 }
 
 // LBTargetGroupAttachmentSpec defines the desired state of LBTargetGroupAttachment
@@ -76,8 +88,9 @@ type LBTargetGroupAttachmentStatus struct {
 type LBTargetGroupAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBTargetGroupAttachmentSpec   `json:"spec"`
-	Status            LBTargetGroupAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetId)",message="targetId is a required parameter"
+	Spec   LBTargetGroupAttachmentSpec   `json:"spec"`
+	Status LBTargetGroupAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/emr/v1beta1/zz_generated.deepcopy.go b/apis/emr/v1beta1/zz_generated.deepcopy.go
index e0d369fba8..6a7c2b93dc 100644
--- a/apis/emr/v1beta1/zz_generated.deepcopy.go
+++ b/apis/emr/v1beta1/zz_generated.deepcopy.go
@@ -75,6 +75,11 @@ func (in *SecurityConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecurityConfigurationObservation) DeepCopyInto(out *SecurityConfigurationObservation) {
 	*out = *in
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreationDate != nil {
 		in, out := &in.CreationDate, &out.CreationDate
 		*out = new(string)
diff --git a/apis/emr/v1beta1/zz_securityconfiguration_types.go b/apis/emr/v1beta1/zz_securityconfiguration_types.go
index 30faf6b825..15e93d3637 100755
--- a/apis/emr/v1beta1/zz_securityconfiguration_types.go
+++ b/apis/emr/v1beta1/zz_securityconfiguration_types.go
@@ -15,6 +15,9 @@ import (
 
 type SecurityConfigurationObservation struct {
 
+	// A JSON formatted Security Configuration
+	Configuration *string `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
 	// Date the Security Configuration was created
 	CreationDate *string `json:"creationDate,omitempty" tf:"creation_date,omitempty"`
 
@@ -25,8 +28,8 @@ type SecurityConfigurationObservation struct {
 type SecurityConfigurationParameters struct {
 
 	// A JSON formatted Security Configuration
-	// +kubebuilder:validation:Required
-	Configuration *string `json:"configuration" tf:"configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	Configuration *string `json:"configuration,omitempty" tf:"configuration,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -58,8 +61,9 @@ type SecurityConfigurationStatus struct {
 type SecurityConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SecurityConfigurationSpec   `json:"spec"`
-	Status            SecurityConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.configuration)",message="configuration is a required parameter"
+	Spec   SecurityConfigurationSpec   `json:"spec"`
+	Status SecurityConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/emrserverless/v1beta1/zz_application_types.go b/apis/emrserverless/v1beta1/zz_application_types.go
index 25fb4f024a..2b21ccf6ae 100755
--- a/apis/emrserverless/v1beta1/zz_application_types.go
+++ b/apis/emrserverless/v1beta1/zz_application_types.go
@@ -15,14 +15,44 @@ import (
 
 type ApplicationObservation struct {
 
+	// –  The CPU architecture of an application. Valid values are ARM64 or X86_64. Default value is X86_64.
+	Architecture *string `json:"architecture,omitempty" tf:"architecture,omitempty"`
+
 	// ARN of the cluster.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  The configuration for an application to automatically start on job submission.
+	AutoStartConfiguration []AutoStartConfigurationObservation `json:"autoStartConfiguration,omitempty" tf:"auto_start_configuration,omitempty"`
+
+	// –  The configuration for an application to automatically stop after a certain amount of time being idle.
+	AutoStopConfiguration []AutoStopConfigurationObservation `json:"autoStopConfiguration,omitempty" tf:"auto_stop_configuration,omitempty"`
+
 	// The ID of the cluster.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  The capacity to initialize when the application is created.
+	InitialCapacity []InitialCapacityObservation `json:"initialCapacity,omitempty" tf:"initial_capacity,omitempty"`
+
+	// –  The maximum capacity to allocate when the application is created. This is cumulative across all workers at any given point in time, not just when an application is created. No new resources will be created once any one of the defined limits is hit.
+	MaximumCapacity []MaximumCapacityObservation `json:"maximumCapacity,omitempty" tf:"maximum_capacity,omitempty"`
+
+	// –  The name of the application.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// –  The network configuration for customer VPC connectivity.
+	NetworkConfiguration []NetworkConfigurationObservation `json:"networkConfiguration,omitempty" tf:"network_configuration,omitempty"`
+
+	// –  The EMR release version associated with the application.
+	ReleaseLabel *string `json:"releaseLabel,omitempty" tf:"release_label,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// –  The type of application you want to start, such as spark or hive.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ApplicationParameters struct {
@@ -48,8 +78,8 @@ type ApplicationParameters struct {
 	MaximumCapacity []MaximumCapacityParameters `json:"maximumCapacity,omitempty" tf:"maximum_capacity,omitempty"`
 
 	// –  The name of the application.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// –  The network configuration for customer VPC connectivity.
 	// +kubebuilder:validation:Optional
@@ -61,19 +91,22 @@ type ApplicationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// –  The EMR release version associated with the application.
-	// +kubebuilder:validation:Required
-	ReleaseLabel *string `json:"releaseLabel" tf:"release_label,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReleaseLabel *string `json:"releaseLabel,omitempty" tf:"release_label,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// –  The type of application you want to start, such as spark or hive.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type AutoStartConfigurationObservation struct {
+
+	// Enables the application to automatically start on job submission. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type AutoStartConfigurationParameters struct {
@@ -84,6 +117,12 @@ type AutoStartConfigurationParameters struct {
 }
 
 type AutoStopConfigurationObservation struct {
+
+	// Enables the application to automatically start on job submission. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The amount of idle time in minutes after which your application will automatically stop. Defaults to 15 minutes.
+	IdleTimeoutMinutes *float64 `json:"idleTimeoutMinutes,omitempty" tf:"idle_timeout_minutes,omitempty"`
 }
 
 type AutoStopConfigurationParameters struct {
@@ -98,6 +137,12 @@ type AutoStopConfigurationParameters struct {
 }
 
 type InitialCapacityConfigObservation struct {
+
+	// The resource configuration of the initial capacity configuration.
+	WorkerConfiguration []WorkerConfigurationObservation `json:"workerConfiguration,omitempty" tf:"worker_configuration,omitempty"`
+
+	// The number of workers in the initial capacity configuration.
+	WorkerCount *float64 `json:"workerCount,omitempty" tf:"worker_count,omitempty"`
 }
 
 type InitialCapacityConfigParameters struct {
@@ -112,6 +157,12 @@ type InitialCapacityConfigParameters struct {
 }
 
 type InitialCapacityObservation struct {
+
+	// The initial capacity configuration per worker.
+	InitialCapacityConfig []InitialCapacityConfigObservation `json:"initialCapacityConfig,omitempty" tf:"initial_capacity_config,omitempty"`
+
+	// The worker type for an analytics framework. For Spark applications, the key can either be set to Driver or Executor. For Hive applications, it can be set to HiveDriver or TezTask.
+	InitialCapacityType *string `json:"initialCapacityType,omitempty" tf:"initial_capacity_type,omitempty"`
 }
 
 type InitialCapacityParameters struct {
@@ -126,6 +177,15 @@ type InitialCapacityParameters struct {
 }
 
 type MaximumCapacityObservation struct {
+
+	// The maximum allowed CPU for an application.
+	CPU *string `json:"cpu,omitempty" tf:"cpu,omitempty"`
+
+	// The maximum allowed disk for an application.
+	Disk *string `json:"disk,omitempty" tf:"disk,omitempty"`
+
+	// The maximum allowed resources for an application.
+	Memory *string `json:"memory,omitempty" tf:"memory,omitempty"`
 }
 
 type MaximumCapacityParameters struct {
@@ -144,6 +204,12 @@ type MaximumCapacityParameters struct {
 }
 
 type NetworkConfigurationObservation struct {
+
+	// The array of security group Ids for customer VPC connectivity.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// The array of subnet Ids for customer VPC connectivity.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 }
 
 type NetworkConfigurationParameters struct {
@@ -158,6 +224,15 @@ type NetworkConfigurationParameters struct {
 }
 
 type WorkerConfigurationObservation struct {
+
+	// The maximum allowed CPU for an application.
+	CPU *string `json:"cpu,omitempty" tf:"cpu,omitempty"`
+
+	// The maximum allowed disk for an application.
+	Disk *string `json:"disk,omitempty" tf:"disk,omitempty"`
+
+	// The maximum allowed resources for an application.
+	Memory *string `json:"memory,omitempty" tf:"memory,omitempty"`
 }
 
 type WorkerConfigurationParameters struct {
@@ -199,8 +274,11 @@ type ApplicationStatus struct {
 type Application struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ApplicationSpec   `json:"spec"`
-	Status            ApplicationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.releaseLabel)",message="releaseLabel is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   ApplicationSpec   `json:"spec"`
+	Status ApplicationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/emrserverless/v1beta1/zz_generated.deepcopy.go b/apis/emrserverless/v1beta1/zz_generated.deepcopy.go
index bd799d1102..a78ea04782 100644
--- a/apis/emrserverless/v1beta1/zz_generated.deepcopy.go
+++ b/apis/emrserverless/v1beta1/zz_generated.deepcopy.go
@@ -75,16 +75,81 @@ func (in *ApplicationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 	*out = *in
+	if in.Architecture != nil {
+		in, out := &in.Architecture, &out.Architecture
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoStartConfiguration != nil {
+		in, out := &in.AutoStartConfiguration, &out.AutoStartConfiguration
+		*out = make([]AutoStartConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutoStopConfiguration != nil {
+		in, out := &in.AutoStopConfiguration, &out.AutoStopConfiguration
+		*out = make([]AutoStopConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InitialCapacity != nil {
+		in, out := &in.InitialCapacity, &out.InitialCapacity
+		*out = make([]InitialCapacityObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaximumCapacity != nil {
+		in, out := &in.MaximumCapacity, &out.MaximumCapacity
+		*out = make([]MaximumCapacityObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkConfiguration != nil {
+		in, out := &in.NetworkConfiguration, &out.NetworkConfiguration
+		*out = make([]NetworkConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReleaseLabel != nil {
+		in, out := &in.ReleaseLabel, &out.ReleaseLabel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -100,6 +165,11 @@ func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationObservation.
@@ -239,6 +309,11 @@ func (in *ApplicationStatus) DeepCopy() *ApplicationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoStartConfigurationObservation) DeepCopyInto(out *AutoStartConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoStartConfigurationObservation.
@@ -274,6 +349,16 @@ func (in *AutoStartConfigurationParameters) DeepCopy() *AutoStartConfigurationPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoStopConfigurationObservation) DeepCopyInto(out *AutoStopConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IdleTimeoutMinutes != nil {
+		in, out := &in.IdleTimeoutMinutes, &out.IdleTimeoutMinutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoStopConfigurationObservation.
@@ -314,6 +399,18 @@ func (in *AutoStopConfigurationParameters) DeepCopy() *AutoStopConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InitialCapacityConfigObservation) DeepCopyInto(out *InitialCapacityConfigObservation) {
 	*out = *in
+	if in.WorkerConfiguration != nil {
+		in, out := &in.WorkerConfiguration, &out.WorkerConfiguration
+		*out = make([]WorkerConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WorkerCount != nil {
+		in, out := &in.WorkerCount, &out.WorkerCount
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InitialCapacityConfigObservation.
@@ -356,6 +453,18 @@ func (in *InitialCapacityConfigParameters) DeepCopy() *InitialCapacityConfigPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InitialCapacityObservation) DeepCopyInto(out *InitialCapacityObservation) {
 	*out = *in
+	if in.InitialCapacityConfig != nil {
+		in, out := &in.InitialCapacityConfig, &out.InitialCapacityConfig
+		*out = make([]InitialCapacityConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InitialCapacityType != nil {
+		in, out := &in.InitialCapacityType, &out.InitialCapacityType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InitialCapacityObservation.
@@ -398,6 +507,21 @@ func (in *InitialCapacityParameters) DeepCopy() *InitialCapacityParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaximumCapacityObservation) DeepCopyInto(out *MaximumCapacityObservation) {
 	*out = *in
+	if in.CPU != nil {
+		in, out := &in.CPU, &out.CPU
+		*out = new(string)
+		**out = **in
+	}
+	if in.Disk != nil {
+		in, out := &in.Disk, &out.Disk
+		*out = new(string)
+		**out = **in
+	}
+	if in.Memory != nil {
+		in, out := &in.Memory, &out.Memory
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaximumCapacityObservation.
@@ -443,6 +567,28 @@ func (in *MaximumCapacityParameters) DeepCopy() *MaximumCapacityParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkConfigurationObservation) DeepCopyInto(out *NetworkConfigurationObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkConfigurationObservation.
@@ -495,6 +641,21 @@ func (in *NetworkConfigurationParameters) DeepCopy() *NetworkConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkerConfigurationObservation) DeepCopyInto(out *WorkerConfigurationObservation) {
 	*out = *in
+	if in.CPU != nil {
+		in, out := &in.CPU, &out.CPU
+		*out = new(string)
+		**out = **in
+	}
+	if in.Disk != nil {
+		in, out := &in.Disk, &out.Disk
+		*out = new(string)
+		**out = **in
+	}
+	if in.Memory != nil {
+		in, out := &in.Memory, &out.Memory
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkerConfigurationObservation.
diff --git a/apis/evidently/v1beta1/zz_feature_types.go b/apis/evidently/v1beta1/zz_feature_types.go
index c9bca95620..cc7969ab74 100755
--- a/apis/evidently/v1beta1/zz_feature_types.go
+++ b/apis/evidently/v1beta1/zz_feature_types.go
@@ -33,23 +33,44 @@ type FeatureObservation struct {
 	// The date and time that the feature is created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// The name of the variation to use as the default variation. The default variation is served to users who are not allocated to any ongoing launches or experiments of this feature. This variation must also be listed in the variations structure. If you omit default_variation, the first variation listed in the variations structure is used as the default variation.
+	DefaultVariation *string `json:"defaultVariation,omitempty" tf:"default_variation,omitempty"`
+
+	// Specifies the description of the feature.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Specify users that should always be served a specific variation of a feature. Each user is specified by a key-value pair . For each key, specify a user by entering their user ID, account ID, or some other identifier. For the value, specify the name of the variation that they are to be served.
+	EntityOverrides map[string]*string `json:"entityOverrides,omitempty" tf:"entity_overrides,omitempty"`
+
 	// One or more blocks that define the evaluation rules for the feature. Detailed below
 	EvaluationRules []EvaluationRulesObservation `json:"evaluationRules,omitempty" tf:"evaluation_rules,omitempty"`
 
+	// Specify ALL_RULES to activate the traffic allocation specified by any ongoing launches or experiments. Specify DEFAULT_VARIATION to serve the default variation to all users instead.
+	EvaluationStrategy *string `json:"evaluationStrategy,omitempty" tf:"evaluation_strategy,omitempty"`
+
 	// The feature name and the project name or arn separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date and time that the feature was most recently updated.
 	LastUpdatedTime *string `json:"lastUpdatedTime,omitempty" tf:"last_updated_time,omitempty"`
 
+	// The name or ARN of the project that is to contain the new feature.
+	Project *string `json:"project,omitempty" tf:"project,omitempty"`
+
 	// The current state of the feature. Valid values are AVAILABLE and UPDATING.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Defines the type of value used to define the different feature variations. Valid Values: STRING, LONG, DOUBLE, BOOLEAN.
 	ValueType *string `json:"valueType,omitempty" tf:"value_type,omitempty"`
+
+	// One or more blocks that contain the configuration of the feature's different variations. Detailed below
+	Variations []VariationsObservation `json:"variations,omitempty" tf:"variations,omitempty"`
 }
 
 type FeatureParameters struct {
@@ -94,11 +115,23 @@ type FeatureParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// One or more blocks that contain the configuration of the feature's different variations. Detailed below
-	// +kubebuilder:validation:Required
-	Variations []VariationsParameters `json:"variations" tf:"variations,omitempty"`
+	// +kubebuilder:validation:Optional
+	Variations []VariationsParameters `json:"variations,omitempty" tf:"variations,omitempty"`
 }
 
 type ValueObservation struct {
+
+	// If this feature uses the Boolean variation type, this field contains the Boolean value of this variation.
+	BoolValue *string `json:"boolValue,omitempty" tf:"bool_value,omitempty"`
+
+	// If this feature uses the double integer variation type, this field contains the double integer value of this variation.
+	DoubleValue *string `json:"doubleValue,omitempty" tf:"double_value,omitempty"`
+
+	// If this feature uses the long variation type, this field contains the long value of this variation. Minimum value of -9007199254740991. Maximum value of 9007199254740991.
+	LongValue *string `json:"longValue,omitempty" tf:"long_value,omitempty"`
+
+	// If this feature uses the string variation type, this field contains the string value of this variation. Minimum length of 0. Maximum length of 512.
+	StringValue *string `json:"stringValue,omitempty" tf:"string_value,omitempty"`
 }
 
 type ValueParameters struct {
@@ -121,6 +154,12 @@ type ValueParameters struct {
 }
 
 type VariationsObservation struct {
+
+	// The name of the variation. Minimum length of 1. Maximum length of 127.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A block that specifies the value assigned to this variation. Detailed below
+	Value []ValueObservation `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type VariationsParameters struct {
@@ -158,8 +197,9 @@ type FeatureStatus struct {
 type Feature struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FeatureSpec   `json:"spec"`
-	Status            FeatureStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.variations)",message="variations is a required parameter"
+	Spec   FeatureSpec   `json:"spec"`
+	Status FeatureStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/evidently/v1beta1/zz_generated.deepcopy.go b/apis/evidently/v1beta1/zz_generated.deepcopy.go
index 0db4a43fa6..7df1254b9b 100644
--- a/apis/evidently/v1beta1/zz_generated.deepcopy.go
+++ b/apis/evidently/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchLogsObservation) DeepCopyInto(out *CloudwatchLogsObservation) {
 	*out = *in
+	if in.LogGroup != nil {
+		in, out := &in.LogGroup, &out.LogGroup
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchLogsObservation.
@@ -52,6 +57,20 @@ func (in *CloudwatchLogsParameters) DeepCopy() *CloudwatchLogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataDeliveryObservation) DeepCopyInto(out *DataDeliveryObservation) {
 	*out = *in
+	if in.CloudwatchLogs != nil {
+		in, out := &in.CloudwatchLogs, &out.CloudwatchLogs
+		*out = make([]CloudwatchLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Destination != nil {
+		in, out := &in.S3Destination, &out.S3Destination
+		*out = make([]S3DestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataDeliveryObservation.
@@ -205,6 +224,31 @@ func (in *FeatureObservation) DeepCopyInto(out *FeatureObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultVariation != nil {
+		in, out := &in.DefaultVariation, &out.DefaultVariation
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EntityOverrides != nil {
+		in, out := &in.EntityOverrides, &out.EntityOverrides
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.EvaluationRules != nil {
 		in, out := &in.EvaluationRules, &out.EvaluationRules
 		*out = make([]EvaluationRulesObservation, len(*in))
@@ -212,6 +256,11 @@ func (in *FeatureObservation) DeepCopyInto(out *FeatureObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.EvaluationStrategy != nil {
+		in, out := &in.EvaluationStrategy, &out.EvaluationStrategy
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -222,11 +271,31 @@ func (in *FeatureObservation) DeepCopyInto(out *FeatureObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Project != nil {
+		in, out := &in.Project, &out.Project
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -247,6 +316,13 @@ func (in *FeatureObservation) DeepCopyInto(out *FeatureObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Variations != nil {
+		in, out := &in.Variations, &out.Variations
+		*out = make([]VariationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureObservation.
@@ -462,6 +538,18 @@ func (in *ProjectObservation) DeepCopyInto(out *ProjectObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DataDelivery != nil {
+		in, out := &in.DataDelivery, &out.DataDelivery
+		*out = make([]DataDeliveryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ExperimentCount != nil {
 		in, out := &in.ExperimentCount, &out.ExperimentCount
 		*out = new(float64)
@@ -487,11 +575,31 @@ func (in *ProjectObservation) DeepCopyInto(out *ProjectObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -608,6 +716,16 @@ func (in *ProjectStatus) DeepCopy() *ProjectStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3DestinationObservation) DeepCopyInto(out *S3DestinationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3DestinationObservation.
@@ -717,6 +835,11 @@ func (in *SegmentObservation) DeepCopyInto(out *SegmentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ExperimentCount != nil {
 		in, out := &in.ExperimentCount, &out.ExperimentCount
 		*out = new(float64)
@@ -737,6 +860,26 @@ func (in *SegmentObservation) DeepCopyInto(out *SegmentObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Pattern != nil {
+		in, out := &in.Pattern, &out.Pattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -846,6 +989,26 @@ func (in *SegmentStatus) DeepCopy() *SegmentStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValueObservation) DeepCopyInto(out *ValueObservation) {
 	*out = *in
+	if in.BoolValue != nil {
+		in, out := &in.BoolValue, &out.BoolValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.DoubleValue != nil {
+		in, out := &in.DoubleValue, &out.DoubleValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.LongValue != nil {
+		in, out := &in.LongValue, &out.LongValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.StringValue != nil {
+		in, out := &in.StringValue, &out.StringValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValueObservation.
@@ -896,6 +1059,18 @@ func (in *ValueParameters) DeepCopy() *ValueParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VariationsObservation) DeepCopyInto(out *VariationsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = make([]ValueObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VariationsObservation.
diff --git a/apis/evidently/v1beta1/zz_project_types.go b/apis/evidently/v1beta1/zz_project_types.go
index da322a2b3e..4a99a279c5 100755
--- a/apis/evidently/v1beta1/zz_project_types.go
+++ b/apis/evidently/v1beta1/zz_project_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type CloudwatchLogsObservation struct {
+
+	// The name of the log group where the project stores evaluation events.
+	LogGroup *string `json:"logGroup,omitempty" tf:"log_group,omitempty"`
 }
 
 type CloudwatchLogsParameters struct {
@@ -24,6 +27,12 @@ type CloudwatchLogsParameters struct {
 }
 
 type DataDeliveryObservation struct {
+
+	// A block that defines the CloudWatch Log Group that stores the evaluation events. See below.
+	CloudwatchLogs []CloudwatchLogsObservation `json:"cloudwatchLogs,omitempty" tf:"cloudwatch_logs,omitempty"`
+
+	// A block that defines the S3 bucket and prefix that stores the evaluation events. See below.
+	S3Destination []S3DestinationObservation `json:"s3Destination,omitempty" tf:"s3_destination,omitempty"`
 }
 
 type DataDeliveryParameters struct {
@@ -51,6 +60,12 @@ type ProjectObservation struct {
 	// The date and time that the project is created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// A block that contains information about where Evidently is to store evaluation events for longer term storage, if you choose to do so. If you choose not to store these events, Evidently deletes them after using them to produce metrics and other experiment results that you can view. See below.
+	DataDelivery []DataDeliveryObservation `json:"dataDelivery,omitempty" tf:"data_delivery,omitempty"`
+
+	// Specifies the description of the project.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The number of experiments currently in the project. This includes all experiments that have been created and not deleted, whether they are ongoing or not.
 	ExperimentCount *float64 `json:"experimentCount,omitempty" tf:"experiment_count,omitempty"`
 
@@ -66,9 +81,15 @@ type ProjectObservation struct {
 	// The number of launches currently in the project. This includes all launches that have been created and not deleted, whether they are ongoing or not.
 	LaunchCount *float64 `json:"launchCount,omitempty" tf:"launch_count,omitempty"`
 
+	// A name for the project.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The current state of the project. Valid values are AVAILABLE and UPDATING.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -84,8 +105,8 @@ type ProjectParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A name for the project.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -98,6 +119,12 @@ type ProjectParameters struct {
 }
 
 type S3DestinationObservation struct {
+
+	// The name of the bucket in which Evidently stores evaluation events.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The bucket prefix in which Evidently stores evaluation events.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type S3DestinationParameters struct {
@@ -135,8 +162,9 @@ type ProjectStatus struct {
 type Project struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProjectSpec   `json:"spec"`
-	Status            ProjectStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ProjectSpec   `json:"spec"`
+	Status ProjectStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/evidently/v1beta1/zz_segment_types.go b/apis/evidently/v1beta1/zz_segment_types.go
index 7370c03a6e..66cf5a8538 100755
--- a/apis/evidently/v1beta1/zz_segment_types.go
+++ b/apis/evidently/v1beta1/zz_segment_types.go
@@ -21,6 +21,9 @@ type SegmentObservation struct {
 	// The date and time that the segment is created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Specifies the description of the segment.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The number of experiments that this segment is used in. This count includes all current experiments, not just those that are currently running.
 	ExperimentCount *float64 `json:"experimentCount,omitempty" tf:"experiment_count,omitempty"`
 
@@ -33,6 +36,12 @@ type SegmentObservation struct {
 	// The number of launches that this segment is used in. This count includes all current launches, not just those that are currently running.
 	LaunchCount *float64 `json:"launchCount,omitempty" tf:"launch_count,omitempty"`
 
+	// The pattern to use for the segment. For more information about pattern syntax, see Segment rule pattern syntax.
+	Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -44,8 +53,8 @@ type SegmentParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The pattern to use for the segment. For more information about pattern syntax, see Segment rule pattern syntax.
-	// +kubebuilder:validation:Required
-	Pattern *string `json:"pattern" tf:"pattern,omitempty"`
+	// +kubebuilder:validation:Optional
+	Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -81,8 +90,9 @@ type SegmentStatus struct {
 type Segment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SegmentSpec   `json:"spec"`
-	Status            SegmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pattern)",message="pattern is a required parameter"
+	Spec   SegmentSpec   `json:"spec"`
+	Status SegmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/firehose/v1beta1/zz_deliverystream_types.go b/apis/firehose/v1beta1/zz_deliverystream_types.go
index 03a7425b6d..c54b2ebf89 100755
--- a/apis/firehose/v1beta1/zz_deliverystream_types.go
+++ b/apis/firehose/v1beta1/zz_deliverystream_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type CloudwatchLoggingOptionsParameters struct {
@@ -32,6 +41,12 @@ type CloudwatchLoggingOptionsParameters struct {
 }
 
 type CommonAttributesObservation struct {
+
+	// The HTTP endpoint name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the HTTP endpoint common attribute.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type CommonAttributesParameters struct {
@@ -46,6 +61,18 @@ type CommonAttributesParameters struct {
 }
 
 type DataFormatConversionConfigurationObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Nested argument that specifies the deserializer that you want Kinesis Data Firehose to use to convert the format of your data from JSON. More details below.
+	InputFormatConfiguration []InputFormatConfigurationObservation `json:"inputFormatConfiguration,omitempty" tf:"input_format_configuration,omitempty"`
+
+	// Nested argument that specifies the serializer that you want Kinesis Data Firehose to use to convert the format of your data to the Parquet or ORC format. More details below.
+	OutputFormatConfiguration []OutputFormatConfigurationObservation `json:"outputFormatConfiguration,omitempty" tf:"output_format_configuration,omitempty"`
+
+	// Nested argument that specifies the AWS Glue Data Catalog table that contains the column information. More details below.
+	SchemaConfiguration []SchemaConfigurationObservation `json:"schemaConfiguration,omitempty" tf:"schema_configuration,omitempty"`
 }
 
 type DataFormatConversionConfigurationParameters struct {
@@ -69,14 +96,55 @@ type DataFormatConversionConfigurationParameters struct {
 
 type DeliveryStreamObservation struct {
 
+	// The Amazon Resource Name (ARN) specifying the Stream
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// –  This is the destination to where the data is delivered. The only options are s3 (Deprecated, use extended_s3 instead), extended_s3, redshift, elasticsearch, splunk, and http_endpoint.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	DestinationID *string `json:"destinationId,omitempty" tf:"destination_id,omitempty"`
+
 	// Configuration options if elasticsearch is the destination. More details are given below.
-	// +kubebuilder:validation:Optional
 	ElasticsearchConfiguration []ElasticsearchConfigurationObservation `json:"elasticsearchConfiguration,omitempty" tf:"elasticsearch_configuration,omitempty"`
 
+	// Enhanced configuration options for the s3 destination. More details are given below.
+	ExtendedS3Configuration []ExtendedS3ConfigurationObservation `json:"extendedS3Configuration,omitempty" tf:"extended_s3_configuration,omitempty"`
+
+	// Configuration options if http_endpoint is the destination. requires the user to also specify a s3_configuration block.  More details are given below.
+	HTTPEndpointConfiguration []HTTPEndpointConfigurationObservation `json:"httpEndpointConfiguration,omitempty" tf:"http_endpoint_configuration,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Allows the ability to specify the kinesis stream that is used as the source of the firehose delivery stream.
+	KinesisSourceConfiguration []KinesisSourceConfigurationObservation `json:"kinesisSourceConfiguration,omitempty" tf:"kinesis_source_configuration,omitempty"`
+
+	// A name to identify the stream. This is unique to the AWS account and region the Stream is created in. When using for WAF logging, name must be prefixed with aws-waf-logs-. See AWS Documentation for more details.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Configuration options if redshift is the destination.
+	// Using redshift_configuration requires the user to also specify a
+	// s3_configuration block. More details are given below.
+	RedshiftConfiguration []RedshiftConfigurationObservation `json:"redshiftConfiguration,omitempty" tf:"redshift_configuration,omitempty"`
+
+	// Required for non-S3 destinations. For S3 destination, use extended_s3_configuration instead. Configuration options for the s3 destination (or the intermediate bucket if the destination
+	// is redshift). More details are given below.
+	S3Configuration []S3ConfigurationObservation `json:"s3Configuration,omitempty" tf:"s3_configuration,omitempty"`
+
+	// Encrypt at rest options.
+	// Server-side encryption should not be enabled when a kinesis stream is configured as the source of the firehose delivery stream.
+	ServerSideEncryption []ServerSideEncryptionObservation `json:"serverSideEncryption,omitempty" tf:"server_side_encryption,omitempty"`
+
+	// Configuration options if splunk is the destination. More details are given below.
+	SplunkConfiguration []SplunkConfigurationObservation `json:"splunkConfiguration,omitempty" tf:"splunk_configuration,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Specifies the table version for the output data schema. Defaults to LATEST.
+	VersionID *string `json:"versionId,omitempty" tf:"version_id,omitempty"`
 }
 
 type DeliveryStreamParameters struct {
@@ -86,8 +154,8 @@ type DeliveryStreamParameters struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// –  This is the destination to where the data is delivered. The only options are s3 (Deprecated, use extended_s3 instead), extended_s3, redshift, elasticsearch, splunk, and http_endpoint.
-	// +kubebuilder:validation:Required
-	Destination *string `json:"destination" tf:"destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
 
 	// +kubebuilder:validation:Optional
 	DestinationID *string `json:"destinationId,omitempty" tf:"destination_id,omitempty"`
@@ -109,8 +177,8 @@ type DeliveryStreamParameters struct {
 	KinesisSourceConfiguration []KinesisSourceConfigurationParameters `json:"kinesisSourceConfiguration,omitempty" tf:"kinesis_source_configuration,omitempty"`
 
 	// A name to identify the stream. This is unique to the AWS account and region the Stream is created in. When using for WAF logging, name must be prefixed with aws-waf-logs-. See AWS Documentation for more details.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Configuration options if redshift is the destination.
 	// Using redshift_configuration requires the user to also specify a
@@ -148,6 +216,12 @@ type DeliveryStreamParameters struct {
 }
 
 type DeserializerObservation struct {
+
+	// Nested argument that specifies the native Hive / HCatalog JsonSerDe. More details below.
+	HiveJSONSerDe []HiveJSONSerDeObservation `json:"hiveJsonSerDe,omitempty" tf:"hive_json_ser_de,omitempty"`
+
+	// Nested argument that specifies the OpenX SerDe. More details below.
+	OpenXJSONSerDe []OpenXJSONSerDeObservation `json:"openXJsonSerDe,omitempty" tf:"open_x_json_ser_de,omitempty"`
 }
 
 type DeserializerParameters struct {
@@ -162,6 +236,12 @@ type DeserializerParameters struct {
 }
 
 type DynamicPartitioningConfigurationObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The length of time during which Firehose retries delivery after a failure, starting from the initial request and including the first attempt. The default value is 3600 seconds (60 minutes). Firehose does not retry if the value of DurationInSeconds is 0 (zero) or if the first delivery attempt takes longer than the current value.
+	RetryDuration *float64 `json:"retryDuration,omitempty" tf:"retry_duration,omitempty"`
 }
 
 type DynamicPartitioningConfigurationParameters struct {
@@ -177,8 +257,43 @@ type DynamicPartitioningConfigurationParameters struct {
 
 type ElasticsearchConfigurationObservation struct {
 
+	// Buffer incoming data for the specified period of time, in seconds between 60 to 900, before delivering it to the destination.  The default value is 300s.
+	BufferingInterval *float64 `json:"bufferingInterval,omitempty" tf:"buffering_interval,omitempty"`
+
+	// Buffer incoming data to the specified size, in MBs between 1 to 100, before delivering it to the destination.  The default value is 5MB.
+	BufferingSize *float64 `json:"bufferingSize,omitempty" tf:"buffering_size,omitempty"`
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []CloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The endpoint to use when communicating with the cluster. Conflicts with domain_arn.
+	ClusterEndpoint *string `json:"clusterEndpoint,omitempty" tf:"cluster_endpoint,omitempty"`
+
+	// The ARN of the Amazon ES domain.  The pattern needs to be arn:.*.  Conflicts with cluster_endpoint.
+	DomainArn *string `json:"domainArn,omitempty" tf:"domain_arn,omitempty"`
+
+	// The Elasticsearch index name.
+	IndexName *string `json:"indexName,omitempty" tf:"index_name,omitempty"`
+
+	// The Elasticsearch index rotation period.  Index rotation appends a timestamp to the IndexName to facilitate expiration of old data.  Valid values are NoRotation, OneHour, OneDay, OneWeek, and OneMonth.  The default value is OneDay.
+	IndexRotationPeriod *string `json:"indexRotationPeriod,omitempty" tf:"index_rotation_period,omitempty"`
+
+	// The data processing configuration.  More details are given below.
+	ProcessingConfiguration []ProcessingConfigurationObservation `json:"processingConfiguration,omitempty" tf:"processing_configuration,omitempty"`
+
+	// The length of time during which Firehose retries delivery after a failure, starting from the initial request and including the first attempt. The default value is 3600 seconds (60 minutes). Firehose does not retry if the value of DurationInSeconds is 0 (zero) or if the first delivery attempt takes longer than the current value.
+	RetryDuration *float64 `json:"retryDuration,omitempty" tf:"retry_duration,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The Amazon S3 backup mode.  Valid values are Disabled and Enabled.  Default value is Disabled.
+	S3BackupMode *string `json:"s3BackupMode,omitempty" tf:"s3_backup_mode,omitempty"`
+
+	// The Elasticsearch type name with maximum length of 100 characters.
+	TypeName *string `json:"typeName,omitempty" tf:"type_name,omitempty"`
+
 	// The VPC configuration for the delivery stream to connect to Elastic Search associated with the VPC. More details are given below
-	// +kubebuilder:validation:Optional
 	VPCConfig []VPCConfigObservation `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
 }
 
@@ -258,6 +373,15 @@ type ElasticsearchConfigurationParameters struct {
 }
 
 type ExtendedS3ConfigurationCloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type ExtendedS3ConfigurationCloudwatchLoggingOptionsParameters struct {
@@ -276,6 +400,50 @@ type ExtendedS3ConfigurationCloudwatchLoggingOptionsParameters struct {
 }
 
 type ExtendedS3ConfigurationObservation struct {
+
+	// The ARN of the S3 bucket
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300.
+	BufferInterval *float64 `json:"bufferInterval,omitempty" tf:"buffer_interval,omitempty"`
+
+	// Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.
+	// We recommend setting SizeInMBs to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec set SizeInMBs to be 10 MB or higher.
+	BufferSize *float64 `json:"bufferSize,omitempty" tf:"buffer_size,omitempty"`
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []ExtendedS3ConfigurationCloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The compression format. If no value is specified, the default is UNCOMPRESSED. Other supported values are GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+	CompressionFormat *string `json:"compressionFormat,omitempty" tf:"compression_format,omitempty"`
+
+	// Nested argument for the serializer, deserializer, and schema for converting data from the JSON format to the Parquet or ORC format before writing it to Amazon S3. More details given below.
+	DataFormatConversionConfiguration []DataFormatConversionConfigurationObservation `json:"dataFormatConversionConfiguration,omitempty" tf:"data_format_conversion_configuration,omitempty"`
+
+	// The configuration for dynamic partitioning. See Dynamic Partitioning Configuration below for more details. Required when using dynamic partitioning.
+	DynamicPartitioningConfiguration []DynamicPartitioningConfigurationObservation `json:"dynamicPartitioningConfiguration,omitempty" tf:"dynamic_partitioning_configuration,omitempty"`
+
+	// Prefix added to failed records before writing them to S3. Not currently supported for redshift destination. This prefix appears immediately following the bucket name. For information about how to specify this prefix, see Custom Prefixes for Amazon S3 Objects.
+	ErrorOutputPrefix *string `json:"errorOutputPrefix,omitempty" tf:"error_output_prefix,omitempty"`
+
+	// Specifies the KMS key ARN the stream will use to encrypt data. If not set, no encryption will
+	// be used.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// The "YYYY/MM/DD/HH" time format prefix is automatically used for delivered S3 files. You can specify an extra prefix to be added in front of the time format prefix. Note that if the prefix ends with a slash, it appears as a folder in the S3 bucket
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// The data processing configuration.  More details are given below.
+	ProcessingConfiguration []ExtendedS3ConfigurationProcessingConfigurationObservation `json:"processingConfiguration,omitempty" tf:"processing_configuration,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The configuration for backup in Amazon S3. Required if s3_backup_mode is Enabled. Supports the same fields as s3_configuration object.
+	S3BackupConfiguration []S3BackupConfigurationObservation `json:"s3BackupConfiguration,omitempty" tf:"s3_backup_configuration,omitempty"`
+
+	// The Amazon S3 backup mode.  Valid values are Disabled and Enabled.  Default value is Disabled.
+	S3BackupMode *string `json:"s3BackupMode,omitempty" tf:"s3_backup_mode,omitempty"`
 }
 
 type ExtendedS3ConfigurationParameters struct {
@@ -360,6 +528,12 @@ type ExtendedS3ConfigurationParameters struct {
 }
 
 type ExtendedS3ConfigurationProcessingConfigurationObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Array of data processors. More details are given below
+	Processors []ProcessingConfigurationProcessorsObservation `json:"processors,omitempty" tf:"processors,omitempty"`
 }
 
 type ExtendedS3ConfigurationProcessingConfigurationParameters struct {
@@ -374,6 +548,15 @@ type ExtendedS3ConfigurationProcessingConfigurationParameters struct {
 }
 
 type HTTPEndpointConfigurationCloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type HTTPEndpointConfigurationCloudwatchLoggingOptionsParameters struct {
@@ -392,6 +575,36 @@ type HTTPEndpointConfigurationCloudwatchLoggingOptionsParameters struct {
 }
 
 type HTTPEndpointConfigurationObservation struct {
+
+	// Buffer incoming data for the specified period of time, in seconds between 60 to 900, before delivering it to the destination.  The default value is 300s.
+	BufferingInterval *float64 `json:"bufferingInterval,omitempty" tf:"buffering_interval,omitempty"`
+
+	// Buffer incoming data to the specified size, in MBs between 1 to 100, before delivering it to the destination.  The default value is 5MB.
+	BufferingSize *float64 `json:"bufferingSize,omitempty" tf:"buffering_size,omitempty"`
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []HTTPEndpointConfigurationCloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The HTTP endpoint name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The data processing configuration.  More details are given below.
+	ProcessingConfiguration []HTTPEndpointConfigurationProcessingConfigurationObservation `json:"processingConfiguration,omitempty" tf:"processing_configuration,omitempty"`
+
+	// The request configuration.  More details are given below.
+	RequestConfiguration []RequestConfigurationObservation `json:"requestConfiguration,omitempty" tf:"request_configuration,omitempty"`
+
+	// The length of time during which Firehose retries delivery after a failure, starting from the initial request and including the first attempt. The default value is 3600 seconds (60 minutes). Firehose does not retry if the value of DurationInSeconds is 0 (zero) or if the first delivery attempt takes longer than the current value.
+	RetryDuration *float64 `json:"retryDuration,omitempty" tf:"retry_duration,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The Amazon S3 backup mode.  Valid values are Disabled and Enabled.  Default value is Disabled.
+	S3BackupMode *string `json:"s3BackupMode,omitempty" tf:"s3_backup_mode,omitempty"`
+
+	// The HTTP endpoint URL to which Kinesis Firehose sends your data.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
 }
 
 type HTTPEndpointConfigurationParameters struct {
@@ -452,6 +665,12 @@ type HTTPEndpointConfigurationParameters struct {
 }
 
 type HTTPEndpointConfigurationProcessingConfigurationObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Array of data processors. More details are given below
+	Processors []HTTPEndpointConfigurationProcessingConfigurationProcessorsObservation `json:"processors,omitempty" tf:"processors,omitempty"`
 }
 
 type HTTPEndpointConfigurationProcessingConfigurationParameters struct {
@@ -466,6 +685,12 @@ type HTTPEndpointConfigurationProcessingConfigurationParameters struct {
 }
 
 type HTTPEndpointConfigurationProcessingConfigurationProcessorsObservation struct {
+
+	// Array of processor parameters. More details are given below
+	Parameters []ProcessingConfigurationProcessorsParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The type of processor. Valid Values: RecordDeAggregation, Lambda, MetadataExtraction, AppendDelimiterToRecord. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type HTTPEndpointConfigurationProcessingConfigurationProcessorsParameters struct {
@@ -480,6 +705,9 @@ type HTTPEndpointConfigurationProcessingConfigurationProcessorsParameters struct
 }
 
 type HiveJSONSerDeObservation struct {
+
+	// A list of how you want Kinesis Data Firehose to parse the date and time stamps that may be present in your input data JSON. To specify these format strings, follow the pattern syntax of JodaTime's DateTimeFormat format strings. For more information, see Class DateTimeFormat. You can also use the special value millis to parse time stamps in epoch milliseconds. If you don't specify a format, Kinesis Data Firehose uses java.sql.Timestamp::valueOf by default.
+	TimestampFormats []*string `json:"timestampFormats,omitempty" tf:"timestamp_formats,omitempty"`
 }
 
 type HiveJSONSerDeParameters struct {
@@ -490,6 +718,9 @@ type HiveJSONSerDeParameters struct {
 }
 
 type InputFormatConfigurationObservation struct {
+
+	// Nested argument that specifies which deserializer to use. You can choose either the Apache Hive JSON SerDe or the OpenX JSON SerDe. More details below.
+	Deserializer []DeserializerObservation `json:"deserializer,omitempty" tf:"deserializer,omitempty"`
 }
 
 type InputFormatConfigurationParameters struct {
@@ -500,6 +731,12 @@ type InputFormatConfigurationParameters struct {
 }
 
 type KinesisSourceConfigurationObservation struct {
+
+	// The kinesis stream used as the source of the firehose delivery stream.
+	KinesisStreamArn *string `json:"kinesisStreamArn,omitempty" tf:"kinesis_stream_arn,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type KinesisSourceConfigurationParameters struct {
@@ -514,6 +751,15 @@ type KinesisSourceConfigurationParameters struct {
 }
 
 type OpenXJSONSerDeObservation struct {
+
+	// When set to true, which is the default, Kinesis Data Firehose converts JSON keys to lowercase before deserializing them.
+	CaseInsensitive *bool `json:"caseInsensitive,omitempty" tf:"case_insensitive,omitempty"`
+
+	// A map of column names to JSON keys that aren't identical to the column names. This is useful when the JSON contains keys that are Hive keywords. For example, timestamp is a Hive keyword. If you have a JSON key named timestamp, set this parameter to { ts = "timestamp" } to map this key to a column named ts.
+	ColumnToJSONKeyMappings map[string]*string `json:"columnToJsonKeyMappings,omitempty" tf:"column_to_json_key_mappings,omitempty"`
+
+	// When set to true, specifies that the names of the keys include dots and that you want Kinesis Data Firehose to replace them with underscores. This is useful because Apache Hive does not allow dots in column names. For example, if the JSON contains a key whose name is "a.b", you can define the column name to be "a_b" when using this option. Defaults to false.
+	ConvertDotsInJSONKeysToUnderscores *bool `json:"convertDotsInJsonKeysToUnderscores,omitempty" tf:"convert_dots_in_json_keys_to_underscores,omitempty"`
 }
 
 type OpenXJSONSerDeParameters struct {
@@ -532,6 +778,36 @@ type OpenXJSONSerDeParameters struct {
 }
 
 type OrcSerDeObservation struct {
+
+	// The Hadoop Distributed File System (HDFS) block size. This is useful if you intend to copy the data from Amazon S3 to HDFS before querying. The default is 256 MiB and the minimum is 64 MiB. Kinesis Data Firehose uses this value for padding calculations.
+	BlockSizeBytes *float64 `json:"blockSizeBytes,omitempty" tf:"block_size_bytes,omitempty"`
+
+	// A list of column names for which you want Kinesis Data Firehose to create bloom filters.
+	BloomFilterColumns []*string `json:"bloomFilterColumns,omitempty" tf:"bloom_filter_columns,omitempty"`
+
+	// The Bloom filter false positive probability (FPP). The lower the FPP, the bigger the Bloom filter. The default value is 0.05, the minimum is 0, and the maximum is 1.
+	BloomFilterFalsePositiveProbability *float64 `json:"bloomFilterFalsePositiveProbability,omitempty" tf:"bloom_filter_false_positive_probability,omitempty"`
+
+	// The compression code to use over data blocks. The possible values are UNCOMPRESSED, SNAPPY, and GZIP, with the default being SNAPPY. Use SNAPPY for higher decompression speed. Use GZIP if the compression ratio is more important than speed.
+	Compression *string `json:"compression,omitempty" tf:"compression,omitempty"`
+
+	// A float that represents the fraction of the total number of non-null rows. To turn off dictionary encoding, set this fraction to a number that is less than the number of distinct keys in a dictionary. To always use dictionary encoding, set this threshold to 1.
+	DictionaryKeyThreshold *float64 `json:"dictionaryKeyThreshold,omitempty" tf:"dictionary_key_threshold,omitempty"`
+
+	// Set this to true to indicate that you want stripes to be padded to the HDFS block boundaries. This is useful if you intend to copy the data from Amazon S3 to HDFS before querying. The default is false.
+	EnablePadding *bool `json:"enablePadding,omitempty" tf:"enable_padding,omitempty"`
+
+	// The version of the file to write. The possible values are V0_11 and V0_12. The default is V0_12.
+	FormatVersion *string `json:"formatVersion,omitempty" tf:"format_version,omitempty"`
+
+	// A float between 0 and 1 that defines the tolerance for block padding as a decimal fraction of stripe size. The default value is 0.05, which means 5 percent of stripe size. For the default values of 64 MiB ORC stripes and 256 MiB HDFS blocks, the default block padding tolerance of 5 percent reserves a maximum of 3.2 MiB for padding within the 256 MiB block. In such a case, if the available size within the block is more than 3.2 MiB, a new, smaller stripe is inserted to fit within that space. This ensures that no stripe crosses block boundaries and causes remote reads within a node-local task. Kinesis Data Firehose ignores this parameter when enable_padding is false.
+	PaddingTolerance *float64 `json:"paddingTolerance,omitempty" tf:"padding_tolerance,omitempty"`
+
+	// The number of rows between index entries. The default is 10000 and the minimum is 1000.
+	RowIndexStride *float64 `json:"rowIndexStride,omitempty" tf:"row_index_stride,omitempty"`
+
+	// The number of bytes in each stripe. The default is 64 MiB and the minimum is 8 MiB.
+	StripeSizeBytes *float64 `json:"stripeSizeBytes,omitempty" tf:"stripe_size_bytes,omitempty"`
 }
 
 type OrcSerDeParameters struct {
@@ -578,6 +854,9 @@ type OrcSerDeParameters struct {
 }
 
 type OutputFormatConfigurationObservation struct {
+
+	// Nested argument that specifies which serializer to use. You can choose either the ORC SerDe or the Parquet SerDe. More details below.
+	Serializer []SerializerObservation `json:"serializer,omitempty" tf:"serializer,omitempty"`
 }
 
 type OutputFormatConfigurationParameters struct {
@@ -588,6 +867,12 @@ type OutputFormatConfigurationParameters struct {
 }
 
 type ParametersObservation struct {
+
+	// Parameter name. Valid Values: LambdaArn, NumberOfRetries, MetadataExtractionQuery, JsonParsingEngine, RoleArn, BufferSizeInMBs, BufferIntervalInSeconds, SubRecordType, Delimiter. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	ParameterName *string `json:"parameterName,omitempty" tf:"parameter_name,omitempty"`
+
+	// Parameter value. Must be between 1 and 512 length (inclusive). When providing a Lambda ARN, you should specify the resource version as well.
+	ParameterValue *string `json:"parameterValue,omitempty" tf:"parameter_value,omitempty"`
 }
 
 type ParametersParameters struct {
@@ -602,6 +887,24 @@ type ParametersParameters struct {
 }
 
 type ParquetSerDeObservation struct {
+
+	// The Hadoop Distributed File System (HDFS) block size. This is useful if you intend to copy the data from Amazon S3 to HDFS before querying. The default is 256 MiB and the minimum is 64 MiB. Kinesis Data Firehose uses this value for padding calculations.
+	BlockSizeBytes *float64 `json:"blockSizeBytes,omitempty" tf:"block_size_bytes,omitempty"`
+
+	// The compression code to use over data blocks. The possible values are UNCOMPRESSED, SNAPPY, and GZIP, with the default being SNAPPY. Use SNAPPY for higher decompression speed. Use GZIP if the compression ratio is more important than speed.
+	Compression *string `json:"compression,omitempty" tf:"compression,omitempty"`
+
+	// Indicates whether to enable dictionary compression.
+	EnableDictionaryCompression *bool `json:"enableDictionaryCompression,omitempty" tf:"enable_dictionary_compression,omitempty"`
+
+	// The maximum amount of padding to apply. This is useful if you intend to copy the data from Amazon S3 to HDFS before querying. The default is 0.
+	MaxPaddingBytes *float64 `json:"maxPaddingBytes,omitempty" tf:"max_padding_bytes,omitempty"`
+
+	// The Parquet page size. Column chunks are divided into pages. A page is conceptually an indivisible unit (in terms of compression and encoding). The minimum value is 64 KiB and the default is 1 MiB.
+	PageSizeBytes *float64 `json:"pageSizeBytes,omitempty" tf:"page_size_bytes,omitempty"`
+
+	// Indicates the version of row format to output. The possible values are V1 and V2. The default is V1.
+	WriterVersion *string `json:"writerVersion,omitempty" tf:"writer_version,omitempty"`
 }
 
 type ParquetSerDeParameters struct {
@@ -632,6 +935,12 @@ type ParquetSerDeParameters struct {
 }
 
 type ProcessingConfigurationObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Array of data processors. More details are given below
+	Processors []ProcessorsObservation `json:"processors,omitempty" tf:"processors,omitempty"`
 }
 
 type ProcessingConfigurationParameters struct {
@@ -646,6 +955,12 @@ type ProcessingConfigurationParameters struct {
 }
 
 type ProcessingConfigurationProcessorsObservation struct {
+
+	// Array of processor parameters. More details are given below
+	Parameters []ProcessorsParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The type of processor. Valid Values: RecordDeAggregation, Lambda, MetadataExtraction, AppendDelimiterToRecord. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ProcessingConfigurationProcessorsParameters struct {
@@ -659,7 +974,13 @@ type ProcessingConfigurationProcessorsParameters struct {
 	Type *string `json:"type" tf:"type,omitempty"`
 }
 
-type ProcessingConfigurationProcessorsParametersObservation struct {
+type ProcessingConfigurationProcessorsParametersObservation struct {
+
+	// Parameter name. Valid Values: LambdaArn, NumberOfRetries, MetadataExtractionQuery, JsonParsingEngine, RoleArn, BufferSizeInMBs, BufferIntervalInSeconds, SubRecordType, Delimiter. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	ParameterName *string `json:"parameterName,omitempty" tf:"parameter_name,omitempty"`
+
+	// Parameter value. Must be between 1 and 512 length (inclusive). When providing a Lambda ARN, you should specify the resource version as well.
+	ParameterValue *string `json:"parameterValue,omitempty" tf:"parameter_value,omitempty"`
 }
 
 type ProcessingConfigurationProcessorsParametersParameters struct {
@@ -674,6 +995,12 @@ type ProcessingConfigurationProcessorsParametersParameters struct {
 }
 
 type ProcessorsObservation struct {
+
+	// Array of processor parameters. More details are given below
+	Parameters []ParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The type of processor. Valid Values: RecordDeAggregation, Lambda, MetadataExtraction, AppendDelimiterToRecord. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ProcessorsParameters struct {
@@ -688,6 +1015,12 @@ type ProcessorsParameters struct {
 }
 
 type ProcessorsParametersObservation struct {
+
+	// Parameter name. Valid Values: LambdaArn, NumberOfRetries, MetadataExtractionQuery, JsonParsingEngine, RoleArn, BufferSizeInMBs, BufferIntervalInSeconds, SubRecordType, Delimiter. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	ParameterName *string `json:"parameterName,omitempty" tf:"parameter_name,omitempty"`
+
+	// Parameter value. Must be between 1 and 512 length (inclusive). When providing a Lambda ARN, you should specify the resource version as well.
+	ParameterValue *string `json:"parameterValue,omitempty" tf:"parameter_value,omitempty"`
 }
 
 type ProcessorsParametersParameters struct {
@@ -702,6 +1035,15 @@ type ProcessorsParametersParameters struct {
 }
 
 type RedshiftConfigurationCloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type RedshiftConfigurationCloudwatchLoggingOptionsParameters struct {
@@ -720,6 +1062,39 @@ type RedshiftConfigurationCloudwatchLoggingOptionsParameters struct {
 }
 
 type RedshiftConfigurationObservation struct {
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []RedshiftConfigurationCloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The jdbcurl of the redshift cluster.
+	ClusterJdbcurl *string `json:"clusterJdbcurl,omitempty" tf:"cluster_jdbcurl,omitempty"`
+
+	// Copy options for copying the data from the s3 intermediate bucket into redshift, for example to change the default delimiter. For valid values, see the AWS documentation
+	CopyOptions *string `json:"copyOptions,omitempty" tf:"copy_options,omitempty"`
+
+	// The data table columns that will be targeted by the copy command.
+	DataTableColumns *string `json:"dataTableColumns,omitempty" tf:"data_table_columns,omitempty"`
+
+	// The name of the table in the redshift cluster that the s3 bucket will copy to.
+	DataTableName *string `json:"dataTableName,omitempty" tf:"data_table_name,omitempty"`
+
+	// The data processing configuration.  More details are given below.
+	ProcessingConfiguration []RedshiftConfigurationProcessingConfigurationObservation `json:"processingConfiguration,omitempty" tf:"processing_configuration,omitempty"`
+
+	// The length of time during which Firehose retries delivery after a failure, starting from the initial request and including the first attempt. The default value is 3600 seconds (60 minutes). Firehose does not retry if the value of DurationInSeconds is 0 (zero) or if the first delivery attempt takes longer than the current value.
+	RetryDuration *float64 `json:"retryDuration,omitempty" tf:"retry_duration,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The configuration for backup in Amazon S3. Required if s3_backup_mode is Enabled. Supports the same fields as s3_configuration object.
+	S3BackupConfiguration []RedshiftConfigurationS3BackupConfigurationObservation `json:"s3BackupConfiguration,omitempty" tf:"s3_backup_configuration,omitempty"`
+
+	// The Amazon S3 backup mode.  Valid values are Disabled and Enabled.  Default value is Disabled.
+	S3BackupMode *string `json:"s3BackupMode,omitempty" tf:"s3_backup_mode,omitempty"`
+
+	// The username that the firehose delivery stream will assume. It is strongly recommended that the username and password provided is used exclusively for Amazon Kinesis Firehose purposes, and that the permissions for the account are restricted for Amazon Redshift INSERT permissions.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type RedshiftConfigurationParameters struct {
@@ -784,6 +1159,12 @@ type RedshiftConfigurationParameters struct {
 }
 
 type RedshiftConfigurationProcessingConfigurationObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Array of data processors. More details are given below
+	Processors []RedshiftConfigurationProcessingConfigurationProcessorsObservation `json:"processors,omitempty" tf:"processors,omitempty"`
 }
 
 type RedshiftConfigurationProcessingConfigurationParameters struct {
@@ -798,6 +1179,12 @@ type RedshiftConfigurationProcessingConfigurationParameters struct {
 }
 
 type RedshiftConfigurationProcessingConfigurationProcessorsObservation struct {
+
+	// Array of processor parameters. More details are given below
+	Parameters []RedshiftConfigurationProcessingConfigurationProcessorsParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The type of processor. Valid Values: RecordDeAggregation, Lambda, MetadataExtraction, AppendDelimiterToRecord. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RedshiftConfigurationProcessingConfigurationProcessorsParameters struct {
@@ -812,6 +1199,12 @@ type RedshiftConfigurationProcessingConfigurationProcessorsParameters struct {
 }
 
 type RedshiftConfigurationProcessingConfigurationProcessorsParametersObservation struct {
+
+	// Parameter name. Valid Values: LambdaArn, NumberOfRetries, MetadataExtractionQuery, JsonParsingEngine, RoleArn, BufferSizeInMBs, BufferIntervalInSeconds, SubRecordType, Delimiter. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	ParameterName *string `json:"parameterName,omitempty" tf:"parameter_name,omitempty"`
+
+	// Parameter value. Must be between 1 and 512 length (inclusive). When providing a Lambda ARN, you should specify the resource version as well.
+	ParameterValue *string `json:"parameterValue,omitempty" tf:"parameter_value,omitempty"`
 }
 
 type RedshiftConfigurationProcessingConfigurationProcessorsParametersParameters struct {
@@ -826,6 +1219,15 @@ type RedshiftConfigurationProcessingConfigurationProcessorsParametersParameters
 }
 
 type RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsParameters struct {
@@ -844,6 +1246,35 @@ type RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsParameter
 }
 
 type RedshiftConfigurationS3BackupConfigurationObservation struct {
+
+	// The ARN of the S3 bucket
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300.
+	BufferInterval *float64 `json:"bufferInterval,omitempty" tf:"buffer_interval,omitempty"`
+
+	// Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.
+	// We recommend setting SizeInMBs to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec set SizeInMBs to be 10 MB or higher.
+	BufferSize *float64 `json:"bufferSize,omitempty" tf:"buffer_size,omitempty"`
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The compression format. If no value is specified, the default is UNCOMPRESSED. Other supported values are GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+	CompressionFormat *string `json:"compressionFormat,omitempty" tf:"compression_format,omitempty"`
+
+	// Prefix added to failed records before writing them to S3. Not currently supported for redshift destination. This prefix appears immediately following the bucket name. For information about how to specify this prefix, see Custom Prefixes for Amazon S3 Objects.
+	ErrorOutputPrefix *string `json:"errorOutputPrefix,omitempty" tf:"error_output_prefix,omitempty"`
+
+	// Specifies the KMS key ARN the stream will use to encrypt data. If not set, no encryption will
+	// be used.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// The "YYYY/MM/DD/HH" time format prefix is automatically used for delivered S3 files. You can specify an extra prefix to be added in front of the time format prefix. Note that if the prefix ends with a slash, it appears as a folder in the S3 bucket
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type RedshiftConfigurationS3BackupConfigurationParameters struct {
@@ -908,6 +1339,12 @@ type RedshiftConfigurationS3BackupConfigurationParameters struct {
 }
 
 type RequestConfigurationObservation struct {
+
+	// Describes the metadata sent to the HTTP endpoint destination. More details are given below
+	CommonAttributes []CommonAttributesObservation `json:"commonAttributes,omitempty" tf:"common_attributes,omitempty"`
+
+	// Kinesis Data Firehose uses the content encoding to compress the body of a request before sending the request to the destination. Valid values are NONE and GZIP.  Default value is NONE.
+	ContentEncoding *string `json:"contentEncoding,omitempty" tf:"content_encoding,omitempty"`
 }
 
 type RequestConfigurationParameters struct {
@@ -922,6 +1359,15 @@ type RequestConfigurationParameters struct {
 }
 
 type S3BackupConfigurationCloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type S3BackupConfigurationCloudwatchLoggingOptionsParameters struct {
@@ -940,6 +1386,35 @@ type S3BackupConfigurationCloudwatchLoggingOptionsParameters struct {
 }
 
 type S3BackupConfigurationObservation struct {
+
+	// The ARN of the S3 bucket
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300.
+	BufferInterval *float64 `json:"bufferInterval,omitempty" tf:"buffer_interval,omitempty"`
+
+	// Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.
+	// We recommend setting SizeInMBs to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec set SizeInMBs to be 10 MB or higher.
+	BufferSize *float64 `json:"bufferSize,omitempty" tf:"buffer_size,omitempty"`
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []S3BackupConfigurationCloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The compression format. If no value is specified, the default is UNCOMPRESSED. Other supported values are GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+	CompressionFormat *string `json:"compressionFormat,omitempty" tf:"compression_format,omitempty"`
+
+	// Prefix added to failed records before writing them to S3. Not currently supported for redshift destination. This prefix appears immediately following the bucket name. For information about how to specify this prefix, see Custom Prefixes for Amazon S3 Objects.
+	ErrorOutputPrefix *string `json:"errorOutputPrefix,omitempty" tf:"error_output_prefix,omitempty"`
+
+	// Specifies the KMS key ARN the stream will use to encrypt data. If not set, no encryption will
+	// be used.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// The "YYYY/MM/DD/HH" time format prefix is automatically used for delivered S3 files. You can specify an extra prefix to be added in front of the time format prefix. Note that if the prefix ends with a slash, it appears as a folder in the S3 bucket
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type S3BackupConfigurationParameters struct {
@@ -984,6 +1459,15 @@ type S3BackupConfigurationParameters struct {
 }
 
 type S3ConfigurationCloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type S3ConfigurationCloudwatchLoggingOptionsParameters struct {
@@ -1002,6 +1486,35 @@ type S3ConfigurationCloudwatchLoggingOptionsParameters struct {
 }
 
 type S3ConfigurationObservation struct {
+
+	// The ARN of the S3 bucket
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// Buffer incoming data for the specified period of time, in seconds, before delivering it to the destination. The default value is 300.
+	BufferInterval *float64 `json:"bufferInterval,omitempty" tf:"buffer_interval,omitempty"`
+
+	// Buffer incoming data to the specified size, in MBs, before delivering it to the destination. The default value is 5.
+	// We recommend setting SizeInMBs to a value greater than the amount of data you typically ingest into the delivery stream in 10 seconds. For example, if you typically ingest data at 1 MB/sec set SizeInMBs to be 10 MB or higher.
+	BufferSize *float64 `json:"bufferSize,omitempty" tf:"buffer_size,omitempty"`
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []S3ConfigurationCloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The compression format. If no value is specified, the default is UNCOMPRESSED. Other supported values are GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+	CompressionFormat *string `json:"compressionFormat,omitempty" tf:"compression_format,omitempty"`
+
+	// Prefix added to failed records before writing them to S3. Not currently supported for redshift destination. This prefix appears immediately following the bucket name. For information about how to specify this prefix, see Custom Prefixes for Amazon S3 Objects.
+	ErrorOutputPrefix *string `json:"errorOutputPrefix,omitempty" tf:"error_output_prefix,omitempty"`
+
+	// Specifies the KMS key ARN the stream will use to encrypt data. If not set, no encryption will
+	// be used.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// The "YYYY/MM/DD/HH" time format prefix is automatically used for delivered S3 files. You can specify an extra prefix to be added in front of the time format prefix. Note that if the prefix ends with a slash, it appears as a folder in the S3 bucket
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type S3ConfigurationParameters struct {
@@ -1066,6 +1579,24 @@ type S3ConfigurationParameters struct {
 }
 
 type SchemaConfigurationObservation struct {
+
+	// The ID of the AWS Glue Data Catalog. If you don't supply this, the AWS account ID is used by default.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Specifies the name of the AWS Glue database that contains the schema for the output data.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// If you don't specify an AWS Region, the default is the current region.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Specifies the AWS Glue table that contains the column information that constitutes your data schema.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
+
+	// Specifies the table version for the output data schema. Defaults to LATEST.
+	VersionID *string `json:"versionId,omitempty" tf:"version_id,omitempty"`
 }
 
 type SchemaConfigurationParameters struct {
@@ -1115,6 +1646,12 @@ type SchemaConfigurationParameters struct {
 }
 
 type SerializerObservation struct {
+
+	// Nested argument that specifies converting data to the ORC format before storing it in Amazon S3. For more information, see Apache ORC. More details below.
+	OrcSerDe []OrcSerDeObservation `json:"orcSerDe,omitempty" tf:"orc_ser_de,omitempty"`
+
+	// Nested argument that specifies converting data to the Parquet format before storing it in Amazon S3. For more information, see Apache Parquet. More details below.
+	ParquetSerDe []ParquetSerDeObservation `json:"parquetSerDe,omitempty" tf:"parquet_ser_de,omitempty"`
 }
 
 type SerializerParameters struct {
@@ -1129,6 +1666,15 @@ type SerializerParameters struct {
 }
 
 type ServerSideEncryptionObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Amazon Resource Name (ARN) of the encryption key. Required when key_type is CUSTOMER_MANAGED_CMK.
+	KeyArn *string `json:"keyArn,omitempty" tf:"key_arn,omitempty"`
+
+	// Type of encryption key. Default is AWS_OWNED_CMK. Valid values are AWS_OWNED_CMK and CUSTOMER_MANAGED_CMK
+	KeyType *string `json:"keyType,omitempty" tf:"key_type,omitempty"`
 }
 
 type ServerSideEncryptionParameters struct {
@@ -1147,6 +1693,15 @@ type ServerSideEncryptionParameters struct {
 }
 
 type SplunkConfigurationCloudwatchLoggingOptionsObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The CloudWatch group name for logging. This value is required if enabled is true.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The CloudWatch log stream name for logging. This value is required if enabled is true.
+	LogStreamName *string `json:"logStreamName,omitempty" tf:"log_stream_name,omitempty"`
 }
 
 type SplunkConfigurationCloudwatchLoggingOptionsParameters struct {
@@ -1165,6 +1720,30 @@ type SplunkConfigurationCloudwatchLoggingOptionsParameters struct {
 }
 
 type SplunkConfigurationObservation struct {
+
+	// The CloudWatch Logging Options for the delivery stream. More details are given below
+	CloudwatchLoggingOptions []SplunkConfigurationCloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
+
+	// The amount of time, in seconds between 180 and 600, that Kinesis Firehose waits to receive an acknowledgment from Splunk after it sends it data.
+	HecAcknowledgmentTimeout *float64 `json:"hecAcknowledgmentTimeout,omitempty" tf:"hec_acknowledgment_timeout,omitempty"`
+
+	// The HTTP Event Collector (HEC) endpoint to which Kinesis Firehose sends your data.
+	HecEndpoint *string `json:"hecEndpoint,omitempty" tf:"hec_endpoint,omitempty"`
+
+	// The HEC endpoint type. Valid values are Raw or Event. The default value is Raw.
+	HecEndpointType *string `json:"hecEndpointType,omitempty" tf:"hec_endpoint_type,omitempty"`
+
+	// The GUID that you obtain from your Splunk cluster when you create a new HEC endpoint.
+	HecToken *string `json:"hecToken,omitempty" tf:"hec_token,omitempty"`
+
+	// The data processing configuration.  More details are given below.
+	ProcessingConfiguration []SplunkConfigurationProcessingConfigurationObservation `json:"processingConfiguration,omitempty" tf:"processing_configuration,omitempty"`
+
+	// The length of time during which Firehose retries delivery after a failure, starting from the initial request and including the first attempt. The default value is 3600 seconds (60 minutes). Firehose does not retry if the value of DurationInSeconds is 0 (zero) or if the first delivery attempt takes longer than the current value.
+	RetryDuration *float64 `json:"retryDuration,omitempty" tf:"retry_duration,omitempty"`
+
+	// The Amazon S3 backup mode.  Valid values are Disabled and Enabled.  Default value is Disabled.
+	S3BackupMode *string `json:"s3BackupMode,omitempty" tf:"s3_backup_mode,omitempty"`
 }
 
 type SplunkConfigurationParameters struct {
@@ -1203,6 +1782,12 @@ type SplunkConfigurationParameters struct {
 }
 
 type SplunkConfigurationProcessingConfigurationObservation struct {
+
+	// Enables or disables the logging. Defaults to false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Array of data processors. More details are given below
+	Processors []SplunkConfigurationProcessingConfigurationProcessorsObservation `json:"processors,omitempty" tf:"processors,omitempty"`
 }
 
 type SplunkConfigurationProcessingConfigurationParameters struct {
@@ -1217,6 +1802,12 @@ type SplunkConfigurationProcessingConfigurationParameters struct {
 }
 
 type SplunkConfigurationProcessingConfigurationProcessorsObservation struct {
+
+	// Array of processor parameters. More details are given below
+	Parameters []SplunkConfigurationProcessingConfigurationProcessorsParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The type of processor. Valid Values: RecordDeAggregation, Lambda, MetadataExtraction, AppendDelimiterToRecord. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type SplunkConfigurationProcessingConfigurationProcessorsParameters struct {
@@ -1231,6 +1822,12 @@ type SplunkConfigurationProcessingConfigurationProcessorsParameters struct {
 }
 
 type SplunkConfigurationProcessingConfigurationProcessorsParametersObservation struct {
+
+	// Parameter name. Valid Values: LambdaArn, NumberOfRetries, MetadataExtractionQuery, JsonParsingEngine, RoleArn, BufferSizeInMBs, BufferIntervalInSeconds, SubRecordType, Delimiter. Validation is done against AWS SDK constants; so that values not explicitly listed may also work.
+	ParameterName *string `json:"parameterName,omitempty" tf:"parameter_name,omitempty"`
+
+	// Parameter value. Must be between 1 and 512 length (inclusive). When providing a Lambda ARN, you should specify the resource version as well.
+	ParameterValue *string `json:"parameterValue,omitempty" tf:"parameter_value,omitempty"`
 }
 
 type SplunkConfigurationProcessingConfigurationProcessorsParametersParameters struct {
@@ -1245,6 +1842,16 @@ type SplunkConfigurationProcessingConfigurationProcessorsParametersParameters st
 }
 
 type VPCConfigObservation struct {
+
+	// The ARN of the AWS credentials.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// A list of security group IDs to associate with Kinesis Firehose.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// A list of subnet IDs to associate with Kinesis Firehose.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
@@ -1297,8 +1904,10 @@ type DeliveryStreamStatus struct {
 type DeliveryStream struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DeliveryStreamSpec   `json:"spec"`
-	Status            DeliveryStreamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)",message="destination is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   DeliveryStreamSpec   `json:"spec"`
+	Status DeliveryStreamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/firehose/v1beta1/zz_generated.deepcopy.go b/apis/firehose/v1beta1/zz_generated.deepcopy.go
index d8ba919b57..78f7e1b072 100644
--- a/apis/firehose/v1beta1/zz_generated.deepcopy.go
+++ b/apis/firehose/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchLoggingOptionsObservation) DeepCopyInto(out *CloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchLoggingOptionsObservation.
@@ -62,6 +77,16 @@ func (in *CloudwatchLoggingOptionsParameters) DeepCopy() *CloudwatchLoggingOptio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommonAttributesObservation) DeepCopyInto(out *CommonAttributesObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommonAttributesObservation.
@@ -102,6 +127,32 @@ func (in *CommonAttributesParameters) DeepCopy() *CommonAttributesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataFormatConversionConfigurationObservation) DeepCopyInto(out *DataFormatConversionConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InputFormatConfiguration != nil {
+		in, out := &in.InputFormatConfiguration, &out.InputFormatConfiguration
+		*out = make([]InputFormatConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputFormatConfiguration != nil {
+		in, out := &in.OutputFormatConfiguration, &out.OutputFormatConfiguration
+		*out = make([]OutputFormatConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SchemaConfiguration != nil {
+		in, out := &in.SchemaConfiguration, &out.SchemaConfiguration
+		*out = make([]SchemaConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataFormatConversionConfigurationObservation.
@@ -217,6 +268,21 @@ func (in *DeliveryStreamList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeliveryStreamObservation) DeepCopyInto(out *DeliveryStreamObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationID != nil {
+		in, out := &in.DestinationID, &out.DestinationID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ElasticsearchConfiguration != nil {
 		in, out := &in.ElasticsearchConfiguration, &out.ElasticsearchConfiguration
 		*out = make([]ElasticsearchConfigurationObservation, len(*in))
@@ -224,11 +290,80 @@ func (in *DeliveryStreamObservation) DeepCopyInto(out *DeliveryStreamObservation
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ExtendedS3Configuration != nil {
+		in, out := &in.ExtendedS3Configuration, &out.ExtendedS3Configuration
+		*out = make([]ExtendedS3ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTPEndpointConfiguration != nil {
+		in, out := &in.HTTPEndpointConfiguration, &out.HTTPEndpointConfiguration
+		*out = make([]HTTPEndpointConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KinesisSourceConfiguration != nil {
+		in, out := &in.KinesisSourceConfiguration, &out.KinesisSourceConfiguration
+		*out = make([]KinesisSourceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RedshiftConfiguration != nil {
+		in, out := &in.RedshiftConfiguration, &out.RedshiftConfiguration
+		*out = make([]RedshiftConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Configuration != nil {
+		in, out := &in.S3Configuration, &out.S3Configuration
+		*out = make([]S3ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServerSideEncryption != nil {
+		in, out := &in.ServerSideEncryption, &out.ServerSideEncryption
+		*out = make([]ServerSideEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SplunkConfiguration != nil {
+		in, out := &in.SplunkConfiguration, &out.SplunkConfiguration
+		*out = make([]SplunkConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -244,6 +379,11 @@ func (in *DeliveryStreamObservation) DeepCopyInto(out *DeliveryStreamObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.VersionID != nil {
+		in, out := &in.VersionID, &out.VersionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeliveryStreamObservation.
@@ -409,6 +549,20 @@ func (in *DeliveryStreamStatus) DeepCopy() *DeliveryStreamStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeserializerObservation) DeepCopyInto(out *DeserializerObservation) {
 	*out = *in
+	if in.HiveJSONSerDe != nil {
+		in, out := &in.HiveJSONSerDe, &out.HiveJSONSerDe
+		*out = make([]HiveJSONSerDeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OpenXJSONSerDe != nil {
+		in, out := &in.OpenXJSONSerDe, &out.OpenXJSONSerDe
+		*out = make([]OpenXJSONSerDeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeserializerObservation.
@@ -453,6 +607,16 @@ func (in *DeserializerParameters) DeepCopy() *DeserializerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DynamicPartitioningConfigurationObservation) DeepCopyInto(out *DynamicPartitioningConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RetryDuration != nil {
+		in, out := &in.RetryDuration, &out.RetryDuration
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamicPartitioningConfigurationObservation.
@@ -493,6 +657,70 @@ func (in *DynamicPartitioningConfigurationParameters) DeepCopy() *DynamicPartiti
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ElasticsearchConfigurationObservation) DeepCopyInto(out *ElasticsearchConfigurationObservation) {
 	*out = *in
+	if in.BufferingInterval != nil {
+		in, out := &in.BufferingInterval, &out.BufferingInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferingSize != nil {
+		in, out := &in.BufferingSize, &out.BufferingSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]CloudwatchLoggingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClusterEndpoint != nil {
+		in, out := &in.ClusterEndpoint, &out.ClusterEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainArn != nil {
+		in, out := &in.DomainArn, &out.DomainArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.IndexName != nil {
+		in, out := &in.IndexName, &out.IndexName
+		*out = new(string)
+		**out = **in
+	}
+	if in.IndexRotationPeriod != nil {
+		in, out := &in.IndexRotationPeriod, &out.IndexRotationPeriod
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProcessingConfiguration != nil {
+		in, out := &in.ProcessingConfiguration, &out.ProcessingConfiguration
+		*out = make([]ProcessingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryDuration != nil {
+		in, out := &in.RetryDuration, &out.RetryDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3BackupMode != nil {
+		in, out := &in.S3BackupMode, &out.S3BackupMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.TypeName != nil {
+		in, out := &in.TypeName, &out.TypeName
+		*out = new(string)
+		**out = **in
+	}
 	if in.VPCConfig != nil {
 		in, out := &in.VPCConfig, &out.VPCConfig
 		*out = make([]VPCConfigObservation, len(*in))
@@ -621,6 +849,21 @@ func (in *ElasticsearchConfigurationParameters) DeepCopy() *ElasticsearchConfigu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExtendedS3ConfigurationCloudwatchLoggingOptionsObservation) DeepCopyInto(out *ExtendedS3ConfigurationCloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtendedS3ConfigurationCloudwatchLoggingOptionsObservation.
@@ -666,36 +909,11 @@ func (in *ExtendedS3ConfigurationCloudwatchLoggingOptionsParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExtendedS3ConfigurationObservation) DeepCopyInto(out *ExtendedS3ConfigurationObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtendedS3ConfigurationObservation.
-func (in *ExtendedS3ConfigurationObservation) DeepCopy() *ExtendedS3ConfigurationObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(ExtendedS3ConfigurationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ExtendedS3ConfigurationParameters) DeepCopyInto(out *ExtendedS3ConfigurationParameters) {
-	*out = *in
 	if in.BucketArn != nil {
 		in, out := &in.BucketArn, &out.BucketArn
 		*out = new(string)
 		**out = **in
 	}
-	if in.BucketArnRef != nil {
-		in, out := &in.BucketArnRef, &out.BucketArnRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.BucketArnSelector != nil {
-		in, out := &in.BucketArnSelector, &out.BucketArnSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.BufferInterval != nil {
 		in, out := &in.BufferInterval, &out.BufferInterval
 		*out = new(float64)
@@ -708,7 +926,7 @@ func (in *ExtendedS3ConfigurationParameters) DeepCopyInto(out *ExtendedS3Configu
 	}
 	if in.CloudwatchLoggingOptions != nil {
 		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
-		*out = make([]ExtendedS3ConfigurationCloudwatchLoggingOptionsParameters, len(*in))
+		*out = make([]ExtendedS3ConfigurationCloudwatchLoggingOptionsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -720,7 +938,112 @@ func (in *ExtendedS3ConfigurationParameters) DeepCopyInto(out *ExtendedS3Configu
 	}
 	if in.DataFormatConversionConfiguration != nil {
 		in, out := &in.DataFormatConversionConfiguration, &out.DataFormatConversionConfiguration
-		*out = make([]DataFormatConversionConfigurationParameters, len(*in))
+		*out = make([]DataFormatConversionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DynamicPartitioningConfiguration != nil {
+		in, out := &in.DynamicPartitioningConfiguration, &out.DynamicPartitioningConfiguration
+		*out = make([]DynamicPartitioningConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ErrorOutputPrefix != nil {
+		in, out := &in.ErrorOutputPrefix, &out.ErrorOutputPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProcessingConfiguration != nil {
+		in, out := &in.ProcessingConfiguration, &out.ProcessingConfiguration
+		*out = make([]ExtendedS3ConfigurationProcessingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3BackupConfiguration != nil {
+		in, out := &in.S3BackupConfiguration, &out.S3BackupConfiguration
+		*out = make([]S3BackupConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3BackupMode != nil {
+		in, out := &in.S3BackupMode, &out.S3BackupMode
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtendedS3ConfigurationObservation.
+func (in *ExtendedS3ConfigurationObservation) DeepCopy() *ExtendedS3ConfigurationObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(ExtendedS3ConfigurationObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ExtendedS3ConfigurationParameters) DeepCopyInto(out *ExtendedS3ConfigurationParameters) {
+	*out = *in
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketArnRef != nil {
+		in, out := &in.BucketArnRef, &out.BucketArnRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.BucketArnSelector != nil {
+		in, out := &in.BucketArnSelector, &out.BucketArnSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.BufferInterval != nil {
+		in, out := &in.BufferInterval, &out.BufferInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferSize != nil {
+		in, out := &in.BufferSize, &out.BufferSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]ExtendedS3ConfigurationCloudwatchLoggingOptionsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CompressionFormat != nil {
+		in, out := &in.CompressionFormat, &out.CompressionFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataFormatConversionConfiguration != nil {
+		in, out := &in.DataFormatConversionConfiguration, &out.DataFormatConversionConfiguration
+		*out = make([]DataFormatConversionConfigurationParameters, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -796,6 +1119,18 @@ func (in *ExtendedS3ConfigurationParameters) DeepCopy() *ExtendedS3Configuration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExtendedS3ConfigurationProcessingConfigurationObservation) DeepCopyInto(out *ExtendedS3ConfigurationProcessingConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Processors != nil {
+		in, out := &in.Processors, &out.Processors
+		*out = make([]ProcessingConfigurationProcessorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExtendedS3ConfigurationProcessingConfigurationObservation.
@@ -838,6 +1173,21 @@ func (in *ExtendedS3ConfigurationProcessingConfigurationParameters) DeepCopy() *
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPEndpointConfigurationCloudwatchLoggingOptionsObservation) DeepCopyInto(out *HTTPEndpointConfigurationCloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPEndpointConfigurationCloudwatchLoggingOptionsObservation.
@@ -883,6 +1233,62 @@ func (in *HTTPEndpointConfigurationCloudwatchLoggingOptionsParameters) DeepCopy(
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPEndpointConfigurationObservation) DeepCopyInto(out *HTTPEndpointConfigurationObservation) {
 	*out = *in
+	if in.BufferingInterval != nil {
+		in, out := &in.BufferingInterval, &out.BufferingInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferingSize != nil {
+		in, out := &in.BufferingSize, &out.BufferingSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]HTTPEndpointConfigurationCloudwatchLoggingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProcessingConfiguration != nil {
+		in, out := &in.ProcessingConfiguration, &out.ProcessingConfiguration
+		*out = make([]HTTPEndpointConfigurationProcessingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RequestConfiguration != nil {
+		in, out := &in.RequestConfiguration, &out.RequestConfiguration
+		*out = make([]RequestConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryDuration != nil {
+		in, out := &in.RetryDuration, &out.RetryDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3BackupMode != nil {
+		in, out := &in.S3BackupMode, &out.S3BackupMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPEndpointConfigurationObservation.
@@ -984,6 +1390,18 @@ func (in *HTTPEndpointConfigurationParameters) DeepCopy() *HTTPEndpointConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPEndpointConfigurationProcessingConfigurationObservation) DeepCopyInto(out *HTTPEndpointConfigurationProcessingConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Processors != nil {
+		in, out := &in.Processors, &out.Processors
+		*out = make([]HTTPEndpointConfigurationProcessingConfigurationProcessorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPEndpointConfigurationProcessingConfigurationObservation.
@@ -1026,6 +1444,18 @@ func (in *HTTPEndpointConfigurationProcessingConfigurationParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPEndpointConfigurationProcessingConfigurationProcessorsObservation) DeepCopyInto(out *HTTPEndpointConfigurationProcessingConfigurationProcessorsObservation) {
 	*out = *in
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]ProcessingConfigurationProcessorsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPEndpointConfigurationProcessingConfigurationProcessorsObservation.
@@ -1068,6 +1498,17 @@ func (in *HTTPEndpointConfigurationProcessingConfigurationProcessorsParameters)
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HiveJSONSerDeObservation) DeepCopyInto(out *HiveJSONSerDeObservation) {
 	*out = *in
+	if in.TimestampFormats != nil {
+		in, out := &in.TimestampFormats, &out.TimestampFormats
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HiveJSONSerDeObservation.
@@ -1109,6 +1550,13 @@ func (in *HiveJSONSerDeParameters) DeepCopy() *HiveJSONSerDeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputFormatConfigurationObservation) DeepCopyInto(out *InputFormatConfigurationObservation) {
 	*out = *in
+	if in.Deserializer != nil {
+		in, out := &in.Deserializer, &out.Deserializer
+		*out = make([]DeserializerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputFormatConfigurationObservation.
@@ -1146,6 +1594,16 @@ func (in *InputFormatConfigurationParameters) DeepCopy() *InputFormatConfigurati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisSourceConfigurationObservation) DeepCopyInto(out *KinesisSourceConfigurationObservation) {
 	*out = *in
+	if in.KinesisStreamArn != nil {
+		in, out := &in.KinesisStreamArn, &out.KinesisStreamArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisSourceConfigurationObservation.
@@ -1186,6 +1644,31 @@ func (in *KinesisSourceConfigurationParameters) DeepCopy() *KinesisSourceConfigu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OpenXJSONSerDeObservation) DeepCopyInto(out *OpenXJSONSerDeObservation) {
 	*out = *in
+	if in.CaseInsensitive != nil {
+		in, out := &in.CaseInsensitive, &out.CaseInsensitive
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ColumnToJSONKeyMappings != nil {
+		in, out := &in.ColumnToJSONKeyMappings, &out.ColumnToJSONKeyMappings
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ConvertDotsInJSONKeysToUnderscores != nil {
+		in, out := &in.ConvertDotsInJSONKeysToUnderscores, &out.ConvertDotsInJSONKeysToUnderscores
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenXJSONSerDeObservation.
@@ -1241,6 +1724,62 @@ func (in *OpenXJSONSerDeParameters) DeepCopy() *OpenXJSONSerDeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OrcSerDeObservation) DeepCopyInto(out *OrcSerDeObservation) {
 	*out = *in
+	if in.BlockSizeBytes != nil {
+		in, out := &in.BlockSizeBytes, &out.BlockSizeBytes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BloomFilterColumns != nil {
+		in, out := &in.BloomFilterColumns, &out.BloomFilterColumns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BloomFilterFalsePositiveProbability != nil {
+		in, out := &in.BloomFilterFalsePositiveProbability, &out.BloomFilterFalsePositiveProbability
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Compression != nil {
+		in, out := &in.Compression, &out.Compression
+		*out = new(string)
+		**out = **in
+	}
+	if in.DictionaryKeyThreshold != nil {
+		in, out := &in.DictionaryKeyThreshold, &out.DictionaryKeyThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EnablePadding != nil {
+		in, out := &in.EnablePadding, &out.EnablePadding
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FormatVersion != nil {
+		in, out := &in.FormatVersion, &out.FormatVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PaddingTolerance != nil {
+		in, out := &in.PaddingTolerance, &out.PaddingTolerance
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RowIndexStride != nil {
+		in, out := &in.RowIndexStride, &out.RowIndexStride
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StripeSizeBytes != nil {
+		in, out := &in.StripeSizeBytes, &out.StripeSizeBytes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OrcSerDeObservation.
@@ -1327,6 +1866,13 @@ func (in *OrcSerDeParameters) DeepCopy() *OrcSerDeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputFormatConfigurationObservation) DeepCopyInto(out *OutputFormatConfigurationObservation) {
 	*out = *in
+	if in.Serializer != nil {
+		in, out := &in.Serializer, &out.Serializer
+		*out = make([]SerializerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputFormatConfigurationObservation.
@@ -1364,6 +1910,16 @@ func (in *OutputFormatConfigurationParameters) DeepCopy() *OutputFormatConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParametersObservation) DeepCopyInto(out *ParametersObservation) {
 	*out = *in
+	if in.ParameterName != nil {
+		in, out := &in.ParameterName, &out.ParameterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterValue != nil {
+		in, out := &in.ParameterValue, &out.ParameterValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParametersObservation.
@@ -1404,6 +1960,36 @@ func (in *ParametersParameters) DeepCopy() *ParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParquetSerDeObservation) DeepCopyInto(out *ParquetSerDeObservation) {
 	*out = *in
+	if in.BlockSizeBytes != nil {
+		in, out := &in.BlockSizeBytes, &out.BlockSizeBytes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Compression != nil {
+		in, out := &in.Compression, &out.Compression
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableDictionaryCompression != nil {
+		in, out := &in.EnableDictionaryCompression, &out.EnableDictionaryCompression
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MaxPaddingBytes != nil {
+		in, out := &in.MaxPaddingBytes, &out.MaxPaddingBytes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PageSizeBytes != nil {
+		in, out := &in.PageSizeBytes, &out.PageSizeBytes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WriterVersion != nil {
+		in, out := &in.WriterVersion, &out.WriterVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParquetSerDeObservation.
@@ -1464,6 +2050,18 @@ func (in *ParquetSerDeParameters) DeepCopy() *ParquetSerDeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessingConfigurationObservation) DeepCopyInto(out *ProcessingConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Processors != nil {
+		in, out := &in.Processors, &out.Processors
+		*out = make([]ProcessorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessingConfigurationObservation.
@@ -1506,6 +2104,18 @@ func (in *ProcessingConfigurationParameters) DeepCopy() *ProcessingConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessingConfigurationProcessorsObservation) DeepCopyInto(out *ProcessingConfigurationProcessorsObservation) {
 	*out = *in
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]ProcessorsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessingConfigurationProcessorsObservation.
@@ -1548,6 +2158,16 @@ func (in *ProcessingConfigurationProcessorsParameters) DeepCopy() *ProcessingCon
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessingConfigurationProcessorsParametersObservation) DeepCopyInto(out *ProcessingConfigurationProcessorsParametersObservation) {
 	*out = *in
+	if in.ParameterName != nil {
+		in, out := &in.ParameterName, &out.ParameterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterValue != nil {
+		in, out := &in.ParameterValue, &out.ParameterValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessingConfigurationProcessorsParametersObservation.
@@ -1588,6 +2208,18 @@ func (in *ProcessingConfigurationProcessorsParametersParameters) DeepCopy() *Pro
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessorsObservation) DeepCopyInto(out *ProcessorsObservation) {
 	*out = *in
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]ParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessorsObservation.
@@ -1622,14 +2254,24 @@ func (in *ProcessorsParameters) DeepCopy() *ProcessorsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(ProcessorsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ProcessorsParametersObservation) DeepCopyInto(out *ProcessorsParametersObservation) {
-	*out = *in
+	out := new(ProcessorsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ProcessorsParametersObservation) DeepCopyInto(out *ProcessorsParametersObservation) {
+	*out = *in
+	if in.ParameterName != nil {
+		in, out := &in.ParameterName, &out.ParameterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterValue != nil {
+		in, out := &in.ParameterValue, &out.ParameterValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessorsParametersObservation.
@@ -1670,6 +2312,21 @@ func (in *ProcessorsParametersParameters) DeepCopy() *ProcessorsParametersParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftConfigurationCloudwatchLoggingOptionsObservation) DeepCopyInto(out *RedshiftConfigurationCloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftConfigurationCloudwatchLoggingOptionsObservation.
@@ -1715,6 +2372,67 @@ func (in *RedshiftConfigurationCloudwatchLoggingOptionsParameters) DeepCopy() *R
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftConfigurationObservation) DeepCopyInto(out *RedshiftConfigurationObservation) {
 	*out = *in
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]RedshiftConfigurationCloudwatchLoggingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClusterJdbcurl != nil {
+		in, out := &in.ClusterJdbcurl, &out.ClusterJdbcurl
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyOptions != nil {
+		in, out := &in.CopyOptions, &out.CopyOptions
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataTableColumns != nil {
+		in, out := &in.DataTableColumns, &out.DataTableColumns
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataTableName != nil {
+		in, out := &in.DataTableName, &out.DataTableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProcessingConfiguration != nil {
+		in, out := &in.ProcessingConfiguration, &out.ProcessingConfiguration
+		*out = make([]RedshiftConfigurationProcessingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryDuration != nil {
+		in, out := &in.RetryDuration, &out.RetryDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3BackupConfiguration != nil {
+		in, out := &in.S3BackupConfiguration, &out.S3BackupConfiguration
+		*out = make([]RedshiftConfigurationS3BackupConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3BackupMode != nil {
+		in, out := &in.S3BackupMode, &out.S3BackupMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftConfigurationObservation.
@@ -1817,6 +2535,18 @@ func (in *RedshiftConfigurationParameters) DeepCopy() *RedshiftConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftConfigurationProcessingConfigurationObservation) DeepCopyInto(out *RedshiftConfigurationProcessingConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Processors != nil {
+		in, out := &in.Processors, &out.Processors
+		*out = make([]RedshiftConfigurationProcessingConfigurationProcessorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftConfigurationProcessingConfigurationObservation.
@@ -1859,6 +2589,18 @@ func (in *RedshiftConfigurationProcessingConfigurationParameters) DeepCopy() *Re
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftConfigurationProcessingConfigurationProcessorsObservation) DeepCopyInto(out *RedshiftConfigurationProcessingConfigurationProcessorsObservation) {
 	*out = *in
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]RedshiftConfigurationProcessingConfigurationProcessorsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftConfigurationProcessingConfigurationProcessorsObservation.
@@ -1901,6 +2643,16 @@ func (in *RedshiftConfigurationProcessingConfigurationProcessorsParameters) Deep
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftConfigurationProcessingConfigurationProcessorsParametersObservation) DeepCopyInto(out *RedshiftConfigurationProcessingConfigurationProcessorsParametersObservation) {
 	*out = *in
+	if in.ParameterName != nil {
+		in, out := &in.ParameterName, &out.ParameterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterValue != nil {
+		in, out := &in.ParameterValue, &out.ParameterValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftConfigurationProcessingConfigurationProcessorsParametersObservation.
@@ -1941,6 +2693,21 @@ func (in *RedshiftConfigurationProcessingConfigurationProcessorsParametersParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsObservation) DeepCopyInto(out *RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsObservation.
@@ -1986,6 +2753,53 @@ func (in *RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedshiftConfigurationS3BackupConfigurationObservation) DeepCopyInto(out *RedshiftConfigurationS3BackupConfigurationObservation) {
 	*out = *in
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.BufferInterval != nil {
+		in, out := &in.BufferInterval, &out.BufferInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferSize != nil {
+		in, out := &in.BufferSize, &out.BufferSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]RedshiftConfigurationS3BackupConfigurationCloudwatchLoggingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CompressionFormat != nil {
+		in, out := &in.CompressionFormat, &out.CompressionFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorOutputPrefix != nil {
+		in, out := &in.ErrorOutputPrefix, &out.ErrorOutputPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedshiftConfigurationS3BackupConfigurationObservation.
@@ -2083,6 +2897,18 @@ func (in *RedshiftConfigurationS3BackupConfigurationParameters) DeepCopy() *Reds
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RequestConfigurationObservation) DeepCopyInto(out *RequestConfigurationObservation) {
 	*out = *in
+	if in.CommonAttributes != nil {
+		in, out := &in.CommonAttributes, &out.CommonAttributes
+		*out = make([]CommonAttributesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ContentEncoding != nil {
+		in, out := &in.ContentEncoding, &out.ContentEncoding
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RequestConfigurationObservation.
@@ -2125,6 +2951,21 @@ func (in *RequestConfigurationParameters) DeepCopy() *RequestConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3BackupConfigurationCloudwatchLoggingOptionsObservation) DeepCopyInto(out *S3BackupConfigurationCloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3BackupConfigurationCloudwatchLoggingOptionsObservation.
@@ -2150,26 +2991,73 @@ func (in *S3BackupConfigurationCloudwatchLoggingOptionsParameters) DeepCopyInto(
 		*out = new(string)
 		**out = **in
 	}
-	if in.LogStreamName != nil {
-		in, out := &in.LogStreamName, &out.LogStreamName
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3BackupConfigurationCloudwatchLoggingOptionsParameters.
+func (in *S3BackupConfigurationCloudwatchLoggingOptionsParameters) DeepCopy() *S3BackupConfigurationCloudwatchLoggingOptionsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(S3BackupConfigurationCloudwatchLoggingOptionsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *S3BackupConfigurationObservation) DeepCopyInto(out *S3BackupConfigurationObservation) {
+	*out = *in
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.BufferInterval != nil {
+		in, out := &in.BufferInterval, &out.BufferInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferSize != nil {
+		in, out := &in.BufferSize, &out.BufferSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]S3BackupConfigurationCloudwatchLoggingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CompressionFormat != nil {
+		in, out := &in.CompressionFormat, &out.CompressionFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorOutputPrefix != nil {
+		in, out := &in.ErrorOutputPrefix, &out.ErrorOutputPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3BackupConfigurationCloudwatchLoggingOptionsParameters.
-func (in *S3BackupConfigurationCloudwatchLoggingOptionsParameters) DeepCopy() *S3BackupConfigurationCloudwatchLoggingOptionsParameters {
-	if in == nil {
-		return nil
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
 	}
-	out := new(S3BackupConfigurationCloudwatchLoggingOptionsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *S3BackupConfigurationObservation) DeepCopyInto(out *S3BackupConfigurationObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3BackupConfigurationObservation.
@@ -2247,6 +3135,21 @@ func (in *S3BackupConfigurationParameters) DeepCopy() *S3BackupConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ConfigurationCloudwatchLoggingOptionsObservation) DeepCopyInto(out *S3ConfigurationCloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ConfigurationCloudwatchLoggingOptionsObservation.
@@ -2292,6 +3195,53 @@ func (in *S3ConfigurationCloudwatchLoggingOptionsParameters) DeepCopy() *S3Confi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ConfigurationObservation) DeepCopyInto(out *S3ConfigurationObservation) {
 	*out = *in
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.BufferInterval != nil {
+		in, out := &in.BufferInterval, &out.BufferInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferSize != nil {
+		in, out := &in.BufferSize, &out.BufferSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]S3ConfigurationCloudwatchLoggingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CompressionFormat != nil {
+		in, out := &in.CompressionFormat, &out.CompressionFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorOutputPrefix != nil {
+		in, out := &in.ErrorOutputPrefix, &out.ErrorOutputPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ConfigurationObservation.
@@ -2389,6 +3339,36 @@ func (in *S3ConfigurationParameters) DeepCopy() *S3ConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaConfigurationObservation) DeepCopyInto(out *SchemaConfigurationObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.VersionID != nil {
+		in, out := &in.VersionID, &out.VersionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaConfigurationObservation.
@@ -2469,6 +3449,20 @@ func (in *SchemaConfigurationParameters) DeepCopy() *SchemaConfigurationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SerializerObservation) DeepCopyInto(out *SerializerObservation) {
 	*out = *in
+	if in.OrcSerDe != nil {
+		in, out := &in.OrcSerDe, &out.OrcSerDe
+		*out = make([]OrcSerDeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ParquetSerDe != nil {
+		in, out := &in.ParquetSerDe, &out.ParquetSerDe
+		*out = make([]ParquetSerDeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SerializerObservation.
@@ -2513,6 +3507,21 @@ func (in *SerializerParameters) DeepCopy() *SerializerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerSideEncryptionObservation) DeepCopyInto(out *ServerSideEncryptionObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.KeyArn != nil {
+		in, out := &in.KeyArn, &out.KeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyType != nil {
+		in, out := &in.KeyType, &out.KeyType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerSideEncryptionObservation.
@@ -2558,6 +3567,21 @@ func (in *ServerSideEncryptionParameters) DeepCopy() *ServerSideEncryptionParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SplunkConfigurationCloudwatchLoggingOptionsObservation) DeepCopyInto(out *SplunkConfigurationCloudwatchLoggingOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogStreamName != nil {
+		in, out := &in.LogStreamName, &out.LogStreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SplunkConfigurationCloudwatchLoggingOptionsObservation.
@@ -2603,6 +3627,50 @@ func (in *SplunkConfigurationCloudwatchLoggingOptionsParameters) DeepCopy() *Spl
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SplunkConfigurationObservation) DeepCopyInto(out *SplunkConfigurationObservation) {
 	*out = *in
+	if in.CloudwatchLoggingOptions != nil {
+		in, out := &in.CloudwatchLoggingOptions, &out.CloudwatchLoggingOptions
+		*out = make([]SplunkConfigurationCloudwatchLoggingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HecAcknowledgmentTimeout != nil {
+		in, out := &in.HecAcknowledgmentTimeout, &out.HecAcknowledgmentTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HecEndpoint != nil {
+		in, out := &in.HecEndpoint, &out.HecEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.HecEndpointType != nil {
+		in, out := &in.HecEndpointType, &out.HecEndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.HecToken != nil {
+		in, out := &in.HecToken, &out.HecToken
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProcessingConfiguration != nil {
+		in, out := &in.ProcessingConfiguration, &out.ProcessingConfiguration
+		*out = make([]SplunkConfigurationProcessingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryDuration != nil {
+		in, out := &in.RetryDuration, &out.RetryDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.S3BackupMode != nil {
+		in, out := &in.S3BackupMode, &out.S3BackupMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SplunkConfigurationObservation.
@@ -2677,6 +3745,18 @@ func (in *SplunkConfigurationParameters) DeepCopy() *SplunkConfigurationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SplunkConfigurationProcessingConfigurationObservation) DeepCopyInto(out *SplunkConfigurationProcessingConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Processors != nil {
+		in, out := &in.Processors, &out.Processors
+		*out = make([]SplunkConfigurationProcessingConfigurationProcessorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SplunkConfigurationProcessingConfigurationObservation.
@@ -2719,6 +3799,18 @@ func (in *SplunkConfigurationProcessingConfigurationParameters) DeepCopy() *Splu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SplunkConfigurationProcessingConfigurationProcessorsObservation) DeepCopyInto(out *SplunkConfigurationProcessingConfigurationProcessorsObservation) {
 	*out = *in
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]SplunkConfigurationProcessingConfigurationProcessorsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SplunkConfigurationProcessingConfigurationProcessorsObservation.
@@ -2761,6 +3853,16 @@ func (in *SplunkConfigurationProcessingConfigurationProcessorsParameters) DeepCo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SplunkConfigurationProcessingConfigurationProcessorsParametersObservation) DeepCopyInto(out *SplunkConfigurationProcessingConfigurationProcessorsParametersObservation) {
 	*out = *in
+	if in.ParameterName != nil {
+		in, out := &in.ParameterName, &out.ParameterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterValue != nil {
+		in, out := &in.ParameterValue, &out.ParameterValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SplunkConfigurationProcessingConfigurationProcessorsParametersObservation.
@@ -2801,6 +3903,33 @@ func (in *SplunkConfigurationProcessingConfigurationProcessorsParametersParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigObservation) DeepCopyInto(out *VPCConfigObservation) {
 	*out = *in
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
diff --git a/apis/fis/v1beta1/zz_experimenttemplate_types.go b/apis/fis/v1beta1/zz_experimenttemplate_types.go
index 0ead7ec4ca..77aa6b4e14 100755
--- a/apis/fis/v1beta1/zz_experimenttemplate_types.go
+++ b/apis/fis/v1beta1/zz_experimenttemplate_types.go
@@ -14,6 +14,24 @@ import (
 )
 
 type ActionObservation struct {
+
+	// ID of the action. To find out what actions are supported see AWS FIS actions reference.
+	ActionID *string `json:"actionId,omitempty" tf:"action_id,omitempty"`
+
+	// Description of the action.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Friendly name of the action.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Parameter(s) for the action, if applicable. See below.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Set of action names that must complete before this action can be executed.
+	StartAfter []*string `json:"startAfter,omitempty" tf:"start_after,omitempty"`
+
+	// Action's target, if applicable. See below.
+	Target []TargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type ActionParameters struct {
@@ -45,21 +63,39 @@ type ActionParameters struct {
 
 type ExperimentTemplateObservation struct {
 
+	// Action to be performed during an experiment. See below.
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Description for the experiment template.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Experiment Template ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of an IAM role that grants the AWS FIS service permission to perform service actions on your behalf.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// When an ongoing experiment should be stopped. See below.
+	StopCondition []StopConditionObservation `json:"stopCondition,omitempty" tf:"stop_condition,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Target of an action. See below.
+	Target []ExperimentTemplateTargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type ExperimentTemplateParameters struct {
 
 	// Action to be performed during an experiment. See below.
-	// +kubebuilder:validation:Required
-	Action []ActionParameters `json:"action" tf:"action,omitempty"`
+	// +kubebuilder:validation:Optional
+	Action []ActionParameters `json:"action,omitempty" tf:"action,omitempty"`
 
 	// Description for the experiment template.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -81,8 +117,8 @@ type ExperimentTemplateParameters struct {
 	RoleArnSelector *v1.Selector `json:"roleArnSelector,omitempty" tf:"-"`
 
 	// When an ongoing experiment should be stopped. See below.
-	// +kubebuilder:validation:Required
-	StopCondition []StopConditionParameters `json:"stopCondition" tf:"stop_condition,omitempty"`
+	// +kubebuilder:validation:Optional
+	StopCondition []StopConditionParameters `json:"stopCondition,omitempty" tf:"stop_condition,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -94,6 +130,24 @@ type ExperimentTemplateParameters struct {
 }
 
 type ExperimentTemplateTargetObservation struct {
+
+	// Filter(s) for the target. Filters can be used to select resources based on specific attributes returned by the respective describe action of the resource type. For more information, see Targets for AWS FIS. See below.
+	Filter []FilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
+	// Friendly name given to the target.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Set of ARNs of the resources to target with an action. Conflicts with resource_tag.
+	ResourceArns []*string `json:"resourceArns,omitempty" tf:"resource_arns,omitempty"`
+
+	// Tag(s) the resources need to have to be considered a valid target for an action. Conflicts with resource_arns. See below.
+	ResourceTag []ResourceTagObservation `json:"resourceTag,omitempty" tf:"resource_tag,omitempty"`
+
+	// AWS resource type. The resource type must be supported for the specified action. To find out what resource types are supported, see Targets for AWS FIS.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// Scopes the identified resources. Valid values are ALL (all identified resources), COUNT(n) (randomly select n of the identified resources), PERCENT(n) (randomly select n percent of the identified resources).
+	SelectionMode *string `json:"selectionMode,omitempty" tf:"selection_mode,omitempty"`
 }
 
 type ExperimentTemplateTargetParameters struct {
@@ -124,6 +178,12 @@ type ExperimentTemplateTargetParameters struct {
 }
 
 type FilterObservation struct {
+
+	// Attribute path for the filter.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Set of attribute values for the filter.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type FilterParameters struct {
@@ -138,6 +198,12 @@ type FilterParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// Parameter name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Parameter value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -152,6 +218,12 @@ type ParameterParameters struct {
 }
 
 type ResourceTagObservation struct {
+
+	// Tag key.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceTagParameters struct {
@@ -166,6 +238,12 @@ type ResourceTagParameters struct {
 }
 
 type StopConditionObservation struct {
+
+	// Source of the condition. One of none, aws:cloudwatch:alarm.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// ARN of the CloudWatch alarm. Required if the source is a CloudWatch alarm.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type StopConditionParameters struct {
@@ -180,6 +258,12 @@ type StopConditionParameters struct {
 }
 
 type TargetObservation struct {
+
+	// Tag key.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Target name, referencing a corresponding target.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TargetParameters struct {
@@ -217,8 +301,11 @@ type ExperimentTemplateStatus struct {
 type ExperimentTemplate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ExperimentTemplateSpec   `json:"spec"`
-	Status            ExperimentTemplateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)",message="action is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stopCondition)",message="stopCondition is a required parameter"
+	Spec   ExperimentTemplateSpec   `json:"spec"`
+	Status ExperimentTemplateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/fis/v1beta1/zz_generated.deepcopy.go b/apis/fis/v1beta1/zz_generated.deepcopy.go
index d4a1aa2db6..48c1384cbc 100644
--- a/apis/fis/v1beta1/zz_generated.deepcopy.go
+++ b/apis/fis/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,46 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.ActionID != nil {
+		in, out := &in.ActionID, &out.ActionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartAfter != nil {
+		in, out := &in.StartAfter, &out.StartAfter
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]TargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -146,11 +186,50 @@ func (in *ExperimentTemplateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExperimentTemplateObservation) DeepCopyInto(out *ExperimentTemplateObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StopCondition != nil {
+		in, out := &in.StopCondition, &out.StopCondition
+		*out = make([]StopConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -166,6 +245,13 @@ func (in *ExperimentTemplateObservation) DeepCopyInto(out *ExperimentTemplateObs
 			(*out)[key] = outVal
 		}
 	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]ExperimentTemplateTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExperimentTemplateObservation.
@@ -291,6 +377,46 @@ func (in *ExperimentTemplateStatus) DeepCopy() *ExperimentTemplateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExperimentTemplateTargetObservation) DeepCopyInto(out *ExperimentTemplateTargetObservation) {
 	*out = *in
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]FilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceArns != nil {
+		in, out := &in.ResourceArns, &out.ResourceArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ResourceTag != nil {
+		in, out := &in.ResourceTag, &out.ResourceTag
+		*out = make([]ResourceTagObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SelectionMode != nil {
+		in, out := &in.SelectionMode, &out.SelectionMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExperimentTemplateTargetObservation.
@@ -361,6 +487,22 @@ func (in *ExperimentTemplateTargetParameters) DeepCopy() *ExperimentTemplateTarg
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterObservation) DeepCopyInto(out *FilterObservation) {
 	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterObservation.
@@ -407,6 +549,16 @@ func (in *FilterParameters) DeepCopy() *FilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -447,6 +599,16 @@ func (in *ParameterParameters) DeepCopy() *ParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceTagObservation) DeepCopyInto(out *ResourceTagObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceTagObservation.
@@ -487,6 +649,16 @@ func (in *ResourceTagParameters) DeepCopy() *ResourceTagParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StopConditionObservation) DeepCopyInto(out *StopConditionObservation) {
 	*out = *in
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StopConditionObservation.
@@ -527,6 +699,16 @@ func (in *StopConditionParameters) DeepCopy() *StopConditionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
diff --git a/apis/fsx/v1beta1/zz_backup_types.go b/apis/fsx/v1beta1/zz_backup_types.go
index 88b93c53ec..cf2cc33261 100755
--- a/apis/fsx/v1beta1/zz_backup_types.go
+++ b/apis/fsx/v1beta1/zz_backup_types.go
@@ -18,6 +18,9 @@ type BackupObservation struct {
 	// Amazon Resource Name of the backup.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of the file system to back up. Required if backing up Lustre or Windows file systems.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
 	// Identifier of the backup, e.g., fs-12345678
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -27,11 +30,17 @@ type BackupObservation struct {
 	// AWS account identifier that created the file system.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The type of the file system backup.
 	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The ID of the volume to back up. Required if backing up a ONTAP Volume.
+	VolumeID *string `json:"volumeId,omitempty" tf:"volume_id,omitempty"`
 }
 
 type BackupParameters struct {
diff --git a/apis/fsx/v1beta1/zz_datarepositoryassociation_types.go b/apis/fsx/v1beta1/zz_datarepositoryassociation_types.go
index 9354589fcc..a06233ac10 100755
--- a/apis/fsx/v1beta1/zz_datarepositoryassociation_types.go
+++ b/apis/fsx/v1beta1/zz_datarepositoryassociation_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AutoExportPolicyObservation struct {
+
+	// A list of file event types to automatically export to your linked S3 bucket or import from the linked S3 bucket. Valid values are NEW, CHANGED, DELETED. Max of 3.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
 }
 
 type AutoExportPolicyParameters struct {
@@ -24,6 +27,9 @@ type AutoExportPolicyParameters struct {
 }
 
 type AutoImportPolicyObservation struct {
+
+	// A list of file event types to automatically export to your linked S3 bucket or import from the linked S3 bucket. Valid values are NEW, CHANGED, DELETED. Max of 3.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
 }
 
 type AutoImportPolicyParameters struct {
@@ -41,9 +47,34 @@ type DataRepositoryAssociationObservation struct {
 	// Identifier of the data repository association, e.g., dra-12345678
 	AssociationID *string `json:"associationId,omitempty" tf:"association_id,omitempty"`
 
+	// Set to true to run an import data repository task to import metadata from the data repository to the file system after the data repository association is created. Defaults to false.
+	BatchImportMetaDataOnCreate *bool `json:"batchImportMetaDataOnCreate,omitempty" tf:"batch_import_meta_data_on_create,omitempty"`
+
+	// The path to the Amazon S3 data repository that will be linked to the file system. The path must be an S3 bucket s3://myBucket/myPrefix/. This path specifies where in the S3 data repository files will be imported from or exported to. The same S3 bucket cannot be linked more than once to the same file system.
+	DataRepositoryPath *string `json:"dataRepositoryPath,omitempty" tf:"data_repository_path,omitempty"`
+
+	// Set to true to delete files from the file system upon deleting this data repository association. Defaults to false.
+	DeleteDataInFilesystem *bool `json:"deleteDataInFilesystem,omitempty" tf:"delete_data_in_filesystem,omitempty"`
+
+	// The ID of the Amazon FSx file system to on which to create a data repository association.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
+	// A path on the file system that points to a high-level directory (such as /ns1/) or subdirectory (such as /ns1/subdir/) that will be mapped 1-1 with data_repository_path. The leading forward slash in the name is required. Two data repository associations cannot have overlapping file system paths. For example, if a data repository is associated with file system path /ns1/, then you cannot link another data repository with file system path /ns1/ns2. This path specifies where in your file system files will be exported from or imported to. This file system directory can be linked to only one Amazon S3 bucket, and no other S3 bucket can be linked to the directory.
+	FileSystemPath *string `json:"fileSystemPath,omitempty" tf:"file_system_path,omitempty"`
+
 	// Identifier of the data repository association, e.g., dra-12345678
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// For files imported from a data repository, this value determines the stripe count and maximum amount of data per file (in MiB) stored on a single physical disk. The maximum number of disks that a single file can be striped across is limited by the total number of disks that make up the file system.
+	ImportedFileChunkSize *float64 `json:"importedFileChunkSize,omitempty" tf:"imported_file_chunk_size,omitempty"`
+
+	// See the s3 configuration block. Max of 1.
+	// The configuration for an Amazon S3 data repository linked to an Amazon FSx Lustre file system with a data repository association. The configuration defines which file events (new, changed, or deleted files or directories) are automatically imported from the linked data repository to the file system or automatically exported from the file system to the data repository.
+	S3 []S3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -55,8 +86,8 @@ type DataRepositoryAssociationParameters struct {
 	BatchImportMetaDataOnCreate *bool `json:"batchImportMetaDataOnCreate,omitempty" tf:"batch_import_meta_data_on_create,omitempty"`
 
 	// The path to the Amazon S3 data repository that will be linked to the file system. The path must be an S3 bucket s3://myBucket/myPrefix/. This path specifies where in the S3 data repository files will be imported from or exported to. The same S3 bucket cannot be linked more than once to the same file system.
-	// +kubebuilder:validation:Required
-	DataRepositoryPath *string `json:"dataRepositoryPath" tf:"data_repository_path,omitempty"`
+	// +kubebuilder:validation:Optional
+	DataRepositoryPath *string `json:"dataRepositoryPath,omitempty" tf:"data_repository_path,omitempty"`
 
 	// Set to true to delete files from the file system upon deleting this data repository association. Defaults to false.
 	// +kubebuilder:validation:Optional
@@ -77,8 +108,8 @@ type DataRepositoryAssociationParameters struct {
 	FileSystemIDSelector *v1.Selector `json:"fileSystemIdSelector,omitempty" tf:"-"`
 
 	// A path on the file system that points to a high-level directory (such as /ns1/) or subdirectory (such as /ns1/subdir/) that will be mapped 1-1 with data_repository_path. The leading forward slash in the name is required. Two data repository associations cannot have overlapping file system paths. For example, if a data repository is associated with file system path /ns1/, then you cannot link another data repository with file system path /ns1/ns2. This path specifies where in your file system files will be exported from or imported to. This file system directory can be linked to only one Amazon S3 bucket, and no other S3 bucket can be linked to the directory.
-	// +kubebuilder:validation:Required
-	FileSystemPath *string `json:"fileSystemPath" tf:"file_system_path,omitempty"`
+	// +kubebuilder:validation:Optional
+	FileSystemPath *string `json:"fileSystemPath,omitempty" tf:"file_system_path,omitempty"`
 
 	// For files imported from a data repository, this value determines the stripe count and maximum amount of data per file (in MiB) stored on a single physical disk. The maximum number of disks that a single file can be striped across is limited by the total number of disks that make up the file system.
 	// +kubebuilder:validation:Optional
@@ -100,6 +131,12 @@ type DataRepositoryAssociationParameters struct {
 }
 
 type S3Observation struct {
+
+	// Specifies the type of updated objects that will be automatically exported from your file system to the linked S3 bucket. See the events configuration block.
+	AutoExportPolicy []AutoExportPolicyObservation `json:"autoExportPolicy,omitempty" tf:"auto_export_policy,omitempty"`
+
+	// Specifies the type of updated objects that will be automatically imported from the linked S3 bucket to your file system. See the events configuration block.
+	AutoImportPolicy []AutoImportPolicyObservation `json:"autoImportPolicy,omitempty" tf:"auto_import_policy,omitempty"`
 }
 
 type S3Parameters struct {
@@ -137,8 +174,10 @@ type DataRepositoryAssociationStatus struct {
 type DataRepositoryAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DataRepositoryAssociationSpec   `json:"spec"`
-	Status            DataRepositoryAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataRepositoryPath)",message="dataRepositoryPath is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fileSystemPath)",message="fileSystemPath is a required parameter"
+	Spec   DataRepositoryAssociationSpec   `json:"spec"`
+	Status DataRepositoryAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/fsx/v1beta1/zz_generated.deepcopy.go b/apis/fsx/v1beta1/zz_generated.deepcopy.go
index 4c888b6888..7367f7ab98 100644
--- a/apis/fsx/v1beta1/zz_generated.deepcopy.go
+++ b/apis/fsx/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,18 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActiveDirectoryConfigurationObservation) DeepCopyInto(out *ActiveDirectoryConfigurationObservation) {
 	*out = *in
+	if in.NetbiosName != nil {
+		in, out := &in.NetbiosName, &out.NetbiosName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SelfManagedActiveDirectoryConfiguration != nil {
+		in, out := &in.SelfManagedActiveDirectoryConfiguration, &out.SelfManagedActiveDirectoryConfiguration
+		*out = make([]SelfManagedActiveDirectoryConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveDirectoryConfigurationObservation.
@@ -59,6 +71,21 @@ func (in *ActiveDirectoryConfigurationParameters) DeepCopy() *ActiveDirectoryCon
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuditLogConfigurationObservation) DeepCopyInto(out *AuditLogConfigurationObservation) {
 	*out = *in
+	if in.AuditLogDestination != nil {
+		in, out := &in.AuditLogDestination, &out.AuditLogDestination
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileAccessAuditLogLevel != nil {
+		in, out := &in.FileAccessAuditLogLevel, &out.FileAccessAuditLogLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileShareAccessAuditLogLevel != nil {
+		in, out := &in.FileShareAccessAuditLogLevel, &out.FileShareAccessAuditLogLevel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditLogConfigurationObservation.
@@ -104,6 +131,17 @@ func (in *AuditLogConfigurationParameters) DeepCopy() *AuditLogConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoExportPolicyObservation) DeepCopyInto(out *AutoExportPolicyObservation) {
 	*out = *in
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoExportPolicyObservation.
@@ -145,6 +183,17 @@ func (in *AutoExportPolicyParameters) DeepCopy() *AutoExportPolicyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoImportPolicyObservation) DeepCopyInto(out *AutoImportPolicyObservation) {
 	*out = *in
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoImportPolicyObservation.
@@ -250,6 +299,11 @@ func (in *BackupObservation) DeepCopyInto(out *BackupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -265,6 +319,21 @@ func (in *BackupObservation) DeepCopyInto(out *BackupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -285,6 +354,11 @@ func (in *BackupObservation) DeepCopyInto(out *BackupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.VolumeID != nil {
+		in, out := &in.VolumeID, &out.VolumeID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BackupObservation.
@@ -458,11 +532,63 @@ func (in *DataRepositoryAssociationObservation) DeepCopyInto(out *DataRepository
 		*out = new(string)
 		**out = **in
 	}
+	if in.BatchImportMetaDataOnCreate != nil {
+		in, out := &in.BatchImportMetaDataOnCreate, &out.BatchImportMetaDataOnCreate
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DataRepositoryPath != nil {
+		in, out := &in.DataRepositoryPath, &out.DataRepositoryPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeleteDataInFilesystem != nil {
+		in, out := &in.DeleteDataInFilesystem, &out.DeleteDataInFilesystem
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileSystemPath != nil {
+		in, out := &in.FileSystemPath, &out.FileSystemPath
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImportedFileChunkSize != nil {
+		in, out := &in.ImportedFileChunkSize, &out.ImportedFileChunkSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]S3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -609,6 +735,16 @@ func (in *DataRepositoryAssociationStatus) DeepCopy() *DataRepositoryAssociation
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DiskIopsConfigurationObservation) DeepCopyInto(out *DiskIopsConfigurationObservation) {
 	*out = *in
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DiskIopsConfigurationObservation.
@@ -831,6 +967,16 @@ func (in *InterclusterParameters) DeepCopy() *InterclusterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogConfigurationObservation) DeepCopyInto(out *LogConfigurationObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.Level != nil {
+		in, out := &in.Level, &out.Level
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogConfigurationObservation.
@@ -935,72 +1081,6 @@ func (in *LustreFileSystemObservation) DeepCopyInto(out *LustreFileSystemObserva
 		*out = new(string)
 		**out = **in
 	}
-	if in.DNSName != nil {
-		in, out := &in.DNSName, &out.DNSName
-		*out = new(string)
-		**out = **in
-	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.MountName != nil {
-		in, out := &in.MountName, &out.MountName
-		*out = new(string)
-		**out = **in
-	}
-	if in.NetworkInterfaceIds != nil {
-		in, out := &in.NetworkInterfaceIds, &out.NetworkInterfaceIds
-		*out = make([]*string, len(*in))
-		for i := range *in {
-			if (*in)[i] != nil {
-				in, out := &(*in)[i], &(*out)[i]
-				*out = new(string)
-				**out = **in
-			}
-		}
-	}
-	if in.OwnerID != nil {
-		in, out := &in.OwnerID, &out.OwnerID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-	if in.VPCID != nil {
-		in, out := &in.VPCID, &out.VPCID
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LustreFileSystemObservation.
-func (in *LustreFileSystemObservation) DeepCopy() *LustreFileSystemObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(LustreFileSystemObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *LustreFileSystemParameters) DeepCopyInto(out *LustreFileSystemParameters) {
-	*out = *in
 	if in.AutoImportPolicy != nil {
 		in, out := &in.AutoImportPolicy, &out.AutoImportPolicy
 		*out = new(string)
@@ -1021,6 +1101,11 @@ func (in *LustreFileSystemParameters) DeepCopyInto(out *LustreFileSystemParamete
 		*out = new(bool)
 		**out = **in
 	}
+	if in.DNSName != nil {
+		in, out := &in.DNSName, &out.DNSName
+		*out = new(string)
+		**out = **in
+	}
 	if in.DailyAutomaticBackupStartTime != nil {
 		in, out := &in.DailyAutomaticBackupStartTime, &out.DailyAutomaticBackupStartTime
 		*out = new(string)
@@ -1051,6 +1136,11 @@ func (in *LustreFileSystemParameters) DeepCopyInto(out *LustreFileSystemParamete
 		*out = new(string)
 		**out = **in
 	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ImportPath != nil {
 		in, out := &in.ImportPath, &out.ImportPath
 		*out = new(string)
@@ -1066,47 +1156,232 @@ func (in *LustreFileSystemParameters) DeepCopyInto(out *LustreFileSystemParamete
 		*out = new(string)
 		**out = **in
 	}
-	if in.KMSKeyIDRef != nil {
-		in, out := &in.KMSKeyIDRef, &out.KMSKeyIDRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.KMSKeyIDSelector != nil {
-		in, out := &in.KMSKeyIDSelector, &out.KMSKeyIDSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.LogConfiguration != nil {
 		in, out := &in.LogConfiguration, &out.LogConfiguration
-		*out = make([]LogConfigurationParameters, len(*in))
+		*out = make([]LogConfigurationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.PerUnitStorageThroughput != nil {
-		in, out := &in.PerUnitStorageThroughput, &out.PerUnitStorageThroughput
-		*out = new(float64)
-		**out = **in
-	}
-	if in.Region != nil {
-		in, out := &in.Region, &out.Region
+	if in.MountName != nil {
+		in, out := &in.MountName, &out.MountName
 		*out = new(string)
 		**out = **in
 	}
-	if in.SecurityGroupIDRefs != nil {
-		in, out := &in.SecurityGroupIDRefs, &out.SecurityGroupIDRefs
-		*out = make([]v1.Reference, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.SecurityGroupIDSelector != nil {
-		in, out := &in.SecurityGroupIDSelector, &out.SecurityGroupIDSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.SecurityGroupIds != nil {
-		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+	if in.NetworkInterfaceIds != nil {
+		in, out := &in.NetworkInterfaceIds, &out.NetworkInterfaceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OwnerID != nil {
+		in, out := &in.OwnerID, &out.OwnerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PerUnitStorageThroughput != nil {
+		in, out := &in.PerUnitStorageThroughput, &out.PerUnitStorageThroughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StorageCapacity != nil {
+		in, out := &in.StorageCapacity, &out.StorageCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageType != nil {
+		in, out := &in.StorageType, &out.StorageType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
+	if in.WeeklyMaintenanceStartTime != nil {
+		in, out := &in.WeeklyMaintenanceStartTime, &out.WeeklyMaintenanceStartTime
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LustreFileSystemObservation.
+func (in *LustreFileSystemObservation) DeepCopy() *LustreFileSystemObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(LustreFileSystemObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LustreFileSystemParameters) DeepCopyInto(out *LustreFileSystemParameters) {
+	*out = *in
+	if in.AutoImportPolicy != nil {
+		in, out := &in.AutoImportPolicy, &out.AutoImportPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutomaticBackupRetentionDays != nil {
+		in, out := &in.AutomaticBackupRetentionDays, &out.AutomaticBackupRetentionDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BackupID != nil {
+		in, out := &in.BackupID, &out.BackupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyTagsToBackups != nil {
+		in, out := &in.CopyTagsToBackups, &out.CopyTagsToBackups
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DailyAutomaticBackupStartTime != nil {
+		in, out := &in.DailyAutomaticBackupStartTime, &out.DailyAutomaticBackupStartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataCompressionType != nil {
+		in, out := &in.DataCompressionType, &out.DataCompressionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeploymentType != nil {
+		in, out := &in.DeploymentType, &out.DeploymentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DriveCacheType != nil {
+		in, out := &in.DriveCacheType, &out.DriveCacheType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExportPath != nil {
+		in, out := &in.ExportPath, &out.ExportPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileSystemTypeVersion != nil {
+		in, out := &in.FileSystemTypeVersion, &out.FileSystemTypeVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImportPath != nil {
+		in, out := &in.ImportPath, &out.ImportPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImportedFileChunkSize != nil {
+		in, out := &in.ImportedFileChunkSize, &out.ImportedFileChunkSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyIDRef != nil {
+		in, out := &in.KMSKeyIDRef, &out.KMSKeyIDRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.KMSKeyIDSelector != nil {
+		in, out := &in.KMSKeyIDSelector, &out.KMSKeyIDSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.LogConfiguration != nil {
+		in, out := &in.LogConfiguration, &out.LogConfiguration
+		*out = make([]LogConfigurationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PerUnitStorageThroughput != nil {
+		in, out := &in.PerUnitStorageThroughput, &out.PerUnitStorageThroughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIDRefs != nil {
+		in, out := &in.SecurityGroupIDRefs, &out.SecurityGroupIDRefs
+		*out = make([]v1.Reference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityGroupIDSelector != nil {
+		in, out := &in.SecurityGroupIDSelector, &out.SecurityGroupIDSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
 		*out = make([]*string, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
@@ -1374,11 +1649,38 @@ func (in *OntapFileSystemObservation) DeepCopyInto(out *OntapFileSystemObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutomaticBackupRetentionDays != nil {
+		in, out := &in.AutomaticBackupRetentionDays, &out.AutomaticBackupRetentionDays
+		*out = new(float64)
+		**out = **in
+	}
 	if in.DNSName != nil {
 		in, out := &in.DNSName, &out.DNSName
 		*out = new(string)
 		**out = **in
 	}
+	if in.DailyAutomaticBackupStartTime != nil {
+		in, out := &in.DailyAutomaticBackupStartTime, &out.DailyAutomaticBackupStartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeploymentType != nil {
+		in, out := &in.DeploymentType, &out.DeploymentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DiskIopsConfiguration != nil {
+		in, out := &in.DiskIopsConfiguration, &out.DiskIopsConfiguration
+		*out = make([]DiskIopsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EndpointIPAddressRange != nil {
+		in, out := &in.EndpointIPAddressRange, &out.EndpointIPAddressRange
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoints != nil {
 		in, out := &in.Endpoints, &out.Endpoints
 		*out = make([]EndpointsObservation, len(*in))
@@ -1391,6 +1693,11 @@ func (in *OntapFileSystemObservation) DeepCopyInto(out *OntapFileSystemObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.NetworkInterfaceIds != nil {
 		in, out := &in.NetworkInterfaceIds, &out.NetworkInterfaceIds
 		*out = make([]*string, len(*in))
@@ -1402,11 +1709,74 @@ func (in *OntapFileSystemObservation) DeepCopyInto(out *OntapFileSystemObservati
 			}
 		}
 	}
-	if in.OwnerID != nil {
-		in, out := &in.OwnerID, &out.OwnerID
-		*out = new(string)
-		**out = **in
-	}
+	if in.OwnerID != nil {
+		in, out := &in.OwnerID, &out.OwnerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreferredSubnetID != nil {
+		in, out := &in.PreferredSubnetID, &out.PreferredSubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RouteTableIds != nil {
+		in, out := &in.RouteTableIds, &out.RouteTableIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StorageCapacity != nil {
+		in, out := &in.StorageCapacity, &out.StorageCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageType != nil {
+		in, out := &in.StorageType, &out.StorageType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1422,11 +1792,21 @@ func (in *OntapFileSystemObservation) DeepCopyInto(out *OntapFileSystemObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.ThroughputCapacity != nil {
+		in, out := &in.ThroughputCapacity, &out.ThroughputCapacity
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
 		**out = **in
 	}
+	if in.WeeklyMaintenanceStartTime != nil {
+		in, out := &in.WeeklyMaintenanceStartTime, &out.WeeklyMaintenanceStartTime
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OntapFileSystemObservation.
@@ -1767,6 +2147,13 @@ func (in *OntapStorageVirtualMachineList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OntapStorageVirtualMachineObservation) DeepCopyInto(out *OntapStorageVirtualMachineObservation) {
 	*out = *in
+	if in.ActiveDirectoryConfiguration != nil {
+		in, out := &in.ActiveDirectoryConfiguration, &out.ActiveDirectoryConfiguration
+		*out = make([]ActiveDirectoryConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -1779,16 +2166,46 @@ func (in *OntapStorageVirtualMachineObservation) DeepCopyInto(out *OntapStorageV
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootVolumeSecurityStyle != nil {
+		in, out := &in.RootVolumeSecurityStyle, &out.RootVolumeSecurityStyle
+		*out = new(string)
+		**out = **in
+	}
 	if in.Subtype != nil {
 		in, out := &in.Subtype, &out.Subtype
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1930,6 +2347,20 @@ func (in *OntapStorageVirtualMachineStatus) DeepCopy() *OntapStorageVirtualMachi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3Observation) DeepCopyInto(out *S3Observation) {
 	*out = *in
+	if in.AutoExportPolicy != nil {
+		in, out := &in.AutoExportPolicy, &out.AutoExportPolicy
+		*out = make([]AutoExportPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutoImportPolicy != nil {
+		in, out := &in.AutoImportPolicy, &out.AutoImportPolicy
+		*out = make([]AutoImportPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Observation.
@@ -2020,6 +2451,37 @@ func (in *SMBParameters) DeepCopy() *SMBParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelfManagedActiveDirectoryConfigurationObservation) DeepCopyInto(out *SelfManagedActiveDirectoryConfigurationObservation) {
 	*out = *in
+	if in.DNSIps != nil {
+		in, out := &in.DNSIps, &out.DNSIps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileSystemAdministratorsGroup != nil {
+		in, out := &in.FileSystemAdministratorsGroup, &out.FileSystemAdministratorsGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationalUnitDistinguishedName != nil {
+		in, out := &in.OrganizationalUnitDistinguishedName, &out.OrganizationalUnitDistinguishedName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfManagedActiveDirectoryConfigurationObservation.
@@ -2082,6 +2544,37 @@ func (in *SelfManagedActiveDirectoryConfigurationParameters) DeepCopy() *SelfMan
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelfManagedActiveDirectoryObservation) DeepCopyInto(out *SelfManagedActiveDirectoryObservation) {
 	*out = *in
+	if in.DNSIps != nil {
+		in, out := &in.DNSIps, &out.DNSIps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileSystemAdministratorsGroup != nil {
+		in, out := &in.FileSystemAdministratorsGroup, &out.FileSystemAdministratorsGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationalUnitDistinguishedName != nil {
+		in, out := &in.OrganizationalUnitDistinguishedName, &out.OrganizationalUnitDistinguishedName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfManagedActiveDirectoryObservation.
@@ -2203,21 +2696,74 @@ func (in *WindowsFileSystemList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WindowsFileSystemObservation) DeepCopyInto(out *WindowsFileSystemObservation) {
 	*out = *in
+	if in.ActiveDirectoryID != nil {
+		in, out := &in.ActiveDirectoryID, &out.ActiveDirectoryID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Aliases != nil {
+		in, out := &in.Aliases, &out.Aliases
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuditLogConfiguration != nil {
+		in, out := &in.AuditLogConfiguration, &out.AuditLogConfiguration
+		*out = make([]AuditLogConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutomaticBackupRetentionDays != nil {
+		in, out := &in.AutomaticBackupRetentionDays, &out.AutomaticBackupRetentionDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BackupID != nil {
+		in, out := &in.BackupID, &out.BackupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyTagsToBackups != nil {
+		in, out := &in.CopyTagsToBackups, &out.CopyTagsToBackups
+		*out = new(bool)
+		**out = **in
+	}
 	if in.DNSName != nil {
 		in, out := &in.DNSName, &out.DNSName
 		*out = new(string)
 		**out = **in
 	}
+	if in.DailyAutomaticBackupStartTime != nil {
+		in, out := &in.DailyAutomaticBackupStartTime, &out.DailyAutomaticBackupStartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeploymentType != nil {
+		in, out := &in.DeploymentType, &out.DeploymentType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.NetworkInterfaceIds != nil {
 		in, out := &in.NetworkInterfaceIds, &out.NetworkInterfaceIds
 		*out = make([]*string, len(*in))
@@ -2239,11 +2785,75 @@ func (in *WindowsFileSystemObservation) DeepCopyInto(out *WindowsFileSystemObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.PreferredSubnetID != nil {
+		in, out := &in.PreferredSubnetID, &out.PreferredSubnetID
+		*out = new(string)
+		**out = **in
+	}
 	if in.RemoteAdministrationEndpoint != nil {
 		in, out := &in.RemoteAdministrationEndpoint, &out.RemoteAdministrationEndpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SelfManagedActiveDirectory != nil {
+		in, out := &in.SelfManagedActiveDirectory, &out.SelfManagedActiveDirectory
+		*out = make([]SelfManagedActiveDirectoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SkipFinalBackup != nil {
+		in, out := &in.SkipFinalBackup, &out.SkipFinalBackup
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StorageCapacity != nil {
+		in, out := &in.StorageCapacity, &out.StorageCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageType != nil {
+		in, out := &in.StorageType, &out.StorageType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2259,11 +2869,21 @@ func (in *WindowsFileSystemObservation) DeepCopyInto(out *WindowsFileSystemObser
 			(*out)[key] = outVal
 		}
 	}
+	if in.ThroughputCapacity != nil {
+		in, out := &in.ThroughputCapacity, &out.ThroughputCapacity
+		*out = new(float64)
+		**out = **in
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
 		**out = **in
 	}
+	if in.WeeklyMaintenanceStartTime != nil {
+		in, out := &in.WeeklyMaintenanceStartTime, &out.WeeklyMaintenanceStartTime
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WindowsFileSystemObservation.
diff --git a/apis/fsx/v1beta1/zz_lustrefilesystem_types.go b/apis/fsx/v1beta1/zz_lustrefilesystem_types.go
index 4e64baef40..260ac1d774 100755
--- a/apis/fsx/v1beta1/zz_lustrefilesystem_types.go
+++ b/apis/fsx/v1beta1/zz_lustrefilesystem_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type LogConfigurationObservation struct {
+
+	// The Amazon Resource Name (ARN) that specifies the destination of the logs. The name of the Amazon CloudWatch Logs log group must begin with the /aws/fsx prefix. If you do not provide a destination, Amazon FSx will create and use a log stream in the CloudWatch Logs /aws/fsx/lustre log group.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Sets which data repository events are logged by Amazon FSx. Valid values are WARN_ONLY, FAILURE_ONLY, ERROR_ONLY, WARN_ERROR and DISABLED. Default value is DISABLED.
+	Level *string `json:"level,omitempty" tf:"level,omitempty"`
 }
 
 type LogConfigurationParameters struct {
@@ -32,12 +38,54 @@ type LustreFileSystemObservation struct {
 	// Amazon Resource Name of the file system.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// How Amazon FSx keeps your file and directory listings up to date as you add or modify objects in your linked S3 bucket. see Auto Import Data Repo for more details. Only supported on PERSISTENT_1 deployment types.
+	AutoImportPolicy *string `json:"autoImportPolicy,omitempty" tf:"auto_import_policy,omitempty"`
+
+	// The number of days to retain automatic backups. Setting this to 0 disables automatic backups. You can retain automatic backups for a maximum of 90 days. only valid for PERSISTENT_1 and PERSISTENT_2 deployment_type.
+	AutomaticBackupRetentionDays *float64 `json:"automaticBackupRetentionDays,omitempty" tf:"automatic_backup_retention_days,omitempty"`
+
+	// The ID of the source backup to create the filesystem from.
+	BackupID *string `json:"backupId,omitempty" tf:"backup_id,omitempty"`
+
+	// A boolean flag indicating whether tags for the file system should be copied to backups. Applicable for PERSISTENT_1 and PERSISTENT_2 deployment_type. The default value is false.
+	CopyTagsToBackups *bool `json:"copyTagsToBackups,omitempty" tf:"copy_tags_to_backups,omitempty"`
+
 	// DNS name for the file system, e.g., fs-12345678.fsx.us-west-2.amazonaws.com
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// A recurring daily time, in the format HH:MM. HH is the zero-padded hour of the day (0-23), and MM is the zero-padded minute of the hour. For example, 05:00 specifies 5 AM daily. only valid for PERSISTENT_1 and PERSISTENT_2 deployment_type. Requires automatic_backup_retention_days to be set.
+	DailyAutomaticBackupStartTime *string `json:"dailyAutomaticBackupStartTime,omitempty" tf:"daily_automatic_backup_start_time,omitempty"`
+
+	// Sets the data compression configuration for the file system. Valid values are LZ4 and NONE. Default value is NONE. Unsetting this value reverts the compression type back to NONE.
+	DataCompressionType *string `json:"dataCompressionType,omitempty" tf:"data_compression_type,omitempty"`
+
+	// - The filesystem deployment type. One of: SCRATCH_1, SCRATCH_2, PERSISTENT_1, PERSISTENT_2.
+	DeploymentType *string `json:"deploymentType,omitempty" tf:"deployment_type,omitempty"`
+
+	// - The type of drive cache used by PERSISTENT_1 filesystems that are provisioned with HDD storage_type. Required for HDD storage_type, set to either READ or NONE.
+	DriveCacheType *string `json:"driveCacheType,omitempty" tf:"drive_cache_type,omitempty"`
+
+	// S3 URI (with optional prefix) where the root of your Amazon FSx file system is exported. Can only be specified with import_path argument and the path must use the same Amazon S3 bucket as specified in import_path. Set equal to import_path to overwrite files on export. Defaults to s3://{IMPORT BUCKET}/FSxLustre{CREATION TIMESTAMP}. Only supported on PERSISTENT_1 deployment types.
+	ExportPath *string `json:"exportPath,omitempty" tf:"export_path,omitempty"`
+
+	// Sets the Lustre version for the file system that you're creating. Valid values are 2.10 for SCRATCH_1, SCRATCH_2 and PERSISTENT_1 deployment types. Valid values for 2.12 include all deployment types.
+	FileSystemTypeVersion *string `json:"fileSystemTypeVersion,omitempty" tf:"file_system_type_version,omitempty"`
+
 	// Identifier of the file system, e.g., fs-12345678
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// S3 URI (with optional prefix) that you're using as the data repository for your FSx for Lustre file system. For example, s3://example-bucket/optional-prefix/. Only supported on PERSISTENT_1 deployment types.
+	ImportPath *string `json:"importPath,omitempty" tf:"import_path,omitempty"`
+
+	// For files imported from a data repository, this value determines the stripe count and maximum amount of data per file (in MiB) stored on a single physical disk. Can only be specified with import_path argument. Defaults to 1024. Minimum of 1 and maximum of 512000. Only supported on PERSISTENT_1 deployment types.
+	ImportedFileChunkSize *float64 `json:"importedFileChunkSize,omitempty" tf:"imported_file_chunk_size,omitempty"`
+
+	// ARN for the KMS Key to encrypt the file system at rest, applicable for PERSISTENT_1 and PERSISTENT_2 deployment_type. Defaults to an AWS managed KMS Key.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The Lustre logging configuration used when creating an Amazon FSx for Lustre file system. When logging is enabled, Lustre logs error and warning events for data repositories associated with your file system to Amazon CloudWatch Logs.
+	LogConfiguration []LogConfigurationObservation `json:"logConfiguration,omitempty" tf:"log_configuration,omitempty"`
+
 	// The value to be used when mounting the filesystem.
 	MountName *string `json:"mountName,omitempty" tf:"mount_name,omitempty"`
 
@@ -47,11 +95,32 @@ type LustreFileSystemObservation struct {
 	// AWS account identifier that created the file system.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// - Describes the amount of read and write throughput for each 1 tebibyte of storage, in MB/s/TiB, required for the PERSISTENT_1 and PERSISTENT_2 deployment_type. Valid values for PERSISTENT_1 deployment_type and SSD storage_type are 50, 100, 200. Valid values for PERSISTENT_1 deployment_type and HDD storage_type are 12, 40. Valid values for PERSISTENT_2 deployment_type and  SSD storage_type are 125, 250, 500, 1000.
+	PerUnitStorageThroughput *float64 `json:"perUnitStorageThroughput,omitempty" tf:"per_unit_storage_throughput,omitempty"`
+
+	// A list of IDs for the security groups that apply to the specified network interfaces created for file system access. These security groups will apply to all network interfaces.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// The storage capacity (GiB) of the file system. Minimum of 1200. See more details at Allowed values for Fsx storage capacity. Update is allowed only for SCRATCH_2, PERSISTENT_1 and PERSISTENT_2 deployment types, See more details at Fsx Storage Capacity Update. Required when not creating filesystem for a backup.
+	StorageCapacity *float64 `json:"storageCapacity,omitempty" tf:"storage_capacity,omitempty"`
+
+	// - The filesystem storage type. Either SSD or HDD, defaults to SSD. HDD is only supported on PERSISTENT_1 deployment types.
+	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
+
+	// A list of IDs for the subnets that the file system will be accessible from. File systems currently support only one subnet. The file server is also launched in that subnet's Availability Zone.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Identifier of the Virtual Private Cloud for the file system.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// The preferred start time (in d:HH:MM format) to perform weekly maintenance, in the UTC time zone.
+	WeeklyMaintenanceStartTime *string `json:"weeklyMaintenanceStartTime,omitempty" tf:"weekly_maintenance_start_time,omitempty"`
 }
 
 type LustreFileSystemParameters struct {
diff --git a/apis/fsx/v1beta1/zz_ontapfilesystem_types.go b/apis/fsx/v1beta1/zz_ontapfilesystem_types.go
index 281e0427cc..8fa32fd7a4 100755
--- a/apis/fsx/v1beta1/zz_ontapfilesystem_types.go
+++ b/apis/fsx/v1beta1/zz_ontapfilesystem_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type DiskIopsConfigurationObservation struct {
+
+	// - The total number of SSD IOPS provisioned for the file system.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// - Specifies whether the number of IOPS for the file system is using the system. Valid values are AUTOMATIC and USER_PROVISIONED. Default value is AUTOMATIC.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
 }
 
 type DiskIopsConfigurationParameters struct {
@@ -68,26 +74,71 @@ type OntapFileSystemObservation struct {
 	// Amazon Resource Name of the file system.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The number of days to retain automatic backups. Setting this to 0 disables automatic backups. You can retain automatic backups for a maximum of 90 days.
+	AutomaticBackupRetentionDays *float64 `json:"automaticBackupRetentionDays,omitempty" tf:"automatic_backup_retention_days,omitempty"`
+
 	// DNS name for the file system, e.g., fs-12345678.fsx.us-west-2.amazonaws.com
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// A recurring daily time, in the format HH:MM. HH is the zero-padded hour of the day (0-23), and MM is the zero-padded minute of the hour. For example, 05:00 specifies 5 AM daily. Requires automatic_backup_retention_days to be set.
+	DailyAutomaticBackupStartTime *string `json:"dailyAutomaticBackupStartTime,omitempty" tf:"daily_automatic_backup_start_time,omitempty"`
+
+	// - The filesystem deployment type. Supports MULTI_AZ_1 and SINGLE_AZ_1.
+	DeploymentType *string `json:"deploymentType,omitempty" tf:"deployment_type,omitempty"`
+
+	// The SSD IOPS configuration for the Amazon FSx for NetApp ONTAP file system. See Disk Iops Configuration Below.
+	DiskIopsConfiguration []DiskIopsConfigurationObservation `json:"diskIopsConfiguration,omitempty" tf:"disk_iops_configuration,omitempty"`
+
+	// Specifies the IP address range in which the endpoints to access your file system will be created. By default, Amazon FSx selects an unused IP address range for you from the 198.19.* range.
+	EndpointIPAddressRange *string `json:"endpointIpAddressRange,omitempty" tf:"endpoint_ip_address_range,omitempty"`
+
 	// The endpoints that are used to access data or to manage the file system using the NetApp ONTAP CLI, REST API, or NetApp SnapMirror. See Endpoints below.
 	Endpoints []EndpointsObservation `json:"endpoints,omitempty" tf:"endpoints,omitempty"`
 
 	// Identifier of the file system, e.g., fs-12345678
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN for the KMS Key to encrypt the file system at rest, Defaults to an AWS managed KMS Key.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// Set of Elastic Network Interface identifiers from which the file system is accessible The first network interface returned is the primary network interface.
 	NetworkInterfaceIds []*string `json:"networkInterfaceIds,omitempty" tf:"network_interface_ids,omitempty"`
 
 	// AWS account identifier that created the file system.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// The ID for a subnet. A subnet is a range of IP addresses in your virtual private cloud (VPC).
+	PreferredSubnetID *string `json:"preferredSubnetId,omitempty" tf:"preferred_subnet_id,omitempty"`
+
+	// Specifies the VPC route tables in which your file system's endpoints will be created. You should specify all VPC route tables associated with the subnets in which your clients are located. By default, Amazon FSx selects your VPC's default route table.
+	RouteTableIds []*string `json:"routeTableIds,omitempty" tf:"route_table_ids,omitempty"`
+
+	// A list of IDs for the security groups that apply to the specified network interfaces created for file system access. These security groups will apply to all network interfaces.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// The storage capacity (GiB) of the file system. Valid values between 1024 and 196608.
+	StorageCapacity *float64 `json:"storageCapacity,omitempty" tf:"storage_capacity,omitempty"`
+
+	// - The filesystem storage type. defaults to SSD.
+	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
+
+	// A list of IDs for the subnets that the file system will be accessible from. Upto 2 subnets can be provided.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Sets the throughput capacity (in MBps) for the file system that you're creating. Valid values are 128, 256, 512, 1024, and 2048.
+	ThroughputCapacity *float64 `json:"throughputCapacity,omitempty" tf:"throughput_capacity,omitempty"`
+
 	// Identifier of the Virtual Private Cloud for the file system.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// The preferred start time (in d:HH:MM format) to perform weekly maintenance, in the UTC time zone.
+	WeeklyMaintenanceStartTime *string `json:"weeklyMaintenanceStartTime,omitempty" tf:"weekly_maintenance_start_time,omitempty"`
 }
 
 type OntapFileSystemParameters struct {
@@ -101,8 +152,8 @@ type OntapFileSystemParameters struct {
 	DailyAutomaticBackupStartTime *string `json:"dailyAutomaticBackupStartTime,omitempty" tf:"daily_automatic_backup_start_time,omitempty"`
 
 	// - The filesystem deployment type. Supports MULTI_AZ_1 and SINGLE_AZ_1.
-	// +kubebuilder:validation:Required
-	DeploymentType *string `json:"deploymentType" tf:"deployment_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	DeploymentType *string `json:"deploymentType,omitempty" tf:"deployment_type,omitempty"`
 
 	// The SSD IOPS configuration for the Amazon FSx for NetApp ONTAP file system. See Disk Iops Configuration Below.
 	// +kubebuilder:validation:Optional
@@ -195,8 +246,8 @@ type OntapFileSystemParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Sets the throughput capacity (in MBps) for the file system that you're creating. Valid values are 128, 256, 512, 1024, and 2048.
-	// +kubebuilder:validation:Required
-	ThroughputCapacity *float64 `json:"throughputCapacity" tf:"throughput_capacity,omitempty"`
+	// +kubebuilder:validation:Optional
+	ThroughputCapacity *float64 `json:"throughputCapacity,omitempty" tf:"throughput_capacity,omitempty"`
 
 	// The preferred start time (in d:HH:MM format) to perform weekly maintenance, in the UTC time zone.
 	// +kubebuilder:validation:Optional
@@ -227,8 +278,10 @@ type OntapFileSystemStatus struct {
 type OntapFileSystem struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              OntapFileSystemSpec   `json:"spec"`
-	Status            OntapFileSystemStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deploymentType)",message="deploymentType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.throughputCapacity)",message="throughputCapacity is a required parameter"
+	Spec   OntapFileSystemSpec   `json:"spec"`
+	Status OntapFileSystemStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/fsx/v1beta1/zz_ontapstoragevirtualmachine_types.go b/apis/fsx/v1beta1/zz_ontapstoragevirtualmachine_types.go
index 2f13e4a07b..c4f2ba1909 100755
--- a/apis/fsx/v1beta1/zz_ontapstoragevirtualmachine_types.go
+++ b/apis/fsx/v1beta1/zz_ontapstoragevirtualmachine_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ActiveDirectoryConfigurationObservation struct {
+
+	// The NetBIOS name of the Active Directory computer object that will be created for your SVM. This is often the same as the SVM name but can be different. AWS limits to 15 characters because of standard NetBIOS naming limits.
+	NetbiosName *string `json:"netbiosName,omitempty" tf:"netbios_name,omitempty"`
+
+	// Configuration block that Amazon FSx uses to join the FSx ONTAP Storage Virtual Machine(SVM) to your Microsoft Active Directory (AD) directory. Detailed below.
+	SelfManagedActiveDirectoryConfiguration []SelfManagedActiveDirectoryConfigurationObservation `json:"selfManagedActiveDirectoryConfiguration,omitempty" tf:"self_managed_active_directory_configuration,omitempty"`
 }
 
 type ActiveDirectoryConfigurationParameters struct {
@@ -83,18 +89,33 @@ type OntapStorageVirtualMachineEndpointsParameters struct {
 
 type OntapStorageVirtualMachineObservation struct {
 
+	// Configuration block that Amazon FSx uses to join the FSx ONTAP Storage Virtual Machine(SVM) to your Microsoft Active Directory (AD) directory. Detailed below.
+	ActiveDirectoryConfiguration []ActiveDirectoryConfigurationObservation `json:"activeDirectoryConfiguration,omitempty" tf:"active_directory_configuration,omitempty"`
+
 	// Amazon Resource Name of the storage virtual machine.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The endpoints that are used to access data or to manage the storage virtual machine using the NetApp ONTAP CLI, REST API, or NetApp SnapMirror. See Endpoints below.
 	Endpoints []OntapStorageVirtualMachineEndpointsObservation `json:"endpoints,omitempty" tf:"endpoints,omitempty"`
 
+	// The ID of the Amazon FSx ONTAP File System that this SVM will be created on.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
 	// Identifier of the storage virtual machine, e.g., svm-12345678
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the SVM. You can use a maximum of 47 alphanumeric characters, plus the underscore (_) special character.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies the root volume security style, Valid values are UNIX, NTFS, and MIXED. All volumes created under this SVM will inherit the root security style unless the security style is specified on the volume. Default value is UNIX.
+	RootVolumeSecurityStyle *string `json:"rootVolumeSecurityStyle,omitempty" tf:"root_volume_security_style,omitempty"`
+
 	// Describes the SVM's subtype, e.g. DEFAULT
 	Subtype *string `json:"subtype,omitempty" tf:"subtype,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -123,8 +144,8 @@ type OntapStorageVirtualMachineParameters struct {
 	FileSystemIDSelector *v1.Selector `json:"fileSystemIdSelector,omitempty" tf:"-"`
 
 	// The name of the SVM. You can use a maximum of 47 alphanumeric characters, plus the underscore (_) special character.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -156,6 +177,21 @@ type SMBParameters struct {
 }
 
 type SelfManagedActiveDirectoryConfigurationObservation struct {
+
+	// A list of up to three IP addresses of DNS servers or domain controllers in the self-managed AD directory.
+	DNSIps []*string `json:"dnsIps,omitempty" tf:"dns_ips,omitempty"`
+
+	// The fully qualified domain name of the self-managed AD directory. For example, corp.example.com.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// The name of the domain group whose members are granted administrative privileges for the SVM. The group that you specify must already exist in your domain. Defaults to Domain Admins.
+	FileSystemAdministratorsGroup *string `json:"fileSystemAdministratorsGroup,omitempty" tf:"file_system_administrators_group,omitempty"`
+
+	// The fully qualified distinguished name of the organizational unit within your self-managed AD directory that the Windows File Server instance will join. For example, OU=FSx,DC=yourdomain,DC=corp,DC=com. Only accepts OU as the direct parent of the SVM. If none is provided, the SVM is created in the default location of your self-managed AD directory. To learn more, see RFC 2253.
+	OrganizationalUnitDistinguishedName *string `json:"organizationalUnitDistinguishedName,omitempty" tf:"organizational_unit_distinguished_name,omitempty"`
+
+	// The user name for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type SelfManagedActiveDirectoryConfigurationParameters struct {
@@ -209,8 +245,9 @@ type OntapStorageVirtualMachineStatus struct {
 type OntapStorageVirtualMachine struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              OntapStorageVirtualMachineSpec   `json:"spec"`
-	Status            OntapStorageVirtualMachineStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   OntapStorageVirtualMachineSpec   `json:"spec"`
+	Status OntapStorageVirtualMachineStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/fsx/v1beta1/zz_windowsfilesystem_types.go b/apis/fsx/v1beta1/zz_windowsfilesystem_types.go
index efa6efcf5e..f6eba2642a 100755
--- a/apis/fsx/v1beta1/zz_windowsfilesystem_types.go
+++ b/apis/fsx/v1beta1/zz_windowsfilesystem_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AuditLogConfigurationObservation struct {
+
+	// The Amazon Resource Name (ARN) for the destination of the audit logs. The destination can be any Amazon CloudWatch Logs log group ARN or Amazon Kinesis Data Firehose delivery stream ARN. Can be specified when file_access_audit_log_level and file_share_access_audit_log_level are not set to DISABLED. The name of the Amazon CloudWatch Logs log group must begin with the /aws/fsx prefix. The name of the Amazon Kinesis Data Firehouse delivery stream must begin with the aws-fsx prefix. If you do not provide a destination in audit_log_destionation, Amazon FSx will create and use a log stream in the CloudWatch Logs /aws/fsx/windows log group.
+	AuditLogDestination *string `json:"auditLogDestination,omitempty" tf:"audit_log_destination,omitempty"`
+
+	// Sets which attempt type is logged by Amazon FSx for file and folder accesses. Valid values are SUCCESS_ONLY, FAILURE_ONLY, SUCCESS_AND_FAILURE, and DISABLED. Default value is DISABLED.
+	FileAccessAuditLogLevel *string `json:"fileAccessAuditLogLevel,omitempty" tf:"file_access_audit_log_level,omitempty"`
+
+	// Sets which attempt type is logged by Amazon FSx for file share accesses. Valid values are SUCCESS_ONLY, FAILURE_ONLY, SUCCESS_AND_FAILURE, and DISABLED. Default value is DISABLED.
+	FileShareAccessAuditLogLevel *string `json:"fileShareAccessAuditLogLevel,omitempty" tf:"file_share_access_audit_log_level,omitempty"`
 }
 
 type AuditLogConfigurationParameters struct {
@@ -32,6 +41,21 @@ type AuditLogConfigurationParameters struct {
 }
 
 type SelfManagedActiveDirectoryObservation struct {
+
+	// A list of up to two IP addresses of DNS servers or domain controllers in the self-managed AD directory. The IP addresses need to be either in the same VPC CIDR range as the file system or in the private IP version 4 (IPv4) address ranges as specified in RFC 1918.
+	DNSIps []*string `json:"dnsIps,omitempty" tf:"dns_ips,omitempty"`
+
+	// The fully qualified domain name of the self-managed AD directory. For example, corp.example.com.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// The name of the domain group whose members are granted administrative privileges for the file system. Administrative privileges include taking ownership of files and folders, and setting audit controls (audit ACLs) on files and folders. The group that you specify must already exist in your domain. Defaults to Domain Admins.
+	FileSystemAdministratorsGroup *string `json:"fileSystemAdministratorsGroup,omitempty" tf:"file_system_administrators_group,omitempty"`
+
+	// The fully qualified distinguished name of the organizational unit within your self-managed AD directory that the Windows File Server instance will join. For example, OU=FSx,DC=yourdomain,DC=corp,DC=com. Only accepts OU as the direct parent of the file system. If none is provided, the FSx file system is created in the default location of your self-managed AD directory. To learn more, see RFC 2253.
+	OrganizationalUnitDistinguishedName *string `json:"organizationalUnitDistinguishedName,omitempty" tf:"organizational_unit_distinguished_name,omitempty"`
+
+	// The user name for the service account on your self-managed AD domain that Amazon FSx will use to join to your AD domain.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type SelfManagedActiveDirectoryParameters struct {
@@ -63,15 +87,42 @@ type SelfManagedActiveDirectoryParameters struct {
 
 type WindowsFileSystemObservation struct {
 
+	// The ID for an existing Microsoft Active Directory instance that the file system should join when it's created. Cannot be specified with self_managed_active_directory.
+	ActiveDirectoryID *string `json:"activeDirectoryId,omitempty" tf:"active_directory_id,omitempty"`
+
+	// An array DNS alias names that you want to associate with the Amazon FSx file system.  For more information, see Working with DNS Aliases
+	Aliases []*string `json:"aliases,omitempty" tf:"aliases,omitempty"`
+
 	// Amazon Resource Name of the file system.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The configuration that Amazon FSx for Windows File Server uses to audit and log user accesses of files, folders, and file shares on the Amazon FSx for Windows File Server file system. See below.
+	AuditLogConfiguration []AuditLogConfigurationObservation `json:"auditLogConfiguration,omitempty" tf:"audit_log_configuration,omitempty"`
+
+	// The number of days to retain automatic backups. Minimum of 0 and maximum of 90. Defaults to 7. Set to 0 to disable.
+	AutomaticBackupRetentionDays *float64 `json:"automaticBackupRetentionDays,omitempty" tf:"automatic_backup_retention_days,omitempty"`
+
+	// The ID of the source backup to create the filesystem from.
+	BackupID *string `json:"backupId,omitempty" tf:"backup_id,omitempty"`
+
+	// A boolean flag indicating whether tags on the file system should be copied to backups. Defaults to false.
+	CopyTagsToBackups *bool `json:"copyTagsToBackups,omitempty" tf:"copy_tags_to_backups,omitempty"`
+
 	// DNS name for the file system, e.g., fs-12345678.corp.example.com (domain name matching the Active Directory domain name)
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// The preferred time (in HH:MM format) to take daily automatic backups, in the UTC time zone.
+	DailyAutomaticBackupStartTime *string `json:"dailyAutomaticBackupStartTime,omitempty" tf:"daily_automatic_backup_start_time,omitempty"`
+
+	// Specifies the file system deployment type, valid values are MULTI_AZ_1, SINGLE_AZ_1 and SINGLE_AZ_2. Default value is SINGLE_AZ_1.
+	DeploymentType *string `json:"deploymentType,omitempty" tf:"deployment_type,omitempty"`
+
 	// Identifier of the file system, e.g., fs-12345678
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN for the KMS Key to encrypt the file system at rest. Defaults to an AWS managed KMS Key.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// Set of Elastic Network Interface identifiers from which the file system is accessible.
 	NetworkInterfaceIds []*string `json:"networkInterfaceIds,omitempty" tf:"network_interface_ids,omitempty"`
 
@@ -81,14 +132,44 @@ type WindowsFileSystemObservation struct {
 	// The IP address of the primary, or preferred, file server.
 	PreferredFileServerIP *string `json:"preferredFileServerIp,omitempty" tf:"preferred_file_server_ip,omitempty"`
 
+	// Specifies the subnet in which you want the preferred file server to be located. Required for when deployment type is MULTI_AZ_1.
+	PreferredSubnetID *string `json:"preferredSubnetId,omitempty" tf:"preferred_subnet_id,omitempty"`
+
 	// For MULTI_AZ_1 deployment types, use this endpoint when performing administrative tasks on the file system using Amazon FSx Remote PowerShell. For SINGLE_AZ_1 deployment types, this is the DNS name of the file system.
 	RemoteAdministrationEndpoint *string `json:"remoteAdministrationEndpoint,omitempty" tf:"remote_administration_endpoint,omitempty"`
 
+	// A list of IDs for the security groups that apply to the specified network interfaces created for file system access. These security groups will apply to all network interfaces.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Configuration block that Amazon FSx uses to join the Windows File Server instance to your self-managed (including on-premises) Microsoft Active Directory (AD) directory. Cannot be specified with active_directory_id. Detailed below.
+	SelfManagedActiveDirectory []SelfManagedActiveDirectoryObservation `json:"selfManagedActiveDirectory,omitempty" tf:"self_managed_active_directory,omitempty"`
+
+	// When enabled, will skip the default final backup taken when the file system is deleted. This configuration must be applied separately before attempting to delete the resource to have the desired behavior. Defaults to false.
+	SkipFinalBackup *bool `json:"skipFinalBackup,omitempty" tf:"skip_final_backup,omitempty"`
+
+	// Storage capacity (GiB) of the file system. Minimum of 32 and maximum of 65536. If the storage type is set to HDD the minimum value is 2000. Required when not creating filesystem for a backup.
+	StorageCapacity *float64 `json:"storageCapacity,omitempty" tf:"storage_capacity,omitempty"`
+
+	// Specifies the storage type, Valid values are SSD and HDD. HDD is supported on SINGLE_AZ_2 and MULTI_AZ_1 Windows file system deployment types. Default value is SSD.
+	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
+
+	// A list of IDs for the subnets that the file system will be accessible from. To specify more than a single subnet set deployment_type to MULTI_AZ_1.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Throughput (megabytes per second) of the file system in power of 2 increments. Minimum of 8 and maximum of 2048.
+	ThroughputCapacity *float64 `json:"throughputCapacity,omitempty" tf:"throughput_capacity,omitempty"`
+
 	// Identifier of the Virtual Private Cloud for the file system.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// The preferred start time (in d:HH:MM format) to perform weekly maintenance, in the UTC time zone.
+	WeeklyMaintenanceStartTime *string `json:"weeklyMaintenanceStartTime,omitempty" tf:"weekly_maintenance_start_time,omitempty"`
 }
 
 type WindowsFileSystemParameters struct {
@@ -209,8 +290,8 @@ type WindowsFileSystemParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Throughput (megabytes per second) of the file system in power of 2 increments. Minimum of 8 and maximum of 2048.
-	// +kubebuilder:validation:Required
-	ThroughputCapacity *float64 `json:"throughputCapacity" tf:"throughput_capacity,omitempty"`
+	// +kubebuilder:validation:Optional
+	ThroughputCapacity *float64 `json:"throughputCapacity,omitempty" tf:"throughput_capacity,omitempty"`
 
 	// The preferred start time (in d:HH:MM format) to perform weekly maintenance, in the UTC time zone.
 	// +kubebuilder:validation:Optional
@@ -241,8 +322,9 @@ type WindowsFileSystemStatus struct {
 type WindowsFileSystem struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WindowsFileSystemSpec   `json:"spec"`
-	Status            WindowsFileSystemStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.throughputCapacity)",message="throughputCapacity is a required parameter"
+	Spec   WindowsFileSystemSpec   `json:"spec"`
+	Status WindowsFileSystemStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/gamelift/v1beta1/zz_alias_types.go b/apis/gamelift/v1beta1/zz_alias_types.go
index 05fdb975f7..f833c6be91 100755
--- a/apis/gamelift/v1beta1/zz_alias_types.go
+++ b/apis/gamelift/v1beta1/zz_alias_types.go
@@ -18,9 +18,21 @@ type AliasObservation struct {
 	// Alias ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the alias.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Alias ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the alias.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies the fleet and/or routing type to use for the alias.
+	RoutingStrategy []RoutingStrategyObservation `json:"routingStrategy,omitempty" tf:"routing_strategy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +44,8 @@ type AliasParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Name of the alias.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -41,8 +53,8 @@ type AliasParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Specifies the fleet and/or routing type to use for the alias.
-	// +kubebuilder:validation:Required
-	RoutingStrategy []RoutingStrategyParameters `json:"routingStrategy" tf:"routing_strategy,omitempty"`
+	// +kubebuilder:validation:Optional
+	RoutingStrategy []RoutingStrategyParameters `json:"routingStrategy,omitempty" tf:"routing_strategy,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,15 @@ type AliasParameters struct {
 }
 
 type RoutingStrategyObservation struct {
+
+	// ID of the GameLift Fleet to point the alias to.
+	FleetID *string `json:"fleetId,omitempty" tf:"fleet_id,omitempty"`
+
+	// Message text to be used with the TERMINAL routing strategy.
+	Message *string `json:"message,omitempty" tf:"message,omitempty"`
+
+	// Type of routing strategyE.g., SIMPLE or TERMINAL
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RoutingStrategyParameters struct {
@@ -91,8 +112,10 @@ type AliasStatus struct {
 type Alias struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AliasSpec   `json:"spec"`
-	Status            AliasStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routingStrategy)",message="routingStrategy is a required parameter"
+	Spec   AliasSpec   `json:"spec"`
+	Status AliasStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/gamelift/v1beta1/zz_build_types.go b/apis/gamelift/v1beta1/zz_build_types.go
index 1262e98b01..4a5db4ab0f 100755
--- a/apis/gamelift/v1beta1/zz_build_types.go
+++ b/apis/gamelift/v1beta1/zz_build_types.go
@@ -21,19 +21,34 @@ type BuildObservation struct {
 	// GameLift Build ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the build
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Operating system that the game server binaries are built to run onE.g., WINDOWS_2012, AMAZON_LINUX or AMAZON_LINUX_2.
+	OperatingSystem *string `json:"operatingSystem,omitempty" tf:"operating_system,omitempty"`
+
+	// Information indicating where your game build files are stored. See below.
+	StorageLocation []StorageLocationObservation `json:"storageLocation,omitempty" tf:"storage_location,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Version that is associated with this build.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type BuildParameters struct {
 
 	// Name of the build
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Operating system that the game server binaries are built to run onE.g., WINDOWS_2012, AMAZON_LINUX or AMAZON_LINUX_2.
-	// +kubebuilder:validation:Required
-	OperatingSystem *string `json:"operatingSystem" tf:"operating_system,omitempty"`
+	// +kubebuilder:validation:Optional
+	OperatingSystem *string `json:"operatingSystem,omitempty" tf:"operating_system,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -41,8 +56,8 @@ type BuildParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Information indicating where your game build files are stored. See below.
-	// +kubebuilder:validation:Required
-	StorageLocation []StorageLocationParameters `json:"storageLocation" tf:"storage_location,omitempty"`
+	// +kubebuilder:validation:Optional
+	StorageLocation []StorageLocationParameters `json:"storageLocation,omitempty" tf:"storage_location,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -54,6 +69,18 @@ type BuildParameters struct {
 }
 
 type StorageLocationObservation struct {
+
+	// Name of your S3 bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Name of the zip file containing your build files.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A specific version of the file. If not set, the latest version of the file is retrieved.
+	ObjectVersion *string `json:"objectVersion,omitempty" tf:"object_version,omitempty"`
+
+	// ARN of the access role that allows Amazon GameLift to access your S3 bucket.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type StorageLocationParameters struct {
@@ -128,8 +155,11 @@ type BuildStatus struct {
 type Build struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BuildSpec   `json:"spec"`
-	Status            BuildStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.operatingSystem)",message="operatingSystem is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageLocation)",message="storageLocation is a required parameter"
+	Spec   BuildSpec   `json:"spec"`
+	Status BuildStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/gamelift/v1beta1/zz_fleet_types.go b/apis/gamelift/v1beta1/zz_fleet_types.go
index d01a8b46ef..bbb8e0dc46 100755
--- a/apis/gamelift/v1beta1/zz_fleet_types.go
+++ b/apis/gamelift/v1beta1/zz_fleet_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type CertificateConfigurationObservation struct {
+
+	// Indicates whether a TLS/SSL certificate is generated for a fleet. Valid values are DISABLED and GENERATED. Default value is DISABLED.
+	CertificateType *string `json:"certificateType,omitempty" tf:"certificate_type,omitempty"`
 }
 
 type CertificateConfigurationParameters struct {
@@ -24,6 +27,18 @@ type CertificateConfigurationParameters struct {
 }
 
 type EC2InboundPermissionObservation struct {
+
+	// Starting value for a range of allowed port numbers.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// Range of allowed IP addresses expressed in CIDR notationE.g., 000.000.000.000/[subnet mask] or 0.0.0.0/[subnet mask].
+	IPRange *string `json:"ipRange,omitempty" tf:"ip_range,omitempty"`
+
+	// Network communication protocol used by the fleetE.g., TCP or UDP
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Ending value for a range of allowed port numbers. Port numbers are end-inclusive. This value must be higher than from_port.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type EC2InboundPermissionParameters struct {
@@ -53,17 +68,59 @@ type FleetObservation struct {
 	// Build ARN.
 	BuildArn *string `json:"buildArn,omitempty" tf:"build_arn,omitempty"`
 
+	// ID of the GameLift Build to be deployed on the fleet.
+	BuildID *string `json:"buildId,omitempty" tf:"build_id,omitempty"`
+
+	// Prompts GameLift to generate a TLS/SSL certificate for the fleet. See certificate_configuration.
+	CertificateConfiguration []CertificateConfigurationObservation `json:"certificateConfiguration,omitempty" tf:"certificate_configuration,omitempty"`
+
+	// Human-readable description of the fleet.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Range of IP addresses and port settings that permit inbound traffic to access server processes running on the fleet. See below.
+	EC2InboundPermission []EC2InboundPermissionObservation `json:"ec2InboundPermission,omitempty" tf:"ec2_inbound_permission,omitempty"`
+
+	// Name of an EC2 instance typeE.g., t2.micro
+	EC2InstanceType *string `json:"ec2InstanceType,omitempty" tf:"ec2_instance_type,omitempty"`
+
+	// Type of fleet. This value must be ON_DEMAND or SPOT. Defaults to ON_DEMAND.
+	FleetType *string `json:"fleetType,omitempty" tf:"fleet_type,omitempty"`
+
 	// Fleet ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of an IAM role that instances in the fleet can assume.
+	InstanceRoleArn *string `json:"instanceRoleArn,omitempty" tf:"instance_role_arn,omitempty"`
+
 	LogPaths []*string `json:"logPaths,omitempty" tf:"log_paths,omitempty"`
 
+	// List of names of metric groups to add this fleet to. A metric group tracks metrics across all fleets in the group. Defaults to default.
+	MetricGroups []*string `json:"metricGroups,omitempty" tf:"metric_groups,omitempty"`
+
+	// The name of the fleet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Game session protection policy to apply to all instances in this fleetE.g., FullProtection. Defaults to NoProtection.
+	NewGameSessionProtectionPolicy *string `json:"newGameSessionProtectionPolicy,omitempty" tf:"new_game_session_protection_policy,omitempty"`
+
 	// Operating system of the fleet's computing resources.
 	OperatingSystem *string `json:"operatingSystem,omitempty" tf:"operating_system,omitempty"`
 
+	// Policy that limits the number of game sessions an individual player can create over a span of time for this fleet. See below.
+	ResourceCreationLimitPolicy []ResourceCreationLimitPolicyObservation `json:"resourceCreationLimitPolicy,omitempty" tf:"resource_creation_limit_policy,omitempty"`
+
+	// Instructions for launching server processes on each instance in the fleet. See below.
+	RuntimeConfiguration []RuntimeConfigurationObservation `json:"runtimeConfiguration,omitempty" tf:"runtime_configuration,omitempty"`
+
 	// Script ARN.
 	ScriptArn *string `json:"scriptArn,omitempty" tf:"script_arn,omitempty"`
 
+	// ID of the GameLift Script to be deployed on the fleet.
+	ScriptID *string `json:"scriptId,omitempty" tf:"script_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -96,8 +153,8 @@ type FleetParameters struct {
 	EC2InboundPermission []EC2InboundPermissionParameters `json:"ec2InboundPermission,omitempty" tf:"ec2_inbound_permission,omitempty"`
 
 	// Name of an EC2 instance typeE.g., t2.micro
-	// +kubebuilder:validation:Required
-	EC2InstanceType *string `json:"ec2InstanceType" tf:"ec2_instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	EC2InstanceType *string `json:"ec2InstanceType,omitempty" tf:"ec2_instance_type,omitempty"`
 
 	// Type of fleet. This value must be ON_DEMAND or SPOT. Defaults to ON_DEMAND.
 	// +kubebuilder:validation:Optional
@@ -122,8 +179,8 @@ type FleetParameters struct {
 	MetricGroups []*string `json:"metricGroups,omitempty" tf:"metric_groups,omitempty"`
 
 	// The name of the fleet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Game session protection policy to apply to all instances in this fleetE.g., FullProtection. Defaults to NoProtection.
 	// +kubebuilder:validation:Optional
@@ -152,6 +209,12 @@ type FleetParameters struct {
 }
 
 type ResourceCreationLimitPolicyObservation struct {
+
+	// Maximum number of game sessions that an individual can create during the policy period.
+	NewGameSessionsPerCreator *float64 `json:"newGameSessionsPerCreator,omitempty" tf:"new_game_sessions_per_creator,omitempty"`
+
+	// Time span used in evaluating the resource creation limit policy.
+	PolicyPeriodInMinutes *float64 `json:"policyPeriodInMinutes,omitempty" tf:"policy_period_in_minutes,omitempty"`
 }
 
 type ResourceCreationLimitPolicyParameters struct {
@@ -166,6 +229,15 @@ type ResourceCreationLimitPolicyParameters struct {
 }
 
 type RuntimeConfigurationObservation struct {
+
+	// Maximum amount of time (in seconds) that a game session can remain in status ACTIVATING.
+	GameSessionActivationTimeoutSeconds *float64 `json:"gameSessionActivationTimeoutSeconds,omitempty" tf:"game_session_activation_timeout_seconds,omitempty"`
+
+	// Maximum number of game sessions with status ACTIVATING to allow on an instance simultaneously.
+	MaxConcurrentGameSessionActivations *float64 `json:"maxConcurrentGameSessionActivations,omitempty" tf:"max_concurrent_game_session_activations,omitempty"`
+
+	// Collection of server process configurations that describe which server processes to run on each instance in a fleet. See below.
+	ServerProcess []ServerProcessObservation `json:"serverProcess,omitempty" tf:"server_process,omitempty"`
 }
 
 type RuntimeConfigurationParameters struct {
@@ -184,6 +256,15 @@ type RuntimeConfigurationParameters struct {
 }
 
 type ServerProcessObservation struct {
+
+	// Number of server processes using this configuration to run concurrently on an instance.
+	ConcurrentExecutions *float64 `json:"concurrentExecutions,omitempty" tf:"concurrent_executions,omitempty"`
+
+	// Location of the server executable in a game build. All game builds are installed on instances at the root : for Windows instances C:\game, and for Linux instances /local/game.
+	LaunchPath *string `json:"launchPath,omitempty" tf:"launch_path,omitempty"`
+
+	// Optional list of parameters to pass to the server executable on launch.
+	Parameters *string `json:"parameters,omitempty" tf:"parameters,omitempty"`
 }
 
 type ServerProcessParameters struct {
@@ -225,8 +306,10 @@ type FleetStatus struct {
 type Fleet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FleetSpec   `json:"spec"`
-	Status            FleetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ec2InstanceType)",message="ec2InstanceType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   FleetSpec   `json:"spec"`
+	Status FleetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/gamelift/v1beta1/zz_gamesessionqueue_types.go b/apis/gamelift/v1beta1/zz_gamesessionqueue_types.go
index 7b48ab591f..355f93783b 100755
--- a/apis/gamelift/v1beta1/zz_gamesessionqueue_types.go
+++ b/apis/gamelift/v1beta1/zz_gamesessionqueue_types.go
@@ -18,10 +18,25 @@ type GameSessionQueueObservation struct {
 	// Game Session Queue ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of fleet/alias ARNs used by session queue for placing game sessions.
+	Destinations []*string `json:"destinations,omitempty" tf:"destinations,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// An SNS topic ARN that is set up to receive game session placement notifications.
+	NotificationTarget *string `json:"notificationTarget,omitempty" tf:"notification_target,omitempty"`
+
+	// One or more policies used to choose fleet based on player latency. See below.
+	PlayerLatencyPolicy []PlayerLatencyPolicyObservation `json:"playerLatencyPolicy,omitempty" tf:"player_latency_policy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Maximum time a game session request can remain in the queue.
+	TimeoutInSeconds *float64 `json:"timeoutInSeconds,omitempty" tf:"timeout_in_seconds,omitempty"`
 }
 
 type GameSessionQueueParameters struct {
@@ -63,6 +78,12 @@ type GameSessionQueueParameters struct {
 }
 
 type PlayerLatencyPolicyObservation struct {
+
+	// Maximum latency value that is allowed for any player.
+	MaximumIndividualPlayerLatencyMilliseconds *float64 `json:"maximumIndividualPlayerLatencyMilliseconds,omitempty" tf:"maximum_individual_player_latency_milliseconds,omitempty"`
+
+	// Length of time that the policy is enforced while placing a new game session. Absence of value for this attribute means that the policy is enforced until the queue times out.
+	PolicyDurationSeconds *float64 `json:"policyDurationSeconds,omitempty" tf:"policy_duration_seconds,omitempty"`
 }
 
 type PlayerLatencyPolicyParameters struct {
diff --git a/apis/gamelift/v1beta1/zz_generated.deepcopy.go b/apis/gamelift/v1beta1/zz_generated.deepcopy.go
index 9f6a7e8a0e..3512a50a1f 100644
--- a/apis/gamelift/v1beta1/zz_generated.deepcopy.go
+++ b/apis/gamelift/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,43 @@ func (in *AliasObservation) DeepCopyInto(out *AliasObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoutingStrategy != nil {
+		in, out := &in.RoutingStrategy, &out.RoutingStrategy
+		*out = make([]RoutingStrategyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -271,6 +303,38 @@ func (in *BuildObservation) DeepCopyInto(out *BuildObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OperatingSystem != nil {
+		in, out := &in.OperatingSystem, &out.OperatingSystem
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageLocation != nil {
+		in, out := &in.StorageLocation, &out.StorageLocation
+		*out = make([]StorageLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -286,6 +350,11 @@ func (in *BuildObservation) DeepCopyInto(out *BuildObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BuildObservation.
@@ -392,6 +461,11 @@ func (in *BuildStatus) DeepCopy() *BuildStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateConfigurationObservation) DeepCopyInto(out *CertificateConfigurationObservation) {
 	*out = *in
+	if in.CertificateType != nil {
+		in, out := &in.CertificateType, &out.CertificateType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CertificateConfigurationObservation.
@@ -427,6 +501,26 @@ func (in *CertificateConfigurationParameters) DeepCopy() *CertificateConfigurati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EC2InboundPermissionObservation) DeepCopyInto(out *EC2InboundPermissionObservation) {
 	*out = *in
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPRange != nil {
+		in, out := &in.IPRange, &out.IPRange
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EC2InboundPermissionObservation.
@@ -546,11 +640,50 @@ func (in *FleetObservation) DeepCopyInto(out *FleetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BuildID != nil {
+		in, out := &in.BuildID, &out.BuildID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateConfiguration != nil {
+		in, out := &in.CertificateConfiguration, &out.CertificateConfiguration
+		*out = make([]CertificateConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EC2InboundPermission != nil {
+		in, out := &in.EC2InboundPermission, &out.EC2InboundPermission
+		*out = make([]EC2InboundPermissionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EC2InstanceType != nil {
+		in, out := &in.EC2InstanceType, &out.EC2InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.FleetType != nil {
+		in, out := &in.FleetType, &out.FleetType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceRoleArn != nil {
+		in, out := &in.InstanceRoleArn, &out.InstanceRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.LogPaths != nil {
 		in, out := &in.LogPaths, &out.LogPaths
 		*out = make([]*string, len(*in))
@@ -562,16 +695,71 @@ func (in *FleetObservation) DeepCopyInto(out *FleetObservation) {
 			}
 		}
 	}
+	if in.MetricGroups != nil {
+		in, out := &in.MetricGroups, &out.MetricGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NewGameSessionProtectionPolicy != nil {
+		in, out := &in.NewGameSessionProtectionPolicy, &out.NewGameSessionProtectionPolicy
+		*out = new(string)
+		**out = **in
+	}
 	if in.OperatingSystem != nil {
 		in, out := &in.OperatingSystem, &out.OperatingSystem
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceCreationLimitPolicy != nil {
+		in, out := &in.ResourceCreationLimitPolicy, &out.ResourceCreationLimitPolicy
+		*out = make([]ResourceCreationLimitPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RuntimeConfiguration != nil {
+		in, out := &in.RuntimeConfiguration, &out.RuntimeConfiguration
+		*out = make([]RuntimeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ScriptArn != nil {
 		in, out := &in.ScriptArn, &out.ScriptArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ScriptID != nil {
+		in, out := &in.ScriptID, &out.ScriptID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -834,11 +1022,49 @@ func (in *GameSessionQueueObservation) DeepCopyInto(out *GameSessionQueueObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Destinations != nil {
+		in, out := &in.Destinations, &out.Destinations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.NotificationTarget != nil {
+		in, out := &in.NotificationTarget, &out.NotificationTarget
+		*out = new(string)
+		**out = **in
+	}
+	if in.PlayerLatencyPolicy != nil {
+		in, out := &in.PlayerLatencyPolicy, &out.PlayerLatencyPolicy
+		*out = make([]PlayerLatencyPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -854,6 +1080,11 @@ func (in *GameSessionQueueObservation) DeepCopyInto(out *GameSessionQueueObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.TimeoutInSeconds != nil {
+		in, out := &in.TimeoutInSeconds, &out.TimeoutInSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GameSessionQueueObservation.
@@ -976,6 +1207,16 @@ func (in *GameSessionQueueStatus) DeepCopy() *GameSessionQueueStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlayerLatencyPolicyObservation) DeepCopyInto(out *PlayerLatencyPolicyObservation) {
 	*out = *in
+	if in.MaximumIndividualPlayerLatencyMilliseconds != nil {
+		in, out := &in.MaximumIndividualPlayerLatencyMilliseconds, &out.MaximumIndividualPlayerLatencyMilliseconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PolicyDurationSeconds != nil {
+		in, out := &in.PolicyDurationSeconds, &out.PolicyDurationSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlayerLatencyPolicyObservation.
@@ -1016,6 +1257,16 @@ func (in *PlayerLatencyPolicyParameters) DeepCopy() *PlayerLatencyPolicyParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceCreationLimitPolicyObservation) DeepCopyInto(out *ResourceCreationLimitPolicyObservation) {
 	*out = *in
+	if in.NewGameSessionsPerCreator != nil {
+		in, out := &in.NewGameSessionsPerCreator, &out.NewGameSessionsPerCreator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PolicyPeriodInMinutes != nil {
+		in, out := &in.PolicyPeriodInMinutes, &out.PolicyPeriodInMinutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceCreationLimitPolicyObservation.
@@ -1056,6 +1307,21 @@ func (in *ResourceCreationLimitPolicyParameters) DeepCopy() *ResourceCreationLim
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RoutingStrategyObservation) DeepCopyInto(out *RoutingStrategyObservation) {
 	*out = *in
+	if in.FleetID != nil {
+		in, out := &in.FleetID, &out.FleetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoutingStrategyObservation.
@@ -1101,6 +1367,23 @@ func (in *RoutingStrategyParameters) DeepCopy() *RoutingStrategyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuntimeConfigurationObservation) DeepCopyInto(out *RuntimeConfigurationObservation) {
 	*out = *in
+	if in.GameSessionActivationTimeoutSeconds != nil {
+		in, out := &in.GameSessionActivationTimeoutSeconds, &out.GameSessionActivationTimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxConcurrentGameSessionActivations != nil {
+		in, out := &in.MaxConcurrentGameSessionActivations, &out.MaxConcurrentGameSessionActivations
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServerProcess != nil {
+		in, out := &in.ServerProcess, &out.ServerProcess
+		*out = make([]ServerProcessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuntimeConfigurationObservation.
@@ -1217,6 +1500,33 @@ func (in *ScriptObservation) DeepCopyInto(out *ScriptObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageLocation != nil {
+		in, out := &in.StorageLocation, &out.StorageLocation
+		*out = make([]ScriptStorageLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1232,6 +1542,16 @@ func (in *ScriptObservation) DeepCopyInto(out *ScriptObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
+	if in.ZipFile != nil {
+		in, out := &in.ZipFile, &out.ZipFile
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScriptObservation.
@@ -1338,6 +1658,26 @@ func (in *ScriptStatus) DeepCopy() *ScriptStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScriptStorageLocationObservation) DeepCopyInto(out *ScriptStorageLocationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectVersion != nil {
+		in, out := &in.ObjectVersion, &out.ObjectVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScriptStorageLocationObservation.
@@ -1418,6 +1758,21 @@ func (in *ScriptStorageLocationParameters) DeepCopy() *ScriptStorageLocationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerProcessObservation) DeepCopyInto(out *ServerProcessObservation) {
 	*out = *in
+	if in.ConcurrentExecutions != nil {
+		in, out := &in.ConcurrentExecutions, &out.ConcurrentExecutions
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LaunchPath != nil {
+		in, out := &in.LaunchPath, &out.LaunchPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerProcessObservation.
@@ -1463,6 +1818,26 @@ func (in *ServerProcessParameters) DeepCopy() *ServerProcessParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageLocationObservation) DeepCopyInto(out *StorageLocationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectVersion != nil {
+		in, out := &in.ObjectVersion, &out.ObjectVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageLocationObservation.
diff --git a/apis/gamelift/v1beta1/zz_script_types.go b/apis/gamelift/v1beta1/zz_script_types.go
index bb972a1e43..dedcc61891 100755
--- a/apis/gamelift/v1beta1/zz_script_types.go
+++ b/apis/gamelift/v1beta1/zz_script_types.go
@@ -21,15 +21,30 @@ type ScriptObservation struct {
 	// GameLift Script ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the script
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Information indicating where your game script files are stored. See below.
+	StorageLocation []ScriptStorageLocationObservation `json:"storageLocation,omitempty" tf:"storage_location,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Version that is associated with this script.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
+
+	// A data object containing your Realtime scripts and dependencies as a zip  file. The zip file can have one or multiple files. Maximum size of a zip file is 5 MB.
+	ZipFile *string `json:"zipFile,omitempty" tf:"zip_file,omitempty"`
 }
 
 type ScriptParameters struct {
 
 	// Name of the script
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -54,6 +69,18 @@ type ScriptParameters struct {
 }
 
 type ScriptStorageLocationObservation struct {
+
+	// Name of your S3 bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Name of the zip file containing your script files.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A specific version of the file. If not set, the latest version of the file is retrieved.
+	ObjectVersion *string `json:"objectVersion,omitempty" tf:"object_version,omitempty"`
+
+	// ARN of the access role that allows Amazon GameLift to access your S3 bucket.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type ScriptStorageLocationParameters struct {
@@ -128,8 +155,9 @@ type ScriptStatus struct {
 type Script struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ScriptSpec   `json:"spec"`
-	Status            ScriptStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ScriptSpec   `json:"spec"`
+	Status ScriptStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glacier/v1beta1/zz_generated.deepcopy.go b/apis/glacier/v1beta1/zz_generated.deepcopy.go
index 0886bdd908..4ded356eec 100644
--- a/apis/glacier/v1beta1/zz_generated.deepcopy.go
+++ b/apis/glacier/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,22 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationObservation) DeepCopyInto(out *NotificationObservation) {
 	*out = *in
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnsTopic != nil {
+		in, out := &in.SnsTopic, &out.SnsTopic
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationObservation.
@@ -191,11 +207,31 @@ func (in *VaultLockList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultLockObservation) DeepCopyInto(out *VaultLockObservation) {
 	*out = *in
+	if in.CompleteLock != nil {
+		in, out := &in.CompleteLock, &out.CompleteLock
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IgnoreDeletionError != nil {
+		in, out := &in.IgnoreDeletionError, &out.IgnoreDeletionError
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.VaultName != nil {
+		in, out := &in.VaultName, &out.VaultName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VaultLockObservation.
@@ -295,6 +331,11 @@ func (in *VaultLockStatus) DeepCopy() *VaultLockStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VaultObservation) DeepCopyInto(out *VaultObservation) {
 	*out = *in
+	if in.AccessPolicy != nil {
+		in, out := &in.AccessPolicy, &out.AccessPolicy
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -310,6 +351,28 @@ func (in *VaultObservation) DeepCopyInto(out *VaultObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Notification != nil {
+		in, out := &in.Notification, &out.Notification
+		*out = make([]NotificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/glacier/v1beta1/zz_vault_types.go b/apis/glacier/v1beta1/zz_vault_types.go
index c3140eb981..9819ae3274 100755
--- a/apis/glacier/v1beta1/zz_vault_types.go
+++ b/apis/glacier/v1beta1/zz_vault_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type NotificationObservation struct {
+
+	// You can configure a vault to publish a notification for ArchiveRetrievalCompleted and InventoryRetrievalCompleted events.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
+
+	// The SNS Topic ARN.
+	SnsTopic *string `json:"snsTopic,omitempty" tf:"sns_topic,omitempty"`
 }
 
 type NotificationParameters struct {
@@ -39,6 +45,10 @@ type NotificationParameters struct {
 
 type VaultObservation struct {
 
+	// The policy document. This is a JSON formatted string.
+	// The heredoc syntax or file function is helpful here. Use the Glacier Developer Guide for more information on Glacier Vault Policy
+	AccessPolicy *string `json:"accessPolicy,omitempty" tf:"access_policy,omitempty"`
+
 	// The ARN of the vault.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
@@ -47,6 +57,12 @@ type VaultObservation struct {
 	// The URI of the vault that was created.
 	Location *string `json:"location,omitempty" tf:"location,omitempty"`
 
+	// The notifications for the Vault. Fields documented below.
+	Notification []NotificationObservation `json:"notification,omitempty" tf:"notification,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/glacier/v1beta1/zz_vaultlock_types.go b/apis/glacier/v1beta1/zz_vaultlock_types.go
index 45a596d5e9..803ec7dd8a 100755
--- a/apis/glacier/v1beta1/zz_vaultlock_types.go
+++ b/apis/glacier/v1beta1/zz_vaultlock_types.go
@@ -15,23 +15,35 @@ import (
 
 type VaultLockObservation struct {
 
+	// Boolean whether to permanently apply this Glacier Lock Policy. Once completed, this cannot be undone. If set to false, the Glacier Lock Policy remains in a testing mode for 24 hours. Changing this from false to true will show as resource recreation, which is expected. Changing this from true to false is not possible unless the Glacier Vault is recreated at the same time.
+	CompleteLock *bool `json:"completeLock,omitempty" tf:"complete_lock,omitempty"`
+
 	// Glacier Vault name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// This should only be used in conjunction with complete_lock being set to true.
+	IgnoreDeletionError *bool `json:"ignoreDeletionError,omitempty" tf:"ignore_deletion_error,omitempty"`
+
+	// JSON string containing the IAM policy to apply as the Glacier Vault Lock policy.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// The name of the Glacier Vault.
+	VaultName *string `json:"vaultName,omitempty" tf:"vault_name,omitempty"`
 }
 
 type VaultLockParameters struct {
 
 	// Boolean whether to permanently apply this Glacier Lock Policy. Once completed, this cannot be undone. If set to false, the Glacier Lock Policy remains in a testing mode for 24 hours. Changing this from false to true will show as resource recreation, which is expected. Changing this from true to false is not possible unless the Glacier Vault is recreated at the same time.
-	// +kubebuilder:validation:Required
-	CompleteLock *bool `json:"completeLock" tf:"complete_lock,omitempty"`
+	// +kubebuilder:validation:Optional
+	CompleteLock *bool `json:"completeLock,omitempty" tf:"complete_lock,omitempty"`
 
 	// This should only be used in conjunction with complete_lock being set to true.
 	// +kubebuilder:validation:Optional
 	IgnoreDeletionError *bool `json:"ignoreDeletionError,omitempty" tf:"ignore_deletion_error,omitempty"`
 
 	// JSON string containing the IAM policy to apply as the Glacier Vault Lock policy.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -76,8 +88,10 @@ type VaultLockStatus struct {
 type VaultLock struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VaultLockSpec   `json:"spec"`
-	Status            VaultLockStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.completeLock)",message="completeLock is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   VaultLockSpec   `json:"spec"`
+	Status VaultLockStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/globalaccelerator/v1beta1/zz_accelerator_types.go b/apis/globalaccelerator/v1beta1/zz_accelerator_types.go
index baf3e9f125..92949aa30d 100755
--- a/apis/globalaccelerator/v1beta1/zz_accelerator_types.go
+++ b/apis/globalaccelerator/v1beta1/zz_accelerator_types.go
@@ -15,9 +15,15 @@ import (
 
 type AcceleratorObservation struct {
 
+	// The attributes of the accelerator. Fields documented below.
+	Attributes []AttributesObservation `json:"attributes,omitempty" tf:"attributes,omitempty"`
+
 	// The DNS name of the accelerator. For example, a5d53ff5ee6bca4ce.awsglobalaccelerator.com.
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// Indicates whether the accelerator is enabled. Defaults to true. Valid values: true, false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// -  The Global Accelerator Route 53 zone ID that can be used to
 	// route an Alias Resource Record Set to the Global Accelerator. This attribute
 	// is simply an alias for the zone ID Z2BJ6XQ5FK7U4H.
@@ -26,9 +32,21 @@ type AcceleratorObservation struct {
 	// The Amazon Resource Name (ARN) of the accelerator.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The value for the address type. Defaults to IPV4. Valid values: IPV4, DUAL_STACK.
+	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
+
+	// The IP addresses to use for BYOIP accelerators. If not specified, the service assigns IP addresses. Valid values: 1 or 2 IPv4 addresses.
+	IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"`
+
 	// IP address set associated with the accelerator.
 	IPSets []IPSetsObservation `json:"ipSets,omitempty" tf:"ip_sets,omitempty"`
 
+	// The name of the accelerator.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -52,8 +70,8 @@ type AcceleratorParameters struct {
 	IPAddresses []*string `json:"ipAddresses,omitempty" tf:"ip_addresses,omitempty"`
 
 	// The name of the accelerator.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -66,6 +84,15 @@ type AcceleratorParameters struct {
 }
 
 type AttributesObservation struct {
+
+	// Indicates whether flow logs are enabled. Defaults to false. Valid values: true, false.
+	FlowLogsEnabled *bool `json:"flowLogsEnabled,omitempty" tf:"flow_logs_enabled,omitempty"`
+
+	// The name of the Amazon S3 bucket for the flow logs. Required if flow_logs_enabled is true.
+	FlowLogsS3Bucket *string `json:"flowLogsS3Bucket,omitempty" tf:"flow_logs_s3_bucket,omitempty"`
+
+	// The prefix for the location in the Amazon S3 bucket for the flow logs. Required if flow_logs_enabled is true.
+	FlowLogsS3Prefix *string `json:"flowLogsS3Prefix,omitempty" tf:"flow_logs_s3_prefix,omitempty"`
 }
 
 type AttributesParameters struct {
@@ -119,8 +146,9 @@ type AcceleratorStatus struct {
 type Accelerator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AcceleratorSpec   `json:"spec"`
-	Status            AcceleratorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AcceleratorSpec   `json:"spec"`
+	Status AcceleratorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/globalaccelerator/v1beta1/zz_endpointgroup_types.go b/apis/globalaccelerator/v1beta1/zz_endpointgroup_types.go
index 781444301f..23802bca5b 100755
--- a/apis/globalaccelerator/v1beta1/zz_endpointgroup_types.go
+++ b/apis/globalaccelerator/v1beta1/zz_endpointgroup_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type EndpointConfigurationObservation struct {
+
+	// Indicates whether client IP address preservation is enabled for an Application Load Balancer endpoint. See the AWS documentation for more details. The default value is false.
+	ClientIPPreservationEnabled *bool `json:"clientIpPreservationEnabled,omitempty" tf:"client_ip_preservation_enabled,omitempty"`
+
+	// An ID for the endpoint. If the endpoint is a Network Load Balancer or Application Load Balancer, this is the Amazon Resource Name (ARN) of the resource. If the endpoint is an Elastic IP address, this is the Elastic IP address allocation ID.
+	EndpointID *string `json:"endpointId,omitempty" tf:"endpoint_id,omitempty"`
+
+	// The weight associated with the endpoint. When you add weights to endpoints, you configure AWS Global Accelerator to route traffic based on proportions that you specify.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type EndpointConfigurationParameters struct {
@@ -36,8 +45,38 @@ type EndpointGroupObservation struct {
 	// The Amazon Resource Name (ARN) of the endpoint group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The list of endpoint objects. Fields documented below.
+	EndpointConfiguration []EndpointConfigurationObservation `json:"endpointConfiguration,omitempty" tf:"endpoint_configuration,omitempty"`
+
+	// The name of the AWS Region where the endpoint group is located.
+	EndpointGroupRegion *string `json:"endpointGroupRegion,omitempty" tf:"endpoint_group_region,omitempty"`
+
+	// The time—10 seconds or 30 seconds—between each health check for an endpoint. The default value is 30.
+	HealthCheckIntervalSeconds *float64 `json:"healthCheckIntervalSeconds,omitempty" tf:"health_check_interval_seconds,omitempty"`
+
+	// If the protocol is HTTP/S, then this specifies the path that is the destination for health check targets. The default value is slash (/).
+	HealthCheckPath *string `json:"healthCheckPath,omitempty" tf:"health_check_path,omitempty"`
+
+	// The port that AWS Global Accelerator uses to check the health of endpoints that are part of this endpoint group. The default port is the listener port that this endpoint group is associated with. If listener port is a list of ports, Global Accelerator uses the first port in the list.
+	HealthCheckPort *float64 `json:"healthCheckPort,omitempty" tf:"health_check_port,omitempty"`
+
+	// The protocol that AWS Global Accelerator uses to check the health of endpoints that are part of this endpoint group. The default value is TCP.
+	HealthCheckProtocol *string `json:"healthCheckProtocol,omitempty" tf:"health_check_protocol,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the endpoint group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the listener.
+	ListenerArn *string `json:"listenerArn,omitempty" tf:"listener_arn,omitempty"`
+
+	// Override specific listener ports used to route traffic to endpoints that are part of this endpoint group. Fields documented below.
+	PortOverride []PortOverrideObservation `json:"portOverride,omitempty" tf:"port_override,omitempty"`
+
+	// The number of consecutive health checks required to set the state of a healthy endpoint to unhealthy, or to set an unhealthy endpoint to healthy. The default value is 3.
+	ThresholdCount *float64 `json:"thresholdCount,omitempty" tf:"threshold_count,omitempty"`
+
+	// The percentage of traffic to send to an AWS Region. Additional traffic is distributed to other endpoint groups for this listener. The default value is 100.
+	TrafficDialPercentage *float64 `json:"trafficDialPercentage,omitempty" tf:"traffic_dial_percentage,omitempty"`
 }
 
 type EndpointGroupParameters struct {
@@ -98,6 +137,12 @@ type EndpointGroupParameters struct {
 }
 
 type PortOverrideObservation struct {
+
+	// The endpoint port that you want a listener port to be mapped to. This is the port on the endpoint, such as the Application Load Balancer or Amazon EC2 instance.
+	EndpointPort *float64 `json:"endpointPort,omitempty" tf:"endpoint_port,omitempty"`
+
+	// The listener port that you want to map to a specific endpoint port. This is the port that user traffic arrives to the Global Accelerator on.
+	ListenerPort *float64 `json:"listenerPort,omitempty" tf:"listener_port,omitempty"`
 }
 
 type PortOverrideParameters struct {
diff --git a/apis/globalaccelerator/v1beta1/zz_generated.deepcopy.go b/apis/globalaccelerator/v1beta1/zz_generated.deepcopy.go
index bcc7c0125a..a406d33774 100644
--- a/apis/globalaccelerator/v1beta1/zz_generated.deepcopy.go
+++ b/apis/globalaccelerator/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,23 @@ func (in *AcceleratorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AcceleratorObservation) DeepCopyInto(out *AcceleratorObservation) {
 	*out = *in
+	if in.Attributes != nil {
+		in, out := &in.Attributes, &out.Attributes
+		*out = make([]AttributesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DNSName != nil {
 		in, out := &in.DNSName, &out.DNSName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.HostedZoneID != nil {
 		in, out := &in.HostedZoneID, &out.HostedZoneID
 		*out = new(string)
@@ -91,6 +103,22 @@ func (in *AcceleratorObservation) DeepCopyInto(out *AcceleratorObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddressType != nil {
+		in, out := &in.IPAddressType, &out.IPAddressType
+		*out = new(string)
+		**out = **in
+	}
+	if in.IPAddresses != nil {
+		in, out := &in.IPAddresses, &out.IPAddresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.IPSets != nil {
 		in, out := &in.IPSets, &out.IPSets
 		*out = make([]IPSetsObservation, len(*in))
@@ -98,6 +126,26 @@ func (in *AcceleratorObservation) DeepCopyInto(out *AcceleratorObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -230,6 +278,21 @@ func (in *AcceleratorStatus) DeepCopy() *AcceleratorStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttributesObservation) DeepCopyInto(out *AttributesObservation) {
 	*out = *in
+	if in.FlowLogsEnabled != nil {
+		in, out := &in.FlowLogsEnabled, &out.FlowLogsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FlowLogsS3Bucket != nil {
+		in, out := &in.FlowLogsS3Bucket, &out.FlowLogsS3Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.FlowLogsS3Prefix != nil {
+		in, out := &in.FlowLogsS3Prefix, &out.FlowLogsS3Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttributesObservation.
@@ -275,6 +338,21 @@ func (in *AttributesParameters) DeepCopy() *AttributesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndpointConfigurationObservation) DeepCopyInto(out *EndpointConfigurationObservation) {
 	*out = *in
+	if in.ClientIPPreservationEnabled != nil {
+		in, out := &in.ClientIPPreservationEnabled, &out.ClientIPPreservationEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EndpointID != nil {
+		in, out := &in.EndpointID, &out.EndpointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointConfigurationObservation.
@@ -384,11 +462,65 @@ func (in *EndpointGroupObservation) DeepCopyInto(out *EndpointGroupObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.EndpointConfiguration != nil {
+		in, out := &in.EndpointConfiguration, &out.EndpointConfiguration
+		*out = make([]EndpointConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EndpointGroupRegion != nil {
+		in, out := &in.EndpointGroupRegion, &out.EndpointGroupRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.HealthCheckIntervalSeconds != nil {
+		in, out := &in.HealthCheckIntervalSeconds, &out.HealthCheckIntervalSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HealthCheckPath != nil {
+		in, out := &in.HealthCheckPath, &out.HealthCheckPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.HealthCheckPort != nil {
+		in, out := &in.HealthCheckPort, &out.HealthCheckPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HealthCheckProtocol != nil {
+		in, out := &in.HealthCheckProtocol, &out.HealthCheckProtocol
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ListenerArn != nil {
+		in, out := &in.ListenerArn, &out.ListenerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PortOverride != nil {
+		in, out := &in.PortOverride, &out.PortOverride
+		*out = make([]PortOverrideObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThresholdCount != nil {
+		in, out := &in.ThresholdCount, &out.ThresholdCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TrafficDialPercentage != nil {
+		in, out := &in.TrafficDialPercentage, &out.TrafficDialPercentage
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointGroupObservation.
@@ -627,11 +759,33 @@ func (in *ListenerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ListenerObservation) DeepCopyInto(out *ListenerObservation) {
 	*out = *in
+	if in.AcceleratorArn != nil {
+		in, out := &in.AcceleratorArn, &out.AcceleratorArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientAffinity != nil {
+		in, out := &in.ClientAffinity, &out.ClientAffinity
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PortRange != nil {
+		in, out := &in.PortRange, &out.PortRange
+		*out = make([]PortRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ListenerObservation.
@@ -733,6 +887,16 @@ func (in *ListenerStatus) DeepCopy() *ListenerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PortOverrideObservation) DeepCopyInto(out *PortOverrideObservation) {
 	*out = *in
+	if in.EndpointPort != nil {
+		in, out := &in.EndpointPort, &out.EndpointPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ListenerPort != nil {
+		in, out := &in.ListenerPort, &out.ListenerPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortOverrideObservation.
@@ -773,6 +937,16 @@ func (in *PortOverrideParameters) DeepCopy() *PortOverrideParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PortRangeObservation) DeepCopyInto(out *PortRangeObservation) {
 	*out = *in
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRangeObservation.
diff --git a/apis/globalaccelerator/v1beta1/zz_listener_types.go b/apis/globalaccelerator/v1beta1/zz_listener_types.go
index 1a790ed48e..fbed2ff1ed 100755
--- a/apis/globalaccelerator/v1beta1/zz_listener_types.go
+++ b/apis/globalaccelerator/v1beta1/zz_listener_types.go
@@ -15,8 +15,20 @@ import (
 
 type ListenerObservation struct {
 
+	// The Amazon Resource Name (ARN) of your accelerator.
+	AcceleratorArn *string `json:"acceleratorArn,omitempty" tf:"accelerator_arn,omitempty"`
+
+	// Direct all requests from a user to the same endpoint. Valid values are NONE, SOURCE_IP. Default: NONE. If NONE, Global Accelerator uses the "five-tuple" properties of source IP address, source port, destination IP address, destination port, and protocol to select the hash value. If SOURCE_IP, Global Accelerator uses the "two-tuple" properties of source (client) IP address and destination IP address to select the hash value.
+	ClientAffinity *string `json:"clientAffinity,omitempty" tf:"client_affinity,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the listener.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The list of port ranges for the connections from clients to the accelerator. Fields documented below.
+	PortRange []PortRangeObservation `json:"portRange,omitempty" tf:"port_range,omitempty"`
+
+	// The protocol for the connections from clients to the accelerator. Valid values are TCP, UDP.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 }
 
 type ListenerParameters struct {
@@ -39,12 +51,12 @@ type ListenerParameters struct {
 	ClientAffinity *string `json:"clientAffinity,omitempty" tf:"client_affinity,omitempty"`
 
 	// The list of port ranges for the connections from clients to the accelerator. Fields documented below.
-	// +kubebuilder:validation:Required
-	PortRange []PortRangeParameters `json:"portRange" tf:"port_range,omitempty"`
+	// +kubebuilder:validation:Optional
+	PortRange []PortRangeParameters `json:"portRange,omitempty" tf:"port_range,omitempty"`
 
 	// The protocol for the connections from clients to the accelerator. Valid values are TCP, UDP.
-	// +kubebuilder:validation:Required
-	Protocol *string `json:"protocol" tf:"protocol,omitempty"`
+	// +kubebuilder:validation:Optional
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -53,6 +65,12 @@ type ListenerParameters struct {
 }
 
 type PortRangeObservation struct {
+
+	// The first port in the range of ports, inclusive.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// The last port in the range of ports, inclusive.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type PortRangeParameters struct {
@@ -90,8 +108,10 @@ type ListenerStatus struct {
 type Listener struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ListenerSpec   `json:"spec"`
-	Status            ListenerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.portRange)",message="portRange is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)",message="protocol is a required parameter"
+	Spec   ListenerSpec   `json:"spec"`
+	Status ListenerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_catalogdatabase_types.go b/apis/glue/v1beta1/zz_catalogdatabase_types.go
index 548514c8e3..3409cd6d39 100755
--- a/apis/glue/v1beta1/zz_catalogdatabase_types.go
+++ b/apis/glue/v1beta1/zz_catalogdatabase_types.go
@@ -18,8 +18,26 @@ type CatalogDatabaseObservation struct {
 	// ARN of the Glue Catalog Database.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ID of the Glue Catalog to create the database in. If omitted, this defaults to the AWS Account ID.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Creates a set of default permissions on the table for principals. See create_table_default_permission below.
+	CreateTableDefaultPermission []CreateTableDefaultPermissionObservation `json:"createTableDefaultPermission,omitempty" tf:"create_table_default_permission,omitempty"`
+
+	// Description of the database.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Catalog ID and name of the database
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Location of the database (for example, an HDFS path).
+	LocationURI *string `json:"locationUri,omitempty" tf:"location_uri,omitempty"`
+
+	// List of key-value pairs that define parameters and properties of the database.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Configuration block for a target database for resource linking. See target_database below.
+	TargetDatabase []TargetDatabaseObservation `json:"targetDatabase,omitempty" tf:"target_database,omitempty"`
 }
 
 type CatalogDatabaseParameters struct {
@@ -55,6 +73,12 @@ type CatalogDatabaseParameters struct {
 }
 
 type CreateTableDefaultPermissionObservation struct {
+
+	// The permissions that are granted to the principal.
+	Permissions []*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
+	// The principal who is granted permissions.. See principal below.
+	Principal []PrincipalObservation `json:"principal,omitempty" tf:"principal,omitempty"`
 }
 
 type CreateTableDefaultPermissionParameters struct {
@@ -69,6 +93,9 @@ type CreateTableDefaultPermissionParameters struct {
 }
 
 type PrincipalObservation struct {
+
+	// An identifier for the Lake Formation principal.
+	DataLakePrincipalIdentifier *string `json:"dataLakePrincipalIdentifier,omitempty" tf:"data_lake_principal_identifier,omitempty"`
 }
 
 type PrincipalParameters struct {
@@ -79,6 +106,12 @@ type PrincipalParameters struct {
 }
 
 type TargetDatabaseObservation struct {
+
+	// ID of the Data Catalog in which the database resides.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Name of the catalog database.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
 }
 
 type TargetDatabaseParameters struct {
diff --git a/apis/glue/v1beta1/zz_catalogtable_types.go b/apis/glue/v1beta1/zz_catalogtable_types.go
index 08aae9c513..30921279bf 100755
--- a/apis/glue/v1beta1/zz_catalogtable_types.go
+++ b/apis/glue/v1beta1/zz_catalogtable_types.go
@@ -18,12 +18,47 @@ type CatalogTableObservation struct {
 	// The ARN of the Glue Table.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ID of the Glue Catalog and database to create the table in. If omitted, this defaults to the AWS Account ID plus the database name.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Name of the metadata database where the table metadata resides. For Hive compatibility, this must be all lowercase.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// Description of the table.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Catalog ID, Database name and of the name table.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Owner of the table.
+	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
+
+	// Properties associated with this table, as a list of key-value pairs.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
 	// Configuration block for a maximum of 3 partition indexes. See partition_index below.
-	// +kubebuilder:validation:Optional
 	PartitionIndex []PartitionIndexObservation `json:"partitionIndex,omitempty" tf:"partition_index,omitempty"`
+
+	// Configuration block of columns by which the table is partitioned. Only primitive types are supported as partition keys. See partition_keys below.
+	PartitionKeys []PartitionKeysObservation `json:"partitionKeys,omitempty" tf:"partition_keys,omitempty"`
+
+	// Retention time for this table.
+	Retention *float64 `json:"retention,omitempty" tf:"retention,omitempty"`
+
+	// Configuration block for information about the physical storage of this table. For more information, refer to the Glue Developer Guide. See storage_descriptor below.
+	StorageDescriptor []StorageDescriptorObservation `json:"storageDescriptor,omitempty" tf:"storage_descriptor,omitempty"`
+
+	// Type of this table (EXTERNAL_TABLE, VIRTUAL_VIEW, etc.). While optional, some Athena DDL queries such as ALTER TABLE and SHOW CREATE TABLE will fail if this argument is empty.
+	TableType *string `json:"tableType,omitempty" tf:"table_type,omitempty"`
+
+	// Configuration block of a target table for resource linking. See target_table below.
+	TargetTable []TargetTableObservation `json:"targetTable,omitempty" tf:"target_table,omitempty"`
+
+	// If the table is a view, the expanded text of the view; otherwise null.
+	ViewExpandedText *string `json:"viewExpandedText,omitempty" tf:"view_expanded_text,omitempty"`
+
+	// If the table is a view, the original text of the view; otherwise null.
+	ViewOriginalText *string `json:"viewOriginalText,omitempty" tf:"view_original_text,omitempty"`
 }
 
 type CatalogTableParameters struct {
@@ -96,6 +131,18 @@ type CatalogTableParameters struct {
 }
 
 type ColumnsObservation struct {
+
+	// Free-form text comment.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// Name of the Column.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value pairs defining properties associated with the column.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Datatype of data in the Column.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ColumnsParameters struct {
@@ -118,7 +165,14 @@ type ColumnsParameters struct {
 }
 
 type PartitionIndexObservation struct {
+
+	// Name of the partition index.
+	IndexName *string `json:"indexName,omitempty" tf:"index_name,omitempty"`
+
 	IndexStatus *string `json:"indexStatus,omitempty" tf:"index_status,omitempty"`
+
+	// Keys for the partition index.
+	Keys []*string `json:"keys,omitempty" tf:"keys,omitempty"`
 }
 
 type PartitionIndexParameters struct {
@@ -133,6 +187,15 @@ type PartitionIndexParameters struct {
 }
 
 type PartitionKeysObservation struct {
+
+	// Free-form text comment.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// Name of the Partition Key.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Datatype of data in the Partition Key.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PartitionKeysParameters struct {
@@ -151,6 +214,15 @@ type PartitionKeysParameters struct {
 }
 
 type SchemaIDObservation struct {
+
+	// Name of the schema registry that contains the schema. Must be provided when schema_name is specified and conflicts with schema_arn.
+	RegistryName *string `json:"registryName,omitempty" tf:"registry_name,omitempty"`
+
+	// ARN of the schema. One of schema_arn or schema_name has to be provided.
+	SchemaArn *string `json:"schemaArn,omitempty" tf:"schema_arn,omitempty"`
+
+	// Name of the schema. One of schema_arn or schema_name has to be provided.
+	SchemaName *string `json:"schemaName,omitempty" tf:"schema_name,omitempty"`
 }
 
 type SchemaIDParameters struct {
@@ -169,6 +241,15 @@ type SchemaIDParameters struct {
 }
 
 type SchemaReferenceObservation struct {
+
+	// Configuration block that contains schema identity fields. Either this or the schema_version_id has to be provided. See schema_id below.
+	SchemaID []SchemaIDObservation `json:"schemaId,omitempty" tf:"schema_id,omitempty"`
+
+	// Unique ID assigned to a version of the schema. Either this or the schema_id has to be provided.
+	SchemaVersionID *string `json:"schemaVersionId,omitempty" tf:"schema_version_id,omitempty"`
+
+	// Version number of the schema.
+	SchemaVersionNumber *float64 `json:"schemaVersionNumber,omitempty" tf:"schema_version_number,omitempty"`
 }
 
 type SchemaReferenceParameters struct {
@@ -187,6 +268,15 @@ type SchemaReferenceParameters struct {
 }
 
 type SerDeInfoObservation struct {
+
+	// Name of the SerDe.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Map of initialization parameters for the SerDe, in key-value form.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Usually the class that implements the SerDe. An example is org.apache.hadoop.hive.serde2.columnar.ColumnarSerDe.
+	SerializationLibrary *string `json:"serializationLibrary,omitempty" tf:"serialization_library,omitempty"`
 }
 
 type SerDeInfoParameters struct {
@@ -205,6 +295,15 @@ type SerDeInfoParameters struct {
 }
 
 type SkewedInfoObservation struct {
+
+	// List of names of columns that contain skewed values.
+	SkewedColumnNames []*string `json:"skewedColumnNames,omitempty" tf:"skewed_column_names,omitempty"`
+
+	// List of values that appear so frequently as to be considered skewed.
+	SkewedColumnValueLocationMaps map[string]*string `json:"skewedColumnValueLocationMaps,omitempty" tf:"skewed_column_value_location_maps,omitempty"`
+
+	// Map of skewed values to the columns that contain them.
+	SkewedColumnValues []*string `json:"skewedColumnValues,omitempty" tf:"skewed_column_values,omitempty"`
 }
 
 type SkewedInfoParameters struct {
@@ -223,6 +322,12 @@ type SkewedInfoParameters struct {
 }
 
 type SortColumnsObservation struct {
+
+	// Name of the column.
+	Column *string `json:"column,omitempty" tf:"column,omitempty"`
+
+	// Whether the column is sorted in ascending (1) or descending order (0).
+	SortOrder *float64 `json:"sortOrder,omitempty" tf:"sort_order,omitempty"`
 }
 
 type SortColumnsParameters struct {
@@ -237,6 +342,45 @@ type SortColumnsParameters struct {
 }
 
 type StorageDescriptorObservation struct {
+
+	// List of reducer grouping columns, clustering columns, and bucketing columns in the table.
+	BucketColumns []*string `json:"bucketColumns,omitempty" tf:"bucket_columns,omitempty"`
+
+	// Configuration block for columns in the table. See columns below.
+	Columns []ColumnsObservation `json:"columns,omitempty" tf:"columns,omitempty"`
+
+	// Whether the data in the table is compressed.
+	Compressed *bool `json:"compressed,omitempty" tf:"compressed,omitempty"`
+
+	// Input format: SequenceFileInputFormat (binary), or TextInputFormat, or a custom format.
+	InputFormat *string `json:"inputFormat,omitempty" tf:"input_format,omitempty"`
+
+	// Physical location of the table. By default this takes the form of the warehouse location, followed by the database location in the warehouse, followed by the table name.
+	Location *string `json:"location,omitempty" tf:"location,omitempty"`
+
+	// Must be specified if the table contains any dimension columns.
+	NumberOfBuckets *float64 `json:"numberOfBuckets,omitempty" tf:"number_of_buckets,omitempty"`
+
+	// Output format: SequenceFileOutputFormat (binary), or IgnoreKeyTextOutputFormat, or a custom format.
+	OutputFormat *string `json:"outputFormat,omitempty" tf:"output_format,omitempty"`
+
+	// User-supplied properties in key-value form.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Object that references a schema stored in the AWS Glue Schema Registry. When creating a table, you can pass an empty list of columns for the schema, and instead use a schema reference. See Schema Reference below.
+	SchemaReference []SchemaReferenceObservation `json:"schemaReference,omitempty" tf:"schema_reference,omitempty"`
+
+	// Configuration block for serialization and deserialization ("SerDe") information. See ser_de_info below.
+	SerDeInfo []SerDeInfoObservation `json:"serDeInfo,omitempty" tf:"ser_de_info,omitempty"`
+
+	// Configuration block with information about values that appear very frequently in a column (skewed values). See skewed_info below.
+	SkewedInfo []SkewedInfoObservation `json:"skewedInfo,omitempty" tf:"skewed_info,omitempty"`
+
+	// Configuration block for the sort order of each bucket in the table. See sort_columns below.
+	SortColumns []SortColumnsObservation `json:"sortColumns,omitempty" tf:"sort_columns,omitempty"`
+
+	// Whether the table data is stored in subdirectories.
+	StoredAsSubDirectories *bool `json:"storedAsSubDirectories,omitempty" tf:"stored_as_sub_directories,omitempty"`
 }
 
 type StorageDescriptorParameters struct {
@@ -295,6 +439,15 @@ type StorageDescriptorParameters struct {
 }
 
 type TargetTableObservation struct {
+
+	// ID of the Data Catalog in which the table resides.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Name of the catalog database that contains the target table.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// Name of the target table.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type TargetTableParameters struct {
diff --git a/apis/glue/v1beta1/zz_classifier_types.go b/apis/glue/v1beta1/zz_classifier_types.go
index 95ad83286b..9e8270ec03 100755
--- a/apis/glue/v1beta1/zz_classifier_types.go
+++ b/apis/glue/v1beta1/zz_classifier_types.go
@@ -15,8 +15,20 @@ import (
 
 type ClassifierObservation struct {
 
+	// A classifier for Csv content. Defined below.
+	CsvClassifier []CsvClassifierObservation `json:"csvClassifier,omitempty" tf:"csv_classifier,omitempty"`
+
+	// –  A classifier that uses grok patterns. Defined below.
+	GrokClassifier []GrokClassifierObservation `json:"grokClassifier,omitempty" tf:"grok_classifier,omitempty"`
+
 	// Name of the classifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// –  A classifier for JSON content. Defined below.
+	JSONClassifier []JSONClassifierObservation `json:"jsonClassifier,omitempty" tf:"json_classifier,omitempty"`
+
+	// –  A classifier for XML content. Defined below.
+	XMLClassifier []XMLClassifierObservation `json:"xmlClassifier,omitempty" tf:"xml_classifier,omitempty"`
 }
 
 type ClassifierParameters struct {
@@ -44,6 +56,30 @@ type ClassifierParameters struct {
 }
 
 type CsvClassifierObservation struct {
+
+	// Enables the processing of files that contain only one column.
+	AllowSingleColumn *bool `json:"allowSingleColumn,omitempty" tf:"allow_single_column,omitempty"`
+
+	// Indicates whether the CSV file contains a header. This can be one of "ABSENT", "PRESENT", or "UNKNOWN".
+	ContainsHeader *string `json:"containsHeader,omitempty" tf:"contains_header,omitempty"`
+
+	// A custom symbol to denote what combines content into a single column value. It must be different from the column delimiter.
+	CustomDatatypeConfigured *bool `json:"customDatatypeConfigured,omitempty" tf:"custom_datatype_configured,omitempty"`
+
+	// A list of supported custom datatypes. Valid values are BINARY, BOOLEAN, DATE, DECIMAL, DOUBLE, FLOAT, INT, LONG, SHORT, STRING, TIMESTAMP.
+	CustomDatatypes []*string `json:"customDatatypes,omitempty" tf:"custom_datatypes,omitempty"`
+
+	// The delimiter used in the Csv to separate columns.
+	Delimiter *string `json:"delimiter,omitempty" tf:"delimiter,omitempty"`
+
+	// Specifies whether to trim column values.
+	DisableValueTrimming *bool `json:"disableValueTrimming,omitempty" tf:"disable_value_trimming,omitempty"`
+
+	// A list of strings representing column names.
+	Header []*string `json:"header,omitempty" tf:"header,omitempty"`
+
+	// A custom symbol to denote what combines content into a single column value. It must be different from the column delimiter.
+	QuoteSymbol *string `json:"quoteSymbol,omitempty" tf:"quote_symbol,omitempty"`
 }
 
 type CsvClassifierParameters struct {
@@ -82,6 +118,15 @@ type CsvClassifierParameters struct {
 }
 
 type GrokClassifierObservation struct {
+
+	// An identifier of the data format that the classifier matches, such as Twitter, JSON, Omniture logs, Amazon CloudWatch Logs, and so on.
+	Classification *string `json:"classification,omitempty" tf:"classification,omitempty"`
+
+	// Custom grok patterns used by this classifier.
+	CustomPatterns *string `json:"customPatterns,omitempty" tf:"custom_patterns,omitempty"`
+
+	// The grok pattern used by this classifier.
+	GrokPattern *string `json:"grokPattern,omitempty" tf:"grok_pattern,omitempty"`
 }
 
 type GrokClassifierParameters struct {
@@ -100,6 +145,9 @@ type GrokClassifierParameters struct {
 }
 
 type JSONClassifierObservation struct {
+
+	// A JsonPath string defining the JSON data for the classifier to classify. AWS Glue supports a subset of JsonPath, as described in Writing JsonPath Custom Classifiers.
+	JSONPath *string `json:"jsonPath,omitempty" tf:"json_path,omitempty"`
 }
 
 type JSONClassifierParameters struct {
@@ -110,6 +158,12 @@ type JSONClassifierParameters struct {
 }
 
 type XMLClassifierObservation struct {
+
+	// An identifier of the data format that the classifier matches.
+	Classification *string `json:"classification,omitempty" tf:"classification,omitempty"`
+
+	// The XML tag designating the element that contains each record in an XML document being parsed. Note that this cannot identify a self-closing element (closed by />). An empty row element that contains only attributes can be parsed as long as it ends with a closing tag (for example, <row item_a="A" item_b="B"></row> is okay, but <row item_a="A" item_b="B" /> is not).
+	RowTag *string `json:"rowTag,omitempty" tf:"row_tag,omitempty"`
 }
 
 type XMLClassifierParameters struct {
diff --git a/apis/glue/v1beta1/zz_connection_types.go b/apis/glue/v1beta1/zz_connection_types.go
index 150d6144c3..07d9eb0624 100755
--- a/apis/glue/v1beta1/zz_connection_types.go
+++ b/apis/glue/v1beta1/zz_connection_types.go
@@ -18,9 +18,27 @@ type ConnectionObservation struct {
 	// The ARN of the Glue Connection.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  The ID of the Data Catalog in which to create the connection. If none is supplied, the AWS account ID is used by default.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// –  The type of the connection. Supported are: CUSTOM, JDBC, KAFKA, MARKETPLACE, MONGODB, and NETWORK. Defaults to JBDC.
+	ConnectionType *string `json:"connectionType,omitempty" tf:"connection_type,omitempty"`
+
+	// –  Description of the connection.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Catalog ID and name of the connection
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  A list of criteria that can be used in selecting this connection.
+	MatchCriteria []*string `json:"matchCriteria,omitempty" tf:"match_criteria,omitempty"`
+
+	// A map of physical connection requirements, such as VPC and SecurityGroup. Defined below.
+	PhysicalConnectionRequirements []PhysicalConnectionRequirementsObservation `json:"physicalConnectionRequirements,omitempty" tf:"physical_connection_requirements,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -62,6 +80,15 @@ type ConnectionParameters struct {
 }
 
 type PhysicalConnectionRequirementsObservation struct {
+
+	// The availability zone of the connection. This field is redundant and implied by subnet_id, but is currently an api requirement.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The security group ID list used by the connection.
+	SecurityGroupIDList []*string `json:"securityGroupIdList,omitempty" tf:"security_group_id_list,omitempty"`
+
+	// The subnet ID used by the connection.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type PhysicalConnectionRequirementsParameters struct {
diff --git a/apis/glue/v1beta1/zz_crawler_types.go b/apis/glue/v1beta1/zz_crawler_types.go
index 3c45de200c..97af61e6e7 100755
--- a/apis/glue/v1beta1/zz_crawler_types.go
+++ b/apis/glue/v1beta1/zz_crawler_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type CatalogTargetObservation struct {
+
+	// The name of the connection to use to connect to the JDBC target.
+	ConnectionName *string `json:"connectionName,omitempty" tf:"connection_name,omitempty"`
+
+	// Glue database where results are written.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// The ARN of the dead-letter SQS queue.
+	DlqEventQueueArn *string `json:"dlqEventQueueArn,omitempty" tf:"dlq_event_queue_arn,omitempty"`
+
+	// The ARN of the SQS queue to receive S3 notifications from.
+	EventQueueArn *string `json:"eventQueueArn,omitempty" tf:"event_queue_arn,omitempty"`
+
+	// A list of catalog tables to be synchronized.
+	Tables []*string `json:"tables,omitempty" tf:"tables,omitempty"`
 }
 
 type CatalogTargetParameters struct {
@@ -53,9 +68,64 @@ type CrawlerObservation struct {
 	// The ARN of the crawler
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	CatalogTarget []CatalogTargetObservation `json:"catalogTarget,omitempty" tf:"catalog_target,omitempty"`
+
+	// List of custom classifiers. By default, all AWS classifiers are included in a crawl, but these custom classifiers always override the default classifiers for a given classification.
+	Classifiers []*string `json:"classifiers,omitempty" tf:"classifiers,omitempty"`
+
+	// JSON string of configuration information. For more details see Setting Crawler Configuration Options.
+	Configuration *string `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// Glue database where results are written.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	DeltaTarget []DeltaTargetObservation `json:"deltaTarget,omitempty" tf:"delta_target,omitempty"`
+
+	// Description of the crawler.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// List of nested DynamoDB target arguments. See Dynamodb Target below.
+	DynamodbTarget []DynamodbTargetObservation `json:"dynamodbTarget,omitempty" tf:"dynamodb_target,omitempty"`
+
 	// Crawler name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of nested JBDC target arguments. See JDBC Target below.
+	JdbcTarget []JdbcTargetObservation `json:"jdbcTarget,omitempty" tf:"jdbc_target,omitempty"`
+
+	// Specifies Lake Formation configuration settings for the crawler. See Lake Formation Configuration below.
+	LakeFormationConfiguration []LakeFormationConfigurationObservation `json:"lakeFormationConfiguration,omitempty" tf:"lake_formation_configuration,omitempty"`
+
+	// Specifies data lineage configuration settings for the crawler. See Lineage Configuration below.
+	LineageConfiguration []LineageConfigurationObservation `json:"lineageConfiguration,omitempty" tf:"lineage_configuration,omitempty"`
+
+	// List nested MongoDB target arguments. See MongoDB Target below.
+	MongodbTarget []MongodbTargetObservation `json:"mongodbTarget,omitempty" tf:"mongodb_target,omitempty"`
+
+	// A policy that specifies whether to crawl the entire dataset again, or to crawl only folders that were added since the last crawler run.. See Recrawl Policy below.
+	RecrawlPolicy []RecrawlPolicyObservation `json:"recrawlPolicy,omitempty" tf:"recrawl_policy,omitempty"`
+
+	// The IAM role friendly name (including path without leading slash), or ARN of an IAM role, used by the crawler to access other resources.
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+	// List nested Amazon S3 target arguments. See S3 Target below.
+	S3Target []S3TargetObservation `json:"s3Target,omitempty" tf:"s3_target,omitempty"`
+
+	// Based Schedules for Jobs and Crawlers. For example, to run something every day at 12:15 UTC, you would specify: cron(15 12 * * ? *).
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// Policy for the crawler's update and deletion behavior. See Schema Change Policy below.
+	SchemaChangePolicy []SchemaChangePolicyObservation `json:"schemaChangePolicy,omitempty" tf:"schema_change_policy,omitempty"`
+
+	// The name of Security Configuration to be used by the crawler
+	SecurityConfiguration *string `json:"securityConfiguration,omitempty" tf:"security_configuration,omitempty"`
+
+	// The table prefix used for catalog tables that are created.
+	TablePrefix *string `json:"tablePrefix,omitempty" tf:"table_prefix,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -162,6 +232,15 @@ type CrawlerParameters struct {
 }
 
 type DeltaTargetObservation struct {
+
+	// The name of the connection to use to connect to the JDBC target.
+	ConnectionName *string `json:"connectionName,omitempty" tf:"connection_name,omitempty"`
+
+	// A list of the Amazon S3 paths to the Delta tables.
+	DeltaTables []*string `json:"deltaTables,omitempty" tf:"delta_tables,omitempty"`
+
+	// Specifies whether to write the manifest files to the Delta table path.
+	WriteManifest *bool `json:"writeManifest,omitempty" tf:"write_manifest,omitempty"`
 }
 
 type DeltaTargetParameters struct {
@@ -180,6 +259,15 @@ type DeltaTargetParameters struct {
 }
 
 type DynamodbTargetObservation struct {
+
+	// The name of the DynamoDB table to crawl.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Indicates whether to scan all the records, or to sample rows from the table. Scanning all the records can take a long time when the table is not a high throughput table.  defaults to true.
+	ScanAll *bool `json:"scanAll,omitempty" tf:"scan_all,omitempty"`
+
+	// The percentage of the configured read capacity units to use by the AWS Glue crawler. The valid values are null or a value between 0.1 to 1.5.
+	ScanRate *float64 `json:"scanRate,omitempty" tf:"scan_rate,omitempty"`
 }
 
 type DynamodbTargetParameters struct {
@@ -198,6 +286,18 @@ type DynamodbTargetParameters struct {
 }
 
 type JdbcTargetObservation struct {
+
+	// The name of the connection to use to connect to the JDBC target.
+	ConnectionName *string `json:"connectionName,omitempty" tf:"connection_name,omitempty"`
+
+	// Specify a value of RAWTYPES or COMMENTS to enable additional metadata intable responses. RAWTYPES provides the native-level datatype. COMMENTS provides comments associated with a column or table in the database.
+	EnableAdditionalMetadata []*string `json:"enableAdditionalMetadata,omitempty" tf:"enable_additional_metadata,omitempty"`
+
+	// A list of glob patterns used to exclude from the crawl.
+	Exclusions []*string `json:"exclusions,omitempty" tf:"exclusions,omitempty"`
+
+	// The name of the DynamoDB table to crawl.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 }
 
 type JdbcTargetParameters struct {
@@ -229,6 +329,12 @@ type JdbcTargetParameters struct {
 }
 
 type LakeFormationConfigurationObservation struct {
+
+	// Required for cross account crawls. For same account crawls as the target data, this can omitted.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// Specifies whether to use Lake Formation credentials for the crawler instead of the IAM role credentials.
+	UseLakeFormationCredentials *bool `json:"useLakeFormationCredentials,omitempty" tf:"use_lake_formation_credentials,omitempty"`
 }
 
 type LakeFormationConfigurationParameters struct {
@@ -243,6 +349,9 @@ type LakeFormationConfigurationParameters struct {
 }
 
 type LineageConfigurationObservation struct {
+
+	// Specifies whether data lineage is enabled for the crawler. Valid values are: ENABLE and DISABLE. Default value is Disable.
+	CrawlerLineageSettings *string `json:"crawlerLineageSettings,omitempty" tf:"crawler_lineage_settings,omitempty"`
 }
 
 type LineageConfigurationParameters struct {
@@ -253,6 +362,15 @@ type LineageConfigurationParameters struct {
 }
 
 type MongodbTargetObservation struct {
+
+	// The name of the connection to use to connect to the JDBC target.
+	ConnectionName *string `json:"connectionName,omitempty" tf:"connection_name,omitempty"`
+
+	// The name of the DynamoDB table to crawl.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Indicates whether to scan all the records, or to sample rows from the table. Scanning all the records can take a long time when the table is not a high throughput table.  defaults to true.
+	ScanAll *bool `json:"scanAll,omitempty" tf:"scan_all,omitempty"`
 }
 
 type MongodbTargetParameters struct {
@@ -280,6 +398,9 @@ type MongodbTargetParameters struct {
 }
 
 type RecrawlPolicyObservation struct {
+
+	// Specifies whether to crawl the entire dataset again, crawl only folders that were added since the last crawler run, or crawl what S3 notifies the crawler of via SQS. Valid Values are: CRAWL_EVENT_MODE, CRAWL_EVERYTHING and CRAWL_NEW_FOLDERS_ONLY. Default value is CRAWL_EVERYTHING.
+	RecrawlBehavior *string `json:"recrawlBehavior,omitempty" tf:"recrawl_behavior,omitempty"`
 }
 
 type RecrawlPolicyParameters struct {
@@ -290,6 +411,24 @@ type RecrawlPolicyParameters struct {
 }
 
 type S3TargetObservation struct {
+
+	// The name of the connection to use to connect to the JDBC target.
+	ConnectionName *string `json:"connectionName,omitempty" tf:"connection_name,omitempty"`
+
+	// The ARN of the dead-letter SQS queue.
+	DlqEventQueueArn *string `json:"dlqEventQueueArn,omitempty" tf:"dlq_event_queue_arn,omitempty"`
+
+	// The ARN of the SQS queue to receive S3 notifications from.
+	EventQueueArn *string `json:"eventQueueArn,omitempty" tf:"event_queue_arn,omitempty"`
+
+	// A list of glob patterns used to exclude from the crawl.
+	Exclusions []*string `json:"exclusions,omitempty" tf:"exclusions,omitempty"`
+
+	// The name of the DynamoDB table to crawl.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Sets the number of files in each leaf folder to be crawled when crawling sample files in a dataset. If not set, all the files are crawled. A valid value is an integer between 1 and 249.
+	SampleSize *float64 `json:"sampleSize,omitempty" tf:"sample_size,omitempty"`
 }
 
 type S3TargetParameters struct {
@@ -320,6 +459,12 @@ type S3TargetParameters struct {
 }
 
 type SchemaChangePolicyObservation struct {
+
+	// The deletion behavior when the crawler finds a deleted object. Valid values: LOG, DELETE_FROM_DATABASE, or DEPRECATE_IN_DATABASE. Defaults to DEPRECATE_IN_DATABASE.
+	DeleteBehavior *string `json:"deleteBehavior,omitempty" tf:"delete_behavior,omitempty"`
+
+	// The update behavior when the crawler finds a changed schema. Valid values: LOG or UPDATE_IN_DATABASE. Defaults to UPDATE_IN_DATABASE.
+	UpdateBehavior *string `json:"updateBehavior,omitempty" tf:"update_behavior,omitempty"`
 }
 
 type SchemaChangePolicyParameters struct {
diff --git a/apis/glue/v1beta1/zz_datacatalogencryptionsettings_types.go b/apis/glue/v1beta1/zz_datacatalogencryptionsettings_types.go
index 5a4d46e051..8d1f537478 100755
--- a/apis/glue/v1beta1/zz_datacatalogencryptionsettings_types.go
+++ b/apis/glue/v1beta1/zz_datacatalogencryptionsettings_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ConnectionPasswordEncryptionObservation struct {
+
+	// A KMS key ARN that is used to encrypt the connection password. If connection password protection is enabled, the caller of CreateConnection and UpdateConnection needs at least kms:Encrypt permission on the specified AWS KMS key, to encrypt passwords before storing them in the Data Catalog.
+	AwsKMSKeyID *string `json:"awsKmsKeyId,omitempty" tf:"aws_kms_key_id,omitempty"`
+
+	// When set to true, passwords remain encrypted in the responses of GetConnection and GetConnections. This encryption takes effect independently of the catalog encryption.
+	ReturnConnectionPasswordEncrypted *bool `json:"returnConnectionPasswordEncrypted,omitempty" tf:"return_connection_password_encrypted,omitempty"`
 }
 
 type ConnectionPasswordEncryptionParameters struct {
@@ -38,6 +44,12 @@ type ConnectionPasswordEncryptionParameters struct {
 }
 
 type DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsObservation struct {
+
+	// When connection password protection is enabled, the Data Catalog uses a customer-provided key to encrypt the password as part of CreateConnection or UpdateConnection and store it in the ENCRYPTED_PASSWORD field in the connection properties. You can enable catalog encryption or only password encryption. see Connection Password Encryption.
+	ConnectionPasswordEncryption []ConnectionPasswordEncryptionObservation `json:"connectionPasswordEncryption,omitempty" tf:"connection_password_encryption,omitempty"`
+
+	// Specifies the encryption-at-rest configuration for the Data Catalog. see Encryption At Rest.
+	EncryptionAtRest []EncryptionAtRestObservation `json:"encryptionAtRest,omitempty" tf:"encryption_at_rest,omitempty"`
 }
 
 type DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsParameters struct {
@@ -53,6 +65,12 @@ type DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsParameters struct
 
 type DataCatalogEncryptionSettingsObservation struct {
 
+	// –  The ID of the Data Catalog to set the security configuration for. If none is provided, the AWS account ID is used by default.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// –  The security configuration to set. see Data Catalog Encryption Settings.
+	DataCatalogEncryptionSettings []DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsObservation `json:"dataCatalogEncryptionSettings,omitempty" tf:"data_catalog_encryption_settings,omitempty"`
+
 	// The ID of the Data Catalog to set the security configuration for.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -64,8 +82,8 @@ type DataCatalogEncryptionSettingsParameters struct {
 	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
 
 	// –  The security configuration to set. see Data Catalog Encryption Settings.
-	// +kubebuilder:validation:Required
-	DataCatalogEncryptionSettings []DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsParameters `json:"dataCatalogEncryptionSettings" tf:"data_catalog_encryption_settings,omitempty"`
+	// +kubebuilder:validation:Optional
+	DataCatalogEncryptionSettings []DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsParameters `json:"dataCatalogEncryptionSettings,omitempty" tf:"data_catalog_encryption_settings,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -74,6 +92,12 @@ type DataCatalogEncryptionSettingsParameters struct {
 }
 
 type EncryptionAtRestObservation struct {
+
+	// The encryption-at-rest mode for encrypting Data Catalog data. Valid values are DISABLED and SSE-KMS.
+	CatalogEncryptionMode *string `json:"catalogEncryptionMode,omitempty" tf:"catalog_encryption_mode,omitempty"`
+
+	// The ARN of the AWS KMS key to use for encryption at rest.
+	SseAwsKMSKeyID *string `json:"sseAwsKmsKeyId,omitempty" tf:"sse_aws_kms_key_id,omitempty"`
 }
 
 type EncryptionAtRestParameters struct {
@@ -121,8 +145,9 @@ type DataCatalogEncryptionSettingsStatus struct {
 type DataCatalogEncryptionSettings struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DataCatalogEncryptionSettingsSpec   `json:"spec"`
-	Status            DataCatalogEncryptionSettingsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataCatalogEncryptionSettings)",message="dataCatalogEncryptionSettings is a required parameter"
+	Spec   DataCatalogEncryptionSettingsSpec   `json:"spec"`
+	Status DataCatalogEncryptionSettingsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_generated.deepcopy.go b/apis/glue/v1beta1/zz_generated.deepcopy.go
index 0e026d160b..2cf995fd61 100644
--- a/apis/glue/v1beta1/zz_generated.deepcopy.go
+++ b/apis/glue/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionsNotificationPropertyObservation) DeepCopyInto(out *ActionsNotificationPropertyObservation) {
 	*out = *in
+	if in.NotifyDelayAfter != nil {
+		in, out := &in.NotifyDelayAfter, &out.NotifyDelayAfter
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionsNotificationPropertyObservation.
@@ -52,6 +57,48 @@ func (in *ActionsNotificationPropertyParameters) DeepCopy() *ActionsNotification
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionsObservation) DeepCopyInto(out *ActionsObservation) {
 	*out = *in
+	if in.Arguments != nil {
+		in, out := &in.Arguments, &out.Arguments
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.CrawlerName != nil {
+		in, out := &in.CrawlerName, &out.CrawlerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.JobName != nil {
+		in, out := &in.JobName, &out.JobName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationProperty != nil {
+		in, out := &in.NotificationProperty, &out.NotificationProperty
+		*out = make([]ActionsNotificationPropertyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityConfiguration != nil {
+		in, out := &in.SecurityConfiguration, &out.SecurityConfiguration
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionsObservation.
@@ -208,11 +255,55 @@ func (in *CatalogDatabaseObservation) DeepCopyInto(out *CatalogDatabaseObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CreateTableDefaultPermission != nil {
+		in, out := &in.CreateTableDefaultPermission, &out.CreateTableDefaultPermission
+		*out = make([]CreateTableDefaultPermissionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LocationURI != nil {
+		in, out := &in.LocationURI, &out.LocationURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TargetDatabase != nil {
+		in, out := &in.TargetDatabase, &out.TargetDatabase
+		*out = make([]TargetDatabaseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogDatabaseObservation.
@@ -390,11 +481,46 @@ func (in *CatalogTableObservation) DeepCopyInto(out *CatalogTableObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Owner != nil {
+		in, out := &in.Owner, &out.Owner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.PartitionIndex != nil {
 		in, out := &in.PartitionIndex, &out.PartitionIndex
 		*out = make([]PartitionIndexObservation, len(*in))
@@ -402,6 +528,47 @@ func (in *CatalogTableObservation) DeepCopyInto(out *CatalogTableObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.PartitionKeys != nil {
+		in, out := &in.PartitionKeys, &out.PartitionKeys
+		*out = make([]PartitionKeysObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Retention != nil {
+		in, out := &in.Retention, &out.Retention
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageDescriptor != nil {
+		in, out := &in.StorageDescriptor, &out.StorageDescriptor
+		*out = make([]StorageDescriptorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TableType != nil {
+		in, out := &in.TableType, &out.TableType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetTable != nil {
+		in, out := &in.TargetTable, &out.TargetTable
+		*out = make([]TargetTableObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ViewExpandedText != nil {
+		in, out := &in.ViewExpandedText, &out.ViewExpandedText
+		*out = new(string)
+		**out = **in
+	}
+	if in.ViewOriginalText != nil {
+		in, out := &in.ViewOriginalText, &out.ViewOriginalText
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogTableObservation.
@@ -564,6 +731,37 @@ func (in *CatalogTableStatus) DeepCopy() *CatalogTableStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CatalogTargetObservation) DeepCopyInto(out *CatalogTargetObservation) {
 	*out = *in
+	if in.ConnectionName != nil {
+		in, out := &in.ConnectionName, &out.ConnectionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DlqEventQueueArn != nil {
+		in, out := &in.DlqEventQueueArn, &out.DlqEventQueueArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventQueueArn != nil {
+		in, out := &in.EventQueueArn, &out.EventQueueArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tables != nil {
+		in, out := &in.Tables, &out.Tables
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CatalogTargetObservation.
@@ -694,11 +892,39 @@ func (in *ClassifierList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClassifierObservation) DeepCopyInto(out *ClassifierObservation) {
 	*out = *in
+	if in.CsvClassifier != nil {
+		in, out := &in.CsvClassifier, &out.CsvClassifier
+		*out = make([]CsvClassifierObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GrokClassifier != nil {
+		in, out := &in.GrokClassifier, &out.GrokClassifier
+		*out = make([]GrokClassifierObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.JSONClassifier != nil {
+		in, out := &in.JSONClassifier, &out.JSONClassifier
+		*out = make([]JSONClassifierObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.XMLClassifier != nil {
+		in, out := &in.XMLClassifier, &out.XMLClassifier
+		*out = make([]XMLClassifierObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClassifierObservation.
@@ -796,6 +1022,16 @@ func (in *ClassifierStatus) DeepCopy() *ClassifierStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchEncryptionObservation) DeepCopyInto(out *CloudwatchEncryptionObservation) {
 	*out = *in
+	if in.CloudwatchEncryptionMode != nil {
+		in, out := &in.CloudwatchEncryptionMode, &out.CloudwatchEncryptionMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchEncryptionObservation.
@@ -846,6 +1082,36 @@ func (in *CloudwatchEncryptionParameters) DeepCopy() *CloudwatchEncryptionParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ColumnsObservation) DeepCopyInto(out *ColumnsObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ColumnsObservation.
@@ -906,6 +1172,21 @@ func (in *ColumnsParameters) DeepCopy() *ColumnsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommandObservation) DeepCopyInto(out *CommandObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PythonVersion != nil {
+		in, out := &in.PythonVersion, &out.PythonVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScriptLocation != nil {
+		in, out := &in.ScriptLocation, &out.ScriptLocation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommandObservation.
@@ -951,6 +1232,31 @@ func (in *CommandParameters) DeepCopy() *CommandParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionsObservation) DeepCopyInto(out *ConditionsObservation) {
 	*out = *in
+	if in.CrawlState != nil {
+		in, out := &in.CrawlState, &out.CrawlState
+		*out = new(string)
+		**out = **in
+	}
+	if in.CrawlerName != nil {
+		in, out := &in.CrawlerName, &out.CrawlerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.JobName != nil {
+		in, out := &in.JobName, &out.JobName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogicalOperator != nil {
+		in, out := &in.LogicalOperator, &out.LogicalOperator
+		*out = new(string)
+		**out = **in
+	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionsObservation.
@@ -1090,11 +1396,59 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionType != nil {
+		in, out := &in.ConnectionType, &out.ConnectionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MatchCriteria != nil {
+		in, out := &in.MatchCriteria, &out.MatchCriteria
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PhysicalConnectionRequirements != nil {
+		in, out := &in.PhysicalConnectionRequirements, &out.PhysicalConnectionRequirements
+		*out = make([]PhysicalConnectionRequirementsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1198,6 +1552,16 @@ func (in *ConnectionParameters) DeepCopy() *ConnectionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionPasswordEncryptionObservation) DeepCopyInto(out *ConnectionPasswordEncryptionObservation) {
 	*out = *in
+	if in.AwsKMSKeyID != nil {
+		in, out := &in.AwsKMSKeyID, &out.AwsKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReturnConnectionPasswordEncrypted != nil {
+		in, out := &in.ReturnConnectionPasswordEncrypted, &out.ReturnConnectionPasswordEncrypted
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionPasswordEncryptionObservation.
@@ -1346,11 +1710,142 @@ func (in *CrawlerObservation) DeepCopyInto(out *CrawlerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CatalogTarget != nil {
+		in, out := &in.CatalogTarget, &out.CatalogTarget
+		*out = make([]CatalogTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Classifiers != nil {
+		in, out := &in.Classifiers, &out.Classifiers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeltaTarget != nil {
+		in, out := &in.DeltaTarget, &out.DeltaTarget
+		*out = make([]DeltaTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DynamodbTarget != nil {
+		in, out := &in.DynamodbTarget, &out.DynamodbTarget
+		*out = make([]DynamodbTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.JdbcTarget != nil {
+		in, out := &in.JdbcTarget, &out.JdbcTarget
+		*out = make([]JdbcTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LakeFormationConfiguration != nil {
+		in, out := &in.LakeFormationConfiguration, &out.LakeFormationConfiguration
+		*out = make([]LakeFormationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LineageConfiguration != nil {
+		in, out := &in.LineageConfiguration, &out.LineageConfiguration
+		*out = make([]LineageConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MongodbTarget != nil {
+		in, out := &in.MongodbTarget, &out.MongodbTarget
+		*out = make([]MongodbTargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecrawlPolicy != nil {
+		in, out := &in.RecrawlPolicy, &out.RecrawlPolicy
+		*out = make([]RecrawlPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Target != nil {
+		in, out := &in.S3Target, &out.S3Target
+		*out = make([]S3TargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = new(string)
+		**out = **in
+	}
+	if in.SchemaChangePolicy != nil {
+		in, out := &in.SchemaChangePolicy, &out.SchemaChangePolicy
+		*out = make([]SchemaChangePolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityConfiguration != nil {
+		in, out := &in.SecurityConfiguration, &out.SecurityConfiguration
+		*out = new(string)
+		**out = **in
+	}
+	if in.TablePrefix != nil {
+		in, out := &in.TablePrefix, &out.TablePrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1586,6 +2081,24 @@ func (in *CrawlerStatus) DeepCopy() *CrawlerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CreateTableDefaultPermissionObservation) DeepCopyInto(out *CreateTableDefaultPermissionObservation) {
 	*out = *in
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = make([]PrincipalObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CreateTableDefaultPermissionObservation.
@@ -1634,21 +2147,6 @@ func (in *CreateTableDefaultPermissionParameters) DeepCopy() *CreateTableDefault
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CsvClassifierObservation) DeepCopyInto(out *CsvClassifierObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CsvClassifierObservation.
-func (in *CsvClassifierObservation) DeepCopy() *CsvClassifierObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(CsvClassifierObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CsvClassifierParameters) DeepCopyInto(out *CsvClassifierParameters) {
-	*out = *in
 	if in.AllowSingleColumn != nil {
 		in, out := &in.AllowSingleColumn, &out.AllowSingleColumn
 		*out = new(bool)
@@ -1703,12 +2201,79 @@ func (in *CsvClassifierParameters) DeepCopyInto(out *CsvClassifierParameters) {
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CsvClassifierParameters.
-func (in *CsvClassifierParameters) DeepCopy() *CsvClassifierParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CsvClassifierObservation.
+func (in *CsvClassifierObservation) DeepCopy() *CsvClassifierObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(CsvClassifierParameters)
+	out := new(CsvClassifierObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CsvClassifierParameters) DeepCopyInto(out *CsvClassifierParameters) {
+	*out = *in
+	if in.AllowSingleColumn != nil {
+		in, out := &in.AllowSingleColumn, &out.AllowSingleColumn
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ContainsHeader != nil {
+		in, out := &in.ContainsHeader, &out.ContainsHeader
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomDatatypeConfigured != nil {
+		in, out := &in.CustomDatatypeConfigured, &out.CustomDatatypeConfigured
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CustomDatatypes != nil {
+		in, out := &in.CustomDatatypes, &out.CustomDatatypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Delimiter != nil {
+		in, out := &in.Delimiter, &out.Delimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableValueTrimming != nil {
+		in, out := &in.DisableValueTrimming, &out.DisableValueTrimming
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Header != nil {
+		in, out := &in.Header, &out.Header
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.QuoteSymbol != nil {
+		in, out := &in.QuoteSymbol, &out.QuoteSymbol
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CsvClassifierParameters.
+func (in *CsvClassifierParameters) DeepCopy() *CsvClassifierParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(CsvClassifierParameters)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -1743,6 +2308,20 @@ func (in *DataCatalogEncryptionSettings) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsObservation) DeepCopyInto(out *DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsObservation) {
 	*out = *in
+	if in.ConnectionPasswordEncryption != nil {
+		in, out := &in.ConnectionPasswordEncryption, &out.ConnectionPasswordEncryption
+		*out = make([]ConnectionPasswordEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EncryptionAtRest != nil {
+		in, out := &in.EncryptionAtRest, &out.EncryptionAtRest
+		*out = make([]EncryptionAtRestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsObservation.
@@ -1819,6 +2398,18 @@ func (in *DataCatalogEncryptionSettingsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataCatalogEncryptionSettingsObservation) DeepCopyInto(out *DataCatalogEncryptionSettingsObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataCatalogEncryptionSettings != nil {
+		in, out := &in.DataCatalogEncryptionSettings, &out.DataCatalogEncryptionSettings
+		*out = make([]DataCatalogEncryptionSettingsDataCatalogEncryptionSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1905,6 +2496,27 @@ func (in *DataCatalogEncryptionSettingsStatus) DeepCopy() *DataCatalogEncryption
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeltaTargetObservation) DeepCopyInto(out *DeltaTargetObservation) {
 	*out = *in
+	if in.ConnectionName != nil {
+		in, out := &in.ConnectionName, &out.ConnectionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeltaTables != nil {
+		in, out := &in.DeltaTables, &out.DeltaTables
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.WriteManifest != nil {
+		in, out := &in.WriteManifest, &out.WriteManifest
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeltaTargetObservation.
@@ -1956,6 +2568,21 @@ func (in *DeltaTargetParameters) DeepCopy() *DeltaTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DynamodbTargetObservation) DeepCopyInto(out *DynamodbTargetObservation) {
 	*out = *in
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScanAll != nil {
+		in, out := &in.ScanAll, &out.ScanAll
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ScanRate != nil {
+		in, out := &in.ScanRate, &out.ScanRate
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamodbTargetObservation.
@@ -2001,6 +2628,16 @@ func (in *DynamodbTargetParameters) DeepCopy() *DynamodbTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionAtRestObservation) DeepCopyInto(out *EncryptionAtRestObservation) {
 	*out = *in
+	if in.CatalogEncryptionMode != nil {
+		in, out := &in.CatalogEncryptionMode, &out.CatalogEncryptionMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SseAwsKMSKeyID != nil {
+		in, out := &in.SseAwsKMSKeyID, &out.SseAwsKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionAtRestObservation.
@@ -2051,6 +2688,27 @@ func (in *EncryptionAtRestParameters) DeepCopy() *EncryptionAtRestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigurationObservation) DeepCopyInto(out *EncryptionConfigurationObservation) {
 	*out = *in
+	if in.CloudwatchEncryption != nil {
+		in, out := &in.CloudwatchEncryption, &out.CloudwatchEncryption
+		*out = make([]CloudwatchEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.JobBookmarksEncryption != nil {
+		in, out := &in.JobBookmarksEncryption, &out.JobBookmarksEncryption
+		*out = make([]JobBookmarksEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Encryption != nil {
+		in, out := &in.S3Encryption, &out.S3Encryption
+		*out = make([]S3EncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigurationObservation.
@@ -2102,6 +2760,16 @@ func (in *EncryptionConfigurationParameters) DeepCopy() *EncryptionConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventBatchingConditionObservation) DeepCopyInto(out *EventBatchingConditionObservation) {
 	*out = *in
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchWindow != nil {
+		in, out := &in.BatchWindow, &out.BatchWindow
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventBatchingConditionObservation.
@@ -2142,6 +2810,11 @@ func (in *EventBatchingConditionParameters) DeepCopy() *EventBatchingConditionPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExecutionPropertyObservation) DeepCopyInto(out *ExecutionPropertyObservation) {
 	*out = *in
+	if in.MaxConcurrentRuns != nil {
+		in, out := &in.MaxConcurrentRuns, &out.MaxConcurrentRuns
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExecutionPropertyObservation.
@@ -2177,6 +2850,21 @@ func (in *ExecutionPropertyParameters) DeepCopy() *ExecutionPropertyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GrokClassifierObservation) DeepCopyInto(out *GrokClassifierObservation) {
 	*out = *in
+	if in.Classification != nil {
+		in, out := &in.Classification, &out.Classification
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomPatterns != nil {
+		in, out := &in.CustomPatterns, &out.CustomPatterns
+		*out = new(string)
+		**out = **in
+	}
+	if in.GrokPattern != nil {
+		in, out := &in.GrokPattern, &out.GrokPattern
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GrokClassifierObservation.
@@ -2222,6 +2910,11 @@ func (in *GrokClassifierParameters) DeepCopy() *GrokClassifierParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JSONClassifierObservation) DeepCopyInto(out *JSONClassifierObservation) {
 	*out = *in
+	if in.JSONPath != nil {
+		in, out := &in.JSONPath, &out.JSONPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JSONClassifierObservation.
@@ -2257,6 +2950,38 @@ func (in *JSONClassifierParameters) DeepCopy() *JSONClassifierParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JdbcTargetObservation) DeepCopyInto(out *JdbcTargetObservation) {
 	*out = *in
+	if in.ConnectionName != nil {
+		in, out := &in.ConnectionName, &out.ConnectionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableAdditionalMetadata != nil {
+		in, out := &in.EnableAdditionalMetadata, &out.EnableAdditionalMetadata
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Exclusions != nil {
+		in, out := &in.Exclusions, &out.Exclusions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JdbcTargetObservation.
@@ -2356,6 +3081,16 @@ func (in *Job) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JobBookmarksEncryptionObservation) DeepCopyInto(out *JobBookmarksEncryptionObservation) {
 	*out = *in
+	if in.JobBookmarksEncryptionMode != nil {
+		in, out := &in.JobBookmarksEncryptionMode, &out.JobBookmarksEncryptionMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobBookmarksEncryptionObservation.
@@ -2443,11 +3178,128 @@ func (in *JobObservation) DeepCopyInto(out *JobObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Command != nil {
+		in, out := &in.Command, &out.Command
+		*out = make([]CommandObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Connections != nil {
+		in, out := &in.Connections, &out.Connections
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DefaultArguments != nil {
+		in, out := &in.DefaultArguments, &out.DefaultArguments
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExecutionClass != nil {
+		in, out := &in.ExecutionClass, &out.ExecutionClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExecutionProperty != nil {
+		in, out := &in.ExecutionProperty, &out.ExecutionProperty
+		*out = make([]ExecutionPropertyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GlueVersion != nil {
+		in, out := &in.GlueVersion, &out.GlueVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxCapacity != nil {
+		in, out := &in.MaxCapacity, &out.MaxCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxRetries != nil {
+		in, out := &in.MaxRetries, &out.MaxRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NonOverridableArguments != nil {
+		in, out := &in.NonOverridableArguments, &out.NonOverridableArguments
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.NotificationProperty != nil {
+		in, out := &in.NotificationProperty, &out.NotificationProperty
+		*out = make([]NotificationPropertyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NumberOfWorkers != nil {
+		in, out := &in.NumberOfWorkers, &out.NumberOfWorkers
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityConfiguration != nil {
+		in, out := &in.SecurityConfiguration, &out.SecurityConfiguration
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2463,6 +3315,16 @@ func (in *JobObservation) DeepCopyInto(out *JobObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WorkerType != nil {
+		in, out := &in.WorkerType, &out.WorkerType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JobObservation.
@@ -2669,6 +3531,16 @@ func (in *JobStatus) DeepCopy() *JobStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LakeFormationConfigurationObservation) DeepCopyInto(out *LakeFormationConfigurationObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseLakeFormationCredentials != nil {
+		in, out := &in.UseLakeFormationCredentials, &out.UseLakeFormationCredentials
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LakeFormationConfigurationObservation.
@@ -2709,6 +3581,11 @@ func (in *LakeFormationConfigurationParameters) DeepCopy() *LakeFormationConfigu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LineageConfigurationObservation) DeepCopyInto(out *LineageConfigurationObservation) {
 	*out = *in
+	if in.CrawlerLineageSettings != nil {
+		in, out := &in.CrawlerLineageSettings, &out.CrawlerLineageSettings
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LineageConfigurationObservation.
@@ -2744,6 +3621,21 @@ func (in *LineageConfigurationParameters) DeepCopy() *LineageConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MongodbTargetObservation) DeepCopyInto(out *MongodbTargetObservation) {
 	*out = *in
+	if in.ConnectionName != nil {
+		in, out := &in.ConnectionName, &out.ConnectionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScanAll != nil {
+		in, out := &in.ScanAll, &out.ScanAll
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MongodbTargetObservation.
@@ -2799,6 +3691,11 @@ func (in *MongodbTargetParameters) DeepCopy() *MongodbTargetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationPropertyObservation) DeepCopyInto(out *NotificationPropertyObservation) {
 	*out = *in
+	if in.NotifyDelayAfter != nil {
+		in, out := &in.NotifyDelayAfter, &out.NotifyDelayAfter
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationPropertyObservation.
@@ -2834,11 +3731,27 @@ func (in *NotificationPropertyParameters) DeepCopy() *NotificationPropertyParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PartitionIndexObservation) DeepCopyInto(out *PartitionIndexObservation) {
 	*out = *in
+	if in.IndexName != nil {
+		in, out := &in.IndexName, &out.IndexName
+		*out = new(string)
+		**out = **in
+	}
 	if in.IndexStatus != nil {
 		in, out := &in.IndexStatus, &out.IndexStatus
 		*out = new(string)
 		**out = **in
 	}
+	if in.Keys != nil {
+		in, out := &in.Keys, &out.Keys
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartitionIndexObservation.
@@ -2885,6 +3798,21 @@ func (in *PartitionIndexParameters) DeepCopy() *PartitionIndexParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PartitionKeysObservation) DeepCopyInto(out *PartitionKeysObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartitionKeysObservation.
@@ -2930,6 +3858,27 @@ func (in *PartitionKeysParameters) DeepCopy() *PartitionKeysParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PhysicalConnectionRequirementsObservation) DeepCopyInto(out *PhysicalConnectionRequirementsObservation) {
 	*out = *in
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIDList != nil {
+		in, out := &in.SecurityGroupIDList, &out.SecurityGroupIDList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PhysicalConnectionRequirementsObservation.
@@ -3001,6 +3950,18 @@ func (in *PhysicalConnectionRequirementsParameters) DeepCopy() *PhysicalConnecti
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredicateObservation) DeepCopyInto(out *PredicateObservation) {
 	*out = *in
+	if in.Conditions != nil {
+		in, out := &in.Conditions, &out.Conditions
+		*out = make([]ConditionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Logical != nil {
+		in, out := &in.Logical, &out.Logical
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredicateObservation.
@@ -3043,6 +4004,11 @@ func (in *PredicateParameters) DeepCopy() *PredicateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrincipalObservation) DeepCopyInto(out *PrincipalObservation) {
 	*out = *in
+	if in.DataLakePrincipalIdentifier != nil {
+		in, out := &in.DataLakePrincipalIdentifier, &out.DataLakePrincipalIdentifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrincipalObservation.
@@ -3078,6 +4044,11 @@ func (in *PrincipalParameters) DeepCopy() *PrincipalParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecrawlPolicyObservation) DeepCopyInto(out *RecrawlPolicyObservation) {
 	*out = *in
+	if in.RecrawlBehavior != nil {
+		in, out := &in.RecrawlBehavior, &out.RecrawlBehavior
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecrawlPolicyObservation.
@@ -3177,11 +4148,31 @@ func (in *RegistryObservation) DeepCopyInto(out *RegistryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3345,11 +4336,21 @@ func (in *ResourcePolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourcePolicyObservation) DeepCopyInto(out *ResourcePolicyObservation) {
 	*out = *in
+	if in.EnableHybrid != nil {
+		in, out := &in.EnableHybrid, &out.EnableHybrid
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePolicyObservation.
@@ -3429,6 +4430,16 @@ func (in *ResourcePolicyStatus) DeepCopy() *ResourcePolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceUrisObservation) DeepCopyInto(out *ResourceUrisObservation) {
 	*out = *in
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceUrisObservation.
@@ -3469,6 +4480,16 @@ func (in *ResourceUrisParameters) DeepCopy() *ResourceUrisParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3EncryptionObservation) DeepCopyInto(out *S3EncryptionObservation) {
 	*out = *in
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3EncryptionMode != nil {
+		in, out := &in.S3EncryptionMode, &out.S3EncryptionMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3EncryptionObservation.
@@ -3519,6 +4540,42 @@ func (in *S3EncryptionParameters) DeepCopy() *S3EncryptionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3TargetObservation) DeepCopyInto(out *S3TargetObservation) {
 	*out = *in
+	if in.ConnectionName != nil {
+		in, out := &in.ConnectionName, &out.ConnectionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DlqEventQueueArn != nil {
+		in, out := &in.DlqEventQueueArn, &out.DlqEventQueueArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventQueueArn != nil {
+		in, out := &in.EventQueueArn, &out.EventQueueArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Exclusions != nil {
+		in, out := &in.Exclusions, &out.Exclusions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.SampleSize != nil {
+		in, out := &in.SampleSize, &out.SampleSize
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3TargetObservation.
@@ -3612,6 +4669,16 @@ func (in *Schema) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaChangePolicyObservation) DeepCopyInto(out *SchemaChangePolicyObservation) {
 	*out = *in
+	if in.DeleteBehavior != nil {
+		in, out := &in.DeleteBehavior, &out.DeleteBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.UpdateBehavior != nil {
+		in, out := &in.UpdateBehavior, &out.UpdateBehavior
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaChangePolicyObservation.
@@ -3652,6 +4719,21 @@ func (in *SchemaChangePolicyParameters) DeepCopy() *SchemaChangePolicyParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaIDObservation) DeepCopyInto(out *SchemaIDObservation) {
 	*out = *in
+	if in.RegistryName != nil {
+		in, out := &in.RegistryName, &out.RegistryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SchemaArn != nil {
+		in, out := &in.SchemaArn, &out.SchemaArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SchemaName != nil {
+		in, out := &in.SchemaName, &out.SchemaName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaIDObservation.
@@ -3734,6 +4816,21 @@ func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Compatibility != nil {
+		in, out := &in.Compatibility, &out.Compatibility
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataFormat != nil {
+		in, out := &in.DataFormat, &out.DataFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -3749,6 +4846,11 @@ func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.RegistryArn != nil {
+		in, out := &in.RegistryArn, &out.RegistryArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegistryName != nil {
 		in, out := &in.RegistryName, &out.RegistryName
 		*out = new(string)
@@ -3759,6 +4861,31 @@ func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.SchemaDefinition != nil {
+		in, out := &in.SchemaDefinition, &out.SchemaDefinition
+		*out = new(string)
+		**out = **in
+	}
+	if in.SchemaName != nil {
+		in, out := &in.SchemaName, &out.SchemaName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3864,6 +4991,23 @@ func (in *SchemaParameters) DeepCopy() *SchemaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaReferenceObservation) DeepCopyInto(out *SchemaReferenceObservation) {
 	*out = *in
+	if in.SchemaID != nil {
+		in, out := &in.SchemaID, &out.SchemaID
+		*out = make([]SchemaIDObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SchemaVersionID != nil {
+		in, out := &in.SchemaVersionID, &out.SchemaVersionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SchemaVersionNumber != nil {
+		in, out := &in.SchemaVersionNumber, &out.SchemaVersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaReferenceObservation.
@@ -4004,6 +5148,13 @@ func (in *SecurityConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecurityConfigurationObservation) DeepCopyInto(out *SecurityConfigurationObservation) {
 	*out = *in
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]EncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -4085,6 +5236,31 @@ func (in *SecurityConfigurationStatus) DeepCopy() *SecurityConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SerDeInfoObservation) DeepCopyInto(out *SerDeInfoObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.SerializationLibrary != nil {
+		in, out := &in.SerializationLibrary, &out.SerializationLibrary
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SerDeInfoObservation.
@@ -4140,6 +5316,43 @@ func (in *SerDeInfoParameters) DeepCopy() *SerDeInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SkewedInfoObservation) DeepCopyInto(out *SkewedInfoObservation) {
 	*out = *in
+	if in.SkewedColumnNames != nil {
+		in, out := &in.SkewedColumnNames, &out.SkewedColumnNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SkewedColumnValueLocationMaps != nil {
+		in, out := &in.SkewedColumnValueLocationMaps, &out.SkewedColumnValueLocationMaps
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.SkewedColumnValues != nil {
+		in, out := &in.SkewedColumnValues, &out.SkewedColumnValues
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SkewedInfoObservation.
@@ -4207,6 +5420,16 @@ func (in *SkewedInfoParameters) DeepCopy() *SkewedInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SortColumnsObservation) DeepCopyInto(out *SortColumnsObservation) {
 	*out = *in
+	if in.Column != nil {
+		in, out := &in.Column, &out.Column
+		*out = new(string)
+		**out = **in
+	}
+	if in.SortOrder != nil {
+		in, out := &in.SortOrder, &out.SortOrder
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SortColumnsObservation.
@@ -4247,6 +5470,97 @@ func (in *SortColumnsParameters) DeepCopy() *SortColumnsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageDescriptorObservation) DeepCopyInto(out *StorageDescriptorObservation) {
 	*out = *in
+	if in.BucketColumns != nil {
+		in, out := &in.BucketColumns, &out.BucketColumns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Columns != nil {
+		in, out := &in.Columns, &out.Columns
+		*out = make([]ColumnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Compressed != nil {
+		in, out := &in.Compressed, &out.Compressed
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InputFormat != nil {
+		in, out := &in.InputFormat, &out.InputFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfBuckets != nil {
+		in, out := &in.NumberOfBuckets, &out.NumberOfBuckets
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OutputFormat != nil {
+		in, out := &in.OutputFormat, &out.OutputFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.SchemaReference != nil {
+		in, out := &in.SchemaReference, &out.SchemaReference
+		*out = make([]SchemaReferenceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SerDeInfo != nil {
+		in, out := &in.SerDeInfo, &out.SerDeInfo
+		*out = make([]SerDeInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SkewedInfo != nil {
+		in, out := &in.SkewedInfo, &out.SkewedInfo
+		*out = make([]SkewedInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SortColumns != nil {
+		in, out := &in.SortColumns, &out.SortColumns
+		*out = make([]SortColumnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StoredAsSubDirectories != nil {
+		in, out := &in.StoredAsSubDirectories, &out.StoredAsSubDirectories
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageDescriptorObservation.
@@ -4368,6 +5682,16 @@ func (in *StorageDescriptorParameters) DeepCopy() *StorageDescriptorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetDatabaseObservation) DeepCopyInto(out *TargetDatabaseObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetDatabaseObservation.
@@ -4408,6 +5732,21 @@ func (in *TargetDatabaseParameters) DeepCopy() *TargetDatabaseParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetTableObservation) DeepCopyInto(out *TargetTableObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetTableObservation.
@@ -4512,21 +5851,77 @@ func (in *TriggerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TriggerObservation) DeepCopyInto(out *TriggerObservation) {
 	*out = *in
+	if in.Actions != nil {
+		in, out := &in.Actions, &out.Actions
+		*out = make([]ActionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventBatchingCondition != nil {
+		in, out := &in.EventBatchingCondition, &out.EventBatchingCondition
+		*out = make([]EventBatchingConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Predicate != nil {
+		in, out := &in.Predicate, &out.Predicate
+		*out = make([]PredicateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartOnCreation != nil {
+		in, out := &in.StartOnCreation, &out.StartOnCreation
+		*out = new(bool)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4542,6 +5937,16 @@ func (in *TriggerObservation) DeepCopyInto(out *TriggerObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.WorkflowName != nil {
+		in, out := &in.WorkflowName, &out.WorkflowName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TriggerObservation.
@@ -4741,16 +6146,48 @@ func (in *UserDefinedFunctionObservation) DeepCopyInto(out *UserDefinedFunctionO
 		*out = new(string)
 		**out = **in
 	}
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClassName != nil {
+		in, out := &in.ClassName, &out.ClassName
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreateTime != nil {
 		in, out := &in.CreateTime, &out.CreateTime
 		*out = new(string)
 		**out = **in
 	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OwnerName != nil {
+		in, out := &in.OwnerName, &out.OwnerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OwnerType != nil {
+		in, out := &in.OwnerType, &out.OwnerType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceUris != nil {
+		in, out := &in.ResourceUris, &out.ResourceUris
+		*out = make([]ResourceUrisObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserDefinedFunctionObservation.
@@ -4926,11 +6363,51 @@ func (in *WorkflowObservation) DeepCopyInto(out *WorkflowObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultRunProperties != nil {
+		in, out := &in.DefaultRunProperties, &out.DefaultRunProperties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxConcurrentRuns != nil {
+		in, out := &in.MaxConcurrentRuns, &out.MaxConcurrentRuns
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5055,6 +6532,16 @@ func (in *WorkflowStatus) DeepCopy() *WorkflowStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *XMLClassifierObservation) DeepCopyInto(out *XMLClassifierObservation) {
 	*out = *in
+	if in.Classification != nil {
+		in, out := &in.Classification, &out.Classification
+		*out = new(string)
+		**out = **in
+	}
+	if in.RowTag != nil {
+		in, out := &in.RowTag, &out.RowTag
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XMLClassifierObservation.
diff --git a/apis/glue/v1beta1/zz_job_types.go b/apis/glue/v1beta1/zz_job_types.go
index 868843e893..f0055096c3 100755
--- a/apis/glue/v1beta1/zz_job_types.go
+++ b/apis/glue/v1beta1/zz_job_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CommandObservation struct {
+
+	// –  The name you assign to this job. It must be unique in your account.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The Python version being used to execute a Python shell job. Allowed values are 2, 3 or 3.9. Version 3 refers to Python 3.6.
+	PythonVersion *string `json:"pythonVersion,omitempty" tf:"python_version,omitempty"`
+
+	// Specifies the S3 path to a script that executes a job.
+	ScriptLocation *string `json:"scriptLocation,omitempty" tf:"script_location,omitempty"`
 }
 
 type CommandParameters struct {
@@ -32,6 +41,9 @@ type CommandParameters struct {
 }
 
 type ExecutionPropertyObservation struct {
+
+	// The maximum number of concurrent runs allowed for a job. The default is 1.
+	MaxConcurrentRuns *float64 `json:"maxConcurrentRuns,omitempty" tf:"max_concurrent_runs,omitempty"`
 }
 
 type ExecutionPropertyParameters struct {
@@ -46,18 +58,69 @@ type JobObservation struct {
 	// Amazon Resource Name (ARN) of Glue Job
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  The command of the job. Defined below.
+	Command []CommandObservation `json:"command,omitempty" tf:"command,omitempty"`
+
+	// –  The list of connections used for this job.
+	Connections []*string `json:"connections,omitempty" tf:"connections,omitempty"`
+
+	// execution script consumes, as well as arguments that AWS Glue itself consumes. For information about how to specify and consume your own Job arguments, see the Calling AWS Glue APIs in Python topic in the developer guide. For information about the key-value pairs that AWS Glue consumes to set up your job, see the Special Parameters Used by AWS Glue topic in the developer guide.
+	DefaultArguments map[string]*string `json:"defaultArguments,omitempty" tf:"default_arguments,omitempty"`
+
+	// –  Description of the job.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Indicates whether the job is run with a standard or flexible execution class. The standard execution class is ideal for time-sensitive workloads that require fast job startup and dedicated resources. Valid value: FLEX, STANDARD.
+	ExecutionClass *string `json:"executionClass,omitempty" tf:"execution_class,omitempty"`
+
+	// –  Execution property of the job. Defined below.
+	ExecutionProperty []ExecutionPropertyObservation `json:"executionProperty,omitempty" tf:"execution_property,omitempty"`
+
+	// The version of glue to use, for example "1.0". For information about available versions, see the AWS Glue Release Notes.
+	GlueVersion *string `json:"glueVersion,omitempty" tf:"glue_version,omitempty"`
+
 	// Job name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  The maximum number of AWS Glue data processing units (DPUs) that can be allocated when this job runs. Required when pythonshell is set, accept either 0.0625 or 1.0. Use number_of_workers and worker_type arguments instead with glue_version 2.0 and above.
+	MaxCapacity *float64 `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
+
+	// –  The maximum number of times to retry this job if it fails.
+	MaxRetries *float64 `json:"maxRetries,omitempty" tf:"max_retries,omitempty"`
+
+	// overridable arguments for this job, specified as name-value pairs.
+	NonOverridableArguments map[string]*string `json:"nonOverridableArguments,omitempty" tf:"non_overridable_arguments,omitempty"`
+
+	// Notification property of the job. Defined below.
+	NotificationProperty []NotificationPropertyObservation `json:"notificationProperty,omitempty" tf:"notification_property,omitempty"`
+
+	// The number of workers of a defined workerType that are allocated when a job runs.
+	NumberOfWorkers *float64 `json:"numberOfWorkers,omitempty" tf:"number_of_workers,omitempty"`
+
+	// –  The ARN of the IAM role associated with this job.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the Security Configuration to be associated with the job.
+	SecurityConfiguration *string `json:"securityConfiguration,omitempty" tf:"security_configuration,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// –  The job timeout in minutes. The default is 2880 minutes (48 hours) for glueetl and pythonshell jobs, and null (unlimited) for gluestreaming jobs.
+	Timeout *float64 `json:"timeout,omitempty" tf:"timeout,omitempty"`
+
+	// The type of predefined worker that is allocated when a job runs. Accepts a value of Standard, G.1X, or G.2X.
+	WorkerType *string `json:"workerType,omitempty" tf:"worker_type,omitempty"`
 }
 
 type JobParameters struct {
 
 	// –  The command of the job. Defined below.
-	// +kubebuilder:validation:Required
-	Command []CommandParameters `json:"command" tf:"command,omitempty"`
+	// +kubebuilder:validation:Optional
+	Command []CommandParameters `json:"command,omitempty" tf:"command,omitempty"`
 
 	// –  The list of connections used for this job.
 	// +kubebuilder:validation:Optional
@@ -140,6 +203,9 @@ type JobParameters struct {
 }
 
 type NotificationPropertyObservation struct {
+
+	// After a job run starts, the number of minutes to wait before sending a job run delay notification.
+	NotifyDelayAfter *float64 `json:"notifyDelayAfter,omitempty" tf:"notify_delay_after,omitempty"`
 }
 
 type NotificationPropertyParameters struct {
@@ -173,8 +239,9 @@ type JobStatus struct {
 type Job struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              JobSpec   `json:"spec"`
-	Status            JobStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.command)",message="command is a required parameter"
+	Spec   JobSpec   `json:"spec"`
+	Status JobStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_registry_types.go b/apis/glue/v1beta1/zz_registry_types.go
index a4b575ff8f..29d05984c1 100755
--- a/apis/glue/v1beta1/zz_registry_types.go
+++ b/apis/glue/v1beta1/zz_registry_types.go
@@ -18,9 +18,15 @@ type RegistryObservation struct {
 	// Amazon Resource Name (ARN) of Glue Registry.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  A description of the registry.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Amazon Resource Name (ARN) of Glue Registry.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/glue/v1beta1/zz_resourcepolicy_types.go b/apis/glue/v1beta1/zz_resourcepolicy_types.go
index 3af6be4cbb..4c76c12636 100755
--- a/apis/glue/v1beta1/zz_resourcepolicy_types.go
+++ b/apis/glue/v1beta1/zz_resourcepolicy_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type ResourcePolicyObservation struct {
+
+	// Indicates that you are using both methods to grant cross-account. Valid values are TRUE and FALSE.
+	EnableHybrid *string `json:"enableHybrid,omitempty" tf:"enable_hybrid,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// –  The policy to be applied to the aws glue data catalog.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type ResourcePolicyParameters struct {
@@ -24,8 +31,8 @@ type ResourcePolicyParameters struct {
 	EnableHybrid *string `json:"enableHybrid,omitempty" tf:"enable_hybrid,omitempty"`
 
 	// –  The policy to be applied to the aws glue data catalog.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -57,8 +64,9 @@ type ResourcePolicyStatus struct {
 type ResourcePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourcePolicySpec   `json:"spec"`
-	Status            ResourcePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   ResourcePolicySpec   `json:"spec"`
+	Status ResourcePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_schema_types.go b/apis/glue/v1beta1/zz_schema_types.go
index c9640f14e5..3da329eda4 100755
--- a/apis/glue/v1beta1/zz_schema_types.go
+++ b/apis/glue/v1beta1/zz_schema_types.go
@@ -18,6 +18,15 @@ type SchemaObservation struct {
 	// Amazon Resource Name (ARN) of the schema.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The compatibility mode of the schema. Values values are: NONE, DISABLED, BACKWARD, BACKWARD_ALL, FORWARD, FORWARD_ALL, FULL, and FULL_ALL.
+	Compatibility *string `json:"compatibility,omitempty" tf:"compatibility,omitempty"`
+
+	// The data format of the schema definition. Valid values are AVRO, JSON and PROTOBUF.
+	DataFormat *string `json:"dataFormat,omitempty" tf:"data_format,omitempty"`
+
+	// –  A description of the schema.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Amazon Resource Name (ARN) of the schema.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -27,12 +36,24 @@ type SchemaObservation struct {
 	// The next version of the schema associated with the returned schema definition.
 	NextSchemaVersion *float64 `json:"nextSchemaVersion,omitempty" tf:"next_schema_version,omitempty"`
 
+	// The ARN of the Glue Registry to create the schema in.
+	RegistryArn *string `json:"registryArn,omitempty" tf:"registry_arn,omitempty"`
+
 	// The name of the Glue Registry.
 	RegistryName *string `json:"registryName,omitempty" tf:"registry_name,omitempty"`
 
 	// The version number of the checkpoint (the last time the compatibility mode was changed).
 	SchemaCheckpoint *float64 `json:"schemaCheckpoint,omitempty" tf:"schema_checkpoint,omitempty"`
 
+	// The schema definition using the data_format setting for schema_name.
+	SchemaDefinition *string `json:"schemaDefinition,omitempty" tf:"schema_definition,omitempty"`
+
+	// –  The Name of the schema.
+	SchemaName *string `json:"schemaName,omitempty" tf:"schema_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -40,12 +61,12 @@ type SchemaObservation struct {
 type SchemaParameters struct {
 
 	// The compatibility mode of the schema. Values values are: NONE, DISABLED, BACKWARD, BACKWARD_ALL, FORWARD, FORWARD_ALL, FULL, and FULL_ALL.
-	// +kubebuilder:validation:Required
-	Compatibility *string `json:"compatibility" tf:"compatibility,omitempty"`
+	// +kubebuilder:validation:Optional
+	Compatibility *string `json:"compatibility,omitempty" tf:"compatibility,omitempty"`
 
 	// The data format of the schema definition. Valid values are AVRO, JSON and PROTOBUF.
-	// +kubebuilder:validation:Required
-	DataFormat *string `json:"dataFormat" tf:"data_format,omitempty"`
+	// +kubebuilder:validation:Optional
+	DataFormat *string `json:"dataFormat,omitempty" tf:"data_format,omitempty"`
 
 	// –  A description of the schema.
 	// +kubebuilder:validation:Optional
@@ -71,12 +92,12 @@ type SchemaParameters struct {
 	RegistryArnSelector *v1.Selector `json:"registryArnSelector,omitempty" tf:"-"`
 
 	// The schema definition using the data_format setting for schema_name.
-	// +kubebuilder:validation:Required
-	SchemaDefinition *string `json:"schemaDefinition" tf:"schema_definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	SchemaDefinition *string `json:"schemaDefinition,omitempty" tf:"schema_definition,omitempty"`
 
 	// –  The Name of the schema.
-	// +kubebuilder:validation:Required
-	SchemaName *string `json:"schemaName" tf:"schema_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	SchemaName *string `json:"schemaName,omitempty" tf:"schema_name,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -107,8 +128,12 @@ type SchemaStatus struct {
 type Schema struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SchemaSpec   `json:"spec"`
-	Status            SchemaStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.compatibility)",message="compatibility is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataFormat)",message="dataFormat is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schemaDefinition)",message="schemaDefinition is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schemaName)",message="schemaName is a required parameter"
+	Spec   SchemaSpec   `json:"spec"`
+	Status SchemaStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_securityconfiguration_types.go b/apis/glue/v1beta1/zz_securityconfiguration_types.go
index 3fe71aaf4a..389b6999cb 100755
--- a/apis/glue/v1beta1/zz_securityconfiguration_types.go
+++ b/apis/glue/v1beta1/zz_securityconfiguration_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CloudwatchEncryptionObservation struct {
+
+	// Encryption mode to use for CloudWatch data. Valid values: DISABLED, SSE-KMS. Default value: DISABLED.
+	CloudwatchEncryptionMode *string `json:"cloudwatchEncryptionMode,omitempty" tf:"cloudwatch_encryption_mode,omitempty"`
+
+	// Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
 }
 
 type CloudwatchEncryptionParameters struct {
@@ -38,6 +44,12 @@ type CloudwatchEncryptionParameters struct {
 }
 
 type EncryptionConfigurationObservation struct {
+	CloudwatchEncryption []CloudwatchEncryptionObservation `json:"cloudwatchEncryption,omitempty" tf:"cloudwatch_encryption,omitempty"`
+
+	JobBookmarksEncryption []JobBookmarksEncryptionObservation `json:"jobBookmarksEncryption,omitempty" tf:"job_bookmarks_encryption,omitempty"`
+
+	// A s3_encryption  block as described below, which contains encryption configuration for S3 data.
+	S3Encryption []S3EncryptionObservation `json:"s3Encryption,omitempty" tf:"s3_encryption,omitempty"`
 }
 
 type EncryptionConfigurationParameters struct {
@@ -54,6 +66,12 @@ type EncryptionConfigurationParameters struct {
 }
 
 type JobBookmarksEncryptionObservation struct {
+
+	// Encryption mode to use for job bookmarks data. Valid values: CSE-KMS, DISABLED. Default value: DISABLED.
+	JobBookmarksEncryptionMode *string `json:"jobBookmarksEncryptionMode,omitempty" tf:"job_bookmarks_encryption_mode,omitempty"`
+
+	// Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
 }
 
 type JobBookmarksEncryptionParameters struct {
@@ -78,6 +96,12 @@ type JobBookmarksEncryptionParameters struct {
 }
 
 type S3EncryptionObservation struct {
+
+	// Amazon Resource Name (ARN) of the KMS key to be used to encrypt the data.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Encryption mode to use for S3 data. Valid values: DISABLED, SSE-KMS, SSE-S3. Default value: DISABLED.
+	S3EncryptionMode *string `json:"s3EncryptionMode,omitempty" tf:"s3_encryption_mode,omitempty"`
 }
 
 type S3EncryptionParameters struct {
@@ -103,6 +127,9 @@ type S3EncryptionParameters struct {
 
 type SecurityConfigurationObservation struct {
 
+	// –  Configuration block containing encryption configuration. Detailed below.
+	EncryptionConfiguration []EncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
 	// Glue security configuration name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -110,8 +137,8 @@ type SecurityConfigurationObservation struct {
 type SecurityConfigurationParameters struct {
 
 	// –  Configuration block containing encryption configuration. Detailed below.
-	// +kubebuilder:validation:Required
-	EncryptionConfiguration []EncryptionConfigurationParameters `json:"encryptionConfiguration" tf:"encryption_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	EncryptionConfiguration []EncryptionConfigurationParameters `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -143,8 +170,9 @@ type SecurityConfigurationStatus struct {
 type SecurityConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SecurityConfigurationSpec   `json:"spec"`
-	Status            SecurityConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encryptionConfiguration)",message="encryptionConfiguration is a required parameter"
+	Spec   SecurityConfigurationSpec   `json:"spec"`
+	Status SecurityConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_trigger_types.go b/apis/glue/v1beta1/zz_trigger_types.go
index aa1b4a3139..0c55828f35 100755
--- a/apis/glue/v1beta1/zz_trigger_types.go
+++ b/apis/glue/v1beta1/zz_trigger_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ActionsNotificationPropertyObservation struct {
+
+	// After a job run starts, the number of minutes to wait before sending a job run delay notification.
+	NotifyDelayAfter *float64 `json:"notifyDelayAfter,omitempty" tf:"notify_delay_after,omitempty"`
 }
 
 type ActionsNotificationPropertyParameters struct {
@@ -24,6 +27,24 @@ type ActionsNotificationPropertyParameters struct {
 }
 
 type ActionsObservation struct {
+
+	// Arguments to be passed to the job. You can specify arguments here that your own job-execution script consumes, as well as arguments that AWS Glue itself consumes.
+	Arguments map[string]*string `json:"arguments,omitempty" tf:"arguments,omitempty"`
+
+	// The name of the crawler to be executed. Conflicts with job_name.
+	CrawlerName *string `json:"crawlerName,omitempty" tf:"crawler_name,omitempty"`
+
+	// The name of a job to be executed. Conflicts with crawler_name.
+	JobName *string `json:"jobName,omitempty" tf:"job_name,omitempty"`
+
+	// Specifies configuration properties of a job run notification. See Notification Property details below.
+	NotificationProperty []ActionsNotificationPropertyObservation `json:"notificationProperty,omitempty" tf:"notification_property,omitempty"`
+
+	// The name of the Security Configuration structure to be used with this action.
+	SecurityConfiguration *string `json:"securityConfiguration,omitempty" tf:"security_configuration,omitempty"`
+
+	// The job run timeout in minutes. It overrides the timeout value of the job.
+	Timeout *float64 `json:"timeout,omitempty" tf:"timeout,omitempty"`
 }
 
 type ActionsParameters struct {
@@ -72,6 +93,21 @@ type ActionsParameters struct {
 }
 
 type ConditionsObservation struct {
+
+	// The condition crawl state. Currently, the values supported are RUNNING, SUCCEEDED, CANCELLED, and FAILED. If this is specified, crawler_name must also be specified. Conflicts with state.
+	CrawlState *string `json:"crawlState,omitempty" tf:"crawl_state,omitempty"`
+
+	// The name of the crawler to be executed. Conflicts with job_name.
+	CrawlerName *string `json:"crawlerName,omitempty" tf:"crawler_name,omitempty"`
+
+	// The name of a job to be executed. Conflicts with crawler_name.
+	JobName *string `json:"jobName,omitempty" tf:"job_name,omitempty"`
+
+	// A logical operator. Defaults to EQUALS.
+	LogicalOperator *string `json:"logicalOperator,omitempty" tf:"logical_operator,omitempty"`
+
+	// The condition job state. Currently, the values supported are SUCCEEDED, STOPPED, TIMEOUT and FAILED. If this is specified, job_name must also be specified. Conflicts with crawler_state.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
 }
 
 type ConditionsParameters struct {
@@ -116,6 +152,12 @@ type ConditionsParameters struct {
 }
 
 type EventBatchingConditionObservation struct {
+
+	// Number of events that must be received from Amazon EventBridge before EventBridge  event trigger fires.
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	// Window of time in seconds after which EventBridge event trigger fires. Window starts when first event is received. Default value is 900.
+	BatchWindow *float64 `json:"batchWindow,omitempty" tf:"batch_window,omitempty"`
 }
 
 type EventBatchingConditionParameters struct {
@@ -130,6 +172,12 @@ type EventBatchingConditionParameters struct {
 }
 
 type PredicateObservation struct {
+
+	// A list of the conditions that determine when the trigger will fire. See Conditions.
+	Conditions []ConditionsObservation `json:"conditions,omitempty" tf:"conditions,omitempty"`
+
+	// How to handle multiple conditions. Defaults to AND. Valid values are AND or ANY.
+	Logical *string `json:"logical,omitempty" tf:"logical,omitempty"`
 }
 
 type PredicateParameters struct {
@@ -145,24 +193,54 @@ type PredicateParameters struct {
 
 type TriggerObservation struct {
 
+	// –  List of actions initiated by this trigger when it fires. See Actions Below.
+	Actions []ActionsObservation `json:"actions,omitempty" tf:"actions,omitempty"`
+
 	// Amazon Resource Name (ARN) of Glue Trigger
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  A description of the new trigger.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// –  Start the trigger. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Batch condition that must be met (specified number of events received or batch time window expired) before EventBridge event trigger fires. See Event Batching Condition.
+	EventBatchingCondition []EventBatchingConditionObservation `json:"eventBatchingCondition,omitempty" tf:"event_batching_condition,omitempty"`
+
 	// Trigger name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  A predicate to specify when the new trigger should fire. Required when trigger type is CONDITIONAL. See Predicate Below.
+	Predicate []PredicateObservation `json:"predicate,omitempty" tf:"predicate,omitempty"`
+
+	// Based Schedules for Jobs and Crawlers
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// –  Set to true to start SCHEDULED and CONDITIONAL triggers when created. True is not supported for ON_DEMAND triggers.
+	StartOnCreation *bool `json:"startOnCreation,omitempty" tf:"start_on_creation,omitempty"`
+
 	// The condition job state. Currently, the values supported are SUCCEEDED, STOPPED, TIMEOUT and FAILED. If this is specified, job_name must also be specified. Conflicts with crawler_state.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// –  The type of trigger. Valid values are CONDITIONAL, EVENT, ON_DEMAND, and SCHEDULED.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// A workflow to which the trigger should be associated to. Every workflow graph (DAG) needs a starting trigger (ON_DEMAND or SCHEDULED type) and can contain multiple additional CONDITIONAL triggers.
+	WorkflowName *string `json:"workflowName,omitempty" tf:"workflow_name,omitempty"`
 }
 
 type TriggerParameters struct {
 
 	// –  List of actions initiated by this trigger when it fires. See Actions Below.
-	// +kubebuilder:validation:Required
-	Actions []ActionsParameters `json:"actions" tf:"actions,omitempty"`
+	// +kubebuilder:validation:Optional
+	Actions []ActionsParameters `json:"actions,omitempty" tf:"actions,omitempty"`
 
 	// –  A description of the new trigger.
 	// +kubebuilder:validation:Optional
@@ -198,8 +276,8 @@ type TriggerParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// –  The type of trigger. Valid values are CONDITIONAL, EVENT, ON_DEMAND, and SCHEDULED.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 
 	// A workflow to which the trigger should be associated to. Every workflow graph (DAG) needs a starting trigger (ON_DEMAND or SCHEDULED type) and can contain multiple additional CONDITIONAL triggers.
 	// +kubebuilder:validation:Optional
@@ -230,8 +308,10 @@ type TriggerStatus struct {
 type Trigger struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TriggerSpec   `json:"spec"`
-	Status            TriggerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actions)",message="actions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   TriggerSpec   `json:"spec"`
+	Status TriggerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_userdefinedfunction_types.go b/apis/glue/v1beta1/zz_userdefinedfunction_types.go
index 667449ba62..797e8fe31a 100755
--- a/apis/glue/v1beta1/zz_userdefinedfunction_types.go
+++ b/apis/glue/v1beta1/zz_userdefinedfunction_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ResourceUrisObservation struct {
+
+	// The type of the resource. can be one of JAR, FILE, and ARCHIVE.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// The URI for accessing the resource.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type ResourceUrisParameters struct {
@@ -32,11 +38,29 @@ type UserDefinedFunctionObservation struct {
 	// The ARN of the Glue User Defined Function.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ID of the Glue Catalog to create the function in. If omitted, this defaults to the AWS Account ID.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// The Java class that contains the function code.
+	ClassName *string `json:"className,omitempty" tf:"class_name,omitempty"`
+
 	// The time at which the function was created.
 	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`
 
+	// The name of the Database to create the Function.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
 	// The id of the Glue User Defined Function.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The owner of the function.
+	OwnerName *string `json:"ownerName,omitempty" tf:"owner_name,omitempty"`
+
+	// The owner type. can be one of USER, ROLE, and GROUP.
+	OwnerType *string `json:"ownerType,omitempty" tf:"owner_type,omitempty"`
+
+	// The configuration block for Resource URIs. See resource uris below for more details.
+	ResourceUris []ResourceUrisObservation `json:"resourceUris,omitempty" tf:"resource_uris,omitempty"`
 }
 
 type UserDefinedFunctionParameters struct {
@@ -46,8 +70,8 @@ type UserDefinedFunctionParameters struct {
 	CatalogID *string `json:"catalogId" tf:"catalog_id,omitempty"`
 
 	// The Java class that contains the function code.
-	// +kubebuilder:validation:Required
-	ClassName *string `json:"className" tf:"class_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ClassName *string `json:"className,omitempty" tf:"class_name,omitempty"`
 
 	// The name of the Database to create the Function.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/glue/v1beta1.CatalogDatabase
@@ -63,12 +87,12 @@ type UserDefinedFunctionParameters struct {
 	DatabaseNameSelector *v1.Selector `json:"databaseNameSelector,omitempty" tf:"-"`
 
 	// The owner of the function.
-	// +kubebuilder:validation:Required
-	OwnerName *string `json:"ownerName" tf:"owner_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	OwnerName *string `json:"ownerName,omitempty" tf:"owner_name,omitempty"`
 
 	// The owner type. can be one of USER, ROLE, and GROUP.
-	// +kubebuilder:validation:Required
-	OwnerType *string `json:"ownerType" tf:"owner_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	OwnerType *string `json:"ownerType,omitempty" tf:"owner_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -104,8 +128,11 @@ type UserDefinedFunctionStatus struct {
 type UserDefinedFunction struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserDefinedFunctionSpec   `json:"spec"`
-	Status            UserDefinedFunctionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.className)",message="className is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerName)",message="ownerName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerType)",message="ownerType is a required parameter"
+	Spec   UserDefinedFunctionSpec   `json:"spec"`
+	Status UserDefinedFunctionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/glue/v1beta1/zz_workflow_types.go b/apis/glue/v1beta1/zz_workflow_types.go
index 930f154352..4505b1469a 100755
--- a/apis/glue/v1beta1/zz_workflow_types.go
+++ b/apis/glue/v1beta1/zz_workflow_types.go
@@ -18,9 +18,21 @@ type WorkflowObservation struct {
 	// Amazon Resource Name (ARN) of Glue Workflow
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  A map of default run properties for this workflow. These properties are passed to all jobs associated to the workflow.
+	DefaultRunProperties map[string]*string `json:"defaultRunProperties,omitempty" tf:"default_run_properties,omitempty"`
+
+	// –  Description of the workflow.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Workflow name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Prevents exceeding the maximum number of concurrent runs of any of the component jobs. If you leave this parameter blank, there is no limit to the number of concurrent workflow runs.
+	MaxConcurrentRuns *float64 `json:"maxConcurrentRuns,omitempty" tf:"max_concurrent_runs,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/grafana/v1beta1/zz_generated.deepcopy.go b/apis/grafana/v1beta1/zz_generated.deepcopy.go
index cffae29135..bf8c0726ea 100644
--- a/apis/grafana/v1beta1/zz_generated.deepcopy.go
+++ b/apis/grafana/v1beta1/zz_generated.deepcopy.go
@@ -91,6 +91,16 @@ func (in *LicenseAssociationObservation) DeepCopyInto(out *LicenseAssociationObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.LicenseType != nil {
+		in, out := &in.LicenseType, &out.LicenseType
+		*out = new(string)
+		**out = **in
+	}
+	if in.WorkspaceID != nil {
+		in, out := &in.WorkspaceID, &out.WorkspaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LicenseAssociationObservation.
@@ -239,11 +249,43 @@ func (in *RoleAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RoleAssociationObservation) DeepCopyInto(out *RoleAssociationObservation) {
 	*out = *in
+	if in.GroupIds != nil {
+		in, out := &in.GroupIds, &out.GroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserIds != nil {
+		in, out := &in.UserIds, &out.UserIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.WorkspaceID != nil {
+		in, out := &in.WorkspaceID, &out.WorkspaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleAssociationObservation.
@@ -355,6 +397,28 @@ func (in *RoleAssociationStatus) DeepCopy() *RoleAssociationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigurationObservation) DeepCopyInto(out *VPCConfigurationObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCConfigurationObservation.
@@ -503,6 +567,26 @@ func (in *WorkspaceAPIKeyObservation) DeepCopyInto(out *WorkspaceAPIKeyObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyName != nil {
+		in, out := &in.KeyName, &out.KeyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyRole != nil {
+		in, out := &in.KeyRole, &out.KeyRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecondsToLive != nil {
+		in, out := &in.SecondsToLive, &out.SecondsToLive
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WorkspaceID != nil {
+		in, out := &in.WorkspaceID, &out.WorkspaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceAPIKeyObservation.
@@ -634,11 +718,48 @@ func (in *WorkspaceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkspaceObservation) DeepCopyInto(out *WorkspaceObservation) {
 	*out = *in
+	if in.AccountAccessType != nil {
+		in, out := &in.AccountAccessType, &out.AccountAccessType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthenticationProviders != nil {
+		in, out := &in.AuthenticationProviders, &out.AuthenticationProviders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSources != nil {
+		in, out := &in.DataSources, &out.DataSources
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
@@ -654,11 +775,73 @@ func (in *WorkspaceObservation) DeepCopyInto(out *WorkspaceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationDestinations != nil {
+		in, out := &in.NotificationDestinations, &out.NotificationDestinations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OrganizationRoleName != nil {
+		in, out := &in.OrganizationRoleName, &out.OrganizationRoleName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationalUnits != nil {
+		in, out := &in.OrganizationalUnits, &out.OrganizationalUnits
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PermissionType != nil {
+		in, out := &in.PermissionType, &out.PermissionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.SAMLConfigurationStatus != nil {
 		in, out := &in.SAMLConfigurationStatus, &out.SAMLConfigurationStatus
 		*out = new(string)
 		**out = **in
 	}
+	if in.StackSetName != nil {
+		in, out := &in.StackSetName, &out.StackSetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -674,6 +857,13 @@ func (in *WorkspaceObservation) DeepCopyInto(out *WorkspaceObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCConfiguration != nil {
+		in, out := &in.VPCConfiguration, &out.VPCConfiguration
+		*out = make([]VPCConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceObservation.
@@ -884,16 +1074,99 @@ func (in *WorkspaceSAMLConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkspaceSAMLConfigurationObservation) DeepCopyInto(out *WorkspaceSAMLConfigurationObservation) {
 	*out = *in
+	if in.AdminRoleValues != nil {
+		in, out := &in.AdminRoleValues, &out.AdminRoleValues
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowedOrganizations != nil {
+		in, out := &in.AllowedOrganizations, &out.AllowedOrganizations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.EditorRoleValues != nil {
+		in, out := &in.EditorRoleValues, &out.EditorRoleValues
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.EmailAssertion != nil {
+		in, out := &in.EmailAssertion, &out.EmailAssertion
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupsAssertion != nil {
+		in, out := &in.GroupsAssertion, &out.GroupsAssertion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdpMetadataURL != nil {
+		in, out := &in.IdpMetadataURL, &out.IdpMetadataURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdpMetadataXML != nil {
+		in, out := &in.IdpMetadataXML, &out.IdpMetadataXML
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoginAssertion != nil {
+		in, out := &in.LoginAssertion, &out.LoginAssertion
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoginValidityDuration != nil {
+		in, out := &in.LoginValidityDuration, &out.LoginValidityDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NameAssertion != nil {
+		in, out := &in.NameAssertion, &out.NameAssertion
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrgAssertion != nil {
+		in, out := &in.OrgAssertion, &out.OrgAssertion
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleAssertion != nil {
+		in, out := &in.RoleAssertion, &out.RoleAssertion
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.WorkspaceID != nil {
+		in, out := &in.WorkspaceID, &out.WorkspaceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceSAMLConfigurationObservation.
diff --git a/apis/grafana/v1beta1/zz_licenseassociation_types.go b/apis/grafana/v1beta1/zz_licenseassociation_types.go
index b20c583f34..762243bca5 100755
--- a/apis/grafana/v1beta1/zz_licenseassociation_types.go
+++ b/apis/grafana/v1beta1/zz_licenseassociation_types.go
@@ -22,13 +22,19 @@ type LicenseAssociationObservation struct {
 
 	// If license_type is set to ENTERPRISE, this is the expiration date of the enterprise license.
 	LicenseExpiration *string `json:"licenseExpiration,omitempty" tf:"license_expiration,omitempty"`
+
+	// The type of license for the workspace license association. Valid values are ENTERPRISE and ENTERPRISE_FREE_TRIAL.
+	LicenseType *string `json:"licenseType,omitempty" tf:"license_type,omitempty"`
+
+	// The workspace id.
+	WorkspaceID *string `json:"workspaceId,omitempty" tf:"workspace_id,omitempty"`
 }
 
 type LicenseAssociationParameters struct {
 
 	// The type of license for the workspace license association. Valid values are ENTERPRISE and ENTERPRISE_FREE_TRIAL.
-	// +kubebuilder:validation:Required
-	LicenseType *string `json:"licenseType" tf:"license_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	LicenseType *string `json:"licenseType,omitempty" tf:"license_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -74,8 +80,9 @@ type LicenseAssociationStatus struct {
 type LicenseAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LicenseAssociationSpec   `json:"spec"`
-	Status            LicenseAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.licenseType)",message="licenseType is a required parameter"
+	Spec   LicenseAssociationSpec   `json:"spec"`
+	Status LicenseAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/grafana/v1beta1/zz_roleassociation_types.go b/apis/grafana/v1beta1/zz_roleassociation_types.go
index ac2466f724..0478392c4e 100755
--- a/apis/grafana/v1beta1/zz_roleassociation_types.go
+++ b/apis/grafana/v1beta1/zz_roleassociation_types.go
@@ -14,7 +14,20 @@ import (
 )
 
 type RoleAssociationObservation struct {
+
+	// The AWS SSO group ids to be assigned the role given in role.
+	GroupIds []*string `json:"groupIds,omitempty" tf:"group_ids,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The grafana role. Valid values can be found here.
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+	// The AWS SSO user ids to be assigned the role given in role.
+	UserIds []*string `json:"userIds,omitempty" tf:"user_ids,omitempty"`
+
+	// The workspace id.
+	WorkspaceID *string `json:"workspaceId,omitempty" tf:"workspace_id,omitempty"`
 }
 
 type RoleAssociationParameters struct {
@@ -29,8 +42,8 @@ type RoleAssociationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The grafana role. Valid values can be found here.
-	// +kubebuilder:validation:Required
-	Role *string `json:"role" tf:"role,omitempty"`
+	// +kubebuilder:validation:Optional
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
 
 	// The AWS SSO user ids to be assigned the role given in role.
 	// +kubebuilder:validation:Optional
@@ -74,8 +87,9 @@ type RoleAssociationStatus struct {
 type RoleAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RoleAssociationSpec   `json:"spec"`
-	Status            RoleAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)",message="role is a required parameter"
+	Spec   RoleAssociationSpec   `json:"spec"`
+	Status RoleAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/grafana/v1beta1/zz_workspace_types.go b/apis/grafana/v1beta1/zz_workspace_types.go
index d868a021b0..6eadfbf054 100755
--- a/apis/grafana/v1beta1/zz_workspace_types.go
+++ b/apis/grafana/v1beta1/zz_workspace_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type VPCConfigurationObservation struct {
+
+	// - The list of Amazon EC2 security group IDs attached to the Amazon VPC for your Grafana workspace to connect.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// - The list of Amazon EC2 subnet IDs created in the Amazon VPC for your Grafana workspace to connect.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 }
 
 type VPCConfigurationParameters struct {
@@ -29,9 +35,24 @@ type VPCConfigurationParameters struct {
 
 type WorkspaceObservation struct {
 
+	// The type of account access for the workspace. Valid values are CURRENT_ACCOUNT and ORGANIZATION. If ORGANIZATION is specified, then organizational_units must also be present.
+	AccountAccessType *string `json:"accountAccessType,omitempty" tf:"account_access_type,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the Grafana workspace.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The authentication providers for the workspace. Valid values are AWS_SSO, SAML, or both.
+	AuthenticationProviders []*string `json:"authenticationProviders,omitempty" tf:"authentication_providers,omitempty"`
+
+	// The configuration string for the workspace that you create. For more information about the format and configuration options available, see Working in your Grafana workspace.
+	Configuration *string `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// The data sources for the workspace. Valid values are AMAZON_OPENSEARCH_SERVICE, ATHENA, CLOUDWATCH, PROMETHEUS, REDSHIFT, SITEWISE, TIMESTREAM, XRAY
+	DataSources []*string `json:"dataSources,omitempty" tf:"data_sources,omitempty"`
+
+	// The workspace description.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The endpoint of the Grafana workspace.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
@@ -40,21 +61,48 @@ type WorkspaceObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Grafana workspace name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The notification destinations. If a data source is specified here, Amazon Managed Grafana will create IAM roles and permissions needed to use these destinations. Must be set to SNS.
+	NotificationDestinations []*string `json:"notificationDestinations,omitempty" tf:"notification_destinations,omitempty"`
+
+	// The role name that the workspace uses to access resources through Amazon Organizations.
+	OrganizationRoleName *string `json:"organizationRoleName,omitempty" tf:"organization_role_name,omitempty"`
+
+	// The Amazon Organizations organizational units that the workspace is authorized to use data sources from.
+	OrganizationalUnits []*string `json:"organizationalUnits,omitempty" tf:"organizational_units,omitempty"`
+
+	// The permission type of the workspace. If SERVICE_MANAGED is specified, the IAM roles and IAM policy attachments are generated automatically. If CUSTOMER_MANAGED is specified, the IAM roles and IAM policy attachments will not be created.
+	PermissionType *string `json:"permissionType,omitempty" tf:"permission_type,omitempty"`
+
+	// The IAM role ARN that the workspace assumes.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
 	SAMLConfigurationStatus *string `json:"samlConfigurationStatus,omitempty" tf:"saml_configuration_status,omitempty"`
 
+	// The AWS CloudFormation stack set name that provisions IAM roles to be used by the workspace.
+	StackSetName *string `json:"stackSetName,omitempty" tf:"stack_set_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The configuration settings for an Amazon VPC that contains data sources for your Grafana workspace to connect to. See VPC Configuration below.
+	VPCConfiguration []VPCConfigurationObservation `json:"vpcConfiguration,omitempty" tf:"vpc_configuration,omitempty"`
 }
 
 type WorkspaceParameters struct {
 
 	// The type of account access for the workspace. Valid values are CURRENT_ACCOUNT and ORGANIZATION. If ORGANIZATION is specified, then organizational_units must also be present.
-	// +kubebuilder:validation:Required
-	AccountAccessType *string `json:"accountAccessType" tf:"account_access_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccountAccessType *string `json:"accountAccessType,omitempty" tf:"account_access_type,omitempty"`
 
 	// The authentication providers for the workspace. Valid values are AWS_SSO, SAML, or both.
-	// +kubebuilder:validation:Required
-	AuthenticationProviders []*string `json:"authenticationProviders" tf:"authentication_providers,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthenticationProviders []*string `json:"authenticationProviders,omitempty" tf:"authentication_providers,omitempty"`
 
 	// The configuration string for the workspace that you create. For more information about the format and configuration options available, see Working in your Grafana workspace.
 	// +kubebuilder:validation:Optional
@@ -85,8 +133,8 @@ type WorkspaceParameters struct {
 	OrganizationalUnits []*string `json:"organizationalUnits,omitempty" tf:"organizational_units,omitempty"`
 
 	// The permission type of the workspace. If SERVICE_MANAGED is specified, the IAM roles and IAM policy attachments are generated automatically. If CUSTOMER_MANAGED is specified, the IAM roles and IAM policy attachments will not be created.
-	// +kubebuilder:validation:Required
-	PermissionType *string `json:"permissionType" tf:"permission_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	PermissionType *string `json:"permissionType,omitempty" tf:"permission_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -144,8 +192,11 @@ type WorkspaceStatus struct {
 type Workspace struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WorkspaceSpec   `json:"spec"`
-	Status            WorkspaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountAccessType)",message="accountAccessType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authenticationProviders)",message="authenticationProviders is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissionType)",message="permissionType is a required parameter"
+	Spec   WorkspaceSpec   `json:"spec"`
+	Status WorkspaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/grafana/v1beta1/zz_workspaceapikey_types.go b/apis/grafana/v1beta1/zz_workspaceapikey_types.go
index 0a3a376d34..2efd5d2663 100755
--- a/apis/grafana/v1beta1/zz_workspaceapikey_types.go
+++ b/apis/grafana/v1beta1/zz_workspaceapikey_types.go
@@ -18,17 +18,29 @@ type WorkspaceAPIKeyObservation struct {
 
 	// The key token in JSON format. Use this value as a bearer token to authenticate HTTP requests to the workspace.
 	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Specifies the name of the API key. Key names must be unique to the workspace.
+	KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
+
+	// Specifies the permission level of the API key. Valid values are VIEWER, EDITOR, or ADMIN.
+	KeyRole *string `json:"keyRole,omitempty" tf:"key_role,omitempty"`
+
+	// Specifies the time in seconds until the API key expires. Keys can be valid for up to 30 days.
+	SecondsToLive *float64 `json:"secondsToLive,omitempty" tf:"seconds_to_live,omitempty"`
+
+	// The ID of the workspace that the API key is valid for.
+	WorkspaceID *string `json:"workspaceId,omitempty" tf:"workspace_id,omitempty"`
 }
 
 type WorkspaceAPIKeyParameters struct {
 
 	// Specifies the name of the API key. Key names must be unique to the workspace.
-	// +kubebuilder:validation:Required
-	KeyName *string `json:"keyName" tf:"key_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	KeyName *string `json:"keyName,omitempty" tf:"key_name,omitempty"`
 
 	// Specifies the permission level of the API key. Valid values are VIEWER, EDITOR, or ADMIN.
-	// +kubebuilder:validation:Required
-	KeyRole *string `json:"keyRole" tf:"key_role,omitempty"`
+	// +kubebuilder:validation:Optional
+	KeyRole *string `json:"keyRole,omitempty" tf:"key_role,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -36,8 +48,8 @@ type WorkspaceAPIKeyParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Specifies the time in seconds until the API key expires. Keys can be valid for up to 30 days.
-	// +kubebuilder:validation:Required
-	SecondsToLive *float64 `json:"secondsToLive" tf:"seconds_to_live,omitempty"`
+	// +kubebuilder:validation:Optional
+	SecondsToLive *float64 `json:"secondsToLive,omitempty" tf:"seconds_to_live,omitempty"`
 
 	// The ID of the workspace that the API key is valid for.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/grafana/v1beta1.Workspace
@@ -78,8 +90,11 @@ type WorkspaceAPIKeyStatus struct {
 type WorkspaceAPIKey struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WorkspaceAPIKeySpec   `json:"spec"`
-	Status            WorkspaceAPIKeyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyName)",message="keyName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyRole)",message="keyRole is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.secondsToLive)",message="secondsToLive is a required parameter"
+	Spec   WorkspaceAPIKeySpec   `json:"spec"`
+	Status WorkspaceAPIKeyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/grafana/v1beta1/zz_workspacesamlconfiguration_types.go b/apis/grafana/v1beta1/zz_workspacesamlconfiguration_types.go
index 828f069fa1..eb362225c8 100755
--- a/apis/grafana/v1beta1/zz_workspacesamlconfiguration_types.go
+++ b/apis/grafana/v1beta1/zz_workspacesamlconfiguration_types.go
@@ -14,10 +14,50 @@ import (
 )
 
 type WorkspaceSAMLConfigurationObservation struct {
+
+	// The admin role values.
+	AdminRoleValues []*string `json:"adminRoleValues,omitempty" tf:"admin_role_values,omitempty"`
+
+	// The allowed organizations.
+	AllowedOrganizations []*string `json:"allowedOrganizations,omitempty" tf:"allowed_organizations,omitempty"`
+
+	// The editor role values.
+	EditorRoleValues []*string `json:"editorRoleValues,omitempty" tf:"editor_role_values,omitempty"`
+
+	// The email assertion.
+	EmailAssertion *string `json:"emailAssertion,omitempty" tf:"email_assertion,omitempty"`
+
+	// The groups assertion.
+	GroupsAssertion *string `json:"groupsAssertion,omitempty" tf:"groups_assertion,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IDP Metadata URL. Note that either idp_metadata_url or idp_metadata_xml (but not both) must be specified.
+	IdpMetadataURL *string `json:"idpMetadataUrl,omitempty" tf:"idp_metadata_url,omitempty"`
+
+	// The IDP Metadata XML. Note that either idp_metadata_url or idp_metadata_xml (but not both) must be specified.
+	IdpMetadataXML *string `json:"idpMetadataXml,omitempty" tf:"idp_metadata_xml,omitempty"`
+
+	// The login assertion.
+	LoginAssertion *string `json:"loginAssertion,omitempty" tf:"login_assertion,omitempty"`
+
+	// The login validity duration.
+	LoginValidityDuration *float64 `json:"loginValidityDuration,omitempty" tf:"login_validity_duration,omitempty"`
+
+	// The name assertion.
+	NameAssertion *string `json:"nameAssertion,omitempty" tf:"name_assertion,omitempty"`
+
+	// The org assertion.
+	OrgAssertion *string `json:"orgAssertion,omitempty" tf:"org_assertion,omitempty"`
+
+	// The role assertion.
+	RoleAssertion *string `json:"roleAssertion,omitempty" tf:"role_assertion,omitempty"`
+
 	// The status of the SAML configuration.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// The workspace id.
+	WorkspaceID *string `json:"workspaceId,omitempty" tf:"workspace_id,omitempty"`
 }
 
 type WorkspaceSAMLConfigurationParameters struct {
@@ -31,8 +71,8 @@ type WorkspaceSAMLConfigurationParameters struct {
 	AllowedOrganizations []*string `json:"allowedOrganizations,omitempty" tf:"allowed_organizations,omitempty"`
 
 	// The editor role values.
-	// +kubebuilder:validation:Required
-	EditorRoleValues []*string `json:"editorRoleValues" tf:"editor_role_values,omitempty"`
+	// +kubebuilder:validation:Optional
+	EditorRoleValues []*string `json:"editorRoleValues,omitempty" tf:"editor_role_values,omitempty"`
 
 	// The email assertion.
 	// +kubebuilder:validation:Optional
@@ -113,8 +153,9 @@ type WorkspaceSAMLConfigurationStatus struct {
 type WorkspaceSAMLConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WorkspaceSAMLConfigurationSpec   `json:"spec"`
-	Status            WorkspaceSAMLConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.editorRoleValues)",message="editorRoleValues is a required parameter"
+	Spec   WorkspaceSAMLConfigurationSpec   `json:"spec"`
+	Status WorkspaceSAMLConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/guardduty/v1beta1/zz_detector_types.go b/apis/guardduty/v1beta1/zz_detector_types.go
index 21ab3e2268..d976f1e090 100755
--- a/apis/guardduty/v1beta1/zz_detector_types.go
+++ b/apis/guardduty/v1beta1/zz_detector_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type AuditLogsObservation struct {
+
+	// If true, enables Malware Protection as data source for the detector.
+	// Defaults to true.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
 }
 
 type AuditLogsParameters struct {
@@ -25,6 +29,18 @@ type AuditLogsParameters struct {
 }
 
 type DatasourcesObservation struct {
+
+	// Configures Kubernetes protection.
+	// See Kubernetes and Kubernetes Audit Logs below for more details.
+	Kubernetes []KubernetesObservation `json:"kubernetes,omitempty" tf:"kubernetes,omitempty"`
+
+	// Configures Malware Protection.
+	// See Malware Protection, Scan EC2 instance with findings and EBS volumes below for more details.
+	MalwareProtection []MalwareProtectionObservation `json:"malwareProtection,omitempty" tf:"malware_protection,omitempty"`
+
+	// Configures S3 protection.
+	// See S3 Logs below for more details.
+	S3Logs []S3LogsObservation `json:"s3Logs,omitempty" tf:"s3_logs,omitempty"`
 }
 
 type DatasourcesParameters struct {
@@ -53,9 +69,21 @@ type DetectorObservation struct {
 	// Amazon Resource Name (ARN) of the GuardDuty detector
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Describes which data sources will be enabled for the detector. See Data Sources below for more details.
+	Datasources []DatasourcesObservation `json:"datasources,omitempty" tf:"datasources,omitempty"`
+
+	// Enable monitoring and feedback reporting. Setting to false is equivalent to "suspending" GuardDuty. Defaults to true.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	// Specifies the frequency of notifications sent for subsequent finding occurrences. If the detector is a GuardDuty member account, the value is determined by the GuardDuty primary account and cannot be modified, otherwise defaults to SIX_HOURS. Valid values for standalone and primary accounts: FIFTEEN_MINUTES, ONE_HOUR, SIX_HOURS. See AWS Documentation for more information.
+	FindingPublishingFrequency *string `json:"findingPublishingFrequency,omitempty" tf:"finding_publishing_frequency,omitempty"`
+
 	// The ID of the GuardDuty detector
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -85,6 +113,10 @@ type DetectorParameters struct {
 }
 
 type EBSVolumesObservation struct {
+
+	// If true, enables Malware Protection as data source for the detector.
+	// Defaults to true.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
 }
 
 type EBSVolumesParameters struct {
@@ -96,6 +128,10 @@ type EBSVolumesParameters struct {
 }
 
 type KubernetesObservation struct {
+
+	// Configures Kubernetes audit logs as a data source for Kubernetes protection.
+	// See Kubernetes Audit Logs below for more details.
+	AuditLogs []AuditLogsObservation `json:"auditLogs,omitempty" tf:"audit_logs,omitempty"`
 }
 
 type KubernetesParameters struct {
@@ -107,6 +143,10 @@ type KubernetesParameters struct {
 }
 
 type MalwareProtectionObservation struct {
+
+	// Configure whether Malware Protection is enabled as data source for EC2 instances with findings for the detector.
+	// See Scan EC2 instance with findings below for more details.
+	ScanEC2InstanceWithFindings []ScanEC2InstanceWithFindingsObservation `json:"scanEc2InstanceWithFindings,omitempty" tf:"scan_ec2_instance_with_findings,omitempty"`
 }
 
 type MalwareProtectionParameters struct {
@@ -118,6 +158,10 @@ type MalwareProtectionParameters struct {
 }
 
 type S3LogsObservation struct {
+
+	// If true, enables S3 protection.
+	// Defaults to true.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
 }
 
 type S3LogsParameters struct {
@@ -129,6 +173,10 @@ type S3LogsParameters struct {
 }
 
 type ScanEC2InstanceWithFindingsObservation struct {
+
+	// Configure whether scanning EBS volumes is enabled as data source for the detector for instances with findings.
+	// See EBS volumes below for more details.
+	EBSVolumes []EBSVolumesObservation `json:"ebsVolumes,omitempty" tf:"ebs_volumes,omitempty"`
 }
 
 type ScanEC2InstanceWithFindingsParameters struct {
diff --git a/apis/guardduty/v1beta1/zz_filter_types.go b/apis/guardduty/v1beta1/zz_filter_types.go
index b821ce2d84..39767470a1 100755
--- a/apis/guardduty/v1beta1/zz_filter_types.go
+++ b/apis/guardduty/v1beta1/zz_filter_types.go
@@ -14,6 +14,27 @@ import (
 )
 
 type CriterionObservation struct {
+
+	// List of string values to be evaluated.
+	Equals []*string `json:"equals,omitempty" tf:"equals,omitempty"`
+
+	// The name of the field to be evaluated. The full list of field names can be found in AWS documentation.
+	Field *string `json:"field,omitempty" tf:"field,omitempty"`
+
+	// A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
+	GreaterThan *string `json:"greaterThan,omitempty" tf:"greater_than,omitempty"`
+
+	// A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
+	GreaterThanOrEqual *string `json:"greaterThanOrEqual,omitempty" tf:"greater_than_or_equal,omitempty"`
+
+	// A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
+	LessThan *string `json:"lessThan,omitempty" tf:"less_than,omitempty"`
+
+	// A value to be evaluated. Accepts either an integer or a date in RFC 3339 format.
+	LessThanOrEqual *string `json:"lessThanOrEqual,omitempty" tf:"less_than_or_equal,omitempty"`
+
+	// List of string values to be evaluated.
+	NotEquals []*string `json:"notEquals,omitempty" tf:"not_equals,omitempty"`
 }
 
 type CriterionParameters struct {
@@ -49,12 +70,30 @@ type CriterionParameters struct {
 
 type FilterObservation struct {
 
+	// Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
 	// The ARN of the GuardDuty filter.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the filter.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// ID of a GuardDuty detector, attached to your account.
+	DetectorID *string `json:"detectorId,omitempty" tf:"detector_id,omitempty"`
+
+	// Represents the criteria to be used in the filter for querying findings. Contains one or more criterion blocks, documented below.
+	FindingCriteria []FindingCriteriaObservation `json:"findingCriteria,omitempty" tf:"finding_criteria,omitempty"`
+
 	// A compound field, consisting of the ID of the GuardDuty detector and the name of the filter.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
+	Rank *float64 `json:"rank,omitempty" tf:"rank,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -62,8 +101,8 @@ type FilterObservation struct {
 type FilterParameters struct {
 
 	// Specifies the action that is to be applied to the findings that match the filter. Can be one of ARCHIVE or NOOP.
-	// +kubebuilder:validation:Required
-	Action *string `json:"action" tf:"action,omitempty"`
+	// +kubebuilder:validation:Optional
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
 
 	// Description of the filter.
 	// +kubebuilder:validation:Optional
@@ -84,12 +123,12 @@ type FilterParameters struct {
 	DetectorIDSelector *v1.Selector `json:"detectorIdSelector,omitempty" tf:"-"`
 
 	// Represents the criteria to be used in the filter for querying findings. Contains one or more criterion blocks, documented below.
-	// +kubebuilder:validation:Required
-	FindingCriteria []FindingCriteriaParameters `json:"findingCriteria" tf:"finding_criteria,omitempty"`
+	// +kubebuilder:validation:Optional
+	FindingCriteria []FindingCriteriaParameters `json:"findingCriteria,omitempty" tf:"finding_criteria,omitempty"`
 
 	// Specifies the position of the filter in the list of current filters. Also specifies the order in which this filter is applied to the findings.
-	// +kubebuilder:validation:Required
-	Rank *float64 `json:"rank" tf:"rank,omitempty"`
+	// +kubebuilder:validation:Optional
+	Rank *float64 `json:"rank,omitempty" tf:"rank,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -102,6 +141,7 @@ type FilterParameters struct {
 }
 
 type FindingCriteriaObservation struct {
+	Criterion []CriterionObservation `json:"criterion,omitempty" tf:"criterion,omitempty"`
 }
 
 type FindingCriteriaParameters struct {
@@ -134,8 +174,11 @@ type FilterStatus struct {
 type Filter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FilterSpec   `json:"spec"`
-	Status            FilterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)",message="action is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.findingCriteria)",message="findingCriteria is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rank)",message="rank is a required parameter"
+	Spec   FilterSpec   `json:"spec"`
+	Status FilterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/guardduty/v1beta1/zz_generated.deepcopy.go b/apis/guardduty/v1beta1/zz_generated.deepcopy.go
index 22e1d0e98e..7434ec6cb9 100644
--- a/apis/guardduty/v1beta1/zz_generated.deepcopy.go
+++ b/apis/guardduty/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuditLogsObservation) DeepCopyInto(out *AuditLogsObservation) {
 	*out = *in
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuditLogsObservation.
@@ -52,6 +57,53 @@ func (in *AuditLogsParameters) DeepCopy() *AuditLogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CriterionObservation) DeepCopyInto(out *CriterionObservation) {
 	*out = *in
+	if in.Equals != nil {
+		in, out := &in.Equals, &out.Equals
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Field != nil {
+		in, out := &in.Field, &out.Field
+		*out = new(string)
+		**out = **in
+	}
+	if in.GreaterThan != nil {
+		in, out := &in.GreaterThan, &out.GreaterThan
+		*out = new(string)
+		**out = **in
+	}
+	if in.GreaterThanOrEqual != nil {
+		in, out := &in.GreaterThanOrEqual, &out.GreaterThanOrEqual
+		*out = new(string)
+		**out = **in
+	}
+	if in.LessThan != nil {
+		in, out := &in.LessThan, &out.LessThan
+		*out = new(string)
+		**out = **in
+	}
+	if in.LessThanOrEqual != nil {
+		in, out := &in.LessThanOrEqual, &out.LessThanOrEqual
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotEquals != nil {
+		in, out := &in.NotEquals, &out.NotEquals
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CriterionObservation.
@@ -129,6 +181,27 @@ func (in *CriterionParameters) DeepCopy() *CriterionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DatasourcesObservation) DeepCopyInto(out *DatasourcesObservation) {
 	*out = *in
+	if in.Kubernetes != nil {
+		in, out := &in.Kubernetes, &out.Kubernetes
+		*out = make([]KubernetesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MalwareProtection != nil {
+		in, out := &in.MalwareProtection, &out.MalwareProtection
+		*out = make([]MalwareProtectionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Logs != nil {
+		in, out := &in.S3Logs, &out.S3Logs
+		*out = make([]S3LogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DatasourcesObservation.
@@ -249,11 +322,43 @@ func (in *DetectorObservation) DeepCopyInto(out *DetectorObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Datasources != nil {
+		in, out := &in.Datasources, &out.Datasources
+		*out = make([]DatasourcesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FindingPublishingFrequency != nil {
+		in, out := &in.FindingPublishingFrequency, &out.FindingPublishingFrequency
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -370,6 +475,11 @@ func (in *DetectorStatus) DeepCopy() *DetectorStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSVolumesObservation) DeepCopyInto(out *EBSVolumesObservation) {
 	*out = *in
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSVolumesObservation.
@@ -464,16 +574,58 @@ func (in *FilterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterObservation) DeepCopyInto(out *FilterObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DetectorID != nil {
+		in, out := &in.DetectorID, &out.DetectorID
+		*out = new(string)
+		**out = **in
+	}
+	if in.FindingCriteria != nil {
+		in, out := &in.FindingCriteria, &out.FindingCriteria
+		*out = make([]FindingCriteriaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Rank != nil {
+		in, out := &in.Rank, &out.Rank
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -610,6 +762,13 @@ func (in *FilterStatus) DeepCopy() *FilterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingCriteriaObservation) DeepCopyInto(out *FindingCriteriaObservation) {
 	*out = *in
+	if in.Criterion != nil {
+		in, out := &in.Criterion, &out.Criterion
+		*out = make([]CriterionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingCriteriaObservation.
@@ -647,6 +806,13 @@ func (in *FindingCriteriaParameters) DeepCopy() *FindingCriteriaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KubernetesObservation) DeepCopyInto(out *KubernetesObservation) {
 	*out = *in
+	if in.AuditLogs != nil {
+		in, out := &in.AuditLogs, &out.AuditLogs
+		*out = make([]AuditLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KubernetesObservation.
@@ -684,6 +850,13 @@ func (in *KubernetesParameters) DeepCopy() *KubernetesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MalwareProtectionObservation) DeepCopyInto(out *MalwareProtectionObservation) {
 	*out = *in
+	if in.ScanEC2InstanceWithFindings != nil {
+		in, out := &in.ScanEC2InstanceWithFindings, &out.ScanEC2InstanceWithFindings
+		*out = make([]ScanEC2InstanceWithFindingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MalwareProtectionObservation.
@@ -780,11 +953,41 @@ func (in *MemberList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DetectorID != nil {
+		in, out := &in.DetectorID, &out.DetectorID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableEmailNotification != nil {
+		in, out := &in.DisableEmailNotification, &out.DisableEmailNotification
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InvitationMessage != nil {
+		in, out := &in.InvitationMessage, &out.InvitationMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Invite != nil {
+		in, out := &in.Invite, &out.Invite
+		*out = new(bool)
+		**out = **in
+	}
 	if in.RelationshipStatus != nil {
 		in, out := &in.RelationshipStatus, &out.RelationshipStatus
 		*out = new(string)
@@ -909,6 +1112,11 @@ func (in *MemberStatus) DeepCopy() *MemberStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3LogsObservation) DeepCopyInto(out *S3LogsObservation) {
 	*out = *in
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3LogsObservation.
@@ -944,6 +1152,13 @@ func (in *S3LogsParameters) DeepCopy() *S3LogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScanEC2InstanceWithFindingsObservation) DeepCopyInto(out *ScanEC2InstanceWithFindingsObservation) {
 	*out = *in
+	if in.EBSVolumes != nil {
+		in, out := &in.EBSVolumes, &out.EBSVolumes
+		*out = make([]EBSVolumesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScanEC2InstanceWithFindingsObservation.
diff --git a/apis/guardduty/v1beta1/zz_member_types.go b/apis/guardduty/v1beta1/zz_member_types.go
index fe585786b8..f51d7fb27a 100755
--- a/apis/guardduty/v1beta1/zz_member_types.go
+++ b/apis/guardduty/v1beta1/zz_member_types.go
@@ -15,9 +15,27 @@ import (
 
 type MemberObservation struct {
 
+	// AWS account ID for member account.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// The detector ID of the GuardDuty account where you want to create member accounts.
+	DetectorID *string `json:"detectorId,omitempty" tf:"detector_id,omitempty"`
+
+	// Boolean whether an email notification is sent to the accounts. Defaults to false.
+	DisableEmailNotification *bool `json:"disableEmailNotification,omitempty" tf:"disable_email_notification,omitempty"`
+
+	// Email address for member account.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
 	// The ID of the GuardDuty member
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Message for invitation.
+	InvitationMessage *string `json:"invitationMessage,omitempty" tf:"invitation_message,omitempty"`
+
+	// Boolean whether to invite the account to GuardDuty as a member. Defaults to false.
+	Invite *bool `json:"invite,omitempty" tf:"invite,omitempty"`
+
 	// The status of the relationship between the member account and its primary account. More information can be found in Amazon GuardDuty API Reference.
 	RelationshipStatus *string `json:"relationshipStatus,omitempty" tf:"relationship_status,omitempty"`
 }
@@ -57,8 +75,8 @@ type MemberParameters struct {
 	DisableEmailNotification *bool `json:"disableEmailNotification,omitempty" tf:"disable_email_notification,omitempty"`
 
 	// Email address for member account.
-	// +kubebuilder:validation:Required
-	Email *string `json:"email" tf:"email,omitempty"`
+	// +kubebuilder:validation:Optional
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
 
 	// Message for invitation.
 	// +kubebuilder:validation:Optional
@@ -98,8 +116,9 @@ type MemberStatus struct {
 type Member struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MemberSpec   `json:"spec"`
-	Status            MemberStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)",message="email is a required parameter"
+	Spec   MemberSpec   `json:"spec"`
+	Status MemberStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_accesskey_types.go b/apis/iam/v1beta1/zz_accesskey_types.go
index def27556e6..b6e48adaeb 100755
--- a/apis/iam/v1beta1/zz_accesskey_types.go
+++ b/apis/iam/v1beta1/zz_accesskey_types.go
@@ -29,6 +29,15 @@ type AccessKeyObservation struct {
 
 	// Fingerprint of the PGP key used to encrypt the secret. This attribute is not available for imported resources.
 	KeyFingerprint *string `json:"keyFingerprint,omitempty" tf:"key_fingerprint,omitempty"`
+
+	// Either a base-64 encoded PGP public key, or a keybase username in the form keybase:some_person_that_exists, for use in the encrypted_secret output attribute. If providing a base-64 encoded PGP public key, make sure to provide the "raw" version and not the "armored" one (e.g. avoid passing the -a option to gpg --export).
+	PgpKey *string `json:"pgpKey,omitempty" tf:"pgp_key,omitempty"`
+
+	// Access key status to apply. Defaults to Active. Valid values are Active and Inactive.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// IAM user to associate with this access key.
+	User *string `json:"user,omitempty" tf:"user,omitempty"`
 }
 
 type AccessKeyParameters struct {
diff --git a/apis/iam/v1beta1/zz_accountpasswordpolicy_types.go b/apis/iam/v1beta1/zz_accountpasswordpolicy_types.go
index 18c33cf133..b8e07998d5 100755
--- a/apis/iam/v1beta1/zz_accountpasswordpolicy_types.go
+++ b/apis/iam/v1beta1/zz_accountpasswordpolicy_types.go
@@ -15,10 +15,37 @@ import (
 
 type AccountPasswordPolicyObservation struct {
 
+	// Whether to allow users to change their own password
+	AllowUsersToChangePassword *bool `json:"allowUsersToChangePassword,omitempty" tf:"allow_users_to_change_password,omitempty"`
+
 	// Indicates whether passwords in the account expire. Returns true if max_password_age contains a value greater than 0. Returns false if it is 0 or not present.
 	ExpirePasswords *bool `json:"expirePasswords,omitempty" tf:"expire_passwords,omitempty"`
 
+	// Whether users are prevented from setting a new password after their password has expired (i.e., require administrator reset)
+	HardExpiry *bool `json:"hardExpiry,omitempty" tf:"hard_expiry,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The number of days that an user password is valid.
+	MaxPasswordAge *float64 `json:"maxPasswordAge,omitempty" tf:"max_password_age,omitempty"`
+
+	// Minimum length to require for user passwords.
+	MinimumPasswordLength *float64 `json:"minimumPasswordLength,omitempty" tf:"minimum_password_length,omitempty"`
+
+	// The number of previous passwords that users are prevented from reusing.
+	PasswordReusePrevention *float64 `json:"passwordReusePrevention,omitempty" tf:"password_reuse_prevention,omitempty"`
+
+	// Whether to require lowercase characters for user passwords.
+	RequireLowercaseCharacters *bool `json:"requireLowercaseCharacters,omitempty" tf:"require_lowercase_characters,omitempty"`
+
+	// Whether to require numbers for user passwords.
+	RequireNumbers *bool `json:"requireNumbers,omitempty" tf:"require_numbers,omitempty"`
+
+	// Whether to require symbols for user passwords.
+	RequireSymbols *bool `json:"requireSymbols,omitempty" tf:"require_symbols,omitempty"`
+
+	// Whether to require uppercase characters for user passwords.
+	RequireUppercaseCharacters *bool `json:"requireUppercaseCharacters,omitempty" tf:"require_uppercase_characters,omitempty"`
 }
 
 type AccountPasswordPolicyParameters struct {
diff --git a/apis/iam/v1beta1/zz_generated.deepcopy.go b/apis/iam/v1beta1/zz_generated.deepcopy.go
index 6fe1ca9484..c77d113bcc 100644
--- a/apis/iam/v1beta1/zz_generated.deepcopy.go
+++ b/apis/iam/v1beta1/zz_generated.deepcopy.go
@@ -101,6 +101,21 @@ func (in *AccessKeyObservation) DeepCopyInto(out *AccessKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PgpKey != nil {
+		in, out := &in.PgpKey, &out.PgpKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.User != nil {
+		in, out := &in.User, &out.User
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessKeyObservation.
@@ -377,16 +392,61 @@ func (in *AccountPasswordPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountPasswordPolicyObservation) DeepCopyInto(out *AccountPasswordPolicyObservation) {
 	*out = *in
+	if in.AllowUsersToChangePassword != nil {
+		in, out := &in.AllowUsersToChangePassword, &out.AllowUsersToChangePassword
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ExpirePasswords != nil {
 		in, out := &in.ExpirePasswords, &out.ExpirePasswords
 		*out = new(bool)
 		**out = **in
 	}
+	if in.HardExpiry != nil {
+		in, out := &in.HardExpiry, &out.HardExpiry
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxPasswordAge != nil {
+		in, out := &in.MaxPasswordAge, &out.MaxPasswordAge
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinimumPasswordLength != nil {
+		in, out := &in.MinimumPasswordLength, &out.MinimumPasswordLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PasswordReusePrevention != nil {
+		in, out := &in.PasswordReusePrevention, &out.PasswordReusePrevention
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RequireLowercaseCharacters != nil {
+		in, out := &in.RequireLowercaseCharacters, &out.RequireLowercaseCharacters
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequireNumbers != nil {
+		in, out := &in.RequireNumbers, &out.RequireNumbers
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequireSymbols != nil {
+		in, out := &in.RequireSymbols, &out.RequireSymbols
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequireUppercaseCharacters != nil {
+		in, out := &in.RequireUppercaseCharacters, &out.RequireUppercaseCharacters
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountPasswordPolicyObservation.
@@ -614,11 +674,32 @@ func (in *GroupMembershipList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GroupMembershipObservation) DeepCopyInto(out *GroupMembershipObservation) {
 	*out = *in
+	if in.Group != nil {
+		in, out := &in.Group, &out.Group
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Users != nil {
+		in, out := &in.Users, &out.Users
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupMembershipObservation.
@@ -736,6 +817,11 @@ func (in *GroupObservation) DeepCopyInto(out *GroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 	if in.UniqueID != nil {
 		in, out := &in.UniqueID, &out.UniqueID
 		*out = new(string)
@@ -835,11 +921,21 @@ func (in *GroupPolicyAttachmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GroupPolicyAttachmentObservation) DeepCopyInto(out *GroupPolicyAttachmentObservation) {
 	*out = *in
+	if in.Group != nil {
+		in, out := &in.Group, &out.Group
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyArn != nil {
+		in, out := &in.PolicyArn, &out.PolicyArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupPolicyAttachmentObservation.
@@ -1082,6 +1178,31 @@ func (in *InstanceProfileObservation) DeepCopyInto(out *InstanceProfileObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1265,11 +1386,37 @@ func (in *OpenIDConnectProviderObservation) DeepCopyInto(out *OpenIDConnectProvi
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClientIDList != nil {
+		in, out := &in.ClientIDList, &out.ClientIDList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1285,6 +1432,22 @@ func (in *OpenIDConnectProviderObservation) DeepCopyInto(out *OpenIDConnectProvi
 			(*out)[key] = outVal
 		}
 	}
+	if in.ThumbprintList != nil {
+		in, out := &in.ThumbprintList, &out.ThumbprintList
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenIDConnectProviderObservation.
@@ -1455,16 +1618,46 @@ func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 	if in.PolicyID != nil {
 		in, out := &in.PolicyID, &out.PolicyID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1638,11 +1831,26 @@ func (in *RoleObservation) DeepCopyInto(out *RoleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssumeRolePolicy != nil {
+		in, out := &in.AssumeRolePolicy, &out.AssumeRolePolicy
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreateDate != nil {
 		in, out := &in.CreateDate, &out.CreateDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDetachPolicies != nil {
+		in, out := &in.ForceDetachPolicies, &out.ForceDetachPolicies
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1666,6 +1874,36 @@ func (in *RoleObservation) DeepCopyInto(out *RoleObservation) {
 			}
 		}
 	}
+	if in.MaxSessionDuration != nil {
+		in, out := &in.MaxSessionDuration, &out.MaxSessionDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.PermissionsBoundary != nil {
+		in, out := &in.PermissionsBoundary, &out.PermissionsBoundary
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1825,6 +2063,16 @@ func (in *RolePolicyAttachmentObservation) DeepCopyInto(out *RolePolicyAttachmen
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyArn != nil {
+		in, out := &in.PolicyArn, &out.PolicyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RolePolicyAttachmentObservation.
@@ -2022,6 +2270,26 @@ func (in *SAMLProviderObservation) DeepCopyInto(out *SAMLProviderObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SAMLMetadataDocument != nil {
+		in, out := &in.SAMLMetadataDocument, &out.SAMLMetadataDocument
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2190,6 +2458,16 @@ func (in *ServerCertificateObservation) DeepCopyInto(out *ServerCertificateObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.CertificateBody != nil {
+		in, out := &in.CertificateBody, &out.CertificateBody
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateChain != nil {
+		in, out := &in.CertificateChain, &out.CertificateChain
+		*out = new(string)
+		**out = **in
+	}
 	if in.Expiration != nil {
 		in, out := &in.Expiration, &out.Expiration
 		*out = new(string)
@@ -2200,6 +2478,26 @@ func (in *ServerCertificateObservation) DeepCopyInto(out *ServerCertificateObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2379,11 +2677,26 @@ func (in *ServiceLinkedRoleObservation) DeepCopyInto(out *ServiceLinkedRoleObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.AwsServiceName != nil {
+		in, out := &in.AwsServiceName, &out.AwsServiceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreateDate != nil {
 		in, out := &in.CreateDate, &out.CreateDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomSuffix != nil {
+		in, out := &in.CustomSuffix, &out.CustomSuffix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -2399,6 +2712,21 @@ func (in *ServiceLinkedRoleObservation) DeepCopyInto(out *ServiceLinkedRoleObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2577,6 +2905,11 @@ func (in *ServiceSpecificCredentialObservation) DeepCopyInto(out *ServiceSpecifi
 		*out = new(string)
 		**out = **in
 	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ServiceSpecificCredentialID != nil {
 		in, out := &in.ServiceSpecificCredentialID, &out.ServiceSpecificCredentialID
 		*out = new(string)
@@ -2587,6 +2920,16 @@ func (in *ServiceSpecificCredentialObservation) DeepCopyInto(out *ServiceSpecifi
 		*out = new(string)
 		**out = **in
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserName != nil {
+		in, out := &in.UserName, &out.UserName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceSpecificCredentialObservation.
@@ -2735,6 +3078,11 @@ func (in *SigningCertificateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SigningCertificateObservation) DeepCopyInto(out *SigningCertificateObservation) {
 	*out = *in
+	if in.CertificateBody != nil {
+		in, out := &in.CertificateBody, &out.CertificateBody
+		*out = new(string)
+		**out = **in
+	}
 	if in.CertificateID != nil {
 		in, out := &in.CertificateID, &out.CertificateID
 		*out = new(string)
@@ -2745,6 +3093,16 @@ func (in *SigningCertificateObservation) DeepCopyInto(out *SigningCertificateObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserName != nil {
+		in, out := &in.UserName, &out.UserName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SigningCertificateObservation.
@@ -2910,11 +3268,27 @@ func (in *UserGroupMembershipList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserGroupMembershipObservation) DeepCopyInto(out *UserGroupMembershipObservation) {
 	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.User != nil {
+		in, out := &in.User, &out.User
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserGroupMembershipObservation.
@@ -3128,6 +3502,26 @@ func (in *UserLoginProfileObservation) DeepCopyInto(out *UserLoginProfileObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.PasswordLength != nil {
+		in, out := &in.PasswordLength, &out.PasswordLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PasswordResetRequired != nil {
+		in, out := &in.PasswordResetRequired, &out.PasswordResetRequired
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PgpKey != nil {
+		in, out := &in.PgpKey, &out.PgpKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.User != nil {
+		in, out := &in.User, &out.User
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserLoginProfileObservation.
@@ -3227,11 +3621,41 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
+	if in.PermissionsBoundary != nil {
+		in, out := &in.PermissionsBoundary, &out.PermissionsBoundary
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3376,6 +3800,16 @@ func (in *UserPolicyAttachmentObservation) DeepCopyInto(out *UserPolicyAttachmen
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyArn != nil {
+		in, out := &in.PolicyArn, &out.PolicyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.User != nil {
+		in, out := &in.User, &out.User
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserPolicyAttachmentObservation.
@@ -3529,6 +3963,11 @@ func (in *UserSSHKeyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSSHKeyObservation) DeepCopyInto(out *UserSSHKeyObservation) {
 	*out = *in
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
 	if in.Fingerprint != nil {
 		in, out := &in.Fingerprint, &out.Fingerprint
 		*out = new(string)
@@ -3539,11 +3978,26 @@ func (in *UserSSHKeyObservation) DeepCopyInto(out *UserSSHKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.PublicKey != nil {
+		in, out := &in.PublicKey, &out.PublicKey
+		*out = new(string)
+		**out = **in
+	}
 	if in.SSHPublicKeyID != nil {
 		in, out := &in.SSHPublicKeyID, &out.SSHPublicKeyID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSSHKeyObservation.
@@ -3746,11 +4200,31 @@ func (in *VirtualMfaDeviceObservation) DeepCopyInto(out *VirtualMfaDeviceObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 	if in.QrCodePng != nil {
 		in, out := &in.QrCodePng, &out.QrCodePng
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3766,6 +4240,11 @@ func (in *VirtualMfaDeviceObservation) DeepCopyInto(out *VirtualMfaDeviceObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.VirtualMfaDeviceName != nil {
+		in, out := &in.VirtualMfaDeviceName, &out.VirtualMfaDeviceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VirtualMfaDeviceObservation.
diff --git a/apis/iam/v1beta1/zz_group_types.go b/apis/iam/v1beta1/zz_group_types.go
index 44af6f89f8..9028cdceac 100755
--- a/apis/iam/v1beta1/zz_group_types.go
+++ b/apis/iam/v1beta1/zz_group_types.go
@@ -21,6 +21,9 @@ type GroupObservation struct {
 	// The group's ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Path in which to create the group.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
 	// The unique ID assigned by AWS.
 	UniqueID *string `json:"uniqueId,omitempty" tf:"unique_id,omitempty"`
 }
diff --git a/apis/iam/v1beta1/zz_groupmembership_types.go b/apis/iam/v1beta1/zz_groupmembership_types.go
index 10b2f072e4..6a5ee1adaf 100755
--- a/apis/iam/v1beta1/zz_groupmembership_types.go
+++ b/apis/iam/v1beta1/zz_groupmembership_types.go
@@ -14,7 +14,17 @@ import (
 )
 
 type GroupMembershipObservation struct {
+
+	// –  The IAM Group name to attach the list of users to
+	Group *string `json:"group,omitempty" tf:"group,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name to identify the Group Membership
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of IAM User names to associate with the Group
+	Users []*string `json:"users,omitempty" tf:"users,omitempty"`
 }
 
 type GroupMembershipParameters struct {
@@ -33,8 +43,8 @@ type GroupMembershipParameters struct {
 	GroupSelector *v1.Selector `json:"groupSelector,omitempty" tf:"-"`
 
 	// The name to identify the Group Membership
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// References to User to populate users.
 	// +kubebuilder:validation:Optional
@@ -76,8 +86,9 @@ type GroupMembershipStatus struct {
 type GroupMembership struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GroupMembershipSpec   `json:"spec"`
-	Status            GroupMembershipStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   GroupMembershipSpec   `json:"spec"`
+	Status GroupMembershipStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_grouppolicyattachment_types.go b/apis/iam/v1beta1/zz_grouppolicyattachment_types.go
index 53a6d749d6..6800865003 100755
--- a/apis/iam/v1beta1/zz_grouppolicyattachment_types.go
+++ b/apis/iam/v1beta1/zz_grouppolicyattachment_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type GroupPolicyAttachmentObservation struct {
+
+	// The group the policy should be applied to
+	Group *string `json:"group,omitempty" tf:"group,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the policy you want to apply
+	PolicyArn *string `json:"policyArn,omitempty" tf:"policy_arn,omitempty"`
 }
 
 type GroupPolicyAttachmentParameters struct {
diff --git a/apis/iam/v1beta1/zz_instanceprofile_types.go b/apis/iam/v1beta1/zz_instanceprofile_types.go
index fd5861677d..2f1a25fbfd 100755
--- a/apis/iam/v1beta1/zz_instanceprofile_types.go
+++ b/apis/iam/v1beta1/zz_instanceprofile_types.go
@@ -24,6 +24,15 @@ type InstanceProfileObservation struct {
 	// Instance profile's ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Path to the instance profile. For more information about paths, see IAM Identifiers in the IAM User Guide. Can be a string of characters consisting of either a forward slash (/) by itself or a string that must begin and end with forward slashes. Can include any ASCII character from the ! (\u0021) through the DEL character (\u007F), including most punctuation characters, digits, and upper and lowercase letters.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Name of the role to add to the profile.
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
diff --git a/apis/iam/v1beta1/zz_openidconnectprovider_types.go b/apis/iam/v1beta1/zz_openidconnectprovider_types.go
index 853635b4ee..8dba256d12 100755
--- a/apis/iam/v1beta1/zz_openidconnectprovider_types.go
+++ b/apis/iam/v1beta1/zz_openidconnectprovider_types.go
@@ -18,29 +18,41 @@ type OpenIDConnectProviderObservation struct {
 	// The ARN assigned by AWS for this provider.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)
+	ClientIDList []*string `json:"clientIdList,omitempty" tf:"client_id_list,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s).
+	ThumbprintList []*string `json:"thumbprintList,omitempty" tf:"thumbprint_list,omitempty"`
+
+	// The URL of the identity provider. Corresponds to the iss claim.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
 }
 
 type OpenIDConnectProviderParameters struct {
 
 	// A list of client IDs (also known as audiences). When a mobile or web app registers with an OpenID Connect provider, they establish a value that identifies the application. (This is the value that's sent as the client_id parameter on OAuth requests.)
-	// +kubebuilder:validation:Required
-	ClientIDList []*string `json:"clientIdList" tf:"client_id_list,omitempty"`
+	// +kubebuilder:validation:Optional
+	ClientIDList []*string `json:"clientIdList,omitempty" tf:"client_id_list,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// A list of server certificate thumbprints for the OpenID Connect (OIDC) identity provider's server certificate(s).
-	// +kubebuilder:validation:Required
-	ThumbprintList []*string `json:"thumbprintList" tf:"thumbprint_list,omitempty"`
+	// +kubebuilder:validation:Optional
+	ThumbprintList []*string `json:"thumbprintList,omitempty" tf:"thumbprint_list,omitempty"`
 
 	// The URL of the identity provider. Corresponds to the iss claim.
-	// +kubebuilder:validation:Required
-	URL *string `json:"url" tf:"url,omitempty"`
+	// +kubebuilder:validation:Optional
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
 }
 
 // OpenIDConnectProviderSpec defines the desired state of OpenIDConnectProvider
@@ -67,8 +79,11 @@ type OpenIDConnectProviderStatus struct {
 type OpenIDConnectProvider struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              OpenIDConnectProviderSpec   `json:"spec"`
-	Status            OpenIDConnectProviderStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.clientIdList)",message="clientIdList is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.thumbprintList)",message="thumbprintList is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.url)",message="url is a required parameter"
+	Spec   OpenIDConnectProviderSpec   `json:"spec"`
+	Status OpenIDConnectProviderStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_policy_types.go b/apis/iam/v1beta1/zz_policy_types.go
index bd80e4aacc..263055d748 100755
--- a/apis/iam/v1beta1/zz_policy_types.go
+++ b/apis/iam/v1beta1/zz_policy_types.go
@@ -18,12 +18,25 @@ type PolicyObservation struct {
 	// The ARN assigned by AWS to this policy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the IAM policy.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ARN assigned by AWS to this policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Path in which to create the policy.
+	// See IAM Identifiers for more information.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// The policy document. This is a JSON formatted string
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
 	// The policy's ID.
 	PolicyID *string `json:"policyId,omitempty" tf:"policy_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -40,8 +53,8 @@ type PolicyParameters struct {
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 
 	// The policy document. This is a JSON formatted string
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -72,8 +85,9 @@ type PolicyStatus struct {
 type Policy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PolicySpec   `json:"spec"`
-	Status            PolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   PolicySpec   `json:"spec"`
+	Status PolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_role_types.go b/apis/iam/v1beta1/zz_role_types.go
index 289154e537..5af1c3b692 100755
--- a/apis/iam/v1beta1/zz_role_types.go
+++ b/apis/iam/v1beta1/zz_role_types.go
@@ -30,9 +30,18 @@ type RoleObservation struct {
 	// Amazon Resource Name (ARN) specifying the role.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Policy that grants an entity permission to assume the role.
+	AssumeRolePolicy *string `json:"assumeRolePolicy,omitempty" tf:"assume_role_policy,omitempty"`
+
 	// Creation date of the IAM role.
 	CreateDate *string `json:"createDate,omitempty" tf:"create_date,omitempty"`
 
+	// Description of the role.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether to force detaching any policies the role has before destroying it. Defaults to false.
+	ForceDetachPolicies *bool `json:"forceDetachPolicies,omitempty" tf:"force_detach_policies,omitempty"`
+
 	// Name of the role.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -42,6 +51,18 @@ type RoleObservation struct {
 	// Set of exclusive IAM managed policy ARNs to attach to the IAM role. Configuring an empty set (i.e.
 	ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"`
 
+	// Maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours.
+	MaxSessionDuration *float64 `json:"maxSessionDuration,omitempty" tf:"max_session_duration,omitempty"`
+
+	// Path to the role. See IAM Identifiers for more information.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// ARN of the policy that is used to set the permissions boundary for the role.
+	PermissionsBoundary *string `json:"permissionsBoundary,omitempty" tf:"permissions_boundary,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -52,8 +73,8 @@ type RoleObservation struct {
 type RoleParameters struct {
 
 	// Policy that grants an entity permission to assume the role.
-	// +kubebuilder:validation:Required
-	AssumeRolePolicy *string `json:"assumeRolePolicy" tf:"assume_role_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	AssumeRolePolicy *string `json:"assumeRolePolicy,omitempty" tf:"assume_role_policy,omitempty"`
 
 	// Description of the role.
 	// +kubebuilder:validation:Optional
@@ -104,8 +125,9 @@ type RoleStatus struct {
 type Role struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RoleSpec   `json:"spec"`
-	Status            RoleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.assumeRolePolicy)",message="assumeRolePolicy is a required parameter"
+	Spec   RoleSpec   `json:"spec"`
+	Status RoleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_rolepolicyattachment_types.go b/apis/iam/v1beta1/zz_rolepolicyattachment_types.go
index 1035ee8301..1359651dd1 100755
--- a/apis/iam/v1beta1/zz_rolepolicyattachment_types.go
+++ b/apis/iam/v1beta1/zz_rolepolicyattachment_types.go
@@ -15,6 +15,12 @@ import (
 
 type RolePolicyAttachmentObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the policy you want to apply
+	PolicyArn *string `json:"policyArn,omitempty" tf:"policy_arn,omitempty"`
+
+	// The name of the IAM role to which the policy should be applied
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
 }
 
 type RolePolicyAttachmentParameters struct {
diff --git a/apis/iam/v1beta1/zz_samlprovider_types.go b/apis/iam/v1beta1/zz_samlprovider_types.go
index 1de4498bbd..14185754f6 100755
--- a/apis/iam/v1beta1/zz_samlprovider_types.go
+++ b/apis/iam/v1beta1/zz_samlprovider_types.go
@@ -20,6 +20,12 @@ type SAMLProviderObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// An XML document generated by an identity provider that supports SAML 2.0.
+	SAMLMetadataDocument *string `json:"samlMetadataDocument,omitempty" tf:"saml_metadata_document,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -30,8 +36,8 @@ type SAMLProviderObservation struct {
 type SAMLProviderParameters struct {
 
 	// An XML document generated by an identity provider that supports SAML 2.0.
-	// +kubebuilder:validation:Required
-	SAMLMetadataDocument *string `json:"samlMetadataDocument" tf:"saml_metadata_document,omitempty"`
+	// +kubebuilder:validation:Optional
+	SAMLMetadataDocument *string `json:"samlMetadataDocument,omitempty" tf:"saml_metadata_document,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -62,8 +68,9 @@ type SAMLProviderStatus struct {
 type SAMLProvider struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SAMLProviderSpec   `json:"spec"`
-	Status            SAMLProviderStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.samlMetadataDocument)",message="samlMetadataDocument is a required parameter"
+	Spec   SAMLProviderSpec   `json:"spec"`
+	Status SAMLProviderStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_servercertificate_types.go b/apis/iam/v1beta1/zz_servercertificate_types.go
index ca9b6c7664..86aba63057 100755
--- a/apis/iam/v1beta1/zz_servercertificate_types.go
+++ b/apis/iam/v1beta1/zz_servercertificate_types.go
@@ -18,12 +18,28 @@ type ServerCertificateObservation struct {
 	// The Amazon Resource Name (ARN) specifying the server certificate.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// encoded format.
+	CertificateBody *string `json:"certificateBody,omitempty" tf:"certificate_body,omitempty"`
+
+	// encoded public key certificates
+	// of the chain.
+	CertificateChain *string `json:"certificateChain,omitempty" tf:"certificate_chain,omitempty"`
+
 	// Date and time in RFC3339 format on which the certificate is set to expire.
 	Expiration *string `json:"expiration,omitempty" tf:"expiration,omitempty"`
 
 	// The unique Server Certificate name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IAM path for the server certificate.  If it is not
+	// included, it defaults to a slash (/). If this certificate is for use with
+	// AWS CloudFront, the path must be in format /cloudfront/your_path_here.
+	// See IAM Identifiers for more details on IAM Paths.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -34,8 +50,8 @@ type ServerCertificateObservation struct {
 type ServerCertificateParameters struct {
 
 	// encoded format.
-	// +kubebuilder:validation:Required
-	CertificateBody *string `json:"certificateBody" tf:"certificate_body,omitempty"`
+	// +kubebuilder:validation:Optional
+	CertificateBody *string `json:"certificateBody,omitempty" tf:"certificate_body,omitempty"`
 
 	// encoded public key certificates
 	// of the chain.
@@ -50,7 +66,7 @@ type ServerCertificateParameters struct {
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 
 	// encoded format.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	PrivateKeySecretRef v1.SecretKeySelector `json:"privateKeySecretRef" tf:"-"`
 
 	// Key-value map of resource tags.
@@ -82,8 +98,10 @@ type ServerCertificateStatus struct {
 type ServerCertificate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServerCertificateSpec   `json:"spec"`
-	Status            ServerCertificateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateBody)",message="certificateBody is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.privateKeySecretRef)",message="privateKeySecretRef is a required parameter"
+	Spec   ServerCertificateSpec   `json:"spec"`
+	Status ServerCertificateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_servicelinkedrole_types.go b/apis/iam/v1beta1/zz_servicelinkedrole_types.go
index 84c6759b5f..2ad2f7cb22 100755
--- a/apis/iam/v1beta1/zz_servicelinkedrole_types.go
+++ b/apis/iam/v1beta1/zz_servicelinkedrole_types.go
@@ -18,9 +18,18 @@ type ServiceLinkedRoleObservation struct {
 	// The Amazon Resource Name (ARN) specifying the role.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.
+	AwsServiceName *string `json:"awsServiceName,omitempty" tf:"aws_service_name,omitempty"`
+
 	// The creation date of the IAM role.
 	CreateDate *string `json:"createDate,omitempty" tf:"create_date,omitempty"`
 
+	// Additional string appended to the role name. Not all AWS services support custom suffixes.
+	CustomSuffix *string `json:"customSuffix,omitempty" tf:"custom_suffix,omitempty"`
+
+	// The description of the role.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the role.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -30,6 +39,9 @@ type ServiceLinkedRoleObservation struct {
 	// The path of the role.
 	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -40,8 +52,8 @@ type ServiceLinkedRoleObservation struct {
 type ServiceLinkedRoleParameters struct {
 
 	// The AWS service to which this role is attached. You use a string similar to a URL but without the http:// in front. For example: elasticbeanstalk.amazonaws.com. To find the full list of services that support service-linked roles, check the docs.
-	// +kubebuilder:validation:Required
-	AwsServiceName *string `json:"awsServiceName" tf:"aws_service_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	AwsServiceName *string `json:"awsServiceName,omitempty" tf:"aws_service_name,omitempty"`
 
 	// Additional string appended to the role name. Not all AWS services support custom suffixes.
 	// +kubebuilder:validation:Optional
@@ -80,8 +92,9 @@ type ServiceLinkedRoleStatus struct {
 type ServiceLinkedRole struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServiceLinkedRoleSpec   `json:"spec"`
-	Status            ServiceLinkedRoleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.awsServiceName)",message="awsServiceName is a required parameter"
+	Spec   ServiceLinkedRoleSpec   `json:"spec"`
+	Status ServiceLinkedRoleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_servicespecificcredential_types.go b/apis/iam/v1beta1/zz_servicespecificcredential_types.go
index 02bb20fded..f99fb22535 100755
--- a/apis/iam/v1beta1/zz_servicespecificcredential_types.go
+++ b/apis/iam/v1beta1/zz_servicespecificcredential_types.go
@@ -18,18 +18,27 @@ type ServiceSpecificCredentialObservation struct {
 	// The combination of service_name and user_name as such: service_name:user_name:service_specific_credential_id.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
+
 	// The unique identifier for the service-specific credential.
 	ServiceSpecificCredentialID *string `json:"serviceSpecificCredentialId,omitempty" tf:"service_specific_credential_id,omitempty"`
 
 	// The generated user name for the service-specific credential. This value is generated by combining the IAM user's name combined with the ID number of the AWS account, as in jane-at-123456789012, for example.
 	ServiceUserName *string `json:"serviceUserName,omitempty" tf:"service_user_name,omitempty"`
+
+	// The status to be assigned to the service-specific credential. Valid values are Active and Inactive. Default value is Active.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// The name of the IAM user that is to be associated with the credentials. The new service-specific credentials have the same permissions as the associated user except that they can be used only to access the specified service.
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 }
 
 type ServiceSpecificCredentialParameters struct {
 
 	// The name of the AWS service that is to be associated with the credentials. The service you specify here is the only service that can be accessed using these credentials.
-	// +kubebuilder:validation:Required
-	ServiceName *string `json:"serviceName" tf:"service_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
 
 	// The status to be assigned to the service-specific credential. Valid values are Active and Inactive. Default value is Active.
 	// +kubebuilder:validation:Optional
@@ -73,8 +82,9 @@ type ServiceSpecificCredentialStatus struct {
 type ServiceSpecificCredential struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServiceSpecificCredentialSpec   `json:"spec"`
-	Status            ServiceSpecificCredentialStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceName)",message="serviceName is a required parameter"
+	Spec   ServiceSpecificCredentialSpec   `json:"spec"`
+	Status ServiceSpecificCredentialStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_signingcertificate_types.go b/apis/iam/v1beta1/zz_signingcertificate_types.go
index 75ec91b552..e7d1474ed6 100755
--- a/apis/iam/v1beta1/zz_signingcertificate_types.go
+++ b/apis/iam/v1beta1/zz_signingcertificate_types.go
@@ -15,26 +15,35 @@ import (
 
 type SigningCertificateObservation struct {
 
+	// encoded format.
+	CertificateBody *string `json:"certificateBody,omitempty" tf:"certificate_body,omitempty"`
+
 	// The ID for the signing certificate.
 	CertificateID *string `json:"certificateId,omitempty" tf:"certificate_id,omitempty"`
 
 	// The certificate_id:user_name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// –   The status you want to assign to the certificate. Active means that the certificate can be used for programmatic calls to Amazon Web Services Inactive means that the certificate cannot be used.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// –  The name of the user the signing certificate is for.
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 }
 
 type SigningCertificateParameters struct {
 
 	// encoded format.
-	// +kubebuilder:validation:Required
-	CertificateBody *string `json:"certificateBody" tf:"certificate_body,omitempty"`
+	// +kubebuilder:validation:Optional
+	CertificateBody *string `json:"certificateBody,omitempty" tf:"certificate_body,omitempty"`
 
 	// –   The status you want to assign to the certificate. Active means that the certificate can be used for programmatic calls to Amazon Web Services Inactive means that the certificate cannot be used.
 	// +kubebuilder:validation:Optional
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
 	// –  The name of the user the signing certificate is for.
-	// +kubebuilder:validation:Required
-	UserName *string `json:"userName" tf:"user_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 }
 
 // SigningCertificateSpec defines the desired state of SigningCertificate
@@ -61,8 +70,10 @@ type SigningCertificateStatus struct {
 type SigningCertificate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SigningCertificateSpec   `json:"spec"`
-	Status            SigningCertificateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateBody)",message="certificateBody is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userName)",message="userName is a required parameter"
+	Spec   SigningCertificateSpec   `json:"spec"`
+	Status SigningCertificateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_user_types.go b/apis/iam/v1beta1/zz_user_types.go
index d6ce6cee48..9f7ce9a622 100755
--- a/apis/iam/v1beta1/zz_user_types.go
+++ b/apis/iam/v1beta1/zz_user_types.go
@@ -18,8 +18,23 @@ type UserObservation struct {
 	// The ARN assigned by AWS for this user.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// when destroying this user, destroy even if it
+	// has non-Upbound official provider-managed iam access keys, login profile or mfa devices. without force_destroy
+	// a user with non-Upbound official provider-managed access keys and login profile will fail to be destroyed.
+	// delete user even if it has non-Upbound official provider-managed iam access keys, login profile or mfa devices
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Path in which to create the user.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
+	// The ARN of the policy that is used to set the permissions boundary for the user.
+	PermissionsBoundary *string `json:"permissionsBoundary,omitempty" tf:"permissions_boundary,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
diff --git a/apis/iam/v1beta1/zz_usergroupmembership_types.go b/apis/iam/v1beta1/zz_usergroupmembership_types.go
index ae79da7b54..602373cfda 100755
--- a/apis/iam/v1beta1/zz_usergroupmembership_types.go
+++ b/apis/iam/v1beta1/zz_usergroupmembership_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type UserGroupMembershipObservation struct {
+
+	// A list of IAM Groups to add the user to
+	Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the IAM User to add to groups
+	User *string `json:"user,omitempty" tf:"user,omitempty"`
 }
 
 type UserGroupMembershipParameters struct {
diff --git a/apis/iam/v1beta1/zz_userloginprofile_types.go b/apis/iam/v1beta1/zz_userloginprofile_types.go
index 426f01e5d2..cbdf64c450 100755
--- a/apis/iam/v1beta1/zz_userloginprofile_types.go
+++ b/apis/iam/v1beta1/zz_userloginprofile_types.go
@@ -25,6 +25,18 @@ type UserLoginProfileObservation struct {
 
 	// The plain text password, only available when pgp_key is not provided.
 	Password *string `json:"password,omitempty" tf:"password,omitempty"`
+
+	// The length of the generated password on resource creation. Only applies on resource creation. Drift detection is not possible with this argument. Default value is 20.
+	PasswordLength *float64 `json:"passwordLength,omitempty" tf:"password_length,omitempty"`
+
+	// Whether the user should be forced to reset the generated password on resource creation. Only applies on resource creation.
+	PasswordResetRequired *bool `json:"passwordResetRequired,omitempty" tf:"password_reset_required,omitempty"`
+
+	// Either a base-64 encoded PGP public key, or a keybase username in the form keybase:username. Only applies on resource creation. Drift detection is not possible with this argument.
+	PgpKey *string `json:"pgpKey,omitempty" tf:"pgp_key,omitempty"`
+
+	// The IAM user's name.
+	User *string `json:"user,omitempty" tf:"user,omitempty"`
 }
 
 type UserLoginProfileParameters struct {
diff --git a/apis/iam/v1beta1/zz_userpolicyattachment_types.go b/apis/iam/v1beta1/zz_userpolicyattachment_types.go
index aa22850c8d..070e9efd07 100755
--- a/apis/iam/v1beta1/zz_userpolicyattachment_types.go
+++ b/apis/iam/v1beta1/zz_userpolicyattachment_types.go
@@ -15,6 +15,12 @@ import (
 
 type UserPolicyAttachmentObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the policy you want to apply
+	PolicyArn *string `json:"policyArn,omitempty" tf:"policy_arn,omitempty"`
+
+	// The user the policy should be applied to
+	User *string `json:"user,omitempty" tf:"user,omitempty"`
 }
 
 type UserPolicyAttachmentParameters struct {
diff --git a/apis/iam/v1beta1/zz_usersshkey_types.go b/apis/iam/v1beta1/zz_usersshkey_types.go
index 41029ca79e..1244be32ba 100755
--- a/apis/iam/v1beta1/zz_usersshkey_types.go
+++ b/apis/iam/v1beta1/zz_usersshkey_types.go
@@ -15,24 +15,36 @@ import (
 
 type UserSSHKeyObservation struct {
 
+	// Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
 	// The MD5 message digest of the SSH public key.
 	Fingerprint *string `json:"fingerprint,omitempty" tf:"fingerprint,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.
+	PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"`
+
 	// The unique identifier for the SSH public key.
 	SSHPublicKeyID *string `json:"sshPublicKeyId,omitempty" tf:"ssh_public_key_id,omitempty"`
+
+	// The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// The name of the IAM user to associate the SSH public key with.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type UserSSHKeyParameters struct {
 
 	// Specifies the public key encoding format to use in the response. To retrieve the public key in ssh-rsa format, use SSH. To retrieve the public key in PEM format, use PEM.
-	// +kubebuilder:validation:Required
-	Encoding *string `json:"encoding" tf:"encoding,omitempty"`
+	// +kubebuilder:validation:Optional
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
 
 	// The SSH public key. The public key must be encoded in ssh-rsa format or PEM format.
-	// +kubebuilder:validation:Required
-	PublicKey *string `json:"publicKey" tf:"public_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"`
 
 	// The status to assign to the SSH public key. Active means the key can be used for authentication with an AWS CodeCommit repository. Inactive means the key cannot be used. Default is active.
 	// +kubebuilder:validation:Optional
@@ -76,8 +88,10 @@ type UserSSHKeyStatus struct {
 type UserSSHKey struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserSSHKeySpec   `json:"spec"`
-	Status            UserSSHKeyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encoding)",message="encoding is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.publicKey)",message="publicKey is a required parameter"
+	Spec   UserSSHKeySpec   `json:"spec"`
+	Status UserSSHKeyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iam/v1beta1/zz_virtualmfadevice_types.go b/apis/iam/v1beta1/zz_virtualmfadevice_types.go
index 5f1afc5ecc..6778fd1a51 100755
--- a/apis/iam/v1beta1/zz_virtualmfadevice_types.go
+++ b/apis/iam/v1beta1/zz_virtualmfadevice_types.go
@@ -23,11 +23,20 @@ type VirtualMfaDeviceObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// –  The path for the virtual MFA device.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
+
 	// A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String where $virtualMFADeviceName is one of the create call arguments. AccountName is the user name if set (otherwise, the account ID otherwise), and Base32String is the seed in base32 format.
 	QrCodePng *string `json:"qrCodePng,omitempty" tf:"qr_code_png,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.
+	VirtualMfaDeviceName *string `json:"virtualMfaDeviceName,omitempty" tf:"virtual_mfa_device_name,omitempty"`
 }
 
 type VirtualMfaDeviceParameters struct {
@@ -41,8 +50,8 @@ type VirtualMfaDeviceParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The name of the virtual MFA device. Use with path to uniquely identify a virtual MFA device.
-	// +kubebuilder:validation:Required
-	VirtualMfaDeviceName *string `json:"virtualMfaDeviceName" tf:"virtual_mfa_device_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	VirtualMfaDeviceName *string `json:"virtualMfaDeviceName,omitempty" tf:"virtual_mfa_device_name,omitempty"`
 }
 
 // VirtualMfaDeviceSpec defines the desired state of VirtualMfaDevice
@@ -69,8 +78,9 @@ type VirtualMfaDeviceStatus struct {
 type VirtualMfaDevice struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VirtualMfaDeviceSpec   `json:"spec"`
-	Status            VirtualMfaDeviceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.virtualMfaDeviceName)",message="virtualMfaDeviceName is a required parameter"
+	Spec   VirtualMfaDeviceSpec   `json:"spec"`
+	Status VirtualMfaDeviceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/imagebuilder/v1beta1/zz_component_types.go b/apis/imagebuilder/v1beta1/zz_component_types.go
index 89d99173cd..10db8521b4 100755
--- a/apis/imagebuilder/v1beta1/zz_component_types.go
+++ b/apis/imagebuilder/v1beta1/zz_component_types.go
@@ -18,22 +18,55 @@ type ComponentObservation struct {
 	// Amazon Resource Name (ARN) of the component.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Change description of the component.
+	ChangeDescription *string `json:"changeDescription,omitempty" tf:"change_description,omitempty"`
+
+	// Inline YAML string with data of the component. Exactly one of data and uri can be specified.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
 	// Date the component was created.
 	DateCreated *string `json:"dateCreated,omitempty" tf:"date_created,omitempty"`
 
+	// Description of the component.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Encryption status of the component.
 	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amazon Resource Name (ARN) of the Key Management Service (KMS) Key used to encrypt the component.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Name of the component.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Owner of the component.
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 
+	// Platform of the component.
+	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
+
+	// Whether to retain the old version when the resource is destroyed or replacement is necessary. Defaults to false.
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// Set of Operating Systems (OS) supported by the component.
+	SupportedOsVersions []*string `json:"supportedOsVersions,omitempty" tf:"supported_os_versions,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Type of the component.
 	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// S3 URI with data of the component. Exactly one of data and uri can be specified.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
+
+	// Version of the component.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type ComponentParameters struct {
@@ -64,12 +97,12 @@ type ComponentParameters struct {
 	KMSKeyIDSelector *v1.Selector `json:"kmsKeyIdSelector,omitempty" tf:"-"`
 
 	// Name of the component.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Platform of the component.
-	// +kubebuilder:validation:Required
-	Platform *string `json:"platform" tf:"platform,omitempty"`
+	// +kubebuilder:validation:Optional
+	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -93,8 +126,8 @@ type ComponentParameters struct {
 	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 
 	// Version of the component.
-	// +kubebuilder:validation:Required
-	Version *string `json:"version" tf:"version,omitempty"`
+	// +kubebuilder:validation:Optional
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 // ComponentSpec defines the desired state of Component
@@ -121,8 +154,11 @@ type ComponentStatus struct {
 type Component struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ComponentSpec   `json:"spec"`
-	Status            ComponentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platform)",message="platform is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)",message="version is a required parameter"
+	Spec   ComponentSpec   `json:"spec"`
+	Status ComponentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/imagebuilder/v1beta1/zz_containerrecipe_types.go b/apis/imagebuilder/v1beta1/zz_containerrecipe_types.go
index 8493d67cc6..cb83f60862 100755
--- a/apis/imagebuilder/v1beta1/zz_containerrecipe_types.go
+++ b/apis/imagebuilder/v1beta1/zz_containerrecipe_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type BlockDeviceMappingObservation struct {
+
+	// Name of the device. For example, /dev/sda or /dev/xvdb.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Configuration block with Elastic Block Storage (EBS) block device mapping settings. Detailed below.
+	EBS []EBSObservation `json:"ebs,omitempty" tf:"ebs,omitempty"`
+
+	// Set to true to remove a mapping from the parent image.
+	NoDevice *bool `json:"noDevice,omitempty" tf:"no_device,omitempty"`
+
+	// Virtual device name. For example, ephemeral0. Instance store volumes are numbered starting from 0.
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type BlockDeviceMappingParameters struct {
@@ -36,6 +48,12 @@ type BlockDeviceMappingParameters struct {
 }
 
 type ContainerRecipeComponentObservation struct {
+
+	// Amazon Resource Name (ARN) of the Image Builder Component to associate.
+	ComponentArn *string `json:"componentArn,omitempty" tf:"component_arn,omitempty"`
+
+	// Configuration block(s) for parameters to configure the component. Detailed below.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
 }
 
 type ContainerRecipeComponentParameters struct {
@@ -64,33 +82,72 @@ type ContainerRecipeObservation struct {
 	// Amazon Resource Name (ARN) of the container recipe.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Ordered configuration block(s) with components for the container recipe. Detailed below.
+	Component []ContainerRecipeComponentObservation `json:"component,omitempty" tf:"component,omitempty"`
+
+	// The type of the container to create. Valid values: DOCKER.
+	ContainerType *string `json:"containerType,omitempty" tf:"container_type,omitempty"`
+
 	// Date the container recipe was created.
 	DateCreated *string `json:"dateCreated,omitempty" tf:"date_created,omitempty"`
 
+	// The description of the container recipe.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The Dockerfile template used to build the image as an inline data blob.
+	DockerfileTemplateData *string `json:"dockerfileTemplateData,omitempty" tf:"dockerfile_template_data,omitempty"`
+
+	// The Amazon S3 URI for the Dockerfile that will be used to build the container image.
+	DockerfileTemplateURI *string `json:"dockerfileTemplateUri,omitempty" tf:"dockerfile_template_uri,omitempty"`
+
 	// A flag that indicates if the target container is encrypted.
 	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block used to configure an instance for building and testing container images. Detailed below.
+	InstanceConfiguration []InstanceConfigurationObservation `json:"instanceConfiguration,omitempty" tf:"instance_configuration,omitempty"`
+
+	// The KMS key used to encrypt the container image.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The name of the container recipe.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Owner of the container recipe.
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 
+	// The base image for the container recipe.
+	ParentImage *string `json:"parentImage,omitempty" tf:"parent_image,omitempty"`
+
 	// Platform of the container recipe.
 	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The destination repository for the container image. Detailed below.
+	TargetRepository []TargetRepositoryObservation `json:"targetRepository,omitempty" tf:"target_repository,omitempty"`
+
+	// Version of the container recipe.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
+
+	// The working directory to be used during build and test workflows.
+	WorkingDirectory *string `json:"workingDirectory,omitempty" tf:"working_directory,omitempty"`
 }
 
 type ContainerRecipeParameters struct {
 
 	// Ordered configuration block(s) with components for the container recipe. Detailed below.
-	// +kubebuilder:validation:Required
-	Component []ContainerRecipeComponentParameters `json:"component" tf:"component,omitempty"`
+	// +kubebuilder:validation:Optional
+	Component []ContainerRecipeComponentParameters `json:"component,omitempty" tf:"component,omitempty"`
 
 	// The type of the container to create. Valid values: DOCKER.
-	// +kubebuilder:validation:Required
-	ContainerType *string `json:"containerType" tf:"container_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ContainerType *string `json:"containerType,omitempty" tf:"container_type,omitempty"`
 
 	// The description of the container recipe.
 	// +kubebuilder:validation:Optional
@@ -122,12 +179,12 @@ type ContainerRecipeParameters struct {
 	KMSKeyIDSelector *v1.Selector `json:"kmsKeyIdSelector,omitempty" tf:"-"`
 
 	// The name of the container recipe.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The base image for the container recipe.
-	// +kubebuilder:validation:Required
-	ParentImage *string `json:"parentImage" tf:"parent_image,omitempty"`
+	// +kubebuilder:validation:Optional
+	ParentImage *string `json:"parentImage,omitempty" tf:"parent_image,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -139,12 +196,12 @@ type ContainerRecipeParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The destination repository for the container image. Detailed below.
-	// +kubebuilder:validation:Required
-	TargetRepository []TargetRepositoryParameters `json:"targetRepository" tf:"target_repository,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetRepository []TargetRepositoryParameters `json:"targetRepository,omitempty" tf:"target_repository,omitempty"`
 
 	// Version of the container recipe.
-	// +kubebuilder:validation:Required
-	Version *string `json:"version" tf:"version,omitempty"`
+	// +kubebuilder:validation:Optional
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 
 	// The working directory to be used during build and test workflows.
 	// +kubebuilder:validation:Optional
@@ -152,6 +209,30 @@ type ContainerRecipeParameters struct {
 }
 
 type EBSObservation struct {
+
+	// Whether to delete the volume on termination. Defaults to unset, which is the value inherited from the parent image.
+	DeleteOnTermination *string `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Whether to encrypt the volume. Defaults to unset, which is the value inherited from the parent image.
+	Encrypted *string `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// Number of Input/Output (I/O) operations per second to provision for an io1 or io2 volume.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Amazon Resource Name (ARN) of the Key Management Service (KMS) Key for encryption.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Identifier of the EC2 Volume Snapshot.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// For GP3 volumes only. The throughput in MiB/s that the volume supports.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// Size of the volume, in GiB.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of the volume. For example, gp2 or io2.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type EBSParameters struct {
@@ -190,6 +271,12 @@ type EBSParameters struct {
 }
 
 type InstanceConfigurationObservation struct {
+
+	// Configuration block(s) with block device mappings for the container recipe. Detailed below.
+	BlockDeviceMapping []BlockDeviceMappingObservation `json:"blockDeviceMapping,omitempty" tf:"block_device_mapping,omitempty"`
+
+	// The AMI ID to use as the base image for a container build and test instance. If not specified, Image Builder will use the appropriate ECS-optimized AMI as a base image.
+	Image *string `json:"image,omitempty" tf:"image,omitempty"`
 }
 
 type InstanceConfigurationParameters struct {
@@ -204,6 +291,12 @@ type InstanceConfigurationParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// The name of the component parameter.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value for the named component parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -218,6 +311,12 @@ type ParameterParameters struct {
 }
 
 type TargetRepositoryObservation struct {
+
+	// The name of the container repository where the output container image is stored. This name is prefixed by the repository location.
+	RepositoryName *string `json:"repositoryName,omitempty" tf:"repository_name,omitempty"`
+
+	// The service in which this image is registered. Valid values: ECR.
+	Service *string `json:"service,omitempty" tf:"service,omitempty"`
 }
 
 type TargetRepositoryParameters struct {
@@ -264,8 +363,14 @@ type ContainerRecipeStatus struct {
 type ContainerRecipe struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ContainerRecipeSpec   `json:"spec"`
-	Status            ContainerRecipeStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.component)",message="component is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.containerType)",message="containerType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parentImage)",message="parentImage is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetRepository)",message="targetRepository is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)",message="version is a required parameter"
+	Spec   ContainerRecipeSpec   `json:"spec"`
+	Status ContainerRecipeStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/imagebuilder/v1beta1/zz_distributionconfiguration_types.go b/apis/imagebuilder/v1beta1/zz_distributionconfiguration_types.go
index cb1ab76eeb..910495545b 100755
--- a/apis/imagebuilder/v1beta1/zz_distributionconfiguration_types.go
+++ b/apis/imagebuilder/v1beta1/zz_distributionconfiguration_types.go
@@ -14,6 +14,24 @@ import (
 )
 
 type AMIDistributionConfigurationObservation struct {
+
+	// Key-value map of tags to apply to the distributed AMI.
+	AMITags map[string]*string `json:"amiTags,omitempty" tf:"ami_tags,omitempty"`
+
+	// Description to apply to the distributed AMI.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Amazon Resource Name (ARN) of the Key Management Service (KMS) Key to encrypt the distributed AMI.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Configuration block of EC2 launch permissions to apply to the distributed AMI. Detailed below.
+	LaunchPermission []LaunchPermissionObservation `json:"launchPermission,omitempty" tf:"launch_permission,omitempty"`
+
+	// Name to apply to the distributed AMI.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Set of AWS Account identifiers to distribute the AMI.
+	TargetAccountIds []*string `json:"targetAccountIds,omitempty" tf:"target_account_ids,omitempty"`
 }
 
 type AMIDistributionConfigurationParameters struct {
@@ -44,6 +62,15 @@ type AMIDistributionConfigurationParameters struct {
 }
 
 type ContainerDistributionConfigurationObservation struct {
+
+	// Set of tags that are attached to the container distribution configuration.
+	ContainerTags []*string `json:"containerTags,omitempty" tf:"container_tags,omitempty"`
+
+	// Description of the container distribution configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Configuration block with the destination repository for the container distribution configuration.
+	TargetRepository []ContainerDistributionConfigurationTargetRepositoryObservation `json:"targetRepository,omitempty" tf:"target_repository,omitempty"`
 }
 
 type ContainerDistributionConfigurationParameters struct {
@@ -62,6 +89,12 @@ type ContainerDistributionConfigurationParameters struct {
 }
 
 type ContainerDistributionConfigurationTargetRepositoryObservation struct {
+
+	// The name of the container repository where the output container image is stored. This name is prefixed by the repository location.
+	RepositoryName *string `json:"repositoryName,omitempty" tf:"repository_name,omitempty"`
+
+	// The service in which this image is registered. Valid values: ECR.
+	Service *string `json:"service,omitempty" tf:"service,omitempty"`
 }
 
 type ContainerDistributionConfigurationTargetRepositoryParameters struct {
@@ -86,8 +119,20 @@ type DistributionConfigurationObservation struct {
 	// Date the distribution configuration was updated.
 	DateUpdated *string `json:"dateUpdated,omitempty" tf:"date_updated,omitempty"`
 
+	// Description of the distribution configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// One or more configuration blocks with distribution settings. Detailed below.
+	Distribution []DistributionObservation `json:"distribution,omitempty" tf:"distribution,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the distribution configuration.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -99,12 +144,12 @@ type DistributionConfigurationParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// One or more configuration blocks with distribution settings. Detailed below.
-	// +kubebuilder:validation:Required
-	Distribution []DistributionParameters `json:"distribution" tf:"distribution,omitempty"`
+	// +kubebuilder:validation:Optional
+	Distribution []DistributionParameters `json:"distribution,omitempty" tf:"distribution,omitempty"`
 
 	// Name of the distribution configuration.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// AWS Region for the distribution.
 	// Region is the region you'd like your resource to be created in.
@@ -118,6 +163,24 @@ type DistributionConfigurationParameters struct {
 }
 
 type DistributionObservation struct {
+
+	// Configuration block with Amazon Machine Image (AMI) distribution settings. Detailed below.
+	AMIDistributionConfiguration []AMIDistributionConfigurationObservation `json:"amiDistributionConfiguration,omitempty" tf:"ami_distribution_configuration,omitempty"`
+
+	// Configuration block with container distribution settings. Detailed below.
+	ContainerDistributionConfiguration []ContainerDistributionConfigurationObservation `json:"containerDistributionConfiguration,omitempty" tf:"container_distribution_configuration,omitempty"`
+
+	// Set of Windows faster-launching configurations to use for AMI distribution. Detailed below.
+	FastLaunchConfiguration []FastLaunchConfigurationObservation `json:"fastLaunchConfiguration,omitempty" tf:"fast_launch_configuration,omitempty"`
+
+	// Set of launch template configuration settings that apply to image distribution. Detailed below.
+	LaunchTemplateConfiguration []LaunchTemplateConfigurationObservation `json:"launchTemplateConfiguration,omitempty" tf:"launch_template_configuration,omitempty"`
+
+	// Set of Amazon Resource Names (ARNs) of License Manager License Configurations.
+	LicenseConfigurationArns []*string `json:"licenseConfigurationArns,omitempty" tf:"license_configuration_arns,omitempty"`
+
+	// AWS Region for the distribution.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
 }
 
 type DistributionParameters struct {
@@ -148,6 +211,21 @@ type DistributionParameters struct {
 }
 
 type FastLaunchConfigurationObservation struct {
+
+	// The owner account ID for the fast-launch enabled Windows AMI.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// A Boolean that represents the current state of faster launching for the Windows AMI. Set to true to start using Windows faster launching, or false to stop using it.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Configuration block for the launch template that the fast-launch enabled Windows AMI uses when it launches Windows instances to create pre-provisioned snapshots. Detailed below.
+	LaunchTemplate []LaunchTemplateObservation `json:"launchTemplate,omitempty" tf:"launch_template,omitempty"`
+
+	// The maximum number of parallel instances that are launched for creating resources.
+	MaxParallelLaunches *float64 `json:"maxParallelLaunches,omitempty" tf:"max_parallel_launches,omitempty"`
+
+	// Configuration block for managing the number of snapshots that are created from pre-provisioned instances for the Windows AMI when faster launching is enabled. Detailed below.
+	SnapshotConfiguration []SnapshotConfigurationObservation `json:"snapshotConfiguration,omitempty" tf:"snapshot_configuration,omitempty"`
 }
 
 type FastLaunchConfigurationParameters struct {
@@ -174,6 +252,18 @@ type FastLaunchConfigurationParameters struct {
 }
 
 type LaunchPermissionObservation struct {
+
+	// Set of AWS Organization ARNs to assign.
+	OrganizationArns []*string `json:"organizationArns,omitempty" tf:"organization_arns,omitempty"`
+
+	// Set of AWS Organizational Unit ARNs to assign.
+	OrganizationalUnitArns []*string `json:"organizationalUnitArns,omitempty" tf:"organizational_unit_arns,omitempty"`
+
+	// Set of EC2 launch permission user groups to assign. Use all to distribute a public AMI.
+	UserGroups []*string `json:"userGroups,omitempty" tf:"user_groups,omitempty"`
+
+	// Set of AWS Account identifiers to assign.
+	UserIds []*string `json:"userIds,omitempty" tf:"user_ids,omitempty"`
 }
 
 type LaunchPermissionParameters struct {
@@ -196,6 +286,15 @@ type LaunchPermissionParameters struct {
 }
 
 type LaunchTemplateConfigurationObservation struct {
+
+	// The account ID that this configuration applies to.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// Indicates whether to set the specified Amazon EC2 launch template as the default launch template. Defaults to true.
+	Default *bool `json:"default,omitempty" tf:"default,omitempty"`
+
+	// The ID of the Amazon EC2 launch template to use.
+	LaunchTemplateID *string `json:"launchTemplateId,omitempty" tf:"launch_template_id,omitempty"`
 }
 
 type LaunchTemplateConfigurationParameters struct {
@@ -214,6 +313,15 @@ type LaunchTemplateConfigurationParameters struct {
 }
 
 type LaunchTemplateObservation struct {
+
+	// The ID of the launch template to use for faster launching for a Windows AMI.
+	LaunchTemplateID *string `json:"launchTemplateId,omitempty" tf:"launch_template_id,omitempty"`
+
+	// The name of the launch template to use for faster launching for a Windows AMI.
+	LaunchTemplateName *string `json:"launchTemplateName,omitempty" tf:"launch_template_name,omitempty"`
+
+	// The version of the launch template to use for faster launching for a Windows AMI.
+	LaunchTemplateVersion *string `json:"launchTemplateVersion,omitempty" tf:"launch_template_version,omitempty"`
 }
 
 type LaunchTemplateParameters struct {
@@ -232,6 +340,9 @@ type LaunchTemplateParameters struct {
 }
 
 type SnapshotConfigurationObservation struct {
+
+	// The number of pre-provisioned snapshots to keep on hand for a fast-launch enabled Windows AMI.
+	TargetResourceCount *float64 `json:"targetResourceCount,omitempty" tf:"target_resource_count,omitempty"`
 }
 
 type SnapshotConfigurationParameters struct {
@@ -265,8 +376,10 @@ type DistributionConfigurationStatus struct {
 type DistributionConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DistributionConfigurationSpec   `json:"spec"`
-	Status            DistributionConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.distribution)",message="distribution is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   DistributionConfigurationSpec   `json:"spec"`
+	Status DistributionConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/imagebuilder/v1beta1/zz_generated.deepcopy.go b/apis/imagebuilder/v1beta1/zz_generated.deepcopy.go
index c65ec6080a..18913f4c77 100644
--- a/apis/imagebuilder/v1beta1/zz_generated.deepcopy.go
+++ b/apis/imagebuilder/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,54 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AMIDistributionConfigurationObservation) DeepCopyInto(out *AMIDistributionConfigurationObservation) {
 	*out = *in
+	if in.AMITags != nil {
+		in, out := &in.AMITags, &out.AMITags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchPermission != nil {
+		in, out := &in.LaunchPermission, &out.LaunchPermission
+		*out = make([]LaunchPermissionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetAccountIds != nil {
+		in, out := &in.TargetAccountIds, &out.TargetAccountIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AMIDistributionConfigurationObservation.
@@ -150,6 +198,46 @@ func (in *AmisParameters) DeepCopy() *AmisParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BlockDeviceMappingEBSObservation) DeepCopyInto(out *BlockDeviceMappingEBSObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(string)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BlockDeviceMappingEBSObservation.
@@ -220,6 +308,28 @@ func (in *BlockDeviceMappingEBSParameters) DeepCopy() *BlockDeviceMappingEBSPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BlockDeviceMappingObservation) DeepCopyInto(out *BlockDeviceMappingObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EBS != nil {
+		in, out := &in.EBS, &out.EBS
+		*out = make([]EBSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoDevice != nil {
+		in, out := &in.NoDevice, &out.NoDevice
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BlockDeviceMappingObservation.
@@ -336,11 +446,26 @@ func (in *ComponentObservation) DeepCopyInto(out *ComponentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ChangeDescription != nil {
+		in, out := &in.ChangeDescription, &out.ChangeDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
 	if in.DateCreated != nil {
 		in, out := &in.DateCreated, &out.DateCreated
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.Encrypted != nil {
 		in, out := &in.Encrypted, &out.Encrypted
 		*out = new(bool)
@@ -351,11 +476,57 @@ func (in *ComponentObservation) DeepCopyInto(out *ComponentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Owner != nil {
 		in, out := &in.Owner, &out.Owner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Platform != nil {
+		in, out := &in.Platform, &out.Platform
+		*out = new(string)
+		**out = **in
+	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SupportedOsVersions != nil {
+		in, out := &in.SupportedOsVersions, &out.SupportedOsVersions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -376,6 +547,16 @@ func (in *ComponentObservation) DeepCopyInto(out *ComponentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentObservation.
@@ -391,6 +572,16 @@ func (in *ComponentObservation) DeepCopy() *ComponentObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ComponentParameterObservation) DeepCopyInto(out *ComponentParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComponentParameterObservation.
@@ -566,6 +757,29 @@ func (in *ComponentStatus) DeepCopy() *ComponentStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContainerDistributionConfigurationObservation) DeepCopyInto(out *ContainerDistributionConfigurationObservation) {
 	*out = *in
+	if in.ContainerTags != nil {
+		in, out := &in.ContainerTags, &out.ContainerTags
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetRepository != nil {
+		in, out := &in.TargetRepository, &out.TargetRepository
+		*out = make([]ContainerDistributionConfigurationTargetRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerDistributionConfigurationObservation.
@@ -619,6 +833,16 @@ func (in *ContainerDistributionConfigurationParameters) DeepCopy() *ContainerDis
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContainerDistributionConfigurationTargetRepositoryObservation) DeepCopyInto(out *ContainerDistributionConfigurationTargetRepositoryObservation) {
 	*out = *in
+	if in.RepositoryName != nil {
+		in, out := &in.RepositoryName, &out.RepositoryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerDistributionConfigurationTargetRepositoryObservation.
@@ -686,6 +910,18 @@ func (in *ContainerRecipe) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContainerRecipeComponentObservation) DeepCopyInto(out *ContainerRecipeComponentObservation) {
 	*out = *in
+	if in.ComponentArn != nil {
+		in, out := &in.ComponentArn, &out.ComponentArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerRecipeComponentObservation.
@@ -775,11 +1011,38 @@ func (in *ContainerRecipeObservation) DeepCopyInto(out *ContainerRecipeObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Component != nil {
+		in, out := &in.Component, &out.Component
+		*out = make([]ContainerRecipeComponentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ContainerType != nil {
+		in, out := &in.ContainerType, &out.ContainerType
+		*out = new(string)
+		**out = **in
+	}
 	if in.DateCreated != nil {
 		in, out := &in.DateCreated, &out.DateCreated
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DockerfileTemplateData != nil {
+		in, out := &in.DockerfileTemplateData, &out.DockerfileTemplateData
+		*out = new(string)
+		**out = **in
+	}
+	if in.DockerfileTemplateURI != nil {
+		in, out := &in.DockerfileTemplateURI, &out.DockerfileTemplateURI
+		*out = new(string)
+		**out = **in
+	}
 	if in.Encrypted != nil {
 		in, out := &in.Encrypted, &out.Encrypted
 		*out = new(bool)
@@ -790,16 +1053,53 @@ func (in *ContainerRecipeObservation) DeepCopyInto(out *ContainerRecipeObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceConfiguration != nil {
+		in, out := &in.InstanceConfiguration, &out.InstanceConfiguration
+		*out = make([]InstanceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Owner != nil {
 		in, out := &in.Owner, &out.Owner
 		*out = new(string)
 		**out = **in
 	}
+	if in.ParentImage != nil {
+		in, out := &in.ParentImage, &out.ParentImage
+		*out = new(string)
+		**out = **in
+	}
 	if in.Platform != nil {
 		in, out := &in.Platform, &out.Platform
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -815,6 +1115,23 @@ func (in *ContainerRecipeObservation) DeepCopyInto(out *ContainerRecipeObservati
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetRepository != nil {
+		in, out := &in.TargetRepository, &out.TargetRepository
+		*out = make([]TargetRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
+	if in.WorkingDirectory != nil {
+		in, out := &in.WorkingDirectory, &out.WorkingDirectory
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerRecipeObservation.
@@ -1049,11 +1366,43 @@ func (in *DistributionConfigurationObservation) DeepCopyInto(out *DistributionCo
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Distribution != nil {
+		in, out := &in.Distribution, &out.Distribution
+		*out = make([]DistributionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1170,6 +1519,50 @@ func (in *DistributionConfigurationStatus) DeepCopy() *DistributionConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DistributionObservation) DeepCopyInto(out *DistributionObservation) {
 	*out = *in
+	if in.AMIDistributionConfiguration != nil {
+		in, out := &in.AMIDistributionConfiguration, &out.AMIDistributionConfiguration
+		*out = make([]AMIDistributionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ContainerDistributionConfiguration != nil {
+		in, out := &in.ContainerDistributionConfiguration, &out.ContainerDistributionConfiguration
+		*out = make([]ContainerDistributionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FastLaunchConfiguration != nil {
+		in, out := &in.FastLaunchConfiguration, &out.FastLaunchConfiguration
+		*out = make([]FastLaunchConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LaunchTemplateConfiguration != nil {
+		in, out := &in.LaunchTemplateConfiguration, &out.LaunchTemplateConfiguration
+		*out = make([]LaunchTemplateConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LicenseConfigurationArns != nil {
+		in, out := &in.LicenseConfigurationArns, &out.LicenseConfigurationArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DistributionObservation.
@@ -1244,6 +1637,46 @@ func (in *DistributionParameters) DeepCopy() *DistributionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSObservation) DeepCopyInto(out *EBSObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(string)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSObservation.
@@ -1314,6 +1747,35 @@ func (in *EBSParameters) DeepCopy() *EBSParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FastLaunchConfigurationObservation) DeepCopyInto(out *FastLaunchConfigurationObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LaunchTemplate != nil {
+		in, out := &in.LaunchTemplate, &out.LaunchTemplate
+		*out = make([]LaunchTemplateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaxParallelLaunches != nil {
+		in, out := &in.MaxParallelLaunches, &out.MaxParallelLaunches
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SnapshotConfiguration != nil {
+		in, out := &in.SnapshotConfiguration, &out.SnapshotConfiguration
+		*out = make([]SnapshotConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FastLaunchConfigurationObservation.
@@ -1437,16 +1899,48 @@ func (in *ImageObservation) DeepCopyInto(out *ImageObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ContainerRecipeArn != nil {
+		in, out := &in.ContainerRecipeArn, &out.ContainerRecipeArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.DateCreated != nil {
 		in, out := &in.DateCreated, &out.DateCreated
 		*out = new(string)
 		**out = **in
 	}
+	if in.DistributionConfigurationArn != nil {
+		in, out := &in.DistributionConfigurationArn, &out.DistributionConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnhancedImageMetadataEnabled != nil {
+		in, out := &in.EnhancedImageMetadataEnabled, &out.EnhancedImageMetadataEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageRecipeArn != nil {
+		in, out := &in.ImageRecipeArn, &out.ImageRecipeArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageTestsConfiguration != nil {
+		in, out := &in.ImageTestsConfiguration, &out.ImageTestsConfiguration
+		*out = make([]ImageTestsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InfrastructureConfigurationArn != nil {
+		in, out := &in.InfrastructureConfigurationArn, &out.InfrastructureConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.Name != nil {
 		in, out := &in.Name, &out.Name
 		*out = new(string)
@@ -1469,6 +1963,21 @@ func (in *ImageObservation) DeepCopyInto(out *ImageObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1628,6 +2137,16 @@ func (in *ImagePipeline) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImagePipelineImageTestsConfigurationObservation) DeepCopyInto(out *ImagePipelineImageTestsConfigurationObservation) {
 	*out = *in
+	if in.ImageTestsEnabled != nil {
+		in, out := &in.ImageTestsEnabled, &out.ImageTestsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TimeoutMinutes != nil {
+		in, out := &in.TimeoutMinutes, &out.TimeoutMinutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImagePipelineImageTestsConfigurationObservation.
@@ -1705,6 +2224,11 @@ func (in *ImagePipelineObservation) DeepCopyInto(out *ImagePipelineObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.ContainerRecipeArn != nil {
+		in, out := &in.ContainerRecipeArn, &out.ContainerRecipeArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.DateCreated != nil {
 		in, out := &in.DateCreated, &out.DateCreated
 		*out = new(string)
@@ -1725,16 +2249,80 @@ func (in *ImagePipelineObservation) DeepCopyInto(out *ImagePipelineObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DistributionConfigurationArn != nil {
+		in, out := &in.DistributionConfigurationArn, &out.DistributionConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnhancedImageMetadataEnabled != nil {
+		in, out := &in.EnhancedImageMetadataEnabled, &out.EnhancedImageMetadataEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageRecipeArn != nil {
+		in, out := &in.ImageRecipeArn, &out.ImageRecipeArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageTestsConfiguration != nil {
+		in, out := &in.ImageTestsConfiguration, &out.ImageTestsConfiguration
+		*out = make([]ImagePipelineImageTestsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InfrastructureConfigurationArn != nil {
+		in, out := &in.InfrastructureConfigurationArn, &out.InfrastructureConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Platform != nil {
 		in, out := &in.Platform, &out.Platform
 		*out = new(string)
 		**out = **in
 	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = make([]ScheduleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1935,6 +2523,28 @@ func (in *ImageRecipe) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageRecipeBlockDeviceMappingObservation) DeepCopyInto(out *ImageRecipeBlockDeviceMappingObservation) {
 	*out = *in
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EBS != nil {
+		in, out := &in.EBS, &out.EBS
+		*out = make([]BlockDeviceMappingEBSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoDevice != nil {
+		in, out := &in.NoDevice, &out.NoDevice
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRecipeBlockDeviceMappingObservation.
@@ -1987,6 +2597,18 @@ func (in *ImageRecipeBlockDeviceMappingParameters) DeepCopy() *ImageRecipeBlockD
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageRecipeComponentObservation) DeepCopyInto(out *ImageRecipeComponentObservation) {
 	*out = *in
+	if in.ComponentArn != nil {
+		in, out := &in.ComponentArn, &out.ComponentArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ComponentParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRecipeComponentObservation.
@@ -2076,26 +2698,77 @@ func (in *ImageRecipeObservation) DeepCopyInto(out *ImageRecipeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BlockDeviceMapping != nil {
+		in, out := &in.BlockDeviceMapping, &out.BlockDeviceMapping
+		*out = make([]ImageRecipeBlockDeviceMappingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Component != nil {
+		in, out := &in.Component, &out.Component
+		*out = make([]ImageRecipeComponentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DateCreated != nil {
 		in, out := &in.DateCreated, &out.DateCreated
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Owner != nil {
 		in, out := &in.Owner, &out.Owner
 		*out = new(string)
 		**out = **in
 	}
+	if in.ParentImage != nil {
+		in, out := &in.ParentImage, &out.ParentImage
+		*out = new(string)
+		**out = **in
+	}
 	if in.Platform != nil {
 		in, out := &in.Platform, &out.Platform
 		*out = new(string)
 		**out = **in
 	}
+	if in.SystemsManagerAgent != nil {
+		in, out := &in.SystemsManagerAgent, &out.SystemsManagerAgent
+		*out = make([]SystemsManagerAgentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2111,6 +2784,21 @@ func (in *ImageRecipeObservation) DeepCopyInto(out *ImageRecipeObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserDataBase64 != nil {
+		in, out := &in.UserDataBase64, &out.UserDataBase64
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
+	if in.WorkingDirectory != nil {
+		in, out := &in.WorkingDirectory, &out.WorkingDirectory
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageRecipeObservation.
@@ -2280,6 +2968,16 @@ func (in *ImageStatus) DeepCopy() *ImageStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageTestsConfigurationObservation) DeepCopyInto(out *ImageTestsConfigurationObservation) {
 	*out = *in
+	if in.ImageTestsEnabled != nil {
+		in, out := &in.ImageTestsEnabled, &out.ImageTestsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TimeoutMinutes != nil {
+		in, out := &in.TimeoutMinutes, &out.TimeoutMinutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageTestsConfigurationObservation.
@@ -2394,11 +3092,107 @@ func (in *InfrastructureConfigurationObservation) DeepCopyInto(out *Infrastructu
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceMetadataOptions != nil {
+		in, out := &in.InstanceMetadataOptions, &out.InstanceMetadataOptions
+		*out = make([]InstanceMetadataOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceProfileName != nil {
+		in, out := &in.InstanceProfileName, &out.InstanceProfileName
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceTypes != nil {
+		in, out := &in.InstanceTypes, &out.InstanceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.KeyPair != nil {
+		in, out := &in.KeyPair, &out.KeyPair
+		*out = new(string)
+		**out = **in
+	}
+	if in.Logging != nil {
+		in, out := &in.Logging, &out.Logging
+		*out = make([]LoggingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceTags != nil {
+		in, out := &in.ResourceTags, &out.ResourceTags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2414,6 +3208,11 @@ func (in *InfrastructureConfigurationObservation) DeepCopyInto(out *Infrastructu
 			(*out)[key] = outVal
 		}
 	}
+	if in.TerminateInstanceOnFailure != nil {
+		in, out := &in.TerminateInstanceOnFailure, &out.TerminateInstanceOnFailure
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InfrastructureConfigurationObservation.
@@ -2636,6 +3435,18 @@ func (in *InfrastructureConfigurationStatus) DeepCopy() *InfrastructureConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceConfigurationObservation) DeepCopyInto(out *InstanceConfigurationObservation) {
 	*out = *in
+	if in.BlockDeviceMapping != nil {
+		in, out := &in.BlockDeviceMapping, &out.BlockDeviceMapping
+		*out = make([]BlockDeviceMappingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Image != nil {
+		in, out := &in.Image, &out.Image
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceConfigurationObservation.
@@ -2678,6 +3489,16 @@ func (in *InstanceConfigurationParameters) DeepCopy() *InstanceConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceMetadataOptionsObservation) DeepCopyInto(out *InstanceMetadataOptionsObservation) {
 	*out = *in
+	if in.HTTPPutResponseHopLimit != nil {
+		in, out := &in.HTTPPutResponseHopLimit, &out.HTTPPutResponseHopLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPTokens != nil {
+		in, out := &in.HTTPTokens, &out.HTTPTokens
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceMetadataOptionsObservation.
@@ -2718,6 +3539,50 @@ func (in *InstanceMetadataOptionsParameters) DeepCopy() *InstanceMetadataOptions
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchPermissionObservation) DeepCopyInto(out *LaunchPermissionObservation) {
 	*out = *in
+	if in.OrganizationArns != nil {
+		in, out := &in.OrganizationArns, &out.OrganizationArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OrganizationalUnitArns != nil {
+		in, out := &in.OrganizationalUnitArns, &out.OrganizationalUnitArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.UserGroups != nil {
+		in, out := &in.UserGroups, &out.UserGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.UserIds != nil {
+		in, out := &in.UserIds, &out.UserIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchPermissionObservation.
@@ -2792,6 +3657,21 @@ func (in *LaunchPermissionParameters) DeepCopy() *LaunchPermissionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateConfigurationObservation) DeepCopyInto(out *LaunchTemplateConfigurationObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Default != nil {
+		in, out := &in.Default, &out.Default
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LaunchTemplateID != nil {
+		in, out := &in.LaunchTemplateID, &out.LaunchTemplateID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateConfigurationObservation.
@@ -2837,6 +3717,21 @@ func (in *LaunchTemplateConfigurationParameters) DeepCopy() *LaunchTemplateConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LaunchTemplateObservation) DeepCopyInto(out *LaunchTemplateObservation) {
 	*out = *in
+	if in.LaunchTemplateID != nil {
+		in, out := &in.LaunchTemplateID, &out.LaunchTemplateID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchTemplateName != nil {
+		in, out := &in.LaunchTemplateName, &out.LaunchTemplateName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchTemplateVersion != nil {
+		in, out := &in.LaunchTemplateVersion, &out.LaunchTemplateVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LaunchTemplateObservation.
@@ -2882,6 +3777,13 @@ func (in *LaunchTemplateParameters) DeepCopy() *LaunchTemplateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingObservation) DeepCopyInto(out *LoggingObservation) {
 	*out = *in
+	if in.S3Logs != nil {
+		in, out := &in.S3Logs, &out.S3Logs
+		*out = make([]S3LogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingObservation.
@@ -2956,6 +3858,16 @@ func (in *OutputResourcesParameters) DeepCopy() *OutputResourcesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -2996,6 +3908,16 @@ func (in *ParameterParameters) DeepCopy() *ParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3LogsObservation) DeepCopyInto(out *S3LogsObservation) {
 	*out = *in
+	if in.S3BucketName != nil {
+		in, out := &in.S3BucketName, &out.S3BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KeyPrefix != nil {
+		in, out := &in.S3KeyPrefix, &out.S3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3LogsObservation.
@@ -3046,6 +3968,21 @@ func (in *S3LogsParameters) DeepCopy() *S3LogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduleObservation) DeepCopyInto(out *ScheduleObservation) {
 	*out = *in
+	if in.PipelineExecutionStartCondition != nil {
+		in, out := &in.PipelineExecutionStartCondition, &out.PipelineExecutionStartCondition
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleExpression != nil {
+		in, out := &in.ScheduleExpression, &out.ScheduleExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timezone != nil {
+		in, out := &in.Timezone, &out.Timezone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleObservation.
@@ -3091,6 +4028,11 @@ func (in *ScheduleParameters) DeepCopy() *ScheduleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapshotConfigurationObservation) DeepCopyInto(out *SnapshotConfigurationObservation) {
 	*out = *in
+	if in.TargetResourceCount != nil {
+		in, out := &in.TargetResourceCount, &out.TargetResourceCount
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotConfigurationObservation.
@@ -3126,6 +4068,11 @@ func (in *SnapshotConfigurationParameters) DeepCopy() *SnapshotConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SystemsManagerAgentObservation) DeepCopyInto(out *SystemsManagerAgentObservation) {
 	*out = *in
+	if in.UninstallAfterBuild != nil {
+		in, out := &in.UninstallAfterBuild, &out.UninstallAfterBuild
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SystemsManagerAgentObservation.
@@ -3161,6 +4108,16 @@ func (in *SystemsManagerAgentParameters) DeepCopy() *SystemsManagerAgentParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetRepositoryObservation) DeepCopyInto(out *TargetRepositoryObservation) {
 	*out = *in
+	if in.RepositoryName != nil {
+		in, out := &in.RepositoryName, &out.RepositoryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Service != nil {
+		in, out := &in.Service, &out.Service
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetRepositoryObservation.
diff --git a/apis/imagebuilder/v1beta1/zz_image_types.go b/apis/imagebuilder/v1beta1/zz_image_types.go
index 7b77935dd9..ada57950a7 100755
--- a/apis/imagebuilder/v1beta1/zz_image_types.go
+++ b/apis/imagebuilder/v1beta1/zz_image_types.go
@@ -39,11 +39,29 @@ type ImageObservation struct {
 	// Amazon Resource Name (ARN) of the image.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// - Amazon Resource Name (ARN) of the container recipe.
+	ContainerRecipeArn *string `json:"containerRecipeArn,omitempty" tf:"container_recipe_arn,omitempty"`
+
 	// Date the image was created.
 	DateCreated *string `json:"dateCreated,omitempty" tf:"date_created,omitempty"`
 
+	// Amazon Resource Name (ARN) of the Image Builder Distribution Configuration.
+	DistributionConfigurationArn *string `json:"distributionConfigurationArn,omitempty" tf:"distribution_configuration_arn,omitempty"`
+
+	// Whether additional information about the image being created is collected. Defaults to true.
+	EnhancedImageMetadataEnabled *bool `json:"enhancedImageMetadataEnabled,omitempty" tf:"enhanced_image_metadata_enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amazon Resource Name (ARN) of the image recipe.
+	ImageRecipeArn *string `json:"imageRecipeArn,omitempty" tf:"image_recipe_arn,omitempty"`
+
+	// Configuration block with image tests configuration. Detailed below.
+	ImageTestsConfiguration []ImageTestsConfigurationObservation `json:"imageTestsConfiguration,omitempty" tf:"image_tests_configuration,omitempty"`
+
+	// Amazon Resource Name (ARN) of the Image Builder Infrastructure Configuration.
+	InfrastructureConfigurationArn *string `json:"infrastructureConfigurationArn,omitempty" tf:"infrastructure_configuration_arn,omitempty"`
+
 	// Name of the AMI.
 	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
@@ -56,6 +74,9 @@ type ImageObservation struct {
 	// Platform of the image.
 	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -131,6 +152,12 @@ type ImageParameters struct {
 }
 
 type ImageTestsConfigurationObservation struct {
+
+	// Whether image tests are enabled. Defaults to true.
+	ImageTestsEnabled *bool `json:"imageTestsEnabled,omitempty" tf:"image_tests_enabled,omitempty"`
+
+	// Number of minutes before image tests time out. Valid values are between 60 and 1440. Defaults to 720.
+	TimeoutMinutes *float64 `json:"timeoutMinutes,omitempty" tf:"timeout_minutes,omitempty"`
 }
 
 type ImageTestsConfigurationParameters struct {
diff --git a/apis/imagebuilder/v1beta1/zz_imagepipeline_types.go b/apis/imagebuilder/v1beta1/zz_imagepipeline_types.go
index a65be837a0..408cb971d5 100755
--- a/apis/imagebuilder/v1beta1/zz_imagepipeline_types.go
+++ b/apis/imagebuilder/v1beta1/zz_imagepipeline_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ImagePipelineImageTestsConfigurationObservation struct {
+
+	// Whether image tests are enabled. Defaults to true.
+	ImageTestsEnabled *bool `json:"imageTestsEnabled,omitempty" tf:"image_tests_enabled,omitempty"`
+
+	// Number of minutes before image tests time out. Valid values are between 60 and 1440. Defaults to 720.
+	TimeoutMinutes *float64 `json:"timeoutMinutes,omitempty" tf:"timeout_minutes,omitempty"`
 }
 
 type ImagePipelineImageTestsConfigurationParameters struct {
@@ -32,6 +38,9 @@ type ImagePipelineObservation struct {
 	// Amazon Resource Name (ARN) of the image pipeline.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Amazon Resource Name (ARN) of the container recipe.
+	ContainerRecipeArn *string `json:"containerRecipeArn,omitempty" tf:"container_recipe_arn,omitempty"`
+
 	// Date the image pipeline was created.
 	DateCreated *string `json:"dateCreated,omitempty" tf:"date_created,omitempty"`
 
@@ -44,11 +53,41 @@ type ImagePipelineObservation struct {
 	// Date the image pipeline was updated.
 	DateUpdated *string `json:"dateUpdated,omitempty" tf:"date_updated,omitempty"`
 
+	// Description of the image pipeline.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Amazon Resource Name (ARN) of the Image Builder Distribution Configuration.
+	DistributionConfigurationArn *string `json:"distributionConfigurationArn,omitempty" tf:"distribution_configuration_arn,omitempty"`
+
+	// Whether additional information about the image being created is collected. Defaults to true.
+	EnhancedImageMetadataEnabled *bool `json:"enhancedImageMetadataEnabled,omitempty" tf:"enhanced_image_metadata_enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amazon Resource Name (ARN) of the image recipe.
+	ImageRecipeArn *string `json:"imageRecipeArn,omitempty" tf:"image_recipe_arn,omitempty"`
+
+	// Configuration block with image tests configuration. Detailed below.
+	ImageTestsConfiguration []ImagePipelineImageTestsConfigurationObservation `json:"imageTestsConfiguration,omitempty" tf:"image_tests_configuration,omitempty"`
+
+	// Amazon Resource Name (ARN) of the Image Builder Infrastructure Configuration.
+	InfrastructureConfigurationArn *string `json:"infrastructureConfigurationArn,omitempty" tf:"infrastructure_configuration_arn,omitempty"`
+
+	// Name of the image pipeline.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Platform of the image pipeline.
 	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
 
+	// Configuration block with schedule settings. Detailed below.
+	Schedule []ScheduleObservation `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// Status of the image pipeline. Valid values are DISABLED and ENABLED. Defaults to ENABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -104,8 +143,8 @@ type ImagePipelineParameters struct {
 	InfrastructureConfigurationArnSelector *v1.Selector `json:"infrastructureConfigurationArnSelector,omitempty" tf:"-"`
 
 	// Name of the image pipeline.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -126,6 +165,15 @@ type ImagePipelineParameters struct {
 }
 
 type ScheduleObservation struct {
+
+	// Condition when the pipeline should trigger a new image build. Valid values are EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE and EXPRESSION_MATCH_ONLY. Defaults to EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE.
+	PipelineExecutionStartCondition *string `json:"pipelineExecutionStartCondition,omitempty" tf:"pipeline_execution_start_condition,omitempty"`
+
+	// Cron expression of how often the pipeline start condition is evaluated. For example, cron(0 0 * * ? *) is evaluated every day at midnight UTC. Configurations using the five field syntax that was previously accepted by the API, such as cron(0 0 * * *), must be updated to the six field syntax. For more information, see the Image Builder User Guide.
+	ScheduleExpression *string `json:"scheduleExpression,omitempty" tf:"schedule_expression,omitempty"`
+
+	// The timezone that applies to the scheduling expression. For example, "Etc/UTC", "America/Los_Angeles" in the IANA timezone format. If not specified this defaults to UTC.
+	Timezone *string `json:"timezone,omitempty" tf:"timezone,omitempty"`
 }
 
 type ScheduleParameters struct {
@@ -167,8 +215,9 @@ type ImagePipelineStatus struct {
 type ImagePipeline struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ImagePipelineSpec   `json:"spec"`
-	Status            ImagePipelineStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ImagePipelineSpec   `json:"spec"`
+	Status ImagePipelineStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/imagebuilder/v1beta1/zz_imagerecipe_types.go b/apis/imagebuilder/v1beta1/zz_imagerecipe_types.go
index 42ac9d09ad..0283dd41d4 100755
--- a/apis/imagebuilder/v1beta1/zz_imagerecipe_types.go
+++ b/apis/imagebuilder/v1beta1/zz_imagerecipe_types.go
@@ -14,6 +14,30 @@ import (
 )
 
 type BlockDeviceMappingEBSObservation struct {
+
+	// Whether to delete the volume on termination. Defaults to unset, which is the value inherited from the parent image.
+	DeleteOnTermination *string `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Whether to encrypt the volume. Defaults to unset, which is the value inherited from the parent image.
+	Encrypted *string `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// Number of Input/Output (I/O) operations per second to provision for an io1 or io2 volume.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Amazon Resource Name (ARN) of the Key Management Service (KMS) Key for encryption.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Identifier of the EC2 Volume Snapshot.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// For GP3 volumes only. The throughput in MiB/s that the volume supports.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// Size of the volume, in GiB.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of the volume. For example, gp2 or io2.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type BlockDeviceMappingEBSParameters struct {
@@ -52,6 +76,12 @@ type BlockDeviceMappingEBSParameters struct {
 }
 
 type ComponentParameterObservation struct {
+
+	// The name of the component parameter.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value for the named component parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ComponentParameterParameters struct {
@@ -66,6 +96,18 @@ type ComponentParameterParameters struct {
 }
 
 type ImageRecipeBlockDeviceMappingObservation struct {
+
+	// Name of the device. For example, /dev/sda or /dev/xvdb.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Configuration block with Elastic Block Storage (EBS) block device mapping settings. Detailed below.
+	EBS []BlockDeviceMappingEBSObservation `json:"ebs,omitempty" tf:"ebs,omitempty"`
+
+	// Set to true to remove a mapping from the parent image.
+	NoDevice *bool `json:"noDevice,omitempty" tf:"no_device,omitempty"`
+
+	// Virtual device name. For example, ephemeral0. Instance store volumes are numbered starting from 0.
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type ImageRecipeBlockDeviceMappingParameters struct {
@@ -88,6 +130,12 @@ type ImageRecipeBlockDeviceMappingParameters struct {
 }
 
 type ImageRecipeComponentObservation struct {
+
+	// Amazon Resource Name (ARN) of the Image Builder Component to associate.
+	ComponentArn *string `json:"componentArn,omitempty" tf:"component_arn,omitempty"`
+
+	// Configuration block(s) for parameters to configure the component. Detailed below.
+	Parameter []ComponentParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
 }
 
 type ImageRecipeComponentParameters struct {
@@ -116,19 +164,49 @@ type ImageRecipeObservation struct {
 	// Amazon Resource Name (ARN) of the image recipe.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block(s) with block device mappings for the image recipe. Detailed below.
+	BlockDeviceMapping []ImageRecipeBlockDeviceMappingObservation `json:"blockDeviceMapping,omitempty" tf:"block_device_mapping,omitempty"`
+
+	// Ordered configuration block(s) with components for the image recipe. Detailed below.
+	Component []ImageRecipeComponentObservation `json:"component,omitempty" tf:"component,omitempty"`
+
 	// Date the image recipe was created.
 	DateCreated *string `json:"dateCreated,omitempty" tf:"date_created,omitempty"`
 
+	// Description of the image recipe.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the image recipe.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Owner of the image recipe.
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 
+	// The image recipe uses this image as a base from which to build your customized image. The value can be the base image ARN or an AMI ID.
+	ParentImage *string `json:"parentImage,omitempty" tf:"parent_image,omitempty"`
+
 	// Platform of the image recipe.
 	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
 
+	// Configuration block for the Systems Manager Agent installed by default by Image Builder. Detailed below.
+	SystemsManagerAgent []SystemsManagerAgentObservation `json:"systemsManagerAgent,omitempty" tf:"systems_manager_agent,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Base64 encoded user data. Use this to provide commands or a command script to run when you launch your build instance.
+	UserDataBase64 *string `json:"userDataBase64,omitempty" tf:"user_data_base64,omitempty"`
+
+	// The semantic version of the image recipe, which specifies the version in the following format, with numeric values in each position to indicate a specific version: major.minor.patch. For example: 1.0.0.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
+
+	// The working directory to be used during build and test workflows.
+	WorkingDirectory *string `json:"workingDirectory,omitempty" tf:"working_directory,omitempty"`
 }
 
 type ImageRecipeParameters struct {
@@ -138,20 +216,20 @@ type ImageRecipeParameters struct {
 	BlockDeviceMapping []ImageRecipeBlockDeviceMappingParameters `json:"blockDeviceMapping,omitempty" tf:"block_device_mapping,omitempty"`
 
 	// Ordered configuration block(s) with components for the image recipe. Detailed below.
-	// +kubebuilder:validation:Required
-	Component []ImageRecipeComponentParameters `json:"component" tf:"component,omitempty"`
+	// +kubebuilder:validation:Optional
+	Component []ImageRecipeComponentParameters `json:"component,omitempty" tf:"component,omitempty"`
 
 	// Description of the image recipe.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Name of the image recipe.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The image recipe uses this image as a base from which to build your customized image. The value can be the base image ARN or an AMI ID.
-	// +kubebuilder:validation:Required
-	ParentImage *string `json:"parentImage" tf:"parent_image,omitempty"`
+	// +kubebuilder:validation:Optional
+	ParentImage *string `json:"parentImage,omitempty" tf:"parent_image,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -171,8 +249,8 @@ type ImageRecipeParameters struct {
 	UserDataBase64 *string `json:"userDataBase64,omitempty" tf:"user_data_base64,omitempty"`
 
 	// The semantic version of the image recipe, which specifies the version in the following format, with numeric values in each position to indicate a specific version: major.minor.patch. For example: 1.0.0.
-	// +kubebuilder:validation:Required
-	Version *string `json:"version" tf:"version,omitempty"`
+	// +kubebuilder:validation:Optional
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 
 	// The working directory to be used during build and test workflows.
 	// +kubebuilder:validation:Optional
@@ -180,6 +258,9 @@ type ImageRecipeParameters struct {
 }
 
 type SystemsManagerAgentObservation struct {
+
+	// Whether to remove the Systems Manager Agent after the image has been built. Defaults to false.
+	UninstallAfterBuild *bool `json:"uninstallAfterBuild,omitempty" tf:"uninstall_after_build,omitempty"`
 }
 
 type SystemsManagerAgentParameters struct {
@@ -213,8 +294,12 @@ type ImageRecipeStatus struct {
 type ImageRecipe struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ImageRecipeSpec   `json:"spec"`
-	Status            ImageRecipeStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.component)",message="component is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parentImage)",message="parentImage is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)",message="version is a required parameter"
+	Spec   ImageRecipeSpec   `json:"spec"`
+	Status ImageRecipeStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/imagebuilder/v1beta1/zz_infrastructureconfiguration_types.go b/apis/imagebuilder/v1beta1/zz_infrastructureconfiguration_types.go
index 8e960a8ca7..1441e86bd6 100755
--- a/apis/imagebuilder/v1beta1/zz_infrastructureconfiguration_types.go
+++ b/apis/imagebuilder/v1beta1/zz_infrastructureconfiguration_types.go
@@ -24,11 +24,50 @@ type InfrastructureConfigurationObservation struct {
 	// Date when the configuration was updated.
 	DateUpdated *string `json:"dateUpdated,omitempty" tf:"date_updated,omitempty"`
 
+	// Description for the configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Amazon Resource Name (ARN) of the configuration.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block with instance metadata options for the HTTP requests that pipeline builds use to launch EC2 build and test instances. Detailed below.
+	InstanceMetadataOptions []InstanceMetadataOptionsObservation `json:"instanceMetadataOptions,omitempty" tf:"instance_metadata_options,omitempty"`
+
+	// Name of IAM Instance Profile.
+	InstanceProfileName *string `json:"instanceProfileName,omitempty" tf:"instance_profile_name,omitempty"`
+
+	// Set of EC2 Instance Types.
+	InstanceTypes []*string `json:"instanceTypes,omitempty" tf:"instance_types,omitempty"`
+
+	// Name of EC2 Key Pair.
+	KeyPair *string `json:"keyPair,omitempty" tf:"key_pair,omitempty"`
+
+	// Configuration block with logging settings. Detailed below.
+	Logging []LoggingObservation `json:"logging,omitempty" tf:"logging,omitempty"`
+
+	// Name for the configuration.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags to assign to infrastructure created by the configuration.
+	ResourceTags map[string]*string `json:"resourceTags,omitempty" tf:"resource_tags,omitempty"`
+
+	// Set of EC2 Security Group identifiers.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Amazon Resource Name (ARN) of SNS Topic.
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
+
+	// EC2 Subnet identifier. Also requires security_group_ids argument.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Enable if the instance should be terminated when the pipeline fails. Defaults to false.
+	TerminateInstanceOnFailure *bool `json:"terminateInstanceOnFailure,omitempty" tf:"terminate_instance_on_failure,omitempty"`
 }
 
 type InfrastructureConfigurationParameters struct {
@@ -76,8 +115,8 @@ type InfrastructureConfigurationParameters struct {
 	Logging []LoggingParameters `json:"logging,omitempty" tf:"logging,omitempty"`
 
 	// Name for the configuration.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -140,6 +179,12 @@ type InfrastructureConfigurationParameters struct {
 }
 
 type InstanceMetadataOptionsObservation struct {
+
+	// The number of hops that an instance can traverse to reach its destonation.
+	HTTPPutResponseHopLimit *float64 `json:"httpPutResponseHopLimit,omitempty" tf:"http_put_response_hop_limit,omitempty"`
+
+	// Whether a signed token is required for instance metadata retrieval requests. Valid values: required, optional.
+	HTTPTokens *string `json:"httpTokens,omitempty" tf:"http_tokens,omitempty"`
 }
 
 type InstanceMetadataOptionsParameters struct {
@@ -154,6 +199,9 @@ type InstanceMetadataOptionsParameters struct {
 }
 
 type LoggingObservation struct {
+
+	// Configuration block with S3 logging settings. Detailed below.
+	S3Logs []S3LogsObservation `json:"s3Logs,omitempty" tf:"s3_logs,omitempty"`
 }
 
 type LoggingParameters struct {
@@ -164,6 +212,12 @@ type LoggingParameters struct {
 }
 
 type S3LogsObservation struct {
+
+	// Name of the S3 Bucket.
+	S3BucketName *string `json:"s3BucketName,omitempty" tf:"s3_bucket_name,omitempty"`
+
+	// Prefix to use for S3 logs. Defaults to /.
+	S3KeyPrefix *string `json:"s3KeyPrefix,omitempty" tf:"s3_key_prefix,omitempty"`
 }
 
 type S3LogsParameters struct {
@@ -210,8 +264,9 @@ type InfrastructureConfigurationStatus struct {
 type InfrastructureConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InfrastructureConfigurationSpec   `json:"spec"`
-	Status            InfrastructureConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   InfrastructureConfigurationSpec   `json:"spec"`
+	Status InfrastructureConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/inspector/v1beta1/zz_assessmenttarget_types.go b/apis/inspector/v1beta1/zz_assessmenttarget_types.go
index 434cf6f947..6ec2fb1b29 100755
--- a/apis/inspector/v1beta1/zz_assessmenttarget_types.go
+++ b/apis/inspector/v1beta1/zz_assessmenttarget_types.go
@@ -19,13 +19,19 @@ type AssessmentTargetObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the assessment target.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Inspector Resource Group Amazon Resource Name (ARN) stating tags for instance matching. If not specified, all EC2 instances in the current AWS account and region are included in the assessment target.
+	ResourceGroupArn *string `json:"resourceGroupArn,omitempty" tf:"resource_group_arn,omitempty"`
 }
 
 type AssessmentTargetParameters struct {
 
 	// The name of the assessment target.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -71,8 +77,9 @@ type AssessmentTargetStatus struct {
 type AssessmentTarget struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AssessmentTargetSpec   `json:"spec"`
-	Status            AssessmentTargetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AssessmentTargetSpec   `json:"spec"`
+	Status AssessmentTargetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/inspector/v1beta1/zz_assessmenttemplate_types.go b/apis/inspector/v1beta1/zz_assessmenttemplate_types.go
index 3b01c6f252..f5da38fedb 100755
--- a/apis/inspector/v1beta1/zz_assessmenttemplate_types.go
+++ b/apis/inspector/v1beta1/zz_assessmenttemplate_types.go
@@ -18,25 +18,43 @@ type AssessmentTemplateObservation struct {
 	// The template assessment ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The duration of the inspector run.
+	Duration *float64 `json:"duration,omitempty" tf:"duration,omitempty"`
+
+	// A block that enables sending notifications about a specified assessment template event to a designated SNS topic. See Event Subscriptions for details.
+	EventSubscription []EventSubscriptionObservation `json:"eventSubscription,omitempty" tf:"event_subscription,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the assessment template.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The rules to be used during the run.
+	RulesPackageArns []*string `json:"rulesPackageArns,omitempty" tf:"rules_package_arns,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The assessment target ARN to attach the template to.
+	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
 }
 
 type AssessmentTemplateParameters struct {
 
 	// The duration of the inspector run.
-	// +kubebuilder:validation:Required
-	Duration *float64 `json:"duration" tf:"duration,omitempty"`
+	// +kubebuilder:validation:Optional
+	Duration *float64 `json:"duration,omitempty" tf:"duration,omitempty"`
 
 	// A block that enables sending notifications about a specified assessment template event to a designated SNS topic. See Event Subscriptions for details.
 	// +kubebuilder:validation:Optional
 	EventSubscription []EventSubscriptionParameters `json:"eventSubscription,omitempty" tf:"event_subscription,omitempty"`
 
 	// The name of the assessment template.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -44,8 +62,8 @@ type AssessmentTemplateParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The rules to be used during the run.
-	// +kubebuilder:validation:Required
-	RulesPackageArns []*string `json:"rulesPackageArns" tf:"rules_package_arns,omitempty"`
+	// +kubebuilder:validation:Optional
+	RulesPackageArns []*string `json:"rulesPackageArns,omitempty" tf:"rules_package_arns,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -67,6 +85,12 @@ type AssessmentTemplateParameters struct {
 }
 
 type EventSubscriptionObservation struct {
+
+	// The event for which you want to receive SNS notifications. Valid values are ASSESSMENT_RUN_STARTED, ASSESSMENT_RUN_COMPLETED, ASSESSMENT_RUN_STATE_CHANGED, and FINDING_REPORTED.
+	Event *string `json:"event,omitempty" tf:"event,omitempty"`
+
+	// The ARN of the SNS topic to which notifications are sent.
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type EventSubscriptionParameters struct {
@@ -114,8 +138,11 @@ type AssessmentTemplateStatus struct {
 type AssessmentTemplate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AssessmentTemplateSpec   `json:"spec"`
-	Status            AssessmentTemplateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.duration)",message="duration is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rulesPackageArns)",message="rulesPackageArns is a required parameter"
+	Spec   AssessmentTemplateSpec   `json:"spec"`
+	Status AssessmentTemplateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/inspector/v1beta1/zz_generated.deepcopy.go b/apis/inspector/v1beta1/zz_generated.deepcopy.go
index e1882e2a35..59d51aa9e3 100644
--- a/apis/inspector/v1beta1/zz_generated.deepcopy.go
+++ b/apis/inspector/v1beta1/zz_generated.deepcopy.go
@@ -86,6 +86,16 @@ func (in *AssessmentTargetObservation) DeepCopyInto(out *AssessmentTargetObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceGroupArn != nil {
+		in, out := &in.ResourceGroupArn, &out.ResourceGroupArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AssessmentTargetObservation.
@@ -239,11 +249,54 @@ func (in *AssessmentTemplateObservation) DeepCopyInto(out *AssessmentTemplateObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Duration != nil {
+		in, out := &in.Duration, &out.Duration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EventSubscription != nil {
+		in, out := &in.EventSubscription, &out.EventSubscription
+		*out = make([]EventSubscriptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RulesPackageArns != nil {
+		in, out := &in.RulesPackageArns, &out.RulesPackageArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -259,6 +312,11 @@ func (in *AssessmentTemplateObservation) DeepCopyInto(out *AssessmentTemplateObs
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetArn != nil {
+		in, out := &in.TargetArn, &out.TargetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AssessmentTemplateObservation.
@@ -386,6 +444,16 @@ func (in *AssessmentTemplateStatus) DeepCopy() *AssessmentTemplateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventSubscriptionObservation) DeepCopyInto(out *EventSubscriptionObservation) {
 	*out = *in
+	if in.Event != nil {
+		in, out := &in.Event, &out.Event
+		*out = new(string)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventSubscriptionObservation.
@@ -505,6 +573,21 @@ func (in *ResourceGroupObservation) DeepCopyInto(out *ResourceGroupObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceGroupObservation.
diff --git a/apis/inspector/v1beta1/zz_resourcegroup_types.go b/apis/inspector/v1beta1/zz_resourcegroup_types.go
index 0f22fdde94..d1520ee94a 100755
--- a/apis/inspector/v1beta1/zz_resourcegroup_types.go
+++ b/apis/inspector/v1beta1/zz_resourcegroup_types.go
@@ -19,6 +19,9 @@ type ResourceGroupObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type ResourceGroupParameters struct {
@@ -29,8 +32,8 @@ type ResourceGroupParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Key-value map of resource tags.
-	// +kubebuilder:validation:Required
-	Tags map[string]*string `json:"tags" tf:"tags,omitempty"`
+	// +kubebuilder:validation:Optional
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 // ResourceGroupSpec defines the desired state of ResourceGroup
@@ -57,8 +60,9 @@ type ResourceGroupStatus struct {
 type ResourceGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceGroupSpec   `json:"spec"`
-	Status            ResourceGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tags)",message="tags is a required parameter"
+	Spec   ResourceGroupSpec   `json:"spec"`
+	Status ResourceGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/inspector2/v1beta1/zz_enabler_types.go b/apis/inspector2/v1beta1/zz_enabler_types.go
index 8f0ec6c8da..3bed78ee1a 100755
--- a/apis/inspector2/v1beta1/zz_enabler_types.go
+++ b/apis/inspector2/v1beta1/zz_enabler_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type EnablerObservation struct {
+
+	// Set of account IDs.
+	AccountIds []*string `json:"accountIds,omitempty" tf:"account_ids,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Type of resources to scan. Valid values are EC2, ECR, and LAMBDA.
+	ResourceTypes []*string `json:"resourceTypes,omitempty" tf:"resource_types,omitempty"`
 }
 
 type EnablerParameters struct {
 
 	// Set of account IDs.
-	// +kubebuilder:validation:Required
-	AccountIds []*string `json:"accountIds" tf:"account_ids,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccountIds []*string `json:"accountIds,omitempty" tf:"account_ids,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -29,8 +36,8 @@ type EnablerParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Type of resources to scan. Valid values are EC2, ECR, and LAMBDA.
-	// +kubebuilder:validation:Required
-	ResourceTypes []*string `json:"resourceTypes" tf:"resource_types,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceTypes []*string `json:"resourceTypes,omitempty" tf:"resource_types,omitempty"`
 }
 
 // EnablerSpec defines the desired state of Enabler
@@ -57,8 +64,10 @@ type EnablerStatus struct {
 type Enabler struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EnablerSpec   `json:"spec"`
-	Status            EnablerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountIds)",message="accountIds is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceTypes)",message="resourceTypes is a required parameter"
+	Spec   EnablerSpec   `json:"spec"`
+	Status EnablerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/inspector2/v1beta1/zz_generated.deepcopy.go b/apis/inspector2/v1beta1/zz_generated.deepcopy.go
index 403d5c4936..d0a4ab23b3 100644
--- a/apis/inspector2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/inspector2/v1beta1/zz_generated.deepcopy.go
@@ -75,11 +75,33 @@ func (in *EnablerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnablerObservation) DeepCopyInto(out *EnablerObservation) {
 	*out = *in
+	if in.AccountIds != nil {
+		in, out := &in.AccountIds, &out.AccountIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceTypes != nil {
+		in, out := &in.ResourceTypes, &out.ResourceTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnablerObservation.
diff --git a/apis/iot/v1beta1/zz_certificate_types.go b/apis/iot/v1beta1/zz_certificate_types.go
index 7e1ba9366a..b9470d080f 100755
--- a/apis/iot/v1beta1/zz_certificate_types.go
+++ b/apis/iot/v1beta1/zz_certificate_types.go
@@ -15,9 +15,19 @@ import (
 
 type CertificateObservation struct {
 
+	// Boolean flag to indicate if the certificate should be active
+	Active *bool `json:"active,omitempty" tf:"active,omitempty"`
+
 	// The ARN of the created certificate.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The certificate signing request. Review
+	// CreateCertificateFromCsr
+	// for more information on generating a certificate from a certificate signing request (CSR).
+	// If none is specified both the certificate and keys will be generated, review CreateKeysAndCertificate
+	// for more information on generating keys and a certificate.
+	Csr *string `json:"csr,omitempty" tf:"csr,omitempty"`
+
 	// The internal ID assigned to this certificate.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -25,8 +35,8 @@ type CertificateObservation struct {
 type CertificateParameters struct {
 
 	// Boolean flag to indicate if the certificate should be active
-	// +kubebuilder:validation:Required
-	Active *bool `json:"active" tf:"active,omitempty"`
+	// +kubebuilder:validation:Optional
+	Active *bool `json:"active,omitempty" tf:"active,omitempty"`
 
 	// The CA certificate for the certificate to be registered. If this is set, the CA needs to be registered with AWS IoT beforehand.
 	// +kubebuilder:validation:Optional
@@ -78,8 +88,9 @@ type CertificateStatus struct {
 type Certificate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CertificateSpec   `json:"spec"`
-	Status            CertificateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.active)",message="active is a required parameter"
+	Spec   CertificateSpec   `json:"spec"`
+	Status CertificateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iot/v1beta1/zz_generated.deepcopy.go b/apis/iot/v1beta1/zz_generated.deepcopy.go
index 53fd46cb93..f3e0de5096 100644
--- a/apis/iot/v1beta1/zz_generated.deepcopy.go
+++ b/apis/iot/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttributePayloadObservation) DeepCopyInto(out *AttributePayloadObservation) {
 	*out = *in
+	if in.Attributes != nil {
+		in, out := &in.Attributes, &out.Attributes
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttributePayloadObservation.
@@ -121,11 +136,21 @@ func (in *CertificateList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 	*out = *in
+	if in.Active != nil {
+		in, out := &in.Active, &out.Active
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Csr != nil {
+		in, out := &in.Csr, &out.Csr
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -220,6 +245,26 @@ func (in *CertificateStatus) DeepCopy() *CertificateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchAlarmObservation) DeepCopyInto(out *CloudwatchAlarmObservation) {
 	*out = *in
+	if in.AlarmName != nil {
+		in, out := &in.AlarmName, &out.AlarmName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StateReason != nil {
+		in, out := &in.StateReason, &out.StateReason
+		*out = new(string)
+		**out = **in
+	}
+	if in.StateValue != nil {
+		in, out := &in.StateValue, &out.StateValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchAlarmObservation.
@@ -270,6 +315,16 @@ func (in *CloudwatchAlarmParameters) DeepCopy() *CloudwatchAlarmParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchLogsObservation) DeepCopyInto(out *CloudwatchLogsObservation) {
 	*out = *in
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchLogsObservation.
@@ -310,6 +365,36 @@ func (in *CloudwatchLogsParameters) DeepCopy() *CloudwatchLogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchMetricObservation) DeepCopyInto(out *CloudwatchMetricObservation) {
 	*out = *in
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricNamespace != nil {
+		in, out := &in.MetricNamespace, &out.MetricNamespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricTimestamp != nil {
+		in, out := &in.MetricTimestamp, &out.MetricTimestamp
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricUnit != nil {
+		in, out := &in.MetricUnit, &out.MetricUnit
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricValue != nil {
+		in, out := &in.MetricValue, &out.MetricValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchMetricObservation.
@@ -370,6 +455,16 @@ func (in *CloudwatchMetricParameters) DeepCopy() *CloudwatchMetricParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomFieldObservation) DeepCopyInto(out *CustomFieldObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomFieldObservation.
@@ -410,6 +505,16 @@ func (in *CustomFieldParameters) DeepCopy() *CustomFieldParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DimensionObservation) DeepCopyInto(out *DimensionObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DimensionObservation.
@@ -450,6 +555,56 @@ func (in *DimensionParameters) DeepCopy() *DimensionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DynamodbObservation) DeepCopyInto(out *DynamodbObservation) {
 	*out = *in
+	if in.HashKeyField != nil {
+		in, out := &in.HashKeyField, &out.HashKeyField
+		*out = new(string)
+		**out = **in
+	}
+	if in.HashKeyType != nil {
+		in, out := &in.HashKeyType, &out.HashKeyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.HashKeyValue != nil {
+		in, out := &in.HashKeyValue, &out.HashKeyValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.Operation != nil {
+		in, out := &in.Operation, &out.Operation
+		*out = new(string)
+		**out = **in
+	}
+	if in.PayloadField != nil {
+		in, out := &in.PayloadField, &out.PayloadField
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKeyField != nil {
+		in, out := &in.RangeKeyField, &out.RangeKeyField
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKeyType != nil {
+		in, out := &in.RangeKeyType, &out.RangeKeyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKeyValue != nil {
+		in, out := &in.RangeKeyValue, &out.RangeKeyValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DynamodbObservation.
@@ -530,6 +685,18 @@ func (in *DynamodbParameters) DeepCopy() *DynamodbParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Dynamodbv2Observation) DeepCopyInto(out *Dynamodbv2Observation) {
 	*out = *in
+	if in.PutItem != nil {
+		in, out := &in.PutItem, &out.PutItem
+		*out = make([]PutItemObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Dynamodbv2Observation.
@@ -572,6 +739,11 @@ func (in *Dynamodbv2Parameters) DeepCopy() *Dynamodbv2Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Dynamodbv2PutItemObservation) DeepCopyInto(out *Dynamodbv2PutItemObservation) {
 	*out = *in
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Dynamodbv2PutItemObservation.
@@ -607,6 +779,31 @@ func (in *Dynamodbv2PutItemParameters) DeepCopy() *Dynamodbv2PutItemParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ElasticsearchObservation) DeepCopyInto(out *ElasticsearchObservation) {
 	*out = *in
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Index != nil {
+		in, out := &in.Index, &out.Index
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ElasticsearchObservation.
@@ -662,6 +859,26 @@ func (in *ElasticsearchParameters) DeepCopy() *ElasticsearchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorActionCloudwatchAlarmObservation) DeepCopyInto(out *ErrorActionCloudwatchAlarmObservation) {
 	*out = *in
+	if in.AlarmName != nil {
+		in, out := &in.AlarmName, &out.AlarmName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StateReason != nil {
+		in, out := &in.StateReason, &out.StateReason
+		*out = new(string)
+		**out = **in
+	}
+	if in.StateValue != nil {
+		in, out := &in.StateValue, &out.StateValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorActionCloudwatchAlarmObservation.
@@ -712,6 +929,16 @@ func (in *ErrorActionCloudwatchAlarmParameters) DeepCopy() *ErrorActionCloudwatc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorActionCloudwatchLogsObservation) DeepCopyInto(out *ErrorActionCloudwatchLogsObservation) {
 	*out = *in
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorActionCloudwatchLogsObservation.
@@ -752,6 +979,36 @@ func (in *ErrorActionCloudwatchLogsParameters) DeepCopy() *ErrorActionCloudwatch
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorActionCloudwatchMetricObservation) DeepCopyInto(out *ErrorActionCloudwatchMetricObservation) {
 	*out = *in
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricNamespace != nil {
+		in, out := &in.MetricNamespace, &out.MetricNamespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricTimestamp != nil {
+		in, out := &in.MetricTimestamp, &out.MetricTimestamp
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricUnit != nil {
+		in, out := &in.MetricUnit, &out.MetricUnit
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricValue != nil {
+		in, out := &in.MetricValue, &out.MetricValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorActionCloudwatchMetricObservation.
@@ -812,6 +1069,56 @@ func (in *ErrorActionCloudwatchMetricParameters) DeepCopy() *ErrorActionCloudwat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorActionDynamodbObservation) DeepCopyInto(out *ErrorActionDynamodbObservation) {
 	*out = *in
+	if in.HashKeyField != nil {
+		in, out := &in.HashKeyField, &out.HashKeyField
+		*out = new(string)
+		**out = **in
+	}
+	if in.HashKeyType != nil {
+		in, out := &in.HashKeyType, &out.HashKeyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.HashKeyValue != nil {
+		in, out := &in.HashKeyValue, &out.HashKeyValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.Operation != nil {
+		in, out := &in.Operation, &out.Operation
+		*out = new(string)
+		**out = **in
+	}
+	if in.PayloadField != nil {
+		in, out := &in.PayloadField, &out.PayloadField
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKeyField != nil {
+		in, out := &in.RangeKeyField, &out.RangeKeyField
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKeyType != nil {
+		in, out := &in.RangeKeyType, &out.RangeKeyType
+		*out = new(string)
+		**out = **in
+	}
+	if in.RangeKeyValue != nil {
+		in, out := &in.RangeKeyValue, &out.RangeKeyValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorActionDynamodbObservation.
@@ -892,6 +1199,18 @@ func (in *ErrorActionDynamodbParameters) DeepCopy() *ErrorActionDynamodbParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorActionDynamodbv2Observation) DeepCopyInto(out *ErrorActionDynamodbv2Observation) {
 	*out = *in
+	if in.PutItem != nil {
+		in, out := &in.PutItem, &out.PutItem
+		*out = make([]Dynamodbv2PutItemObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorActionDynamodbv2Observation.
@@ -934,6 +1253,31 @@ func (in *ErrorActionDynamodbv2Parameters) DeepCopy() *ErrorActionDynamodbv2Para
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorActionElasticsearchObservation) DeepCopyInto(out *ErrorActionElasticsearchObservation) {
 	*out = *in
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Index != nil {
+		in, out := &in.Index, &out.Index
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorActionElasticsearchObservation.
@@ -989,6 +1333,139 @@ func (in *ErrorActionElasticsearchParameters) DeepCopy() *ErrorActionElasticsear
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorActionObservation) DeepCopyInto(out *ErrorActionObservation) {
 	*out = *in
+	if in.CloudwatchAlarm != nil {
+		in, out := &in.CloudwatchAlarm, &out.CloudwatchAlarm
+		*out = make([]ErrorActionCloudwatchAlarmObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CloudwatchLogs != nil {
+		in, out := &in.CloudwatchLogs, &out.CloudwatchLogs
+		*out = make([]ErrorActionCloudwatchLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CloudwatchMetric != nil {
+		in, out := &in.CloudwatchMetric, &out.CloudwatchMetric
+		*out = make([]ErrorActionCloudwatchMetricObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Dynamodb != nil {
+		in, out := &in.Dynamodb, &out.Dynamodb
+		*out = make([]ErrorActionDynamodbObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Dynamodbv2 != nil {
+		in, out := &in.Dynamodbv2, &out.Dynamodbv2
+		*out = make([]ErrorActionDynamodbv2Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Elasticsearch != nil {
+		in, out := &in.Elasticsearch, &out.Elasticsearch
+		*out = make([]ErrorActionElasticsearchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Firehose != nil {
+		in, out := &in.Firehose, &out.Firehose
+		*out = make([]FirehoseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTP != nil {
+		in, out := &in.HTTP, &out.HTTP
+		*out = make([]HTTPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IotAnalytics != nil {
+		in, out := &in.IotAnalytics, &out.IotAnalytics
+		*out = make([]IotAnalyticsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IotEvents != nil {
+		in, out := &in.IotEvents, &out.IotEvents
+		*out = make([]IotEventsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Kafka != nil {
+		in, out := &in.Kafka, &out.Kafka
+		*out = make([]KafkaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Kinesis != nil {
+		in, out := &in.Kinesis, &out.Kinesis
+		*out = make([]KinesisObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Lambda != nil {
+		in, out := &in.Lambda, &out.Lambda
+		*out = make([]LambdaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Republish != nil {
+		in, out := &in.Republish, &out.Republish
+		*out = make([]RepublishObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]S3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sns != nil {
+		in, out := &in.Sns, &out.Sns
+		*out = make([]SnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sqs != nil {
+		in, out := &in.Sqs, &out.Sqs
+		*out = make([]SqsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StepFunctions != nil {
+		in, out := &in.StepFunctions, &out.StepFunctions
+		*out = make([]StepFunctionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Timestream != nil {
+		in, out := &in.Timestream, &out.Timestream
+		*out = make([]TimestreamObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorActionObservation.
@@ -1152,6 +1629,21 @@ func (in *ErrorActionParameters) DeepCopy() *ErrorActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FirehoseObservation) DeepCopyInto(out *FirehoseObservation) {
 	*out = *in
+	if in.DeliveryStreamName != nil {
+		in, out := &in.DeliveryStreamName, &out.DeliveryStreamName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Separator != nil {
+		in, out := &in.Separator, &out.Separator
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirehoseObservation.
@@ -1197,6 +1689,16 @@ func (in *FirehoseParameters) DeepCopy() *FirehoseParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPHTTPHeaderObservation) DeepCopyInto(out *HTTPHTTPHeaderObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPHTTPHeaderObservation.
@@ -1237,6 +1739,16 @@ func (in *HTTPHTTPHeaderParameters) DeepCopy() *HTTPHTTPHeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPHeaderObservation) DeepCopyInto(out *HTTPHeaderObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPHeaderObservation.
@@ -1277,6 +1789,23 @@ func (in *HTTPHeaderParameters) DeepCopy() *HTTPHeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HTTPObservation) DeepCopyInto(out *HTTPObservation) {
 	*out = *in
+	if in.ConfirmationURL != nil {
+		in, out := &in.ConfirmationURL, &out.ConfirmationURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPHeader != nil {
+		in, out := &in.HTTPHeader, &out.HTTPHeader
+		*out = make([]HTTPHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HTTPObservation.
@@ -1388,11 +1917,25 @@ func (in *IndexingConfigurationObservation) DeepCopyInto(out *IndexingConfigurat
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IndexingConfigurationObservation.
-func (in *IndexingConfigurationObservation) DeepCopy() *IndexingConfigurationObservation {
-	if in == nil {
+	if in.ThingGroupIndexingConfiguration != nil {
+		in, out := &in.ThingGroupIndexingConfiguration, &out.ThingGroupIndexingConfiguration
+		*out = make([]ThingGroupIndexingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThingIndexingConfiguration != nil {
+		in, out := &in.ThingIndexingConfiguration, &out.ThingIndexingConfiguration
+		*out = make([]ThingIndexingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IndexingConfigurationObservation.
+func (in *IndexingConfigurationObservation) DeepCopy() *IndexingConfigurationObservation {
+	if in == nil {
 		return nil
 	}
 	out := new(IndexingConfigurationObservation)
@@ -1471,6 +2014,16 @@ func (in *IndexingConfigurationStatus) DeepCopy() *IndexingConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IotAnalyticsObservation) DeepCopyInto(out *IotAnalyticsObservation) {
 	*out = *in
+	if in.ChannelName != nil {
+		in, out := &in.ChannelName, &out.ChannelName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IotAnalyticsObservation.
@@ -1511,6 +2064,21 @@ func (in *IotAnalyticsParameters) DeepCopy() *IotAnalyticsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IotEventsObservation) DeepCopyInto(out *IotEventsObservation) {
 	*out = *in
+	if in.InputName != nil {
+		in, out := &in.InputName, &out.InputName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MessageID != nil {
+		in, out := &in.MessageID, &out.MessageID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IotEventsObservation.
@@ -1556,6 +2124,41 @@ func (in *IotEventsParameters) DeepCopy() *IotEventsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KafkaObservation) DeepCopyInto(out *KafkaObservation) {
 	*out = *in
+	if in.ClientProperties != nil {
+		in, out := &in.ClientProperties, &out.ClientProperties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Partition != nil {
+		in, out := &in.Partition, &out.Partition
+		*out = new(string)
+		**out = **in
+	}
+	if in.Topic != nil {
+		in, out := &in.Topic, &out.Topic
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaObservation.
@@ -1621,6 +2224,21 @@ func (in *KafkaParameters) DeepCopy() *KafkaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisObservation) DeepCopyInto(out *KinesisObservation) {
 	*out = *in
+	if in.PartitionKey != nil {
+		in, out := &in.PartitionKey, &out.PartitionKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamName != nil {
+		in, out := &in.StreamName, &out.StreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisObservation.
@@ -1666,6 +2284,11 @@ func (in *KinesisParameters) DeepCopy() *KinesisParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaObservation) DeepCopyInto(out *LambdaObservation) {
 	*out = *in
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaObservation.
@@ -1760,11 +2383,26 @@ func (in *LoggingOptionsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingOptionsObservation) DeepCopyInto(out *LoggingOptionsObservation) {
 	*out = *in
+	if in.DefaultLogLevel != nil {
+		in, out := &in.DefaultLogLevel, &out.DefaultLogLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableAllLogs != nil {
+		in, out := &in.DisableAllLogs, &out.DisableAllLogs
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingOptionsObservation.
@@ -1859,6 +2497,16 @@ func (in *LoggingOptionsStatus) DeepCopy() *LoggingOptionsStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ManagedFieldObservation) DeepCopyInto(out *ManagedFieldObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedFieldObservation.
@@ -2037,6 +2685,16 @@ func (in *PolicyAttachmentObservation) DeepCopyInto(out *PolicyAttachmentObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyAttachmentObservation.
@@ -2183,6 +2841,11 @@ func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation.
@@ -2257,6 +2920,16 @@ func (in *PolicyStatus) DeepCopy() *PolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PreProvisioningHookObservation) DeepCopyInto(out *PreProvisioningHookObservation) {
 	*out = *in
+	if in.PayloadVersion != nil {
+		in, out := &in.PayloadVersion, &out.PayloadVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetArn != nil {
+		in, out := &in.TargetArn, &out.TargetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreProvisioningHookObservation.
@@ -2297,6 +2970,18 @@ func (in *PreProvisioningHookParameters) DeepCopy() *PreProvisioningHookParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PropertiesObservation) DeepCopyInto(out *PropertiesObservation) {
 	*out = *in
+	if in.AttributePayload != nil {
+		in, out := &in.AttributePayload, &out.AttributePayload
+		*out = make([]AttributePayloadObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PropertiesObservation.
@@ -2408,11 +3093,48 @@ func (in *ProvisioningTemplateObservation) DeepCopyInto(out *ProvisioningTemplat
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PreProvisioningHook != nil {
+		in, out := &in.PreProvisioningHook, &out.PreProvisioningHook
+		*out = make([]PreProvisioningHookObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProvisioningRoleArn != nil {
+		in, out := &in.ProvisioningRoleArn, &out.ProvisioningRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2428,6 +3150,11 @@ func (in *ProvisioningTemplateObservation) DeepCopyInto(out *ProvisioningTemplat
 			(*out)[key] = outVal
 		}
 	}
+	if in.TemplateBody != nil {
+		in, out := &in.TemplateBody, &out.TemplateBody
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisioningTemplateObservation.
@@ -2549,6 +3276,11 @@ func (in *ProvisioningTemplateStatus) DeepCopy() *ProvisioningTemplateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PutItemObservation) DeepCopyInto(out *PutItemObservation) {
 	*out = *in
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PutItemObservation.
@@ -2584,6 +3316,21 @@ func (in *PutItemParameters) DeepCopy() *PutItemParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RepublishObservation) DeepCopyInto(out *RepublishObservation) {
 	*out = *in
+	if in.Qos != nil {
+		in, out := &in.Qos, &out.Qos
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Topic != nil {
+		in, out := &in.Topic, &out.Topic
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RepublishObservation.
@@ -2688,16 +3435,31 @@ func (in *RoleAliasList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RoleAliasObservation) DeepCopyInto(out *RoleAliasObservation) {
 	*out = *in
+	if in.Alias != nil {
+		in, out := &in.Alias, &out.Alias
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.CredentialDuration != nil {
+		in, out := &in.CredentialDuration, &out.CredentialDuration
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoleAliasObservation.
@@ -2832,6 +3594,26 @@ func (in *RootToParentGroupsParameters) DeepCopy() *RootToParentGroupsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3Observation) DeepCopyInto(out *S3Observation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CannedACL != nil {
+		in, out := &in.CannedACL, &out.CannedACL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Observation.
@@ -2882,8 +3664,23 @@ func (in *S3Parameters) DeepCopy() *S3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnsObservation) DeepCopyInto(out *SnsObservation) {
 	*out = *in
-}
-
+	if in.MessageFormat != nil {
+		in, out := &in.MessageFormat, &out.MessageFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetArn != nil {
+		in, out := &in.TargetArn, &out.TargetArn
+		*out = new(string)
+		**out = **in
+	}
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnsObservation.
 func (in *SnsObservation) DeepCopy() *SnsObservation {
 	if in == nil {
@@ -2947,6 +3744,21 @@ func (in *SnsParameters) DeepCopy() *SnsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SqsObservation) DeepCopyInto(out *SqsObservation) {
 	*out = *in
+	if in.QueueURL != nil {
+		in, out := &in.QueueURL, &out.QueueURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseBase64 != nil {
+		in, out := &in.UseBase64, &out.UseBase64
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SqsObservation.
@@ -2992,6 +3804,21 @@ func (in *SqsParameters) DeepCopy() *SqsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepFunctionsObservation) DeepCopyInto(out *StepFunctionsObservation) {
 	*out = *in
+	if in.ExecutionNamePrefix != nil {
+		in, out := &in.ExecutionNamePrefix, &out.ExecutionNamePrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StateMachineName != nil {
+		in, out := &in.StateMachineName, &out.StateMachineName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepFunctionsObservation.
@@ -3091,6 +3918,25 @@ func (in *ThingGroup) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThingGroupIndexingConfigurationObservation) DeepCopyInto(out *ThingGroupIndexingConfigurationObservation) {
 	*out = *in
+	if in.CustomField != nil {
+		in, out := &in.CustomField, &out.CustomField
+		*out = make([]CustomFieldObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ManagedField != nil {
+		in, out := &in.ManagedField, &out.ManagedField
+		*out = make([]ManagedFieldObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThingGroupIndexingMode != nil {
+		in, out := &in.ThingGroupIndexingMode, &out.ThingGroupIndexingMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThingGroupIndexingConfigurationObservation.
@@ -3236,6 +4082,21 @@ func (in *ThingGroupMembershipObservation) DeepCopyInto(out *ThingGroupMembershi
 		*out = new(string)
 		**out = **in
 	}
+	if in.OverrideDynamicGroup != nil {
+		in, out := &in.OverrideDynamicGroup, &out.OverrideDynamicGroup
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ThingGroupName != nil {
+		in, out := &in.ThingGroupName, &out.ThingGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ThingName != nil {
+		in, out := &in.ThingName, &out.ThingName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThingGroupMembershipObservation.
@@ -3337,6 +4198,33 @@ func (in *ThingGroupObservation) DeepCopyInto(out *ThingGroupObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ParentGroupName != nil {
+		in, out := &in.ParentGroupName, &out.ParentGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = make([]PropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3463,6 +4351,16 @@ func (in *ThingGroupStatus) DeepCopy() *ThingGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThingIndexingConfigurationCustomFieldObservation) DeepCopyInto(out *ThingIndexingConfigurationCustomFieldObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThingIndexingConfigurationCustomFieldObservation.
@@ -3503,6 +4401,16 @@ func (in *ThingIndexingConfigurationCustomFieldParameters) DeepCopy() *ThingInde
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThingIndexingConfigurationManagedFieldObservation) DeepCopyInto(out *ThingIndexingConfigurationManagedFieldObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThingIndexingConfigurationManagedFieldObservation.
@@ -3543,6 +4451,40 @@ func (in *ThingIndexingConfigurationManagedFieldParameters) DeepCopy() *ThingInd
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThingIndexingConfigurationObservation) DeepCopyInto(out *ThingIndexingConfigurationObservation) {
 	*out = *in
+	if in.CustomField != nil {
+		in, out := &in.CustomField, &out.CustomField
+		*out = make([]ThingIndexingConfigurationCustomFieldObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeviceDefenderIndexingMode != nil {
+		in, out := &in.DeviceDefenderIndexingMode, &out.DeviceDefenderIndexingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ManagedField != nil {
+		in, out := &in.ManagedField, &out.ManagedField
+		*out = make([]ThingIndexingConfigurationManagedFieldObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NamedShadowIndexingMode != nil {
+		in, out := &in.NamedShadowIndexingMode, &out.NamedShadowIndexingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ThingConnectivityIndexingMode != nil {
+		in, out := &in.ThingConnectivityIndexingMode, &out.ThingConnectivityIndexingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ThingIndexingMode != nil {
+		in, out := &in.ThingIndexingMode, &out.ThingIndexingMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThingIndexingConfigurationObservation.
@@ -3644,6 +4586,21 @@ func (in *ThingObservation) DeepCopyInto(out *ThingObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Attributes != nil {
+		in, out := &in.Attributes, &out.Attributes
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.DefaultClientID != nil {
 		in, out := &in.DefaultClientID, &out.DefaultClientID
 		*out = new(string)
@@ -3654,6 +4611,11 @@ func (in *ThingObservation) DeepCopyInto(out *ThingObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ThingTypeName != nil {
+		in, out := &in.ThingTypeName, &out.ThingTypeName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(float64)
@@ -3778,6 +4740,16 @@ func (in *ThingPrincipalAttachmentObservation) DeepCopyInto(out *ThingPrincipalA
 		*out = new(string)
 		**out = **in
 	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
+	if in.Thing != nil {
+		in, out := &in.Thing, &out.Thing
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThingPrincipalAttachmentObservation.
@@ -3975,11 +4947,43 @@ func (in *ThingTypeObservation) DeepCopyInto(out *ThingTypeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Deprecated != nil {
+		in, out := &in.Deprecated, &out.Deprecated
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Properties != nil {
+		in, out := &in.Properties, &out.Properties
+		*out = make([]ThingTypePropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4062,6 +5066,22 @@ func (in *ThingTypeParameters) DeepCopy() *ThingTypeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThingTypePropertiesObservation) DeepCopyInto(out *ThingTypePropertiesObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.SearchableAttributes != nil {
+		in, out := &in.SearchableAttributes, &out.SearchableAttributes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThingTypePropertiesObservation.
@@ -4142,6 +5162,16 @@ func (in *ThingTypeStatus) DeepCopy() *ThingTypeStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimestampObservation) DeepCopyInto(out *TimestampObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimestampObservation.
@@ -4182,6 +5212,16 @@ func (in *TimestampParameters) DeepCopy() *TimestampParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimestreamDimensionObservation) DeepCopyInto(out *TimestreamDimensionObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimestreamDimensionObservation.
@@ -4222,8 +5262,37 @@ func (in *TimestreamDimensionParameters) DeepCopy() *TimestreamDimensionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimestreamObservation) DeepCopyInto(out *TimestreamObservation) {
 	*out = *in
-}
-
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dimension != nil {
+		in, out := &in.Dimension, &out.Dimension
+		*out = make([]DimensionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timestamp != nil {
+		in, out := &in.Timestamp, &out.Timestamp
+		*out = make([]TimestampObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimestreamObservation.
 func (in *TimestreamObservation) DeepCopy() *TimestreamObservation {
 	if in == nil {
@@ -4281,6 +5350,16 @@ func (in *TimestreamParameters) DeepCopy() *TimestreamParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimestreamTimestampObservation) DeepCopyInto(out *TimestreamTimestampObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimestreamTimestampObservation.
@@ -4348,6 +5427,21 @@ func (in *TopicRule) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleFirehoseObservation) DeepCopyInto(out *TopicRuleFirehoseObservation) {
 	*out = *in
+	if in.DeliveryStreamName != nil {
+		in, out := &in.DeliveryStreamName, &out.DeliveryStreamName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Separator != nil {
+		in, out := &in.Separator, &out.Separator
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleFirehoseObservation.
@@ -4393,6 +5487,23 @@ func (in *TopicRuleFirehoseParameters) DeepCopy() *TopicRuleFirehoseParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleHTTPObservation) DeepCopyInto(out *TopicRuleHTTPObservation) {
 	*out = *in
+	if in.ConfirmationURL != nil {
+		in, out := &in.ConfirmationURL, &out.ConfirmationURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPHeader != nil {
+		in, out := &in.HTTPHeader, &out.HTTPHeader
+		*out = make([]HTTPHTTPHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleHTTPObservation.
@@ -4440,6 +5551,16 @@ func (in *TopicRuleHTTPParameters) DeepCopy() *TopicRuleHTTPParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleIotAnalyticsObservation) DeepCopyInto(out *TopicRuleIotAnalyticsObservation) {
 	*out = *in
+	if in.ChannelName != nil {
+		in, out := &in.ChannelName, &out.ChannelName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleIotAnalyticsObservation.
@@ -4480,6 +5601,21 @@ func (in *TopicRuleIotAnalyticsParameters) DeepCopy() *TopicRuleIotAnalyticsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleIotEventsObservation) DeepCopyInto(out *TopicRuleIotEventsObservation) {
 	*out = *in
+	if in.InputName != nil {
+		in, out := &in.InputName, &out.InputName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MessageID != nil {
+		in, out := &in.MessageID, &out.MessageID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleIotEventsObservation.
@@ -4525,6 +5661,41 @@ func (in *TopicRuleIotEventsParameters) DeepCopy() *TopicRuleIotEventsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleKafkaObservation) DeepCopyInto(out *TopicRuleKafkaObservation) {
 	*out = *in
+	if in.ClientProperties != nil {
+		in, out := &in.ClientProperties, &out.ClientProperties
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Partition != nil {
+		in, out := &in.Partition, &out.Partition
+		*out = new(string)
+		**out = **in
+	}
+	if in.Topic != nil {
+		in, out := &in.Topic, &out.Topic
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleKafkaObservation.
@@ -4590,6 +5761,21 @@ func (in *TopicRuleKafkaParameters) DeepCopy() *TopicRuleKafkaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleKinesisObservation) DeepCopyInto(out *TopicRuleKinesisObservation) {
 	*out = *in
+	if in.PartitionKey != nil {
+		in, out := &in.PartitionKey, &out.PartitionKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamName != nil {
+		in, out := &in.StreamName, &out.StreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleKinesisObservation.
@@ -4635,6 +5821,11 @@ func (in *TopicRuleKinesisParameters) DeepCopy() *TopicRuleKinesisParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleLambdaObservation) DeepCopyInto(out *TopicRuleLambdaObservation) {
 	*out = *in
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleLambdaObservation.
@@ -4707,11 +5898,179 @@ func (in *TopicRuleObservation) DeepCopyInto(out *TopicRuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CloudwatchAlarm != nil {
+		in, out := &in.CloudwatchAlarm, &out.CloudwatchAlarm
+		*out = make([]CloudwatchAlarmObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CloudwatchLogs != nil {
+		in, out := &in.CloudwatchLogs, &out.CloudwatchLogs
+		*out = make([]CloudwatchLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CloudwatchMetric != nil {
+		in, out := &in.CloudwatchMetric, &out.CloudwatchMetric
+		*out = make([]CloudwatchMetricObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dynamodb != nil {
+		in, out := &in.Dynamodb, &out.Dynamodb
+		*out = make([]DynamodbObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Dynamodbv2 != nil {
+		in, out := &in.Dynamodbv2, &out.Dynamodbv2
+		*out = make([]Dynamodbv2Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Elasticsearch != nil {
+		in, out := &in.Elasticsearch, &out.Elasticsearch
+		*out = make([]ElasticsearchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ErrorAction != nil {
+		in, out := &in.ErrorAction, &out.ErrorAction
+		*out = make([]ErrorActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Firehose != nil {
+		in, out := &in.Firehose, &out.Firehose
+		*out = make([]TopicRuleFirehoseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HTTP != nil {
+		in, out := &in.HTTP, &out.HTTP
+		*out = make([]TopicRuleHTTPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IotAnalytics != nil {
+		in, out := &in.IotAnalytics, &out.IotAnalytics
+		*out = make([]TopicRuleIotAnalyticsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.IotEvents != nil {
+		in, out := &in.IotEvents, &out.IotEvents
+		*out = make([]TopicRuleIotEventsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Kafka != nil {
+		in, out := &in.Kafka, &out.Kafka
+		*out = make([]TopicRuleKafkaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Kinesis != nil {
+		in, out := &in.Kinesis, &out.Kinesis
+		*out = make([]TopicRuleKinesisObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Lambda != nil {
+		in, out := &in.Lambda, &out.Lambda
+		*out = make([]TopicRuleLambdaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Republish != nil {
+		in, out := &in.Republish, &out.Republish
+		*out = make([]TopicRuleRepublishObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]TopicRuleS3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SQL != nil {
+		in, out := &in.SQL, &out.SQL
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQLVersion != nil {
+		in, out := &in.SQLVersion, &out.SQLVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Sns != nil {
+		in, out := &in.Sns, &out.Sns
+		*out = make([]TopicRuleSnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Sqs != nil {
+		in, out := &in.Sqs, &out.Sqs
+		*out = make([]TopicRuleSqsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StepFunctions != nil {
+		in, out := &in.StepFunctions, &out.StepFunctions
+		*out = make([]TopicRuleStepFunctionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4727,6 +6086,13 @@ func (in *TopicRuleObservation) DeepCopyInto(out *TopicRuleObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Timestream != nil {
+		in, out := &in.Timestream, &out.Timestream
+		*out = make([]TopicRuleTimestreamObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleObservation.
@@ -4937,6 +6303,21 @@ func (in *TopicRuleParameters) DeepCopy() *TopicRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleRepublishObservation) DeepCopyInto(out *TopicRuleRepublishObservation) {
 	*out = *in
+	if in.Qos != nil {
+		in, out := &in.Qos, &out.Qos
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Topic != nil {
+		in, out := &in.Topic, &out.Topic
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleRepublishObservation.
@@ -4982,6 +6363,26 @@ func (in *TopicRuleRepublishParameters) DeepCopy() *TopicRuleRepublishParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleS3Observation) DeepCopyInto(out *TopicRuleS3Observation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CannedACL != nil {
+		in, out := &in.CannedACL, &out.CannedACL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleS3Observation.
@@ -5032,6 +6433,21 @@ func (in *TopicRuleS3Parameters) DeepCopy() *TopicRuleS3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleSnsObservation) DeepCopyInto(out *TopicRuleSnsObservation) {
 	*out = *in
+	if in.MessageFormat != nil {
+		in, out := &in.MessageFormat, &out.MessageFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetArn != nil {
+		in, out := &in.TargetArn, &out.TargetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleSnsObservation.
@@ -5114,6 +6530,21 @@ func (in *TopicRuleSpec) DeepCopy() *TopicRuleSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleSqsObservation) DeepCopyInto(out *TopicRuleSqsObservation) {
 	*out = *in
+	if in.QueueURL != nil {
+		in, out := &in.QueueURL, &out.QueueURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseBase64 != nil {
+		in, out := &in.UseBase64, &out.UseBase64
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleSqsObservation.
@@ -5176,6 +6607,21 @@ func (in *TopicRuleStatus) DeepCopy() *TopicRuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleStepFunctionsObservation) DeepCopyInto(out *TopicRuleStepFunctionsObservation) {
 	*out = *in
+	if in.ExecutionNamePrefix != nil {
+		in, out := &in.ExecutionNamePrefix, &out.ExecutionNamePrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StateMachineName != nil {
+		in, out := &in.StateMachineName, &out.StateMachineName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleStepFunctionsObservation.
@@ -5221,6 +6667,35 @@ func (in *TopicRuleStepFunctionsParameters) DeepCopy() *TopicRuleStepFunctionsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicRuleTimestreamObservation) DeepCopyInto(out *TopicRuleTimestreamObservation) {
 	*out = *in
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dimension != nil {
+		in, out := &in.Dimension, &out.Dimension
+		*out = make([]TimestreamDimensionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Timestamp != nil {
+		in, out := &in.Timestamp, &out.Timestamp
+		*out = make([]TimestreamTimestampObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicRuleTimestreamObservation.
diff --git a/apis/iot/v1beta1/zz_indexingconfiguration_types.go b/apis/iot/v1beta1/zz_indexingconfiguration_types.go
index 62fcff20e0..d4f7a3268b 100755
--- a/apis/iot/v1beta1/zz_indexingconfiguration_types.go
+++ b/apis/iot/v1beta1/zz_indexingconfiguration_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CustomFieldObservation struct {
+
+	// The name of the field.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The data type of the field. Valid values: Number, String, Boolean.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type CustomFieldParameters struct {
@@ -29,6 +35,12 @@ type CustomFieldParameters struct {
 
 type IndexingConfigurationObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Thing group indexing configuration. See below.
+	ThingGroupIndexingConfiguration []ThingGroupIndexingConfigurationObservation `json:"thingGroupIndexingConfiguration,omitempty" tf:"thing_group_indexing_configuration,omitempty"`
+
+	// Thing indexing configuration. See below.
+	ThingIndexingConfiguration []ThingIndexingConfigurationObservation `json:"thingIndexingConfiguration,omitempty" tf:"thing_indexing_configuration,omitempty"`
 }
 
 type IndexingConfigurationParameters struct {
@@ -48,6 +60,12 @@ type IndexingConfigurationParameters struct {
 }
 
 type ManagedFieldObservation struct {
+
+	// The name of the field.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The data type of the field. Valid values: Number, String, Boolean.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ManagedFieldParameters struct {
@@ -62,6 +80,15 @@ type ManagedFieldParameters struct {
 }
 
 type ThingGroupIndexingConfigurationObservation struct {
+
+	// A list of thing group fields to index. This list cannot contain any managed fields. See below.
+	CustomField []CustomFieldObservation `json:"customField,omitempty" tf:"custom_field,omitempty"`
+
+	// Contains fields that are indexed and whose types are already known by the Fleet Indexing service. See below.
+	ManagedField []ManagedFieldObservation `json:"managedField,omitempty" tf:"managed_field,omitempty"`
+
+	// Thing group indexing mode. Valid values: OFF, ON.
+	ThingGroupIndexingMode *string `json:"thingGroupIndexingMode,omitempty" tf:"thing_group_indexing_mode,omitempty"`
 }
 
 type ThingGroupIndexingConfigurationParameters struct {
@@ -80,6 +107,12 @@ type ThingGroupIndexingConfigurationParameters struct {
 }
 
 type ThingIndexingConfigurationCustomFieldObservation struct {
+
+	// The name of the field.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The data type of the field. Valid values: Number, String, Boolean.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ThingIndexingConfigurationCustomFieldParameters struct {
@@ -94,6 +127,12 @@ type ThingIndexingConfigurationCustomFieldParameters struct {
 }
 
 type ThingIndexingConfigurationManagedFieldObservation struct {
+
+	// The name of the field.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The data type of the field. Valid values: Number, String, Boolean.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ThingIndexingConfigurationManagedFieldParameters struct {
@@ -108,6 +147,24 @@ type ThingIndexingConfigurationManagedFieldParameters struct {
 }
 
 type ThingIndexingConfigurationObservation struct {
+
+	// Contains custom field names and their data type. See below.
+	CustomField []ThingIndexingConfigurationCustomFieldObservation `json:"customField,omitempty" tf:"custom_field,omitempty"`
+
+	// Device Defender indexing mode. Valid values: VIOLATIONS, OFF. Default: OFF.
+	DeviceDefenderIndexingMode *string `json:"deviceDefenderIndexingMode,omitempty" tf:"device_defender_indexing_mode,omitempty"`
+
+	// Contains fields that are indexed and whose types are already known by the Fleet Indexing service. See below.
+	ManagedField []ThingIndexingConfigurationManagedFieldObservation `json:"managedField,omitempty" tf:"managed_field,omitempty"`
+
+	// Named shadow indexing mode. Valid values: ON, OFF. Default: OFF.
+	NamedShadowIndexingMode *string `json:"namedShadowIndexingMode,omitempty" tf:"named_shadow_indexing_mode,omitempty"`
+
+	// Thing connectivity indexing mode. Valid values: STATUS, OFF. Default: OFF.
+	ThingConnectivityIndexingMode *string `json:"thingConnectivityIndexingMode,omitempty" tf:"thing_connectivity_indexing_mode,omitempty"`
+
+	// Thing indexing mode. Valid values: REGISTRY, REGISTRY_AND_SHADOW, OFF.
+	ThingIndexingMode *string `json:"thingIndexingMode,omitempty" tf:"thing_indexing_mode,omitempty"`
 }
 
 type ThingIndexingConfigurationParameters struct {
diff --git a/apis/iot/v1beta1/zz_loggingoptions_types.go b/apis/iot/v1beta1/zz_loggingoptions_types.go
index 7a41012241..4118d5143f 100755
--- a/apis/iot/v1beta1/zz_loggingoptions_types.go
+++ b/apis/iot/v1beta1/zz_loggingoptions_types.go
@@ -14,14 +14,24 @@ import (
 )
 
 type LoggingOptionsObservation struct {
+
+	// The default logging level. Valid Values: "DEBUG", "INFO", "ERROR", "WARN", "DISABLED".
+	DefaultLogLevel *string `json:"defaultLogLevel,omitempty" tf:"default_log_level,omitempty"`
+
+	// If true all logs are disabled. The default is false.
+	DisableAllLogs *bool `json:"disableAllLogs,omitempty" tf:"disable_all_logs,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the role that allows IoT to write to Cloudwatch logs.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type LoggingOptionsParameters struct {
 
 	// The default logging level. Valid Values: "DEBUG", "INFO", "ERROR", "WARN", "DISABLED".
-	// +kubebuilder:validation:Required
-	DefaultLogLevel *string `json:"defaultLogLevel" tf:"default_log_level,omitempty"`
+	// +kubebuilder:validation:Optional
+	DefaultLogLevel *string `json:"defaultLogLevel,omitempty" tf:"default_log_level,omitempty"`
 
 	// If true all logs are disabled. The default is false.
 	// +kubebuilder:validation:Optional
@@ -71,8 +81,9 @@ type LoggingOptionsStatus struct {
 type LoggingOptions struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LoggingOptionsSpec   `json:"spec"`
-	Status            LoggingOptionsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultLogLevel)",message="defaultLogLevel is a required parameter"
+	Spec   LoggingOptionsSpec   `json:"spec"`
+	Status LoggingOptionsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iot/v1beta1/zz_policy_types.go b/apis/iot/v1beta1/zz_policy_types.go
index f89aa7fd3b..7e0688f7b6 100755
--- a/apis/iot/v1beta1/zz_policy_types.go
+++ b/apis/iot/v1beta1/zz_policy_types.go
@@ -22,13 +22,16 @@ type PolicyObservation struct {
 	DefaultVersionID *string `json:"defaultVersionId,omitempty" tf:"default_version_id,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The policy document. This is a JSON formatted string. Use the IoT Developer Guide for more information on IoT Policies.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type PolicyParameters struct {
 
 	// The policy document. This is a JSON formatted string. Use the IoT Developer Guide for more information on IoT Policies.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -60,8 +63,9 @@ type PolicyStatus struct {
 type Policy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PolicySpec   `json:"spec"`
-	Status            PolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   PolicySpec   `json:"spec"`
+	Status PolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iot/v1beta1/zz_policyattachment_types.go b/apis/iot/v1beta1/zz_policyattachment_types.go
index 3ff8d59b38..b144782f8a 100755
--- a/apis/iot/v1beta1/zz_policyattachment_types.go
+++ b/apis/iot/v1beta1/zz_policyattachment_types.go
@@ -15,6 +15,12 @@ import (
 
 type PolicyAttachmentObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the policy to attach.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// The identity to which the policy is attached.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type PolicyAttachmentParameters struct {
diff --git a/apis/iot/v1beta1/zz_provisioningtemplate_types.go b/apis/iot/v1beta1/zz_provisioningtemplate_types.go
index 3d3b8ee88c..cc127756c1 100755
--- a/apis/iot/v1beta1/zz_provisioningtemplate_types.go
+++ b/apis/iot/v1beta1/zz_provisioningtemplate_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type PreProvisioningHookObservation struct {
+
+	// The version of the payload that was sent to the target function. The only valid (and the default) payload version is "2020-04-01".
+	PayloadVersion *string `json:"payloadVersion,omitempty" tf:"payload_version,omitempty"`
+
+	// The ARN of the target function.
+	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
 }
 
 type PreProvisioningHookParameters struct {
@@ -35,10 +41,28 @@ type ProvisioningTemplateObservation struct {
 	// The default version of the fleet provisioning template.
 	DefaultVersionID *float64 `json:"defaultVersionId,omitempty" tf:"default_version_id,omitempty"`
 
+	// The description of the fleet provisioning template.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// True to enable the fleet provisioning template, otherwise false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Creates a pre-provisioning hook template. Details below.
+	PreProvisioningHook []PreProvisioningHookObservation `json:"preProvisioningHook,omitempty" tf:"pre_provisioning_hook,omitempty"`
+
+	// The role ARN for the role associated with the fleet provisioning template. This IoT role grants permission to provision a device.
+	ProvisioningRoleArn *string `json:"provisioningRoleArn,omitempty" tf:"provisioning_role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The JSON formatted contents of the fleet provisioning template.
+	TemplateBody *string `json:"templateBody,omitempty" tf:"template_body,omitempty"`
 }
 
 type ProvisioningTemplateParameters struct {
@@ -79,8 +103,8 @@ type ProvisioningTemplateParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The JSON formatted contents of the fleet provisioning template.
-	// +kubebuilder:validation:Required
-	TemplateBody *string `json:"templateBody" tf:"template_body,omitempty"`
+	// +kubebuilder:validation:Optional
+	TemplateBody *string `json:"templateBody,omitempty" tf:"template_body,omitempty"`
 }
 
 // ProvisioningTemplateSpec defines the desired state of ProvisioningTemplate
@@ -107,8 +131,9 @@ type ProvisioningTemplateStatus struct {
 type ProvisioningTemplate struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProvisioningTemplateSpec   `json:"spec"`
-	Status            ProvisioningTemplateStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.templateBody)",message="templateBody is a required parameter"
+	Spec   ProvisioningTemplateSpec   `json:"spec"`
+	Status ProvisioningTemplateStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iot/v1beta1/zz_rolealias_types.go b/apis/iot/v1beta1/zz_rolealias_types.go
index 2016fb14ea..3251f3cb8d 100755
--- a/apis/iot/v1beta1/zz_rolealias_types.go
+++ b/apis/iot/v1beta1/zz_rolealias_types.go
@@ -15,17 +15,26 @@ import (
 
 type RoleAliasObservation struct {
 
+	// The name of the role alias.
+	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
+
 	// The ARN assigned by AWS to this role alias.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The duration of the credential, in seconds. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 900 seconds (15 minutes) to 43200 seconds (12 hours).
+	CredentialDuration *float64 `json:"credentialDuration,omitempty" tf:"credential_duration,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The identity of the role to which the alias refers.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type RoleAliasParameters struct {
 
 	// The name of the role alias.
-	// +kubebuilder:validation:Required
-	Alias *string `json:"alias" tf:"alias,omitempty"`
+	// +kubebuilder:validation:Optional
+	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
 
 	// The duration of the credential, in seconds. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 900 seconds (15 minutes) to 43200 seconds (12 hours).
 	// +kubebuilder:validation:Optional
@@ -75,8 +84,9 @@ type RoleAliasStatus struct {
 type RoleAlias struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RoleAliasSpec   `json:"spec"`
-	Status            RoleAliasStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.alias)",message="alias is a required parameter"
+	Spec   RoleAliasSpec   `json:"spec"`
+	Status RoleAliasStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iot/v1beta1/zz_thing_types.go b/apis/iot/v1beta1/zz_thing_types.go
index 2e231a4177..3560525f41 100755
--- a/apis/iot/v1beta1/zz_thing_types.go
+++ b/apis/iot/v1beta1/zz_thing_types.go
@@ -18,11 +18,17 @@ type ThingObservation struct {
 	// The ARN of the thing.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Map of attributes of the thing.
+	Attributes map[string]*string `json:"attributes,omitempty" tf:"attributes,omitempty"`
+
 	// The default client ID.
 	DefaultClientID *string `json:"defaultClientId,omitempty" tf:"default_client_id,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The thing type name.
+	ThingTypeName *string `json:"thingTypeName,omitempty" tf:"thing_type_name,omitempty"`
+
 	// The current version of the thing record in the registry.
 	Version *float64 `json:"version,omitempty" tf:"version,omitempty"`
 }
diff --git a/apis/iot/v1beta1/zz_thinggroup_types.go b/apis/iot/v1beta1/zz_thinggroup_types.go
index 3bca81eb57..efed30f389 100755
--- a/apis/iot/v1beta1/zz_thinggroup_types.go
+++ b/apis/iot/v1beta1/zz_thinggroup_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AttributePayloadObservation struct {
+
+	// Key-value map.
+	Attributes map[string]*string `json:"attributes,omitempty" tf:"attributes,omitempty"`
 }
 
 type AttributePayloadParameters struct {
@@ -36,6 +39,12 @@ type MetadataParameters struct {
 }
 
 type PropertiesObservation struct {
+
+	// The Thing Group attributes. Defined below.
+	AttributePayload []AttributePayloadObservation `json:"attributePayload,omitempty" tf:"attribute_payload,omitempty"`
+
+	// A description of the Thing Group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 }
 
 type PropertiesParameters struct {
@@ -71,6 +80,15 @@ type ThingGroupObservation struct {
 
 	Metadata []MetadataObservation `json:"metadata,omitempty" tf:"metadata,omitempty"`
 
+	// The name of the parent Thing Group.
+	ParentGroupName *string `json:"parentGroupName,omitempty" tf:"parent_group_name,omitempty"`
+
+	// The Thing Group properties. Defined below.
+	Properties []PropertiesObservation `json:"properties,omitempty" tf:"properties,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The current version of the Thing Group record in the registry.
diff --git a/apis/iot/v1beta1/zz_thinggroupmembership_types.go b/apis/iot/v1beta1/zz_thinggroupmembership_types.go
index 271566bad3..64cf33dab2 100755
--- a/apis/iot/v1beta1/zz_thinggroupmembership_types.go
+++ b/apis/iot/v1beta1/zz_thinggroupmembership_types.go
@@ -17,6 +17,15 @@ type ThingGroupMembershipObservation struct {
 
 	// The membership ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Override dynamic thing groups with static thing groups when 10-group limit is reached. If a thing belongs to 10 thing groups, and one or more of those groups are dynamic thing groups, adding a thing to a static group removes the thing from the last dynamic group.
+	OverrideDynamicGroup *bool `json:"overrideDynamicGroup,omitempty" tf:"override_dynamic_group,omitempty"`
+
+	// The name of the group to which you are adding a thing.
+	ThingGroupName *string `json:"thingGroupName,omitempty" tf:"thing_group_name,omitempty"`
+
+	// The name of the thing to add to a group.
+	ThingName *string `json:"thingName,omitempty" tf:"thing_name,omitempty"`
 }
 
 type ThingGroupMembershipParameters struct {
@@ -31,12 +40,12 @@ type ThingGroupMembershipParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The name of the group to which you are adding a thing.
-	// +kubebuilder:validation:Required
-	ThingGroupName *string `json:"thingGroupName" tf:"thing_group_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ThingGroupName *string `json:"thingGroupName,omitempty" tf:"thing_group_name,omitempty"`
 
 	// The name of the thing to add to a group.
-	// +kubebuilder:validation:Required
-	ThingName *string `json:"thingName" tf:"thing_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ThingName *string `json:"thingName,omitempty" tf:"thing_name,omitempty"`
 }
 
 // ThingGroupMembershipSpec defines the desired state of ThingGroupMembership
@@ -63,8 +72,10 @@ type ThingGroupMembershipStatus struct {
 type ThingGroupMembership struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ThingGroupMembershipSpec   `json:"spec"`
-	Status            ThingGroupMembershipStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.thingGroupName)",message="thingGroupName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.thingName)",message="thingName is a required parameter"
+	Spec   ThingGroupMembershipSpec   `json:"spec"`
+	Status ThingGroupMembershipStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iot/v1beta1/zz_thingprincipalattachment_types.go b/apis/iot/v1beta1/zz_thingprincipalattachment_types.go
index fcf7145869..e770085be4 100755
--- a/apis/iot/v1beta1/zz_thingprincipalattachment_types.go
+++ b/apis/iot/v1beta1/zz_thingprincipalattachment_types.go
@@ -15,6 +15,12 @@ import (
 
 type ThingPrincipalAttachmentObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The AWS IoT Certificate ARN or Amazon Cognito Identity ID.
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
+
+	// The name of the thing.
+	Thing *string `json:"thing,omitempty" tf:"thing,omitempty"`
 }
 
 type ThingPrincipalAttachmentParameters struct {
diff --git a/apis/iot/v1beta1/zz_thingtype_types.go b/apis/iot/v1beta1/zz_thingtype_types.go
index aa19267d54..3c039ad769 100755
--- a/apis/iot/v1beta1/zz_thingtype_types.go
+++ b/apis/iot/v1beta1/zz_thingtype_types.go
@@ -18,8 +18,20 @@ type ThingTypeObservation struct {
 	// The ARN of the created AWS IoT Thing Type.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether the thing type is deprecated. If true, no new things could be associated with this type.
+	Deprecated *bool `json:"deprecated,omitempty" tf:"deprecated,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the thing type.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// , Configuration block that can contain the following properties of the thing type:
+	Properties []ThingTypePropertiesObservation `json:"properties,omitempty" tf:"properties,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -31,8 +43,8 @@ type ThingTypeParameters struct {
 	Deprecated *bool `json:"deprecated,omitempty" tf:"deprecated,omitempty"`
 
 	// The name of the thing type.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// , Configuration block that can contain the following properties of the thing type:
 	// +kubebuilder:validation:Optional
@@ -49,6 +61,12 @@ type ThingTypeParameters struct {
 }
 
 type ThingTypePropertiesObservation struct {
+
+	// The description of the thing type.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// A list of searchable thing attribute names.
+	SearchableAttributes []*string `json:"searchableAttributes,omitempty" tf:"searchable_attributes,omitempty"`
 }
 
 type ThingTypePropertiesParameters struct {
@@ -86,8 +104,9 @@ type ThingTypeStatus struct {
 type ThingType struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ThingTypeSpec   `json:"spec"`
-	Status            ThingTypeStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ThingTypeSpec   `json:"spec"`
+	Status ThingTypeStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/iot/v1beta1/zz_topicrule_types.go b/apis/iot/v1beta1/zz_topicrule_types.go
index 02e5586e47..3d500e8f4b 100755
--- a/apis/iot/v1beta1/zz_topicrule_types.go
+++ b/apis/iot/v1beta1/zz_topicrule_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type CloudwatchAlarmObservation struct {
+
+	// The CloudWatch alarm name.
+	AlarmName *string `json:"alarmName,omitempty" tf:"alarm_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The reason for the alarm change.
+	StateReason *string `json:"stateReason,omitempty" tf:"state_reason,omitempty"`
+
+	// The value of the alarm state. Acceptable values are: OK, ALARM, INSUFFICIENT_DATA.
+	StateValue *string `json:"stateValue,omitempty" tf:"state_value,omitempty"`
 }
 
 type CloudwatchAlarmParameters struct {
@@ -36,6 +48,12 @@ type CloudwatchAlarmParameters struct {
 }
 
 type CloudwatchLogsObservation struct {
+
+	// The CloudWatch log group name.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type CloudwatchLogsParameters struct {
@@ -50,6 +68,24 @@ type CloudwatchLogsParameters struct {
 }
 
 type CloudwatchMetricObservation struct {
+
+	// The CloudWatch metric name.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The CloudWatch metric namespace name.
+	MetricNamespace *string `json:"metricNamespace,omitempty" tf:"metric_namespace,omitempty"`
+
+	// An optional Unix timestamp (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#about_timestamp).
+	MetricTimestamp *string `json:"metricTimestamp,omitempty" tf:"metric_timestamp,omitempty"`
+
+	// The metric unit (supported units can be found here: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#Unit)
+	MetricUnit *string `json:"metricUnit,omitempty" tf:"metric_unit,omitempty"`
+
+	// The CloudWatch metric value.
+	MetricValue *string `json:"metricValue,omitempty" tf:"metric_value,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type CloudwatchMetricParameters struct {
@@ -80,6 +116,12 @@ type CloudwatchMetricParameters struct {
 }
 
 type DimensionObservation struct {
+
+	// The name of the rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the HTTP header.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DimensionParameters struct {
@@ -94,6 +136,36 @@ type DimensionParameters struct {
 }
 
 type DynamodbObservation struct {
+
+	// The hash key name.
+	HashKeyField *string `json:"hashKeyField,omitempty" tf:"hash_key_field,omitempty"`
+
+	// The hash key type. Valid values are "STRING" or "NUMBER".
+	HashKeyType *string `json:"hashKeyType,omitempty" tf:"hash_key_type,omitempty"`
+
+	// The hash key value.
+	HashKeyValue *string `json:"hashKeyValue,omitempty" tf:"hash_key_value,omitempty"`
+
+	// The operation. Valid values are "INSERT", "UPDATE", or "DELETE".
+	Operation *string `json:"operation,omitempty" tf:"operation,omitempty"`
+
+	// The action payload.
+	PayloadField *string `json:"payloadField,omitempty" tf:"payload_field,omitempty"`
+
+	// The range key name.
+	RangeKeyField *string `json:"rangeKeyField,omitempty" tf:"range_key_field,omitempty"`
+
+	// The range key type. Valid values are "STRING" or "NUMBER".
+	RangeKeyType *string `json:"rangeKeyType,omitempty" tf:"range_key_type,omitempty"`
+
+	// The range key value.
+	RangeKeyValue *string `json:"rangeKeyValue,omitempty" tf:"range_key_value,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type DynamodbParameters struct {
@@ -140,6 +212,12 @@ type DynamodbParameters struct {
 }
 
 type Dynamodbv2Observation struct {
+
+	// Configuration block with DynamoDB Table to which the message will be written. Nested arguments below.
+	PutItem []PutItemObservation `json:"putItem,omitempty" tf:"put_item,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type Dynamodbv2Parameters struct {
@@ -154,6 +232,9 @@ type Dynamodbv2Parameters struct {
 }
 
 type Dynamodbv2PutItemObservation struct {
+
+	// The name of the DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type Dynamodbv2PutItemParameters struct {
@@ -164,6 +245,21 @@ type Dynamodbv2PutItemParameters struct {
 }
 
 type ElasticsearchObservation struct {
+
+	// The endpoint of your Elasticsearch domain.
+	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
+
+	// The unique identifier for the document you are storing.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Elasticsearch index where you want to store your data.
+	Index *string `json:"index,omitempty" tf:"index,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The type of document you are storing.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ElasticsearchParameters struct {
@@ -190,6 +286,18 @@ type ElasticsearchParameters struct {
 }
 
 type ErrorActionCloudwatchAlarmObservation struct {
+
+	// The CloudWatch alarm name.
+	AlarmName *string `json:"alarmName,omitempty" tf:"alarm_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The reason for the alarm change.
+	StateReason *string `json:"stateReason,omitempty" tf:"state_reason,omitempty"`
+
+	// The value of the alarm state. Acceptable values are: OK, ALARM, INSUFFICIENT_DATA.
+	StateValue *string `json:"stateValue,omitempty" tf:"state_value,omitempty"`
 }
 
 type ErrorActionCloudwatchAlarmParameters struct {
@@ -212,6 +320,12 @@ type ErrorActionCloudwatchAlarmParameters struct {
 }
 
 type ErrorActionCloudwatchLogsObservation struct {
+
+	// The CloudWatch log group name.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type ErrorActionCloudwatchLogsParameters struct {
@@ -226,6 +340,24 @@ type ErrorActionCloudwatchLogsParameters struct {
 }
 
 type ErrorActionCloudwatchMetricObservation struct {
+
+	// The CloudWatch metric name.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The CloudWatch metric namespace name.
+	MetricNamespace *string `json:"metricNamespace,omitempty" tf:"metric_namespace,omitempty"`
+
+	// An optional Unix timestamp (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#about_timestamp).
+	MetricTimestamp *string `json:"metricTimestamp,omitempty" tf:"metric_timestamp,omitempty"`
+
+	// The metric unit (supported units can be found here: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#Unit)
+	MetricUnit *string `json:"metricUnit,omitempty" tf:"metric_unit,omitempty"`
+
+	// The CloudWatch metric value.
+	MetricValue *string `json:"metricValue,omitempty" tf:"metric_value,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type ErrorActionCloudwatchMetricParameters struct {
@@ -256,6 +388,36 @@ type ErrorActionCloudwatchMetricParameters struct {
 }
 
 type ErrorActionDynamodbObservation struct {
+
+	// The hash key name.
+	HashKeyField *string `json:"hashKeyField,omitempty" tf:"hash_key_field,omitempty"`
+
+	// The hash key type. Valid values are "STRING" or "NUMBER".
+	HashKeyType *string `json:"hashKeyType,omitempty" tf:"hash_key_type,omitempty"`
+
+	// The hash key value.
+	HashKeyValue *string `json:"hashKeyValue,omitempty" tf:"hash_key_value,omitempty"`
+
+	// The operation. Valid values are "INSERT", "UPDATE", or "DELETE".
+	Operation *string `json:"operation,omitempty" tf:"operation,omitempty"`
+
+	// The action payload.
+	PayloadField *string `json:"payloadField,omitempty" tf:"payload_field,omitempty"`
+
+	// The range key name.
+	RangeKeyField *string `json:"rangeKeyField,omitempty" tf:"range_key_field,omitempty"`
+
+	// The range key type. Valid values are "STRING" or "NUMBER".
+	RangeKeyType *string `json:"rangeKeyType,omitempty" tf:"range_key_type,omitempty"`
+
+	// The range key value.
+	RangeKeyValue *string `json:"rangeKeyValue,omitempty" tf:"range_key_value,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type ErrorActionDynamodbParameters struct {
@@ -302,6 +464,12 @@ type ErrorActionDynamodbParameters struct {
 }
 
 type ErrorActionDynamodbv2Observation struct {
+
+	// Configuration block with DynamoDB Table to which the message will be written. Nested arguments below.
+	PutItem []Dynamodbv2PutItemObservation `json:"putItem,omitempty" tf:"put_item,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type ErrorActionDynamodbv2Parameters struct {
@@ -316,6 +484,21 @@ type ErrorActionDynamodbv2Parameters struct {
 }
 
 type ErrorActionElasticsearchObservation struct {
+
+	// The endpoint of your Elasticsearch domain.
+	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
+
+	// The unique identifier for the document you are storing.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Elasticsearch index where you want to store your data.
+	Index *string `json:"index,omitempty" tf:"index,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The type of document you are storing.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ErrorActionElasticsearchParameters struct {
@@ -342,6 +525,43 @@ type ErrorActionElasticsearchParameters struct {
 }
 
 type ErrorActionObservation struct {
+	CloudwatchAlarm []ErrorActionCloudwatchAlarmObservation `json:"cloudwatchAlarm,omitempty" tf:"cloudwatch_alarm,omitempty"`
+
+	CloudwatchLogs []ErrorActionCloudwatchLogsObservation `json:"cloudwatchLogs,omitempty" tf:"cloudwatch_logs,omitempty"`
+
+	CloudwatchMetric []ErrorActionCloudwatchMetricObservation `json:"cloudwatchMetric,omitempty" tf:"cloudwatch_metric,omitempty"`
+
+	Dynamodb []ErrorActionDynamodbObservation `json:"dynamodb,omitempty" tf:"dynamodb,omitempty"`
+
+	Dynamodbv2 []ErrorActionDynamodbv2Observation `json:"dynamodbv2,omitempty" tf:"dynamodbv2,omitempty"`
+
+	Elasticsearch []ErrorActionElasticsearchObservation `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"`
+
+	Firehose []FirehoseObservation `json:"firehose,omitempty" tf:"firehose,omitempty"`
+
+	HTTP []HTTPObservation `json:"http,omitempty" tf:"http,omitempty"`
+
+	IotAnalytics []IotAnalyticsObservation `json:"iotAnalytics,omitempty" tf:"iot_analytics,omitempty"`
+
+	IotEvents []IotEventsObservation `json:"iotEvents,omitempty" tf:"iot_events,omitempty"`
+
+	Kafka []KafkaObservation `json:"kafka,omitempty" tf:"kafka,omitempty"`
+
+	Kinesis []KinesisObservation `json:"kinesis,omitempty" tf:"kinesis,omitempty"`
+
+	Lambda []LambdaObservation `json:"lambda,omitempty" tf:"lambda,omitempty"`
+
+	Republish []RepublishObservation `json:"republish,omitempty" tf:"republish,omitempty"`
+
+	S3 []S3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
+
+	Sns []SnsObservation `json:"sns,omitempty" tf:"sns,omitempty"`
+
+	Sqs []SqsObservation `json:"sqs,omitempty" tf:"sqs,omitempty"`
+
+	StepFunctions []StepFunctionsObservation `json:"stepFunctions,omitempty" tf:"step_functions,omitempty"`
+
+	Timestream []TimestreamObservation `json:"timestream,omitempty" tf:"timestream,omitempty"`
 }
 
 type ErrorActionParameters struct {
@@ -405,6 +625,15 @@ type ErrorActionParameters struct {
 }
 
 type FirehoseObservation struct {
+
+	// The delivery stream name.
+	DeliveryStreamName *string `json:"deliveryStreamName,omitempty" tf:"delivery_stream_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// A character separator that is used to separate records written to the Firehose stream. Valid values are: '\n' (newline), '\t' (tab), '\r\n' (Windows newline), ',' (comma).
+	Separator *string `json:"separator,omitempty" tf:"separator,omitempty"`
 }
 
 type FirehoseParameters struct {
@@ -423,6 +652,12 @@ type FirehoseParameters struct {
 }
 
 type HTTPHTTPHeaderObservation struct {
+
+	// The name of the HTTP header.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value of the HTTP header.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type HTTPHTTPHeaderParameters struct {
@@ -437,6 +672,12 @@ type HTTPHTTPHeaderParameters struct {
 }
 
 type HTTPHeaderObservation struct {
+
+	// The name of the HTTP header.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value of the HTTP header.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type HTTPHeaderParameters struct {
@@ -451,6 +692,15 @@ type HTTPHeaderParameters struct {
 }
 
 type HTTPObservation struct {
+
+	// The HTTPS URL used to verify ownership of url.
+	ConfirmationURL *string `json:"confirmationUrl,omitempty" tf:"confirmation_url,omitempty"`
+
+	// Custom HTTP header IoT Core should send. It is possible to define more than one custom header.
+	HTTPHeader []HTTPHeaderObservation `json:"httpHeader,omitempty" tf:"http_header,omitempty"`
+
+	// The HTTPS URL.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
 }
 
 type HTTPParameters struct {
@@ -469,6 +719,12 @@ type HTTPParameters struct {
 }
 
 type IotAnalyticsObservation struct {
+
+	// Name of AWS IOT Analytics channel.
+	ChannelName *string `json:"channelName,omitempty" tf:"channel_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type IotAnalyticsParameters struct {
@@ -483,6 +739,15 @@ type IotAnalyticsParameters struct {
 }
 
 type IotEventsObservation struct {
+
+	// The name of the AWS IoT Events input.
+	InputName *string `json:"inputName,omitempty" tf:"input_name,omitempty"`
+
+	// Use this to ensure that only one input (message) with a given messageId is processed by an AWS IoT Events detector.
+	MessageID *string `json:"messageId,omitempty" tf:"message_id,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type IotEventsParameters struct {
@@ -501,6 +766,21 @@ type IotEventsParameters struct {
 }
 
 type KafkaObservation struct {
+
+	// Properties of the Apache Kafka producer client. For more info, see the AWS documentation.
+	ClientProperties map[string]*string `json:"clientProperties,omitempty" tf:"client_properties,omitempty"`
+
+	// The ARN of Kafka action's VPC aws_iot_topic_rule_destination .
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
+
+	// The name of the HTTP header.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The Kafka message partition.
+	Partition *string `json:"partition,omitempty" tf:"partition,omitempty"`
+
+	// The Kafka topic for messages to be sent to the Kafka broker.
+	Topic *string `json:"topic,omitempty" tf:"topic,omitempty"`
 }
 
 type KafkaParameters struct {
@@ -527,6 +807,15 @@ type KafkaParameters struct {
 }
 
 type KinesisObservation struct {
+
+	// The partition key.
+	PartitionKey *string `json:"partitionKey,omitempty" tf:"partition_key,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the Amazon Kinesis stream.
+	StreamName *string `json:"streamName,omitempty" tf:"stream_name,omitempty"`
 }
 
 type KinesisParameters struct {
@@ -545,6 +834,9 @@ type KinesisParameters struct {
 }
 
 type LambdaObservation struct {
+
+	// The ARN of the Lambda function.
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
 }
 
 type LambdaParameters struct {
@@ -555,6 +847,9 @@ type LambdaParameters struct {
 }
 
 type PutItemObservation struct {
+
+	// The name of the DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type PutItemParameters struct {
@@ -565,6 +860,15 @@ type PutItemParameters struct {
 }
 
 type RepublishObservation struct {
+
+	// The Quality of Service (QoS) level to use when republishing messages. Valid values are 0 or 1. The default value is 0.
+	Qos *float64 `json:"qos,omitempty" tf:"qos,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The Kafka topic for messages to be sent to the Kafka broker.
+	Topic *string `json:"topic,omitempty" tf:"topic,omitempty"`
 }
 
 type RepublishParameters struct {
@@ -583,6 +887,18 @@ type RepublishParameters struct {
 }
 
 type S3Observation struct {
+
+	// The Amazon S3 bucket name.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// The Amazon S3 canned ACL that controls access to the object identified by the object key. Valid values.
+	CannedACL *string `json:"cannedAcl,omitempty" tf:"canned_acl,omitempty"`
+
+	// The name of the HTTP header.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type S3Parameters struct {
@@ -605,6 +921,15 @@ type S3Parameters struct {
 }
 
 type SnsObservation struct {
+
+	// The message format of the message to publish. Accepted values are "JSON" and "RAW".
+	MessageFormat *string `json:"messageFormat,omitempty" tf:"message_format,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The ARN of the SNS topic.
+	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
 }
 
 type SnsParameters struct {
@@ -643,6 +968,15 @@ type SnsParameters struct {
 }
 
 type SqsObservation struct {
+
+	// The URL of the Amazon SQS queue.
+	QueueURL *string `json:"queueUrl,omitempty" tf:"queue_url,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Specifies whether to use Base64 encoding.
+	UseBase64 *bool `json:"useBase64,omitempty" tf:"use_base64,omitempty"`
 }
 
 type SqsParameters struct {
@@ -661,6 +995,15 @@ type SqsParameters struct {
 }
 
 type StepFunctionsObservation struct {
+
+	// The prefix used to generate, along with a UUID, the unique state machine execution name.
+	ExecutionNamePrefix *string `json:"executionNamePrefix,omitempty" tf:"execution_name_prefix,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the Step Functions state machine whose execution will be started.
+	StateMachineName *string `json:"stateMachineName,omitempty" tf:"state_machine_name,omitempty"`
 }
 
 type StepFunctionsParameters struct {
@@ -679,6 +1022,12 @@ type StepFunctionsParameters struct {
 }
 
 type TimestampObservation struct {
+
+	// The precision of the timestamp value that results from the expression described in value. Valid values: SECONDS, MILLISECONDS, MICROSECONDS, NANOSECONDS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// The value of the HTTP header.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TimestampParameters struct {
@@ -693,6 +1042,12 @@ type TimestampParameters struct {
 }
 
 type TimestreamDimensionObservation struct {
+
+	// The name of the rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the HTTP header.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TimestreamDimensionParameters struct {
@@ -707,6 +1062,21 @@ type TimestreamDimensionParameters struct {
 }
 
 type TimestreamObservation struct {
+
+	// The name of an Amazon Timestream database.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// Configuration blocks with metadata attributes of the time series that are written in each measure record. Nested arguments below.
+	Dimension []DimensionObservation `json:"dimension,omitempty" tf:"dimension,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
+
+	// Configuration block specifying an application-defined value to replace the default value assigned to the Timestream record's timestamp in the time column. Nested arguments below.
+	Timestamp []TimestampObservation `json:"timestamp,omitempty" tf:"timestamp,omitempty"`
 }
 
 type TimestreamParameters struct {
@@ -733,6 +1103,12 @@ type TimestreamParameters struct {
 }
 
 type TimestreamTimestampObservation struct {
+
+	// The precision of the timestamp value that results from the expression described in value. Valid values: SECONDS, MILLISECONDS, MICROSECONDS, NANOSECONDS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// The value of the HTTP header.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TimestreamTimestampParameters struct {
@@ -747,6 +1123,15 @@ type TimestreamTimestampParameters struct {
 }
 
 type TopicRuleFirehoseObservation struct {
+
+	// The delivery stream name.
+	DeliveryStreamName *string `json:"deliveryStreamName,omitempty" tf:"delivery_stream_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// A character separator that is used to separate records written to the Firehose stream. Valid values are: '\n' (newline), '\t' (tab), '\r\n' (Windows newline), ',' (comma).
+	Separator *string `json:"separator,omitempty" tf:"separator,omitempty"`
 }
 
 type TopicRuleFirehoseParameters struct {
@@ -765,6 +1150,15 @@ type TopicRuleFirehoseParameters struct {
 }
 
 type TopicRuleHTTPObservation struct {
+
+	// The HTTPS URL used to verify ownership of url.
+	ConfirmationURL *string `json:"confirmationUrl,omitempty" tf:"confirmation_url,omitempty"`
+
+	// Custom HTTP header IoT Core should send. It is possible to define more than one custom header.
+	HTTPHeader []HTTPHTTPHeaderObservation `json:"httpHeader,omitempty" tf:"http_header,omitempty"`
+
+	// The HTTPS URL.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
 }
 
 type TopicRuleHTTPParameters struct {
@@ -783,6 +1177,12 @@ type TopicRuleHTTPParameters struct {
 }
 
 type TopicRuleIotAnalyticsObservation struct {
+
+	// Name of AWS IOT Analytics channel.
+	ChannelName *string `json:"channelName,omitempty" tf:"channel_name,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type TopicRuleIotAnalyticsParameters struct {
@@ -797,6 +1197,15 @@ type TopicRuleIotAnalyticsParameters struct {
 }
 
 type TopicRuleIotEventsObservation struct {
+
+	// The name of the AWS IoT Events input.
+	InputName *string `json:"inputName,omitempty" tf:"input_name,omitempty"`
+
+	// Use this to ensure that only one input (message) with a given messageId is processed by an AWS IoT Events detector.
+	MessageID *string `json:"messageId,omitempty" tf:"message_id,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type TopicRuleIotEventsParameters struct {
@@ -815,6 +1224,21 @@ type TopicRuleIotEventsParameters struct {
 }
 
 type TopicRuleKafkaObservation struct {
+
+	// Properties of the Apache Kafka producer client. For more info, see the AWS documentation.
+	ClientProperties map[string]*string `json:"clientProperties,omitempty" tf:"client_properties,omitempty"`
+
+	// The ARN of Kafka action's VPC aws_iot_topic_rule_destination .
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
+
+	// The name of the HTTP header.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The Kafka message partition.
+	Partition *string `json:"partition,omitempty" tf:"partition,omitempty"`
+
+	// The Kafka topic for messages to be sent to the Kafka broker.
+	Topic *string `json:"topic,omitempty" tf:"topic,omitempty"`
 }
 
 type TopicRuleKafkaParameters struct {
@@ -841,6 +1265,15 @@ type TopicRuleKafkaParameters struct {
 }
 
 type TopicRuleKinesisObservation struct {
+
+	// The partition key.
+	PartitionKey *string `json:"partitionKey,omitempty" tf:"partition_key,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the Amazon Kinesis stream.
+	StreamName *string `json:"streamName,omitempty" tf:"stream_name,omitempty"`
 }
 
 type TopicRuleKinesisParameters struct {
@@ -859,6 +1292,9 @@ type TopicRuleKinesisParameters struct {
 }
 
 type TopicRuleLambdaObservation struct {
+
+	// The ARN of the Lambda function.
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
 }
 
 type TopicRuleLambdaParameters struct {
@@ -873,11 +1309,67 @@ type TopicRuleObservation struct {
 	// The ARN of the topic rule
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	CloudwatchAlarm []CloudwatchAlarmObservation `json:"cloudwatchAlarm,omitempty" tf:"cloudwatch_alarm,omitempty"`
+
+	CloudwatchLogs []CloudwatchLogsObservation `json:"cloudwatchLogs,omitempty" tf:"cloudwatch_logs,omitempty"`
+
+	CloudwatchMetric []CloudwatchMetricObservation `json:"cloudwatchMetric,omitempty" tf:"cloudwatch_metric,omitempty"`
+
+	// The description of the rule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	Dynamodb []DynamodbObservation `json:"dynamodb,omitempty" tf:"dynamodb,omitempty"`
+
+	Dynamodbv2 []Dynamodbv2Observation `json:"dynamodbv2,omitempty" tf:"dynamodbv2,omitempty"`
+
+	Elasticsearch []ElasticsearchObservation `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"`
+
+	// Specifies whether the rule is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Configuration block with error action to be associated with the rule. See the documentation for cloudwatch_alarm, cloudwatch_logs, cloudwatch_metric, dynamodb, dynamodbv2, elasticsearch, firehose, http, iot_analytics, iot_events, kafka, kinesis, lambda, republish, s3, sns, sqs, step_functions, timestream configuration blocks for further configuration details.
+	ErrorAction []ErrorActionObservation `json:"errorAction,omitempty" tf:"error_action,omitempty"`
+
+	Firehose []TopicRuleFirehoseObservation `json:"firehose,omitempty" tf:"firehose,omitempty"`
+
+	HTTP []TopicRuleHTTPObservation `json:"http,omitempty" tf:"http,omitempty"`
+
 	// The unique identifier for the document you are storing.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	IotAnalytics []TopicRuleIotAnalyticsObservation `json:"iotAnalytics,omitempty" tf:"iot_analytics,omitempty"`
+
+	IotEvents []TopicRuleIotEventsObservation `json:"iotEvents,omitempty" tf:"iot_events,omitempty"`
+
+	Kafka []TopicRuleKafkaObservation `json:"kafka,omitempty" tf:"kafka,omitempty"`
+
+	Kinesis []TopicRuleKinesisObservation `json:"kinesis,omitempty" tf:"kinesis,omitempty"`
+
+	Lambda []TopicRuleLambdaObservation `json:"lambda,omitempty" tf:"lambda,omitempty"`
+
+	Republish []TopicRuleRepublishObservation `json:"republish,omitempty" tf:"republish,omitempty"`
+
+	S3 []TopicRuleS3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
+
+	// The SQL statement used to query the topic. For more information, see AWS IoT SQL Reference (http://docs.aws.amazon.com/iot/latest/developerguide/iot-rules.html#aws-iot-sql-reference) in the AWS IoT Developer Guide.
+	SQL *string `json:"sql,omitempty" tf:"sql,omitempty"`
+
+	// The version of the SQL rules engine to use when evaluating the rule.
+	SQLVersion *string `json:"sqlVersion,omitempty" tf:"sql_version,omitempty"`
+
+	Sns []TopicRuleSnsObservation `json:"sns,omitempty" tf:"sns,omitempty"`
+
+	Sqs []TopicRuleSqsObservation `json:"sqs,omitempty" tf:"sqs,omitempty"`
+
+	StepFunctions []TopicRuleStepFunctionsObservation `json:"stepFunctions,omitempty" tf:"step_functions,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	Timestream []TopicRuleTimestreamObservation `json:"timestream,omitempty" tf:"timestream,omitempty"`
 }
 
 type TopicRuleParameters struct {
@@ -905,8 +1397,8 @@ type TopicRuleParameters struct {
 	Elasticsearch []ElasticsearchParameters `json:"elasticsearch,omitempty" tf:"elasticsearch,omitempty"`
 
 	// Specifies whether the rule is enabled.
-	// +kubebuilder:validation:Required
-	Enabled *bool `json:"enabled" tf:"enabled,omitempty"`
+	// +kubebuilder:validation:Optional
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 
 	// Configuration block with error action to be associated with the rule. See the documentation for cloudwatch_alarm, cloudwatch_logs, cloudwatch_metric, dynamodb, dynamodbv2, elasticsearch, firehose, http, iot_analytics, iot_events, kafka, kinesis, lambda, republish, s3, sns, sqs, step_functions, timestream configuration blocks for further configuration details.
 	// +kubebuilder:validation:Optional
@@ -945,12 +1437,12 @@ type TopicRuleParameters struct {
 	S3 []TopicRuleS3Parameters `json:"s3,omitempty" tf:"s3,omitempty"`
 
 	// The SQL statement used to query the topic. For more information, see AWS IoT SQL Reference (http://docs.aws.amazon.com/iot/latest/developerguide/iot-rules.html#aws-iot-sql-reference) in the AWS IoT Developer Guide.
-	// +kubebuilder:validation:Required
-	SQL *string `json:"sql" tf:"sql,omitempty"`
+	// +kubebuilder:validation:Optional
+	SQL *string `json:"sql,omitempty" tf:"sql,omitempty"`
 
 	// The version of the SQL rules engine to use when evaluating the rule.
-	// +kubebuilder:validation:Required
-	SQLVersion *string `json:"sqlVersion" tf:"sql_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	SQLVersion *string `json:"sqlVersion,omitempty" tf:"sql_version,omitempty"`
 
 	// +kubebuilder:validation:Optional
 	Sns []TopicRuleSnsParameters `json:"sns,omitempty" tf:"sns,omitempty"`
@@ -970,6 +1462,15 @@ type TopicRuleParameters struct {
 }
 
 type TopicRuleRepublishObservation struct {
+
+	// The Quality of Service (QoS) level to use when republishing messages. Valid values are 0 or 1. The default value is 0.
+	Qos *float64 `json:"qos,omitempty" tf:"qos,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The Kafka topic for messages to be sent to the Kafka broker.
+	Topic *string `json:"topic,omitempty" tf:"topic,omitempty"`
 }
 
 type TopicRuleRepublishParameters struct {
@@ -988,6 +1489,18 @@ type TopicRuleRepublishParameters struct {
 }
 
 type TopicRuleS3Observation struct {
+
+	// The Amazon S3 bucket name.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// The Amazon S3 canned ACL that controls access to the object identified by the object key. Valid values.
+	CannedACL *string `json:"cannedAcl,omitempty" tf:"canned_acl,omitempty"`
+
+	// The name of the HTTP header.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type TopicRuleS3Parameters struct {
@@ -1010,6 +1523,15 @@ type TopicRuleS3Parameters struct {
 }
 
 type TopicRuleSnsObservation struct {
+
+	// The message format of the message to publish. Accepted values are "JSON" and "RAW".
+	MessageFormat *string `json:"messageFormat,omitempty" tf:"message_format,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The ARN of the SNS topic.
+	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
 }
 
 type TopicRuleSnsParameters struct {
@@ -1048,6 +1570,15 @@ type TopicRuleSnsParameters struct {
 }
 
 type TopicRuleSqsObservation struct {
+
+	// The URL of the Amazon SQS queue.
+	QueueURL *string `json:"queueUrl,omitempty" tf:"queue_url,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Specifies whether to use Base64 encoding.
+	UseBase64 *bool `json:"useBase64,omitempty" tf:"use_base64,omitempty"`
 }
 
 type TopicRuleSqsParameters struct {
@@ -1066,6 +1597,15 @@ type TopicRuleSqsParameters struct {
 }
 
 type TopicRuleStepFunctionsObservation struct {
+
+	// The prefix used to generate, along with a UUID, the unique state machine execution name.
+	ExecutionNamePrefix *string `json:"executionNamePrefix,omitempty" tf:"execution_name_prefix,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the Step Functions state machine whose execution will be started.
+	StateMachineName *string `json:"stateMachineName,omitempty" tf:"state_machine_name,omitempty"`
 }
 
 type TopicRuleStepFunctionsParameters struct {
@@ -1084,6 +1624,21 @@ type TopicRuleStepFunctionsParameters struct {
 }
 
 type TopicRuleTimestreamObservation struct {
+
+	// The name of an Amazon Timestream database.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// Configuration blocks with metadata attributes of the time series that are written in each measure record. Nested arguments below.
+	Dimension []TimestreamDimensionObservation `json:"dimension,omitempty" tf:"dimension,omitempty"`
+
+	// The IAM role ARN that allows access to the CloudWatch alarm.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name of the DynamoDB table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
+
+	// Configuration block specifying an application-defined value to replace the default value assigned to the Timestream record's timestamp in the time column. Nested arguments below.
+	Timestamp []TimestreamTimestampObservation `json:"timestamp,omitempty" tf:"timestamp,omitempty"`
 }
 
 type TopicRuleTimestreamParameters struct {
@@ -1133,8 +1688,11 @@ type TopicRuleStatus struct {
 type TopicRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TopicRuleSpec   `json:"spec"`
-	Status            TopicRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enabled)",message="enabled is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sql)",message="sql is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sqlVersion)",message="sqlVersion is a required parameter"
+	Spec   TopicRuleSpec   `json:"spec"`
+	Status TopicRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ivs/v1beta1/zz_channel_types.go b/apis/ivs/v1beta1/zz_channel_types.go
index 97e6e4c3c3..35289e3510 100755
--- a/apis/ivs/v1beta1/zz_channel_types.go
+++ b/apis/ivs/v1beta1/zz_channel_types.go
@@ -18,16 +18,34 @@ type ChannelObservation struct {
 	// ARN of the Channel.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// If true, channel is private (enabled for playback authorization).
+	Authorized *bool `json:"authorized,omitempty" tf:"authorized,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Channel ingest endpoint, part of the definition of an ingest server, used when setting up streaming software.
 	IngestEndpoint *string `json:"ingestEndpoint,omitempty" tf:"ingest_endpoint,omitempty"`
 
+	// Channel latency mode. Valid values: NORMAL, LOW.
+	LatencyMode *string `json:"latencyMode,omitempty" tf:"latency_mode,omitempty"`
+
+	// Channel name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Channel playback URL.
 	PlaybackURL *string `json:"playbackUrl,omitempty" tf:"playback_url,omitempty"`
 
+	// Recording configuration ARN.
+	RecordingConfigurationArn *string `json:"recordingConfigurationArn,omitempty" tf:"recording_configuration_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Channel type, which determines the allowable resolution and bitrate. Valid values: STANDARD, BASIC.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ChannelParameters struct {
diff --git a/apis/ivs/v1beta1/zz_generated.deepcopy.go b/apis/ivs/v1beta1/zz_generated.deepcopy.go
index 92123832f0..91aa1cf3d9 100644
--- a/apis/ivs/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ivs/v1beta1/zz_generated.deepcopy.go
@@ -80,6 +80,11 @@ func (in *ChannelObservation) DeepCopyInto(out *ChannelObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Authorized != nil {
+		in, out := &in.Authorized, &out.Authorized
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -90,11 +95,41 @@ func (in *ChannelObservation) DeepCopyInto(out *ChannelObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LatencyMode != nil {
+		in, out := &in.LatencyMode, &out.LatencyMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.PlaybackURL != nil {
 		in, out := &in.PlaybackURL, &out.PlaybackURL
 		*out = new(string)
 		**out = **in
 	}
+	if in.RecordingConfigurationArn != nil {
+		in, out := &in.RecordingConfigurationArn, &out.RecordingConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -110,6 +145,11 @@ func (in *ChannelObservation) DeepCopyInto(out *ChannelObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChannelObservation.
@@ -219,6 +259,13 @@ func (in *ChannelStatus) DeepCopy() *ChannelStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationConfigurationObservation) DeepCopyInto(out *DestinationConfigurationObservation) {
 	*out = *in
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]S3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationConfigurationObservation.
@@ -320,16 +367,48 @@ func (in *RecordingConfigurationObservation) DeepCopyInto(out *RecordingConfigur
 		*out = new(string)
 		**out = **in
 	}
+	if in.DestinationConfiguration != nil {
+		in, out := &in.DestinationConfiguration, &out.DestinationConfiguration
+		*out = make([]DestinationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordingReconnectWindowSeconds != nil {
+		in, out := &in.RecordingReconnectWindowSeconds, &out.RecordingReconnectWindowSeconds
+		*out = new(float64)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -345,6 +424,13 @@ func (in *RecordingConfigurationObservation) DeepCopyInto(out *RecordingConfigur
 			(*out)[key] = outVal
 		}
 	}
+	if in.ThumbnailConfiguration != nil {
+		in, out := &in.ThumbnailConfiguration, &out.ThumbnailConfiguration
+		*out = make([]ThumbnailConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordingConfigurationObservation.
@@ -453,6 +539,11 @@ func (in *RecordingConfigurationStatus) DeepCopy() *RecordingConfigurationStatus
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3Observation) DeepCopyInto(out *S3Observation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Observation.
@@ -488,6 +579,16 @@ func (in *S3Parameters) DeepCopy() *S3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThumbnailConfigurationObservation) DeepCopyInto(out *ThumbnailConfigurationObservation) {
 	*out = *in
+	if in.RecordingMode != nil {
+		in, out := &in.RecordingMode, &out.RecordingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetIntervalSeconds != nil {
+		in, out := &in.TargetIntervalSeconds, &out.TargetIntervalSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThumbnailConfigurationObservation.
diff --git a/apis/ivs/v1beta1/zz_recordingconfiguration_types.go b/apis/ivs/v1beta1/zz_recordingconfiguration_types.go
index 068faf7068..8f36cb1031 100755
--- a/apis/ivs/v1beta1/zz_recordingconfiguration_types.go
+++ b/apis/ivs/v1beta1/zz_recordingconfiguration_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type DestinationConfigurationObservation struct {
+
+	// S3 destination configuration where recorded videos will be stored.
+	S3 []S3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
 }
 
 type DestinationConfigurationParameters struct {
@@ -28,20 +31,35 @@ type RecordingConfigurationObservation struct {
 	// ARN of the Recording Configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Object containing destination configuration for where recorded video will be stored.
+	DestinationConfiguration []DestinationConfigurationObservation `json:"destinationConfiguration,omitempty" tf:"destination_configuration,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Recording Configuration name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// If a broadcast disconnects and then reconnects within the specified interval, the multiple streams will be considered a single broadcast and merged together.
+	RecordingReconnectWindowSeconds *float64 `json:"recordingReconnectWindowSeconds,omitempty" tf:"recording_reconnect_window_seconds,omitempty"`
+
 	// The current state of the Recording Configuration.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Object containing information to enable/disable the recording of thumbnails for a live session and modify the interval at which thumbnails are generated for the live session.
+	ThumbnailConfiguration []ThumbnailConfigurationObservation `json:"thumbnailConfiguration,omitempty" tf:"thumbnail_configuration,omitempty"`
 }
 
 type RecordingConfigurationParameters struct {
 
 	// Object containing destination configuration for where recorded video will be stored.
-	// +kubebuilder:validation:Required
-	DestinationConfiguration []DestinationConfigurationParameters `json:"destinationConfiguration" tf:"destination_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	DestinationConfiguration []DestinationConfigurationParameters `json:"destinationConfiguration,omitempty" tf:"destination_configuration,omitempty"`
 
 	// Recording Configuration name.
 	// +kubebuilder:validation:Optional
@@ -66,6 +84,9 @@ type RecordingConfigurationParameters struct {
 }
 
 type S3Observation struct {
+
+	// S3 bucket name where recorded videos will be stored.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
 }
 
 type S3Parameters struct {
@@ -76,6 +97,12 @@ type S3Parameters struct {
 }
 
 type ThumbnailConfigurationObservation struct {
+
+	// Thumbnail recording mode. Valid values: DISABLED, INTERVAL.
+	RecordingMode *string `json:"recordingMode,omitempty" tf:"recording_mode,omitempty"`
+
+	// The targeted thumbnail-generation interval in seconds.
+	TargetIntervalSeconds *float64 `json:"targetIntervalSeconds,omitempty" tf:"target_interval_seconds,omitempty"`
 }
 
 type ThumbnailConfigurationParameters struct {
@@ -113,8 +140,9 @@ type RecordingConfigurationStatus struct {
 type RecordingConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RecordingConfigurationSpec   `json:"spec"`
-	Status            RecordingConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationConfiguration)",message="destinationConfiguration is a required parameter"
+	Spec   RecordingConfigurationSpec   `json:"spec"`
+	Status RecordingConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kafka/v1beta1/zz_cluster_types.go b/apis/kafka/v1beta1/zz_cluster_types.go
index d488167fac..e8f0231b27 100755
--- a/apis/kafka/v1beta1/zz_cluster_types.go
+++ b/apis/kafka/v1beta1/zz_cluster_types.go
@@ -14,6 +14,11 @@ import (
 )
 
 type BrokerLogsObservation struct {
+	CloudwatchLogs []CloudwatchLogsObservation `json:"cloudwatchLogs,omitempty" tf:"cloudwatch_logs,omitempty"`
+
+	Firehose []FirehoseObservation `json:"firehose,omitempty" tf:"firehose,omitempty"`
+
+	S3 []S3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
 }
 
 type BrokerLogsParameters struct {
@@ -29,6 +34,27 @@ type BrokerLogsParameters struct {
 }
 
 type BrokerNodeGroupInfoObservation struct {
+
+	// The distribution of broker nodes across availability zones (documentation). Currently the only valid value is DEFAULT.
+	AzDistribution *string `json:"azDistribution,omitempty" tf:"az_distribution,omitempty"`
+
+	// A list of subnets to connect to in client VPC (documentation).
+	ClientSubnets []*string `json:"clientSubnets,omitempty" tf:"client_subnets,omitempty"`
+
+	// Information about the cluster access configuration. See below. For security reasons, you can't turn on public access while creating an MSK cluster. However, you can update an existing cluster to make it publicly accessible. You can also create a new cluster and then update it to make it publicly accessible (documentation).
+	ConnectivityInfo []ConnectivityInfoObservation `json:"connectivityInfo,omitempty" tf:"connectivity_info,omitempty"`
+
+	// The size in GiB of the EBS volume for the data drive on each broker node.
+	EBSVolumeSize *float64 `json:"ebsVolumeSize,omitempty" tf:"ebs_volume_size,omitempty"`
+
+	// Specify the instance type to use for the kafka brokersE.g., kafka.m5.large. (Pricing info)
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// A list of the security groups to associate with the elastic network interfaces to control who can communicate with the cluster.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// A block that contains information about storage volumes attached to MSK broker nodes. See below.
+	StorageInfo []StorageInfoObservation `json:"storageInfo,omitempty" tf:"storage_info,omitempty"`
 }
 
 type BrokerNodeGroupInfoParameters struct {
@@ -81,6 +107,15 @@ type BrokerNodeGroupInfoParameters struct {
 }
 
 type ClientAuthenticationObservation struct {
+
+	// Configuration block for specifying SASL client authentication. See below.
+	Sasl []SaslObservation `json:"sasl,omitempty" tf:"sasl,omitempty"`
+
+	// Configuration block for specifying TLS client authentication. See below.
+	TLS []TLSObservation `json:"tls,omitempty" tf:"tls,omitempty"`
+
+	// Enables unauthenticated access.
+	Unauthenticated *bool `json:"unauthenticated,omitempty" tf:"unauthenticated,omitempty"`
 }
 
 type ClientAuthenticationParameters struct {
@@ -99,6 +134,12 @@ type ClientAuthenticationParameters struct {
 }
 
 type CloudwatchLogsObservation struct {
+
+	// Controls whether provisioned throughput is enabled or not. Default value: false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Name of the Cloudwatch Log Group to deliver logs to.
+	LogGroup *string `json:"logGroup,omitempty" tf:"log_group,omitempty"`
 }
 
 type CloudwatchLogsParameters struct {
@@ -147,11 +188,47 @@ type ClusterObservation struct {
 	// One or more DNS names (or IP addresses) and TLS port pairs. For example, b-1.exampleClusterName.abcde.c2.kafka.us-east-1.amazonaws.com:9094,b-2.exampleClusterName.abcde.c2.kafka.us-east-1.amazonaws.com:9094,b-3.exampleClusterName.abcde.c2.kafka.us-east-1.amazonaws.com:9094. This attribute will have a value if encryption_info.0.encryption_in_transit.0.client_broker is set to TLS_PLAINTEXT or TLS. The resource sorts the list alphabetically. AWS may not always return all endpoints so the values may not be stable across applies.
 	BootstrapBrokersTLS *string `json:"bootstrapBrokersTls,omitempty" tf:"bootstrap_brokers_tls,omitempty"`
 
+	// Configuration block for the broker nodes of the Kafka cluster.
+	BrokerNodeGroupInfo []BrokerNodeGroupInfoObservation `json:"brokerNodeGroupInfo,omitempty" tf:"broker_node_group_info,omitempty"`
+
+	// Configuration block for specifying a client authentication. See below.
+	ClientAuthentication []ClientAuthenticationObservation `json:"clientAuthentication,omitempty" tf:"client_authentication,omitempty"`
+
+	// Name of the MSK cluster.
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
+	// Configuration block for specifying a MSK Configuration to attach to Kafka brokers. See below.
+	ConfigurationInfo []ConfigurationInfoObservation `json:"configurationInfo,omitempty" tf:"configuration_info,omitempty"`
+
 	// Current version of the MSK Cluster used for updates, e.g., K13V1IB3VIYZZH
 	CurrentVersion *string `json:"currentVersion,omitempty" tf:"current_version,omitempty"`
 
+	// Configuration block for specifying encryption. See below.
+	EncryptionInfo []EncryptionInfoObservation `json:"encryptionInfo,omitempty" tf:"encryption_info,omitempty"`
+
+	// Specify the desired enhanced MSK CloudWatch monitoring level. See Monitoring Amazon MSK with Amazon CloudWatch
+	EnhancedMonitoring *string `json:"enhancedMonitoring,omitempty" tf:"enhanced_monitoring,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specify the desired Kafka software version.
+	KafkaVersion *string `json:"kafkaVersion,omitempty" tf:"kafka_version,omitempty"`
+
+	// Configuration block for streaming broker logs to Cloudwatch/S3/Kinesis Firehose. See below.
+	LoggingInfo []LoggingInfoObservation `json:"loggingInfo,omitempty" tf:"logging_info,omitempty"`
+
+	// The desired total number of broker nodes in the kafka cluster.  It must be a multiple of the number of specified client subnets.
+	NumberOfBrokerNodes *float64 `json:"numberOfBrokerNodes,omitempty" tf:"number_of_broker_nodes,omitempty"`
+
+	// Configuration block for JMX and Node monitoring for the MSK cluster. See below.
+	OpenMonitoring []OpenMonitoringObservation `json:"openMonitoring,omitempty" tf:"open_monitoring,omitempty"`
+
+	// Controls storage mode for supported storage tiers. Valid values are: LOCAL or TIERED.
+	StorageMode *string `json:"storageMode,omitempty" tf:"storage_mode,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -165,16 +242,16 @@ type ClusterObservation struct {
 type ClusterParameters struct {
 
 	// Configuration block for the broker nodes of the Kafka cluster.
-	// +kubebuilder:validation:Required
-	BrokerNodeGroupInfo []BrokerNodeGroupInfoParameters `json:"brokerNodeGroupInfo" tf:"broker_node_group_info,omitempty"`
+	// +kubebuilder:validation:Optional
+	BrokerNodeGroupInfo []BrokerNodeGroupInfoParameters `json:"brokerNodeGroupInfo,omitempty" tf:"broker_node_group_info,omitempty"`
 
 	// Configuration block for specifying a client authentication. See below.
 	// +kubebuilder:validation:Optional
 	ClientAuthentication []ClientAuthenticationParameters `json:"clientAuthentication,omitempty" tf:"client_authentication,omitempty"`
 
 	// Name of the MSK cluster.
-	// +kubebuilder:validation:Required
-	ClusterName *string `json:"clusterName" tf:"cluster_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
 
 	// Configuration block for specifying a MSK Configuration to attach to Kafka brokers. See below.
 	// +kubebuilder:validation:Optional
@@ -189,16 +266,16 @@ type ClusterParameters struct {
 	EnhancedMonitoring *string `json:"enhancedMonitoring,omitempty" tf:"enhanced_monitoring,omitempty"`
 
 	// Specify the desired Kafka software version.
-	// +kubebuilder:validation:Required
-	KafkaVersion *string `json:"kafkaVersion" tf:"kafka_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	KafkaVersion *string `json:"kafkaVersion,omitempty" tf:"kafka_version,omitempty"`
 
 	// Configuration block for streaming broker logs to Cloudwatch/S3/Kinesis Firehose. See below.
 	// +kubebuilder:validation:Optional
 	LoggingInfo []LoggingInfoParameters `json:"loggingInfo,omitempty" tf:"logging_info,omitempty"`
 
 	// The desired total number of broker nodes in the kafka cluster.  It must be a multiple of the number of specified client subnets.
-	// +kubebuilder:validation:Required
-	NumberOfBrokerNodes *float64 `json:"numberOfBrokerNodes" tf:"number_of_broker_nodes,omitempty"`
+	// +kubebuilder:validation:Optional
+	NumberOfBrokerNodes *float64 `json:"numberOfBrokerNodes,omitempty" tf:"number_of_broker_nodes,omitempty"`
 
 	// Configuration block for JMX and Node monitoring for the MSK cluster. See below.
 	// +kubebuilder:validation:Optional
@@ -219,6 +296,12 @@ type ClusterParameters struct {
 }
 
 type ConfigurationInfoObservation struct {
+
+	// Amazon Resource Name (ARN) of the MSK Configuration to use in the cluster.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Revision of the MSK Configuration to use in the cluster.
+	Revision *float64 `json:"revision,omitempty" tf:"revision,omitempty"`
 }
 
 type ConfigurationInfoParameters struct {
@@ -233,6 +316,9 @@ type ConfigurationInfoParameters struct {
 }
 
 type ConnectivityInfoObservation struct {
+
+	// Access control settings for brokers. See below.
+	PublicAccess []PublicAccessObservation `json:"publicAccess,omitempty" tf:"public_access,omitempty"`
 }
 
 type ConnectivityInfoParameters struct {
@@ -243,6 +329,12 @@ type ConnectivityInfoParameters struct {
 }
 
 type EBSStorageInfoObservation struct {
+
+	// A block that contains EBS volume provisioned throughput information. To provision storage throughput, you must choose broker type kafka.m5.4xlarge or larger. See below.
+	ProvisionedThroughput []ProvisionedThroughputObservation `json:"provisionedThroughput,omitempty" tf:"provisioned_throughput,omitempty"`
+
+	// The size in GiB of the EBS volume for the data drive on each broker node. Minimum value of 1 and maximum value of 16384.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
 }
 
 type EBSStorageInfoParameters struct {
@@ -257,6 +349,12 @@ type EBSStorageInfoParameters struct {
 }
 
 type EncryptionInTransitObservation struct {
+
+	// Encryption setting for data in transit between clients and brokers. Valid values: TLS, TLS_PLAINTEXT, and PLAINTEXT. Default value is TLS.
+	ClientBroker *string `json:"clientBroker,omitempty" tf:"client_broker,omitempty"`
+
+	// Whether data communication among broker nodes is encrypted. Default value: true.
+	InCluster *bool `json:"inCluster,omitempty" tf:"in_cluster,omitempty"`
 }
 
 type EncryptionInTransitParameters struct {
@@ -271,6 +369,12 @@ type EncryptionInTransitParameters struct {
 }
 
 type EncryptionInfoObservation struct {
+
+	// The ARN of the KMS key used for encryption at rest of the broker data volumes.
+	EncryptionAtRestKMSKeyArn *string `json:"encryptionAtRestKmsKeyArn,omitempty" tf:"encryption_at_rest_kms_key_arn,omitempty"`
+
+	// Configuration block to specify encryption in transit. See below.
+	EncryptionInTransit []EncryptionInTransitObservation `json:"encryptionInTransit,omitempty" tf:"encryption_in_transit,omitempty"`
 }
 
 type EncryptionInfoParameters struct {
@@ -295,6 +399,12 @@ type EncryptionInfoParameters struct {
 }
 
 type FirehoseObservation struct {
+
+	// Name of the Kinesis Data Firehose delivery stream to deliver logs to.
+	DeliveryStream *string `json:"deliveryStream,omitempty" tf:"delivery_stream,omitempty"`
+
+	// Controls whether provisioned throughput is enabled or not. Default value: false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type FirehoseParameters struct {
@@ -319,6 +429,9 @@ type FirehoseParameters struct {
 }
 
 type JmxExporterObservation struct {
+
+	// Indicates whether you want to enable or disable the JMX Exporter.
+	EnabledInBroker *bool `json:"enabledInBroker,omitempty" tf:"enabled_in_broker,omitempty"`
 }
 
 type JmxExporterParameters struct {
@@ -329,6 +442,9 @@ type JmxExporterParameters struct {
 }
 
 type LoggingInfoObservation struct {
+
+	// Configuration block for Broker Logs settings for logging info. See below.
+	BrokerLogs []BrokerLogsObservation `json:"brokerLogs,omitempty" tf:"broker_logs,omitempty"`
 }
 
 type LoggingInfoParameters struct {
@@ -339,6 +455,9 @@ type LoggingInfoParameters struct {
 }
 
 type NodeExporterObservation struct {
+
+	// Indicates whether you want to enable or disable the JMX Exporter.
+	EnabledInBroker *bool `json:"enabledInBroker,omitempty" tf:"enabled_in_broker,omitempty"`
 }
 
 type NodeExporterParameters struct {
@@ -349,6 +468,9 @@ type NodeExporterParameters struct {
 }
 
 type OpenMonitoringObservation struct {
+
+	// Configuration block for Prometheus settings for open monitoring. See below.
+	Prometheus []PrometheusObservation `json:"prometheus,omitempty" tf:"prometheus,omitempty"`
 }
 
 type OpenMonitoringParameters struct {
@@ -359,6 +481,12 @@ type OpenMonitoringParameters struct {
 }
 
 type PrometheusObservation struct {
+
+	// Configuration block for JMX Exporter. See below.
+	JmxExporter []JmxExporterObservation `json:"jmxExporter,omitempty" tf:"jmx_exporter,omitempty"`
+
+	// Configuration block for Node Exporter. See below.
+	NodeExporter []NodeExporterObservation `json:"nodeExporter,omitempty" tf:"node_exporter,omitempty"`
 }
 
 type PrometheusParameters struct {
@@ -373,6 +501,12 @@ type PrometheusParameters struct {
 }
 
 type ProvisionedThroughputObservation struct {
+
+	// Controls whether provisioned throughput is enabled or not. Default value: false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Throughput value of the EBS volumes for the data drive on each kafka broker node in MiB per second. The minimum value is 250. The maximum value varies between broker type. You can refer to the valid values for the maximum volume throughput at the following documentation on throughput bottlenecks
+	VolumeThroughput *float64 `json:"volumeThroughput,omitempty" tf:"volume_throughput,omitempty"`
 }
 
 type ProvisionedThroughputParameters struct {
@@ -387,6 +521,9 @@ type ProvisionedThroughputParameters struct {
 }
 
 type PublicAccessObservation struct {
+
+	// Public access type. Valida values: DISABLED, SERVICE_PROVIDED_EIPS.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PublicAccessParameters struct {
@@ -397,6 +534,15 @@ type PublicAccessParameters struct {
 }
 
 type S3Observation struct {
+
+	// Name of the S3 bucket to deliver logs to.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Controls whether provisioned throughput is enabled or not. Default value: false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Prefix to append to the folder name.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type S3Parameters struct {
@@ -424,6 +570,12 @@ type S3Parameters struct {
 }
 
 type SaslObservation struct {
+
+	// Enables IAM client authentication. Defaults to false.
+	IAM *bool `json:"iam,omitempty" tf:"iam,omitempty"`
+
+	// Enables SCRAM client authentication via AWS Secrets Manager. Defaults to false.
+	Scram *bool `json:"scram,omitempty" tf:"scram,omitempty"`
 }
 
 type SaslParameters struct {
@@ -438,6 +590,9 @@ type SaslParameters struct {
 }
 
 type StorageInfoObservation struct {
+
+	// A block that contains EBS volume information. See below.
+	EBSStorageInfo []EBSStorageInfoObservation `json:"ebsStorageInfo,omitempty" tf:"ebs_storage_info,omitempty"`
 }
 
 type StorageInfoParameters struct {
@@ -448,6 +603,9 @@ type StorageInfoParameters struct {
 }
 
 type TLSObservation struct {
+
+	// List of ACM Certificate Authority Amazon Resource Names (ARNs).
+	CertificateAuthorityArns []*string `json:"certificateAuthorityArns,omitempty" tf:"certificate_authority_arns,omitempty"`
 }
 
 type TLSParameters struct {
@@ -481,8 +639,12 @@ type ClusterStatus struct {
 type Cluster struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterSpec   `json:"spec"`
-	Status            ClusterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.brokerNodeGroupInfo)",message="brokerNodeGroupInfo is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.clusterName)",message="clusterName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.kafkaVersion)",message="kafkaVersion is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.numberOfBrokerNodes)",message="numberOfBrokerNodes is a required parameter"
+	Spec   ClusterSpec   `json:"spec"`
+	Status ClusterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kafka/v1beta1/zz_configuration_types.go b/apis/kafka/v1beta1/zz_configuration_types.go
index ab4fbee82f..f0c2594f63 100755
--- a/apis/kafka/v1beta1/zz_configuration_types.go
+++ b/apis/kafka/v1beta1/zz_configuration_types.go
@@ -18,10 +18,22 @@ type ConfigurationObservation struct {
 	// Amazon Resource Name (ARN) of the configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of Apache Kafka versions which can use this configuration.
+	KafkaVersions []*string `json:"kafkaVersions,omitempty" tf:"kafka_versions,omitempty"`
+
 	// Latest revision of the configuration.
 	LatestRevision *float64 `json:"latestRevision,omitempty" tf:"latest_revision,omitempty"`
+
+	// Name of the configuration.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Contents of the server.properties file. Supported properties are documented in the MSK Developer Guide.
+	ServerProperties *string `json:"serverProperties,omitempty" tf:"server_properties,omitempty"`
 }
 
 type ConfigurationParameters struct {
@@ -35,8 +47,8 @@ type ConfigurationParameters struct {
 	KafkaVersions []*string `json:"kafkaVersions,omitempty" tf:"kafka_versions,omitempty"`
 
 	// Name of the configuration.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -44,8 +56,8 @@ type ConfigurationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Contents of the server.properties file. Supported properties are documented in the MSK Developer Guide.
-	// +kubebuilder:validation:Required
-	ServerProperties *string `json:"serverProperties" tf:"server_properties,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServerProperties *string `json:"serverProperties,omitempty" tf:"server_properties,omitempty"`
 }
 
 // ConfigurationSpec defines the desired state of Configuration
@@ -72,8 +84,10 @@ type ConfigurationStatus struct {
 type Configuration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConfigurationSpec   `json:"spec"`
-	Status            ConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serverProperties)",message="serverProperties is a required parameter"
+	Spec   ConfigurationSpec   `json:"spec"`
+	Status ConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kafka/v1beta1/zz_generated.deepcopy.go b/apis/kafka/v1beta1/zz_generated.deepcopy.go
index c907235d43..85ab5db09e 100644
--- a/apis/kafka/v1beta1/zz_generated.deepcopy.go
+++ b/apis/kafka/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,27 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BrokerLogsObservation) DeepCopyInto(out *BrokerLogsObservation) {
 	*out = *in
+	if in.CloudwatchLogs != nil {
+		in, out := &in.CloudwatchLogs, &out.CloudwatchLogs
+		*out = make([]CloudwatchLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Firehose != nil {
+		in, out := &in.Firehose, &out.Firehose
+		*out = make([]FirehoseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]S3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BrokerLogsObservation.
@@ -68,6 +89,57 @@ func (in *BrokerLogsParameters) DeepCopy() *BrokerLogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BrokerNodeGroupInfoObservation) DeepCopyInto(out *BrokerNodeGroupInfoObservation) {
 	*out = *in
+	if in.AzDistribution != nil {
+		in, out := &in.AzDistribution, &out.AzDistribution
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientSubnets != nil {
+		in, out := &in.ClientSubnets, &out.ClientSubnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ConnectivityInfo != nil {
+		in, out := &in.ConnectivityInfo, &out.ConnectivityInfo
+		*out = make([]ConnectivityInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EBSVolumeSize != nil {
+		in, out := &in.EBSVolumeSize, &out.EBSVolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StorageInfo != nil {
+		in, out := &in.StorageInfo, &out.StorageInfo
+		*out = make([]StorageInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BrokerNodeGroupInfoObservation.
@@ -173,6 +245,25 @@ func (in *BrokerNodeGroupInfoParameters) DeepCopy() *BrokerNodeGroupInfoParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientAuthenticationObservation) DeepCopyInto(out *ClientAuthenticationObservation) {
 	*out = *in
+	if in.Sasl != nil {
+		in, out := &in.Sasl, &out.Sasl
+		*out = make([]SaslObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TLS != nil {
+		in, out := &in.TLS, &out.TLS
+		*out = make([]TLSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Unauthenticated != nil {
+		in, out := &in.Unauthenticated, &out.Unauthenticated
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientAuthenticationObservation.
@@ -222,6 +313,16 @@ func (in *ClientAuthenticationParameters) DeepCopy() *ClientAuthenticationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchLogsObservation) DeepCopyInto(out *CloudwatchLogsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogGroup != nil {
+		in, out := &in.LogGroup, &out.LogGroup
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchLogsObservation.
@@ -371,16 +472,98 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BrokerNodeGroupInfo != nil {
+		in, out := &in.BrokerNodeGroupInfo, &out.BrokerNodeGroupInfo
+		*out = make([]BrokerNodeGroupInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClientAuthentication != nil {
+		in, out := &in.ClientAuthentication, &out.ClientAuthentication
+		*out = make([]ClientAuthenticationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConfigurationInfo != nil {
+		in, out := &in.ConfigurationInfo, &out.ConfigurationInfo
+		*out = make([]ConfigurationInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.CurrentVersion != nil {
 		in, out := &in.CurrentVersion, &out.CurrentVersion
 		*out = new(string)
 		**out = **in
 	}
+	if in.EncryptionInfo != nil {
+		in, out := &in.EncryptionInfo, &out.EncryptionInfo
+		*out = make([]EncryptionInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnhancedMonitoring != nil {
+		in, out := &in.EnhancedMonitoring, &out.EnhancedMonitoring
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KafkaVersion != nil {
+		in, out := &in.KafkaVersion, &out.KafkaVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoggingInfo != nil {
+		in, out := &in.LoggingInfo, &out.LoggingInfo
+		*out = make([]LoggingInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NumberOfBrokerNodes != nil {
+		in, out := &in.NumberOfBrokerNodes, &out.NumberOfBrokerNodes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OpenMonitoring != nil {
+		in, out := &in.OpenMonitoring, &out.OpenMonitoring
+		*out = make([]OpenMonitoringObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StorageMode != nil {
+		in, out := &in.StorageMode, &out.StorageMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -584,6 +767,16 @@ func (in *Configuration) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationInfoObservation) DeepCopyInto(out *ConfigurationInfoObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Revision != nil {
+		in, out := &in.Revision, &out.Revision
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationInfoObservation.
@@ -661,16 +854,42 @@ func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KafkaVersions != nil {
+		in, out := &in.KafkaVersions, &out.KafkaVersions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.LatestRevision != nil {
 		in, out := &in.LatestRevision, &out.LatestRevision
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerProperties != nil {
+		in, out := &in.ServerProperties, &out.ServerProperties
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationObservation.
@@ -766,6 +985,13 @@ func (in *ConfigurationStatus) DeepCopy() *ConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectivityInfoObservation) DeepCopyInto(out *ConnectivityInfoObservation) {
 	*out = *in
+	if in.PublicAccess != nil {
+		in, out := &in.PublicAccess, &out.PublicAccess
+		*out = make([]PublicAccessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectivityInfoObservation.
@@ -803,6 +1029,18 @@ func (in *ConnectivityInfoParameters) DeepCopy() *ConnectivityInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSStorageInfoObservation) DeepCopyInto(out *EBSStorageInfoObservation) {
 	*out = *in
+	if in.ProvisionedThroughput != nil {
+		in, out := &in.ProvisionedThroughput, &out.ProvisionedThroughput
+		*out = make([]ProvisionedThroughputObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSStorageInfoObservation.
@@ -845,6 +1083,16 @@ func (in *EBSStorageInfoParameters) DeepCopy() *EBSStorageInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionInTransitObservation) DeepCopyInto(out *EncryptionInTransitObservation) {
 	*out = *in
+	if in.ClientBroker != nil {
+		in, out := &in.ClientBroker, &out.ClientBroker
+		*out = new(string)
+		**out = **in
+	}
+	if in.InCluster != nil {
+		in, out := &in.InCluster, &out.InCluster
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionInTransitObservation.
@@ -885,6 +1133,18 @@ func (in *EncryptionInTransitParameters) DeepCopy() *EncryptionInTransitParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionInfoObservation) DeepCopyInto(out *EncryptionInfoObservation) {
 	*out = *in
+	if in.EncryptionAtRestKMSKeyArn != nil {
+		in, out := &in.EncryptionAtRestKMSKeyArn, &out.EncryptionAtRestKMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionInTransit != nil {
+		in, out := &in.EncryptionInTransit, &out.EncryptionInTransit
+		*out = make([]EncryptionInTransitObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionInfoObservation.
@@ -937,6 +1197,16 @@ func (in *EncryptionInfoParameters) DeepCopy() *EncryptionInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FirehoseObservation) DeepCopyInto(out *FirehoseObservation) {
 	*out = *in
+	if in.DeliveryStream != nil {
+		in, out := &in.DeliveryStream, &out.DeliveryStream
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirehoseObservation.
@@ -987,6 +1257,11 @@ func (in *FirehoseParameters) DeepCopy() *FirehoseParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JmxExporterObservation) DeepCopyInto(out *JmxExporterObservation) {
 	*out = *in
+	if in.EnabledInBroker != nil {
+		in, out := &in.EnabledInBroker, &out.EnabledInBroker
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JmxExporterObservation.
@@ -1022,6 +1297,13 @@ func (in *JmxExporterParameters) DeepCopy() *JmxExporterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingInfoObservation) DeepCopyInto(out *LoggingInfoObservation) {
 	*out = *in
+	if in.BrokerLogs != nil {
+		in, out := &in.BrokerLogs, &out.BrokerLogs
+		*out = make([]BrokerLogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingInfoObservation.
@@ -1059,6 +1341,11 @@ func (in *LoggingInfoParameters) DeepCopy() *LoggingInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeExporterObservation) DeepCopyInto(out *NodeExporterObservation) {
 	*out = *in
+	if in.EnabledInBroker != nil {
+		in, out := &in.EnabledInBroker, &out.EnabledInBroker
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeExporterObservation.
@@ -1094,6 +1381,13 @@ func (in *NodeExporterParameters) DeepCopy() *NodeExporterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OpenMonitoringObservation) DeepCopyInto(out *OpenMonitoringObservation) {
 	*out = *in
+	if in.Prometheus != nil {
+		in, out := &in.Prometheus, &out.Prometheus
+		*out = make([]PrometheusObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OpenMonitoringObservation.
@@ -1131,6 +1425,20 @@ func (in *OpenMonitoringParameters) DeepCopy() *OpenMonitoringParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrometheusObservation) DeepCopyInto(out *PrometheusObservation) {
 	*out = *in
+	if in.JmxExporter != nil {
+		in, out := &in.JmxExporter, &out.JmxExporter
+		*out = make([]JmxExporterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NodeExporter != nil {
+		in, out := &in.NodeExporter, &out.NodeExporter
+		*out = make([]NodeExporterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrometheusObservation.
@@ -1175,6 +1483,16 @@ func (in *PrometheusParameters) DeepCopy() *PrometheusParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProvisionedThroughputObservation) DeepCopyInto(out *ProvisionedThroughputObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VolumeThroughput != nil {
+		in, out := &in.VolumeThroughput, &out.VolumeThroughput
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionedThroughputObservation.
@@ -1215,6 +1533,11 @@ func (in *ProvisionedThroughputParameters) DeepCopy() *ProvisionedThroughputPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublicAccessObservation) DeepCopyInto(out *PublicAccessObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicAccessObservation.
@@ -1250,6 +1573,21 @@ func (in *PublicAccessParameters) DeepCopy() *PublicAccessParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3Observation) DeepCopyInto(out *S3Observation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Observation.
@@ -1305,6 +1643,16 @@ func (in *S3Parameters) DeepCopy() *S3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SaslObservation) DeepCopyInto(out *SaslObservation) {
 	*out = *in
+	if in.IAM != nil {
+		in, out := &in.IAM, &out.IAM
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Scram != nil {
+		in, out := &in.Scram, &out.Scram
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SaslObservation.
@@ -1345,6 +1693,13 @@ func (in *SaslParameters) DeepCopy() *SaslParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageInfoObservation) DeepCopyInto(out *StorageInfoObservation) {
 	*out = *in
+	if in.EBSStorageInfo != nil {
+		in, out := &in.EBSStorageInfo, &out.EBSStorageInfo
+		*out = make([]EBSStorageInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageInfoObservation.
@@ -1382,6 +1737,17 @@ func (in *StorageInfoParameters) DeepCopy() *StorageInfoParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSObservation) DeepCopyInto(out *TLSObservation) {
 	*out = *in
+	if in.CertificateAuthorityArns != nil {
+		in, out := &in.CertificateAuthorityArns, &out.CertificateAuthorityArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSObservation.
diff --git a/apis/kendra/v1beta1/zz_datasource_types.go b/apis/kendra/v1beta1/zz_datasource_types.go
index cdcf61377c..7210b58d2a 100755
--- a/apis/kendra/v1beta1/zz_datasource_types.go
+++ b/apis/kendra/v1beta1/zz_datasource_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AccessControlListConfigurationObservation struct {
+
+	// Path to the AWS S3 bucket that contains the ACL files.
+	KeyPath *string `json:"keyPath,omitempty" tf:"key_path,omitempty"`
 }
 
 type AccessControlListConfigurationParameters struct {
@@ -24,6 +27,9 @@ type AccessControlListConfigurationParameters struct {
 }
 
 type AuthenticationConfigurationObservation struct {
+
+	// The list of configuration information that's required to connect to and crawl a website host using basic authentication credentials. The list includes the name and port number of the website host. Detailed below.
+	BasicAuthentication []BasicAuthenticationObservation `json:"basicAuthentication,omitempty" tf:"basic_authentication,omitempty"`
 }
 
 type AuthenticationConfigurationParameters struct {
@@ -34,6 +40,15 @@ type AuthenticationConfigurationParameters struct {
 }
 
 type BasicAuthenticationObservation struct {
+
+	// Your secret ARN, which you can create in AWS Secrets Manager. You use a secret if basic authentication credentials are required to connect to a website. The secret stores your credentials of user name and password.
+	Credentials *string `json:"credentials,omitempty" tf:"credentials,omitempty"`
+
+	// The name of the website host you want to connect to using authentication credentials. For example, the host name of https://a.example.com/page1.html is "a.example.com".
+	Host *string `json:"host,omitempty" tf:"host,omitempty"`
+
+	// The port number of the website host you want to connect to using authentication credentials. For example, the port for https://a.example.com/page1.html is 443, the standard port for HTTPS.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 }
 
 type BasicAuthenticationParameters struct {
@@ -62,9 +77,29 @@ type BasicAuthenticationParameters struct {
 }
 
 type ConditionObservation struct {
+
+	// The identifier of the document attribute used for the condition. For example, _source_uri could be an identifier for the attribute or metadata field that contains source URIs associated with the documents. Amazon Kendra currently does not support _document_body as an attribute key used for the condition.
+	ConditionDocumentAttributeKey *string `json:"conditionDocumentAttributeKey,omitempty" tf:"condition_document_attribute_key,omitempty"`
+
+	// The value used by the operator. For example, you can specify the value 'financial' for strings in the _source_uri field that partially match or contain this value. See Document Attribute Value.
+	ConditionOnValue []ConditionOnValueObservation `json:"conditionOnValue,omitempty" tf:"condition_on_value,omitempty"`
+
+	// The condition operator. For example, you can use Contains to partially match a string. Valid Values: GreaterThan | GreaterThanOrEquals | LessThan | LessThanOrEquals | Equals | NotEquals | Contains | NotContains | Exists | NotExists | BeginsWith.
+	Operator *string `json:"operator,omitempty" tf:"operator,omitempty"`
 }
 
 type ConditionOnValueObservation struct {
+
+	// A date expressed as an ISO 8601 string. It is important for the time zone to be included in the ISO 8601 date-time format. As of this writing only UTC is supported. For example, 2012-03-25T12:30:10+00:00.
+	DateValue *string `json:"dateValue,omitempty" tf:"date_value,omitempty"`
+
+	// A long integer value.
+	LongValue *float64 `json:"longValue,omitempty" tf:"long_value,omitempty"`
+
+	// A list of strings.
+	StringListValue []*string `json:"stringListValue,omitempty" tf:"string_list_value,omitempty"`
+
+	StringValue *string `json:"stringValue,omitempty" tf:"string_value,omitempty"`
 }
 
 type ConditionOnValueParameters struct {
@@ -101,6 +136,12 @@ type ConditionParameters struct {
 }
 
 type ConfigurationObservation struct {
+
+	// A block that provides the configuration information to connect to an Amazon S3 bucket as your data source. Detailed below.
+	S3Configuration []S3ConfigurationObservation `json:"s3Configuration,omitempty" tf:"s3_configuration,omitempty"`
+
+	// A block that provides the configuration information required for Amazon Kendra Web Crawler. Detailed below.
+	WebCrawlerConfiguration []WebCrawlerConfigurationObservation `json:"webCrawlerConfiguration,omitempty" tf:"web_crawler_configuration,omitempty"`
 }
 
 type ConfigurationParameters struct {
@@ -115,6 +156,18 @@ type ConfigurationParameters struct {
 }
 
 type CustomDocumentEnrichmentConfigurationObservation struct {
+
+	// Configuration information to alter document attributes or metadata fields and content when ingesting documents into Amazon Kendra. Minimum number of 0 items. Maximum number of 100 items. Detailed below.
+	InlineConfigurations []InlineConfigurationsObservation `json:"inlineConfigurations,omitempty" tf:"inline_configurations,omitempty"`
+
+	// A block that specifies the configuration information for invoking a Lambda function in AWS Lambda on the structured documents with their metadata and text extracted. You can use a Lambda function to apply advanced logic for creating, modifying, or deleting document metadata and content. For more information, see Advanced data manipulation. Detailed below.
+	PostExtractionHookConfiguration []PostExtractionHookConfigurationObservation `json:"postExtractionHookConfiguration,omitempty" tf:"post_extraction_hook_configuration,omitempty"`
+
+	// Configuration information for invoking a Lambda function in AWS Lambda on the original or raw documents before extracting their metadata and text. You can use a Lambda function to apply advanced logic for creating, modifying, or deleting document metadata and content. For more information, see Advanced data manipulation. Detailed below.
+	PreExtractionHookConfiguration []PreExtractionHookConfigurationObservation `json:"preExtractionHookConfiguration,omitempty" tf:"pre_extraction_hook_configuration,omitempty"`
+
+	// The Amazon Resource Name (ARN) of a role with permission to run pre_extraction_hook_configuration and post_extraction_hook_configuration for altering document metadata and content during the document ingestion process. For more information, see IAM roles for Amazon Kendra.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type CustomDocumentEnrichmentConfigurationParameters struct {
@@ -141,24 +194,54 @@ type DataSourceObservation struct {
 	// ARN of the Data Source.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A block with the configuration information to connect to your Data Source repository. You can't specify the configuration argument when the type parameter is set to CUSTOM. Detailed below.
+	Configuration []ConfigurationObservation `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
 	// The Unix timestamp of when the Data Source was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// A block with the configuration information for altering document metadata and content during the document ingestion process. For more information on how to create, modify and delete document metadata, or make other content alterations when you ingest documents into Amazon Kendra, see Customizing document metadata during the ingestion process. Detailed below.
+	CustomDocumentEnrichmentConfiguration []CustomDocumentEnrichmentConfigurationObservation `json:"customDocumentEnrichmentConfiguration,omitempty" tf:"custom_document_enrichment_configuration,omitempty"`
+
 	// The unique identifiers of the Data Source.
 	DataSourceID *string `json:"dataSourceId,omitempty" tf:"data_source_id,omitempty"`
 
+	// A description for the Data Source connector.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// When the Status field value is FAILED, the ErrorMessage field contains a description of the error that caused the Data Source to fail.
 	ErrorMessage *string `json:"errorMessage,omitempty" tf:"error_message,omitempty"`
 
 	// The unique identifiers of the Data Source and index separated by a slash (/).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The identifier of the index for your Amazon Kendra data_source.
+	IndexID *string `json:"indexId,omitempty" tf:"index_id,omitempty"`
+
+	// The code for a language. This allows you to support a language for all documents when creating the Data Source connector. English is supported by default. For more information on supported languages, including their codes, see Adding documents in languages other than English.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	// A name for your Data Source connector.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The Amazon Resource Name (ARN) of a role with permission to access the data source connector. For more information, see IAM roles for Amazon Kendra. You can't specify the role_arn parameter when the type parameter is set to CUSTOM. The role_arn parameter is required for all other data sources.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Sets the frequency for Amazon Kendra to check the documents in your Data Source repository and update the index. If you don't set a schedule Amazon Kendra will not periodically update the index. You can call the StartDataSourceSyncJob API to update the index.
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
 	// The current status of the Data Source. When the status is ACTIVE the Data Source is ready to use. When the status is FAILED, the error_message field contains the reason that the Data Source failed.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// The type of data source repository. For an updated list of values, refer to Valid Values for Type.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
 	// The Unix timestamp of when the Data Source was last updated.
 	UpdatedAt *string `json:"updatedAt,omitempty" tf:"updated_at,omitempty"`
 }
@@ -196,8 +279,8 @@ type DataSourceParameters struct {
 	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
 
 	// A name for your Data Source connector.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -227,11 +310,14 @@ type DataSourceParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The type of data source repository. For an updated list of values, refer to Valid Values for Type.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DocumentsMetadataConfigurationObservation struct {
+
+	// A prefix used to filter metadata configuration files in the AWS S3 bucket. The S3 bucket might contain multiple metadata files. Use s3_prefix to include only the desired metadata files.
+	S3Prefix *string `json:"s3Prefix,omitempty" tf:"s3_prefix,omitempty"`
 }
 
 type DocumentsMetadataConfigurationParameters struct {
@@ -242,6 +328,15 @@ type DocumentsMetadataConfigurationParameters struct {
 }
 
 type InlineConfigurationsObservation struct {
+
+	// Configuration of the condition used for the target document attribute or metadata field when ingesting documents into Amazon Kendra. See Document Attribute Condition.
+	Condition []ConditionObservation `json:"condition,omitempty" tf:"condition,omitempty"`
+
+	// TRUE to delete content if the condition used for the target attribute is met.
+	DocumentContentDeletion *bool `json:"documentContentDeletion,omitempty" tf:"document_content_deletion,omitempty"`
+
+	// Configuration of the target document attribute or metadata field when ingesting documents into Amazon Kendra. You can also include a value. Detailed below.
+	Target []TargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type InlineConfigurationsParameters struct {
@@ -260,6 +355,17 @@ type InlineConfigurationsParameters struct {
 }
 
 type InvocationConditionConditionOnValueObservation struct {
+
+	// A date expressed as an ISO 8601 string. It is important for the time zone to be included in the ISO 8601 date-time format. As of this writing only UTC is supported. For example, 2012-03-25T12:30:10+00:00.
+	DateValue *string `json:"dateValue,omitempty" tf:"date_value,omitempty"`
+
+	// A long integer value.
+	LongValue *float64 `json:"longValue,omitempty" tf:"long_value,omitempty"`
+
+	// A list of strings.
+	StringListValue []*string `json:"stringListValue,omitempty" tf:"string_list_value,omitempty"`
+
+	StringValue *string `json:"stringValue,omitempty" tf:"string_value,omitempty"`
 }
 
 type InvocationConditionConditionOnValueParameters struct {
@@ -281,6 +387,15 @@ type InvocationConditionConditionOnValueParameters struct {
 }
 
 type InvocationConditionObservation struct {
+
+	// The identifier of the document attribute used for the condition. For example, _source_uri could be an identifier for the attribute or metadata field that contains source URIs associated with the documents. Amazon Kendra currently does not support _document_body as an attribute key used for the condition.
+	ConditionDocumentAttributeKey *string `json:"conditionDocumentAttributeKey,omitempty" tf:"condition_document_attribute_key,omitempty"`
+
+	// The value used by the operator. For example, you can specify the value 'financial' for strings in the _source_uri field that partially match or contain this value. See Document Attribute Value.
+	ConditionOnValue []InvocationConditionConditionOnValueObservation `json:"conditionOnValue,omitempty" tf:"condition_on_value,omitempty"`
+
+	// The condition operator. For example, you can use Contains to partially match a string. Valid Values: GreaterThan | GreaterThanOrEquals | LessThan | LessThanOrEquals | Equals | NotEquals | Contains | NotContains | Exists | NotExists | BeginsWith.
+	Operator *string `json:"operator,omitempty" tf:"operator,omitempty"`
 }
 
 type InvocationConditionParameters struct {
@@ -299,6 +414,15 @@ type InvocationConditionParameters struct {
 }
 
 type PostExtractionHookConfigurationObservation struct {
+
+	// A block that specifies the condition used for when a Lambda function should be invoked. For example, you can specify a condition that if there are empty date-time values, then Amazon Kendra should invoke a function that inserts the current date-time. See Document Attribute Condition.
+	InvocationCondition []InvocationConditionObservation `json:"invocationCondition,omitempty" tf:"invocation_condition,omitempty"`
+
+	// The Amazon Resource Name (ARN) of a Lambda Function that can manipulate your document metadata fields or attributes and content.
+	LambdaArn *string `json:"lambdaArn,omitempty" tf:"lambda_arn,omitempty"`
+
+	// Stores the original, raw documents or the structured, parsed documents before and after altering them. For more information, see Data contracts for Lambda functions.
+	S3Bucket *string `json:"s3Bucket,omitempty" tf:"s3_bucket,omitempty"`
 }
 
 type PostExtractionHookConfigurationParameters struct {
@@ -317,6 +441,17 @@ type PostExtractionHookConfigurationParameters struct {
 }
 
 type PreExtractionHookConfigurationInvocationConditionConditionOnValueObservation struct {
+
+	// A date expressed as an ISO 8601 string. It is important for the time zone to be included in the ISO 8601 date-time format. As of this writing only UTC is supported. For example, 2012-03-25T12:30:10+00:00.
+	DateValue *string `json:"dateValue,omitempty" tf:"date_value,omitempty"`
+
+	// A long integer value.
+	LongValue *float64 `json:"longValue,omitempty" tf:"long_value,omitempty"`
+
+	// A list of strings.
+	StringListValue []*string `json:"stringListValue,omitempty" tf:"string_list_value,omitempty"`
+
+	StringValue *string `json:"stringValue,omitempty" tf:"string_value,omitempty"`
 }
 
 type PreExtractionHookConfigurationInvocationConditionConditionOnValueParameters struct {
@@ -338,6 +473,15 @@ type PreExtractionHookConfigurationInvocationConditionConditionOnValueParameters
 }
 
 type PreExtractionHookConfigurationInvocationConditionObservation struct {
+
+	// The identifier of the document attribute used for the condition. For example, _source_uri could be an identifier for the attribute or metadata field that contains source URIs associated with the documents. Amazon Kendra currently does not support _document_body as an attribute key used for the condition.
+	ConditionDocumentAttributeKey *string `json:"conditionDocumentAttributeKey,omitempty" tf:"condition_document_attribute_key,omitempty"`
+
+	// The value used by the operator. For example, you can specify the value 'financial' for strings in the _source_uri field that partially match or contain this value. See Document Attribute Value.
+	ConditionOnValue []PreExtractionHookConfigurationInvocationConditionConditionOnValueObservation `json:"conditionOnValue,omitempty" tf:"condition_on_value,omitempty"`
+
+	// The condition operator. For example, you can use Contains to partially match a string. Valid Values: GreaterThan | GreaterThanOrEquals | LessThan | LessThanOrEquals | Equals | NotEquals | Contains | NotContains | Exists | NotExists | BeginsWith.
+	Operator *string `json:"operator,omitempty" tf:"operator,omitempty"`
 }
 
 type PreExtractionHookConfigurationInvocationConditionParameters struct {
@@ -356,6 +500,15 @@ type PreExtractionHookConfigurationInvocationConditionParameters struct {
 }
 
 type PreExtractionHookConfigurationObservation struct {
+
+	// A block that specifies the condition used for when a Lambda function should be invoked. For example, you can specify a condition that if there are empty date-time values, then Amazon Kendra should invoke a function that inserts the current date-time. See Document Attribute Condition.
+	InvocationCondition []PreExtractionHookConfigurationInvocationConditionObservation `json:"invocationCondition,omitempty" tf:"invocation_condition,omitempty"`
+
+	// The Amazon Resource Name (ARN) of a Lambda Function that can manipulate your document metadata fields or attributes and content.
+	LambdaArn *string `json:"lambdaArn,omitempty" tf:"lambda_arn,omitempty"`
+
+	// Stores the original, raw documents or the structured, parsed documents before and after altering them. For more information, see Data contracts for Lambda functions.
+	S3Bucket *string `json:"s3Bucket,omitempty" tf:"s3_bucket,omitempty"`
 }
 
 type PreExtractionHookConfigurationParameters struct {
@@ -374,6 +527,15 @@ type PreExtractionHookConfigurationParameters struct {
 }
 
 type ProxyConfigurationObservation struct {
+
+	// Your secret ARN, which you can create in AWS Secrets Manager. You use a secret if basic authentication credentials are required to connect to a website. The secret stores your credentials of user name and password.
+	Credentials *string `json:"credentials,omitempty" tf:"credentials,omitempty"`
+
+	// The name of the website host you want to connect to using authentication credentials. For example, the host name of https://a.example.com/page1.html is "a.example.com".
+	Host *string `json:"host,omitempty" tf:"host,omitempty"`
+
+	// The port number of the website host you want to connect to using authentication credentials. For example, the port for https://a.example.com/page1.html is 443, the standard port for HTTPS.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 }
 
 type ProxyConfigurationParameters struct {
@@ -402,6 +564,24 @@ type ProxyConfigurationParameters struct {
 }
 
 type S3ConfigurationObservation struct {
+
+	// A block that provides the path to the S3 bucket that contains the user context filtering files for the data source. For the format of the file, see Access control for S3 data sources. Detailed below.
+	AccessControlListConfiguration []AccessControlListConfigurationObservation `json:"accessControlListConfiguration,omitempty" tf:"access_control_list_configuration,omitempty"`
+
+	// The name of the bucket that contains the documents.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// A block that defines the Ddcument metadata files that contain information such as the document access control information, source URI, document author, and custom attributes. Each metadata file contains metadata about a single document. Detailed below.
+	DocumentsMetadataConfiguration []DocumentsMetadataConfigurationObservation `json:"documentsMetadataConfiguration,omitempty" tf:"documents_metadata_configuration,omitempty"`
+
+	// A list of glob patterns for documents that should not be indexed. If a document that matches an inclusion prefix or inclusion pattern also matches an exclusion pattern, the document is not indexed. Refer to Exclusion Patterns for more examples.
+	ExclusionPatterns []*string `json:"exclusionPatterns,omitempty" tf:"exclusion_patterns,omitempty"`
+
+	// A list of glob patterns for documents that should be indexed. If a document that matches an inclusion pattern also matches an exclusion pattern, the document is not indexed. Refer to Inclusion Patterns for more examples.
+	InclusionPatterns []*string `json:"inclusionPatterns,omitempty" tf:"inclusion_patterns,omitempty"`
+
+	// A list of S3 prefixes for the documents that should be included in the index.
+	InclusionPrefixes []*string `json:"inclusionPrefixes,omitempty" tf:"inclusion_prefixes,omitempty"`
 }
 
 type S3ConfigurationParameters struct {
@@ -442,6 +622,12 @@ type S3ConfigurationParameters struct {
 }
 
 type SeedURLConfigurationObservation struct {
+
+	// The list of seed or starting point URLs of the websites you want to crawl. The list can include a maximum of 100 seed URLs. Array Members: Minimum number of 0 items. Maximum number of 100 items. Length Constraints: Minimum length of 1. Maximum length of 2048.
+	SeedUrls []*string `json:"seedUrls,omitempty" tf:"seed_urls,omitempty"`
+
+	// The default mode is set to HOST_ONLY. You can choose one of the following modes:
+	WebCrawlerMode *string `json:"webCrawlerMode,omitempty" tf:"web_crawler_mode,omitempty"`
 }
 
 type SeedURLConfigurationParameters struct {
@@ -456,6 +642,9 @@ type SeedURLConfigurationParameters struct {
 }
 
 type SiteMapsConfigurationObservation struct {
+
+	// The list of sitemap URLs of the websites you want to crawl. The list can include a maximum of 3 sitemap URLs.
+	SiteMaps []*string `json:"siteMaps,omitempty" tf:"site_maps,omitempty"`
 }
 
 type SiteMapsConfigurationParameters struct {
@@ -466,6 +655,17 @@ type SiteMapsConfigurationParameters struct {
 }
 
 type TargetDocumentAttributeValueObservation struct {
+
+	// A date expressed as an ISO 8601 string. It is important for the time zone to be included in the ISO 8601 date-time format. As of this writing only UTC is supported. For example, 2012-03-25T12:30:10+00:00.
+	DateValue *string `json:"dateValue,omitempty" tf:"date_value,omitempty"`
+
+	// A long integer value.
+	LongValue *float64 `json:"longValue,omitempty" tf:"long_value,omitempty"`
+
+	// A list of strings.
+	StringListValue []*string `json:"stringListValue,omitempty" tf:"string_list_value,omitempty"`
+
+	StringValue *string `json:"stringValue,omitempty" tf:"string_value,omitempty"`
 }
 
 type TargetDocumentAttributeValueParameters struct {
@@ -487,6 +687,16 @@ type TargetDocumentAttributeValueParameters struct {
 }
 
 type TargetObservation struct {
+
+	// The identifier of the target document attribute or metadata field. For example, 'Department' could be an identifier for the target attribute or metadata field that includes the department names associated with the documents.
+	TargetDocumentAttributeKey *string `json:"targetDocumentAttributeKey,omitempty" tf:"target_document_attribute_key,omitempty"`
+
+	// The target value you want to create for the target attribute. For example, 'Finance' could be the target value for the target attribute key 'Department'.
+	// See Document Attribute Value.
+	TargetDocumentAttributeValue []TargetDocumentAttributeValueObservation `json:"targetDocumentAttributeValue,omitempty" tf:"target_document_attribute_value,omitempty"`
+
+	// TRUE to delete the existing target value for your specified target attribute key. You cannot create a target value and set this to TRUE. To create a target value (TargetDocumentAttributeValue), set this to FALSE.
+	TargetDocumentAttributeValueDeletion *bool `json:"targetDocumentAttributeValueDeletion,omitempty" tf:"target_document_attribute_value_deletion,omitempty"`
 }
 
 type TargetParameters struct {
@@ -506,6 +716,12 @@ type TargetParameters struct {
 }
 
 type UrlsObservation struct {
+
+	// A block that specifies the configuration of the seed or starting point URLs of the websites you want to crawl. You can choose to crawl only the website host names, or the website host names with subdomains, or the website host names with subdomains and other domains that the webpages link to. You can list up to 100 seed URLs. Detailed below.
+	SeedURLConfiguration []SeedURLConfigurationObservation `json:"seedUrlConfiguration,omitempty" tf:"seed_url_configuration,omitempty"`
+
+	// A block that specifies the configuration of the sitemap URLs of the websites you want to crawl. Only URLs belonging to the same website host names are crawled. You can list up to 3 sitemap URLs. Detailed below.
+	SiteMapsConfiguration []SiteMapsConfigurationObservation `json:"siteMapsConfiguration,omitempty" tf:"site_maps_configuration,omitempty"`
 }
 
 type UrlsParameters struct {
@@ -520,6 +736,33 @@ type UrlsParameters struct {
 }
 
 type WebCrawlerConfigurationObservation struct {
+
+	// A block with the configuration information required to connect to websites using authentication. You can connect to websites using basic authentication of user name and password. You use a secret in AWS Secrets Manager to store your authentication credentials. You must provide the website host name and port number. For example, the host name of https://a.example.com/page1.html is "a.example.com" and the port is 443, the standard port for HTTPS. Detailed below.
+	AuthenticationConfiguration []AuthenticationConfigurationObservation `json:"authenticationConfiguration,omitempty" tf:"authentication_configuration,omitempty"`
+
+	// Specifies the number of levels in a website that you want to crawl. The first level begins from the website seed or starting point URL. For example, if a website has 3 levels – index level (i.e. seed in this example), sections level, and subsections level – and you are only interested in crawling information up to the sections level (i.e. levels 0-1), you can set your depth to 1. The default crawl depth is set to 2. Minimum value of 0. Maximum value of 10.
+	CrawlDepth *float64 `json:"crawlDepth,omitempty" tf:"crawl_depth,omitempty"`
+
+	// The maximum size (in MB) of a webpage or attachment to crawl. Files larger than this size (in MB) are skipped/not crawled. The default maximum size of a webpage or attachment is set to 50 MB. Minimum value of 1.0e-06. Maximum value of 50.
+	MaxContentSizePerPageInMegaBytes *float64 `json:"maxContentSizePerPageInMegaBytes,omitempty" tf:"max_content_size_per_page_in_mega_bytes,omitempty"`
+
+	// The maximum number of URLs on a webpage to include when crawling a website. This number is per webpage. As a website’s webpages are crawled, any URLs the webpages link to are also crawled. URLs on a webpage are crawled in order of appearance. The default maximum links per page is 100. Minimum value of 1. Maximum value of 1000.
+	MaxLinksPerPage *float64 `json:"maxLinksPerPage,omitempty" tf:"max_links_per_page,omitempty"`
+
+	// The maximum number of URLs crawled per website host per minute. The default maximum number of URLs crawled per website host per minute is 300. Minimum value of 1. Maximum value of 300.
+	MaxUrlsPerMinuteCrawlRate *float64 `json:"maxUrlsPerMinuteCrawlRate,omitempty" tf:"max_urls_per_minute_crawl_rate,omitempty"`
+
+	// Configuration information required to connect to your internal websites via a web proxy. You must provide the website host name and port number. For example, the host name of https://a.example.com/page1.html is "a.example.com" and the port is 443, the standard port for HTTPS. Web proxy credentials are optional and you can use them to connect to a web proxy server that requires basic authentication. To store web proxy credentials, you use a secret in AWS Secrets Manager. Detailed below.
+	ProxyConfiguration []ProxyConfigurationObservation `json:"proxyConfiguration,omitempty" tf:"proxy_configuration,omitempty"`
+
+	// A list of regular expression patterns to exclude certain URLs to crawl. URLs that match the patterns are excluded from the index. URLs that don't match the patterns are included in the index. If a URL matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence and the URL file isn't included in the index. Array Members: Minimum number of 0 items. Maximum number of 100 items. Length Constraints: Minimum length of 1. Maximum length of 150.
+	URLExclusionPatterns []*string `json:"urlExclusionPatterns,omitempty" tf:"url_exclusion_patterns,omitempty"`
+
+	// A list of regular expression patterns to include certain URLs to crawl. URLs that match the patterns are included in the index. URLs that don't match the patterns are excluded from the index. If a URL matches both an inclusion and exclusion pattern, the exclusion pattern takes precedence and the URL file isn't included in the index. Array Members: Minimum number of 0 items. Maximum number of 100 items. Length Constraints: Minimum length of 1. Maximum length of 150.
+	URLInclusionPatterns []*string `json:"urlInclusionPatterns,omitempty" tf:"url_inclusion_patterns,omitempty"`
+
+	// A block that specifies the seed or starting point URLs of the websites or the sitemap URLs of the websites you want to crawl. You can include website subdomains. You can list up to 100 seed URLs and up to 3 sitemap URLs. You can only crawl websites that use the secure communication protocol, Hypertext Transfer Protocol Secure (HTTPS). If you receive an error when crawling a website, it could be that the website is blocked from crawling. When selecting websites to index, you must adhere to the Amazon Acceptable Use Policy and all other Amazon terms. Remember that you must only use Amazon Kendra Web Crawler to index your own webpages, or webpages that you have authorization to index. Detailed below.
+	Urls []UrlsObservation `json:"urls,omitempty" tf:"urls,omitempty"`
 }
 
 type WebCrawlerConfigurationParameters struct {
@@ -585,8 +828,10 @@ type DataSourceStatus struct {
 type DataSource struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DataSourceSpec   `json:"spec"`
-	Status            DataSourceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   DataSourceSpec   `json:"spec"`
+	Status DataSourceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kendra/v1beta1/zz_experience_types.go b/apis/kendra/v1beta1/zz_experience_types.go
index 43fd403131..44cbc47ce6 100755
--- a/apis/kendra/v1beta1/zz_experience_types.go
+++ b/apis/kendra/v1beta1/zz_experience_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type ContentSourceConfigurationObservation struct {
+
+	// The identifiers of the data sources you want to use for your Amazon Kendra experience. Maximum number of 100 items.
+	DataSourceIds []*string `json:"dataSourceIds,omitempty" tf:"data_source_ids,omitempty"`
+
+	// Whether to use documents you indexed directly using the BatchPutDocument API. Defaults to false.
+	DirectPutContent *bool `json:"directPutContent,omitempty" tf:"direct_put_content,omitempty"`
+
+	// The identifier of the FAQs that you want to use for your Amazon Kendra experience. Maximum number of 100 items.
+	FaqIds []*string `json:"faqIds,omitempty" tf:"faq_ids,omitempty"`
 }
 
 type ContentSourceConfigurationParameters struct {
@@ -44,6 +53,12 @@ type EndpointsParameters struct {
 }
 
 type ExperienceConfigurationObservation struct {
+
+	// The identifiers of your data sources and FAQs. Or, you can specify that you want to use documents indexed via the BatchPutDocument API. Detailed below.
+	ContentSourceConfiguration []ContentSourceConfigurationObservation `json:"contentSourceConfiguration,omitempty" tf:"content_source_configuration,omitempty"`
+
+	// The AWS SSO field name that contains the identifiers of your users, such as their emails. Detailed below.
+	UserIdentityConfiguration []UserIdentityConfigurationObservation `json:"userIdentityConfiguration,omitempty" tf:"user_identity_configuration,omitempty"`
 }
 
 type ExperienceConfigurationParameters struct {
@@ -62,6 +77,12 @@ type ExperienceObservation struct {
 	// ARN of the Experience.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration information for your Amazon Kendra experience. Detailed below.
+	Configuration []ExperienceConfigurationObservation `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// A description for your Amazon Kendra experience.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Shows the endpoint URLs for your Amazon Kendra experiences. The URLs are unique and fully hosted by AWS.
 	Endpoints []EndpointsObservation `json:"endpoints,omitempty" tf:"endpoints,omitempty"`
 
@@ -71,6 +92,15 @@ type ExperienceObservation struct {
 	// The unique identifiers of the experience and index separated by a slash (/).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The identifier of the index for your Amazon Kendra experience.
+	IndexID *string `json:"indexId,omitempty" tf:"index_id,omitempty"`
+
+	// A name for your Amazon Kendra experience.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The Amazon Resource Name (ARN) of a role with permission to access Query API, QuerySuggestions API, SubmitFeedback API, and AWS SSO that stores your user and group information. For more information, see IAM roles for Amazon Kendra.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
 	// The current processing status of your Amazon Kendra experience.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -100,8 +130,8 @@ type ExperienceParameters struct {
 	IndexIDSelector *v1.Selector `json:"indexIdSelector,omitempty" tf:"-"`
 
 	// A name for your Amazon Kendra experience.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -124,6 +154,9 @@ type ExperienceParameters struct {
 }
 
 type UserIdentityConfigurationObservation struct {
+
+	// The AWS SSO field name that contains the identifiers of your users, such as their emails.
+	IdentityAttributeName *string `json:"identityAttributeName,omitempty" tf:"identity_attribute_name,omitempty"`
 }
 
 type UserIdentityConfigurationParameters struct {
@@ -157,8 +190,9 @@ type ExperienceStatus struct {
 type Experience struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ExperienceSpec   `json:"spec"`
-	Status            ExperienceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ExperienceSpec   `json:"spec"`
+	Status ExperienceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kendra/v1beta1/zz_generated.deepcopy.go b/apis/kendra/v1beta1/zz_generated.deepcopy.go
index e92d45d026..a4890d68ae 100644
--- a/apis/kendra/v1beta1/zz_generated.deepcopy.go
+++ b/apis/kendra/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessControlListConfigurationObservation) DeepCopyInto(out *AccessControlListConfigurationObservation) {
 	*out = *in
+	if in.KeyPath != nil {
+		in, out := &in.KeyPath, &out.KeyPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlListConfigurationObservation.
@@ -52,6 +57,13 @@ func (in *AccessControlListConfigurationParameters) DeepCopy() *AccessControlLis
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthenticationConfigurationObservation) DeepCopyInto(out *AuthenticationConfigurationObservation) {
 	*out = *in
+	if in.BasicAuthentication != nil {
+		in, out := &in.BasicAuthentication, &out.BasicAuthentication
+		*out = make([]BasicAuthenticationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthenticationConfigurationObservation.
@@ -89,6 +101,21 @@ func (in *AuthenticationConfigurationParameters) DeepCopy() *AuthenticationConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BasicAuthenticationObservation) DeepCopyInto(out *BasicAuthenticationObservation) {
 	*out = *in
+	if in.Credentials != nil {
+		in, out := &in.Credentials, &out.Credentials
+		*out = new(string)
+		**out = **in
+	}
+	if in.Host != nil {
+		in, out := &in.Host, &out.Host
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BasicAuthenticationObservation.
@@ -144,6 +171,16 @@ func (in *BasicAuthenticationParameters) DeepCopy() *BasicAuthenticationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityUnitsObservation) DeepCopyInto(out *CapacityUnitsObservation) {
 	*out = *in
+	if in.QueryCapacityUnits != nil {
+		in, out := &in.QueryCapacityUnits, &out.QueryCapacityUnits
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageCapacityUnits != nil {
+		in, out := &in.StorageCapacityUnits, &out.StorageCapacityUnits
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityUnitsObservation.
@@ -184,6 +221,23 @@ func (in *CapacityUnitsParameters) DeepCopy() *CapacityUnitsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionObservation) DeepCopyInto(out *ConditionObservation) {
 	*out = *in
+	if in.ConditionDocumentAttributeKey != nil {
+		in, out := &in.ConditionDocumentAttributeKey, &out.ConditionDocumentAttributeKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConditionOnValue != nil {
+		in, out := &in.ConditionOnValue, &out.ConditionOnValue
+		*out = make([]ConditionOnValueObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Operator != nil {
+		in, out := &in.Operator, &out.Operator
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionObservation.
@@ -199,6 +253,32 @@ func (in *ConditionObservation) DeepCopy() *ConditionObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionOnValueObservation) DeepCopyInto(out *ConditionOnValueObservation) {
 	*out = *in
+	if in.DateValue != nil {
+		in, out := &in.DateValue, &out.DateValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.LongValue != nil {
+		in, out := &in.LongValue, &out.LongValue
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StringListValue != nil {
+		in, out := &in.StringListValue, &out.StringListValue
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StringValue != nil {
+		in, out := &in.StringValue, &out.StringValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionOnValueObservation.
@@ -287,6 +367,20 @@ func (in *ConditionParameters) DeepCopy() *ConditionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation) {
 	*out = *in
+	if in.S3Configuration != nil {
+		in, out := &in.S3Configuration, &out.S3Configuration
+		*out = make([]S3ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WebCrawlerConfiguration != nil {
+		in, out := &in.WebCrawlerConfiguration, &out.WebCrawlerConfiguration
+		*out = make([]WebCrawlerConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationObservation.
@@ -331,6 +425,33 @@ func (in *ConfigurationParameters) DeepCopy() *ConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentSourceConfigurationObservation) DeepCopyInto(out *ContentSourceConfigurationObservation) {
 	*out = *in
+	if in.DataSourceIds != nil {
+		in, out := &in.DataSourceIds, &out.DataSourceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DirectPutContent != nil {
+		in, out := &in.DirectPutContent, &out.DirectPutContent
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FaqIds != nil {
+		in, out := &in.FaqIds, &out.FaqIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentSourceConfigurationObservation.
@@ -388,6 +509,32 @@ func (in *ContentSourceConfigurationParameters) DeepCopy() *ContentSourceConfigu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomDocumentEnrichmentConfigurationObservation) DeepCopyInto(out *CustomDocumentEnrichmentConfigurationObservation) {
 	*out = *in
+	if in.InlineConfigurations != nil {
+		in, out := &in.InlineConfigurations, &out.InlineConfigurations
+		*out = make([]InlineConfigurationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PostExtractionHookConfiguration != nil {
+		in, out := &in.PostExtractionHookConfiguration, &out.PostExtractionHookConfiguration
+		*out = make([]PostExtractionHookConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PreExtractionHookConfiguration != nil {
+		in, out := &in.PreExtractionHookConfiguration, &out.PreExtractionHookConfiguration
+		*out = make([]PreExtractionHookConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomDocumentEnrichmentConfigurationObservation.
@@ -508,16 +655,35 @@ func (in *DataSourceObservation) DeepCopyInto(out *DataSourceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make([]ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.CreatedAt != nil {
 		in, out := &in.CreatedAt, &out.CreatedAt
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomDocumentEnrichmentConfiguration != nil {
+		in, out := &in.CustomDocumentEnrichmentConfiguration, &out.CustomDocumentEnrichmentConfiguration
+		*out = make([]CustomDocumentEnrichmentConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DataSourceID != nil {
 		in, out := &in.DataSourceID, &out.DataSourceID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ErrorMessage != nil {
 		in, out := &in.ErrorMessage, &out.ErrorMessage
 		*out = new(string)
@@ -528,11 +694,51 @@ func (in *DataSourceObservation) DeepCopyInto(out *DataSourceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IndexID != nil {
+		in, out := &in.IndexID, &out.IndexID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -548,6 +754,11 @@ func (in *DataSourceObservation) DeepCopyInto(out *DataSourceObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 	if in.UpdatedAt != nil {
 		in, out := &in.UpdatedAt, &out.UpdatedAt
 		*out = new(string)
@@ -706,6 +917,30 @@ func (in *DataSourceStatus) DeepCopy() *DataSourceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DocumentMetadataConfigurationUpdatesObservation) DeepCopyInto(out *DocumentMetadataConfigurationUpdatesObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Relevance != nil {
+		in, out := &in.Relevance, &out.Relevance
+		*out = make([]RelevanceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Search != nil {
+		in, out := &in.Search, &out.Search
+		*out = make([]SearchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DocumentMetadataConfigurationUpdatesObservation.
@@ -760,6 +995,11 @@ func (in *DocumentMetadataConfigurationUpdatesParameters) DeepCopy() *DocumentMe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DocumentsMetadataConfigurationObservation) DeepCopyInto(out *DocumentsMetadataConfigurationObservation) {
 	*out = *in
+	if in.S3Prefix != nil {
+		in, out := &in.S3Prefix, &out.S3Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DocumentsMetadataConfigurationObservation.
@@ -862,6 +1102,20 @@ func (in *Experience) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExperienceConfigurationObservation) DeepCopyInto(out *ExperienceConfigurationObservation) {
 	*out = *in
+	if in.ContentSourceConfiguration != nil {
+		in, out := &in.ContentSourceConfiguration, &out.ContentSourceConfiguration
+		*out = make([]ContentSourceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UserIdentityConfiguration != nil {
+		in, out := &in.UserIdentityConfiguration, &out.UserIdentityConfiguration
+		*out = make([]UserIdentityConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExperienceConfigurationObservation.
@@ -943,6 +1197,18 @@ func (in *ExperienceObservation) DeepCopyInto(out *ExperienceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make([]ExperienceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoints != nil {
 		in, out := &in.Endpoints, &out.Endpoints
 		*out = make([]EndpointsObservation, len(*in))
@@ -960,8 +1226,23 @@ func (in *ExperienceObservation) DeepCopyInto(out *ExperienceObservation) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.Status != nil {
-		in, out := &in.Status, &out.Status
+	if in.IndexID != nil {
+		in, out := &in.IndexID, &out.IndexID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
@@ -1180,11 +1461,35 @@ func (in *IndexObservation) DeepCopyInto(out *IndexObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CapacityUnits != nil {
+		in, out := &in.CapacityUnits, &out.CapacityUnits
+		*out = make([]CapacityUnitsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.CreatedAt != nil {
 		in, out := &in.CreatedAt, &out.CreatedAt
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentMetadataConfigurationUpdates != nil {
+		in, out := &in.DocumentMetadataConfigurationUpdates, &out.DocumentMetadataConfigurationUpdates
+		*out = make([]DocumentMetadataConfigurationUpdatesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Edition != nil {
+		in, out := &in.Edition, &out.Edition
+		*out = new(string)
+		**out = **in
+	}
 	if in.ErrorMessage != nil {
 		in, out := &in.ErrorMessage, &out.ErrorMessage
 		*out = new(string)
@@ -1202,11 +1507,43 @@ func (in *IndexObservation) DeepCopyInto(out *IndexObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerSideEncryptionConfiguration != nil {
+		in, out := &in.ServerSideEncryptionConfiguration, &out.ServerSideEncryptionConfiguration
+		*out = make([]ServerSideEncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1227,6 +1564,25 @@ func (in *IndexObservation) DeepCopyInto(out *IndexObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.UserContextPolicy != nil {
+		in, out := &in.UserContextPolicy, &out.UserContextPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserGroupResolutionConfiguration != nil {
+		in, out := &in.UserGroupResolutionConfiguration, &out.UserGroupResolutionConfiguration
+		*out = make([]UserGroupResolutionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UserTokenConfigurations != nil {
+		in, out := &in.UserTokenConfigurations, &out.UserTokenConfigurations
+		*out = make([]UserTokenConfigurationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IndexObservation.
@@ -1425,6 +1781,25 @@ func (in *IndexStatus) DeepCopy() *IndexStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InlineConfigurationsObservation) DeepCopyInto(out *InlineConfigurationsObservation) {
 	*out = *in
+	if in.Condition != nil {
+		in, out := &in.Condition, &out.Condition
+		*out = make([]ConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DocumentContentDeletion != nil {
+		in, out := &in.DocumentContentDeletion, &out.DocumentContentDeletion
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]TargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InlineConfigurationsObservation.
@@ -1474,6 +1849,32 @@ func (in *InlineConfigurationsParameters) DeepCopy() *InlineConfigurationsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InvocationConditionConditionOnValueObservation) DeepCopyInto(out *InvocationConditionConditionOnValueObservation) {
 	*out = *in
+	if in.DateValue != nil {
+		in, out := &in.DateValue, &out.DateValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.LongValue != nil {
+		in, out := &in.LongValue, &out.LongValue
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StringListValue != nil {
+		in, out := &in.StringListValue, &out.StringListValue
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StringValue != nil {
+		in, out := &in.StringValue, &out.StringValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InvocationConditionConditionOnValueObservation.
@@ -1530,6 +1931,23 @@ func (in *InvocationConditionConditionOnValueParameters) DeepCopy() *InvocationC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InvocationConditionObservation) DeepCopyInto(out *InvocationConditionObservation) {
 	*out = *in
+	if in.ConditionDocumentAttributeKey != nil {
+		in, out := &in.ConditionDocumentAttributeKey, &out.ConditionDocumentAttributeKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConditionOnValue != nil {
+		in, out := &in.ConditionOnValue, &out.ConditionOnValue
+		*out = make([]InvocationConditionConditionOnValueObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Operator != nil {
+		in, out := &in.Operator, &out.Operator
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InvocationConditionObservation.
@@ -1577,6 +1995,16 @@ func (in *InvocationConditionParameters) DeepCopy() *InvocationConditionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JSONTokenTypeConfigurationObservation) DeepCopyInto(out *JSONTokenTypeConfigurationObservation) {
 	*out = *in
+	if in.GroupAttributeField != nil {
+		in, out := &in.GroupAttributeField, &out.GroupAttributeField
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserNameAttributeField != nil {
+		in, out := &in.UserNameAttributeField, &out.UserNameAttributeField
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JSONTokenTypeConfigurationObservation.
@@ -1617,6 +2045,41 @@ func (in *JSONTokenTypeConfigurationParameters) DeepCopy() *JSONTokenTypeConfigu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JwtTokenTypeConfigurationObservation) DeepCopyInto(out *JwtTokenTypeConfigurationObservation) {
 	*out = *in
+	if in.ClaimRegex != nil {
+		in, out := &in.ClaimRegex, &out.ClaimRegex
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupAttributeField != nil {
+		in, out := &in.GroupAttributeField, &out.GroupAttributeField
+		*out = new(string)
+		**out = **in
+	}
+	if in.Issuer != nil {
+		in, out := &in.Issuer, &out.Issuer
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyLocation != nil {
+		in, out := &in.KeyLocation, &out.KeyLocation
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecretsManagerArn != nil {
+		in, out := &in.SecretsManagerArn, &out.SecretsManagerArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserNameAttributeField != nil {
+		in, out := &in.UserNameAttributeField, &out.UserNameAttributeField
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JwtTokenTypeConfigurationObservation.
@@ -1682,6 +2145,23 @@ func (in *JwtTokenTypeConfigurationParameters) DeepCopy() *JwtTokenTypeConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PostExtractionHookConfigurationObservation) DeepCopyInto(out *PostExtractionHookConfigurationObservation) {
 	*out = *in
+	if in.InvocationCondition != nil {
+		in, out := &in.InvocationCondition, &out.InvocationCondition
+		*out = make([]InvocationConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LambdaArn != nil {
+		in, out := &in.LambdaArn, &out.LambdaArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Bucket != nil {
+		in, out := &in.S3Bucket, &out.S3Bucket
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostExtractionHookConfigurationObservation.
@@ -1729,6 +2209,32 @@ func (in *PostExtractionHookConfigurationParameters) DeepCopy() *PostExtractionH
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PreExtractionHookConfigurationInvocationConditionConditionOnValueObservation) DeepCopyInto(out *PreExtractionHookConfigurationInvocationConditionConditionOnValueObservation) {
 	*out = *in
+	if in.DateValue != nil {
+		in, out := &in.DateValue, &out.DateValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.LongValue != nil {
+		in, out := &in.LongValue, &out.LongValue
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StringListValue != nil {
+		in, out := &in.StringListValue, &out.StringListValue
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StringValue != nil {
+		in, out := &in.StringValue, &out.StringValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreExtractionHookConfigurationInvocationConditionConditionOnValueObservation.
@@ -1785,6 +2291,23 @@ func (in *PreExtractionHookConfigurationInvocationConditionConditionOnValueParam
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PreExtractionHookConfigurationInvocationConditionObservation) DeepCopyInto(out *PreExtractionHookConfigurationInvocationConditionObservation) {
 	*out = *in
+	if in.ConditionDocumentAttributeKey != nil {
+		in, out := &in.ConditionDocumentAttributeKey, &out.ConditionDocumentAttributeKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConditionOnValue != nil {
+		in, out := &in.ConditionOnValue, &out.ConditionOnValue
+		*out = make([]PreExtractionHookConfigurationInvocationConditionConditionOnValueObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Operator != nil {
+		in, out := &in.Operator, &out.Operator
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreExtractionHookConfigurationInvocationConditionObservation.
@@ -1832,6 +2355,23 @@ func (in *PreExtractionHookConfigurationInvocationConditionParameters) DeepCopy(
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PreExtractionHookConfigurationObservation) DeepCopyInto(out *PreExtractionHookConfigurationObservation) {
 	*out = *in
+	if in.InvocationCondition != nil {
+		in, out := &in.InvocationCondition, &out.InvocationCondition
+		*out = make([]PreExtractionHookConfigurationInvocationConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LambdaArn != nil {
+		in, out := &in.LambdaArn, &out.LambdaArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Bucket != nil {
+		in, out := &in.S3Bucket, &out.S3Bucket
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PreExtractionHookConfigurationObservation.
@@ -1879,6 +2419,21 @@ func (in *PreExtractionHookConfigurationParameters) DeepCopy() *PreExtractionHoo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyConfigurationObservation) DeepCopyInto(out *ProxyConfigurationObservation) {
 	*out = *in
+	if in.Credentials != nil {
+		in, out := &in.Credentials, &out.Credentials
+		*out = new(string)
+		**out = **in
+	}
+	if in.Host != nil {
+		in, out := &in.Host, &out.Host
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyConfigurationObservation.
@@ -1998,21 +2553,63 @@ func (in *QuerySuggestionsBlockListObservation) DeepCopyInto(out *QuerySuggestio
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IndexID != nil {
+		in, out := &in.IndexID, &out.IndexID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.QuerySuggestionsBlockListID != nil {
 		in, out := &in.QuerySuggestionsBlockListID, &out.QuerySuggestionsBlockListID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceS3Path != nil {
+		in, out := &in.SourceS3Path, &out.SourceS3Path
+		*out = make([]SourceS3PathObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2159,6 +2756,41 @@ func (in *QuerySuggestionsBlockListStatus) DeepCopy() *QuerySuggestionsBlockList
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RelevanceObservation) DeepCopyInto(out *RelevanceObservation) {
 	*out = *in
+	if in.Duration != nil {
+		in, out := &in.Duration, &out.Duration
+		*out = new(string)
+		**out = **in
+	}
+	if in.Freshness != nil {
+		in, out := &in.Freshness, &out.Freshness
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Importance != nil {
+		in, out := &in.Importance, &out.Importance
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RankOrder != nil {
+		in, out := &in.RankOrder, &out.RankOrder
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValuesImportanceMap != nil {
+		in, out := &in.ValuesImportanceMap, &out.ValuesImportanceMap
+		*out = make(map[string]*float64, len(*in))
+		for key, val := range *in {
+			var outVal *float64
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(float64)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RelevanceObservation.
@@ -2224,6 +2856,58 @@ func (in *RelevanceParameters) DeepCopy() *RelevanceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ConfigurationObservation) DeepCopyInto(out *S3ConfigurationObservation) {
 	*out = *in
+	if in.AccessControlListConfiguration != nil {
+		in, out := &in.AccessControlListConfiguration, &out.AccessControlListConfiguration
+		*out = make([]AccessControlListConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentsMetadataConfiguration != nil {
+		in, out := &in.DocumentsMetadataConfiguration, &out.DocumentsMetadataConfiguration
+		*out = make([]DocumentsMetadataConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExclusionPatterns != nil {
+		in, out := &in.ExclusionPatterns, &out.ExclusionPatterns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InclusionPatterns != nil {
+		in, out := &in.InclusionPatterns, &out.InclusionPatterns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.InclusionPrefixes != nil {
+		in, out := &in.InclusionPrefixes, &out.InclusionPrefixes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ConfigurationObservation.
@@ -2316,6 +3000,26 @@ func (in *S3ConfigurationParameters) DeepCopy() *S3ConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SearchObservation) DeepCopyInto(out *SearchObservation) {
 	*out = *in
+	if in.Displayable != nil {
+		in, out := &in.Displayable, &out.Displayable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Facetable != nil {
+		in, out := &in.Facetable, &out.Facetable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Searchable != nil {
+		in, out := &in.Searchable, &out.Searchable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Sortable != nil {
+		in, out := &in.Sortable, &out.Sortable
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SearchObservation.
@@ -2366,6 +3070,22 @@ func (in *SearchParameters) DeepCopy() *SearchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SeedURLConfigurationObservation) DeepCopyInto(out *SeedURLConfigurationObservation) {
 	*out = *in
+	if in.SeedUrls != nil {
+		in, out := &in.SeedUrls, &out.SeedUrls
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.WebCrawlerMode != nil {
+		in, out := &in.WebCrawlerMode, &out.WebCrawlerMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SeedURLConfigurationObservation.
@@ -2412,6 +3132,11 @@ func (in *SeedURLConfigurationParameters) DeepCopy() *SeedURLConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerSideEncryptionConfigurationObservation) DeepCopyInto(out *ServerSideEncryptionConfigurationObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerSideEncryptionConfigurationObservation.
@@ -2447,6 +3172,17 @@ func (in *ServerSideEncryptionConfigurationParameters) DeepCopy() *ServerSideEnc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SiteMapsConfigurationObservation) DeepCopyInto(out *SiteMapsConfigurationObservation) {
 	*out = *in
+	if in.SiteMaps != nil {
+		in, out := &in.SiteMaps, &out.SiteMaps
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SiteMapsConfigurationObservation.
@@ -2488,6 +3224,16 @@ func (in *SiteMapsConfigurationParameters) DeepCopy() *SiteMapsConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceS3PathObservation) DeepCopyInto(out *SourceS3PathObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceS3PathObservation.
@@ -2538,6 +3284,32 @@ func (in *SourceS3PathParameters) DeepCopy() *SourceS3PathParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetDocumentAttributeValueObservation) DeepCopyInto(out *TargetDocumentAttributeValueObservation) {
 	*out = *in
+	if in.DateValue != nil {
+		in, out := &in.DateValue, &out.DateValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.LongValue != nil {
+		in, out := &in.LongValue, &out.LongValue
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StringListValue != nil {
+		in, out := &in.StringListValue, &out.StringListValue
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StringValue != nil {
+		in, out := &in.StringValue, &out.StringValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetDocumentAttributeValueObservation.
@@ -2594,6 +3366,23 @@ func (in *TargetDocumentAttributeValueParameters) DeepCopy() *TargetDocumentAttr
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 	*out = *in
+	if in.TargetDocumentAttributeKey != nil {
+		in, out := &in.TargetDocumentAttributeKey, &out.TargetDocumentAttributeKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetDocumentAttributeValue != nil {
+		in, out := &in.TargetDocumentAttributeValue, &out.TargetDocumentAttributeValue
+		*out = make([]TargetDocumentAttributeValueObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TargetDocumentAttributeValueDeletion != nil {
+		in, out := &in.TargetDocumentAttributeValueDeletion, &out.TargetDocumentAttributeValueDeletion
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
@@ -2745,16 +3534,58 @@ func (in *ThesaurusObservation) DeepCopyInto(out *ThesaurusObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IndexID != nil {
+		in, out := &in.IndexID, &out.IndexID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceS3Path != nil {
+		in, out := &in.SourceS3Path, &out.SourceS3Path
+		*out = make([]ThesaurusSourceS3PathObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2872,6 +3703,16 @@ func (in *ThesaurusParameters) DeepCopy() *ThesaurusParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThesaurusSourceS3PathObservation) DeepCopyInto(out *ThesaurusSourceS3PathObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThesaurusSourceS3PathObservation.
@@ -2966,6 +3807,20 @@ func (in *ThesaurusStatus) DeepCopy() *ThesaurusStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UrlsObservation) DeepCopyInto(out *UrlsObservation) {
 	*out = *in
+	if in.SeedURLConfiguration != nil {
+		in, out := &in.SeedURLConfiguration, &out.SeedURLConfiguration
+		*out = make([]SeedURLConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SiteMapsConfiguration != nil {
+		in, out := &in.SiteMapsConfiguration, &out.SiteMapsConfiguration
+		*out = make([]SiteMapsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UrlsObservation.
@@ -3010,6 +3865,11 @@ func (in *UrlsParameters) DeepCopy() *UrlsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserGroupResolutionConfigurationObservation) DeepCopyInto(out *UserGroupResolutionConfigurationObservation) {
 	*out = *in
+	if in.UserGroupResolutionMode != nil {
+		in, out := &in.UserGroupResolutionMode, &out.UserGroupResolutionMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserGroupResolutionConfigurationObservation.
@@ -3045,6 +3905,11 @@ func (in *UserGroupResolutionConfigurationParameters) DeepCopy() *UserGroupResol
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserIdentityConfigurationObservation) DeepCopyInto(out *UserIdentityConfigurationObservation) {
 	*out = *in
+	if in.IdentityAttributeName != nil {
+		in, out := &in.IdentityAttributeName, &out.IdentityAttributeName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserIdentityConfigurationObservation.
@@ -3080,6 +3945,20 @@ func (in *UserIdentityConfigurationParameters) DeepCopy() *UserIdentityConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserTokenConfigurationsObservation) DeepCopyInto(out *UserTokenConfigurationsObservation) {
 	*out = *in
+	if in.JSONTokenTypeConfiguration != nil {
+		in, out := &in.JSONTokenTypeConfiguration, &out.JSONTokenTypeConfiguration
+		*out = make([]JSONTokenTypeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.JwtTokenTypeConfiguration != nil {
+		in, out := &in.JwtTokenTypeConfiguration, &out.JwtTokenTypeConfiguration
+		*out = make([]JwtTokenTypeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserTokenConfigurationsObservation.
@@ -3124,6 +4003,69 @@ func (in *UserTokenConfigurationsParameters) DeepCopy() *UserTokenConfigurations
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WebCrawlerConfigurationObservation) DeepCopyInto(out *WebCrawlerConfigurationObservation) {
 	*out = *in
+	if in.AuthenticationConfiguration != nil {
+		in, out := &in.AuthenticationConfiguration, &out.AuthenticationConfiguration
+		*out = make([]AuthenticationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CrawlDepth != nil {
+		in, out := &in.CrawlDepth, &out.CrawlDepth
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxContentSizePerPageInMegaBytes != nil {
+		in, out := &in.MaxContentSizePerPageInMegaBytes, &out.MaxContentSizePerPageInMegaBytes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxLinksPerPage != nil {
+		in, out := &in.MaxLinksPerPage, &out.MaxLinksPerPage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxUrlsPerMinuteCrawlRate != nil {
+		in, out := &in.MaxUrlsPerMinuteCrawlRate, &out.MaxUrlsPerMinuteCrawlRate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ProxyConfiguration != nil {
+		in, out := &in.ProxyConfiguration, &out.ProxyConfiguration
+		*out = make([]ProxyConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.URLExclusionPatterns != nil {
+		in, out := &in.URLExclusionPatterns, &out.URLExclusionPatterns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.URLInclusionPatterns != nil {
+		in, out := &in.URLInclusionPatterns, &out.URLInclusionPatterns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Urls != nil {
+		in, out := &in.Urls, &out.Urls
+		*out = make([]UrlsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebCrawlerConfigurationObservation.
diff --git a/apis/kendra/v1beta1/zz_index_types.go b/apis/kendra/v1beta1/zz_index_types.go
index 4804cc0101..239f871731 100755
--- a/apis/kendra/v1beta1/zz_index_types.go
+++ b/apis/kendra/v1beta1/zz_index_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CapacityUnitsObservation struct {
+
+	// The amount of extra query capacity for an index and GetQuerySuggestions capacity. For more information, refer to QueryCapacityUnits.
+	QueryCapacityUnits *float64 `json:"queryCapacityUnits,omitempty" tf:"query_capacity_units,omitempty"`
+
+	// The amount of extra storage capacity for an index. A single capacity unit provides 30 GB of storage space or 100,000 documents, whichever is reached first. Minimum value of 0.
+	StorageCapacityUnits *float64 `json:"storageCapacityUnits,omitempty" tf:"storage_capacity_units,omitempty"`
 }
 
 type CapacityUnitsParameters struct {
@@ -28,6 +34,18 @@ type CapacityUnitsParameters struct {
 }
 
 type DocumentMetadataConfigurationUpdatesObservation struct {
+
+	// The name of the index field. Minimum length of 1. Maximum length of 30.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A block that provides manual tuning parameters to determine how the field affects the search results. Detailed below
+	Relevance []RelevanceObservation `json:"relevance,omitempty" tf:"relevance,omitempty"`
+
+	// A block that provides information about how the field is used during a search. Documented below. Detailed below
+	Search []SearchObservation `json:"search,omitempty" tf:"search,omitempty"`
+
+	// The data type of the index field. Valid values are STRING_VALUE, STRING_LIST_VALUE, LONG_VALUE, DATE_VALUE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DocumentMetadataConfigurationUpdatesParameters struct {
@@ -63,9 +81,21 @@ type IndexObservation struct {
 	// The Amazon Resource Name (ARN) of the Index.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A block that sets the number of additional document storage and query capacity units that should be used by the index. Detailed below.
+	CapacityUnits []CapacityUnitsObservation `json:"capacityUnits,omitempty" tf:"capacity_units,omitempty"`
+
 	// The Unix datetime that the index was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// The description of the Index.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// One or more blocks that specify the configuration settings for any metadata applied to the documents in the index. Minimum number of 0 items. Maximum number of 500 items. If specified, you must define all elements, including those that are provided by default. These index fields are documented at Amazon Kendra Index documentation. For an example resource that defines these default index fields, refer to the default example above. For an example resource that appends additional index fields, refer to the append example above. All arguments for each block must be specified. Note that blocks cannot be removed since index fields cannot be deleted. This argument is detailed below.
+	DocumentMetadataConfigurationUpdates []DocumentMetadataConfigurationUpdatesObservation `json:"documentMetadataConfigurationUpdates,omitempty" tf:"document_metadata_configuration_updates,omitempty"`
+
+	// The Amazon Kendra edition to use for the index. Choose DEVELOPER_EDITION for indexes intended for development, testing, or proof of concept. Use ENTERPRISE_EDITION for your production databases. Once you set the edition for an index, it can't be changed. Defaults to ENTERPRISE_EDITION
+	Edition *string `json:"edition,omitempty" tf:"edition,omitempty"`
+
 	// When the Status field value is FAILED, this contains a message that explains why.
 	ErrorMessage *string `json:"errorMessage,omitempty" tf:"error_message,omitempty"`
 
@@ -75,14 +105,35 @@ type IndexObservation struct {
 	// A block that provides information about the number of FAQ questions and answers and the number of text documents indexed. Detailed below.
 	IndexStatistics []IndexStatisticsObservation `json:"indexStatistics,omitempty" tf:"index_statistics,omitempty"`
 
+	// Specifies the name of the Index.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// An AWS Identity and Access Management (IAM) role that gives Amazon Kendra permissions to access your Amazon CloudWatch logs and metrics. This is also the role you use when you call the BatchPutDocument API to index documents from an Amazon S3 bucket.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// A block that specifies the identifier of the AWS KMS customer managed key (CMK) that's used to encrypt data indexed by Amazon Kendra. Amazon Kendra doesn't support asymmetric CMKs. Detailed below.
+	ServerSideEncryptionConfiguration []ServerSideEncryptionConfigurationObservation `json:"serverSideEncryptionConfiguration,omitempty" tf:"server_side_encryption_configuration,omitempty"`
+
 	// The current status of the index. When the value is ACTIVE, the index is ready for use. If the Status field value is FAILED, the error_message field contains a message that explains why.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The Unix datetime that the index was last updated.
 	UpdatedAt *string `json:"updatedAt,omitempty" tf:"updated_at,omitempty"`
+
+	// The user context policy. Valid values are ATTRIBUTE_FILTER or USER_TOKEN. For more information, refer to UserContextPolicy. Defaults to ATTRIBUTE_FILTER.
+	UserContextPolicy *string `json:"userContextPolicy,omitempty" tf:"user_context_policy,omitempty"`
+
+	// A block that enables fetching access levels of groups and users from an AWS Single Sign-On identity source. To configure this, see UserGroupResolutionConfiguration. Detailed below.
+	UserGroupResolutionConfiguration []UserGroupResolutionConfigurationObservation `json:"userGroupResolutionConfiguration,omitempty" tf:"user_group_resolution_configuration,omitempty"`
+
+	// A block that specifies the user token configuration. Detailed below.
+	UserTokenConfigurations []UserTokenConfigurationsObservation `json:"userTokenConfigurations,omitempty" tf:"user_token_configurations,omitempty"`
 }
 
 type IndexParameters struct {
@@ -104,8 +155,8 @@ type IndexParameters struct {
 	Edition *string `json:"edition,omitempty" tf:"edition,omitempty"`
 
 	// Specifies the name of the Index.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -160,6 +211,12 @@ type IndexStatisticsParameters struct {
 }
 
 type JSONTokenTypeConfigurationObservation struct {
+
+	// The group attribute field. Minimum length of 1. Maximum length of 2048.
+	GroupAttributeField *string `json:"groupAttributeField,omitempty" tf:"group_attribute_field,omitempty"`
+
+	// The user name attribute field. Minimum length of 1. Maximum length of 2048.
+	UserNameAttributeField *string `json:"userNameAttributeField,omitempty" tf:"user_name_attribute_field,omitempty"`
 }
 
 type JSONTokenTypeConfigurationParameters struct {
@@ -174,6 +231,27 @@ type JSONTokenTypeConfigurationParameters struct {
 }
 
 type JwtTokenTypeConfigurationObservation struct {
+
+	// The regular expression that identifies the claim. Minimum length of 1. Maximum length of 100.
+	ClaimRegex *string `json:"claimRegex,omitempty" tf:"claim_regex,omitempty"`
+
+	// The group attribute field. Minimum length of 1. Maximum length of 2048.
+	GroupAttributeField *string `json:"groupAttributeField,omitempty" tf:"group_attribute_field,omitempty"`
+
+	// The issuer of the token. Minimum length of 1. Maximum length of 65.
+	Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
+
+	// The location of the key. Valid values are URL or SECRET_MANAGER
+	KeyLocation *string `json:"keyLocation,omitempty" tf:"key_location,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the secret.
+	SecretsManagerArn *string `json:"secretsManagerArn,omitempty" tf:"secrets_manager_arn,omitempty"`
+
+	// The signing key URL. Valid pattern is ^(https?|ftp|file):\/\/([^\s]*)
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// The user name attribute field. Minimum length of 1. Maximum length of 2048.
+	UserNameAttributeField *string `json:"userNameAttributeField,omitempty" tf:"user_name_attribute_field,omitempty"`
 }
 
 type JwtTokenTypeConfigurationParameters struct {
@@ -208,6 +286,21 @@ type JwtTokenTypeConfigurationParameters struct {
 }
 
 type RelevanceObservation struct {
+
+	// Specifies the time period that the boost applies to. For more information, refer to Duration.
+	Duration *string `json:"duration,omitempty" tf:"duration,omitempty"`
+
+	// Indicates that this field determines how "fresh" a document is. For more information, refer to Freshness.
+	Freshness *bool `json:"freshness,omitempty" tf:"freshness,omitempty"`
+
+	// The relative importance of the field in the search. Larger numbers provide more of a boost than smaller numbers. Minimum value of 1. Maximum value of 10.
+	Importance *float64 `json:"importance,omitempty" tf:"importance,omitempty"`
+
+	// Determines how values should be interpreted. For more information, refer to RankOrder.
+	RankOrder *string `json:"rankOrder,omitempty" tf:"rank_order,omitempty"`
+
+	// A list of values that should be given a different boost when they appear in the result list. For more information, refer to ValueImportanceMap.
+	ValuesImportanceMap map[string]*float64 `json:"valuesImportanceMap,omitempty" tf:"values_importance_map,omitempty"`
 }
 
 type RelevanceParameters struct {
@@ -234,6 +327,18 @@ type RelevanceParameters struct {
 }
 
 type SearchObservation struct {
+
+	// Determines whether the field is returned in the query response. The default is true.
+	Displayable *bool `json:"displayable,omitempty" tf:"displayable,omitempty"`
+
+	// Indicates that the field can be used to create search facets, a count of results for each value in the field. The default is false.
+	Facetable *bool `json:"facetable,omitempty" tf:"facetable,omitempty"`
+
+	// Determines whether the field is used in the search. If the Searchable field is true, you can use relevance tuning to manually tune how Amazon Kendra weights the field in the search. The default is true for string fields and false for number and date fields.
+	Searchable *bool `json:"searchable,omitempty" tf:"searchable,omitempty"`
+
+	// Determines whether the field can be used to sort the results of a query. If you specify sorting on a field that does not have Sortable set to true, Amazon Kendra returns an exception. The default is false.
+	Sortable *bool `json:"sortable,omitempty" tf:"sortable,omitempty"`
 }
 
 type SearchParameters struct {
@@ -256,6 +361,9 @@ type SearchParameters struct {
 }
 
 type ServerSideEncryptionConfigurationObservation struct {
+
+	// The identifier of the AWS KMScustomer master key (CMK). Amazon Kendra doesn't support asymmetric CMKs.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 }
 
 type ServerSideEncryptionConfigurationParameters struct {
@@ -278,6 +386,9 @@ type TextDocumentStatisticsParameters struct {
 }
 
 type UserGroupResolutionConfigurationObservation struct {
+
+	// The identity store provider (mode) you want to use to fetch access levels of groups and users. AWS Single Sign-On is currently the only available mode. Your users and groups must exist in an AWS SSO identity source in order to use this mode. Valid Values are AWS_SSO or NONE.
+	UserGroupResolutionMode *string `json:"userGroupResolutionMode,omitempty" tf:"user_group_resolution_mode,omitempty"`
 }
 
 type UserGroupResolutionConfigurationParameters struct {
@@ -288,6 +399,12 @@ type UserGroupResolutionConfigurationParameters struct {
 }
 
 type UserTokenConfigurationsObservation struct {
+
+	// A block that specifies the information about the JSON token type configuration. Detailed below.
+	JSONTokenTypeConfiguration []JSONTokenTypeConfigurationObservation `json:"jsonTokenTypeConfiguration,omitempty" tf:"json_token_type_configuration,omitempty"`
+
+	// A block that specifies the information about the JWT token type configuration. Detailed below.
+	JwtTokenTypeConfiguration []JwtTokenTypeConfigurationObservation `json:"jwtTokenTypeConfiguration,omitempty" tf:"jwt_token_type_configuration,omitempty"`
 }
 
 type UserTokenConfigurationsParameters struct {
@@ -325,8 +442,9 @@ type IndexStatus struct {
 type Index struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IndexSpec   `json:"spec"`
-	Status            IndexStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   IndexSpec   `json:"spec"`
+	Status IndexStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kendra/v1beta1/zz_querysuggestionsblocklist_types.go b/apis/kendra/v1beta1/zz_querysuggestionsblocklist_types.go
index 1d4b2cb15e..09a019593e 100755
--- a/apis/kendra/v1beta1/zz_querysuggestionsblocklist_types.go
+++ b/apis/kendra/v1beta1/zz_querysuggestionsblocklist_types.go
@@ -18,13 +18,31 @@ type QuerySuggestionsBlockListObservation struct {
 	// ARN of the block list.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description for a block list.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The identifier of the index for a block list.
+	IndexID *string `json:"indexId,omitempty" tf:"index_id,omitempty"`
+
+	// The name for the block list.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The unique indentifier of the block list.
 	QuerySuggestionsBlockListID *string `json:"querySuggestionsBlockListId,omitempty" tf:"query_suggestions_block_list_id,omitempty"`
 
+	// The IAM (Identity and Access Management) role used to access the block list text file in S3.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The S3 path where your block list text file sits in S3. Detailed below.
+	SourceS3Path []SourceS3PathObservation `json:"sourceS3Path,omitempty" tf:"source_s3_path,omitempty"`
+
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -50,8 +68,8 @@ type QuerySuggestionsBlockListParameters struct {
 	IndexIDSelector *v1.Selector `json:"indexIdSelector,omitempty" tf:"-"`
 
 	// The name for the block list.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -73,8 +91,8 @@ type QuerySuggestionsBlockListParameters struct {
 	RoleArnSelector *v1.Selector `json:"roleArnSelector,omitempty" tf:"-"`
 
 	// The S3 path where your block list text file sits in S3. Detailed below.
-	// +kubebuilder:validation:Required
-	SourceS3Path []SourceS3PathParameters `json:"sourceS3Path" tf:"source_s3_path,omitempty"`
+	// +kubebuilder:validation:Optional
+	SourceS3Path []SourceS3PathParameters `json:"sourceS3Path,omitempty" tf:"source_s3_path,omitempty"`
 
 	// Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
 	// +kubebuilder:validation:Optional
@@ -82,6 +100,12 @@ type QuerySuggestionsBlockListParameters struct {
 }
 
 type SourceS3PathObservation struct {
+
+	// The name of the S3 bucket that contains the file.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The name of the file.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type SourceS3PathParameters struct {
@@ -129,8 +153,10 @@ type QuerySuggestionsBlockListStatus struct {
 type QuerySuggestionsBlockList struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              QuerySuggestionsBlockListSpec   `json:"spec"`
-	Status            QuerySuggestionsBlockListStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceS3Path)",message="sourceS3Path is a required parameter"
+	Spec   QuerySuggestionsBlockListSpec   `json:"spec"`
+	Status QuerySuggestionsBlockListStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kendra/v1beta1/zz_thesaurus_types.go b/apis/kendra/v1beta1/zz_thesaurus_types.go
index 86ff68e5d4..b9e0b6a362 100755
--- a/apis/kendra/v1beta1/zz_thesaurus_types.go
+++ b/apis/kendra/v1beta1/zz_thesaurus_types.go
@@ -18,12 +18,30 @@ type ThesaurusObservation struct {
 	// ARN of the thesaurus.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description for a thesaurus.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The unique identifiers of the thesaurus and index separated by a slash (/).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The identifier of the index for a thesaurus.
+	IndexID *string `json:"indexId,omitempty" tf:"index_id,omitempty"`
+
+	// The name for the thesaurus.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The IAM (Identity and Access Management) role used to access the thesaurus file in S3.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The S3 path where your thesaurus file sits in S3. Detailed below.
+	SourceS3Path []ThesaurusSourceS3PathObservation `json:"sourceS3Path,omitempty" tf:"source_s3_path,omitempty"`
+
 	// The current status of the thesaurus.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -52,8 +70,8 @@ type ThesaurusParameters struct {
 	IndexIDSelector *v1.Selector `json:"indexIdSelector,omitempty" tf:"-"`
 
 	// The name for the thesaurus.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -75,8 +93,8 @@ type ThesaurusParameters struct {
 	RoleArnSelector *v1.Selector `json:"roleArnSelector,omitempty" tf:"-"`
 
 	// The S3 path where your thesaurus file sits in S3. Detailed below.
-	// +kubebuilder:validation:Required
-	SourceS3Path []ThesaurusSourceS3PathParameters `json:"sourceS3Path" tf:"source_s3_path,omitempty"`
+	// +kubebuilder:validation:Optional
+	SourceS3Path []ThesaurusSourceS3PathParameters `json:"sourceS3Path,omitempty" tf:"source_s3_path,omitempty"`
 
 	// Key-value map of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
 	// +kubebuilder:validation:Optional
@@ -84,6 +102,12 @@ type ThesaurusParameters struct {
 }
 
 type ThesaurusSourceS3PathObservation struct {
+
+	// The name of the S3 bucket that contains the file.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The name of the file.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type ThesaurusSourceS3PathParameters struct {
@@ -141,8 +165,10 @@ type ThesaurusStatus struct {
 type Thesaurus struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ThesaurusSpec   `json:"spec"`
-	Status            ThesaurusStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceS3Path)",message="sourceS3Path is a required parameter"
+	Spec   ThesaurusSpec   `json:"spec"`
+	Status ThesaurusStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/keyspaces/v1beta1/zz_generated.deepcopy.go b/apis/keyspaces/v1beta1/zz_generated.deepcopy.go
index 03cf46352e..e91e4d560c 100644
--- a/apis/keyspaces/v1beta1/zz_generated.deepcopy.go
+++ b/apis/keyspaces/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacitySpecificationObservation) DeepCopyInto(out *CapacitySpecificationObservation) {
 	*out = *in
+	if in.ReadCapacityUnits != nil {
+		in, out := &in.ReadCapacityUnits, &out.ReadCapacityUnits
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThroughputMode != nil {
+		in, out := &in.ThroughputMode, &out.ThroughputMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.WriteCapacityUnits != nil {
+		in, out := &in.WriteCapacityUnits, &out.WriteCapacityUnits
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacitySpecificationObservation.
@@ -62,6 +77,16 @@ func (in *CapacitySpecificationParameters) DeepCopy() *CapacitySpecificationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusteringKeyObservation) DeepCopyInto(out *ClusteringKeyObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrderBy != nil {
+		in, out := &in.OrderBy, &out.OrderBy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusteringKeyObservation.
@@ -102,6 +127,16 @@ func (in *ClusteringKeyParameters) DeepCopy() *ClusteringKeyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ColumnObservation) DeepCopyInto(out *ColumnObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ColumnObservation.
@@ -142,6 +177,11 @@ func (in *ColumnParameters) DeepCopy() *ColumnParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CommentObservation) DeepCopyInto(out *CommentObservation) {
 	*out = *in
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CommentObservation.
@@ -177,6 +217,16 @@ func (in *CommentParameters) DeepCopy() *CommentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionSpecificationObservation) DeepCopyInto(out *EncryptionSpecificationObservation) {
 	*out = *in
+	if in.KMSKeyIdentifier != nil {
+		in, out := &in.KMSKeyIdentifier, &out.KMSKeyIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionSpecificationObservation.
@@ -286,6 +336,21 @@ func (in *KeyspaceObservation) DeepCopyInto(out *KeyspaceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -385,6 +450,11 @@ func (in *KeyspaceStatus) DeepCopy() *KeyspaceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PartitionKeyObservation) DeepCopyInto(out *PartitionKeyObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PartitionKeyObservation.
@@ -420,6 +490,11 @@ func (in *PartitionKeyParameters) DeepCopy() *PartitionKeyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PointInTimeRecoveryObservation) DeepCopyInto(out *PointInTimeRecoveryObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PointInTimeRecoveryObservation.
@@ -455,6 +530,34 @@ func (in *PointInTimeRecoveryParameters) DeepCopy() *PointInTimeRecoveryParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaDefinitionObservation) DeepCopyInto(out *SchemaDefinitionObservation) {
 	*out = *in
+	if in.ClusteringKey != nil {
+		in, out := &in.ClusteringKey, &out.ClusteringKey
+		*out = make([]ClusteringKeyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Column != nil {
+		in, out := &in.Column, &out.Column
+		*out = make([]ColumnObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PartitionKey != nil {
+		in, out := &in.PartitionKey, &out.PartitionKey
+		*out = make([]PartitionKeyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StaticColumn != nil {
+		in, out := &in.StaticColumn, &out.StaticColumn
+		*out = make([]StaticColumnObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaDefinitionObservation.
@@ -513,6 +616,11 @@ func (in *SchemaDefinitionParameters) DeepCopy() *SchemaDefinitionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StaticColumnObservation) DeepCopyInto(out *StaticColumnObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticColumnObservation.
@@ -548,6 +656,11 @@ func (in *StaticColumnParameters) DeepCopy() *StaticColumnParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TTLObservation) DeepCopyInto(out *TTLObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TTLObservation.
@@ -647,11 +760,83 @@ func (in *TableObservation) DeepCopyInto(out *TableObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CapacitySpecification != nil {
+		in, out := &in.CapacitySpecification, &out.CapacitySpecification
+		*out = make([]CapacitySpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = make([]CommentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultTimeToLive != nil {
+		in, out := &in.DefaultTimeToLive, &out.DefaultTimeToLive
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EncryptionSpecification != nil {
+		in, out := &in.EncryptionSpecification, &out.EncryptionSpecification
+		*out = make([]EncryptionSpecificationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyspaceName != nil {
+		in, out := &in.KeyspaceName, &out.KeyspaceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.PointInTimeRecovery != nil {
+		in, out := &in.PointInTimeRecovery, &out.PointInTimeRecovery
+		*out = make([]PointInTimeRecoveryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SchemaDefinition != nil {
+		in, out := &in.SchemaDefinition, &out.SchemaDefinition
+		*out = make([]SchemaDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = make([]TTLObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/keyspaces/v1beta1/zz_keyspace_types.go b/apis/keyspaces/v1beta1/zz_keyspace_types.go
index 64391c7ae2..4049d7fa4c 100755
--- a/apis/keyspaces/v1beta1/zz_keyspace_types.go
+++ b/apis/keyspaces/v1beta1/zz_keyspace_types.go
@@ -21,6 +21,9 @@ type KeyspaceObservation struct {
 	// The name of the keyspace.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/keyspaces/v1beta1/zz_table_types.go b/apis/keyspaces/v1beta1/zz_table_types.go
index b8f05a26f1..2c0fa498c4 100755
--- a/apis/keyspaces/v1beta1/zz_table_types.go
+++ b/apis/keyspaces/v1beta1/zz_table_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CapacitySpecificationObservation struct {
+
+	// The throughput capacity specified for read operations defined in read capacity units (RCUs).
+	ReadCapacityUnits *float64 `json:"readCapacityUnits,omitempty" tf:"read_capacity_units,omitempty"`
+
+	// The read/write throughput capacity mode for a table. Valid values: PAY_PER_REQUEST, PROVISIONED. The default value is PAY_PER_REQUEST.
+	ThroughputMode *string `json:"throughputMode,omitempty" tf:"throughput_mode,omitempty"`
+
+	// The throughput capacity specified for write operations defined in write capacity units (WCUs).
+	WriteCapacityUnits *float64 `json:"writeCapacityUnits,omitempty" tf:"write_capacity_units,omitempty"`
 }
 
 type CapacitySpecificationParameters struct {
@@ -32,6 +41,12 @@ type CapacitySpecificationParameters struct {
 }
 
 type ClusteringKeyObservation struct {
+
+	// The name of the column.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The order modifier. Valid values: ASC, DESC.
+	OrderBy *string `json:"orderBy,omitempty" tf:"order_by,omitempty"`
 }
 
 type ClusteringKeyParameters struct {
@@ -46,6 +61,12 @@ type ClusteringKeyParameters struct {
 }
 
 type ColumnObservation struct {
+
+	// The name of the column.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The encryption option specified for the table. Valid values: AWS_OWNED_KMS_KEY, CUSTOMER_MANAGED_KMS_KEY. The default value is AWS_OWNED_KMS_KEY.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ColumnParameters struct {
@@ -60,6 +81,9 @@ type ColumnParameters struct {
 }
 
 type CommentObservation struct {
+
+	// A description of the table.
+	Message *string `json:"message,omitempty" tf:"message,omitempty"`
 }
 
 type CommentParameters struct {
@@ -70,6 +94,12 @@ type CommentParameters struct {
 }
 
 type EncryptionSpecificationObservation struct {
+
+	// The Amazon Resource Name (ARN) of the customer managed KMS key.
+	KMSKeyIdentifier *string `json:"kmsKeyIdentifier,omitempty" tf:"kms_key_identifier,omitempty"`
+
+	// The encryption option specified for the table. Valid values: AWS_OWNED_KMS_KEY, CUSTOMER_MANAGED_KMS_KEY. The default value is AWS_OWNED_KMS_KEY.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EncryptionSpecificationParameters struct {
@@ -84,6 +114,9 @@ type EncryptionSpecificationParameters struct {
 }
 
 type PartitionKeyObservation struct {
+
+	// The name of the column.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type PartitionKeyParameters struct {
@@ -94,6 +127,9 @@ type PartitionKeyParameters struct {
 }
 
 type PointInTimeRecoveryObservation struct {
+
+	// Valid values: ENABLED, DISABLED. The default value is DISABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type PointInTimeRecoveryParameters struct {
@@ -104,6 +140,18 @@ type PointInTimeRecoveryParameters struct {
 }
 
 type SchemaDefinitionObservation struct {
+
+	// The columns that are part of the clustering key of the table.
+	ClusteringKey []ClusteringKeyObservation `json:"clusteringKey,omitempty" tf:"clustering_key,omitempty"`
+
+	// The regular columns of the table.
+	Column []ColumnObservation `json:"column,omitempty" tf:"column,omitempty"`
+
+	// The columns that are part of the partition key of the table .
+	PartitionKey []PartitionKeyObservation `json:"partitionKey,omitempty" tf:"partition_key,omitempty"`
+
+	// The columns that have been defined as STATIC. Static columns store values that are shared by all rows in the same partition.
+	StaticColumn []StaticColumnObservation `json:"staticColumn,omitempty" tf:"static_column,omitempty"`
 }
 
 type SchemaDefinitionParameters struct {
@@ -126,6 +174,9 @@ type SchemaDefinitionParameters struct {
 }
 
 type StaticColumnObservation struct {
+
+	// The name of the column.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type StaticColumnParameters struct {
@@ -136,6 +187,9 @@ type StaticColumnParameters struct {
 }
 
 type TTLObservation struct {
+
+	// Valid values: ENABLED, DISABLED. The default value is DISABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type TTLParameters struct {
@@ -150,8 +204,38 @@ type TableObservation struct {
 	// The ARN of the table.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies the read/write throughput capacity mode for the table.
+	CapacitySpecification []CapacitySpecificationObservation `json:"capacitySpecification,omitempty" tf:"capacity_specification,omitempty"`
+
+	// A description of the table.
+	Comment []CommentObservation `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// The default Time to Live setting in seconds for the table. More information can be found in the Developer Guide.
+	DefaultTimeToLive *float64 `json:"defaultTimeToLive,omitempty" tf:"default_time_to_live,omitempty"`
+
+	// Specifies how the encryption key for encryption at rest is managed for the table. More information can be found in the Developer Guide.
+	EncryptionSpecification []EncryptionSpecificationObservation `json:"encryptionSpecification,omitempty" tf:"encryption_specification,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the keyspace that the table is going to be created in.
+	KeyspaceName *string `json:"keyspaceName,omitempty" tf:"keyspace_name,omitempty"`
+
+	// Specifies if point-in-time recovery is enabled or disabled for the table. More information can be found in the Developer Guide.
+	PointInTimeRecovery []PointInTimeRecoveryObservation `json:"pointInTimeRecovery,omitempty" tf:"point_in_time_recovery,omitempty"`
+
+	// Describes the schema of the table.
+	SchemaDefinition []SchemaDefinitionObservation `json:"schemaDefinition,omitempty" tf:"schema_definition,omitempty"`
+
+	// Enables Time to Live custom settings for the table. More information can be found in the Developer Guide.
+	TTL []TTLObservation `json:"ttl,omitempty" tf:"ttl,omitempty"`
+
+	// The name of the table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -197,16 +281,16 @@ type TableParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Describes the schema of the table.
-	// +kubebuilder:validation:Required
-	SchemaDefinition []SchemaDefinitionParameters `json:"schemaDefinition" tf:"schema_definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	SchemaDefinition []SchemaDefinitionParameters `json:"schemaDefinition,omitempty" tf:"schema_definition,omitempty"`
 
 	// Enables Time to Live custom settings for the table. More information can be found in the Developer Guide.
 	// +kubebuilder:validation:Optional
 	TTL []TTLParameters `json:"ttl,omitempty" tf:"ttl,omitempty"`
 
 	// The name of the table.
-	// +kubebuilder:validation:Required
-	TableName *string `json:"tableName" tf:"table_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -237,8 +321,10 @@ type TableStatus struct {
 type Table struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TableSpec   `json:"spec"`
-	Status            TableStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schemaDefinition)",message="schemaDefinition is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tableName)",message="tableName is a required parameter"
+	Spec   TableSpec   `json:"spec"`
+	Status TableStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kinesis/v1beta1/zz_generated.deepcopy.go b/apis/kinesis/v1beta1/zz_generated.deepcopy.go
index 9d497d7331..ecda20dd97 100644
--- a/apis/kinesis/v1beta1/zz_generated.deepcopy.go
+++ b/apis/kinesis/v1beta1/zz_generated.deepcopy.go
@@ -118,6 +118,16 @@ func (in *StreamConsumerObservation) DeepCopyInto(out *StreamConsumerObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamArn != nil {
+		in, out := &in.StreamArn, &out.StreamArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StreamConsumerObservation.
@@ -239,6 +249,11 @@ func (in *StreamList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StreamModeDetailsObservation) DeepCopyInto(out *StreamModeDetailsObservation) {
 	*out = *in
+	if in.StreamMode != nil {
+		in, out := &in.StreamMode, &out.StreamMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StreamModeDetailsObservation.
@@ -279,11 +294,69 @@ func (in *StreamObservation) DeepCopyInto(out *StreamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EncryptionType != nil {
+		in, out := &in.EncryptionType, &out.EncryptionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnforceConsumerDeletion != nil {
+		in, out := &in.EnforceConsumerDeletion, &out.EnforceConsumerDeletion
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetentionPeriod != nil {
+		in, out := &in.RetentionPeriod, &out.RetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ShardCount != nil {
+		in, out := &in.ShardCount, &out.ShardCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ShardLevelMetrics != nil {
+		in, out := &in.ShardLevelMetrics, &out.ShardLevelMetrics
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StreamModeDetails != nil {
+		in, out := &in.StreamModeDetails, &out.StreamModeDetails
+		*out = make([]StreamModeDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/kinesis/v1beta1/zz_stream_types.go b/apis/kinesis/v1beta1/zz_stream_types.go
index 39b6b84eda..d81a669546 100755
--- a/apis/kinesis/v1beta1/zz_stream_types.go
+++ b/apis/kinesis/v1beta1/zz_stream_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type StreamModeDetailsObservation struct {
+
+	// Specifies the capacity mode of the stream. Must be either PROVISIONED or ON_DEMAND.
+	StreamMode *string `json:"streamMode,omitempty" tf:"stream_mode,omitempty"`
 }
 
 type StreamModeDetailsParameters struct {
@@ -28,9 +31,34 @@ type StreamObservation struct {
 	// The Amazon Resource Name (ARN) specifying the Stream (same as id)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The encryption type to use. The only acceptable values are NONE or KMS. The default value is NONE.
+	EncryptionType *string `json:"encryptionType,omitempty" tf:"encryption_type,omitempty"`
+
+	// A boolean that indicates all registered consumers should be deregistered from the stream so that the stream can be destroyed without error. The default value is false.
+	EnforceConsumerDeletion *bool `json:"enforceConsumerDeletion,omitempty" tf:"enforce_consumer_deletion,omitempty"`
+
 	// The unique Stream id
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The GUID for the customer-managed KMS key to use for encryption. You can also use a Kinesis-owned master key by specifying the alias alias/aws/kinesis.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Length of time data records are accessible after they are added to the stream. The maximum value of a stream's retention period is 8760 hours. Minimum value is 24. Default is 24.
+	RetentionPeriod *float64 `json:"retentionPeriod,omitempty" tf:"retention_period,omitempty"`
+
+	// –  The number of shards that the stream will use. If the stream_mode is PROVISIONED, this field is required.
+	// Amazon has guidelines for specifying the Stream size that should be referenced when creating a Kinesis stream. See Amazon Kinesis Streams for more.
+	ShardCount *float64 `json:"shardCount,omitempty" tf:"shard_count,omitempty"`
+
+	// A list of shard-level CloudWatch metrics which can be enabled for the stream. See Monitoring with CloudWatch for more. Note that the value ALL should not be used; instead you should provide an explicit list of metrics you wish to enable.
+	ShardLevelMetrics []*string `json:"shardLevelMetrics,omitempty" tf:"shard_level_metrics,omitempty"`
+
+	// Indicates the capacity mode of the data stream. Detailed below.
+	StreamModeDetails []StreamModeDetailsObservation `json:"streamModeDetails,omitempty" tf:"stream_mode_details,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/kinesis/v1beta1/zz_streamconsumer_types.go b/apis/kinesis/v1beta1/zz_streamconsumer_types.go
index 6a111517a4..3e6e07f998 100755
--- a/apis/kinesis/v1beta1/zz_streamconsumer_types.go
+++ b/apis/kinesis/v1beta1/zz_streamconsumer_types.go
@@ -23,13 +23,19 @@ type StreamConsumerObservation struct {
 
 	// Amazon Resource Name (ARN) of the stream consumer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the stream consumer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// –  Amazon Resource Name (ARN) of the data stream the consumer is registered with.
+	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 }
 
 type StreamConsumerParameters struct {
 
 	// Name of the stream consumer.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -75,8 +81,9 @@ type StreamConsumerStatus struct {
 type StreamConsumer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StreamConsumerSpec   `json:"spec"`
-	Status            StreamConsumerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   StreamConsumerSpec   `json:"spec"`
+	Status StreamConsumerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kinesisanalytics/v1beta1/zz_application_types.go b/apis/kinesisanalytics/v1beta1/zz_application_types.go
index 37c62061f1..dc8e605d87 100755
--- a/apis/kinesisanalytics/v1beta1/zz_application_types.go
+++ b/apis/kinesisanalytics/v1beta1/zz_application_types.go
@@ -20,34 +20,43 @@ type ApplicationObservation struct {
 
 	// The CloudWatch log stream options to monitor application errors.
 	// See CloudWatch Logging Options below for more details.
-	// +kubebuilder:validation:Optional
 	CloudwatchLoggingOptions []CloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
 
+	// SQL Code to transform input data, and generate output.
+	Code *string `json:"code,omitempty" tf:"code,omitempty"`
+
 	// The Timestamp when the application version was created.
 	CreateTimestamp *string `json:"createTimestamp,omitempty" tf:"create_timestamp,omitempty"`
 
+	// Description of the application.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ARN of the Kinesis Analytics Application.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Input configuration of the application. See Inputs below for more details.
-	// +kubebuilder:validation:Optional
 	Inputs []InputsObservation `json:"inputs,omitempty" tf:"inputs,omitempty"`
 
 	// The Timestamp when the application was last updated.
 	LastUpdateTimestamp *string `json:"lastUpdateTimestamp,omitempty" tf:"last_update_timestamp,omitempty"`
 
 	// Output destination configuration of the application. See Outputs below for more details.
-	// +kubebuilder:validation:Optional
 	Outputs []OutputsObservation `json:"outputs,omitempty" tf:"outputs,omitempty"`
 
 	// An S3 Reference Data Source for the application.
 	// See Reference Data Sources below for more details.
-	// +kubebuilder:validation:Optional
 	ReferenceDataSources []ReferenceDataSourcesObservation `json:"referenceDataSources,omitempty" tf:"reference_data_sources,omitempty"`
 
+	// Whether to start or stop the Kinesis Analytics Application. To start an application, an input with a defined starting_position must be configured.
+	// To modify an application's starting position, first stop the application by setting start_application = false, then update starting_position and set start_application = true.
+	StartApplication *bool `json:"startApplication,omitempty" tf:"start_application,omitempty"`
+
 	// The Status of the application.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -102,6 +111,12 @@ type CloudwatchLoggingOptionsObservation struct {
 
 	// The ARN of the Kinesis Analytics Application.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the CloudWatch Log Stream.
+	LogStreamArn *string `json:"logStreamArn,omitempty" tf:"log_stream_arn,omitempty"`
+
+	// The ARN of the IAM Role used to send application messages.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type CloudwatchLoggingOptionsParameters struct {
@@ -136,6 +151,12 @@ type CloudwatchLoggingOptionsParameters struct {
 }
 
 type CsvObservation struct {
+
+	// The Column Delimiter.
+	RecordColumnDelimiter *string `json:"recordColumnDelimiter,omitempty" tf:"record_column_delimiter,omitempty"`
+
+	// The Row Delimiter.
+	RecordRowDelimiter *string `json:"recordRowDelimiter,omitempty" tf:"record_row_delimiter,omitempty"`
 }
 
 type CsvParameters struct {
@@ -154,10 +175,32 @@ type InputsObservation struct {
 	// The ARN of the Kinesis Analytics Application.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Kinesis Firehose configuration for the streaming source. Conflicts with kinesis_stream.
+	// See Kinesis Firehose below for more details.
+	KinesisFirehose []KinesisFirehoseObservation `json:"kinesisFirehose,omitempty" tf:"kinesis_firehose,omitempty"`
+
+	// The Kinesis Stream configuration for the streaming source. Conflicts with kinesis_firehose.
+	// See Kinesis Stream below for more details.
+	KinesisStream []KinesisStreamObservation `json:"kinesisStream,omitempty" tf:"kinesis_stream,omitempty"`
+
+	// The Name Prefix to use when creating an in-application stream.
+	NamePrefix *string `json:"namePrefix,omitempty" tf:"name_prefix,omitempty"`
+
+	// The number of Parallel in-application streams to create.
+	// See Parallelism below for more details.
+	Parallelism []ParallelismObservation `json:"parallelism,omitempty" tf:"parallelism,omitempty"`
+
+	// The Processing Configuration to transform records as they are received from the stream.
+	// See Processing Configuration below for more details.
+	ProcessingConfiguration []ProcessingConfigurationObservation `json:"processingConfiguration,omitempty" tf:"processing_configuration,omitempty"`
+
 	// The Schema format of the data in the streaming source. See Source Schema below for more details.
-	// +kubebuilder:validation:Required
 	Schema []SchemaObservation `json:"schema,omitempty" tf:"schema,omitempty"`
 
+	// The point at which the application starts processing records from the streaming source.
+	// See Starting Position Configuration below for more details.
+	StartingPositionConfiguration []StartingPositionConfigurationObservation `json:"startingPositionConfiguration,omitempty" tf:"starting_position_configuration,omitempty"`
+
 	StreamNames []*string `json:"streamNames,omitempty" tf:"stream_names,omitempty"`
 }
 
@@ -198,6 +241,9 @@ type InputsParameters struct {
 }
 
 type JSONObservation struct {
+
+	// Path to the top-level parent that contains the records.
+	RecordRowPath *string `json:"recordRowPath,omitempty" tf:"record_row_path,omitempty"`
 }
 
 type JSONParameters struct {
@@ -208,6 +254,12 @@ type JSONParameters struct {
 }
 
 type KinesisFirehoseObservation struct {
+
+	// The ARN of the Lambda function.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// The IAM Role ARN to read the data.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type KinesisFirehoseParameters struct {
@@ -222,6 +274,12 @@ type KinesisFirehoseParameters struct {
 }
 
 type KinesisStreamObservation struct {
+
+	// The ARN of the Lambda function.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// The IAM Role ARN to read the data.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type KinesisStreamParameters struct {
@@ -256,6 +314,12 @@ type KinesisStreamParameters struct {
 }
 
 type LambdaObservation struct {
+
+	// The ARN of the Lambda function.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// The IAM Role ARN to read the data.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type LambdaParameters struct {
@@ -270,6 +334,12 @@ type LambdaParameters struct {
 }
 
 type MappingParametersCsvObservation struct {
+
+	// The Column Delimiter.
+	RecordColumnDelimiter *string `json:"recordColumnDelimiter,omitempty" tf:"record_column_delimiter,omitempty"`
+
+	// The Row Delimiter.
+	RecordRowDelimiter *string `json:"recordRowDelimiter,omitempty" tf:"record_row_delimiter,omitempty"`
 }
 
 type MappingParametersCsvParameters struct {
@@ -284,6 +354,9 @@ type MappingParametersCsvParameters struct {
 }
 
 type MappingParametersJSONObservation struct {
+
+	// Path to the top-level parent that contains the records.
+	RecordRowPath *string `json:"recordRowPath,omitempty" tf:"record_row_path,omitempty"`
 }
 
 type MappingParametersJSONParameters struct {
@@ -294,6 +367,14 @@ type MappingParametersJSONParameters struct {
 }
 
 type MappingParametersObservation struct {
+
+	// Mapping information when the record format uses delimiters.
+	// See CSV Mapping Parameters below for more details.
+	Csv []CsvObservation `json:"csv,omitempty" tf:"csv,omitempty"`
+
+	// Mapping information when JSON is the record format on the streaming source.
+	// See JSON Mapping Parameters below for more details.
+	JSON []JSONObservation `json:"json,omitempty" tf:"json,omitempty"`
 }
 
 type MappingParametersParameters struct {
@@ -310,6 +391,12 @@ type MappingParametersParameters struct {
 }
 
 type OutputsKinesisFirehoseObservation struct {
+
+	// The ARN of the Lambda function.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// The IAM Role ARN to read the data.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type OutputsKinesisFirehoseParameters struct {
@@ -344,6 +431,12 @@ type OutputsKinesisFirehoseParameters struct {
 }
 
 type OutputsKinesisStreamObservation struct {
+
+	// The ARN of the Lambda function.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// The IAM Role ARN to read the data.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type OutputsKinesisStreamParameters struct {
@@ -358,6 +451,12 @@ type OutputsKinesisStreamParameters struct {
 }
 
 type OutputsLambdaObservation struct {
+
+	// The ARN of the Lambda function.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// The IAM Role ARN to read the data.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type OutputsLambdaParameters struct {
@@ -375,6 +474,23 @@ type OutputsObservation struct {
 
 	// The ARN of the Kinesis Analytics Application.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Kinesis Firehose configuration for the destination stream. Conflicts with kinesis_stream.
+	// See Kinesis Firehose below for more details.
+	KinesisFirehose []OutputsKinesisFirehoseObservation `json:"kinesisFirehose,omitempty" tf:"kinesis_firehose,omitempty"`
+
+	// The Kinesis Stream configuration for the destination stream. Conflicts with kinesis_firehose.
+	// See Kinesis Stream below for more details.
+	KinesisStream []OutputsKinesisStreamObservation `json:"kinesisStream,omitempty" tf:"kinesis_stream,omitempty"`
+
+	// The Lambda function destination. See Lambda below for more details.
+	Lambda []OutputsLambdaObservation `json:"lambda,omitempty" tf:"lambda,omitempty"`
+
+	// The Name of the in-application stream.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The Schema format of the data written to the destination. See Destination Schema below for more details.
+	Schema []OutputsSchemaObservation `json:"schema,omitempty" tf:"schema,omitempty"`
 }
 
 type OutputsParameters struct {
@@ -403,6 +519,9 @@ type OutputsParameters struct {
 }
 
 type OutputsSchemaObservation struct {
+
+	// The Format Type of the records on the output stream. Can be CSV or JSON.
+	RecordFormatType *string `json:"recordFormatType,omitempty" tf:"record_format_type,omitempty"`
 }
 
 type OutputsSchemaParameters struct {
@@ -413,6 +532,9 @@ type OutputsSchemaParameters struct {
 }
 
 type ParallelismObservation struct {
+
+	// The Count of streams.
+	Count *float64 `json:"count,omitempty" tf:"count,omitempty"`
 }
 
 type ParallelismParameters struct {
@@ -423,6 +545,9 @@ type ParallelismParameters struct {
 }
 
 type ProcessingConfigurationObservation struct {
+
+	// The Lambda function configuration. See Lambda below for more details.
+	Lambda []LambdaObservation `json:"lambda,omitempty" tf:"lambda,omitempty"`
 }
 
 type ProcessingConfigurationParameters struct {
@@ -433,6 +558,15 @@ type ProcessingConfigurationParameters struct {
 }
 
 type RecordColumnsObservation struct {
+
+	// The Mapping reference to the data element.
+	Mapping *string `json:"mapping,omitempty" tf:"mapping,omitempty"`
+
+	// Name of the column.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The SQL Type of the column.
+	SQLType *string `json:"sqlType,omitempty" tf:"sql_type,omitempty"`
 }
 
 type RecordColumnsParameters struct {
@@ -451,6 +585,14 @@ type RecordColumnsParameters struct {
 }
 
 type RecordFormatMappingParametersObservation struct {
+
+	// Mapping information when the record format uses delimiters.
+	// See CSV Mapping Parameters below for more details.
+	Csv []MappingParametersCsvObservation `json:"csv,omitempty" tf:"csv,omitempty"`
+
+	// Mapping information when JSON is the record format on the streaming source.
+	// See JSON Mapping Parameters below for more details.
+	JSON []MappingParametersJSONObservation `json:"json,omitempty" tf:"json,omitempty"`
 }
 
 type RecordFormatMappingParametersParameters struct {
@@ -468,6 +610,10 @@ type RecordFormatMappingParametersParameters struct {
 
 type RecordFormatObservation struct {
 
+	// The Mapping Information for the record format.
+	// See Mapping Parameters below for more details.
+	MappingParameters []MappingParametersObservation `json:"mappingParameters,omitempty" tf:"mapping_parameters,omitempty"`
+
 	// The Format Type of the records on the output stream. Can be CSV or JSON.
 	RecordFormatType *string `json:"recordFormatType,omitempty" tf:"record_format_type,omitempty"`
 }
@@ -485,9 +631,14 @@ type ReferenceDataSourcesObservation struct {
 	// The ARN of the Kinesis Analytics Application.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The S3 configuration for the reference data source. See S3 Reference below for more details.
+	S3 []S3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
+
 	// The Schema format of the data in the streaming source. See Source Schema below for more details.
-	// +kubebuilder:validation:Required
 	Schema []ReferenceDataSourcesSchemaObservation `json:"schema,omitempty" tf:"schema,omitempty"`
+
+	// The in-application Table Name.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type ReferenceDataSourcesParameters struct {
@@ -507,9 +658,15 @@ type ReferenceDataSourcesParameters struct {
 
 type ReferenceDataSourcesSchemaObservation struct {
 
+	// The Record Column mapping for the streaming source data element.
+	// See Record Columns below for more details.
+	RecordColumns []SchemaRecordColumnsObservation `json:"recordColumns,omitempty" tf:"record_columns,omitempty"`
+
+	// The Encoding of the record in the streaming source.
+	RecordEncoding *string `json:"recordEncoding,omitempty" tf:"record_encoding,omitempty"`
+
 	// The Record Format and mapping information to schematize a record.
 	// See Record Format below for more details.
-	// +kubebuilder:validation:Required
 	RecordFormat []SchemaRecordFormatObservation `json:"recordFormat,omitempty" tf:"record_format,omitempty"`
 }
 
@@ -531,6 +688,15 @@ type ReferenceDataSourcesSchemaParameters struct {
 }
 
 type S3Observation struct {
+
+	// The S3 Bucket ARN.
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// The File Key name containing reference data.
+	FileKey *string `json:"fileKey,omitempty" tf:"file_key,omitempty"`
+
+	// The IAM Role ARN to read the data.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type S3Parameters struct {
@@ -550,9 +716,15 @@ type S3Parameters struct {
 
 type SchemaObservation struct {
 
+	// The Record Column mapping for the streaming source data element.
+	// See Record Columns below for more details.
+	RecordColumns []RecordColumnsObservation `json:"recordColumns,omitempty" tf:"record_columns,omitempty"`
+
+	// The Encoding of the record in the streaming source.
+	RecordEncoding *string `json:"recordEncoding,omitempty" tf:"record_encoding,omitempty"`
+
 	// The Record Format and mapping information to schematize a record.
 	// See Record Format below for more details.
-	// +kubebuilder:validation:Required
 	RecordFormat []RecordFormatObservation `json:"recordFormat,omitempty" tf:"record_format,omitempty"`
 }
 
@@ -574,6 +746,15 @@ type SchemaParameters struct {
 }
 
 type SchemaRecordColumnsObservation struct {
+
+	// The Mapping reference to the data element.
+	Mapping *string `json:"mapping,omitempty" tf:"mapping,omitempty"`
+
+	// Name of the column.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The SQL Type of the column.
+	SQLType *string `json:"sqlType,omitempty" tf:"sql_type,omitempty"`
 }
 
 type SchemaRecordColumnsParameters struct {
@@ -593,6 +774,10 @@ type SchemaRecordColumnsParameters struct {
 
 type SchemaRecordFormatObservation struct {
 
+	// The Mapping Information for the record format.
+	// See Mapping Parameters below for more details.
+	MappingParameters []RecordFormatMappingParametersObservation `json:"mappingParameters,omitempty" tf:"mapping_parameters,omitempty"`
+
 	// The Format Type of the records on the output stream. Can be CSV or JSON.
 	RecordFormatType *string `json:"recordFormatType,omitempty" tf:"record_format_type,omitempty"`
 }
@@ -606,6 +791,9 @@ type SchemaRecordFormatParameters struct {
 }
 
 type StartingPositionConfigurationObservation struct {
+
+	// The starting position on the stream. Valid values: LAST_STOPPED_POINT, NOW, TRIM_HORIZON.
+	StartingPosition *string `json:"startingPosition,omitempty" tf:"starting_position,omitempty"`
 }
 
 type StartingPositionConfigurationParameters struct {
diff --git a/apis/kinesisanalytics/v1beta1/zz_generated.deepcopy.go b/apis/kinesisanalytics/v1beta1/zz_generated.deepcopy.go
index b97cfa0469..f76e90ce8a 100644
--- a/apis/kinesisanalytics/v1beta1/zz_generated.deepcopy.go
+++ b/apis/kinesisanalytics/v1beta1/zz_generated.deepcopy.go
@@ -88,11 +88,21 @@ func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Code != nil {
+		in, out := &in.Code, &out.Code
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreateTimestamp != nil {
 		in, out := &in.CreateTimestamp, &out.CreateTimestamp
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -124,11 +134,31 @@ func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.StartApplication != nil {
+		in, out := &in.StartApplication, &out.StartApplication
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -281,6 +311,16 @@ func (in *CloudwatchLoggingOptionsObservation) DeepCopyInto(out *CloudwatchLoggi
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogStreamArn != nil {
+		in, out := &in.LogStreamArn, &out.LogStreamArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchLoggingOptionsObservation.
@@ -341,6 +381,16 @@ func (in *CloudwatchLoggingOptionsParameters) DeepCopy() *CloudwatchLoggingOptio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CsvObservation) DeepCopyInto(out *CsvObservation) {
 	*out = *in
+	if in.RecordColumnDelimiter != nil {
+		in, out := &in.RecordColumnDelimiter, &out.RecordColumnDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordRowDelimiter != nil {
+		in, out := &in.RecordRowDelimiter, &out.RecordRowDelimiter
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CsvObservation.
@@ -386,6 +436,39 @@ func (in *InputsObservation) DeepCopyInto(out *InputsObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KinesisFirehose != nil {
+		in, out := &in.KinesisFirehose, &out.KinesisFirehose
+		*out = make([]KinesisFirehoseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisStream != nil {
+		in, out := &in.KinesisStream, &out.KinesisStream
+		*out = make([]KinesisStreamObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NamePrefix != nil {
+		in, out := &in.NamePrefix, &out.NamePrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parallelism != nil {
+		in, out := &in.Parallelism, &out.Parallelism
+		*out = make([]ParallelismObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProcessingConfiguration != nil {
+		in, out := &in.ProcessingConfiguration, &out.ProcessingConfiguration
+		*out = make([]ProcessingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Schema != nil {
 		in, out := &in.Schema, &out.Schema
 		*out = make([]SchemaObservation, len(*in))
@@ -393,6 +476,13 @@ func (in *InputsObservation) DeepCopyInto(out *InputsObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.StartingPositionConfiguration != nil {
+		in, out := &in.StartingPositionConfiguration, &out.StartingPositionConfiguration
+		*out = make([]StartingPositionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.StreamNames != nil {
 		in, out := &in.StreamNames, &out.StreamNames
 		*out = make([]*string, len(*in))
@@ -481,6 +571,11 @@ func (in *InputsParameters) DeepCopy() *InputsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JSONObservation) DeepCopyInto(out *JSONObservation) {
 	*out = *in
+	if in.RecordRowPath != nil {
+		in, out := &in.RecordRowPath, &out.RecordRowPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JSONObservation.
@@ -516,6 +611,16 @@ func (in *JSONParameters) DeepCopy() *JSONParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisFirehoseObservation) DeepCopyInto(out *KinesisFirehoseObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisFirehoseObservation.
@@ -556,6 +661,16 @@ func (in *KinesisFirehoseParameters) DeepCopy() *KinesisFirehoseParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisStreamObservation) DeepCopyInto(out *KinesisStreamObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisStreamObservation.
@@ -616,6 +731,16 @@ func (in *KinesisStreamParameters) DeepCopy() *KinesisStreamParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaObservation) DeepCopyInto(out *LambdaObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaObservation.
@@ -656,6 +781,16 @@ func (in *LambdaParameters) DeepCopy() *LambdaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MappingParametersCsvObservation) DeepCopyInto(out *MappingParametersCsvObservation) {
 	*out = *in
+	if in.RecordColumnDelimiter != nil {
+		in, out := &in.RecordColumnDelimiter, &out.RecordColumnDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordRowDelimiter != nil {
+		in, out := &in.RecordRowDelimiter, &out.RecordRowDelimiter
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MappingParametersCsvObservation.
@@ -696,6 +831,11 @@ func (in *MappingParametersCsvParameters) DeepCopy() *MappingParametersCsvParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MappingParametersJSONObservation) DeepCopyInto(out *MappingParametersJSONObservation) {
 	*out = *in
+	if in.RecordRowPath != nil {
+		in, out := &in.RecordRowPath, &out.RecordRowPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MappingParametersJSONObservation.
@@ -731,6 +871,20 @@ func (in *MappingParametersJSONParameters) DeepCopy() *MappingParametersJSONPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MappingParametersObservation) DeepCopyInto(out *MappingParametersObservation) {
 	*out = *in
+	if in.Csv != nil {
+		in, out := &in.Csv, &out.Csv
+		*out = make([]CsvObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.JSON != nil {
+		in, out := &in.JSON, &out.JSON
+		*out = make([]JSONObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MappingParametersObservation.
@@ -775,6 +929,16 @@ func (in *MappingParametersParameters) DeepCopy() *MappingParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputsKinesisFirehoseObservation) DeepCopyInto(out *OutputsKinesisFirehoseObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputsKinesisFirehoseObservation.
@@ -835,6 +999,16 @@ func (in *OutputsKinesisFirehoseParameters) DeepCopy() *OutputsKinesisFirehosePa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputsKinesisStreamObservation) DeepCopyInto(out *OutputsKinesisStreamObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputsKinesisStreamObservation.
@@ -875,6 +1049,16 @@ func (in *OutputsKinesisStreamParameters) DeepCopy() *OutputsKinesisStreamParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputsLambdaObservation) DeepCopyInto(out *OutputsLambdaObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputsLambdaObservation.
@@ -920,6 +1104,39 @@ func (in *OutputsObservation) DeepCopyInto(out *OutputsObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KinesisFirehose != nil {
+		in, out := &in.KinesisFirehose, &out.KinesisFirehose
+		*out = make([]OutputsKinesisFirehoseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisStream != nil {
+		in, out := &in.KinesisStream, &out.KinesisStream
+		*out = make([]OutputsKinesisStreamObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Lambda != nil {
+		in, out := &in.Lambda, &out.Lambda
+		*out = make([]OutputsLambdaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schema != nil {
+		in, out := &in.Schema, &out.Schema
+		*out = make([]OutputsSchemaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputsObservation.
@@ -983,6 +1200,11 @@ func (in *OutputsParameters) DeepCopy() *OutputsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputsSchemaObservation) DeepCopyInto(out *OutputsSchemaObservation) {
 	*out = *in
+	if in.RecordFormatType != nil {
+		in, out := &in.RecordFormatType, &out.RecordFormatType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputsSchemaObservation.
@@ -1018,6 +1240,11 @@ func (in *OutputsSchemaParameters) DeepCopy() *OutputsSchemaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParallelismObservation) DeepCopyInto(out *ParallelismObservation) {
 	*out = *in
+	if in.Count != nil {
+		in, out := &in.Count, &out.Count
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParallelismObservation.
@@ -1053,6 +1280,13 @@ func (in *ParallelismParameters) DeepCopy() *ParallelismParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessingConfigurationObservation) DeepCopyInto(out *ProcessingConfigurationObservation) {
 	*out = *in
+	if in.Lambda != nil {
+		in, out := &in.Lambda, &out.Lambda
+		*out = make([]LambdaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessingConfigurationObservation.
@@ -1090,6 +1324,21 @@ func (in *ProcessingConfigurationParameters) DeepCopy() *ProcessingConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordColumnsObservation) DeepCopyInto(out *RecordColumnsObservation) {
 	*out = *in
+	if in.Mapping != nil {
+		in, out := &in.Mapping, &out.Mapping
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQLType != nil {
+		in, out := &in.SQLType, &out.SQLType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordColumnsObservation.
@@ -1135,6 +1384,20 @@ func (in *RecordColumnsParameters) DeepCopy() *RecordColumnsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordFormatMappingParametersObservation) DeepCopyInto(out *RecordFormatMappingParametersObservation) {
 	*out = *in
+	if in.Csv != nil {
+		in, out := &in.Csv, &out.Csv
+		*out = make([]MappingParametersCsvObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.JSON != nil {
+		in, out := &in.JSON, &out.JSON
+		*out = make([]MappingParametersJSONObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordFormatMappingParametersObservation.
@@ -1179,6 +1442,13 @@ func (in *RecordFormatMappingParametersParameters) DeepCopy() *RecordFormatMappi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordFormatObservation) DeepCopyInto(out *RecordFormatObservation) {
 	*out = *in
+	if in.MappingParameters != nil {
+		in, out := &in.MappingParameters, &out.MappingParameters
+		*out = make([]MappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.RecordFormatType != nil {
 		in, out := &in.RecordFormatType, &out.RecordFormatType
 		*out = new(string)
@@ -1226,6 +1496,13 @@ func (in *ReferenceDataSourcesObservation) DeepCopyInto(out *ReferenceDataSource
 		*out = new(string)
 		**out = **in
 	}
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]S3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Schema != nil {
 		in, out := &in.Schema, &out.Schema
 		*out = make([]ReferenceDataSourcesSchemaObservation, len(*in))
@@ -1233,6 +1510,11 @@ func (in *ReferenceDataSourcesObservation) DeepCopyInto(out *ReferenceDataSource
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceDataSourcesObservation.
@@ -1282,6 +1564,18 @@ func (in *ReferenceDataSourcesParameters) DeepCopy() *ReferenceDataSourcesParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReferenceDataSourcesSchemaObservation) DeepCopyInto(out *ReferenceDataSourcesSchemaObservation) {
 	*out = *in
+	if in.RecordColumns != nil {
+		in, out := &in.RecordColumns, &out.RecordColumns
+		*out = make([]SchemaRecordColumnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordEncoding != nil {
+		in, out := &in.RecordEncoding, &out.RecordEncoding
+		*out = new(string)
+		**out = **in
+	}
 	if in.RecordFormat != nil {
 		in, out := &in.RecordFormat, &out.RecordFormat
 		*out = make([]SchemaRecordFormatObservation, len(*in))
@@ -1338,6 +1632,21 @@ func (in *ReferenceDataSourcesSchemaParameters) DeepCopy() *ReferenceDataSources
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3Observation) DeepCopyInto(out *S3Observation) {
 	*out = *in
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileKey != nil {
+		in, out := &in.FileKey, &out.FileKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Observation.
@@ -1383,6 +1692,18 @@ func (in *S3Parameters) DeepCopy() *S3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 	*out = *in
+	if in.RecordColumns != nil {
+		in, out := &in.RecordColumns, &out.RecordColumns
+		*out = make([]RecordColumnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordEncoding != nil {
+		in, out := &in.RecordEncoding, &out.RecordEncoding
+		*out = new(string)
+		**out = **in
+	}
 	if in.RecordFormat != nil {
 		in, out := &in.RecordFormat, &out.RecordFormat
 		*out = make([]RecordFormatObservation, len(*in))
@@ -1439,6 +1760,21 @@ func (in *SchemaParameters) DeepCopy() *SchemaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaRecordColumnsObservation) DeepCopyInto(out *SchemaRecordColumnsObservation) {
 	*out = *in
+	if in.Mapping != nil {
+		in, out := &in.Mapping, &out.Mapping
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQLType != nil {
+		in, out := &in.SQLType, &out.SQLType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SchemaRecordColumnsObservation.
@@ -1484,6 +1820,13 @@ func (in *SchemaRecordColumnsParameters) DeepCopy() *SchemaRecordColumnsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SchemaRecordFormatObservation) DeepCopyInto(out *SchemaRecordFormatObservation) {
 	*out = *in
+	if in.MappingParameters != nil {
+		in, out := &in.MappingParameters, &out.MappingParameters
+		*out = make([]RecordFormatMappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.RecordFormatType != nil {
 		in, out := &in.RecordFormatType, &out.RecordFormatType
 		*out = new(string)
@@ -1526,6 +1869,11 @@ func (in *SchemaRecordFormatParameters) DeepCopy() *SchemaRecordFormatParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StartingPositionConfigurationObservation) DeepCopyInto(out *StartingPositionConfigurationObservation) {
 	*out = *in
+	if in.StartingPosition != nil {
+		in, out := &in.StartingPosition, &out.StartingPosition
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StartingPositionConfigurationObservation.
diff --git a/apis/kinesisanalyticsv2/v1beta1/zz_application_types.go b/apis/kinesisanalyticsv2/v1beta1/zz_application_types.go
index eb030b6b1a..db0745983f 100755
--- a/apis/kinesisanalyticsv2/v1beta1/zz_application_types.go
+++ b/apis/kinesisanalyticsv2/v1beta1/zz_application_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ApplicationCodeConfigurationObservation struct {
+
+	// The location and type of the application code.
+	CodeContent []CodeContentObservation `json:"codeContent,omitempty" tf:"code_content,omitempty"`
+
+	// Specifies whether the code content is in text or zip format. Valid values: PLAINTEXT, ZIPFILE.
+	CodeContentType *string `json:"codeContentType,omitempty" tf:"code_content_type,omitempty"`
 }
 
 type ApplicationCodeConfigurationParameters struct {
@@ -29,12 +35,25 @@ type ApplicationCodeConfigurationParameters struct {
 
 type ApplicationConfigurationObservation struct {
 
+	// The code location and type parameters for the application.
+	ApplicationCodeConfiguration []ApplicationCodeConfigurationObservation `json:"applicationCodeConfiguration,omitempty" tf:"application_code_configuration,omitempty"`
+
+	// Describes whether snapshots are enabled for a Flink-based application.
+	ApplicationSnapshotConfiguration []ApplicationSnapshotConfigurationObservation `json:"applicationSnapshotConfiguration,omitempty" tf:"application_snapshot_configuration,omitempty"`
+
+	// Describes execution properties for a Flink-based application.
+	EnvironmentProperties []EnvironmentPropertiesObservation `json:"environmentProperties,omitempty" tf:"environment_properties,omitempty"`
+
+	// The configuration of a Flink-based application.
+	FlinkApplicationConfiguration []FlinkApplicationConfigurationObservation `json:"flinkApplicationConfiguration,omitempty" tf:"flink_application_configuration,omitempty"`
+
+	// Describes the starting properties for a Flink-based application.
+	RunConfiguration []RunConfigurationObservation `json:"runConfiguration,omitempty" tf:"run_configuration,omitempty"`
+
 	// The configuration of a SQL-based application.
-	// +kubebuilder:validation:Optional
 	SQLApplicationConfiguration []SQLApplicationConfigurationObservation `json:"sqlApplicationConfiguration,omitempty" tf:"sql_application_configuration,omitempty"`
 
 	// The VPC configuration of a Flink-based application.
-	// +kubebuilder:validation:Optional
 	VPCConfiguration []VPCConfigurationObservation `json:"vpcConfiguration,omitempty" tf:"vpc_configuration,omitempty"`
 }
 
@@ -72,28 +91,44 @@ type ApplicationConfigurationParameters struct {
 type ApplicationObservation struct {
 
 	// The application's configuration
-	// +kubebuilder:validation:Optional
 	ApplicationConfiguration []ApplicationConfigurationObservation `json:"applicationConfiguration,omitempty" tf:"application_configuration,omitempty"`
 
 	// The ARN of the application.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// A CloudWatch log stream to monitor application configuration errors.
-	// +kubebuilder:validation:Optional
 	CloudwatchLoggingOptions []CloudwatchLoggingOptionsObservation `json:"cloudwatchLoggingOptions,omitempty" tf:"cloudwatch_logging_options,omitempty"`
 
 	// The current timestamp when the application was created.
 	CreateTimestamp *string `json:"createTimestamp,omitempty" tf:"create_timestamp,omitempty"`
 
+	// A summary description of the application.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether to force stop an unresponsive Flink-based application.
+	ForceStop *bool `json:"forceStop,omitempty" tf:"force_stop,omitempty"`
+
 	// The application identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The current timestamp when the application was last updated.
 	LastUpdateTimestamp *string `json:"lastUpdateTimestamp,omitempty" tf:"last_update_timestamp,omitempty"`
 
+	// The runtime environment for the application. Valid values: SQL-1_0, FLINK-1_6, FLINK-1_8, FLINK-1_11, FLINK-1_13, FLINK-1_15.
+	RuntimeEnvironment *string `json:"runtimeEnvironment,omitempty" tf:"runtime_environment,omitempty"`
+
+	// The ARN of the IAM role used by the application to access Kinesis data streams, Kinesis Data Firehose delivery streams, Amazon S3 objects, and other external resources.
+	ServiceExecutionRole *string `json:"serviceExecutionRole,omitempty" tf:"service_execution_role,omitempty"`
+
+	// Whether to start or stop the application.
+	StartApplication *bool `json:"startApplication,omitempty" tf:"start_application,omitempty"`
+
 	// The status of the application.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -125,8 +160,8 @@ type ApplicationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The runtime environment for the application. Valid values: SQL-1_0, FLINK-1_6, FLINK-1_8, FLINK-1_11, FLINK-1_13, FLINK-1_15.
-	// +kubebuilder:validation:Required
-	RuntimeEnvironment *string `json:"runtimeEnvironment" tf:"runtime_environment,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuntimeEnvironment *string `json:"runtimeEnvironment,omitempty" tf:"runtime_environment,omitempty"`
 
 	// The ARN of the IAM role used by the application to access Kinesis data streams, Kinesis Data Firehose delivery streams, Amazon S3 objects, and other external resources.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/iam/v1beta1.Role
@@ -152,6 +187,12 @@ type ApplicationParameters struct {
 }
 
 type ApplicationRestoreConfigurationObservation struct {
+
+	// Specifies how the application should be restored. Valid values: RESTORE_FROM_CUSTOM_SNAPSHOT, RESTORE_FROM_LATEST_SNAPSHOT, SKIP_RESTORE_FROM_SNAPSHOT.
+	ApplicationRestoreType *string `json:"applicationRestoreType,omitempty" tf:"application_restore_type,omitempty"`
+
+	// The identifier of an existing snapshot of application state to use to restart an application. The application uses this value if RESTORE_FROM_CUSTOM_SNAPSHOT is specified for application_restore_type.
+	SnapshotName *string `json:"snapshotName,omitempty" tf:"snapshot_name,omitempty"`
 }
 
 type ApplicationRestoreConfigurationParameters struct {
@@ -166,6 +207,9 @@ type ApplicationRestoreConfigurationParameters struct {
 }
 
 type ApplicationSnapshotConfigurationObservation struct {
+
+	// Describes whether snapshots are enabled for a Flink-based Kinesis Data Analytics application.
+	SnapshotsEnabled *bool `json:"snapshotsEnabled,omitempty" tf:"snapshots_enabled,omitempty"`
 }
 
 type ApplicationSnapshotConfigurationParameters struct {
@@ -176,6 +220,18 @@ type ApplicationSnapshotConfigurationParameters struct {
 }
 
 type CheckpointConfigurationObservation struct {
+
+	// Describes the interval in milliseconds between checkpoint operations.
+	CheckpointInterval *float64 `json:"checkpointInterval,omitempty" tf:"checkpoint_interval,omitempty"`
+
+	// Describes whether checkpointing is enabled for a Flink-based Kinesis Data Analytics application.
+	CheckpointingEnabled *bool `json:"checkpointingEnabled,omitempty" tf:"checkpointing_enabled,omitempty"`
+
+	// Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. Valid values: CUSTOM, DEFAULT. Set this attribute to CUSTOM in order for any specified checkpointing_enabled, checkpoint_interval, or min_pause_between_checkpoints attribute values to be effective. If this attribute is set to DEFAULT, the application will always use the following values:
+	ConfigurationType *string `json:"configurationType,omitempty" tf:"configuration_type,omitempty"`
+
+	// Describes the minimum time in milliseconds after a checkpoint operation completes that a new checkpoint operation can start.
+	MinPauseBetweenCheckpoints *float64 `json:"minPauseBetweenCheckpoints,omitempty" tf:"min_pause_between_checkpoints,omitempty"`
 }
 
 type CheckpointConfigurationParameters struct {
@@ -201,6 +257,9 @@ type CloudwatchLoggingOptionsObservation struct {
 
 	// The application identifier.
 	CloudwatchLoggingOptionID *string `json:"cloudwatchLoggingOptionId,omitempty" tf:"cloudwatch_logging_option_id,omitempty"`
+
+	// The ARN of the CloudWatch log stream to receive application messages.
+	LogStreamArn *string `json:"logStreamArn,omitempty" tf:"log_stream_arn,omitempty"`
 }
 
 type CloudwatchLoggingOptionsParameters struct {
@@ -221,6 +280,12 @@ type CloudwatchLoggingOptionsParameters struct {
 }
 
 type CodeContentObservation struct {
+
+	// Information about the Amazon S3 bucket containing the application code.
+	S3ContentLocation []S3ContentLocationObservation `json:"s3ContentLocation,omitempty" tf:"s3_content_location,omitempty"`
+
+	// The text-format code for the application.
+	TextContent *string `json:"textContent,omitempty" tf:"text_content,omitempty"`
 }
 
 type CodeContentParameters struct {
@@ -235,6 +300,12 @@ type CodeContentParameters struct {
 }
 
 type CsvMappingParametersObservation struct {
+
+	// The column delimiter. For example, in a CSV format, a comma (,) is the typical column delimiter.
+	RecordColumnDelimiter *string `json:"recordColumnDelimiter,omitempty" tf:"record_column_delimiter,omitempty"`
+
+	// The row delimiter. For example, in a CSV format, \n is the typical row delimiter.
+	RecordRowDelimiter *string `json:"recordRowDelimiter,omitempty" tf:"record_row_delimiter,omitempty"`
 }
 
 type CsvMappingParametersParameters struct {
@@ -249,6 +320,9 @@ type CsvMappingParametersParameters struct {
 }
 
 type DestinationSchemaObservation struct {
+
+	// The type of record format. Valid values: CSV, JSON.
+	RecordFormatType *string `json:"recordFormatType,omitempty" tf:"record_format_type,omitempty"`
 }
 
 type DestinationSchemaParameters struct {
@@ -259,6 +333,9 @@ type DestinationSchemaParameters struct {
 }
 
 type EnvironmentPropertiesObservation struct {
+
+	// Describes the execution property groups.
+	PropertyGroup []PropertyGroupObservation `json:"propertyGroup,omitempty" tf:"property_group,omitempty"`
 }
 
 type EnvironmentPropertiesParameters struct {
@@ -269,6 +346,15 @@ type EnvironmentPropertiesParameters struct {
 }
 
 type FlinkApplicationConfigurationObservation struct {
+
+	// Describes an application's checkpointing configuration.
+	CheckpointConfiguration []CheckpointConfigurationObservation `json:"checkpointConfiguration,omitempty" tf:"checkpoint_configuration,omitempty"`
+
+	// Describes configuration parameters for CloudWatch logging for an application.
+	MonitoringConfiguration []MonitoringConfigurationObservation `json:"monitoringConfiguration,omitempty" tf:"monitoring_configuration,omitempty"`
+
+	// Describes parameters for how an application executes multiple tasks simultaneously.
+	ParallelismConfiguration []ParallelismConfigurationObservation `json:"parallelismConfiguration,omitempty" tf:"parallelism_configuration,omitempty"`
 }
 
 type FlinkApplicationConfigurationParameters struct {
@@ -287,6 +373,9 @@ type FlinkApplicationConfigurationParameters struct {
 }
 
 type FlinkRunConfigurationObservation struct {
+
+	// When restoring from a snapshot, specifies whether the runtime is allowed to skip a state that cannot be mapped to the new program. Default is false.
+	AllowNonRestoredState *bool `json:"allowNonRestoredState,omitempty" tf:"allow_non_restored_state,omitempty"`
 }
 
 type FlinkRunConfigurationParameters struct {
@@ -297,6 +386,9 @@ type FlinkRunConfigurationParameters struct {
 }
 
 type InputLambdaProcessorObservation struct {
+
+	// The ARN of the Lambda function that operates on records in the stream.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type InputLambdaProcessorParameters struct {
@@ -311,9 +403,34 @@ type InputObservation struct {
 
 	// The application identifier.
 	InputID *string `json:"inputId,omitempty" tf:"input_id,omitempty"`
+
+	// Describes the number of in-application streams to create.
+	InputParallelism []InputParallelismObservation `json:"inputParallelism,omitempty" tf:"input_parallelism,omitempty"`
+
+	// The input processing configuration for the input.
+	// An input processor transforms records as they are received from the stream, before the application's SQL code executes.
+	InputProcessingConfiguration []InputProcessingConfigurationObservation `json:"inputProcessingConfiguration,omitempty" tf:"input_processing_configuration,omitempty"`
+
+	// Describes the format of the data in the streaming source, and how each data element maps to corresponding columns in the in-application stream that is being created.
+	InputSchema []InputSchemaObservation `json:"inputSchema,omitempty" tf:"input_schema,omitempty"`
+
+	// The point at which the application starts processing records from the streaming source.
+	InputStartingPositionConfiguration []InputStartingPositionConfigurationObservation `json:"inputStartingPositionConfiguration,omitempty" tf:"input_starting_position_configuration,omitempty"`
+
+	// If the streaming source is a Kinesis Data Firehose delivery stream, identifies the delivery stream's ARN.
+	KinesisFirehoseInput []KinesisFirehoseInputObservation `json:"kinesisFirehoseInput,omitempty" tf:"kinesis_firehose_input,omitempty"`
+
+	// If the streaming source is a Kinesis data stream, identifies the stream's Amazon Resource Name (ARN).
+	KinesisStreamsInput []KinesisStreamsInputObservation `json:"kinesisStreamsInput,omitempty" tf:"kinesis_streams_input,omitempty"`
+
+	// The name prefix to use when creating an in-application stream.
+	NamePrefix *string `json:"namePrefix,omitempty" tf:"name_prefix,omitempty"`
 }
 
 type InputParallelismObservation struct {
+
+	// The number of in-application streams to create.
+	Count *float64 `json:"count,omitempty" tf:"count,omitempty"`
 }
 
 type InputParallelismParameters struct {
@@ -356,6 +473,9 @@ type InputParameters struct {
 }
 
 type InputProcessingConfigurationObservation struct {
+
+	// Describes the Lambda function that is used to preprocess the records in the stream before being processed by your application code.
+	InputLambdaProcessor []InputLambdaProcessorObservation `json:"inputLambdaProcessor,omitempty" tf:"input_lambda_processor,omitempty"`
 }
 
 type InputProcessingConfigurationParameters struct {
@@ -366,6 +486,15 @@ type InputProcessingConfigurationParameters struct {
 }
 
 type InputSchemaObservation struct {
+
+	// Describes the mapping of each data element in the streaming source to the corresponding column in the in-application stream.
+	RecordColumn []RecordColumnObservation `json:"recordColumn,omitempty" tf:"record_column,omitempty"`
+
+	// Specifies the encoding of the records in the streaming source. For example, UTF-8.
+	RecordEncoding *string `json:"recordEncoding,omitempty" tf:"record_encoding,omitempty"`
+
+	// Specifies the format of the records on the streaming source.
+	RecordFormat []RecordFormatObservation `json:"recordFormat,omitempty" tf:"record_format,omitempty"`
 }
 
 type InputSchemaParameters struct {
@@ -384,6 +513,9 @@ type InputSchemaParameters struct {
 }
 
 type InputStartingPositionConfigurationObservation struct {
+
+	// The starting position on the stream. Valid values: LAST_STOPPED_POINT, NOW, TRIM_HORIZON.
+	InputStartingPosition *string `json:"inputStartingPosition,omitempty" tf:"input_starting_position,omitempty"`
 }
 
 type InputStartingPositionConfigurationParameters struct {
@@ -394,6 +526,9 @@ type InputStartingPositionConfigurationParameters struct {
 }
 
 type JSONMappingParametersObservation struct {
+
+	// The path to the top-level parent that contains the records.
+	RecordRowPath *string `json:"recordRowPath,omitempty" tf:"record_row_path,omitempty"`
 }
 
 type JSONMappingParametersParameters struct {
@@ -404,6 +539,9 @@ type JSONMappingParametersParameters struct {
 }
 
 type KinesisFirehoseInputObservation struct {
+
+	// The ARN of the Lambda function that operates on records in the stream.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type KinesisFirehoseInputParameters struct {
@@ -414,6 +552,9 @@ type KinesisFirehoseInputParameters struct {
 }
 
 type KinesisFirehoseOutputObservation struct {
+
+	// The ARN of the Lambda function that operates on records in the stream.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type KinesisFirehoseOutputParameters struct {
@@ -434,6 +575,9 @@ type KinesisFirehoseOutputParameters struct {
 }
 
 type KinesisStreamsInputObservation struct {
+
+	// The ARN of the Lambda function that operates on records in the stream.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type KinesisStreamsInputParameters struct {
@@ -454,6 +598,9 @@ type KinesisStreamsInputParameters struct {
 }
 
 type KinesisStreamsOutputObservation struct {
+
+	// The ARN of the Lambda function that operates on records in the stream.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type KinesisStreamsOutputParameters struct {
@@ -464,6 +611,9 @@ type KinesisStreamsOutputParameters struct {
 }
 
 type LambdaOutputObservation struct {
+
+	// The ARN of the Lambda function that operates on records in the stream.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type LambdaOutputParameters struct {
@@ -484,6 +634,12 @@ type LambdaOutputParameters struct {
 }
 
 type MappingParametersCsvMappingParametersObservation struct {
+
+	// The column delimiter. For example, in a CSV format, a comma (,) is the typical column delimiter.
+	RecordColumnDelimiter *string `json:"recordColumnDelimiter,omitempty" tf:"record_column_delimiter,omitempty"`
+
+	// The row delimiter. For example, in a CSV format, \n is the typical row delimiter.
+	RecordRowDelimiter *string `json:"recordRowDelimiter,omitempty" tf:"record_row_delimiter,omitempty"`
 }
 
 type MappingParametersCsvMappingParametersParameters struct {
@@ -498,6 +654,9 @@ type MappingParametersCsvMappingParametersParameters struct {
 }
 
 type MappingParametersJSONMappingParametersObservation struct {
+
+	// The path to the top-level parent that contains the records.
+	RecordRowPath *string `json:"recordRowPath,omitempty" tf:"record_row_path,omitempty"`
 }
 
 type MappingParametersJSONMappingParametersParameters struct {
@@ -508,6 +667,12 @@ type MappingParametersJSONMappingParametersParameters struct {
 }
 
 type MappingParametersObservation struct {
+
+	// Provides additional mapping information when the record format uses delimiters (for example, CSV).
+	CsvMappingParameters []CsvMappingParametersObservation `json:"csvMappingParameters,omitempty" tf:"csv_mapping_parameters,omitempty"`
+
+	// Provides additional mapping information when JSON is the record format on the streaming source.
+	JSONMappingParameters []JSONMappingParametersObservation `json:"jsonMappingParameters,omitempty" tf:"json_mapping_parameters,omitempty"`
 }
 
 type MappingParametersParameters struct {
@@ -522,6 +687,15 @@ type MappingParametersParameters struct {
 }
 
 type MonitoringConfigurationObservation struct {
+
+	// Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. Valid values: CUSTOM, DEFAULT. Set this attribute to CUSTOM in order for any specified checkpointing_enabled, checkpoint_interval, or min_pause_between_checkpoints attribute values to be effective. If this attribute is set to DEFAULT, the application will always use the following values:
+	ConfigurationType *string `json:"configurationType,omitempty" tf:"configuration_type,omitempty"`
+
+	// Describes the verbosity of the CloudWatch Logs for an application. Valid values: DEBUG, ERROR, INFO, WARN.
+	LogLevel *string `json:"logLevel,omitempty" tf:"log_level,omitempty"`
+
+	// Describes the granularity of the CloudWatch Logs for an application. Valid values: APPLICATION, OPERATOR, PARALLELISM, TASK.
+	MetricsLevel *string `json:"metricsLevel,omitempty" tf:"metrics_level,omitempty"`
 }
 
 type MonitoringConfigurationParameters struct {
@@ -541,6 +715,21 @@ type MonitoringConfigurationParameters struct {
 
 type OutputObservation struct {
 
+	// Describes the data format when records are written to the destination.
+	DestinationSchema []DestinationSchemaObservation `json:"destinationSchema,omitempty" tf:"destination_schema,omitempty"`
+
+	// Identifies a Kinesis Data Firehose delivery stream as the destination.
+	KinesisFirehoseOutput []KinesisFirehoseOutputObservation `json:"kinesisFirehoseOutput,omitempty" tf:"kinesis_firehose_output,omitempty"`
+
+	// Identifies a Kinesis data stream as the destination.
+	KinesisStreamsOutput []KinesisStreamsOutputObservation `json:"kinesisStreamsOutput,omitempty" tf:"kinesis_streams_output,omitempty"`
+
+	// Identifies a Lambda function as the destination.
+	LambdaOutput []LambdaOutputObservation `json:"lambdaOutput,omitempty" tf:"lambda_output,omitempty"`
+
+	// The name of the application.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The application identifier.
 	OutputID *string `json:"outputId,omitempty" tf:"output_id,omitempty"`
 }
@@ -569,6 +758,18 @@ type OutputParameters struct {
 }
 
 type ParallelismConfigurationObservation struct {
+
+	// Describes whether the Kinesis Data Analytics service can increase the parallelism of the application in response to increased throughput.
+	AutoScalingEnabled *bool `json:"autoScalingEnabled,omitempty" tf:"auto_scaling_enabled,omitempty"`
+
+	// Describes whether the application uses Kinesis Data Analytics' default checkpointing behavior. Valid values: CUSTOM, DEFAULT. Set this attribute to CUSTOM in order for any specified checkpointing_enabled, checkpoint_interval, or min_pause_between_checkpoints attribute values to be effective. If this attribute is set to DEFAULT, the application will always use the following values:
+	ConfigurationType *string `json:"configurationType,omitempty" tf:"configuration_type,omitempty"`
+
+	// Describes the initial number of parallel tasks that a Flink-based Kinesis Data Analytics application can perform.
+	Parallelism *float64 `json:"parallelism,omitempty" tf:"parallelism,omitempty"`
+
+	// Describes the number of parallel tasks that a Flink-based Kinesis Data Analytics application can perform per Kinesis Processing Unit (KPU) used by the application.
+	ParallelismPerKpu *float64 `json:"parallelismPerKpu,omitempty" tf:"parallelism_per_kpu,omitempty"`
 }
 
 type ParallelismConfigurationParameters struct {
@@ -591,6 +792,12 @@ type ParallelismConfigurationParameters struct {
 }
 
 type PropertyGroupObservation struct {
+
+	// The key of the application execution property key-value map.
+	PropertyGroupID *string `json:"propertyGroupId,omitempty" tf:"property_group_id,omitempty"`
+
+	// Application execution property key-value map.
+	PropertyMap map[string]*string `json:"propertyMap,omitempty" tf:"property_map,omitempty"`
 }
 
 type PropertyGroupParameters struct {
@@ -605,6 +812,15 @@ type PropertyGroupParameters struct {
 }
 
 type RecordColumnObservation struct {
+
+	// A reference to the data element in the streaming input or the reference data source.
+	Mapping *string `json:"mapping,omitempty" tf:"mapping,omitempty"`
+
+	// The name of the application.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The type of column created in the in-application input stream or reference table.
+	SQLType *string `json:"sqlType,omitempty" tf:"sql_type,omitempty"`
 }
 
 type RecordColumnParameters struct {
@@ -623,6 +839,12 @@ type RecordColumnParameters struct {
 }
 
 type RecordFormatMappingParametersObservation struct {
+
+	// Provides additional mapping information when the record format uses delimiters (for example, CSV).
+	CsvMappingParameters []MappingParametersCsvMappingParametersObservation `json:"csvMappingParameters,omitempty" tf:"csv_mapping_parameters,omitempty"`
+
+	// Provides additional mapping information when JSON is the record format on the streaming source.
+	JSONMappingParameters []MappingParametersJSONMappingParametersObservation `json:"jsonMappingParameters,omitempty" tf:"json_mapping_parameters,omitempty"`
 }
 
 type RecordFormatMappingParametersParameters struct {
@@ -637,6 +859,12 @@ type RecordFormatMappingParametersParameters struct {
 }
 
 type RecordFormatObservation struct {
+
+	// Provides additional mapping information specific to the record format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
+	MappingParameters []MappingParametersObservation `json:"mappingParameters,omitempty" tf:"mapping_parameters,omitempty"`
+
+	// The type of record format. Valid values: CSV, JSON.
+	RecordFormatType *string `json:"recordFormatType,omitempty" tf:"record_format_type,omitempty"`
 }
 
 type RecordFormatParameters struct {
@@ -654,6 +882,15 @@ type ReferenceDataSourceObservation struct {
 
 	// The application identifier.
 	ReferenceID *string `json:"referenceId,omitempty" tf:"reference_id,omitempty"`
+
+	// Describes the format of the data in the streaming source, and how each data element maps to corresponding columns created in the in-application stream.
+	ReferenceSchema []ReferenceSchemaObservation `json:"referenceSchema,omitempty" tf:"reference_schema,omitempty"`
+
+	// Identifies the S3 bucket and object that contains the reference data.
+	S3ReferenceDataSource []S3ReferenceDataSourceObservation `json:"s3ReferenceDataSource,omitempty" tf:"s3_reference_data_source,omitempty"`
+
+	// The name of the in-application table to create.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type ReferenceDataSourceParameters struct {
@@ -672,6 +909,15 @@ type ReferenceDataSourceParameters struct {
 }
 
 type ReferenceSchemaObservation struct {
+
+	// Describes the mapping of each data element in the streaming source to the corresponding column in the in-application stream.
+	RecordColumn []ReferenceSchemaRecordColumnObservation `json:"recordColumn,omitempty" tf:"record_column,omitempty"`
+
+	// Specifies the encoding of the records in the streaming source. For example, UTF-8.
+	RecordEncoding *string `json:"recordEncoding,omitempty" tf:"record_encoding,omitempty"`
+
+	// Specifies the format of the records on the streaming source.
+	RecordFormat []ReferenceSchemaRecordFormatObservation `json:"recordFormat,omitempty" tf:"record_format,omitempty"`
 }
 
 type ReferenceSchemaParameters struct {
@@ -690,6 +936,15 @@ type ReferenceSchemaParameters struct {
 }
 
 type ReferenceSchemaRecordColumnObservation struct {
+
+	// A reference to the data element in the streaming input or the reference data source.
+	Mapping *string `json:"mapping,omitempty" tf:"mapping,omitempty"`
+
+	// The name of the application.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The type of column created in the in-application input stream or reference table.
+	SQLType *string `json:"sqlType,omitempty" tf:"sql_type,omitempty"`
 }
 
 type ReferenceSchemaRecordColumnParameters struct {
@@ -708,6 +963,12 @@ type ReferenceSchemaRecordColumnParameters struct {
 }
 
 type ReferenceSchemaRecordFormatObservation struct {
+
+	// Provides additional mapping information specific to the record format (such as JSON, CSV, or record fields delimited by some delimiter) on the streaming source.
+	MappingParameters []RecordFormatMappingParametersObservation `json:"mappingParameters,omitempty" tf:"mapping_parameters,omitempty"`
+
+	// The type of record format. Valid values: CSV, JSON.
+	RecordFormatType *string `json:"recordFormatType,omitempty" tf:"record_format_type,omitempty"`
 }
 
 type ReferenceSchemaRecordFormatParameters struct {
@@ -722,6 +983,12 @@ type ReferenceSchemaRecordFormatParameters struct {
 }
 
 type RunConfigurationObservation struct {
+
+	// The restore behavior of a restarting application.
+	ApplicationRestoreConfiguration []ApplicationRestoreConfigurationObservation `json:"applicationRestoreConfiguration,omitempty" tf:"application_restore_configuration,omitempty"`
+
+	// The starting parameters for a Flink-based Kinesis Data Analytics application.
+	FlinkRunConfiguration []FlinkRunConfigurationObservation `json:"flinkRunConfiguration,omitempty" tf:"flink_run_configuration,omitempty"`
 }
 
 type RunConfigurationParameters struct {
@@ -736,6 +1003,15 @@ type RunConfigurationParameters struct {
 }
 
 type S3ContentLocationObservation struct {
+
+	// The ARN for the S3 bucket containing the application code.
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// The file key for the object containing the application code.
+	FileKey *string `json:"fileKey,omitempty" tf:"file_key,omitempty"`
+
+	// The version of the object containing the application code.
+	ObjectVersion *string `json:"objectVersion,omitempty" tf:"object_version,omitempty"`
 }
 
 type S3ContentLocationParameters struct {
@@ -774,6 +1050,12 @@ type S3ContentLocationParameters struct {
 }
 
 type S3ReferenceDataSourceObservation struct {
+
+	// The ARN for the S3 bucket containing the application code.
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// The file key for the object containing the application code.
+	FileKey *string `json:"fileKey,omitempty" tf:"file_key,omitempty"`
 }
 
 type S3ReferenceDataSourceParameters struct {
@@ -800,15 +1082,12 @@ type S3ReferenceDataSourceParameters struct {
 type SQLApplicationConfigurationObservation struct {
 
 	// The input stream used by the application.
-	// +kubebuilder:validation:Optional
 	Input []InputObservation `json:"input,omitempty" tf:"input,omitempty"`
 
 	// The destination streams used by the application.
-	// +kubebuilder:validation:Optional
 	Output []OutputObservation `json:"output,omitempty" tf:"output,omitempty"`
 
 	// The reference data source used by the application.
-	// +kubebuilder:validation:Optional
 	ReferenceDataSource []ReferenceDataSourceObservation `json:"referenceDataSource,omitempty" tf:"reference_data_source,omitempty"`
 }
 
@@ -829,6 +1108,12 @@ type SQLApplicationConfigurationParameters struct {
 
 type VPCConfigurationObservation struct {
 
+	// The Security Group IDs used by the VPC configuration.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// The Subnet IDs used by the VPC configuration.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	// The application identifier.
 	VPCConfigurationID *string `json:"vpcConfigurationId,omitempty" tf:"vpc_configuration_id,omitempty"`
 
@@ -871,8 +1156,9 @@ type ApplicationStatus struct {
 type Application struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ApplicationSpec   `json:"spec"`
-	Status            ApplicationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.runtimeEnvironment)",message="runtimeEnvironment is a required parameter"
+	Spec   ApplicationSpec   `json:"spec"`
+	Status ApplicationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kinesisanalyticsv2/v1beta1/zz_applicationsnapshot_types.go b/apis/kinesisanalyticsv2/v1beta1/zz_applicationsnapshot_types.go
index 86e8892052..dc225d3798 100755
--- a/apis/kinesisanalyticsv2/v1beta1/zz_applicationsnapshot_types.go
+++ b/apis/kinesisanalyticsv2/v1beta1/zz_applicationsnapshot_types.go
@@ -15,6 +15,9 @@ import (
 
 type ApplicationSnapshotObservation struct {
 
+	// The name of an existing  Kinesis Analytics v2 Application. Note that the application must be running for a snapshot to be created.
+	ApplicationName *string `json:"applicationName,omitempty" tf:"application_name,omitempty"`
+
 	// The current application version ID when the snapshot was created.
 	ApplicationVersionID *float64 `json:"applicationVersionId,omitempty" tf:"application_version_id,omitempty"`
 
diff --git a/apis/kinesisanalyticsv2/v1beta1/zz_generated.deepcopy.go b/apis/kinesisanalyticsv2/v1beta1/zz_generated.deepcopy.go
index 855da78989..c9de6a74eb 100644
--- a/apis/kinesisanalyticsv2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/kinesisanalyticsv2/v1beta1/zz_generated.deepcopy.go
@@ -44,6 +44,18 @@ func (in *Application) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationCodeConfigurationObservation) DeepCopyInto(out *ApplicationCodeConfigurationObservation) {
 	*out = *in
+	if in.CodeContent != nil {
+		in, out := &in.CodeContent, &out.CodeContent
+		*out = make([]CodeContentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CodeContentType != nil {
+		in, out := &in.CodeContentType, &out.CodeContentType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationCodeConfigurationObservation.
@@ -86,6 +98,41 @@ func (in *ApplicationCodeConfigurationParameters) DeepCopy() *ApplicationCodeCon
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationConfigurationObservation) DeepCopyInto(out *ApplicationConfigurationObservation) {
 	*out = *in
+	if in.ApplicationCodeConfiguration != nil {
+		in, out := &in.ApplicationCodeConfiguration, &out.ApplicationCodeConfiguration
+		*out = make([]ApplicationCodeConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ApplicationSnapshotConfiguration != nil {
+		in, out := &in.ApplicationSnapshotConfiguration, &out.ApplicationSnapshotConfiguration
+		*out = make([]ApplicationSnapshotConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnvironmentProperties != nil {
+		in, out := &in.EnvironmentProperties, &out.EnvironmentProperties
+		*out = make([]EnvironmentPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FlinkApplicationConfiguration != nil {
+		in, out := &in.FlinkApplicationConfiguration, &out.FlinkApplicationConfiguration
+		*out = make([]FlinkApplicationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RunConfiguration != nil {
+		in, out := &in.RunConfiguration, &out.RunConfiguration
+		*out = make([]RunConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.SQLApplicationConfiguration != nil {
 		in, out := &in.SQLApplicationConfiguration, &out.SQLApplicationConfiguration
 		*out = make([]SQLApplicationConfigurationObservation, len(*in))
@@ -235,6 +282,16 @@ func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceStop != nil {
+		in, out := &in.ForceStop, &out.ForceStop
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -245,11 +302,41 @@ func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RuntimeEnvironment != nil {
+		in, out := &in.RuntimeEnvironment, &out.RuntimeEnvironment
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceExecutionRole != nil {
+		in, out := &in.ServiceExecutionRole, &out.ServiceExecutionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartApplication != nil {
+		in, out := &in.StartApplication, &out.StartApplication
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -369,6 +456,16 @@ func (in *ApplicationParameters) DeepCopy() *ApplicationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationRestoreConfigurationObservation) DeepCopyInto(out *ApplicationRestoreConfigurationObservation) {
 	*out = *in
+	if in.ApplicationRestoreType != nil {
+		in, out := &in.ApplicationRestoreType, &out.ApplicationRestoreType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotName != nil {
+		in, out := &in.SnapshotName, &out.SnapshotName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationRestoreConfigurationObservation.
@@ -436,6 +533,11 @@ func (in *ApplicationSnapshot) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationSnapshotConfigurationObservation) DeepCopyInto(out *ApplicationSnapshotConfigurationObservation) {
 	*out = *in
+	if in.SnapshotsEnabled != nil {
+		in, out := &in.SnapshotsEnabled, &out.SnapshotsEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationSnapshotConfigurationObservation.
@@ -503,6 +605,11 @@ func (in *ApplicationSnapshotList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationSnapshotObservation) DeepCopyInto(out *ApplicationSnapshotObservation) {
 	*out = *in
+	if in.ApplicationName != nil {
+		in, out := &in.ApplicationName, &out.ApplicationName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ApplicationVersionID != nil {
 		in, out := &in.ApplicationVersionID, &out.ApplicationVersionID
 		*out = new(float64)
@@ -636,6 +743,26 @@ func (in *ApplicationStatus) DeepCopy() *ApplicationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CheckpointConfigurationObservation) DeepCopyInto(out *CheckpointConfigurationObservation) {
 	*out = *in
+	if in.CheckpointInterval != nil {
+		in, out := &in.CheckpointInterval, &out.CheckpointInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CheckpointingEnabled != nil {
+		in, out := &in.CheckpointingEnabled, &out.CheckpointingEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ConfigurationType != nil {
+		in, out := &in.ConfigurationType, &out.ConfigurationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.MinPauseBetweenCheckpoints != nil {
+		in, out := &in.MinPauseBetweenCheckpoints, &out.MinPauseBetweenCheckpoints
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CheckpointConfigurationObservation.
@@ -691,6 +818,11 @@ func (in *CloudwatchLoggingOptionsObservation) DeepCopyInto(out *CloudwatchLoggi
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogStreamArn != nil {
+		in, out := &in.LogStreamArn, &out.LogStreamArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchLoggingOptionsObservation.
@@ -736,6 +868,18 @@ func (in *CloudwatchLoggingOptionsParameters) DeepCopy() *CloudwatchLoggingOptio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CodeContentObservation) DeepCopyInto(out *CodeContentObservation) {
 	*out = *in
+	if in.S3ContentLocation != nil {
+		in, out := &in.S3ContentLocation, &out.S3ContentLocation
+		*out = make([]S3ContentLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TextContent != nil {
+		in, out := &in.TextContent, &out.TextContent
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CodeContentObservation.
@@ -778,6 +922,16 @@ func (in *CodeContentParameters) DeepCopy() *CodeContentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CsvMappingParametersObservation) DeepCopyInto(out *CsvMappingParametersObservation) {
 	*out = *in
+	if in.RecordColumnDelimiter != nil {
+		in, out := &in.RecordColumnDelimiter, &out.RecordColumnDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordRowDelimiter != nil {
+		in, out := &in.RecordRowDelimiter, &out.RecordRowDelimiter
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CsvMappingParametersObservation.
@@ -818,6 +972,11 @@ func (in *CsvMappingParametersParameters) DeepCopy() *CsvMappingParametersParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationSchemaObservation) DeepCopyInto(out *DestinationSchemaObservation) {
 	*out = *in
+	if in.RecordFormatType != nil {
+		in, out := &in.RecordFormatType, &out.RecordFormatType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationSchemaObservation.
@@ -853,6 +1012,13 @@ func (in *DestinationSchemaParameters) DeepCopy() *DestinationSchemaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvironmentPropertiesObservation) DeepCopyInto(out *EnvironmentPropertiesObservation) {
 	*out = *in
+	if in.PropertyGroup != nil {
+		in, out := &in.PropertyGroup, &out.PropertyGroup
+		*out = make([]PropertyGroupObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvironmentPropertiesObservation.
@@ -890,6 +1056,27 @@ func (in *EnvironmentPropertiesParameters) DeepCopy() *EnvironmentPropertiesPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FlinkApplicationConfigurationObservation) DeepCopyInto(out *FlinkApplicationConfigurationObservation) {
 	*out = *in
+	if in.CheckpointConfiguration != nil {
+		in, out := &in.CheckpointConfiguration, &out.CheckpointConfiguration
+		*out = make([]CheckpointConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MonitoringConfiguration != nil {
+		in, out := &in.MonitoringConfiguration, &out.MonitoringConfiguration
+		*out = make([]MonitoringConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ParallelismConfiguration != nil {
+		in, out := &in.ParallelismConfiguration, &out.ParallelismConfiguration
+		*out = make([]ParallelismConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlinkApplicationConfigurationObservation.
@@ -941,6 +1128,11 @@ func (in *FlinkApplicationConfigurationParameters) DeepCopy() *FlinkApplicationC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FlinkRunConfigurationObservation) DeepCopyInto(out *FlinkRunConfigurationObservation) {
 	*out = *in
+	if in.AllowNonRestoredState != nil {
+		in, out := &in.AllowNonRestoredState, &out.AllowNonRestoredState
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlinkRunConfigurationObservation.
@@ -976,6 +1168,11 @@ func (in *FlinkRunConfigurationParameters) DeepCopy() *FlinkRunConfigurationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputLambdaProcessorObservation) DeepCopyInto(out *InputLambdaProcessorObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputLambdaProcessorObservation.
@@ -1027,6 +1224,53 @@ func (in *InputObservation) DeepCopyInto(out *InputObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.InputParallelism != nil {
+		in, out := &in.InputParallelism, &out.InputParallelism
+		*out = make([]InputParallelismObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputProcessingConfiguration != nil {
+		in, out := &in.InputProcessingConfiguration, &out.InputProcessingConfiguration
+		*out = make([]InputProcessingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputSchema != nil {
+		in, out := &in.InputSchema, &out.InputSchema
+		*out = make([]InputSchemaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputStartingPositionConfiguration != nil {
+		in, out := &in.InputStartingPositionConfiguration, &out.InputStartingPositionConfiguration
+		*out = make([]InputStartingPositionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisFirehoseInput != nil {
+		in, out := &in.KinesisFirehoseInput, &out.KinesisFirehoseInput
+		*out = make([]KinesisFirehoseInputObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisStreamsInput != nil {
+		in, out := &in.KinesisStreamsInput, &out.KinesisStreamsInput
+		*out = make([]KinesisStreamsInputObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NamePrefix != nil {
+		in, out := &in.NamePrefix, &out.NamePrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputObservation.
@@ -1042,6 +1286,11 @@ func (in *InputObservation) DeepCopy() *InputObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputParallelismObservation) DeepCopyInto(out *InputParallelismObservation) {
 	*out = *in
+	if in.Count != nil {
+		in, out := &in.Count, &out.Count
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputParallelismObservation.
@@ -1139,6 +1388,13 @@ func (in *InputParameters) DeepCopy() *InputParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputProcessingConfigurationObservation) DeepCopyInto(out *InputProcessingConfigurationObservation) {
 	*out = *in
+	if in.InputLambdaProcessor != nil {
+		in, out := &in.InputLambdaProcessor, &out.InputLambdaProcessor
+		*out = make([]InputLambdaProcessorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputProcessingConfigurationObservation.
@@ -1176,6 +1432,25 @@ func (in *InputProcessingConfigurationParameters) DeepCopy() *InputProcessingCon
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputSchemaObservation) DeepCopyInto(out *InputSchemaObservation) {
 	*out = *in
+	if in.RecordColumn != nil {
+		in, out := &in.RecordColumn, &out.RecordColumn
+		*out = make([]RecordColumnObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordEncoding != nil {
+		in, out := &in.RecordEncoding, &out.RecordEncoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordFormat != nil {
+		in, out := &in.RecordFormat, &out.RecordFormat
+		*out = make([]RecordFormatObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputSchemaObservation.
@@ -1225,7 +1500,12 @@ func (in *InputSchemaParameters) DeepCopy() *InputSchemaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputStartingPositionConfigurationObservation) DeepCopyInto(out *InputStartingPositionConfigurationObservation) {
 	*out = *in
-}
+	if in.InputStartingPosition != nil {
+		in, out := &in.InputStartingPosition, &out.InputStartingPosition
+		*out = new(string)
+		**out = **in
+	}
+}
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputStartingPositionConfigurationObservation.
 func (in *InputStartingPositionConfigurationObservation) DeepCopy() *InputStartingPositionConfigurationObservation {
@@ -1260,6 +1540,11 @@ func (in *InputStartingPositionConfigurationParameters) DeepCopy() *InputStartin
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JSONMappingParametersObservation) DeepCopyInto(out *JSONMappingParametersObservation) {
 	*out = *in
+	if in.RecordRowPath != nil {
+		in, out := &in.RecordRowPath, &out.RecordRowPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JSONMappingParametersObservation.
@@ -1295,6 +1580,11 @@ func (in *JSONMappingParametersParameters) DeepCopy() *JSONMappingParametersPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisFirehoseInputObservation) DeepCopyInto(out *KinesisFirehoseInputObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisFirehoseInputObservation.
@@ -1330,6 +1620,11 @@ func (in *KinesisFirehoseInputParameters) DeepCopy() *KinesisFirehoseInputParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisFirehoseOutputObservation) DeepCopyInto(out *KinesisFirehoseOutputObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisFirehoseOutputObservation.
@@ -1375,6 +1670,11 @@ func (in *KinesisFirehoseOutputParameters) DeepCopy() *KinesisFirehoseOutputPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisStreamsInputObservation) DeepCopyInto(out *KinesisStreamsInputObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisStreamsInputObservation.
@@ -1420,6 +1720,11 @@ func (in *KinesisStreamsInputParameters) DeepCopy() *KinesisStreamsInputParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisStreamsOutputObservation) DeepCopyInto(out *KinesisStreamsOutputObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisStreamsOutputObservation.
@@ -1455,6 +1760,11 @@ func (in *KinesisStreamsOutputParameters) DeepCopy() *KinesisStreamsOutputParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaOutputObservation) DeepCopyInto(out *LambdaOutputObservation) {
 	*out = *in
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaOutputObservation.
@@ -1500,6 +1810,16 @@ func (in *LambdaOutputParameters) DeepCopy() *LambdaOutputParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MappingParametersCsvMappingParametersObservation) DeepCopyInto(out *MappingParametersCsvMappingParametersObservation) {
 	*out = *in
+	if in.RecordColumnDelimiter != nil {
+		in, out := &in.RecordColumnDelimiter, &out.RecordColumnDelimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordRowDelimiter != nil {
+		in, out := &in.RecordRowDelimiter, &out.RecordRowDelimiter
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MappingParametersCsvMappingParametersObservation.
@@ -1540,6 +1860,11 @@ func (in *MappingParametersCsvMappingParametersParameters) DeepCopy() *MappingPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MappingParametersJSONMappingParametersObservation) DeepCopyInto(out *MappingParametersJSONMappingParametersObservation) {
 	*out = *in
+	if in.RecordRowPath != nil {
+		in, out := &in.RecordRowPath, &out.RecordRowPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MappingParametersJSONMappingParametersObservation.
@@ -1575,6 +1900,20 @@ func (in *MappingParametersJSONMappingParametersParameters) DeepCopy() *MappingP
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MappingParametersObservation) DeepCopyInto(out *MappingParametersObservation) {
 	*out = *in
+	if in.CsvMappingParameters != nil {
+		in, out := &in.CsvMappingParameters, &out.CsvMappingParameters
+		*out = make([]CsvMappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.JSONMappingParameters != nil {
+		in, out := &in.JSONMappingParameters, &out.JSONMappingParameters
+		*out = make([]JSONMappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MappingParametersObservation.
@@ -1619,6 +1958,21 @@ func (in *MappingParametersParameters) DeepCopy() *MappingParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MonitoringConfigurationObservation) DeepCopyInto(out *MonitoringConfigurationObservation) {
 	*out = *in
+	if in.ConfigurationType != nil {
+		in, out := &in.ConfigurationType, &out.ConfigurationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogLevel != nil {
+		in, out := &in.LogLevel, &out.LogLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetricsLevel != nil {
+		in, out := &in.MetricsLevel, &out.MetricsLevel
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MonitoringConfigurationObservation.
@@ -1664,6 +2018,39 @@ func (in *MonitoringConfigurationParameters) DeepCopy() *MonitoringConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputObservation) DeepCopyInto(out *OutputObservation) {
 	*out = *in
+	if in.DestinationSchema != nil {
+		in, out := &in.DestinationSchema, &out.DestinationSchema
+		*out = make([]DestinationSchemaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisFirehoseOutput != nil {
+		in, out := &in.KinesisFirehoseOutput, &out.KinesisFirehoseOutput
+		*out = make([]KinesisFirehoseOutputObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KinesisStreamsOutput != nil {
+		in, out := &in.KinesisStreamsOutput, &out.KinesisStreamsOutput
+		*out = make([]KinesisStreamsOutputObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LambdaOutput != nil {
+		in, out := &in.LambdaOutput, &out.LambdaOutput
+		*out = make([]LambdaOutputObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OutputID != nil {
 		in, out := &in.OutputID, &out.OutputID
 		*out = new(string)
@@ -1732,6 +2119,26 @@ func (in *OutputParameters) DeepCopy() *OutputParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParallelismConfigurationObservation) DeepCopyInto(out *ParallelismConfigurationObservation) {
 	*out = *in
+	if in.AutoScalingEnabled != nil {
+		in, out := &in.AutoScalingEnabled, &out.AutoScalingEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ConfigurationType != nil {
+		in, out := &in.ConfigurationType, &out.ConfigurationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parallelism != nil {
+		in, out := &in.Parallelism, &out.Parallelism
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParallelismPerKpu != nil {
+		in, out := &in.ParallelismPerKpu, &out.ParallelismPerKpu
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParallelismConfigurationObservation.
@@ -1782,6 +2189,26 @@ func (in *ParallelismConfigurationParameters) DeepCopy() *ParallelismConfigurati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PropertyGroupObservation) DeepCopyInto(out *PropertyGroupObservation) {
 	*out = *in
+	if in.PropertyGroupID != nil {
+		in, out := &in.PropertyGroupID, &out.PropertyGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PropertyMap != nil {
+		in, out := &in.PropertyMap, &out.PropertyMap
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PropertyGroupObservation.
@@ -1832,6 +2259,21 @@ func (in *PropertyGroupParameters) DeepCopy() *PropertyGroupParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordColumnObservation) DeepCopyInto(out *RecordColumnObservation) {
 	*out = *in
+	if in.Mapping != nil {
+		in, out := &in.Mapping, &out.Mapping
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQLType != nil {
+		in, out := &in.SQLType, &out.SQLType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordColumnObservation.
@@ -1877,6 +2319,20 @@ func (in *RecordColumnParameters) DeepCopy() *RecordColumnParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordFormatMappingParametersObservation) DeepCopyInto(out *RecordFormatMappingParametersObservation) {
 	*out = *in
+	if in.CsvMappingParameters != nil {
+		in, out := &in.CsvMappingParameters, &out.CsvMappingParameters
+		*out = make([]MappingParametersCsvMappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.JSONMappingParameters != nil {
+		in, out := &in.JSONMappingParameters, &out.JSONMappingParameters
+		*out = make([]MappingParametersJSONMappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordFormatMappingParametersObservation.
@@ -1921,6 +2377,18 @@ func (in *RecordFormatMappingParametersParameters) DeepCopy() *RecordFormatMappi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordFormatObservation) DeepCopyInto(out *RecordFormatObservation) {
 	*out = *in
+	if in.MappingParameters != nil {
+		in, out := &in.MappingParameters, &out.MappingParameters
+		*out = make([]MappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordFormatType != nil {
+		in, out := &in.RecordFormatType, &out.RecordFormatType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordFormatObservation.
@@ -1968,6 +2436,25 @@ func (in *ReferenceDataSourceObservation) DeepCopyInto(out *ReferenceDataSourceO
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReferenceSchema != nil {
+		in, out := &in.ReferenceSchema, &out.ReferenceSchema
+		*out = make([]ReferenceSchemaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3ReferenceDataSource != nil {
+		in, out := &in.S3ReferenceDataSource, &out.S3ReferenceDataSource
+		*out = make([]S3ReferenceDataSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceDataSourceObservation.
@@ -2017,6 +2504,25 @@ func (in *ReferenceDataSourceParameters) DeepCopy() *ReferenceDataSourceParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReferenceSchemaObservation) DeepCopyInto(out *ReferenceSchemaObservation) {
 	*out = *in
+	if in.RecordColumn != nil {
+		in, out := &in.RecordColumn, &out.RecordColumn
+		*out = make([]ReferenceSchemaRecordColumnObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordEncoding != nil {
+		in, out := &in.RecordEncoding, &out.RecordEncoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordFormat != nil {
+		in, out := &in.RecordFormat, &out.RecordFormat
+		*out = make([]ReferenceSchemaRecordFormatObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceSchemaObservation.
@@ -2066,6 +2572,21 @@ func (in *ReferenceSchemaParameters) DeepCopy() *ReferenceSchemaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReferenceSchemaRecordColumnObservation) DeepCopyInto(out *ReferenceSchemaRecordColumnObservation) {
 	*out = *in
+	if in.Mapping != nil {
+		in, out := &in.Mapping, &out.Mapping
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQLType != nil {
+		in, out := &in.SQLType, &out.SQLType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceSchemaRecordColumnObservation.
@@ -2111,6 +2632,18 @@ func (in *ReferenceSchemaRecordColumnParameters) DeepCopy() *ReferenceSchemaReco
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReferenceSchemaRecordFormatObservation) DeepCopyInto(out *ReferenceSchemaRecordFormatObservation) {
 	*out = *in
+	if in.MappingParameters != nil {
+		in, out := &in.MappingParameters, &out.MappingParameters
+		*out = make([]RecordFormatMappingParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordFormatType != nil {
+		in, out := &in.RecordFormatType, &out.RecordFormatType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceSchemaRecordFormatObservation.
@@ -2153,6 +2686,20 @@ func (in *ReferenceSchemaRecordFormatParameters) DeepCopy() *ReferenceSchemaReco
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunConfigurationObservation) DeepCopyInto(out *RunConfigurationObservation) {
 	*out = *in
+	if in.ApplicationRestoreConfiguration != nil {
+		in, out := &in.ApplicationRestoreConfiguration, &out.ApplicationRestoreConfiguration
+		*out = make([]ApplicationRestoreConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FlinkRunConfiguration != nil {
+		in, out := &in.FlinkRunConfiguration, &out.FlinkRunConfiguration
+		*out = make([]FlinkRunConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunConfigurationObservation.
@@ -2197,6 +2744,21 @@ func (in *RunConfigurationParameters) DeepCopy() *RunConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ContentLocationObservation) DeepCopyInto(out *S3ContentLocationObservation) {
 	*out = *in
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileKey != nil {
+		in, out := &in.FileKey, &out.FileKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectVersion != nil {
+		in, out := &in.ObjectVersion, &out.ObjectVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ContentLocationObservation.
@@ -2262,6 +2824,16 @@ func (in *S3ContentLocationParameters) DeepCopy() *S3ContentLocationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ReferenceDataSourceObservation) DeepCopyInto(out *S3ReferenceDataSourceObservation) {
 	*out = *in
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileKey != nil {
+		in, out := &in.FileKey, &out.FileKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ReferenceDataSourceObservation.
@@ -2384,6 +2956,28 @@ func (in *SQLApplicationConfigurationParameters) DeepCopy() *SQLApplicationConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigurationObservation) DeepCopyInto(out *VPCConfigurationObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCConfigurationID != nil {
 		in, out := &in.VPCConfigurationID, &out.VPCConfigurationID
 		*out = new(string)
diff --git a/apis/kinesisvideo/v1beta1/zz_generated.deepcopy.go b/apis/kinesisvideo/v1beta1/zz_generated.deepcopy.go
index 61da4ced8b..c7b00d0c2d 100644
--- a/apis/kinesisvideo/v1beta1/zz_generated.deepcopy.go
+++ b/apis/kinesisvideo/v1beta1/zz_generated.deepcopy.go
@@ -86,11 +86,51 @@ func (in *StreamObservation) DeepCopyInto(out *StreamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DataRetentionInHours != nil {
+		in, out := &in.DataRetentionInHours, &out.DataRetentionInHours
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MediaType != nil {
+		in, out := &in.MediaType, &out.MediaType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/kinesisvideo/v1beta1/zz_stream_types.go b/apis/kinesisvideo/v1beta1/zz_stream_types.go
index 32422f9284..4fca012337 100755
--- a/apis/kinesisvideo/v1beta1/zz_stream_types.go
+++ b/apis/kinesisvideo/v1beta1/zz_stream_types.go
@@ -21,9 +21,28 @@ type StreamObservation struct {
 	// A time stamp that indicates when the stream was created.
 	CreationTime *string `json:"creationTime,omitempty" tf:"creation_time,omitempty"`
 
+	// –  The number of hours that you want to retain the data in the stream. Kinesis Video Streams retains the data in a data store that is associated with the stream. The default value is 0, indicating that the stream does not persist data.
+	DataRetentionInHours *float64 `json:"dataRetentionInHours,omitempty" tf:"data_retention_in_hours,omitempty"`
+
+	// The name of the device that is writing to the stream. In the current implementation, Kinesis Video Streams does not use this name.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
 	// The unique Stream id
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ID of the AWS Key Management Service (AWS KMS) key that you want Kinesis Video Streams to use to encrypt stream data. If no key ID is specified, the default, Kinesis Video-managed key (aws/kinesisvideo) is used.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The media type of the stream. Consumers of the stream can use this information when processing the stream. For more information about media types, see Media Types. If you choose to specify the MediaType, see Naming Requirements for guidelines.
+	MediaType *string `json:"mediaType,omitempty" tf:"media_type,omitempty"`
+
+	// A name to identify the stream. This is unique to the
+	// AWS account and region the Stream is created in.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -60,8 +79,8 @@ type StreamParameters struct {
 
 	// A name to identify the stream. This is unique to the
 	// AWS account and region the Stream is created in.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -97,8 +116,9 @@ type StreamStatus struct {
 type Stream struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StreamSpec   `json:"spec"`
-	Status            StreamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   StreamSpec   `json:"spec"`
+	Status StreamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kms/v1beta1/zz_alias_types.go b/apis/kms/v1beta1/zz_alias_types.go
index 30791ca62c..3aed59867c 100755
--- a/apis/kms/v1beta1/zz_alias_types.go
+++ b/apis/kms/v1beta1/zz_alias_types.go
@@ -22,6 +22,9 @@ type AliasObservation struct {
 
 	// The Amazon Resource Name (ARN) of the target key identifier.
 	TargetKeyArn *string `json:"targetKeyArn,omitempty" tf:"target_key_arn,omitempty"`
+
+	// Identifier for the key for which the alias is for, can be either an ARN or key_id.
+	TargetKeyID *string `json:"targetKeyId,omitempty" tf:"target_key_id,omitempty"`
 }
 
 type AliasParameters struct {
diff --git a/apis/kms/v1beta1/zz_ciphertext_types.go b/apis/kms/v1beta1/zz_ciphertext_types.go
index 666a5e458e..4ac59e93dd 100755
--- a/apis/kms/v1beta1/zz_ciphertext_types.go
+++ b/apis/kms/v1beta1/zz_ciphertext_types.go
@@ -18,7 +18,13 @@ type CiphertextObservation struct {
 	// Base64 encoded ciphertext
 	CiphertextBlob *string `json:"ciphertextBlob,omitempty" tf:"ciphertext_blob,omitempty"`
 
+	// An optional mapping that makes up the encryption context.
+	Context map[string]*string `json:"context,omitempty" tf:"context,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Globally unique key ID for the customer master key.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
 }
 
 type CiphertextParameters struct {
@@ -41,7 +47,7 @@ type CiphertextParameters struct {
 	KeyIDSelector *v1.Selector `json:"keyIdSelector,omitempty" tf:"-"`
 
 	// Data to be encrypted. Note that this may show up in logs, and it will be stored in the state file.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	PlaintextSecretRef v1.SecretKeySelector `json:"plaintextSecretRef" tf:"-"`
 
 	// Region is the region you'd like your resource to be created in.
@@ -74,8 +80,9 @@ type CiphertextStatus struct {
 type Ciphertext struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CiphertextSpec   `json:"spec"`
-	Status            CiphertextStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.plaintextSecretRef)",message="plaintextSecretRef is a required parameter"
+	Spec   CiphertextSpec   `json:"spec"`
+	Status CiphertextStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kms/v1beta1/zz_externalkey_types.go b/apis/kms/v1beta1/zz_externalkey_types.go
index 5a759b493c..b6bd948dec 100755
--- a/apis/kms/v1beta1/zz_externalkey_types.go
+++ b/apis/kms/v1beta1/zz_externalkey_types.go
@@ -18,6 +18,18 @@ type ExternalKeyObservation struct {
 	// The Amazon Resource Name (ARN) of the key.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies whether to disable the policy lockout check performed when creating or updating the key's policy. Setting this value to true increases the risk that the key becomes unmanageable. For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide. Defaults to false.
+	BypassPolicyLockoutSafetyCheck *bool `json:"bypassPolicyLockoutSafetyCheck,omitempty" tf:"bypass_policy_lockout_safety_check,omitempty"`
+
+	// Duration in days after which the key is deleted after destruction of the resource. Must be between 7 and 30 days. Defaults to 30.
+	DeletionWindowInDays *float64 `json:"deletionWindowInDays,omitempty" tf:"deletion_window_in_days,omitempty"`
+
+	// Description of the key.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Specifies whether the key is enabled. Keys pending import can only be false. Imported keys default to true unless expired.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
 	ExpirationModel *string `json:"expirationModel,omitempty" tf:"expiration_model,omitempty"`
 
@@ -30,8 +42,20 @@ type ExternalKeyObservation struct {
 	// The cryptographic operations for which you can use the CMK.
 	KeyUsage *string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"`
 
+	// Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
+	MultiRegion *bool `json:"multiRegion,omitempty" tf:"multi_region,omitempty"`
+
+	// A key policy JSON document. If you do not provide a key policy, AWS KMS attaches a default key policy to the CMK.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the CMK becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
+	ValidTo *string `json:"validTo,omitempty" tf:"valid_to,omitempty"`
 }
 
 type ExternalKeyParameters struct {
diff --git a/apis/kms/v1beta1/zz_generated.deepcopy.go b/apis/kms/v1beta1/zz_generated.deepcopy.go
index 87a249cb27..9231418ba0 100644
--- a/apis/kms/v1beta1/zz_generated.deepcopy.go
+++ b/apis/kms/v1beta1/zz_generated.deepcopy.go
@@ -91,6 +91,11 @@ func (in *AliasObservation) DeepCopyInto(out *AliasObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.TargetKeyID != nil {
+		in, out := &in.TargetKeyID, &out.TargetKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AliasObservation.
@@ -239,11 +244,31 @@ func (in *CiphertextObservation) DeepCopyInto(out *CiphertextObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Context != nil {
+		in, out := &in.Context, &out.Context
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiphertextObservation.
@@ -344,6 +369,36 @@ func (in *CiphertextStatus) DeepCopy() *CiphertextStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConstraintsObservation) DeepCopyInto(out *ConstraintsObservation) {
 	*out = *in
+	if in.EncryptionContextEquals != nil {
+		in, out := &in.EncryptionContextEquals, &out.EncryptionContextEquals
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.EncryptionContextSubset != nil {
+		in, out := &in.EncryptionContextSubset, &out.EncryptionContextSubset
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConstraintsObservation.
@@ -468,6 +523,26 @@ func (in *ExternalKeyObservation) DeepCopyInto(out *ExternalKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BypassPolicyLockoutSafetyCheck != nil {
+		in, out := &in.BypassPolicyLockoutSafetyCheck, &out.BypassPolicyLockoutSafetyCheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeletionWindowInDays != nil {
+		in, out := &in.DeletionWindowInDays, &out.DeletionWindowInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ExpirationModel != nil {
 		in, out := &in.ExpirationModel, &out.ExpirationModel
 		*out = new(string)
@@ -488,6 +563,31 @@ func (in *ExternalKeyObservation) DeepCopyInto(out *ExternalKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MultiRegion != nil {
+		in, out := &in.MultiRegion, &out.MultiRegion
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -503,6 +603,11 @@ func (in *ExternalKeyObservation) DeepCopyInto(out *ExternalKeyObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.ValidTo != nil {
+		in, out := &in.ValidTo, &out.ValidTo
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExternalKeyObservation.
@@ -686,6 +791,24 @@ func (in *GrantList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GrantObservation) DeepCopyInto(out *GrantObservation) {
 	*out = *in
+	if in.Constraints != nil {
+		in, out := &in.Constraints, &out.Constraints
+		*out = make([]ConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GrantCreationTokens != nil {
+		in, out := &in.GrantCreationTokens, &out.GrantCreationTokens
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.GrantID != nil {
 		in, out := &in.GrantID, &out.GrantID
 		*out = new(string)
@@ -696,11 +819,47 @@ func (in *GrantObservation) DeepCopyInto(out *GrantObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.GranteePrincipal != nil {
+		in, out := &in.GranteePrincipal, &out.GranteePrincipal
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Operations != nil {
+		in, out := &in.Operations, &out.Operations
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RetireOnDelete != nil {
+		in, out := &in.RetireOnDelete, &out.RetireOnDelete
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RetiringPrincipal != nil {
+		in, out := &in.RetiringPrincipal, &out.RetiringPrincipal
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GrantObservation.
@@ -908,16 +1067,81 @@ func (in *KeyObservation) DeepCopyInto(out *KeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BypassPolicyLockoutSafetyCheck != nil {
+		in, out := &in.BypassPolicyLockoutSafetyCheck, &out.BypassPolicyLockoutSafetyCheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CustomKeyStoreID != nil {
+		in, out := &in.CustomKeyStoreID, &out.CustomKeyStoreID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerMasterKeySpec != nil {
+		in, out := &in.CustomerMasterKeySpec, &out.CustomerMasterKeySpec
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeletionWindowInDays != nil {
+		in, out := &in.DeletionWindowInDays, &out.DeletionWindowInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableKeyRotation != nil {
+		in, out := &in.EnableKeyRotation, &out.EnableKeyRotation
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IsEnabled != nil {
+		in, out := &in.IsEnabled, &out.IsEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.KeyID != nil {
 		in, out := &in.KeyID, &out.KeyID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyUsage != nil {
+		in, out := &in.KeyUsage, &out.KeyUsage
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultiRegion != nil {
+		in, out := &in.MultiRegion, &out.MultiRegion
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1131,6 +1355,26 @@ func (in *ReplicaExternalKeyObservation) DeepCopyInto(out *ReplicaExternalKeyObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.BypassPolicyLockoutSafetyCheck != nil {
+		in, out := &in.BypassPolicyLockoutSafetyCheck, &out.BypassPolicyLockoutSafetyCheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeletionWindowInDays != nil {
+		in, out := &in.DeletionWindowInDays, &out.DeletionWindowInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ExpirationModel != nil {
 		in, out := &in.ExpirationModel, &out.ExpirationModel
 		*out = new(string)
@@ -1156,6 +1400,31 @@ func (in *ReplicaExternalKeyObservation) DeepCopyInto(out *ReplicaExternalKeyObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrimaryKeyArn != nil {
+		in, out := &in.PrimaryKeyArn, &out.PrimaryKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1171,6 +1440,11 @@ func (in *ReplicaExternalKeyObservation) DeepCopyInto(out *ReplicaExternalKeyObs
 			(*out)[key] = outVal
 		}
 	}
+	if in.ValidTo != nil {
+		in, out := &in.ValidTo, &out.ValidTo
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaExternalKeyObservation.
@@ -1369,6 +1643,26 @@ func (in *ReplicaKeyObservation) DeepCopyInto(out *ReplicaKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BypassPolicyLockoutSafetyCheck != nil {
+		in, out := &in.BypassPolicyLockoutSafetyCheck, &out.BypassPolicyLockoutSafetyCheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeletionWindowInDays != nil {
+		in, out := &in.DeletionWindowInDays, &out.DeletionWindowInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1394,6 +1688,31 @@ func (in *ReplicaKeyObservation) DeepCopyInto(out *ReplicaKeyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrimaryKeyArn != nil {
+		in, out := &in.PrimaryKeyArn, &out.PrimaryKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/kms/v1beta1/zz_grant_types.go b/apis/kms/v1beta1/zz_grant_types.go
index ca81852b90..11773beed3 100755
--- a/apis/kms/v1beta1/zz_grant_types.go
+++ b/apis/kms/v1beta1/zz_grant_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ConstraintsObservation struct {
+
+	// A list of key-value pairs that must match the encryption context in subsequent cryptographic operation requests. The grant allows the operation only when the encryption context in the request is the same as the encryption context specified in this constraint. Conflicts with encryption_context_subset.
+	EncryptionContextEquals map[string]*string `json:"encryptionContextEquals,omitempty" tf:"encryption_context_equals,omitempty"`
+
+	// A list of key-value pairs that must be included in the encryption context of subsequent cryptographic operation requests. The grant allows the cryptographic operation only when the encryption context in the request includes the key-value pairs specified in this constraint, although it can include additional key-value pairs. Conflicts with encryption_context_equals.
+	EncryptionContextSubset map[string]*string `json:"encryptionContextSubset,omitempty" tf:"encryption_context_subset,omitempty"`
 }
 
 type ConstraintsParameters struct {
@@ -29,13 +35,38 @@ type ConstraintsParameters struct {
 
 type GrantObservation struct {
 
+	// A structure that you can use to allow certain operations in the grant only when the desired encryption context is present. For more information about encryption context, see Encryption Context.
+	Constraints []ConstraintsObservation `json:"constraints,omitempty" tf:"constraints,omitempty"`
+
+	// A list of grant tokens to be used when creating the grant. See Grant Tokens for more information about grant tokens.
+	GrantCreationTokens []*string `json:"grantCreationTokens,omitempty" tf:"grant_creation_tokens,omitempty"`
+
 	// The unique identifier for the grant.
 	GrantID *string `json:"grantId,omitempty" tf:"grant_id,omitempty"`
 
 	// The grant token for the created grant. For more information, see Grant Tokens.
 	GrantToken *string `json:"grantToken,omitempty" tf:"grant_token,omitempty"`
 
+	// The principal that is given permission to perform the operations that the grant permits in ARN format.
+	GranteePrincipal *string `json:"granteePrincipal,omitempty" tf:"grantee_principal,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+	// A friendly name for identifying the grant.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, or GenerateDataKeyPairWithoutPlaintext.
+	Operations []*string `json:"operations,omitempty" tf:"operations,omitempty"`
+
+	// (Defaults to false, Forces new resources) If set to false (the default) the grants will be revoked upon deletion, and if set to true the grants will try to be retired upon deletion. Note that retiring grants requires special permissions, hence why we default to revoking grants.
+	// See RetireGrant for more information.
+	RetireOnDelete *bool `json:"retireOnDelete,omitempty" tf:"retire_on_delete,omitempty"`
+
+	// The principal that is given permission to retire the grant by using RetireGrant operation in ARN format.
+	RetiringPrincipal *string `json:"retiringPrincipal,omitempty" tf:"retiring_principal,omitempty"`
 }
 
 type GrantParameters struct {
@@ -81,8 +112,8 @@ type GrantParameters struct {
 	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A list of operations that the grant permits. The permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext, ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant, RetireGrant, DescribeKey, GenerateDataKeyPair, or GenerateDataKeyPairWithoutPlaintext.
-	// +kubebuilder:validation:Required
-	Operations []*string `json:"operations" tf:"operations,omitempty"`
+	// +kubebuilder:validation:Optional
+	Operations []*string `json:"operations,omitempty" tf:"operations,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -123,8 +154,9 @@ type GrantStatus struct {
 type Grant struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GrantSpec   `json:"spec"`
-	Status            GrantStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.operations)",message="operations is a required parameter"
+	Spec   GrantSpec   `json:"spec"`
+	Status GrantStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/kms/v1beta1/zz_key_types.go b/apis/kms/v1beta1/zz_key_types.go
index 352baed30f..4c889308fa 100755
--- a/apis/kms/v1beta1/zz_key_types.go
+++ b/apis/kms/v1beta1/zz_key_types.go
@@ -18,11 +18,51 @@ type KeyObservation struct {
 	// The Amazon Resource Name (ARN) of the key.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A flag to indicate whether to bypass the key policy lockout safety check.
+	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
+	// For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
+	// The default value is false.
+	BypassPolicyLockoutSafetyCheck *bool `json:"bypassPolicyLockoutSafetyCheck,omitempty" tf:"bypass_policy_lockout_safety_check,omitempty"`
+
+	// ID of the KMS Custom Key Store where the key will be stored instead of KMS (eg CloudHSM).
+	CustomKeyStoreID *string `json:"customKeyStoreId,omitempty" tf:"custom_key_store_id,omitempty"`
+
+	// Specifies whether the key contains a symmetric key or an asymmetric key pair and the encryption algorithms or signing algorithms that the key supports.
+	// Valid values: SYMMETRIC_DEFAULT,  RSA_2048, RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384, ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT. For help with choosing a key spec, see the AWS KMS Developer Guide.
+	CustomerMasterKeySpec *string `json:"customerMasterKeySpec,omitempty" tf:"customer_master_key_spec,omitempty"`
+
+	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
+	// If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30.
+	// If the KMS key is a multi-Region primary key with replicas, the waiting period begins when the last of its replica keys is deleted. Otherwise, the waiting period begins immediately.
+	DeletionWindowInDays *float64 `json:"deletionWindowInDays,omitempty" tf:"deletion_window_in_days,omitempty"`
+
+	// The description of the key as viewed in AWS console.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Specifies whether key rotation is enabled. Defaults to false.
+	EnableKeyRotation *bool `json:"enableKeyRotation,omitempty" tf:"enable_key_rotation,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies whether the key is enabled. Defaults to true.
+	IsEnabled *bool `json:"isEnabled,omitempty" tf:"is_enabled,omitempty"`
+
 	// The globally unique identifier for the key.
 	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
 
+	// Specifies the intended use of the key. Valid values: ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC.
+	// Defaults to ENCRYPT_DECRYPT.
+	KeyUsage *string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"`
+
+	// Indicates whether the KMS key is a multi-Region (true) or regional (false) key. Defaults to false.
+	MultiRegion *bool `json:"multiRegion,omitempty" tf:"multi_region,omitempty"`
+
+	// A valid policy JSON document. Although this is a key policy, not an IAM policy, an aws_iam_policy_document, in the form that designates a principal, can be used.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/kms/v1beta1/zz_replicaexternalkey_types.go b/apis/kms/v1beta1/zz_replicaexternalkey_types.go
index 78d3a861a7..b85011fa0b 100755
--- a/apis/kms/v1beta1/zz_replicaexternalkey_types.go
+++ b/apis/kms/v1beta1/zz_replicaexternalkey_types.go
@@ -18,6 +18,22 @@ type ReplicaExternalKeyObservation struct {
 	// The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A flag to indicate whether to bypass the key policy lockout safety check.
+	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
+	// For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
+	// The default value is false.
+	BypassPolicyLockoutSafetyCheck *bool `json:"bypassPolicyLockoutSafetyCheck,omitempty" tf:"bypass_policy_lockout_safety_check,omitempty"`
+
+	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
+	// If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30.
+	DeletionWindowInDays *float64 `json:"deletionWindowInDays,omitempty" tf:"deletion_window_in_days,omitempty"`
+
+	// A description of the KMS key.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. Keys pending import can only be false. Imported keys default to true unless expired.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// Whether the key material expires. Empty when pending key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
 	ExpirationModel *string `json:"expirationModel,omitempty" tf:"expiration_model,omitempty"`
 
@@ -32,8 +48,20 @@ type ReplicaExternalKeyObservation struct {
 	// The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
 	KeyUsage *string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"`
 
+	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
+	PrimaryKeyArn *string `json:"primaryKeyArn,omitempty" tf:"primary_key_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Time at which the imported key material expires. When the key material expires, AWS KMS deletes the key material and the key becomes unusable. If not specified, key material does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)
+	ValidTo *string `json:"validTo,omitempty" tf:"valid_to,omitempty"`
 }
 
 type ReplicaExternalKeyParameters struct {
diff --git a/apis/kms/v1beta1/zz_replicakey_types.go b/apis/kms/v1beta1/zz_replicakey_types.go
index e454d53ae6..0c9c029ca9 100755
--- a/apis/kms/v1beta1/zz_replicakey_types.go
+++ b/apis/kms/v1beta1/zz_replicakey_types.go
@@ -18,6 +18,22 @@ type ReplicaKeyObservation struct {
 	// The Amazon Resource Name (ARN) of the replica key. The key ARNs of related multi-Region keys differ only in the Region value.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A flag to indicate whether to bypass the key policy lockout safety check.
+	// Setting this value to true increases the risk that the KMS key becomes unmanageable. Do not set this value to true indiscriminately.
+	// For more information, refer to the scenario in the Default Key Policy section in the AWS Key Management Service Developer Guide.
+	// The default value is false.
+	BypassPolicyLockoutSafetyCheck *bool `json:"bypassPolicyLockoutSafetyCheck,omitempty" tf:"bypass_policy_lockout_safety_check,omitempty"`
+
+	// The waiting period, specified in number of days. After the waiting period ends, AWS KMS deletes the KMS key.
+	// If you specify a value, it must be between 7 and 30, inclusive. If you do not specify a value, it defaults to 30.
+	DeletionWindowInDays *float64 `json:"deletionWindowInDays,omitempty" tf:"deletion_window_in_days,omitempty"`
+
+	// A description of the KMS key.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Specifies whether the replica key is enabled. Disabled KMS keys cannot be used in cryptographic operations. The default value is true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The key ID of the replica key. Related multi-Region keys have the same key ID.
@@ -32,6 +48,15 @@ type ReplicaKeyObservation struct {
 	// The cryptographic operations for which you can use the KMS key. This is a shared property of multi-Region keys.
 	KeyUsage *string `json:"keyUsage,omitempty" tf:"key_usage,omitempty"`
 
+	// The key policy to attach to the KMS key. If you do not specify a key policy, AWS KMS attaches the default key policy to the KMS key.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// The ARN of the multi-Region primary key to replicate. The primary key must be in a different AWS Region of the same AWS Partition. You can create only one replica of a given primary key in each AWS Region.
+	PrimaryKeyArn *string `json:"primaryKeyArn,omitempty" tf:"primary_key_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/lakeformation/v1beta1/zz_datalakesettings_types.go b/apis/lakeformation/v1beta1/zz_datalakesettings_types.go
index e3a17a18d9..7fe3b6cb5f 100755
--- a/apis/lakeformation/v1beta1/zz_datalakesettings_types.go
+++ b/apis/lakeformation/v1beta1/zz_datalakesettings_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CreateDatabaseDefaultPermissionsObservation struct {
+
+	// List of permissions that are granted to the principal. Valid values may include ALL, SELECT, ALTER, DROP, DELETE, INSERT, DESCRIBE, and CREATE_TABLE. For more details, see Lake Formation Permissions Reference.
+	Permissions []*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
+	// Principal who is granted permissions. To enforce metadata and underlying data access control only by IAM on new databases and tables set principal to IAM_ALLOWED_PRINCIPALS and permissions to ["ALL"].
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 }
 
 type CreateDatabaseDefaultPermissionsParameters struct {
@@ -28,6 +34,12 @@ type CreateDatabaseDefaultPermissionsParameters struct {
 }
 
 type CreateTableDefaultPermissionsObservation struct {
+
+	// List of permissions that are granted to the principal. Valid values may include ALL, SELECT, ALTER, DROP, DELETE, INSERT, and DESCRIBE. For more details, see Lake Formation Permissions Reference.
+	Permissions []*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
+	// Principal who is granted permissions. To enforce metadata and underlying data access control only by IAM on new databases and tables set principal to IAM_ALLOWED_PRINCIPALS and permissions to ["ALL"].
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 }
 
 type CreateTableDefaultPermissionsParameters struct {
@@ -42,7 +54,23 @@ type CreateTableDefaultPermissionsParameters struct {
 }
 
 type DataLakeSettingsObservation struct {
+
+	// –  Set of ARNs of AWS Lake Formation principals (IAM users or roles).
+	Admins []*string `json:"admins,omitempty" tf:"admins,omitempty"`
+
+	// –  Identifier for the Data Catalog. By default, the account ID.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Up to three configuration blocks of principal permissions for default create database permissions. Detailed below.
+	CreateDatabaseDefaultPermissions []CreateDatabaseDefaultPermissionsObservation `json:"createDatabaseDefaultPermissions,omitempty" tf:"create_database_default_permissions,omitempty"`
+
+	// Up to three configuration blocks of principal permissions for default create table permissions. Detailed below.
+	CreateTableDefaultPermissions []CreateTableDefaultPermissionsObservation `json:"createTableDefaultPermissions,omitempty" tf:"create_table_default_permissions,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// owning account IDs that the caller's account can use to share their user access details (user ARNs).
+	TrustedResourceOwners []*string `json:"trustedResourceOwners,omitempty" tf:"trusted_resource_owners,omitempty"`
 }
 
 type DataLakeSettingsParameters struct {
diff --git a/apis/lakeformation/v1beta1/zz_generated.deepcopy.go b/apis/lakeformation/v1beta1/zz_generated.deepcopy.go
index ce663bf9a7..70d2c271be 100644
--- a/apis/lakeformation/v1beta1/zz_generated.deepcopy.go
+++ b/apis/lakeformation/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,22 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CreateDatabaseDefaultPermissionsObservation) DeepCopyInto(out *CreateDatabaseDefaultPermissionsObservation) {
 	*out = *in
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CreateDatabaseDefaultPermissionsObservation.
@@ -63,6 +79,22 @@ func (in *CreateDatabaseDefaultPermissionsParameters) DeepCopy() *CreateDatabase
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CreateTableDefaultPermissionsObservation) DeepCopyInto(out *CreateTableDefaultPermissionsObservation) {
 	*out = *in
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CreateTableDefaultPermissionsObservation.
@@ -168,11 +200,52 @@ func (in *DataLakeSettingsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataLakeSettingsObservation) DeepCopyInto(out *DataLakeSettingsObservation) {
 	*out = *in
+	if in.Admins != nil {
+		in, out := &in.Admins, &out.Admins
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CreateDatabaseDefaultPermissions != nil {
+		in, out := &in.CreateDatabaseDefaultPermissions, &out.CreateDatabaseDefaultPermissions
+		*out = make([]CreateDatabaseDefaultPermissionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CreateTableDefaultPermissions != nil {
+		in, out := &in.CreateTableDefaultPermissions, &out.CreateTableDefaultPermissions
+		*out = make([]CreateTableDefaultPermissionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.TrustedResourceOwners != nil {
+		in, out := &in.TrustedResourceOwners, &out.TrustedResourceOwners
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataLakeSettingsObservation.
@@ -283,6 +356,16 @@ func (in *DataLakeSettingsStatus) DeepCopy() *DataLakeSettingsStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataLocationObservation) DeepCopyInto(out *DataLocationObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataLocationObservation.
@@ -333,6 +416,16 @@ func (in *DataLocationParameters) DeepCopy() *DataLocationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DatabaseObservation) DeepCopyInto(out *DatabaseObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DatabaseObservation.
@@ -383,6 +476,22 @@ func (in *DatabaseParameters) DeepCopy() *DatabaseParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExpressionObservation) DeepCopyInto(out *ExpressionObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExpressionObservation.
@@ -429,6 +538,27 @@ func (in *ExpressionParameters) DeepCopy() *ExpressionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LfTagObservation) DeepCopyInto(out *LfTagObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LfTagObservation.
@@ -480,6 +610,23 @@ func (in *LfTagParameters) DeepCopy() *LfTagParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LfTagPolicyObservation) DeepCopyInto(out *LfTagPolicyObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = make([]ExpressionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LfTagPolicyObservation.
@@ -586,11 +733,90 @@ func (in *PermissionsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PermissionsObservation) DeepCopyInto(out *PermissionsObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CatalogResource != nil {
+		in, out := &in.CatalogResource, &out.CatalogResource
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DataLocation != nil {
+		in, out := &in.DataLocation, &out.DataLocation
+		*out = make([]DataLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Database != nil {
+		in, out := &in.Database, &out.Database
+		*out = make([]DatabaseObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LfTag != nil {
+		in, out := &in.LfTag, &out.LfTag
+		*out = make([]LfTagObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LfTagPolicy != nil {
+		in, out := &in.LfTagPolicy, &out.LfTagPolicy
+		*out = make([]LfTagPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PermissionsWithGrantOption != nil {
+		in, out := &in.PermissionsWithGrantOption, &out.PermissionsWithGrantOption
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
+	if in.Table != nil {
+		in, out := &in.Table, &out.Table
+		*out = make([]TableObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TableWithColumns != nil {
+		in, out := &in.TableWithColumns, &out.TableWithColumns
+		*out = make([]TableWithColumnsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionsObservation.
@@ -798,6 +1024,11 @@ func (in *ResourceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceObservation) DeepCopyInto(out *ResourceObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -808,6 +1039,11 @@ func (in *ResourceObservation) DeepCopyInto(out *ResourceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceObservation.
@@ -897,6 +1133,26 @@ func (in *ResourceStatus) DeepCopy() *ResourceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TableObservation) DeepCopyInto(out *TableObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Wildcard != nil {
+		in, out := &in.Wildcard, &out.Wildcard
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TableObservation.
@@ -947,6 +1203,48 @@ func (in *TableParameters) DeepCopy() *TableParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TableWithColumnsObservation) DeepCopyInto(out *TableWithColumnsObservation) {
 	*out = *in
+	if in.CatalogID != nil {
+		in, out := &in.CatalogID, &out.CatalogID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ColumnNames != nil {
+		in, out := &in.ColumnNames, &out.ColumnNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExcludedColumnNames != nil {
+		in, out := &in.ExcludedColumnNames, &out.ExcludedColumnNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Wildcard != nil {
+		in, out := &in.Wildcard, &out.Wildcard
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TableWithColumnsObservation.
diff --git a/apis/lakeformation/v1beta1/zz_permissions_types.go b/apis/lakeformation/v1beta1/zz_permissions_types.go
index 3351c9cf0e..95d2e5c0ac 100755
--- a/apis/lakeformation/v1beta1/zz_permissions_types.go
+++ b/apis/lakeformation/v1beta1/zz_permissions_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type DataLocationObservation struct {
+
+	// –  Amazon Resource Name (ARN) that uniquely identifies the data location resource.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Identifier for the Data Catalog where the location is registered with Lake Formation. By default, it is the account ID of the caller.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
 }
 
 type DataLocationParameters struct {
@@ -38,6 +44,12 @@ type DataLocationParameters struct {
 }
 
 type DatabaseObservation struct {
+
+	// Identifier for the Data Catalog. By default, it is the account ID of the caller.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// –  Name of the database resource. Unique to the Data Catalog.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type DatabaseParameters struct {
@@ -61,6 +73,12 @@ type DatabaseParameters struct {
 }
 
 type ExpressionObservation struct {
+
+	// name of an LF-Tag.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A list of possible values of an LF-Tag.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type ExpressionParameters struct {
@@ -75,6 +93,15 @@ type ExpressionParameters struct {
 }
 
 type LfTagObservation struct {
+
+	// Identifier for the Data Catalog. By default, it is the account ID of the caller.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// name for the tag.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A list of possible values an attribute can take.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type LfTagParameters struct {
@@ -93,6 +120,15 @@ type LfTagParameters struct {
 }
 
 type LfTagPolicyObservation struct {
+
+	// Identifier for the Data Catalog. By default, it is the account ID of the caller.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// A list of tag conditions that apply to the resource's tag policy. Configuration block for tag conditions that apply to the policy. See expression below.
+	Expression []ExpressionObservation `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// –  The resource type for which the tag policy applies. Valid values are DATABASE and TABLE.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
 }
 
 type LfTagPolicyParameters struct {
@@ -111,7 +147,41 @@ type LfTagPolicyParameters struct {
 }
 
 type PermissionsObservation struct {
+
+	// –  Identifier for the Data Catalog. By default, the account ID. The Data Catalog is the persistent metadata store. It contains database definitions, table definitions, and other control information to manage your Lake Formation environment.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Whether the permissions are to be granted for the Data Catalog. Defaults to false.
+	CatalogResource *bool `json:"catalogResource,omitempty" tf:"catalog_resource,omitempty"`
+
+	// Configuration block for a data location resource. Detailed below.
+	DataLocation []DataLocationObservation `json:"dataLocation,omitempty" tf:"data_location,omitempty"`
+
+	// Configuration block for a database resource. Detailed below.
+	Database []DatabaseObservation `json:"database,omitempty" tf:"database,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Configuration block for an LF-tag resource. Detailed below.
+	LfTag []LfTagObservation `json:"lfTag,omitempty" tf:"lf_tag,omitempty"`
+
+	// Configuration block for an LF-tag policy resource. Detailed below.
+	LfTagPolicy []LfTagPolicyObservation `json:"lfTagPolicy,omitempty" tf:"lf_tag_policy,omitempty"`
+
+	// –  List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
+	Permissions []*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
+	// Subset of permissions which the principal can pass.
+	PermissionsWithGrantOption []*string `json:"permissionsWithGrantOption,omitempty" tf:"permissions_with_grant_option,omitempty"`
+
+	// account permissions. For more information, see Lake Formation Permissions Reference.
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
+
+	// Configuration block for a table resource. Detailed below.
+	Table []TableObservation `json:"table,omitempty" tf:"table,omitempty"`
+
+	// Configuration block for a table with columns resource. Detailed below.
+	TableWithColumns []TableWithColumnsObservation `json:"tableWithColumns,omitempty" tf:"table_with_columns,omitempty"`
 }
 
 type PermissionsParameters struct {
@@ -141,16 +211,16 @@ type PermissionsParameters struct {
 	LfTagPolicy []LfTagPolicyParameters `json:"lfTagPolicy,omitempty" tf:"lf_tag_policy,omitempty"`
 
 	// –  List of permissions granted to the principal. Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE, CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP, INSERT, and SELECT. For details on each permission, see Lake Formation Permissions Reference.
-	// +kubebuilder:validation:Required
-	Permissions []*string `json:"permissions" tf:"permissions,omitempty"`
+	// +kubebuilder:validation:Optional
+	Permissions []*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
 
 	// Subset of permissions which the principal can pass.
 	// +kubebuilder:validation:Optional
 	PermissionsWithGrantOption []*string `json:"permissionsWithGrantOption,omitempty" tf:"permissions_with_grant_option,omitempty"`
 
 	// account permissions. For more information, see Lake Formation Permissions Reference.
-	// +kubebuilder:validation:Required
-	Principal *string `json:"principal" tf:"principal,omitempty"`
+	// +kubebuilder:validation:Optional
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -167,6 +237,18 @@ type PermissionsParameters struct {
 }
 
 type TableObservation struct {
+
+	// Identifier for the Data Catalog. By default, it is the account ID of the caller.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// –  Name of the database for the table. Unique to a Data Catalog.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// Name of the table.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Whether to use a wildcard representing every table under a database. Defaults to false.
+	Wildcard *bool `json:"wildcard,omitempty" tf:"wildcard,omitempty"`
 }
 
 type TableParameters struct {
@@ -189,6 +271,24 @@ type TableParameters struct {
 }
 
 type TableWithColumnsObservation struct {
+
+	// Identifier for the Data Catalog. By default, it is the account ID of the caller.
+	CatalogID *string `json:"catalogId,omitempty" tf:"catalog_id,omitempty"`
+
+	// Set of column names for the table.
+	ColumnNames []*string `json:"columnNames,omitempty" tf:"column_names,omitempty"`
+
+	// –  Name of the database for the table with columns resource. Unique to the Data Catalog.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// Set of column names for the table to exclude.
+	ExcludedColumnNames []*string `json:"excludedColumnNames,omitempty" tf:"excluded_column_names,omitempty"`
+
+	// –  Name of the table resource.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Whether to use a column wildcard.
+	Wildcard *bool `json:"wildcard,omitempty" tf:"wildcard,omitempty"`
 }
 
 type TableWithColumnsParameters struct {
@@ -251,8 +351,10 @@ type PermissionsStatus struct {
 type Permissions struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PermissionsSpec   `json:"spec"`
-	Status            PermissionsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissions)",message="permissions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)",message="principal is a required parameter"
+	Spec   PermissionsSpec   `json:"spec"`
+	Status PermissionsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lakeformation/v1beta1/zz_resource_types.go b/apis/lakeformation/v1beta1/zz_resource_types.go
index f8900ab037..6ea16932e2 100755
--- a/apis/lakeformation/v1beta1/zz_resource_types.go
+++ b/apis/lakeformation/v1beta1/zz_resource_types.go
@@ -14,17 +14,24 @@ import (
 )
 
 type ResourceObservation struct {
+
+	// –  Amazon Resource Name (ARN) of the resource, an S3 path.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date and time the resource was last modified in RFC 3339 format.
 	LastModified *string `json:"lastModified,omitempty" tf:"last_modified,omitempty"`
+
+	// linked role must exist and is used.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type ResourceParameters struct {
 
 	// –  Amazon Resource Name (ARN) of the resource, an S3 path.
-	// +kubebuilder:validation:Required
-	Arn *string `json:"arn" tf:"arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -70,8 +77,9 @@ type ResourceStatus struct {
 type Resource struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceSpec   `json:"spec"`
-	Status            ResourceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.arn)",message="arn is a required parameter"
+	Spec   ResourceSpec   `json:"spec"`
+	Status ResourceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_alias_types.go b/apis/lambda/v1beta1/zz_alias_types.go
index d56fdc0cdc..99f088b1ae 100755
--- a/apis/lambda/v1beta1/zz_alias_types.go
+++ b/apis/lambda/v1beta1/zz_alias_types.go
@@ -18,10 +18,22 @@ type AliasObservation struct {
 	// The Amazon Resource Name (ARN) identifying your Lambda function alias.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the alias.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Lambda Function name or ARN.
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
+
+	// Lambda function version for which you are creating the alias. Pattern: (\$LATEST|[0-9]+).
+	FunctionVersion *string `json:"functionVersion,omitempty" tf:"function_version,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The ARN to be used for invoking Lambda Function from API Gateway - to be used in aws_api_gateway_integration's uri
 	InvokeArn *string `json:"invokeArn,omitempty" tf:"invoke_arn,omitempty"`
+
+	// The Lambda alias' route configuration settings. Fields documented below
+	RoutingConfig []RoutingConfigObservation `json:"routingConfig,omitempty" tf:"routing_config,omitempty"`
 }
 
 type AliasParameters struct {
@@ -44,8 +56,8 @@ type AliasParameters struct {
 	FunctionNameSelector *v1.Selector `json:"functionNameSelector,omitempty" tf:"-"`
 
 	// Lambda function version for which you are creating the alias. Pattern: (\$LATEST|[0-9]+).
-	// +kubebuilder:validation:Required
-	FunctionVersion *string `json:"functionVersion" tf:"function_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	FunctionVersion *string `json:"functionVersion,omitempty" tf:"function_version,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -58,6 +70,9 @@ type AliasParameters struct {
 }
 
 type RoutingConfigObservation struct {
+
+	// A map that defines the proportion of events that should be sent to different versions of a lambda function.
+	AdditionalVersionWeights map[string]*float64 `json:"additionalVersionWeights,omitempty" tf:"additional_version_weights,omitempty"`
 }
 
 type RoutingConfigParameters struct {
@@ -91,8 +106,9 @@ type AliasStatus struct {
 type Alias struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AliasSpec   `json:"spec"`
-	Status            AliasStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.functionVersion)",message="functionVersion is a required parameter"
+	Spec   AliasSpec   `json:"spec"`
+	Status AliasStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_codesigningconfig_types.go b/apis/lambda/v1beta1/zz_codesigningconfig_types.go
index 7a11fc7f77..e19f5b3c14 100755
--- a/apis/lambda/v1beta1/zz_codesigningconfig_types.go
+++ b/apis/lambda/v1beta1/zz_codesigningconfig_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AllowedPublishersObservation struct {
+
+	// The Amazon Resource Name (ARN) for each of the signing profiles. A signing profile defines a trusted user who can sign a code package.
+	SigningProfileVersionArns []*string `json:"signingProfileVersionArns,omitempty" tf:"signing_profile_version_arns,omitempty"`
 }
 
 type AllowedPublishersParameters struct {
@@ -35,23 +38,32 @@ type AllowedPublishersParameters struct {
 
 type CodeSigningConfigObservation struct {
 
+	// A configuration block of allowed publishers as signing profiles for this code signing configuration. Detailed below.
+	AllowedPublishers []AllowedPublishersObservation `json:"allowedPublishers,omitempty" tf:"allowed_publishers,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the code signing configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Unique identifier for the code signing configuration.
 	ConfigID *string `json:"configId,omitempty" tf:"config_id,omitempty"`
 
+	// Descriptive name for this code signing configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date and time that the code signing configuration was last modified.
 	LastModified *string `json:"lastModified,omitempty" tf:"last_modified,omitempty"`
+
+	// A configuration block of code signing policies that define the actions to take if the validation checks fail. Detailed below.
+	Policies []PoliciesObservation `json:"policies,omitempty" tf:"policies,omitempty"`
 }
 
 type CodeSigningConfigParameters struct {
 
 	// A configuration block of allowed publishers as signing profiles for this code signing configuration. Detailed below.
-	// +kubebuilder:validation:Required
-	AllowedPublishers []AllowedPublishersParameters `json:"allowedPublishers" tf:"allowed_publishers,omitempty"`
+	// +kubebuilder:validation:Optional
+	AllowedPublishers []AllowedPublishersParameters `json:"allowedPublishers,omitempty" tf:"allowed_publishers,omitempty"`
 
 	// Descriptive name for this code signing configuration.
 	// +kubebuilder:validation:Optional
@@ -68,6 +80,9 @@ type CodeSigningConfigParameters struct {
 }
 
 type PoliciesObservation struct {
+
+	// Code signing configuration policy for deployment validation failure. If you set the policy to Enforce, Lambda blocks the deployment request if code-signing validation checks fail. If you set the policy to Warn, Lambda allows the deployment and creates a CloudWatch log. Valid values: Warn, Enforce. Default value: Warn.
+	UntrustedArtifactOnDeployment *string `json:"untrustedArtifactOnDeployment,omitempty" tf:"untrusted_artifact_on_deployment,omitempty"`
 }
 
 type PoliciesParameters struct {
@@ -101,8 +116,9 @@ type CodeSigningConfigStatus struct {
 type CodeSigningConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CodeSigningConfigSpec   `json:"spec"`
-	Status            CodeSigningConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.allowedPublishers)",message="allowedPublishers is a required parameter"
+	Spec   CodeSigningConfigSpec   `json:"spec"`
+	Status CodeSigningConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_eventsourcemapping_types.go b/apis/lambda/v1beta1/zz_eventsourcemapping_types.go
index 39141133e5..c91d7af93a 100755
--- a/apis/lambda/v1beta1/zz_eventsourcemapping_types.go
+++ b/apis/lambda/v1beta1/zz_eventsourcemapping_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AmazonManagedKafkaEventSourceConfigObservation struct {
+
+	// A Kafka consumer group ID between 1 and 200 characters for use when creating this event source mapping. If one is not specified, this value will be automatically generated. See AmazonManagedKafkaEventSourceConfig Syntax.
+	ConsumerGroupID *string `json:"consumerGroupId,omitempty" tf:"consumer_group_id,omitempty"`
 }
 
 type AmazonManagedKafkaEventSourceConfigParameters struct {
@@ -24,6 +27,9 @@ type AmazonManagedKafkaEventSourceConfigParameters struct {
 }
 
 type DestinationConfigObservation struct {
+
+	// The destination configuration for failed invocations. Detailed below.
+	OnFailure []OnFailureObservation `json:"onFailure,omitempty" tf:"on_failure,omitempty"`
 }
 
 type DestinationConfigParameters struct {
@@ -35,9 +41,36 @@ type DestinationConfigParameters struct {
 
 type EventSourceMappingObservation struct {
 
+	// Additional configuration block for Amazon Managed Kafka sources. Incompatible with "self_managed_event_source" and "self_managed_kafka_event_source_config". Detailed below.
+	AmazonManagedKafkaEventSourceConfig []AmazonManagedKafkaEventSourceConfigObservation `json:"amazonManagedKafkaEventSourceConfig,omitempty" tf:"amazon_managed_kafka_event_source_config,omitempty"`
+
+	// The largest number of records that Lambda will retrieve from your event source at the time of invocation. Defaults to 100 for DynamoDB, Kinesis, MQ and MSK, 10 for SQS.
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	// If the function returns an error, split the batch in two and retry. Only available for stream sources (DynamoDB and Kinesis). Defaults to false.
+	BisectBatchOnFunctionError *bool `json:"bisectBatchOnFunctionError,omitempty" tf:"bisect_batch_on_function_error,omitempty"`
+
+	// An Amazon SQS queue or Amazon SNS topic destination for failed records. Only available for stream sources (DynamoDB and Kinesis). Detailed below.
+	DestinationConfig []DestinationConfigObservation `json:"destinationConfig,omitempty" tf:"destination_config,omitempty"`
+
+	// Determines if the mapping will be enabled on creation. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// The event source ARN - this is required for Kinesis stream, DynamoDB stream, SQS queue, MQ broker or MSK cluster.  It is incompatible with a Self Managed Kafka source.
+	EventSourceArn *string `json:"eventSourceArn,omitempty" tf:"event_source_arn,omitempty"`
+
+	// The criteria to use for event filtering Kinesis stream, DynamoDB stream, SQS queue event sources. Detailed below.
+	FilterCriteria []FilterCriteriaObservation `json:"filterCriteria,omitempty" tf:"filter_criteria,omitempty"`
+
 	// The the ARN of the Lambda function the event source mapping is sending events to. (Note: this is a computed value that differs from function_name above.)
 	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
 
+	// The name or the ARN of the Lambda function that will be subscribing to events.
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
+
+	// A list of current response type enums applied to the event source mapping for AWS Lambda checkpointing. Only available for SQS and stream sources (DynamoDB and Kinesis). Valid values: ReportBatchItemFailures.
+	FunctionResponseTypes []*string `json:"functionResponseTypes,omitempty" tf:"function_response_types,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date this resource was last modified.
@@ -46,12 +79,51 @@ type EventSourceMappingObservation struct {
 	// The result of the last AWS Lambda invocation of your Lambda function.
 	LastProcessingResult *string `json:"lastProcessingResult,omitempty" tf:"last_processing_result,omitempty"`
 
+	// The maximum amount of time to gather records before invoking the function, in seconds (between 0 and 300). Records will continue to buffer (or accumulate in the case of an SQS queue event source) until either maximum_batching_window_in_seconds expires or batch_size has been met. For streaming event sources, defaults to as soon as records are available in the stream. If the batch it reads from the stream/queue only has one record in it, Lambda only sends one record to the function. Only available for stream sources (DynamoDB and Kinesis) and SQS standard queues.
+	MaximumBatchingWindowInSeconds *float64 `json:"maximumBatchingWindowInSeconds,omitempty" tf:"maximum_batching_window_in_seconds,omitempty"`
+
+	// The maximum age of a record that Lambda sends to a function for processing. Only available for stream sources (DynamoDB and Kinesis). Must be either -1 (forever, and the default value) or between 60 and 604800 (inclusive).
+	MaximumRecordAgeInSeconds *float64 `json:"maximumRecordAgeInSeconds,omitempty" tf:"maximum_record_age_in_seconds,omitempty"`
+
+	// The maximum number of times to retry when the function returns an error. Only available for stream sources (DynamoDB and Kinesis). Minimum and default of -1 (forever), maximum of 10000.
+	MaximumRetryAttempts *float64 `json:"maximumRetryAttempts,omitempty" tf:"maximum_retry_attempts,omitempty"`
+
+	// The number of batches to process from each shard concurrently. Only available for stream sources (DynamoDB and Kinesis). Minimum and default of 1, maximum of 10.
+	ParallelizationFactor *float64 `json:"parallelizationFactor,omitempty" tf:"parallelization_factor,omitempty"`
+
+	// The name of the Amazon MQ broker destination queue to consume. Only available for MQ sources. A single queue name must be specified.
+	Queues []*string `json:"queues,omitempty" tf:"queues,omitempty"`
+
+	// Scaling configuration of the event source. Only available for SQS queues. Detailed below.
+	ScalingConfig []ScalingConfigObservation `json:"scalingConfig,omitempty" tf:"scaling_config,omitempty"`
+
+	// For Self Managed Kafka sources, the location of the self managed cluster. If set, configuration must also include source_access_configuration. Detailed below.
+	SelfManagedEventSource []SelfManagedEventSourceObservation `json:"selfManagedEventSource,omitempty" tf:"self_managed_event_source,omitempty"`
+
+	// Additional configuration block for Self Managed Kafka sources. Incompatible with "event_source_arn" and "amazon_managed_kafka_event_source_config". Detailed below.
+	SelfManagedKafkaEventSourceConfig []SelfManagedKafkaEventSourceConfigObservation `json:"selfManagedKafkaEventSourceConfig,omitempty" tf:"self_managed_kafka_event_source_config,omitempty"`
+
+	// :  For Self Managed Kafka sources, the access configuration for the source. If set, configuration must also include self_managed_event_source. Detailed below.
+	SourceAccessConfiguration []SourceAccessConfigurationObservation `json:"sourceAccessConfiguration,omitempty" tf:"source_access_configuration,omitempty"`
+
+	// The position in the stream where AWS Lambda should start reading. Must be one of AT_TIMESTAMP (Kinesis only), LATEST or TRIM_HORIZON if getting events from Kinesis, DynamoDB, MSK or Self Managed Apache Kafka. Must not be provided if getting events from SQS. More information about these positions can be found in the AWS DynamoDB Streams API Reference and AWS Kinesis API Reference.
+	StartingPosition *string `json:"startingPosition,omitempty" tf:"starting_position,omitempty"`
+
+	// A timestamp in RFC3339 format of the data record which to start reading when using starting_position set to AT_TIMESTAMP. If a record with this exact timestamp does not exist, the next later record is chosen. If the timestamp is older than the current trim horizon, the oldest available record is chosen.
+	StartingPositionTimestamp *string `json:"startingPositionTimestamp,omitempty" tf:"starting_position_timestamp,omitempty"`
+
 	// The state of the event source mapping.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
 	// The reason the event source mapping is in its current state.
 	StateTransitionReason *string `json:"stateTransitionReason,omitempty" tf:"state_transition_reason,omitempty"`
 
+	// The name of the Kafka topics. Only available for MSK sources. A single topic name must be specified.
+	Topics []*string `json:"topics,omitempty" tf:"topics,omitempty"`
+
+	// The duration in seconds of a processing window for AWS Lambda streaming analytics. The range is between 1 second up to 900 seconds. Only available for stream sources (DynamoDB and Kinesis).
+	TumblingWindowInSeconds *float64 `json:"tumblingWindowInSeconds,omitempty" tf:"tumbling_window_in_seconds,omitempty"`
+
 	// The UUID of the created event source mapping.
 	UUID *string `json:"uuid,omitempty" tf:"uuid,omitempty"`
 }
@@ -163,6 +235,9 @@ type EventSourceMappingParameters struct {
 }
 
 type FilterCriteriaObservation struct {
+
+	// A set of up to 5 filter. If an event satisfies at least one, Lambda sends the event to the function or adds it to the next batch. Detailed below.
+	Filter []FilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
 }
 
 type FilterCriteriaParameters struct {
@@ -173,6 +248,9 @@ type FilterCriteriaParameters struct {
 }
 
 type FilterObservation struct {
+
+	// A filter pattern up to 4096 characters. See Filter Rule Syntax.
+	Pattern *string `json:"pattern,omitempty" tf:"pattern,omitempty"`
 }
 
 type FilterParameters struct {
@@ -183,6 +261,9 @@ type FilterParameters struct {
 }
 
 type OnFailureObservation struct {
+
+	// The Amazon Resource Name (ARN) of the destination resource.
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
 }
 
 type OnFailureParameters struct {
@@ -193,6 +274,9 @@ type OnFailureParameters struct {
 }
 
 type ScalingConfigObservation struct {
+
+	// Limits the number of concurrent instances that the Amazon SQS event source can invoke. Must be between 2 and 1000. See Configuring maximum concurrency for Amazon SQS event sources.
+	MaximumConcurrency *float64 `json:"maximumConcurrency,omitempty" tf:"maximum_concurrency,omitempty"`
 }
 
 type ScalingConfigParameters struct {
@@ -203,6 +287,9 @@ type ScalingConfigParameters struct {
 }
 
 type SelfManagedEventSourceObservation struct {
+
+	// A map of endpoints for the self managed source.  For Kafka self-managed sources, the key should be KAFKA_BOOTSTRAP_SERVERS and the value should be a string with a comma separated list of broker endpoints.
+	Endpoints map[string]*string `json:"endpoints,omitempty" tf:"endpoints,omitempty"`
 }
 
 type SelfManagedEventSourceParameters struct {
@@ -213,6 +300,9 @@ type SelfManagedEventSourceParameters struct {
 }
 
 type SelfManagedKafkaEventSourceConfigObservation struct {
+
+	// A Kafka consumer group ID between 1 and 200 characters for use when creating this event source mapping. If one is not specified, this value will be automatically generated. See SelfManagedKafkaEventSourceConfig Syntax.
+	ConsumerGroupID *string `json:"consumerGroupId,omitempty" tf:"consumer_group_id,omitempty"`
 }
 
 type SelfManagedKafkaEventSourceConfigParameters struct {
@@ -223,6 +313,12 @@ type SelfManagedKafkaEventSourceConfigParameters struct {
 }
 
 type SourceAccessConfigurationObservation struct {
+
+	// The type of this configuration.  For Self Managed Kafka you will need to supply blocks for type VPC_SUBNET and VPC_SECURITY_GROUP.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The URI for this configuration.  For type VPC_SUBNET the value should be subnet:subnet_id where subnet_id is the value you would find in an aws_subnet resource's id attribute.  For type VPC_SECURITY_GROUP the value should be security_group:security_group_id where security_group_id is the value you would find in an aws_security_group resource's id attribute.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type SourceAccessConfigurationParameters struct {
diff --git a/apis/lambda/v1beta1/zz_function_types.go b/apis/lambda/v1beta1/zz_function_types.go
index 27ff2fcb8a..21e4e8cdcf 100755
--- a/apis/lambda/v1beta1/zz_function_types.go
+++ b/apis/lambda/v1beta1/zz_function_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type DeadLetterConfigObservation struct {
+
+	// ARN of an SNS topic or SQS queue to notify when an invocation fails. If this option is used, the function's IAM role must be granted suitable access to write to the target object, which means allowing either the sns:Publish or sqs:SendMessage action on this ARN, depending on which service is targeted.
+	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
 }
 
 type DeadLetterConfigParameters struct {
@@ -24,6 +27,9 @@ type DeadLetterConfigParameters struct {
 }
 
 type EnvironmentObservation struct {
+
+	// Map of environment variables that are accessible from the function code during execution. If provided at least one key must be present.
+	Variables map[string]*string `json:"variables,omitempty" tf:"variables,omitempty"`
 }
 
 type EnvironmentParameters struct {
@@ -34,6 +40,9 @@ type EnvironmentParameters struct {
 }
 
 type EphemeralStorageObservation struct {
+
+	// The size of the Lambda function Ephemeral storage(/tmp) represented in MB. The minimum supported ephemeral_storage value defaults to 512MB and the maximum supported value is 10240MB.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
 }
 
 type EphemeralStorageParameters struct {
@@ -44,6 +53,12 @@ type EphemeralStorageParameters struct {
 }
 
 type FileSystemConfigObservation struct {
+
+	// Amazon Resource Name (ARN) of the Amazon EFS Access Point that provides access to the file system.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Path where the function can access the file system, starting with /mnt/.
+	LocalMountPath *string `json:"localMountPath,omitempty" tf:"local_mount_path,omitempty"`
 }
 
 type FileSystemConfigParameters struct {
@@ -69,23 +84,92 @@ type FileSystemConfigParameters struct {
 
 type FunctionObservation struct {
 
+	// Instruction set architecture for your Lambda function. Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"]. Removing this attribute, function's architecture stay the same.
+	Architectures []*string `json:"architectures,omitempty" tf:"architectures,omitempty"`
+
 	// Amazon Resource Name (ARN) identifying your Lambda Function.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// To enable code signing for this function, specify the ARN of a code-signing configuration. A code-signing configuration includes a set of signing profiles, which define the trusted publishers for this function.
+	CodeSigningConfigArn *string `json:"codeSigningConfigArn,omitempty" tf:"code_signing_config_arn,omitempty"`
+
+	// Configuration block. Detailed below.
+	DeadLetterConfig []DeadLetterConfigObservation `json:"deadLetterConfig,omitempty" tf:"dead_letter_config,omitempty"`
+
+	// Description of what your Lambda Function does.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Configuration block. Detailed below.
+	Environment []EnvironmentObservation `json:"environment,omitempty" tf:"environment,omitempty"`
+
+	// The amount of Ephemeral storage(/tmp) to allocate for the Lambda Function in MB. This parameter is used to expand the total amount of Ephemeral storage available, beyond the default amount of 512MB. Detailed below.
+	EphemeralStorage []EphemeralStorageObservation `json:"ephemeralStorage,omitempty" tf:"ephemeral_storage,omitempty"`
+
+	// Configuration block. Detailed below.
+	FileSystemConfig []FileSystemConfigObservation `json:"fileSystemConfig,omitempty" tf:"file_system_config,omitempty"`
+
+	// Function entrypoint in your code.
+	Handler *string `json:"handler,omitempty" tf:"handler,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block. Detailed below.
+	ImageConfig []ImageConfigObservation `json:"imageConfig,omitempty" tf:"image_config,omitempty"`
+
+	// ECR image URI containing the function's deployment package. Exactly one of filename, image_uri,  or s3_bucket must be specified.
+	ImageURI *string `json:"imageUri,omitempty" tf:"image_uri,omitempty"`
+
 	// ARN to be used for invoking Lambda Function from API Gateway - to be used in aws_api_gateway_integration's uri.
 	InvokeArn *string `json:"invokeArn,omitempty" tf:"invoke_arn,omitempty"`
 
+	// Amazon Resource Name (ARN) of the AWS Key Management Service (KMS) key that is used to encrypt environment variables. If this configuration is not provided when environment variables are in use, AWS Lambda uses a default service key. To fix the perpetual difference, remove this configuration.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
 	// Date this resource was last modified.
 	LastModified *string `json:"lastModified,omitempty" tf:"last_modified,omitempty"`
 
+	// List of Lambda Layer Version ARNs (maximum of 5) to attach to your Lambda Function. See Lambda Layers
+	Layers []*string `json:"layers,omitempty" tf:"layers,omitempty"`
+
+	// Amount of memory in MB your Lambda Function can use at runtime. Defaults to 128. See Limits
+	MemorySize *float64 `json:"memorySize,omitempty" tf:"memory_size,omitempty"`
+
+	// Lambda deployment package type. Valid values are Zip and Image. Defaults to Zip.
+	PackageType *string `json:"packageType,omitempty" tf:"package_type,omitempty"`
+
+	// Whether to publish creation/change as new Lambda Function Version. Defaults to false.
+	Publish *bool `json:"publish,omitempty" tf:"publish,omitempty"`
+
 	// ARN identifying your Lambda Function Version (if versioning is enabled via publish = true).
 	QualifiedArn *string `json:"qualifiedArn,omitempty" tf:"qualified_arn,omitempty"`
 
 	// Qualified ARN (ARN with lambda version number) to be used for invoking Lambda Function from API Gateway - to be used in aws_api_gateway_integration's uri.
 	QualifiedInvokeArn *string `json:"qualifiedInvokeArn,omitempty" tf:"qualified_invoke_arn,omitempty"`
 
+	// Whether to replace the security groups on associated lambda network interfaces upon destruction. Removing these security groups from orphaned network interfaces can speed up security group deletion times by avoiding a dependency on AWS's internal cleanup operations. By default, the ENI security groups will be replaced with the default security group in the function's VPC. Set the replacement_security_group_ids attribute to use a custom list of security groups for replacement.
+	ReplaceSecurityGroupsOnDestroy *bool `json:"replaceSecurityGroupsOnDestroy,omitempty" tf:"replace_security_groups_on_destroy,omitempty"`
+
+	// List of security group IDs to assign to orphaned Lambda function network interfaces upon destruction. replace_security_groups_on_destroy must be set to true to use this attribute.
+	ReplacementSecurityGroupIds []*string `json:"replacementSecurityGroupIds,omitempty" tf:"replacement_security_group_ids,omitempty"`
+
+	// Amount of reserved concurrent executions for this lambda function. A value of 0 disables lambda from being triggered and -1 removes any concurrency limitations. Defaults to Unreserved Concurrency Limits -1. See Managing Concurrency
+	ReservedConcurrentExecutions *float64 `json:"reservedConcurrentExecutions,omitempty" tf:"reserved_concurrent_executions,omitempty"`
+
+	// Amazon Resource Name (ARN) of the function's execution role. The role provides the function's identity and access to AWS services and resources.
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+	// Identifier of the function's runtime. See Runtimes for valid values.
+	Runtime *string `json:"runtime,omitempty" tf:"runtime,omitempty"`
+
+	// S3 bucket location containing the function's deployment package. This bucket must reside in the same AWS region where you are creating the Lambda function. Exactly one of filename, image_uri, or s3_bucket must be specified. When s3_bucket is set, s3_key is required.
+	S3Bucket *string `json:"s3Bucket,omitempty" tf:"s3_bucket,omitempty"`
+
+	// S3 key of an object containing the function's deployment package. When s3_bucket is set, s3_key is required.
+	S3Key *string `json:"s3Key,omitempty" tf:"s3_key,omitempty"`
+
+	// Object version containing the function's deployment package. Conflicts with filename and image_uri.
+	S3ObjectVersion *string `json:"s3ObjectVersion,omitempty" tf:"s3_object_version,omitempty"`
+
 	// ARN of the signing job.
 	SigningJobArn *string `json:"signingJobArn,omitempty" tf:"signing_job_arn,omitempty"`
 
@@ -93,17 +177,27 @@ type FunctionObservation struct {
 	SigningProfileVersionArn *string `json:"signingProfileVersionArn,omitempty" tf:"signing_profile_version_arn,omitempty"`
 
 	// Snap start settings block. Detailed below.
-	// +kubebuilder:validation:Optional
 	SnapStart []SnapStartObservation `json:"snapStart,omitempty" tf:"snap_start,omitempty"`
 
+	// Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file specified with either filename or s3_key. The usual way to set this is filebase64sha256("file.11.12 and later) or base64sha256(file("file.11.11 and earlier), where "file.zip" is the local filename of the lambda function source archive.
+	SourceCodeHash *string `json:"sourceCodeHash,omitempty" tf:"source_code_hash,omitempty"`
+
 	// Size in bytes of the function .zip file.
 	SourceCodeSize *float64 `json:"sourceCodeSize,omitempty" tf:"source_code_size,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Amount of time your Lambda Function has to run in seconds. Defaults to 3. See Limits.
+	Timeout *float64 `json:"timeout,omitempty" tf:"timeout,omitempty"`
+
+	// Configuration block. Detailed below.
+	TracingConfig []TracingConfigObservation `json:"tracingConfig,omitempty" tf:"tracing_config,omitempty"`
+
 	// Configuration block. Detailed below.
-	// +kubebuilder:validation:Optional
 	VPCConfig []VPCConfigObservation `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
 
 	// Latest published version of your Lambda Function.
@@ -274,6 +368,15 @@ type FunctionParameters struct {
 }
 
 type ImageConfigObservation struct {
+
+	// Parameters that you want to pass in with entry_point.
+	Command []*string `json:"command,omitempty" tf:"command,omitempty"`
+
+	// Entry point to your application, which is typically the location of the runtime executable.
+	EntryPoint []*string `json:"entryPoint,omitempty" tf:"entry_point,omitempty"`
+
+	// Working directory.
+	WorkingDirectory *string `json:"workingDirectory,omitempty" tf:"working_directory,omitempty"`
 }
 
 type ImageConfigParameters struct {
@@ -293,6 +396,9 @@ type ImageConfigParameters struct {
 
 type SnapStartObservation struct {
 
+	// Conditions where snap start is enabled. Valid values are PublishedVersions.
+	ApplyOn *string `json:"applyOn,omitempty" tf:"apply_on,omitempty"`
+
 	// Optimization status of the snap start configuration. Valid values are On and Off.
 	OptimizationStatus *string `json:"optimizationStatus,omitempty" tf:"optimization_status,omitempty"`
 }
@@ -305,6 +411,9 @@ type SnapStartParameters struct {
 }
 
 type TracingConfigObservation struct {
+
+	// Whether to sample and trace a subset of incoming requests with AWS X-Ray. Valid values are PassThrough and Active. If PassThrough, Lambda will only trace the request from an upstream service if it contains a tracing header with "sampled=1". If Active, Lambda will respect any tracing header it receives from an upstream service. If no tracing header is received, Lambda will call X-Ray for a tracing decision.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
 }
 
 type TracingConfigParameters struct {
@@ -316,6 +425,12 @@ type TracingConfigParameters struct {
 
 type VPCConfigObservation struct {
 
+	// List of security group IDs associated with the Lambda function.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// List of subnet IDs associated with the Lambda function.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	// ID of the VPC.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
diff --git a/apis/lambda/v1beta1/zz_functioneventinvokeconfig_types.go b/apis/lambda/v1beta1/zz_functioneventinvokeconfig_types.go
index 9649d002b9..71ca2fe616 100755
--- a/apis/lambda/v1beta1/zz_functioneventinvokeconfig_types.go
+++ b/apis/lambda/v1beta1/zz_functioneventinvokeconfig_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type DestinationConfigOnFailureObservation struct {
+
+	// Amazon Resource Name (ARN) of the destination resource. See the Lambda Developer Guide for acceptable resource types and associated IAM permissions.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
 }
 
 type DestinationConfigOnFailureParameters struct {
@@ -34,6 +37,12 @@ type DestinationConfigOnFailureParameters struct {
 }
 
 type FunctionEventInvokeConfigDestinationConfigObservation struct {
+
+	// Configuration block with destination configuration for failed asynchronous invocations. See below for details.
+	OnFailure []DestinationConfigOnFailureObservation `json:"onFailure,omitempty" tf:"on_failure,omitempty"`
+
+	// Configuration block with destination configuration for successful asynchronous invocations. See below for details.
+	OnSuccess []OnSuccessObservation `json:"onSuccess,omitempty" tf:"on_success,omitempty"`
 }
 
 type FunctionEventInvokeConfigDestinationConfigParameters struct {
@@ -49,8 +58,23 @@ type FunctionEventInvokeConfigDestinationConfigParameters struct {
 
 type FunctionEventInvokeConfigObservation struct {
 
+	// Configuration block with destination configuration. See below for details.
+	DestinationConfig []FunctionEventInvokeConfigDestinationConfigObservation `json:"destinationConfig,omitempty" tf:"destination_config,omitempty"`
+
+	// Name or Amazon Resource Name (ARN) of the Lambda Function, omitting any version or alias qualifier.
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
+
 	// Fully qualified Lambda Function name or Amazon Resource Name (ARN)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Maximum age of a request that Lambda sends to a function for processing in seconds. Valid values between 60 and 21600.
+	MaximumEventAgeInSeconds *float64 `json:"maximumEventAgeInSeconds,omitempty" tf:"maximum_event_age_in_seconds,omitempty"`
+
+	// Maximum number of times to retry when the function returns an error. Valid values between 0 and 2. Defaults to 2.
+	MaximumRetryAttempts *float64 `json:"maximumRetryAttempts,omitempty" tf:"maximum_retry_attempts,omitempty"`
+
+	// Lambda Function published version, $LATEST, or Lambda Alias name.
+	Qualifier *string `json:"qualifier,omitempty" tf:"qualifier,omitempty"`
 }
 
 type FunctionEventInvokeConfigParameters struct {
@@ -60,8 +84,8 @@ type FunctionEventInvokeConfigParameters struct {
 	DestinationConfig []FunctionEventInvokeConfigDestinationConfigParameters `json:"destinationConfig,omitempty" tf:"destination_config,omitempty"`
 
 	// Name or Amazon Resource Name (ARN) of the Lambda Function, omitting any version or alias qualifier.
-	// +kubebuilder:validation:Required
-	FunctionName *string `json:"functionName" tf:"function_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
 
 	// Maximum age of a request that Lambda sends to a function for processing in seconds. Valid values between 60 and 21600.
 	// +kubebuilder:validation:Optional
@@ -82,6 +106,9 @@ type FunctionEventInvokeConfigParameters struct {
 }
 
 type OnSuccessObservation struct {
+
+	// Amazon Resource Name (ARN) of the destination resource. See the Lambda Developer Guide for acceptable resource types and associated IAM permissions.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
 }
 
 type OnSuccessParameters struct {
@@ -125,8 +152,9 @@ type FunctionEventInvokeConfigStatus struct {
 type FunctionEventInvokeConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FunctionEventInvokeConfigSpec   `json:"spec"`
-	Status            FunctionEventInvokeConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.functionName)",message="functionName is a required parameter"
+	Spec   FunctionEventInvokeConfigSpec   `json:"spec"`
+	Status FunctionEventInvokeConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_functionurl_types.go b/apis/lambda/v1beta1/zz_functionurl_types.go
index 659e4020e1..22e2a52a60 100755
--- a/apis/lambda/v1beta1/zz_functionurl_types.go
+++ b/apis/lambda/v1beta1/zz_functionurl_types.go
@@ -14,6 +14,24 @@ import (
 )
 
 type CorsObservation struct {
+
+	// Whether to allow cookies or other credentials in requests to the function URL. The default is false.
+	AllowCredentials *bool `json:"allowCredentials,omitempty" tf:"allow_credentials,omitempty"`
+
+	// The HTTP headers that origins can include in requests to the function URL. For example: ["date", "keep-alive", "x-custom-header"].
+	AllowHeaders []*string `json:"allowHeaders,omitempty" tf:"allow_headers,omitempty"`
+
+	// The HTTP methods that are allowed when calling the function URL. For example: ["GET", "POST", "DELETE"], or the wildcard character (["*"]).
+	AllowMethods []*string `json:"allowMethods,omitempty" tf:"allow_methods,omitempty"`
+
+	// The origins that can access the function URL. You can list any number of specific origins (or the wildcard character ("*")), separated by a comma. For example: ["https://www.example.com", "http://localhost:60905"].
+	AllowOrigins []*string `json:"allowOrigins,omitempty" tf:"allow_origins,omitempty"`
+
+	// The HTTP headers in your function response that you want to expose to origins that call the function URL.
+	ExposeHeaders []*string `json:"exposeHeaders,omitempty" tf:"expose_headers,omitempty"`
+
+	// The maximum amount of time, in seconds, that web browsers can cache results of a preflight request. By default, this is set to 0, which means that the browser doesn't cache results. The maximum value is 86400.
+	MaxAge *float64 `json:"maxAge,omitempty" tf:"max_age,omitempty"`
 }
 
 type CorsParameters struct {
@@ -45,14 +63,26 @@ type CorsParameters struct {
 
 type FunctionURLObservation struct {
 
+	// The type of authentication that the function URL uses. Set to "AWS_IAM" to restrict access to authenticated IAM users only. Set to "NONE" to bypass IAM authentication and create a public endpoint. See the AWS documentation for more details.
+	AuthorizationType *string `json:"authorizationType,omitempty" tf:"authorization_type,omitempty"`
+
+	// The cross-origin resource sharing (CORS) settings for the function URL. Documented below.
+	Cors []CorsObservation `json:"cors,omitempty" tf:"cors,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the function.
 	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
 
+	// The name (or ARN) of the Lambda function.
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
+
 	// The HTTP URL endpoint for the function in the format https://<url_id>.lambda-url.<region>.on.aws.
 	FunctionURL *string `json:"functionUrl,omitempty" tf:"function_url,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The alias name or "$LATEST".
+	Qualifier *string `json:"qualifier,omitempty" tf:"qualifier,omitempty"`
+
 	// A generated ID for the endpoint.
 	URLID *string `json:"urlId,omitempty" tf:"url_id,omitempty"`
 }
@@ -60,8 +90,8 @@ type FunctionURLObservation struct {
 type FunctionURLParameters struct {
 
 	// The type of authentication that the function URL uses. Set to "AWS_IAM" to restrict access to authenticated IAM users only. Set to "NONE" to bypass IAM authentication and create a public endpoint. See the AWS documentation for more details.
-	// +kubebuilder:validation:Required
-	AuthorizationType *string `json:"authorizationType" tf:"authorization_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthorizationType *string `json:"authorizationType,omitempty" tf:"authorization_type,omitempty"`
 
 	// The cross-origin resource sharing (CORS) settings for the function URL. Documented below.
 	// +kubebuilder:validation:Optional
@@ -114,8 +144,9 @@ type FunctionURLStatus struct {
 type FunctionURL struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FunctionURLSpec   `json:"spec"`
-	Status            FunctionURLStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorizationType)",message="authorizationType is a required parameter"
+	Spec   FunctionURLSpec   `json:"spec"`
+	Status FunctionURLStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_generated.deepcopy.go b/apis/lambda/v1beta1/zz_generated.deepcopy.go
index 58e2a65752..cee2b01b2c 100644
--- a/apis/lambda/v1beta1/zz_generated.deepcopy.go
+++ b/apis/lambda/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,21 @@ func (in *AliasObservation) DeepCopyInto(out *AliasObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionName != nil {
+		in, out := &in.FunctionName, &out.FunctionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionVersion != nil {
+		in, out := &in.FunctionVersion, &out.FunctionVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -91,6 +106,13 @@ func (in *AliasObservation) DeepCopyInto(out *AliasObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoutingConfig != nil {
+		in, out := &in.RoutingConfig, &out.RoutingConfig
+		*out = make([]RoutingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AliasObservation.
@@ -192,6 +214,17 @@ func (in *AliasStatus) DeepCopy() *AliasStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AllowedPublishersObservation) DeepCopyInto(out *AllowedPublishersObservation) {
 	*out = *in
+	if in.SigningProfileVersionArns != nil {
+		in, out := &in.SigningProfileVersionArns, &out.SigningProfileVersionArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllowedPublishersObservation.
@@ -245,6 +278,11 @@ func (in *AllowedPublishersParameters) DeepCopy() *AllowedPublishersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AmazonManagedKafkaEventSourceConfigObservation) DeepCopyInto(out *AmazonManagedKafkaEventSourceConfigObservation) {
 	*out = *in
+	if in.ConsumerGroupID != nil {
+		in, out := &in.ConsumerGroupID, &out.ConsumerGroupID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AmazonManagedKafkaEventSourceConfigObservation.
@@ -339,6 +377,13 @@ func (in *CodeSigningConfigList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CodeSigningConfigObservation) DeepCopyInto(out *CodeSigningConfigObservation) {
 	*out = *in
+	if in.AllowedPublishers != nil {
+		in, out := &in.AllowedPublishers, &out.AllowedPublishers
+		*out = make([]AllowedPublishersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -349,6 +394,11 @@ func (in *CodeSigningConfigObservation) DeepCopyInto(out *CodeSigningConfigObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -359,6 +409,13 @@ func (in *CodeSigningConfigObservation) DeepCopyInto(out *CodeSigningConfigObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policies != nil {
+		in, out := &in.Policies, &out.Policies
+		*out = make([]PoliciesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CodeSigningConfigObservation.
@@ -447,6 +504,60 @@ func (in *CodeSigningConfigStatus) DeepCopy() *CodeSigningConfigStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CorsObservation) DeepCopyInto(out *CorsObservation) {
 	*out = *in
+	if in.AllowCredentials != nil {
+		in, out := &in.AllowCredentials, &out.AllowCredentials
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowHeaders != nil {
+		in, out := &in.AllowHeaders, &out.AllowHeaders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowMethods != nil {
+		in, out := &in.AllowMethods, &out.AllowMethods
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowOrigins != nil {
+		in, out := &in.AllowOrigins, &out.AllowOrigins
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ExposeHeaders != nil {
+		in, out := &in.ExposeHeaders, &out.ExposeHeaders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MaxAge != nil {
+		in, out := &in.MaxAge, &out.MaxAge
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CorsObservation.
@@ -531,6 +642,11 @@ func (in *CorsParameters) DeepCopy() *CorsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeadLetterConfigObservation) DeepCopyInto(out *DeadLetterConfigObservation) {
 	*out = *in
+	if in.TargetArn != nil {
+		in, out := &in.TargetArn, &out.TargetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeadLetterConfigObservation.
@@ -566,6 +682,13 @@ func (in *DeadLetterConfigParameters) DeepCopy() *DeadLetterConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationConfigObservation) DeepCopyInto(out *DestinationConfigObservation) {
 	*out = *in
+	if in.OnFailure != nil {
+		in, out := &in.OnFailure, &out.OnFailure
+		*out = make([]OnFailureObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationConfigObservation.
@@ -581,6 +704,11 @@ func (in *DestinationConfigObservation) DeepCopy() *DestinationConfigObservation
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationConfigOnFailureObservation) DeepCopyInto(out *DestinationConfigOnFailureObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationConfigOnFailureObservation.
@@ -648,6 +776,21 @@ func (in *DestinationConfigParameters) DeepCopy() *DestinationConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvironmentObservation) DeepCopyInto(out *EnvironmentObservation) {
 	*out = *in
+	if in.Variables != nil {
+		in, out := &in.Variables, &out.Variables
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvironmentObservation.
@@ -693,6 +836,11 @@ func (in *EnvironmentParameters) DeepCopy() *EnvironmentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralStorageObservation) DeepCopyInto(out *EphemeralStorageObservation) {
 	*out = *in
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralStorageObservation.
@@ -787,11 +935,68 @@ func (in *EventSourceMappingList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventSourceMappingObservation) DeepCopyInto(out *EventSourceMappingObservation) {
 	*out = *in
+	if in.AmazonManagedKafkaEventSourceConfig != nil {
+		in, out := &in.AmazonManagedKafkaEventSourceConfig, &out.AmazonManagedKafkaEventSourceConfig
+		*out = make([]AmazonManagedKafkaEventSourceConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BisectBatchOnFunctionError != nil {
+		in, out := &in.BisectBatchOnFunctionError, &out.BisectBatchOnFunctionError
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DestinationConfig != nil {
+		in, out := &in.DestinationConfig, &out.DestinationConfig
+		*out = make([]DestinationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventSourceArn != nil {
+		in, out := &in.EventSourceArn, &out.EventSourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterCriteria != nil {
+		in, out := &in.FilterCriteria, &out.FilterCriteria
+		*out = make([]FilterCriteriaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.FunctionArn != nil {
 		in, out := &in.FunctionArn, &out.FunctionArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.FunctionName != nil {
+		in, out := &in.FunctionName, &out.FunctionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionResponseTypes != nil {
+		in, out := &in.FunctionResponseTypes, &out.FunctionResponseTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -807,6 +1012,75 @@ func (in *EventSourceMappingObservation) DeepCopyInto(out *EventSourceMappingObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaximumBatchingWindowInSeconds != nil {
+		in, out := &in.MaximumBatchingWindowInSeconds, &out.MaximumBatchingWindowInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaximumRecordAgeInSeconds != nil {
+		in, out := &in.MaximumRecordAgeInSeconds, &out.MaximumRecordAgeInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaximumRetryAttempts != nil {
+		in, out := &in.MaximumRetryAttempts, &out.MaximumRetryAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParallelizationFactor != nil {
+		in, out := &in.ParallelizationFactor, &out.ParallelizationFactor
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Queues != nil {
+		in, out := &in.Queues, &out.Queues
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ScalingConfig != nil {
+		in, out := &in.ScalingConfig, &out.ScalingConfig
+		*out = make([]ScalingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SelfManagedEventSource != nil {
+		in, out := &in.SelfManagedEventSource, &out.SelfManagedEventSource
+		*out = make([]SelfManagedEventSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SelfManagedKafkaEventSourceConfig != nil {
+		in, out := &in.SelfManagedKafkaEventSourceConfig, &out.SelfManagedKafkaEventSourceConfig
+		*out = make([]SelfManagedKafkaEventSourceConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceAccessConfiguration != nil {
+		in, out := &in.SourceAccessConfiguration, &out.SourceAccessConfiguration
+		*out = make([]SourceAccessConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartingPosition != nil {
+		in, out := &in.StartingPosition, &out.StartingPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartingPositionTimestamp != nil {
+		in, out := &in.StartingPositionTimestamp, &out.StartingPositionTimestamp
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
@@ -817,6 +1091,22 @@ func (in *EventSourceMappingObservation) DeepCopyInto(out *EventSourceMappingObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Topics != nil {
+		in, out := &in.Topics, &out.Topics
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.TumblingWindowInSeconds != nil {
+		in, out := &in.TumblingWindowInSeconds, &out.TumblingWindowInSeconds
+		*out = new(float64)
+		**out = **in
+	}
 	if in.UUID != nil {
 		in, out := &in.UUID, &out.UUID
 		*out = new(string)
@@ -1043,6 +1333,16 @@ func (in *EventSourceMappingStatus) DeepCopy() *EventSourceMappingStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FileSystemConfigObservation) DeepCopyInto(out *FileSystemConfigObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LocalMountPath != nil {
+		in, out := &in.LocalMountPath, &out.LocalMountPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSystemConfigObservation.
@@ -1093,6 +1393,13 @@ func (in *FileSystemConfigParameters) DeepCopy() *FileSystemConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterCriteriaObservation) DeepCopyInto(out *FilterCriteriaObservation) {
 	*out = *in
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]FilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterCriteriaObservation.
@@ -1130,6 +1437,11 @@ func (in *FilterCriteriaParameters) DeepCopy() *FilterCriteriaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterObservation) DeepCopyInto(out *FilterObservation) {
 	*out = *in
+	if in.Pattern != nil {
+		in, out := &in.Pattern, &out.Pattern
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterObservation.
@@ -1219,6 +1531,20 @@ func (in *FunctionEventInvokeConfig) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FunctionEventInvokeConfigDestinationConfigObservation) DeepCopyInto(out *FunctionEventInvokeConfigDestinationConfigObservation) {
 	*out = *in
+	if in.OnFailure != nil {
+		in, out := &in.OnFailure, &out.OnFailure
+		*out = make([]DestinationConfigOnFailureObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OnSuccess != nil {
+		in, out := &in.OnSuccess, &out.OnSuccess
+		*out = make([]OnSuccessObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FunctionEventInvokeConfigDestinationConfigObservation.
@@ -1295,11 +1621,38 @@ func (in *FunctionEventInvokeConfigList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FunctionEventInvokeConfigObservation) DeepCopyInto(out *FunctionEventInvokeConfigObservation) {
 	*out = *in
+	if in.DestinationConfig != nil {
+		in, out := &in.DestinationConfig, &out.DestinationConfig
+		*out = make([]FunctionEventInvokeConfigDestinationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FunctionName != nil {
+		in, out := &in.FunctionName, &out.FunctionName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaximumEventAgeInSeconds != nil {
+		in, out := &in.MaximumEventAgeInSeconds, &out.MaximumEventAgeInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaximumRetryAttempts != nil {
+		in, out := &in.MaximumRetryAttempts, &out.MaximumRetryAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Qualifier != nil {
+		in, out := &in.Qualifier, &out.Qualifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FunctionEventInvokeConfigObservation.
@@ -1405,31 +1758,85 @@ func (in *FunctionList) DeepCopyInto(out *FunctionList) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FunctionList.
-func (in *FunctionList) DeepCopy() *FunctionList {
-	if in == nil {
-		return nil
-	}
-	out := new(FunctionList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *FunctionList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FunctionList.
+func (in *FunctionList) DeepCopy() *FunctionList {
+	if in == nil {
+		return nil
+	}
+	out := new(FunctionList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FunctionList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
+	*out = *in
+	if in.Architectures != nil {
+		in, out := &in.Architectures, &out.Architectures
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CodeSigningConfigArn != nil {
+		in, out := &in.CodeSigningConfigArn, &out.CodeSigningConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeadLetterConfig != nil {
+		in, out := &in.DeadLetterConfig, &out.DeadLetterConfig
+		*out = make([]DeadLetterConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Environment != nil {
+		in, out := &in.Environment, &out.Environment
+		*out = make([]EnvironmentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EphemeralStorage != nil {
+		in, out := &in.EphemeralStorage, &out.EphemeralStorage
+		*out = make([]EphemeralStorageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FileSystemConfig != nil {
+		in, out := &in.FileSystemConfig, &out.FileSystemConfig
+		*out = make([]FileSystemConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.Handler != nil {
+		in, out := &in.Handler, &out.Handler
 		*out = new(string)
 		**out = **in
 	}
@@ -1438,16 +1845,59 @@ func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageConfig != nil {
+		in, out := &in.ImageConfig, &out.ImageConfig
+		*out = make([]ImageConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ImageURI != nil {
+		in, out := &in.ImageURI, &out.ImageURI
+		*out = new(string)
+		**out = **in
+	}
 	if in.InvokeArn != nil {
 		in, out := &in.InvokeArn, &out.InvokeArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.LastModified != nil {
 		in, out := &in.LastModified, &out.LastModified
 		*out = new(string)
 		**out = **in
 	}
+	if in.Layers != nil {
+		in, out := &in.Layers, &out.Layers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MemorySize != nil {
+		in, out := &in.MemorySize, &out.MemorySize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PackageType != nil {
+		in, out := &in.PackageType, &out.PackageType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Publish != nil {
+		in, out := &in.Publish, &out.Publish
+		*out = new(bool)
+		**out = **in
+	}
 	if in.QualifiedArn != nil {
 		in, out := &in.QualifiedArn, &out.QualifiedArn
 		*out = new(string)
@@ -1458,6 +1908,52 @@ func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReplaceSecurityGroupsOnDestroy != nil {
+		in, out := &in.ReplaceSecurityGroupsOnDestroy, &out.ReplaceSecurityGroupsOnDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ReplacementSecurityGroupIds != nil {
+		in, out := &in.ReplacementSecurityGroupIds, &out.ReplacementSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ReservedConcurrentExecutions != nil {
+		in, out := &in.ReservedConcurrentExecutions, &out.ReservedConcurrentExecutions
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
+	if in.Runtime != nil {
+		in, out := &in.Runtime, &out.Runtime
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Bucket != nil {
+		in, out := &in.S3Bucket, &out.S3Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Key != nil {
+		in, out := &in.S3Key, &out.S3Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3ObjectVersion != nil {
+		in, out := &in.S3ObjectVersion, &out.S3ObjectVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.SigningJobArn != nil {
 		in, out := &in.SigningJobArn, &out.SigningJobArn
 		*out = new(string)
@@ -1475,11 +1971,31 @@ func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.SourceCodeHash != nil {
+		in, out := &in.SourceCodeHash, &out.SourceCodeHash
+		*out = new(string)
+		**out = **in
+	}
 	if in.SourceCodeSize != nil {
 		in, out := &in.SourceCodeSize, &out.SourceCodeSize
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1495,6 +2011,18 @@ func (in *FunctionObservation) DeepCopyInto(out *FunctionObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Timeout != nil {
+		in, out := &in.Timeout, &out.Timeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TracingConfig != nil {
+		in, out := &in.TracingConfig, &out.TracingConfig
+		*out = make([]TracingConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.VPCConfig != nil {
 		in, out := &in.VPCConfig, &out.VPCConfig
 		*out = make([]VPCConfigObservation, len(*in))
@@ -1866,11 +2394,28 @@ func (in *FunctionURLList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FunctionURLObservation) DeepCopyInto(out *FunctionURLObservation) {
 	*out = *in
+	if in.AuthorizationType != nil {
+		in, out := &in.AuthorizationType, &out.AuthorizationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Cors != nil {
+		in, out := &in.Cors, &out.Cors
+		*out = make([]CorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.FunctionArn != nil {
 		in, out := &in.FunctionArn, &out.FunctionArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.FunctionName != nil {
+		in, out := &in.FunctionName, &out.FunctionName
+		*out = new(string)
+		**out = **in
+	}
 	if in.FunctionURL != nil {
 		in, out := &in.FunctionURL, &out.FunctionURL
 		*out = new(string)
@@ -1881,6 +2426,11 @@ func (in *FunctionURLObservation) DeepCopyInto(out *FunctionURLObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Qualifier != nil {
+		in, out := &in.Qualifier, &out.Qualifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.URLID != nil {
 		in, out := &in.URLID, &out.URLID
 		*out = new(string)
@@ -1987,6 +2537,33 @@ func (in *FunctionURLStatus) DeepCopy() *FunctionURLStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageConfigObservation) DeepCopyInto(out *ImageConfigObservation) {
 	*out = *in
+	if in.Command != nil {
+		in, out := &in.Command, &out.Command
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.EntryPoint != nil {
+		in, out := &in.EntryPoint, &out.EntryPoint
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.WorkingDirectory != nil {
+		in, out := &in.WorkingDirectory, &out.WorkingDirectory
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageConfigObservation.
@@ -2103,16 +2680,46 @@ func (in *InvocationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InvocationObservation) DeepCopyInto(out *InvocationObservation) {
 	*out = *in
+	if in.FunctionName != nil {
+		in, out := &in.FunctionName, &out.FunctionName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Input != nil {
+		in, out := &in.Input, &out.Input
+		*out = new(string)
+		**out = **in
+	}
+	if in.Qualifier != nil {
+		in, out := &in.Qualifier, &out.Qualifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.Result != nil {
 		in, out := &in.Result, &out.Result
 		*out = new(string)
 		**out = **in
 	}
+	if in.Triggers != nil {
+		in, out := &in.Triggers, &out.Triggers
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InvocationObservation.
@@ -2275,19 +2882,51 @@ func (in *LayerVersionList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *LayerVersionObservation) DeepCopyInto(out *LayerVersionObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *LayerVersionObservation) DeepCopyInto(out *LayerVersionObservation) {
+	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CompatibleArchitectures != nil {
+		in, out := &in.CompatibleArchitectures, &out.CompatibleArchitectures
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CompatibleRuntimes != nil {
+		in, out := &in.CompatibleRuntimes, &out.CompatibleRuntimes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CreatedDate != nil {
+		in, out := &in.CreatedDate, &out.CreatedDate
 		*out = new(string)
 		**out = **in
 	}
-	if in.CreatedDate != nil {
-		in, out := &in.CreatedDate, &out.CreatedDate
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filename != nil {
+		in, out := &in.Filename, &out.Filename
 		*out = new(string)
 		**out = **in
 	}
@@ -2301,6 +2940,31 @@ func (in *LayerVersionObservation) DeepCopyInto(out *LayerVersionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LayerName != nil {
+		in, out := &in.LayerName, &out.LayerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LicenseInfo != nil {
+		in, out := &in.LicenseInfo, &out.LicenseInfo
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Bucket != nil {
+		in, out := &in.S3Bucket, &out.S3Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Key != nil {
+		in, out := &in.S3Key, &out.S3Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3ObjectVersion != nil {
+		in, out := &in.S3ObjectVersion, &out.S3ObjectVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.SigningJobArn != nil {
 		in, out := &in.SigningJobArn, &out.SigningJobArn
 		*out = new(string)
@@ -2311,6 +2975,16 @@ func (in *LayerVersionObservation) DeepCopyInto(out *LayerVersionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SourceCodeHash != nil {
+		in, out := &in.SourceCodeHash, &out.SourceCodeHash
+		*out = new(string)
+		**out = **in
+	}
 	if in.SourceCodeSize != nil {
 		in, out := &in.SourceCodeSize, &out.SourceCodeSize
 		*out = new(float64)
@@ -2482,21 +3156,51 @@ func (in *LayerVersionPermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LayerVersionPermissionObservation) DeepCopyInto(out *LayerVersionPermissionObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LayerName != nil {
+		in, out := &in.LayerName, &out.LayerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OrganizationID != nil {
+		in, out := &in.OrganizationID, &out.OrganizationID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(string)
 		**out = **in
 	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
 	if in.RevisionID != nil {
 		in, out := &in.RevisionID, &out.RevisionID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StatementID != nil {
+		in, out := &in.StatementID, &out.StatementID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VersionNumber != nil {
+		in, out := &in.VersionNumber, &out.VersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LayerVersionPermissionObservation.
@@ -2630,6 +3334,11 @@ func (in *LayerVersionStatus) DeepCopy() *LayerVersionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnFailureObservation) DeepCopyInto(out *OnFailureObservation) {
 	*out = *in
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnFailureObservation.
@@ -2665,6 +3374,11 @@ func (in *OnFailureParameters) DeepCopy() *OnFailureParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnSuccessObservation) DeepCopyInto(out *OnSuccessObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnSuccessObservation.
@@ -2769,11 +3483,66 @@ func (in *PermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PermissionObservation) DeepCopyInto(out *PermissionObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventSourceToken != nil {
+		in, out := &in.EventSourceToken, &out.EventSourceToken
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionName != nil {
+		in, out := &in.FunctionName, &out.FunctionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionURLAuthType != nil {
+		in, out := &in.FunctionURLAuthType, &out.FunctionURLAuthType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalOrgID != nil {
+		in, out := &in.PrincipalOrgID, &out.PrincipalOrgID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Qualifier != nil {
+		in, out := &in.Qualifier, &out.Qualifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceAccount != nil {
+		in, out := &in.SourceAccount, &out.SourceAccount
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceArn != nil {
+		in, out := &in.SourceArn, &out.SourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatementID != nil {
+		in, out := &in.StatementID, &out.StatementID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatementIDPrefix != nil {
+		in, out := &in.StatementIDPrefix, &out.StatementIDPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionObservation.
@@ -2918,6 +3687,11 @@ func (in *PermissionStatus) DeepCopy() *PermissionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PoliciesObservation) DeepCopyInto(out *PoliciesObservation) {
 	*out = *in
+	if in.UntrustedArtifactOnDeployment != nil {
+		in, out := &in.UntrustedArtifactOnDeployment, &out.UntrustedArtifactOnDeployment
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PoliciesObservation.
@@ -3012,11 +3786,26 @@ func (in *ProvisionedConcurrencyConfigList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProvisionedConcurrencyConfigObservation) DeepCopyInto(out *ProvisionedConcurrencyConfigObservation) {
 	*out = *in
+	if in.FunctionName != nil {
+		in, out := &in.FunctionName, &out.FunctionName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProvisionedConcurrentExecutions != nil {
+		in, out := &in.ProvisionedConcurrentExecutions, &out.ProvisionedConcurrentExecutions
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Qualifier != nil {
+		in, out := &in.Qualifier, &out.Qualifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisionedConcurrencyConfigObservation.
@@ -3101,6 +3890,21 @@ func (in *ProvisionedConcurrencyConfigStatus) DeepCopy() *ProvisionedConcurrency
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RoutingConfigObservation) DeepCopyInto(out *RoutingConfigObservation) {
 	*out = *in
+	if in.AdditionalVersionWeights != nil {
+		in, out := &in.AdditionalVersionWeights, &out.AdditionalVersionWeights
+		*out = make(map[string]*float64, len(*in))
+		for key, val := range *in {
+			var outVal *float64
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(float64)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoutingConfigObservation.
@@ -3146,6 +3950,11 @@ func (in *RoutingConfigParameters) DeepCopy() *RoutingConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScalingConfigObservation) DeepCopyInto(out *ScalingConfigObservation) {
 	*out = *in
+	if in.MaximumConcurrency != nil {
+		in, out := &in.MaximumConcurrency, &out.MaximumConcurrency
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalingConfigObservation.
@@ -3181,6 +3990,21 @@ func (in *ScalingConfigParameters) DeepCopy() *ScalingConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelfManagedEventSourceObservation) DeepCopyInto(out *SelfManagedEventSourceObservation) {
 	*out = *in
+	if in.Endpoints != nil {
+		in, out := &in.Endpoints, &out.Endpoints
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfManagedEventSourceObservation.
@@ -3226,6 +4050,11 @@ func (in *SelfManagedEventSourceParameters) DeepCopy() *SelfManagedEventSourcePa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelfManagedKafkaEventSourceConfigObservation) DeepCopyInto(out *SelfManagedKafkaEventSourceConfigObservation) {
 	*out = *in
+	if in.ConsumerGroupID != nil {
+		in, out := &in.ConsumerGroupID, &out.ConsumerGroupID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfManagedKafkaEventSourceConfigObservation.
@@ -3261,6 +4090,11 @@ func (in *SelfManagedKafkaEventSourceConfigParameters) DeepCopy() *SelfManagedKa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapStartObservation) DeepCopyInto(out *SnapStartObservation) {
 	*out = *in
+	if in.ApplyOn != nil {
+		in, out := &in.ApplyOn, &out.ApplyOn
+		*out = new(string)
+		**out = **in
+	}
 	if in.OptimizationStatus != nil {
 		in, out := &in.OptimizationStatus, &out.OptimizationStatus
 		*out = new(string)
@@ -3301,6 +4135,16 @@ func (in *SnapStartParameters) DeepCopy() *SnapStartParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceAccessConfigurationObservation) DeepCopyInto(out *SourceAccessConfigurationObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceAccessConfigurationObservation.
@@ -3341,6 +4185,11 @@ func (in *SourceAccessConfigurationParameters) DeepCopy() *SourceAccessConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TracingConfigObservation) DeepCopyInto(out *TracingConfigObservation) {
 	*out = *in
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TracingConfigObservation.
@@ -3376,6 +4225,28 @@ func (in *TracingConfigParameters) DeepCopy() *TracingConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigObservation) DeepCopyInto(out *VPCConfigObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
diff --git a/apis/lambda/v1beta1/zz_invocation_types.go b/apis/lambda/v1beta1/zz_invocation_types.go
index 7aeacee22e..c5fcdcaf5f 100755
--- a/apis/lambda/v1beta1/zz_invocation_types.go
+++ b/apis/lambda/v1beta1/zz_invocation_types.go
@@ -14,10 +14,23 @@ import (
 )
 
 type InvocationObservation struct {
+
+	// Name of the lambda function.
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// JSON payload to the lambda function.
+	Input *string `json:"input,omitempty" tf:"input,omitempty"`
+
+	// Qualifier (i.e., version) of the lambda function. Defaults to $LATEST.
+	Qualifier *string `json:"qualifier,omitempty" tf:"qualifier,omitempty"`
+
 	// String result of the lambda function invocation.
 	Result *string `json:"result,omitempty" tf:"result,omitempty"`
+
+	// Map of arbitrary keys and values that, when changed, will trigger a re-invocation.
+	Triggers map[string]*string `json:"triggers,omitempty" tf:"triggers,omitempty"`
 }
 
 type InvocationParameters struct {
@@ -36,8 +49,8 @@ type InvocationParameters struct {
 	FunctionNameSelector *v1.Selector `json:"functionNameSelector,omitempty" tf:"-"`
 
 	// JSON payload to the lambda function.
-	// +kubebuilder:validation:Required
-	Input *string `json:"input" tf:"input,omitempty"`
+	// +kubebuilder:validation:Optional
+	Input *string `json:"input,omitempty" tf:"input,omitempty"`
 
 	// Qualifier (i.e., version) of the lambda function. Defaults to $LATEST.
 	// +kubebuilder:validation:Optional
@@ -77,8 +90,9 @@ type InvocationStatus struct {
 type Invocation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InvocationSpec   `json:"spec"`
-	Status            InvocationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.input)",message="input is a required parameter"
+	Spec   InvocationSpec   `json:"spec"`
+	Status InvocationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_layerversion_types.go b/apis/lambda/v1beta1/zz_layerversion_types.go
index e2818cc2a8..01778dbd96 100755
--- a/apis/lambda/v1beta1/zz_layerversion_types.go
+++ b/apis/lambda/v1beta1/zz_layerversion_types.go
@@ -18,20 +18,53 @@ type LayerVersionObservation struct {
 	// ARN of the Lambda Layer with version.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of Architectures this layer is compatible with. Currently x86_64 and arm64 can be specified.
+	CompatibleArchitectures []*string `json:"compatibleArchitectures,omitempty" tf:"compatible_architectures,omitempty"`
+
+	// List of Runtimes this layer is compatible with. Up to 5 runtimes can be specified.
+	CompatibleRuntimes []*string `json:"compatibleRuntimes,omitempty" tf:"compatible_runtimes,omitempty"`
+
 	// Date this resource was created.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// Description of what your Lambda Layer does.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// prefixed options cannot be used.
+	Filename *string `json:"filename,omitempty" tf:"filename,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// ARN of the Lambda Layer without version.
 	LayerArn *string `json:"layerArn,omitempty" tf:"layer_arn,omitempty"`
 
+	// Unique name for your Lambda Layer
+	LayerName *string `json:"layerName,omitempty" tf:"layer_name,omitempty"`
+
+	// License info for your Lambda Layer. See License Info.
+	LicenseInfo *string `json:"licenseInfo,omitempty" tf:"license_info,omitempty"`
+
+	// S3 bucket location containing the function's deployment package. Conflicts with filename. This bucket must reside in the same AWS region where you are creating the Lambda function.
+	S3Bucket *string `json:"s3Bucket,omitempty" tf:"s3_bucket,omitempty"`
+
+	// S3 key of an object containing the function's deployment package. Conflicts with filename.
+	S3Key *string `json:"s3Key,omitempty" tf:"s3_key,omitempty"`
+
+	// Object version containing the function's deployment package. Conflicts with filename.
+	S3ObjectVersion *string `json:"s3ObjectVersion,omitempty" tf:"s3_object_version,omitempty"`
+
 	// ARN of a signing job.
 	SigningJobArn *string `json:"signingJobArn,omitempty" tf:"signing_job_arn,omitempty"`
 
 	// ARN for a signing profile version.
 	SigningProfileVersionArn *string `json:"signingProfileVersionArn,omitempty" tf:"signing_profile_version_arn,omitempty"`
 
+	// Whether to retain the old version of a previously deployed Lambda Layer. Default is false. When this is not set to true, changing any of compatible_architectures, compatible_runtimes, description, filename, layer_name, license_info, s3_bucket, s3_key, s3_object_version, or source_code_hash forces deletion of the existing layer version and creation of a new layer version.
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// Used to trigger updates. Must be set to a base64-encoded SHA256 hash of the package file specified with either filename or s3_key. The usual way to set this is ${filebase64sha256("file.11.12 or later) or ${base64sha256(file("file.11.11 and earlier), where "file.zip" is the local filename of the lambda layer source archive.
+	SourceCodeHash *string `json:"sourceCodeHash,omitempty" tf:"source_code_hash,omitempty"`
+
 	// Size in bytes of the function .zip file.
 	SourceCodeSize *float64 `json:"sourceCodeSize,omitempty" tf:"source_code_size,omitempty"`
 
@@ -58,8 +91,8 @@ type LayerVersionParameters struct {
 	Filename *string `json:"filename,omitempty" tf:"filename,omitempty"`
 
 	// Unique name for your Lambda Layer
-	// +kubebuilder:validation:Required
-	LayerName *string `json:"layerName" tf:"layer_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	LayerName *string `json:"layerName,omitempty" tf:"layer_name,omitempty"`
 
 	// License info for your Lambda Layer. See License Info.
 	// +kubebuilder:validation:Optional
@@ -115,8 +148,9 @@ type LayerVersionStatus struct {
 type LayerVersion struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LayerVersionSpec   `json:"spec"`
-	Status            LayerVersionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.layerName)",message="layerName is a required parameter"
+	Spec   LayerVersionSpec   `json:"spec"`
+	Status LayerVersionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_layerversionpermission_types.go b/apis/lambda/v1beta1/zz_layerversionpermission_types.go
index 24a3c681f1..f7b5a100da 100755
--- a/apis/lambda/v1beta1/zz_layerversionpermission_types.go
+++ b/apis/lambda/v1beta1/zz_layerversionpermission_types.go
@@ -15,33 +15,51 @@ import (
 
 type LayerVersionPermissionObservation struct {
 
+	// Action, which will be allowed. lambda:GetLayerVersion value is suggested by AWS documantation.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
 	// The layer_name and version_number, separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name or ARN of the Lambda Layer, which you want to grant access to.
+	LayerName *string `json:"layerName,omitempty" tf:"layer_name,omitempty"`
+
+	// An identifier of AWS Organization, which should be able to use your Lambda Layer. principal should be equal to * if organization_id provided.
+	OrganizationID *string `json:"organizationId,omitempty" tf:"organization_id,omitempty"`
+
 	// Full Lambda Layer Permission policy.
 	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
+	// AWS account ID which should be able to use your Lambda Layer. * can be used here, if you want to share your Lambda Layer widely.
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
+
 	// A unique identifier for the current revision of the policy.
 	RevisionID *string `json:"revisionId,omitempty" tf:"revision_id,omitempty"`
+
+	// The name of Lambda Layer Permission, for example dev-account - human readable note about what is this permission for.
+	StatementID *string `json:"statementId,omitempty" tf:"statement_id,omitempty"`
+
+	// Version of Lambda Layer, which you want to grant access to. Note: permissions only apply to a single version of a layer.
+	VersionNumber *float64 `json:"versionNumber,omitempty" tf:"version_number,omitempty"`
 }
 
 type LayerVersionPermissionParameters struct {
 
 	// Action, which will be allowed. lambda:GetLayerVersion value is suggested by AWS documantation.
-	// +kubebuilder:validation:Required
-	Action *string `json:"action" tf:"action,omitempty"`
+	// +kubebuilder:validation:Optional
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
 
 	// The name or ARN of the Lambda Layer, which you want to grant access to.
-	// +kubebuilder:validation:Required
-	LayerName *string `json:"layerName" tf:"layer_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	LayerName *string `json:"layerName,omitempty" tf:"layer_name,omitempty"`
 
 	// An identifier of AWS Organization, which should be able to use your Lambda Layer. principal should be equal to * if organization_id provided.
 	// +kubebuilder:validation:Optional
 	OrganizationID *string `json:"organizationId,omitempty" tf:"organization_id,omitempty"`
 
 	// AWS account ID which should be able to use your Lambda Layer. * can be used here, if you want to share your Lambda Layer widely.
-	// +kubebuilder:validation:Required
-	Principal *string `json:"principal" tf:"principal,omitempty"`
+	// +kubebuilder:validation:Optional
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -49,12 +67,12 @@ type LayerVersionPermissionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The name of Lambda Layer Permission, for example dev-account - human readable note about what is this permission for.
-	// +kubebuilder:validation:Required
-	StatementID *string `json:"statementId" tf:"statement_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	StatementID *string `json:"statementId,omitempty" tf:"statement_id,omitempty"`
 
 	// Version of Lambda Layer, which you want to grant access to. Note: permissions only apply to a single version of a layer.
-	// +kubebuilder:validation:Required
-	VersionNumber *float64 `json:"versionNumber" tf:"version_number,omitempty"`
+	// +kubebuilder:validation:Optional
+	VersionNumber *float64 `json:"versionNumber,omitempty" tf:"version_number,omitempty"`
 }
 
 // LayerVersionPermissionSpec defines the desired state of LayerVersionPermission
@@ -81,8 +99,13 @@ type LayerVersionPermissionStatus struct {
 type LayerVersionPermission struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LayerVersionPermissionSpec   `json:"spec"`
-	Status            LayerVersionPermissionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)",message="action is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.layerName)",message="layerName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)",message="principal is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statementId)",message="statementId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.versionNumber)",message="versionNumber is a required parameter"
+	Spec   LayerVersionPermissionSpec   `json:"spec"`
+	Status LayerVersionPermissionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_permission_types.go b/apis/lambda/v1beta1/zz_permission_types.go
index 58c6407fe2..fe6bd2ef3e 100755
--- a/apis/lambda/v1beta1/zz_permission_types.go
+++ b/apis/lambda/v1beta1/zz_permission_types.go
@@ -14,14 +14,52 @@ import (
 )
 
 type PermissionObservation struct {
+
+	// The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
+	// The Event Source Token to validate.  Used with Alexa Skills.
+	EventSourceToken *string `json:"eventSourceToken,omitempty" tf:"event_source_token,omitempty"`
+
+	// Name of the Lambda function whose resource policy you are updating
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
+
+	// Lambda Function URLs authentication type. Valid values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl action.
+	FunctionURLAuthType *string `json:"functionUrlAuthType,omitempty" tf:"function_url_auth_type,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
+
+	// The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
+	PrincipalOrgID *string `json:"principalOrgId,omitempty" tf:"principal_org_id,omitempty"`
+
+	// Query parameter to specify function version or alias name. The permission will then apply to the specific qualified ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
+	Qualifier *string `json:"qualifier,omitempty" tf:"qualifier,omitempty"`
+
+	// This parameter is used when allowing cross-account access, or for S3 and SES. The AWS account ID (without a hyphen) of the source owner.
+	SourceAccount *string `json:"sourceAccount,omitempty" tf:"source_account,omitempty"`
+
+	// When the principal is an AWS service, the ARN of the specific resource within that service to grant permission to.
+	// Without this, any resource from principal will be granted permission – even if that resource is from another account.
+	// For S3, this should be the ARN of the S3 Bucket.
+	// For EventBridge events, this should be the ARN of the EventBridge Rule.
+	// For API Gateway, this should be the ARN of the API, as described here.
+	SourceArn *string `json:"sourceArn,omitempty" tf:"source_arn,omitempty"`
+
+	// A unique statement identifier.
+	StatementID *string `json:"statementId,omitempty" tf:"statement_id,omitempty"`
+
+	// A statement identifier prefix. Conflicts with statement_id.
+	StatementIDPrefix *string `json:"statementIdPrefix,omitempty" tf:"statement_id_prefix,omitempty"`
 }
 
 type PermissionParameters struct {
 
 	// The AWS Lambda action you want to allow in this statement. (e.g., lambda:InvokeFunction)
-	// +kubebuilder:validation:Required
-	Action *string `json:"action" tf:"action,omitempty"`
+	// +kubebuilder:validation:Optional
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
 
 	// The Event Source Token to validate.  Used with Alexa Skills.
 	// +kubebuilder:validation:Optional
@@ -45,8 +83,8 @@ type PermissionParameters struct {
 	FunctionURLAuthType *string `json:"functionUrlAuthType,omitempty" tf:"function_url_auth_type,omitempty"`
 
 	// The principal who is getting this permission e.g., s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
-	// +kubebuilder:validation:Required
-	Principal *string `json:"principal" tf:"principal,omitempty"`
+	// +kubebuilder:validation:Optional
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 
 	// The identifier for your organization in AWS Organizations. Use this to grant permissions to all the AWS accounts under this organization.
 	// +kubebuilder:validation:Optional
@@ -115,8 +153,10 @@ type PermissionStatus struct {
 type Permission struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PermissionSpec   `json:"spec"`
-	Status            PermissionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)",message="action is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)",message="principal is a required parameter"
+	Spec   PermissionSpec   `json:"spec"`
+	Status PermissionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lambda/v1beta1/zz_provisionedconcurrencyconfig_types.go b/apis/lambda/v1beta1/zz_provisionedconcurrencyconfig_types.go
index dfdd2bd1d4..d2fedf0926 100755
--- a/apis/lambda/v1beta1/zz_provisionedconcurrencyconfig_types.go
+++ b/apis/lambda/v1beta1/zz_provisionedconcurrencyconfig_types.go
@@ -15,23 +15,32 @@ import (
 
 type ProvisionedConcurrencyConfigObservation struct {
 
+	// Name or Amazon Resource Name (ARN) of the Lambda Function.
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
+
 	// Lambda Function name and qualifier separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amount of capacity to allocate. Must be greater than or equal to 1.
+	ProvisionedConcurrentExecutions *float64 `json:"provisionedConcurrentExecutions,omitempty" tf:"provisioned_concurrent_executions,omitempty"`
+
+	// Lambda Function version or Lambda Alias name.
+	Qualifier *string `json:"qualifier,omitempty" tf:"qualifier,omitempty"`
 }
 
 type ProvisionedConcurrencyConfigParameters struct {
 
 	// Name or Amazon Resource Name (ARN) of the Lambda Function.
-	// +kubebuilder:validation:Required
-	FunctionName *string `json:"functionName" tf:"function_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	FunctionName *string `json:"functionName,omitempty" tf:"function_name,omitempty"`
 
 	// Amount of capacity to allocate. Must be greater than or equal to 1.
-	// +kubebuilder:validation:Required
-	ProvisionedConcurrentExecutions *float64 `json:"provisionedConcurrentExecutions" tf:"provisioned_concurrent_executions,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProvisionedConcurrentExecutions *float64 `json:"provisionedConcurrentExecutions,omitempty" tf:"provisioned_concurrent_executions,omitempty"`
 
 	// Lambda Function version or Lambda Alias name.
-	// +kubebuilder:validation:Required
-	Qualifier *string `json:"qualifier" tf:"qualifier,omitempty"`
+	// +kubebuilder:validation:Optional
+	Qualifier *string `json:"qualifier,omitempty" tf:"qualifier,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -63,8 +72,11 @@ type ProvisionedConcurrencyConfigStatus struct {
 type ProvisionedConcurrencyConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProvisionedConcurrencyConfigSpec   `json:"spec"`
-	Status            ProvisionedConcurrencyConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.functionName)",message="functionName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.provisionedConcurrentExecutions)",message="provisionedConcurrentExecutions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.qualifier)",message="qualifier is a required parameter"
+	Spec   ProvisionedConcurrencyConfigSpec   `json:"spec"`
+	Status ProvisionedConcurrencyConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lexmodels/v1beta1/zz_bot_types.go b/apis/lexmodels/v1beta1/zz_bot_types.go
index 0e476eb194..afee9f82c5 100755
--- a/apis/lexmodels/v1beta1/zz_bot_types.go
+++ b/apis/lexmodels/v1beta1/zz_bot_types.go
@@ -14,6 +14,16 @@ import (
 )
 
 type AbortStatementObservation struct {
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message.
+	Message []MessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type AbortStatementParameters struct {
@@ -32,23 +42,60 @@ type AbortStatementParameters struct {
 }
 
 type BotObservation struct {
+
+	// The message that Amazon Lex uses to abort a conversation. Attributes are documented under statement.
+	AbortStatement []AbortStatementObservation `json:"abortStatement,omitempty" tf:"abort_statement,omitempty"`
+
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Checksum identifying the version of the bot that was created. The checksum is not
 	// included as an argument because the resource will add it automatically when updating the bot.
 	Checksum *string `json:"checksum,omitempty" tf:"checksum,omitempty"`
 
+	// By specifying true, you confirm that your use of Amazon Lex is related to a website, program, or other application that is directed or targeted, in whole or in part, to children under age 13 and subject to COPPA. For more information see the Amazon Lex FAQ and the Amazon Lex PutBot API Docs.
+	ChildDirected *bool `json:"childDirected,omitempty" tf:"child_directed,omitempty"`
+
+	// The message that Amazon Lex uses when it doesn't understand the user's request. Attributes are documented under prompt.
+	ClarificationPrompt []ClarificationPromptObservation `json:"clarificationPrompt,omitempty" tf:"clarification_prompt,omitempty"`
+
+	// Determines if a new bot version is created when the initial resource is created and on each update. Defaults to false.
+	CreateVersion *bool `json:"createVersion,omitempty" tf:"create_version,omitempty"`
+
 	// The date when the bot version was created.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// A description of the bot. Must be less than or equal to 200 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// When set to true user utterances are sent to Amazon Comprehend for sentiment analysis. If you don't specify detectSentiment, the default is false.
+	DetectSentiment *bool `json:"detectSentiment,omitempty" tf:"detect_sentiment,omitempty"`
+
+	// Set to true to enable access to natural language understanding improvements. When you set the enable_model_improvements parameter to true you can use the nlu_intent_confidence_threshold parameter to configure confidence scores. For more information, see Confidence Scores. You can only set the enable_model_improvements parameter in certain Regions. If you set the parameter to true, your bot has access to accuracy improvements. For more information see the Amazon Lex Bot PutBot API Docs.
+	EnableModelImprovements *bool `json:"enableModelImprovements,omitempty" tf:"enable_model_improvements,omitempty"`
+
 	// If status is FAILED, Amazon Lex provides the reason that it failed to build the bot.
 	FailureReason *string `json:"failureReason,omitempty" tf:"failure_reason,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The maximum time in seconds that Amazon Lex retains the data gathered in a conversation. Default is 300. Must be a number between 60 and 86400 (inclusive).
+	IdleSessionTTLInSeconds *float64 `json:"idleSessionTtlInSeconds,omitempty" tf:"idle_session_ttl_in_seconds,omitempty"`
+
+	// A set of Intent objects. Each intent represents a command that a user can express. Attributes are documented under intent. Can have up to 250 Intent objects.
+	Intent []IntentObservation `json:"intent,omitempty" tf:"intent,omitempty"`
+
 	// The date when the $LATEST version of this bot was updated.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Specifies the target locale for the bot. Any intent used in the bot must be compatible with the locale of the bot. For available locales, see Amazon Lex Bot PutBot API Docs. Default is en-US.
+	Locale *string `json:"locale,omitempty" tf:"locale,omitempty"`
+
+	// Determines the threshold where Amazon Lex will insert the AMAZON.FallbackIntent, AMAZON.KendraSearchIntent, or both when returning alternative intents in a PostContent or PostText response. AMAZON.FallbackIntent and AMAZON.KendraSearchIntent are only inserted if they are configured for the bot. For more information see Amazon Lex Bot PutBot API Docs This value requires enable_model_improvements to be set to true and the default is 0. Must be a float between 0 and 1.
+	NluIntentConfidenceThreshold *float64 `json:"nluIntentConfidenceThreshold,omitempty" tf:"nlu_intent_confidence_threshold,omitempty"`
+
+	// If you set the process_behavior element to BUILD, Amazon Lex builds the bot so that it can be run. If you set the element to SAVE Amazon Lex saves the bot, but doesn't build it. Default is SAVE.
+	ProcessBehavior *string `json:"processBehavior,omitempty" tf:"process_behavior,omitempty"`
+
 	// When you send a request to create or update a bot, Amazon Lex sets the status response
 	// element to BUILDING. After Amazon Lex builds the bot, it sets status to READY. If Amazon Lex can't
 	// build the bot, it sets status to FAILED. Amazon Lex returns the reason for the failure in the
@@ -57,17 +104,20 @@ type BotObservation struct {
 
 	// The version of the bot.
 	Version *string `json:"version,omitempty" tf:"version,omitempty"`
+
+	// The Amazon Polly voice ID that you want Amazon Lex to use for voice interactions with the user. The locale configured for the voice must match the locale of the bot. For more information, see Available Voices in the Amazon Polly Developer Guide.
+	VoiceID *string `json:"voiceId,omitempty" tf:"voice_id,omitempty"`
 }
 
 type BotParameters struct {
 
 	// The message that Amazon Lex uses to abort a conversation. Attributes are documented under statement.
-	// +kubebuilder:validation:Required
-	AbortStatement []AbortStatementParameters `json:"abortStatement" tf:"abort_statement,omitempty"`
+	// +kubebuilder:validation:Optional
+	AbortStatement []AbortStatementParameters `json:"abortStatement,omitempty" tf:"abort_statement,omitempty"`
 
 	// By specifying true, you confirm that your use of Amazon Lex is related to a website, program, or other application that is directed or targeted, in whole or in part, to children under age 13 and subject to COPPA. For more information see the Amazon Lex FAQ and the Amazon Lex PutBot API Docs.
-	// +kubebuilder:validation:Required
-	ChildDirected *bool `json:"childDirected" tf:"child_directed,omitempty"`
+	// +kubebuilder:validation:Optional
+	ChildDirected *bool `json:"childDirected,omitempty" tf:"child_directed,omitempty"`
 
 	// The message that Amazon Lex uses when it doesn't understand the user's request. Attributes are documented under prompt.
 	// +kubebuilder:validation:Optional
@@ -94,8 +144,8 @@ type BotParameters struct {
 	IdleSessionTTLInSeconds *float64 `json:"idleSessionTtlInSeconds,omitempty" tf:"idle_session_ttl_in_seconds,omitempty"`
 
 	// A set of Intent objects. Each intent represents a command that a user can express. Attributes are documented under intent. Can have up to 250 Intent objects.
-	// +kubebuilder:validation:Required
-	Intent []IntentParameters `json:"intent" tf:"intent,omitempty"`
+	// +kubebuilder:validation:Optional
+	Intent []IntentParameters `json:"intent,omitempty" tf:"intent,omitempty"`
 
 	// Specifies the target locale for the bot. Any intent used in the bot must be compatible with the locale of the bot. For available locales, see Amazon Lex Bot PutBot API Docs. Default is en-US.
 	// +kubebuilder:validation:Optional
@@ -120,6 +170,16 @@ type BotParameters struct {
 }
 
 type ClarificationPromptMessageObservation struct {
+
+	// The text of the message.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response.
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type ClarificationPromptMessageParameters struct {
@@ -139,6 +199,19 @@ type ClarificationPromptMessageParameters struct {
 }
 
 type ClarificationPromptObservation struct {
+
+	// The number of times to prompt the user for information.
+	MaxAttempts *float64 `json:"maxAttempts,omitempty" tf:"max_attempts,omitempty"`
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message.
+	Message []ClarificationPromptMessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type ClarificationPromptParameters struct {
@@ -161,6 +234,12 @@ type ClarificationPromptParameters struct {
 }
 
 type IntentObservation struct {
+
+	// The name of the intent. Must be less than or equal to 100 characters in length.
+	IntentName *string `json:"intentName,omitempty" tf:"intent_name,omitempty"`
+
+	// The version of the intent. Must be less than or equal to 64 characters in length.
+	IntentVersion *string `json:"intentVersion,omitempty" tf:"intent_version,omitempty"`
 }
 
 type IntentParameters struct {
@@ -175,6 +254,16 @@ type IntentParameters struct {
 }
 
 type MessageObservation struct {
+
+	// The text of the message.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response.
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type MessageParameters struct {
@@ -217,8 +306,11 @@ type BotStatus struct {
 type Bot struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BotSpec   `json:"spec"`
-	Status            BotStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.abortStatement)",message="abortStatement is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.childDirected)",message="childDirected is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.intent)",message="intent is a required parameter"
+	Spec   BotSpec   `json:"spec"`
+	Status BotStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lexmodels/v1beta1/zz_botalias_types.go b/apis/lexmodels/v1beta1/zz_botalias_types.go
index 9b75b050a3..40fd276ccd 100755
--- a/apis/lexmodels/v1beta1/zz_botalias_types.go
+++ b/apis/lexmodels/v1beta1/zz_botalias_types.go
@@ -18,16 +18,24 @@ type BotAliasObservation struct {
 	// The ARN of the bot alias.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The name of the bot.
+	BotName *string `json:"botName,omitempty" tf:"bot_name,omitempty"`
+
+	// The name of the bot.
+	BotVersion *string `json:"botVersion,omitempty" tf:"bot_version,omitempty"`
+
 	// Checksum of the bot alias.
 	Checksum *string `json:"checksum,omitempty" tf:"checksum,omitempty"`
 
 	// The settings that determine how Amazon Lex uses conversation logs for the alias. Attributes are documented under conversation_logs.
-	// +kubebuilder:validation:Optional
 	ConversationLogs []ConversationLogsObservation `json:"conversationLogs,omitempty" tf:"conversation_logs,omitempty"`
 
 	// The date that the bot alias was created.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// A description of the alias. Must be less than or equal to 200 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date that the bot alias was updated. When you create a resource, the creation date and the last updated date are the same.
@@ -37,12 +45,12 @@ type BotAliasObservation struct {
 type BotAliasParameters struct {
 
 	// The name of the bot.
-	// +kubebuilder:validation:Required
-	BotName *string `json:"botName" tf:"bot_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	BotName *string `json:"botName,omitempty" tf:"bot_name,omitempty"`
 
 	// The name of the bot.
-	// +kubebuilder:validation:Required
-	BotVersion *string `json:"botVersion" tf:"bot_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	BotVersion *string `json:"botVersion,omitempty" tf:"bot_version,omitempty"`
 
 	// The settings that determine how Amazon Lex uses conversation logs for the alias. Attributes are documented under conversation_logs.
 	// +kubebuilder:validation:Optional
@@ -60,8 +68,10 @@ type BotAliasParameters struct {
 
 type ConversationLogsObservation struct {
 
+	// The Amazon Resource Name (ARN) of the IAM role used to write your logs to CloudWatch Logs or an S3 bucket. Must be between 20 and 2048 characters in length.
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	// The settings for your conversation logs. You can log text, audio, or both. Attributes are documented under log_settings.
-	// +kubebuilder:validation:Optional
 	LogSettings []LogSettingsObservation `json:"logSettings,omitempty" tf:"log_settings,omitempty"`
 }
 
@@ -78,6 +88,18 @@ type ConversationLogsParameters struct {
 
 type LogSettingsObservation struct {
 
+	// The destination where logs are delivered. Options are CLOUDWATCH_LOGS or S3.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the key used to encrypt audio logs in an S3 bucket. This can only be specified when destination is set to S3. Must be between 20 and 2048 characters in length.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// The type of logging that is enabled. Options are AUDIO or TEXT.
+	LogType *string `json:"logType,omitempty" tf:"log_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the CloudWatch Logs log group or S3 bucket where the logs are delivered. Must be less than or equal to 2048 characters in length.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
 	// (Computed) The prefix of the S3 object key for AUDIO logs or the log stream name for TEXT logs.
 	ResourcePrefix *string `json:"resourcePrefix,omitempty" tf:"resource_prefix,omitempty"`
 }
@@ -125,8 +147,10 @@ type BotAliasStatus struct {
 type BotAlias struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BotAliasSpec   `json:"spec"`
-	Status            BotAliasStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.botName)",message="botName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.botVersion)",message="botVersion is a required parameter"
+	Spec   BotAliasSpec   `json:"spec"`
+	Status BotAliasStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lexmodels/v1beta1/zz_generated.deepcopy.go b/apis/lexmodels/v1beta1/zz_generated.deepcopy.go
index e90ff66e2e..dafb4ee9d6 100644
--- a/apis/lexmodels/v1beta1/zz_generated.deepcopy.go
+++ b/apis/lexmodels/v1beta1/zz_generated.deepcopy.go
@@ -16,6 +16,18 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AbortStatementObservation) DeepCopyInto(out *AbortStatementObservation) {
 	*out = *in
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]MessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AbortStatementObservation.
@@ -149,6 +161,16 @@ func (in *BotAliasObservation) DeepCopyInto(out *BotAliasObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BotName != nil {
+		in, out := &in.BotName, &out.BotName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BotVersion != nil {
+		in, out := &in.BotVersion, &out.BotVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.Checksum != nil {
 		in, out := &in.Checksum, &out.Checksum
 		*out = new(string)
@@ -166,6 +188,11 @@ func (in *BotAliasObservation) DeepCopyInto(out *BotAliasObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -299,6 +326,13 @@ func (in *BotList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BotObservation) DeepCopyInto(out *BotObservation) {
 	*out = *in
+	if in.AbortStatement != nil {
+		in, out := &in.AbortStatement, &out.AbortStatement
+		*out = make([]AbortStatementObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -309,11 +343,43 @@ func (in *BotObservation) DeepCopyInto(out *BotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ChildDirected != nil {
+		in, out := &in.ChildDirected, &out.ChildDirected
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ClarificationPrompt != nil {
+		in, out := &in.ClarificationPrompt, &out.ClarificationPrompt
+		*out = make([]ClarificationPromptObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CreateVersion != nil {
+		in, out := &in.CreateVersion, &out.CreateVersion
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CreatedDate != nil {
 		in, out := &in.CreatedDate, &out.CreatedDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DetectSentiment != nil {
+		in, out := &in.DetectSentiment, &out.DetectSentiment
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableModelImprovements != nil {
+		in, out := &in.EnableModelImprovements, &out.EnableModelImprovements
+		*out = new(bool)
+		**out = **in
+	}
 	if in.FailureReason != nil {
 		in, out := &in.FailureReason, &out.FailureReason
 		*out = new(string)
@@ -324,11 +390,38 @@ func (in *BotObservation) DeepCopyInto(out *BotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdleSessionTTLInSeconds != nil {
+		in, out := &in.IdleSessionTTLInSeconds, &out.IdleSessionTTLInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Intent != nil {
+		in, out := &in.Intent, &out.Intent
+		*out = make([]IntentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.LastUpdatedDate != nil {
 		in, out := &in.LastUpdatedDate, &out.LastUpdatedDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Locale != nil {
+		in, out := &in.Locale, &out.Locale
+		*out = new(string)
+		**out = **in
+	}
+	if in.NluIntentConfidenceThreshold != nil {
+		in, out := &in.NluIntentConfidenceThreshold, &out.NluIntentConfidenceThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ProcessBehavior != nil {
+		in, out := &in.ProcessBehavior, &out.ProcessBehavior
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -339,6 +432,11 @@ func (in *BotObservation) DeepCopyInto(out *BotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.VoiceID != nil {
+		in, out := &in.VoiceID, &out.VoiceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BotObservation.
@@ -479,6 +577,21 @@ func (in *BotStatus) DeepCopy() *BotStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClarificationPromptMessageObservation) DeepCopyInto(out *ClarificationPromptMessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClarificationPromptMessageObservation.
@@ -524,6 +637,23 @@ func (in *ClarificationPromptMessageParameters) DeepCopy() *ClarificationPromptM
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClarificationPromptObservation) DeepCopyInto(out *ClarificationPromptObservation) {
 	*out = *in
+	if in.MaxAttempts != nil {
+		in, out := &in.MaxAttempts, &out.MaxAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]ClarificationPromptMessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClarificationPromptObservation.
@@ -571,6 +701,16 @@ func (in *ClarificationPromptParameters) DeepCopy() *ClarificationPromptParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CodeHookObservation) DeepCopyInto(out *CodeHookObservation) {
 	*out = *in
+	if in.MessageVersion != nil {
+		in, out := &in.MessageVersion, &out.MessageVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CodeHookObservation.
@@ -611,6 +751,21 @@ func (in *CodeHookParameters) DeepCopy() *CodeHookParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConclusionStatementMessageObservation) DeepCopyInto(out *ConclusionStatementMessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConclusionStatementMessageObservation.
@@ -656,6 +811,18 @@ func (in *ConclusionStatementMessageParameters) DeepCopy() *ConclusionStatementM
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConclusionStatementObservation) DeepCopyInto(out *ConclusionStatementObservation) {
 	*out = *in
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]ConclusionStatementMessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConclusionStatementObservation.
@@ -698,6 +865,21 @@ func (in *ConclusionStatementParameters) DeepCopy() *ConclusionStatementParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfirmationPromptMessageObservation) DeepCopyInto(out *ConfirmationPromptMessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfirmationPromptMessageObservation.
@@ -743,6 +925,23 @@ func (in *ConfirmationPromptMessageParameters) DeepCopy() *ConfirmationPromptMes
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfirmationPromptObservation) DeepCopyInto(out *ConfirmationPromptObservation) {
 	*out = *in
+	if in.MaxAttempts != nil {
+		in, out := &in.MaxAttempts, &out.MaxAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]ConfirmationPromptMessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfirmationPromptObservation.
@@ -790,6 +989,11 @@ func (in *ConfirmationPromptParameters) DeepCopy() *ConfirmationPromptParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConversationLogsObservation) DeepCopyInto(out *ConversationLogsObservation) {
 	*out = *in
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.LogSettings != nil {
 		in, out := &in.LogSettings, &out.LogSettings
 		*out = make([]LogSettingsObservation, len(*in))
@@ -839,6 +1043,16 @@ func (in *ConversationLogsParameters) DeepCopy() *ConversationLogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DialogCodeHookObservation) DeepCopyInto(out *DialogCodeHookObservation) {
 	*out = *in
+	if in.MessageVersion != nil {
+		in, out := &in.MessageVersion, &out.MessageVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DialogCodeHookObservation.
@@ -879,6 +1093,22 @@ func (in *DialogCodeHookParameters) DeepCopy() *DialogCodeHookParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnumerationValueObservation) DeepCopyInto(out *EnumerationValueObservation) {
 	*out = *in
+	if in.Synonyms != nil {
+		in, out := &in.Synonyms, &out.Synonyms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnumerationValueObservation.
@@ -925,6 +1155,20 @@ func (in *EnumerationValueParameters) DeepCopy() *EnumerationValueParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FollowUpPromptObservation) DeepCopyInto(out *FollowUpPromptObservation) {
 	*out = *in
+	if in.Prompt != nil {
+		in, out := &in.Prompt, &out.Prompt
+		*out = make([]PromptObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RejectionStatement != nil {
+		in, out := &in.RejectionStatement, &out.RejectionStatement
+		*out = make([]RejectionStatementObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FollowUpPromptObservation.
@@ -969,6 +1213,18 @@ func (in *FollowUpPromptParameters) DeepCopy() *FollowUpPromptParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FulfillmentActivityObservation) DeepCopyInto(out *FulfillmentActivityObservation) {
 	*out = *in
+	if in.CodeHook != nil {
+		in, out := &in.CodeHook, &out.CodeHook
+		*out = make([]CodeHookObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FulfillmentActivityObservation.
@@ -1070,6 +1326,16 @@ func (in *IntentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntentObservation) DeepCopyInto(out *IntentObservation) {
 	*out = *in
+	if in.IntentName != nil {
+		in, out := &in.IntentName, &out.IntentName
+		*out = new(string)
+		**out = **in
+	}
+	if in.IntentVersion != nil {
+		in, out := &in.IntentVersion, &out.IntentVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntentObservation.
@@ -1095,11 +1361,56 @@ func (in *IntentObservation_2) DeepCopyInto(out *IntentObservation_2) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConclusionStatement != nil {
+		in, out := &in.ConclusionStatement, &out.ConclusionStatement
+		*out = make([]ConclusionStatementObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ConfirmationPrompt != nil {
+		in, out := &in.ConfirmationPrompt, &out.ConfirmationPrompt
+		*out = make([]ConfirmationPromptObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CreateVersion != nil {
+		in, out := &in.CreateVersion, &out.CreateVersion
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CreatedDate != nil {
 		in, out := &in.CreatedDate, &out.CreatedDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DialogCodeHook != nil {
+		in, out := &in.DialogCodeHook, &out.DialogCodeHook
+		*out = make([]DialogCodeHookObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FollowUpPrompt != nil {
+		in, out := &in.FollowUpPrompt, &out.FollowUpPrompt
+		*out = make([]FollowUpPromptObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FulfillmentActivity != nil {
+		in, out := &in.FulfillmentActivity, &out.FulfillmentActivity
+		*out = make([]FulfillmentActivityObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1110,6 +1421,36 @@ func (in *IntentObservation_2) DeepCopyInto(out *IntentObservation_2) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ParentIntentSignature != nil {
+		in, out := &in.ParentIntentSignature, &out.ParentIntentSignature
+		*out = new(string)
+		**out = **in
+	}
+	if in.RejectionStatement != nil {
+		in, out := &in.RejectionStatement, &out.RejectionStatement
+		*out = make([]IntentRejectionStatementObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SampleUtterances != nil {
+		in, out := &in.SampleUtterances, &out.SampleUtterances
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Slot != nil {
+		in, out := &in.Slot, &out.Slot
+		*out = make([]SlotObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(string)
@@ -1250,6 +1591,21 @@ func (in *IntentParameters_2) DeepCopy() *IntentParameters_2 {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntentRejectionStatementMessageObservation) DeepCopyInto(out *IntentRejectionStatementMessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntentRejectionStatementMessageObservation.
@@ -1295,6 +1651,18 @@ func (in *IntentRejectionStatementMessageParameters) DeepCopy() *IntentRejection
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IntentRejectionStatementObservation) DeepCopyInto(out *IntentRejectionStatementObservation) {
 	*out = *in
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]IntentRejectionStatementMessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IntentRejectionStatementObservation.
@@ -1371,6 +1739,26 @@ func (in *IntentStatus) DeepCopy() *IntentStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogSettingsObservation) DeepCopyInto(out *LogSettingsObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogType != nil {
+		in, out := &in.LogType, &out.LogType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourcePrefix != nil {
 		in, out := &in.ResourcePrefix, &out.ResourcePrefix
 		*out = new(string)
@@ -1426,6 +1814,21 @@ func (in *LogSettingsParameters) DeepCopy() *LogSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MessageObservation) DeepCopyInto(out *MessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MessageObservation.
@@ -1471,6 +1874,21 @@ func (in *MessageParameters) DeepCopy() *MessageParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PromptMessageObservation) DeepCopyInto(out *PromptMessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PromptMessageObservation.
@@ -1516,6 +1934,23 @@ func (in *PromptMessageParameters) DeepCopy() *PromptMessageParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PromptObservation) DeepCopyInto(out *PromptObservation) {
 	*out = *in
+	if in.MaxAttempts != nil {
+		in, out := &in.MaxAttempts, &out.MaxAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]PromptMessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PromptObservation.
@@ -1563,6 +1998,21 @@ func (in *PromptParameters) DeepCopy() *PromptParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RejectionStatementMessageObservation) DeepCopyInto(out *RejectionStatementMessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RejectionStatementMessageObservation.
@@ -1608,6 +2058,18 @@ func (in *RejectionStatementMessageParameters) DeepCopy() *RejectionStatementMes
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RejectionStatementObservation) DeepCopyInto(out *RejectionStatementObservation) {
 	*out = *in
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]RejectionStatementMessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RejectionStatementObservation.
@@ -1650,6 +2112,59 @@ func (in *RejectionStatementParameters) DeepCopy() *RejectionStatementParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SlotObservation) DeepCopyInto(out *SlotObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
+	if in.SampleUtterances != nil {
+		in, out := &in.SampleUtterances, &out.SampleUtterances
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SlotConstraint != nil {
+		in, out := &in.SlotConstraint, &out.SlotConstraint
+		*out = new(string)
+		**out = **in
+	}
+	if in.SlotType != nil {
+		in, out := &in.SlotType, &out.SlotType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SlotTypeVersion != nil {
+		in, out := &in.SlotTypeVersion, &out.SlotTypeVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValueElicitationPrompt != nil {
+		in, out := &in.ValueElicitationPrompt, &out.ValueElicitationPrompt
+		*out = make([]ValueElicitationPromptObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SlotObservation.
@@ -1797,11 +2312,28 @@ func (in *SlotTypeObservation) DeepCopyInto(out *SlotTypeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CreateVersion != nil {
+		in, out := &in.CreateVersion, &out.CreateVersion
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CreatedDate != nil {
 		in, out := &in.CreatedDate, &out.CreatedDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnumerationValue != nil {
+		in, out := &in.EnumerationValue, &out.EnumerationValue
+		*out = make([]EnumerationValueObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1812,6 +2344,11 @@ func (in *SlotTypeObservation) DeepCopyInto(out *SlotTypeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ValueSelectionStrategy != nil {
+		in, out := &in.ValueSelectionStrategy, &out.ValueSelectionStrategy
+		*out = new(string)
+		**out = **in
+	}
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(string)
@@ -1908,6 +2445,21 @@ func (in *SlotTypeStatus) DeepCopy() *SlotTypeStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValueElicitationPromptMessageObservation) DeepCopyInto(out *ValueElicitationPromptMessageObservation) {
 	*out = *in
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupNumber != nil {
+		in, out := &in.GroupNumber, &out.GroupNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValueElicitationPromptMessageObservation.
@@ -1953,6 +2505,23 @@ func (in *ValueElicitationPromptMessageParameters) DeepCopy() *ValueElicitationP
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ValueElicitationPromptObservation) DeepCopyInto(out *ValueElicitationPromptObservation) {
 	*out = *in
+	if in.MaxAttempts != nil {
+		in, out := &in.MaxAttempts, &out.MaxAttempts
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = make([]ValueElicitationPromptMessageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResponseCard != nil {
+		in, out := &in.ResponseCard, &out.ResponseCard
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ValueElicitationPromptObservation.
diff --git a/apis/lexmodels/v1beta1/zz_intent_types.go b/apis/lexmodels/v1beta1/zz_intent_types.go
index 5a528af9de..d419c3a123 100755
--- a/apis/lexmodels/v1beta1/zz_intent_types.go
+++ b/apis/lexmodels/v1beta1/zz_intent_types.go
@@ -14,6 +14,14 @@ import (
 )
 
 type CodeHookObservation struct {
+
+	// The version of the request-response that you want Amazon Lex to use
+	// to invoke your Lambda function. For more information, see
+	// Using Lambda Functions. Must be less than or equal to 5 characters in length.
+	MessageVersion *string `json:"messageVersion,omitempty" tf:"message_version,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lambda function.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type CodeHookParameters struct {
@@ -30,6 +38,16 @@ type CodeHookParameters struct {
 }
 
 type ConclusionStatementMessageObservation struct {
+
+	// The text of the message. Must be less than or equal to 1000 characters in length.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response. Must be a number between 1 and 5 (inclusive).
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type ConclusionStatementMessageParameters struct {
@@ -49,6 +67,16 @@ type ConclusionStatementMessageParameters struct {
 }
 
 type ConclusionStatementObservation struct {
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message. Must contain between 1 and 15 messages.
+	Message []ConclusionStatementMessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card. Must be less than or equal to 50000 characters in length.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type ConclusionStatementParameters struct {
@@ -67,6 +95,16 @@ type ConclusionStatementParameters struct {
 }
 
 type ConfirmationPromptMessageObservation struct {
+
+	// The text of the message. Must be less than or equal to 1000 characters in length.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response. Must be a number between 1 and 5 (inclusive).
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type ConfirmationPromptMessageParameters struct {
@@ -86,6 +124,19 @@ type ConfirmationPromptMessageParameters struct {
 }
 
 type ConfirmationPromptObservation struct {
+
+	// The number of times to prompt the user for information. Must be a number between 1 and 5 (inclusive).
+	MaxAttempts *float64 `json:"maxAttempts,omitempty" tf:"max_attempts,omitempty"`
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message. Must contain between 1 and 15 messages.
+	Message []ConfirmationPromptMessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card. Must be less than or equal to 50000 characters in length.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type ConfirmationPromptParameters struct {
@@ -108,6 +159,14 @@ type ConfirmationPromptParameters struct {
 }
 
 type DialogCodeHookObservation struct {
+
+	// The version of the request-response that you want Amazon Lex to use
+	// to invoke your Lambda function. For more information, see
+	// Using Lambda Functions. Must be less than or equal to 5 characters in length.
+	MessageVersion *string `json:"messageVersion,omitempty" tf:"message_version,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lambda function.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type DialogCodeHookParameters struct {
@@ -124,6 +183,14 @@ type DialogCodeHookParameters struct {
 }
 
 type FollowUpPromptObservation struct {
+
+	// Prompts for information from the user. Attributes are documented under prompt.
+	Prompt []PromptObservation `json:"prompt,omitempty" tf:"prompt,omitempty"`
+
+	// If the user answers "no" to the question defined in the prompt field,
+	// Amazon Lex responds with this statement to acknowledge that the intent was canceled. Attributes are
+	// documented below under statement.
+	RejectionStatement []RejectionStatementObservation `json:"rejectionStatement,omitempty" tf:"rejection_statement,omitempty"`
 }
 
 type FollowUpPromptParameters struct {
@@ -140,6 +207,14 @@ type FollowUpPromptParameters struct {
 }
 
 type FulfillmentActivityObservation struct {
+
+	// A description of the Lambda function that is run to fulfill the intent.
+	// Required if type is CodeHook. Attributes are documented under code_hook.
+	CodeHook []CodeHookObservation `json:"codeHook,omitempty" tf:"code_hook,omitempty"`
+
+	// How the intent should be fulfilled, either by running a Lambda function or by
+	// returning the slot data to the client application. Type can be either ReturnIntent or CodeHook, as documented here.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type FulfillmentActivityParameters struct {
@@ -164,14 +239,69 @@ type IntentObservation_2 struct {
 	// included as an argument because the resource will add it automatically when updating the intent.
 	Checksum *string `json:"checksum,omitempty" tf:"checksum,omitempty"`
 
+	// The statement that you want Amazon Lex to convey to the user
+	// after the intent is successfully fulfilled by the Lambda function. This element is relevant only if
+	// you provide a Lambda function in the fulfillment_activity. If you return the intent to the client
+	// application, you can't specify this element. The follow_up_prompt and conclusion_statement are
+	// mutually exclusive. You can specify only one. Attributes are documented under statement.
+	ConclusionStatement []ConclusionStatementObservation `json:"conclusionStatement,omitempty" tf:"conclusion_statement,omitempty"`
+
+	// Prompts the user to confirm the intent. This question should
+	// have a yes or no answer. You you must provide both the rejection_statement and confirmation_prompt,
+	// or neither. Attributes are documented under prompt.
+	ConfirmationPrompt []ConfirmationPromptObservation `json:"confirmationPrompt,omitempty" tf:"confirmation_prompt,omitempty"`
+
+	// Determines if a new slot type version is created when the initial
+	// resource is created and on each update. Defaults to false.
+	CreateVersion *bool `json:"createVersion,omitempty" tf:"create_version,omitempty"`
+
 	// The date when the intent version was created.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// A description of the intent. Must be less than or equal to 200 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Specifies a Lambda function to invoke for each user input. You can
+	// invoke this Lambda function to personalize user interaction. Attributes are documented under code_hook.
+	DialogCodeHook []DialogCodeHookObservation `json:"dialogCodeHook,omitempty" tf:"dialog_code_hook,omitempty"`
+
+	// Amazon Lex uses this prompt to solicit additional activity after
+	// fulfilling an intent. For example, after the OrderPizza intent is fulfilled, you might prompt the
+	// user to order a drink. The follow_up_prompt field and the conclusion_statement field are mutually
+	// exclusive. You can specify only one. Attributes are documented under follow_up_prompt.
+	FollowUpPrompt []FollowUpPromptObservation `json:"followUpPrompt,omitempty" tf:"follow_up_prompt,omitempty"`
+
+	// Describes how the intent is fulfilled. For example, after a
+	// user provides all of the information for a pizza order, fulfillment_activity defines how the bot
+	// places an order with a local pizza store. Attributes are documented under fulfillment_activity.
+	FulfillmentActivity []FulfillmentActivityObservation `json:"fulfillmentActivity,omitempty" tf:"fulfillment_activity,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date when the $LATEST version of this intent was updated.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// A unique identifier for the built-in intent to base this
+	// intent on. To find the signature for an intent, see
+	// Standard Built-in Intents
+	// in the Alexa Skills Kit.
+	ParentIntentSignature *string `json:"parentIntentSignature,omitempty" tf:"parent_intent_signature,omitempty"`
+
+	// When the user answers "no" to the question defined in
+	// confirmation_prompt, Amazon Lex responds with this statement to acknowledge that the intent was
+	// canceled. You must provide both the rejection_statement and the confirmation_prompt, or neither.
+	// Attributes are documented under statement.
+	RejectionStatement []IntentRejectionStatementObservation `json:"rejectionStatement,omitempty" tf:"rejection_statement,omitempty"`
+
+	// An array of utterances (strings) that a user might say to signal
+	// the intent. For example, "I want {PizzaSize} pizza", "Order {Quantity} {PizzaSize} pizzas".
+	// In each utterance, a slot name is enclosed in curly braces. Must have between 1 and 10 items in the list, and each item must be less than or equal to 200 characters in length.
+	SampleUtterances []*string `json:"sampleUtterances,omitempty" tf:"sample_utterances,omitempty"`
+
+	// An list of intent slots. At runtime, Amazon Lex elicits required slot values
+	// from the user using prompts defined in the slots. Attributes are documented under slot.
+	Slot []SlotObservation `json:"slot,omitempty" tf:"slot,omitempty"`
+
 	// The version of the bot.
 	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
@@ -216,8 +346,8 @@ type IntentParameters_2 struct {
 	// Describes how the intent is fulfilled. For example, after a
 	// user provides all of the information for a pizza order, fulfillment_activity defines how the bot
 	// places an order with a local pizza store. Attributes are documented under fulfillment_activity.
-	// +kubebuilder:validation:Required
-	FulfillmentActivity []FulfillmentActivityParameters `json:"fulfillmentActivity" tf:"fulfillment_activity,omitempty"`
+	// +kubebuilder:validation:Optional
+	FulfillmentActivity []FulfillmentActivityParameters `json:"fulfillmentActivity,omitempty" tf:"fulfillment_activity,omitempty"`
 
 	// A unique identifier for the built-in intent to base this
 	// intent on. To find the signature for an intent, see
@@ -251,6 +381,16 @@ type IntentParameters_2 struct {
 }
 
 type IntentRejectionStatementMessageObservation struct {
+
+	// The text of the message. Must be less than or equal to 1000 characters in length.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response. Must be a number between 1 and 5 (inclusive).
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type IntentRejectionStatementMessageParameters struct {
@@ -270,6 +410,16 @@ type IntentRejectionStatementMessageParameters struct {
 }
 
 type IntentRejectionStatementObservation struct {
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message. Must contain between 1 and 15 messages.
+	Message []IntentRejectionStatementMessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card. Must be less than or equal to 50000 characters in length.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type IntentRejectionStatementParameters struct {
@@ -288,6 +438,16 @@ type IntentRejectionStatementParameters struct {
 }
 
 type PromptMessageObservation struct {
+
+	// The text of the message. Must be less than or equal to 1000 characters in length.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response. Must be a number between 1 and 5 (inclusive).
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type PromptMessageParameters struct {
@@ -307,6 +467,19 @@ type PromptMessageParameters struct {
 }
 
 type PromptObservation struct {
+
+	// The number of times to prompt the user for information. Must be a number between 1 and 5 (inclusive).
+	MaxAttempts *float64 `json:"maxAttempts,omitempty" tf:"max_attempts,omitempty"`
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message. Must contain between 1 and 15 messages.
+	Message []PromptMessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card. Must be less than or equal to 50000 characters in length.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type PromptParameters struct {
@@ -329,6 +502,16 @@ type PromptParameters struct {
 }
 
 type RejectionStatementMessageObservation struct {
+
+	// The text of the message. Must be less than or equal to 1000 characters in length.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response. Must be a number between 1 and 5 (inclusive).
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type RejectionStatementMessageParameters struct {
@@ -348,6 +531,16 @@ type RejectionStatementMessageParameters struct {
 }
 
 type RejectionStatementObservation struct {
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message. Must contain between 1 and 15 messages.
+	Message []RejectionStatementMessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card. Must be less than or equal to 50000 characters in length.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type RejectionStatementParameters struct {
@@ -366,6 +559,42 @@ type RejectionStatementParameters struct {
 }
 
 type SlotObservation struct {
+
+	// A description of the bot. Must be less than or equal to 200 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The name of the intent slot that you want to create. The name is case sensitive. Must be less than or equal to 100 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Directs Lex the order in which to elicit this slot value from the user.
+	// For example, if the intent has two slots with priorities 1 and 2, AWS Lex first elicits a value for
+	// the slot with priority 1. If multiple slots share the same priority, the order in which Lex elicits
+	// values is arbitrary. Must be between 1 and 100.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card. Must be less than or equal to 50000 characters in length.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
+
+	// If you know a specific pattern with which users might respond to
+	// an Amazon Lex request for a slot value, you can provide those utterances to improve accuracy. This
+	// is optional. In most cases, Amazon Lex is capable of understanding user utterances. Must have between 1 and 10 items in the list, and each item must be less than or equal to 200 characters in length.
+	SampleUtterances []*string `json:"sampleUtterances,omitempty" tf:"sample_utterances,omitempty"`
+
+	// Specifies whether the slot is required or optional.
+	SlotConstraint *string `json:"slotConstraint,omitempty" tf:"slot_constraint,omitempty"`
+
+	// The type of the slot, either a custom slot type that you defined or one of
+	// the built-in slot types. Must be less than or equal to 100 characters in length.
+	SlotType *string `json:"slotType,omitempty" tf:"slot_type,omitempty"`
+
+	// The version of the slot type. Must be less than or equal to 64 characters in length.
+	SlotTypeVersion *string `json:"slotTypeVersion,omitempty" tf:"slot_type_version,omitempty"`
+
+	// The prompt that Amazon Lex uses to elicit the slot value
+	// from the user. Attributes are documented under prompt.
+	ValueElicitationPrompt []ValueElicitationPromptObservation `json:"valueElicitationPrompt,omitempty" tf:"value_elicitation_prompt,omitempty"`
 }
 
 type SlotParameters struct {
@@ -417,6 +646,16 @@ type SlotParameters struct {
 }
 
 type ValueElicitationPromptMessageObservation struct {
+
+	// The text of the message. Must be less than or equal to 1000 characters in length.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The content type of the message string.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Identifies the message group that the message belongs to. When a group
+	// is assigned to a message, Amazon Lex returns one message from each group in the response. Must be a number between 1 and 5 (inclusive).
+	GroupNumber *float64 `json:"groupNumber,omitempty" tf:"group_number,omitempty"`
 }
 
 type ValueElicitationPromptMessageParameters struct {
@@ -436,6 +675,19 @@ type ValueElicitationPromptMessageParameters struct {
 }
 
 type ValueElicitationPromptObservation struct {
+
+	// The number of times to prompt the user for information. Must be a number between 1 and 5 (inclusive).
+	MaxAttempts *float64 `json:"maxAttempts,omitempty" tf:"max_attempts,omitempty"`
+
+	// A set of messages, each of which provides a message string and its type.
+	// You can specify the message string in plain text or in Speech Synthesis Markup Language (SSML).
+	// Attributes are documented under message. Must contain between 1 and 15 messages.
+	Message []ValueElicitationPromptMessageObservation `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The response card. Amazon Lex will substitute session attributes and
+	// slot values into the response card. For more information, see
+	// Example: Using a Response Card. Must be less than or equal to 50000 characters in length.
+	ResponseCard *string `json:"responseCard,omitempty" tf:"response_card,omitempty"`
 }
 
 type ValueElicitationPromptParameters struct {
@@ -481,8 +733,9 @@ type IntentStatus struct {
 type Intent struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IntentSpec   `json:"spec"`
-	Status            IntentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fulfillmentActivity)",message="fulfillmentActivity is a required parameter"
+	Spec   IntentSpec   `json:"spec"`
+	Status IntentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lexmodels/v1beta1/zz_slottype_types.go b/apis/lexmodels/v1beta1/zz_slottype_types.go
index b2c1de309d..70a4a303c3 100755
--- a/apis/lexmodels/v1beta1/zz_slottype_types.go
+++ b/apis/lexmodels/v1beta1/zz_slottype_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type EnumerationValueObservation struct {
+
+	// Additional values related to the slot type value. Each item must be less than or equal to 140 characters in length.
+	Synonyms []*string `json:"synonyms,omitempty" tf:"synonyms,omitempty"`
+
+	// The value of the slot type. Must be less than or equal to 140 characters in length.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type EnumerationValueParameters struct {
@@ -33,14 +39,33 @@ type SlotTypeObservation struct {
 	// not included as an argument because the resource will add it automatically when updating the slot type.
 	Checksum *string `json:"checksum,omitempty" tf:"checksum,omitempty"`
 
+	// Determines if a new slot type version is created when the initial resource is created and on each
+	// update. Defaults to false.
+	CreateVersion *bool `json:"createVersion,omitempty" tf:"create_version,omitempty"`
+
 	// The date when the slot type version was created.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// A description of the slot type. Must be less than or equal to 200 characters in length.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// A list of EnumerationValue objects that defines the values that
+	// the slot type can take. Each value can have a list of synonyms, which are additional values that help
+	// train the machine learning model about the values that it resolves for a slot. Attributes are
+	// documented under enumeration_value.
+	EnumerationValue []EnumerationValueObservation `json:"enumerationValue,omitempty" tf:"enumeration_value,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The date when the $LATEST version of this slot type was updated.
 	LastUpdatedDate *string `json:"lastUpdatedDate,omitempty" tf:"last_updated_date,omitempty"`
 
+	// Determines the slot resolution strategy that Amazon Lex
+	// uses to return slot type values. ORIGINAL_VALUE returns the value entered by the user if the user
+	// value is similar to the slot value. TOP_RESOLUTION returns the first value in the resolution list
+	// if there is a resolution list for the slot, otherwise null is returned. Defaults to ORIGINAL_VALUE.
+	ValueSelectionStrategy *string `json:"valueSelectionStrategy,omitempty" tf:"value_selection_strategy,omitempty"`
+
 	// The version of the slot type.
 	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
@@ -60,8 +85,8 @@ type SlotTypeParameters struct {
 	// the slot type can take. Each value can have a list of synonyms, which are additional values that help
 	// train the machine learning model about the values that it resolves for a slot. Attributes are
 	// documented under enumeration_value.
-	// +kubebuilder:validation:Required
-	EnumerationValue []EnumerationValueParameters `json:"enumerationValue" tf:"enumeration_value,omitempty"`
+	// +kubebuilder:validation:Optional
+	EnumerationValue []EnumerationValueParameters `json:"enumerationValue,omitempty" tf:"enumeration_value,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -100,8 +125,9 @@ type SlotTypeStatus struct {
 type SlotType struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SlotTypeSpec   `json:"spec"`
-	Status            SlotTypeStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enumerationValue)",message="enumerationValue is a required parameter"
+	Spec   SlotTypeSpec   `json:"spec"`
+	Status SlotTypeStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/licensemanager/v1beta1/zz_association_types.go b/apis/licensemanager/v1beta1/zz_association_types.go
index 186682a4e6..6f36a146f8 100755
--- a/apis/licensemanager/v1beta1/zz_association_types.go
+++ b/apis/licensemanager/v1beta1/zz_association_types.go
@@ -17,6 +17,12 @@ type AssociationObservation struct {
 
 	// The license configuration ARN.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ARN of the license configuration.
+	LicenseConfigurationArn *string `json:"licenseConfigurationArn,omitempty" tf:"license_configuration_arn,omitempty"`
+
+	// ARN of the resource associated with the license configuration.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type AssociationParameters struct {
diff --git a/apis/licensemanager/v1beta1/zz_generated.deepcopy.go b/apis/licensemanager/v1beta1/zz_generated.deepcopy.go
index 89b799e950..9d3152b137 100644
--- a/apis/licensemanager/v1beta1/zz_generated.deepcopy.go
+++ b/apis/licensemanager/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,16 @@ func (in *AssociationObservation) DeepCopyInto(out *AssociationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LicenseConfigurationArn != nil {
+		in, out := &in.LicenseConfigurationArn, &out.LicenseConfigurationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AssociationObservation.
@@ -244,16 +254,67 @@ func (in *LicenseConfigurationObservation) DeepCopyInto(out *LicenseConfiguratio
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LicenseCount != nil {
+		in, out := &in.LicenseCount, &out.LicenseCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LicenseCountHardLimit != nil {
+		in, out := &in.LicenseCountHardLimit, &out.LicenseCountHardLimit
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LicenseCountingType != nil {
+		in, out := &in.LicenseCountingType, &out.LicenseCountingType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LicenseRules != nil {
+		in, out := &in.LicenseRules, &out.LicenseRules
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerAccountID != nil {
 		in, out := &in.OwnerAccountID, &out.OwnerAccountID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/licensemanager/v1beta1/zz_licenseconfiguration_types.go b/apis/licensemanager/v1beta1/zz_licenseconfiguration_types.go
index 1ed11d1411..da94401fcb 100755
--- a/apis/licensemanager/v1beta1/zz_licenseconfiguration_types.go
+++ b/apis/licensemanager/v1beta1/zz_licenseconfiguration_types.go
@@ -18,12 +18,33 @@ type LicenseConfigurationObservation struct {
 	// The license configuration ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the license configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The license configuration ARN.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Number of licenses managed by the license configuration.
+	LicenseCount *float64 `json:"licenseCount,omitempty" tf:"license_count,omitempty"`
+
+	// Sets the number of available licenses as a hard limit.
+	LicenseCountHardLimit *bool `json:"licenseCountHardLimit,omitempty" tf:"license_count_hard_limit,omitempty"`
+
+	// Dimension to use to track license inventory. Specify either vCPU, Instance, Core or Socket.
+	LicenseCountingType *string `json:"licenseCountingType,omitempty" tf:"license_counting_type,omitempty"`
+
+	// Array of configured License Manager rules.
+	LicenseRules []*string `json:"licenseRules,omitempty" tf:"license_rules,omitempty"`
+
+	// Name of the license configuration.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Account ID of the owner of the license configuration.
 	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -43,16 +64,16 @@ type LicenseConfigurationParameters struct {
 	LicenseCountHardLimit *bool `json:"licenseCountHardLimit,omitempty" tf:"license_count_hard_limit,omitempty"`
 
 	// Dimension to use to track license inventory. Specify either vCPU, Instance, Core or Socket.
-	// +kubebuilder:validation:Required
-	LicenseCountingType *string `json:"licenseCountingType" tf:"license_counting_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	LicenseCountingType *string `json:"licenseCountingType,omitempty" tf:"license_counting_type,omitempty"`
 
 	// Array of configured License Manager rules.
 	// +kubebuilder:validation:Optional
 	LicenseRules []*string `json:"licenseRules,omitempty" tf:"license_rules,omitempty"`
 
 	// Name of the license configuration.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -88,8 +109,10 @@ type LicenseConfigurationStatus struct {
 type LicenseConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LicenseConfigurationSpec   `json:"spec"`
-	Status            LicenseConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.licenseCountingType)",message="licenseCountingType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   LicenseConfigurationSpec   `json:"spec"`
+	Status LicenseConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_bucket_types.go b/apis/lightsail/v1beta1/zz_bucket_types.go
index 7b45a173c2..3320316119 100755
--- a/apis/lightsail/v1beta1/zz_bucket_types.go
+++ b/apis/lightsail/v1beta1/zz_bucket_types.go
@@ -21,6 +21,9 @@ type BucketObservation struct {
 	// The resource Availability Zone. Follows the format us-east-2a (case-sensitive).
 	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
+	// - The ID of the bundle to use for the bucket. A bucket bundle specifies the monthly cost, storage space, and data transfer quota for a bucket. Use the get-bucket-bundles cli command to get a list of bundle IDs that you can specify.
+	BundleID *string `json:"bundleId,omitempty" tf:"bundle_id,omitempty"`
+
 	// The timestamp when the bucket was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
@@ -30,6 +33,9 @@ type BucketObservation struct {
 	// The support code for the resource. Include this code in your email to support when you have questions about a resource in Lightsail. This code enables our support team to look up your Lightsail information more easily.
 	SupportCode *string `json:"supportCode,omitempty" tf:"support_code,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -39,8 +45,8 @@ type BucketObservation struct {
 type BucketParameters struct {
 
 	// - The ID of the bundle to use for the bucket. A bucket bundle specifies the monthly cost, storage space, and data transfer quota for a bucket. Use the get-bucket-bundles cli command to get a list of bundle IDs that you can specify.
-	// +kubebuilder:validation:Required
-	BundleID *string `json:"bundleId" tf:"bundle_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	BundleID *string `json:"bundleId,omitempty" tf:"bundle_id,omitempty"`
 
 	// The Amazon Web Services Region name.
 	// Region is the region you'd like your resource to be created in.
@@ -77,8 +83,9 @@ type BucketStatus struct {
 type Bucket struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketSpec   `json:"spec"`
-	Status            BucketStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bundleId)",message="bundleId is a required parameter"
+	Spec   BucketSpec   `json:"spec"`
+	Status BucketStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_certificate_types.go b/apis/lightsail/v1beta1/zz_certificate_types.go
index d24a61df28..bdfabd2aca 100755
--- a/apis/lightsail/v1beta1/zz_certificate_types.go
+++ b/apis/lightsail/v1beta1/zz_certificate_types.go
@@ -21,12 +21,21 @@ type CertificateObservation struct {
 	// The timestamp when the instance was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// A domain name for which the certificate should be issued.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	// Set of domain validation objects which can be used to complete certificate validation. Can have more than one element, e.g., if SANs are defined.
 	DomainValidationOptions []DomainValidationOptionsObservation `json:"domainValidationOptions,omitempty" tf:"domain_validation_options,omitempty"`
 
 	// The name of the lightsail certificate (matches name).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Set of domains that should be SANs in the issued certificate. domain_name attribute is automatically added as a Subject Alternative Name.
+	SubjectAlternativeNames []*string `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/lightsail/v1beta1/zz_containerservice_types.go b/apis/lightsail/v1beta1/zz_containerservice_types.go
index b1b62e7e5f..34fcac9478 100755
--- a/apis/lightsail/v1beta1/zz_containerservice_types.go
+++ b/apis/lightsail/v1beta1/zz_containerservice_types.go
@@ -26,6 +26,14 @@ type ContainerServiceObservation struct {
 	// Same as name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A Boolean value indicating whether the container service is disabled. Defaults to false.
+	IsDisabled *bool `json:"isDisabled,omitempty" tf:"is_disabled,omitempty"`
+
+	// The power specification for the container service. The power specifies the amount of memory,
+	// the number of vCPUs, and the monthly price of each node of the container service.
+	// Possible values: nano, micro, small, medium, large, xlarge.
+	Power *string `json:"power,omitempty" tf:"power,omitempty"`
+
 	// The ID of the power of the container service.
 	PowerID *string `json:"powerId,omitempty" tf:"power_id,omitempty"`
 
@@ -39,15 +47,28 @@ type ContainerServiceObservation struct {
 	PrivateDomainName *string `json:"privateDomainName,omitempty" tf:"private_domain_name,omitempty"`
 
 	// An object to describe the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry (Amazon ECR) private repositories. See Private Registry Access below for more details.
-	// +kubebuilder:validation:Optional
 	PrivateRegistryAccess []PrivateRegistryAccessObservation `json:"privateRegistryAccess,omitempty" tf:"private_registry_access,omitempty"`
 
+	// The public domain names to use with the container service, such as example.com
+	// and www.example.com. You can specify up to four public domain names for a container service. The domain names that you
+	// specify are used when you create a deployment with a container configured as the public endpoint of your container
+	// service. If you don't specify public domain names, then you can use the default domain of the container service.
+	// Defined below.
+	PublicDomainNames []PublicDomainNamesObservation `json:"publicDomainNames,omitempty" tf:"public_domain_names,omitempty"`
+
 	// The Lightsail resource type of the container service (i.e., ContainerService).
 	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
 
+	// The scale specification for the container service. The scale specifies the allocated compute
+	// nodes of the container service.
+	Scale *float64 `json:"scale,omitempty" tf:"scale,omitempty"`
+
 	// The current state of the container service.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider
 	// default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
@@ -66,8 +87,8 @@ type ContainerServiceParameters struct {
 	// The power specification for the container service. The power specifies the amount of memory,
 	// the number of vCPUs, and the monthly price of each node of the container service.
 	// Possible values: nano, micro, small, medium, large, xlarge.
-	// +kubebuilder:validation:Required
-	Power *string `json:"power" tf:"power,omitempty"`
+	// +kubebuilder:validation:Optional
+	Power *string `json:"power,omitempty" tf:"power,omitempty"`
 
 	// An object to describe the configuration for the container service to access private container image repositories, such as Amazon Elastic Container Registry (Amazon ECR) private repositories. See Private Registry Access below for more details.
 	// +kubebuilder:validation:Optional
@@ -88,8 +109,8 @@ type ContainerServiceParameters struct {
 
 	// The scale specification for the container service. The scale specifies the allocated compute
 	// nodes of the container service.
-	// +kubebuilder:validation:Required
-	Scale *float64 `json:"scale" tf:"scale,omitempty"`
+	// +kubebuilder:validation:Optional
+	Scale *float64 `json:"scale,omitempty" tf:"scale,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -98,6 +119,9 @@ type ContainerServiceParameters struct {
 
 type EcrImagePullerRoleObservation struct {
 
+	// A Boolean value that indicates whether to activate the role. The default is false.
+	IsActive *bool `json:"isActive,omitempty" tf:"is_active,omitempty"`
+
 	// The principal ARN of the container service. The principal ARN can be used to create a trust
 	// relationship between your standard AWS account and your Lightsail container service. This allows you to give your
 	// service permission to access resources in your standard AWS account.
@@ -114,7 +138,6 @@ type EcrImagePullerRoleParameters struct {
 type PrivateRegistryAccessObservation struct {
 
 	// Describes a request to configure an Amazon Lightsail container service to access private container image repositories, such as Amazon Elastic Container Registry (Amazon ECR) private repositories. See ECR Image Puller Role below for more details.
-	// +kubebuilder:validation:Optional
 	EcrImagePullerRole []EcrImagePullerRoleObservation `json:"ecrImagePullerRole,omitempty" tf:"ecr_image_puller_role,omitempty"`
 }
 
@@ -126,6 +149,12 @@ type PrivateRegistryAccessParameters struct {
 }
 
 type PublicDomainNamesCertificateObservation struct {
+
+	// The name for the container service. Names must be of length 1 to 63, and be
+	// unique within each AWS Region in your Lightsail account.
+	CertificateName *string `json:"certificateName,omitempty" tf:"certificate_name,omitempty"`
+
+	DomainNames []*string `json:"domainNames,omitempty" tf:"domain_names,omitempty"`
 }
 
 type PublicDomainNamesCertificateParameters struct {
@@ -140,6 +169,7 @@ type PublicDomainNamesCertificateParameters struct {
 }
 
 type PublicDomainNamesObservation struct {
+	Certificate []PublicDomainNamesCertificateObservation `json:"certificate,omitempty" tf:"certificate,omitempty"`
 }
 
 type PublicDomainNamesParameters struct {
@@ -172,8 +202,10 @@ type ContainerServiceStatus struct {
 type ContainerService struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ContainerServiceSpec   `json:"spec"`
-	Status            ContainerServiceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.power)",message="power is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scale)",message="scale is a required parameter"
+	Spec   ContainerServiceSpec   `json:"spec"`
+	Status ContainerServiceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_disk_types.go b/apis/lightsail/v1beta1/zz_disk_types.go
index 9101f4ce00..609d925f4b 100755
--- a/apis/lightsail/v1beta1/zz_disk_types.go
+++ b/apis/lightsail/v1beta1/zz_disk_types.go
@@ -18,15 +18,24 @@ type DiskObservation struct {
 	// The ARN of the Lightsail load balancer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Availability Zone in which to create your disk.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
 	// The timestamp when the load balancer was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
 	// The name of the disk  (matches name).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The instance port the load balancer will connect.
+	SizeInGb *float64 `json:"sizeInGb,omitempty" tf:"size_in_gb,omitempty"`
+
 	// The support code for the disk. Include this code in your email to support when you have questions about a disk in Lightsail. This code enables our support team to look up your Lightsail information more easily.
 	SupportCode *string `json:"supportCode,omitempty" tf:"support_code,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -34,8 +43,8 @@ type DiskObservation struct {
 type DiskParameters struct {
 
 	// The Availability Zone in which to create your disk.
-	// +kubebuilder:validation:Required
-	AvailabilityZone *string `json:"availabilityZone" tf:"availability_zone,omitempty"`
+	// +kubebuilder:validation:Optional
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -43,8 +52,8 @@ type DiskParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The instance port the load balancer will connect.
-	// +kubebuilder:validation:Required
-	SizeInGb *float64 `json:"sizeInGb" tf:"size_in_gb,omitempty"`
+	// +kubebuilder:validation:Optional
+	SizeInGb *float64 `json:"sizeInGb,omitempty" tf:"size_in_gb,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -75,8 +84,10 @@ type DiskStatus struct {
 type Disk struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DiskSpec   `json:"spec"`
-	Status            DiskStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)",message="availabilityZone is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sizeInGb)",message="sizeInGb is a required parameter"
+	Spec   DiskSpec   `json:"spec"`
+	Status DiskStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_diskattachment_types.go b/apis/lightsail/v1beta1/zz_diskattachment_types.go
index 6791b9cc64..a359132037 100755
--- a/apis/lightsail/v1beta1/zz_diskattachment_types.go
+++ b/apis/lightsail/v1beta1/zz_diskattachment_types.go
@@ -15,8 +15,17 @@ import (
 
 type DiskAttachmentObservation struct {
 
+	// The name of the Lightsail Disk.
+	DiskName *string `json:"diskName,omitempty" tf:"disk_name,omitempty"`
+
+	// The disk path to expose to the instance.
+	DiskPath *string `json:"diskPath,omitempty" tf:"disk_path,omitempty"`
+
 	// A combination of attributes to create a unique id: disk_name,instance_name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the Lightsail Instance to attach to.
+	InstanceName *string `json:"instanceName,omitempty" tf:"instance_name,omitempty"`
 }
 
 type DiskAttachmentParameters struct {
@@ -35,8 +44,8 @@ type DiskAttachmentParameters struct {
 	DiskNameSelector *v1.Selector `json:"diskNameSelector,omitempty" tf:"-"`
 
 	// The disk path to expose to the instance.
-	// +kubebuilder:validation:Required
-	DiskPath *string `json:"diskPath" tf:"disk_path,omitempty"`
+	// +kubebuilder:validation:Optional
+	DiskPath *string `json:"diskPath,omitempty" tf:"disk_path,omitempty"`
 
 	// The name of the Lightsail Instance to attach to.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/lightsail/v1beta1.Instance
@@ -81,8 +90,9 @@ type DiskAttachmentStatus struct {
 type DiskAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DiskAttachmentSpec   `json:"spec"`
-	Status            DiskAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.diskPath)",message="diskPath is a required parameter"
+	Spec   DiskAttachmentSpec   `json:"spec"`
+	Status DiskAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_domain_types.go b/apis/lightsail/v1beta1/zz_domain_types.go
index 293a96b3d2..4fd6bd0e2b 100755
--- a/apis/lightsail/v1beta1/zz_domain_types.go
+++ b/apis/lightsail/v1beta1/zz_domain_types.go
@@ -18,6 +18,9 @@ type DomainObservation struct {
 	// The ARN of the Lightsail domain
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The name of the Lightsail domain to manage
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	// The name used for this domain
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -25,8 +28,8 @@ type DomainObservation struct {
 type DomainParameters struct {
 
 	// The name of the Lightsail domain to manage
-	// +kubebuilder:validation:Required
-	DomainName *string `json:"domainName" tf:"domain_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -58,8 +61,9 @@ type DomainStatus struct {
 type Domain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainSpec   `json:"spec"`
-	Status            DomainStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)",message="domainName is a required parameter"
+	Spec   DomainSpec   `json:"spec"`
+	Status DomainStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_domainentry_types.go b/apis/lightsail/v1beta1/zz_domainentry_types.go
index a0bc53a944..d416644b02 100755
--- a/apis/lightsail/v1beta1/zz_domainentry_types.go
+++ b/apis/lightsail/v1beta1/zz_domainentry_types.go
@@ -15,8 +15,20 @@ import (
 
 type DomainEntryObservation struct {
 
+	// The name of the Lightsail domain in which to create the entry
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	// A combination of attributes to create a unique id: name_domain_name_type_target
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// If the entry should be an alias Defaults to false
+	IsAlias *bool `json:"isAlias,omitempty" tf:"is_alias,omitempty"`
+
+	// Target of the domain entry
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
+
+	// Type of record
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DomainEntryParameters struct {
@@ -45,8 +57,8 @@ type DomainEntryParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Target of the domain entry
-	// +kubebuilder:validation:Required
-	Target *string `json:"target" tf:"target,omitempty"`
+	// +kubebuilder:validation:Optional
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 
 	// Type of record
 	// +kubebuilder:validation:Required
@@ -77,8 +89,9 @@ type DomainEntryStatus struct {
 type DomainEntry struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainEntrySpec   `json:"spec"`
-	Status            DomainEntryStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.target)",message="target is a required parameter"
+	Spec   DomainEntrySpec   `json:"spec"`
+	Status DomainEntryStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_generated.deepcopy.go b/apis/lightsail/v1beta1/zz_generated.deepcopy.go
index bbeff9b4c5..869b594d5d 100644
--- a/apis/lightsail/v1beta1/zz_generated.deepcopy.go
+++ b/apis/lightsail/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AddOnObservation) DeepCopyInto(out *AddOnObservation) {
 	*out = *in
+	if in.SnapshotTime != nil {
+		in, out := &in.SnapshotTime, &out.SnapshotTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AddOnObservation.
@@ -131,6 +146,11 @@ func (in *BucketObservation) DeepCopyInto(out *BucketObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BundleID != nil {
+		in, out := &in.BundleID, &out.BundleID
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreatedAt != nil {
 		in, out := &in.CreatedAt, &out.CreatedAt
 		*out = new(string)
@@ -146,6 +166,21 @@ func (in *BucketObservation) DeepCopyInto(out *BucketObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -324,6 +359,11 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.DomainValidationOptions != nil {
 		in, out := &in.DomainValidationOptions, &out.DomainValidationOptions
 		*out = make([]DomainValidationOptionsObservation, len(*in))
@@ -336,6 +376,32 @@ func (in *CertificateObservation) DeepCopyInto(out *CertificateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -530,6 +596,16 @@ func (in *ContainerServiceObservation) DeepCopyInto(out *ContainerServiceObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.IsDisabled != nil {
+		in, out := &in.IsDisabled, &out.IsDisabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Power != nil {
+		in, out := &in.Power, &out.Power
+		*out = new(string)
+		**out = **in
+	}
 	if in.PowerID != nil {
 		in, out := &in.PowerID, &out.PowerID
 		*out = new(string)
@@ -552,16 +628,43 @@ func (in *ContainerServiceObservation) DeepCopyInto(out *ContainerServiceObserva
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.PublicDomainNames != nil {
+		in, out := &in.PublicDomainNames, &out.PublicDomainNames
+		*out = make([]PublicDomainNamesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ResourceType != nil {
 		in, out := &in.ResourceType, &out.ResourceType
 		*out = new(string)
 		**out = **in
 	}
+	if in.Scale != nil {
+		in, out := &in.Scale, &out.Scale
+		*out = new(float64)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -781,11 +884,26 @@ func (in *DiskAttachmentList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DiskAttachmentObservation) DeepCopyInto(out *DiskAttachmentObservation) {
 	*out = *in
+	if in.DiskName != nil {
+		in, out := &in.DiskName, &out.DiskName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DiskPath != nil {
+		in, out := &in.DiskPath, &out.DiskPath
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceName != nil {
+		in, out := &in.InstanceName, &out.InstanceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DiskAttachmentObservation.
@@ -927,6 +1045,11 @@ func (in *DiskObservation) DeepCopyInto(out *DiskObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreatedAt != nil {
 		in, out := &in.CreatedAt, &out.CreatedAt
 		*out = new(string)
@@ -937,11 +1060,31 @@ func (in *DiskObservation) DeepCopyInto(out *DiskObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SizeInGb != nil {
+		in, out := &in.SizeInGb, &out.SizeInGb
+		*out = new(float64)
+		**out = **in
+	}
 	if in.SupportCode != nil {
 		in, out := &in.SupportCode, &out.SupportCode
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1137,11 +1280,31 @@ func (in *DomainEntryList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainEntryObservation) DeepCopyInto(out *DomainEntryObservation) {
 	*out = *in
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IsAlias != nil {
+		in, out := &in.IsAlias, &out.IsAlias
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainEntryObservation.
@@ -1278,6 +1441,11 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1457,6 +1625,11 @@ func (in *DomainValidationRecordsParameters) DeepCopy() *DomainValidationRecords
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EcrImagePullerRoleObservation) DeepCopyInto(out *EcrImagePullerRoleObservation) {
 	*out = *in
+	if in.IsActive != nil {
+		in, out := &in.IsActive, &out.IsActive
+		*out = new(bool)
+		**out = **in
+	}
 	if in.PrincipalArn != nil {
 		in, out := &in.PrincipalArn, &out.PrincipalArn
 		*out = new(string)
@@ -1556,11 +1729,33 @@ func (in *InstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 	*out = *in
+	if in.AddOn != nil {
+		in, out := &in.AddOn, &out.AddOn
+		*out = make([]AddOnObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.BlueprintID != nil {
+		in, out := &in.BlueprintID, &out.BlueprintID
+		*out = new(string)
+		**out = **in
+	}
+	if in.BundleID != nil {
+		in, out := &in.BundleID, &out.BundleID
+		*out = new(string)
+		**out = **in
+	}
 	if in.CPUCount != nil {
 		in, out := &in.CPUCount, &out.CPUCount
 		*out = new(float64)
@@ -1576,6 +1771,11 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddressType != nil {
+		in, out := &in.IPAddressType, &out.IPAddressType
+		*out = new(string)
+		**out = **in
+	}
 	if in.IPv6Address != nil {
 		in, out := &in.IPv6Address, &out.IPv6Address
 		*out = new(string)
@@ -1597,6 +1797,11 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.KeyPairName != nil {
+		in, out := &in.KeyPairName, &out.KeyPairName
+		*out = new(string)
+		**out = **in
+	}
 	if in.PrivateIPAddress != nil {
 		in, out := &in.PrivateIPAddress, &out.PrivateIPAddress
 		*out = new(string)
@@ -1612,6 +1817,21 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1627,6 +1847,11 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserData != nil {
+		in, out := &in.UserData, &out.UserData
+		*out = new(string)
+		**out = **in
+	}
 	if in.Username != nil {
 		in, out := &in.Username, &out.Username
 		*out = new(string)
@@ -1783,6 +2008,18 @@ func (in *InstancePublicPortsObservation) DeepCopyInto(out *InstancePublicPortsO
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceName != nil {
+		in, out := &in.InstanceName, &out.InstanceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.PortInfo != nil {
+		in, out := &in.PortInfo, &out.PortInfo
+		*out = make([]PortInfoObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstancePublicPortsObservation.
@@ -1992,11 +2229,26 @@ func (in *KeyPairObservation) DeepCopyInto(out *KeyPairObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PgpKey != nil {
+		in, out := &in.PgpKey, &out.PgpKey
+		*out = new(string)
+		**out = **in
+	}
 	if in.PrivateKey != nil {
 		in, out := &in.PrivateKey, &out.PrivateKey
 		*out = new(string)
 		**out = **in
 	}
+	if in.PublicKey != nil {
+		in, out := &in.PublicKey, &out.PublicKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyPairObservation.
@@ -2172,6 +2424,16 @@ func (in *LBAttachmentObservation) DeepCopyInto(out *LBAttachmentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceName != nil {
+		in, out := &in.InstanceName, &out.InstanceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.LBName != nil {
+		in, out := &in.LBName, &out.LBName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LBAttachmentObservation.
@@ -2340,6 +2602,11 @@ func (in *LBCertificateObservation) DeepCopyInto(out *LBCertificateObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.DomainValidationRecords != nil {
 		in, out := &in.DomainValidationRecords, &out.DomainValidationRecords
 		*out = make([]DomainValidationRecordsObservation, len(*in))
@@ -2352,6 +2619,22 @@ func (in *LBCertificateObservation) DeepCopyInto(out *LBCertificateObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.LBName != nil {
+		in, out := &in.LBName, &out.LBName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubjectAlternativeNames != nil {
+		in, out := &in.SubjectAlternativeNames, &out.SubjectAlternativeNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.SupportCode != nil {
 		in, out := &in.SupportCode, &out.SupportCode
 		*out = new(string)
@@ -2504,11 +2787,26 @@ func (in *LBObservation) DeepCopyInto(out *LBObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.HealthCheckPath != nil {
+		in, out := &in.HealthCheckPath, &out.HealthCheckPath
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddressType != nil {
+		in, out := &in.IPAddressType, &out.IPAddressType
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstancePort != nil {
+		in, out := &in.InstancePort, &out.InstancePort
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Protocol != nil {
 		in, out := &in.Protocol, &out.Protocol
 		*out = new(string)
@@ -2530,6 +2828,21 @@ func (in *LBObservation) DeepCopyInto(out *LBObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2703,6 +3016,16 @@ func (in *LBStickinessPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LBStickinessPolicyObservation) DeepCopyInto(out *LBStickinessPolicyObservation) {
 	*out = *in
+	if in.CookieDuration != nil {
+		in, out := &in.CookieDuration, &out.CookieDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -2787,6 +3110,54 @@ func (in *LBStickinessPolicyStatus) DeepCopy() *LBStickinessPolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PortInfoObservation) DeepCopyInto(out *PortInfoObservation) {
 	*out = *in
+	if in.CidrListAliases != nil {
+		in, out := &in.CidrListAliases, &out.CidrListAliases
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Cidrs != nil {
+		in, out := &in.Cidrs, &out.Cidrs
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IPv6Cidrs != nil {
+		in, out := &in.IPv6Cidrs, &out.IPv6Cidrs
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortInfoObservation.
@@ -2909,6 +3280,22 @@ func (in *PrivateRegistryAccessParameters) DeepCopy() *PrivateRegistryAccessPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublicDomainNamesCertificateObservation) DeepCopyInto(out *PublicDomainNamesCertificateObservation) {
 	*out = *in
+	if in.CertificateName != nil {
+		in, out := &in.CertificateName, &out.CertificateName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainNames != nil {
+		in, out := &in.DomainNames, &out.DomainNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicDomainNamesCertificateObservation.
@@ -2955,6 +3342,13 @@ func (in *PublicDomainNamesCertificateParameters) DeepCopy() *PublicDomainNamesC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublicDomainNamesObservation) DeepCopyInto(out *PublicDomainNamesObservation) {
 	*out = *in
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = make([]PublicDomainNamesCertificateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicDomainNamesObservation.
@@ -3088,6 +3482,16 @@ func (in *StaticIPAttachmentObservation) DeepCopyInto(out *StaticIPAttachmentObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceName != nil {
+		in, out := &in.InstanceName, &out.InstanceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.StaticIPName != nil {
+		in, out := &in.StaticIPName, &out.StaticIPName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticIPAttachmentObservation.
@@ -3234,6 +3638,11 @@ func (in *StaticIPObservation) DeepCopyInto(out *StaticIPObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.SupportCode != nil {
 		in, out := &in.SupportCode, &out.SupportCode
 		*out = new(string)
diff --git a/apis/lightsail/v1beta1/zz_instance_types.go b/apis/lightsail/v1beta1/zz_instance_types.go
index 6e7306d466..27111e6aec 100755
--- a/apis/lightsail/v1beta1/zz_instance_types.go
+++ b/apis/lightsail/v1beta1/zz_instance_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AddOnObservation struct {
+
+	// The daily time when an automatic snapshot will be created. Must be in HH:00 format, and in an hourly increment and specified in Coordinated Universal Time (UTC). The snapshot will be automatically created between the time specified and up to 45 minutes after.
+	SnapshotTime *string `json:"snapshotTime,omitempty" tf:"snapshot_time,omitempty"`
+
+	// The status of the add on. Valid Values: Enabled, Disabled.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// The add-on type. There is currently only one valid type AutoSnapshot.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type AddOnParameters struct {
@@ -33,9 +42,22 @@ type AddOnParameters struct {
 
 type InstanceObservation struct {
 
+	// The add on configuration for the instance. Detailed below.
+	AddOn []AddOnObservation `json:"addOn,omitempty" tf:"add_on,omitempty"`
+
 	// The ARN of the Lightsail instance (matches id).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Availability Zone in which to create your
+	// instance (see list below)
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The ID for a virtual private server image. A list of available blueprint IDs can be obtained using the AWS CLI command: aws lightsail get-blueprints
+	BlueprintID *string `json:"blueprintId,omitempty" tf:"blueprint_id,omitempty"`
+
+	// The bundle of specification information (see list below)
+	BundleID *string `json:"bundleId,omitempty" tf:"bundle_id,omitempty"`
+
 	// The number of vCPUs the instance has.
 	CPUCount *float64 `json:"cpuCount,omitempty" tf:"cpu_count,omitempty"`
 
@@ -45,6 +67,9 @@ type InstanceObservation struct {
 	// The ARN of the Lightsail instance (matches arn).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IP address type of the Lightsail Instance. Valid Values: dualstack | ipv4.
+	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
+
 	// (Deprecated) The first IPv6 address of the Lightsail instance. Use ipv6_addresses attribute instead.
 	IPv6Address *string `json:"ipv6Address,omitempty" tf:"ipv6_address,omitempty"`
 
@@ -54,6 +79,10 @@ type InstanceObservation struct {
 	// A Boolean value indicating whether this instance has a static IP assigned to it.
 	IsStaticIP *bool `json:"isStaticIp,omitempty" tf:"is_static_ip,omitempty"`
 
+	// The name of your key pair. Created in the
+	// Lightsail console (cannot use aws_key_pair at this time)
+	KeyPairName *string `json:"keyPairName,omitempty" tf:"key_pair_name,omitempty"`
+
 	// The private IP address of the instance.
 	PrivateIPAddress *string `json:"privateIpAddress,omitempty" tf:"private_ip_address,omitempty"`
 
@@ -63,9 +92,15 @@ type InstanceObservation struct {
 	// The amount of RAM in GB on the instance (e.g., 1.0).
 	RAMSize *float64 `json:"ramSize,omitempty" tf:"ram_size,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// launch script to configure server with additional user data
+	UserData *string `json:"userData,omitempty" tf:"user_data,omitempty"`
+
 	// The user name for connecting to the instance (e.g., ec2-user).
 	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
@@ -78,16 +113,16 @@ type InstanceParameters struct {
 
 	// The Availability Zone in which to create your
 	// instance (see list below)
-	// +kubebuilder:validation:Required
-	AvailabilityZone *string `json:"availabilityZone" tf:"availability_zone,omitempty"`
+	// +kubebuilder:validation:Optional
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
 	// The ID for a virtual private server image. A list of available blueprint IDs can be obtained using the AWS CLI command: aws lightsail get-blueprints
-	// +kubebuilder:validation:Required
-	BlueprintID *string `json:"blueprintId" tf:"blueprint_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	BlueprintID *string `json:"blueprintId,omitempty" tf:"blueprint_id,omitempty"`
 
 	// The bundle of specification information (see list below)
-	// +kubebuilder:validation:Required
-	BundleID *string `json:"bundleId" tf:"bundle_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	BundleID *string `json:"bundleId,omitempty" tf:"bundle_id,omitempty"`
 
 	// The IP address type of the Lightsail Instance. Valid Values: dualstack | ipv4.
 	// +kubebuilder:validation:Optional
@@ -136,8 +171,11 @@ type InstanceStatus struct {
 type Instance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstanceSpec   `json:"spec"`
-	Status            InstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)",message="availabilityZone is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.blueprintId)",message="blueprintId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bundleId)",message="bundleId is a required parameter"
+	Spec   InstanceSpec   `json:"spec"`
+	Status InstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_instancepublicports_types.go b/apis/lightsail/v1beta1/zz_instancepublicports_types.go
index 6fbce059a8..54237fc4bc 100755
--- a/apis/lightsail/v1beta1/zz_instancepublicports_types.go
+++ b/apis/lightsail/v1beta1/zz_instancepublicports_types.go
@@ -17,6 +17,12 @@ type InstancePublicPortsObservation struct {
 
 	// ID of the resource.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the Lightsail Instance.
+	InstanceName *string `json:"instanceName,omitempty" tf:"instance_name,omitempty"`
+
+	// Configuration block with port information. AWS closes all currently open ports that are not included in the port_info. Detailed below.
+	PortInfo []PortInfoObservation `json:"portInfo,omitempty" tf:"port_info,omitempty"`
 }
 
 type InstancePublicPortsParameters struct {
@@ -35,8 +41,8 @@ type InstancePublicPortsParameters struct {
 	InstanceNameSelector *v1.Selector `json:"instanceNameSelector,omitempty" tf:"-"`
 
 	// Configuration block with port information. AWS closes all currently open ports that are not included in the port_info. Detailed below.
-	// +kubebuilder:validation:Required
-	PortInfo []PortInfoParameters `json:"portInfo" tf:"port_info,omitempty"`
+	// +kubebuilder:validation:Optional
+	PortInfo []PortInfoParameters `json:"portInfo,omitempty" tf:"port_info,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -45,6 +51,23 @@ type InstancePublicPortsParameters struct {
 }
 
 type PortInfoObservation struct {
+
+	// Set of CIDR aliases that define access for a preconfigured range of IP addresses.
+	CidrListAliases []*string `json:"cidrListAliases,omitempty" tf:"cidr_list_aliases,omitempty"`
+
+	// Set of CIDR blocks.
+	Cidrs []*string `json:"cidrs,omitempty" tf:"cidrs,omitempty"`
+
+	// First port in a range of open ports on an instance.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	IPv6Cidrs []*string `json:"ipv6Cidrs,omitempty" tf:"ipv6_cidrs,omitempty"`
+
+	// IP protocol name. Valid values are tcp, all, udp, and icmp.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Last port in a range of open ports on an instance.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type PortInfoParameters struct {
@@ -97,8 +120,9 @@ type InstancePublicPortsStatus struct {
 type InstancePublicPorts struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstancePublicPortsSpec   `json:"spec"`
-	Status            InstancePublicPortsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.portInfo)",message="portInfo is a required parameter"
+	Spec   InstancePublicPortsSpec   `json:"spec"`
+	Status InstancePublicPortsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_keypair_types.go b/apis/lightsail/v1beta1/zz_keypair_types.go
index 67e91373e9..d14cfd24b4 100755
--- a/apis/lightsail/v1beta1/zz_keypair_types.go
+++ b/apis/lightsail/v1beta1/zz_keypair_types.go
@@ -33,9 +33,20 @@ type KeyPairObservation struct {
 	// The name used for this key pair
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the Lightsail Key Pair
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// –  An optional PGP key to encrypt the resulting private
+	// key material. Only used when creating a new key pair
+	PgpKey *string `json:"pgpKey,omitempty" tf:"pgp_key,omitempty"`
+
 	// the private key, base64 encoded. This is only populated
 	// when creating a new key, and when no pgp_key is provided
 	PrivateKey *string `json:"privateKey,omitempty" tf:"private_key,omitempty"`
+
+	// The public key material. This public key will be
+	// imported into Lightsail
+	PublicKey *string `json:"publicKey,omitempty" tf:"public_key,omitempty"`
 }
 
 type KeyPairParameters struct {
diff --git a/apis/lightsail/v1beta1/zz_lb_types.go b/apis/lightsail/v1beta1/zz_lb_types.go
index b8a069ba53..c1788fa63b 100755
--- a/apis/lightsail/v1beta1/zz_lb_types.go
+++ b/apis/lightsail/v1beta1/zz_lb_types.go
@@ -24,9 +24,17 @@ type LBObservation struct {
 	// The DNS name of the load balancer.
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// The health check path of the load balancer. Default value "/".
+	HealthCheckPath *string `json:"healthCheckPath,omitempty" tf:"health_check_path,omitempty"`
+
 	// The name used for this load balancer (matches name).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
+
+	// The instance port the load balancer will connect.
+	InstancePort *float64 `json:"instancePort,omitempty" tf:"instance_port,omitempty"`
+
 	// The protocol of the load balancer.
 	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 
@@ -36,6 +44,9 @@ type LBObservation struct {
 	// The support code for the database. Include this code in your email to support when you have questions about a database in Lightsail. This code enables our support team to look up your Lightsail information more easily.
 	SupportCode *string `json:"supportCode,omitempty" tf:"support_code,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -50,8 +61,8 @@ type LBParameters struct {
 	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
 
 	// The instance port the load balancer will connect.
-	// +kubebuilder:validation:Required
-	InstancePort *float64 `json:"instancePort" tf:"instance_port,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstancePort *float64 `json:"instancePort,omitempty" tf:"instance_port,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -87,8 +98,9 @@ type LBStatus struct {
 type LB struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBSpec   `json:"spec"`
-	Status            LBStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePort)",message="instancePort is a required parameter"
+	Spec   LBSpec   `json:"spec"`
+	Status LBStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_lbattachment_types.go b/apis/lightsail/v1beta1/zz_lbattachment_types.go
index 429492d3f7..028610094b 100755
--- a/apis/lightsail/v1beta1/zz_lbattachment_types.go
+++ b/apis/lightsail/v1beta1/zz_lbattachment_types.go
@@ -17,6 +17,12 @@ type LBAttachmentObservation struct {
 
 	// A combination of attributes to create a unique id: lb_name,instance_name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the instance to attach to the load balancer.
+	InstanceName *string `json:"instanceName,omitempty" tf:"instance_name,omitempty"`
+
+	// The name of the Lightsail load balancer.
+	LBName *string `json:"lbName,omitempty" tf:"lb_name,omitempty"`
 }
 
 type LBAttachmentParameters struct {
diff --git a/apis/lightsail/v1beta1/zz_lbcertificate_types.go b/apis/lightsail/v1beta1/zz_lbcertificate_types.go
index c4ff500535..c5396fc8f1 100755
--- a/apis/lightsail/v1beta1/zz_lbcertificate_types.go
+++ b/apis/lightsail/v1beta1/zz_lbcertificate_types.go
@@ -37,11 +37,20 @@ type LBCertificateObservation struct {
 	// The timestamp when the instance was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// The domain name (e.g., example.com) for your SSL/TLS certificate.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	DomainValidationRecords []DomainValidationRecordsObservation `json:"domainValidationRecords,omitempty" tf:"domain_validation_records,omitempty"`
 
 	// A combination of attributes to create a unique id: lb_name,name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The load balancer name where you want to create the SSL/TLS certificate.
+	LBName *string `json:"lbName,omitempty" tf:"lb_name,omitempty"`
+
+	// Set of domains that should be SANs in the issued certificate. domain_name attribute is automatically added as a Subject Alternative Name.
+	SubjectAlternativeNames []*string `json:"subjectAlternativeNames,omitempty" tf:"subject_alternative_names,omitempty"`
+
 	SupportCode *string `json:"supportCode,omitempty" tf:"support_code,omitempty"`
 }
 
diff --git a/apis/lightsail/v1beta1/zz_lbstickinesspolicy_types.go b/apis/lightsail/v1beta1/zz_lbstickinesspolicy_types.go
index 46d304d7c9..05ac0d979b 100755
--- a/apis/lightsail/v1beta1/zz_lbstickinesspolicy_types.go
+++ b/apis/lightsail/v1beta1/zz_lbstickinesspolicy_types.go
@@ -15,6 +15,12 @@ import (
 
 type LBStickinessPolicyObservation struct {
 
+	// The cookie duration in seconds. This determines the length of the session stickiness.
+	CookieDuration *float64 `json:"cookieDuration,omitempty" tf:"cookie_duration,omitempty"`
+
+	// - The Session Stickiness state of the load balancer. true to activate session stickiness or false to deactivate session stickiness.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// The name used for this load balancer (matches lb_name).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -22,12 +28,12 @@ type LBStickinessPolicyObservation struct {
 type LBStickinessPolicyParameters struct {
 
 	// The cookie duration in seconds. This determines the length of the session stickiness.
-	// +kubebuilder:validation:Required
-	CookieDuration *float64 `json:"cookieDuration" tf:"cookie_duration,omitempty"`
+	// +kubebuilder:validation:Optional
+	CookieDuration *float64 `json:"cookieDuration,omitempty" tf:"cookie_duration,omitempty"`
 
 	// - The Session Stickiness state of the load balancer. true to activate session stickiness or false to deactivate session stickiness.
-	// +kubebuilder:validation:Required
-	Enabled *bool `json:"enabled" tf:"enabled,omitempty"`
+	// +kubebuilder:validation:Optional
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -59,8 +65,10 @@ type LBStickinessPolicyStatus struct {
 type LBStickinessPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LBStickinessPolicySpec   `json:"spec"`
-	Status            LBStickinessPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cookieDuration)",message="cookieDuration is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enabled)",message="enabled is a required parameter"
+	Spec   LBStickinessPolicySpec   `json:"spec"`
+	Status LBStickinessPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_staticip_types.go b/apis/lightsail/v1beta1/zz_staticip_types.go
index 1b8628c340..1fba825660 100755
--- a/apis/lightsail/v1beta1/zz_staticip_types.go
+++ b/apis/lightsail/v1beta1/zz_staticip_types.go
@@ -23,6 +23,9 @@ type StaticIPObservation struct {
 	// The allocated static IP address
 	IPAddress *string `json:"ipAddress,omitempty" tf:"ip_address,omitempty"`
 
+	// The name for the allocated static IP
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The support code.
 	SupportCode *string `json:"supportCode,omitempty" tf:"support_code,omitempty"`
 }
@@ -30,8 +33,8 @@ type StaticIPObservation struct {
 type StaticIPParameters struct {
 
 	// The name for the allocated static IP
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -63,8 +66,9 @@ type StaticIPStatus struct {
 type StaticIP struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StaticIPSpec   `json:"spec"`
-	Status            StaticIPStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   StaticIPSpec   `json:"spec"`
+	Status StaticIPStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/lightsail/v1beta1/zz_staticipattachment_types.go b/apis/lightsail/v1beta1/zz_staticipattachment_types.go
index b439d40c3e..6491f02352 100755
--- a/apis/lightsail/v1beta1/zz_staticipattachment_types.go
+++ b/apis/lightsail/v1beta1/zz_staticipattachment_types.go
@@ -18,6 +18,12 @@ type StaticIPAttachmentObservation struct {
 
 	// The allocated static IP address
 	IPAddress *string `json:"ipAddress,omitempty" tf:"ip_address,omitempty"`
+
+	// The name of the Lightsail instance to attach the IP to
+	InstanceName *string `json:"instanceName,omitempty" tf:"instance_name,omitempty"`
+
+	// The name of the allocated static IP
+	StaticIPName *string `json:"staticIpName,omitempty" tf:"static_ip_name,omitempty"`
 }
 
 type StaticIPAttachmentParameters struct {
diff --git a/apis/location/v1beta1/zz_generated.deepcopy.go b/apis/location/v1beta1/zz_generated.deepcopy.go
index db9dbad229..d3438932fa 100644
--- a/apis/location/v1beta1/zz_generated.deepcopy.go
+++ b/apis/location/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataSourceConfigurationObservation) DeepCopyInto(out *DataSourceConfigurationObservation) {
 	*out = *in
+	if in.IntendedUse != nil {
+		in, out := &in.IntendedUse, &out.IntendedUse
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataSourceConfigurationObservation.
@@ -121,11 +126,36 @@ func (in *GeofenceCollectionObservation) DeepCopyInto(out *GeofenceCollectionObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -314,6 +344,23 @@ func (in *PlaceIndexObservation) DeepCopyInto(out *PlaceIndexObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DataSource != nil {
+		in, out := &in.DataSource, &out.DataSource
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSourceConfiguration != nil {
+		in, out := &in.DataSourceConfiguration, &out.DataSourceConfiguration
+		*out = make([]DataSourceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -324,6 +371,21 @@ func (in *PlaceIndexObservation) DeepCopyInto(out *PlaceIndexObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -514,11 +576,36 @@ func (in *RouteCalculatorObservation) DeepCopyInto(out *RouteCalculatorObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.DataSource != nil {
+		in, out := &in.DataSource, &out.DataSource
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -719,11 +806,21 @@ func (in *TrackerAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrackerAssociationObservation) DeepCopyInto(out *TrackerAssociationObservation) {
 	*out = *in
+	if in.ConsumerArn != nil {
+		in, out := &in.ConsumerArn, &out.ConsumerArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.TrackerName != nil {
+		in, out := &in.TrackerName, &out.TrackerName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrackerAssociationObservation.
@@ -860,11 +957,41 @@ func (in *TrackerObservation) DeepCopyInto(out *TrackerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PositionFiltering != nil {
+		in, out := &in.PositionFiltering, &out.PositionFiltering
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/location/v1beta1/zz_geofencecollection_types.go b/apis/location/v1beta1/zz_geofencecollection_types.go
index 243e2ce10b..9f10f9ff42 100755
--- a/apis/location/v1beta1/zz_geofencecollection_types.go
+++ b/apis/location/v1beta1/zz_geofencecollection_types.go
@@ -21,8 +21,17 @@ type GeofenceCollectionObservation struct {
 	// The timestamp for when the geofence collection resource was created in ISO 8601 format.
 	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`
 
+	// The optional description for the geofence collection.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A key identifier for an AWS KMS customer managed key assigned to the Amazon Location resource.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The timestamp for when the geofence collection resource was last updated in ISO 8601 format.
diff --git a/apis/location/v1beta1/zz_placeindex_types.go b/apis/location/v1beta1/zz_placeindex_types.go
index 88c31c2ba0..9cc3578641 100755
--- a/apis/location/v1beta1/zz_placeindex_types.go
+++ b/apis/location/v1beta1/zz_placeindex_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type DataSourceConfigurationObservation struct {
+
+	// Specifies how the results of an operation will be stored by the caller. Valid values: SingleUse, Storage. Default: SingleUse.
+	IntendedUse *string `json:"intendedUse,omitempty" tf:"intended_use,omitempty"`
 }
 
 type DataSourceConfigurationParameters struct {
@@ -28,11 +31,23 @@ type PlaceIndexObservation struct {
 	// The timestamp for when the place index resource was created in ISO 8601 format.
 	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`
 
+	// Specifies the geospatial data provider for the new place index.
+	DataSource *string `json:"dataSource,omitempty" tf:"data_source,omitempty"`
+
+	// Configuration block with the data storage option chosen for requesting Places. Detailed below.
+	DataSourceConfiguration []DataSourceConfigurationObservation `json:"dataSourceConfiguration,omitempty" tf:"data_source_configuration,omitempty"`
+
+	// The optional description for the place index resource.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The Amazon Resource Name (ARN) for the place index resource. Used to specify a resource across AWS.
 	IndexArn *string `json:"indexArn,omitempty" tf:"index_arn,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -43,8 +58,8 @@ type PlaceIndexObservation struct {
 type PlaceIndexParameters struct {
 
 	// Specifies the geospatial data provider for the new place index.
-	// +kubebuilder:validation:Required
-	DataSource *string `json:"dataSource" tf:"data_source,omitempty"`
+	// +kubebuilder:validation:Optional
+	DataSource *string `json:"dataSource,omitempty" tf:"data_source,omitempty"`
 
 	// Configuration block with the data storage option chosen for requesting Places. Detailed below.
 	// +kubebuilder:validation:Optional
@@ -88,8 +103,9 @@ type PlaceIndexStatus struct {
 type PlaceIndex struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PlaceIndexSpec   `json:"spec"`
-	Status            PlaceIndexStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataSource)",message="dataSource is a required parameter"
+	Spec   PlaceIndexSpec   `json:"spec"`
+	Status PlaceIndexStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/location/v1beta1/zz_routecalculator_types.go b/apis/location/v1beta1/zz_routecalculator_types.go
index b3afa209b2..8005ef4606 100755
--- a/apis/location/v1beta1/zz_routecalculator_types.go
+++ b/apis/location/v1beta1/zz_routecalculator_types.go
@@ -21,8 +21,17 @@ type RouteCalculatorObservation struct {
 	// The timestamp for when the route calculator resource was created in ISO 8601 format.
 	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`
 
+	// Specifies the data provider of traffic and road network data.
+	DataSource *string `json:"dataSource,omitempty" tf:"data_source,omitempty"`
+
+	// The optional description for the route calculator resource.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -33,8 +42,8 @@ type RouteCalculatorObservation struct {
 type RouteCalculatorParameters struct {
 
 	// Specifies the data provider of traffic and road network data.
-	// +kubebuilder:validation:Required
-	DataSource *string `json:"dataSource" tf:"data_source,omitempty"`
+	// +kubebuilder:validation:Optional
+	DataSource *string `json:"dataSource,omitempty" tf:"data_source,omitempty"`
 
 	// The optional description for the route calculator resource.
 	// +kubebuilder:validation:Optional
@@ -74,8 +83,9 @@ type RouteCalculatorStatus struct {
 type RouteCalculator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RouteCalculatorSpec   `json:"spec"`
-	Status            RouteCalculatorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataSource)",message="dataSource is a required parameter"
+	Spec   RouteCalculatorSpec   `json:"spec"`
+	Status RouteCalculatorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/location/v1beta1/zz_tracker_types.go b/apis/location/v1beta1/zz_tracker_types.go
index b9d07f0026..35adaa3e90 100755
--- a/apis/location/v1beta1/zz_tracker_types.go
+++ b/apis/location/v1beta1/zz_tracker_types.go
@@ -18,8 +18,20 @@ type TrackerObservation struct {
 	// The timestamp for when the tracker resource was created in ISO 8601 format.
 	CreateTime *string `json:"createTime,omitempty" tf:"create_time,omitempty"`
 
+	// The optional description for the tracker resource.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A key identifier for an AWS KMS customer managed key assigned to the Amazon Location resource.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The position filtering method of the tracker resource. Valid values: TimeBased, DistanceBased, AccuracyBased. Default: TimeBased.
+	PositionFiltering *string `json:"positionFiltering,omitempty" tf:"position_filtering,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
diff --git a/apis/location/v1beta1/zz_trackerassociation_types.go b/apis/location/v1beta1/zz_trackerassociation_types.go
index cfacf76e7a..8a03f6b5cd 100755
--- a/apis/location/v1beta1/zz_trackerassociation_types.go
+++ b/apis/location/v1beta1/zz_trackerassociation_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type TrackerAssociationObservation struct {
+
+	// The Amazon Resource Name (ARN) for the geofence collection to be associated to tracker resource. Used when you need to specify a resource across all AWS.
+	ConsumerArn *string `json:"consumerArn,omitempty" tf:"consumer_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the tracker resource to be associated with a geofence collection.
+	TrackerName *string `json:"trackerName,omitempty" tf:"tracker_name,omitempty"`
 }
 
 type TrackerAssociationParameters struct {
diff --git a/apis/macie2/v1beta1/zz_account_types.go b/apis/macie2/v1beta1/zz_account_types.go
index 5189634863..65230fcf1a 100755
--- a/apis/macie2/v1beta1/zz_account_types.go
+++ b/apis/macie2/v1beta1/zz_account_types.go
@@ -18,12 +18,18 @@ type AccountObservation struct {
 	// The date and time, in UTC and extended RFC 3339 format, when the Amazon Macie account was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// Specifies how often to publish updates to policy findings for the account. This includes publishing updates to AWS Security Hub and Amazon EventBridge (formerly called Amazon CloudWatch Events). Valid values are FIFTEEN_MINUTES, ONE_HOUR or SIX_HOURS.
+	FindingPublishingFrequency *string `json:"findingPublishingFrequency,omitempty" tf:"finding_publishing_frequency,omitempty"`
+
 	// The unique identifier (ID) of the macie account.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The Amazon Resource Name (ARN) of the service-linked role that allows Macie to monitor and analyze data in AWS resources for the account.
 	ServiceRole *string `json:"serviceRole,omitempty" tf:"service_role,omitempty"`
 
+	// Specifies the status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to ENABLED. Valid values are ENABLED or PAUSED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
 	// The date and time, in UTC and extended RFC 3339 format, of the most recent change to the status of the Macie account.
 	UpdatedAt *string `json:"updatedAt,omitempty" tf:"updated_at,omitempty"`
 }
diff --git a/apis/macie2/v1beta1/zz_classificationjob_types.go b/apis/macie2/v1beta1/zz_classificationjob_types.go
index 476158e72a..bfafa9edf4 100755
--- a/apis/macie2/v1beta1/zz_classificationjob_types.go
+++ b/apis/macie2/v1beta1/zz_classificationjob_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AndObservation struct {
+
+	// A property-based condition that defines a property, operator, and one or more values for including or excluding an S3 buckets from the job. (documented below)
+	SimpleCriterion []SimpleCriterionObservation `json:"simpleCriterion,omitempty" tf:"simple_criterion,omitempty"`
+
+	// A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding an S3 buckets from the job. (documented below)
+	TagCriterion []TagCriterionObservation `json:"tagCriterion,omitempty" tf:"tag_criterion,omitempty"`
 }
 
 type AndParameters struct {
@@ -28,6 +34,15 @@ type AndParameters struct {
 }
 
 type AndSimpleCriterionObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// An array that lists the values to use in the condition.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type AndSimpleCriterionParameters struct {
@@ -46,6 +61,15 @@ type AndSimpleCriterionParameters struct {
 }
 
 type AndSimpleScopeTermObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// An array that lists the values to use in the condition.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type AndSimpleScopeTermParameters struct {
@@ -64,6 +88,12 @@ type AndSimpleScopeTermParameters struct {
 }
 
 type AndTagCriterionObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The tag keys or tag key and value pairs to use in the condition.
+	TagValues []TagCriterionTagValuesObservation `json:"tagValues,omitempty" tf:"tag_values,omitempty"`
 }
 
 type AndTagCriterionParameters struct {
@@ -78,6 +108,18 @@ type AndTagCriterionParameters struct {
 }
 
 type AndTagScopeTermObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The tag keys or tag key and value pairs to use in the condition.
+	TagValues []AndTagScopeTermTagValuesObservation `json:"tagValues,omitempty" tf:"tag_values,omitempty"`
+
+	// The type of object to apply the condition to. The only valid value is S3_OBJECT.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type AndTagScopeTermParameters struct {
@@ -100,6 +142,12 @@ type AndTagScopeTermParameters struct {
 }
 
 type AndTagScopeTermTagValuesObservation struct {
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type AndTagScopeTermTagValuesParameters struct {
@@ -114,6 +162,12 @@ type AndTagScopeTermTagValuesParameters struct {
 }
 
 type BucketCriteriaObservation struct {
+
+	// The property- or tag-based conditions that determine which objects to exclude from the analysis. (documented below)
+	Excludes []ExcludesObservation `json:"excludes,omitempty" tf:"excludes,omitempty"`
+
+	// The property- or tag-based conditions that determine which objects to include in the analysis. (documented below)
+	Includes []IncludesObservation `json:"includes,omitempty" tf:"includes,omitempty"`
 }
 
 type BucketCriteriaParameters struct {
@@ -128,6 +182,12 @@ type BucketCriteriaParameters struct {
 }
 
 type BucketDefinitionsObservation struct {
+
+	// The unique identifier for the AWS account that owns the buckets.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// An array that lists the names of the buckets.
+	Buckets []*string `json:"buckets,omitempty" tf:"buckets,omitempty"`
 }
 
 type BucketDefinitionsParameters struct {
@@ -146,14 +206,44 @@ type ClassificationJobObservation struct {
 	// The date and time, in UTC and extended RFC 3339 format, when the job was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// The custom data identifiers to use for data analysis and classification.
+	CustomDataIdentifierIds []*string `json:"customDataIdentifierIds,omitempty" tf:"custom_data_identifier_ids,omitempty"`
+
+	// A custom description of the job. The description can contain as many as 200 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The unique identifier (ID) of the macie classification job.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies whether to analyze all existing, eligible objects immediately after the job is created.
+	InitialRun *bool `json:"initialRun,omitempty" tf:"initial_run,omitempty"`
+
 	JobArn *string `json:"jobArn,omitempty" tf:"job_arn,omitempty"`
 
 	// The unique identifier (ID) of the macie classification job.
 	JobID *string `json:"jobId,omitempty" tf:"job_id,omitempty"`
 
+	// The status for the job. Valid values are: CANCELLED, RUNNING and USER_PAUSED
+	JobStatus *string `json:"jobStatus,omitempty" tf:"job_status,omitempty"`
+
+	// The schedule for running the job. Valid values are: ONE_TIME - Run the job only once. If you specify this value, don't specify a value for the schedule_frequency property. SCHEDULED - Run the job on a daily, weekly, or monthly basis. If you specify this value, use the schedule_frequency property to define the recurrence pattern for the job.
+	JobType *string `json:"jobType,omitempty" tf:"job_type,omitempty"`
+
+	// A custom name for the job. The name can contain as many as 500 characters. Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The S3 buckets that contain the objects to analyze, and the scope of that analysis. (documented below)
+	S3JobDefinition []S3JobDefinitionObservation `json:"s3JobDefinition,omitempty" tf:"s3_job_definition,omitempty"`
+
+	// The sampling depth, as a percentage, to apply when processing objects. This value determines the percentage of eligible objects that the job analyzes. If this value is less than 100, Amazon Macie selects the objects to analyze at random, up to the specified percentage, and analyzes all the data in those objects.
+	SamplingPercentage *float64 `json:"samplingPercentage,omitempty" tf:"sampling_percentage,omitempty"`
+
+	// The recurrence pattern for running the job. To run the job only once, don't specify a value for this property and set the value for the job_type property to ONE_TIME. (documented below)
+	ScheduleFrequency []ScheduleFrequencyObservation `json:"scheduleFrequency,omitempty" tf:"schedule_frequency,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// If the current status of the job is USER_PAUSED, specifies when the job was paused and when the job or job run will expire and be cancelled if it isn't resumed. This value is present only if the value for job-status is USER_PAUSED.
@@ -179,8 +269,8 @@ type ClassificationJobParameters struct {
 	JobStatus *string `json:"jobStatus,omitempty" tf:"job_status,omitempty"`
 
 	// The schedule for running the job. Valid values are: ONE_TIME - Run the job only once. If you specify this value, don't specify a value for the schedule_frequency property. SCHEDULED - Run the job on a daily, weekly, or monthly basis. If you specify this value, use the schedule_frequency property to define the recurrence pattern for the job.
-	// +kubebuilder:validation:Required
-	JobType *string `json:"jobType" tf:"job_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	JobType *string `json:"jobType,omitempty" tf:"job_type,omitempty"`
 
 	// A custom name for the job. The name can contain as many as 500 characters. Conflicts with name_prefix.
 	// +kubebuilder:validation:Optional
@@ -192,8 +282,8 @@ type ClassificationJobParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The S3 buckets that contain the objects to analyze, and the scope of that analysis. (documented below)
-	// +kubebuilder:validation:Required
-	S3JobDefinition []S3JobDefinitionParameters `json:"s3JobDefinition" tf:"s3_job_definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	S3JobDefinition []S3JobDefinitionParameters `json:"s3JobDefinition,omitempty" tf:"s3_job_definition,omitempty"`
 
 	// The sampling depth, as a percentage, to apply when processing objects. This value determines the percentage of eligible objects that the job analyzes. If this value is less than 100, Amazon Macie selects the objects to analyze at random, up to the specified percentage, and analyzes all the data in those objects.
 	// +kubebuilder:validation:Optional
@@ -209,6 +299,12 @@ type ClassificationJobParameters struct {
 }
 
 type ExcludesAndObservation struct {
+
+	// A property-based condition that defines a property, operator, and one or more values for including or excluding an object from the job. (documented below)
+	SimpleScopeTerm []SimpleScopeTermObservation `json:"simpleScopeTerm,omitempty" tf:"simple_scope_term,omitempty"`
+
+	// A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding an object from the job. (documented below)
+	TagScopeTerm []TagScopeTermObservation `json:"tagScopeTerm,omitempty" tf:"tag_scope_term,omitempty"`
 }
 
 type ExcludesAndParameters struct {
@@ -223,6 +319,9 @@ type ExcludesAndParameters struct {
 }
 
 type ExcludesObservation struct {
+
+	// An array of conditions, one for each condition that determines which objects to include or exclude from the job. (documented below)
+	And []AndObservation `json:"and,omitempty" tf:"and,omitempty"`
 }
 
 type ExcludesParameters struct {
@@ -233,6 +332,12 @@ type ExcludesParameters struct {
 }
 
 type IncludesAndObservation struct {
+
+	// A property-based condition that defines a property, operator, and one or more values for including or excluding an S3 buckets from the job. (documented below)
+	SimpleCriterion []AndSimpleCriterionObservation `json:"simpleCriterion,omitempty" tf:"simple_criterion,omitempty"`
+
+	// A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding an S3 buckets from the job. (documented below)
+	TagCriterion []AndTagCriterionObservation `json:"tagCriterion,omitempty" tf:"tag_criterion,omitempty"`
 }
 
 type IncludesAndParameters struct {
@@ -247,6 +352,9 @@ type IncludesAndParameters struct {
 }
 
 type IncludesObservation struct {
+
+	// An array of conditions, one for each condition that determines which objects to include or exclude from the job. (documented below)
+	And []IncludesAndObservation `json:"and,omitempty" tf:"and,omitempty"`
 }
 
 type IncludesParameters struct {
@@ -257,6 +365,15 @@ type IncludesParameters struct {
 }
 
 type S3JobDefinitionObservation struct {
+
+	// The property- and tag-based conditions that determine which S3 buckets to include or exclude from the analysis. Conflicts with bucket_definitions. (documented below)
+	BucketCriteria []BucketCriteriaObservation `json:"bucketCriteria,omitempty" tf:"bucket_criteria,omitempty"`
+
+	// An array of objects, one for each AWS account that owns buckets to analyze. Each object specifies the account ID for an account and one or more buckets to analyze for the account. Conflicts with bucket_criteria. (documented below)
+	BucketDefinitions []BucketDefinitionsObservation `json:"bucketDefinitions,omitempty" tf:"bucket_definitions,omitempty"`
+
+	// The property- and tag-based conditions that determine which objects to include or exclude from the analysis. (documented below)
+	Scoping []ScopingObservation `json:"scoping,omitempty" tf:"scoping,omitempty"`
 }
 
 type S3JobDefinitionParameters struct {
@@ -275,6 +392,15 @@ type S3JobDefinitionParameters struct {
 }
 
 type ScheduleFrequencyObservation struct {
+
+	// Specifies a daily recurrence pattern for running the job.
+	DailySchedule *bool `json:"dailySchedule,omitempty" tf:"daily_schedule,omitempty"`
+
+	// Specifies a monthly recurrence pattern for running the job.
+	MonthlySchedule *float64 `json:"monthlySchedule,omitempty" tf:"monthly_schedule,omitempty"`
+
+	// Specifies a weekly recurrence pattern for running the job.
+	WeeklySchedule *string `json:"weeklySchedule,omitempty" tf:"weekly_schedule,omitempty"`
 }
 
 type ScheduleFrequencyParameters struct {
@@ -293,6 +419,9 @@ type ScheduleFrequencyParameters struct {
 }
 
 type ScopingExcludesObservation struct {
+
+	// An array of conditions, one for each condition that determines which objects to include or exclude from the job. (documented below)
+	And []ExcludesAndObservation `json:"and,omitempty" tf:"and,omitempty"`
 }
 
 type ScopingExcludesParameters struct {
@@ -303,6 +432,12 @@ type ScopingExcludesParameters struct {
 }
 
 type ScopingIncludesAndObservation struct {
+
+	// A property-based condition that defines a property, operator, and one or more values for including or excluding an object from the job. (documented below)
+	SimpleScopeTerm []AndSimpleScopeTermObservation `json:"simpleScopeTerm,omitempty" tf:"simple_scope_term,omitempty"`
+
+	// A tag-based condition that defines the operator and tag keys or tag key and value pairs for including or excluding an object from the job. (documented below)
+	TagScopeTerm []AndTagScopeTermObservation `json:"tagScopeTerm,omitempty" tf:"tag_scope_term,omitempty"`
 }
 
 type ScopingIncludesAndParameters struct {
@@ -317,6 +452,9 @@ type ScopingIncludesAndParameters struct {
 }
 
 type ScopingIncludesObservation struct {
+
+	// An array of conditions, one for each condition that determines which objects to include or exclude from the job. (documented below)
+	And []ScopingIncludesAndObservation `json:"and,omitempty" tf:"and,omitempty"`
 }
 
 type ScopingIncludesParameters struct {
@@ -327,6 +465,12 @@ type ScopingIncludesParameters struct {
 }
 
 type ScopingObservation struct {
+
+	// The property- or tag-based conditions that determine which objects to exclude from the analysis. (documented below)
+	Excludes []ScopingExcludesObservation `json:"excludes,omitempty" tf:"excludes,omitempty"`
+
+	// The property- or tag-based conditions that determine which objects to include in the analysis. (documented below)
+	Includes []ScopingIncludesObservation `json:"includes,omitempty" tf:"includes,omitempty"`
 }
 
 type ScopingParameters struct {
@@ -341,6 +485,15 @@ type ScopingParameters struct {
 }
 
 type SimpleCriterionObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// An array that lists the values to use in the condition.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type SimpleCriterionParameters struct {
@@ -359,6 +512,15 @@ type SimpleCriterionParameters struct {
 }
 
 type SimpleScopeTermObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// An array that lists the values to use in the condition.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type SimpleScopeTermParameters struct {
@@ -377,6 +539,12 @@ type SimpleScopeTermParameters struct {
 }
 
 type TagCriterionObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The tag keys or tag key and value pairs to use in the condition.
+	TagValues []TagValuesObservation `json:"tagValues,omitempty" tf:"tag_values,omitempty"`
 }
 
 type TagCriterionParameters struct {
@@ -391,6 +559,12 @@ type TagCriterionParameters struct {
 }
 
 type TagCriterionTagValuesObservation struct {
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagCriterionTagValuesParameters struct {
@@ -405,6 +579,18 @@ type TagCriterionTagValuesParameters struct {
 }
 
 type TagScopeTermObservation struct {
+
+	// The operator to use in a condition. Valid values are: EQ, GT, GTE, LT, LTE, NE, CONTAINS, STARTS_WITH
+	Comparator *string `json:"comparator,omitempty" tf:"comparator,omitempty"`
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The tag keys or tag key and value pairs to use in the condition.
+	TagValues []TagScopeTermTagValuesObservation `json:"tagValues,omitempty" tf:"tag_values,omitempty"`
+
+	// The type of object to apply the condition to. The only valid value is S3_OBJECT.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type TagScopeTermParameters struct {
@@ -427,6 +613,12 @@ type TagScopeTermParameters struct {
 }
 
 type TagScopeTermTagValuesObservation struct {
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagScopeTermTagValuesParameters struct {
@@ -441,6 +633,12 @@ type TagScopeTermTagValuesParameters struct {
 }
 
 type TagValuesObservation struct {
+
+	// The object property to use in the condition.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagValuesParameters struct {
@@ -489,8 +687,10 @@ type ClassificationJobStatus struct {
 type ClassificationJob struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClassificationJobSpec   `json:"spec"`
-	Status            ClassificationJobStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.jobType)",message="jobType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.s3JobDefinition)",message="s3JobDefinition is a required parameter"
+	Spec   ClassificationJobSpec   `json:"spec"`
+	Status ClassificationJobStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/macie2/v1beta1/zz_customdataidentifier_types.go b/apis/macie2/v1beta1/zz_customdataidentifier_types.go
index c07f8267fa..90800447e7 100755
--- a/apis/macie2/v1beta1/zz_customdataidentifier_types.go
+++ b/apis/macie2/v1beta1/zz_customdataidentifier_types.go
@@ -21,9 +21,30 @@ type CustomDataIdentifierObservation struct {
 	// The date and time, in UTC and extended RFC 3339 format, when the Amazon Macie account was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// A custom description of the custom data identifier. The description can contain as many as 512 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The unique identifier (ID) of the macie custom data identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// An array that lists specific character sequences (ignore words) to exclude from the results. If the text matched by the regular expression is the same as any string in this array, Amazon Macie ignores it. The array can contain as many as 10 ignore words. Each ignore word can contain 4 - 90 characters. Ignore words are case sensitive.
+	IgnoreWords []*string `json:"ignoreWords,omitempty" tf:"ignore_words,omitempty"`
+
+	// An array that lists specific character sequences (keywords), one of which must be within proximity (maximum_match_distance) of the regular expression to match. The array can contain as many as 50 keywords. Each keyword can contain 3 - 90 characters. Keywords aren't case sensitive.
+	Keywords []*string `json:"keywords,omitempty" tf:"keywords,omitempty"`
+
+	// The maximum number of characters that can exist between text that matches the regex pattern and the character sequences specified by the keywords array. Macie includes or excludes a result based on the proximity of a keyword to text that matches the regex pattern. The distance can be 1 - 300 characters. The default value is 50.
+	MaximumMatchDistance *float64 `json:"maximumMatchDistance,omitempty" tf:"maximum_match_distance,omitempty"`
+
+	// A custom name for the custom data identifier. The name can contain as many as 128 characters. Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The regular expression (regex) that defines the pattern to match. The expression can contain as many as 512 characters.
+	Regex *string `json:"regex,omitempty" tf:"regex,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
diff --git a/apis/macie2/v1beta1/zz_findingsfilter_types.go b/apis/macie2/v1beta1/zz_findingsfilter_types.go
index 2fc71233d1..d371fb58e7 100755
--- a/apis/macie2/v1beta1/zz_findingsfilter_types.go
+++ b/apis/macie2/v1beta1/zz_findingsfilter_types.go
@@ -14,6 +14,30 @@ import (
 )
 
 type CriterionObservation struct {
+
+	// The value for the property matches (equals) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
+	Eq []*string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The value for the property exclusively matches (equals an exact match for) all the specified values. If you specify multiple values, Amazon Macie uses AND logic to join the values.
+	EqExactMatch []*string `json:"eqExactMatch,omitempty" tf:"eq_exact_match,omitempty"`
+
+	// The name of the field to be evaluated.
+	Field *string `json:"field,omitempty" tf:"field,omitempty"`
+
+	// The value for the property is greater than the specified value.
+	Gt *string `json:"gt,omitempty" tf:"gt,omitempty"`
+
+	// The value for the property is greater than or equal to the specified value.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The value for the property is less than the specified value.
+	Lt *string `json:"lt,omitempty" tf:"lt,omitempty"`
+
+	// The value for the property is less than or equal to the specified value.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
+
+	// The value for the property doesn't match (doesn't equal) the specified value. If you specify multiple values, Amazon Macie uses OR logic to join the values.
+	Neq []*string `json:"neq,omitempty" tf:"neq,omitempty"`
 }
 
 type CriterionParameters struct {
@@ -52,6 +76,9 @@ type CriterionParameters struct {
 }
 
 type FindingCriteriaObservation struct {
+
+	// A condition that specifies the property, operator, and one or more values to use to filter the results.  (documented below)
+	Criterion []CriterionObservation `json:"criterion,omitempty" tf:"criterion,omitempty"`
 }
 
 type FindingCriteriaParameters struct {
@@ -63,28 +90,46 @@ type FindingCriteriaParameters struct {
 
 type FindingsFilterObservation struct {
 
+	// The action to perform on findings that meet the filter criteria (finding_criteria). Valid values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the Findings Filter.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A custom description of the filter. The description can contain as many as 512 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The criteria to use to filter findings.
+	FindingCriteria []FindingCriteriaObservation `json:"findingCriteria,omitempty" tf:"finding_criteria,omitempty"`
+
 	// The unique identifier (ID) of the macie Findings Filter.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A custom name for the filter. The name must contain at least 3 characters and can contain as many as 64 characters. Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The position of the filter in the list of saved filters on the Amazon Macie console. This value also determines the order in which the filter is applied to findings, relative to other filters that are also applied to the findings.
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
 type FindingsFilterParameters struct {
 
 	// The action to perform on findings that meet the filter criteria (finding_criteria). Valid values are: ARCHIVE, suppress (automatically archive) the findings; and, NOOP, don't perform any action on the findings.
-	// +kubebuilder:validation:Required
-	Action *string `json:"action" tf:"action,omitempty"`
+	// +kubebuilder:validation:Optional
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
 
 	// A custom description of the filter. The description can contain as many as 512 characters.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The criteria to use to filter findings.
-	// +kubebuilder:validation:Required
-	FindingCriteria []FindingCriteriaParameters `json:"findingCriteria" tf:"finding_criteria,omitempty"`
+	// +kubebuilder:validation:Optional
+	FindingCriteria []FindingCriteriaParameters `json:"findingCriteria,omitempty" tf:"finding_criteria,omitempty"`
 
 	// A custom name for the filter. The name must contain at least 3 characters and can contain as many as 64 characters. Conflicts with name_prefix.
 	// +kubebuilder:validation:Optional
@@ -128,8 +173,10 @@ type FindingsFilterStatus struct {
 type FindingsFilter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FindingsFilterSpec   `json:"spec"`
-	Status            FindingsFilterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)",message="action is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.findingCriteria)",message="findingCriteria is a required parameter"
+	Spec   FindingsFilterSpec   `json:"spec"`
+	Status FindingsFilterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/macie2/v1beta1/zz_generated.deepcopy.go b/apis/macie2/v1beta1/zz_generated.deepcopy.go
index 73a4105ccc..8928d7191b 100644
--- a/apis/macie2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/macie2/v1beta1/zz_generated.deepcopy.go
@@ -80,6 +80,11 @@ func (in *AccountObservation) DeepCopyInto(out *AccountObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.FindingPublishingFrequency != nil {
+		in, out := &in.FindingPublishingFrequency, &out.FindingPublishingFrequency
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -90,6 +95,11 @@ func (in *AccountObservation) DeepCopyInto(out *AccountObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 	if in.UpdatedAt != nil {
 		in, out := &in.UpdatedAt, &out.UpdatedAt
 		*out = new(string)
@@ -174,6 +184,20 @@ func (in *AccountStatus) DeepCopy() *AccountStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AndObservation) DeepCopyInto(out *AndObservation) {
 	*out = *in
+	if in.SimpleCriterion != nil {
+		in, out := &in.SimpleCriterion, &out.SimpleCriterion
+		*out = make([]SimpleCriterionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TagCriterion != nil {
+		in, out := &in.TagCriterion, &out.TagCriterion
+		*out = make([]TagCriterionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AndObservation.
@@ -218,6 +242,27 @@ func (in *AndParameters) DeepCopy() *AndParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AndSimpleCriterionObservation) DeepCopyInto(out *AndSimpleCriterionObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AndSimpleCriterionObservation.
@@ -269,6 +314,27 @@ func (in *AndSimpleCriterionParameters) DeepCopy() *AndSimpleCriterionParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AndSimpleScopeTermObservation) DeepCopyInto(out *AndSimpleScopeTermObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AndSimpleScopeTermObservation.
@@ -320,6 +386,18 @@ func (in *AndSimpleScopeTermParameters) DeepCopy() *AndSimpleScopeTermParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AndTagCriterionObservation) DeepCopyInto(out *AndTagCriterionObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.TagValues != nil {
+		in, out := &in.TagValues, &out.TagValues
+		*out = make([]TagCriterionTagValuesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AndTagCriterionObservation.
@@ -362,6 +440,28 @@ func (in *AndTagCriterionParameters) DeepCopy() *AndTagCriterionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AndTagScopeTermObservation) DeepCopyInto(out *AndTagScopeTermObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.TagValues != nil {
+		in, out := &in.TagValues, &out.TagValues
+		*out = make([]AndTagScopeTermTagValuesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AndTagScopeTermObservation.
@@ -414,6 +514,16 @@ func (in *AndTagScopeTermParameters) DeepCopy() *AndTagScopeTermParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AndTagScopeTermTagValuesObservation) DeepCopyInto(out *AndTagScopeTermTagValuesObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AndTagScopeTermTagValuesObservation.
@@ -454,6 +564,20 @@ func (in *AndTagScopeTermTagValuesParameters) DeepCopy() *AndTagScopeTermTagValu
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketCriteriaObservation) DeepCopyInto(out *BucketCriteriaObservation) {
 	*out = *in
+	if in.Excludes != nil {
+		in, out := &in.Excludes, &out.Excludes
+		*out = make([]ExcludesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Includes != nil {
+		in, out := &in.Includes, &out.Includes
+		*out = make([]IncludesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketCriteriaObservation.
@@ -498,6 +622,22 @@ func (in *BucketCriteriaParameters) DeepCopy() *BucketCriteriaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketDefinitionsObservation) DeepCopyInto(out *BucketDefinitionsObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Buckets != nil {
+		in, out := &in.Buckets, &out.Buckets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketDefinitionsObservation.
@@ -608,11 +748,32 @@ func (in *ClassificationJobObservation) DeepCopyInto(out *ClassificationJobObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomDataIdentifierIds != nil {
+		in, out := &in.CustomDataIdentifierIds, &out.CustomDataIdentifierIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InitialRun != nil {
+		in, out := &in.InitialRun, &out.InitialRun
+		*out = new(bool)
+		**out = **in
+	}
 	if in.JobArn != nil {
 		in, out := &in.JobArn, &out.JobArn
 		*out = new(string)
@@ -623,6 +784,55 @@ func (in *ClassificationJobObservation) DeepCopyInto(out *ClassificationJobObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.JobStatus != nil {
+		in, out := &in.JobStatus, &out.JobStatus
+		*out = new(string)
+		**out = **in
+	}
+	if in.JobType != nil {
+		in, out := &in.JobType, &out.JobType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3JobDefinition != nil {
+		in, out := &in.S3JobDefinition, &out.S3JobDefinition
+		*out = make([]S3JobDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SamplingPercentage != nil {
+		in, out := &in.SamplingPercentage, &out.SamplingPercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ScheduleFrequency != nil {
+		in, out := &in.ScheduleFrequency, &out.ScheduleFrequency
+		*out = make([]ScheduleFrequencyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -784,6 +994,64 @@ func (in *ClassificationJobStatus) DeepCopy() *ClassificationJobStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CriterionObservation) DeepCopyInto(out *CriterionObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.EqExactMatch != nil {
+		in, out := &in.EqExactMatch, &out.EqExactMatch
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Field != nil {
+		in, out := &in.Field, &out.Field
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gt != nil {
+		in, out := &in.Gt, &out.Gt
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lt != nil {
+		in, out := &in.Lt, &out.Lt
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Neq != nil {
+		in, out := &in.Neq, &out.Neq
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CriterionObservation.
@@ -941,11 +1209,68 @@ func (in *CustomDataIdentifierObservation) DeepCopyInto(out *CustomDataIdentifie
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IgnoreWords != nil {
+		in, out := &in.IgnoreWords, &out.IgnoreWords
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Keywords != nil {
+		in, out := &in.Keywords, &out.Keywords
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MaximumMatchDistance != nil {
+		in, out := &in.MaximumMatchDistance, &out.MaximumMatchDistance
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Regex != nil {
+		in, out := &in.Regex, &out.Regex
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1087,6 +1412,20 @@ func (in *CustomDataIdentifierStatus) DeepCopy() *CustomDataIdentifierStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExcludesAndObservation) DeepCopyInto(out *ExcludesAndObservation) {
 	*out = *in
+	if in.SimpleScopeTerm != nil {
+		in, out := &in.SimpleScopeTerm, &out.SimpleScopeTerm
+		*out = make([]SimpleScopeTermObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TagScopeTerm != nil {
+		in, out := &in.TagScopeTerm, &out.TagScopeTerm
+		*out = make([]TagScopeTermObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludesAndObservation.
@@ -1131,6 +1470,13 @@ func (in *ExcludesAndParameters) DeepCopy() *ExcludesAndParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExcludesObservation) DeepCopyInto(out *ExcludesObservation) {
 	*out = *in
+	if in.And != nil {
+		in, out := &in.And, &out.And
+		*out = make([]AndObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludesObservation.
@@ -1168,6 +1514,13 @@ func (in *ExcludesParameters) DeepCopy() *ExcludesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingCriteriaObservation) DeepCopyInto(out *FindingCriteriaObservation) {
 	*out = *in
+	if in.Criterion != nil {
+		in, out := &in.Criterion, &out.Criterion
+		*out = make([]CriterionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingCriteriaObservation.
@@ -1264,16 +1617,58 @@ func (in *FindingsFilterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingsFilterObservation) DeepCopyInto(out *FindingsFilterObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.FindingCriteria != nil {
+		in, out := &in.FindingCriteria, &out.FindingCriteria
+		*out = make([]FindingCriteriaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1400,6 +1795,20 @@ func (in *FindingsFilterStatus) DeepCopy() *FindingsFilterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IncludesAndObservation) DeepCopyInto(out *IncludesAndObservation) {
 	*out = *in
+	if in.SimpleCriterion != nil {
+		in, out := &in.SimpleCriterion, &out.SimpleCriterion
+		*out = make([]AndSimpleCriterionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TagCriterion != nil {
+		in, out := &in.TagCriterion, &out.TagCriterion
+		*out = make([]AndTagCriterionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IncludesAndObservation.
@@ -1444,6 +1853,13 @@ func (in *IncludesAndParameters) DeepCopy() *IncludesAndParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IncludesObservation) DeepCopyInto(out *IncludesObservation) {
 	*out = *in
+	if in.And != nil {
+		in, out := &in.And, &out.And
+		*out = make([]IncludesAndObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IncludesObservation.
@@ -1540,6 +1956,11 @@ func (in *InvitationAccepterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InvitationAccepterObservation) DeepCopyInto(out *InvitationAccepterObservation) {
 	*out = *in
+	if in.AdministratorAccountID != nil {
+		in, out := &in.AdministratorAccountID, &out.AdministratorAccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1683,6 +2104,11 @@ func (in *MemberList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.AdministratorAccountID != nil {
 		in, out := &in.AdministratorAccountID, &out.AdministratorAccountID
 		*out = new(string)
@@ -1693,11 +2119,31 @@ func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InvitationDisableEmailNotification != nil {
+		in, out := &in.InvitationDisableEmailNotification, &out.InvitationDisableEmailNotification
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InvitationMessage != nil {
+		in, out := &in.InvitationMessage, &out.InvitationMessage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Invite != nil {
+		in, out := &in.Invite, &out.Invite
+		*out = new(bool)
+		**out = **in
+	}
 	if in.InvitedAt != nil {
 		in, out := &in.InvitedAt, &out.InvitedAt
 		*out = new(string)
@@ -1713,6 +2159,26 @@ func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1847,6 +2313,27 @@ func (in *MemberStatus) DeepCopy() *MemberStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3JobDefinitionObservation) DeepCopyInto(out *S3JobDefinitionObservation) {
 	*out = *in
+	if in.BucketCriteria != nil {
+		in, out := &in.BucketCriteria, &out.BucketCriteria
+		*out = make([]BucketCriteriaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BucketDefinitions != nil {
+		in, out := &in.BucketDefinitions, &out.BucketDefinitions
+		*out = make([]BucketDefinitionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Scoping != nil {
+		in, out := &in.Scoping, &out.Scoping
+		*out = make([]ScopingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3JobDefinitionObservation.
@@ -1898,6 +2385,21 @@ func (in *S3JobDefinitionParameters) DeepCopy() *S3JobDefinitionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduleFrequencyObservation) DeepCopyInto(out *ScheduleFrequencyObservation) {
 	*out = *in
+	if in.DailySchedule != nil {
+		in, out := &in.DailySchedule, &out.DailySchedule
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MonthlySchedule != nil {
+		in, out := &in.MonthlySchedule, &out.MonthlySchedule
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WeeklySchedule != nil {
+		in, out := &in.WeeklySchedule, &out.WeeklySchedule
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleFrequencyObservation.
@@ -1943,6 +2445,13 @@ func (in *ScheduleFrequencyParameters) DeepCopy() *ScheduleFrequencyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScopingExcludesObservation) DeepCopyInto(out *ScopingExcludesObservation) {
 	*out = *in
+	if in.And != nil {
+		in, out := &in.And, &out.And
+		*out = make([]ExcludesAndObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopingExcludesObservation.
@@ -1980,6 +2489,20 @@ func (in *ScopingExcludesParameters) DeepCopy() *ScopingExcludesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScopingIncludesAndObservation) DeepCopyInto(out *ScopingIncludesAndObservation) {
 	*out = *in
+	if in.SimpleScopeTerm != nil {
+		in, out := &in.SimpleScopeTerm, &out.SimpleScopeTerm
+		*out = make([]AndSimpleScopeTermObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TagScopeTerm != nil {
+		in, out := &in.TagScopeTerm, &out.TagScopeTerm
+		*out = make([]AndTagScopeTermObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopingIncludesAndObservation.
@@ -2024,6 +2547,13 @@ func (in *ScopingIncludesAndParameters) DeepCopy() *ScopingIncludesAndParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScopingIncludesObservation) DeepCopyInto(out *ScopingIncludesObservation) {
 	*out = *in
+	if in.And != nil {
+		in, out := &in.And, &out.And
+		*out = make([]ScopingIncludesAndObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopingIncludesObservation.
@@ -2061,6 +2591,20 @@ func (in *ScopingIncludesParameters) DeepCopy() *ScopingIncludesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScopingObservation) DeepCopyInto(out *ScopingObservation) {
 	*out = *in
+	if in.Excludes != nil {
+		in, out := &in.Excludes, &out.Excludes
+		*out = make([]ScopingExcludesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Includes != nil {
+		in, out := &in.Includes, &out.Includes
+		*out = make([]ScopingIncludesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScopingObservation.
@@ -2105,6 +2649,27 @@ func (in *ScopingParameters) DeepCopy() *ScopingParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SimpleCriterionObservation) DeepCopyInto(out *SimpleCriterionObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SimpleCriterionObservation.
@@ -2156,6 +2721,27 @@ func (in *SimpleCriterionParameters) DeepCopy() *SimpleCriterionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SimpleScopeTermObservation) DeepCopyInto(out *SimpleScopeTermObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SimpleScopeTermObservation.
@@ -2207,6 +2793,18 @@ func (in *SimpleScopeTermParameters) DeepCopy() *SimpleScopeTermParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagCriterionObservation) DeepCopyInto(out *TagCriterionObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.TagValues != nil {
+		in, out := &in.TagValues, &out.TagValues
+		*out = make([]TagValuesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagCriterionObservation.
@@ -2249,6 +2847,16 @@ func (in *TagCriterionParameters) DeepCopy() *TagCriterionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagCriterionTagValuesObservation) DeepCopyInto(out *TagCriterionTagValuesObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagCriterionTagValuesObservation.
@@ -2289,6 +2897,28 @@ func (in *TagCriterionTagValuesParameters) DeepCopy() *TagCriterionTagValuesPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagScopeTermObservation) DeepCopyInto(out *TagScopeTermObservation) {
 	*out = *in
+	if in.Comparator != nil {
+		in, out := &in.Comparator, &out.Comparator
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.TagValues != nil {
+		in, out := &in.TagValues, &out.TagValues
+		*out = make([]TagScopeTermTagValuesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagScopeTermObservation.
@@ -2341,6 +2971,16 @@ func (in *TagScopeTermParameters) DeepCopy() *TagScopeTermParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagScopeTermTagValuesObservation) DeepCopyInto(out *TagScopeTermTagValuesObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagScopeTermTagValuesObservation.
@@ -2381,6 +3021,16 @@ func (in *TagScopeTermTagValuesParameters) DeepCopy() *TagScopeTermTagValuesPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagValuesObservation) DeepCopyInto(out *TagValuesObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagValuesObservation.
diff --git a/apis/macie2/v1beta1/zz_invitationaccepter_types.go b/apis/macie2/v1beta1/zz_invitationaccepter_types.go
index 8c5ef7a2f2..f2cf9f9391 100755
--- a/apis/macie2/v1beta1/zz_invitationaccepter_types.go
+++ b/apis/macie2/v1beta1/zz_invitationaccepter_types.go
@@ -15,6 +15,9 @@ import (
 
 type InvitationAccepterObservation struct {
 
+	// The AWS account ID for the account that sent the invitation.
+	AdministratorAccountID *string `json:"administratorAccountId,omitempty" tf:"administrator_account_id,omitempty"`
+
 	// The unique identifier (ID) of the macie invitation accepter.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -25,8 +28,8 @@ type InvitationAccepterObservation struct {
 type InvitationAccepterParameters struct {
 
 	// The AWS account ID for the account that sent the invitation.
-	// +kubebuilder:validation:Required
-	AdministratorAccountID *string `json:"administratorAccountId" tf:"administrator_account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	AdministratorAccountID *string `json:"administratorAccountId,omitempty" tf:"administrator_account_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -58,8 +61,9 @@ type InvitationAccepterStatus struct {
 type InvitationAccepter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InvitationAccepterSpec   `json:"spec"`
-	Status            InvitationAccepterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.administratorAccountId)",message="administratorAccountId is a required parameter"
+	Spec   InvitationAccepterSpec   `json:"spec"`
+	Status InvitationAccepterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/macie2/v1beta1/zz_member_types.go b/apis/macie2/v1beta1/zz_member_types.go
index b04211ecb8..ed0bb57c50 100755
--- a/apis/macie2/v1beta1/zz_member_types.go
+++ b/apis/macie2/v1beta1/zz_member_types.go
@@ -15,15 +15,30 @@ import (
 
 type MemberObservation struct {
 
+	// The AWS account ID for the account.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// The AWS account ID for the administrator account.
 	AdministratorAccountID *string `json:"administratorAccountId,omitempty" tf:"administrator_account_id,omitempty"`
 
 	// The Amazon Resource Name (ARN) of the account.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The email address for the account.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
 	// The unique identifier (ID) of the macie Member.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies whether to send an email notification to the root user of each account that the invitation will be sent to. This notification is in addition to an alert that the root user receives in AWS Personal Health Dashboard. To send an email notification to the root user of each account, set this value to true.
+	InvitationDisableEmailNotification *bool `json:"invitationDisableEmailNotification,omitempty" tf:"invitation_disable_email_notification,omitempty"`
+
+	// A custom message to include in the invitation. Amazon Macie adds this message to the standard content that it sends for an invitation.
+	InvitationMessage *string `json:"invitationMessage,omitempty" tf:"invitation_message,omitempty"`
+
+	// Send an invitation to a member
+	Invite *bool `json:"invite,omitempty" tf:"invite,omitempty"`
+
 	// The date and time, in UTC and extended RFC 3339 format, when an Amazon Macie membership invitation was last sent to the account. This value is null if a Macie invitation hasn't been sent to the account.
 	InvitedAt *string `json:"invitedAt,omitempty" tf:"invited_at,omitempty"`
 
@@ -33,6 +48,12 @@ type MemberObservation struct {
 	// The current status of the relationship between the account and the administrator account.
 	RelationshipStatus *string `json:"relationshipStatus,omitempty" tf:"relationship_status,omitempty"`
 
+	// Specifies the status for the account. To enable Amazon Macie and start all Macie activities for the account, set this value to ENABLED. Valid values are ENABLED or PAUSED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The date and time, in UTC and extended RFC 3339 format, of the most recent change to the status of the relationship between the account and the administrator account.
@@ -42,12 +63,12 @@ type MemberObservation struct {
 type MemberParameters struct {
 
 	// The AWS account ID for the account.
-	// +kubebuilder:validation:Required
-	AccountID *string `json:"accountId" tf:"account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// The email address for the account.
-	// +kubebuilder:validation:Required
-	Email *string `json:"email" tf:"email,omitempty"`
+	// +kubebuilder:validation:Optional
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
 
 	// Specifies whether to send an email notification to the root user of each account that the invitation will be sent to. This notification is in addition to an alert that the root user receives in AWS Personal Health Dashboard. To send an email notification to the root user of each account, set this value to true.
 	// +kubebuilder:validation:Optional
@@ -99,8 +120,10 @@ type MemberStatus struct {
 type Member struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MemberSpec   `json:"spec"`
-	Status            MemberStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)",message="accountId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)",message="email is a required parameter"
+	Spec   MemberSpec   `json:"spec"`
+	Status MemberStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/mediaconvert/v1beta1/zz_generated.deepcopy.go b/apis/mediaconvert/v1beta1/zz_generated.deepcopy.go
index ad06e96f07..fba75bc4cc 100644
--- a/apis/mediaconvert/v1beta1/zz_generated.deepcopy.go
+++ b/apis/mediaconvert/v1beta1/zz_generated.deepcopy.go
@@ -80,11 +80,48 @@ func (in *QueueObservation) DeepCopyInto(out *QueueObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PricingPlan != nil {
+		in, out := &in.PricingPlan, &out.PricingPlan
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReservationPlanSettings != nil {
+		in, out := &in.ReservationPlanSettings, &out.ReservationPlanSettings
+		*out = make([]ReservationPlanSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -206,6 +243,21 @@ func (in *QueueStatus) DeepCopy() *QueueStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReservationPlanSettingsObservation) DeepCopyInto(out *ReservationPlanSettingsObservation) {
 	*out = *in
+	if in.Commitment != nil {
+		in, out := &in.Commitment, &out.Commitment
+		*out = new(string)
+		**out = **in
+	}
+	if in.RenewalType != nil {
+		in, out := &in.RenewalType, &out.RenewalType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReservedSlots != nil {
+		in, out := &in.ReservedSlots, &out.ReservedSlots
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReservationPlanSettingsObservation.
diff --git a/apis/mediaconvert/v1beta1/zz_queue_types.go b/apis/mediaconvert/v1beta1/zz_queue_types.go
index e3a9c6e305..17992b175a 100755
--- a/apis/mediaconvert/v1beta1/zz_queue_types.go
+++ b/apis/mediaconvert/v1beta1/zz_queue_types.go
@@ -18,9 +18,24 @@ type QueueObservation struct {
 	// The Arn of the queue
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A description of the queue
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The same as name
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies whether the pricing plan for the queue is on-demand or reserved. Valid values are ON_DEMAND or RESERVED. Default to ON_DEMAND.
+	PricingPlan *string `json:"pricingPlan,omitempty" tf:"pricing_plan,omitempty"`
+
+	// A detail pricing plan of the  reserved queue. See below.
+	ReservationPlanSettings []ReservationPlanSettingsObservation `json:"reservationPlanSettings,omitempty" tf:"reservation_plan_settings,omitempty"`
+
+	// A status of the queue. Valid values are ACTIVE or RESERVED. Default to PAUSED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -54,6 +69,15 @@ type QueueParameters struct {
 }
 
 type ReservationPlanSettingsObservation struct {
+
+	// The length of the term of your reserved queue pricing plan commitment. Valid value is ONE_YEAR.
+	Commitment *string `json:"commitment,omitempty" tf:"commitment,omitempty"`
+
+	// Specifies whether the term of your reserved queue pricing plan. Valid values are AUTO_RENEW or EXPIRE.
+	RenewalType *string `json:"renewalType,omitempty" tf:"renewal_type,omitempty"`
+
+	// Specifies the number of reserved transcode slots (RTS) for queue.
+	ReservedSlots *float64 `json:"reservedSlots,omitempty" tf:"reserved_slots,omitempty"`
 }
 
 type ReservationPlanSettingsParameters struct {
diff --git a/apis/medialive/v1beta1/zz_channel_types.go b/apis/medialive/v1beta1/zz_channel_types.go
index 131a863150..a28eb2dfa8 100755
--- a/apis/medialive/v1beta1/zz_channel_types.go
+++ b/apis/medialive/v1beta1/zz_channel_types.go
@@ -14,6 +14,33 @@ import (
 )
 
 type AacSettingsObservation struct {
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	// Mono, Stereo, or 5.1 channel layout.
+	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+
+	// Set to "broadcasterMixedAd" when input contains pre-mixed main audio + AD (narration) as a stereo pair.
+	InputType *string `json:"inputType,omitempty" tf:"input_type,omitempty"`
+
+	// AAC profile.
+	Profile *string `json:"profile,omitempty" tf:"profile,omitempty"`
+
+	// The rate control mode.
+	RateControlMode *string `json:"rateControlMode,omitempty" tf:"rate_control_mode,omitempty"`
+
+	// Sets LATM/LOAS AAC output for raw containers.
+	RawFormat *string `json:"rawFormat,omitempty" tf:"raw_format,omitempty"`
+
+	// Sample rate in Hz.
+	SampleRate *float64 `json:"sampleRate,omitempty" tf:"sample_rate,omitempty"`
+
+	// Use MPEG-2 AAC audio instead of MPEG-4 AAC audio for raw or MPEG-2 Transport Stream containers.
+	Spec *string `json:"spec,omitempty" tf:"spec,omitempty"`
+
+	// VBR Quality Level - Only used if rateControlMode is VBR.
+	VbrQuality *string `json:"vbrQuality,omitempty" tf:"vbr_quality,omitempty"`
 }
 
 type AacSettingsParameters struct {
@@ -56,6 +83,27 @@ type AacSettingsParameters struct {
 }
 
 type Ac3SettingsObservation struct {
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	// Specifies the bitstream mode (bsmod) for the emitted AC-3 stream.
+	BitstreamMode *string `json:"bitstreamMode,omitempty" tf:"bitstream_mode,omitempty"`
+
+	// Mono, Stereo, or 5.1 channel layout.
+	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+
+	// Sets the dialnorm of the output.
+	Dialnorm *float64 `json:"dialnorm,omitempty" tf:"dialnorm,omitempty"`
+
+	// If set to filmStandard, adds dynamic range compression signaling to the output bitstream as defined in the Dolby Digital specification.
+	DrcProfile *string `json:"drcProfile,omitempty" tf:"drc_profile,omitempty"`
+
+	// When set to enabled, applies a 120Hz lowpass filter to the LFE channel prior to encoding.
+	LfeFilter *string `json:"lfeFilter,omitempty" tf:"lfe_filter,omitempty"`
+
+	// Metadata control.
+	MetadataControl *string `json:"metadataControl,omitempty" tf:"metadata_control,omitempty"`
 }
 
 type Ac3SettingsParameters struct {
@@ -90,6 +138,7 @@ type Ac3SettingsParameters struct {
 }
 
 type AncillarySourceSettingsObservation struct {
+	SourceAncillaryChannelNumber *float64 `json:"sourceAncillaryChannelNumber,omitempty" tf:"source_ancillary_channel_number,omitempty"`
 }
 
 type AncillarySourceSettingsParameters struct {
@@ -99,6 +148,9 @@ type AncillarySourceSettingsParameters struct {
 }
 
 type ArchiveCdnSettingsObservation struct {
+
+	// Archive S3 Settings. See Archive S3 Settings for more details.
+	ArchiveS3Settings []ArchiveS3SettingsObservation `json:"archiveS3Settings,omitempty" tf:"archive_s3_settings,omitempty"`
 }
 
 type ArchiveCdnSettingsParameters struct {
@@ -109,6 +161,15 @@ type ArchiveCdnSettingsParameters struct {
 }
 
 type ArchiveGroupSettingsObservation struct {
+
+	// Parameters that control the interactions with the CDN. See Archive CDN Settings for more details.
+	ArchiveCdnSettings []ArchiveCdnSettingsObservation `json:"archiveCdnSettings,omitempty" tf:"archive_cdn_settings,omitempty"`
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	Destination []DestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Number of seconds to write to archive file before closing and starting a new one.
+	RolloverInterval *float64 `json:"rolloverInterval,omitempty" tf:"rollover_interval,omitempty"`
 }
 
 type ArchiveGroupSettingsParameters struct {
@@ -127,6 +188,15 @@ type ArchiveGroupSettingsParameters struct {
 }
 
 type ArchiveOutputSettingsObservation struct {
+
+	// Settings specific to the container type of the file. See Container Settings for more details.
+	ContainerSettings []ContainerSettingsObservation `json:"containerSettings,omitempty" tf:"container_settings,omitempty"`
+
+	// Output file extension.
+	Extension *string `json:"extension,omitempty" tf:"extension,omitempty"`
+
+	// String concatenated to the end of the destination filename. Required for multiple outputs of the same type.
+	NameModifier *string `json:"nameModifier,omitempty" tf:"name_modifier,omitempty"`
 }
 
 type ArchiveOutputSettingsParameters struct {
@@ -145,6 +215,9 @@ type ArchiveOutputSettingsParameters struct {
 }
 
 type ArchiveS3SettingsObservation struct {
+
+	// Specify the canned ACL to apply to each S3 request.
+	CannedACL *string `json:"cannedAcl,omitempty" tf:"canned_acl,omitempty"`
 }
 
 type ArchiveS3SettingsParameters struct {
@@ -155,6 +228,38 @@ type ArchiveS3SettingsParameters struct {
 }
 
 type AudioDescriptionsObservation struct {
+
+	// Advanced audio normalization settings. See Audio Normalization Settings for more details.
+	AudioNormalizationSettings []AudioNormalizationSettingsObservation `json:"audioNormalizationSettings,omitempty" tf:"audio_normalization_settings,omitempty"`
+
+	// The name of the audio selector used as the source for this AudioDescription.
+	AudioSelectorName *string `json:"audioSelectorName,omitempty" tf:"audio_selector_name,omitempty"`
+
+	// Applies only if audioTypeControl is useConfigured. The values for audioType are defined in ISO-IEC 13818-1.
+	AudioType *string `json:"audioType,omitempty" tf:"audio_type,omitempty"`
+
+	// Determined how audio type is determined.
+	AudioTypeControl *string `json:"audioTypeControl,omitempty" tf:"audio_type_control,omitempty"`
+
+	// Settings to configure one or more solutions that insert audio watermarks in the audio encode. See Audio Watermark Settings for more details.
+	AudioWatermarkSettings []AudioWatermarkSettingsObservation `json:"audioWatermarkSettings,omitempty" tf:"audio_watermark_settings,omitempty"`
+
+	// Audio codec settings. See Audio Codec Settings for more details.
+	CodecSettings []CodecSettingsObservation `json:"codecSettings,omitempty" tf:"codec_settings,omitempty"`
+
+	// When specified this field indicates the three letter language code of the caption track to extract from the source.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	LanguageCodeControl *string `json:"languageCodeControl,omitempty" tf:"language_code_control,omitempty"`
+
+	// Name of the Channel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	RemixSettings []RemixSettingsObservation `json:"remixSettings,omitempty" tf:"remix_settings,omitempty"`
+
+	// Stream name RTMP destinations (URLs of type rtmp://)
+	StreamName *string `json:"streamName,omitempty" tf:"stream_name,omitempty"`
 }
 
 type AudioDescriptionsParameters struct {
@@ -204,6 +309,12 @@ type AudioDescriptionsParameters struct {
 }
 
 type AudioHlsRenditionSelectionObservation struct {
+
+	// User-specified id. Ths is used in an output group or an output.
+	GroupID *string `json:"groupId,omitempty" tf:"group_id,omitempty"`
+
+	// Name of the Channel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type AudioHlsRenditionSelectionParameters struct {
@@ -218,6 +329,11 @@ type AudioHlsRenditionSelectionParameters struct {
 }
 
 type AudioLanguageSelectionObservation struct {
+
+	// When specified this field indicates the three letter language code of the caption track to extract from the source.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	LanguageSelectionPolicy *string `json:"languageSelectionPolicy,omitempty" tf:"language_selection_policy,omitempty"`
 }
 
 type AudioLanguageSelectionParameters struct {
@@ -231,6 +347,15 @@ type AudioLanguageSelectionParameters struct {
 }
 
 type AudioNormalizationSettingsObservation struct {
+
+	// Audio normalization algorithm to use. itu17701 conforms to the CALM Act specification, itu17702 to the EBU R-128 specification.
+	Algorithm *string `json:"algorithm,omitempty" tf:"algorithm,omitempty"`
+
+	// Algorithm control for the audio description.
+	AlgorithmControl *string `json:"algorithmControl,omitempty" tf:"algorithm_control,omitempty"`
+
+	// Target LKFS (loudness) to adjust volume to.
+	TargetLkfs *float64 `json:"targetLkfs,omitempty" tf:"target_lkfs,omitempty"`
 }
 
 type AudioNormalizationSettingsParameters struct {
@@ -249,6 +374,15 @@ type AudioNormalizationSettingsParameters struct {
 }
 
 type AudioOnlyHlsSettingsObservation struct {
+
+	// User-specified id. Ths is used in an output group or an output.
+	AudioGroupID *string `json:"audioGroupId,omitempty" tf:"audio_group_id,omitempty"`
+
+	AudioOnlyImage []AudioOnlyImageObservation `json:"audioOnlyImage,omitempty" tf:"audio_only_image,omitempty"`
+
+	AudioTrackType *string `json:"audioTrackType,omitempty" tf:"audio_track_type,omitempty"`
+
+	SegmentType *string `json:"segmentType,omitempty" tf:"segment_type,omitempty"`
 }
 
 type AudioOnlyHlsSettingsParameters struct {
@@ -268,6 +402,15 @@ type AudioOnlyHlsSettingsParameters struct {
 }
 
 type AudioOnlyImageObservation struct {
+
+	// Key used to extract the password from EC2 Parameter store.
+	PasswordParam *string `json:"passwordParam,omitempty" tf:"password_param,omitempty"`
+
+	// Path to a file accessible to the live stream.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
+
+	// Username for destination.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type AudioOnlyImageParameters struct {
@@ -286,6 +429,9 @@ type AudioOnlyImageParameters struct {
 }
 
 type AudioPidSelectionObservation struct {
+
+	// User-specified id. Ths is used in an output group or an output.
+	Pid *float64 `json:"pid,omitempty" tf:"pid,omitempty"`
 }
 
 type AudioPidSelectionParameters struct {
@@ -296,6 +442,12 @@ type AudioPidSelectionParameters struct {
 }
 
 type AudioSelectorObservation struct {
+
+	// Name of the Channel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	SelectorSettings []SelectorSettingsObservation `json:"selectorSettings,omitempty" tf:"selector_settings,omitempty"`
 }
 
 type AudioSelectorParameters struct {
@@ -310,6 +462,11 @@ type AudioSelectorParameters struct {
 }
 
 type AudioSilenceSettingsObservation struct {
+
+	// The name of the audio selector used as the source for this AudioDescription.
+	AudioSelectorName *string `json:"audioSelectorName,omitempty" tf:"audio_selector_name,omitempty"`
+
+	AudioSilenceThresholdMsec *float64 `json:"audioSilenceThresholdMsec,omitempty" tf:"audio_silence_threshold_msec,omitempty"`
 }
 
 type AudioSilenceSettingsParameters struct {
@@ -323,6 +480,7 @@ type AudioSilenceSettingsParameters struct {
 }
 
 type AudioTrackSelectionObservation struct {
+	Track []TrackObservation `json:"track,omitempty" tf:"track,omitempty"`
 }
 
 type AudioTrackSelectionParameters struct {
@@ -332,6 +490,9 @@ type AudioTrackSelectionParameters struct {
 }
 
 type AudioWatermarkSettingsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	NielsenWatermarksSettings []NielsenWatermarksSettingsObservation `json:"nielsenWatermarksSettings,omitempty" tf:"nielsen_watermarks_settings,omitempty"`
 }
 
 type AudioWatermarkSettingsParameters struct {
@@ -342,6 +503,14 @@ type AudioWatermarkSettingsParameters struct {
 }
 
 type AutomaticInputFailoverSettingsObservation struct {
+	ErrorClearTimeMsec *float64 `json:"errorClearTimeMsec,omitempty" tf:"error_clear_time_msec,omitempty"`
+
+	FailoverCondition []FailoverConditionObservation `json:"failoverCondition,omitempty" tf:"failover_condition,omitempty"`
+
+	InputPreference *string `json:"inputPreference,omitempty" tf:"input_preference,omitempty"`
+
+	// The ID of the input.
+	SecondaryInputID *string `json:"secondaryInputId,omitempty" tf:"secondary_input_id,omitempty"`
 }
 
 type AutomaticInputFailoverSettingsParameters struct {
@@ -361,6 +530,15 @@ type AutomaticInputFailoverSettingsParameters struct {
 }
 
 type AvailBlankingImageObservation struct {
+
+	// Key used to extract the password from EC2 Parameter store.
+	PasswordParam *string `json:"passwordParam,omitempty" tf:"password_param,omitempty"`
+
+	// Path to a file accessible to the live stream.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
+
+	// Username for destination.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type AvailBlankingImageParameters struct {
@@ -379,6 +557,12 @@ type AvailBlankingImageParameters struct {
 }
 
 type AvailBlankingObservation struct {
+
+	// Blanking image to be used. See Avail Blanking Image for more details.
+	AvailBlankingImage []AvailBlankingImageObservation `json:"availBlankingImage,omitempty" tf:"avail_blanking_image,omitempty"`
+
+	// When set to enabled, causes video, audio and captions to be blanked when insertion metadata is added.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
 }
 
 type AvailBlankingParameters struct {
@@ -393,6 +577,12 @@ type AvailBlankingParameters struct {
 }
 
 type CaptionLanguageMappingsObservation struct {
+	CaptionChannel *float64 `json:"captionChannel,omitempty" tf:"caption_channel,omitempty"`
+
+	// When specified this field indicates the three letter language code of the caption track to extract from the source.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	LanguageDescription *string `json:"languageDescription,omitempty" tf:"language_description,omitempty"`
 }
 
 type CaptionLanguageMappingsParameters struct {
@@ -409,6 +599,15 @@ type CaptionLanguageMappingsParameters struct {
 }
 
 type CaptionSelectorObservation struct {
+
+	// When specified this field indicates the three letter language code of the caption track to extract from the source.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	// Name of the Channel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	SelectorSettings []CaptionSelectorSelectorSettingsObservation `json:"selectorSettings,omitempty" tf:"selector_settings,omitempty"`
 }
 
 type CaptionSelectorParameters struct {
@@ -427,6 +626,24 @@ type CaptionSelectorParameters struct {
 }
 
 type CaptionSelectorSelectorSettingsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	AncillarySourceSettings []AncillarySourceSettingsObservation `json:"ancillarySourceSettings,omitempty" tf:"ancillary_source_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	DvbTdtSettings []SelectorSettingsDvbTdtSettingsObservation `json:"dvbTdtSettings,omitempty" tf:"dvb_tdt_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	EmbeddedSourceSettings []EmbeddedSourceSettingsObservation `json:"embeddedSourceSettings,omitempty" tf:"embedded_source_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	Scte20SourceSettings []Scte20SourceSettingsObservation `json:"scte20SourceSettings,omitempty" tf:"scte20_source_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	Scte27SourceSettings []Scte27SourceSettingsObservation `json:"scte27SourceSettings,omitempty" tf:"scte27_source_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	TeletextSourceSettings []TeletextSourceSettingsObservation `json:"teletextSourceSettings,omitempty" tf:"teletext_source_settings,omitempty"`
 }
 
 type CaptionSelectorSelectorSettingsParameters struct {
@@ -457,6 +674,9 @@ type CaptionSelectorSelectorSettingsParameters struct {
 }
 
 type CdiInputSpecificationObservation struct {
+
+	// - Maximum CDI input resolution.
+	Resolution *string `json:"resolution,omitempty" tf:"resolution,omitempty"`
 }
 
 type CdiInputSpecificationParameters struct {
@@ -467,6 +687,9 @@ type CdiInputSpecificationParameters struct {
 }
 
 type ChannelMappingsObservation struct {
+	InputChannelLevels []InputChannelLevelsObservation `json:"inputChannelLevels,omitempty" tf:"input_channel_levels,omitempty"`
+
+	OutputChannel *float64 `json:"outputChannel,omitempty" tf:"output_channel,omitempty"`
 }
 
 type ChannelMappingsParameters struct {
@@ -483,16 +706,51 @@ type ChannelObservation struct {
 	// ARN of the Channel.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specification of CDI inputs for this channel. See CDI Input Specification for more details.
+	CdiInputSpecification []CdiInputSpecificationObservation `json:"cdiInputSpecification,omitempty" tf:"cdi_input_specification,omitempty"`
+
+	// Concise argument description.
+	ChannelClass *string `json:"channelClass,omitempty" tf:"channel_class,omitempty"`
+
 	// ID of the channel in MediaPackage that is the destination for this output group.
 	ChannelID *string `json:"channelId,omitempty" tf:"channel_id,omitempty"`
 
+	// Destinations for channel. See Destinations for more details.
+	Destinations []DestinationsObservation `json:"destinations,omitempty" tf:"destinations,omitempty"`
+
+	// Encoder settings. See Encoder Settings for more details.
+	EncoderSettings []EncoderSettingsObservation `json:"encoderSettings,omitempty" tf:"encoder_settings,omitempty"`
+
 	// User-specified id. Ths is used in an output group or an output.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Input attachments for the channel. See Input Attachments for more details.
+	InputAttachments []InputAttachmentsObservation `json:"inputAttachments,omitempty" tf:"input_attachments,omitempty"`
+
+	// Specification of network and file inputs for the channel.
+	InputSpecification []InputSpecificationObservation `json:"inputSpecification,omitempty" tf:"input_specification,omitempty"`
+
+	// The log level to write to Cloudwatch logs.
+	LogLevel *string `json:"logLevel,omitempty" tf:"log_level,omitempty"`
+
+	// Maintenance settings for this channel. See Maintenance for more details.
+	Maintenance []MaintenanceObservation `json:"maintenance,omitempty" tf:"maintenance,omitempty"`
+
+	// Name of the Channel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Concise argument description.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Whether to start/stop channel. Default: false
+	StartChannel *bool `json:"startChannel,omitempty" tf:"start_channel,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Settings for the VPC outputs.
-	// +kubebuilder:validation:Optional
 	VPC []VPCObservation `json:"vpc,omitempty" tf:"vpc,omitempty"`
 }
 
@@ -503,24 +761,24 @@ type ChannelParameters struct {
 	CdiInputSpecification []CdiInputSpecificationParameters `json:"cdiInputSpecification,omitempty" tf:"cdi_input_specification,omitempty"`
 
 	// Concise argument description.
-	// +kubebuilder:validation:Required
-	ChannelClass *string `json:"channelClass" tf:"channel_class,omitempty"`
+	// +kubebuilder:validation:Optional
+	ChannelClass *string `json:"channelClass,omitempty" tf:"channel_class,omitempty"`
 
 	// Destinations for channel. See Destinations for more details.
-	// +kubebuilder:validation:Required
-	Destinations []DestinationsParameters `json:"destinations" tf:"destinations,omitempty"`
+	// +kubebuilder:validation:Optional
+	Destinations []DestinationsParameters `json:"destinations,omitempty" tf:"destinations,omitempty"`
 
 	// Encoder settings. See Encoder Settings for more details.
-	// +kubebuilder:validation:Required
-	EncoderSettings []EncoderSettingsParameters `json:"encoderSettings" tf:"encoder_settings,omitempty"`
+	// +kubebuilder:validation:Optional
+	EncoderSettings []EncoderSettingsParameters `json:"encoderSettings,omitempty" tf:"encoder_settings,omitempty"`
 
 	// Input attachments for the channel. See Input Attachments for more details.
-	// +kubebuilder:validation:Required
-	InputAttachments []InputAttachmentsParameters `json:"inputAttachments" tf:"input_attachments,omitempty"`
+	// +kubebuilder:validation:Optional
+	InputAttachments []InputAttachmentsParameters `json:"inputAttachments,omitempty" tf:"input_attachments,omitempty"`
 
 	// Specification of network and file inputs for the channel.
-	// +kubebuilder:validation:Required
-	InputSpecification []InputSpecificationParameters `json:"inputSpecification" tf:"input_specification,omitempty"`
+	// +kubebuilder:validation:Optional
+	InputSpecification []InputSpecificationParameters `json:"inputSpecification,omitempty" tf:"input_specification,omitempty"`
 
 	// The log level to write to Cloudwatch logs.
 	// +kubebuilder:validation:Optional
@@ -531,8 +789,8 @@ type ChannelParameters struct {
 	Maintenance []MaintenanceParameters `json:"maintenance,omitempty" tf:"maintenance,omitempty"`
 
 	// Name of the Channel.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -567,6 +825,27 @@ type ChannelParameters struct {
 }
 
 type CodecSettingsObservation struct {
+
+	// Aac Settings. See AAC Settings for more details.
+	AacSettings []AacSettingsObservation `json:"aacSettings,omitempty" tf:"aac_settings,omitempty"`
+
+	// Ac3 Settings. See AC3 Settings for more details.
+	Ac3Settings []Ac3SettingsObservation `json:"ac3Settings,omitempty" tf:"ac3_settings,omitempty"`
+
+	// - Eac3 Atmos Settings. See EAC3 Atmos Settings
+	Eac3AtmosSettings []Eac3AtmosSettingsObservation `json:"eac3AtmosSettings,omitempty" tf:"eac3_atmos_settings,omitempty"`
+
+	// - Eac3 Settings. See EAC3 Settings
+	Eac3Settings []Eac3SettingsObservation `json:"eac3Settings,omitempty" tf:"eac3_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	Mp2Settings []Mp2SettingsObservation `json:"mp2Settings,omitempty" tf:"mp2_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	PassThroughSettings []PassThroughSettingsParameters `json:"passThroughSettings,omitempty" tf:"pass_through_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	WavSettings []WavSettingsObservation `json:"wavSettings,omitempty" tf:"wav_settings,omitempty"`
 }
 
 type CodecSettingsParameters struct {
@@ -601,14 +880,123 @@ type CodecSettingsParameters struct {
 }
 
 type ContainerSettingsM2TsSettingsObservation struct {
-}
-
-type ContainerSettingsM2TsSettingsParameters struct {
-
-	// +kubebuilder:validation:Optional
 	AbsentInputAudioBehavior *string `json:"absentInputAudioBehavior,omitempty" tf:"absent_input_audio_behavior,omitempty"`
 
-	// +kubebuilder:validation:Optional
+	Arib *string `json:"arib,omitempty" tf:"arib,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	AribCaptionsPid *string `json:"aribCaptionsPid,omitempty" tf:"arib_captions_pid,omitempty"`
+
+	AribCaptionsPidControl *string `json:"aribCaptionsPidControl,omitempty" tf:"arib_captions_pid_control,omitempty"`
+
+	AudioBufferModel *string `json:"audioBufferModel,omitempty" tf:"audio_buffer_model,omitempty"`
+
+	AudioFramesPerPes *float64 `json:"audioFramesPerPes,omitempty" tf:"audio_frames_per_pes,omitempty"`
+
+	AudioPids *string `json:"audioPids,omitempty" tf:"audio_pids,omitempty"`
+
+	AudioStreamType *string `json:"audioStreamType,omitempty" tf:"audio_stream_type,omitempty"`
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	BufferModel *string `json:"bufferModel,omitempty" tf:"buffer_model,omitempty"`
+
+	CcDescriptor *string `json:"ccDescriptor,omitempty" tf:"cc_descriptor,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	DvbNitSettings []M2TsSettingsDvbNitSettingsObservation `json:"dvbNitSettings,omitempty" tf:"dvb_nit_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	DvbSdtSettings []M2TsSettingsDvbSdtSettingsObservation `json:"dvbSdtSettings,omitempty" tf:"dvb_sdt_settings,omitempty"`
+
+	DvbSubPids *string `json:"dvbSubPids,omitempty" tf:"dvb_sub_pids,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	DvbTdtSettings []M2TsSettingsDvbTdtSettingsObservation `json:"dvbTdtSettings,omitempty" tf:"dvb_tdt_settings,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	DvbTeletextPid *string `json:"dvbTeletextPid,omitempty" tf:"dvb_teletext_pid,omitempty"`
+
+	Ebif *string `json:"ebif,omitempty" tf:"ebif,omitempty"`
+
+	EbpAudioInterval *string `json:"ebpAudioInterval,omitempty" tf:"ebp_audio_interval,omitempty"`
+
+	EbpLookaheadMs *float64 `json:"ebpLookaheadMs,omitempty" tf:"ebp_lookahead_ms,omitempty"`
+
+	EbpPlacement *string `json:"ebpPlacement,omitempty" tf:"ebp_placement,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EcmPid *string `json:"ecmPid,omitempty" tf:"ecm_pid,omitempty"`
+
+	EsRateInPes *string `json:"esRateInPes,omitempty" tf:"es_rate_in_pes,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EtvPlatformPid *string `json:"etvPlatformPid,omitempty" tf:"etv_platform_pid,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EtvSignalPid *string `json:"etvSignalPid,omitempty" tf:"etv_signal_pid,omitempty"`
+
+	FragmentTime *float64 `json:"fragmentTime,omitempty" tf:"fragment_time,omitempty"`
+
+	Klv *string `json:"klv,omitempty" tf:"klv,omitempty"`
+
+	KlvDataPids *string `json:"klvDataPids,omitempty" tf:"klv_data_pids,omitempty"`
+
+	NielsenId3Behavior *string `json:"nielsenId3Behavior,omitempty" tf:"nielsen_id3_behavior,omitempty"`
+
+	// Average bitrate in bits/second.
+	NullPacketBitrate *float64 `json:"nullPacketBitrate,omitempty" tf:"null_packet_bitrate,omitempty"`
+
+	PatInterval *float64 `json:"patInterval,omitempty" tf:"pat_interval,omitempty"`
+
+	PcrControl *string `json:"pcrControl,omitempty" tf:"pcr_control,omitempty"`
+
+	PcrPeriod *float64 `json:"pcrPeriod,omitempty" tf:"pcr_period,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	PcrPid *string `json:"pcrPid,omitempty" tf:"pcr_pid,omitempty"`
+
+	PmtInterval *float64 `json:"pmtInterval,omitempty" tf:"pmt_interval,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	PmtPid *string `json:"pmtPid,omitempty" tf:"pmt_pid,omitempty"`
+
+	ProgramNum *float64 `json:"programNum,omitempty" tf:"program_num,omitempty"`
+
+	RateMode *string `json:"rateMode,omitempty" tf:"rate_mode,omitempty"`
+
+	Scte27Pids *string `json:"scte27Pids,omitempty" tf:"scte27_pids,omitempty"`
+
+	Scte35Control *string `json:"scte35Control,omitempty" tf:"scte35_control,omitempty"`
+
+	// PID from which to read SCTE-35 messages.
+	Scte35Pid *string `json:"scte35Pid,omitempty" tf:"scte35_pid,omitempty"`
+
+	SegmentationMarkers *string `json:"segmentationMarkers,omitempty" tf:"segmentation_markers,omitempty"`
+
+	SegmentationStyle *string `json:"segmentationStyle,omitempty" tf:"segmentation_style,omitempty"`
+
+	SegmentationTime *float64 `json:"segmentationTime,omitempty" tf:"segmentation_time,omitempty"`
+
+	TimedMetadataBehavior *string `json:"timedMetadataBehavior,omitempty" tf:"timed_metadata_behavior,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	TimedMetadataPid *string `json:"timedMetadataPid,omitempty" tf:"timed_metadata_pid,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	TransportStreamID *float64 `json:"transportStreamId,omitempty" tf:"transport_stream_id,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	VideoPid *string `json:"videoPid,omitempty" tf:"video_pid,omitempty"`
+}
+
+type ContainerSettingsM2TsSettingsParameters struct {
+
+	// +kubebuilder:validation:Optional
+	AbsentInputAudioBehavior *string `json:"absentInputAudioBehavior,omitempty" tf:"absent_input_audio_behavior,omitempty"`
+
+	// +kubebuilder:validation:Optional
 	Arib *string `json:"arib,omitempty" tf:"arib,omitempty"`
 
 	// User-specified id. Ths is used in an output group or an output.
@@ -764,6 +1152,12 @@ type ContainerSettingsM2TsSettingsParameters struct {
 }
 
 type ContainerSettingsObservation struct {
+
+	// M2ts Settings. See M2ts Settings for more details.
+	M2TsSettings []M2TsSettingsObservation `json:"m2tsSettings,omitempty" tf:"m2ts_settings,omitempty"`
+
+	// Raw Settings. This can be set as an empty block.
+	RawSettings []RawSettingsParameters `json:"rawSettings,omitempty" tf:"raw_settings,omitempty"`
 }
 
 type ContainerSettingsParameters struct {
@@ -778,6 +1172,9 @@ type ContainerSettingsParameters struct {
 }
 
 type DestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
 }
 
 type DestinationParameters struct {
@@ -788,6 +1185,18 @@ type DestinationParameters struct {
 }
 
 type DestinationsObservation struct {
+
+	// User-specified id. Ths is used in an output group or an output.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Destination settings for a MediaPackage output; one destination for both encoders. See Media Package Settings for more details.
+	MediaPackageSettings []MediaPackageSettingsObservation `json:"mediaPackageSettings,omitempty" tf:"media_package_settings,omitempty"`
+
+	// Destination settings for a Multiplex output; one destination for both encoders. See Multiplex Settings for more details.
+	MultiplexSettings []MultiplexSettingsObservation `json:"multiplexSettings,omitempty" tf:"multiplex_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	Settings []SettingsObservation `json:"settings,omitempty" tf:"settings,omitempty"`
 }
 
 type DestinationsParameters struct {
@@ -810,6 +1219,14 @@ type DestinationsParameters struct {
 }
 
 type DvbNitSettingsObservation struct {
+
+	// User-specified id. Ths is used in an output group or an output.
+	NetworkID *float64 `json:"networkId,omitempty" tf:"network_id,omitempty"`
+
+	// Name of the Channel.
+	NetworkName *string `json:"networkName,omitempty" tf:"network_name,omitempty"`
+
+	RepInterval *float64 `json:"repInterval,omitempty" tf:"rep_interval,omitempty"`
 }
 
 type DvbNitSettingsParameters struct {
@@ -827,6 +1244,15 @@ type DvbNitSettingsParameters struct {
 }
 
 type DvbSdtSettingsObservation struct {
+	OutputSdt *string `json:"outputSdt,omitempty" tf:"output_sdt,omitempty"`
+
+	RepInterval *float64 `json:"repInterval,omitempty" tf:"rep_interval,omitempty"`
+
+	// Name of the Channel.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
+
+	// Name of the Channel.
+	ServiceProviderName *string `json:"serviceProviderName,omitempty" tf:"service_provider_name,omitempty"`
 }
 
 type DvbSdtSettingsParameters struct {
@@ -847,6 +1273,7 @@ type DvbSdtSettingsParameters struct {
 }
 
 type DvbTdtSettingsObservation struct {
+	RepInterval *float64 `json:"repInterval,omitempty" tf:"rep_interval,omitempty"`
 }
 
 type DvbTdtSettingsParameters struct {
@@ -856,6 +1283,27 @@ type DvbTdtSettingsParameters struct {
 }
 
 type Eac3AtmosSettingsObservation struct {
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	// Mono, Stereo, or 5.1 channel layout.
+	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+
+	// Sets the dialnorm of the output.
+	Dialnorm *float64 `json:"dialnorm,omitempty" tf:"dialnorm,omitempty"`
+
+	// Sets the Dolby dynamic range compression profile.
+	DrcLine *string `json:"drcLine,omitempty" tf:"drc_line,omitempty"`
+
+	// Sets the profile for heavy Dolby dynamic range compression.
+	DrcRf *string `json:"drcRf,omitempty" tf:"drc_rf,omitempty"`
+
+	// Height dimensional trim.
+	HeightTrim *float64 `json:"heightTrim,omitempty" tf:"height_trim,omitempty"`
+
+	// Surround dimensional trim.
+	SurroundTrim *float64 `json:"surroundTrim,omitempty" tf:"surround_trim,omitempty"`
 }
 
 type Eac3AtmosSettingsParameters struct {
@@ -890,6 +1338,59 @@ type Eac3AtmosSettingsParameters struct {
 }
 
 type Eac3SettingsObservation struct {
+
+	// Sets the attenuation control.
+	AttenuationControl *string `json:"attenuationControl,omitempty" tf:"attenuation_control,omitempty"`
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	// Specifies the bitstream mode (bsmod) for the emitted AC-3 stream.
+	BitstreamMode *string `json:"bitstreamMode,omitempty" tf:"bitstream_mode,omitempty"`
+
+	// Mono, Stereo, or 5.1 channel layout.
+	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+
+	DcFilter *string `json:"dcFilter,omitempty" tf:"dc_filter,omitempty"`
+
+	// Sets the dialnorm of the output.
+	Dialnorm *float64 `json:"dialnorm,omitempty" tf:"dialnorm,omitempty"`
+
+	// Sets the Dolby dynamic range compression profile.
+	DrcLine *string `json:"drcLine,omitempty" tf:"drc_line,omitempty"`
+
+	// Sets the profile for heavy Dolby dynamic range compression.
+	DrcRf *string `json:"drcRf,omitempty" tf:"drc_rf,omitempty"`
+
+	LfeControl *string `json:"lfeControl,omitempty" tf:"lfe_control,omitempty"`
+
+	// When set to enabled, applies a 120Hz lowpass filter to the LFE channel prior to encoding.
+	LfeFilter *string `json:"lfeFilter,omitempty" tf:"lfe_filter,omitempty"`
+
+	// H264 level.
+	LoRoCenterMixLevel *float64 `json:"loRoCenterMixLevel,omitempty" tf:"lo_ro_center_mix_level,omitempty"`
+
+	// H264 level.
+	LoRoSurroundMixLevel *float64 `json:"loRoSurroundMixLevel,omitempty" tf:"lo_ro_surround_mix_level,omitempty"`
+
+	// H264 level.
+	LtRtCenterMixLevel *float64 `json:"ltRtCenterMixLevel,omitempty" tf:"lt_rt_center_mix_level,omitempty"`
+
+	// H264 level.
+	LtRtSurroundMixLevel *float64 `json:"ltRtSurroundMixLevel,omitempty" tf:"lt_rt_surround_mix_level,omitempty"`
+
+	// Metadata control.
+	MetadataControl *string `json:"metadataControl,omitempty" tf:"metadata_control,omitempty"`
+
+	PassthroughControl *string `json:"passthroughControl,omitempty" tf:"passthrough_control,omitempty"`
+
+	PhaseControl *string `json:"phaseControl,omitempty" tf:"phase_control,omitempty"`
+
+	StereoDownmix *string `json:"stereoDownmix,omitempty" tf:"stereo_downmix,omitempty"`
+
+	SurroundExMode *string `json:"surroundExMode,omitempty" tf:"surround_ex_mode,omitempty"`
+
+	SurroundMode *string `json:"surroundMode,omitempty" tf:"surround_mode,omitempty"`
 }
 
 type Eac3SettingsParameters struct {
@@ -969,6 +1470,13 @@ type Eac3SettingsParameters struct {
 }
 
 type EmbeddedSourceSettingsObservation struct {
+	Convert608To708 *string `json:"convert608To708,omitempty" tf:"convert_608_to_708,omitempty"`
+
+	Scte20Detection *string `json:"scte20Detection,omitempty" tf:"scte20_detection,omitempty"`
+
+	Source608ChannelNumber *float64 `json:"source608ChannelNumber,omitempty" tf:"source_608_channel_number,omitempty"`
+
+	Source608TrackNumber *float64 `json:"source608TrackNumber,omitempty" tf:"source_608_track_number,omitempty"`
 }
 
 type EmbeddedSourceSettingsParameters struct {
@@ -987,6 +1495,21 @@ type EmbeddedSourceSettingsParameters struct {
 }
 
 type EncoderSettingsObservation struct {
+
+	// Audio descriptions for the channel. See Audio Descriptions for more details.
+	AudioDescriptions []AudioDescriptionsObservation `json:"audioDescriptions,omitempty" tf:"audio_descriptions,omitempty"`
+
+	// Settings for ad avail blanking. See Avail Blanking for more details.
+	AvailBlanking []AvailBlankingObservation `json:"availBlanking,omitempty" tf:"avail_blanking,omitempty"`
+
+	// Output groups for the channel. See Output Groups for more details.
+	OutputGroups []OutputGroupsObservation `json:"outputGroups,omitempty" tf:"output_groups,omitempty"`
+
+	// Contains settings used to acquire and adjust timecode information from inputs. See Timecode Config for more details.
+	TimecodeConfig []TimecodeConfigObservation `json:"timecodeConfig,omitempty" tf:"timecode_config,omitempty"`
+
+	// Video Descriptions. See Video Descriptions for more details.
+	VideoDescriptions []VideoDescriptionsObservation `json:"videoDescriptions,omitempty" tf:"video_descriptions,omitempty"`
 }
 
 type EncoderSettingsParameters struct {
@@ -1013,6 +1536,9 @@ type EncoderSettingsParameters struct {
 }
 
 type FailoverConditionObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	FailoverConditionSettings []FailoverConditionSettingsObservation `json:"failoverConditionSettings,omitempty" tf:"failover_condition_settings,omitempty"`
 }
 
 type FailoverConditionParameters struct {
@@ -1023,6 +1549,15 @@ type FailoverConditionParameters struct {
 }
 
 type FailoverConditionSettingsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	AudioSilenceSettings []AudioSilenceSettingsObservation `json:"audioSilenceSettings,omitempty" tf:"audio_silence_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	InputLossSettings []InputLossSettingsObservation `json:"inputLossSettings,omitempty" tf:"input_loss_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	VideoBlackSettings []VideoBlackSettingsObservation `json:"videoBlackSettings,omitempty" tf:"video_black_settings,omitempty"`
 }
 
 type FailoverConditionSettingsParameters struct {
@@ -1041,6 +1576,15 @@ type FailoverConditionSettingsParameters struct {
 }
 
 type FecOutputSettingsObservation struct {
+
+	// The height of the FEC protection matrix.
+	ColumnDepth *float64 `json:"columnDepth,omitempty" tf:"column_depth,omitempty"`
+
+	// Enables column only or column and row based FEC.
+	IncludeFec *string `json:"includeFec,omitempty" tf:"include_fec,omitempty"`
+
+	// The width of the FEC protection matrix.
+	RowLength *float64 `json:"rowLength,omitempty" tf:"row_length,omitempty"`
 }
 
 type FecOutputSettingsParameters struct {
@@ -1059,6 +1603,9 @@ type FecOutputSettingsParameters struct {
 }
 
 type FilterSettingsObservation struct {
+
+	// Temporal filter settings. See Temporal Filter Settings
+	TemporalFilterSettings []TemporalFilterSettingsObservation `json:"temporalFilterSettings,omitempty" tf:"temporal_filter_settings,omitempty"`
 }
 
 type FilterSettingsParameters struct {
@@ -1069,7 +1616,12 @@ type FilterSettingsParameters struct {
 }
 
 type Fmp4HlsSettingsObservation struct {
-}
+	AudioRenditionSets *string `json:"audioRenditionSets,omitempty" tf:"audio_rendition_sets,omitempty"`
+
+	NielsenId3Behavior *string `json:"nielsenId3Behavior,omitempty" tf:"nielsen_id3_behavior,omitempty"`
+
+	TimedMetadataBehavior *string `json:"timedMetadataBehavior,omitempty" tf:"timed_metadata_behavior,omitempty"`
+}
 
 type Fmp4HlsSettingsParameters struct {
 
@@ -1084,6 +1636,9 @@ type Fmp4HlsSettingsParameters struct {
 }
 
 type FrameCaptureCdnSettingsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	FrameCaptureS3Settings []FrameCaptureS3SettingsObservation `json:"frameCaptureS3Settings,omitempty" tf:"frame_capture_s3_settings,omitempty"`
 }
 
 type FrameCaptureCdnSettingsParameters struct {
@@ -1094,6 +1649,9 @@ type FrameCaptureCdnSettingsParameters struct {
 }
 
 type FrameCaptureGroupSettingsDestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
 }
 
 type FrameCaptureGroupSettingsDestinationParameters struct {
@@ -1104,6 +1662,12 @@ type FrameCaptureGroupSettingsDestinationParameters struct {
 }
 
 type FrameCaptureGroupSettingsObservation struct {
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	Destination []FrameCaptureGroupSettingsDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	FrameCaptureCdnSettings []FrameCaptureCdnSettingsObservation `json:"frameCaptureCdnSettings,omitempty" tf:"frame_capture_cdn_settings,omitempty"`
 }
 
 type FrameCaptureGroupSettingsParameters struct {
@@ -1124,6 +1688,9 @@ type FrameCaptureHlsSettingsParameters struct {
 }
 
 type FrameCaptureOutputSettingsObservation struct {
+
+	// String concatenated to the end of the destination filename. Required for multiple outputs of the same type.
+	NameModifier *string `json:"nameModifier,omitempty" tf:"name_modifier,omitempty"`
 }
 
 type FrameCaptureOutputSettingsParameters struct {
@@ -1134,6 +1701,9 @@ type FrameCaptureOutputSettingsParameters struct {
 }
 
 type FrameCaptureS3SettingsObservation struct {
+
+	// Specify the canned ACL to apply to each S3 request.
+	CannedACL *string `json:"cannedAcl,omitempty" tf:"canned_acl,omitempty"`
 }
 
 type FrameCaptureS3SettingsParameters struct {
@@ -1144,6 +1714,12 @@ type FrameCaptureS3SettingsParameters struct {
 }
 
 type FrameCaptureSettingsObservation struct {
+
+	// The frequency at which to capture frames for inclusion in the output.
+	CaptureInterval *float64 `json:"captureInterval,omitempty" tf:"capture_interval,omitempty"`
+
+	// Unit for the frame capture interval.
+	CaptureIntervalUnits *string `json:"captureIntervalUnits,omitempty" tf:"capture_interval_units,omitempty"`
 }
 
 type FrameCaptureSettingsParameters struct {
@@ -1158,6 +1734,123 @@ type FrameCaptureSettingsParameters struct {
 }
 
 type H264SettingsObservation struct {
+
+	// Enables or disables adaptive quantization.
+	AdaptiveQuantization *string `json:"adaptiveQuantization,omitempty" tf:"adaptive_quantization,omitempty"`
+
+	// Indicates that AFD values will be written into the output stream.
+	AfdSignaling *string `json:"afdSignaling,omitempty" tf:"afd_signaling,omitempty"`
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	BufFillPct *float64 `json:"bufFillPct,omitempty" tf:"buf_fill_pct,omitempty"`
+
+	// Size of buffer in bits.
+	BufSize *float64 `json:"bufSize,omitempty" tf:"buf_size,omitempty"`
+
+	// Includes color space metadata in the output.
+	ColorMetadata *string `json:"colorMetadata,omitempty" tf:"color_metadata,omitempty"`
+
+	// Entropy encoding mode.
+	EntropyEncoding *string `json:"entropyEncoding,omitempty" tf:"entropy_encoding,omitempty"`
+
+	// Filters to apply to an encode. See H264 Filter Settings for more details.
+	FilterSettings []FilterSettingsObservation `json:"filterSettings,omitempty" tf:"filter_settings,omitempty"`
+
+	// Four bit AFD value to write on all frames of video in the output stream.
+	FixedAfd *string `json:"fixedAfd,omitempty" tf:"fixed_afd,omitempty"`
+
+	FlickerAq *string `json:"flickerAq,omitempty" tf:"flicker_aq,omitempty"`
+
+	// Controls whether coding is performed on a field basis or on a frame basis.
+	ForceFieldPictures *string `json:"forceFieldPictures,omitempty" tf:"force_field_pictures,omitempty"`
+
+	// Indicates how the output video frame rate is specified.
+	FramerateControl *string `json:"framerateControl,omitempty" tf:"framerate_control,omitempty"`
+
+	// Framerate denominator.
+	FramerateDenominator *float64 `json:"framerateDenominator,omitempty" tf:"framerate_denominator,omitempty"`
+
+	// Framerate numerator.
+	FramerateNumerator *float64 `json:"framerateNumerator,omitempty" tf:"framerate_numerator,omitempty"`
+
+	// GOP-B reference.
+	GopBReference *string `json:"gopBReference,omitempty" tf:"gop_b_reference,omitempty"`
+
+	// Frequency of closed GOPs.
+	GopClosedCadence *float64 `json:"gopClosedCadence,omitempty" tf:"gop_closed_cadence,omitempty"`
+
+	// Number of B-frames between reference frames.
+	GopNumBFrames *float64 `json:"gopNumBFrames,omitempty" tf:"gop_num_b_frames,omitempty"`
+
+	// GOP size in units of either frames of seconds per gop_size_units.
+	GopSize *float64 `json:"gopSize,omitempty" tf:"gop_size,omitempty"`
+
+	// Indicates if the gop_size is specified in frames or seconds.
+	GopSizeUnits *string `json:"gopSizeUnits,omitempty" tf:"gop_size_units,omitempty"`
+
+	// H264 level.
+	Level *string `json:"level,omitempty" tf:"level,omitempty"`
+
+	// Amount of lookahead.
+	LookAheadRateControl *string `json:"lookAheadRateControl,omitempty" tf:"look_ahead_rate_control,omitempty"`
+
+	// Set the maximum bitrate in order to accommodate expected spikes in the complexity of the video.
+	MaxBitrate *float64 `json:"maxBitrate,omitempty" tf:"max_bitrate,omitempty"`
+
+	MinIInterval *float64 `json:"minIInterval,omitempty" tf:"min_i_interval,omitempty"`
+
+	// Number of reference frames to use.
+	NumRefFrames *float64 `json:"numRefFrames,omitempty" tf:"num_ref_frames,omitempty"`
+
+	// Indicates how the output pixel aspect ratio is specified.
+	ParControl *string `json:"parControl,omitempty" tf:"par_control,omitempty"`
+
+	// Pixel Aspect Ratio denominator.
+	ParDenominator *float64 `json:"parDenominator,omitempty" tf:"par_denominator,omitempty"`
+
+	// Pixel Aspect Ratio numerator.
+	ParNumerator *float64 `json:"parNumerator,omitempty" tf:"par_numerator,omitempty"`
+
+	// AAC profile.
+	Profile *string `json:"profile,omitempty" tf:"profile,omitempty"`
+
+	// Quality level.
+	QualityLevel *string `json:"qualityLevel,omitempty" tf:"quality_level,omitempty"`
+
+	// Controls the target quality for the video encode.
+	QvbrQualityLevel *float64 `json:"qvbrQualityLevel,omitempty" tf:"qvbr_quality_level,omitempty"`
+
+	// The rate control mode.
+	RateControlMode *string `json:"rateControlMode,omitempty" tf:"rate_control_mode,omitempty"`
+
+	// Sets the scan type of the output.
+	ScanType *string `json:"scanType,omitempty" tf:"scan_type,omitempty"`
+
+	// Scene change detection.
+	SceneChangeDetect *string `json:"sceneChangeDetect,omitempty" tf:"scene_change_detect,omitempty"`
+
+	// Number of slices per picture.
+	Slices *float64 `json:"slices,omitempty" tf:"slices,omitempty"`
+
+	// Softness.
+	Softness *float64 `json:"softness,omitempty" tf:"softness,omitempty"`
+
+	// Makes adjustments within each frame based on spatial variation of content complexity.
+	SpatialAq *string `json:"spatialAq,omitempty" tf:"spatial_aq,omitempty"`
+
+	// Subgop length.
+	SubgopLength *string `json:"subgopLength,omitempty" tf:"subgop_length,omitempty"`
+
+	// Produces a bitstream compliant with SMPTE RP-2027.
+	Syntax *string `json:"syntax,omitempty" tf:"syntax,omitempty"`
+
+	// Makes adjustments within each frame based on temporal variation of content complexity.
+	TemporalAq *string `json:"temporalAq,omitempty" tf:"temporal_aq,omitempty"`
+
+	// Determines how timecodes should be inserted into the video elementary stream.
+	TimecodeInsertion *string `json:"timecodeInsertion,omitempty" tf:"timecode_insertion,omitempty"`
 }
 
 type H264SettingsParameters struct {
@@ -1321,6 +2014,23 @@ type H264SettingsParameters struct {
 }
 
 type HlsAkamaiSettingsObservation struct {
+
+	// Number of seconds to wait before retrying connection to the flash media server if the connection is lost.
+	ConnectionRetryInterval *float64 `json:"connectionRetryInterval,omitempty" tf:"connection_retry_interval,omitempty"`
+
+	FilecacheDuration *float64 `json:"filecacheDuration,omitempty" tf:"filecache_duration,omitempty"`
+
+	HTTPTransferMode *string `json:"httpTransferMode,omitempty" tf:"http_transfer_mode,omitempty"`
+
+	// Number of retry attempts.
+	NumRetries *float64 `json:"numRetries,omitempty" tf:"num_retries,omitempty"`
+
+	// Number of seconds to wait until a restart is initiated.
+	RestartDelay *float64 `json:"restartDelay,omitempty" tf:"restart_delay,omitempty"`
+
+	Salt *string `json:"salt,omitempty" tf:"salt,omitempty"`
+
+	Token *string `json:"token,omitempty" tf:"token,omitempty"`
 }
 
 type HlsAkamaiSettingsParameters struct {
@@ -1351,6 +2061,17 @@ type HlsAkamaiSettingsParameters struct {
 }
 
 type HlsBasicPutSettingsObservation struct {
+
+	// Number of seconds to wait before retrying connection to the flash media server if the connection is lost.
+	ConnectionRetryInterval *float64 `json:"connectionRetryInterval,omitempty" tf:"connection_retry_interval,omitempty"`
+
+	FilecacheDuration *float64 `json:"filecacheDuration,omitempty" tf:"filecache_duration,omitempty"`
+
+	// Number of retry attempts.
+	NumRetries *float64 `json:"numRetries,omitempty" tf:"num_retries,omitempty"`
+
+	// Number of seconds to wait until a restart is initiated.
+	RestartDelay *float64 `json:"restartDelay,omitempty" tf:"restart_delay,omitempty"`
 }
 
 type HlsBasicPutSettingsParameters struct {
@@ -1372,6 +2093,21 @@ type HlsBasicPutSettingsParameters struct {
 }
 
 type HlsCdnSettingsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	HlsAkamaiSettings []HlsAkamaiSettingsObservation `json:"hlsAkamaiSettings,omitempty" tf:"hls_akamai_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	HlsBasicPutSettings []HlsBasicPutSettingsObservation `json:"hlsBasicPutSettings,omitempty" tf:"hls_basic_put_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	HlsMediaStoreSettings []HlsMediaStoreSettingsObservation `json:"hlsMediaStoreSettings,omitempty" tf:"hls_media_store_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	HlsS3Settings []HlsS3SettingsObservation `json:"hlsS3Settings,omitempty" tf:"hls_s3_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	HlsWebdavSettings []HlsWebdavSettingsObservation `json:"hlsWebdavSettings,omitempty" tf:"hls_webdav_settings,omitempty"`
 }
 
 type HlsCdnSettingsParameters struct {
@@ -1398,6 +2134,9 @@ type HlsCdnSettingsParameters struct {
 }
 
 type HlsGroupSettingsDestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
 }
 
 type HlsGroupSettingsDestinationParameters struct {
@@ -1408,174 +2147,295 @@ type HlsGroupSettingsDestinationParameters struct {
 }
 
 type HlsGroupSettingsObservation struct {
-}
-
-type HlsGroupSettingsParameters struct {
 
 	// The ad marker type for this output group.
-	// +kubebuilder:validation:Optional
 	AdMarkers []*string `json:"adMarkers,omitempty" tf:"ad_markers,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	BaseURLContent *string `json:"baseUrlContent,omitempty" tf:"base_url_content,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	BaseURLContent1 *string `json:"baseUrlContent1,omitempty" tf:"base_url_content1,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	BaseURLManifest *string `json:"baseUrlManifest,omitempty" tf:"base_url_manifest,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	BaseURLManifest1 *string `json:"baseUrlManifest1,omitempty" tf:"base_url_manifest1,omitempty"`
 
-	// +kubebuilder:validation:Optional
-	CaptionLanguageMappings []CaptionLanguageMappingsParameters `json:"captionLanguageMappings,omitempty" tf:"caption_language_mappings,omitempty"`
+	CaptionLanguageMappings []CaptionLanguageMappingsObservation `json:"captionLanguageMappings,omitempty" tf:"caption_language_mappings,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	CaptionLanguageSetting *string `json:"captionLanguageSetting,omitempty" tf:"caption_language_setting,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	ClientCache *string `json:"clientCache,omitempty" tf:"client_cache,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	CodecSpecification *string `json:"codecSpecification,omitempty" tf:"codec_specification,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	ConstantIv *string `json:"constantIv,omitempty" tf:"constant_iv,omitempty"`
 
 	// A director and base filename where archive files should be written. See Destination for more details.
-	// +kubebuilder:validation:Required
-	Destination []HlsGroupSettingsDestinationParameters `json:"destination" tf:"destination,omitempty"`
+	Destination []HlsGroupSettingsDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	DirectoryStructure *string `json:"directoryStructure,omitempty" tf:"directory_structure,omitempty"`
 
 	// Key-value map of resource tags.
-	// +kubebuilder:validation:Optional
 	DiscontinuityTags *string `json:"discontinuityTags,omitempty" tf:"discontinuity_tags,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	EncryptionType *string `json:"encryptionType,omitempty" tf:"encryption_type,omitempty"`
 
 	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
-	// +kubebuilder:validation:Optional
-	HlsCdnSettings []HlsCdnSettingsParameters `json:"hlsCdnSettings,omitempty" tf:"hls_cdn_settings,omitempty"`
+	HlsCdnSettings []HlsCdnSettingsObservation `json:"hlsCdnSettings,omitempty" tf:"hls_cdn_settings,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	HlsId3SegmentTagging *string `json:"hlsId3SegmentTagging,omitempty" tf:"hls_id3_segment_tagging,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	IframeOnlyPlaylists *string `json:"iframeOnlyPlaylists,omitempty" tf:"iframe_only_playlists,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	IncompleteSegmentBehavior *string `json:"incompleteSegmentBehavior,omitempty" tf:"incomplete_segment_behavior,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	IndexNSegments *float64 `json:"indexNSegments,omitempty" tf:"index_n_segments,omitempty"`
 
 	// Controls the behavior of the RTMP group if input becomes unavailable.
-	// +kubebuilder:validation:Optional
 	InputLossAction *string `json:"inputLossAction,omitempty" tf:"input_loss_action,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	IvInManifest *string `json:"ivInManifest,omitempty" tf:"iv_in_manifest,omitempty"`
 
 	// The source for the timecode that will be associated with the events outputs.
-	// +kubebuilder:validation:Optional
 	IvSource *string `json:"ivSource,omitempty" tf:"iv_source,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	KeepSegments *float64 `json:"keepSegments,omitempty" tf:"keep_segments,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	KeyFormat *string `json:"keyFormat,omitempty" tf:"key_format,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	KeyFormatVersions *string `json:"keyFormatVersions,omitempty" tf:"key_format_versions,omitempty"`
 
 	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
-	// +kubebuilder:validation:Optional
-	KeyProviderSettings []KeyProviderSettingsParameters `json:"keyProviderSettings,omitempty" tf:"key_provider_settings,omitempty"`
+	KeyProviderSettings []KeyProviderSettingsObservation `json:"keyProviderSettings,omitempty" tf:"key_provider_settings,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	ManifestCompression *string `json:"manifestCompression,omitempty" tf:"manifest_compression,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	ManifestDurationFormat *string `json:"manifestDurationFormat,omitempty" tf:"manifest_duration_format,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	MinSegmentLength *float64 `json:"minSegmentLength,omitempty" tf:"min_segment_length,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	OutputSelection *string `json:"outputSelection,omitempty" tf:"output_selection,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	ProgramDateTime *string `json:"programDateTime,omitempty" tf:"program_date_time,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	ProgramDateTimeClock *string `json:"programDateTimeClock,omitempty" tf:"program_date_time_clock,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	ProgramDateTimePeriod *float64 `json:"programDateTimePeriod,omitempty" tf:"program_date_time_period,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	RedundantManifest *string `json:"redundantManifest,omitempty" tf:"redundant_manifest,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	SegmentLength *float64 `json:"segmentLength,omitempty" tf:"segment_length,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	SegmentsPerSubdirectory *float64 `json:"segmentsPerSubdirectory,omitempty" tf:"segments_per_subdirectory,omitempty"`
 
 	// - Maximum CDI input resolution.
-	// +kubebuilder:validation:Optional
 	StreamInfResolution *string `json:"streamInfResolution,omitempty" tf:"stream_inf_resolution,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	TSFileMode *string `json:"tsFileMode,omitempty" tf:"ts_file_mode,omitempty"`
 
 	// Indicates ID3 frame that has the timecode.
-	// +kubebuilder:validation:Optional
 	TimedMetadataId3Frame *string `json:"timedMetadataId3Frame,omitempty" tf:"timed_metadata_id3_frame,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	TimedMetadataId3Period *float64 `json:"timedMetadataId3Period,omitempty" tf:"timed_metadata_id3_period,omitempty"`
 
-	// +kubebuilder:validation:Optional
 	TimestampDeltaMilliseconds *float64 `json:"timestampDeltaMilliseconds,omitempty" tf:"timestamp_delta_milliseconds,omitempty"`
 }
 
-type HlsInputSettingsObservation struct {
-}
-
-type HlsInputSettingsParameters struct {
+type HlsGroupSettingsParameters struct {
 
-	// The bitrate is specified in bits per second, as in an HLS manifest.
+	// The ad marker type for this output group.
 	// +kubebuilder:validation:Optional
-	Bandwidth *float64 `json:"bandwidth,omitempty" tf:"bandwidth,omitempty"`
+	AdMarkers []*string `json:"adMarkers,omitempty" tf:"ad_markers,omitempty"`
 
-	// Buffer segments.
 	// +kubebuilder:validation:Optional
-	BufferSegments *float64 `json:"bufferSegments,omitempty" tf:"buffer_segments,omitempty"`
+	BaseURLContent *string `json:"baseUrlContent,omitempty" tf:"base_url_content,omitempty"`
 
-	// The number of consecutive times that attempts to read a manifest or segment must fail before the input is considered unavailable.
 	// +kubebuilder:validation:Optional
-	Retries *float64 `json:"retries,omitempty" tf:"retries,omitempty"`
+	BaseURLContent1 *string `json:"baseUrlContent1,omitempty" tf:"base_url_content1,omitempty"`
 
-	// The number of seconds between retries when an attempt to read a manifest or segment fails.
 	// +kubebuilder:validation:Optional
-	RetryInterval *float64 `json:"retryInterval,omitempty" tf:"retry_interval,omitempty"`
+	BaseURLManifest *string `json:"baseUrlManifest,omitempty" tf:"base_url_manifest,omitempty"`
 
-	// The source for the timecode that will be associated with the events outputs.
 	// +kubebuilder:validation:Optional
-	Scte35Source *string `json:"scte35Source,omitempty" tf:"scte35_source,omitempty"`
-}
+	BaseURLManifest1 *string `json:"baseUrlManifest1,omitempty" tf:"base_url_manifest1,omitempty"`
 
-type HlsMediaStoreSettingsObservation struct {
-}
+	// +kubebuilder:validation:Optional
+	CaptionLanguageMappings []CaptionLanguageMappingsParameters `json:"captionLanguageMappings,omitempty" tf:"caption_language_mappings,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	CaptionLanguageSetting *string `json:"captionLanguageSetting,omitempty" tf:"caption_language_setting,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	ClientCache *string `json:"clientCache,omitempty" tf:"client_cache,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	CodecSpecification *string `json:"codecSpecification,omitempty" tf:"codec_specification,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	ConstantIv *string `json:"constantIv,omitempty" tf:"constant_iv,omitempty"`
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	// +kubebuilder:validation:Required
+	Destination []HlsGroupSettingsDestinationParameters `json:"destination" tf:"destination,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	DirectoryStructure *string `json:"directoryStructure,omitempty" tf:"directory_structure,omitempty"`
+
+	// Key-value map of resource tags.
+	// +kubebuilder:validation:Optional
+	DiscontinuityTags *string `json:"discontinuityTags,omitempty" tf:"discontinuity_tags,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	EncryptionType *string `json:"encryptionType,omitempty" tf:"encryption_type,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	// +kubebuilder:validation:Optional
+	HlsCdnSettings []HlsCdnSettingsParameters `json:"hlsCdnSettings,omitempty" tf:"hls_cdn_settings,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	HlsId3SegmentTagging *string `json:"hlsId3SegmentTagging,omitempty" tf:"hls_id3_segment_tagging,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	IframeOnlyPlaylists *string `json:"iframeOnlyPlaylists,omitempty" tf:"iframe_only_playlists,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	IncompleteSegmentBehavior *string `json:"incompleteSegmentBehavior,omitempty" tf:"incomplete_segment_behavior,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	IndexNSegments *float64 `json:"indexNSegments,omitempty" tf:"index_n_segments,omitempty"`
+
+	// Controls the behavior of the RTMP group if input becomes unavailable.
+	// +kubebuilder:validation:Optional
+	InputLossAction *string `json:"inputLossAction,omitempty" tf:"input_loss_action,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	IvInManifest *string `json:"ivInManifest,omitempty" tf:"iv_in_manifest,omitempty"`
+
+	// The source for the timecode that will be associated with the events outputs.
+	// +kubebuilder:validation:Optional
+	IvSource *string `json:"ivSource,omitempty" tf:"iv_source,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	KeepSegments *float64 `json:"keepSegments,omitempty" tf:"keep_segments,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	KeyFormat *string `json:"keyFormat,omitempty" tf:"key_format,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	KeyFormatVersions *string `json:"keyFormatVersions,omitempty" tf:"key_format_versions,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	// +kubebuilder:validation:Optional
+	KeyProviderSettings []KeyProviderSettingsParameters `json:"keyProviderSettings,omitempty" tf:"key_provider_settings,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	ManifestCompression *string `json:"manifestCompression,omitempty" tf:"manifest_compression,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	ManifestDurationFormat *string `json:"manifestDurationFormat,omitempty" tf:"manifest_duration_format,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	MinSegmentLength *float64 `json:"minSegmentLength,omitempty" tf:"min_segment_length,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	OutputSelection *string `json:"outputSelection,omitempty" tf:"output_selection,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	ProgramDateTime *string `json:"programDateTime,omitempty" tf:"program_date_time,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	ProgramDateTimeClock *string `json:"programDateTimeClock,omitempty" tf:"program_date_time_clock,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	ProgramDateTimePeriod *float64 `json:"programDateTimePeriod,omitempty" tf:"program_date_time_period,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	RedundantManifest *string `json:"redundantManifest,omitempty" tf:"redundant_manifest,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	SegmentLength *float64 `json:"segmentLength,omitempty" tf:"segment_length,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	SegmentsPerSubdirectory *float64 `json:"segmentsPerSubdirectory,omitempty" tf:"segments_per_subdirectory,omitempty"`
+
+	// - Maximum CDI input resolution.
+	// +kubebuilder:validation:Optional
+	StreamInfResolution *string `json:"streamInfResolution,omitempty" tf:"stream_inf_resolution,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	TSFileMode *string `json:"tsFileMode,omitempty" tf:"ts_file_mode,omitempty"`
+
+	// Indicates ID3 frame that has the timecode.
+	// +kubebuilder:validation:Optional
+	TimedMetadataId3Frame *string `json:"timedMetadataId3Frame,omitempty" tf:"timed_metadata_id3_frame,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	TimedMetadataId3Period *float64 `json:"timedMetadataId3Period,omitempty" tf:"timed_metadata_id3_period,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	TimestampDeltaMilliseconds *float64 `json:"timestampDeltaMilliseconds,omitempty" tf:"timestamp_delta_milliseconds,omitempty"`
+}
+
+type HlsInputSettingsObservation struct {
+
+	// The bitrate is specified in bits per second, as in an HLS manifest.
+	Bandwidth *float64 `json:"bandwidth,omitempty" tf:"bandwidth,omitempty"`
+
+	// Buffer segments.
+	BufferSegments *float64 `json:"bufferSegments,omitempty" tf:"buffer_segments,omitempty"`
+
+	// The number of consecutive times that attempts to read a manifest or segment must fail before the input is considered unavailable.
+	Retries *float64 `json:"retries,omitempty" tf:"retries,omitempty"`
+
+	// The number of seconds between retries when an attempt to read a manifest or segment fails.
+	RetryInterval *float64 `json:"retryInterval,omitempty" tf:"retry_interval,omitempty"`
+
+	// The source for the timecode that will be associated with the events outputs.
+	Scte35Source *string `json:"scte35Source,omitempty" tf:"scte35_source,omitempty"`
+}
+
+type HlsInputSettingsParameters struct {
+
+	// The bitrate is specified in bits per second, as in an HLS manifest.
+	// +kubebuilder:validation:Optional
+	Bandwidth *float64 `json:"bandwidth,omitempty" tf:"bandwidth,omitempty"`
+
+	// Buffer segments.
+	// +kubebuilder:validation:Optional
+	BufferSegments *float64 `json:"bufferSegments,omitempty" tf:"buffer_segments,omitempty"`
+
+	// The number of consecutive times that attempts to read a manifest or segment must fail before the input is considered unavailable.
+	// +kubebuilder:validation:Optional
+	Retries *float64 `json:"retries,omitempty" tf:"retries,omitempty"`
+
+	// The number of seconds between retries when an attempt to read a manifest or segment fails.
+	// +kubebuilder:validation:Optional
+	RetryInterval *float64 `json:"retryInterval,omitempty" tf:"retry_interval,omitempty"`
+
+	// The source for the timecode that will be associated with the events outputs.
+	// +kubebuilder:validation:Optional
+	Scte35Source *string `json:"scte35Source,omitempty" tf:"scte35_source,omitempty"`
+}
+
+type HlsMediaStoreSettingsObservation struct {
+
+	// Number of seconds to wait before retrying connection to the flash media server if the connection is lost.
+	ConnectionRetryInterval *float64 `json:"connectionRetryInterval,omitempty" tf:"connection_retry_interval,omitempty"`
+
+	FilecacheDuration *float64 `json:"filecacheDuration,omitempty" tf:"filecache_duration,omitempty"`
+
+	MediaStoreStorageClass *string `json:"mediaStoreStorageClass,omitempty" tf:"media_store_storage_class,omitempty"`
+
+	// Number of retry attempts.
+	NumRetries *float64 `json:"numRetries,omitempty" tf:"num_retries,omitempty"`
+
+	// Number of seconds to wait until a restart is initiated.
+	RestartDelay *float64 `json:"restartDelay,omitempty" tf:"restart_delay,omitempty"`
+}
 
 type HlsMediaStoreSettingsParameters struct {
 
@@ -1599,6 +2459,15 @@ type HlsMediaStoreSettingsParameters struct {
 }
 
 type HlsOutputSettingsObservation struct {
+	H265PackagingType *string `json:"h265PackagingType,omitempty" tf:"h265_packaging_type,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	HlsSettings []HlsSettingsObservation `json:"hlsSettings,omitempty" tf:"hls_settings,omitempty"`
+
+	// String concatenated to the end of the destination filename. Required for multiple outputs of the same type.
+	NameModifier *string `json:"nameModifier,omitempty" tf:"name_modifier,omitempty"`
+
+	SegmentModifier *string `json:"segmentModifier,omitempty" tf:"segment_modifier,omitempty"`
 }
 
 type HlsOutputSettingsParameters struct {
@@ -1619,6 +2488,9 @@ type HlsOutputSettingsParameters struct {
 }
 
 type HlsS3SettingsObservation struct {
+
+	// Specify the canned ACL to apply to each S3 request.
+	CannedACL *string `json:"cannedAcl,omitempty" tf:"canned_acl,omitempty"`
 }
 
 type HlsS3SettingsParameters struct {
@@ -1629,6 +2501,18 @@ type HlsS3SettingsParameters struct {
 }
 
 type HlsSettingsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	AudioOnlyHlsSettings []AudioOnlyHlsSettingsObservation `json:"audioOnlyHlsSettings,omitempty" tf:"audio_only_hls_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	Fmp4HlsSettings []Fmp4HlsSettingsObservation `json:"fmp4HlsSettings,omitempty" tf:"fmp4_hls_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	FrameCaptureHlsSettings []FrameCaptureHlsSettingsParameters `json:"frameCaptureHlsSettings,omitempty" tf:"frame_capture_hls_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	StandardHlsSettings []StandardHlsSettingsObservation `json:"standardHlsSettings,omitempty" tf:"standard_hls_settings,omitempty"`
 }
 
 type HlsSettingsParameters struct {
@@ -1651,6 +2535,19 @@ type HlsSettingsParameters struct {
 }
 
 type HlsWebdavSettingsObservation struct {
+
+	// Number of seconds to wait before retrying connection to the flash media server if the connection is lost.
+	ConnectionRetryInterval *float64 `json:"connectionRetryInterval,omitempty" tf:"connection_retry_interval,omitempty"`
+
+	FilecacheDuration *float64 `json:"filecacheDuration,omitempty" tf:"filecache_duration,omitempty"`
+
+	HTTPTransferMode *string `json:"httpTransferMode,omitempty" tf:"http_transfer_mode,omitempty"`
+
+	// Number of retry attempts.
+	NumRetries *float64 `json:"numRetries,omitempty" tf:"num_retries,omitempty"`
+
+	// Number of seconds to wait until a restart is initiated.
+	RestartDelay *float64 `json:"restartDelay,omitempty" tf:"restart_delay,omitempty"`
 }
 
 type HlsWebdavSettingsParameters struct {
@@ -1675,6 +2572,18 @@ type HlsWebdavSettingsParameters struct {
 }
 
 type InputAttachmentsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	AutomaticInputFailoverSettings []AutomaticInputFailoverSettingsObservation `json:"automaticInputFailoverSettings,omitempty" tf:"automatic_input_failover_settings,omitempty"`
+
+	// User-specified name for the attachment.
+	InputAttachmentName *string `json:"inputAttachmentName,omitempty" tf:"input_attachment_name,omitempty"`
+
+	// The ID of the input.
+	InputID *string `json:"inputId,omitempty" tf:"input_id,omitempty"`
+
+	// Settings of an input. See Input Settings for more details
+	InputSettings []InputSettingsObservation `json:"inputSettings,omitempty" tf:"input_settings,omitempty"`
 }
 
 type InputAttachmentsParameters struct {
@@ -1707,6 +2616,9 @@ type InputAttachmentsParameters struct {
 }
 
 type InputChannelLevelsObservation struct {
+	Gain *float64 `json:"gain,omitempty" tf:"gain,omitempty"`
+
+	InputChannel *float64 `json:"inputChannel,omitempty" tf:"input_channel,omitempty"`
 }
 
 type InputChannelLevelsParameters struct {
@@ -1719,6 +2631,7 @@ type InputChannelLevelsParameters struct {
 }
 
 type InputLossSettingsObservation struct {
+	InputLossThresholdMsec *float64 `json:"inputLossThresholdMsec,omitempty" tf:"input_loss_threshold_msec,omitempty"`
 }
 
 type InputLossSettingsParameters struct {
@@ -1728,6 +2641,35 @@ type InputLossSettingsParameters struct {
 }
 
 type InputSettingsObservation struct {
+	AudioSelector []AudioSelectorObservation `json:"audioSelector,omitempty" tf:"audio_selector,omitempty"`
+
+	CaptionSelector []CaptionSelectorObservation `json:"captionSelector,omitempty" tf:"caption_selector,omitempty"`
+
+	// Enable or disable the deblock filter when filtering.
+	DeblockFilter *string `json:"deblockFilter,omitempty" tf:"deblock_filter,omitempty"`
+
+	// Enable or disable the denoise filter when filtering.
+	DenoiseFilter *string `json:"denoiseFilter,omitempty" tf:"denoise_filter,omitempty"`
+
+	// Adjusts the magnitude of filtering from 1 (minimal) to 5 (strongest).
+	FilterStrength *float64 `json:"filterStrength,omitempty" tf:"filter_strength,omitempty"`
+
+	// Turns on the filter for the input.
+	InputFilter *string `json:"inputFilter,omitempty" tf:"input_filter,omitempty"`
+
+	// Input settings. See Network Input Settings for more details.
+	NetworkInputSettings []NetworkInputSettingsObservation `json:"networkInputSettings,omitempty" tf:"network_input_settings,omitempty"`
+
+	// PID from which to read SCTE-35 messages.
+	Scte35Pid *float64 `json:"scte35Pid,omitempty" tf:"scte35_pid,omitempty"`
+
+	// Specifies whether to extract applicable ancillary data from a SMPTE-2038 source in the input.
+	Smpte2038DataPreference *string `json:"smpte2038DataPreference,omitempty" tf:"smpte2038_data_preference,omitempty"`
+
+	// Loop input if it is a file.
+	SourceEndBehavior *string `json:"sourceEndBehavior,omitempty" tf:"source_end_behavior,omitempty"`
+
+	VideoSelector []VideoSelectorObservation `json:"videoSelector,omitempty" tf:"video_selector,omitempty"`
 }
 
 type InputSettingsParameters struct {
@@ -1775,6 +2717,13 @@ type InputSettingsParameters struct {
 }
 
 type InputSpecificationObservation struct {
+	Codec *string `json:"codec,omitempty" tf:"codec,omitempty"`
+
+	// - Maximum CDI input resolution.
+	InputResolution *string `json:"inputResolution,omitempty" tf:"input_resolution,omitempty"`
+
+	// Average bitrate in bits/second.
+	MaximumBitrate *string `json:"maximumBitrate,omitempty" tf:"maximum_bitrate,omitempty"`
 }
 
 type InputSpecificationParameters struct {
@@ -1792,6 +2741,15 @@ type InputSpecificationParameters struct {
 }
 
 type KeyProviderServerObservation struct {
+
+	// Key used to extract the password from EC2 Parameter store.
+	PasswordParam *string `json:"passwordParam,omitempty" tf:"password_param,omitempty"`
+
+	// Path to a file accessible to the live stream.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
+
+	// Username for destination.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type KeyProviderServerParameters struct {
@@ -1810,6 +2768,9 @@ type KeyProviderServerParameters struct {
 }
 
 type KeyProviderSettingsObservation struct {
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	StaticKeySettings []StaticKeySettingsObservation `json:"staticKeySettings,omitempty" tf:"static_key_settings,omitempty"`
 }
 
 type KeyProviderSettingsParameters struct {
@@ -1820,6 +2781,14 @@ type KeyProviderSettingsParameters struct {
 }
 
 type M2TsSettingsDvbNitSettingsObservation struct {
+
+	// User-specified id. Ths is used in an output group or an output.
+	NetworkID *float64 `json:"networkId,omitempty" tf:"network_id,omitempty"`
+
+	// Name of the Channel.
+	NetworkName *string `json:"networkName,omitempty" tf:"network_name,omitempty"`
+
+	RepInterval *float64 `json:"repInterval,omitempty" tf:"rep_interval,omitempty"`
 }
 
 type M2TsSettingsDvbNitSettingsParameters struct {
@@ -1837,6 +2806,15 @@ type M2TsSettingsDvbNitSettingsParameters struct {
 }
 
 type M2TsSettingsDvbSdtSettingsObservation struct {
+	OutputSdt *string `json:"outputSdt,omitempty" tf:"output_sdt,omitempty"`
+
+	RepInterval *float64 `json:"repInterval,omitempty" tf:"rep_interval,omitempty"`
+
+	// Name of the Channel.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
+
+	// Name of the Channel.
+	ServiceProviderName *string `json:"serviceProviderName,omitempty" tf:"service_provider_name,omitempty"`
 }
 
 type M2TsSettingsDvbSdtSettingsParameters struct {
@@ -1857,6 +2835,7 @@ type M2TsSettingsDvbSdtSettingsParameters struct {
 }
 
 type M2TsSettingsDvbTdtSettingsObservation struct {
+	RepInterval *float64 `json:"repInterval,omitempty" tf:"rep_interval,omitempty"`
 }
 
 type M2TsSettingsDvbTdtSettingsParameters struct {
@@ -1866,6 +2845,115 @@ type M2TsSettingsDvbTdtSettingsParameters struct {
 }
 
 type M2TsSettingsObservation struct {
+	AbsentInputAudioBehavior *string `json:"absentInputAudioBehavior,omitempty" tf:"absent_input_audio_behavior,omitempty"`
+
+	Arib *string `json:"arib,omitempty" tf:"arib,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	AribCaptionsPid *string `json:"aribCaptionsPid,omitempty" tf:"arib_captions_pid,omitempty"`
+
+	AribCaptionsPidControl *string `json:"aribCaptionsPidControl,omitempty" tf:"arib_captions_pid_control,omitempty"`
+
+	AudioBufferModel *string `json:"audioBufferModel,omitempty" tf:"audio_buffer_model,omitempty"`
+
+	AudioFramesPerPes *float64 `json:"audioFramesPerPes,omitempty" tf:"audio_frames_per_pes,omitempty"`
+
+	AudioPids *string `json:"audioPids,omitempty" tf:"audio_pids,omitempty"`
+
+	AudioStreamType *string `json:"audioStreamType,omitempty" tf:"audio_stream_type,omitempty"`
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	BufferModel *string `json:"bufferModel,omitempty" tf:"buffer_model,omitempty"`
+
+	CcDescriptor *string `json:"ccDescriptor,omitempty" tf:"cc_descriptor,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	DvbNitSettings []DvbNitSettingsObservation `json:"dvbNitSettings,omitempty" tf:"dvb_nit_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	DvbSdtSettings []DvbSdtSettingsObservation `json:"dvbSdtSettings,omitempty" tf:"dvb_sdt_settings,omitempty"`
+
+	DvbSubPids *string `json:"dvbSubPids,omitempty" tf:"dvb_sub_pids,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	DvbTdtSettings []DvbTdtSettingsObservation `json:"dvbTdtSettings,omitempty" tf:"dvb_tdt_settings,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	DvbTeletextPid *string `json:"dvbTeletextPid,omitempty" tf:"dvb_teletext_pid,omitempty"`
+
+	Ebif *string `json:"ebif,omitempty" tf:"ebif,omitempty"`
+
+	EbpAudioInterval *string `json:"ebpAudioInterval,omitempty" tf:"ebp_audio_interval,omitempty"`
+
+	EbpLookaheadMs *float64 `json:"ebpLookaheadMs,omitempty" tf:"ebp_lookahead_ms,omitempty"`
+
+	EbpPlacement *string `json:"ebpPlacement,omitempty" tf:"ebp_placement,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EcmPid *string `json:"ecmPid,omitempty" tf:"ecm_pid,omitempty"`
+
+	EsRateInPes *string `json:"esRateInPes,omitempty" tf:"es_rate_in_pes,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EtvPlatformPid *string `json:"etvPlatformPid,omitempty" tf:"etv_platform_pid,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EtvSignalPid *string `json:"etvSignalPid,omitempty" tf:"etv_signal_pid,omitempty"`
+
+	FragmentTime *float64 `json:"fragmentTime,omitempty" tf:"fragment_time,omitempty"`
+
+	Klv *string `json:"klv,omitempty" tf:"klv,omitempty"`
+
+	KlvDataPids *string `json:"klvDataPids,omitempty" tf:"klv_data_pids,omitempty"`
+
+	NielsenId3Behavior *string `json:"nielsenId3Behavior,omitempty" tf:"nielsen_id3_behavior,omitempty"`
+
+	// Average bitrate in bits/second.
+	NullPacketBitrate *float64 `json:"nullPacketBitrate,omitempty" tf:"null_packet_bitrate,omitempty"`
+
+	PatInterval *float64 `json:"patInterval,omitempty" tf:"pat_interval,omitempty"`
+
+	PcrControl *string `json:"pcrControl,omitempty" tf:"pcr_control,omitempty"`
+
+	PcrPeriod *float64 `json:"pcrPeriod,omitempty" tf:"pcr_period,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	PcrPid *string `json:"pcrPid,omitempty" tf:"pcr_pid,omitempty"`
+
+	PmtInterval *float64 `json:"pmtInterval,omitempty" tf:"pmt_interval,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	PmtPid *string `json:"pmtPid,omitempty" tf:"pmt_pid,omitempty"`
+
+	ProgramNum *float64 `json:"programNum,omitempty" tf:"program_num,omitempty"`
+
+	RateMode *string `json:"rateMode,omitempty" tf:"rate_mode,omitempty"`
+
+	Scte27Pids *string `json:"scte27Pids,omitempty" tf:"scte27_pids,omitempty"`
+
+	Scte35Control *string `json:"scte35Control,omitempty" tf:"scte35_control,omitempty"`
+
+	// PID from which to read SCTE-35 messages.
+	Scte35Pid *string `json:"scte35Pid,omitempty" tf:"scte35_pid,omitempty"`
+
+	SegmentationMarkers *string `json:"segmentationMarkers,omitempty" tf:"segmentation_markers,omitempty"`
+
+	SegmentationStyle *string `json:"segmentationStyle,omitempty" tf:"segmentation_style,omitempty"`
+
+	SegmentationTime *float64 `json:"segmentationTime,omitempty" tf:"segmentation_time,omitempty"`
+
+	TimedMetadataBehavior *string `json:"timedMetadataBehavior,omitempty" tf:"timed_metadata_behavior,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	TimedMetadataPid *string `json:"timedMetadataPid,omitempty" tf:"timed_metadata_pid,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	TransportStreamID *float64 `json:"transportStreamId,omitempty" tf:"transport_stream_id,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	VideoPid *string `json:"videoPid,omitempty" tf:"video_pid,omitempty"`
 }
 
 type M2TsSettingsParameters struct {
@@ -2029,6 +3117,46 @@ type M2TsSettingsParameters struct {
 }
 
 type M3U8SettingsObservation struct {
+	AudioFramesPerPes *float64 `json:"audioFramesPerPes,omitempty" tf:"audio_frames_per_pes,omitempty"`
+
+	AudioPids *string `json:"audioPids,omitempty" tf:"audio_pids,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EcmPid *string `json:"ecmPid,omitempty" tf:"ecm_pid,omitempty"`
+
+	NielsenId3Behavior *string `json:"nielsenId3Behavior,omitempty" tf:"nielsen_id3_behavior,omitempty"`
+
+	PatInterval *float64 `json:"patInterval,omitempty" tf:"pat_interval,omitempty"`
+
+	PcrControl *string `json:"pcrControl,omitempty" tf:"pcr_control,omitempty"`
+
+	PcrPeriod *float64 `json:"pcrPeriod,omitempty" tf:"pcr_period,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	PcrPid *string `json:"pcrPid,omitempty" tf:"pcr_pid,omitempty"`
+
+	PmtInterval *float64 `json:"pmtInterval,omitempty" tf:"pmt_interval,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	PmtPid *string `json:"pmtPid,omitempty" tf:"pmt_pid,omitempty"`
+
+	ProgramNum *float64 `json:"programNum,omitempty" tf:"program_num,omitempty"`
+
+	Scte35Behavior *string `json:"scte35Behavior,omitempty" tf:"scte35_behavior,omitempty"`
+
+	// PID from which to read SCTE-35 messages.
+	Scte35Pid *string `json:"scte35Pid,omitempty" tf:"scte35_pid,omitempty"`
+
+	TimedMetadataBehavior *string `json:"timedMetadataBehavior,omitempty" tf:"timed_metadata_behavior,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	TimedMetadataPid *string `json:"timedMetadataPid,omitempty" tf:"timed_metadata_pid,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	TransportStreamID *float64 `json:"transportStreamId,omitempty" tf:"transport_stream_id,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	VideoPid *string `json:"videoPid,omitempty" tf:"video_pid,omitempty"`
 }
 
 type M3U8SettingsParameters struct {
@@ -2093,6 +3221,12 @@ type M3U8SettingsParameters struct {
 }
 
 type MaintenanceObservation struct {
+
+	// The day of the week to use for maintenance.
+	MaintenanceDay *string `json:"maintenanceDay,omitempty" tf:"maintenance_day,omitempty"`
+
+	// The hour maintenance will start.
+	MaintenanceStartTime *string `json:"maintenanceStartTime,omitempty" tf:"maintenance_start_time,omitempty"`
 }
 
 type MaintenanceParameters struct {
@@ -2107,6 +3241,9 @@ type MaintenanceParameters struct {
 }
 
 type MediaPackageGroupSettingsDestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
 }
 
 type MediaPackageGroupSettingsDestinationParameters struct {
@@ -2117,6 +3254,9 @@ type MediaPackageGroupSettingsDestinationParameters struct {
 }
 
 type MediaPackageGroupSettingsObservation struct {
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	Destination []MediaPackageGroupSettingsDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
 }
 
 type MediaPackageGroupSettingsParameters struct {
@@ -2133,6 +3273,9 @@ type MediaPackageOutputSettingsParameters struct {
 }
 
 type MediaPackageSettingsObservation struct {
+
+	// ID of the channel in MediaPackage that is the destination for this output group.
+	ChannelID *string `json:"channelId,omitempty" tf:"channel_id,omitempty"`
 }
 
 type MediaPackageSettingsParameters struct {
@@ -2143,6 +3286,15 @@ type MediaPackageSettingsParameters struct {
 }
 
 type Mp2SettingsObservation struct {
+
+	// Average bitrate in bits/second.
+	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
+
+	// Mono, Stereo, or 5.1 channel layout.
+	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+
+	// Sample rate in Hz.
+	SampleRate *float64 `json:"sampleRate,omitempty" tf:"sample_rate,omitempty"`
 }
 
 type Mp2SettingsParameters struct {
@@ -2151,26 +3303,75 @@ type Mp2SettingsParameters struct {
 	// +kubebuilder:validation:Optional
 	Bitrate *float64 `json:"bitrate,omitempty" tf:"bitrate,omitempty"`
 
-	// Mono, Stereo, or 5.1 channel layout.
-	// +kubebuilder:validation:Optional
-	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+	// Mono, Stereo, or 5.1 channel layout.
+	// +kubebuilder:validation:Optional
+	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+
+	// Sample rate in Hz.
+	// +kubebuilder:validation:Optional
+	SampleRate *float64 `json:"sampleRate,omitempty" tf:"sample_rate,omitempty"`
+}
+
+type MsSmoothGroupSettingsDestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
+}
+
+type MsSmoothGroupSettingsDestinationParameters struct {
+
+	// Reference ID for the destination.
+	// +kubebuilder:validation:Required
+	DestinationRefID *string `json:"destinationRefId" tf:"destination_ref_id,omitempty"`
+}
+
+type MsSmoothGroupSettingsObservation struct {
+
+	// User-specified id. Ths is used in an output group or an output.
+	AcquisitionPointID *string `json:"acquisitionPointId,omitempty" tf:"acquisition_point_id,omitempty"`
+
+	AudioOnlyTimecodecControl *string `json:"audioOnlyTimecodecControl,omitempty" tf:"audio_only_timecodec_control,omitempty"`
+
+	// Setting to allow self signed or verified RTMP certificates.
+	CertificateMode *string `json:"certificateMode,omitempty" tf:"certificate_mode,omitempty"`
+
+	// Number of seconds to wait before retrying connection to the flash media server if the connection is lost.
+	ConnectionRetryInterval *float64 `json:"connectionRetryInterval,omitempty" tf:"connection_retry_interval,omitempty"`
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	Destination []MsSmoothGroupSettingsDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	EventID *float64 `json:"eventId,omitempty" tf:"event_id,omitempty"`
+
+	EventIDMode *string `json:"eventIdMode,omitempty" tf:"event_id_mode,omitempty"`
+
+	EventStopBehavior *string `json:"eventStopBehavior,omitempty" tf:"event_stop_behavior,omitempty"`
+
+	FilecacheDuration *float64 `json:"filecacheDuration,omitempty" tf:"filecache_duration,omitempty"`
+
+	FragmentLength *float64 `json:"fragmentLength,omitempty" tf:"fragment_length,omitempty"`
+
+	// Controls the behavior of the RTMP group if input becomes unavailable.
+	InputLossAction *string `json:"inputLossAction,omitempty" tf:"input_loss_action,omitempty"`
+
+	// Number of retry attempts.
+	NumRetries *float64 `json:"numRetries,omitempty" tf:"num_retries,omitempty"`
+
+	// Number of seconds to wait until a restart is initiated.
+	RestartDelay *float64 `json:"restartDelay,omitempty" tf:"restart_delay,omitempty"`
+
+	SegmentationMode *string `json:"segmentationMode,omitempty" tf:"segmentation_mode,omitempty"`
 
-	// Sample rate in Hz.
-	// +kubebuilder:validation:Optional
-	SampleRate *float64 `json:"sampleRate,omitempty" tf:"sample_rate,omitempty"`
-}
+	SendDelayMs *float64 `json:"sendDelayMs,omitempty" tf:"send_delay_ms,omitempty"`
 
-type MsSmoothGroupSettingsDestinationObservation struct {
-}
+	SparseTrackType *string `json:"sparseTrackType,omitempty" tf:"sparse_track_type,omitempty"`
 
-type MsSmoothGroupSettingsDestinationParameters struct {
+	StreamManifestBehavior *string `json:"streamManifestBehavior,omitempty" tf:"stream_manifest_behavior,omitempty"`
 
-	// Reference ID for the destination.
-	// +kubebuilder:validation:Required
-	DestinationRefID *string `json:"destinationRefId" tf:"destination_ref_id,omitempty"`
-}
+	TimestampOffset *string `json:"timestampOffset,omitempty" tf:"timestamp_offset,omitempty"`
 
-type MsSmoothGroupSettingsObservation struct {
+	TimestampOffsetMode *string `json:"timestampOffsetMode,omitempty" tf:"timestamp_offset_mode,omitempty"`
 }
 
 type MsSmoothGroupSettingsParameters struct {
@@ -2242,6 +3443,10 @@ type MsSmoothGroupSettingsParameters struct {
 }
 
 type MsSmoothOutputSettingsObservation struct {
+	H265PackagingType *string `json:"h265PackagingType,omitempty" tf:"h265_packaging_type,omitempty"`
+
+	// String concatenated to the end of the destination filename. Required for multiple outputs of the same type.
+	NameModifier *string `json:"nameModifier,omitempty" tf:"name_modifier,omitempty"`
 }
 
 type MsSmoothOutputSettingsParameters struct {
@@ -2261,6 +3466,9 @@ type MultiplexGroupSettingsParameters struct {
 }
 
 type MultiplexOutputSettingsDestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
 }
 
 type MultiplexOutputSettingsDestinationParameters struct {
@@ -2271,6 +3479,9 @@ type MultiplexOutputSettingsDestinationParameters struct {
 }
 
 type MultiplexOutputSettingsObservation struct {
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	Destination []MultiplexOutputSettingsDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
 }
 
 type MultiplexOutputSettingsParameters struct {
@@ -2281,6 +3492,12 @@ type MultiplexOutputSettingsParameters struct {
 }
 
 type MultiplexSettingsObservation struct {
+
+	// The ID of the Multiplex that the encoder is providing output to.
+	MultiplexID *string `json:"multiplexId,omitempty" tf:"multiplex_id,omitempty"`
+
+	// The program name of the Multiplex program that the encoder is providing output to.
+	ProgramName *string `json:"programName,omitempty" tf:"program_name,omitempty"`
 }
 
 type MultiplexSettingsParameters struct {
@@ -2295,6 +3512,12 @@ type MultiplexSettingsParameters struct {
 }
 
 type NetworkInputSettingsObservation struct {
+
+	// Specifies HLS input settings when the uri is for a HLS manifest. See HLS Input Settings for more details.
+	HlsInputSettings []HlsInputSettingsObservation `json:"hlsInputSettings,omitempty" tf:"hls_input_settings,omitempty"`
+
+	// Check HTTPS server certificates.
+	ServerValidation *string `json:"serverValidation,omitempty" tf:"server_validation,omitempty"`
 }
 
 type NetworkInputSettingsParameters struct {
@@ -2309,6 +3532,13 @@ type NetworkInputSettingsParameters struct {
 }
 
 type NielsenCbetSettingsObservation struct {
+	CbetCheckDigitString *string `json:"cbetCheckDigitString,omitempty" tf:"cbet_check_digit_string,omitempty"`
+
+	// Determines the method of CBET insertion mode when prior encoding is detected on the same layer.
+	CbetStepaside *string `json:"cbetStepaside,omitempty" tf:"cbet_stepaside,omitempty"`
+
+	// CBET source ID to use in the watermark.
+	Csid *string `json:"csid,omitempty" tf:"csid,omitempty"`
 }
 
 type NielsenCbetSettingsParameters struct {
@@ -2326,6 +3556,10 @@ type NielsenCbetSettingsParameters struct {
 }
 
 type NielsenNaesIiNwSettingsObservation struct {
+	CheckDigitString *string `json:"checkDigitString,omitempty" tf:"check_digit_string,omitempty"`
+
+	// The Nielsen Source ID to include in the watermark.
+	Sid *float64 `json:"sid,omitempty" tf:"sid,omitempty"`
 }
 
 type NielsenNaesIiNwSettingsParameters struct {
@@ -2339,6 +3573,15 @@ type NielsenNaesIiNwSettingsParameters struct {
 }
 
 type NielsenWatermarksSettingsObservation struct {
+
+	// Used to insert watermarks of type Nielsen CBET. See Nielsen CBET Settings for more details.
+	NielsenCbetSettings []NielsenCbetSettingsObservation `json:"nielsenCbetSettings,omitempty" tf:"nielsen_cbet_settings,omitempty"`
+
+	// Distribution types to assign to the watermarks. Options are PROGRAM_CONTENT and FINAL_DISTRIBUTOR.
+	NielsenDistributionType *string `json:"nielsenDistributionType,omitempty" tf:"nielsen_distribution_type,omitempty"`
+
+	// Used to insert watermarks of type Nielsen NAES, II (N2) and Nielsen NAES VI (NW). See Nielsen NAES II NW Settings for more details.
+	NielsenNaesIiNwSettings []NielsenNaesIiNwSettingsObservation `json:"nielsenNaesIiNwSettings,omitempty" tf:"nielsen_naes_ii_nw_settings,omitempty"`
 }
 
 type NielsenWatermarksSettingsParameters struct {
@@ -2357,6 +3600,30 @@ type NielsenWatermarksSettingsParameters struct {
 }
 
 type OutputGroupSettingsObservation struct {
+
+	// Archive group settings. See Archive Group Settings for more details.
+	ArchiveGroupSettings []ArchiveGroupSettingsObservation `json:"archiveGroupSettings,omitempty" tf:"archive_group_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	FrameCaptureGroupSettings []FrameCaptureGroupSettingsObservation `json:"frameCaptureGroupSettings,omitempty" tf:"frame_capture_group_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	HlsGroupSettings []HlsGroupSettingsObservation `json:"hlsGroupSettings,omitempty" tf:"hls_group_settings,omitempty"`
+
+	// Media package group settings. See Media Package Group Settings for more details.
+	MediaPackageGroupSettings []MediaPackageGroupSettingsObservation `json:"mediaPackageGroupSettings,omitempty" tf:"media_package_group_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	MsSmoothGroupSettings []MsSmoothGroupSettingsObservation `json:"msSmoothGroupSettings,omitempty" tf:"ms_smooth_group_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	MultiplexGroupSettings []MultiplexGroupSettingsParameters `json:"multiplexGroupSettings,omitempty" tf:"multiplex_group_settings,omitempty"`
+
+	// RTMP group settings. See RTMP Group Settings for more details.
+	RtmpGroupSettings []RtmpGroupSettingsObservation `json:"rtmpGroupSettings,omitempty" tf:"rtmp_group_settings,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	UDPGroupSettings []UDPGroupSettingsObservation `json:"udpGroupSettings,omitempty" tf:"udp_group_settings,omitempty"`
 }
 
 type OutputGroupSettingsParameters struct {
@@ -2395,6 +3662,15 @@ type OutputGroupSettingsParameters struct {
 }
 
 type OutputGroupsObservation struct {
+
+	// Name of the Channel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Settings associated with the output group. See Output Group Settings for more details.
+	OutputGroupSettings []OutputGroupSettingsObservation `json:"outputGroupSettings,omitempty" tf:"output_group_settings,omitempty"`
+
+	// List of outputs. See Outputs for more details.
+	Outputs []OutputsObservation `json:"outputs,omitempty" tf:"outputs,omitempty"`
 }
 
 type OutputGroupsParameters struct {
@@ -2413,6 +3689,16 @@ type OutputGroupsParameters struct {
 }
 
 type OutputRectangleObservation struct {
+
+	// Output video height in pixels.
+	Height *float64 `json:"height,omitempty" tf:"height,omitempty"`
+
+	LeftOffset *float64 `json:"leftOffset,omitempty" tf:"left_offset,omitempty"`
+
+	TopOffset *float64 `json:"topOffset,omitempty" tf:"top_offset,omitempty"`
+
+	// Output video width in pixels.
+	Width *float64 `json:"width,omitempty" tf:"width,omitempty"`
 }
 
 type OutputRectangleParameters struct {
@@ -2433,6 +3719,30 @@ type OutputRectangleParameters struct {
 }
 
 type OutputSettingsObservation struct {
+
+	// Archive output settings. See Archive Output Settings for more details.
+	ArchiveOutputSettings []ArchiveOutputSettingsObservation `json:"archiveOutputSettings,omitempty" tf:"archive_output_settings,omitempty"`
+
+	// Settings for output. See Output Settings for more details.
+	FrameCaptureOutputSettings []FrameCaptureOutputSettingsObservation `json:"frameCaptureOutputSettings,omitempty" tf:"frame_capture_output_settings,omitempty"`
+
+	// Settings for output. See Output Settings for more details.
+	HlsOutputSettings []HlsOutputSettingsObservation `json:"hlsOutputSettings,omitempty" tf:"hls_output_settings,omitempty"`
+
+	// Media package output settings. This can be set as an empty block.
+	MediaPackageOutputSettings []MediaPackageOutputSettingsParameters `json:"mediaPackageOutputSettings,omitempty" tf:"media_package_output_settings,omitempty"`
+
+	// Settings for output. See Output Settings for more details.
+	MsSmoothOutputSettings []MsSmoothOutputSettingsObservation `json:"msSmoothOutputSettings,omitempty" tf:"ms_smooth_output_settings,omitempty"`
+
+	// Multiplex output settings. See Multiplex Output Settings for more details.
+	MultiplexOutputSettings []MultiplexOutputSettingsObservation `json:"multiplexOutputSettings,omitempty" tf:"multiplex_output_settings,omitempty"`
+
+	// RTMP output settings. See RTMP Output Settings for more details.
+	RtmpOutputSettings []RtmpOutputSettingsObservation `json:"rtmpOutputSettings,omitempty" tf:"rtmp_output_settings,omitempty"`
+
+	// UDP output settings. See UDP Output Settings for more details
+	UDPOutputSettings []UDPOutputSettingsObservation `json:"udpOutputSettings,omitempty" tf:"udp_output_settings,omitempty"`
 }
 
 type OutputSettingsParameters struct {
@@ -2471,6 +3781,21 @@ type OutputSettingsParameters struct {
 }
 
 type OutputsObservation struct {
+
+	// The names of the audio descriptions used as audio sources for the output.
+	AudioDescriptionNames []*string `json:"audioDescriptionNames,omitempty" tf:"audio_description_names,omitempty"`
+
+	// The names of the caption descriptions used as caption sources for the output.
+	CaptionDescriptionNames []*string `json:"captionDescriptionNames,omitempty" tf:"caption_description_names,omitempty"`
+
+	// The name used to identify an output.
+	OutputName *string `json:"outputName,omitempty" tf:"output_name,omitempty"`
+
+	// Settings for output. See Output Settings for more details.
+	OutputSettings []OutputSettingsObservation `json:"outputSettings,omitempty" tf:"output_settings,omitempty"`
+
+	// The name of the video description used as video source for the output.
+	VideoDescriptionName *string `json:"videoDescriptionName,omitempty" tf:"video_description_name,omitempty"`
 }
 
 type OutputsParameters struct {
@@ -2509,6 +3834,11 @@ type RawSettingsParameters struct {
 }
 
 type RemixSettingsObservation struct {
+	ChannelMappings []ChannelMappingsObservation `json:"channelMappings,omitempty" tf:"channel_mappings,omitempty"`
+
+	ChannelsIn *float64 `json:"channelsIn,omitempty" tf:"channels_in,omitempty"`
+
+	ChannelsOut *float64 `json:"channelsOut,omitempty" tf:"channels_out,omitempty"`
 }
 
 type RemixSettingsParameters struct {
@@ -2524,6 +3854,27 @@ type RemixSettingsParameters struct {
 }
 
 type RtmpGroupSettingsObservation struct {
+
+	// The ad marker type for this output group.
+	AdMarkers []*string `json:"adMarkers,omitempty" tf:"ad_markers,omitempty"`
+
+	// Authentication scheme to use when connecting with CDN.
+	AuthenticationScheme *string `json:"authenticationScheme,omitempty" tf:"authentication_scheme,omitempty"`
+
+	// Controls behavior when content cache fills up.
+	CacheFullBehavior *string `json:"cacheFullBehavior,omitempty" tf:"cache_full_behavior,omitempty"`
+
+	// Cache length in seconds, is used to calculate buffer size.
+	CacheLength *float64 `json:"cacheLength,omitempty" tf:"cache_length,omitempty"`
+
+	// Controls the types of data that passes to onCaptionInfo outputs.
+	CaptionData *string `json:"captionData,omitempty" tf:"caption_data,omitempty"`
+
+	// Controls the behavior of the RTMP group if input becomes unavailable.
+	InputLossAction *string `json:"inputLossAction,omitempty" tf:"input_loss_action,omitempty"`
+
+	// Number of seconds to wait until a restart is initiated.
+	RestartDelay *float64 `json:"restartDelay,omitempty" tf:"restart_delay,omitempty"`
 }
 
 type RtmpGroupSettingsParameters struct {
@@ -2558,6 +3909,9 @@ type RtmpGroupSettingsParameters struct {
 }
 
 type RtmpOutputSettingsDestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
 }
 
 type RtmpOutputSettingsDestinationParameters struct {
@@ -2568,6 +3922,16 @@ type RtmpOutputSettingsDestinationParameters struct {
 }
 
 type RtmpOutputSettingsObservation struct {
+	CertficateMode *string `json:"certficateMode,omitempty" tf:"certficate_mode,omitempty"`
+
+	// Number of seconds to wait before retrying connection to the flash media server if the connection is lost.
+	ConnectionRetryInterval *float64 `json:"connectionRetryInterval,omitempty" tf:"connection_retry_interval,omitempty"`
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	Destination []RtmpOutputSettingsDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Number of retry attempts.
+	NumRetries *float64 `json:"numRetries,omitempty" tf:"num_retries,omitempty"`
 }
 
 type RtmpOutputSettingsParameters struct {
@@ -2589,6 +3953,9 @@ type RtmpOutputSettingsParameters struct {
 }
 
 type Scte20SourceSettingsObservation struct {
+	Convert608To708 *string `json:"convert608To708,omitempty" tf:"convert_608_to_708,omitempty"`
+
+	Source608ChannelNumber *float64 `json:"source608ChannelNumber,omitempty" tf:"source_608_channel_number,omitempty"`
 }
 
 type Scte20SourceSettingsParameters struct {
@@ -2601,6 +3968,10 @@ type Scte20SourceSettingsParameters struct {
 }
 
 type Scte27SourceSettingsObservation struct {
+	OcrLanguage *string `json:"ocrLanguage,omitempty" tf:"ocr_language,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	Pid *float64 `json:"pid,omitempty" tf:"pid,omitempty"`
 }
 
 type Scte27SourceSettingsParameters struct {
@@ -2614,6 +3985,10 @@ type Scte27SourceSettingsParameters struct {
 }
 
 type SelectorSettingsDvbTdtSettingsObservation struct {
+	OcrLanguage *string `json:"ocrLanguage,omitempty" tf:"ocr_language,omitempty"`
+
+	// User-specified id. Ths is used in an output group or an output.
+	Pid *float64 `json:"pid,omitempty" tf:"pid,omitempty"`
 }
 
 type SelectorSettingsDvbTdtSettingsParameters struct {
@@ -2627,6 +4002,13 @@ type SelectorSettingsDvbTdtSettingsParameters struct {
 }
 
 type SelectorSettingsObservation struct {
+	AudioHlsRenditionSelection []AudioHlsRenditionSelectionObservation `json:"audioHlsRenditionSelection,omitempty" tf:"audio_hls_rendition_selection,omitempty"`
+
+	AudioLanguageSelection []AudioLanguageSelectionObservation `json:"audioLanguageSelection,omitempty" tf:"audio_language_selection,omitempty"`
+
+	AudioPidSelection []AudioPidSelectionObservation `json:"audioPidSelection,omitempty" tf:"audio_pid_selection,omitempty"`
+
+	AudioTrackSelection []AudioTrackSelectionObservation `json:"audioTrackSelection,omitempty" tf:"audio_track_selection,omitempty"`
 }
 
 type SelectorSettingsParameters struct {
@@ -2645,6 +4027,18 @@ type SelectorSettingsParameters struct {
 }
 
 type SettingsObservation struct {
+
+	// Key used to extract the password from EC2 Parameter store.
+	PasswordParam *string `json:"passwordParam,omitempty" tf:"password_param,omitempty"`
+
+	// Stream name RTMP destinations (URLs of type rtmp://)
+	StreamName *string `json:"streamName,omitempty" tf:"stream_name,omitempty"`
+
+	// A URL specifying a destination.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// Username for destination.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type SettingsParameters struct {
@@ -2667,6 +4061,10 @@ type SettingsParameters struct {
 }
 
 type StandardHlsSettingsObservation struct {
+	AudioRenditionSets *string `json:"audioRenditionSets,omitempty" tf:"audio_rendition_sets,omitempty"`
+
+	// Destination settings for a standard output; one destination for each redundant encoder. See Settings for more details.
+	M3U8Settings []M3U8SettingsObservation `json:"m3u8Settings,omitempty" tf:"m3u8_settings,omitempty"`
 }
 
 type StandardHlsSettingsParameters struct {
@@ -2680,6 +4078,9 @@ type StandardHlsSettingsParameters struct {
 }
 
 type StaticKeySettingsObservation struct {
+	KeyProviderServer []KeyProviderServerObservation `json:"keyProviderServer,omitempty" tf:"key_provider_server,omitempty"`
+
+	StaticKeyValue *string `json:"staticKeyValue,omitempty" tf:"static_key_value,omitempty"`
 }
 
 type StaticKeySettingsParameters struct {
@@ -2692,6 +4093,9 @@ type StaticKeySettingsParameters struct {
 }
 
 type TeletextSourceSettingsObservation struct {
+	OutputRectangle []OutputRectangleObservation `json:"outputRectangle,omitempty" tf:"output_rectangle,omitempty"`
+
+	PageNumber *string `json:"pageNumber,omitempty" tf:"page_number,omitempty"`
 }
 
 type TeletextSourceSettingsParameters struct {
@@ -2704,6 +4108,12 @@ type TeletextSourceSettingsParameters struct {
 }
 
 type TemporalFilterSettingsObservation struct {
+
+	// Post filter sharpening.
+	PostFilterSharpening *string `json:"postFilterSharpening,omitempty" tf:"post_filter_sharpening,omitempty"`
+
+	// Filter strength.
+	Strength *string `json:"strength,omitempty" tf:"strength,omitempty"`
 }
 
 type TemporalFilterSettingsParameters struct {
@@ -2718,6 +4128,12 @@ type TemporalFilterSettingsParameters struct {
 }
 
 type TimecodeConfigObservation struct {
+
+	// The source for the timecode that will be associated with the events outputs.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Threshold in frames beyond which output timecode is resynchronized to the input timecode.
+	SyncThreshold *float64 `json:"syncThreshold,omitempty" tf:"sync_threshold,omitempty"`
 }
 
 type TimecodeConfigParameters struct {
@@ -2732,6 +4148,7 @@ type TimecodeConfigParameters struct {
 }
 
 type TrackObservation struct {
+	Track *float64 `json:"track,omitempty" tf:"track,omitempty"`
 }
 
 type TrackParameters struct {
@@ -2741,6 +4158,14 @@ type TrackParameters struct {
 }
 
 type UDPGroupSettingsObservation struct {
+
+	// Controls the behavior of the RTMP group if input becomes unavailable.
+	InputLossAction *string `json:"inputLossAction,omitempty" tf:"input_loss_action,omitempty"`
+
+	// Indicates ID3 frame that has the timecode.
+	TimedMetadataId3Frame *string `json:"timedMetadataId3Frame,omitempty" tf:"timed_metadata_id3_frame,omitempty"`
+
+	TimedMetadataId3Period *float64 `json:"timedMetadataId3Period,omitempty" tf:"timed_metadata_id3_period,omitempty"`
 }
 
 type UDPGroupSettingsParameters struct {
@@ -2758,6 +4183,9 @@ type UDPGroupSettingsParameters struct {
 }
 
 type UDPOutputSettingsContainerSettingsObservation struct {
+
+	// M2ts Settings. See M2ts Settings for more details.
+	M2TsSettings []ContainerSettingsM2TsSettingsObservation `json:"m2tsSettings,omitempty" tf:"m2ts_settings,omitempty"`
 }
 
 type UDPOutputSettingsContainerSettingsParameters struct {
@@ -2768,6 +4196,9 @@ type UDPOutputSettingsContainerSettingsParameters struct {
 }
 
 type UDPOutputSettingsDestinationObservation struct {
+
+	// Reference ID for the destination.
+	DestinationRefID *string `json:"destinationRefId,omitempty" tf:"destination_ref_id,omitempty"`
 }
 
 type UDPOutputSettingsDestinationParameters struct {
@@ -2778,6 +4209,18 @@ type UDPOutputSettingsDestinationParameters struct {
 }
 
 type UDPOutputSettingsObservation struct {
+
+	// UDP output buffering in milliseconds.
+	BufferMsec *float64 `json:"bufferMsec,omitempty" tf:"buffer_msec,omitempty"`
+
+	// Settings specific to the container type of the file. See Container Settings for more details.
+	ContainerSettings []UDPOutputSettingsContainerSettingsObservation `json:"containerSettings,omitempty" tf:"container_settings,omitempty"`
+
+	// A director and base filename where archive files should be written. See Destination for more details.
+	Destination []UDPOutputSettingsDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Settings for output. See Output Settings for more details.
+	FecOutputSettings []FecOutputSettingsObservation `json:"fecOutputSettings,omitempty" tf:"fec_output_settings,omitempty"`
 }
 
 type UDPOutputSettingsParameters struct {
@@ -2801,6 +4244,12 @@ type UDPOutputSettingsParameters struct {
 
 type VPCObservation struct {
 	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	PublicAddressAllocationIds []*string `json:"publicAddressAllocationIds,omitempty" tf:"public_address_allocation_ids,omitempty"`
+
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 }
 
 type VPCParameters struct {
@@ -2816,6 +4265,9 @@ type VPCParameters struct {
 }
 
 type VideoBlackSettingsObservation struct {
+	BlackDetectThreshold *float64 `json:"blackDetectThreshold,omitempty" tf:"black_detect_threshold,omitempty"`
+
+	VideoBlackThresholdMsec *float64 `json:"videoBlackThresholdMsec,omitempty" tf:"video_black_threshold_msec,omitempty"`
 }
 
 type VideoBlackSettingsParameters struct {
@@ -2828,6 +4280,12 @@ type VideoBlackSettingsParameters struct {
 }
 
 type VideoDescriptionsCodecSettingsObservation struct {
+
+	// Frame capture settings. See Frame Capture Settings for more details.
+	FrameCaptureSettings []FrameCaptureSettingsObservation `json:"frameCaptureSettings,omitempty" tf:"frame_capture_settings,omitempty"`
+
+	// H264 settings. See H264 Settings for more details.
+	H264Settings []H264SettingsObservation `json:"h264Settings,omitempty" tf:"h264_settings,omitempty"`
 }
 
 type VideoDescriptionsCodecSettingsParameters struct {
@@ -2842,6 +4300,27 @@ type VideoDescriptionsCodecSettingsParameters struct {
 }
 
 type VideoDescriptionsObservation struct {
+
+	// Audio codec settings. See Audio Codec Settings for more details.
+	CodecSettings []VideoDescriptionsCodecSettingsObservation `json:"codecSettings,omitempty" tf:"codec_settings,omitempty"`
+
+	// Output video height in pixels.
+	Height *float64 `json:"height,omitempty" tf:"height,omitempty"`
+
+	// Name of the Channel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Indicate how to respond to the AFD values that might be in the input video.
+	RespondToAfd *string `json:"respondToAfd,omitempty" tf:"respond_to_afd,omitempty"`
+
+	// Behavior on how to scale.
+	ScalingBehavior *string `json:"scalingBehavior,omitempty" tf:"scaling_behavior,omitempty"`
+
+	// Changes the strength of the anti-alias filter used for scaling.
+	Sharpness *float64 `json:"sharpness,omitempty" tf:"sharpness,omitempty"`
+
+	// Output video width in pixels.
+	Width *float64 `json:"width,omitempty" tf:"width,omitempty"`
 }
 
 type VideoDescriptionsParameters struct {
@@ -2876,6 +4355,9 @@ type VideoDescriptionsParameters struct {
 }
 
 type VideoSelectorObservation struct {
+	ColorSpace *string `json:"colorSpace,omitempty" tf:"color_space,omitempty"`
+
+	ColorSpaceUsage *string `json:"colorSpaceUsage,omitempty" tf:"color_space_usage,omitempty"`
 }
 
 type VideoSelectorParameters struct {
@@ -2888,6 +4370,13 @@ type VideoSelectorParameters struct {
 }
 
 type WavSettingsObservation struct {
+	BitDepth *float64 `json:"bitDepth,omitempty" tf:"bit_depth,omitempty"`
+
+	// Mono, Stereo, or 5.1 channel layout.
+	CodingMode *string `json:"codingMode,omitempty" tf:"coding_mode,omitempty"`
+
+	// Sample rate in Hz.
+	SampleRate *float64 `json:"sampleRate,omitempty" tf:"sample_rate,omitempty"`
 }
 
 type WavSettingsParameters struct {
@@ -2928,8 +4417,14 @@ type ChannelStatus struct {
 type Channel struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ChannelSpec   `json:"spec"`
-	Status            ChannelStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.channelClass)",message="channelClass is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinations)",message="destinations is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encoderSettings)",message="encoderSettings is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputAttachments)",message="inputAttachments is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputSpecification)",message="inputSpecification is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ChannelSpec   `json:"spec"`
+	Status ChannelStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/medialive/v1beta1/zz_generated.deepcopy.go b/apis/medialive/v1beta1/zz_generated.deepcopy.go
index 1a797c5515..a95701f748 100644
--- a/apis/medialive/v1beta1/zz_generated.deepcopy.go
+++ b/apis/medialive/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,51 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AacSettingsObservation) DeepCopyInto(out *AacSettingsObservation) {
 	*out = *in
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.InputType != nil {
+		in, out := &in.InputType, &out.InputType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Profile != nil {
+		in, out := &in.Profile, &out.Profile
+		*out = new(string)
+		**out = **in
+	}
+	if in.RateControlMode != nil {
+		in, out := &in.RateControlMode, &out.RateControlMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.RawFormat != nil {
+		in, out := &in.RawFormat, &out.RawFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.SampleRate != nil {
+		in, out := &in.SampleRate, &out.SampleRate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Spec != nil {
+		in, out := &in.Spec, &out.Spec
+		*out = new(string)
+		**out = **in
+	}
+	if in.VbrQuality != nil {
+		in, out := &in.VbrQuality, &out.VbrQuality
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AacSettingsObservation.
@@ -92,6 +137,41 @@ func (in *AacSettingsParameters) DeepCopy() *AacSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Ac3SettingsObservation) DeepCopyInto(out *Ac3SettingsObservation) {
 	*out = *in
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BitstreamMode != nil {
+		in, out := &in.BitstreamMode, &out.BitstreamMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dialnorm != nil {
+		in, out := &in.Dialnorm, &out.Dialnorm
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DrcProfile != nil {
+		in, out := &in.DrcProfile, &out.DrcProfile
+		*out = new(string)
+		**out = **in
+	}
+	if in.LfeFilter != nil {
+		in, out := &in.LfeFilter, &out.LfeFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetadataControl != nil {
+		in, out := &in.MetadataControl, &out.MetadataControl
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Ac3SettingsObservation.
@@ -157,6 +237,11 @@ func (in *Ac3SettingsParameters) DeepCopy() *Ac3SettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AncillarySourceSettingsObservation) DeepCopyInto(out *AncillarySourceSettingsObservation) {
 	*out = *in
+	if in.SourceAncillaryChannelNumber != nil {
+		in, out := &in.SourceAncillaryChannelNumber, &out.SourceAncillaryChannelNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AncillarySourceSettingsObservation.
@@ -192,6 +277,13 @@ func (in *AncillarySourceSettingsParameters) DeepCopy() *AncillarySourceSettings
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ArchiveCdnSettingsObservation) DeepCopyInto(out *ArchiveCdnSettingsObservation) {
 	*out = *in
+	if in.ArchiveS3Settings != nil {
+		in, out := &in.ArchiveS3Settings, &out.ArchiveS3Settings
+		*out = make([]ArchiveS3SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArchiveCdnSettingsObservation.
@@ -229,6 +321,25 @@ func (in *ArchiveCdnSettingsParameters) DeepCopy() *ArchiveCdnSettingsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ArchiveGroupSettingsObservation) DeepCopyInto(out *ArchiveGroupSettingsObservation) {
 	*out = *in
+	if in.ArchiveCdnSettings != nil {
+		in, out := &in.ArchiveCdnSettings, &out.ArchiveCdnSettings
+		*out = make([]ArchiveCdnSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]DestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RolloverInterval != nil {
+		in, out := &in.RolloverInterval, &out.RolloverInterval
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArchiveGroupSettingsObservation.
@@ -278,6 +389,23 @@ func (in *ArchiveGroupSettingsParameters) DeepCopy() *ArchiveGroupSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ArchiveOutputSettingsObservation) DeepCopyInto(out *ArchiveOutputSettingsObservation) {
 	*out = *in
+	if in.ContainerSettings != nil {
+		in, out := &in.ContainerSettings, &out.ContainerSettings
+		*out = make([]ContainerSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Extension != nil {
+		in, out := &in.Extension, &out.Extension
+		*out = new(string)
+		**out = **in
+	}
+	if in.NameModifier != nil {
+		in, out := &in.NameModifier, &out.NameModifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArchiveOutputSettingsObservation.
@@ -325,6 +453,11 @@ func (in *ArchiveOutputSettingsParameters) DeepCopy() *ArchiveOutputSettingsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ArchiveS3SettingsObservation) DeepCopyInto(out *ArchiveS3SettingsObservation) {
 	*out = *in
+	if in.CannedACL != nil {
+		in, out := &in.CannedACL, &out.CannedACL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ArchiveS3SettingsObservation.
@@ -360,6 +493,69 @@ func (in *ArchiveS3SettingsParameters) DeepCopy() *ArchiveS3SettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioDescriptionsObservation) DeepCopyInto(out *AudioDescriptionsObservation) {
 	*out = *in
+	if in.AudioNormalizationSettings != nil {
+		in, out := &in.AudioNormalizationSettings, &out.AudioNormalizationSettings
+		*out = make([]AudioNormalizationSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AudioSelectorName != nil {
+		in, out := &in.AudioSelectorName, &out.AudioSelectorName
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioType != nil {
+		in, out := &in.AudioType, &out.AudioType
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioTypeControl != nil {
+		in, out := &in.AudioTypeControl, &out.AudioTypeControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioWatermarkSettings != nil {
+		in, out := &in.AudioWatermarkSettings, &out.AudioWatermarkSettings
+		*out = make([]AudioWatermarkSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CodecSettings != nil {
+		in, out := &in.CodecSettings, &out.CodecSettings
+		*out = make([]CodecSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.LanguageCodeControl != nil {
+		in, out := &in.LanguageCodeControl, &out.LanguageCodeControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RemixSettings != nil {
+		in, out := &in.RemixSettings, &out.RemixSettings
+		*out = make([]RemixSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StreamName != nil {
+		in, out := &in.StreamName, &out.StreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioDescriptionsObservation.
@@ -453,6 +649,16 @@ func (in *AudioDescriptionsParameters) DeepCopy() *AudioDescriptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioHlsRenditionSelectionObservation) DeepCopyInto(out *AudioHlsRenditionSelectionObservation) {
 	*out = *in
+	if in.GroupID != nil {
+		in, out := &in.GroupID, &out.GroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioHlsRenditionSelectionObservation.
@@ -493,6 +699,16 @@ func (in *AudioHlsRenditionSelectionParameters) DeepCopy() *AudioHlsRenditionSel
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioLanguageSelectionObservation) DeepCopyInto(out *AudioLanguageSelectionObservation) {
 	*out = *in
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.LanguageSelectionPolicy != nil {
+		in, out := &in.LanguageSelectionPolicy, &out.LanguageSelectionPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioLanguageSelectionObservation.
@@ -533,6 +749,21 @@ func (in *AudioLanguageSelectionParameters) DeepCopy() *AudioLanguageSelectionPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioNormalizationSettingsObservation) DeepCopyInto(out *AudioNormalizationSettingsObservation) {
 	*out = *in
+	if in.Algorithm != nil {
+		in, out := &in.Algorithm, &out.Algorithm
+		*out = new(string)
+		**out = **in
+	}
+	if in.AlgorithmControl != nil {
+		in, out := &in.AlgorithmControl, &out.AlgorithmControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetLkfs != nil {
+		in, out := &in.TargetLkfs, &out.TargetLkfs
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioNormalizationSettingsObservation.
@@ -578,6 +809,28 @@ func (in *AudioNormalizationSettingsParameters) DeepCopy() *AudioNormalizationSe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioOnlyHlsSettingsObservation) DeepCopyInto(out *AudioOnlyHlsSettingsObservation) {
 	*out = *in
+	if in.AudioGroupID != nil {
+		in, out := &in.AudioGroupID, &out.AudioGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioOnlyImage != nil {
+		in, out := &in.AudioOnlyImage, &out.AudioOnlyImage
+		*out = make([]AudioOnlyImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AudioTrackType != nil {
+		in, out := &in.AudioTrackType, &out.AudioTrackType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SegmentType != nil {
+		in, out := &in.SegmentType, &out.SegmentType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioOnlyHlsSettingsObservation.
@@ -630,15 +883,30 @@ func (in *AudioOnlyHlsSettingsParameters) DeepCopy() *AudioOnlyHlsSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioOnlyImageObservation) DeepCopyInto(out *AudioOnlyImageObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioOnlyImageObservation.
-func (in *AudioOnlyImageObservation) DeepCopy() *AudioOnlyImageObservation {
-	if in == nil {
-		return nil
+	if in.PasswordParam != nil {
+		in, out := &in.PasswordParam, &out.PasswordParam
+		*out = new(string)
+		**out = **in
 	}
-	out := new(AudioOnlyImageObservation)
-	in.DeepCopyInto(out)
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioOnlyImageObservation.
+func (in *AudioOnlyImageObservation) DeepCopy() *AudioOnlyImageObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(AudioOnlyImageObservation)
+	in.DeepCopyInto(out)
 	return out
 }
 
@@ -675,6 +943,11 @@ func (in *AudioOnlyImageParameters) DeepCopy() *AudioOnlyImageParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioPidSelectionObservation) DeepCopyInto(out *AudioPidSelectionObservation) {
 	*out = *in
+	if in.Pid != nil {
+		in, out := &in.Pid, &out.Pid
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioPidSelectionObservation.
@@ -710,6 +983,18 @@ func (in *AudioPidSelectionParameters) DeepCopy() *AudioPidSelectionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioSelectorObservation) DeepCopyInto(out *AudioSelectorObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SelectorSettings != nil {
+		in, out := &in.SelectorSettings, &out.SelectorSettings
+		*out = make([]SelectorSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioSelectorObservation.
@@ -752,6 +1037,16 @@ func (in *AudioSelectorParameters) DeepCopy() *AudioSelectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioSilenceSettingsObservation) DeepCopyInto(out *AudioSilenceSettingsObservation) {
 	*out = *in
+	if in.AudioSelectorName != nil {
+		in, out := &in.AudioSelectorName, &out.AudioSelectorName
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioSilenceThresholdMsec != nil {
+		in, out := &in.AudioSilenceThresholdMsec, &out.AudioSilenceThresholdMsec
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioSilenceSettingsObservation.
@@ -792,6 +1087,13 @@ func (in *AudioSilenceSettingsParameters) DeepCopy() *AudioSilenceSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioTrackSelectionObservation) DeepCopyInto(out *AudioTrackSelectionObservation) {
 	*out = *in
+	if in.Track != nil {
+		in, out := &in.Track, &out.Track
+		*out = make([]TrackObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioTrackSelectionObservation.
@@ -829,6 +1131,13 @@ func (in *AudioTrackSelectionParameters) DeepCopy() *AudioTrackSelectionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AudioWatermarkSettingsObservation) DeepCopyInto(out *AudioWatermarkSettingsObservation) {
 	*out = *in
+	if in.NielsenWatermarksSettings != nil {
+		in, out := &in.NielsenWatermarksSettings, &out.NielsenWatermarksSettings
+		*out = make([]NielsenWatermarksSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AudioWatermarkSettingsObservation.
@@ -866,6 +1175,28 @@ func (in *AudioWatermarkSettingsParameters) DeepCopy() *AudioWatermarkSettingsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutomaticInputFailoverSettingsObservation) DeepCopyInto(out *AutomaticInputFailoverSettingsObservation) {
 	*out = *in
+	if in.ErrorClearTimeMsec != nil {
+		in, out := &in.ErrorClearTimeMsec, &out.ErrorClearTimeMsec
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FailoverCondition != nil {
+		in, out := &in.FailoverCondition, &out.FailoverCondition
+		*out = make([]FailoverConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputPreference != nil {
+		in, out := &in.InputPreference, &out.InputPreference
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecondaryInputID != nil {
+		in, out := &in.SecondaryInputID, &out.SecondaryInputID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutomaticInputFailoverSettingsObservation.
@@ -918,6 +1249,21 @@ func (in *AutomaticInputFailoverSettingsParameters) DeepCopy() *AutomaticInputFa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AvailBlankingImageObservation) DeepCopyInto(out *AvailBlankingImageObservation) {
 	*out = *in
+	if in.PasswordParam != nil {
+		in, out := &in.PasswordParam, &out.PasswordParam
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AvailBlankingImageObservation.
@@ -963,6 +1309,18 @@ func (in *AvailBlankingImageParameters) DeepCopy() *AvailBlankingImageParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AvailBlankingObservation) DeepCopyInto(out *AvailBlankingObservation) {
 	*out = *in
+	if in.AvailBlankingImage != nil {
+		in, out := &in.AvailBlankingImage, &out.AvailBlankingImage
+		*out = make([]AvailBlankingImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AvailBlankingObservation.
@@ -1005,6 +1363,21 @@ func (in *AvailBlankingParameters) DeepCopy() *AvailBlankingParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CaptionLanguageMappingsObservation) DeepCopyInto(out *CaptionLanguageMappingsObservation) {
 	*out = *in
+	if in.CaptionChannel != nil {
+		in, out := &in.CaptionChannel, &out.CaptionChannel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.LanguageDescription != nil {
+		in, out := &in.LanguageDescription, &out.LanguageDescription
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CaptionLanguageMappingsObservation.
@@ -1050,6 +1423,23 @@ func (in *CaptionLanguageMappingsParameters) DeepCopy() *CaptionLanguageMappings
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CaptionSelectorObservation) DeepCopyInto(out *CaptionSelectorObservation) {
 	*out = *in
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SelectorSettings != nil {
+		in, out := &in.SelectorSettings, &out.SelectorSettings
+		*out = make([]CaptionSelectorSelectorSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CaptionSelectorObservation.
@@ -1097,6 +1487,48 @@ func (in *CaptionSelectorParameters) DeepCopy() *CaptionSelectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CaptionSelectorSelectorSettingsObservation) DeepCopyInto(out *CaptionSelectorSelectorSettingsObservation) {
 	*out = *in
+	if in.AncillarySourceSettings != nil {
+		in, out := &in.AncillarySourceSettings, &out.AncillarySourceSettings
+		*out = make([]AncillarySourceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DvbTdtSettings != nil {
+		in, out := &in.DvbTdtSettings, &out.DvbTdtSettings
+		*out = make([]SelectorSettingsDvbTdtSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EmbeddedSourceSettings != nil {
+		in, out := &in.EmbeddedSourceSettings, &out.EmbeddedSourceSettings
+		*out = make([]EmbeddedSourceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Scte20SourceSettings != nil {
+		in, out := &in.Scte20SourceSettings, &out.Scte20SourceSettings
+		*out = make([]Scte20SourceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Scte27SourceSettings != nil {
+		in, out := &in.Scte27SourceSettings, &out.Scte27SourceSettings
+		*out = make([]Scte27SourceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TeletextSourceSettings != nil {
+		in, out := &in.TeletextSourceSettings, &out.TeletextSourceSettings
+		*out = make([]TeletextSourceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CaptionSelectorSelectorSettingsObservation.
@@ -1169,6 +1601,11 @@ func (in *CaptionSelectorSelectorSettingsParameters) DeepCopy() *CaptionSelector
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CdiInputSpecificationObservation) DeepCopyInto(out *CdiInputSpecificationObservation) {
 	*out = *in
+	if in.Resolution != nil {
+		in, out := &in.Resolution, &out.Resolution
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CdiInputSpecificationObservation.
@@ -1263,6 +1700,18 @@ func (in *ChannelList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ChannelMappingsObservation) DeepCopyInto(out *ChannelMappingsObservation) {
 	*out = *in
+	if in.InputChannelLevels != nil {
+		in, out := &in.InputChannelLevels, &out.InputChannelLevels
+		*out = make([]InputChannelLevelsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputChannel != nil {
+		in, out := &in.OutputChannel, &out.OutputChannel
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChannelMappingsObservation.
@@ -1310,56 +1759,9 @@ func (in *ChannelObservation) DeepCopyInto(out *ChannelObservation) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.ChannelID != nil {
-		in, out := &in.ChannelID, &out.ChannelID
-		*out = new(string)
-		**out = **in
-	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-	if in.VPC != nil {
-		in, out := &in.VPC, &out.VPC
-		*out = make([]VPCObservation, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChannelObservation.
-func (in *ChannelObservation) DeepCopy() *ChannelObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(ChannelObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ChannelParameters) DeepCopyInto(out *ChannelParameters) {
-	*out = *in
 	if in.CdiInputSpecification != nil {
 		in, out := &in.CdiInputSpecification, &out.CdiInputSpecification
-		*out = make([]CdiInputSpecificationParameters, len(*in))
+		*out = make([]CdiInputSpecificationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1369,30 +1771,40 @@ func (in *ChannelParameters) DeepCopyInto(out *ChannelParameters) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ChannelID != nil {
+		in, out := &in.ChannelID, &out.ChannelID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Destinations != nil {
 		in, out := &in.Destinations, &out.Destinations
-		*out = make([]DestinationsParameters, len(*in))
+		*out = make([]DestinationsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.EncoderSettings != nil {
 		in, out := &in.EncoderSettings, &out.EncoderSettings
-		*out = make([]EncoderSettingsParameters, len(*in))
+		*out = make([]EncoderSettingsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
 	if in.InputAttachments != nil {
 		in, out := &in.InputAttachments, &out.InputAttachments
-		*out = make([]InputAttachmentsParameters, len(*in))
+		*out = make([]InputAttachmentsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.InputSpecification != nil {
 		in, out := &in.InputSpecification, &out.InputSpecification
-		*out = make([]InputSpecificationParameters, len(*in))
+		*out = make([]InputSpecificationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1404,7 +1816,7 @@ func (in *ChannelParameters) DeepCopyInto(out *ChannelParameters) {
 	}
 	if in.Maintenance != nil {
 		in, out := &in.Maintenance, &out.Maintenance
-		*out = make([]MaintenanceParameters, len(*in))
+		*out = make([]MaintenanceObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1414,17 +1826,136 @@ func (in *ChannelParameters) DeepCopyInto(out *ChannelParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.Region != nil {
-		in, out := &in.Region, &out.Region
-		*out = new(string)
-		**out = **in
-	}
 	if in.RoleArn != nil {
 		in, out := &in.RoleArn, &out.RoleArn
 		*out = new(string)
 		**out = **in
 	}
-	if in.RoleArnRef != nil {
+	if in.StartChannel != nil {
+		in, out := &in.StartChannel, &out.StartChannel
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VPC != nil {
+		in, out := &in.VPC, &out.VPC
+		*out = make([]VPCObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ChannelObservation.
+func (in *ChannelObservation) DeepCopy() *ChannelObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(ChannelObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ChannelParameters) DeepCopyInto(out *ChannelParameters) {
+	*out = *in
+	if in.CdiInputSpecification != nil {
+		in, out := &in.CdiInputSpecification, &out.CdiInputSpecification
+		*out = make([]CdiInputSpecificationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ChannelClass != nil {
+		in, out := &in.ChannelClass, &out.ChannelClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.Destinations != nil {
+		in, out := &in.Destinations, &out.Destinations
+		*out = make([]DestinationsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EncoderSettings != nil {
+		in, out := &in.EncoderSettings, &out.EncoderSettings
+		*out = make([]EncoderSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputAttachments != nil {
+		in, out := &in.InputAttachments, &out.InputAttachments
+		*out = make([]InputAttachmentsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputSpecification != nil {
+		in, out := &in.InputSpecification, &out.InputSpecification
+		*out = make([]InputSpecificationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LogLevel != nil {
+		in, out := &in.LogLevel, &out.LogLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Maintenance != nil {
+		in, out := &in.Maintenance, &out.Maintenance
+		*out = make([]MaintenanceParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArnRef != nil {
 		in, out := &in.RoleArnRef, &out.RoleArnRef
 		*out = new(v1.Reference)
 		(*in).DeepCopyInto(*out)
@@ -1510,6 +2041,53 @@ func (in *ChannelStatus) DeepCopy() *ChannelStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CodecSettingsObservation) DeepCopyInto(out *CodecSettingsObservation) {
 	*out = *in
+	if in.AacSettings != nil {
+		in, out := &in.AacSettings, &out.AacSettings
+		*out = make([]AacSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Ac3Settings != nil {
+		in, out := &in.Ac3Settings, &out.Ac3Settings
+		*out = make([]Ac3SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Eac3AtmosSettings != nil {
+		in, out := &in.Eac3AtmosSettings, &out.Eac3AtmosSettings
+		*out = make([]Eac3AtmosSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Eac3Settings != nil {
+		in, out := &in.Eac3Settings, &out.Eac3Settings
+		*out = make([]Eac3SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Mp2Settings != nil {
+		in, out := &in.Mp2Settings, &out.Mp2Settings
+		*out = make([]Mp2SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PassThroughSettings != nil {
+		in, out := &in.PassThroughSettings, &out.PassThroughSettings
+		*out = make([]PassThroughSettingsParameters, len(*in))
+		copy(*out, *in)
+	}
+	if in.WavSettings != nil {
+		in, out := &in.WavSettings, &out.WavSettings
+		*out = make([]WavSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CodecSettingsObservation.
@@ -1587,21 +2165,6 @@ func (in *CodecSettingsParameters) DeepCopy() *CodecSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContainerSettingsM2TsSettingsObservation) DeepCopyInto(out *ContainerSettingsM2TsSettingsObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsM2TsSettingsObservation.
-func (in *ContainerSettingsM2TsSettingsObservation) DeepCopy() *ContainerSettingsM2TsSettingsObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(ContainerSettingsM2TsSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ContainerSettingsM2TsSettingsParameters) DeepCopyInto(out *ContainerSettingsM2TsSettingsParameters) {
-	*out = *in
 	if in.AbsentInputAudioBehavior != nil {
 		in, out := &in.AbsentInputAudioBehavior, &out.AbsentInputAudioBehavior
 		*out = new(string)
@@ -1659,14 +2222,14 @@ func (in *ContainerSettingsM2TsSettingsParameters) DeepCopyInto(out *ContainerSe
 	}
 	if in.DvbNitSettings != nil {
 		in, out := &in.DvbNitSettings, &out.DvbNitSettings
-		*out = make([]M2TsSettingsDvbNitSettingsParameters, len(*in))
+		*out = make([]M2TsSettingsDvbNitSettingsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.DvbSdtSettings != nil {
 		in, out := &in.DvbSdtSettings, &out.DvbSdtSettings
-		*out = make([]M2TsSettingsDvbSdtSettingsParameters, len(*in))
+		*out = make([]M2TsSettingsDvbSdtSettingsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1678,7 +2241,7 @@ func (in *ContainerSettingsM2TsSettingsParameters) DeepCopyInto(out *ContainerSe
 	}
 	if in.DvbTdtSettings != nil {
 		in, out := &in.DvbTdtSettings, &out.DvbTdtSettings
-		*out = make([]M2TsSettingsDvbTdtSettingsParameters, len(*in))
+		*out = make([]M2TsSettingsDvbTdtSettingsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1845,1510 +2408,2671 @@ func (in *ContainerSettingsM2TsSettingsParameters) DeepCopyInto(out *ContainerSe
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsM2TsSettingsParameters.
-func (in *ContainerSettingsM2TsSettingsParameters) DeepCopy() *ContainerSettingsM2TsSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsM2TsSettingsObservation.
+func (in *ContainerSettingsM2TsSettingsObservation) DeepCopy() *ContainerSettingsM2TsSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(ContainerSettingsM2TsSettingsParameters)
+	out := new(ContainerSettingsM2TsSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ContainerSettingsObservation) DeepCopyInto(out *ContainerSettingsObservation) {
+func (in *ContainerSettingsM2TsSettingsParameters) DeepCopyInto(out *ContainerSettingsM2TsSettingsParameters) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsObservation.
-func (in *ContainerSettingsObservation) DeepCopy() *ContainerSettingsObservation {
-	if in == nil {
-		return nil
+	if in.AbsentInputAudioBehavior != nil {
+		in, out := &in.AbsentInputAudioBehavior, &out.AbsentInputAudioBehavior
+		*out = new(string)
+		**out = **in
 	}
-	out := new(ContainerSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ContainerSettingsParameters) DeepCopyInto(out *ContainerSettingsParameters) {
-	*out = *in
-	if in.M2TsSettings != nil {
-		in, out := &in.M2TsSettings, &out.M2TsSettings
-		*out = make([]M2TsSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.Arib != nil {
+		in, out := &in.Arib, &out.Arib
+		*out = new(string)
+		**out = **in
 	}
-	if in.RawSettings != nil {
-		in, out := &in.RawSettings, &out.RawSettings
-		*out = make([]RawSettingsParameters, len(*in))
-		copy(*out, *in)
+	if in.AribCaptionsPid != nil {
+		in, out := &in.AribCaptionsPid, &out.AribCaptionsPid
+		*out = new(string)
+		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsParameters.
-func (in *ContainerSettingsParameters) DeepCopy() *ContainerSettingsParameters {
-	if in == nil {
-		return nil
+	if in.AribCaptionsPidControl != nil {
+		in, out := &in.AribCaptionsPidControl, &out.AribCaptionsPidControl
+		*out = new(string)
+		**out = **in
 	}
-	out := new(ContainerSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationObservation.
-func (in *DestinationObservation) DeepCopy() *DestinationObservation {
-	if in == nil {
-		return nil
+	if in.AudioBufferModel != nil {
+		in, out := &in.AudioBufferModel, &out.AudioBufferModel
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DestinationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DestinationParameters) DeepCopyInto(out *DestinationParameters) {
-	*out = *in
-	if in.DestinationRefID != nil {
-		in, out := &in.DestinationRefID, &out.DestinationRefID
+	if in.AudioFramesPerPes != nil {
+		in, out := &in.AudioFramesPerPes, &out.AudioFramesPerPes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AudioPids != nil {
+		in, out := &in.AudioPids, &out.AudioPids
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationParameters.
-func (in *DestinationParameters) DeepCopy() *DestinationParameters {
-	if in == nil {
-		return nil
+	if in.AudioStreamType != nil {
+		in, out := &in.AudioStreamType, &out.AudioStreamType
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DestinationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DestinationsObservation) DeepCopyInto(out *DestinationsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationsObservation.
-func (in *DestinationsObservation) DeepCopy() *DestinationsObservation {
-	if in == nil {
-		return nil
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(DestinationsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DestinationsParameters) DeepCopyInto(out *DestinationsParameters) {
-	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.BufferModel != nil {
+		in, out := &in.BufferModel, &out.BufferModel
 		*out = new(string)
 		**out = **in
 	}
-	if in.MediaPackageSettings != nil {
-		in, out := &in.MediaPackageSettings, &out.MediaPackageSettings
-		*out = make([]MediaPackageSettingsParameters, len(*in))
+	if in.CcDescriptor != nil {
+		in, out := &in.CcDescriptor, &out.CcDescriptor
+		*out = new(string)
+		**out = **in
+	}
+	if in.DvbNitSettings != nil {
+		in, out := &in.DvbNitSettings, &out.DvbNitSettings
+		*out = make([]M2TsSettingsDvbNitSettingsParameters, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.MultiplexSettings != nil {
-		in, out := &in.MultiplexSettings, &out.MultiplexSettings
-		*out = make([]MultiplexSettingsParameters, len(*in))
+	if in.DvbSdtSettings != nil {
+		in, out := &in.DvbSdtSettings, &out.DvbSdtSettings
+		*out = make([]M2TsSettingsDvbSdtSettingsParameters, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.Settings != nil {
-		in, out := &in.Settings, &out.Settings
-		*out = make([]SettingsParameters, len(*in))
+	if in.DvbSubPids != nil {
+		in, out := &in.DvbSubPids, &out.DvbSubPids
+		*out = new(string)
+		**out = **in
+	}
+	if in.DvbTdtSettings != nil {
+		in, out := &in.DvbTdtSettings, &out.DvbTdtSettings
+		*out = make([]M2TsSettingsDvbTdtSettingsParameters, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationsParameters.
-func (in *DestinationsParameters) DeepCopy() *DestinationsParameters {
-	if in == nil {
-		return nil
+	if in.DvbTeletextPid != nil {
+		in, out := &in.DvbTeletextPid, &out.DvbTeletextPid
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DestinationsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DvbNitSettingsObservation) DeepCopyInto(out *DvbNitSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbNitSettingsObservation.
-func (in *DvbNitSettingsObservation) DeepCopy() *DvbNitSettingsObservation {
-	if in == nil {
-		return nil
+	if in.Ebif != nil {
+		in, out := &in.Ebif, &out.Ebif
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DvbNitSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DvbNitSettingsParameters) DeepCopyInto(out *DvbNitSettingsParameters) {
-	*out = *in
-	if in.NetworkID != nil {
-		in, out := &in.NetworkID, &out.NetworkID
+	if in.EbpAudioInterval != nil {
+		in, out := &in.EbpAudioInterval, &out.EbpAudioInterval
+		*out = new(string)
+		**out = **in
+	}
+	if in.EbpLookaheadMs != nil {
+		in, out := &in.EbpLookaheadMs, &out.EbpLookaheadMs
 		*out = new(float64)
 		**out = **in
 	}
-	if in.NetworkName != nil {
-		in, out := &in.NetworkName, &out.NetworkName
+	if in.EbpPlacement != nil {
+		in, out := &in.EbpPlacement, &out.EbpPlacement
 		*out = new(string)
 		**out = **in
 	}
-	if in.RepInterval != nil {
-		in, out := &in.RepInterval, &out.RepInterval
-		*out = new(float64)
+	if in.EcmPid != nil {
+		in, out := &in.EcmPid, &out.EcmPid
+		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbNitSettingsParameters.
-func (in *DvbNitSettingsParameters) DeepCopy() *DvbNitSettingsParameters {
-	if in == nil {
-		return nil
+	if in.EsRateInPes != nil {
+		in, out := &in.EsRateInPes, &out.EsRateInPes
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DvbNitSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DvbSdtSettingsObservation) DeepCopyInto(out *DvbSdtSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbSdtSettingsObservation.
-func (in *DvbSdtSettingsObservation) DeepCopy() *DvbSdtSettingsObservation {
-	if in == nil {
-		return nil
+	if in.EtvPlatformPid != nil {
+		in, out := &in.EtvPlatformPid, &out.EtvPlatformPid
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DvbSdtSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DvbSdtSettingsParameters) DeepCopyInto(out *DvbSdtSettingsParameters) {
-	*out = *in
-	if in.OutputSdt != nil {
-		in, out := &in.OutputSdt, &out.OutputSdt
+	if in.EtvSignalPid != nil {
+		in, out := &in.EtvSignalPid, &out.EtvSignalPid
 		*out = new(string)
 		**out = **in
 	}
-	if in.RepInterval != nil {
-		in, out := &in.RepInterval, &out.RepInterval
+	if in.FragmentTime != nil {
+		in, out := &in.FragmentTime, &out.FragmentTime
 		*out = new(float64)
 		**out = **in
 	}
-	if in.ServiceName != nil {
-		in, out := &in.ServiceName, &out.ServiceName
+	if in.Klv != nil {
+		in, out := &in.Klv, &out.Klv
 		*out = new(string)
 		**out = **in
 	}
-	if in.ServiceProviderName != nil {
-		in, out := &in.ServiceProviderName, &out.ServiceProviderName
+	if in.KlvDataPids != nil {
+		in, out := &in.KlvDataPids, &out.KlvDataPids
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbSdtSettingsParameters.
-func (in *DvbSdtSettingsParameters) DeepCopy() *DvbSdtSettingsParameters {
-	if in == nil {
-		return nil
+	if in.NielsenId3Behavior != nil {
+		in, out := &in.NielsenId3Behavior, &out.NielsenId3Behavior
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DvbSdtSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DvbTdtSettingsObservation) DeepCopyInto(out *DvbTdtSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbTdtSettingsObservation.
-func (in *DvbTdtSettingsObservation) DeepCopy() *DvbTdtSettingsObservation {
-	if in == nil {
-		return nil
+	if in.NullPacketBitrate != nil {
+		in, out := &in.NullPacketBitrate, &out.NullPacketBitrate
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(DvbTdtSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DvbTdtSettingsParameters) DeepCopyInto(out *DvbTdtSettingsParameters) {
-	*out = *in
-	if in.RepInterval != nil {
-		in, out := &in.RepInterval, &out.RepInterval
+	if in.PatInterval != nil {
+		in, out := &in.PatInterval, &out.PatInterval
 		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbTdtSettingsParameters.
-func (in *DvbTdtSettingsParameters) DeepCopy() *DvbTdtSettingsParameters {
-	if in == nil {
-		return nil
+	if in.PcrControl != nil {
+		in, out := &in.PcrControl, &out.PcrControl
+		*out = new(string)
+		**out = **in
 	}
-	out := new(DvbTdtSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Eac3AtmosSettingsObservation) DeepCopyInto(out *Eac3AtmosSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3AtmosSettingsObservation.
-func (in *Eac3AtmosSettingsObservation) DeepCopy() *Eac3AtmosSettingsObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(Eac3AtmosSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Eac3AtmosSettingsParameters) DeepCopyInto(out *Eac3AtmosSettingsParameters) {
-	*out = *in
-	if in.Bitrate != nil {
-		in, out := &in.Bitrate, &out.Bitrate
-		*out = new(float64)
-		**out = **in
-	}
-	if in.CodingMode != nil {
-		in, out := &in.CodingMode, &out.CodingMode
-		*out = new(string)
-		**out = **in
-	}
-	if in.Dialnorm != nil {
-		in, out := &in.Dialnorm, &out.Dialnorm
+	if in.PcrPeriod != nil {
+		in, out := &in.PcrPeriod, &out.PcrPeriod
 		*out = new(float64)
 		**out = **in
 	}
-	if in.DrcLine != nil {
-		in, out := &in.DrcLine, &out.DrcLine
-		*out = new(string)
-		**out = **in
-	}
-	if in.DrcRf != nil {
-		in, out := &in.DrcRf, &out.DrcRf
+	if in.PcrPid != nil {
+		in, out := &in.PcrPid, &out.PcrPid
 		*out = new(string)
 		**out = **in
 	}
-	if in.HeightTrim != nil {
-		in, out := &in.HeightTrim, &out.HeightTrim
-		*out = new(float64)
-		**out = **in
-	}
-	if in.SurroundTrim != nil {
-		in, out := &in.SurroundTrim, &out.SurroundTrim
+	if in.PmtInterval != nil {
+		in, out := &in.PmtInterval, &out.PmtInterval
 		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3AtmosSettingsParameters.
-func (in *Eac3AtmosSettingsParameters) DeepCopy() *Eac3AtmosSettingsParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(Eac3AtmosSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Eac3SettingsObservation) DeepCopyInto(out *Eac3SettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3SettingsObservation.
-func (in *Eac3SettingsObservation) DeepCopy() *Eac3SettingsObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(Eac3SettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Eac3SettingsParameters) DeepCopyInto(out *Eac3SettingsParameters) {
-	*out = *in
-	if in.AttenuationControl != nil {
-		in, out := &in.AttenuationControl, &out.AttenuationControl
+	if in.PmtPid != nil {
+		in, out := &in.PmtPid, &out.PmtPid
 		*out = new(string)
 		**out = **in
 	}
-	if in.Bitrate != nil {
-		in, out := &in.Bitrate, &out.Bitrate
+	if in.ProgramNum != nil {
+		in, out := &in.ProgramNum, &out.ProgramNum
 		*out = new(float64)
 		**out = **in
 	}
-	if in.BitstreamMode != nil {
-		in, out := &in.BitstreamMode, &out.BitstreamMode
-		*out = new(string)
-		**out = **in
-	}
-	if in.CodingMode != nil {
-		in, out := &in.CodingMode, &out.CodingMode
+	if in.RateMode != nil {
+		in, out := &in.RateMode, &out.RateMode
 		*out = new(string)
 		**out = **in
 	}
-	if in.DcFilter != nil {
-		in, out := &in.DcFilter, &out.DcFilter
+	if in.Scte27Pids != nil {
+		in, out := &in.Scte27Pids, &out.Scte27Pids
 		*out = new(string)
 		**out = **in
 	}
-	if in.Dialnorm != nil {
-		in, out := &in.Dialnorm, &out.Dialnorm
-		*out = new(float64)
-		**out = **in
-	}
-	if in.DrcLine != nil {
-		in, out := &in.DrcLine, &out.DrcLine
+	if in.Scte35Control != nil {
+		in, out := &in.Scte35Control, &out.Scte35Control
 		*out = new(string)
 		**out = **in
 	}
-	if in.DrcRf != nil {
-		in, out := &in.DrcRf, &out.DrcRf
+	if in.Scte35Pid != nil {
+		in, out := &in.Scte35Pid, &out.Scte35Pid
 		*out = new(string)
 		**out = **in
 	}
-	if in.LfeControl != nil {
-		in, out := &in.LfeControl, &out.LfeControl
+	if in.SegmentationMarkers != nil {
+		in, out := &in.SegmentationMarkers, &out.SegmentationMarkers
 		*out = new(string)
 		**out = **in
 	}
-	if in.LfeFilter != nil {
-		in, out := &in.LfeFilter, &out.LfeFilter
+	if in.SegmentationStyle != nil {
+		in, out := &in.SegmentationStyle, &out.SegmentationStyle
 		*out = new(string)
 		**out = **in
 	}
-	if in.LoRoCenterMixLevel != nil {
-		in, out := &in.LoRoCenterMixLevel, &out.LoRoCenterMixLevel
-		*out = new(float64)
-		**out = **in
-	}
-	if in.LoRoSurroundMixLevel != nil {
-		in, out := &in.LoRoSurroundMixLevel, &out.LoRoSurroundMixLevel
-		*out = new(float64)
-		**out = **in
-	}
-	if in.LtRtCenterMixLevel != nil {
-		in, out := &in.LtRtCenterMixLevel, &out.LtRtCenterMixLevel
-		*out = new(float64)
-		**out = **in
-	}
-	if in.LtRtSurroundMixLevel != nil {
-		in, out := &in.LtRtSurroundMixLevel, &out.LtRtSurroundMixLevel
+	if in.SegmentationTime != nil {
+		in, out := &in.SegmentationTime, &out.SegmentationTime
 		*out = new(float64)
 		**out = **in
 	}
-	if in.MetadataControl != nil {
-		in, out := &in.MetadataControl, &out.MetadataControl
-		*out = new(string)
-		**out = **in
-	}
-	if in.PassthroughControl != nil {
-		in, out := &in.PassthroughControl, &out.PassthroughControl
-		*out = new(string)
-		**out = **in
-	}
-	if in.PhaseControl != nil {
-		in, out := &in.PhaseControl, &out.PhaseControl
+	if in.TimedMetadataBehavior != nil {
+		in, out := &in.TimedMetadataBehavior, &out.TimedMetadataBehavior
 		*out = new(string)
 		**out = **in
 	}
-	if in.StereoDownmix != nil {
-		in, out := &in.StereoDownmix, &out.StereoDownmix
+	if in.TimedMetadataPid != nil {
+		in, out := &in.TimedMetadataPid, &out.TimedMetadataPid
 		*out = new(string)
 		**out = **in
 	}
-	if in.SurroundExMode != nil {
-		in, out := &in.SurroundExMode, &out.SurroundExMode
-		*out = new(string)
+	if in.TransportStreamID != nil {
+		in, out := &in.TransportStreamID, &out.TransportStreamID
+		*out = new(float64)
 		**out = **in
 	}
-	if in.SurroundMode != nil {
-		in, out := &in.SurroundMode, &out.SurroundMode
+	if in.VideoPid != nil {
+		in, out := &in.VideoPid, &out.VideoPid
 		*out = new(string)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3SettingsParameters.
-func (in *Eac3SettingsParameters) DeepCopy() *Eac3SettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsM2TsSettingsParameters.
+func (in *ContainerSettingsM2TsSettingsParameters) DeepCopy() *ContainerSettingsM2TsSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(Eac3SettingsParameters)
+	out := new(ContainerSettingsM2TsSettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EmbeddedSourceSettingsObservation) DeepCopyInto(out *EmbeddedSourceSettingsObservation) {
+func (in *ContainerSettingsObservation) DeepCopyInto(out *ContainerSettingsObservation) {
 	*out = *in
+	if in.M2TsSettings != nil {
+		in, out := &in.M2TsSettings, &out.M2TsSettings
+		*out = make([]M2TsSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RawSettings != nil {
+		in, out := &in.RawSettings, &out.RawSettings
+		*out = make([]RawSettingsParameters, len(*in))
+		copy(*out, *in)
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedSourceSettingsObservation.
-func (in *EmbeddedSourceSettingsObservation) DeepCopy() *EmbeddedSourceSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsObservation.
+func (in *ContainerSettingsObservation) DeepCopy() *ContainerSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(EmbeddedSourceSettingsObservation)
+	out := new(ContainerSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EmbeddedSourceSettingsParameters) DeepCopyInto(out *EmbeddedSourceSettingsParameters) {
+func (in *ContainerSettingsParameters) DeepCopyInto(out *ContainerSettingsParameters) {
 	*out = *in
-	if in.Convert608To708 != nil {
-		in, out := &in.Convert608To708, &out.Convert608To708
-		*out = new(string)
-		**out = **in
+	if in.M2TsSettings != nil {
+		in, out := &in.M2TsSettings, &out.M2TsSettings
+		*out = make([]M2TsSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.Scte20Detection != nil {
-		in, out := &in.Scte20Detection, &out.Scte20Detection
-		*out = new(string)
-		**out = **in
+	if in.RawSettings != nil {
+		in, out := &in.RawSettings, &out.RawSettings
+		*out = make([]RawSettingsParameters, len(*in))
+		copy(*out, *in)
 	}
-	if in.Source608ChannelNumber != nil {
-		in, out := &in.Source608ChannelNumber, &out.Source608ChannelNumber
-		*out = new(float64)
-		**out = **in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerSettingsParameters.
+func (in *ContainerSettingsParameters) DeepCopy() *ContainerSettingsParameters {
+	if in == nil {
+		return nil
 	}
-	if in.Source608TrackNumber != nil {
-		in, out := &in.Source608TrackNumber, &out.Source608TrackNumber
-		*out = new(float64)
+	out := new(ContainerSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
+	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedSourceSettingsParameters.
-func (in *EmbeddedSourceSettingsParameters) DeepCopy() *EmbeddedSourceSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationObservation.
+func (in *DestinationObservation) DeepCopy() *DestinationObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(EmbeddedSourceSettingsParameters)
+	out := new(DestinationObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EncoderSettingsObservation) DeepCopyInto(out *EncoderSettingsObservation) {
+func (in *DestinationParameters) DeepCopyInto(out *DestinationParameters) {
 	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncoderSettingsObservation.
-func (in *EncoderSettingsObservation) DeepCopy() *EncoderSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationParameters.
+func (in *DestinationParameters) DeepCopy() *DestinationParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(EncoderSettingsObservation)
+	out := new(DestinationParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EncoderSettingsParameters) DeepCopyInto(out *EncoderSettingsParameters) {
+func (in *DestinationsObservation) DeepCopyInto(out *DestinationsObservation) {
 	*out = *in
-	if in.AudioDescriptions != nil {
-		in, out := &in.AudioDescriptions, &out.AudioDescriptions
-		*out = make([]AudioDescriptionsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.AvailBlanking != nil {
-		in, out := &in.AvailBlanking, &out.AvailBlanking
-		*out = make([]AvailBlankingParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
 	}
-	if in.OutputGroups != nil {
-		in, out := &in.OutputGroups, &out.OutputGroups
-		*out = make([]OutputGroupsParameters, len(*in))
+	if in.MediaPackageSettings != nil {
+		in, out := &in.MediaPackageSettings, &out.MediaPackageSettings
+		*out = make([]MediaPackageSettingsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.TimecodeConfig != nil {
-		in, out := &in.TimecodeConfig, &out.TimecodeConfig
-		*out = make([]TimecodeConfigParameters, len(*in))
+	if in.MultiplexSettings != nil {
+		in, out := &in.MultiplexSettings, &out.MultiplexSettings
+		*out = make([]MultiplexSettingsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.VideoDescriptions != nil {
-		in, out := &in.VideoDescriptions, &out.VideoDescriptions
-		*out = make([]VideoDescriptionsParameters, len(*in))
+	if in.Settings != nil {
+		in, out := &in.Settings, &out.Settings
+		*out = make([]SettingsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncoderSettingsParameters.
-func (in *EncoderSettingsParameters) DeepCopy() *EncoderSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationsObservation.
+func (in *DestinationsObservation) DeepCopy() *DestinationsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(EncoderSettingsParameters)
+	out := new(DestinationsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FailoverConditionObservation) DeepCopyInto(out *FailoverConditionObservation) {
+func (in *DestinationsParameters) DeepCopyInto(out *DestinationsParameters) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionObservation.
-func (in *FailoverConditionObservation) DeepCopy() *FailoverConditionObservation {
-	if in == nil {
-		return nil
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
 	}
-	out := new(FailoverConditionObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FailoverConditionParameters) DeepCopyInto(out *FailoverConditionParameters) {
-	*out = *in
-	if in.FailoverConditionSettings != nil {
-		in, out := &in.FailoverConditionSettings, &out.FailoverConditionSettings
-		*out = make([]FailoverConditionSettingsParameters, len(*in))
+	if in.MediaPackageSettings != nil {
+		in, out := &in.MediaPackageSettings, &out.MediaPackageSettings
+		*out = make([]MediaPackageSettingsParameters, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionParameters.
-func (in *FailoverConditionParameters) DeepCopy() *FailoverConditionParameters {
-	if in == nil {
-		return nil
+	if in.MultiplexSettings != nil {
+		in, out := &in.MultiplexSettings, &out.MultiplexSettings
+		*out = make([]MultiplexSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Settings != nil {
+		in, out := &in.Settings, &out.Settings
+		*out = make([]SettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(FailoverConditionParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FailoverConditionSettingsObservation) DeepCopyInto(out *FailoverConditionSettingsObservation) {
-	*out = *in
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionSettingsObservation.
-func (in *FailoverConditionSettingsObservation) DeepCopy() *FailoverConditionSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationsParameters.
+func (in *DestinationsParameters) DeepCopy() *DestinationsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(FailoverConditionSettingsObservation)
+	out := new(DestinationsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FailoverConditionSettingsParameters) DeepCopyInto(out *FailoverConditionSettingsParameters) {
+func (in *DvbNitSettingsObservation) DeepCopyInto(out *DvbNitSettingsObservation) {
 	*out = *in
-	if in.AudioSilenceSettings != nil {
-		in, out := &in.AudioSilenceSettings, &out.AudioSilenceSettings
-		*out = make([]AudioSilenceSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.NetworkID != nil {
+		in, out := &in.NetworkID, &out.NetworkID
+		*out = new(float64)
+		**out = **in
 	}
-	if in.InputLossSettings != nil {
-		in, out := &in.InputLossSettings, &out.InputLossSettings
-		*out = make([]InputLossSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.NetworkName != nil {
+		in, out := &in.NetworkName, &out.NetworkName
+		*out = new(string)
+		**out = **in
 	}
-	if in.VideoBlackSettings != nil {
-		in, out := &in.VideoBlackSettings, &out.VideoBlackSettings
-		*out = make([]VideoBlackSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionSettingsParameters.
-func (in *FailoverConditionSettingsParameters) DeepCopy() *FailoverConditionSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbNitSettingsObservation.
+func (in *DvbNitSettingsObservation) DeepCopy() *DvbNitSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FailoverConditionSettingsParameters)
+	out := new(DvbNitSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FecOutputSettingsObservation) DeepCopyInto(out *FecOutputSettingsObservation) {
+func (in *DvbNitSettingsParameters) DeepCopyInto(out *DvbNitSettingsParameters) {
 	*out = *in
+	if in.NetworkID != nil {
+		in, out := &in.NetworkID, &out.NetworkID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkName != nil {
+		in, out := &in.NetworkName, &out.NetworkName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FecOutputSettingsObservation.
-func (in *FecOutputSettingsObservation) DeepCopy() *FecOutputSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbNitSettingsParameters.
+func (in *DvbNitSettingsParameters) DeepCopy() *DvbNitSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(FecOutputSettingsObservation)
+	out := new(DvbNitSettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FecOutputSettingsParameters) DeepCopyInto(out *FecOutputSettingsParameters) {
+func (in *DvbSdtSettingsObservation) DeepCopyInto(out *DvbSdtSettingsObservation) {
 	*out = *in
-	if in.ColumnDepth != nil {
-		in, out := &in.ColumnDepth, &out.ColumnDepth
+	if in.OutputSdt != nil {
+		in, out := &in.OutputSdt, &out.OutputSdt
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
 		*out = new(float64)
 		**out = **in
 	}
-	if in.IncludeFec != nil {
-		in, out := &in.IncludeFec, &out.IncludeFec
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
 		*out = new(string)
 		**out = **in
 	}
-	if in.RowLength != nil {
-		in, out := &in.RowLength, &out.RowLength
-		*out = new(float64)
+	if in.ServiceProviderName != nil {
+		in, out := &in.ServiceProviderName, &out.ServiceProviderName
+		*out = new(string)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FecOutputSettingsParameters.
-func (in *FecOutputSettingsParameters) DeepCopy() *FecOutputSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbSdtSettingsObservation.
+func (in *DvbSdtSettingsObservation) DeepCopy() *DvbSdtSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FecOutputSettingsParameters)
+	out := new(DvbSdtSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FilterSettingsObservation) DeepCopyInto(out *FilterSettingsObservation) {
+func (in *DvbSdtSettingsParameters) DeepCopyInto(out *DvbSdtSettingsParameters) {
 	*out = *in
+	if in.OutputSdt != nil {
+		in, out := &in.OutputSdt, &out.OutputSdt
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceProviderName != nil {
+		in, out := &in.ServiceProviderName, &out.ServiceProviderName
+		*out = new(string)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterSettingsObservation.
-func (in *FilterSettingsObservation) DeepCopy() *FilterSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbSdtSettingsParameters.
+func (in *DvbSdtSettingsParameters) DeepCopy() *DvbSdtSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(FilterSettingsObservation)
+	out := new(DvbSdtSettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FilterSettingsParameters) DeepCopyInto(out *FilterSettingsParameters) {
+func (in *DvbTdtSettingsObservation) DeepCopyInto(out *DvbTdtSettingsObservation) {
 	*out = *in
-	if in.TemporalFilterSettings != nil {
-		in, out := &in.TemporalFilterSettings, &out.TemporalFilterSettings
-		*out = make([]TemporalFilterSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterSettingsParameters.
-func (in *FilterSettingsParameters) DeepCopy() *FilterSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbTdtSettingsObservation.
+func (in *DvbTdtSettingsObservation) DeepCopy() *DvbTdtSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FilterSettingsParameters)
+	out := new(DvbTdtSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Fmp4HlsSettingsObservation) DeepCopyInto(out *Fmp4HlsSettingsObservation) {
+func (in *DvbTdtSettingsParameters) DeepCopyInto(out *DvbTdtSettingsParameters) {
 	*out = *in
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Fmp4HlsSettingsObservation.
-func (in *Fmp4HlsSettingsObservation) DeepCopy() *Fmp4HlsSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DvbTdtSettingsParameters.
+func (in *DvbTdtSettingsParameters) DeepCopy() *DvbTdtSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(Fmp4HlsSettingsObservation)
+	out := new(DvbTdtSettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *Fmp4HlsSettingsParameters) DeepCopyInto(out *Fmp4HlsSettingsParameters) {
+func (in *Eac3AtmosSettingsObservation) DeepCopyInto(out *Eac3AtmosSettingsObservation) {
 	*out = *in
-	if in.AudioRenditionSets != nil {
-		in, out := &in.AudioRenditionSets, &out.AudioRenditionSets
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dialnorm != nil {
+		in, out := &in.Dialnorm, &out.Dialnorm
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DrcLine != nil {
+		in, out := &in.DrcLine, &out.DrcLine
+		*out = new(string)
+		**out = **in
+	}
+	if in.DrcRf != nil {
+		in, out := &in.DrcRf, &out.DrcRf
+		*out = new(string)
+		**out = **in
+	}
+	if in.HeightTrim != nil {
+		in, out := &in.HeightTrim, &out.HeightTrim
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SurroundTrim != nil {
+		in, out := &in.SurroundTrim, &out.SurroundTrim
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3AtmosSettingsObservation.
+func (in *Eac3AtmosSettingsObservation) DeepCopy() *Eac3AtmosSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(Eac3AtmosSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Eac3AtmosSettingsParameters) DeepCopyInto(out *Eac3AtmosSettingsParameters) {
+	*out = *in
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dialnorm != nil {
+		in, out := &in.Dialnorm, &out.Dialnorm
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DrcLine != nil {
+		in, out := &in.DrcLine, &out.DrcLine
+		*out = new(string)
+		**out = **in
+	}
+	if in.DrcRf != nil {
+		in, out := &in.DrcRf, &out.DrcRf
+		*out = new(string)
+		**out = **in
+	}
+	if in.HeightTrim != nil {
+		in, out := &in.HeightTrim, &out.HeightTrim
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SurroundTrim != nil {
+		in, out := &in.SurroundTrim, &out.SurroundTrim
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3AtmosSettingsParameters.
+func (in *Eac3AtmosSettingsParameters) DeepCopy() *Eac3AtmosSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(Eac3AtmosSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Eac3SettingsObservation) DeepCopyInto(out *Eac3SettingsObservation) {
+	*out = *in
+	if in.AttenuationControl != nil {
+		in, out := &in.AttenuationControl, &out.AttenuationControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BitstreamMode != nil {
+		in, out := &in.BitstreamMode, &out.BitstreamMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.DcFilter != nil {
+		in, out := &in.DcFilter, &out.DcFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dialnorm != nil {
+		in, out := &in.Dialnorm, &out.Dialnorm
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DrcLine != nil {
+		in, out := &in.DrcLine, &out.DrcLine
+		*out = new(string)
+		**out = **in
+	}
+	if in.DrcRf != nil {
+		in, out := &in.DrcRf, &out.DrcRf
+		*out = new(string)
+		**out = **in
+	}
+	if in.LfeControl != nil {
+		in, out := &in.LfeControl, &out.LfeControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.LfeFilter != nil {
+		in, out := &in.LfeFilter, &out.LfeFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoRoCenterMixLevel != nil {
+		in, out := &in.LoRoCenterMixLevel, &out.LoRoCenterMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoRoSurroundMixLevel != nil {
+		in, out := &in.LoRoSurroundMixLevel, &out.LoRoSurroundMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LtRtCenterMixLevel != nil {
+		in, out := &in.LtRtCenterMixLevel, &out.LtRtCenterMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LtRtSurroundMixLevel != nil {
+		in, out := &in.LtRtSurroundMixLevel, &out.LtRtSurroundMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MetadataControl != nil {
+		in, out := &in.MetadataControl, &out.MetadataControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.PassthroughControl != nil {
+		in, out := &in.PassthroughControl, &out.PassthroughControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.PhaseControl != nil {
+		in, out := &in.PhaseControl, &out.PhaseControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.StereoDownmix != nil {
+		in, out := &in.StereoDownmix, &out.StereoDownmix
+		*out = new(string)
+		**out = **in
+	}
+	if in.SurroundExMode != nil {
+		in, out := &in.SurroundExMode, &out.SurroundExMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SurroundMode != nil {
+		in, out := &in.SurroundMode, &out.SurroundMode
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3SettingsObservation.
+func (in *Eac3SettingsObservation) DeepCopy() *Eac3SettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(Eac3SettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Eac3SettingsParameters) DeepCopyInto(out *Eac3SettingsParameters) {
+	*out = *in
+	if in.AttenuationControl != nil {
+		in, out := &in.AttenuationControl, &out.AttenuationControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BitstreamMode != nil {
+		in, out := &in.BitstreamMode, &out.BitstreamMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.DcFilter != nil {
+		in, out := &in.DcFilter, &out.DcFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.Dialnorm != nil {
+		in, out := &in.Dialnorm, &out.Dialnorm
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DrcLine != nil {
+		in, out := &in.DrcLine, &out.DrcLine
+		*out = new(string)
+		**out = **in
+	}
+	if in.DrcRf != nil {
+		in, out := &in.DrcRf, &out.DrcRf
+		*out = new(string)
+		**out = **in
+	}
+	if in.LfeControl != nil {
+		in, out := &in.LfeControl, &out.LfeControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.LfeFilter != nil {
+		in, out := &in.LfeFilter, &out.LfeFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoRoCenterMixLevel != nil {
+		in, out := &in.LoRoCenterMixLevel, &out.LoRoCenterMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoRoSurroundMixLevel != nil {
+		in, out := &in.LoRoSurroundMixLevel, &out.LoRoSurroundMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LtRtCenterMixLevel != nil {
+		in, out := &in.LtRtCenterMixLevel, &out.LtRtCenterMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LtRtSurroundMixLevel != nil {
+		in, out := &in.LtRtSurroundMixLevel, &out.LtRtSurroundMixLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MetadataControl != nil {
+		in, out := &in.MetadataControl, &out.MetadataControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.PassthroughControl != nil {
+		in, out := &in.PassthroughControl, &out.PassthroughControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.PhaseControl != nil {
+		in, out := &in.PhaseControl, &out.PhaseControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.StereoDownmix != nil {
+		in, out := &in.StereoDownmix, &out.StereoDownmix
+		*out = new(string)
+		**out = **in
+	}
+	if in.SurroundExMode != nil {
+		in, out := &in.SurroundExMode, &out.SurroundExMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SurroundMode != nil {
+		in, out := &in.SurroundMode, &out.SurroundMode
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Eac3SettingsParameters.
+func (in *Eac3SettingsParameters) DeepCopy() *Eac3SettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(Eac3SettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EmbeddedSourceSettingsObservation) DeepCopyInto(out *EmbeddedSourceSettingsObservation) {
+	*out = *in
+	if in.Convert608To708 != nil {
+		in, out := &in.Convert608To708, &out.Convert608To708
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scte20Detection != nil {
+		in, out := &in.Scte20Detection, &out.Scte20Detection
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source608ChannelNumber != nil {
+		in, out := &in.Source608ChannelNumber, &out.Source608ChannelNumber
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Source608TrackNumber != nil {
+		in, out := &in.Source608TrackNumber, &out.Source608TrackNumber
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedSourceSettingsObservation.
+func (in *EmbeddedSourceSettingsObservation) DeepCopy() *EmbeddedSourceSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(EmbeddedSourceSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EmbeddedSourceSettingsParameters) DeepCopyInto(out *EmbeddedSourceSettingsParameters) {
+	*out = *in
+	if in.Convert608To708 != nil {
+		in, out := &in.Convert608To708, &out.Convert608To708
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scte20Detection != nil {
+		in, out := &in.Scte20Detection, &out.Scte20Detection
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source608ChannelNumber != nil {
+		in, out := &in.Source608ChannelNumber, &out.Source608ChannelNumber
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Source608TrackNumber != nil {
+		in, out := &in.Source608TrackNumber, &out.Source608TrackNumber
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedSourceSettingsParameters.
+func (in *EmbeddedSourceSettingsParameters) DeepCopy() *EmbeddedSourceSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(EmbeddedSourceSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EncoderSettingsObservation) DeepCopyInto(out *EncoderSettingsObservation) {
+	*out = *in
+	if in.AudioDescriptions != nil {
+		in, out := &in.AudioDescriptions, &out.AudioDescriptions
+		*out = make([]AudioDescriptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AvailBlanking != nil {
+		in, out := &in.AvailBlanking, &out.AvailBlanking
+		*out = make([]AvailBlankingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputGroups != nil {
+		in, out := &in.OutputGroups, &out.OutputGroups
+		*out = make([]OutputGroupsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TimecodeConfig != nil {
+		in, out := &in.TimecodeConfig, &out.TimecodeConfig
+		*out = make([]TimecodeConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VideoDescriptions != nil {
+		in, out := &in.VideoDescriptions, &out.VideoDescriptions
+		*out = make([]VideoDescriptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncoderSettingsObservation.
+func (in *EncoderSettingsObservation) DeepCopy() *EncoderSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(EncoderSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EncoderSettingsParameters) DeepCopyInto(out *EncoderSettingsParameters) {
+	*out = *in
+	if in.AudioDescriptions != nil {
+		in, out := &in.AudioDescriptions, &out.AudioDescriptions
+		*out = make([]AudioDescriptionsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AvailBlanking != nil {
+		in, out := &in.AvailBlanking, &out.AvailBlanking
+		*out = make([]AvailBlankingParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputGroups != nil {
+		in, out := &in.OutputGroups, &out.OutputGroups
+		*out = make([]OutputGroupsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TimecodeConfig != nil {
+		in, out := &in.TimecodeConfig, &out.TimecodeConfig
+		*out = make([]TimecodeConfigParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VideoDescriptions != nil {
+		in, out := &in.VideoDescriptions, &out.VideoDescriptions
+		*out = make([]VideoDescriptionsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncoderSettingsParameters.
+func (in *EncoderSettingsParameters) DeepCopy() *EncoderSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(EncoderSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FailoverConditionObservation) DeepCopyInto(out *FailoverConditionObservation) {
+	*out = *in
+	if in.FailoverConditionSettings != nil {
+		in, out := &in.FailoverConditionSettings, &out.FailoverConditionSettings
+		*out = make([]FailoverConditionSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionObservation.
+func (in *FailoverConditionObservation) DeepCopy() *FailoverConditionObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FailoverConditionObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FailoverConditionParameters) DeepCopyInto(out *FailoverConditionParameters) {
+	*out = *in
+	if in.FailoverConditionSettings != nil {
+		in, out := &in.FailoverConditionSettings, &out.FailoverConditionSettings
+		*out = make([]FailoverConditionSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionParameters.
+func (in *FailoverConditionParameters) DeepCopy() *FailoverConditionParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FailoverConditionParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FailoverConditionSettingsObservation) DeepCopyInto(out *FailoverConditionSettingsObservation) {
+	*out = *in
+	if in.AudioSilenceSettings != nil {
+		in, out := &in.AudioSilenceSettings, &out.AudioSilenceSettings
+		*out = make([]AudioSilenceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputLossSettings != nil {
+		in, out := &in.InputLossSettings, &out.InputLossSettings
+		*out = make([]InputLossSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VideoBlackSettings != nil {
+		in, out := &in.VideoBlackSettings, &out.VideoBlackSettings
+		*out = make([]VideoBlackSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionSettingsObservation.
+func (in *FailoverConditionSettingsObservation) DeepCopy() *FailoverConditionSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FailoverConditionSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FailoverConditionSettingsParameters) DeepCopyInto(out *FailoverConditionSettingsParameters) {
+	*out = *in
+	if in.AudioSilenceSettings != nil {
+		in, out := &in.AudioSilenceSettings, &out.AudioSilenceSettings
+		*out = make([]AudioSilenceSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputLossSettings != nil {
+		in, out := &in.InputLossSettings, &out.InputLossSettings
+		*out = make([]InputLossSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VideoBlackSettings != nil {
+		in, out := &in.VideoBlackSettings, &out.VideoBlackSettings
+		*out = make([]VideoBlackSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverConditionSettingsParameters.
+func (in *FailoverConditionSettingsParameters) DeepCopy() *FailoverConditionSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FailoverConditionSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FecOutputSettingsObservation) DeepCopyInto(out *FecOutputSettingsObservation) {
+	*out = *in
+	if in.ColumnDepth != nil {
+		in, out := &in.ColumnDepth, &out.ColumnDepth
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IncludeFec != nil {
+		in, out := &in.IncludeFec, &out.IncludeFec
+		*out = new(string)
+		**out = **in
+	}
+	if in.RowLength != nil {
+		in, out := &in.RowLength, &out.RowLength
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FecOutputSettingsObservation.
+func (in *FecOutputSettingsObservation) DeepCopy() *FecOutputSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FecOutputSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FecOutputSettingsParameters) DeepCopyInto(out *FecOutputSettingsParameters) {
+	*out = *in
+	if in.ColumnDepth != nil {
+		in, out := &in.ColumnDepth, &out.ColumnDepth
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IncludeFec != nil {
+		in, out := &in.IncludeFec, &out.IncludeFec
+		*out = new(string)
+		**out = **in
+	}
+	if in.RowLength != nil {
+		in, out := &in.RowLength, &out.RowLength
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FecOutputSettingsParameters.
+func (in *FecOutputSettingsParameters) DeepCopy() *FecOutputSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FecOutputSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FilterSettingsObservation) DeepCopyInto(out *FilterSettingsObservation) {
+	*out = *in
+	if in.TemporalFilterSettings != nil {
+		in, out := &in.TemporalFilterSettings, &out.TemporalFilterSettings
+		*out = make([]TemporalFilterSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterSettingsObservation.
+func (in *FilterSettingsObservation) DeepCopy() *FilterSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FilterSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FilterSettingsParameters) DeepCopyInto(out *FilterSettingsParameters) {
+	*out = *in
+	if in.TemporalFilterSettings != nil {
+		in, out := &in.TemporalFilterSettings, &out.TemporalFilterSettings
+		*out = make([]TemporalFilterSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterSettingsParameters.
+func (in *FilterSettingsParameters) DeepCopy() *FilterSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FilterSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Fmp4HlsSettingsObservation) DeepCopyInto(out *Fmp4HlsSettingsObservation) {
+	*out = *in
+	if in.AudioRenditionSets != nil {
+		in, out := &in.AudioRenditionSets, &out.AudioRenditionSets
+		*out = new(string)
+		**out = **in
+	}
+	if in.NielsenId3Behavior != nil {
+		in, out := &in.NielsenId3Behavior, &out.NielsenId3Behavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimedMetadataBehavior != nil {
+		in, out := &in.TimedMetadataBehavior, &out.TimedMetadataBehavior
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Fmp4HlsSettingsObservation.
+func (in *Fmp4HlsSettingsObservation) DeepCopy() *Fmp4HlsSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(Fmp4HlsSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Fmp4HlsSettingsParameters) DeepCopyInto(out *Fmp4HlsSettingsParameters) {
+	*out = *in
+	if in.AudioRenditionSets != nil {
+		in, out := &in.AudioRenditionSets, &out.AudioRenditionSets
+		*out = new(string)
+		**out = **in
+	}
+	if in.NielsenId3Behavior != nil {
+		in, out := &in.NielsenId3Behavior, &out.NielsenId3Behavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimedMetadataBehavior != nil {
+		in, out := &in.TimedMetadataBehavior, &out.TimedMetadataBehavior
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Fmp4HlsSettingsParameters.
+func (in *Fmp4HlsSettingsParameters) DeepCopy() *Fmp4HlsSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(Fmp4HlsSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureCdnSettingsObservation) DeepCopyInto(out *FrameCaptureCdnSettingsObservation) {
+	*out = *in
+	if in.FrameCaptureS3Settings != nil {
+		in, out := &in.FrameCaptureS3Settings, &out.FrameCaptureS3Settings
+		*out = make([]FrameCaptureS3SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureCdnSettingsObservation.
+func (in *FrameCaptureCdnSettingsObservation) DeepCopy() *FrameCaptureCdnSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureCdnSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureCdnSettingsParameters) DeepCopyInto(out *FrameCaptureCdnSettingsParameters) {
+	*out = *in
+	if in.FrameCaptureS3Settings != nil {
+		in, out := &in.FrameCaptureS3Settings, &out.FrameCaptureS3Settings
+		*out = make([]FrameCaptureS3SettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureCdnSettingsParameters.
+func (in *FrameCaptureCdnSettingsParameters) DeepCopy() *FrameCaptureCdnSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureCdnSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureGroupSettingsDestinationObservation) DeepCopyInto(out *FrameCaptureGroupSettingsDestinationObservation) {
+	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsDestinationObservation.
+func (in *FrameCaptureGroupSettingsDestinationObservation) DeepCopy() *FrameCaptureGroupSettingsDestinationObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureGroupSettingsDestinationObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureGroupSettingsDestinationParameters) DeepCopyInto(out *FrameCaptureGroupSettingsDestinationParameters) {
+	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsDestinationParameters.
+func (in *FrameCaptureGroupSettingsDestinationParameters) DeepCopy() *FrameCaptureGroupSettingsDestinationParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureGroupSettingsDestinationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureGroupSettingsObservation) DeepCopyInto(out *FrameCaptureGroupSettingsObservation) {
+	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]FrameCaptureGroupSettingsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FrameCaptureCdnSettings != nil {
+		in, out := &in.FrameCaptureCdnSettings, &out.FrameCaptureCdnSettings
+		*out = make([]FrameCaptureCdnSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsObservation.
+func (in *FrameCaptureGroupSettingsObservation) DeepCopy() *FrameCaptureGroupSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureGroupSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureGroupSettingsParameters) DeepCopyInto(out *FrameCaptureGroupSettingsParameters) {
+	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]FrameCaptureGroupSettingsDestinationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FrameCaptureCdnSettings != nil {
+		in, out := &in.FrameCaptureCdnSettings, &out.FrameCaptureCdnSettings
+		*out = make([]FrameCaptureCdnSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsParameters.
+func (in *FrameCaptureGroupSettingsParameters) DeepCopy() *FrameCaptureGroupSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureGroupSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureHlsSettingsObservation) DeepCopyInto(out *FrameCaptureHlsSettingsObservation) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureHlsSettingsObservation.
+func (in *FrameCaptureHlsSettingsObservation) DeepCopy() *FrameCaptureHlsSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureHlsSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureHlsSettingsParameters) DeepCopyInto(out *FrameCaptureHlsSettingsParameters) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureHlsSettingsParameters.
+func (in *FrameCaptureHlsSettingsParameters) DeepCopy() *FrameCaptureHlsSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureHlsSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureOutputSettingsObservation) DeepCopyInto(out *FrameCaptureOutputSettingsObservation) {
+	*out = *in
+	if in.NameModifier != nil {
+		in, out := &in.NameModifier, &out.NameModifier
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureOutputSettingsObservation.
+func (in *FrameCaptureOutputSettingsObservation) DeepCopy() *FrameCaptureOutputSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureOutputSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureOutputSettingsParameters) DeepCopyInto(out *FrameCaptureOutputSettingsParameters) {
+	*out = *in
+	if in.NameModifier != nil {
+		in, out := &in.NameModifier, &out.NameModifier
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureOutputSettingsParameters.
+func (in *FrameCaptureOutputSettingsParameters) DeepCopy() *FrameCaptureOutputSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureOutputSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureS3SettingsObservation) DeepCopyInto(out *FrameCaptureS3SettingsObservation) {
+	*out = *in
+	if in.CannedACL != nil {
+		in, out := &in.CannedACL, &out.CannedACL
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureS3SettingsObservation.
+func (in *FrameCaptureS3SettingsObservation) DeepCopy() *FrameCaptureS3SettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureS3SettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureS3SettingsParameters) DeepCopyInto(out *FrameCaptureS3SettingsParameters) {
+	*out = *in
+	if in.CannedACL != nil {
+		in, out := &in.CannedACL, &out.CannedACL
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureS3SettingsParameters.
+func (in *FrameCaptureS3SettingsParameters) DeepCopy() *FrameCaptureS3SettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureS3SettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureSettingsObservation) DeepCopyInto(out *FrameCaptureSettingsObservation) {
+	*out = *in
+	if in.CaptureInterval != nil {
+		in, out := &in.CaptureInterval, &out.CaptureInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CaptureIntervalUnits != nil {
+		in, out := &in.CaptureIntervalUnits, &out.CaptureIntervalUnits
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureSettingsObservation.
+func (in *FrameCaptureSettingsObservation) DeepCopy() *FrameCaptureSettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureSettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FrameCaptureSettingsParameters) DeepCopyInto(out *FrameCaptureSettingsParameters) {
+	*out = *in
+	if in.CaptureInterval != nil {
+		in, out := &in.CaptureInterval, &out.CaptureInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CaptureIntervalUnits != nil {
+		in, out := &in.CaptureIntervalUnits, &out.CaptureIntervalUnits
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureSettingsParameters.
+func (in *FrameCaptureSettingsParameters) DeepCopy() *FrameCaptureSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FrameCaptureSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *H264SettingsObservation) DeepCopyInto(out *H264SettingsObservation) {
+	*out = *in
+	if in.AdaptiveQuantization != nil {
+		in, out := &in.AdaptiveQuantization, &out.AdaptiveQuantization
+		*out = new(string)
+		**out = **in
+	}
+	if in.AfdSignaling != nil {
+		in, out := &in.AfdSignaling, &out.AfdSignaling
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufFillPct != nil {
+		in, out := &in.BufFillPct, &out.BufFillPct
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufSize != nil {
+		in, out := &in.BufSize, &out.BufSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ColorMetadata != nil {
+		in, out := &in.ColorMetadata, &out.ColorMetadata
+		*out = new(string)
+		**out = **in
+	}
+	if in.EntropyEncoding != nil {
+		in, out := &in.EntropyEncoding, &out.EntropyEncoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterSettings != nil {
+		in, out := &in.FilterSettings, &out.FilterSettings
+		*out = make([]FilterSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FixedAfd != nil {
+		in, out := &in.FixedAfd, &out.FixedAfd
+		*out = new(string)
+		**out = **in
+	}
+	if in.FlickerAq != nil {
+		in, out := &in.FlickerAq, &out.FlickerAq
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceFieldPictures != nil {
+		in, out := &in.ForceFieldPictures, &out.ForceFieldPictures
+		*out = new(string)
+		**out = **in
+	}
+	if in.FramerateControl != nil {
+		in, out := &in.FramerateControl, &out.FramerateControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.FramerateDenominator != nil {
+		in, out := &in.FramerateDenominator, &out.FramerateDenominator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FramerateNumerator != nil {
+		in, out := &in.FramerateNumerator, &out.FramerateNumerator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopBReference != nil {
+		in, out := &in.GopBReference, &out.GopBReference
+		*out = new(string)
+		**out = **in
+	}
+	if in.GopClosedCadence != nil {
+		in, out := &in.GopClosedCadence, &out.GopClosedCadence
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopNumBFrames != nil {
+		in, out := &in.GopNumBFrames, &out.GopNumBFrames
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopSize != nil {
+		in, out := &in.GopSize, &out.GopSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopSizeUnits != nil {
+		in, out := &in.GopSizeUnits, &out.GopSizeUnits
+		*out = new(string)
+		**out = **in
+	}
+	if in.Level != nil {
+		in, out := &in.Level, &out.Level
+		*out = new(string)
+		**out = **in
+	}
+	if in.LookAheadRateControl != nil {
+		in, out := &in.LookAheadRateControl, &out.LookAheadRateControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxBitrate != nil {
+		in, out := &in.MaxBitrate, &out.MaxBitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinIInterval != nil {
+		in, out := &in.MinIInterval, &out.MinIInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NumRefFrames != nil {
+		in, out := &in.NumRefFrames, &out.NumRefFrames
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParControl != nil {
+		in, out := &in.ParControl, &out.ParControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParDenominator != nil {
+		in, out := &in.ParDenominator, &out.ParDenominator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParNumerator != nil {
+		in, out := &in.ParNumerator, &out.ParNumerator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Profile != nil {
+		in, out := &in.Profile, &out.Profile
+		*out = new(string)
+		**out = **in
+	}
+	if in.QualityLevel != nil {
+		in, out := &in.QualityLevel, &out.QualityLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.QvbrQualityLevel != nil {
+		in, out := &in.QvbrQualityLevel, &out.QvbrQualityLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RateControlMode != nil {
+		in, out := &in.RateControlMode, &out.RateControlMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScanType != nil {
+		in, out := &in.ScanType, &out.ScanType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SceneChangeDetect != nil {
+		in, out := &in.SceneChangeDetect, &out.SceneChangeDetect
+		*out = new(string)
+		**out = **in
+	}
+	if in.Slices != nil {
+		in, out := &in.Slices, &out.Slices
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Softness != nil {
+		in, out := &in.Softness, &out.Softness
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SpatialAq != nil {
+		in, out := &in.SpatialAq, &out.SpatialAq
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubgopLength != nil {
+		in, out := &in.SubgopLength, &out.SubgopLength
+		*out = new(string)
+		**out = **in
+	}
+	if in.Syntax != nil {
+		in, out := &in.Syntax, &out.Syntax
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemporalAq != nil {
+		in, out := &in.TemporalAq, &out.TemporalAq
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimecodeInsertion != nil {
+		in, out := &in.TimecodeInsertion, &out.TimecodeInsertion
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new H264SettingsObservation.
+func (in *H264SettingsObservation) DeepCopy() *H264SettingsObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(H264SettingsObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *H264SettingsParameters) DeepCopyInto(out *H264SettingsParameters) {
+	*out = *in
+	if in.AdaptiveQuantization != nil {
+		in, out := &in.AdaptiveQuantization, &out.AdaptiveQuantization
+		*out = new(string)
+		**out = **in
+	}
+	if in.AfdSignaling != nil {
+		in, out := &in.AfdSignaling, &out.AfdSignaling
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufFillPct != nil {
+		in, out := &in.BufFillPct, &out.BufFillPct
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufSize != nil {
+		in, out := &in.BufSize, &out.BufSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ColorMetadata != nil {
+		in, out := &in.ColorMetadata, &out.ColorMetadata
+		*out = new(string)
+		**out = **in
+	}
+	if in.EntropyEncoding != nil {
+		in, out := &in.EntropyEncoding, &out.EntropyEncoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterSettings != nil {
+		in, out := &in.FilterSettings, &out.FilterSettings
+		*out = make([]FilterSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FixedAfd != nil {
+		in, out := &in.FixedAfd, &out.FixedAfd
+		*out = new(string)
+		**out = **in
+	}
+	if in.FlickerAq != nil {
+		in, out := &in.FlickerAq, &out.FlickerAq
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceFieldPictures != nil {
+		in, out := &in.ForceFieldPictures, &out.ForceFieldPictures
+		*out = new(string)
+		**out = **in
+	}
+	if in.FramerateControl != nil {
+		in, out := &in.FramerateControl, &out.FramerateControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.FramerateDenominator != nil {
+		in, out := &in.FramerateDenominator, &out.FramerateDenominator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FramerateNumerator != nil {
+		in, out := &in.FramerateNumerator, &out.FramerateNumerator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopBReference != nil {
+		in, out := &in.GopBReference, &out.GopBReference
+		*out = new(string)
+		**out = **in
+	}
+	if in.GopClosedCadence != nil {
+		in, out := &in.GopClosedCadence, &out.GopClosedCadence
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopNumBFrames != nil {
+		in, out := &in.GopNumBFrames, &out.GopNumBFrames
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopSize != nil {
+		in, out := &in.GopSize, &out.GopSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.GopSizeUnits != nil {
+		in, out := &in.GopSizeUnits, &out.GopSizeUnits
+		*out = new(string)
+		**out = **in
+	}
+	if in.Level != nil {
+		in, out := &in.Level, &out.Level
+		*out = new(string)
+		**out = **in
+	}
+	if in.LookAheadRateControl != nil {
+		in, out := &in.LookAheadRateControl, &out.LookAheadRateControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxBitrate != nil {
+		in, out := &in.MaxBitrate, &out.MaxBitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinIInterval != nil {
+		in, out := &in.MinIInterval, &out.MinIInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NumRefFrames != nil {
+		in, out := &in.NumRefFrames, &out.NumRefFrames
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParControl != nil {
+		in, out := &in.ParControl, &out.ParControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParDenominator != nil {
+		in, out := &in.ParDenominator, &out.ParDenominator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParNumerator != nil {
+		in, out := &in.ParNumerator, &out.ParNumerator
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Profile != nil {
+		in, out := &in.Profile, &out.Profile
+		*out = new(string)
+		**out = **in
+	}
+	if in.QualityLevel != nil {
+		in, out := &in.QualityLevel, &out.QualityLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.QvbrQualityLevel != nil {
+		in, out := &in.QvbrQualityLevel, &out.QvbrQualityLevel
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RateControlMode != nil {
+		in, out := &in.RateControlMode, &out.RateControlMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScanType != nil {
+		in, out := &in.ScanType, &out.ScanType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SceneChangeDetect != nil {
+		in, out := &in.SceneChangeDetect, &out.SceneChangeDetect
+		*out = new(string)
+		**out = **in
+	}
+	if in.Slices != nil {
+		in, out := &in.Slices, &out.Slices
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Softness != nil {
+		in, out := &in.Softness, &out.Softness
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SpatialAq != nil {
+		in, out := &in.SpatialAq, &out.SpatialAq
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubgopLength != nil {
+		in, out := &in.SubgopLength, &out.SubgopLength
+		*out = new(string)
+		**out = **in
+	}
+	if in.Syntax != nil {
+		in, out := &in.Syntax, &out.Syntax
 		*out = new(string)
 		**out = **in
 	}
-	if in.NielsenId3Behavior != nil {
-		in, out := &in.NielsenId3Behavior, &out.NielsenId3Behavior
+	if in.TemporalAq != nil {
+		in, out := &in.TemporalAq, &out.TemporalAq
 		*out = new(string)
 		**out = **in
 	}
-	if in.TimedMetadataBehavior != nil {
-		in, out := &in.TimedMetadataBehavior, &out.TimedMetadataBehavior
+	if in.TimecodeInsertion != nil {
+		in, out := &in.TimecodeInsertion, &out.TimecodeInsertion
 		*out = new(string)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Fmp4HlsSettingsParameters.
-func (in *Fmp4HlsSettingsParameters) DeepCopy() *Fmp4HlsSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new H264SettingsParameters.
+func (in *H264SettingsParameters) DeepCopy() *H264SettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(Fmp4HlsSettingsParameters)
+	out := new(H264SettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureCdnSettingsObservation) DeepCopyInto(out *FrameCaptureCdnSettingsObservation) {
+func (in *HlsAkamaiSettingsObservation) DeepCopyInto(out *HlsAkamaiSettingsObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureCdnSettingsObservation.
-func (in *FrameCaptureCdnSettingsObservation) DeepCopy() *FrameCaptureCdnSettingsObservation {
-	if in == nil {
-		return nil
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(FrameCaptureCdnSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureCdnSettingsParameters) DeepCopyInto(out *FrameCaptureCdnSettingsParameters) {
-	*out = *in
-	if in.FrameCaptureS3Settings != nil {
-		in, out := &in.FrameCaptureS3Settings, &out.FrameCaptureS3Settings
-		*out = make([]FrameCaptureS3SettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.FilecacheDuration != nil {
+		in, out := &in.FilecacheDuration, &out.FilecacheDuration
+		*out = new(float64)
+		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureCdnSettingsParameters.
-func (in *FrameCaptureCdnSettingsParameters) DeepCopy() *FrameCaptureCdnSettingsParameters {
-	if in == nil {
-		return nil
+	if in.HTTPTransferMode != nil {
+		in, out := &in.HTTPTransferMode, &out.HTTPTransferMode
+		*out = new(string)
+		**out = **in
 	}
-	out := new(FrameCaptureCdnSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureGroupSettingsDestinationObservation) DeepCopyInto(out *FrameCaptureGroupSettingsDestinationObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsDestinationObservation.
-func (in *FrameCaptureGroupSettingsDestinationObservation) DeepCopy() *FrameCaptureGroupSettingsDestinationObservation {
-	if in == nil {
-		return nil
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(FrameCaptureGroupSettingsDestinationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureGroupSettingsDestinationParameters) DeepCopyInto(out *FrameCaptureGroupSettingsDestinationParameters) {
-	*out = *in
-	if in.DestinationRefID != nil {
-		in, out := &in.DestinationRefID, &out.DestinationRefID
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Salt != nil {
+		in, out := &in.Salt, &out.Salt
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsDestinationParameters.
-func (in *FrameCaptureGroupSettingsDestinationParameters) DeepCopy() *FrameCaptureGroupSettingsDestinationParameters {
-	if in == nil {
-		return nil
+	if in.Token != nil {
+		in, out := &in.Token, &out.Token
+		*out = new(string)
+		**out = **in
 	}
-	out := new(FrameCaptureGroupSettingsDestinationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureGroupSettingsObservation) DeepCopyInto(out *FrameCaptureGroupSettingsObservation) {
-	*out = *in
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsObservation.
-func (in *FrameCaptureGroupSettingsObservation) DeepCopy() *FrameCaptureGroupSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsAkamaiSettingsObservation.
+func (in *HlsAkamaiSettingsObservation) DeepCopy() *HlsAkamaiSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FrameCaptureGroupSettingsObservation)
+	out := new(HlsAkamaiSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureGroupSettingsParameters) DeepCopyInto(out *FrameCaptureGroupSettingsParameters) {
+func (in *HlsAkamaiSettingsParameters) DeepCopyInto(out *HlsAkamaiSettingsParameters) {
 	*out = *in
-	if in.Destination != nil {
-		in, out := &in.Destination, &out.Destination
-		*out = make([]FrameCaptureGroupSettingsDestinationParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
 	}
-	if in.FrameCaptureCdnSettings != nil {
-		in, out := &in.FrameCaptureCdnSettings, &out.FrameCaptureCdnSettings
-		*out = make([]FrameCaptureCdnSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.FilecacheDuration != nil {
+		in, out := &in.FilecacheDuration, &out.FilecacheDuration
+		*out = new(float64)
+		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureGroupSettingsParameters.
-func (in *FrameCaptureGroupSettingsParameters) DeepCopy() *FrameCaptureGroupSettingsParameters {
-	if in == nil {
-		return nil
+	if in.HTTPTransferMode != nil {
+		in, out := &in.HTTPTransferMode, &out.HTTPTransferMode
+		*out = new(string)
+		**out = **in
 	}
-	out := new(FrameCaptureGroupSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureHlsSettingsObservation) DeepCopyInto(out *FrameCaptureHlsSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureHlsSettingsObservation.
-func (in *FrameCaptureHlsSettingsObservation) DeepCopy() *FrameCaptureHlsSettingsObservation {
-	if in == nil {
-		return nil
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(FrameCaptureHlsSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureHlsSettingsParameters) DeepCopyInto(out *FrameCaptureHlsSettingsParameters) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureHlsSettingsParameters.
-func (in *FrameCaptureHlsSettingsParameters) DeepCopy() *FrameCaptureHlsSettingsParameters {
-	if in == nil {
-		return nil
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Salt != nil {
+		in, out := &in.Salt, &out.Salt
+		*out = new(string)
+		**out = **in
+	}
+	if in.Token != nil {
+		in, out := &in.Token, &out.Token
+		*out = new(string)
+		**out = **in
 	}
-	out := new(FrameCaptureHlsSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureOutputSettingsObservation) DeepCopyInto(out *FrameCaptureOutputSettingsObservation) {
-	*out = *in
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureOutputSettingsObservation.
-func (in *FrameCaptureOutputSettingsObservation) DeepCopy() *FrameCaptureOutputSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsAkamaiSettingsParameters.
+func (in *HlsAkamaiSettingsParameters) DeepCopy() *HlsAkamaiSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(FrameCaptureOutputSettingsObservation)
+	out := new(HlsAkamaiSettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureOutputSettingsParameters) DeepCopyInto(out *FrameCaptureOutputSettingsParameters) {
+func (in *HlsBasicPutSettingsObservation) DeepCopyInto(out *HlsBasicPutSettingsObservation) {
 	*out = *in
-	if in.NameModifier != nil {
-		in, out := &in.NameModifier, &out.NameModifier
-		*out = new(string)
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FilecacheDuration != nil {
+		in, out := &in.FilecacheDuration, &out.FilecacheDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureOutputSettingsParameters.
-func (in *FrameCaptureOutputSettingsParameters) DeepCopy() *FrameCaptureOutputSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsBasicPutSettingsObservation.
+func (in *HlsBasicPutSettingsObservation) DeepCopy() *HlsBasicPutSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FrameCaptureOutputSettingsParameters)
+	out := new(HlsBasicPutSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureS3SettingsObservation) DeepCopyInto(out *FrameCaptureS3SettingsObservation) {
+func (in *HlsBasicPutSettingsParameters) DeepCopyInto(out *HlsBasicPutSettingsParameters) {
 	*out = *in
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FilecacheDuration != nil {
+		in, out := &in.FilecacheDuration, &out.FilecacheDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureS3SettingsObservation.
-func (in *FrameCaptureS3SettingsObservation) DeepCopy() *FrameCaptureS3SettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsBasicPutSettingsParameters.
+func (in *HlsBasicPutSettingsParameters) DeepCopy() *HlsBasicPutSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(FrameCaptureS3SettingsObservation)
+	out := new(HlsBasicPutSettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureS3SettingsParameters) DeepCopyInto(out *FrameCaptureS3SettingsParameters) {
+func (in *HlsCdnSettingsObservation) DeepCopyInto(out *HlsCdnSettingsObservation) {
 	*out = *in
-	if in.CannedACL != nil {
-		in, out := &in.CannedACL, &out.CannedACL
-		*out = new(string)
-		**out = **in
+	if in.HlsAkamaiSettings != nil {
+		in, out := &in.HlsAkamaiSettings, &out.HlsAkamaiSettings
+		*out = make([]HlsAkamaiSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsBasicPutSettings != nil {
+		in, out := &in.HlsBasicPutSettings, &out.HlsBasicPutSettings
+		*out = make([]HlsBasicPutSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsMediaStoreSettings != nil {
+		in, out := &in.HlsMediaStoreSettings, &out.HlsMediaStoreSettings
+		*out = make([]HlsMediaStoreSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsS3Settings != nil {
+		in, out := &in.HlsS3Settings, &out.HlsS3Settings
+		*out = make([]HlsS3SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsWebdavSettings != nil {
+		in, out := &in.HlsWebdavSettings, &out.HlsWebdavSettings
+		*out = make([]HlsWebdavSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureS3SettingsParameters.
-func (in *FrameCaptureS3SettingsParameters) DeepCopy() *FrameCaptureS3SettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsCdnSettingsObservation.
+func (in *HlsCdnSettingsObservation) DeepCopy() *HlsCdnSettingsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FrameCaptureS3SettingsParameters)
+	out := new(HlsCdnSettingsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureSettingsObservation) DeepCopyInto(out *FrameCaptureSettingsObservation) {
+func (in *HlsCdnSettingsParameters) DeepCopyInto(out *HlsCdnSettingsParameters) {
 	*out = *in
+	if in.HlsAkamaiSettings != nil {
+		in, out := &in.HlsAkamaiSettings, &out.HlsAkamaiSettings
+		*out = make([]HlsAkamaiSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsBasicPutSettings != nil {
+		in, out := &in.HlsBasicPutSettings, &out.HlsBasicPutSettings
+		*out = make([]HlsBasicPutSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsMediaStoreSettings != nil {
+		in, out := &in.HlsMediaStoreSettings, &out.HlsMediaStoreSettings
+		*out = make([]HlsMediaStoreSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsS3Settings != nil {
+		in, out := &in.HlsS3Settings, &out.HlsS3Settings
+		*out = make([]HlsS3SettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsWebdavSettings != nil {
+		in, out := &in.HlsWebdavSettings, &out.HlsWebdavSettings
+		*out = make([]HlsWebdavSettingsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureSettingsObservation.
-func (in *FrameCaptureSettingsObservation) DeepCopy() *FrameCaptureSettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsCdnSettingsParameters.
+func (in *HlsCdnSettingsParameters) DeepCopy() *HlsCdnSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(FrameCaptureSettingsObservation)
+	out := new(HlsCdnSettingsParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FrameCaptureSettingsParameters) DeepCopyInto(out *FrameCaptureSettingsParameters) {
+func (in *HlsGroupSettingsDestinationObservation) DeepCopyInto(out *HlsGroupSettingsDestinationObservation) {
 	*out = *in
-	if in.CaptureInterval != nil {
-		in, out := &in.CaptureInterval, &out.CaptureInterval
-		*out = new(float64)
-		**out = **in
-	}
-	if in.CaptureIntervalUnits != nil {
-		in, out := &in.CaptureIntervalUnits, &out.CaptureIntervalUnits
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
 		*out = new(string)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FrameCaptureSettingsParameters.
-func (in *FrameCaptureSettingsParameters) DeepCopy() *FrameCaptureSettingsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsGroupSettingsDestinationObservation.
+func (in *HlsGroupSettingsDestinationObservation) DeepCopy() *HlsGroupSettingsDestinationObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FrameCaptureSettingsParameters)
+	out := new(HlsGroupSettingsDestinationObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *H264SettingsObservation) DeepCopyInto(out *H264SettingsObservation) {
+func (in *HlsGroupSettingsDestinationParameters) DeepCopyInto(out *HlsGroupSettingsDestinationParameters) {
 	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new H264SettingsObservation.
-func (in *H264SettingsObservation) DeepCopy() *H264SettingsObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsGroupSettingsDestinationParameters.
+func (in *HlsGroupSettingsDestinationParameters) DeepCopy() *HlsGroupSettingsDestinationParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(H264SettingsObservation)
+	out := new(HlsGroupSettingsDestinationParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *H264SettingsParameters) DeepCopyInto(out *H264SettingsParameters) {
+func (in *HlsGroupSettingsObservation) DeepCopyInto(out *HlsGroupSettingsObservation) {
 	*out = *in
-	if in.AdaptiveQuantization != nil {
-		in, out := &in.AdaptiveQuantization, &out.AdaptiveQuantization
-		*out = new(string)
-		**out = **in
-	}
-	if in.AfdSignaling != nil {
-		in, out := &in.AfdSignaling, &out.AfdSignaling
-		*out = new(string)
-		**out = **in
-	}
-	if in.Bitrate != nil {
-		in, out := &in.Bitrate, &out.Bitrate
-		*out = new(float64)
-		**out = **in
-	}
-	if in.BufFillPct != nil {
-		in, out := &in.BufFillPct, &out.BufFillPct
-		*out = new(float64)
-		**out = **in
-	}
-	if in.BufSize != nil {
-		in, out := &in.BufSize, &out.BufSize
-		*out = new(float64)
-		**out = **in
-	}
-	if in.ColorMetadata != nil {
-		in, out := &in.ColorMetadata, &out.ColorMetadata
-		*out = new(string)
-		**out = **in
-	}
-	if in.EntropyEncoding != nil {
-		in, out := &in.EntropyEncoding, &out.EntropyEncoding
-		*out = new(string)
-		**out = **in
-	}
-	if in.FilterSettings != nil {
-		in, out := &in.FilterSettings, &out.FilterSettings
-		*out = make([]FilterSettingsParameters, len(*in))
+	if in.AdMarkers != nil {
+		in, out := &in.AdMarkers, &out.AdMarkers
+		*out = make([]*string, len(*in))
 		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.FixedAfd != nil {
-		in, out := &in.FixedAfd, &out.FixedAfd
-		*out = new(string)
-		**out = **in
-	}
-	if in.FlickerAq != nil {
-		in, out := &in.FlickerAq, &out.FlickerAq
-		*out = new(string)
-		**out = **in
-	}
-	if in.ForceFieldPictures != nil {
-		in, out := &in.ForceFieldPictures, &out.ForceFieldPictures
-		*out = new(string)
-		**out = **in
-	}
-	if in.FramerateControl != nil {
-		in, out := &in.FramerateControl, &out.FramerateControl
-		*out = new(string)
-		**out = **in
-	}
-	if in.FramerateDenominator != nil {
-		in, out := &in.FramerateDenominator, &out.FramerateDenominator
-		*out = new(float64)
-		**out = **in
-	}
-	if in.FramerateNumerator != nil {
-		in, out := &in.FramerateNumerator, &out.FramerateNumerator
-		*out = new(float64)
-		**out = **in
-	}
-	if in.GopBReference != nil {
-		in, out := &in.GopBReference, &out.GopBReference
-		*out = new(string)
-		**out = **in
-	}
-	if in.GopClosedCadence != nil {
-		in, out := &in.GopClosedCadence, &out.GopClosedCadence
-		*out = new(float64)
-		**out = **in
-	}
-	if in.GopNumBFrames != nil {
-		in, out := &in.GopNumBFrames, &out.GopNumBFrames
-		*out = new(float64)
-		**out = **in
-	}
-	if in.GopSize != nil {
-		in, out := &in.GopSize, &out.GopSize
-		*out = new(float64)
-		**out = **in
-	}
-	if in.GopSizeUnits != nil {
-		in, out := &in.GopSizeUnits, &out.GopSizeUnits
-		*out = new(string)
-		**out = **in
-	}
-	if in.Level != nil {
-		in, out := &in.Level, &out.Level
-		*out = new(string)
-		**out = **in
-	}
-	if in.LookAheadRateControl != nil {
-		in, out := &in.LookAheadRateControl, &out.LookAheadRateControl
-		*out = new(string)
-		**out = **in
-	}
-	if in.MaxBitrate != nil {
-		in, out := &in.MaxBitrate, &out.MaxBitrate
-		*out = new(float64)
-		**out = **in
-	}
-	if in.MinIInterval != nil {
-		in, out := &in.MinIInterval, &out.MinIInterval
-		*out = new(float64)
-		**out = **in
-	}
-	if in.NumRefFrames != nil {
-		in, out := &in.NumRefFrames, &out.NumRefFrames
-		*out = new(float64)
-		**out = **in
-	}
-	if in.ParControl != nil {
-		in, out := &in.ParControl, &out.ParControl
-		*out = new(string)
-		**out = **in
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
 	}
-	if in.ParDenominator != nil {
-		in, out := &in.ParDenominator, &out.ParDenominator
-		*out = new(float64)
+	if in.BaseURLContent != nil {
+		in, out := &in.BaseURLContent, &out.BaseURLContent
+		*out = new(string)
 		**out = **in
 	}
-	if in.ParNumerator != nil {
-		in, out := &in.ParNumerator, &out.ParNumerator
-		*out = new(float64)
+	if in.BaseURLContent1 != nil {
+		in, out := &in.BaseURLContent1, &out.BaseURLContent1
+		*out = new(string)
 		**out = **in
 	}
-	if in.Profile != nil {
-		in, out := &in.Profile, &out.Profile
+	if in.BaseURLManifest != nil {
+		in, out := &in.BaseURLManifest, &out.BaseURLManifest
 		*out = new(string)
 		**out = **in
 	}
-	if in.QualityLevel != nil {
-		in, out := &in.QualityLevel, &out.QualityLevel
+	if in.BaseURLManifest1 != nil {
+		in, out := &in.BaseURLManifest1, &out.BaseURLManifest1
 		*out = new(string)
 		**out = **in
 	}
-	if in.QvbrQualityLevel != nil {
-		in, out := &in.QvbrQualityLevel, &out.QvbrQualityLevel
-		*out = new(float64)
-		**out = **in
+	if in.CaptionLanguageMappings != nil {
+		in, out := &in.CaptionLanguageMappings, &out.CaptionLanguageMappings
+		*out = make([]CaptionLanguageMappingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.RateControlMode != nil {
-		in, out := &in.RateControlMode, &out.RateControlMode
+	if in.CaptionLanguageSetting != nil {
+		in, out := &in.CaptionLanguageSetting, &out.CaptionLanguageSetting
 		*out = new(string)
 		**out = **in
 	}
-	if in.ScanType != nil {
-		in, out := &in.ScanType, &out.ScanType
+	if in.ClientCache != nil {
+		in, out := &in.ClientCache, &out.ClientCache
 		*out = new(string)
 		**out = **in
 	}
-	if in.SceneChangeDetect != nil {
-		in, out := &in.SceneChangeDetect, &out.SceneChangeDetect
+	if in.CodecSpecification != nil {
+		in, out := &in.CodecSpecification, &out.CodecSpecification
 		*out = new(string)
 		**out = **in
 	}
-	if in.Slices != nil {
-		in, out := &in.Slices, &out.Slices
-		*out = new(float64)
+	if in.ConstantIv != nil {
+		in, out := &in.ConstantIv, &out.ConstantIv
+		*out = new(string)
 		**out = **in
 	}
-	if in.Softness != nil {
-		in, out := &in.Softness, &out.Softness
-		*out = new(float64)
-		**out = **in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]HlsGroupSettingsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.SpatialAq != nil {
-		in, out := &in.SpatialAq, &out.SpatialAq
+	if in.DirectoryStructure != nil {
+		in, out := &in.DirectoryStructure, &out.DirectoryStructure
 		*out = new(string)
 		**out = **in
 	}
-	if in.SubgopLength != nil {
-		in, out := &in.SubgopLength, &out.SubgopLength
+	if in.DiscontinuityTags != nil {
+		in, out := &in.DiscontinuityTags, &out.DiscontinuityTags
 		*out = new(string)
 		**out = **in
 	}
-	if in.Syntax != nil {
-		in, out := &in.Syntax, &out.Syntax
+	if in.EncryptionType != nil {
+		in, out := &in.EncryptionType, &out.EncryptionType
 		*out = new(string)
 		**out = **in
 	}
-	if in.TemporalAq != nil {
-		in, out := &in.TemporalAq, &out.TemporalAq
+	if in.HlsCdnSettings != nil {
+		in, out := &in.HlsCdnSettings, &out.HlsCdnSettings
+		*out = make([]HlsCdnSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsId3SegmentTagging != nil {
+		in, out := &in.HlsId3SegmentTagging, &out.HlsId3SegmentTagging
 		*out = new(string)
 		**out = **in
 	}
-	if in.TimecodeInsertion != nil {
-		in, out := &in.TimecodeInsertion, &out.TimecodeInsertion
+	if in.IframeOnlyPlaylists != nil {
+		in, out := &in.IframeOnlyPlaylists, &out.IframeOnlyPlaylists
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new H264SettingsParameters.
-func (in *H264SettingsParameters) DeepCopy() *H264SettingsParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(H264SettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsAkamaiSettingsObservation) DeepCopyInto(out *HlsAkamaiSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsAkamaiSettingsObservation.
-func (in *HlsAkamaiSettingsObservation) DeepCopy() *HlsAkamaiSettingsObservation {
-	if in == nil {
-		return nil
+	if in.IncompleteSegmentBehavior != nil {
+		in, out := &in.IncompleteSegmentBehavior, &out.IncompleteSegmentBehavior
+		*out = new(string)
+		**out = **in
 	}
-	out := new(HlsAkamaiSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsAkamaiSettingsParameters) DeepCopyInto(out *HlsAkamaiSettingsParameters) {
-	*out = *in
-	if in.ConnectionRetryInterval != nil {
-		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+	if in.IndexNSegments != nil {
+		in, out := &in.IndexNSegments, &out.IndexNSegments
 		*out = new(float64)
 		**out = **in
 	}
-	if in.FilecacheDuration != nil {
-		in, out := &in.FilecacheDuration, &out.FilecacheDuration
-		*out = new(float64)
+	if in.InputLossAction != nil {
+		in, out := &in.InputLossAction, &out.InputLossAction
+		*out = new(string)
 		**out = **in
 	}
-	if in.HTTPTransferMode != nil {
-		in, out := &in.HTTPTransferMode, &out.HTTPTransferMode
+	if in.IvInManifest != nil {
+		in, out := &in.IvInManifest, &out.IvInManifest
 		*out = new(string)
 		**out = **in
 	}
-	if in.NumRetries != nil {
-		in, out := &in.NumRetries, &out.NumRetries
-		*out = new(float64)
+	if in.IvSource != nil {
+		in, out := &in.IvSource, &out.IvSource
+		*out = new(string)
 		**out = **in
 	}
-	if in.RestartDelay != nil {
-		in, out := &in.RestartDelay, &out.RestartDelay
+	if in.KeepSegments != nil {
+		in, out := &in.KeepSegments, &out.KeepSegments
 		*out = new(float64)
 		**out = **in
 	}
-	if in.Salt != nil {
-		in, out := &in.Salt, &out.Salt
+	if in.KeyFormat != nil {
+		in, out := &in.KeyFormat, &out.KeyFormat
 		*out = new(string)
 		**out = **in
 	}
-	if in.Token != nil {
-		in, out := &in.Token, &out.Token
+	if in.KeyFormatVersions != nil {
+		in, out := &in.KeyFormatVersions, &out.KeyFormatVersions
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsAkamaiSettingsParameters.
-func (in *HlsAkamaiSettingsParameters) DeepCopy() *HlsAkamaiSettingsParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(HlsAkamaiSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsBasicPutSettingsObservation) DeepCopyInto(out *HlsBasicPutSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsBasicPutSettingsObservation.
-func (in *HlsBasicPutSettingsObservation) DeepCopy() *HlsBasicPutSettingsObservation {
-	if in == nil {
-		return nil
+	if in.KeyProviderSettings != nil {
+		in, out := &in.KeyProviderSettings, &out.KeyProviderSettings
+		*out = make([]KeyProviderSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(HlsBasicPutSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsBasicPutSettingsParameters) DeepCopyInto(out *HlsBasicPutSettingsParameters) {
-	*out = *in
-	if in.ConnectionRetryInterval != nil {
-		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
-		*out = new(float64)
+	if in.ManifestCompression != nil {
+		in, out := &in.ManifestCompression, &out.ManifestCompression
+		*out = new(string)
 		**out = **in
 	}
-	if in.FilecacheDuration != nil {
-		in, out := &in.FilecacheDuration, &out.FilecacheDuration
-		*out = new(float64)
+	if in.ManifestDurationFormat != nil {
+		in, out := &in.ManifestDurationFormat, &out.ManifestDurationFormat
+		*out = new(string)
 		**out = **in
 	}
-	if in.NumRetries != nil {
-		in, out := &in.NumRetries, &out.NumRetries
+	if in.MinSegmentLength != nil {
+		in, out := &in.MinSegmentLength, &out.MinSegmentLength
 		*out = new(float64)
 		**out = **in
 	}
-	if in.RestartDelay != nil {
-		in, out := &in.RestartDelay, &out.RestartDelay
-		*out = new(float64)
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsBasicPutSettingsParameters.
-func (in *HlsBasicPutSettingsParameters) DeepCopy() *HlsBasicPutSettingsParameters {
-	if in == nil {
-		return nil
+	if in.OutputSelection != nil {
+		in, out := &in.OutputSelection, &out.OutputSelection
+		*out = new(string)
+		**out = **in
 	}
-	out := new(HlsBasicPutSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsCdnSettingsObservation) DeepCopyInto(out *HlsCdnSettingsObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsCdnSettingsObservation.
-func (in *HlsCdnSettingsObservation) DeepCopy() *HlsCdnSettingsObservation {
-	if in == nil {
-		return nil
+	if in.ProgramDateTime != nil {
+		in, out := &in.ProgramDateTime, &out.ProgramDateTime
+		*out = new(string)
+		**out = **in
 	}
-	out := new(HlsCdnSettingsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsCdnSettingsParameters) DeepCopyInto(out *HlsCdnSettingsParameters) {
-	*out = *in
-	if in.HlsAkamaiSettings != nil {
-		in, out := &in.HlsAkamaiSettings, &out.HlsAkamaiSettings
-		*out = make([]HlsAkamaiSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.ProgramDateTimeClock != nil {
+		in, out := &in.ProgramDateTimeClock, &out.ProgramDateTimeClock
+		*out = new(string)
+		**out = **in
 	}
-	if in.HlsBasicPutSettings != nil {
-		in, out := &in.HlsBasicPutSettings, &out.HlsBasicPutSettings
-		*out = make([]HlsBasicPutSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.ProgramDateTimePeriod != nil {
+		in, out := &in.ProgramDateTimePeriod, &out.ProgramDateTimePeriod
+		*out = new(float64)
+		**out = **in
 	}
-	if in.HlsMediaStoreSettings != nil {
-		in, out := &in.HlsMediaStoreSettings, &out.HlsMediaStoreSettings
-		*out = make([]HlsMediaStoreSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.RedundantManifest != nil {
+		in, out := &in.RedundantManifest, &out.RedundantManifest
+		*out = new(string)
+		**out = **in
 	}
-	if in.HlsS3Settings != nil {
-		in, out := &in.HlsS3Settings, &out.HlsS3Settings
-		*out = make([]HlsS3SettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.SegmentLength != nil {
+		in, out := &in.SegmentLength, &out.SegmentLength
+		*out = new(float64)
+		**out = **in
 	}
-	if in.HlsWebdavSettings != nil {
-		in, out := &in.HlsWebdavSettings, &out.HlsWebdavSettings
-		*out = make([]HlsWebdavSettingsParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.SegmentsPerSubdirectory != nil {
+		in, out := &in.SegmentsPerSubdirectory, &out.SegmentsPerSubdirectory
+		*out = new(float64)
+		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsCdnSettingsParameters.
-func (in *HlsCdnSettingsParameters) DeepCopy() *HlsCdnSettingsParameters {
-	if in == nil {
-		return nil
+	if in.StreamInfResolution != nil {
+		in, out := &in.StreamInfResolution, &out.StreamInfResolution
+		*out = new(string)
+		**out = **in
 	}
-	out := new(HlsCdnSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsGroupSettingsDestinationObservation) DeepCopyInto(out *HlsGroupSettingsDestinationObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsGroupSettingsDestinationObservation.
-func (in *HlsGroupSettingsDestinationObservation) DeepCopy() *HlsGroupSettingsDestinationObservation {
-	if in == nil {
-		return nil
+	if in.TSFileMode != nil {
+		in, out := &in.TSFileMode, &out.TSFileMode
+		*out = new(string)
+		**out = **in
 	}
-	out := new(HlsGroupSettingsDestinationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsGroupSettingsDestinationParameters) DeepCopyInto(out *HlsGroupSettingsDestinationParameters) {
-	*out = *in
-	if in.DestinationRefID != nil {
-		in, out := &in.DestinationRefID, &out.DestinationRefID
+	if in.TimedMetadataId3Frame != nil {
+		in, out := &in.TimedMetadataId3Frame, &out.TimedMetadataId3Frame
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsGroupSettingsDestinationParameters.
-func (in *HlsGroupSettingsDestinationParameters) DeepCopy() *HlsGroupSettingsDestinationParameters {
-	if in == nil {
-		return nil
+	if in.TimedMetadataId3Period != nil {
+		in, out := &in.TimedMetadataId3Period, &out.TimedMetadataId3Period
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TimestampDeltaMilliseconds != nil {
+		in, out := &in.TimestampDeltaMilliseconds, &out.TimestampDeltaMilliseconds
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(HlsGroupSettingsDestinationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HlsGroupSettingsObservation) DeepCopyInto(out *HlsGroupSettingsObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsGroupSettingsObservation.
@@ -3603,6 +5327,31 @@ func (in *HlsGroupSettingsParameters) DeepCopy() *HlsGroupSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HlsInputSettingsObservation) DeepCopyInto(out *HlsInputSettingsObservation) {
 	*out = *in
+	if in.Bandwidth != nil {
+		in, out := &in.Bandwidth, &out.Bandwidth
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferSegments != nil {
+		in, out := &in.BufferSegments, &out.BufferSegments
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Retries != nil {
+		in, out := &in.Retries, &out.Retries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RetryInterval != nil {
+		in, out := &in.RetryInterval, &out.RetryInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Scte35Source != nil {
+		in, out := &in.Scte35Source, &out.Scte35Source
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsInputSettingsObservation.
@@ -3658,6 +5407,31 @@ func (in *HlsInputSettingsParameters) DeepCopy() *HlsInputSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HlsMediaStoreSettingsObservation) DeepCopyInto(out *HlsMediaStoreSettingsObservation) {
 	*out = *in
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FilecacheDuration != nil {
+		in, out := &in.FilecacheDuration, &out.FilecacheDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MediaStoreStorageClass != nil {
+		in, out := &in.MediaStoreStorageClass, &out.MediaStoreStorageClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsMediaStoreSettingsObservation.
@@ -3713,6 +5487,28 @@ func (in *HlsMediaStoreSettingsParameters) DeepCopy() *HlsMediaStoreSettingsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HlsOutputSettingsObservation) DeepCopyInto(out *HlsOutputSettingsObservation) {
 	*out = *in
+	if in.H265PackagingType != nil {
+		in, out := &in.H265PackagingType, &out.H265PackagingType
+		*out = new(string)
+		**out = **in
+	}
+	if in.HlsSettings != nil {
+		in, out := &in.HlsSettings, &out.HlsSettings
+		*out = make([]HlsSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NameModifier != nil {
+		in, out := &in.NameModifier, &out.NameModifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.SegmentModifier != nil {
+		in, out := &in.SegmentModifier, &out.SegmentModifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsOutputSettingsObservation.
@@ -3765,6 +5561,11 @@ func (in *HlsOutputSettingsParameters) DeepCopy() *HlsOutputSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HlsS3SettingsObservation) DeepCopyInto(out *HlsS3SettingsObservation) {
 	*out = *in
+	if in.CannedACL != nil {
+		in, out := &in.CannedACL, &out.CannedACL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsS3SettingsObservation.
@@ -3800,6 +5601,32 @@ func (in *HlsS3SettingsParameters) DeepCopy() *HlsS3SettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HlsSettingsObservation) DeepCopyInto(out *HlsSettingsObservation) {
 	*out = *in
+	if in.AudioOnlyHlsSettings != nil {
+		in, out := &in.AudioOnlyHlsSettings, &out.AudioOnlyHlsSettings
+		*out = make([]AudioOnlyHlsSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Fmp4HlsSettings != nil {
+		in, out := &in.Fmp4HlsSettings, &out.Fmp4HlsSettings
+		*out = make([]Fmp4HlsSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FrameCaptureHlsSettings != nil {
+		in, out := &in.FrameCaptureHlsSettings, &out.FrameCaptureHlsSettings
+		*out = make([]FrameCaptureHlsSettingsParameters, len(*in))
+		copy(*out, *in)
+	}
+	if in.StandardHlsSettings != nil {
+		in, out := &in.StandardHlsSettings, &out.StandardHlsSettings
+		*out = make([]StandardHlsSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsSettingsObservation.
@@ -3856,6 +5683,31 @@ func (in *HlsSettingsParameters) DeepCopy() *HlsSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HlsWebdavSettingsObservation) DeepCopyInto(out *HlsWebdavSettingsObservation) {
 	*out = *in
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FilecacheDuration != nil {
+		in, out := &in.FilecacheDuration, &out.FilecacheDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPTransferMode != nil {
+		in, out := &in.HTTPTransferMode, &out.HTTPTransferMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HlsWebdavSettingsObservation.
@@ -3938,6 +5790,30 @@ func (in *Input) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputAttachmentsObservation) DeepCopyInto(out *InputAttachmentsObservation) {
 	*out = *in
+	if in.AutomaticInputFailoverSettings != nil {
+		in, out := &in.AutomaticInputFailoverSettings, &out.AutomaticInputFailoverSettings
+		*out = make([]AutomaticInputFailoverSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InputAttachmentName != nil {
+		in, out := &in.InputAttachmentName, &out.InputAttachmentName
+		*out = new(string)
+		**out = **in
+	}
+	if in.InputID != nil {
+		in, out := &in.InputID, &out.InputID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InputSettings != nil {
+		in, out := &in.InputSettings, &out.InputSettings
+		*out = make([]InputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputAttachmentsObservation.
@@ -4002,6 +5878,16 @@ func (in *InputAttachmentsParameters) DeepCopy() *InputAttachmentsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputChannelLevelsObservation) DeepCopyInto(out *InputChannelLevelsObservation) {
 	*out = *in
+	if in.Gain != nil {
+		in, out := &in.Gain, &out.Gain
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InputChannel != nil {
+		in, out := &in.InputChannel, &out.InputChannel
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputChannelLevelsObservation.
@@ -4042,6 +5928,11 @@ func (in *InputChannelLevelsParameters) DeepCopy() *InputChannelLevelsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputDestinationsObservation) DeepCopyInto(out *InputDestinationsObservation) {
 	*out = *in
+	if in.StreamName != nil {
+		in, out := &in.StreamName, &out.StreamName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputDestinationsObservation.
@@ -4077,6 +5968,11 @@ func (in *InputDestinationsParameters) DeepCopy() *InputDestinationsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputDevicesObservation) DeepCopyInto(out *InputDevicesObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputDevicesObservation.
@@ -4144,6 +6040,11 @@ func (in *InputList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputLossSettingsObservation) DeepCopyInto(out *InputLossSettingsObservation) {
 	*out = *in
+	if in.InputLossThresholdMsec != nil {
+		in, out := &in.InputLossThresholdMsec, &out.InputLossThresholdMsec
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputLossSettingsObservation.
@@ -4195,6 +6096,13 @@ func (in *InputObservation) DeepCopyInto(out *InputObservation) {
 			}
 		}
 	}
+	if in.Destinations != nil {
+		in, out := &in.Destinations, &out.Destinations
+		*out = make([]InputDestinationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -4205,6 +6113,13 @@ func (in *InputObservation) DeepCopyInto(out *InputObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.InputDevices != nil {
+		in, out := &in.InputDevices, &out.InputDevices
+		*out = make([]InputDevicesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.InputPartnerIds != nil {
 		in, out := &in.InputPartnerIds, &out.InputPartnerIds
 		*out = make([]*string, len(*in))
@@ -4216,11 +6131,61 @@ func (in *InputObservation) DeepCopyInto(out *InputObservation) {
 			}
 		}
 	}
+	if in.InputSecurityGroups != nil {
+		in, out := &in.InputSecurityGroups, &out.InputSecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.InputSourceType != nil {
 		in, out := &in.InputSourceType, &out.InputSourceType
 		*out = new(string)
 		**out = **in
 	}
+	if in.MediaConnectFlows != nil {
+		in, out := &in.MediaConnectFlows, &out.MediaConnectFlows
+		*out = make([]MediaConnectFlowsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Sources != nil {
+		in, out := &in.Sources, &out.Sources
+		*out = make([]SourcesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4236,6 +6201,18 @@ func (in *InputObservation) DeepCopyInto(out *InputObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPC != nil {
+		in, out := &in.VPC, &out.VPC
+		*out = make([]InputVPCObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputObservation.
@@ -4437,6 +6414,21 @@ func (in *InputSecurityGroupObservation) DeepCopyInto(out *InputSecurityGroupObs
 			}
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4452,6 +6444,13 @@ func (in *InputSecurityGroupObservation) DeepCopyInto(out *InputSecurityGroupObs
 			(*out)[key] = outVal
 		}
 	}
+	if in.WhitelistRules != nil {
+		in, out := &in.WhitelistRules, &out.WhitelistRules
+		*out = make([]WhitelistRulesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputSecurityGroupObservation.
@@ -4543,6 +6542,69 @@ func (in *InputSecurityGroupStatus) DeepCopy() *InputSecurityGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputSettingsObservation) DeepCopyInto(out *InputSettingsObservation) {
 	*out = *in
+	if in.AudioSelector != nil {
+		in, out := &in.AudioSelector, &out.AudioSelector
+		*out = make([]AudioSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CaptionSelector != nil {
+		in, out := &in.CaptionSelector, &out.CaptionSelector
+		*out = make([]CaptionSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeblockFilter != nil {
+		in, out := &in.DeblockFilter, &out.DeblockFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.DenoiseFilter != nil {
+		in, out := &in.DenoiseFilter, &out.DenoiseFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterStrength != nil {
+		in, out := &in.FilterStrength, &out.FilterStrength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InputFilter != nil {
+		in, out := &in.InputFilter, &out.InputFilter
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkInputSettings != nil {
+		in, out := &in.NetworkInputSettings, &out.NetworkInputSettings
+		*out = make([]NetworkInputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Scte35Pid != nil {
+		in, out := &in.Scte35Pid, &out.Scte35Pid
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Smpte2038DataPreference != nil {
+		in, out := &in.Smpte2038DataPreference, &out.Smpte2038DataPreference
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceEndBehavior != nil {
+		in, out := &in.SourceEndBehavior, &out.SourceEndBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.VideoSelector != nil {
+		in, out := &in.VideoSelector, &out.VideoSelector
+		*out = make([]VideoSelectorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputSettingsObservation.
@@ -4653,6 +6715,21 @@ func (in *InputSpec) DeepCopy() *InputSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputSpecificationObservation) DeepCopyInto(out *InputSpecificationObservation) {
 	*out = *in
+	if in.Codec != nil {
+		in, out := &in.Codec, &out.Codec
+		*out = new(string)
+		**out = **in
+	}
+	if in.InputResolution != nil {
+		in, out := &in.InputResolution, &out.InputResolution
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaximumBitrate != nil {
+		in, out := &in.MaximumBitrate, &out.MaximumBitrate
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputSpecificationObservation.
@@ -4715,6 +6792,28 @@ func (in *InputStatus) DeepCopy() *InputStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputVPCObservation) DeepCopyInto(out *InputVPCObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputVPCObservation.
@@ -4767,6 +6866,21 @@ func (in *InputVPCParameters) DeepCopy() *InputVPCParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KeyProviderServerObservation) DeepCopyInto(out *KeyProviderServerObservation) {
 	*out = *in
+	if in.PasswordParam != nil {
+		in, out := &in.PasswordParam, &out.PasswordParam
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyProviderServerObservation.
@@ -4812,6 +6926,13 @@ func (in *KeyProviderServerParameters) DeepCopy() *KeyProviderServerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KeyProviderSettingsObservation) DeepCopyInto(out *KeyProviderSettingsObservation) {
 	*out = *in
+	if in.StaticKeySettings != nil {
+		in, out := &in.StaticKeySettings, &out.StaticKeySettings
+		*out = make([]StaticKeySettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeyProviderSettingsObservation.
@@ -4849,6 +6970,21 @@ func (in *KeyProviderSettingsParameters) DeepCopy() *KeyProviderSettingsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *M2TsSettingsDvbNitSettingsObservation) DeepCopyInto(out *M2TsSettingsDvbNitSettingsObservation) {
 	*out = *in
+	if in.NetworkID != nil {
+		in, out := &in.NetworkID, &out.NetworkID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NetworkName != nil {
+		in, out := &in.NetworkName, &out.NetworkName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new M2TsSettingsDvbNitSettingsObservation.
@@ -4894,6 +7030,26 @@ func (in *M2TsSettingsDvbNitSettingsParameters) DeepCopy() *M2TsSettingsDvbNitSe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *M2TsSettingsDvbSdtSettingsObservation) DeepCopyInto(out *M2TsSettingsDvbSdtSettingsObservation) {
 	*out = *in
+	if in.OutputSdt != nil {
+		in, out := &in.OutputSdt, &out.OutputSdt
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceProviderName != nil {
+		in, out := &in.ServiceProviderName, &out.ServiceProviderName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new M2TsSettingsDvbSdtSettingsObservation.
@@ -4944,6 +7100,11 @@ func (in *M2TsSettingsDvbSdtSettingsParameters) DeepCopy() *M2TsSettingsDvbSdtSe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *M2TsSettingsDvbTdtSettingsObservation) DeepCopyInto(out *M2TsSettingsDvbTdtSettingsObservation) {
 	*out = *in
+	if in.RepInterval != nil {
+		in, out := &in.RepInterval, &out.RepInterval
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new M2TsSettingsDvbTdtSettingsObservation.
@@ -4966,21 +7127,262 @@ func (in *M2TsSettingsDvbTdtSettingsParameters) DeepCopyInto(out *M2TsSettingsDv
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new M2TsSettingsDvbTdtSettingsParameters.
-func (in *M2TsSettingsDvbTdtSettingsParameters) DeepCopy() *M2TsSettingsDvbTdtSettingsParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(M2TsSettingsDvbTdtSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *M2TsSettingsObservation) DeepCopyInto(out *M2TsSettingsObservation) {
-	*out = *in
-}
-
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new M2TsSettingsDvbTdtSettingsParameters.
+func (in *M2TsSettingsDvbTdtSettingsParameters) DeepCopy() *M2TsSettingsDvbTdtSettingsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(M2TsSettingsDvbTdtSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *M2TsSettingsObservation) DeepCopyInto(out *M2TsSettingsObservation) {
+	*out = *in
+	if in.AbsentInputAudioBehavior != nil {
+		in, out := &in.AbsentInputAudioBehavior, &out.AbsentInputAudioBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Arib != nil {
+		in, out := &in.Arib, &out.Arib
+		*out = new(string)
+		**out = **in
+	}
+	if in.AribCaptionsPid != nil {
+		in, out := &in.AribCaptionsPid, &out.AribCaptionsPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.AribCaptionsPidControl != nil {
+		in, out := &in.AribCaptionsPidControl, &out.AribCaptionsPidControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioBufferModel != nil {
+		in, out := &in.AudioBufferModel, &out.AudioBufferModel
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioFramesPerPes != nil {
+		in, out := &in.AudioFramesPerPes, &out.AudioFramesPerPes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AudioPids != nil {
+		in, out := &in.AudioPids, &out.AudioPids
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioStreamType != nil {
+		in, out := &in.AudioStreamType, &out.AudioStreamType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferModel != nil {
+		in, out := &in.BufferModel, &out.BufferModel
+		*out = new(string)
+		**out = **in
+	}
+	if in.CcDescriptor != nil {
+		in, out := &in.CcDescriptor, &out.CcDescriptor
+		*out = new(string)
+		**out = **in
+	}
+	if in.DvbNitSettings != nil {
+		in, out := &in.DvbNitSettings, &out.DvbNitSettings
+		*out = make([]DvbNitSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DvbSdtSettings != nil {
+		in, out := &in.DvbSdtSettings, &out.DvbSdtSettings
+		*out = make([]DvbSdtSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DvbSubPids != nil {
+		in, out := &in.DvbSubPids, &out.DvbSubPids
+		*out = new(string)
+		**out = **in
+	}
+	if in.DvbTdtSettings != nil {
+		in, out := &in.DvbTdtSettings, &out.DvbTdtSettings
+		*out = make([]DvbTdtSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DvbTeletextPid != nil {
+		in, out := &in.DvbTeletextPid, &out.DvbTeletextPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.Ebif != nil {
+		in, out := &in.Ebif, &out.Ebif
+		*out = new(string)
+		**out = **in
+	}
+	if in.EbpAudioInterval != nil {
+		in, out := &in.EbpAudioInterval, &out.EbpAudioInterval
+		*out = new(string)
+		**out = **in
+	}
+	if in.EbpLookaheadMs != nil {
+		in, out := &in.EbpLookaheadMs, &out.EbpLookaheadMs
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EbpPlacement != nil {
+		in, out := &in.EbpPlacement, &out.EbpPlacement
+		*out = new(string)
+		**out = **in
+	}
+	if in.EcmPid != nil {
+		in, out := &in.EcmPid, &out.EcmPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.EsRateInPes != nil {
+		in, out := &in.EsRateInPes, &out.EsRateInPes
+		*out = new(string)
+		**out = **in
+	}
+	if in.EtvPlatformPid != nil {
+		in, out := &in.EtvPlatformPid, &out.EtvPlatformPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.EtvSignalPid != nil {
+		in, out := &in.EtvSignalPid, &out.EtvSignalPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.FragmentTime != nil {
+		in, out := &in.FragmentTime, &out.FragmentTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Klv != nil {
+		in, out := &in.Klv, &out.Klv
+		*out = new(string)
+		**out = **in
+	}
+	if in.KlvDataPids != nil {
+		in, out := &in.KlvDataPids, &out.KlvDataPids
+		*out = new(string)
+		**out = **in
+	}
+	if in.NielsenId3Behavior != nil {
+		in, out := &in.NielsenId3Behavior, &out.NielsenId3Behavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.NullPacketBitrate != nil {
+		in, out := &in.NullPacketBitrate, &out.NullPacketBitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PatInterval != nil {
+		in, out := &in.PatInterval, &out.PatInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PcrControl != nil {
+		in, out := &in.PcrControl, &out.PcrControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.PcrPeriod != nil {
+		in, out := &in.PcrPeriod, &out.PcrPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PcrPid != nil {
+		in, out := &in.PcrPid, &out.PcrPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.PmtInterval != nil {
+		in, out := &in.PmtInterval, &out.PmtInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PmtPid != nil {
+		in, out := &in.PmtPid, &out.PmtPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProgramNum != nil {
+		in, out := &in.ProgramNum, &out.ProgramNum
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RateMode != nil {
+		in, out := &in.RateMode, &out.RateMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scte27Pids != nil {
+		in, out := &in.Scte27Pids, &out.Scte27Pids
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scte35Control != nil {
+		in, out := &in.Scte35Control, &out.Scte35Control
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scte35Pid != nil {
+		in, out := &in.Scte35Pid, &out.Scte35Pid
+		*out = new(string)
+		**out = **in
+	}
+	if in.SegmentationMarkers != nil {
+		in, out := &in.SegmentationMarkers, &out.SegmentationMarkers
+		*out = new(string)
+		**out = **in
+	}
+	if in.SegmentationStyle != nil {
+		in, out := &in.SegmentationStyle, &out.SegmentationStyle
+		*out = new(string)
+		**out = **in
+	}
+	if in.SegmentationTime != nil {
+		in, out := &in.SegmentationTime, &out.SegmentationTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TimedMetadataBehavior != nil {
+		in, out := &in.TimedMetadataBehavior, &out.TimedMetadataBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimedMetadataPid != nil {
+		in, out := &in.TimedMetadataPid, &out.TimedMetadataPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransportStreamID != nil {
+		in, out := &in.TransportStreamID, &out.TransportStreamID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VideoPid != nil {
+		in, out := &in.VideoPid, &out.VideoPid
+		*out = new(string)
+		**out = **in
+	}
+}
+
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new M2TsSettingsObservation.
 func (in *M2TsSettingsObservation) DeepCopy() *M2TsSettingsObservation {
 	if in == nil {
@@ -5250,6 +7652,91 @@ func (in *M2TsSettingsParameters) DeepCopy() *M2TsSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *M3U8SettingsObservation) DeepCopyInto(out *M3U8SettingsObservation) {
 	*out = *in
+	if in.AudioFramesPerPes != nil {
+		in, out := &in.AudioFramesPerPes, &out.AudioFramesPerPes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AudioPids != nil {
+		in, out := &in.AudioPids, &out.AudioPids
+		*out = new(string)
+		**out = **in
+	}
+	if in.EcmPid != nil {
+		in, out := &in.EcmPid, &out.EcmPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.NielsenId3Behavior != nil {
+		in, out := &in.NielsenId3Behavior, &out.NielsenId3Behavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.PatInterval != nil {
+		in, out := &in.PatInterval, &out.PatInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PcrControl != nil {
+		in, out := &in.PcrControl, &out.PcrControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.PcrPeriod != nil {
+		in, out := &in.PcrPeriod, &out.PcrPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PcrPid != nil {
+		in, out := &in.PcrPid, &out.PcrPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.PmtInterval != nil {
+		in, out := &in.PmtInterval, &out.PmtInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PmtPid != nil {
+		in, out := &in.PmtPid, &out.PmtPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProgramNum != nil {
+		in, out := &in.ProgramNum, &out.ProgramNum
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Scte35Behavior != nil {
+		in, out := &in.Scte35Behavior, &out.Scte35Behavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scte35Pid != nil {
+		in, out := &in.Scte35Pid, &out.Scte35Pid
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimedMetadataBehavior != nil {
+		in, out := &in.TimedMetadataBehavior, &out.TimedMetadataBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimedMetadataPid != nil {
+		in, out := &in.TimedMetadataPid, &out.TimedMetadataPid
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransportStreamID != nil {
+		in, out := &in.TransportStreamID, &out.TransportStreamID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VideoPid != nil {
+		in, out := &in.VideoPid, &out.VideoPid
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new M3U8SettingsObservation.
@@ -5365,6 +7852,16 @@ func (in *M3U8SettingsParameters) DeepCopy() *M3U8SettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceObservation) DeepCopyInto(out *MaintenanceObservation) {
 	*out = *in
+	if in.MaintenanceDay != nil {
+		in, out := &in.MaintenanceDay, &out.MaintenanceDay
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaintenanceStartTime != nil {
+		in, out := &in.MaintenanceStartTime, &out.MaintenanceStartTime
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceObservation.
@@ -5405,6 +7902,11 @@ func (in *MaintenanceParameters) DeepCopy() *MaintenanceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MediaConnectFlowsObservation) DeepCopyInto(out *MediaConnectFlowsObservation) {
 	*out = *in
+	if in.FlowArn != nil {
+		in, out := &in.FlowArn, &out.FlowArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MediaConnectFlowsObservation.
@@ -5440,6 +7942,11 @@ func (in *MediaConnectFlowsParameters) DeepCopy() *MediaConnectFlowsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MediaPackageGroupSettingsDestinationObservation) DeepCopyInto(out *MediaPackageGroupSettingsDestinationObservation) {
 	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MediaPackageGroupSettingsDestinationObservation.
@@ -5475,6 +7982,13 @@ func (in *MediaPackageGroupSettingsDestinationParameters) DeepCopy() *MediaPacka
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MediaPackageGroupSettingsObservation) DeepCopyInto(out *MediaPackageGroupSettingsObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]MediaPackageGroupSettingsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MediaPackageGroupSettingsObservation.
@@ -5542,6 +8056,11 @@ func (in *MediaPackageOutputSettingsParameters) DeepCopy() *MediaPackageOutputSe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MediaPackageSettingsObservation) DeepCopyInto(out *MediaPackageSettingsObservation) {
 	*out = *in
+	if in.ChannelID != nil {
+		in, out := &in.ChannelID, &out.ChannelID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MediaPackageSettingsObservation.
@@ -5577,6 +8096,21 @@ func (in *MediaPackageSettingsParameters) DeepCopy() *MediaPackageSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Mp2SettingsObservation) DeepCopyInto(out *Mp2SettingsObservation) {
 	*out = *in
+	if in.Bitrate != nil {
+		in, out := &in.Bitrate, &out.Bitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SampleRate != nil {
+		in, out := &in.SampleRate, &out.SampleRate
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Mp2SettingsObservation.
@@ -5622,6 +8156,11 @@ func (in *Mp2SettingsParameters) DeepCopy() *Mp2SettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MsSmoothGroupSettingsDestinationObservation) DeepCopyInto(out *MsSmoothGroupSettingsDestinationObservation) {
 	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MsSmoothGroupSettingsDestinationObservation.
@@ -5642,21 +8181,118 @@ func (in *MsSmoothGroupSettingsDestinationParameters) DeepCopyInto(out *MsSmooth
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MsSmoothGroupSettingsDestinationParameters.
-func (in *MsSmoothGroupSettingsDestinationParameters) DeepCopy() *MsSmoothGroupSettingsDestinationParameters {
-	if in == nil {
-		return nil
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MsSmoothGroupSettingsDestinationParameters.
+func (in *MsSmoothGroupSettingsDestinationParameters) DeepCopy() *MsSmoothGroupSettingsDestinationParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(MsSmoothGroupSettingsDestinationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MsSmoothGroupSettingsObservation) DeepCopyInto(out *MsSmoothGroupSettingsObservation) {
+	*out = *in
+	if in.AcquisitionPointID != nil {
+		in, out := &in.AcquisitionPointID, &out.AcquisitionPointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.AudioOnlyTimecodecControl != nil {
+		in, out := &in.AudioOnlyTimecodecControl, &out.AudioOnlyTimecodecControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.CertificateMode != nil {
+		in, out := &in.CertificateMode, &out.CertificateMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]MsSmoothGroupSettingsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventID != nil {
+		in, out := &in.EventID, &out.EventID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.EventIDMode != nil {
+		in, out := &in.EventIDMode, &out.EventIDMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventStopBehavior != nil {
+		in, out := &in.EventStopBehavior, &out.EventStopBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilecacheDuration != nil {
+		in, out := &in.FilecacheDuration, &out.FilecacheDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FragmentLength != nil {
+		in, out := &in.FragmentLength, &out.FragmentLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InputLossAction != nil {
+		in, out := &in.InputLossAction, &out.InputLossAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SegmentationMode != nil {
+		in, out := &in.SegmentationMode, &out.SegmentationMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SendDelayMs != nil {
+		in, out := &in.SendDelayMs, &out.SendDelayMs
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SparseTrackType != nil {
+		in, out := &in.SparseTrackType, &out.SparseTrackType
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamManifestBehavior != nil {
+		in, out := &in.StreamManifestBehavior, &out.StreamManifestBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimestampOffset != nil {
+		in, out := &in.TimestampOffset, &out.TimestampOffset
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimestampOffsetMode != nil {
+		in, out := &in.TimestampOffsetMode, &out.TimestampOffsetMode
+		*out = new(string)
+		**out = **in
 	}
-	out := new(MsSmoothGroupSettingsDestinationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MsSmoothGroupSettingsObservation) DeepCopyInto(out *MsSmoothGroupSettingsObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MsSmoothGroupSettingsObservation.
@@ -5784,6 +8420,16 @@ func (in *MsSmoothGroupSettingsParameters) DeepCopy() *MsSmoothGroupSettingsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MsSmoothOutputSettingsObservation) DeepCopyInto(out *MsSmoothOutputSettingsObservation) {
 	*out = *in
+	if in.H265PackagingType != nil {
+		in, out := &in.H265PackagingType, &out.H265PackagingType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NameModifier != nil {
+		in, out := &in.NameModifier, &out.NameModifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MsSmoothOutputSettingsObservation.
@@ -5913,6 +8559,26 @@ func (in *MultiplexList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MultiplexMultiplexSettingsObservation) DeepCopyInto(out *MultiplexMultiplexSettingsObservation) {
 	*out = *in
+	if in.MaximumVideoBufferDelayMilliseconds != nil {
+		in, out := &in.MaximumVideoBufferDelayMilliseconds, &out.MaximumVideoBufferDelayMilliseconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TransportStreamBitrate != nil {
+		in, out := &in.TransportStreamBitrate, &out.TransportStreamBitrate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TransportStreamID != nil {
+		in, out := &in.TransportStreamID, &out.TransportStreamID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TransportStreamReservedBitrate != nil {
+		in, out := &in.TransportStreamReservedBitrate, &out.TransportStreamReservedBitrate
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MultiplexMultiplexSettingsObservation.
@@ -5968,11 +8634,54 @@ func (in *MultiplexObservation) DeepCopyInto(out *MultiplexObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MultiplexSettings != nil {
+		in, out := &in.MultiplexSettings, &out.MultiplexSettings
+		*out = make([]MultiplexMultiplexSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartMultiplex != nil {
+		in, out := &in.StartMultiplex, &out.StartMultiplex
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -6003,6 +8712,11 @@ func (in *MultiplexObservation) DeepCopy() *MultiplexObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MultiplexOutputSettingsDestinationObservation) DeepCopyInto(out *MultiplexOutputSettingsDestinationObservation) {
 	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MultiplexOutputSettingsDestinationObservation.
@@ -6038,6 +8752,13 @@ func (in *MultiplexOutputSettingsDestinationParameters) DeepCopy() *MultiplexOut
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MultiplexOutputSettingsObservation) DeepCopyInto(out *MultiplexOutputSettingsObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]MultiplexOutputSettingsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MultiplexOutputSettingsObservation.
@@ -6138,6 +8859,16 @@ func (in *MultiplexParameters) DeepCopy() *MultiplexParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MultiplexSettingsObservation) DeepCopyInto(out *MultiplexSettingsObservation) {
 	*out = *in
+	if in.MultiplexID != nil {
+		in, out := &in.MultiplexID, &out.MultiplexID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProgramName != nil {
+		in, out := &in.ProgramName, &out.ProgramName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MultiplexSettingsObservation.
@@ -6212,6 +8943,18 @@ func (in *MultiplexStatus) DeepCopy() *MultiplexStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkInputSettingsObservation) DeepCopyInto(out *NetworkInputSettingsObservation) {
 	*out = *in
+	if in.HlsInputSettings != nil {
+		in, out := &in.HlsInputSettings, &out.HlsInputSettings
+		*out = make([]HlsInputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServerValidation != nil {
+		in, out := &in.ServerValidation, &out.ServerValidation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkInputSettingsObservation.
@@ -6254,6 +8997,21 @@ func (in *NetworkInputSettingsParameters) DeepCopy() *NetworkInputSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NielsenCbetSettingsObservation) DeepCopyInto(out *NielsenCbetSettingsObservation) {
 	*out = *in
+	if in.CbetCheckDigitString != nil {
+		in, out := &in.CbetCheckDigitString, &out.CbetCheckDigitString
+		*out = new(string)
+		**out = **in
+	}
+	if in.CbetStepaside != nil {
+		in, out := &in.CbetStepaside, &out.CbetStepaside
+		*out = new(string)
+		**out = **in
+	}
+	if in.Csid != nil {
+		in, out := &in.Csid, &out.Csid
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NielsenCbetSettingsObservation.
@@ -6299,6 +9057,16 @@ func (in *NielsenCbetSettingsParameters) DeepCopy() *NielsenCbetSettingsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NielsenNaesIiNwSettingsObservation) DeepCopyInto(out *NielsenNaesIiNwSettingsObservation) {
 	*out = *in
+	if in.CheckDigitString != nil {
+		in, out := &in.CheckDigitString, &out.CheckDigitString
+		*out = new(string)
+		**out = **in
+	}
+	if in.Sid != nil {
+		in, out := &in.Sid, &out.Sid
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NielsenNaesIiNwSettingsObservation.
@@ -6339,6 +9107,25 @@ func (in *NielsenNaesIiNwSettingsParameters) DeepCopy() *NielsenNaesIiNwSettings
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NielsenWatermarksSettingsObservation) DeepCopyInto(out *NielsenWatermarksSettingsObservation) {
 	*out = *in
+	if in.NielsenCbetSettings != nil {
+		in, out := &in.NielsenCbetSettings, &out.NielsenCbetSettings
+		*out = make([]NielsenCbetSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NielsenDistributionType != nil {
+		in, out := &in.NielsenDistributionType, &out.NielsenDistributionType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NielsenNaesIiNwSettings != nil {
+		in, out := &in.NielsenNaesIiNwSettings, &out.NielsenNaesIiNwSettings
+		*out = make([]NielsenNaesIiNwSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NielsenWatermarksSettingsObservation.
@@ -6388,6 +9175,60 @@ func (in *NielsenWatermarksSettingsParameters) DeepCopy() *NielsenWatermarksSett
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputGroupSettingsObservation) DeepCopyInto(out *OutputGroupSettingsObservation) {
 	*out = *in
+	if in.ArchiveGroupSettings != nil {
+		in, out := &in.ArchiveGroupSettings, &out.ArchiveGroupSettings
+		*out = make([]ArchiveGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FrameCaptureGroupSettings != nil {
+		in, out := &in.FrameCaptureGroupSettings, &out.FrameCaptureGroupSettings
+		*out = make([]FrameCaptureGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsGroupSettings != nil {
+		in, out := &in.HlsGroupSettings, &out.HlsGroupSettings
+		*out = make([]HlsGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MediaPackageGroupSettings != nil {
+		in, out := &in.MediaPackageGroupSettings, &out.MediaPackageGroupSettings
+		*out = make([]MediaPackageGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MsSmoothGroupSettings != nil {
+		in, out := &in.MsSmoothGroupSettings, &out.MsSmoothGroupSettings
+		*out = make([]MsSmoothGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MultiplexGroupSettings != nil {
+		in, out := &in.MultiplexGroupSettings, &out.MultiplexGroupSettings
+		*out = make([]MultiplexGroupSettingsParameters, len(*in))
+		copy(*out, *in)
+	}
+	if in.RtmpGroupSettings != nil {
+		in, out := &in.RtmpGroupSettings, &out.RtmpGroupSettings
+		*out = make([]RtmpGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UDPGroupSettings != nil {
+		in, out := &in.UDPGroupSettings, &out.UDPGroupSettings
+		*out = make([]UDPGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputGroupSettingsObservation.
@@ -6472,6 +9313,25 @@ func (in *OutputGroupSettingsParameters) DeepCopy() *OutputGroupSettingsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputGroupsObservation) DeepCopyInto(out *OutputGroupsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputGroupSettings != nil {
+		in, out := &in.OutputGroupSettings, &out.OutputGroupSettings
+		*out = make([]OutputGroupSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Outputs != nil {
+		in, out := &in.Outputs, &out.Outputs
+		*out = make([]OutputsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputGroupsObservation.
@@ -6513,14 +9373,34 @@ func (in *OutputGroupsParameters) DeepCopy() *OutputGroupsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(OutputGroupsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *OutputRectangleObservation) DeepCopyInto(out *OutputRectangleObservation) {
-	*out = *in
+	out := new(OutputGroupsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *OutputRectangleObservation) DeepCopyInto(out *OutputRectangleObservation) {
+	*out = *in
+	if in.Height != nil {
+		in, out := &in.Height, &out.Height
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LeftOffset != nil {
+		in, out := &in.LeftOffset, &out.LeftOffset
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TopOffset != nil {
+		in, out := &in.TopOffset, &out.TopOffset
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Width != nil {
+		in, out := &in.Width, &out.Width
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputRectangleObservation.
@@ -6571,6 +9451,60 @@ func (in *OutputRectangleParameters) DeepCopy() *OutputRectangleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputSettingsObservation) DeepCopyInto(out *OutputSettingsObservation) {
 	*out = *in
+	if in.ArchiveOutputSettings != nil {
+		in, out := &in.ArchiveOutputSettings, &out.ArchiveOutputSettings
+		*out = make([]ArchiveOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FrameCaptureOutputSettings != nil {
+		in, out := &in.FrameCaptureOutputSettings, &out.FrameCaptureOutputSettings
+		*out = make([]FrameCaptureOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HlsOutputSettings != nil {
+		in, out := &in.HlsOutputSettings, &out.HlsOutputSettings
+		*out = make([]HlsOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MediaPackageOutputSettings != nil {
+		in, out := &in.MediaPackageOutputSettings, &out.MediaPackageOutputSettings
+		*out = make([]MediaPackageOutputSettingsParameters, len(*in))
+		copy(*out, *in)
+	}
+	if in.MsSmoothOutputSettings != nil {
+		in, out := &in.MsSmoothOutputSettings, &out.MsSmoothOutputSettings
+		*out = make([]MsSmoothOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MultiplexOutputSettings != nil {
+		in, out := &in.MultiplexOutputSettings, &out.MultiplexOutputSettings
+		*out = make([]MultiplexOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RtmpOutputSettings != nil {
+		in, out := &in.RtmpOutputSettings, &out.RtmpOutputSettings
+		*out = make([]RtmpOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UDPOutputSettings != nil {
+		in, out := &in.UDPOutputSettings, &out.UDPOutputSettings
+		*out = make([]UDPOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputSettingsObservation.
@@ -6655,6 +9589,45 @@ func (in *OutputSettingsParameters) DeepCopy() *OutputSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputsObservation) DeepCopyInto(out *OutputsObservation) {
 	*out = *in
+	if in.AudioDescriptionNames != nil {
+		in, out := &in.AudioDescriptionNames, &out.AudioDescriptionNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CaptionDescriptionNames != nil {
+		in, out := &in.CaptionDescriptionNames, &out.CaptionDescriptionNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OutputName != nil {
+		in, out := &in.OutputName, &out.OutputName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputSettings != nil {
+		in, out := &in.OutputSettings, &out.OutputSettings
+		*out = make([]OutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VideoDescriptionName != nil {
+		in, out := &in.VideoDescriptionName, &out.VideoDescriptionName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputsObservation.
@@ -6784,6 +9757,23 @@ func (in *RawSettingsParameters) DeepCopy() *RawSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RemixSettingsObservation) DeepCopyInto(out *RemixSettingsObservation) {
 	*out = *in
+	if in.ChannelMappings != nil {
+		in, out := &in.ChannelMappings, &out.ChannelMappings
+		*out = make([]ChannelMappingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ChannelsIn != nil {
+		in, out := &in.ChannelsIn, &out.ChannelsIn
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ChannelsOut != nil {
+		in, out := &in.ChannelsOut, &out.ChannelsOut
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RemixSettingsObservation.
@@ -6831,6 +9821,47 @@ func (in *RemixSettingsParameters) DeepCopy() *RemixSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RtmpGroupSettingsObservation) DeepCopyInto(out *RtmpGroupSettingsObservation) {
 	*out = *in
+	if in.AdMarkers != nil {
+		in, out := &in.AdMarkers, &out.AdMarkers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AuthenticationScheme != nil {
+		in, out := &in.AuthenticationScheme, &out.AuthenticationScheme
+		*out = new(string)
+		**out = **in
+	}
+	if in.CacheFullBehavior != nil {
+		in, out := &in.CacheFullBehavior, &out.CacheFullBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.CacheLength != nil {
+		in, out := &in.CacheLength, &out.CacheLength
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CaptionData != nil {
+		in, out := &in.CaptionData, &out.CaptionData
+		*out = new(string)
+		**out = **in
+	}
+	if in.InputLossAction != nil {
+		in, out := &in.InputLossAction, &out.InputLossAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestartDelay != nil {
+		in, out := &in.RestartDelay, &out.RestartDelay
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RtmpGroupSettingsObservation.
@@ -6902,6 +9933,11 @@ func (in *RtmpGroupSettingsParameters) DeepCopy() *RtmpGroupSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RtmpOutputSettingsDestinationObservation) DeepCopyInto(out *RtmpOutputSettingsDestinationObservation) {
 	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RtmpOutputSettingsDestinationObservation.
@@ -6937,6 +9973,28 @@ func (in *RtmpOutputSettingsDestinationParameters) DeepCopy() *RtmpOutputSetting
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RtmpOutputSettingsObservation) DeepCopyInto(out *RtmpOutputSettingsObservation) {
 	*out = *in
+	if in.CertficateMode != nil {
+		in, out := &in.CertficateMode, &out.CertficateMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectionRetryInterval != nil {
+		in, out := &in.ConnectionRetryInterval, &out.ConnectionRetryInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]RtmpOutputSettingsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NumRetries != nil {
+		in, out := &in.NumRetries, &out.NumRetries
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RtmpOutputSettingsObservation.
@@ -6989,6 +10047,16 @@ func (in *RtmpOutputSettingsParameters) DeepCopy() *RtmpOutputSettingsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Scte20SourceSettingsObservation) DeepCopyInto(out *Scte20SourceSettingsObservation) {
 	*out = *in
+	if in.Convert608To708 != nil {
+		in, out := &in.Convert608To708, &out.Convert608To708
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source608ChannelNumber != nil {
+		in, out := &in.Source608ChannelNumber, &out.Source608ChannelNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scte20SourceSettingsObservation.
@@ -7029,6 +10097,16 @@ func (in *Scte20SourceSettingsParameters) DeepCopy() *Scte20SourceSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Scte27SourceSettingsObservation) DeepCopyInto(out *Scte27SourceSettingsObservation) {
 	*out = *in
+	if in.OcrLanguage != nil {
+		in, out := &in.OcrLanguage, &out.OcrLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Pid != nil {
+		in, out := &in.Pid, &out.Pid
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Scte27SourceSettingsObservation.
@@ -7069,6 +10147,16 @@ func (in *Scte27SourceSettingsParameters) DeepCopy() *Scte27SourceSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelectorSettingsDvbTdtSettingsObservation) DeepCopyInto(out *SelectorSettingsDvbTdtSettingsObservation) {
 	*out = *in
+	if in.OcrLanguage != nil {
+		in, out := &in.OcrLanguage, &out.OcrLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Pid != nil {
+		in, out := &in.Pid, &out.Pid
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelectorSettingsDvbTdtSettingsObservation.
@@ -7109,6 +10197,34 @@ func (in *SelectorSettingsDvbTdtSettingsParameters) DeepCopy() *SelectorSettings
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelectorSettingsObservation) DeepCopyInto(out *SelectorSettingsObservation) {
 	*out = *in
+	if in.AudioHlsRenditionSelection != nil {
+		in, out := &in.AudioHlsRenditionSelection, &out.AudioHlsRenditionSelection
+		*out = make([]AudioHlsRenditionSelectionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AudioLanguageSelection != nil {
+		in, out := &in.AudioLanguageSelection, &out.AudioLanguageSelection
+		*out = make([]AudioLanguageSelectionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AudioPidSelection != nil {
+		in, out := &in.AudioPidSelection, &out.AudioPidSelection
+		*out = make([]AudioPidSelectionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AudioTrackSelection != nil {
+		in, out := &in.AudioTrackSelection, &out.AudioTrackSelection
+		*out = make([]AudioTrackSelectionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelectorSettingsObservation.
@@ -7159,14 +10275,34 @@ func (in *SelectorSettingsParameters) DeepCopy() *SelectorSettingsParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(SelectorSettingsParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *SettingsObservation) DeepCopyInto(out *SettingsObservation) {
-	*out = *in
+	out := new(SelectorSettingsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *SettingsObservation) DeepCopyInto(out *SettingsObservation) {
+	*out = *in
+	if in.PasswordParam != nil {
+		in, out := &in.PasswordParam, &out.PasswordParam
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamName != nil {
+		in, out := &in.StreamName, &out.StreamName
+		*out = new(string)
+		**out = **in
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SettingsObservation.
@@ -7217,6 +10353,21 @@ func (in *SettingsParameters) DeepCopy() *SettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourcesObservation) DeepCopyInto(out *SourcesObservation) {
 	*out = *in
+	if in.PasswordParam != nil {
+		in, out := &in.PasswordParam, &out.PasswordParam
+		*out = new(string)
+		**out = **in
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcesObservation.
@@ -7262,6 +10413,18 @@ func (in *SourcesParameters) DeepCopy() *SourcesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StandardHlsSettingsObservation) DeepCopyInto(out *StandardHlsSettingsObservation) {
 	*out = *in
+	if in.AudioRenditionSets != nil {
+		in, out := &in.AudioRenditionSets, &out.AudioRenditionSets
+		*out = new(string)
+		**out = **in
+	}
+	if in.M3U8Settings != nil {
+		in, out := &in.M3U8Settings, &out.M3U8Settings
+		*out = make([]M3U8SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StandardHlsSettingsObservation.
@@ -7304,6 +10467,18 @@ func (in *StandardHlsSettingsParameters) DeepCopy() *StandardHlsSettingsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StaticKeySettingsObservation) DeepCopyInto(out *StaticKeySettingsObservation) {
 	*out = *in
+	if in.KeyProviderServer != nil {
+		in, out := &in.KeyProviderServer, &out.KeyProviderServer
+		*out = make([]KeyProviderServerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StaticKeyValue != nil {
+		in, out := &in.StaticKeyValue, &out.StaticKeyValue
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticKeySettingsObservation.
@@ -7346,6 +10521,18 @@ func (in *StaticKeySettingsParameters) DeepCopy() *StaticKeySettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TeletextSourceSettingsObservation) DeepCopyInto(out *TeletextSourceSettingsObservation) {
 	*out = *in
+	if in.OutputRectangle != nil {
+		in, out := &in.OutputRectangle, &out.OutputRectangle
+		*out = make([]OutputRectangleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PageNumber != nil {
+		in, out := &in.PageNumber, &out.PageNumber
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TeletextSourceSettingsObservation.
@@ -7388,6 +10575,16 @@ func (in *TeletextSourceSettingsParameters) DeepCopy() *TeletextSourceSettingsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TemporalFilterSettingsObservation) DeepCopyInto(out *TemporalFilterSettingsObservation) {
 	*out = *in
+	if in.PostFilterSharpening != nil {
+		in, out := &in.PostFilterSharpening, &out.PostFilterSharpening
+		*out = new(string)
+		**out = **in
+	}
+	if in.Strength != nil {
+		in, out := &in.Strength, &out.Strength
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemporalFilterSettingsObservation.
@@ -7428,6 +10625,16 @@ func (in *TemporalFilterSettingsParameters) DeepCopy() *TemporalFilterSettingsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimecodeConfigObservation) DeepCopyInto(out *TimecodeConfigObservation) {
 	*out = *in
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.SyncThreshold != nil {
+		in, out := &in.SyncThreshold, &out.SyncThreshold
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimecodeConfigObservation.
@@ -7468,6 +10675,11 @@ func (in *TimecodeConfigParameters) DeepCopy() *TimecodeConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrackObservation) DeepCopyInto(out *TrackObservation) {
 	*out = *in
+	if in.Track != nil {
+		in, out := &in.Track, &out.Track
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrackObservation.
@@ -7503,6 +10715,21 @@ func (in *TrackParameters) DeepCopy() *TrackParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UDPGroupSettingsObservation) DeepCopyInto(out *UDPGroupSettingsObservation) {
 	*out = *in
+	if in.InputLossAction != nil {
+		in, out := &in.InputLossAction, &out.InputLossAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimedMetadataId3Frame != nil {
+		in, out := &in.TimedMetadataId3Frame, &out.TimedMetadataId3Frame
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimedMetadataId3Period != nil {
+		in, out := &in.TimedMetadataId3Period, &out.TimedMetadataId3Period
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPGroupSettingsObservation.
@@ -7548,6 +10775,13 @@ func (in *UDPGroupSettingsParameters) DeepCopy() *UDPGroupSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UDPOutputSettingsContainerSettingsObservation) DeepCopyInto(out *UDPOutputSettingsContainerSettingsObservation) {
 	*out = *in
+	if in.M2TsSettings != nil {
+		in, out := &in.M2TsSettings, &out.M2TsSettings
+		*out = make([]ContainerSettingsM2TsSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPOutputSettingsContainerSettingsObservation.
@@ -7585,6 +10819,11 @@ func (in *UDPOutputSettingsContainerSettingsParameters) DeepCopy() *UDPOutputSet
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UDPOutputSettingsDestinationObservation) DeepCopyInto(out *UDPOutputSettingsDestinationObservation) {
 	*out = *in
+	if in.DestinationRefID != nil {
+		in, out := &in.DestinationRefID, &out.DestinationRefID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPOutputSettingsDestinationObservation.
@@ -7620,6 +10859,32 @@ func (in *UDPOutputSettingsDestinationParameters) DeepCopy() *UDPOutputSettingsD
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UDPOutputSettingsObservation) DeepCopyInto(out *UDPOutputSettingsObservation) {
 	*out = *in
+	if in.BufferMsec != nil {
+		in, out := &in.BufferMsec, &out.BufferMsec
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ContainerSettings != nil {
+		in, out := &in.ContainerSettings, &out.ContainerSettings
+		*out = make([]UDPOutputSettingsContainerSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]UDPOutputSettingsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FecOutputSettings != nil {
+		in, out := &in.FecOutputSettings, &out.FecOutputSettings
+		*out = make([]FecOutputSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UDPOutputSettingsObservation.
@@ -7687,6 +10952,39 @@ func (in *VPCObservation) DeepCopyInto(out *VPCObservation) {
 			}
 		}
 	}
+	if in.PublicAddressAllocationIds != nil {
+		in, out := &in.PublicAddressAllocationIds, &out.PublicAddressAllocationIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCObservation.
@@ -7750,6 +11048,16 @@ func (in *VPCParameters) DeepCopy() *VPCParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VideoBlackSettingsObservation) DeepCopyInto(out *VideoBlackSettingsObservation) {
 	*out = *in
+	if in.BlackDetectThreshold != nil {
+		in, out := &in.BlackDetectThreshold, &out.BlackDetectThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VideoBlackThresholdMsec != nil {
+		in, out := &in.VideoBlackThresholdMsec, &out.VideoBlackThresholdMsec
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VideoBlackSettingsObservation.
@@ -7790,6 +11098,20 @@ func (in *VideoBlackSettingsParameters) DeepCopy() *VideoBlackSettingsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VideoDescriptionsCodecSettingsObservation) DeepCopyInto(out *VideoDescriptionsCodecSettingsObservation) {
 	*out = *in
+	if in.FrameCaptureSettings != nil {
+		in, out := &in.FrameCaptureSettings, &out.FrameCaptureSettings
+		*out = make([]FrameCaptureSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.H264Settings != nil {
+		in, out := &in.H264Settings, &out.H264Settings
+		*out = make([]H264SettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VideoDescriptionsCodecSettingsObservation.
@@ -7834,6 +11156,43 @@ func (in *VideoDescriptionsCodecSettingsParameters) DeepCopy() *VideoDescription
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VideoDescriptionsObservation) DeepCopyInto(out *VideoDescriptionsObservation) {
 	*out = *in
+	if in.CodecSettings != nil {
+		in, out := &in.CodecSettings, &out.CodecSettings
+		*out = make([]VideoDescriptionsCodecSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Height != nil {
+		in, out := &in.Height, &out.Height
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RespondToAfd != nil {
+		in, out := &in.RespondToAfd, &out.RespondToAfd
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScalingBehavior != nil {
+		in, out := &in.ScalingBehavior, &out.ScalingBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Sharpness != nil {
+		in, out := &in.Sharpness, &out.Sharpness
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Width != nil {
+		in, out := &in.Width, &out.Width
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VideoDescriptionsObservation.
@@ -7901,6 +11260,16 @@ func (in *VideoDescriptionsParameters) DeepCopy() *VideoDescriptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VideoSelectorObservation) DeepCopyInto(out *VideoSelectorObservation) {
 	*out = *in
+	if in.ColorSpace != nil {
+		in, out := &in.ColorSpace, &out.ColorSpace
+		*out = new(string)
+		**out = **in
+	}
+	if in.ColorSpaceUsage != nil {
+		in, out := &in.ColorSpaceUsage, &out.ColorSpaceUsage
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VideoSelectorObservation.
@@ -7941,6 +11310,21 @@ func (in *VideoSelectorParameters) DeepCopy() *VideoSelectorParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WavSettingsObservation) DeepCopyInto(out *WavSettingsObservation) {
 	*out = *in
+	if in.BitDepth != nil {
+		in, out := &in.BitDepth, &out.BitDepth
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CodingMode != nil {
+		in, out := &in.CodingMode, &out.CodingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SampleRate != nil {
+		in, out := &in.SampleRate, &out.SampleRate
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WavSettingsObservation.
@@ -7986,6 +11370,11 @@ func (in *WavSettingsParameters) DeepCopy() *WavSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WhitelistRulesObservation) DeepCopyInto(out *WhitelistRulesObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WhitelistRulesObservation.
diff --git a/apis/medialive/v1beta1/zz_input_types.go b/apis/medialive/v1beta1/zz_input_types.go
index 22f2a6d8e1..6865a5817c 100755
--- a/apis/medialive/v1beta1/zz_input_types.go
+++ b/apis/medialive/v1beta1/zz_input_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type InputDestinationsObservation struct {
+
+	// A unique name for the location the RTMP stream is being pushed to.
+	StreamName *string `json:"streamName,omitempty" tf:"stream_name,omitempty"`
 }
 
 type InputDestinationsParameters struct {
@@ -24,6 +27,9 @@ type InputDestinationsParameters struct {
 }
 
 type InputDevicesObservation struct {
+
+	// The unique ID for the device.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type InputDevicesParameters struct {
@@ -41,19 +47,49 @@ type InputObservation struct {
 	// Channels attached to Input.
 	AttachedChannels []*string `json:"attachedChannels,omitempty" tf:"attached_channels,omitempty"`
 
+	// Destination settings for PUSH type inputs. See Destinations for more details.
+	Destinations []InputDestinationsObservation `json:"destinations,omitempty" tf:"destinations,omitempty"`
+
 	// The unique ID for the device.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The input class.
 	InputClass *string `json:"inputClass,omitempty" tf:"input_class,omitempty"`
 
+	// Settings for the devices. See Input Devices for more details.
+	InputDevices []InputDevicesObservation `json:"inputDevices,omitempty" tf:"input_devices,omitempty"`
+
 	// A list of IDs for all Inputs which are partners of this one.
 	InputPartnerIds []*string `json:"inputPartnerIds,omitempty" tf:"input_partner_ids,omitempty"`
 
+	// List of input security groups.
+	InputSecurityGroups []*string `json:"inputSecurityGroups,omitempty" tf:"input_security_groups,omitempty"`
+
 	// Source type of the input.
 	InputSourceType *string `json:"inputSourceType,omitempty" tf:"input_source_type,omitempty"`
 
+	// A list of the MediaConnect Flows. See Media Connect Flows for more details.
+	MediaConnectFlows []MediaConnectFlowsObservation `json:"mediaConnectFlows,omitempty" tf:"media_connect_flows,omitempty"`
+
+	// Name of the input.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ARN of the role this input assumes during and after creation.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The source URLs for a PULL-type input. See Sources for more details.
+	Sources []SourcesObservation `json:"sources,omitempty" tf:"sources,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The different types of inputs that AWS Elemental MediaLive supports.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Settings for a private VPC Input. See VPC for more details.
+	VPC []InputVPCObservation `json:"vpc,omitempty" tf:"vpc,omitempty"`
 }
 
 type InputParameters struct {
@@ -75,8 +111,8 @@ type InputParameters struct {
 	MediaConnectFlows []MediaConnectFlowsParameters `json:"mediaConnectFlows,omitempty" tf:"media_connect_flows,omitempty"`
 
 	// Name of the input.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -106,8 +142,8 @@ type InputParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The different types of inputs that AWS Elemental MediaLive supports.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 
 	// Settings for a private VPC Input. See VPC for more details.
 	// +kubebuilder:validation:Optional
@@ -115,6 +151,12 @@ type InputParameters struct {
 }
 
 type InputVPCObservation struct {
+
+	// A list of up to 5 EC2 VPC security group IDs to attach to the Input.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// A list of 2 VPC subnet IDs from the same VPC.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
 }
 
 type InputVPCParameters struct {
@@ -129,6 +171,9 @@ type InputVPCParameters struct {
 }
 
 type MediaConnectFlowsObservation struct {
+
+	// The ARN of the MediaConnect Flow
+	FlowArn *string `json:"flowArn,omitempty" tf:"flow_arn,omitempty"`
 }
 
 type MediaConnectFlowsParameters struct {
@@ -139,6 +184,15 @@ type MediaConnectFlowsParameters struct {
 }
 
 type SourcesObservation struct {
+
+	// The key used to extract the password from EC2 Parameter store.
+	PasswordParam *string `json:"passwordParam,omitempty" tf:"password_param,omitempty"`
+
+	// The URL where the stream is pulled from.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// The username for the input source.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type SourcesParameters struct {
@@ -180,8 +234,10 @@ type InputStatus struct {
 type Input struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InputSpec   `json:"spec"`
-	Status            InputStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   InputSpec   `json:"spec"`
+	Status InputStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/medialive/v1beta1/zz_inputsecuritygroup_types.go b/apis/medialive/v1beta1/zz_inputsecuritygroup_types.go
index 755f80d40e..432ed2aedc 100755
--- a/apis/medialive/v1beta1/zz_inputsecuritygroup_types.go
+++ b/apis/medialive/v1beta1/zz_inputsecuritygroup_types.go
@@ -24,7 +24,13 @@ type InputSecurityGroupObservation struct {
 	// The list of inputs currently using this InputSecurityGroup.
 	Inputs []*string `json:"inputs,omitempty" tf:"inputs,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whitelist rules. See Whitelist Rules for more details.
+	WhitelistRules []WhitelistRulesObservation `json:"whitelistRules,omitempty" tf:"whitelist_rules,omitempty"`
 }
 
 type InputSecurityGroupParameters struct {
@@ -39,11 +45,14 @@ type InputSecurityGroupParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Whitelist rules. See Whitelist Rules for more details.
-	// +kubebuilder:validation:Required
-	WhitelistRules []WhitelistRulesParameters `json:"whitelistRules" tf:"whitelist_rules,omitempty"`
+	// +kubebuilder:validation:Optional
+	WhitelistRules []WhitelistRulesParameters `json:"whitelistRules,omitempty" tf:"whitelist_rules,omitempty"`
 }
 
 type WhitelistRulesObservation struct {
+
+	// The IPv4 CIDR that's whitelisted.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 }
 
 type WhitelistRulesParameters struct {
@@ -77,8 +86,9 @@ type InputSecurityGroupStatus struct {
 type InputSecurityGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InputSecurityGroupSpec   `json:"spec"`
-	Status            InputSecurityGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.whitelistRules)",message="whitelistRules is a required parameter"
+	Spec   InputSecurityGroupSpec   `json:"spec"`
+	Status InputSecurityGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/medialive/v1beta1/zz_multiplex_types.go b/apis/medialive/v1beta1/zz_multiplex_types.go
index 7ebf41e439..127b334e44 100755
--- a/apis/medialive/v1beta1/zz_multiplex_types.go
+++ b/apis/medialive/v1beta1/zz_multiplex_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type MultiplexMultiplexSettingsObservation struct {
+
+	// Maximum video buffer delay.
+	MaximumVideoBufferDelayMilliseconds *float64 `json:"maximumVideoBufferDelayMilliseconds,omitempty" tf:"maximum_video_buffer_delay_milliseconds,omitempty"`
+
+	// Transport stream bit rate.
+	TransportStreamBitrate *float64 `json:"transportStreamBitrate,omitempty" tf:"transport_stream_bitrate,omitempty"`
+
+	// Unique ID for each multiplex.
+	TransportStreamID *float64 `json:"transportStreamId,omitempty" tf:"transport_stream_id,omitempty"`
+
+	// Transport stream reserved bit rate.
+	TransportStreamReservedBitrate *float64 `json:"transportStreamReservedBitrate,omitempty" tf:"transport_stream_reserved_bitrate,omitempty"`
 }
 
 type MultiplexMultiplexSettingsParameters struct {
@@ -40,24 +52,39 @@ type MultiplexObservation struct {
 	// ARN of the Multiplex.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A list of availability zones. You must specify exactly two.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Multiplex settings. See Multiplex Settings for more details.
+	MultiplexSettings []MultiplexMultiplexSettingsObservation `json:"multiplexSettings,omitempty" tf:"multiplex_settings,omitempty"`
+
+	// name of Multiplex.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Whether to start the Multiplex. Defaults to false.
+	StartMultiplex *bool `json:"startMultiplex,omitempty" tf:"start_multiplex,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
 type MultiplexParameters struct {
 
 	// A list of availability zones. You must specify exactly two.
-	// +kubebuilder:validation:Required
-	AvailabilityZones []*string `json:"availabilityZones" tf:"availability_zones,omitempty"`
+	// +kubebuilder:validation:Optional
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
 
 	// Multiplex settings. See Multiplex Settings for more details.
 	// +kubebuilder:validation:Optional
 	MultiplexSettings []MultiplexMultiplexSettingsParameters `json:"multiplexSettings,omitempty" tf:"multiplex_settings,omitempty"`
 
 	// name of Multiplex.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -97,8 +124,10 @@ type MultiplexStatus struct {
 type Multiplex struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MultiplexSpec   `json:"spec"`
-	Status            MultiplexStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZones)",message="availabilityZones is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   MultiplexSpec   `json:"spec"`
+	Status MultiplexStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/mediapackage/v1beta1/zz_channel_types.go b/apis/mediapackage/v1beta1/zz_channel_types.go
index 709a3c7eb0..dba198bfc3 100755
--- a/apis/mediapackage/v1beta1/zz_channel_types.go
+++ b/apis/mediapackage/v1beta1/zz_channel_types.go
@@ -18,12 +18,21 @@ type ChannelObservation struct {
 	// The ARN of the channel
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A unique identifier describing the channel
+	ChannelID *string `json:"channelId,omitempty" tf:"channel_id,omitempty"`
+
+	// A description of the channel
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// A single item list of HLS ingest information
 	HlsIngest []HlsIngestObservation `json:"hlsIngest,omitempty" tf:"hls_ingest,omitempty"`
 
 	// The same as channel_id
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -31,8 +40,8 @@ type ChannelObservation struct {
 type ChannelParameters struct {
 
 	// A unique identifier describing the channel
-	// +kubebuilder:validation:Required
-	ChannelID *string `json:"channelId" tf:"channel_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	ChannelID *string `json:"channelId,omitempty" tf:"channel_id,omitempty"`
 
 	// A description of the channel
 	// +kubebuilder:validation:Optional
@@ -96,8 +105,9 @@ type ChannelStatus struct {
 type Channel struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ChannelSpec   `json:"spec"`
-	Status            ChannelStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.channelId)",message="channelId is a required parameter"
+	Spec   ChannelSpec   `json:"spec"`
+	Status ChannelStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/mediapackage/v1beta1/zz_generated.deepcopy.go b/apis/mediapackage/v1beta1/zz_generated.deepcopy.go
index 3dd016f8d4..6c54caf5b4 100644
--- a/apis/mediapackage/v1beta1/zz_generated.deepcopy.go
+++ b/apis/mediapackage/v1beta1/zz_generated.deepcopy.go
@@ -80,6 +80,16 @@ func (in *ChannelObservation) DeepCopyInto(out *ChannelObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ChannelID != nil {
+		in, out := &in.ChannelID, &out.ChannelID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.HlsIngest != nil {
 		in, out := &in.HlsIngest, &out.HlsIngest
 		*out = make([]HlsIngestObservation, len(*in))
@@ -92,6 +102,21 @@ func (in *ChannelObservation) DeepCopyInto(out *ChannelObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/mediastore/v1beta1/zz_container_types.go b/apis/mediastore/v1beta1/zz_container_types.go
index d85f0abb8b..db1ede2b49 100755
--- a/apis/mediastore/v1beta1/zz_container_types.go
+++ b/apis/mediastore/v1beta1/zz_container_types.go
@@ -23,6 +23,9 @@ type ContainerObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/mediastore/v1beta1/zz_containerpolicy_types.go b/apis/mediastore/v1beta1/zz_containerpolicy_types.go
index 7e93e5b9c4..bba6696300 100755
--- a/apis/mediastore/v1beta1/zz_containerpolicy_types.go
+++ b/apis/mediastore/v1beta1/zz_containerpolicy_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type ContainerPolicyObservation struct {
+
+	// The name of the container.
+	ContainerName *string `json:"containerName,omitempty" tf:"container_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The contents of the policy.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type ContainerPolicyParameters struct {
@@ -33,8 +40,8 @@ type ContainerPolicyParameters struct {
 	ContainerNameSelector *v1.Selector `json:"containerNameSelector,omitempty" tf:"-"`
 
 	// The contents of the policy.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -66,8 +73,9 @@ type ContainerPolicyStatus struct {
 type ContainerPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ContainerPolicySpec   `json:"spec"`
-	Status            ContainerPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   ContainerPolicySpec   `json:"spec"`
+	Status ContainerPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/mediastore/v1beta1/zz_generated.deepcopy.go b/apis/mediastore/v1beta1/zz_generated.deepcopy.go
index 92caf5ccd8..1bcf585f23 100644
--- a/apis/mediastore/v1beta1/zz_generated.deepcopy.go
+++ b/apis/mediastore/v1beta1/zz_generated.deepcopy.go
@@ -91,6 +91,21 @@ func (in *ContainerObservation) DeepCopyInto(out *ContainerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -215,11 +230,21 @@ func (in *ContainerPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContainerPolicyObservation) DeepCopyInto(out *ContainerPolicyObservation) {
 	*out = *in
+	if in.ContainerName != nil {
+		in, out := &in.ContainerName, &out.ContainerName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerPolicyObservation.
diff --git a/apis/memorydb/v1beta1/zz_acl_types.go b/apis/memorydb/v1beta1/zz_acl_types.go
index 000f5a5316..c971e1aa89 100755
--- a/apis/memorydb/v1beta1/zz_acl_types.go
+++ b/apis/memorydb/v1beta1/zz_acl_types.go
@@ -24,8 +24,14 @@ type ACLObservation struct {
 	// The minimum engine version supported by the ACL.
 	MinimumEngineVersion *string `json:"minimumEngineVersion,omitempty" tf:"minimum_engine_version,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Set of MemoryDB user names to be included in this ACL.
+	UserNames []*string `json:"userNames,omitempty" tf:"user_names,omitempty"`
 }
 
 type ACLParameters struct {
diff --git a/apis/memorydb/v1beta1/zz_cluster_types.go b/apis/memorydb/v1beta1/zz_cluster_types.go
index e3716f1f3a..68c9b04d57 100755
--- a/apis/memorydb/v1beta1/zz_cluster_types.go
+++ b/apis/memorydb/v1beta1/zz_cluster_types.go
@@ -27,20 +27,86 @@ type ClusterEndpointParameters struct {
 
 type ClusterObservation struct {
 
+	// The name of the Access Control List to associate with the cluster.
+	ACLName *string `json:"aclName,omitempty" tf:"acl_name,omitempty"`
+
 	// The ARN of the cluster.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// When set to true, the cluster will automatically receive minor engine version upgrades after launch. Defaults to true.
+	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
 	ClusterEndpoint []ClusterEndpointObservation `json:"clusterEndpoint,omitempty" tf:"cluster_endpoint,omitempty"`
 
+	// Enables data tiering. This option is not supported by all instance types. For more information, see Data tiering.
+	DataTiering *bool `json:"dataTiering,omitempty" tf:"data_tiering,omitempty"`
+
+	// Description for the cluster.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Patch version number of the Redis engine used by the cluster.
 	EnginePatchVersion *string `json:"enginePatchVersion,omitempty" tf:"engine_patch_version,omitempty"`
 
+	// Version number of the Redis engine to be used for the cluster. Downgrades are not supported.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
+	// Name of the final cluster snapshot to be created when this resource is deleted. If omitted, no final snapshot will be made.
+	FinalSnapshotName *string `json:"finalSnapshotName,omitempty" tf:"final_snapshot_name,omitempty"`
+
 	// Same as name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of the KMS key used to encrypt the cluster at rest.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Specifies the weekly time range during which maintenance on the cluster is performed. Specify as a range in the format ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance window is a 60 minute period. Example: sun:23:00-mon:01:30.
+	MaintenanceWindow *string `json:"maintenanceWindow,omitempty" tf:"maintenance_window,omitempty"`
+
+	// The compute and memory capacity of the nodes in the cluster. See AWS documentation on supported node types as well as vertical scaling.
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
+
+	// The number of replicas to apply to each shard, up to a maximum of 5. Defaults to 1 (i.e. 2 nodes per shard).
+	NumReplicasPerShard *float64 `json:"numReplicasPerShard,omitempty" tf:"num_replicas_per_shard,omitempty"`
+
+	// The number of shards in the cluster. Defaults to 1.
+	NumShards *float64 `json:"numShards,omitempty" tf:"num_shards,omitempty"`
+
+	// The name of the parameter group associated with the cluster.
+	ParameterGroupName *string `json:"parameterGroupName,omitempty" tf:"parameter_group_name,omitempty"`
+
+	// The port number on which each of the nodes accepts connections. Defaults to 6379.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Set of VPC Security Group ID-s to associate with this cluster.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
 	// Set of shards in this cluster.
 	Shards []ShardsObservation `json:"shards,omitempty" tf:"shards,omitempty"`
 
+	// List of ARN-s that uniquely identify RDB snapshot files stored in S3. The snapshot files will be used to populate the new cluster. Object names in the ARN-s cannot contain any commas.
+	SnapshotArns []*string `json:"snapshotArns,omitempty" tf:"snapshot_arns,omitempty"`
+
+	// The name of a snapshot from which to restore data into the new cluster.
+	SnapshotName *string `json:"snapshotName,omitempty" tf:"snapshot_name,omitempty"`
+
+	// The number of days for which MemoryDB retains automatic snapshots before deleting them. When set to 0, automatic backups are disabled. Defaults to 0.
+	SnapshotRetentionLimit *float64 `json:"snapshotRetentionLimit,omitempty" tf:"snapshot_retention_limit,omitempty"`
+
+	// The daily time range (in UTC) during which MemoryDB begins taking a daily snapshot of your shard. Example: 05:00-09:00.
+	SnapshotWindow *string `json:"snapshotWindow,omitempty" tf:"snapshot_window,omitempty"`
+
+	// ARN of the SNS topic to which cluster notifications are sent.
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
+
+	// The name of the subnet group to be used for the cluster. Defaults to a subnet group consisting of default VPC subnets.
+	SubnetGroupName *string `json:"subnetGroupName,omitempty" tf:"subnet_group_name,omitempty"`
+
+	// A flag to enable in-transit encryption on the cluster. When set to false, the acl_name must be open-access. Defaults to true.
+	TLSEnabled *bool `json:"tlsEnabled,omitempty" tf:"tls_enabled,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -48,8 +114,8 @@ type ClusterObservation struct {
 type ClusterParameters struct {
 
 	// The name of the Access Control List to associate with the cluster.
-	// +kubebuilder:validation:Required
-	ACLName *string `json:"aclName" tf:"acl_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ACLName *string `json:"aclName,omitempty" tf:"acl_name,omitempty"`
 
 	// When set to true, the cluster will automatically receive minor engine version upgrades after launch. Defaults to true.
 	// +kubebuilder:validation:Optional
@@ -89,8 +155,8 @@ type ClusterParameters struct {
 	MaintenanceWindow *string `json:"maintenanceWindow,omitempty" tf:"maintenance_window,omitempty"`
 
 	// The compute and memory capacity of the nodes in the cluster. See AWS documentation on supported node types as well as vertical scaling.
-	// +kubebuilder:validation:Required
-	NodeType *string `json:"nodeType" tf:"node_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
 
 	// The number of replicas to apply to each shard, up to a maximum of 5. Defaults to 1 (i.e. 2 nodes per shard).
 	// +kubebuilder:validation:Optional
@@ -242,8 +308,10 @@ type ClusterStatus struct {
 type Cluster struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterSpec   `json:"spec"`
-	Status            ClusterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.aclName)",message="aclName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.nodeType)",message="nodeType is a required parameter"
+	Spec   ClusterSpec   `json:"spec"`
+	Status ClusterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/memorydb/v1beta1/zz_generated.deepcopy.go b/apis/memorydb/v1beta1/zz_generated.deepcopy.go
index 7972fde4f6..be18ab2cd4 100644
--- a/apis/memorydb/v1beta1/zz_generated.deepcopy.go
+++ b/apis/memorydb/v1beta1/zz_generated.deepcopy.go
@@ -91,6 +91,21 @@ func (in *ACLObservation) DeepCopyInto(out *ACLObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -106,6 +121,17 @@ func (in *ACLObservation) DeepCopyInto(out *ACLObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserNames != nil {
+		in, out := &in.UserNames, &out.UserNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACLObservation.
@@ -395,11 +421,21 @@ func (in *ClusterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 	*out = *in
+	if in.ACLName != nil {
+		in, out := &in.ACLName, &out.ACLName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ClusterEndpoint != nil {
 		in, out := &in.ClusterEndpoint, &out.ClusterEndpoint
 		*out = make([]ClusterEndpointObservation, len(*in))
@@ -407,16 +443,82 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.DataTiering != nil {
+		in, out := &in.DataTiering, &out.DataTiering
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.EnginePatchVersion != nil {
 		in, out := &in.EnginePatchVersion, &out.EnginePatchVersion
 		*out = new(string)
 		**out = **in
 	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.FinalSnapshotName != nil {
+		in, out := &in.FinalSnapshotName, &out.FinalSnapshotName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaintenanceWindow != nil {
+		in, out := &in.MaintenanceWindow, &out.MaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.NodeType != nil {
+		in, out := &in.NodeType, &out.NodeType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumReplicasPerShard != nil {
+		in, out := &in.NumReplicasPerShard, &out.NumReplicasPerShard
+		*out = new(float64)
+		**out = **in
+	}
+	if in.NumShards != nil {
+		in, out := &in.NumShards, &out.NumShards
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ParameterGroupName != nil {
+		in, out := &in.ParameterGroupName, &out.ParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Shards != nil {
 		in, out := &in.Shards, &out.Shards
 		*out = make([]ShardsObservation, len(*in))
@@ -424,6 +526,62 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.SnapshotArns != nil {
+		in, out := &in.SnapshotArns, &out.SnapshotArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnapshotName != nil {
+		in, out := &in.SnapshotName, &out.SnapshotName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotRetentionLimit != nil {
+		in, out := &in.SnapshotRetentionLimit, &out.SnapshotRetentionLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SnapshotWindow != nil {
+		in, out := &in.SnapshotWindow, &out.SnapshotWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetGroupName != nil {
+		in, out := &in.SubnetGroupName, &out.SubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.TLSEnabled != nil {
+		in, out := &in.TLSEnabled, &out.TLSEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -828,11 +986,43 @@ func (in *ParameterGroupObservation) DeepCopyInto(out *ParameterGroupObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -949,6 +1139,16 @@ func (in *ParameterGroupStatus) DeepCopy() *ParameterGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -1112,16 +1312,41 @@ func (in *SnapshotObservation) DeepCopyInto(out *SnapshotObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ClusterName != nil {
+		in, out := &in.ClusterName, &out.ClusterName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.Source != nil {
 		in, out := &in.Source, &out.Source
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1315,11 +1540,42 @@ func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/memorydb/v1beta1/zz_parametergroup_types.go b/apis/memorydb/v1beta1/zz_parametergroup_types.go
index e927778874..af4bc87358 100755
--- a/apis/memorydb/v1beta1/zz_parametergroup_types.go
+++ b/apis/memorydb/v1beta1/zz_parametergroup_types.go
@@ -18,9 +18,21 @@ type ParameterGroupObservation struct {
 	// The ARN of the parameter group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description for the parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The engine version that the parameter group can be used with.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// Same as name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Set of MemoryDB parameters to apply. Any parameters not specified will fall back to their family defaults. Detailed below.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +44,8 @@ type ParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The engine version that the parameter group can be used with.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// Set of MemoryDB parameters to apply. Any parameters not specified will fall back to their family defaults. Detailed below.
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,12 @@ type ParameterGroupParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// The name of the parameter.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -87,8 +105,9 @@ type ParameterGroupStatus struct {
 type ParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ParameterGroupSpec   `json:"spec"`
-	Status            ParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	Spec   ParameterGroupSpec   `json:"spec"`
+	Status ParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/memorydb/v1beta1/zz_snapshot_types.go b/apis/memorydb/v1beta1/zz_snapshot_types.go
index e4eaf4b35f..cf3cbc32e0 100755
--- a/apis/memorydb/v1beta1/zz_snapshot_types.go
+++ b/apis/memorydb/v1beta1/zz_snapshot_types.go
@@ -66,12 +66,21 @@ type SnapshotObservation struct {
 	// The configuration of the cluster from which the snapshot was taken.
 	ClusterConfiguration []ClusterConfigurationObservation `json:"clusterConfiguration,omitempty" tf:"cluster_configuration,omitempty"`
 
+	// Name of the MemoryDB cluster to take a snapshot of.
+	ClusterName *string `json:"clusterName,omitempty" tf:"cluster_name,omitempty"`
+
 	// The name of the snapshot.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of the KMS key used to encrypt the snapshot at rest.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
 	// Indicates whether the snapshot is from an automatic backup (automated) or was created manually (manual).
 	Source *string `json:"source,omitempty" tf:"source,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/memorydb/v1beta1/zz_subnetgroup_types.go b/apis/memorydb/v1beta1/zz_subnetgroup_types.go
index 465343b312..7160df4f73 100755
--- a/apis/memorydb/v1beta1/zz_subnetgroup_types.go
+++ b/apis/memorydb/v1beta1/zz_subnetgroup_types.go
@@ -18,9 +18,18 @@ type SubnetGroupObservation struct {
 	// The ARN of the subnet group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description for the subnet group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The name of the subnet group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Set of VPC Subnet ID-s for the subnet group. At least one subnet must be provided.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
diff --git a/apis/mq/v1beta1/zz_broker_types.go b/apis/mq/v1beta1/zz_broker_types.go
index 029c32a949..5f98b12798 100755
--- a/apis/mq/v1beta1/zz_broker_types.go
+++ b/apis/mq/v1beta1/zz_broker_types.go
@@ -15,17 +15,74 @@ import (
 
 type BrokerObservation struct {
 
+	// Specifies whether any broker modifications are applied immediately, or during the next maintenance window. Default is false.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// ARN of the broker.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Authentication strategy used to secure the broker. Valid values are simple and ldap. ldap is not supported for engine_type RabbitMQ.
+	AuthenticationStrategy *string `json:"authenticationStrategy,omitempty" tf:"authentication_strategy,omitempty"`
+
+	// Whether to automatically upgrade to new minor versions of brokers as Amazon MQ makes releases available.
+	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// Name of the broker.
+	BrokerName *string `json:"brokerName,omitempty" tf:"broker_name,omitempty"`
+
+	// Configuration block for broker configuration. Applies to engine_type of ActiveMQ only. Detailed below.
+	Configuration []ConfigurationObservation `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// Deployment mode of the broker. Valid values are SINGLE_INSTANCE, ACTIVE_STANDBY_MULTI_AZ, and CLUSTER_MULTI_AZ. Default is SINGLE_INSTANCE.
+	DeploymentMode *string `json:"deploymentMode,omitempty" tf:"deployment_mode,omitempty"`
+
+	// Configuration block containing encryption options. Detailed below.
+	EncryptionOptions []EncryptionOptionsObservation `json:"encryptionOptions,omitempty" tf:"encryption_options,omitempty"`
+
+	// Type of broker engine. Valid values are ActiveMQ and RabbitMQ.
+	EngineType *string `json:"engineType,omitempty" tf:"engine_type,omitempty"`
+
+	// Version of the broker engine. See the AmazonMQ Broker Engine docs for supported versions. For example, 5.15.0.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
+	// Broker's instance type. For example, mq.t3.micro, mq.m5.large.
+	HostInstanceType *string `json:"hostInstanceType,omitempty" tf:"host_instance_type,omitempty"`
+
 	// Unique ID that Amazon MQ generates for the broker.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// List of information about allocated brokers (both active & standby).
 	Instances []InstancesObservation `json:"instances,omitempty" tf:"instances,omitempty"`
 
+	// Configuration block for the LDAP server used to authenticate and authorize connections to the broker. Not supported for engine_type RabbitMQ. Detailed below. (Currently, AWS may not process changes to LDAP server metadata.)
+	LdapServerMetadata []LdapServerMetadataObservation `json:"ldapServerMetadata,omitempty" tf:"ldap_server_metadata,omitempty"`
+
+	// Configuration block for the logging configuration of the broker. Detailed below.
+	Logs []LogsObservation `json:"logs,omitempty" tf:"logs,omitempty"`
+
+	// Configuration block for the maintenance window start time. Detailed below.
+	MaintenanceWindowStartTime []MaintenanceWindowStartTimeObservation `json:"maintenanceWindowStartTime,omitempty" tf:"maintenance_window_start_time,omitempty"`
+
+	// Whether to enable connections from applications outside of the VPC that hosts the broker's subnets.
+	PubliclyAccessible *bool `json:"publiclyAccessible,omitempty" tf:"publicly_accessible,omitempty"`
+
+	// List of security group IDs assigned to the broker.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// Storage type of the broker. For engine_type ActiveMQ, the valid values are efs and ebs, and the AWS-default is efs. For engine_type RabbitMQ, only ebs is supported. When using ebs, only the mq.m5 broker instance type family is supported.
+	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
+
+	// List of subnet IDs in which to launch the broker. A SINGLE_INSTANCE deployment requires one subnet. An ACTIVE_STANDBY_MULTI_AZ deployment requires multiple subnets.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration block for broker users. For engine_type of RabbitMQ, Amazon MQ does not return broker users preventing this resource from making user updates and drift detection. Detailed below.
+	User []UserObservation `json:"user,omitempty" tf:"user,omitempty"`
 }
 
 type BrokerParameters struct {
@@ -43,8 +100,8 @@ type BrokerParameters struct {
 	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
 
 	// Name of the broker.
-	// +kubebuilder:validation:Required
-	BrokerName *string `json:"brokerName" tf:"broker_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	BrokerName *string `json:"brokerName,omitempty" tf:"broker_name,omitempty"`
 
 	// Configuration block for broker configuration. Applies to engine_type of ActiveMQ only. Detailed below.
 	// +kubebuilder:validation:Optional
@@ -59,16 +116,16 @@ type BrokerParameters struct {
 	EncryptionOptions []EncryptionOptionsParameters `json:"encryptionOptions,omitempty" tf:"encryption_options,omitempty"`
 
 	// Type of broker engine. Valid values are ActiveMQ and RabbitMQ.
-	// +kubebuilder:validation:Required
-	EngineType *string `json:"engineType" tf:"engine_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	EngineType *string `json:"engineType,omitempty" tf:"engine_type,omitempty"`
 
 	// Version of the broker engine. See the AmazonMQ Broker Engine docs for supported versions. For example, 5.15.0.
-	// +kubebuilder:validation:Required
-	EngineVersion *string `json:"engineVersion" tf:"engine_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
 
 	// Broker's instance type. For example, mq.t3.micro, mq.m5.large.
-	// +kubebuilder:validation:Required
-	HostInstanceType *string `json:"hostInstanceType" tf:"host_instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	HostInstanceType *string `json:"hostInstanceType,omitempty" tf:"host_instance_type,omitempty"`
 
 	// Configuration block for the LDAP server used to authenticate and authorize connections to the broker. Not supported for engine_type RabbitMQ. Detailed below. (Currently, AWS may not process changes to LDAP server metadata.)
 	// +kubebuilder:validation:Optional
@@ -119,11 +176,17 @@ type BrokerParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Configuration block for broker users. For engine_type of RabbitMQ, Amazon MQ does not return broker users preventing this resource from making user updates and drift detection. Detailed below.
-	// +kubebuilder:validation:Required
-	User []UserParameters `json:"user" tf:"user,omitempty"`
+	// +kubebuilder:validation:Optional
+	User []UserParameters `json:"user,omitempty" tf:"user,omitempty"`
 }
 
 type ConfigurationObservation struct {
+
+	// The Configuration ID.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Revision of the Configuration.
+	Revision *float64 `json:"revision,omitempty" tf:"revision,omitempty"`
 }
 
 type ConfigurationParameters struct {
@@ -148,6 +211,12 @@ type ConfigurationParameters struct {
 }
 
 type EncryptionOptionsObservation struct {
+
+	// Amazon Resource Name (ARN) of Key Management Service (KMS) Customer Master Key (CMK) to use for encryption at rest. Requires setting use_aws_owned_key to false. To perform drift detection when AWS-managed CMKs or customer-managed CMKs are in use, this value must be configured.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Whether to enable an AWS-owned KMS CMK that is not in your account. Defaults to true. Setting to false without configuring kms_key_id will create an AWS-managed CMK aliased to aws/mq in your account.
+	UseAwsOwnedKey *bool `json:"useAwsOwnedKey,omitempty" tf:"use_aws_owned_key,omitempty"`
 }
 
 type EncryptionOptionsParameters struct {
@@ -177,6 +246,36 @@ type InstancesParameters struct {
 }
 
 type LdapServerMetadataObservation struct {
+
+	// List of a fully qualified domain name of the LDAP server and an optional failover server.
+	Hosts []*string `json:"hosts,omitempty" tf:"hosts,omitempty"`
+
+	// Fully qualified name of the directory to search for a user’s groups.
+	RoleBase *string `json:"roleBase,omitempty" tf:"role_base,omitempty"`
+
+	// Specifies the LDAP attribute that identifies the group name attribute in the object returned from the group membership query.
+	RoleName *string `json:"roleName,omitempty" tf:"role_name,omitempty"`
+
+	// Search criteria for groups.
+	RoleSearchMatching *string `json:"roleSearchMatching,omitempty" tf:"role_search_matching,omitempty"`
+
+	// Whether the directory search scope is the entire sub-tree.
+	RoleSearchSubtree *bool `json:"roleSearchSubtree,omitempty" tf:"role_search_subtree,omitempty"`
+
+	// Service account username.
+	ServiceAccountUsername *string `json:"serviceAccountUsername,omitempty" tf:"service_account_username,omitempty"`
+
+	// Fully qualified name of the directory where you want to search for users.
+	UserBase *string `json:"userBase,omitempty" tf:"user_base,omitempty"`
+
+	// Specifies the name of the LDAP attribute for the user group membership.
+	UserRoleName *string `json:"userRoleName,omitempty" tf:"user_role_name,omitempty"`
+
+	// Search criteria for users.
+	UserSearchMatching *string `json:"userSearchMatching,omitempty" tf:"user_search_matching,omitempty"`
+
+	// Whether the directory search scope is the entire sub-tree.
+	UserSearchSubtree *bool `json:"userSearchSubtree,omitempty" tf:"user_search_subtree,omitempty"`
 }
 
 type LdapServerMetadataParameters struct {
@@ -227,6 +326,12 @@ type LdapServerMetadataParameters struct {
 }
 
 type LogsObservation struct {
+
+	// Enables audit logging. Auditing is only possible for engine_type of ActiveMQ. User management action made using JMX or the ActiveMQ Web Console is logged. Defaults to false.
+	Audit *string `json:"audit,omitempty" tf:"audit,omitempty"`
+
+	// Enables general logging via CloudWatch. Defaults to false.
+	General *bool `json:"general,omitempty" tf:"general,omitempty"`
 }
 
 type LogsParameters struct {
@@ -241,6 +346,15 @@ type LogsParameters struct {
 }
 
 type MaintenanceWindowStartTimeObservation struct {
+
+	// Day of the week, e.g., MONDAY, TUESDAY, or WEDNESDAY.
+	DayOfWeek *string `json:"dayOfWeek,omitempty" tf:"day_of_week,omitempty"`
+
+	// Time, in 24-hour format, e.g., 02:00.
+	TimeOfDay *string `json:"timeOfDay,omitempty" tf:"time_of_day,omitempty"`
+
+	// Time zone in either the Country/City format or the UTC offset format, e.g., CET.
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type MaintenanceWindowStartTimeParameters struct {
@@ -259,6 +373,15 @@ type MaintenanceWindowStartTimeParameters struct {
 }
 
 type UserObservation struct {
+
+	// Whether to enable access to the ActiveMQ Web Console for the user. Applies to engine_type of ActiveMQ only.
+	ConsoleAccess *bool `json:"consoleAccess,omitempty" tf:"console_access,omitempty"`
+
+	// List of groups (20 maximum) to which the ActiveMQ user belongs. Applies to engine_type of ActiveMQ only.
+	Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"`
+
+	// Username of the user.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type UserParameters struct {
@@ -304,8 +427,13 @@ type BrokerStatus struct {
 type Broker struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BrokerSpec   `json:"spec"`
-	Status            BrokerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.brokerName)",message="brokerName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineType)",message="engineType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineVersion)",message="engineVersion is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hostInstanceType)",message="hostInstanceType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.user)",message="user is a required parameter"
+	Spec   BrokerSpec   `json:"spec"`
+	Status BrokerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/mq/v1beta1/zz_configuration_types.go b/apis/mq/v1beta1/zz_configuration_types.go
index aa2f389bfa..ca8496ad15 100755
--- a/apis/mq/v1beta1/zz_configuration_types.go
+++ b/apis/mq/v1beta1/zz_configuration_types.go
@@ -18,12 +18,33 @@ type ConfigurationObservation_2 struct {
 	// ARN of the configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Authentication strategy associated with the configuration. Valid values are simple and ldap. ldap is not supported for engine_type RabbitMQ.
+	AuthenticationStrategy *string `json:"authenticationStrategy,omitempty" tf:"authentication_strategy,omitempty"`
+
+	// Broker configuration in XML format. See official docs for supported parameters and format of the XML.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// Description of the configuration.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Type of broker engine. Valid values are ActiveMQ and RabbitMQ.
+	EngineType *string `json:"engineType,omitempty" tf:"engine_type,omitempty"`
+
+	// Version of the broker engine.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// Unique ID that Amazon MQ generates for the configuration.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Latest revision of the configuration.
 	LatestRevision *float64 `json:"latestRevision,omitempty" tf:"latest_revision,omitempty"`
 
+	// Name of the configuration.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,24 +56,24 @@ type ConfigurationParameters_2 struct {
 	AuthenticationStrategy *string `json:"authenticationStrategy,omitempty" tf:"authentication_strategy,omitempty"`
 
 	// Broker configuration in XML format. See official docs for supported parameters and format of the XML.
-	// +kubebuilder:validation:Required
-	Data *string `json:"data" tf:"data,omitempty"`
+	// +kubebuilder:validation:Optional
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
 
 	// Description of the configuration.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Type of broker engine. Valid values are ActiveMQ and RabbitMQ.
-	// +kubebuilder:validation:Required
-	EngineType *string `json:"engineType" tf:"engine_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	EngineType *string `json:"engineType,omitempty" tf:"engine_type,omitempty"`
 
 	// Version of the broker engine.
-	// +kubebuilder:validation:Required
-	EngineVersion *string `json:"engineVersion" tf:"engine_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
 
 	// Name of the configuration.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -88,8 +109,12 @@ type ConfigurationStatus struct {
 type Configuration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConfigurationSpec   `json:"spec"`
-	Status            ConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.data)",message="data is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineType)",message="engineType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineVersion)",message="engineVersion is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ConfigurationSpec   `json:"spec"`
+	Status ConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/mq/v1beta1/zz_generated.deepcopy.go b/apis/mq/v1beta1/zz_generated.deepcopy.go
index 8390e14830..04e317cff0 100644
--- a/apis/mq/v1beta1/zz_generated.deepcopy.go
+++ b/apis/mq/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,65 @@ func (in *BrokerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BrokerObservation) DeepCopyInto(out *BrokerObservation) {
 	*out = *in
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthenticationStrategy != nil {
+		in, out := &in.AuthenticationStrategy, &out.AuthenticationStrategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BrokerName != nil {
+		in, out := &in.BrokerName, &out.BrokerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make([]ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeploymentMode != nil {
+		in, out := &in.DeploymentMode, &out.DeploymentMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionOptions != nil {
+		in, out := &in.EncryptionOptions, &out.EncryptionOptions
+		*out = make([]EncryptionOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EngineType != nil {
+		in, out := &in.EngineType, &out.EngineType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostInstanceType != nil {
+		in, out := &in.HostInstanceType, &out.HostInstanceType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -93,6 +147,74 @@ func (in *BrokerObservation) DeepCopyInto(out *BrokerObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.LdapServerMetadata != nil {
+		in, out := &in.LdapServerMetadata, &out.LdapServerMetadata
+		*out = make([]LdapServerMetadataObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Logs != nil {
+		in, out := &in.Logs, &out.Logs
+		*out = make([]LogsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaintenanceWindowStartTime != nil {
+		in, out := &in.MaintenanceWindowStartTime, &out.MaintenanceWindowStartTime
+		*out = make([]MaintenanceWindowStartTimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PubliclyAccessible != nil {
+		in, out := &in.PubliclyAccessible, &out.PubliclyAccessible
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StorageType != nil {
+		in, out := &in.StorageType, &out.StorageType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -108,6 +230,13 @@ func (in *BrokerObservation) DeepCopyInto(out *BrokerObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.User != nil {
+		in, out := &in.User, &out.User
+		*out = make([]UserObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BrokerObservation.
@@ -377,6 +506,16 @@ func (in *ConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation) {
 	*out = *in
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Revision != nil {
+		in, out := &in.Revision, &out.Revision
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationObservation.
@@ -397,6 +536,31 @@ func (in *ConfigurationObservation_2) DeepCopyInto(out *ConfigurationObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthenticationStrategy != nil {
+		in, out := &in.AuthenticationStrategy, &out.AuthenticationStrategy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineType != nil {
+		in, out := &in.EngineType, &out.EngineType
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -407,6 +571,26 @@ func (in *ConfigurationObservation_2) DeepCopyInto(out *ConfigurationObservation
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -571,6 +755,16 @@ func (in *ConfigurationStatus) DeepCopy() *ConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionOptionsObservation) DeepCopyInto(out *EncryptionOptionsObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseAwsOwnedKey != nil {
+		in, out := &in.UseAwsOwnedKey, &out.UseAwsOwnedKey
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionOptionsObservation.
@@ -662,6 +856,62 @@ func (in *InstancesParameters) DeepCopy() *InstancesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LdapServerMetadataObservation) DeepCopyInto(out *LdapServerMetadataObservation) {
 	*out = *in
+	if in.Hosts != nil {
+		in, out := &in.Hosts, &out.Hosts
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RoleBase != nil {
+		in, out := &in.RoleBase, &out.RoleBase
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleName != nil {
+		in, out := &in.RoleName, &out.RoleName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleSearchMatching != nil {
+		in, out := &in.RoleSearchMatching, &out.RoleSearchMatching
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleSearchSubtree != nil {
+		in, out := &in.RoleSearchSubtree, &out.RoleSearchSubtree
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ServiceAccountUsername != nil {
+		in, out := &in.ServiceAccountUsername, &out.ServiceAccountUsername
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserBase != nil {
+		in, out := &in.UserBase, &out.UserBase
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserRoleName != nil {
+		in, out := &in.UserRoleName, &out.UserRoleName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserSearchMatching != nil {
+		in, out := &in.UserSearchMatching, &out.UserSearchMatching
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserSearchSubtree != nil {
+		in, out := &in.UserSearchSubtree, &out.UserSearchSubtree
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LdapServerMetadataObservation.
@@ -753,6 +1003,16 @@ func (in *LdapServerMetadataParameters) DeepCopy() *LdapServerMetadataParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogsObservation) DeepCopyInto(out *LogsObservation) {
 	*out = *in
+	if in.Audit != nil {
+		in, out := &in.Audit, &out.Audit
+		*out = new(string)
+		**out = **in
+	}
+	if in.General != nil {
+		in, out := &in.General, &out.General
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogsObservation.
@@ -793,6 +1053,21 @@ func (in *LogsParameters) DeepCopy() *LogsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceWindowStartTimeObservation) DeepCopyInto(out *MaintenanceWindowStartTimeObservation) {
 	*out = *in
+	if in.DayOfWeek != nil {
+		in, out := &in.DayOfWeek, &out.DayOfWeek
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeOfDay != nil {
+		in, out := &in.TimeOfDay, &out.TimeOfDay
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceWindowStartTimeObservation.
@@ -838,6 +1113,27 @@ func (in *MaintenanceWindowStartTimeParameters) DeepCopy() *MaintenanceWindowSta
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 	*out = *in
+	if in.ConsoleAccess != nil {
+		in, out := &in.ConsoleAccess, &out.ConsoleAccess
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserObservation.
diff --git a/apis/neptune/v1beta1/zz_cluster_types.go b/apis/neptune/v1beta1/zz_cluster_types.go
index 4cc52bfcd6..49c0c85b19 100755
--- a/apis/neptune/v1beta1/zz_cluster_types.go
+++ b/apis/neptune/v1beta1/zz_cluster_types.go
@@ -15,29 +15,110 @@ import (
 
 type ClusterObservation struct {
 
+	// Specifies whether upgrades between different major versions are allowed. You must set it to true when providing an engine_version parameter that uses a different major version than the DB cluster's current version. Default is false.
+	AllowMajorVersionUpgrade *bool `json:"allowMajorVersionUpgrade,omitempty" tf:"allow_major_version_upgrade,omitempty"`
+
+	// Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is false.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// The Neptune Cluster Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A list of EC2 Availability Zones that instances in the Neptune cluster can be created in.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	// The days to retain backups for. Default 1
+	BackupRetentionPeriod *float64 `json:"backupRetentionPeriod,omitempty" tf:"backup_retention_period,omitempty"`
+
 	// – List of Neptune Instances that are a part of this cluster
 	ClusterMembers []*string `json:"clusterMembers,omitempty" tf:"cluster_members,omitempty"`
 
 	// The Neptune Cluster Resource ID
 	ClusterResourceID *string `json:"clusterResourceId,omitempty" tf:"cluster_resource_id,omitempty"`
 
+	// If set to true, tags are copied to any snapshot of the DB cluster that is created.
+	CopyTagsToSnapshot *bool `json:"copyTagsToSnapshot,omitempty" tf:"copy_tags_to_snapshot,omitempty"`
+
+	// A value that indicates whether the DB cluster has deletion protection enabled.The database can't be deleted when deletion protection is enabled. By default, deletion protection is disabled.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// A list of the log types this DB cluster is configured to export to Cloudwatch Logs. Currently only supports audit.
+	EnableCloudwatchLogsExports []*string `json:"enableCloudwatchLogsExports,omitempty" tf:"enable_cloudwatch_logs_exports,omitempty"`
+
 	// The DNS address of the Neptune instance
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The name of the database engine to be used for this Neptune cluster. Defaults to neptune.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// The database engine version.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
+	// The name of your final Neptune snapshot when this Neptune cluster is deleted. If omitted, no final snapshot will be made.
+	FinalSnapshotIdentifier *string `json:"finalSnapshotIdentifier,omitempty" tf:"final_snapshot_identifier,omitempty"`
+
+	// The global cluster identifier specified on aws_neptune_global_cluster.
+	GlobalClusterIdentifier *string `json:"globalClusterIdentifier,omitempty" tf:"global_cluster_identifier,omitempty"`
+
 	// The Route53 Hosted Zone ID of the endpoint
 	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
 
+	// Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled.
+	IAMDatabaseAuthenticationEnabled *bool `json:"iamDatabaseAuthenticationEnabled,omitempty" tf:"iam_database_authentication_enabled,omitempty"`
+
+	// A List of ARNs for the IAM roles to associate to the Neptune Cluster.
+	IAMRoles []*string `json:"iamRoles,omitempty" tf:"iam_roles,omitempty"`
+
 	// The Neptune Cluster Identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN for the KMS encryption key. When specifying kms_key_arn, storage_encrypted needs to be set to true.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// A cluster parameter group to associate with the cluster.
+	NeptuneClusterParameterGroupName *string `json:"neptuneClusterParameterGroupName,omitempty" tf:"neptune_cluster_parameter_group_name,omitempty"`
+
+	// The name of the DB parameter group to apply to all instances of the DB cluster.
+	NeptuneInstanceParameterGroupName *string `json:"neptuneInstanceParameterGroupName,omitempty" tf:"neptune_instance_parameter_group_name,omitempty"`
+
+	// A Neptune subnet group to associate with this Neptune instance.
+	NeptuneSubnetGroupName *string `json:"neptuneSubnetGroupName,omitempty" tf:"neptune_subnet_group_name,omitempty"`
+
+	// The port on which the Neptune accepts connections. Default is 8182.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter. Time in UTC. Default: A 30-minute window selected at random from an 8-hour block of time per regionE.g., 04:00-09:00
+	PreferredBackupWindow *string `json:"preferredBackupWindow,omitempty" tf:"preferred_backup_window,omitempty"`
+
+	// The weekly time range during which system maintenance can occur, in (UTC) e.g., wed:04:00-wed:04:30
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
 	// A read-only endpoint for the Neptune cluster, automatically load-balanced across replicas
 	ReaderEndpoint *string `json:"readerEndpoint,omitempty" tf:"reader_endpoint,omitempty"`
 
+	// ARN of a source Neptune cluster or Neptune instance if this Neptune cluster is to be created as a Read Replica.
+	ReplicationSourceIdentifier *string `json:"replicationSourceIdentifier,omitempty" tf:"replication_source_identifier,omitempty"`
+
+	// If set, create the Neptune cluster as a serverless one. See Serverless for example block attributes.
+	ServerlessV2ScalingConfiguration []ServerlessV2ScalingConfigurationObservation `json:"serverlessV2ScalingConfiguration,omitempty" tf:"serverless_v2_scaling_configuration,omitempty"`
+
+	// Determines whether a final Neptune snapshot is created before the Neptune cluster is deleted. If true is specified, no Neptune snapshot is created. If false is specified, a Neptune snapshot is created before the Neptune cluster is deleted, using the value from final_snapshot_identifier. Default is false.
+	SkipFinalSnapshot *bool `json:"skipFinalSnapshot,omitempty" tf:"skip_final_snapshot,omitempty"`
+
+	// Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a Neptune cluster snapshot, or the ARN when specifying a Neptune snapshot.
+	SnapshotIdentifier *string `json:"snapshotIdentifier,omitempty" tf:"snapshot_identifier,omitempty"`
+
+	// Specifies whether the Neptune cluster is encrypted. The default is false if not specified.
+	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// List of VPC security groups to associate with the Cluster
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 }
 
 type ClusterParameters struct {
@@ -224,6 +305,12 @@ type ClusterParameters struct {
 }
 
 type ServerlessV2ScalingConfigurationObservation struct {
+
+	// : (default: 128) The maximum Neptune Capacity Units (NCUs) for this cluster. Must be lower or equal than 128. See AWS Documentation for more details.
+	MaxCapacity *float64 `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
+
+	// : (default: 2.5) The minimum Neptune Capacity Units (NCUs) for this cluster. Must be greater or equal than 2.5. See AWS Documentation for more details.
+	MinCapacity *float64 `json:"minCapacity,omitempty" tf:"min_capacity,omitempty"`
 }
 
 type ServerlessV2ScalingConfigurationParameters struct {
diff --git a/apis/neptune/v1beta1/zz_clusterendpoint_types.go b/apis/neptune/v1beta1/zz_clusterendpoint_types.go
index a63e3f6f54..1d6af16601 100755
--- a/apis/neptune/v1beta1/zz_clusterendpoint_types.go
+++ b/apis/neptune/v1beta1/zz_clusterendpoint_types.go
@@ -18,12 +18,27 @@ type ClusterEndpointObservation struct {
 	// The Neptune Cluster Endpoint Amazon Resource Name (ARN).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The DB cluster identifier of the DB cluster associated with the endpoint.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
 	// The DNS address of the endpoint.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The type of the endpoint. One of: READER, WRITER, ANY.
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
+
+	// List of DB instance identifiers that aren't part of the custom endpoint group. All other eligible instances are reachable through the custom endpoint. Only relevant if the list of static members is empty.
+	ExcludedMembers []*string `json:"excludedMembers,omitempty" tf:"excluded_members,omitempty"`
+
 	// The Neptune Cluster Endpoint Identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of DB instance identifiers that are part of the custom endpoint group.
+	StaticMembers []*string `json:"staticMembers,omitempty" tf:"static_members,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -44,8 +59,8 @@ type ClusterEndpointParameters struct {
 	ClusterIdentifierSelector *v1.Selector `json:"clusterIdentifierSelector,omitempty" tf:"-"`
 
 	// The type of the endpoint. One of: READER, WRITER, ANY.
-	// +kubebuilder:validation:Required
-	EndpointType *string `json:"endpointType" tf:"endpoint_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
 
 	// List of DB instance identifiers that aren't part of the custom endpoint group. All other eligible instances are reachable through the custom endpoint. Only relevant if the list of static members is empty.
 	// +kubebuilder:validation:Optional
@@ -89,8 +104,9 @@ type ClusterEndpointStatus struct {
 type ClusterEndpoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterEndpointSpec   `json:"spec"`
-	Status            ClusterEndpointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpointType)",message="endpointType is a required parameter"
+	Spec   ClusterEndpointSpec   `json:"spec"`
+	Status ClusterEndpointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/neptune/v1beta1/zz_clusterinstance_types.go b/apis/neptune/v1beta1/zz_clusterinstance_types.go
index 730c537bea..7eedb2dd8e 100755
--- a/apis/neptune/v1beta1/zz_clusterinstance_types.go
+++ b/apis/neptune/v1beta1/zz_clusterinstance_types.go
@@ -18,24 +18,71 @@ type ClusterInstanceObservation struct {
 	// The hostname of the instance. See also endpoint and port.
 	Address *string `json:"address,omitempty" tf:"address,omitempty"`
 
+	// Specifies whether any instance modifications
+	// are applied immediately, or during the next maintenance window. Default isfalse.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// Amazon Resource Name (ARN) of neptune instance
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Indicates that minor engine upgrades will be applied automatically to the instance during the maintenance window. Default is true.
+	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// The EC2 Availability Zone that the neptune instance is created in.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The identifier of the aws_neptune_cluster in which to launch this instance.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
 	// The region-unique, immutable identifier for the neptune instance.
 	DbiResourceID *string `json:"dbiResourceId,omitempty" tf:"dbi_resource_id,omitempty"`
 
 	// The connection endpoint in address:port format.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The name of the database engine to be used for the neptune instance. Defaults to neptune. Valid Values: neptune.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// The neptune engine version.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// The Instance identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The instance class to use.
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
+
 	// The ARN for the KMS encryption key if one is set to the neptune cluster.
 	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
 
+	// The name of the neptune parameter group to associate with this instance.
+	NeptuneParameterGroupName *string `json:"neptuneParameterGroupName,omitempty" tf:"neptune_parameter_group_name,omitempty"`
+
+	// A subnet group to associate with this neptune instance. NOTE: This must match the neptune_subnet_group_name of the attached aws_neptune_cluster.
+	NeptuneSubnetGroupName *string `json:"neptuneSubnetGroupName,omitempty" tf:"neptune_subnet_group_name,omitempty"`
+
+	// The port on which the DB accepts connections. Defaults to 8182.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The daily time range during which automated backups are created if automated backups are enabled. Eg: "04:00-09:00"
+	PreferredBackupWindow *string `json:"preferredBackupWindow,omitempty" tf:"preferred_backup_window,omitempty"`
+
+	// The window to perform maintenance in.
+	// Syntax: "ddd:hh24:mi-ddd:hh24:mi". Eg: "Mon:00:00-Mon:03:00".
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
+	// Default 0. Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoter to writer.
+	PromotionTier *float64 `json:"promotionTier,omitempty" tf:"promotion_tier,omitempty"`
+
+	// Bool to control if instance is publicly accessible. Default is false.
+	PubliclyAccessible *bool `json:"publiclyAccessible,omitempty" tf:"publicly_accessible,omitempty"`
+
 	// Specifies whether the neptune cluster is encrypted.
 	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -80,8 +127,8 @@ type ClusterInstanceParameters struct {
 	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
 
 	// The instance class to use.
-	// +kubebuilder:validation:Required
-	InstanceClass *string `json:"instanceClass" tf:"instance_class,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
 
 	// The name of the neptune parameter group to associate with this instance.
 	// +crossplane:generate:reference:type=ParameterGroup
@@ -164,8 +211,9 @@ type ClusterInstanceStatus struct {
 type ClusterInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterInstanceSpec   `json:"spec"`
-	Status            ClusterInstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)",message="instanceClass is a required parameter"
+	Spec   ClusterInstanceSpec   `json:"spec"`
+	Status ClusterInstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/neptune/v1beta1/zz_clusterparametergroup_types.go b/apis/neptune/v1beta1/zz_clusterparametergroup_types.go
index b2a32e3e70..9aef77adcf 100755
--- a/apis/neptune/v1beta1/zz_clusterparametergroup_types.go
+++ b/apis/neptune/v1beta1/zz_clusterparametergroup_types.go
@@ -18,9 +18,21 @@ type ClusterParameterGroupObservation struct {
 	// The ARN of the neptune cluster parameter group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the neptune cluster parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The family of the neptune cluster parameter group.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// The neptune cluster parameter group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of neptune parameters to apply.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +44,8 @@ type ClusterParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The family of the neptune cluster parameter group.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// A list of neptune parameters to apply.
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,15 @@ type ClusterParameterGroupParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// Valid values are immediate and pending-reboot. Defaults to pending-reboot.
+	ApplyMethod *string `json:"applyMethod,omitempty" tf:"apply_method,omitempty"`
+
+	// The name of the neptune cluster parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the neptune parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -91,8 +112,9 @@ type ClusterParameterGroupStatus struct {
 type ClusterParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterParameterGroupSpec   `json:"spec"`
-	Status            ClusterParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	Spec   ClusterParameterGroupSpec   `json:"spec"`
+	Status ClusterParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/neptune/v1beta1/zz_clustersnapshot_types.go b/apis/neptune/v1beta1/zz_clustersnapshot_types.go
index 0fc4959ac1..e178202a39 100755
--- a/apis/neptune/v1beta1/zz_clustersnapshot_types.go
+++ b/apis/neptune/v1beta1/zz_clustersnapshot_types.go
@@ -21,6 +21,9 @@ type ClusterSnapshotObservation struct {
 	// List of EC2 Availability Zones that instances in the DB cluster snapshot can be restored in.
 	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
 
+	// The DB Cluster Identifier from which to take the snapshot.
+	DBClusterIdentifier *string `json:"dbClusterIdentifier,omitempty" tf:"db_cluster_identifier,omitempty"`
+
 	// The Amazon Resource Name (ARN) for the DB Cluster Snapshot.
 	DBClusterSnapshotArn *string `json:"dbClusterSnapshotArn,omitempty" tf:"db_cluster_snapshot_arn,omitempty"`
 
diff --git a/apis/neptune/v1beta1/zz_eventsubscription_types.go b/apis/neptune/v1beta1/zz_eventsubscription_types.go
index 6d5a76136c..3e468d94b5 100755
--- a/apis/neptune/v1beta1/zz_eventsubscription_types.go
+++ b/apis/neptune/v1beta1/zz_eventsubscription_types.go
@@ -21,9 +21,27 @@ type EventSubscriptionObservation struct {
 	// The AWS customer account associated with the Neptune event notification subscription.
 	CustomerAwsID *string `json:"customerAwsId,omitempty" tf:"customer_aws_id,omitempty"`
 
+	// A boolean flag to enable/disable the subscription. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// A list of event categories for a source_type that you want to subscribe to. Run aws neptune describe-event-categories to find all the event categories.
+	EventCategories []*string `json:"eventCategories,omitempty" tf:"event_categories,omitempty"`
+
 	// The name of the Neptune event notification subscription.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN of the SNS topic to send events to.
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
+
+	// A list of identifiers of the event sources for which events will be returned. If not specified, then all sources are included in the response. If specified, a source_type must also be specified.
+	SourceIds []*string `json:"sourceIds,omitempty" tf:"source_ids,omitempty"`
+
+	// The type of source that will be generating the events. Valid options are db-instance, db-security-group, db-parameter-group, db-snapshot, db-cluster or db-cluster-snapshot. If not set, all sources will be subscribed to.
+	SourceType *string `json:"sourceType,omitempty" tf:"source_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/neptune/v1beta1/zz_generated.deepcopy.go b/apis/neptune/v1beta1/zz_generated.deepcopy.go
index eb0a5ca4b4..b34c57b664 100644
--- a/apis/neptune/v1beta1/zz_generated.deepcopy.go
+++ b/apis/neptune/v1beta1/zz_generated.deepcopy.go
@@ -108,16 +108,63 @@ func (in *ClusterEndpointObservation) DeepCopyInto(out *ClusterEndpointObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.EndpointType != nil {
+		in, out := &in.EndpointType, &out.EndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExcludedMembers != nil {
+		in, out := &in.ExcludedMembers, &out.ExcludedMembers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StaticMembers != nil {
+		in, out := &in.StaticMembers, &out.StaticMembers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -323,11 +370,31 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.DbiResourceID != nil {
 		in, out := &in.DbiResourceID, &out.DbiResourceID
 		*out = new(string)
@@ -338,21 +405,86 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceClass != nil {
+		in, out := &in.InstanceClass, &out.InstanceClass
+		*out = new(string)
+		**out = **in
+	}
 	if in.KMSKeyArn != nil {
 		in, out := &in.KMSKeyArn, &out.KMSKeyArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.NeptuneParameterGroupName != nil {
+		in, out := &in.NeptuneParameterGroupName, &out.NeptuneParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NeptuneSubnetGroupName != nil {
+		in, out := &in.NeptuneSubnetGroupName, &out.NeptuneSubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PreferredBackupWindow != nil {
+		in, out := &in.PreferredBackupWindow, &out.PreferredBackupWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PromotionTier != nil {
+		in, out := &in.PromotionTier, &out.PromotionTier
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PubliclyAccessible != nil {
+		in, out := &in.PubliclyAccessible, &out.PubliclyAccessible
+		*out = new(bool)
+		**out = **in
+	}
 	if in.StorageEncrypted != nil {
 		in, out := &in.StorageEncrypted, &out.StorageEncrypted
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -589,11 +721,37 @@ func (in *ClusterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 	*out = *in
+	if in.AllowMajorVersionUpgrade != nil {
+		in, out := &in.AllowMajorVersionUpgrade, &out.AllowMajorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.BackupRetentionPeriod != nil {
+		in, out := &in.BackupRetentionPeriod, &out.BackupRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ClusterMembers != nil {
 		in, out := &in.ClusterMembers, &out.ClusterMembers
 		*out = make([]*string, len(*in))
@@ -610,25 +768,159 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CopyTagsToSnapshot != nil {
+		in, out := &in.CopyTagsToSnapshot, &out.CopyTagsToSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableCloudwatchLogsExports != nil {
+		in, out := &in.EnableCloudwatchLogsExports, &out.EnableCloudwatchLogsExports
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
-	if in.HostedZoneID != nil {
-		in, out := &in.HostedZoneID, &out.HostedZoneID
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.FinalSnapshotIdentifier != nil {
+		in, out := &in.FinalSnapshotIdentifier, &out.FinalSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalClusterIdentifier != nil {
+		in, out := &in.GlobalClusterIdentifier, &out.GlobalClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostedZoneID != nil {
+		in, out := &in.HostedZoneID, &out.HostedZoneID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMDatabaseAuthenticationEnabled != nil {
+		in, out := &in.IAMDatabaseAuthenticationEnabled, &out.IAMDatabaseAuthenticationEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IAMRoles != nil {
+		in, out := &in.IAMRoles, &out.IAMRoles
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.NeptuneClusterParameterGroupName != nil {
+		in, out := &in.NeptuneClusterParameterGroupName, &out.NeptuneClusterParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NeptuneInstanceParameterGroupName != nil {
+		in, out := &in.NeptuneInstanceParameterGroupName, &out.NeptuneInstanceParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NeptuneSubnetGroupName != nil {
+		in, out := &in.NeptuneSubnetGroupName, &out.NeptuneSubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PreferredBackupWindow != nil {
+		in, out := &in.PreferredBackupWindow, &out.PreferredBackupWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReaderEndpoint != nil {
+		in, out := &in.ReaderEndpoint, &out.ReaderEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplicationSourceIdentifier != nil {
+		in, out := &in.ReplicationSourceIdentifier, &out.ReplicationSourceIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerlessV2ScalingConfiguration != nil {
+		in, out := &in.ServerlessV2ScalingConfiguration, &out.ServerlessV2ScalingConfiguration
+		*out = make([]ServerlessV2ScalingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SkipFinalSnapshot != nil {
+		in, out := &in.SkipFinalSnapshot, &out.SkipFinalSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SnapshotIdentifier != nil {
+		in, out := &in.SnapshotIdentifier, &out.SnapshotIdentifier
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
+	if in.StorageEncrypted != nil {
+		in, out := &in.StorageEncrypted, &out.StorageEncrypted
+		*out = new(bool)
 		**out = **in
 	}
-	if in.ReaderEndpoint != nil {
-		in, out := &in.ReaderEndpoint, &out.ReaderEndpoint
-		*out = new(string)
-		**out = **in
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
 	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
@@ -645,6 +937,17 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterObservation.
@@ -724,11 +1027,43 @@ func (in *ClusterParameterGroupObservation) DeepCopyInto(out *ClusterParameterGr
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1185,6 +1520,11 @@ func (in *ClusterSnapshotObservation) DeepCopyInto(out *ClusterSnapshotObservati
 			}
 		}
 	}
+	if in.DBClusterIdentifier != nil {
+		in, out := &in.DBClusterIdentifier, &out.DBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.DBClusterSnapshotArn != nil {
 		in, out := &in.DBClusterSnapshotArn, &out.DBClusterSnapshotArn
 		*out = new(string)
@@ -1432,11 +1772,63 @@ func (in *EventSubscriptionObservation) DeepCopyInto(out *EventSubscriptionObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventCategories != nil {
+		in, out := &in.EventCategories, &out.EventCategories
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceIds != nil {
+		in, out := &in.SourceIds, &out.SourceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceType != nil {
+		in, out := &in.SourceType, &out.SourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1687,6 +2079,21 @@ func (in *GlobalClusterObservation) DeepCopyInto(out *GlobalClusterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.GlobalClusterMembers != nil {
 		in, out := &in.GlobalClusterMembers, &out.GlobalClusterMembers
 		*out = make([]GlobalClusterMembersObservation, len(*in))
@@ -1704,11 +2111,21 @@ func (in *GlobalClusterObservation) DeepCopyInto(out *GlobalClusterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceDBClusterIdentifier != nil {
+		in, out := &in.SourceDBClusterIdentifier, &out.SourceDBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.StorageEncrypted != nil {
+		in, out := &in.StorageEncrypted, &out.StorageEncrypted
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalClusterObservation.
@@ -1877,11 +2294,43 @@ func (in *ParameterGroupObservation) DeepCopyInto(out *ParameterGroupObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterGroupParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1912,6 +2361,21 @@ func (in *ParameterGroupObservation) DeepCopy() *ParameterGroupObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterGroupParameterObservation) DeepCopyInto(out *ParameterGroupParameterObservation) {
 	*out = *in
+	if in.ApplyMethod != nil {
+		in, out := &in.ApplyMethod, &out.ApplyMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterGroupParameterObservation.
@@ -2043,6 +2507,21 @@ func (in *ParameterGroupStatus) DeepCopy() *ParameterGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.ApplyMethod != nil {
+		in, out := &in.ApplyMethod, &out.ApplyMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -2088,6 +2567,16 @@ func (in *ParameterParameters) DeepCopy() *ParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerlessV2ScalingConfigurationObservation) DeepCopyInto(out *ServerlessV2ScalingConfigurationObservation) {
 	*out = *in
+	if in.MaxCapacity != nil {
+		in, out := &in.MaxCapacity, &out.MaxCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinCapacity != nil {
+		in, out := &in.MinCapacity, &out.MinCapacity
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerlessV2ScalingConfigurationObservation.
@@ -2192,11 +2681,42 @@ func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/neptune/v1beta1/zz_globalcluster_types.go b/apis/neptune/v1beta1/zz_globalcluster_types.go
index 97905cf53c..87e03dce5b 100755
--- a/apis/neptune/v1beta1/zz_globalcluster_types.go
+++ b/apis/neptune/v1beta1/zz_globalcluster_types.go
@@ -30,6 +30,15 @@ type GlobalClusterObservation struct {
 	// Global Cluster Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// If the Global Cluster should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// Name of the database engine to be used for this DB cluster. Current Valid values: neptune. Conflicts with source_db_cluster_identifier.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// Engine version of the global database. Upgrading the engine version will result in all cluster members being immediately updated and will.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// Set of objects containing Global Cluster members.
 	GlobalClusterMembers []GlobalClusterMembersObservation `json:"globalClusterMembers,omitempty" tf:"global_cluster_members,omitempty"`
 
@@ -39,7 +48,13 @@ type GlobalClusterObservation struct {
 	// Neptune Global Cluster.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amazon Resource Name (ARN) to use as the primary DB Cluster of the Global Cluster on creation.
+	SourceDBClusterIdentifier *string `json:"sourceDbClusterIdentifier,omitempty" tf:"source_db_cluster_identifier,omitempty"`
+
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Specifies whether the DB cluster is encrypted. The default is false unless source_db_cluster_identifier is specified and encrypted.
+	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
 }
 
 type GlobalClusterParameters struct {
diff --git a/apis/neptune/v1beta1/zz_parametergroup_types.go b/apis/neptune/v1beta1/zz_parametergroup_types.go
index 50f1628a3d..1e832a0f89 100755
--- a/apis/neptune/v1beta1/zz_parametergroup_types.go
+++ b/apis/neptune/v1beta1/zz_parametergroup_types.go
@@ -18,14 +18,35 @@ type ParameterGroupObservation struct {
 	// The Neptune parameter group Amazon Resource Name (ARN).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the Neptune parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The family of the Neptune parameter group.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// The Neptune parameter group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of Neptune parameters to apply.
+	Parameter []ParameterGroupParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
 type ParameterGroupParameterObservation struct {
+
+	// The apply method of the Neptune parameter. Valid values are immediate and pending-reboot. Defaults to pending-reboot.
+	ApplyMethod *string `json:"applyMethod,omitempty" tf:"apply_method,omitempty"`
+
+	// The name of the Neptune parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the Neptune parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterGroupParameterParameters struct {
@@ -50,8 +71,8 @@ type ParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The family of the Neptune parameter group.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// A list of Neptune parameters to apply.
 	// +kubebuilder:validation:Optional
@@ -91,8 +112,9 @@ type ParameterGroupStatus struct {
 type ParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ParameterGroupSpec   `json:"spec"`
-	Status            ParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	Spec   ParameterGroupSpec   `json:"spec"`
+	Status ParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/neptune/v1beta1/zz_subnetgroup_types.go b/apis/neptune/v1beta1/zz_subnetgroup_types.go
index b124da18e1..7360a12551 100755
--- a/apis/neptune/v1beta1/zz_subnetgroup_types.go
+++ b/apis/neptune/v1beta1/zz_subnetgroup_types.go
@@ -18,9 +18,18 @@ type SubnetGroupObservation struct {
 	// The ARN of the neptune subnet group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the neptune subnet group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The neptune subnet group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of VPC subnet IDs.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/networkfirewall/v1beta1/zz_firewall_types.go b/apis/networkfirewall/v1beta1/zz_firewall_types.go
index aaaf4b462e..2ee6908314 100755
--- a/apis/networkfirewall/v1beta1/zz_firewall_types.go
+++ b/apis/networkfirewall/v1beta1/zz_firewall_types.go
@@ -26,6 +26,12 @@ type AttachmentParameters struct {
 }
 
 type EncryptionConfigurationObservation struct {
+
+	// The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+	// The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EncryptionConfigurationParameters struct {
@@ -44,17 +50,47 @@ type FirewallObservation struct {
 	// The Amazon Resource Name (ARN) that identifies the firewall.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A boolean flag indicating whether it is possible to delete the firewall. Defaults to false.
+	DeleteProtection *bool `json:"deleteProtection,omitempty" tf:"delete_protection,omitempty"`
+
+	// A friendly description of the firewall.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// KMS encryption configuration settings. See Encryption Configuration below for details.
+	EncryptionConfiguration []EncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the VPC Firewall policy.
+	FirewallPolicyArn *string `json:"firewallPolicyArn,omitempty" tf:"firewall_policy_arn,omitempty"`
+
+	// (Option) A boolean flag indicating whether it is possible to change the associated firewall policy. Defaults to false.
+	FirewallPolicyChangeProtection *bool `json:"firewallPolicyChangeProtection,omitempty" tf:"firewall_policy_change_protection,omitempty"`
+
 	// Nested list of information about the current status of the firewall.
 	FirewallStatus []FirewallStatusObservation `json:"firewallStatus,omitempty" tf:"firewall_status,omitempty"`
 
 	// The Amazon Resource Name (ARN) that identifies the firewall.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A friendly name of the firewall.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A boolean flag indicating whether it is possible to change the associated subnet(s). Defaults to false.
+	SubnetChangeProtection *bool `json:"subnetChangeProtection,omitempty" tf:"subnet_change_protection,omitempty"`
+
+	// Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
+	SubnetMapping []SubnetMappingObservation `json:"subnetMapping,omitempty" tf:"subnet_mapping,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// A string token used when updating a firewall.
 	UpdateToken *string `json:"updateToken,omitempty" tf:"update_token,omitempty"`
+
+	// The unique identifier of the VPC where AWS Network Firewall should create the firewall.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type FirewallParameters struct {
@@ -90,8 +126,8 @@ type FirewallParameters struct {
 	FirewallPolicyChangeProtection *bool `json:"firewallPolicyChangeProtection,omitempty" tf:"firewall_policy_change_protection,omitempty"`
 
 	// A friendly name of the firewall.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -103,8 +139,8 @@ type FirewallParameters struct {
 	SubnetChangeProtection *bool `json:"subnetChangeProtection,omitempty" tf:"subnet_change_protection,omitempty"`
 
 	// Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
-	// +kubebuilder:validation:Required
-	SubnetMapping []SubnetMappingParameters `json:"subnetMapping" tf:"subnet_mapping,omitempty"`
+	// +kubebuilder:validation:Optional
+	SubnetMapping []SubnetMappingParameters `json:"subnetMapping,omitempty" tf:"subnet_mapping,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -134,6 +170,12 @@ type FirewallStatusParameters struct {
 }
 
 type SubnetMappingObservation struct {
+
+	// The subnet's IP address type. Valida values: "DUALSTACK", "IPV4".
+	IPAddressType *string `json:"ipAddressType,omitempty" tf:"ip_address_type,omitempty"`
+
+	// The unique identifier for the subnet.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type SubnetMappingParameters struct {
@@ -193,8 +235,10 @@ type FirewallStatus struct {
 type Firewall struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FirewallSpec   `json:"spec"`
-	Status            FirewallStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.subnetMapping)",message="subnetMapping is a required parameter"
+	Spec   FirewallSpec   `json:"spec"`
+	Status FirewallStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/networkfirewall/v1beta1/zz_firewallpolicy_types.go b/apis/networkfirewall/v1beta1/zz_firewallpolicy_types.go
index 129490b97d..cbdc09cb56 100755
--- a/apis/networkfirewall/v1beta1/zz_firewallpolicy_types.go
+++ b/apis/networkfirewall/v1beta1/zz_firewallpolicy_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ActionDefinitionObservation struct {
+
+	// A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
+	PublishMetricAction []PublishMetricActionObservation `json:"publishMetricAction,omitempty" tf:"publish_metric_action,omitempty"`
 }
 
 type ActionDefinitionParameters struct {
@@ -24,6 +27,9 @@ type ActionDefinitionParameters struct {
 }
 
 type DimensionObservation struct {
+
+	// The string value to use in the custom metric dimension.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DimensionParameters struct {
@@ -34,6 +40,12 @@ type DimensionParameters struct {
 }
 
 type FirewallPolicyEncryptionConfigurationObservation struct {
+
+	// The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+	// The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type FirewallPolicyEncryptionConfigurationParameters struct {
@@ -48,6 +60,29 @@ type FirewallPolicyEncryptionConfigurationParameters struct {
 }
 
 type FirewallPolicyFirewallPolicyObservation struct {
+
+	// Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. You can specify one of either or neither values of aws:drop_strict or aws:drop_established, as well as any combination of aws:alert_strict and aws:alert_established.
+	StatefulDefaultActions []*string `json:"statefulDefaultActions,omitempty" tf:"stateful_default_actions,omitempty"`
+
+	// A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
+	StatefulEngineOptions []StatefulEngineOptionsObservation `json:"statefulEngineOptions,omitempty" tf:"stateful_engine_options,omitempty"`
+
+	// Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
+	StatefulRuleGroupReference []StatefulRuleGroupReferenceObservation `json:"statefulRuleGroupReference,omitempty" tf:"stateful_rule_group_reference,omitempty"`
+
+	// Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions. See Stateless Custom Action below for details.
+	StatelessCustomAction []StatelessCustomActionObservation `json:"statelessCustomAction,omitempty" tf:"stateless_custom_action,omitempty"`
+
+	// Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: aws:drop, aws:pass, or aws:forward_to_sfe.
+	// In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
+	StatelessDefaultActions []*string `json:"statelessDefaultActions,omitempty" tf:"stateless_default_actions,omitempty"`
+
+	// Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify one of the standard actions including: aws:drop, aws:pass, or aws:forward_to_sfe.
+	// In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.
+	StatelessFragmentDefaultActions []*string `json:"statelessFragmentDefaultActions,omitempty" tf:"stateless_fragment_default_actions,omitempty"`
+
+	// Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
+	StatelessRuleGroupReference []StatelessRuleGroupReferenceObservation `json:"statelessRuleGroupReference,omitempty" tf:"stateless_rule_group_reference,omitempty"`
 }
 
 type FirewallPolicyFirewallPolicyParameters struct {
@@ -88,9 +123,21 @@ type FirewallPolicyObservation struct {
 	// The Amazon Resource Name (ARN) that identifies the firewall policy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A friendly description of the firewall policy.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// KMS encryption configuration settings. See Encryption Configuration below for details.
+	EncryptionConfiguration []FirewallPolicyEncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
+	FirewallPolicy []FirewallPolicyFirewallPolicyObservation `json:"firewallPolicy,omitempty" tf:"firewall_policy,omitempty"`
+
 	// The Amazon Resource Name (ARN) that identifies the firewall policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -109,8 +156,8 @@ type FirewallPolicyParameters struct {
 	EncryptionConfiguration []FirewallPolicyEncryptionConfigurationParameters `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
 
 	// A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
-	// +kubebuilder:validation:Required
-	FirewallPolicy []FirewallPolicyFirewallPolicyParameters `json:"firewallPolicy" tf:"firewall_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	FirewallPolicy []FirewallPolicyFirewallPolicyParameters `json:"firewallPolicy,omitempty" tf:"firewall_policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -123,6 +170,9 @@ type FirewallPolicyParameters struct {
 }
 
 type OverrideObservation struct {
+
+	// The action that changes the rule group from DROP to ALERT . This only applies to managed rule groups.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
 }
 
 type OverrideParameters struct {
@@ -133,6 +183,9 @@ type OverrideParameters struct {
 }
 
 type PublishMetricActionObservation struct {
+
+	// Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.
+	Dimension []DimensionObservation `json:"dimension,omitempty" tf:"dimension,omitempty"`
 }
 
 type PublishMetricActionParameters struct {
@@ -143,6 +196,9 @@ type PublishMetricActionParameters struct {
 }
 
 type StatefulEngineOptionsObservation struct {
+
+	// Indicates how to manage the order of stateful rule evaluation for the policy. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
+	RuleOrder *string `json:"ruleOrder,omitempty" tf:"rule_order,omitempty"`
 }
 
 type StatefulEngineOptionsParameters struct {
@@ -153,6 +209,15 @@ type StatefulEngineOptionsParameters struct {
 }
 
 type StatefulRuleGroupReferenceObservation struct {
+
+	// Configuration block for override values
+	Override []OverrideObservation `json:"override,omitempty" tf:"override,omitempty"`
+
+	// An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the stateless rule group.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type StatefulRuleGroupReferenceParameters struct {
@@ -171,6 +236,12 @@ type StatefulRuleGroupReferenceParameters struct {
 }
 
 type StatelessCustomActionObservation struct {
+
+	// A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
+	ActionDefinition []ActionDefinitionObservation `json:"actionDefinition,omitempty" tf:"action_definition,omitempty"`
+
+	// A friendly name of the custom action.
+	ActionName *string `json:"actionName,omitempty" tf:"action_name,omitempty"`
 }
 
 type StatelessCustomActionParameters struct {
@@ -185,6 +256,12 @@ type StatelessCustomActionParameters struct {
 }
 
 type StatelessRuleGroupReferenceObservation struct {
+
+	// An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the stateless rule group.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type StatelessRuleGroupReferenceParameters struct {
@@ -232,8 +309,9 @@ type FirewallPolicyStatus struct {
 type FirewallPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FirewallPolicySpec   `json:"spec"`
-	Status            FirewallPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.firewallPolicy)",message="firewallPolicy is a required parameter"
+	Spec   FirewallPolicySpec   `json:"spec"`
+	Status FirewallPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/networkfirewall/v1beta1/zz_generated.deepcopy.go b/apis/networkfirewall/v1beta1/zz_generated.deepcopy.go
index 4112020031..945c94a71e 100644
--- a/apis/networkfirewall/v1beta1/zz_generated.deepcopy.go
+++ b/apis/networkfirewall/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,13 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionDefinitionObservation) DeepCopyInto(out *ActionDefinitionObservation) {
 	*out = *in
+	if in.PublishMetricAction != nil {
+		in, out := &in.PublishMetricAction, &out.PublishMetricAction
+		*out = make([]PublishMetricActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionDefinitionObservation.
@@ -54,6 +61,13 @@ func (in *ActionDefinitionParameters) DeepCopy() *ActionDefinitionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionDefinitionPublishMetricActionObservation) DeepCopyInto(out *ActionDefinitionPublishMetricActionObservation) {
 	*out = *in
+	if in.Dimension != nil {
+		in, out := &in.Dimension, &out.Dimension
+		*out = make([]PublishMetricActionDimensionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionDefinitionPublishMetricActionObservation.
@@ -131,6 +145,13 @@ func (in *AttachmentParameters) DeepCopy() *AttachmentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomActionActionDefinitionObservation) DeepCopyInto(out *CustomActionActionDefinitionObservation) {
 	*out = *in
+	if in.PublishMetricAction != nil {
+		in, out := &in.PublishMetricAction, &out.PublishMetricAction
+		*out = make([]ActionDefinitionPublishMetricActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomActionActionDefinitionObservation.
@@ -168,6 +189,18 @@ func (in *CustomActionActionDefinitionParameters) DeepCopy() *CustomActionAction
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomActionObservation) DeepCopyInto(out *CustomActionObservation) {
 	*out = *in
+	if in.ActionDefinition != nil {
+		in, out := &in.ActionDefinition, &out.ActionDefinition
+		*out = make([]CustomActionActionDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ActionName != nil {
+		in, out := &in.ActionName, &out.ActionName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomActionObservation.
@@ -210,6 +243,11 @@ func (in *CustomActionParameters) DeepCopy() *CustomActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
 	*out = *in
+	if in.AddressDefinition != nil {
+		in, out := &in.AddressDefinition, &out.AddressDefinition
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationObservation.
@@ -245,6 +283,16 @@ func (in *DestinationParameters) DeepCopy() *DestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationPortObservation) DeepCopyInto(out *DestinationPortObservation) {
 	*out = *in
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationPortObservation.
@@ -285,6 +333,11 @@ func (in *DestinationPortParameters) DeepCopy() *DestinationPortParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DimensionObservation) DeepCopyInto(out *DimensionObservation) {
 	*out = *in
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DimensionObservation.
@@ -320,6 +373,16 @@ func (in *DimensionParameters) DeepCopy() *DimensionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigurationObservation) DeepCopyInto(out *EncryptionConfigurationObservation) {
 	*out = *in
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigurationObservation.
@@ -424,6 +487,33 @@ func (in *FirewallObservation) DeepCopyInto(out *FirewallObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeleteProtection != nil {
+		in, out := &in.DeleteProtection, &out.DeleteProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]EncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FirewallPolicyArn != nil {
+		in, out := &in.FirewallPolicyArn, &out.FirewallPolicyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FirewallPolicyChangeProtection != nil {
+		in, out := &in.FirewallPolicyChangeProtection, &out.FirewallPolicyChangeProtection
+		*out = new(bool)
+		**out = **in
+	}
 	if in.FirewallStatus != nil {
 		in, out := &in.FirewallStatus, &out.FirewallStatus
 		*out = make([]FirewallStatusObservation, len(*in))
@@ -436,6 +526,38 @@ func (in *FirewallObservation) DeepCopyInto(out *FirewallObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetChangeProtection != nil {
+		in, out := &in.SubnetChangeProtection, &out.SubnetChangeProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SubnetMapping != nil {
+		in, out := &in.SubnetMapping, &out.SubnetMapping
+		*out = make([]SubnetMappingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -456,6 +578,11 @@ func (in *FirewallObservation) DeepCopyInto(out *FirewallObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallObservation.
@@ -602,6 +729,16 @@ func (in *FirewallPolicy) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FirewallPolicyEncryptionConfigurationObservation) DeepCopyInto(out *FirewallPolicyEncryptionConfigurationObservation) {
 	*out = *in
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallPolicyEncryptionConfigurationObservation.
@@ -642,6 +779,67 @@ func (in *FirewallPolicyEncryptionConfigurationParameters) DeepCopy() *FirewallP
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FirewallPolicyFirewallPolicyObservation) DeepCopyInto(out *FirewallPolicyFirewallPolicyObservation) {
 	*out = *in
+	if in.StatefulDefaultActions != nil {
+		in, out := &in.StatefulDefaultActions, &out.StatefulDefaultActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StatefulEngineOptions != nil {
+		in, out := &in.StatefulEngineOptions, &out.StatefulEngineOptions
+		*out = make([]StatefulEngineOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StatefulRuleGroupReference != nil {
+		in, out := &in.StatefulRuleGroupReference, &out.StatefulRuleGroupReference
+		*out = make([]StatefulRuleGroupReferenceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StatelessCustomAction != nil {
+		in, out := &in.StatelessCustomAction, &out.StatelessCustomAction
+		*out = make([]StatelessCustomActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StatelessDefaultActions != nil {
+		in, out := &in.StatelessDefaultActions, &out.StatelessDefaultActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StatelessFragmentDefaultActions != nil {
+		in, out := &in.StatelessFragmentDefaultActions, &out.StatelessFragmentDefaultActions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StatelessRuleGroupReference != nil {
+		in, out := &in.StatelessRuleGroupReference, &out.StatelessRuleGroupReference
+		*out = make([]StatelessRuleGroupReferenceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallPolicyFirewallPolicyObservation.
@@ -770,11 +968,45 @@ func (in *FirewallPolicyObservation) DeepCopyInto(out *FirewallPolicyObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]FirewallPolicyEncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FirewallPolicy != nil {
+		in, out := &in.FirewallPolicy, &out.FirewallPolicy
+		*out = make([]FirewallPolicyFirewallPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -969,6 +1201,36 @@ func (in *FirewallStatusParameters) DeepCopy() *FirewallStatusParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HeaderObservation) DeepCopyInto(out *HeaderObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationPort != nil {
+		in, out := &in.DestinationPort, &out.DestinationPort
+		*out = new(string)
+		**out = **in
+	}
+	if in.Direction != nil {
+		in, out := &in.Direction, &out.Direction
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourcePort != nil {
+		in, out := &in.SourcePort, &out.SourcePort
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderObservation.
@@ -1029,12 +1291,23 @@ func (in *HeaderParameters) DeepCopy() *HeaderParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPSetObservation) DeepCopyInto(out *IPSetObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetObservation.
-func (in *IPSetObservation) DeepCopy() *IPSetObservation {
-	if in == nil {
-		return nil
+	if in.Definition != nil {
+		in, out := &in.Definition, &out.Definition
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetObservation.
+func (in *IPSetObservation) DeepCopy() *IPSetObservation {
+	if in == nil {
+		return nil
 	}
 	out := new(IPSetObservation)
 	in.DeepCopyInto(out)
@@ -1070,6 +1343,11 @@ func (in *IPSetParameters) DeepCopy() *IPSetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPSetReferenceObservation) DeepCopyInto(out *IPSetReferenceObservation) {
 	*out = *in
+	if in.ReferenceArn != nil {
+		in, out := &in.ReferenceArn, &out.ReferenceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetReferenceObservation.
@@ -1115,6 +1393,18 @@ func (in *IPSetReferenceParameters) DeepCopy() *IPSetReferenceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPSetReferencesObservation) DeepCopyInto(out *IPSetReferencesObservation) {
 	*out = *in
+	if in.IPSetReference != nil {
+		in, out := &in.IPSetReference, &out.IPSetReference
+		*out = make([]IPSetReferenceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetReferencesObservation.
@@ -1157,6 +1447,18 @@ func (in *IPSetReferencesParameters) DeepCopy() *IPSetReferencesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPSetsObservation) DeepCopyInto(out *IPSetsObservation) {
 	*out = *in
+	if in.IPSet != nil {
+		in, out := &in.IPSet, &out.IPSet
+		*out = make([]IPSetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetsObservation.
@@ -1199,6 +1501,31 @@ func (in *IPSetsParameters) DeepCopy() *IPSetsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogDestinationConfigObservation) DeepCopyInto(out *LogDestinationConfigObservation) {
 	*out = *in
+	if in.LogDestination != nil {
+		in, out := &in.LogDestination, &out.LogDestination
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.LogDestinationType != nil {
+		in, out := &in.LogDestinationType, &out.LogDestinationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogType != nil {
+		in, out := &in.LogType, &out.LogType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogDestinationConfigObservation.
@@ -1313,6 +1640,13 @@ func (in *LoggingConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingConfigurationLoggingConfigurationObservation) DeepCopyInto(out *LoggingConfigurationLoggingConfigurationObservation) {
 	*out = *in
+	if in.LogDestinationConfig != nil {
+		in, out := &in.LogDestinationConfig, &out.LogDestinationConfig
+		*out = make([]LogDestinationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfigurationLoggingConfigurationObservation.
@@ -1350,11 +1684,23 @@ func (in *LoggingConfigurationLoggingConfigurationParameters) DeepCopy() *Loggin
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingConfigurationObservation) DeepCopyInto(out *LoggingConfigurationObservation) {
 	*out = *in
+	if in.FirewallArn != nil {
+		in, out := &in.FirewallArn, &out.FirewallArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoggingConfiguration != nil {
+		in, out := &in.LoggingConfiguration, &out.LoggingConfiguration
+		*out = make([]LoggingConfigurationLoggingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfigurationObservation.
@@ -1446,6 +1792,52 @@ func (in *LoggingConfigurationStatus) DeepCopy() *LoggingConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MatchAttributesObservation) DeepCopyInto(out *MatchAttributesObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]DestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DestinationPort != nil {
+		in, out := &in.DestinationPort, &out.DestinationPort
+		*out = make([]DestinationPortObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Protocols != nil {
+		in, out := &in.Protocols, &out.Protocols
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = make([]SourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourcePort != nil {
+		in, out := &in.SourcePort, &out.SourcePort
+		*out = make([]SourcePortObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TCPFlag != nil {
+		in, out := &in.TCPFlag, &out.TCPFlag
+		*out = make([]TCPFlagObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MatchAttributesObservation.
@@ -1522,6 +1914,11 @@ func (in *MatchAttributesParameters) DeepCopy() *MatchAttributesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverrideObservation) DeepCopyInto(out *OverrideObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OverrideObservation.
@@ -1557,6 +1954,17 @@ func (in *OverrideParameters) DeepCopy() *OverrideParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PortSetObservation) DeepCopyInto(out *PortSetObservation) {
 	*out = *in
+	if in.Definition != nil {
+		in, out := &in.Definition, &out.Definition
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSetObservation.
@@ -1598,6 +2006,18 @@ func (in *PortSetParameters) DeepCopy() *PortSetParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PortSetsObservation) DeepCopyInto(out *PortSetsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.PortSet != nil {
+		in, out := &in.PortSet, &out.PortSet
+		*out = make([]PortSetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSetsObservation.
@@ -1640,6 +2060,11 @@ func (in *PortSetsParameters) DeepCopy() *PortSetsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublishMetricActionDimensionObservation) DeepCopyInto(out *PublishMetricActionDimensionObservation) {
 	*out = *in
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublishMetricActionDimensionObservation.
@@ -1675,6 +2100,13 @@ func (in *PublishMetricActionDimensionParameters) DeepCopy() *PublishMetricActio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublishMetricActionObservation) DeepCopyInto(out *PublishMetricActionObservation) {
 	*out = *in
+	if in.Dimension != nil {
+		in, out := &in.Dimension, &out.Dimension
+		*out = make([]DimensionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublishMetricActionObservation.
@@ -1712,6 +2144,13 @@ func (in *PublishMetricActionParameters) DeepCopy() *PublishMetricActionParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReferenceSetsObservation) DeepCopyInto(out *ReferenceSetsObservation) {
 	*out = *in
+	if in.IPSetReferences != nil {
+		in, out := &in.IPSetReferences, &out.IPSetReferences
+		*out = make([]IPSetReferencesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReferenceSetsObservation.
@@ -1749,6 +2188,24 @@ func (in *ReferenceSetsParameters) DeepCopy() *ReferenceSetsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleDefinitionObservation) DeepCopyInto(out *RuleDefinitionObservation) {
 	*out = *in
+	if in.Actions != nil {
+		in, out := &in.Actions, &out.Actions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.MatchAttributes != nil {
+		in, out := &in.MatchAttributes, &out.MatchAttributes
+		*out = make([]MatchAttributesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleDefinitionObservation.
@@ -1824,6 +2281,16 @@ func (in *RuleGroup) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleGroupEncryptionConfigurationObservation) DeepCopyInto(out *RuleGroupEncryptionConfigurationObservation) {
 	*out = *in
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleGroupEncryptionConfigurationObservation.
@@ -1901,11 +2368,60 @@ func (in *RuleGroupObservation) DeepCopyInto(out *RuleGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Capacity != nil {
+		in, out := &in.Capacity, &out.Capacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]RuleGroupEncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleGroup != nil {
+		in, out := &in.RuleGroup, &out.RuleGroup
+		*out = make([]RuleGroupRuleGroupObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1921,6 +2437,11 @@ func (in *RuleGroupObservation) DeepCopyInto(out *RuleGroupObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 	if in.UpdateToken != nil {
 		in, out := &in.UpdateToken, &out.UpdateToken
 		*out = new(string)
@@ -2015,6 +2536,34 @@ func (in *RuleGroupParameters) DeepCopy() *RuleGroupParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleGroupRuleGroupObservation) DeepCopyInto(out *RuleGroupRuleGroupObservation) {
 	*out = *in
+	if in.ReferenceSets != nil {
+		in, out := &in.ReferenceSets, &out.ReferenceSets
+		*out = make([]ReferenceSetsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RuleVariables != nil {
+		in, out := &in.RuleVariables, &out.RuleVariables
+		*out = make([]RuleVariablesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RulesSource != nil {
+		in, out := &in.RulesSource, &out.RulesSource
+		*out = make([]RulesSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StatefulRuleOptions != nil {
+		in, out := &in.StatefulRuleOptions, &out.StatefulRuleOptions
+		*out = make([]StatefulRuleOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleGroupRuleGroupObservation.
@@ -2107,6 +2656,22 @@ func (in *RuleGroupStatus) DeepCopy() *RuleGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleOptionObservation) DeepCopyInto(out *RuleOptionObservation) {
 	*out = *in
+	if in.Keyword != nil {
+		in, out := &in.Keyword, &out.Keyword
+		*out = new(string)
+		**out = **in
+	}
+	if in.Settings != nil {
+		in, out := &in.Settings, &out.Settings
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleOptionObservation.
@@ -2153,6 +2718,20 @@ func (in *RuleOptionParameters) DeepCopy() *RuleOptionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleVariablesObservation) DeepCopyInto(out *RuleVariablesObservation) {
 	*out = *in
+	if in.IPSets != nil {
+		in, out := &in.IPSets, &out.IPSets
+		*out = make([]IPSetsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PortSets != nil {
+		in, out := &in.PortSets, &out.PortSets
+		*out = make([]PortSetsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleVariablesObservation.
@@ -2197,6 +2776,33 @@ func (in *RuleVariablesParameters) DeepCopy() *RuleVariablesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RulesSourceListObservation) DeepCopyInto(out *RulesSourceListObservation) {
 	*out = *in
+	if in.GeneratedRulesType != nil {
+		in, out := &in.GeneratedRulesType, &out.GeneratedRulesType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetTypes != nil {
+		in, out := &in.TargetTypes, &out.TargetTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Targets != nil {
+		in, out := &in.Targets, &out.Targets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesSourceListObservation.
@@ -2254,6 +2860,32 @@ func (in *RulesSourceListParameters) DeepCopy() *RulesSourceListParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RulesSourceObservation) DeepCopyInto(out *RulesSourceObservation) {
 	*out = *in
+	if in.RulesSourceList != nil {
+		in, out := &in.RulesSourceList, &out.RulesSourceList
+		*out = make([]RulesSourceListObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RulesString != nil {
+		in, out := &in.RulesString, &out.RulesString
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatefulRule != nil {
+		in, out := &in.StatefulRule, &out.StatefulRule
+		*out = make([]StatefulRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StatelessRulesAndCustomActions != nil {
+		in, out := &in.StatelessRulesAndCustomActions, &out.StatelessRulesAndCustomActions
+		*out = make([]StatelessRulesAndCustomActionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesSourceObservation.
@@ -2310,6 +2942,11 @@ func (in *RulesSourceParameters) DeepCopy() *RulesSourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceObservation) DeepCopyInto(out *SourceObservation) {
 	*out = *in
+	if in.AddressDefinition != nil {
+		in, out := &in.AddressDefinition, &out.AddressDefinition
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceObservation.
@@ -2345,6 +2982,16 @@ func (in *SourceParameters) DeepCopy() *SourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourcePortObservation) DeepCopyInto(out *SourcePortObservation) {
 	*out = *in
+	if in.FromPort != nil {
+		in, out := &in.FromPort, &out.FromPort
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ToPort != nil {
+		in, out := &in.ToPort, &out.ToPort
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourcePortObservation.
@@ -2385,6 +3032,11 @@ func (in *SourcePortParameters) DeepCopy() *SourcePortParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatefulEngineOptionsObservation) DeepCopyInto(out *StatefulEngineOptionsObservation) {
 	*out = *in
+	if in.RuleOrder != nil {
+		in, out := &in.RuleOrder, &out.RuleOrder
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulEngineOptionsObservation.
@@ -2420,6 +3072,23 @@ func (in *StatefulEngineOptionsParameters) DeepCopy() *StatefulEngineOptionsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatefulRuleGroupReferenceObservation) DeepCopyInto(out *StatefulRuleGroupReferenceObservation) {
 	*out = *in
+	if in.Override != nil {
+		in, out := &in.Override, &out.Override
+		*out = make([]OverrideObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulRuleGroupReferenceObservation.
@@ -2467,6 +3136,25 @@ func (in *StatefulRuleGroupReferenceParameters) DeepCopy() *StatefulRuleGroupRef
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatefulRuleObservation) DeepCopyInto(out *StatefulRuleObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
+	if in.Header != nil {
+		in, out := &in.Header, &out.Header
+		*out = make([]HeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RuleOption != nil {
+		in, out := &in.RuleOption, &out.RuleOption
+		*out = make([]RuleOptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulRuleObservation.
@@ -2482,6 +3170,11 @@ func (in *StatefulRuleObservation) DeepCopy() *StatefulRuleObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatefulRuleOptionsObservation) DeepCopyInto(out *StatefulRuleOptionsObservation) {
 	*out = *in
+	if in.RuleOrder != nil {
+		in, out := &in.RuleOrder, &out.RuleOrder
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatefulRuleOptionsObservation.
@@ -2551,6 +3244,18 @@ func (in *StatefulRuleParameters) DeepCopy() *StatefulRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatelessCustomActionObservation) DeepCopyInto(out *StatelessCustomActionObservation) {
 	*out = *in
+	if in.ActionDefinition != nil {
+		in, out := &in.ActionDefinition, &out.ActionDefinition
+		*out = make([]ActionDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ActionName != nil {
+		in, out := &in.ActionName, &out.ActionName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatelessCustomActionObservation.
@@ -2593,6 +3298,16 @@ func (in *StatelessCustomActionParameters) DeepCopy() *StatelessCustomActionPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatelessRuleGroupReferenceObservation) DeepCopyInto(out *StatelessRuleGroupReferenceObservation) {
 	*out = *in
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatelessRuleGroupReferenceObservation.
@@ -2643,6 +3358,18 @@ func (in *StatelessRuleGroupReferenceParameters) DeepCopy() *StatelessRuleGroupR
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatelessRuleObservation) DeepCopyInto(out *StatelessRuleObservation) {
 	*out = *in
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RuleDefinition != nil {
+		in, out := &in.RuleDefinition, &out.RuleDefinition
+		*out = make([]RuleDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatelessRuleObservation.
@@ -2685,6 +3412,20 @@ func (in *StatelessRuleParameters) DeepCopy() *StatelessRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StatelessRulesAndCustomActionsObservation) DeepCopyInto(out *StatelessRulesAndCustomActionsObservation) {
 	*out = *in
+	if in.CustomAction != nil {
+		in, out := &in.CustomAction, &out.CustomAction
+		*out = make([]CustomActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StatelessRule != nil {
+		in, out := &in.StatelessRule, &out.StatelessRule
+		*out = make([]StatelessRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StatelessRulesAndCustomActionsObservation.
@@ -2729,6 +3470,16 @@ func (in *StatelessRulesAndCustomActionsParameters) DeepCopy() *StatelessRulesAn
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SubnetMappingObservation) DeepCopyInto(out *SubnetMappingObservation) {
 	*out = *in
+	if in.IPAddressType != nil {
+		in, out := &in.IPAddressType, &out.IPAddressType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SubnetMappingObservation.
@@ -2821,6 +3572,28 @@ func (in *SyncStatesParameters) DeepCopy() *SyncStatesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TCPFlagObservation) DeepCopyInto(out *TCPFlagObservation) {
 	*out = *in
+	if in.Flags != nil {
+		in, out := &in.Flags, &out.Flags
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Masks != nil {
+		in, out := &in.Masks, &out.Masks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TCPFlagObservation.
diff --git a/apis/networkfirewall/v1beta1/zz_loggingconfiguration_types.go b/apis/networkfirewall/v1beta1/zz_loggingconfiguration_types.go
index fdfaab6d8b..a72ca20012 100755
--- a/apis/networkfirewall/v1beta1/zz_loggingconfiguration_types.go
+++ b/apis/networkfirewall/v1beta1/zz_loggingconfiguration_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type LogDestinationConfigObservation struct {
+
+	// A map describing the logging destination for the chosen log_destination_type.
+	LogDestination map[string]*string `json:"logDestination,omitempty" tf:"log_destination,omitempty"`
+
+	// The location to send logs to. Valid values: S3, CloudWatchLogs, KinesisDataFirehose.
+	LogDestinationType *string `json:"logDestinationType,omitempty" tf:"log_destination_type,omitempty"`
+
+	// The type of log to send. Valid values: ALERT or FLOW. Alert logs report traffic that matches a StatefulRule with an action setting that sends a log message. Flow logs are standard network traffic flow logs.
+	LogType *string `json:"logType,omitempty" tf:"log_type,omitempty"`
 }
 
 type LogDestinationConfigParameters struct {
@@ -32,6 +41,9 @@ type LogDestinationConfigParameters struct {
 }
 
 type LoggingConfigurationLoggingConfigurationObservation struct {
+
+	// Set of configuration blocks describing the logging details for a firewall. See Log Destination Config below for details. At most, only two blocks can be specified; one for FLOW logs and one for ALERT logs.
+	LogDestinationConfig []LogDestinationConfigObservation `json:"logDestinationConfig,omitempty" tf:"log_destination_config,omitempty"`
 }
 
 type LoggingConfigurationLoggingConfigurationParameters struct {
@@ -43,8 +55,14 @@ type LoggingConfigurationLoggingConfigurationParameters struct {
 
 type LoggingConfigurationObservation struct {
 
+	// The Amazon Resource Name (ARN) of the Network Firewall firewall.
+	FirewallArn *string `json:"firewallArn,omitempty" tf:"firewall_arn,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the associated firewall.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A configuration block describing how AWS Network Firewall performs logging for a firewall. See Logging Configuration below for details.
+	LoggingConfiguration []LoggingConfigurationLoggingConfigurationObservation `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
 }
 
 type LoggingConfigurationParameters struct {
@@ -64,8 +82,8 @@ type LoggingConfigurationParameters struct {
 	FirewallArnSelector *v1.Selector `json:"firewallArnSelector,omitempty" tf:"-"`
 
 	// A configuration block describing how AWS Network Firewall performs logging for a firewall. See Logging Configuration below for details.
-	// +kubebuilder:validation:Required
-	LoggingConfiguration []LoggingConfigurationLoggingConfigurationParameters `json:"loggingConfiguration" tf:"logging_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	LoggingConfiguration []LoggingConfigurationLoggingConfigurationParameters `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -97,8 +115,9 @@ type LoggingConfigurationStatus struct {
 type LoggingConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LoggingConfigurationSpec   `json:"spec"`
-	Status            LoggingConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.loggingConfiguration)",message="loggingConfiguration is a required parameter"
+	Spec   LoggingConfigurationSpec   `json:"spec"`
+	Status LoggingConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/networkfirewall/v1beta1/zz_rulegroup_types.go b/apis/networkfirewall/v1beta1/zz_rulegroup_types.go
index d87aebe280..91212d60f9 100755
--- a/apis/networkfirewall/v1beta1/zz_rulegroup_types.go
+++ b/apis/networkfirewall/v1beta1/zz_rulegroup_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ActionDefinitionPublishMetricActionObservation struct {
+
+	// Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
+	Dimension []PublishMetricActionDimensionObservation `json:"dimension,omitempty" tf:"dimension,omitempty"`
 }
 
 type ActionDefinitionPublishMetricActionParameters struct {
@@ -24,6 +27,9 @@ type ActionDefinitionPublishMetricActionParameters struct {
 }
 
 type CustomActionActionDefinitionObservation struct {
+
+	// A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
+	PublishMetricAction []ActionDefinitionPublishMetricActionObservation `json:"publishMetricAction,omitempty" tf:"publish_metric_action,omitempty"`
 }
 
 type CustomActionActionDefinitionParameters struct {
@@ -34,6 +40,12 @@ type CustomActionActionDefinitionParameters struct {
 }
 
 type CustomActionObservation struct {
+
+	// A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
+	ActionDefinition []CustomActionActionDefinitionObservation `json:"actionDefinition,omitempty" tf:"action_definition,omitempty"`
+
+	// A friendly name of the custom action.
+	ActionName *string `json:"actionName,omitempty" tf:"action_name,omitempty"`
 }
 
 type CustomActionParameters struct {
@@ -48,6 +60,9 @@ type CustomActionParameters struct {
 }
 
 type DestinationObservation struct {
+
+	// An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
+	AddressDefinition *string `json:"addressDefinition,omitempty" tf:"address_definition,omitempty"`
 }
 
 type DestinationParameters struct {
@@ -58,6 +73,12 @@ type DestinationParameters struct {
 }
 
 type DestinationPortObservation struct {
+
+	// The lower limit of the port range. This must be less than or equal to the to_port.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// The upper limit of the port range. This must be greater than or equal to the from_port.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type DestinationPortParameters struct {
@@ -72,6 +93,24 @@ type DestinationPortParameters struct {
 }
 
 type HeaderObservation struct {
+
+	// Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
+	DestinationPort *string `json:"destinationPort,omitempty" tf:"destination_port,omitempty"`
+
+	// The direction of traffic flow to inspect. Valid values: ANY or FORWARD.
+	Direction *string `json:"direction,omitempty" tf:"direction,omitempty"`
+
+	// The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
+	SourcePort *string `json:"sourcePort,omitempty" tf:"source_port,omitempty"`
 }
 
 type HeaderParameters struct {
@@ -102,6 +141,9 @@ type HeaderParameters struct {
 }
 
 type IPSetObservation struct {
+
+	// Set of port ranges.
+	Definition []*string `json:"definition,omitempty" tf:"definition,omitempty"`
 }
 
 type IPSetParameters struct {
@@ -112,6 +154,9 @@ type IPSetParameters struct {
 }
 
 type IPSetReferenceObservation struct {
+
+	// Set of Managed Prefix IP ARN(s)
+	ReferenceArn *string `json:"referenceArn,omitempty" tf:"reference_arn,omitempty"`
 }
 
 type IPSetReferenceParameters struct {
@@ -132,6 +177,12 @@ type IPSetReferenceParameters struct {
 }
 
 type IPSetReferencesObservation struct {
+
+	// Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
+	IPSetReference []IPSetReferenceObservation `json:"ipSetReference,omitempty" tf:"ip_set_reference,omitempty"`
+
+	// An unique alphanumeric string to identify the port_set.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type IPSetReferencesParameters struct {
@@ -146,6 +197,12 @@ type IPSetReferencesParameters struct {
 }
 
 type IPSetsObservation struct {
+
+	// A configuration block that defines a set of IP addresses. See IP Set below for details.
+	IPSet []IPSetObservation `json:"ipSet,omitempty" tf:"ip_set,omitempty"`
+
+	// An unique alphanumeric string to identify the port_set.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type IPSetsParameters struct {
@@ -160,6 +217,24 @@ type IPSetsParameters struct {
 }
 
 type MatchAttributesObservation struct {
+
+	// Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
+	Destination []DestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
+	DestinationPort []DestinationPortObservation `json:"destinationPort,omitempty" tf:"destination_port,omitempty"`
+
+	// Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
+	Protocols []*float64 `json:"protocols,omitempty" tf:"protocols,omitempty"`
+
+	// Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
+	Source []SourceObservation `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
+	SourcePort []SourcePortObservation `json:"sourcePort,omitempty" tf:"source_port,omitempty"`
+
+	// Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
+	TCPFlag []TCPFlagObservation `json:"tcpFlag,omitempty" tf:"tcp_flag,omitempty"`
 }
 
 type MatchAttributesParameters struct {
@@ -190,6 +265,9 @@ type MatchAttributesParameters struct {
 }
 
 type PortSetObservation struct {
+
+	// Set of port ranges.
+	Definition []*string `json:"definition,omitempty" tf:"definition,omitempty"`
 }
 
 type PortSetParameters struct {
@@ -200,6 +278,12 @@ type PortSetParameters struct {
 }
 
 type PortSetsObservation struct {
+
+	// An unique alphanumeric string to identify the port_set.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A configuration block that defines a set of port ranges. See Port Set below for details.
+	PortSet []PortSetObservation `json:"portSet,omitempty" tf:"port_set,omitempty"`
 }
 
 type PortSetsParameters struct {
@@ -214,6 +298,9 @@ type PortSetsParameters struct {
 }
 
 type PublishMetricActionDimensionObservation struct {
+
+	// The value to use in the custom metric dimension.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type PublishMetricActionDimensionParameters struct {
@@ -224,6 +311,7 @@ type PublishMetricActionDimensionParameters struct {
 }
 
 type ReferenceSetsObservation struct {
+	IPSetReferences []IPSetReferencesObservation `json:"ipSetReferences,omitempty" tf:"ip_set_references,omitempty"`
 }
 
 type ReferenceSetsParameters struct {
@@ -233,6 +321,12 @@ type ReferenceSetsParameters struct {
 }
 
 type RuleDefinitionObservation struct {
+
+	// Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
+	Actions []*string `json:"actions,omitempty" tf:"actions,omitempty"`
+
+	// A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
+	MatchAttributes []MatchAttributesObservation `json:"matchAttributes,omitempty" tf:"match_attributes,omitempty"`
 }
 
 type RuleDefinitionParameters struct {
@@ -247,6 +341,12 @@ type RuleDefinitionParameters struct {
 }
 
 type RuleGroupEncryptionConfigurationObservation struct {
+
+	// The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+	// The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RuleGroupEncryptionConfigurationParameters struct {
@@ -265,12 +365,36 @@ type RuleGroupObservation struct {
 	// The Amazon Resource Name (ARN) that identifies the rule group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
+	Capacity *float64 `json:"capacity,omitempty" tf:"capacity,omitempty"`
+
+	// A friendly description of the rule group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// KMS encryption configuration settings. See Encryption Configuration below for details.
+	EncryptionConfiguration []RuleGroupEncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
 	// The Amazon Resource Name (ARN) that identifies the rule group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A friendly name of the rule group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
+	RuleGroup []RuleGroupRuleGroupObservation `json:"ruleGroup,omitempty" tf:"rule_group,omitempty"`
+
+	// The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
+	Rules *string `json:"rules,omitempty" tf:"rules,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
 	// A string token used when updating the rule group.
 	UpdateToken *string `json:"updateToken,omitempty" tf:"update_token,omitempty"`
 }
@@ -278,8 +402,8 @@ type RuleGroupObservation struct {
 type RuleGroupParameters struct {
 
 	// The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
-	// +kubebuilder:validation:Required
-	Capacity *float64 `json:"capacity" tf:"capacity,omitempty"`
+	// +kubebuilder:validation:Optional
+	Capacity *float64 `json:"capacity,omitempty" tf:"capacity,omitempty"`
 
 	// A friendly description of the rule group.
 	// +kubebuilder:validation:Optional
@@ -290,8 +414,8 @@ type RuleGroupParameters struct {
 	EncryptionConfiguration []RuleGroupEncryptionConfigurationParameters `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
 
 	// A friendly name of the rule group.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -311,11 +435,23 @@ type RuleGroupParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RuleGroupRuleGroupObservation struct {
+
+	// A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details.
+	ReferenceSets []ReferenceSetsObservation `json:"referenceSets,omitempty" tf:"reference_sets,omitempty"`
+
+	// A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
+	RuleVariables []RuleVariablesObservation `json:"ruleVariables,omitempty" tf:"rule_variables,omitempty"`
+
+	// A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
+	RulesSource []RulesSourceObservation `json:"rulesSource,omitempty" tf:"rules_source,omitempty"`
+
+	// A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
+	StatefulRuleOptions []StatefulRuleOptionsObservation `json:"statefulRuleOptions,omitempty" tf:"stateful_rule_options,omitempty"`
 }
 
 type RuleGroupRuleGroupParameters struct {
@@ -338,6 +474,13 @@ type RuleGroupRuleGroupParameters struct {
 }
 
 type RuleOptionObservation struct {
+
+	// Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection.
+	// See Snort General Rule Options or Suricata Rule Options for more details.
+	Keyword *string `json:"keyword,omitempty" tf:"keyword,omitempty"`
+
+	// Set of strings for additional settings to use in stateful rule inspection.
+	Settings []*string `json:"settings,omitempty" tf:"settings,omitempty"`
 }
 
 type RuleOptionParameters struct {
@@ -353,6 +496,12 @@ type RuleOptionParameters struct {
 }
 
 type RuleVariablesObservation struct {
+
+	// Set of configuration blocks that define IP address information. See IP Sets below for details.
+	IPSets []IPSetsObservation `json:"ipSets,omitempty" tf:"ip_sets,omitempty"`
+
+	// Set of configuration blocks that define port range information. See Port Sets below for details.
+	PortSets []PortSetsObservation `json:"portSets,omitempty" tf:"port_sets,omitempty"`
 }
 
 type RuleVariablesParameters struct {
@@ -367,6 +516,15 @@ type RuleVariablesParameters struct {
 }
 
 type RulesSourceListObservation struct {
+
+	// String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.
+	GeneratedRulesType *string `json:"generatedRulesType,omitempty" tf:"generated_rules_type,omitempty"`
+
+	// Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
+	TargetTypes []*string `json:"targetTypes,omitempty" tf:"target_types,omitempty"`
+
+	// Set of domains that you want to inspect for in your traffic flows.
+	Targets []*string `json:"targets,omitempty" tf:"targets,omitempty"`
 }
 
 type RulesSourceListParameters struct {
@@ -385,6 +543,18 @@ type RulesSourceListParameters struct {
 }
 
 type RulesSourceObservation struct {
+
+	// A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
+	RulesSourceList []RulesSourceListObservation `json:"rulesSourceList,omitempty" tf:"rules_source_list,omitempty"`
+
+	// The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
+	RulesString *string `json:"rulesString,omitempty" tf:"rules_string,omitempty"`
+
+	// Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
+	StatefulRule []StatefulRuleObservation `json:"statefulRule,omitempty" tf:"stateful_rule,omitempty"`
+
+	// A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
+	StatelessRulesAndCustomActions []StatelessRulesAndCustomActionsObservation `json:"statelessRulesAndCustomActions,omitempty" tf:"stateless_rules_and_custom_actions,omitempty"`
 }
 
 type RulesSourceParameters struct {
@@ -407,6 +577,9 @@ type RulesSourceParameters struct {
 }
 
 type SourceObservation struct {
+
+	// An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
+	AddressDefinition *string `json:"addressDefinition,omitempty" tf:"address_definition,omitempty"`
 }
 
 type SourceParameters struct {
@@ -417,6 +590,12 @@ type SourceParameters struct {
 }
 
 type SourcePortObservation struct {
+
+	// The lower limit of the port range. This must be less than or equal to the to_port.
+	FromPort *float64 `json:"fromPort,omitempty" tf:"from_port,omitempty"`
+
+	// The upper limit of the port range. This must be greater than or equal to the from_port.
+	ToPort *float64 `json:"toPort,omitempty" tf:"to_port,omitempty"`
 }
 
 type SourcePortParameters struct {
@@ -431,9 +610,21 @@ type SourcePortParameters struct {
 }
 
 type StatefulRuleObservation struct {
+
+	// Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
+	// A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
+	Header []HeaderObservation `json:"header,omitempty" tf:"header,omitempty"`
+
+	// Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
+	RuleOption []RuleOptionObservation `json:"ruleOption,omitempty" tf:"rule_option,omitempty"`
 }
 
 type StatefulRuleOptionsObservation struct {
+
+	// Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
+	RuleOrder *string `json:"ruleOrder,omitempty" tf:"rule_order,omitempty"`
 }
 
 type StatefulRuleOptionsParameters struct {
@@ -459,6 +650,12 @@ type StatefulRuleParameters struct {
 }
 
 type StatelessRuleObservation struct {
+
+	// A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
+	RuleDefinition []RuleDefinitionObservation `json:"ruleDefinition,omitempty" tf:"rule_definition,omitempty"`
 }
 
 type StatelessRuleParameters struct {
@@ -473,6 +670,12 @@ type StatelessRuleParameters struct {
 }
 
 type StatelessRulesAndCustomActionsObservation struct {
+
+	// Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.
+	CustomAction []CustomActionObservation `json:"customAction,omitempty" tf:"custom_action,omitempty"`
+
+	// Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
+	StatelessRule []StatelessRuleObservation `json:"statelessRule,omitempty" tf:"stateless_rule,omitempty"`
 }
 
 type StatelessRulesAndCustomActionsParameters struct {
@@ -487,6 +690,14 @@ type StatelessRulesAndCustomActionsParameters struct {
 }
 
 type TCPFlagObservation struct {
+
+	// Set of flags to look for in a packet. This setting can only specify values that are also specified in masks.
+	// Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
+	Flags []*string `json:"flags,omitempty" tf:"flags,omitempty"`
+
+	// Set of flags to consider in the inspection. To inspect all flags, leave this empty.
+	// Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
+	Masks []*string `json:"masks,omitempty" tf:"masks,omitempty"`
 }
 
 type TCPFlagParameters struct {
@@ -526,8 +737,11 @@ type RuleGroupStatus struct {
 type RuleGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RuleGroupSpec   `json:"spec"`
-	Status            RuleGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.capacity)",message="capacity is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   RuleGroupSpec   `json:"spec"`
+	Status RuleGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/networkmanager/v1beta1/zz_attachmentaccepter_types.go b/apis/networkmanager/v1beta1/zz_attachmentaccepter_types.go
index 98bcea9bc2..7d7694b073 100755
--- a/apis/networkmanager/v1beta1/zz_attachmentaccepter_types.go
+++ b/apis/networkmanager/v1beta1/zz_attachmentaccepter_types.go
@@ -15,9 +15,15 @@ import (
 
 type AttachmentAccepterObservation struct {
 
+	// The ID of the attachment.
+	AttachmentID *string `json:"attachmentId,omitempty" tf:"attachment_id,omitempty"`
+
 	// The policy rule number associated with the attachment.
 	AttachmentPolicyRuleNumber *float64 `json:"attachmentPolicyRuleNumber,omitempty" tf:"attachment_policy_rule_number,omitempty"`
 
+	// The type of attachment. Valid values can be found in the AWS Documentation
+	AttachmentType *string `json:"attachmentType,omitempty" tf:"attachment_type,omitempty"`
+
 	// The ARN of a core network.
 	CoreNetworkArn *string `json:"coreNetworkArn,omitempty" tf:"core_network_arn,omitempty"`
 
diff --git a/apis/networkmanager/v1beta1/zz_connectattachment_types.go b/apis/networkmanager/v1beta1/zz_connectattachment_types.go
index e0b606a665..bc270a9b65 100755
--- a/apis/networkmanager/v1beta1/zz_connectattachment_types.go
+++ b/apis/networkmanager/v1beta1/zz_connectattachment_types.go
@@ -30,9 +30,18 @@ type ConnectAttachmentObservation struct {
 	// The ARN of a core network.
 	CoreNetworkArn *string `json:"coreNetworkArn,omitempty" tf:"core_network_arn,omitempty"`
 
+	// The ID of a core network where you want to create the attachment.
+	CoreNetworkID *string `json:"coreNetworkId,omitempty" tf:"core_network_id,omitempty"`
+
+	// The Region where the edge is located.
+	EdgeLocation *string `json:"edgeLocation,omitempty" tf:"edge_location,omitempty"`
+
 	// The ID of the attachment.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Options for creating an attachment.
+	Options []OptionsObservation `json:"options,omitempty" tf:"options,omitempty"`
+
 	// The ID of the attachment account owner.
 	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
@@ -45,8 +54,14 @@ type ConnectAttachmentObservation struct {
 	// The state of the attachment.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of the attachment between the two connections.
+	TransportAttachmentID *string `json:"transportAttachmentId,omitempty" tf:"transport_attachment_id,omitempty"`
 }
 
 type ConnectAttachmentParameters struct {
@@ -79,8 +94,8 @@ type ConnectAttachmentParameters struct {
 	EdgeLocationSelector *v1.Selector `json:"edgeLocationSelector,omitempty" tf:"-"`
 
 	// Options for creating an attachment.
-	// +kubebuilder:validation:Required
-	Options []OptionsParameters `json:"options" tf:"options,omitempty"`
+	// +kubebuilder:validation:Optional
+	Options []OptionsParameters `json:"options,omitempty" tf:"options,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -107,6 +122,7 @@ type ConnectAttachmentParameters struct {
 }
 
 type OptionsObservation struct {
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 }
 
 type OptionsParameters struct {
@@ -139,8 +155,9 @@ type ConnectAttachmentStatus struct {
 type ConnectAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConnectAttachmentSpec   `json:"spec"`
-	Status            ConnectAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.options)",message="options is a required parameter"
+	Spec   ConnectAttachmentSpec   `json:"spec"`
+	Status ConnectAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/networkmanager/v1beta1/zz_connection_types.go b/apis/networkmanager/v1beta1/zz_connection_types.go
index a06ae5e1d8..0715d2b99c 100755
--- a/apis/networkmanager/v1beta1/zz_connection_types.go
+++ b/apis/networkmanager/v1beta1/zz_connection_types.go
@@ -18,8 +18,29 @@ type ConnectionObservation struct {
 	// The Amazon Resource Name (ARN) of the connection.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of the second device in the connection.
+	ConnectedDeviceID *string `json:"connectedDeviceId,omitempty" tf:"connected_device_id,omitempty"`
+
+	// The ID of the link for the second device.
+	ConnectedLinkID *string `json:"connectedLinkId,omitempty" tf:"connected_link_id,omitempty"`
+
+	// A description of the connection.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The ID of the first device in the connection.
+	DeviceID *string `json:"deviceId,omitempty" tf:"device_id,omitempty"`
+
+	// The ID of the global network.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ID of the link for the first device.
+	LinkID *string `json:"linkId,omitempty" tf:"link_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/networkmanager/v1beta1/zz_corenetwork_types.go b/apis/networkmanager/v1beta1/zz_corenetwork_types.go
index 208b1154ad..f31542a3ca 100755
--- a/apis/networkmanager/v1beta1/zz_corenetwork_types.go
+++ b/apis/networkmanager/v1beta1/zz_corenetwork_types.go
@@ -18,21 +18,39 @@ type CoreNetworkObservation struct {
 	// Core Network Amazon Resource Name (ARN).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The base policy created by setting the create_base_policy argument to true requires a region to be set in the edge-locations, location key. If base_policy_region is not specified, the region used in the base policy defaults to the region specified in the provider block.
+	BasePolicyRegion *string `json:"basePolicyRegion,omitempty" tf:"base_policy_region,omitempty"`
+
+	// Specifies whether to create a base policy when a core network is created or updated. A base policy is created and set to LIVE to allow attachments to the core network (e.g. VPC Attachments) before applying a policy document provided using the aws_networkmanager_core_network_policy_attachment resource. This base policy is needed if your core network does not have any LIVE policies (e.g. a core network resource created without the policy_document argument) and your policy document has static routes pointing to VPC attachments and you want to attach your VPCs to the core network before applying the desired policy document. Valid values are true or false. Conflicts with policy_document. An example of a base policy created is shown below. The region specified in the location key can be configured using the base_policy_region argument. If base_policy_region is not specified, the region defaults to the region specified in the provider block. This base policy is overridden with the policy that you specify in the aws_networkmanager_core_network_policy_attachment resource.
+	CreateBasePolicy *bool `json:"createBasePolicy,omitempty" tf:"create_base_policy,omitempty"`
+
 	// Timestamp when a core network was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// Description of the Core Network.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// One or more blocks detailing the edges within a core network. Detailed below.
 	Edges []EdgesObservation `json:"edges,omitempty" tf:"edges,omitempty"`
 
+	// The ID of the global network that a core network will be a part of.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	// Core Network ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Policy document for creating a core network. Note that updating this argument will result in the new policy document version being set as the LATEST and LIVE policy document. Refer to the Core network policies documentation for more information. Conflicts with create_base_policy.
+	PolicyDocument *string `json:"policyDocument,omitempty" tf:"policy_document,omitempty"`
+
 	// One or more blocks detailing the segments within a core network. Detailed below.
 	Segments []SegmentsObservation `json:"segments,omitempty" tf:"segments,omitempty"`
 
 	// Current state of a core network.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/networkmanager/v1beta1/zz_customergatewayassociation_types.go b/apis/networkmanager/v1beta1/zz_customergatewayassociation_types.go
index 045967b4c5..13067f59ce 100755
--- a/apis/networkmanager/v1beta1/zz_customergatewayassociation_types.go
+++ b/apis/networkmanager/v1beta1/zz_customergatewayassociation_types.go
@@ -14,7 +14,20 @@ import (
 )
 
 type CustomerGatewayAssociationObservation struct {
+
+	// The Amazon Resource Name (ARN) of the customer gateway.
+	CustomerGatewayArn *string `json:"customerGatewayArn,omitempty" tf:"customer_gateway_arn,omitempty"`
+
+	// The ID of the device.
+	DeviceID *string `json:"deviceId,omitempty" tf:"device_id,omitempty"`
+
+	// The ID of the global network.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the link.
+	LinkID *string `json:"linkId,omitempty" tf:"link_id,omitempty"`
 }
 
 type CustomerGatewayAssociationParameters struct {
diff --git a/apis/networkmanager/v1beta1/zz_device_types.go b/apis/networkmanager/v1beta1/zz_device_types.go
index b34cdfc6df..80b069810f 100755
--- a/apis/networkmanager/v1beta1/zz_device_types.go
+++ b/apis/networkmanager/v1beta1/zz_device_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AwsLocationObservation struct {
+
+	// The Amazon Resource Name (ARN) of the subnet that the device is located in.
+	SubnetArn *string `json:"subnetArn,omitempty" tf:"subnet_arn,omitempty"`
+
+	// The Zone that the device is located in. Specify the ID of an Availability Zone, Local Zone, Wavelength Zone, or an Outpost.
+	Zone *string `json:"zone,omitempty" tf:"zone,omitempty"`
 }
 
 type AwsLocationParameters struct {
@@ -32,10 +38,40 @@ type DeviceObservation struct {
 	// The Amazon Resource Name (ARN) of the device.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The AWS location of the device. Documented below.
+	AwsLocation []AwsLocationObservation `json:"awsLocation,omitempty" tf:"aws_location,omitempty"`
+
+	// A description of the device.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The ID of the global network.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The location of the device. Documented below.
+	Location []LocationObservation `json:"location,omitempty" tf:"location,omitempty"`
+
+	// The model of device.
+	Model *string `json:"model,omitempty" tf:"model,omitempty"`
+
+	// The serial number of the device.
+	SerialNumber *string `json:"serialNumber,omitempty" tf:"serial_number,omitempty"`
+
+	// The ID of the site.
+	SiteID *string `json:"siteId,omitempty" tf:"site_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The type of device.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The vendor of the device.
+	Vendor *string `json:"vendor,omitempty" tf:"vendor,omitempty"`
 }
 
 type DeviceParameters struct {
@@ -107,6 +143,15 @@ type DeviceParameters struct {
 }
 
 type LocationObservation struct {
+
+	// The physical address.
+	Address *string `json:"address,omitempty" tf:"address,omitempty"`
+
+	// The latitude.
+	Latitude *string `json:"latitude,omitempty" tf:"latitude,omitempty"`
+
+	// The longitude.
+	Longitude *string `json:"longitude,omitempty" tf:"longitude,omitempty"`
 }
 
 type LocationParameters struct {
diff --git a/apis/networkmanager/v1beta1/zz_generated.deepcopy.go b/apis/networkmanager/v1beta1/zz_generated.deepcopy.go
index 38a1a97018..95c539802d 100644
--- a/apis/networkmanager/v1beta1/zz_generated.deepcopy.go
+++ b/apis/networkmanager/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,21 @@ func (in *AttachmentAccepterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttachmentAccepterObservation) DeepCopyInto(out *AttachmentAccepterObservation) {
 	*out = *in
+	if in.AttachmentID != nil {
+		in, out := &in.AttachmentID, &out.AttachmentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.AttachmentPolicyRuleNumber != nil {
 		in, out := &in.AttachmentPolicyRuleNumber, &out.AttachmentPolicyRuleNumber
 		*out = new(float64)
 		**out = **in
 	}
+	if in.AttachmentType != nil {
+		in, out := &in.AttachmentType, &out.AttachmentType
+		*out = new(string)
+		**out = **in
+	}
 	if in.CoreNetworkArn != nil {
 		in, out := &in.CoreNetworkArn, &out.CoreNetworkArn
 		*out = new(string)
@@ -220,6 +230,16 @@ func (in *AttachmentAccepterStatus) DeepCopy() *AttachmentAccepterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AwsLocationObservation) DeepCopyInto(out *AwsLocationObservation) {
 	*out = *in
+	if in.SubnetArn != nil {
+		in, out := &in.SubnetArn, &out.SubnetArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Zone != nil {
+		in, out := &in.Zone, &out.Zone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsLocationObservation.
@@ -260,6 +280,16 @@ func (in *AwsLocationParameters) DeepCopy() *AwsLocationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BandwidthObservation) DeepCopyInto(out *BandwidthObservation) {
 	*out = *in
+	if in.DownloadSpeed != nil {
+		in, out := &in.DownloadSpeed, &out.DownloadSpeed
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UploadSpeed != nil {
+		in, out := &in.UploadSpeed, &out.UploadSpeed
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BandwidthObservation.
@@ -384,11 +414,28 @@ func (in *ConnectAttachmentObservation) DeepCopyInto(out *ConnectAttachmentObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.CoreNetworkID != nil {
+		in, out := &in.CoreNetworkID, &out.CoreNetworkID
+		*out = new(string)
+		**out = **in
+	}
+	if in.EdgeLocation != nil {
+		in, out := &in.EdgeLocation, &out.EdgeLocation
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Options != nil {
+		in, out := &in.Options, &out.Options
+		*out = make([]OptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.OwnerAccountID != nil {
 		in, out := &in.OwnerAccountID, &out.OwnerAccountID
 		*out = new(string)
@@ -409,6 +456,21 @@ func (in *ConnectAttachmentObservation) DeepCopyInto(out *ConnectAttachmentObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -424,6 +486,11 @@ func (in *ConnectAttachmentObservation) DeepCopyInto(out *ConnectAttachmentObser
 			(*out)[key] = outVal
 		}
 	}
+	if in.TransportAttachmentID != nil {
+		in, out := &in.TransportAttachmentID, &out.TransportAttachmentID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectAttachmentObservation.
@@ -624,11 +691,56 @@ func (in *ConnectionObservation) DeepCopyInto(out *ConnectionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConnectedDeviceID != nil {
+		in, out := &in.ConnectedDeviceID, &out.ConnectedDeviceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConnectedLinkID != nil {
+		in, out := &in.ConnectedLinkID, &out.ConnectedLinkID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceID != nil {
+		in, out := &in.DeviceID, &out.DeviceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LinkID != nil {
+		in, out := &in.LinkID, &out.LinkID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -852,11 +964,26 @@ func (in *CoreNetworkObservation) DeepCopyInto(out *CoreNetworkObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BasePolicyRegion != nil {
+		in, out := &in.BasePolicyRegion, &out.BasePolicyRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.CreateBasePolicy != nil {
+		in, out := &in.CreateBasePolicy, &out.CreateBasePolicy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CreatedAt != nil {
 		in, out := &in.CreatedAt, &out.CreatedAt
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.Edges != nil {
 		in, out := &in.Edges, &out.Edges
 		*out = make([]EdgesObservation, len(*in))
@@ -864,11 +991,21 @@ func (in *CoreNetworkObservation) DeepCopyInto(out *CoreNetworkObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyDocument != nil {
+		in, out := &in.PolicyDocument, &out.PolicyDocument
+		*out = new(string)
+		**out = **in
+	}
 	if in.Segments != nil {
 		in, out := &in.Segments, &out.Segments
 		*out = make([]SegmentsObservation, len(*in))
@@ -881,6 +1018,21 @@ func (in *CoreNetworkObservation) DeepCopyInto(out *CoreNetworkObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1074,11 +1226,31 @@ func (in *CustomerGatewayAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomerGatewayAssociationObservation) DeepCopyInto(out *CustomerGatewayAssociationObservation) {
 	*out = *in
+	if in.CustomerGatewayArn != nil {
+		in, out := &in.CustomerGatewayArn, &out.CustomerGatewayArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceID != nil {
+		in, out := &in.DeviceID, &out.DeviceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LinkID != nil {
+		in, out := &in.LinkID, &out.LinkID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomerGatewayAssociationObservation.
@@ -1262,11 +1434,65 @@ func (in *DeviceObservation) DeepCopyInto(out *DeviceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AwsLocation != nil {
+		in, out := &in.AwsLocation, &out.AwsLocation
+		*out = make([]AwsLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = make([]LocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Model != nil {
+		in, out := &in.Model, &out.Model
+		*out = new(string)
+		**out = **in
+	}
+	if in.SerialNumber != nil {
+		in, out := &in.SerialNumber, &out.SerialNumber
+		*out = new(string)
+		**out = **in
+	}
+	if in.SiteID != nil {
+		in, out := &in.SiteID, &out.SiteID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1282,6 +1508,16 @@ func (in *DeviceObservation) DeepCopyInto(out *DeviceObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Vendor != nil {
+		in, out := &in.Vendor, &out.Vendor
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceObservation.
@@ -1550,11 +1786,31 @@ func (in *GlobalNetworkObservation) DeepCopyInto(out *GlobalNetworkObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1745,11 +2001,26 @@ func (in *LinkAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LinkAssociationObservation) DeepCopyInto(out *LinkAssociationObservation) {
 	*out = *in
+	if in.DeviceID != nil {
+		in, out := &in.DeviceID, &out.DeviceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LinkID != nil {
+		in, out := &in.LinkID, &out.LinkID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LinkAssociationObservation.
@@ -1901,11 +2172,53 @@ func (in *LinkObservation) DeepCopyInto(out *LinkObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Bandwidth != nil {
+		in, out := &in.Bandwidth, &out.Bandwidth
+		*out = make([]BandwidthObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProviderName != nil {
+		in, out := &in.ProviderName, &out.ProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SiteID != nil {
+		in, out := &in.SiteID, &out.SiteID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1921,6 +2234,11 @@ func (in *LinkObservation) DeepCopyInto(out *LinkObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LinkObservation.
@@ -2057,6 +2375,21 @@ func (in *LinkStatus) DeepCopy() *LinkStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LocationObservation) DeepCopyInto(out *LocationObservation) {
 	*out = *in
+	if in.Address != nil {
+		in, out := &in.Address, &out.Address
+		*out = new(string)
+		**out = **in
+	}
+	if in.Latitude != nil {
+		in, out := &in.Latitude, &out.Latitude
+		*out = new(string)
+		**out = **in
+	}
+	if in.Longitude != nil {
+		in, out := &in.Longitude, &out.Longitude
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LocationObservation.
@@ -2102,6 +2435,11 @@ func (in *LocationParameters) DeepCopy() *LocationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OptionsObservation) DeepCopyInto(out *OptionsObservation) {
 	*out = *in
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OptionsObservation.
@@ -2253,6 +2591,21 @@ func (in *SiteList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SiteLocationObservation) DeepCopyInto(out *SiteLocationObservation) {
 	*out = *in
+	if in.Address != nil {
+		in, out := &in.Address, &out.Address
+		*out = new(string)
+		**out = **in
+	}
+	if in.Latitude != nil {
+		in, out := &in.Latitude, &out.Latitude
+		*out = new(string)
+		**out = **in
+	}
+	if in.Longitude != nil {
+		in, out := &in.Longitude, &out.Longitude
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SiteLocationObservation.
@@ -2303,11 +2656,43 @@ func (in *SiteObservation) DeepCopyInto(out *SiteObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Location != nil {
+		in, out := &in.Location, &out.Location
+		*out = make([]SiteLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2493,11 +2878,31 @@ func (in *TransitGatewayConnectPeerAssociationList) DeepCopyObject() runtime.Obj
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayConnectPeerAssociationObservation) DeepCopyInto(out *TransitGatewayConnectPeerAssociationObservation) {
 	*out = *in
+	if in.DeviceID != nil {
+		in, out := &in.DeviceID, &out.DeviceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LinkID != nil {
+		in, out := &in.LinkID, &out.LinkID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransitGatewayConnectPeerArn != nil {
+		in, out := &in.TransitGatewayConnectPeerArn, &out.TransitGatewayConnectPeerArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayConnectPeerAssociationObservation.
@@ -2676,11 +3081,21 @@ func (in *TransitGatewayRegistrationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransitGatewayRegistrationObservation) DeepCopyInto(out *TransitGatewayRegistrationObservation) {
 	*out = *in
+	if in.GlobalNetworkID != nil {
+		in, out := &in.GlobalNetworkID, &out.GlobalNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.TransitGatewayArn != nil {
+		in, out := &in.TransitGatewayArn, &out.TransitGatewayArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransitGatewayRegistrationObservation.
@@ -2859,6 +3274,11 @@ func (in *VPCAttachmentObservation) DeepCopyInto(out *VPCAttachmentObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.CoreNetworkID != nil {
+		in, out := &in.CoreNetworkID, &out.CoreNetworkID
+		*out = new(string)
+		**out = **in
+	}
 	if in.EdgeLocation != nil {
 		in, out := &in.EdgeLocation, &out.EdgeLocation
 		*out = new(string)
@@ -2869,6 +3289,13 @@ func (in *VPCAttachmentObservation) DeepCopyInto(out *VPCAttachmentObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Options != nil {
+		in, out := &in.Options, &out.Options
+		*out = make([]VPCAttachmentOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.OwnerAccountID != nil {
 		in, out := &in.OwnerAccountID, &out.OwnerAccountID
 		*out = new(string)
@@ -2889,6 +3316,32 @@ func (in *VPCAttachmentObservation) DeepCopyInto(out *VPCAttachmentObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetArns != nil {
+		in, out := &in.SubnetArns, &out.SubnetArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2904,6 +3357,11 @@ func (in *VPCAttachmentObservation) DeepCopyInto(out *VPCAttachmentObservation)
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCArn != nil {
+		in, out := &in.VPCArn, &out.VPCArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCAttachmentObservation.
@@ -2919,6 +3377,16 @@ func (in *VPCAttachmentObservation) DeepCopy() *VPCAttachmentObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCAttachmentOptionsObservation) DeepCopyInto(out *VPCAttachmentOptionsObservation) {
 	*out = *in
+	if in.ApplianceModeSupport != nil {
+		in, out := &in.ApplianceModeSupport, &out.ApplianceModeSupport
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IPv6Support != nil {
+		in, out := &in.IPv6Support, &out.IPv6Support
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCAttachmentOptionsObservation.
diff --git a/apis/networkmanager/v1beta1/zz_globalnetwork_types.go b/apis/networkmanager/v1beta1/zz_globalnetwork_types.go
index 1af1894805..466cb50f88 100755
--- a/apis/networkmanager/v1beta1/zz_globalnetwork_types.go
+++ b/apis/networkmanager/v1beta1/zz_globalnetwork_types.go
@@ -18,8 +18,14 @@ type GlobalNetworkObservation struct {
 	// Global Network Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the Global Network.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/networkmanager/v1beta1/zz_link_types.go b/apis/networkmanager/v1beta1/zz_link_types.go
index 6f4ea848af..d442576e5f 100755
--- a/apis/networkmanager/v1beta1/zz_link_types.go
+++ b/apis/networkmanager/v1beta1/zz_link_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type BandwidthObservation struct {
+
+	// Download speed in Mbps.
+	DownloadSpeed *float64 `json:"downloadSpeed,omitempty" tf:"download_speed,omitempty"`
+
+	// Upload speed in Mbps.
+	UploadSpeed *float64 `json:"uploadSpeed,omitempty" tf:"upload_speed,omitempty"`
 }
 
 type BandwidthParameters struct {
@@ -32,17 +38,38 @@ type LinkObservation struct {
 	// Link Amazon Resource Name (ARN).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The upload speed and download speed in Mbps. Documented below.
+	Bandwidth []BandwidthObservation `json:"bandwidth,omitempty" tf:"bandwidth,omitempty"`
+
+	// A description of the link.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The ID of the global network.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The provider of the link.
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
+
+	// The ID of the site.
+	SiteID *string `json:"siteId,omitempty" tf:"site_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The type of the link.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type LinkParameters struct {
 
 	// The upload speed and download speed in Mbps. Documented below.
-	// +kubebuilder:validation:Required
-	Bandwidth []BandwidthParameters `json:"bandwidth" tf:"bandwidth,omitempty"`
+	// +kubebuilder:validation:Optional
+	Bandwidth []BandwidthParameters `json:"bandwidth,omitempty" tf:"bandwidth,omitempty"`
 
 	// A description of the link.
 	// +kubebuilder:validation:Optional
@@ -117,8 +144,9 @@ type LinkStatus struct {
 type Link struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LinkSpec   `json:"spec"`
-	Status            LinkStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bandwidth)",message="bandwidth is a required parameter"
+	Spec   LinkSpec   `json:"spec"`
+	Status LinkStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/networkmanager/v1beta1/zz_linkassociation_types.go b/apis/networkmanager/v1beta1/zz_linkassociation_types.go
index 2840a4d7a1..1d873881dd 100755
--- a/apis/networkmanager/v1beta1/zz_linkassociation_types.go
+++ b/apis/networkmanager/v1beta1/zz_linkassociation_types.go
@@ -14,7 +14,17 @@ import (
 )
 
 type LinkAssociationObservation struct {
+
+	// The ID of the device.
+	DeviceID *string `json:"deviceId,omitempty" tf:"device_id,omitempty"`
+
+	// The ID of the global network.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the link.
+	LinkID *string `json:"linkId,omitempty" tf:"link_id,omitempty"`
 }
 
 type LinkAssociationParameters struct {
diff --git a/apis/networkmanager/v1beta1/zz_site_types.go b/apis/networkmanager/v1beta1/zz_site_types.go
index 785cdfa029..82d025ee9a 100755
--- a/apis/networkmanager/v1beta1/zz_site_types.go
+++ b/apis/networkmanager/v1beta1/zz_site_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type SiteLocationObservation struct {
+
+	// Address of the location.
+	Address *string `json:"address,omitempty" tf:"address,omitempty"`
+
+	// Latitude of the location.
+	Latitude *string `json:"latitude,omitempty" tf:"latitude,omitempty"`
+
+	// Longitude of the location.
+	Longitude *string `json:"longitude,omitempty" tf:"longitude,omitempty"`
 }
 
 type SiteLocationParameters struct {
@@ -36,8 +45,20 @@ type SiteObservation struct {
 	// Site Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the Site.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The ID of the Global Network to create the site in.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The site location as documented below.
+	Location []SiteLocationObservation `json:"location,omitempty" tf:"location,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/networkmanager/v1beta1/zz_transitgatewayconnectpeerassociation_types.go b/apis/networkmanager/v1beta1/zz_transitgatewayconnectpeerassociation_types.go
index 0bc3d62da2..d1fd79c7b2 100755
--- a/apis/networkmanager/v1beta1/zz_transitgatewayconnectpeerassociation_types.go
+++ b/apis/networkmanager/v1beta1/zz_transitgatewayconnectpeerassociation_types.go
@@ -14,7 +14,20 @@ import (
 )
 
 type TransitGatewayConnectPeerAssociationObservation struct {
+
+	// The ID of the device.
+	DeviceID *string `json:"deviceId,omitempty" tf:"device_id,omitempty"`
+
+	// The ID of the global network.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ID of the link.
+	LinkID *string `json:"linkId,omitempty" tf:"link_id,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Connect peer.
+	TransitGatewayConnectPeerArn *string `json:"transitGatewayConnectPeerArn,omitempty" tf:"transit_gateway_connect_peer_arn,omitempty"`
 }
 
 type TransitGatewayConnectPeerAssociationParameters struct {
diff --git a/apis/networkmanager/v1beta1/zz_transitgatewayregistration_types.go b/apis/networkmanager/v1beta1/zz_transitgatewayregistration_types.go
index 66c582ff84..8d79843678 100755
--- a/apis/networkmanager/v1beta1/zz_transitgatewayregistration_types.go
+++ b/apis/networkmanager/v1beta1/zz_transitgatewayregistration_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type TransitGatewayRegistrationObservation struct {
+
+	// The ID of the Global Network to register to.
+	GlobalNetworkID *string `json:"globalNetworkId,omitempty" tf:"global_network_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the Transit Gateway to register.
+	TransitGatewayArn *string `json:"transitGatewayArn,omitempty" tf:"transit_gateway_arn,omitempty"`
 }
 
 type TransitGatewayRegistrationParameters struct {
diff --git a/apis/networkmanager/v1beta1/zz_vpcattachment_types.go b/apis/networkmanager/v1beta1/zz_vpcattachment_types.go
index a6672989a8..67d77b6924 100755
--- a/apis/networkmanager/v1beta1/zz_vpcattachment_types.go
+++ b/apis/networkmanager/v1beta1/zz_vpcattachment_types.go
@@ -27,12 +27,18 @@ type VPCAttachmentObservation struct {
 	// The ARN of a core network.
 	CoreNetworkArn *string `json:"coreNetworkArn,omitempty" tf:"core_network_arn,omitempty"`
 
+	// The ID of a core network for the VPC attachment.
+	CoreNetworkID *string `json:"coreNetworkId,omitempty" tf:"core_network_id,omitempty"`
+
 	// The Region where the edge is located.
 	EdgeLocation *string `json:"edgeLocation,omitempty" tf:"edge_location,omitempty"`
 
 	// The ID of the attachment.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Options for the VPC attachment.
+	Options []VPCAttachmentOptionsObservation `json:"options,omitempty" tf:"options,omitempty"`
+
 	// The ID of the attachment account owner.
 	OwnerAccountID *string `json:"ownerAccountId,omitempty" tf:"owner_account_id,omitempty"`
 
@@ -45,11 +51,26 @@ type VPCAttachmentObservation struct {
 	// The state of the attachment.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// The subnet ARN of the VPC attachment.
+	SubnetArns []*string `json:"subnetArns,omitempty" tf:"subnet_arns,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ARN of the VPC.
+	VPCArn *string `json:"vpcArn,omitempty" tf:"vpc_arn,omitempty"`
 }
 
 type VPCAttachmentOptionsObservation struct {
+
+	// Indicates whether appliance mode is supported. If enabled, traffic flow between a source and destination use the same Availability Zone for the VPC attachment for the lifetime of that flow.
+	ApplianceModeSupport *bool `json:"applianceModeSupport,omitempty" tf:"appliance_mode_support,omitempty"`
+
+	// Indicates whether IPv6 is supported.
+	IPv6Support *bool `json:"ipv6Support,omitempty" tf:"ipv6_support,omitempty"`
 }
 
 type VPCAttachmentOptionsParameters struct {
diff --git a/apis/opensearch/v1beta1/zz_domain_types.go b/apis/opensearch/v1beta1/zz_domain_types.go
index 2e936b6007..ac368f4f31 100755
--- a/apis/opensearch/v1beta1/zz_domain_types.go
+++ b/apis/opensearch/v1beta1/zz_domain_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type AdvancedSecurityOptionsObservation struct {
+
+	// Whether Anonymous auth is enabled. Enables fine-grained access control on an existing domain. Ignored unless advanced_security_options are enabled. Can only be enabled on an existing domain.
+	AnonymousAuthEnabled *bool `json:"anonymousAuthEnabled,omitempty" tf:"anonymous_auth_enabled,omitempty"`
+
+	// Whether advanced security is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Whether the internal user database is enabled. Default is false.
+	InternalUserDatabaseEnabled *bool `json:"internalUserDatabaseEnabled,omitempty" tf:"internal_user_database_enabled,omitempty"`
+
+	// Configuration block for the main user. Detailed below.
+	MasterUserOptions []MasterUserOptionsObservation `json:"masterUserOptions,omitempty" tf:"master_user_options,omitempty"`
 }
 
 type AdvancedSecurityOptionsParameters struct {
@@ -36,6 +48,15 @@ type AdvancedSecurityOptionsParameters struct {
 }
 
 type AutoTuneOptionsObservation struct {
+
+	// Auto-Tune desired state for the domain. Valid values: ENABLED or DISABLED.
+	DesiredState *string `json:"desiredState,omitempty" tf:"desired_state,omitempty"`
+
+	// Configuration block for Auto-Tune maintenance windows. Can be specified multiple times for each maintenance window. Detailed below.
+	MaintenanceSchedule []MaintenanceScheduleObservation `json:"maintenanceSchedule,omitempty" tf:"maintenance_schedule,omitempty"`
+
+	// Whether to roll back to default Auto-Tune settings when disabling Auto-Tune. Valid values: DEFAULT_ROLLBACK or NO_ROLLBACK.
+	RollbackOnDisable *string `json:"rollbackOnDisable,omitempty" tf:"rollback_on_disable,omitempty"`
 }
 
 type AutoTuneOptionsParameters struct {
@@ -54,6 +75,39 @@ type AutoTuneOptionsParameters struct {
 }
 
 type ClusterConfigObservation struct {
+
+	// Configuration block containing cold storage configuration. Detailed below.
+	ColdStorageOptions []ColdStorageOptionsObservation `json:"coldStorageOptions,omitempty" tf:"cold_storage_options,omitempty"`
+
+	// Number of dedicated main nodes in the cluster.
+	DedicatedMasterCount *float64 `json:"dedicatedMasterCount,omitempty" tf:"dedicated_master_count,omitempty"`
+
+	// Whether dedicated main nodes are enabled for the cluster.
+	DedicatedMasterEnabled *bool `json:"dedicatedMasterEnabled,omitempty" tf:"dedicated_master_enabled,omitempty"`
+
+	// Instance type of the dedicated main nodes in the cluster.
+	DedicatedMasterType *string `json:"dedicatedMasterType,omitempty" tf:"dedicated_master_type,omitempty"`
+
+	// Number of instances in the cluster.
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	// Instance type of data nodes in the cluster.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// Number of warm nodes in the cluster. Valid values are between 2 and 150. warm_count can be only and must be set when warm_enabled is set to true.
+	WarmCount *float64 `json:"warmCount,omitempty" tf:"warm_count,omitempty"`
+
+	// Whether to enable warm storage.
+	WarmEnabled *bool `json:"warmEnabled,omitempty" tf:"warm_enabled,omitempty"`
+
+	// Instance type for the OpenSearch cluster's warm nodes. Valid values are ultrawarm1.medium.search, ultrawarm1.large.search and ultrawarm1.xlarge.search. warm_type can be only and must be set when warm_enabled is set to true.
+	WarmType *string `json:"warmType,omitempty" tf:"warm_type,omitempty"`
+
+	// Configuration block containing zone awareness settings. Detailed below.
+	ZoneAwarenessConfig []ZoneAwarenessConfigObservation `json:"zoneAwarenessConfig,omitempty" tf:"zone_awareness_config,omitempty"`
+
+	// Whether zone awareness is enabled, set to true for multi-az deployment. To enable awareness with three Availability Zones, the availability_zone_count within the zone_awareness_config must be set to 3.
+	ZoneAwarenessEnabled *bool `json:"zoneAwarenessEnabled,omitempty" tf:"zone_awareness_enabled,omitempty"`
 }
 
 type ClusterConfigParameters struct {
@@ -104,6 +158,18 @@ type ClusterConfigParameters struct {
 }
 
 type CognitoOptionsObservation struct {
+
+	// Whether Amazon Cognito authentication with Kibana is enabled or not. Default is false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// ID of the Cognito Identity Pool to use.
+	IdentityPoolID *string `json:"identityPoolId,omitempty" tf:"identity_pool_id,omitempty"`
+
+	// ARN of the IAM role that has the AmazonOpenSearchServiceCognitoAccess policy attached.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// ID of the Cognito User Pool to use.
+	UserPoolID *string `json:"userPoolId,omitempty" tf:"user_pool_id,omitempty"`
 }
 
 type CognitoOptionsParameters struct {
@@ -126,6 +192,9 @@ type CognitoOptionsParameters struct {
 }
 
 type ColdStorageOptionsObservation struct {
+
+	// Boolean to enable cold storage for an OpenSearch domain. Defaults to false. Master and ultrawarm nodes must be enabled for cold storage.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type ColdStorageOptionsParameters struct {
@@ -136,6 +205,21 @@ type ColdStorageOptionsParameters struct {
 }
 
 type DomainEndpointOptionsObservation struct {
+
+	// Fully qualified domain for your custom endpoint.
+	CustomEndpoint *string `json:"customEndpoint,omitempty" tf:"custom_endpoint,omitempty"`
+
+	// ACM certificate ARN for your custom endpoint.
+	CustomEndpointCertificateArn *string `json:"customEndpointCertificateArn,omitempty" tf:"custom_endpoint_certificate_arn,omitempty"`
+
+	// Whether to enable custom endpoint for the OpenSearch domain.
+	CustomEndpointEnabled *bool `json:"customEndpointEnabled,omitempty" tf:"custom_endpoint_enabled,omitempty"`
+
+	// Whether or not to require HTTPS. Defaults to true.
+	EnforceHTTPS *bool `json:"enforceHttps,omitempty" tf:"enforce_https,omitempty"`
+
+	// Name of the TLS security policy that needs to be applied to the HTTPS endpoint. Valid values:  Policy-Min-TLS-1-0-2019-07 and Policy-Min-TLS-1-2-2019-07.
+	TLSSecurityPolicy *string `json:"tlsSecurityPolicy,omitempty" tf:"tls_security_policy,omitempty"`
 }
 
 type DomainEndpointOptionsParameters struct {
@@ -166,25 +250,66 @@ type DomainObservation struct {
 	// , are prefaced with es: for both.
 	AccessPolicies *string `json:"accessPolicies,omitempty" tf:"access_policies,omitempty"`
 
+	// Key-value string pairs to specify advanced configuration options.
+	AdvancedOptions map[string]*string `json:"advancedOptions,omitempty" tf:"advanced_options,omitempty"`
+
+	// Configuration block for fine-grained access control. Detailed below.
+	AdvancedSecurityOptions []AdvancedSecurityOptionsObservation `json:"advancedSecurityOptions,omitempty" tf:"advanced_security_options,omitempty"`
+
 	// ARN of the domain.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block for the Auto-Tune options of the domain. Detailed below.
+	AutoTuneOptions []AutoTuneOptionsObservation `json:"autoTuneOptions,omitempty" tf:"auto_tune_options,omitempty"`
+
+	// Configuration block for the cluster of the domain. Detailed below.
+	ClusterConfig []ClusterConfigObservation `json:"clusterConfig,omitempty" tf:"cluster_config,omitempty"`
+
+	// Configuration block for authenticating Kibana with Cognito. Detailed below.
+	CognitoOptions []CognitoOptionsObservation `json:"cognitoOptions,omitempty" tf:"cognito_options,omitempty"`
+
+	// Configuration block for domain endpoint HTTP(S) related options. Detailed below.
+	DomainEndpointOptions []DomainEndpointOptionsObservation `json:"domainEndpointOptions,omitempty" tf:"domain_endpoint_options,omitempty"`
+
 	// Unique identifier for the domain.
 	DomainID *string `json:"domainId,omitempty" tf:"domain_id,omitempty"`
 
+	// Name of the domain.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// Configuration block for EBS related options, may be required based on chosen instance size. Detailed below.
+	EBSOptions []EBSOptionsObservation `json:"ebsOptions,omitempty" tf:"ebs_options,omitempty"`
+
+	// Configuration block for encrypt at rest options. Only available for certain instance types. Detailed below.
+	EncryptAtRest []EncryptAtRestObservation `json:"encryptAtRest,omitempty" tf:"encrypt_at_rest,omitempty"`
+
 	// Domain-specific endpoint used to submit index, search, and data upload requests.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// while Elasticsearch has elasticsearch_version
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Domain-specific endpoint for kibana without https scheme.
 	KibanaEndpoint *string `json:"kibanaEndpoint,omitempty" tf:"kibana_endpoint,omitempty"`
 
+	// Configuration block for publishing slow and application logs to CloudWatch Logs. This block can be declared multiple times, for each log_type, within the same resource. Detailed below.
+	LogPublishingOptions []LogPublishingOptionsObservation `json:"logPublishingOptions,omitempty" tf:"log_publishing_options,omitempty"`
+
+	// Configuration block for node-to-node encryption options. Detailed below.
+	NodeToNodeEncryption []NodeToNodeEncryptionObservation `json:"nodeToNodeEncryption,omitempty" tf:"node_to_node_encryption,omitempty"`
+
+	// Configuration block for snapshot related options. Detailed below. DEPRECATED. For domains running OpenSearch 5.3 and later, Amazon OpenSearch takes hourly automated snapshots, making this setting irrelevant. For domains running earlier versions, OpenSearch takes daily automated snapshots.
+	SnapshotOptions []SnapshotOptionsObservation `json:"snapshotOptions,omitempty" tf:"snapshot_options,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Configuration block for VPC related options. Adding or removing this configuration forces a new resource (documentation). Detailed below.
-	// +kubebuilder:validation:Optional
 	VPCOptions []VPCOptionsObservation `json:"vpcOptions,omitempty" tf:"vpc_options,omitempty"`
 }
 
@@ -215,8 +340,8 @@ type DomainParameters struct {
 	DomainEndpointOptions []DomainEndpointOptionsParameters `json:"domainEndpointOptions,omitempty" tf:"domain_endpoint_options,omitempty"`
 
 	// Name of the domain.
-	// +kubebuilder:validation:Required
-	DomainName *string `json:"domainName" tf:"domain_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
 
 	// Configuration block for EBS related options, may be required based on chosen instance size. Detailed below.
 	// +kubebuilder:validation:Optional
@@ -257,6 +382,12 @@ type DomainParameters struct {
 }
 
 type DurationObservation struct {
+
+	// Unit of time specifying the duration of an Auto-Tune maintenance window. Valid values: HOURS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// An integer specifying the value of the duration of an Auto-Tune maintenance window.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DurationParameters struct {
@@ -271,6 +402,21 @@ type DurationParameters struct {
 }
 
 type EBSOptionsObservation struct {
+
+	// Whether EBS volumes are attached to data nodes in the domain.
+	EBSEnabled *bool `json:"ebsEnabled,omitempty" tf:"ebs_enabled,omitempty"`
+
+	// Baseline input/output (I/O) performance of EBS volumes attached to data nodes. Applicable only for the GP3 and Provisioned IOPS EBS volume types.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Specifies the throughput (in MiB/s) of the EBS volumes attached to data nodes. Applicable only for the gp3 volume type. Valid values are between 125 and 1000.
+	Throughput *float64 `json:"throughput,omitempty" tf:"throughput,omitempty"`
+
+	// Size of EBS volumes attached to data nodes (in GiB).
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of EBS volumes attached to data nodes.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type EBSOptionsParameters struct {
@@ -297,6 +443,12 @@ type EBSOptionsParameters struct {
 }
 
 type EncryptAtRestObservation struct {
+
+	// Whether to enable encryption at rest. If the encrypt_at_rest block is not provided then this defaults to false. Enabling encryption on new domains requires an engine_version of OpenSearch_X.Y or Elasticsearch_5.1 or greater.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// KMS key ARN to encrypt the Elasticsearch domain with. If not specified then it defaults to using the aws/es service KMS key. Note that KMS will accept a KMS key ID but will return the key ARN.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 }
 
 type EncryptAtRestParameters struct {
@@ -311,6 +463,15 @@ type EncryptAtRestParameters struct {
 }
 
 type LogPublishingOptionsObservation struct {
+
+	// ARN of the Cloudwatch log group to which log needs to be published.
+	CloudwatchLogGroupArn *string `json:"cloudwatchLogGroupArn,omitempty" tf:"cloudwatch_log_group_arn,omitempty"`
+
+	// Whether given log publishing option is enabled or not.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Type of OpenSearch log. Valid values: INDEX_SLOW_LOGS, SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, AUDIT_LOGS.
+	LogType *string `json:"logType,omitempty" tf:"log_type,omitempty"`
 }
 
 type LogPublishingOptionsParameters struct {
@@ -339,6 +500,15 @@ type LogPublishingOptionsParameters struct {
 }
 
 type MaintenanceScheduleObservation struct {
+
+	// A cron expression specifying the recurrence pattern for an Auto-Tune maintenance schedule.
+	CronExpressionForRecurrence *string `json:"cronExpressionForRecurrence,omitempty" tf:"cron_expression_for_recurrence,omitempty"`
+
+	// Configuration block for the duration of the Auto-Tune maintenance window. Detailed below.
+	Duration []DurationObservation `json:"duration,omitempty" tf:"duration,omitempty"`
+
+	// Date and time at which to start the Auto-Tune maintenance schedule in RFC3339 format.
+	StartAt *string `json:"startAt,omitempty" tf:"start_at,omitempty"`
 }
 
 type MaintenanceScheduleParameters struct {
@@ -357,6 +527,12 @@ type MaintenanceScheduleParameters struct {
 }
 
 type MasterUserOptionsObservation struct {
+
+	// ARN for the main user. Only specify if internal_user_database_enabled is not set or set to false.
+	MasterUserArn *string `json:"masterUserArn,omitempty" tf:"master_user_arn,omitempty"`
+
+	// Main user's username, which is stored in the Amazon OpenSearch Service domain's internal database. Only specify if internal_user_database_enabled is set to true.
+	MasterUserName *string `json:"masterUserName,omitempty" tf:"master_user_name,omitempty"`
 }
 
 type MasterUserOptionsParameters struct {
@@ -375,6 +551,9 @@ type MasterUserOptionsParameters struct {
 }
 
 type NodeToNodeEncryptionObservation struct {
+
+	// Whether to enable node-to-node encryption. If the node_to_node_encryption block is not provided then this defaults to false. Enabling node-to-node encryption of a new domain requires an engine_version of OpenSearch_X.Y or Elasticsearch_6.0 or greater.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type NodeToNodeEncryptionParameters struct {
@@ -385,6 +564,9 @@ type NodeToNodeEncryptionParameters struct {
 }
 
 type SnapshotOptionsObservation struct {
+
+	// Hour during which the service takes an automated daily snapshot of the indices in the domain.
+	AutomatedSnapshotStartHour *float64 `json:"automatedSnapshotStartHour,omitempty" tf:"automated_snapshot_start_hour,omitempty"`
 }
 
 type SnapshotOptionsParameters struct {
@@ -399,6 +581,12 @@ type VPCOptionsObservation struct {
 	// If the domain was created inside a VPC, the names of the availability zones the configured subnet_ids were created inside.
 	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
 
+	// List of VPC Security Group IDs to be applied to the OpenSearch domain endpoints. If omitted, the default Security Group for the VPC will be used.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// List of VPC Subnet IDs for the OpenSearch domain endpoints to be created in.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	// If the domain was created inside a VPC, the ID of the VPC.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
@@ -415,6 +603,9 @@ type VPCOptionsParameters struct {
 }
 
 type ZoneAwarenessConfigObservation struct {
+
+	// Number of Availability Zones for the domain to use with zone_awareness_enabled. Defaults to 2. Valid values: 2 or 3.
+	AvailabilityZoneCount *float64 `json:"availabilityZoneCount,omitempty" tf:"availability_zone_count,omitempty"`
 }
 
 type ZoneAwarenessConfigParameters struct {
@@ -448,8 +639,9 @@ type DomainStatus struct {
 type Domain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainSpec   `json:"spec"`
-	Status            DomainStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)",message="domainName is a required parameter"
+	Spec   DomainSpec   `json:"spec"`
+	Status DomainStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opensearch/v1beta1/zz_domainpolicy_types.go b/apis/opensearch/v1beta1/zz_domainpolicy_types.go
index 6bc3deb94c..90d6fdbda3 100755
--- a/apis/opensearch/v1beta1/zz_domainpolicy_types.go
+++ b/apis/opensearch/v1beta1/zz_domainpolicy_types.go
@@ -14,14 +14,21 @@ import (
 )
 
 type DomainPolicyObservation struct {
+
+	// IAM policy document specifying the access policies for the domain
+	AccessPolicies *string `json:"accessPolicies,omitempty" tf:"access_policies,omitempty"`
+
+	// Name of the domain.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type DomainPolicyParameters struct {
 
 	// IAM policy document specifying the access policies for the domain
-	// +kubebuilder:validation:Required
-	AccessPolicies *string `json:"accessPolicies" tf:"access_policies,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccessPolicies *string `json:"accessPolicies,omitempty" tf:"access_policies,omitempty"`
 
 	// Name of the domain.
 	// +crossplane:generate:reference:type=Domain
@@ -66,8 +73,9 @@ type DomainPolicyStatus struct {
 type DomainPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainPolicySpec   `json:"spec"`
-	Status            DomainPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicies)",message="accessPolicies is a required parameter"
+	Spec   DomainPolicySpec   `json:"spec"`
+	Status DomainPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opensearch/v1beta1/zz_domainsamloptions_types.go b/apis/opensearch/v1beta1/zz_domainsamloptions_types.go
index 35aae77499..f5e1088b4c 100755
--- a/apis/opensearch/v1beta1/zz_domainsamloptions_types.go
+++ b/apis/opensearch/v1beta1/zz_domainsamloptions_types.go
@@ -15,8 +15,14 @@ import (
 
 type DomainSAMLOptionsObservation struct {
 
+	// Name of the domain.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	// Name of the domain the SAML options are associated with.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// SAML authentication options for an AWS OpenSearch Domain.
+	SAMLOptions []SAMLOptionsObservation `json:"samlOptions,omitempty" tf:"saml_options,omitempty"`
 }
 
 type DomainSAMLOptionsParameters struct {
@@ -46,6 +52,12 @@ type DomainSAMLOptionsParameters struct {
 }
 
 type IdpObservation struct {
+
+	// Unique Entity ID of the application in SAML Identity Provider.
+	EntityID *string `json:"entityId,omitempty" tf:"entity_id,omitempty"`
+
+	// Metadata of the SAML application in xml format.
+	MetadataContent *string `json:"metadataContent,omitempty" tf:"metadata_content,omitempty"`
 }
 
 type IdpParameters struct {
@@ -60,6 +72,24 @@ type IdpParameters struct {
 }
 
 type SAMLOptionsObservation struct {
+
+	// Whether SAML authentication is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Information from your identity provider.
+	Idp []IdpObservation `json:"idp,omitempty" tf:"idp,omitempty"`
+
+	// This backend role from the SAML IdP receives full permissions to the cluster, equivalent to a new master user.
+	MasterBackendRole *string `json:"masterBackendRole,omitempty" tf:"master_backend_role,omitempty"`
+
+	// Element of the SAML assertion to use for backend roles. Default is roles.
+	RolesKey *string `json:"rolesKey,omitempty" tf:"roles_key,omitempty"`
+
+	// Duration of a session in minutes after a user logs in. Default is 60. Maximum value is 1,440.
+	SessionTimeoutMinutes *float64 `json:"sessionTimeoutMinutes,omitempty" tf:"session_timeout_minutes,omitempty"`
+
+	// Element of the SAML assertion to use for username. Default is NameID.
+	SubjectKey *string `json:"subjectKey,omitempty" tf:"subject_key,omitempty"`
 }
 
 type SAMLOptionsParameters struct {
diff --git a/apis/opensearch/v1beta1/zz_generated.deepcopy.go b/apis/opensearch/v1beta1/zz_generated.deepcopy.go
index 44413268bf..3da3c5fff2 100644
--- a/apis/opensearch/v1beta1/zz_generated.deepcopy.go
+++ b/apis/opensearch/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,28 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdvancedSecurityOptionsObservation) DeepCopyInto(out *AdvancedSecurityOptionsObservation) {
 	*out = *in
+	if in.AnonymousAuthEnabled != nil {
+		in, out := &in.AnonymousAuthEnabled, &out.AnonymousAuthEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InternalUserDatabaseEnabled != nil {
+		in, out := &in.InternalUserDatabaseEnabled, &out.InternalUserDatabaseEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MasterUserOptions != nil {
+		in, out := &in.MasterUserOptions, &out.MasterUserOptions
+		*out = make([]MasterUserOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedSecurityOptionsObservation.
@@ -69,6 +91,23 @@ func (in *AdvancedSecurityOptionsParameters) DeepCopy() *AdvancedSecurityOptions
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutoTuneOptionsObservation) DeepCopyInto(out *AutoTuneOptionsObservation) {
 	*out = *in
+	if in.DesiredState != nil {
+		in, out := &in.DesiredState, &out.DesiredState
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaintenanceSchedule != nil {
+		in, out := &in.MaintenanceSchedule, &out.MaintenanceSchedule
+		*out = make([]MaintenanceScheduleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RollbackOnDisable != nil {
+		in, out := &in.RollbackOnDisable, &out.RollbackOnDisable
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutoTuneOptionsObservation.
@@ -116,6 +155,65 @@ func (in *AutoTuneOptionsParameters) DeepCopy() *AutoTuneOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterConfigObservation) DeepCopyInto(out *ClusterConfigObservation) {
 	*out = *in
+	if in.ColdStorageOptions != nil {
+		in, out := &in.ColdStorageOptions, &out.ColdStorageOptions
+		*out = make([]ColdStorageOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DedicatedMasterCount != nil {
+		in, out := &in.DedicatedMasterCount, &out.DedicatedMasterCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DedicatedMasterEnabled != nil {
+		in, out := &in.DedicatedMasterEnabled, &out.DedicatedMasterEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DedicatedMasterType != nil {
+		in, out := &in.DedicatedMasterType, &out.DedicatedMasterType
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.WarmCount != nil {
+		in, out := &in.WarmCount, &out.WarmCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.WarmEnabled != nil {
+		in, out := &in.WarmEnabled, &out.WarmEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.WarmType != nil {
+		in, out := &in.WarmType, &out.WarmType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ZoneAwarenessConfig != nil {
+		in, out := &in.ZoneAwarenessConfig, &out.ZoneAwarenessConfig
+		*out = make([]ZoneAwarenessConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ZoneAwarenessEnabled != nil {
+		in, out := &in.ZoneAwarenessEnabled, &out.ZoneAwarenessEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterConfigObservation.
@@ -205,6 +303,26 @@ func (in *ClusterConfigParameters) DeepCopy() *ClusterConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CognitoOptionsObservation) DeepCopyInto(out *CognitoOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IdentityPoolID != nil {
+		in, out := &in.IdentityPoolID, &out.IdentityPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPoolID != nil {
+		in, out := &in.UserPoolID, &out.UserPoolID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CognitoOptionsObservation.
@@ -255,6 +373,11 @@ func (in *CognitoOptionsParameters) DeepCopy() *CognitoOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ColdStorageOptionsObservation) DeepCopyInto(out *ColdStorageOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ColdStorageOptionsObservation.
@@ -317,6 +440,31 @@ func (in *Domain) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainEndpointOptionsObservation) DeepCopyInto(out *DomainEndpointOptionsObservation) {
 	*out = *in
+	if in.CustomEndpoint != nil {
+		in, out := &in.CustomEndpoint, &out.CustomEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomEndpointCertificateArn != nil {
+		in, out := &in.CustomEndpointCertificateArn, &out.CustomEndpointCertificateArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomEndpointEnabled != nil {
+		in, out := &in.CustomEndpointEnabled, &out.CustomEndpointEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnforceHTTPS != nil {
+		in, out := &in.EnforceHTTPS, &out.EnforceHTTPS
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TLSSecurityPolicy != nil {
+		in, out := &in.TLSSecurityPolicy, &out.TLSSecurityPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainEndpointOptionsObservation.
@@ -409,21 +557,95 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AdvancedOptions != nil {
+		in, out := &in.AdvancedOptions, &out.AdvancedOptions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.AdvancedSecurityOptions != nil {
+		in, out := &in.AdvancedSecurityOptions, &out.AdvancedSecurityOptions
+		*out = make([]AdvancedSecurityOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoTuneOptions != nil {
+		in, out := &in.AutoTuneOptions, &out.AutoTuneOptions
+		*out = make([]AutoTuneOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ClusterConfig != nil {
+		in, out := &in.ClusterConfig, &out.ClusterConfig
+		*out = make([]ClusterConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CognitoOptions != nil {
+		in, out := &in.CognitoOptions, &out.CognitoOptions
+		*out = make([]CognitoOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DomainEndpointOptions != nil {
+		in, out := &in.DomainEndpointOptions, &out.DomainEndpointOptions
+		*out = make([]DomainEndpointOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DomainID != nil {
 		in, out := &in.DomainID, &out.DomainID
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EBSOptions != nil {
+		in, out := &in.EBSOptions, &out.EBSOptions
+		*out = make([]EBSOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EncryptAtRest != nil {
+		in, out := &in.EncryptAtRest, &out.EncryptAtRest
+		*out = make([]EncryptAtRestObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -434,6 +656,42 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LogPublishingOptions != nil {
+		in, out := &in.LogPublishingOptions, &out.LogPublishingOptions
+		*out = make([]LogPublishingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NodeToNodeEncryption != nil {
+		in, out := &in.NodeToNodeEncryption, &out.NodeToNodeEncryption
+		*out = make([]NodeToNodeEncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SnapshotOptions != nil {
+		in, out := &in.SnapshotOptions, &out.SnapshotOptions
+		*out = make([]SnapshotOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -667,6 +925,16 @@ func (in *DomainPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainPolicyObservation) DeepCopyInto(out *DomainPolicyObservation) {
 	*out = *in
+	if in.AccessPolicies != nil {
+		in, out := &in.AccessPolicies, &out.AccessPolicies
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -820,11 +1088,23 @@ func (in *DomainSAMLOptionsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainSAMLOptionsObservation) DeepCopyInto(out *DomainSAMLOptionsObservation) {
 	*out = *in
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SAMLOptions != nil {
+		in, out := &in.SAMLOptions, &out.SAMLOptions
+		*out = make([]SAMLOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainSAMLOptionsObservation.
@@ -950,6 +1230,16 @@ func (in *DomainStatus) DeepCopy() *DomainStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DurationObservation) DeepCopyInto(out *DurationObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DurationObservation.
@@ -990,6 +1280,31 @@ func (in *DurationParameters) DeepCopy() *DurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSOptionsObservation) DeepCopyInto(out *EBSOptionsObservation) {
 	*out = *in
+	if in.EBSEnabled != nil {
+		in, out := &in.EBSEnabled, &out.EBSEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Throughput != nil {
+		in, out := &in.Throughput, &out.Throughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSOptionsObservation.
@@ -1045,6 +1360,16 @@ func (in *EBSOptionsParameters) DeepCopy() *EBSOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptAtRestObservation) DeepCopyInto(out *EncryptAtRestObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptAtRestObservation.
@@ -1085,6 +1410,16 @@ func (in *EncryptAtRestParameters) DeepCopy() *EncryptAtRestParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IdpObservation) DeepCopyInto(out *IdpObservation) {
 	*out = *in
+	if in.EntityID != nil {
+		in, out := &in.EntityID, &out.EntityID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MetadataContent != nil {
+		in, out := &in.MetadataContent, &out.MetadataContent
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdpObservation.
@@ -1125,6 +1460,21 @@ func (in *IdpParameters) DeepCopy() *IdpParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogPublishingOptionsObservation) DeepCopyInto(out *LogPublishingOptionsObservation) {
 	*out = *in
+	if in.CloudwatchLogGroupArn != nil {
+		in, out := &in.CloudwatchLogGroupArn, &out.CloudwatchLogGroupArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogType != nil {
+		in, out := &in.LogType, &out.LogType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogPublishingOptionsObservation.
@@ -1180,6 +1530,23 @@ func (in *LogPublishingOptionsParameters) DeepCopy() *LogPublishingOptionsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceScheduleObservation) DeepCopyInto(out *MaintenanceScheduleObservation) {
 	*out = *in
+	if in.CronExpressionForRecurrence != nil {
+		in, out := &in.CronExpressionForRecurrence, &out.CronExpressionForRecurrence
+		*out = new(string)
+		**out = **in
+	}
+	if in.Duration != nil {
+		in, out := &in.Duration, &out.Duration
+		*out = make([]DurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StartAt != nil {
+		in, out := &in.StartAt, &out.StartAt
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceScheduleObservation.
@@ -1227,6 +1594,16 @@ func (in *MaintenanceScheduleParameters) DeepCopy() *MaintenanceScheduleParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MasterUserOptionsObservation) DeepCopyInto(out *MasterUserOptionsObservation) {
 	*out = *in
+	if in.MasterUserArn != nil {
+		in, out := &in.MasterUserArn, &out.MasterUserArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.MasterUserName != nil {
+		in, out := &in.MasterUserName, &out.MasterUserName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MasterUserOptionsObservation.
@@ -1272,6 +1649,11 @@ func (in *MasterUserOptionsParameters) DeepCopy() *MasterUserOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeToNodeEncryptionObservation) DeepCopyInto(out *NodeToNodeEncryptionObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeToNodeEncryptionObservation.
@@ -1307,6 +1689,38 @@ func (in *NodeToNodeEncryptionParameters) DeepCopy() *NodeToNodeEncryptionParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SAMLOptionsObservation) DeepCopyInto(out *SAMLOptionsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Idp != nil {
+		in, out := &in.Idp, &out.Idp
+		*out = make([]IdpObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MasterBackendRole != nil {
+		in, out := &in.MasterBackendRole, &out.MasterBackendRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.RolesKey != nil {
+		in, out := &in.RolesKey, &out.RolesKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionTimeoutMinutes != nil {
+		in, out := &in.SessionTimeoutMinutes, &out.SessionTimeoutMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SubjectKey != nil {
+		in, out := &in.SubjectKey, &out.SubjectKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SAMLOptionsObservation.
@@ -1374,6 +1788,11 @@ func (in *SAMLOptionsParameters) DeepCopy() *SAMLOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapshotOptionsObservation) DeepCopyInto(out *SnapshotOptionsObservation) {
 	*out = *in
+	if in.AutomatedSnapshotStartHour != nil {
+		in, out := &in.AutomatedSnapshotStartHour, &out.AutomatedSnapshotStartHour
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotOptionsObservation.
@@ -1420,6 +1839,28 @@ func (in *VPCOptionsObservation) DeepCopyInto(out *VPCOptionsObservation) {
 			}
 		}
 	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
@@ -1477,6 +1918,11 @@ func (in *VPCOptionsParameters) DeepCopy() *VPCOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ZoneAwarenessConfigObservation) DeepCopyInto(out *ZoneAwarenessConfigObservation) {
 	*out = *in
+	if in.AvailabilityZoneCount != nil {
+		in, out := &in.AvailabilityZoneCount, &out.AvailabilityZoneCount
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ZoneAwarenessConfigObservation.
diff --git a/apis/opsworks/v1beta1/zz_application_types.go b/apis/opsworks/v1beta1/zz_application_types.go
index 6737b97a51..6c38ca8f77 100755
--- a/apis/opsworks/v1beta1/zz_application_types.go
+++ b/apis/opsworks/v1beta1/zz_application_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type AppSourceObservation struct {
+
+	// For sources that are version-aware, the revision to use.
+	Revision *string `json:"revision,omitempty" tf:"revision,omitempty"`
+
+	// The type of source to use. For example, "archive".
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The URL where the app resource can be found.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// Username to use when authenticating to the source.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type AppSourceParameters struct {
@@ -45,8 +57,59 @@ type AppSourceParameters struct {
 
 type ApplicationObservation struct {
 
+	// SCM configuration of the app as described below.
+	AppSource []AppSourceObservation `json:"appSource,omitempty" tf:"app_source,omitempty"`
+
+	// Run bundle install when deploying for application of type rails.
+	AutoBundleOnDeploy *string `json:"autoBundleOnDeploy,omitempty" tf:"auto_bundle_on_deploy,omitempty"`
+
+	// Specify activity and workflow workers for your app using the aws-flow gem.
+	AwsFlowRubySettings *string `json:"awsFlowRubySettings,omitempty" tf:"aws_flow_ruby_settings,omitempty"`
+
+	// The data source's ARN.
+	DataSourceArn *string `json:"dataSourceArn,omitempty" tf:"data_source_arn,omitempty"`
+
+	// The database name.
+	DataSourceDatabaseName *string `json:"dataSourceDatabaseName,omitempty" tf:"data_source_database_name,omitempty"`
+
+	// The data source's type one of AutoSelectOpsworksMysqlInstance, OpsworksMysqlInstance, or RdsDbInstance.
+	DataSourceType *string `json:"dataSourceType,omitempty" tf:"data_source_type,omitempty"`
+
+	// A description of the app.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Subfolder for the document root for application of type rails.
+	DocumentRoot *string `json:"documentRoot,omitempty" tf:"document_root,omitempty"`
+
+	// A list of virtual host alias.
+	Domains []*string `json:"domains,omitempty" tf:"domains,omitempty"`
+
+	// Whether to enable SSL for the app. This must be set in order to let ssl_configuration.private_key, ssl_configuration.certificate and ssl_configuration.chain take effect.
+	EnableSSL *bool `json:"enableSsl,omitempty" tf:"enable_ssl,omitempty"`
+
+	// Object to define environment variables.  Object is described below.
+	Environment []EnvironmentObservation `json:"environment,omitempty" tf:"environment,omitempty"`
+
 	// The id of the application.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A human-readable name for the application.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The name of the Rails environment for application of type rails.
+	RailsEnv *string `json:"railsEnv,omitempty" tf:"rails_env,omitempty"`
+
+	// The SSL configuration of the app. Object is described below.
+	SSLConfiguration []SSLConfigurationObservation `json:"sslConfiguration,omitempty" tf:"ssl_configuration,omitempty"`
+
+	// A short, machine-readable name for the application. This can only be defined on resource creation and ignored on resource update.
+	ShortName *string `json:"shortName,omitempty" tf:"short_name,omitempty"`
+
+	// ID of the stack the application will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Opsworks application type. One of aws-flow-ruby, java, rails, php, nodejs, static or other.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ApplicationParameters struct {
@@ -96,8 +159,8 @@ type ApplicationParameters struct {
 	Environment []EnvironmentParameters `json:"environment,omitempty" tf:"environment,omitempty"`
 
 	// A human-readable name for the application.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The name of the Rails environment for application of type rails.
 	// +kubebuilder:validation:Optional
@@ -126,11 +189,20 @@ type ApplicationParameters struct {
 	StackIDSelector *v1.Selector `json:"stackIdSelector,omitempty" tf:"-"`
 
 	// Opsworks application type. One of aws-flow-ruby, java, rails, php, nodejs, static or other.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EnvironmentObservation struct {
+
+	// Variable name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Set visibility of the variable value to true or false.
+	Secure *bool `json:"secure,omitempty" tf:"secure,omitempty"`
+
+	// Variable value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type EnvironmentParameters struct {
@@ -149,6 +221,12 @@ type EnvironmentParameters struct {
 }
 
 type SSLConfigurationObservation struct {
+
+	// The contents of the certificate's domain.crt file.
+	Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+	// Can be used to specify an intermediate certificate authority key or client authentication.
+	Chain *string `json:"chain,omitempty" tf:"chain,omitempty"`
 }
 
 type SSLConfigurationParameters struct {
@@ -190,8 +268,10 @@ type ApplicationStatus struct {
 type Application struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ApplicationSpec   `json:"spec"`
-	Status            ApplicationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   ApplicationSpec   `json:"spec"`
+	Status ApplicationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opsworks/v1beta1/zz_customlayer_types.go b/apis/opsworks/v1beta1/zz_customlayer_types.go
index f559ad9bdc..60d766ddfc 100755
--- a/apis/opsworks/v1beta1/zz_customlayer_types.go
+++ b/apis/opsworks/v1beta1/zz_customlayer_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type CloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// A block the specifies how an opsworks logs look like. See Log Streams.
+	LogStreams []LogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type CloudwatchConfigurationParameters struct {
@@ -31,11 +35,78 @@ type CustomLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	// Will create an EBS volume and connect it to the layer's instances. See Cloudwatch Configuration.
+	CloudwatchConfiguration []CloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// Will create an EBS volume and connect it to the layer's instances. See EBS Volume.
+	EBSVolume []EBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	// Load-based auto scaling configuration. See Load Based AutoScaling
+	LoadBasedAutoScaling []LoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A short, machine-readable name for the layer, which will be used to identify it in the Chef node JSON.
+	ShortName *string `json:"shortName,omitempty" tf:"short_name,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type CustomLayerParameters struct {
@@ -119,12 +190,12 @@ type CustomLayerParameters struct {
 	LoadBasedAutoScaling []LoadBasedAutoScalingParameters `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
 
 	// A human-readable name for the layer.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A short, machine-readable name for the layer, which will be used to identify it in the Chef node JSON.
-	// +kubebuilder:validation:Required
-	ShortName *string `json:"shortName" tf:"short_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ShortName *string `json:"shortName,omitempty" tf:"short_name,omitempty"`
 
 	// ID of the stack the layer will belong to.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/opsworks/v1beta1.Stack
@@ -154,6 +225,27 @@ type CustomLayerParameters struct {
 }
 
 type DownscalingObservation struct {
+
+	// Custom Cloudwatch auto scaling alarms, to be used as thresholds. This parameter takes a list of up to five alarm names, which are case sensitive and must be in the same region as the stack.
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	// The CPU utilization threshold, as a percent of the available CPU. A value of -1 disables the threshold.
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	// The amount of time (in minutes) after a scaling event occurs that AWS OpsWorks Stacks should ignore metrics and suppress additional scaling events.
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	// The number of instances to add or remove when the load exceeds a threshold.
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	// The load threshold. A value of -1 disables the threshold.
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	// The memory utilization threshold, as a percent of the available memory. A value of -1 disables the threshold.
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	// The amount of time, in minutes, that the load must exceed a threshold before more instances are added or removed.
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type DownscalingParameters struct {
@@ -188,6 +280,27 @@ type DownscalingParameters struct {
 }
 
 type EBSVolumeObservation struct {
+
+	// Encrypt the volume.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EBSVolumeParameters struct {
@@ -222,6 +335,15 @@ type EBSVolumeParameters struct {
 }
 
 type LoadBasedAutoScalingObservation struct {
+
+	// The downscaling settings, as defined below, used for load-based autoscaling
+	Downscaling []DownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	// Whether load-based auto scaling is enabled for the layer.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	// The upscaling settings, as defined below, used for load-based autoscaling
+	Upscaling []UpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type LoadBasedAutoScalingParameters struct {
@@ -240,6 +362,39 @@ type LoadBasedAutoScalingParameters struct {
 }
 
 type LogStreamsObservation struct {
+
+	// Specifies the max number of log events in a batch, up to 10000. The default value is 1000.
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	// Specifies the maximum size of log events in a batch, in bytes, up to 1048576 bytes. The default value is 32768 bytes.
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	// Specifies the time duration for the batching of log events. The minimum value is 5000 and default value is 5000.
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	// Specifies how the timestamp is extracted from logs. For more information, see the CloudWatch Logs Agent Reference (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html).
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	// Specifies the encoding of the log file so that the file can be read correctly. The default is utf_8.
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	// Specifies log files that you want to push to CloudWatch Logs. File can point to a specific file or multiple files (by using wild card characters such as /var/log/system.log*).
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	// Specifies the range of lines for identifying a file. The valid values are one number, or two dash-delimited numbers, such as 1, 2-5. The default value is 1.
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	// Specifies where to start to read data (start_of_file or end_of_file). The default is start_of_file.
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// Specifies the destination log group. A log group is created automatically if it doesn't already exist.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	// Specifies the pattern for identifying the start of a log message.
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	// Specifies the time zone of log event time stamps.
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type LogStreamsParameters struct {
@@ -290,6 +445,27 @@ type LogStreamsParameters struct {
 }
 
 type UpscalingObservation struct {
+
+	// Custom Cloudwatch auto scaling alarms, to be used as thresholds. This parameter takes a list of up to five alarm names, which are case sensitive and must be in the same region as the stack.
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	// The CPU utilization threshold, as a percent of the available CPU. A value of -1 disables the threshold.
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	// The amount of time (in minutes) after a scaling event occurs that AWS OpsWorks Stacks should ignore metrics and suppress additional scaling events.
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	// The number of instances to add or remove when the load exceeds a threshold.
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	// The load threshold. A value of -1 disables the threshold.
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	// The memory utilization threshold, as a percent of the available memory. A value of -1 disables the threshold.
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	// The amount of time, in minutes, that the load must exceed a threshold before more instances are added or removed.
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type UpscalingParameters struct {
@@ -347,8 +523,10 @@ type CustomLayerStatus struct {
 type CustomLayer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CustomLayerSpec   `json:"spec"`
-	Status            CustomLayerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.shortName)",message="shortName is a required parameter"
+	Spec   CustomLayerSpec   `json:"spec"`
+	Status CustomLayerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opsworks/v1beta1/zz_ecsclusterlayer_types.go b/apis/opsworks/v1beta1/zz_ecsclusterlayer_types.go
index 3c59feeaeb..4a3d324193 100755
--- a/apis/opsworks/v1beta1/zz_ecsclusterlayer_types.go
+++ b/apis/opsworks/v1beta1/zz_ecsclusterlayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type CloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type CloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type CloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type EcsClusterLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []CloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type EcsClusterLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type EcsClusterLayerCloudwatchConfigurationParameters struct {
 }
 
 type EcsClusterLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EcsClusterLayerEBSVolumeParameters struct {
@@ -99,6 +143,11 @@ type EcsClusterLayerEBSVolumeParameters struct {
 }
 
 type EcsClusterLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []LoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []LoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type EcsClusterLayerLoadBasedAutoScalingParameters struct {
@@ -118,10 +167,75 @@ type EcsClusterLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []EcsClusterLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []EcsClusterLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// The ECS Cluster ARN of the layer.
+	EcsClusterArn *string `json:"ecsClusterArn,omitempty" tf:"ecs_cluster_arn,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []EcsClusterLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type EcsClusterLayerParameters struct {
@@ -248,6 +362,19 @@ type EcsClusterLayerParameters struct {
 }
 
 type LoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type LoadBasedAutoScalingDownscalingParameters struct {
@@ -275,6 +402,19 @@ type LoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type LoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type LoadBasedAutoScalingUpscalingParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_ganglialayer_types.go b/apis/opsworks/v1beta1/zz_ganglialayer_types.go
index 169a4455db..0496c4a151 100755
--- a/apis/opsworks/v1beta1/zz_ganglialayer_types.go
+++ b/apis/opsworks/v1beta1/zz_ganglialayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type GangliaLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type GangliaLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type GangliaLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type GangliaLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []GangliaLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type GangliaLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type GangliaLayerCloudwatchConfigurationParameters struct {
 }
 
 type GangliaLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type GangliaLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type GangliaLayerEBSVolumeParameters struct {
 }
 
 type GangliaLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type GangliaLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type GangliaLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type GangliaLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []GangliaLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []GangliaLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type GangliaLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type GangliaLayerLoadBasedAutoScalingParameters struct {
 }
 
 type GangliaLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type GangliaLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -172,11 +247,82 @@ type GangliaLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []GangliaLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []GangliaLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []GangliaLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The password to use for Ganglia.
+	Password *string `json:"password,omitempty" tf:"password,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The URL path to use for Ganglia. Defaults to "/ganglia".
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
+
+	// (Optiona) The username to use for Ganglia. Defaults to "opsworks".
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type GangliaLayerParameters struct {
@@ -262,8 +408,8 @@ type GangliaLayerParameters struct {
 	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The password to use for Ganglia.
-	// +kubebuilder:validation:Required
-	Password *string `json:"password" tf:"password,omitempty"`
+	// +kubebuilder:validation:Optional
+	Password *string `json:"password,omitempty" tf:"password,omitempty"`
 
 	// ID of the stack the layer will belong to.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/opsworks/v1beta1.Stack
@@ -324,8 +470,9 @@ type GangliaLayerStatus struct {
 type GangliaLayer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GangliaLayerSpec   `json:"spec"`
-	Status            GangliaLayerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.password)",message="password is a required parameter"
+	Spec   GangliaLayerSpec   `json:"spec"`
+	Status GangliaLayerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opsworks/v1beta1/zz_generated.deepcopy.go b/apis/opsworks/v1beta1/zz_generated.deepcopy.go
index f42f037de1..4dec204af5 100644
--- a/apis/opsworks/v1beta1/zz_generated.deepcopy.go
+++ b/apis/opsworks/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,26 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppSourceObservation) DeepCopyInto(out *AppSourceObservation) {
 	*out = *in
+	if in.Revision != nil {
+		in, out := &in.Revision, &out.Revision
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppSourceObservation.
@@ -136,11 +156,108 @@ func (in *ApplicationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApplicationObservation) DeepCopyInto(out *ApplicationObservation) {
 	*out = *in
+	if in.AppSource != nil {
+		in, out := &in.AppSource, &out.AppSource
+		*out = make([]AppSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AutoBundleOnDeploy != nil {
+		in, out := &in.AutoBundleOnDeploy, &out.AutoBundleOnDeploy
+		*out = new(string)
+		**out = **in
+	}
+	if in.AwsFlowRubySettings != nil {
+		in, out := &in.AwsFlowRubySettings, &out.AwsFlowRubySettings
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSourceArn != nil {
+		in, out := &in.DataSourceArn, &out.DataSourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSourceDatabaseName != nil {
+		in, out := &in.DataSourceDatabaseName, &out.DataSourceDatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataSourceType != nil {
+		in, out := &in.DataSourceType, &out.DataSourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentRoot != nil {
+		in, out := &in.DocumentRoot, &out.DocumentRoot
+		*out = new(string)
+		**out = **in
+	}
+	if in.Domains != nil {
+		in, out := &in.Domains, &out.Domains
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.EnableSSL != nil {
+		in, out := &in.EnableSSL, &out.EnableSSL
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Environment != nil {
+		in, out := &in.Environment, &out.Environment
+		*out = make([]EnvironmentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RailsEnv != nil {
+		in, out := &in.RailsEnv, &out.RailsEnv
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSLConfiguration != nil {
+		in, out := &in.SSLConfiguration, &out.SSLConfiguration
+		*out = make([]SSLConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ShortName != nil {
+		in, out := &in.ShortName, &out.ShortName
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplicationObservation.
@@ -312,6 +429,61 @@ func (in *ApplicationStatus) DeepCopy() *ApplicationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *CloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchConfigurationLogStreamsObservation.
@@ -397,6 +569,18 @@ func (in *CloudwatchConfigurationLogStreamsParameters) DeepCopy() *CloudwatchCon
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchConfigurationObservation) DeepCopyInto(out *CloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]LogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchConfigurationObservation.
@@ -439,6 +623,26 @@ func (in *CloudwatchConfigurationParameters) DeepCopy() *CloudwatchConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomCookbooksSourceObservation) DeepCopyInto(out *CustomCookbooksSourceObservation) {
 	*out = *in
+	if in.Revision != nil {
+		in, out := &in.Revision, &out.Revision
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomCookbooksSourceObservation.
@@ -563,41 +767,6 @@ func (in *CustomLayerObservation) DeepCopyInto(out *CustomLayerObservation) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomLayerObservation.
-func (in *CustomLayerObservation) DeepCopy() *CustomLayerObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(CustomLayerObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
-	*out = *in
 	if in.AutoAssignElasticIps != nil {
 		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
 		*out = new(bool)
@@ -615,7 +784,7 @@ func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
 	}
 	if in.CloudwatchConfiguration != nil {
 		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
-		*out = make([]CloudwatchConfigurationParameters, len(*in))
+		*out = make([]CloudwatchConfigurationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -652,18 +821,6 @@ func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.CustomSecurityGroupIDRefs != nil {
-		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
-		*out = make([]v1.Reference, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.CustomSecurityGroupIDSelector != nil {
-		in, out := &in.CustomSecurityGroupIDSelector, &out.CustomSecurityGroupIDSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.CustomSecurityGroupIds != nil {
 		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
 		*out = make([]*string, len(*in))
@@ -715,7 +872,7 @@ func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
 	}
 	if in.EBSVolume != nil {
 		in, out := &in.EBSVolume, &out.EBSVolume
-		*out = make([]EBSVolumeParameters, len(*in))
+		*out = make([]EBSVolumeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -725,6 +882,11 @@ func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
 	if in.InstallUpdatesOnBoot != nil {
 		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
 		*out = new(bool)
@@ -737,7 +899,7 @@ func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
 	}
 	if in.LoadBasedAutoScaling != nil {
 		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
-		*out = make([]LoadBasedAutoScalingParameters, len(*in))
+		*out = make([]LoadBasedAutoScalingObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -757,7 +919,227 @@ func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.StackIDRef != nil {
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomLayerObservation.
+func (in *CustomLayerObservation) DeepCopy() *CustomLayerObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(CustomLayerObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *CustomLayerParameters) DeepCopyInto(out *CustomLayerParameters) {
+	*out = *in
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]CloudwatchConfigurationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIDRefs != nil {
+		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
+		*out = make([]v1.Reference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomSecurityGroupIDSelector != nil {
+		in, out := &in.CustomSecurityGroupIDSelector, &out.CustomSecurityGroupIDSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]EBSVolumeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]LoadBasedAutoScalingParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ShortName != nil {
+		in, out := &in.ShortName, &out.ShortName
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackIDRef != nil {
 		in, out := &in.StackIDRef, &out.StackIDRef
 		*out = new(v1.Reference)
 		(*in).DeepCopyInto(*out)
@@ -847,21 +1229,6 @@ func (in *CustomLayerStatus) DeepCopy() *CustomLayerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DownscalingObservation) DeepCopyInto(out *DownscalingObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownscalingObservation.
-func (in *DownscalingObservation) DeepCopy() *DownscalingObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(DownscalingObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *DownscalingParameters) DeepCopyInto(out *DownscalingParameters) {
-	*out = *in
 	if in.Alarms != nil {
 		in, out := &in.Alarms, &out.Alarms
 		*out = make([]*string, len(*in))
@@ -905,31 +1272,117 @@ func (in *DownscalingParameters) DeepCopyInto(out *DownscalingParameters) {
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownscalingParameters.
-func (in *DownscalingParameters) DeepCopy() *DownscalingParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownscalingObservation.
+func (in *DownscalingObservation) DeepCopy() *DownscalingObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(DownscalingParameters)
+	out := new(DownscalingObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EBSBlockDeviceObservation) DeepCopyInto(out *EBSBlockDeviceObservation) {
+func (in *DownscalingParameters) DeepCopyInto(out *DownscalingParameters) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSBlockDeviceObservation.
-func (in *EBSBlockDeviceObservation) DeepCopy() *EBSBlockDeviceObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(EBSBlockDeviceObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DownscalingParameters.
+func (in *DownscalingParameters) DeepCopy() *DownscalingParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(DownscalingParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EBSBlockDeviceObservation) DeepCopyInto(out *EBSBlockDeviceObservation) {
+	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SnapshotID != nil {
+		in, out := &in.SnapshotID, &out.SnapshotID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSBlockDeviceObservation.
+func (in *EBSBlockDeviceObservation) DeepCopy() *EBSBlockDeviceObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(EBSBlockDeviceObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSBlockDeviceParameters) DeepCopyInto(out *EBSBlockDeviceParameters) {
 	*out = *in
@@ -978,6 +1431,41 @@ func (in *EBSBlockDeviceParameters) DeepCopy() *EBSBlockDeviceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EBSVolumeObservation) DeepCopyInto(out *EBSVolumeObservation) {
 	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EBSVolumeObservation.
@@ -1070,6 +1558,18 @@ func (in *EcsClusterLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EcsClusterLayerCloudwatchConfigurationObservation) DeepCopyInto(out *EcsClusterLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]CloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsClusterLayerCloudwatchConfigurationObservation.
@@ -1112,6 +1612,41 @@ func (in *EcsClusterLayerCloudwatchConfigurationParameters) DeepCopy() *EcsClust
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EcsClusterLayerEBSVolumeObservation) DeepCopyInto(out *EcsClusterLayerEBSVolumeObservation) {
 	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsClusterLayerEBSVolumeObservation.
@@ -1209,6 +1744,25 @@ func (in *EcsClusterLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EcsClusterLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *EcsClusterLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]LoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]LoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsClusterLayerLoadBasedAutoScalingObservation.
@@ -1263,41 +1817,6 @@ func (in *EcsClusterLayerObservation) DeepCopyInto(out *EcsClusterLayerObservati
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsClusterLayerObservation.
-func (in *EcsClusterLayerObservation) DeepCopy() *EcsClusterLayerObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(EcsClusterLayerObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *EcsClusterLayerParameters) DeepCopyInto(out *EcsClusterLayerParameters) {
-	*out = *in
 	if in.AutoAssignElasticIps != nil {
 		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
 		*out = new(bool)
@@ -1315,7 +1834,7 @@ func (in *EcsClusterLayerParameters) DeepCopyInto(out *EcsClusterLayerParameters
 	}
 	if in.CloudwatchConfiguration != nil {
 		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
-		*out = make([]EcsClusterLayerCloudwatchConfigurationParameters, len(*in))
+		*out = make([]EcsClusterLayerCloudwatchConfigurationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1352,18 +1871,6 @@ func (in *EcsClusterLayerParameters) DeepCopyInto(out *EcsClusterLayerParameters
 		*out = new(string)
 		**out = **in
 	}
-	if in.CustomSecurityGroupIDRefs != nil {
-		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
-		*out = make([]v1.Reference, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.CustomSecurityGroupIDSelector != nil {
-		in, out := &in.CustomSecurityGroupIDSelector, &out.CustomSecurityGroupIDSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.CustomSecurityGroupIds != nil {
 		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
 		*out = make([]*string, len(*in))
@@ -1415,7 +1922,7 @@ func (in *EcsClusterLayerParameters) DeepCopyInto(out *EcsClusterLayerParameters
 	}
 	if in.EBSVolume != nil {
 		in, out := &in.EBSVolume, &out.EBSVolume
-		*out = make([]EcsClusterLayerEBSVolumeParameters, len(*in))
+		*out = make([]EcsClusterLayerEBSVolumeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -1425,22 +1932,247 @@ func (in *EcsClusterLayerParameters) DeepCopyInto(out *EcsClusterLayerParameters
 		*out = new(string)
 		**out = **in
 	}
-	if in.EcsClusterArnRef != nil {
-		in, out := &in.EcsClusterArnRef, &out.EcsClusterArnRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.EcsClusterArnSelector != nil {
-		in, out := &in.EcsClusterArnSelector, &out.EcsClusterArnSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.ElasticLoadBalancer != nil {
 		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
 		*out = new(string)
 		**out = **in
 	}
-	if in.InstallUpdatesOnBoot != nil {
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]EcsClusterLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsClusterLayerObservation.
+func (in *EcsClusterLayerObservation) DeepCopy() *EcsClusterLayerObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(EcsClusterLayerObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EcsClusterLayerParameters) DeepCopyInto(out *EcsClusterLayerParameters) {
+	*out = *in
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]EcsClusterLayerCloudwatchConfigurationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIDRefs != nil {
+		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
+		*out = make([]v1.Reference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomSecurityGroupIDSelector != nil {
+		in, out := &in.CustomSecurityGroupIDSelector, &out.CustomSecurityGroupIDSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]EcsClusterLayerEBSVolumeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EcsClusterArn != nil {
+		in, out := &in.EcsClusterArn, &out.EcsClusterArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EcsClusterArnRef != nil {
+		in, out := &in.EcsClusterArnRef, &out.EcsClusterArnRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.EcsClusterArnSelector != nil {
+		in, out := &in.EcsClusterArnSelector, &out.EcsClusterArnSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstallUpdatesOnBoot != nil {
 		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
 		*out = new(bool)
 		**out = **in
@@ -1557,6 +2289,21 @@ func (in *EcsClusterLayerStatus) DeepCopy() *EcsClusterLayerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EnvironmentObservation) DeepCopyInto(out *EnvironmentObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Secure != nil {
+		in, out := &in.Secure, &out.Secure
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvironmentObservation.
@@ -1602,12 +2349,22 @@ func (in *EnvironmentParameters) DeepCopy() *EnvironmentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EphemeralBlockDeviceObservation) DeepCopyInto(out *EphemeralBlockDeviceObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralBlockDeviceObservation.
-func (in *EphemeralBlockDeviceObservation) DeepCopy() *EphemeralBlockDeviceObservation {
-	if in == nil {
-		return nil
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.VirtualName != nil {
+		in, out := &in.VirtualName, &out.VirtualName
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EphemeralBlockDeviceObservation.
+func (in *EphemeralBlockDeviceObservation) DeepCopy() *EphemeralBlockDeviceObservation {
+	if in == nil {
+		return nil
 	}
 	out := new(EphemeralBlockDeviceObservation)
 	in.DeepCopyInto(out)
@@ -1669,6 +2426,61 @@ func (in *GangliaLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GangliaLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *GangliaLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerCloudwatchConfigurationLogStreamsObservation.
@@ -1754,6 +2566,18 @@ func (in *GangliaLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy() *G
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GangliaLayerCloudwatchConfigurationObservation) DeepCopyInto(out *GangliaLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]GangliaLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerCloudwatchConfigurationObservation.
@@ -1796,6 +2620,41 @@ func (in *GangliaLayerCloudwatchConfigurationParameters) DeepCopy() *GangliaLaye
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GangliaLayerEBSVolumeObservation) DeepCopyInto(out *GangliaLayerEBSVolumeObservation) {
 	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerEBSVolumeObservation.
@@ -1893,6 +2752,47 @@ func (in *GangliaLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GangliaLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *GangliaLayerLoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerLoadBasedAutoScalingDownscalingObservation.
@@ -1964,6 +2864,25 @@ func (in *GangliaLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *Gan
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GangliaLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *GangliaLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]GangliaLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]GangliaLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerLoadBasedAutoScalingObservation.
@@ -2013,6 +2932,47 @@ func (in *GangliaLayerLoadBasedAutoScalingParameters) DeepCopy() *GangliaLayerLo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GangliaLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *GangliaLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerLoadBasedAutoScalingUpscalingObservation.
@@ -2089,41 +3049,6 @@ func (in *GangliaLayerObservation) DeepCopyInto(out *GangliaLayerObservation) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerObservation.
-func (in *GangliaLayerObservation) DeepCopy() *GangliaLayerObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(GangliaLayerObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *GangliaLayerParameters) DeepCopyInto(out *GangliaLayerParameters) {
-	*out = *in
 	if in.AutoAssignElasticIps != nil {
 		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
 		*out = new(bool)
@@ -2141,7 +3066,7 @@ func (in *GangliaLayerParameters) DeepCopyInto(out *GangliaLayerParameters) {
 	}
 	if in.CloudwatchConfiguration != nil {
 		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
-		*out = make([]GangliaLayerCloudwatchConfigurationParameters, len(*in))
+		*out = make([]GangliaLayerCloudwatchConfigurationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -2178,10 +3103,233 @@ func (in *GangliaLayerParameters) DeepCopyInto(out *GangliaLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.CustomSecurityGroupIDRefs != nil {
-		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
-		*out = make([]v1.Reference, len(*in))
-		for i := range *in {
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]GangliaLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]GangliaLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Password != nil {
+		in, out := &in.Password, &out.Password
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GangliaLayerObservation.
+func (in *GangliaLayerObservation) DeepCopy() *GangliaLayerObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(GangliaLayerObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *GangliaLayerParameters) DeepCopyInto(out *GangliaLayerParameters) {
+	*out = *in
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]GangliaLayerCloudwatchConfigurationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIDRefs != nil {
+		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
+		*out = make([]v1.Reference, len(*in))
+		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
@@ -2410,21 +3558,6 @@ func (in *HAProxyLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HAProxyLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *HAProxyLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerCloudwatchConfigurationLogStreamsObservation.
-func (in *HAProxyLayerCloudwatchConfigurationLogStreamsObservation) DeepCopy() *HAProxyLayerCloudwatchConfigurationLogStreamsObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(HAProxyLayerCloudwatchConfigurationLogStreamsObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HAProxyLayerCloudwatchConfigurationLogStreamsParameters) DeepCopyInto(out *HAProxyLayerCloudwatchConfigurationLogStreamsParameters) {
-	*out = *in
 	if in.BatchCount != nil {
 		in, out := &in.BatchCount, &out.BatchCount
 		*out = new(float64)
@@ -2482,27 +3615,109 @@ func (in *HAProxyLayerCloudwatchConfigurationLogStreamsParameters) DeepCopyInto(
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerCloudwatchConfigurationLogStreamsParameters.
-func (in *HAProxyLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy() *HAProxyLayerCloudwatchConfigurationLogStreamsParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerCloudwatchConfigurationLogStreamsObservation.
+func (in *HAProxyLayerCloudwatchConfigurationLogStreamsObservation) DeepCopy() *HAProxyLayerCloudwatchConfigurationLogStreamsObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(HAProxyLayerCloudwatchConfigurationLogStreamsParameters)
+	out := new(HAProxyLayerCloudwatchConfigurationLogStreamsObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *HAProxyLayerCloudwatchConfigurationObservation) DeepCopyInto(out *HAProxyLayerCloudwatchConfigurationObservation) {
+func (in *HAProxyLayerCloudwatchConfigurationLogStreamsParameters) DeepCopyInto(out *HAProxyLayerCloudwatchConfigurationLogStreamsParameters) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerCloudwatchConfigurationObservation.
-func (in *HAProxyLayerCloudwatchConfigurationObservation) DeepCopy() *HAProxyLayerCloudwatchConfigurationObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(HAProxyLayerCloudwatchConfigurationObservation)
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerCloudwatchConfigurationLogStreamsParameters.
+func (in *HAProxyLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy() *HAProxyLayerCloudwatchConfigurationLogStreamsParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(HAProxyLayerCloudwatchConfigurationLogStreamsParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *HAProxyLayerCloudwatchConfigurationObservation) DeepCopyInto(out *HAProxyLayerCloudwatchConfigurationObservation) {
+	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]HAProxyLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerCloudwatchConfigurationObservation.
+func (in *HAProxyLayerCloudwatchConfigurationObservation) DeepCopy() *HAProxyLayerCloudwatchConfigurationObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(HAProxyLayerCloudwatchConfigurationObservation)
 	in.DeepCopyInto(out)
 	return out
 }
@@ -2537,6 +3752,41 @@ func (in *HAProxyLayerCloudwatchConfigurationParameters) DeepCopy() *HAProxyLaye
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HAProxyLayerEBSVolumeObservation) DeepCopyInto(out *HAProxyLayerEBSVolumeObservation) {
 	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerEBSVolumeObservation.
@@ -2634,6 +3884,47 @@ func (in *HAProxyLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HAProxyLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *HAProxyLayerLoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerLoadBasedAutoScalingDownscalingObservation.
@@ -2705,6 +3996,25 @@ func (in *HAProxyLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *HAP
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HAProxyLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *HAProxyLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]HAProxyLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]HAProxyLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerLoadBasedAutoScalingObservation.
@@ -2754,6 +4064,47 @@ func (in *HAProxyLayerLoadBasedAutoScalingParameters) DeepCopy() *HAProxyLayerLo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HAProxyLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *HAProxyLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerLoadBasedAutoScalingUpscalingObservation.
@@ -2830,26 +4181,229 @@ func (in *HAProxyLayerObservation) DeepCopyInto(out *HAProxyLayerObservation) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]HAProxyLayerCloudwatchConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]HAProxyLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
+		**out = **in
+	}
+	if in.HealthcheckMethod != nil {
+		in, out := &in.HealthcheckMethod, &out.HealthcheckMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.HealthcheckURL != nil {
+		in, out := &in.HealthcheckURL, &out.HealthcheckURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]HAProxyLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatsEnabled != nil {
+		in, out := &in.StatsEnabled, &out.StatsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StatsPassword != nil {
+		in, out := &in.StatsPassword, &out.StatsPassword
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatsURL != nil {
+		in, out := &in.StatsURL, &out.StatsURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatsUser != nil {
+		in, out := &in.StatsUser, &out.StatsUser
+		*out = new(string)
+		**out = **in
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HAProxyLayerObservation.
@@ -3198,62 +4752,172 @@ func (in *InstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 	*out = *in
-	if in.EC2InstanceID != nil {
-		in, out := &in.EC2InstanceID, &out.EC2InstanceID
+	if in.AMIID != nil {
+		in, out := &in.AMIID, &out.AMIID
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.AgentVersion != nil {
+		in, out := &in.AgentVersion, &out.AgentVersion
 		*out = new(string)
 		**out = **in
 	}
-	if in.LastServiceErrorID != nil {
-		in, out := &in.LastServiceErrorID, &out.LastServiceErrorID
+	if in.Architecture != nil {
+		in, out := &in.Architecture, &out.Architecture
 		*out = new(string)
 		**out = **in
 	}
-	if in.Platform != nil {
-		in, out := &in.Platform, &out.Platform
+	if in.AutoScalingType != nil {
+		in, out := &in.AutoScalingType, &out.AutoScalingType
 		*out = new(string)
 		**out = **in
 	}
-	if in.PrivateDNS != nil {
-		in, out := &in.PrivateDNS, &out.PrivateDNS
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
 		*out = new(string)
 		**out = **in
 	}
-	if in.PrivateIP != nil {
-		in, out := &in.PrivateIP, &out.PrivateIP
+	if in.CreatedAt != nil {
+		in, out := &in.CreatedAt, &out.CreatedAt
 		*out = new(string)
 		**out = **in
 	}
-	if in.PublicDNS != nil {
-		in, out := &in.PublicDNS, &out.PublicDNS
-		*out = new(string)
+	if in.DeleteEBS != nil {
+		in, out := &in.DeleteEBS, &out.DeleteEBS
+		*out = new(bool)
 		**out = **in
 	}
-	if in.PublicIP != nil {
-		in, out := &in.PublicIP, &out.PublicIP
-		*out = new(string)
+	if in.DeleteEIP != nil {
+		in, out := &in.DeleteEIP, &out.DeleteEIP
+		*out = new(bool)
 		**out = **in
 	}
-	if in.RegisteredBy != nil {
-		in, out := &in.RegisteredBy, &out.RegisteredBy
-		*out = new(string)
+	if in.EBSBlockDevice != nil {
+		in, out := &in.EBSBlockDevice, &out.EBSBlockDevice
+		*out = make([]EBSBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EBSOptimized != nil {
+		in, out := &in.EBSOptimized, &out.EBSOptimized
+		*out = new(bool)
 		**out = **in
 	}
-	if in.ReportedAgentVersion != nil {
-		in, out := &in.ReportedAgentVersion, &out.ReportedAgentVersion
+	if in.EC2InstanceID != nil {
+		in, out := &in.EC2InstanceID, &out.EC2InstanceID
 		*out = new(string)
 		**out = **in
 	}
-	if in.ReportedOsFamily != nil {
-		in, out := &in.ReportedOsFamily, &out.ReportedOsFamily
+	if in.EcsClusterArn != nil {
+		in, out := &in.EcsClusterArn, &out.EcsClusterArn
 		*out = new(string)
 		**out = **in
 	}
-	if in.ReportedOsName != nil {
+	if in.ElasticIP != nil {
+		in, out := &in.ElasticIP, &out.ElasticIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.EphemeralBlockDevice != nil {
+		in, out := &in.EphemeralBlockDevice, &out.EphemeralBlockDevice
+		*out = make([]EphemeralBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Hostname != nil {
+		in, out := &in.Hostname, &out.Hostname
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.InfrastructureClass != nil {
+		in, out := &in.InfrastructureClass, &out.InfrastructureClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceProfileArn != nil {
+		in, out := &in.InstanceProfileArn, &out.InstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LastServiceErrorID != nil {
+		in, out := &in.LastServiceErrorID, &out.LastServiceErrorID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LayerIds != nil {
+		in, out := &in.LayerIds, &out.LayerIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Os != nil {
+		in, out := &in.Os, &out.Os
+		*out = new(string)
+		**out = **in
+	}
+	if in.Platform != nil {
+		in, out := &in.Platform, &out.Platform
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateDNS != nil {
+		in, out := &in.PrivateDNS, &out.PrivateDNS
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrivateIP != nil {
+		in, out := &in.PrivateIP, &out.PrivateIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicDNS != nil {
+		in, out := &in.PublicDNS, &out.PublicDNS
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicIP != nil {
+		in, out := &in.PublicIP, &out.PublicIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegisteredBy != nil {
+		in, out := &in.RegisteredBy, &out.RegisteredBy
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReportedAgentVersion != nil {
+		in, out := &in.ReportedAgentVersion, &out.ReportedAgentVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReportedOsFamily != nil {
+		in, out := &in.ReportedOsFamily, &out.ReportedOsFamily
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReportedOsName != nil {
 		in, out := &in.ReportedOsName, &out.ReportedOsName
 		*out = new(string)
 		**out = **in
@@ -3263,6 +4927,18 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.RootBlockDevice != nil {
+		in, out := &in.RootBlockDevice, &out.RootBlockDevice
+		*out = make([]RootBlockDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RootDeviceType != nil {
+		in, out := &in.RootDeviceType, &out.RootDeviceType
+		*out = new(string)
+		**out = **in
+	}
 	if in.RootDeviceVolumeID != nil {
 		in, out := &in.RootDeviceVolumeID, &out.RootDeviceVolumeID
 		*out = new(string)
@@ -3278,6 +4954,52 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SSHKeyName != nil {
+		in, out := &in.SSHKeyName, &out.SSHKeyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tenancy != nil {
+		in, out := &in.Tenancy, &out.Tenancy
+		*out = new(string)
+		**out = **in
+	}
+	if in.VirtualizationType != nil {
+		in, out := &in.VirtualizationType, &out.VirtualizationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceObservation.
@@ -3581,6 +5303,61 @@ func (in *JavaAppLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JavaAppLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *JavaAppLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerCloudwatchConfigurationLogStreamsObservation.
@@ -3666,6 +5443,18 @@ func (in *JavaAppLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy() *J
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JavaAppLayerCloudwatchConfigurationObservation) DeepCopyInto(out *JavaAppLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]JavaAppLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerCloudwatchConfigurationObservation.
@@ -3708,21 +5497,6 @@ func (in *JavaAppLayerCloudwatchConfigurationParameters) DeepCopy() *JavaAppLaye
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JavaAppLayerEBSVolumeObservation) DeepCopyInto(out *JavaAppLayerEBSVolumeObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerEBSVolumeObservation.
-func (in *JavaAppLayerEBSVolumeObservation) DeepCopy() *JavaAppLayerEBSVolumeObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(JavaAppLayerEBSVolumeObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *JavaAppLayerEBSVolumeParameters) DeepCopyInto(out *JavaAppLayerEBSVolumeParameters) {
-	*out = *in
 	if in.Encrypted != nil {
 		in, out := &in.Encrypted, &out.Encrypted
 		*out = new(bool)
@@ -3760,26 +5534,76 @@ func (in *JavaAppLayerEBSVolumeParameters) DeepCopyInto(out *JavaAppLayerEBSVolu
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerEBSVolumeParameters.
-func (in *JavaAppLayerEBSVolumeParameters) DeepCopy() *JavaAppLayerEBSVolumeParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerEBSVolumeObservation.
+func (in *JavaAppLayerEBSVolumeObservation) DeepCopy() *JavaAppLayerEBSVolumeObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(JavaAppLayerEBSVolumeParameters)
+	out := new(JavaAppLayerEBSVolumeObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *JavaAppLayerList) DeepCopyInto(out *JavaAppLayerList) {
+func (in *JavaAppLayerEBSVolumeParameters) DeepCopyInto(out *JavaAppLayerEBSVolumeParameters) {
 	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]JavaAppLayer, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerEBSVolumeParameters.
+func (in *JavaAppLayerEBSVolumeParameters) DeepCopy() *JavaAppLayerEBSVolumeParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(JavaAppLayerEBSVolumeParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JavaAppLayerList) DeepCopyInto(out *JavaAppLayerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]JavaAppLayer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
@@ -3805,6 +5629,47 @@ func (in *JavaAppLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JavaAppLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *JavaAppLayerLoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerLoadBasedAutoScalingDownscalingObservation.
@@ -3876,6 +5741,25 @@ func (in *JavaAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *Jav
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JavaAppLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *JavaAppLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]JavaAppLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]JavaAppLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerLoadBasedAutoScalingObservation.
@@ -3925,6 +5809,47 @@ func (in *JavaAppLayerLoadBasedAutoScalingParameters) DeepCopy() *JavaAppLayerLo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JavaAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *JavaAppLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerLoadBasedAutoScalingUpscalingObservation.
@@ -3995,46 +5920,6 @@ func (in *JavaAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *JavaA
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JavaAppLayerObservation) DeepCopyInto(out *JavaAppLayerObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
-		*out = new(string)
-		**out = **in
-	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerObservation.
-func (in *JavaAppLayerObservation) DeepCopy() *JavaAppLayerObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(JavaAppLayerObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 	*out = *in
 	if in.AppServer != nil {
 		in, out := &in.AppServer, &out.AppServer
@@ -4046,6 +5931,11 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
 	if in.AutoAssignElasticIps != nil {
 		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
 		*out = new(bool)
@@ -4063,7 +5953,7 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 	}
 	if in.CloudwatchConfiguration != nil {
 		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
-		*out = make([]JavaAppLayerCloudwatchConfigurationParameters, len(*in))
+		*out = make([]JavaAppLayerCloudwatchConfigurationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -4100,18 +5990,6 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.CustomSecurityGroupIDRefs != nil {
-		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
-		*out = make([]v1.Reference, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-	if in.CustomSecurityGroupIDSelector != nil {
-		in, out := &in.CustomSecurityGroupIDSelector, &out.CustomSecurityGroupIDSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.CustomSecurityGroupIds != nil {
 		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
 		*out = make([]*string, len(*in))
@@ -4163,7 +6041,7 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 	}
 	if in.EBSVolume != nil {
 		in, out := &in.EBSVolume, &out.EBSVolume
-		*out = make([]JavaAppLayerEBSVolumeParameters, len(*in))
+		*out = make([]JavaAppLayerEBSVolumeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -4173,6 +6051,11 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
 	if in.InstallUpdatesOnBoot != nil {
 		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
 		*out = new(bool)
@@ -4200,7 +6083,7 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 	}
 	if in.LoadBasedAutoScaling != nil {
 		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
-		*out = make([]JavaAppLayerLoadBasedAutoScalingParameters, len(*in))
+		*out = make([]JavaAppLayerLoadBasedAutoScalingObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
@@ -4215,16 +6098,6 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.StackIDRef != nil {
-		in, out := &in.StackIDRef, &out.StackIDRef
-		*out = new(v1.Reference)
-		(*in).DeepCopyInto(*out)
-	}
-	if in.StackIDSelector != nil {
-		in, out := &in.StackIDSelector, &out.StackIDSelector
-		*out = new(v1.Selector)
-		(*in).DeepCopyInto(*out)
-	}
 	if in.SystemPackages != nil {
 		in, out := &in.SystemPackages, &out.SystemPackages
 		*out = make([]*string, len(*in))
@@ -4251,6 +6124,21 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.UseEBSOptimizedInstances != nil {
 		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
 		*out = new(bool)
@@ -4258,21 +6146,256 @@ func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerParameters.
-func (in *JavaAppLayerParameters) DeepCopy() *JavaAppLayerParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerObservation.
+func (in *JavaAppLayerObservation) DeepCopy() *JavaAppLayerObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(JavaAppLayerParameters)
+	out := new(JavaAppLayerObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *JavaAppLayerSpec) DeepCopyInto(out *JavaAppLayerSpec) {
+func (in *JavaAppLayerParameters) DeepCopyInto(out *JavaAppLayerParameters) {
 	*out = *in
-	in.ResourceSpec.DeepCopyInto(&out.ResourceSpec)
-	in.ForProvider.DeepCopyInto(&out.ForProvider)
+	if in.AppServer != nil {
+		in, out := &in.AppServer, &out.AppServer
+		*out = new(string)
+		**out = **in
+	}
+	if in.AppServerVersion != nil {
+		in, out := &in.AppServerVersion, &out.AppServerVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]JavaAppLayerCloudwatchConfigurationParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIDRefs != nil {
+		in, out := &in.CustomSecurityGroupIDRefs, &out.CustomSecurityGroupIDRefs
+		*out = make([]v1.Reference, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomSecurityGroupIDSelector != nil {
+		in, out := &in.CustomSecurityGroupIDSelector, &out.CustomSecurityGroupIDSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]JavaAppLayerEBSVolumeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.JvmOptions != nil {
+		in, out := &in.JvmOptions, &out.JvmOptions
+		*out = new(string)
+		**out = **in
+	}
+	if in.JvmType != nil {
+		in, out := &in.JvmType, &out.JvmType
+		*out = new(string)
+		**out = **in
+	}
+	if in.JvmVersion != nil {
+		in, out := &in.JvmVersion, &out.JvmVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]JavaAppLayerLoadBasedAutoScalingParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackIDRef != nil {
+		in, out := &in.StackIDRef, &out.StackIDRef
+		*out = new(v1.Reference)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.StackIDSelector != nil {
+		in, out := &in.StackIDSelector, &out.StackIDSelector
+		*out = new(v1.Selector)
+		(*in).DeepCopyInto(*out)
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerParameters.
+func (in *JavaAppLayerParameters) DeepCopy() *JavaAppLayerParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(JavaAppLayerParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *JavaAppLayerSpec) DeepCopyInto(out *JavaAppLayerSpec) {
+	*out = *in
+	in.ResourceSpec.DeepCopyInto(&out.ResourceSpec)
+	in.ForProvider.DeepCopyInto(&out.ForProvider)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JavaAppLayerSpec.
@@ -4305,6 +6428,47 @@ func (in *JavaAppLayerStatus) DeepCopy() *JavaAppLayerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *LoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBasedAutoScalingDownscalingObservation.
@@ -4376,6 +6540,25 @@ func (in *LoadBasedAutoScalingDownscalingParameters) DeepCopy() *LoadBasedAutoSc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoadBasedAutoScalingObservation) DeepCopyInto(out *LoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]DownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]UpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBasedAutoScalingObservation.
@@ -4425,6 +6608,47 @@ func (in *LoadBasedAutoScalingParameters) DeepCopy() *LoadBasedAutoScalingParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *LoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoadBasedAutoScalingUpscalingObservation.
@@ -4496,6 +6720,61 @@ func (in *LoadBasedAutoScalingUpscalingParameters) DeepCopy() *LoadBasedAutoScal
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LogStreamsObservation) DeepCopyInto(out *LogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LogStreamsObservation.
@@ -4608,6 +6887,61 @@ func (in *MemcachedLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemcachedLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *MemcachedLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerCloudwatchConfigurationLogStreamsObservation.
@@ -4693,6 +7027,18 @@ func (in *MemcachedLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemcachedLayerCloudwatchConfigurationObservation) DeepCopyInto(out *MemcachedLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]MemcachedLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerCloudwatchConfigurationObservation.
@@ -4727,14 +7073,49 @@ func (in *MemcachedLayerCloudwatchConfigurationParameters) DeepCopy() *Memcached
 	if in == nil {
 		return nil
 	}
-	out := new(MemcachedLayerCloudwatchConfigurationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MemcachedLayerEBSVolumeObservation) DeepCopyInto(out *MemcachedLayerEBSVolumeObservation) {
-	*out = *in
+	out := new(MemcachedLayerCloudwatchConfigurationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MemcachedLayerEBSVolumeObservation) DeepCopyInto(out *MemcachedLayerEBSVolumeObservation) {
+	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerEBSVolumeObservation.
@@ -4832,6 +7213,47 @@ func (in *MemcachedLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemcachedLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *MemcachedLayerLoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerLoadBasedAutoScalingDownscalingObservation.
@@ -4903,6 +7325,25 @@ func (in *MemcachedLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *M
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemcachedLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *MemcachedLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]MemcachedLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]MemcachedLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerLoadBasedAutoScalingObservation.
@@ -4952,6 +7393,47 @@ func (in *MemcachedLayerLoadBasedAutoScalingParameters) DeepCopy() *MemcachedLay
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemcachedLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *MemcachedLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerLoadBasedAutoScalingUpscalingObservation.
@@ -4978,61 +7460,234 @@ func (in *MemcachedLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(ou
 			}
 		}
 	}
-	if in.CPUThreshold != nil {
-		in, out := &in.CPUThreshold, &out.CPUThreshold
-		*out = new(float64)
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerLoadBasedAutoScalingUpscalingParameters.
+func (in *MemcachedLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *MemcachedLayerLoadBasedAutoScalingUpscalingParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(MemcachedLayerLoadBasedAutoScalingUpscalingParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MemcachedLayerObservation) DeepCopyInto(out *MemcachedLayerObservation) {
+	*out = *in
+	if in.AllocatedMemory != nil {
+		in, out := &in.AllocatedMemory, &out.AllocatedMemory
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]MemcachedLayerCloudwatchConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
 		**out = **in
 	}
-	if in.IgnoreMetricsTime != nil {
-		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
-		*out = new(float64)
-		**out = **in
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]MemcachedLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.InstanceCount != nil {
-		in, out := &in.InstanceCount, &out.InstanceCount
-		*out = new(float64)
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
 		**out = **in
 	}
-	if in.LoadThreshold != nil {
-		in, out := &in.LoadThreshold, &out.LoadThreshold
-		*out = new(float64)
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
 		**out = **in
 	}
-	if in.MemoryThreshold != nil {
-		in, out := &in.MemoryThreshold, &out.MemoryThreshold
-		*out = new(float64)
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
 		**out = **in
 	}
-	if in.ThresholdsWaitTime != nil {
-		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
 		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerLoadBasedAutoScalingUpscalingParameters.
-func (in *MemcachedLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *MemcachedLayerLoadBasedAutoScalingUpscalingParameters {
-	if in == nil {
-		return nil
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]MemcachedLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(MemcachedLayerLoadBasedAutoScalingUpscalingParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MemcachedLayerObservation) DeepCopyInto(out *MemcachedLayerObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5048,6 +7703,11 @@ func (in *MemcachedLayerObservation) DeepCopyInto(out *MemcachedLayerObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemcachedLayerObservation.
@@ -5339,6 +7999,61 @@ func (in *MySQLLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MySQLLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *MySQLLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerCloudwatchConfigurationLogStreamsObservation.
@@ -5424,6 +8139,18 @@ func (in *MySQLLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy() *MyS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MySQLLayerCloudwatchConfigurationObservation) DeepCopyInto(out *MySQLLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]MySQLLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerCloudwatchConfigurationObservation.
@@ -5466,6 +8193,41 @@ func (in *MySQLLayerCloudwatchConfigurationParameters) DeepCopy() *MySQLLayerClo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MySQLLayerEBSVolumeObservation) DeepCopyInto(out *MySQLLayerEBSVolumeObservation) {
 	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerEBSVolumeObservation.
@@ -5540,29 +8302,70 @@ func (in *MySQLLayerList) DeepCopyInto(out *MySQLLayerList) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerList.
-func (in *MySQLLayerList) DeepCopy() *MySQLLayerList {
-	if in == nil {
-		return nil
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerList.
+func (in *MySQLLayerList) DeepCopy() *MySQLLayerList {
+	if in == nil {
+		return nil
+	}
+	out := new(MySQLLayerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *MySQLLayerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MySQLLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *MySQLLayerLoadBasedAutoScalingDownscalingObservation) {
+	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(MySQLLayerList)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *MySQLLayerList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *MySQLLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *MySQLLayerLoadBasedAutoScalingDownscalingObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerLoadBasedAutoScalingDownscalingObservation.
@@ -5634,6 +8437,25 @@ func (in *MySQLLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *MySQL
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MySQLLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *MySQLLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]MySQLLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]MySQLLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerLoadBasedAutoScalingObservation.
@@ -5683,6 +8505,47 @@ func (in *MySQLLayerLoadBasedAutoScalingParameters) DeepCopy() *MySQLLayerLoadBa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MySQLLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *MySQLLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerLoadBasedAutoScalingUpscalingObservation.
@@ -5759,11 +8622,189 @@ func (in *MySQLLayerObservation) DeepCopyInto(out *MySQLLayerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]MySQLLayerCloudwatchConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]MySQLLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]MySQLLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootPassword != nil {
+		in, out := &in.RootPassword, &out.RootPassword
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootPasswordOnAllInstances != nil {
+		in, out := &in.RootPasswordOnAllInstances, &out.RootPasswordOnAllInstances
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5779,6 +8820,11 @@ func (in *MySQLLayerObservation) DeepCopyInto(out *MySQLLayerObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MySQLLayerObservation.
@@ -6075,6 +9121,61 @@ func (in *NodeJSAppLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeJSAppLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *NodeJSAppLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerCloudwatchConfigurationLogStreamsObservation.
@@ -6160,6 +9261,18 @@ func (in *NodeJSAppLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NodeJSAppLayerCloudwatchConfigurationObservation) DeepCopyInto(out *NodeJSAppLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]NodeJSAppLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerCloudwatchConfigurationObservation.
@@ -6194,125 +9307,325 @@ func (in *NodeJSAppLayerCloudwatchConfigurationParameters) DeepCopy() *NodeJSApp
 	if in == nil {
 		return nil
 	}
-	out := new(NodeJSAppLayerCloudwatchConfigurationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerEBSVolumeObservation) DeepCopyInto(out *NodeJSAppLayerEBSVolumeObservation) {
-	*out = *in
+	out := new(NodeJSAppLayerCloudwatchConfigurationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeJSAppLayerEBSVolumeObservation) DeepCopyInto(out *NodeJSAppLayerEBSVolumeObservation) {
+	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerEBSVolumeObservation.
+func (in *NodeJSAppLayerEBSVolumeObservation) DeepCopy() *NodeJSAppLayerEBSVolumeObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeJSAppLayerEBSVolumeObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeJSAppLayerEBSVolumeParameters) DeepCopyInto(out *NodeJSAppLayerEBSVolumeParameters) {
+	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerEBSVolumeParameters.
+func (in *NodeJSAppLayerEBSVolumeParameters) DeepCopy() *NodeJSAppLayerEBSVolumeParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeJSAppLayerEBSVolumeParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeJSAppLayerList) DeepCopyInto(out *NodeJSAppLayerList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]NodeJSAppLayer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerList.
+func (in *NodeJSAppLayerList) DeepCopy() *NodeJSAppLayerList {
+	if in == nil {
+		return nil
+	}
+	out := new(NodeJSAppLayerList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *NodeJSAppLayerList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation) {
+	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerEBSVolumeObservation.
-func (in *NodeJSAppLayerEBSVolumeObservation) DeepCopy() *NodeJSAppLayerEBSVolumeObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation.
+func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(NodeJSAppLayerEBSVolumeObservation)
+	out := new(NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerEBSVolumeParameters) DeepCopyInto(out *NodeJSAppLayerEBSVolumeParameters) {
+func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters) {
 	*out = *in
-	if in.Encrypted != nil {
-		in, out := &in.Encrypted, &out.Encrypted
-		*out = new(bool)
-		**out = **in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
 	}
-	if in.Iops != nil {
-		in, out := &in.Iops, &out.Iops
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
 		*out = new(float64)
 		**out = **in
 	}
-	if in.MountPoint != nil {
-		in, out := &in.MountPoint, &out.MountPoint
-		*out = new(string)
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
 		**out = **in
 	}
-	if in.NumberOfDisks != nil {
-		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
 		*out = new(float64)
 		**out = **in
 	}
-	if in.RaidLevel != nil {
-		in, out := &in.RaidLevel, &out.RaidLevel
-		*out = new(string)
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
 		**out = **in
 	}
-	if in.Size != nil {
-		in, out := &in.Size, &out.Size
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
 		*out = new(float64)
 		**out = **in
 	}
-	if in.Type != nil {
-		in, out := &in.Type, &out.Type
-		*out = new(string)
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerEBSVolumeParameters.
-func (in *NodeJSAppLayerEBSVolumeParameters) DeepCopy() *NodeJSAppLayerEBSVolumeParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters.
+func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(NodeJSAppLayerEBSVolumeParameters)
+	out := new(NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerList) DeepCopyInto(out *NodeJSAppLayerList) {
+func (in *NodeJSAppLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingObservation) {
 	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]NodeJSAppLayer, len(*in))
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerList.
-func (in *NodeJSAppLayerList) DeepCopy() *NodeJSAppLayerList {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingObservation.
+func (in *NodeJSAppLayerLoadBasedAutoScalingObservation) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(NodeJSAppLayerList)
+	out := new(NodeJSAppLayerLoadBasedAutoScalingObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *NodeJSAppLayerList) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation) {
+func (in *NodeJSAppLayerLoadBasedAutoScalingParameters) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingParameters) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation.
-func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingParameters.
+func (in *NodeJSAppLayerLoadBasedAutoScalingParameters) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation)
+	out := new(NodeJSAppLayerLoadBasedAutoScalingParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters) {
+func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
 	if in.Alarms != nil {
 		in, out := &in.Alarms, &out.Alarms
@@ -6357,85 +9670,169 @@ func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopyInto(
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters.
-func (in *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation.
+func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters)
+	out := new(NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingObservation) {
+func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingObservation.
-func (in *NodeJSAppLayerLoadBasedAutoScalingObservation) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingObservation {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters.
+func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters {
 	if in == nil {
 		return nil
 	}
-	out := new(NodeJSAppLayerLoadBasedAutoScalingObservation)
+	out := new(NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters)
 	in.DeepCopyInto(out)
 	return out
 }
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerLoadBasedAutoScalingParameters) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingParameters) {
+func (in *NodeJSAppLayerObservation) DeepCopyInto(out *NodeJSAppLayerObservation) {
 	*out = *in
-	if in.Downscaling != nil {
-		in, out := &in.Downscaling, &out.Downscaling
-		*out = make([]NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters, len(*in))
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]NodeJSAppLayerCloudwatchConfigurationObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.Enable != nil {
-		in, out := &in.Enable, &out.Enable
-		*out = new(bool)
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
 		**out = **in
 	}
-	if in.Upscaling != nil {
-		in, out := &in.Upscaling, &out.Upscaling
-		*out = make([]NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters, len(*in))
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
 		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingParameters.
-func (in *NodeJSAppLayerLoadBasedAutoScalingParameters) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(NodeJSAppLayerLoadBasedAutoScalingParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation.
-func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation {
-	if in == nil {
-		return nil
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
 	}
-	out := new(NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters) {
-	*out = *in
-	if in.Alarms != nil {
-		in, out := &in.Alarms, &out.Alarms
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
 		*out = make([]*string, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
@@ -6445,61 +9842,86 @@ func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(ou
 			}
 		}
 	}
-	if in.CPUThreshold != nil {
-		in, out := &in.CPUThreshold, &out.CPUThreshold
-		*out = new(float64)
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
 		**out = **in
 	}
-	if in.IgnoreMetricsTime != nil {
-		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
-		*out = new(float64)
-		**out = **in
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]NodeJSAppLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.InstanceCount != nil {
-		in, out := &in.InstanceCount, &out.InstanceCount
-		*out = new(float64)
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
 		**out = **in
 	}
-	if in.LoadThreshold != nil {
-		in, out := &in.LoadThreshold, &out.LoadThreshold
-		*out = new(float64)
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
 		**out = **in
 	}
-	if in.MemoryThreshold != nil {
-		in, out := &in.MemoryThreshold, &out.MemoryThreshold
-		*out = new(float64)
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
 		**out = **in
 	}
-	if in.ThresholdsWaitTime != nil {
-		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
 		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters.
-func (in *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters {
-	if in == nil {
-		return nil
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]NodeJSAppLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *NodeJSAppLayerObservation) DeepCopyInto(out *NodeJSAppLayerObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.NodeJSVersion != nil {
+		in, out := &in.NodeJSVersion, &out.NodeJSVersion
 		*out = new(string)
 		**out = **in
 	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -6515,6 +9937,11 @@ func (in *NodeJSAppLayerObservation) DeepCopyInto(out *NodeJSAppLayerObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeJSAppLayerObservation.
@@ -6806,6 +10233,61 @@ func (in *PHPAppLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PHPAppLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *PHPAppLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerCloudwatchConfigurationLogStreamsObservation.
@@ -6891,6 +10373,18 @@ func (in *PHPAppLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy() *PH
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PHPAppLayerCloudwatchConfigurationObservation) DeepCopyInto(out *PHPAppLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]PHPAppLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerCloudwatchConfigurationObservation.
@@ -6925,14 +10419,49 @@ func (in *PHPAppLayerCloudwatchConfigurationParameters) DeepCopy() *PHPAppLayerC
 	if in == nil {
 		return nil
 	}
-	out := new(PHPAppLayerCloudwatchConfigurationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PHPAppLayerEBSVolumeObservation) DeepCopyInto(out *PHPAppLayerEBSVolumeObservation) {
-	*out = *in
+	out := new(PHPAppLayerCloudwatchConfigurationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PHPAppLayerEBSVolumeObservation) DeepCopyInto(out *PHPAppLayerEBSVolumeObservation) {
+	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerEBSVolumeObservation.
@@ -7030,6 +10559,47 @@ func (in *PHPAppLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PHPAppLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *PHPAppLayerLoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerLoadBasedAutoScalingDownscalingObservation.
@@ -7101,6 +10671,25 @@ func (in *PHPAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *PHPA
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PHPAppLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *PHPAppLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]PHPAppLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]PHPAppLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerLoadBasedAutoScalingObservation.
@@ -7150,6 +10739,47 @@ func (in *PHPAppLayerLoadBasedAutoScalingParameters) DeepCopy() *PHPAppLayerLoad
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PHPAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *PHPAppLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerLoadBasedAutoScalingUpscalingObservation.
@@ -7157,16 +10787,153 @@ func (in *PHPAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopy() *PHPAp
 	if in == nil {
 		return nil
 	}
-	out := new(PHPAppLayerLoadBasedAutoScalingUpscalingObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PHPAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out *PHPAppLayerLoadBasedAutoScalingUpscalingParameters) {
-	*out = *in
-	if in.Alarms != nil {
-		in, out := &in.Alarms, &out.Alarms
+	out := new(PHPAppLayerLoadBasedAutoScalingUpscalingObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PHPAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out *PHPAppLayerLoadBasedAutoScalingUpscalingParameters) {
+	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerLoadBasedAutoScalingUpscalingParameters.
+func (in *PHPAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *PHPAppLayerLoadBasedAutoScalingUpscalingParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(PHPAppLayerLoadBasedAutoScalingUpscalingParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PHPAppLayerObservation) DeepCopyInto(out *PHPAppLayerObservation) {
+	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]PHPAppLayerCloudwatchConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
 		*out = make([]*string, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
@@ -7176,61 +10943,92 @@ func (in *PHPAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out *
 			}
 		}
 	}
-	if in.CPUThreshold != nil {
-		in, out := &in.CPUThreshold, &out.CPUThreshold
-		*out = new(float64)
-		**out = **in
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
 	}
-	if in.IgnoreMetricsTime != nil {
-		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
-		*out = new(float64)
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
 		**out = **in
 	}
-	if in.InstanceCount != nil {
-		in, out := &in.InstanceCount, &out.InstanceCount
-		*out = new(float64)
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]PHPAppLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
 		**out = **in
 	}
-	if in.LoadThreshold != nil {
-		in, out := &in.LoadThreshold, &out.LoadThreshold
-		*out = new(float64)
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
 		**out = **in
 	}
-	if in.MemoryThreshold != nil {
-		in, out := &in.MemoryThreshold, &out.MemoryThreshold
-		*out = new(float64)
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
 		**out = **in
 	}
-	if in.ThresholdsWaitTime != nil {
-		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
 		*out = new(float64)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerLoadBasedAutoScalingUpscalingParameters.
-func (in *PHPAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *PHPAppLayerLoadBasedAutoScalingUpscalingParameters {
-	if in == nil {
-		return nil
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]PHPAppLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	out := new(PHPAppLayerLoadBasedAutoScalingUpscalingParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PHPAppLayerObservation) DeepCopyInto(out *PHPAppLayerObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -7246,6 +11044,11 @@ func (in *PHPAppLayerObservation) DeepCopyInto(out *PHPAppLayerObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PHPAppLayerObservation.
@@ -7564,11 +11367,36 @@ func (in *PermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PermissionObservation) DeepCopyInto(out *PermissionObservation) {
 	*out = *in
+	if in.AllowSSH != nil {
+		in, out := &in.AllowSSH, &out.AllowSSH
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AllowSudo != nil {
+		in, out := &in.AllowSudo, &out.AllowSudo
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Level != nil {
+		in, out := &in.Level, &out.Level
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserArn != nil {
+		in, out := &in.UserArn, &out.UserArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionObservation.
@@ -7737,11 +11565,26 @@ func (in *RDSDBInstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RDSDBInstanceObservation) DeepCopyInto(out *RDSDBInstanceObservation) {
 	*out = *in
+	if in.DBUser != nil {
+		in, out := &in.DBUser, &out.DBUser
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RDSDBInstanceArn != nil {
+		in, out := &in.RDSDBInstanceArn, &out.RDSDBInstanceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RDSDBInstanceObservation.
@@ -7869,6 +11712,61 @@ func (in *RailsAppLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RailsAppLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *RailsAppLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerCloudwatchConfigurationLogStreamsObservation.
@@ -7954,6 +11852,18 @@ func (in *RailsAppLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy() *
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RailsAppLayerCloudwatchConfigurationObservation) DeepCopyInto(out *RailsAppLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]RailsAppLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerCloudwatchConfigurationObservation.
@@ -7996,6 +11906,41 @@ func (in *RailsAppLayerCloudwatchConfigurationParameters) DeepCopy() *RailsAppLa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RailsAppLayerEBSVolumeObservation) DeepCopyInto(out *RailsAppLayerEBSVolumeObservation) {
 	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerEBSVolumeObservation.
@@ -8093,6 +12038,47 @@ func (in *RailsAppLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RailsAppLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *RailsAppLayerLoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerLoadBasedAutoScalingDownscalingObservation.
@@ -8164,6 +12150,25 @@ func (in *RailsAppLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *Ra
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RailsAppLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *RailsAppLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]RailsAppLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]RailsAppLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerLoadBasedAutoScalingObservation.
@@ -8213,6 +12218,47 @@ func (in *RailsAppLayerLoadBasedAutoScalingParameters) DeepCopy() *RailsAppLayer
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RailsAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *RailsAppLayerLoadBasedAutoScalingUpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerLoadBasedAutoScalingUpscalingObservation.
@@ -8220,16 +12266,163 @@ func (in *RailsAppLayerLoadBasedAutoScalingUpscalingObservation) DeepCopy() *Rai
 	if in == nil {
 		return nil
 	}
-	out := new(RailsAppLayerLoadBasedAutoScalingUpscalingObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RailsAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out *RailsAppLayerLoadBasedAutoScalingUpscalingParameters) {
-	*out = *in
-	if in.Alarms != nil {
-		in, out := &in.Alarms, &out.Alarms
+	out := new(RailsAppLayerLoadBasedAutoScalingUpscalingObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RailsAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out *RailsAppLayerLoadBasedAutoScalingUpscalingParameters) {
+	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerLoadBasedAutoScalingUpscalingParameters.
+func (in *RailsAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *RailsAppLayerLoadBasedAutoScalingUpscalingParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(RailsAppLayerLoadBasedAutoScalingUpscalingParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RailsAppLayerObservation) DeepCopyInto(out *RailsAppLayerObservation) {
+	*out = *in
+	if in.AppServer != nil {
+		in, out := &in.AppServer, &out.AppServer
+		*out = new(string)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BundlerVersion != nil {
+		in, out := &in.BundlerVersion, &out.BundlerVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]RailsAppLayerCloudwatchConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
 		*out = make([]*string, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
@@ -8239,61 +12432,112 @@ func (in *RailsAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopyInto(out
 			}
 		}
 	}
-	if in.CPUThreshold != nil {
-		in, out := &in.CPUThreshold, &out.CPUThreshold
-		*out = new(float64)
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
 		**out = **in
 	}
-	if in.IgnoreMetricsTime != nil {
-		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
-		*out = new(float64)
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]RailsAppLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
 		**out = **in
 	}
-	if in.InstanceCount != nil {
-		in, out := &in.InstanceCount, &out.InstanceCount
-		*out = new(float64)
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
 		**out = **in
 	}
-	if in.LoadThreshold != nil {
-		in, out := &in.LoadThreshold, &out.LoadThreshold
-		*out = new(float64)
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
 		**out = **in
 	}
-	if in.MemoryThreshold != nil {
-		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
 		*out = new(float64)
 		**out = **in
 	}
-	if in.ThresholdsWaitTime != nil {
-		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
-		*out = new(float64)
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]RailsAppLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ManageBundler != nil {
+		in, out := &in.ManageBundler, &out.ManageBundler
+		*out = new(bool)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerLoadBasedAutoScalingUpscalingParameters.
-func (in *RailsAppLayerLoadBasedAutoScalingUpscalingParameters) DeepCopy() *RailsAppLayerLoadBasedAutoScalingUpscalingParameters {
-	if in == nil {
-		return nil
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
 	}
-	out := new(RailsAppLayerLoadBasedAutoScalingUpscalingParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RailsAppLayerObservation) DeepCopyInto(out *RailsAppLayerObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	if in.PassengerVersion != nil {
+		in, out := &in.PassengerVersion, &out.PassengerVersion
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.RubyVersion != nil {
+		in, out := &in.RubyVersion, &out.RubyVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.RubygemsVersion != nil {
+		in, out := &in.RubygemsVersion, &out.RubygemsVersion
 		*out = new(string)
 		**out = **in
 	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -8309,6 +12553,11 @@ func (in *RailsAppLayerObservation) DeepCopyInto(out *RailsAppLayerObservation)
 			(*out)[key] = outVal
 		}
 	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RailsAppLayerObservation.
@@ -8598,6 +12847,26 @@ func (in *RailsAppLayerStatus) DeepCopy() *RailsAppLayerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RootBlockDeviceObservation) DeepCopyInto(out *RootBlockDeviceObservation) {
 	*out = *in
+	if in.DeleteOnTermination != nil {
+		in, out := &in.DeleteOnTermination, &out.DeleteOnTermination
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VolumeType != nil {
+		in, out := &in.VolumeType, &out.VolumeType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RootBlockDeviceObservation.
@@ -8648,6 +12917,16 @@ func (in *RootBlockDeviceParameters) DeepCopy() *RootBlockDeviceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SSLConfigurationObservation) DeepCopyInto(out *SSLConfigurationObservation) {
 	*out = *in
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = new(string)
+		**out = **in
+	}
+	if in.Chain != nil {
+		in, out := &in.Chain, &out.Chain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSLConfigurationObservation.
@@ -8748,13 +13027,105 @@ func (in *StackList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 	*out = *in
+	if in.AgentVersion != nil {
+		in, out := &in.AgentVersion, &out.AgentVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.BerkshelfVersion != nil {
+		in, out := &in.BerkshelfVersion, &out.BerkshelfVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Color != nil {
+		in, out := &in.Color, &out.Color
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConfigurationManagerName != nil {
+		in, out := &in.ConfigurationManagerName, &out.ConfigurationManagerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ConfigurationManagerVersion != nil {
+		in, out := &in.ConfigurationManagerVersion, &out.ConfigurationManagerVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomCookbooksSource != nil {
+		in, out := &in.CustomCookbooksSource, &out.CustomCookbooksSource
+		*out = make([]CustomCookbooksSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultAvailabilityZone != nil {
+		in, out := &in.DefaultAvailabilityZone, &out.DefaultAvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultInstanceProfileArn != nil {
+		in, out := &in.DefaultInstanceProfileArn, &out.DefaultInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultOs != nil {
+		in, out := &in.DefaultOs, &out.DefaultOs
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultRootDeviceType != nil {
+		in, out := &in.DefaultRootDeviceType, &out.DefaultRootDeviceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultSSHKeyName != nil {
+		in, out := &in.DefaultSSHKeyName, &out.DefaultSSHKeyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultSubnetID != nil {
+		in, out := &in.DefaultSubnetID, &out.DefaultSubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostnameTheme != nil {
+		in, out := &in.HostnameTheme, &out.HostnameTheme
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ManageBerkshelf != nil {
+		in, out := &in.ManageBerkshelf, &out.ManageBerkshelf
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceRoleArn != nil {
+		in, out := &in.ServiceRoleArn, &out.ServiceRoleArn
 		*out = new(string)
 		**out = **in
 	}
@@ -8763,6 +13134,21 @@ func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -8778,6 +13164,21 @@ func (in *StackObservation) DeepCopyInto(out *StackObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UseCustomCookbooks != nil {
+		in, out := &in.UseCustomCookbooks, &out.UseCustomCookbooks
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UseOpsworksSecurityGroups != nil {
+		in, out := &in.UseOpsworksSecurityGroups, &out.UseOpsworksSecurityGroups
+		*out = new(bool)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StackObservation.
@@ -9031,6 +13432,61 @@ func (in *StaticWebLayer) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StaticWebLayerCloudwatchConfigurationLogStreamsObservation) DeepCopyInto(out *StaticWebLayerCloudwatchConfigurationLogStreamsObservation) {
 	*out = *in
+	if in.BatchCount != nil {
+		in, out := &in.BatchCount, &out.BatchCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BatchSize != nil {
+		in, out := &in.BatchSize, &out.BatchSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BufferDuration != nil {
+		in, out := &in.BufferDuration, &out.BufferDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DatetimeFormat != nil {
+		in, out := &in.DatetimeFormat, &out.DatetimeFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.File != nil {
+		in, out := &in.File, &out.File
+		*out = new(string)
+		**out = **in
+	}
+	if in.FileFingerprintLines != nil {
+		in, out := &in.FileFingerprintLines, &out.FileFingerprintLines
+		*out = new(string)
+		**out = **in
+	}
+	if in.InitialPosition != nil {
+		in, out := &in.InitialPosition, &out.InitialPosition
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogGroupName != nil {
+		in, out := &in.LogGroupName, &out.LogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultilineStartPattern != nil {
+		in, out := &in.MultilineStartPattern, &out.MultilineStartPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeZone != nil {
+		in, out := &in.TimeZone, &out.TimeZone
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerCloudwatchConfigurationLogStreamsObservation.
@@ -9116,6 +13572,18 @@ func (in *StaticWebLayerCloudwatchConfigurationLogStreamsParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StaticWebLayerCloudwatchConfigurationObservation) DeepCopyInto(out *StaticWebLayerCloudwatchConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogStreams != nil {
+		in, out := &in.LogStreams, &out.LogStreams
+		*out = make([]StaticWebLayerCloudwatchConfigurationLogStreamsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerCloudwatchConfigurationObservation.
@@ -9158,6 +13626,41 @@ func (in *StaticWebLayerCloudwatchConfigurationParameters) DeepCopy() *StaticWeb
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StaticWebLayerEBSVolumeObservation) DeepCopyInto(out *StaticWebLayerEBSVolumeObservation) {
 	*out = *in
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPoint != nil {
+		in, out := &in.MountPoint, &out.MountPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfDisks != nil {
+		in, out := &in.NumberOfDisks, &out.NumberOfDisks
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RaidLevel != nil {
+		in, out := &in.RaidLevel, &out.RaidLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerEBSVolumeObservation.
@@ -9255,6 +13758,47 @@ func (in *StaticWebLayerList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StaticWebLayerLoadBasedAutoScalingDownscalingObservation) DeepCopyInto(out *StaticWebLayerLoadBasedAutoScalingDownscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerLoadBasedAutoScalingDownscalingObservation.
@@ -9326,6 +13870,25 @@ func (in *StaticWebLayerLoadBasedAutoScalingDownscalingParameters) DeepCopy() *S
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StaticWebLayerLoadBasedAutoScalingObservation) DeepCopyInto(out *StaticWebLayerLoadBasedAutoScalingObservation) {
 	*out = *in
+	if in.Downscaling != nil {
+		in, out := &in.Downscaling, &out.Downscaling
+		*out = make([]StaticWebLayerLoadBasedAutoScalingDownscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]StaticWebLayerLoadBasedAutoScalingUpscalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerLoadBasedAutoScalingObservation.
@@ -9353,28 +13916,69 @@ func (in *StaticWebLayerLoadBasedAutoScalingParameters) DeepCopyInto(out *Static
 		*out = new(bool)
 		**out = **in
 	}
-	if in.Upscaling != nil {
-		in, out := &in.Upscaling, &out.Upscaling
-		*out = make([]StaticWebLayerLoadBasedAutoScalingUpscalingParameters, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerLoadBasedAutoScalingParameters.
-func (in *StaticWebLayerLoadBasedAutoScalingParameters) DeepCopy() *StaticWebLayerLoadBasedAutoScalingParameters {
-	if in == nil {
-		return nil
+	if in.Upscaling != nil {
+		in, out := &in.Upscaling, &out.Upscaling
+		*out = make([]StaticWebLayerLoadBasedAutoScalingUpscalingParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerLoadBasedAutoScalingParameters.
+func (in *StaticWebLayerLoadBasedAutoScalingParameters) DeepCopy() *StaticWebLayerLoadBasedAutoScalingParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(StaticWebLayerLoadBasedAutoScalingParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *StaticWebLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *StaticWebLayerLoadBasedAutoScalingUpscalingObservation) {
+	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
 	}
-	out := new(StaticWebLayerLoadBasedAutoScalingParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *StaticWebLayerLoadBasedAutoScalingUpscalingObservation) DeepCopyInto(out *StaticWebLayerLoadBasedAutoScalingUpscalingObservation) {
-	*out = *in
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerLoadBasedAutoScalingUpscalingObservation.
@@ -9451,11 +14055,179 @@ func (in *StaticWebLayerObservation) DeepCopyInto(out *StaticWebLayerObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoAssignElasticIps != nil {
+		in, out := &in.AutoAssignElasticIps, &out.AutoAssignElasticIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoAssignPublicIps != nil {
+		in, out := &in.AutoAssignPublicIps, &out.AutoAssignPublicIps
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AutoHealing != nil {
+		in, out := &in.AutoHealing, &out.AutoHealing
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CloudwatchConfiguration != nil {
+		in, out := &in.CloudwatchConfiguration, &out.CloudwatchConfiguration
+		*out = make([]StaticWebLayerCloudwatchConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomConfigureRecipes != nil {
+		in, out := &in.CustomConfigureRecipes, &out.CustomConfigureRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomDeployRecipes != nil {
+		in, out := &in.CustomDeployRecipes, &out.CustomDeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomInstanceProfileArn != nil {
+		in, out := &in.CustomInstanceProfileArn, &out.CustomInstanceProfileArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomJSON != nil {
+		in, out := &in.CustomJSON, &out.CustomJSON
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomSecurityGroupIds != nil {
+		in, out := &in.CustomSecurityGroupIds, &out.CustomSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomSetupRecipes != nil {
+		in, out := &in.CustomSetupRecipes, &out.CustomSetupRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomShutdownRecipes != nil {
+		in, out := &in.CustomShutdownRecipes, &out.CustomShutdownRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CustomUndeployRecipes != nil {
+		in, out := &in.CustomUndeployRecipes, &out.CustomUndeployRecipes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.DrainELBOnShutdown != nil {
+		in, out := &in.DrainELBOnShutdown, &out.DrainELBOnShutdown
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EBSVolume != nil {
+		in, out := &in.EBSVolume, &out.EBSVolume
+		*out = make([]StaticWebLayerEBSVolumeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ElasticLoadBalancer != nil {
+		in, out := &in.ElasticLoadBalancer, &out.ElasticLoadBalancer
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstallUpdatesOnBoot != nil {
+		in, out := &in.InstallUpdatesOnBoot, &out.InstallUpdatesOnBoot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InstanceShutdownTimeout != nil {
+		in, out := &in.InstanceShutdownTimeout, &out.InstanceShutdownTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadBasedAutoScaling != nil {
+		in, out := &in.LoadBasedAutoScaling, &out.LoadBasedAutoScaling
+		*out = make([]StaticWebLayerLoadBasedAutoScalingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StackID != nil {
+		in, out := &in.StackID, &out.StackID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SystemPackages != nil {
+		in, out := &in.SystemPackages, &out.SystemPackages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -9471,6 +14243,11 @@ func (in *StaticWebLayerObservation) DeepCopyInto(out *StaticWebLayerObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.UseEBSOptimizedInstances != nil {
+		in, out := &in.UseEBSOptimizedInstances, &out.UseEBSOptimizedInstances
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StaticWebLayerObservation.
@@ -9730,6 +14507,47 @@ func (in *StaticWebLayerStatus) DeepCopy() *StaticWebLayerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UpscalingObservation) DeepCopyInto(out *UpscalingObservation) {
 	*out = *in
+	if in.Alarms != nil {
+		in, out := &in.Alarms, &out.Alarms
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CPUThreshold != nil {
+		in, out := &in.CPUThreshold, &out.CPUThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.IgnoreMetricsTime != nil {
+		in, out := &in.IgnoreMetricsTime, &out.IgnoreMetricsTime
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceCount != nil {
+		in, out := &in.InstanceCount, &out.InstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.LoadThreshold != nil {
+		in, out := &in.LoadThreshold, &out.LoadThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryThreshold != nil {
+		in, out := &in.MemoryThreshold, &out.MemoryThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ThresholdsWaitTime != nil {
+		in, out := &in.ThresholdsWaitTime, &out.ThresholdsWaitTime
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpscalingObservation.
@@ -9860,11 +14678,31 @@ func (in *UserProfileList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserProfileObservation) DeepCopyInto(out *UserProfileObservation) {
 	*out = *in
+	if in.AllowSelfManagement != nil {
+		in, out := &in.AllowSelfManagement, &out.AllowSelfManagement
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SSHPublicKey != nil {
+		in, out := &in.SSHPublicKey, &out.SSHPublicKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.SSHUsername != nil {
+		in, out := &in.SSHUsername, &out.SSHUsername
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserArn != nil {
+		in, out := &in.UserArn, &out.UserArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserProfileObservation.
diff --git a/apis/opsworks/v1beta1/zz_haproxylayer_types.go b/apis/opsworks/v1beta1/zz_haproxylayer_types.go
index c4b869ba91..ebd122490a 100755
--- a/apis/opsworks/v1beta1/zz_haproxylayer_types.go
+++ b/apis/opsworks/v1beta1/zz_haproxylayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type HAProxyLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type HAProxyLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type HAProxyLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type HAProxyLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []HAProxyLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type HAProxyLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type HAProxyLayerCloudwatchConfigurationParameters struct {
 }
 
 type HAProxyLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type HAProxyLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type HAProxyLayerEBSVolumeParameters struct {
 }
 
 type HAProxyLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type HAProxyLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type HAProxyLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type HAProxyLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []HAProxyLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []HAProxyLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type HAProxyLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type HAProxyLayerLoadBasedAutoScalingParameters struct {
 }
 
 type HAProxyLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type HAProxyLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -172,11 +247,91 @@ type HAProxyLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []HAProxyLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []HAProxyLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
+	// HTTP method to use for instance healthchecks. Defaults to "OPTIONS".
+	HealthcheckMethod *string `json:"healthcheckMethod,omitempty" tf:"healthcheck_method,omitempty"`
+
+	// URL path to use for instance healthchecks. Defaults to "/".
+	HealthcheckURL *string `json:"healthcheckUrl,omitempty" tf:"healthcheck_url,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []HAProxyLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Whether to enable HAProxy stats.
+	StatsEnabled *bool `json:"statsEnabled,omitempty" tf:"stats_enabled,omitempty"`
+
+	// The password to use for HAProxy stats.
+	StatsPassword *string `json:"statsPassword,omitempty" tf:"stats_password,omitempty"`
+
+	// The HAProxy stats URL. Defaults to "/haproxy?stats".
+	StatsURL *string `json:"statsUrl,omitempty" tf:"stats_url,omitempty"`
+
+	// The username for HAProxy stats. Defaults to "opsworks".
+	StatsUser *string `json:"statsUser,omitempty" tf:"stats_user,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type HAProxyLayerParameters struct {
@@ -288,8 +443,8 @@ type HAProxyLayerParameters struct {
 	StatsEnabled *bool `json:"statsEnabled,omitempty" tf:"stats_enabled,omitempty"`
 
 	// The password to use for HAProxy stats.
-	// +kubebuilder:validation:Required
-	StatsPassword *string `json:"statsPassword" tf:"stats_password,omitempty"`
+	// +kubebuilder:validation:Optional
+	StatsPassword *string `json:"statsPassword,omitempty" tf:"stats_password,omitempty"`
 
 	// The HAProxy stats URL. Defaults to "/haproxy?stats".
 	// +kubebuilder:validation:Optional
@@ -336,8 +491,9 @@ type HAProxyLayerStatus struct {
 type HAProxyLayer struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HAProxyLayerSpec   `json:"spec"`
-	Status            HAProxyLayerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statsPassword)",message="statsPassword is a required parameter"
+	Spec   HAProxyLayerSpec   `json:"spec"`
+	Status HAProxyLayerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opsworks/v1beta1/zz_instance_types.go b/apis/opsworks/v1beta1/zz_instance_types.go
index e54a9beded..28eb896e74 100755
--- a/apis/opsworks/v1beta1/zz_instance_types.go
+++ b/apis/opsworks/v1beta1/zz_instance_types.go
@@ -14,6 +14,24 @@ import (
 )
 
 type EBSBlockDeviceObservation struct {
+
+	// Whether the volume should be destroyed on instance termination. Default is true.
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Name of the device to mount.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Amount of provisioned IOPS. This must be set with a volume_type of io1.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Snapshot ID to mount.
+	SnapshotID *string `json:"snapshotId,omitempty" tf:"snapshot_id,omitempty"`
+
+	// Size of the volume in gigabytes.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of volume. Valid values are standard, gp2, or io1. Default is standard.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type EBSBlockDeviceParameters struct {
@@ -44,6 +62,12 @@ type EBSBlockDeviceParameters struct {
 }
 
 type EphemeralBlockDeviceObservation struct {
+
+	// Name of the block device to mount on the instance.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// The Instance Store Device Name (e.g., ephemeral0).
+	VirtualName *string `json:"virtualName,omitempty" tf:"virtual_name,omitempty"`
 }
 
 type EphemeralBlockDeviceParameters struct {
@@ -59,15 +83,75 @@ type EphemeralBlockDeviceParameters struct {
 
 type InstanceObservation struct {
 
+	// AMI to use for the instance.  If an AMI is specified, os must be Custom.
+	AMIID *string `json:"amiId,omitempty" tf:"ami_id,omitempty"`
+
+	// OpsWorks agent to install. Default is INHERIT.
+	AgentVersion *string `json:"agentVersion,omitempty" tf:"agent_version,omitempty"`
+
+	// Machine architecture for created instances.  Valid values are x86_64 or i386. The default is x86_64.
+	Architecture *string `json:"architecture,omitempty" tf:"architecture,omitempty"`
+
+	// Creates load-based or time-based instances.  Valid values are load, timer.
+	AutoScalingType *string `json:"autoScalingType,omitempty" tf:"auto_scaling_type,omitempty"`
+
+	// Name of the availability zone where instances will be created by default.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// Time that the instance was created.
+	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
+
+	// Whether to delete EBS volume on deletion. Default is true.
+	DeleteEBS *bool `json:"deleteEbs,omitempty" tf:"delete_ebs,omitempty"`
+
+	// Whether to delete the Elastic IP on deletion.
+	DeleteEIP *bool `json:"deleteEip,omitempty" tf:"delete_eip,omitempty"`
+
+	// Configuration block for additional EBS block devices to attach to the instance. See Block Devices below.
+	EBSBlockDevice []EBSBlockDeviceObservation `json:"ebsBlockDevice,omitempty" tf:"ebs_block_device,omitempty"`
+
+	// Whether the launched EC2 instance will be EBS-optimized.
+	EBSOptimized *bool `json:"ebsOptimized,omitempty" tf:"ebs_optimized,omitempty"`
+
 	// EC2 instance ID.
 	EC2InstanceID *string `json:"ec2InstanceId,omitempty" tf:"ec2_instance_id,omitempty"`
 
+	// ECS cluster's ARN for container instances.
+	EcsClusterArn *string `json:"ecsClusterArn,omitempty" tf:"ecs_cluster_arn,omitempty"`
+
+	// Instance Elastic IP address.
+	ElasticIP *string `json:"elasticIp,omitempty" tf:"elastic_ip,omitempty"`
+
+	// Configuration block for ephemeral (also known as "Instance Store") volumes on the instance. See Block Devices below.
+	EphemeralBlockDevice []EphemeralBlockDeviceObservation `json:"ephemeralBlockDevice,omitempty" tf:"ephemeral_block_device,omitempty"`
+
+	// Instance's host name.
+	Hostname *string `json:"hostname,omitempty" tf:"hostname,omitempty"`
+
 	// ID of the OpsWorks instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// For registered instances, infrastructure class: ec2 or on-premises.
+	InfrastructureClass *string `json:"infrastructureClass,omitempty" tf:"infrastructure_class,omitempty"`
+
+	// Controls where to install OS and package updates when the instance boots.  Default is true.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// ARN of the instance's IAM profile.
+	InstanceProfileArn *string `json:"instanceProfileArn,omitempty" tf:"instance_profile_arn,omitempty"`
+
+	// Type of instance to start.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
 	// ID of the last service error.
 	LastServiceErrorID *string `json:"lastServiceErrorId,omitempty" tf:"last_service_error_id,omitempty"`
 
+	// List of the layers the instance will belong to.
+	LayerIds []*string `json:"layerIds,omitempty" tf:"layer_ids,omitempty"`
+
+	// Name of operating system that will be installed.
+	Os *string `json:"os,omitempty" tf:"os,omitempty"`
+
 	// Instance's platform.
 	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
 
@@ -98,6 +182,12 @@ type InstanceObservation struct {
 	// For registered instances, the reported operating system version.
 	ReportedOsVersion *string `json:"reportedOsVersion,omitempty" tf:"reported_os_version,omitempty"`
 
+	// Configuration block for the root block device of the instance. See Block Devices below.
+	RootBlockDevice []RootBlockDeviceObservation `json:"rootBlockDevice,omitempty" tf:"root_block_device,omitempty"`
+
+	// Name of the type of root device instances will have by default. Valid values are ebs or instance-store.
+	RootDeviceType *string `json:"rootDeviceType,omitempty" tf:"root_device_type,omitempty"`
+
 	// Root device volume ID.
 	RootDeviceVolumeID *string `json:"rootDeviceVolumeId,omitempty" tf:"root_device_volume_id,omitempty"`
 
@@ -106,6 +196,30 @@ type InstanceObservation struct {
 
 	// SSH key's RSA fingerprint.
 	SSHHostRsaKeyFingerprint *string `json:"sshHostRsaKeyFingerprint,omitempty" tf:"ssh_host_rsa_key_fingerprint,omitempty"`
+
+	// Name of the SSH keypair that instances will have by default.
+	SSHKeyName *string `json:"sshKeyName,omitempty" tf:"ssh_key_name,omitempty"`
+
+	// Associated security groups.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Identifier of the stack the instance will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Desired state of the instance. Valid values are running or stopped.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
+
+	// Instance status. Will be one of booting, connection_lost, online, pending, rebooting, requested, running_setup, setup_failed, shutting_down, start_failed, stop_failed, stopped, stopping, terminated, or terminating.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Subnet ID to attach to.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Instance tenancy to use. Valid values are default, dedicated or host.
+	Tenancy *string `json:"tenancy,omitempty" tf:"tenancy,omitempty"`
+
+	// Keyword to choose what virtualization mode created instances will use. Valid values are paravirtual or hvm.
+	VirtualizationType *string `json:"virtualizationType,omitempty" tf:"virtualization_type,omitempty"`
 }
 
 type InstanceParameters struct {
@@ -271,6 +385,18 @@ type InstanceParameters struct {
 }
 
 type RootBlockDeviceObservation struct {
+
+	// Whether the volume should be destroyed on instance termination. Default is true.
+	DeleteOnTermination *bool `json:"deleteOnTermination,omitempty" tf:"delete_on_termination,omitempty"`
+
+	// Amount of provisioned IOPS. This must be set with a volume_type of io1.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// Size of the volume in gigabytes.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
+
+	// Type of volume. Valid values are standard, gp2, or io1. Default is standard.
+	VolumeType *string `json:"volumeType,omitempty" tf:"volume_type,omitempty"`
 }
 
 type RootBlockDeviceParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_javaapplayer_types.go b/apis/opsworks/v1beta1/zz_javaapplayer_types.go
index a037d1bce3..9914be80bb 100755
--- a/apis/opsworks/v1beta1/zz_javaapplayer_types.go
+++ b/apis/opsworks/v1beta1/zz_javaapplayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type JavaAppLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type JavaAppLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type JavaAppLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type JavaAppLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []JavaAppLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type JavaAppLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type JavaAppLayerCloudwatchConfigurationParameters struct {
 }
 
 type JavaAppLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type JavaAppLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type JavaAppLayerEBSVolumeParameters struct {
 }
 
 type JavaAppLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type JavaAppLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type JavaAppLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type JavaAppLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []JavaAppLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []JavaAppLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type JavaAppLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type JavaAppLayerLoadBasedAutoScalingParameters struct {
 }
 
 type JavaAppLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type JavaAppLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -169,14 +244,91 @@ type JavaAppLayerLoadBasedAutoScalingUpscalingParameters struct {
 
 type JavaAppLayerObservation struct {
 
+	// Keyword for the application container to use. Defaults to "tomcat".
+	AppServer *string `json:"appServer,omitempty" tf:"app_server,omitempty"`
+
+	// Version of the selected application container to use. Defaults to "7".
+	AppServerVersion *string `json:"appServerVersion,omitempty" tf:"app_server_version,omitempty"`
+
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []JavaAppLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []JavaAppLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	// Options to set for the JVM.
+	JvmOptions *string `json:"jvmOptions,omitempty" tf:"jvm_options,omitempty"`
+
+	// Keyword for the type of JVM to use. Defaults to openjdk.
+	JvmType *string `json:"jvmType,omitempty" tf:"jvm_type,omitempty"`
+
+	// Version of JVM to use. Defaults to "7".
+	JvmVersion *string `json:"jvmVersion,omitempty" tf:"jvm_version,omitempty"`
+
+	LoadBasedAutoScaling []JavaAppLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type JavaAppLayerParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_memcachedlayer_types.go b/apis/opsworks/v1beta1/zz_memcachedlayer_types.go
index 054375f0d1..a87279a476 100755
--- a/apis/opsworks/v1beta1/zz_memcachedlayer_types.go
+++ b/apis/opsworks/v1beta1/zz_memcachedlayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type MemcachedLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type MemcachedLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type MemcachedLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type MemcachedLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []MemcachedLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type MemcachedLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type MemcachedLayerCloudwatchConfigurationParameters struct {
 }
 
 type MemcachedLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type MemcachedLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type MemcachedLayerEBSVolumeParameters struct {
 }
 
 type MemcachedLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type MemcachedLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type MemcachedLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type MemcachedLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []MemcachedLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []MemcachedLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type MemcachedLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type MemcachedLayerLoadBasedAutoScalingParameters struct {
 }
 
 type MemcachedLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type MemcachedLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -169,14 +244,79 @@ type MemcachedLayerLoadBasedAutoScalingUpscalingParameters struct {
 
 type MemcachedLayerObservation struct {
 
+	// Amount of memory to allocate for the cache on each instance, in megabytes. Defaults to 512MB.
+	AllocatedMemory *float64 `json:"allocatedMemory,omitempty" tf:"allocated_memory,omitempty"`
+
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []MemcachedLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []MemcachedLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []MemcachedLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type MemcachedLayerParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_mysqllayer_types.go b/apis/opsworks/v1beta1/zz_mysqllayer_types.go
index 07d982ab4f..561414db2d 100755
--- a/apis/opsworks/v1beta1/zz_mysqllayer_types.go
+++ b/apis/opsworks/v1beta1/zz_mysqllayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type MySQLLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type MySQLLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type MySQLLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type MySQLLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []MySQLLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type MySQLLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type MySQLLayerCloudwatchConfigurationParameters struct {
 }
 
 type MySQLLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type MySQLLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type MySQLLayerEBSVolumeParameters struct {
 }
 
 type MySQLLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type MySQLLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type MySQLLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type MySQLLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []MySQLLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []MySQLLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type MySQLLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type MySQLLayerLoadBasedAutoScalingParameters struct {
 }
 
 type MySQLLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type MySQLLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -172,11 +247,79 @@ type MySQLLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []MySQLLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []MySQLLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []MySQLLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Root password to use for MySQL.
+	RootPassword *string `json:"rootPassword,omitempty" tf:"root_password,omitempty"`
+
+	// Whether to set the root user password to all instances in the stack so they can access the instances in this layer.
+	RootPasswordOnAllInstances *bool `json:"rootPasswordOnAllInstances,omitempty" tf:"root_password_on_all_instances,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type MySQLLayerParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_nodejsapplayer_types.go b/apis/opsworks/v1beta1/zz_nodejsapplayer_types.go
index 384de371a3..b6b58c225b 100755
--- a/apis/opsworks/v1beta1/zz_nodejsapplayer_types.go
+++ b/apis/opsworks/v1beta1/zz_nodejsapplayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type NodeJSAppLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type NodeJSAppLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type NodeJSAppLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type NodeJSAppLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []NodeJSAppLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type NodeJSAppLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type NodeJSAppLayerCloudwatchConfigurationParameters struct {
 }
 
 type NodeJSAppLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type NodeJSAppLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type NodeJSAppLayerEBSVolumeParameters struct {
 }
 
 type NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type NodeJSAppLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type NodeJSAppLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []NodeJSAppLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type NodeJSAppLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type NodeJSAppLayerLoadBasedAutoScalingParameters struct {
 }
 
 type NodeJSAppLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type NodeJSAppLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -172,11 +247,76 @@ type NodeJSAppLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []NodeJSAppLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []NodeJSAppLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []NodeJSAppLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The version of NodeJS to use. Defaults to "0.10.38".
+	NodeJSVersion *string `json:"nodejsVersion,omitempty" tf:"nodejs_version,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type NodeJSAppLayerParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_permission_types.go b/apis/opsworks/v1beta1/zz_permission_types.go
index bf282174c5..3091e748e8 100755
--- a/apis/opsworks/v1beta1/zz_permission_types.go
+++ b/apis/opsworks/v1beta1/zz_permission_types.go
@@ -15,8 +15,23 @@ import (
 
 type PermissionObservation struct {
 
+	// Whether the user is allowed to use SSH to communicate with the instance
+	AllowSSH *bool `json:"allowSsh,omitempty" tf:"allow_ssh,omitempty"`
+
+	// Whether the user is allowed to use sudo to elevate privileges
+	AllowSudo *bool `json:"allowSudo,omitempty" tf:"allow_sudo,omitempty"`
+
 	// The computed id of the permission. Please note that this is only used internally to identify the permission. This value is not used in aws.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The users permission level. Mus be one of deny, show, deploy, manage, iam_only
+	Level *string `json:"level,omitempty" tf:"level,omitempty"`
+
+	// The stack to set the permissions for
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// The user's IAM ARN to set permissions for
+	UserArn *string `json:"userArn,omitempty" tf:"user_arn,omitempty"`
 }
 
 type PermissionParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_phpapplayer_types.go b/apis/opsworks/v1beta1/zz_phpapplayer_types.go
index 47e418034d..a18745acd3 100755
--- a/apis/opsworks/v1beta1/zz_phpapplayer_types.go
+++ b/apis/opsworks/v1beta1/zz_phpapplayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type PHPAppLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type PHPAppLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type PHPAppLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type PHPAppLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []PHPAppLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type PHPAppLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type PHPAppLayerCloudwatchConfigurationParameters struct {
 }
 
 type PHPAppLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PHPAppLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type PHPAppLayerEBSVolumeParameters struct {
 }
 
 type PHPAppLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type PHPAppLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type PHPAppLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type PHPAppLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []PHPAppLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []PHPAppLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type PHPAppLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type PHPAppLayerLoadBasedAutoScalingParameters struct {
 }
 
 type PHPAppLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type PHPAppLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -172,11 +247,73 @@ type PHPAppLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []PHPAppLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []PHPAppLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []PHPAppLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type PHPAppLayerParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_railsapplayer_types.go b/apis/opsworks/v1beta1/zz_railsapplayer_types.go
index 7a3eb66511..4590da4b93 100755
--- a/apis/opsworks/v1beta1/zz_railsapplayer_types.go
+++ b/apis/opsworks/v1beta1/zz_railsapplayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type RailsAppLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type RailsAppLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type RailsAppLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type RailsAppLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []RailsAppLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type RailsAppLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type RailsAppLayerCloudwatchConfigurationParameters struct {
 }
 
 type RailsAppLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RailsAppLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type RailsAppLayerEBSVolumeParameters struct {
 }
 
 type RailsAppLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type RailsAppLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type RailsAppLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type RailsAppLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []RailsAppLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []RailsAppLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type RailsAppLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type RailsAppLayerLoadBasedAutoScalingParameters struct {
 }
 
 type RailsAppLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type RailsAppLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -169,14 +244,94 @@ type RailsAppLayerLoadBasedAutoScalingUpscalingParameters struct {
 
 type RailsAppLayerObservation struct {
 
+	// Keyword for the app server to use. Defaults to "apache_passenger".
+	AppServer *string `json:"appServer,omitempty" tf:"app_server,omitempty"`
+
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	// When OpsWorks is managing Bundler, which version to use. Defaults to "1.5.3".
+	BundlerVersion *string `json:"bundlerVersion,omitempty" tf:"bundler_version,omitempty"`
+
+	CloudwatchConfiguration []RailsAppLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	// Custom JSON attributes to apply to the layer.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []RailsAppLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []RailsAppLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// Whether OpsWorks should manage bundler. On by default.
+	ManageBundler *bool `json:"manageBundler,omitempty" tf:"manage_bundler,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The version of Passenger to use. Defaults to "4.0.46".
+	PassengerVersion *string `json:"passengerVersion,omitempty" tf:"passenger_version,omitempty"`
+
+	// The version of Ruby to use. Defaults to "2.0.0".
+	RubyVersion *string `json:"rubyVersion,omitempty" tf:"ruby_version,omitempty"`
+
+	// The version of RubyGems to use. Defaults to "2.2.2".
+	RubygemsVersion *string `json:"rubygemsVersion,omitempty" tf:"rubygems_version,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type RailsAppLayerParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_rdsdbinstance_types.go b/apis/opsworks/v1beta1/zz_rdsdbinstance_types.go
index 176d9b43ba..57ed01b5ce 100755
--- a/apis/opsworks/v1beta1/zz_rdsdbinstance_types.go
+++ b/apis/opsworks/v1beta1/zz_rdsdbinstance_types.go
@@ -15,19 +15,28 @@ import (
 
 type RDSDBInstanceObservation struct {
 
+	// A db username
+	DBUser *string `json:"dbUser,omitempty" tf:"db_user,omitempty"`
+
 	// The computed id. Please note that this is only used internally to identify the stack <-> instance relation. This value is not used in aws.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The db instance to register for this stack. Changing this will force a new resource.
+	RDSDBInstanceArn *string `json:"rdsDbInstanceArn,omitempty" tf:"rds_db_instance_arn,omitempty"`
+
+	// The stack to register a db instance for. Changing this will force a new resource.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
 }
 
 type RDSDBInstanceParameters struct {
 
 	// A db password
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	DBPasswordSecretRef v1.SecretKeySelector `json:"dbPasswordSecretRef" tf:"-"`
 
 	// A db username
-	// +kubebuilder:validation:Required
-	DBUser *string `json:"dbUser" tf:"db_user,omitempty"`
+	// +kubebuilder:validation:Optional
+	DBUser *string `json:"dbUser,omitempty" tf:"db_user,omitempty"`
 
 	// The db instance to register for this stack. Changing this will force a new resource.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/rds/v1beta1.Instance
@@ -82,8 +91,10 @@ type RDSDBInstanceStatus struct {
 type RDSDBInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RDSDBInstanceSpec   `json:"spec"`
-	Status            RDSDBInstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbPasswordSecretRef)",message="dbPasswordSecretRef is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbUser)",message="dbUser is a required parameter"
+	Spec   RDSDBInstanceSpec   `json:"spec"`
+	Status RDSDBInstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opsworks/v1beta1/zz_stack_types.go b/apis/opsworks/v1beta1/zz_stack_types.go
index 5dba51b074..2580dc7d3b 100755
--- a/apis/opsworks/v1beta1/zz_stack_types.go
+++ b/apis/opsworks/v1beta1/zz_stack_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type CustomCookbooksSourceObservation struct {
+
+	// For sources that are version-aware, the revision to use.
+	Revision *string `json:"revision,omitempty" tf:"revision,omitempty"`
+
+	// The type of source to use. For example, "archive".
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The URL where the cookbooks resource can be found.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// Username to use when authenticating to the source.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type CustomCookbooksSourceParameters struct {
@@ -44,15 +56,85 @@ type CustomCookbooksSourceParameters struct {
 }
 
 type StackObservation struct {
+
+	// If set to "LATEST", OpsWorks will automatically install the latest version.
+	AgentVersion *string `json:"agentVersion,omitempty" tf:"agent_version,omitempty"`
+
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// If manage_berkshelf is enabled, the version of Berkshelf to use.
+	BerkshelfVersion *string `json:"berkshelfVersion,omitempty" tf:"berkshelf_version,omitempty"`
+
+	// Color to paint next to the stack's resources in the OpsWorks console.
+	Color *string `json:"color,omitempty" tf:"color,omitempty"`
+
+	// Name of the configuration manager to use. Defaults to "Chef".
+	ConfigurationManagerName *string `json:"configurationManagerName,omitempty" tf:"configuration_manager_name,omitempty"`
+
+	// Version of the configuration manager to use. Defaults to "11.4".
+	ConfigurationManagerVersion *string `json:"configurationManagerVersion,omitempty" tf:"configuration_manager_version,omitempty"`
+
+	// When use_custom_cookbooks is set, provide this sub-object as described below.
+	CustomCookbooksSource []CustomCookbooksSourceObservation `json:"customCookbooksSource,omitempty" tf:"custom_cookbooks_source,omitempty"`
+
+	// User defined JSON passed to "Chef". Use a "here doc" for multiline JSON.
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Name of the availability zone where instances will be created by default.
+	// Cannot be set when vpc_id is set.
+	DefaultAvailabilityZone *string `json:"defaultAvailabilityZone,omitempty" tf:"default_availability_zone,omitempty"`
+
+	// The ARN of an IAM Instance Profile that created instances will have by default.
+	DefaultInstanceProfileArn *string `json:"defaultInstanceProfileArn,omitempty" tf:"default_instance_profile_arn,omitempty"`
+
+	// Name of OS that will be installed on instances by default.
+	DefaultOs *string `json:"defaultOs,omitempty" tf:"default_os,omitempty"`
+
+	// Name of the type of root device instances will have by default.
+	DefaultRootDeviceType *string `json:"defaultRootDeviceType,omitempty" tf:"default_root_device_type,omitempty"`
+
+	// Name of the SSH keypair that instances will have by default.
+	DefaultSSHKeyName *string `json:"defaultSshKeyName,omitempty" tf:"default_ssh_key_name,omitempty"`
+
+	// ID of the subnet in which instances will be created by default.
+	// Required if vpc_id is set to a VPC other than the default VPC, and forbidden if it isn't.
+	DefaultSubnetID *string `json:"defaultSubnetId,omitempty" tf:"default_subnet_id,omitempty"`
+
+	// Keyword representing the naming scheme that will be used for instance hostnames within this stack.
+	HostnameTheme *string `json:"hostnameTheme,omitempty" tf:"hostname_theme,omitempty"`
+
 	// The id of the stack.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Boolean value controlling whether Opsworks will run Berkshelf for this stack.
+	ManageBerkshelf *bool `json:"manageBerkshelf,omitempty" tf:"manage_berkshelf,omitempty"`
+
+	// The name of the stack.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The name of the region where the stack will exist.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// The ARN of an IAM role that the OpsWorks service will act as.
+	ServiceRoleArn *string `json:"serviceRoleArn,omitempty" tf:"service_role_arn,omitempty"`
+
 	StackEndpoint *string `json:"stackEndpoint,omitempty" tf:"stack_endpoint,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Boolean value controlling whether the custom cookbook settings are enabled.
+	UseCustomCookbooks *bool `json:"useCustomCookbooks,omitempty" tf:"use_custom_cookbooks,omitempty"`
+
+	// Boolean value controlling whether the standard OpsWorks security groups apply to created instances.
+	UseOpsworksSecurityGroups *bool `json:"useOpsworksSecurityGroups,omitempty" tf:"use_opsworks_security_groups,omitempty"`
+
+	// ID of the VPC that this stack belongs to.
+	// Defaults to the region's default VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type StackParameters struct {
@@ -139,8 +221,8 @@ type StackParameters struct {
 	ManageBerkshelf *bool `json:"manageBerkshelf,omitempty" tf:"manage_berkshelf,omitempty"`
 
 	// The name of the stack.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The name of the region where the stack will exist.
 	// +kubebuilder:validation:Required
@@ -211,8 +293,9 @@ type StackStatus struct {
 type Stack struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StackSpec   `json:"spec"`
-	Status            StackStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   StackSpec   `json:"spec"`
+	Status StackStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/opsworks/v1beta1/zz_staticweblayer_types.go b/apis/opsworks/v1beta1/zz_staticweblayer_types.go
index a87c5e3ec3..4181be99d8 100755
--- a/apis/opsworks/v1beta1/zz_staticweblayer_types.go
+++ b/apis/opsworks/v1beta1/zz_staticweblayer_types.go
@@ -14,6 +14,28 @@ import (
 )
 
 type StaticWebLayerCloudwatchConfigurationLogStreamsObservation struct {
+	BatchCount *float64 `json:"batchCount,omitempty" tf:"batch_count,omitempty"`
+
+	BatchSize *float64 `json:"batchSize,omitempty" tf:"batch_size,omitempty"`
+
+	BufferDuration *float64 `json:"bufferDuration,omitempty" tf:"buffer_duration,omitempty"`
+
+	DatetimeFormat *string `json:"datetimeFormat,omitempty" tf:"datetime_format,omitempty"`
+
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	File *string `json:"file,omitempty" tf:"file,omitempty"`
+
+	FileFingerprintLines *string `json:"fileFingerprintLines,omitempty" tf:"file_fingerprint_lines,omitempty"`
+
+	InitialPosition *string `json:"initialPosition,omitempty" tf:"initial_position,omitempty"`
+
+	// A human-readable name for the layer.
+	LogGroupName *string `json:"logGroupName,omitempty" tf:"log_group_name,omitempty"`
+
+	MultilineStartPattern *string `json:"multilineStartPattern,omitempty" tf:"multiline_start_pattern,omitempty"`
+
+	TimeZone *string `json:"timeZone,omitempty" tf:"time_zone,omitempty"`
 }
 
 type StaticWebLayerCloudwatchConfigurationLogStreamsParameters struct {
@@ -54,6 +76,9 @@ type StaticWebLayerCloudwatchConfigurationLogStreamsParameters struct {
 }
 
 type StaticWebLayerCloudwatchConfigurationObservation struct {
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	LogStreams []StaticWebLayerCloudwatchConfigurationLogStreamsObservation `json:"logStreams,omitempty" tf:"log_streams,omitempty"`
 }
 
 type StaticWebLayerCloudwatchConfigurationParameters struct {
@@ -66,6 +91,25 @@ type StaticWebLayerCloudwatchConfigurationParameters struct {
 }
 
 type StaticWebLayerEBSVolumeObservation struct {
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// For PIOPS volumes, the IOPS per disk.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The path to mount the EBS volume on the layer's instances.
+	MountPoint *string `json:"mountPoint,omitempty" tf:"mount_point,omitempty"`
+
+	// The number of disks to use for the EBS volume.
+	NumberOfDisks *float64 `json:"numberOfDisks,omitempty" tf:"number_of_disks,omitempty"`
+
+	// The RAID level to use for the volume.
+	RaidLevel *string `json:"raidLevel,omitempty" tf:"raid_level,omitempty"`
+
+	// The size of the volume in gigabytes.
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// The type of volume to create. This may be standard (the default), io1 or gp2.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type StaticWebLayerEBSVolumeParameters struct {
@@ -99,6 +143,19 @@ type StaticWebLayerEBSVolumeParameters struct {
 }
 
 type StaticWebLayerLoadBasedAutoScalingDownscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type StaticWebLayerLoadBasedAutoScalingDownscalingParameters struct {
@@ -126,6 +183,11 @@ type StaticWebLayerLoadBasedAutoScalingDownscalingParameters struct {
 }
 
 type StaticWebLayerLoadBasedAutoScalingObservation struct {
+	Downscaling []StaticWebLayerLoadBasedAutoScalingDownscalingObservation `json:"downscaling,omitempty" tf:"downscaling,omitempty"`
+
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	Upscaling []StaticWebLayerLoadBasedAutoScalingUpscalingObservation `json:"upscaling,omitempty" tf:"upscaling,omitempty"`
 }
 
 type StaticWebLayerLoadBasedAutoScalingParameters struct {
@@ -141,6 +203,19 @@ type StaticWebLayerLoadBasedAutoScalingParameters struct {
 }
 
 type StaticWebLayerLoadBasedAutoScalingUpscalingObservation struct {
+	Alarms []*string `json:"alarms,omitempty" tf:"alarms,omitempty"`
+
+	CPUThreshold *float64 `json:"cpuThreshold,omitempty" tf:"cpu_threshold,omitempty"`
+
+	IgnoreMetricsTime *float64 `json:"ignoreMetricsTime,omitempty" tf:"ignore_metrics_time,omitempty"`
+
+	InstanceCount *float64 `json:"instanceCount,omitempty" tf:"instance_count,omitempty"`
+
+	LoadThreshold *float64 `json:"loadThreshold,omitempty" tf:"load_threshold,omitempty"`
+
+	MemoryThreshold *float64 `json:"memoryThreshold,omitempty" tf:"memory_threshold,omitempty"`
+
+	ThresholdsWaitTime *float64 `json:"thresholdsWaitTime,omitempty" tf:"thresholds_wait_time,omitempty"`
 }
 
 type StaticWebLayerLoadBasedAutoScalingUpscalingParameters struct {
@@ -172,11 +247,72 @@ type StaticWebLayerObservation struct {
 	// The Amazon Resource Name(ARN) of the layer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether to automatically assign an elastic IP address to the layer's instances.
+	AutoAssignElasticIps *bool `json:"autoAssignElasticIps,omitempty" tf:"auto_assign_elastic_ips,omitempty"`
+
+	// For stacks belonging to a VPC, whether to automatically assign a public IP address to each of the layer's instances.
+	AutoAssignPublicIps *bool `json:"autoAssignPublicIps,omitempty" tf:"auto_assign_public_ips,omitempty"`
+
+	// Whether to enable auto-healing for the layer.
+	AutoHealing *bool `json:"autoHealing,omitempty" tf:"auto_healing,omitempty"`
+
+	CloudwatchConfiguration []StaticWebLayerCloudwatchConfigurationObservation `json:"cloudwatchConfiguration,omitempty" tf:"cloudwatch_configuration,omitempty"`
+
+	CustomConfigureRecipes []*string `json:"customConfigureRecipes,omitempty" tf:"custom_configure_recipes,omitempty"`
+
+	CustomDeployRecipes []*string `json:"customDeployRecipes,omitempty" tf:"custom_deploy_recipes,omitempty"`
+
+	// The ARN of an IAM profile that will be used for the layer's instances.
+	CustomInstanceProfileArn *string `json:"customInstanceProfileArn,omitempty" tf:"custom_instance_profile_arn,omitempty"`
+
+	CustomJSON *string `json:"customJson,omitempty" tf:"custom_json,omitempty"`
+
+	// Ids for a set of security groups to apply to the layer's instances.
+	CustomSecurityGroupIds []*string `json:"customSecurityGroupIds,omitempty" tf:"custom_security_group_ids,omitempty"`
+
+	CustomSetupRecipes []*string `json:"customSetupRecipes,omitempty" tf:"custom_setup_recipes,omitempty"`
+
+	CustomShutdownRecipes []*string `json:"customShutdownRecipes,omitempty" tf:"custom_shutdown_recipes,omitempty"`
+
+	CustomUndeployRecipes []*string `json:"customUndeployRecipes,omitempty" tf:"custom_undeploy_recipes,omitempty"`
+
+	// Whether to enable Elastic Load Balancing connection draining.
+	DrainELBOnShutdown *bool `json:"drainElbOnShutdown,omitempty" tf:"drain_elb_on_shutdown,omitempty"`
+
+	// ebs_volume blocks, as described below, will each create an EBS volume and connect it to the layer's instances.
+	EBSVolume []StaticWebLayerEBSVolumeObservation `json:"ebsVolume,omitempty" tf:"ebs_volume,omitempty"`
+
+	// Name of an Elastic Load Balancer to attach to this layer
+	ElasticLoadBalancer *string `json:"elasticLoadBalancer,omitempty" tf:"elastic_load_balancer,omitempty"`
+
 	// The id of the layer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Whether to install OS and package updates on each instance when it boots.
+	InstallUpdatesOnBoot *bool `json:"installUpdatesOnBoot,omitempty" tf:"install_updates_on_boot,omitempty"`
+
+	// The time, in seconds, that OpsWorks will wait for Chef to complete after triggering the Shutdown event.
+	InstanceShutdownTimeout *float64 `json:"instanceShutdownTimeout,omitempty" tf:"instance_shutdown_timeout,omitempty"`
+
+	LoadBasedAutoScaling []StaticWebLayerLoadBasedAutoScalingObservation `json:"loadBasedAutoScaling,omitempty" tf:"load_based_auto_scaling,omitempty"`
+
+	// A human-readable name for the layer.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the stack the layer will belong to.
+	StackID *string `json:"stackId,omitempty" tf:"stack_id,omitempty"`
+
+	// Names of a set of system packages to install on the layer's instances.
+	SystemPackages []*string `json:"systemPackages,omitempty" tf:"system_packages,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Whether to use EBS-optimized instances.
+	UseEBSOptimizedInstances *bool `json:"useEbsOptimizedInstances,omitempty" tf:"use_ebs_optimized_instances,omitempty"`
 }
 
 type StaticWebLayerParameters struct {
diff --git a/apis/opsworks/v1beta1/zz_userprofile_types.go b/apis/opsworks/v1beta1/zz_userprofile_types.go
index f8a824e9fe..d4b56e1a69 100755
--- a/apis/opsworks/v1beta1/zz_userprofile_types.go
+++ b/apis/opsworks/v1beta1/zz_userprofile_types.go
@@ -15,8 +15,20 @@ import (
 
 type UserProfileObservation struct {
 
+	// Whether users can specify their own SSH public key through the My Settings page
+	AllowSelfManagement *bool `json:"allowSelfManagement,omitempty" tf:"allow_self_management,omitempty"`
+
 	// Same value as user_arn
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The users public key
+	SSHPublicKey *string `json:"sshPublicKey,omitempty" tf:"ssh_public_key,omitempty"`
+
+	// The ssh username, with witch this user wants to log in
+	SSHUsername *string `json:"sshUsername,omitempty" tf:"ssh_username,omitempty"`
+
+	// The user's IAM ARN
+	UserArn *string `json:"userArn,omitempty" tf:"user_arn,omitempty"`
 }
 
 type UserProfileParameters struct {
@@ -30,8 +42,8 @@ type UserProfileParameters struct {
 	SSHPublicKey *string `json:"sshPublicKey,omitempty" tf:"ssh_public_key,omitempty"`
 
 	// The ssh username, with witch this user wants to log in
-	// +kubebuilder:validation:Required
-	SSHUsername *string `json:"sshUsername" tf:"ssh_username,omitempty"`
+	// +kubebuilder:validation:Optional
+	SSHUsername *string `json:"sshUsername,omitempty" tf:"ssh_username,omitempty"`
 
 	// The user's IAM ARN
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/iam/v1beta1.User
@@ -72,8 +84,9 @@ type UserProfileStatus struct {
 type UserProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserProfileSpec   `json:"spec"`
-	Status            UserProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sshUsername)",message="sshUsername is a required parameter"
+	Spec   UserProfileSpec   `json:"spec"`
+	Status UserProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/organizations/v1beta1/zz_account_types.go b/apis/organizations/v1beta1/zz_account_types.go
index 50d445fd9d..a22a0ba5da 100755
--- a/apis/organizations/v1beta1/zz_account_types.go
+++ b/apis/organizations/v1beta1/zz_account_types.go
@@ -18,9 +18,21 @@ type AccountObservation struct {
 	// The ARN for this account.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// If true, a deletion event will close the account. Otherwise, it will only remove from the organization. This is not supported for GovCloud accounts.
+	CloseOnDeletion *bool `json:"closeOnDeletion,omitempty" tf:"close_on_deletion,omitempty"`
+
+	// Whether to also create a GovCloud account. The GovCloud account is tied to the main (commercial) account this resource creates. If true, the GovCloud account ID is available in the govcloud_id attribute.
+	CreateGovcloud *bool `json:"createGovcloud,omitempty" tf:"create_govcloud,omitempty"`
+
+	// Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
 	// ID for a GovCloud account created with the account.
 	GovcloudID *string `json:"govcloudId,omitempty" tf:"govcloud_id,omitempty"`
 
+	// If set to ALLOW, the new account enables IAM users and roles to access account billing information if they have the required permissions. If set to DENY, then only the root user (and no roles) of the new account can access account billing information. If this is unset, the AWS API will default this to ALLOW. If the resource is created and this option is changed, it will try to recreate the account.
+	IAMUserAccessToBilling *string `json:"iamUserAccessToBilling,omitempty" tf:"iam_user_access_to_billing,omitempty"`
+
 	// The AWS account id
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -28,8 +40,17 @@ type AccountObservation struct {
 
 	JoinedTimestamp *string `json:"joinedTimestamp,omitempty" tf:"joined_timestamp,omitempty"`
 
+	// Friendly name for the member account.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.
+	ParentID *string `json:"parentId,omitempty" tf:"parent_id,omitempty"`
+
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -45,16 +66,16 @@ type AccountParameters struct {
 	CreateGovcloud *bool `json:"createGovcloud,omitempty" tf:"create_govcloud,omitempty"`
 
 	// Email address of the owner to assign to the new member account. This email address must not already be associated with another AWS account.
-	// +kubebuilder:validation:Required
-	Email *string `json:"email" tf:"email,omitempty"`
+	// +kubebuilder:validation:Optional
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
 
 	// If set to ALLOW, the new account enables IAM users and roles to access account billing information if they have the required permissions. If set to DENY, then only the root user (and no roles) of the new account can access account billing information. If this is unset, the AWS API will default this to ALLOW. If the resource is created and this option is changed, it will try to recreate the account.
 	// +kubebuilder:validation:Optional
 	IAMUserAccessToBilling *string `json:"iamUserAccessToBilling,omitempty" tf:"iam_user_access_to_billing,omitempty"`
 
 	// Friendly name for the member account.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Parent Organizational Unit ID or Root ID for the account. Defaults to the Organization default Root ID. A configuration must be present for this argument to perform drift detection.
 	// +kubebuilder:validation:Optional
@@ -94,8 +115,10 @@ type AccountStatus struct {
 type Account struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AccountSpec   `json:"spec"`
-	Status            AccountStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)",message="email is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AccountSpec   `json:"spec"`
+	Status AccountStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/organizations/v1beta1/zz_delegatedadministrator_types.go b/apis/organizations/v1beta1/zz_delegatedadministrator_types.go
index 05f8741334..bf61c8a88b 100755
--- a/apis/organizations/v1beta1/zz_delegatedadministrator_types.go
+++ b/apis/organizations/v1beta1/zz_delegatedadministrator_types.go
@@ -15,6 +15,9 @@ import (
 
 type DelegatedAdministratorObservation struct {
 
+	// The account ID number of the member account in the organization to register as a delegated administrator.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the delegated administrator's account.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
@@ -36,6 +39,9 @@ type DelegatedAdministratorObservation struct {
 	// The friendly name of the delegated administrator's account.
 	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
+	// The service principal of the AWS service for which you want to make the member account a delegated administrator.
+	ServicePrincipal *string `json:"servicePrincipal,omitempty" tf:"service_principal,omitempty"`
+
 	// The status of the delegated administrator's account in the organization.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -61,8 +67,8 @@ type DelegatedAdministratorParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The service principal of the AWS service for which you want to make the member account a delegated administrator.
-	// +kubebuilder:validation:Required
-	ServicePrincipal *string `json:"servicePrincipal" tf:"service_principal,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServicePrincipal *string `json:"servicePrincipal,omitempty" tf:"service_principal,omitempty"`
 }
 
 // DelegatedAdministratorSpec defines the desired state of DelegatedAdministrator
@@ -89,8 +95,9 @@ type DelegatedAdministratorStatus struct {
 type DelegatedAdministrator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DelegatedAdministratorSpec   `json:"spec"`
-	Status            DelegatedAdministratorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.servicePrincipal)",message="servicePrincipal is a required parameter"
+	Spec   DelegatedAdministratorSpec   `json:"spec"`
+	Status DelegatedAdministratorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/organizations/v1beta1/zz_generated.deepcopy.go b/apis/organizations/v1beta1/zz_generated.deepcopy.go
index be84ec052c..f737a8aa86 100644
--- a/apis/organizations/v1beta1/zz_generated.deepcopy.go
+++ b/apis/organizations/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,31 @@ func (in *AccountObservation) DeepCopyInto(out *AccountObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CloseOnDeletion != nil {
+		in, out := &in.CloseOnDeletion, &out.CloseOnDeletion
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CreateGovcloud != nil {
+		in, out := &in.CreateGovcloud, &out.CreateGovcloud
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
 	if in.GovcloudID != nil {
 		in, out := &in.GovcloudID, &out.GovcloudID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IAMUserAccessToBilling != nil {
+		in, out := &in.IAMUserAccessToBilling, &out.IAMUserAccessToBilling
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -101,11 +121,36 @@ func (in *AccountObservation) DeepCopyInto(out *AccountObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParentID != nil {
+		in, out := &in.ParentID, &out.ParentID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -349,6 +394,11 @@ func (in *DelegatedAdministratorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DelegatedAdministratorObservation) DeepCopyInto(out *DelegatedAdministratorObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -384,6 +434,11 @@ func (in *DelegatedAdministratorObservation) DeepCopyInto(out *DelegatedAdminist
 		*out = new(string)
 		**out = **in
 	}
+	if in.ServicePrincipal != nil {
+		in, out := &in.ServicePrincipal, &out.ServicePrincipal
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -604,6 +659,33 @@ func (in *OrganizationObservation) DeepCopyInto(out *OrganizationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AwsServiceAccessPrincipals != nil {
+		in, out := &in.AwsServiceAccessPrincipals, &out.AwsServiceAccessPrincipals
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.EnabledPolicyTypes != nil {
+		in, out := &in.EnabledPolicyTypes, &out.EnabledPolicyTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.FeatureSet != nil {
+		in, out := &in.FeatureSet, &out.FeatureSet
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -860,6 +942,31 @@ func (in *OrganizationalUnitObservation) DeepCopyInto(out *OrganizationalUnitObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParentID != nil {
+		in, out := &in.ParentID, &out.ParentID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1060,6 +1167,21 @@ func (in *PolicyAttachmentObservation) DeepCopyInto(out *PolicyAttachmentObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.PolicyID != nil {
+		in, out := &in.PolicyID, &out.PolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TargetID != nil {
+		in, out := &in.TargetID, &out.TargetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyAttachmentObservation.
@@ -1191,11 +1313,46 @@ func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SkipDestroy != nil {
+		in, out := &in.SkipDestroy, &out.SkipDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1211,6 +1368,11 @@ func (in *PolicyObservation) DeepCopyInto(out *PolicyObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyObservation.
diff --git a/apis/organizations/v1beta1/zz_organization_types.go b/apis/organizations/v1beta1/zz_organization_types.go
index dbf514bc05..c1595c7721 100755
--- a/apis/organizations/v1beta1/zz_organization_types.go
+++ b/apis/organizations/v1beta1/zz_organization_types.go
@@ -63,6 +63,15 @@ type OrganizationObservation struct {
 	// ARN of the account
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of AWS service principal names for which you want to enable integration with your organization. This is typically in the form of a URL, such as service-abbreviation.amazonaws.com. Organization must have feature_set set to ALL. Some services do not support enablement via this endpoint, see warning in aws docs.
+	AwsServiceAccessPrincipals []*string `json:"awsServiceAccessPrincipals,omitempty" tf:"aws_service_access_principals,omitempty"`
+
+	// List of Organizations policy types to enable in the Organization Root. Organization must have feature_set set to ALL. For additional information about valid policy types (e.g., AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY, and TAG_POLICY), see the AWS Organizations API Reference.
+	EnabledPolicyTypes []*string `json:"enabledPolicyTypes,omitempty" tf:"enabled_policy_types,omitempty"`
+
+	// Specify "ALL" (default) or "CONSOLIDATED_BILLING".
+	FeatureSet *string `json:"featureSet,omitempty" tf:"feature_set,omitempty"`
+
 	// Identifier of the account
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
diff --git a/apis/organizations/v1beta1/zz_organizationalunit_types.go b/apis/organizations/v1beta1/zz_organizationalunit_types.go
index 57ef56ff3b..320747afc0 100755
--- a/apis/organizations/v1beta1/zz_organizationalunit_types.go
+++ b/apis/organizations/v1beta1/zz_organizationalunit_types.go
@@ -42,6 +42,15 @@ type OrganizationalUnitObservation struct {
 	// Identifier of the account
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name for the organizational unit
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// ID of the parent organizational unit, which may be the root
+	ParentID *string `json:"parentId,omitempty" tf:"parent_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -49,12 +58,12 @@ type OrganizationalUnitObservation struct {
 type OrganizationalUnitParameters struct {
 
 	// The name for the organizational unit
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// ID of the parent organizational unit, which may be the root
-	// +kubebuilder:validation:Required
-	ParentID *string `json:"parentId" tf:"parent_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	ParentID *string `json:"parentId,omitempty" tf:"parent_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -90,8 +99,10 @@ type OrganizationalUnitStatus struct {
 type OrganizationalUnit struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              OrganizationalUnitSpec   `json:"spec"`
-	Status            OrganizationalUnitStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parentId)",message="parentId is a required parameter"
+	Spec   OrganizationalUnitSpec   `json:"spec"`
+	Status OrganizationalUnitStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/organizations/v1beta1/zz_policy_types.go b/apis/organizations/v1beta1/zz_policy_types.go
index 78c069775d..daec2780df 100755
--- a/apis/organizations/v1beta1/zz_policy_types.go
+++ b/apis/organizations/v1beta1/zz_policy_types.go
@@ -18,26 +18,44 @@ type PolicyObservation struct {
 	// Amazon Resource Name (ARN) of the policy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// A description to assign to the policy.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The unique identifier (ID) of the policy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The friendly name to assign to the policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// If set to true, destroy will not delete the policy and instead just remove the resource from state. This can be useful in situations where the policies (and the associated attachment) must be preserved to meet the AWS minimum requirement of 1 attached policy.
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The type of policy to create. Valid values are AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY (SCP), and TAG_POLICY. Defaults to SERVICE_CONTROL_POLICY.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PolicyParameters struct {
 
 	// The policy content to add to the new policy. For example, if you create a service control policy (SCP), this string must be JSON text that specifies the permissions that admins in attached accounts can delegate to their users, groups, and roles. For more information about the SCP syntax, see the Service Control Policy Syntax documentation and for more information on the Tag Policy syntax, see the Tag Policy Syntax documentation.
-	// +kubebuilder:validation:Required
-	Content *string `json:"content" tf:"content,omitempty"`
+	// +kubebuilder:validation:Optional
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
 
 	// A description to assign to the policy.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The friendly name to assign to the policy.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -81,8 +99,10 @@ type PolicyStatus struct {
 type Policy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PolicySpec   `json:"spec"`
-	Status            PolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)",message="content is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   PolicySpec   `json:"spec"`
+	Status PolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/organizations/v1beta1/zz_policyattachment_types.go b/apis/organizations/v1beta1/zz_policyattachment_types.go
index 086493c822..02cff8e07c 100755
--- a/apis/organizations/v1beta1/zz_policyattachment_types.go
+++ b/apis/organizations/v1beta1/zz_policyattachment_types.go
@@ -15,6 +15,15 @@ import (
 
 type PolicyAttachmentObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The unique identifier (ID) of the policy that you want to attach to the target.
+	PolicyID *string `json:"policyId,omitempty" tf:"policy_id,omitempty"`
+
+	// If set to true, destroy will not detach the policy and instead just remove the resource from state. This can be useful in situations where the attachment must be preserved to meet the AWS minimum requirement of 1 attached policy.
+	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
+
+	// The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
 }
 
 type PolicyAttachmentParameters struct {
@@ -43,8 +52,8 @@ type PolicyAttachmentParameters struct {
 	SkipDestroy *bool `json:"skipDestroy,omitempty" tf:"skip_destroy,omitempty"`
 
 	// The unique identifier (ID) of the root, organizational unit, or account number that you want to attach the policy to.
-	// +kubebuilder:validation:Required
-	TargetID *string `json:"targetId" tf:"target_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
 }
 
 // PolicyAttachmentSpec defines the desired state of PolicyAttachment
@@ -71,8 +80,9 @@ type PolicyAttachmentStatus struct {
 type PolicyAttachment struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PolicyAttachmentSpec   `json:"spec"`
-	Status            PolicyAttachmentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetId)",message="targetId is a required parameter"
+	Spec   PolicyAttachmentSpec   `json:"spec"`
+	Status PolicyAttachmentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/pinpoint/v1beta1/zz_app_types.go b/apis/pinpoint/v1beta1/zz_app_types.go
index c04e1cd587..996c5a0cea 100755
--- a/apis/pinpoint/v1beta1/zz_app_types.go
+++ b/apis/pinpoint/v1beta1/zz_app_types.go
@@ -21,8 +21,23 @@ type AppObservation struct {
 	// Amazon Resource Name (ARN) of the PinPoint Application
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies settings for invoking an AWS Lambda function that customizes a segment for a campaign
+	CampaignHook []CampaignHookObservation `json:"campaignHook,omitempty" tf:"campaign_hook,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The default campaign limits for the app. These limits apply to each campaign for the app, unless the campaign overrides the default with limits of its own
+	Limits []LimitsObservation `json:"limits,omitempty" tf:"limits,omitempty"`
+
+	// The application name
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The default quiet time for the app. Each campaign for this app sends no messages during this time unless the campaign overrides the default with a quiet time of its own
+	QuietTime []QuietTimeObservation `json:"quietTime,omitempty" tf:"quiet_time,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -56,6 +71,15 @@ type AppParameters struct {
 }
 
 type CampaignHookObservation struct {
+
+	// Lambda function name or ARN to be called for delivery. Conflicts with web_url
+	LambdaFunctionName *string `json:"lambdaFunctionName,omitempty" tf:"lambda_function_name,omitempty"`
+
+	// What mode Lambda should be invoked in. Valid values for this parameter are DELIVERY, FILTER.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// Web URL to call for hook. If the URL has authentication specified it will be added as authentication to the request. Conflicts with lambda_function_name
+	WebURL *string `json:"webUrl,omitempty" tf:"web_url,omitempty"`
 }
 
 type CampaignHookParameters struct {
@@ -74,6 +98,18 @@ type CampaignHookParameters struct {
 }
 
 type LimitsObservation struct {
+
+	// The maximum number of messages that the campaign can send daily.
+	Daily *float64 `json:"daily,omitempty" tf:"daily,omitempty"`
+
+	// The length of time (in seconds) that the campaign can run before it ends and message deliveries stop. This duration begins at the scheduled start time for the campaign. The minimum value is 60.
+	MaximumDuration *float64 `json:"maximumDuration,omitempty" tf:"maximum_duration,omitempty"`
+
+	// The number of messages that the campaign can send per second. The minimum value is 50, and the maximum is 20000.
+	MessagesPerSecond *float64 `json:"messagesPerSecond,omitempty" tf:"messages_per_second,omitempty"`
+
+	// The maximum total number of messages that the campaign can send.
+	Total *float64 `json:"total,omitempty" tf:"total,omitempty"`
 }
 
 type LimitsParameters struct {
@@ -96,6 +132,12 @@ type LimitsParameters struct {
 }
 
 type QuietTimeObservation struct {
+
+	// The default end time for quiet time in ISO 8601 format. Required if start is set
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// The default start time for quiet time in ISO 8601 format. Required if end is set
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type QuietTimeParameters struct {
diff --git a/apis/pinpoint/v1beta1/zz_generated.deepcopy.go b/apis/pinpoint/v1beta1/zz_generated.deepcopy.go
index 0ba4812e72..6a6cceb5fa 100644
--- a/apis/pinpoint/v1beta1/zz_generated.deepcopy.go
+++ b/apis/pinpoint/v1beta1/zz_generated.deepcopy.go
@@ -86,11 +86,52 @@ func (in *AppObservation) DeepCopyInto(out *AppObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CampaignHook != nil {
+		in, out := &in.CampaignHook, &out.CampaignHook
+		*out = make([]CampaignHookObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Limits != nil {
+		in, out := &in.Limits, &out.Limits
+		*out = make([]LimitsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.QuietTime != nil {
+		in, out := &in.QuietTime, &out.QuietTime
+		*out = make([]QuietTimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -216,6 +257,21 @@ func (in *AppStatus) DeepCopy() *AppStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CampaignHookObservation) DeepCopyInto(out *CampaignHookObservation) {
 	*out = *in
+	if in.LambdaFunctionName != nil {
+		in, out := &in.LambdaFunctionName, &out.LambdaFunctionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.WebURL != nil {
+		in, out := &in.WebURL, &out.WebURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CampaignHookObservation.
@@ -261,6 +317,26 @@ func (in *CampaignHookParameters) DeepCopy() *CampaignHookParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LimitsObservation) DeepCopyInto(out *LimitsObservation) {
 	*out = *in
+	if in.Daily != nil {
+		in, out := &in.Daily, &out.Daily
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaximumDuration != nil {
+		in, out := &in.MaximumDuration, &out.MaximumDuration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MessagesPerSecond != nil {
+		in, out := &in.MessagesPerSecond, &out.MessagesPerSecond
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Total != nil {
+		in, out := &in.Total, &out.Total
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LimitsObservation.
@@ -311,6 +387,16 @@ func (in *LimitsParameters) DeepCopy() *LimitsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QuietTimeObservation) DeepCopyInto(out *QuietTimeObservation) {
 	*out = *in
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QuietTimeObservation.
@@ -410,6 +496,16 @@ func (in *SMSChannelList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SMSChannelObservation) DeepCopyInto(out *SMSChannelObservation) {
 	*out = *in
+	if in.ApplicationID != nil {
+		in, out := &in.ApplicationID, &out.ApplicationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -420,6 +516,16 @@ func (in *SMSChannelObservation) DeepCopyInto(out *SMSChannelObservation) {
 		*out = new(float64)
 		**out = **in
 	}
+	if in.SenderID != nil {
+		in, out := &in.SenderID, &out.SenderID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ShortCode != nil {
+		in, out := &in.ShortCode, &out.ShortCode
+		*out = new(string)
+		**out = **in
+	}
 	if in.TransactionalMessagesPerSecond != nil {
 		in, out := &in.TransactionalMessagesPerSecond, &out.TransactionalMessagesPerSecond
 		*out = new(float64)
diff --git a/apis/pinpoint/v1beta1/zz_smschannel_types.go b/apis/pinpoint/v1beta1/zz_smschannel_types.go
index b504cc1de3..e3f2b0de11 100755
--- a/apis/pinpoint/v1beta1/zz_smschannel_types.go
+++ b/apis/pinpoint/v1beta1/zz_smschannel_types.go
@@ -14,11 +14,24 @@ import (
 )
 
 type SMSChannelObservation struct {
+
+	// The application ID.
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
+
+	// Whether the channel is enabled or disabled. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Promotional messages per second that can be sent.
 	PromotionalMessagesPerSecond *float64 `json:"promotionalMessagesPerSecond,omitempty" tf:"promotional_messages_per_second,omitempty"`
 
+	// Sender identifier of your messages.
+	SenderID *string `json:"senderId,omitempty" tf:"sender_id,omitempty"`
+
+	// The Short Code registered with the phone provider.
+	ShortCode *string `json:"shortCode,omitempty" tf:"short_code,omitempty"`
+
 	// Transactional messages per second that can be sent.
 	TransactionalMessagesPerSecond *float64 `json:"transactionalMessagesPerSecond,omitempty" tf:"transactional_messages_per_second,omitempty"`
 }
diff --git a/apis/qldb/v1beta1/zz_generated.deepcopy.go b/apis/qldb/v1beta1/zz_generated.deepcopy.go
index 8380d46346..e0ff40b1a6 100644
--- a/apis/qldb/v1beta1/zz_generated.deepcopy.go
+++ b/apis/qldb/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,16 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisConfigurationObservation) DeepCopyInto(out *KinesisConfigurationObservation) {
 	*out = *in
+	if in.AggregationEnabled != nil {
+		in, out := &in.AggregationEnabled, &out.AggregationEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StreamArn != nil {
+		in, out := &in.StreamArn, &out.StreamArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisConfigurationObservation.
@@ -131,11 +141,41 @@ func (in *LedgerObservation) DeepCopyInto(out *LedgerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKey != nil {
+		in, out := &in.KMSKey, &out.KMSKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.PermissionsMode != nil {
+		in, out := &in.PermissionsMode, &out.PermissionsMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -324,11 +364,58 @@ func (in *StreamObservation) DeepCopyInto(out *StreamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ExclusiveEndTime != nil {
+		in, out := &in.ExclusiveEndTime, &out.ExclusiveEndTime
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InclusiveStartTime != nil {
+		in, out := &in.InclusiveStartTime, &out.InclusiveStartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.KinesisConfiguration != nil {
+		in, out := &in.KinesisConfiguration, &out.KinesisConfiguration
+		*out = make([]KinesisConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LedgerName != nil {
+		in, out := &in.LedgerName, &out.LedgerName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamName != nil {
+		in, out := &in.StreamName, &out.StreamName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/qldb/v1beta1/zz_ledger_types.go b/apis/qldb/v1beta1/zz_ledger_types.go
index f47ed22cba..fe33f83453 100755
--- a/apis/qldb/v1beta1/zz_ledger_types.go
+++ b/apis/qldb/v1beta1/zz_ledger_types.go
@@ -18,9 +18,21 @@ type LedgerObservation struct {
 	// The ARN of the QLDB Ledger
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The deletion protection for the QLDB Ledger instance. By default it is true.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
 	// The Name of the QLDB Ledger
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The key in AWS Key Management Service (AWS KMS) to use for encryption of data at rest in the ledger. For more information, see the AWS documentation. Valid values are "AWS_OWNED_KMS_KEY" to use an AWS KMS key that is owned and managed by AWS on your behalf, or the ARN of a valid symmetric customer managed KMS key.
+	KMSKey *string `json:"kmsKey,omitempty" tf:"kms_key,omitempty"`
+
+	// The permissions mode for the QLDB ledger instance. Specify either ALLOW_ALL or STANDARD.
+	PermissionsMode *string `json:"permissionsMode,omitempty" tf:"permissions_mode,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -45,8 +57,8 @@ type LedgerParameters struct {
 	KMSKeySelector *v1.Selector `json:"kmsKeySelector,omitempty" tf:"-"`
 
 	// The permissions mode for the QLDB ledger instance. Specify either ALLOW_ALL or STANDARD.
-	// +kubebuilder:validation:Required
-	PermissionsMode *string `json:"permissionsMode" tf:"permissions_mode,omitempty"`
+	// +kubebuilder:validation:Optional
+	PermissionsMode *string `json:"permissionsMode,omitempty" tf:"permissions_mode,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -82,8 +94,9 @@ type LedgerStatus struct {
 type Ledger struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LedgerSpec   `json:"spec"`
-	Status            LedgerStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissionsMode)",message="permissionsMode is a required parameter"
+	Spec   LedgerSpec   `json:"spec"`
+	Status LedgerStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/qldb/v1beta1/zz_stream_types.go b/apis/qldb/v1beta1/zz_stream_types.go
index 4f807016e9..c1fe58e226 100755
--- a/apis/qldb/v1beta1/zz_stream_types.go
+++ b/apis/qldb/v1beta1/zz_stream_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type KinesisConfigurationObservation struct {
+
+	// Enables QLDB to publish multiple data records in a single Kinesis Data Streams record, increasing the number of records sent per API call. Default: true.
+	AggregationEnabled *bool `json:"aggregationEnabled,omitempty" tf:"aggregation_enabled,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Kinesis Data Streams resource.
+	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 }
 
 type KinesisConfigurationParameters struct {
@@ -42,9 +48,30 @@ type StreamObservation struct {
 	// The ARN of the QLDB Stream.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The exclusive date and time that specifies when the stream ends. If you don't define this parameter, the stream runs indefinitely until you cancel it. It must be in ISO 8601 date and time format and in Universal Coordinated Time (UTC). For example: "2019-06-13T21:36:34Z".
+	ExclusiveEndTime *string `json:"exclusiveEndTime,omitempty" tf:"exclusive_end_time,omitempty"`
+
 	// The ID of the QLDB Stream.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The inclusive start date and time from which to start streaming journal data. This parameter must be in ISO 8601 date and time format and in Universal Coordinated Time (UTC). For example: "2019-06-13T21:36:34Z".  This cannot be in the future and must be before exclusive_end_time.  If you provide a value that is before the ledger's CreationDateTime, QLDB effectively defaults it to the ledger's CreationDateTime.
+	InclusiveStartTime *string `json:"inclusiveStartTime,omitempty" tf:"inclusive_start_time,omitempty"`
+
+	// The configuration settings of the Kinesis Data Streams destination for your stream request. Documented below.
+	KinesisConfiguration []KinesisConfigurationObservation `json:"kinesisConfiguration,omitempty" tf:"kinesis_configuration,omitempty"`
+
+	// The name of the QLDB ledger.
+	LedgerName *string `json:"ledgerName,omitempty" tf:"ledger_name,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the IAM role that grants QLDB permissions for a journal stream to write data records to a Kinesis Data Streams resource.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The name that you want to assign to the QLDB journal stream. User-defined names can help identify and indicate the purpose of a stream.  Your stream name must be unique among other active streams for a given ledger. Stream names have the same naming constraints as ledger names, as defined in the Amazon QLDB Developer Guide.
+	StreamName *string `json:"streamName,omitempty" tf:"stream_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -56,12 +83,12 @@ type StreamParameters struct {
 	ExclusiveEndTime *string `json:"exclusiveEndTime,omitempty" tf:"exclusive_end_time,omitempty"`
 
 	// The inclusive start date and time from which to start streaming journal data. This parameter must be in ISO 8601 date and time format and in Universal Coordinated Time (UTC). For example: "2019-06-13T21:36:34Z".  This cannot be in the future and must be before exclusive_end_time.  If you provide a value that is before the ledger's CreationDateTime, QLDB effectively defaults it to the ledger's CreationDateTime.
-	// +kubebuilder:validation:Required
-	InclusiveStartTime *string `json:"inclusiveStartTime" tf:"inclusive_start_time,omitempty"`
+	// +kubebuilder:validation:Optional
+	InclusiveStartTime *string `json:"inclusiveStartTime,omitempty" tf:"inclusive_start_time,omitempty"`
 
 	// The configuration settings of the Kinesis Data Streams destination for your stream request. Documented below.
-	// +kubebuilder:validation:Required
-	KinesisConfiguration []KinesisConfigurationParameters `json:"kinesisConfiguration" tf:"kinesis_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	KinesisConfiguration []KinesisConfigurationParameters `json:"kinesisConfiguration,omitempty" tf:"kinesis_configuration,omitempty"`
 
 	// The name of the QLDB ledger.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/qldb/v1beta1.Ledger
@@ -97,8 +124,8 @@ type StreamParameters struct {
 	RoleArnSelector *v1.Selector `json:"roleArnSelector,omitempty" tf:"-"`
 
 	// The name that you want to assign to the QLDB journal stream. User-defined names can help identify and indicate the purpose of a stream.  Your stream name must be unique among other active streams for a given ledger. Stream names have the same naming constraints as ledger names, as defined in the Amazon QLDB Developer Guide.
-	// +kubebuilder:validation:Required
-	StreamName *string `json:"streamName" tf:"stream_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	StreamName *string `json:"streamName,omitempty" tf:"stream_name,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -129,8 +156,11 @@ type StreamStatus struct {
 type Stream struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StreamSpec   `json:"spec"`
-	Status            StreamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inclusiveStartTime)",message="inclusiveStartTime is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.kinesisConfiguration)",message="kinesisConfiguration is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.streamName)",message="streamName is a required parameter"
+	Spec   StreamSpec   `json:"spec"`
+	Status StreamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/quicksight/v1beta1/zz_generated.deepcopy.go b/apis/quicksight/v1beta1/zz_generated.deepcopy.go
index 2726917334..8b5381a6e6 100644
--- a/apis/quicksight/v1beta1/zz_generated.deepcopy.go
+++ b/apis/quicksight/v1beta1/zz_generated.deepcopy.go
@@ -80,11 +80,31 @@ func (in *GroupObservation) DeepCopyInto(out *GroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AwsAccountID != nil {
+		in, out := &in.AwsAccountID, &out.AwsAccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupName != nil {
+		in, out := &in.GroupName, &out.GroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GroupObservation.
@@ -238,11 +258,51 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AwsAccountID != nil {
+		in, out := &in.AwsAccountID, &out.AwsAccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMArn != nil {
+		in, out := &in.IAMArn, &out.IAMArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentityType != nil {
+		in, out := &in.IdentityType, &out.IdentityType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Namespace != nil {
+		in, out := &in.Namespace, &out.Namespace
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionName != nil {
+		in, out := &in.SessionName, &out.SessionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserName != nil {
+		in, out := &in.UserName, &out.UserName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserRole != nil {
+		in, out := &in.UserRole, &out.UserRole
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserObservation.
diff --git a/apis/quicksight/v1beta1/zz_group_types.go b/apis/quicksight/v1beta1/zz_group_types.go
index 1136dcb9bb..96f7dcae39 100755
--- a/apis/quicksight/v1beta1/zz_group_types.go
+++ b/apis/quicksight/v1beta1/zz_group_types.go
@@ -18,7 +18,19 @@ type GroupObservation struct {
 	// Amazon Resource Name (ARN) of group
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID for the AWS account that the group is in. Currently, you use the ID for the AWS account that contains your Amazon QuickSight account.
+	AwsAccountID *string `json:"awsAccountId,omitempty" tf:"aws_account_id,omitempty"`
+
+	// A description for the group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// A name for the group.
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The namespace. Currently, you should set this to default.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
 }
 
 type GroupParameters struct {
@@ -32,8 +44,8 @@ type GroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A name for the group.
-	// +kubebuilder:validation:Required
-	GroupName *string `json:"groupName" tf:"group_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
 
 	// The namespace. Currently, you should set this to default.
 	// +kubebuilder:validation:Optional
@@ -69,8 +81,9 @@ type GroupStatus struct {
 type Group struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GroupSpec   `json:"spec"`
-	Status            GroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupName)",message="groupName is a required parameter"
+	Spec   GroupSpec   `json:"spec"`
+	Status GroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/quicksight/v1beta1/zz_user_types.go b/apis/quicksight/v1beta1/zz_user_types.go
index d8d595c66f..53505abe31 100755
--- a/apis/quicksight/v1beta1/zz_user_types.go
+++ b/apis/quicksight/v1beta1/zz_user_types.go
@@ -18,7 +18,31 @@ type UserObservation struct {
 	// Amazon Resource Name (ARN) of the user
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID for the AWS account that the user is in. Currently, you use the ID for the AWS account that contains your Amazon QuickSight account.
+	AwsAccountID *string `json:"awsAccountId,omitempty" tf:"aws_account_id,omitempty"`
+
+	// The email address of the user that you want to register.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
+	// The ARN of the IAM user or role that you are registering with Amazon QuickSight.
+	IAMArn *string `json:"iamArn,omitempty" tf:"iam_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amazon QuickSight supports several ways of managing the identity of users. This parameter accepts either  IAM or QUICKSIGHT. If IAM is specified, the iam_arn must also be specified.
+	IdentityType *string `json:"identityType,omitempty" tf:"identity_type,omitempty"`
+
+	// The Amazon Quicksight namespace to create the user in. Defaults to default.
+	Namespace *string `json:"namespace,omitempty" tf:"namespace,omitempty"`
+
+	// The name of the IAM session to use when assuming roles that can embed QuickSight dashboards. Only valid for registering users using an assumed IAM role. Additionally, if registering multiple users using the same IAM role, each user needs to have a unique session name.
+	SessionName *string `json:"sessionName,omitempty" tf:"session_name,omitempty"`
+
+	// The Amazon QuickSight user name that you want to create for the user you are registering. Only valid for registering a user with identity_type set to QUICKSIGHT.
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
+
+	// The Amazon QuickSight role of the user. The user role can be one of the following: READER, AUTHOR, or ADMIN
+	UserRole *string `json:"userRole,omitempty" tf:"user_role,omitempty"`
 }
 
 type UserParameters struct {
@@ -28,16 +52,16 @@ type UserParameters struct {
 	AwsAccountID *string `json:"awsAccountId,omitempty" tf:"aws_account_id,omitempty"`
 
 	// The email address of the user that you want to register.
-	// +kubebuilder:validation:Required
-	Email *string `json:"email" tf:"email,omitempty"`
+	// +kubebuilder:validation:Optional
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
 
 	// The ARN of the IAM user or role that you are registering with Amazon QuickSight.
 	// +kubebuilder:validation:Optional
 	IAMArn *string `json:"iamArn,omitempty" tf:"iam_arn,omitempty"`
 
 	// Amazon QuickSight supports several ways of managing the identity of users. This parameter accepts either  IAM or QUICKSIGHT. If IAM is specified, the iam_arn must also be specified.
-	// +kubebuilder:validation:Required
-	IdentityType *string `json:"identityType" tf:"identity_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	IdentityType *string `json:"identityType,omitempty" tf:"identity_type,omitempty"`
 
 	// The Amazon Quicksight namespace to create the user in. Defaults to default.
 	// +kubebuilder:validation:Optional
@@ -57,8 +81,8 @@ type UserParameters struct {
 	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 
 	// The Amazon QuickSight role of the user. The user role can be one of the following: READER, AUTHOR, or ADMIN
-	// +kubebuilder:validation:Required
-	UserRole *string `json:"userRole" tf:"user_role,omitempty"`
+	// +kubebuilder:validation:Optional
+	UserRole *string `json:"userRole,omitempty" tf:"user_role,omitempty"`
 }
 
 // UserSpec defines the desired state of User
@@ -85,8 +109,11 @@ type UserStatus struct {
 type User struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserSpec   `json:"spec"`
-	Status            UserStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)",message="email is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identityType)",message="identityType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userRole)",message="userRole is a required parameter"
+	Spec   UserSpec   `json:"spec"`
+	Status UserStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ram/v1beta1/zz_generated.deepcopy.go b/apis/ram/v1beta1/zz_generated.deepcopy.go
index 2d39f4d24c..6991605ddf 100644
--- a/apis/ram/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ram/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,16 @@ func (in *ResourceAssociationObservation) DeepCopyInto(out *ResourceAssociationO
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceShareArn != nil {
+		in, out := &in.ResourceShareArn, &out.ResourceShareArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAssociationObservation.
@@ -229,6 +239,11 @@ func (in *ResourceShareList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceShareObservation) DeepCopyInto(out *ResourceShareObservation) {
 	*out = *in
+	if in.AllowExternalPrincipals != nil {
+		in, out := &in.AllowExternalPrincipals, &out.AllowExternalPrincipals
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -239,6 +254,37 @@ func (in *ResourceShareObservation) DeepCopyInto(out *ResourceShareObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PermissionArns != nil {
+		in, out := &in.PermissionArns, &out.PermissionArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/ram/v1beta1/zz_resourceassociation_types.go b/apis/ram/v1beta1/zz_resourceassociation_types.go
index 4d8df0000a..a88792e87e 100755
--- a/apis/ram/v1beta1/zz_resourceassociation_types.go
+++ b/apis/ram/v1beta1/zz_resourceassociation_types.go
@@ -17,6 +17,12 @@ type ResourceAssociationObservation struct {
 
 	// The Amazon Resource Name (ARN) of the resource share.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amazon Resource Name (ARN) of the resource to associate with the RAM Resource Share.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// Amazon Resource Name (ARN) of the RAM Resource Share.
+	ResourceShareArn *string `json:"resourceShareArn,omitempty" tf:"resource_share_arn,omitempty"`
 }
 
 type ResourceAssociationParameters struct {
@@ -27,8 +33,8 @@ type ResourceAssociationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Amazon Resource Name (ARN) of the resource to associate with the RAM Resource Share.
-	// +kubebuilder:validation:Required
-	ResourceArn *string `json:"resourceArn" tf:"resource_arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 
 	// Amazon Resource Name (ARN) of the RAM Resource Share.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ram/v1beta1.ResourceShare
@@ -69,8 +75,9 @@ type ResourceAssociationStatus struct {
 type ResourceAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceAssociationSpec   `json:"spec"`
-	Status            ResourceAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceArn)",message="resourceArn is a required parameter"
+	Spec   ResourceAssociationSpec   `json:"spec"`
+	Status ResourceAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ram/v1beta1/zz_resourceshare_types.go b/apis/ram/v1beta1/zz_resourceshare_types.go
index 994ce59a18..c4cc255203 100755
--- a/apis/ram/v1beta1/zz_resourceshare_types.go
+++ b/apis/ram/v1beta1/zz_resourceshare_types.go
@@ -15,12 +15,24 @@ import (
 
 type ResourceShareObservation struct {
 
+	// Indicates whether principals outside your organization can be associated with a resource share.
+	AllowExternalPrincipals *bool `json:"allowExternalPrincipals,omitempty" tf:"allow_external_principals,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the resource share.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The Amazon Resource Name (ARN) of the resource share.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the resource share.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies the Amazon Resource Names (ARNs) of the RAM permission to associate with the resource share. If you do not specify an ARN for the permission, RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share.
+	PermissionArns []*string `json:"permissionArns,omitempty" tf:"permission_arns,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +44,8 @@ type ResourceShareParameters struct {
 	AllowExternalPrincipals *bool `json:"allowExternalPrincipals,omitempty" tf:"allow_external_principals,omitempty"`
 
 	// The name of the resource share.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Specifies the Amazon Resource Names (ARNs) of the RAM permission to associate with the resource share. If you do not specify an ARN for the permission, RAM automatically attaches the default version of the permission for each resource type. You can associate only one permission with each resource type included in the resource share.
 	// +kubebuilder:validation:Optional
@@ -73,8 +85,9 @@ type ResourceShareStatus struct {
 type ResourceShare struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceShareSpec   `json:"spec"`
-	Status            ResourceShareStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ResourceShareSpec   `json:"spec"`
+	Status ResourceShareStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_cluster_types.go b/apis/rds/v1beta1/zz_cluster_types.go
index 88ef0bcd43..ccce6cde93 100755
--- a/apis/rds/v1beta1/zz_cluster_types.go
+++ b/apis/rds/v1beta1/zz_cluster_types.go
@@ -15,33 +15,159 @@ import (
 
 type ClusterObservation struct {
 
+	// The amount of storage in gibibytes (GiB) to allocate to each DB instance in the Multi-AZ DB cluster. (This setting is required to create a Multi-AZ DB cluster).
+	AllocatedStorage *float64 `json:"allocatedStorage,omitempty" tf:"allocated_storage,omitempty"`
+
+	// Enable to allow major engine version upgrades when changing engine versions. Defaults to false.
+	AllowMajorVersionUpgrade *bool `json:"allowMajorVersionUpgrade,omitempty" tf:"allow_major_version_upgrade,omitempty"`
+
+	// Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is false. See Amazon RDS Documentation for more information.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// Amazon Resource Name (ARN) of cluster
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of EC2 Availability Zones for the DB cluster storage where DB cluster instances can be created. We recommend specifying 3 AZs or using the  if necessary. A maximum of 3 AZs can be configured.
+	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
+
+	// The target backtrack window, in seconds. Only available for aurora and aurora-mysql engines currently. To disable backtracking, set this value to 0. Defaults to 0. Must be between 0 and 259200 (72 hours)
+	BacktrackWindow *float64 `json:"backtrackWindow,omitempty" tf:"backtrack_window,omitempty"`
+
+	// The days to retain backups for. Default 1
+	BackupRetentionPeriod *float64 `json:"backupRetentionPeriod,omitempty" tf:"backup_retention_period,omitempty"`
+
+	// – List of RDS Instances that are a part of this cluster
+	ClusterMembers []*string `json:"clusterMembers,omitempty" tf:"cluster_members,omitempty"`
+
 	// The RDS Cluster Resource ID
 	ClusterResourceID *string `json:"clusterResourceId,omitempty" tf:"cluster_resource_id,omitempty"`
 
+	// –  Copy all Cluster tags to snapshots. Default is false.
+	CopyTagsToSnapshot *bool `json:"copyTagsToSnapshot,omitempty" tf:"copy_tags_to_snapshot,omitempty"`
+
+	// The compute and memory capacity of each DB instance in the Multi-AZ DB cluster, for example db.m6g.xlarge. Not all DB instance classes are available in all AWS Regions, or for all database engines. For the full list of DB instance classes and availability for your engine, see DB instance class in the Amazon RDS User Guide. (This setting is required to create a Multi-AZ DB cluster).
+	DBClusterInstanceClass *string `json:"dbClusterInstanceClass,omitempty" tf:"db_cluster_instance_class,omitempty"`
+
+	// A cluster parameter group to associate with the cluster.
+	DBClusterParameterGroupName *string `json:"dbClusterParameterGroupName,omitempty" tf:"db_cluster_parameter_group_name,omitempty"`
+
+	// Instance parameter group to associate with all instances of the DB cluster. The db_instance_parameter_group_name parameter is only valid in combination with the allow_major_version_upgrade parameter.
+	DBInstanceParameterGroupName *string `json:"dbInstanceParameterGroupName,omitempty" tf:"db_instance_parameter_group_name,omitempty"`
+
+	// A DB subnet group to associate with this DB instance. NOTE: This must match the db_subnet_group_name specified on every aws_rds_cluster_instance in the cluster.
+	DBSubnetGroupName *string `json:"dbSubnetGroupName,omitempty" tf:"db_subnet_group_name,omitempty"`
+
+	// Name for an automatically created database on cluster creation. There are different naming restrictions per database engine: RDS Naming Constraints
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// Whether cluster should forward writes to an associated global cluster. Applied to secondary clusters to enable them to forward writes to an aws_rds_global_cluster's primary cluster. See the Aurora Userguide documentation for more information.
+	EnableGlobalWriteForwarding *bool `json:"enableGlobalWriteForwarding,omitempty" tf:"enable_global_write_forwarding,omitempty"`
+
+	// Enable HTTP endpoint (data API). Only valid when engine_mode is set to serverless.
+	EnableHTTPEndpoint *bool `json:"enableHttpEndpoint,omitempty" tf:"enable_http_endpoint,omitempty"`
+
+	// Set of log types to export to cloudwatch. If omitted, no logs will be exported. The following log types are supported: audit, error, general, slowquery, postgresql (PostgreSQL).
+	EnabledCloudwatchLogsExports []*string `json:"enabledCloudwatchLogsExports,omitempty" tf:"enabled_cloudwatch_logs_exports,omitempty"`
+
 	// The DNS address of the RDS instance
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The name of the database engine to be used for this DB cluster. Defaults to aurora. Valid Values: aurora, aurora-mysql, aurora-postgresql, mysql, postgres. (Note that mysql and postgres are Multi-AZ RDS clusters).
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// The database engine mode. Valid values: global (only valid for Aurora MySQL 1.21 and earlier), multimaster, parallelquery, provisioned, serverless. Defaults to: provisioned. See the RDS User Guide for limitations when using serverless.
+	EngineMode *string `json:"engineMode,omitempty" tf:"engine_mode,omitempty"`
+
+	// The database engine version. Updating this argument results in an outage. See the Aurora MySQL and Aurora Postgres documentation for your configured engine to determine this value. For example with Aurora MySQL 2, a potential value for this argument is 5.7.mysql_aurora.2.03.2. The value can contain a partial version where supported by the API. The actual engine version used is returned in the attribute engine_version_actual, , see Attributes Reference below.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// The running version of the database.
 	EngineVersionActual *string `json:"engineVersionActual,omitempty" tf:"engine_version_actual,omitempty"`
 
+	// The name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made.
+	FinalSnapshotIdentifier *string `json:"finalSnapshotIdentifier,omitempty" tf:"final_snapshot_identifier,omitempty"`
+
+	// The global cluster identifier specified on aws_rds_global_cluster.
+	GlobalClusterIdentifier *string `json:"globalClusterIdentifier,omitempty" tf:"global_cluster_identifier,omitempty"`
+
 	// The Route53 Hosted Zone ID of the endpoint
 	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
 
+	// Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. Please see AWS Documentation for availability and limitations.
+	IAMDatabaseAuthenticationEnabled *bool `json:"iamDatabaseAuthenticationEnabled,omitempty" tf:"iam_database_authentication_enabled,omitempty"`
+
 	// A List of ARNs for the IAM roles to associate to the RDS Cluster.
 	IAMRoles []*string `json:"iamRoles,omitempty" tf:"iam_roles,omitempty"`
 
 	// The RDS Cluster Identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The amount of Provisioned IOPS (input/output operations per second) to be initially allocated for each DB instance in the Multi-AZ DB cluster. For information about valid Iops values, see Amazon RDS Provisioned IOPS storage to improve performance in the Amazon RDS User Guide. (This setting is required to create a Multi-AZ DB cluster). Must be a multiple between .5 and 50 of the storage amount for the DB cluster.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The ARN for the KMS encryption key. When specifying kms_key_id, storage_encrypted needs to be set to true.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Username for the master DB user. Please refer to the RDS Naming Constraints. This argument does not support in-place updates and cannot be changed during a restore from snapshot.
+	MasterUsername *string `json:"masterUsername,omitempty" tf:"master_username,omitempty"`
+
+	// The network type of the cluster. Valid values: IPV4, DUAL.
+	NetworkType *string `json:"networkType,omitempty" tf:"network_type,omitempty"`
+
+	// The port on which the DB accepts connections
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The daily time range during which automated backups are created if automated backups are enabled using the BackupRetentionPeriod parameter.Time in UTC. Default: A 30-minute window selected at random from an 8-hour block of time per regionE.g., 04:00-09:00
+	PreferredBackupWindow *string `json:"preferredBackupWindow,omitempty" tf:"preferred_backup_window,omitempty"`
+
+	// The weekly time range during which system maintenance can occur, in (UTC) e.g., wed:04:00-wed:04:30
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
 	// A read-only endpoint for the Aurora cluster, automatically
 	// load-balanced across replicas
 	ReaderEndpoint *string `json:"readerEndpoint,omitempty" tf:"reader_endpoint,omitempty"`
 
+	// ARN of a source DB cluster or DB instance if this DB cluster is to be created as a Read Replica.
+	ReplicationSourceIdentifier *string `json:"replicationSourceIdentifier,omitempty" tf:"replication_source_identifier,omitempty"`
+
+	// Nested attribute for point in time restore. More details below.
+	RestoreToPointInTime []ClusterRestoreToPointInTimeObservation `json:"restoreToPointInTime,omitempty" tf:"restore_to_point_in_time,omitempty"`
+
+	// The port on which the DB accepts connections
+	S3Import []ClusterS3ImportObservation `json:"s3Import,omitempty" tf:"s3_import,omitempty"`
+
+	// Nested attribute with scaling properties. Only valid when engine_mode is set to serverless. More details below.
+	ScalingConfiguration []ScalingConfigurationObservation `json:"scalingConfiguration,omitempty" tf:"scaling_configuration,omitempty"`
+
+	// Nested attribute with scaling properties for ServerlessV2. Only valid when engine_mode is set to provisioned. More details below.
+	Serverlessv2ScalingConfiguration []Serverlessv2ScalingConfigurationObservation `json:"serverlessv2ScalingConfiguration,omitempty" tf:"serverlessv2_scaling_configuration,omitempty"`
+
+	// Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier. Default is false.
+	SkipFinalSnapshot *bool `json:"skipFinalSnapshot,omitempty" tf:"skip_final_snapshot,omitempty"`
+
+	// Specifies whether or not to create this cluster from a snapshot. You can use either the name or ARN when specifying a DB cluster snapshot, or the ARN when specifying a DB snapshot.
+	SnapshotIdentifier *string `json:"snapshotIdentifier,omitempty" tf:"snapshot_identifier,omitempty"`
+
+	// The source region for an encrypted replica DB cluster.
+	SourceRegion *string `json:"sourceRegion,omitempty" tf:"source_region,omitempty"`
+
+	// Specifies whether the DB cluster is encrypted. The default is false for provisioned engine_mode and true for serverless engine_mode. When restoring an unencrypted snapshot_identifier, the kms_key_id argument must be provided to encrypt the restored cluster.
+	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
+
+	// Specifies the storage type to be associated with the DB cluster. (This setting is required to create a Multi-AZ DB cluster). Valid values: io1, Default: io1.
+	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// List of VPC security groups to associate with the Cluster
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 }
 
 type ClusterParameters struct {
@@ -254,6 +380,19 @@ type ClusterParameters struct {
 }
 
 type ClusterRestoreToPointInTimeObservation struct {
+
+	// Date and time in UTC format to restore the database cluster to. Conflicts with use_latest_restorable_time.
+	RestoreToTime *string `json:"restoreToTime,omitempty" tf:"restore_to_time,omitempty"`
+
+	// Type of restore to be performed.
+	// Valid options are full-copy (default) and copy-on-write.
+	RestoreType *string `json:"restoreType,omitempty" tf:"restore_type,omitempty"`
+
+	// The identifier of the source database cluster from which to restore.
+	SourceClusterIdentifier *string `json:"sourceClusterIdentifier,omitempty" tf:"source_cluster_identifier,omitempty"`
+
+	// Set to true to restore the database cluster to the latest restorable backup time. Defaults to false. Conflicts with restore_to_time.
+	UseLatestRestorableTime *bool `json:"useLatestRestorableTime,omitempty" tf:"use_latest_restorable_time,omitempty"`
 }
 
 type ClusterRestoreToPointInTimeParameters struct {
@@ -286,6 +425,21 @@ type ClusterRestoreToPointInTimeParameters struct {
 }
 
 type ClusterS3ImportObservation struct {
+
+	// The bucket name where your backup is stored
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Can be blank, but is the path to your backup
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// Role applied to load the data.
+	IngestionRole *string `json:"ingestionRole,omitempty" tf:"ingestion_role,omitempty"`
+
+	// Source engine for the backup
+	SourceEngine *string `json:"sourceEngine,omitempty" tf:"source_engine,omitempty"`
+
+	// Version of the source engine used to make the backup
+	SourceEngineVersion *string `json:"sourceEngineVersion,omitempty" tf:"source_engine_version,omitempty"`
 }
 
 type ClusterS3ImportParameters struct {
@@ -321,6 +475,21 @@ type ClusterS3ImportParameters struct {
 }
 
 type ScalingConfigurationObservation struct {
+
+	// Whether to enable automatic pause. A DB cluster can be paused only when it's idle (it has no connections). If a DB cluster is paused for more than seven days, the DB cluster might be backed up with a snapshot. In this case, the DB cluster is restored when there is a request to connect to it. Defaults to true.
+	AutoPause *bool `json:"autoPause,omitempty" tf:"auto_pause,omitempty"`
+
+	// The maximum capacity for an Aurora DB cluster in serverless DB engine mode. The maximum capacity must be greater than or equal to the minimum capacity. Valid Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64, 128, 256. Valid Aurora PostgreSQL capacity values are (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 16.
+	MaxCapacity *float64 `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
+
+	// The minimum capacity for an Aurora DB cluster in serverless DB engine mode. The minimum capacity must be lesser than or equal to the maximum capacity. Valid Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64, 128, 256. Valid Aurora PostgreSQL capacity values are (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 1.
+	MinCapacity *float64 `json:"minCapacity,omitempty" tf:"min_capacity,omitempty"`
+
+	// The time, in seconds, before an Aurora DB cluster in serverless mode is paused. Valid values are 300 through 86400. Defaults to 300.
+	SecondsUntilAutoPause *float64 `json:"secondsUntilAutoPause,omitempty" tf:"seconds_until_auto_pause,omitempty"`
+
+	// The action to take when the timeout is reached. Valid values: ForceApplyCapacityChange, RollbackCapacityChange. Defaults to RollbackCapacityChange. See documentation.
+	TimeoutAction *string `json:"timeoutAction,omitempty" tf:"timeout_action,omitempty"`
 }
 
 type ScalingConfigurationParameters struct {
@@ -347,6 +516,12 @@ type ScalingConfigurationParameters struct {
 }
 
 type Serverlessv2ScalingConfigurationObservation struct {
+
+	// The maximum capacity for an Aurora DB cluster in serverless DB engine mode. The maximum capacity must be greater than or equal to the minimum capacity. Valid Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64, 128, 256. Valid Aurora PostgreSQL capacity values are (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 16.
+	MaxCapacity *float64 `json:"maxCapacity,omitempty" tf:"max_capacity,omitempty"`
+
+	// The minimum capacity for an Aurora DB cluster in serverless DB engine mode. The minimum capacity must be lesser than or equal to the maximum capacity. Valid Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64, 128, 256. Valid Aurora PostgreSQL capacity values are (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 1.
+	MinCapacity *float64 `json:"minCapacity,omitempty" tf:"min_capacity,omitempty"`
 }
 
 type Serverlessv2ScalingConfigurationParameters struct {
diff --git a/apis/rds/v1beta1/zz_clusteractivitystream_types.go b/apis/rds/v1beta1/zz_clusteractivitystream_types.go
index 13b3014e18..a4740a1376 100755
--- a/apis/rds/v1beta1/zz_clusteractivitystream_types.go
+++ b/apis/rds/v1beta1/zz_clusteractivitystream_types.go
@@ -15,11 +15,23 @@ import (
 
 type ClusterActivityStreamObservation struct {
 
+	// Specifies whether the database activity stream includes engine-native audit fields. This option only applies to an Oracle DB instance. By default, no engine-native audit fields are included. Defaults false.
+	EngineNativeAuditFieldsIncluded *bool `json:"engineNativeAuditFieldsIncluded,omitempty" tf:"engine_native_audit_fields_included,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the DB cluster.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The AWS KMS key identifier for encrypting messages in the database activity stream. The AWS KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// The name of the Amazon Kinesis data stream to be used for the database activity stream.
 	KinesisStreamName *string `json:"kinesisStreamName,omitempty" tf:"kinesis_stream_name,omitempty"`
+
+	// Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the DB cluster.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type ClusterActivityStreamParameters struct {
@@ -42,8 +54,8 @@ type ClusterActivityStreamParameters struct {
 	KMSKeyIDSelector *v1.Selector `json:"kmsKeyIdSelector,omitempty" tf:"-"`
 
 	// Specifies the mode of the database activity stream. Database events such as a change or access generate an activity stream event. The database session can handle these events either synchronously or asynchronously. One of: sync, async.
-	// +kubebuilder:validation:Required
-	Mode *string `json:"mode" tf:"mode,omitempty"`
+	// +kubebuilder:validation:Optional
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -89,8 +101,9 @@ type ClusterActivityStreamStatus struct {
 type ClusterActivityStream struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterActivityStreamSpec   `json:"spec"`
-	Status            ClusterActivityStreamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mode)",message="mode is a required parameter"
+	Spec   ClusterActivityStreamSpec   `json:"spec"`
+	Status ClusterActivityStreamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_clusterendpoint_types.go b/apis/rds/v1beta1/zz_clusterendpoint_types.go
index 382f4927c2..9665e929d1 100755
--- a/apis/rds/v1beta1/zz_clusterendpoint_types.go
+++ b/apis/rds/v1beta1/zz_clusterendpoint_types.go
@@ -18,12 +18,27 @@ type ClusterEndpointObservation struct {
 	// Amazon Resource Name (ARN) of cluster
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The cluster identifier.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
+	// The type of the endpoint. One of: READER , ANY .
+	CustomEndpointType *string `json:"customEndpointType,omitempty" tf:"custom_endpoint_type,omitempty"`
+
 	// A custom endpoint for the Aurora cluster
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// List of DB instance identifiers that aren't part of the custom endpoint group. All other eligible instances are reachable through the custom endpoint. Only relevant if the list of static members is empty. Conflicts with static_members.
+	ExcludedMembers []*string `json:"excludedMembers,omitempty" tf:"excluded_members,omitempty"`
+
 	// The RDS Cluster Endpoint Identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// List of DB instance identifiers that are part of the custom endpoint group. Conflicts with excluded_members.
+	StaticMembers []*string `json:"staticMembers,omitempty" tf:"static_members,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -45,8 +60,8 @@ type ClusterEndpointParameters struct {
 	ClusterIdentifierSelector *v1.Selector `json:"clusterIdentifierSelector,omitempty" tf:"-"`
 
 	// The type of the endpoint. One of: READER , ANY .
-	// +kubebuilder:validation:Required
-	CustomEndpointType *string `json:"customEndpointType" tf:"custom_endpoint_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	CustomEndpointType *string `json:"customEndpointType,omitempty" tf:"custom_endpoint_type,omitempty"`
 
 	// List of DB instance identifiers that aren't part of the custom endpoint group. All other eligible instances are reachable through the custom endpoint. Only relevant if the list of static members is empty. Conflicts with static_members.
 	// +kubebuilder:validation:Optional
@@ -90,8 +105,9 @@ type ClusterEndpointStatus struct {
 type ClusterEndpoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterEndpointSpec   `json:"spec"`
-	Status            ClusterEndpointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.customEndpointType)",message="customEndpointType is a required parameter"
+	Spec   ClusterEndpointSpec   `json:"spec"`
+	Status ClusterEndpointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_clusterinstance_types.go b/apis/rds/v1beta1/zz_clusterinstance_types.go
index e1f347891f..1f218cbec3 100755
--- a/apis/rds/v1beta1/zz_clusterinstance_types.go
+++ b/apis/rds/v1beta1/zz_clusterinstance_types.go
@@ -15,33 +15,106 @@ import (
 
 type ClusterInstanceObservation struct {
 
+	// Specifies whether any database modifications
+	// are applied immediately, or during the next maintenance window. Default isfalse.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// Amazon Resource Name (ARN) of cluster instance
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Indicates that minor engine upgrades will be applied automatically to the DB instance during the maintenance window. Default true.
+	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// The EC2 Availability Zone that the DB instance is created in. See docs about the details.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The identifier of the CA certificate for the DB instance.
+	CACertIdentifier *string `json:"caCertIdentifier,omitempty" tf:"ca_cert_identifier,omitempty"`
+
+	// The identifier of the aws_rds_cluster in which to launch this instance.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
+	// defined tags from the DB instance to snapshots of the DB instance. Default false.
+	CopyTagsToSnapshot *bool `json:"copyTagsToSnapshot,omitempty" tf:"copy_tags_to_snapshot,omitempty"`
+
+	// The name of the DB parameter group to associate with this instance.
+	DBParameterGroupName *string `json:"dbParameterGroupName,omitempty" tf:"db_parameter_group_name,omitempty"`
+
+	// A DB subnet group to associate with this DB instance. NOTE: This must match the db_subnet_group_name of the attached aws_rds_cluster.
+	DBSubnetGroupName *string `json:"dbSubnetGroupName,omitempty" tf:"db_subnet_group_name,omitempty"`
+
 	// The region-unique, immutable identifier for the DB instance.
 	DbiResourceID *string `json:"dbiResourceId,omitempty" tf:"dbi_resource_id,omitempty"`
 
 	// The DNS address for this instance. May not be writable
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The name of the database engine to be used for the RDS instance. Defaults to aurora. Valid Values: aurora, aurora-mysql, aurora-postgresql.
+	// For information on the difference between the available Aurora MySQL engines
+	// see Comparison between Aurora MySQL 1 and Aurora MySQL 2
+	// in the Amazon RDS User Guide.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// The database engine version.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// The database engine version
 	EngineVersionActual *string `json:"engineVersionActual,omitempty" tf:"engine_version_actual,omitempty"`
 
 	// The Instance identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The instance class to use. For details on CPU
+	// and memory, see Scaling Aurora DB Instances. Aurora uses db.* instance classes/types. Please see AWS Documentation for currently available instance classes and complete details.
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
+
 	// The ARN for the KMS encryption key if one is set to the cluster.
 	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 
+	// The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60.
+	MonitoringInterval *float64 `json:"monitoringInterval,omitempty" tf:"monitoring_interval,omitempty"`
+
+	// The ARN for the IAM role that permits RDS to send
+	// enhanced monitoring metrics to CloudWatch Logs. You can find more information on the AWS Documentation
+	// what IAM permissions are needed to allow Enhanced Monitoring for RDS Instances.
+	MonitoringRoleArn *string `json:"monitoringRoleArn,omitempty" tf:"monitoring_role_arn,omitempty"`
+
 	// The network type of the DB instance.
 	NetworkType *string `json:"networkType,omitempty" tf:"network_type,omitempty"`
 
+	// Specifies whether Performance Insights is enabled or not.
+	PerformanceInsightsEnabled *bool `json:"performanceInsightsEnabled,omitempty" tf:"performance_insights_enabled,omitempty"`
+
+	// ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, performance_insights_enabled needs to be set to true.
+	PerformanceInsightsKMSKeyID *string `json:"performanceInsightsKmsKeyId,omitempty" tf:"performance_insights_kms_key_id,omitempty"`
+
+	// Amount of time in days to retain Performance Insights data. Valid values are 7, 731 (2 years) or a multiple of 31. When specifying performance_insights_retention_period, performance_insights_enabled needs to be set to true. Defaults to '7'.
+	PerformanceInsightsRetentionPeriod *float64 `json:"performanceInsightsRetentionPeriod,omitempty" tf:"performance_insights_retention_period,omitempty"`
+
 	// The database port
 	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 
+	// The daily time range during which automated backups are created if automated backups are enabled. Eg: "04:00-09:00". NOTE: If preferred_backup_window is set at the cluster level, this argument must be omitted.
+	PreferredBackupWindow *string `json:"preferredBackupWindow,omitempty" tf:"preferred_backup_window,omitempty"`
+
+	// The window to perform maintenance in.
+	// Syntax: "ddd:hh24:mi-ddd:hh24:mi". Eg: "Mon:00:00-Mon:03:00".
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
+	// Default 0. Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to writer.
+	PromotionTier *float64 `json:"promotionTier,omitempty" tf:"promotion_tier,omitempty"`
+
+	// Bool to control if instance is publicly accessible.
+	// Default false. See the documentation on Creating DB Instances for more
+	// details on controlling this property.
+	PubliclyAccessible *bool `json:"publiclyAccessible,omitempty" tf:"publicly_accessible,omitempty"`
+
 	// Specifies whether the DB cluster is encrypted.
 	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -116,8 +189,8 @@ type ClusterInstanceParameters struct {
 
 	// The instance class to use. For details on CPU
 	// and memory, see Scaling Aurora DB Instances. Aurora uses db.* instance classes/types. Please see AWS Documentation for currently available instance classes and complete details.
-	// +kubebuilder:validation:Required
-	InstanceClass *string `json:"instanceClass" tf:"instance_class,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
 
 	// The interval, in seconds, between points when Enhanced Monitoring metrics are collected for the DB instance. To disable collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60.
 	// +kubebuilder:validation:Optional
@@ -213,8 +286,9 @@ type ClusterInstanceStatus struct {
 type ClusterInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterInstanceSpec   `json:"spec"`
-	Status            ClusterInstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)",message="instanceClass is a required parameter"
+	Spec   ClusterInstanceSpec   `json:"spec"`
+	Status ClusterInstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_clusterparametergroup_types.go b/apis/rds/v1beta1/zz_clusterparametergroup_types.go
index 8aac025077..f8fdd09d4f 100755
--- a/apis/rds/v1beta1/zz_clusterparametergroup_types.go
+++ b/apis/rds/v1beta1/zz_clusterparametergroup_types.go
@@ -18,14 +18,37 @@ type ClusterParameterGroupObservation struct {
 	// The ARN of the db cluster parameter group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the DB cluster parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The family of the DB cluster parameter group.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// The db cluster parameter group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of DB parameters to apply. Note that parameters may differ from a family to an other. Full list of all parameters can be discovered via aws rds describe-db-cluster-parameters after initial creation of the group.
+	Parameter []ClusterParameterGroupParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
 type ClusterParameterGroupParameterObservation struct {
+
+	// "immediate" (default), or "pending-reboot". Some
+	// engines can't apply some parameters without a reboot, and you will need to
+	// specify "pending-reboot" here.
+	ApplyMethod *string `json:"applyMethod,omitempty" tf:"apply_method,omitempty"`
+
+	// The name of the DB cluster parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the DB parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ClusterParameterGroupParameterParameters struct {
@@ -52,8 +75,8 @@ type ClusterParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The family of the DB cluster parameter group.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// A list of DB parameters to apply. Note that parameters may differ from a family to an other. Full list of all parameters can be discovered via aws rds describe-db-cluster-parameters after initial creation of the group.
 	// +kubebuilder:validation:Optional
@@ -93,8 +116,9 @@ type ClusterParameterGroupStatus struct {
 type ClusterParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterParameterGroupSpec   `json:"spec"`
-	Status            ClusterParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	Spec   ClusterParameterGroupSpec   `json:"spec"`
+	Status ClusterParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_clusterroleassociation_types.go b/apis/rds/v1beta1/zz_clusterroleassociation_types.go
index 68ffff91d5..c471c7c9e1 100755
--- a/apis/rds/v1beta1/zz_clusterroleassociation_types.go
+++ b/apis/rds/v1beta1/zz_clusterroleassociation_types.go
@@ -15,8 +15,17 @@ import (
 
 type ClusterRoleAssociationObservation struct {
 
+	// DB Cluster Identifier to associate with the IAM Role.
+	DBClusterIdentifier *string `json:"dbClusterIdentifier,omitempty" tf:"db_cluster_identifier,omitempty"`
+
+	// Name of the feature for association. This can be found in the AWS documentation relevant to the integration or a full list is available in the SupportedFeatureNames list returned by AWS CLI rds describe-db-engine-versions.
+	FeatureName *string `json:"featureName,omitempty" tf:"feature_name,omitempty"`
+
 	// DB Cluster Identifier and IAM Role ARN separated by a comma (,)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amazon Resource Name (ARN) of the IAM Role to associate with the DB Cluster.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type ClusterRoleAssociationParameters struct {
@@ -36,8 +45,8 @@ type ClusterRoleAssociationParameters struct {
 	DBClusterIdentifierSelector *v1.Selector `json:"dbClusterIdentifierSelector,omitempty" tf:"-"`
 
 	// Name of the feature for association. This can be found in the AWS documentation relevant to the integration or a full list is available in the SupportedFeatureNames list returned by AWS CLI rds describe-db-engine-versions.
-	// +kubebuilder:validation:Required
-	FeatureName *string `json:"featureName" tf:"feature_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	FeatureName *string `json:"featureName,omitempty" tf:"feature_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,8 +92,9 @@ type ClusterRoleAssociationStatus struct {
 type ClusterRoleAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterRoleAssociationSpec   `json:"spec"`
-	Status            ClusterRoleAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureName)",message="featureName is a required parameter"
+	Spec   ClusterRoleAssociationSpec   `json:"spec"`
+	Status ClusterRoleAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_clustersnapshot_types.go b/apis/rds/v1beta1/zz_clustersnapshot_types.go
index dd0e220e44..e4238b4cc5 100755
--- a/apis/rds/v1beta1/zz_clustersnapshot_types.go
+++ b/apis/rds/v1beta1/zz_clustersnapshot_types.go
@@ -21,9 +21,15 @@ type ClusterSnapshotObservation struct {
 	// List of EC2 Availability Zones that instances in the DB cluster snapshot can be restored in.
 	AvailabilityZones []*string `json:"availabilityZones,omitempty" tf:"availability_zones,omitempty"`
 
+	// The DB Cluster Identifier from which to take the snapshot.
+	DBClusterIdentifier *string `json:"dbClusterIdentifier,omitempty" tf:"db_cluster_identifier,omitempty"`
+
 	// The Amazon Resource Name (ARN) for the DB Cluster Snapshot.
 	DBClusterSnapshotArn *string `json:"dbClusterSnapshotArn,omitempty" tf:"db_cluster_snapshot_arn,omitempty"`
 
+	// The Identifier for the snapshot.
+	DBClusterSnapshotIdentifier *string `json:"dbClusterSnapshotIdentifier,omitempty" tf:"db_cluster_snapshot_identifier,omitempty"`
+
 	// Name of the database engine.
 	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
 
@@ -52,6 +58,9 @@ type ClusterSnapshotObservation struct {
 	// Whether the DB cluster snapshot is encrypted.
 	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -76,8 +85,8 @@ type ClusterSnapshotParameters struct {
 	DBClusterIdentifierSelector *v1.Selector `json:"dbClusterIdentifierSelector,omitempty" tf:"-"`
 
 	// The Identifier for the snapshot.
-	// +kubebuilder:validation:Required
-	DBClusterSnapshotIdentifier *string `json:"dbClusterSnapshotIdentifier" tf:"db_cluster_snapshot_identifier,omitempty"`
+	// +kubebuilder:validation:Optional
+	DBClusterSnapshotIdentifier *string `json:"dbClusterSnapshotIdentifier,omitempty" tf:"db_cluster_snapshot_identifier,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -113,8 +122,9 @@ type ClusterSnapshotStatus struct {
 type ClusterSnapshot struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterSnapshotSpec   `json:"spec"`
-	Status            ClusterSnapshotStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbClusterSnapshotIdentifier)",message="dbClusterSnapshotIdentifier is a required parameter"
+	Spec   ClusterSnapshotSpec   `json:"spec"`
+	Status ClusterSnapshotStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_dbinstanceautomatedbackupsreplication_types.go b/apis/rds/v1beta1/zz_dbinstanceautomatedbackupsreplication_types.go
index 5b4ec30ac8..d519661fb0 100755
--- a/apis/rds/v1beta1/zz_dbinstanceautomatedbackupsreplication_types.go
+++ b/apis/rds/v1beta1/zz_dbinstanceautomatedbackupsreplication_types.go
@@ -17,6 +17,18 @@ type DBInstanceAutomatedBackupsReplicationObservation struct {
 
 	// The Amazon Resource Name (ARN) of the replicated automated backups.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The AWS KMS key identifier for encryption of the replicated automated backups. The KMS key ID is the Amazon Resource Name (ARN) for the KMS encryption key in the destination AWS Region, for example, arn:aws:kms:us-east-1:123456789012:key/AKIAIOSFODNN7EXAMPLE.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// A URL that contains a Signature Version 4 signed request for the StartDBInstanceAutomatedBackupsReplication action to be called in the AWS Region of the source DB instance.
+	PreSignedURL *string `json:"preSignedUrl,omitempty" tf:"pre_signed_url,omitempty"`
+
+	// The retention period for the replicated automated backups, defaults to 7.
+	RetentionPeriod *float64 `json:"retentionPeriod,omitempty" tf:"retention_period,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the source DB instance for the replicated automated backups, for example, arn:aws:rds:us-west-2:123456789012:db:mydatabase.
+	SourceDBInstanceArn *string `json:"sourceDbInstanceArn,omitempty" tf:"source_db_instance_arn,omitempty"`
 }
 
 type DBInstanceAutomatedBackupsReplicationParameters struct {
diff --git a/apis/rds/v1beta1/zz_dbsnapshotcopy_types.go b/apis/rds/v1beta1/zz_dbsnapshotcopy_types.go
index 60733f462a..58475081ee 100755
--- a/apis/rds/v1beta1/zz_dbsnapshotcopy_types.go
+++ b/apis/rds/v1beta1/zz_dbsnapshotcopy_types.go
@@ -21,9 +21,15 @@ type DBSnapshotCopyObservation struct {
 	// Specifies the name of the Availability Zone the DB instance was located in at the time of the DB snapshot.
 	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
+	// Whether to copy existing tags. Defaults to false.
+	CopyTags *bool `json:"copyTags,omitempty" tf:"copy_tags,omitempty"`
+
 	// The Amazon Resource Name (ARN) for the DB snapshot.
 	DBSnapshotArn *string `json:"dbSnapshotArn,omitempty" tf:"db_snapshot_arn,omitempty"`
 
+	// The Destination region to place snapshot copy.
+	DestinationRegion *string `json:"destinationRegion,omitempty" tf:"destination_region,omitempty"`
+
 	// Specifies whether the DB snapshot is encrypted.
 	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
 
@@ -39,22 +45,43 @@ type DBSnapshotCopyObservation struct {
 	// Specifies the Provisioned IOPS (I/O operations per second) value of the DB instance at the time of the snapshot.
 	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
 
+	// KMS key ID.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// License model information for the restored DB instance.
 	LicenseModel *string `json:"licenseModel,omitempty" tf:"license_model,omitempty"`
 
+	// The name of an option group to associate with the copy of the snapshot.
+	OptionGroupName *string `json:"optionGroupName,omitempty" tf:"option_group_name,omitempty"`
+
 	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 
+	// he URL that contains a Signature Version 4 signed request.
+	PresignedURL *string `json:"presignedUrl,omitempty" tf:"presigned_url,omitempty"`
+
 	SnapshotType *string `json:"snapshotType,omitempty" tf:"snapshot_type,omitempty"`
 
+	// Snapshot identifier of the source snapshot.
+	SourceDBSnapshotIdentifier *string `json:"sourceDbSnapshotIdentifier,omitempty" tf:"source_db_snapshot_identifier,omitempty"`
+
 	// The region that the DB snapshot was created in or copied from.
 	SourceRegion *string `json:"sourceRegion,omitempty" tf:"source_region,omitempty"`
 
 	// Specifies the storage type associated with DB snapshot.
 	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// The external custom Availability Zone.
+	TargetCustomAvailabilityZone *string `json:"targetCustomAvailabilityZone,omitempty" tf:"target_custom_availability_zone,omitempty"`
+
+	// The Identifier for the snapshot.
+	TargetDBSnapshotIdentifier *string `json:"targetDbSnapshotIdentifier,omitempty" tf:"target_db_snapshot_identifier,omitempty"`
+
 	// Provides the VPC ID associated with the DB snapshot.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
@@ -118,8 +145,8 @@ type DBSnapshotCopyParameters struct {
 	TargetCustomAvailabilityZone *string `json:"targetCustomAvailabilityZone,omitempty" tf:"target_custom_availability_zone,omitempty"`
 
 	// The Identifier for the snapshot.
-	// +kubebuilder:validation:Required
-	TargetDBSnapshotIdentifier *string `json:"targetDbSnapshotIdentifier" tf:"target_db_snapshot_identifier,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetDBSnapshotIdentifier *string `json:"targetDbSnapshotIdentifier,omitempty" tf:"target_db_snapshot_identifier,omitempty"`
 }
 
 // DBSnapshotCopySpec defines the desired state of DBSnapshotCopy
@@ -146,8 +173,9 @@ type DBSnapshotCopyStatus struct {
 type DBSnapshotCopy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DBSnapshotCopySpec   `json:"spec"`
-	Status            DBSnapshotCopyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetDbSnapshotIdentifier)",message="targetDbSnapshotIdentifier is a required parameter"
+	Spec   DBSnapshotCopySpec   `json:"spec"`
+	Status DBSnapshotCopyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_eventsubscription_types.go b/apis/rds/v1beta1/zz_eventsubscription_types.go
index cb0b9b146a..a99701dabe 100755
--- a/apis/rds/v1beta1/zz_eventsubscription_types.go
+++ b/apis/rds/v1beta1/zz_eventsubscription_types.go
@@ -21,9 +21,27 @@ type EventSubscriptionObservation struct {
 	// The AWS customer account associated with the RDS event notification subscription
 	CustomerAwsID *string `json:"customerAwsId,omitempty" tf:"customer_aws_id,omitempty"`
 
+	// A boolean flag to enable/disable the subscription. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// A list of event categories for a SourceType that you want to subscribe to. See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html or run aws rds describe-event-categories.
+	EventCategories []*string `json:"eventCategories,omitempty" tf:"event_categories,omitempty"`
+
 	// The name of the RDS event notification subscription
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The SNS topic to send events to.
+	SnsTopic *string `json:"snsTopic,omitempty" tf:"sns_topic,omitempty"`
+
+	// A list of identifiers of the event sources for which events will be returned. If not specified, then all sources are included in the response. If specified, a source_type must also be specified.
+	SourceIds []*string `json:"sourceIds,omitempty" tf:"source_ids,omitempty"`
+
+	// The type of source that will be generating the events. Valid options are db-instance, db-security-group, db-parameter-group, db-snapshot, db-cluster or db-cluster-snapshot. If not set, all sources will be subscribed to.
+	SourceType *string `json:"sourceType,omitempty" tf:"source_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/rds/v1beta1/zz_generated.deepcopy.go b/apis/rds/v1beta1/zz_generated.deepcopy.go
index de0318d098..7f30f1230f 100644
--- a/apis/rds/v1beta1/zz_generated.deepcopy.go
+++ b/apis/rds/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,36 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthObservation) DeepCopyInto(out *AuthObservation) {
 	*out = *in
+	if in.AuthScheme != nil {
+		in, out := &in.AuthScheme, &out.AuthScheme
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientPasswordAuthType != nil {
+		in, out := &in.ClientPasswordAuthType, &out.ClientPasswordAuthType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMAuth != nil {
+		in, out := &in.IAMAuth, &out.IAMAuth
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecretArn != nil {
+		in, out := &in.SecretArn, &out.SecretArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AuthObservation.
@@ -87,6 +117,11 @@ func (in *AuthParameters) DeepCopy() *AuthParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BlueGreenUpdateObservation) DeepCopyInto(out *BlueGreenUpdateObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BlueGreenUpdateObservation.
@@ -208,16 +243,36 @@ func (in *ClusterActivityStreamList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterActivityStreamObservation) DeepCopyInto(out *ClusterActivityStreamObservation) {
 	*out = *in
+	if in.EngineNativeAuditFieldsIncluded != nil {
+		in, out := &in.EngineNativeAuditFieldsIncluded, &out.EngineNativeAuditFieldsIncluded
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.KinesisStreamName != nil {
 		in, out := &in.KinesisStreamName, &out.KinesisStreamName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterActivityStreamObservation.
@@ -391,16 +446,63 @@ func (in *ClusterEndpointObservation) DeepCopyInto(out *ClusterEndpointObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomEndpointType != nil {
+		in, out := &in.CustomEndpointType, &out.CustomEndpointType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.ExcludedMembers != nil {
+		in, out := &in.ExcludedMembers, &out.ExcludedMembers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StaticMembers != nil {
+		in, out := &in.StaticMembers, &out.StaticMembers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -601,11 +703,51 @@ func (in *ClusterInstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservation) {
 	*out = *in
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.CACertIdentifier != nil {
+		in, out := &in.CACertIdentifier, &out.CACertIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyTagsToSnapshot != nil {
+		in, out := &in.CopyTagsToSnapshot, &out.CopyTagsToSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DBParameterGroupName != nil {
+		in, out := &in.DBParameterGroupName, &out.DBParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBSubnetGroupName != nil {
+		in, out := &in.DBSubnetGroupName, &out.DBSubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.DbiResourceID != nil {
 		in, out := &in.DbiResourceID, &out.DbiResourceID
 		*out = new(string)
@@ -616,6 +758,16 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.EngineVersionActual != nil {
 		in, out := &in.EngineVersionActual, &out.EngineVersionActual
 		*out = new(string)
@@ -626,26 +778,91 @@ func (in *ClusterInstanceObservation) DeepCopyInto(out *ClusterInstanceObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceClass != nil {
+		in, out := &in.InstanceClass, &out.InstanceClass
+		*out = new(string)
+		**out = **in
+	}
 	if in.KMSKeyID != nil {
 		in, out := &in.KMSKeyID, &out.KMSKeyID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MonitoringInterval != nil {
+		in, out := &in.MonitoringInterval, &out.MonitoringInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MonitoringRoleArn != nil {
+		in, out := &in.MonitoringRoleArn, &out.MonitoringRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.NetworkType != nil {
 		in, out := &in.NetworkType, &out.NetworkType
 		*out = new(string)
 		**out = **in
 	}
+	if in.PerformanceInsightsEnabled != nil {
+		in, out := &in.PerformanceInsightsEnabled, &out.PerformanceInsightsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PerformanceInsightsKMSKeyID != nil {
+		in, out := &in.PerformanceInsightsKMSKeyID, &out.PerformanceInsightsKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PerformanceInsightsRetentionPeriod != nil {
+		in, out := &in.PerformanceInsightsRetentionPeriod, &out.PerformanceInsightsRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Port != nil {
 		in, out := &in.Port, &out.Port
 		*out = new(float64)
 		**out = **in
 	}
+	if in.PreferredBackupWindow != nil {
+		in, out := &in.PreferredBackupWindow, &out.PreferredBackupWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PromotionTier != nil {
+		in, out := &in.PromotionTier, &out.PromotionTier
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PubliclyAccessible != nil {
+		in, out := &in.PubliclyAccessible, &out.PubliclyAccessible
+		*out = new(bool)
+		**out = **in
+	}
 	if in.StorageEncrypted != nil {
 		in, out := &in.StorageEncrypted, &out.StorageEncrypted
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -922,33 +1139,28 @@ func (in *ClusterList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
-		*out = new(string)
-		**out = **in
-	}
-	if in.ClusterResourceID != nil {
-		in, out := &in.ClusterResourceID, &out.ClusterResourceID
-		*out = new(string)
+	if in.AllocatedStorage != nil {
+		in, out := &in.AllocatedStorage, &out.AllocatedStorage
+		*out = new(float64)
 		**out = **in
 	}
-	if in.Endpoint != nil {
-		in, out := &in.Endpoint, &out.Endpoint
-		*out = new(string)
+	if in.AllowMajorVersionUpgrade != nil {
+		in, out := &in.AllowMajorVersionUpgrade, &out.AllowMajorVersionUpgrade
+		*out = new(bool)
 		**out = **in
 	}
-	if in.EngineVersionActual != nil {
-		in, out := &in.EngineVersionActual, &out.EngineVersionActual
-		*out = new(string)
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
 		**out = **in
 	}
-	if in.HostedZoneID != nil {
-		in, out := &in.HostedZoneID, &out.HostedZoneID
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
-	if in.IAMRoles != nil {
-		in, out := &in.IAMRoles, &out.IAMRoles
+	if in.AvailabilityZones != nil {
+		in, out := &in.AvailabilityZones, &out.AvailabilityZones
 		*out = make([]*string, len(*in))
 		for i := range *in {
 			if (*in)[i] != nil {
@@ -958,16 +1170,262 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			}
 		}
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
+	if in.BacktrackWindow != nil {
+		in, out := &in.BacktrackWindow, &out.BacktrackWindow
+		*out = new(float64)
 		**out = **in
 	}
-	if in.ReaderEndpoint != nil {
-		in, out := &in.ReaderEndpoint, &out.ReaderEndpoint
+	if in.BackupRetentionPeriod != nil {
+		in, out := &in.BackupRetentionPeriod, &out.BackupRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ClusterMembers != nil {
+		in, out := &in.ClusterMembers, &out.ClusterMembers
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ClusterResourceID != nil {
+		in, out := &in.ClusterResourceID, &out.ClusterResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyTagsToSnapshot != nil {
+		in, out := &in.CopyTagsToSnapshot, &out.CopyTagsToSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DBClusterInstanceClass != nil {
+		in, out := &in.DBClusterInstanceClass, &out.DBClusterInstanceClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBClusterParameterGroupName != nil {
+		in, out := &in.DBClusterParameterGroupName, &out.DBClusterParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBInstanceParameterGroupName != nil {
+		in, out := &in.DBInstanceParameterGroupName, &out.DBInstanceParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBSubnetGroupName != nil {
+		in, out := &in.DBSubnetGroupName, &out.DBSubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableGlobalWriteForwarding != nil {
+		in, out := &in.EnableGlobalWriteForwarding, &out.EnableGlobalWriteForwarding
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableHTTPEndpoint != nil {
+		in, out := &in.EnableHTTPEndpoint, &out.EnableHTTPEndpoint
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnabledCloudwatchLogsExports != nil {
+		in, out := &in.EnabledCloudwatchLogsExports, &out.EnabledCloudwatchLogsExports
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineMode != nil {
+		in, out := &in.EngineMode, &out.EngineMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersionActual != nil {
+		in, out := &in.EngineVersionActual, &out.EngineVersionActual
+		*out = new(string)
+		**out = **in
+	}
+	if in.FinalSnapshotIdentifier != nil {
+		in, out := &in.FinalSnapshotIdentifier, &out.FinalSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalClusterIdentifier != nil {
+		in, out := &in.GlobalClusterIdentifier, &out.GlobalClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostedZoneID != nil {
+		in, out := &in.HostedZoneID, &out.HostedZoneID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMDatabaseAuthenticationEnabled != nil {
+		in, out := &in.IAMDatabaseAuthenticationEnabled, &out.IAMDatabaseAuthenticationEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IAMRoles != nil {
+		in, out := &in.IAMRoles, &out.IAMRoles
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MasterUsername != nil {
+		in, out := &in.MasterUsername, &out.MasterUsername
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkType != nil {
+		in, out := &in.NetworkType, &out.NetworkType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PreferredBackupWindow != nil {
+		in, out := &in.PreferredBackupWindow, &out.PreferredBackupWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReaderEndpoint != nil {
+		in, out := &in.ReaderEndpoint, &out.ReaderEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplicationSourceIdentifier != nil {
+		in, out := &in.ReplicationSourceIdentifier, &out.ReplicationSourceIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestoreToPointInTime != nil {
+		in, out := &in.RestoreToPointInTime, &out.RestoreToPointInTime
+		*out = make([]ClusterRestoreToPointInTimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Import != nil {
+		in, out := &in.S3Import, &out.S3Import
+		*out = make([]ClusterS3ImportObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScalingConfiguration != nil {
+		in, out := &in.ScalingConfiguration, &out.ScalingConfiguration
+		*out = make([]ScalingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Serverlessv2ScalingConfiguration != nil {
+		in, out := &in.Serverlessv2ScalingConfiguration, &out.Serverlessv2ScalingConfiguration
+		*out = make([]Serverlessv2ScalingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SkipFinalSnapshot != nil {
+		in, out := &in.SkipFinalSnapshot, &out.SkipFinalSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SnapshotIdentifier != nil {
+		in, out := &in.SnapshotIdentifier, &out.SnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceRegion != nil {
+		in, out := &in.SourceRegion, &out.SourceRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageEncrypted != nil {
+		in, out := &in.StorageEncrypted, &out.StorageEncrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StorageType != nil {
+		in, out := &in.StorageType, &out.StorageType
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -983,6 +1441,17 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterObservation.
@@ -1062,11 +1531,43 @@ func (in *ClusterParameterGroupObservation) DeepCopyInto(out *ClusterParameterGr
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ClusterParameterGroupParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1097,6 +1598,21 @@ func (in *ClusterParameterGroupObservation) DeepCopy() *ClusterParameterGroupObs
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterParameterGroupParameterObservation) DeepCopyInto(out *ClusterParameterGroupParameterObservation) {
 	*out = *in
+	if in.ApplyMethod != nil {
+		in, out := &in.ApplyMethod, &out.ApplyMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterParameterGroupParameterObservation.
@@ -1537,6 +2053,26 @@ func (in *ClusterParameters) DeepCopy() *ClusterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterRestoreToPointInTimeObservation) DeepCopyInto(out *ClusterRestoreToPointInTimeObservation) {
 	*out = *in
+	if in.RestoreToTime != nil {
+		in, out := &in.RestoreToTime, &out.RestoreToTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.RestoreType != nil {
+		in, out := &in.RestoreType, &out.RestoreType
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceClusterIdentifier != nil {
+		in, out := &in.SourceClusterIdentifier, &out.SourceClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseLatestRestorableTime != nil {
+		in, out := &in.UseLatestRestorableTime, &out.UseLatestRestorableTime
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRestoreToPointInTimeObservation.
@@ -1656,11 +2192,26 @@ func (in *ClusterRoleAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterRoleAssociationObservation) DeepCopyInto(out *ClusterRoleAssociationObservation) {
 	*out = *in
+	if in.DBClusterIdentifier != nil {
+		in, out := &in.DBClusterIdentifier, &out.DBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.FeatureName != nil {
+		in, out := &in.FeatureName, &out.FeatureName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterRoleAssociationObservation.
@@ -1765,6 +2316,31 @@ func (in *ClusterRoleAssociationStatus) DeepCopy() *ClusterRoleAssociationStatus
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterS3ImportObservation) DeepCopyInto(out *ClusterS3ImportObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.IngestionRole != nil {
+		in, out := &in.IngestionRole, &out.IngestionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceEngine != nil {
+		in, out := &in.SourceEngine, &out.SourceEngine
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceEngineVersion != nil {
+		in, out := &in.SourceEngineVersion, &out.SourceEngineVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterS3ImportObservation.
@@ -1905,11 +2481,21 @@ func (in *ClusterSnapshotObservation) DeepCopyInto(out *ClusterSnapshotObservati
 			}
 		}
 	}
+	if in.DBClusterIdentifier != nil {
+		in, out := &in.DBClusterIdentifier, &out.DBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.DBClusterSnapshotArn != nil {
 		in, out := &in.DBClusterSnapshotArn, &out.DBClusterSnapshotArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.DBClusterSnapshotIdentifier != nil {
+		in, out := &in.DBClusterSnapshotIdentifier, &out.DBClusterSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.Engine != nil {
 		in, out := &in.Engine, &out.Engine
 		*out = new(string)
@@ -1960,6 +2546,21 @@ func (in *ClusterSnapshotObservation) DeepCopyInto(out *ClusterSnapshotObservati
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2118,6 +2719,37 @@ func (in *ClusterStatus) DeepCopy() *ClusterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConnectionPoolConfigObservation) DeepCopyInto(out *ConnectionPoolConfigObservation) {
 	*out = *in
+	if in.ConnectionBorrowTimeout != nil {
+		in, out := &in.ConnectionBorrowTimeout, &out.ConnectionBorrowTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InitQuery != nil {
+		in, out := &in.InitQuery, &out.InitQuery
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxConnectionsPercent != nil {
+		in, out := &in.MaxConnectionsPercent, &out.MaxConnectionsPercent
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaxIdleConnectionsPercent != nil {
+		in, out := &in.MaxIdleConnectionsPercent, &out.MaxIdleConnectionsPercent
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SessionPinningFilters != nil {
+		in, out := &in.SessionPinningFilters, &out.SessionPinningFilters
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConnectionPoolConfigObservation.
@@ -2243,6 +2875,26 @@ func (in *DBInstanceAutomatedBackupsReplicationObservation) DeepCopyInto(out *DB
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PreSignedURL != nil {
+		in, out := &in.PreSignedURL, &out.PreSignedURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetentionPeriod != nil {
+		in, out := &in.RetentionPeriod, &out.RetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SourceDBInstanceArn != nil {
+		in, out := &in.SourceDBInstanceArn, &out.SourceDBInstanceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DBInstanceAutomatedBackupsReplicationObservation.
@@ -2421,11 +3073,21 @@ func (in *DBSnapshotCopyObservation) DeepCopyInto(out *DBSnapshotCopyObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.CopyTags != nil {
+		in, out := &in.CopyTags, &out.CopyTags
+		*out = new(bool)
+		**out = **in
+	}
 	if in.DBSnapshotArn != nil {
 		in, out := &in.DBSnapshotArn, &out.DBSnapshotArn
 		*out = new(string)
 		**out = **in
 	}
+	if in.DestinationRegion != nil {
+		in, out := &in.DestinationRegion, &out.DestinationRegion
+		*out = new(string)
+		**out = **in
+	}
 	if in.Encrypted != nil {
 		in, out := &in.Encrypted, &out.Encrypted
 		*out = new(bool)
@@ -2451,21 +3113,41 @@ func (in *DBSnapshotCopyObservation) DeepCopyInto(out *DBSnapshotCopyObservation
 		*out = new(float64)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.LicenseModel != nil {
 		in, out := &in.LicenseModel, &out.LicenseModel
 		*out = new(string)
 		**out = **in
 	}
+	if in.OptionGroupName != nil {
+		in, out := &in.OptionGroupName, &out.OptionGroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Port != nil {
 		in, out := &in.Port, &out.Port
 		*out = new(float64)
 		**out = **in
 	}
+	if in.PresignedURL != nil {
+		in, out := &in.PresignedURL, &out.PresignedURL
+		*out = new(string)
+		**out = **in
+	}
 	if in.SnapshotType != nil {
 		in, out := &in.SnapshotType, &out.SnapshotType
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceDBSnapshotIdentifier != nil {
+		in, out := &in.SourceDBSnapshotIdentifier, &out.SourceDBSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.SourceRegion != nil {
 		in, out := &in.SourceRegion, &out.SourceRegion
 		*out = new(string)
@@ -2476,6 +3158,21 @@ func (in *DBSnapshotCopyObservation) DeepCopyInto(out *DBSnapshotCopyObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2491,6 +3188,16 @@ func (in *DBSnapshotCopyObservation) DeepCopyInto(out *DBSnapshotCopyObservation
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetCustomAvailabilityZone != nil {
+		in, out := &in.TargetCustomAvailabilityZone, &out.TargetCustomAvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetDBSnapshotIdentifier != nil {
+		in, out := &in.TargetDBSnapshotIdentifier, &out.TargetDBSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.VPCID != nil {
 		in, out := &in.VPCID, &out.VPCID
 		*out = new(string)
@@ -2709,13 +3416,65 @@ func (in *EventSubscriptionObservation) DeepCopyInto(out *EventSubscriptionObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventCategories != nil {
+		in, out := &in.EventCategories, &out.EventCategories
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
+	if in.SnsTopic != nil {
+		in, out := &in.SnsTopic, &out.SnsTopic
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceIds != nil {
+		in, out := &in.SourceIds, &out.SourceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceType != nil {
+		in, out := &in.SourceType, &out.SourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
 		for key, val := range *in {
 			var outVal *string
@@ -2964,11 +3723,36 @@ func (in *GlobalClusterObservation) DeepCopyInto(out *GlobalClusterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.EngineVersionActual != nil {
 		in, out := &in.EngineVersionActual, &out.EngineVersionActual
 		*out = new(string)
 		**out = **in
 	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.GlobalClusterMembers != nil {
 		in, out := &in.GlobalClusterMembers, &out.GlobalClusterMembers
 		*out = make([]GlobalClusterMembersObservation, len(*in))
@@ -2986,6 +3770,16 @@ func (in *GlobalClusterObservation) DeepCopyInto(out *GlobalClusterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceDBClusterIdentifier != nil {
+		in, out := &in.SourceDBClusterIdentifier, &out.SourceDBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageEncrypted != nil {
+		in, out := &in.StorageEncrypted, &out.StorageEncrypted
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalClusterObservation.
@@ -3100,6 +3894,26 @@ func (in *GlobalClusterStatus) DeepCopy() *GlobalClusterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IngressObservation) DeepCopyInto(out *IngressObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupID != nil {
+		in, out := &in.SecurityGroupID, &out.SecurityGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupName != nil {
+		in, out := &in.SecurityGroupName, &out.SecurityGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupOwnerID != nil {
+		in, out := &in.SecurityGroupOwnerID, &out.SecurityGroupOwnerID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressObservation.
@@ -3214,36 +4028,264 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AllocatedStorage != nil {
+		in, out := &in.AllocatedStorage, &out.AllocatedStorage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AllowMajorVersionUpgrade != nil {
+		in, out := &in.AllowMajorVersionUpgrade, &out.AllowMajorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutoMinorVersionUpgrade != nil {
+		in, out := &in.AutoMinorVersionUpgrade, &out.AutoMinorVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.BackupRetentionPeriod != nil {
+		in, out := &in.BackupRetentionPeriod, &out.BackupRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.BackupWindow != nil {
+		in, out := &in.BackupWindow, &out.BackupWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.BlueGreenUpdate != nil {
+		in, out := &in.BlueGreenUpdate, &out.BlueGreenUpdate
+		*out = make([]BlueGreenUpdateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CACertIdentifier != nil {
+		in, out := &in.CACertIdentifier, &out.CACertIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.CharacterSetName != nil {
+		in, out := &in.CharacterSetName, &out.CharacterSetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyTagsToSnapshot != nil {
+		in, out := &in.CopyTagsToSnapshot, &out.CopyTagsToSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CustomIAMInstanceProfile != nil {
+		in, out := &in.CustomIAMInstanceProfile, &out.CustomIAMInstanceProfile
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerOwnedIPEnabled != nil {
+		in, out := &in.CustomerOwnedIPEnabled, &out.CustomerOwnedIPEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DBName != nil {
+		in, out := &in.DBName, &out.DBName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBSubnetGroupName != nil {
+		in, out := &in.DBSubnetGroupName, &out.DBSubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeleteAutomatedBackups != nil {
+		in, out := &in.DeleteAutomatedBackups, &out.DeleteAutomatedBackups
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeletionProtection != nil {
+		in, out := &in.DeletionProtection, &out.DeletionProtection
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Domain != nil {
+		in, out := &in.Domain, &out.Domain
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainIAMRoleName != nil {
+		in, out := &in.DomainIAMRoleName, &out.DomainIAMRoleName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnabledCloudwatchLogsExports != nil {
+		in, out := &in.EnabledCloudwatchLogsExports, &out.EnabledCloudwatchLogsExports
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.Engine != nil {
+		in, out := &in.Engine, &out.Engine
+		*out = new(string)
+		**out = **in
+	}
+	if in.EngineVersion != nil {
+		in, out := &in.EngineVersion, &out.EngineVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.EngineVersionActual != nil {
 		in, out := &in.EngineVersionActual, &out.EngineVersionActual
 		*out = new(string)
 		**out = **in
 	}
+	if in.FinalSnapshotIdentifier != nil {
+		in, out := &in.FinalSnapshotIdentifier, &out.FinalSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostedZoneID != nil {
 		in, out := &in.HostedZoneID, &out.HostedZoneID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IAMDatabaseAuthenticationEnabled != nil {
+		in, out := &in.IAMDatabaseAuthenticationEnabled, &out.IAMDatabaseAuthenticationEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceClass != nil {
+		in, out := &in.InstanceClass, &out.InstanceClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.Iops != nil {
+		in, out := &in.Iops, &out.Iops
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.LatestRestorableTime != nil {
 		in, out := &in.LatestRestorableTime, &out.LatestRestorableTime
 		*out = new(string)
 		**out = **in
 	}
+	if in.LicenseModel != nil {
+		in, out := &in.LicenseModel, &out.LicenseModel
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaintenanceWindow != nil {
+		in, out := &in.MaintenanceWindow, &out.MaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxAllocatedStorage != nil {
+		in, out := &in.MaxAllocatedStorage, &out.MaxAllocatedStorage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MonitoringInterval != nil {
+		in, out := &in.MonitoringInterval, &out.MonitoringInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MonitoringRoleArn != nil {
+		in, out := &in.MonitoringRoleArn, &out.MonitoringRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.MultiAz != nil {
+		in, out := &in.MultiAz, &out.MultiAz
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NcharCharacterSetName != nil {
+		in, out := &in.NcharCharacterSetName, &out.NcharCharacterSetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkType != nil {
+		in, out := &in.NetworkType, &out.NetworkType
+		*out = new(string)
+		**out = **in
+	}
+	if in.OptionGroupName != nil {
+		in, out := &in.OptionGroupName, &out.OptionGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ParameterGroupName != nil {
+		in, out := &in.ParameterGroupName, &out.ParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.PerformanceInsightsEnabled != nil {
+		in, out := &in.PerformanceInsightsEnabled, &out.PerformanceInsightsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PerformanceInsightsKMSKeyID != nil {
+		in, out := &in.PerformanceInsightsKMSKeyID, &out.PerformanceInsightsKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PerformanceInsightsRetentionPeriod != nil {
+		in, out := &in.PerformanceInsightsRetentionPeriod, &out.PerformanceInsightsRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PubliclyAccessible != nil {
+		in, out := &in.PubliclyAccessible, &out.PubliclyAccessible
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ReplicaMode != nil {
+		in, out := &in.ReplicaMode, &out.ReplicaMode
+		*out = new(string)
+		**out = **in
+	}
 	if in.Replicas != nil {
 		in, out := &in.Replicas, &out.Replicas
 		*out = make([]*string, len(*in))
@@ -3255,16 +4297,86 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 			}
 		}
 	}
+	if in.ReplicateSourceDB != nil {
+		in, out := &in.ReplicateSourceDB, &out.ReplicateSourceDB
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceID != nil {
 		in, out := &in.ResourceID, &out.ResourceID
 		*out = new(string)
 		**out = **in
 	}
-	if in.Status != nil {
-		in, out := &in.Status, &out.Status
+	if in.RestoreToPointInTime != nil {
+		in, out := &in.RestoreToPointInTime, &out.RestoreToPointInTime
+		*out = make([]RestoreToPointInTimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3Import != nil {
+		in, out := &in.S3Import, &out.S3Import
+		*out = make([]S3ImportObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityGroupNames != nil {
+		in, out := &in.SecurityGroupNames, &out.SecurityGroupNames
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SkipFinalSnapshot != nil {
+		in, out := &in.SkipFinalSnapshot, &out.SkipFinalSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SnapshotIdentifier != nil {
+		in, out := &in.SnapshotIdentifier, &out.SnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageEncrypted != nil {
+		in, out := &in.StorageEncrypted, &out.StorageEncrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.StorageThroughput != nil {
+		in, out := &in.StorageThroughput, &out.StorageThroughput
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageType != nil {
+		in, out := &in.StorageType, &out.StorageType
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3280,6 +4392,27 @@ func (in *InstanceObservation) DeepCopyInto(out *InstanceObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Timezone != nil {
+		in, out := &in.Timezone, &out.Timezone
+		*out = new(string)
+		**out = **in
+	}
+	if in.Username != nil {
+		in, out := &in.Username, &out.Username
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceObservation.
@@ -3745,11 +4878,26 @@ func (in *InstanceRoleAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceRoleAssociationObservation) DeepCopyInto(out *InstanceRoleAssociationObservation) {
 	*out = *in
+	if in.DBInstanceIdentifier != nil {
+		in, out := &in.DBInstanceIdentifier, &out.DBInstanceIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.FeatureName != nil {
+		in, out := &in.FeatureName, &out.FeatureName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceRoleAssociationObservation.
@@ -3952,11 +5100,48 @@ func (in *OptionGroupObservation) DeepCopyInto(out *OptionGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EngineName != nil {
+		in, out := &in.EngineName, &out.EngineName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MajorEngineVersion != nil {
+		in, out := &in.MajorEngineVersion, &out.MajorEngineVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Option != nil {
+		in, out := &in.Option, &out.Option
+		*out = make([]OptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OptionGroupDescription != nil {
+		in, out := &in.OptionGroupDescription, &out.OptionGroupDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4078,6 +5263,50 @@ func (in *OptionGroupStatus) DeepCopy() *OptionGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OptionObservation) DeepCopyInto(out *OptionObservation) {
 	*out = *in
+	if in.DBSecurityGroupMemberships != nil {
+		in, out := &in.DBSecurityGroupMemberships, &out.DBSecurityGroupMemberships
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.OptionName != nil {
+		in, out := &in.OptionName, &out.OptionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.OptionSettings != nil {
+		in, out := &in.OptionSettings, &out.OptionSettings
+		*out = make([]OptionSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.VPCSecurityGroupMemberships != nil {
+		in, out := &in.VPCSecurityGroupMemberships, &out.VPCSecurityGroupMemberships
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OptionObservation.
@@ -4152,6 +5381,16 @@ func (in *OptionParameters) DeepCopy() *OptionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OptionSettingsObservation) DeepCopyInto(out *OptionSettingsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OptionSettingsObservation.
@@ -4256,11 +5495,43 @@ func (in *ParameterGroupObservation) DeepCopyInto(out *ParameterGroupObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4377,6 +5648,21 @@ func (in *ParameterGroupStatus) DeepCopy() *ParameterGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.ApplyMethod != nil {
+		in, out := &in.ApplyMethod, &out.ApplyMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -4513,6 +5799,18 @@ func (in *ProxyDefaultTargetGroupObservation) DeepCopyInto(out *ProxyDefaultTarg
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConnectionPoolConfig != nil {
+		in, out := &in.ConnectionPoolConfig, &out.ConnectionPoolConfig
+		*out = make([]ConnectionPoolConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DBProxyName != nil {
+		in, out := &in.DBProxyName, &out.DBProxyName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -4678,6 +5976,11 @@ func (in *ProxyEndpointObservation) DeepCopyInto(out *ProxyEndpointObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.DBProxyName != nil {
+		in, out := &in.DBProxyName, &out.DBProxyName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
@@ -4693,6 +5996,21 @@ func (in *ProxyEndpointObservation) DeepCopyInto(out *ProxyEndpointObservation)
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4705,14 +6023,41 @@ func (in *ProxyEndpointObservation) DeepCopyInto(out *ProxyEndpointObservation)
 				*out = new(string)
 				**out = **in
 			}
-			(*out)[key] = outVal
+			(*out)[key] = outVal
+		}
+	}
+	if in.TargetRole != nil {
+		in, out := &in.TargetRole, &out.TargetRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCSubnetIds != nil {
+		in, out := &in.VPCSubnetIds, &out.VPCSubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
 		}
 	}
-	if in.VPCID != nil {
-		in, out := &in.VPCID, &out.VPCID
-		*out = new(string)
-		**out = **in
-	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyEndpointObservation.
@@ -4888,16 +6233,63 @@ func (in *ProxyObservation) DeepCopyInto(out *ProxyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Auth != nil {
+		in, out := &in.Auth, &out.Auth
+		*out = make([]AuthObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DebugLogging != nil {
+		in, out := &in.DebugLogging, &out.DebugLogging
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.EngineFamily != nil {
+		in, out := &in.EngineFamily, &out.EngineFamily
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdleClientTimeout != nil {
+		in, out := &in.IdleClientTimeout, &out.IdleClientTimeout
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RequireTLS != nil {
+		in, out := &in.RequireTLS, &out.RequireTLS
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4913,6 +6305,28 @@ func (in *ProxyObservation) DeepCopyInto(out *ProxyObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCSubnetIds != nil {
+		in, out := &in.VPCSubnetIds, &out.VPCSubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProxyObservation.
@@ -5132,6 +6546,21 @@ func (in *ProxyTargetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProxyTargetObservation) DeepCopyInto(out *ProxyTargetObservation) {
 	*out = *in
+	if in.DBClusterIdentifier != nil {
+		in, out := &in.DBClusterIdentifier, &out.DBClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBInstanceIdentifier != nil {
+		in, out := &in.DBInstanceIdentifier, &out.DBInstanceIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.DBProxyName != nil {
+		in, out := &in.DBProxyName, &out.DBProxyName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
@@ -5157,6 +6586,11 @@ func (in *ProxyTargetObservation) DeepCopyInto(out *ProxyTargetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.TargetGroupName != nil {
+		in, out := &in.TargetGroupName, &out.TargetGroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.TrackedClusterID != nil {
 		in, out := &in.TrackedClusterID, &out.TrackedClusterID
 		*out = new(string)
@@ -5276,6 +6710,31 @@ func (in *ProxyTargetStatus) DeepCopy() *ProxyTargetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RestoreToPointInTimeObservation) DeepCopyInto(out *RestoreToPointInTimeObservation) {
 	*out = *in
+	if in.RestoreTime != nil {
+		in, out := &in.RestoreTime, &out.RestoreTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceDBInstanceAutomatedBackupsArn != nil {
+		in, out := &in.SourceDBInstanceAutomatedBackupsArn, &out.SourceDBInstanceAutomatedBackupsArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceDBInstanceIdentifier != nil {
+		in, out := &in.SourceDBInstanceIdentifier, &out.SourceDBInstanceIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceDbiResourceID != nil {
+		in, out := &in.SourceDbiResourceID, &out.SourceDbiResourceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UseLatestRestorableTime != nil {
+		in, out := &in.UseLatestRestorableTime, &out.UseLatestRestorableTime
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RestoreToPointInTimeObservation.
@@ -5331,6 +6790,31 @@ func (in *RestoreToPointInTimeParameters) DeepCopy() *RestoreToPointInTimeParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ImportObservation) DeepCopyInto(out *S3ImportObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketPrefix != nil {
+		in, out := &in.BucketPrefix, &out.BucketPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.IngestionRole != nil {
+		in, out := &in.IngestionRole, &out.IngestionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceEngine != nil {
+		in, out := &in.SourceEngine, &out.SourceEngine
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceEngineVersion != nil {
+		in, out := &in.SourceEngineVersion, &out.SourceEngineVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ImportObservation.
@@ -5386,6 +6870,31 @@ func (in *S3ImportParameters) DeepCopy() *S3ImportParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScalingConfigurationObservation) DeepCopyInto(out *ScalingConfigurationObservation) {
 	*out = *in
+	if in.AutoPause != nil {
+		in, out := &in.AutoPause, &out.AutoPause
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MaxCapacity != nil {
+		in, out := &in.MaxCapacity, &out.MaxCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinCapacity != nil {
+		in, out := &in.MinCapacity, &out.MinCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SecondsUntilAutoPause != nil {
+		in, out := &in.SecondsUntilAutoPause, &out.SecondsUntilAutoPause
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TimeoutAction != nil {
+		in, out := &in.TimeoutAction, &out.TimeoutAction
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScalingConfigurationObservation.
@@ -5505,11 +7014,38 @@ func (in *SecurityGroupObservation) DeepCopyInto(out *SecurityGroupObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Ingress != nil {
+		in, out := &in.Ingress, &out.Ingress
+		*out = make([]IngressObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5621,6 +7157,16 @@ func (in *SecurityGroupStatus) DeepCopy() *SecurityGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Serverlessv2ScalingConfigurationObservation) DeepCopyInto(out *Serverlessv2ScalingConfigurationObservation) {
 	*out = *in
+	if in.MaxCapacity != nil {
+		in, out := &in.MaxCapacity, &out.MaxCapacity
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinCapacity != nil {
+		in, out := &in.MinCapacity, &out.MinCapacity
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Serverlessv2ScalingConfigurationObservation.
@@ -5730,6 +7276,11 @@ func (in *SnapshotObservation) DeepCopyInto(out *SnapshotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DBInstanceIdentifier != nil {
+		in, out := &in.DBInstanceIdentifier, &out.DBInstanceIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.DBSnapshotArn != nil {
 		in, out := &in.DBSnapshotArn, &out.DBSnapshotArn
 		*out = new(string)
@@ -5805,6 +7356,21 @@ func (in *SnapshotObservation) DeepCopyInto(out *SnapshotObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -5988,11 +7554,27 @@ func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.SupportedNetworkTypes != nil {
 		in, out := &in.SupportedNetworkTypes, &out.SupportedNetworkTypes
 		*out = make([]*string, len(*in))
@@ -6004,6 +7586,21 @@ func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 			}
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/rds/v1beta1/zz_globalcluster_types.go b/apis/rds/v1beta1/zz_globalcluster_types.go
index f5c50e4170..204fe0574e 100755
--- a/apis/rds/v1beta1/zz_globalcluster_types.go
+++ b/apis/rds/v1beta1/zz_globalcluster_types.go
@@ -30,8 +30,23 @@ type GlobalClusterObservation struct {
 	// RDS Global Cluster Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name for an automatically created database on cluster creation.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// If the Global Cluster should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// Name of the database engine to be used for this DB cluster. Valid values: aurora, aurora-mysql, aurora-postgresql. Defaults to aurora. Conflicts with source_db_cluster_identifier.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// Engine version of the Aurora global database. The engine, engine_version, and instance_class (on the aws_rds_cluster_instance) must together support global databases. See Using Amazon Aurora global databases for more information. NOTE: To avoid an inconsistent final plan error while upgrading, use the lifecycle ignore_changes for engine_version meta argument on the associated aws_rds_cluster resource as shown above in Upgrading Engine Versions example.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	EngineVersionActual *string `json:"engineVersionActual,omitempty" tf:"engine_version_actual,omitempty"`
 
+	// Enable to remove DB Cluster members from Global Cluster on destroy. Required with source_db_cluster_identifier.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// Set of objects containing Global Cluster members.
 	GlobalClusterMembers []GlobalClusterMembersObservation `json:"globalClusterMembers,omitempty" tf:"global_cluster_members,omitempty"`
 
@@ -40,6 +55,12 @@ type GlobalClusterObservation struct {
 
 	// RDS Global Cluster identifier
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amazon Resource Name (ARN) to use as the primary DB Cluster of the Global Cluster on creation.
+	SourceDBClusterIdentifier *string `json:"sourceDbClusterIdentifier,omitempty" tf:"source_db_cluster_identifier,omitempty"`
+
+	// Specifies whether the DB cluster is encrypted. The default is false unless source_db_cluster_identifier is specified and encrypted.
+	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
 }
 
 type GlobalClusterParameters struct {
diff --git a/apis/rds/v1beta1/zz_instance_types.go b/apis/rds/v1beta1/zz_instance_types.go
index 20e23085b4..655b54468a 100755
--- a/apis/rds/v1beta1/zz_instance_types.go
+++ b/apis/rds/v1beta1/zz_instance_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type BlueGreenUpdateObservation struct {
+
+	// Enables [low-downtime updates](#Low-Downtime Updates) when true.
+	// Default is false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type BlueGreenUpdateParameters struct {
@@ -29,35 +33,285 @@ type InstanceObservation struct {
 	// The hostname of the RDS instance. See also endpoint and port.
 	Address *string `json:"address,omitempty" tf:"address,omitempty"`
 
+	// The allocated storage in gibibytes. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate_source_db is set, the value is ignored during the creation of the instance.
+	AllocatedStorage *float64 `json:"allocatedStorage,omitempty" tf:"allocated_storage,omitempty"`
+
+	// Indicates that major version
+	// upgrades are allowed. Changing this parameter does not result in an outage and
+	// the change is asynchronously applied as soon as possible.
+	AllowMajorVersionUpgrade *bool `json:"allowMajorVersionUpgrade,omitempty" tf:"allow_major_version_upgrade,omitempty"`
+
+	// Specifies whether any database modifications
+	// are applied immediately, or during the next maintenance window. Default is
+	// false. See Amazon RDS Documentation for more
+	// information.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
 	// The ARN of the RDS instance.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Indicates that minor engine upgrades
+	// will be applied automatically to the DB instance during the maintenance window.
+	// Defaults to true.
+	AutoMinorVersionUpgrade *bool `json:"autoMinorVersionUpgrade,omitempty" tf:"auto_minor_version_upgrade,omitempty"`
+
+	// The AZ for the RDS instance.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// The days to retain backups for.
+	// Must be between 0 and 35.
+	// Default is 0.
+	// Must be greater than 0 if the database is used as a source for a Read Replica,
+	// uses low-downtime updates,
+	// or will use RDS Blue/Green deployments.
+	BackupRetentionPeriod *float64 `json:"backupRetentionPeriod,omitempty" tf:"backup_retention_period,omitempty"`
+
+	// The daily time range (in UTC) during which automated backups are created if they are enabled.
+	// Example: "09:46-10:16". Must not overlap with maintenance_window.
+	BackupWindow *string `json:"backupWindow,omitempty" tf:"backup_window,omitempty"`
+
+	// Enables low-downtime updates using RDS Blue/Green deployments.
+	// See blue_green_update below
+	BlueGreenUpdate []BlueGreenUpdateObservation `json:"blueGreenUpdate,omitempty" tf:"blue_green_update,omitempty"`
+
+	// The identifier of the CA certificate for the DB instance.
+	CACertIdentifier *string `json:"caCertIdentifier,omitempty" tf:"ca_cert_identifier,omitempty"`
+
+	// The character set name to use for DB
+	// encoding in Oracle and Microsoft SQL instances (collation). This can't be changed. See Oracle Character Sets
+	// Supported in Amazon RDS
+	// or Server-Level Collation for Microsoft SQL Server for more information.
+	CharacterSetName *string `json:"characterSetName,omitempty" tf:"character_set_name,omitempty"`
+
+	// –  Copy all Instance tags to snapshots. Default is false.
+	CopyTagsToSnapshot *bool `json:"copyTagsToSnapshot,omitempty" tf:"copy_tags_to_snapshot,omitempty"`
+
+	// The instance profile associated with the underlying Amazon EC2 instance of an RDS Custom DB instance.
+	CustomIAMInstanceProfile *string `json:"customIamInstanceProfile,omitempty" tf:"custom_iam_instance_profile,omitempty"`
+
+	// Indicates whether to enable a customer-owned IP address (CoIP) for an RDS on Outposts DB instance. See CoIP for RDS on Outposts for more information.
+	CustomerOwnedIPEnabled *bool `json:"customerOwnedIpEnabled,omitempty" tf:"customer_owned_ip_enabled,omitempty"`
+
+	// The name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance. Note that this does not apply for Oracle or SQL Server engines. See the AWS documentation for more details on what applies for those engines. If you are providing an Oracle db name, it needs to be in all upper case. Cannot be specified for a replica.
+	DBName *string `json:"dbName,omitempty" tf:"db_name,omitempty"`
+
+	// Name of DB subnet group. DB instance will
+	// be created in the VPC associated with the DB subnet group. If unspecified, will
+	// be created in the default VPC, or in EC2 Classic, if available. When working
+	// with read replicas, it should be specified only if the source database
+	// specifies an instance in another AWS Region. See DBSubnetGroupName in API
+	// action CreateDBInstanceReadReplica
+	// for additional read replica contraints.
+	DBSubnetGroupName *string `json:"dbSubnetGroupName,omitempty" tf:"db_subnet_group_name,omitempty"`
+
+	// Specifies whether to remove automated backups immediately after the DB instance is deleted. Default is true.
+	DeleteAutomatedBackups *bool `json:"deleteAutomatedBackups,omitempty" tf:"delete_automated_backups,omitempty"`
+
+	// If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true. The default is false.
+	DeletionProtection *bool `json:"deletionProtection,omitempty" tf:"deletion_protection,omitempty"`
+
+	// The ID of the Directory Service Active Directory domain to create the instance in.
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
+
+	// The name of the IAM role to be used when making API calls to the Directory Service.
+	DomainIAMRoleName *string `json:"domainIamRoleName,omitempty" tf:"domain_iam_role_name,omitempty"`
+
+	// Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. Valid values (depending on engine). MySQL and MariaDB: audit, error, general, slowquery. PostgreSQL: postgresql, upgrade. MSSQL: agent , error. Oracle: alert, audit, listener, trace.
+	EnabledCloudwatchLogsExports []*string `json:"enabledCloudwatchLogsExports,omitempty" tf:"enabled_cloudwatch_logs_exports,omitempty"`
+
 	// The connection endpoint in address:port format.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The database engine to use.  For supported values, see the Engine parameter in API action CreateDBInstance. Cannot be specified for a replica.
+	// Note that for Amazon Aurora instances the engine must match the DB cluster's engine'.
+	// For information on the difference between the available Aurora MySQL engines
+	// see Comparison between Aurora MySQL 1 and Aurora MySQL 2
+	// in the Amazon RDS User Guide.
+	Engine *string `json:"engine,omitempty" tf:"engine,omitempty"`
+
+	// The engine version to use. If auto_minor_version_upgrade
+	// is enabled, you can provide a prefix of the version such as 5.7 (for 5.7.10).
+	// The actual engine version used is returned in the attribute engine_version_actual, see Attributes Reference below.
+	// For supported values, see the EngineVersion parameter in API action CreateDBInstance.
+	// Note that for Amazon Aurora instances the engine version must match the DB cluster's engine version'. Cannot be specified for a replica.
+	EngineVersion *string `json:"engineVersion,omitempty" tf:"engine_version,omitempty"`
+
 	// The running version of the database.
 	EngineVersionActual *string `json:"engineVersionActual,omitempty" tf:"engine_version_actual,omitempty"`
 
+	// The name of your final DB snapshot
+	// when this DB instance is deleted. Must be provided if skip_final_snapshot is
+	// set to false. The value must begin with a letter, only contain alphanumeric characters and hyphens, and not end with a hyphen or contain two consecutive hyphens. Must not be provided when deleting a read replica.
+	FinalSnapshotIdentifier *string `json:"finalSnapshotIdentifier,omitempty" tf:"final_snapshot_identifier,omitempty"`
+
 	// The canonical hosted zone ID of the DB instance (to be used
 	// in a Route 53 Alias record).
 	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
 
+	// Specifies whether mappings of AWS Identity and Access Management (IAM) accounts to database
+	// accounts is enabled.
+	IAMDatabaseAuthenticationEnabled *bool `json:"iamDatabaseAuthenticationEnabled,omitempty" tf:"iam_database_authentication_enabled,omitempty"`
+
 	// The RDS instance ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The instance type of the RDS instance.
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
+
+	// The amount of provisioned IOPS. Setting this implies a
+	// storage_type of "io1". Can only be set when storage_type is "io1" or "gp3".
+	// Cannot be specified for gp3 storage if the allocated_storage value is below a per-engine threshold.
+	// See the RDS User Guide for details.
+	Iops *float64 `json:"iops,omitempty" tf:"iops,omitempty"`
+
+	// The ARN for the KMS encryption key. If creating an
+	// encrypted replica, set this to the destination KMS ARN.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// The latest time, in UTC RFC3339 format, to which a database can be restored with point-in-time restore.
 	LatestRestorableTime *string `json:"latestRestorableTime,omitempty" tf:"latest_restorable_time,omitempty"`
 
+	// License model information for this DB instance.
+	LicenseModel *string `json:"licenseModel,omitempty" tf:"license_model,omitempty"`
+
+	// The window to perform maintenance in.
+	// Syntax: "ddd:hh24:mi-ddd:hh24:mi". Eg: "Mon:00:00-Mon:03:00". See RDS
+	// Maintenance Window
+	// docs
+	// for more information.
+	MaintenanceWindow *string `json:"maintenanceWindow,omitempty" tf:"maintenance_window,omitempty"`
+
+	// When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage. Must be greater than or equal to allocated_storage or 0 to disable Storage Autoscaling.
+	MaxAllocatedStorage *float64 `json:"maxAllocatedStorage,omitempty" tf:"max_allocated_storage,omitempty"`
+
+	// The interval, in seconds, between points
+	// when Enhanced Monitoring metrics are collected for the DB instance. To disable
+	// collecting Enhanced Monitoring metrics, specify 0. The default is 0. Valid
+	// Values: 0, 1, 5, 10, 15, 30, 60.
+	MonitoringInterval *float64 `json:"monitoringInterval,omitempty" tf:"monitoring_interval,omitempty"`
+
+	// The ARN for the IAM role that permits RDS
+	// to send enhanced monitoring metrics to CloudWatch Logs. You can find more
+	// information on the AWS
+	// Documentation
+	// what IAM permissions are needed to allow Enhanced Monitoring for RDS Instances.
+	MonitoringRoleArn *string `json:"monitoringRoleArn,omitempty" tf:"monitoring_role_arn,omitempty"`
+
+	// Specifies if the RDS instance is multi-AZ
+	MultiAz *bool `json:"multiAz,omitempty" tf:"multi_az,omitempty"`
+
+	// The name of the database to create when the DB instance is created. If this parameter is not specified, no database is created in the DB instance. Note that this does not apply for Oracle or SQL Server engines. See the AWS documentation for more details on what applies for those engines. If you are providing an Oracle db name, it needs to be in all upper case. Cannot be specified for a replica.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The national character set is used in the NCHAR, NVARCHAR2, and NCLOB data types for Oracle instances. This can't be changed. See Oracle Character Sets
+	// Supported in Amazon RDS.
+	NcharCharacterSetName *string `json:"ncharCharacterSetName,omitempty" tf:"nchar_character_set_name,omitempty"`
+
+	// The network type of the DB instance. Valid values: IPV4, DUAL.
+	NetworkType *string `json:"networkType,omitempty" tf:"network_type,omitempty"`
+
+	// Name of the DB option group to associate.
+	OptionGroupName *string `json:"optionGroupName,omitempty" tf:"option_group_name,omitempty"`
+
+	// Name of the DB parameter group to
+	// associate.
+	ParameterGroupName *string `json:"parameterGroupName,omitempty" tf:"parameter_group_name,omitempty"`
+
+	// Specifies whether Performance Insights are enabled. Defaults to false.
+	PerformanceInsightsEnabled *bool `json:"performanceInsightsEnabled,omitempty" tf:"performance_insights_enabled,omitempty"`
+
+	// The ARN for the KMS key to encrypt Performance Insights data. When specifying performance_insights_kms_key_id, performance_insights_enabled needs to be set to true. Once KMS key is set, it can never be changed.
+	PerformanceInsightsKMSKeyID *string `json:"performanceInsightsKmsKeyId,omitempty" tf:"performance_insights_kms_key_id,omitempty"`
+
+	// Amount of time in days to retain Performance Insights data. Valid values are 7, 731 (2 years) or a multiple of 31. When specifying performance_insights_retention_period, performance_insights_enabled needs to be set to true. Defaults to '7'.
+	PerformanceInsightsRetentionPeriod *float64 `json:"performanceInsightsRetentionPeriod,omitempty" tf:"performance_insights_retention_period,omitempty"`
+
+	// The port on which the DB accepts connections.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// Bool to control if instance is publicly
+	// accessible. Default is false.
+	PubliclyAccessible *bool `json:"publiclyAccessible,omitempty" tf:"publicly_accessible,omitempty"`
+
+	// Specifies whether the replica is in either mounted or open-read-only mode. This attribute
+	// is only supported by Oracle instances. Oracle replicas operate in open-read-only mode unless otherwise specified. See Working with Oracle Read Replicas for more information.
+	ReplicaMode *string `json:"replicaMode,omitempty" tf:"replica_mode,omitempty"`
+
 	Replicas []*string `json:"replicas,omitempty" tf:"replicas,omitempty"`
 
+	// Specifies that this resource is a Replicate
+	// database, and to use this value as the source database. This correlates to the
+	// identifier of another Amazon RDS Database to replicate (if replicating within
+	// a single region) or ARN of the Amazon RDS Database to replicate (if replicating
+	// cross-region). Note that if you are
+	// creating a cross-region replica of an encrypted database you will also need to
+	// specify a kms_key_id. See DB Instance Replication and Working with
+	// PostgreSQL and MySQL Read Replicas
+	// for more information on using Replication.
+	ReplicateSourceDB *string `json:"replicateSourceDb,omitempty" tf:"replicate_source_db,omitempty"`
+
 	// The RDS Resource ID of this instance.
 	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
 
+	// A configuration block for restoring a DB instance to an arbitrary point in time. Requires the identifier argument to be set with the name of the new DB instance to be created. See Restore To Point In Time below for details.
+	RestoreToPointInTime []RestoreToPointInTimeObservation `json:"restoreToPointInTime,omitempty" tf:"restore_to_point_in_time,omitempty"`
+
+	// Restore from a Percona Xtrabackup in S3.  See Importing Data into an Amazon RDS MySQL DB Instance
+	S3Import []S3ImportObservation `json:"s3Import,omitempty" tf:"s3_import,omitempty"`
+
+	// List of DB Security Groups to
+	// associate. Only used for DB Instances on the .
+	SecurityGroupNames []*string `json:"securityGroupNames,omitempty" tf:"security_group_names,omitempty"`
+
+	// Determines whether a final DB snapshot is
+	// created before the DB instance is deleted. If true is specified, no DBSnapshot
+	// is created. If false is specified, a DB snapshot is created before the DB
+	// instance is deleted, using the value from final_snapshot_identifier. Default
+	// is false.
+	SkipFinalSnapshot *bool `json:"skipFinalSnapshot,omitempty" tf:"skip_final_snapshot,omitempty"`
+
+	// Specifies whether or not to create this
+	// database from a snapshot. This correlates to the snapshot ID you'd find in the
+	// RDS console, e.g: rds:production-2015-06-26-06-05.
+	SnapshotIdentifier *string `json:"snapshotIdentifier,omitempty" tf:"snapshot_identifier,omitempty"`
+
 	// The RDS instance status.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Specifies whether the DB instance is
+	// encrypted. Note that if you are creating a cross-region read replica this field
+	// is ignored and you should instead declare kms_key_id with a valid ARN. The
+	// default is false if not specified.
+	StorageEncrypted *bool `json:"storageEncrypted,omitempty" tf:"storage_encrypted,omitempty"`
+
+	// The storage throughput value for the DB instance. Can only be set when storage_type is "gp3". Cannot be specified if the allocated_storage value is below a per-engine threshold. See the RDS User Guide for details.
+	StorageThroughput *float64 `json:"storageThroughput,omitempty" tf:"storage_throughput,omitempty"`
+
+	// One of "standard" (magnetic), "gp2" (general
+	// purpose SSD), "gp3" (general purpose SSD that needs iops independently)
+	// or "io1" (provisioned IOPS SSD). The default is "io1" if iops is specified,
+	// "gp2" if not.
+	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Time zone of the DB instance. timezone is currently
+	// only supported by Microsoft SQL Server. The timezone can only be set on
+	// creation. See MSSQL User
+	// Guide
+	// for more information.
+	Timezone *string `json:"timezone,omitempty" tf:"timezone,omitempty"`
+
+	// Username for the master DB user. Cannot be specified for a replica.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
+
+	// List of VPC security groups to
+	// associate.
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 }
 
 type InstanceParameters struct {
@@ -209,8 +463,8 @@ type InstanceParameters struct {
 	IAMDatabaseAuthenticationEnabled *bool `json:"iamDatabaseAuthenticationEnabled,omitempty" tf:"iam_database_authentication_enabled,omitempty"`
 
 	// The instance type of the RDS instance.
-	// +kubebuilder:validation:Required
-	InstanceClass *string `json:"instanceClass" tf:"instance_class,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceClass *string `json:"instanceClass,omitempty" tf:"instance_class,omitempty"`
 
 	// The amount of provisioned IOPS. Setting this implies a
 	// storage_type of "io1". Can only be set when storage_type is "io1" or "gp3".
@@ -429,6 +683,21 @@ type InstanceParameters struct {
 }
 
 type RestoreToPointInTimeObservation struct {
+
+	// The date and time to restore from. Value must be a time in Universal Coordinated Time (UTC) format and must be before the latest restorable time for the DB instance. Cannot be specified with use_latest_restorable_time.
+	RestoreTime *string `json:"restoreTime,omitempty" tf:"restore_time,omitempty"`
+
+	// The ARN of the automated backup from which to restore. Required if source_db_instance_identifier or source_dbi_resource_id is not specified.
+	SourceDBInstanceAutomatedBackupsArn *string `json:"sourceDbInstanceAutomatedBackupsArn,omitempty" tf:"source_db_instance_automated_backups_arn,omitempty"`
+
+	// The identifier of the source DB instance from which to restore. Must match the identifier of an existing DB instance. Required if source_db_instance_automated_backups_arn or source_dbi_resource_id is not specified.
+	SourceDBInstanceIdentifier *string `json:"sourceDbInstanceIdentifier,omitempty" tf:"source_db_instance_identifier,omitempty"`
+
+	// The resource ID of the source DB instance from which to restore. Required if source_db_instance_identifier or source_db_instance_automated_backups_arn is not specified.
+	SourceDbiResourceID *string `json:"sourceDbiResourceId,omitempty" tf:"source_dbi_resource_id,omitempty"`
+
+	// A boolean value that indicates whether the DB instance is restored from the latest backup time. Defaults to false. Cannot be specified with restore_time.
+	UseLatestRestorableTime *bool `json:"useLatestRestorableTime,omitempty" tf:"use_latest_restorable_time,omitempty"`
 }
 
 type RestoreToPointInTimeParameters struct {
@@ -455,6 +724,21 @@ type RestoreToPointInTimeParameters struct {
 }
 
 type S3ImportObservation struct {
+
+	// The bucket name where your backup is stored
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Can be blank, but is the path to your backup
+	BucketPrefix *string `json:"bucketPrefix,omitempty" tf:"bucket_prefix,omitempty"`
+
+	// Role applied to load the data.
+	IngestionRole *string `json:"ingestionRole,omitempty" tf:"ingestion_role,omitempty"`
+
+	// Source engine for the backup
+	SourceEngine *string `json:"sourceEngine,omitempty" tf:"source_engine,omitempty"`
+
+	// Version of the source engine used to make the backup
+	SourceEngineVersion *string `json:"sourceEngineVersion,omitempty" tf:"source_engine_version,omitempty"`
 }
 
 type S3ImportParameters struct {
@@ -504,8 +788,9 @@ type InstanceStatus struct {
 type Instance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstanceSpec   `json:"spec"`
-	Status            InstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)",message="instanceClass is a required parameter"
+	Spec   InstanceSpec   `json:"spec"`
+	Status InstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_instanceroleassociation_types.go b/apis/rds/v1beta1/zz_instanceroleassociation_types.go
index 5d1df278df..d5346c3171 100755
--- a/apis/rds/v1beta1/zz_instanceroleassociation_types.go
+++ b/apis/rds/v1beta1/zz_instanceroleassociation_types.go
@@ -15,8 +15,17 @@ import (
 
 type InstanceRoleAssociationObservation struct {
 
+	// DB Instance Identifier to associate with the IAM Role.
+	DBInstanceIdentifier *string `json:"dbInstanceIdentifier,omitempty" tf:"db_instance_identifier,omitempty"`
+
+	// Name of the feature for association. This can be found in the AWS documentation relevant to the integration or a full list is available in the SupportedFeatureNames list returned by AWS CLI rds describe-db-engine-versions.
+	FeatureName *string `json:"featureName,omitempty" tf:"feature_name,omitempty"`
+
 	// DB Instance Identifier and IAM Role ARN separated by a comma (,)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amazon Resource Name (ARN) of the IAM Role to associate with the DB Instance.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
 }
 
 type InstanceRoleAssociationParameters struct {
@@ -36,8 +45,8 @@ type InstanceRoleAssociationParameters struct {
 	DBInstanceIdentifierSelector *v1.Selector `json:"dbInstanceIdentifierSelector,omitempty" tf:"-"`
 
 	// Name of the feature for association. This can be found in the AWS documentation relevant to the integration or a full list is available in the SupportedFeatureNames list returned by AWS CLI rds describe-db-engine-versions.
-	// +kubebuilder:validation:Required
-	FeatureName *string `json:"featureName" tf:"feature_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	FeatureName *string `json:"featureName,omitempty" tf:"feature_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -83,8 +92,9 @@ type InstanceRoleAssociationStatus struct {
 type InstanceRoleAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InstanceRoleAssociationSpec   `json:"spec"`
-	Status            InstanceRoleAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureName)",message="featureName is a required parameter"
+	Spec   InstanceRoleAssociationSpec   `json:"spec"`
+	Status InstanceRoleAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_optiongroup_types.go b/apis/rds/v1beta1/zz_optiongroup_types.go
index ccc77b035d..79f734cb3b 100755
--- a/apis/rds/v1beta1/zz_optiongroup_types.go
+++ b/apis/rds/v1beta1/zz_optiongroup_types.go
@@ -18,9 +18,24 @@ type OptionGroupObservation struct {
 	// The ARN of the db option group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies the name of the engine that this option group should be associated with.
+	EngineName *string `json:"engineName,omitempty" tf:"engine_name,omitempty"`
+
 	// The db option group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the major version of the engine that this option group should be associated with.
+	MajorEngineVersion *string `json:"majorEngineVersion,omitempty" tf:"major_engine_version,omitempty"`
+
+	// A list of Options to apply.
+	Option []OptionObservation `json:"option,omitempty" tf:"option,omitempty"`
+
+	// The description of the option group.
+	OptionGroupDescription *string `json:"optionGroupDescription,omitempty" tf:"option_group_description,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,12 +43,12 @@ type OptionGroupObservation struct {
 type OptionGroupParameters struct {
 
 	// Specifies the name of the engine that this option group should be associated with.
-	// +kubebuilder:validation:Required
-	EngineName *string `json:"engineName" tf:"engine_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	EngineName *string `json:"engineName,omitempty" tf:"engine_name,omitempty"`
 
 	// Specifies the major version of the engine that this option group should be associated with.
-	// +kubebuilder:validation:Required
-	MajorEngineVersion *string `json:"majorEngineVersion" tf:"major_engine_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	MajorEngineVersion *string `json:"majorEngineVersion,omitempty" tf:"major_engine_version,omitempty"`
 
 	// A list of Options to apply.
 	// +kubebuilder:validation:Optional
@@ -54,6 +69,24 @@ type OptionGroupParameters struct {
 }
 
 type OptionObservation struct {
+
+	// A list of DB Security Groups for which the option is enabled.
+	DBSecurityGroupMemberships []*string `json:"dbSecurityGroupMemberships,omitempty" tf:"db_security_group_memberships,omitempty"`
+
+	// The Name of the Option (e.g., MEMCACHED).
+	OptionName *string `json:"optionName,omitempty" tf:"option_name,omitempty"`
+
+	// A list of option settings to apply.
+	OptionSettings []OptionSettingsObservation `json:"optionSettings,omitempty" tf:"option_settings,omitempty"`
+
+	// The Port number when connecting to the Option (e.g., 11211).
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// A list of VPC Security Groups for which the option is enabled.
+	VPCSecurityGroupMemberships []*string `json:"vpcSecurityGroupMemberships,omitempty" tf:"vpc_security_group_memberships,omitempty"`
+
+	// The version of the option (e.g., 13.1.0.0).
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type OptionParameters struct {
@@ -84,6 +117,12 @@ type OptionParameters struct {
 }
 
 type OptionSettingsObservation struct {
+
+	// The name of the option group. Must be lowercase, to match as it is stored in AWS.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The Value of the setting.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type OptionSettingsParameters struct {
@@ -121,8 +160,10 @@ type OptionGroupStatus struct {
 type OptionGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              OptionGroupSpec   `json:"spec"`
-	Status            OptionGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineName)",message="engineName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.majorEngineVersion)",message="majorEngineVersion is a required parameter"
+	Spec   OptionGroupSpec   `json:"spec"`
+	Status OptionGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_parametergroup_types.go b/apis/rds/v1beta1/zz_parametergroup_types.go
index f73365d7bd..e3a933cb26 100755
--- a/apis/rds/v1beta1/zz_parametergroup_types.go
+++ b/apis/rds/v1beta1/zz_parametergroup_types.go
@@ -18,9 +18,21 @@ type ParameterGroupObservation struct {
 	// The ARN of the db parameter group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the DB parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The family of the DB parameter group.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// The db parameter group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of DB parameters to apply. Note that parameters may differ from a family to an other. Full list of all parameters can be discovered via aws rds describe-db-parameters after initial creation of the group.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +44,8 @@ type ParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The family of the DB parameter group.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// A list of DB parameters to apply. Note that parameters may differ from a family to an other. Full list of all parameters can be discovered via aws rds describe-db-parameters after initial creation of the group.
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,17 @@ type ParameterGroupParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// "immediate" (default), or "pending-reboot". Some
+	// engines can't apply some parameters without a reboot, and you will need to
+	// specify "pending-reboot" here.
+	ApplyMethod *string `json:"applyMethod,omitempty" tf:"apply_method,omitempty"`
+
+	// The name of the DB parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the DB parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -93,8 +116,9 @@ type ParameterGroupStatus struct {
 type ParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ParameterGroupSpec   `json:"spec"`
-	Status            ParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	Spec   ParameterGroupSpec   `json:"spec"`
+	Status ParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_proxy_types.go b/apis/rds/v1beta1/zz_proxy_types.go
index 6b7c9bbd8b..5dfb5396ff 100755
--- a/apis/rds/v1beta1/zz_proxy_types.go
+++ b/apis/rds/v1beta1/zz_proxy_types.go
@@ -14,6 +14,24 @@ import (
 )
 
 type AuthObservation struct {
+
+	// The type of authentication that the proxy uses for connections from the proxy to the underlying database. One of SECRETS.
+	AuthScheme *string `json:"authScheme,omitempty" tf:"auth_scheme,omitempty"`
+
+	// The type of authentication the proxy uses for connections from clients. Valid values are MYSQL_NATIVE_PASSWORD, POSTGRES_SCRAM_SHA_256, POSTGRES_MD5, and SQL_SERVER_AUTHENTICATION.
+	ClientPasswordAuthType *string `json:"clientPasswordAuthType,omitempty" tf:"client_password_auth_type,omitempty"`
+
+	// A user-specified description about the authentication used by a proxy to log in as a specific database user.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether to require or disallow AWS Identity and Access Management (IAM) authentication for connections to the proxy. One of DISABLED, REQUIRED.
+	IAMAuth *string `json:"iamAuth,omitempty" tf:"iam_auth,omitempty"`
+
+	// The Amazon Resource Name (ARN) representing the secret that the proxy uses to authenticate to the RDS DB instance or Aurora DB cluster. These secrets are stored within Amazon Secrets Manager.
+	SecretArn *string `json:"secretArn,omitempty" tf:"secret_arn,omitempty"`
+
+	// The name of the database user to which the proxy connects.
+	Username *string `json:"username,omitempty" tf:"username,omitempty"`
 }
 
 type AuthParameters struct {
@@ -58,29 +76,56 @@ type ProxyObservation struct {
 	// The Amazon Resource Name (ARN) for the proxy.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters. Described below.
+	Auth []AuthObservation `json:"auth,omitempty" tf:"auth,omitempty"`
+
+	// Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.
+	DebugLogging *bool `json:"debugLogging,omitempty" tf:"debug_logging,omitempty"`
+
 	// The endpoint that you can use to connect to the proxy. You include the endpoint value in the connection string for a database client application.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. The engine family applies to MySQL and PostgreSQL for both RDS and Aurora. Valid values are MYSQL and POSTGRESQL.
+	EngineFamily *string `json:"engineFamily,omitempty" tf:"engine_family,omitempty"`
+
 	// The Amazon Resource Name (ARN) for the proxy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.
+	IdleClientTimeout *float64 `json:"idleClientTimeout,omitempty" tf:"idle_client_timeout,omitempty"`
+
+	// A Boolean parameter that specifies whether Transport Layer Security (TLS) encryption is required for connections to the proxy. By enabling this setting, you can enforce encrypted TLS connections to the proxy.
+	RequireTLS *bool `json:"requireTls,omitempty" tf:"require_tls,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the IAM role that the proxy uses to access secrets in AWS Secrets Manager.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// One or more VPC security group IDs to associate with the new proxy.
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
+
+	// One or more VPC subnet IDs to associate with the new proxy.
+	VPCSubnetIds []*string `json:"vpcSubnetIds,omitempty" tf:"vpc_subnet_ids,omitempty"`
 }
 
 type ProxyParameters struct {
 
 	// Configuration block(s) with authorization mechanisms to connect to the associated instances or clusters. Described below.
-	// +kubebuilder:validation:Required
-	Auth []AuthParameters `json:"auth" tf:"auth,omitempty"`
+	// +kubebuilder:validation:Optional
+	Auth []AuthParameters `json:"auth,omitempty" tf:"auth,omitempty"`
 
 	// Whether the proxy includes detailed information about SQL statements in its logs. This information helps you to debug issues involving SQL behavior or the performance and scalability of the proxy connections. The debug information includes the text of SQL statements that you submit through the proxy. Thus, only enable this setting when needed for debugging, and only when you have security measures in place to safeguard any sensitive information that appears in the logs.
 	// +kubebuilder:validation:Optional
 	DebugLogging *bool `json:"debugLogging,omitempty" tf:"debug_logging,omitempty"`
 
 	// The kinds of databases that the proxy can connect to. This value determines which database network protocol the proxy recognizes when it interprets network traffic to and from the database. The engine family applies to MySQL and PostgreSQL for both RDS and Aurora. Valid values are MYSQL and POSTGRESQL.
-	// +kubebuilder:validation:Required
-	EngineFamily *string `json:"engineFamily" tf:"engine_family,omitempty"`
+	// +kubebuilder:validation:Optional
+	EngineFamily *string `json:"engineFamily,omitempty" tf:"engine_family,omitempty"`
 
 	// The number of seconds that a connection to the proxy can be inactive before the proxy disconnects it. You can set this value higher or lower than the connection timeout limit for the associated database.
 	// +kubebuilder:validation:Optional
@@ -129,8 +174,8 @@ type ProxyParameters struct {
 	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 
 	// One or more VPC subnet IDs to associate with the new proxy.
-	// +kubebuilder:validation:Required
-	VPCSubnetIds []*string `json:"vpcSubnetIds" tf:"vpc_subnet_ids,omitempty"`
+	// +kubebuilder:validation:Optional
+	VPCSubnetIds []*string `json:"vpcSubnetIds,omitempty" tf:"vpc_subnet_ids,omitempty"`
 }
 
 // ProxySpec defines the desired state of Proxy
@@ -157,8 +202,11 @@ type ProxyStatus struct {
 type Proxy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProxySpec   `json:"spec"`
-	Status            ProxyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.auth)",message="auth is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineFamily)",message="engineFamily is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcSubnetIds)",message="vpcSubnetIds is a required parameter"
+	Spec   ProxySpec   `json:"spec"`
+	Status ProxyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_proxydefaulttargetgroup_types.go b/apis/rds/v1beta1/zz_proxydefaulttargetgroup_types.go
index 61688b8417..e880044005 100755
--- a/apis/rds/v1beta1/zz_proxydefaulttargetgroup_types.go
+++ b/apis/rds/v1beta1/zz_proxydefaulttargetgroup_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type ConnectionPoolConfigObservation struct {
+
+	// The number of seconds for a proxy to wait for a connection to become available in the connection pool. Only applies when the proxy has opened its maximum number of connections and all connections are busy with client sessions.
+	ConnectionBorrowTimeout *float64 `json:"connectionBorrowTimeout,omitempty" tf:"connection_borrow_timeout,omitempty"`
+
+	// One or more SQL statements for the proxy to run when opening each new database connection. Typically used with SET statements to make sure that each connection has identical settings such as time zone and character set. This setting is empty by default. For multiple statements, use semicolons as the separator. You can also include multiple variables in a single SET statement, such as SET x=1, y=2.
+	InitQuery *string `json:"initQuery,omitempty" tf:"init_query,omitempty"`
+
+	// The maximum size of the connection pool for each target in a target group. For Aurora MySQL, it is expressed as a percentage of the max_connections setting for the RDS DB instance or Aurora DB cluster used by the target group.
+	MaxConnectionsPercent *float64 `json:"maxConnectionsPercent,omitempty" tf:"max_connections_percent,omitempty"`
+
+	// Controls how actively the proxy closes idle database connections in the connection pool. A high value enables the proxy to leave a high percentage of idle connections open. A low value causes the proxy to close idle client connections and return the underlying database connections to the connection pool. For Aurora MySQL, it is expressed as a percentage of the max_connections setting for the RDS DB instance or Aurora DB cluster used by the target group.
+	MaxIdleConnectionsPercent *float64 `json:"maxIdleConnectionsPercent,omitempty" tf:"max_idle_connections_percent,omitempty"`
+
+	// Each item in the list represents a class of SQL operations that normally cause all later statements in a session using a proxy to be pinned to the same underlying database connection. Including an item in the list exempts that class of SQL operations from the pinning behavior. Currently, the only allowed value is EXCLUDE_VARIABLE_SETS.
+	SessionPinningFilters []*string `json:"sessionPinningFilters,omitempty" tf:"session_pinning_filters,omitempty"`
 }
 
 type ConnectionPoolConfigParameters struct {
@@ -44,6 +59,12 @@ type ProxyDefaultTargetGroupObservation struct {
 	// The Amazon Resource Name (ARN) representing the target group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The settings that determine the size and behavior of the connection pool for the target group.
+	ConnectionPoolConfig []ConnectionPoolConfigObservation `json:"connectionPoolConfig,omitempty" tf:"connection_pool_config,omitempty"`
+
+	// Name of the RDS DB Proxy.
+	DBProxyName *string `json:"dbProxyName,omitempty" tf:"db_proxy_name,omitempty"`
+
 	// Name of the RDS DB Proxy.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
diff --git a/apis/rds/v1beta1/zz_proxyendpoint_types.go b/apis/rds/v1beta1/zz_proxyendpoint_types.go
index 81bed095e1..4ed1766554 100755
--- a/apis/rds/v1beta1/zz_proxyendpoint_types.go
+++ b/apis/rds/v1beta1/zz_proxyendpoint_types.go
@@ -18,6 +18,9 @@ type ProxyEndpointObservation struct {
 	// The Amazon Resource Name (ARN) for the proxy endpoint.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The name of the DB proxy associated with the DB proxy endpoint that you create.
+	DBProxyName *string `json:"dbProxyName,omitempty" tf:"db_proxy_name,omitempty"`
+
 	// The endpoint that you can use to connect to the proxy. You include the endpoint value in the connection string for a database client application.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
@@ -27,10 +30,22 @@ type ProxyEndpointObservation struct {
 	// Indicates whether this endpoint is the default endpoint for the associated DB proxy.
 	IsDefault *bool `json:"isDefault,omitempty" tf:"is_default,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Indicates whether the DB proxy endpoint can be used for read/write or read-only operations. The default is READ_WRITE. Valid values are READ_WRITE and READ_ONLY.
+	TargetRole *string `json:"targetRole,omitempty" tf:"target_role,omitempty"`
+
 	// The VPC ID of the DB proxy endpoint.
 	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// One or more VPC security group IDs to associate with the new proxy.
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
+
+	// One or more VPC subnet IDs to associate with the new proxy.
+	VPCSubnetIds []*string `json:"vpcSubnetIds,omitempty" tf:"vpc_subnet_ids,omitempty"`
 }
 
 type ProxyEndpointParameters struct {
@@ -77,8 +92,8 @@ type ProxyEndpointParameters struct {
 	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 
 	// One or more VPC subnet IDs to associate with the new proxy.
-	// +kubebuilder:validation:Required
-	VPCSubnetIds []*string `json:"vpcSubnetIds" tf:"vpc_subnet_ids,omitempty"`
+	// +kubebuilder:validation:Optional
+	VPCSubnetIds []*string `json:"vpcSubnetIds,omitempty" tf:"vpc_subnet_ids,omitempty"`
 }
 
 // ProxyEndpointSpec defines the desired state of ProxyEndpoint
@@ -105,8 +120,9 @@ type ProxyEndpointStatus struct {
 type ProxyEndpoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProxyEndpointSpec   `json:"spec"`
-	Status            ProxyEndpointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcSubnetIds)",message="vpcSubnetIds is a required parameter"
+	Spec   ProxyEndpointSpec   `json:"spec"`
+	Status ProxyEndpointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_proxytarget_types.go b/apis/rds/v1beta1/zz_proxytarget_types.go
index bf579fbb06..7add3f530e 100755
--- a/apis/rds/v1beta1/zz_proxytarget_types.go
+++ b/apis/rds/v1beta1/zz_proxytarget_types.go
@@ -15,6 +15,15 @@ import (
 
 type ProxyTargetObservation struct {
 
+	// DB cluster identifier.
+	DBClusterIdentifier *string `json:"dbClusterIdentifier,omitempty" tf:"db_cluster_identifier,omitempty"`
+
+	// DB instance identifier.
+	DBInstanceIdentifier *string `json:"dbInstanceIdentifier,omitempty" tf:"db_instance_identifier,omitempty"`
+
+	// The name of the DB proxy.
+	DBProxyName *string `json:"dbProxyName,omitempty" tf:"db_proxy_name,omitempty"`
+
 	// Hostname for the target RDS DB Instance. Only returned for RDS_INSTANCE type.
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
@@ -30,6 +39,9 @@ type ProxyTargetObservation struct {
 	// Amazon Resource Name (ARN) for the DB instance or DB cluster. Currently not returned by the RDS API.
 	TargetArn *string `json:"targetArn,omitempty" tf:"target_arn,omitempty"`
 
+	// The name of the target group.
+	TargetGroupName *string `json:"targetGroupName,omitempty" tf:"target_group_name,omitempty"`
+
 	// DB Cluster identifier for the DB Instance target. Not returned unless manually importing an RDS_INSTANCE target that is part of a DB Cluster.
 	TrackedClusterID *string `json:"trackedClusterId,omitempty" tf:"tracked_cluster_id,omitempty"`
 
@@ -76,8 +88,8 @@ type ProxyTargetParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The name of the target group.
-	// +kubebuilder:validation:Required
-	TargetGroupName *string `json:"targetGroupName" tf:"target_group_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetGroupName *string `json:"targetGroupName,omitempty" tf:"target_group_name,omitempty"`
 }
 
 // ProxyTargetSpec defines the desired state of ProxyTarget
@@ -104,8 +116,9 @@ type ProxyTargetStatus struct {
 type ProxyTarget struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProxyTargetSpec   `json:"spec"`
-	Status            ProxyTargetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetGroupName)",message="targetGroupName is a required parameter"
+	Spec   ProxyTargetSpec   `json:"spec"`
+	Status ProxyTargetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_securitygroup_types.go b/apis/rds/v1beta1/zz_securitygroup_types.go
index 175d68b5f5..6eeab5000c 100755
--- a/apis/rds/v1beta1/zz_securitygroup_types.go
+++ b/apis/rds/v1beta1/zz_securitygroup_types.go
@@ -14,6 +14,19 @@ import (
 )
 
 type IngressObservation struct {
+
+	// The CIDR block to accept
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
+
+	// The ID of the security group to authorize
+	SecurityGroupID *string `json:"securityGroupId,omitempty" tf:"security_group_id,omitempty"`
+
+	// The name of the security group to authorize
+	SecurityGroupName *string `json:"securityGroupName,omitempty" tf:"security_group_name,omitempty"`
+
+	// The owner Id of the security group provided
+	// by security_group_name.
+	SecurityGroupOwnerID *string `json:"securityGroupOwnerId,omitempty" tf:"security_group_owner_id,omitempty"`
 }
 
 type IngressParameters struct {
@@ -41,9 +54,18 @@ type SecurityGroupObservation struct {
 	// The arn of the DB security group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the DB security group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The db security group ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of ingress rules.
+	Ingress []IngressObservation `json:"ingress,omitempty" tf:"ingress,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -55,8 +77,8 @@ type SecurityGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A list of ingress rules.
-	// +kubebuilder:validation:Required
-	Ingress []IngressParameters `json:"ingress" tf:"ingress,omitempty"`
+	// +kubebuilder:validation:Optional
+	Ingress []IngressParameters `json:"ingress,omitempty" tf:"ingress,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -92,8 +114,9 @@ type SecurityGroupStatus struct {
 type SecurityGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SecurityGroupSpec   `json:"spec"`
-	Status            SecurityGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ingress)",message="ingress is a required parameter"
+	Spec   SecurityGroupSpec   `json:"spec"`
+	Status SecurityGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rds/v1beta1/zz_snapshot_types.go b/apis/rds/v1beta1/zz_snapshot_types.go
index d82e1b98a5..9c45bfb7db 100755
--- a/apis/rds/v1beta1/zz_snapshot_types.go
+++ b/apis/rds/v1beta1/zz_snapshot_types.go
@@ -21,6 +21,9 @@ type SnapshotObservation struct {
 	// Specifies the name of the Availability Zone the DB instance was located in at the time of the DB snapshot.
 	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
 
+	// The DB Instance Identifier from which to take the snapshot.
+	DBInstanceIdentifier *string `json:"dbInstanceIdentifier,omitempty" tf:"db_instance_identifier,omitempty"`
+
 	// The Amazon Resource Name (ARN) for the DB snapshot.
 	DBSnapshotArn *string `json:"dbSnapshotArn,omitempty" tf:"db_snapshot_arn,omitempty"`
 
@@ -63,6 +66,9 @@ type SnapshotObservation struct {
 	// Specifies the storage type associated with DB snapshot.
 	StorageType *string `json:"storageType,omitempty" tf:"storage_type,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
diff --git a/apis/rds/v1beta1/zz_subnetgroup_types.go b/apis/rds/v1beta1/zz_subnetgroup_types.go
index d70f0fc456..3900d5d253 100755
--- a/apis/rds/v1beta1/zz_subnetgroup_types.go
+++ b/apis/rds/v1beta1/zz_subnetgroup_types.go
@@ -18,12 +18,21 @@ type SubnetGroupObservation struct {
 	// The ARN of the db subnet group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the DB subnet group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The db subnet group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of VPC subnet IDs.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
 	// The network type of the db subnet group.
 	SupportedNetworkTypes []*string `json:"supportedNetworkTypes,omitempty" tf:"supported_network_types,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/redshift/v1beta1/zz_authenticationprofile_types.go b/apis/redshift/v1beta1/zz_authenticationprofile_types.go
index f29aeb73c2..e5a1155e66 100755
--- a/apis/redshift/v1beta1/zz_authenticationprofile_types.go
+++ b/apis/redshift/v1beta1/zz_authenticationprofile_types.go
@@ -15,6 +15,9 @@ import (
 
 type AuthenticationProfileObservation struct {
 
+	// The content of the authentication profile in JSON format. The maximum length of the JSON string is determined by a quota for your account.
+	AuthenticationProfileContent *string `json:"authenticationProfileContent,omitempty" tf:"authentication_profile_content,omitempty"`
+
 	// The name of the authentication profile.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -22,8 +25,8 @@ type AuthenticationProfileObservation struct {
 type AuthenticationProfileParameters struct {
 
 	// The content of the authentication profile in JSON format. The maximum length of the JSON string is determined by a quota for your account.
-	// +kubebuilder:validation:Required
-	AuthenticationProfileContent *string `json:"authenticationProfileContent" tf:"authentication_profile_content,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthenticationProfileContent *string `json:"authenticationProfileContent,omitempty" tf:"authentication_profile_content,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -55,8 +58,9 @@ type AuthenticationProfileStatus struct {
 type AuthenticationProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AuthenticationProfileSpec   `json:"spec"`
-	Status            AuthenticationProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authenticationProfileContent)",message="authenticationProfileContent is a required parameter"
+	Spec   AuthenticationProfileSpec   `json:"spec"`
+	Status AuthenticationProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/redshift/v1beta1/zz_cluster_types.go b/apis/redshift/v1beta1/zz_cluster_types.go
index 216340a570..3492a75779 100755
--- a/apis/redshift/v1beta1/zz_cluster_types.go
+++ b/apis/redshift/v1beta1/zz_cluster_types.go
@@ -30,20 +30,140 @@ type ClusterNodesParameters struct {
 
 type ClusterObservation struct {
 
+	// If true , major version upgrades can be applied during the maintenance window to the Amazon Redshift engine that is running on the cluster. Default is true.
+	AllowVersionUpgrade *bool `json:"allowVersionUpgrade,omitempty" tf:"allow_version_upgrade,omitempty"`
+
+	// Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. Default is false.
+	ApplyImmediately *bool `json:"applyImmediately,omitempty" tf:"apply_immediately,omitempty"`
+
+	// The value represents how the cluster is configured to use AQUA (Advanced Query Accelerator) after the cluster is restored. Possible values are enabled, disabled, and auto. Requires Cluster reboot.
+	AquaConfigurationStatus *string `json:"aquaConfigurationStatus,omitempty" tf:"aqua_configuration_status,omitempty"`
+
 	// Amazon Resource Name (ARN) of cluster
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The number of days that automated snapshots are retained. If the value is 0, automated snapshots are disabled. Even if automated snapshots are disabled, you can still create manual snapshots when you want with create-cluster-snapshot. Default is 1.
+	AutomatedSnapshotRetentionPeriod *float64 `json:"automatedSnapshotRetentionPeriod,omitempty" tf:"automated_snapshot_retention_period,omitempty"`
+
+	// The EC2 Availability Zone (AZ) in which you want Amazon Redshift to provision the cluster. For example, if you have several EC2 instances running in a specific Availability Zone, then you might want the cluster to be provisioned in the same zone in order to decrease network latency. Can only be changed if availability_zone_relocation_enabled is true.
+	AvailabilityZone *string `json:"availabilityZone,omitempty" tf:"availability_zone,omitempty"`
+
+	// If true, the cluster can be relocated to another availabity zone, either automatically by AWS or when requested. Default is false. Available for use on clusters from the RA3 instance family.
+	AvailabilityZoneRelocationEnabled *bool `json:"availabilityZoneRelocationEnabled,omitempty" tf:"availability_zone_relocation_enabled,omitempty"`
+
 	// The nodes in the cluster. Cluster node blocks are documented below
 	ClusterNodes []ClusterNodesObservation `json:"clusterNodes,omitempty" tf:"cluster_nodes,omitempty"`
 
+	// The name of the parameter group to be associated with this cluster.
+	ClusterParameterGroupName *string `json:"clusterParameterGroupName,omitempty" tf:"cluster_parameter_group_name,omitempty"`
+
+	// The public key for the cluster
+	ClusterPublicKey *string `json:"clusterPublicKey,omitempty" tf:"cluster_public_key,omitempty"`
+
+	// The specific revision number of the database in the cluster
+	ClusterRevisionNumber *string `json:"clusterRevisionNumber,omitempty" tf:"cluster_revision_number,omitempty"`
+
+	// A list of security groups to be associated with this cluster.
+	ClusterSecurityGroups []*string `json:"clusterSecurityGroups,omitempty" tf:"cluster_security_groups,omitempty"`
+
+	// The name of a cluster subnet group to be associated with this cluster. If this parameter is not provided the resulting cluster will be deployed outside virtual private cloud (VPC).
+	ClusterSubnetGroupName *string `json:"clusterSubnetGroupName,omitempty" tf:"cluster_subnet_group_name,omitempty"`
+
+	// The cluster type to use. Either single-node or multi-node.
+	ClusterType *string `json:"clusterType,omitempty" tf:"cluster_type,omitempty"`
+
+	// The version of the Amazon Redshift engine software that you want to deploy on the cluster.
+	// The version selected runs on all the nodes in the cluster.
+	ClusterVersion *string `json:"clusterVersion,omitempty" tf:"cluster_version,omitempty"`
+
 	// The DNS name of the cluster
 	DNSName *string `json:"dnsName,omitempty" tf:"dns_name,omitempty"`
 
+	// The name of the first database to be created when the cluster is created.
+	// If you do not provide a name, Amazon Redshift will create a default database called dev.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
+	// The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created.
+	DefaultIAMRoleArn *string `json:"defaultIamRoleArn,omitempty" tf:"default_iam_role_arn,omitempty"`
+
+	// The Elastic IP (EIP) address for the cluster.
+	ElasticIP *string `json:"elasticIp,omitempty" tf:"elastic_ip,omitempty"`
+
+	// If true , the data in the cluster is encrypted at rest.
+	Encrypted *bool `json:"encrypted,omitempty" tf:"encrypted,omitempty"`
+
+	// The connection endpoint
+	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
+
+	// If true , enhanced VPC routing is enabled.
+	EnhancedVPCRouting *bool `json:"enhancedVpcRouting,omitempty" tf:"enhanced_vpc_routing,omitempty"`
+
+	// The identifier of the final snapshot that is to be created immediately before deleting the cluster. If this parameter is provided, skip_final_snapshot must be false.
+	FinalSnapshotIdentifier *string `json:"finalSnapshotIdentifier,omitempty" tf:"final_snapshot_identifier,omitempty"`
+
+	// A list of IAM Role ARNs to associate with the cluster. A Maximum of 10 can be associated to the cluster at any time.
+	IAMRoles []*string `json:"iamRoles,omitempty" tf:"iam_roles,omitempty"`
+
 	// The Redshift Cluster ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN for the KMS encryption key. When specifying kms_key_id, encrypted needs to be set to true.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Logging, documented below.
+	Logging []LoggingObservation `json:"logging,omitempty" tf:"logging,omitempty"`
+
+	// The name of the maintenance track for the restored cluster. When you take a snapshot, the snapshot inherits the MaintenanceTrack value from the cluster. The snapshot might be on a different track than the cluster that was the source for the snapshot. For example, suppose that you take a snapshot of  a cluster that is on the current track and then change the cluster to be on the trailing track. In this case, the snapshot and the source cluster are on different tracks. Default value is current.
+	MaintenanceTrackName *string `json:"maintenanceTrackName,omitempty" tf:"maintenance_track_name,omitempty"`
+
+	// The default number of days to retain a manual snapshot. If the value is -1, the snapshot is retained indefinitely. This setting doesn't change the retention period of existing snapshots. Valid values are between -1 and 3653. Default value is -1.
+	ManualSnapshotRetentionPeriod *float64 `json:"manualSnapshotRetentionPeriod,omitempty" tf:"manual_snapshot_retention_period,omitempty"`
+
+	// Username for the master DB user.
+	MasterUsername *string `json:"masterUsername,omitempty" tf:"master_username,omitempty"`
+
+	// The node type to be provisioned for the cluster.
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
+
+	// The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node. Default is 1.
+	NumberOfNodes *float64 `json:"numberOfNodes,omitempty" tf:"number_of_nodes,omitempty"`
+
+	// The AWS customer account used to create or copy the snapshot. Required if you are restoring a snapshot you do not own, optional if you own the snapshot.
+	OwnerAccount *string `json:"ownerAccount,omitempty" tf:"owner_account,omitempty"`
+
+	// The port number on which the cluster accepts incoming connections. Valid values are between 1115 and 65535.
+	// The cluster is accessible only via the JDBC and ODBC connection strings.
+	// Part of the connection string requires the port on which the cluster will listen for incoming connections.
+	// Default port is 5439.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// The weekly time range (in UTC) during which automated cluster maintenance can occur.
+	// Format: ddd:hh24:mi-ddd:hh24:mi
+	PreferredMaintenanceWindow *string `json:"preferredMaintenanceWindow,omitempty" tf:"preferred_maintenance_window,omitempty"`
+
+	// If true, the cluster can be accessed from a public network. Default is true.
+	PubliclyAccessible *bool `json:"publiclyAccessible,omitempty" tf:"publicly_accessible,omitempty"`
+
+	// Determines whether a final snapshot of the cluster is created before Amazon Redshift deletes the cluster. If true , a final cluster snapshot is not created. If false , a final cluster snapshot is created before the cluster is deleted. Default is false.
+	SkipFinalSnapshot *bool `json:"skipFinalSnapshot,omitempty" tf:"skip_final_snapshot,omitempty"`
+
+	// The name of the cluster the source snapshot was created from.
+	SnapshotClusterIdentifier *string `json:"snapshotClusterIdentifier,omitempty" tf:"snapshot_cluster_identifier,omitempty"`
+
+	// Configuration of automatic copy of snapshots from one region to another. Documented below.
+	SnapshotCopy []SnapshotCopyObservation `json:"snapshotCopy,omitempty" tf:"snapshot_copy,omitempty"`
+
+	// The name of the snapshot from which to create the new cluster.
+	SnapshotIdentifier *string `json:"snapshotIdentifier,omitempty" tf:"snapshot_identifier,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// A list of Virtual Private Cloud (VPC) security groups to be associated with the cluster.
+	VPCSecurityGroupIds []*string `json:"vpcSecurityGroupIds,omitempty" tf:"vpc_security_group_ids,omitempty"`
 }
 
 type ClusterParameters struct {
@@ -191,8 +311,8 @@ type ClusterParameters struct {
 	MasterUsername *string `json:"masterUsername,omitempty" tf:"master_username,omitempty"`
 
 	// The node type to be provisioned for the cluster.
-	// +kubebuilder:validation:Required
-	NodeType *string `json:"nodeType" tf:"node_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
 
 	// The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node. Default is 1.
 	// +kubebuilder:validation:Optional
@@ -260,6 +380,22 @@ type ClusterParameters struct {
 }
 
 type LoggingObservation struct {
+
+	// The name of an existing S3 bucket where the log files are to be stored. Must be in the same region as the cluster and the cluster must have read bucket and put object permissions.
+	// For more information on the permissions required for the bucket, please read the AWS documentation
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Enables logging information such as queries and connection attempts, for the specified Amazon Redshift cluster.
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	// The log destination type. An enum with possible values of s3 and cloudwatch.
+	LogDestinationType *string `json:"logDestinationType,omitempty" tf:"log_destination_type,omitempty"`
+
+	// The collection of exported log types. Log types include the connection log, user log and user activity log. Required when log_destination_type is cloudwatch. Valid log types are connectionlog, userlog, and useractivitylog.
+	LogExports []*string `json:"logExports,omitempty" tf:"log_exports,omitempty"`
+
+	// The prefix applied to the log file names.
+	S3KeyPrefix *string `json:"s3KeyPrefix,omitempty" tf:"s3_key_prefix,omitempty"`
 }
 
 type LoggingParameters struct {
@@ -287,6 +423,15 @@ type LoggingParameters struct {
 }
 
 type SnapshotCopyObservation struct {
+
+	// The destination region that you want to copy snapshots to.
+	DestinationRegion *string `json:"destinationRegion,omitempty" tf:"destination_region,omitempty"`
+
+	// The name of the snapshot copy grant to use when snapshots of an AWS KMS-encrypted cluster are copied to the destination region.
+	GrantName *string `json:"grantName,omitempty" tf:"grant_name,omitempty"`
+
+	// The number of days to retain automated snapshots in the destination region after they are copied from the source region. Defaults to 7.
+	RetentionPeriod *float64 `json:"retentionPeriod,omitempty" tf:"retention_period,omitempty"`
 }
 
 type SnapshotCopyParameters struct {
@@ -328,8 +473,9 @@ type ClusterStatus struct {
 type Cluster struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterSpec   `json:"spec"`
-	Status            ClusterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.nodeType)",message="nodeType is a required parameter"
+	Spec   ClusterSpec   `json:"spec"`
+	Status ClusterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/redshift/v1beta1/zz_eventsubscription_types.go b/apis/redshift/v1beta1/zz_eventsubscription_types.go
index ba7d5eb57d..9a9afedea9 100755
--- a/apis/redshift/v1beta1/zz_eventsubscription_types.go
+++ b/apis/redshift/v1beta1/zz_eventsubscription_types.go
@@ -21,11 +21,32 @@ type EventSubscriptionObservation struct {
 	// The AWS customer account associated with the Redshift event notification subscription
 	CustomerAwsID *string `json:"customerAwsId,omitempty" tf:"customer_aws_id,omitempty"`
 
+	// A boolean flag to enable/disable the subscription. Defaults to true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// A list of event categories for a SourceType that you want to subscribe to. See https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-event-notifications.html or run aws redshift describe-event-categories.
+	EventCategories []*string `json:"eventCategories,omitempty" tf:"event_categories,omitempty"`
+
 	// The name of the Redshift event notification subscription
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The event severity to be published by the notification subscription. Valid options are INFO or ERROR. Default value of INFO.
+	Severity *string `json:"severity,omitempty" tf:"severity,omitempty"`
+
+	// The ARN of the SNS topic to send events to.
+	SnsTopicArn *string `json:"snsTopicArn,omitempty" tf:"sns_topic_arn,omitempty"`
+
+	// A list of identifiers of the event sources for which events will be returned. If not specified, then all sources are included in the response. If specified, a source_type must also be specified.
+	SourceIds []*string `json:"sourceIds,omitempty" tf:"source_ids,omitempty"`
+
+	// The type of source that will be generating the events. Valid options are cluster, cluster-parameter-group, cluster-security-group, cluster-snapshot, or scheduled-action. If not set, all sources will be subscribed to.
+	SourceType *string `json:"sourceType,omitempty" tf:"source_type,omitempty"`
+
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/redshift/v1beta1/zz_generated.deepcopy.go b/apis/redshift/v1beta1/zz_generated.deepcopy.go
index ed7af193ad..5f45ed0d18 100644
--- a/apis/redshift/v1beta1/zz_generated.deepcopy.go
+++ b/apis/redshift/v1beta1/zz_generated.deepcopy.go
@@ -76,6 +76,11 @@ func (in *AuthenticationProfileList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AuthenticationProfileObservation) DeepCopyInto(out *AuthenticationProfileObservation) {
 	*out = *in
+	if in.AuthenticationProfileContent != nil {
+		in, out := &in.AuthenticationProfileContent, &out.AuthenticationProfileContent
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -259,11 +264,41 @@ func (in *ClusterNodesParameters) DeepCopy() *ClusterNodesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 	*out = *in
+	if in.AllowVersionUpgrade != nil {
+		in, out := &in.AllowVersionUpgrade, &out.AllowVersionUpgrade
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ApplyImmediately != nil {
+		in, out := &in.ApplyImmediately, &out.ApplyImmediately
+		*out = new(bool)
+		**out = **in
+	}
+	if in.AquaConfigurationStatus != nil {
+		in, out := &in.AquaConfigurationStatus, &out.AquaConfigurationStatus
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AutomatedSnapshotRetentionPeriod != nil {
+		in, out := &in.AutomatedSnapshotRetentionPeriod, &out.AutomatedSnapshotRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.AvailabilityZone != nil {
+		in, out := &in.AvailabilityZone, &out.AvailabilityZone
+		*out = new(string)
+		**out = **in
+	}
+	if in.AvailabilityZoneRelocationEnabled != nil {
+		in, out := &in.AvailabilityZoneRelocationEnabled, &out.AvailabilityZoneRelocationEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ClusterNodes != nil {
 		in, out := &in.ClusterNodes, &out.ClusterNodes
 		*out = make([]ClusterNodesObservation, len(*in))
@@ -271,16 +306,197 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ClusterParameterGroupName != nil {
+		in, out := &in.ClusterParameterGroupName, &out.ClusterParameterGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterPublicKey != nil {
+		in, out := &in.ClusterPublicKey, &out.ClusterPublicKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterRevisionNumber != nil {
+		in, out := &in.ClusterRevisionNumber, &out.ClusterRevisionNumber
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterSecurityGroups != nil {
+		in, out := &in.ClusterSecurityGroups, &out.ClusterSecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ClusterSubnetGroupName != nil {
+		in, out := &in.ClusterSubnetGroupName, &out.ClusterSubnetGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterType != nil {
+		in, out := &in.ClusterType, &out.ClusterType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterVersion != nil {
+		in, out := &in.ClusterVersion, &out.ClusterVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.DNSName != nil {
 		in, out := &in.DNSName, &out.DNSName
 		*out = new(string)
 		**out = **in
 	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultIAMRoleArn != nil {
+		in, out := &in.DefaultIAMRoleArn, &out.DefaultIAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ElasticIP != nil {
+		in, out := &in.ElasticIP, &out.ElasticIP
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encrypted != nil {
+		in, out := &in.Encrypted, &out.Encrypted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnhancedVPCRouting != nil {
+		in, out := &in.EnhancedVPCRouting, &out.EnhancedVPCRouting
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FinalSnapshotIdentifier != nil {
+		in, out := &in.FinalSnapshotIdentifier, &out.FinalSnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMRoles != nil {
+		in, out := &in.IAMRoles, &out.IAMRoles
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Logging != nil {
+		in, out := &in.Logging, &out.Logging
+		*out = make([]LoggingObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MaintenanceTrackName != nil {
+		in, out := &in.MaintenanceTrackName, &out.MaintenanceTrackName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ManualSnapshotRetentionPeriod != nil {
+		in, out := &in.ManualSnapshotRetentionPeriod, &out.ManualSnapshotRetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MasterUsername != nil {
+		in, out := &in.MasterUsername, &out.MasterUsername
+		*out = new(string)
+		**out = **in
+	}
+	if in.NodeType != nil {
+		in, out := &in.NodeType, &out.NodeType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfNodes != nil {
+		in, out := &in.NumberOfNodes, &out.NumberOfNodes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.OwnerAccount != nil {
+		in, out := &in.OwnerAccount, &out.OwnerAccount
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.PreferredMaintenanceWindow != nil {
+		in, out := &in.PreferredMaintenanceWindow, &out.PreferredMaintenanceWindow
+		*out = new(string)
+		**out = **in
+	}
+	if in.PubliclyAccessible != nil {
+		in, out := &in.PubliclyAccessible, &out.PubliclyAccessible
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SkipFinalSnapshot != nil {
+		in, out := &in.SkipFinalSnapshot, &out.SkipFinalSnapshot
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SnapshotClusterIdentifier != nil {
+		in, out := &in.SnapshotClusterIdentifier, &out.SnapshotClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotCopy != nil {
+		in, out := &in.SnapshotCopy, &out.SnapshotCopy
+		*out = make([]SnapshotCopyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SnapshotIdentifier != nil {
+		in, out := &in.SnapshotIdentifier, &out.SnapshotIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -296,6 +512,17 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCSecurityGroupIds != nil {
+		in, out := &in.VPCSecurityGroupIds, &out.VPCSecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterObservation.
@@ -705,16 +932,73 @@ func (in *EventSubscriptionObservation) DeepCopyInto(out *EventSubscriptionObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EventCategories != nil {
+		in, out := &in.EventCategories, &out.EventCategories
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Severity != nil {
+		in, out := &in.Severity, &out.Severity
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnsTopicArn != nil {
+		in, out := &in.SnsTopicArn, &out.SnsTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceIds != nil {
+		in, out := &in.SourceIds, &out.SourceIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SourceType != nil {
+		in, out := &in.SourceType, &out.SourceType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -940,6 +1224,21 @@ func (in *HSMClientCertificateObservation) DeepCopyInto(out *HSMClientCertificat
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1103,11 +1402,46 @@ func (in *HSMConfigurationObservation) DeepCopyInto(out *HSMConfigurationObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.HSMIPAddress != nil {
+		in, out := &in.HSMIPAddress, &out.HSMIPAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.HSMPartitionName != nil {
+		in, out := &in.HSMPartitionName, &out.HSMPartitionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.HSMServerPublicCertificate != nil {
+		in, out := &in.HSMServerPublicCertificate, &out.HSMServerPublicCertificate
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1228,6 +1562,37 @@ func (in *HSMConfigurationStatus) DeepCopy() *HSMConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingObservation) DeepCopyInto(out *LoggingObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.LogDestinationType != nil {
+		in, out := &in.LogDestinationType, &out.LogDestinationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogExports != nil {
+		in, out := &in.LogExports, &out.LogExports
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.S3KeyPrefix != nil {
+		in, out := &in.S3KeyPrefix, &out.S3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingObservation.
@@ -1353,11 +1718,48 @@ func (in *ParameterGroupObservation) DeepCopyInto(out *ParameterGroupObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Family != nil {
+		in, out := &in.Family, &out.Family
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]ParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1479,6 +1881,16 @@ func (in *ParameterGroupStatus) DeepCopy() *ParameterGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation) DeepCopyInto(out *ParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParameterObservation.
@@ -1519,6 +1931,11 @@ func (in *ParameterParameters) DeepCopy() *ParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PauseClusterObservation) DeepCopyInto(out *PauseClusterObservation) {
 	*out = *in
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PauseClusterObservation.
@@ -1554,6 +1971,31 @@ func (in *PauseClusterParameters) DeepCopy() *PauseClusterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResizeClusterObservation) DeepCopyInto(out *ResizeClusterObservation) {
 	*out = *in
+	if in.Classic != nil {
+		in, out := &in.Classic, &out.Classic
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterType != nil {
+		in, out := &in.ClusterType, &out.ClusterType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NodeType != nil {
+		in, out := &in.NodeType, &out.NodeType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NumberOfNodes != nil {
+		in, out := &in.NumberOfNodes, &out.NumberOfNodes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResizeClusterObservation.
@@ -1609,6 +2051,11 @@ func (in *ResizeClusterParameters) DeepCopy() *ResizeClusterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResumeClusterObservation) DeepCopyInto(out *ResumeClusterObservation) {
 	*out = *in
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResumeClusterObservation.
@@ -1703,11 +2150,48 @@ func (in *ScheduledActionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduledActionObservation) DeepCopyInto(out *ScheduledActionObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enable != nil {
+		in, out := &in.Enable, &out.Enable
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EndTime != nil {
+		in, out := &in.EndTime, &out.EndTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMRole != nil {
+		in, out := &in.IAMRole, &out.IAMRole
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartTime != nil {
+		in, out := &in.StartTime, &out.StartTime
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetAction != nil {
+		in, out := &in.TargetAction, &out.TargetAction
+		*out = make([]TargetActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduledActionObservation.
@@ -1893,6 +2377,31 @@ func (in *SnapshotCopyGrantObservation) DeepCopyInto(out *SnapshotCopyGrantObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SnapshotCopyGrantName != nil {
+		in, out := &in.SnapshotCopyGrantName, &out.SnapshotCopyGrantName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2012,6 +2521,21 @@ func (in *SnapshotCopyGrantStatus) DeepCopy() *SnapshotCopyGrantStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapshotCopyObservation) DeepCopyInto(out *SnapshotCopyObservation) {
 	*out = *in
+	if in.DestinationRegion != nil {
+		in, out := &in.DestinationRegion, &out.DestinationRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.GrantName != nil {
+		in, out := &in.GrantName, &out.GrantName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetentionPeriod != nil {
+		in, out := &in.RetentionPeriod, &out.RetentionPeriod
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotCopyObservation.
@@ -2143,11 +2667,21 @@ func (in *SnapshotScheduleAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnapshotScheduleAssociationObservation) DeepCopyInto(out *SnapshotScheduleAssociationObservation) {
 	*out = *in
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ScheduleIdentifier != nil {
+		in, out := &in.ScheduleIdentifier, &out.ScheduleIdentifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnapshotScheduleAssociationObservation.
@@ -2284,11 +2818,47 @@ func (in *SnapshotScheduleObservation) DeepCopyInto(out *SnapshotScheduleObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.Definitions != nil {
+		in, out := &in.Definitions, &out.Definitions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2473,11 +3043,42 @@ func (in *SubnetGroupObservation) DeepCopyInto(out *SubnetGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2605,6 +3206,27 @@ func (in *SubnetGroupStatus) DeepCopy() *SubnetGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetActionObservation) DeepCopyInto(out *TargetActionObservation) {
 	*out = *in
+	if in.PauseCluster != nil {
+		in, out := &in.PauseCluster, &out.PauseCluster
+		*out = make([]PauseClusterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResizeCluster != nil {
+		in, out := &in.ResizeCluster, &out.ResizeCluster
+		*out = make([]ResizeClusterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResumeCluster != nil {
+		in, out := &in.ResumeCluster, &out.ResumeCluster
+		*out = make([]ResumeClusterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetActionObservation.
@@ -2715,16 +3337,61 @@ func (in *UsageLimitList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UsageLimitObservation) DeepCopyInto(out *UsageLimitObservation) {
 	*out = *in
+	if in.Amount != nil {
+		in, out := &in.Amount, &out.Amount
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BreachAction != nil {
+		in, out := &in.BreachAction, &out.BreachAction
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClusterIdentifier != nil {
+		in, out := &in.ClusterIdentifier, &out.ClusterIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.FeatureType != nil {
+		in, out := &in.FeatureType, &out.FeatureType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LimitType != nil {
+		in, out := &in.LimitType, &out.LimitType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Period != nil {
+		in, out := &in.Period, &out.Period
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/redshift/v1beta1/zz_hsmclientcertificate_types.go b/apis/redshift/v1beta1/zz_hsmclientcertificate_types.go
index c178d4116d..6647d1a096 100755
--- a/apis/redshift/v1beta1/zz_hsmclientcertificate_types.go
+++ b/apis/redshift/v1beta1/zz_hsmclientcertificate_types.go
@@ -23,6 +23,9 @@ type HSMClientCertificateObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/redshift/v1beta1/zz_hsmconfiguration_types.go b/apis/redshift/v1beta1/zz_hsmconfiguration_types.go
index 4842b015d7..b0233ffd53 100755
--- a/apis/redshift/v1beta1/zz_hsmconfiguration_types.go
+++ b/apis/redshift/v1beta1/zz_hsmconfiguration_types.go
@@ -18,8 +18,23 @@ type HSMConfigurationObservation struct {
 	// Amazon Resource Name (ARN) of the Hsm Client Certificate.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A text description of the HSM configuration to be created.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The IP address that the Amazon Redshift cluster must use to access the HSM.
+	HSMIPAddress *string `json:"hsmIpAddress,omitempty" tf:"hsm_ip_address,omitempty"`
+
+	// The name of the partition in the HSM where the Amazon Redshift clusters will store their database encryption keys.
+	HSMPartitionName *string `json:"hsmPartitionName,omitempty" tf:"hsm_partition_name,omitempty"`
+
+	// The HSMs public certificate file. When using Cloud HSM, the file name is server.pem.
+	HSMServerPublicCertificate *string `json:"hsmServerPublicCertificate,omitempty" tf:"hsm_server_public_certificate,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -27,24 +42,24 @@ type HSMConfigurationObservation struct {
 type HSMConfigurationParameters struct {
 
 	// A text description of the HSM configuration to be created.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The IP address that the Amazon Redshift cluster must use to access the HSM.
-	// +kubebuilder:validation:Required
-	HSMIPAddress *string `json:"hsmIpAddress" tf:"hsm_ip_address,omitempty"`
+	// +kubebuilder:validation:Optional
+	HSMIPAddress *string `json:"hsmIpAddress,omitempty" tf:"hsm_ip_address,omitempty"`
 
 	// The name of the partition in the HSM where the Amazon Redshift clusters will store their database encryption keys.
-	// +kubebuilder:validation:Required
-	HSMPartitionName *string `json:"hsmPartitionName" tf:"hsm_partition_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	HSMPartitionName *string `json:"hsmPartitionName,omitempty" tf:"hsm_partition_name,omitempty"`
 
 	// The password required to access the HSM partition.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	HSMPartitionPasswordSecretRef v1.SecretKeySelector `json:"hsmPartitionPasswordSecretRef" tf:"-"`
 
 	// The HSMs public certificate file. When using Cloud HSM, the file name is server.pem.
-	// +kubebuilder:validation:Required
-	HSMServerPublicCertificate *string `json:"hsmServerPublicCertificate" tf:"hsm_server_public_certificate,omitempty"`
+	// +kubebuilder:validation:Optional
+	HSMServerPublicCertificate *string `json:"hsmServerPublicCertificate,omitempty" tf:"hsm_server_public_certificate,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -80,8 +95,13 @@ type HSMConfigurationStatus struct {
 type HSMConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HSMConfigurationSpec   `json:"spec"`
-	Status            HSMConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmIpAddress)",message="hsmIpAddress is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmPartitionName)",message="hsmPartitionName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmPartitionPasswordSecretRef)",message="hsmPartitionPasswordSecretRef is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmServerPublicCertificate)",message="hsmServerPublicCertificate is a required parameter"
+	Spec   HSMConfigurationSpec   `json:"spec"`
+	Status HSMConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/redshift/v1beta1/zz_parametergroup_types.go b/apis/redshift/v1beta1/zz_parametergroup_types.go
index 420003ed23..5277900482 100755
--- a/apis/redshift/v1beta1/zz_parametergroup_types.go
+++ b/apis/redshift/v1beta1/zz_parametergroup_types.go
@@ -18,9 +18,24 @@ type ParameterGroupObservation struct {
 	// Amazon Resource Name (ARN) of parameter group
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the Redshift parameter group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The family of the Redshift parameter group.
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
+
 	// The Redshift parameter group name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the Redshift parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of Redshift parameters to apply.
+	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,12 +47,12 @@ type ParameterGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The family of the Redshift parameter group.
-	// +kubebuilder:validation:Required
-	Family *string `json:"family" tf:"family,omitempty"`
+	// +kubebuilder:validation:Optional
+	Family *string `json:"family,omitempty" tf:"family,omitempty"`
 
 	// The name of the Redshift parameter group.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A list of Redshift parameters to apply.
 	// +kubebuilder:validation:Optional
@@ -54,6 +69,12 @@ type ParameterGroupParameters struct {
 }
 
 type ParameterObservation struct {
+
+	// The name of the Redshift parameter group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value of the Redshift parameter.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ParameterParameters struct {
@@ -91,8 +112,10 @@ type ParameterGroupStatus struct {
 type ParameterGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ParameterGroupSpec   `json:"spec"`
-	Status            ParameterGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)",message="family is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ParameterGroupSpec   `json:"spec"`
+	Status ParameterGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/redshift/v1beta1/zz_scheduledaction_types.go b/apis/redshift/v1beta1/zz_scheduledaction_types.go
index 0266195b96..5af31010c3 100755
--- a/apis/redshift/v1beta1/zz_scheduledaction_types.go
+++ b/apis/redshift/v1beta1/zz_scheduledaction_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type PauseClusterObservation struct {
+
+	// The identifier of the cluster to be paused.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
 }
 
 type PauseClusterParameters struct {
@@ -24,6 +27,21 @@ type PauseClusterParameters struct {
 }
 
 type ResizeClusterObservation struct {
+
+	// A boolean value indicating whether the resize operation is using the classic resize process. Default: false.
+	Classic *bool `json:"classic,omitempty" tf:"classic,omitempty"`
+
+	// The unique identifier for the cluster to resize.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
+	// The new cluster type for the specified cluster.
+	ClusterType *string `json:"clusterType,omitempty" tf:"cluster_type,omitempty"`
+
+	// The new node type for the nodes you are adding.
+	NodeType *string `json:"nodeType,omitempty" tf:"node_type,omitempty"`
+
+	// The new number of nodes for the cluster.
+	NumberOfNodes *float64 `json:"numberOfNodes,omitempty" tf:"number_of_nodes,omitempty"`
 }
 
 type ResizeClusterParameters struct {
@@ -50,6 +68,9 @@ type ResizeClusterParameters struct {
 }
 
 type ResumeClusterObservation struct {
+
+	// The identifier of the cluster to be resumed.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
 }
 
 type ResumeClusterParameters struct {
@@ -61,8 +82,29 @@ type ResumeClusterParameters struct {
 
 type ScheduledActionObservation struct {
 
+	// The description of the scheduled action.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether to enable the scheduled action. Default is true .
+	Enable *bool `json:"enable,omitempty" tf:"enable,omitempty"`
+
+	// The end time in UTC when the schedule is active, in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ).
+	EndTime *string `json:"endTime,omitempty" tf:"end_time,omitempty"`
+
+	// The IAM role to assume to run the scheduled action.
+	IAMRole *string `json:"iamRole,omitempty" tf:"iam_role,omitempty"`
+
 	// The Redshift Scheduled Action name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The schedule of action. The schedule is defined format of "at expression" or "cron expression", for example at(2016-03-04T17:27:00) or cron(0 10 ? * MON *). See Scheduled Action for more information.
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// The start time in UTC when the schedule is active, in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ).
+	StartTime *string `json:"startTime,omitempty" tf:"start_time,omitempty"`
+
+	// Target action. Documented below.
+	TargetAction []TargetActionObservation `json:"targetAction,omitempty" tf:"target_action,omitempty"`
 }
 
 type ScheduledActionParameters struct {
@@ -99,19 +141,28 @@ type ScheduledActionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The schedule of action. The schedule is defined format of "at expression" or "cron expression", for example at(2016-03-04T17:27:00) or cron(0 10 ? * MON *). See Scheduled Action for more information.
-	// +kubebuilder:validation:Required
-	Schedule *string `json:"schedule" tf:"schedule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
 
 	// The start time in UTC when the schedule is active, in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ).
 	// +kubebuilder:validation:Optional
 	StartTime *string `json:"startTime,omitempty" tf:"start_time,omitempty"`
 
 	// Target action. Documented below.
-	// +kubebuilder:validation:Required
-	TargetAction []TargetActionParameters `json:"targetAction" tf:"target_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetAction []TargetActionParameters `json:"targetAction,omitempty" tf:"target_action,omitempty"`
 }
 
 type TargetActionObservation struct {
+
+	// An action that runs a PauseCluster API operation. Documented below.
+	PauseCluster []PauseClusterObservation `json:"pauseCluster,omitempty" tf:"pause_cluster,omitempty"`
+
+	// An action that runs a ResizeCluster API operation. Documented below.
+	ResizeCluster []ResizeClusterObservation `json:"resizeCluster,omitempty" tf:"resize_cluster,omitempty"`
+
+	// An action that runs a ResumeCluster API operation. Documented below.
+	ResumeCluster []ResumeClusterObservation `json:"resumeCluster,omitempty" tf:"resume_cluster,omitempty"`
 }
 
 type TargetActionParameters struct {
@@ -153,8 +204,10 @@ type ScheduledActionStatus struct {
 type ScheduledAction struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ScheduledActionSpec   `json:"spec"`
-	Status            ScheduledActionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)",message="schedule is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetAction)",message="targetAction is a required parameter"
+	Spec   ScheduledActionSpec   `json:"spec"`
+	Status ScheduledActionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/redshift/v1beta1/zz_snapshotcopygrant_types.go b/apis/redshift/v1beta1/zz_snapshotcopygrant_types.go
index ad2b1f8f8d..a480650bc0 100755
--- a/apis/redshift/v1beta1/zz_snapshotcopygrant_types.go
+++ b/apis/redshift/v1beta1/zz_snapshotcopygrant_types.go
@@ -20,6 +20,15 @@ type SnapshotCopyGrantObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The unique identifier for the customer master key (CMK) that the grant applies to. Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify a CMK in a different AWS account, you must use the key ARN. If not specified, the default key is used.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// A friendly name for identifying the grant.
+	SnapshotCopyGrantName *string `json:"snapshotCopyGrantName,omitempty" tf:"snapshot_copy_grant_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -45,8 +54,8 @@ type SnapshotCopyGrantParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// A friendly name for identifying the grant.
-	// +kubebuilder:validation:Required
-	SnapshotCopyGrantName *string `json:"snapshotCopyGrantName" tf:"snapshot_copy_grant_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	SnapshotCopyGrantName *string `json:"snapshotCopyGrantName,omitempty" tf:"snapshot_copy_grant_name,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -77,8 +86,9 @@ type SnapshotCopyGrantStatus struct {
 type SnapshotCopyGrant struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SnapshotCopyGrantSpec   `json:"spec"`
-	Status            SnapshotCopyGrantStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.snapshotCopyGrantName)",message="snapshotCopyGrantName is a required parameter"
+	Spec   SnapshotCopyGrantSpec   `json:"spec"`
+	Status SnapshotCopyGrantStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/redshift/v1beta1/zz_snapshotschedule_types.go b/apis/redshift/v1beta1/zz_snapshotschedule_types.go
index b8452e2612..dc3af5acbf 100755
--- a/apis/redshift/v1beta1/zz_snapshotschedule_types.go
+++ b/apis/redshift/v1beta1/zz_snapshotschedule_types.go
@@ -18,8 +18,20 @@ type SnapshotScheduleObservation struct {
 	// Amazon Resource Name (ARN) of the Redshift Snapshot Schedule.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The definition of the snapshot schedule. The definition is made up of schedule expressions, for example cron(30 12 *) or rate(12 hours).
+	Definitions []*string `json:"definitions,omitempty" tf:"definitions,omitempty"`
+
+	// The description of the snapshot schedule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether to destroy all associated clusters with this snapshot schedule on deletion. Must be enabled and applied before attempting deletion.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -27,8 +39,8 @@ type SnapshotScheduleObservation struct {
 type SnapshotScheduleParameters struct {
 
 	// The definition of the snapshot schedule. The definition is made up of schedule expressions, for example cron(30 12 *) or rate(12 hours).
-	// +kubebuilder:validation:Required
-	Definitions []*string `json:"definitions" tf:"definitions,omitempty"`
+	// +kubebuilder:validation:Optional
+	Definitions []*string `json:"definitions,omitempty" tf:"definitions,omitempty"`
 
 	// The description of the snapshot schedule.
 	// +kubebuilder:validation:Optional
@@ -72,8 +84,9 @@ type SnapshotScheduleStatus struct {
 type SnapshotSchedule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SnapshotScheduleSpec   `json:"spec"`
-	Status            SnapshotScheduleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definitions)",message="definitions is a required parameter"
+	Spec   SnapshotScheduleSpec   `json:"spec"`
+	Status SnapshotScheduleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/redshift/v1beta1/zz_snapshotscheduleassociation_types.go b/apis/redshift/v1beta1/zz_snapshotscheduleassociation_types.go
index f71206a3bb..8ee23783a8 100755
--- a/apis/redshift/v1beta1/zz_snapshotscheduleassociation_types.go
+++ b/apis/redshift/v1beta1/zz_snapshotscheduleassociation_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type SnapshotScheduleAssociationObservation struct {
+
+	// The cluster identifier.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The snapshot schedule identifier.
+	ScheduleIdentifier *string `json:"scheduleIdentifier,omitempty" tf:"schedule_identifier,omitempty"`
 }
 
 type SnapshotScheduleAssociationParameters struct {
diff --git a/apis/redshift/v1beta1/zz_subnetgroup_types.go b/apis/redshift/v1beta1/zz_subnetgroup_types.go
index fa04747f4c..0118f52a30 100755
--- a/apis/redshift/v1beta1/zz_subnetgroup_types.go
+++ b/apis/redshift/v1beta1/zz_subnetgroup_types.go
@@ -18,9 +18,18 @@ type SubnetGroupObservation struct {
 	// Amazon Resource Name (ARN) of the Redshift Subnet group name
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the Redshift Subnet group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The Redshift Subnet group ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// An array of VPC subnet IDs.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/redshift/v1beta1/zz_usagelimit_types.go b/apis/redshift/v1beta1/zz_usagelimit_types.go
index 1e49dbb8c8..09b8970018 100755
--- a/apis/redshift/v1beta1/zz_usagelimit_types.go
+++ b/apis/redshift/v1beta1/zz_usagelimit_types.go
@@ -15,12 +15,33 @@ import (
 
 type UsageLimitObservation struct {
 
+	// The limit amount. If time-based, this amount is in minutes. If data-based, this amount is in terabytes (TB). The value must be a positive number.
+	Amount *float64 `json:"amount,omitempty" tf:"amount,omitempty"`
+
 	// Amazon Resource Name (ARN) of the Redshift Usage Limit.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The action that Amazon Redshift takes when the limit is reached. The default is log. Valid values are log, emit-metric, and disable.
+	BreachAction *string `json:"breachAction,omitempty" tf:"breach_action,omitempty"`
+
+	// The identifier of the cluster that you want to limit usage.
+	ClusterIdentifier *string `json:"clusterIdentifier,omitempty" tf:"cluster_identifier,omitempty"`
+
+	// The Amazon Redshift feature that you want to limit. Valid values are spectrum, concurrency-scaling, and cross-region-datasharing.
+	FeatureType *string `json:"featureType,omitempty" tf:"feature_type,omitempty"`
+
 	// The Redshift Usage Limit ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The type of limit. Depending on the feature type, this can be based on a time duration or data size. If FeatureType is spectrum, then LimitType must be data-scanned. If FeatureType is concurrency-scaling, then LimitType must be time. If FeatureType is cross-region-datasharing, then LimitType must be data-scanned. Valid values are data-scanned, and time.
+	LimitType *string `json:"limitType,omitempty" tf:"limit_type,omitempty"`
+
+	// The time period that the amount applies to. A weekly period begins on Sunday. The default is monthly. Valid values are daily, weekly, and monthly.
+	Period *string `json:"period,omitempty" tf:"period,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,8 +49,8 @@ type UsageLimitObservation struct {
 type UsageLimitParameters struct {
 
 	// The limit amount. If time-based, this amount is in minutes. If data-based, this amount is in terabytes (TB). The value must be a positive number.
-	// +kubebuilder:validation:Required
-	Amount *float64 `json:"amount" tf:"amount,omitempty"`
+	// +kubebuilder:validation:Optional
+	Amount *float64 `json:"amount,omitempty" tf:"amount,omitempty"`
 
 	// The action that Amazon Redshift takes when the limit is reached. The default is log. Valid values are log, emit-metric, and disable.
 	// +kubebuilder:validation:Optional
@@ -50,12 +71,12 @@ type UsageLimitParameters struct {
 	ClusterIdentifierSelector *v1.Selector `json:"clusterIdentifierSelector,omitempty" tf:"-"`
 
 	// The Amazon Redshift feature that you want to limit. Valid values are spectrum, concurrency-scaling, and cross-region-datasharing.
-	// +kubebuilder:validation:Required
-	FeatureType *string `json:"featureType" tf:"feature_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	FeatureType *string `json:"featureType,omitempty" tf:"feature_type,omitempty"`
 
 	// The type of limit. Depending on the feature type, this can be based on a time duration or data size. If FeatureType is spectrum, then LimitType must be data-scanned. If FeatureType is concurrency-scaling, then LimitType must be time. If FeatureType is cross-region-datasharing, then LimitType must be data-scanned. Valid values are data-scanned, and time.
-	// +kubebuilder:validation:Required
-	LimitType *string `json:"limitType" tf:"limit_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	LimitType *string `json:"limitType,omitempty" tf:"limit_type,omitempty"`
 
 	// The time period that the amount applies to. A weekly period begins on Sunday. The default is monthly. Valid values are daily, weekly, and monthly.
 	// +kubebuilder:validation:Optional
@@ -95,8 +116,11 @@ type UsageLimitStatus struct {
 type UsageLimit struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UsageLimitSpec   `json:"spec"`
-	Status            UsageLimitStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.amount)",message="amount is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureType)",message="featureType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.limitType)",message="limitType is a required parameter"
+	Spec   UsageLimitSpec   `json:"spec"`
+	Status UsageLimitStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/resourcegroups/v1beta1/zz_generated.deepcopy.go b/apis/resourcegroups/v1beta1/zz_generated.deepcopy.go
index 737a9a9791..f1cc8eec03 100644
--- a/apis/resourcegroups/v1beta1/zz_generated.deepcopy.go
+++ b/apis/resourcegroups/v1beta1/zz_generated.deepcopy.go
@@ -16,6 +16,18 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation) {
 	*out = *in
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make([]ParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationObservation.
@@ -122,11 +134,45 @@ func (in *GroupObservation) DeepCopyInto(out *GroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make([]ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceQuery != nil {
+		in, out := &in.ResourceQuery, &out.ResourceQuery
+		*out = make([]ResourceQueryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -245,6 +291,22 @@ func (in *GroupStatus) DeepCopy() *GroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParametersObservation) DeepCopyInto(out *ParametersObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ParametersObservation.
@@ -291,6 +353,16 @@ func (in *ParametersParameters) DeepCopy() *ParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceQueryObservation) DeepCopyInto(out *ResourceQueryObservation) {
 	*out = *in
+	if in.Query != nil {
+		in, out := &in.Query, &out.Query
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceQueryObservation.
diff --git a/apis/resourcegroups/v1beta1/zz_group_types.go b/apis/resourcegroups/v1beta1/zz_group_types.go
index 6d57047e2e..e1fa72a803 100755
--- a/apis/resourcegroups/v1beta1/zz_group_types.go
+++ b/apis/resourcegroups/v1beta1/zz_group_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type ConfigurationObservation struct {
+
+	// A collection of parameters for this group configuration item. See below for details.
+	Parameters []ParametersObservation `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Specifies the type of group configuration item.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ConfigurationParameters struct {
@@ -32,8 +38,20 @@ type GroupObservation struct {
 	// The ARN assigned by AWS for this resource group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A configuration associates the resource group with an AWS service and specifies how the service can interact with the resources in the group. See below for details.
+	Configuration []ConfigurationObservation `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// A description of the resource group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A resource_query block. Resource queries are documented below.
+	ResourceQuery []ResourceQueryObservation `json:"resourceQuery,omitempty" tf:"resource_query,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -63,6 +81,12 @@ type GroupParameters struct {
 }
 
 type ParametersObservation struct {
+
+	// The name of the group configuration parameter.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value or values to be used for the specified parameter.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type ParametersParameters struct {
@@ -77,6 +101,12 @@ type ParametersParameters struct {
 }
 
 type ResourceQueryObservation struct {
+
+	// The resource query as a JSON string.
+	Query *string `json:"query,omitempty" tf:"query,omitempty"`
+
+	// The type of the resource query. Defaults to TAG_FILTERS_1_0.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ResourceQueryParameters struct {
diff --git a/apis/rolesanywhere/v1beta1/zz_generated.deepcopy.go b/apis/rolesanywhere/v1beta1/zz_generated.deepcopy.go
index d75fcf8189..814376e4db 100644
--- a/apis/rolesanywhere/v1beta1/zz_generated.deepcopy.go
+++ b/apis/rolesanywhere/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,73 @@ func (in *ProfileObservation) DeepCopyInto(out *ProfileObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DurationSeconds != nil {
+		in, out := &in.DurationSeconds, &out.DurationSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ManagedPolicyArns != nil {
+		in, out := &in.ManagedPolicyArns, &out.ManagedPolicyArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequireInstanceProperties != nil {
+		in, out := &in.RequireInstanceProperties, &out.RequireInstanceProperties
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RoleArns != nil {
+		in, out := &in.RoleArns, &out.RoleArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SessionPolicy != nil {
+		in, out := &in.SessionPolicy, &out.SessionPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/rolesanywhere/v1beta1/zz_profile_types.go b/apis/rolesanywhere/v1beta1/zz_profile_types.go
index 5dc750256b..cfec46a2a4 100755
--- a/apis/rolesanywhere/v1beta1/zz_profile_types.go
+++ b/apis/rolesanywhere/v1beta1/zz_profile_types.go
@@ -18,9 +18,33 @@ type ProfileObservation struct {
 	// Amazon Resource Name (ARN) of the Profile
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The number of seconds the vended session credentials are valid for. Defaults to 3600.
+	DurationSeconds *float64 `json:"durationSeconds,omitempty" tf:"duration_seconds,omitempty"`
+
+	// Whether or not the Profile is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// The Profile ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of managed policy ARNs that apply to the vended session credentials.
+	ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"`
+
+	// The name of the Profile.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies whether instance properties are required in CreateSession requests with this profile.
+	RequireInstanceProperties *bool `json:"requireInstanceProperties,omitempty" tf:"require_instance_properties,omitempty"`
+
+	// A list of IAM roles that this profile can assume
+	RoleArns []*string `json:"roleArns,omitempty" tf:"role_arns,omitempty"`
+
+	// A session policy that applies to the trust boundary of the vended session credentials.
+	SessionPolicy *string `json:"sessionPolicy,omitempty" tf:"session_policy,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -40,8 +64,8 @@ type ProfileParameters struct {
 	ManagedPolicyArns []*string `json:"managedPolicyArns,omitempty" tf:"managed_policy_arns,omitempty"`
 
 	// The name of the Profile.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -99,8 +123,9 @@ type ProfileStatus struct {
 type Profile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProfileSpec   `json:"spec"`
-	Status            ProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ProfileSpec   `json:"spec"`
+	Status ProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53/v1beta1/zz_delegationset_types.go b/apis/route53/v1beta1/zz_delegationset_types.go
index 2d821901ed..8597fec6a8 100755
--- a/apis/route53/v1beta1/zz_delegationset_types.go
+++ b/apis/route53/v1beta1/zz_delegationset_types.go
@@ -24,6 +24,10 @@ type DelegationSetObservation struct {
 	// A list of authoritative name servers for the hosted zone
 	// (effectively a list of NS records).
 	NameServers []*string `json:"nameServers,omitempty" tf:"name_servers,omitempty"`
+
+	// This is a reference name used in Caller Reference
+	// (helpful for identifying single delegation set amongst others)
+	ReferenceName *string `json:"referenceName,omitempty" tf:"reference_name,omitempty"`
 }
 
 type DelegationSetParameters struct {
diff --git a/apis/route53/v1beta1/zz_generated.deepcopy.go b/apis/route53/v1beta1/zz_generated.deepcopy.go
index 55e4ac5624..990278ebb6 100644
--- a/apis/route53/v1beta1/zz_generated.deepcopy.go
+++ b/apis/route53/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AliasObservation) DeepCopyInto(out *AliasObservation) {
 	*out = *in
+	if in.EvaluateTargetHealth != nil {
+		in, out := &in.EvaluateTargetHealth, &out.EvaluateTargetHealth
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ZoneID != nil {
+		in, out := &in.ZoneID, &out.ZoneID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AliasObservation.
@@ -62,6 +77,16 @@ func (in *AliasParameters) DeepCopy() *AliasParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CidrRoutingPolicyObservation) DeepCopyInto(out *CidrRoutingPolicyObservation) {
 	*out = *in
+	if in.CollectionID != nil {
+		in, out := &in.CollectionID, &out.CollectionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LocationName != nil {
+		in, out := &in.LocationName, &out.LocationName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CidrRoutingPolicyObservation.
@@ -182,6 +207,11 @@ func (in *DelegationSetObservation) DeepCopyInto(out *DelegationSetObservation)
 			}
 		}
 	}
+	if in.ReferenceName != nil {
+		in, out := &in.ReferenceName, &out.ReferenceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DelegationSetObservation.
@@ -256,6 +286,11 @@ func (in *DelegationSetStatus) DeepCopy() *DelegationSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FailoverRoutingPolicyObservation) DeepCopyInto(out *FailoverRoutingPolicyObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FailoverRoutingPolicyObservation.
@@ -291,6 +326,21 @@ func (in *FailoverRoutingPolicyParameters) DeepCopy() *FailoverRoutingPolicyPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GeolocationRoutingPolicyObservation) DeepCopyInto(out *GeolocationRoutingPolicyObservation) {
 	*out = *in
+	if in.Continent != nil {
+		in, out := &in.Continent, &out.Continent
+		*out = new(string)
+		**out = **in
+	}
+	if in.Country != nil {
+		in, out := &in.Country, &out.Country
+		*out = new(string)
+		**out = **in
+	}
+	if in.Subdivision != nil {
+		in, out := &in.Subdivision, &out.Subdivision
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeolocationRoutingPolicyObservation.
@@ -400,11 +450,133 @@ func (in *HealthCheckObservation) DeepCopyInto(out *HealthCheckObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ChildHealthThreshold != nil {
+		in, out := &in.ChildHealthThreshold, &out.ChildHealthThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ChildHealthchecks != nil {
+		in, out := &in.ChildHealthchecks, &out.ChildHealthchecks
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CloudwatchAlarmName != nil {
+		in, out := &in.CloudwatchAlarmName, &out.CloudwatchAlarmName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CloudwatchAlarmRegion != nil {
+		in, out := &in.CloudwatchAlarmRegion, &out.CloudwatchAlarmRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Disabled != nil {
+		in, out := &in.Disabled, &out.Disabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableSni != nil {
+		in, out := &in.EnableSni, &out.EnableSni
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FailureThreshold != nil {
+		in, out := &in.FailureThreshold, &out.FailureThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Fqdn != nil {
+		in, out := &in.Fqdn, &out.Fqdn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddress != nil {
+		in, out := &in.IPAddress, &out.IPAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.InsufficientDataHealthStatus != nil {
+		in, out := &in.InsufficientDataHealthStatus, &out.InsufficientDataHealthStatus
+		*out = new(string)
+		**out = **in
+	}
+	if in.InvertHealthcheck != nil {
+		in, out := &in.InvertHealthcheck, &out.InvertHealthcheck
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MeasureLatency != nil {
+		in, out := &in.MeasureLatency, &out.MeasureLatency
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ReferenceName != nil {
+		in, out := &in.ReferenceName, &out.ReferenceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Regions != nil {
+		in, out := &in.Regions, &out.Regions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RequestInterval != nil {
+		in, out := &in.RequestInterval, &out.RequestInterval
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResourcePath != nil {
+		in, out := &in.ResourcePath, &out.ResourcePath
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoutingControlArn != nil {
+		in, out := &in.RoutingControlArn, &out.RoutingControlArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SearchString != nil {
+		in, out := &in.SearchString, &out.SearchString
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -420,6 +592,11 @@ func (in *HealthCheckObservation) DeepCopyInto(out *HealthCheckObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckObservation.
@@ -685,11 +862,21 @@ func (in *HostedZoneDNSSECList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HostedZoneDNSSECObservation) DeepCopyInto(out *HostedZoneDNSSECObservation) {
 	*out = *in
+	if in.HostedZoneID != nil {
+		in, out := &in.HostedZoneID, &out.HostedZoneID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SigningStatus != nil {
+		in, out := &in.SigningStatus, &out.SigningStatus
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HostedZoneDNSSECObservation.
@@ -779,6 +966,11 @@ func (in *HostedZoneDNSSECStatus) DeepCopy() *HostedZoneDNSSECStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LatencyRoutingPolicyObservation) DeepCopyInto(out *LatencyRoutingPolicyObservation) {
 	*out = *in
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LatencyRoutingPolicyObservation.
@@ -873,16 +1065,109 @@ func (in *RecordList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordObservation) DeepCopyInto(out *RecordObservation) {
 	*out = *in
+	if in.Alias != nil {
+		in, out := &in.Alias, &out.Alias
+		*out = make([]AliasObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AllowOverwrite != nil {
+		in, out := &in.AllowOverwrite, &out.AllowOverwrite
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CidrRoutingPolicy != nil {
+		in, out := &in.CidrRoutingPolicy, &out.CidrRoutingPolicy
+		*out = make([]CidrRoutingPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FailoverRoutingPolicy != nil {
+		in, out := &in.FailoverRoutingPolicy, &out.FailoverRoutingPolicy
+		*out = make([]FailoverRoutingPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Fqdn != nil {
 		in, out := &in.Fqdn, &out.Fqdn
 		*out = new(string)
 		**out = **in
 	}
+	if in.GeolocationRoutingPolicy != nil {
+		in, out := &in.GeolocationRoutingPolicy, &out.GeolocationRoutingPolicy
+		*out = make([]GeolocationRoutingPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HealthCheckID != nil {
+		in, out := &in.HealthCheckID, &out.HealthCheckID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LatencyRoutingPolicy != nil {
+		in, out := &in.LatencyRoutingPolicy, &out.LatencyRoutingPolicy
+		*out = make([]LatencyRoutingPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MultivalueAnswerRoutingPolicy != nil {
+		in, out := &in.MultivalueAnswerRoutingPolicy, &out.MultivalueAnswerRoutingPolicy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Records != nil {
+		in, out := &in.Records, &out.Records
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SetIdentifier != nil {
+		in, out := &in.SetIdentifier, &out.SetIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.WeightedRoutingPolicy != nil {
+		in, out := &in.WeightedRoutingPolicy, &out.WeightedRoutingPolicy
+		*out = make([]WeightedRoutingPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ZoneID != nil {
+		in, out := &in.ZoneID, &out.ZoneID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordObservation.
@@ -1124,6 +1409,11 @@ func (in *ResolverConfigList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResolverConfigObservation) DeepCopyInto(out *ResolverConfigObservation) {
 	*out = *in
+	if in.AutodefinedReverseFlag != nil {
+		in, out := &in.AutodefinedReverseFlag, &out.AutodefinedReverseFlag
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1134,6 +1424,11 @@ func (in *ResolverConfigObservation) DeepCopyInto(out *ResolverConfigObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResolverConfigObservation.
@@ -1309,11 +1604,36 @@ func (in *TrafficPolicyInstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrafficPolicyInstanceObservation) DeepCopyInto(out *TrafficPolicyInstanceObservation) {
 	*out = *in
+	if in.HostedZoneID != nil {
+		in, out := &in.HostedZoneID, &out.HostedZoneID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TrafficPolicyID != nil {
+		in, out := &in.TrafficPolicyID, &out.TrafficPolicyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TrafficPolicyVersion != nil {
+		in, out := &in.TrafficPolicyVersion, &out.TrafficPolicyVersion
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrafficPolicyInstanceObservation.
@@ -1460,11 +1780,26 @@ func (in *TrafficPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrafficPolicyObservation) DeepCopyInto(out *TrafficPolicyObservation) {
 	*out = *in
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.Document != nil {
+		in, out := &in.Document, &out.Document
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Type != nil {
 		in, out := &in.Type, &out.Type
 		*out = new(string)
@@ -1623,6 +1958,21 @@ func (in *VPCAssociationAuthorizationObservation) DeepCopyInto(out *VPCAssociati
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCRegion != nil {
+		in, out := &in.VPCRegion, &out.VPCRegion
+		*out = new(string)
+		**out = **in
+	}
+	if in.ZoneID != nil {
+		in, out := &in.ZoneID, &out.ZoneID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCAssociationAuthorizationObservation.
@@ -1727,6 +2077,16 @@ func (in *VPCAssociationAuthorizationStatus) DeepCopy() *VPCAssociationAuthoriza
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCObservation) DeepCopyInto(out *VPCObservation) {
 	*out = *in
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCRegion != nil {
+		in, out := &in.VPCRegion, &out.VPCRegion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCObservation.
@@ -1777,6 +2137,11 @@ func (in *VPCParameters) DeepCopy() *VPCParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WeightedRoutingPolicyObservation) DeepCopyInto(out *WeightedRoutingPolicyObservation) {
 	*out = *in
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WeightedRoutingPolicyObservation.
@@ -1876,11 +2241,31 @@ func (in *ZoneObservation) DeepCopyInto(out *ZoneObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.DelegationSetID != nil {
+		in, out := &in.DelegationSetID, &out.DelegationSetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.NameServers != nil {
 		in, out := &in.NameServers, &out.NameServers
 		*out = make([]*string, len(*in))
@@ -1897,6 +2282,21 @@ func (in *ZoneObservation) DeepCopyInto(out *ZoneObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1912,6 +2312,13 @@ func (in *ZoneObservation) DeepCopyInto(out *ZoneObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPC != nil {
+		in, out := &in.VPC, &out.VPC
+		*out = make([]VPCObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ZoneID != nil {
 		in, out := &in.ZoneID, &out.ZoneID
 		*out = new(string)
diff --git a/apis/route53/v1beta1/zz_healthcheck_types.go b/apis/route53/v1beta1/zz_healthcheck_types.go
index c10284e867..14d4332a65 100755
--- a/apis/route53/v1beta1/zz_healthcheck_types.go
+++ b/apis/route53/v1beta1/zz_healthcheck_types.go
@@ -18,11 +18,75 @@ type HealthCheckObservation struct {
 	// The Amazon Resource Name (ARN) of the Health Check.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The minimum number of child health checks that must be healthy for Route 53 to consider the parent health check to be healthy. Valid values are integers between 0 and 256, inclusive
+	ChildHealthThreshold *float64 `json:"childHealthThreshold,omitempty" tf:"child_health_threshold,omitempty"`
+
+	// For a specified parent health check, a list of HealthCheckId values for the associated child health checks.
+	ChildHealthchecks []*string `json:"childHealthchecks,omitempty" tf:"child_healthchecks,omitempty"`
+
+	// The name of the CloudWatch alarm.
+	CloudwatchAlarmName *string `json:"cloudwatchAlarmName,omitempty" tf:"cloudwatch_alarm_name,omitempty"`
+
+	// The CloudWatchRegion that the CloudWatch alarm was created in.
+	CloudwatchAlarmRegion *string `json:"cloudwatchAlarmRegion,omitempty" tf:"cloudwatch_alarm_region,omitempty"`
+
+	// A boolean value that stops Route 53 from performing health checks. When set to true, Route 53 will do the following depending on the type of health check:
+	Disabled *bool `json:"disabled,omitempty" tf:"disabled,omitempty"`
+
+	// A boolean value that indicates whether Route53 should send the fqdn to the endpoint when performing the health check. This defaults to AWS' defaults: when the type is "HTTPS" enable_sni defaults to true, when type is anything else enable_sni defaults to false.
+	EnableSni *bool `json:"enableSni,omitempty" tf:"enable_sni,omitempty"`
+
+	// The number of consecutive health checks that an endpoint must pass or fail.
+	FailureThreshold *float64 `json:"failureThreshold,omitempty" tf:"failure_threshold,omitempty"`
+
+	// The fully qualified domain name of the endpoint to be checked.
+	Fqdn *string `json:"fqdn,omitempty" tf:"fqdn,omitempty"`
+
 	// The id of the health check
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The IP address of the endpoint to be checked.
+	IPAddress *string `json:"ipAddress,omitempty" tf:"ip_address,omitempty"`
+
+	// The status of the health check when CloudWatch has insufficient data about the state of associated alarm. Valid values are Healthy , Unhealthy and LastKnownStatus.
+	InsufficientDataHealthStatus *string `json:"insufficientDataHealthStatus,omitempty" tf:"insufficient_data_health_status,omitempty"`
+
+	// A boolean value that indicates whether the status of health check should be inverted. For example, if a health check is healthy but Inverted is True , then Route 53 considers the health check to be unhealthy.
+	InvertHealthcheck *bool `json:"invertHealthcheck,omitempty" tf:"invert_healthcheck,omitempty"`
+
+	// A Boolean value that indicates whether you want Route 53 to measure the latency between health checkers in multiple AWS regions and your endpoint and to display CloudWatch latency graphs in the Route 53 console.
+	MeasureLatency *bool `json:"measureLatency,omitempty" tf:"measure_latency,omitempty"`
+
+	// The port of the endpoint to be checked.
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
+
+	// This is a reference name used in Caller Reference
+	// (helpful for identifying single health_check set amongst others)
+	ReferenceName *string `json:"referenceName,omitempty" tf:"reference_name,omitempty"`
+
+	// A list of AWS regions that you want Amazon Route 53 health checkers to check the specified endpoint from.
+	Regions []*string `json:"regions,omitempty" tf:"regions,omitempty"`
+
+	// The number of seconds between the time that Amazon Route 53 gets a response from your endpoint and the time that it sends the next health-check request.
+	RequestInterval *float64 `json:"requestInterval,omitempty" tf:"request_interval,omitempty"`
+
+	// The path that you want Amazon Route 53 to request when performing health checks.
+	ResourcePath *string `json:"resourcePath,omitempty" tf:"resource_path,omitempty"`
+
+	// The Amazon Resource Name (ARN) for the Route 53 Application Recovery Controller routing control. This is used when health check type is RECOVERY_CONTROL
+	RoutingControlArn *string `json:"routingControlArn,omitempty" tf:"routing_control_arn,omitempty"`
+
+	// String searched in the first 5120 bytes of the response body for check to be considered healthy. Only valid with HTTP_STR_MATCH and HTTPS_STR_MATCH.
+	SearchString *string `json:"searchString,omitempty" tf:"search_string,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The protocol to use when performing health checks. Valid values are HTTP, HTTPS, HTTP_STR_MATCH, HTTPS_STR_MATCH, TCP, CALCULATED, CLOUDWATCH_METRIC and RECOVERY_CONTROL.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type HealthCheckParameters struct {
@@ -123,8 +187,8 @@ type HealthCheckParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The protocol to use when performing health checks. Valid values are HTTP, HTTPS, HTTP_STR_MATCH, HTTPS_STR_MATCH, TCP, CALCULATED, CLOUDWATCH_METRIC and RECOVERY_CONTROL.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // HealthCheckSpec defines the desired state of HealthCheck
@@ -151,8 +215,9 @@ type HealthCheckStatus struct {
 type HealthCheck struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HealthCheckSpec   `json:"spec"`
-	Status            HealthCheckStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   HealthCheckSpec   `json:"spec"`
+	Status HealthCheckStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53/v1beta1/zz_hostedzonednssec_types.go b/apis/route53/v1beta1/zz_hostedzonednssec_types.go
index 22713df0b1..1165103f94 100755
--- a/apis/route53/v1beta1/zz_hostedzonednssec_types.go
+++ b/apis/route53/v1beta1/zz_hostedzonednssec_types.go
@@ -15,8 +15,14 @@ import (
 
 type HostedZoneDNSSECObservation struct {
 
+	// Identifier of the Route 53 Hosted Zone.
+	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
+
 	// Route 53 Hosted Zone identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Hosted Zone signing status. Valid values: SIGNING, NOT_SIGNING. Defaults to SIGNING.
+	SigningStatus *string `json:"signingStatus,omitempty" tf:"signing_status,omitempty"`
 }
 
 type HostedZoneDNSSECParameters struct {
diff --git a/apis/route53/v1beta1/zz_record_types.go b/apis/route53/v1beta1/zz_record_types.go
index 563531b0b3..b2059c16d4 100755
--- a/apis/route53/v1beta1/zz_record_types.go
+++ b/apis/route53/v1beta1/zz_record_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AliasObservation struct {
+
+	// Set to true if you want Route 53 to determine whether to respond to DNS queries using this resource record set by checking the health of the resource record set. Some resources have special requirements, see related part of documentation.
+	EvaluateTargetHealth *bool `json:"evaluateTargetHealth,omitempty" tf:"evaluate_target_health,omitempty"`
+
+	// The name of the record.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ID of the hosted zone to contain this record.
+	ZoneID *string `json:"zoneId,omitempty" tf:"zone_id,omitempty"`
 }
 
 type AliasParameters struct {
@@ -32,6 +41,12 @@ type AliasParameters struct {
 }
 
 type CidrRoutingPolicyObservation struct {
+
+	// The CIDR collection ID. See the aws_route53_cidr_collection resource for more details.
+	CollectionID *string `json:"collectionId,omitempty" tf:"collection_id,omitempty"`
+
+	// The CIDR collection location name. See the aws_route53_cidr_location resource for more details. A location_name with an asterisk "*" can be used to create a default CIDR record. collection_id is still required for default record.
+	LocationName *string `json:"locationName,omitempty" tf:"location_name,omitempty"`
 }
 
 type CidrRoutingPolicyParameters struct {
@@ -46,6 +61,9 @@ type CidrRoutingPolicyParameters struct {
 }
 
 type FailoverRoutingPolicyObservation struct {
+
+	// The record type. Valid values are A, AAAA, CAA, CNAME, DS, MX, NAPTR, NS, PTR, SOA, SPF, SRV and TXT.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type FailoverRoutingPolicyParameters struct {
@@ -56,6 +74,15 @@ type FailoverRoutingPolicyParameters struct {
 }
 
 type GeolocationRoutingPolicyObservation struct {
+
+	// A two-letter continent code. See http://docs.aws.amazon.com/Route53/latest/APIReference/API_GetGeoLocation.html for code details. Either continent or country must be specified.
+	Continent *string `json:"continent,omitempty" tf:"continent,omitempty"`
+
+	// A two-character country code or * to indicate a default resource record set.
+	Country *string `json:"country,omitempty" tf:"country,omitempty"`
+
+	// A subdivision code for a country.
+	Subdivision *string `json:"subdivision,omitempty" tf:"subdivision,omitempty"`
 }
 
 type GeolocationRoutingPolicyParameters struct {
@@ -74,6 +101,9 @@ type GeolocationRoutingPolicyParameters struct {
 }
 
 type LatencyRoutingPolicyObservation struct {
+
+	// An AWS region from which to measure latency. See http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-latency
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
 }
 
 type LatencyRoutingPolicyParameters struct {
@@ -85,10 +115,56 @@ type LatencyRoutingPolicyParameters struct {
 
 type RecordObservation struct {
 
+	// An alias block. Conflicts with ttl & records.
+	// Documented below.
+	Alias []AliasObservation `json:"alias,omitempty" tf:"alias,omitempty"`
+
+	// false by default. This configuration is not recommended for most environments.
+	AllowOverwrite *bool `json:"allowOverwrite,omitempty" tf:"allow_overwrite,omitempty"`
+
+	// A block indicating a routing policy based on the IP network ranges of requestors. Conflicts with any other routing policy. Documented below.
+	CidrRoutingPolicy []CidrRoutingPolicyObservation `json:"cidrRoutingPolicy,omitempty" tf:"cidr_routing_policy,omitempty"`
+
+	// A block indicating the routing behavior when associated health check fails. Conflicts with any other routing policy. Documented below.
+	FailoverRoutingPolicy []FailoverRoutingPolicyObservation `json:"failoverRoutingPolicy,omitempty" tf:"failover_routing_policy,omitempty"`
+
 	// FQDN built using the zone domain and name.
 	Fqdn *string `json:"fqdn,omitempty" tf:"fqdn,omitempty"`
 
+	// A block indicating a routing policy based on the geolocation of the requestor. Conflicts with any other routing policy. Documented below.
+	GeolocationRoutingPolicy []GeolocationRoutingPolicyObservation `json:"geolocationRoutingPolicy,omitempty" tf:"geolocation_routing_policy,omitempty"`
+
+	// The health check the record should be associated with.
+	HealthCheckID *string `json:"healthCheckId,omitempty" tf:"health_check_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A block indicating a routing policy based on the latency between the requestor and an AWS region. Conflicts with any other routing policy. Documented below.
+	LatencyRoutingPolicy []LatencyRoutingPolicyObservation `json:"latencyRoutingPolicy,omitempty" tf:"latency_routing_policy,omitempty"`
+
+	// Set to true to indicate a multivalue answer routing policy. Conflicts with any other routing policy.
+	MultivalueAnswerRoutingPolicy *bool `json:"multivalueAnswerRoutingPolicy,omitempty" tf:"multivalue_answer_routing_policy,omitempty"`
+
+	// The name of the record.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A string list of records.g., "first255characters\"\"morecharacters").
+	Records []*string `json:"records,omitempty" tf:"records,omitempty"`
+
+	// Unique identifier to differentiate records with routing policies from one another. Required if using cidr_routing_policy, failover_routing_policy, geolocation_routing_policy, latency_routing_policy, multivalue_answer_routing_policy, or weighted_routing_policy.
+	SetIdentifier *string `json:"setIdentifier,omitempty" tf:"set_identifier,omitempty"`
+
+	// The TTL of the record.
+	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
+
+	// The record type. Valid values are A, AAAA, CAA, CNAME, DS, MX, NAPTR, NS, PTR, SOA, SPF, SRV and TXT.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// A block indicating a weighted routing policy. Conflicts with any other routing policy. Documented below.
+	WeightedRoutingPolicy []WeightedRoutingPolicyObservation `json:"weightedRoutingPolicy,omitempty" tf:"weighted_routing_policy,omitempty"`
+
+	// The ID of the hosted zone to contain this record.
+	ZoneID *string `json:"zoneId,omitempty" tf:"zone_id,omitempty"`
 }
 
 type RecordParameters struct {
@@ -136,8 +212,8 @@ type RecordParameters struct {
 	MultivalueAnswerRoutingPolicy *bool `json:"multivalueAnswerRoutingPolicy,omitempty" tf:"multivalue_answer_routing_policy,omitempty"`
 
 	// The name of the record.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A string list of records.g., "first255characters\"\"morecharacters").
 	// +kubebuilder:validation:Optional
@@ -158,8 +234,8 @@ type RecordParameters struct {
 	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
 
 	// The record type. Valid values are A, AAAA, CAA, CNAME, DS, MX, NAPTR, NS, PTR, SOA, SPF, SRV and TXT.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 
 	// A block indicating a weighted routing policy. Conflicts with any other routing policy. Documented below.
 	// +kubebuilder:validation:Optional
@@ -180,6 +256,9 @@ type RecordParameters struct {
 }
 
 type WeightedRoutingPolicyObservation struct {
+
+	// A numeric value indicating the relative weight of the record. See http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-weighted.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type WeightedRoutingPolicyParameters struct {
@@ -213,8 +292,10 @@ type RecordStatus struct {
 type Record struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RecordSpec   `json:"spec"`
-	Status            RecordStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   RecordSpec   `json:"spec"`
+	Status RecordStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53/v1beta1/zz_resolverconfig_types.go b/apis/route53/v1beta1/zz_resolverconfig_types.go
index 4d0509cada..15f140b509 100755
--- a/apis/route53/v1beta1/zz_resolverconfig_types.go
+++ b/apis/route53/v1beta1/zz_resolverconfig_types.go
@@ -15,18 +15,24 @@ import (
 
 type ResolverConfigObservation struct {
 
+	// Indicates whether or not the Resolver will create autodefined rules for reverse DNS lookups. Valid values: ENABLE, DISABLE.
+	AutodefinedReverseFlag *string `json:"autodefinedReverseFlag,omitempty" tf:"autodefined_reverse_flag,omitempty"`
+
 	// The ID of the resolver configuration.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The AWS account ID of the owner of the VPC that this resolver configuration applies to.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
+
+	// The ID of the VPC that the configuration is for.
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
 }
 
 type ResolverConfigParameters struct {
 
 	// Indicates whether or not the Resolver will create autodefined rules for reverse DNS lookups. Valid values: ENABLE, DISABLE.
-	// +kubebuilder:validation:Required
-	AutodefinedReverseFlag *string `json:"autodefinedReverseFlag" tf:"autodefined_reverse_flag,omitempty"`
+	// +kubebuilder:validation:Optional
+	AutodefinedReverseFlag *string `json:"autodefinedReverseFlag,omitempty" tf:"autodefined_reverse_flag,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -72,8 +78,9 @@ type ResolverConfigStatus struct {
 type ResolverConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResolverConfigSpec   `json:"spec"`
-	Status            ResolverConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.autodefinedReverseFlag)",message="autodefinedReverseFlag is a required parameter"
+	Spec   ResolverConfigSpec   `json:"spec"`
+	Status ResolverConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53/v1beta1/zz_trafficpolicy_types.go b/apis/route53/v1beta1/zz_trafficpolicy_types.go
index ca285b16ad..9bcd442478 100755
--- a/apis/route53/v1beta1/zz_trafficpolicy_types.go
+++ b/apis/route53/v1beta1/zz_trafficpolicy_types.go
@@ -15,9 +15,18 @@ import (
 
 type TrafficPolicyObservation struct {
 
+	// Comment for the traffic policy.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// Policy document. This is a JSON formatted string. For more information about building Route53 traffic policy documents, see the AWS Route53 Traffic Policy document format
+	Document *string `json:"document,omitempty" tf:"document,omitempty"`
+
 	// ID of the traffic policy
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the traffic policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// DNS type of the resource record sets that Amazon Route 53 creates when you use a traffic policy to create a traffic policy instance.
 	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 
@@ -32,12 +41,12 @@ type TrafficPolicyParameters struct {
 	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
 
 	// Policy document. This is a JSON formatted string. For more information about building Route53 traffic policy documents, see the AWS Route53 Traffic Policy document format
-	// +kubebuilder:validation:Required
-	Document *string `json:"document" tf:"document,omitempty"`
+	// +kubebuilder:validation:Optional
+	Document *string `json:"document,omitempty" tf:"document,omitempty"`
 
 	// Name of the traffic policy.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +78,10 @@ type TrafficPolicyStatus struct {
 type TrafficPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TrafficPolicySpec   `json:"spec"`
-	Status            TrafficPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.document)",message="document is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   TrafficPolicySpec   `json:"spec"`
+	Status TrafficPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53/v1beta1/zz_trafficpolicyinstance_types.go b/apis/route53/v1beta1/zz_trafficpolicyinstance_types.go
index 63d52f5cf1..5dd47424fd 100755
--- a/apis/route53/v1beta1/zz_trafficpolicyinstance_types.go
+++ b/apis/route53/v1beta1/zz_trafficpolicyinstance_types.go
@@ -15,8 +15,23 @@ import (
 
 type TrafficPolicyInstanceObservation struct {
 
+	// ID of the hosted zone that you want Amazon Route 53 to create resource record sets in by using the configuration in a traffic policy.
+	HostedZoneID *string `json:"hostedZoneId,omitempty" tf:"hosted_zone_id,omitempty"`
+
 	// ID of traffic policy instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Domain name for which Amazon Route 53 responds to DNS queries by using the resource record sets that Route 53 creates for this traffic policy instance.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// TTL that you want Amazon Route 53 to assign to all the resource record sets that it creates in the specified hosted zone.
+	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
+
+	// ID of the traffic policy that you want to use to create resource record sets in the specified hosted zone.
+	TrafficPolicyID *string `json:"trafficPolicyId,omitempty" tf:"traffic_policy_id,omitempty"`
+
+	// Version of the traffic policy
+	TrafficPolicyVersion *float64 `json:"trafficPolicyVersion,omitempty" tf:"traffic_policy_version,omitempty"`
 }
 
 type TrafficPolicyInstanceParameters struct {
@@ -35,8 +50,8 @@ type TrafficPolicyInstanceParameters struct {
 	HostedZoneIDSelector *v1.Selector `json:"hostedZoneIdSelector,omitempty" tf:"-"`
 
 	// Domain name for which Amazon Route 53 responds to DNS queries by using the resource record sets that Route 53 creates for this traffic policy instance.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -44,8 +59,8 @@ type TrafficPolicyInstanceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// TTL that you want Amazon Route 53 to assign to all the resource record sets that it creates in the specified hosted zone.
-	// +kubebuilder:validation:Required
-	TTL *float64 `json:"ttl" tf:"ttl,omitempty"`
+	// +kubebuilder:validation:Optional
+	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
 
 	// ID of the traffic policy that you want to use to create resource record sets in the specified hosted zone.
 	// +crossplane:generate:reference:type=TrafficPolicy
@@ -61,8 +76,8 @@ type TrafficPolicyInstanceParameters struct {
 	TrafficPolicyIDSelector *v1.Selector `json:"trafficPolicyIdSelector,omitempty" tf:"-"`
 
 	// Version of the traffic policy
-	// +kubebuilder:validation:Required
-	TrafficPolicyVersion *float64 `json:"trafficPolicyVersion" tf:"traffic_policy_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	TrafficPolicyVersion *float64 `json:"trafficPolicyVersion,omitempty" tf:"traffic_policy_version,omitempty"`
 }
 
 // TrafficPolicyInstanceSpec defines the desired state of TrafficPolicyInstance
@@ -89,8 +104,11 @@ type TrafficPolicyInstanceStatus struct {
 type TrafficPolicyInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TrafficPolicyInstanceSpec   `json:"spec"`
-	Status            TrafficPolicyInstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.trafficPolicyVersion)",message="trafficPolicyVersion is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ttl)",message="ttl is a required parameter"
+	Spec   TrafficPolicyInstanceSpec   `json:"spec"`
+	Status TrafficPolicyInstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53/v1beta1/zz_vpcassociationauthorization_types.go b/apis/route53/v1beta1/zz_vpcassociationauthorization_types.go
index fccbf2b1cc..3d5ec60676 100755
--- a/apis/route53/v1beta1/zz_vpcassociationauthorization_types.go
+++ b/apis/route53/v1beta1/zz_vpcassociationauthorization_types.go
@@ -17,6 +17,15 @@ type VPCAssociationAuthorizationObservation struct {
 
 	// The calculated unique identifier for the association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The VPC to authorize for association with the private hosted zone.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// The VPC's region. Defaults to the region of the AWS provider.
+	VPCRegion *string `json:"vpcRegion,omitempty" tf:"vpc_region,omitempty"`
+
+	// The ID of the private hosted zone that you want to authorize associating a VPC with.
+	ZoneID *string `json:"zoneId,omitempty" tf:"zone_id,omitempty"`
 }
 
 type VPCAssociationAuthorizationParameters struct {
diff --git a/apis/route53/v1beta1/zz_zone_types.go b/apis/route53/v1beta1/zz_zone_types.go
index a54f7681b0..8b8e4d9839 100755
--- a/apis/route53/v1beta1/zz_zone_types.go
+++ b/apis/route53/v1beta1/zz_zone_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type VPCObservation struct {
+
+	// ID of the VPC to associate.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
+
+	// Region of the VPC to associate. Defaults to AWS provider region.
+	VPCRegion *string `json:"vpcRegion,omitempty" tf:"vpc_region,omitempty"`
 }
 
 type VPCParameters struct {
@@ -42,8 +48,19 @@ type ZoneObservation struct {
 	// The Amazon Resource Name (ARN) of the Hosted Zone.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A comment for the hosted zone.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// The ID of the reusable delegation set whose NS records you want to assign to the hosted zone. Conflicts with vpc as delegation sets can only be used for public zones.
+	DelegationSetID *string `json:"delegationSetId,omitempty" tf:"delegation_set_id,omitempty"`
+
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// This is the name of the hosted zone.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// A list of name servers in associated (or default) delegation set.
 	// Find more about delegation sets in AWS docs.
 	NameServers []*string `json:"nameServers,omitempty" tf:"name_servers,omitempty"`
@@ -51,9 +68,15 @@ type ZoneObservation struct {
 	// The Route 53 name server that created the SOA record.
 	PrimaryNameServer *string `json:"primaryNameServer,omitempty" tf:"primary_name_server,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Configuration block(s) specifying VPC(s) to associate with a private hosted zone. Conflicts with the delegation_set_id argument in this resource and any aws_route53_zone_association resource specifying the same zone ID. Detailed below.
+	VPC []VPCObservation `json:"vpc,omitempty" tf:"vpc,omitempty"`
+
 	// The Hosted Zone ID. This can be referenced by zone records.
 	ZoneID *string `json:"zoneId,omitempty" tf:"zone_id,omitempty"`
 }
@@ -81,8 +104,8 @@ type ZoneParameters struct {
 	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
 
 	// This is the name of the hosted zone.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -122,8 +145,9 @@ type ZoneStatus struct {
 type Zone struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ZoneSpec   `json:"spec"`
-	Status            ZoneStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ZoneSpec   `json:"spec"`
+	Status ZoneStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53recoverycontrolconfig/v1beta1/zz_cluster_types.go b/apis/route53recoverycontrolconfig/v1beta1/zz_cluster_types.go
index 0d3fa0746d..05e8e092ba 100755
--- a/apis/route53recoverycontrolconfig/v1beta1/zz_cluster_types.go
+++ b/apis/route53recoverycontrolconfig/v1beta1/zz_cluster_types.go
@@ -35,6 +35,9 @@ type ClusterObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Unique name describing the cluster.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Status of cluster. PENDING when it is being created, PENDING_DELETION when it is being deleted and DEPLOYED otherwise.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -42,8 +45,8 @@ type ClusterObservation struct {
 type ClusterParameters struct {
 
 	// Unique name describing the cluster.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region of the endpoint.
 	// Region is the region you'd like your resource to be created in.
@@ -76,8 +79,9 @@ type ClusterStatus struct {
 type Cluster struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ClusterSpec   `json:"spec"`
-	Status            ClusterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ClusterSpec   `json:"spec"`
+	Status ClusterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53recoverycontrolconfig/v1beta1/zz_controlpanel_types.go b/apis/route53recoverycontrolconfig/v1beta1/zz_controlpanel_types.go
index 29482b0034..2771708872 100755
--- a/apis/route53recoverycontrolconfig/v1beta1/zz_controlpanel_types.go
+++ b/apis/route53recoverycontrolconfig/v1beta1/zz_controlpanel_types.go
@@ -18,11 +18,17 @@ type ControlPanelObservation struct {
 	// ARN of the control panel.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of the cluster in which this control panel will reside.
+	ClusterArn *string `json:"clusterArn,omitempty" tf:"cluster_arn,omitempty"`
+
 	// Whether a control panel is default.
 	DefaultControlPanel *bool `json:"defaultControlPanel,omitempty" tf:"default_control_panel,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name describing the control panel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Number routing controls in a control panel.
 	RoutingControlCount *float64 `json:"routingControlCount,omitempty" tf:"routing_control_count,omitempty"`
 
@@ -47,8 +53,8 @@ type ControlPanelParameters struct {
 	ClusterArnSelector *v1.Selector `json:"clusterArnSelector,omitempty" tf:"-"`
 
 	// Name describing the control panel.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -80,8 +86,9 @@ type ControlPanelStatus struct {
 type ControlPanel struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ControlPanelSpec   `json:"spec"`
-	Status            ControlPanelStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ControlPanelSpec   `json:"spec"`
+	Status ControlPanelStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53recoverycontrolconfig/v1beta1/zz_generated.deepcopy.go b/apis/route53recoverycontrolconfig/v1beta1/zz_generated.deepcopy.go
index 6ad9b28909..0ba31c237d 100644
--- a/apis/route53recoverycontrolconfig/v1beta1/zz_generated.deepcopy.go
+++ b/apis/route53recoverycontrolconfig/v1beta1/zz_generated.deepcopy.go
@@ -133,6 +133,11 @@ func (in *ClusterObservation) DeepCopyInto(out *ClusterObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -276,6 +281,11 @@ func (in *ControlPanelObservation) DeepCopyInto(out *ControlPanelObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterArn != nil {
+		in, out := &in.ClusterArn, &out.ClusterArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.DefaultControlPanel != nil {
 		in, out := &in.DefaultControlPanel, &out.DefaultControlPanel
 		*out = new(bool)
@@ -286,6 +296,11 @@ func (in *ControlPanelObservation) DeepCopyInto(out *ControlPanelObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.RoutingControlCount != nil {
 		in, out := &in.RoutingControlCount, &out.RoutingControlCount
 		*out = new(float64)
@@ -449,11 +464,26 @@ func (in *RoutingControlObservation) DeepCopyInto(out *RoutingControlObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.ClusterArn != nil {
+		in, out := &in.ClusterArn, &out.ClusterArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ControlPanelArn != nil {
+		in, out := &in.ControlPanelArn, &out.ControlPanelArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -563,6 +593,21 @@ func (in *RoutingControlStatus) DeepCopy() *RoutingControlStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleConfigObservation) DeepCopyInto(out *RuleConfigObservation) {
 	*out = *in
+	if in.Inverted != nil {
+		in, out := &in.Inverted, &out.Inverted
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Threshold != nil {
+		in, out := &in.Threshold, &out.Threshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleConfigObservation.
@@ -672,16 +717,71 @@ func (in *SafetyRuleObservation) DeepCopyInto(out *SafetyRuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssertedControls != nil {
+		in, out := &in.AssertedControls, &out.AssertedControls
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ControlPanelArn != nil {
+		in, out := &in.ControlPanelArn, &out.ControlPanelArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.GatingControls != nil {
+		in, out := &in.GatingControls, &out.GatingControls
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleConfig != nil {
+		in, out := &in.RuleConfig, &out.RuleConfig
+		*out = make([]RuleConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.TargetControls != nil {
+		in, out := &in.TargetControls, &out.TargetControls
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.WaitPeriodMs != nil {
+		in, out := &in.WaitPeriodMs, &out.WaitPeriodMs
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SafetyRuleObservation.
diff --git a/apis/route53recoverycontrolconfig/v1beta1/zz_routingcontrol_types.go b/apis/route53recoverycontrolconfig/v1beta1/zz_routingcontrol_types.go
index bffcbbd893..aa55502746 100755
--- a/apis/route53recoverycontrolconfig/v1beta1/zz_routingcontrol_types.go
+++ b/apis/route53recoverycontrolconfig/v1beta1/zz_routingcontrol_types.go
@@ -18,8 +18,17 @@ type RoutingControlObservation struct {
 	// ARN of the routing control.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// ARN of the cluster in which this routing control will reside.
+	ClusterArn *string `json:"clusterArn,omitempty" tf:"cluster_arn,omitempty"`
+
+	// ARN of the control panel in which this routing control will reside.
+	ControlPanelArn *string `json:"controlPanelArn,omitempty" tf:"control_panel_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name describing the routing control.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Status of routing control. PENDING when it is being created/updated, PENDING_DELETION when it is being deleted, and DEPLOYED otherwise.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -55,8 +64,8 @@ type RoutingControlParameters struct {
 	ControlPanelArnSelector *v1.Selector `json:"controlPanelArnSelector,omitempty" tf:"-"`
 
 	// The name describing the routing control.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -88,8 +97,9 @@ type RoutingControlStatus struct {
 type RoutingControl struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RoutingControlSpec   `json:"spec"`
-	Status            RoutingControlStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RoutingControlSpec   `json:"spec"`
+	Status RoutingControlStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53recoverycontrolconfig/v1beta1/zz_safetyrule_types.go b/apis/route53recoverycontrolconfig/v1beta1/zz_safetyrule_types.go
index f56862b8be..af41ac9469 100755
--- a/apis/route53recoverycontrolconfig/v1beta1/zz_safetyrule_types.go
+++ b/apis/route53recoverycontrolconfig/v1beta1/zz_safetyrule_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type RuleConfigObservation struct {
+
+	// Logical negation of the rule.
+	Inverted *bool `json:"inverted,omitempty" tf:"inverted,omitempty"`
+
+	// Number of controls that must be set when you specify an ATLEAST type rule.
+	Threshold *float64 `json:"threshold,omitempty" tf:"threshold,omitempty"`
+
+	// Rule type. Valid values are ATLEAST, AND, and OR.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RuleConfigParameters struct {
@@ -36,10 +45,31 @@ type SafetyRuleObservation struct {
 	// ARN of the safety rule.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Routing controls that are part of transactions that are evaluated to determine if a request to change a routing control state is allowed.
+	AssertedControls []*string `json:"assertedControls,omitempty" tf:"asserted_controls,omitempty"`
+
+	// ARN of the control panel in which this safety rule will reside.
+	ControlPanelArn *string `json:"controlPanelArn,omitempty" tf:"control_panel_arn,omitempty"`
+
+	// Gating controls for the new gating rule. That is, routing controls that are evaluated by the rule configuration that you specify.
+	GatingControls []*string `json:"gatingControls,omitempty" tf:"gating_controls,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name describing the safety rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Configuration block for safety rule criteria. See below.
+	RuleConfig []RuleConfigObservation `json:"ruleConfig,omitempty" tf:"rule_config,omitempty"`
+
 	// Status of the safety rule. PENDING when it is being created/updated, PENDING_DELETION when it is being deleted, and DEPLOYED otherwise.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Routing controls that can only be set or unset if the specified rule_config evaluates to true for the specified gating_controls.
+	TargetControls []*string `json:"targetControls,omitempty" tf:"target_controls,omitempty"`
+
+	// Evaluation period, in milliseconds (ms), during which any request against the target routing controls will fail.
+	WaitPeriodMs *float64 `json:"waitPeriodMs,omitempty" tf:"wait_period_ms,omitempty"`
 }
 
 type SafetyRuleParameters struct {
@@ -77,8 +107,8 @@ type SafetyRuleParameters struct {
 	GatingControls []*string `json:"gatingControls,omitempty" tf:"gating_controls,omitempty"`
 
 	// Name describing the safety rule.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -86,16 +116,16 @@ type SafetyRuleParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Configuration block for safety rule criteria. See below.
-	// +kubebuilder:validation:Required
-	RuleConfig []RuleConfigParameters `json:"ruleConfig" tf:"rule_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleConfig []RuleConfigParameters `json:"ruleConfig,omitempty" tf:"rule_config,omitempty"`
 
 	// Routing controls that can only be set or unset if the specified rule_config evaluates to true for the specified gating_controls.
 	// +kubebuilder:validation:Optional
 	TargetControls []*string `json:"targetControls,omitempty" tf:"target_controls,omitempty"`
 
 	// Evaluation period, in milliseconds (ms), during which any request against the target routing controls will fail.
-	// +kubebuilder:validation:Required
-	WaitPeriodMs *float64 `json:"waitPeriodMs" tf:"wait_period_ms,omitempty"`
+	// +kubebuilder:validation:Optional
+	WaitPeriodMs *float64 `json:"waitPeriodMs,omitempty" tf:"wait_period_ms,omitempty"`
 }
 
 // SafetyRuleSpec defines the desired state of SafetyRule
@@ -122,8 +152,11 @@ type SafetyRuleStatus struct {
 type SafetyRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SafetyRuleSpec   `json:"spec"`
-	Status            SafetyRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleConfig)",message="ruleConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.waitPeriodMs)",message="waitPeriodMs is a required parameter"
+	Spec   SafetyRuleSpec   `json:"spec"`
+	Status SafetyRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53recoveryreadiness/v1beta1/zz_cell_types.go b/apis/route53recoveryreadiness/v1beta1/zz_cell_types.go
index ca33f07724..ae3e4b1031 100755
--- a/apis/route53recoveryreadiness/v1beta1/zz_cell_types.go
+++ b/apis/route53recoveryreadiness/v1beta1/zz_cell_types.go
@@ -18,11 +18,17 @@ type CellObservation struct {
 	// ARN of the cell
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of cell arns to add as nested fault domains within this cell.
+	Cells []*string `json:"cells,omitempty" tf:"cells,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// List of readiness scopes (recovery groups or cells) that contain this cell.
 	ParentReadinessScopes []*string `json:"parentReadinessScopes,omitempty" tf:"parent_readiness_scopes,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/route53recoveryreadiness/v1beta1/zz_generated.deepcopy.go b/apis/route53recoveryreadiness/v1beta1/zz_generated.deepcopy.go
index d5d8aa8b9b..f7b6b8c3eb 100644
--- a/apis/route53recoveryreadiness/v1beta1/zz_generated.deepcopy.go
+++ b/apis/route53recoveryreadiness/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,17 @@ func (in *CellObservation) DeepCopyInto(out *CellObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Cells != nil {
+		in, out := &in.Cells, &out.Cells
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -97,6 +108,21 @@ func (in *CellObservation) DeepCopyInto(out *CellObservation) {
 			}
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -207,6 +233,33 @@ func (in *CellStatus) DeepCopy() *CellStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DNSTargetResourceObservation) DeepCopyInto(out *DNSTargetResourceObservation) {
 	*out = *in
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostedZoneArn != nil {
+		in, out := &in.HostedZoneArn, &out.HostedZoneArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordSetID != nil {
+		in, out := &in.RecordSetID, &out.RecordSetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordType != nil {
+		in, out := &in.RecordType, &out.RecordType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetResource != nil {
+		in, out := &in.TargetResource, &out.TargetResource
+		*out = make([]TargetResourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSTargetResourceObservation.
@@ -264,6 +317,11 @@ func (in *DNSTargetResourceParameters) DeepCopy() *DNSTargetResourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NlbResourceObservation) DeepCopyInto(out *NlbResourceObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NlbResourceObservation.
@@ -299,6 +357,16 @@ func (in *NlbResourceParameters) DeepCopy() *NlbResourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *R53ResourceObservation) DeepCopyInto(out *R53ResourceObservation) {
 	*out = *in
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RecordSetID != nil {
+		in, out := &in.RecordSetID, &out.RecordSetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new R53ResourceObservation.
@@ -408,6 +476,26 @@ func (in *ReadinessCheckObservation) DeepCopyInto(out *ReadinessCheckObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceSetName != nil {
+		in, out := &in.ResourceSetName, &out.ResourceSetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -576,11 +664,37 @@ func (in *RecoveryGroupObservation) DeepCopyInto(out *RecoveryGroupObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Cells != nil {
+		in, out := &in.Cells, &out.Cells
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -760,6 +874,11 @@ func (in *ResourceSetObservation) DeepCopyInto(out *ResourceSetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceSetType != nil {
+		in, out := &in.ResourceSetType, &out.ResourceSetType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Resources != nil {
 		in, out := &in.Resources, &out.Resources
 		*out = make([]ResourcesObservation, len(*in))
@@ -767,6 +886,21 @@ func (in *ResourceSetObservation) DeepCopyInto(out *ResourceSetObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -883,6 +1017,29 @@ func (in *ResourcesObservation) DeepCopyInto(out *ResourcesObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DNSTargetResource != nil {
+		in, out := &in.DNSTargetResource, &out.DNSTargetResource
+		*out = make([]DNSTargetResourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReadinessScopes != nil {
+		in, out := &in.ReadinessScopes, &out.ReadinessScopes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcesObservation.
@@ -946,6 +1103,20 @@ func (in *ResourcesParameters) DeepCopy() *ResourcesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetResourceObservation) DeepCopyInto(out *TargetResourceObservation) {
 	*out = *in
+	if in.NlbResource != nil {
+		in, out := &in.NlbResource, &out.NlbResource
+		*out = make([]NlbResourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.R53Resource != nil {
+		in, out := &in.R53Resource, &out.R53Resource
+		*out = make([]R53ResourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetResourceObservation.
diff --git a/apis/route53recoveryreadiness/v1beta1/zz_readinesscheck_types.go b/apis/route53recoveryreadiness/v1beta1/zz_readinesscheck_types.go
index f50896ae35..ab5ce2408f 100755
--- a/apis/route53recoveryreadiness/v1beta1/zz_readinesscheck_types.go
+++ b/apis/route53recoveryreadiness/v1beta1/zz_readinesscheck_types.go
@@ -20,6 +20,12 @@ type ReadinessCheckObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name describing the resource set that will be monitored for readiness.
+	ResourceSetName *string `json:"resourceSetName,omitempty" tf:"resource_set_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,8 +38,8 @@ type ReadinessCheckParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Name describing the resource set that will be monitored for readiness.
-	// +kubebuilder:validation:Required
-	ResourceSetName *string `json:"resourceSetName" tf:"resource_set_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceSetName *string `json:"resourceSetName,omitempty" tf:"resource_set_name,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -64,8 +70,9 @@ type ReadinessCheckStatus struct {
 type ReadinessCheck struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReadinessCheckSpec   `json:"spec"`
-	Status            ReadinessCheckStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceSetName)",message="resourceSetName is a required parameter"
+	Spec   ReadinessCheckSpec   `json:"spec"`
+	Status ReadinessCheckStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53recoveryreadiness/v1beta1/zz_recoverygroup_types.go b/apis/route53recoveryreadiness/v1beta1/zz_recoverygroup_types.go
index c2e584ccae..0b0909f6b0 100755
--- a/apis/route53recoveryreadiness/v1beta1/zz_recoverygroup_types.go
+++ b/apis/route53recoveryreadiness/v1beta1/zz_recoverygroup_types.go
@@ -18,8 +18,14 @@ type RecoveryGroupObservation struct {
 	// ARN of the recovery group
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// List of cell arns to add as nested fault domains within this recovery group
+	Cells []*string `json:"cells,omitempty" tf:"cells,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/route53recoveryreadiness/v1beta1/zz_resourceset_types.go b/apis/route53recoveryreadiness/v1beta1/zz_resourceset_types.go
index a91141177b..1cabf2c4eb 100755
--- a/apis/route53recoveryreadiness/v1beta1/zz_resourceset_types.go
+++ b/apis/route53recoveryreadiness/v1beta1/zz_resourceset_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type DNSTargetResourceObservation struct {
+
+	// DNS Name that acts as the ingress point to a portion of application.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// Hosted Zone ARN that contains the DNS record with the provided name of target resource.
+	HostedZoneArn *string `json:"hostedZoneArn,omitempty" tf:"hosted_zone_arn,omitempty"`
+
+	// Route53 record set id to uniquely identify a record given a domain_name and a record_type.
+	RecordSetID *string `json:"recordSetId,omitempty" tf:"record_set_id,omitempty"`
+
+	// Type of DNS Record of target resource.
+	RecordType *string `json:"recordType,omitempty" tf:"record_type,omitempty"`
+
+	// Target resource the R53 record specified with the above params points to.
+	TargetResource []TargetResourceObservation `json:"targetResource,omitempty" tf:"target_resource,omitempty"`
 }
 
 type DNSTargetResourceParameters struct {
@@ -40,6 +55,9 @@ type DNSTargetResourceParameters struct {
 }
 
 type NlbResourceObservation struct {
+
+	// NLB resource ARN.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 }
 
 type NlbResourceParameters struct {
@@ -50,6 +68,12 @@ type NlbResourceParameters struct {
 }
 
 type R53ResourceObservation struct {
+
+	// Domain name that is targeted.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// Resource record set ID that is targeted.
+	RecordSetID *string `json:"recordSetId,omitempty" tf:"record_set_id,omitempty"`
 }
 
 type R53ResourceParameters struct {
@@ -70,10 +94,15 @@ type ResourceSetObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Type of the resources in the resource set.
+	ResourceSetType *string `json:"resourceSetType,omitempty" tf:"resource_set_type,omitempty"`
+
 	// List of resources to add to this resource set. See below.
-	// +kubebuilder:validation:Required
 	Resources []ResourcesObservation `json:"resources,omitempty" tf:"resources,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -86,12 +115,12 @@ type ResourceSetParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Type of the resources in the resource set.
-	// +kubebuilder:validation:Required
-	ResourceSetType *string `json:"resourceSetType" tf:"resource_set_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceSetType *string `json:"resourceSetType,omitempty" tf:"resource_set_type,omitempty"`
 
 	// List of resources to add to this resource set. See below.
-	// +kubebuilder:validation:Required
-	Resources []ResourcesParameters `json:"resources" tf:"resources,omitempty"`
+	// +kubebuilder:validation:Optional
+	Resources []ResourcesParameters `json:"resources,omitempty" tf:"resources,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -102,6 +131,15 @@ type ResourcesObservation struct {
 
 	// Unique identified for DNS Target Resources, use for readiness checks.
 	ComponentID *string `json:"componentId,omitempty" tf:"component_id,omitempty"`
+
+	// Component for DNS/Routing Control Readiness Checks.
+	DNSTargetResource []DNSTargetResourceObservation `json:"dnsTargetResource,omitempty" tf:"dns_target_resource,omitempty"`
+
+	// Recovery group ARN or cell ARN that contains this resource set.
+	ReadinessScopes []*string `json:"readinessScopes,omitempty" tf:"readiness_scopes,omitempty"`
+
+	// ARN of the resource.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 }
 
 type ResourcesParameters struct {
@@ -130,6 +168,12 @@ type ResourcesParameters struct {
 }
 
 type TargetResourceObservation struct {
+
+	// NLB resource a DNS Target Resource points to. Required if r53_resource is not set.
+	NlbResource []NlbResourceObservation `json:"nlbResource,omitempty" tf:"nlb_resource,omitempty"`
+
+	// Route53 resource a DNS Target Resource record points to.
+	R53Resource []R53ResourceObservation `json:"r53Resource,omitempty" tf:"r53_resource,omitempty"`
 }
 
 type TargetResourceParameters struct {
@@ -167,8 +211,10 @@ type ResourceSetStatus struct {
 type ResourceSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceSetSpec   `json:"spec"`
-	Status            ResourceSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceSetType)",message="resourceSetType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resources)",message="resources is a required parameter"
+	Spec   ResourceSetSpec   `json:"spec"`
+	Status ResourceSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53resolver/v1beta1/zz_endpoint_types.go b/apis/route53resolver/v1beta1/zz_endpoint_types.go
index 02ccd7a52b..472aa5ca03 100755
--- a/apis/route53resolver/v1beta1/zz_endpoint_types.go
+++ b/apis/route53resolver/v1beta1/zz_endpoint_types.go
@@ -18,6 +18,11 @@ type EndpointObservation struct {
 	// The ARN of the Route 53 Resolver endpoint.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The direction of DNS queries to or from the Route 53 Resolver endpoint.
+	// Valid values are INBOUND (resolver forwards DNS queries to the DNS service for a VPC from your network or another VPC)
+	// or OUTBOUND (resolver forwards DNS queries from the DNS service for a VPC to your network or another VPC).
+	Direction *string `json:"direction,omitempty" tf:"direction,omitempty"`
+
 	// The ID of the VPC that you want to create the resolver endpoint in.
 	HostVPCID *string `json:"hostVpcId,omitempty" tf:"host_vpc_id,omitempty"`
 
@@ -26,9 +31,17 @@ type EndpointObservation struct {
 
 	// The subnets and IP addresses in your VPC that you want DNS queries to pass through on the way from your VPCs
 	// to your network (for outbound endpoints) or on the way from your network to your VPCs (for inbound endpoints). Described below.
-	// +kubebuilder:validation:Required
 	IPAddress []IPAddressObservation `json:"ipAddress,omitempty" tf:"ip_address,omitempty"`
 
+	// The friendly name of the Route 53 Resolver endpoint.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ID of one or more security groups that you want to use to control access to this VPC.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -38,13 +51,13 @@ type EndpointParameters struct {
 	// The direction of DNS queries to or from the Route 53 Resolver endpoint.
 	// Valid values are INBOUND (resolver forwards DNS queries to the DNS service for a VPC from your network or another VPC)
 	// or OUTBOUND (resolver forwards DNS queries from the DNS service for a VPC to your network or another VPC).
-	// +kubebuilder:validation:Required
-	Direction *string `json:"direction" tf:"direction,omitempty"`
+	// +kubebuilder:validation:Optional
+	Direction *string `json:"direction,omitempty" tf:"direction,omitempty"`
 
 	// The subnets and IP addresses in your VPC that you want DNS queries to pass through on the way from your VPCs
 	// to your network (for outbound endpoints) or on the way from your network to your VPCs (for inbound endpoints). Described below.
-	// +kubebuilder:validation:Required
-	IPAddress []IPAddressParameters `json:"ipAddress" tf:"ip_address,omitempty"`
+	// +kubebuilder:validation:Optional
+	IPAddress []IPAddressParameters `json:"ipAddress,omitempty" tf:"ip_address,omitempty"`
 
 	// The friendly name of the Route 53 Resolver endpoint.
 	// +kubebuilder:validation:Optional
@@ -77,8 +90,14 @@ type EndpointParameters struct {
 
 type IPAddressObservation struct {
 
+	// The IP address in the subnet that you want to use for DNS queries.
+	IP *string `json:"ip,omitempty" tf:"ip,omitempty"`
+
 	// The ID of the Route 53 Resolver endpoint.
 	IPID *string `json:"ipId,omitempty" tf:"ip_id,omitempty"`
+
+	// The ID of the subnet that contains the IP address.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
 }
 
 type IPAddressParameters struct {
@@ -126,8 +145,10 @@ type EndpointStatus struct {
 type Endpoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EndpointSpec   `json:"spec"`
-	Status            EndpointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.direction)",message="direction is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ipAddress)",message="ipAddress is a required parameter"
+	Spec   EndpointSpec   `json:"spec"`
+	Status EndpointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53resolver/v1beta1/zz_generated.deepcopy.go b/apis/route53resolver/v1beta1/zz_generated.deepcopy.go
index d5a05c6474..6a6dfef175 100644
--- a/apis/route53resolver/v1beta1/zz_generated.deepcopy.go
+++ b/apis/route53resolver/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,11 @@ func (in *EndpointObservation) DeepCopyInto(out *EndpointObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Direction != nil {
+		in, out := &in.Direction, &out.Direction
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostVPCID != nil {
 		in, out := &in.HostVPCID, &out.HostVPCID
 		*out = new(string)
@@ -98,6 +103,37 @@ func (in *EndpointObservation) DeepCopyInto(out *EndpointObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -237,11 +273,21 @@ func (in *EndpointStatus) DeepCopy() *EndpointStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPAddressObservation) DeepCopyInto(out *IPAddressObservation) {
 	*out = *in
+	if in.IP != nil {
+		in, out := &in.IP, &out.IP
+		*out = new(string)
+		**out = **in
+	}
 	if in.IPID != nil {
 		in, out := &in.IPID, &out.IPID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAddressObservation.
@@ -383,6 +429,21 @@ func (in *RuleAssociationObservation) DeepCopyInto(out *RuleAssociationObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResolverRuleID != nil {
+		in, out := &in.ResolverRuleID, &out.ResolverRuleID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleAssociationObservation.
@@ -524,21 +585,56 @@ func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.OwnerID != nil {
 		in, out := &in.OwnerID, &out.OwnerID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResolverEndpointID != nil {
+		in, out := &in.ResolverEndpointID, &out.ResolverEndpointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RuleType != nil {
+		in, out := &in.RuleType, &out.RuleType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ShareStatus != nil {
 		in, out := &in.ShareStatus, &out.ShareStatus
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -554,6 +650,13 @@ func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TargetIP != nil {
+		in, out := &in.TargetIP, &out.TargetIP
+		*out = make([]TargetIPObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleObservation.
@@ -675,6 +778,16 @@ func (in *RuleStatus) DeepCopy() *RuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetIPObservation) DeepCopyInto(out *TargetIPObservation) {
 	*out = *in
+	if in.IP != nil {
+		in, out := &in.IP, &out.IP
+		*out = new(string)
+		**out = **in
+	}
+	if in.Port != nil {
+		in, out := &in.Port, &out.Port
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetIPObservation.
diff --git a/apis/route53resolver/v1beta1/zz_rule_types.go b/apis/route53resolver/v1beta1/zz_rule_types.go
index 4cbcc3ba9a..9679146c49 100755
--- a/apis/route53resolver/v1beta1/zz_rule_types.go
+++ b/apis/route53resolver/v1beta1/zz_rule_types.go
@@ -18,25 +18,45 @@ type RuleObservation struct {
 	// The ARN (Amazon Resource Name) for the resolver rule.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// DNS queries for this domain name are forwarded to the IP addresses that are specified using target_ip.
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
 	// The ID of the resolver rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A friendly name that lets you easily find a rule in the Resolver dashboard in the Route 53 console.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// When a rule is shared with another AWS account, the account ID of the account that the rule is shared with.
 	OwnerID *string `json:"ownerId,omitempty" tf:"owner_id,omitempty"`
 
+	// The ID of the outbound resolver endpoint that you want to use to route DNS queries to the IP addresses that you specify using target_ip.
+	// This argument should only be specified for FORWARD type rules.
+	ResolverEndpointID *string `json:"resolverEndpointId,omitempty" tf:"resolver_endpoint_id,omitempty"`
+
+	// The rule type. Valid values are FORWARD, SYSTEM and RECURSIVE.
+	RuleType *string `json:"ruleType,omitempty" tf:"rule_type,omitempty"`
+
 	// Whether the rules is shared and, if so, whether the current account is sharing the rule with another account, or another account is sharing the rule with the current account.
 	// Values are NOT_SHARED, SHARED_BY_ME or SHARED_WITH_ME
 	ShareStatus *string `json:"shareStatus,omitempty" tf:"share_status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Configuration block(s) indicating the IPs that you want Resolver to forward DNS queries to (documented below).
+	// This argument should only be specified for FORWARD type rules.
+	TargetIP []TargetIPObservation `json:"targetIp,omitempty" tf:"target_ip,omitempty"`
 }
 
 type RuleParameters struct {
 
 	// DNS queries for this domain name are forwarded to the IP addresses that are specified using target_ip.
-	// +kubebuilder:validation:Required
-	DomainName *string `json:"domainName" tf:"domain_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
 
 	// A friendly name that lets you easily find a rule in the Resolver dashboard in the Route 53 console.
 	// +kubebuilder:validation:Optional
@@ -63,8 +83,8 @@ type RuleParameters struct {
 	ResolverEndpointIDSelector *v1.Selector `json:"resolverEndpointIdSelector,omitempty" tf:"-"`
 
 	// The rule type. Valid values are FORWARD, SYSTEM and RECURSIVE.
-	// +kubebuilder:validation:Required
-	RuleType *string `json:"ruleType" tf:"rule_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleType *string `json:"ruleType,omitempty" tf:"rule_type,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -77,6 +97,12 @@ type RuleParameters struct {
 }
 
 type TargetIPObservation struct {
+
+	// One IP address that you want to forward DNS queries to. You can specify only IPv4 addresses.
+	IP *string `json:"ip,omitempty" tf:"ip,omitempty"`
+
+	// The port at ip that you want to forward DNS queries to. Default value is 53
+	Port *float64 `json:"port,omitempty" tf:"port,omitempty"`
 }
 
 type TargetIPParameters struct {
@@ -114,8 +140,10 @@ type RuleStatus struct {
 type Rule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RuleSpec   `json:"spec"`
-	Status            RuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)",message="domainName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleType)",message="ruleType is a required parameter"
+	Spec   RuleSpec   `json:"spec"`
+	Status RuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/route53resolver/v1beta1/zz_ruleassociation_types.go b/apis/route53resolver/v1beta1/zz_ruleassociation_types.go
index 17d83cd4bb..4f694881cd 100755
--- a/apis/route53resolver/v1beta1/zz_ruleassociation_types.go
+++ b/apis/route53resolver/v1beta1/zz_ruleassociation_types.go
@@ -17,6 +17,15 @@ type RuleAssociationObservation struct {
 
 	// The ID of the resolver rule association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A name for the association that you're creating between a resolver rule and a VPC.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ID of the resolver rule that you want to associate with the VPC.
+	ResolverRuleID *string `json:"resolverRuleId,omitempty" tf:"resolver_rule_id,omitempty"`
+
+	// The ID of the VPC that you want to associate the resolver rule with.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type RuleAssociationParameters struct {
diff --git a/apis/rum/v1beta1/zz_appmonitor_types.go b/apis/rum/v1beta1/zz_appmonitor_types.go
index 6bbee2a8e4..fe0d8f8ecf 100755
--- a/apis/rum/v1beta1/zz_appmonitor_types.go
+++ b/apis/rum/v1beta1/zz_appmonitor_types.go
@@ -14,6 +14,33 @@ import (
 )
 
 type AppMonitorConfigurationObservation struct {
+
+	// If you set this to true, RUM web client sets two cookies, a session cookie  and a user cookie. The cookies allow the RUM web client to collect data relating to the number of users an application has and the behavior of the application across a sequence of events. Cookies are stored in the top-level domain of the current page.
+	AllowCookies *bool `json:"allowCookies,omitempty" tf:"allow_cookies,omitempty"`
+
+	// If you set this to true, RUM enables X-Ray tracing for the user sessions  that RUM samples. RUM adds an X-Ray trace header to allowed HTTP requests. It also records an X-Ray segment for allowed HTTP requests.
+	EnableXray *bool `json:"enableXray,omitempty" tf:"enable_xray,omitempty"`
+
+	// A list of URLs in your website or application to exclude from RUM data collection.
+	ExcludedPages []*string `json:"excludedPages,omitempty" tf:"excluded_pages,omitempty"`
+
+	// A list of pages in the CloudWatch RUM console that are to be displayed with a "favorite" icon.
+	FavoritePages []*string `json:"favoritePages,omitempty" tf:"favorite_pages,omitempty"`
+
+	// The ARN of the guest IAM role that is attached to the Amazon Cognito identity pool that is used to authorize the sending of data to RUM.
+	GuestRoleArn *string `json:"guestRoleArn,omitempty" tf:"guest_role_arn,omitempty"`
+
+	// The ID of the Amazon Cognito identity pool that is used to authorize the sending of data to RUM.
+	IdentityPoolID *string `json:"identityPoolId,omitempty" tf:"identity_pool_id,omitempty"`
+
+	// If this app monitor is to collect data from only certain pages in your application, this structure lists those pages.
+	IncludedPages []*string `json:"includedPages,omitempty" tf:"included_pages,omitempty"`
+
+	// Specifies the percentage of user sessions to use for RUM data collection. Choosing a higher percentage gives you more data but also incurs more costs. The number you specify is the percentage of user sessions that will be used. Default value is 0.1.
+	SessionSampleRate *float64 `json:"sessionSampleRate,omitempty" tf:"session_sample_rate,omitempty"`
+
+	// An array that lists the types of telemetry data that this app monitor is to collect. Valid values are errors, performance, and http.
+	Telemetries []*string `json:"telemetries,omitempty" tf:"telemetries,omitempty"`
 }
 
 type AppMonitorConfigurationParameters struct {
@@ -57,18 +84,33 @@ type AppMonitorConfigurationParameters struct {
 
 type AppMonitorObservation struct {
 
+	// configuration data for the app monitor. See app_monitor_configuration below.
+	AppMonitorConfiguration []AppMonitorConfigurationObservation `json:"appMonitorConfiguration,omitempty" tf:"app_monitor_configuration,omitempty"`
+
 	// The unique ID of the app monitor. Useful for JS templates.
 	AppMonitorID *string `json:"appMonitorId,omitempty" tf:"app_monitor_id,omitempty"`
 
 	// The Amazon Resource Name (ARN) specifying the app monitor.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies whether this app monitor allows the web client to define and send custom events. If you omit this parameter, custom events are DISABLED. See custom_events below.
+	CustomEvents []CustomEventsObservation `json:"customEvents,omitempty" tf:"custom_events,omitempty"`
+
+	// Data collected by RUM is kept by RUM for 30 days and then deleted. This parameter  specifies whether RUM sends a copy of this telemetry data to Amazon CloudWatch Logs in your account. This enables you to keep the telemetry data for more than 30 days, but it does incur Amazon CloudWatch Logs charges. Default value is false.
+	CwLogEnabled *bool `json:"cwLogEnabled,omitempty" tf:"cw_log_enabled,omitempty"`
+
 	// The name of the log group where the copies are stored.
 	CwLogGroup *string `json:"cwLogGroup,omitempty" tf:"cw_log_group,omitempty"`
 
+	// The top-level internet domain name for which your application has administrative authority.
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
+
 	// The CloudWatch RUM name as it is the identifier of a RUM.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -88,8 +130,8 @@ type AppMonitorParameters struct {
 	CwLogEnabled *bool `json:"cwLogEnabled,omitempty" tf:"cw_log_enabled,omitempty"`
 
 	// The top-level internet domain name for which your application has administrative authority.
-	// +kubebuilder:validation:Required
-	Domain *string `json:"domain" tf:"domain,omitempty"`
+	// +kubebuilder:validation:Optional
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -102,6 +144,9 @@ type AppMonitorParameters struct {
 }
 
 type CustomEventsObservation struct {
+
+	// Specifies whether this app monitor allows the web client to define and send custom events. The default is for custom events to be DISABLED. Valid values are DISABLED and ENABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type CustomEventsParameters struct {
@@ -135,8 +180,9 @@ type AppMonitorStatus struct {
 type AppMonitor struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AppMonitorSpec   `json:"spec"`
-	Status            AppMonitorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domain)",message="domain is a required parameter"
+	Spec   AppMonitorSpec   `json:"spec"`
+	Status AppMonitorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/rum/v1beta1/zz_generated.deepcopy.go b/apis/rum/v1beta1/zz_generated.deepcopy.go
index c75923dc6d..3ea34048bf 100644
--- a/apis/rum/v1beta1/zz_generated.deepcopy.go
+++ b/apis/rum/v1beta1/zz_generated.deepcopy.go
@@ -44,6 +44,75 @@ func (in *AppMonitor) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppMonitorConfigurationObservation) DeepCopyInto(out *AppMonitorConfigurationObservation) {
 	*out = *in
+	if in.AllowCookies != nil {
+		in, out := &in.AllowCookies, &out.AllowCookies
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableXray != nil {
+		in, out := &in.EnableXray, &out.EnableXray
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExcludedPages != nil {
+		in, out := &in.ExcludedPages, &out.ExcludedPages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.FavoritePages != nil {
+		in, out := &in.FavoritePages, &out.FavoritePages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.GuestRoleArn != nil {
+		in, out := &in.GuestRoleArn, &out.GuestRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.IdentityPoolID != nil {
+		in, out := &in.IdentityPoolID, &out.IdentityPoolID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncludedPages != nil {
+		in, out := &in.IncludedPages, &out.IncludedPages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SessionSampleRate != nil {
+		in, out := &in.SessionSampleRate, &out.SessionSampleRate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Telemetries != nil {
+		in, out := &in.Telemetries, &out.Telemetries
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppMonitorConfigurationObservation.
@@ -175,6 +244,13 @@ func (in *AppMonitorList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppMonitorObservation) DeepCopyInto(out *AppMonitorObservation) {
 	*out = *in
+	if in.AppMonitorConfiguration != nil {
+		in, out := &in.AppMonitorConfiguration, &out.AppMonitorConfiguration
+		*out = make([]AppMonitorConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.AppMonitorID != nil {
 		in, out := &in.AppMonitorID, &out.AppMonitorID
 		*out = new(string)
@@ -185,16 +261,48 @@ func (in *AppMonitorObservation) DeepCopyInto(out *AppMonitorObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CustomEvents != nil {
+		in, out := &in.CustomEvents, &out.CustomEvents
+		*out = make([]CustomEventsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CwLogEnabled != nil {
+		in, out := &in.CwLogEnabled, &out.CwLogEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CwLogGroup != nil {
 		in, out := &in.CwLogGroup, &out.CwLogGroup
 		*out = new(string)
 		**out = **in
 	}
+	if in.Domain != nil {
+		in, out := &in.Domain, &out.Domain
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -318,6 +426,11 @@ func (in *AppMonitorStatus) DeepCopy() *AppMonitorStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomEventsObservation) DeepCopyInto(out *CustomEventsObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomEventsObservation.
@@ -412,6 +525,26 @@ func (in *MetricsDestinationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MetricsDestinationObservation) DeepCopyInto(out *MetricsDestinationObservation) {
 	*out = *in
+	if in.AppMonitorName != nil {
+		in, out := &in.AppMonitorName, &out.AppMonitorName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
+	if in.DestinationArn != nil {
+		in, out := &in.DestinationArn, &out.DestinationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
diff --git a/apis/rum/v1beta1/zz_metricsdestination_types.go b/apis/rum/v1beta1/zz_metricsdestination_types.go
index 3034d1d4f8..5d17460618 100755
--- a/apis/rum/v1beta1/zz_metricsdestination_types.go
+++ b/apis/rum/v1beta1/zz_metricsdestination_types.go
@@ -15,6 +15,18 @@ import (
 
 type MetricsDestinationObservation struct {
 
+	// The name of the CloudWatch RUM app monitor that will send the metrics.
+	AppMonitorName *string `json:"appMonitorName,omitempty" tf:"app_monitor_name,omitempty"`
+
+	// Defines the destination to send the metrics to. Valid values are CloudWatch and Evidently. If you specify Evidently, you must also specify the ARN of the CloudWatchEvidently experiment that is to be the destination and an IAM role that has permission to write to the experiment.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Use this parameter only if Destination is Evidently. This parameter specifies the ARN of the Evidently experiment that will receive the extended metrics.
+	DestinationArn *string `json:"destinationArn,omitempty" tf:"destination_arn,omitempty"`
+
+	// This parameter is required if Destination is Evidently. If Destination is CloudWatch, do not use this parameter.
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
+
 	// The name of the CloudWatch RUM app monitor that will send the metrics.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -35,8 +47,8 @@ type MetricsDestinationParameters struct {
 	AppMonitorNameSelector *v1.Selector `json:"appMonitorNameSelector,omitempty" tf:"-"`
 
 	// Defines the destination to send the metrics to. Valid values are CloudWatch and Evidently. If you specify Evidently, you must also specify the ARN of the CloudWatchEvidently experiment that is to be the destination and an IAM role that has permission to write to the experiment.
-	// +kubebuilder:validation:Required
-	Destination *string `json:"destination" tf:"destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
 
 	// Use this parameter only if Destination is Evidently. This parameter specifies the ARN of the Evidently experiment that will receive the extended metrics.
 	// +kubebuilder:validation:Optional
@@ -86,8 +98,9 @@ type MetricsDestinationStatus struct {
 type MetricsDestination struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MetricsDestinationSpec   `json:"spec"`
-	Status            MetricsDestinationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)",message="destination is a required parameter"
+	Spec   MetricsDestinationSpec   `json:"spec"`
+	Status MetricsDestinationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucket_types.go b/apis/s3/v1beta1/zz_bucket_types.go
index 18a22057f2..3f48756eed 100755
--- a/apis/s3/v1beta1/zz_bucket_types.go
+++ b/apis/s3/v1beta1/zz_bucket_types.go
@@ -53,6 +53,9 @@ type BucketObservation struct {
 	// Rule of Cross-Origin Resource Sharing. See CORS rule below for details. Use the resource aws_s3_bucket_cors_configuration instead.
 	CorsRule []CorsRuleObservation `json:"corsRule,omitempty" tf:"cors_rule,omitempty"`
 
+	// Boolean that indicates all objects (including any locked objects) should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. These objects are not recoverable. This only deletes objects when the bucket is destroyed, not when setting this parameter to true.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// An ACL policy grant. See Grant below for details. Conflicts with acl. Use the resource aws_s3_bucket_acl instead.
 	Grant []GrantObservation `json:"grant,omitempty" tf:"grant,omitempty"`
 
@@ -74,6 +77,9 @@ type BucketObservation struct {
 	// Use the object_lock_enabled parameter and the resource aws_s3_bucket_object_lock_configuration instead.
 	ObjectLockConfiguration []ObjectLockConfigurationObservation `json:"objectLockConfiguration,omitempty" tf:"object_lock_configuration,omitempty"`
 
+	// Indicates whether this bucket has an Object Lock configuration enabled. Valid values are true or false. This argument is not supported in all regions or partitions.
+	ObjectLockEnabled *bool `json:"objectLockEnabled,omitempty" tf:"object_lock_enabled,omitempty"`
+
 	// Valid bucket policy JSON document. In this case, please make sure you use the verbose/specific version of the policy.
 	// Use the resource aws_s3_bucket_policy instead.
 	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
@@ -92,6 +98,9 @@ type BucketObservation struct {
 	// Use the resource aws_s3_bucket_server_side_encryption_configuration instead.
 	ServerSideEncryptionConfiguration []ServerSideEncryptionConfigurationObservation `json:"serverSideEncryptionConfiguration,omitempty" tf:"server_side_encryption_configuration,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
diff --git a/apis/s3/v1beta1/zz_bucketaccelerateconfiguration_types.go b/apis/s3/v1beta1/zz_bucketaccelerateconfiguration_types.go
index 3dde0cb7b6..94907fc7fb 100755
--- a/apis/s3/v1beta1/zz_bucketaccelerateconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketaccelerateconfiguration_types.go
@@ -15,8 +15,17 @@ import (
 
 type BucketAccelerateConfigurationObservation struct {
 
+	// Name of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Transfer acceleration state of the bucket. Valid values: Enabled, Suspended.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type BucketAccelerateConfigurationParameters struct {
@@ -45,8 +54,8 @@ type BucketAccelerateConfigurationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Transfer acceleration state of the bucket. Valid values: Enabled, Suspended.
-	// +kubebuilder:validation:Required
-	Status *string `json:"status" tf:"status,omitempty"`
+	// +kubebuilder:validation:Optional
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 // BucketAccelerateConfigurationSpec defines the desired state of BucketAccelerateConfiguration
@@ -73,8 +82,9 @@ type BucketAccelerateConfigurationStatus struct {
 type BucketAccelerateConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketAccelerateConfigurationSpec   `json:"spec"`
-	Status            BucketAccelerateConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.status)",message="status is a required parameter"
+	Spec   BucketAccelerateConfigurationSpec   `json:"spec"`
+	Status BucketAccelerateConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketacl_types.go b/apis/s3/v1beta1/zz_bucketacl_types.go
index 895170a6ec..f0bb95f078 100755
--- a/apis/s3/v1beta1/zz_bucketacl_types.go
+++ b/apis/s3/v1beta1/zz_bucketacl_types.go
@@ -16,8 +16,10 @@ import (
 type AccessControlPolicyGrantObservation struct {
 
 	// Configuration block for the person being granted permissions. See below.
-	// +kubebuilder:validation:Optional
 	Grantee []GranteeObservation `json:"grantee,omitempty" tf:"grantee,omitempty"`
+
+	// Logging permissions assigned to the grantee for the bucket.
+	Permission *string `json:"permission,omitempty" tf:"permission,omitempty"`
 }
 
 type AccessControlPolicyGrantParameters struct {
@@ -34,8 +36,10 @@ type AccessControlPolicyGrantParameters struct {
 type AccessControlPolicyObservation struct {
 
 	// Set of grant configuration blocks. See below.
-	// +kubebuilder:validation:Optional
 	Grant []AccessControlPolicyGrantObservation `json:"grant,omitempty" tf:"grant,omitempty"`
+
+	// Configuration block of the bucket owner's display name and ID. See below.
+	Owner []OwnerObservation `json:"owner,omitempty" tf:"owner,omitempty"`
 }
 
 type AccessControlPolicyParameters struct {
@@ -51,10 +55,18 @@ type AccessControlPolicyParameters struct {
 
 type BucketACLObservation struct {
 
+	// Canned ACL to apply to the bucket.
+	ACL *string `json:"acl,omitempty" tf:"acl,omitempty"`
+
 	// Configuration block that sets the ACL permissions for an object per grantee. See below.
-	// +kubebuilder:validation:Optional
 	AccessControlPolicy []AccessControlPolicyObservation `json:"accessControlPolicy,omitempty" tf:"access_control_policy,omitempty"`
 
+	// Name of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket, expected_bucket_owner (if configured), and acl (if configured) separated by commas (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -97,6 +109,18 @@ type GranteeObservation struct {
 
 	// Display name of the owner.
 	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// Email address of the grantee. See Regions and Endpoints for supported AWS regions where this argument can be specified.
+	EmailAddress *string `json:"emailAddress,omitempty" tf:"email_address,omitempty"`
+
+	// ID of the owner.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Type of grantee. Valid values: CanonicalUser, AmazonCustomerByEmail, Group.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// URI of the grantee group.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type GranteeParameters struct {
@@ -119,6 +143,12 @@ type GranteeParameters struct {
 }
 
 type OwnerObservation struct {
+
+	// Display name of the owner.
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// ID of the owner.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type OwnerParameters struct {
diff --git a/apis/s3/v1beta1/zz_bucketanalyticsconfiguration_types.go b/apis/s3/v1beta1/zz_bucketanalyticsconfiguration_types.go
index 0b4e1fd24e..b74447afee 100755
--- a/apis/s3/v1beta1/zz_bucketanalyticsconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketanalyticsconfiguration_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type BucketAnalyticsConfigurationFilterObservation struct {
+
+	// Object prefix for filtering.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type BucketAnalyticsConfigurationFilterParameters struct {
@@ -28,7 +34,20 @@ type BucketAnalyticsConfigurationFilterParameters struct {
 }
 
 type BucketAnalyticsConfigurationObservation struct {
+
+	// Name of the bucket this analytics configuration is associated with.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Object filtering that accepts a prefix, tags, or a logical AND of prefix and tags (documented below).
+	Filter []BucketAnalyticsConfigurationFilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Unique identifier of the analytics configuration for the bucket.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Configuration for the analytics data export (documented below).
+	StorageClassAnalysis []StorageClassAnalysisObservation `json:"storageClassAnalysis,omitempty" tf:"storage_class_analysis,omitempty"`
 }
 
 type BucketAnalyticsConfigurationParameters struct {
@@ -52,8 +71,8 @@ type BucketAnalyticsConfigurationParameters struct {
 	Filter []BucketAnalyticsConfigurationFilterParameters `json:"filter,omitempty" tf:"filter,omitempty"`
 
 	// Unique identifier of the analytics configuration for the bucket.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -66,6 +85,9 @@ type BucketAnalyticsConfigurationParameters struct {
 }
 
 type DataExportDestinationObservation struct {
+
+	// Analytics data export currently only supports an S3 bucket destination (documented below).
+	S3BucketDestination []S3BucketDestinationObservation `json:"s3BucketDestination,omitempty" tf:"s3_bucket_destination,omitempty"`
 }
 
 type DataExportDestinationParameters struct {
@@ -76,6 +98,12 @@ type DataExportDestinationParameters struct {
 }
 
 type DataExportObservation struct {
+
+	// Specifies the destination for the exported analytics data (documented below).
+	Destination []DataExportDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Schema version of exported analytics data. Allowed values: V_1. Default value: V_1.
+	OutputSchemaVersion *string `json:"outputSchemaVersion,omitempty" tf:"output_schema_version,omitempty"`
 }
 
 type DataExportParameters struct {
@@ -90,6 +118,18 @@ type DataExportParameters struct {
 }
 
 type S3BucketDestinationObservation struct {
+
+	// Account ID that owns the destination bucket.
+	BucketAccountID *string `json:"bucketAccountId,omitempty" tf:"bucket_account_id,omitempty"`
+
+	// ARN of the destination bucket.
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// Output format of exported analytics data. Allowed values: CSV. Default value: CSV.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
+
+	// Object prefix for filtering.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type S3BucketDestinationParameters struct {
@@ -122,6 +162,9 @@ type S3BucketDestinationParameters struct {
 }
 
 type StorageClassAnalysisObservation struct {
+
+	// Data export configuration (documented below).
+	DataExport []DataExportObservation `json:"dataExport,omitempty" tf:"data_export,omitempty"`
 }
 
 type StorageClassAnalysisParameters struct {
@@ -155,8 +198,9 @@ type BucketAnalyticsConfigurationStatus struct {
 type BucketAnalyticsConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketAnalyticsConfigurationSpec   `json:"spec"`
-	Status            BucketAnalyticsConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   BucketAnalyticsConfigurationSpec   `json:"spec"`
+	Status BucketAnalyticsConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketcorsconfiguration_types.go b/apis/s3/v1beta1/zz_bucketcorsconfiguration_types.go
index b4551f466c..ab6d88b703 100755
--- a/apis/s3/v1beta1/zz_bucketcorsconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketcorsconfiguration_types.go
@@ -14,6 +14,24 @@ import (
 )
 
 type BucketCorsConfigurationCorsRuleObservation struct {
+
+	// Set of Headers that are specified in the Access-Control-Request-Headers header.
+	AllowedHeaders []*string `json:"allowedHeaders,omitempty" tf:"allowed_headers,omitempty"`
+
+	// Set of HTTP methods that you allow the origin to execute. Valid values are GET, PUT, HEAD, POST, and DELETE.
+	AllowedMethods []*string `json:"allowedMethods,omitempty" tf:"allowed_methods,omitempty"`
+
+	// Set of origins you want customers to be able to access the bucket from.
+	AllowedOrigins []*string `json:"allowedOrigins,omitempty" tf:"allowed_origins,omitempty"`
+
+	// Set of headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript XMLHttpRequest object).
+	ExposeHeaders []*string `json:"exposeHeaders,omitempty" tf:"expose_headers,omitempty"`
+
+	// Unique identifier for the rule. The value cannot be longer than 255 characters.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Time in seconds that your browser is to cache the preflight response for the specified resource.
+	MaxAgeSeconds *float64 `json:"maxAgeSeconds,omitempty" tf:"max_age_seconds,omitempty"`
 }
 
 type BucketCorsConfigurationCorsRuleParameters struct {
@@ -45,6 +63,15 @@ type BucketCorsConfigurationCorsRuleParameters struct {
 
 type BucketCorsConfigurationObservation struct {
 
+	// Name of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Set of origins and methods (cross-origin access that you want to allow). See below. You can configure up to 100 rules.
+	CorsRule []BucketCorsConfigurationCorsRuleObservation `json:"corsRule,omitempty" tf:"cors_rule,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -66,8 +93,8 @@ type BucketCorsConfigurationParameters struct {
 	BucketSelector *v1.Selector `json:"bucketSelector,omitempty" tf:"-"`
 
 	// Set of origins and methods (cross-origin access that you want to allow). See below. You can configure up to 100 rules.
-	// +kubebuilder:validation:Required
-	CorsRule []BucketCorsConfigurationCorsRuleParameters `json:"corsRule" tf:"cors_rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	CorsRule []BucketCorsConfigurationCorsRuleParameters `json:"corsRule,omitempty" tf:"cors_rule,omitempty"`
 
 	// Account ID of the expected bucket owner.
 	// +kubebuilder:validation:Optional
@@ -103,8 +130,9 @@ type BucketCorsConfigurationStatus struct {
 type BucketCorsConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketCorsConfigurationSpec   `json:"spec"`
-	Status            BucketCorsConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.corsRule)",message="corsRule is a required parameter"
+	Spec   BucketCorsConfigurationSpec   `json:"spec"`
+	Status BucketCorsConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketintelligenttieringconfiguration_types.go b/apis/s3/v1beta1/zz_bucketintelligenttieringconfiguration_types.go
index 24997722f9..828ac4f338 100755
--- a/apis/s3/v1beta1/zz_bucketintelligenttieringconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketintelligenttieringconfiguration_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type BucketIntelligentTieringConfigurationFilterObservation struct {
+
+	// Object key name prefix that identifies the subset of objects to which the configuration applies.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type BucketIntelligentTieringConfigurationFilterParameters struct {
@@ -28,7 +34,23 @@ type BucketIntelligentTieringConfigurationFilterParameters struct {
 }
 
 type BucketIntelligentTieringConfigurationObservation struct {
+
+	// Name of the bucket this intelligent tiering configuration is associated with.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Bucket filter. The configuration only includes objects that meet the filter's criteria (documented below).
+	Filter []BucketIntelligentTieringConfigurationFilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Unique name used to identify the S3 Intelligent-Tiering configuration for the bucket.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies the status of the configuration. Valid values: Enabled, Disabled.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// S3 Intelligent-Tiering storage class tiers of the configuration (documented below).
+	Tiering []TieringObservation `json:"tiering,omitempty" tf:"tiering,omitempty"`
 }
 
 type BucketIntelligentTieringConfigurationParameters struct {
@@ -52,8 +74,8 @@ type BucketIntelligentTieringConfigurationParameters struct {
 	Filter []BucketIntelligentTieringConfigurationFilterParameters `json:"filter,omitempty" tf:"filter,omitempty"`
 
 	// Unique name used to identify the S3 Intelligent-Tiering configuration for the bucket.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -65,11 +87,17 @@ type BucketIntelligentTieringConfigurationParameters struct {
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
 	// S3 Intelligent-Tiering storage class tiers of the configuration (documented below).
-	// +kubebuilder:validation:Required
-	Tiering []TieringParameters `json:"tiering" tf:"tiering,omitempty"`
+	// +kubebuilder:validation:Optional
+	Tiering []TieringParameters `json:"tiering,omitempty" tf:"tiering,omitempty"`
 }
 
 type TieringObservation struct {
+
+	// S3 Intelligent-Tiering access tier. Valid values: ARCHIVE_ACCESS, DEEP_ARCHIVE_ACCESS.
+	AccessTier *string `json:"accessTier,omitempty" tf:"access_tier,omitempty"`
+
+	// Number of consecutive days of no access after which an object will be eligible to be transitioned to the corresponding tier.
+	Days *float64 `json:"days,omitempty" tf:"days,omitempty"`
 }
 
 type TieringParameters struct {
@@ -107,8 +135,10 @@ type BucketIntelligentTieringConfigurationStatus struct {
 type BucketIntelligentTieringConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketIntelligentTieringConfigurationSpec   `json:"spec"`
-	Status            BucketIntelligentTieringConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tiering)",message="tiering is a required parameter"
+	Spec   BucketIntelligentTieringConfigurationSpec   `json:"spec"`
+	Status BucketIntelligentTieringConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketinventory_types.go b/apis/s3/v1beta1/zz_bucketinventory_types.go
index dd53a9a347..fa03ab4a40 100755
--- a/apis/s3/v1beta1/zz_bucketinventory_types.go
+++ b/apis/s3/v1beta1/zz_bucketinventory_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type BucketInventoryDestinationObservation struct {
+
+	// Name of the source bucket that inventory lists the objects for.
+	Bucket []DestinationBucketObservation `json:"bucket,omitempty" tf:"bucket,omitempty"`
 }
 
 type BucketInventoryDestinationParameters struct {
@@ -24,6 +27,9 @@ type BucketInventoryDestinationParameters struct {
 }
 
 type BucketInventoryFilterObservation struct {
+
+	// Prefix that an object must have to be included in the inventory results.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type BucketInventoryFilterParameters struct {
@@ -34,7 +40,32 @@ type BucketInventoryFilterParameters struct {
 }
 
 type BucketInventoryObservation struct {
+
+	// Name of the source bucket that inventory lists the objects for.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Contains information about where to publish the inventory results (documented below).
+	Destination []BucketInventoryDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Specifies whether the inventory is enabled or disabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Specifies an inventory filter. The inventory only includes objects that meet the filter's criteria (documented below).
+	Filter []BucketInventoryFilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Object versions to include in the inventory list. Valid values: All, Current.
+	IncludedObjectVersions *string `json:"includedObjectVersions,omitempty" tf:"included_object_versions,omitempty"`
+
+	// Unique identifier of the inventory configuration for the bucket.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// List of optional fields that are included in the inventory results. Please refer to the S3 documentation for more details.
+	OptionalFields []*string `json:"optionalFields,omitempty" tf:"optional_fields,omitempty"`
+
+	// Specifies the schedule for generating inventory results (documented below).
+	Schedule []ScheduleObservation `json:"schedule,omitempty" tf:"schedule,omitempty"`
 }
 
 type BucketInventoryParameters struct {
@@ -54,8 +85,8 @@ type BucketInventoryParameters struct {
 	BucketSelector *v1.Selector `json:"bucketSelector,omitempty" tf:"-"`
 
 	// Contains information about where to publish the inventory results (documented below).
-	// +kubebuilder:validation:Required
-	Destination []BucketInventoryDestinationParameters `json:"destination" tf:"destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	Destination []BucketInventoryDestinationParameters `json:"destination,omitempty" tf:"destination,omitempty"`
 
 	// Specifies whether the inventory is enabled or disabled.
 	// +kubebuilder:validation:Optional
@@ -66,12 +97,12 @@ type BucketInventoryParameters struct {
 	Filter []BucketInventoryFilterParameters `json:"filter,omitempty" tf:"filter,omitempty"`
 
 	// Object versions to include in the inventory list. Valid values: All, Current.
-	// +kubebuilder:validation:Required
-	IncludedObjectVersions *string `json:"includedObjectVersions" tf:"included_object_versions,omitempty"`
+	// +kubebuilder:validation:Optional
+	IncludedObjectVersions *string `json:"includedObjectVersions,omitempty" tf:"included_object_versions,omitempty"`
 
 	// Unique identifier of the inventory configuration for the bucket.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// List of optional fields that are included in the inventory results. Please refer to the S3 documentation for more details.
 	// +kubebuilder:validation:Optional
@@ -83,11 +114,26 @@ type BucketInventoryParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Specifies the schedule for generating inventory results (documented below).
-	// +kubebuilder:validation:Required
-	Schedule []ScheduleParameters `json:"schedule" tf:"schedule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Schedule []ScheduleParameters `json:"schedule,omitempty" tf:"schedule,omitempty"`
 }
 
 type DestinationBucketObservation struct {
+
+	// ID of the account that owns the destination bucket. Recommended to be set to prevent problems if the destination bucket ownership changes.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// Amazon S3 bucket ARN of the destination.
+	BucketArn *string `json:"bucketArn,omitempty" tf:"bucket_arn,omitempty"`
+
+	// Contains the type of server-side encryption to use to encrypt the inventory (documented below).
+	Encryption []EncryptionObservation `json:"encryption,omitempty" tf:"encryption,omitempty"`
+
+	// Specifies the output format of the inventory results. Can be CSV, ORC or Parquet.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
+
+	// Prefix that an object must have to be included in the inventory results.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type DestinationBucketParameters struct {
@@ -124,6 +170,12 @@ type DestinationBucketParameters struct {
 }
 
 type EncryptionObservation struct {
+
+	// Specifies to use server-side encryption with AWS KMS-managed keys to encrypt the inventory file (documented below).
+	SseKMS []SseKMSObservation `json:"sseKms,omitempty" tf:"sse_kms,omitempty"`
+
+	// Specifies to use server-side encryption with Amazon S3-managed keys (SSE-S3) to encrypt the inventory file.
+	SseS3 []SseS3Parameters `json:"sseS3,omitempty" tf:"sse_s3,omitempty"`
 }
 
 type EncryptionParameters struct {
@@ -138,6 +190,9 @@ type EncryptionParameters struct {
 }
 
 type ScheduleObservation struct {
+
+	// Specifies how frequently inventory results are produced. Valid values: Daily, Weekly.
+	Frequency *string `json:"frequency,omitempty" tf:"frequency,omitempty"`
 }
 
 type ScheduleParameters struct {
@@ -148,6 +203,9 @@ type ScheduleParameters struct {
 }
 
 type SseKMSObservation struct {
+
+	// ARN of the KMS customer master key (CMK) used to encrypt the inventory file.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
 }
 
 type SseKMSParameters struct {
@@ -187,8 +245,12 @@ type BucketInventoryStatus struct {
 type BucketInventory struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketInventorySpec   `json:"spec"`
-	Status            BucketInventoryStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)",message="destination is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.includedObjectVersions)",message="includedObjectVersions is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)",message="schedule is a required parameter"
+	Spec   BucketInventorySpec   `json:"spec"`
+	Status BucketInventoryStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketlifecycleconfiguration_types.go b/apis/s3/v1beta1/zz_bucketlifecycleconfiguration_types.go
index 0425e30bb4..9f6b7706e8 100755
--- a/apis/s3/v1beta1/zz_bucketlifecycleconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketlifecycleconfiguration_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AbortIncompleteMultipartUploadObservation struct {
+
+	// Number of days after which Amazon S3 aborts an incomplete multipart upload.
+	DaysAfterInitiation *float64 `json:"daysAfterInitiation,omitempty" tf:"days_after_initiation,omitempty"`
 }
 
 type AbortIncompleteMultipartUploadParameters struct {
@@ -24,6 +27,18 @@ type AbortIncompleteMultipartUploadParameters struct {
 }
 
 type AndObservation struct {
+
+	// Minimum object size (in bytes) to which the rule applies.
+	ObjectSizeGreaterThan *float64 `json:"objectSizeGreaterThan,omitempty" tf:"object_size_greater_than,omitempty"`
+
+	// Maximum object size (in bytes) to which the rule applies.
+	ObjectSizeLessThan *float64 `json:"objectSizeLessThan,omitempty" tf:"object_size_less_than,omitempty"`
+
+	// DEPRECATED Use filter instead. This has been deprecated by Amazon S3. Prefix identifying one or more objects to which the rule applies. Defaults to an empty string ("") if filter is not specified.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Key-value map of resource tags. All of these tags must exist in the object's tag set in order for the rule to apply.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type AndParameters struct {
@@ -47,8 +62,17 @@ type AndParameters struct {
 
 type BucketLifecycleConfigurationObservation struct {
 
+	// Name of the source S3 bucket you want Amazon S3 to monitor.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner. If the bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// and status)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// List of configuration blocks describing the rules managing the replication. See below.
+	Rule []BucketLifecycleConfigurationRuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketLifecycleConfigurationParameters struct {
@@ -77,11 +101,38 @@ type BucketLifecycleConfigurationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// List of configuration blocks describing the rules managing the replication. See below.
-	// +kubebuilder:validation:Required
-	Rule []BucketLifecycleConfigurationRuleParameters `json:"rule" tf:"rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Rule []BucketLifecycleConfigurationRuleParameters `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketLifecycleConfigurationRuleObservation struct {
+
+	// Configuration block that specifies the days since the initiation of an incomplete multipart upload that Amazon S3 will wait before permanently removing all parts of the upload. See below.
+	AbortIncompleteMultipartUpload []AbortIncompleteMultipartUploadObservation `json:"abortIncompleteMultipartUpload,omitempty" tf:"abort_incomplete_multipart_upload,omitempty"`
+
+	// Configuration block that specifies the expiration for the lifecycle of the object in the form of date, days and, whether the object has a delete marker. See below.
+	Expiration []RuleExpirationObservation `json:"expiration,omitempty" tf:"expiration,omitempty"`
+
+	// Configuration block used to identify objects that a Lifecycle Rule applies to. See below. If not specified, the rule will default to using prefix.
+	Filter []RuleFilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
+	// Unique identifier for the rule. The value cannot be longer than 255 characters.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Configuration block that specifies when noncurrent object versions expire. See below.
+	NoncurrentVersionExpiration []RuleNoncurrentVersionExpirationObservation `json:"noncurrentVersionExpiration,omitempty" tf:"noncurrent_version_expiration,omitempty"`
+
+	// Set of configuration blocks that specify the transition rule for the lifecycle rule that describes when noncurrent objects transition to a specific storage class. See below.
+	NoncurrentVersionTransition []RuleNoncurrentVersionTransitionObservation `json:"noncurrentVersionTransition,omitempty" tf:"noncurrent_version_transition,omitempty"`
+
+	// DEPRECATED Use filter instead. This has been deprecated by Amazon S3. Prefix identifying one or more objects to which the rule applies. Defaults to an empty string ("") if filter is not specified.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Whether the rule is currently being applied. Valid values: Enabled or Disabled.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Set of configuration blocks that specify when an Amazon S3 object transitions to a specified storage class. See below.
+	Transition []RuleTransitionObservation `json:"transition,omitempty" tf:"transition,omitempty"`
 }
 
 type BucketLifecycleConfigurationRuleParameters struct {
@@ -124,6 +175,15 @@ type BucketLifecycleConfigurationRuleParameters struct {
 }
 
 type RuleExpirationObservation struct {
+
+	// Date objects are transitioned to the specified storage class. The date value must be in RFC3339 format and set to midnight UTC e.g. 2023-01-13T00:00:00Z.
+	Date *string `json:"date,omitempty" tf:"date,omitempty"`
+
+	// Number of days after creation when objects are transitioned to the specified storage class. The value must be a positive integer. If both days and date are not specified, defaults to 0. Valid values depend on storage_class, see Transition objects using Amazon S3 Lifecycle for more details.
+	Days *float64 `json:"days,omitempty" tf:"days,omitempty"`
+
+	// Indicates whether Amazon S3 will remove a delete marker with no noncurrent versions. If set to true, the delete marker will be expired; if set to false the policy takes no action.
+	ExpiredObjectDeleteMarker *bool `json:"expiredObjectDeleteMarker,omitempty" tf:"expired_object_delete_marker,omitempty"`
 }
 
 type RuleExpirationParameters struct {
@@ -142,6 +202,21 @@ type RuleExpirationParameters struct {
 }
 
 type RuleFilterObservation struct {
+
+	// Configuration block used to apply a logical AND to two or more predicates. See below. The Lifecycle Rule will apply to any object matching all the predicates configured inside the and block.
+	And []AndObservation `json:"and,omitempty" tf:"and,omitempty"`
+
+	// Minimum object size (in bytes) to which the rule applies.
+	ObjectSizeGreaterThan *string `json:"objectSizeGreaterThan,omitempty" tf:"object_size_greater_than,omitempty"`
+
+	// Maximum object size (in bytes) to which the rule applies.
+	ObjectSizeLessThan *string `json:"objectSizeLessThan,omitempty" tf:"object_size_less_than,omitempty"`
+
+	// DEPRECATED Use filter instead. This has been deprecated by Amazon S3. Prefix identifying one or more objects to which the rule applies. Defaults to an empty string ("") if filter is not specified.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Configuration block for specifying a tag key and value. See below.
+	Tag []TagObservation `json:"tag,omitempty" tf:"tag,omitempty"`
 }
 
 type RuleFilterParameters struct {
@@ -168,6 +243,12 @@ type RuleFilterParameters struct {
 }
 
 type RuleNoncurrentVersionExpirationObservation struct {
+
+	// Number of noncurrent versions Amazon S3 will retain. Must be a non-zero positive integer.
+	NewerNoncurrentVersions *string `json:"newerNoncurrentVersions,omitempty" tf:"newer_noncurrent_versions,omitempty"`
+
+	// Number of days an object is noncurrent before Amazon S3 can perform the associated action.
+	NoncurrentDays *float64 `json:"noncurrentDays,omitempty" tf:"noncurrent_days,omitempty"`
 }
 
 type RuleNoncurrentVersionExpirationParameters struct {
@@ -182,6 +263,15 @@ type RuleNoncurrentVersionExpirationParameters struct {
 }
 
 type RuleNoncurrentVersionTransitionObservation struct {
+
+	// Number of noncurrent versions Amazon S3 will retain. Must be a non-zero positive integer.
+	NewerNoncurrentVersions *string `json:"newerNoncurrentVersions,omitempty" tf:"newer_noncurrent_versions,omitempty"`
+
+	// Number of days an object is noncurrent before Amazon S3 can perform the associated action.
+	NoncurrentDays *float64 `json:"noncurrentDays,omitempty" tf:"noncurrent_days,omitempty"`
+
+	// Class of storage used to store the object. Valid Values: GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
 }
 
 type RuleNoncurrentVersionTransitionParameters struct {
@@ -200,6 +290,15 @@ type RuleNoncurrentVersionTransitionParameters struct {
 }
 
 type RuleTransitionObservation struct {
+
+	// Date objects are transitioned to the specified storage class. The date value must be in RFC3339 format and set to midnight UTC e.g. 2023-01-13T00:00:00Z.
+	Date *string `json:"date,omitempty" tf:"date,omitempty"`
+
+	// Number of days after creation when objects are transitioned to the specified storage class. The value must be a positive integer. If both days and date are not specified, defaults to 0. Valid values depend on storage_class, see Transition objects using Amazon S3 Lifecycle for more details.
+	Days *float64 `json:"days,omitempty" tf:"days,omitempty"`
+
+	// Class of storage used to store the object. Valid Values: GLACIER, STANDARD_IA, ONEZONE_IA, INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
 }
 
 type RuleTransitionParameters struct {
@@ -218,6 +317,12 @@ type RuleTransitionParameters struct {
 }
 
 type TagObservation struct {
+
+	// Name of the object key.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Value of the tag.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagParameters struct {
@@ -255,8 +360,9 @@ type BucketLifecycleConfigurationStatus struct {
 type BucketLifecycleConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketLifecycleConfigurationSpec   `json:"spec"`
-	Status            BucketLifecycleConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)",message="rule is a required parameter"
+	Spec   BucketLifecycleConfigurationSpec   `json:"spec"`
+	Status BucketLifecycleConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketlogging_types.go b/apis/s3/v1beta1/zz_bucketlogging_types.go
index add7e260f1..348573d71a 100755
--- a/apis/s3/v1beta1/zz_bucketlogging_types.go
+++ b/apis/s3/v1beta1/zz_bucketlogging_types.go
@@ -15,12 +15,23 @@ import (
 
 type BucketLoggingObservation struct {
 
+	// Name of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the bucket where you want Amazon S3 to store server access logs.
+	TargetBucket *string `json:"targetBucket,omitempty" tf:"target_bucket,omitempty"`
+
 	// Set of configuration blocks with information for granting permissions. See below.
-	// +kubebuilder:validation:Optional
 	TargetGrant []TargetGrantObservation `json:"targetGrant,omitempty" tf:"target_grant,omitempty"`
+
+	// Prefix for all log object keys.
+	TargetPrefix *string `json:"targetPrefix,omitempty" tf:"target_prefix,omitempty"`
 }
 
 type BucketLoggingParameters struct {
@@ -67,12 +78,24 @@ type BucketLoggingParameters struct {
 	TargetGrant []TargetGrantParameters `json:"targetGrant,omitempty" tf:"target_grant,omitempty"`
 
 	// Prefix for all log object keys.
-	// +kubebuilder:validation:Required
-	TargetPrefix *string `json:"targetPrefix" tf:"target_prefix,omitempty"`
+	// +kubebuilder:validation:Optional
+	TargetPrefix *string `json:"targetPrefix,omitempty" tf:"target_prefix,omitempty"`
 }
 
 type TargetGrantGranteeObservation struct {
 	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// Email address of the grantee. See Regions and Endpoints for supported AWS regions where this argument can be specified.
+	EmailAddress *string `json:"emailAddress,omitempty" tf:"email_address,omitempty"`
+
+	// Canonical user ID of the grantee.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Type of grantee. Valid values: CanonicalUser, AmazonCustomerByEmail, Group.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// URI of the grantee group.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type TargetGrantGranteeParameters struct {
@@ -97,8 +120,10 @@ type TargetGrantGranteeParameters struct {
 type TargetGrantObservation struct {
 
 	// Configuration block for the person being granted permissions. See below.
-	// +kubebuilder:validation:Required
 	Grantee []TargetGrantGranteeObservation `json:"grantee,omitempty" tf:"grantee,omitempty"`
+
+	// Logging permissions assigned to the grantee for the bucket. Valid values: FULL_CONTROL, READ, WRITE.
+	Permission *string `json:"permission,omitempty" tf:"permission,omitempty"`
 }
 
 type TargetGrantParameters struct {
@@ -136,8 +161,9 @@ type BucketLoggingStatus struct {
 type BucketLogging struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketLoggingSpec   `json:"spec"`
-	Status            BucketLoggingStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetPrefix)",message="targetPrefix is a required parameter"
+	Spec   BucketLoggingSpec   `json:"spec"`
+	Status BucketLoggingStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketmetric_types.go b/apis/s3/v1beta1/zz_bucketmetric_types.go
index d001be503b..f6b9df9f16 100755
--- a/apis/s3/v1beta1/zz_bucketmetric_types.go
+++ b/apis/s3/v1beta1/zz_bucketmetric_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type BucketMetricFilterObservation struct {
+
+	// Object prefix for filtering (singular).
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type BucketMetricFilterParameters struct {
@@ -28,7 +34,17 @@ type BucketMetricFilterParameters struct {
 }
 
 type BucketMetricObservation struct {
+
+	// Name of the bucket to put metric configuration.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Object filtering that accepts a prefix, tags, or a logical AND of prefix and tags (documented below).
+	Filter []BucketMetricFilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Unique identifier of the metrics configuration for the bucket. Must be less than or equal to 64 characters in length.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type BucketMetricParameters struct {
@@ -52,8 +68,8 @@ type BucketMetricParameters struct {
 	Filter []BucketMetricFilterParameters `json:"filter,omitempty" tf:"filter,omitempty"`
 
 	// Unique identifier of the metrics configuration for the bucket. Must be less than or equal to 64 characters in length.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -85,8 +101,9 @@ type BucketMetricStatus struct {
 type BucketMetric struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketMetricSpec   `json:"spec"`
-	Status            BucketMetricStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   BucketMetricSpec   `json:"spec"`
+	Status BucketMetricStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketnotification_types.go b/apis/s3/v1beta1/zz_bucketnotification_types.go
index 9e098fbdf9..9275dc9f4c 100755
--- a/apis/s3/v1beta1/zz_bucketnotification_types.go
+++ b/apis/s3/v1beta1/zz_bucketnotification_types.go
@@ -15,8 +15,23 @@ import (
 
 type BucketNotificationObservation struct {
 
+	// Name of the bucket for notification configuration.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Whether to enable Amazon EventBridge notifications.
+	Eventbridge *bool `json:"eventbridge,omitempty" tf:"eventbridge,omitempty"`
+
 	// Unique identifier for each of the notification configurations.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Used to configure notifications to a Lambda Function. See below.
+	LambdaFunction []LambdaFunctionObservation `json:"lambdaFunction,omitempty" tf:"lambda_function,omitempty"`
+
+	// Notification configuration to SQS Queue. See below.
+	Queue []QueueObservation `json:"queue,omitempty" tf:"queue,omitempty"`
+
+	// Notification configuration to SNS Topic. See below.
+	Topic []TopicObservation `json:"topic,omitempty" tf:"topic,omitempty"`
 }
 
 type BucketNotificationParameters struct {
@@ -58,6 +73,21 @@ type BucketNotificationParameters struct {
 }
 
 type LambdaFunctionObservation struct {
+
+	// Event for which to send notifications.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
+
+	// Object key name prefix.
+	FilterPrefix *string `json:"filterPrefix,omitempty" tf:"filter_prefix,omitempty"`
+
+	// Object key name suffix.
+	FilterSuffix *string `json:"filterSuffix,omitempty" tf:"filter_suffix,omitempty"`
+
+	// Unique identifier for each of the notification configurations.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Lambda function ARN.
+	LambdaFunctionArn *string `json:"lambdaFunctionArn,omitempty" tf:"lambda_function_arn,omitempty"`
 }
 
 type LambdaFunctionParameters struct {
@@ -84,6 +114,21 @@ type LambdaFunctionParameters struct {
 }
 
 type QueueObservation struct {
+
+	// Specifies event for which to send notifications.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
+
+	// Object key name prefix.
+	FilterPrefix *string `json:"filterPrefix,omitempty" tf:"filter_prefix,omitempty"`
+
+	// Object key name suffix.
+	FilterSuffix *string `json:"filterSuffix,omitempty" tf:"filter_suffix,omitempty"`
+
+	// Unique identifier for each of the notification configurations.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// SQS queue ARN.
+	QueueArn *string `json:"queueArn,omitempty" tf:"queue_arn,omitempty"`
 }
 
 type QueueParameters struct {
@@ -120,6 +165,21 @@ type QueueParameters struct {
 }
 
 type TopicObservation struct {
+
+	// Event for which to send notifications.
+	Events []*string `json:"events,omitempty" tf:"events,omitempty"`
+
+	// Object key name prefix.
+	FilterPrefix *string `json:"filterPrefix,omitempty" tf:"filter_prefix,omitempty"`
+
+	// Object key name suffix.
+	FilterSuffix *string `json:"filterSuffix,omitempty" tf:"filter_suffix,omitempty"`
+
+	// Unique identifier for each of the notification configurations.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// SNS topic ARN.
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type TopicParameters struct {
diff --git a/apis/s3/v1beta1/zz_bucketobject_types.go b/apis/s3/v1beta1/zz_bucketobject_types.go
index eae794aaf9..6e7aef8ac2 100755
--- a/apis/s3/v1beta1/zz_bucketobject_types.go
+++ b/apis/s3/v1beta1/zz_bucketobject_types.go
@@ -15,14 +15,86 @@ import (
 
 type BucketObjectObservation struct {
 
+	// Canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private.
+	ACL *string `json:"acl,omitempty" tf:"acl,omitempty"`
+
+	// Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.
+	BucketKeyEnabled *bool `json:"bucketKeyEnabled,omitempty" tf:"bucket_key_enabled,omitempty"`
+
+	// Caching behavior along the request/reply chain Read w3c cache_control for further details.
+	CacheControl *string `json:"cacheControl,omitempty" tf:"cache_control,omitempty"`
+
+	// Literal string value to use as the object content, which will be uploaded as UTF-8-encoded text.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// Base64-encoded data that will be decoded and uploaded as raw bytes for the object content. This allows safely uploading non-UTF8 binary data, but is recommended only for small content such as the result of the gzipbase64 function with small text strings. For larger objects, use source to stream the content from a disk file.
+	ContentBase64 *string `json:"contentBase64,omitempty" tf:"content_base64,omitempty"`
+
+	// Presentational information for the object. Read w3c content_disposition for further information.
+	ContentDisposition *string `json:"contentDisposition,omitempty" tf:"content_disposition,omitempty"`
+
+	// Content encodings that have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. Read w3c content encoding for further information.
+	ContentEncoding *string `json:"contentEncoding,omitempty" tf:"content_encoding,omitempty"`
+
+	// Language the content is in e.g., en-US or en-GB.
+	ContentLanguage *string `json:"contentLanguage,omitempty" tf:"content_language,omitempty"`
+
+	// Standard MIME type describing the format of the object data, e.g., application/octet-stream. All Valid MIME Types are valid for this input.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Triggers updates when the value changes.11.11.11 or earlier). This attribute is not compatible with KMS encryption, kms_key_id or server_side_encryption = "aws:kms" (see source_hash instead).
+	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
+
+	// Whether to allow the object to be deleted by removing any legal hold on any object version. Default is false. This value should be set to true only if the bucket has S3 object lock enabled.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// key of the resource supplied above
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of the KMS Key to use for object encryption. If the S3 Bucket has server-side encryption enabled, that value will automatically be used. If referencing the aws_kms_key resource, use the arn attribute. If referencing the aws_kms_alias data source or resource, use the target_key_arn attribute.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Name of the object once it is in the bucket.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API).
+	Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"`
+
+	// Legal hold status that you want to apply to the specified object. Valid values are ON and OFF.
+	ObjectLockLegalHoldStatus *string `json:"objectLockLegalHoldStatus,omitempty" tf:"object_lock_legal_hold_status,omitempty"`
+
+	// Object lock retention mode that you want to apply to this object. Valid values are GOVERNANCE and COMPLIANCE.
+	ObjectLockMode *string `json:"objectLockMode,omitempty" tf:"object_lock_mode,omitempty"`
+
+	// Date and time, in RFC3339 format, when this object's object lock will expire.
+	ObjectLockRetainUntilDate *string `json:"objectLockRetainUntilDate,omitempty" tf:"object_lock_retain_until_date,omitempty"`
+
+	// Server-side encryption of the object in S3. Valid values are "AES256" and "aws:kms".
+	ServerSideEncryption *string `json:"serverSideEncryption,omitempty" tf:"server_side_encryption,omitempty"`
+
+	// Path to a file that will be read and uploaded as raw bytes for the object content.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Triggers updates like etag but useful to address etag encryption limitations.11.12 or later). (The value is only stored in state and not saved by AWS.)
+	SourceHash *string `json:"sourceHash,omitempty" tf:"source_hash,omitempty"`
+
+	// Storage Class for the object. Defaults to "STANDARD".
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Unique version ID value for the object, if bucket versioning is enabled.
 	VersionID *string `json:"versionId,omitempty" tf:"version_id,omitempty"`
+
+	// Target URL for website redirect.
+	WebsiteRedirect *string `json:"websiteRedirect,omitempty" tf:"website_redirect,omitempty"`
 }
 
 type BucketObjectParameters struct {
@@ -99,8 +171,8 @@ type BucketObjectParameters struct {
 	KMSKeyIDSelector *v1.Selector `json:"kmsKeyIdSelector,omitempty" tf:"-"`
 
 	// Name of the object once it is in the bucket.
-	// +kubebuilder:validation:Required
-	Key *string `json:"key" tf:"key,omitempty"`
+	// +kubebuilder:validation:Optional
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 
 	// Map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API).
 	// +kubebuilder:validation:Optional
@@ -172,8 +244,9 @@ type BucketObjectStatus struct {
 type BucketObject struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketObjectSpec   `json:"spec"`
-	Status            BucketObjectStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)",message="key is a required parameter"
+	Spec   BucketObjectSpec   `json:"spec"`
+	Status BucketObjectStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketobjectlockconfiguration_types.go b/apis/s3/v1beta1/zz_bucketobjectlockconfiguration_types.go
index e09610ce46..0c6592ab50 100755
--- a/apis/s3/v1beta1/zz_bucketobjectlockconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketobjectlockconfiguration_types.go
@@ -15,8 +15,20 @@ import (
 
 type BucketObjectLockConfigurationObservation struct {
 
+	// Name of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Indicates whether this bucket has an Object Lock configuration enabled. Defaults to Enabled. Valid values: Enabled.
+	ObjectLockEnabled *string `json:"objectLockEnabled,omitempty" tf:"object_lock_enabled,omitempty"`
+
+	// Configuration block for specifying the Object Lock rule for the specified object. See below.
+	Rule []BucketObjectLockConfigurationRuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketObjectLockConfigurationParameters struct {
@@ -59,6 +71,9 @@ type BucketObjectLockConfigurationParameters struct {
 }
 
 type BucketObjectLockConfigurationRuleObservation struct {
+
+	// Configuration block for specifying the default Object Lock retention settings for new objects placed in the specified bucket. See below.
+	DefaultRetention []RuleDefaultRetentionObservation `json:"defaultRetention,omitempty" tf:"default_retention,omitempty"`
 }
 
 type BucketObjectLockConfigurationRuleParameters struct {
@@ -69,6 +84,15 @@ type BucketObjectLockConfigurationRuleParameters struct {
 }
 
 type RuleDefaultRetentionObservation struct {
+
+	// Number of days that you want to specify for the default retention period.
+	Days *float64 `json:"days,omitempty" tf:"days,omitempty"`
+
+	// Default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values: COMPLIANCE, GOVERNANCE.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// Number of years that you want to specify for the default retention period.
+	Years *float64 `json:"years,omitempty" tf:"years,omitempty"`
 }
 
 type RuleDefaultRetentionParameters struct {
diff --git a/apis/s3/v1beta1/zz_bucketownershipcontrols_types.go b/apis/s3/v1beta1/zz_bucketownershipcontrols_types.go
index 25b54c8f07..45e3f2bf81 100755
--- a/apis/s3/v1beta1/zz_bucketownershipcontrols_types.go
+++ b/apis/s3/v1beta1/zz_bucketownershipcontrols_types.go
@@ -15,8 +15,14 @@ import (
 
 type BucketOwnershipControlsObservation struct {
 
+	// Name of the bucket that you want to associate this access point with.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
 	// S3 Bucket name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Configuration block(s) with Ownership Controls rules. Detailed below.
+	Rule []BucketOwnershipControlsRuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketOwnershipControlsParameters struct {
@@ -41,11 +47,14 @@ type BucketOwnershipControlsParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Configuration block(s) with Ownership Controls rules. Detailed below.
-	// +kubebuilder:validation:Required
-	Rule []BucketOwnershipControlsRuleParameters `json:"rule" tf:"rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Rule []BucketOwnershipControlsRuleParameters `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketOwnershipControlsRuleObservation struct {
+
+	// Object ownership. Valid values: BucketOwnerPreferred, ObjectWriter or BucketOwnerEnforced
+	ObjectOwnership *string `json:"objectOwnership,omitempty" tf:"object_ownership,omitempty"`
 }
 
 type BucketOwnershipControlsRuleParameters struct {
@@ -79,8 +88,9 @@ type BucketOwnershipControlsStatus struct {
 type BucketOwnershipControls struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketOwnershipControlsSpec   `json:"spec"`
-	Status            BucketOwnershipControlsStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)",message="rule is a required parameter"
+	Spec   BucketOwnershipControlsSpec   `json:"spec"`
+	Status BucketOwnershipControlsStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketpolicy_types.go b/apis/s3/v1beta1/zz_bucketpolicy_types.go
index 76048ce4d8..b01708f424 100755
--- a/apis/s3/v1beta1/zz_bucketpolicy_types.go
+++ b/apis/s3/v1beta1/zz_bucketpolicy_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type BucketPolicyObservation struct {
+
+	// Name of the bucket to which to apply the policy.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Text of the policy. Although this is a bucket policy rather than an IAM policy, the aws_iam_policy_document data source may be used, so long as it specifies a principal. Note: Bucket policies are limited to 20 KB in size.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type BucketPolicyParameters struct {
@@ -34,8 +41,8 @@ type BucketPolicyParameters struct {
 	BucketSelector *v1.Selector `json:"bucketSelector,omitempty" tf:"-"`
 
 	// Text of the policy. Although this is a bucket policy rather than an IAM policy, the aws_iam_policy_document data source may be used, so long as it specifies a principal. Note: Bucket policies are limited to 20 KB in size.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +74,9 @@ type BucketPolicyStatus struct {
 type BucketPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketPolicySpec   `json:"spec"`
-	Status            BucketPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   BucketPolicySpec   `json:"spec"`
+	Status BucketPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketpublicaccessblock_types.go b/apis/s3/v1beta1/zz_bucketpublicaccessblock_types.go
index e86c30c5b5..897e0e0200 100755
--- a/apis/s3/v1beta1/zz_bucketpublicaccessblock_types.go
+++ b/apis/s3/v1beta1/zz_bucketpublicaccessblock_types.go
@@ -15,8 +15,23 @@ import (
 
 type BucketPublicAccessBlockObservation struct {
 
+	// Whether Amazon S3 should block public ACLs for this bucket. Defaults to false. Enabling this setting does not affect existing policies or ACLs. When set to true causes the following behavior:
+	BlockPublicAcls *bool `json:"blockPublicAcls,omitempty" tf:"block_public_acls,omitempty"`
+
+	// Whether Amazon S3 should block public bucket policies for this bucket. Defaults to false. Enabling this setting does not affect the existing bucket policy. When set to true causes Amazon S3 to:
+	BlockPublicPolicy *bool `json:"blockPublicPolicy,omitempty" tf:"block_public_policy,omitempty"`
+
+	// S3 Bucket to which this Public Access Block configuration should be applied.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
 	// Name of the S3 bucket the configuration is attached to
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Whether Amazon S3 should ignore public ACLs for this bucket. Defaults to false. Enabling this setting does not affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. When set to true causes Amazon S3 to:
+	IgnorePublicAcls *bool `json:"ignorePublicAcls,omitempty" tf:"ignore_public_acls,omitempty"`
+
+	// Whether Amazon S3 should restrict public bucket policies for this bucket. Defaults to false. Enabling this setting does not affect the previously stored bucket policy, except that public and cross-account access within the public bucket policy, including non-public delegation to specific accounts, is blocked. When set to true:
+	RestrictPublicBuckets *bool `json:"restrictPublicBuckets,omitempty" tf:"restrict_public_buckets,omitempty"`
 }
 
 type BucketPublicAccessBlockParameters struct {
diff --git a/apis/s3/v1beta1/zz_bucketreplicationconfiguration_types.go b/apis/s3/v1beta1/zz_bucketreplicationconfiguration_types.go
index 522de0310b..7a906dc6fd 100755
--- a/apis/s3/v1beta1/zz_bucketreplicationconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketreplicationconfiguration_types.go
@@ -15,8 +15,17 @@ import (
 
 type BucketReplicationConfigurationObservation struct {
 
+	// Name of the source S3 bucket you want Amazon S3 to monitor.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
 	// S3 source bucket name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ARN of the IAM role for Amazon S3 to assume when replicating the objects.
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+	// List of configuration blocks describing the rules managing the replication. See below.
+	Rule []BucketReplicationConfigurationRuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketReplicationConfigurationParameters struct {
@@ -55,8 +64,8 @@ type BucketReplicationConfigurationParameters struct {
 	RoleSelector *v1.Selector `json:"roleSelector,omitempty" tf:"-"`
 
 	// List of configuration blocks describing the rules managing the replication. See below.
-	// +kubebuilder:validation:Required
-	Rule []BucketReplicationConfigurationRuleParameters `json:"rule" tf:"rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Rule []BucketReplicationConfigurationRuleParameters `json:"rule,omitempty" tf:"rule,omitempty"`
 
 	// Token to allow replication to be enabled on an Object Lock-enabled bucket. You must contact AWS support for the bucket's "Object Lock token".
 	// For more details, see Using S3 Object Lock with replication.
@@ -65,6 +74,15 @@ type BucketReplicationConfigurationParameters struct {
 }
 
 type BucketReplicationConfigurationRuleFilterObservation struct {
+
+	// Configuration block for specifying rule filters. This element is required only if you specify more than one filter. See and below for more details.
+	And []FilterAndObservation `json:"and,omitempty" tf:"and,omitempty"`
+
+	// Object key name prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. Defaults to an empty string ("") if filter is not specified.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Configuration block for specifying a tag key and value. See below.
+	Tag []FilterTagObservation `json:"tag,omitempty" tf:"tag,omitempty"`
 }
 
 type BucketReplicationConfigurationRuleFilterParameters struct {
@@ -83,6 +101,33 @@ type BucketReplicationConfigurationRuleFilterParameters struct {
 }
 
 type BucketReplicationConfigurationRuleObservation struct {
+
+	// Whether delete markers are replicated. This argument is only valid with V2 replication configurations (i.e., when filter is used)documented below.
+	DeleteMarkerReplication []DeleteMarkerReplicationObservation `json:"deleteMarkerReplication,omitempty" tf:"delete_marker_replication,omitempty"`
+
+	// Specifies the destination for the rule. See below.
+	Destination []RuleDestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
+	// Replicate existing objects in the source bucket according to the rule configurations. See below.
+	ExistingObjectReplication []ExistingObjectReplicationObservation `json:"existingObjectReplication,omitempty" tf:"existing_object_replication,omitempty"`
+
+	// Filter that identifies subset of objects to which the replication rule applies. See below. If not specified, the rule will default to using prefix.
+	Filter []BucketReplicationConfigurationRuleFilterObservation `json:"filter,omitempty" tf:"filter,omitempty"`
+
+	// Unique identifier for the rule. Must be less than or equal to 255 characters in length.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Object key name prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. Defaults to an empty string ("") if filter is not specified.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Priority associated with the rule. Priority should only be set if filter is configured. If not provided, defaults to 0. Priority must be unique between multiple rules.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// Specifies special object selection criteria. See below.
+	SourceSelectionCriteria []RuleSourceSelectionCriteriaObservation `json:"sourceSelectionCriteria,omitempty" tf:"source_selection_criteria,omitempty"`
+
+	// Status of the rule. Either "Enabled" or "Disabled". The rule is ignored if status is not "Enabled".
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type BucketReplicationConfigurationRuleParameters struct {
@@ -125,6 +170,9 @@ type BucketReplicationConfigurationRuleParameters struct {
 }
 
 type DeleteMarkerReplicationObservation struct {
+
+	// Whether delete markers should be replicated. Either "Enabled" or "Disabled".
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type DeleteMarkerReplicationParameters struct {
@@ -135,6 +183,9 @@ type DeleteMarkerReplicationParameters struct {
 }
 
 type DestinationAccessControlTranslationObservation struct {
+
+	// Specifies the replica ownership. For default and valid values, see PUT bucket replication in the Amazon S3 API Reference. Valid values: Destination.
+	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 }
 
 type DestinationAccessControlTranslationParameters struct {
@@ -145,6 +196,12 @@ type DestinationAccessControlTranslationParameters struct {
 }
 
 type DestinationMetricsObservation struct {
+
+	// Configuration block that specifies the time threshold for emitting the s3:Replication:OperationMissedThreshold event. See below.
+	EventThreshold []EventThresholdObservation `json:"eventThreshold,omitempty" tf:"event_threshold,omitempty"`
+
+	// Whether the existing objects should be replicated. Either "Enabled" or "Disabled".
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type DestinationMetricsParameters struct {
@@ -159,6 +216,12 @@ type DestinationMetricsParameters struct {
 }
 
 type DestinationReplicationTimeObservation struct {
+
+	// Whether the existing objects should be replicated. Either "Enabled" or "Disabled".
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Configuration block specifying the time by which replication should be complete for all objects and operations on objects. See below.
+	Time []TimeObservation `json:"time,omitempty" tf:"time,omitempty"`
 }
 
 type DestinationReplicationTimeParameters struct {
@@ -173,6 +236,9 @@ type DestinationReplicationTimeParameters struct {
 }
 
 type EncryptionConfigurationObservation struct {
+
+	// ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket.
+	ReplicaKMSKeyID *string `json:"replicaKmsKeyId,omitempty" tf:"replica_kms_key_id,omitempty"`
 }
 
 type EncryptionConfigurationParameters struct {
@@ -183,6 +249,9 @@ type EncryptionConfigurationParameters struct {
 }
 
 type EventThresholdObservation struct {
+
+	// Time in minutes. Valid values: 15.
+	Minutes *float64 `json:"minutes,omitempty" tf:"minutes,omitempty"`
 }
 
 type EventThresholdParameters struct {
@@ -193,6 +262,9 @@ type EventThresholdParameters struct {
 }
 
 type ExistingObjectReplicationObservation struct {
+
+	// Whether the existing objects should be replicated. Either "Enabled" or "Disabled".
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type ExistingObjectReplicationParameters struct {
@@ -203,6 +275,12 @@ type ExistingObjectReplicationParameters struct {
 }
 
 type FilterAndObservation struct {
+
+	// Object key name prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. Defaults to an empty string ("") if filter is not specified.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Map of tags (key and value pairs) that identifies a subset of objects to which the rule applies. The rule applies only to objects having all the tags in its tagset.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type FilterAndParameters struct {
@@ -217,6 +295,12 @@ type FilterAndParameters struct {
 }
 
 type FilterTagObservation struct {
+
+	// Name of the object key.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Value of the tag.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type FilterTagParameters struct {
@@ -231,6 +315,9 @@ type FilterTagParameters struct {
 }
 
 type ReplicaModificationsObservation struct {
+
+	// Whether the existing objects should be replicated. Either "Enabled" or "Disabled".
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type ReplicaModificationsParameters struct {
@@ -241,6 +328,27 @@ type ReplicaModificationsParameters struct {
 }
 
 type RuleDestinationObservation struct {
+
+	// Configuration block that specifies the overrides to use for object owners on replication. See below. Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS account that owns the source object. Must be used in conjunction with account owner override configuration.
+	AccessControlTranslation []DestinationAccessControlTranslationObservation `json:"accessControlTranslation,omitempty" tf:"access_control_translation,omitempty"`
+
+	// Account ID to specify the replica ownership. Must be used in conjunction with access_control_translation override configuration.
+	Account *string `json:"account,omitempty" tf:"account,omitempty"`
+
+	// ARN of the bucket where you want Amazon S3 to store the results.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Configuration block that provides information about encryption. See below. If source_selection_criteria is specified, you must specify this element.
+	EncryptionConfiguration []EncryptionConfigurationObservation `json:"encryptionConfiguration,omitempty" tf:"encryption_configuration,omitempty"`
+
+	// Configuration block that specifies replication metrics-related settings enabling replication metrics and events. See below.
+	Metrics []DestinationMetricsObservation `json:"metrics,omitempty" tf:"metrics,omitempty"`
+
+	// Configuration block that specifies S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. See below. Replication Time Control must be used in conjunction with metrics.
+	ReplicationTime []DestinationReplicationTimeObservation `json:"replicationTime,omitempty" tf:"replication_time,omitempty"`
+
+	// The storage class used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica.
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
 }
 
 type RuleDestinationParameters struct {
@@ -285,6 +393,12 @@ type RuleDestinationParameters struct {
 }
 
 type RuleSourceSelectionCriteriaObservation struct {
+
+	// Configuration block that you can specify for selections for modifications on replicas. Amazon S3 doesn't replicate replica modifications by default. In the latest version of replication configuration (when filter is specified), you can specify this element and set the status to Enabled to replicate modifications on replicas.
+	ReplicaModifications []ReplicaModificationsObservation `json:"replicaModifications,omitempty" tf:"replica_modifications,omitempty"`
+
+	// Configuration block for filter information for the selection of Amazon S3 objects encrypted with AWS KMS. If specified, replica_kms_key_id in destination encryption_configuration must be specified as well.
+	SseKMSEncryptedObjects []SourceSelectionCriteriaSseKMSEncryptedObjectsObservation `json:"sseKmsEncryptedObjects,omitempty" tf:"sse_kms_encrypted_objects,omitempty"`
 }
 
 type RuleSourceSelectionCriteriaParameters struct {
@@ -299,6 +413,9 @@ type RuleSourceSelectionCriteriaParameters struct {
 }
 
 type SourceSelectionCriteriaSseKMSEncryptedObjectsObservation struct {
+
+	// Whether the existing objects should be replicated. Either "Enabled" or "Disabled".
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type SourceSelectionCriteriaSseKMSEncryptedObjectsParameters struct {
@@ -309,6 +426,9 @@ type SourceSelectionCriteriaSseKMSEncryptedObjectsParameters struct {
 }
 
 type TimeObservation struct {
+
+	// Time in minutes. Valid values: 15.
+	Minutes *float64 `json:"minutes,omitempty" tf:"minutes,omitempty"`
 }
 
 type TimeParameters struct {
@@ -342,8 +462,9 @@ type BucketReplicationConfigurationStatus struct {
 type BucketReplicationConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketReplicationConfigurationSpec   `json:"spec"`
-	Status            BucketReplicationConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)",message="rule is a required parameter"
+	Spec   BucketReplicationConfigurationSpec   `json:"spec"`
+	Status BucketReplicationConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketrequestpaymentconfiguration_types.go b/apis/s3/v1beta1/zz_bucketrequestpaymentconfiguration_types.go
index a55e669a70..d2eb7d99fb 100755
--- a/apis/s3/v1beta1/zz_bucketrequestpaymentconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketrequestpaymentconfiguration_types.go
@@ -15,8 +15,17 @@ import (
 
 type BucketRequestPaymentConfigurationObservation struct {
 
+	// Name of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Specifies who pays for the download and request fees. Valid values: BucketOwner, Requester.
+	Payer *string `json:"payer,omitempty" tf:"payer,omitempty"`
 }
 
 type BucketRequestPaymentConfigurationParameters struct {
@@ -40,8 +49,8 @@ type BucketRequestPaymentConfigurationParameters struct {
 	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
 
 	// Specifies who pays for the download and request fees. Valid values: BucketOwner, Requester.
-	// +kubebuilder:validation:Required
-	Payer *string `json:"payer" tf:"payer,omitempty"`
+	// +kubebuilder:validation:Optional
+	Payer *string `json:"payer,omitempty" tf:"payer,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -73,8 +82,9 @@ type BucketRequestPaymentConfigurationStatus struct {
 type BucketRequestPaymentConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketRequestPaymentConfigurationSpec   `json:"spec"`
-	Status            BucketRequestPaymentConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.payer)",message="payer is a required parameter"
+	Spec   BucketRequestPaymentConfigurationSpec   `json:"spec"`
+	Status BucketRequestPaymentConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketserversideencryptionconfiguration_types.go b/apis/s3/v1beta1/zz_bucketserversideencryptionconfiguration_types.go
index 21429c149e..84b0642cd0 100755
--- a/apis/s3/v1beta1/zz_bucketserversideencryptionconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketserversideencryptionconfiguration_types.go
@@ -15,8 +15,17 @@ import (
 
 type BucketServerSideEncryptionConfigurationObservation struct {
 
+	// ID (name) of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Set of server-side encryption configuration rules. See below. Currently, only a single rule is supported.
+	Rule []BucketServerSideEncryptionConfigurationRuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketServerSideEncryptionConfigurationParameters struct {
@@ -45,11 +54,17 @@ type BucketServerSideEncryptionConfigurationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Set of server-side encryption configuration rules. See below. Currently, only a single rule is supported.
-	// +kubebuilder:validation:Required
-	Rule []BucketServerSideEncryptionConfigurationRuleParameters `json:"rule" tf:"rule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Rule []BucketServerSideEncryptionConfigurationRuleParameters `json:"rule,omitempty" tf:"rule,omitempty"`
 }
 
 type BucketServerSideEncryptionConfigurationRuleObservation struct {
+
+	// Single object for setting server-side encryption by default. See below.
+	ApplyServerSideEncryptionByDefault []RuleApplyServerSideEncryptionByDefaultObservation `json:"applyServerSideEncryptionByDefault,omitempty" tf:"apply_server_side_encryption_by_default,omitempty"`
+
+	// Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.
+	BucketKeyEnabled *bool `json:"bucketKeyEnabled,omitempty" tf:"bucket_key_enabled,omitempty"`
 }
 
 type BucketServerSideEncryptionConfigurationRuleParameters struct {
@@ -64,6 +79,12 @@ type BucketServerSideEncryptionConfigurationRuleParameters struct {
 }
 
 type RuleApplyServerSideEncryptionByDefaultObservation struct {
+
+	// AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of sse_algorithm as aws:kms. The default aws/s3 AWS KMS master key is used if this element is absent while the sse_algorithm is aws:kms.
+	KMSMasterKeyID *string `json:"kmsMasterKeyId,omitempty" tf:"kms_master_key_id,omitempty"`
+
+	// Server-side encryption algorithm to use. Valid values are AES256 and aws:kms
+	SseAlgorithm *string `json:"sseAlgorithm,omitempty" tf:"sse_algorithm,omitempty"`
 }
 
 type RuleApplyServerSideEncryptionByDefaultParameters struct {
@@ -111,8 +132,9 @@ type BucketServerSideEncryptionConfigurationStatus struct {
 type BucketServerSideEncryptionConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketServerSideEncryptionConfigurationSpec   `json:"spec"`
-	Status            BucketServerSideEncryptionConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)",message="rule is a required parameter"
+	Spec   BucketServerSideEncryptionConfigurationSpec   `json:"spec"`
+	Status BucketServerSideEncryptionConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketversioning_types.go b/apis/s3/v1beta1/zz_bucketversioning_types.go
index 1b9b643b70..ea3e8fa5c0 100755
--- a/apis/s3/v1beta1/zz_bucketversioning_types.go
+++ b/apis/s3/v1beta1/zz_bucketversioning_types.go
@@ -15,8 +15,20 @@ import (
 
 type BucketVersioningObservation struct {
 
+	// Name of the S3 bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Concatenation of the authentication device's serial number, a space, and the value that is displayed on your authentication device.
+	Mfa *string `json:"mfa,omitempty" tf:"mfa,omitempty"`
+
+	// Configuration block for the versioning parameters. See below.
+	VersioningConfiguration []VersioningConfigurationObservation `json:"versioningConfiguration,omitempty" tf:"versioning_configuration,omitempty"`
 }
 
 type BucketVersioningParameters struct {
@@ -49,11 +61,17 @@ type BucketVersioningParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Configuration block for the versioning parameters. See below.
-	// +kubebuilder:validation:Required
-	VersioningConfiguration []VersioningConfigurationParameters `json:"versioningConfiguration" tf:"versioning_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	VersioningConfiguration []VersioningConfigurationParameters `json:"versioningConfiguration,omitempty" tf:"versioning_configuration,omitempty"`
 }
 
 type VersioningConfigurationObservation struct {
+
+	// Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: Enabled or Disabled.
+	MfaDelete *string `json:"mfaDelete,omitempty" tf:"mfa_delete,omitempty"`
+
+	// Versioning state of the bucket. Valid values: Enabled, Suspended, or Disabled. Disabled should only be used when creating or importing resources that correspond to unversioned S3 buckets.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type VersioningConfigurationParameters struct {
@@ -91,8 +109,9 @@ type BucketVersioningStatus struct {
 type BucketVersioning struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              BucketVersioningSpec   `json:"spec"`
-	Status            BucketVersioningStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.versioningConfiguration)",message="versioningConfiguration is a required parameter"
+	Spec   BucketVersioningSpec   `json:"spec"`
+	Status BucketVersioningStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_bucketwebsiteconfiguration_types.go b/apis/s3/v1beta1/zz_bucketwebsiteconfiguration_types.go
index e2cb1b2c7d..ea45b720e5 100755
--- a/apis/s3/v1beta1/zz_bucketwebsiteconfiguration_types.go
+++ b/apis/s3/v1beta1/zz_bucketwebsiteconfiguration_types.go
@@ -15,9 +15,31 @@ import (
 
 type BucketWebsiteConfigurationObservation struct {
 
+	// Name of the bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Name of the error document for the website. See below.
+	ErrorDocument []ErrorDocumentObservation `json:"errorDocument,omitempty" tf:"error_document,omitempty"`
+
+	// Account ID of the expected bucket owner.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
 	// The bucket or bucket and expected_bucket_owner separated by a comma (,) if the latter is provided.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the index document for the website. See below.
+	IndexDocument []IndexDocumentObservation `json:"indexDocument,omitempty" tf:"index_document,omitempty"`
+
+	// Redirect behavior for every request to this bucket's website endpoint. See below. Conflicts with error_document, index_document, and routing_rule.
+	RedirectAllRequestsTo []RedirectAllRequestsToObservation `json:"redirectAllRequestsTo,omitempty" tf:"redirect_all_requests_to,omitempty"`
+
+	// List of rules that define when a redirect is applied and the redirect behavior. See below.
+	RoutingRule []RoutingRuleObservation `json:"routingRule,omitempty" tf:"routing_rule,omitempty"`
+
+	// JSON array containing routing rules
+	// describing redirect behavior and when redirects are applied. Use this parameter when your routing rules contain empty String values ("") as seen in the example above.
+	RoutingRules *string `json:"routingRules,omitempty" tf:"routing_rules,omitempty"`
+
 	// Domain of the website endpoint. This is used to create Route 53 alias records.
 	WebsiteDomain *string `json:"websiteDomain,omitempty" tf:"website_domain,omitempty"`
 
@@ -73,6 +95,12 @@ type BucketWebsiteConfigurationParameters struct {
 }
 
 type ConditionObservation struct {
+
+	// HTTP error code when the redirect is applied. If specified with key_prefix_equals, then both must be true for the redirect to be applied.
+	HTTPErrorCodeReturnedEquals *string `json:"httpErrorCodeReturnedEquals,omitempty" tf:"http_error_code_returned_equals,omitempty"`
+
+	// Object key name prefix when the redirect is applied. If specified with http_error_code_returned_equals, then both must be true for the redirect to be applied.
+	KeyPrefixEquals *string `json:"keyPrefixEquals,omitempty" tf:"key_prefix_equals,omitempty"`
 }
 
 type ConditionParameters struct {
@@ -87,6 +115,9 @@ type ConditionParameters struct {
 }
 
 type ErrorDocumentObservation struct {
+
+	// Object key name to use when a 4XX class error occurs.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type ErrorDocumentParameters struct {
@@ -97,6 +128,11 @@ type ErrorDocumentParameters struct {
 }
 
 type IndexDocumentObservation struct {
+
+	// Suffix that is appended to a request that is for a directory on the website endpoint.
+	// For example, if the suffix is index.html and you make a request to samplebucket/images/, the data that is returned will be for the object with the key name images/index.html.
+	// The suffix must not be empty and must not include a slash character.
+	Suffix *string `json:"suffix,omitempty" tf:"suffix,omitempty"`
 }
 
 type IndexDocumentParameters struct {
@@ -109,6 +145,12 @@ type IndexDocumentParameters struct {
 }
 
 type RedirectAllRequestsToObservation struct {
+
+	// Name of the host where requests are redirected.
+	HostName *string `json:"hostName,omitempty" tf:"host_name,omitempty"`
+
+	// Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: http, https.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 }
 
 type RedirectAllRequestsToParameters struct {
@@ -123,6 +165,21 @@ type RedirectAllRequestsToParameters struct {
 }
 
 type RedirectObservation struct {
+
+	// HTTP redirect code to use on the response.
+	HTTPRedirectCode *string `json:"httpRedirectCode,omitempty" tf:"http_redirect_code,omitempty"`
+
+	// Name of the host where requests are redirected.
+	HostName *string `json:"hostName,omitempty" tf:"host_name,omitempty"`
+
+	// Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: http, https.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix docs/ (objects in the docs/ folder) to documents/, you can set a condition block with key_prefix_equals set to docs/ and in the redirect set replace_key_prefix_with to /documents.
+	ReplaceKeyPrefixWith *string `json:"replaceKeyPrefixWith,omitempty" tf:"replace_key_prefix_with,omitempty"`
+
+	// Specific object key to use in the redirect request. For example, redirect request to error.html.
+	ReplaceKeyWith *string `json:"replaceKeyWith,omitempty" tf:"replace_key_with,omitempty"`
 }
 
 type RedirectParameters struct {
@@ -149,6 +206,12 @@ type RedirectParameters struct {
 }
 
 type RoutingRuleObservation struct {
+
+	// Configuration block for describing a condition that must be met for the specified redirect to apply. See below.
+	Condition []ConditionObservation `json:"condition,omitempty" tf:"condition,omitempty"`
+
+	// Configuration block for redirect information. See below.
+	Redirect []RedirectObservation `json:"redirect,omitempty" tf:"redirect,omitempty"`
 }
 
 type RoutingRuleParameters struct {
diff --git a/apis/s3/v1beta1/zz_generated.deepcopy.go b/apis/s3/v1beta1/zz_generated.deepcopy.go
index 7904ba0476..ebafc78a54 100644
--- a/apis/s3/v1beta1/zz_generated.deepcopy.go
+++ b/apis/s3/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AbortIncompleteMultipartUploadObservation) DeepCopyInto(out *AbortIncompleteMultipartUploadObservation) {
 	*out = *in
+	if in.DaysAfterInitiation != nil {
+		in, out := &in.DaysAfterInitiation, &out.DaysAfterInitiation
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AbortIncompleteMultipartUploadObservation.
@@ -59,6 +64,11 @@ func (in *AccessControlPolicyGrantObservation) DeepCopyInto(out *AccessControlPo
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Permission != nil {
+		in, out := &in.Permission, &out.Permission
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlPolicyGrantObservation.
@@ -108,6 +118,13 @@ func (in *AccessControlPolicyObservation) DeepCopyInto(out *AccessControlPolicyO
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Owner != nil {
+		in, out := &in.Owner, &out.Owner
+		*out = make([]OwnerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessControlPolicyObservation.
@@ -187,6 +204,36 @@ func (in *AccessControlTranslationParameters) DeepCopy() *AccessControlTranslati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AndObservation) DeepCopyInto(out *AndObservation) {
 	*out = *in
+	if in.ObjectSizeGreaterThan != nil {
+		in, out := &in.ObjectSizeGreaterThan, &out.ObjectSizeGreaterThan
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ObjectSizeLessThan != nil {
+		in, out := &in.ObjectSizeLessThan, &out.ObjectSizeLessThan
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AndObservation.
@@ -373,6 +420,11 @@ func (in *BucketACLList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketACLObservation) DeepCopyInto(out *BucketACLObservation) {
 	*out = *in
+	if in.ACL != nil {
+		in, out := &in.ACL, &out.ACL
+		*out = new(string)
+		**out = **in
+	}
 	if in.AccessControlPolicy != nil {
 		in, out := &in.AccessControlPolicy, &out.AccessControlPolicy
 		*out = make([]AccessControlPolicyObservation, len(*in))
@@ -380,6 +432,16 @@ func (in *BucketACLObservation) DeepCopyInto(out *BucketACLObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -545,11 +607,26 @@ func (in *BucketAccelerateConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketAccelerateConfigurationObservation) DeepCopyInto(out *BucketAccelerateConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketAccelerateConfigurationObservation.
@@ -671,6 +748,26 @@ func (in *BucketAnalyticsConfiguration) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketAnalyticsConfigurationFilterObservation) DeepCopyInto(out *BucketAnalyticsConfigurationFilterObservation) {
 	*out = *in
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketAnalyticsConfigurationFilterObservation.
@@ -753,11 +850,35 @@ func (in *BucketAnalyticsConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketAnalyticsConfigurationObservation) DeepCopyInto(out *BucketAnalyticsConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]BucketAnalyticsConfigurationFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageClassAnalysis != nil {
+		in, out := &in.StorageClassAnalysis, &out.StorageClassAnalysis
+		*out = make([]StorageClassAnalysisObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketAnalyticsConfigurationObservation.
@@ -888,6 +1009,60 @@ func (in *BucketCorsConfiguration) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketCorsConfigurationCorsRuleObservation) DeepCopyInto(out *BucketCorsConfigurationCorsRuleObservation) {
 	*out = *in
+	if in.AllowedHeaders != nil {
+		in, out := &in.AllowedHeaders, &out.AllowedHeaders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowedMethods != nil {
+		in, out := &in.AllowedMethods, &out.AllowedMethods
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AllowedOrigins != nil {
+		in, out := &in.AllowedOrigins, &out.AllowedOrigins
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ExposeHeaders != nil {
+		in, out := &in.ExposeHeaders, &out.ExposeHeaders
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxAgeSeconds != nil {
+		in, out := &in.MaxAgeSeconds, &out.MaxAgeSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketCorsConfigurationCorsRuleObservation.
@@ -1004,6 +1179,23 @@ func (in *BucketCorsConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketCorsConfigurationObservation) DeepCopyInto(out *BucketCorsConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.CorsRule != nil {
+		in, out := &in.CorsRule, &out.CorsRule
+		*out = make([]BucketCorsConfigurationCorsRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1132,6 +1324,26 @@ func (in *BucketIntelligentTieringConfiguration) DeepCopyObject() runtime.Object
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketIntelligentTieringConfigurationFilterObservation) DeepCopyInto(out *BucketIntelligentTieringConfigurationFilterObservation) {
 	*out = *in
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketIntelligentTieringConfigurationFilterObservation.
@@ -1214,11 +1426,40 @@ func (in *BucketIntelligentTieringConfigurationList) DeepCopyObject() runtime.Ob
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketIntelligentTieringConfigurationObservation) DeepCopyInto(out *BucketIntelligentTieringConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]BucketIntelligentTieringConfigurationFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tiering != nil {
+		in, out := &in.Tiering, &out.Tiering
+		*out = make([]TieringObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketIntelligentTieringConfigurationObservation.
@@ -1354,6 +1595,13 @@ func (in *BucketInventory) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketInventoryDestinationObservation) DeepCopyInto(out *BucketInventoryDestinationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = make([]DestinationBucketObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketInventoryDestinationObservation.
@@ -1391,6 +1639,11 @@ func (in *BucketInventoryDestinationParameters) DeepCopy() *BucketInventoryDesti
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketInventoryFilterObservation) DeepCopyInto(out *BucketInventoryFilterObservation) {
 	*out = *in
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketInventoryFilterObservation.
@@ -1458,17 +1711,69 @@ func (in *BucketInventoryList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketInventoryObservation) DeepCopyInto(out *BucketInventoryObservation) {
 	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
 		*out = new(string)
 		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketInventoryObservation.
-func (in *BucketInventoryObservation) DeepCopy() *BucketInventoryObservation {
-	if in == nil {
-		return nil
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]BucketInventoryDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]BucketInventoryFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncludedObjectVersions != nil {
+		in, out := &in.IncludedObjectVersions, &out.IncludedObjectVersions
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OptionalFields != nil {
+		in, out := &in.OptionalFields, &out.OptionalFields
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = make([]ScheduleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketInventoryObservation.
+func (in *BucketInventoryObservation) DeepCopy() *BucketInventoryObservation {
+	if in == nil {
+		return nil
 	}
 	out := new(BucketInventoryObservation)
 	in.DeepCopyInto(out)
@@ -1653,11 +1958,28 @@ func (in *BucketLifecycleConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketLifecycleConfigurationObservation) DeepCopyInto(out *BucketLifecycleConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]BucketLifecycleConfigurationRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketLifecycleConfigurationObservation.
@@ -1720,6 +2042,63 @@ func (in *BucketLifecycleConfigurationParameters) DeepCopy() *BucketLifecycleCon
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketLifecycleConfigurationRuleObservation) DeepCopyInto(out *BucketLifecycleConfigurationRuleObservation) {
 	*out = *in
+	if in.AbortIncompleteMultipartUpload != nil {
+		in, out := &in.AbortIncompleteMultipartUpload, &out.AbortIncompleteMultipartUpload
+		*out = make([]AbortIncompleteMultipartUploadObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Expiration != nil {
+		in, out := &in.Expiration, &out.Expiration
+		*out = make([]RuleExpirationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]RuleFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NoncurrentVersionExpiration != nil {
+		in, out := &in.NoncurrentVersionExpiration, &out.NoncurrentVersionExpiration
+		*out = make([]RuleNoncurrentVersionExpirationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoncurrentVersionTransition != nil {
+		in, out := &in.NoncurrentVersionTransition, &out.NoncurrentVersionTransition
+		*out = make([]RuleNoncurrentVersionTransitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Transition != nil {
+		in, out := &in.Transition, &out.Transition
+		*out = make([]RuleTransitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketLifecycleConfigurationRuleObservation.
@@ -1932,11 +2311,26 @@ func (in *BucketLoggingList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketLoggingObservation) DeepCopyInto(out *BucketLoggingObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.TargetBucket != nil {
+		in, out := &in.TargetBucket, &out.TargetBucket
+		*out = new(string)
+		**out = **in
+	}
 	if in.TargetGrant != nil {
 		in, out := &in.TargetGrant, &out.TargetGrant
 		*out = make([]TargetGrantObservation, len(*in))
@@ -1944,6 +2338,11 @@ func (in *BucketLoggingObservation) DeepCopyInto(out *BucketLoggingObservation)
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.TargetPrefix != nil {
+		in, out := &in.TargetPrefix, &out.TargetPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketLoggingObservation.
@@ -2087,6 +2486,26 @@ func (in *BucketMetric) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketMetricFilterObservation) DeepCopyInto(out *BucketMetricFilterObservation) {
 	*out = *in
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketMetricFilterObservation.
@@ -2169,11 +2588,28 @@ func (in *BucketMetricList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketMetricObservation) DeepCopyInto(out *BucketMetricObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]BucketMetricFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketMetricObservation.
@@ -2329,11 +2765,42 @@ func (in *BucketNotificationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketNotificationObservation) DeepCopyInto(out *BucketNotificationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Eventbridge != nil {
+		in, out := &in.Eventbridge, &out.Eventbridge
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LambdaFunction != nil {
+		in, out := &in.LambdaFunction, &out.LambdaFunction
+		*out = make([]LambdaFunctionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Queue != nil {
+		in, out := &in.Queue, &out.Queue
+		*out = make([]QueueObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Topic != nil {
+		in, out := &in.Topic, &out.Topic
+		*out = make([]TopicObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketNotificationObservation.
@@ -2562,11 +3029,33 @@ func (in *BucketObjectLockConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketObjectLockConfigurationObservation) DeepCopyInto(out *BucketObjectLockConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ObjectLockEnabled != nil {
+		in, out := &in.ObjectLockEnabled, &out.ObjectLockEnabled
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]BucketObjectLockConfigurationRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketObjectLockConfigurationObservation.
@@ -2639,6 +3128,13 @@ func (in *BucketObjectLockConfigurationParameters) DeepCopy() *BucketObjectLockC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketObjectLockConfigurationRuleObservation) DeepCopyInto(out *BucketObjectLockConfigurationRuleObservation) {
 	*out = *in
+	if in.DefaultRetention != nil {
+		in, out := &in.DefaultRetention, &out.DefaultRetention
+		*out = make([]RuleDefaultRetentionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketObjectLockConfigurationRuleObservation.
@@ -2710,28 +3206,168 @@ func (in *BucketObjectLockConfigurationStatus) DeepCopy() *BucketObjectLockConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketObjectObservation) DeepCopyInto(out *BucketObjectObservation) {
 	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.ACL != nil {
+		in, out := &in.ACL, &out.ACL
 		*out = new(string)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-	if in.VersionID != nil {
-		in, out := &in.VersionID, &out.VersionID
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketKeyEnabled != nil {
+		in, out := &in.BucketKeyEnabled, &out.BucketKeyEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CacheControl != nil {
+		in, out := &in.CacheControl, &out.CacheControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentBase64 != nil {
+		in, out := &in.ContentBase64, &out.ContentBase64
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentDisposition != nil {
+		in, out := &in.ContentDisposition, &out.ContentDisposition
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentEncoding != nil {
+		in, out := &in.ContentEncoding, &out.ContentEncoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentLanguage != nil {
+		in, out := &in.ContentLanguage, &out.ContentLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Etag != nil {
+		in, out := &in.Etag, &out.Etag
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ObjectLockLegalHoldStatus != nil {
+		in, out := &in.ObjectLockLegalHoldStatus, &out.ObjectLockLegalHoldStatus
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectLockMode != nil {
+		in, out := &in.ObjectLockMode, &out.ObjectLockMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectLockRetainUntilDate != nil {
+		in, out := &in.ObjectLockRetainUntilDate, &out.ObjectLockRetainUntilDate
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerSideEncryption != nil {
+		in, out := &in.ServerSideEncryption, &out.ServerSideEncryption
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceHash != nil {
+		in, out := &in.SourceHash, &out.SourceHash
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VersionID != nil {
+		in, out := &in.VersionID, &out.VersionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.WebsiteRedirect != nil {
+		in, out := &in.WebsiteRedirect, &out.WebsiteRedirect
 		*out = new(string)
 		**out = **in
 	}
@@ -2996,6 +3632,11 @@ func (in *BucketObservation) DeepCopyInto(out *BucketObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Grant != nil {
 		in, out := &in.Grant, &out.Grant
 		*out = make([]GrantObservation, len(*in))
@@ -3034,6 +3675,11 @@ func (in *BucketObservation) DeepCopyInto(out *BucketObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.ObjectLockEnabled != nil {
+		in, out := &in.ObjectLockEnabled, &out.ObjectLockEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(string)
@@ -3058,6 +3704,21 @@ func (in *BucketObservation) DeepCopyInto(out *BucketObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3171,11 +3832,23 @@ func (in *BucketOwnershipControlsList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketOwnershipControlsObservation) DeepCopyInto(out *BucketOwnershipControlsObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]BucketOwnershipControlsRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketOwnershipControlsObservation.
@@ -3233,6 +3906,11 @@ func (in *BucketOwnershipControlsParameters) DeepCopy() *BucketOwnershipControls
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketOwnershipControlsRuleObservation) DeepCopyInto(out *BucketOwnershipControlsRuleObservation) {
 	*out = *in
+	if in.ObjectOwnership != nil {
+		in, out := &in.ObjectOwnership, &out.ObjectOwnership
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketOwnershipControlsRuleObservation.
@@ -3406,11 +4084,21 @@ func (in *BucketPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketPolicyObservation) DeepCopyInto(out *BucketPolicyObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketPolicyObservation.
@@ -3559,11 +4247,36 @@ func (in *BucketPublicAccessBlockList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketPublicAccessBlockObservation) DeepCopyInto(out *BucketPublicAccessBlockObservation) {
 	*out = *in
+	if in.BlockPublicAcls != nil {
+		in, out := &in.BlockPublicAcls, &out.BlockPublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BlockPublicPolicy != nil {
+		in, out := &in.BlockPublicPolicy, &out.BlockPublicPolicy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IgnorePublicAcls != nil {
+		in, out := &in.IgnorePublicAcls, &out.IgnorePublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RestrictPublicBuckets != nil {
+		in, out := &in.RestrictPublicBuckets, &out.RestrictPublicBuckets
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketPublicAccessBlockObservation.
@@ -3727,11 +4440,28 @@ func (in *BucketReplicationConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketReplicationConfigurationObservation) DeepCopyInto(out *BucketReplicationConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]BucketReplicationConfigurationRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketReplicationConfigurationObservation.
@@ -3809,15 +4539,34 @@ func (in *BucketReplicationConfigurationParameters) DeepCopy() *BucketReplicatio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketReplicationConfigurationRuleFilterObservation) DeepCopyInto(out *BucketReplicationConfigurationRuleFilterObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketReplicationConfigurationRuleFilterObservation.
-func (in *BucketReplicationConfigurationRuleFilterObservation) DeepCopy() *BucketReplicationConfigurationRuleFilterObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(BucketReplicationConfigurationRuleFilterObservation)
-	in.DeepCopyInto(out)
+	if in.And != nil {
+		in, out := &in.And, &out.And
+		*out = make([]FilterAndObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tag != nil {
+		in, out := &in.Tag, &out.Tag
+		*out = make([]FilterTagObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketReplicationConfigurationRuleFilterObservation.
+func (in *BucketReplicationConfigurationRuleFilterObservation) DeepCopy() *BucketReplicationConfigurationRuleFilterObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(BucketReplicationConfigurationRuleFilterObservation)
+	in.DeepCopyInto(out)
 	return out
 }
 
@@ -3858,6 +4607,61 @@ func (in *BucketReplicationConfigurationRuleFilterParameters) DeepCopy() *Bucket
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketReplicationConfigurationRuleObservation) DeepCopyInto(out *BucketReplicationConfigurationRuleObservation) {
 	*out = *in
+	if in.DeleteMarkerReplication != nil {
+		in, out := &in.DeleteMarkerReplication, &out.DeleteMarkerReplication
+		*out = make([]DeleteMarkerReplicationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]RuleDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExistingObjectReplication != nil {
+		in, out := &in.ExistingObjectReplication, &out.ExistingObjectReplication
+		*out = make([]ExistingObjectReplicationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Filter != nil {
+		in, out := &in.Filter, &out.Filter
+		*out = make([]BucketReplicationConfigurationRuleFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SourceSelectionCriteria != nil {
+		in, out := &in.SourceSelectionCriteria, &out.SourceSelectionCriteria
+		*out = make([]RuleSourceSelectionCriteriaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketReplicationConfigurationRuleObservation.
@@ -4036,11 +4840,26 @@ func (in *BucketRequestPaymentConfigurationList) DeepCopyObject() runtime.Object
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketRequestPaymentConfigurationObservation) DeepCopyInto(out *BucketRequestPaymentConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Payer != nil {
+		in, out := &in.Payer, &out.Payer
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketRequestPaymentConfigurationObservation.
@@ -4194,11 +5013,28 @@ func (in *BucketServerSideEncryptionConfigurationList) DeepCopyObject() runtime.
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketServerSideEncryptionConfigurationObservation) DeepCopyInto(out *BucketServerSideEncryptionConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]BucketServerSideEncryptionConfigurationRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketServerSideEncryptionConfigurationObservation.
@@ -4261,6 +5097,18 @@ func (in *BucketServerSideEncryptionConfigurationParameters) DeepCopy() *BucketS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketServerSideEncryptionConfigurationRuleObservation) DeepCopyInto(out *BucketServerSideEncryptionConfigurationRuleObservation) {
 	*out = *in
+	if in.ApplyServerSideEncryptionByDefault != nil {
+		in, out := &in.ApplyServerSideEncryptionByDefault, &out.ApplyServerSideEncryptionByDefault
+		*out = make([]RuleApplyServerSideEncryptionByDefaultObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BucketKeyEnabled != nil {
+		in, out := &in.BucketKeyEnabled, &out.BucketKeyEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketServerSideEncryptionConfigurationRuleObservation.
@@ -4430,11 +5278,33 @@ func (in *BucketVersioningList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketVersioningObservation) DeepCopyInto(out *BucketVersioningObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Mfa != nil {
+		in, out := &in.Mfa, &out.Mfa
+		*out = new(string)
+		**out = **in
+	}
+	if in.VersioningConfiguration != nil {
+		in, out := &in.VersioningConfiguration, &out.VersioningConfiguration
+		*out = make([]VersioningConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketVersioningObservation.
@@ -4595,11 +5465,54 @@ func (in *BucketWebsiteConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketWebsiteConfigurationObservation) DeepCopyInto(out *BucketWebsiteConfigurationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.ErrorDocument != nil {
+		in, out := &in.ErrorDocument, &out.ErrorDocument
+		*out = make([]ErrorDocumentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IndexDocument != nil {
+		in, out := &in.IndexDocument, &out.IndexDocument
+		*out = make([]IndexDocumentObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RedirectAllRequestsTo != nil {
+		in, out := &in.RedirectAllRequestsTo, &out.RedirectAllRequestsTo
+		*out = make([]RedirectAllRequestsToObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoutingRule != nil {
+		in, out := &in.RoutingRule, &out.RoutingRule
+		*out = make([]RoutingRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoutingRules != nil {
+		in, out := &in.RoutingRules, &out.RoutingRules
+		*out = new(string)
+		**out = **in
+	}
 	if in.WebsiteDomain != nil {
 		in, out := &in.WebsiteDomain, &out.WebsiteDomain
 		*out = new(string)
@@ -4732,6 +5645,16 @@ func (in *BucketWebsiteConfigurationStatus) DeepCopy() *BucketWebsiteConfigurati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConditionObservation) DeepCopyInto(out *ConditionObservation) {
 	*out = *in
+	if in.HTTPErrorCodeReturnedEquals != nil {
+		in, out := &in.HTTPErrorCodeReturnedEquals, &out.HTTPErrorCodeReturnedEquals
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyPrefixEquals != nil {
+		in, out := &in.KeyPrefixEquals, &out.KeyPrefixEquals
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConditionObservation.
@@ -4851,6 +5774,13 @@ func (in *CorsRuleParameters) DeepCopy() *CorsRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataExportDestinationObservation) DeepCopyInto(out *DataExportDestinationObservation) {
 	*out = *in
+	if in.S3BucketDestination != nil {
+		in, out := &in.S3BucketDestination, &out.S3BucketDestination
+		*out = make([]S3BucketDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataExportDestinationObservation.
@@ -4888,6 +5818,18 @@ func (in *DataExportDestinationParameters) DeepCopy() *DataExportDestinationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataExportObservation) DeepCopyInto(out *DataExportObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]DataExportDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputSchemaVersion != nil {
+		in, out := &in.OutputSchemaVersion, &out.OutputSchemaVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataExportObservation.
@@ -4975,6 +5917,11 @@ func (in *DefaultRetentionParameters) DeepCopy() *DefaultRetentionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeleteMarkerReplicationObservation) DeepCopyInto(out *DeleteMarkerReplicationObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeleteMarkerReplicationObservation.
@@ -5010,6 +5957,11 @@ func (in *DeleteMarkerReplicationParameters) DeepCopy() *DeleteMarkerReplication
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationAccessControlTranslationObservation) DeepCopyInto(out *DestinationAccessControlTranslationObservation) {
 	*out = *in
+	if in.Owner != nil {
+		in, out := &in.Owner, &out.Owner
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationAccessControlTranslationObservation.
@@ -5045,6 +5997,33 @@ func (in *DestinationAccessControlTranslationParameters) DeepCopy() *Destination
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationBucketObservation) DeepCopyInto(out *DestinationBucketObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encryption != nil {
+		in, out := &in.Encryption, &out.Encryption
+		*out = make([]EncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationBucketObservation.
@@ -5112,6 +6091,18 @@ func (in *DestinationBucketParameters) DeepCopy() *DestinationBucketParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationMetricsObservation) DeepCopyInto(out *DestinationMetricsObservation) {
 	*out = *in
+	if in.EventThreshold != nil {
+		in, out := &in.EventThreshold, &out.EventThreshold
+		*out = make([]EventThresholdObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationMetricsObservation.
@@ -5225,10 +6216,22 @@ func (in *DestinationParameters) DeepCopy() *DestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationReplicationTimeObservation) DeepCopyInto(out *DestinationReplicationTimeObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationReplicationTimeObservation.
-func (in *DestinationReplicationTimeObservation) DeepCopy() *DestinationReplicationTimeObservation {
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
+	if in.Time != nil {
+		in, out := &in.Time, &out.Time
+		*out = make([]TimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationReplicationTimeObservation.
+func (in *DestinationReplicationTimeObservation) DeepCopy() *DestinationReplicationTimeObservation {
 	if in == nil {
 		return nil
 	}
@@ -5267,6 +6270,11 @@ func (in *DestinationReplicationTimeParameters) DeepCopy() *DestinationReplicati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionConfigurationObservation) DeepCopyInto(out *EncryptionConfigurationObservation) {
 	*out = *in
+	if in.ReplicaKMSKeyID != nil {
+		in, out := &in.ReplicaKMSKeyID, &out.ReplicaKMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigurationObservation.
@@ -5302,6 +6310,18 @@ func (in *EncryptionConfigurationParameters) DeepCopy() *EncryptionConfiguration
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionObservation) DeepCopyInto(out *EncryptionObservation) {
 	*out = *in
+	if in.SseKMS != nil {
+		in, out := &in.SseKMS, &out.SseKMS
+		*out = make([]SseKMSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SseS3 != nil {
+		in, out := &in.SseS3, &out.SseS3
+		*out = make([]SseS3Parameters, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionObservation.
@@ -5344,6 +6364,11 @@ func (in *EncryptionParameters) DeepCopy() *EncryptionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ErrorDocumentObservation) DeepCopyInto(out *ErrorDocumentObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ErrorDocumentObservation.
@@ -5379,6 +6404,11 @@ func (in *ErrorDocumentParameters) DeepCopy() *ErrorDocumentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventThresholdObservation) DeepCopyInto(out *EventThresholdObservation) {
 	*out = *in
+	if in.Minutes != nil {
+		in, out := &in.Minutes, &out.Minutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventThresholdObservation.
@@ -5414,6 +6444,11 @@ func (in *EventThresholdParameters) DeepCopy() *EventThresholdParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExistingObjectReplicationObservation) DeepCopyInto(out *ExistingObjectReplicationObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExistingObjectReplicationObservation.
@@ -5494,6 +6529,26 @@ func (in *ExpirationParameters) DeepCopy() *ExpirationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterAndObservation) DeepCopyInto(out *FilterAndObservation) {
 	*out = *in
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterAndObservation.
@@ -5594,6 +6649,16 @@ func (in *FilterParameters) DeepCopy() *FilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FilterTagObservation) DeepCopyInto(out *FilterTagObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FilterTagObservation.
@@ -5695,6 +6760,26 @@ func (in *GranteeObservation) DeepCopyInto(out *GranteeObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.EmailAddress != nil {
+		in, out := &in.EmailAddress, &out.EmailAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GranteeObservation.
@@ -5745,6 +6830,11 @@ func (in *GranteeParameters) DeepCopy() *GranteeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IndexDocumentObservation) DeepCopyInto(out *IndexDocumentObservation) {
 	*out = *in
+	if in.Suffix != nil {
+		in, out := &in.Suffix, &out.Suffix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IndexDocumentObservation.
@@ -5780,6 +6870,37 @@ func (in *IndexDocumentParameters) DeepCopy() *IndexDocumentParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaFunctionObservation) DeepCopyInto(out *LambdaFunctionObservation) {
 	*out = *in
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.FilterPrefix != nil {
+		in, out := &in.FilterPrefix, &out.FilterPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterSuffix != nil {
+		in, out := &in.FilterSuffix, &out.FilterSuffix
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaFunctionArn != nil {
+		in, out := &in.LambdaFunctionArn, &out.LambdaFunctionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaFunctionObservation.
@@ -6143,6 +7264,37 @@ func (in *ObjectCopy) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ObjectCopyGrantObservation) DeepCopyInto(out *ObjectCopyGrantObservation) {
 	*out = *in
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectCopyGrantObservation.
@@ -6235,71 +7387,6 @@ func (in *ObjectCopyList) DeepCopyObject() runtime.Object {
 
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ObjectCopyObservation) DeepCopyInto(out *ObjectCopyObservation) {
-	*out = *in
-	if in.Etag != nil {
-		in, out := &in.Etag, &out.Etag
-		*out = new(string)
-		**out = **in
-	}
-	if in.Expiration != nil {
-		in, out := &in.Expiration, &out.Expiration
-		*out = new(string)
-		**out = **in
-	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
-		*out = new(string)
-		**out = **in
-	}
-	if in.LastModified != nil {
-		in, out := &in.LastModified, &out.LastModified
-		*out = new(string)
-		**out = **in
-	}
-	if in.RequestCharged != nil {
-		in, out := &in.RequestCharged, &out.RequestCharged
-		*out = new(bool)
-		**out = **in
-	}
-	if in.SourceVersionID != nil {
-		in, out := &in.SourceVersionID, &out.SourceVersionID
-		*out = new(string)
-		**out = **in
-	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
-			(*out)[key] = outVal
-		}
-	}
-	if in.VersionID != nil {
-		in, out := &in.VersionID, &out.VersionID
-		*out = new(string)
-		**out = **in
-	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectCopyObservation.
-func (in *ObjectCopyObservation) DeepCopy() *ObjectCopyObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(ObjectCopyObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ObjectCopyParameters) DeepCopyInto(out *ObjectCopyParameters) {
 	*out = *in
 	if in.ACL != nil {
 		in, out := &in.ACL, &out.ACL
@@ -6371,9 +7458,9 @@ func (in *ObjectCopyParameters) DeepCopyInto(out *ObjectCopyParameters) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.CustomerKeySecretRef != nil {
-		in, out := &in.CustomerKeySecretRef, &out.CustomerKeySecretRef
-		*out = new(v1.SecretKeySelector)
+	if in.Etag != nil {
+		in, out := &in.Etag, &out.Etag
+		*out = new(string)
 		**out = **in
 	}
 	if in.ExpectedBucketOwner != nil {
@@ -6386,6 +7473,11 @@ func (in *ObjectCopyParameters) DeepCopyInto(out *ObjectCopyParameters) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Expiration != nil {
+		in, out := &in.Expiration, &out.Expiration
+		*out = new(string)
+		**out = **in
+	}
 	if in.Expires != nil {
 		in, out := &in.Expires, &out.Expires
 		*out = new(string)
@@ -6398,19 +7490,271 @@ func (in *ObjectCopyParameters) DeepCopyInto(out *ObjectCopyParameters) {
 	}
 	if in.Grant != nil {
 		in, out := &in.Grant, &out.Grant
-		*out = make([]ObjectCopyGrantParameters, len(*in))
+		*out = make([]ObjectCopyGrantObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-	if in.KMSEncryptionContextSecretRef != nil {
-		in, out := &in.KMSEncryptionContextSecretRef, &out.KMSEncryptionContextSecretRef
-		*out = new(v1.SecretKeySelector)
-		**out = **in
-	}
-	if in.KMSKeyIDSecretRef != nil {
-		in, out := &in.KMSKeyIDSecretRef, &out.KMSKeyIDSecretRef
-		*out = new(v1.SecretKeySelector)
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.LastModified != nil {
+		in, out := &in.LastModified, &out.LastModified
+		*out = new(string)
+		**out = **in
+	}
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.MetadataDirective != nil {
+		in, out := &in.MetadataDirective, &out.MetadataDirective
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectLockLegalHoldStatus != nil {
+		in, out := &in.ObjectLockLegalHoldStatus, &out.ObjectLockLegalHoldStatus
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectLockMode != nil {
+		in, out := &in.ObjectLockMode, &out.ObjectLockMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectLockRetainUntilDate != nil {
+		in, out := &in.ObjectLockRetainUntilDate, &out.ObjectLockRetainUntilDate
+		*out = new(string)
+		**out = **in
+	}
+	if in.RequestCharged != nil {
+		in, out := &in.RequestCharged, &out.RequestCharged
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RequestPayer != nil {
+		in, out := &in.RequestPayer, &out.RequestPayer
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerSideEncryption != nil {
+		in, out := &in.ServerSideEncryption, &out.ServerSideEncryption
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceCustomerAlgorithm != nil {
+		in, out := &in.SourceCustomerAlgorithm, &out.SourceCustomerAlgorithm
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceCustomerKeyMd5 != nil {
+		in, out := &in.SourceCustomerKeyMd5, &out.SourceCustomerKeyMd5
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceVersionID != nil {
+		in, out := &in.SourceVersionID, &out.SourceVersionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
+		*out = new(string)
+		**out = **in
+	}
+	if in.TaggingDirective != nil {
+		in, out := &in.TaggingDirective, &out.TaggingDirective
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.VersionID != nil {
+		in, out := &in.VersionID, &out.VersionID
+		*out = new(string)
+		**out = **in
+	}
+	if in.WebsiteRedirect != nil {
+		in, out := &in.WebsiteRedirect, &out.WebsiteRedirect
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectCopyObservation.
+func (in *ObjectCopyObservation) DeepCopy() *ObjectCopyObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectCopyObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectCopyParameters) DeepCopyInto(out *ObjectCopyParameters) {
+	*out = *in
+	if in.ACL != nil {
+		in, out := &in.ACL, &out.ACL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketKeyEnabled != nil {
+		in, out := &in.BucketKeyEnabled, &out.BucketKeyEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CacheControl != nil {
+		in, out := &in.CacheControl, &out.CacheControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentDisposition != nil {
+		in, out := &in.ContentDisposition, &out.ContentDisposition
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentEncoding != nil {
+		in, out := &in.ContentEncoding, &out.ContentEncoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentLanguage != nil {
+		in, out := &in.ContentLanguage, &out.ContentLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyIfMatch != nil {
+		in, out := &in.CopyIfMatch, &out.CopyIfMatch
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyIfModifiedSince != nil {
+		in, out := &in.CopyIfModifiedSince, &out.CopyIfModifiedSince
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyIfNoneMatch != nil {
+		in, out := &in.CopyIfNoneMatch, &out.CopyIfNoneMatch
+		*out = new(string)
+		**out = **in
+	}
+	if in.CopyIfUnmodifiedSince != nil {
+		in, out := &in.CopyIfUnmodifiedSince, &out.CopyIfUnmodifiedSince
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerAlgorithm != nil {
+		in, out := &in.CustomerAlgorithm, &out.CustomerAlgorithm
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerKeyMd5 != nil {
+		in, out := &in.CustomerKeyMd5, &out.CustomerKeyMd5
+		*out = new(string)
+		**out = **in
+	}
+	if in.CustomerKeySecretRef != nil {
+		in, out := &in.CustomerKeySecretRef, &out.CustomerKeySecretRef
+		*out = new(v1.SecretKeySelector)
+		**out = **in
+	}
+	if in.ExpectedBucketOwner != nil {
+		in, out := &in.ExpectedBucketOwner, &out.ExpectedBucketOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpectedSourceBucketOwner != nil {
+		in, out := &in.ExpectedSourceBucketOwner, &out.ExpectedSourceBucketOwner
+		*out = new(string)
+		**out = **in
+	}
+	if in.Expires != nil {
+		in, out := &in.Expires, &out.Expires
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Grant != nil {
+		in, out := &in.Grant, &out.Grant
+		*out = make([]ObjectCopyGrantParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KMSEncryptionContextSecretRef != nil {
+		in, out := &in.KMSEncryptionContextSecretRef, &out.KMSEncryptionContextSecretRef
+		*out = new(v1.SecretKeySelector)
+		**out = **in
+	}
+	if in.KMSKeyIDSecretRef != nil {
+		in, out := &in.KMSKeyIDSecretRef, &out.KMSKeyIDSecretRef
+		*out = new(v1.SecretKeySelector)
 		**out = **in
 	}
 	if in.Key != nil {
@@ -6593,59 +7937,194 @@ func (in *ObjectList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ObjectLockConfigurationObservation) DeepCopyInto(out *ObjectLockConfigurationObservation) {
-	*out = *in
-	if in.ObjectLockEnabled != nil {
-		in, out := &in.ObjectLockEnabled, &out.ObjectLockEnabled
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectLockConfigurationObservation) DeepCopyInto(out *ObjectLockConfigurationObservation) {
+	*out = *in
+	if in.ObjectLockEnabled != nil {
+		in, out := &in.ObjectLockEnabled, &out.ObjectLockEnabled
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]RuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectLockConfigurationObservation.
+func (in *ObjectLockConfigurationObservation) DeepCopy() *ObjectLockConfigurationObservation {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectLockConfigurationObservation)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectLockConfigurationParameters) DeepCopyInto(out *ObjectLockConfigurationParameters) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectLockConfigurationParameters.
+func (in *ObjectLockConfigurationParameters) DeepCopy() *ObjectLockConfigurationParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectLockConfigurationParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectObservation) DeepCopyInto(out *ObjectObservation) {
+	*out = *in
+	if in.ACL != nil {
+		in, out := &in.ACL, &out.ACL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketKeyEnabled != nil {
+		in, out := &in.BucketKeyEnabled, &out.BucketKeyEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.CacheControl != nil {
+		in, out := &in.CacheControl, &out.CacheControl
+		*out = new(string)
+		**out = **in
+	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentBase64 != nil {
+		in, out := &in.ContentBase64, &out.ContentBase64
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentDisposition != nil {
+		in, out := &in.ContentDisposition, &out.ContentDisposition
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentEncoding != nil {
+		in, out := &in.ContentEncoding, &out.ContentEncoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentLanguage != nil {
+		in, out := &in.ContentLanguage, &out.ContentLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContentType != nil {
+		in, out := &in.ContentType, &out.ContentType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Etag != nil {
+		in, out := &in.Etag, &out.Etag
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Metadata != nil {
+		in, out := &in.Metadata, &out.Metadata
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ObjectLockLegalHoldStatus != nil {
+		in, out := &in.ObjectLockLegalHoldStatus, &out.ObjectLockLegalHoldStatus
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectLockMode != nil {
+		in, out := &in.ObjectLockMode, &out.ObjectLockMode
 		*out = new(string)
 		**out = **in
 	}
-	if in.Rule != nil {
-		in, out := &in.Rule, &out.Rule
-		*out = make([]RuleObservation, len(*in))
-		for i := range *in {
-			(*in)[i].DeepCopyInto(&(*out)[i])
-		}
+	if in.ObjectLockRetainUntilDate != nil {
+		in, out := &in.ObjectLockRetainUntilDate, &out.ObjectLockRetainUntilDate
+		*out = new(string)
+		**out = **in
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectLockConfigurationObservation.
-func (in *ObjectLockConfigurationObservation) DeepCopy() *ObjectLockConfigurationObservation {
-	if in == nil {
-		return nil
+	if in.ServerSideEncryption != nil {
+		in, out := &in.ServerSideEncryption, &out.ServerSideEncryption
+		*out = new(string)
+		**out = **in
 	}
-	out := new(ObjectLockConfigurationObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ObjectLockConfigurationParameters) DeepCopyInto(out *ObjectLockConfigurationParameters) {
-	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectLockConfigurationParameters.
-func (in *ObjectLockConfigurationParameters) DeepCopy() *ObjectLockConfigurationParameters {
-	if in == nil {
-		return nil
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
 	}
-	out := new(ObjectLockConfigurationParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *ObjectObservation) DeepCopyInto(out *ObjectObservation) {
-	*out = *in
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.SourceHash != nil {
+		in, out := &in.SourceHash, &out.SourceHash
+		*out = new(string)
+		**out = **in
+	}
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -6666,6 +8145,11 @@ func (in *ObjectObservation) DeepCopyInto(out *ObjectObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.WebsiteRedirect != nil {
+		in, out := &in.WebsiteRedirect, &out.WebsiteRedirect
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectObservation.
@@ -6895,6 +8379,16 @@ func (in *ObjectStatus) DeepCopy() *ObjectStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OwnerObservation) DeepCopyInto(out *OwnerObservation) {
 	*out = *in
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OwnerObservation.
@@ -6935,6 +8429,37 @@ func (in *OwnerParameters) DeepCopy() *OwnerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *QueueObservation) DeepCopyInto(out *QueueObservation) {
 	*out = *in
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.FilterPrefix != nil {
+		in, out := &in.FilterPrefix, &out.FilterPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterSuffix != nil {
+		in, out := &in.FilterSuffix, &out.FilterSuffix
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.QueueArn != nil {
+		in, out := &in.QueueArn, &out.QueueArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueueObservation.
@@ -7006,6 +8531,16 @@ func (in *QueueParameters) DeepCopy() *QueueParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedirectAllRequestsToObservation) DeepCopyInto(out *RedirectAllRequestsToObservation) {
 	*out = *in
+	if in.HostName != nil {
+		in, out := &in.HostName, &out.HostName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedirectAllRequestsToObservation.
@@ -7046,6 +8581,31 @@ func (in *RedirectAllRequestsToParameters) DeepCopy() *RedirectAllRequestsToPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedirectObservation) DeepCopyInto(out *RedirectObservation) {
 	*out = *in
+	if in.HTTPRedirectCode != nil {
+		in, out := &in.HTTPRedirectCode, &out.HTTPRedirectCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.HostName != nil {
+		in, out := &in.HostName, &out.HostName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplaceKeyPrefixWith != nil {
+		in, out := &in.ReplaceKeyPrefixWith, &out.ReplaceKeyPrefixWith
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReplaceKeyWith != nil {
+		in, out := &in.ReplaceKeyWith, &out.ReplaceKeyWith
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedirectObservation.
@@ -7101,6 +8661,11 @@ func (in *RedirectParameters) DeepCopy() *RedirectParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicaModificationsObservation) DeepCopyInto(out *ReplicaModificationsObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReplicaModificationsObservation.
@@ -7218,6 +8783,20 @@ func (in *ReplicationTimeParameters) DeepCopy() *ReplicationTimeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RoutingRuleObservation) DeepCopyInto(out *RoutingRuleObservation) {
 	*out = *in
+	if in.Condition != nil {
+		in, out := &in.Condition, &out.Condition
+		*out = make([]ConditionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Redirect != nil {
+		in, out := &in.Redirect, &out.Redirect
+		*out = make([]RedirectObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RoutingRuleObservation.
@@ -7262,6 +8841,16 @@ func (in *RoutingRuleParameters) DeepCopy() *RoutingRuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleApplyServerSideEncryptionByDefaultObservation) DeepCopyInto(out *RuleApplyServerSideEncryptionByDefaultObservation) {
 	*out = *in
+	if in.KMSMasterKeyID != nil {
+		in, out := &in.KMSMasterKeyID, &out.KMSMasterKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SseAlgorithm != nil {
+		in, out := &in.SseAlgorithm, &out.SseAlgorithm
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleApplyServerSideEncryptionByDefaultObservation.
@@ -7312,6 +8901,21 @@ func (in *RuleApplyServerSideEncryptionByDefaultParameters) DeepCopy() *RuleAppl
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleDefaultRetentionObservation) DeepCopyInto(out *RuleDefaultRetentionObservation) {
 	*out = *in
+	if in.Days != nil {
+		in, out := &in.Days, &out.Days
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Years != nil {
+		in, out := &in.Years, &out.Years
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleDefaultRetentionObservation.
@@ -7332,33 +8936,76 @@ func (in *RuleDefaultRetentionParameters) DeepCopyInto(out *RuleDefaultRetention
 		*out = new(float64)
 		**out = **in
 	}
-	if in.Mode != nil {
-		in, out := &in.Mode, &out.Mode
-		*out = new(string)
-		**out = **in
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Years != nil {
+		in, out := &in.Years, &out.Years
+		*out = new(float64)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleDefaultRetentionParameters.
+func (in *RuleDefaultRetentionParameters) DeepCopy() *RuleDefaultRetentionParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(RuleDefaultRetentionParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *RuleDestinationObservation) DeepCopyInto(out *RuleDestinationObservation) {
+	*out = *in
+	if in.AccessControlTranslation != nil {
+		in, out := &in.AccessControlTranslation, &out.AccessControlTranslation
+		*out = make([]DestinationAccessControlTranslationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Account != nil {
+		in, out := &in.Account, &out.Account
+		*out = new(string)
+		**out = **in
+	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionConfiguration != nil {
+		in, out := &in.EncryptionConfiguration, &out.EncryptionConfiguration
+		*out = make([]EncryptionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Metrics != nil {
+		in, out := &in.Metrics, &out.Metrics
+		*out = make([]DestinationMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ReplicationTime != nil {
+		in, out := &in.ReplicationTime, &out.ReplicationTime
+		*out = make([]DestinationReplicationTimeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
 	}
-	if in.Years != nil {
-		in, out := &in.Years, &out.Years
-		*out = new(float64)
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
+		*out = new(string)
 		**out = **in
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleDefaultRetentionParameters.
-func (in *RuleDefaultRetentionParameters) DeepCopy() *RuleDefaultRetentionParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(RuleDefaultRetentionParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RuleDestinationObservation) DeepCopyInto(out *RuleDestinationObservation) {
-	*out = *in
-}
-
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleDestinationObservation.
 func (in *RuleDestinationObservation) DeepCopy() *RuleDestinationObservation {
 	if in == nil {
@@ -7440,6 +9087,21 @@ func (in *RuleDestinationParameters) DeepCopy() *RuleDestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleExpirationObservation) DeepCopyInto(out *RuleExpirationObservation) {
 	*out = *in
+	if in.Date != nil {
+		in, out := &in.Date, &out.Date
+		*out = new(string)
+		**out = **in
+	}
+	if in.Days != nil {
+		in, out := &in.Days, &out.Days
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ExpiredObjectDeleteMarker != nil {
+		in, out := &in.ExpiredObjectDeleteMarker, &out.ExpiredObjectDeleteMarker
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleExpirationObservation.
@@ -7485,6 +9147,35 @@ func (in *RuleExpirationParameters) DeepCopy() *RuleExpirationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleFilterObservation) DeepCopyInto(out *RuleFilterObservation) {
 	*out = *in
+	if in.And != nil {
+		in, out := &in.And, &out.And
+		*out = make([]AndObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ObjectSizeGreaterThan != nil {
+		in, out := &in.ObjectSizeGreaterThan, &out.ObjectSizeGreaterThan
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectSizeLessThan != nil {
+		in, out := &in.ObjectSizeLessThan, &out.ObjectSizeLessThan
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tag != nil {
+		in, out := &in.Tag, &out.Tag
+		*out = make([]TagObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleFilterObservation.
@@ -7544,6 +9235,16 @@ func (in *RuleFilterParameters) DeepCopy() *RuleFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleNoncurrentVersionExpirationObservation) DeepCopyInto(out *RuleNoncurrentVersionExpirationObservation) {
 	*out = *in
+	if in.NewerNoncurrentVersions != nil {
+		in, out := &in.NewerNoncurrentVersions, &out.NewerNoncurrentVersions
+		*out = new(string)
+		**out = **in
+	}
+	if in.NoncurrentDays != nil {
+		in, out := &in.NoncurrentDays, &out.NoncurrentDays
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleNoncurrentVersionExpirationObservation.
@@ -7584,6 +9285,21 @@ func (in *RuleNoncurrentVersionExpirationParameters) DeepCopy() *RuleNoncurrentV
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleNoncurrentVersionTransitionObservation) DeepCopyInto(out *RuleNoncurrentVersionTransitionObservation) {
 	*out = *in
+	if in.NewerNoncurrentVersions != nil {
+		in, out := &in.NewerNoncurrentVersions, &out.NewerNoncurrentVersions
+		*out = new(string)
+		**out = **in
+	}
+	if in.NoncurrentDays != nil {
+		in, out := &in.NoncurrentDays, &out.NoncurrentDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleNoncurrentVersionTransitionObservation.
@@ -7666,6 +9382,20 @@ func (in *RuleParameters) DeepCopy() *RuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleSourceSelectionCriteriaObservation) DeepCopyInto(out *RuleSourceSelectionCriteriaObservation) {
 	*out = *in
+	if in.ReplicaModifications != nil {
+		in, out := &in.ReplicaModifications, &out.ReplicaModifications
+		*out = make([]ReplicaModificationsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SseKMSEncryptedObjects != nil {
+		in, out := &in.SseKMSEncryptedObjects, &out.SseKMSEncryptedObjects
+		*out = make([]SourceSelectionCriteriaSseKMSEncryptedObjectsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleSourceSelectionCriteriaObservation.
@@ -7710,6 +9440,21 @@ func (in *RuleSourceSelectionCriteriaParameters) DeepCopy() *RuleSourceSelection
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RuleTransitionObservation) DeepCopyInto(out *RuleTransitionObservation) {
 	*out = *in
+	if in.Date != nil {
+		in, out := &in.Date, &out.Date
+		*out = new(string)
+		**out = **in
+	}
+	if in.Days != nil {
+		in, out := &in.Days, &out.Days
+		*out = new(float64)
+		**out = **in
+	}
+	if in.StorageClass != nil {
+		in, out := &in.StorageClass, &out.StorageClass
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleTransitionObservation.
@@ -7831,6 +9576,26 @@ func (in *RulesParameters) DeepCopy() *RulesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3BucketDestinationObservation) DeepCopyInto(out *S3BucketDestinationObservation) {
 	*out = *in
+	if in.BucketAccountID != nil {
+		in, out := &in.BucketAccountID, &out.BucketAccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketArn != nil {
+		in, out := &in.BucketArn, &out.BucketArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3BucketDestinationObservation.
@@ -7891,6 +9656,11 @@ func (in *S3BucketDestinationParameters) DeepCopy() *S3BucketDestinationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ScheduleObservation) DeepCopyInto(out *ScheduleObservation) {
 	*out = *in
+	if in.Frequency != nil {
+		in, out := &in.Frequency, &out.Frequency
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleObservation.
@@ -8042,6 +9812,11 @@ func (in *SourceSelectionCriteriaParameters) DeepCopy() *SourceSelectionCriteria
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceSelectionCriteriaSseKMSEncryptedObjectsObservation) DeepCopyInto(out *SourceSelectionCriteriaSseKMSEncryptedObjectsObservation) {
 	*out = *in
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceSelectionCriteriaSseKMSEncryptedObjectsObservation.
@@ -8112,6 +9887,11 @@ func (in *SseKMSEncryptedObjectsParameters) DeepCopy() *SseKMSEncryptedObjectsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SseKMSObservation) DeepCopyInto(out *SseKMSObservation) {
 	*out = *in
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SseKMSObservation.
@@ -8177,6 +9957,13 @@ func (in *SseS3Parameters) DeepCopy() *SseS3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageClassAnalysisObservation) DeepCopyInto(out *StorageClassAnalysisObservation) {
 	*out = *in
+	if in.DataExport != nil {
+		in, out := &in.DataExport, &out.DataExport
+		*out = make([]DataExportObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageClassAnalysisObservation.
@@ -8214,6 +10001,16 @@ func (in *StorageClassAnalysisParameters) DeepCopy() *StorageClassAnalysisParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagObservation) DeepCopyInto(out *TagObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagObservation.
@@ -8259,6 +10056,26 @@ func (in *TargetGrantGranteeObservation) DeepCopyInto(out *TargetGrantGranteeObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.EmailAddress != nil {
+		in, out := &in.EmailAddress, &out.EmailAddress
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.URI != nil {
+		in, out := &in.URI, &out.URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetGrantGranteeObservation.
@@ -8316,6 +10133,11 @@ func (in *TargetGrantObservation) DeepCopyInto(out *TargetGrantObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Permission != nil {
+		in, out := &in.Permission, &out.Permission
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetGrantObservation.
@@ -8358,6 +10180,16 @@ func (in *TargetGrantParameters) DeepCopy() *TargetGrantParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TieringObservation) DeepCopyInto(out *TieringObservation) {
 	*out = *in
+	if in.AccessTier != nil {
+		in, out := &in.AccessTier, &out.AccessTier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Days != nil {
+		in, out := &in.Days, &out.Days
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TieringObservation.
@@ -8398,6 +10230,11 @@ func (in *TieringParameters) DeepCopy() *TieringParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeObservation) DeepCopyInto(out *TimeObservation) {
 	*out = *in
+	if in.Minutes != nil {
+		in, out := &in.Minutes, &out.Minutes
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeObservation.
@@ -8433,6 +10270,37 @@ func (in *TimeParameters) DeepCopy() *TimeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicObservation) DeepCopyInto(out *TopicObservation) {
 	*out = *in
+	if in.Events != nil {
+		in, out := &in.Events, &out.Events
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.FilterPrefix != nil {
+		in, out := &in.FilterPrefix, &out.FilterPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterSuffix != nil {
+		in, out := &in.FilterSuffix, &out.FilterSuffix
+		*out = new(string)
+		**out = **in
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicObservation.
@@ -8549,6 +10417,16 @@ func (in *TransitionParameters) DeepCopy() *TransitionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VersioningConfigurationObservation) DeepCopyInto(out *VersioningConfigurationObservation) {
 	*out = *in
+	if in.MfaDelete != nil {
+		in, out := &in.MfaDelete, &out.MfaDelete
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VersioningConfigurationObservation.
diff --git a/apis/s3/v1beta1/zz_object_types.go b/apis/s3/v1beta1/zz_object_types.go
index db33c0f8c3..7da0fbca1a 100755
--- a/apis/s3/v1beta1/zz_object_types.go
+++ b/apis/s3/v1beta1/zz_object_types.go
@@ -15,14 +15,86 @@ import (
 
 type ObjectObservation struct {
 
+	// Canned ACL to apply. Valid values are private, public-read, public-read-write, aws-exec-read, authenticated-read, bucket-owner-read, and bucket-owner-full-control. Defaults to private.
+	ACL *string `json:"acl,omitempty" tf:"acl,omitempty"`
+
+	// Name of the bucket to put the file in. Alternatively, an S3 access point ARN can be specified.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.
+	BucketKeyEnabled *bool `json:"bucketKeyEnabled,omitempty" tf:"bucket_key_enabled,omitempty"`
+
+	// Caching behavior along the request/reply chain Read w3c cache_control for further details.
+	CacheControl *string `json:"cacheControl,omitempty" tf:"cache_control,omitempty"`
+
+	// Literal string value to use as the object content, which will be uploaded as UTF-8-encoded text.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// Base64-encoded data that will be decoded and uploaded as raw bytes for the object content. This allows safely uploading non-UTF8 binary data, but is recommended only for small content such as the result of the gzipbase64 function with small text strings. For larger objects, use source to stream the content from a disk file.
+	ContentBase64 *string `json:"contentBase64,omitempty" tf:"content_base64,omitempty"`
+
+	// Presentational information for the object. Read w3c content_disposition for further information.
+	ContentDisposition *string `json:"contentDisposition,omitempty" tf:"content_disposition,omitempty"`
+
+	// Content encodings that have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. Read w3c content encoding for further information.
+	ContentEncoding *string `json:"contentEncoding,omitempty" tf:"content_encoding,omitempty"`
+
+	// Language the content is in e.g., en-US or en-GB.
+	ContentLanguage *string `json:"contentLanguage,omitempty" tf:"content_language,omitempty"`
+
+	// Standard MIME type describing the format of the object data, e.g., application/octet-stream. All Valid MIME Types are valid for this input.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Triggers updates when the value changes.11.11.11 or earlier). This attribute is not compatible with KMS encryption, kms_key_id or server_side_encryption = "aws:kms", also if an object is larger than 16 MB, the AWS Management Console will upload or copy that object as a Multipart Upload, and therefore the ETag will not be an MD5 digest (see source_hash instead).
+	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
+
+	// Whether to allow the object to be deleted by removing any legal hold on any object version. Default is false. This value should be set to true only if the bucket has S3 object lock enabled.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
 	// key of the resource supplied above
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN of the KMS Key to use for object encryption. If the S3 Bucket has server-side encryption enabled, that value will automatically be used. If referencing the aws_kms_key resource, use the arn attribute. If referencing the aws_kms_alias data source or resource, use the target_key_arn attribute.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Name of the object once it is in the bucket.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API).
+	Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"`
+
+	// Legal hold status that you want to apply to the specified object. Valid values are ON and OFF.
+	ObjectLockLegalHoldStatus *string `json:"objectLockLegalHoldStatus,omitempty" tf:"object_lock_legal_hold_status,omitempty"`
+
+	// Object lock retention mode that you want to apply to this object. Valid values are GOVERNANCE and COMPLIANCE.
+	ObjectLockMode *string `json:"objectLockMode,omitempty" tf:"object_lock_mode,omitempty"`
+
+	// Date and time, in RFC3339 format, when this object's object lock will expire.
+	ObjectLockRetainUntilDate *string `json:"objectLockRetainUntilDate,omitempty" tf:"object_lock_retain_until_date,omitempty"`
+
+	// Server-side encryption of the object in S3. Valid values are "AES256" and "aws:kms".
+	ServerSideEncryption *string `json:"serverSideEncryption,omitempty" tf:"server_side_encryption,omitempty"`
+
+	// Path to a file that will be read and uploaded as raw bytes for the object content.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Triggers updates like etag but useful to address etag encryption limitations.11.12 or later). (The value is only stored in state and not saved by AWS.)
+	SourceHash *string `json:"sourceHash,omitempty" tf:"source_hash,omitempty"`
+
+	// Storage Class for the object. Defaults to "STANDARD".
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Unique version ID value for the object, if bucket versioning is enabled.
 	VersionID *string `json:"versionId,omitempty" tf:"version_id,omitempty"`
+
+	// Target URL for website redirect.
+	WebsiteRedirect *string `json:"websiteRedirect,omitempty" tf:"website_redirect,omitempty"`
 }
 
 type ObjectParameters struct {
@@ -99,8 +171,8 @@ type ObjectParameters struct {
 	KMSKeyIDSelector *v1.Selector `json:"kmsKeyIdSelector,omitempty" tf:"-"`
 
 	// Name of the object once it is in the bucket.
-	// +kubebuilder:validation:Required
-	Key *string `json:"key" tf:"key,omitempty"`
+	// +kubebuilder:validation:Optional
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 
 	// Map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API).
 	// +kubebuilder:validation:Optional
@@ -172,8 +244,9 @@ type ObjectStatus struct {
 type Object struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ObjectSpec   `json:"spec"`
-	Status            ObjectStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)",message="key is a required parameter"
+	Spec   ObjectSpec   `json:"spec"`
+	Status ObjectStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3/v1beta1/zz_objectcopy_types.go b/apis/s3/v1beta1/zz_objectcopy_types.go
index 8716c58ac7..17d225b4b6 100755
--- a/apis/s3/v1beta1/zz_objectcopy_types.go
+++ b/apis/s3/v1beta1/zz_objectcopy_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type ObjectCopyGrantObservation struct {
+
+	// Email address of the grantee. Used only when type is AmazonCustomerByEmail.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
+	// Canonical user ID of the grantee. Used only when type is CanonicalUser.
+	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// List of permissions to grant to grantee. Valid values are READ, READ_ACP, WRITE_ACP, FULL_CONTROL.
+	Permissions []*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
+	// - Type of grantee. Valid values are CanonicalUser, Group, and AmazonCustomerByEmail.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// URI of the grantee group. Used only when type is Group.
+	URI *string `json:"uri,omitempty" tf:"uri,omitempty"`
 }
 
 type ObjectCopyGrantParameters struct {
@@ -41,29 +56,130 @@ type ObjectCopyGrantParameters struct {
 
 type ObjectCopyObservation struct {
 
+	// Canned ACL to apply. Defaults to private. Valid values are private, public-read, public-read-write, authenticated-read, aws-exec-read, bucket-owner-read, and bucket-owner-full-control. Conflicts with grant.
+	ACL *string `json:"acl,omitempty" tf:"acl,omitempty"`
+
+	// Name of the bucket to put the file in.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	BucketKeyEnabled *bool `json:"bucketKeyEnabled,omitempty" tf:"bucket_key_enabled,omitempty"`
+
+	// Specifies caching behavior along the request/reply chain Read w3c cache_control for further details.
+	CacheControl *string `json:"cacheControl,omitempty" tf:"cache_control,omitempty"`
+
+	// Specifies presentational information for the object. Read w3c content_disposition for further information.
+	ContentDisposition *string `json:"contentDisposition,omitempty" tf:"content_disposition,omitempty"`
+
+	// Specifies what content encodings have been applied to the object and thus what decoding mechanisms must be applied to obtain the media-type referenced by the Content-Type header field. Read w3c content encoding for further information.
+	ContentEncoding *string `json:"contentEncoding,omitempty" tf:"content_encoding,omitempty"`
+
+	// Language the content is in e.g., en-US or en-GB.
+	ContentLanguage *string `json:"contentLanguage,omitempty" tf:"content_language,omitempty"`
+
+	// Standard MIME type describing the format of the object data, e.g., application/octet-stream. All Valid MIME Types are valid for this input.
+	ContentType *string `json:"contentType,omitempty" tf:"content_type,omitempty"`
+
+	// Copies the object if its entity tag (ETag) matches the specified tag.
+	CopyIfMatch *string `json:"copyIfMatch,omitempty" tf:"copy_if_match,omitempty"`
+
+	// Copies the object if it has been modified since the specified time, in RFC3339 format.
+	CopyIfModifiedSince *string `json:"copyIfModifiedSince,omitempty" tf:"copy_if_modified_since,omitempty"`
+
+	// Copies the object if its entity tag (ETag) is different than the specified ETag.
+	CopyIfNoneMatch *string `json:"copyIfNoneMatch,omitempty" tf:"copy_if_none_match,omitempty"`
+
+	// Copies the object if it hasn't been modified since the specified time, in RFC3339 format.
+	CopyIfUnmodifiedSince *string `json:"copyIfUnmodifiedSince,omitempty" tf:"copy_if_unmodified_since,omitempty"`
+
+	// Specifies the algorithm to use to when encrypting the object (for example, AES256).
+	CustomerAlgorithm *string `json:"customerAlgorithm,omitempty" tf:"customer_algorithm,omitempty"`
+
+	// Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure that the encryption key was transmitted without error.
+	CustomerKeyMd5 *string `json:"customerKeyMd5,omitempty" tf:"customer_key_md5,omitempty"`
+
 	// ETag generated for the object (an MD5 sum of the object content). For plaintext objects or objects encrypted with an AWS-managed key, the hash is an MD5 digest of the object data. For objects encrypted with a KMS key or objects created by either the Multipart Upload or Part Copy operation, the hash is not an MD5 digest, regardless of the method of encryption. More information on possible values can be found on Common Response Headers.
 	Etag *string `json:"etag,omitempty" tf:"etag,omitempty"`
 
+	// Account id of the expected destination bucket owner. If the destination bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.
+	ExpectedBucketOwner *string `json:"expectedBucketOwner,omitempty" tf:"expected_bucket_owner,omitempty"`
+
+	// Account id of the expected source bucket owner. If the source bucket is owned by a different account, the request will fail with an HTTP 403 (Access Denied) error.
+	ExpectedSourceBucketOwner *string `json:"expectedSourceBucketOwner,omitempty" tf:"expected_source_bucket_owner,omitempty"`
+
 	// If the object expiration is configured, this attribute will be set.
 	Expiration *string `json:"expiration,omitempty" tf:"expiration,omitempty"`
 
+	// Date and time at which the object is no longer cacheable, in RFC3339 format.
+	Expires *string `json:"expires,omitempty" tf:"expires,omitempty"`
+
+	// Allow the object to be deleted by removing any legal hold on any object version. Default is false. This value should be set to true only if the bucket has S3 object lock enabled.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
+	// Configuration block for header grants. Documented below. Conflicts with acl.
+	Grant []ObjectCopyGrantObservation `json:"grant,omitempty" tf:"grant,omitempty"`
+
 	// Canonical user ID of the grantee. Used only when type is CanonicalUser.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the object once it is in the bucket.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
 	// Returns the date that the object was last modified, in RFC3339 format.
 	LastModified *string `json:"lastModified,omitempty" tf:"last_modified,omitempty"`
 
+	// Map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API).
+	Metadata map[string]*string `json:"metadata,omitempty" tf:"metadata,omitempty"`
+
+	// Specifies whether the metadata is copied from the source object or replaced with metadata provided in the request. Valid values are COPY and REPLACE.
+	MetadataDirective *string `json:"metadataDirective,omitempty" tf:"metadata_directive,omitempty"`
+
+	// The legal hold status that you want to apply to the specified object. Valid values are ON and OFF.
+	ObjectLockLegalHoldStatus *string `json:"objectLockLegalHoldStatus,omitempty" tf:"object_lock_legal_hold_status,omitempty"`
+
+	// Object lock retention mode that you want to apply to this object. Valid values are GOVERNANCE and COMPLIANCE.
+	ObjectLockMode *string `json:"objectLockMode,omitempty" tf:"object_lock_mode,omitempty"`
+
+	// Date and time, in RFC3339 format, when this object's object lock will expire.
+	ObjectLockRetainUntilDate *string `json:"objectLockRetainUntilDate,omitempty" tf:"object_lock_retain_until_date,omitempty"`
+
 	// If present, indicates that the requester was successfully charged for the request.
 	RequestCharged *bool `json:"requestCharged,omitempty" tf:"request_charged,omitempty"`
 
+	// Confirms that the requester knows that they will be charged for the request. Bucket owners need not specify this parameter in their requests. For information about downloading objects from requester pays buckets, see Downloading Objects in Requestor Pays Buckets (https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html) in the Amazon S3 Developer Guide. If included, the only valid value is requester.
+	RequestPayer *string `json:"requestPayer,omitempty" tf:"request_payer,omitempty"`
+
+	// Specifies server-side encryption of the object in S3. Valid values are AES256 and aws:kms.
+	ServerSideEncryption *string `json:"serverSideEncryption,omitempty" tf:"server_side_encryption,omitempty"`
+
+	// Specifies the source object for the copy operation. You specify the value in one of two formats. For objects not accessed through an access point, specify the name of the source bucket and the key of the source object, separated by a slash (/). For example, testbucket/test1.json. For objects accessed through access points, specify the ARN of the object as accessed through the access point, in the format arn:aws:s3:<Region>:<account-id>:accesspoint/<access-point-name>/object/<key>. For example, arn:aws:s3:us-west-2:9999912999:accesspoint/my-access-point/object/testbucket/test1.json.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Specifies the algorithm to use when decrypting the source object (for example, AES256).
+	SourceCustomerAlgorithm *string `json:"sourceCustomerAlgorithm,omitempty" tf:"source_customer_algorithm,omitempty"`
+
+	// Specifies the 128-bit MD5 digest of the encryption key according to RFC 1321. Amazon S3 uses this header for a message integrity check to ensure that the encryption key was transmitted without error.
+	SourceCustomerKeyMd5 *string `json:"sourceCustomerKeyMd5,omitempty" tf:"source_customer_key_md5,omitempty"`
+
 	// Version of the copied object in the source bucket.
 	SourceVersionID *string `json:"sourceVersionId,omitempty" tf:"source_version_id,omitempty"`
 
+	// Specifies the desired storage class for the object. Defaults to STANDARD.
+	StorageClass *string `json:"storageClass,omitempty" tf:"storage_class,omitempty"`
+
+	// Specifies whether the object tag-set are copied from the source object or replaced with tag-set provided in the request. Valid values are COPY and REPLACE.
+	TaggingDirective *string `json:"taggingDirective,omitempty" tf:"tagging_directive,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Version ID of the newly created copy.
 	VersionID *string `json:"versionId,omitempty" tf:"version_id,omitempty"`
+
+	// Specifies a target URL for website redirect.
+	WebsiteRedirect *string `json:"websiteRedirect,omitempty" tf:"website_redirect,omitempty"`
 }
 
 type ObjectCopyParameters struct {
@@ -73,8 +189,8 @@ type ObjectCopyParameters struct {
 	ACL *string `json:"acl,omitempty" tf:"acl,omitempty"`
 
 	// Name of the bucket to put the file in.
-	// +kubebuilder:validation:Required
-	Bucket *string `json:"bucket" tf:"bucket,omitempty"`
+	// +kubebuilder:validation:Optional
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
 
 	// +kubebuilder:validation:Optional
 	BucketKeyEnabled *bool `json:"bucketKeyEnabled,omitempty" tf:"bucket_key_enabled,omitempty"`
@@ -156,8 +272,8 @@ type ObjectCopyParameters struct {
 	KMSKeyIDSecretRef *v1.SecretKeySelector `json:"kmsKeyIdSecretRef,omitempty" tf:"-"`
 
 	// Name of the object once it is in the bucket.
-	// +kubebuilder:validation:Required
-	Key *string `json:"key" tf:"key,omitempty"`
+	// +kubebuilder:validation:Optional
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 
 	// Map of keys/values to provision metadata (will be automatically prefixed by x-amz-meta-, note that only lowercase label are currently supported by the AWS Go API).
 	// +kubebuilder:validation:Optional
@@ -193,8 +309,8 @@ type ObjectCopyParameters struct {
 	ServerSideEncryption *string `json:"serverSideEncryption,omitempty" tf:"server_side_encryption,omitempty"`
 
 	// Specifies the source object for the copy operation. You specify the value in one of two formats. For objects not accessed through an access point, specify the name of the source bucket and the key of the source object, separated by a slash (/). For example, testbucket/test1.json. For objects accessed through access points, specify the ARN of the object as accessed through the access point, in the format arn:aws:s3:<Region>:<account-id>:accesspoint/<access-point-name>/object/<key>. For example, arn:aws:s3:us-west-2:9999912999:accesspoint/my-access-point/object/testbucket/test1.json.
-	// +kubebuilder:validation:Required
-	Source *string `json:"source" tf:"source,omitempty"`
+	// +kubebuilder:validation:Optional
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
 
 	// Specifies the algorithm to use when decrypting the source object (for example, AES256).
 	// +kubebuilder:validation:Optional
@@ -249,8 +365,11 @@ type ObjectCopyStatus struct {
 type ObjectCopy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ObjectCopySpec   `json:"spec"`
-	Status            ObjectCopyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bucket)",message="bucket is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)",message="key is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)",message="source is a required parameter"
+	Spec   ObjectCopySpec   `json:"spec"`
+	Status ObjectCopyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3control/v1beta1/zz_accesspoint_types.go b/apis/s3control/v1beta1/zz_accesspoint_types.go
index ecf58af99f..6af1ef5ec5 100755
--- a/apis/s3control/v1beta1/zz_accesspoint_types.go
+++ b/apis/s3control/v1beta1/zz_accesspoint_types.go
@@ -15,12 +15,21 @@ import (
 
 type AccessPointObservation struct {
 
+	// AWS account ID for the owner of the bucket for which you want to create an access point.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// Alias of the S3 Access Point.
 	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
 
 	// ARN of the S3 Access Point.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name of an AWS Partition S3 Bucket or the ARN of S3 on Outposts Bucket that you want to associate this access point with.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// AWS account ID associated with the S3 bucket associated with this access point.
+	BucketAccountID *string `json:"bucketAccountId,omitempty" tf:"bucket_account_id,omitempty"`
+
 	// DNS domain name of the S3 Access Point in the format name-account_id.s3-accesspoint.region.amazonaws.com.
 	// Note: S3 access points only support secure access by HTTPS. HTTP isn't supported.
 	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
@@ -34,8 +43,20 @@ type AccessPointObservation struct {
 	// For Access Point of an AWS Partition S3 Bucket, the AWS account ID and access point name separated by a colon (:). For S3 on Outposts Bucket, the ARN of the Access Point.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name you want to assign to this access point.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Indicates whether this access point allows access from the public Internet. Values are VPC (the access point doesn't allow access from the public Internet) and Internet (the access point allows access from the public Internet, subject to the access point and bucket access policies).
 	NetworkOrigin *string `json:"networkOrigin,omitempty" tf:"network_origin,omitempty"`
+
+	// Valid JSON document that specifies the policy that you want to apply to this access point. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws_s3control_access_point_policy. To remove the policy, set it to "{}" (an empty JSON document).
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// Configuration block to manage the PublicAccessBlock configuration that you want to apply to this Amazon S3 bucket. You can enable the configuration options in any combination. Detailed below.
+	PublicAccessBlockConfiguration []PublicAccessBlockConfigurationObservation `json:"publicAccessBlockConfiguration,omitempty" tf:"public_access_block_configuration,omitempty"`
+
+	// Configuration block to restrict access to this access point to requests from the specified Virtual Private Cloud (VPC). Required for S3 on Outposts. Detailed below.
+	VPCConfiguration []VPCConfigurationObservation `json:"vpcConfiguration,omitempty" tf:"vpc_configuration,omitempty"`
 }
 
 type AccessPointParameters struct {
@@ -63,8 +84,8 @@ type AccessPointParameters struct {
 	BucketSelector *v1.Selector `json:"bucketSelector,omitempty" tf:"-"`
 
 	// Name you want to assign to this access point.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Valid JSON document that specifies the policy that you want to apply to this access point. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws_s3control_access_point_policy. To remove the policy, set it to "{}" (an empty JSON document).
 	// +kubebuilder:validation:Optional
@@ -85,6 +106,18 @@ type AccessPointParameters struct {
 }
 
 type PublicAccessBlockConfigurationObservation struct {
+
+	// Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. Enabling this setting does not affect existing policies or ACLs. When set to true causes the following behavior:
+	BlockPublicAcls *bool `json:"blockPublicAcls,omitempty" tf:"block_public_acls,omitempty"`
+
+	// Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. Enabling this setting does not affect existing bucket policies. When set to true causes Amazon S3 to:
+	BlockPublicPolicy *bool `json:"blockPublicPolicy,omitempty" tf:"block_public_policy,omitempty"`
+
+	// Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. Enabling this setting does not affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. When set to true causes Amazon S3 to:
+	IgnorePublicAcls *bool `json:"ignorePublicAcls,omitempty" tf:"ignore_public_acls,omitempty"`
+
+	// Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. Enabling this setting does not affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. When set to true:
+	RestrictPublicBuckets *bool `json:"restrictPublicBuckets,omitempty" tf:"restrict_public_buckets,omitempty"`
 }
 
 type PublicAccessBlockConfigurationParameters struct {
@@ -107,6 +140,9 @@ type PublicAccessBlockConfigurationParameters struct {
 }
 
 type VPCConfigurationObservation struct {
+
+	// This access point will only allow connections from the specified VPC ID.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type VPCConfigurationParameters struct {
@@ -150,8 +186,9 @@ type AccessPointStatus struct {
 type AccessPoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AccessPointSpec   `json:"spec"`
-	Status            AccessPointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   AccessPointSpec   `json:"spec"`
+	Status AccessPointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3control/v1beta1/zz_accesspointpolicy_types.go b/apis/s3control/v1beta1/zz_accesspointpolicy_types.go
index 09b066376f..26b5cf577a 100755
--- a/apis/s3control/v1beta1/zz_accesspointpolicy_types.go
+++ b/apis/s3control/v1beta1/zz_accesspointpolicy_types.go
@@ -15,11 +15,17 @@ import (
 
 type AccessPointPolicyObservation struct {
 
+	// The ARN of the access point that you want to associate with the specified policy.
+	AccessPointArn *string `json:"accessPointArn,omitempty" tf:"access_point_arn,omitempty"`
+
 	// Indicates whether this access point currently has a policy that allows public access.
 	HasPublicAccessPolicy *bool `json:"hasPublicAccessPolicy,omitempty" tf:"has_public_access_policy,omitempty"`
 
 	// The AWS account ID and access point name separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The policy that you want to apply to the specified access point.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type AccessPointPolicyParameters struct {
@@ -39,8 +45,8 @@ type AccessPointPolicyParameters struct {
 	AccessPointArnSelector *v1.Selector `json:"accessPointArnSelector,omitempty" tf:"-"`
 
 	// The policy that you want to apply to the specified access point.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -72,8 +78,9 @@ type AccessPointPolicyStatus struct {
 type AccessPointPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AccessPointPolicySpec   `json:"spec"`
-	Status            AccessPointPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   AccessPointPolicySpec   `json:"spec"`
+	Status AccessPointPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3control/v1beta1/zz_accountpublicaccessblock_types.go b/apis/s3control/v1beta1/zz_accountpublicaccessblock_types.go
index b170c431fa..146de51035 100755
--- a/apis/s3control/v1beta1/zz_accountpublicaccessblock_types.go
+++ b/apis/s3control/v1beta1/zz_accountpublicaccessblock_types.go
@@ -15,8 +15,23 @@ import (
 
 type AccountPublicAccessBlockObservation struct {
 
+	// AWS account ID to configure.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to false. Enabling this setting does not affect existing policies or ACLs. When set to true causes the following behavior:
+	BlockPublicAcls *bool `json:"blockPublicAcls,omitempty" tf:"block_public_acls,omitempty"`
+
+	// Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to false. Enabling this setting does not affect existing bucket policies. When set to true causes Amazon S3 to:
+	BlockPublicPolicy *bool `json:"blockPublicPolicy,omitempty" tf:"block_public_policy,omitempty"`
+
 	// AWS account ID
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to false. Enabling this setting does not affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. When set to true causes Amazon S3 to:
+	IgnorePublicAcls *bool `json:"ignorePublicAcls,omitempty" tf:"ignore_public_acls,omitempty"`
+
+	// Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to false. Enabling this setting does not affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. When set to true:
+	RestrictPublicBuckets *bool `json:"restrictPublicBuckets,omitempty" tf:"restrict_public_buckets,omitempty"`
 }
 
 type AccountPublicAccessBlockParameters struct {
diff --git a/apis/s3control/v1beta1/zz_generated.deepcopy.go b/apis/s3control/v1beta1/zz_generated.deepcopy.go
index eb763db99c..a2cdbf1682 100644
--- a/apis/s3control/v1beta1/zz_generated.deepcopy.go
+++ b/apis/s3control/v1beta1/zz_generated.deepcopy.go
@@ -76,6 +76,11 @@ func (in *AccessPointList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessPointObservation) DeepCopyInto(out *AccessPointObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Alias != nil {
 		in, out := &in.Alias, &out.Alias
 		*out = new(string)
@@ -86,6 +91,16 @@ func (in *AccessPointObservation) DeepCopyInto(out *AccessPointObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.BucketAccountID != nil {
+		in, out := &in.BucketAccountID, &out.BucketAccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.DomainName != nil {
 		in, out := &in.DomainName, &out.DomainName
 		*out = new(string)
@@ -116,11 +131,35 @@ func (in *AccessPointObservation) DeepCopyInto(out *AccessPointObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.NetworkOrigin != nil {
 		in, out := &in.NetworkOrigin, &out.NetworkOrigin
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicAccessBlockConfiguration != nil {
+		in, out := &in.PublicAccessBlockConfiguration, &out.PublicAccessBlockConfiguration
+		*out = make([]PublicAccessBlockConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VPCConfiguration != nil {
+		in, out := &in.VPCConfiguration, &out.VPCConfiguration
+		*out = make([]VPCConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessPointObservation.
@@ -264,6 +303,11 @@ func (in *AccessPointPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccessPointPolicyObservation) DeepCopyInto(out *AccessPointPolicyObservation) {
 	*out = *in
+	if in.AccessPointArn != nil {
+		in, out := &in.AccessPointArn, &out.AccessPointArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.HasPublicAccessPolicy != nil {
 		in, out := &in.HasPublicAccessPolicy, &out.HasPublicAccessPolicy
 		*out = new(bool)
@@ -274,6 +318,11 @@ func (in *AccessPointPolicyObservation) DeepCopyInto(out *AccessPointPolicyObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccessPointPolicyObservation.
@@ -397,6 +446,11 @@ func (in *AccessPointStatus) DeepCopy() *AccessPointStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountLevelDetailedStatusCodeMetricsObservation) DeepCopyInto(out *AccountLevelDetailedStatusCodeMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountLevelDetailedStatusCodeMetricsObservation.
@@ -432,6 +486,41 @@ func (in *AccountLevelDetailedStatusCodeMetricsParameters) DeepCopy() *AccountLe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountLevelObservation) DeepCopyInto(out *AccountLevelObservation) {
 	*out = *in
+	if in.ActivityMetrics != nil {
+		in, out := &in.ActivityMetrics, &out.ActivityMetrics
+		*out = make([]ActivityMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AdvancedCostOptimizationMetrics != nil {
+		in, out := &in.AdvancedCostOptimizationMetrics, &out.AdvancedCostOptimizationMetrics
+		*out = make([]AdvancedCostOptimizationMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AdvancedDataProtectionMetrics != nil {
+		in, out := &in.AdvancedDataProtectionMetrics, &out.AdvancedDataProtectionMetrics
+		*out = make([]AdvancedDataProtectionMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.BucketLevel != nil {
+		in, out := &in.BucketLevel, &out.BucketLevel
+		*out = make([]BucketLevelObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DetailedStatusCodeMetrics != nil {
+		in, out := &in.DetailedStatusCodeMetrics, &out.DetailedStatusCodeMetrics
+		*out = make([]AccountLevelDetailedStatusCodeMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountLevelObservation.
@@ -556,11 +645,36 @@ func (in *AccountPublicAccessBlockList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AccountPublicAccessBlockObservation) DeepCopyInto(out *AccountPublicAccessBlockObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.BlockPublicAcls != nil {
+		in, out := &in.BlockPublicAcls, &out.BlockPublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BlockPublicPolicy != nil {
+		in, out := &in.BlockPublicPolicy, &out.BlockPublicPolicy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IgnorePublicAcls != nil {
+		in, out := &in.IgnorePublicAcls, &out.IgnorePublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RestrictPublicBuckets != nil {
+		in, out := &in.RestrictPublicBuckets, &out.RestrictPublicBuckets
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountPublicAccessBlockObservation.
@@ -655,6 +769,11 @@ func (in *AccountPublicAccessBlockStatus) DeepCopy() *AccountPublicAccessBlockSt
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActivityMetricsObservation) DeepCopyInto(out *ActivityMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActivityMetricsObservation.
@@ -690,6 +809,11 @@ func (in *ActivityMetricsParameters) DeepCopy() *ActivityMetricsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdvancedCostOptimizationMetricsObservation) DeepCopyInto(out *AdvancedCostOptimizationMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedCostOptimizationMetricsObservation.
@@ -725,6 +849,11 @@ func (in *AdvancedCostOptimizationMetricsParameters) DeepCopy() *AdvancedCostOpt
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AdvancedDataProtectionMetricsObservation) DeepCopyInto(out *AdvancedDataProtectionMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdvancedDataProtectionMetricsObservation.
@@ -760,6 +889,16 @@ func (in *AdvancedDataProtectionMetricsParameters) DeepCopy() *AdvancedDataProte
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AwsLambdaObservation) DeepCopyInto(out *AwsLambdaObservation) {
 	*out = *in
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FunctionPayload != nil {
+		in, out := &in.FunctionPayload, &out.FunctionPayload
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsLambdaObservation.
@@ -810,6 +949,11 @@ func (in *AwsLambdaParameters) DeepCopy() *AwsLambdaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AwsOrgObservation) DeepCopyInto(out *AwsOrgObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsOrgObservation.
@@ -845,6 +989,11 @@ func (in *AwsOrgParameters) DeepCopy() *AwsOrgParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketLevelActivityMetricsObservation) DeepCopyInto(out *BucketLevelActivityMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketLevelActivityMetricsObservation.
@@ -880,6 +1029,11 @@ func (in *BucketLevelActivityMetricsParameters) DeepCopy() *BucketLevelActivityM
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketLevelAdvancedCostOptimizationMetricsObservation) DeepCopyInto(out *BucketLevelAdvancedCostOptimizationMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketLevelAdvancedCostOptimizationMetricsObservation.
@@ -915,6 +1069,11 @@ func (in *BucketLevelAdvancedCostOptimizationMetricsParameters) DeepCopy() *Buck
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketLevelAdvancedDataProtectionMetricsObservation) DeepCopyInto(out *BucketLevelAdvancedDataProtectionMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketLevelAdvancedDataProtectionMetricsObservation.
@@ -950,6 +1109,41 @@ func (in *BucketLevelAdvancedDataProtectionMetricsParameters) DeepCopy() *Bucket
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BucketLevelObservation) DeepCopyInto(out *BucketLevelObservation) {
 	*out = *in
+	if in.ActivityMetrics != nil {
+		in, out := &in.ActivityMetrics, &out.ActivityMetrics
+		*out = make([]BucketLevelActivityMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AdvancedCostOptimizationMetrics != nil {
+		in, out := &in.AdvancedCostOptimizationMetrics, &out.AdvancedCostOptimizationMetrics
+		*out = make([]BucketLevelAdvancedCostOptimizationMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AdvancedDataProtectionMetrics != nil {
+		in, out := &in.AdvancedDataProtectionMetrics, &out.AdvancedDataProtectionMetrics
+		*out = make([]BucketLevelAdvancedDataProtectionMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DetailedStatusCodeMetrics != nil {
+		in, out := &in.DetailedStatusCodeMetrics, &out.DetailedStatusCodeMetrics
+		*out = make([]DetailedStatusCodeMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PrefixLevel != nil {
+		in, out := &in.PrefixLevel, &out.PrefixLevel
+		*out = make([]PrefixLevelObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BucketLevelObservation.
@@ -1015,6 +1209,11 @@ func (in *BucketLevelParameters) DeepCopy() *BucketLevelParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudWatchMetricsObservation) DeepCopyInto(out *CloudWatchMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudWatchMetricsObservation.
@@ -1050,6 +1249,34 @@ func (in *CloudWatchMetricsParameters) DeepCopy() *CloudWatchMetricsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationObservation) DeepCopyInto(out *ConfigurationObservation) {
 	*out = *in
+	if in.AllowedFeatures != nil {
+		in, out := &in.AllowedFeatures, &out.AllowedFeatures
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.CloudWatchMetricsEnabled != nil {
+		in, out := &in.CloudWatchMetricsEnabled, &out.CloudWatchMetricsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SupportingAccessPoint != nil {
+		in, out := &in.SupportingAccessPoint, &out.SupportingAccessPoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.TransformationConfiguration != nil {
+		in, out := &in.TransformationConfiguration, &out.TransformationConfiguration
+		*out = make([]TransformationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationObservation.
@@ -1118,6 +1345,13 @@ func (in *ConfigurationParameters) DeepCopy() *ConfigurationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContentTransformationObservation) DeepCopyInto(out *ContentTransformationObservation) {
 	*out = *in
+	if in.AwsLambda != nil {
+		in, out := &in.AwsLambda, &out.AwsLambda
+		*out = make([]AwsLambdaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContentTransformationObservation.
@@ -1155,6 +1389,20 @@ func (in *ContentTransformationParameters) DeepCopy() *ContentTransformationPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataExportObservation) DeepCopyInto(out *DataExportObservation) {
 	*out = *in
+	if in.CloudWatchMetrics != nil {
+		in, out := &in.CloudWatchMetrics, &out.CloudWatchMetrics
+		*out = make([]CloudWatchMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3BucketDestination != nil {
+		in, out := &in.S3BucketDestination, &out.S3BucketDestination
+		*out = make([]S3BucketDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataExportObservation.
@@ -1199,6 +1447,11 @@ func (in *DataExportParameters) DeepCopy() *DataExportParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DetailedStatusCodeMetricsObservation) DeepCopyInto(out *DetailedStatusCodeMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DetailedStatusCodeMetricsObservation.
@@ -1234,6 +1487,25 @@ func (in *DetailedStatusCodeMetricsParameters) DeepCopy() *DetailedStatusCodeMet
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DetailsObservation) DeepCopyInto(out *DetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.PublicAccessBlock != nil {
+		in, out := &in.PublicAccessBlock, &out.PublicAccessBlock
+		*out = make([]PublicAccessBlockObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = make([]RegionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DetailsObservation.
@@ -1283,6 +1555,18 @@ func (in *DetailsParameters) DeepCopy() *DetailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EncryptionObservation) DeepCopyInto(out *EncryptionObservation) {
 	*out = *in
+	if in.SseKMS != nil {
+		in, out := &in.SseKMS, &out.SseKMS
+		*out = make([]SseKMSObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SseS3 != nil {
+		in, out := &in.SseS3, &out.SseS3
+		*out = make([]SseS3Parameters, len(*in))
+		copy(*out, *in)
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionObservation.
@@ -1325,6 +1609,28 @@ func (in *EncryptionParameters) DeepCopy() *EncryptionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ExcludeObservation) DeepCopyInto(out *ExcludeObservation) {
 	*out = *in
+	if in.Buckets != nil {
+		in, out := &in.Buckets, &out.Buckets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Regions != nil {
+		in, out := &in.Regions, &out.Regions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ExcludeObservation.
@@ -1377,6 +1683,28 @@ func (in *ExcludeParameters) DeepCopy() *ExcludeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IncludeObservation) DeepCopyInto(out *IncludeObservation) {
 	*out = *in
+	if in.Buckets != nil {
+		in, out := &in.Buckets, &out.Buckets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Regions != nil {
+		in, out := &in.Regions, &out.Regions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IncludeObservation.
@@ -1488,6 +1816,11 @@ func (in *MultiRegionAccessPointList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MultiRegionAccessPointObservation) DeepCopyInto(out *MultiRegionAccessPointObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Alias != nil {
 		in, out := &in.Alias, &out.Alias
 		*out = new(string)
@@ -1498,6 +1831,13 @@ func (in *MultiRegionAccessPointObservation) DeepCopyInto(out *MultiRegionAccess
 		*out = new(string)
 		**out = **in
 	}
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make([]DetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.DomainName != nil {
 		in, out := &in.DomainName, &out.DomainName
 		*out = new(string)
@@ -1587,6 +1927,16 @@ func (in *MultiRegionAccessPointPolicy) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MultiRegionAccessPointPolicyDetailsObservation) DeepCopyInto(out *MultiRegionAccessPointPolicyDetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MultiRegionAccessPointPolicyDetailsObservation.
@@ -1659,6 +2009,18 @@ func (in *MultiRegionAccessPointPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MultiRegionAccessPointPolicyObservation) DeepCopyInto(out *MultiRegionAccessPointPolicyObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Details != nil {
+		in, out := &in.Details, &out.Details
+		*out = make([]MultiRegionAccessPointPolicyDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Established != nil {
 		in, out := &in.Established, &out.Established
 		*out = new(string)
@@ -1848,16 +2210,33 @@ func (in *ObjectLambdaAccessPointList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ObjectLambdaAccessPointObservation) DeepCopyInto(out *ObjectLambdaAccessPointObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = make([]ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectLambdaAccessPointObservation.
@@ -1969,6 +2348,11 @@ func (in *ObjectLambdaAccessPointPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ObjectLambdaAccessPointPolicyObservation) DeepCopyInto(out *ObjectLambdaAccessPointPolicyObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.HasPublicAccessPolicy != nil {
 		in, out := &in.HasPublicAccessPolicy, &out.HasPublicAccessPolicy
 		*out = new(bool)
@@ -1979,6 +2363,16 @@ func (in *ObjectLambdaAccessPointPolicyObservation) DeepCopyInto(out *ObjectLamb
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectLambdaAccessPointPolicyObservation.
@@ -2107,6 +2501,13 @@ func (in *ObjectLambdaAccessPointStatus) DeepCopy() *ObjectLambdaAccessPointStat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrefixLevelObservation) DeepCopyInto(out *PrefixLevelObservation) {
 	*out = *in
+	if in.StorageMetrics != nil {
+		in, out := &in.StorageMetrics, &out.StorageMetrics
+		*out = make([]StorageMetricsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrefixLevelObservation.
@@ -2144,6 +2545,26 @@ func (in *PrefixLevelParameters) DeepCopy() *PrefixLevelParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublicAccessBlockConfigurationObservation) DeepCopyInto(out *PublicAccessBlockConfigurationObservation) {
 	*out = *in
+	if in.BlockPublicAcls != nil {
+		in, out := &in.BlockPublicAcls, &out.BlockPublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BlockPublicPolicy != nil {
+		in, out := &in.BlockPublicPolicy, &out.BlockPublicPolicy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IgnorePublicAcls != nil {
+		in, out := &in.IgnorePublicAcls, &out.IgnorePublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RestrictPublicBuckets != nil {
+		in, out := &in.RestrictPublicBuckets, &out.RestrictPublicBuckets
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicAccessBlockConfigurationObservation.
@@ -2194,6 +2615,26 @@ func (in *PublicAccessBlockConfigurationParameters) DeepCopy() *PublicAccessBloc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PublicAccessBlockObservation) DeepCopyInto(out *PublicAccessBlockObservation) {
 	*out = *in
+	if in.BlockPublicAcls != nil {
+		in, out := &in.BlockPublicAcls, &out.BlockPublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.BlockPublicPolicy != nil {
+		in, out := &in.BlockPublicPolicy, &out.BlockPublicPolicy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IgnorePublicAcls != nil {
+		in, out := &in.IgnorePublicAcls, &out.IgnorePublicAcls
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RestrictPublicBuckets != nil {
+		in, out := &in.RestrictPublicBuckets, &out.RestrictPublicBuckets
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PublicAccessBlockObservation.
@@ -2244,6 +2685,11 @@ func (in *PublicAccessBlockParameters) DeepCopy() *PublicAccessBlockParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegionObservation) DeepCopyInto(out *RegionObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegionObservation.
@@ -2289,6 +2735,38 @@ func (in *RegionParameters) DeepCopy() *RegionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3BucketDestinationObservation) DeepCopyInto(out *S3BucketDestinationObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Encryption != nil {
+		in, out := &in.Encryption, &out.Encryption
+		*out = make([]EncryptionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Format != nil {
+		in, out := &in.Format, &out.Format
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputSchemaVersion != nil {
+		in, out := &in.OutputSchemaVersion, &out.OutputSchemaVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3BucketDestinationObservation.
@@ -2361,6 +2839,21 @@ func (in *S3BucketDestinationParameters) DeepCopy() *S3BucketDestinationParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelectionCriteriaObservation) DeepCopyInto(out *SelectionCriteriaObservation) {
 	*out = *in
+	if in.Delimiter != nil {
+		in, out := &in.Delimiter, &out.Delimiter
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxDepth != nil {
+		in, out := &in.MaxDepth, &out.MaxDepth
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MinStorageBytesPercentage != nil {
+		in, out := &in.MinStorageBytesPercentage, &out.MinStorageBytesPercentage
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelectionCriteriaObservation.
@@ -2406,6 +2899,11 @@ func (in *SelectionCriteriaParameters) DeepCopy() *SelectionCriteriaParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SseKMSObservation) DeepCopyInto(out *SseKMSObservation) {
 	*out = *in
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SseKMSObservation.
@@ -2530,16 +3028,48 @@ func (in *StorageLensConfigurationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageLensConfigurationObservation) DeepCopyInto(out *StorageLensConfigurationObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConfigID != nil {
+		in, out := &in.ConfigID, &out.ConfigID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.StorageLensConfiguration != nil {
+		in, out := &in.StorageLensConfiguration, &out.StorageLensConfiguration
+		*out = make([]StorageLensConfigurationStorageLensConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2656,6 +3186,46 @@ func (in *StorageLensConfigurationStatus) DeepCopy() *StorageLensConfigurationSt
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageLensConfigurationStorageLensConfigurationObservation) DeepCopyInto(out *StorageLensConfigurationStorageLensConfigurationObservation) {
 	*out = *in
+	if in.AccountLevel != nil {
+		in, out := &in.AccountLevel, &out.AccountLevel
+		*out = make([]AccountLevelObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.AwsOrg != nil {
+		in, out := &in.AwsOrg, &out.AwsOrg
+		*out = make([]AwsOrgObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DataExport != nil {
+		in, out := &in.DataExport, &out.DataExport
+		*out = make([]DataExportObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Exclude != nil {
+		in, out := &in.Exclude, &out.Exclude
+		*out = make([]ExcludeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Include != nil {
+		in, out := &in.Include, &out.Include
+		*out = make([]IncludeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageLensConfigurationStorageLensConfigurationObservation.
@@ -2726,6 +3296,18 @@ func (in *StorageLensConfigurationStorageLensConfigurationParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StorageMetricsObservation) DeepCopyInto(out *StorageMetricsObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SelectionCriteria != nil {
+		in, out := &in.SelectionCriteria, &out.SelectionCriteria
+		*out = make([]SelectionCriteriaObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StorageMetricsObservation.
@@ -2768,6 +3350,24 @@ func (in *StorageMetricsParameters) DeepCopy() *StorageMetricsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TransformationConfigurationObservation) DeepCopyInto(out *TransformationConfigurationObservation) {
 	*out = *in
+	if in.Actions != nil {
+		in, out := &in.Actions, &out.Actions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ContentTransformation != nil {
+		in, out := &in.ContentTransformation, &out.ContentTransformation
+		*out = make([]ContentTransformationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TransformationConfigurationObservation.
@@ -2816,6 +3416,11 @@ func (in *TransformationConfigurationParameters) DeepCopy() *TransformationConfi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigurationObservation) DeepCopyInto(out *VPCConfigurationObservation) {
 	*out = *in
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCConfigurationObservation.
diff --git a/apis/s3control/v1beta1/zz_multiregionaccesspoint_types.go b/apis/s3control/v1beta1/zz_multiregionaccesspoint_types.go
index c650525c5a..00fd3b1b94 100755
--- a/apis/s3control/v1beta1/zz_multiregionaccesspoint_types.go
+++ b/apis/s3control/v1beta1/zz_multiregionaccesspoint_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type DetailsObservation struct {
+
+	// The name of the Multi-Region Access Point.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Configuration block to manage the PublicAccessBlock configuration that you want to apply to this Multi-Region Access Point. You can enable the configuration options in any combination. See Public Access Block Configuration below for more details.
+	PublicAccessBlock []PublicAccessBlockObservation `json:"publicAccessBlock,omitempty" tf:"public_access_block,omitempty"`
+
+	// The Region configuration block to specify the bucket associated with the Multi-Region Access Point. See Region Configuration below for more details.
+	Region []RegionObservation `json:"region,omitempty" tf:"region,omitempty"`
 }
 
 type DetailsParameters struct {
@@ -33,12 +42,18 @@ type DetailsParameters struct {
 
 type MultiRegionAccessPointObservation struct {
 
+	// The AWS account ID for the owner of the buckets for which you want to create a Multi-Region Access Point.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// The alias for the Multi-Region Access Point.
 	Alias *string `json:"alias,omitempty" tf:"alias,omitempty"`
 
 	// Amazon Resource Name (ARN) of the Multi-Region Access Point.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A configuration block containing details about the Multi-Region Access Point. See Details Configuration Block below for more details
+	Details []DetailsObservation `json:"details,omitempty" tf:"details,omitempty"`
+
 	// The DNS domain name of the S3 Multi-Region Access Point in the format alias.accesspoint.s3-global.amazonaws.com. For more information, see the documentation on Multi-Region Access Point Requests.
 	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
 
@@ -56,8 +71,8 @@ type MultiRegionAccessPointParameters struct {
 	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// A configuration block containing details about the Multi-Region Access Point. See Details Configuration Block below for more details
-	// +kubebuilder:validation:Required
-	Details []DetailsParameters `json:"details" tf:"details,omitempty"`
+	// +kubebuilder:validation:Optional
+	Details []DetailsParameters `json:"details,omitempty" tf:"details,omitempty"`
 
 	// The Region configuration block to specify the bucket associated with the Multi-Region Access Point. See Region Configuration below for more details.
 	// Region is the region you'd like your resource to be created in.
@@ -67,6 +82,18 @@ type MultiRegionAccessPointParameters struct {
 }
 
 type PublicAccessBlockObservation struct {
+
+	// Whether Amazon S3 should block public ACLs for buckets in this account. Defaults to true. Enabling this setting does not affect existing policies or ACLs. When set to true causes the following behavior:
+	BlockPublicAcls *bool `json:"blockPublicAcls,omitempty" tf:"block_public_acls,omitempty"`
+
+	// Whether Amazon S3 should block public bucket policies for buckets in this account. Defaults to true. Enabling this setting does not affect existing bucket policies. When set to true causes Amazon S3 to:
+	BlockPublicPolicy *bool `json:"blockPublicPolicy,omitempty" tf:"block_public_policy,omitempty"`
+
+	// Whether Amazon S3 should ignore public ACLs for buckets in this account. Defaults to true. Enabling this setting does not affect the persistence of any existing ACLs and doesn't prevent new public ACLs from being set. When set to true causes Amazon S3 to:
+	IgnorePublicAcls *bool `json:"ignorePublicAcls,omitempty" tf:"ignore_public_acls,omitempty"`
+
+	// Whether Amazon S3 should restrict public bucket policies for buckets in this account. Defaults to true. Enabling this setting does not affect previously stored bucket policies, except that public and cross-account access within any public bucket policy, including non-public delegation to specific accounts, is blocked. When set to true:
+	RestrictPublicBuckets *bool `json:"restrictPublicBuckets,omitempty" tf:"restrict_public_buckets,omitempty"`
 }
 
 type PublicAccessBlockParameters struct {
@@ -89,6 +116,9 @@ type PublicAccessBlockParameters struct {
 }
 
 type RegionObservation struct {
+
+	// The name of the associated bucket for the Region.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
 }
 
 type RegionParameters struct {
@@ -132,8 +162,9 @@ type MultiRegionAccessPointStatus struct {
 type MultiRegionAccessPoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MultiRegionAccessPointSpec   `json:"spec"`
-	Status            MultiRegionAccessPointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.details)",message="details is a required parameter"
+	Spec   MultiRegionAccessPointSpec   `json:"spec"`
+	Status MultiRegionAccessPointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3control/v1beta1/zz_multiregionaccesspointpolicy_types.go b/apis/s3control/v1beta1/zz_multiregionaccesspointpolicy_types.go
index b200658300..66b21cfa36 100755
--- a/apis/s3control/v1beta1/zz_multiregionaccesspointpolicy_types.go
+++ b/apis/s3control/v1beta1/zz_multiregionaccesspointpolicy_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type MultiRegionAccessPointPolicyDetailsObservation struct {
+
+	// The name of the Multi-Region Access Point.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A valid JSON document that specifies the policy that you want to associate with this Multi-Region Access Point. Once applied, the policy can be edited, but not deleted. For more information, see the documentation on Multi-Region Access Point Permissions.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type MultiRegionAccessPointPolicyDetailsParameters struct {
@@ -29,6 +35,12 @@ type MultiRegionAccessPointPolicyDetailsParameters struct {
 
 type MultiRegionAccessPointPolicyObservation struct {
 
+	// The AWS account ID for the owner of the Multi-Region Access Point.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// A configuration block containing details about the policy for the Multi-Region Access Point. See Details Configuration Block below for more details
+	Details []MultiRegionAccessPointPolicyDetailsObservation `json:"details,omitempty" tf:"details,omitempty"`
+
 	// The last established policy for the Multi-Region Access Point.
 	Established *string `json:"established,omitempty" tf:"established,omitempty"`
 
@@ -46,8 +58,8 @@ type MultiRegionAccessPointPolicyParameters struct {
 	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// A configuration block containing details about the policy for the Multi-Region Access Point. See Details Configuration Block below for more details
-	// +kubebuilder:validation:Required
-	Details []MultiRegionAccessPointPolicyDetailsParameters `json:"details" tf:"details,omitempty"`
+	// +kubebuilder:validation:Optional
+	Details []MultiRegionAccessPointPolicyDetailsParameters `json:"details,omitempty" tf:"details,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -79,8 +91,9 @@ type MultiRegionAccessPointPolicyStatus struct {
 type MultiRegionAccessPointPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MultiRegionAccessPointPolicySpec   `json:"spec"`
-	Status            MultiRegionAccessPointPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.details)",message="details is a required parameter"
+	Spec   MultiRegionAccessPointPolicySpec   `json:"spec"`
+	Status MultiRegionAccessPointPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3control/v1beta1/zz_objectlambdaaccesspoint_types.go b/apis/s3control/v1beta1/zz_objectlambdaaccesspoint_types.go
index 2eda32cfd5..93c172e899 100755
--- a/apis/s3control/v1beta1/zz_objectlambdaaccesspoint_types.go
+++ b/apis/s3control/v1beta1/zz_objectlambdaaccesspoint_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AwsLambdaObservation struct {
+
+	// The Amazon Resource Name (ARN) of the AWS Lambda function.
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
+
+	// Additional JSON that provides supplemental data to the Lambda function used to transform objects.
+	FunctionPayload *string `json:"functionPayload,omitempty" tf:"function_payload,omitempty"`
 }
 
 type AwsLambdaParameters struct {
@@ -38,6 +44,18 @@ type AwsLambdaParameters struct {
 }
 
 type ConfigurationObservation struct {
+
+	// Allowed features. Valid values: GetObject-Range, GetObject-PartNumber.
+	AllowedFeatures []*string `json:"allowedFeatures,omitempty" tf:"allowed_features,omitempty"`
+
+	// Whether or not the CloudWatch metrics configuration is enabled.
+	CloudWatchMetricsEnabled *bool `json:"cloudWatchMetricsEnabled,omitempty" tf:"cloud_watch_metrics_enabled,omitempty"`
+
+	// Standard access point associated with the Object Lambda Access Point.
+	SupportingAccessPoint *string `json:"supportingAccessPoint,omitempty" tf:"supporting_access_point,omitempty"`
+
+	// List of transformation configurations for the Object Lambda Access Point. See Transformation Configuration below for more details.
+	TransformationConfiguration []TransformationConfigurationObservation `json:"transformationConfiguration,omitempty" tf:"transformation_configuration,omitempty"`
 }
 
 type ConfigurationParameters struct {
@@ -70,6 +88,9 @@ type ConfigurationParameters struct {
 }
 
 type ContentTransformationObservation struct {
+
+	// Configuration for an AWS Lambda function. See AWS Lambda below for more details.
+	AwsLambda []AwsLambdaObservation `json:"awsLambda,omitempty" tf:"aws_lambda,omitempty"`
 }
 
 type ContentTransformationParameters struct {
@@ -81,11 +102,20 @@ type ContentTransformationParameters struct {
 
 type ObjectLambdaAccessPointObservation struct {
 
+	// The AWS account ID for the owner of the bucket for which you want to create an Object Lambda Access Point.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// Amazon Resource Name (ARN) of the Object Lambda Access Point.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A configuration block containing details about the Object Lambda Access Point. See Configuration below for more details.
+	Configuration []ConfigurationObservation `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
 	// The AWS account ID and access point name separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name for this Object Lambda Access Point.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type ObjectLambdaAccessPointParameters struct {
@@ -95,12 +125,12 @@ type ObjectLambdaAccessPointParameters struct {
 	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// A configuration block containing details about the Object Lambda Access Point. See Configuration below for more details.
-	// +kubebuilder:validation:Required
-	Configuration []ConfigurationParameters `json:"configuration" tf:"configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	Configuration []ConfigurationParameters `json:"configuration,omitempty" tf:"configuration,omitempty"`
 
 	// The name for this Object Lambda Access Point.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -109,6 +139,12 @@ type ObjectLambdaAccessPointParameters struct {
 }
 
 type TransformationConfigurationObservation struct {
+
+	// The actions of an Object Lambda Access Point configuration. Valid values: GetObject.
+	Actions []*string `json:"actions,omitempty" tf:"actions,omitempty"`
+
+	// The content transformation of an Object Lambda Access Point configuration. See Content Transformation below for more details.
+	ContentTransformation []ContentTransformationObservation `json:"contentTransformation,omitempty" tf:"content_transformation,omitempty"`
 }
 
 type TransformationConfigurationParameters struct {
@@ -146,8 +182,10 @@ type ObjectLambdaAccessPointStatus struct {
 type ObjectLambdaAccessPoint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ObjectLambdaAccessPointSpec   `json:"spec"`
-	Status            ObjectLambdaAccessPointStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.configuration)",message="configuration is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ObjectLambdaAccessPointSpec   `json:"spec"`
+	Status ObjectLambdaAccessPointStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3control/v1beta1/zz_objectlambdaaccesspointpolicy_types.go b/apis/s3control/v1beta1/zz_objectlambdaaccesspointpolicy_types.go
index abd325aa66..d0750d6f94 100755
--- a/apis/s3control/v1beta1/zz_objectlambdaaccesspointpolicy_types.go
+++ b/apis/s3control/v1beta1/zz_objectlambdaaccesspointpolicy_types.go
@@ -15,11 +15,20 @@ import (
 
 type ObjectLambdaAccessPointPolicyObservation struct {
 
+	// The AWS account ID for the account that owns the Object Lambda Access Point.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// Indicates whether this access point currently has a policy that allows public access.
 	HasPublicAccessPolicy *bool `json:"hasPublicAccessPolicy,omitempty" tf:"has_public_access_policy,omitempty"`
 
 	// The AWS account ID and access point name separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the Object Lambda Access Point.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The Object Lambda Access Point resource policy document.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type ObjectLambdaAccessPointPolicyParameters struct {
@@ -43,8 +52,8 @@ type ObjectLambdaAccessPointPolicyParameters struct {
 	NameSelector *v1.Selector `json:"nameSelector,omitempty" tf:"-"`
 
 	// The Object Lambda Access Point resource policy document.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -76,8 +85,9 @@ type ObjectLambdaAccessPointPolicyStatus struct {
 type ObjectLambdaAccessPointPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ObjectLambdaAccessPointPolicySpec   `json:"spec"`
-	Status            ObjectLambdaAccessPointPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   ObjectLambdaAccessPointPolicySpec   `json:"spec"`
+	Status ObjectLambdaAccessPointPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/s3control/v1beta1/zz_storagelensconfiguration_types.go b/apis/s3control/v1beta1/zz_storagelensconfiguration_types.go
index c6c0383f12..3c57114e80 100755
--- a/apis/s3control/v1beta1/zz_storagelensconfiguration_types.go
+++ b/apis/s3control/v1beta1/zz_storagelensconfiguration_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type AccountLevelDetailedStatusCodeMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type AccountLevelDetailedStatusCodeMetricsParameters struct {
@@ -24,6 +27,21 @@ type AccountLevelDetailedStatusCodeMetricsParameters struct {
 }
 
 type AccountLevelObservation struct {
+
+	// S3 Storage Lens activity metrics. See Activity Metrics below for more details.
+	ActivityMetrics []ActivityMetricsObservation `json:"activityMetrics,omitempty" tf:"activity_metrics,omitempty"`
+
+	// optimization metrics for S3 Storage Lens. See Advanced Cost-Optimization Metrics below for more details.
+	AdvancedCostOptimizationMetrics []AdvancedCostOptimizationMetricsObservation `json:"advancedCostOptimizationMetrics,omitempty" tf:"advanced_cost_optimization_metrics,omitempty"`
+
+	// protection metrics for S3 Storage Lens. See Advanced Data-Protection Metrics below for more details.
+	AdvancedDataProtectionMetrics []AdvancedDataProtectionMetricsObservation `json:"advancedDataProtectionMetrics,omitempty" tf:"advanced_data_protection_metrics,omitempty"`
+
+	// level configuration. See Bucket Level below for more details.
+	BucketLevel []BucketLevelObservation `json:"bucketLevel,omitempty" tf:"bucket_level,omitempty"`
+
+	// Detailed status code metrics for S3 Storage Lens. See Detailed Status Code Metrics below for more details.
+	DetailedStatusCodeMetrics []AccountLevelDetailedStatusCodeMetricsObservation `json:"detailedStatusCodeMetrics,omitempty" tf:"detailed_status_code_metrics,omitempty"`
 }
 
 type AccountLevelParameters struct {
@@ -50,6 +68,9 @@ type AccountLevelParameters struct {
 }
 
 type ActivityMetricsObservation struct {
+
+	// Whether the activity metrics are enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type ActivityMetricsParameters struct {
@@ -60,6 +81,9 @@ type ActivityMetricsParameters struct {
 }
 
 type AdvancedCostOptimizationMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type AdvancedCostOptimizationMetricsParameters struct {
@@ -70,6 +94,9 @@ type AdvancedCostOptimizationMetricsParameters struct {
 }
 
 type AdvancedDataProtectionMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type AdvancedDataProtectionMetricsParameters struct {
@@ -80,6 +107,9 @@ type AdvancedDataProtectionMetricsParameters struct {
 }
 
 type AwsOrgObservation struct {
+
+	// The Amazon Resource Name (ARN) of the bucket.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 }
 
 type AwsOrgParameters struct {
@@ -90,6 +120,9 @@ type AwsOrgParameters struct {
 }
 
 type BucketLevelActivityMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type BucketLevelActivityMetricsParameters struct {
@@ -100,6 +133,9 @@ type BucketLevelActivityMetricsParameters struct {
 }
 
 type BucketLevelAdvancedCostOptimizationMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type BucketLevelAdvancedCostOptimizationMetricsParameters struct {
@@ -110,6 +146,9 @@ type BucketLevelAdvancedCostOptimizationMetricsParameters struct {
 }
 
 type BucketLevelAdvancedDataProtectionMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type BucketLevelAdvancedDataProtectionMetricsParameters struct {
@@ -120,6 +159,21 @@ type BucketLevelAdvancedDataProtectionMetricsParameters struct {
 }
 
 type BucketLevelObservation struct {
+
+	// S3 Storage Lens activity metrics. See Activity Metrics below for more details.
+	ActivityMetrics []BucketLevelActivityMetricsObservation `json:"activityMetrics,omitempty" tf:"activity_metrics,omitempty"`
+
+	// optimization metrics for S3 Storage Lens. See Advanced Cost-Optimization Metrics below for more details.
+	AdvancedCostOptimizationMetrics []BucketLevelAdvancedCostOptimizationMetricsObservation `json:"advancedCostOptimizationMetrics,omitempty" tf:"advanced_cost_optimization_metrics,omitempty"`
+
+	// protection metrics for S3 Storage Lens. See Advanced Data-Protection Metrics below for more details.
+	AdvancedDataProtectionMetrics []BucketLevelAdvancedDataProtectionMetricsObservation `json:"advancedDataProtectionMetrics,omitempty" tf:"advanced_data_protection_metrics,omitempty"`
+
+	// Detailed status code metrics for S3 Storage Lens. See Detailed Status Code Metrics below for more details.
+	DetailedStatusCodeMetrics []DetailedStatusCodeMetricsObservation `json:"detailedStatusCodeMetrics,omitempty" tf:"detailed_status_code_metrics,omitempty"`
+
+	// level metrics for S3 Storage Lens. See Prefix Level below for more details.
+	PrefixLevel []PrefixLevelObservation `json:"prefixLevel,omitempty" tf:"prefix_level,omitempty"`
 }
 
 type BucketLevelParameters struct {
@@ -146,6 +200,9 @@ type BucketLevelParameters struct {
 }
 
 type CloudWatchMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type CloudWatchMetricsParameters struct {
@@ -156,6 +213,12 @@ type CloudWatchMetricsParameters struct {
 }
 
 type DataExportObservation struct {
+
+	// Amazon CloudWatch publishing for S3 Storage Lens metrics. See Cloud Watch Metrics below for more details.
+	CloudWatchMetrics []CloudWatchMetricsObservation `json:"cloudWatchMetrics,omitempty" tf:"cloud_watch_metrics,omitempty"`
+
+	// The bucket where the S3 Storage Lens metrics export will be located. See S3 Bucket Destination below for more details.
+	S3BucketDestination []S3BucketDestinationObservation `json:"s3BucketDestination,omitempty" tf:"s3_bucket_destination,omitempty"`
 }
 
 type DataExportParameters struct {
@@ -170,6 +233,9 @@ type DataExportParameters struct {
 }
 
 type DetailedStatusCodeMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type DetailedStatusCodeMetricsParameters struct {
@@ -180,6 +246,12 @@ type DetailedStatusCodeMetricsParameters struct {
 }
 
 type EncryptionObservation struct {
+
+	// KMS encryption. See SSE KMS below for more details.
+	SseKMS []SseKMSObservation `json:"sseKms,omitempty" tf:"sse_kms,omitempty"`
+
+	// S3 encryption. An empty configuration block {} should be used.
+	SseS3 []SseS3Parameters `json:"sseS3,omitempty" tf:"sse_s3,omitempty"`
 }
 
 type EncryptionParameters struct {
@@ -194,6 +266,12 @@ type EncryptionParameters struct {
 }
 
 type ExcludeObservation struct {
+
+	// List of S3 bucket ARNs.
+	Buckets []*string `json:"buckets,omitempty" tf:"buckets,omitempty"`
+
+	// List of AWS Regions.
+	Regions []*string `json:"regions,omitempty" tf:"regions,omitempty"`
 }
 
 type ExcludeParameters struct {
@@ -208,6 +286,12 @@ type ExcludeParameters struct {
 }
 
 type IncludeObservation struct {
+
+	// List of S3 bucket ARNs.
+	Buckets []*string `json:"buckets,omitempty" tf:"buckets,omitempty"`
+
+	// List of AWS Regions.
+	Regions []*string `json:"regions,omitempty" tf:"regions,omitempty"`
 }
 
 type IncludeParameters struct {
@@ -222,6 +306,9 @@ type IncludeParameters struct {
 }
 
 type PrefixLevelObservation struct {
+
+	// level storage metrics for S3 Storage Lens. See Prefix Level Storage Metrics below for more details.
+	StorageMetrics []StorageMetricsObservation `json:"storageMetrics,omitempty" tf:"storage_metrics,omitempty"`
 }
 
 type PrefixLevelParameters struct {
@@ -232,6 +319,24 @@ type PrefixLevelParameters struct {
 }
 
 type S3BucketDestinationObservation struct {
+
+	// The account ID of the owner of the S3 Storage Lens metrics export bucket.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the bucket.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Encryption of the metrics exports in this bucket. See Encryption below for more details.
+	Encryption []EncryptionObservation `json:"encryption,omitempty" tf:"encryption,omitempty"`
+
+	// The export format. Valid values: CSV, Parquet.
+	Format *string `json:"format,omitempty" tf:"format,omitempty"`
+
+	// The schema version of the export file. Valid values: V_1.
+	OutputSchemaVersion *string `json:"outputSchemaVersion,omitempty" tf:"output_schema_version,omitempty"`
+
+	// The prefix of the destination bucket where the metrics export will be delivered.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type S3BucketDestinationParameters struct {
@@ -272,6 +377,15 @@ type S3BucketDestinationParameters struct {
 }
 
 type SelectionCriteriaObservation struct {
+
+	// The delimiter of the selection criteria being used.
+	Delimiter *string `json:"delimiter,omitempty" tf:"delimiter,omitempty"`
+
+	// The max depth of the selection criteria.
+	MaxDepth *float64 `json:"maxDepth,omitempty" tf:"max_depth,omitempty"`
+
+	// The minimum number of storage bytes percentage whose metrics will be selected.
+	MinStorageBytesPercentage *float64 `json:"minStorageBytesPercentage,omitempty" tf:"min_storage_bytes_percentage,omitempty"`
 }
 
 type SelectionCriteriaParameters struct {
@@ -290,6 +404,9 @@ type SelectionCriteriaParameters struct {
 }
 
 type SseKMSObservation struct {
+
+	// KMS key ARN.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
 }
 
 type SseKMSParameters struct {
@@ -307,11 +424,23 @@ type SseS3Parameters struct {
 
 type StorageLensConfigurationObservation struct {
 
+	// The AWS account ID for the S3 Storage Lens configuration.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
 	// Amazon Resource Name (ARN) of the S3 Storage Lens configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of the S3 Storage Lens configuration.
+	ConfigID *string `json:"configId,omitempty" tf:"config_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The S3 Storage Lens configuration. See Storage Lens Configuration below for more details.
+	StorageLensConfiguration []StorageLensConfigurationStorageLensConfigurationObservation `json:"storageLensConfiguration,omitempty" tf:"storage_lens_configuration,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -323,8 +452,8 @@ type StorageLensConfigurationParameters struct {
 	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// The ID of the S3 Storage Lens configuration.
-	// +kubebuilder:validation:Required
-	ConfigID *string `json:"configId" tf:"config_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	ConfigID *string `json:"configId,omitempty" tf:"config_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -332,8 +461,8 @@ type StorageLensConfigurationParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The S3 Storage Lens configuration. See Storage Lens Configuration below for more details.
-	// +kubebuilder:validation:Required
-	StorageLensConfiguration []StorageLensConfigurationStorageLensConfigurationParameters `json:"storageLensConfiguration" tf:"storage_lens_configuration,omitempty"`
+	// +kubebuilder:validation:Optional
+	StorageLensConfiguration []StorageLensConfigurationStorageLensConfigurationParameters `json:"storageLensConfiguration,omitempty" tf:"storage_lens_configuration,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -341,6 +470,24 @@ type StorageLensConfigurationParameters struct {
 }
 
 type StorageLensConfigurationStorageLensConfigurationObservation struct {
+
+	// level configurations of the S3 Storage Lens configuration. See Account Level below for more details.
+	AccountLevel []AccountLevelObservation `json:"accountLevel,omitempty" tf:"account_level,omitempty"`
+
+	// The Amazon Web Services organization for the S3 Storage Lens configuration. See AWS Org below for more details.
+	AwsOrg []AwsOrgObservation `json:"awsOrg,omitempty" tf:"aws_org,omitempty"`
+
+	// Properties of S3 Storage Lens metrics export including the destination, schema and format. See Data Export below for more details.
+	DataExport []DataExportObservation `json:"dataExport,omitempty" tf:"data_export,omitempty"`
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// What is excluded in this configuration. Conflicts with include. See Exclude below for more details.
+	Exclude []ExcludeObservation `json:"exclude,omitempty" tf:"exclude,omitempty"`
+
+	// What is included in this configuration. Conflicts with exclude. See Include below for more details.
+	Include []IncludeObservation `json:"include,omitempty" tf:"include,omitempty"`
 }
 
 type StorageLensConfigurationStorageLensConfigurationParameters struct {
@@ -371,6 +518,12 @@ type StorageLensConfigurationStorageLensConfigurationParameters struct {
 }
 
 type StorageMetricsObservation struct {
+
+	// Whether the S3 Storage Lens configuration is enabled.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Selection criteria. See Selection Criteria below for more details.
+	SelectionCriteria []SelectionCriteriaObservation `json:"selectionCriteria,omitempty" tf:"selection_criteria,omitempty"`
 }
 
 type StorageMetricsParameters struct {
@@ -408,8 +561,10 @@ type StorageLensConfigurationStatus struct {
 type StorageLensConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StorageLensConfigurationSpec   `json:"spec"`
-	Status            StorageLensConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.configId)",message="configId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageLensConfiguration)",message="storageLensConfiguration is a required parameter"
+	Spec   StorageLensConfigurationSpec   `json:"spec"`
+	Status StorageLensConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_app_types.go b/apis/sagemaker/v1beta1/zz_app_types.go
index 5bb0c2cd49..7bd337ab96 100755
--- a/apis/sagemaker/v1beta1/zz_app_types.go
+++ b/apis/sagemaker/v1beta1/zz_app_types.go
@@ -15,25 +15,46 @@ import (
 
 type AppObservation struct {
 
+	// The name of the app.
+	AppName *string `json:"appName,omitempty" tf:"app_name,omitempty"`
+
+	// The type of app. Valid values are JupyterServer, KernelGateway, RStudioServerPro, RSessionGateway and TensorBoard.
+	AppType *string `json:"appType,omitempty" tf:"app_type,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the app.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The domain ID.
+	DomainID *string `json:"domainId,omitempty" tf:"domain_id,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the app.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance.See Resource Spec below.
+	ResourceSpec []ResourceSpecObservation `json:"resourceSpec,omitempty" tf:"resource_spec,omitempty"`
+
+	// The name of the space. At least on of user_profile_name or space_name required.
+	SpaceName *string `json:"spaceName,omitempty" tf:"space_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The user profile name. At least on of user_profile_name or space_name required.
+	UserProfileName *string `json:"userProfileName,omitempty" tf:"user_profile_name,omitempty"`
 }
 
 type AppParameters struct {
 
 	// The name of the app.
-	// +kubebuilder:validation:Required
-	AppName *string `json:"appName" tf:"app_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	AppName *string `json:"appName,omitempty" tf:"app_name,omitempty"`
 
 	// The type of app. Valid values are JupyterServer, KernelGateway, RStudioServerPro, RSessionGateway and TensorBoard.
-	// +kubebuilder:validation:Required
-	AppType *string `json:"appType" tf:"app_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	AppType *string `json:"appType,omitempty" tf:"app_type,omitempty"`
 
 	// The domain ID.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/sagemaker/v1beta1.Domain
@@ -82,6 +103,18 @@ type AppParameters struct {
 }
 
 type ResourceSpecObservation struct {
+
+	// The instance type that the image version runs on. For valid values see SageMaker Instance Types.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The ARN of the SageMaker image that the image version belongs to.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type ResourceSpecParameters struct {
@@ -127,8 +160,10 @@ type AppStatus struct {
 type App struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              AppSpec   `json:"spec"`
-	Status            AppStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.appName)",message="appName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.appType)",message="appType is a required parameter"
+	Spec   AppSpec   `json:"spec"`
+	Status AppStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_appimageconfig_types.go b/apis/sagemaker/v1beta1/zz_appimageconfig_types.go
index 4cb062c38a..b77e117eb9 100755
--- a/apis/sagemaker/v1beta1/zz_appimageconfig_types.go
+++ b/apis/sagemaker/v1beta1/zz_appimageconfig_types.go
@@ -21,6 +21,12 @@ type AppImageConfigObservation struct {
 	// The name of the App Image Config.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The configuration for the file system and kernels in a SageMaker image running as a KernelGateway app. See Kernel Gateway Image Config details below.
+	KernelGatewayImageConfig []KernelGatewayImageConfigObservation `json:"kernelGatewayImageConfig,omitempty" tf:"kernel_gateway_image_config,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -42,6 +48,15 @@ type AppImageConfigParameters struct {
 }
 
 type FileSystemConfigObservation struct {
+
+	// The default POSIX group ID (GID). If not specified, defaults to 100. Valid values are 0 and 100.
+	DefaultGID *float64 `json:"defaultGid,omitempty" tf:"default_gid,omitempty"`
+
+	// The default POSIX user ID (UID). If not specified, defaults to 1000. Valid values are 0 and 1000.
+	DefaultUID *float64 `json:"defaultUid,omitempty" tf:"default_uid,omitempty"`
+
+	// The path within the image to mount the user's EFS home directory. The directory should be empty. If not specified, defaults to /home/sagemaker-user.
+	MountPath *string `json:"mountPath,omitempty" tf:"mount_path,omitempty"`
 }
 
 type FileSystemConfigParameters struct {
@@ -60,6 +75,12 @@ type FileSystemConfigParameters struct {
 }
 
 type KernelGatewayImageConfigObservation struct {
+
+	// The URL where the Git repository is located. See File System Config details below.
+	FileSystemConfig []FileSystemConfigObservation `json:"fileSystemConfig,omitempty" tf:"file_system_config,omitempty"`
+
+	// The default branch for the Git repository. See Kernel Spec details below.
+	KernelSpec []KernelSpecObservation `json:"kernelSpec,omitempty" tf:"kernel_spec,omitempty"`
 }
 
 type KernelGatewayImageConfigParameters struct {
@@ -74,6 +95,12 @@ type KernelGatewayImageConfigParameters struct {
 }
 
 type KernelSpecObservation struct {
+
+	// The display name of the kernel.
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// The name of the kernel.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type KernelSpecParameters struct {
diff --git a/apis/sagemaker/v1beta1/zz_coderepository_types.go b/apis/sagemaker/v1beta1/zz_coderepository_types.go
index b4c73fbe1f..528910bfce 100755
--- a/apis/sagemaker/v1beta1/zz_coderepository_types.go
+++ b/apis/sagemaker/v1beta1/zz_coderepository_types.go
@@ -18,9 +18,15 @@ type CodeRepositoryObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this Code Repository.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies details about the repository. see Git Config details below.
+	GitConfig []GitConfigObservation `json:"gitConfig,omitempty" tf:"git_config,omitempty"`
+
 	// The name of the Code Repository.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,8 +34,8 @@ type CodeRepositoryObservation struct {
 type CodeRepositoryParameters struct {
 
 	// Specifies details about the repository. see Git Config details below.
-	// +kubebuilder:validation:Required
-	GitConfig []GitConfigParameters `json:"gitConfig" tf:"git_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	GitConfig []GitConfigParameters `json:"gitConfig,omitempty" tf:"git_config,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -42,6 +48,15 @@ type CodeRepositoryParameters struct {
 }
 
 type GitConfigObservation struct {
+
+	// The default branch for the Git repository.
+	Branch *string `json:"branch,omitempty" tf:"branch,omitempty"`
+
+	// The URL where the Git repository is located.
+	RepositoryURL *string `json:"repositoryUrl,omitempty" tf:"repository_url,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the credentials used to access the git repository. The secret must have a staging label of AWSCURRENT and must be in the following format: {"username": UserName, "password": Password}
+	SecretArn *string `json:"secretArn,omitempty" tf:"secret_arn,omitempty"`
 }
 
 type GitConfigParameters struct {
@@ -93,8 +108,9 @@ type CodeRepositoryStatus struct {
 type CodeRepository struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CodeRepositorySpec   `json:"spec"`
-	Status            CodeRepositoryStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.gitConfig)",message="gitConfig is a required parameter"
+	Spec   CodeRepositorySpec   `json:"spec"`
+	Status CodeRepositoryStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_device_types.go b/apis/sagemaker/v1beta1/zz_device_types.go
index 60fa9c231d..76daa6de67 100755
--- a/apis/sagemaker/v1beta1/zz_device_types.go
+++ b/apis/sagemaker/v1beta1/zz_device_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type DeviceDeviceObservation struct {
+
+	// A description for the device.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The name of the device.
+	DeviceName *string `json:"deviceName,omitempty" tf:"device_name,omitempty"`
+
+	// Amazon Web Services Internet of Things (IoT) object name.
+	IotThingName *string `json:"iotThingName,omitempty" tf:"iot_thing_name,omitempty"`
 }
 
 type DeviceDeviceParameters struct {
@@ -37,6 +46,12 @@ type DeviceObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this Device.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The device to register with SageMaker Edge Manager. See Device details below.
+	Device []DeviceDeviceObservation `json:"device,omitempty" tf:"device,omitempty"`
+
+	// The name of the Device Fleet.
+	DeviceFleetName *string `json:"deviceFleetName,omitempty" tf:"device_fleet_name,omitempty"`
+
 	// The id is constructed from device-fleet-name/device-name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -44,8 +59,8 @@ type DeviceObservation struct {
 type DeviceParameters struct {
 
 	// The device to register with SageMaker Edge Manager. See Device details below.
-	// +kubebuilder:validation:Required
-	Device []DeviceDeviceParameters `json:"device" tf:"device,omitempty"`
+	// +kubebuilder:validation:Optional
+	Device []DeviceDeviceParameters `json:"device,omitempty" tf:"device,omitempty"`
 
 	// The name of the Device Fleet.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/sagemaker/v1beta1.DeviceFleet
@@ -90,8 +105,9 @@ type DeviceStatus struct {
 type Device struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DeviceSpec   `json:"spec"`
-	Status            DeviceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.device)",message="device is a required parameter"
+	Spec   DeviceSpec   `json:"spec"`
+	Status DeviceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_devicefleet_types.go b/apis/sagemaker/v1beta1/zz_devicefleet_types.go
index 7f7e0324a9..2f291cd6a9 100755
--- a/apis/sagemaker/v1beta1/zz_devicefleet_types.go
+++ b/apis/sagemaker/v1beta1/zz_devicefleet_types.go
@@ -18,11 +18,26 @@ type DeviceFleetObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this Device Fleet.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A description of the fleet.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether to create an AWS IoT Role Alias during device fleet creation. The name of the role alias generated will match this pattern: "SageMakerEdge-{DeviceFleetName}".
+	EnableIotRoleAlias *bool `json:"enableIotRoleAlias,omitempty" tf:"enable_iot_role_alias,omitempty"`
+
 	// The name of the Device Fleet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	IotRoleAlias *string `json:"iotRoleAlias,omitempty" tf:"iot_role_alias,omitempty"`
 
+	// Specifies details about the repository. see Output Config details below.
+	OutputConfig []OutputConfigObservation `json:"outputConfig,omitempty" tf:"output_config,omitempty"`
+
+	// The Amazon Resource Name (ARN) that has access to AWS Internet of Things (IoT).
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -38,8 +53,8 @@ type DeviceFleetParameters struct {
 	EnableIotRoleAlias *bool `json:"enableIotRoleAlias,omitempty" tf:"enable_iot_role_alias,omitempty"`
 
 	// Specifies details about the repository. see Output Config details below.
-	// +kubebuilder:validation:Required
-	OutputConfig []OutputConfigParameters `json:"outputConfig" tf:"output_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	OutputConfig []OutputConfigParameters `json:"outputConfig,omitempty" tf:"output_config,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -66,6 +81,12 @@ type DeviceFleetParameters struct {
 }
 
 type OutputConfigObservation struct {
+
+	// The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt data on the storage volume after compilation job. If you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key for Amazon S3 for your role's account.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The Amazon Simple Storage (S3) bucker URI.
+	S3OutputLocation *string `json:"s3OutputLocation,omitempty" tf:"s3_output_location,omitempty"`
 }
 
 type OutputConfigParameters struct {
@@ -103,8 +124,9 @@ type DeviceFleetStatus struct {
 type DeviceFleet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DeviceFleetSpec   `json:"spec"`
-	Status            DeviceFleetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outputConfig)",message="outputConfig is a required parameter"
+	Spec   DeviceFleetSpec   `json:"spec"`
+	Status DeviceFleetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_domain_types.go b/apis/sagemaker/v1beta1/zz_domain_types.go
index 21576d979b..626bf3d936 100755
--- a/apis/sagemaker/v1beta1/zz_domain_types.go
+++ b/apis/sagemaker/v1beta1/zz_domain_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type CanvasAppSettingsObservation struct {
+
+	// Time series forecast settings for the Canvas app. see Time Series Forecasting Settings below.
+	TimeSeriesForecastingSettings []TimeSeriesForecastingSettingsObservation `json:"timeSeriesForecastingSettings,omitempty" tf:"time_series_forecasting_settings,omitempty"`
 }
 
 type CanvasAppSettingsParameters struct {
@@ -24,6 +27,15 @@ type CanvasAppSettingsParameters struct {
 }
 
 type CustomImageObservation struct {
+
+	// The name of the App Image Config.
+	AppImageConfigName *string `json:"appImageConfigName,omitempty" tf:"app_image_config_name,omitempty"`
+
+	// The name of the Custom Image.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
+	// The version number of the Custom Image.
+	ImageVersionNumber *float64 `json:"imageVersionNumber,omitempty" tf:"image_version_number,omitempty"`
 }
 
 type CustomImageParameters struct {
@@ -42,6 +54,18 @@ type CustomImageParameters struct {
 }
 
 type DefaultResourceSpecObservation struct {
+
+	// The instance type that the image version runs on.. For valid values see SageMaker Instance Types.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The ARN of the SageMaker image that the image version belongs to.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type DefaultResourceSpecParameters struct {
@@ -64,6 +88,18 @@ type DefaultResourceSpecParameters struct {
 }
 
 type DefaultSpaceSettingsObservation struct {
+
+	// The execution role for the space.
+	ExecutionRole *string `json:"executionRole,omitempty" tf:"execution_role,omitempty"`
+
+	// The Jupyter server's app settings. See Jupyter Server App Settings below.
+	JupyterServerAppSettings []JupyterServerAppSettingsObservation `json:"jupyterServerAppSettings,omitempty" tf:"jupyter_server_app_settings,omitempty"`
+
+	// The kernel gateway app settings. See Kernel Gateway App Settings below.
+	KernelGatewayAppSettings []KernelGatewayAppSettingsObservation `json:"kernelGatewayAppSettings,omitempty" tf:"kernel_gateway_app_settings,omitempty"`
+
+	// The security groups for the Amazon Virtual Private Cloud that the space uses for communication.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
 }
 
 type DefaultSpaceSettingsParameters struct {
@@ -86,6 +122,9 @@ type DefaultSpaceSettingsParameters struct {
 }
 
 type DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryObservation struct {
+
+	// The URL of the Git repository.
+	RepositoryURL *string `json:"repositoryUrl,omitempty" tf:"repository_url,omitempty"`
 }
 
 type DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryParameters struct {
@@ -96,6 +135,15 @@ type DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryParameters struct
 }
 
 type DefaultUserSettingsJupyterServerAppSettingsObservation struct {
+
+	// A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below.
+	CodeRepository []DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryObservation `json:"codeRepository,omitempty" tf:"code_repository,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []JupyterServerAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type DefaultUserSettingsJupyterServerAppSettingsParameters struct {
@@ -114,6 +162,18 @@ type DefaultUserSettingsJupyterServerAppSettingsParameters struct {
 }
 
 type DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type that the image version runs on.. For valid values see SageMaker Instance Types.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The ARN of the SageMaker image that the image version belongs to.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters struct {
@@ -136,6 +196,15 @@ type DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters st
 }
 
 type DefaultUserSettingsKernelGatewayAppSettingsObservation struct {
+
+	// A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below.
+	CustomImage []KernelGatewayAppSettingsCustomImageObservation `json:"customImage,omitempty" tf:"custom_image,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type DefaultUserSettingsKernelGatewayAppSettingsParameters struct {
@@ -154,6 +223,30 @@ type DefaultUserSettingsKernelGatewayAppSettingsParameters struct {
 }
 
 type DefaultUserSettingsObservation struct {
+
+	// The Canvas app settings. See Canvas App Settings below.
+	CanvasAppSettings []CanvasAppSettingsObservation `json:"canvasAppSettings,omitempty" tf:"canvas_app_settings,omitempty"`
+
+	// The execution role ARN for the user.
+	ExecutionRole *string `json:"executionRole,omitempty" tf:"execution_role,omitempty"`
+
+	// The Jupyter server's app settings. See Jupyter Server App Settings below.
+	JupyterServerAppSettings []DefaultUserSettingsJupyterServerAppSettingsObservation `json:"jupyterServerAppSettings,omitempty" tf:"jupyter_server_app_settings,omitempty"`
+
+	// The kernel gateway app settings. See Kernel Gateway App Settings below.
+	KernelGatewayAppSettings []DefaultUserSettingsKernelGatewayAppSettingsObservation `json:"kernelGatewayAppSettings,omitempty" tf:"kernel_gateway_app_settings,omitempty"`
+
+	// The RSession app settings. See RSession App Settings below.
+	RSessionAppSettings []RSessionAppSettingsObservation `json:"rSessionAppSettings,omitempty" tf:"r_session_app_settings,omitempty"`
+
+	// A list of security group IDs that will be attached to the user.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The sharing settings. See Sharing Settings below.
+	SharingSettings []SharingSettingsObservation `json:"sharingSettings,omitempty" tf:"sharing_settings,omitempty"`
+
+	// The TensorBoard app settings. See TensorBoard App Settings below.
+	TensorBoardAppSettings []TensorBoardAppSettingsObservation `json:"tensorBoardAppSettings,omitempty" tf:"tensor_board_app_settings,omitempty"`
 }
 
 type DefaultUserSettingsParameters struct {
@@ -203,26 +296,61 @@ type DefaultUserSettingsParameters struct {
 
 type DomainObservation struct {
 
+	// Specifies the VPC used for non-EFS traffic. The default value is PublicInternetOnly. Valid values are PublicInternetOnly and VpcOnly.
+	AppNetworkAccessType *string `json:"appNetworkAccessType,omitempty" tf:"app_network_access_type,omitempty"`
+
+	// The entity that creates and manages the required security groups for inter-app communication in VPCOnly mode. Valid values are Service and Customer.* domain_settings -  The domain settings. See Domain Settings below.
+	AppSecurityGroupManagement *string `json:"appSecurityGroupManagement,omitempty" tf:"app_security_group_management,omitempty"`
+
 	// The Amazon Resource Name (ARN) assigned by AWS to this Domain.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The mode of authentication that members use to access the domain. Valid values are IAM and SSO.
+	AuthMode *string `json:"authMode,omitempty" tf:"auth_mode,omitempty"`
+
+	// The default space settings. See Default Space Settings below.
+	DefaultSpaceSettings []DefaultSpaceSettingsObservation `json:"defaultSpaceSettings,omitempty" tf:"default_space_settings,omitempty"`
+
+	// The default user settings. See Default User Settings below.* domain_name -  The domain name.
+	DefaultUserSettings []DefaultUserSettingsObservation `json:"defaultUserSettings,omitempty" tf:"default_user_settings,omitempty"`
+
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
+
+	// The domain's settings.
+	DomainSettings []DomainSettingsObservation `json:"domainSettings,omitempty" tf:"domain_settings,omitempty"`
+
 	// The ID of the Amazon Elastic File System (EFS) managed by this Domain.
 	HomeEFSFileSystemID *string `json:"homeEfsFileSystemId,omitempty" tf:"home_efs_file_system_id,omitempty"`
 
 	// The ID of the Domain.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The AWS KMS customer managed CMK used to encrypt the EFS volume attached to the domain.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The retention policy for this domain, which specifies whether resources will be retained after the Domain is deleted. By default, all resources are retained. See Retention Policy below.
+	RetentionPolicy []RetentionPolicyObservation `json:"retentionPolicy,omitempty" tf:"retention_policy,omitempty"`
+
 	// The ID of the security group that authorizes traffic between the RSessionGateway apps and the RStudioServerPro app.
 	SecurityGroupIDForDomainBoundary *string `json:"securityGroupIdForDomainBoundary,omitempty" tf:"security_group_id_for_domain_boundary,omitempty"`
 
 	// The SSO managed application instance ID.
 	SingleSignOnManagedApplicationInstanceID *string `json:"singleSignOnManagedApplicationInstanceId,omitempty" tf:"single_sign_on_managed_application_instance_id,omitempty"`
 
+	// The VPC subnets that Studio uses for communication.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The domain's URL.
 	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// The ID of the Amazon Virtual Private Cloud (VPC) that Studio uses for communication.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type DomainParameters struct {
@@ -236,19 +364,19 @@ type DomainParameters struct {
 	AppSecurityGroupManagement *string `json:"appSecurityGroupManagement,omitempty" tf:"app_security_group_management,omitempty"`
 
 	// The mode of authentication that members use to access the domain. Valid values are IAM and SSO.
-	// +kubebuilder:validation:Required
-	AuthMode *string `json:"authMode" tf:"auth_mode,omitempty"`
+	// +kubebuilder:validation:Optional
+	AuthMode *string `json:"authMode,omitempty" tf:"auth_mode,omitempty"`
 
 	// The default space settings. See Default Space Settings below.
 	// +kubebuilder:validation:Optional
 	DefaultSpaceSettings []DefaultSpaceSettingsParameters `json:"defaultSpaceSettings,omitempty" tf:"default_space_settings,omitempty"`
 
 	// The default user settings. See Default User Settings below.* domain_name -  The domain name.
-	// +kubebuilder:validation:Required
-	DefaultUserSettings []DefaultUserSettingsParameters `json:"defaultUserSettings" tf:"default_user_settings,omitempty"`
+	// +kubebuilder:validation:Optional
+	DefaultUserSettings []DefaultUserSettingsParameters `json:"defaultUserSettings,omitempty" tf:"default_user_settings,omitempty"`
 
-	// +kubebuilder:validation:Required
-	DomainName *string `json:"domainName" tf:"domain_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	DomainName *string `json:"domainName,omitempty" tf:"domain_name,omitempty"`
 
 	// The domain's settings.
 	// +kubebuilder:validation:Optional
@@ -310,6 +438,12 @@ type DomainParameters struct {
 }
 
 type DomainSettingsObservation struct {
+
+	// The configuration for attaching a SageMaker user profile name to the execution role as a sts:SourceIdentity key AWS Docs. Valid values are USER_PROFILE_NAME and DISABLED.
+	ExecutionRoleIdentityConfig *string `json:"executionRoleIdentityConfig,omitempty" tf:"execution_role_identity_config,omitempty"`
+
+	// The security groups for the Amazon Virtual Private Cloud that the Domain uses for communication between Domain-level apps and user apps.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
 }
 
 type DomainSettingsParameters struct {
@@ -324,6 +458,9 @@ type DomainSettingsParameters struct {
 }
 
 type JupyterServerAppSettingsCodeRepositoryObservation struct {
+
+	// The URL of the Git repository.
+	RepositoryURL *string `json:"repositoryUrl,omitempty" tf:"repository_url,omitempty"`
 }
 
 type JupyterServerAppSettingsCodeRepositoryParameters struct {
@@ -334,6 +471,18 @@ type JupyterServerAppSettingsCodeRepositoryParameters struct {
 }
 
 type JupyterServerAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type that the image version runs on.. For valid values see SageMaker Instance Types.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The ARN of the SageMaker image that the image version belongs to.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type JupyterServerAppSettingsDefaultResourceSpecParameters struct {
@@ -356,6 +505,15 @@ type JupyterServerAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type JupyterServerAppSettingsObservation struct {
+
+	// A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below.
+	CodeRepository []JupyterServerAppSettingsCodeRepositoryObservation `json:"codeRepository,omitempty" tf:"code_repository,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []DefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type JupyterServerAppSettingsParameters struct {
@@ -374,6 +532,15 @@ type JupyterServerAppSettingsParameters struct {
 }
 
 type KernelGatewayAppSettingsCustomImageObservation struct {
+
+	// The name of the App Image Config.
+	AppImageConfigName *string `json:"appImageConfigName,omitempty" tf:"app_image_config_name,omitempty"`
+
+	// The name of the Custom Image.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
+	// The version number of the Custom Image.
+	ImageVersionNumber *float64 `json:"imageVersionNumber,omitempty" tf:"image_version_number,omitempty"`
 }
 
 type KernelGatewayAppSettingsCustomImageParameters struct {
@@ -411,6 +578,18 @@ type KernelGatewayAppSettingsCustomImageParameters struct {
 }
 
 type KernelGatewayAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type that the image version runs on.. For valid values see SageMaker Instance Types.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The ARN of the SageMaker image that the image version belongs to.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type KernelGatewayAppSettingsDefaultResourceSpecParameters struct {
@@ -433,6 +612,15 @@ type KernelGatewayAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type KernelGatewayAppSettingsObservation struct {
+
+	// A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below.
+	CustomImage []CustomImageObservation `json:"customImage,omitempty" tf:"custom_image,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []KernelGatewayAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type KernelGatewayAppSettingsParameters struct {
@@ -451,6 +639,15 @@ type KernelGatewayAppSettingsParameters struct {
 }
 
 type RSessionAppSettingsCustomImageObservation struct {
+
+	// The name of the App Image Config.
+	AppImageConfigName *string `json:"appImageConfigName,omitempty" tf:"app_image_config_name,omitempty"`
+
+	// The name of the Custom Image.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
+	// The version number of the Custom Image.
+	ImageVersionNumber *float64 `json:"imageVersionNumber,omitempty" tf:"image_version_number,omitempty"`
 }
 
 type RSessionAppSettingsCustomImageParameters struct {
@@ -469,6 +666,18 @@ type RSessionAppSettingsCustomImageParameters struct {
 }
 
 type RSessionAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type that the image version runs on.. For valid values see SageMaker Instance Types.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The ARN of the SageMaker image that the image version belongs to.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type RSessionAppSettingsDefaultResourceSpecParameters struct {
@@ -491,6 +700,12 @@ type RSessionAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type RSessionAppSettingsObservation struct {
+
+	// A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below.
+	CustomImage []RSessionAppSettingsCustomImageObservation `json:"customImage,omitempty" tf:"custom_image,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []RSessionAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
 }
 
 type RSessionAppSettingsParameters struct {
@@ -505,6 +720,9 @@ type RSessionAppSettingsParameters struct {
 }
 
 type RetentionPolicyObservation struct {
+
+	// The retention policy for data stored on an Amazon Elastic File System (EFS) volume. Valid values are Retain or Delete.  Default value is Retain.
+	HomeEFSFileSystem *string `json:"homeEfsFileSystem,omitempty" tf:"home_efs_file_system,omitempty"`
 }
 
 type RetentionPolicyParameters struct {
@@ -515,6 +733,15 @@ type RetentionPolicyParameters struct {
 }
 
 type SharingSettingsObservation struct {
+
+	// Whether to include the notebook cell output when sharing the notebook. The default is Disabled. Valid values are Allowed and Disabled.
+	NotebookOutputOption *string `json:"notebookOutputOption,omitempty" tf:"notebook_output_option,omitempty"`
+
+	// When notebook_output_option is Allowed, the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket.
+	S3KMSKeyID *string `json:"s3KmsKeyId,omitempty" tf:"s3_kms_key_id,omitempty"`
+
+	// When notebook_output_option is Allowed, the Amazon S3 bucket used to save the notebook cell output.
+	S3OutputPath *string `json:"s3OutputPath,omitempty" tf:"s3_output_path,omitempty"`
 }
 
 type SharingSettingsParameters struct {
@@ -533,6 +760,18 @@ type SharingSettingsParameters struct {
 }
 
 type TensorBoardAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type that the image version runs on.. For valid values see SageMaker Instance Types.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The ARN of the SageMaker image that the image version belongs to.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type TensorBoardAppSettingsDefaultResourceSpecParameters struct {
@@ -555,6 +794,9 @@ type TensorBoardAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type TensorBoardAppSettingsObservation struct {
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []TensorBoardAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
 }
 
 type TensorBoardAppSettingsParameters struct {
@@ -565,6 +807,12 @@ type TensorBoardAppSettingsParameters struct {
 }
 
 type TimeSeriesForecastingSettingsObservation struct {
+
+	// The IAM role that Canvas passes to Amazon Forecast for time series forecasting. By default, Canvas uses the execution role specified in the UserProfile that launches the Canvas app. If an execution role is not specified in the UserProfile, Canvas uses the execution role specified in the Domain that owns the UserProfile. To allow time series forecasting, this IAM role should have the AmazonSageMakerCanvasForecastAccess policy attached and forecast.amazonaws.com added in the trust relationship as a service principal.
+	AmazonForecastRoleArn *string `json:"amazonForecastRoleArn,omitempty" tf:"amazon_forecast_role_arn,omitempty"`
+
+	// Describes whether time series forecasting is enabled or disabled in the Canvas app. Valid values are ENABLED and DISABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type TimeSeriesForecastingSettingsParameters struct {
@@ -602,8 +850,11 @@ type DomainStatus struct {
 type Domain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainSpec   `json:"spec"`
-	Status            DomainStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authMode)",message="authMode is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultUserSettings)",message="defaultUserSettings is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)",message="domainName is a required parameter"
+	Spec   DomainSpec   `json:"spec"`
+	Status DomainStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_endpointconfiguration_types.go b/apis/sagemaker/v1beta1/zz_endpointconfiguration_types.go
index bfa3adf2fe..739bbd6f49 100755
--- a/apis/sagemaker/v1beta1/zz_endpointconfiguration_types.go
+++ b/apis/sagemaker/v1beta1/zz_endpointconfiguration_types.go
@@ -14,9 +14,24 @@ import (
 )
 
 type AsyncInferenceConfigObservation struct {
+
+	// Configures the behavior of the client used by Amazon SageMaker to interact with the model container during asynchronous inference.
+	ClientConfig []ClientConfigObservation `json:"clientConfig,omitempty" tf:"client_config,omitempty"`
+
+	// Specifies the configuration for asynchronous inference invocation outputs.
+	OutputConfig []AsyncInferenceConfigOutputConfigObservation `json:"outputConfig,omitempty" tf:"output_config,omitempty"`
 }
 
 type AsyncInferenceConfigOutputConfigObservation struct {
+
+	// The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that Amazon SageMaker uses to encrypt the asynchronous inference output in Amazon S3.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Specifies the configuration for notifications of inference results for asynchronous inference.
+	NotificationConfig []NotificationConfigObservation `json:"notificationConfig,omitempty" tf:"notification_config,omitempty"`
+
+	// The Amazon S3 location to upload inference responses to.
+	S3OutputPath *string `json:"s3OutputPath,omitempty" tf:"s3_output_path,omitempty"`
 }
 
 type AsyncInferenceConfigOutputConfigParameters struct {
@@ -46,6 +61,12 @@ type AsyncInferenceConfigParameters struct {
 }
 
 type CaptureContentTypeHeaderObservation struct {
+
+	// The CSV content type headers to capture.
+	CsvContentTypes []*string `json:"csvContentTypes,omitempty" tf:"csv_content_types,omitempty"`
+
+	// The JSON content type headers to capture.
+	JSONContentTypes []*string `json:"jsonContentTypes,omitempty" tf:"json_content_types,omitempty"`
 }
 
 type CaptureContentTypeHeaderParameters struct {
@@ -60,6 +81,9 @@ type CaptureContentTypeHeaderParameters struct {
 }
 
 type CaptureOptionsObservation struct {
+
+	// Specifies the data to be captured. Should be one of Input or Output.
+	CaptureMode *string `json:"captureMode,omitempty" tf:"capture_mode,omitempty"`
 }
 
 type CaptureOptionsParameters struct {
@@ -70,6 +94,9 @@ type CaptureOptionsParameters struct {
 }
 
 type ClientConfigObservation struct {
+
+	// The maximum number of concurrent requests sent by the SageMaker client to the model container. If no value is provided, Amazon SageMaker will choose an optimal value for you.
+	MaxConcurrentInvocationsPerInstance *float64 `json:"maxConcurrentInvocationsPerInstance,omitempty" tf:"max_concurrent_invocations_per_instance,omitempty"`
 }
 
 type ClientConfigParameters struct {
@@ -80,6 +107,12 @@ type ClientConfigParameters struct {
 }
 
 type CoreDumpConfigObservation struct {
+
+	// The Amazon S3 bucket to send the core dump to.
+	DestinationS3URI *string `json:"destinationS3Uri,omitempty" tf:"destination_s3_uri,omitempty"`
+
+	// The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that SageMaker uses to encrypt the core dump data at rest using Amazon S3 server-side encryption.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 }
 
 type CoreDumpConfigParameters struct {
@@ -94,6 +127,24 @@ type CoreDumpConfigParameters struct {
 }
 
 type DataCaptureConfigObservation struct {
+
+	// The content type headers to capture. Fields are documented below.
+	CaptureContentTypeHeader []CaptureContentTypeHeaderObservation `json:"captureContentTypeHeader,omitempty" tf:"capture_content_type_header,omitempty"`
+
+	// Specifies what data to capture. Fields are documented below.
+	CaptureOptions []CaptureOptionsObservation `json:"captureOptions,omitempty" tf:"capture_options,omitempty"`
+
+	// The URL for S3 location where the captured data is stored.
+	DestinationS3URI *string `json:"destinationS3Uri,omitempty" tf:"destination_s3_uri,omitempty"`
+
+	// Flag to enable data capture. Defaults to false.
+	EnableCapture *bool `json:"enableCapture,omitempty" tf:"enable_capture,omitempty"`
+
+	// Portion of data to capture. Should be between 0 and 100.
+	InitialSamplingPercentage *float64 `json:"initialSamplingPercentage,omitempty" tf:"initial_sampling_percentage,omitempty"`
+
+	// Amazon Resource Name (ARN) of a AWS Key Management Service key that Amazon SageMaker uses to encrypt the captured data on Amazon S3.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 }
 
 type DataCaptureConfigParameters struct {
@@ -128,8 +179,26 @@ type EndpointConfigurationObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this endpoint configuration.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies configuration for how an endpoint performs asynchronous inference.
+	AsyncInferenceConfig []AsyncInferenceConfigObservation `json:"asyncInferenceConfig,omitempty" tf:"async_inference_config,omitempty"`
+
+	// Specifies the parameters to capture input/output of SageMaker models endpoints. Fields are documented below.
+	DataCaptureConfig []DataCaptureConfigObservation `json:"dataCaptureConfig,omitempty" tf:"data_capture_config,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Amazon Resource Name (ARN) of a AWS Key Management Service key that Amazon SageMaker uses to encrypt data on the storage volume attached to the ML compute instance that hosts the endpoint.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// An list of ProductionVariant objects, one for each model that you want to host at this endpoint. Fields are documented below.
+	ProductionVariants []ProductionVariantsObservation `json:"productionVariants,omitempty" tf:"production_variants,omitempty"`
+
+	// Array of ProductionVariant objects. There is one for each model that you want to host at this endpoint in shadow mode with production traffic replicated from the model specified on ProductionVariants.If you use this field, you can only specify one variant for ProductionVariants and one variant for ShadowProductionVariants. Fields are documented below.
+	ShadowProductionVariants []ShadowProductionVariantsObservation `json:"shadowProductionVariants,omitempty" tf:"shadow_production_variants,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -158,8 +227,8 @@ type EndpointConfigurationParameters struct {
 	KMSKeyArnSelector *v1.Selector `json:"kmsKeyArnSelector,omitempty" tf:"-"`
 
 	// An list of ProductionVariant objects, one for each model that you want to host at this endpoint. Fields are documented below.
-	// +kubebuilder:validation:Required
-	ProductionVariants []ProductionVariantsParameters `json:"productionVariants" tf:"production_variants,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProductionVariants []ProductionVariantsParameters `json:"productionVariants,omitempty" tf:"production_variants,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -176,6 +245,12 @@ type EndpointConfigurationParameters struct {
 }
 
 type NotificationConfigObservation struct {
+
+	// Amazon SNS topic to post a notification to when inference fails. If no topic is provided, no notification is sent on failure.
+	ErrorTopic *string `json:"errorTopic,omitempty" tf:"error_topic,omitempty"`
+
+	// Amazon SNS topic to post a notification to when inference completes successfully. If no topic is provided, no notification is sent on success.
+	SuccessTopic *string `json:"successTopic,omitempty" tf:"success_topic,omitempty"`
 }
 
 type NotificationConfigParameters struct {
@@ -190,6 +265,39 @@ type NotificationConfigParameters struct {
 }
 
 type ProductionVariantsObservation struct {
+
+	// The size of the Elastic Inference (EI) instance to use for the production variant.
+	AcceleratorType *string `json:"acceleratorType,omitempty" tf:"accelerator_type,omitempty"`
+
+	// The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see How Your Container Should Respond to Health Check (Ping) Requests. Valid values between 60 and 3600.
+	ContainerStartupHealthCheckTimeoutInSeconds *float64 `json:"containerStartupHealthCheckTimeoutInSeconds,omitempty" tf:"container_startup_health_check_timeout_in_seconds,omitempty"`
+
+	// Specifies configuration for a core dump from the model container when the process crashes. Fields are documented below.
+	CoreDumpConfig []CoreDumpConfigObservation `json:"coreDumpConfig,omitempty" tf:"core_dump_config,omitempty"`
+
+	// Initial number of instances used for auto-scaling.
+	InitialInstanceCount *float64 `json:"initialInstanceCount,omitempty" tf:"initial_instance_count,omitempty"`
+
+	// Determines initial traffic distribution among all of the models that you specify in the endpoint configuration. If unspecified, it defaults to 1.0.
+	InitialVariantWeight *float64 `json:"initialVariantWeight,omitempty" tf:"initial_variant_weight,omitempty"`
+
+	// The type of instance to start.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant. Valid values between 60 and 3600.
+	ModelDataDownloadTimeoutInSeconds *float64 `json:"modelDataDownloadTimeoutInSeconds,omitempty" tf:"model_data_download_timeout_in_seconds,omitempty"`
+
+	// The name of the model to use.
+	ModelName *string `json:"modelName,omitempty" tf:"model_name,omitempty"`
+
+	// Specifies configuration for how an endpoint performs asynchronous inference.
+	ServerlessConfig []ServerlessConfigObservation `json:"serverlessConfig,omitempty" tf:"serverless_config,omitempty"`
+
+	// The name of the variant.
+	VariantName *string `json:"variantName,omitempty" tf:"variant_name,omitempty"`
+
+	// The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Valid values between 1 and 512.
+	VolumeSizeInGb *float64 `json:"volumeSizeInGb,omitempty" tf:"volume_size_in_gb,omitempty"`
 }
 
 type ProductionVariantsParameters struct {
@@ -249,6 +357,12 @@ type ProductionVariantsParameters struct {
 }
 
 type ServerlessConfigObservation struct {
+
+	// The maximum number of concurrent invocations your serverless endpoint can process. Valid values are between 1 and 200.
+	MaxConcurrency *float64 `json:"maxConcurrency,omitempty" tf:"max_concurrency,omitempty"`
+
+	// The memory size of your serverless endpoint. Valid values are in 1 GB increments: 1024 MB, 2048 MB, 3072 MB, 4096 MB, 5120 MB, or 6144 MB.
+	MemorySizeInMb *float64 `json:"memorySizeInMb,omitempty" tf:"memory_size_in_mb,omitempty"`
 }
 
 type ServerlessConfigParameters struct {
@@ -263,6 +377,12 @@ type ServerlessConfigParameters struct {
 }
 
 type ShadowProductionVariantsCoreDumpConfigObservation struct {
+
+	// The Amazon S3 bucket to send the core dump to.
+	DestinationS3URI *string `json:"destinationS3Uri,omitempty" tf:"destination_s3_uri,omitempty"`
+
+	// The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that SageMaker uses to encrypt the core dump data at rest using Amazon S3 server-side encryption.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 }
 
 type ShadowProductionVariantsCoreDumpConfigParameters struct {
@@ -277,6 +397,39 @@ type ShadowProductionVariantsCoreDumpConfigParameters struct {
 }
 
 type ShadowProductionVariantsObservation struct {
+
+	// The size of the Elastic Inference (EI) instance to use for the production variant.
+	AcceleratorType *string `json:"acceleratorType,omitempty" tf:"accelerator_type,omitempty"`
+
+	// The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see How Your Container Should Respond to Health Check (Ping) Requests. Valid values between 60 and 3600.
+	ContainerStartupHealthCheckTimeoutInSeconds *float64 `json:"containerStartupHealthCheckTimeoutInSeconds,omitempty" tf:"container_startup_health_check_timeout_in_seconds,omitempty"`
+
+	// Specifies configuration for a core dump from the model container when the process crashes. Fields are documented below.
+	CoreDumpConfig []ShadowProductionVariantsCoreDumpConfigObservation `json:"coreDumpConfig,omitempty" tf:"core_dump_config,omitempty"`
+
+	// Initial number of instances used for auto-scaling.
+	InitialInstanceCount *float64 `json:"initialInstanceCount,omitempty" tf:"initial_instance_count,omitempty"`
+
+	// Determines initial traffic distribution among all of the models that you specify in the endpoint configuration. If unspecified, it defaults to 1.0.
+	InitialVariantWeight *float64 `json:"initialVariantWeight,omitempty" tf:"initial_variant_weight,omitempty"`
+
+	// The type of instance to start.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant. Valid values between 60 and 3600.
+	ModelDataDownloadTimeoutInSeconds *float64 `json:"modelDataDownloadTimeoutInSeconds,omitempty" tf:"model_data_download_timeout_in_seconds,omitempty"`
+
+	// The name of the model to use.
+	ModelName *string `json:"modelName,omitempty" tf:"model_name,omitempty"`
+
+	// Specifies configuration for how an endpoint performs asynchronous inference.
+	ServerlessConfig []ShadowProductionVariantsServerlessConfigObservation `json:"serverlessConfig,omitempty" tf:"serverless_config,omitempty"`
+
+	// The name of the variant.
+	VariantName *string `json:"variantName,omitempty" tf:"variant_name,omitempty"`
+
+	// The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Valid values between 1 and 512.
+	VolumeSizeInGb *float64 `json:"volumeSizeInGb,omitempty" tf:"volume_size_in_gb,omitempty"`
 }
 
 type ShadowProductionVariantsParameters struct {
@@ -327,6 +480,12 @@ type ShadowProductionVariantsParameters struct {
 }
 
 type ShadowProductionVariantsServerlessConfigObservation struct {
+
+	// The maximum number of concurrent invocations your serverless endpoint can process. Valid values are between 1 and 200.
+	MaxConcurrency *float64 `json:"maxConcurrency,omitempty" tf:"max_concurrency,omitempty"`
+
+	// The memory size of your serverless endpoint. Valid values are in 1 GB increments: 1024 MB, 2048 MB, 3072 MB, 4096 MB, 5120 MB, or 6144 MB.
+	MemorySizeInMb *float64 `json:"memorySizeInMb,omitempty" tf:"memory_size_in_mb,omitempty"`
 }
 
 type ShadowProductionVariantsServerlessConfigParameters struct {
@@ -364,8 +523,9 @@ type EndpointConfigurationStatus struct {
 type EndpointConfiguration struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EndpointConfigurationSpec   `json:"spec"`
-	Status            EndpointConfigurationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.productionVariants)",message="productionVariants is a required parameter"
+	Spec   EndpointConfigurationSpec   `json:"spec"`
+	Status EndpointConfigurationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_featuregroup_types.go b/apis/sagemaker/v1beta1/zz_featuregroup_types.go
index 7c96149ac6..1f03d3e243 100755
--- a/apis/sagemaker/v1beta1/zz_featuregroup_types.go
+++ b/apis/sagemaker/v1beta1/zz_featuregroup_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type DataCatalogConfigObservation struct {
+
+	// The name of the Glue table catalog.
+	Catalog *string `json:"catalog,omitempty" tf:"catalog,omitempty"`
+
+	// The name of the Glue table database.
+	Database *string `json:"database,omitempty" tf:"database,omitempty"`
+
+	// The name of the Glue table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
 }
 
 type DataCatalogConfigParameters struct {
@@ -32,6 +41,12 @@ type DataCatalogConfigParameters struct {
 }
 
 type FeatureDefinitionObservation struct {
+
+	// The name of a feature. feature_name cannot be any of the following: is_deleted, write_time, api_invocation_time.
+	FeatureName *string `json:"featureName,omitempty" tf:"feature_name,omitempty"`
+
+	// The value type of a feature. Valid values are Integral, Fractional, or String.
+	FeatureType *string `json:"featureType,omitempty" tf:"feature_type,omitempty"`
 }
 
 type FeatureDefinitionParameters struct {
@@ -50,8 +65,32 @@ type FeatureGroupObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this feature_group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A free-form description of a Feature Group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The name of the feature that stores the EventTime of a Record in a Feature Group.
+	EventTimeFeatureName *string `json:"eventTimeFeatureName,omitempty" tf:"event_time_feature_name,omitempty"`
+
+	// A list of Feature names and types. See Feature Definition Below.
+	FeatureDefinition []FeatureDefinitionObservation `json:"featureDefinition,omitempty" tf:"feature_definition,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Offline Feature Store Configuration. See Offline Store Config Below.
+	OfflineStoreConfig []OfflineStoreConfigObservation `json:"offlineStoreConfig,omitempty" tf:"offline_store_config,omitempty"`
+
+	// The Online Feature Store Configuration. See Online Store Config Below.
+	OnlineStoreConfig []OnlineStoreConfigObservation `json:"onlineStoreConfig,omitempty" tf:"online_store_config,omitempty"`
+
+	// The name of the Feature whose value uniquely identifies a Record defined in the Feature Store. Only the latest record per identifier value will be stored in the Online Store.
+	RecordIdentifierFeatureName *string `json:"recordIdentifierFeatureName,omitempty" tf:"record_identifier_feature_name,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the IAM execution role used to persist data into the Offline Store if an offline_store_config is provided.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -63,12 +102,12 @@ type FeatureGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the feature that stores the EventTime of a Record in a Feature Group.
-	// +kubebuilder:validation:Required
-	EventTimeFeatureName *string `json:"eventTimeFeatureName" tf:"event_time_feature_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	EventTimeFeatureName *string `json:"eventTimeFeatureName,omitempty" tf:"event_time_feature_name,omitempty"`
 
 	// A list of Feature names and types. See Feature Definition Below.
-	// +kubebuilder:validation:Required
-	FeatureDefinition []FeatureDefinitionParameters `json:"featureDefinition" tf:"feature_definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	FeatureDefinition []FeatureDefinitionParameters `json:"featureDefinition,omitempty" tf:"feature_definition,omitempty"`
 
 	// The Offline Feature Store Configuration. See Offline Store Config Below.
 	// +kubebuilder:validation:Optional
@@ -79,8 +118,8 @@ type FeatureGroupParameters struct {
 	OnlineStoreConfig []OnlineStoreConfigParameters `json:"onlineStoreConfig,omitempty" tf:"online_store_config,omitempty"`
 
 	// The name of the Feature whose value uniquely identifies a Record defined in the Feature Store. Only the latest record per identifier value will be stored in the Online Store.
-	// +kubebuilder:validation:Required
-	RecordIdentifierFeatureName *string `json:"recordIdentifierFeatureName" tf:"record_identifier_feature_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	RecordIdentifierFeatureName *string `json:"recordIdentifierFeatureName,omitempty" tf:"record_identifier_feature_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -107,6 +146,15 @@ type FeatureGroupParameters struct {
 }
 
 type OfflineStoreConfigObservation struct {
+
+	// The meta data of the Glue table that is autogenerated when an OfflineStore is created. See Data Catalog Config Below.
+	DataCatalogConfig []DataCatalogConfigObservation `json:"dataCatalogConfig,omitempty" tf:"data_catalog_config,omitempty"`
+
+	// Set to true to turn Online Store On.
+	DisableGlueTableCreation *bool `json:"disableGlueTableCreation,omitempty" tf:"disable_glue_table_creation,omitempty"`
+
+	// The Amazon Simple Storage (Amazon S3) location of OfflineStore. See S3 Storage Config Below.
+	S3StorageConfig []S3StorageConfigObservation `json:"s3StorageConfig,omitempty" tf:"s3_storage_config,omitempty"`
 }
 
 type OfflineStoreConfigParameters struct {
@@ -125,6 +173,12 @@ type OfflineStoreConfigParameters struct {
 }
 
 type OnlineStoreConfigObservation struct {
+
+	// Set to true to disable the automatic creation of an AWS Glue table when configuring an OfflineStore.
+	EnableOnlineStore *bool `json:"enableOnlineStore,omitempty" tf:"enable_online_store,omitempty"`
+
+	// Security config for at-rest encryption of your OnlineStore. See Security Config Below.
+	SecurityConfig []SecurityConfigObservation `json:"securityConfig,omitempty" tf:"security_config,omitempty"`
 }
 
 type OnlineStoreConfigParameters struct {
@@ -139,6 +193,12 @@ type OnlineStoreConfigParameters struct {
 }
 
 type S3StorageConfigObservation struct {
+
+	// The AWS Key Management Service (KMS) key ID of the key used to encrypt any objects written into the OfflineStore S3 location.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The S3 URI, or location in Amazon S3, of OfflineStore.
+	S3URI *string `json:"s3Uri,omitempty" tf:"s3_uri,omitempty"`
 }
 
 type S3StorageConfigParameters struct {
@@ -153,6 +213,9 @@ type S3StorageConfigParameters struct {
 }
 
 type SecurityConfigObservation struct {
+
+	// The AWS Key Management Service (KMS) key ID of the key used to encrypt any objects written into the OfflineStore S3 location.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
 }
 
 type SecurityConfigParameters struct {
@@ -186,8 +249,11 @@ type FeatureGroupStatus struct {
 type FeatureGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FeatureGroupSpec   `json:"spec"`
-	Status            FeatureGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventTimeFeatureName)",message="eventTimeFeatureName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureDefinition)",message="featureDefinition is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.recordIdentifierFeatureName)",message="recordIdentifierFeatureName is a required parameter"
+	Spec   FeatureGroupSpec   `json:"spec"`
+	Status FeatureGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_generated.deepcopy.go b/apis/sagemaker/v1beta1/zz_generated.deepcopy.go
index d331f808ca..6d6fca0e27 100644
--- a/apis/sagemaker/v1beta1/zz_generated.deepcopy.go
+++ b/apis/sagemaker/v1beta1/zz_generated.deepcopy.go
@@ -113,6 +113,28 @@ func (in *AppImageConfigObservation) DeepCopyInto(out *AppImageConfigObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.KernelGatewayImageConfig != nil {
+		in, out := &in.KernelGatewayImageConfig, &out.KernelGatewayImageConfig
+		*out = make([]KernelGatewayImageConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -251,16 +273,58 @@ func (in *AppList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AppObservation) DeepCopyInto(out *AppObservation) {
 	*out = *in
+	if in.AppName != nil {
+		in, out := &in.AppName, &out.AppName
+		*out = new(string)
+		**out = **in
+	}
+	if in.AppType != nil {
+		in, out := &in.AppType, &out.AppType
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainID != nil {
+		in, out := &in.DomainID, &out.DomainID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceSpec != nil {
+		in, out := &in.ResourceSpec, &out.ResourceSpec
+		*out = make([]ResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SpaceName != nil {
+		in, out := &in.SpaceName, &out.SpaceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -276,6 +340,11 @@ func (in *AppObservation) DeepCopyInto(out *AppObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserProfileName != nil {
+		in, out := &in.UserProfileName, &out.UserProfileName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AppObservation.
@@ -412,6 +481,20 @@ func (in *AppStatus) DeepCopy() *AppStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AsyncInferenceConfigObservation) DeepCopyInto(out *AsyncInferenceConfigObservation) {
 	*out = *in
+	if in.ClientConfig != nil {
+		in, out := &in.ClientConfig, &out.ClientConfig
+		*out = make([]ClientConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputConfig != nil {
+		in, out := &in.OutputConfig, &out.OutputConfig
+		*out = make([]AsyncInferenceConfigOutputConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AsyncInferenceConfigObservation.
@@ -427,6 +510,23 @@ func (in *AsyncInferenceConfigObservation) DeepCopy() *AsyncInferenceConfigObser
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AsyncInferenceConfigOutputConfigObservation) DeepCopyInto(out *AsyncInferenceConfigOutputConfigObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationConfig != nil {
+		in, out := &in.NotificationConfig, &out.NotificationConfig
+		*out = make([]NotificationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3OutputPath != nil {
+		in, out := &in.S3OutputPath, &out.S3OutputPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AsyncInferenceConfigOutputConfigObservation.
@@ -503,6 +603,13 @@ func (in *AsyncInferenceConfigParameters) DeepCopy() *AsyncInferenceConfigParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CanvasAppSettingsObservation) DeepCopyInto(out *CanvasAppSettingsObservation) {
 	*out = *in
+	if in.TimeSeriesForecastingSettings != nil {
+		in, out := &in.TimeSeriesForecastingSettings, &out.TimeSeriesForecastingSettings
+		*out = make([]TimeSeriesForecastingSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CanvasAppSettingsObservation.
@@ -540,6 +647,16 @@ func (in *CanvasAppSettingsParameters) DeepCopy() *CanvasAppSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CanvasAppSettingsTimeSeriesForecastingSettingsObservation) DeepCopyInto(out *CanvasAppSettingsTimeSeriesForecastingSettingsObservation) {
 	*out = *in
+	if in.AmazonForecastRoleArn != nil {
+		in, out := &in.AmazonForecastRoleArn, &out.AmazonForecastRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CanvasAppSettingsTimeSeriesForecastingSettingsObservation.
@@ -580,6 +697,28 @@ func (in *CanvasAppSettingsTimeSeriesForecastingSettingsParameters) DeepCopy() *
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CaptureContentTypeHeaderObservation) DeepCopyInto(out *CaptureContentTypeHeaderObservation) {
 	*out = *in
+	if in.CsvContentTypes != nil {
+		in, out := &in.CsvContentTypes, &out.CsvContentTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.JSONContentTypes != nil {
+		in, out := &in.JSONContentTypes, &out.JSONContentTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CaptureContentTypeHeaderObservation.
@@ -632,6 +771,11 @@ func (in *CaptureContentTypeHeaderParameters) DeepCopy() *CaptureContentTypeHead
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CaptureOptionsObservation) DeepCopyInto(out *CaptureOptionsObservation) {
 	*out = *in
+	if in.CaptureMode != nil {
+		in, out := &in.CaptureMode, &out.CaptureMode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CaptureOptionsObservation.
@@ -667,6 +811,11 @@ func (in *CaptureOptionsParameters) DeepCopy() *CaptureOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ClientConfigObservation) DeepCopyInto(out *ClientConfigObservation) {
 	*out = *in
+	if in.MaxConcurrentInvocationsPerInstance != nil {
+		in, out := &in.MaxConcurrentInvocationsPerInstance, &out.MaxConcurrentInvocationsPerInstance
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClientConfigObservation.
@@ -766,11 +915,33 @@ func (in *CodeRepositoryObservation) DeepCopyInto(out *CodeRepositoryObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.GitConfig != nil {
+		in, out := &in.GitConfig, &out.GitConfig
+		*out = make([]GitConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -877,6 +1048,16 @@ func (in *CodeRepositoryStatus) DeepCopy() *CodeRepositoryStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CognitoConfigObservation) DeepCopyInto(out *CognitoConfigObservation) {
 	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPool != nil {
+		in, out := &in.UserPool, &out.UserPool
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CognitoConfigObservation.
@@ -937,6 +1118,21 @@ func (in *CognitoConfigParameters) DeepCopy() *CognitoConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CognitoMemberDefinitionObservation) DeepCopyInto(out *CognitoMemberDefinitionObservation) {
 	*out = *in
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserGroup != nil {
+		in, out := &in.UserGroup, &out.UserGroup
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserPool != nil {
+		in, out := &in.UserPool, &out.UserPool
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CognitoMemberDefinitionObservation.
@@ -1012,6 +1208,48 @@ func (in *CognitoMemberDefinitionParameters) DeepCopy() *CognitoMemberDefinition
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ContainerObservation) DeepCopyInto(out *ContainerObservation) {
 	*out = *in
+	if in.ContainerHostname != nil {
+		in, out := &in.ContainerHostname, &out.ContainerHostname
+		*out = new(string)
+		**out = **in
+	}
+	if in.Environment != nil {
+		in, out := &in.Environment, &out.Environment
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Image != nil {
+		in, out := &in.Image, &out.Image
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageConfig != nil {
+		in, out := &in.ImageConfig, &out.ImageConfig
+		*out = make([]ImageConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ModelDataURL != nil {
+		in, out := &in.ModelDataURL, &out.ModelDataURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ContainerObservation.
@@ -1084,6 +1322,16 @@ func (in *ContainerParameters) DeepCopy() *ContainerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CoreDumpConfigObservation) DeepCopyInto(out *CoreDumpConfigObservation) {
 	*out = *in
+	if in.DestinationS3URI != nil {
+		in, out := &in.DestinationS3URI, &out.DestinationS3URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CoreDumpConfigObservation.
@@ -1124,6 +1372,21 @@ func (in *CoreDumpConfigParameters) DeepCopy() *CoreDumpConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomImageObservation) DeepCopyInto(out *CustomImageObservation) {
 	*out = *in
+	if in.AppImageConfigName != nil {
+		in, out := &in.AppImageConfigName, &out.AppImageConfigName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageVersionNumber != nil {
+		in, out := &in.ImageVersionNumber, &out.ImageVersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomImageObservation.
@@ -1169,7 +1432,41 @@ func (in *CustomImageParameters) DeepCopy() *CustomImageParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataCaptureConfigObservation) DeepCopyInto(out *DataCaptureConfigObservation) {
 	*out = *in
-}
+	if in.CaptureContentTypeHeader != nil {
+		in, out := &in.CaptureContentTypeHeader, &out.CaptureContentTypeHeader
+		*out = make([]CaptureContentTypeHeaderObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CaptureOptions != nil {
+		in, out := &in.CaptureOptions, &out.CaptureOptions
+		*out = make([]CaptureOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DestinationS3URI != nil {
+		in, out := &in.DestinationS3URI, &out.DestinationS3URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableCapture != nil {
+		in, out := &in.EnableCapture, &out.EnableCapture
+		*out = new(bool)
+		**out = **in
+	}
+	if in.InitialSamplingPercentage != nil {
+		in, out := &in.InitialSamplingPercentage, &out.InitialSamplingPercentage
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+}
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataCaptureConfigObservation.
 func (in *DataCaptureConfigObservation) DeepCopy() *DataCaptureConfigObservation {
@@ -1233,6 +1530,21 @@ func (in *DataCaptureConfigParameters) DeepCopy() *DataCaptureConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DataCatalogConfigObservation) DeepCopyInto(out *DataCatalogConfigObservation) {
 	*out = *in
+	if in.Catalog != nil {
+		in, out := &in.Catalog, &out.Catalog
+		*out = new(string)
+		**out = **in
+	}
+	if in.Database != nil {
+		in, out := &in.Database, &out.Database
+		*out = new(string)
+		**out = **in
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DataCatalogConfigObservation.
@@ -1278,6 +1590,26 @@ func (in *DataCatalogConfigParameters) DeepCopy() *DataCatalogConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultResourceSpecObservation) DeepCopyInto(out *DefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultResourceSpecObservation.
@@ -1328,6 +1660,36 @@ func (in *DefaultResourceSpecParameters) DeepCopy() *DefaultResourceSpecParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultSpaceSettingsObservation) DeepCopyInto(out *DefaultSpaceSettingsObservation) {
 	*out = *in
+	if in.ExecutionRole != nil {
+		in, out := &in.ExecutionRole, &out.ExecutionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.JupyterServerAppSettings != nil {
+		in, out := &in.JupyterServerAppSettings, &out.JupyterServerAppSettings
+		*out = make([]JupyterServerAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KernelGatewayAppSettings != nil {
+		in, out := &in.KernelGatewayAppSettings, &out.KernelGatewayAppSettings
+		*out = make([]KernelGatewayAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultSpaceSettingsObservation.
@@ -1388,6 +1750,11 @@ func (in *DefaultSpaceSettingsParameters) DeepCopy() *DefaultSpaceSettingsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryObservation) DeepCopyInto(out *DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryObservation) {
 	*out = *in
+	if in.RepositoryURL != nil {
+		in, out := &in.RepositoryURL, &out.RepositoryURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryObservation.
@@ -1423,6 +1790,31 @@ func (in *DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryParameters) D
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultUserSettingsJupyterServerAppSettingsObservation) DeepCopyInto(out *DefaultUserSettingsJupyterServerAppSettingsObservation) {
 	*out = *in
+	if in.CodeRepository != nil {
+		in, out := &in.CodeRepository, &out.CodeRepository
+		*out = make([]DefaultUserSettingsJupyterServerAppSettingsCodeRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]JupyterServerAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultUserSettingsJupyterServerAppSettingsObservation.
@@ -1478,6 +1870,26 @@ func (in *DefaultUserSettingsJupyterServerAppSettingsParameters) DeepCopy() *Def
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation.
@@ -1528,6 +1940,31 @@ func (in *DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultUserSettingsKernelGatewayAppSettingsObservation) DeepCopyInto(out *DefaultUserSettingsKernelGatewayAppSettingsObservation) {
 	*out = *in
+	if in.CustomImage != nil {
+		in, out := &in.CustomImage, &out.CustomImage
+		*out = make([]KernelGatewayAppSettingsCustomImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]DefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultUserSettingsKernelGatewayAppSettingsObservation.
@@ -1583,6 +2020,64 @@ func (in *DefaultUserSettingsKernelGatewayAppSettingsParameters) DeepCopy() *Def
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultUserSettingsObservation) DeepCopyInto(out *DefaultUserSettingsObservation) {
 	*out = *in
+	if in.CanvasAppSettings != nil {
+		in, out := &in.CanvasAppSettings, &out.CanvasAppSettings
+		*out = make([]CanvasAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExecutionRole != nil {
+		in, out := &in.ExecutionRole, &out.ExecutionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.JupyterServerAppSettings != nil {
+		in, out := &in.JupyterServerAppSettings, &out.JupyterServerAppSettings
+		*out = make([]DefaultUserSettingsJupyterServerAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KernelGatewayAppSettings != nil {
+		in, out := &in.KernelGatewayAppSettings, &out.KernelGatewayAppSettings
+		*out = make([]DefaultUserSettingsKernelGatewayAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RSessionAppSettings != nil {
+		in, out := &in.RSessionAppSettings, &out.RSessionAppSettings
+		*out = make([]RSessionAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SharingSettings != nil {
+		in, out := &in.SharingSettings, &out.SharingSettings
+		*out = make([]SharingSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TensorBoardAppSettings != nil {
+		in, out := &in.TensorBoardAppSettings, &out.TensorBoardAppSettings
+		*out = make([]TensorBoardAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultUserSettingsObservation.
@@ -1708,6 +2203,21 @@ func (in *Device) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeviceDeviceObservation) DeepCopyInto(out *DeviceDeviceObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceName != nil {
+		in, out := &in.DeviceName, &out.DeviceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.IotThingName != nil {
+		in, out := &in.IotThingName, &out.IotThingName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceDeviceObservation.
@@ -1817,6 +2327,16 @@ func (in *DeviceFleetObservation) DeepCopyInto(out *DeviceFleetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableIotRoleAlias != nil {
+		in, out := &in.EnableIotRoleAlias, &out.EnableIotRoleAlias
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1827,18 +2347,45 @@ func (in *DeviceFleetObservation) DeepCopyInto(out *DeviceFleetObservation) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
-		*out = make(map[string]*string, len(*in))
-		for key, val := range *in {
-			var outVal *string
-			if val == nil {
-				(*out)[key] = nil
-			} else {
-				in, out := &val, &outVal
-				*out = new(string)
-				**out = **in
-			}
+	if in.OutputConfig != nil {
+		in, out := &in.OutputConfig, &out.OutputConfig
+		*out = make([]OutputConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
 			(*out)[key] = outVal
 		}
 	}
@@ -2000,6 +2547,18 @@ func (in *DeviceObservation) DeepCopyInto(out *DeviceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Device != nil {
+		in, out := &in.Device, &out.Device
+		*out = make([]DeviceDeviceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeviceFleetName != nil {
+		in, out := &in.DeviceFleetName, &out.DeviceFleetName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -2155,11 +2714,52 @@ func (in *DomainList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 	*out = *in
+	if in.AppNetworkAccessType != nil {
+		in, out := &in.AppNetworkAccessType, &out.AppNetworkAccessType
+		*out = new(string)
+		**out = **in
+	}
+	if in.AppSecurityGroupManagement != nil {
+		in, out := &in.AppSecurityGroupManagement, &out.AppSecurityGroupManagement
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.AuthMode != nil {
+		in, out := &in.AuthMode, &out.AuthMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultSpaceSettings != nil {
+		in, out := &in.DefaultSpaceSettings, &out.DefaultSpaceSettings
+		*out = make([]DefaultSpaceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultUserSettings != nil {
+		in, out := &in.DefaultUserSettings, &out.DefaultUserSettings
+		*out = make([]DefaultUserSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DomainName != nil {
+		in, out := &in.DomainName, &out.DomainName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainSettings != nil {
+		in, out := &in.DomainSettings, &out.DomainSettings
+		*out = make([]DomainSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.HomeEFSFileSystemID != nil {
 		in, out := &in.HomeEFSFileSystemID, &out.HomeEFSFileSystemID
 		*out = new(string)
@@ -2170,6 +2770,18 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RetentionPolicy != nil {
+		in, out := &in.RetentionPolicy, &out.RetentionPolicy
+		*out = make([]RetentionPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.SecurityGroupIDForDomainBoundary != nil {
 		in, out := &in.SecurityGroupIDForDomainBoundary, &out.SecurityGroupIDForDomainBoundary
 		*out = new(string)
@@ -2180,6 +2792,32 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2200,6 +2838,11 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainObservation.
@@ -2351,6 +2994,22 @@ func (in *DomainParameters) DeepCopy() *DomainParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainSettingsObservation) DeepCopyInto(out *DomainSettingsObservation) {
 	*out = *in
+	if in.ExecutionRoleIdentityConfig != nil {
+		in, out := &in.ExecutionRoleIdentityConfig, &out.ExecutionRoleIdentityConfig
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainSettingsObservation.
@@ -2495,11 +3154,59 @@ func (in *EndpointConfigurationObservation) DeepCopyInto(out *EndpointConfigurat
 		*out = new(string)
 		**out = **in
 	}
+	if in.AsyncInferenceConfig != nil {
+		in, out := &in.AsyncInferenceConfig, &out.AsyncInferenceConfig
+		*out = make([]AsyncInferenceConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DataCaptureConfig != nil {
+		in, out := &in.DataCaptureConfig, &out.DataCaptureConfig
+		*out = make([]DataCaptureConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProductionVariants != nil {
+		in, out := &in.ProductionVariants, &out.ProductionVariants
+		*out = make([]ProductionVariantsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ShadowProductionVariants != nil {
+		in, out := &in.ShadowProductionVariants, &out.ShadowProductionVariants
+		*out = make([]ShadowProductionVariantsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2642,6 +3349,16 @@ func (in *EndpointConfigurationStatus) DeepCopy() *EndpointConfigurationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FeatureDefinitionObservation) DeepCopyInto(out *FeatureDefinitionObservation) {
 	*out = *in
+	if in.FeatureName != nil {
+		in, out := &in.FeatureName, &out.FeatureName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FeatureType != nil {
+		in, out := &in.FeatureType, &out.FeatureType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FeatureDefinitionObservation.
@@ -2746,11 +3463,67 @@ func (in *FeatureGroupObservation) DeepCopyInto(out *FeatureGroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventTimeFeatureName != nil {
+		in, out := &in.EventTimeFeatureName, &out.EventTimeFeatureName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FeatureDefinition != nil {
+		in, out := &in.FeatureDefinition, &out.FeatureDefinition
+		*out = make([]FeatureDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OfflineStoreConfig != nil {
+		in, out := &in.OfflineStoreConfig, &out.OfflineStoreConfig
+		*out = make([]OfflineStoreConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OnlineStoreConfig != nil {
+		in, out := &in.OnlineStoreConfig, &out.OnlineStoreConfig
+		*out = make([]OnlineStoreConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordIdentifierFeatureName != nil {
+		in, out := &in.RecordIdentifierFeatureName, &out.RecordIdentifierFeatureName
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2901,10 +3674,25 @@ func (in *FeatureGroupStatus) DeepCopy() *FeatureGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FileSystemConfigObservation) DeepCopyInto(out *FileSystemConfigObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSystemConfigObservation.
-func (in *FileSystemConfigObservation) DeepCopy() *FileSystemConfigObservation {
+	if in.DefaultGID != nil {
+		in, out := &in.DefaultGID, &out.DefaultGID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.DefaultUID != nil {
+		in, out := &in.DefaultUID, &out.DefaultUID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MountPath != nil {
+		in, out := &in.MountPath, &out.MountPath
+		*out = new(string)
+		**out = **in
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FileSystemConfigObservation.
+func (in *FileSystemConfigObservation) DeepCopy() *FileSystemConfigObservation {
 	if in == nil {
 		return nil
 	}
@@ -2946,6 +3734,21 @@ func (in *FileSystemConfigParameters) DeepCopy() *FileSystemConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GitConfigObservation) DeepCopyInto(out *GitConfigObservation) {
 	*out = *in
+	if in.Branch != nil {
+		in, out := &in.Branch, &out.Branch
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepositoryURL != nil {
+		in, out := &in.RepositoryURL, &out.RepositoryURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecretArn != nil {
+		in, out := &in.SecretArn, &out.SecretArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GitConfigObservation.
@@ -3028,6 +3831,18 @@ func (in *Image) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageConfigObservation) DeepCopyInto(out *ImageConfigObservation) {
 	*out = *in
+	if in.RepositoryAccessMode != nil {
+		in, out := &in.RepositoryAccessMode, &out.RepositoryAccessMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepositoryAuthConfig != nil {
+		in, out := &in.RepositoryAuthConfig, &out.RepositoryAuthConfig
+		*out = make([]RepositoryAuthConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageConfigObservation.
@@ -3070,6 +3885,11 @@ func (in *ImageConfigParameters) DeepCopy() *ImageConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ImageConfigRepositoryAuthConfigObservation) DeepCopyInto(out *ImageConfigRepositoryAuthConfigObservation) {
 	*out = *in
+	if in.RepositoryCredentialsProviderArn != nil {
+		in, out := &in.RepositoryCredentialsProviderArn, &out.RepositoryCredentialsProviderArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ImageConfigRepositoryAuthConfigObservation.
@@ -3142,11 +3962,41 @@ func (in *ImageObservation) DeepCopyInto(out *ImageObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -3335,6 +4185,11 @@ func (in *ImageVersionObservation) DeepCopyInto(out *ImageVersionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.BaseImage != nil {
+		in, out := &in.BaseImage, &out.BaseImage
+		*out = new(string)
+		**out = **in
+	}
 	if in.ContainerImage != nil {
 		in, out := &in.ContainerImage, &out.ContainerImage
 		*out = new(string)
@@ -3350,6 +4205,11 @@ func (in *ImageVersionObservation) DeepCopyInto(out *ImageVersionObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(float64)
@@ -3444,6 +4304,11 @@ func (in *ImageVersionStatus) DeepCopy() *ImageVersionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InferenceExecutionConfigObservation) DeepCopyInto(out *InferenceExecutionConfigObservation) {
 	*out = *in
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InferenceExecutionConfigObservation.
@@ -3479,6 +4344,11 @@ func (in *InferenceExecutionConfigParameters) DeepCopy() *InferenceExecutionConf
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InstanceMetadataServiceConfigurationObservation) DeepCopyInto(out *InstanceMetadataServiceConfigurationObservation) {
 	*out = *in
+	if in.MinimumInstanceMetadataServiceVersion != nil {
+		in, out := &in.MinimumInstanceMetadataServiceVersion, &out.MinimumInstanceMetadataServiceVersion
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InstanceMetadataServiceConfigurationObservation.
@@ -3514,6 +4384,11 @@ func (in *InstanceMetadataServiceConfigurationParameters) DeepCopy() *InstanceMe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JupyterServerAppSettingsCodeRepositoryObservation) DeepCopyInto(out *JupyterServerAppSettingsCodeRepositoryObservation) {
 	*out = *in
+	if in.RepositoryURL != nil {
+		in, out := &in.RepositoryURL, &out.RepositoryURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JupyterServerAppSettingsCodeRepositoryObservation.
@@ -3549,6 +4424,26 @@ func (in *JupyterServerAppSettingsCodeRepositoryParameters) DeepCopy() *JupyterS
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JupyterServerAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *JupyterServerAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JupyterServerAppSettingsDefaultResourceSpecObservation.
@@ -3599,6 +4494,31 @@ func (in *JupyterServerAppSettingsDefaultResourceSpecParameters) DeepCopy() *Jup
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *JupyterServerAppSettingsObservation) DeepCopyInto(out *JupyterServerAppSettingsObservation) {
 	*out = *in
+	if in.CodeRepository != nil {
+		in, out := &in.CodeRepository, &out.CodeRepository
+		*out = make([]JupyterServerAppSettingsCodeRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]DefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new JupyterServerAppSettingsObservation.
@@ -3654,6 +4574,21 @@ func (in *JupyterServerAppSettingsParameters) DeepCopy() *JupyterServerAppSettin
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KernelGatewayAppSettingsCustomImageObservation) DeepCopyInto(out *KernelGatewayAppSettingsCustomImageObservation) {
 	*out = *in
+	if in.AppImageConfigName != nil {
+		in, out := &in.AppImageConfigName, &out.AppImageConfigName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageVersionNumber != nil {
+		in, out := &in.ImageVersionNumber, &out.ImageVersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KernelGatewayAppSettingsCustomImageObservation.
@@ -3719,6 +4654,26 @@ func (in *KernelGatewayAppSettingsCustomImageParameters) DeepCopy() *KernelGatew
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KernelGatewayAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *KernelGatewayAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KernelGatewayAppSettingsDefaultResourceSpecObservation.
@@ -3769,6 +4724,31 @@ func (in *KernelGatewayAppSettingsDefaultResourceSpecParameters) DeepCopy() *Ker
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KernelGatewayAppSettingsObservation) DeepCopyInto(out *KernelGatewayAppSettingsObservation) {
 	*out = *in
+	if in.CustomImage != nil {
+		in, out := &in.CustomImage, &out.CustomImage
+		*out = make([]CustomImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]KernelGatewayAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KernelGatewayAppSettingsObservation.
@@ -3824,6 +4804,20 @@ func (in *KernelGatewayAppSettingsParameters) DeepCopy() *KernelGatewayAppSettin
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KernelGatewayImageConfigObservation) DeepCopyInto(out *KernelGatewayImageConfigObservation) {
 	*out = *in
+	if in.FileSystemConfig != nil {
+		in, out := &in.FileSystemConfig, &out.FileSystemConfig
+		*out = make([]FileSystemConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KernelSpec != nil {
+		in, out := &in.KernelSpec, &out.KernelSpec
+		*out = make([]KernelSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KernelGatewayImageConfigObservation.
@@ -3868,6 +4862,16 @@ func (in *KernelGatewayImageConfigParameters) DeepCopy() *KernelGatewayImageConf
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KernelSpecObservation) DeepCopyInto(out *KernelSpecObservation) {
 	*out = *in
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KernelSpecObservation.
@@ -3908,6 +4912,20 @@ func (in *KernelSpecParameters) DeepCopy() *KernelSpecParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemberDefinitionObservation) DeepCopyInto(out *MemberDefinitionObservation) {
 	*out = *in
+	if in.CognitoMemberDefinition != nil {
+		in, out := &in.CognitoMemberDefinition, &out.CognitoMemberDefinition
+		*out = make([]CognitoMemberDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OidcMemberDefinition != nil {
+		in, out := &in.OidcMemberDefinition, &out.OidcMemberDefinition
+		*out = make([]OidcMemberDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MemberDefinitionObservation.
@@ -4016,11 +5034,57 @@ func (in *ModelObservation) DeepCopyInto(out *ModelObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Container != nil {
+		in, out := &in.Container, &out.Container
+		*out = make([]ContainerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnableNetworkIsolation != nil {
+		in, out := &in.EnableNetworkIsolation, &out.EnableNetworkIsolation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ExecutionRoleArn != nil {
+		in, out := &in.ExecutionRoleArn, &out.ExecutionRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InferenceExecutionConfig != nil {
+		in, out := &in.InferenceExecutionConfig, &out.InferenceExecutionConfig
+		*out = make([]InferenceExecutionConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PrimaryContainer != nil {
+		in, out := &in.PrimaryContainer, &out.PrimaryContainer
+		*out = make([]PrimaryContainerObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4036,6 +5100,13 @@ func (in *ModelObservation) DeepCopyInto(out *ModelObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPCConfig != nil {
+		in, out := &in.VPCConfig, &out.VPCConfig
+		*out = make([]VPCConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModelObservation.
@@ -4120,6 +5191,26 @@ func (in *ModelPackageGroupObservation) DeepCopyInto(out *ModelPackageGroupObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.ModelPackageGroupDescription != nil {
+		in, out := &in.ModelPackageGroupDescription, &out.ModelPackageGroupDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4254,6 +5345,16 @@ func (in *ModelPackageGroupPolicyObservation) DeepCopyInto(out *ModelPackageGrou
 		*out = new(string)
 		**out = **in
 	}
+	if in.ModelPackageGroupName != nil {
+		in, out := &in.ModelPackageGroupName, &out.ModelPackageGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourcePolicy != nil {
+		in, out := &in.ResourcePolicy, &out.ResourcePolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ModelPackageGroupPolicyObservation.
@@ -4590,6 +5691,16 @@ func (in *NotebookInstanceLifecycleConfigurationObservation) DeepCopyInto(out *N
 		*out = new(string)
 		**out = **in
 	}
+	if in.OnCreate != nil {
+		in, out := &in.OnCreate, &out.OnCreate
+		*out = new(string)
+		**out = **in
+	}
+	if in.OnStart != nil {
+		in, out := &in.OnStart, &out.OnStart
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotebookInstanceLifecycleConfigurationObservation.
@@ -4701,21 +5812,121 @@ func (in *NotebookInstanceList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotebookInstanceObservation) DeepCopyInto(out *NotebookInstanceObservation) {
 	*out = *in
+	if in.AcceleratorTypes != nil {
+		in, out := &in.AcceleratorTypes, &out.AcceleratorTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.AdditionalCodeRepositories != nil {
+		in, out := &in.AdditionalCodeRepositories, &out.AdditionalCodeRepositories
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultCodeRepository != nil {
+		in, out := &in.DefaultCodeRepository, &out.DefaultCodeRepository
+		*out = new(string)
+		**out = **in
+	}
+	if in.DirectInternetAccess != nil {
+		in, out := &in.DirectInternetAccess, &out.DirectInternetAccess
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceMetadataServiceConfiguration != nil {
+		in, out := &in.InstanceMetadataServiceConfiguration, &out.InstanceMetadataServiceConfiguration
+		*out = make([]InstanceMetadataServiceConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigName != nil {
+		in, out := &in.LifecycleConfigName, &out.LifecycleConfigName
+		*out = new(string)
+		**out = **in
+	}
 	if in.NetworkInterfaceID != nil {
 		in, out := &in.NetworkInterfaceID, &out.NetworkInterfaceID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PlatformIdentifier != nil {
+		in, out := &in.PlatformIdentifier, &out.PlatformIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RootAccess != nil {
+		in, out := &in.RootAccess, &out.RootAccess
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetID != nil {
+		in, out := &in.SubnetID, &out.SubnetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -4736,6 +5947,11 @@ func (in *NotebookInstanceObservation) DeepCopyInto(out *NotebookInstanceObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.VolumeSize != nil {
+		in, out := &in.VolumeSize, &out.VolumeSize
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotebookInstanceObservation.
@@ -4950,6 +6166,16 @@ func (in *NotebookInstanceStatus) DeepCopy() *NotebookInstanceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationConfigObservation) DeepCopyInto(out *NotificationConfigObservation) {
 	*out = *in
+	if in.ErrorTopic != nil {
+		in, out := &in.ErrorTopic, &out.ErrorTopic
+		*out = new(string)
+		**out = **in
+	}
+	if in.SuccessTopic != nil {
+		in, out := &in.SuccessTopic, &out.SuccessTopic
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationConfigObservation.
@@ -4990,6 +6216,11 @@ func (in *NotificationConfigParameters) DeepCopy() *NotificationConfigParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationConfigurationObservation) DeepCopyInto(out *NotificationConfigurationObservation) {
 	*out = *in
+	if in.NotificationTopicArn != nil {
+		in, out := &in.NotificationTopicArn, &out.NotificationTopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationConfigurationObservation.
@@ -5025,6 +6256,25 @@ func (in *NotificationConfigurationParameters) DeepCopy() *NotificationConfigura
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OfflineStoreConfigObservation) DeepCopyInto(out *OfflineStoreConfigObservation) {
 	*out = *in
+	if in.DataCatalogConfig != nil {
+		in, out := &in.DataCatalogConfig, &out.DataCatalogConfig
+		*out = make([]DataCatalogConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DisableGlueTableCreation != nil {
+		in, out := &in.DisableGlueTableCreation, &out.DisableGlueTableCreation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.S3StorageConfig != nil {
+		in, out := &in.S3StorageConfig, &out.S3StorageConfig
+		*out = make([]S3StorageConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OfflineStoreConfigObservation.
@@ -5074,6 +6324,41 @@ func (in *OfflineStoreConfigParameters) DeepCopy() *OfflineStoreConfigParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OidcConfigObservation) DeepCopyInto(out *OidcConfigObservation) {
 	*out = *in
+	if in.AuthorizationEndpoint != nil {
+		in, out := &in.AuthorizationEndpoint, &out.AuthorizationEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.ClientID != nil {
+		in, out := &in.ClientID, &out.ClientID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Issuer != nil {
+		in, out := &in.Issuer, &out.Issuer
+		*out = new(string)
+		**out = **in
+	}
+	if in.JwksURI != nil {
+		in, out := &in.JwksURI, &out.JwksURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogoutEndpoint != nil {
+		in, out := &in.LogoutEndpoint, &out.LogoutEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.TokenEndpoint != nil {
+		in, out := &in.TokenEndpoint, &out.TokenEndpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserInfoEndpoint != nil {
+		in, out := &in.UserInfoEndpoint, &out.UserInfoEndpoint
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcConfigObservation.
@@ -5140,6 +6425,17 @@ func (in *OidcConfigParameters) DeepCopy() *OidcConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OidcMemberDefinitionObservation) DeepCopyInto(out *OidcMemberDefinitionObservation) {
 	*out = *in
+	if in.Groups != nil {
+		in, out := &in.Groups, &out.Groups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OidcMemberDefinitionObservation.
@@ -5181,6 +6477,18 @@ func (in *OidcMemberDefinitionParameters) DeepCopy() *OidcMemberDefinitionParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnlineStoreConfigObservation) DeepCopyInto(out *OnlineStoreConfigObservation) {
 	*out = *in
+	if in.EnableOnlineStore != nil {
+		in, out := &in.EnableOnlineStore, &out.EnableOnlineStore
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SecurityConfig != nil {
+		in, out := &in.SecurityConfig, &out.SecurityConfig
+		*out = make([]SecurityConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnlineStoreConfigObservation.
@@ -5223,6 +6531,16 @@ func (in *OnlineStoreConfigParameters) DeepCopy() *OnlineStoreConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputConfigObservation) DeepCopyInto(out *OutputConfigObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3OutputLocation != nil {
+		in, out := &in.S3OutputLocation, &out.S3OutputLocation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputConfigObservation.
@@ -5263,6 +6581,18 @@ func (in *OutputConfigParameters) DeepCopy() *OutputConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrimaryContainerImageConfigObservation) DeepCopyInto(out *PrimaryContainerImageConfigObservation) {
 	*out = *in
+	if in.RepositoryAccessMode != nil {
+		in, out := &in.RepositoryAccessMode, &out.RepositoryAccessMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.RepositoryAuthConfig != nil {
+		in, out := &in.RepositoryAuthConfig, &out.RepositoryAuthConfig
+		*out = make([]ImageConfigRepositoryAuthConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrimaryContainerImageConfigObservation.
@@ -5305,6 +6635,48 @@ func (in *PrimaryContainerImageConfigParameters) DeepCopy() *PrimaryContainerIma
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrimaryContainerObservation) DeepCopyInto(out *PrimaryContainerObservation) {
 	*out = *in
+	if in.ContainerHostname != nil {
+		in, out := &in.ContainerHostname, &out.ContainerHostname
+		*out = new(string)
+		**out = **in
+	}
+	if in.Environment != nil {
+		in, out := &in.Environment, &out.Environment
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.Image != nil {
+		in, out := &in.Image, &out.Image
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageConfig != nil {
+		in, out := &in.ImageConfig, &out.ImageConfig
+		*out = make([]PrimaryContainerImageConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
+	if in.ModelDataURL != nil {
+		in, out := &in.ModelDataURL, &out.ModelDataURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrimaryContainerObservation.
@@ -5377,6 +6749,65 @@ func (in *PrimaryContainerParameters) DeepCopy() *PrimaryContainerParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProductionVariantsObservation) DeepCopyInto(out *ProductionVariantsObservation) {
 	*out = *in
+	if in.AcceleratorType != nil {
+		in, out := &in.AcceleratorType, &out.AcceleratorType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContainerStartupHealthCheckTimeoutInSeconds != nil {
+		in, out := &in.ContainerStartupHealthCheckTimeoutInSeconds, &out.ContainerStartupHealthCheckTimeoutInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CoreDumpConfig != nil {
+		in, out := &in.CoreDumpConfig, &out.CoreDumpConfig
+		*out = make([]CoreDumpConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InitialInstanceCount != nil {
+		in, out := &in.InitialInstanceCount, &out.InitialInstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InitialVariantWeight != nil {
+		in, out := &in.InitialVariantWeight, &out.InitialVariantWeight
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ModelDataDownloadTimeoutInSeconds != nil {
+		in, out := &in.ModelDataDownloadTimeoutInSeconds, &out.ModelDataDownloadTimeoutInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ModelName != nil {
+		in, out := &in.ModelName, &out.ModelName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerlessConfig != nil {
+		in, out := &in.ServerlessConfig, &out.ServerlessConfig
+		*out = make([]ServerlessConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VariantName != nil {
+		in, out := &in.VariantName, &out.VariantName
+		*out = new(string)
+		**out = **in
+	}
+	if in.VolumeSizeInGb != nil {
+		in, out := &in.VolumeSizeInGb, &out.VolumeSizeInGb
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProductionVariantsObservation.
@@ -5476,6 +6907,21 @@ func (in *ProductionVariantsParameters) DeepCopy() *ProductionVariantsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RSessionAppSettingsCustomImageObservation) DeepCopyInto(out *RSessionAppSettingsCustomImageObservation) {
 	*out = *in
+	if in.AppImageConfigName != nil {
+		in, out := &in.AppImageConfigName, &out.AppImageConfigName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageVersionNumber != nil {
+		in, out := &in.ImageVersionNumber, &out.ImageVersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RSessionAppSettingsCustomImageObservation.
@@ -5521,6 +6967,26 @@ func (in *RSessionAppSettingsCustomImageParameters) DeepCopy() *RSessionAppSetti
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RSessionAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *RSessionAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RSessionAppSettingsDefaultResourceSpecObservation.
@@ -5571,6 +7037,20 @@ func (in *RSessionAppSettingsDefaultResourceSpecParameters) DeepCopy() *RSession
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RSessionAppSettingsObservation) DeepCopyInto(out *RSessionAppSettingsObservation) {
 	*out = *in
+	if in.CustomImage != nil {
+		in, out := &in.CustomImage, &out.CustomImage
+		*out = make([]RSessionAppSettingsCustomImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]RSessionAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RSessionAppSettingsObservation.
@@ -5615,6 +7095,11 @@ func (in *RSessionAppSettingsParameters) DeepCopy() *RSessionAppSettingsParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RepositoryAuthConfigObservation) DeepCopyInto(out *RepositoryAuthConfigObservation) {
 	*out = *in
+	if in.RepositoryCredentialsProviderArn != nil {
+		in, out := &in.RepositoryCredentialsProviderArn, &out.RepositoryCredentialsProviderArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RepositoryAuthConfigObservation.
@@ -5650,6 +7135,26 @@ func (in *RepositoryAuthConfigParameters) DeepCopy() *RepositoryAuthConfigParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceSpecObservation) DeepCopyInto(out *ResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceSpecObservation.
@@ -5700,6 +7205,11 @@ func (in *ResourceSpecParameters) DeepCopy() *ResourceSpecParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RetentionPolicyObservation) DeepCopyInto(out *RetentionPolicyObservation) {
 	*out = *in
+	if in.HomeEFSFileSystem != nil {
+		in, out := &in.HomeEFSFileSystem, &out.HomeEFSFileSystem
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetentionPolicyObservation.
@@ -5735,6 +7245,16 @@ func (in *RetentionPolicyParameters) DeepCopy() *RetentionPolicyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3StorageConfigObservation) DeepCopyInto(out *S3StorageConfigObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3URI != nil {
+		in, out := &in.S3URI, &out.S3URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3StorageConfigObservation.
@@ -5775,6 +7295,11 @@ func (in *S3StorageConfigParameters) DeepCopy() *S3StorageConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecurityConfigObservation) DeepCopyInto(out *SecurityConfigObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityConfigObservation.
@@ -5810,6 +7335,16 @@ func (in *SecurityConfigParameters) DeepCopy() *SecurityConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServerlessConfigObservation) DeepCopyInto(out *ServerlessConfigObservation) {
 	*out = *in
+	if in.MaxConcurrency != nil {
+		in, out := &in.MaxConcurrency, &out.MaxConcurrency
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemorySizeInMb != nil {
+		in, out := &in.MemorySizeInMb, &out.MemorySizeInMb
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerlessConfigObservation.
@@ -5914,6 +7449,11 @@ func (in *ServicecatalogPortfolioStatusObservation) DeepCopyInto(out *Servicecat
 		*out = new(string)
 		**out = **in
 	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServicecatalogPortfolioStatusObservation.
@@ -5988,6 +7528,16 @@ func (in *ServicecatalogPortfolioStatusStatus) DeepCopy() *ServicecatalogPortfol
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ShadowProductionVariantsCoreDumpConfigObservation) DeepCopyInto(out *ShadowProductionVariantsCoreDumpConfigObservation) {
 	*out = *in
+	if in.DestinationS3URI != nil {
+		in, out := &in.DestinationS3URI, &out.DestinationS3URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShadowProductionVariantsCoreDumpConfigObservation.
@@ -6028,6 +7578,65 @@ func (in *ShadowProductionVariantsCoreDumpConfigParameters) DeepCopy() *ShadowPr
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ShadowProductionVariantsObservation) DeepCopyInto(out *ShadowProductionVariantsObservation) {
 	*out = *in
+	if in.AcceleratorType != nil {
+		in, out := &in.AcceleratorType, &out.AcceleratorType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ContainerStartupHealthCheckTimeoutInSeconds != nil {
+		in, out := &in.ContainerStartupHealthCheckTimeoutInSeconds, &out.ContainerStartupHealthCheckTimeoutInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CoreDumpConfig != nil {
+		in, out := &in.CoreDumpConfig, &out.CoreDumpConfig
+		*out = make([]ShadowProductionVariantsCoreDumpConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.InitialInstanceCount != nil {
+		in, out := &in.InitialInstanceCount, &out.InitialInstanceCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InitialVariantWeight != nil {
+		in, out := &in.InitialVariantWeight, &out.InitialVariantWeight
+		*out = new(float64)
+		**out = **in
+	}
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ModelDataDownloadTimeoutInSeconds != nil {
+		in, out := &in.ModelDataDownloadTimeoutInSeconds, &out.ModelDataDownloadTimeoutInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ModelName != nil {
+		in, out := &in.ModelName, &out.ModelName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerlessConfig != nil {
+		in, out := &in.ServerlessConfig, &out.ServerlessConfig
+		*out = make([]ShadowProductionVariantsServerlessConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VariantName != nil {
+		in, out := &in.VariantName, &out.VariantName
+		*out = new(string)
+		**out = **in
+	}
+	if in.VolumeSizeInGb != nil {
+		in, out := &in.VolumeSizeInGb, &out.VolumeSizeInGb
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShadowProductionVariantsObservation.
@@ -6117,6 +7726,16 @@ func (in *ShadowProductionVariantsParameters) DeepCopy() *ShadowProductionVarian
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ShadowProductionVariantsServerlessConfigObservation) DeepCopyInto(out *ShadowProductionVariantsServerlessConfigObservation) {
 	*out = *in
+	if in.MaxConcurrency != nil {
+		in, out := &in.MaxConcurrency, &out.MaxConcurrency
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemorySizeInMb != nil {
+		in, out := &in.MemorySizeInMb, &out.MemorySizeInMb
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShadowProductionVariantsServerlessConfigObservation.
@@ -6157,6 +7776,21 @@ func (in *ShadowProductionVariantsServerlessConfigParameters) DeepCopy() *Shadow
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SharingSettingsObservation) DeepCopyInto(out *SharingSettingsObservation) {
 	*out = *in
+	if in.NotebookOutputOption != nil {
+		in, out := &in.NotebookOutputOption, &out.NotebookOutputOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KMSKeyID != nil {
+		in, out := &in.S3KMSKeyID, &out.S3KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3OutputPath != nil {
+		in, out := &in.S3OutputPath, &out.S3OutputPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SharingSettingsObservation.
@@ -6202,6 +7836,17 @@ func (in *SharingSettingsParameters) DeepCopy() *SharingSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceIPConfigObservation) DeepCopyInto(out *SourceIPConfigObservation) {
 	*out = *in
+	if in.Cidrs != nil {
+		in, out := &in.Cidrs, &out.Cidrs
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceIPConfigObservation.
@@ -6307,6 +7952,11 @@ func (in *SpaceObservation) DeepCopyInto(out *SpaceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainID != nil {
+		in, out := &in.DomainID, &out.DomainID
+		*out = new(string)
+		**out = **in
+	}
 	if in.HomeEFSFileSystemUID != nil {
 		in, out := &in.HomeEFSFileSystemUID, &out.HomeEFSFileSystemUID
 		*out = new(string)
@@ -6317,6 +7967,33 @@ func (in *SpaceObservation) DeepCopyInto(out *SpaceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SpaceName != nil {
+		in, out := &in.SpaceName, &out.SpaceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.SpaceSettings != nil {
+		in, out := &in.SpaceSettings, &out.SpaceSettings
+		*out = make([]SpaceSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -6409,6 +8086,11 @@ func (in *SpaceParameters) DeepCopy() *SpaceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpaceSettingsJupyterServerAppSettingsCodeRepositoryObservation) DeepCopyInto(out *SpaceSettingsJupyterServerAppSettingsCodeRepositoryObservation) {
 	*out = *in
+	if in.RepositoryURL != nil {
+		in, out := &in.RepositoryURL, &out.RepositoryURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpaceSettingsJupyterServerAppSettingsCodeRepositoryObservation.
@@ -6444,6 +8126,26 @@ func (in *SpaceSettingsJupyterServerAppSettingsCodeRepositoryParameters) DeepCop
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecObservation.
@@ -6494,6 +8196,31 @@ func (in *SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecParameters) De
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpaceSettingsJupyterServerAppSettingsObservation) DeepCopyInto(out *SpaceSettingsJupyterServerAppSettingsObservation) {
 	*out = *in
+	if in.CodeRepository != nil {
+		in, out := &in.CodeRepository, &out.CodeRepository
+		*out = make([]SpaceSettingsJupyterServerAppSettingsCodeRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpaceSettingsJupyterServerAppSettingsObservation.
@@ -6549,6 +8276,21 @@ func (in *SpaceSettingsJupyterServerAppSettingsParameters) DeepCopy() *SpaceSett
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpaceSettingsKernelGatewayAppSettingsCustomImageObservation) DeepCopyInto(out *SpaceSettingsKernelGatewayAppSettingsCustomImageObservation) {
 	*out = *in
+	if in.AppImageConfigName != nil {
+		in, out := &in.AppImageConfigName, &out.AppImageConfigName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageVersionNumber != nil {
+		in, out := &in.ImageVersionNumber, &out.ImageVersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpaceSettingsKernelGatewayAppSettingsCustomImageObservation.
@@ -6594,6 +8336,26 @@ func (in *SpaceSettingsKernelGatewayAppSettingsCustomImageParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation.
@@ -6644,6 +8406,31 @@ func (in *SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters) De
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpaceSettingsKernelGatewayAppSettingsObservation) DeepCopyInto(out *SpaceSettingsKernelGatewayAppSettingsObservation) {
 	*out = *in
+	if in.CustomImage != nil {
+		in, out := &in.CustomImage, &out.CustomImage
+		*out = make([]SpaceSettingsKernelGatewayAppSettingsCustomImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpaceSettingsKernelGatewayAppSettingsObservation.
@@ -6699,6 +8486,20 @@ func (in *SpaceSettingsKernelGatewayAppSettingsParameters) DeepCopy() *SpaceSett
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SpaceSettingsObservation) DeepCopyInto(out *SpaceSettingsObservation) {
 	*out = *in
+	if in.JupyterServerAppSettings != nil {
+		in, out := &in.JupyterServerAppSettings, &out.JupyterServerAppSettings
+		*out = make([]SpaceSettingsJupyterServerAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KernelGatewayAppSettings != nil {
+		in, out := &in.KernelGatewayAppSettings, &out.KernelGatewayAppSettings
+		*out = make([]SpaceSettingsKernelGatewayAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SpaceSettingsObservation.
@@ -6846,6 +8647,31 @@ func (in *StudioLifecycleConfigObservation) DeepCopyInto(out *StudioLifecycleCon
 		*out = new(string)
 		**out = **in
 	}
+	if in.StudioLifecycleConfigAppType != nil {
+		in, out := &in.StudioLifecycleConfigAppType, &out.StudioLifecycleConfigAppType
+		*out = new(string)
+		**out = **in
+	}
+	if in.StudioLifecycleConfigContent != nil {
+		in, out := &in.StudioLifecycleConfigContent, &out.StudioLifecycleConfigContent
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -6955,6 +8781,26 @@ func (in *StudioLifecycleConfigStatus) DeepCopy() *StudioLifecycleConfigStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TensorBoardAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *TensorBoardAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TensorBoardAppSettingsDefaultResourceSpecObservation.
@@ -7005,6 +8851,13 @@ func (in *TensorBoardAppSettingsDefaultResourceSpecParameters) DeepCopy() *Tenso
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TensorBoardAppSettingsObservation) DeepCopyInto(out *TensorBoardAppSettingsObservation) {
 	*out = *in
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]TensorBoardAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TensorBoardAppSettingsObservation.
@@ -7042,6 +8895,16 @@ func (in *TensorBoardAppSettingsParameters) DeepCopy() *TensorBoardAppSettingsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TimeSeriesForecastingSettingsObservation) DeepCopyInto(out *TimeSeriesForecastingSettingsObservation) {
 	*out = *in
+	if in.AmazonForecastRoleArn != nil {
+		in, out := &in.AmazonForecastRoleArn, &out.AmazonForecastRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Status != nil {
+		in, out := &in.Status, &out.Status
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TimeSeriesForecastingSettingsObservation.
@@ -7146,6 +9009,11 @@ func (in *UserProfileObservation) DeepCopyInto(out *UserProfileObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainID != nil {
+		in, out := &in.DomainID, &out.DomainID
+		*out = new(string)
+		**out = **in
+	}
 	if in.HomeEFSFileSystemUID != nil {
 		in, out := &in.HomeEFSFileSystemUID, &out.HomeEFSFileSystemUID
 		*out = new(string)
@@ -7156,6 +9024,31 @@ func (in *UserProfileObservation) DeepCopyInto(out *UserProfileObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.SingleSignOnUserIdentifier != nil {
+		in, out := &in.SingleSignOnUserIdentifier, &out.SingleSignOnUserIdentifier
+		*out = new(string)
+		**out = **in
+	}
+	if in.SingleSignOnUserValue != nil {
+		in, out := &in.SingleSignOnUserValue, &out.SingleSignOnUserValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -7171,6 +9064,18 @@ func (in *UserProfileObservation) DeepCopyInto(out *UserProfileObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.UserProfileName != nil {
+		in, out := &in.UserProfileName, &out.UserProfileName
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserSettings != nil {
+		in, out := &in.UserSettings, &out.UserSettings
+		*out = make([]UserSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserProfileObservation.
@@ -7292,6 +9197,13 @@ func (in *UserProfileStatus) DeepCopy() *UserProfileStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsCanvasAppSettingsObservation) DeepCopyInto(out *UserSettingsCanvasAppSettingsObservation) {
 	*out = *in
+	if in.TimeSeriesForecastingSettings != nil {
+		in, out := &in.TimeSeriesForecastingSettings, &out.TimeSeriesForecastingSettings
+		*out = make([]CanvasAppSettingsTimeSeriesForecastingSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsCanvasAppSettingsObservation.
@@ -7329,6 +9241,11 @@ func (in *UserSettingsCanvasAppSettingsParameters) DeepCopy() *UserSettingsCanva
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsJupyterServerAppSettingsCodeRepositoryObservation) DeepCopyInto(out *UserSettingsJupyterServerAppSettingsCodeRepositoryObservation) {
 	*out = *in
+	if in.RepositoryURL != nil {
+		in, out := &in.RepositoryURL, &out.RepositoryURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsJupyterServerAppSettingsCodeRepositoryObservation.
@@ -7364,6 +9281,26 @@ func (in *UserSettingsJupyterServerAppSettingsCodeRepositoryParameters) DeepCopy
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsJupyterServerAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *UserSettingsJupyterServerAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsJupyterServerAppSettingsDefaultResourceSpecObservation.
@@ -7414,6 +9351,31 @@ func (in *UserSettingsJupyterServerAppSettingsDefaultResourceSpecParameters) Dee
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsJupyterServerAppSettingsObservation) DeepCopyInto(out *UserSettingsJupyterServerAppSettingsObservation) {
 	*out = *in
+	if in.CodeRepository != nil {
+		in, out := &in.CodeRepository, &out.CodeRepository
+		*out = make([]UserSettingsJupyterServerAppSettingsCodeRepositoryObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]UserSettingsJupyterServerAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsJupyterServerAppSettingsObservation.
@@ -7469,6 +9431,21 @@ func (in *UserSettingsJupyterServerAppSettingsParameters) DeepCopy() *UserSettin
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsKernelGatewayAppSettingsCustomImageObservation) DeepCopyInto(out *UserSettingsKernelGatewayAppSettingsCustomImageObservation) {
 	*out = *in
+	if in.AppImageConfigName != nil {
+		in, out := &in.AppImageConfigName, &out.AppImageConfigName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageVersionNumber != nil {
+		in, out := &in.ImageVersionNumber, &out.ImageVersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsKernelGatewayAppSettingsCustomImageObservation.
@@ -7514,6 +9491,26 @@ func (in *UserSettingsKernelGatewayAppSettingsCustomImageParameters) DeepCopy()
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *UserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation.
@@ -7556,14 +9553,39 @@ func (in *UserSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters) Dee
 	if in == nil {
 		return nil
 	}
-	out := new(UserSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *UserSettingsKernelGatewayAppSettingsObservation) DeepCopyInto(out *UserSettingsKernelGatewayAppSettingsObservation) {
-	*out = *in
+	out := new(UserSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *UserSettingsKernelGatewayAppSettingsObservation) DeepCopyInto(out *UserSettingsKernelGatewayAppSettingsObservation) {
+	*out = *in
+	if in.CustomImage != nil {
+		in, out := &in.CustomImage, &out.CustomImage
+		*out = make([]UserSettingsKernelGatewayAppSettingsCustomImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]UserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LifecycleConfigArns != nil {
+		in, out := &in.LifecycleConfigArns, &out.LifecycleConfigArns
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsKernelGatewayAppSettingsObservation.
@@ -7619,6 +9641,64 @@ func (in *UserSettingsKernelGatewayAppSettingsParameters) DeepCopy() *UserSettin
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsObservation) DeepCopyInto(out *UserSettingsObservation) {
 	*out = *in
+	if in.CanvasAppSettings != nil {
+		in, out := &in.CanvasAppSettings, &out.CanvasAppSettings
+		*out = make([]UserSettingsCanvasAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ExecutionRole != nil {
+		in, out := &in.ExecutionRole, &out.ExecutionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.JupyterServerAppSettings != nil {
+		in, out := &in.JupyterServerAppSettings, &out.JupyterServerAppSettings
+		*out = make([]UserSettingsJupyterServerAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.KernelGatewayAppSettings != nil {
+		in, out := &in.KernelGatewayAppSettings, &out.KernelGatewayAppSettings
+		*out = make([]UserSettingsKernelGatewayAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RSessionAppSettings != nil {
+		in, out := &in.RSessionAppSettings, &out.RSessionAppSettings
+		*out = make([]UserSettingsRSessionAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SharingSettings != nil {
+		in, out := &in.SharingSettings, &out.SharingSettings
+		*out = make([]UserSettingsSharingSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TensorBoardAppSettings != nil {
+		in, out := &in.TensorBoardAppSettings, &out.TensorBoardAppSettings
+		*out = make([]UserSettingsTensorBoardAppSettingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsObservation.
@@ -7707,6 +9787,21 @@ func (in *UserSettingsParameters) DeepCopy() *UserSettingsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsRSessionAppSettingsCustomImageObservation) DeepCopyInto(out *UserSettingsRSessionAppSettingsCustomImageObservation) {
 	*out = *in
+	if in.AppImageConfigName != nil {
+		in, out := &in.AppImageConfigName, &out.AppImageConfigName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageName != nil {
+		in, out := &in.ImageName, &out.ImageName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ImageVersionNumber != nil {
+		in, out := &in.ImageVersionNumber, &out.ImageVersionNumber
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsRSessionAppSettingsCustomImageObservation.
@@ -7752,6 +9847,26 @@ func (in *UserSettingsRSessionAppSettingsCustomImageParameters) DeepCopy() *User
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsRSessionAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *UserSettingsRSessionAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsRSessionAppSettingsDefaultResourceSpecObservation.
@@ -7802,6 +9917,20 @@ func (in *UserSettingsRSessionAppSettingsDefaultResourceSpecParameters) DeepCopy
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsRSessionAppSettingsObservation) DeepCopyInto(out *UserSettingsRSessionAppSettingsObservation) {
 	*out = *in
+	if in.CustomImage != nil {
+		in, out := &in.CustomImage, &out.CustomImage
+		*out = make([]UserSettingsRSessionAppSettingsCustomImageObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]UserSettingsRSessionAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsRSessionAppSettingsObservation.
@@ -7846,6 +9975,21 @@ func (in *UserSettingsRSessionAppSettingsParameters) DeepCopy() *UserSettingsRSe
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsSharingSettingsObservation) DeepCopyInto(out *UserSettingsSharingSettingsObservation) {
 	*out = *in
+	if in.NotebookOutputOption != nil {
+		in, out := &in.NotebookOutputOption, &out.NotebookOutputOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KMSKeyID != nil {
+		in, out := &in.S3KMSKeyID, &out.S3KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3OutputPath != nil {
+		in, out := &in.S3OutputPath, &out.S3OutputPath
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsSharingSettingsObservation.
@@ -7891,6 +10035,26 @@ func (in *UserSettingsSharingSettingsParameters) DeepCopy() *UserSettingsSharing
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsTensorBoardAppSettingsDefaultResourceSpecObservation) DeepCopyInto(out *UserSettingsTensorBoardAppSettingsDefaultResourceSpecObservation) {
 	*out = *in
+	if in.InstanceType != nil {
+		in, out := &in.InstanceType, &out.InstanceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.LifecycleConfigArn != nil {
+		in, out := &in.LifecycleConfigArn, &out.LifecycleConfigArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageArn != nil {
+		in, out := &in.SagemakerImageArn, &out.SagemakerImageArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerImageVersionArn != nil {
+		in, out := &in.SagemakerImageVersionArn, &out.SagemakerImageVersionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsTensorBoardAppSettingsDefaultResourceSpecObservation.
@@ -7941,6 +10105,13 @@ func (in *UserSettingsTensorBoardAppSettingsDefaultResourceSpecParameters) DeepC
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserSettingsTensorBoardAppSettingsObservation) DeepCopyInto(out *UserSettingsTensorBoardAppSettingsObservation) {
 	*out = *in
+	if in.DefaultResourceSpec != nil {
+		in, out := &in.DefaultResourceSpec, &out.DefaultResourceSpec
+		*out = make([]UserSettingsTensorBoardAppSettingsDefaultResourceSpecObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserSettingsTensorBoardAppSettingsObservation.
@@ -7978,6 +10149,28 @@ func (in *UserSettingsTensorBoardAppSettingsParameters) DeepCopy() *UserSettings
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VPCConfigObservation) DeepCopyInto(out *VPCConfigObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VPCConfigObservation.
@@ -8094,11 +10287,32 @@ func (in *WorkforceObservation) DeepCopyInto(out *WorkforceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.CognitoConfig != nil {
+		in, out := &in.CognitoConfig, &out.CognitoConfig
+		*out = make([]CognitoConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OidcConfig != nil {
+		in, out := &in.OidcConfig, &out.OidcConfig
+		*out = make([]OidcConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceIPConfig != nil {
+		in, out := &in.SourceIPConfig, &out.SourceIPConfig
+		*out = make([]SourceIPConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Subdomain != nil {
 		in, out := &in.Subdomain, &out.Subdomain
 		*out = new(string)
@@ -8208,11 +10422,38 @@ func (in *WorkforceStatus) DeepCopy() *WorkforceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkforceVPCConfigObservation) DeepCopyInto(out *WorkforceVPCConfigObservation) {
 	*out = *in
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.VPCEndpointID != nil {
 		in, out := &in.VPCEndpointID, &out.VPCEndpointID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkforceVPCConfigObservation.
@@ -8334,16 +10575,50 @@ func (in *WorkteamObservation) DeepCopyInto(out *WorkteamObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MemberDefinition != nil {
+		in, out := &in.MemberDefinition, &out.MemberDefinition
+		*out = make([]MemberDefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NotificationConfiguration != nil {
+		in, out := &in.NotificationConfiguration, &out.NotificationConfiguration
+		*out = make([]NotificationConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Subdomain != nil {
 		in, out := &in.Subdomain, &out.Subdomain
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -8359,6 +10634,11 @@ func (in *WorkteamObservation) DeepCopyInto(out *WorkteamObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.WorkforceName != nil {
+		in, out := &in.WorkforceName, &out.WorkforceName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkteamObservation.
diff --git a/apis/sagemaker/v1beta1/zz_image_types.go b/apis/sagemaker/v1beta1/zz_image_types.go
index 7c470a05ef..6ed04f2d36 100755
--- a/apis/sagemaker/v1beta1/zz_image_types.go
+++ b/apis/sagemaker/v1beta1/zz_image_types.go
@@ -18,9 +18,21 @@ type ImageObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this Image.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the image.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The display name of the image. When the image is added to a domain (must be unique to the domain).
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
 	// The name of the Image.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Amazon Resource Name (ARN) of an IAM role that enables Amazon SageMaker to perform tasks on your behalf.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/sagemaker/v1beta1/zz_imageversion_types.go b/apis/sagemaker/v1beta1/zz_imageversion_types.go
index 32602c281b..d1117963a8 100755
--- a/apis/sagemaker/v1beta1/zz_imageversion_types.go
+++ b/apis/sagemaker/v1beta1/zz_imageversion_types.go
@@ -18,6 +18,9 @@ type ImageVersionObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this Image Version.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The registry path of the container image on which this image version is based.
+	BaseImage *string `json:"baseImage,omitempty" tf:"base_image,omitempty"`
+
 	// The registry path of the container image that contains this image version.
 	ContainerImage *string `json:"containerImage,omitempty" tf:"container_image,omitempty"`
 
@@ -27,14 +30,17 @@ type ImageVersionObservation struct {
 	// The Amazon Resource Name (ARN) of the image the version is based on.
 	ImageArn *string `json:"imageArn,omitempty" tf:"image_arn,omitempty"`
 
+	// The name of the image. Must be unique to your account.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
 	Version *float64 `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type ImageVersionParameters struct {
 
 	// The registry path of the container image on which this image version is based.
-	// +kubebuilder:validation:Required
-	BaseImage *string `json:"baseImage" tf:"base_image,omitempty"`
+	// +kubebuilder:validation:Optional
+	BaseImage *string `json:"baseImage,omitempty" tf:"base_image,omitempty"`
 
 	// The name of the image. Must be unique to your account.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/sagemaker/v1beta1.Image
@@ -80,8 +86,9 @@ type ImageVersionStatus struct {
 type ImageVersion struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ImageVersionSpec   `json:"spec"`
-	Status            ImageVersionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.baseImage)",message="baseImage is a required parameter"
+	Spec   ImageVersionSpec   `json:"spec"`
+	Status ImageVersionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_model_types.go b/apis/sagemaker/v1beta1/zz_model_types.go
index 3ab9c93a85..d18e2d88b8 100755
--- a/apis/sagemaker/v1beta1/zz_model_types.go
+++ b/apis/sagemaker/v1beta1/zz_model_types.go
@@ -14,6 +14,25 @@ import (
 )
 
 type ContainerObservation struct {
+
+	// The DNS host name for the container.
+	ContainerHostname *string `json:"containerHostname,omitempty" tf:"container_hostname,omitempty"`
+
+	// Environment variables for the Docker container.
+	// A list of key value pairs.
+	Environment map[string]*string `json:"environment,omitempty" tf:"environment,omitempty"`
+
+	// The registry path where the inference code image is stored in Amazon ECR.
+	Image *string `json:"image,omitempty" tf:"image,omitempty"`
+
+	// Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). For more information see Using a Private Docker Registry for Real-Time Inference Containers. see Image Config.
+	ImageConfig []ImageConfigObservation `json:"imageConfig,omitempty" tf:"image_config,omitempty"`
+
+	// The container hosts value SingleModel/MultiModel. The default value is SingleModel.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// The URL for the S3 location where model artifacts are stored.
+	ModelDataURL *string `json:"modelDataUrl,omitempty" tf:"model_data_url,omitempty"`
 }
 
 type ContainerParameters struct {
@@ -45,6 +64,12 @@ type ContainerParameters struct {
 }
 
 type ImageConfigObservation struct {
+
+	// Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: Platform and Vpc.
+	RepositoryAccessMode *string `json:"repositoryAccessMode,omitempty" tf:"repository_access_mode,omitempty"`
+
+	// Specifies an authentication configuration for the private docker registry where your model image is hosted. Specify a value for this property only if you specified Vpc as the value for the RepositoryAccessMode field, and the private Docker registry where the model image is hosted requires authentication. see Repository Auth Config.
+	RepositoryAuthConfig []RepositoryAuthConfigObservation `json:"repositoryAuthConfig,omitempty" tf:"repository_auth_config,omitempty"`
 }
 
 type ImageConfigParameters struct {
@@ -59,6 +84,9 @@ type ImageConfigParameters struct {
 }
 
 type ImageConfigRepositoryAuthConfigObservation struct {
+
+	// The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see Create a Lambda function with the console in the AWS Lambda Developer Guide.
+	RepositoryCredentialsProviderArn *string `json:"repositoryCredentialsProviderArn,omitempty" tf:"repository_credentials_provider_arn,omitempty"`
 }
 
 type ImageConfigRepositoryAuthConfigParameters struct {
@@ -69,6 +97,9 @@ type ImageConfigRepositoryAuthConfigParameters struct {
 }
 
 type InferenceExecutionConfigObservation struct {
+
+	// The container hosts value SingleModel/MultiModel. The default value is SingleModel.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
 }
 
 type InferenceExecutionConfigParameters struct {
@@ -83,10 +114,31 @@ type ModelObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this model.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Specifies containers in the inference pipeline. If not specified, the primary_container argument is required. Fields are documented below.
+	Container []ContainerObservation `json:"container,omitempty" tf:"container,omitempty"`
+
+	// Isolates the model container. No inbound or outbound network calls can be made to or from the model container.
+	EnableNetworkIsolation *bool `json:"enableNetworkIsolation,omitempty" tf:"enable_network_isolation,omitempty"`
+
+	// A role that SageMaker can assume to access model artifacts and docker images for deployment.
+	ExecutionRoleArn *string `json:"executionRoleArn,omitempty" tf:"execution_role_arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies details of how containers in a multi-container endpoint are called. see Inference Execution Config.
+	InferenceExecutionConfig []InferenceExecutionConfigObservation `json:"inferenceExecutionConfig,omitempty" tf:"inference_execution_config,omitempty"`
+
+	// The primary docker image containing inference code that is used when the model is deployed for predictions.  If not specified, the container argument is required. Fields are documented below.
+	PrimaryContainer []PrimaryContainerObservation `json:"primaryContainer,omitempty" tf:"primary_container,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Specifies the VPC that you want your model to connect to. VpcConfig is used in hosting services and in batch transform.
+	VPCConfig []VPCConfigObservation `json:"vpcConfig,omitempty" tf:"vpc_config,omitempty"`
 }
 
 type ModelParameters struct {
@@ -136,6 +188,12 @@ type ModelParameters struct {
 }
 
 type PrimaryContainerImageConfigObservation struct {
+
+	// Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: Platform and Vpc.
+	RepositoryAccessMode *string `json:"repositoryAccessMode,omitempty" tf:"repository_access_mode,omitempty"`
+
+	// Specifies an authentication configuration for the private docker registry where your model image is hosted. Specify a value for this property only if you specified Vpc as the value for the RepositoryAccessMode field, and the private Docker registry where the model image is hosted requires authentication. see Repository Auth Config.
+	RepositoryAuthConfig []ImageConfigRepositoryAuthConfigObservation `json:"repositoryAuthConfig,omitempty" tf:"repository_auth_config,omitempty"`
 }
 
 type PrimaryContainerImageConfigParameters struct {
@@ -150,6 +208,25 @@ type PrimaryContainerImageConfigParameters struct {
 }
 
 type PrimaryContainerObservation struct {
+
+	// The DNS host name for the container.
+	ContainerHostname *string `json:"containerHostname,omitempty" tf:"container_hostname,omitempty"`
+
+	// Environment variables for the Docker container.
+	// A list of key value pairs.
+	Environment map[string]*string `json:"environment,omitempty" tf:"environment,omitempty"`
+
+	// The registry path where the inference code image is stored in Amazon ECR.
+	Image *string `json:"image,omitempty" tf:"image,omitempty"`
+
+	// Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). For more information see Using a Private Docker Registry for Real-Time Inference Containers. see Image Config.
+	ImageConfig []PrimaryContainerImageConfigObservation `json:"imageConfig,omitempty" tf:"image_config,omitempty"`
+
+	// The container hosts value SingleModel/MultiModel. The default value is SingleModel.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
+
+	// The URL for the S3 location where model artifacts are stored.
+	ModelDataURL *string `json:"modelDataUrl,omitempty" tf:"model_data_url,omitempty"`
 }
 
 type PrimaryContainerParameters struct {
@@ -181,6 +258,9 @@ type PrimaryContainerParameters struct {
 }
 
 type RepositoryAuthConfigObservation struct {
+
+	// The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see Create a Lambda function with the console in the AWS Lambda Developer Guide.
+	RepositoryCredentialsProviderArn *string `json:"repositoryCredentialsProviderArn,omitempty" tf:"repository_credentials_provider_arn,omitempty"`
 }
 
 type RepositoryAuthConfigParameters struct {
@@ -191,6 +271,9 @@ type RepositoryAuthConfigParameters struct {
 }
 
 type VPCConfigObservation struct {
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
 }
 
 type VPCConfigParameters struct {
diff --git a/apis/sagemaker/v1beta1/zz_modelpackagegroup_types.go b/apis/sagemaker/v1beta1/zz_modelpackagegroup_types.go
index 7a1c3273b8..fdc4bcce77 100755
--- a/apis/sagemaker/v1beta1/zz_modelpackagegroup_types.go
+++ b/apis/sagemaker/v1beta1/zz_modelpackagegroup_types.go
@@ -21,6 +21,12 @@ type ModelPackageGroupObservation struct {
 	// The name of the Model Package Group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A description for the model group.
+	ModelPackageGroupDescription *string `json:"modelPackageGroupDescription,omitempty" tf:"model_package_group_description,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/sagemaker/v1beta1/zz_modelpackagegrouppolicy_types.go b/apis/sagemaker/v1beta1/zz_modelpackagegrouppolicy_types.go
index fea072cbcc..727712243e 100755
--- a/apis/sagemaker/v1beta1/zz_modelpackagegrouppolicy_types.go
+++ b/apis/sagemaker/v1beta1/zz_modelpackagegrouppolicy_types.go
@@ -17,6 +17,11 @@ type ModelPackageGroupPolicyObservation struct {
 
 	// The name of the Model Package Package Group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the model package group.
+	ModelPackageGroupName *string `json:"modelPackageGroupName,omitempty" tf:"model_package_group_name,omitempty"`
+
+	ResourcePolicy *string `json:"resourcePolicy,omitempty" tf:"resource_policy,omitempty"`
 }
 
 type ModelPackageGroupPolicyParameters struct {
@@ -39,8 +44,8 @@ type ModelPackageGroupPolicyParameters struct {
 	// +kubebuilder:validation:Required
 	Region *string `json:"region" tf:"-"`
 
-	// +kubebuilder:validation:Required
-	ResourcePolicy *string `json:"resourcePolicy" tf:"resource_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourcePolicy *string `json:"resourcePolicy,omitempty" tf:"resource_policy,omitempty"`
 }
 
 // ModelPackageGroupPolicySpec defines the desired state of ModelPackageGroupPolicy
@@ -67,8 +72,9 @@ type ModelPackageGroupPolicyStatus struct {
 type ModelPackageGroupPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ModelPackageGroupPolicySpec   `json:"spec"`
-	Status            ModelPackageGroupPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourcePolicy)",message="resourcePolicy is a required parameter"
+	Spec   ModelPackageGroupPolicySpec   `json:"spec"`
+	Status ModelPackageGroupPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_notebookinstance_types.go b/apis/sagemaker/v1beta1/zz_notebookinstance_types.go
index 2f189176b0..904ffeaf17 100755
--- a/apis/sagemaker/v1beta1/zz_notebookinstance_types.go
+++ b/apis/sagemaker/v1beta1/zz_notebookinstance_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type InstanceMetadataServiceConfigurationObservation struct {
+
+	// Indicates the minimum IMDS version that the notebook instance supports. When passed "1" is passed. This means that both IMDSv1 and IMDSv2 are supported. Valid values are 1 and 2.
+	MinimumInstanceMetadataServiceVersion *string `json:"minimumInstanceMetadataServiceVersion,omitempty" tf:"minimum_instance_metadata_service_version,omitempty"`
 }
 
 type InstanceMetadataServiceConfigurationParameters struct {
@@ -25,20 +28,66 @@ type InstanceMetadataServiceConfigurationParameters struct {
 
 type NotebookInstanceObservation struct {
 
+	// A list of Elastic Inference (EI) instance types to associate with this notebook instance. See Elastic Inference Accelerator for more details. Valid values: ml.eia1.medium, ml.eia1.large, ml.eia1.xlarge, ml.eia2.medium, ml.eia2.large, ml.eia2.xlarge.
+	AcceleratorTypes []*string `json:"acceleratorTypes,omitempty" tf:"accelerator_types,omitempty"`
+
+	// An array of up to three Git repositories to associate with the notebook instance.
+	// These can be either the names of Git repositories stored as resources in your account, or the URL of Git repositories in AWS CodeCommit or in any other Git repository. These repositories are cloned at the same level as the default repository of your notebook instance.
+	AdditionalCodeRepositories []*string `json:"additionalCodeRepositories,omitempty" tf:"additional_code_repositories,omitempty"`
+
 	// The Amazon Resource Name (ARN) assigned by AWS to this notebook instance.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Git repository associated with the notebook instance as its default code repository. This can be either the name of a Git repository stored as a resource in your account, or the URL of a Git repository in AWS CodeCommit or in any other Git repository.
+	DefaultCodeRepository *string `json:"defaultCodeRepository,omitempty" tf:"default_code_repository,omitempty"`
+
+	// Set to Disabled to disable internet access to notebook. Requires security_groups and subnet_id to be set. Supported values: Enabled (Default) or Disabled. If set to Disabled, the notebook instance will be able to access resources only in your VPC, and will not be able to connect to Amazon SageMaker training and endpoint services unless your configure a NAT Gateway in your VPC.
+	DirectInternetAccess *string `json:"directInternetAccess,omitempty" tf:"direct_internet_access,omitempty"`
+
 	// The name of the notebook instance.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Information on the IMDS configuration of the notebook instance. Conflicts with instance_metadata_service_configuration. see details below.
+	InstanceMetadataServiceConfiguration []InstanceMetadataServiceConfigurationObservation `json:"instanceMetadataServiceConfiguration,omitempty" tf:"instance_metadata_service_configuration,omitempty"`
+
+	// The name of ML compute instance type.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// The name of a lifecycle configuration to associate with the notebook instance.
+	LifecycleConfigName *string `json:"lifecycleConfigName,omitempty" tf:"lifecycle_config_name,omitempty"`
+
 	// The network interface ID that Amazon SageMaker created at the time of creating the instance. Only available when setting subnet_id.
 	NetworkInterfaceID *string `json:"networkInterfaceId,omitempty" tf:"network_interface_id,omitempty"`
 
+	// The platform identifier of the notebook instance runtime environment. This value can be either notebook-al1-v1, notebook-al2-v1, or  notebook-al2-v2, depending on which version of Amazon Linux you require.
+	PlatformIdentifier *string `json:"platformIdentifier,omitempty" tf:"platform_identifier,omitempty"`
+
+	// The ARN of the IAM role to be used by the notebook instance which allows SageMaker to call other services on your behalf.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Whether root access is Enabled or Disabled for users of the notebook instance. The default value is Enabled.
+	RootAccess *string `json:"rootAccess,omitempty" tf:"root_access,omitempty"`
+
+	// The associated security groups.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The VPC subnet ID.
+	SubnetID *string `json:"subnetId,omitempty" tf:"subnet_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// The URL that you use to connect to the Jupyter notebook that is running in your notebook instance.
 	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// The size, in GB, of the ML storage volume to attach to the notebook instance. The default value is 5 GB.
+	VolumeSize *float64 `json:"volumeSize,omitempty" tf:"volume_size,omitempty"`
 }
 
 type NotebookInstanceParameters struct {
@@ -74,8 +123,8 @@ type NotebookInstanceParameters struct {
 	InstanceMetadataServiceConfiguration []InstanceMetadataServiceConfigurationParameters `json:"instanceMetadataServiceConfiguration,omitempty" tf:"instance_metadata_service_configuration,omitempty"`
 
 	// The name of ML compute instance type.
-	// +kubebuilder:validation:Required
-	InstanceType *string `json:"instanceType" tf:"instance_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
 
 	// The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/kms/v1beta1.Key
@@ -171,8 +220,9 @@ type NotebookInstanceStatus struct {
 type NotebookInstance struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NotebookInstanceSpec   `json:"spec"`
-	Status            NotebookInstanceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)",message="instanceType is a required parameter"
+	Spec   NotebookInstanceSpec   `json:"spec"`
+	Status NotebookInstanceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_notebookinstancelifecycleconfiguration_types.go b/apis/sagemaker/v1beta1/zz_notebookinstancelifecycleconfiguration_types.go
index 383684634e..25c87f2a0f 100755
--- a/apis/sagemaker/v1beta1/zz_notebookinstancelifecycleconfiguration_types.go
+++ b/apis/sagemaker/v1beta1/zz_notebookinstancelifecycleconfiguration_types.go
@@ -19,6 +19,12 @@ type NotebookInstanceLifecycleConfigurationObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A shell script (base64-encoded) that runs only once when the SageMaker Notebook Instance is created.
+	OnCreate *string `json:"onCreate,omitempty" tf:"on_create,omitempty"`
+
+	// A shell script (base64-encoded) that runs every time the SageMaker Notebook Instance is started including the time it's created.
+	OnStart *string `json:"onStart,omitempty" tf:"on_start,omitempty"`
 }
 
 type NotebookInstanceLifecycleConfigurationParameters struct {
diff --git a/apis/sagemaker/v1beta1/zz_servicecatalogportfoliostatus_types.go b/apis/sagemaker/v1beta1/zz_servicecatalogportfoliostatus_types.go
index 9cc31bd4c8..b57bfb49d2 100755
--- a/apis/sagemaker/v1beta1/zz_servicecatalogportfoliostatus_types.go
+++ b/apis/sagemaker/v1beta1/zz_servicecatalogportfoliostatus_types.go
@@ -17,6 +17,9 @@ type ServicecatalogPortfolioStatusObservation struct {
 
 	// The AWS Region the Servicecatalog portfolio status resides in.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Whether Service Catalog is enabled or disabled in SageMaker. Valid values are Enabled and Disabled.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type ServicecatalogPortfolioStatusParameters struct {
@@ -27,8 +30,8 @@ type ServicecatalogPortfolioStatusParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Whether Service Catalog is enabled or disabled in SageMaker. Valid values are Enabled and Disabled.
-	// +kubebuilder:validation:Required
-	Status *string `json:"status" tf:"status,omitempty"`
+	// +kubebuilder:validation:Optional
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 // ServicecatalogPortfolioStatusSpec defines the desired state of ServicecatalogPortfolioStatus
@@ -55,8 +58,9 @@ type ServicecatalogPortfolioStatusStatus struct {
 type ServicecatalogPortfolioStatus struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServicecatalogPortfolioStatusSpec   `json:"spec"`
-	Status            ServicecatalogPortfolioStatusStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.status)",message="status is a required parameter"
+	Spec   ServicecatalogPortfolioStatusSpec   `json:"spec"`
+	Status ServicecatalogPortfolioStatusStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_space_types.go b/apis/sagemaker/v1beta1/zz_space_types.go
index 0448e583d3..4e0371b2ac 100755
--- a/apis/sagemaker/v1beta1/zz_space_types.go
+++ b/apis/sagemaker/v1beta1/zz_space_types.go
@@ -18,12 +18,24 @@ type SpaceObservation struct {
 	// The space's Amazon Resource Name (ARN).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of the associated Domain.
+	DomainID *string `json:"domainId,omitempty" tf:"domain_id,omitempty"`
+
 	// The ID of the space's profile in the Amazon Elastic File System volume.
 	HomeEFSFileSystemUID *string `json:"homeEfsFileSystemUid,omitempty" tf:"home_efs_file_system_uid,omitempty"`
 
 	// The space's Amazon Resource Name (ARN).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the space.
+	SpaceName *string `json:"spaceName,omitempty" tf:"space_name,omitempty"`
+
+	// A collection of space settings. See Space Settings below.
+	SpaceSettings []SpaceSettingsObservation `json:"spaceSettings,omitempty" tf:"space_settings,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -50,8 +62,8 @@ type SpaceParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The name of the space.
-	// +kubebuilder:validation:Required
-	SpaceName *string `json:"spaceName" tf:"space_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	SpaceName *string `json:"spaceName,omitempty" tf:"space_name,omitempty"`
 
 	// A collection of space settings. See Space Settings below.
 	// +kubebuilder:validation:Optional
@@ -63,6 +75,9 @@ type SpaceParameters struct {
 }
 
 type SpaceSettingsJupyterServerAppSettingsCodeRepositoryObservation struct {
+
+	// The URL of the Git repository.
+	RepositoryURL *string `json:"repositoryUrl,omitempty" tf:"repository_url,omitempty"`
 }
 
 type SpaceSettingsJupyterServerAppSettingsCodeRepositoryParameters struct {
@@ -73,6 +88,18 @@ type SpaceSettingsJupyterServerAppSettingsCodeRepositoryParameters struct {
 }
 
 type SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SageMaker image created on the instance.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecParameters struct {
@@ -95,6 +122,15 @@ type SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type SpaceSettingsJupyterServerAppSettingsObservation struct {
+
+	// A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below.
+	CodeRepository []SpaceSettingsJupyterServerAppSettingsCodeRepositoryObservation `json:"codeRepository,omitempty" tf:"code_repository,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []SpaceSettingsJupyterServerAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type SpaceSettingsJupyterServerAppSettingsParameters struct {
@@ -113,6 +149,15 @@ type SpaceSettingsJupyterServerAppSettingsParameters struct {
 }
 
 type SpaceSettingsKernelGatewayAppSettingsCustomImageObservation struct {
+
+	// The name of the App Image Config.
+	AppImageConfigName *string `json:"appImageConfigName,omitempty" tf:"app_image_config_name,omitempty"`
+
+	// The name of the Custom Image.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
+	// The version number of the Custom Image.
+	ImageVersionNumber *float64 `json:"imageVersionNumber,omitempty" tf:"image_version_number,omitempty"`
 }
 
 type SpaceSettingsKernelGatewayAppSettingsCustomImageParameters struct {
@@ -131,6 +176,18 @@ type SpaceSettingsKernelGatewayAppSettingsCustomImageParameters struct {
 }
 
 type SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SageMaker image created on the instance.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters struct {
@@ -153,6 +210,15 @@ type SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type SpaceSettingsKernelGatewayAppSettingsObservation struct {
+
+	// A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below.
+	CustomImage []SpaceSettingsKernelGatewayAppSettingsCustomImageObservation `json:"customImage,omitempty" tf:"custom_image,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []SpaceSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type SpaceSettingsKernelGatewayAppSettingsParameters struct {
@@ -171,6 +237,12 @@ type SpaceSettingsKernelGatewayAppSettingsParameters struct {
 }
 
 type SpaceSettingsObservation struct {
+
+	// The Jupyter server's app settings. See Jupyter Server App Settings below.
+	JupyterServerAppSettings []SpaceSettingsJupyterServerAppSettingsObservation `json:"jupyterServerAppSettings,omitempty" tf:"jupyter_server_app_settings,omitempty"`
+
+	// The kernel gateway app settings. See Kernel Gateway App Settings below.
+	KernelGatewayAppSettings []SpaceSettingsKernelGatewayAppSettingsObservation `json:"kernelGatewayAppSettings,omitempty" tf:"kernel_gateway_app_settings,omitempty"`
 }
 
 type SpaceSettingsParameters struct {
@@ -208,8 +280,9 @@ type SpaceStatus struct {
 type Space struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SpaceSpec   `json:"spec"`
-	Status            SpaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spaceName)",message="spaceName is a required parameter"
+	Spec   SpaceSpec   `json:"spec"`
+	Status SpaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_studiolifecycleconfig_types.go b/apis/sagemaker/v1beta1/zz_studiolifecycleconfig_types.go
index ace8a9be65..763abe74e4 100755
--- a/apis/sagemaker/v1beta1/zz_studiolifecycleconfig_types.go
+++ b/apis/sagemaker/v1beta1/zz_studiolifecycleconfig_types.go
@@ -21,6 +21,15 @@ type StudioLifecycleConfigObservation struct {
 	// The name of the Studio Lifecycle Config.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The App type that the Lifecycle Configuration is attached to. Valid values are JupyterServer and KernelGateway.
+	StudioLifecycleConfigAppType *string `json:"studioLifecycleConfigAppType,omitempty" tf:"studio_lifecycle_config_app_type,omitempty"`
+
+	// The content of your Studio Lifecycle Configuration script. This content must be base64 encoded.
+	StudioLifecycleConfigContent *string `json:"studioLifecycleConfigContent,omitempty" tf:"studio_lifecycle_config_content,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -33,12 +42,12 @@ type StudioLifecycleConfigParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The App type that the Lifecycle Configuration is attached to. Valid values are JupyterServer and KernelGateway.
-	// +kubebuilder:validation:Required
-	StudioLifecycleConfigAppType *string `json:"studioLifecycleConfigAppType" tf:"studio_lifecycle_config_app_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	StudioLifecycleConfigAppType *string `json:"studioLifecycleConfigAppType,omitempty" tf:"studio_lifecycle_config_app_type,omitempty"`
 
 	// The content of your Studio Lifecycle Configuration script. This content must be base64 encoded.
-	// +kubebuilder:validation:Required
-	StudioLifecycleConfigContent *string `json:"studioLifecycleConfigContent" tf:"studio_lifecycle_config_content,omitempty"`
+	// +kubebuilder:validation:Optional
+	StudioLifecycleConfigContent *string `json:"studioLifecycleConfigContent,omitempty" tf:"studio_lifecycle_config_content,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -69,8 +78,10 @@ type StudioLifecycleConfigStatus struct {
 type StudioLifecycleConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StudioLifecycleConfigSpec   `json:"spec"`
-	Status            StudioLifecycleConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.studioLifecycleConfigAppType)",message="studioLifecycleConfigAppType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.studioLifecycleConfigContent)",message="studioLifecycleConfigContent is a required parameter"
+	Spec   StudioLifecycleConfigSpec   `json:"spec"`
+	Status StudioLifecycleConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_userprofile_types.go b/apis/sagemaker/v1beta1/zz_userprofile_types.go
index c15a560b25..3d14c5f2f9 100755
--- a/apis/sagemaker/v1beta1/zz_userprofile_types.go
+++ b/apis/sagemaker/v1beta1/zz_userprofile_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CanvasAppSettingsTimeSeriesForecastingSettingsObservation struct {
+
+	// The IAM role that Canvas passes to Amazon Forecast for time series forecasting. By default, Canvas uses the execution role specified in the UserProfile that launches the Canvas app. If an execution role is not specified in the UserProfile, Canvas uses the execution role specified in the Domain that owns the UserProfile. To allow time series forecasting, this IAM role should have the AmazonSageMakerCanvasForecastAccess policy attached and forecast.amazonaws.com added in the trust relationship as a service principal.
+	AmazonForecastRoleArn *string `json:"amazonForecastRoleArn,omitempty" tf:"amazon_forecast_role_arn,omitempty"`
+
+	// Describes whether time series forecasting is enabled or disabled in the Canvas app. Valid values are ENABLED and DISABLED.
+	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
 
 type CanvasAppSettingsTimeSeriesForecastingSettingsParameters struct {
@@ -32,14 +38,32 @@ type UserProfileObservation struct {
 	// The user profile Amazon Resource Name (ARN).
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ID of the associated Domain.
+	DomainID *string `json:"domainId,omitempty" tf:"domain_id,omitempty"`
+
 	// The ID of the user's profile in the Amazon Elastic File System (EFS) volume.
 	HomeEFSFileSystemUID *string `json:"homeEfsFileSystemUid,omitempty" tf:"home_efs_file_system_uid,omitempty"`
 
 	// The user profile Amazon Resource Name (ARN).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A specifier for the type of value specified in single_sign_on_user_value. Currently, the only supported value is UserName. If the Domain's AuthMode is SSO, this field is required. If the Domain's AuthMode is not SSO, this field cannot be specified.
+	SingleSignOnUserIdentifier *string `json:"singleSignOnUserIdentifier,omitempty" tf:"single_sign_on_user_identifier,omitempty"`
+
+	// The username of the associated AWS Single Sign-On User for this User Profile. If the Domain's AuthMode is SSO, this field is required, and must match a valid username of a user in your directory. If the Domain's AuthMode is not SSO, this field cannot be specified.
+	SingleSignOnUserValue *string `json:"singleSignOnUserValue,omitempty" tf:"single_sign_on_user_value,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The name for the User Profile.
+	UserProfileName *string `json:"userProfileName,omitempty" tf:"user_profile_name,omitempty"`
+
+	// The user settings. See User Settings below.
+	UserSettings []UserSettingsObservation `json:"userSettings,omitempty" tf:"user_settings,omitempty"`
 }
 
 type UserProfileParameters struct {
@@ -76,8 +100,8 @@ type UserProfileParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The name for the User Profile.
-	// +kubebuilder:validation:Required
-	UserProfileName *string `json:"userProfileName" tf:"user_profile_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	UserProfileName *string `json:"userProfileName,omitempty" tf:"user_profile_name,omitempty"`
 
 	// The user settings. See User Settings below.
 	// +kubebuilder:validation:Optional
@@ -85,6 +109,9 @@ type UserProfileParameters struct {
 }
 
 type UserSettingsCanvasAppSettingsObservation struct {
+
+	// Time series forecast settings for the Canvas app. see Time Series Forecasting Settings below.
+	TimeSeriesForecastingSettings []CanvasAppSettingsTimeSeriesForecastingSettingsObservation `json:"timeSeriesForecastingSettings,omitempty" tf:"time_series_forecasting_settings,omitempty"`
 }
 
 type UserSettingsCanvasAppSettingsParameters struct {
@@ -95,6 +122,9 @@ type UserSettingsCanvasAppSettingsParameters struct {
 }
 
 type UserSettingsJupyterServerAppSettingsCodeRepositoryObservation struct {
+
+	// The URL of the Git repository.
+	RepositoryURL *string `json:"repositoryUrl,omitempty" tf:"repository_url,omitempty"`
 }
 
 type UserSettingsJupyterServerAppSettingsCodeRepositoryParameters struct {
@@ -105,6 +135,18 @@ type UserSettingsJupyterServerAppSettingsCodeRepositoryParameters struct {
 }
 
 type UserSettingsJupyterServerAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SageMaker image created on the instance.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type UserSettingsJupyterServerAppSettingsDefaultResourceSpecParameters struct {
@@ -127,6 +169,15 @@ type UserSettingsJupyterServerAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type UserSettingsJupyterServerAppSettingsObservation struct {
+
+	// A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below.
+	CodeRepository []UserSettingsJupyterServerAppSettingsCodeRepositoryObservation `json:"codeRepository,omitempty" tf:"code_repository,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []UserSettingsJupyterServerAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type UserSettingsJupyterServerAppSettingsParameters struct {
@@ -145,6 +196,15 @@ type UserSettingsJupyterServerAppSettingsParameters struct {
 }
 
 type UserSettingsKernelGatewayAppSettingsCustomImageObservation struct {
+
+	// The name of the App Image Config.
+	AppImageConfigName *string `json:"appImageConfigName,omitempty" tf:"app_image_config_name,omitempty"`
+
+	// The name of the Custom Image.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
+	// The version number of the Custom Image.
+	ImageVersionNumber *float64 `json:"imageVersionNumber,omitempty" tf:"image_version_number,omitempty"`
 }
 
 type UserSettingsKernelGatewayAppSettingsCustomImageParameters struct {
@@ -163,6 +223,18 @@ type UserSettingsKernelGatewayAppSettingsCustomImageParameters struct {
 }
 
 type UserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SageMaker image created on the instance.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type UserSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters struct {
@@ -185,6 +257,15 @@ type UserSettingsKernelGatewayAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type UserSettingsKernelGatewayAppSettingsObservation struct {
+
+	// A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below.
+	CustomImage []UserSettingsKernelGatewayAppSettingsCustomImageObservation `json:"customImage,omitempty" tf:"custom_image,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []UserSettingsKernelGatewayAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configurations.
+	LifecycleConfigArns []*string `json:"lifecycleConfigArns,omitempty" tf:"lifecycle_config_arns,omitempty"`
 }
 
 type UserSettingsKernelGatewayAppSettingsParameters struct {
@@ -203,6 +284,30 @@ type UserSettingsKernelGatewayAppSettingsParameters struct {
 }
 
 type UserSettingsObservation struct {
+
+	// The Canvas app settings. See Canvas App Settings below.
+	CanvasAppSettings []UserSettingsCanvasAppSettingsObservation `json:"canvasAppSettings,omitempty" tf:"canvas_app_settings,omitempty"`
+
+	// The execution role ARN for the user.
+	ExecutionRole *string `json:"executionRole,omitempty" tf:"execution_role,omitempty"`
+
+	// The Jupyter server's app settings. See Jupyter Server App Settings below.
+	JupyterServerAppSettings []UserSettingsJupyterServerAppSettingsObservation `json:"jupyterServerAppSettings,omitempty" tf:"jupyter_server_app_settings,omitempty"`
+
+	// The kernel gateway app settings. See Kernel Gateway App Settings below.
+	KernelGatewayAppSettings []UserSettingsKernelGatewayAppSettingsObservation `json:"kernelGatewayAppSettings,omitempty" tf:"kernel_gateway_app_settings,omitempty"`
+
+	// The RSession app settings. See RSession App Settings below.
+	RSessionAppSettings []UserSettingsRSessionAppSettingsObservation `json:"rSessionAppSettings,omitempty" tf:"r_session_app_settings,omitempty"`
+
+	// The security groups.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// The sharing settings. See Sharing Settings below.
+	SharingSettings []UserSettingsSharingSettingsObservation `json:"sharingSettings,omitempty" tf:"sharing_settings,omitempty"`
+
+	// The TensorBoard app settings. See TensorBoard App Settings below.
+	TensorBoardAppSettings []UserSettingsTensorBoardAppSettingsObservation `json:"tensorBoardAppSettings,omitempty" tf:"tensor_board_app_settings,omitempty"`
 }
 
 type UserSettingsParameters struct {
@@ -241,6 +346,15 @@ type UserSettingsParameters struct {
 }
 
 type UserSettingsRSessionAppSettingsCustomImageObservation struct {
+
+	// The name of the App Image Config.
+	AppImageConfigName *string `json:"appImageConfigName,omitempty" tf:"app_image_config_name,omitempty"`
+
+	// The name of the Custom Image.
+	ImageName *string `json:"imageName,omitempty" tf:"image_name,omitempty"`
+
+	// The version number of the Custom Image.
+	ImageVersionNumber *float64 `json:"imageVersionNumber,omitempty" tf:"image_version_number,omitempty"`
 }
 
 type UserSettingsRSessionAppSettingsCustomImageParameters struct {
@@ -259,6 +373,18 @@ type UserSettingsRSessionAppSettingsCustomImageParameters struct {
 }
 
 type UserSettingsRSessionAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SageMaker image created on the instance.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type UserSettingsRSessionAppSettingsDefaultResourceSpecParameters struct {
@@ -281,6 +407,12 @@ type UserSettingsRSessionAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type UserSettingsRSessionAppSettingsObservation struct {
+
+	// A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below.
+	CustomImage []UserSettingsRSessionAppSettingsCustomImageObservation `json:"customImage,omitempty" tf:"custom_image,omitempty"`
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []UserSettingsRSessionAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
 }
 
 type UserSettingsRSessionAppSettingsParameters struct {
@@ -295,6 +427,15 @@ type UserSettingsRSessionAppSettingsParameters struct {
 }
 
 type UserSettingsSharingSettingsObservation struct {
+
+	// Whether to include the notebook cell output when sharing the notebook. The default is Disabled. Valid values are Allowed and Disabled.
+	NotebookOutputOption *string `json:"notebookOutputOption,omitempty" tf:"notebook_output_option,omitempty"`
+
+	// When notebook_output_option is Allowed, the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket.
+	S3KMSKeyID *string `json:"s3KmsKeyId,omitempty" tf:"s3_kms_key_id,omitempty"`
+
+	// When notebook_output_option is Allowed, the Amazon S3 bucket used to save the notebook cell output.
+	S3OutputPath *string `json:"s3OutputPath,omitempty" tf:"s3_output_path,omitempty"`
 }
 
 type UserSettingsSharingSettingsParameters struct {
@@ -313,6 +454,18 @@ type UserSettingsSharingSettingsParameters struct {
 }
 
 type UserSettingsTensorBoardAppSettingsDefaultResourceSpecObservation struct {
+
+	// The instance type.
+	InstanceType *string `json:"instanceType,omitempty" tf:"instance_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource.
+	LifecycleConfigArn *string `json:"lifecycleConfigArn,omitempty" tf:"lifecycle_config_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SageMaker image created on the instance.
+	SagemakerImageArn *string `json:"sagemakerImageArn,omitempty" tf:"sagemaker_image_arn,omitempty"`
+
+	// The ARN of the image version created on the instance.
+	SagemakerImageVersionArn *string `json:"sagemakerImageVersionArn,omitempty" tf:"sagemaker_image_version_arn,omitempty"`
 }
 
 type UserSettingsTensorBoardAppSettingsDefaultResourceSpecParameters struct {
@@ -335,6 +488,9 @@ type UserSettingsTensorBoardAppSettingsDefaultResourceSpecParameters struct {
 }
 
 type UserSettingsTensorBoardAppSettingsObservation struct {
+
+	// The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below.
+	DefaultResourceSpec []UserSettingsTensorBoardAppSettingsDefaultResourceSpecObservation `json:"defaultResourceSpec,omitempty" tf:"default_resource_spec,omitempty"`
 }
 
 type UserSettingsTensorBoardAppSettingsParameters struct {
@@ -368,8 +524,9 @@ type UserProfileStatus struct {
 type UserProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              UserProfileSpec   `json:"spec"`
-	Status            UserProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userProfileName)",message="userProfileName is a required parameter"
+	Spec   UserProfileSpec   `json:"spec"`
+	Status UserProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sagemaker/v1beta1/zz_workforce_types.go b/apis/sagemaker/v1beta1/zz_workforce_types.go
index 3386e7a9ce..4cef01ee3d 100755
--- a/apis/sagemaker/v1beta1/zz_workforce_types.go
+++ b/apis/sagemaker/v1beta1/zz_workforce_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CognitoConfigObservation struct {
+
+	// The client ID for your Amazon Cognito user pool.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// ID for your Amazon Cognito user pool.
+	UserPool *string `json:"userPool,omitempty" tf:"user_pool,omitempty"`
 }
 
 type CognitoConfigParameters struct {
@@ -48,6 +54,27 @@ type CognitoConfigParameters struct {
 }
 
 type OidcConfigObservation struct {
+
+	// The OIDC IdP authorization endpoint used to configure your private workforce.
+	AuthorizationEndpoint *string `json:"authorizationEndpoint,omitempty" tf:"authorization_endpoint,omitempty"`
+
+	// The client ID for your Amazon Cognito user pool.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// The OIDC IdP issuer used to configure your private workforce.
+	Issuer *string `json:"issuer,omitempty" tf:"issuer,omitempty"`
+
+	// The OIDC IdP JSON Web Key Set (Jwks) URI used to configure your private workforce.
+	JwksURI *string `json:"jwksUri,omitempty" tf:"jwks_uri,omitempty"`
+
+	// The OIDC IdP logout endpoint used to configure your private workforce.
+	LogoutEndpoint *string `json:"logoutEndpoint,omitempty" tf:"logout_endpoint,omitempty"`
+
+	// The OIDC IdP token endpoint used to configure your private workforce.
+	TokenEndpoint *string `json:"tokenEndpoint,omitempty" tf:"token_endpoint,omitempty"`
+
+	// The OIDC IdP user information endpoint used to configure your private workforce.
+	UserInfoEndpoint *string `json:"userInfoEndpoint,omitempty" tf:"user_info_endpoint,omitempty"`
 }
 
 type OidcConfigParameters struct {
@@ -86,6 +113,9 @@ type OidcConfigParameters struct {
 }
 
 type SourceIPConfigObservation struct {
+
+	// A list of up to 10 CIDR values.
+	Cidrs []*string `json:"cidrs,omitempty" tf:"cidrs,omitempty"`
 }
 
 type SourceIPConfigParameters struct {
@@ -100,14 +130,22 @@ type WorkforceObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this Workforce.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Use this parameter to configure an Amazon Cognito private workforce. A single Cognito workforce is created using and corresponds to a single Amazon Cognito user pool. Conflicts with oidc_config. see Cognito Config details below.
+	CognitoConfig []CognitoConfigObservation `json:"cognitoConfig,omitempty" tf:"cognito_config,omitempty"`
+
 	// The name of the Workforce.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Use this parameter to configure a private workforce using your own OIDC Identity Provider. Conflicts with cognito_config. see OIDC Config details below.
+	OidcConfig []OidcConfigObservation `json:"oidcConfig,omitempty" tf:"oidc_config,omitempty"`
+
+	// A list of IP address ranges Used to create an allow list of IP addresses for a private workforce. By default, a workforce isn't restricted to specific IP addresses. see Source Ip Config details below.
+	SourceIPConfig []SourceIPConfigObservation `json:"sourceIpConfig,omitempty" tf:"source_ip_config,omitempty"`
+
 	// The subdomain for your OIDC Identity Provider.
 	Subdomain *string `json:"subdomain,omitempty" tf:"subdomain,omitempty"`
 
 	// configure a workforce using VPC. see Workforce VPC Config details below.
-	// +kubebuilder:validation:Optional
 	WorkforceVPCConfig []WorkforceVPCConfigObservation `json:"workforceVpcConfig,omitempty" tf:"workforce_vpc_config,omitempty"`
 }
 
@@ -137,8 +175,17 @@ type WorkforceParameters struct {
 
 type WorkforceVPCConfigObservation struct {
 
+	// The VPC security group IDs. The security groups must be for the same VPC as specified in the subnet.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// The ID of the subnets in the VPC that you want to connect.
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
+
 	// The IDs for the VPC service endpoints of your VPC workforce.
 	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
+
+	// The ID of the VPC that the workforce uses for communication.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type WorkforceVPCConfigParameters struct {
diff --git a/apis/sagemaker/v1beta1/zz_workteam_types.go b/apis/sagemaker/v1beta1/zz_workteam_types.go
index 3266071915..adcf0c0275 100755
--- a/apis/sagemaker/v1beta1/zz_workteam_types.go
+++ b/apis/sagemaker/v1beta1/zz_workteam_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CognitoMemberDefinitionObservation struct {
+
+	// An identifier for an application client. You must create the app client ID using Amazon Cognito.
+	ClientID *string `json:"clientId,omitempty" tf:"client_id,omitempty"`
+
+	// An identifier for a user group.
+	UserGroup *string `json:"userGroup,omitempty" tf:"user_group,omitempty"`
+
+	// An identifier for a user pool. The user pool must be in the same region as the service that you are calling.
+	UserPool *string `json:"userPool,omitempty" tf:"user_pool,omitempty"`
 }
 
 type CognitoMemberDefinitionParameters struct {
@@ -62,6 +71,12 @@ type CognitoMemberDefinitionParameters struct {
 }
 
 type MemberDefinitionObservation struct {
+
+	// The Amazon Cognito user group that is part of the work team. See Cognito Member Definition details below.
+	CognitoMemberDefinition []CognitoMemberDefinitionObservation `json:"cognitoMemberDefinition,omitempty" tf:"cognito_member_definition,omitempty"`
+
+	// A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. See Cognito Member Definition details below.
+	OidcMemberDefinition []OidcMemberDefinitionObservation `json:"oidcMemberDefinition,omitempty" tf:"oidc_member_definition,omitempty"`
 }
 
 type MemberDefinitionParameters struct {
@@ -76,6 +91,9 @@ type MemberDefinitionParameters struct {
 }
 
 type NotificationConfigurationObservation struct {
+
+	// The ARN for the SNS topic to which notifications should be published.
+	NotificationTopicArn *string `json:"notificationTopicArn,omitempty" tf:"notification_topic_arn,omitempty"`
 }
 
 type NotificationConfigurationParameters struct {
@@ -86,6 +104,9 @@ type NotificationConfigurationParameters struct {
 }
 
 type OidcMemberDefinitionObservation struct {
+
+	// A list of comma separated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers.
+	Groups []*string `json:"groups,omitempty" tf:"groups,omitempty"`
 }
 
 type OidcMemberDefinitionParameters struct {
@@ -100,25 +121,40 @@ type WorkteamObservation struct {
 	// The Amazon Resource Name (ARN) assigned by AWS to this Workteam.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A description of the work team.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The name of the Workteam.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// A list of Member Definitions that contains objects that identify the workers that make up the work team. Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use cognito_member_definition. For workforces created using your own OIDC identity provider (IdP) use oidc_member_definition. Do not provide input for both of these parameters in a single request. see Member Definition details below.
+	MemberDefinition []MemberDefinitionObservation `json:"memberDefinition,omitempty" tf:"member_definition,omitempty"`
+
+	// Configures notification of workers regarding available or expiring work items. see Notification Configuration details below.
+	NotificationConfiguration []NotificationConfigurationObservation `json:"notificationConfiguration,omitempty" tf:"notification_configuration,omitempty"`
+
 	// The subdomain for your OIDC Identity Provider.
 	Subdomain *string `json:"subdomain,omitempty" tf:"subdomain,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The name of the Workteam (must be unique).
+	WorkforceName *string `json:"workforceName,omitempty" tf:"workforce_name,omitempty"`
 }
 
 type WorkteamParameters struct {
 
 	// A description of the work team.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A list of Member Definitions that contains objects that identify the workers that make up the work team. Workforces can be created using Amazon Cognito or your own OIDC Identity Provider (IdP). For private workforces created using Amazon Cognito use cognito_member_definition. For workforces created using your own OIDC identity provider (IdP) use oidc_member_definition. Do not provide input for both of these parameters in a single request. see Member Definition details below.
-	// +kubebuilder:validation:Required
-	MemberDefinition []MemberDefinitionParameters `json:"memberDefinition" tf:"member_definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	MemberDefinition []MemberDefinitionParameters `json:"memberDefinition,omitempty" tf:"member_definition,omitempty"`
 
 	// Configures notification of workers regarding available or expiring work items. see Notification Configuration details below.
 	// +kubebuilder:validation:Optional
@@ -172,8 +208,10 @@ type WorkteamStatus struct {
 type Workteam struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WorkteamSpec   `json:"spec"`
-	Status            WorkteamStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.memberDefinition)",message="memberDefinition is a required parameter"
+	Spec   WorkteamSpec   `json:"spec"`
+	Status WorkteamStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/scheduler/v1beta1/zz_generated.deepcopy.go b/apis/scheduler/v1beta1/zz_generated.deepcopy.go
index 6b0f6c0478..34032394ae 100644
--- a/apis/scheduler/v1beta1/zz_generated.deepcopy.go
+++ b/apis/scheduler/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CapacityProviderStrategyObservation) DeepCopyInto(out *CapacityProviderStrategyObservation) {
 	*out = *in
+	if in.Base != nil {
+		in, out := &in.Base, &out.Base
+		*out = new(float64)
+		**out = **in
+	}
+	if in.CapacityProvider != nil {
+		in, out := &in.CapacityProvider, &out.CapacityProvider
+		*out = new(string)
+		**out = **in
+	}
+	if in.Weight != nil {
+		in, out := &in.Weight, &out.Weight
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapacityProviderStrategyObservation.
@@ -62,6 +77,11 @@ func (in *CapacityProviderStrategyParameters) DeepCopy() *CapacityProviderStrate
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeadLetterConfigObservation) DeepCopyInto(out *DeadLetterConfigObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeadLetterConfigObservation.
@@ -97,6 +117,94 @@ func (in *DeadLetterConfigParameters) DeepCopy() *DeadLetterConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EcsParametersObservation) DeepCopyInto(out *EcsParametersObservation) {
 	*out = *in
+	if in.CapacityProviderStrategy != nil {
+		in, out := &in.CapacityProviderStrategy, &out.CapacityProviderStrategy
+		*out = make([]CapacityProviderStrategyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EnableEcsManagedTags != nil {
+		in, out := &in.EnableEcsManagedTags, &out.EnableEcsManagedTags
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableExecuteCommand != nil {
+		in, out := &in.EnableExecuteCommand, &out.EnableExecuteCommand
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Group != nil {
+		in, out := &in.Group, &out.Group
+		*out = new(string)
+		**out = **in
+	}
+	if in.LaunchType != nil {
+		in, out := &in.LaunchType, &out.LaunchType
+		*out = new(string)
+		**out = **in
+	}
+	if in.NetworkConfiguration != nil {
+		in, out := &in.NetworkConfiguration, &out.NetworkConfiguration
+		*out = make([]NetworkConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlacementConstraints != nil {
+		in, out := &in.PlacementConstraints, &out.PlacementConstraints
+		*out = make([]PlacementConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlacementStrategy != nil {
+		in, out := &in.PlacementStrategy, &out.PlacementStrategy
+		*out = make([]PlacementStrategyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PlatformVersion != nil {
+		in, out := &in.PlatformVersion, &out.PlatformVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.PropagateTags != nil {
+		in, out := &in.PropagateTags, &out.PropagateTags
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReferenceID != nil {
+		in, out := &in.ReferenceID, &out.ReferenceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TaskCount != nil {
+		in, out := &in.TaskCount, &out.TaskCount
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TaskDefinitionArn != nil {
+		in, out := &in.TaskDefinitionArn, &out.TaskDefinitionArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EcsParametersObservation.
@@ -215,6 +323,16 @@ func (in *EcsParametersParameters) DeepCopy() *EcsParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventbridgeParametersObservation) DeepCopyInto(out *EventbridgeParametersObservation) {
 	*out = *in
+	if in.DetailType != nil {
+		in, out := &in.DetailType, &out.DetailType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventbridgeParametersObservation.
@@ -255,6 +373,16 @@ func (in *EventbridgeParametersParameters) DeepCopy() *EventbridgeParametersPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FlexibleTimeWindowObservation) DeepCopyInto(out *FlexibleTimeWindowObservation) {
 	*out = *in
+	if in.MaximumWindowInMinutes != nil {
+		in, out := &in.MaximumWindowInMinutes, &out.MaximumWindowInMinutes
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Mode != nil {
+		in, out := &in.Mode, &out.Mode
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FlexibleTimeWindowObservation.
@@ -295,6 +423,11 @@ func (in *FlexibleTimeWindowParameters) DeepCopy() *FlexibleTimeWindowParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisParametersObservation) DeepCopyInto(out *KinesisParametersObservation) {
 	*out = *in
+	if in.PartitionKey != nil {
+		in, out := &in.PartitionKey, &out.PartitionKey
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisParametersObservation.
@@ -330,6 +463,33 @@ func (in *KinesisParametersParameters) DeepCopy() *KinesisParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkConfigurationObservation) DeepCopyInto(out *NetworkConfigurationObservation) {
 	*out = *in
+	if in.AssignPublicIP != nil {
+		in, out := &in.AssignPublicIP, &out.AssignPublicIP
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SecurityGroups != nil {
+		in, out := &in.SecurityGroups, &out.SecurityGroups
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Subnets != nil {
+		in, out := &in.Subnets, &out.Subnets
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkConfigurationObservation.
@@ -387,6 +547,16 @@ func (in *NetworkConfigurationParameters) DeepCopy() *NetworkConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PipelineParameterObservation) DeepCopyInto(out *PipelineParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PipelineParameterObservation.
@@ -427,6 +597,16 @@ func (in *PipelineParameterParameters) DeepCopy() *PipelineParameterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlacementConstraintsObservation) DeepCopyInto(out *PlacementConstraintsObservation) {
 	*out = *in
+	if in.Expression != nil {
+		in, out := &in.Expression, &out.Expression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlacementConstraintsObservation.
@@ -467,6 +647,16 @@ func (in *PlacementConstraintsParameters) DeepCopy() *PlacementConstraintsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlacementStrategyObservation) DeepCopyInto(out *PlacementStrategyObservation) {
 	*out = *in
+	if in.Field != nil {
+		in, out := &in.Field, &out.Field
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlacementStrategyObservation.
@@ -507,6 +697,16 @@ func (in *PlacementStrategyParameters) DeepCopy() *PlacementStrategyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RetryPolicyObservation) DeepCopyInto(out *RetryPolicyObservation) {
 	*out = *in
+	if in.MaximumEventAgeInSeconds != nil {
+		in, out := &in.MaximumEventAgeInSeconds, &out.MaximumEventAgeInSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MaximumRetryAttempts != nil {
+		in, out := &in.MaximumRetryAttempts, &out.MaximumRetryAttempts
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetryPolicyObservation.
@@ -547,6 +747,13 @@ func (in *RetryPolicyParameters) DeepCopy() *RetryPolicyParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SagemakerPipelineParametersObservation) DeepCopyInto(out *SagemakerPipelineParametersObservation) {
 	*out = *in
+	if in.PipelineParameter != nil {
+		in, out := &in.PipelineParameter, &out.PipelineParameter
+		*out = make([]PipelineParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SagemakerPipelineParametersObservation.
@@ -690,11 +897,31 @@ func (in *ScheduleGroupObservation) DeepCopyInto(out *ScheduleGroupObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.State != nil {
 		in, out := &in.State, &out.State
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -836,11 +1063,70 @@ func (in *ScheduleObservation) DeepCopyInto(out *ScheduleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.EndDate != nil {
+		in, out := &in.EndDate, &out.EndDate
+		*out = new(string)
+		**out = **in
+	}
+	if in.FlexibleTimeWindow != nil {
+		in, out := &in.FlexibleTimeWindow, &out.FlexibleTimeWindow
+		*out = make([]FlexibleTimeWindowObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GroupName != nil {
+		in, out := &in.GroupName, &out.GroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleExpression != nil {
+		in, out := &in.ScheduleExpression, &out.ScheduleExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleExpressionTimezone != nil {
+		in, out := &in.ScheduleExpressionTimezone, &out.ScheduleExpressionTimezone
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartDate != nil {
+		in, out := &in.StartDate, &out.StartDate
+		*out = new(string)
+		**out = **in
+	}
+	if in.State != nil {
+		in, out := &in.State, &out.State
+		*out = new(string)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = make([]TargetObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ScheduleObservation.
@@ -979,6 +1265,11 @@ func (in *ScheduleStatus) DeepCopy() *ScheduleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SqsParametersObservation) DeepCopyInto(out *SqsParametersObservation) {
 	*out = *in
+	if in.MessageGroupID != nil {
+		in, out := &in.MessageGroupID, &out.MessageGroupID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SqsParametersObservation.
@@ -1014,6 +1305,70 @@ func (in *SqsParametersParameters) DeepCopy() *SqsParametersParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetObservation) DeepCopyInto(out *TargetObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeadLetterConfig != nil {
+		in, out := &in.DeadLetterConfig, &out.DeadLetterConfig
+		*out = make([]DeadLetterConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EcsParameters != nil {
+		in, out := &in.EcsParameters, &out.EcsParameters
+		*out = make([]EcsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventbridgeParameters != nil {
+		in, out := &in.EventbridgeParameters, &out.EventbridgeParameters
+		*out = make([]EventbridgeParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Input != nil {
+		in, out := &in.Input, &out.Input
+		*out = new(string)
+		**out = **in
+	}
+	if in.KinesisParameters != nil {
+		in, out := &in.KinesisParameters, &out.KinesisParameters
+		*out = make([]KinesisParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetryPolicy != nil {
+		in, out := &in.RetryPolicy, &out.RetryPolicy
+		*out = make([]RetryPolicyObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SagemakerPipelineParameters != nil {
+		in, out := &in.SagemakerPipelineParameters, &out.SagemakerPipelineParameters
+		*out = make([]SagemakerPipelineParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SqsParameters != nil {
+		in, out := &in.SqsParameters, &out.SqsParameters
+		*out = make([]SqsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetObservation.
diff --git a/apis/scheduler/v1beta1/zz_schedule_types.go b/apis/scheduler/v1beta1/zz_schedule_types.go
index 99dd8cec1f..12c751f445 100755
--- a/apis/scheduler/v1beta1/zz_schedule_types.go
+++ b/apis/scheduler/v1beta1/zz_schedule_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CapacityProviderStrategyObservation struct {
+
+	// How many tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined. Ranges from 0 (default) to 100000.
+	Base *float64 `json:"base,omitempty" tf:"base,omitempty"`
+
+	// Short name of the capacity provider.
+	CapacityProvider *string `json:"capacityProvider,omitempty" tf:"capacity_provider,omitempty"`
+
+	// Designates the relative percentage of the total number of tasks launched that should use the specified capacity provider. The weight value is taken into consideration after the base value, if defined, is satisfied. Ranges from from 0 to 1000.
+	Weight *float64 `json:"weight,omitempty" tf:"weight,omitempty"`
 }
 
 type CapacityProviderStrategyParameters struct {
@@ -32,6 +41,9 @@ type CapacityProviderStrategyParameters struct {
 }
 
 type DeadLetterConfigObservation struct {
+
+	// ARN of the target of this schedule, such as a SQS queue or ECS cluster. For universal targets, this is a Service ARN specific to the target service.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 }
 
 type DeadLetterConfigParameters struct {
@@ -42,6 +54,48 @@ type DeadLetterConfigParameters struct {
 }
 
 type EcsParametersObservation struct {
+
+	// Up to 6 capacity provider strategies to use for the task. Detailed below.
+	CapacityProviderStrategy []CapacityProviderStrategyObservation `json:"capacityProviderStrategy,omitempty" tf:"capacity_provider_strategy,omitempty"`
+
+	// Specifies whether to enable Amazon ECS managed tags for the task. For more information, see Tagging Your Amazon ECS Resources in the Amazon ECS Developer Guide.
+	EnableEcsManagedTags *bool `json:"enableEcsManagedTags,omitempty" tf:"enable_ecs_managed_tags,omitempty"`
+
+	// Specifies whether to enable the execute command functionality for the containers in this task.
+	EnableExecuteCommand *bool `json:"enableExecuteCommand,omitempty" tf:"enable_execute_command,omitempty"`
+
+	// Specifies an ECS task group for the task. At most 255 characters.
+	Group *string `json:"group,omitempty" tf:"group,omitempty"`
+
+	// Specifies the launch type on which your task is running. The launch type that you specify here must match one of the launch type (compatibilities) of the target task. One of: EC2, FARGATE, EXTERNAL.
+	LaunchType *string `json:"launchType,omitempty" tf:"launch_type,omitempty"`
+
+	// Configures the networking associated with the task. Detailed below.
+	NetworkConfiguration []NetworkConfigurationObservation `json:"networkConfiguration,omitempty" tf:"network_configuration,omitempty"`
+
+	// A set of up to 10 placement constraints to use for the task. Detailed below.
+	PlacementConstraints []PlacementConstraintsObservation `json:"placementConstraints,omitempty" tf:"placement_constraints,omitempty"`
+
+	// A set of up to 5 placement strategies. Detailed below.
+	PlacementStrategy []PlacementStrategyObservation `json:"placementStrategy,omitempty" tf:"placement_strategy,omitempty"`
+
+	// Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as 1.1.0.
+	PlatformVersion *string `json:"platformVersion,omitempty" tf:"platform_version,omitempty"`
+
+	// Specifies whether to propagate the tags from the task definition to the task. One of: TASK_DEFINITION.
+	PropagateTags *string `json:"propagateTags,omitempty" tf:"propagate_tags,omitempty"`
+
+	// Reference ID to use for the task.
+	ReferenceID *string `json:"referenceId,omitempty" tf:"reference_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
+	// The number of tasks to create. Ranges from 1 (default) to 10.
+	TaskCount *float64 `json:"taskCount,omitempty" tf:"task_count,omitempty"`
+
+	// ARN of the task definition to use.
+	TaskDefinitionArn *string `json:"taskDefinitionArn,omitempty" tf:"task_definition_arn,omitempty"`
 }
 
 type EcsParametersParameters struct {
@@ -104,6 +158,12 @@ type EcsParametersParameters struct {
 }
 
 type EventbridgeParametersObservation struct {
+
+	// Free-form string used to decide what fields to expect in the event detail. Up to 128 characters.
+	DetailType *string `json:"detailType,omitempty" tf:"detail_type,omitempty"`
+
+	// Source of the event.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
 }
 
 type EventbridgeParametersParameters struct {
@@ -118,6 +178,12 @@ type EventbridgeParametersParameters struct {
 }
 
 type FlexibleTimeWindowObservation struct {
+
+	// Maximum time window during which a schedule can be invoked. Ranges from 1 to 1440 minutes.
+	MaximumWindowInMinutes *float64 `json:"maximumWindowInMinutes,omitempty" tf:"maximum_window_in_minutes,omitempty"`
+
+	// Determines whether the schedule is invoked within a flexible time window. One of: OFF, FLEXIBLE.
+	Mode *string `json:"mode,omitempty" tf:"mode,omitempty"`
 }
 
 type FlexibleTimeWindowParameters struct {
@@ -132,6 +198,9 @@ type FlexibleTimeWindowParameters struct {
 }
 
 type KinesisParametersObservation struct {
+
+	// Specifies the shard to which EventBridge Scheduler sends the event. Up to 256 characters.
+	PartitionKey *string `json:"partitionKey,omitempty" tf:"partition_key,omitempty"`
 }
 
 type KinesisParametersParameters struct {
@@ -142,6 +211,15 @@ type KinesisParametersParameters struct {
 }
 
 type NetworkConfigurationObservation struct {
+
+	// Specifies whether the task's elastic network interface receives a public IP address. You can specify ENABLED only when the launch_type is set to FARGATE. One of: ENABLED, DISABLED.
+	AssignPublicIP *bool `json:"assignPublicIp,omitempty" tf:"assign_public_ip,omitempty"`
+
+	// Set of 1 to 5 Security Group ID-s to be associated with the task. These security groups must all be in the same VPC.
+	SecurityGroups []*string `json:"securityGroups,omitempty" tf:"security_groups,omitempty"`
+
+	// Set of 1 to 16 subnets to be associated with the task. These subnets must all be in the same VPC.
+	Subnets []*string `json:"subnets,omitempty" tf:"subnets,omitempty"`
 }
 
 type NetworkConfigurationParameters struct {
@@ -160,6 +238,12 @@ type NetworkConfigurationParameters struct {
 }
 
 type PipelineParameterObservation struct {
+
+	// Name of parameter to start execution of a SageMaker Model Building Pipeline.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Value of parameter to start execution of a SageMaker Model Building Pipeline.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type PipelineParameterParameters struct {
@@ -174,6 +258,12 @@ type PipelineParameterParameters struct {
 }
 
 type PlacementConstraintsObservation struct {
+
+	// A cluster query language expression to apply to the constraint. You cannot specify an expression if the constraint type is distinctInstance. For more information, see Cluster query language in the Amazon ECS Developer Guide.
+	Expression *string `json:"expression,omitempty" tf:"expression,omitempty"`
+
+	// The type of placement strategy. One of: random, spread, binpack.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PlacementConstraintsParameters struct {
@@ -188,6 +278,12 @@ type PlacementConstraintsParameters struct {
 }
 
 type PlacementStrategyObservation struct {
+
+	// The field to apply the placement strategy against.
+	Field *string `json:"field,omitempty" tf:"field,omitempty"`
+
+	// The type of placement strategy. One of: random, spread, binpack.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PlacementStrategyParameters struct {
@@ -202,6 +298,12 @@ type PlacementStrategyParameters struct {
 }
 
 type RetryPolicyObservation struct {
+
+	// Maximum amount of time, in seconds, to continue to make retry attempts. Ranges from 60 to 86400 (default).
+	MaximumEventAgeInSeconds *float64 `json:"maximumEventAgeInSeconds,omitempty" tf:"maximum_event_age_in_seconds,omitempty"`
+
+	// Maximum number of retry attempts to make before the request fails. Ranges from 0 to 185 (default).
+	MaximumRetryAttempts *float64 `json:"maximumRetryAttempts,omitempty" tf:"maximum_retry_attempts,omitempty"`
 }
 
 type RetryPolicyParameters struct {
@@ -216,6 +318,9 @@ type RetryPolicyParameters struct {
 }
 
 type SagemakerPipelineParametersObservation struct {
+
+	// Set of up to 200 parameter names and values to use when executing the SageMaker Model Building Pipeline. Detailed below.
+	PipelineParameter []PipelineParameterObservation `json:"pipelineParameter,omitempty" tf:"pipeline_parameter,omitempty"`
 }
 
 type SagemakerPipelineParametersParameters struct {
@@ -230,8 +335,41 @@ type ScheduleObservation struct {
 	// ARN of the SQS queue specified as the destination for the dead-letter queue.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Brief description of the schedule.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The date, in UTC, before which the schedule can invoke its target. Depending on the schedule's recurrence expression, invocations might stop on, or before, the end date you specify. EventBridge Scheduler ignores the end date for one-time schedules. Example: 2030-01-01T01:00:00Z.
+	EndDate *string `json:"endDate,omitempty" tf:"end_date,omitempty"`
+
+	// Configures a time window during which EventBridge Scheduler invokes the schedule. Detailed below.
+	FlexibleTimeWindow []FlexibleTimeWindowObservation `json:"flexibleTimeWindow,omitempty" tf:"flexible_time_window,omitempty"`
+
+	// Name of the schedule group to associate with this schedule. When omitted, the default schedule group is used.
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
+
 	// Name of the schedule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// ARN for the customer managed KMS key that EventBridge Scheduler will use to encrypt and decrypt your data.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Name of the schedule. Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Defines when the schedule runs. Read more in Schedule types on EventBridge Scheduler.
+	ScheduleExpression *string `json:"scheduleExpression,omitempty" tf:"schedule_expression,omitempty"`
+
+	// Timezone in which the scheduling expression is evaluated. Defaults to UTC. Example: Australia/Sydney.
+	ScheduleExpressionTimezone *string `json:"scheduleExpressionTimezone,omitempty" tf:"schedule_expression_timezone,omitempty"`
+
+	// The date, in UTC, after which the schedule can begin invoking its target. Depending on the schedule's recurrence expression, invocations might occur on, or after, the start date you specify. EventBridge Scheduler ignores the start date for one-time schedules. Example: 2030-01-01T01:00:00Z.
+	StartDate *string `json:"startDate,omitempty" tf:"start_date,omitempty"`
+
+	// Specifies whether the schedule is enabled or disabled. One of: ENABLED (default), DISABLED.
+	State *string `json:"state,omitempty" tf:"state,omitempty"`
+
+	// Configures the target of the schedule. Detailed below.
+	Target []TargetObservation `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type ScheduleParameters struct {
@@ -245,8 +383,8 @@ type ScheduleParameters struct {
 	EndDate *string `json:"endDate,omitempty" tf:"end_date,omitempty"`
 
 	// Configures a time window during which EventBridge Scheduler invokes the schedule. Detailed below.
-	// +kubebuilder:validation:Required
-	FlexibleTimeWindow []FlexibleTimeWindowParameters `json:"flexibleTimeWindow" tf:"flexible_time_window,omitempty"`
+	// +kubebuilder:validation:Optional
+	FlexibleTimeWindow []FlexibleTimeWindowParameters `json:"flexibleTimeWindow,omitempty" tf:"flexible_time_window,omitempty"`
 
 	// Name of the schedule group to associate with this schedule. When omitted, the default schedule group is used.
 	// +kubebuilder:validation:Optional
@@ -275,8 +413,8 @@ type ScheduleParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Defines when the schedule runs. Read more in Schedule types on EventBridge Scheduler.
-	// +kubebuilder:validation:Required
-	ScheduleExpression *string `json:"scheduleExpression" tf:"schedule_expression,omitempty"`
+	// +kubebuilder:validation:Optional
+	ScheduleExpression *string `json:"scheduleExpression,omitempty" tf:"schedule_expression,omitempty"`
 
 	// Timezone in which the scheduling expression is evaluated. Defaults to UTC. Example: Australia/Sydney.
 	// +kubebuilder:validation:Optional
@@ -291,11 +429,14 @@ type ScheduleParameters struct {
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
 	// Configures the target of the schedule. Detailed below.
-	// +kubebuilder:validation:Required
-	Target []TargetParameters `json:"target" tf:"target,omitempty"`
+	// +kubebuilder:validation:Optional
+	Target []TargetParameters `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type SqsParametersObservation struct {
+
+	// FIFO message group ID to use as the target.
+	MessageGroupID *string `json:"messageGroupId,omitempty" tf:"message_group_id,omitempty"`
 }
 
 type SqsParametersParameters struct {
@@ -306,6 +447,36 @@ type SqsParametersParameters struct {
 }
 
 type TargetObservation struct {
+
+	// ARN of the target of this schedule, such as a SQS queue or ECS cluster. For universal targets, this is a Service ARN specific to the target service.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Information about an Amazon SQS queue that EventBridge Scheduler uses as a dead-letter queue for your schedule. If specified, EventBridge Scheduler delivers failed events that could not be successfully delivered to a target to the queue. Detailed below.
+	DeadLetterConfig []DeadLetterConfigObservation `json:"deadLetterConfig,omitempty" tf:"dead_letter_config,omitempty"`
+
+	// Templated target type for the Amazon ECS RunTask API operation. Detailed below.
+	EcsParameters []EcsParametersObservation `json:"ecsParameters,omitempty" tf:"ecs_parameters,omitempty"`
+
+	// Templated target type for the EventBridge PutEvents API operation. Detailed below.
+	EventbridgeParameters []EventbridgeParametersObservation `json:"eventbridgeParameters,omitempty" tf:"eventbridge_parameters,omitempty"`
+
+	// Text, or well-formed JSON, passed to the target. Read more in Universal target.
+	Input *string `json:"input,omitempty" tf:"input,omitempty"`
+
+	// Templated target type for the Amazon Kinesis PutRecord API operation. Detailed below.
+	KinesisParameters []KinesisParametersObservation `json:"kinesisParameters,omitempty" tf:"kinesis_parameters,omitempty"`
+
+	// Information about the retry policy settings. Detailed below.
+	RetryPolicy []RetryPolicyObservation `json:"retryPolicy,omitempty" tf:"retry_policy,omitempty"`
+
+	// ARN of the IAM role that EventBridge Scheduler will use for this target when the schedule is invoked. Read more in Set up the execution role.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// Templated target type for the Amazon SageMaker StartPipelineExecution API operation. Detailed below.
+	SagemakerPipelineParameters []SagemakerPipelineParametersObservation `json:"sagemakerPipelineParameters,omitempty" tf:"sagemaker_pipeline_parameters,omitempty"`
+
+	// The templated target type for the Amazon SQS SendMessage API operation. Detailed below.
+	SqsParameters []SqsParametersObservation `json:"sqsParameters,omitempty" tf:"sqs_parameters,omitempty"`
 }
 
 type TargetParameters struct {
@@ -395,8 +566,11 @@ type ScheduleStatus struct {
 type Schedule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ScheduleSpec   `json:"spec"`
-	Status            ScheduleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.flexibleTimeWindow)",message="flexibleTimeWindow is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scheduleExpression)",message="scheduleExpression is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.target)",message="target is a required parameter"
+	Spec   ScheduleSpec   `json:"spec"`
+	Status ScheduleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/scheduler/v1beta1/zz_schedulegroup_types.go b/apis/scheduler/v1beta1/zz_schedulegroup_types.go
index 9f692837f1..defd288b69 100755
--- a/apis/scheduler/v1beta1/zz_schedulegroup_types.go
+++ b/apis/scheduler/v1beta1/zz_schedulegroup_types.go
@@ -27,9 +27,15 @@ type ScheduleGroupObservation struct {
 	// Time at which the schedule group was last modified.
 	LastModificationDate *string `json:"lastModificationDate,omitempty" tf:"last_modification_date,omitempty"`
 
+	// Name of the schedule group. Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// State of the schedule group. Can be ACTIVE or DELETING.
 	State *string `json:"state,omitempty" tf:"state,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/schemas/v1beta1/zz_discoverer_types.go b/apis/schemas/v1beta1/zz_discoverer_types.go
index 12c133b914..d9dcd7ef69 100755
--- a/apis/schemas/v1beta1/zz_discoverer_types.go
+++ b/apis/schemas/v1beta1/zz_discoverer_types.go
@@ -18,9 +18,18 @@ type DiscovererObservation struct {
 	// The Amazon Resource Name (ARN) of the discoverer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the discoverer. Maximum of 256 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the discoverer.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN of the event bus to discover event schemas on.
+	SourceArn *string `json:"sourceArn,omitempty" tf:"source_arn,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/schemas/v1beta1/zz_generated.deepcopy.go b/apis/schemas/v1beta1/zz_generated.deepcopy.go
index d63f4c02e1..a2b57a6fa0 100644
--- a/apis/schemas/v1beta1/zz_generated.deepcopy.go
+++ b/apis/schemas/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,36 @@ func (in *DiscovererObservation) DeepCopyInto(out *DiscovererObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.SourceArn != nil {
+		in, out := &in.SourceArn, &out.SourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -269,11 +294,31 @@ func (in *RegistryObservation) DeepCopyInto(out *RegistryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -442,6 +487,16 @@ func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -452,6 +507,31 @@ func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegistryName != nil {
+		in, out := &in.RegistryName, &out.RegistryName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -467,6 +547,11 @@ func (in *SchemaObservation) DeepCopyInto(out *SchemaObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(string)
diff --git a/apis/schemas/v1beta1/zz_registry_types.go b/apis/schemas/v1beta1/zz_registry_types.go
index 7e52d714e5..3432b33198 100755
--- a/apis/schemas/v1beta1/zz_registry_types.go
+++ b/apis/schemas/v1beta1/zz_registry_types.go
@@ -18,8 +18,14 @@ type RegistryObservation struct {
 	// The Amazon Resource Name (ARN) of the discoverer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the discoverer. Maximum of 256 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/schemas/v1beta1/zz_schema_types.go b/apis/schemas/v1beta1/zz_schema_types.go
index eefb49e879..1710f9e86e 100755
--- a/apis/schemas/v1beta1/zz_schema_types.go
+++ b/apis/schemas/v1beta1/zz_schema_types.go
@@ -18,14 +18,32 @@ type SchemaObservation struct {
 	// The Amazon Resource Name (ARN) of the discoverer.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The schema specification. Must be a valid Open API 3.0 spec.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
+	// The description of the schema. Maximum of 256 characters.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The last modified date of the schema.
 	LastModified *string `json:"lastModified,omitempty" tf:"last_modified,omitempty"`
 
+	// The name of the schema. Maximum of 385 characters consisting of lower case letters, upper case letters, ., -, _, @.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The name of the registry in which this schema belongs.
+	RegistryName *string `json:"registryName,omitempty" tf:"registry_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// The type of the schema. Valid values: OpenApi3.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
 	// The version of the schema.
 	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 
@@ -36,16 +54,16 @@ type SchemaObservation struct {
 type SchemaParameters struct {
 
 	// The schema specification. Must be a valid Open API 3.0 spec.
-	// +kubebuilder:validation:Required
-	Content *string `json:"content" tf:"content,omitempty"`
+	// +kubebuilder:validation:Optional
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
 
 	// The description of the schema. Maximum of 256 characters.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the schema. Maximum of 385 characters consisting of lower case letters, upper case letters, ., -, _, @.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -70,8 +88,8 @@ type SchemaParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// The type of the schema. Valid values: OpenApi3.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // SchemaSpec defines the desired state of Schema
@@ -98,8 +116,11 @@ type SchemaStatus struct {
 type Schema struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SchemaSpec   `json:"spec"`
-	Status            SchemaStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)",message="content is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   SchemaSpec   `json:"spec"`
+	Status SchemaStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/secretsmanager/v1beta1/zz_generated.deepcopy.go b/apis/secretsmanager/v1beta1/zz_generated.deepcopy.go
index 529943f517..a4e4315ebb 100644
--- a/apis/secretsmanager/v1beta1/zz_generated.deepcopy.go
+++ b/apis/secretsmanager/v1beta1/zz_generated.deepcopy.go
@@ -17,11 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReplicaObservation) DeepCopyInto(out *ReplicaObservation) {
 	*out = *in
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.LastAccessedDate != nil {
 		in, out := &in.LastAccessedDate, &out.LastAccessedDate
 		*out = new(string)
 		**out = **in
 	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -171,16 +181,41 @@ func (in *SecretObservation) DeepCopyInto(out *SecretObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceOverwriteReplicaSecret != nil {
+		in, out := &in.ForceOverwriteReplicaSecret, &out.ForceOverwriteReplicaSecret
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Policy != nil {
 		in, out := &in.Policy, &out.Policy
 		*out = new(string)
 		**out = **in
 	}
+	if in.RecoveryWindowInDays != nil {
+		in, out := &in.RecoveryWindowInDays, &out.RecoveryWindowInDays
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Replica != nil {
 		in, out := &in.Replica, &out.Replica
 		*out = make([]ReplicaObservation, len(*in))
@@ -205,6 +240,21 @@ func (in *SecretObservation) DeepCopyInto(out *SecretObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -371,11 +421,26 @@ func (in *SecretPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretPolicyObservation) DeepCopyInto(out *SecretPolicyObservation) {
 	*out = *in
+	if in.BlockPublicPolicy != nil {
+		in, out := &in.BlockPublicPolicy, &out.BlockPublicPolicy
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.SecretArn != nil {
+		in, out := &in.SecretArn, &out.SecretArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretPolicyObservation.
@@ -539,6 +604,23 @@ func (in *SecretRotationObservation) DeepCopyInto(out *SecretRotationObservation
 		*out = new(bool)
 		**out = **in
 	}
+	if in.RotationLambdaArn != nil {
+		in, out := &in.RotationLambdaArn, &out.RotationLambdaArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.RotationRules != nil {
+		in, out := &in.RotationRules, &out.RotationRules
+		*out = make([]SecretRotationRotationRulesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SecretID != nil {
+		in, out := &in.SecretID, &out.SecretID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRotationObservation.
@@ -611,6 +693,11 @@ func (in *SecretRotationParameters) DeepCopy() *SecretRotationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SecretRotationRotationRulesObservation) DeepCopyInto(out *SecretRotationRotationRulesObservation) {
 	*out = *in
+	if in.AutomaticallyAfterDays != nil {
+		in, out := &in.AutomaticallyAfterDays, &out.AutomaticallyAfterDays
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretRotationRotationRulesObservation.
@@ -783,11 +870,27 @@ func (in *SecretVersionObservation) DeepCopyInto(out *SecretVersionObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.SecretID != nil {
+		in, out := &in.SecretID, &out.SecretID
+		*out = new(string)
+		**out = **in
+	}
 	if in.VersionID != nil {
 		in, out := &in.VersionID, &out.VersionID
 		*out = new(string)
 		**out = **in
 	}
+	if in.VersionStages != nil {
+		in, out := &in.VersionStages, &out.VersionStages
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecretVersionObservation.
diff --git a/apis/secretsmanager/v1beta1/zz_secret_types.go b/apis/secretsmanager/v1beta1/zz_secret_types.go
index 68fef299c7..7c6bb9b30c 100755
--- a/apis/secretsmanager/v1beta1/zz_secret_types.go
+++ b/apis/secretsmanager/v1beta1/zz_secret_types.go
@@ -15,9 +15,15 @@ import (
 
 type ReplicaObservation struct {
 
+	// ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (aws/secretsmanager) in the region or creates one for use if non-existent.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// Date that you last accessed the secret in the Region.
 	LastAccessedDate *string `json:"lastAccessedDate,omitempty" tf:"last_accessed_date,omitempty"`
 
+	// Region for replicating the secret.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
 	// Status can be InProgress, Failed, or InSync.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
@@ -50,14 +56,28 @@ type SecretObservation struct {
 	// ARN of the secret.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Description of the secret.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Accepts boolean value to specify whether to overwrite a secret with the same name in the destination Region.
+	ForceOverwriteReplicaSecret *bool `json:"forceOverwriteReplicaSecret,omitempty" tf:"force_overwrite_replica_secret,omitempty"`
+
 	// ARN of the secret.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default KMS key (the one named aws/secretsmanager). If the default KMS key with that name doesn't yet exist, then AWS Secrets Manager creates it for you automatically the first time.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Friendly name of the new secret. The secret name can consist of uppercase letters, lowercase letters, digits, and any of the following characters: /_+=.@- Conflicts with name_prefix.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// Valid JSON document representing a resource policy. Removing policy from your configuration or setting policy to null or an empty string (i.e., policy = "") will not delete the policy since it could have been set by aws_secretsmanager_secret_policy. To delete the policy, set it to "{}" (an empty JSON document).
 	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
+	// Number of days that AWS Secrets Manager waits before it can delete the secret. This value can be 0 to force deletion without recovery or range from 7 to 30 days. The default value is 30.
+	RecoveryWindowInDays *float64 `json:"recoveryWindowInDays,omitempty" tf:"recovery_window_in_days,omitempty"`
+
 	// Configuration block to support secret replication. See details below.
-	// +kubebuilder:validation:Optional
 	Replica []ReplicaObservation `json:"replica,omitempty" tf:"replica,omitempty"`
 
 	// Whether automatic rotation is enabled for this secret.
@@ -69,6 +89,9 @@ type SecretObservation struct {
 	// Configuration block for the rotation configuration of this secret. Defined below. Use the aws_secretsmanager_secret_rotation resource to manage this configuration instead. As of version 2.67.0, removal of this configuration will no longer remove rotation due to supporting the new resource. Either import the new resource and remove the configuration or manually remove rotation.
 	RotationRules []RotationRulesObservation `json:"rotationRules,omitempty" tf:"rotation_rules,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/secretsmanager/v1beta1/zz_secretpolicy_types.go b/apis/secretsmanager/v1beta1/zz_secretpolicy_types.go
index fd4311f547..d59c79aaf5 100755
--- a/apis/secretsmanager/v1beta1/zz_secretpolicy_types.go
+++ b/apis/secretsmanager/v1beta1/zz_secretpolicy_types.go
@@ -15,8 +15,17 @@ import (
 
 type SecretPolicyObservation struct {
 
+	// Makes an optional API call to Zelkova to validate the Resource Policy to prevent broad access to your secret.
+	BlockPublicPolicy *bool `json:"blockPublicPolicy,omitempty" tf:"block_public_policy,omitempty"`
+
 	// Amazon Resource Name (ARN) of the secret.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Valid JSON document representing a resource policy. Unlike aws_secretsmanager_secret, where policy can be set to "{}" to delete the policy, "{}" is not a valid policy since policy is required.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// Secret ARN.
+	SecretArn *string `json:"secretArn,omitempty" tf:"secret_arn,omitempty"`
 }
 
 type SecretPolicyParameters struct {
@@ -26,8 +35,8 @@ type SecretPolicyParameters struct {
 	BlockPublicPolicy *bool `json:"blockPublicPolicy,omitempty" tf:"block_public_policy,omitempty"`
 
 	// Valid JSON document representing a resource policy. Unlike aws_secretsmanager_secret, where policy can be set to "{}" to delete the policy, "{}" is not a valid policy since policy is required.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -73,8 +82,9 @@ type SecretPolicyStatus struct {
 type SecretPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SecretPolicySpec   `json:"spec"`
-	Status            SecretPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   SecretPolicySpec   `json:"spec"`
+	Status SecretPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/secretsmanager/v1beta1/zz_secretrotation_types.go b/apis/secretsmanager/v1beta1/zz_secretrotation_types.go
index acc425458c..4a62b3ccfb 100755
--- a/apis/secretsmanager/v1beta1/zz_secretrotation_types.go
+++ b/apis/secretsmanager/v1beta1/zz_secretrotation_types.go
@@ -20,6 +20,15 @@ type SecretRotationObservation struct {
 
 	// Specifies whether automatic rotation is enabled for this secret.
 	RotationEnabled *bool `json:"rotationEnabled,omitempty" tf:"rotation_enabled,omitempty"`
+
+	// Specifies the ARN of the Lambda function that can rotate the secret.
+	RotationLambdaArn *string `json:"rotationLambdaArn,omitempty" tf:"rotation_lambda_arn,omitempty"`
+
+	// A structure that defines the rotation configuration for this secret. Defined below.
+	RotationRules []SecretRotationRotationRulesObservation `json:"rotationRules,omitempty" tf:"rotation_rules,omitempty"`
+
+	// Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
+	SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"`
 }
 
 type SecretRotationParameters struct {
@@ -44,8 +53,8 @@ type SecretRotationParameters struct {
 	RotationLambdaArnSelector *v1.Selector `json:"rotationLambdaArnSelector,omitempty" tf:"-"`
 
 	// A structure that defines the rotation configuration for this secret. Defined below.
-	// +kubebuilder:validation:Required
-	RotationRules []SecretRotationRotationRulesParameters `json:"rotationRules" tf:"rotation_rules,omitempty"`
+	// +kubebuilder:validation:Optional
+	RotationRules []SecretRotationRotationRulesParameters `json:"rotationRules,omitempty" tf:"rotation_rules,omitempty"`
 
 	// Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/secretsmanager/v1beta1.Secret
@@ -63,6 +72,9 @@ type SecretRotationParameters struct {
 }
 
 type SecretRotationRotationRulesObservation struct {
+
+	// Specifies the number of days between automatic scheduled rotations of the secret.
+	AutomaticallyAfterDays *float64 `json:"automaticallyAfterDays,omitempty" tf:"automatically_after_days,omitempty"`
 }
 
 type SecretRotationRotationRulesParameters struct {
@@ -96,8 +108,9 @@ type SecretRotationStatus struct {
 type SecretRotation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SecretRotationSpec   `json:"spec"`
-	Status            SecretRotationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rotationRules)",message="rotationRules is a required parameter"
+	Spec   SecretRotationSpec   `json:"spec"`
+	Status SecretRotationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/secretsmanager/v1beta1/zz_secretversion_types.go b/apis/secretsmanager/v1beta1/zz_secretversion_types.go
index 3d7b8710d6..e768d88bbd 100755
--- a/apis/secretsmanager/v1beta1/zz_secretversion_types.go
+++ b/apis/secretsmanager/v1beta1/zz_secretversion_types.go
@@ -21,8 +21,14 @@ type SecretVersionObservation struct {
 	// A pipe delimited combination of secret ID and version ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
+	SecretID *string `json:"secretId,omitempty" tf:"secret_id,omitempty"`
+
 	// The unique identifier of the version of the secret.
 	VersionID *string `json:"versionId,omitempty" tf:"version_id,omitempty"`
+
+	// Specifies a list of staging labels that are attached to this version of the secret. A staging label must be unique to a single version of the secret. If you specify a staging label that's already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value, then AWS Secrets Manager automatically moves the staging label AWSCURRENT to this new version on creation.
+	VersionStages []*string `json:"versionStages,omitempty" tf:"version_stages,omitempty"`
 }
 
 type SecretVersionParameters struct {
diff --git a/apis/securityhub/v1beta1/zz_actiontarget_types.go b/apis/securityhub/v1beta1/zz_actiontarget_types.go
index 25d0dd26e5..56fc5dc6fa 100755
--- a/apis/securityhub/v1beta1/zz_actiontarget_types.go
+++ b/apis/securityhub/v1beta1/zz_actiontarget_types.go
@@ -18,18 +18,24 @@ type ActionTargetObservation struct {
 	// Amazon Resource Name (ARN) of the Security Hub custom action target.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The name of the custom action target.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The description for the custom action target.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type ActionTargetParameters struct {
 
 	// The name of the custom action target.
-	// +kubebuilder:validation:Required
-	Description *string `json:"description" tf:"description,omitempty"`
+	// +kubebuilder:validation:Optional
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The description for the custom action target.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -61,8 +67,10 @@ type ActionTargetStatus struct {
 type ActionTarget struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ActionTargetSpec   `json:"spec"`
-	Status            ActionTargetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)",message="description is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ActionTargetSpec   `json:"spec"`
+	Status ActionTargetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/securityhub/v1beta1/zz_findingaggregator_types.go b/apis/securityhub/v1beta1/zz_findingaggregator_types.go
index 87ecee1272..ef5d3f4c9f 100755
--- a/apis/securityhub/v1beta1/zz_findingaggregator_types.go
+++ b/apis/securityhub/v1beta1/zz_findingaggregator_types.go
@@ -15,13 +15,19 @@ import (
 
 type FindingAggregatorObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Indicates whether to aggregate findings from all of the available Regions or from a specified list. The options are ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS. When ALL_REGIONS or ALL_REGIONS_EXCEPT_SPECIFIED are used, Security Hub will automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.
+	LinkingMode *string `json:"linkingMode,omitempty" tf:"linking_mode,omitempty"`
+
+	// List of regions to include or exclude
+	SpecifiedRegions []*string `json:"specifiedRegions,omitempty" tf:"specified_regions,omitempty"`
 }
 
 type FindingAggregatorParameters struct {
 
 	// Indicates whether to aggregate findings from all of the available Regions or from a specified list. The options are ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS. When ALL_REGIONS or ALL_REGIONS_EXCEPT_SPECIFIED are used, Security Hub will automatically aggregate findings from new Regions as Security Hub supports them and you opt into them.
-	// +kubebuilder:validation:Required
-	LinkingMode *string `json:"linkingMode" tf:"linking_mode,omitempty"`
+	// +kubebuilder:validation:Optional
+	LinkingMode *string `json:"linkingMode,omitempty" tf:"linking_mode,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -57,8 +63,9 @@ type FindingAggregatorStatus struct {
 type FindingAggregator struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              FindingAggregatorSpec   `json:"spec"`
-	Status            FindingAggregatorStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.linkingMode)",message="linkingMode is a required parameter"
+	Spec   FindingAggregatorSpec   `json:"spec"`
+	Status FindingAggregatorStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/securityhub/v1beta1/zz_generated.deepcopy.go b/apis/securityhub/v1beta1/zz_generated.deepcopy.go
index 60d0756185..2abaa2f9b6 100644
--- a/apis/securityhub/v1beta1/zz_generated.deepcopy.go
+++ b/apis/securityhub/v1beta1/zz_generated.deepcopy.go
@@ -214,11 +214,21 @@ func (in *ActionTargetObservation) DeepCopyInto(out *ActionTargetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionTargetObservation.
@@ -298,6 +308,16 @@ func (in *ActionTargetStatus) DeepCopy() *ActionTargetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AwsAccountIDObservation) DeepCopyInto(out *AwsAccountIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsAccountIDObservation.
@@ -338,6 +358,16 @@ func (in *AwsAccountIDParameters) DeepCopy() *AwsAccountIDParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CompanyNameObservation) DeepCopyInto(out *CompanyNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CompanyNameObservation.
@@ -378,6 +408,16 @@ func (in *CompanyNameParameters) DeepCopy() *CompanyNameParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ComplianceStatusObservation) DeepCopyInto(out *ComplianceStatusObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ComplianceStatusObservation.
@@ -418,6 +458,21 @@ func (in *ComplianceStatusParameters) DeepCopy() *ComplianceStatusParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfidenceObservation) DeepCopyInto(out *ConfidenceObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfidenceObservation.
@@ -463,6 +518,23 @@ func (in *ConfidenceParameters) DeepCopy() *ConfidenceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CreatedAtObservation) DeepCopyInto(out *CreatedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]DateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CreatedAtObservation.
@@ -510,6 +582,21 @@ func (in *CreatedAtParameters) DeepCopy() *CreatedAtParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CriticalityObservation) DeepCopyInto(out *CriticalityObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CriticalityObservation.
@@ -555,6 +642,16 @@ func (in *CriticalityParameters) DeepCopy() *CriticalityParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DateRangeObservation) DeepCopyInto(out *DateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DateRangeObservation.
@@ -595,6 +692,16 @@ func (in *DateRangeParameters) DeepCopy() *DateRangeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DescriptionObservation) DeepCopyInto(out *DescriptionObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DescriptionObservation.
@@ -635,692 +742,1308 @@ func (in *DescriptionParameters) DeepCopy() *DescriptionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FiltersObservation) DeepCopyInto(out *FiltersObservation) {
 	*out = *in
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FiltersObservation.
-func (in *FiltersObservation) DeepCopy() *FiltersObservation {
-	if in == nil {
-		return nil
-	}
-	out := new(FiltersObservation)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FiltersParameters) DeepCopyInto(out *FiltersParameters) {
-	*out = *in
 	if in.AwsAccountID != nil {
 		in, out := &in.AwsAccountID, &out.AwsAccountID
-		*out = make([]AwsAccountIDParameters, len(*in))
+		*out = make([]AwsAccountIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.CompanyName != nil {
 		in, out := &in.CompanyName, &out.CompanyName
-		*out = make([]CompanyNameParameters, len(*in))
+		*out = make([]CompanyNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ComplianceStatus != nil {
 		in, out := &in.ComplianceStatus, &out.ComplianceStatus
-		*out = make([]ComplianceStatusParameters, len(*in))
+		*out = make([]ComplianceStatusObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.Confidence != nil {
 		in, out := &in.Confidence, &out.Confidence
-		*out = make([]ConfidenceParameters, len(*in))
+		*out = make([]ConfidenceObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.CreatedAt != nil {
 		in, out := &in.CreatedAt, &out.CreatedAt
-		*out = make([]CreatedAtParameters, len(*in))
+		*out = make([]CreatedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.Criticality != nil {
 		in, out := &in.Criticality, &out.Criticality
-		*out = make([]CriticalityParameters, len(*in))
+		*out = make([]CriticalityObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.Description != nil {
 		in, out := &in.Description, &out.Description
-		*out = make([]DescriptionParameters, len(*in))
+		*out = make([]DescriptionObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FindingProviderFieldsConfidence != nil {
 		in, out := &in.FindingProviderFieldsConfidence, &out.FindingProviderFieldsConfidence
-		*out = make([]FindingProviderFieldsConfidenceParameters, len(*in))
+		*out = make([]FindingProviderFieldsConfidenceObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FindingProviderFieldsCriticality != nil {
 		in, out := &in.FindingProviderFieldsCriticality, &out.FindingProviderFieldsCriticality
-		*out = make([]FindingProviderFieldsCriticalityParameters, len(*in))
+		*out = make([]FindingProviderFieldsCriticalityObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FindingProviderFieldsRelatedFindingsID != nil {
 		in, out := &in.FindingProviderFieldsRelatedFindingsID, &out.FindingProviderFieldsRelatedFindingsID
-		*out = make([]FindingProviderFieldsRelatedFindingsIDParameters, len(*in))
+		*out = make([]FindingProviderFieldsRelatedFindingsIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FindingProviderFieldsRelatedFindingsProductArn != nil {
 		in, out := &in.FindingProviderFieldsRelatedFindingsProductArn, &out.FindingProviderFieldsRelatedFindingsProductArn
-		*out = make([]FindingProviderFieldsRelatedFindingsProductArnParameters, len(*in))
+		*out = make([]FindingProviderFieldsRelatedFindingsProductArnObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FindingProviderFieldsSeverityLabel != nil {
 		in, out := &in.FindingProviderFieldsSeverityLabel, &out.FindingProviderFieldsSeverityLabel
-		*out = make([]FindingProviderFieldsSeverityLabelParameters, len(*in))
+		*out = make([]FindingProviderFieldsSeverityLabelObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FindingProviderFieldsSeverityOriginal != nil {
 		in, out := &in.FindingProviderFieldsSeverityOriginal, &out.FindingProviderFieldsSeverityOriginal
-		*out = make([]FindingProviderFieldsSeverityOriginalParameters, len(*in))
+		*out = make([]FindingProviderFieldsSeverityOriginalObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FindingProviderFieldsTypes != nil {
 		in, out := &in.FindingProviderFieldsTypes, &out.FindingProviderFieldsTypes
-		*out = make([]FindingProviderFieldsTypesParameters, len(*in))
+		*out = make([]FindingProviderFieldsTypesObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.FirstObservedAt != nil {
 		in, out := &in.FirstObservedAt, &out.FirstObservedAt
-		*out = make([]FirstObservedAtParameters, len(*in))
+		*out = make([]FirstObservedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.GeneratorID != nil {
 		in, out := &in.GeneratorID, &out.GeneratorID
-		*out = make([]GeneratorIDParameters, len(*in))
+		*out = make([]GeneratorIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
-		*out = make([]IDParameters, len(*in))
+		*out = make([]IDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.Keyword != nil {
 		in, out := &in.Keyword, &out.Keyword
-		*out = make([]KeywordParameters, len(*in))
+		*out = make([]KeywordObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.LastObservedAt != nil {
 		in, out := &in.LastObservedAt, &out.LastObservedAt
-		*out = make([]LastObservedAtParameters, len(*in))
+		*out = make([]LastObservedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.MalwareName != nil {
 		in, out := &in.MalwareName, &out.MalwareName
-		*out = make([]MalwareNameParameters, len(*in))
+		*out = make([]MalwareNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.MalwarePath != nil {
 		in, out := &in.MalwarePath, &out.MalwarePath
-		*out = make([]MalwarePathParameters, len(*in))
+		*out = make([]MalwarePathObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.MalwareState != nil {
 		in, out := &in.MalwareState, &out.MalwareState
-		*out = make([]MalwareStateParameters, len(*in))
+		*out = make([]MalwareStateObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.MalwareType != nil {
 		in, out := &in.MalwareType, &out.MalwareType
-		*out = make([]MalwareTypeParameters, len(*in))
+		*out = make([]MalwareTypeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkDestinationDomain != nil {
 		in, out := &in.NetworkDestinationDomain, &out.NetworkDestinationDomain
-		*out = make([]NetworkDestinationDomainParameters, len(*in))
+		*out = make([]NetworkDestinationDomainObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkDestinationIPv4 != nil {
 		in, out := &in.NetworkDestinationIPv4, &out.NetworkDestinationIPv4
-		*out = make([]NetworkDestinationIPv4Parameters, len(*in))
+		*out = make([]NetworkDestinationIPv4Observation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkDestinationIPv6 != nil {
 		in, out := &in.NetworkDestinationIPv6, &out.NetworkDestinationIPv6
-		*out = make([]NetworkDestinationIPv6Parameters, len(*in))
+		*out = make([]NetworkDestinationIPv6Observation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkDestinationPort != nil {
 		in, out := &in.NetworkDestinationPort, &out.NetworkDestinationPort
-		*out = make([]NetworkDestinationPortParameters, len(*in))
+		*out = make([]NetworkDestinationPortObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkDirection != nil {
 		in, out := &in.NetworkDirection, &out.NetworkDirection
-		*out = make([]NetworkDirectionParameters, len(*in))
+		*out = make([]NetworkDirectionObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkProtocol != nil {
 		in, out := &in.NetworkProtocol, &out.NetworkProtocol
-		*out = make([]NetworkProtocolParameters, len(*in))
+		*out = make([]NetworkProtocolObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkSourceDomain != nil {
 		in, out := &in.NetworkSourceDomain, &out.NetworkSourceDomain
-		*out = make([]NetworkSourceDomainParameters, len(*in))
+		*out = make([]NetworkSourceDomainObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkSourceIPv4 != nil {
 		in, out := &in.NetworkSourceIPv4, &out.NetworkSourceIPv4
-		*out = make([]NetworkSourceIPv4Parameters, len(*in))
+		*out = make([]NetworkSourceIPv4Observation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkSourceIPv6 != nil {
 		in, out := &in.NetworkSourceIPv6, &out.NetworkSourceIPv6
-		*out = make([]NetworkSourceIPv6Parameters, len(*in))
+		*out = make([]NetworkSourceIPv6Observation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkSourceMac != nil {
 		in, out := &in.NetworkSourceMac, &out.NetworkSourceMac
-		*out = make([]NetworkSourceMacParameters, len(*in))
+		*out = make([]NetworkSourceMacObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NetworkSourcePort != nil {
 		in, out := &in.NetworkSourcePort, &out.NetworkSourcePort
-		*out = make([]NetworkSourcePortParameters, len(*in))
+		*out = make([]NetworkSourcePortObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NoteText != nil {
 		in, out := &in.NoteText, &out.NoteText
-		*out = make([]NoteTextParameters, len(*in))
+		*out = make([]NoteTextObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NoteUpdatedAt != nil {
 		in, out := &in.NoteUpdatedAt, &out.NoteUpdatedAt
-		*out = make([]NoteUpdatedAtParameters, len(*in))
+		*out = make([]NoteUpdatedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.NoteUpdatedBy != nil {
 		in, out := &in.NoteUpdatedBy, &out.NoteUpdatedBy
-		*out = make([]NoteUpdatedByParameters, len(*in))
+		*out = make([]NoteUpdatedByObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProcessLaunchedAt != nil {
 		in, out := &in.ProcessLaunchedAt, &out.ProcessLaunchedAt
-		*out = make([]ProcessLaunchedAtParameters, len(*in))
+		*out = make([]ProcessLaunchedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProcessName != nil {
 		in, out := &in.ProcessName, &out.ProcessName
-		*out = make([]ProcessNameParameters, len(*in))
+		*out = make([]ProcessNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProcessParentPid != nil {
 		in, out := &in.ProcessParentPid, &out.ProcessParentPid
-		*out = make([]ProcessParentPidParameters, len(*in))
+		*out = make([]ProcessParentPidObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProcessPath != nil {
 		in, out := &in.ProcessPath, &out.ProcessPath
-		*out = make([]ProcessPathParameters, len(*in))
+		*out = make([]ProcessPathObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProcessPid != nil {
 		in, out := &in.ProcessPid, &out.ProcessPid
-		*out = make([]ProcessPidParameters, len(*in))
+		*out = make([]ProcessPidObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProcessTerminatedAt != nil {
 		in, out := &in.ProcessTerminatedAt, &out.ProcessTerminatedAt
-		*out = make([]ProcessTerminatedAtParameters, len(*in))
+		*out = make([]ProcessTerminatedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProductArn != nil {
 		in, out := &in.ProductArn, &out.ProductArn
-		*out = make([]ProductArnParameters, len(*in))
+		*out = make([]ProductArnObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProductFields != nil {
 		in, out := &in.ProductFields, &out.ProductFields
-		*out = make([]ProductFieldsParameters, len(*in))
+		*out = make([]ProductFieldsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ProductName != nil {
 		in, out := &in.ProductName, &out.ProductName
-		*out = make([]ProductNameParameters, len(*in))
+		*out = make([]ProductNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.RecommendationText != nil {
 		in, out := &in.RecommendationText, &out.RecommendationText
-		*out = make([]RecommendationTextParameters, len(*in))
+		*out = make([]RecommendationTextObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.RecordState != nil {
 		in, out := &in.RecordState, &out.RecordState
-		*out = make([]RecordStateParameters, len(*in))
+		*out = make([]RecordStateObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.RelatedFindingsID != nil {
 		in, out := &in.RelatedFindingsID, &out.RelatedFindingsID
-		*out = make([]RelatedFindingsIDParameters, len(*in))
+		*out = make([]RelatedFindingsIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.RelatedFindingsProductArn != nil {
 		in, out := &in.RelatedFindingsProductArn, &out.RelatedFindingsProductArn
-		*out = make([]RelatedFindingsProductArnParameters, len(*in))
+		*out = make([]RelatedFindingsProductArnObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceIAMInstanceProfileArn != nil {
 		in, out := &in.ResourceAwsEC2InstanceIAMInstanceProfileArn, &out.ResourceAwsEC2InstanceIAMInstanceProfileArn
-		*out = make([]ResourceAwsEC2InstanceIAMInstanceProfileArnParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceIAMInstanceProfileArnObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceIPv4Addresses != nil {
 		in, out := &in.ResourceAwsEC2InstanceIPv4Addresses, &out.ResourceAwsEC2InstanceIPv4Addresses
-		*out = make([]ResourceAwsEC2InstanceIPv4AddressesParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceIPv4AddressesObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceIPv6Addresses != nil {
 		in, out := &in.ResourceAwsEC2InstanceIPv6Addresses, &out.ResourceAwsEC2InstanceIPv6Addresses
-		*out = make([]ResourceAwsEC2InstanceIPv6AddressesParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceIPv6AddressesObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceImageID != nil {
 		in, out := &in.ResourceAwsEC2InstanceImageID, &out.ResourceAwsEC2InstanceImageID
-		*out = make([]ResourceAwsEC2InstanceImageIDParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceImageIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceKeyName != nil {
 		in, out := &in.ResourceAwsEC2InstanceKeyName, &out.ResourceAwsEC2InstanceKeyName
-		*out = make([]ResourceAwsEC2InstanceKeyNameParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceKeyNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceLaunchedAt != nil {
 		in, out := &in.ResourceAwsEC2InstanceLaunchedAt, &out.ResourceAwsEC2InstanceLaunchedAt
-		*out = make([]ResourceAwsEC2InstanceLaunchedAtParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceLaunchedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceSubnetID != nil {
 		in, out := &in.ResourceAwsEC2InstanceSubnetID, &out.ResourceAwsEC2InstanceSubnetID
-		*out = make([]ResourceAwsEC2InstanceSubnetIDParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceSubnetIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceType != nil {
 		in, out := &in.ResourceAwsEC2InstanceType, &out.ResourceAwsEC2InstanceType
-		*out = make([]ResourceAwsEC2InstanceTypeParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceTypeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsEC2InstanceVPCID != nil {
 		in, out := &in.ResourceAwsEC2InstanceVPCID, &out.ResourceAwsEC2InstanceVPCID
-		*out = make([]ResourceAwsEC2InstanceVPCIDParameters, len(*in))
+		*out = make([]ResourceAwsEC2InstanceVPCIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsIAMAccessKeyCreatedAt != nil {
 		in, out := &in.ResourceAwsIAMAccessKeyCreatedAt, &out.ResourceAwsIAMAccessKeyCreatedAt
-		*out = make([]ResourceAwsIAMAccessKeyCreatedAtParameters, len(*in))
+		*out = make([]ResourceAwsIAMAccessKeyCreatedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsIAMAccessKeyStatus != nil {
 		in, out := &in.ResourceAwsIAMAccessKeyStatus, &out.ResourceAwsIAMAccessKeyStatus
-		*out = make([]ResourceAwsIAMAccessKeyStatusParameters, len(*in))
+		*out = make([]ResourceAwsIAMAccessKeyStatusObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsIAMAccessKeyUserName != nil {
 		in, out := &in.ResourceAwsIAMAccessKeyUserName, &out.ResourceAwsIAMAccessKeyUserName
-		*out = make([]ResourceAwsIAMAccessKeyUserNameParameters, len(*in))
+		*out = make([]ResourceAwsIAMAccessKeyUserNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsS3BucketOwnerID != nil {
 		in, out := &in.ResourceAwsS3BucketOwnerID, &out.ResourceAwsS3BucketOwnerID
-		*out = make([]ResourceAwsS3BucketOwnerIDParameters, len(*in))
+		*out = make([]ResourceAwsS3BucketOwnerIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceAwsS3BucketOwnerName != nil {
 		in, out := &in.ResourceAwsS3BucketOwnerName, &out.ResourceAwsS3BucketOwnerName
-		*out = make([]ResourceAwsS3BucketOwnerNameParameters, len(*in))
+		*out = make([]ResourceAwsS3BucketOwnerNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceContainerImageID != nil {
 		in, out := &in.ResourceContainerImageID, &out.ResourceContainerImageID
-		*out = make([]ResourceContainerImageIDParameters, len(*in))
+		*out = make([]ResourceContainerImageIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceContainerImageName != nil {
 		in, out := &in.ResourceContainerImageName, &out.ResourceContainerImageName
-		*out = make([]ResourceContainerImageNameParameters, len(*in))
+		*out = make([]ResourceContainerImageNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceContainerLaunchedAt != nil {
 		in, out := &in.ResourceContainerLaunchedAt, &out.ResourceContainerLaunchedAt
-		*out = make([]ResourceContainerLaunchedAtParameters, len(*in))
+		*out = make([]ResourceContainerLaunchedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceContainerName != nil {
 		in, out := &in.ResourceContainerName, &out.ResourceContainerName
-		*out = make([]ResourceContainerNameParameters, len(*in))
+		*out = make([]ResourceContainerNameObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceDetailsOther != nil {
 		in, out := &in.ResourceDetailsOther, &out.ResourceDetailsOther
-		*out = make([]ResourceDetailsOtherParameters, len(*in))
+		*out = make([]ResourceDetailsOtherObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceID != nil {
 		in, out := &in.ResourceID, &out.ResourceID
-		*out = make([]ResourceIDParameters, len(*in))
+		*out = make([]ResourceIDObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourcePartition != nil {
 		in, out := &in.ResourcePartition, &out.ResourcePartition
-		*out = make([]ResourcePartitionParameters, len(*in))
+		*out = make([]ResourcePartitionObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceRegion != nil {
 		in, out := &in.ResourceRegion, &out.ResourceRegion
-		*out = make([]ResourceRegionParameters, len(*in))
+		*out = make([]ResourceRegionObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceTags != nil {
 		in, out := &in.ResourceTags, &out.ResourceTags
-		*out = make([]ResourceTagsParameters, len(*in))
+		*out = make([]ResourceTagsObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ResourceType != nil {
 		in, out := &in.ResourceType, &out.ResourceType
-		*out = make([]ResourceTypeParameters, len(*in))
+		*out = make([]ResourceTypeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.SeverityLabel != nil {
 		in, out := &in.SeverityLabel, &out.SeverityLabel
-		*out = make([]SeverityLabelParameters, len(*in))
+		*out = make([]SeverityLabelObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.SourceURL != nil {
 		in, out := &in.SourceURL, &out.SourceURL
-		*out = make([]SourceURLParameters, len(*in))
+		*out = make([]SourceURLObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ThreatIntelIndicatorCategory != nil {
 		in, out := &in.ThreatIntelIndicatorCategory, &out.ThreatIntelIndicatorCategory
-		*out = make([]ThreatIntelIndicatorCategoryParameters, len(*in))
+		*out = make([]ThreatIntelIndicatorCategoryObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ThreatIntelIndicatorLastObservedAt != nil {
 		in, out := &in.ThreatIntelIndicatorLastObservedAt, &out.ThreatIntelIndicatorLastObservedAt
-		*out = make([]ThreatIntelIndicatorLastObservedAtParameters, len(*in))
+		*out = make([]ThreatIntelIndicatorLastObservedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ThreatIntelIndicatorSource != nil {
 		in, out := &in.ThreatIntelIndicatorSource, &out.ThreatIntelIndicatorSource
-		*out = make([]ThreatIntelIndicatorSourceParameters, len(*in))
+		*out = make([]ThreatIntelIndicatorSourceObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ThreatIntelIndicatorSourceURL != nil {
 		in, out := &in.ThreatIntelIndicatorSourceURL, &out.ThreatIntelIndicatorSourceURL
-		*out = make([]ThreatIntelIndicatorSourceURLParameters, len(*in))
+		*out = make([]ThreatIntelIndicatorSourceURLObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ThreatIntelIndicatorType != nil {
 		in, out := &in.ThreatIntelIndicatorType, &out.ThreatIntelIndicatorType
-		*out = make([]ThreatIntelIndicatorTypeParameters, len(*in))
+		*out = make([]ThreatIntelIndicatorTypeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.ThreatIntelIndicatorValue != nil {
 		in, out := &in.ThreatIntelIndicatorValue, &out.ThreatIntelIndicatorValue
-		*out = make([]ThreatIntelIndicatorValueParameters, len(*in))
+		*out = make([]ThreatIntelIndicatorValueObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.Title != nil {
 		in, out := &in.Title, &out.Title
-		*out = make([]TitleParameters, len(*in))
+		*out = make([]TitleObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.Type != nil {
 		in, out := &in.Type, &out.Type
-		*out = make([]TypeParameters, len(*in))
+		*out = make([]TypeObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.UpdatedAt != nil {
 		in, out := &in.UpdatedAt, &out.UpdatedAt
-		*out = make([]UpdatedAtParameters, len(*in))
+		*out = make([]UpdatedAtObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.UserDefinedValues != nil {
 		in, out := &in.UserDefinedValues, &out.UserDefinedValues
-		*out = make([]UserDefinedValuesParameters, len(*in))
+		*out = make([]UserDefinedValuesObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.VerificationState != nil {
 		in, out := &in.VerificationState, &out.VerificationState
-		*out = make([]VerificationStateParameters, len(*in))
+		*out = make([]VerificationStateObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 	if in.WorkflowStatus != nil {
 		in, out := &in.WorkflowStatus, &out.WorkflowStatus
-		*out = make([]WorkflowStatusParameters, len(*in))
+		*out = make([]WorkflowStatusObservation, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
 }
 
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FiltersParameters.
-func (in *FiltersParameters) DeepCopy() *FiltersParameters {
-	if in == nil {
-		return nil
-	}
-	out := new(FiltersParameters)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FindingAggregator) DeepCopyInto(out *FindingAggregator) {
-	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
-	in.Spec.DeepCopyInto(&out.Spec)
-	in.Status.DeepCopyInto(&out.Status)
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingAggregator.
-func (in *FindingAggregator) DeepCopy() *FindingAggregator {
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FiltersObservation.
+func (in *FiltersObservation) DeepCopy() *FiltersObservation {
 	if in == nil {
 		return nil
 	}
-	out := new(FindingAggregator)
+	out := new(FiltersObservation)
 	in.DeepCopyInto(out)
 	return out
 }
 
-// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
-func (in *FindingAggregator) DeepCopyObject() runtime.Object {
-	if c := in.DeepCopy(); c != nil {
-		return c
-	}
-	return nil
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FindingAggregatorList) DeepCopyInto(out *FindingAggregatorList) {
+func (in *FiltersParameters) DeepCopyInto(out *FiltersParameters) {
 	*out = *in
-	out.TypeMeta = in.TypeMeta
-	in.ListMeta.DeepCopyInto(&out.ListMeta)
-	if in.Items != nil {
-		in, out := &in.Items, &out.Items
-		*out = make([]FindingAggregator, len(*in))
+	if in.AwsAccountID != nil {
+		in, out := &in.AwsAccountID, &out.AwsAccountID
+		*out = make([]AwsAccountIDParameters, len(*in))
 		for i := range *in {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingAggregatorList.
-func (in *FindingAggregatorList) DeepCopy() *FindingAggregatorList {
+	if in.CompanyName != nil {
+		in, out := &in.CompanyName, &out.CompanyName
+		*out = make([]CompanyNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ComplianceStatus != nil {
+		in, out := &in.ComplianceStatus, &out.ComplianceStatus
+		*out = make([]ComplianceStatusParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Confidence != nil {
+		in, out := &in.Confidence, &out.Confidence
+		*out = make([]ConfidenceParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CreatedAt != nil {
+		in, out := &in.CreatedAt, &out.CreatedAt
+		*out = make([]CreatedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Criticality != nil {
+		in, out := &in.Criticality, &out.Criticality
+		*out = make([]CriticalityParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = make([]DescriptionParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FindingProviderFieldsConfidence != nil {
+		in, out := &in.FindingProviderFieldsConfidence, &out.FindingProviderFieldsConfidence
+		*out = make([]FindingProviderFieldsConfidenceParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FindingProviderFieldsCriticality != nil {
+		in, out := &in.FindingProviderFieldsCriticality, &out.FindingProviderFieldsCriticality
+		*out = make([]FindingProviderFieldsCriticalityParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FindingProviderFieldsRelatedFindingsID != nil {
+		in, out := &in.FindingProviderFieldsRelatedFindingsID, &out.FindingProviderFieldsRelatedFindingsID
+		*out = make([]FindingProviderFieldsRelatedFindingsIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FindingProviderFieldsRelatedFindingsProductArn != nil {
+		in, out := &in.FindingProviderFieldsRelatedFindingsProductArn, &out.FindingProviderFieldsRelatedFindingsProductArn
+		*out = make([]FindingProviderFieldsRelatedFindingsProductArnParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FindingProviderFieldsSeverityLabel != nil {
+		in, out := &in.FindingProviderFieldsSeverityLabel, &out.FindingProviderFieldsSeverityLabel
+		*out = make([]FindingProviderFieldsSeverityLabelParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FindingProviderFieldsSeverityOriginal != nil {
+		in, out := &in.FindingProviderFieldsSeverityOriginal, &out.FindingProviderFieldsSeverityOriginal
+		*out = make([]FindingProviderFieldsSeverityOriginalParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FindingProviderFieldsTypes != nil {
+		in, out := &in.FindingProviderFieldsTypes, &out.FindingProviderFieldsTypes
+		*out = make([]FindingProviderFieldsTypesParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.FirstObservedAt != nil {
+		in, out := &in.FirstObservedAt, &out.FirstObservedAt
+		*out = make([]FirstObservedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GeneratorID != nil {
+		in, out := &in.GeneratorID, &out.GeneratorID
+		*out = make([]GeneratorIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = make([]IDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Keyword != nil {
+		in, out := &in.Keyword, &out.Keyword
+		*out = make([]KeywordParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LastObservedAt != nil {
+		in, out := &in.LastObservedAt, &out.LastObservedAt
+		*out = make([]LastObservedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MalwareName != nil {
+		in, out := &in.MalwareName, &out.MalwareName
+		*out = make([]MalwareNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MalwarePath != nil {
+		in, out := &in.MalwarePath, &out.MalwarePath
+		*out = make([]MalwarePathParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MalwareState != nil {
+		in, out := &in.MalwareState, &out.MalwareState
+		*out = make([]MalwareStateParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MalwareType != nil {
+		in, out := &in.MalwareType, &out.MalwareType
+		*out = make([]MalwareTypeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkDestinationDomain != nil {
+		in, out := &in.NetworkDestinationDomain, &out.NetworkDestinationDomain
+		*out = make([]NetworkDestinationDomainParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkDestinationIPv4 != nil {
+		in, out := &in.NetworkDestinationIPv4, &out.NetworkDestinationIPv4
+		*out = make([]NetworkDestinationIPv4Parameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkDestinationIPv6 != nil {
+		in, out := &in.NetworkDestinationIPv6, &out.NetworkDestinationIPv6
+		*out = make([]NetworkDestinationIPv6Parameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkDestinationPort != nil {
+		in, out := &in.NetworkDestinationPort, &out.NetworkDestinationPort
+		*out = make([]NetworkDestinationPortParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkDirection != nil {
+		in, out := &in.NetworkDirection, &out.NetworkDirection
+		*out = make([]NetworkDirectionParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkProtocol != nil {
+		in, out := &in.NetworkProtocol, &out.NetworkProtocol
+		*out = make([]NetworkProtocolParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkSourceDomain != nil {
+		in, out := &in.NetworkSourceDomain, &out.NetworkSourceDomain
+		*out = make([]NetworkSourceDomainParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkSourceIPv4 != nil {
+		in, out := &in.NetworkSourceIPv4, &out.NetworkSourceIPv4
+		*out = make([]NetworkSourceIPv4Parameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkSourceIPv6 != nil {
+		in, out := &in.NetworkSourceIPv6, &out.NetworkSourceIPv6
+		*out = make([]NetworkSourceIPv6Parameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkSourceMac != nil {
+		in, out := &in.NetworkSourceMac, &out.NetworkSourceMac
+		*out = make([]NetworkSourceMacParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NetworkSourcePort != nil {
+		in, out := &in.NetworkSourcePort, &out.NetworkSourcePort
+		*out = make([]NetworkSourcePortParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoteText != nil {
+		in, out := &in.NoteText, &out.NoteText
+		*out = make([]NoteTextParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoteUpdatedAt != nil {
+		in, out := &in.NoteUpdatedAt, &out.NoteUpdatedAt
+		*out = make([]NoteUpdatedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NoteUpdatedBy != nil {
+		in, out := &in.NoteUpdatedBy, &out.NoteUpdatedBy
+		*out = make([]NoteUpdatedByParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProcessLaunchedAt != nil {
+		in, out := &in.ProcessLaunchedAt, &out.ProcessLaunchedAt
+		*out = make([]ProcessLaunchedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProcessName != nil {
+		in, out := &in.ProcessName, &out.ProcessName
+		*out = make([]ProcessNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProcessParentPid != nil {
+		in, out := &in.ProcessParentPid, &out.ProcessParentPid
+		*out = make([]ProcessParentPidParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProcessPath != nil {
+		in, out := &in.ProcessPath, &out.ProcessPath
+		*out = make([]ProcessPathParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProcessPid != nil {
+		in, out := &in.ProcessPid, &out.ProcessPid
+		*out = make([]ProcessPidParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProcessTerminatedAt != nil {
+		in, out := &in.ProcessTerminatedAt, &out.ProcessTerminatedAt
+		*out = make([]ProcessTerminatedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProductArn != nil {
+		in, out := &in.ProductArn, &out.ProductArn
+		*out = make([]ProductArnParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProductFields != nil {
+		in, out := &in.ProductFields, &out.ProductFields
+		*out = make([]ProductFieldsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ProductName != nil {
+		in, out := &in.ProductName, &out.ProductName
+		*out = make([]ProductNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecommendationText != nil {
+		in, out := &in.RecommendationText, &out.RecommendationText
+		*out = make([]RecommendationTextParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RecordState != nil {
+		in, out := &in.RecordState, &out.RecordState
+		*out = make([]RecordStateParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RelatedFindingsID != nil {
+		in, out := &in.RelatedFindingsID, &out.RelatedFindingsID
+		*out = make([]RelatedFindingsIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RelatedFindingsProductArn != nil {
+		in, out := &in.RelatedFindingsProductArn, &out.RelatedFindingsProductArn
+		*out = make([]RelatedFindingsProductArnParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceIAMInstanceProfileArn != nil {
+		in, out := &in.ResourceAwsEC2InstanceIAMInstanceProfileArn, &out.ResourceAwsEC2InstanceIAMInstanceProfileArn
+		*out = make([]ResourceAwsEC2InstanceIAMInstanceProfileArnParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceIPv4Addresses != nil {
+		in, out := &in.ResourceAwsEC2InstanceIPv4Addresses, &out.ResourceAwsEC2InstanceIPv4Addresses
+		*out = make([]ResourceAwsEC2InstanceIPv4AddressesParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceIPv6Addresses != nil {
+		in, out := &in.ResourceAwsEC2InstanceIPv6Addresses, &out.ResourceAwsEC2InstanceIPv6Addresses
+		*out = make([]ResourceAwsEC2InstanceIPv6AddressesParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceImageID != nil {
+		in, out := &in.ResourceAwsEC2InstanceImageID, &out.ResourceAwsEC2InstanceImageID
+		*out = make([]ResourceAwsEC2InstanceImageIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceKeyName != nil {
+		in, out := &in.ResourceAwsEC2InstanceKeyName, &out.ResourceAwsEC2InstanceKeyName
+		*out = make([]ResourceAwsEC2InstanceKeyNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceLaunchedAt != nil {
+		in, out := &in.ResourceAwsEC2InstanceLaunchedAt, &out.ResourceAwsEC2InstanceLaunchedAt
+		*out = make([]ResourceAwsEC2InstanceLaunchedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceSubnetID != nil {
+		in, out := &in.ResourceAwsEC2InstanceSubnetID, &out.ResourceAwsEC2InstanceSubnetID
+		*out = make([]ResourceAwsEC2InstanceSubnetIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceType != nil {
+		in, out := &in.ResourceAwsEC2InstanceType, &out.ResourceAwsEC2InstanceType
+		*out = make([]ResourceAwsEC2InstanceTypeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsEC2InstanceVPCID != nil {
+		in, out := &in.ResourceAwsEC2InstanceVPCID, &out.ResourceAwsEC2InstanceVPCID
+		*out = make([]ResourceAwsEC2InstanceVPCIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsIAMAccessKeyCreatedAt != nil {
+		in, out := &in.ResourceAwsIAMAccessKeyCreatedAt, &out.ResourceAwsIAMAccessKeyCreatedAt
+		*out = make([]ResourceAwsIAMAccessKeyCreatedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsIAMAccessKeyStatus != nil {
+		in, out := &in.ResourceAwsIAMAccessKeyStatus, &out.ResourceAwsIAMAccessKeyStatus
+		*out = make([]ResourceAwsIAMAccessKeyStatusParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsIAMAccessKeyUserName != nil {
+		in, out := &in.ResourceAwsIAMAccessKeyUserName, &out.ResourceAwsIAMAccessKeyUserName
+		*out = make([]ResourceAwsIAMAccessKeyUserNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsS3BucketOwnerID != nil {
+		in, out := &in.ResourceAwsS3BucketOwnerID, &out.ResourceAwsS3BucketOwnerID
+		*out = make([]ResourceAwsS3BucketOwnerIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceAwsS3BucketOwnerName != nil {
+		in, out := &in.ResourceAwsS3BucketOwnerName, &out.ResourceAwsS3BucketOwnerName
+		*out = make([]ResourceAwsS3BucketOwnerNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceContainerImageID != nil {
+		in, out := &in.ResourceContainerImageID, &out.ResourceContainerImageID
+		*out = make([]ResourceContainerImageIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceContainerImageName != nil {
+		in, out := &in.ResourceContainerImageName, &out.ResourceContainerImageName
+		*out = make([]ResourceContainerImageNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceContainerLaunchedAt != nil {
+		in, out := &in.ResourceContainerLaunchedAt, &out.ResourceContainerLaunchedAt
+		*out = make([]ResourceContainerLaunchedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceContainerName != nil {
+		in, out := &in.ResourceContainerName, &out.ResourceContainerName
+		*out = make([]ResourceContainerNameParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceDetailsOther != nil {
+		in, out := &in.ResourceDetailsOther, &out.ResourceDetailsOther
+		*out = make([]ResourceDetailsOtherParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = make([]ResourceIDParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourcePartition != nil {
+		in, out := &in.ResourcePartition, &out.ResourcePartition
+		*out = make([]ResourcePartitionParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceRegion != nil {
+		in, out := &in.ResourceRegion, &out.ResourceRegion
+		*out = make([]ResourceRegionParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceTags != nil {
+		in, out := &in.ResourceTags, &out.ResourceTags
+		*out = make([]ResourceTagsParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = make([]ResourceTypeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SeverityLabel != nil {
+		in, out := &in.SeverityLabel, &out.SeverityLabel
+		*out = make([]SeverityLabelParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SourceURL != nil {
+		in, out := &in.SourceURL, &out.SourceURL
+		*out = make([]SourceURLParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThreatIntelIndicatorCategory != nil {
+		in, out := &in.ThreatIntelIndicatorCategory, &out.ThreatIntelIndicatorCategory
+		*out = make([]ThreatIntelIndicatorCategoryParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThreatIntelIndicatorLastObservedAt != nil {
+		in, out := &in.ThreatIntelIndicatorLastObservedAt, &out.ThreatIntelIndicatorLastObservedAt
+		*out = make([]ThreatIntelIndicatorLastObservedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThreatIntelIndicatorSource != nil {
+		in, out := &in.ThreatIntelIndicatorSource, &out.ThreatIntelIndicatorSource
+		*out = make([]ThreatIntelIndicatorSourceParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThreatIntelIndicatorSourceURL != nil {
+		in, out := &in.ThreatIntelIndicatorSourceURL, &out.ThreatIntelIndicatorSourceURL
+		*out = make([]ThreatIntelIndicatorSourceURLParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThreatIntelIndicatorType != nil {
+		in, out := &in.ThreatIntelIndicatorType, &out.ThreatIntelIndicatorType
+		*out = make([]ThreatIntelIndicatorTypeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ThreatIntelIndicatorValue != nil {
+		in, out := &in.ThreatIntelIndicatorValue, &out.ThreatIntelIndicatorValue
+		*out = make([]ThreatIntelIndicatorValueParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Title != nil {
+		in, out := &in.Title, &out.Title
+		*out = make([]TitleParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = make([]TypeParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UpdatedAt != nil {
+		in, out := &in.UpdatedAt, &out.UpdatedAt
+		*out = make([]UpdatedAtParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.UserDefinedValues != nil {
+		in, out := &in.UserDefinedValues, &out.UserDefinedValues
+		*out = make([]UserDefinedValuesParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.VerificationState != nil {
+		in, out := &in.VerificationState, &out.VerificationState
+		*out = make([]VerificationStateParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WorkflowStatus != nil {
+		in, out := &in.WorkflowStatus, &out.WorkflowStatus
+		*out = make([]WorkflowStatusParameters, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FiltersParameters.
+func (in *FiltersParameters) DeepCopy() *FiltersParameters {
+	if in == nil {
+		return nil
+	}
+	out := new(FiltersParameters)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FindingAggregator) DeepCopyInto(out *FindingAggregator) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	in.Status.DeepCopyInto(&out.Status)
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingAggregator.
+func (in *FindingAggregator) DeepCopy() *FindingAggregator {
+	if in == nil {
+		return nil
+	}
+	out := new(FindingAggregator)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *FindingAggregator) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FindingAggregatorList) DeepCopyInto(out *FindingAggregatorList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]FindingAggregator, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingAggregatorList.
+func (in *FindingAggregatorList) DeepCopy() *FindingAggregatorList {
 	if in == nil {
 		return nil
 	}
@@ -1345,6 +2068,22 @@ func (in *FindingAggregatorObservation) DeepCopyInto(out *FindingAggregatorObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.LinkingMode != nil {
+		in, out := &in.LinkingMode, &out.LinkingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.SpecifiedRegions != nil {
+		in, out := &in.SpecifiedRegions, &out.SpecifiedRegions
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingAggregatorObservation.
@@ -1422,14 +2161,29 @@ func (in *FindingAggregatorStatus) DeepCopy() *FindingAggregatorStatus {
 	if in == nil {
 		return nil
 	}
-	out := new(FindingAggregatorStatus)
-	in.DeepCopyInto(out)
-	return out
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *FindingProviderFieldsConfidenceObservation) DeepCopyInto(out *FindingProviderFieldsConfidenceObservation) {
-	*out = *in
+	out := new(FindingAggregatorStatus)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *FindingProviderFieldsConfidenceObservation) DeepCopyInto(out *FindingProviderFieldsConfidenceObservation) {
+	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingProviderFieldsConfidenceObservation.
@@ -1475,6 +2229,21 @@ func (in *FindingProviderFieldsConfidenceParameters) DeepCopy() *FindingProvider
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingProviderFieldsCriticalityObservation) DeepCopyInto(out *FindingProviderFieldsCriticalityObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingProviderFieldsCriticalityObservation.
@@ -1520,6 +2289,16 @@ func (in *FindingProviderFieldsCriticalityParameters) DeepCopy() *FindingProvide
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingProviderFieldsRelatedFindingsIDObservation) DeepCopyInto(out *FindingProviderFieldsRelatedFindingsIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingProviderFieldsRelatedFindingsIDObservation.
@@ -1560,6 +2339,16 @@ func (in *FindingProviderFieldsRelatedFindingsIDParameters) DeepCopy() *FindingP
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingProviderFieldsRelatedFindingsProductArnObservation) DeepCopyInto(out *FindingProviderFieldsRelatedFindingsProductArnObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingProviderFieldsRelatedFindingsProductArnObservation.
@@ -1600,6 +2389,16 @@ func (in *FindingProviderFieldsRelatedFindingsProductArnParameters) DeepCopy() *
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingProviderFieldsSeverityLabelObservation) DeepCopyInto(out *FindingProviderFieldsSeverityLabelObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingProviderFieldsSeverityLabelObservation.
@@ -1640,6 +2439,16 @@ func (in *FindingProviderFieldsSeverityLabelParameters) DeepCopy() *FindingProvi
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingProviderFieldsSeverityOriginalObservation) DeepCopyInto(out *FindingProviderFieldsSeverityOriginalObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingProviderFieldsSeverityOriginalObservation.
@@ -1680,6 +2489,16 @@ func (in *FindingProviderFieldsSeverityOriginalParameters) DeepCopy() *FindingPr
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FindingProviderFieldsTypesObservation) DeepCopyInto(out *FindingProviderFieldsTypesObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FindingProviderFieldsTypesObservation.
@@ -1720,6 +2539,16 @@ func (in *FindingProviderFieldsTypesParameters) DeepCopy() *FindingProviderField
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FirstObservedAtDateRangeObservation) DeepCopyInto(out *FirstObservedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirstObservedAtDateRangeObservation.
@@ -1760,6 +2589,23 @@ func (in *FirstObservedAtDateRangeParameters) DeepCopy() *FirstObservedAtDateRan
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FirstObservedAtObservation) DeepCopyInto(out *FirstObservedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]FirstObservedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirstObservedAtObservation.
@@ -1807,6 +2653,16 @@ func (in *FirstObservedAtParameters) DeepCopy() *FirstObservedAtParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GeneratorIDObservation) DeepCopyInto(out *GeneratorIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeneratorIDObservation.
@@ -1847,6 +2703,16 @@ func (in *GeneratorIDParameters) DeepCopy() *GeneratorIDParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IDObservation) DeepCopyInto(out *IDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDObservation.
@@ -1951,11 +2817,28 @@ func (in *InsightObservation) DeepCopyInto(out *InsightObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Filters != nil {
+		in, out := &in.Filters, &out.Filters
+		*out = make([]FiltersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.GroupByAttribute != nil {
+		in, out := &in.GroupByAttribute, &out.GroupByAttribute
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightObservation.
@@ -2111,6 +2994,11 @@ func (in *InviteAccepterObservation) DeepCopyInto(out *InviteAccepterObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.MasterID != nil {
+		in, out := &in.MasterID, &out.MasterID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InviteAccepterObservation.
@@ -2195,6 +3083,11 @@ func (in *InviteAccepterStatus) DeepCopy() *InviteAccepterStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KeywordObservation) DeepCopyInto(out *KeywordObservation) {
 	*out = *in
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KeywordObservation.
@@ -2230,6 +3123,16 @@ func (in *KeywordParameters) DeepCopy() *KeywordParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LastObservedAtDateRangeObservation) DeepCopyInto(out *LastObservedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LastObservedAtDateRangeObservation.
@@ -2270,6 +3173,23 @@ func (in *LastObservedAtDateRangeParameters) DeepCopy() *LastObservedAtDateRange
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LastObservedAtObservation) DeepCopyInto(out *LastObservedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]LastObservedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LastObservedAtObservation.
@@ -2317,6 +3237,16 @@ func (in *LastObservedAtParameters) DeepCopy() *LastObservedAtParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MalwareNameObservation) DeepCopyInto(out *MalwareNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MalwareNameObservation.
@@ -2357,6 +3287,16 @@ func (in *MalwareNameParameters) DeepCopy() *MalwareNameParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MalwarePathObservation) DeepCopyInto(out *MalwarePathObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MalwarePathObservation.
@@ -2397,6 +3337,16 @@ func (in *MalwarePathParameters) DeepCopy() *MalwarePathParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MalwareStateObservation) DeepCopyInto(out *MalwareStateObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MalwareStateObservation.
@@ -2437,6 +3387,16 @@ func (in *MalwareStateParameters) DeepCopy() *MalwareStateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MalwareTypeObservation) DeepCopyInto(out *MalwareTypeObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MalwareTypeObservation.
@@ -2536,11 +3496,26 @@ func (in *MemberList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MemberObservation) DeepCopyInto(out *MemberObservation) {
 	*out = *in
+	if in.AccountID != nil {
+		in, out := &in.AccountID, &out.AccountID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Invite != nil {
+		in, out := &in.Invite, &out.Invite
+		*out = new(bool)
+		**out = **in
+	}
 	if in.MasterID != nil {
 		in, out := &in.MasterID, &out.MasterID
 		*out = new(string)
@@ -2635,6 +3610,16 @@ func (in *MemberStatus) DeepCopy() *MemberStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDestinationDomainObservation) DeepCopyInto(out *NetworkDestinationDomainObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDestinationDomainObservation.
@@ -2675,6 +3660,11 @@ func (in *NetworkDestinationDomainParameters) DeepCopy() *NetworkDestinationDoma
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDestinationIPv4Observation) DeepCopyInto(out *NetworkDestinationIPv4Observation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDestinationIPv4Observation.
@@ -2710,6 +3700,11 @@ func (in *NetworkDestinationIPv4Parameters) DeepCopy() *NetworkDestinationIPv4Pa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDestinationIPv6Observation) DeepCopyInto(out *NetworkDestinationIPv6Observation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDestinationIPv6Observation.
@@ -2745,6 +3740,21 @@ func (in *NetworkDestinationIPv6Parameters) DeepCopy() *NetworkDestinationIPv6Pa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDestinationPortObservation) DeepCopyInto(out *NetworkDestinationPortObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDestinationPortObservation.
@@ -2790,6 +3800,16 @@ func (in *NetworkDestinationPortParameters) DeepCopy() *NetworkDestinationPortPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkDirectionObservation) DeepCopyInto(out *NetworkDirectionObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkDirectionObservation.
@@ -2830,6 +3850,16 @@ func (in *NetworkDirectionParameters) DeepCopy() *NetworkDirectionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkProtocolObservation) DeepCopyInto(out *NetworkProtocolObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkProtocolObservation.
@@ -2870,6 +3900,16 @@ func (in *NetworkProtocolParameters) DeepCopy() *NetworkProtocolParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkSourceDomainObservation) DeepCopyInto(out *NetworkSourceDomainObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSourceDomainObservation.
@@ -2910,6 +3950,11 @@ func (in *NetworkSourceDomainParameters) DeepCopy() *NetworkSourceDomainParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkSourceIPv4Observation) DeepCopyInto(out *NetworkSourceIPv4Observation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSourceIPv4Observation.
@@ -2945,6 +3990,11 @@ func (in *NetworkSourceIPv4Parameters) DeepCopy() *NetworkSourceIPv4Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkSourceIPv6Observation) DeepCopyInto(out *NetworkSourceIPv6Observation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSourceIPv6Observation.
@@ -2980,6 +4030,16 @@ func (in *NetworkSourceIPv6Parameters) DeepCopy() *NetworkSourceIPv6Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkSourceMacObservation) DeepCopyInto(out *NetworkSourceMacObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSourceMacObservation.
@@ -3020,6 +4080,21 @@ func (in *NetworkSourceMacParameters) DeepCopy() *NetworkSourceMacParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkSourcePortObservation) DeepCopyInto(out *NetworkSourcePortObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkSourcePortObservation.
@@ -3065,6 +4140,16 @@ func (in *NetworkSourcePortParameters) DeepCopy() *NetworkSourcePortParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NoteTextObservation) DeepCopyInto(out *NoteTextObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoteTextObservation.
@@ -3105,6 +4190,16 @@ func (in *NoteTextParameters) DeepCopy() *NoteTextParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NoteUpdatedAtDateRangeObservation) DeepCopyInto(out *NoteUpdatedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoteUpdatedAtDateRangeObservation.
@@ -3145,6 +4240,23 @@ func (in *NoteUpdatedAtDateRangeParameters) DeepCopy() *NoteUpdatedAtDateRangePa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NoteUpdatedAtObservation) DeepCopyInto(out *NoteUpdatedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]NoteUpdatedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoteUpdatedAtObservation.
@@ -3192,6 +4304,16 @@ func (in *NoteUpdatedAtParameters) DeepCopy() *NoteUpdatedAtParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NoteUpdatedByObservation) DeepCopyInto(out *NoteUpdatedByObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NoteUpdatedByObservation.
@@ -3232,6 +4354,16 @@ func (in *NoteUpdatedByParameters) DeepCopy() *NoteUpdatedByParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessLaunchedAtDateRangeObservation) DeepCopyInto(out *ProcessLaunchedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessLaunchedAtDateRangeObservation.
@@ -3272,6 +4404,23 @@ func (in *ProcessLaunchedAtDateRangeParameters) DeepCopy() *ProcessLaunchedAtDat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessLaunchedAtObservation) DeepCopyInto(out *ProcessLaunchedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]ProcessLaunchedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessLaunchedAtObservation.
@@ -3319,6 +4468,16 @@ func (in *ProcessLaunchedAtParameters) DeepCopy() *ProcessLaunchedAtParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessNameObservation) DeepCopyInto(out *ProcessNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessNameObservation.
@@ -3359,6 +4518,21 @@ func (in *ProcessNameParameters) DeepCopy() *ProcessNameParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessParentPidObservation) DeepCopyInto(out *ProcessParentPidObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessParentPidObservation.
@@ -3404,6 +4578,16 @@ func (in *ProcessParentPidParameters) DeepCopy() *ProcessParentPidParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessPathObservation) DeepCopyInto(out *ProcessPathObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessPathObservation.
@@ -3444,6 +4628,21 @@ func (in *ProcessPathParameters) DeepCopy() *ProcessPathParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessPidObservation) DeepCopyInto(out *ProcessPidObservation) {
 	*out = *in
+	if in.Eq != nil {
+		in, out := &in.Eq, &out.Eq
+		*out = new(string)
+		**out = **in
+	}
+	if in.Gte != nil {
+		in, out := &in.Gte, &out.Gte
+		*out = new(string)
+		**out = **in
+	}
+	if in.Lte != nil {
+		in, out := &in.Lte, &out.Lte
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessPidObservation.
@@ -3489,6 +4688,16 @@ func (in *ProcessPidParameters) DeepCopy() *ProcessPidParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessTerminatedAtDateRangeObservation) DeepCopyInto(out *ProcessTerminatedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessTerminatedAtDateRangeObservation.
@@ -3529,6 +4738,23 @@ func (in *ProcessTerminatedAtDateRangeParameters) DeepCopy() *ProcessTerminatedA
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProcessTerminatedAtObservation) DeepCopyInto(out *ProcessTerminatedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]ProcessTerminatedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProcessTerminatedAtObservation.
@@ -3576,6 +4802,16 @@ func (in *ProcessTerminatedAtParameters) DeepCopy() *ProcessTerminatedAtParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProductArnObservation) DeepCopyInto(out *ProductArnObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProductArnObservation.
@@ -3616,6 +4852,21 @@ func (in *ProductArnParameters) DeepCopy() *ProductArnParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProductFieldsObservation) DeepCopyInto(out *ProductFieldsObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProductFieldsObservation.
@@ -3661,6 +4912,16 @@ func (in *ProductFieldsParameters) DeepCopy() *ProductFieldsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProductNameObservation) DeepCopyInto(out *ProductNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProductNameObservation.
@@ -3770,6 +5031,11 @@ func (in *ProductSubscriptionObservation) DeepCopyInto(out *ProductSubscriptionO
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProductArn != nil {
+		in, out := &in.ProductArn, &out.ProductArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProductSubscriptionObservation.
@@ -3844,6 +5110,16 @@ func (in *ProductSubscriptionStatus) DeepCopy() *ProductSubscriptionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecommendationTextObservation) DeepCopyInto(out *RecommendationTextObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecommendationTextObservation.
@@ -3884,6 +5160,16 @@ func (in *RecommendationTextParameters) DeepCopy() *RecommendationTextParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RecordStateObservation) DeepCopyInto(out *RecordStateObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RecordStateObservation.
@@ -3924,6 +5210,16 @@ func (in *RecordStateParameters) DeepCopy() *RecordStateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RelatedFindingsIDObservation) DeepCopyInto(out *RelatedFindingsIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RelatedFindingsIDObservation.
@@ -3964,6 +5260,16 @@ func (in *RelatedFindingsIDParameters) DeepCopy() *RelatedFindingsIDParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RelatedFindingsProductArnObservation) DeepCopyInto(out *RelatedFindingsProductArnObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RelatedFindingsProductArnObservation.
@@ -4004,6 +5310,16 @@ func (in *RelatedFindingsProductArnParameters) DeepCopy() *RelatedFindingsProduc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceIAMInstanceProfileArnObservation) DeepCopyInto(out *ResourceAwsEC2InstanceIAMInstanceProfileArnObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceIAMInstanceProfileArnObservation.
@@ -4044,6 +5360,11 @@ func (in *ResourceAwsEC2InstanceIAMInstanceProfileArnParameters) DeepCopy() *Res
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceIPv4AddressesObservation) DeepCopyInto(out *ResourceAwsEC2InstanceIPv4AddressesObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceIPv4AddressesObservation.
@@ -4079,6 +5400,11 @@ func (in *ResourceAwsEC2InstanceIPv4AddressesParameters) DeepCopy() *ResourceAws
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceIPv6AddressesObservation) DeepCopyInto(out *ResourceAwsEC2InstanceIPv6AddressesObservation) {
 	*out = *in
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceIPv6AddressesObservation.
@@ -4114,6 +5440,16 @@ func (in *ResourceAwsEC2InstanceIPv6AddressesParameters) DeepCopy() *ResourceAws
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceImageIDObservation) DeepCopyInto(out *ResourceAwsEC2InstanceImageIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceImageIDObservation.
@@ -4154,6 +5490,16 @@ func (in *ResourceAwsEC2InstanceImageIDParameters) DeepCopy() *ResourceAwsEC2Ins
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceKeyNameObservation) DeepCopyInto(out *ResourceAwsEC2InstanceKeyNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceKeyNameObservation.
@@ -4194,6 +5540,16 @@ func (in *ResourceAwsEC2InstanceKeyNameParameters) DeepCopy() *ResourceAwsEC2Ins
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceLaunchedAtDateRangeObservation) DeepCopyInto(out *ResourceAwsEC2InstanceLaunchedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceLaunchedAtDateRangeObservation.
@@ -4234,6 +5590,23 @@ func (in *ResourceAwsEC2InstanceLaunchedAtDateRangeParameters) DeepCopy() *Resou
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceLaunchedAtObservation) DeepCopyInto(out *ResourceAwsEC2InstanceLaunchedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]ResourceAwsEC2InstanceLaunchedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceLaunchedAtObservation.
@@ -4281,6 +5654,16 @@ func (in *ResourceAwsEC2InstanceLaunchedAtParameters) DeepCopy() *ResourceAwsEC2
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceSubnetIDObservation) DeepCopyInto(out *ResourceAwsEC2InstanceSubnetIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceSubnetIDObservation.
@@ -4321,6 +5704,16 @@ func (in *ResourceAwsEC2InstanceSubnetIDParameters) DeepCopy() *ResourceAwsEC2In
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceTypeObservation) DeepCopyInto(out *ResourceAwsEC2InstanceTypeObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceTypeObservation.
@@ -4361,6 +5754,16 @@ func (in *ResourceAwsEC2InstanceTypeParameters) DeepCopy() *ResourceAwsEC2Instan
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsEC2InstanceVPCIDObservation) DeepCopyInto(out *ResourceAwsEC2InstanceVPCIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsEC2InstanceVPCIDObservation.
@@ -4401,6 +5804,16 @@ func (in *ResourceAwsEC2InstanceVPCIDParameters) DeepCopy() *ResourceAwsEC2Insta
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsIAMAccessKeyCreatedAtDateRangeObservation) DeepCopyInto(out *ResourceAwsIAMAccessKeyCreatedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsIAMAccessKeyCreatedAtDateRangeObservation.
@@ -4441,6 +5854,23 @@ func (in *ResourceAwsIAMAccessKeyCreatedAtDateRangeParameters) DeepCopy() *Resou
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsIAMAccessKeyCreatedAtObservation) DeepCopyInto(out *ResourceAwsIAMAccessKeyCreatedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]ResourceAwsIAMAccessKeyCreatedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsIAMAccessKeyCreatedAtObservation.
@@ -4488,6 +5918,16 @@ func (in *ResourceAwsIAMAccessKeyCreatedAtParameters) DeepCopy() *ResourceAwsIAM
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsIAMAccessKeyStatusObservation) DeepCopyInto(out *ResourceAwsIAMAccessKeyStatusObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsIAMAccessKeyStatusObservation.
@@ -4528,6 +5968,16 @@ func (in *ResourceAwsIAMAccessKeyStatusParameters) DeepCopy() *ResourceAwsIAMAcc
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsIAMAccessKeyUserNameObservation) DeepCopyInto(out *ResourceAwsIAMAccessKeyUserNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsIAMAccessKeyUserNameObservation.
@@ -4568,6 +6018,16 @@ func (in *ResourceAwsIAMAccessKeyUserNameParameters) DeepCopy() *ResourceAwsIAMA
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsS3BucketOwnerIDObservation) DeepCopyInto(out *ResourceAwsS3BucketOwnerIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsS3BucketOwnerIDObservation.
@@ -4608,6 +6068,16 @@ func (in *ResourceAwsS3BucketOwnerIDParameters) DeepCopy() *ResourceAwsS3BucketO
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceAwsS3BucketOwnerNameObservation) DeepCopyInto(out *ResourceAwsS3BucketOwnerNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceAwsS3BucketOwnerNameObservation.
@@ -4648,6 +6118,16 @@ func (in *ResourceAwsS3BucketOwnerNameParameters) DeepCopy() *ResourceAwsS3Bucke
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceContainerImageIDObservation) DeepCopyInto(out *ResourceContainerImageIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceContainerImageIDObservation.
@@ -4688,6 +6168,16 @@ func (in *ResourceContainerImageIDParameters) DeepCopy() *ResourceContainerImage
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceContainerImageNameObservation) DeepCopyInto(out *ResourceContainerImageNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceContainerImageNameObservation.
@@ -4728,6 +6218,16 @@ func (in *ResourceContainerImageNameParameters) DeepCopy() *ResourceContainerIma
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceContainerLaunchedAtDateRangeObservation) DeepCopyInto(out *ResourceContainerLaunchedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceContainerLaunchedAtDateRangeObservation.
@@ -4768,6 +6268,23 @@ func (in *ResourceContainerLaunchedAtDateRangeParameters) DeepCopy() *ResourceCo
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceContainerLaunchedAtObservation) DeepCopyInto(out *ResourceContainerLaunchedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]ResourceContainerLaunchedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceContainerLaunchedAtObservation.
@@ -4815,6 +6332,16 @@ func (in *ResourceContainerLaunchedAtParameters) DeepCopy() *ResourceContainerLa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceContainerNameObservation) DeepCopyInto(out *ResourceContainerNameObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceContainerNameObservation.
@@ -4855,6 +6382,21 @@ func (in *ResourceContainerNameParameters) DeepCopy() *ResourceContainerNamePara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceDetailsOtherObservation) DeepCopyInto(out *ResourceDetailsOtherObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDetailsOtherObservation.
@@ -4900,6 +6442,16 @@ func (in *ResourceDetailsOtherParameters) DeepCopy() *ResourceDetailsOtherParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceIDObservation) DeepCopyInto(out *ResourceIDObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceIDObservation.
@@ -4940,6 +6492,16 @@ func (in *ResourceIDParameters) DeepCopy() *ResourceIDParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourcePartitionObservation) DeepCopyInto(out *ResourcePartitionObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourcePartitionObservation.
@@ -4980,6 +6542,16 @@ func (in *ResourcePartitionParameters) DeepCopy() *ResourcePartitionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceRegionObservation) DeepCopyInto(out *ResourceRegionObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceRegionObservation.
@@ -5020,6 +6592,21 @@ func (in *ResourceRegionParameters) DeepCopy() *ResourceRegionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceTagsObservation) DeepCopyInto(out *ResourceTagsObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceTagsObservation.
@@ -5065,6 +6652,16 @@ func (in *ResourceTagsParameters) DeepCopy() *ResourceTagsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ResourceTypeObservation) DeepCopyInto(out *ResourceTypeObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceTypeObservation.
@@ -5105,6 +6702,16 @@ func (in *ResourceTypeParameters) DeepCopy() *ResourceTypeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SeverityLabelObservation) DeepCopyInto(out *SeverityLabelObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SeverityLabelObservation.
@@ -5145,6 +6752,16 @@ func (in *SeverityLabelParameters) DeepCopy() *SeverityLabelParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceURLObservation) DeepCopyInto(out *SourceURLObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceURLObservation.
@@ -5249,6 +6866,11 @@ func (in *StandardsSubscriptionObservation) DeepCopyInto(out *StandardsSubscript
 		*out = new(string)
 		**out = **in
 	}
+	if in.StandardsArn != nil {
+		in, out := &in.StandardsArn, &out.StandardsArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StandardsSubscriptionObservation.
@@ -5323,6 +6945,16 @@ func (in *StandardsSubscriptionStatus) DeepCopy() *StandardsSubscriptionStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThreatIntelIndicatorCategoryObservation) DeepCopyInto(out *ThreatIntelIndicatorCategoryObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThreatIntelIndicatorCategoryObservation.
@@ -5363,6 +6995,16 @@ func (in *ThreatIntelIndicatorCategoryParameters) DeepCopy() *ThreatIntelIndicat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThreatIntelIndicatorLastObservedAtDateRangeObservation) DeepCopyInto(out *ThreatIntelIndicatorLastObservedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThreatIntelIndicatorLastObservedAtDateRangeObservation.
@@ -5403,6 +7045,23 @@ func (in *ThreatIntelIndicatorLastObservedAtDateRangeParameters) DeepCopy() *Thr
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThreatIntelIndicatorLastObservedAtObservation) DeepCopyInto(out *ThreatIntelIndicatorLastObservedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]ThreatIntelIndicatorLastObservedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThreatIntelIndicatorLastObservedAtObservation.
@@ -5450,6 +7109,16 @@ func (in *ThreatIntelIndicatorLastObservedAtParameters) DeepCopy() *ThreatIntelI
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThreatIntelIndicatorSourceObservation) DeepCopyInto(out *ThreatIntelIndicatorSourceObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThreatIntelIndicatorSourceObservation.
@@ -5490,6 +7159,16 @@ func (in *ThreatIntelIndicatorSourceParameters) DeepCopy() *ThreatIntelIndicator
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThreatIntelIndicatorSourceURLObservation) DeepCopyInto(out *ThreatIntelIndicatorSourceURLObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThreatIntelIndicatorSourceURLObservation.
@@ -5530,6 +7209,16 @@ func (in *ThreatIntelIndicatorSourceURLParameters) DeepCopy() *ThreatIntelIndica
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThreatIntelIndicatorTypeObservation) DeepCopyInto(out *ThreatIntelIndicatorTypeObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThreatIntelIndicatorTypeObservation.
@@ -5570,6 +7259,16 @@ func (in *ThreatIntelIndicatorTypeParameters) DeepCopy() *ThreatIntelIndicatorTy
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ThreatIntelIndicatorValueObservation) DeepCopyInto(out *ThreatIntelIndicatorValueObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ThreatIntelIndicatorValueObservation.
@@ -5610,6 +7309,16 @@ func (in *ThreatIntelIndicatorValueParameters) DeepCopy() *ThreatIntelIndicatorV
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TitleObservation) DeepCopyInto(out *TitleObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TitleObservation.
@@ -5650,6 +7359,16 @@ func (in *TitleParameters) DeepCopy() *TitleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TypeObservation) DeepCopyInto(out *TypeObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TypeObservation.
@@ -5690,6 +7409,16 @@ func (in *TypeParameters) DeepCopy() *TypeParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UpdatedAtDateRangeObservation) DeepCopyInto(out *UpdatedAtDateRangeObservation) {
 	*out = *in
+	if in.Unit != nil {
+		in, out := &in.Unit, &out.Unit
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdatedAtDateRangeObservation.
@@ -5730,6 +7459,23 @@ func (in *UpdatedAtDateRangeParameters) DeepCopy() *UpdatedAtDateRangeParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UpdatedAtObservation) DeepCopyInto(out *UpdatedAtObservation) {
 	*out = *in
+	if in.DateRange != nil {
+		in, out := &in.DateRange, &out.DateRange
+		*out = make([]UpdatedAtDateRangeObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.End != nil {
+		in, out := &in.End, &out.End
+		*out = new(string)
+		**out = **in
+	}
+	if in.Start != nil {
+		in, out := &in.Start, &out.Start
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UpdatedAtObservation.
@@ -5777,6 +7523,21 @@ func (in *UpdatedAtParameters) DeepCopy() *UpdatedAtParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *UserDefinedValuesObservation) DeepCopyInto(out *UserDefinedValuesObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new UserDefinedValuesObservation.
@@ -5822,6 +7583,16 @@ func (in *UserDefinedValuesParameters) DeepCopy() *UserDefinedValuesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *VerificationStateObservation) DeepCopyInto(out *VerificationStateObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VerificationStateObservation.
@@ -5862,6 +7633,16 @@ func (in *VerificationStateParameters) DeepCopy() *VerificationStateParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowStatusObservation) DeepCopyInto(out *WorkflowStatusObservation) {
 	*out = *in
+	if in.Comparison != nil {
+		in, out := &in.Comparison, &out.Comparison
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowStatusObservation.
diff --git a/apis/securityhub/v1beta1/zz_insight_types.go b/apis/securityhub/v1beta1/zz_insight_types.go
index 56d60a5fdb..c69e4ee5e3 100755
--- a/apis/securityhub/v1beta1/zz_insight_types.go
+++ b/apis/securityhub/v1beta1/zz_insight_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type AwsAccountIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type AwsAccountIDParameters struct {
@@ -28,6 +34,12 @@ type AwsAccountIDParameters struct {
 }
 
 type CompanyNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type CompanyNameParameters struct {
@@ -42,6 +54,12 @@ type CompanyNameParameters struct {
 }
 
 type ComplianceStatusObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ComplianceStatusParameters struct {
@@ -56,6 +74,15 @@ type ComplianceStatusParameters struct {
 }
 
 type ConfidenceObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type ConfidenceParameters struct {
@@ -74,6 +101,15 @@ type ConfidenceParameters struct {
 }
 
 type CreatedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []DateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type CreatedAtParameters struct {
@@ -92,6 +128,15 @@ type CreatedAtParameters struct {
 }
 
 type CriticalityObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type CriticalityParameters struct {
@@ -110,6 +155,12 @@ type CriticalityParameters struct {
 }
 
 type DateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DateRangeParameters struct {
@@ -124,6 +175,12 @@ type DateRangeParameters struct {
 }
 
 type DescriptionObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type DescriptionParameters struct {
@@ -138,6 +195,270 @@ type DescriptionParameters struct {
 }
 
 type FiltersObservation struct {
+
+	// AWS account ID that a finding is generated in. See String_Filter below for more details.
+	AwsAccountID []AwsAccountIDObservation `json:"awsAccountId,omitempty" tf:"aws_account_id,omitempty"`
+
+	// The name of the findings provider (company) that owns the solution (product) that generates findings. See String_Filter below for more details.
+	CompanyName []CompanyNameObservation `json:"companyName,omitempty" tf:"company_name,omitempty"`
+
+	// Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details. See String Filter below for more details.
+	ComplianceStatus []ComplianceStatusObservation `json:"complianceStatus,omitempty" tf:"compliance_status,omitempty"`
+
+	// A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details.
+	Confidence []ConfidenceObservation `json:"confidence,omitempty" tf:"confidence,omitempty"`
+
+	// An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured. See Date Filter below for more details.
+	CreatedAt []CreatedAtObservation `json:"createdAt,omitempty" tf:"created_at,omitempty"`
+
+	// The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. See Number Filter below for more details.
+	Criticality []CriticalityObservation `json:"criticality,omitempty" tf:"criticality,omitempty"`
+
+	// A finding's description. See String Filter below for more details.
+	Description []DescriptionObservation `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details.
+	FindingProviderFieldsConfidence []FindingProviderFieldsConfidenceObservation `json:"findingProviderFieldsConfidence,omitempty" tf:"finding_provider_fields_confidence,omitempty"`
+
+	// The finding provider value for the level of importance assigned to the resources associated with the findings. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. See Number Filter below for more details.
+	FindingProviderFieldsCriticality []FindingProviderFieldsCriticalityObservation `json:"findingProviderFieldsCriticality,omitempty" tf:"finding_provider_fields_criticality,omitempty"`
+
+	// The finding identifier of a related finding that is identified by the finding provider. See String Filter below for more details.
+	FindingProviderFieldsRelatedFindingsID []FindingProviderFieldsRelatedFindingsIDObservation `json:"findingProviderFieldsRelatedFindingsId,omitempty" tf:"finding_provider_fields_related_findings_id,omitempty"`
+
+	// The ARN of the solution that generated a related finding that is identified by the finding provider. See String Filter below for more details.
+	FindingProviderFieldsRelatedFindingsProductArn []FindingProviderFieldsRelatedFindingsProductArnObservation `json:"findingProviderFieldsRelatedFindingsProductArn,omitempty" tf:"finding_provider_fields_related_findings_product_arn,omitempty"`
+
+	// The finding provider value for the severity label. See String Filter below for more details.
+	FindingProviderFieldsSeverityLabel []FindingProviderFieldsSeverityLabelObservation `json:"findingProviderFieldsSeverityLabel,omitempty" tf:"finding_provider_fields_severity_label,omitempty"`
+
+	// The finding provider's original value for the severity. See String Filter below for more details.
+	FindingProviderFieldsSeverityOriginal []FindingProviderFieldsSeverityOriginalObservation `json:"findingProviderFieldsSeverityOriginal,omitempty" tf:"finding_provider_fields_severity_original,omitempty"`
+
+	// One or more finding types that the finding provider assigned to the finding. Uses the format of namespace/category/classifier that classify a finding. Valid namespace values include: Software and Configuration Checks, TTPs, Effects, Unusual Behaviors, and Sensitive Data Identifications. See String Filter below for more details.
+	FindingProviderFieldsTypes []FindingProviderFieldsTypesObservation `json:"findingProviderFieldsTypes,omitempty" tf:"finding_provider_fields_types,omitempty"`
+
+	// An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured. See Date Filter below for more details.
+	FirstObservedAt []FirstObservedAtObservation `json:"firstObservedAt,omitempty" tf:"first_observed_at,omitempty"`
+
+	// The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. See String Filter below for more details.
+	GeneratorID []GeneratorIDObservation `json:"generatorId,omitempty" tf:"generator_id,omitempty"`
+
+	// The security findings provider-specific identifier for a finding. See String Filter below for more details.
+	ID []IDObservation `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A keyword for a finding. See Keyword Filter below for more details.
+	Keyword []KeywordObservation `json:"keyword,omitempty" tf:"keyword,omitempty"`
+
+	// An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured. See Date Filter below for more details.
+	LastObservedAt []LastObservedAtObservation `json:"lastObservedAt,omitempty" tf:"last_observed_at,omitempty"`
+
+	// The name of the malware that was observed. See String Filter below for more details.
+	MalwareName []MalwareNameObservation `json:"malwareName,omitempty" tf:"malware_name,omitempty"`
+
+	// The filesystem path of the malware that was observed. See String Filter below for more details.
+	MalwarePath []MalwarePathObservation `json:"malwarePath,omitempty" tf:"malware_path,omitempty"`
+
+	// The state of the malware that was observed. See String Filter below for more details.
+	MalwareState []MalwareStateObservation `json:"malwareState,omitempty" tf:"malware_state,omitempty"`
+
+	// The type of the malware that was observed. See String Filter below for more details.
+	MalwareType []MalwareTypeObservation `json:"malwareType,omitempty" tf:"malware_type,omitempty"`
+
+	// The destination domain of network-related information about a finding. See String Filter below for more details.
+	NetworkDestinationDomain []NetworkDestinationDomainObservation `json:"networkDestinationDomain,omitempty" tf:"network_destination_domain,omitempty"`
+
+	// The destination IPv4 address of network-related information about a finding. See Ip Filter below for more details.
+	NetworkDestinationIPv4 []NetworkDestinationIPv4Observation `json:"networkDestinationIpv4,omitempty" tf:"network_destination_ipv4,omitempty"`
+
+	// The destination IPv6 address of network-related information about a finding. See Ip Filter below for more details.
+	NetworkDestinationIPv6 []NetworkDestinationIPv6Observation `json:"networkDestinationIpv6,omitempty" tf:"network_destination_ipv6,omitempty"`
+
+	// The destination port of network-related information about a finding. See Number Filter below for more details.
+	NetworkDestinationPort []NetworkDestinationPortObservation `json:"networkDestinationPort,omitempty" tf:"network_destination_port,omitempty"`
+
+	// Indicates the direction of network traffic associated with a finding. See String Filter below for more details.
+	NetworkDirection []NetworkDirectionObservation `json:"networkDirection,omitempty" tf:"network_direction,omitempty"`
+
+	// The protocol of network-related information about a finding. See String Filter below for more details.
+	NetworkProtocol []NetworkProtocolObservation `json:"networkProtocol,omitempty" tf:"network_protocol,omitempty"`
+
+	// The source domain of network-related information about a finding. See String Filter below for more details.
+	NetworkSourceDomain []NetworkSourceDomainObservation `json:"networkSourceDomain,omitempty" tf:"network_source_domain,omitempty"`
+
+	// The source IPv4 address of network-related information about a finding. See Ip Filter below for more details.
+	NetworkSourceIPv4 []NetworkSourceIPv4Observation `json:"networkSourceIpv4,omitempty" tf:"network_source_ipv4,omitempty"`
+
+	// The source IPv6 address of network-related information about a finding. See Ip Filter below for more details.
+	NetworkSourceIPv6 []NetworkSourceIPv6Observation `json:"networkSourceIpv6,omitempty" tf:"network_source_ipv6,omitempty"`
+
+	// The source media access control (MAC) address of network-related information about a finding. See String Filter below for more details.
+	NetworkSourceMac []NetworkSourceMacObservation `json:"networkSourceMac,omitempty" tf:"network_source_mac,omitempty"`
+
+	// The source port of network-related information about a finding. See Number Filter below for more details.
+	NetworkSourcePort []NetworkSourcePortObservation `json:"networkSourcePort,omitempty" tf:"network_source_port,omitempty"`
+
+	// The text of a note. See String Filter below for more details.
+	NoteText []NoteTextObservation `json:"noteText,omitempty" tf:"note_text,omitempty"`
+
+	// The timestamp of when the note was updated. See Date Filter below for more details.
+	NoteUpdatedAt []NoteUpdatedAtObservation `json:"noteUpdatedAt,omitempty" tf:"note_updated_at,omitempty"`
+
+	// The principal that created a note. See String Filter below for more details.
+	NoteUpdatedBy []NoteUpdatedByObservation `json:"noteUpdatedBy,omitempty" tf:"note_updated_by,omitempty"`
+
+	// The date/time that the process was launched. See Date Filter below for more details.
+	ProcessLaunchedAt []ProcessLaunchedAtObservation `json:"processLaunchedAt,omitempty" tf:"process_launched_at,omitempty"`
+
+	// The name of the process. See String Filter below for more details.
+	ProcessName []ProcessNameObservation `json:"processName,omitempty" tf:"process_name,omitempty"`
+
+	// The parent process ID. See Number Filter below for more details.
+	ProcessParentPid []ProcessParentPidObservation `json:"processParentPid,omitempty" tf:"process_parent_pid,omitempty"`
+
+	// The path to the process executable. See String Filter below for more details.
+	ProcessPath []ProcessPathObservation `json:"processPath,omitempty" tf:"process_path,omitempty"`
+
+	// The process ID. See Number Filter below for more details.
+	ProcessPid []ProcessPidObservation `json:"processPid,omitempty" tf:"process_pid,omitempty"`
+
+	// The date/time that the process was terminated. See Date Filter below for more details.
+	ProcessTerminatedAt []ProcessTerminatedAtObservation `json:"processTerminatedAt,omitempty" tf:"process_terminated_at,omitempty"`
+
+	// The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub. See String Filter below for more details.
+	ProductArn []ProductArnObservation `json:"productArn,omitempty" tf:"product_arn,omitempty"`
+
+	// A data type where security-findings providers can include additional solution-specific details that aren't part of the defined AwsSecurityFinding format. See Map Filter below for more details.
+	ProductFields []ProductFieldsObservation `json:"productFields,omitempty" tf:"product_fields,omitempty"`
+
+	// The name of the solution (product) that generates findings. See String Filter below for more details.
+	ProductName []ProductNameObservation `json:"productName,omitempty" tf:"product_name,omitempty"`
+
+	// The recommendation of what to do about the issue described in a finding. See String Filter below for more details.
+	RecommendationText []RecommendationTextObservation `json:"recommendationText,omitempty" tf:"recommendation_text,omitempty"`
+
+	// The updated record state for the finding. See String Filter below for more details.
+	RecordState []RecordStateObservation `json:"recordState,omitempty" tf:"record_state,omitempty"`
+
+	// The solution-generated identifier for a related finding. See String Filter below for more details.
+	RelatedFindingsID []RelatedFindingsIDObservation `json:"relatedFindingsId,omitempty" tf:"related_findings_id,omitempty"`
+
+	// The ARN of the solution that generated a related finding. See String Filter below for more details.
+	RelatedFindingsProductArn []RelatedFindingsProductArnObservation `json:"relatedFindingsProductArn,omitempty" tf:"related_findings_product_arn,omitempty"`
+
+	// The IAM profile ARN of the instance. See String Filter below for more details.
+	ResourceAwsEC2InstanceIAMInstanceProfileArn []ResourceAwsEC2InstanceIAMInstanceProfileArnObservation `json:"resourceAwsEc2InstanceIamInstanceProfileArn,omitempty" tf:"resource_aws_ec2_instance_iam_instance_profile_arn,omitempty"`
+
+	// The IPv4 addresses associated with the instance. See Ip Filter below for more details.
+	ResourceAwsEC2InstanceIPv4Addresses []ResourceAwsEC2InstanceIPv4AddressesObservation `json:"resourceAwsEc2InstanceIpv4Addresses,omitempty" tf:"resource_aws_ec2_instance_ipv4_addresses,omitempty"`
+
+	// The IPv6 addresses associated with the instance. See Ip Filter below for more details.
+	ResourceAwsEC2InstanceIPv6Addresses []ResourceAwsEC2InstanceIPv6AddressesObservation `json:"resourceAwsEc2InstanceIpv6Addresses,omitempty" tf:"resource_aws_ec2_instance_ipv6_addresses,omitempty"`
+
+	// The Amazon Machine Image (AMI) ID of the instance. See String Filter below for more details.
+	ResourceAwsEC2InstanceImageID []ResourceAwsEC2InstanceImageIDObservation `json:"resourceAwsEc2InstanceImageId,omitempty" tf:"resource_aws_ec2_instance_image_id,omitempty"`
+
+	// The key name associated with the instance. See String Filter below for more details.
+	ResourceAwsEC2InstanceKeyName []ResourceAwsEC2InstanceKeyNameObservation `json:"resourceAwsEc2InstanceKeyName,omitempty" tf:"resource_aws_ec2_instance_key_name,omitempty"`
+
+	// The date and time the instance was launched. See Date Filter below for more details.
+	ResourceAwsEC2InstanceLaunchedAt []ResourceAwsEC2InstanceLaunchedAtObservation `json:"resourceAwsEc2InstanceLaunchedAt,omitempty" tf:"resource_aws_ec2_instance_launched_at,omitempty"`
+
+	// The identifier of the subnet that the instance was launched in. See String Filter below for more details.
+	ResourceAwsEC2InstanceSubnetID []ResourceAwsEC2InstanceSubnetIDObservation `json:"resourceAwsEc2InstanceSubnetId,omitempty" tf:"resource_aws_ec2_instance_subnet_id,omitempty"`
+
+	// The instance type of the instance. See String Filter below for more details.
+	ResourceAwsEC2InstanceType []ResourceAwsEC2InstanceTypeObservation `json:"resourceAwsEc2InstanceType,omitempty" tf:"resource_aws_ec2_instance_type,omitempty"`
+
+	// The identifier of the VPC that the instance was launched in. See String Filter below for more details.
+	ResourceAwsEC2InstanceVPCID []ResourceAwsEC2InstanceVPCIDObservation `json:"resourceAwsEc2InstanceVpcId,omitempty" tf:"resource_aws_ec2_instance_vpc_id,omitempty"`
+
+	// The creation date/time of the IAM access key related to a finding. See Date Filter below for more details.
+	ResourceAwsIAMAccessKeyCreatedAt []ResourceAwsIAMAccessKeyCreatedAtObservation `json:"resourceAwsIamAccessKeyCreatedAt,omitempty" tf:"resource_aws_iam_access_key_created_at,omitempty"`
+
+	// The status of the IAM access key related to a finding. See String Filter below for more details.
+	ResourceAwsIAMAccessKeyStatus []ResourceAwsIAMAccessKeyStatusObservation `json:"resourceAwsIamAccessKeyStatus,omitempty" tf:"resource_aws_iam_access_key_status,omitempty"`
+
+	// The user associated with the IAM access key related to a finding. See String Filter below for more details.
+	ResourceAwsIAMAccessKeyUserName []ResourceAwsIAMAccessKeyUserNameObservation `json:"resourceAwsIamAccessKeyUserName,omitempty" tf:"resource_aws_iam_access_key_user_name,omitempty"`
+
+	// The canonical user ID of the owner of the S3 bucket. See String Filter below for more details.
+	ResourceAwsS3BucketOwnerID []ResourceAwsS3BucketOwnerIDObservation `json:"resourceAwsS3BucketOwnerId,omitempty" tf:"resource_aws_s3_bucket_owner_id,omitempty"`
+
+	// The display name of the owner of the S3 bucket. See String Filter below for more details.
+	ResourceAwsS3BucketOwnerName []ResourceAwsS3BucketOwnerNameObservation `json:"resourceAwsS3BucketOwnerName,omitempty" tf:"resource_aws_s3_bucket_owner_name,omitempty"`
+
+	// The identifier of the image related to a finding. See String Filter below for more details.
+	ResourceContainerImageID []ResourceContainerImageIDObservation `json:"resourceContainerImageId,omitempty" tf:"resource_container_image_id,omitempty"`
+
+	// The name of the image related to a finding. See String Filter below for more details.
+	ResourceContainerImageName []ResourceContainerImageNameObservation `json:"resourceContainerImageName,omitempty" tf:"resource_container_image_name,omitempty"`
+
+	// The date/time that the container was started. See Date Filter below for more details.
+	ResourceContainerLaunchedAt []ResourceContainerLaunchedAtObservation `json:"resourceContainerLaunchedAt,omitempty" tf:"resource_container_launched_at,omitempty"`
+
+	// The name of the container related to a finding. See String Filter below for more details.
+	ResourceContainerName []ResourceContainerNameObservation `json:"resourceContainerName,omitempty" tf:"resource_container_name,omitempty"`
+
+	// The details of a resource that doesn't have a specific subfield for the resource type defined. See Map Filter below for more details.
+	ResourceDetailsOther []ResourceDetailsOtherObservation `json:"resourceDetailsOther,omitempty" tf:"resource_details_other,omitempty"`
+
+	// The canonical identifier for the given resource type. See String Filter below for more details.
+	ResourceID []ResourceIDObservation `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
+	// The canonical AWS partition name that the Region is assigned to. See String Filter below for more details.
+	ResourcePartition []ResourcePartitionObservation `json:"resourcePartition,omitempty" tf:"resource_partition,omitempty"`
+
+	// The canonical AWS external Region name where this resource is located. See String Filter below for more details.
+	ResourceRegion []ResourceRegionObservation `json:"resourceRegion,omitempty" tf:"resource_region,omitempty"`
+
+	// A list of AWS tags associated with a resource at the time the finding was processed. See Map Filter below for more details.
+	ResourceTags []ResourceTagsObservation `json:"resourceTags,omitempty" tf:"resource_tags,omitempty"`
+
+	// Specifies the type of the resource that details are provided for. See String Filter below for more details.
+	ResourceType []ResourceTypeObservation `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// The label of a finding's severity. See String Filter below for more details.
+	SeverityLabel []SeverityLabelObservation `json:"severityLabel,omitempty" tf:"severity_label,omitempty"`
+
+	// A URL that links to a page about the current finding in the security-findings provider's solution. See String Filter below for more details.
+	SourceURL []SourceURLObservation `json:"sourceUrl,omitempty" tf:"source_url,omitempty"`
+
+	// The category of a threat intelligence indicator. See String Filter below for more details.
+	ThreatIntelIndicatorCategory []ThreatIntelIndicatorCategoryObservation `json:"threatIntelIndicatorCategory,omitempty" tf:"threat_intel_indicator_category,omitempty"`
+
+	// The date/time of the last observation of a threat intelligence indicator. See Date Filter below for more details.
+	ThreatIntelIndicatorLastObservedAt []ThreatIntelIndicatorLastObservedAtObservation `json:"threatIntelIndicatorLastObservedAt,omitempty" tf:"threat_intel_indicator_last_observed_at,omitempty"`
+
+	// The source of the threat intelligence. See String Filter below for more details.
+	ThreatIntelIndicatorSource []ThreatIntelIndicatorSourceObservation `json:"threatIntelIndicatorSource,omitempty" tf:"threat_intel_indicator_source,omitempty"`
+
+	// The URL for more details from the source of the threat intelligence. See String Filter below for more details.
+	ThreatIntelIndicatorSourceURL []ThreatIntelIndicatorSourceURLObservation `json:"threatIntelIndicatorSourceUrl,omitempty" tf:"threat_intel_indicator_source_url,omitempty"`
+
+	// The type of a threat intelligence indicator. See String Filter below for more details.
+	ThreatIntelIndicatorType []ThreatIntelIndicatorTypeObservation `json:"threatIntelIndicatorType,omitempty" tf:"threat_intel_indicator_type,omitempty"`
+
+	// The value of a threat intelligence indicator. See String Filter below for more details.
+	ThreatIntelIndicatorValue []ThreatIntelIndicatorValueObservation `json:"threatIntelIndicatorValue,omitempty" tf:"threat_intel_indicator_value,omitempty"`
+
+	// A finding's title. See String Filter below for more details.
+	Title []TitleObservation `json:"title,omitempty" tf:"title,omitempty"`
+
+	// A finding type in the format of namespace/category/classifier that classifies a finding. See String Filter below for more details.
+	Type []TypeObservation `json:"type,omitempty" tf:"type,omitempty"`
+
+	// An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record. See Date Filter below for more details.
+	UpdatedAt []UpdatedAtObservation `json:"updatedAt,omitempty" tf:"updated_at,omitempty"`
+
+	// A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. See Map Filter below for more details.
+	UserDefinedValues []UserDefinedValuesObservation `json:"userDefinedValues,omitempty" tf:"user_defined_values,omitempty"`
+
+	// The veracity of a finding. See String Filter below for more details.
+	VerificationState []VerificationStateObservation `json:"verificationState,omitempty" tf:"verification_state,omitempty"`
+
+	// The status of the investigation into a finding. See Workflow Status Filter below for more details.
+	WorkflowStatus []WorkflowStatusObservation `json:"workflowStatus,omitempty" tf:"workflow_status,omitempty"`
 }
 
 type FiltersParameters struct {
@@ -496,6 +817,15 @@ type FiltersParameters struct {
 }
 
 type FindingProviderFieldsConfidenceObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type FindingProviderFieldsConfidenceParameters struct {
@@ -514,6 +844,15 @@ type FindingProviderFieldsConfidenceParameters struct {
 }
 
 type FindingProviderFieldsCriticalityObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type FindingProviderFieldsCriticalityParameters struct {
@@ -532,6 +871,12 @@ type FindingProviderFieldsCriticalityParameters struct {
 }
 
 type FindingProviderFieldsRelatedFindingsIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type FindingProviderFieldsRelatedFindingsIDParameters struct {
@@ -546,6 +891,12 @@ type FindingProviderFieldsRelatedFindingsIDParameters struct {
 }
 
 type FindingProviderFieldsRelatedFindingsProductArnObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type FindingProviderFieldsRelatedFindingsProductArnParameters struct {
@@ -560,6 +911,12 @@ type FindingProviderFieldsRelatedFindingsProductArnParameters struct {
 }
 
 type FindingProviderFieldsSeverityLabelObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type FindingProviderFieldsSeverityLabelParameters struct {
@@ -574,6 +931,12 @@ type FindingProviderFieldsSeverityLabelParameters struct {
 }
 
 type FindingProviderFieldsSeverityOriginalObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type FindingProviderFieldsSeverityOriginalParameters struct {
@@ -588,6 +951,12 @@ type FindingProviderFieldsSeverityOriginalParameters struct {
 }
 
 type FindingProviderFieldsTypesObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type FindingProviderFieldsTypesParameters struct {
@@ -602,6 +971,12 @@ type FindingProviderFieldsTypesParameters struct {
 }
 
 type FirstObservedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type FirstObservedAtDateRangeParameters struct {
@@ -616,6 +991,15 @@ type FirstObservedAtDateRangeParameters struct {
 }
 
 type FirstObservedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []FirstObservedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type FirstObservedAtParameters struct {
@@ -634,6 +1018,12 @@ type FirstObservedAtParameters struct {
 }
 
 type GeneratorIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type GeneratorIDParameters struct {
@@ -648,6 +1038,12 @@ type GeneratorIDParameters struct {
 }
 
 type IDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type IDParameters struct {
@@ -666,23 +1062,32 @@ type InsightObservation struct {
 	// ARN of the insight.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A configuration block including one or more (up to 10 distinct) attributes used to filter the findings included in the insight. The insight only includes findings that match criteria defined in the filters. See filters below for more details.
+	Filters []FiltersObservation `json:"filters,omitempty" tf:"filters,omitempty"`
+
+	// The attribute used to group the findings for the insight e.g., if an insight is grouped by ResourceId, then the insight produces a list of resource identifiers.
+	GroupByAttribute *string `json:"groupByAttribute,omitempty" tf:"group_by_attribute,omitempty"`
+
 	// ARN of the insight.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the custom insight.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type InsightParameters struct {
 
 	// A configuration block including one or more (up to 10 distinct) attributes used to filter the findings included in the insight. The insight only includes findings that match criteria defined in the filters. See filters below for more details.
-	// +kubebuilder:validation:Required
-	Filters []FiltersParameters `json:"filters" tf:"filters,omitempty"`
+	// +kubebuilder:validation:Optional
+	Filters []FiltersParameters `json:"filters,omitempty" tf:"filters,omitempty"`
 
 	// The attribute used to group the findings for the insight e.g., if an insight is grouped by ResourceId, then the insight produces a list of resource identifiers.
-	// +kubebuilder:validation:Required
-	GroupByAttribute *string `json:"groupByAttribute" tf:"group_by_attribute,omitempty"`
+	// +kubebuilder:validation:Optional
+	GroupByAttribute *string `json:"groupByAttribute,omitempty" tf:"group_by_attribute,omitempty"`
 
 	// The name of the custom insight.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -691,6 +1096,9 @@ type InsightParameters struct {
 }
 
 type KeywordObservation struct {
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type KeywordParameters struct {
@@ -701,6 +1109,12 @@ type KeywordParameters struct {
 }
 
 type LastObservedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type LastObservedAtDateRangeParameters struct {
@@ -715,6 +1129,15 @@ type LastObservedAtDateRangeParameters struct {
 }
 
 type LastObservedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []LastObservedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type LastObservedAtParameters struct {
@@ -733,6 +1156,12 @@ type LastObservedAtParameters struct {
 }
 
 type MalwareNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MalwareNameParameters struct {
@@ -747,6 +1176,12 @@ type MalwareNameParameters struct {
 }
 
 type MalwarePathObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MalwarePathParameters struct {
@@ -761,6 +1196,12 @@ type MalwarePathParameters struct {
 }
 
 type MalwareStateObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MalwareStateParameters struct {
@@ -775,6 +1216,12 @@ type MalwareStateParameters struct {
 }
 
 type MalwareTypeObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type MalwareTypeParameters struct {
@@ -789,6 +1236,12 @@ type MalwareTypeParameters struct {
 }
 
 type NetworkDestinationDomainObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NetworkDestinationDomainParameters struct {
@@ -803,6 +1256,9 @@ type NetworkDestinationDomainParameters struct {
 }
 
 type NetworkDestinationIPv4Observation struct {
+
+	// A finding's CIDR value.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 }
 
 type NetworkDestinationIPv4Parameters struct {
@@ -813,6 +1269,9 @@ type NetworkDestinationIPv4Parameters struct {
 }
 
 type NetworkDestinationIPv6Observation struct {
+
+	// A finding's CIDR value.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 }
 
 type NetworkDestinationIPv6Parameters struct {
@@ -823,6 +1282,15 @@ type NetworkDestinationIPv6Parameters struct {
 }
 
 type NetworkDestinationPortObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type NetworkDestinationPortParameters struct {
@@ -841,6 +1309,12 @@ type NetworkDestinationPortParameters struct {
 }
 
 type NetworkDirectionObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NetworkDirectionParameters struct {
@@ -855,6 +1329,12 @@ type NetworkDirectionParameters struct {
 }
 
 type NetworkProtocolObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NetworkProtocolParameters struct {
@@ -869,6 +1349,12 @@ type NetworkProtocolParameters struct {
 }
 
 type NetworkSourceDomainObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NetworkSourceDomainParameters struct {
@@ -883,6 +1369,9 @@ type NetworkSourceDomainParameters struct {
 }
 
 type NetworkSourceIPv4Observation struct {
+
+	// A finding's CIDR value.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 }
 
 type NetworkSourceIPv4Parameters struct {
@@ -893,6 +1382,9 @@ type NetworkSourceIPv4Parameters struct {
 }
 
 type NetworkSourceIPv6Observation struct {
+
+	// A finding's CIDR value.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 }
 
 type NetworkSourceIPv6Parameters struct {
@@ -903,6 +1395,12 @@ type NetworkSourceIPv6Parameters struct {
 }
 
 type NetworkSourceMacObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NetworkSourceMacParameters struct {
@@ -917,6 +1415,15 @@ type NetworkSourceMacParameters struct {
 }
 
 type NetworkSourcePortObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type NetworkSourcePortParameters struct {
@@ -935,6 +1442,12 @@ type NetworkSourcePortParameters struct {
 }
 
 type NoteTextObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NoteTextParameters struct {
@@ -949,6 +1462,12 @@ type NoteTextParameters struct {
 }
 
 type NoteUpdatedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NoteUpdatedAtDateRangeParameters struct {
@@ -963,6 +1482,15 @@ type NoteUpdatedAtDateRangeParameters struct {
 }
 
 type NoteUpdatedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []NoteUpdatedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type NoteUpdatedAtParameters struct {
@@ -981,6 +1509,12 @@ type NoteUpdatedAtParameters struct {
 }
 
 type NoteUpdatedByObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type NoteUpdatedByParameters struct {
@@ -995,6 +1529,12 @@ type NoteUpdatedByParameters struct {
 }
 
 type ProcessLaunchedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ProcessLaunchedAtDateRangeParameters struct {
@@ -1009,6 +1549,15 @@ type ProcessLaunchedAtDateRangeParameters struct {
 }
 
 type ProcessLaunchedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []ProcessLaunchedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type ProcessLaunchedAtParameters struct {
@@ -1027,6 +1576,12 @@ type ProcessLaunchedAtParameters struct {
 }
 
 type ProcessNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ProcessNameParameters struct {
@@ -1040,7 +1595,16 @@ type ProcessNameParameters struct {
 	Value *string `json:"value" tf:"value,omitempty"`
 }
 
-type ProcessParentPidObservation struct {
+type ProcessParentPidObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type ProcessParentPidParameters struct {
@@ -1059,6 +1623,12 @@ type ProcessParentPidParameters struct {
 }
 
 type ProcessPathObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ProcessPathParameters struct {
@@ -1073,6 +1643,15 @@ type ProcessPathParameters struct {
 }
 
 type ProcessPidObservation struct {
+
+	// The equal-to condition to be applied to a single field when querying for findings, provided as a String.
+	Eq *string `json:"eq,omitempty" tf:"eq,omitempty"`
+
+	// The greater-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Gte *string `json:"gte,omitempty" tf:"gte,omitempty"`
+
+	// The less-than-equal condition to be applied to a single field when querying for findings, provided as a String.
+	Lte *string `json:"lte,omitempty" tf:"lte,omitempty"`
 }
 
 type ProcessPidParameters struct {
@@ -1091,6 +1670,12 @@ type ProcessPidParameters struct {
 }
 
 type ProcessTerminatedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ProcessTerminatedAtDateRangeParameters struct {
@@ -1105,6 +1690,15 @@ type ProcessTerminatedAtDateRangeParameters struct {
 }
 
 type ProcessTerminatedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []ProcessTerminatedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type ProcessTerminatedAtParameters struct {
@@ -1123,6 +1717,12 @@ type ProcessTerminatedAtParameters struct {
 }
 
 type ProductArnObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ProductArnParameters struct {
@@ -1137,6 +1737,15 @@ type ProductArnParameters struct {
 }
 
 type ProductFieldsObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ProductFieldsParameters struct {
@@ -1155,6 +1764,12 @@ type ProductFieldsParameters struct {
 }
 
 type ProductNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ProductNameParameters struct {
@@ -1169,6 +1784,12 @@ type ProductNameParameters struct {
 }
 
 type RecommendationTextObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type RecommendationTextParameters struct {
@@ -1183,6 +1804,12 @@ type RecommendationTextParameters struct {
 }
 
 type RecordStateObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type RecordStateParameters struct {
@@ -1197,6 +1824,12 @@ type RecordStateParameters struct {
 }
 
 type RelatedFindingsIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type RelatedFindingsIDParameters struct {
@@ -1211,6 +1844,12 @@ type RelatedFindingsIDParameters struct {
 }
 
 type RelatedFindingsProductArnObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type RelatedFindingsProductArnParameters struct {
@@ -1225,6 +1864,12 @@ type RelatedFindingsProductArnParameters struct {
 }
 
 type ResourceAwsEC2InstanceIAMInstanceProfileArnObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsEC2InstanceIAMInstanceProfileArnParameters struct {
@@ -1239,6 +1884,9 @@ type ResourceAwsEC2InstanceIAMInstanceProfileArnParameters struct {
 }
 
 type ResourceAwsEC2InstanceIPv4AddressesObservation struct {
+
+	// A finding's CIDR value.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 }
 
 type ResourceAwsEC2InstanceIPv4AddressesParameters struct {
@@ -1249,6 +1897,9 @@ type ResourceAwsEC2InstanceIPv4AddressesParameters struct {
 }
 
 type ResourceAwsEC2InstanceIPv6AddressesObservation struct {
+
+	// A finding's CIDR value.
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 }
 
 type ResourceAwsEC2InstanceIPv6AddressesParameters struct {
@@ -1259,6 +1910,12 @@ type ResourceAwsEC2InstanceIPv6AddressesParameters struct {
 }
 
 type ResourceAwsEC2InstanceImageIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsEC2InstanceImageIDParameters struct {
@@ -1273,6 +1930,12 @@ type ResourceAwsEC2InstanceImageIDParameters struct {
 }
 
 type ResourceAwsEC2InstanceKeyNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsEC2InstanceKeyNameParameters struct {
@@ -1287,6 +1950,12 @@ type ResourceAwsEC2InstanceKeyNameParameters struct {
 }
 
 type ResourceAwsEC2InstanceLaunchedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsEC2InstanceLaunchedAtDateRangeParameters struct {
@@ -1301,6 +1970,15 @@ type ResourceAwsEC2InstanceLaunchedAtDateRangeParameters struct {
 }
 
 type ResourceAwsEC2InstanceLaunchedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []ResourceAwsEC2InstanceLaunchedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type ResourceAwsEC2InstanceLaunchedAtParameters struct {
@@ -1319,6 +1997,12 @@ type ResourceAwsEC2InstanceLaunchedAtParameters struct {
 }
 
 type ResourceAwsEC2InstanceSubnetIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsEC2InstanceSubnetIDParameters struct {
@@ -1333,6 +2017,12 @@ type ResourceAwsEC2InstanceSubnetIDParameters struct {
 }
 
 type ResourceAwsEC2InstanceTypeObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsEC2InstanceTypeParameters struct {
@@ -1347,6 +2037,12 @@ type ResourceAwsEC2InstanceTypeParameters struct {
 }
 
 type ResourceAwsEC2InstanceVPCIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsEC2InstanceVPCIDParameters struct {
@@ -1361,6 +2057,12 @@ type ResourceAwsEC2InstanceVPCIDParameters struct {
 }
 
 type ResourceAwsIAMAccessKeyCreatedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsIAMAccessKeyCreatedAtDateRangeParameters struct {
@@ -1375,6 +2077,15 @@ type ResourceAwsIAMAccessKeyCreatedAtDateRangeParameters struct {
 }
 
 type ResourceAwsIAMAccessKeyCreatedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []ResourceAwsIAMAccessKeyCreatedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type ResourceAwsIAMAccessKeyCreatedAtParameters struct {
@@ -1393,6 +2104,12 @@ type ResourceAwsIAMAccessKeyCreatedAtParameters struct {
 }
 
 type ResourceAwsIAMAccessKeyStatusObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsIAMAccessKeyStatusParameters struct {
@@ -1407,6 +2124,12 @@ type ResourceAwsIAMAccessKeyStatusParameters struct {
 }
 
 type ResourceAwsIAMAccessKeyUserNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsIAMAccessKeyUserNameParameters struct {
@@ -1421,6 +2144,12 @@ type ResourceAwsIAMAccessKeyUserNameParameters struct {
 }
 
 type ResourceAwsS3BucketOwnerIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsS3BucketOwnerIDParameters struct {
@@ -1435,6 +2164,12 @@ type ResourceAwsS3BucketOwnerIDParameters struct {
 }
 
 type ResourceAwsS3BucketOwnerNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceAwsS3BucketOwnerNameParameters struct {
@@ -1449,6 +2184,12 @@ type ResourceAwsS3BucketOwnerNameParameters struct {
 }
 
 type ResourceContainerImageIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceContainerImageIDParameters struct {
@@ -1463,6 +2204,12 @@ type ResourceContainerImageIDParameters struct {
 }
 
 type ResourceContainerImageNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceContainerImageNameParameters struct {
@@ -1477,6 +2224,12 @@ type ResourceContainerImageNameParameters struct {
 }
 
 type ResourceContainerLaunchedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceContainerLaunchedAtDateRangeParameters struct {
@@ -1491,6 +2244,15 @@ type ResourceContainerLaunchedAtDateRangeParameters struct {
 }
 
 type ResourceContainerLaunchedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []ResourceContainerLaunchedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type ResourceContainerLaunchedAtParameters struct {
@@ -1509,6 +2271,12 @@ type ResourceContainerLaunchedAtParameters struct {
 }
 
 type ResourceContainerNameObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceContainerNameParameters struct {
@@ -1523,6 +2291,15 @@ type ResourceContainerNameParameters struct {
 }
 
 type ResourceDetailsOtherObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceDetailsOtherParameters struct {
@@ -1541,6 +2318,12 @@ type ResourceDetailsOtherParameters struct {
 }
 
 type ResourceIDObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceIDParameters struct {
@@ -1555,6 +2338,12 @@ type ResourceIDParameters struct {
 }
 
 type ResourcePartitionObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourcePartitionParameters struct {
@@ -1569,6 +2358,12 @@ type ResourcePartitionParameters struct {
 }
 
 type ResourceRegionObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceRegionParameters struct {
@@ -1583,6 +2378,15 @@ type ResourceRegionParameters struct {
 }
 
 type ResourceTagsObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceTagsParameters struct {
@@ -1601,6 +2405,12 @@ type ResourceTagsParameters struct {
 }
 
 type ResourceTypeObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ResourceTypeParameters struct {
@@ -1615,6 +2425,12 @@ type ResourceTypeParameters struct {
 }
 
 type SeverityLabelObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type SeverityLabelParameters struct {
@@ -1629,6 +2445,12 @@ type SeverityLabelParameters struct {
 }
 
 type SourceURLObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type SourceURLParameters struct {
@@ -1643,6 +2465,12 @@ type SourceURLParameters struct {
 }
 
 type ThreatIntelIndicatorCategoryObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ThreatIntelIndicatorCategoryParameters struct {
@@ -1657,6 +2485,12 @@ type ThreatIntelIndicatorCategoryParameters struct {
 }
 
 type ThreatIntelIndicatorLastObservedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ThreatIntelIndicatorLastObservedAtDateRangeParameters struct {
@@ -1671,6 +2505,15 @@ type ThreatIntelIndicatorLastObservedAtDateRangeParameters struct {
 }
 
 type ThreatIntelIndicatorLastObservedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []ThreatIntelIndicatorLastObservedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type ThreatIntelIndicatorLastObservedAtParameters struct {
@@ -1689,6 +2532,12 @@ type ThreatIntelIndicatorLastObservedAtParameters struct {
 }
 
 type ThreatIntelIndicatorSourceObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ThreatIntelIndicatorSourceParameters struct {
@@ -1703,6 +2552,12 @@ type ThreatIntelIndicatorSourceParameters struct {
 }
 
 type ThreatIntelIndicatorSourceURLObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ThreatIntelIndicatorSourceURLParameters struct {
@@ -1717,6 +2572,12 @@ type ThreatIntelIndicatorSourceURLParameters struct {
 }
 
 type ThreatIntelIndicatorTypeObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ThreatIntelIndicatorTypeParameters struct {
@@ -1731,6 +2592,12 @@ type ThreatIntelIndicatorTypeParameters struct {
 }
 
 type ThreatIntelIndicatorValueObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ThreatIntelIndicatorValueParameters struct {
@@ -1745,6 +2612,12 @@ type ThreatIntelIndicatorValueParameters struct {
 }
 
 type TitleObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TitleParameters struct {
@@ -1759,6 +2632,12 @@ type TitleParameters struct {
 }
 
 type TypeObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TypeParameters struct {
@@ -1773,6 +2652,12 @@ type TypeParameters struct {
 }
 
 type UpdatedAtDateRangeObservation struct {
+
+	// A date range unit for the date filter. Valid values: DAYS.
+	Unit *string `json:"unit,omitempty" tf:"unit,omitempty"`
+
+	// A value for the keyword.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type UpdatedAtDateRangeParameters struct {
@@ -1787,6 +2672,15 @@ type UpdatedAtDateRangeParameters struct {
 }
 
 type UpdatedAtObservation struct {
+
+	// A configuration block of the date range for the date filter. See date_range below for more details.
+	DateRange []UpdatedAtDateRangeObservation `json:"dateRange,omitempty" tf:"date_range,omitempty"`
+
+	// An end date for the date filter. Required with start if date_range is not specified.
+	End *string `json:"end,omitempty" tf:"end,omitempty"`
+
+	// A start date for the date filter. Required with end if date_range is not specified.
+	Start *string `json:"start,omitempty" tf:"start,omitempty"`
 }
 
 type UpdatedAtParameters struct {
@@ -1805,6 +2699,15 @@ type UpdatedAtParameters struct {
 }
 
 type UserDefinedValuesObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// The key of the map filter. For example, for ResourceTags, Key identifies the name of the tag. For UserDefinedFields, Key is the name of the field.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type UserDefinedValuesParameters struct {
@@ -1823,6 +2726,12 @@ type UserDefinedValuesParameters struct {
 }
 
 type VerificationStateObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type VerificationStateParameters struct {
@@ -1837,6 +2746,12 @@ type VerificationStateParameters struct {
 }
 
 type WorkflowStatusObservation struct {
+
+	// The condition to apply to a string value when querying for findings. Valid values include: EQUALS and NOT_EQUALS.
+	Comparison *string `json:"comparison,omitempty" tf:"comparison,omitempty"`
+
+	// A value for the keyword.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type WorkflowStatusParameters struct {
@@ -1874,8 +2789,11 @@ type InsightStatus struct {
 type Insight struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              InsightSpec   `json:"spec"`
-	Status            InsightStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filters)",message="filters is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupByAttribute)",message="groupByAttribute is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   InsightSpec   `json:"spec"`
+	Status InsightStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/securityhub/v1beta1/zz_inviteaccepter_types.go b/apis/securityhub/v1beta1/zz_inviteaccepter_types.go
index 1ae4781871..023f13d5c2 100755
--- a/apis/securityhub/v1beta1/zz_inviteaccepter_types.go
+++ b/apis/securityhub/v1beta1/zz_inviteaccepter_types.go
@@ -18,6 +18,9 @@ type InviteAccepterObservation struct {
 
 	// The ID of the invitation.
 	InvitationID *string `json:"invitationId,omitempty" tf:"invitation_id,omitempty"`
+
+	// The account ID of the master Security Hub account whose invitation you're accepting.
+	MasterID *string `json:"masterId,omitempty" tf:"master_id,omitempty"`
 }
 
 type InviteAccepterParameters struct {
diff --git a/apis/securityhub/v1beta1/zz_member_types.go b/apis/securityhub/v1beta1/zz_member_types.go
index a62531e9e6..891cda9ee7 100755
--- a/apis/securityhub/v1beta1/zz_member_types.go
+++ b/apis/securityhub/v1beta1/zz_member_types.go
@@ -15,9 +15,18 @@ import (
 
 type MemberObservation struct {
 
+	// The ID of the member AWS account.
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
+
+	// The email of the member AWS account.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
 	// The ID of the member AWS account (matches account_id).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Boolean whether to invite the account to Security Hub as a member. Defaults to false.
+	Invite *bool `json:"invite,omitempty" tf:"invite,omitempty"`
+
 	// The ID of the master Security Hub AWS account.
 	MasterID *string `json:"masterId,omitempty" tf:"master_id,omitempty"`
 
@@ -28,12 +37,12 @@ type MemberObservation struct {
 type MemberParameters struct {
 
 	// The ID of the member AWS account.
-	// +kubebuilder:validation:Required
-	AccountID *string `json:"accountId" tf:"account_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	AccountID *string `json:"accountId,omitempty" tf:"account_id,omitempty"`
 
 	// The email of the member AWS account.
-	// +kubebuilder:validation:Required
-	Email *string `json:"email" tf:"email,omitempty"`
+	// +kubebuilder:validation:Optional
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
 
 	// Boolean whether to invite the account to Security Hub as a member. Defaults to false.
 	// +kubebuilder:validation:Optional
@@ -69,8 +78,10 @@ type MemberStatus struct {
 type Member struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MemberSpec   `json:"spec"`
-	Status            MemberStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)",message="accountId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)",message="email is a required parameter"
+	Spec   MemberSpec   `json:"spec"`
+	Status MemberStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/securityhub/v1beta1/zz_productsubscription_types.go b/apis/securityhub/v1beta1/zz_productsubscription_types.go
index e2005b1433..029c98a9e2 100755
--- a/apis/securityhub/v1beta1/zz_productsubscription_types.go
+++ b/apis/securityhub/v1beta1/zz_productsubscription_types.go
@@ -19,13 +19,16 @@ type ProductSubscriptionObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of the product that generates findings that you want to import into Security Hub - see below.
+	ProductArn *string `json:"productArn,omitempty" tf:"product_arn,omitempty"`
 }
 
 type ProductSubscriptionParameters struct {
 
 	// The ARN of the product that generates findings that you want to import into Security Hub - see below.
-	// +kubebuilder:validation:Required
-	ProductArn *string `json:"productArn" tf:"product_arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProductArn *string `json:"productArn,omitempty" tf:"product_arn,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -57,8 +60,9 @@ type ProductSubscriptionStatus struct {
 type ProductSubscription struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProductSubscriptionSpec   `json:"spec"`
-	Status            ProductSubscriptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.productArn)",message="productArn is a required parameter"
+	Spec   ProductSubscriptionSpec   `json:"spec"`
+	Status ProductSubscriptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/securityhub/v1beta1/zz_standardssubscription_types.go b/apis/securityhub/v1beta1/zz_standardssubscription_types.go
index f8fe53668a..10d030834b 100755
--- a/apis/securityhub/v1beta1/zz_standardssubscription_types.go
+++ b/apis/securityhub/v1beta1/zz_standardssubscription_types.go
@@ -17,6 +17,9 @@ type StandardsSubscriptionObservation struct {
 
 	// The ARN of a resource that represents your subscription to a supported standard.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The ARN of a standard - see below.
+	StandardsArn *string `json:"standardsArn,omitempty" tf:"standards_arn,omitempty"`
 }
 
 type StandardsSubscriptionParameters struct {
@@ -27,8 +30,8 @@ type StandardsSubscriptionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The ARN of a standard - see below.
-	// +kubebuilder:validation:Required
-	StandardsArn *string `json:"standardsArn" tf:"standards_arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	StandardsArn *string `json:"standardsArn,omitempty" tf:"standards_arn,omitempty"`
 }
 
 // StandardsSubscriptionSpec defines the desired state of StandardsSubscription
@@ -55,8 +58,9 @@ type StandardsSubscriptionStatus struct {
 type StandardsSubscription struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StandardsSubscriptionSpec   `json:"spec"`
-	Status            StandardsSubscriptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.standardsArn)",message="standardsArn is a required parameter"
+	Spec   StandardsSubscriptionSpec   `json:"spec"`
+	Status StandardsSubscriptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/serverlessrepo/v1beta1/zz_cloudformationstack_types.go b/apis/serverlessrepo/v1beta1/zz_cloudformationstack_types.go
index a29856d5c7..7bf5f0fba6 100755
--- a/apis/serverlessrepo/v1beta1/zz_cloudformationstack_types.go
+++ b/apis/serverlessrepo/v1beta1/zz_cloudformationstack_types.go
@@ -15,12 +15,30 @@ import (
 
 type CloudFormationStackObservation struct {
 
+	// The ARN of the application from the Serverless Application Repository.
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
+
+	// A list of capabilities. Valid values are CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_RESOURCE_POLICY, or CAPABILITY_AUTO_EXPAND
+	Capabilities []*string `json:"capabilities,omitempty" tf:"capabilities,omitempty"`
+
 	// A unique identifier of the stack.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the stack to create. The resource deployed in AWS will be prefixed with serverlessrepo-
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// A map of outputs from the stack.
 	Outputs map[string]*string `json:"outputs,omitempty" tf:"outputs,omitempty"`
 
+	// A map of Parameter structures that specify input parameters for the stack.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// The version of the application to deploy. If not supplied, deploys the latest version.
+	SemanticVersion *string `json:"semanticVersion,omitempty" tf:"semantic_version,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,16 +46,16 @@ type CloudFormationStackObservation struct {
 type CloudFormationStackParameters struct {
 
 	// The ARN of the application from the Serverless Application Repository.
-	// +kubebuilder:validation:Required
-	ApplicationID *string `json:"applicationId" tf:"application_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	ApplicationID *string `json:"applicationId,omitempty" tf:"application_id,omitempty"`
 
 	// A list of capabilities. Valid values are CAPABILITY_IAM, CAPABILITY_NAMED_IAM, CAPABILITY_RESOURCE_POLICY, or CAPABILITY_AUTO_EXPAND
-	// +kubebuilder:validation:Required
-	Capabilities []*string `json:"capabilities" tf:"capabilities,omitempty"`
+	// +kubebuilder:validation:Optional
+	Capabilities []*string `json:"capabilities,omitempty" tf:"capabilities,omitempty"`
 
 	// The name of the stack to create. The resource deployed in AWS will be prefixed with serverlessrepo-
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A map of Parameter structures that specify input parameters for the stack.
 	// +kubebuilder:validation:Optional
@@ -81,8 +99,11 @@ type CloudFormationStackStatus struct {
 type CloudFormationStack struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              CloudFormationStackSpec   `json:"spec"`
-	Status            CloudFormationStackStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.applicationId)",message="applicationId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.capabilities)",message="capabilities is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   CloudFormationStackSpec   `json:"spec"`
+	Status CloudFormationStackStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/serverlessrepo/v1beta1/zz_generated.deepcopy.go b/apis/serverlessrepo/v1beta1/zz_generated.deepcopy.go
index 13d2ec57b1..f206e0be45 100644
--- a/apis/serverlessrepo/v1beta1/zz_generated.deepcopy.go
+++ b/apis/serverlessrepo/v1beta1/zz_generated.deepcopy.go
@@ -75,11 +75,32 @@ func (in *CloudFormationStackList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudFormationStackObservation) DeepCopyInto(out *CloudFormationStackObservation) {
 	*out = *in
+	if in.ApplicationID != nil {
+		in, out := &in.ApplicationID, &out.ApplicationID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Capabilities != nil {
+		in, out := &in.Capabilities, &out.Capabilities
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.Outputs != nil {
 		in, out := &in.Outputs, &out.Outputs
 		*out = make(map[string]*string, len(*in))
@@ -95,6 +116,41 @@ func (in *CloudFormationStackObservation) DeepCopyInto(out *CloudFormationStackO
 			(*out)[key] = outVal
 		}
 	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.SemanticVersion != nil {
+		in, out := &in.SemanticVersion, &out.SemanticVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/servicecatalog/v1beta1/zz_budgetresourceassociation_types.go b/apis/servicecatalog/v1beta1/zz_budgetresourceassociation_types.go
index 8769ba7cae..0335acbc74 100755
--- a/apis/servicecatalog/v1beta1/zz_budgetresourceassociation_types.go
+++ b/apis/servicecatalog/v1beta1/zz_budgetresourceassociation_types.go
@@ -15,8 +15,14 @@ import (
 
 type BudgetResourceAssociationObservation struct {
 
+	// Budget name.
+	BudgetName *string `json:"budgetName,omitempty" tf:"budget_name,omitempty"`
+
 	// Identifier of the association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Resource identifier.
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
 }
 
 type BudgetResourceAssociationParameters struct {
diff --git a/apis/servicecatalog/v1beta1/zz_constraint_types.go b/apis/servicecatalog/v1beta1/zz_constraint_types.go
index 71702920c7..d053d0a0b5 100755
--- a/apis/servicecatalog/v1beta1/zz_constraint_types.go
+++ b/apis/servicecatalog/v1beta1/zz_constraint_types.go
@@ -15,13 +15,31 @@ import (
 
 type ConstraintObservation struct {
 
+	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
+
+	// Description of the constraint.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Constraint identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Owner of the constraint.
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 
+	// Constraint parameters in JSON format. The syntax depends on the constraint type. See details below.
+	Parameters *string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Portfolio identifier.
+	PortfolioID *string `json:"portfolioId,omitempty" tf:"portfolio_id,omitempty"`
+
+	// Product identifier.
+	ProductID *string `json:"productId,omitempty" tf:"product_id,omitempty"`
+
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
+
+	// Type of constraint. Valid values are LAUNCH, NOTIFICATION, RESOURCE_UPDATE, STACKSET, and TEMPLATE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ConstraintParameters struct {
@@ -35,8 +53,8 @@ type ConstraintParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Constraint parameters in JSON format. The syntax depends on the constraint type. See details below.
-	// +kubebuilder:validation:Required
-	Parameters *string `json:"parameters" tf:"parameters,omitempty"`
+	// +kubebuilder:validation:Optional
+	Parameters *string `json:"parameters,omitempty" tf:"parameters,omitempty"`
 
 	// Portfolio identifier.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/servicecatalog/v1beta1.Portfolio
@@ -72,8 +90,8 @@ type ConstraintParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Type of constraint. Valid values are LAUNCH, NOTIFICATION, RESOURCE_UPDATE, STACKSET, and TEMPLATE.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // ConstraintSpec defines the desired state of Constraint
@@ -100,8 +118,10 @@ type ConstraintStatus struct {
 type Constraint struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConstraintSpec   `json:"spec"`
-	Status            ConstraintStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parameters)",message="parameters is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   ConstraintSpec   `json:"spec"`
+	Status ConstraintStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_generated.deepcopy.go b/apis/servicecatalog/v1beta1/zz_generated.deepcopy.go
index bef39d583a..2f9eb7a713 100644
--- a/apis/servicecatalog/v1beta1/zz_generated.deepcopy.go
+++ b/apis/servicecatalog/v1beta1/zz_generated.deepcopy.go
@@ -76,11 +76,21 @@ func (in *BudgetResourceAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BudgetResourceAssociationObservation) DeepCopyInto(out *BudgetResourceAssociationObservation) {
 	*out = *in
+	if in.BudgetName != nil {
+		in, out := &in.BudgetName, &out.BudgetName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BudgetResourceAssociationObservation.
@@ -239,6 +249,16 @@ func (in *ConstraintList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConstraintObservation) DeepCopyInto(out *ConstraintObservation) {
 	*out = *in
+	if in.AcceptLanguage != nil {
+		in, out := &in.AcceptLanguage, &out.AcceptLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -249,11 +269,31 @@ func (in *ConstraintObservation) DeepCopyInto(out *ConstraintObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = new(string)
+		**out = **in
+	}
+	if in.PortfolioID != nil {
+		in, out := &in.PortfolioID, &out.PortfolioID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProductID != nil {
+		in, out := &in.ProductID, &out.ProductID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConstraintObservation.
@@ -373,6 +413,31 @@ func (in *ConstraintStatus) DeepCopy() *ConstraintStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefinitionObservation) DeepCopyInto(out *DefinitionObservation) {
 	*out = *in
+	if in.AssumeRole != nil {
+		in, out := &in.AssumeRole, &out.AssumeRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefinitionObservation.
@@ -497,11 +562,41 @@ func (in *PortfolioObservation) DeepCopyInto(out *PortfolioObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProviderName != nil {
+		in, out := &in.ProviderName, &out.ProviderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -641,6 +736,11 @@ func (in *PortfolioShareList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PortfolioShareObservation) DeepCopyInto(out *PortfolioShareObservation) {
 	*out = *in
+	if in.AcceptLanguage != nil {
+		in, out := &in.AcceptLanguage, &out.AcceptLanguage
+		*out = new(string)
+		**out = **in
+	}
 	if in.Accepted != nil {
 		in, out := &in.Accepted, &out.Accepted
 		*out = new(bool)
@@ -651,6 +751,36 @@ func (in *PortfolioShareObservation) DeepCopyInto(out *PortfolioShareObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.PortfolioID != nil {
+		in, out := &in.PortfolioID, &out.PortfolioID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalID != nil {
+		in, out := &in.PrincipalID, &out.PrincipalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SharePrincipals != nil {
+		in, out := &in.SharePrincipals, &out.SharePrincipals
+		*out = new(bool)
+		**out = **in
+	}
+	if in.ShareTagOptions != nil {
+		in, out := &in.ShareTagOptions, &out.ShareTagOptions
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.WaitForAcceptance != nil {
+		in, out := &in.WaitForAcceptance, &out.WaitForAcceptance
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortfolioShareObservation.
@@ -858,11 +988,31 @@ func (in *PrincipalPortfolioAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PrincipalPortfolioAssociationObservation) DeepCopyInto(out *PrincipalPortfolioAssociationObservation) {
 	*out = *in
+	if in.AcceptLanguage != nil {
+		in, out := &in.AcceptLanguage, &out.AcceptLanguage
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PortfolioID != nil {
+		in, out := &in.PortfolioID, &out.PortfolioID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalArn != nil {
+		in, out := &in.PrincipalArn, &out.PrincipalArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalType != nil {
+		in, out := &in.PrincipalType, &out.PrincipalType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrincipalPortfolioAssociationObservation.
@@ -1031,6 +1181,11 @@ func (in *ProductList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProductObservation) DeepCopyInto(out *ProductObservation) {
 	*out = *in
+	if in.AcceptLanguage != nil {
+		in, out := &in.AcceptLanguage, &out.AcceptLanguage
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -1041,6 +1196,16 @@ func (in *ProductObservation) DeepCopyInto(out *ProductObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Distributor != nil {
+		in, out := &in.Distributor, &out.Distributor
+		*out = new(string)
+		**out = **in
+	}
 	if in.HasDefaultPath != nil {
 		in, out := &in.HasDefaultPath, &out.HasDefaultPath
 		*out = new(bool)
@@ -1051,11 +1216,58 @@ func (in *ProductObservation) DeepCopyInto(out *ProductObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Owner != nil {
+		in, out := &in.Owner, &out.Owner
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProvisioningArtifactParameters != nil {
+		in, out := &in.ProvisioningArtifactParameters, &out.ProvisioningArtifactParameters
+		*out = make([]ProvisioningArtifactParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.SupportDescription != nil {
+		in, out := &in.SupportDescription, &out.SupportDescription
+		*out = new(string)
+		**out = **in
+	}
+	if in.SupportEmail != nil {
+		in, out := &in.SupportEmail, &out.SupportEmail
+		*out = new(string)
+		**out = **in
+	}
+	if in.SupportURL != nil {
+		in, out := &in.SupportURL, &out.SupportURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1071,6 +1283,11 @@ func (in *ProductObservation) DeepCopyInto(out *ProductObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProductObservation.
@@ -1232,11 +1449,31 @@ func (in *ProductPortfolioAssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProductPortfolioAssociationObservation) DeepCopyInto(out *ProductPortfolioAssociationObservation) {
 	*out = *in
+	if in.AcceptLanguage != nil {
+		in, out := &in.AcceptLanguage, &out.AcceptLanguage
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PortfolioID != nil {
+		in, out := &in.PortfolioID, &out.PortfolioID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProductID != nil {
+		in, out := &in.ProductID, &out.ProductID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourcePortfolioID != nil {
+		in, out := &in.SourcePortfolioID, &out.SourcePortfolioID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProductPortfolioAssociationObservation.
@@ -1439,16 +1676,66 @@ func (in *ProvisioningArtifactList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProvisioningArtifactObservation) DeepCopyInto(out *ProvisioningArtifactObservation) {
 	*out = *in
+	if in.AcceptLanguage != nil {
+		in, out := &in.AcceptLanguage, &out.AcceptLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Active != nil {
+		in, out := &in.Active, &out.Active
+		*out = new(bool)
+		**out = **in
+	}
 	if in.CreatedTime != nil {
 		in, out := &in.CreatedTime, &out.CreatedTime
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableTemplateValidation != nil {
+		in, out := &in.DisableTemplateValidation, &out.DisableTemplateValidation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Guidance != nil {
+		in, out := &in.Guidance, &out.Guidance
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProductID != nil {
+		in, out := &in.ProductID, &out.ProductID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplatePhysicalID != nil {
+		in, out := &in.TemplatePhysicalID, &out.TemplatePhysicalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplateURL != nil {
+		in, out := &in.TemplateURL, &out.TemplateURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisioningArtifactObservation.
@@ -1544,6 +1831,36 @@ func (in *ProvisioningArtifactParameters) DeepCopy() *ProvisioningArtifactParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ProvisioningArtifactParametersObservation) DeepCopyInto(out *ProvisioningArtifactParametersObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisableTemplateValidation != nil {
+		in, out := &in.DisableTemplateValidation, &out.DisableTemplateValidation
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplatePhysicalID != nil {
+		in, out := &in.TemplatePhysicalID, &out.TemplatePhysicalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TemplateURL != nil {
+		in, out := &in.TemplateURL, &out.TemplateURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ProvisioningArtifactParametersObservation.
@@ -1697,11 +2014,33 @@ func (in *ServiceActionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ServiceActionObservation) DeepCopyInto(out *ServiceActionObservation) {
 	*out = *in
+	if in.AcceptLanguage != nil {
+		in, out := &in.AcceptLanguage, &out.AcceptLanguage
+		*out = new(string)
+		**out = **in
+	}
+	if in.Definition != nil {
+		in, out := &in.Definition, &out.Definition
+		*out = make([]DefinitionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceActionObservation.
@@ -1852,16 +2191,31 @@ func (in *TagOptionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagOptionObservation) DeepCopyInto(out *TagOptionObservation) {
 	*out = *in
+	if in.Active != nil {
+		in, out := &in.Active, &out.Active
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 	if in.Owner != nil {
 		in, out := &in.Owner, &out.Owner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagOptionObservation.
@@ -1991,11 +2345,21 @@ func (in *TagOptionResourceAssociationObservation) DeepCopyInto(out *TagOptionRe
 		*out = new(string)
 		**out = **in
 	}
+	if in.ResourceID != nil {
+		in, out := &in.ResourceID, &out.ResourceID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ResourceName != nil {
 		in, out := &in.ResourceName, &out.ResourceName
 		*out = new(string)
 		**out = **in
 	}
+	if in.TagOptionID != nil {
+		in, out := &in.TagOptionID, &out.TagOptionID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagOptionResourceAssociationObservation.
diff --git a/apis/servicecatalog/v1beta1/zz_portfolio_types.go b/apis/servicecatalog/v1beta1/zz_portfolio_types.go
index 0dd0173902..609d2ee62b 100755
--- a/apis/servicecatalog/v1beta1/zz_portfolio_types.go
+++ b/apis/servicecatalog/v1beta1/zz_portfolio_types.go
@@ -18,9 +18,21 @@ type PortfolioObservation struct {
 
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Description of the portfolio
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the Service Catalog Portfolio.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the portfolio.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Name of the person or organization who owns the portfolio.
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -32,12 +44,12 @@ type PortfolioParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the portfolio.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Name of the person or organization who owns the portfolio.
-	// +kubebuilder:validation:Required
-	ProviderName *string `json:"providerName" tf:"provider_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProviderName *string `json:"providerName,omitempty" tf:"provider_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -73,8 +85,10 @@ type PortfolioStatus struct {
 type Portfolio struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PortfolioSpec   `json:"spec"`
-	Status            PortfolioStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerName)",message="providerName is a required parameter"
+	Spec   PortfolioSpec   `json:"spec"`
+	Status PortfolioStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_portfolioshare_types.go b/apis/servicecatalog/v1beta1/zz_portfolioshare_types.go
index 3dd7e07327..725d7b7135 100755
--- a/apis/servicecatalog/v1beta1/zz_portfolioshare_types.go
+++ b/apis/servicecatalog/v1beta1/zz_portfolioshare_types.go
@@ -15,10 +15,31 @@ import (
 
 type PortfolioShareObservation struct {
 
+	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
+
 	// Whether the shared portfolio is imported by the recipient account. If the recipient is organizational, the share is automatically imported, and the field is always set to true.
 	Accepted *bool `json:"accepted,omitempty" tf:"accepted,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Portfolio identifier.
+	PortfolioID *string `json:"portfolioId,omitempty" tf:"portfolio_id,omitempty"`
+
+	// Identifier of the principal with whom you will share the portfolio. Valid values AWS account IDs and ARNs of AWS Organizations and organizational units.
+	PrincipalID *string `json:"principalId,omitempty" tf:"principal_id,omitempty"`
+
+	// Enables or disables Principal sharing when creating the portfolio share. If this flag is not provided, principal sharing is disabled.
+	SharePrincipals *bool `json:"sharePrincipals,omitempty" tf:"share_principals,omitempty"`
+
+	// Whether to enable sharing of aws_servicecatalog_tag_option resources when creating the portfolio share.
+	ShareTagOptions *bool `json:"shareTagOptions,omitempty" tf:"share_tag_options,omitempty"`
+
+	// Type of portfolio share. Valid values are ACCOUNT (an external account), ORGANIZATION (a share to every account in an organization), ORGANIZATIONAL_UNIT, ORGANIZATION_MEMBER_ACCOUNT (a share to an account in an organization).
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// Whether to wait (up to the timeout) for the share to be accepted. Organizational shares are automatically accepted.
+	WaitForAcceptance *bool `json:"waitForAcceptance,omitempty" tf:"wait_for_acceptance,omitempty"`
 }
 
 type PortfolioShareParameters struct {
@@ -42,8 +63,8 @@ type PortfolioShareParameters struct {
 	PortfolioIDSelector *v1.Selector `json:"portfolioIdSelector,omitempty" tf:"-"`
 
 	// Identifier of the principal with whom you will share the portfolio. Valid values AWS account IDs and ARNs of AWS Organizations and organizational units.
-	// +kubebuilder:validation:Required
-	PrincipalID *string `json:"principalId" tf:"principal_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	PrincipalID *string `json:"principalId,omitempty" tf:"principal_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -59,8 +80,8 @@ type PortfolioShareParameters struct {
 	ShareTagOptions *bool `json:"shareTagOptions,omitempty" tf:"share_tag_options,omitempty"`
 
 	// Type of portfolio share. Valid values are ACCOUNT (an external account), ORGANIZATION (a share to every account in an organization), ORGANIZATIONAL_UNIT, ORGANIZATION_MEMBER_ACCOUNT (a share to an account in an organization).
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 
 	// Whether to wait (up to the timeout) for the share to be accepted. Organizational shares are automatically accepted.
 	// +kubebuilder:validation:Optional
@@ -91,8 +112,10 @@ type PortfolioShareStatus struct {
 type PortfolioShare struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PortfolioShareSpec   `json:"spec"`
-	Status            PortfolioShareStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principalId)",message="principalId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   PortfolioShareSpec   `json:"spec"`
+	Status PortfolioShareStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_principalportfolioassociation_types.go b/apis/servicecatalog/v1beta1/zz_principalportfolioassociation_types.go
index a1d4dd8a67..a397dc3b6c 100755
--- a/apis/servicecatalog/v1beta1/zz_principalportfolioassociation_types.go
+++ b/apis/servicecatalog/v1beta1/zz_principalportfolioassociation_types.go
@@ -15,15 +15,27 @@ import (
 
 type PrincipalPortfolioAssociationObservation struct {
 
+	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
+
 	// Identifier of the association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Portfolio identifier.
+	PortfolioID *string `json:"portfolioId,omitempty" tf:"portfolio_id,omitempty"`
+
+	// Principal ARN.
+	PrincipalArn *string `json:"principalArn,omitempty" tf:"principal_arn,omitempty"`
+
+	// Principal type. Setting this argument empty (e.g., principal_type = "") will result in an error. Valid value is IAM. Default is IAM.
+	PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`
 }
 
 type PrincipalPortfolioAssociationParameters struct {
 
 	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
-	// +kubebuilder:validation:Required
-	AcceptLanguage *string `json:"acceptLanguage" tf:"accept_language,omitempty"`
+	// +kubebuilder:validation:Optional
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
 
 	// Portfolio identifier.
 	// +crossplane:generate:reference:type=Portfolio
@@ -86,8 +98,9 @@ type PrincipalPortfolioAssociationStatus struct {
 type PrincipalPortfolioAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PrincipalPortfolioAssociationSpec   `json:"spec"`
-	Status            PrincipalPortfolioAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.acceptLanguage)",message="acceptLanguage is a required parameter"
+	Spec   PrincipalPortfolioAssociationSpec   `json:"spec"`
+	Status PrincipalPortfolioAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_product_types.go b/apis/servicecatalog/v1beta1/zz_product_types.go
index dfd3d1d97d..b8383158af 100755
--- a/apis/servicecatalog/v1beta1/zz_product_types.go
+++ b/apis/servicecatalog/v1beta1/zz_product_types.go
@@ -15,23 +15,56 @@ import (
 
 type ProductObservation struct {
 
+	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
+
 	// ARN of the product.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// Time when the product was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Description of the product.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Distributor (i.e., vendor) of the product.
+	Distributor *string `json:"distributor,omitempty" tf:"distributor,omitempty"`
+
 	// Whether the product has a default path. If the product does not have a default path, call ListLaunchPaths to disambiguate between paths.  Otherwise, ListLaunchPaths is not required, and the output of ProductViewSummary can be used directly with DescribeProvisioningParameters.
 	HasDefaultPath *bool `json:"hasDefaultPath,omitempty" tf:"has_default_path,omitempty"`
 
 	// Product ID. For example, prod-dnigbtea24ste.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Name of the product.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Owner of the product.
+	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
+
+	// Configuration block for provisioning artifact (i.e., version) parameters. Detailed below.
+	ProvisioningArtifactParameters []ProvisioningArtifactParametersObservation `json:"provisioningArtifactParameters,omitempty" tf:"provisioning_artifact_parameters,omitempty"`
+
 	// Status of the product.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Support information about the product.
+	SupportDescription *string `json:"supportDescription,omitempty" tf:"support_description,omitempty"`
+
+	// Contact email for product support.
+	SupportEmail *string `json:"supportEmail,omitempty" tf:"support_email,omitempty"`
+
+	// Contact URL for product support.
+	SupportURL *string `json:"supportUrl,omitempty" tf:"support_url,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Type of product. Valid values are CLOUD_FORMATION_TEMPLATE, MARKETPLACE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ProductParameters struct {
@@ -49,16 +82,16 @@ type ProductParameters struct {
 	Distributor *string `json:"distributor,omitempty" tf:"distributor,omitempty"`
 
 	// Name of the product.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Owner of the product.
-	// +kubebuilder:validation:Required
-	Owner *string `json:"owner" tf:"owner,omitempty"`
+	// +kubebuilder:validation:Optional
+	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 
 	// Configuration block for provisioning artifact (i.e., version) parameters. Detailed below.
-	// +kubebuilder:validation:Required
-	ProvisioningArtifactParameters []ProvisioningArtifactParametersParameters `json:"provisioningArtifactParameters" tf:"provisioning_artifact_parameters,omitempty"`
+	// +kubebuilder:validation:Optional
+	ProvisioningArtifactParameters []ProvisioningArtifactParametersParameters `json:"provisioningArtifactParameters,omitempty" tf:"provisioning_artifact_parameters,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -82,11 +115,29 @@ type ProductParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Type of product. Valid values are CLOUD_FORMATION_TEMPLATE, MARKETPLACE.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ProvisioningArtifactParametersObservation struct {
+
+	// Description of the provisioning artifact (i.e., version), including how it differs from the previous provisioning artifact.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether AWS Service Catalog stops validating the specified provisioning artifact template even if it is invalid.
+	DisableTemplateValidation *bool `json:"disableTemplateValidation,omitempty" tf:"disable_template_validation,omitempty"`
+
+	// Name of the provisioning artifact (for example, v1, v2beta). No spaces are allowed.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Template source as the physical ID of the resource that contains the template. Currently only supports CloudFormation stack ARN. Specify the physical ID as arn:[partition]:cloudformation:[region]:[account ID]:stack/[stack name]/[resource ID].
+	TemplatePhysicalID *string `json:"templatePhysicalId,omitempty" tf:"template_physical_id,omitempty"`
+
+	// Template source as URL of the CloudFormation template in Amazon S3.
+	TemplateURL *string `json:"templateUrl,omitempty" tf:"template_url,omitempty"`
+
+	// Type of provisioning artifact. Valid values: CLOUD_FORMATION_TEMPLATE, MARKETPLACE_AMI, MARKETPLACE_CAR (Marketplace Clusters and AWS Resources).
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ProvisioningArtifactParametersParameters struct {
@@ -140,8 +191,12 @@ type ProductStatus struct {
 type Product struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProductSpec   `json:"spec"`
-	Status            ProductStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.owner)",message="owner is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.provisioningArtifactParameters)",message="provisioningArtifactParameters is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   ProductSpec   `json:"spec"`
+	Status ProductStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_productportfolioassociation_types.go b/apis/servicecatalog/v1beta1/zz_productportfolioassociation_types.go
index 21a784af39..05c47e9a37 100755
--- a/apis/servicecatalog/v1beta1/zz_productportfolioassociation_types.go
+++ b/apis/servicecatalog/v1beta1/zz_productportfolioassociation_types.go
@@ -15,15 +15,27 @@ import (
 
 type ProductPortfolioAssociationObservation struct {
 
+	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
+
 	// Identifier of the association.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Portfolio identifier.
+	PortfolioID *string `json:"portfolioId,omitempty" tf:"portfolio_id,omitempty"`
+
+	// Product identifier.
+	ProductID *string `json:"productId,omitempty" tf:"product_id,omitempty"`
+
+	// Identifier of the source portfolio.
+	SourcePortfolioID *string `json:"sourcePortfolioId,omitempty" tf:"source_portfolio_id,omitempty"`
 }
 
 type ProductPortfolioAssociationParameters struct {
 
 	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). Default value is en.
-	// +kubebuilder:validation:Required
-	AcceptLanguage *string `json:"acceptLanguage" tf:"accept_language,omitempty"`
+	// +kubebuilder:validation:Optional
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
 
 	// Portfolio identifier.
 	// +crossplane:generate:reference:type=Portfolio
@@ -85,8 +97,9 @@ type ProductPortfolioAssociationStatus struct {
 type ProductPortfolioAssociation struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ProductPortfolioAssociationSpec   `json:"spec"`
-	Status            ProductPortfolioAssociationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.acceptLanguage)",message="acceptLanguage is a required parameter"
+	Spec   ProductPortfolioAssociationSpec   `json:"spec"`
+	Status ProductPortfolioAssociationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_provisioningartifact_types.go b/apis/servicecatalog/v1beta1/zz_provisioningartifact_types.go
index d9475998e7..3770c46c5e 100755
--- a/apis/servicecatalog/v1beta1/zz_provisioningartifact_types.go
+++ b/apis/servicecatalog/v1beta1/zz_provisioningartifact_types.go
@@ -15,11 +15,41 @@ import (
 
 type ProvisioningArtifactObservation struct {
 
+	// Language code. Valid values: en (English), jp (Japanese), zh (Chinese). The default value is en.
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
+
+	// Whether the product version is active. Inactive provisioning artifacts are invisible to end users. End users cannot launch or update a provisioned product from an inactive provisioning artifact. Default is true.
+	Active *bool `json:"active,omitempty" tf:"active,omitempty"`
+
 	// Time when the provisioning artifact was created.
 	CreatedTime *string `json:"createdTime,omitempty" tf:"created_time,omitempty"`
 
+	// Description of the provisioning artifact (i.e., version), including how it differs from the previous provisioning artifact.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// Whether AWS Service Catalog stops validating the specified provisioning artifact template even if it is invalid.
+	DisableTemplateValidation *bool `json:"disableTemplateValidation,omitempty" tf:"disable_template_validation,omitempty"`
+
+	// Information set by the administrator to provide guidance to end users about which provisioning artifacts to use. Valid values are DEFAULT and DEPRECATED. The default is DEFAULT. Users are able to make updates to a provisioned product of a deprecated version but cannot launch new provisioned products using a deprecated version.
+	Guidance *string `json:"guidance,omitempty" tf:"guidance,omitempty"`
+
 	// Provisioning Artifact identifier and product identifier separated by a colon.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the provisioning artifact (for example, v1, v2beta). No spaces are allowed.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Identifier of the product.
+	ProductID *string `json:"productId,omitempty" tf:"product_id,omitempty"`
+
+	// Template source as the physical ID of the resource that contains the template. Currently only supports CloudFormation stack ARN. Specify the physical ID as arn:[partition]:cloudformation:[region]:[account ID]:stack/[stack name]/[resource ID].
+	TemplatePhysicalID *string `json:"templatePhysicalId,omitempty" tf:"template_physical_id,omitempty"`
+
+	// Template source as URL of the CloudFormation template in Amazon S3.
+	TemplateURL *string `json:"templateUrl,omitempty" tf:"template_url,omitempty"`
+
+	// Type of provisioning artifact. Valid values: CLOUD_FORMATION_TEMPLATE, MARKETPLACE_AMI, MARKETPLACE_CAR (Marketplace Clusters and AWS Resources).
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ProvisioningArtifactParameters struct {
diff --git a/apis/servicecatalog/v1beta1/zz_serviceaction_types.go b/apis/servicecatalog/v1beta1/zz_serviceaction_types.go
index 860363a296..ed6cccd367 100755
--- a/apis/servicecatalog/v1beta1/zz_serviceaction_types.go
+++ b/apis/servicecatalog/v1beta1/zz_serviceaction_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type DefinitionObservation struct {
+
+	// ARN of the role that performs the self-service actions on your behalf. For example, arn:aws:iam::12345678910:role/ActionRole. To reuse the provisioned product launch role, set to LAUNCH_ROLE.
+	AssumeRole *string `json:"assumeRole,omitempty" tf:"assume_role,omitempty"`
+
+	// Name of the SSM document. For example, AWS-RestartEC2Instance. If you are using a shared SSM document, you must provide the ARN instead of the name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// List of parameters in JSON format. For example: [{\"Name\":\"InstanceId\",\"Type\":\"TARGET\"}] or [{\"Name\":\"InstanceId\",\"Type\":\"TEXT_VALUE\"}].
+	Parameters *string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// Service action definition type. Valid value is SSM_AUTOMATION. Default is SSM_AUTOMATION.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// SSM document version. For example, 1.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type DefinitionParameters struct {
@@ -41,8 +56,20 @@ type DefinitionParameters struct {
 
 type ServiceActionObservation struct {
 
+	// Language code. Valid values are en (English), jp (Japanese), and zh (Chinese). Default is en.
+	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
+
+	// Self-service action definition configuration block. Detailed below.
+	Definition []DefinitionObservation `json:"definition,omitempty" tf:"definition,omitempty"`
+
+	// Self-service action description.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// Identifier of the service action.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Self-service action name.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type ServiceActionParameters struct {
@@ -52,16 +79,16 @@ type ServiceActionParameters struct {
 	AcceptLanguage *string `json:"acceptLanguage,omitempty" tf:"accept_language,omitempty"`
 
 	// Self-service action definition configuration block. Detailed below.
-	// +kubebuilder:validation:Required
-	Definition []DefinitionParameters `json:"definition" tf:"definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	Definition []DefinitionParameters `json:"definition,omitempty" tf:"definition,omitempty"`
 
 	// Self-service action description.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Self-service action name.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -93,8 +120,10 @@ type ServiceActionStatus struct {
 type ServiceAction struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServiceActionSpec   `json:"spec"`
-	Status            ServiceActionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)",message="definition is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ServiceActionSpec   `json:"spec"`
+	Status ServiceActionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_tagoption_types.go b/apis/servicecatalog/v1beta1/zz_tagoption_types.go
index a0e890738b..910acfe6cb 100755
--- a/apis/servicecatalog/v1beta1/zz_tagoption_types.go
+++ b/apis/servicecatalog/v1beta1/zz_tagoption_types.go
@@ -15,10 +15,19 @@ import (
 
 type TagOptionObservation struct {
 
+	// Whether tag option is active. Default is true.
+	Active *bool `json:"active,omitempty" tf:"active,omitempty"`
+
 	// Identifier (e.g., tag-pjtvagohlyo3m).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Tag option key.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
+
+	// Tag option value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagOptionParameters struct {
@@ -28,8 +37,8 @@ type TagOptionParameters struct {
 	Active *bool `json:"active,omitempty" tf:"active,omitempty"`
 
 	// Tag option key.
-	// +kubebuilder:validation:Required
-	Key *string `json:"key" tf:"key,omitempty"`
+	// +kubebuilder:validation:Optional
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -37,8 +46,8 @@ type TagOptionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Tag option value.
-	// +kubebuilder:validation:Required
-	Value *string `json:"value" tf:"value,omitempty"`
+	// +kubebuilder:validation:Optional
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 // TagOptionSpec defines the desired state of TagOption
@@ -65,8 +74,10 @@ type TagOptionStatus struct {
 type TagOption struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TagOptionSpec   `json:"spec"`
-	Status            TagOptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)",message="key is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)",message="value is a required parameter"
+	Spec   TagOptionSpec   `json:"spec"`
+	Status TagOptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicecatalog/v1beta1/zz_tagoptionresourceassociation_types.go b/apis/servicecatalog/v1beta1/zz_tagoptionresourceassociation_types.go
index f935484ff4..2943b81794 100755
--- a/apis/servicecatalog/v1beta1/zz_tagoptionresourceassociation_types.go
+++ b/apis/servicecatalog/v1beta1/zz_tagoptionresourceassociation_types.go
@@ -27,8 +27,14 @@ type TagOptionResourceAssociationObservation struct {
 	// Description of the resource.
 	ResourceDescription *string `json:"resourceDescription,omitempty" tf:"resource_description,omitempty"`
 
+	// Resource identifier.
+	ResourceID *string `json:"resourceId,omitempty" tf:"resource_id,omitempty"`
+
 	// Description of the resource.
 	ResourceName *string `json:"resourceName,omitempty" tf:"resource_name,omitempty"`
+
+	// Tag Option identifier.
+	TagOptionID *string `json:"tagOptionId,omitempty" tf:"tag_option_id,omitempty"`
 }
 
 type TagOptionResourceAssociationParameters struct {
diff --git a/apis/servicediscovery/v1beta1/zz_generated.deepcopy.go b/apis/servicediscovery/v1beta1/zz_generated.deepcopy.go
index 4e562cdfea..fa05256a05 100644
--- a/apis/servicediscovery/v1beta1/zz_generated.deepcopy.go
+++ b/apis/servicediscovery/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,23 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DNSConfigObservation) DeepCopyInto(out *DNSConfigObservation) {
 	*out = *in
+	if in.DNSRecords != nil {
+		in, out := &in.DNSRecords, &out.DNSRecords
+		*out = make([]DNSRecordsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.NamespaceID != nil {
+		in, out := &in.NamespaceID, &out.NamespaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.RoutingPolicy != nil {
+		in, out := &in.RoutingPolicy, &out.RoutingPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSConfigObservation.
@@ -74,6 +91,16 @@ func (in *DNSConfigParameters) DeepCopy() *DNSConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DNSRecordsObservation) DeepCopyInto(out *DNSRecordsObservation) {
 	*out = *in
+	if in.TTL != nil {
+		in, out := &in.TTL, &out.TTL
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DNSRecordsObservation.
@@ -178,6 +205,11 @@ func (in *HTTPNamespaceObservation) DeepCopyInto(out *HTTPNamespaceObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.HTTPName != nil {
 		in, out := &in.HTTPName, &out.HTTPName
 		*out = new(string)
@@ -188,6 +220,26 @@ func (in *HTTPNamespaceObservation) DeepCopyInto(out *HTTPNamespaceObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -297,6 +349,21 @@ func (in *HTTPNamespaceStatus) DeepCopy() *HTTPNamespaceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HealthCheckConfigObservation) DeepCopyInto(out *HealthCheckConfigObservation) {
 	*out = *in
+	if in.FailureThreshold != nil {
+		in, out := &in.FailureThreshold, &out.FailureThreshold
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResourcePath != nil {
+		in, out := &in.ResourcePath, &out.ResourcePath
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckConfigObservation.
@@ -342,6 +409,11 @@ func (in *HealthCheckConfigParameters) DeepCopy() *HealthCheckConfigParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HealthCheckCustomConfigObservation) DeepCopyInto(out *HealthCheckCustomConfigObservation) {
 	*out = *in
+	if in.FailureThreshold != nil {
+		in, out := &in.FailureThreshold, &out.FailureThreshold
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthCheckCustomConfigObservation.
@@ -441,6 +513,11 @@ func (in *PrivateDNSNamespaceObservation) DeepCopyInto(out *PrivateDNSNamespaceO
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostedZone != nil {
 		in, out := &in.HostedZone, &out.HostedZone
 		*out = new(string)
@@ -451,6 +528,26 @@ func (in *PrivateDNSNamespaceObservation) DeepCopyInto(out *PrivateDNSNamespaceO
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -466,6 +563,11 @@ func (in *PrivateDNSNamespaceObservation) DeepCopyInto(out *PrivateDNSNamespaceO
 			(*out)[key] = outVal
 		}
 	}
+	if in.VPC != nil {
+		in, out := &in.VPC, &out.VPC
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PrivateDNSNamespaceObservation.
@@ -639,6 +741,11 @@ func (in *PublicDNSNamespaceObservation) DeepCopyInto(out *PublicDNSNamespaceObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostedZone != nil {
 		in, out := &in.HostedZone, &out.HostedZone
 		*out = new(string)
@@ -649,6 +756,26 @@ func (in *PublicDNSNamespaceObservation) DeepCopyInto(out *PublicDNSNamespaceObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -822,11 +949,67 @@ func (in *ServiceObservation) DeepCopyInto(out *ServiceObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DNSConfig != nil {
+		in, out := &in.DNSConfig, &out.DNSConfig
+		*out = make([]DNSConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.HealthCheckConfig != nil {
+		in, out := &in.HealthCheckConfig, &out.HealthCheckConfig
+		*out = make([]HealthCheckConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HealthCheckCustomConfig != nil {
+		in, out := &in.HealthCheckCustomConfig, &out.HealthCheckCustomConfig
+		*out = make([]HealthCheckCustomConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.NamespaceID != nil {
+		in, out := &in.NamespaceID, &out.NamespaceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -842,6 +1025,11 @@ func (in *ServiceObservation) DeepCopyInto(out *ServiceObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceObservation.
diff --git a/apis/servicediscovery/v1beta1/zz_httpnamespace_types.go b/apis/servicediscovery/v1beta1/zz_httpnamespace_types.go
index 55dee5e001..f9f1884a70 100755
--- a/apis/servicediscovery/v1beta1/zz_httpnamespace_types.go
+++ b/apis/servicediscovery/v1beta1/zz_httpnamespace_types.go
@@ -18,12 +18,21 @@ type HTTPNamespaceObservation struct {
 	// The ARN that Amazon Route 53 assigns to the namespace when you create it.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description that you specify for the namespace when you create it.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The name of an HTTP namespace.
 	HTTPName *string `json:"httpName,omitempty" tf:"http_name,omitempty"`
 
 	// The ID of a namespace.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the http namespace.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,8 +44,8 @@ type HTTPNamespaceParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the http namespace.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -72,8 +81,9 @@ type HTTPNamespaceStatus struct {
 type HTTPNamespace struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              HTTPNamespaceSpec   `json:"spec"`
-	Status            HTTPNamespaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   HTTPNamespaceSpec   `json:"spec"`
+	Status HTTPNamespaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicediscovery/v1beta1/zz_privatednsnamespace_types.go b/apis/servicediscovery/v1beta1/zz_privatednsnamespace_types.go
index 70f4b1ffea..0ce151b187 100755
--- a/apis/servicediscovery/v1beta1/zz_privatednsnamespace_types.go
+++ b/apis/servicediscovery/v1beta1/zz_privatednsnamespace_types.go
@@ -18,14 +18,26 @@ type PrivateDNSNamespaceObservation struct {
 	// The ARN that Amazon Route 53 assigns to the namespace when you create it.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description that you specify for the namespace when you create it.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID for the hosted zone that Amazon Route 53 creates when you create a namespace.
 	HostedZone *string `json:"hostedZone,omitempty" tf:"hosted_zone,omitempty"`
 
 	// The ID of a namespace.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the namespace.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The ID of VPC that you want to associate the namespace with.
+	VPC *string `json:"vpc,omitempty" tf:"vpc,omitempty"`
 }
 
 type PrivateDNSNamespaceParameters struct {
@@ -35,8 +47,8 @@ type PrivateDNSNamespaceParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the namespace.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -85,8 +97,9 @@ type PrivateDNSNamespaceStatus struct {
 type PrivateDNSNamespace struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PrivateDNSNamespaceSpec   `json:"spec"`
-	Status            PrivateDNSNamespaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   PrivateDNSNamespaceSpec   `json:"spec"`
+	Status PrivateDNSNamespaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicediscovery/v1beta1/zz_publicdnsnamespace_types.go b/apis/servicediscovery/v1beta1/zz_publicdnsnamespace_types.go
index b5c493371c..27e181ae29 100755
--- a/apis/servicediscovery/v1beta1/zz_publicdnsnamespace_types.go
+++ b/apis/servicediscovery/v1beta1/zz_publicdnsnamespace_types.go
@@ -18,12 +18,21 @@ type PublicDNSNamespaceObservation struct {
 	// The ARN that Amazon Route 53 assigns to the namespace when you create it.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description that you specify for the namespace when you create it.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID for the hosted zone that Amazon Route 53 creates when you create a namespace.
 	HostedZone *string `json:"hostedZone,omitempty" tf:"hosted_zone,omitempty"`
 
 	// The ID of a namespace.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the namespace.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,8 +44,8 @@ type PublicDNSNamespaceParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the namespace.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -72,8 +81,9 @@ type PublicDNSNamespaceStatus struct {
 type PublicDNSNamespace struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PublicDNSNamespaceSpec   `json:"spec"`
-	Status            PublicDNSNamespaceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   PublicDNSNamespaceSpec   `json:"spec"`
+	Status PublicDNSNamespaceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicediscovery/v1beta1/zz_service_types.go b/apis/servicediscovery/v1beta1/zz_service_types.go
index 2eb83cb601..6692ffb2dc 100755
--- a/apis/servicediscovery/v1beta1/zz_service_types.go
+++ b/apis/servicediscovery/v1beta1/zz_service_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type DNSConfigObservation struct {
+
+	// An array that contains one DnsRecord object for each resource record set.
+	DNSRecords []DNSRecordsObservation `json:"dnsRecords,omitempty" tf:"dns_records,omitempty"`
+
+	// The ID of the namespace to use for DNS configuration.
+	NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"`
+
+	// The routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. Valid Values: MULTIVALUE, WEIGHTED
+	RoutingPolicy *string `json:"routingPolicy,omitempty" tf:"routing_policy,omitempty"`
 }
 
 type DNSConfigParameters struct {
@@ -42,6 +51,12 @@ type DNSConfigParameters struct {
 }
 
 type DNSRecordsObservation struct {
+
+	// The amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set.
+	TTL *float64 `json:"ttl,omitempty" tf:"ttl,omitempty"`
+
+	// The type of the resource, which indicates the value that Amazon Route 53 returns in response to DNS queries. Valid Values: A, AAAA, SRV, CNAME
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DNSRecordsParameters struct {
@@ -56,6 +71,15 @@ type DNSRecordsParameters struct {
 }
 
 type HealthCheckConfigObservation struct {
+
+	// The number of consecutive health checks. Maximum value of 10.
+	FailureThreshold *float64 `json:"failureThreshold,omitempty" tf:"failure_threshold,omitempty"`
+
+	// The path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /.
+	ResourcePath *string `json:"resourcePath,omitempty" tf:"resource_path,omitempty"`
+
+	// The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type HealthCheckConfigParameters struct {
@@ -74,6 +98,9 @@ type HealthCheckConfigParameters struct {
 }
 
 type HealthCheckCustomConfigObservation struct {
+
+	// The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance.  Maximum value of 10.
+	FailureThreshold *float64 `json:"failureThreshold,omitempty" tf:"failure_threshold,omitempty"`
 }
 
 type HealthCheckCustomConfigParameters struct {
@@ -88,11 +115,38 @@ type ServiceObservation struct {
 	// The ARN of the service.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A complex type that contains information about the resource record sets that you want Amazon Route 53 to create when you register an instance.
+	DNSConfig []DNSConfigObservation `json:"dnsConfig,omitempty" tf:"dns_config,omitempty"`
+
+	// The description of the service.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// A boolean that indicates all instances should be deleted from the service so that the service can be destroyed without error. These instances are not recoverable.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
+	// A complex type that contains settings for an optional health check. Only for Public DNS namespaces.
+	HealthCheckConfig []HealthCheckConfigObservation `json:"healthCheckConfig,omitempty" tf:"health_check_config,omitempty"`
+
+	// A complex type that contains settings for ECS managed health checks.
+	HealthCheckCustomConfig []HealthCheckCustomConfigObservation `json:"healthCheckCustomConfig,omitempty" tf:"health_check_custom_config,omitempty"`
+
 	// The ID of the service.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the service.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The ID of the namespace that you want to use to create the service.
+	NamespaceID *string `json:"namespaceId,omitempty" tf:"namespace_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// If present, specifies that the service instances are only discoverable using the DiscoverInstances API operation. No DNS records is registered for the service instances. The only valid value is HTTP.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ServiceParameters struct {
@@ -118,8 +172,8 @@ type ServiceParameters struct {
 	HealthCheckCustomConfig []HealthCheckCustomConfigParameters `json:"healthCheckCustomConfig,omitempty" tf:"health_check_custom_config,omitempty"`
 
 	// The name of the service.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The ID of the namespace that you want to use to create the service.
 	// +kubebuilder:validation:Optional
@@ -163,8 +217,9 @@ type ServiceStatus struct {
 type Service struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServiceSpec   `json:"spec"`
-	Status            ServiceStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ServiceSpec   `json:"spec"`
+	Status ServiceStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/servicequotas/v1beta1/zz_generated.deepcopy.go b/apis/servicequotas/v1beta1/zz_generated.deepcopy.go
index 3380df2b45..e5f62b2166 100644
--- a/apis/servicequotas/v1beta1/zz_generated.deepcopy.go
+++ b/apis/servicequotas/v1beta1/zz_generated.deepcopy.go
@@ -95,6 +95,11 @@ func (in *ServiceQuotaObservation) DeepCopyInto(out *ServiceQuotaObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.QuotaCode != nil {
+		in, out := &in.QuotaCode, &out.QuotaCode
+		*out = new(string)
+		**out = **in
+	}
 	if in.QuotaName != nil {
 		in, out := &in.QuotaName, &out.QuotaName
 		*out = new(string)
@@ -110,11 +115,21 @@ func (in *ServiceQuotaObservation) DeepCopyInto(out *ServiceQuotaObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ServiceCode != nil {
+		in, out := &in.ServiceCode, &out.ServiceCode
+		*out = new(string)
+		**out = **in
+	}
 	if in.ServiceName != nil {
 		in, out := &in.ServiceName, &out.ServiceName
 		*out = new(string)
 		**out = **in
 	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceQuotaObservation.
diff --git a/apis/servicequotas/v1beta1/zz_servicequota_types.go b/apis/servicequotas/v1beta1/zz_servicequota_types.go
index c8cc6df50d..71f24c15ea 100755
--- a/apis/servicequotas/v1beta1/zz_servicequota_types.go
+++ b/apis/servicequotas/v1beta1/zz_servicequota_types.go
@@ -27,6 +27,9 @@ type ServiceQuotaObservation struct {
 	// Service code and quota code, separated by a front slash (/)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Code of the service quota to track. For example: L-F678F1CE. Available values can be found with the AWS CLI service-quotas list-service-quotas command.
+	QuotaCode *string `json:"quotaCode,omitempty" tf:"quota_code,omitempty"`
+
 	// Name of the quota.
 	QuotaName *string `json:"quotaName,omitempty" tf:"quota_name,omitempty"`
 
@@ -35,15 +38,21 @@ type ServiceQuotaObservation struct {
 
 	RequestStatus *string `json:"requestStatus,omitempty" tf:"request_status,omitempty"`
 
+	// Code of the service to track. For example: vpc. Available values can be found with the AWS CLI service-quotas list-services command.
+	ServiceCode *string `json:"serviceCode,omitempty" tf:"service_code,omitempty"`
+
 	// Name of the service.
 	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
+
+	// Float specifying the desired value for the service quota. If the desired value is higher than the current value, a quota increase request is submitted. When a known request is submitted and pending, the value reflects the desired value of the pending request.
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type ServiceQuotaParameters struct {
 
 	// Code of the service quota to track. For example: L-F678F1CE. Available values can be found with the AWS CLI service-quotas list-service-quotas command.
-	// +kubebuilder:validation:Required
-	QuotaCode *string `json:"quotaCode" tf:"quota_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	QuotaCode *string `json:"quotaCode,omitempty" tf:"quota_code,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -51,12 +60,12 @@ type ServiceQuotaParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Code of the service to track. For example: vpc. Available values can be found with the AWS CLI service-quotas list-services command.
-	// +kubebuilder:validation:Required
-	ServiceCode *string `json:"serviceCode" tf:"service_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServiceCode *string `json:"serviceCode,omitempty" tf:"service_code,omitempty"`
 
 	// Float specifying the desired value for the service quota. If the desired value is higher than the current value, a quota increase request is submitted. When a known request is submitted and pending, the value reflects the desired value of the pending request.
-	// +kubebuilder:validation:Required
-	Value *float64 `json:"value" tf:"value,omitempty"`
+	// +kubebuilder:validation:Optional
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 // ServiceQuotaSpec defines the desired state of ServiceQuota
@@ -83,8 +92,11 @@ type ServiceQuotaStatus struct {
 type ServiceQuota struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServiceQuotaSpec   `json:"spec"`
-	Status            ServiceQuotaStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.quotaCode)",message="quotaCode is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceCode)",message="serviceCode is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)",message="value is a required parameter"
+	Spec   ServiceQuotaSpec   `json:"spec"`
+	Status ServiceQuotaStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_activereceiptruleset_types.go b/apis/ses/v1beta1/zz_activereceiptruleset_types.go
index dbf865a7b5..e74b0609dd 100755
--- a/apis/ses/v1beta1/zz_activereceiptruleset_types.go
+++ b/apis/ses/v1beta1/zz_activereceiptruleset_types.go
@@ -20,6 +20,9 @@ type ActiveReceiptRuleSetObservation struct {
 
 	// The SES receipt rule set name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the rule set
+	RuleSetName *string `json:"ruleSetName,omitempty" tf:"rule_set_name,omitempty"`
 }
 
 type ActiveReceiptRuleSetParameters struct {
@@ -30,8 +33,8 @@ type ActiveReceiptRuleSetParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The name of the rule set
-	// +kubebuilder:validation:Required
-	RuleSetName *string `json:"ruleSetName" tf:"rule_set_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleSetName *string `json:"ruleSetName,omitempty" tf:"rule_set_name,omitempty"`
 }
 
 // ActiveReceiptRuleSetSpec defines the desired state of ActiveReceiptRuleSet
@@ -58,8 +61,9 @@ type ActiveReceiptRuleSetStatus struct {
 type ActiveReceiptRuleSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ActiveReceiptRuleSetSpec   `json:"spec"`
-	Status            ActiveReceiptRuleSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleSetName)",message="ruleSetName is a required parameter"
+	Spec   ActiveReceiptRuleSetSpec   `json:"spec"`
+	Status ActiveReceiptRuleSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_configurationset_types.go b/apis/ses/v1beta1/zz_configurationset_types.go
index e78ced1b0a..2221f21a6a 100755
--- a/apis/ses/v1beta1/zz_configurationset_types.go
+++ b/apis/ses/v1beta1/zz_configurationset_types.go
@@ -18,11 +18,23 @@ type ConfigurationSetObservation struct {
 	// SES configuration set ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Whether messages that use the configuration set are required to use TLS. See below.
+	DeliveryOptions []DeliveryOptionsObservation `json:"deliveryOptions,omitempty" tf:"delivery_options,omitempty"`
+
 	// SES configuration set name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// Date and time at which the reputation metrics for the configuration set were last reset. Resetting these metrics is known as a fresh start.
 	LastFreshStart *string `json:"lastFreshStart,omitempty" tf:"last_fresh_start,omitempty"`
+
+	// Whether or not Amazon SES publishes reputation metrics for the configuration set, such as bounce and complaint rates, to Amazon CloudWatch. The default value is false.
+	ReputationMetricsEnabled *bool `json:"reputationMetricsEnabled,omitempty" tf:"reputation_metrics_enabled,omitempty"`
+
+	// Whether email sending is enabled or disabled for the configuration set. The default value is true.
+	SendingEnabled *bool `json:"sendingEnabled,omitempty" tf:"sending_enabled,omitempty"`
+
+	// Domain that is used to redirect email recipients to an Amazon SES-operated domain. See below. NOTE: This functionality is best effort.
+	TrackingOptions []TrackingOptionsObservation `json:"trackingOptions,omitempty" tf:"tracking_options,omitempty"`
 }
 
 type ConfigurationSetParameters struct {
@@ -50,6 +62,9 @@ type ConfigurationSetParameters struct {
 }
 
 type DeliveryOptionsObservation struct {
+
+	// Whether messages that use the configuration set are required to use Transport Layer Security (TLS). If the value is Require, messages are only delivered if a TLS connection can be established. If the value is Optional, messages can be delivered in plain text if a TLS connection can't be established. Valid values: Require or Optional. Defaults to Optional.
+	TLSPolicy *string `json:"tlsPolicy,omitempty" tf:"tls_policy,omitempty"`
 }
 
 type DeliveryOptionsParameters struct {
@@ -60,6 +75,9 @@ type DeliveryOptionsParameters struct {
 }
 
 type TrackingOptionsObservation struct {
+
+	// Custom subdomain that is used to redirect email recipients to the Amazon SES event tracking domain.
+	CustomRedirectDomain *string `json:"customRedirectDomain,omitempty" tf:"custom_redirect_domain,omitempty"`
 }
 
 type TrackingOptionsParameters struct {
diff --git a/apis/ses/v1beta1/zz_domainidentity_types.go b/apis/ses/v1beta1/zz_domainidentity_types.go
index 50c68158b1..bc5bc887f3 100755
--- a/apis/ses/v1beta1/zz_domainidentity_types.go
+++ b/apis/ses/v1beta1/zz_domainidentity_types.go
@@ -18,6 +18,9 @@ type DomainIdentityObservation struct {
 	// The ARN of the domain identity.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The domain name to assign to SES
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// A code which when added to the domain as a TXT record
@@ -32,8 +35,8 @@ type DomainIdentityObservation struct {
 type DomainIdentityParameters struct {
 
 	// The domain name to assign to SES
-	// +kubebuilder:validation:Required
-	Domain *string `json:"domain" tf:"domain,omitempty"`
+	// +kubebuilder:validation:Optional
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -65,8 +68,9 @@ type DomainIdentityStatus struct {
 type DomainIdentity struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainIdentitySpec   `json:"spec"`
-	Status            DomainIdentityStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domain)",message="domain is a required parameter"
+	Spec   DomainIdentitySpec   `json:"spec"`
+	Status DomainIdentityStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_domainmailfrom_types.go b/apis/ses/v1beta1/zz_domainmailfrom_types.go
index afdc2e927d..8de7d51459 100755
--- a/apis/ses/v1beta1/zz_domainmailfrom_types.go
+++ b/apis/ses/v1beta1/zz_domainmailfrom_types.go
@@ -15,8 +15,17 @@ import (
 
 type DomainMailFromObservation struct {
 
+	// The action that you want Amazon SES to take if it cannot successfully read the required MX record when you send an email. Defaults to UseDefaultValue. See the SES API documentation for more information.
+	BehaviorOnMxFailure *string `json:"behaviorOnMxFailure,omitempty" tf:"behavior_on_mx_failure,omitempty"`
+
+	// Verified domain name or email identity to generate DKIM tokens for.
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
+
 	// The domain name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Subdomain (of above domain) which is to be used as MAIL FROM address
+	MailFromDomain *string `json:"mailFromDomain,omitempty" tf:"mail_from_domain,omitempty"`
 }
 
 type DomainMailFromParameters struct {
@@ -40,8 +49,8 @@ type DomainMailFromParameters struct {
 	DomainSelector *v1.Selector `json:"domainSelector,omitempty" tf:"-"`
 
 	// Subdomain (of above domain) which is to be used as MAIL FROM address
-	// +kubebuilder:validation:Required
-	MailFromDomain *string `json:"mailFromDomain" tf:"mail_from_domain,omitempty"`
+	// +kubebuilder:validation:Optional
+	MailFromDomain *string `json:"mailFromDomain,omitempty" tf:"mail_from_domain,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -73,8 +82,9 @@ type DomainMailFromStatus struct {
 type DomainMailFrom struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainMailFromSpec   `json:"spec"`
-	Status            DomainMailFromStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mailFromDomain)",message="mailFromDomain is a required parameter"
+	Spec   DomainMailFromSpec   `json:"spec"`
+	Status DomainMailFromStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_emailidentity_types.go b/apis/ses/v1beta1/zz_emailidentity_types.go
index 51ebcafe30..755cf9e569 100755
--- a/apis/ses/v1beta1/zz_emailidentity_types.go
+++ b/apis/ses/v1beta1/zz_emailidentity_types.go
@@ -18,14 +18,17 @@ type EmailIdentityObservation struct {
 	// The ARN of the email identity.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The email address to assign to SES.
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
 type EmailIdentityParameters struct {
 
 	// The email address to assign to SES.
-	// +kubebuilder:validation:Required
-	Email *string `json:"email" tf:"email,omitempty"`
+	// +kubebuilder:validation:Optional
+	Email *string `json:"email,omitempty" tf:"email,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -57,8 +60,9 @@ type EmailIdentityStatus struct {
 type EmailIdentity struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EmailIdentitySpec   `json:"spec"`
-	Status            EmailIdentityStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)",message="email is a required parameter"
+	Spec   EmailIdentitySpec   `json:"spec"`
+	Status EmailIdentityStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_eventdestination_types.go b/apis/ses/v1beta1/zz_eventdestination_types.go
index 766a09f859..558a0c35d6 100755
--- a/apis/ses/v1beta1/zz_eventdestination_types.go
+++ b/apis/ses/v1beta1/zz_eventdestination_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type CloudwatchDestinationObservation struct {
+
+	// The default value for the event
+	DefaultValue *string `json:"defaultValue,omitempty" tf:"default_value,omitempty"`
+
+	// The name for the dimension
+	DimensionName *string `json:"dimensionName,omitempty" tf:"dimension_name,omitempty"`
+
+	// The source for the value. May be any of "messageTag", "emailHeader" or "linkTag".
+	ValueSource *string `json:"valueSource,omitempty" tf:"value_source,omitempty"`
 }
 
 type CloudwatchDestinationParameters struct {
@@ -36,8 +45,26 @@ type EventDestinationObservation struct {
 	// The SES event destination ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// CloudWatch destination for the events
+	CloudwatchDestination []CloudwatchDestinationObservation `json:"cloudwatchDestination,omitempty" tf:"cloudwatch_destination,omitempty"`
+
+	// The name of the configuration set
+	ConfigurationSetName *string `json:"configurationSetName,omitempty" tf:"configuration_set_name,omitempty"`
+
+	// If true, the event destination will be enabled
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// The SES event destination name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Send the events to a kinesis firehose destination
+	KinesisDestination []KinesisDestinationObservation `json:"kinesisDestination,omitempty" tf:"kinesis_destination,omitempty"`
+
+	// A list of matching types. May be any of "send", "reject", "bounce", "complaint", "delivery", "open", "click", or "renderingFailure".
+	MatchingTypes []*string `json:"matchingTypes,omitempty" tf:"matching_types,omitempty"`
+
+	// Send the events to an SNS Topic destination
+	SnsDestination []SnsDestinationObservation `json:"snsDestination,omitempty" tf:"sns_destination,omitempty"`
 }
 
 type EventDestinationParameters struct {
@@ -68,8 +95,8 @@ type EventDestinationParameters struct {
 	KinesisDestination []KinesisDestinationParameters `json:"kinesisDestination,omitempty" tf:"kinesis_destination,omitempty"`
 
 	// A list of matching types. May be any of "send", "reject", "bounce", "complaint", "delivery", "open", "click", or "renderingFailure".
-	// +kubebuilder:validation:Required
-	MatchingTypes []*string `json:"matchingTypes" tf:"matching_types,omitempty"`
+	// +kubebuilder:validation:Optional
+	MatchingTypes []*string `json:"matchingTypes,omitempty" tf:"matching_types,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -82,6 +109,12 @@ type EventDestinationParameters struct {
 }
 
 type KinesisDestinationObservation struct {
+
+	// The ARN of the role that has permissions to access the Kinesis Stream
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
+	// The ARN of the Kinesis Stream
+	StreamArn *string `json:"streamArn,omitempty" tf:"stream_arn,omitempty"`
 }
 
 type KinesisDestinationParameters struct {
@@ -116,6 +149,9 @@ type KinesisDestinationParameters struct {
 }
 
 type SnsDestinationObservation struct {
+
+	// The ARN of the SNS topic
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type SnsDestinationParameters struct {
@@ -159,8 +195,9 @@ type EventDestinationStatus struct {
 type EventDestination struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EventDestinationSpec   `json:"spec"`
-	Status            EventDestinationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.matchingTypes)",message="matchingTypes is a required parameter"
+	Spec   EventDestinationSpec   `json:"spec"`
+	Status EventDestinationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_generated.deepcopy.go b/apis/ses/v1beta1/zz_generated.deepcopy.go
index b638a337da..f8af88d256 100644
--- a/apis/ses/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ses/v1beta1/zz_generated.deepcopy.go
@@ -86,6 +86,11 @@ func (in *ActiveReceiptRuleSetObservation) DeepCopyInto(out *ActiveReceiptRuleSe
 		*out = new(string)
 		**out = **in
 	}
+	if in.RuleSetName != nil {
+		in, out := &in.RuleSetName, &out.RuleSetName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActiveReceiptRuleSetObservation.
@@ -160,6 +165,21 @@ func (in *ActiveReceiptRuleSetStatus) DeepCopy() *ActiveReceiptRuleSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AddHeaderActionObservation) DeepCopyInto(out *AddHeaderActionObservation) {
 	*out = *in
+	if in.HeaderName != nil {
+		in, out := &in.HeaderName, &out.HeaderName
+		*out = new(string)
+		**out = **in
+	}
+	if in.HeaderValue != nil {
+		in, out := &in.HeaderValue, &out.HeaderValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AddHeaderActionObservation.
@@ -205,6 +225,36 @@ func (in *AddHeaderActionParameters) DeepCopy() *AddHeaderActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BounceActionObservation) DeepCopyInto(out *BounceActionObservation) {
 	*out = *in
+	if in.Message != nil {
+		in, out := &in.Message, &out.Message
+		*out = new(string)
+		**out = **in
+	}
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SMTPReplyCode != nil {
+		in, out := &in.SMTPReplyCode, &out.SMTPReplyCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Sender != nil {
+		in, out := &in.Sender, &out.Sender
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatusCode != nil {
+		in, out := &in.StatusCode, &out.StatusCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BounceActionObservation.
@@ -265,6 +315,21 @@ func (in *BounceActionParameters) DeepCopy() *BounceActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchDestinationObservation) DeepCopyInto(out *CloudwatchDestinationObservation) {
 	*out = *in
+	if in.DefaultValue != nil {
+		in, out := &in.DefaultValue, &out.DefaultValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.DimensionName != nil {
+		in, out := &in.DimensionName, &out.DimensionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ValueSource != nil {
+		in, out := &in.ValueSource, &out.ValueSource
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchDestinationObservation.
@@ -374,6 +439,13 @@ func (in *ConfigurationSetObservation) DeepCopyInto(out *ConfigurationSetObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeliveryOptions != nil {
+		in, out := &in.DeliveryOptions, &out.DeliveryOptions
+		*out = make([]DeliveryOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -384,6 +456,23 @@ func (in *ConfigurationSetObservation) DeepCopyInto(out *ConfigurationSetObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReputationMetricsEnabled != nil {
+		in, out := &in.ReputationMetricsEnabled, &out.ReputationMetricsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SendingEnabled != nil {
+		in, out := &in.SendingEnabled, &out.SendingEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.TrackingOptions != nil {
+		in, out := &in.TrackingOptions, &out.TrackingOptions
+		*out = make([]TrackingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationSetObservation.
@@ -477,6 +566,11 @@ func (in *ConfigurationSetStatus) DeepCopy() *ConfigurationSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeliveryOptionsObservation) DeepCopyInto(out *DeliveryOptionsObservation) {
 	*out = *in
+	if in.TLSPolicy != nil {
+		in, out := &in.TLSPolicy, &out.TLSPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeliveryOptionsObservation.
@@ -720,6 +814,11 @@ func (in *DomainIdentityObservation) DeepCopyInto(out *DomainIdentityObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Domain != nil {
+		in, out := &in.Domain, &out.Domain
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -863,11 +962,26 @@ func (in *DomainMailFromList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DomainMailFromObservation) DeepCopyInto(out *DomainMailFromObservation) {
 	*out = *in
+	if in.BehaviorOnMxFailure != nil {
+		in, out := &in.BehaviorOnMxFailure, &out.BehaviorOnMxFailure
+		*out = new(string)
+		**out = **in
+	}
+	if in.Domain != nil {
+		in, out := &in.Domain, &out.Domain
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MailFromDomain != nil {
+		in, out := &in.MailFromDomain, &out.MailFromDomain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainMailFromObservation.
@@ -1026,6 +1140,11 @@ func (in *EmailIdentityObservation) DeepCopyInto(out *EmailIdentityObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Email != nil {
+		in, out := &in.Email, &out.Email
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1169,11 +1288,53 @@ func (in *EventDestinationObservation) DeepCopyInto(out *EventDestinationObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.CloudwatchDestination != nil {
+		in, out := &in.CloudwatchDestination, &out.CloudwatchDestination
+		*out = make([]CloudwatchDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ConfigurationSetName != nil {
+		in, out := &in.ConfigurationSetName, &out.ConfigurationSetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KinesisDestination != nil {
+		in, out := &in.KinesisDestination, &out.KinesisDestination
+		*out = make([]KinesisDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MatchingTypes != nil {
+		in, out := &in.MatchingTypes, &out.MatchingTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SnsDestination != nil {
+		in, out := &in.SnsDestination, &out.SnsDestination
+		*out = make([]SnsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventDestinationObservation.
@@ -1359,6 +1520,26 @@ func (in *IdentityNotificationTopicObservation) DeepCopyInto(out *IdentityNotifi
 		*out = new(string)
 		**out = **in
 	}
+	if in.Identity != nil {
+		in, out := &in.Identity, &out.Identity
+		*out = new(string)
+		**out = **in
+	}
+	if in.IncludeOriginalHeaders != nil {
+		in, out := &in.IncludeOriginalHeaders, &out.IncludeOriginalHeaders
+		*out = new(bool)
+		**out = **in
+	}
+	if in.NotificationType != nil {
+		in, out := &in.NotificationType, &out.NotificationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityNotificationTopicObservation.
@@ -1532,6 +1713,21 @@ func (in *IdentityPolicyObservation) DeepCopyInto(out *IdentityPolicyObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.Identity != nil {
+		in, out := &in.Identity, &out.Identity
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityPolicyObservation.
@@ -1626,6 +1822,16 @@ func (in *IdentityPolicyStatus) DeepCopy() *IdentityPolicyStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisDestinationObservation) DeepCopyInto(out *KinesisDestinationObservation) {
 	*out = *in
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.StreamArn != nil {
+		in, out := &in.StreamArn, &out.StreamArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisDestinationObservation.
@@ -1686,6 +1892,26 @@ func (in *KinesisDestinationParameters) DeepCopy() *KinesisDestinationParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaActionObservation) DeepCopyInto(out *LambdaActionObservation) {
 	*out = *in
+	if in.FunctionArn != nil {
+		in, out := &in.FunctionArn, &out.FunctionArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.InvocationType != nil {
+		in, out := &in.InvocationType, &out.InvocationType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaActionObservation.
@@ -1800,11 +2026,21 @@ func (in *ReceiptFilterObservation) DeepCopyInto(out *ReceiptFilterObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Cidr != nil {
+		in, out := &in.Cidr, &out.Cidr
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiptFilterObservation.
@@ -1943,16 +2179,106 @@ func (in *ReceiptRuleList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ReceiptRuleObservation) DeepCopyInto(out *ReceiptRuleObservation) {
 	*out = *in
+	if in.AddHeaderAction != nil {
+		in, out := &in.AddHeaderAction, &out.AddHeaderAction
+		*out = make([]AddHeaderActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.After != nil {
+		in, out := &in.After, &out.After
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.BounceAction != nil {
+		in, out := &in.BounceAction, &out.BounceAction
+		*out = make([]BounceActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LambdaAction != nil {
+		in, out := &in.LambdaAction, &out.LambdaAction
+		*out = make([]LambdaActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Recipients != nil {
+		in, out := &in.Recipients, &out.Recipients
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RuleSetName != nil {
+		in, out := &in.RuleSetName, &out.RuleSetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Action != nil {
+		in, out := &in.S3Action, &out.S3Action
+		*out = make([]S3ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ScanEnabled != nil {
+		in, out := &in.ScanEnabled, &out.ScanEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SnsAction != nil {
+		in, out := &in.SnsAction, &out.SnsAction
+		*out = make([]SnsActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StopAction != nil {
+		in, out := &in.StopAction, &out.StopAction
+		*out = make([]StopActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TLSPolicy != nil {
+		in, out := &in.TLSPolicy, &out.TLSPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.WorkmailAction != nil {
+		in, out := &in.WorkmailAction, &out.WorkmailAction
+		*out = make([]WorkmailActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiptRuleObservation.
@@ -2147,6 +2473,11 @@ func (in *ReceiptRuleSetObservation) DeepCopyInto(out *ReceiptRuleSetObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.RuleSetName != nil {
+		in, out := &in.RuleSetName, &out.RuleSetName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReceiptRuleSetObservation.
@@ -2255,6 +2586,31 @@ func (in *ReceiptRuleStatus) DeepCopy() *ReceiptRuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ActionObservation) DeepCopyInto(out *S3ActionObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectKeyPrefix != nil {
+		in, out := &in.ObjectKeyPrefix, &out.ObjectKeyPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ActionObservation.
@@ -2310,6 +2666,21 @@ func (in *S3ActionParameters) DeepCopy() *S3ActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnsActionObservation) DeepCopyInto(out *SnsActionObservation) {
 	*out = *in
+	if in.Encoding != nil {
+		in, out := &in.Encoding, &out.Encoding
+		*out = new(string)
+		**out = **in
+	}
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnsActionObservation.
@@ -2355,6 +2726,11 @@ func (in *SnsActionParameters) DeepCopy() *SnsActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnsDestinationObservation) DeepCopyInto(out *SnsDestinationObservation) {
 	*out = *in
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnsDestinationObservation.
@@ -2400,6 +2776,21 @@ func (in *SnsDestinationParameters) DeepCopy() *SnsDestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StopActionObservation) DeepCopyInto(out *StopActionObservation) {
 	*out = *in
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StopActionObservation.
@@ -2509,11 +2900,26 @@ func (in *TemplateObservation) DeepCopyInto(out *TemplateObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.HTML != nil {
+		in, out := &in.HTML, &out.HTML
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Subject != nil {
+		in, out := &in.Subject, &out.Subject
+		*out = new(string)
+		**out = **in
+	}
+	if in.Text != nil {
+		in, out := &in.Text, &out.Text
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TemplateObservation.
@@ -2598,6 +3004,11 @@ func (in *TemplateStatus) DeepCopy() *TemplateStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrackingOptionsObservation) DeepCopyInto(out *TrackingOptionsObservation) {
 	*out = *in
+	if in.CustomRedirectDomain != nil {
+		in, out := &in.CustomRedirectDomain, &out.CustomRedirectDomain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrackingOptionsObservation.
@@ -2633,6 +3044,21 @@ func (in *TrackingOptionsParameters) DeepCopy() *TrackingOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkmailActionObservation) DeepCopyInto(out *WorkmailActionObservation) {
 	*out = *in
+	if in.OrganizationArn != nil {
+		in, out := &in.OrganizationArn, &out.OrganizationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Position != nil {
+		in, out := &in.Position, &out.Position
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkmailActionObservation.
diff --git a/apis/ses/v1beta1/zz_identitynotificationtopic_types.go b/apis/ses/v1beta1/zz_identitynotificationtopic_types.go
index 801bfa101a..0fdf26f78b 100755
--- a/apis/ses/v1beta1/zz_identitynotificationtopic_types.go
+++ b/apis/ses/v1beta1/zz_identitynotificationtopic_types.go
@@ -15,6 +15,18 @@ import (
 
 type IdentityNotificationTopicObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The identity for which the Amazon SNS topic will be set. You can specify an identity by using its name or by using its Amazon Resource Name (ARN).
+	Identity *string `json:"identity,omitempty" tf:"identity,omitempty"`
+
+	// Whether SES should include original email headers in SNS notifications of this type. false by default.
+	IncludeOriginalHeaders *bool `json:"includeOriginalHeaders,omitempty" tf:"include_original_headers,omitempty"`
+
+	// The type of notifications that will be published to the specified Amazon SNS topic. Valid Values: Bounce, Complaint or Delivery.
+	NotificationType *string `json:"notificationType,omitempty" tf:"notification_type,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Amazon SNS topic. Can be set to "" (an empty string) to disable publishing.
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type IdentityNotificationTopicParameters struct {
@@ -38,8 +50,8 @@ type IdentityNotificationTopicParameters struct {
 	IncludeOriginalHeaders *bool `json:"includeOriginalHeaders,omitempty" tf:"include_original_headers,omitempty"`
 
 	// The type of notifications that will be published to the specified Amazon SNS topic. Valid Values: Bounce, Complaint or Delivery.
-	// +kubebuilder:validation:Required
-	NotificationType *string `json:"notificationType" tf:"notification_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	NotificationType *string `json:"notificationType,omitempty" tf:"notification_type,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -85,8 +97,9 @@ type IdentityNotificationTopicStatus struct {
 type IdentityNotificationTopic struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IdentityNotificationTopicSpec   `json:"spec"`
-	Status            IdentityNotificationTopicStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.notificationType)",message="notificationType is a required parameter"
+	Spec   IdentityNotificationTopicSpec   `json:"spec"`
+	Status IdentityNotificationTopicStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_identitypolicy_types.go b/apis/ses/v1beta1/zz_identitypolicy_types.go
index 6ae8d9ed63..e3cf204219 100755
--- a/apis/ses/v1beta1/zz_identitypolicy_types.go
+++ b/apis/ses/v1beta1/zz_identitypolicy_types.go
@@ -15,6 +15,15 @@ import (
 
 type IdentityPolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name or Amazon Resource Name (ARN) of the SES Identity.
+	Identity *string `json:"identity,omitempty" tf:"identity,omitempty"`
+
+	// Name of the policy.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// JSON string of the policy.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type IdentityPolicyParameters struct {
@@ -34,12 +43,12 @@ type IdentityPolicyParameters struct {
 	IdentitySelector *v1.Selector `json:"identitySelector,omitempty" tf:"-"`
 
 	// Name of the policy.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// JSON string of the policy.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -71,8 +80,10 @@ type IdentityPolicyStatus struct {
 type IdentityPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IdentityPolicySpec   `json:"spec"`
-	Status            IdentityPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   IdentityPolicySpec   `json:"spec"`
+	Status IdentityPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_receiptfilter_types.go b/apis/ses/v1beta1/zz_receiptfilter_types.go
index a6593397b7..a07822aacb 100755
--- a/apis/ses/v1beta1/zz_receiptfilter_types.go
+++ b/apis/ses/v1beta1/zz_receiptfilter_types.go
@@ -18,19 +18,25 @@ type ReceiptFilterObservation struct {
 	// The SES receipt filter ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The IP address or address range to filter, in CIDR notation
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
+
 	// The SES receipt filter name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Block or Allow
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type ReceiptFilterParameters struct {
 
 	// The IP address or address range to filter, in CIDR notation
-	// +kubebuilder:validation:Required
-	Cidr *string `json:"cidr" tf:"cidr,omitempty"`
+	// +kubebuilder:validation:Optional
+	Cidr *string `json:"cidr,omitempty" tf:"cidr,omitempty"`
 
 	// Block or Allow
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -62,8 +68,10 @@ type ReceiptFilterStatus struct {
 type ReceiptFilter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReceiptFilterSpec   `json:"spec"`
-	Status            ReceiptFilterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cidr)",message="cidr is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   ReceiptFilterSpec   `json:"spec"`
+	Status ReceiptFilterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_receiptrule_types.go b/apis/ses/v1beta1/zz_receiptrule_types.go
index 12fa756295..6e34eb95e4 100755
--- a/apis/ses/v1beta1/zz_receiptrule_types.go
+++ b/apis/ses/v1beta1/zz_receiptrule_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AddHeaderActionObservation struct {
+
+	// The name of the header to add
+	HeaderName *string `json:"headerName,omitempty" tf:"header_name,omitempty"`
+
+	// The value of the header to add
+	HeaderValue *string `json:"headerValue,omitempty" tf:"header_value,omitempty"`
+
+	// The position of the action in the receipt rule
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
 }
 
 type AddHeaderActionParameters struct {
@@ -32,6 +41,24 @@ type AddHeaderActionParameters struct {
 }
 
 type BounceActionObservation struct {
+
+	// The message to send
+	Message *string `json:"message,omitempty" tf:"message,omitempty"`
+
+	// The position of the action in the receipt rule
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
+
+	// The RFC 5321 SMTP reply code
+	SMTPReplyCode *string `json:"smtpReplyCode,omitempty" tf:"smtp_reply_code,omitempty"`
+
+	// The email address of the sender
+	Sender *string `json:"sender,omitempty" tf:"sender,omitempty"`
+
+	// The RFC 3463 SMTP enhanced status code
+	StatusCode *string `json:"statusCode,omitempty" tf:"status_code,omitempty"`
+
+	// The ARN of an SNS topic to notify
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type BounceActionParameters struct {
@@ -62,6 +89,18 @@ type BounceActionParameters struct {
 }
 
 type LambdaActionObservation struct {
+
+	// The ARN of the Lambda function to invoke
+	FunctionArn *string `json:"functionArn,omitempty" tf:"function_arn,omitempty"`
+
+	// Event or RequestResponse
+	InvocationType *string `json:"invocationType,omitempty" tf:"invocation_type,omitempty"`
+
+	// The position of the action in the receipt rule
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
+
+	// The ARN of an SNS topic to notify
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type LambdaActionParameters struct {
@@ -85,11 +124,53 @@ type LambdaActionParameters struct {
 
 type ReceiptRuleObservation struct {
 
+	// A list of Add Header Action blocks. Documented below.
+	AddHeaderAction []AddHeaderActionObservation `json:"addHeaderAction,omitempty" tf:"add_header_action,omitempty"`
+
+	// The name of the rule to place this rule after
+	After *string `json:"after,omitempty" tf:"after,omitempty"`
+
 	// The SES receipt rule ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A list of Bounce Action blocks. Documented below.
+	BounceAction []BounceActionObservation `json:"bounceAction,omitempty" tf:"bounce_action,omitempty"`
+
+	// If true, the rule will be enabled
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
 	// The SES receipt rule name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// A list of Lambda Action blocks. Documented below.
+	LambdaAction []LambdaActionObservation `json:"lambdaAction,omitempty" tf:"lambda_action,omitempty"`
+
+	// The name of the rule
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of email addresses
+	Recipients []*string `json:"recipients,omitempty" tf:"recipients,omitempty"`
+
+	// The name of the rule set
+	RuleSetName *string `json:"ruleSetName,omitempty" tf:"rule_set_name,omitempty"`
+
+	// A list of S3 Action blocks. Documented below.
+	S3Action []S3ActionObservation `json:"s3Action,omitempty" tf:"s3_action,omitempty"`
+
+	// If true, incoming emails will be scanned for spam and viruses
+	ScanEnabled *bool `json:"scanEnabled,omitempty" tf:"scan_enabled,omitempty"`
+
+	// A list of SNS Action blocks. Documented below.
+	SnsAction []SnsActionObservation `json:"snsAction,omitempty" tf:"sns_action,omitempty"`
+
+	// A list of Stop Action blocks. Documented below.
+	StopAction []StopActionObservation `json:"stopAction,omitempty" tf:"stop_action,omitempty"`
+
+	// Require or Optional
+	TLSPolicy *string `json:"tlsPolicy,omitempty" tf:"tls_policy,omitempty"`
+
+	// A list of WorkMail Action blocks. Documented below.
+	WorkmailAction []WorkmailActionObservation `json:"workmailAction,omitempty" tf:"workmail_action,omitempty"`
 }
 
 type ReceiptRuleParameters struct {
@@ -115,8 +196,8 @@ type ReceiptRuleParameters struct {
 	LambdaAction []LambdaActionParameters `json:"lambdaAction,omitempty" tf:"lambda_action,omitempty"`
 
 	// The name of the rule
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A list of email addresses
 	// +kubebuilder:validation:Optional
@@ -128,8 +209,8 @@ type ReceiptRuleParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The name of the rule set
-	// +kubebuilder:validation:Required
-	RuleSetName *string `json:"ruleSetName" tf:"rule_set_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleSetName *string `json:"ruleSetName,omitempty" tf:"rule_set_name,omitempty"`
 
 	// A list of S3 Action blocks. Documented below.
 	// +kubebuilder:validation:Optional
@@ -157,6 +238,21 @@ type ReceiptRuleParameters struct {
 }
 
 type S3ActionObservation struct {
+
+	// The name of the S3 bucket
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// The ARN of the KMS key
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// The key prefix of the S3 bucket
+	ObjectKeyPrefix *string `json:"objectKeyPrefix,omitempty" tf:"object_key_prefix,omitempty"`
+
+	// The position of the action in the receipt rule
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
+
+	// The ARN of an SNS topic to notify
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type S3ActionParameters struct {
@@ -183,6 +279,15 @@ type S3ActionParameters struct {
 }
 
 type SnsActionObservation struct {
+
+	// The encoding to use for the email within the Amazon SNS notification. Default value is UTF-8.
+	Encoding *string `json:"encoding,omitempty" tf:"encoding,omitempty"`
+
+	// The position of the action in the receipt rule
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
+
+	// The ARN of an SNS topic to notify
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type SnsActionParameters struct {
@@ -201,6 +306,15 @@ type SnsActionParameters struct {
 }
 
 type StopActionObservation struct {
+
+	// The position of the action in the receipt rule
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
+
+	// The scope to apply. The only acceptable value is RuleSet.
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// The ARN of an SNS topic to notify
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type StopActionParameters struct {
@@ -219,6 +333,15 @@ type StopActionParameters struct {
 }
 
 type WorkmailActionObservation struct {
+
+	// The ARN of the WorkMail organization
+	OrganizationArn *string `json:"organizationArn,omitempty" tf:"organization_arn,omitempty"`
+
+	// The position of the action in the receipt rule
+	Position *float64 `json:"position,omitempty" tf:"position,omitempty"`
+
+	// The ARN of an SNS topic to notify
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type WorkmailActionParameters struct {
@@ -260,8 +383,10 @@ type ReceiptRuleStatus struct {
 type ReceiptRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReceiptRuleSpec   `json:"spec"`
-	Status            ReceiptRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleSetName)",message="ruleSetName is a required parameter"
+	Spec   ReceiptRuleSpec   `json:"spec"`
+	Status ReceiptRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_receiptruleset_types.go b/apis/ses/v1beta1/zz_receiptruleset_types.go
index 6a7a4fed23..a33adf5d58 100755
--- a/apis/ses/v1beta1/zz_receiptruleset_types.go
+++ b/apis/ses/v1beta1/zz_receiptruleset_types.go
@@ -20,6 +20,9 @@ type ReceiptRuleSetObservation struct {
 
 	// SES receipt rule set name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Name of the rule set.
+	RuleSetName *string `json:"ruleSetName,omitempty" tf:"rule_set_name,omitempty"`
 }
 
 type ReceiptRuleSetParameters struct {
@@ -30,8 +33,8 @@ type ReceiptRuleSetParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Name of the rule set.
-	// +kubebuilder:validation:Required
-	RuleSetName *string `json:"ruleSetName" tf:"rule_set_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	RuleSetName *string `json:"ruleSetName,omitempty" tf:"rule_set_name,omitempty"`
 }
 
 // ReceiptRuleSetSpec defines the desired state of ReceiptRuleSet
@@ -58,8 +61,9 @@ type ReceiptRuleSetStatus struct {
 type ReceiptRuleSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ReceiptRuleSetSpec   `json:"spec"`
-	Status            ReceiptRuleSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleSetName)",message="ruleSetName is a required parameter"
+	Spec   ReceiptRuleSetSpec   `json:"spec"`
+	Status ReceiptRuleSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ses/v1beta1/zz_template_types.go b/apis/ses/v1beta1/zz_template_types.go
index ebe1dd626b..bef976f671 100755
--- a/apis/ses/v1beta1/zz_template_types.go
+++ b/apis/ses/v1beta1/zz_template_types.go
@@ -18,8 +18,17 @@ type TemplateObservation struct {
 	// The ARN of the SES template
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The HTML body of the email. Must be less than 500KB in size, including both the text and HTML parts.
+	HTML *string `json:"html,omitempty" tf:"html,omitempty"`
+
 	// The name of the SES template
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The subject line of the email.
+	Subject *string `json:"subject,omitempty" tf:"subject,omitempty"`
+
+	// The email body that will be visible to recipients whose email clients do not display HTML. Must be less than 500KB in size, including both the text and HTML parts.
+	Text *string `json:"text,omitempty" tf:"text,omitempty"`
 }
 
 type TemplateParameters struct {
diff --git a/apis/sesv2/v1beta1/zz_configurationset_types.go b/apis/sesv2/v1beta1/zz_configurationset_types.go
index 414fc7c573..b4ec0247aa 100755
--- a/apis/sesv2/v1beta1/zz_configurationset_types.go
+++ b/apis/sesv2/v1beta1/zz_configurationset_types.go
@@ -18,13 +18,27 @@ type ConfigurationSetObservation struct {
 	// ARN of the Configuration Set.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// An object that defines the dedicated IP pool that is used to send emails that you send using the configuration set.
+	DeliveryOptions []DeliveryOptionsObservation `json:"deliveryOptions,omitempty" tf:"delivery_options,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// An object that defines whether or not Amazon SES collects reputation metrics for the emails that you send that use the configuration set.
-	// +kubebuilder:validation:Optional
 	ReputationOptions []ReputationOptionsObservation `json:"reputationOptions,omitempty" tf:"reputation_options,omitempty"`
 
+	// An object that defines whether or not Amazon SES can send email that you send using the configuration set.
+	SendingOptions []SendingOptionsObservation `json:"sendingOptions,omitempty" tf:"sending_options,omitempty"`
+
+	// An object that contains information about the suppression list preferences for your account.
+	SuppressionOptions []SuppressionOptionsObservation `json:"suppressionOptions,omitempty" tf:"suppression_options,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// An object that defines the open and click tracking options for emails that you send using the configuration set.
+	TrackingOptions []TrackingOptionsObservation `json:"trackingOptions,omitempty" tf:"tracking_options,omitempty"`
 }
 
 type ConfigurationSetParameters struct {
@@ -60,6 +74,12 @@ type ConfigurationSetParameters struct {
 }
 
 type DeliveryOptionsObservation struct {
+
+	// The name of the dedicated IP pool to associate with the configuration set.
+	SendingPoolName *string `json:"sendingPoolName,omitempty" tf:"sending_pool_name,omitempty"`
+
+	// Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS). Valid values: REQUIRE, OPTIONAL.
+	TLSPolicy *string `json:"tlsPolicy,omitempty" tf:"tls_policy,omitempty"`
 }
 
 type DeliveryOptionsParameters struct {
@@ -77,6 +97,9 @@ type ReputationOptionsObservation struct {
 
 	// The date and time (in Unix time) when the reputation metrics were last given a fresh start. When your account is given a fresh start, your reputation metrics are calculated starting from the date of the fresh start.
 	LastFreshStart *string `json:"lastFreshStart,omitempty" tf:"last_fresh_start,omitempty"`
+
+	// If true, tracking of reputation metrics is enabled for the configuration set. If false, tracking of reputation metrics is disabled for the configuration set.
+	ReputationMetricsEnabled *bool `json:"reputationMetricsEnabled,omitempty" tf:"reputation_metrics_enabled,omitempty"`
 }
 
 type ReputationOptionsParameters struct {
@@ -87,6 +110,9 @@ type ReputationOptionsParameters struct {
 }
 
 type SendingOptionsObservation struct {
+
+	// If true, email sending is enabled for the configuration set. If false, email sending is disabled for the configuration set.
+	SendingEnabled *bool `json:"sendingEnabled,omitempty" tf:"sending_enabled,omitempty"`
 }
 
 type SendingOptionsParameters struct {
@@ -97,6 +123,9 @@ type SendingOptionsParameters struct {
 }
 
 type SuppressionOptionsObservation struct {
+
+	// A list that contains the reasons that email addresses are automatically added to the suppression list for your account. Valid values: BOUNCE, COMPLAINT.
+	SuppressedReasons []*string `json:"suppressedReasons,omitempty" tf:"suppressed_reasons,omitempty"`
 }
 
 type SuppressionOptionsParameters struct {
@@ -107,6 +136,9 @@ type SuppressionOptionsParameters struct {
 }
 
 type TrackingOptionsObservation struct {
+
+	// The domain to use for tracking open and click events.
+	CustomRedirectDomain *string `json:"customRedirectDomain,omitempty" tf:"custom_redirect_domain,omitempty"`
 }
 
 type TrackingOptionsParameters struct {
diff --git a/apis/sesv2/v1beta1/zz_configurationseteventdestination_types.go b/apis/sesv2/v1beta1/zz_configurationseteventdestination_types.go
index 5a886050d9..197a4291d1 100755
--- a/apis/sesv2/v1beta1/zz_configurationseteventdestination_types.go
+++ b/apis/sesv2/v1beta1/zz_configurationseteventdestination_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type CloudWatchDestinationObservation struct {
+
+	// An array of objects that define the dimensions to use when you send email events to Amazon CloudWatch. See dimension_configuration below.
+	DimensionConfiguration []DimensionConfigurationObservation `json:"dimensionConfiguration,omitempty" tf:"dimension_configuration,omitempty"`
 }
 
 type CloudWatchDestinationParameters struct {
@@ -25,6 +28,15 @@ type CloudWatchDestinationParameters struct {
 
 type ConfigurationSetEventDestinationObservation struct {
 
+	// The name of the configuration set.
+	ConfigurationSetName *string `json:"configurationSetName,omitempty" tf:"configuration_set_name,omitempty"`
+
+	// A name that identifies the event destination within the configuration set.
+	EventDestination []EventDestinationObservation `json:"eventDestination,omitempty" tf:"event_destination,omitempty"`
+
+	// An object that defines the event destination. See event_destination below.
+	EventDestinationName *string `json:"eventDestinationName,omitempty" tf:"event_destination_name,omitempty"`
+
 	// A pipe-delimited string combining configuration_set_name and event_destination_name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
@@ -45,12 +57,12 @@ type ConfigurationSetEventDestinationParameters struct {
 	ConfigurationSetNameSelector *v1.Selector `json:"configurationSetNameSelector,omitempty" tf:"-"`
 
 	// A name that identifies the event destination within the configuration set.
-	// +kubebuilder:validation:Required
-	EventDestination []EventDestinationParameters `json:"eventDestination" tf:"event_destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	EventDestination []EventDestinationParameters `json:"eventDestination,omitempty" tf:"event_destination,omitempty"`
 
 	// An object that defines the event destination. See event_destination below.
-	// +kubebuilder:validation:Required
-	EventDestinationName *string `json:"eventDestinationName" tf:"event_destination_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	EventDestinationName *string `json:"eventDestinationName,omitempty" tf:"event_destination_name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -59,6 +71,15 @@ type ConfigurationSetEventDestinationParameters struct {
 }
 
 type DimensionConfigurationObservation struct {
+
+	// The default value of the dimension that is published to Amazon CloudWatch if you don't provide the value of the dimension when you send an email.
+	// ( dimension_name -  The name of an Amazon CloudWatch dimension associated with an email sending metric.
+	DefaultDimensionValue *string `json:"defaultDimensionValue,omitempty" tf:"default_dimension_value,omitempty"`
+
+	DimensionName *string `json:"dimensionName,omitempty" tf:"dimension_name,omitempty"`
+
+	// The location where the Amazon SES API v2 finds the value of a dimension to publish to Amazon CloudWatch. Valid values: MESSAGE_TAG, EMAIL_HEADER, LINK_TAG.
+	DimensionValueSource *string `json:"dimensionValueSource,omitempty" tf:"dimension_value_source,omitempty"`
 }
 
 type DimensionConfigurationParameters struct {
@@ -77,6 +98,24 @@ type DimensionConfigurationParameters struct {
 }
 
 type EventDestinationObservation struct {
+
+	// An object that defines an Amazon CloudWatch destination for email events. See cloud_watch_destination below
+	CloudWatchDestination []CloudWatchDestinationObservation `json:"cloudWatchDestination,omitempty" tf:"cloud_watch_destination,omitempty"`
+
+	// When the event destination is enabled, the specified event types are sent to the destinations. Default: false.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// An object that defines an Amazon Kinesis Data Firehose destination for email events. See kinesis_firehose_destination below.
+	KinesisFirehoseDestination []KinesisFirehoseDestinationObservation `json:"kinesisFirehoseDestination,omitempty" tf:"kinesis_firehose_destination,omitempty"`
+
+	// - An array that specifies which events the Amazon SES API v2 should send to the destinations. Valid values: SEND, REJECT, BOUNCE, COMPLAINT, DELIVERY, OPEN, CLICK, RENDERING_FAILURE, DELIVERY_DELAY, SUBSCRIPTION.
+	MatchingEventTypes []*string `json:"matchingEventTypes,omitempty" tf:"matching_event_types,omitempty"`
+
+	// An object that defines an Amazon Pinpoint project destination for email events. See pinpoint_destination below.
+	PinpointDestination []PinpointDestinationObservation `json:"pinpointDestination,omitempty" tf:"pinpoint_destination,omitempty"`
+
+	// An object that defines an Amazon SNS destination for email events. See sns_destination below.
+	SnsDestination []SnsDestinationObservation `json:"snsDestination,omitempty" tf:"sns_destination,omitempty"`
 }
 
 type EventDestinationParameters struct {
@@ -107,6 +146,12 @@ type EventDestinationParameters struct {
 }
 
 type KinesisFirehoseDestinationObservation struct {
+
+	// The Amazon Resource Name (ARN) of the Amazon Kinesis Data Firehose stream that the Amazon SES API v2 sends email events to.
+	DeliveryStreamArn *string `json:"deliveryStreamArn,omitempty" tf:"delivery_stream_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the IAM role that the Amazon SES API v2 uses to send email events to the Amazon Kinesis Data Firehose stream.
+	IAMRoleArn *string `json:"iamRoleArn,omitempty" tf:"iam_role_arn,omitempty"`
 }
 
 type KinesisFirehoseDestinationParameters struct {
@@ -141,6 +186,7 @@ type KinesisFirehoseDestinationParameters struct {
 }
 
 type PinpointDestinationObservation struct {
+	ApplicationArn *string `json:"applicationArn,omitempty" tf:"application_arn,omitempty"`
 }
 
 type PinpointDestinationParameters struct {
@@ -160,6 +206,9 @@ type PinpointDestinationParameters struct {
 }
 
 type SnsDestinationObservation struct {
+
+	// The Amazon Resource Name (ARN) of the Amazon SNS topic to publish email events to.
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type SnsDestinationParameters struct {
@@ -203,8 +252,10 @@ type ConfigurationSetEventDestinationStatus struct {
 type ConfigurationSetEventDestination struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ConfigurationSetEventDestinationSpec   `json:"spec"`
-	Status            ConfigurationSetEventDestinationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventDestination)",message="eventDestination is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventDestinationName)",message="eventDestinationName is a required parameter"
+	Spec   ConfigurationSetEventDestinationSpec   `json:"spec"`
+	Status ConfigurationSetEventDestinationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sesv2/v1beta1/zz_dedicatedippool_types.go b/apis/sesv2/v1beta1/zz_dedicatedippool_types.go
index 12bf1f6d3f..d53355507f 100755
--- a/apis/sesv2/v1beta1/zz_dedicatedippool_types.go
+++ b/apis/sesv2/v1beta1/zz_dedicatedippool_types.go
@@ -20,6 +20,12 @@ type DedicatedIPPoolObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// IP pool scaling mode. Valid values: STANDARD, MANAGED. If omitted, the AWS API will default to a standard pool.
+	ScalingMode *string `json:"scalingMode,omitempty" tf:"scaling_mode,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
diff --git a/apis/sesv2/v1beta1/zz_emailidentity_types.go b/apis/sesv2/v1beta1/zz_emailidentity_types.go
index dba36a1aa0..14d3d6f87d 100755
--- a/apis/sesv2/v1beta1/zz_emailidentity_types.go
+++ b/apis/sesv2/v1beta1/zz_emailidentity_types.go
@@ -18,9 +18,18 @@ type DKIMSigningAttributesObservation struct {
 	// [Easy DKIM] The key length of the DKIM key pair in use.
 	CurrentSigningKeyLength *string `json:"currentSigningKeyLength,omitempty" tf:"current_signing_key_length,omitempty"`
 
+	// [Bring Your Own DKIM] A private key that's used to generate a DKIM signature. The private key must use 1024 or 2048-bit RSA encryption, and must be encoded using base64 encoding.
+	DomainSigningPrivateKey *string `json:"domainSigningPrivateKey,omitempty" tf:"domain_signing_private_key,omitempty"`
+
+	// [Bring Your Own DKIM] A string that's used to identify a public key in the DNS configuration for a domain.
+	DomainSigningSelector *string `json:"domainSigningSelector,omitempty" tf:"domain_signing_selector,omitempty"`
+
 	// [Easy DKIM] The last time a key pair was generated for this identity.
 	LastKeyGenerationTimestamp *string `json:"lastKeyGenerationTimestamp,omitempty" tf:"last_key_generation_timestamp,omitempty"`
 
+	// [Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day. Valid values: RSA_1024_BIT, RSA_2048_BIT.
+	NextSigningKeyLength *string `json:"nextSigningKeyLength,omitempty" tf:"next_signing_key_length,omitempty"`
+
 	// A string that indicates how DKIM was configured for the identity. AWS_SES indicates that DKIM was configured for the identity by using Easy DKIM. EXTERNAL indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM).
 	SigningAttributesOrigin *string `json:"signingAttributesOrigin,omitempty" tf:"signing_attributes_origin,omitempty"`
 
@@ -51,8 +60,10 @@ type EmailIdentityObservation struct {
 	// ARN of the Email Identity.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The configuration set to use by default when sending from this identity. Note that any configuration set defined in the email sending request takes precedence.
+	ConfigurationSetName *string `json:"configurationSetName,omitempty" tf:"configuration_set_name,omitempty"`
+
 	// The configuration of the DKIM authentication settings for an email domain identity.
-	// +kubebuilder:validation:Optional
 	DKIMSigningAttributes []DKIMSigningAttributesObservation `json:"dkimSigningAttributes,omitempty" tf:"dkim_signing_attributes,omitempty"`
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
@@ -60,6 +71,9 @@ type EmailIdentityObservation struct {
 	// The email identity type. Valid values: EMAIL_ADDRESS, DOMAIN.
 	IdentityType *string `json:"identityType,omitempty" tf:"identity_type,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Specifies whether or not the identity is verified.
diff --git a/apis/sesv2/v1beta1/zz_emailidentityfeedbackattributes_types.go b/apis/sesv2/v1beta1/zz_emailidentityfeedbackattributes_types.go
index 2c6880836d..f3b5cad4d9 100755
--- a/apis/sesv2/v1beta1/zz_emailidentityfeedbackattributes_types.go
+++ b/apis/sesv2/v1beta1/zz_emailidentityfeedbackattributes_types.go
@@ -14,6 +14,10 @@ import (
 )
 
 type EmailIdentityFeedbackAttributesObservation struct {
+
+	// Sets the feedback forwarding configuration for the identity.
+	EmailForwardingEnabled *bool `json:"emailForwardingEnabled,omitempty" tf:"email_forwarding_enabled,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 }
 
diff --git a/apis/sesv2/v1beta1/zz_emailidentitymailfromattributes_types.go b/apis/sesv2/v1beta1/zz_emailidentitymailfromattributes_types.go
index 8db004e3f1..b2c37d8e9f 100755
--- a/apis/sesv2/v1beta1/zz_emailidentitymailfromattributes_types.go
+++ b/apis/sesv2/v1beta1/zz_emailidentitymailfromattributes_types.go
@@ -14,7 +14,14 @@ import (
 )
 
 type EmailIdentityMailFromAttributesObservation struct {
+
+	// The action to take if the required MX record isn't found when you send an email. Valid values: USE_DEFAULT_VALUE, REJECT_MESSAGE.
+	BehaviorOnMxFailure *string `json:"behaviorOnMxFailure,omitempty" tf:"behavior_on_mx_failure,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The custom MAIL FROM domain that you want the verified identity to use. Required if behavior_on_mx_failure is REJECT_MESSAGE.
+	MailFromDomain *string `json:"mailFromDomain,omitempty" tf:"mail_from_domain,omitempty"`
 }
 
 type EmailIdentityMailFromAttributesParameters struct {
diff --git a/apis/sesv2/v1beta1/zz_generated.deepcopy.go b/apis/sesv2/v1beta1/zz_generated.deepcopy.go
index fe964ff2f7..6a9e797999 100644
--- a/apis/sesv2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/sesv2/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,13 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudWatchDestinationObservation) DeepCopyInto(out *CloudWatchDestinationObservation) {
 	*out = *in
+	if in.DimensionConfiguration != nil {
+		in, out := &in.DimensionConfiguration, &out.DimensionConfiguration
+		*out = make([]DimensionConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudWatchDestinationObservation.
@@ -140,6 +147,23 @@ func (in *ConfigurationSetEventDestinationList) DeepCopyObject() runtime.Object
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ConfigurationSetEventDestinationObservation) DeepCopyInto(out *ConfigurationSetEventDestinationObservation) {
 	*out = *in
+	if in.ConfigurationSetName != nil {
+		in, out := &in.ConfigurationSetName, &out.ConfigurationSetName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventDestination != nil {
+		in, out := &in.EventDestination, &out.EventDestination
+		*out = make([]EventDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EventDestinationName != nil {
+		in, out := &in.EventDestinationName, &out.EventDestinationName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -278,6 +302,13 @@ func (in *ConfigurationSetObservation) DeepCopyInto(out *ConfigurationSetObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.DeliveryOptions != nil {
+		in, out := &in.DeliveryOptions, &out.DeliveryOptions
+		*out = make([]DeliveryOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -290,6 +321,35 @@ func (in *ConfigurationSetObservation) DeepCopyInto(out *ConfigurationSetObserva
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.SendingOptions != nil {
+		in, out := &in.SendingOptions, &out.SendingOptions
+		*out = make([]SendingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SuppressionOptions != nil {
+		in, out := &in.SuppressionOptions, &out.SuppressionOptions
+		*out = make([]SuppressionOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -305,6 +365,13 @@ func (in *ConfigurationSetObservation) DeepCopyInto(out *ConfigurationSetObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.TrackingOptions != nil {
+		in, out := &in.TrackingOptions, &out.TrackingOptions
+		*out = make([]TrackingOptionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigurationSetObservation.
@@ -429,11 +496,26 @@ func (in *DKIMSigningAttributesObservation) DeepCopyInto(out *DKIMSigningAttribu
 		*out = new(string)
 		**out = **in
 	}
+	if in.DomainSigningPrivateKey != nil {
+		in, out := &in.DomainSigningPrivateKey, &out.DomainSigningPrivateKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.DomainSigningSelector != nil {
+		in, out := &in.DomainSigningSelector, &out.DomainSigningSelector
+		*out = new(string)
+		**out = **in
+	}
 	if in.LastKeyGenerationTimestamp != nil {
 		in, out := &in.LastKeyGenerationTimestamp, &out.LastKeyGenerationTimestamp
 		*out = new(string)
 		**out = **in
 	}
+	if in.NextSigningKeyLength != nil {
+		in, out := &in.NextSigningKeyLength, &out.NextSigningKeyLength
+		*out = new(string)
+		**out = **in
+	}
 	if in.SigningAttributesOrigin != nil {
 		in, out := &in.SigningAttributesOrigin, &out.SigningAttributesOrigin
 		*out = new(string)
@@ -569,6 +651,26 @@ func (in *DedicatedIPPoolObservation) DeepCopyInto(out *DedicatedIPPoolObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.ScalingMode != nil {
+		in, out := &in.ScalingMode, &out.ScalingMode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -673,6 +775,16 @@ func (in *DedicatedIPPoolStatus) DeepCopy() *DedicatedIPPoolStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeliveryOptionsObservation) DeepCopyInto(out *DeliveryOptionsObservation) {
 	*out = *in
+	if in.SendingPoolName != nil {
+		in, out := &in.SendingPoolName, &out.SendingPoolName
+		*out = new(string)
+		**out = **in
+	}
+	if in.TLSPolicy != nil {
+		in, out := &in.TLSPolicy, &out.TLSPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeliveryOptionsObservation.
@@ -713,6 +825,21 @@ func (in *DeliveryOptionsParameters) DeepCopy() *DeliveryOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DimensionConfigurationObservation) DeepCopyInto(out *DimensionConfigurationObservation) {
 	*out = *in
+	if in.DefaultDimensionValue != nil {
+		in, out := &in.DefaultDimensionValue, &out.DefaultDimensionValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.DimensionName != nil {
+		in, out := &in.DimensionName, &out.DimensionName
+		*out = new(string)
+		**out = **in
+	}
+	if in.DimensionValueSource != nil {
+		in, out := &in.DimensionValueSource, &out.DimensionValueSource
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DimensionConfigurationObservation.
@@ -844,6 +971,11 @@ func (in *EmailIdentityFeedbackAttributesList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EmailIdentityFeedbackAttributesObservation) DeepCopyInto(out *EmailIdentityFeedbackAttributesObservation) {
 	*out = *in
+	if in.EmailForwardingEnabled != nil {
+		in, out := &in.EmailForwardingEnabled, &out.EmailForwardingEnabled
+		*out = new(bool)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1014,11 +1146,21 @@ func (in *EmailIdentityMailFromAttributesList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EmailIdentityMailFromAttributesObservation) DeepCopyInto(out *EmailIdentityMailFromAttributesObservation) {
 	*out = *in
+	if in.BehaviorOnMxFailure != nil {
+		in, out := &in.BehaviorOnMxFailure, &out.BehaviorOnMxFailure
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MailFromDomain != nil {
+		in, out := &in.MailFromDomain, &out.MailFromDomain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmailIdentityMailFromAttributesObservation.
@@ -1103,6 +1245,11 @@ func (in *EmailIdentityObservation) DeepCopyInto(out *EmailIdentityObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConfigurationSetName != nil {
+		in, out := &in.ConfigurationSetName, &out.ConfigurationSetName
+		*out = new(string)
+		**out = **in
+	}
 	if in.DKIMSigningAttributes != nil {
 		in, out := &in.DKIMSigningAttributes, &out.DKIMSigningAttributes
 		*out = make([]DKIMSigningAttributesObservation, len(*in))
@@ -1120,6 +1267,21 @@ func (in *EmailIdentityObservation) DeepCopyInto(out *EmailIdentityObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1246,6 +1408,50 @@ func (in *EmailIdentityStatus) DeepCopy() *EmailIdentityStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EventDestinationObservation) DeepCopyInto(out *EventDestinationObservation) {
 	*out = *in
+	if in.CloudWatchDestination != nil {
+		in, out := &in.CloudWatchDestination, &out.CloudWatchDestination
+		*out = make([]CloudWatchDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.KinesisFirehoseDestination != nil {
+		in, out := &in.KinesisFirehoseDestination, &out.KinesisFirehoseDestination
+		*out = make([]KinesisFirehoseDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MatchingEventTypes != nil {
+		in, out := &in.MatchingEventTypes, &out.MatchingEventTypes
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.PinpointDestination != nil {
+		in, out := &in.PinpointDestination, &out.PinpointDestination
+		*out = make([]PinpointDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SnsDestination != nil {
+		in, out := &in.SnsDestination, &out.SnsDestination
+		*out = make([]SnsDestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventDestinationObservation.
@@ -1320,6 +1526,16 @@ func (in *EventDestinationParameters) DeepCopy() *EventDestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *KinesisFirehoseDestinationObservation) DeepCopyInto(out *KinesisFirehoseDestinationObservation) {
 	*out = *in
+	if in.DeliveryStreamArn != nil {
+		in, out := &in.DeliveryStreamArn, &out.DeliveryStreamArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.IAMRoleArn != nil {
+		in, out := &in.IAMRoleArn, &out.IAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KinesisFirehoseDestinationObservation.
@@ -1380,6 +1596,11 @@ func (in *KinesisFirehoseDestinationParameters) DeepCopy() *KinesisFirehoseDesti
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PinpointDestinationObservation) DeepCopyInto(out *PinpointDestinationObservation) {
 	*out = *in
+	if in.ApplicationArn != nil {
+		in, out := &in.ApplicationArn, &out.ApplicationArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PinpointDestinationObservation.
@@ -1430,6 +1651,11 @@ func (in *ReputationOptionsObservation) DeepCopyInto(out *ReputationOptionsObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.ReputationMetricsEnabled != nil {
+		in, out := &in.ReputationMetricsEnabled, &out.ReputationMetricsEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ReputationOptionsObservation.
@@ -1465,6 +1691,11 @@ func (in *ReputationOptionsParameters) DeepCopy() *ReputationOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SendingOptionsObservation) DeepCopyInto(out *SendingOptionsObservation) {
 	*out = *in
+	if in.SendingEnabled != nil {
+		in, out := &in.SendingEnabled, &out.SendingEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SendingOptionsObservation.
@@ -1500,6 +1731,11 @@ func (in *SendingOptionsParameters) DeepCopy() *SendingOptionsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SnsDestinationObservation) DeepCopyInto(out *SnsDestinationObservation) {
 	*out = *in
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SnsDestinationObservation.
@@ -1545,6 +1781,17 @@ func (in *SnsDestinationParameters) DeepCopy() *SnsDestinationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SuppressionOptionsObservation) DeepCopyInto(out *SuppressionOptionsObservation) {
 	*out = *in
+	if in.SuppressedReasons != nil {
+		in, out := &in.SuppressedReasons, &out.SuppressedReasons
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SuppressionOptionsObservation.
@@ -1586,6 +1833,11 @@ func (in *SuppressionOptionsParameters) DeepCopy() *SuppressionOptionsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TrackingOptionsObservation) DeepCopyInto(out *TrackingOptionsObservation) {
 	*out = *in
+	if in.CustomRedirectDomain != nil {
+		in, out := &in.CustomRedirectDomain, &out.CustomRedirectDomain
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TrackingOptionsObservation.
diff --git a/apis/sfn/v1beta1/zz_activity_types.go b/apis/sfn/v1beta1/zz_activity_types.go
index 24901b29e9..0656eea593 100755
--- a/apis/sfn/v1beta1/zz_activity_types.go
+++ b/apis/sfn/v1beta1/zz_activity_types.go
@@ -21,6 +21,9 @@ type ActivityObservation struct {
 	// The Amazon Resource Name (ARN) that identifies the created activity.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/sfn/v1beta1/zz_generated.deepcopy.go b/apis/sfn/v1beta1/zz_generated.deepcopy.go
index b24884f3cf..59f6611c43 100644
--- a/apis/sfn/v1beta1/zz_generated.deepcopy.go
+++ b/apis/sfn/v1beta1/zz_generated.deepcopy.go
@@ -86,6 +86,21 @@ func (in *ActivityObservation) DeepCopyInto(out *ActivityObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -185,6 +200,21 @@ func (in *ActivityStatus) DeepCopy() *ActivityStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingConfigurationObservation) DeepCopyInto(out *LoggingConfigurationObservation) {
 	*out = *in
+	if in.IncludeExecutionData != nil {
+		in, out := &in.IncludeExecutionData, &out.IncludeExecutionData
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Level != nil {
+		in, out := &in.Level, &out.Level
+		*out = new(string)
+		**out = **in
+	}
+	if in.LogDestination != nil {
+		in, out := &in.LogDestination, &out.LogDestination
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfigurationObservation.
@@ -299,16 +329,48 @@ func (in *StateMachineObservation) DeepCopyInto(out *StateMachineObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Definition != nil {
+		in, out := &in.Definition, &out.Definition
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoggingConfiguration != nil {
+		in, out := &in.LoggingConfiguration, &out.LoggingConfiguration
+		*out = make([]LoggingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RoleArn != nil {
+		in, out := &in.RoleArn, &out.RoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -324,6 +386,18 @@ func (in *StateMachineObservation) DeepCopyInto(out *StateMachineObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TracingConfiguration != nil {
+		in, out := &in.TracingConfiguration, &out.TracingConfiguration
+		*out = make([]TracingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StateMachineObservation.
@@ -447,6 +521,11 @@ func (in *StateMachineStatus) DeepCopy() *StateMachineStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TracingConfigurationObservation) DeepCopyInto(out *TracingConfigurationObservation) {
 	*out = *in
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TracingConfigurationObservation.
diff --git a/apis/sfn/v1beta1/zz_statemachine_types.go b/apis/sfn/v1beta1/zz_statemachine_types.go
index db1f7fc3c8..530ec08b09 100755
--- a/apis/sfn/v1beta1/zz_statemachine_types.go
+++ b/apis/sfn/v1beta1/zz_statemachine_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type LoggingConfigurationObservation struct {
+
+	// Determines whether execution data is included in your log. When set to false, data is excluded.
+	IncludeExecutionData *bool `json:"includeExecutionData,omitempty" tf:"include_execution_data,omitempty"`
+
+	// Defines which category of execution history events are logged. Valid values: ALL, ERROR, FATAL, OFF
+	Level *string `json:"level,omitempty" tf:"level,omitempty"`
+
+	// Amazon Resource Name (ARN) of a CloudWatch log group. Make sure the State Machine has the correct IAM policies for logging. The ARN must end with :*
+	LogDestination *string `json:"logDestination,omitempty" tf:"log_destination,omitempty"`
 }
 
 type LoggingConfigurationParameters struct {
@@ -39,21 +48,39 @@ type StateMachineObservation struct {
 	// The date the state machine was created.
 	CreationDate *string `json:"creationDate,omitempty" tf:"creation_date,omitempty"`
 
+	// The Amazon States Language definition of the state machine.
+	Definition *string `json:"definition,omitempty" tf:"definition,omitempty"`
+
 	// The ARN of the state machine.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Defines what execution history events are logged and where they are logged. The logging_configuration parameter is only valid when type is set to EXPRESS. Defaults to OFF. For more information see Logging Express Workflows and Log Levels in the AWS Step Functions User Guide.
+	LoggingConfiguration []LoggingConfigurationObservation `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the IAM role to use for this state machine.
+	RoleArn *string `json:"roleArn,omitempty" tf:"role_arn,omitempty"`
+
 	// The current status of the state machine. Either ACTIVE or DELETING.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Selects whether AWS X-Ray tracing is enabled.
+	TracingConfiguration []TracingConfigurationObservation `json:"tracingConfiguration,omitempty" tf:"tracing_configuration,omitempty"`
+
+	// Determines whether a Standard or Express state machine is created. The default is STANDARD. You cannot update the type of a state machine once it has been created. Valid values: STANDARD, EXPRESS.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type StateMachineParameters struct {
 
 	// The Amazon States Language definition of the state machine.
-	// +kubebuilder:validation:Required
-	Definition *string `json:"definition" tf:"definition,omitempty"`
+	// +kubebuilder:validation:Optional
+	Definition *string `json:"definition,omitempty" tf:"definition,omitempty"`
 
 	// Defines what execution history events are logged and where they are logged. The logging_configuration parameter is only valid when type is set to EXPRESS. Defaults to OFF. For more information see Logging Express Workflows and Log Levels in the AWS Step Functions User Guide.
 	// +kubebuilder:validation:Optional
@@ -91,6 +118,9 @@ type StateMachineParameters struct {
 }
 
 type TracingConfigurationObservation struct {
+
+	// When set to true, AWS X-Ray tracing is enabled. Make sure the State Machine has the correct IAM policies for logging. See the AWS Step Functions Developer Guide for details.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
 }
 
 type TracingConfigurationParameters struct {
@@ -124,8 +154,9 @@ type StateMachineStatus struct {
 type StateMachine struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              StateMachineSpec   `json:"spec"`
-	Status            StateMachineStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)",message="definition is a required parameter"
+	Spec   StateMachineSpec   `json:"spec"`
+	Status StateMachineStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/signer/v1beta1/zz_generated.deepcopy.go b/apis/signer/v1beta1/zz_generated.deepcopy.go
index 8365c6a393..7a90f286bb 100644
--- a/apis/signer/v1beta1/zz_generated.deepcopy.go
+++ b/apis/signer/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,13 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationObservation) DeepCopyInto(out *DestinationObservation) {
 	*out = *in
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]S3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationObservation.
@@ -99,6 +106,16 @@ func (in *RevocationRecordParameters) DeepCopy() *RevocationRecordParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3Observation) DeepCopyInto(out *S3Observation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3Observation.
@@ -139,6 +156,16 @@ func (in *S3Parameters) DeepCopy() *S3Parameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SignatureValidityPeriodObservation) DeepCopyInto(out *SignatureValidityPeriodObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SignatureValidityPeriodObservation.
@@ -325,11 +352,23 @@ func (in *SigningJobObservation) DeepCopyInto(out *SigningJobObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = make([]DestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IgnoreSigningJobFailure != nil {
+		in, out := &in.IgnoreSigningJobFailure, &out.IgnoreSigningJobFailure
+		*out = new(bool)
+		**out = **in
+	}
 	if in.JobID != nil {
 		in, out := &in.JobID, &out.JobID
 		*out = new(string)
@@ -355,6 +394,11 @@ func (in *SigningJobObservation) DeepCopyInto(out *SigningJobObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ProfileName != nil {
+		in, out := &in.ProfileName, &out.ProfileName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ProfileVersion != nil {
 		in, out := &in.ProfileVersion, &out.ProfileVersion
 		*out = new(string)
@@ -384,6 +428,13 @@ func (in *SigningJobObservation) DeepCopyInto(out *SigningJobObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = make([]SourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -571,6 +622,11 @@ func (in *SigningProfileObservation) DeepCopyInto(out *SigningProfileObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.PlatformID != nil {
+		in, out := &in.PlatformID, &out.PlatformID
+		*out = new(string)
+		**out = **in
+	}
 	if in.RevocationRecord != nil {
 		in, out := &in.RevocationRecord, &out.RevocationRecord
 		*out = make([]SigningProfileRevocationRecordObservation, len(*in))
@@ -578,11 +634,33 @@ func (in *SigningProfileObservation) DeepCopyInto(out *SigningProfileObservation
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.SignatureValidityPeriod != nil {
+		in, out := &in.SignatureValidityPeriod, &out.SignatureValidityPeriod
+		*out = make([]SignatureValidityPeriodObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -729,11 +807,41 @@ func (in *SigningProfilePermissionList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SigningProfilePermissionObservation) DeepCopyInto(out *SigningProfilePermissionObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Principal != nil {
+		in, out := &in.Principal, &out.Principal
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProfileName != nil {
+		in, out := &in.ProfileName, &out.ProfileName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ProfileVersion != nil {
+		in, out := &in.ProfileVersion, &out.ProfileVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatementID != nil {
+		in, out := &in.StatementID, &out.StatementID
+		*out = new(string)
+		**out = **in
+	}
+	if in.StatementIDPrefix != nil {
+		in, out := &in.StatementIDPrefix, &out.StatementIDPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SigningProfilePermissionObservation.
@@ -932,6 +1040,13 @@ func (in *SigningProfileStatus) DeepCopy() *SigningProfileStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceObservation) DeepCopyInto(out *SourceObservation) {
 	*out = *in
+	if in.S3 != nil {
+		in, out := &in.S3, &out.S3
+		*out = make([]SourceS3Observation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceObservation.
@@ -969,6 +1084,21 @@ func (in *SourceParameters) DeepCopy() *SourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceS3Observation) DeepCopyInto(out *SourceS3Observation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceS3Observation.
diff --git a/apis/signer/v1beta1/zz_signingjob_types.go b/apis/signer/v1beta1/zz_signingjob_types.go
index e814ed9184..81f095d83f 100755
--- a/apis/signer/v1beta1/zz_signingjob_types.go
+++ b/apis/signer/v1beta1/zz_signingjob_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type DestinationObservation struct {
+
+	// A configuration block describing the S3 Source object: See S3 Source below for details.
+	S3 []S3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
 }
 
 type DestinationParameters struct {
@@ -35,6 +38,12 @@ type RevocationRecordParameters struct {
 }
 
 type S3Observation struct {
+
+	// Name of the S3 bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// An Amazon S3 object key prefix that you can use to limit signed objects keys to begin with the specified prefix.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
 }
 
 type S3Parameters struct {
@@ -77,8 +86,14 @@ type SigningJobObservation struct {
 	// Date and time in RFC3339 format that the signing job was created.
 	CreatedAt *string `json:"createdAt,omitempty" tf:"created_at,omitempty"`
 
+	// The S3 bucket in which to save your signed object. See Destination below for details.
+	Destination []DestinationObservation `json:"destination,omitempty" tf:"destination,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Set this argument to true to ignore signing job failures and retrieve failed status and reason. Default false.
+	IgnoreSigningJobFailure *bool `json:"ignoreSigningJobFailure,omitempty" tf:"ignore_signing_job_failure,omitempty"`
+
 	// The ID of the signing job on output.
 	JobID *string `json:"jobId,omitempty" tf:"job_id,omitempty"`
 
@@ -94,6 +109,9 @@ type SigningJobObservation struct {
 	// The platform to which your signed code image will be distributed.
 	PlatformID *string `json:"platformId,omitempty" tf:"platform_id,omitempty"`
 
+	// The name of the profile to initiate the signing operation.
+	ProfileName *string `json:"profileName,omitempty" tf:"profile_name,omitempty"`
+
 	// The version of the signing profile used to initiate the signing job.
 	ProfileVersion *string `json:"profileVersion,omitempty" tf:"profile_version,omitempty"`
 
@@ -109,6 +127,9 @@ type SigningJobObservation struct {
 	// Name of the S3 bucket where the signed code image is saved by code signing.
 	SignedObject []SignedObjectObservation `json:"signedObject,omitempty" tf:"signed_object,omitempty"`
 
+	// The S3 bucket that contains the object to sign. See Source below for details.
+	Source []SourceObservation `json:"source,omitempty" tf:"source,omitempty"`
+
 	// Status of the signing job.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
@@ -119,8 +140,8 @@ type SigningJobObservation struct {
 type SigningJobParameters struct {
 
 	// The S3 bucket in which to save your signed object. See Destination below for details.
-	// +kubebuilder:validation:Required
-	Destination []DestinationParameters `json:"destination" tf:"destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	Destination []DestinationParameters `json:"destination,omitempty" tf:"destination,omitempty"`
 
 	// Set this argument to true to ignore signing job failures and retrieve failed status and reason. Default false.
 	// +kubebuilder:validation:Optional
@@ -145,11 +166,14 @@ type SigningJobParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The S3 bucket that contains the object to sign. See Source below for details.
-	// +kubebuilder:validation:Required
-	Source []SourceParameters `json:"source" tf:"source,omitempty"`
+	// +kubebuilder:validation:Optional
+	Source []SourceParameters `json:"source,omitempty" tf:"source,omitempty"`
 }
 
 type SourceObservation struct {
+
+	// A configuration block describing the S3 Source object: See S3 Source below for details.
+	S3 []SourceS3Observation `json:"s3,omitempty" tf:"s3,omitempty"`
 }
 
 type SourceParameters struct {
@@ -160,6 +184,15 @@ type SourceParameters struct {
 }
 
 type SourceS3Observation struct {
+
+	// Name of the S3 bucket.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// Key name of the object that contains your unsigned code.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Version of your source image in your version enabled S3 bucket.
+	Version *string `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type SourceS3Parameters struct {
@@ -201,8 +234,10 @@ type SigningJobStatus struct {
 type SigningJob struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SigningJobSpec   `json:"spec"`
-	Status            SigningJobStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)",message="destination is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)",message="source is a required parameter"
+	Spec   SigningJobSpec   `json:"spec"`
+	Status SigningJobStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/signer/v1beta1/zz_signingprofile_types.go b/apis/signer/v1beta1/zz_signingprofile_types.go
index 5dc05407ed..c05e017713 100755
--- a/apis/signer/v1beta1/zz_signingprofile_types.go
+++ b/apis/signer/v1beta1/zz_signingprofile_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type SignatureValidityPeriodObservation struct {
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	Value *float64 `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type SignatureValidityPeriodParameters struct {
@@ -35,12 +38,21 @@ type SigningProfileObservation struct {
 	// A human-readable name for the signing platform associated with the signing profile.
 	PlatformDisplayName *string `json:"platformDisplayName,omitempty" tf:"platform_display_name,omitempty"`
 
+	// The ID of the platform that is used by the target signing profile.
+	PlatformID *string `json:"platformId,omitempty" tf:"platform_id,omitempty"`
+
 	// Revocation information for a signing profile.
 	RevocationRecord []SigningProfileRevocationRecordObservation `json:"revocationRecord,omitempty" tf:"revocation_record,omitempty"`
 
+	// The validity period for a signing job.
+	SignatureValidityPeriod []SignatureValidityPeriodObservation `json:"signatureValidityPeriod,omitempty" tf:"signature_validity_period,omitempty"`
+
 	// The status of the target signing profile.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
@@ -54,8 +66,8 @@ type SigningProfileObservation struct {
 type SigningProfileParameters struct {
 
 	// The ID of the platform that is used by the target signing profile.
-	// +kubebuilder:validation:Required
-	PlatformID *string `json:"platformId" tf:"platform_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	PlatformID *string `json:"platformId,omitempty" tf:"platform_id,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -106,8 +118,9 @@ type SigningProfileStatus struct {
 type SigningProfile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SigningProfileSpec   `json:"spec"`
-	Status            SigningProfileStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platformId)",message="platformId is a required parameter"
+	Spec   SigningProfileSpec   `json:"spec"`
+	Status SigningProfileStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/signer/v1beta1/zz_signingprofilepermission_types.go b/apis/signer/v1beta1/zz_signingprofilepermission_types.go
index 98deaf1db6..b845a47de0 100755
--- a/apis/signer/v1beta1/zz_signingprofilepermission_types.go
+++ b/apis/signer/v1beta1/zz_signingprofilepermission_types.go
@@ -14,18 +14,37 @@ import (
 )
 
 type SigningProfilePermissionObservation struct {
+
+	// An AWS Signer action permitted as part of cross-account permissions. Valid values: signer:StartSigningJob, signer:GetSigningProfile, or signer:RevokeSignature.
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The AWS principal to be granted a cross-account permission.
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
+
+	// Name of the signing profile to add the cross-account permissions.
+	ProfileName *string `json:"profileName,omitempty" tf:"profile_name,omitempty"`
+
+	// The signing profile version that a permission applies to.
+	ProfileVersion *string `json:"profileVersion,omitempty" tf:"profile_version,omitempty"`
+
+	// A unique statement identifier.
+	StatementID *string `json:"statementId,omitempty" tf:"statement_id,omitempty"`
+
+	// A statement identifier prefix. Conflicts with statement_id.
+	StatementIDPrefix *string `json:"statementIdPrefix,omitempty" tf:"statement_id_prefix,omitempty"`
 }
 
 type SigningProfilePermissionParameters struct {
 
 	// An AWS Signer action permitted as part of cross-account permissions. Valid values: signer:StartSigningJob, signer:GetSigningProfile, or signer:RevokeSignature.
-	// +kubebuilder:validation:Required
-	Action *string `json:"action" tf:"action,omitempty"`
+	// +kubebuilder:validation:Optional
+	Action *string `json:"action,omitempty" tf:"action,omitempty"`
 
 	// The AWS principal to be granted a cross-account permission.
-	// +kubebuilder:validation:Required
-	Principal *string `json:"principal" tf:"principal,omitempty"`
+	// +kubebuilder:validation:Optional
+	Principal *string `json:"principal,omitempty" tf:"principal,omitempty"`
 
 	// Name of the signing profile to add the cross-account permissions.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/signer/v1beta1.SigningProfile
@@ -92,8 +111,10 @@ type SigningProfilePermissionStatus struct {
 type SigningProfilePermission struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SigningProfilePermissionSpec   `json:"spec"`
-	Status            SigningProfilePermissionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)",message="action is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)",message="principal is a required parameter"
+	Spec   SigningProfilePermissionSpec   `json:"spec"`
+	Status SigningProfilePermissionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sns/v1beta1/zz_generated.deepcopy.go b/apis/sns/v1beta1/zz_generated.deepcopy.go
index e8cdf94008..3d51ea7719 100644
--- a/apis/sns/v1beta1/zz_generated.deepcopy.go
+++ b/apis/sns/v1beta1/zz_generated.deepcopy.go
@@ -76,16 +76,66 @@ func (in *PlatformApplicationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PlatformApplicationObservation) DeepCopyInto(out *PlatformApplicationObservation) {
 	*out = *in
+	if in.ApplePlatformBundleID != nil {
+		in, out := &in.ApplePlatformBundleID, &out.ApplePlatformBundleID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ApplePlatformTeamID != nil {
+		in, out := &in.ApplePlatformTeamID, &out.ApplePlatformTeamID
+		*out = new(string)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.EventDeliveryFailureTopicArn != nil {
+		in, out := &in.EventDeliveryFailureTopicArn, &out.EventDeliveryFailureTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventEndpointCreatedTopicArn != nil {
+		in, out := &in.EventEndpointCreatedTopicArn, &out.EventEndpointCreatedTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventEndpointDeletedTopicArn != nil {
+		in, out := &in.EventEndpointDeletedTopicArn, &out.EventEndpointDeletedTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.EventEndpointUpdatedTopicArn != nil {
+		in, out := &in.EventEndpointUpdatedTopicArn, &out.EventEndpointUpdatedTopicArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FailureFeedbackRoleArn != nil {
+		in, out := &in.FailureFeedbackRoleArn, &out.FailureFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Platform != nil {
+		in, out := &in.Platform, &out.Platform
+		*out = new(string)
+		**out = **in
+	}
+	if in.SuccessFeedbackRoleArn != nil {
+		in, out := &in.SuccessFeedbackRoleArn, &out.SuccessFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SuccessFeedbackSampleRate != nil {
+		in, out := &in.SuccessFeedbackSampleRate, &out.SuccessFeedbackSampleRate
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PlatformApplicationObservation.
@@ -290,11 +340,41 @@ func (in *SMSPreferencesList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SMSPreferencesObservation) DeepCopyInto(out *SMSPreferencesObservation) {
 	*out = *in
+	if in.DefaultSMSType != nil {
+		in, out := &in.DefaultSMSType, &out.DefaultSMSType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultSenderID != nil {
+		in, out := &in.DefaultSenderID, &out.DefaultSenderID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeliveryStatusIAMRoleArn != nil {
+		in, out := &in.DeliveryStatusIAMRoleArn, &out.DeliveryStatusIAMRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeliveryStatusSuccessSamplingRate != nil {
+		in, out := &in.DeliveryStatusSuccessSamplingRate, &out.DeliveryStatusSuccessSamplingRate
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MonthlySpendLimit != nil {
+		in, out := &in.MonthlySpendLimit, &out.MonthlySpendLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.UsageReportS3Bucket != nil {
+		in, out := &in.UsageReportS3Bucket, &out.UsageReportS3Bucket
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SMSPreferencesObservation.
@@ -463,21 +543,146 @@ func (in *TopicList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicObservation) DeepCopyInto(out *TopicObservation) {
 	*out = *in
+	if in.ApplicationFailureFeedbackRoleArn != nil {
+		in, out := &in.ApplicationFailureFeedbackRoleArn, &out.ApplicationFailureFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ApplicationSuccessFeedbackRoleArn != nil {
+		in, out := &in.ApplicationSuccessFeedbackRoleArn, &out.ApplicationSuccessFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ApplicationSuccessFeedbackSampleRate != nil {
+		in, out := &in.ApplicationSuccessFeedbackSampleRate, &out.ApplicationSuccessFeedbackSampleRate
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.ContentBasedDeduplication != nil {
+		in, out := &in.ContentBasedDeduplication, &out.ContentBasedDeduplication
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeliveryPolicy != nil {
+		in, out := &in.DeliveryPolicy, &out.DeliveryPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.DisplayName != nil {
+		in, out := &in.DisplayName, &out.DisplayName
+		*out = new(string)
+		**out = **in
+	}
+	if in.FifoTopic != nil {
+		in, out := &in.FifoTopic, &out.FifoTopic
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FirehoseFailureFeedbackRoleArn != nil {
+		in, out := &in.FirehoseFailureFeedbackRoleArn, &out.FirehoseFailureFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FirehoseSuccessFeedbackRoleArn != nil {
+		in, out := &in.FirehoseSuccessFeedbackRoleArn, &out.FirehoseSuccessFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.FirehoseSuccessFeedbackSampleRate != nil {
+		in, out := &in.FirehoseSuccessFeedbackSampleRate, &out.FirehoseSuccessFeedbackSampleRate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPFailureFeedbackRoleArn != nil {
+		in, out := &in.HTTPFailureFeedbackRoleArn, &out.HTTPFailureFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPSuccessFeedbackRoleArn != nil {
+		in, out := &in.HTTPSuccessFeedbackRoleArn, &out.HTTPSuccessFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.HTTPSuccessFeedbackSampleRate != nil {
+		in, out := &in.HTTPSuccessFeedbackSampleRate, &out.HTTPSuccessFeedbackSampleRate
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSMasterKeyID != nil {
+		in, out := &in.KMSMasterKeyID, &out.KMSMasterKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaFailureFeedbackRoleArn != nil {
+		in, out := &in.LambdaFailureFeedbackRoleArn, &out.LambdaFailureFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaSuccessFeedbackRoleArn != nil {
+		in, out := &in.LambdaSuccessFeedbackRoleArn, &out.LambdaSuccessFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.LambdaSuccessFeedbackSampleRate != nil {
+		in, out := &in.LambdaSuccessFeedbackSampleRate, &out.LambdaSuccessFeedbackSampleRate
+		*out = new(float64)
+		**out = **in
+	}
 	if in.Owner != nil {
 		in, out := &in.Owner, &out.Owner
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.SignatureVersion != nil {
+		in, out := &in.SignatureVersion, &out.SignatureVersion
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SqsFailureFeedbackRoleArn != nil {
+		in, out := &in.SqsFailureFeedbackRoleArn, &out.SqsFailureFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SqsSuccessFeedbackRoleArn != nil {
+		in, out := &in.SqsSuccessFeedbackRoleArn, &out.SqsSuccessFeedbackRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.SqsSuccessFeedbackSampleRate != nil {
+		in, out := &in.SqsSuccessFeedbackSampleRate, &out.SqsSuccessFeedbackSampleRate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -493,6 +698,11 @@ func (in *TopicObservation) DeepCopyInto(out *TopicObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TracingConfig != nil {
+		in, out := &in.TracingConfig, &out.TracingConfig
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicObservation.
@@ -817,6 +1027,11 @@ func (in *TopicPolicyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TopicPolicyObservation) DeepCopyInto(out *TopicPolicyObservation) {
 	*out = *in
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -827,6 +1042,11 @@ func (in *TopicPolicyObservation) DeepCopyInto(out *TopicPolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicPolicyObservation.
@@ -1014,11 +1234,41 @@ func (in *TopicSubscriptionObservation) DeepCopyInto(out *TopicSubscriptionObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.ConfirmationTimeoutInMinutes != nil {
+		in, out := &in.ConfirmationTimeoutInMinutes, &out.ConfirmationTimeoutInMinutes
+		*out = new(float64)
+		**out = **in
+	}
 	if in.ConfirmationWasAuthenticated != nil {
 		in, out := &in.ConfirmationWasAuthenticated, &out.ConfirmationWasAuthenticated
 		*out = new(bool)
 		**out = **in
 	}
+	if in.DeliveryPolicy != nil {
+		in, out := &in.DeliveryPolicy, &out.DeliveryPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.Endpoint != nil {
+		in, out := &in.Endpoint, &out.Endpoint
+		*out = new(string)
+		**out = **in
+	}
+	if in.EndpointAutoConfirms != nil {
+		in, out := &in.EndpointAutoConfirms, &out.EndpointAutoConfirms
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FilterPolicy != nil {
+		in, out := &in.FilterPolicy, &out.FilterPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.FilterPolicyScope != nil {
+		in, out := &in.FilterPolicyScope, &out.FilterPolicyScope
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -1034,6 +1284,31 @@ func (in *TopicSubscriptionObservation) DeepCopyInto(out *TopicSubscriptionObser
 		*out = new(bool)
 		**out = **in
 	}
+	if in.Protocol != nil {
+		in, out := &in.Protocol, &out.Protocol
+		*out = new(string)
+		**out = **in
+	}
+	if in.RawMessageDelivery != nil {
+		in, out := &in.RawMessageDelivery, &out.RawMessageDelivery
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RedrivePolicy != nil {
+		in, out := &in.RedrivePolicy, &out.RedrivePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.SubscriptionRoleArn != nil {
+		in, out := &in.SubscriptionRoleArn, &out.SubscriptionRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TopicArn != nil {
+		in, out := &in.TopicArn, &out.TopicArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TopicSubscriptionObservation.
diff --git a/apis/sns/v1beta1/zz_platformapplication_types.go b/apis/sns/v1beta1/zz_platformapplication_types.go
index 619dc047b5..cc9c66bcbb 100755
--- a/apis/sns/v1beta1/zz_platformapplication_types.go
+++ b/apis/sns/v1beta1/zz_platformapplication_types.go
@@ -15,11 +15,41 @@ import (
 
 type PlatformApplicationObservation struct {
 
+	// The bundle identifier that's assigned to your iOS app. May only include alphanumeric characters, hyphens (-), and periods (.).
+	ApplePlatformBundleID *string `json:"applePlatformBundleId,omitempty" tf:"apple_platform_bundle_id,omitempty"`
+
+	// The identifier that's assigned to your Apple developer account team. Must be 10 alphanumeric characters.
+	ApplePlatformTeamID *string `json:"applePlatformTeamId,omitempty" tf:"apple_platform_team_id,omitempty"`
+
 	// The ARN of the SNS platform application
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The ARN of the SNS Topic triggered when a delivery to any of the platform endpoints associated with your platform application encounters a permanent failure.
+	EventDeliveryFailureTopicArn *string `json:"eventDeliveryFailureTopicArn,omitempty" tf:"event_delivery_failure_topic_arn,omitempty"`
+
+	// The ARN of the SNS Topic triggered when a new platform endpoint is added to your platform application.
+	EventEndpointCreatedTopicArn *string `json:"eventEndpointCreatedTopicArn,omitempty" tf:"event_endpoint_created_topic_arn,omitempty"`
+
+	// The ARN of the SNS Topic triggered when an existing platform endpoint is deleted from your platform application.
+	EventEndpointDeletedTopicArn *string `json:"eventEndpointDeletedTopicArn,omitempty" tf:"event_endpoint_deleted_topic_arn,omitempty"`
+
+	// The ARN of the SNS Topic triggered when an existing platform endpoint is changed from your platform application.
+	EventEndpointUpdatedTopicArn *string `json:"eventEndpointUpdatedTopicArn,omitempty" tf:"event_endpoint_updated_topic_arn,omitempty"`
+
+	// The IAM role ARN permitted to receive failure feedback for this application and give SNS write access to use CloudWatch logs on your behalf.
+	FailureFeedbackRoleArn *string `json:"failureFeedbackRoleArn,omitempty" tf:"failure_feedback_role_arn,omitempty"`
+
 	// The ARN of the SNS platform application
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The platform that the app is registered with. See Platform for supported platforms.
+	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
+
+	// The IAM role ARN permitted to receive success feedback for this application and give SNS write access to use CloudWatch logs on your behalf.
+	SuccessFeedbackRoleArn *string `json:"successFeedbackRoleArn,omitempty" tf:"success_feedback_role_arn,omitempty"`
+
+	// The sample rate percentage (0-100) of successfully delivered messages.
+	SuccessFeedbackSampleRate *string `json:"successFeedbackSampleRate,omitempty" tf:"success_feedback_sample_rate,omitempty"`
 }
 
 type PlatformApplicationParameters struct {
@@ -63,11 +93,11 @@ type PlatformApplicationParameters struct {
 	FailureFeedbackRoleArnSelector *v1.Selector `json:"failureFeedbackRoleArnSelector,omitempty" tf:"-"`
 
 	// The platform that the app is registered with. See Platform for supported platforms.
-	// +kubebuilder:validation:Required
-	Platform *string `json:"platform" tf:"platform,omitempty"`
+	// +kubebuilder:validation:Optional
+	Platform *string `json:"platform,omitempty" tf:"platform,omitempty"`
 
 	// Application Platform credential. See Credential for type of credential required for platform.
-	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Optional
 	PlatformCredentialSecretRef v1.SecretKeySelector `json:"platformCredentialSecretRef" tf:"-"`
 
 	// Application Platform principal. See Principal for type of principal required for platform.
@@ -122,8 +152,10 @@ type PlatformApplicationStatus struct {
 type PlatformApplication struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PlatformApplicationSpec   `json:"spec"`
-	Status            PlatformApplicationStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platform)",message="platform is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platformCredentialSecretRef)",message="platformCredentialSecretRef is a required parameter"
+	Spec   PlatformApplicationSpec   `json:"spec"`
+	Status PlatformApplicationStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sns/v1beta1/zz_smspreferences_types.go b/apis/sns/v1beta1/zz_smspreferences_types.go
index 71a94307c3..c1b949aa1d 100755
--- a/apis/sns/v1beta1/zz_smspreferences_types.go
+++ b/apis/sns/v1beta1/zz_smspreferences_types.go
@@ -14,7 +14,26 @@ import (
 )
 
 type SMSPreferencesObservation struct {
+
+	// The type of SMS message that you will send by default. Possible values are: Promotional, Transactional
+	DefaultSMSType *string `json:"defaultSmsType,omitempty" tf:"default_sms_type,omitempty"`
+
+	// A string, such as your business brand, that is displayed as the sender on the receiving device.
+	DefaultSenderID *string `json:"defaultSenderId,omitempty" tf:"default_sender_id,omitempty"`
+
+	// The ARN of the IAM role that allows Amazon SNS to write logs about SMS deliveries in CloudWatch Logs.
+	DeliveryStatusIAMRoleArn *string `json:"deliveryStatusIamRoleArn,omitempty" tf:"delivery_status_iam_role_arn,omitempty"`
+
+	// The percentage of successful SMS deliveries for which Amazon SNS will write logs in CloudWatch Logs. The value must be between 0 and 100.
+	DeliveryStatusSuccessSamplingRate *string `json:"deliveryStatusSuccessSamplingRate,omitempty" tf:"delivery_status_success_sampling_rate,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The maximum amount in USD that you are willing to spend each month to send SMS messages.
+	MonthlySpendLimit *float64 `json:"monthlySpendLimit,omitempty" tf:"monthly_spend_limit,omitempty"`
+
+	// The name of the Amazon S3 bucket to receive daily SMS usage reports from Amazon SNS.
+	UsageReportS3Bucket *string `json:"usageReportS3Bucket,omitempty" tf:"usage_report_s3_bucket,omitempty"`
 }
 
 type SMSPreferencesParameters struct {
diff --git a/apis/sns/v1beta1/zz_topic_types.go b/apis/sns/v1beta1/zz_topic_types.go
index e3589d51b3..4492a12d9c 100755
--- a/apis/sns/v1beta1/zz_topic_types.go
+++ b/apis/sns/v1beta1/zz_topic_types.go
@@ -15,17 +15,89 @@ import (
 
 type TopicObservation struct {
 
+	// IAM role for failure feedback
+	ApplicationFailureFeedbackRoleArn *string `json:"applicationFailureFeedbackRoleArn,omitempty" tf:"application_failure_feedback_role_arn,omitempty"`
+
+	// The IAM role permitted to receive success feedback for this topic
+	ApplicationSuccessFeedbackRoleArn *string `json:"applicationSuccessFeedbackRoleArn,omitempty" tf:"application_success_feedback_role_arn,omitempty"`
+
+	// Percentage of success to sample
+	ApplicationSuccessFeedbackSampleRate *float64 `json:"applicationSuccessFeedbackSampleRate,omitempty" tf:"application_success_feedback_sample_rate,omitempty"`
+
 	// The ARN of the SNS topic, as a more obvious property (clone of id)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Enables content-based deduplication for FIFO topics. For more information, see the related documentation
+	ContentBasedDeduplication *bool `json:"contentBasedDeduplication,omitempty" tf:"content_based_deduplication,omitempty"`
+
+	// The SNS delivery policy. More on AWS documentation
+	DeliveryPolicy *string `json:"deliveryPolicy,omitempty" tf:"delivery_policy,omitempty"`
+
+	// The display name for the topic
+	DisplayName *string `json:"displayName,omitempty" tf:"display_name,omitempty"`
+
+	// Boolean indicating whether or not to create a FIFO (first-in-first-out) topic (default is false).
+	FifoTopic *bool `json:"fifoTopic,omitempty" tf:"fifo_topic,omitempty"`
+
+	// IAM role for failure feedback
+	FirehoseFailureFeedbackRoleArn *string `json:"firehoseFailureFeedbackRoleArn,omitempty" tf:"firehose_failure_feedback_role_arn,omitempty"`
+
+	// The IAM role permitted to receive success feedback for this topic
+	FirehoseSuccessFeedbackRoleArn *string `json:"firehoseSuccessFeedbackRoleArn,omitempty" tf:"firehose_success_feedback_role_arn,omitempty"`
+
+	// Percentage of success to sample
+	FirehoseSuccessFeedbackSampleRate *float64 `json:"firehoseSuccessFeedbackSampleRate,omitempty" tf:"firehose_success_feedback_sample_rate,omitempty"`
+
+	// IAM role for failure feedback
+	HTTPFailureFeedbackRoleArn *string `json:"httpFailureFeedbackRoleArn,omitempty" tf:"http_failure_feedback_role_arn,omitempty"`
+
+	// The IAM role permitted to receive success feedback for this topic
+	HTTPSuccessFeedbackRoleArn *string `json:"httpSuccessFeedbackRoleArn,omitempty" tf:"http_success_feedback_role_arn,omitempty"`
+
+	// Percentage of success to sample
+	HTTPSuccessFeedbackSampleRate *float64 `json:"httpSuccessFeedbackSampleRate,omitempty" tf:"http_success_feedback_sample_rate,omitempty"`
+
 	// The ARN of the SNS topic
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ID of an AWS-managed customer master key (CMK) for Amazon SNS or a custom CMK. For more information, see Key Terms
+	KMSMasterKeyID *string `json:"kmsMasterKeyId,omitempty" tf:"kms_master_key_id,omitempty"`
+
+	// IAM role for failure feedback
+	LambdaFailureFeedbackRoleArn *string `json:"lambdaFailureFeedbackRoleArn,omitempty" tf:"lambda_failure_feedback_role_arn,omitempty"`
+
+	// The IAM role permitted to receive success feedback for this topic
+	LambdaSuccessFeedbackRoleArn *string `json:"lambdaSuccessFeedbackRoleArn,omitempty" tf:"lambda_success_feedback_role_arn,omitempty"`
+
+	// Percentage of success to sample
+	LambdaSuccessFeedbackSampleRate *float64 `json:"lambdaSuccessFeedbackSampleRate,omitempty" tf:"lambda_success_feedback_sample_rate,omitempty"`
+
 	// The AWS Account ID of the SNS topic owner
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
 
+	// The fully-formed AWS policy as JSON.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// If SignatureVersion should be 1 (SHA1) or 2 (SHA256). The signature version corresponds to the hashing algorithm used while creating the signature of the notifications, subscription confirmations, or unsubscribe confirmation messages sent by Amazon SNS.
+	SignatureVersion *float64 `json:"signatureVersion,omitempty" tf:"signature_version,omitempty"`
+
+	// IAM role for failure feedback
+	SqsFailureFeedbackRoleArn *string `json:"sqsFailureFeedbackRoleArn,omitempty" tf:"sqs_failure_feedback_role_arn,omitempty"`
+
+	// The IAM role permitted to receive success feedback for this topic
+	SqsSuccessFeedbackRoleArn *string `json:"sqsSuccessFeedbackRoleArn,omitempty" tf:"sqs_success_feedback_role_arn,omitempty"`
+
+	// Percentage of success to sample
+	SqsSuccessFeedbackSampleRate *float64 `json:"sqsSuccessFeedbackSampleRate,omitempty" tf:"sqs_success_feedback_sample_rate,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Tracing mode of an Amazon SNS topic. Valid values: "PassThrough", "Active".
+	TracingConfig *string `json:"tracingConfig,omitempty" tf:"tracing_config,omitempty"`
 }
 
 type TopicParameters struct {
diff --git a/apis/sns/v1beta1/zz_topicpolicy_types.go b/apis/sns/v1beta1/zz_topicpolicy_types.go
index 6555444ae0..1d9477f160 100755
--- a/apis/sns/v1beta1/zz_topicpolicy_types.go
+++ b/apis/sns/v1beta1/zz_topicpolicy_types.go
@@ -14,10 +14,17 @@ import (
 )
 
 type TopicPolicyObservation struct {
+
+	// The ARN of the SNS topic
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	// The AWS Account ID of the SNS topic owner
 	Owner *string `json:"owner,omitempty" tf:"owner,omitempty"`
+
+	// The fully-formed AWS policy as JSON.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 }
 
 type TopicPolicyParameters struct {
@@ -37,8 +44,8 @@ type TopicPolicyParameters struct {
 	ArnSelector *v1.Selector `json:"arnSelector,omitempty" tf:"-"`
 
 	// The fully-formed AWS policy as JSON.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -70,8 +77,9 @@ type TopicPolicyStatus struct {
 type TopicPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TopicPolicySpec   `json:"spec"`
-	Status            TopicPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   TopicPolicySpec   `json:"spec"`
+	Status TopicPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sns/v1beta1/zz_topicsubscription_types.go b/apis/sns/v1beta1/zz_topicsubscription_types.go
index 31f61f7431..dec6183708 100755
--- a/apis/sns/v1beta1/zz_topicsubscription_types.go
+++ b/apis/sns/v1beta1/zz_topicsubscription_types.go
@@ -18,9 +18,27 @@ type TopicSubscriptionObservation struct {
 	// ARN of the subscription.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Integer indicating number of minutes to wait in retrying mode for fetching subscription arn before marking it as failure. Only applicable for http and https protocols. Default is 1.
+	ConfirmationTimeoutInMinutes *float64 `json:"confirmationTimeoutInMinutes,omitempty" tf:"confirmation_timeout_in_minutes,omitempty"`
+
 	// Whether the subscription confirmation request was authenticated.
 	ConfirmationWasAuthenticated *bool `json:"confirmationWasAuthenticated,omitempty" tf:"confirmation_was_authenticated,omitempty"`
 
+	// JSON String with the delivery policy (retries, backoff, etc.) that will be used in the subscription - this only applies to HTTP/S subscriptions. Refer to the SNS docs for more details.
+	DeliveryPolicy *string `json:"deliveryPolicy,omitempty" tf:"delivery_policy,omitempty"`
+
+	// Endpoint to send data to. The contents vary with the protocol. See details below.
+	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
+
+	// Whether the endpoint is capable of auto confirming subscription (e.g., PagerDuty). Default is false.
+	EndpointAutoConfirms *bool `json:"endpointAutoConfirms,omitempty" tf:"endpoint_auto_confirms,omitempty"`
+
+	// JSON String with the filter policy that will be used in the subscription to filter messages seen by the target resource. Refer to the SNS docs for more details.
+	FilterPolicy *string `json:"filterPolicy,omitempty" tf:"filter_policy,omitempty"`
+
+	// Whether the filter_policy applies to MessageAttributes (default) or MessageBody.
+	FilterPolicyScope *string `json:"filterPolicyScope,omitempty" tf:"filter_policy_scope,omitempty"`
+
 	// ARN of the subscription.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
@@ -29,6 +47,21 @@ type TopicSubscriptionObservation struct {
 
 	// Whether the subscription has not been confirmed.
 	PendingConfirmation *bool `json:"pendingConfirmation,omitempty" tf:"pending_confirmation,omitempty"`
+
+	// Protocol to use. Valid values are: sqs, sms, lambda, firehose, and application. Protocols email, email-json, http and https are also valid but partially supported. See details below.
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
+
+	// Whether to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false.
+	RawMessageDelivery *bool `json:"rawMessageDelivery,omitempty" tf:"raw_message_delivery,omitempty"`
+
+	// JSON String with the redrive policy that will be used in the subscription. Refer to the SNS docs for more details.
+	RedrivePolicy *string `json:"redrivePolicy,omitempty" tf:"redrive_policy,omitempty"`
+
+	// ARN of the IAM role to publish to Kinesis Data Firehose delivery stream. Refer to SNS docs.
+	SubscriptionRoleArn *string `json:"subscriptionRoleArn,omitempty" tf:"subscription_role_arn,omitempty"`
+
+	// ARN of the SNS topic to subscribe to.
+	TopicArn *string `json:"topicArn,omitempty" tf:"topic_arn,omitempty"`
 }
 
 type TopicSubscriptionParameters struct {
@@ -68,8 +101,8 @@ type TopicSubscriptionParameters struct {
 	FilterPolicyScope *string `json:"filterPolicyScope,omitempty" tf:"filter_policy_scope,omitempty"`
 
 	// Protocol to use. Valid values are: sqs, sms, lambda, firehose, and application. Protocols email, email-json, http and https are also valid but partially supported. See details below.
-	// +kubebuilder:validation:Required
-	Protocol *string `json:"protocol" tf:"protocol,omitempty"`
+	// +kubebuilder:validation:Optional
+	Protocol *string `json:"protocol,omitempty" tf:"protocol,omitempty"`
 
 	// Whether to enable raw message delivery (the original message is directly passed, not wrapped in JSON with the original message in the message property). Default is false.
 	// +kubebuilder:validation:Optional
@@ -137,8 +170,9 @@ type TopicSubscriptionStatus struct {
 type TopicSubscription struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TopicSubscriptionSpec   `json:"spec"`
-	Status            TopicSubscriptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)",message="protocol is a required parameter"
+	Spec   TopicSubscriptionSpec   `json:"spec"`
+	Status TopicSubscriptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sqs/v1beta1/zz_generated.deepcopy.go b/apis/sqs/v1beta1/zz_generated.deepcopy.go
index 15b02b8bf7..dfd881c3cb 100644
--- a/apis/sqs/v1beta1/zz_generated.deepcopy.go
+++ b/apis/sqs/v1beta1/zz_generated.deepcopy.go
@@ -81,11 +81,101 @@ func (in *QueueObservation) DeepCopyInto(out *QueueObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.ContentBasedDeduplication != nil {
+		in, out := &in.ContentBasedDeduplication, &out.ContentBasedDeduplication
+		*out = new(bool)
+		**out = **in
+	}
+	if in.DeduplicationScope != nil {
+		in, out := &in.DeduplicationScope, &out.DeduplicationScope
+		*out = new(string)
+		**out = **in
+	}
+	if in.DelaySeconds != nil {
+		in, out := &in.DelaySeconds, &out.DelaySeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.FifoQueue != nil {
+		in, out := &in.FifoQueue, &out.FifoQueue
+		*out = new(bool)
+		**out = **in
+	}
+	if in.FifoThroughputLimit != nil {
+		in, out := &in.FifoThroughputLimit, &out.FifoThroughputLimit
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSDataKeyReusePeriodSeconds != nil {
+		in, out := &in.KMSDataKeyReusePeriodSeconds, &out.KMSDataKeyReusePeriodSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.KMSMasterKeyID != nil {
+		in, out := &in.KMSMasterKeyID, &out.KMSMasterKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxMessageSize != nil {
+		in, out := &in.MaxMessageSize, &out.MaxMessageSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MessageRetentionSeconds != nil {
+		in, out := &in.MessageRetentionSeconds, &out.MessageRetentionSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.ReceiveWaitTimeSeconds != nil {
+		in, out := &in.ReceiveWaitTimeSeconds, &out.ReceiveWaitTimeSeconds
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RedriveAllowPolicy != nil {
+		in, out := &in.RedriveAllowPolicy, &out.RedriveAllowPolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.RedrivePolicy != nil {
+		in, out := &in.RedrivePolicy, &out.RedrivePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.SqsManagedSseEnabled != nil {
+		in, out := &in.SqsManagedSseEnabled, &out.SqsManagedSseEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -106,6 +196,11 @@ func (in *QueueObservation) DeepCopyInto(out *QueueObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.VisibilityTimeoutSeconds != nil {
+		in, out := &in.VisibilityTimeoutSeconds, &out.VisibilityTimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueueObservation.
@@ -300,6 +395,16 @@ func (in *QueuePolicyObservation) DeepCopyInto(out *QueuePolicyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.QueueURL != nil {
+		in, out := &in.QueueURL, &out.QueueURL
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueuePolicyObservation.
@@ -453,6 +558,16 @@ func (in *QueueRedriveAllowPolicyObservation) DeepCopyInto(out *QueueRedriveAllo
 		*out = new(string)
 		**out = **in
 	}
+	if in.QueueURL != nil {
+		in, out := &in.QueueURL, &out.QueueURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.RedriveAllowPolicy != nil {
+		in, out := &in.RedriveAllowPolicy, &out.RedriveAllowPolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueueRedriveAllowPolicyObservation.
@@ -606,6 +721,16 @@ func (in *QueueRedrivePolicyObservation) DeepCopyInto(out *QueueRedrivePolicyObs
 		*out = new(string)
 		**out = **in
 	}
+	if in.QueueURL != nil {
+		in, out := &in.QueueURL, &out.QueueURL
+		*out = new(string)
+		**out = **in
+	}
+	if in.RedrivePolicy != nil {
+		in, out := &in.RedrivePolicy, &out.RedrivePolicy
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new QueueRedrivePolicyObservation.
diff --git a/apis/sqs/v1beta1/zz_queue_types.go b/apis/sqs/v1beta1/zz_queue_types.go
index b029bfff4a..ffb4e105ed 100755
--- a/apis/sqs/v1beta1/zz_queue_types.go
+++ b/apis/sqs/v1beta1/zz_queue_types.go
@@ -18,14 +18,65 @@ type QueueObservation struct {
 	// The ARN of the SQS queue
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Enables content-based deduplication for FIFO queues. For more information, see the related documentation
+	ContentBasedDeduplication *bool `json:"contentBasedDeduplication,omitempty" tf:"content_based_deduplication,omitempty"`
+
+	// Specifies whether message deduplication occurs at the message group or queue level. Valid values are messageGroup and queue (default).
+	DeduplicationScope *string `json:"deduplicationScope,omitempty" tf:"deduplication_scope,omitempty"`
+
+	// The time in seconds that the delivery of all messages in the queue will be delayed. An integer from 0 to 900 (15 minutes). The default for this attribute is 0 seconds.
+	DelaySeconds *float64 `json:"delaySeconds,omitempty" tf:"delay_seconds,omitempty"`
+
+	// Boolean designating a FIFO queue. If not set, it defaults to false making it standard.
+	FifoQueue *bool `json:"fifoQueue,omitempty" tf:"fifo_queue,omitempty"`
+
+	// Specifies whether the FIFO queue throughput quota applies to the entire queue or per message group. Valid values are perQueue (default) and perMessageGroupId.
+	FifoThroughputLimit *string `json:"fifoThroughputLimit,omitempty" tf:"fifo_throughput_limit,omitempty"`
+
 	// The URL for the created Amazon SQS queue.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The length of time, in seconds, for which Amazon SQS can reuse a data key to encrypt or decrypt messages before calling AWS KMS again. An integer representing seconds, between 60 seconds (1 minute) and 86,400 seconds (24 hours). The default is 300 (5 minutes).
+	KMSDataKeyReusePeriodSeconds *float64 `json:"kmsDataKeyReusePeriodSeconds,omitempty" tf:"kms_data_key_reuse_period_seconds,omitempty"`
+
+	// The ID of an AWS-managed customer master key (CMK) for Amazon SQS or a custom CMK. For more information, see Key Terms.
+	KMSMasterKeyID *string `json:"kmsMasterKeyId,omitempty" tf:"kms_master_key_id,omitempty"`
+
+	// The limit of how many bytes a message can contain before Amazon SQS rejects it. An integer from 1024 bytes (1 KiB) up to 262144 bytes (256 KiB). The default for this attribute is 262144 (256 KiB).
+	MaxMessageSize *float64 `json:"maxMessageSize,omitempty" tf:"max_message_size,omitempty"`
+
+	// The number of seconds Amazon SQS retains a message. Integer representing seconds, from 60 (1 minute) to 1209600 (14 days). The default for this attribute is 345600 (4 days).
+	MessageRetentionSeconds *float64 `json:"messageRetentionSeconds,omitempty" tf:"message_retention_seconds,omitempty"`
+
+	// The name of the queue. Queue names must be made up of only uppercase and lowercase ASCII letters, numbers, underscores, and hyphens, and must be between 1 and 80 characters long. For a FIFO (first-in-first-out) queue, the name must end with the .fifo suffix. Conflicts with name_prefix
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The JSON policy for the SQS queue.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// The time for which a ReceiveMessage call will wait for a message to arrive (long polling) before returning. An integer from 0 to 20 (seconds). The default for this attribute is 0, meaning that the call will return immediately.
+	ReceiveWaitTimeSeconds *float64 `json:"receiveWaitTimeSeconds,omitempty" tf:"receive_wait_time_seconds,omitempty"`
+
+	// The JSON policy to set up the Dead Letter Queue redrive permission, see AWS docs.
+	RedriveAllowPolicy *string `json:"redriveAllowPolicy,omitempty" tf:"redrive_allow_policy,omitempty"`
+
+	// The JSON policy to set up the Dead Letter Queue, see AWS docs. Note: when specifying maxReceiveCount, you must specify it as an integer (5), and not a string ("5").
+	RedrivePolicy *string `json:"redrivePolicy,omitempty" tf:"redrive_policy,omitempty"`
+
+	// Boolean to enable server-side encryption (SSE) of message content with SQS-owned encryption keys. See Encryption at rest.
+	SqsManagedSseEnabled *bool `json:"sqsManagedSseEnabled,omitempty" tf:"sqs_managed_sse_enabled,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
 	// Same as id: The URL for the created Amazon SQS queue.
 	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// The visibility timeout for the queue. An integer from 0 to 43200 (12 hours). The default for this attribute is 30. For more information about visibility timeout, see AWS docs.
+	VisibilityTimeoutSeconds *float64 `json:"visibilityTimeoutSeconds,omitempty" tf:"visibility_timeout_seconds,omitempty"`
 }
 
 type QueueParameters struct {
diff --git a/apis/sqs/v1beta1/zz_queuepolicy_types.go b/apis/sqs/v1beta1/zz_queuepolicy_types.go
index a2894c241c..68e30de429 100755
--- a/apis/sqs/v1beta1/zz_queuepolicy_types.go
+++ b/apis/sqs/v1beta1/zz_queuepolicy_types.go
@@ -15,13 +15,19 @@ import (
 
 type QueuePolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The JSON policy for the SQS queue.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// The URL of the SQS Queue to which to attach the policy
+	QueueURL *string `json:"queueUrl,omitempty" tf:"queue_url,omitempty"`
 }
 
 type QueuePolicyParameters struct {
 
 	// The JSON policy for the SQS queue.
-	// +kubebuilder:validation:Required
-	Policy *string `json:"policy" tf:"policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
 
 	// The URL of the SQS Queue to which to attach the policy
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/sqs/v1beta1.Queue
@@ -67,8 +73,9 @@ type QueuePolicyStatus struct {
 type QueuePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              QueuePolicySpec   `json:"spec"`
-	Status            QueuePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)",message="policy is a required parameter"
+	Spec   QueuePolicySpec   `json:"spec"`
+	Status QueuePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sqs/v1beta1/zz_queueredriveallowpolicy_types.go b/apis/sqs/v1beta1/zz_queueredriveallowpolicy_types.go
index 620ef83a9e..41efcb7fab 100755
--- a/apis/sqs/v1beta1/zz_queueredriveallowpolicy_types.go
+++ b/apis/sqs/v1beta1/zz_queueredriveallowpolicy_types.go
@@ -15,6 +15,12 @@ import (
 
 type QueueRedriveAllowPolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The URL of the SQS Queue to which to attach the policy
+	QueueURL *string `json:"queueUrl,omitempty" tf:"queue_url,omitempty"`
+
+	// The JSON redrive allow policy for the SQS queue. Learn more in the Amazon SQS dead-letter queues documentation.
+	RedriveAllowPolicy *string `json:"redriveAllowPolicy,omitempty" tf:"redrive_allow_policy,omitempty"`
 }
 
 type QueueRedriveAllowPolicyParameters struct {
@@ -34,8 +40,8 @@ type QueueRedriveAllowPolicyParameters struct {
 	QueueURLSelector *v1.Selector `json:"queueUrlSelector,omitempty" tf:"-"`
 
 	// The JSON redrive allow policy for the SQS queue. Learn more in the Amazon SQS dead-letter queues documentation.
-	// +kubebuilder:validation:Required
-	RedriveAllowPolicy *string `json:"redriveAllowPolicy" tf:"redrive_allow_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	RedriveAllowPolicy *string `json:"redriveAllowPolicy,omitempty" tf:"redrive_allow_policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +73,9 @@ type QueueRedriveAllowPolicyStatus struct {
 type QueueRedriveAllowPolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              QueueRedriveAllowPolicySpec   `json:"spec"`
-	Status            QueueRedriveAllowPolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.redriveAllowPolicy)",message="redriveAllowPolicy is a required parameter"
+	Spec   QueueRedriveAllowPolicySpec   `json:"spec"`
+	Status QueueRedriveAllowPolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/sqs/v1beta1/zz_queueredrivepolicy_types.go b/apis/sqs/v1beta1/zz_queueredrivepolicy_types.go
index b69565e38d..d5e037b674 100755
--- a/apis/sqs/v1beta1/zz_queueredrivepolicy_types.go
+++ b/apis/sqs/v1beta1/zz_queueredrivepolicy_types.go
@@ -15,6 +15,12 @@ import (
 
 type QueueRedrivePolicyObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The URL of the SQS Queue to which to attach the policy
+	QueueURL *string `json:"queueUrl,omitempty" tf:"queue_url,omitempty"`
+
+	// The JSON redrive policy for the SQS queue. Accepts two key/val pairs: deadLetterTargetArn and maxReceiveCount. Learn more in the Amazon SQS dead-letter queues documentation.
+	RedrivePolicy *string `json:"redrivePolicy,omitempty" tf:"redrive_policy,omitempty"`
 }
 
 type QueueRedrivePolicyParameters struct {
@@ -34,8 +40,8 @@ type QueueRedrivePolicyParameters struct {
 	QueueURLSelector *v1.Selector `json:"queueUrlSelector,omitempty" tf:"-"`
 
 	// The JSON redrive policy for the SQS queue. Accepts two key/val pairs: deadLetterTargetArn and maxReceiveCount. Learn more in the Amazon SQS dead-letter queues documentation.
-	// +kubebuilder:validation:Required
-	RedrivePolicy *string `json:"redrivePolicy" tf:"redrive_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	RedrivePolicy *string `json:"redrivePolicy,omitempty" tf:"redrive_policy,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -67,8 +73,9 @@ type QueueRedrivePolicyStatus struct {
 type QueueRedrivePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              QueueRedrivePolicySpec   `json:"spec"`
-	Status            QueueRedrivePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.redrivePolicy)",message="redrivePolicy is a required parameter"
+	Spec   QueueRedrivePolicySpec   `json:"spec"`
+	Status QueueRedrivePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_activation_types.go b/apis/ssm/v1beta1/zz_activation_types.go
index e721880585..8001eaa294 100755
--- a/apis/ssm/v1beta1/zz_activation_types.go
+++ b/apis/ssm/v1beta1/zz_activation_types.go
@@ -18,15 +18,33 @@ type ActivationObservation struct {
 	// The code the system generates when it processes the activation.
 	ActivationCode *string `json:"activationCode,omitempty" tf:"activation_code,omitempty"`
 
+	// The description of the resource that you want to register.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// UTC timestamp in RFC3339 format by which this activation request should expire. The default value is 24 hours from resource creation time.
+	ExpirationDate *string `json:"expirationDate,omitempty" tf:"expiration_date,omitempty"`
+
 	// If the current activation has expired.
 	Expired *bool `json:"expired,omitempty" tf:"expired,omitempty"`
 
+	// The IAM Role to attach to the managed instance.
+	IAMRole *string `json:"iamRole,omitempty" tf:"iam_role,omitempty"`
+
 	// The activation ID.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The default name of the registered managed instance.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
 	// The number of managed instances that are currently registered using this activation.
 	RegistrationCount *float64 `json:"registrationCount,omitempty" tf:"registration_count,omitempty"`
 
+	// The maximum number of managed instances you want to register. The default value is 1 instance.
+	RegistrationLimit *float64 `json:"registrationLimit,omitempty" tf:"registration_limit,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/ssm/v1beta1/zz_association_types.go b/apis/ssm/v1beta1/zz_association_types.go
index b780d104c7..807c244153 100755
--- a/apis/ssm/v1beta1/zz_association_types.go
+++ b/apis/ssm/v1beta1/zz_association_types.go
@@ -15,13 +15,55 @@ import (
 
 type AssociationObservation struct {
 
+	// By default, when you create a new or update associations, the system runs it immediately and then according to the schedule you specified. Enable this option if you do not want an association to run immediately after you create or update it. This parameter is not supported for rate expressions. Default: false.
+	ApplyOnlyAtCronInterval *bool `json:"applyOnlyAtCronInterval,omitempty" tf:"apply_only_at_cron_interval,omitempty"`
+
 	// The ARN of the SSM association
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
 	// The ID of the SSM association.
 	AssociationID *string `json:"associationId,omitempty" tf:"association_id,omitempty"`
 
+	// The descriptive name for the association.
+	AssociationName *string `json:"associationName,omitempty" tf:"association_name,omitempty"`
+
+	// Specify the target for the association. This target is required for associations that use an Automation document and target resources by using rate controls. This should be set to the SSM document parameter that will define how your automation will branch out.
+	AutomationTargetParameterName *string `json:"automationTargetParameterName,omitempty" tf:"automation_target_parameter_name,omitempty"`
+
+	// The compliance severity for the association. Can be one of the following: UNSPECIFIED, LOW, MEDIUM, HIGH or CRITICAL
+	ComplianceSeverity *string `json:"complianceSeverity,omitempty" tf:"compliance_severity,omitempty"`
+
+	// The document version you want to associate with the target(s). Can be a specific version or the default version.
+	DocumentVersion *string `json:"documentVersion,omitempty" tf:"document_version,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The instance ID to apply an SSM document to. Use targets with key InstanceIds for document schema versions 2.0 and above.
+	InstanceID *string `json:"instanceId,omitempty" tf:"instance_id,omitempty"`
+
+	// The maximum number of targets allowed to run the association at the same time. You can specify a number, for example 10, or a percentage of the target set, for example 10%.
+	MaxConcurrency *string `json:"maxConcurrency,omitempty" tf:"max_concurrency,omitempty"`
+
+	// The number of errors that are allowed before the system stops sending requests to run the association on additional targets. You can specify a number, for example 10, or a percentage of the target set, for example 10%.
+	MaxErrors *string `json:"maxErrors,omitempty" tf:"max_errors,omitempty"`
+
+	// The name of the SSM document to apply.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// An output location block. Output Location is documented below.
+	OutputLocation []OutputLocationObservation `json:"outputLocation,omitempty" tf:"output_location,omitempty"`
+
+	// A block of arbitrary string parameters to pass to the SSM document.
+	Parameters map[string]*string `json:"parameters,omitempty" tf:"parameters,omitempty"`
+
+	// A cron or rate expression that specifies when the association runs.
+	ScheduleExpression *string `json:"scheduleExpression,omitempty" tf:"schedule_expression,omitempty"`
+
+	// A block containing the targets of the SSM association. Targets are documented below. AWS currently supports a maximum of 5 targets.
+	Targets []TargetsObservation `json:"targets,omitempty" tf:"targets,omitempty"`
+
+	// The number of seconds to wait for the association status to be Success. If Success status is not reached within the given time, create opration will fail.
+	WaitForSuccessTimeoutSeconds *float64 `json:"waitForSuccessTimeoutSeconds,omitempty" tf:"wait_for_success_timeout_seconds,omitempty"`
 }
 
 type AssociationParameters struct {
@@ -98,6 +140,15 @@ type AssociationParameters struct {
 }
 
 type OutputLocationObservation struct {
+
+	// The S3 bucket name.
+	S3BucketName *string `json:"s3BucketName,omitempty" tf:"s3_bucket_name,omitempty"`
+
+	// The S3 bucket prefix. Results stored in the root if not configured.
+	S3KeyPrefix *string `json:"s3KeyPrefix,omitempty" tf:"s3_key_prefix,omitempty"`
+
+	// The S3 bucket region.
+	S3Region *string `json:"s3Region,omitempty" tf:"s3_region,omitempty"`
 }
 
 type OutputLocationParameters struct {
@@ -116,6 +167,12 @@ type OutputLocationParameters struct {
 }
 
 type TargetsObservation struct {
+
+	// Either InstanceIds or tag:Tag Name to specify an EC2 tag.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// A list of instance IDs or tag values. AWS currently limits this list size to one value.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type TargetsParameters struct {
diff --git a/apis/ssm/v1beta1/zz_defaultpatchbaseline_types.go b/apis/ssm/v1beta1/zz_defaultpatchbaseline_types.go
index cf265a68c5..3cbccfdbc3 100755
--- a/apis/ssm/v1beta1/zz_defaultpatchbaseline_types.go
+++ b/apis/ssm/v1beta1/zz_defaultpatchbaseline_types.go
@@ -14,7 +14,30 @@ import (
 )
 
 type DefaultPatchBaselineObservation struct {
+
+	// ID of the patch baseline.
+	// Can be an ID or an ARN.
+	// When specifying an AWS-provided patch baseline, must be the ARN.
+	BaselineID *string `json:"baselineId,omitempty" tf:"baseline_id,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The operating system the patch baseline applies to.
+	// Valid values are
+	// AMAZON_LINUX,
+	// AMAZON_LINUX_2,
+	// AMAZON_LINUX_2022,
+	// CENTOS,
+	// DEBIAN,
+	// MACOS,
+	// ORACLE_LINUX,
+	// RASPBIAN,
+	// REDHAT_ENTERPRISE_LINUX,
+	// ROCKY_LINUX,
+	// SUSE,
+	// UBUNTU, and
+	// WINDOWS.
+	OperatingSystem *string `json:"operatingSystem,omitempty" tf:"operating_system,omitempty"`
 }
 
 type DefaultPatchBaselineParameters struct {
diff --git a/apis/ssm/v1beta1/zz_document_types.go b/apis/ssm/v1beta1/zz_document_types.go
index 8baf375eb0..a875772166 100755
--- a/apis/ssm/v1beta1/zz_document_types.go
+++ b/apis/ssm/v1beta1/zz_document_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type AttachmentsSourceObservation struct {
+
+	// The key describing the location of an attachment to a document. Valid key types include: SourceUrl and S3FileUrl
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The name of the document attachment file
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The value describing the location of an attachment to a document
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type AttachmentsSourceParameters struct {
@@ -34,6 +43,12 @@ type AttachmentsSourceParameters struct {
 type DocumentObservation struct {
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// One or more configuration blocks describing attachments sources to a version of a document. Defined below.
+	AttachmentsSource []AttachmentsSourceObservation `json:"attachmentsSource,omitempty" tf:"attachments_source,omitempty"`
+
+	// The JSON or YAML content of the document.
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
+
 	// The date the document was created.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
@@ -43,6 +58,12 @@ type DocumentObservation struct {
 	// The description of the document.
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
+	// The format of the document. Valid document types include: JSON and YAML
+	DocumentFormat *string `json:"documentFormat,omitempty" tf:"document_format,omitempty"`
+
+	// The type of the document. Valid document types include: Automation, Command, Package, Policy, and Session
+	DocumentType *string `json:"documentType,omitempty" tf:"document_type,omitempty"`
+
 	// The document version.
 	DocumentVersion *string `json:"documentVersion,omitempty" tf:"document_version,omitempty"`
 
@@ -63,6 +84,9 @@ type DocumentObservation struct {
 	// The parameters that are available to this document.
 	Parameter []ParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
 
+	// Additional Permissions to attach to the document. See Permissions below for details.
+	Permissions map[string]*string `json:"permissions,omitempty" tf:"permissions,omitempty"`
+
 	// A list of OS platforms compatible with this SSM document, either "Windows" or "Linux".
 	PlatformTypes []*string `json:"platformTypes,omitempty" tf:"platform_types,omitempty"`
 
@@ -72,8 +96,17 @@ type DocumentObservation struct {
 	// "Creating", "Active" or "Deleting". The current status of the document.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The target type which defines the kinds of resources the document can run on. For example, /AWS::EC2::Instance. For a list of valid resource types, see AWS Resource Types Reference (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html)
+	TargetType *string `json:"targetType,omitempty" tf:"target_type,omitempty"`
+
+	// A field specifying the version of the artifact you are creating with the document. For example, "Release 12, Update 6". This value is unique across all versions of a document and cannot be changed for an existing document version.
+	VersionName *string `json:"versionName,omitempty" tf:"version_name,omitempty"`
 }
 
 type DocumentParameters struct {
@@ -83,16 +116,16 @@ type DocumentParameters struct {
 	AttachmentsSource []AttachmentsSourceParameters `json:"attachmentsSource,omitempty" tf:"attachments_source,omitempty"`
 
 	// The JSON or YAML content of the document.
-	// +kubebuilder:validation:Required
-	Content *string `json:"content" tf:"content,omitempty"`
+	// +kubebuilder:validation:Optional
+	Content *string `json:"content,omitempty" tf:"content,omitempty"`
 
 	// The format of the document. Valid document types include: JSON and YAML
 	// +kubebuilder:validation:Optional
 	DocumentFormat *string `json:"documentFormat,omitempty" tf:"document_format,omitempty"`
 
 	// The type of the document. Valid document types include: Automation, Command, Package, Policy, and Session
-	// +kubebuilder:validation:Required
-	DocumentType *string `json:"documentType" tf:"document_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	DocumentType *string `json:"documentType,omitempty" tf:"document_type,omitempty"`
 
 	// Additional Permissions to attach to the document. See Permissions below for details.
 	// +kubebuilder:validation:Optional
@@ -156,8 +189,10 @@ type DocumentStatus struct {
 type Document struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DocumentSpec   `json:"spec"`
-	Status            DocumentStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)",message="content is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.documentType)",message="documentType is a required parameter"
+	Spec   DocumentSpec   `json:"spec"`
+	Status DocumentStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_generated.deepcopy.go b/apis/ssm/v1beta1/zz_generated.deepcopy.go
index 7396fc2168..f047b7dba2 100644
--- a/apis/ssm/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ssm/v1beta1/zz_generated.deepcopy.go
@@ -81,21 +81,61 @@ func (in *ActivationObservation) DeepCopyInto(out *ActivationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.ExpirationDate != nil {
+		in, out := &in.ExpirationDate, &out.ExpirationDate
+		*out = new(string)
+		**out = **in
+	}
 	if in.Expired != nil {
 		in, out := &in.Expired, &out.Expired
 		*out = new(bool)
 		**out = **in
 	}
+	if in.IAMRole != nil {
+		in, out := &in.IAMRole, &out.IAMRole
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 	if in.RegistrationCount != nil {
 		in, out := &in.RegistrationCount, &out.RegistrationCount
 		*out = new(float64)
 		**out = **in
 	}
+	if in.RegistrationLimit != nil {
+		in, out := &in.RegistrationLimit, &out.RegistrationLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -230,6 +270,33 @@ func (in *ActivationStatus) DeepCopy() *ActivationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ApprovalRuleObservation) DeepCopyInto(out *ApprovalRuleObservation) {
 	*out = *in
+	if in.ApproveAfterDays != nil {
+		in, out := &in.ApproveAfterDays, &out.ApproveAfterDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ApproveUntilDate != nil {
+		in, out := &in.ApproveUntilDate, &out.ApproveUntilDate
+		*out = new(string)
+		**out = **in
+	}
+	if in.ComplianceLevel != nil {
+		in, out := &in.ComplianceLevel, &out.ComplianceLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableNonSecurity != nil {
+		in, out := &in.EnableNonSecurity, &out.EnableNonSecurity
+		*out = new(bool)
+		**out = **in
+	}
+	if in.PatchFilter != nil {
+		in, out := &in.PatchFilter, &out.PatchFilter
+		*out = make([]PatchFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApprovalRuleObservation.
@@ -346,6 +413,11 @@ func (in *AssociationList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AssociationObservation) DeepCopyInto(out *AssociationObservation) {
 	*out = *in
+	if in.ApplyOnlyAtCronInterval != nil {
+		in, out := &in.ApplyOnlyAtCronInterval, &out.ApplyOnlyAtCronInterval
+		*out = new(bool)
+		**out = **in
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
@@ -356,11 +428,90 @@ func (in *AssociationObservation) DeepCopyInto(out *AssociationObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AssociationName != nil {
+		in, out := &in.AssociationName, &out.AssociationName
+		*out = new(string)
+		**out = **in
+	}
+	if in.AutomationTargetParameterName != nil {
+		in, out := &in.AutomationTargetParameterName, &out.AutomationTargetParameterName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ComplianceSeverity != nil {
+		in, out := &in.ComplianceSeverity, &out.ComplianceSeverity
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentVersion != nil {
+		in, out := &in.DocumentVersion, &out.DocumentVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceID != nil {
+		in, out := &in.InstanceID, &out.InstanceID
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxConcurrency != nil {
+		in, out := &in.MaxConcurrency, &out.MaxConcurrency
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxErrors != nil {
+		in, out := &in.MaxErrors, &out.MaxErrors
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputLocation != nil {
+		in, out := &in.OutputLocation, &out.OutputLocation
+		*out = make([]OutputLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Parameters != nil {
+		in, out := &in.Parameters, &out.Parameters
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.ScheduleExpression != nil {
+		in, out := &in.ScheduleExpression, &out.ScheduleExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.Targets != nil {
+		in, out := &in.Targets, &out.Targets
+		*out = make([]TargetsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WaitForSuccessTimeoutSeconds != nil {
+		in, out := &in.WaitForSuccessTimeoutSeconds, &out.WaitForSuccessTimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AssociationObservation.
@@ -524,6 +675,27 @@ func (in *AssociationStatus) DeepCopy() *AssociationStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AttachmentsSourceObservation) DeepCopyInto(out *AttachmentsSourceObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AttachmentsSourceObservation.
@@ -575,6 +747,18 @@ func (in *AttachmentsSourceParameters) DeepCopy() *AttachmentsSourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutomationParametersObservation) DeepCopyInto(out *AutomationParametersObservation) {
 	*out = *in
+	if in.DocumentVersion != nil {
+		in, out := &in.DocumentVersion, &out.DocumentVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]AutomationParametersParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutomationParametersObservation.
@@ -590,6 +774,22 @@ func (in *AutomationParametersObservation) DeepCopy() *AutomationParametersObser
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *AutomationParametersParameterObservation) DeepCopyInto(out *AutomationParametersParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AutomationParametersParameterObservation.
@@ -663,6 +863,16 @@ func (in *AutomationParametersParameters) DeepCopy() *AutomationParametersParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CloudwatchConfigObservation) DeepCopyInto(out *CloudwatchConfigObservation) {
 	*out = *in
+	if in.CloudwatchLogGroupName != nil {
+		in, out := &in.CloudwatchLogGroupName, &out.CloudwatchLogGroupName
+		*out = new(string)
+		**out = **in
+	}
+	if in.CloudwatchOutputEnabled != nil {
+		in, out := &in.CloudwatchOutputEnabled, &out.CloudwatchOutputEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CloudwatchConfigObservation.
@@ -762,11 +972,21 @@ func (in *DefaultPatchBaselineList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultPatchBaselineObservation) DeepCopyInto(out *DefaultPatchBaselineObservation) {
 	*out = *in
+	if in.BaselineID != nil {
+		in, out := &in.BaselineID, &out.BaselineID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OperatingSystem != nil {
+		in, out := &in.OperatingSystem, &out.OperatingSystem
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultPatchBaselineObservation.
@@ -930,6 +1150,18 @@ func (in *DocumentObservation) DeepCopyInto(out *DocumentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.AttachmentsSource != nil {
+		in, out := &in.AttachmentsSource, &out.AttachmentsSource
+		*out = make([]AttachmentsSourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Content != nil {
+		in, out := &in.Content, &out.Content
+		*out = new(string)
+		**out = **in
+	}
 	if in.CreatedDate != nil {
 		in, out := &in.CreatedDate, &out.CreatedDate
 		*out = new(string)
@@ -945,6 +1177,16 @@ func (in *DocumentObservation) DeepCopyInto(out *DocumentObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DocumentFormat != nil {
+		in, out := &in.DocumentFormat, &out.DocumentFormat
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentType != nil {
+		in, out := &in.DocumentType, &out.DocumentType
+		*out = new(string)
+		**out = **in
+	}
 	if in.DocumentVersion != nil {
 		in, out := &in.DocumentVersion, &out.DocumentVersion
 		*out = new(string)
@@ -982,6 +1224,21 @@ func (in *DocumentObservation) DeepCopyInto(out *DocumentObservation) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Permissions != nil {
+		in, out := &in.Permissions, &out.Permissions
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.PlatformTypes != nil {
 		in, out := &in.PlatformTypes, &out.PlatformTypes
 		*out = make([]*string, len(*in))
@@ -1003,8 +1260,8 @@ func (in *DocumentObservation) DeepCopyInto(out *DocumentObservation) {
 		*out = new(string)
 		**out = **in
 	}
-	if in.TagsAll != nil {
-		in, out := &in.TagsAll, &out.TagsAll
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
 		*out = make(map[string]*string, len(*in))
 		for key, val := range *in {
 			var outVal *string
@@ -1018,6 +1275,31 @@ func (in *DocumentObservation) DeepCopyInto(out *DocumentObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.TagsAll != nil {
+		in, out := &in.TagsAll, &out.TagsAll
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.TargetType != nil {
+		in, out := &in.TargetType, &out.TargetType
+		*out = new(string)
+		**out = **in
+	}
+	if in.VersionName != nil {
+		in, out := &in.VersionName, &out.VersionName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DocumentObservation.
@@ -1149,6 +1431,22 @@ func (in *DocumentStatus) DeepCopy() *DocumentStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GlobalFilterObservation) DeepCopyInto(out *GlobalFilterObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalFilterObservation.
@@ -1195,6 +1493,16 @@ func (in *GlobalFilterParameters) DeepCopy() *GlobalFilterParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LambdaParametersObservation) DeepCopyInto(out *LambdaParametersObservation) {
 	*out = *in
+	if in.ClientContext != nil {
+		in, out := &in.ClientContext, &out.ClientContext
+		*out = new(string)
+		**out = **in
+	}
+	if in.Qualifier != nil {
+		in, out := &in.Qualifier, &out.Qualifier
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LambdaParametersObservation.
@@ -1299,11 +1607,81 @@ func (in *MaintenanceWindowList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceWindowObservation) DeepCopyInto(out *MaintenanceWindowObservation) {
 	*out = *in
+	if in.AllowUnassociatedTargets != nil {
+		in, out := &in.AllowUnassociatedTargets, &out.AllowUnassociatedTargets
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Cutoff != nil {
+		in, out := &in.Cutoff, &out.Cutoff
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Duration != nil {
+		in, out := &in.Duration, &out.Duration
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Enabled != nil {
+		in, out := &in.Enabled, &out.Enabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EndDate != nil {
+		in, out := &in.EndDate, &out.EndDate
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Schedule != nil {
+		in, out := &in.Schedule, &out.Schedule
+		*out = new(string)
+		**out = **in
+	}
+	if in.ScheduleOffset != nil {
+		in, out := &in.ScheduleOffset, &out.ScheduleOffset
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ScheduleTimezone != nil {
+		in, out := &in.ScheduleTimezone, &out.ScheduleTimezone
+		*out = new(string)
+		**out = **in
+	}
+	if in.StartDate != nil {
+		in, out := &in.StartDate, &out.StartDate
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1517,11 +1895,43 @@ func (in *MaintenanceWindowTargetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceWindowTargetObservation) DeepCopyInto(out *MaintenanceWindowTargetObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OwnerInformation != nil {
+		in, out := &in.OwnerInformation, &out.OwnerInformation
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceType != nil {
+		in, out := &in.ResourceType, &out.ResourceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Targets != nil {
+		in, out := &in.Targets, &out.Targets
+		*out = make([]MaintenanceWindowTargetTargetsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WindowID != nil {
+		in, out := &in.WindowID, &out.WindowID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceWindowTargetObservation.
@@ -1633,6 +2043,22 @@ func (in *MaintenanceWindowTargetStatus) DeepCopy() *MaintenanceWindowTargetStat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceWindowTargetTargetsObservation) DeepCopyInto(out *MaintenanceWindowTargetTargetsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceWindowTargetTargetsObservation.
@@ -1743,11 +2169,75 @@ func (in *MaintenanceWindowTaskObservation) DeepCopyInto(out *MaintenanceWindowT
 		*out = new(string)
 		**out = **in
 	}
+	if in.CutoffBehavior != nil {
+		in, out := &in.CutoffBehavior, &out.CutoffBehavior
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MaxConcurrency != nil {
+		in, out := &in.MaxConcurrency, &out.MaxConcurrency
+		*out = new(string)
+		**out = **in
+	}
+	if in.MaxErrors != nil {
+		in, out := &in.MaxErrors, &out.MaxErrors
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ServiceRoleArn != nil {
+		in, out := &in.ServiceRoleArn, &out.ServiceRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Targets != nil {
+		in, out := &in.Targets, &out.Targets
+		*out = make([]MaintenanceWindowTaskTargetsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TaskArn != nil {
+		in, out := &in.TaskArn, &out.TaskArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TaskInvocationParameters != nil {
+		in, out := &in.TaskInvocationParameters, &out.TaskInvocationParameters
+		*out = make([]TaskInvocationParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TaskType != nil {
+		in, out := &in.TaskType, &out.TaskType
+		*out = new(string)
+		**out = **in
+	}
+	if in.WindowID != nil {
+		in, out := &in.WindowID, &out.WindowID
+		*out = new(string)
+		**out = **in
+	}
 	if in.WindowTaskID != nil {
 		in, out := &in.WindowTaskID, &out.WindowTaskID
 		*out = new(string)
@@ -1916,6 +2406,22 @@ func (in *MaintenanceWindowTaskStatus) DeepCopy() *MaintenanceWindowTaskStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MaintenanceWindowTaskTargetsObservation) DeepCopyInto(out *MaintenanceWindowTaskTargetsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MaintenanceWindowTaskTargetsObservation.
@@ -1962,6 +2468,27 @@ func (in *MaintenanceWindowTaskTargetsParameters) DeepCopy() *MaintenanceWindowT
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NotificationConfigObservation) DeepCopyInto(out *NotificationConfigObservation) {
 	*out = *in
+	if in.NotificationArn != nil {
+		in, out := &in.NotificationArn, &out.NotificationArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationEvents != nil {
+		in, out := &in.NotificationEvents, &out.NotificationEvents
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.NotificationType != nil {
+		in, out := &in.NotificationType, &out.NotificationType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NotificationConfigObservation.
@@ -2023,6 +2550,21 @@ func (in *NotificationConfigParameters) DeepCopy() *NotificationConfigParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OutputLocationObservation) DeepCopyInto(out *OutputLocationObservation) {
 	*out = *in
+	if in.S3BucketName != nil {
+		in, out := &in.S3BucketName, &out.S3BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3KeyPrefix != nil {
+		in, out := &in.S3KeyPrefix, &out.S3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3Region != nil {
+		in, out := &in.S3Region, &out.S3Region
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OutputLocationObservation.
@@ -2162,11 +2704,61 @@ func (in *ParameterObservation) DeepCopy() *ParameterObservation {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ParameterObservation_2) DeepCopyInto(out *ParameterObservation_2) {
 	*out = *in
+	if in.AllowedPattern != nil {
+		in, out := &in.AllowedPattern, &out.AllowedPattern
+		*out = new(string)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.DataType != nil {
+		in, out := &in.DataType, &out.DataType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InsecureValue != nil {
+		in, out := &in.InsecureValue, &out.InsecureValue
+		*out = new(string)
+		**out = **in
+	}
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Overwrite != nil {
+		in, out := &in.Overwrite, &out.Overwrite
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2182,6 +2774,16 @@ func (in *ParameterObservation_2) DeepCopyInto(out *ParameterObservation_2) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.Tier != nil {
+		in, out := &in.Tier, &out.Tier
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 	if in.Version != nil {
 		in, out := &in.Version, &out.Version
 		*out = new(float64)
@@ -2389,22 +2991,110 @@ func (in *PatchBaselineList) DeepCopyObject() runtime.Object {
 	if c := in.DeepCopy(); c != nil {
 		return c
 	}
-	return nil
-}
-
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *PatchBaselineObservation) DeepCopyInto(out *PatchBaselineObservation) {
-	*out = *in
-	if in.Arn != nil {
-		in, out := &in.Arn, &out.Arn
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *PatchBaselineObservation) DeepCopyInto(out *PatchBaselineObservation) {
+	*out = *in
+	if in.ApprovalRule != nil {
+		in, out := &in.ApprovalRule, &out.ApprovalRule
+		*out = make([]ApprovalRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ApprovedPatches != nil {
+		in, out := &in.ApprovedPatches, &out.ApprovedPatches
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.ApprovedPatchesComplianceLevel != nil {
+		in, out := &in.ApprovedPatchesComplianceLevel, &out.ApprovedPatchesComplianceLevel
+		*out = new(string)
+		**out = **in
+	}
+	if in.ApprovedPatchesEnableNonSecurity != nil {
+		in, out := &in.ApprovedPatchesEnableNonSecurity, &out.ApprovedPatchesEnableNonSecurity
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Arn != nil {
+		in, out := &in.Arn, &out.Arn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.GlobalFilter != nil {
+		in, out := &in.GlobalFilter, &out.GlobalFilter
+		*out = make([]GlobalFilterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ID != nil {
+		in, out := &in.ID, &out.ID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OperatingSystem != nil {
+		in, out := &in.OperatingSystem, &out.OperatingSystem
 		*out = new(string)
 		**out = **in
 	}
-	if in.ID != nil {
-		in, out := &in.ID, &out.ID
+	if in.RejectedPatches != nil {
+		in, out := &in.RejectedPatches, &out.RejectedPatches
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.RejectedPatchesAction != nil {
+		in, out := &in.RejectedPatchesAction, &out.RejectedPatchesAction
 		*out = new(string)
 		**out = **in
 	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = make([]SourceObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2577,6 +3267,22 @@ func (in *PatchBaselineStatus) DeepCopy() *PatchBaselineStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PatchFilterObservation) DeepCopyInto(out *PatchFilterObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PatchFilterObservation.
@@ -2682,11 +3388,21 @@ func (in *PatchGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PatchGroupObservation) DeepCopyInto(out *PatchGroupObservation) {
 	*out = *in
+	if in.BaselineID != nil {
+		in, out := &in.BaselineID, &out.BaselineID
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.PatchGroup != nil {
+		in, out := &in.PatchGroup, &out.PatchGroup
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PatchGroupObservation.
@@ -2840,6 +3556,13 @@ func (in *ResourceDataSyncObservation) DeepCopyInto(out *ResourceDataSyncObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.S3Destination != nil {
+		in, out := &in.S3Destination, &out.S3Destination
+		*out = make([]S3DestinationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ResourceDataSyncObservation.
@@ -2916,6 +3639,67 @@ func (in *ResourceDataSyncStatus) DeepCopy() *ResourceDataSyncStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunCommandParametersObservation) DeepCopyInto(out *RunCommandParametersObservation) {
 	*out = *in
+	if in.CloudwatchConfig != nil {
+		in, out := &in.CloudwatchConfig, &out.CloudwatchConfig
+		*out = make([]CloudwatchConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Comment != nil {
+		in, out := &in.Comment, &out.Comment
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentHash != nil {
+		in, out := &in.DocumentHash, &out.DocumentHash
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentHashType != nil {
+		in, out := &in.DocumentHashType, &out.DocumentHashType
+		*out = new(string)
+		**out = **in
+	}
+	if in.DocumentVersion != nil {
+		in, out := &in.DocumentVersion, &out.DocumentVersion
+		*out = new(string)
+		**out = **in
+	}
+	if in.NotificationConfig != nil {
+		in, out := &in.NotificationConfig, &out.NotificationConfig
+		*out = make([]NotificationConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OutputS3Bucket != nil {
+		in, out := &in.OutputS3Bucket, &out.OutputS3Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.OutputS3KeyPrefix != nil {
+		in, out := &in.OutputS3KeyPrefix, &out.OutputS3KeyPrefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Parameter != nil {
+		in, out := &in.Parameter, &out.Parameter
+		*out = make([]RunCommandParametersParameterObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.ServiceRoleArn != nil {
+		in, out := &in.ServiceRoleArn, &out.ServiceRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunCommandParametersObservation.
@@ -2931,6 +3715,22 @@ func (in *RunCommandParametersObservation) DeepCopy() *RunCommandParametersObser
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RunCommandParametersParameterObservation) DeepCopyInto(out *RunCommandParametersParameterObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RunCommandParametersParameterObservation.
@@ -3073,6 +3873,31 @@ func (in *RunCommandParametersParameters) DeepCopy() *RunCommandParametersParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3DestinationObservation) DeepCopyInto(out *S3DestinationObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyArn != nil {
+		in, out := &in.KMSKeyArn, &out.KMSKeyArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Prefix != nil {
+		in, out := &in.Prefix, &out.Prefix
+		*out = new(string)
+		**out = **in
+	}
+	if in.Region != nil {
+		in, out := &in.Region, &out.Region
+		*out = new(string)
+		**out = **in
+	}
+	if in.SyncFormat != nil {
+		in, out := &in.SyncFormat, &out.SyncFormat
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3DestinationObservation.
@@ -3217,6 +4042,16 @@ func (in *ServiceSettingObservation) DeepCopyInto(out *ServiceSettingObservation
 		*out = new(string)
 		**out = **in
 	}
+	if in.SettingID != nil {
+		in, out := &in.SettingID, &out.SettingID
+		*out = new(string)
+		**out = **in
+	}
+	if in.SettingValue != nil {
+		in, out := &in.SettingValue, &out.SettingValue
+		*out = new(string)
+		**out = **in
+	}
 	if in.Status != nil {
 		in, out := &in.Status, &out.Status
 		*out = new(string)
@@ -3301,6 +4136,27 @@ func (in *ServiceSettingStatus) DeepCopy() *ServiceSettingStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SourceObservation) DeepCopyInto(out *SourceObservation) {
 	*out = *in
+	if in.Configuration != nil {
+		in, out := &in.Configuration, &out.Configuration
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Products != nil {
+		in, out := &in.Products, &out.Products
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SourceObservation.
@@ -3352,6 +4208,11 @@ func (in *SourceParameters) DeepCopy() *SourceParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepFunctionsParametersObservation) DeepCopyInto(out *StepFunctionsParametersObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepFunctionsParametersObservation.
@@ -3392,6 +4253,22 @@ func (in *StepFunctionsParametersParameters) DeepCopy() *StepFunctionsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TargetsObservation) DeepCopyInto(out *TargetsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Values != nil {
+		in, out := &in.Values, &out.Values
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetsObservation.
@@ -3438,6 +4315,34 @@ func (in *TargetsParameters) DeepCopy() *TargetsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TaskInvocationParametersObservation) DeepCopyInto(out *TaskInvocationParametersObservation) {
 	*out = *in
+	if in.AutomationParameters != nil {
+		in, out := &in.AutomationParameters, &out.AutomationParameters
+		*out = make([]AutomationParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LambdaParameters != nil {
+		in, out := &in.LambdaParameters, &out.LambdaParameters
+		*out = make([]LambdaParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RunCommandParameters != nil {
+		in, out := &in.RunCommandParameters, &out.RunCommandParameters
+		*out = make([]RunCommandParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.StepFunctionsParameters != nil {
+		in, out := &in.StepFunctionsParameters, &out.StepFunctionsParameters
+		*out = make([]StepFunctionsParametersObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TaskInvocationParametersObservation.
diff --git a/apis/ssm/v1beta1/zz_maintenancewindow_types.go b/apis/ssm/v1beta1/zz_maintenancewindow_types.go
index 690fde2608..ee2c96e4b8 100755
--- a/apis/ssm/v1beta1/zz_maintenancewindow_types.go
+++ b/apis/ssm/v1beta1/zz_maintenancewindow_types.go
@@ -15,9 +15,45 @@ import (
 
 type MaintenanceWindowObservation struct {
 
+	// Whether targets must be registered with the Maintenance Window before tasks can be defined for those targets.
+	AllowUnassociatedTargets *bool `json:"allowUnassociatedTargets,omitempty" tf:"allow_unassociated_targets,omitempty"`
+
+	// The number of hours before the end of the Maintenance Window that Systems Manager stops scheduling new tasks for execution.
+	Cutoff *float64 `json:"cutoff,omitempty" tf:"cutoff,omitempty"`
+
+	// A description for the maintenance window.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The duration of the Maintenance Window in hours.
+	Duration *float64 `json:"duration,omitempty" tf:"duration,omitempty"`
+
+	// Whether the maintenance window is enabled. Default: true.
+	Enabled *bool `json:"enabled,omitempty" tf:"enabled,omitempty"`
+
+	// Timestamp in ISO-8601 extended format when to no longer run the maintenance window.
+	EndDate *string `json:"endDate,omitempty" tf:"end_date,omitempty"`
+
 	// The ID of the maintenance window.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the maintenance window.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The schedule of the Maintenance Window in the form of a cron or rate expression.
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
+
+	// The number of days to wait after the date and time specified by a CRON expression before running the maintenance window.
+	ScheduleOffset *float64 `json:"scheduleOffset,omitempty" tf:"schedule_offset,omitempty"`
+
+	// Timezone for schedule in Internet Assigned Numbers Authority (IANA) Time Zone Database format. For example: America/Los_Angeles, etc/UTC, or Asia/Seoul.
+	ScheduleTimezone *string `json:"scheduleTimezone,omitempty" tf:"schedule_timezone,omitempty"`
+
+	// Timestamp in ISO-8601 extended format when to begin the maintenance window.
+	StartDate *string `json:"startDate,omitempty" tf:"start_date,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -29,16 +65,16 @@ type MaintenanceWindowParameters struct {
 	AllowUnassociatedTargets *bool `json:"allowUnassociatedTargets,omitempty" tf:"allow_unassociated_targets,omitempty"`
 
 	// The number of hours before the end of the Maintenance Window that Systems Manager stops scheduling new tasks for execution.
-	// +kubebuilder:validation:Required
-	Cutoff *float64 `json:"cutoff" tf:"cutoff,omitempty"`
+	// +kubebuilder:validation:Optional
+	Cutoff *float64 `json:"cutoff,omitempty" tf:"cutoff,omitempty"`
 
 	// A description for the maintenance window.
 	// +kubebuilder:validation:Optional
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The duration of the Maintenance Window in hours.
-	// +kubebuilder:validation:Required
-	Duration *float64 `json:"duration" tf:"duration,omitempty"`
+	// +kubebuilder:validation:Optional
+	Duration *float64 `json:"duration,omitempty" tf:"duration,omitempty"`
 
 	// Whether the maintenance window is enabled. Default: true.
 	// +kubebuilder:validation:Optional
@@ -49,8 +85,8 @@ type MaintenanceWindowParameters struct {
 	EndDate *string `json:"endDate,omitempty" tf:"end_date,omitempty"`
 
 	// The name of the maintenance window.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -58,8 +94,8 @@ type MaintenanceWindowParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The schedule of the Maintenance Window in the form of a cron or rate expression.
-	// +kubebuilder:validation:Required
-	Schedule *string `json:"schedule" tf:"schedule,omitempty"`
+	// +kubebuilder:validation:Optional
+	Schedule *string `json:"schedule,omitempty" tf:"schedule,omitempty"`
 
 	// The number of days to wait after the date and time specified by a CRON expression before running the maintenance window.
 	// +kubebuilder:validation:Optional
@@ -102,8 +138,12 @@ type MaintenanceWindowStatus struct {
 type MaintenanceWindow struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MaintenanceWindowSpec   `json:"spec"`
-	Status            MaintenanceWindowStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cutoff)",message="cutoff is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.duration)",message="duration is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)",message="schedule is a required parameter"
+	Spec   MaintenanceWindowSpec   `json:"spec"`
+	Status MaintenanceWindowStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_maintenancewindowtarget_types.go b/apis/ssm/v1beta1/zz_maintenancewindowtarget_types.go
index a8b152ee0f..39a6c9903a 100755
--- a/apis/ssm/v1beta1/zz_maintenancewindowtarget_types.go
+++ b/apis/ssm/v1beta1/zz_maintenancewindowtarget_types.go
@@ -15,8 +15,27 @@ import (
 
 type MaintenanceWindowTargetObservation struct {
 
+	// The description of the maintenance window target.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the maintenance window target.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the maintenance window target.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// User-provided value that will be included in any CloudWatch events raised while running tasks for these targets in this Maintenance Window.
+	OwnerInformation *string `json:"ownerInformation,omitempty" tf:"owner_information,omitempty"`
+
+	// The type of target being registered with the Maintenance Window. Possible values are INSTANCE and RESOURCE_GROUP.
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
+
+	// The targets to register with the maintenance window. In other words, the instances to run commands on when the maintenance window runs. You can specify targets using instance IDs, resource group names, or tags that have been applied to instances. For more information about these examples formats see
+	// (https://docs.aws.amazon.com/systems-manager/latest/userguide/mw-cli-tutorial-targets-examples.html)
+	Targets []MaintenanceWindowTargetTargetsObservation `json:"targets,omitempty" tf:"targets,omitempty"`
+
+	// The Id of the maintenance window to register the target with.
+	WindowID *string `json:"windowId,omitempty" tf:"window_id,omitempty"`
 }
 
 type MaintenanceWindowTargetParameters struct {
@@ -39,13 +58,13 @@ type MaintenanceWindowTargetParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The type of target being registered with the Maintenance Window. Possible values are INSTANCE and RESOURCE_GROUP.
-	// +kubebuilder:validation:Required
-	ResourceType *string `json:"resourceType" tf:"resource_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceType *string `json:"resourceType,omitempty" tf:"resource_type,omitempty"`
 
 	// The targets to register with the maintenance window. In other words, the instances to run commands on when the maintenance window runs. You can specify targets using instance IDs, resource group names, or tags that have been applied to instances. For more information about these examples formats see
 	// (https://docs.aws.amazon.com/systems-manager/latest/userguide/mw-cli-tutorial-targets-examples.html)
-	// +kubebuilder:validation:Required
-	Targets []MaintenanceWindowTargetTargetsParameters `json:"targets" tf:"targets,omitempty"`
+	// +kubebuilder:validation:Optional
+	Targets []MaintenanceWindowTargetTargetsParameters `json:"targets,omitempty" tf:"targets,omitempty"`
 
 	// The Id of the maintenance window to register the target with.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ssm/v1beta1.MaintenanceWindow
@@ -63,6 +82,9 @@ type MaintenanceWindowTargetParameters struct {
 }
 
 type MaintenanceWindowTargetTargetsObservation struct {
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type MaintenanceWindowTargetTargetsParameters struct {
@@ -98,8 +120,10 @@ type MaintenanceWindowTargetStatus struct {
 type MaintenanceWindowTarget struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MaintenanceWindowTargetSpec   `json:"spec"`
-	Status            MaintenanceWindowTargetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceType)",message="resourceType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targets)",message="targets is a required parameter"
+	Spec   MaintenanceWindowTargetSpec   `json:"spec"`
+	Status MaintenanceWindowTargetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_maintenancewindowtask_types.go b/apis/ssm/v1beta1/zz_maintenancewindowtask_types.go
index 7a0a0151a5..5c3d78e3f9 100755
--- a/apis/ssm/v1beta1/zz_maintenancewindowtask_types.go
+++ b/apis/ssm/v1beta1/zz_maintenancewindowtask_types.go
@@ -14,9 +14,21 @@ import (
 )
 
 type AutomationParametersObservation struct {
+
+	// The version of an Automation document to use during task execution.
+	DocumentVersion *string `json:"documentVersion,omitempty" tf:"document_version,omitempty"`
+
+	// The parameters for the RUN_COMMAND task execution. Documented below.
+	Parameter []AutomationParametersParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
 }
 
 type AutomationParametersParameterObservation struct {
+
+	// The name of the maintenance window task.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The array of strings.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type AutomationParametersParameterParameters struct {
@@ -42,6 +54,12 @@ type AutomationParametersParameters struct {
 }
 
 type CloudwatchConfigObservation struct {
+
+	// The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName.
+	CloudwatchLogGroupName *string `json:"cloudwatchLogGroupName,omitempty" tf:"cloudwatch_log_group_name,omitempty"`
+
+	// Enables Systems Manager to send command output to CloudWatch Logs.
+	CloudwatchOutputEnabled *bool `json:"cloudwatchOutputEnabled,omitempty" tf:"cloudwatch_output_enabled,omitempty"`
 }
 
 type CloudwatchConfigParameters struct {
@@ -56,6 +74,12 @@ type CloudwatchConfigParameters struct {
 }
 
 type LambdaParametersObservation struct {
+
+	// Pass client-specific information to the Lambda function that you are invoking.
+	ClientContext *string `json:"clientContext,omitempty" tf:"client_context,omitempty"`
+
+	// Specify a Lambda function version or alias name.
+	Qualifier *string `json:"qualifier,omitempty" tf:"qualifier,omitempty"`
 }
 
 type LambdaParametersParameters struct {
@@ -78,9 +102,45 @@ type MaintenanceWindowTaskObservation struct {
 	// The ARN of the maintenance window task.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Indicates whether tasks should continue to run after the cutoff time specified in the maintenance windows is reached. Valid values are CONTINUE_TASK and CANCEL_TASK.
+	CutoffBehavior *string `json:"cutoffBehavior,omitempty" tf:"cutoff_behavior,omitempty"`
+
+	// The description of the maintenance window task.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The ID of the maintenance window task.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The maximum number of targets this task can be run for in parallel.
+	MaxConcurrency *string `json:"maxConcurrency,omitempty" tf:"max_concurrency,omitempty"`
+
+	// The maximum number of errors allowed before this task stops being scheduled.
+	MaxErrors *string `json:"maxErrors,omitempty" tf:"max_errors,omitempty"`
+
+	// The name of the maintenance window task.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The priority of the task in the Maintenance Window, the lower the number the higher the priority. Tasks in a Maintenance Window are scheduled in priority order with tasks that have the same priority scheduled in parallel.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// The role that should be assumed when executing the task. If a role is not provided, Systems Manager uses your account's service-linked role. If no service-linked role for Systems Manager exists in your account, it is created for you.
+	ServiceRoleArn *string `json:"serviceRoleArn,omitempty" tf:"service_role_arn,omitempty"`
+
+	// The targets (either instances or window target ids). Instances are specified using Key=InstanceIds,Values=instanceid1,instanceid2. Window target ids are specified using Key=WindowTargetIds,Values=window target id1, window target id2.
+	Targets []MaintenanceWindowTaskTargetsObservation `json:"targets,omitempty" tf:"targets,omitempty"`
+
+	// The ARN of the task to execute.
+	TaskArn *string `json:"taskArn,omitempty" tf:"task_arn,omitempty"`
+
+	// Configuration block with parameters for task execution.
+	TaskInvocationParameters []TaskInvocationParametersObservation `json:"taskInvocationParameters,omitempty" tf:"task_invocation_parameters,omitempty"`
+
+	// The type of task being registered. Valid values: AUTOMATION, LAMBDA, RUN_COMMAND or STEP_FUNCTIONS.
+	TaskType *string `json:"taskType,omitempty" tf:"task_type,omitempty"`
+
+	// The Id of the maintenance window to register the task with.
+	WindowID *string `json:"windowId,omitempty" tf:"window_id,omitempty"`
+
 	// The ID of the maintenance window task.
 	WindowTaskID *string `json:"windowTaskId,omitempty" tf:"window_task_id,omitempty"`
 }
@@ -153,8 +213,8 @@ type MaintenanceWindowTaskParameters struct {
 	TaskInvocationParameters []TaskInvocationParametersParameters `json:"taskInvocationParameters,omitempty" tf:"task_invocation_parameters,omitempty"`
 
 	// The type of task being registered. Valid values: AUTOMATION, LAMBDA, RUN_COMMAND or STEP_FUNCTIONS.
-	// +kubebuilder:validation:Required
-	TaskType *string `json:"taskType" tf:"task_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	TaskType *string `json:"taskType,omitempty" tf:"task_type,omitempty"`
 
 	// The Id of the maintenance window to register the task with.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ssm/v1beta1.MaintenanceWindow
@@ -172,6 +232,10 @@ type MaintenanceWindowTaskParameters struct {
 }
 
 type MaintenanceWindowTaskTargetsObservation struct {
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The array of strings.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type MaintenanceWindowTaskTargetsParameters struct {
@@ -185,6 +249,15 @@ type MaintenanceWindowTaskTargetsParameters struct {
 }
 
 type NotificationConfigObservation struct {
+
+	// An Amazon Resource Name (ARN) for a Simple Notification Service (SNS) topic. Run Command pushes notifications about command status changes to this topic.
+	NotificationArn *string `json:"notificationArn,omitempty" tf:"notification_arn,omitempty"`
+
+	// The different events for which you can receive notifications. Valid values: All, InProgress, Success, TimedOut, Cancelled, and Failed
+	NotificationEvents []*string `json:"notificationEvents,omitempty" tf:"notification_events,omitempty"`
+
+	// When specified with Command, receive notification when the status of a command changes. When specified with Invocation, for commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes. Valid values: Command and Invocation
+	NotificationType *string `json:"notificationType,omitempty" tf:"notification_type,omitempty"`
 }
 
 type NotificationConfigParameters struct {
@@ -213,9 +286,48 @@ type NotificationConfigParameters struct {
 }
 
 type RunCommandParametersObservation struct {
+
+	// Configuration options for sending command output to CloudWatch Logs. Documented below.
+	CloudwatchConfig []CloudwatchConfigObservation `json:"cloudwatchConfig,omitempty" tf:"cloudwatch_config,omitempty"`
+
+	// Information about the command(s) to execute.
+	Comment *string `json:"comment,omitempty" tf:"comment,omitempty"`
+
+	// The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes have been deprecated.
+	DocumentHash *string `json:"documentHash,omitempty" tf:"document_hash,omitempty"`
+
+	// SHA-256 or SHA-1. SHA-1 hashes have been deprecated. Valid values: Sha256 and Sha1
+	DocumentHashType *string `json:"documentHashType,omitempty" tf:"document_hash_type,omitempty"`
+
+	// The version of an Automation document to use during task execution.
+	DocumentVersion *string `json:"documentVersion,omitempty" tf:"document_version,omitempty"`
+
+	// Configurations for sending notifications about command status changes on a per-instance basis. Documented below.
+	NotificationConfig []NotificationConfigObservation `json:"notificationConfig,omitempty" tf:"notification_config,omitempty"`
+
+	// The name of the Amazon S3 bucket.
+	OutputS3Bucket *string `json:"outputS3Bucket,omitempty" tf:"output_s3_bucket,omitempty"`
+
+	// The Amazon S3 bucket subfolder.
+	OutputS3KeyPrefix *string `json:"outputS3KeyPrefix,omitempty" tf:"output_s3_key_prefix,omitempty"`
+
+	// The parameters for the RUN_COMMAND task execution. Documented below.
+	Parameter []RunCommandParametersParameterObservation `json:"parameter,omitempty" tf:"parameter,omitempty"`
+
+	// The role that should be assumed when executing the task. If a role is not provided, Systems Manager uses your account's service-linked role. If no service-linked role for Systems Manager exists in your account, it is created for you.
+	ServiceRoleArn *string `json:"serviceRoleArn,omitempty" tf:"service_role_arn,omitempty"`
+
+	// If this time is reached and the command has not already started executing, it doesn't run.
+	TimeoutSeconds *float64 `json:"timeoutSeconds,omitempty" tf:"timeout_seconds,omitempty"`
 }
 
 type RunCommandParametersParameterObservation struct {
+
+	// The name of the maintenance window task.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The array of strings.
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type RunCommandParametersParameterParameters struct {
@@ -297,6 +409,9 @@ type RunCommandParametersParameters struct {
 }
 
 type StepFunctionsParametersObservation struct {
+
+	// The name of the maintenance window task.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type StepFunctionsParametersParameters struct {
@@ -311,6 +426,18 @@ type StepFunctionsParametersParameters struct {
 }
 
 type TaskInvocationParametersObservation struct {
+
+	// The parameters for an AUTOMATION task type. Documented below.
+	AutomationParameters []AutomationParametersObservation `json:"automationParameters,omitempty" tf:"automation_parameters,omitempty"`
+
+	// The parameters for a LAMBDA task type. Documented below.
+	LambdaParameters []LambdaParametersObservation `json:"lambdaParameters,omitempty" tf:"lambda_parameters,omitempty"`
+
+	// The parameters for a RUN_COMMAND task type. Documented below.
+	RunCommandParameters []RunCommandParametersObservation `json:"runCommandParameters,omitempty" tf:"run_command_parameters,omitempty"`
+
+	// The parameters for a STEP_FUNCTIONS task type. Documented below.
+	StepFunctionsParameters []StepFunctionsParametersObservation `json:"stepFunctionsParameters,omitempty" tf:"step_functions_parameters,omitempty"`
 }
 
 type TaskInvocationParametersParameters struct {
@@ -356,8 +483,9 @@ type MaintenanceWindowTaskStatus struct {
 type MaintenanceWindowTask struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              MaintenanceWindowTaskSpec   `json:"spec"`
-	Status            MaintenanceWindowTaskStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.taskType)",message="taskType is a required parameter"
+	Spec   MaintenanceWindowTaskSpec   `json:"spec"`
+	Status MaintenanceWindowTaskStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_parameter_types.go b/apis/ssm/v1beta1/zz_parameter_types.go
index 28bf3071be..95d7c255e0 100755
--- a/apis/ssm/v1beta1/zz_parameter_types.go
+++ b/apis/ssm/v1beta1/zz_parameter_types.go
@@ -14,11 +14,42 @@ import (
 )
 
 type ParameterObservation_2 struct {
+
+	// Regular expression used to validate the parameter value.
+	AllowedPattern *string `json:"allowedPattern,omitempty" tf:"allowed_pattern,omitempty"`
+
+	// ARN of the parameter.
+	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
+
+	// Data type of the parameter. Valid values: text, aws:ssm:integration and aws:ec2:image for AMI format, see the Native parameter support for Amazon Machine Image IDs.
+	DataType *string `json:"dataType,omitempty" tf:"data_type,omitempty"`
+
+	// Description of the parameter.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Value of the parameter. This argument is not valid with a type of SecureString.
+	InsecureValue *string `json:"insecureValue,omitempty" tf:"insecure_value,omitempty"`
+
+	// KMS key ID or ARN for encrypting a SecureString.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+	// Overwrite an existing parameter.
+	Overwrite *bool `json:"overwrite,omitempty" tf:"overwrite,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// Map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// Parameter tier to assign to the parameter. If not specified, will use the default parameter tier for the region. Valid tiers are Standard, Advanced, and Intelligent-Tiering. Downgrading an Advanced tier parameter to Standard will recreate the resource. For more information on parameter tiers, see the AWS SSM Parameter tier comparison and guide.
+	Tier *string `json:"tier,omitempty" tf:"tier,omitempty"`
+
+	// Type of the parameter. Valid types are String, StringList and SecureString.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
 	// Version of the parameter.
 	Version *float64 `json:"version,omitempty" tf:"version,omitempty"`
 }
@@ -67,8 +98,8 @@ type ParameterParameters_2 struct {
 	Tier *string `json:"tier,omitempty" tf:"tier,omitempty"`
 
 	// Type of the parameter. Valid types are String, StringList and SecureString.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 
 	// Value of the parameter.15 and later, this may require additional configuration handling for certain scenarios.15 Upgrade Guide.
 	// +kubebuilder:validation:Optional
@@ -99,8 +130,9 @@ type ParameterStatus struct {
 type Parameter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ParameterSpec   `json:"spec"`
-	Status            ParameterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   ParameterSpec   `json:"spec"`
+	Status ParameterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_patchbaseline_types.go b/apis/ssm/v1beta1/zz_patchbaseline_types.go
index ce3a1bf63f..6805354475 100755
--- a/apis/ssm/v1beta1/zz_patchbaseline_types.go
+++ b/apis/ssm/v1beta1/zz_patchbaseline_types.go
@@ -14,6 +14,33 @@ import (
 )
 
 type ApprovalRuleObservation struct {
+
+	// The number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline.
+	// Valid Range: 0 to 100.
+	// Conflicts with approve_until_date.
+	ApproveAfterDays *float64 `json:"approveAfterDays,omitempty" tf:"approve_after_days,omitempty"`
+
+	// The cutoff date for auto approval of released patches.
+	// Any patches released on or before this date are installed automatically.
+	// Date is formatted as YYYY-MM-DD.
+	// Conflicts with approve_after_days
+	ApproveUntilDate *string `json:"approveUntilDate,omitempty" tf:"approve_until_date,omitempty"`
+
+	// The compliance level for patches approved by this rule.
+	// Valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, and UNSPECIFIED.
+	// The default value is UNSPECIFIED.
+	ComplianceLevel *string `json:"complianceLevel,omitempty" tf:"compliance_level,omitempty"`
+
+	// Boolean enabling the application of non-security updates.
+	// The default value is false.
+	// Valid for Linux instances only.
+	EnableNonSecurity *bool `json:"enableNonSecurity,omitempty" tf:"enable_non_security,omitempty"`
+
+	// The patch filter group that defines the criteria for the rule.
+	// Up to 5 patch filters can be specified per approval rule using Key/Value pairs.
+	// Valid combinations of these Keys and the operating_system value can be found in the SSM DescribePatchProperties API Reference.
+	// Valid Values are exact values for the patch property given as the key, or a wildcard *, which matches all values.
+	PatchFilter []PatchFilterObservation `json:"patchFilter,omitempty" tf:"patch_filter,omitempty"`
 }
 
 type ApprovalRuleParameters struct {
@@ -52,6 +79,9 @@ type ApprovalRuleParameters struct {
 }
 
 type GlobalFilterObservation struct {
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type GlobalFilterParameters struct {
@@ -65,12 +95,75 @@ type GlobalFilterParameters struct {
 
 type PatchBaselineObservation struct {
 
+	// A set of rules used to include patches in the baseline.
+	// Up to 10 approval rules can be specified.
+	// See approval_rule below.
+	ApprovalRule []ApprovalRuleObservation `json:"approvalRule,omitempty" tf:"approval_rule,omitempty"`
+
+	// A list of explicitly approved patches for the baseline.
+	// Cannot be specified with approval_rule.
+	ApprovedPatches []*string `json:"approvedPatches,omitempty" tf:"approved_patches,omitempty"`
+
+	// The compliance level for approved patches.
+	// This means that if an approved patch is reported as missing, this is the severity of the compliance violation.
+	// Valid values are CRITICAL, HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED.
+	// The default value is UNSPECIFIED.
+	ApprovedPatchesComplianceLevel *string `json:"approvedPatchesComplianceLevel,omitempty" tf:"approved_patches_compliance_level,omitempty"`
+
+	// Indicates whether the list of approved patches includes non-security updates that should be applied to the instances.
+	// Applies to Linux instances only.
+	ApprovedPatchesEnableNonSecurity *bool `json:"approvedPatchesEnableNonSecurity,omitempty" tf:"approved_patches_enable_non_security,omitempty"`
+
 	// The ARN of the patch baseline.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The description of the patch baseline.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// A set of global filters used to exclude patches from the baseline.
+	// Up to 4 global filters can be specified using Key/Value pairs.
+	// Valid Keys are PRODUCT, CLASSIFICATION, MSRC_SEVERITY, and PATCH_ID.
+	GlobalFilter []GlobalFilterObservation `json:"globalFilter,omitempty" tf:"global_filter,omitempty"`
+
 	// The ID of the patch baseline.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the patch baseline.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The operating system the patch baseline applies to.
+	// Valid values are
+	// AMAZON_LINUX,
+	// AMAZON_LINUX_2,
+	// AMAZON_LINUX_2022,
+	// CENTOS,
+	// DEBIAN,
+	// MACOS,
+	// ORACLE_LINUX,
+	// RASPBIAN,
+	// REDHAT_ENTERPRISE_LINUX,
+	// ROCKY_LINUX,
+	// SUSE,
+	// UBUNTU, and
+	// WINDOWS.
+	// The default value is WINDOWS.
+	OperatingSystem *string `json:"operatingSystem,omitempty" tf:"operating_system,omitempty"`
+
+	// A list of rejected patches.
+	RejectedPatches []*string `json:"rejectedPatches,omitempty" tf:"rejected_patches,omitempty"`
+
+	// The action for Patch Manager to take on patches included in the rejected_patches list.
+	// Valid values are ALLOW_AS_DEPENDENCY and BLOCK.
+	RejectedPatchesAction *string `json:"rejectedPatchesAction,omitempty" tf:"rejected_patches_action,omitempty"`
+
+	// Configuration block with alternate sources for patches.
+	// Applies to Linux instances only.
+	// See source below.
+	Source []SourceObservation `json:"source,omitempty" tf:"source,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -111,8 +204,8 @@ type PatchBaselineParameters struct {
 	GlobalFilter []GlobalFilterParameters `json:"globalFilter,omitempty" tf:"global_filter,omitempty"`
 
 	// The name of the patch baseline.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The operating system the patch baseline applies to.
 	// Valid values are
@@ -159,6 +252,9 @@ type PatchBaselineParameters struct {
 }
 
 type PatchFilterObservation struct {
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	Values []*string `json:"values,omitempty" tf:"values,omitempty"`
 }
 
 type PatchFilterParameters struct {
@@ -171,6 +267,17 @@ type PatchFilterParameters struct {
 }
 
 type SourceObservation struct {
+
+	// The value of the yum repo configuration.
+	// For information about other options available for your yum repository configuration, see the dnf.conf documentation
+	Configuration *string `json:"configuration,omitempty" tf:"configuration,omitempty"`
+
+	// The name specified to identify the patch source.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The specific operating system versions a patch repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09", "RedhatEnterpriseLinux7.2" or "Suse12.7".
+	// For lists of supported product values, see PatchFilter.
+	Products []*string `json:"products,omitempty" tf:"products,omitempty"`
 }
 
 type SourceParameters struct {
@@ -214,8 +321,9 @@ type PatchBaselineStatus struct {
 type PatchBaseline struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PatchBaselineSpec   `json:"spec"`
-	Status            PatchBaselineStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   PatchBaselineSpec   `json:"spec"`
+	Status PatchBaselineStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_patchgroup_types.go b/apis/ssm/v1beta1/zz_patchgroup_types.go
index 4bba7bc475..0b9c00e791 100755
--- a/apis/ssm/v1beta1/zz_patchgroup_types.go
+++ b/apis/ssm/v1beta1/zz_patchgroup_types.go
@@ -15,8 +15,14 @@ import (
 
 type PatchGroupObservation struct {
 
+	// The ID of the patch baseline to register the patch group with.
+	BaselineID *string `json:"baselineId,omitempty" tf:"baseline_id,omitempty"`
+
 	// The name of the patch group and ID of the patch baseline separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the patch group that should be registered with the patch baseline.
+	PatchGroup *string `json:"patchGroup,omitempty" tf:"patch_group,omitempty"`
 }
 
 type PatchGroupParameters struct {
@@ -36,8 +42,8 @@ type PatchGroupParameters struct {
 	BaselineIDSelector *v1.Selector `json:"baselineIdSelector,omitempty" tf:"-"`
 
 	// The name of the patch group that should be registered with the patch baseline.
-	// +kubebuilder:validation:Required
-	PatchGroup *string `json:"patchGroup" tf:"patch_group,omitempty"`
+	// +kubebuilder:validation:Optional
+	PatchGroup *string `json:"patchGroup,omitempty" tf:"patch_group,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -69,8 +75,9 @@ type PatchGroupStatus struct {
 type PatchGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PatchGroupSpec   `json:"spec"`
-	Status            PatchGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.patchGroup)",message="patchGroup is a required parameter"
+	Spec   PatchGroupSpec   `json:"spec"`
+	Status PatchGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_resourcedatasync_types.go b/apis/ssm/v1beta1/zz_resourcedatasync_types.go
index 897cf9a4aa..9d21d2f89b 100755
--- a/apis/ssm/v1beta1/zz_resourcedatasync_types.go
+++ b/apis/ssm/v1beta1/zz_resourcedatasync_types.go
@@ -15,6 +15,9 @@ import (
 
 type ResourceDataSyncObservation struct {
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Amazon S3 configuration details for the sync.
+	S3Destination []S3DestinationObservation `json:"s3Destination,omitempty" tf:"s3_destination,omitempty"`
 }
 
 type ResourceDataSyncParameters struct {
@@ -26,11 +29,26 @@ type ResourceDataSyncParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Amazon S3 configuration details for the sync.
-	// +kubebuilder:validation:Required
-	S3Destination []S3DestinationParameters `json:"s3Destination" tf:"s3_destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	S3Destination []S3DestinationParameters `json:"s3Destination,omitempty" tf:"s3_destination,omitempty"`
 }
 
 type S3DestinationObservation struct {
+
+	// Name of S3 bucket where the aggregated data is stored.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// ARN of an encryption key for a destination in Amazon S3.
+	KMSKeyArn *string `json:"kmsKeyArn,omitempty" tf:"kms_key_arn,omitempty"`
+
+	// Prefix for the bucket.
+	Prefix *string `json:"prefix,omitempty" tf:"prefix,omitempty"`
+
+	// Region with the bucket targeted by the Resource Data Sync.
+	Region *string `json:"region,omitempty" tf:"region,omitempty"`
+
+	// A supported sync format. Only JsonSerDe is currently supported. Defaults to JsonSerDe.
+	SyncFormat *string `json:"syncFormat,omitempty" tf:"sync_format,omitempty"`
 }
 
 type S3DestinationParameters struct {
@@ -99,8 +117,9 @@ type ResourceDataSyncStatus struct {
 type ResourceDataSync struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ResourceDataSyncSpec   `json:"spec"`
-	Status            ResourceDataSyncStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.s3Destination)",message="s3Destination is a required parameter"
+	Spec   ResourceDataSyncSpec   `json:"spec"`
+	Status ResourceDataSyncStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssm/v1beta1/zz_servicesetting_types.go b/apis/ssm/v1beta1/zz_servicesetting_types.go
index efead5f3f5..80eb589853 100755
--- a/apis/ssm/v1beta1/zz_servicesetting_types.go
+++ b/apis/ssm/v1beta1/zz_servicesetting_types.go
@@ -20,6 +20,12 @@ type ServiceSettingObservation struct {
 
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// ID of the service setting.
+	SettingID *string `json:"settingId,omitempty" tf:"setting_id,omitempty"`
+
+	// Value of the service setting.
+	SettingValue *string `json:"settingValue,omitempty" tf:"setting_value,omitempty"`
+
 	// Status of the service setting. Value can be Default, Customized or PendingUpdate.
 	Status *string `json:"status,omitempty" tf:"status,omitempty"`
 }
@@ -32,12 +38,12 @@ type ServiceSettingParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// ID of the service setting.
-	// +kubebuilder:validation:Required
-	SettingID *string `json:"settingId" tf:"setting_id,omitempty"`
+	// +kubebuilder:validation:Optional
+	SettingID *string `json:"settingId,omitempty" tf:"setting_id,omitempty"`
 
 	// Value of the service setting.
-	// +kubebuilder:validation:Required
-	SettingValue *string `json:"settingValue" tf:"setting_value,omitempty"`
+	// +kubebuilder:validation:Optional
+	SettingValue *string `json:"settingValue,omitempty" tf:"setting_value,omitempty"`
 }
 
 // ServiceSettingSpec defines the desired state of ServiceSetting
@@ -64,8 +70,10 @@ type ServiceSettingStatus struct {
 type ServiceSetting struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ServiceSettingSpec   `json:"spec"`
-	Status            ServiceSettingStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingId)",message="settingId is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingValue)",message="settingValue is a required parameter"
+	Spec   ServiceSettingSpec   `json:"spec"`
+	Status ServiceSettingStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssoadmin/v1beta1/zz_accountassignment_types.go b/apis/ssoadmin/v1beta1/zz_accountassignment_types.go
index 31b2b92729..2824152266 100755
--- a/apis/ssoadmin/v1beta1/zz_accountassignment_types.go
+++ b/apis/ssoadmin/v1beta1/zz_accountassignment_types.go
@@ -17,6 +17,24 @@ type AccountAssignmentObservation struct {
 
 	// The identifier of the Account Assignment i.e., principal_id, principal_type, target_id, target_type, permission_set_arn, instance_arn separated by commas (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SSO Instance.
+	InstanceArn *string `json:"instanceArn,omitempty" tf:"instance_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Permission Set that the admin wants to grant the principal access to.
+	PermissionSetArn *string `json:"permissionSetArn,omitempty" tf:"permission_set_arn,omitempty"`
+
+	// An identifier for an object in SSO, such as a user or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
+	PrincipalID *string `json:"principalId,omitempty" tf:"principal_id,omitempty"`
+
+	// The entity type for which the assignment will be created. Valid values: USER, GROUP.
+	PrincipalType *string `json:"principalType,omitempty" tf:"principal_type,omitempty"`
+
+	// An AWS account identifier, typically a 10-12 digit string.
+	TargetID *string `json:"targetId,omitempty" tf:"target_id,omitempty"`
+
+	// The entity type for which the assignment will be created. Valid values: AWS_ACCOUNT.
+	TargetType *string `json:"targetType,omitempty" tf:"target_type,omitempty"`
 }
 
 type AccountAssignmentParameters struct {
diff --git a/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go b/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go
index c9a596667e..5c30628a39 100644
--- a/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go
+++ b/apis/ssoadmin/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,36 @@ func (in *AccountAssignmentObservation) DeepCopyInto(out *AccountAssignmentObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceArn != nil {
+		in, out := &in.InstanceArn, &out.InstanceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PermissionSetArn != nil {
+		in, out := &in.PermissionSetArn, &out.PermissionSetArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalID != nil {
+		in, out := &in.PrincipalID, &out.PrincipalID
+		*out = new(string)
+		**out = **in
+	}
+	if in.PrincipalType != nil {
+		in, out := &in.PrincipalType, &out.PrincipalType
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetID != nil {
+		in, out := &in.TargetID, &out.TargetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetType != nil {
+		in, out := &in.TargetType, &out.TargetType
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AccountAssignmentObservation.
@@ -244,11 +274,26 @@ func (in *ManagedPolicyAttachmentObservation) DeepCopyInto(out *ManagedPolicyAtt
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceArn != nil {
+		in, out := &in.InstanceArn, &out.InstanceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ManagedPolicyArn != nil {
+		in, out := &in.ManagedPolicyArn, &out.ManagedPolicyArn
+		*out = new(string)
+		**out = **in
+	}
 	if in.ManagedPolicyName != nil {
 		in, out := &in.ManagedPolicyName, &out.ManagedPolicyName
 		*out = new(string)
 		**out = **in
 	}
+	if in.PermissionSetArn != nil {
+		in, out := &in.PermissionSetArn, &out.PermissionSetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ManagedPolicyAttachmentObservation.
@@ -434,6 +479,21 @@ func (in *PermissionSetInlinePolicyObservation) DeepCopyInto(out *PermissionSetI
 		*out = new(string)
 		**out = **in
 	}
+	if in.InlinePolicy != nil {
+		in, out := &in.InlinePolicy, &out.InlinePolicy
+		*out = new(string)
+		**out = **in
+	}
+	if in.InstanceArn != nil {
+		in, out := &in.InstanceArn, &out.InstanceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.PermissionSetArn != nil {
+		in, out := &in.PermissionSetArn, &out.PermissionSetArn
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PermissionSetInlinePolicyObservation.
@@ -580,11 +640,51 @@ func (in *PermissionSetObservation) DeepCopyInto(out *PermissionSetObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InstanceArn != nil {
+		in, out := &in.InstanceArn, &out.InstanceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RelayState != nil {
+		in, out := &in.RelayState, &out.RelayState
+		*out = new(string)
+		**out = **in
+	}
+	if in.SessionDuration != nil {
+		in, out := &in.SessionDuration, &out.SessionDuration
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/ssoadmin/v1beta1/zz_managedpolicyattachment_types.go b/apis/ssoadmin/v1beta1/zz_managedpolicyattachment_types.go
index ab89cdd26f..a6ce99017a 100755
--- a/apis/ssoadmin/v1beta1/zz_managedpolicyattachment_types.go
+++ b/apis/ssoadmin/v1beta1/zz_managedpolicyattachment_types.go
@@ -18,8 +18,17 @@ type ManagedPolicyAttachmentObservation struct {
 	// The Amazon Resource Names (ARNs) of the Managed Policy, Permission Set, and SSO Instance, separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
+	InstanceArn *string `json:"instanceArn,omitempty" tf:"instance_arn,omitempty"`
+
+	// The IAM managed policy Amazon Resource Name (ARN) to be attached to the Permission Set.
+	ManagedPolicyArn *string `json:"managedPolicyArn,omitempty" tf:"managed_policy_arn,omitempty"`
+
 	// The name of the IAM Managed Policy.
 	ManagedPolicyName *string `json:"managedPolicyName,omitempty" tf:"managed_policy_name,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Permission Set.
+	PermissionSetArn *string `json:"permissionSetArn,omitempty" tf:"permission_set_arn,omitempty"`
 }
 
 type ManagedPolicyAttachmentParameters struct {
diff --git a/apis/ssoadmin/v1beta1/zz_permissionset_types.go b/apis/ssoadmin/v1beta1/zz_permissionset_types.go
index 11f8aba924..720d65c863 100755
--- a/apis/ssoadmin/v1beta1/zz_permissionset_types.go
+++ b/apis/ssoadmin/v1beta1/zz_permissionset_types.go
@@ -21,9 +21,27 @@ type PermissionSetObservation struct {
 	// The date the Permission Set was created in RFC3339 format.
 	CreatedDate *string `json:"createdDate,omitempty" tf:"created_date,omitempty"`
 
+	// The description of the Permission Set.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The Amazon Resource Names (ARNs) of the Permission Set and SSO Instance, separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
+	InstanceArn *string `json:"instanceArn,omitempty" tf:"instance_arn,omitempty"`
+
+	// The name of the Permission Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The relay state URL used to redirect users within the application during the federation authentication process.
+	RelayState *string `json:"relayState,omitempty" tf:"relay_state,omitempty"`
+
+	// The length of time that the application user sessions are valid in the ISO-8601 standard. Default: PT1H.
+	SessionDuration *string `json:"sessionDuration,omitempty" tf:"session_duration,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -35,12 +53,12 @@ type PermissionSetParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
-	// +kubebuilder:validation:Required
-	InstanceArn *string `json:"instanceArn" tf:"instance_arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	InstanceArn *string `json:"instanceArn,omitempty" tf:"instance_arn,omitempty"`
 
 	// The name of the Permission Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -84,8 +102,10 @@ type PermissionSetStatus struct {
 type PermissionSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PermissionSetSpec   `json:"spec"`
-	Status            PermissionSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceArn)",message="instanceArn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   PermissionSetSpec   `json:"spec"`
+	Status PermissionSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/ssoadmin/v1beta1/zz_permissionsetinlinepolicy_types.go b/apis/ssoadmin/v1beta1/zz_permissionsetinlinepolicy_types.go
index b245dbce06..091eac1d68 100755
--- a/apis/ssoadmin/v1beta1/zz_permissionsetinlinepolicy_types.go
+++ b/apis/ssoadmin/v1beta1/zz_permissionsetinlinepolicy_types.go
@@ -17,13 +17,22 @@ type PermissionSetInlinePolicyObservation struct {
 
 	// The Amazon Resource Names (ARNs) of the Permission Set and SSO Instance, separated by a comma (,).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The IAM inline policy to attach to a Permission Set.
+	InlinePolicy *string `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
+	InstanceArn *string `json:"instanceArn,omitempty" tf:"instance_arn,omitempty"`
+
+	// The Amazon Resource Name (ARN) of the Permission Set.
+	PermissionSetArn *string `json:"permissionSetArn,omitempty" tf:"permission_set_arn,omitempty"`
 }
 
 type PermissionSetInlinePolicyParameters struct {
 
 	// The IAM inline policy to attach to a Permission Set.
-	// +kubebuilder:validation:Required
-	InlinePolicy *string `json:"inlinePolicy" tf:"inline_policy,omitempty"`
+	// +kubebuilder:validation:Optional
+	InlinePolicy *string `json:"inlinePolicy,omitempty" tf:"inline_policy,omitempty"`
 
 	// The Amazon Resource Name (ARN) of the SSO Instance under which the operation will be executed.
 	// +crossplane:generate:reference:type=github.com/upbound/provider-aws/apis/ssoadmin/v1beta1.PermissionSet
@@ -83,8 +92,9 @@ type PermissionSetInlinePolicyStatus struct {
 type PermissionSetInlinePolicy struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              PermissionSetInlinePolicySpec   `json:"spec"`
-	Status            PermissionSetInlinePolicyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inlinePolicy)",message="inlinePolicy is a required parameter"
+	Spec   PermissionSetInlinePolicySpec   `json:"spec"`
+	Status PermissionSetInlinePolicyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/swf/v1beta1/zz_domain_types.go b/apis/swf/v1beta1/zz_domain_types.go
index d5afa7760a..52189f9115 100755
--- a/apis/swf/v1beta1/zz_domain_types.go
+++ b/apis/swf/v1beta1/zz_domain_types.go
@@ -18,11 +18,20 @@ type DomainObservation struct {
 	// Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The domain description.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The name of the domain.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Length of time that SWF will continue to retain information about the workflow execution after the workflow execution is complete, must be between 0 and 90 days.
+	WorkflowExecutionRetentionPeriodInDays *string `json:"workflowExecutionRetentionPeriodInDays,omitempty" tf:"workflow_execution_retention_period_in_days,omitempty"`
 }
 
 type DomainParameters struct {
@@ -41,8 +50,8 @@ type DomainParameters struct {
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Length of time that SWF will continue to retain information about the workflow execution after the workflow execution is complete, must be between 0 and 90 days.
-	// +kubebuilder:validation:Required
-	WorkflowExecutionRetentionPeriodInDays *string `json:"workflowExecutionRetentionPeriodInDays" tf:"workflow_execution_retention_period_in_days,omitempty"`
+	// +kubebuilder:validation:Optional
+	WorkflowExecutionRetentionPeriodInDays *string `json:"workflowExecutionRetentionPeriodInDays,omitempty" tf:"workflow_execution_retention_period_in_days,omitempty"`
 }
 
 // DomainSpec defines the desired state of Domain
@@ -69,8 +78,9 @@ type DomainStatus struct {
 type Domain struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              DomainSpec   `json:"spec"`
-	Status            DomainStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.workflowExecutionRetentionPeriodInDays)",message="workflowExecutionRetentionPeriodInDays is a required parameter"
+	Spec   DomainSpec   `json:"spec"`
+	Status DomainStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/swf/v1beta1/zz_generated.deepcopy.go b/apis/swf/v1beta1/zz_generated.deepcopy.go
index 4e6ed623fa..85e7ff7e7d 100644
--- a/apis/swf/v1beta1/zz_generated.deepcopy.go
+++ b/apis/swf/v1beta1/zz_generated.deepcopy.go
@@ -80,11 +80,31 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -100,6 +120,11 @@ func (in *DomainObservation) DeepCopyInto(out *DomainObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.WorkflowExecutionRetentionPeriodInDays != nil {
+		in, out := &in.WorkflowExecutionRetentionPeriodInDays, &out.WorkflowExecutionRetentionPeriodInDays
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DomainObservation.
diff --git a/apis/timestreamwrite/v1beta1/zz_database_types.go b/apis/timestreamwrite/v1beta1/zz_database_types.go
index b144c47cf4..9b08331a43 100755
--- a/apis/timestreamwrite/v1beta1/zz_database_types.go
+++ b/apis/timestreamwrite/v1beta1/zz_database_types.go
@@ -21,9 +21,15 @@ type DatabaseObservation struct {
 	// The name of the Timestream database.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The ARN (not Alias ARN) of the KMS key to be used to encrypt the data stored in the database. If the KMS key is not specified, the database will be encrypted with a Timestream managed KMS key located in your account. Refer to AWS managed KMS keys for more info.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
 	// The total number of tables found within the Timestream database.
 	TableCount *float64 `json:"tableCount,omitempty" tf:"table_count,omitempty"`
 
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/timestreamwrite/v1beta1/zz_generated.deepcopy.go b/apis/timestreamwrite/v1beta1/zz_generated.deepcopy.go
index 3765a914bb..37b47d6d8b 100644
--- a/apis/timestreamwrite/v1beta1/zz_generated.deepcopy.go
+++ b/apis/timestreamwrite/v1beta1/zz_generated.deepcopy.go
@@ -86,11 +86,31 @@ func (in *DatabaseObservation) DeepCopyInto(out *DatabaseObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
 	if in.TableCount != nil {
 		in, out := &in.TableCount, &out.TableCount
 		*out = new(float64)
 		**out = **in
 	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -205,6 +225,13 @@ func (in *DatabaseStatus) DeepCopy() *DatabaseStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MagneticStoreRejectedDataLocationObservation) DeepCopyInto(out *MagneticStoreRejectedDataLocationObservation) {
 	*out = *in
+	if in.S3Configuration != nil {
+		in, out := &in.S3Configuration, &out.S3Configuration
+		*out = make([]S3ConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MagneticStoreRejectedDataLocationObservation.
@@ -242,6 +269,18 @@ func (in *MagneticStoreRejectedDataLocationParameters) DeepCopy() *MagneticStore
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MagneticStoreWritePropertiesObservation) DeepCopyInto(out *MagneticStoreWritePropertiesObservation) {
 	*out = *in
+	if in.EnableMagneticStoreWrites != nil {
+		in, out := &in.EnableMagneticStoreWrites, &out.EnableMagneticStoreWrites
+		*out = new(bool)
+		**out = **in
+	}
+	if in.MagneticStoreRejectedDataLocation != nil {
+		in, out := &in.MagneticStoreRejectedDataLocation, &out.MagneticStoreRejectedDataLocation
+		*out = make([]MagneticStoreRejectedDataLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MagneticStoreWritePropertiesObservation.
@@ -284,6 +323,16 @@ func (in *MagneticStoreWritePropertiesParameters) DeepCopy() *MagneticStoreWrite
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RetentionPropertiesObservation) DeepCopyInto(out *RetentionPropertiesObservation) {
 	*out = *in
+	if in.MagneticStoreRetentionPeriodInDays != nil {
+		in, out := &in.MagneticStoreRetentionPeriodInDays, &out.MagneticStoreRetentionPeriodInDays
+		*out = new(float64)
+		**out = **in
+	}
+	if in.MemoryStoreRetentionPeriodInHours != nil {
+		in, out := &in.MemoryStoreRetentionPeriodInHours, &out.MemoryStoreRetentionPeriodInHours
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RetentionPropertiesObservation.
@@ -324,6 +373,26 @@ func (in *RetentionPropertiesParameters) DeepCopy() *RetentionPropertiesParamete
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3ConfigurationObservation) DeepCopyInto(out *S3ConfigurationObservation) {
 	*out = *in
+	if in.BucketName != nil {
+		in, out := &in.BucketName, &out.BucketName
+		*out = new(string)
+		**out = **in
+	}
+	if in.EncryptionOption != nil {
+		in, out := &in.EncryptionOption, &out.EncryptionOption
+		*out = new(string)
+		**out = **in
+	}
+	if in.KMSKeyID != nil {
+		in, out := &in.KMSKeyID, &out.KMSKeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.ObjectKeyPrefix != nil {
+		in, out := &in.ObjectKeyPrefix, &out.ObjectKeyPrefix
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3ConfigurationObservation.
@@ -438,11 +507,50 @@ func (in *TableObservation) DeepCopyInto(out *TableObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DatabaseName != nil {
+		in, out := &in.DatabaseName, &out.DatabaseName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.MagneticStoreWriteProperties != nil {
+		in, out := &in.MagneticStoreWriteProperties, &out.MagneticStoreWriteProperties
+		*out = make([]MagneticStoreWritePropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RetentionProperties != nil {
+		in, out := &in.RetentionProperties, &out.RetentionProperties
+		*out = make([]RetentionPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TableName != nil {
+		in, out := &in.TableName, &out.TableName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/timestreamwrite/v1beta1/zz_table_types.go b/apis/timestreamwrite/v1beta1/zz_table_types.go
index d004e6ea70..a5ab832655 100755
--- a/apis/timestreamwrite/v1beta1/zz_table_types.go
+++ b/apis/timestreamwrite/v1beta1/zz_table_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type MagneticStoreRejectedDataLocationObservation struct {
+
+	// Configuration of an S3 location to write error reports for records rejected, asynchronously, during magnetic store writes. See S3 Configuration below for more details.
+	S3Configuration []S3ConfigurationObservation `json:"s3Configuration,omitempty" tf:"s3_configuration,omitempty"`
 }
 
 type MagneticStoreRejectedDataLocationParameters struct {
@@ -24,6 +27,12 @@ type MagneticStoreRejectedDataLocationParameters struct {
 }
 
 type MagneticStoreWritePropertiesObservation struct {
+
+	// A flag to enable magnetic store writes.
+	EnableMagneticStoreWrites *bool `json:"enableMagneticStoreWrites,omitempty" tf:"enable_magnetic_store_writes,omitempty"`
+
+	// The location to write error reports for records rejected asynchronously during magnetic store writes. See Magnetic Store Rejected Data Location below for more details.
+	MagneticStoreRejectedDataLocation []MagneticStoreRejectedDataLocationObservation `json:"magneticStoreRejectedDataLocation,omitempty" tf:"magnetic_store_rejected_data_location,omitempty"`
 }
 
 type MagneticStoreWritePropertiesParameters struct {
@@ -38,6 +47,12 @@ type MagneticStoreWritePropertiesParameters struct {
 }
 
 type RetentionPropertiesObservation struct {
+
+	// The duration for which data must be stored in the magnetic store. Minimum value of 1. Maximum value of 73000.
+	MagneticStoreRetentionPeriodInDays *float64 `json:"magneticStoreRetentionPeriodInDays,omitempty" tf:"magnetic_store_retention_period_in_days,omitempty"`
+
+	// The duration for which data must be stored in the memory store. Minimum value of 1. Maximum value of 8766.
+	MemoryStoreRetentionPeriodInHours *float64 `json:"memoryStoreRetentionPeriodInHours,omitempty" tf:"memory_store_retention_period_in_hours,omitempty"`
 }
 
 type RetentionPropertiesParameters struct {
@@ -52,6 +67,18 @@ type RetentionPropertiesParameters struct {
 }
 
 type S3ConfigurationObservation struct {
+
+	// Bucket name of the customer S3 bucket.
+	BucketName *string `json:"bucketName,omitempty" tf:"bucket_name,omitempty"`
+
+	// Encryption option for the customer s3 location. Options are S3 server side encryption with an S3-managed key or KMS managed key. Valid values are SSE_KMS and SSE_S3.
+	EncryptionOption *string `json:"encryptionOption,omitempty" tf:"encryption_option,omitempty"`
+
+	// KMS key arn for the customer s3 location when encrypting with a KMS managed key.
+	KMSKeyID *string `json:"kmsKeyId,omitempty" tf:"kms_key_id,omitempty"`
+
+	// Object key prefix for the customer S3 location.
+	ObjectKeyPrefix *string `json:"objectKeyPrefix,omitempty" tf:"object_key_prefix,omitempty"`
 }
 
 type S3ConfigurationParameters struct {
@@ -78,9 +105,24 @@ type TableObservation struct {
 	// The ARN that uniquely identifies this table.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// –  The name of the Timestream database.
+	DatabaseName *string `json:"databaseName,omitempty" tf:"database_name,omitempty"`
+
 	// The table_name and database_name separated by a colon (:).
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Contains properties to set on the table when enabling magnetic store writes. See Magnetic Store Write Properties below for more details.
+	MagneticStoreWriteProperties []MagneticStoreWritePropertiesObservation `json:"magneticStoreWriteProperties,omitempty" tf:"magnetic_store_write_properties,omitempty"`
+
+	// The retention duration for the memory store and magnetic store. See Retention Properties below for more details. If not provided, magnetic_store_retention_period_in_days default to 73000 and memory_store_retention_period_in_hours defaults to 6.
+	RetentionProperties []RetentionPropertiesObservation `json:"retentionProperties,omitempty" tf:"retention_properties,omitempty"`
+
+	// The name of the Timestream table.
+	TableName *string `json:"tableName,omitempty" tf:"table_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/transcribe/v1beta1/zz_generated.deepcopy.go b/apis/transcribe/v1beta1/zz_generated.deepcopy.go
index 3ed03c3c97..008fdf0257 100644
--- a/apis/transcribe/v1beta1/zz_generated.deepcopy.go
+++ b/apis/transcribe/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,21 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InputDataConfigObservation) DeepCopyInto(out *InputDataConfigObservation) {
 	*out = *in
+	if in.DataAccessRoleArn != nil {
+		in, out := &in.DataAccessRoleArn, &out.DataAccessRoleArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.S3URI != nil {
+		in, out := &in.S3URI, &out.S3URI
+		*out = new(string)
+		**out = **in
+	}
+	if in.TuningDataS3URI != nil {
+		in, out := &in.TuningDataS3URI, &out.TuningDataS3URI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InputDataConfigObservation.
@@ -136,11 +151,43 @@ func (in *LanguageModelObservation) DeepCopyInto(out *LanguageModelObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.BaseModelName != nil {
+		in, out := &in.BaseModelName, &out.BaseModelName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InputDataConfig != nil {
+		in, out := &in.InputDataConfig, &out.InputDataConfig
+		*out = make([]InputDataConfigObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -358,6 +405,26 @@ func (in *VocabularyFilterObservation) DeepCopyInto(out *VocabularyFilterObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -373,6 +440,22 @@ func (in *VocabularyFilterObservation) DeepCopyInto(out *VocabularyFilterObserva
 			(*out)[key] = outVal
 		}
 	}
+	if in.VocabularyFilterFileURI != nil {
+		in, out := &in.VocabularyFilterFileURI, &out.VocabularyFilterFileURI
+		*out = new(string)
+		**out = **in
+	}
+	if in.Words != nil {
+		in, out := &in.Words, &out.Words
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VocabularyFilterObservation.
@@ -525,6 +608,37 @@ func (in *VocabularyObservation) DeepCopyInto(out *VocabularyObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.LanguageCode != nil {
+		in, out := &in.LanguageCode, &out.LanguageCode
+		*out = new(string)
+		**out = **in
+	}
+	if in.Phrases != nil {
+		in, out := &in.Phrases, &out.Phrases
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -540,6 +654,11 @@ func (in *VocabularyObservation) DeepCopyInto(out *VocabularyObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.VocabularyFileURI != nil {
+		in, out := &in.VocabularyFileURI, &out.VocabularyFileURI
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VocabularyObservation.
diff --git a/apis/transcribe/v1beta1/zz_languagemodel_types.go b/apis/transcribe/v1beta1/zz_languagemodel_types.go
index ae1c4619fd..9574417da3 100755
--- a/apis/transcribe/v1beta1/zz_languagemodel_types.go
+++ b/apis/transcribe/v1beta1/zz_languagemodel_types.go
@@ -14,6 +14,15 @@ import (
 )
 
 type InputDataConfigObservation struct {
+
+	// IAM role with access to S3 bucket.
+	DataAccessRoleArn *string `json:"dataAccessRoleArn,omitempty" tf:"data_access_role_arn,omitempty"`
+
+	// S3 URI where training data is located.
+	S3URI *string `json:"s3Uri,omitempty" tf:"s3_uri,omitempty"`
+
+	// S3 URI where tuning data is located.
+	TuningDataS3URI *string `json:"tuningDataS3Uri,omitempty" tf:"tuning_data_s3_uri,omitempty"`
 }
 
 type InputDataConfigParameters struct {
@@ -46,25 +55,37 @@ type LanguageModelObservation struct {
 	// ARN of the LanguageModel.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Name of reference base model.
+	BaseModelName *string `json:"baseModelName,omitempty" tf:"base_model_name,omitempty"`
+
 	// LanguageModel name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The input data config for the LanguageModel. See Input Data Config for more details.
+	InputDataConfig []InputDataConfigObservation `json:"inputDataConfig,omitempty" tf:"input_data_config,omitempty"`
+
+	// The language code you selected for your language model. Refer to the supported languages page for accepted codes.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
 
 type LanguageModelParameters struct {
 
 	// Name of reference base model.
-	// +kubebuilder:validation:Required
-	BaseModelName *string `json:"baseModelName" tf:"base_model_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	BaseModelName *string `json:"baseModelName,omitempty" tf:"base_model_name,omitempty"`
 
 	// The input data config for the LanguageModel. See Input Data Config for more details.
-	// +kubebuilder:validation:Required
-	InputDataConfig []InputDataConfigParameters `json:"inputDataConfig" tf:"input_data_config,omitempty"`
+	// +kubebuilder:validation:Optional
+	InputDataConfig []InputDataConfigParameters `json:"inputDataConfig,omitempty" tf:"input_data_config,omitempty"`
 
 	// The language code you selected for your language model. Refer to the supported languages page for accepted codes.
-	// +kubebuilder:validation:Required
-	LanguageCode *string `json:"languageCode" tf:"language_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -100,8 +121,11 @@ type LanguageModelStatus struct {
 type LanguageModel struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              LanguageModelSpec   `json:"spec"`
-	Status            LanguageModelStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.baseModelName)",message="baseModelName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputDataConfig)",message="inputDataConfig is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)",message="languageCode is a required parameter"
+	Spec   LanguageModelSpec   `json:"spec"`
+	Status LanguageModelStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/transcribe/v1beta1/zz_vocabulary_types.go b/apis/transcribe/v1beta1/zz_vocabulary_types.go
index 2d0d332cb3..ed5e06f149 100755
--- a/apis/transcribe/v1beta1/zz_vocabulary_types.go
+++ b/apis/transcribe/v1beta1/zz_vocabulary_types.go
@@ -24,14 +24,26 @@ type VocabularyObservation struct {
 	// Name of the Vocabulary.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The language code you selected for your vocabulary.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	// - A list of terms to include in the vocabulary. Conflicts with vocabulary_file_uri
+	Phrases []*string `json:"phrases,omitempty" tf:"phrases,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The Amazon S3 location (URI) of the text file that contains your custom vocabulary.
+	VocabularyFileURI *string `json:"vocabularyFileUri,omitempty" tf:"vocabulary_file_uri,omitempty"`
 }
 
 type VocabularyParameters struct {
 
 	// The language code you selected for your vocabulary.
-	// +kubebuilder:validation:Required
-	LanguageCode *string `json:"languageCode" tf:"language_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
 
 	// - A list of terms to include in the vocabulary. Conflicts with vocabulary_file_uri
 	// +kubebuilder:validation:Optional
@@ -75,8 +87,9 @@ type VocabularyStatus struct {
 type Vocabulary struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VocabularySpec   `json:"spec"`
-	Status            VocabularyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)",message="languageCode is a required parameter"
+	Spec   VocabularySpec   `json:"spec"`
+	Status VocabularyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/transcribe/v1beta1/zz_vocabularyfilter_types.go b/apis/transcribe/v1beta1/zz_vocabularyfilter_types.go
index f7a6515a36..d0d05d3281 100755
--- a/apis/transcribe/v1beta1/zz_vocabularyfilter_types.go
+++ b/apis/transcribe/v1beta1/zz_vocabularyfilter_types.go
@@ -24,14 +24,26 @@ type VocabularyFilterObservation struct {
 	// VocabularyFilter name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The language code you selected for your vocabulary filter. Refer to the supported languages page for accepted codes.
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// The Amazon S3 location (URI) of the text file that contains your custom VocabularyFilter. Conflicts with words.
+	VocabularyFilterFileURI *string `json:"vocabularyFilterFileUri,omitempty" tf:"vocabulary_filter_file_uri,omitempty"`
+
+	// - A list of terms to include in the vocabulary. Conflicts with vocabulary_file_uri
+	Words []*string `json:"words,omitempty" tf:"words,omitempty"`
 }
 
 type VocabularyFilterParameters struct {
 
 	// The language code you selected for your vocabulary filter. Refer to the supported languages page for accepted codes.
-	// +kubebuilder:validation:Required
-	LanguageCode *string `json:"languageCode" tf:"language_code,omitempty"`
+	// +kubebuilder:validation:Optional
+	LanguageCode *string `json:"languageCode,omitempty" tf:"language_code,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -75,8 +87,9 @@ type VocabularyFilterStatus struct {
 type VocabularyFilter struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              VocabularyFilterSpec   `json:"spec"`
-	Status            VocabularyFilterStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)",message="languageCode is a required parameter"
+	Spec   VocabularyFilterSpec   `json:"spec"`
+	Status VocabularyFilterStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/transfer/v1beta1/zz_generated.deepcopy.go b/apis/transfer/v1beta1/zz_generated.deepcopy.go
index a32460c1d8..c8cb4cea61 100644
--- a/apis/transfer/v1beta1/zz_generated.deepcopy.go
+++ b/apis/transfer/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,20 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CopyStepDetailsDestinationFileLocationObservation) DeepCopyInto(out *CopyStepDetailsDestinationFileLocationObservation) {
 	*out = *in
+	if in.EFSFileLocation != nil {
+		in, out := &in.EFSFileLocation, &out.EFSFileLocation
+		*out = make([]DestinationFileLocationEFSFileLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3FileLocation != nil {
+		in, out := &in.S3FileLocation, &out.S3FileLocation
+		*out = make([]DestinationFileLocationS3FileLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CopyStepDetailsDestinationFileLocationObservation.
@@ -61,6 +75,28 @@ func (in *CopyStepDetailsDestinationFileLocationParameters) DeepCopy() *CopyStep
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CopyStepDetailsObservation) DeepCopyInto(out *CopyStepDetailsObservation) {
 	*out = *in
+	if in.DestinationFileLocation != nil {
+		in, out := &in.DestinationFileLocation, &out.DestinationFileLocation
+		*out = make([]DestinationFileLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OverwriteExisting != nil {
+		in, out := &in.OverwriteExisting, &out.OverwriteExisting
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CopyStepDetailsObservation.
@@ -113,6 +149,26 @@ func (in *CopyStepDetailsParameters) DeepCopy() *CopyStepDetailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *CustomStepDetailsObservation) DeepCopyInto(out *CustomStepDetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CustomStepDetailsObservation.
@@ -163,6 +219,16 @@ func (in *CustomStepDetailsParameters) DeepCopy() *CustomStepDetailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DeleteStepDetailsObservation) DeepCopyInto(out *DeleteStepDetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeleteStepDetailsObservation.
@@ -203,6 +269,16 @@ func (in *DeleteStepDetailsParameters) DeepCopy() *DeleteStepDetailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationFileLocationEFSFileLocationObservation) DeepCopyInto(out *DestinationFileLocationEFSFileLocationObservation) {
 	*out = *in
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationFileLocationEFSFileLocationObservation.
@@ -243,6 +319,20 @@ func (in *DestinationFileLocationEFSFileLocationParameters) DeepCopy() *Destinat
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationFileLocationObservation) DeepCopyInto(out *DestinationFileLocationObservation) {
 	*out = *in
+	if in.EFSFileLocation != nil {
+		in, out := &in.EFSFileLocation, &out.EFSFileLocation
+		*out = make([]EFSFileLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.S3FileLocation != nil {
+		in, out := &in.S3FileLocation, &out.S3FileLocation
+		*out = make([]S3FileLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationFileLocationObservation.
@@ -287,6 +377,16 @@ func (in *DestinationFileLocationParameters) DeepCopy() *DestinationFileLocation
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DestinationFileLocationS3FileLocationObservation) DeepCopyInto(out *DestinationFileLocationS3FileLocationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DestinationFileLocationS3FileLocationObservation.
@@ -327,6 +427,16 @@ func (in *DestinationFileLocationS3FileLocationParameters) DeepCopy() *Destinati
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EFSFileLocationObservation) DeepCopyInto(out *EFSFileLocationObservation) {
 	*out = *in
+	if in.FileSystemID != nil {
+		in, out := &in.FileSystemID, &out.FileSystemID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Path != nil {
+		in, out := &in.Path, &out.Path
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EFSFileLocationObservation.
@@ -367,6 +477,49 @@ func (in *EFSFileLocationParameters) DeepCopy() *EFSFileLocationParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *EndpointDetailsObservation) DeepCopyInto(out *EndpointDetailsObservation) {
 	*out = *in
+	if in.AddressAllocationIds != nil {
+		in, out := &in.AddressAllocationIds, &out.AddressAllocationIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityGroupIds != nil {
+		in, out := &in.SecurityGroupIds, &out.SecurityGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.VPCEndpointID != nil {
+		in, out := &in.VPCEndpointID, &out.VPCEndpointID
+		*out = new(string)
+		**out = **in
+	}
+	if in.VPCID != nil {
+		in, out := &in.VPCID, &out.VPCID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointDetailsObservation.
@@ -450,6 +603,16 @@ func (in *EndpointDetailsParameters) DeepCopy() *EndpointDetailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *HomeDirectoryMappingsObservation) DeepCopyInto(out *HomeDirectoryMappingsObservation) {
 	*out = *in
+	if in.Entry != nil {
+		in, out := &in.Entry, &out.Entry
+		*out = new(string)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HomeDirectoryMappingsObservation.
@@ -490,6 +653,39 @@ func (in *HomeDirectoryMappingsParameters) DeepCopy() *HomeDirectoryMappingsPara
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnExceptionStepsObservation) DeepCopyInto(out *OnExceptionStepsObservation) {
 	*out = *in
+	if in.CopyStepDetails != nil {
+		in, out := &in.CopyStepDetails, &out.CopyStepDetails
+		*out = make([]CopyStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomStepDetails != nil {
+		in, out := &in.CustomStepDetails, &out.CustomStepDetails
+		*out = make([]CustomStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeleteStepDetails != nil {
+		in, out := &in.DeleteStepDetails, &out.DeleteStepDetails
+		*out = make([]DeleteStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TagStepDetails != nil {
+		in, out := &in.TagStepDetails, &out.TagStepDetails
+		*out = make([]TagStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnExceptionStepsObservation.
@@ -553,6 +749,16 @@ func (in *OnExceptionStepsParameters) DeepCopy() *OnExceptionStepsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OnUploadObservation) DeepCopyInto(out *OnUploadObservation) {
 	*out = *in
+	if in.ExecutionRole != nil {
+		in, out := &in.ExecutionRole, &out.ExecutionRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.WorkflowID != nil {
+		in, out := &in.WorkflowID, &out.WorkflowID
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OnUploadObservation.
@@ -593,6 +799,27 @@ func (in *OnUploadParameters) DeepCopy() *OnUploadParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PosixProfileObservation) DeepCopyInto(out *PosixProfileObservation) {
 	*out = *in
+	if in.GID != nil {
+		in, out := &in.GID, &out.GID
+		*out = new(float64)
+		**out = **in
+	}
+	if in.SecondaryGids != nil {
+		in, out := &in.SecondaryGids, &out.SecondaryGids
+		*out = make([]*float64, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(float64)
+				**out = **in
+			}
+		}
+	}
+	if in.UID != nil {
+		in, out := &in.UID, &out.UID
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PosixProfileObservation.
@@ -644,6 +871,16 @@ func (in *PosixProfileParameters) DeepCopy() *PosixProfileParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *S3FileLocationObservation) DeepCopyInto(out *S3FileLocationObservation) {
 	*out = *in
+	if in.Bucket != nil {
+		in, out := &in.Bucket, &out.Bucket
+		*out = new(string)
+		**out = **in
+	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new S3FileLocationObservation.
@@ -743,11 +980,26 @@ func (in *SSHKeyList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SSHKeyObservation) DeepCopyInto(out *SSHKeyObservation) {
 	*out = *in
+	if in.Body != nil {
+		in, out := &in.Body, &out.Body
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.ServerID != nil {
+		in, out := &in.ServerID, &out.ServerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.UserName != nil {
+		in, out := &in.UserName, &out.UserName
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SSHKeyObservation.
@@ -916,11 +1168,48 @@ func (in *ServerObservation) DeepCopyInto(out *ServerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Certificate != nil {
+		in, out := &in.Certificate, &out.Certificate
+		*out = new(string)
+		**out = **in
+	}
+	if in.DirectoryID != nil {
+		in, out := &in.DirectoryID, &out.DirectoryID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Domain != nil {
+		in, out := &in.Domain, &out.Domain
+		*out = new(string)
+		**out = **in
+	}
 	if in.Endpoint != nil {
 		in, out := &in.Endpoint, &out.Endpoint
 		*out = new(string)
 		**out = **in
 	}
+	if in.EndpointDetails != nil {
+		in, out := &in.EndpointDetails, &out.EndpointDetails
+		*out = make([]EndpointDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.EndpointType != nil {
+		in, out := &in.EndpointType, &out.EndpointType
+		*out = new(string)
+		**out = **in
+	}
+	if in.ForceDestroy != nil {
+		in, out := &in.ForceDestroy, &out.ForceDestroy
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Function != nil {
+		in, out := &in.Function, &out.Function
+		*out = new(string)
+		**out = **in
+	}
 	if in.HostKeyFingerprint != nil {
 		in, out := &in.HostKeyFingerprint, &out.HostKeyFingerprint
 		*out = new(string)
@@ -931,6 +1220,52 @@ func (in *ServerObservation) DeepCopyInto(out *ServerObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IdentityProviderType != nil {
+		in, out := &in.IdentityProviderType, &out.IdentityProviderType
+		*out = new(string)
+		**out = **in
+	}
+	if in.InvocationRole != nil {
+		in, out := &in.InvocationRole, &out.InvocationRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.LoggingRole != nil {
+		in, out := &in.LoggingRole, &out.LoggingRole
+		*out = new(string)
+		**out = **in
+	}
+	if in.Protocols != nil {
+		in, out := &in.Protocols, &out.Protocols
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.SecurityPolicyName != nil {
+		in, out := &in.SecurityPolicyName, &out.SecurityPolicyName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -946,6 +1281,18 @@ func (in *ServerObservation) DeepCopyInto(out *ServerObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.URL != nil {
+		in, out := &in.URL, &out.URL
+		*out = new(string)
+		**out = **in
+	}
+	if in.WorkflowDetails != nil {
+		in, out := &in.WorkflowDetails, &out.WorkflowDetails
+		*out = make([]WorkflowDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServerObservation.
@@ -1145,6 +1492,28 @@ func (in *ServerStatus) DeepCopy() *ServerStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepsCopyStepDetailsObservation) DeepCopyInto(out *StepsCopyStepDetailsObservation) {
 	*out = *in
+	if in.DestinationFileLocation != nil {
+		in, out := &in.DestinationFileLocation, &out.DestinationFileLocation
+		*out = make([]CopyStepDetailsDestinationFileLocationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.OverwriteExisting != nil {
+		in, out := &in.OverwriteExisting, &out.OverwriteExisting
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepsCopyStepDetailsObservation.
@@ -1197,6 +1566,26 @@ func (in *StepsCopyStepDetailsParameters) DeepCopy() *StepsCopyStepDetailsParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepsCustomStepDetailsObservation) DeepCopyInto(out *StepsCustomStepDetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
+	if in.Target != nil {
+		in, out := &in.Target, &out.Target
+		*out = new(string)
+		**out = **in
+	}
+	if in.TimeoutSeconds != nil {
+		in, out := &in.TimeoutSeconds, &out.TimeoutSeconds
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepsCustomStepDetailsObservation.
@@ -1257,6 +1646,16 @@ func (in *StepsCustomStepDetailsParameters) DeepCopy() *StepsCustomStepDetailsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepsDeleteStepDetailsObservation) DeepCopyInto(out *StepsDeleteStepDetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepsDeleteStepDetailsObservation.
@@ -1297,6 +1696,39 @@ func (in *StepsDeleteStepDetailsParameters) DeepCopy() *StepsDeleteStepDetailsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepsObservation) DeepCopyInto(out *StepsObservation) {
 	*out = *in
+	if in.CopyStepDetails != nil {
+		in, out := &in.CopyStepDetails, &out.CopyStepDetails
+		*out = make([]StepsCopyStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.CustomStepDetails != nil {
+		in, out := &in.CustomStepDetails, &out.CustomStepDetails
+		*out = make([]StepsCustomStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.DeleteStepDetails != nil {
+		in, out := &in.DeleteStepDetails, &out.DeleteStepDetails
+		*out = make([]StepsDeleteStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TagStepDetails != nil {
+		in, out := &in.TagStepDetails, &out.TagStepDetails
+		*out = make([]StepsTagStepDetailsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepsObservation.
@@ -1360,6 +1792,23 @@ func (in *StepsParameters) DeepCopy() *StepsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *StepsTagStepDetailsObservation) DeepCopyInto(out *StepsTagStepDetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make([]TagStepDetailsTagsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StepsTagStepDetailsObservation.
@@ -1471,6 +1920,21 @@ func (in *TagObservation) DeepCopyInto(out *TagObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagObservation.
@@ -1565,6 +2029,23 @@ func (in *TagStatus) DeepCopy() *TagStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagStepDetailsObservation) DeepCopyInto(out *TagStepDetailsObservation) {
 	*out = *in
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SourceFileLocation != nil {
+		in, out := &in.SourceFileLocation, &out.SourceFileLocation
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make([]TagsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagStepDetailsObservation.
@@ -1612,6 +2093,16 @@ func (in *TagStepDetailsParameters) DeepCopy() *TagStepDetailsParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagStepDetailsTagsObservation) DeepCopyInto(out *TagStepDetailsTagsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagStepDetailsTagsObservation.
@@ -1652,6 +2143,16 @@ func (in *TagStepDetailsTagsParameters) DeepCopy() *TagStepDetailsTagsParameters
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TagsObservation) DeepCopyInto(out *TagsObservation) {
 	*out = *in
+	if in.Key != nil {
+		in, out := &in.Key, &out.Key
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TagsObservation.
@@ -1756,11 +2257,65 @@ func (in *UserObservation) DeepCopyInto(out *UserObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.HomeDirectory != nil {
+		in, out := &in.HomeDirectory, &out.HomeDirectory
+		*out = new(string)
+		**out = **in
+	}
+	if in.HomeDirectoryMappings != nil {
+		in, out := &in.HomeDirectoryMappings, &out.HomeDirectoryMappings
+		*out = make([]HomeDirectoryMappingsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.HomeDirectoryType != nil {
+		in, out := &in.HomeDirectoryType, &out.HomeDirectoryType
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Policy != nil {
+		in, out := &in.Policy, &out.Policy
+		*out = new(string)
+		**out = **in
+	}
+	if in.PosixProfile != nil {
+		in, out := &in.PosixProfile, &out.PosixProfile
+		*out = make([]PosixProfileObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Role != nil {
+		in, out := &in.Role, &out.Role
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServerID != nil {
+		in, out := &in.ServerID, &out.ServerID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1946,6 +2501,13 @@ func (in *Workflow) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkflowDetailsObservation) DeepCopyInto(out *WorkflowDetailsObservation) {
 	*out = *in
+	if in.OnUpload != nil {
+		in, out := &in.OnUpload, &out.OnUpload
+		*out = make([]OnUploadObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkflowDetailsObservation.
@@ -2020,11 +2582,45 @@ func (in *WorkflowObservation) DeepCopyInto(out *WorkflowObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.OnExceptionSteps != nil {
+		in, out := &in.OnExceptionSteps, &out.OnExceptionSteps
+		*out = make([]OnExceptionStepsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Steps != nil {
+		in, out := &in.Steps, &out.Steps
+		*out = make([]StepsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
diff --git a/apis/transfer/v1beta1/zz_server_types.go b/apis/transfer/v1beta1/zz_server_types.go
index abd4079a5d..dba7db8639 100755
--- a/apis/transfer/v1beta1/zz_server_types.go
+++ b/apis/transfer/v1beta1/zz_server_types.go
@@ -14,6 +14,21 @@ import (
 )
 
 type EndpointDetailsObservation struct {
+
+	// A list of address allocation IDs that are required to attach an Elastic IP address to your SFTP server's endpoint. This property can only be used when endpoint_type is set to VPC.
+	AddressAllocationIds []*string `json:"addressAllocationIds,omitempty" tf:"address_allocation_ids,omitempty"`
+
+	// A list of security groups IDs that are available to attach to your server's endpoint. If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when endpoint_type is set to VPC.
+	SecurityGroupIds []*string `json:"securityGroupIds,omitempty" tf:"security_group_ids,omitempty"`
+
+	// A list of subnet IDs that are required to host your SFTP server endpoint in your VPC. This property can only be used when endpoint_type is set to VPC.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// The ID of the VPC endpoint. This property can only be used when endpoint_type is set to VPC_ENDPOINT
+	VPCEndpointID *string `json:"vpcEndpointId,omitempty" tf:"vpc_endpoint_id,omitempty"`
+
+	// The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when endpoint_type is set to VPC.
+	VPCID *string `json:"vpcId,omitempty" tf:"vpc_id,omitempty"`
 }
 
 type EndpointDetailsParameters struct {
@@ -50,6 +65,12 @@ type EndpointDetailsParameters struct {
 }
 
 type OnUploadObservation struct {
+
+	// Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.
+	ExecutionRole *string `json:"executionRole,omitempty" tf:"execution_role,omitempty"`
+
+	// A unique identifier for the workflow.
+	WorkflowID *string `json:"workflowId,omitempty" tf:"workflow_id,omitempty"`
 }
 
 type OnUploadParameters struct {
@@ -68,17 +89,62 @@ type ServerObservation struct {
 	// Amazon Resource Name (ARN) of Transfer Server
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The Amazon Resource Name (ARN) of the AWS Certificate Manager (ACM) certificate. This is required when protocols is set to FTPS
+	Certificate *string `json:"certificate,omitempty" tf:"certificate,omitempty"`
+
+	// The directory service ID of the directory service you want to connect to with an identity_provider_type of AWS_DIRECTORY_SERVICE.
+	DirectoryID *string `json:"directoryId,omitempty" tf:"directory_id,omitempty"`
+
+	// The domain of the storage system that is used for file transfers. Valid values are: S3 and EFS. The default value is S3.
+	Domain *string `json:"domain,omitempty" tf:"domain,omitempty"`
+
 	// The endpoint of the Transfer Server (e.g., s-12345678.server.transfer.REGION.amazonaws.com)
 	Endpoint *string `json:"endpoint,omitempty" tf:"endpoint,omitempty"`
 
+	// The virtual private cloud (VPC) endpoint settings that you want to configure for your SFTP server. Fields documented below.
+	EndpointDetails []EndpointDetailsObservation `json:"endpointDetails,omitempty" tf:"endpoint_details,omitempty"`
+
+	// The type of endpoint that you want your SFTP server connect to. If you connect to a VPC (or VPC_ENDPOINT), your SFTP server isn't accessible over the public internet. If you want to connect your SFTP server via public internet, set PUBLIC.  Defaults to PUBLIC.
+	EndpointType *string `json:"endpointType,omitempty" tf:"endpoint_type,omitempty"`
+
+	// A boolean that indicates all users associated with the server should be deleted so that the Server can be destroyed without error. The default value is false. This option only applies to servers configured with a SERVICE_MANAGED identity_provider_type.
+	ForceDestroy *bool `json:"forceDestroy,omitempty" tf:"force_destroy,omitempty"`
+
+	// The ARN for a lambda function to use for the Identity provider.
+	Function *string `json:"function,omitempty" tf:"function,omitempty"`
+
 	// This value contains the message-digest algorithm (MD5) hash of the server's host key. This value is equivalent to the output of the ssh-keygen -l -E md5 -f my-new-server-key command.
 	HostKeyFingerprint *string `json:"hostKeyFingerprint,omitempty" tf:"host_key_fingerprint,omitempty"`
 
 	// The Server ID of the Transfer Server (e.g., s-12345678)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The mode of authentication enabled for this service. The default value is SERVICE_MANAGED, which allows you to store and access SFTP user credentials within the service. API_GATEWAY indicates that user authentication requires a call to an API Gateway endpoint URL provided by you to integrate an identity provider of your choice. Using AWS_DIRECTORY_SERVICE will allow for authentication against AWS Managed Active Directory or Microsoft Active Directory in your on-premises environment, or in AWS using AD Connectors. Use the AWS_LAMBDA value to directly use a Lambda function as your identity provider. If you choose this value, you must specify the ARN for the lambda function in the function argument.
+	IdentityProviderType *string `json:"identityProviderType,omitempty" tf:"identity_provider_type,omitempty"`
+
+	// Amazon Resource Name (ARN) of the IAM role used to authenticate the user account with an identity_provider_type of API_GATEWAY.
+	InvocationRole *string `json:"invocationRole,omitempty" tf:"invocation_role,omitempty"`
+
+	// Amazon Resource Name (ARN) of an IAM role that allows the service to write your SFTP users’ activity to your Amazon CloudWatch logs for monitoring and auditing purposes.
+	LoggingRole *string `json:"loggingRole,omitempty" tf:"logging_role,omitempty"`
+
+	// Specifies the file transfer protocol or protocols over which your file transfer protocol client can connect to your server's endpoint. This defaults to SFTP . The available protocols are:
+	Protocols []*string `json:"protocols,omitempty" tf:"protocols,omitempty"`
+
+	// Specifies the name of the security policy that is attached to the server. Possible values are TransferSecurityPolicy-2018-11, TransferSecurityPolicy-2020-06, TransferSecurityPolicy-FIPS-2020-06 and TransferSecurityPolicy-2022-03. Default value is: TransferSecurityPolicy-2018-11.
+	SecurityPolicyName *string `json:"securityPolicyName,omitempty" tf:"security_policy_name,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// - URL of the service endpoint used to authenticate users with an identity_provider_type of API_GATEWAY.
+	URL *string `json:"url,omitempty" tf:"url,omitempty"`
+
+	// Specifies the workflow details. See Workflow Details below.
+	WorkflowDetails []WorkflowDetailsObservation `json:"workflowDetails,omitempty" tf:"workflow_details,omitempty"`
 }
 
 type ServerParameters struct {
@@ -182,6 +248,9 @@ type ServerParameters struct {
 }
 
 type WorkflowDetailsObservation struct {
+
+	// A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See Workflow Detail below.
+	OnUpload []OnUploadObservation `json:"onUpload,omitempty" tf:"on_upload,omitempty"`
 }
 
 type WorkflowDetailsParameters struct {
diff --git a/apis/transfer/v1beta1/zz_sshkey_types.go b/apis/transfer/v1beta1/zz_sshkey_types.go
index 02f71d9b5f..2f10c6157c 100755
--- a/apis/transfer/v1beta1/zz_sshkey_types.go
+++ b/apis/transfer/v1beta1/zz_sshkey_types.go
@@ -14,14 +14,24 @@ import (
 )
 
 type SSHKeyObservation struct {
+
+	// (Requirement) The public key portion of an SSH key pair.
+	Body *string `json:"body,omitempty" tf:"body,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// (Requirement) The Server ID of the Transfer Server (e.g., s-12345678)
+	ServerID *string `json:"serverId,omitempty" tf:"server_id,omitempty"`
+
+	// (Requirement) The name of the user account that is assigned to one or more servers.
+	UserName *string `json:"userName,omitempty" tf:"user_name,omitempty"`
 }
 
 type SSHKeyParameters struct {
 
 	// (Requirement) The public key portion of an SSH key pair.
-	// +kubebuilder:validation:Required
-	Body *string `json:"body" tf:"body,omitempty"`
+	// +kubebuilder:validation:Optional
+	Body *string `json:"body,omitempty" tf:"body,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -80,8 +90,9 @@ type SSHKeyStatus struct {
 type SSHKey struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SSHKeySpec   `json:"spec"`
-	Status            SSHKeyStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.body)",message="body is a required parameter"
+	Spec   SSHKeySpec   `json:"spec"`
+	Status SSHKeyStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/transfer/v1beta1/zz_tag_types.go b/apis/transfer/v1beta1/zz_tag_types.go
index 17d1802dcb..4fc4c35682 100755
--- a/apis/transfer/v1beta1/zz_tag_types.go
+++ b/apis/transfer/v1beta1/zz_tag_types.go
@@ -17,13 +17,22 @@ type TagObservation struct {
 
 	// Transfer Family resource identifier and key, separated by a comma (,)
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// Tag name.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// Amazon Resource Name (ARN) of the Transfer Family resource to tag.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// Tag value.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagParameters struct {
 
 	// Tag name.
-	// +kubebuilder:validation:Required
-	Key *string `json:"key" tf:"key,omitempty"`
+	// +kubebuilder:validation:Optional
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -45,8 +54,8 @@ type TagParameters struct {
 	ResourceArnSelector *v1.Selector `json:"resourceArnSelector,omitempty" tf:"-"`
 
 	// Tag value.
-	// +kubebuilder:validation:Required
-	Value *string `json:"value" tf:"value,omitempty"`
+	// +kubebuilder:validation:Optional
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 // TagSpec defines the desired state of Tag
@@ -73,8 +82,10 @@ type TagStatus struct {
 type Tag struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              TagSpec   `json:"spec"`
-	Status            TagStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)",message="key is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)",message="value is a required parameter"
+	Spec   TagSpec   `json:"spec"`
+	Status TagStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/transfer/v1beta1/zz_user_types.go b/apis/transfer/v1beta1/zz_user_types.go
index f0beed494b..d7981b7355 100755
--- a/apis/transfer/v1beta1/zz_user_types.go
+++ b/apis/transfer/v1beta1/zz_user_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type HomeDirectoryMappingsObservation struct {
+
+	// Represents an entry and a target.
+	Entry *string `json:"entry,omitempty" tf:"entry,omitempty"`
+
+	// Represents the map target.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
 }
 
 type HomeDirectoryMappingsParameters struct {
@@ -28,6 +34,15 @@ type HomeDirectoryMappingsParameters struct {
 }
 
 type PosixProfileObservation struct {
+
+	// The POSIX group ID used for all EFS operations by this user.
+	GID *float64 `json:"gid,omitempty" tf:"gid,omitempty"`
+
+	// The secondary POSIX group IDs used for all EFS operations by this user.
+	SecondaryGids []*float64 `json:"secondaryGids,omitempty" tf:"secondary_gids,omitempty"`
+
+	// The POSIX user ID used for all EFS operations by this user.
+	UID *float64 `json:"uid,omitempty" tf:"uid,omitempty"`
 }
 
 type PosixProfileParameters struct {
@@ -50,8 +65,32 @@ type UserObservation struct {
 	// Amazon Resource Name (ARN) of Transfer User
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The landing directory (folder) for a user when they log in to the server using their SFTP client.  It should begin with a /.  The first item in the path is the name of the home bucket (accessible as ${Transfer:HomeBucket} in the policy) and the rest is the home directory (accessible as ${Transfer:HomeDirectory} in the policy). For example, /example-bucket-1234/username would set the home bucket to example-bucket-1234 and the home directory to username.
+	HomeDirectory *string `json:"homeDirectory,omitempty" tf:"home_directory,omitempty"`
+
+	// Logical directory mappings that specify what S3 paths and keys should be visible to your user and how you want to make them visible. See Home Directory Mappings below.
+	HomeDirectoryMappings []HomeDirectoryMappingsObservation `json:"homeDirectoryMappings,omitempty" tf:"home_directory_mappings,omitempty"`
+
+	// The type of landing directory (folder) you mapped for your users' home directory. Valid values are PATH and LOGICAL.
+	HomeDirectoryType *string `json:"homeDirectoryType,omitempty" tf:"home_directory_type,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// An IAM JSON policy document that scopes down user access to portions of their Amazon S3 bucket. IAM variables you can use inside this policy include ${Transfer:UserName}, ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.  These are evaluated on-the-fly when navigating the bucket.
+	Policy *string `json:"policy,omitempty" tf:"policy,omitempty"`
+
+	// Specifies the full POSIX identity, including user ID (Uid), group ID (Gid), and any secondary groups IDs (SecondaryGids), that controls your users' access to your Amazon EFS file systems. See Posix Profile below.
+	PosixProfile []PosixProfileObservation `json:"posixProfile,omitempty" tf:"posix_profile,omitempty"`
+
+	// Amazon Resource Name (ARN) of an IAM role that allows the service to controls your user’s access to your Amazon S3 bucket.
+	Role *string `json:"role,omitempty" tf:"role,omitempty"`
+
+	// The Server ID of the Transfer Server (e.g., s-12345678)
+	ServerID *string `json:"serverId,omitempty" tf:"server_id,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
diff --git a/apis/transfer/v1beta1/zz_workflow_types.go b/apis/transfer/v1beta1/zz_workflow_types.go
index 6dc2c35924..3bb6decdae 100755
--- a/apis/transfer/v1beta1/zz_workflow_types.go
+++ b/apis/transfer/v1beta1/zz_workflow_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type CopyStepDetailsDestinationFileLocationObservation struct {
+
+	// Specifies the details for the EFS file being copied.
+	EFSFileLocation []DestinationFileLocationEFSFileLocationObservation `json:"efsFileLocation,omitempty" tf:"efs_file_location,omitempty"`
+
+	// Specifies the details for the S3 file being copied.
+	S3FileLocation []DestinationFileLocationS3FileLocationObservation `json:"s3FileLocation,omitempty" tf:"s3_file_location,omitempty"`
 }
 
 type CopyStepDetailsDestinationFileLocationParameters struct {
@@ -28,6 +34,18 @@ type CopyStepDetailsDestinationFileLocationParameters struct {
 }
 
 type CopyStepDetailsObservation struct {
+
+	// Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.
+	DestinationFileLocation []DestinationFileLocationObservation `json:"destinationFileLocation,omitempty" tf:"destination_file_location,omitempty"`
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A flag that indicates whether or not to overwrite an existing file of the same name. The default is FALSE. Valid values are TRUE and FALSE.
+	OverwriteExisting *string `json:"overwriteExisting,omitempty" tf:"overwrite_existing,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
 }
 
 type CopyStepDetailsParameters struct {
@@ -50,6 +68,18 @@ type CopyStepDetailsParameters struct {
 }
 
 type CustomStepDetailsObservation struct {
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
+
+	// The ARN for the lambda function that is being called.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
+
+	// Timeout, in seconds, for the step.
+	TimeoutSeconds *float64 `json:"timeoutSeconds,omitempty" tf:"timeout_seconds,omitempty"`
 }
 
 type CustomStepDetailsParameters struct {
@@ -72,6 +102,12 @@ type CustomStepDetailsParameters struct {
 }
 
 type DeleteStepDetailsObservation struct {
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
 }
 
 type DeleteStepDetailsParameters struct {
@@ -86,6 +122,12 @@ type DeleteStepDetailsParameters struct {
 }
 
 type DestinationFileLocationEFSFileLocationObservation struct {
+
+	// The ID of the file system, assigned by Amazon EFS.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
+	// The pathname for the folder being used by a workflow.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 }
 
 type DestinationFileLocationEFSFileLocationParameters struct {
@@ -100,6 +142,12 @@ type DestinationFileLocationEFSFileLocationParameters struct {
 }
 
 type DestinationFileLocationObservation struct {
+
+	// Specifies the details for the EFS file being copied.
+	EFSFileLocation []EFSFileLocationObservation `json:"efsFileLocation,omitempty" tf:"efs_file_location,omitempty"`
+
+	// Specifies the details for the S3 file being copied.
+	S3FileLocation []S3FileLocationObservation `json:"s3FileLocation,omitempty" tf:"s3_file_location,omitempty"`
 }
 
 type DestinationFileLocationParameters struct {
@@ -114,6 +162,12 @@ type DestinationFileLocationParameters struct {
 }
 
 type DestinationFileLocationS3FileLocationObservation struct {
+
+	// Specifies the S3 bucket for the customer input file.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The name assigned to the file when it was created in S3. You use the object key to retrieve the object.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type DestinationFileLocationS3FileLocationParameters struct {
@@ -128,6 +182,12 @@ type DestinationFileLocationS3FileLocationParameters struct {
 }
 
 type EFSFileLocationObservation struct {
+
+	// The ID of the file system, assigned by Amazon EFS.
+	FileSystemID *string `json:"fileSystemId,omitempty" tf:"file_system_id,omitempty"`
+
+	// The pathname for the folder being used by a workflow.
+	Path *string `json:"path,omitempty" tf:"path,omitempty"`
 }
 
 type EFSFileLocationParameters struct {
@@ -142,6 +202,21 @@ type EFSFileLocationParameters struct {
 }
 
 type OnExceptionStepsObservation struct {
+
+	// Details for a step that performs a file copy. See Copy Step Details below.
+	CopyStepDetails []CopyStepDetailsObservation `json:"copyStepDetails,omitempty" tf:"copy_step_details,omitempty"`
+
+	// Details for a step that invokes a lambda function.
+	CustomStepDetails []CustomStepDetailsObservation `json:"customStepDetails,omitempty" tf:"custom_step_details,omitempty"`
+
+	// Details for a step that deletes the file.
+	DeleteStepDetails []DeleteStepDetailsObservation `json:"deleteStepDetails,omitempty" tf:"delete_step_details,omitempty"`
+
+	// Details for a step that creates one or more tags.
+	TagStepDetails []TagStepDetailsObservation `json:"tagStepDetails,omitempty" tf:"tag_step_details,omitempty"`
+
+	// One of the following step types are supported. COPY, CUSTOM, DELETE, and TAG.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type OnExceptionStepsParameters struct {
@@ -168,6 +243,12 @@ type OnExceptionStepsParameters struct {
 }
 
 type S3FileLocationObservation struct {
+
+	// Specifies the S3 bucket for the customer input file.
+	Bucket *string `json:"bucket,omitempty" tf:"bucket,omitempty"`
+
+	// The name assigned to the file when it was created in S3. You use the object key to retrieve the object.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
 }
 
 type S3FileLocationParameters struct {
@@ -182,6 +263,18 @@ type S3FileLocationParameters struct {
 }
 
 type StepsCopyStepDetailsObservation struct {
+
+	// Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.
+	DestinationFileLocation []CopyStepDetailsDestinationFileLocationObservation `json:"destinationFileLocation,omitempty" tf:"destination_file_location,omitempty"`
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A flag that indicates whether or not to overwrite an existing file of the same name. The default is FALSE. Valid values are TRUE and FALSE.
+	OverwriteExisting *string `json:"overwriteExisting,omitempty" tf:"overwrite_existing,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
 }
 
 type StepsCopyStepDetailsParameters struct {
@@ -204,6 +297,18 @@ type StepsCopyStepDetailsParameters struct {
 }
 
 type StepsCustomStepDetailsObservation struct {
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
+
+	// The ARN for the lambda function that is being called.
+	Target *string `json:"target,omitempty" tf:"target,omitempty"`
+
+	// Timeout, in seconds, for the step.
+	TimeoutSeconds *float64 `json:"timeoutSeconds,omitempty" tf:"timeout_seconds,omitempty"`
 }
 
 type StepsCustomStepDetailsParameters struct {
@@ -236,6 +341,12 @@ type StepsCustomStepDetailsParameters struct {
 }
 
 type StepsDeleteStepDetailsObservation struct {
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
 }
 
 type StepsDeleteStepDetailsParameters struct {
@@ -250,6 +361,21 @@ type StepsDeleteStepDetailsParameters struct {
 }
 
 type StepsObservation struct {
+
+	// Details for a step that performs a file copy. See Copy Step Details below.
+	CopyStepDetails []StepsCopyStepDetailsObservation `json:"copyStepDetails,omitempty" tf:"copy_step_details,omitempty"`
+
+	// Details for a step that invokes a lambda function.
+	CustomStepDetails []StepsCustomStepDetailsObservation `json:"customStepDetails,omitempty" tf:"custom_step_details,omitempty"`
+
+	// Details for a step that deletes the file.
+	DeleteStepDetails []StepsDeleteStepDetailsObservation `json:"deleteStepDetails,omitempty" tf:"delete_step_details,omitempty"`
+
+	// Details for a step that creates one or more tags.
+	TagStepDetails []StepsTagStepDetailsObservation `json:"tagStepDetails,omitempty" tf:"tag_step_details,omitempty"`
+
+	// One of the following step types are supported. COPY, CUSTOM, DELETE, and TAG.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type StepsParameters struct {
@@ -276,6 +402,15 @@ type StepsParameters struct {
 }
 
 type StepsTagStepDetailsObservation struct {
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags []TagStepDetailsTagsObservation `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type StepsTagStepDetailsParameters struct {
@@ -294,6 +429,15 @@ type StepsTagStepDetailsParameters struct {
 }
 
 type TagStepDetailsObservation struct {
+
+	// The name of the step, used as an identifier.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.
+	SourceFileLocation *string `json:"sourceFileLocation,omitempty" tf:"source_file_location,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags []TagsObservation `json:"tags,omitempty" tf:"tags,omitempty"`
 }
 
 type TagStepDetailsParameters struct {
@@ -312,6 +456,12 @@ type TagStepDetailsParameters struct {
 }
 
 type TagStepDetailsTagsObservation struct {
+
+	// The name assigned to the file when it was created in S3. You use the object key to retrieve the object.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value that corresponds to the key.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagStepDetailsTagsParameters struct {
@@ -326,6 +476,12 @@ type TagStepDetailsTagsParameters struct {
 }
 
 type TagsObservation struct {
+
+	// The name assigned to the file when it was created in S3. You use the object key to retrieve the object.
+	Key *string `json:"key,omitempty" tf:"key,omitempty"`
+
+	// The value that corresponds to the key.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type TagsParameters struct {
@@ -344,9 +500,21 @@ type WorkflowObservation struct {
 	// The Workflow ARN.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A textual description for the workflow.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The Workflow id.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specifies the steps (actions) to take if errors are encountered during execution of the workflow. See Workflow Steps below.
+	OnExceptionSteps []OnExceptionStepsObservation `json:"onExceptionSteps,omitempty" tf:"on_exception_steps,omitempty"`
+
+	// Specifies the details for the steps that are in the specified workflow. See Workflow Steps below.
+	Steps []StepsObservation `json:"steps,omitempty" tf:"steps,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -367,8 +535,8 @@ type WorkflowParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Specifies the details for the steps that are in the specified workflow. See Workflow Steps below.
-	// +kubebuilder:validation:Required
-	Steps []StepsParameters `json:"steps" tf:"steps,omitempty"`
+	// +kubebuilder:validation:Optional
+	Steps []StepsParameters `json:"steps,omitempty" tf:"steps,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -399,8 +567,9 @@ type WorkflowStatus struct {
 type Workflow struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WorkflowSpec   `json:"spec"`
-	Status            WorkflowStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.steps)",message="steps is a required parameter"
+	Spec   WorkflowSpec   `json:"spec"`
+	Status WorkflowStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/vpc/v1beta1/zz_generated.deepcopy.go b/apis/vpc/v1beta1/zz_generated.deepcopy.go
index a0bae11b89..5424a28994 100644
--- a/apis/vpc/v1beta1/zz_generated.deepcopy.go
+++ b/apis/vpc/v1beta1/zz_generated.deepcopy.go
@@ -75,16 +75,36 @@ func (in *NetworkPerformanceMetricSubscriptionList) DeepCopyObject() runtime.Obj
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkPerformanceMetricSubscriptionObservation) DeepCopyInto(out *NetworkPerformanceMetricSubscriptionObservation) {
 	*out = *in
+	if in.Destination != nil {
+		in, out := &in.Destination, &out.Destination
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Metric != nil {
+		in, out := &in.Metric, &out.Metric
+		*out = new(string)
+		**out = **in
+	}
 	if in.Period != nil {
 		in, out := &in.Period, &out.Period
 		*out = new(string)
 		**out = **in
 	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
+	if in.Statistic != nil {
+		in, out := &in.Statistic, &out.Statistic
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPerformanceMetricSubscriptionObservation.
diff --git a/apis/vpc/v1beta1/zz_networkperformancemetricsubscription_types.go b/apis/vpc/v1beta1/zz_networkperformancemetricsubscription_types.go
index 9143c81e34..40ded311ca 100755
--- a/apis/vpc/v1beta1/zz_networkperformancemetricsubscription_types.go
+++ b/apis/vpc/v1beta1/zz_networkperformancemetricsubscription_types.go
@@ -14,17 +14,30 @@ import (
 )
 
 type NetworkPerformanceMetricSubscriptionObservation struct {
+
+	// The target Region or Availability Zone that the metric subscription is enabled for. For example, eu-west-1.
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
+
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The metric used for the enabled subscription. Valid values: aggregate-latency. Default: aggregate-latency.
+	Metric *string `json:"metric,omitempty" tf:"metric,omitempty"`
+
 	// The data aggregation time for the subscription.
 	Period *string `json:"period,omitempty" tf:"period,omitempty"`
+
+	// The source Region or Availability Zone that the metric subscription is enabled for. For example, us-east-1.
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
+
+	// The statistic used for the enabled subscription. Valid values: p50. Default: p50.
+	Statistic *string `json:"statistic,omitempty" tf:"statistic,omitempty"`
 }
 
 type NetworkPerformanceMetricSubscriptionParameters struct {
 
 	// The target Region or Availability Zone that the metric subscription is enabled for. For example, eu-west-1.
-	// +kubebuilder:validation:Required
-	Destination *string `json:"destination" tf:"destination,omitempty"`
+	// +kubebuilder:validation:Optional
+	Destination *string `json:"destination,omitempty" tf:"destination,omitempty"`
 
 	// The metric used for the enabled subscription. Valid values: aggregate-latency. Default: aggregate-latency.
 	// +kubebuilder:validation:Optional
@@ -36,8 +49,8 @@ type NetworkPerformanceMetricSubscriptionParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The source Region or Availability Zone that the metric subscription is enabled for. For example, us-east-1.
-	// +kubebuilder:validation:Required
-	Source *string `json:"source" tf:"source,omitempty"`
+	// +kubebuilder:validation:Optional
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
 
 	// The statistic used for the enabled subscription. Valid values: p50. Default: p50.
 	// +kubebuilder:validation:Optional
@@ -68,8 +81,10 @@ type NetworkPerformanceMetricSubscriptionStatus struct {
 type NetworkPerformanceMetricSubscription struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              NetworkPerformanceMetricSubscriptionSpec   `json:"spec"`
-	Status            NetworkPerformanceMetricSubscriptionStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)",message="destination is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)",message="source is a required parameter"
+	Spec   NetworkPerformanceMetricSubscriptionSpec   `json:"spec"`
+	Status NetworkPerformanceMetricSubscriptionStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_bytematchset_types.go b/apis/waf/v1beta1/zz_bytematchset_types.go
index 63efd70667..6ce090fb64 100755
--- a/apis/waf/v1beta1/zz_bytematchset_types.go
+++ b/apis/waf/v1beta1/zz_bytematchset_types.go
@@ -15,8 +15,16 @@ import (
 
 type ByteMatchSetObservation struct {
 
+	// Specifies the bytes (typically a string that corresponds
+	// with ASCII characters) that you want to search for in web requests,
+	// the location in requests that you want to search, and other settings.
+	ByteMatchTuples []ByteMatchTuplesObservation `json:"byteMatchTuples,omitempty" tf:"byte_match_tuples,omitempty"`
+
 	// The ID of the WAF Byte Match Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Byte Match Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type ByteMatchSetParameters struct {
@@ -28,8 +36,8 @@ type ByteMatchSetParameters struct {
 	ByteMatchTuples []ByteMatchTuplesParameters `json:"byteMatchTuples,omitempty" tf:"byte_match_tuples,omitempty"`
 
 	// The name or description of the Byte Match Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -38,6 +46,28 @@ type ByteMatchSetParameters struct {
 }
 
 type ByteMatchTuplesObservation struct {
+
+	// The part of a web request that you want to search, such as a specified header or a query string.
+	FieldToMatch []FieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// Within the portion of a web request that you want to search
+	// (for example, in the query string, if any), specify where you want to search.
+	// e.g., CONTAINS, CONTAINS_WORD or EXACTLY.
+	// See docs
+	// for all supported values.
+	PositionalConstraint *string `json:"positionalConstraint,omitempty" tf:"positional_constraint,omitempty"`
+
+	// The value that you want to search for within the field specified by field_to_match, e.g., badrefer1.
+	// See docs
+	// for all supported values.
+	TargetString *string `json:"targetString,omitempty" tf:"target_string,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type ByteMatchTuplesParameters struct {
@@ -70,6 +100,16 @@ type ByteMatchTuplesParameters struct {
 }
 
 type FieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type FieldToMatchParameters struct {
@@ -111,8 +151,9 @@ type ByteMatchSetStatus struct {
 type ByteMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ByteMatchSetSpec   `json:"spec"`
-	Status            ByteMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ByteMatchSetSpec   `json:"spec"`
+	Status ByteMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_generated.deepcopy.go b/apis/waf/v1beta1/zz_generated.deepcopy.go
index fe2a198108..e43e975b3d 100644
--- a/apis/waf/v1beta1/zz_generated.deepcopy.go
+++ b/apis/waf/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -111,11 +116,23 @@ func (in *ByteMatchSetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ByteMatchSetObservation) DeepCopyInto(out *ByteMatchSetObservation) {
 	*out = *in
+	if in.ByteMatchTuples != nil {
+		in, out := &in.ByteMatchTuples, &out.ByteMatchTuples
+		*out = make([]ByteMatchTuplesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByteMatchSetObservation.
@@ -197,6 +214,28 @@ func (in *ByteMatchSetStatus) DeepCopy() *ByteMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ByteMatchTuplesObservation) DeepCopyInto(out *ByteMatchTuplesObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]FieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PositionalConstraint != nil {
+		in, out := &in.PositionalConstraint, &out.PositionalConstraint
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetString != nil {
+		in, out := &in.TargetString, &out.TargetString
+		*out = new(string)
+		**out = **in
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByteMatchTuplesObservation.
@@ -249,6 +288,11 @@ func (in *ByteMatchTuplesParameters) DeepCopy() *ByteMatchTuplesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultActionObservation) DeepCopyInto(out *DefaultActionObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultActionObservation.
@@ -284,6 +328,16 @@ func (in *DefaultActionParameters) DeepCopy() *DefaultActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FieldToMatchObservation) DeepCopyInto(out *FieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FieldToMatchObservation.
@@ -324,6 +378,16 @@ func (in *FieldToMatchParameters) DeepCopy() *FieldToMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GeoMatchConstraintObservation) DeepCopyInto(out *GeoMatchConstraintObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeoMatchConstraintObservation.
@@ -428,11 +492,23 @@ func (in *GeoMatchSetObservation) DeepCopyInto(out *GeoMatchSetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.GeoMatchConstraint != nil {
+		in, out := &in.GeoMatchConstraint, &out.GeoMatchConstraint
+		*out = make([]GeoMatchConstraintObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeoMatchSetObservation.
@@ -541,6 +617,16 @@ func (in *IPSet) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPSetDescriptorsObservation) DeepCopyInto(out *IPSetDescriptorsObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetDescriptorsObservation.
@@ -623,6 +709,18 @@ func (in *IPSetObservation) DeepCopyInto(out *IPSetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPSetDescriptors != nil {
+		in, out := &in.IPSetDescriptors, &out.IPSetDescriptors
+		*out = make([]IPSetDescriptorsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetObservation.
@@ -704,6 +802,18 @@ func (in *IPSetStatus) DeepCopy() *IPSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingConfigurationObservation) DeepCopyInto(out *LoggingConfigurationObservation) {
 	*out = *in
+	if in.LogDestination != nil {
+		in, out := &in.LogDestination, &out.LogDestination
+		*out = new(string)
+		**out = **in
+	}
+	if in.RedactedFields != nil {
+		in, out := &in.RedactedFields, &out.RedactedFields
+		*out = make([]RedactedFieldsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfigurationObservation.
@@ -756,6 +866,11 @@ func (in *LoggingConfigurationParameters) DeepCopy() *LoggingConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverrideActionObservation) DeepCopyInto(out *OverrideActionObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OverrideActionObservation.
@@ -791,6 +906,21 @@ func (in *OverrideActionParameters) DeepCopy() *OverrideActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredicatesObservation) DeepCopyInto(out *PredicatesObservation) {
 	*out = *in
+	if in.DataID != nil {
+		in, out := &in.DataID, &out.DataID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Negated != nil {
+		in, out := &in.Negated, &out.Negated
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredicatesObservation.
@@ -915,6 +1045,48 @@ func (in *RateBasedRuleObservation) DeepCopyInto(out *RateBasedRuleObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Predicates != nil {
+		in, out := &in.Predicates, &out.Predicates
+		*out = make([]PredicatesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RateKey != nil {
+		in, out := &in.RateKey, &out.RateKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.RateLimit != nil {
+		in, out := &in.RateLimit, &out.RateLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1041,6 +1213,16 @@ func (in *RateBasedRuleStatus) DeepCopy() *RateBasedRuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedactedFieldsFieldToMatchObservation) DeepCopyInto(out *RedactedFieldsFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedactedFieldsFieldToMatchObservation.
@@ -1081,6 +1263,13 @@ func (in *RedactedFieldsFieldToMatchParameters) DeepCopy() *RedactedFieldsFieldT
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedactedFieldsObservation) DeepCopyInto(out *RedactedFieldsObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]RedactedFieldsFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedactedFieldsObservation.
@@ -1187,6 +1376,18 @@ func (in *RegexMatchSetObservation) DeepCopyInto(out *RegexMatchSetObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegexMatchTuple != nil {
+		in, out := &in.RegexMatchTuple, &out.RegexMatchTuple
+		*out = make([]RegexMatchTupleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexMatchSetObservation.
@@ -1268,6 +1469,16 @@ func (in *RegexMatchSetStatus) DeepCopy() *RegexMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegexMatchTupleFieldToMatchObservation) DeepCopyInto(out *RegexMatchTupleFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexMatchTupleFieldToMatchObservation.
@@ -1308,6 +1519,23 @@ func (in *RegexMatchTupleFieldToMatchParameters) DeepCopy() *RegexMatchTupleFiel
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegexMatchTupleObservation) DeepCopyInto(out *RegexMatchTupleObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]RegexMatchTupleFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RegexPatternSetID != nil {
+		in, out := &in.RegexPatternSetID, &out.RegexPatternSetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexMatchTupleObservation.
@@ -1434,6 +1662,22 @@ func (in *RegexPatternSetObservation) DeepCopyInto(out *RegexPatternSetObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegexPatternStrings != nil {
+		in, out := &in.RegexPatternStrings, &out.RegexPatternStrings
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexPatternSetObservation.
@@ -1588,6 +1832,38 @@ func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Predicates != nil {
+		in, out := &in.Predicates, &out.Predicates
+		*out = make([]RulePredicatesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1670,6 +1946,21 @@ func (in *RuleParameters) DeepCopy() *RuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RulePredicatesObservation) DeepCopyInto(out *RulePredicatesObservation) {
 	*out = *in
+	if in.DataID != nil {
+		in, out := &in.DataID, &out.DataID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Negated != nil {
+		in, out := &in.Negated, &out.Negated
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulePredicatesObservation.
@@ -1759,6 +2050,35 @@ func (in *RuleStatus) DeepCopy() *RuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RulesObservation) DeepCopyInto(out *RulesObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OverrideAction != nil {
+		in, out := &in.OverrideAction, &out.OverrideAction
+		*out = make([]OverrideActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RuleID != nil {
+		in, out := &in.RuleID, &out.RuleID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesObservation.
@@ -1892,6 +2212,18 @@ func (in *SQLInjectionMatchSetObservation) DeepCopyInto(out *SQLInjectionMatchSe
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQLInjectionMatchTuples != nil {
+		in, out := &in.SQLInjectionMatchTuples, &out.SQLInjectionMatchTuples
+		*out = make([]SQLInjectionMatchTuplesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SQLInjectionMatchSetObservation.
@@ -1973,6 +2305,16 @@ func (in *SQLInjectionMatchSetStatus) DeepCopy() *SQLInjectionMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SQLInjectionMatchTuplesFieldToMatchObservation) DeepCopyInto(out *SQLInjectionMatchTuplesFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SQLInjectionMatchTuplesFieldToMatchObservation.
@@ -2013,6 +2355,18 @@ func (in *SQLInjectionMatchTuplesFieldToMatchParameters) DeepCopy() *SQLInjectio
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SQLInjectionMatchTuplesObservation) DeepCopyInto(out *SQLInjectionMatchTuplesObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]SQLInjectionMatchTuplesFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SQLInjectionMatchTuplesObservation.
@@ -2124,6 +2478,18 @@ func (in *SizeConstraintSetObservation) DeepCopyInto(out *SizeConstraintSetObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SizeConstraints != nil {
+		in, out := &in.SizeConstraints, &out.SizeConstraints
+		*out = make([]SizeConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SizeConstraintSetObservation.
@@ -2205,6 +2571,16 @@ func (in *SizeConstraintSetStatus) DeepCopy() *SizeConstraintSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SizeConstraintsFieldToMatchObservation) DeepCopyInto(out *SizeConstraintsFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SizeConstraintsFieldToMatchObservation.
@@ -2245,6 +2621,28 @@ func (in *SizeConstraintsFieldToMatchParameters) DeepCopy() *SizeConstraintsFiel
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SizeConstraintsObservation) DeepCopyInto(out *SizeConstraintsObservation) {
 	*out = *in
+	if in.ComparisonOperator != nil {
+		in, out := &in.ComparisonOperator, &out.ComparisonOperator
+		*out = new(string)
+		**out = **in
+	}
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]SizeConstraintsFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SizeConstraintsObservation.
@@ -2361,11 +2759,57 @@ func (in *WebACLObservation) DeepCopyInto(out *WebACLObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultAction != nil {
+		in, out := &in.DefaultAction, &out.DefaultAction
+		*out = make([]DefaultActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoggingConfiguration != nil {
+		in, out := &in.LoggingConfiguration, &out.LoggingConfiguration
+		*out = make([]LoggingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]RulesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2565,6 +3009,18 @@ func (in *XSSMatchSetObservation) DeepCopyInto(out *XSSMatchSetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.XSSMatchTuples != nil {
+		in, out := &in.XSSMatchTuples, &out.XSSMatchTuples
+		*out = make([]XSSMatchTuplesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XSSMatchSetObservation.
@@ -2646,6 +3102,16 @@ func (in *XSSMatchSetStatus) DeepCopy() *XSSMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *XSSMatchTuplesFieldToMatchObservation) DeepCopyInto(out *XSSMatchTuplesFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XSSMatchTuplesFieldToMatchObservation.
@@ -2686,6 +3152,18 @@ func (in *XSSMatchTuplesFieldToMatchParameters) DeepCopy() *XSSMatchTuplesFieldT
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *XSSMatchTuplesObservation) DeepCopyInto(out *XSSMatchTuplesObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]XSSMatchTuplesFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XSSMatchTuplesObservation.
diff --git a/apis/waf/v1beta1/zz_geomatchset_types.go b/apis/waf/v1beta1/zz_geomatchset_types.go
index ea246560c9..34e8b10899 100755
--- a/apis/waf/v1beta1/zz_geomatchset_types.go
+++ b/apis/waf/v1beta1/zz_geomatchset_types.go
@@ -14,6 +14,14 @@ import (
 )
 
 type GeoMatchConstraintObservation struct {
+
+	// The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The country that you want AWS WAF to search for.
+	// This is the two-letter country code, e.g., US, CA, RU, CN, etc.
+	// See docs for all supported values.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type GeoMatchConstraintParameters struct {
@@ -34,8 +42,14 @@ type GeoMatchSetObservation struct {
 	// Amazon Resource Name (ARN)
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The GeoMatchConstraint objects which contain the country that you want AWS WAF to search for.
+	GeoMatchConstraint []GeoMatchConstraintObservation `json:"geoMatchConstraint,omitempty" tf:"geo_match_constraint,omitempty"`
+
 	// The ID of the WAF GeoMatchSet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the GeoMatchSet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type GeoMatchSetParameters struct {
@@ -45,8 +59,8 @@ type GeoMatchSetParameters struct {
 	GeoMatchConstraint []GeoMatchConstraintParameters `json:"geoMatchConstraint,omitempty" tf:"geo_match_constraint,omitempty"`
 
 	// The name or description of the GeoMatchSet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -78,8 +92,9 @@ type GeoMatchSetStatus struct {
 type GeoMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GeoMatchSetSpec   `json:"spec"`
-	Status            GeoMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   GeoMatchSetSpec   `json:"spec"`
+	Status GeoMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_ipset_types.go b/apis/waf/v1beta1/zz_ipset_types.go
index d8dae6b9c0..2f356154a5 100755
--- a/apis/waf/v1beta1/zz_ipset_types.go
+++ b/apis/waf/v1beta1/zz_ipset_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type IPSetDescriptorsObservation struct {
+
+	// Type of the IP address - IPV4 or IPV6.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// An IPv4 or IPv6 address specified via CIDR notationE.g., 192.0.2.44/32 or 1111:0000:0000:0000:0000:0000:0000:0000/64
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type IPSetDescriptorsParameters struct {
@@ -34,6 +40,12 @@ type IPSetObservation struct {
 
 	// The ID of the WAF IPSet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// One or more pairs specifying the IP address type (IPV4 or IPV6) and the IP address range (in CIDR format) from which web requests originate.
+	IPSetDescriptors []IPSetDescriptorsObservation `json:"ipSetDescriptors,omitempty" tf:"ip_set_descriptors,omitempty"`
+
+	// The name or description of the IPSet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type IPSetParameters struct {
@@ -43,8 +55,8 @@ type IPSetParameters struct {
 	IPSetDescriptors []IPSetDescriptorsParameters `json:"ipSetDescriptors,omitempty" tf:"ip_set_descriptors,omitempty"`
 
 	// The name or description of the IPSet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -76,8 +88,9 @@ type IPSetStatus struct {
 type IPSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IPSetSpec   `json:"spec"`
-	Status            IPSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   IPSetSpec   `json:"spec"`
+	Status IPSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_ratebasedrule_types.go b/apis/waf/v1beta1/zz_ratebasedrule_types.go
index 966e18a021..eeb7642f6f 100755
--- a/apis/waf/v1beta1/zz_ratebasedrule_types.go
+++ b/apis/waf/v1beta1/zz_ratebasedrule_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type PredicatesObservation struct {
+
+	// A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.
+	DataID *string `json:"dataId,omitempty" tf:"data_id,omitempty"`
+
+	// Set this to false if you want to allow, block, or count requests
+	// based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet.
+	// For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address.
+	// If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.
+	Negated *bool `json:"negated,omitempty" tf:"negated,omitempty"`
+
+	// The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PredicatesParameters struct {
@@ -52,6 +64,24 @@ type RateBasedRuleObservation struct {
 	// The ID of the WAF rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name or description for the Amazon CloudWatch metric of this rule.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The name or description of the rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The objects to include in a rule (documented below).
+	Predicates []PredicatesObservation `json:"predicates,omitempty" tf:"predicates,omitempty"`
+
+	// Valid value is IP.
+	RateKey *string `json:"rateKey,omitempty" tf:"rate_key,omitempty"`
+
+	// The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. Minimum value is 100.
+	RateLimit *float64 `json:"rateLimit,omitempty" tf:"rate_limit,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -59,24 +89,24 @@ type RateBasedRuleObservation struct {
 type RateBasedRuleParameters struct {
 
 	// The name or description for the Amazon CloudWatch metric of this rule.
-	// +kubebuilder:validation:Required
-	MetricName *string `json:"metricName" tf:"metric_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
 
 	// The name or description of the rule.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The objects to include in a rule (documented below).
 	// +kubebuilder:validation:Optional
 	Predicates []PredicatesParameters `json:"predicates,omitempty" tf:"predicates,omitempty"`
 
 	// Valid value is IP.
-	// +kubebuilder:validation:Required
-	RateKey *string `json:"rateKey" tf:"rate_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	RateKey *string `json:"rateKey,omitempty" tf:"rate_key,omitempty"`
 
 	// The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. Minimum value is 100.
-	// +kubebuilder:validation:Required
-	RateLimit *float64 `json:"rateLimit" tf:"rate_limit,omitempty"`
+	// +kubebuilder:validation:Optional
+	RateLimit *float64 `json:"rateLimit,omitempty" tf:"rate_limit,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -112,8 +142,12 @@ type RateBasedRuleStatus struct {
 type RateBasedRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RateBasedRuleSpec   `json:"spec"`
-	Status            RateBasedRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)",message="metricName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateKey)",message="rateKey is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateLimit)",message="rateLimit is a required parameter"
+	Spec   RateBasedRuleSpec   `json:"spec"`
+	Status RateBasedRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_regexmatchset_types.go b/apis/waf/v1beta1/zz_regexmatchset_types.go
index c3c63f099d..c0200a92c4 100755
--- a/apis/waf/v1beta1/zz_regexmatchset_types.go
+++ b/apis/waf/v1beta1/zz_regexmatchset_types.go
@@ -20,13 +20,19 @@ type RegexMatchSetObservation struct {
 
 	// The ID of the WAF Regex Match Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Regex Match Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. See below.
+	RegexMatchTuple []RegexMatchTupleObservation `json:"regexMatchTuple,omitempty" tf:"regex_match_tuple,omitempty"`
 }
 
 type RegexMatchSetParameters struct {
 
 	// The name or description of the Regex Match Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. See below.
 	// +kubebuilder:validation:Optional
@@ -39,6 +45,16 @@ type RegexMatchSetParameters struct {
 }
 
 type RegexMatchTupleFieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RegexMatchTupleFieldToMatchParameters struct {
@@ -57,6 +73,18 @@ type RegexMatchTupleFieldToMatchParameters struct {
 }
 
 type RegexMatchTupleObservation struct {
+
+	// The part of a web request that you want to search, such as a specified header or a query string.
+	FieldToMatch []RegexMatchTupleFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// The ID of a Regex Pattern Set.
+	RegexPatternSetID *string `json:"regexPatternSetId,omitempty" tf:"regex_pattern_set_id,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type RegexMatchTupleParameters struct {
@@ -111,8 +139,9 @@ type RegexMatchSetStatus struct {
 type RegexMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegexMatchSetSpec   `json:"spec"`
-	Status            RegexMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RegexMatchSetSpec   `json:"spec"`
+	Status RegexMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_regexpatternset_types.go b/apis/waf/v1beta1/zz_regexpatternset_types.go
index 976105b706..4eb6f5b5dc 100755
--- a/apis/waf/v1beta1/zz_regexpatternset_types.go
+++ b/apis/waf/v1beta1/zz_regexpatternset_types.go
@@ -20,13 +20,19 @@ type RegexPatternSetObservation struct {
 
 	// The ID of the WAF Regex Pattern Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Regex Pattern Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t.
+	RegexPatternStrings []*string `json:"regexPatternStrings,omitempty" tf:"regex_pattern_strings,omitempty"`
 }
 
 type RegexPatternSetParameters struct {
 
 	// The name or description of the Regex Pattern Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A list of regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t.
 	// +kubebuilder:validation:Optional
@@ -62,8 +68,9 @@ type RegexPatternSetStatus struct {
 type RegexPatternSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegexPatternSetSpec   `json:"spec"`
-	Status            RegexPatternSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RegexPatternSetSpec   `json:"spec"`
+	Status RegexPatternSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_rule_types.go b/apis/waf/v1beta1/zz_rule_types.go
index b9d1fe2dbc..318604b899 100755
--- a/apis/waf/v1beta1/zz_rule_types.go
+++ b/apis/waf/v1beta1/zz_rule_types.go
@@ -21,6 +21,18 @@ type RuleObservation struct {
 	// The ID of the WAF rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name or description for the Amazon CloudWatch metric of this rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The name or description of the rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The objects to include in a rule (documented below).
+	Predicates []RulePredicatesObservation `json:"predicates,omitempty" tf:"predicates,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,12 +40,12 @@ type RuleObservation struct {
 type RuleParameters struct {
 
 	// The name or description for the Amazon CloudWatch metric of this rule. The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't contain whitespace.
-	// +kubebuilder:validation:Required
-	MetricName *string `json:"metricName" tf:"metric_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
 
 	// The name or description of the rule.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The objects to include in a rule (documented below).
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,18 @@ type RuleParameters struct {
 }
 
 type RulePredicatesObservation struct {
+
+	// A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.
+	DataID *string `json:"dataId,omitempty" tf:"data_id,omitempty"`
+
+	// Set this to false if you want to allow, block, or count requests
+	// based on the settings in the specified waf_byte_match_set, waf_ipset, aws_waf_size_constraint_set, aws_waf_sql_injection_match_set or aws_waf_xss_match_set.
+	// For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address.
+	// If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.
+	Negated *bool `json:"negated,omitempty" tf:"negated,omitempty"`
+
+	// The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RulePredicatesParameters struct {
@@ -104,8 +128,10 @@ type RuleStatus struct {
 type Rule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RuleSpec   `json:"spec"`
-	Status            RuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)",message="metricName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RuleSpec   `json:"spec"`
+	Status RuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_sizeconstraintset_types.go b/apis/waf/v1beta1/zz_sizeconstraintset_types.go
index 89a59a3529..de0b32bd84 100755
--- a/apis/waf/v1beta1/zz_sizeconstraintset_types.go
+++ b/apis/waf/v1beta1/zz_sizeconstraintset_types.go
@@ -20,13 +20,19 @@ type SizeConstraintSetObservation struct {
 
 	// The ID of the WAF Size Constraint Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Size Constraint Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies the parts of web requests that you want to inspect the size of.
+	SizeConstraints []SizeConstraintsObservation `json:"sizeConstraints,omitempty" tf:"size_constraints,omitempty"`
 }
 
 type SizeConstraintSetParameters struct {
 
 	// The name or description of the Size Constraint Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -39,6 +45,16 @@ type SizeConstraintSetParameters struct {
 }
 
 type SizeConstraintsFieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type SizeConstraintsFieldToMatchParameters struct {
@@ -57,6 +73,26 @@ type SizeConstraintsFieldToMatchParameters struct {
 }
 
 type SizeConstraintsObservation struct {
+
+	// The type of comparison you want to perform.
+	// e.g., EQ, NE, LT, GT.
+	// See docs for all supported values.
+	ComparisonOperator *string `json:"comparisonOperator,omitempty" tf:"comparison_operator,omitempty"`
+
+	// Specifies where in a web request to look for the size constraint.
+	FieldToMatch []SizeConstraintsFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// The size in bytes that you want to compare against the size of the specified field_to_match.
+	// Valid values are between 0 - 21474836480 bytes (0 - 20 GB).
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	// Note: if you choose BODY as type, you must choose NONE because CloudFront forwards only the first 8192 bytes for inspection.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type SizeConstraintsParameters struct {
@@ -110,8 +146,9 @@ type SizeConstraintSetStatus struct {
 type SizeConstraintSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SizeConstraintSetSpec   `json:"spec"`
-	Status            SizeConstraintSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   SizeConstraintSetSpec   `json:"spec"`
+	Status SizeConstraintSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_sqlinjectionmatchset_types.go b/apis/waf/v1beta1/zz_sqlinjectionmatchset_types.go
index 6b5e0d39ec..2a8d643c02 100755
--- a/apis/waf/v1beta1/zz_sqlinjectionmatchset_types.go
+++ b/apis/waf/v1beta1/zz_sqlinjectionmatchset_types.go
@@ -17,13 +17,19 @@ type SQLInjectionMatchSetObservation struct {
 
 	// The ID of the WAF SQL Injection Match Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the SQL Injection Match Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The parts of web requests that you want AWS WAF to inspect for malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header.
+	SQLInjectionMatchTuples []SQLInjectionMatchTuplesObservation `json:"sqlInjectionMatchTuples,omitempty" tf:"sql_injection_match_tuples,omitempty"`
 }
 
 type SQLInjectionMatchSetParameters struct {
 
 	// The name or description of the SQL Injection Match Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -36,6 +42,16 @@ type SQLInjectionMatchSetParameters struct {
 }
 
 type SQLInjectionMatchTuplesFieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type SQLInjectionMatchTuplesFieldToMatchParameters struct {
@@ -54,6 +70,16 @@ type SQLInjectionMatchTuplesFieldToMatchParameters struct {
 }
 
 type SQLInjectionMatchTuplesObservation struct {
+
+	// Specifies where in a web request to look for snippets of malicious SQL code.
+	FieldToMatch []SQLInjectionMatchTuplesFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type SQLInjectionMatchTuplesParameters struct {
@@ -95,8 +121,9 @@ type SQLInjectionMatchSetStatus struct {
 type SQLInjectionMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SQLInjectionMatchSetSpec   `json:"spec"`
-	Status            SQLInjectionMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   SQLInjectionMatchSetSpec   `json:"spec"`
+	Status SQLInjectionMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_webacl_types.go b/apis/waf/v1beta1/zz_webacl_types.go
index 0aae2ff7c4..df14aa9782 100755
--- a/apis/waf/v1beta1/zz_webacl_types.go
+++ b/apis/waf/v1beta1/zz_webacl_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ActionObservation struct {
+
+	// valid values are: BLOCK, ALLOW, or COUNT
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ActionParameters struct {
@@ -24,6 +27,10 @@ type ActionParameters struct {
 }
 
 type DefaultActionObservation struct {
+
+	// Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the rules.
+	// e.g., ALLOW or BLOCK
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DefaultActionParameters struct {
@@ -35,6 +42,12 @@ type DefaultActionParameters struct {
 }
 
 type LoggingConfigurationObservation struct {
+
+	// Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
+	LogDestination *string `json:"logDestination,omitempty" tf:"log_destination,omitempty"`
+
+	// Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
+	RedactedFields []RedactedFieldsObservation `json:"redactedFields,omitempty" tf:"redacted_fields,omitempty"`
 }
 
 type LoggingConfigurationParameters struct {
@@ -59,6 +72,9 @@ type LoggingConfigurationParameters struct {
 }
 
 type OverrideActionObservation struct {
+
+	// valid values are: BLOCK, ALLOW, or COUNT
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type OverrideActionParameters struct {
@@ -69,6 +85,12 @@ type OverrideActionParameters struct {
 }
 
 type RedactedFieldsFieldToMatchObservation struct {
+
+	// When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// valid values are: BLOCK, ALLOW, or COUNT
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RedactedFieldsFieldToMatchParameters struct {
@@ -83,6 +105,9 @@ type RedactedFieldsFieldToMatchParameters struct {
 }
 
 type RedactedFieldsObservation struct {
+
+	// Set of configuration blocks for fields to redact. Detailed below.
+	FieldToMatch []RedactedFieldsFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
 }
 
 type RedactedFieldsParameters struct {
@@ -93,6 +118,22 @@ type RedactedFieldsParameters struct {
 }
 
 type RulesObservation struct {
+
+	// The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if type is GROUP.
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if type is GROUP.
+	OverrideAction []OverrideActionObservation `json:"overrideAction,omitempty" tf:"override_action,omitempty"`
+
+	// Specifies the order in which the rules in a WebACL are evaluated.
+	// Rules with a lower value are evaluated before rules with a higher value.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// ID of the associated WAF (Global) rule (e.g., aws_waf_rule). WAF (Regional) rules cannot be used.
+	RuleID *string `json:"ruleId,omitempty" tf:"rule_id,omitempty"`
+
+	// The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RulesParameters struct {
@@ -134,9 +175,27 @@ type WebACLObservation struct {
 	// The ARN of the WAF WebACL.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
+	DefaultAction []DefaultActionObservation `json:"defaultAction,omitempty" tf:"default_action,omitempty"`
+
 	// The ID of the WAF WebACL.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block to enable WAF logging. Detailed below.
+	LoggingConfiguration []LoggingConfigurationObservation `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
+
+	// The name or description for the Amazon CloudWatch metric of this web ACL.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The name or description of the web ACL.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Configuration blocks containing rules to associate with the web ACL and the settings for each rule. Detailed below.
+	Rules []RulesObservation `json:"rules,omitempty" tf:"rules,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -144,20 +203,20 @@ type WebACLObservation struct {
 type WebACLParameters struct {
 
 	// Configuration block with action that you want AWS WAF to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL. Detailed below.
-	// +kubebuilder:validation:Required
-	DefaultAction []DefaultActionParameters `json:"defaultAction" tf:"default_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	DefaultAction []DefaultActionParameters `json:"defaultAction,omitempty" tf:"default_action,omitempty"`
 
 	// Configuration block to enable WAF logging. Detailed below.
 	// +kubebuilder:validation:Optional
 	LoggingConfiguration []LoggingConfigurationParameters `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
 
 	// The name or description for the Amazon CloudWatch metric of this web ACL.
-	// +kubebuilder:validation:Required
-	MetricName *string `json:"metricName" tf:"metric_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
 
 	// The name or description of the web ACL.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -197,8 +256,11 @@ type WebACLStatus struct {
 type WebACL struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WebACLSpec   `json:"spec"`
-	Status            WebACLStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultAction)",message="defaultAction is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)",message="metricName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   WebACLSpec   `json:"spec"`
+	Status WebACLStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/waf/v1beta1/zz_xssmatchset_types.go b/apis/waf/v1beta1/zz_xssmatchset_types.go
index b906bcc50b..9f967782f3 100755
--- a/apis/waf/v1beta1/zz_xssmatchset_types.go
+++ b/apis/waf/v1beta1/zz_xssmatchset_types.go
@@ -20,13 +20,19 @@ type XSSMatchSetObservation struct {
 
 	// The ID of the WAF XssMatchSet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the SizeConstraintSet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The parts of web requests that you want to inspect for cross-site scripting attacks.
+	XSSMatchTuples []XSSMatchTuplesObservation `json:"xssMatchTuples,omitempty" tf:"xss_match_tuples,omitempty"`
 }
 
 type XSSMatchSetParameters struct {
 
 	// The name or description of the SizeConstraintSet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -39,6 +45,16 @@ type XSSMatchSetParameters struct {
 }
 
 type XSSMatchTuplesFieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type XSSMatchTuplesFieldToMatchParameters struct {
@@ -57,6 +73,16 @@ type XSSMatchTuplesFieldToMatchParameters struct {
 }
 
 type XSSMatchTuplesObservation struct {
+
+	// Specifies where in a web request to look for cross-site scripting attacks.
+	FieldToMatch []XSSMatchTuplesFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// If you specify a transformation, AWS WAF performs the transformation on target_string before inspecting a request for a match.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type XSSMatchTuplesParameters struct {
@@ -98,8 +124,9 @@ type XSSMatchSetStatus struct {
 type XSSMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              XSSMatchSetSpec   `json:"spec"`
-	Status            XSSMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   XSSMatchSetSpec   `json:"spec"`
+	Status XSSMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_bytematchset_types.go b/apis/wafregional/v1beta1/zz_bytematchset_types.go
index ab2eedcbd0..ebfa7d84b3 100755
--- a/apis/wafregional/v1beta1/zz_bytematchset_types.go
+++ b/apis/wafregional/v1beta1/zz_bytematchset_types.go
@@ -15,8 +15,14 @@ import (
 
 type ByteMatchSetObservation struct {
 
+	// Settings for the ByteMatchSet, such as the bytes (typically a string that corresponds with ASCII characters) that you want AWS WAF to search for in web requests. ByteMatchTuple documented below.
+	ByteMatchTuples []ByteMatchTuplesObservation `json:"byteMatchTuples,omitempty" tf:"byte_match_tuples,omitempty"`
+
 	// The ID of the WAF ByteMatchSet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the ByteMatchSet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type ByteMatchSetParameters struct {
@@ -26,8 +32,8 @@ type ByteMatchSetParameters struct {
 	ByteMatchTuples []ByteMatchTuplesParameters `json:"byteMatchTuples,omitempty" tf:"byte_match_tuples,omitempty"`
 
 	// The name or description of the ByteMatchSet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -36,6 +42,18 @@ type ByteMatchSetParameters struct {
 }
 
 type ByteMatchTuplesObservation struct {
+
+	// Settings for the ByteMatchTuple. FieldToMatch documented below.
+	FieldToMatch []FieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// Within the portion of a web request that you want to search.
+	PositionalConstraint *string `json:"positionalConstraint,omitempty" tf:"positional_constraint,omitempty"`
+
+	// The value that you want AWS WAF to search for. The maximum length of the value is 50 bytes.
+	TargetString *string `json:"targetString,omitempty" tf:"target_string,omitempty"`
+
+	// The formatting way for web request.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type ByteMatchTuplesParameters struct {
@@ -58,6 +76,12 @@ type ByteMatchTuplesParameters struct {
 }
 
 type FieldToMatchObservation struct {
+
+	// When the value of Type is HEADER, enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. If the value of Type is any other value, omit Data.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type FieldToMatchParameters struct {
@@ -95,8 +119,9 @@ type ByteMatchSetStatus struct {
 type ByteMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              ByteMatchSetSpec   `json:"spec"`
-	Status            ByteMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   ByteMatchSetSpec   `json:"spec"`
+	Status ByteMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_generated.deepcopy.go b/apis/wafregional/v1beta1/zz_generated.deepcopy.go
index 32cfca8aee..78e0c80342 100644
--- a/apis/wafregional/v1beta1/zz_generated.deepcopy.go
+++ b/apis/wafregional/v1beta1/zz_generated.deepcopy.go
@@ -17,6 +17,11 @@ import (
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ActionObservation) DeepCopyInto(out *ActionObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ActionObservation.
@@ -111,11 +116,23 @@ func (in *ByteMatchSetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ByteMatchSetObservation) DeepCopyInto(out *ByteMatchSetObservation) {
 	*out = *in
+	if in.ByteMatchTuples != nil {
+		in, out := &in.ByteMatchTuples, &out.ByteMatchTuples
+		*out = make([]ByteMatchTuplesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByteMatchSetObservation.
@@ -197,6 +214,28 @@ func (in *ByteMatchSetStatus) DeepCopy() *ByteMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ByteMatchTuplesObservation) DeepCopyInto(out *ByteMatchTuplesObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]FieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PositionalConstraint != nil {
+		in, out := &in.PositionalConstraint, &out.PositionalConstraint
+		*out = new(string)
+		**out = **in
+	}
+	if in.TargetString != nil {
+		in, out := &in.TargetString, &out.TargetString
+		*out = new(string)
+		**out = **in
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ByteMatchTuplesObservation.
@@ -249,6 +288,11 @@ func (in *ByteMatchTuplesParameters) DeepCopy() *ByteMatchTuplesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *DefaultActionObservation) DeepCopyInto(out *DefaultActionObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DefaultActionObservation.
@@ -284,6 +328,16 @@ func (in *DefaultActionParameters) DeepCopy() *DefaultActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *FieldToMatchObservation) DeepCopyInto(out *FieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FieldToMatchObservation.
@@ -324,6 +378,16 @@ func (in *FieldToMatchParameters) DeepCopy() *FieldToMatchParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GeoMatchConstraintObservation) DeepCopyInto(out *GeoMatchConstraintObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeoMatchConstraintObservation.
@@ -423,11 +487,23 @@ func (in *GeoMatchSetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GeoMatchSetObservation) DeepCopyInto(out *GeoMatchSetObservation) {
 	*out = *in
+	if in.GeoMatchConstraint != nil {
+		in, out := &in.GeoMatchConstraint, &out.GeoMatchConstraint
+		*out = make([]GeoMatchConstraintObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GeoMatchSetObservation.
@@ -536,6 +612,16 @@ func (in *IPSet) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPSetDescriptorObservation) DeepCopyInto(out *IPSetDescriptorObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
+	if in.Value != nil {
+		in, out := &in.Value, &out.Value
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetDescriptorObservation.
@@ -618,6 +704,18 @@ func (in *IPSetObservation) DeepCopyInto(out *IPSetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPSetDescriptor != nil {
+		in, out := &in.IPSetDescriptor, &out.IPSetDescriptor
+		*out = make([]IPSetDescriptorObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSetObservation.
@@ -699,6 +797,18 @@ func (in *IPSetStatus) DeepCopy() *IPSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *LoggingConfigurationObservation) DeepCopyInto(out *LoggingConfigurationObservation) {
 	*out = *in
+	if in.LogDestination != nil {
+		in, out := &in.LogDestination, &out.LogDestination
+		*out = new(string)
+		**out = **in
+	}
+	if in.RedactedFields != nil {
+		in, out := &in.RedactedFields, &out.RedactedFields
+		*out = make([]RedactedFieldsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new LoggingConfigurationObservation.
@@ -751,6 +861,11 @@ func (in *LoggingConfigurationParameters) DeepCopy() *LoggingConfigurationParame
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *OverrideActionObservation) DeepCopyInto(out *OverrideActionObservation) {
 	*out = *in
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OverrideActionObservation.
@@ -786,6 +901,21 @@ func (in *OverrideActionParameters) DeepCopy() *OverrideActionParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *PredicateObservation) DeepCopyInto(out *PredicateObservation) {
 	*out = *in
+	if in.DataID != nil {
+		in, out := &in.DataID, &out.DataID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Negated != nil {
+		in, out := &in.Negated, &out.Negated
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PredicateObservation.
@@ -910,6 +1040,48 @@ func (in *RateBasedRuleObservation) DeepCopyInto(out *RateBasedRuleObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Predicate != nil {
+		in, out := &in.Predicate, &out.Predicate
+		*out = make([]PredicateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RateKey != nil {
+		in, out := &in.RateKey, &out.RateKey
+		*out = new(string)
+		**out = **in
+	}
+	if in.RateLimit != nil {
+		in, out := &in.RateLimit, &out.RateLimit
+		*out = new(float64)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1036,6 +1208,16 @@ func (in *RateBasedRuleStatus) DeepCopy() *RateBasedRuleStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedactedFieldsFieldToMatchObservation) DeepCopyInto(out *RedactedFieldsFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedactedFieldsFieldToMatchObservation.
@@ -1076,6 +1258,13 @@ func (in *RedactedFieldsFieldToMatchParameters) DeepCopy() *RedactedFieldsFieldT
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RedactedFieldsObservation) DeepCopyInto(out *RedactedFieldsObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]RedactedFieldsFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedactedFieldsObservation.
@@ -1177,6 +1366,18 @@ func (in *RegexMatchSetObservation) DeepCopyInto(out *RegexMatchSetObservation)
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegexMatchTuple != nil {
+		in, out := &in.RegexMatchTuple, &out.RegexMatchTuple
+		*out = make([]RegexMatchTupleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexMatchSetObservation.
@@ -1258,6 +1459,16 @@ func (in *RegexMatchSetStatus) DeepCopy() *RegexMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegexMatchTupleFieldToMatchObservation) DeepCopyInto(out *RegexMatchTupleFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexMatchTupleFieldToMatchObservation.
@@ -1298,6 +1509,23 @@ func (in *RegexMatchTupleFieldToMatchParameters) DeepCopy() *RegexMatchTupleFiel
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegexMatchTupleObservation) DeepCopyInto(out *RegexMatchTupleObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]RegexMatchTupleFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.RegexPatternSetID != nil {
+		in, out := &in.RegexPatternSetID, &out.RegexPatternSetID
+		*out = new(string)
+		**out = **in
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexMatchTupleObservation.
@@ -1419,6 +1647,22 @@ func (in *RegexPatternSetObservation) DeepCopyInto(out *RegexPatternSetObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegexPatternStrings != nil {
+		in, out := &in.RegexPatternStrings, &out.RegexPatternStrings
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegexPatternSetObservation.
@@ -1573,6 +1817,38 @@ func (in *RuleObservation) DeepCopyInto(out *RuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Predicate != nil {
+		in, out := &in.Predicate, &out.Predicate
+		*out = make([]RulePredicateObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -1655,6 +1931,21 @@ func (in *RuleParameters) DeepCopy() *RuleParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RulePredicateObservation) DeepCopyInto(out *RulePredicateObservation) {
 	*out = *in
+	if in.DataID != nil {
+		in, out := &in.DataID, &out.DataID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Negated != nil {
+		in, out := &in.Negated, &out.Negated
+		*out = new(bool)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulePredicateObservation.
@@ -1808,6 +2099,18 @@ func (in *SQLInjectionMatchSetObservation) DeepCopyInto(out *SQLInjectionMatchSe
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SQLInjectionMatchTuple != nil {
+		in, out := &in.SQLInjectionMatchTuple, &out.SQLInjectionMatchTuple
+		*out = make([]SQLInjectionMatchTupleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SQLInjectionMatchSetObservation.
@@ -1889,6 +2192,16 @@ func (in *SQLInjectionMatchSetStatus) DeepCopy() *SQLInjectionMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SQLInjectionMatchTupleFieldToMatchObservation) DeepCopyInto(out *SQLInjectionMatchTupleFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SQLInjectionMatchTupleFieldToMatchObservation.
@@ -1929,6 +2242,18 @@ func (in *SQLInjectionMatchTupleFieldToMatchParameters) DeepCopy() *SQLInjection
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SQLInjectionMatchTupleObservation) DeepCopyInto(out *SQLInjectionMatchTupleObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]SQLInjectionMatchTupleFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SQLInjectionMatchTupleObservation.
@@ -2040,6 +2365,18 @@ func (in *SizeConstraintSetObservation) DeepCopyInto(out *SizeConstraintSetObser
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.SizeConstraints != nil {
+		in, out := &in.SizeConstraints, &out.SizeConstraints
+		*out = make([]SizeConstraintsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SizeConstraintSetObservation.
@@ -2121,6 +2458,16 @@ func (in *SizeConstraintSetStatus) DeepCopy() *SizeConstraintSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SizeConstraintsFieldToMatchObservation) DeepCopyInto(out *SizeConstraintsFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SizeConstraintsFieldToMatchObservation.
@@ -2161,6 +2508,28 @@ func (in *SizeConstraintsFieldToMatchParameters) DeepCopy() *SizeConstraintsFiel
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SizeConstraintsObservation) DeepCopyInto(out *SizeConstraintsObservation) {
 	*out = *in
+	if in.ComparisonOperator != nil {
+		in, out := &in.ComparisonOperator, &out.ComparisonOperator
+		*out = new(string)
+		**out = **in
+	}
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]SizeConstraintsFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Size != nil {
+		in, out := &in.Size, &out.Size
+		*out = new(float64)
+		**out = **in
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SizeConstraintsObservation.
@@ -2277,11 +2646,57 @@ func (in *WebACLObservation) DeepCopyInto(out *WebACLObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.DefaultAction != nil {
+		in, out := &in.DefaultAction, &out.DefaultAction
+		*out = make([]DefaultActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.LoggingConfiguration != nil {
+		in, out := &in.LoggingConfiguration, &out.LoggingConfiguration
+		*out = make([]LoggingConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.MetricName != nil {
+		in, out := &in.MetricName, &out.MetricName
+		*out = new(string)
+		**out = **in
+	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rule != nil {
+		in, out := &in.Rule, &out.Rule
+		*out = make([]WebACLRuleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -2378,6 +2793,35 @@ func (in *WebACLParameters) DeepCopy() *WebACLParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WebACLRuleObservation) DeepCopyInto(out *WebACLRuleObservation) {
 	*out = *in
+	if in.Action != nil {
+		in, out := &in.Action, &out.Action
+		*out = make([]ActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.OverrideAction != nil {
+		in, out := &in.OverrideAction, &out.OverrideAction
+		*out = make([]OverrideActionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.RuleID != nil {
+		in, out := &in.RuleID, &out.RuleID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WebACLRuleObservation.
@@ -2545,6 +2989,18 @@ func (in *XSSMatchSetObservation) DeepCopyInto(out *XSSMatchSetObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.XSSMatchTuple != nil {
+		in, out := &in.XSSMatchTuple, &out.XSSMatchTuple
+		*out = make([]XSSMatchTupleObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XSSMatchSetObservation.
@@ -2626,6 +3082,16 @@ func (in *XSSMatchSetStatus) DeepCopy() *XSSMatchSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *XSSMatchTupleFieldToMatchObservation) DeepCopyInto(out *XSSMatchTupleFieldToMatchObservation) {
 	*out = *in
+	if in.Data != nil {
+		in, out := &in.Data, &out.Data
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XSSMatchTupleFieldToMatchObservation.
@@ -2666,6 +3132,18 @@ func (in *XSSMatchTupleFieldToMatchParameters) DeepCopy() *XSSMatchTupleFieldToM
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *XSSMatchTupleObservation) DeepCopyInto(out *XSSMatchTupleObservation) {
 	*out = *in
+	if in.FieldToMatch != nil {
+		in, out := &in.FieldToMatch, &out.FieldToMatch
+		*out = make([]XSSMatchTupleFieldToMatchObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.TextTransformation != nil {
+		in, out := &in.TextTransformation, &out.TextTransformation
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new XSSMatchTupleObservation.
diff --git a/apis/wafregional/v1beta1/zz_geomatchset_types.go b/apis/wafregional/v1beta1/zz_geomatchset_types.go
index 942e7e1783..972c9e68f8 100755
--- a/apis/wafregional/v1beta1/zz_geomatchset_types.go
+++ b/apis/wafregional/v1beta1/zz_geomatchset_types.go
@@ -14,6 +14,14 @@ import (
 )
 
 type GeoMatchConstraintObservation struct {
+
+	// The type of geographical area you want AWS WAF to search for. Currently Country is the only valid value.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The country that you want AWS WAF to search for.
+	// This is the two-letter country code, e.g., US, CA, RU, CN, etc.
+	// See docs for all supported values.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type GeoMatchConstraintParameters struct {
@@ -31,8 +39,14 @@ type GeoMatchConstraintParameters struct {
 
 type GeoMatchSetObservation struct {
 
+	// The Geo Match Constraint objects which contain the country that you want AWS WAF to search for.
+	GeoMatchConstraint []GeoMatchConstraintObservation `json:"geoMatchConstraint,omitempty" tf:"geo_match_constraint,omitempty"`
+
 	// The ID of the WAF Regional Geo Match Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Geo Match Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type GeoMatchSetParameters struct {
@@ -42,8 +56,8 @@ type GeoMatchSetParameters struct {
 	GeoMatchConstraint []GeoMatchConstraintParameters `json:"geoMatchConstraint,omitempty" tf:"geo_match_constraint,omitempty"`
 
 	// The name or description of the Geo Match Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -75,8 +89,9 @@ type GeoMatchSetStatus struct {
 type GeoMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GeoMatchSetSpec   `json:"spec"`
-	Status            GeoMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   GeoMatchSetSpec   `json:"spec"`
+	Status GeoMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_ipset_types.go b/apis/wafregional/v1beta1/zz_ipset_types.go
index a542c2134c..cd05078e13 100755
--- a/apis/wafregional/v1beta1/zz_ipset_types.go
+++ b/apis/wafregional/v1beta1/zz_ipset_types.go
@@ -14,6 +14,12 @@ import (
 )
 
 type IPSetDescriptorObservation struct {
+
+	// The string like IPV4 or IPV6.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
+
+	// The CIDR notation.
+	Value *string `json:"value,omitempty" tf:"value,omitempty"`
 }
 
 type IPSetDescriptorParameters struct {
@@ -34,6 +40,12 @@ type IPSetObservation struct {
 
 	// The ID of the WAF IPSet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// One or more pairs specifying the IP address type (IPV4 or IPV6) and the IP address range (in CIDR notation) from which web requests originate.
+	IPSetDescriptor []IPSetDescriptorObservation `json:"ipSetDescriptor,omitempty" tf:"ip_set_descriptor,omitempty"`
+
+	// The name or description of the IPSet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 }
 
 type IPSetParameters struct {
@@ -43,8 +55,8 @@ type IPSetParameters struct {
 	IPSetDescriptor []IPSetDescriptorParameters `json:"ipSetDescriptor,omitempty" tf:"ip_set_descriptor,omitempty"`
 
 	// The name or description of the IPSet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -76,8 +88,9 @@ type IPSetStatus struct {
 type IPSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IPSetSpec   `json:"spec"`
-	Status            IPSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   IPSetSpec   `json:"spec"`
+	Status IPSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_ratebasedrule_types.go b/apis/wafregional/v1beta1/zz_ratebasedrule_types.go
index 6cca443a51..0ca4ee3cd7 100755
--- a/apis/wafregional/v1beta1/zz_ratebasedrule_types.go
+++ b/apis/wafregional/v1beta1/zz_ratebasedrule_types.go
@@ -14,6 +14,18 @@ import (
 )
 
 type PredicateObservation struct {
+
+	// A unique identifier for a predicate in the rule, such as Byte Match Set ID or IPSet ID.
+	DataID *string `json:"dataId,omitempty" tf:"data_id,omitempty"`
+
+	// Set this to false if you want to allow, block, or count requests
+	// based on the settings in the specified ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet, or SizeConstraintSet.
+	// For example, if an IPSet includes the IP address 192.0.2.44, AWS WAF will allow or block requests based on that IP address.
+	// If set to true, AWS WAF will allow, block, or count requests based on all IP addresses except 192.0.2.44.
+	Negated *bool `json:"negated,omitempty" tf:"negated,omitempty"`
+
+	// The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type PredicateParameters struct {
@@ -52,6 +64,24 @@ type RateBasedRuleObservation struct {
 	// The ID of the WAF Regional Rate Based Rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name or description for the Amazon CloudWatch metric of this rule.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The name or description of the rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The objects to include in a rule (documented below).
+	Predicate []PredicateObservation `json:"predicate,omitempty" tf:"predicate,omitempty"`
+
+	// Valid value is IP.
+	RateKey *string `json:"rateKey,omitempty" tf:"rate_key,omitempty"`
+
+	// The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. Minimum value is 100.
+	RateLimit *float64 `json:"rateLimit,omitempty" tf:"rate_limit,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -59,24 +89,24 @@ type RateBasedRuleObservation struct {
 type RateBasedRuleParameters struct {
 
 	// The name or description for the Amazon CloudWatch metric of this rule.
-	// +kubebuilder:validation:Required
-	MetricName *string `json:"metricName" tf:"metric_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
 
 	// The name or description of the rule.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The objects to include in a rule (documented below).
 	// +kubebuilder:validation:Optional
 	Predicate []PredicateParameters `json:"predicate,omitempty" tf:"predicate,omitempty"`
 
 	// Valid value is IP.
-	// +kubebuilder:validation:Required
-	RateKey *string `json:"rateKey" tf:"rate_key,omitempty"`
+	// +kubebuilder:validation:Optional
+	RateKey *string `json:"rateKey,omitempty" tf:"rate_key,omitempty"`
 
 	// The maximum number of requests, which have an identical value in the field specified by the RateKey, allowed in a five-minute period. Minimum value is 100.
-	// +kubebuilder:validation:Required
-	RateLimit *float64 `json:"rateLimit" tf:"rate_limit,omitempty"`
+	// +kubebuilder:validation:Optional
+	RateLimit *float64 `json:"rateLimit,omitempty" tf:"rate_limit,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -112,8 +142,12 @@ type RateBasedRuleStatus struct {
 type RateBasedRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RateBasedRuleSpec   `json:"spec"`
-	Status            RateBasedRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)",message="metricName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateKey)",message="rateKey is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateLimit)",message="rateLimit is a required parameter"
+	Spec   RateBasedRuleSpec   `json:"spec"`
+	Status RateBasedRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_regexmatchset_types.go b/apis/wafregional/v1beta1/zz_regexmatchset_types.go
index 7b36edf18a..ca6ad119b3 100755
--- a/apis/wafregional/v1beta1/zz_regexmatchset_types.go
+++ b/apis/wafregional/v1beta1/zz_regexmatchset_types.go
@@ -17,13 +17,19 @@ type RegexMatchSetObservation struct {
 
 	// The ID of the WAF Regional Regex Match Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Regex Match Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. See below.
+	RegexMatchTuple []RegexMatchTupleObservation `json:"regexMatchTuple,omitempty" tf:"regex_match_tuple,omitempty"`
 }
 
 type RegexMatchSetParameters struct {
 
 	// The name or description of the Regex Match Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The regular expression pattern that you want AWS WAF to search for in web requests, the location in requests that you want AWS WAF to search, and other settings. See below.
 	// +kubebuilder:validation:Optional
@@ -36,6 +42,16 @@ type RegexMatchSetParameters struct {
 }
 
 type RegexMatchTupleFieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RegexMatchTupleFieldToMatchParameters struct {
@@ -54,6 +70,18 @@ type RegexMatchTupleFieldToMatchParameters struct {
 }
 
 type RegexMatchTupleObservation struct {
+
+	// The part of a web request that you want to search, such as a specified header or a query string.
+	FieldToMatch []RegexMatchTupleFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// The ID of a Regex Pattern Set.
+	RegexPatternSetID *string `json:"regexPatternSetId,omitempty" tf:"regex_pattern_set_id,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type RegexMatchTupleParameters struct {
@@ -108,8 +136,9 @@ type RegexMatchSetStatus struct {
 type RegexMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegexMatchSetSpec   `json:"spec"`
-	Status            RegexMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RegexMatchSetSpec   `json:"spec"`
+	Status RegexMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_regexpatternset_types.go b/apis/wafregional/v1beta1/zz_regexpatternset_types.go
index 7f12425463..de609d4fd8 100755
--- a/apis/wafregional/v1beta1/zz_regexpatternset_types.go
+++ b/apis/wafregional/v1beta1/zz_regexpatternset_types.go
@@ -17,13 +17,19 @@ type RegexPatternSetObservation struct {
 
 	// The ID of the WAF Regional Regex Pattern Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Regex Pattern Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// A list of regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t.
+	RegexPatternStrings []*string `json:"regexPatternStrings,omitempty" tf:"regex_pattern_strings,omitempty"`
 }
 
 type RegexPatternSetParameters struct {
 
 	// The name or description of the Regex Pattern Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// A list of regular expression (regex) patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t.
 	// +kubebuilder:validation:Optional
@@ -59,8 +65,9 @@ type RegexPatternSetStatus struct {
 type RegexPatternSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegexPatternSetSpec   `json:"spec"`
-	Status            RegexPatternSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RegexPatternSetSpec   `json:"spec"`
+	Status RegexPatternSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_rule_types.go b/apis/wafregional/v1beta1/zz_rule_types.go
index e57377f7e6..cb0da91910 100755
--- a/apis/wafregional/v1beta1/zz_rule_types.go
+++ b/apis/wafregional/v1beta1/zz_rule_types.go
@@ -21,6 +21,18 @@ type RuleObservation struct {
 	// The ID of the WAF Regional Rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name or description for the Amazon CloudWatch metric of this rule.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The name or description of the rule.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The objects to include in a rule (documented below).
+	Predicate []RulePredicateObservation `json:"predicate,omitempty" tf:"predicate,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,12 +40,12 @@ type RuleObservation struct {
 type RuleParameters struct {
 
 	// The name or description for the Amazon CloudWatch metric of this rule.
-	// +kubebuilder:validation:Required
-	MetricName *string `json:"metricName" tf:"metric_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
 
 	// The name or description of the rule.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// The objects to include in a rule (documented below).
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,15 @@ type RuleParameters struct {
 }
 
 type RulePredicateObservation struct {
+
+	// The unique identifier of a predicate, such as the ID of a ByteMatchSet or IPSet.
+	DataID *string `json:"dataId,omitempty" tf:"data_id,omitempty"`
+
+	// Whether to use the settings or the negated settings that you specified in the objects.
+	Negated *bool `json:"negated,omitempty" tf:"negated,omitempty"`
+
+	// The type of predicate in a rule. Valid values: ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint, SqlInjectionMatch, or XssMatch
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RulePredicateParameters struct {
@@ -101,8 +122,10 @@ type RuleStatus struct {
 type Rule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RuleSpec   `json:"spec"`
-	Status            RuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)",message="metricName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   RuleSpec   `json:"spec"`
+	Status RuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_sizeconstraintset_types.go b/apis/wafregional/v1beta1/zz_sizeconstraintset_types.go
index 0169478433..e388e13e32 100755
--- a/apis/wafregional/v1beta1/zz_sizeconstraintset_types.go
+++ b/apis/wafregional/v1beta1/zz_sizeconstraintset_types.go
@@ -18,13 +18,19 @@ type SizeConstraintSetObservation struct {
 
 	// The ID of the WAF Size Constraint Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the Size Constraint Set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies the parts of web requests that you want to inspect the size of.
+	SizeConstraints []SizeConstraintsObservation `json:"sizeConstraints,omitempty" tf:"size_constraints,omitempty"`
 }
 
 type SizeConstraintSetParameters struct {
 
 	// The name or description of the Size Constraint Set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -37,6 +43,16 @@ type SizeConstraintSetParameters struct {
 }
 
 type SizeConstraintsFieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type SizeConstraintsFieldToMatchParameters struct {
@@ -55,6 +71,26 @@ type SizeConstraintsFieldToMatchParameters struct {
 }
 
 type SizeConstraintsObservation struct {
+
+	// The type of comparison you want to perform.
+	// e.g., EQ, NE, LT, GT.
+	// See docs for all supported values.
+	ComparisonOperator *string `json:"comparisonOperator,omitempty" tf:"comparison_operator,omitempty"`
+
+	// Specifies where in a web request to look for the size constraint.
+	FieldToMatch []SizeConstraintsFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// The size in bytes that you want to compare against the size of the specified field_to_match.
+	// Valid values are between 0 - 21474836480 bytes (0 - 20 GB).
+	Size *float64 `json:"size,omitempty" tf:"size,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	// Note: if you choose BODY as type, you must choose NONE because CloudFront forwards only the first 8192 bytes for inspection.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type SizeConstraintsParameters struct {
@@ -108,8 +144,9 @@ type SizeConstraintSetStatus struct {
 type SizeConstraintSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SizeConstraintSetSpec   `json:"spec"`
-	Status            SizeConstraintSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   SizeConstraintSetSpec   `json:"spec"`
+	Status SizeConstraintSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_sqlinjectionmatchset_types.go b/apis/wafregional/v1beta1/zz_sqlinjectionmatchset_types.go
index 7bc49fb3bd..3261e90ca0 100755
--- a/apis/wafregional/v1beta1/zz_sqlinjectionmatchset_types.go
+++ b/apis/wafregional/v1beta1/zz_sqlinjectionmatchset_types.go
@@ -17,13 +17,19 @@ type SQLInjectionMatchSetObservation struct {
 
 	// The ID of the WAF SqlInjectionMatchSet.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name or description of the SizeConstraintSet.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The parts of web requests that you want AWS WAF to inspect for malicious SQL code and, if you want AWS WAF to inspect a header, the name of the header.
+	SQLInjectionMatchTuple []SQLInjectionMatchTupleObservation `json:"sqlInjectionMatchTuple,omitempty" tf:"sql_injection_match_tuple,omitempty"`
 }
 
 type SQLInjectionMatchSetParameters struct {
 
 	// The name or description of the SizeConstraintSet.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -36,6 +42,16 @@ type SQLInjectionMatchSetParameters struct {
 }
 
 type SQLInjectionMatchTupleFieldToMatchObservation struct {
+
+	// When type is HEADER, enter the name of the header that you want to search, e.g., User-Agent or Referer.
+	// If type is any other value, omit this field.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified string.
+	// e.g., HEADER, METHOD or BODY.
+	// See docs
+	// for all supported values.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type SQLInjectionMatchTupleFieldToMatchParameters struct {
@@ -54,6 +70,16 @@ type SQLInjectionMatchTupleFieldToMatchParameters struct {
 }
 
 type SQLInjectionMatchTupleObservation struct {
+
+	// Specifies where in a web request to look for snippets of malicious SQL code.
+	FieldToMatch []SQLInjectionMatchTupleFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.
+	// If you specify a transformation, AWS WAF performs the transformation on field_to_match before inspecting a request for a match.
+	// e.g., CMD_LINE, HTML_ENTITY_DECODE or NONE.
+	// See docs
+	// for all supported values.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type SQLInjectionMatchTupleParameters struct {
@@ -95,8 +121,9 @@ type SQLInjectionMatchSetStatus struct {
 type SQLInjectionMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SQLInjectionMatchSetSpec   `json:"spec"`
-	Status            SQLInjectionMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   SQLInjectionMatchSetSpec   `json:"spec"`
+	Status SQLInjectionMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_webacl_types.go b/apis/wafregional/v1beta1/zz_webacl_types.go
index b4da5a0bbf..71bf07c315 100755
--- a/apis/wafregional/v1beta1/zz_webacl_types.go
+++ b/apis/wafregional/v1beta1/zz_webacl_types.go
@@ -14,6 +14,9 @@ import (
 )
 
 type ActionObservation struct {
+
+	// Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for action are ALLOW, BLOCK or COUNT. Valid values for override_action are COUNT and NONE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type ActionParameters struct {
@@ -24,6 +27,9 @@ type ActionParameters struct {
 }
 
 type DefaultActionObservation struct {
+
+	// Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g., ALLOW, BLOCK or COUNT
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type DefaultActionParameters struct {
@@ -34,6 +40,12 @@ type DefaultActionParameters struct {
 }
 
 type LoggingConfigurationObservation struct {
+
+	// Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream
+	LogDestination *string `json:"logDestination,omitempty" tf:"log_destination,omitempty"`
+
+	// Configuration block containing parts of the request that you want redacted from the logs. Detailed below.
+	RedactedFields []RedactedFieldsObservation `json:"redactedFields,omitempty" tf:"redacted_fields,omitempty"`
 }
 
 type LoggingConfigurationParameters struct {
@@ -58,6 +70,9 @@ type LoggingConfigurationParameters struct {
 }
 
 type OverrideActionObservation struct {
+
+	// Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for action are ALLOW, BLOCK or COUNT. Valid values for override_action are COUNT and NONE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type OverrideActionParameters struct {
@@ -68,6 +83,12 @@ type OverrideActionParameters struct {
 }
 
 type RedactedFieldsFieldToMatchObservation struct {
+
+	// When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for action are ALLOW, BLOCK or COUNT. Valid values for override_action are COUNT and NONE.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type RedactedFieldsFieldToMatchParameters struct {
@@ -82,6 +103,9 @@ type RedactedFieldsFieldToMatchParameters struct {
 }
 
 type RedactedFieldsObservation struct {
+
+	// Set of configuration blocks for fields to redact. Detailed below.
+	FieldToMatch []RedactedFieldsFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
 }
 
 type RedactedFieldsParameters struct {
@@ -96,9 +120,27 @@ type WebACLObservation struct {
 	// Amazon Resource Name (ARN) of the WAF Regional WebACL.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
+	DefaultAction []DefaultActionObservation `json:"defaultAction,omitempty" tf:"default_action,omitempty"`
+
 	// The ID of the WAF Regional WebACL.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration block to enable WAF logging. Detailed below.
+	LoggingConfiguration []LoggingConfigurationObservation `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
+
+	// The name or description for the Amazon CloudWatch metric of this web ACL.
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
+
+	// The name or description of the web ACL.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Set of configuration blocks containing rules for the web ACL. Detailed below.
+	Rule []WebACLRuleObservation `json:"rule,omitempty" tf:"rule,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -106,20 +148,20 @@ type WebACLObservation struct {
 type WebACLParameters struct {
 
 	// The action that you want AWS WAF Regional to take when a request doesn't match the criteria in any of the rules that are associated with the web ACL.
-	// +kubebuilder:validation:Required
-	DefaultAction []DefaultActionParameters `json:"defaultAction" tf:"default_action,omitempty"`
+	// +kubebuilder:validation:Optional
+	DefaultAction []DefaultActionParameters `json:"defaultAction,omitempty" tf:"default_action,omitempty"`
 
 	// Configuration block to enable WAF logging. Detailed below.
 	// +kubebuilder:validation:Optional
 	LoggingConfiguration []LoggingConfigurationParameters `json:"loggingConfiguration,omitempty" tf:"logging_configuration,omitempty"`
 
 	// The name or description for the Amazon CloudWatch metric of this web ACL.
-	// +kubebuilder:validation:Required
-	MetricName *string `json:"metricName" tf:"metric_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	MetricName *string `json:"metricName,omitempty" tf:"metric_name,omitempty"`
 
 	// The name or description of the web ACL.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -136,6 +178,22 @@ type WebACLParameters struct {
 }
 
 type WebACLRuleObservation struct {
+
+	// Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule.  Not used if type is GROUP. Detailed below.
+	Action []ActionObservation `json:"action,omitempty" tf:"action,omitempty"`
+
+	// Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule.  Only used if type is GROUP. Detailed below.
+	OverrideAction []OverrideActionObservation `json:"overrideAction,omitempty" tf:"override_action,omitempty"`
+
+	// Specifies the order in which the rules in a WebACL are evaluated.
+	// Rules with a lower value are evaluated before rules with a higher value.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// ID of the associated WAF (Regional) rule (e.g., aws_wafregional_rule). WAF (Global) rules cannot be used.
+	RuleID *string `json:"ruleId,omitempty" tf:"rule_id,omitempty"`
+
+	// The rule type, either REGULAR, as defined by Rule, RATE_BASED, as defined by RateBasedRule, or GROUP, as defined by RuleGroup. The default is REGULAR. If you add a RATE_BASED rule, you need to set type as RATE_BASED. If you add a GROUP rule, you need to set type as GROUP.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type WebACLRuleParameters struct {
@@ -196,8 +254,11 @@ type WebACLStatus struct {
 type WebACL struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              WebACLSpec   `json:"spec"`
-	Status            WebACLStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultAction)",message="defaultAction is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)",message="metricName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   WebACLSpec   `json:"spec"`
+	Status WebACLStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafregional/v1beta1/zz_xssmatchset_types.go b/apis/wafregional/v1beta1/zz_xssmatchset_types.go
index 476a638fd3..f4e20f69ae 100755
--- a/apis/wafregional/v1beta1/zz_xssmatchset_types.go
+++ b/apis/wafregional/v1beta1/zz_xssmatchset_types.go
@@ -17,13 +17,19 @@ type XSSMatchSetObservation struct {
 
 	// The ID of the Regional WAF XSS Match Set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// The name of the set
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// The parts of web requests that you want to inspect for cross-site scripting attacks.
+	XSSMatchTuple []XSSMatchTupleObservation `json:"xssMatchTuple,omitempty" tf:"xss_match_tuple,omitempty"`
 }
 
 type XSSMatchSetParameters struct {
 
 	// The name of the set
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -36,6 +42,12 @@ type XSSMatchSetParameters struct {
 }
 
 type XSSMatchTupleFieldToMatchObservation struct {
+
+	// When the value of type is HEADER, enter the name of the header that you want the WAF to search, for example, User-Agent or Referer. If the value of type is any other value, omit data.
+	Data *string `json:"data,omitempty" tf:"data,omitempty"`
+
+	// The part of the web request that you want AWS WAF to search for a specified stringE.g., HEADER or METHOD
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type XSSMatchTupleFieldToMatchParameters struct {
@@ -50,6 +62,12 @@ type XSSMatchTupleFieldToMatchParameters struct {
 }
 
 type XSSMatchTupleObservation struct {
+
+	// Specifies where in a web request to look for cross-site scripting attacks.
+	FieldToMatch []XSSMatchTupleFieldToMatchObservation `json:"fieldToMatch,omitempty" tf:"field_to_match,omitempty"`
+
+	// Which text transformation, if any, to perform on the web request before inspecting the request for cross-site scripting attacks.
+	TextTransformation *string `json:"textTransformation,omitempty" tf:"text_transformation,omitempty"`
 }
 
 type XSSMatchTupleParameters struct {
@@ -87,8 +105,9 @@ type XSSMatchSetStatus struct {
 type XSSMatchSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              XSSMatchSetSpec   `json:"spec"`
-	Status            XSSMatchSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   XSSMatchSetSpec   `json:"spec"`
+	Status XSSMatchSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafv2/v1beta1/zz_generated.deepcopy.go b/apis/wafv2/v1beta1/zz_generated.deepcopy.go
index dca01bd6b8..24b0624a8f 100644
--- a/apis/wafv2/v1beta1/zz_generated.deepcopy.go
+++ b/apis/wafv2/v1beta1/zz_generated.deepcopy.go
@@ -75,21 +75,67 @@ func (in *IPSetList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPSetObservation) DeepCopyInto(out *IPSetObservation) {
 	*out = *in
+	if in.Addresses != nil {
+		in, out := &in.Addresses, &out.Addresses
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.Arn != nil {
 		in, out := &in.Arn, &out.Arn
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPAddressVersion != nil {
+		in, out := &in.IPAddressVersion, &out.IPAddressVersion
+		*out = new(string)
+		**out = **in
+	}
 	if in.LockToken != nil {
 		in, out := &in.LockToken, &out.LockToken
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -284,6 +330,11 @@ func (in *RegexPatternSetObservation) DeepCopyInto(out *RegexPatternSetObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
@@ -294,6 +345,38 @@ func (in *RegexPatternSetObservation) DeepCopyInto(out *RegexPatternSetObservati
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.RegularExpression != nil {
+		in, out := &in.RegularExpression, &out.RegularExpression
+		*out = make([]RegularExpressionObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Scope != nil {
+		in, out := &in.Scope, &out.Scope
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -415,6 +498,11 @@ func (in *RegexPatternSetStatus) DeepCopy() *RegexPatternSetStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RegularExpressionObservation) DeepCopyInto(out *RegularExpressionObservation) {
 	*out = *in
+	if in.RegexString != nil {
+		in, out := &in.RegexString, &out.RegexString
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RegularExpressionObservation.
diff --git a/apis/wafv2/v1beta1/zz_ipset_types.go b/apis/wafv2/v1beta1/zz_ipset_types.go
index f14bf898cf..5b39572dc8 100755
--- a/apis/wafv2/v1beta1/zz_ipset_types.go
+++ b/apis/wafv2/v1beta1/zz_ipset_types.go
@@ -15,14 +15,32 @@ import (
 
 type IPSetObservation struct {
 
+	// Contains an array of strings that specify one or more IP addresses or blocks of IP addresses in Classless Inter-Domain Routing (CIDR) notation. AWS WAF supports all address ranges for IP versions IPv4 and IPv6.
+	Addresses []*string `json:"addresses,omitempty" tf:"addresses,omitempty"`
+
 	// The Amazon Resource Name (ARN) of the IP set.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A friendly description of the IP set.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// A unique identifier for the IP set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Specify IPV4 or IPV6. Valid values are IPV4 or IPV6.
+	IPAddressVersion *string `json:"ipAddressVersion,omitempty" tf:"ip_address_version,omitempty"`
+
 	LockToken *string `json:"lockToken,omitempty" tf:"lock_token,omitempty"`
 
+	// A friendly name of the IP set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the Region US East (N. Virginia).
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -38,12 +56,12 @@ type IPSetParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// Specify IPV4 or IPV6. Valid values are IPV4 or IPV6.
-	// +kubebuilder:validation:Required
-	IPAddressVersion *string `json:"ipAddressVersion" tf:"ip_address_version,omitempty"`
+	// +kubebuilder:validation:Optional
+	IPAddressVersion *string `json:"ipAddressVersion,omitempty" tf:"ip_address_version,omitempty"`
 
 	// A friendly name of the IP set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -51,8 +69,8 @@ type IPSetParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the Region US East (N. Virginia).
-	// +kubebuilder:validation:Required
-	Scope *string `json:"scope" tf:"scope,omitempty"`
+	// +kubebuilder:validation:Optional
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -83,8 +101,11 @@ type IPSetStatus struct {
 type IPSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IPSetSpec   `json:"spec"`
-	Status            IPSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ipAddressVersion)",message="ipAddressVersion is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope)",message="scope is a required parameter"
+	Spec   IPSetSpec   `json:"spec"`
+	Status IPSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/wafv2/v1beta1/zz_regexpatternset_types.go b/apis/wafv2/v1beta1/zz_regexpatternset_types.go
index 83f6b9bcef..77d5271e5b 100755
--- a/apis/wafv2/v1beta1/zz_regexpatternset_types.go
+++ b/apis/wafv2/v1beta1/zz_regexpatternset_types.go
@@ -18,11 +18,26 @@ type RegexPatternSetObservation struct {
 	// The Amazon Resource Name (ARN) that identifies the cluster.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// A friendly description of the regular expression pattern set.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// A unique identifier for the set.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
 	LockToken *string `json:"lockToken,omitempty" tf:"lock_token,omitempty"`
 
+	// A friendly name of the regular expression pattern set.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// One or more blocks of regular expression patterns that you want AWS WAF to search for, such as B[a@]dB[o0]t. See Regular Expression below for details.
+	RegularExpression []RegularExpressionObservation `json:"regularExpression,omitempty" tf:"regular_expression,omitempty"`
+
+	// Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -34,8 +49,8 @@ type RegexPatternSetParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// A friendly name of the regular expression pattern set.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -47,8 +62,8 @@ type RegexPatternSetParameters struct {
 	RegularExpression []RegularExpressionParameters `json:"regularExpression,omitempty" tf:"regular_expression,omitempty"`
 
 	// Specifies whether this is for an AWS CloudFront distribution or for a regional application. Valid values are CLOUDFRONT or REGIONAL. To work with CloudFront, you must also specify the region us-east-1 (N. Virginia) on the AWS provider.
-	// +kubebuilder:validation:Required
-	Scope *string `json:"scope" tf:"scope,omitempty"`
+	// +kubebuilder:validation:Optional
+	Scope *string `json:"scope,omitempty" tf:"scope,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
@@ -56,6 +71,9 @@ type RegexPatternSetParameters struct {
 }
 
 type RegularExpressionObservation struct {
+
+	// The string representing the regular expression, see the AWS WAF documentation for more information.
+	RegexString *string `json:"regexString,omitempty" tf:"regex_string,omitempty"`
 }
 
 type RegularExpressionParameters struct {
@@ -89,8 +107,10 @@ type RegexPatternSetStatus struct {
 type RegexPatternSet struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              RegexPatternSetSpec   `json:"spec"`
-	Status            RegexPatternSetStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope)",message="scope is a required parameter"
+	Spec   RegexPatternSetSpec   `json:"spec"`
+	Status RegexPatternSetStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/workspaces/v1beta1/zz_directory_types.go b/apis/workspaces/v1beta1/zz_directory_types.go
index bb17609be5..f33c35e2a3 100755
--- a/apis/workspaces/v1beta1/zz_directory_types.go
+++ b/apis/workspaces/v1beta1/zz_directory_types.go
@@ -24,6 +24,9 @@ type DirectoryObservation struct {
 	// The IP addresses of the DNS servers for the directory.
 	DNSIPAddresses []*string `json:"dnsIpAddresses,omitempty" tf:"dns_ip_addresses,omitempty"`
 
+	// The directory identifier for registration in WorkSpaces service.
+	DirectoryID *string `json:"directoryId,omitempty" tf:"directory_id,omitempty"`
+
 	// The name of the directory.
 	DirectoryName *string `json:"directoryName,omitempty" tf:"directory_name,omitempty"`
 
@@ -36,12 +39,30 @@ type DirectoryObservation struct {
 	// The WorkSpaces directory identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The identifiers of the IP access control groups associated with the directory.
+	IPGroupIds []*string `json:"ipGroupIds,omitempty" tf:"ip_group_ids,omitempty"`
+
 	// The registration code for the directory. This is the code that users enter in their Amazon WorkSpaces client application to connect to the directory.
 	RegistrationCode *string `json:"registrationCode,omitempty" tf:"registration_code,omitempty"`
 
+	// service capabilities. Defined below.
+	SelfServicePermissions []SelfServicePermissionsObservation `json:"selfServicePermissions,omitempty" tf:"self_service_permissions,omitempty"`
+
+	// The identifiers of the subnets where the directory resides.
+	SubnetIds []*string `json:"subnetIds,omitempty" tf:"subnet_ids,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 
+	// –  Specifies which devices and operating systems users can use to access their WorkSpaces. Defined below.
+	WorkspaceAccessProperties []WorkspaceAccessPropertiesObservation `json:"workspaceAccessProperties,omitempty" tf:"workspace_access_properties,omitempty"`
+
+	// –  Default properties that are used for creating WorkSpaces. Defined below.
+	WorkspaceCreationProperties []WorkspaceCreationPropertiesObservation `json:"workspaceCreationProperties,omitempty" tf:"workspace_creation_properties,omitempty"`
+
 	// The identifier of the security group that is assigned to new WorkSpaces.
 	WorkspaceSecurityGroupID *string `json:"workspaceSecurityGroupId,omitempty" tf:"workspace_security_group_id,omitempty"`
 }
@@ -104,6 +125,21 @@ type DirectoryParameters struct {
 }
 
 type SelfServicePermissionsObservation struct {
+
+	// –  Whether WorkSpaces directory users can change the compute type (bundle) for their workspace. Default false.
+	ChangeComputeType *bool `json:"changeComputeType,omitempty" tf:"change_compute_type,omitempty"`
+
+	// –  Whether WorkSpaces directory users can increase the volume size of the drives on their workspace. Default false.
+	IncreaseVolumeSize *bool `json:"increaseVolumeSize,omitempty" tf:"increase_volume_size,omitempty"`
+
+	// –  Whether WorkSpaces directory users can rebuild the operating system of a workspace to its original state. Default false.
+	RebuildWorkspace *bool `json:"rebuildWorkspace,omitempty" tf:"rebuild_workspace,omitempty"`
+
+	// –  Whether WorkSpaces directory users can restart their workspace. Default true.
+	RestartWorkspace *bool `json:"restartWorkspace,omitempty" tf:"restart_workspace,omitempty"`
+
+	// –  Whether WorkSpaces directory users can switch the running mode of their workspace. Default false.
+	SwitchRunningMode *bool `json:"switchRunningMode,omitempty" tf:"switch_running_mode,omitempty"`
 }
 
 type SelfServicePermissionsParameters struct {
@@ -130,6 +166,30 @@ type SelfServicePermissionsParameters struct {
 }
 
 type WorkspaceAccessPropertiesObservation struct {
+
+	// –  Indicates whether users can use Android devices to access their WorkSpaces.
+	DeviceTypeAndroid *string `json:"deviceTypeAndroid,omitempty" tf:"device_type_android,omitempty"`
+
+	// –  Indicates whether users can use Chromebooks to access their WorkSpaces.
+	DeviceTypeChromeos *string `json:"deviceTypeChromeos,omitempty" tf:"device_type_chromeos,omitempty"`
+
+	// –  Indicates whether users can use iOS devices to access their WorkSpaces.
+	DeviceTypeIos *string `json:"deviceTypeIos,omitempty" tf:"device_type_ios,omitempty"`
+
+	// –  Indicates whether users can use Linux clients to access their WorkSpaces.
+	DeviceTypeLinux *string `json:"deviceTypeLinux,omitempty" tf:"device_type_linux,omitempty"`
+
+	// –  Indicates whether users can use macOS clients to access their WorkSpaces.
+	DeviceTypeOsx *string `json:"deviceTypeOsx,omitempty" tf:"device_type_osx,omitempty"`
+
+	// –  Indicates whether users can access their WorkSpaces through a web browser.
+	DeviceTypeWeb *string `json:"deviceTypeWeb,omitempty" tf:"device_type_web,omitempty"`
+
+	// –  Indicates whether users can use Windows clients to access their WorkSpaces.
+	DeviceTypeWindows *string `json:"deviceTypeWindows,omitempty" tf:"device_type_windows,omitempty"`
+
+	// –  Indicates whether users can use zero client devices to access their WorkSpaces.
+	DeviceTypeZeroclient *string `json:"deviceTypeZeroclient,omitempty" tf:"device_type_zeroclient,omitempty"`
 }
 
 type WorkspaceAccessPropertiesParameters struct {
@@ -168,6 +228,21 @@ type WorkspaceAccessPropertiesParameters struct {
 }
 
 type WorkspaceCreationPropertiesObservation struct {
+
+	// –  The identifier of your custom security group. Should relate to the same VPC, where workspaces reside in.
+	CustomSecurityGroupID *string `json:"customSecurityGroupId,omitempty" tf:"custom_security_group_id,omitempty"`
+
+	// –  The default organizational unit (OU) for your WorkSpace directories. Should conform "OU=<value>,DC=<value>,...,DC=<value>" pattern.
+	DefaultOu *string `json:"defaultOu,omitempty" tf:"default_ou,omitempty"`
+
+	// –  Indicates whether internet access is enabled for your WorkSpaces.
+	EnableInternetAccess *bool `json:"enableInternetAccess,omitempty" tf:"enable_internet_access,omitempty"`
+
+	// –  Indicates whether maintenance mode is enabled for your WorkSpaces. For more information, see WorkSpace Maintenance..
+	EnableMaintenanceMode *bool `json:"enableMaintenanceMode,omitempty" tf:"enable_maintenance_mode,omitempty"`
+
+	// –  Indicates whether users are local administrators of their WorkSpaces.
+	UserEnabledAsLocalAdministrator *bool `json:"userEnabledAsLocalAdministrator,omitempty" tf:"user_enabled_as_local_administrator,omitempty"`
 }
 
 type WorkspaceCreationPropertiesParameters struct {
diff --git a/apis/workspaces/v1beta1/zz_generated.deepcopy.go b/apis/workspaces/v1beta1/zz_generated.deepcopy.go
index e4682b4a45..b78817ddba 100644
--- a/apis/workspaces/v1beta1/zz_generated.deepcopy.go
+++ b/apis/workspaces/v1beta1/zz_generated.deepcopy.go
@@ -97,6 +97,11 @@ func (in *DirectoryObservation) DeepCopyInto(out *DirectoryObservation) {
 			}
 		}
 	}
+	if in.DirectoryID != nil {
+		in, out := &in.DirectoryID, &out.DirectoryID
+		*out = new(string)
+		**out = **in
+	}
 	if in.DirectoryName != nil {
 		in, out := &in.DirectoryName, &out.DirectoryName
 		*out = new(string)
@@ -117,11 +122,55 @@ func (in *DirectoryObservation) DeepCopyInto(out *DirectoryObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.IPGroupIds != nil {
+		in, out := &in.IPGroupIds, &out.IPGroupIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
 	if in.RegistrationCode != nil {
 		in, out := &in.RegistrationCode, &out.RegistrationCode
 		*out = new(string)
 		**out = **in
 	}
+	if in.SelfServicePermissions != nil {
+		in, out := &in.SelfServicePermissions, &out.SelfServicePermissions
+		*out = make([]SelfServicePermissionsObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.SubnetIds != nil {
+		in, out := &in.SubnetIds, &out.SubnetIds
+		*out = make([]*string, len(*in))
+		for i := range *in {
+			if (*in)[i] != nil {
+				in, out := &(*in)[i], &(*out)[i]
+				*out = new(string)
+				**out = **in
+			}
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -137,6 +186,20 @@ func (in *DirectoryObservation) DeepCopyInto(out *DirectoryObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.WorkspaceAccessProperties != nil {
+		in, out := &in.WorkspaceAccessProperties, &out.WorkspaceAccessProperties
+		*out = make([]WorkspaceAccessPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.WorkspaceCreationProperties != nil {
+		in, out := &in.WorkspaceCreationProperties, &out.WorkspaceCreationProperties
+		*out = make([]WorkspaceCreationPropertiesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
 	if in.WorkspaceSecurityGroupID != nil {
 		in, out := &in.WorkspaceSecurityGroupID, &out.WorkspaceSecurityGroupID
 		*out = new(string)
@@ -355,11 +418,43 @@ func (in *IPGroupList) DeepCopyObject() runtime.Object {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *IPGroupObservation) DeepCopyInto(out *IPGroupObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Name != nil {
+		in, out := &in.Name, &out.Name
+		*out = new(string)
+		**out = **in
+	}
+	if in.Rules != nil {
+		in, out := &in.Rules, &out.Rules
+		*out = make([]RulesObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -476,6 +571,16 @@ func (in *IPGroupStatus) DeepCopy() *IPGroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RulesObservation) DeepCopyInto(out *RulesObservation) {
 	*out = *in
+	if in.Description != nil {
+		in, out := &in.Description, &out.Description
+		*out = new(string)
+		**out = **in
+	}
+	if in.Source != nil {
+		in, out := &in.Source, &out.Source
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RulesObservation.
@@ -516,6 +621,31 @@ func (in *RulesParameters) DeepCopy() *RulesParameters {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *SelfServicePermissionsObservation) DeepCopyInto(out *SelfServicePermissionsObservation) {
 	*out = *in
+	if in.ChangeComputeType != nil {
+		in, out := &in.ChangeComputeType, &out.ChangeComputeType
+		*out = new(bool)
+		**out = **in
+	}
+	if in.IncreaseVolumeSize != nil {
+		in, out := &in.IncreaseVolumeSize, &out.IncreaseVolumeSize
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RebuildWorkspace != nil {
+		in, out := &in.RebuildWorkspace, &out.RebuildWorkspace
+		*out = new(bool)
+		**out = **in
+	}
+	if in.RestartWorkspace != nil {
+		in, out := &in.RestartWorkspace, &out.RestartWorkspace
+		*out = new(bool)
+		**out = **in
+	}
+	if in.SwitchRunningMode != nil {
+		in, out := &in.SwitchRunningMode, &out.SwitchRunningMode
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SelfServicePermissionsObservation.
@@ -571,6 +701,46 @@ func (in *SelfServicePermissionsParameters) DeepCopy() *SelfServicePermissionsPa
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkspaceAccessPropertiesObservation) DeepCopyInto(out *WorkspaceAccessPropertiesObservation) {
 	*out = *in
+	if in.DeviceTypeAndroid != nil {
+		in, out := &in.DeviceTypeAndroid, &out.DeviceTypeAndroid
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceTypeChromeos != nil {
+		in, out := &in.DeviceTypeChromeos, &out.DeviceTypeChromeos
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceTypeIos != nil {
+		in, out := &in.DeviceTypeIos, &out.DeviceTypeIos
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceTypeLinux != nil {
+		in, out := &in.DeviceTypeLinux, &out.DeviceTypeLinux
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceTypeOsx != nil {
+		in, out := &in.DeviceTypeOsx, &out.DeviceTypeOsx
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceTypeWeb != nil {
+		in, out := &in.DeviceTypeWeb, &out.DeviceTypeWeb
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceTypeWindows != nil {
+		in, out := &in.DeviceTypeWindows, &out.DeviceTypeWindows
+		*out = new(string)
+		**out = **in
+	}
+	if in.DeviceTypeZeroclient != nil {
+		in, out := &in.DeviceTypeZeroclient, &out.DeviceTypeZeroclient
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceAccessPropertiesObservation.
@@ -641,6 +811,31 @@ func (in *WorkspaceAccessPropertiesParameters) DeepCopy() *WorkspaceAccessProper
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *WorkspaceCreationPropertiesObservation) DeepCopyInto(out *WorkspaceCreationPropertiesObservation) {
 	*out = *in
+	if in.CustomSecurityGroupID != nil {
+		in, out := &in.CustomSecurityGroupID, &out.CustomSecurityGroupID
+		*out = new(string)
+		**out = **in
+	}
+	if in.DefaultOu != nil {
+		in, out := &in.DefaultOu, &out.DefaultOu
+		*out = new(string)
+		**out = **in
+	}
+	if in.EnableInternetAccess != nil {
+		in, out := &in.EnableInternetAccess, &out.EnableInternetAccess
+		*out = new(bool)
+		**out = **in
+	}
+	if in.EnableMaintenanceMode != nil {
+		in, out := &in.EnableMaintenanceMode, &out.EnableMaintenanceMode
+		*out = new(bool)
+		**out = **in
+	}
+	if in.UserEnabledAsLocalAdministrator != nil {
+		in, out := &in.UserEnabledAsLocalAdministrator, &out.UserEnabledAsLocalAdministrator
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new WorkspaceCreationPropertiesObservation.
diff --git a/apis/workspaces/v1beta1/zz_ipgroup_types.go b/apis/workspaces/v1beta1/zz_ipgroup_types.go
index 3a21c5c5a3..07c1ea5cbc 100755
--- a/apis/workspaces/v1beta1/zz_ipgroup_types.go
+++ b/apis/workspaces/v1beta1/zz_ipgroup_types.go
@@ -15,9 +15,21 @@ import (
 
 type IPGroupObservation struct {
 
+	// The description of the IP group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
 	// The IP group identifier.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The name of the IP group.
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
+
+	// One or more pairs specifying the IP group rule (in CIDR format) from which web requests originate.
+	Rules []RulesObservation `json:"rules,omitempty" tf:"rules,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -29,8 +41,8 @@ type IPGroupParameters struct {
 	Description *string `json:"description,omitempty" tf:"description,omitempty"`
 
 	// The name of the IP group.
-	// +kubebuilder:validation:Required
-	Name *string `json:"name" tf:"name,omitempty"`
+	// +kubebuilder:validation:Optional
+	Name *string `json:"name,omitempty" tf:"name,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -47,6 +59,12 @@ type IPGroupParameters struct {
 }
 
 type RulesObservation struct {
+
+	// The description of the IP group.
+	Description *string `json:"description,omitempty" tf:"description,omitempty"`
+
+	// The IP address range, in CIDR notation, e.g., 10.0.0.0/16
+	Source *string `json:"source,omitempty" tf:"source,omitempty"`
 }
 
 type RulesParameters struct {
@@ -84,8 +102,9 @@ type IPGroupStatus struct {
 type IPGroup struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              IPGroupSpec   `json:"spec"`
-	Status            IPGroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)",message="name is a required parameter"
+	Spec   IPGroupSpec   `json:"spec"`
+	Status IPGroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/xray/v1beta1/zz_encryptionconfig_types.go b/apis/xray/v1beta1/zz_encryptionconfig_types.go
index 79521ce067..a89a178f9a 100755
--- a/apis/xray/v1beta1/zz_encryptionconfig_types.go
+++ b/apis/xray/v1beta1/zz_encryptionconfig_types.go
@@ -17,6 +17,12 @@ type EncryptionConfigObservation struct {
 
 	// Region name.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
+
+	// An AWS KMS customer master key (CMK) ARN.
+	KeyID *string `json:"keyId,omitempty" tf:"key_id,omitempty"`
+
+	// The type of encryption. Set to KMS to use your own key for encryption. Set to NONE for default encryption.
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 type EncryptionConfigParameters struct {
@@ -41,8 +47,8 @@ type EncryptionConfigParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// The type of encryption. Set to KMS to use your own key for encryption. Set to NONE for default encryption.
-	// +kubebuilder:validation:Required
-	Type *string `json:"type" tf:"type,omitempty"`
+	// +kubebuilder:validation:Optional
+	Type *string `json:"type,omitempty" tf:"type,omitempty"`
 }
 
 // EncryptionConfigSpec defines the desired state of EncryptionConfig
@@ -69,8 +75,9 @@ type EncryptionConfigStatus struct {
 type EncryptionConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              EncryptionConfigSpec   `json:"spec"`
-	Status            EncryptionConfigStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)",message="type is a required parameter"
+	Spec   EncryptionConfigSpec   `json:"spec"`
+	Status EncryptionConfigStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/xray/v1beta1/zz_generated.deepcopy.go b/apis/xray/v1beta1/zz_generated.deepcopy.go
index 43dc4df811..2b449697ac 100644
--- a/apis/xray/v1beta1/zz_generated.deepcopy.go
+++ b/apis/xray/v1beta1/zz_generated.deepcopy.go
@@ -81,6 +81,16 @@ func (in *EncryptionConfigObservation) DeepCopyInto(out *EncryptionConfigObserva
 		*out = new(string)
 		**out = **in
 	}
+	if in.KeyID != nil {
+		in, out := &in.KeyID, &out.KeyID
+		*out = new(string)
+		**out = **in
+	}
+	if in.Type != nil {
+		in, out := &in.Type, &out.Type
+		*out = new(string)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionConfigObservation.
@@ -234,11 +244,43 @@ func (in *GroupObservation) DeepCopyInto(out *GroupObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.FilterExpression != nil {
+		in, out := &in.FilterExpression, &out.FilterExpression
+		*out = new(string)
+		**out = **in
+	}
+	if in.GroupName != nil {
+		in, out := &in.GroupName, &out.GroupName
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.InsightsConfiguration != nil {
+		in, out := &in.InsightsConfiguration, &out.InsightsConfiguration
+		*out = make([]InsightsConfigurationObservation, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -355,6 +397,16 @@ func (in *GroupStatus) DeepCopy() *GroupStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *InsightsConfigurationObservation) DeepCopyInto(out *InsightsConfigurationObservation) {
 	*out = *in
+	if in.InsightsEnabled != nil {
+		in, out := &in.InsightsEnabled, &out.InsightsEnabled
+		*out = new(bool)
+		**out = **in
+	}
+	if in.NotificationsEnabled != nil {
+		in, out := &in.NotificationsEnabled, &out.NotificationsEnabled
+		*out = new(bool)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InsightsConfigurationObservation.
@@ -459,11 +511,81 @@ func (in *SamplingRuleObservation) DeepCopyInto(out *SamplingRuleObservation) {
 		*out = new(string)
 		**out = **in
 	}
+	if in.Attributes != nil {
+		in, out := &in.Attributes, &out.Attributes
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
+	if in.FixedRate != nil {
+		in, out := &in.FixedRate, &out.FixedRate
+		*out = new(float64)
+		**out = **in
+	}
+	if in.HTTPMethod != nil {
+		in, out := &in.HTTPMethod, &out.HTTPMethod
+		*out = new(string)
+		**out = **in
+	}
+	if in.Host != nil {
+		in, out := &in.Host, &out.Host
+		*out = new(string)
+		**out = **in
+	}
 	if in.ID != nil {
 		in, out := &in.ID, &out.ID
 		*out = new(string)
 		**out = **in
 	}
+	if in.Priority != nil {
+		in, out := &in.Priority, &out.Priority
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ReservoirSize != nil {
+		in, out := &in.ReservoirSize, &out.ReservoirSize
+		*out = new(float64)
+		**out = **in
+	}
+	if in.ResourceArn != nil {
+		in, out := &in.ResourceArn, &out.ResourceArn
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceName != nil {
+		in, out := &in.ServiceName, &out.ServiceName
+		*out = new(string)
+		**out = **in
+	}
+	if in.ServiceType != nil {
+		in, out := &in.ServiceType, &out.ServiceType
+		*out = new(string)
+		**out = **in
+	}
+	if in.Tags != nil {
+		in, out := &in.Tags, &out.Tags
+		*out = make(map[string]*string, len(*in))
+		for key, val := range *in {
+			var outVal *string
+			if val == nil {
+				(*out)[key] = nil
+			} else {
+				in, out := &val, &outVal
+				*out = new(string)
+				**out = **in
+			}
+			(*out)[key] = outVal
+		}
+	}
 	if in.TagsAll != nil {
 		in, out := &in.TagsAll, &out.TagsAll
 		*out = make(map[string]*string, len(*in))
@@ -479,6 +601,16 @@ func (in *SamplingRuleObservation) DeepCopyInto(out *SamplingRuleObservation) {
 			(*out)[key] = outVal
 		}
 	}
+	if in.URLPath != nil {
+		in, out := &in.URLPath, &out.URLPath
+		*out = new(string)
+		**out = **in
+	}
+	if in.Version != nil {
+		in, out := &in.Version, &out.Version
+		*out = new(float64)
+		**out = **in
+	}
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SamplingRuleObservation.
diff --git a/apis/xray/v1beta1/zz_group_types.go b/apis/xray/v1beta1/zz_group_types.go
index d52f40786b..005188d067 100755
--- a/apis/xray/v1beta1/zz_group_types.go
+++ b/apis/xray/v1beta1/zz_group_types.go
@@ -18,9 +18,21 @@ type GroupObservation struct {
 	// The ARN of the Group.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// The filter expression defining criteria by which to group traces. more info can be found in official docs.
+	FilterExpression *string `json:"filterExpression,omitempty" tf:"filter_expression,omitempty"`
+
+	// The name of the group.
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
+
 	// The ARN of the Group.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// Configuration options for enabling insights.
+	InsightsConfiguration []InsightsConfigurationObservation `json:"insightsConfiguration,omitempty" tf:"insights_configuration,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
 }
@@ -28,12 +40,12 @@ type GroupObservation struct {
 type GroupParameters struct {
 
 	// The filter expression defining criteria by which to group traces. more info can be found in official docs.
-	// +kubebuilder:validation:Required
-	FilterExpression *string `json:"filterExpression" tf:"filter_expression,omitempty"`
+	// +kubebuilder:validation:Optional
+	FilterExpression *string `json:"filterExpression,omitempty" tf:"filter_expression,omitempty"`
 
 	// The name of the group.
-	// +kubebuilder:validation:Required
-	GroupName *string `json:"groupName" tf:"group_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	GroupName *string `json:"groupName,omitempty" tf:"group_name,omitempty"`
 
 	// Configuration options for enabling insights.
 	// +kubebuilder:validation:Optional
@@ -50,6 +62,12 @@ type GroupParameters struct {
 }
 
 type InsightsConfigurationObservation struct {
+
+	// Specifies whether insights are enabled.
+	InsightsEnabled *bool `json:"insightsEnabled,omitempty" tf:"insights_enabled,omitempty"`
+
+	// Specifies whether insight notifications are enabled.
+	NotificationsEnabled *bool `json:"notificationsEnabled,omitempty" tf:"notifications_enabled,omitempty"`
 }
 
 type InsightsConfigurationParameters struct {
@@ -87,8 +105,10 @@ type GroupStatus struct {
 type Group struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              GroupSpec   `json:"spec"`
-	Status            GroupStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filterExpression)",message="filterExpression is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupName)",message="groupName is a required parameter"
+	Spec   GroupSpec   `json:"spec"`
+	Status GroupStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/apis/xray/v1beta1/zz_samplingrule_types.go b/apis/xray/v1beta1/zz_samplingrule_types.go
index 0a408f241e..084825e5ed 100755
--- a/apis/xray/v1beta1/zz_samplingrule_types.go
+++ b/apis/xray/v1beta1/zz_samplingrule_types.go
@@ -18,11 +18,47 @@ type SamplingRuleObservation struct {
 	// The ARN of the sampling rule.
 	Arn *string `json:"arn,omitempty" tf:"arn,omitempty"`
 
+	// Matches attributes derived from the request.
+	Attributes map[string]*string `json:"attributes,omitempty" tf:"attributes,omitempty"`
+
+	// The percentage of matching requests to instrument, after the reservoir is exhausted.
+	FixedRate *float64 `json:"fixedRate,omitempty" tf:"fixed_rate,omitempty"`
+
+	// Matches the HTTP method of a request.
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
+
+	// Matches the hostname from a request URL.
+	Host *string `json:"host,omitempty" tf:"host,omitempty"`
+
 	// The name of the sampling rule.
 	ID *string `json:"id,omitempty" tf:"id,omitempty"`
 
+	// The priority of the sampling rule.
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
+
+	// A fixed number of matching requests to instrument per second, prior to applying the fixed rate. The reservoir is not used directly by services, but applies to all services using the rule collectively.
+	ReservoirSize *float64 `json:"reservoirSize,omitempty" tf:"reservoir_size,omitempty"`
+
+	// Matches the ARN of the AWS resource on which the service runs.
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
+
+	// Matches the name that the service uses to identify itself in segments.
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
+
+	// Matches the origin that the service uses to identify its type in segments.
+	ServiceType *string `json:"serviceType,omitempty" tf:"service_type,omitempty"`
+
+	// Key-value map of resource tags.
+	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
+
 	// A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
 	TagsAll map[string]*string `json:"tagsAll,omitempty" tf:"tags_all,omitempty"`
+
+	// Matches the path from a request URL.
+	URLPath *string `json:"urlPath,omitempty" tf:"url_path,omitempty"`
+
+	// The version of the sampling rule format (1 )
+	Version *float64 `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 type SamplingRuleParameters struct {
@@ -32,20 +68,20 @@ type SamplingRuleParameters struct {
 	Attributes map[string]*string `json:"attributes,omitempty" tf:"attributes,omitempty"`
 
 	// The percentage of matching requests to instrument, after the reservoir is exhausted.
-	// +kubebuilder:validation:Required
-	FixedRate *float64 `json:"fixedRate" tf:"fixed_rate,omitempty"`
+	// +kubebuilder:validation:Optional
+	FixedRate *float64 `json:"fixedRate,omitempty" tf:"fixed_rate,omitempty"`
 
 	// Matches the HTTP method of a request.
-	// +kubebuilder:validation:Required
-	HTTPMethod *string `json:"httpMethod" tf:"http_method,omitempty"`
+	// +kubebuilder:validation:Optional
+	HTTPMethod *string `json:"httpMethod,omitempty" tf:"http_method,omitempty"`
 
 	// Matches the hostname from a request URL.
-	// +kubebuilder:validation:Required
-	Host *string `json:"host" tf:"host,omitempty"`
+	// +kubebuilder:validation:Optional
+	Host *string `json:"host,omitempty" tf:"host,omitempty"`
 
 	// The priority of the sampling rule.
-	// +kubebuilder:validation:Required
-	Priority *float64 `json:"priority" tf:"priority,omitempty"`
+	// +kubebuilder:validation:Optional
+	Priority *float64 `json:"priority,omitempty" tf:"priority,omitempty"`
 
 	// Region is the region you'd like your resource to be created in.
 	// +upjet:crd:field:TFTag=-
@@ -53,32 +89,32 @@ type SamplingRuleParameters struct {
 	Region *string `json:"region" tf:"-"`
 
 	// A fixed number of matching requests to instrument per second, prior to applying the fixed rate. The reservoir is not used directly by services, but applies to all services using the rule collectively.
-	// +kubebuilder:validation:Required
-	ReservoirSize *float64 `json:"reservoirSize" tf:"reservoir_size,omitempty"`
+	// +kubebuilder:validation:Optional
+	ReservoirSize *float64 `json:"reservoirSize,omitempty" tf:"reservoir_size,omitempty"`
 
 	// Matches the ARN of the AWS resource on which the service runs.
-	// +kubebuilder:validation:Required
-	ResourceArn *string `json:"resourceArn" tf:"resource_arn,omitempty"`
+	// +kubebuilder:validation:Optional
+	ResourceArn *string `json:"resourceArn,omitempty" tf:"resource_arn,omitempty"`
 
 	// Matches the name that the service uses to identify itself in segments.
-	// +kubebuilder:validation:Required
-	ServiceName *string `json:"serviceName" tf:"service_name,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServiceName *string `json:"serviceName,omitempty" tf:"service_name,omitempty"`
 
 	// Matches the origin that the service uses to identify its type in segments.
-	// +kubebuilder:validation:Required
-	ServiceType *string `json:"serviceType" tf:"service_type,omitempty"`
+	// +kubebuilder:validation:Optional
+	ServiceType *string `json:"serviceType,omitempty" tf:"service_type,omitempty"`
 
 	// Key-value map of resource tags.
 	// +kubebuilder:validation:Optional
 	Tags map[string]*string `json:"tags,omitempty" tf:"tags,omitempty"`
 
 	// Matches the path from a request URL.
-	// +kubebuilder:validation:Required
-	URLPath *string `json:"urlPath" tf:"url_path,omitempty"`
+	// +kubebuilder:validation:Optional
+	URLPath *string `json:"urlPath,omitempty" tf:"url_path,omitempty"`
 
 	// The version of the sampling rule format (1 )
-	// +kubebuilder:validation:Required
-	Version *float64 `json:"version" tf:"version,omitempty"`
+	// +kubebuilder:validation:Optional
+	Version *float64 `json:"version,omitempty" tf:"version,omitempty"`
 }
 
 // SamplingRuleSpec defines the desired state of SamplingRule
@@ -105,8 +141,18 @@ type SamplingRuleStatus struct {
 type SamplingRule struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
-	Spec              SamplingRuleSpec   `json:"spec"`
-	Status            SamplingRuleStatus `json:"status,omitempty"`
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fixedRate)",message="fixedRate is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.host)",message="host is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.httpMethod)",message="httpMethod is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.priority)",message="priority is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reservoirSize)",message="reservoirSize is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceArn)",message="resourceArn is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceName)",message="serviceName is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceType)",message="serviceType is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.urlPath)",message="urlPath is a required parameter"
+	// +kubebuilder:validation:XValidation:rule="self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)",message="version is a required parameter"
+	Spec   SamplingRuleSpec   `json:"spec"`
+	Status SamplingRuleStatus `json:"status,omitempty"`
 }
 
 // +kubebuilder:object:root=true
diff --git a/internal/controller/accessanalyzer/analyzer/zz_controller.go b/internal/controller/accessanalyzer/analyzer/zz_controller.go
index c40bcd2e17..187a46109b 100755
--- a/internal/controller/accessanalyzer/analyzer/zz_controller.go
+++ b/internal/controller/accessanalyzer/analyzer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/accessanalyzer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Analyzer managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Analyzer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_accessanalyzer_analyzer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Analyzer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Analyzer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/accessanalyzer/archiverule/zz_controller.go b/internal/controller/accessanalyzer/archiverule/zz_controller.go
index cc606e9dea..e3a23aa290 100755
--- a/internal/controller/accessanalyzer/archiverule/zz_controller.go
+++ b/internal/controller/accessanalyzer/archiverule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/accessanalyzer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ArchiveRule managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ArchiveRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_accessanalyzer_archive_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ArchiveRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ArchiveRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/account/alternatecontact/zz_controller.go b/internal/controller/account/alternatecontact/zz_controller.go
index 73a04b1b4f..b50ea98411 100755
--- a/internal/controller/account/alternatecontact/zz_controller.go
+++ b/internal/controller/account/alternatecontact/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/account/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AlternateContact managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AlternateContact_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_account_alternate_contact"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AlternateContact_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AlternateContact_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/acm/certificate/zz_controller.go b/internal/controller/acm/certificate/zz_controller.go
index 6660dadd07..1676b57452 100755
--- a/internal/controller/acm/certificate/zz_controller.go
+++ b/internal/controller/acm/certificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/acm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Certificate managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_acm_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/acm/certificatevalidation/zz_controller.go b/internal/controller/acm/certificatevalidation/zz_controller.go
index bb0dbfa7c5..f9c38080ae 100755
--- a/internal/controller/acm/certificatevalidation/zz_controller.go
+++ b/internal/controller/acm/certificatevalidation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/acm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CertificateValidation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CertificateValidation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_acm_certificate_validation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CertificateValidation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CertificateValidation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/acmpca/certificate/zz_controller.go b/internal/controller/acmpca/certificate/zz_controller.go
index 98bc36c9fe..f1feccb264 100755
--- a/internal/controller/acmpca/certificate/zz_controller.go
+++ b/internal/controller/acmpca/certificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/acmpca/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Certificate managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_acmpca_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/acmpca/certificateauthority/zz_controller.go b/internal/controller/acmpca/certificateauthority/zz_controller.go
index d056abeece..af98039cc8 100755
--- a/internal/controller/acmpca/certificateauthority/zz_controller.go
+++ b/internal/controller/acmpca/certificateauthority/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/acmpca/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CertificateAuthority managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CertificateAuthority_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_acmpca_certificate_authority"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CertificateAuthority_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CertificateAuthority_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/acmpca/certificateauthoritycertificate/zz_controller.go b/internal/controller/acmpca/certificateauthoritycertificate/zz_controller.go
index e4d4a71e42..e8bf933f12 100755
--- a/internal/controller/acmpca/certificateauthoritycertificate/zz_controller.go
+++ b/internal/controller/acmpca/certificateauthoritycertificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/acmpca/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CertificateAuthorityCertificate managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CertificateAuthorityCertificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_acmpca_certificate_authority_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CertificateAuthorityCertificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CertificateAuthorityCertificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/acmpca/permission/zz_controller.go b/internal/controller/acmpca/permission/zz_controller.go
index f288a978cf..82235d2cc5 100755
--- a/internal/controller/acmpca/permission/zz_controller.go
+++ b/internal/controller/acmpca/permission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/acmpca/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Permission managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_acmpca_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/acmpca/policy/zz_controller.go b/internal/controller/acmpca/policy/zz_controller.go
index 5b87610767..88b3ee3ecb 100755
--- a/internal/controller/acmpca/policy/zz_controller.go
+++ b/internal/controller/acmpca/policy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/acmpca/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Policy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_acmpca_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/amp/alertmanagerdefinition/zz_controller.go b/internal/controller/amp/alertmanagerdefinition/zz_controller.go
index 33c05d4687..d8a2da9490 100755
--- a/internal/controller/amp/alertmanagerdefinition/zz_controller.go
+++ b/internal/controller/amp/alertmanagerdefinition/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/amp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AlertManagerDefinition managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AlertManagerDefinition_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_prometheus_alert_manager_definition"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AlertManagerDefinition_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AlertManagerDefinition_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/amp/rulegroupnamespace/zz_controller.go b/internal/controller/amp/rulegroupnamespace/zz_controller.go
index f3e1a1fb6c..4a50168335 100755
--- a/internal/controller/amp/rulegroupnamespace/zz_controller.go
+++ b/internal/controller/amp/rulegroupnamespace/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/amp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RuleGroupNamespace managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RuleGroupNamespace_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_prometheus_rule_group_namespace"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RuleGroupNamespace_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RuleGroupNamespace_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/amp/workspace/zz_controller.go b/internal/controller/amp/workspace/zz_controller.go
index 4aa163d51d..20b336aaf8 100755
--- a/internal/controller/amp/workspace/zz_controller.go
+++ b/internal/controller/amp/workspace/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/amp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Workspace managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Workspace_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_prometheus_workspace"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Workspace_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Workspace_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/amplify/app/zz_controller.go b/internal/controller/amplify/app/zz_controller.go
index aac051b8ee..d737a01838 100755
--- a/internal/controller/amplify/app/zz_controller.go
+++ b/internal/controller/amplify/app/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/amplify/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles App managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.App_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_amplify_app"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/amplify/backendenvironment/zz_controller.go b/internal/controller/amplify/backendenvironment/zz_controller.go
index 83b7e485fb..cbf10c9db4 100755
--- a/internal/controller/amplify/backendenvironment/zz_controller.go
+++ b/internal/controller/amplify/backendenvironment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/amplify/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BackendEnvironment managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BackendEnvironment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_amplify_backend_environment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BackendEnvironment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BackendEnvironment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/amplify/branch/zz_controller.go b/internal/controller/amplify/branch/zz_controller.go
index c8bf82a12a..d61f772aea 100755
--- a/internal/controller/amplify/branch/zz_controller.go
+++ b/internal/controller/amplify/branch/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/amplify/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Branch managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Branch_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_amplify_branch"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Branch_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Branch_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/amplify/webhook/zz_controller.go b/internal/controller/amplify/webhook/zz_controller.go
index fea5d42a45..935acbcb11 100755
--- a/internal/controller/amplify/webhook/zz_controller.go
+++ b/internal/controller/amplify/webhook/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/amplify/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Webhook managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Webhook_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_amplify_webhook"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Webhook_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Webhook_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/account/zz_controller.go b/internal/controller/apigateway/account/zz_controller.go
index 535b9e34f4..97ddcb2662 100755
--- a/internal/controller/apigateway/account/zz_controller.go
+++ b/internal/controller/apigateway/account/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Account managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Account_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_account"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/apikey/zz_controller.go b/internal/controller/apigateway/apikey/zz_controller.go
index 4a23c7ca95..ca8de4c927 100755
--- a/internal/controller/apigateway/apikey/zz_controller.go
+++ b/internal/controller/apigateway/apikey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles APIKey managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.APIKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_api_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.APIKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.APIKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/authorizer/zz_controller.go b/internal/controller/apigateway/authorizer/zz_controller.go
index 5fbb02ca0e..aacb84719f 100755
--- a/internal/controller/apigateway/authorizer/zz_controller.go
+++ b/internal/controller/apigateway/authorizer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Authorizer managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Authorizer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_authorizer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Authorizer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Authorizer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/basepathmapping/zz_controller.go b/internal/controller/apigateway/basepathmapping/zz_controller.go
index a4a9384005..49c141767c 100755
--- a/internal/controller/apigateway/basepathmapping/zz_controller.go
+++ b/internal/controller/apigateway/basepathmapping/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BasePathMapping managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BasePathMapping_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_base_path_mapping"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BasePathMapping_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BasePathMapping_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/clientcertificate/zz_controller.go b/internal/controller/apigateway/clientcertificate/zz_controller.go
index 728f7b2cfa..71e34cf153 100755
--- a/internal/controller/apigateway/clientcertificate/zz_controller.go
+++ b/internal/controller/apigateway/clientcertificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClientCertificate managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClientCertificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_client_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClientCertificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClientCertificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/deployment/zz_controller.go b/internal/controller/apigateway/deployment/zz_controller.go
index 78c75174b8..488ca5226d 100755
--- a/internal/controller/apigateway/deployment/zz_controller.go
+++ b/internal/controller/apigateway/deployment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Deployment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_deployment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/documentationpart/zz_controller.go b/internal/controller/apigateway/documentationpart/zz_controller.go
index 9d27c7d9f4..3093f59815 100755
--- a/internal/controller/apigateway/documentationpart/zz_controller.go
+++ b/internal/controller/apigateway/documentationpart/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DocumentationPart managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DocumentationPart_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_documentation_part"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DocumentationPart_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DocumentationPart_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/documentationversion/zz_controller.go b/internal/controller/apigateway/documentationversion/zz_controller.go
index cfff3acbcf..7fa18ad563 100755
--- a/internal/controller/apigateway/documentationversion/zz_controller.go
+++ b/internal/controller/apigateway/documentationversion/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DocumentationVersion managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DocumentationVersion_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_documentation_version"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DocumentationVersion_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DocumentationVersion_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/domainname/zz_controller.go b/internal/controller/apigateway/domainname/zz_controller.go
index c8087a3d7a..ae23e5afce 100755
--- a/internal/controller/apigateway/domainname/zz_controller.go
+++ b/internal/controller/apigateway/domainname/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainName managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainName_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_domain_name"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainName_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainName_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/gatewayresponse/zz_controller.go b/internal/controller/apigateway/gatewayresponse/zz_controller.go
index 60d9eee674..cf27ba718f 100755
--- a/internal/controller/apigateway/gatewayresponse/zz_controller.go
+++ b/internal/controller/apigateway/gatewayresponse/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GatewayResponse managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GatewayResponse_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_gateway_response"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GatewayResponse_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GatewayResponse_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/integration/zz_controller.go b/internal/controller/apigateway/integration/zz_controller.go
index 7bbf7a5ebd..0eb3c688f6 100755
--- a/internal/controller/apigateway/integration/zz_controller.go
+++ b/internal/controller/apigateway/integration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Integration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Integration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_integration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Integration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Integration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/integrationresponse/zz_controller.go b/internal/controller/apigateway/integrationresponse/zz_controller.go
index 672d579271..1879b14946 100755
--- a/internal/controller/apigateway/integrationresponse/zz_controller.go
+++ b/internal/controller/apigateway/integrationresponse/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IntegrationResponse managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IntegrationResponse_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_integration_response"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IntegrationResponse_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IntegrationResponse_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/method/zz_controller.go b/internal/controller/apigateway/method/zz_controller.go
index 9ff06bad86..6ba45bb417 100755
--- a/internal/controller/apigateway/method/zz_controller.go
+++ b/internal/controller/apigateway/method/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Method managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Method_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_method"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Method_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Method_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/methodresponse/zz_controller.go b/internal/controller/apigateway/methodresponse/zz_controller.go
index 9069d799ba..748a7fa426 100755
--- a/internal/controller/apigateway/methodresponse/zz_controller.go
+++ b/internal/controller/apigateway/methodresponse/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MethodResponse managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MethodResponse_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_method_response"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MethodResponse_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MethodResponse_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/methodsettings/zz_controller.go b/internal/controller/apigateway/methodsettings/zz_controller.go
index 1ff509e65e..38d2dbc6f1 100755
--- a/internal/controller/apigateway/methodsettings/zz_controller.go
+++ b/internal/controller/apigateway/methodsettings/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MethodSettings managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MethodSettings_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_method_settings"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MethodSettings_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MethodSettings_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/model/zz_controller.go b/internal/controller/apigateway/model/zz_controller.go
index a24fe1548a..ca25379ad8 100755
--- a/internal/controller/apigateway/model/zz_controller.go
+++ b/internal/controller/apigateway/model/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Model managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Model_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_model"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Model_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Model_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/requestvalidator/zz_controller.go b/internal/controller/apigateway/requestvalidator/zz_controller.go
index a3754ad0fb..911af95131 100755
--- a/internal/controller/apigateway/requestvalidator/zz_controller.go
+++ b/internal/controller/apigateway/requestvalidator/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RequestValidator managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RequestValidator_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_request_validator"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RequestValidator_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RequestValidator_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/resource/zz_controller.go b/internal/controller/apigateway/resource/zz_controller.go
index 94f76190f7..3b2b1ae88c 100755
--- a/internal/controller/apigateway/resource/zz_controller.go
+++ b/internal/controller/apigateway/resource/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Resource managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_resource"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/restapi/zz_controller.go b/internal/controller/apigateway/restapi/zz_controller.go
index 51144db792..f2f6c58361 100755
--- a/internal/controller/apigateway/restapi/zz_controller.go
+++ b/internal/controller/apigateway/restapi/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RestAPI managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RestAPI_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_rest_api"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RestAPI_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RestAPI_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/restapipolicy/zz_controller.go b/internal/controller/apigateway/restapipolicy/zz_controller.go
index 16690beca0..11dc44e26c 100755
--- a/internal/controller/apigateway/restapipolicy/zz_controller.go
+++ b/internal/controller/apigateway/restapipolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RestAPIPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RestAPIPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_rest_api_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RestAPIPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RestAPIPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/stage/zz_controller.go b/internal/controller/apigateway/stage/zz_controller.go
index 7163356079..eace5cb356 100755
--- a/internal/controller/apigateway/stage/zz_controller.go
+++ b/internal/controller/apigateway/stage/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stage managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stage_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_stage"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stage_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stage_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/usageplan/zz_controller.go b/internal/controller/apigateway/usageplan/zz_controller.go
index a56200a814..d967a71bcb 100755
--- a/internal/controller/apigateway/usageplan/zz_controller.go
+++ b/internal/controller/apigateway/usageplan/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UsagePlan managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UsagePlan_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_usage_plan"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UsagePlan_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UsagePlan_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/usageplankey/zz_controller.go b/internal/controller/apigateway/usageplankey/zz_controller.go
index b3d093a2ef..4d84373f04 100755
--- a/internal/controller/apigateway/usageplankey/zz_controller.go
+++ b/internal/controller/apigateway/usageplankey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UsagePlanKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UsagePlanKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_usage_plan_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UsagePlanKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UsagePlanKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigateway/vpclink/zz_controller.go b/internal/controller/apigateway/vpclink/zz_controller.go
index cf7c0538ab..3947448583 100755
--- a/internal/controller/apigateway/vpclink/zz_controller.go
+++ b/internal/controller/apigateway/vpclink/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigateway/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCLink managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCLink_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_api_gateway_vpc_link"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCLink_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCLink_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/api/zz_controller.go b/internal/controller/apigatewayv2/api/zz_controller.go
index 45471d19b3..10c05de8f0 100755
--- a/internal/controller/apigatewayv2/api/zz_controller.go
+++ b/internal/controller/apigatewayv2/api/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles API managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.API_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_api"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.API_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.API_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/apimapping/zz_controller.go b/internal/controller/apigatewayv2/apimapping/zz_controller.go
index acc6ba7b33..c3fbd29293 100755
--- a/internal/controller/apigatewayv2/apimapping/zz_controller.go
+++ b/internal/controller/apigatewayv2/apimapping/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles APIMapping managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.APIMapping_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_api_mapping"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.APIMapping_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.APIMapping_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/authorizer/zz_controller.go b/internal/controller/apigatewayv2/authorizer/zz_controller.go
index 6bd3fcf565..d90477319a 100755
--- a/internal/controller/apigatewayv2/authorizer/zz_controller.go
+++ b/internal/controller/apigatewayv2/authorizer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Authorizer managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Authorizer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_authorizer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Authorizer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Authorizer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/deployment/zz_controller.go b/internal/controller/apigatewayv2/deployment/zz_controller.go
index 2f106ac042..00eb128e61 100755
--- a/internal/controller/apigatewayv2/deployment/zz_controller.go
+++ b/internal/controller/apigatewayv2/deployment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Deployment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_deployment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/domainname/zz_controller.go b/internal/controller/apigatewayv2/domainname/zz_controller.go
index 26bb9c7b9d..4c086c5ef7 100755
--- a/internal/controller/apigatewayv2/domainname/zz_controller.go
+++ b/internal/controller/apigatewayv2/domainname/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainName managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainName_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_domain_name"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainName_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainName_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/integration/zz_controller.go b/internal/controller/apigatewayv2/integration/zz_controller.go
index eff85d438c..6ea7f398a2 100755
--- a/internal/controller/apigatewayv2/integration/zz_controller.go
+++ b/internal/controller/apigatewayv2/integration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Integration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Integration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_integration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Integration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Integration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/integrationresponse/zz_controller.go b/internal/controller/apigatewayv2/integrationresponse/zz_controller.go
index 5fc4cca6c7..fe5b5307cb 100755
--- a/internal/controller/apigatewayv2/integrationresponse/zz_controller.go
+++ b/internal/controller/apigatewayv2/integrationresponse/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IntegrationResponse managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IntegrationResponse_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_integration_response"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IntegrationResponse_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IntegrationResponse_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/model/zz_controller.go b/internal/controller/apigatewayv2/model/zz_controller.go
index c8c87fa4ce..fb23af5e8b 100755
--- a/internal/controller/apigatewayv2/model/zz_controller.go
+++ b/internal/controller/apigatewayv2/model/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Model managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Model_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_model"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Model_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Model_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/route/zz_controller.go b/internal/controller/apigatewayv2/route/zz_controller.go
index 456ea86767..84bf482234 100755
--- a/internal/controller/apigatewayv2/route/zz_controller.go
+++ b/internal/controller/apigatewayv2/route/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Route managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Route_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_route"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Route_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Route_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/routeresponse/zz_controller.go b/internal/controller/apigatewayv2/routeresponse/zz_controller.go
index 1548cd997c..d1b682167e 100755
--- a/internal/controller/apigatewayv2/routeresponse/zz_controller.go
+++ b/internal/controller/apigatewayv2/routeresponse/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RouteResponse managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RouteResponse_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_route_response"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RouteResponse_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RouteResponse_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/stage/zz_controller.go b/internal/controller/apigatewayv2/stage/zz_controller.go
index 28cb3121e3..06e4040100 100755
--- a/internal/controller/apigatewayv2/stage/zz_controller.go
+++ b/internal/controller/apigatewayv2/stage/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stage managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stage_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_stage"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stage_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stage_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apigatewayv2/vpclink/zz_controller.go b/internal/controller/apigatewayv2/vpclink/zz_controller.go
index ccccc80d2d..a99d08cc23 100755
--- a/internal/controller/apigatewayv2/vpclink/zz_controller.go
+++ b/internal/controller/apigatewayv2/vpclink/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apigatewayv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCLink managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCLink_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apigatewayv2_vpc_link"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCLink_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCLink_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appautoscaling/policy/zz_controller.go b/internal/controller/appautoscaling/policy/zz_controller.go
index d5164877b1..bcb26d3355 100755
--- a/internal/controller/appautoscaling/policy/zz_controller.go
+++ b/internal/controller/appautoscaling/policy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appautoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Policy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appautoscaling_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appautoscaling/scheduledaction/zz_controller.go b/internal/controller/appautoscaling/scheduledaction/zz_controller.go
index 17468ab24c..dc36861f3b 100755
--- a/internal/controller/appautoscaling/scheduledaction/zz_controller.go
+++ b/internal/controller/appautoscaling/scheduledaction/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appautoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ScheduledAction managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ScheduledAction_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appautoscaling_scheduled_action"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ScheduledAction_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ScheduledAction_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appautoscaling/target/zz_controller.go b/internal/controller/appautoscaling/target/zz_controller.go
index fd839f6ab3..7033ae710f 100755
--- a/internal/controller/appautoscaling/target/zz_controller.go
+++ b/internal/controller/appautoscaling/target/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appautoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Target managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Target_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appautoscaling_target"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Target_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Target_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/application/zz_controller.go b/internal/controller/appconfig/application/zz_controller.go
index c79721e917..b997fc3b82 100755
--- a/internal/controller/appconfig/application/zz_controller.go
+++ b/internal/controller/appconfig/application/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Application managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Application_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/configurationprofile/zz_controller.go b/internal/controller/appconfig/configurationprofile/zz_controller.go
index 77b67e4ce9..e1f418b8e3 100755
--- a/internal/controller/appconfig/configurationprofile/zz_controller.go
+++ b/internal/controller/appconfig/configurationprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigurationProfile managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigurationProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_configuration_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigurationProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigurationProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/deployment/zz_controller.go b/internal/controller/appconfig/deployment/zz_controller.go
index c0b9ba601c..f56c9b7a60 100755
--- a/internal/controller/appconfig/deployment/zz_controller.go
+++ b/internal/controller/appconfig/deployment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Deployment managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_deployment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Deployment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/deploymentstrategy/zz_controller.go b/internal/controller/appconfig/deploymentstrategy/zz_controller.go
index a53c88d75b..fa40cc09e6 100755
--- a/internal/controller/appconfig/deploymentstrategy/zz_controller.go
+++ b/internal/controller/appconfig/deploymentstrategy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DeploymentStrategy managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DeploymentStrategy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_deployment_strategy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DeploymentStrategy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DeploymentStrategy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/environment/zz_controller.go b/internal/controller/appconfig/environment/zz_controller.go
index 2471f6474f..b8f2126d04 100755
--- a/internal/controller/appconfig/environment/zz_controller.go
+++ b/internal/controller/appconfig/environment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Environment managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Environment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_environment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Environment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Environment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/extension/zz_controller.go b/internal/controller/appconfig/extension/zz_controller.go
index 45ffac7a81..d0c8d31931 100755
--- a/internal/controller/appconfig/extension/zz_controller.go
+++ b/internal/controller/appconfig/extension/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Extension managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Extension_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_extension"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Extension_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Extension_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/extensionassociation/zz_controller.go b/internal/controller/appconfig/extensionassociation/zz_controller.go
index 7561759c22..7ca4b1735f 100755
--- a/internal/controller/appconfig/extensionassociation/zz_controller.go
+++ b/internal/controller/appconfig/extensionassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ExtensionAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ExtensionAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_extension_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ExtensionAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ExtensionAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appconfig/hostedconfigurationversion/zz_controller.go b/internal/controller/appconfig/hostedconfigurationversion/zz_controller.go
index c0091042a6..8524a77ea9 100755
--- a/internal/controller/appconfig/hostedconfigurationversion/zz_controller.go
+++ b/internal/controller/appconfig/hostedconfigurationversion/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedConfigurationVersion managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedConfigurationVersion_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appconfig_hosted_configuration_version"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedConfigurationVersion_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedConfigurationVersion_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appflow/flow/zz_controller.go b/internal/controller/appflow/flow/zz_controller.go
index 303faf0990..bc71c20b21 100755
--- a/internal/controller/appflow/flow/zz_controller.go
+++ b/internal/controller/appflow/flow/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appflow/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Flow managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Flow_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appflow_flow"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Flow_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Flow_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appintegrations/eventintegration/zz_controller.go b/internal/controller/appintegrations/eventintegration/zz_controller.go
index a09eeaa410..48e37a07c2 100755
--- a/internal/controller/appintegrations/eventintegration/zz_controller.go
+++ b/internal/controller/appintegrations/eventintegration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appintegrations/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventIntegration managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventIntegration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appintegrations_event_integration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventIntegration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventIntegration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/applicationinsights/application/zz_controller.go b/internal/controller/applicationinsights/application/zz_controller.go
index 0ea81fe965..e8732eeeda 100755
--- a/internal/controller/applicationinsights/application/zz_controller.go
+++ b/internal/controller/applicationinsights/application/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/applicationinsights/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Application managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Application_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_applicationinsights_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appmesh/gatewayroute/zz_controller.go b/internal/controller/appmesh/gatewayroute/zz_controller.go
index c8d5c926b4..44a85b6db2 100755
--- a/internal/controller/appmesh/gatewayroute/zz_controller.go
+++ b/internal/controller/appmesh/gatewayroute/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appmesh/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GatewayRoute managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GatewayRoute_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appmesh_gateway_route"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GatewayRoute_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GatewayRoute_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appmesh/mesh/zz_controller.go b/internal/controller/appmesh/mesh/zz_controller.go
index b21b8c88a8..bb558d76b1 100755
--- a/internal/controller/appmesh/mesh/zz_controller.go
+++ b/internal/controller/appmesh/mesh/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appmesh/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Mesh managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Mesh_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appmesh_mesh"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Mesh_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Mesh_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appmesh/route/zz_controller.go b/internal/controller/appmesh/route/zz_controller.go
index ea2f5ef4de..003d34e2b7 100755
--- a/internal/controller/appmesh/route/zz_controller.go
+++ b/internal/controller/appmesh/route/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appmesh/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Route managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Route_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appmesh_route"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Route_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Route_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appmesh/virtualgateway/zz_controller.go b/internal/controller/appmesh/virtualgateway/zz_controller.go
index 8c197193a0..788d01b1c1 100755
--- a/internal/controller/appmesh/virtualgateway/zz_controller.go
+++ b/internal/controller/appmesh/virtualgateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appmesh/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VirtualGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VirtualGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appmesh_virtual_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VirtualGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VirtualGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appmesh/virtualnode/zz_controller.go b/internal/controller/appmesh/virtualnode/zz_controller.go
index 68841acee5..1352bbff6f 100755
--- a/internal/controller/appmesh/virtualnode/zz_controller.go
+++ b/internal/controller/appmesh/virtualnode/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appmesh/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VirtualNode managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VirtualNode_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appmesh_virtual_node"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VirtualNode_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VirtualNode_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appmesh/virtualrouter/zz_controller.go b/internal/controller/appmesh/virtualrouter/zz_controller.go
index 7650160ac9..693323d59e 100755
--- a/internal/controller/appmesh/virtualrouter/zz_controller.go
+++ b/internal/controller/appmesh/virtualrouter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appmesh/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VirtualRouter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VirtualRouter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appmesh_virtual_router"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VirtualRouter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VirtualRouter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appmesh/virtualservice/zz_controller.go b/internal/controller/appmesh/virtualservice/zz_controller.go
index 82a0b0becd..2a5db504ff 100755
--- a/internal/controller/appmesh/virtualservice/zz_controller.go
+++ b/internal/controller/appmesh/virtualservice/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appmesh/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VirtualService managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VirtualService_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appmesh_virtual_service"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VirtualService_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VirtualService_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apprunner/autoscalingconfigurationversion/zz_controller.go b/internal/controller/apprunner/autoscalingconfigurationversion/zz_controller.go
index 8d4cd163c7..6c75bf0189 100755
--- a/internal/controller/apprunner/autoscalingconfigurationversion/zz_controller.go
+++ b/internal/controller/apprunner/autoscalingconfigurationversion/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apprunner/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AutoScalingConfigurationVersion managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AutoScalingConfigurationVersion_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apprunner_auto_scaling_configuration_version"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AutoScalingConfigurationVersion_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AutoScalingConfigurationVersion_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apprunner/connection/zz_controller.go b/internal/controller/apprunner/connection/zz_controller.go
index a8a62003bc..09d6a0ada8 100755
--- a/internal/controller/apprunner/connection/zz_controller.go
+++ b/internal/controller/apprunner/connection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apprunner/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Connection managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apprunner_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apprunner/observabilityconfiguration/zz_controller.go b/internal/controller/apprunner/observabilityconfiguration/zz_controller.go
index 5bd83744b2..f0143271bc 100755
--- a/internal/controller/apprunner/observabilityconfiguration/zz_controller.go
+++ b/internal/controller/apprunner/observabilityconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apprunner/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ObservabilityConfiguration managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ObservabilityConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apprunner_observability_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ObservabilityConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ObservabilityConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apprunner/service/zz_controller.go b/internal/controller/apprunner/service/zz_controller.go
index 4ae5f80022..a3c6f5ff02 100755
--- a/internal/controller/apprunner/service/zz_controller.go
+++ b/internal/controller/apprunner/service/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apprunner/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Service managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Service_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apprunner_service"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Service_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Service_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/apprunner/vpcconnector/zz_controller.go b/internal/controller/apprunner/vpcconnector/zz_controller.go
index 22f47f759c..bb6f438784 100755
--- a/internal/controller/apprunner/vpcconnector/zz_controller.go
+++ b/internal/controller/apprunner/vpcconnector/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/apprunner/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCConnector managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCConnector_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_apprunner_vpc_connector"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCConnector_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCConnector_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appstream/directoryconfig/zz_controller.go b/internal/controller/appstream/directoryconfig/zz_controller.go
index 6b086367ba..075c70a538 100755
--- a/internal/controller/appstream/directoryconfig/zz_controller.go
+++ b/internal/controller/appstream/directoryconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appstream/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DirectoryConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DirectoryConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appstream_directory_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DirectoryConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DirectoryConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appstream/fleet/zz_controller.go b/internal/controller/appstream/fleet/zz_controller.go
index 169df280d6..f7185cad7c 100755
--- a/internal/controller/appstream/fleet/zz_controller.go
+++ b/internal/controller/appstream/fleet/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appstream/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Fleet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Fleet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appstream_fleet"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Fleet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Fleet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appstream/fleetstackassociation/zz_controller.go b/internal/controller/appstream/fleetstackassociation/zz_controller.go
index 14fbbb201e..d76ec916fd 100755
--- a/internal/controller/appstream/fleetstackassociation/zz_controller.go
+++ b/internal/controller/appstream/fleetstackassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appstream/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FleetStackAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FleetStackAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appstream_fleet_stack_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FleetStackAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FleetStackAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appstream/imagebuilder/zz_controller.go b/internal/controller/appstream/imagebuilder/zz_controller.go
index d605377ef0..c93fd7d7db 100755
--- a/internal/controller/appstream/imagebuilder/zz_controller.go
+++ b/internal/controller/appstream/imagebuilder/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appstream/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ImageBuilder managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ImageBuilder_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appstream_image_builder"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ImageBuilder_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ImageBuilder_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appstream/stack/zz_controller.go b/internal/controller/appstream/stack/zz_controller.go
index 60fd53c43e..5b5be32149 100755
--- a/internal/controller/appstream/stack/zz_controller.go
+++ b/internal/controller/appstream/stack/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appstream/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stack managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appstream_stack"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appstream/user/zz_controller.go b/internal/controller/appstream/user/zz_controller.go
index 10444af33c..c5bebc8b8e 100755
--- a/internal/controller/appstream/user/zz_controller.go
+++ b/internal/controller/appstream/user/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appstream/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles User managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.User_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appstream_user"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appstream/userstackassociation/zz_controller.go b/internal/controller/appstream/userstackassociation/zz_controller.go
index 92857e9aef..d507701866 100755
--- a/internal/controller/appstream/userstackassociation/zz_controller.go
+++ b/internal/controller/appstream/userstackassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appstream/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserStackAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserStackAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appstream_user_stack_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserStackAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserStackAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appsync/apicache/zz_controller.go b/internal/controller/appsync/apicache/zz_controller.go
index 111fb7c65f..1a76024367 100755
--- a/internal/controller/appsync/apicache/zz_controller.go
+++ b/internal/controller/appsync/apicache/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appsync/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles APICache managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.APICache_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appsync_api_cache"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.APICache_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.APICache_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appsync/apikey/zz_controller.go b/internal/controller/appsync/apikey/zz_controller.go
index eeb739464c..a5c2bd70bb 100755
--- a/internal/controller/appsync/apikey/zz_controller.go
+++ b/internal/controller/appsync/apikey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appsync/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles APIKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.APIKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appsync_api_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.APIKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.APIKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appsync/datasource/zz_controller.go b/internal/controller/appsync/datasource/zz_controller.go
index 96aa46e8dd..e17f2fda53 100755
--- a/internal/controller/appsync/datasource/zz_controller.go
+++ b/internal/controller/appsync/datasource/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appsync/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Datasource managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Datasource_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appsync_datasource"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Datasource_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Datasource_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appsync/function/zz_controller.go b/internal/controller/appsync/function/zz_controller.go
index 1f83912ecc..a95d1bd84f 100755
--- a/internal/controller/appsync/function/zz_controller.go
+++ b/internal/controller/appsync/function/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appsync/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Function managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Function_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appsync_function"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Function_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Function_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appsync/graphqlapi/zz_controller.go b/internal/controller/appsync/graphqlapi/zz_controller.go
index 5586849110..2ef2246b49 100755
--- a/internal/controller/appsync/graphqlapi/zz_controller.go
+++ b/internal/controller/appsync/graphqlapi/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appsync/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GraphQLAPI managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GraphQLAPI_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appsync_graphql_api"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GraphQLAPI_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GraphQLAPI_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/appsync/resolver/zz_controller.go b/internal/controller/appsync/resolver/zz_controller.go
index fa50f32b5a..acfa6fb9cb 100755
--- a/internal/controller/appsync/resolver/zz_controller.go
+++ b/internal/controller/appsync/resolver/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/appsync/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Resolver managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Resolver_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_appsync_resolver"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Resolver_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Resolver_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/athena/database/zz_controller.go b/internal/controller/athena/database/zz_controller.go
index 1a6a8168cb..23ffa40e1b 100755
--- a/internal/controller/athena/database/zz_controller.go
+++ b/internal/controller/athena/database/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/athena/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Database managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Database_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_athena_database"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Database_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Database_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/athena/datacatalog/zz_controller.go b/internal/controller/athena/datacatalog/zz_controller.go
index ffec28d1a0..9aa8d0f81d 100755
--- a/internal/controller/athena/datacatalog/zz_controller.go
+++ b/internal/controller/athena/datacatalog/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/athena/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DataCatalog managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DataCatalog_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_athena_data_catalog"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DataCatalog_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DataCatalog_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/athena/namedquery/zz_controller.go b/internal/controller/athena/namedquery/zz_controller.go
index 461198ea75..e1dbbc1292 100755
--- a/internal/controller/athena/namedquery/zz_controller.go
+++ b/internal/controller/athena/namedquery/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/athena/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NamedQuery managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NamedQuery_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_athena_named_query"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NamedQuery_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NamedQuery_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/athena/workgroup/zz_controller.go b/internal/controller/athena/workgroup/zz_controller.go
index 324ba3de8a..fc72c4f068 100755
--- a/internal/controller/athena/workgroup/zz_controller.go
+++ b/internal/controller/athena/workgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/athena/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Workgroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Workgroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_athena_workgroup"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Workgroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Workgroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/attachment/zz_controller.go b/internal/controller/autoscaling/attachment/zz_controller.go
index bfc38b04d1..485c1f8c54 100755
--- a/internal/controller/autoscaling/attachment/zz_controller.go
+++ b/internal/controller/autoscaling/attachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Attachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Attachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscaling_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Attachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Attachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/autoscalinggroup/zz_controller.go b/internal/controller/autoscaling/autoscalinggroup/zz_controller.go
index d8c3eed9c0..56acceca63 100755
--- a/internal/controller/autoscaling/autoscalinggroup/zz_controller.go
+++ b/internal/controller/autoscaling/autoscalinggroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AutoscalingGroup managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AutoscalingGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscaling_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AutoscalingGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AutoscalingGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/grouptag/zz_controller.go b/internal/controller/autoscaling/grouptag/zz_controller.go
index a06647f0d3..681d5e9b97 100755
--- a/internal/controller/autoscaling/grouptag/zz_controller.go
+++ b/internal/controller/autoscaling/grouptag/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GroupTag managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GroupTag_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscaling_group_tag"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GroupTag_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GroupTag_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/launchconfiguration/zz_controller.go b/internal/controller/autoscaling/launchconfiguration/zz_controller.go
index e133ec6d5d..488a8bcb7b 100755
--- a/internal/controller/autoscaling/launchconfiguration/zz_controller.go
+++ b/internal/controller/autoscaling/launchconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LaunchConfiguration managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LaunchConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_launch_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LaunchConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LaunchConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/lifecyclehook/zz_controller.go b/internal/controller/autoscaling/lifecyclehook/zz_controller.go
index 57f1e6116c..514f155189 100755
--- a/internal/controller/autoscaling/lifecyclehook/zz_controller.go
+++ b/internal/controller/autoscaling/lifecyclehook/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LifecycleHook managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LifecycleHook_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscaling_lifecycle_hook"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LifecycleHook_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LifecycleHook_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/notification/zz_controller.go b/internal/controller/autoscaling/notification/zz_controller.go
index 7e252b712b..1a2445e442 100755
--- a/internal/controller/autoscaling/notification/zz_controller.go
+++ b/internal/controller/autoscaling/notification/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Notification managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Notification_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscaling_notification"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Notification_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Notification_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/policy/zz_controller.go b/internal/controller/autoscaling/policy/zz_controller.go
index d4d885e905..a6ef35c2c7 100755
--- a/internal/controller/autoscaling/policy/zz_controller.go
+++ b/internal/controller/autoscaling/policy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Policy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscaling_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscaling/schedule/zz_controller.go b/internal/controller/autoscaling/schedule/zz_controller.go
index a1c0abeefb..29b8d449be 100755
--- a/internal/controller/autoscaling/schedule/zz_controller.go
+++ b/internal/controller/autoscaling/schedule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscaling/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Schedule managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Schedule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscaling_schedule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Schedule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Schedule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/autoscalingplans/scalingplan/zz_controller.go b/internal/controller/autoscalingplans/scalingplan/zz_controller.go
index 3d02b6002f..bedc70deb4 100755
--- a/internal/controller/autoscalingplans/scalingplan/zz_controller.go
+++ b/internal/controller/autoscalingplans/scalingplan/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/autoscalingplans/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ScalingPlan managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ScalingPlan_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_autoscalingplans_scaling_plan"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ScalingPlan_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ScalingPlan_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/framework/zz_controller.go b/internal/controller/backup/framework/zz_controller.go
index 7c51594595..037cef5580 100755
--- a/internal/controller/backup/framework/zz_controller.go
+++ b/internal/controller/backup/framework/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Framework managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Framework_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_framework"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Framework_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Framework_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/globalsettings/zz_controller.go b/internal/controller/backup/globalsettings/zz_controller.go
index 72cf8d65df..0d3b37648d 100755
--- a/internal/controller/backup/globalsettings/zz_controller.go
+++ b/internal/controller/backup/globalsettings/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GlobalSettings managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GlobalSettings_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_global_settings"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GlobalSettings_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GlobalSettings_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/plan/zz_controller.go b/internal/controller/backup/plan/zz_controller.go
index 9bf38b7dff..2ef6dbc1bb 100755
--- a/internal/controller/backup/plan/zz_controller.go
+++ b/internal/controller/backup/plan/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Plan managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Plan_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_plan"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Plan_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Plan_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/regionsettings/zz_controller.go b/internal/controller/backup/regionsettings/zz_controller.go
index faec2b9330..54b26f12b5 100755
--- a/internal/controller/backup/regionsettings/zz_controller.go
+++ b/internal/controller/backup/regionsettings/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegionSettings managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegionSettings_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_region_settings"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegionSettings_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegionSettings_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/reportplan/zz_controller.go b/internal/controller/backup/reportplan/zz_controller.go
index 2115c9fde9..2cd3ba4f5c 100755
--- a/internal/controller/backup/reportplan/zz_controller.go
+++ b/internal/controller/backup/reportplan/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReportPlan managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReportPlan_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_report_plan"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReportPlan_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReportPlan_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/selection/zz_controller.go b/internal/controller/backup/selection/zz_controller.go
index 43cffd30a0..24032ea1ed 100755
--- a/internal/controller/backup/selection/zz_controller.go
+++ b/internal/controller/backup/selection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Selection managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Selection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_selection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Selection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Selection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/vault/zz_controller.go b/internal/controller/backup/vault/zz_controller.go
index bf3b447a67..59d4825255 100755
--- a/internal/controller/backup/vault/zz_controller.go
+++ b/internal/controller/backup/vault/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Vault managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Vault_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_vault"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Vault_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Vault_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/vaultlockconfiguration/zz_controller.go b/internal/controller/backup/vaultlockconfiguration/zz_controller.go
index 24cc630459..0c0d1a3e1d 100755
--- a/internal/controller/backup/vaultlockconfiguration/zz_controller.go
+++ b/internal/controller/backup/vaultlockconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VaultLockConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VaultLockConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_vault_lock_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VaultLockConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VaultLockConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/vaultnotifications/zz_controller.go b/internal/controller/backup/vaultnotifications/zz_controller.go
index 38859b1ac9..42d94fe795 100755
--- a/internal/controller/backup/vaultnotifications/zz_controller.go
+++ b/internal/controller/backup/vaultnotifications/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VaultNotifications managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VaultNotifications_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_vault_notifications"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VaultNotifications_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VaultNotifications_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/backup/vaultpolicy/zz_controller.go b/internal/controller/backup/vaultpolicy/zz_controller.go
index d20c7baf32..73440b5f5f 100755
--- a/internal/controller/backup/vaultpolicy/zz_controller.go
+++ b/internal/controller/backup/vaultpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/backup/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VaultPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VaultPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_backup_vault_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VaultPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VaultPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/batch/schedulingpolicy/zz_controller.go b/internal/controller/batch/schedulingpolicy/zz_controller.go
index 96023de9f2..064cc5c75d 100755
--- a/internal/controller/batch/schedulingpolicy/zz_controller.go
+++ b/internal/controller/batch/schedulingpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/batch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SchedulingPolicy managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SchedulingPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_batch_scheduling_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SchedulingPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SchedulingPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/budgets/budget/zz_controller.go b/internal/controller/budgets/budget/zz_controller.go
index 4f0251df8e..241abb2879 100755
--- a/internal/controller/budgets/budget/zz_controller.go
+++ b/internal/controller/budgets/budget/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/budgets/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Budget managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Budget_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_budgets_budget"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Budget_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Budget_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/budgets/budgetaction/zz_controller.go b/internal/controller/budgets/budgetaction/zz_controller.go
index a427258a9b..94414fc6c9 100755
--- a/internal/controller/budgets/budgetaction/zz_controller.go
+++ b/internal/controller/budgets/budgetaction/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/budgets/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BudgetAction managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BudgetAction_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_budgets_budget_action"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BudgetAction_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BudgetAction_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ce/anomalymonitor/zz_controller.go b/internal/controller/ce/anomalymonitor/zz_controller.go
index e13775dbe5..5ce175f227 100755
--- a/internal/controller/ce/anomalymonitor/zz_controller.go
+++ b/internal/controller/ce/anomalymonitor/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ce/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AnomalyMonitor managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AnomalyMonitor_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ce_anomaly_monitor"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AnomalyMonitor_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AnomalyMonitor_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/chime/voiceconnector/zz_controller.go b/internal/controller/chime/voiceconnector/zz_controller.go
index b622c47c98..2160589d1e 100755
--- a/internal/controller/chime/voiceconnector/zz_controller.go
+++ b/internal/controller/chime/voiceconnector/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/chime/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VoiceConnector managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VoiceConnector_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_chime_voice_connector"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VoiceConnector_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VoiceConnector_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/chime/voiceconnectorgroup/zz_controller.go b/internal/controller/chime/voiceconnectorgroup/zz_controller.go
index 472e489a34..328e24c5ab 100755
--- a/internal/controller/chime/voiceconnectorgroup/zz_controller.go
+++ b/internal/controller/chime/voiceconnectorgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/chime/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VoiceConnectorGroup managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VoiceConnectorGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_chime_voice_connector_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/chime/voiceconnectorlogging/zz_controller.go b/internal/controller/chime/voiceconnectorlogging/zz_controller.go
index 010570c48b..36ee5991db 100755
--- a/internal/controller/chime/voiceconnectorlogging/zz_controller.go
+++ b/internal/controller/chime/voiceconnectorlogging/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/chime/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VoiceConnectorLogging managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VoiceConnectorLogging_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_chime_voice_connector_logging"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorLogging_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorLogging_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/chime/voiceconnectororigination/zz_controller.go b/internal/controller/chime/voiceconnectororigination/zz_controller.go
index 26843a49f8..2fc1272cec 100755
--- a/internal/controller/chime/voiceconnectororigination/zz_controller.go
+++ b/internal/controller/chime/voiceconnectororigination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/chime/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VoiceConnectorOrigination managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VoiceConnectorOrigination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_chime_voice_connector_origination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorOrigination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorOrigination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/chime/voiceconnectorstreaming/zz_controller.go b/internal/controller/chime/voiceconnectorstreaming/zz_controller.go
index 60afd356b1..de988243f7 100755
--- a/internal/controller/chime/voiceconnectorstreaming/zz_controller.go
+++ b/internal/controller/chime/voiceconnectorstreaming/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/chime/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VoiceConnectorStreaming managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VoiceConnectorStreaming_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_chime_voice_connector_streaming"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorStreaming_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorStreaming_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/chime/voiceconnectortermination/zz_controller.go b/internal/controller/chime/voiceconnectortermination/zz_controller.go
index c1c6594b42..c610aeb3d7 100755
--- a/internal/controller/chime/voiceconnectortermination/zz_controller.go
+++ b/internal/controller/chime/voiceconnectortermination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/chime/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VoiceConnectorTermination managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VoiceConnectorTermination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_chime_voice_connector_termination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorTermination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorTermination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/chime/voiceconnectorterminationcredentials/zz_controller.go b/internal/controller/chime/voiceconnectorterminationcredentials/zz_controller.go
index 51f9fbe3ff..e39228f762 100755
--- a/internal/controller/chime/voiceconnectorterminationcredentials/zz_controller.go
+++ b/internal/controller/chime/voiceconnectorterminationcredentials/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/chime/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VoiceConnectorTerminationCredentials managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VoiceConnectorTerminationCredentials_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_chime_voice_connector_termination_credentials"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorTerminationCredentials_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VoiceConnectorTerminationCredentials_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloud9/environmentec2/zz_controller.go b/internal/controller/cloud9/environmentec2/zz_controller.go
index 8118646d3d..04287053ed 100755
--- a/internal/controller/cloud9/environmentec2/zz_controller.go
+++ b/internal/controller/cloud9/environmentec2/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloud9/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EnvironmentEC2 managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EnvironmentEC2_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloud9_environment_ec2"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EnvironmentEC2_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EnvironmentEC2_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloud9/environmentmembership/zz_controller.go b/internal/controller/cloud9/environmentmembership/zz_controller.go
index 7399e5caaf..5d519ec6be 100755
--- a/internal/controller/cloud9/environmentmembership/zz_controller.go
+++ b/internal/controller/cloud9/environmentmembership/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloud9/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EnvironmentMembership managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EnvironmentMembership_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloud9_environment_membership"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EnvironmentMembership_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EnvironmentMembership_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudcontrol/resource/zz_controller.go b/internal/controller/cloudcontrol/resource/zz_controller.go
index 83a1af2c8b..d34919025b 100755
--- a/internal/controller/cloudcontrol/resource/zz_controller.go
+++ b/internal/controller/cloudcontrol/resource/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudcontrol/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Resource managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudcontrolapi_resource"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudformation/stack/zz_controller.go b/internal/controller/cloudformation/stack/zz_controller.go
index 247272706b..137ad037ab 100755
--- a/internal/controller/cloudformation/stack/zz_controller.go
+++ b/internal/controller/cloudformation/stack/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudformation/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stack managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudformation_stack"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudformation/stackset/zz_controller.go b/internal/controller/cloudformation/stackset/zz_controller.go
index 0244bd7535..957397da12 100755
--- a/internal/controller/cloudformation/stackset/zz_controller.go
+++ b/internal/controller/cloudformation/stackset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudformation/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StackSet managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StackSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudformation_stack_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StackSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StackSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/cachepolicy/zz_controller.go b/internal/controller/cloudfront/cachepolicy/zz_controller.go
index c81f563c6c..bf87bbfb67 100755
--- a/internal/controller/cloudfront/cachepolicy/zz_controller.go
+++ b/internal/controller/cloudfront/cachepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CachePolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CachePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_cache_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CachePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CachePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/distribution/zz_controller.go b/internal/controller/cloudfront/distribution/zz_controller.go
index 142971833a..62e858ef1f 100755
--- a/internal/controller/cloudfront/distribution/zz_controller.go
+++ b/internal/controller/cloudfront/distribution/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Distribution managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Distribution_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_distribution"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Distribution_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Distribution_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/fieldlevelencryptionconfig/zz_controller.go b/internal/controller/cloudfront/fieldlevelencryptionconfig/zz_controller.go
index 2a1c5249a0..2fd453c0f6 100755
--- a/internal/controller/cloudfront/fieldlevelencryptionconfig/zz_controller.go
+++ b/internal/controller/cloudfront/fieldlevelencryptionconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FieldLevelEncryptionConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FieldLevelEncryptionConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_field_level_encryption_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FieldLevelEncryptionConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FieldLevelEncryptionConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/fieldlevelencryptionprofile/zz_controller.go b/internal/controller/cloudfront/fieldlevelencryptionprofile/zz_controller.go
index 219de95bf6..5201138d2e 100755
--- a/internal/controller/cloudfront/fieldlevelencryptionprofile/zz_controller.go
+++ b/internal/controller/cloudfront/fieldlevelencryptionprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FieldLevelEncryptionProfile managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FieldLevelEncryptionProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_field_level_encryption_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FieldLevelEncryptionProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FieldLevelEncryptionProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/function/zz_controller.go b/internal/controller/cloudfront/function/zz_controller.go
index 4b4c72830d..4296cf22fd 100755
--- a/internal/controller/cloudfront/function/zz_controller.go
+++ b/internal/controller/cloudfront/function/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Function managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Function_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_function"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Function_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Function_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/keygroup/zz_controller.go b/internal/controller/cloudfront/keygroup/zz_controller.go
index 560ab21953..7a6205bd73 100755
--- a/internal/controller/cloudfront/keygroup/zz_controller.go
+++ b/internal/controller/cloudfront/keygroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles KeyGroup managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.KeyGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_key_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.KeyGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.KeyGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/monitoringsubscription/zz_controller.go b/internal/controller/cloudfront/monitoringsubscription/zz_controller.go
index 0e4cced223..f0c70777b7 100755
--- a/internal/controller/cloudfront/monitoringsubscription/zz_controller.go
+++ b/internal/controller/cloudfront/monitoringsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MonitoringSubscription managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MonitoringSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_monitoring_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MonitoringSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MonitoringSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/originaccesscontrol/zz_controller.go b/internal/controller/cloudfront/originaccesscontrol/zz_controller.go
index 869fbec6ff..a81243b7ef 100755
--- a/internal/controller/cloudfront/originaccesscontrol/zz_controller.go
+++ b/internal/controller/cloudfront/originaccesscontrol/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OriginAccessControl managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OriginAccessControl_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_origin_access_control"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OriginAccessControl_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OriginAccessControl_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/originaccessidentity/zz_controller.go b/internal/controller/cloudfront/originaccessidentity/zz_controller.go
index 66a0679465..f2ed568df6 100755
--- a/internal/controller/cloudfront/originaccessidentity/zz_controller.go
+++ b/internal/controller/cloudfront/originaccessidentity/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OriginAccessIdentity managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OriginAccessIdentity_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_origin_access_identity"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OriginAccessIdentity_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OriginAccessIdentity_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/originrequestpolicy/zz_controller.go b/internal/controller/cloudfront/originrequestpolicy/zz_controller.go
index 4830c61d3b..5475bde285 100755
--- a/internal/controller/cloudfront/originrequestpolicy/zz_controller.go
+++ b/internal/controller/cloudfront/originrequestpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OriginRequestPolicy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OriginRequestPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_origin_request_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OriginRequestPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OriginRequestPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/publickey/zz_controller.go b/internal/controller/cloudfront/publickey/zz_controller.go
index 06c8b112e8..a78c25ca23 100755
--- a/internal/controller/cloudfront/publickey/zz_controller.go
+++ b/internal/controller/cloudfront/publickey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PublicKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PublicKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_public_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PublicKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PublicKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/realtimelogconfig/zz_controller.go b/internal/controller/cloudfront/realtimelogconfig/zz_controller.go
index 6fab6bae73..a05b79f43e 100755
--- a/internal/controller/cloudfront/realtimelogconfig/zz_controller.go
+++ b/internal/controller/cloudfront/realtimelogconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RealtimeLogConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RealtimeLogConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_realtime_log_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RealtimeLogConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RealtimeLogConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudfront/responseheaderspolicy/zz_controller.go b/internal/controller/cloudfront/responseheaderspolicy/zz_controller.go
index bcfa7048cd..218a7cc8a6 100755
--- a/internal/controller/cloudfront/responseheaderspolicy/zz_controller.go
+++ b/internal/controller/cloudfront/responseheaderspolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudfront/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResponseHeadersPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResponseHeadersPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudfront_response_headers_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResponseHeadersPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResponseHeadersPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudsearch/domain/zz_controller.go b/internal/controller/cloudsearch/domain/zz_controller.go
index 4b16be11ca..af25cfd5e3 100755
--- a/internal/controller/cloudsearch/domain/zz_controller.go
+++ b/internal/controller/cloudsearch/domain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudsearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Domain managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudsearch_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudsearch/domainserviceaccesspolicy/zz_controller.go b/internal/controller/cloudsearch/domainserviceaccesspolicy/zz_controller.go
index 8c46d33649..2a18d6bbc0 100755
--- a/internal/controller/cloudsearch/domainserviceaccesspolicy/zz_controller.go
+++ b/internal/controller/cloudsearch/domainserviceaccesspolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudsearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainServiceAccessPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainServiceAccessPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudsearch_domain_service_access_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainServiceAccessPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainServiceAccessPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudtrail/eventdatastore/zz_controller.go b/internal/controller/cloudtrail/eventdatastore/zz_controller.go
index cad46bb7ac..e4e4e13890 100755
--- a/internal/controller/cloudtrail/eventdatastore/zz_controller.go
+++ b/internal/controller/cloudtrail/eventdatastore/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudtrail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventDataStore managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventDataStore_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudtrail_event_data_store"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventDataStore_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventDataStore_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudtrail/trail/zz_controller.go b/internal/controller/cloudtrail/trail/zz_controller.go
index 370d4884be..c6f86d1e2b 100755
--- a/internal/controller/cloudtrail/trail/zz_controller.go
+++ b/internal/controller/cloudtrail/trail/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudtrail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Trail managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Trail_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudtrail"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Trail_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Trail_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatch/compositealarm/zz_controller.go b/internal/controller/cloudwatch/compositealarm/zz_controller.go
index 1f4dacb91d..07d3b82375 100755
--- a/internal/controller/cloudwatch/compositealarm/zz_controller.go
+++ b/internal/controller/cloudwatch/compositealarm/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CompositeAlarm managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CompositeAlarm_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_composite_alarm"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CompositeAlarm_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CompositeAlarm_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatch/dashboard/zz_controller.go b/internal/controller/cloudwatch/dashboard/zz_controller.go
index 2008c91126..5f5a6f7450 100755
--- a/internal/controller/cloudwatch/dashboard/zz_controller.go
+++ b/internal/controller/cloudwatch/dashboard/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Dashboard managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Dashboard_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_dashboard"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Dashboard_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Dashboard_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatch/metricalarm/zz_controller.go b/internal/controller/cloudwatch/metricalarm/zz_controller.go
index 7c7803717a..c8311a8e4c 100755
--- a/internal/controller/cloudwatch/metricalarm/zz_controller.go
+++ b/internal/controller/cloudwatch/metricalarm/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MetricAlarm managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MetricAlarm_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_metric_alarm"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MetricAlarm_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MetricAlarm_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatch/metricstream/zz_controller.go b/internal/controller/cloudwatch/metricstream/zz_controller.go
index f864e8f2e7..6753d7ca19 100755
--- a/internal/controller/cloudwatch/metricstream/zz_controller.go
+++ b/internal/controller/cloudwatch/metricstream/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MetricStream managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MetricStream_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_metric_stream"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MetricStream_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MetricStream_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/apidestination/zz_controller.go b/internal/controller/cloudwatchevents/apidestination/zz_controller.go
index 01e1baa719..ca26e1db2c 100755
--- a/internal/controller/cloudwatchevents/apidestination/zz_controller.go
+++ b/internal/controller/cloudwatchevents/apidestination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles APIDestination managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.APIDestination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_api_destination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.APIDestination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.APIDestination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/archive/zz_controller.go b/internal/controller/cloudwatchevents/archive/zz_controller.go
index be4dbefeac..fc407f846f 100755
--- a/internal/controller/cloudwatchevents/archive/zz_controller.go
+++ b/internal/controller/cloudwatchevents/archive/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Archive managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Archive_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_archive"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Archive_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Archive_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/bus/zz_controller.go b/internal/controller/cloudwatchevents/bus/zz_controller.go
index 109369d1e5..6f21876290 100755
--- a/internal/controller/cloudwatchevents/bus/zz_controller.go
+++ b/internal/controller/cloudwatchevents/bus/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Bus managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Bus_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_bus"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Bus_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Bus_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/buspolicy/zz_controller.go b/internal/controller/cloudwatchevents/buspolicy/zz_controller.go
index 93c86237e8..ec1d77ff6f 100755
--- a/internal/controller/cloudwatchevents/buspolicy/zz_controller.go
+++ b/internal/controller/cloudwatchevents/buspolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BusPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BusPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_bus_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BusPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BusPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/connection/zz_controller.go b/internal/controller/cloudwatchevents/connection/zz_controller.go
index 5896a9b8cf..23d60790b4 100755
--- a/internal/controller/cloudwatchevents/connection/zz_controller.go
+++ b/internal/controller/cloudwatchevents/connection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Connection managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/permission/zz_controller.go b/internal/controller/cloudwatchevents/permission/zz_controller.go
index 9622249d1f..379460cacb 100755
--- a/internal/controller/cloudwatchevents/permission/zz_controller.go
+++ b/internal/controller/cloudwatchevents/permission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Permission managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/rule/zz_controller.go b/internal/controller/cloudwatchevents/rule/zz_controller.go
index 6033be9c13..92f39882e4 100755
--- a/internal/controller/cloudwatchevents/rule/zz_controller.go
+++ b/internal/controller/cloudwatchevents/rule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Rule managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchevents/target/zz_controller.go b/internal/controller/cloudwatchevents/target/zz_controller.go
index 3a62b0f743..1dba88ece4 100755
--- a/internal/controller/cloudwatchevents/target/zz_controller.go
+++ b/internal/controller/cloudwatchevents/target/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchevents/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Target managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Target_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_event_target"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Target_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Target_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/definition/zz_controller.go b/internal/controller/cloudwatchlogs/definition/zz_controller.go
index 8db32be10b..54d757a5d6 100755
--- a/internal/controller/cloudwatchlogs/definition/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/definition/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Definition managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Definition_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_query_definition"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Definition_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Definition_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/destination/zz_controller.go b/internal/controller/cloudwatchlogs/destination/zz_controller.go
index 5e4dc3191a..d45a80a179 100755
--- a/internal/controller/cloudwatchlogs/destination/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/destination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Destination managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Destination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_log_destination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Destination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Destination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/destinationpolicy/zz_controller.go b/internal/controller/cloudwatchlogs/destinationpolicy/zz_controller.go
index bae3c76c41..530e746c36 100755
--- a/internal/controller/cloudwatchlogs/destinationpolicy/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/destinationpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DestinationPolicy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DestinationPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_log_destination_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DestinationPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DestinationPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/group/zz_controller.go b/internal/controller/cloudwatchlogs/group/zz_controller.go
index 809afee77c..0127a73e23 100755
--- a/internal/controller/cloudwatchlogs/group/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/group/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Group managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Group_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_log_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/metricfilter/zz_controller.go b/internal/controller/cloudwatchlogs/metricfilter/zz_controller.go
index 8181aa2a95..8e316d1858 100755
--- a/internal/controller/cloudwatchlogs/metricfilter/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/metricfilter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MetricFilter managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MetricFilter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_log_metric_filter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MetricFilter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MetricFilter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/resourcepolicy/zz_controller.go b/internal/controller/cloudwatchlogs/resourcepolicy/zz_controller.go
index b61ea947cb..a1169728e2 100755
--- a/internal/controller/cloudwatchlogs/resourcepolicy/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/resourcepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourcePolicy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_log_resource_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/stream/zz_controller.go b/internal/controller/cloudwatchlogs/stream/zz_controller.go
index 547cceeb9d..443b448394 100755
--- a/internal/controller/cloudwatchlogs/stream/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/stream/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stream managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_log_stream"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cloudwatchlogs/subscriptionfilter/zz_controller.go b/internal/controller/cloudwatchlogs/subscriptionfilter/zz_controller.go
index 5e1b934ba2..dd572c9923 100755
--- a/internal/controller/cloudwatchlogs/subscriptionfilter/zz_controller.go
+++ b/internal/controller/cloudwatchlogs/subscriptionfilter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cloudwatchlogs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubscriptionFilter managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubscriptionFilter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cloudwatch_log_subscription_filter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubscriptionFilter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubscriptionFilter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codecommit/approvalruletemplate/zz_controller.go b/internal/controller/codecommit/approvalruletemplate/zz_controller.go
index 6a46a8e953..09dba47dd5 100755
--- a/internal/controller/codecommit/approvalruletemplate/zz_controller.go
+++ b/internal/controller/codecommit/approvalruletemplate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codecommit/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ApprovalRuleTemplate managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ApprovalRuleTemplate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codecommit_approval_rule_template"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ApprovalRuleTemplate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ApprovalRuleTemplate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codecommit/approvalruletemplateassociation/zz_controller.go b/internal/controller/codecommit/approvalruletemplateassociation/zz_controller.go
index 11acad23d4..a2b4271d84 100755
--- a/internal/controller/codecommit/approvalruletemplateassociation/zz_controller.go
+++ b/internal/controller/codecommit/approvalruletemplateassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codecommit/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ApprovalRuleTemplateAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ApprovalRuleTemplateAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codecommit_approval_rule_template_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ApprovalRuleTemplateAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ApprovalRuleTemplateAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codecommit/repository/zz_controller.go b/internal/controller/codecommit/repository/zz_controller.go
index a2003fe308..41f70056a4 100755
--- a/internal/controller/codecommit/repository/zz_controller.go
+++ b/internal/controller/codecommit/repository/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codecommit/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Repository managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codecommit_repository"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codecommit/trigger/zz_controller.go b/internal/controller/codecommit/trigger/zz_controller.go
index 2839c6c2b8..3d113036a3 100755
--- a/internal/controller/codecommit/trigger/zz_controller.go
+++ b/internal/controller/codecommit/trigger/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codecommit/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Trigger managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Trigger_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codecommit_trigger"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Trigger_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Trigger_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codepipeline/codepipeline/zz_controller.go b/internal/controller/codepipeline/codepipeline/zz_controller.go
index bf4a1e7f45..2db9f6148f 100755
--- a/internal/controller/codepipeline/codepipeline/zz_controller.go
+++ b/internal/controller/codepipeline/codepipeline/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codepipeline/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Codepipeline managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Codepipeline_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codepipeline"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Codepipeline_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Codepipeline_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codepipeline/customactiontype/zz_controller.go b/internal/controller/codepipeline/customactiontype/zz_controller.go
index 93fb473601..6abcb5b755 100755
--- a/internal/controller/codepipeline/customactiontype/zz_controller.go
+++ b/internal/controller/codepipeline/customactiontype/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codepipeline/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CustomActionType managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CustomActionType_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codepipeline_custom_action_type"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CustomActionType_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CustomActionType_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codepipeline/webhook/zz_controller.go b/internal/controller/codepipeline/webhook/zz_controller.go
index 63ad780abd..130e708ea5 100755
--- a/internal/controller/codepipeline/webhook/zz_controller.go
+++ b/internal/controller/codepipeline/webhook/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codepipeline/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Webhook managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Webhook_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codepipeline_webhook"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Webhook_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Webhook_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codestarconnections/connection/zz_controller.go b/internal/controller/codestarconnections/connection/zz_controller.go
index adbb25ac86..b6f7dc97dc 100755
--- a/internal/controller/codestarconnections/connection/zz_controller.go
+++ b/internal/controller/codestarconnections/connection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codestarconnections/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Connection managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codestarconnections_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codestarconnections/host/zz_controller.go b/internal/controller/codestarconnections/host/zz_controller.go
index fa3fff9c02..cbc3385a22 100755
--- a/internal/controller/codestarconnections/host/zz_controller.go
+++ b/internal/controller/codestarconnections/host/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codestarconnections/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Host managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Host_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codestarconnections_host"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Host_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Host_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/codestarnotifications/notificationrule/zz_controller.go b/internal/controller/codestarnotifications/notificationrule/zz_controller.go
index cb6e5d47dc..65f04132c4 100755
--- a/internal/controller/codestarnotifications/notificationrule/zz_controller.go
+++ b/internal/controller/codestarnotifications/notificationrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/codestarnotifications/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NotificationRule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NotificationRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codestarnotifications_notification_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NotificationRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NotificationRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidentity/cognitoidentitypoolproviderprincipaltag/zz_controller.go b/internal/controller/cognitoidentity/cognitoidentitypoolproviderprincipaltag/zz_controller.go
index 5749dee270..a0d0773dec 100755
--- a/internal/controller/cognitoidentity/cognitoidentitypoolproviderprincipaltag/zz_controller.go
+++ b/internal/controller/cognitoidentity/cognitoidentitypoolproviderprincipaltag/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidentity/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CognitoIdentityPoolProviderPrincipalTag managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CognitoIdentityPoolProviderPrincipalTag_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_identity_pool_provider_principal_tag"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CognitoIdentityPoolProviderPrincipalTag_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CognitoIdentityPoolProviderPrincipalTag_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidentity/pool/zz_controller.go b/internal/controller/cognitoidentity/pool/zz_controller.go
index 3e241c699c..275b19469f 100755
--- a/internal/controller/cognitoidentity/pool/zz_controller.go
+++ b/internal/controller/cognitoidentity/pool/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidentity/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Pool managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Pool_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_identity_pool"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Pool_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Pool_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidentity/poolrolesattachment/zz_controller.go b/internal/controller/cognitoidentity/poolrolesattachment/zz_controller.go
index aae87cc425..c48ce0c838 100755
--- a/internal/controller/cognitoidentity/poolrolesattachment/zz_controller.go
+++ b/internal/controller/cognitoidentity/poolrolesattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidentity/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PoolRolesAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PoolRolesAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_identity_pool_roles_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PoolRolesAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PoolRolesAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/identityprovider/zz_controller.go b/internal/controller/cognitoidp/identityprovider/zz_controller.go
index 73f2e2ffa0..809b049e03 100755
--- a/internal/controller/cognitoidp/identityprovider/zz_controller.go
+++ b/internal/controller/cognitoidp/identityprovider/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IdentityProvider managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IdentityProvider_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_identity_provider"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IdentityProvider_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IdentityProvider_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/resourceserver/zz_controller.go b/internal/controller/cognitoidp/resourceserver/zz_controller.go
index 70427aeed7..390303887d 100755
--- a/internal/controller/cognitoidp/resourceserver/zz_controller.go
+++ b/internal/controller/cognitoidp/resourceserver/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourceServer managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourceServer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_resource_server"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourceServer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourceServer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/riskconfiguration/zz_controller.go b/internal/controller/cognitoidp/riskconfiguration/zz_controller.go
index c2c4ba0053..c4a64f26e4 100755
--- a/internal/controller/cognitoidp/riskconfiguration/zz_controller.go
+++ b/internal/controller/cognitoidp/riskconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RiskConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RiskConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_risk_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RiskConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RiskConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/user/zz_controller.go b/internal/controller/cognitoidp/user/zz_controller.go
index c12313cd16..c64fe74b7b 100755
--- a/internal/controller/cognitoidp/user/zz_controller.go
+++ b/internal/controller/cognitoidp/user/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles User managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.User_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_user"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/usergroup/zz_controller.go b/internal/controller/cognitoidp/usergroup/zz_controller.go
index 6ae1ed4209..6b4a062003 100755
--- a/internal/controller/cognitoidp/usergroup/zz_controller.go
+++ b/internal/controller/cognitoidp/usergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserGroup managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_user_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/useringroup/zz_controller.go b/internal/controller/cognitoidp/useringroup/zz_controller.go
index 2420055e04..c97a29bc0f 100755
--- a/internal/controller/cognitoidp/useringroup/zz_controller.go
+++ b/internal/controller/cognitoidp/useringroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserInGroup managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserInGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_user_in_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserInGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserInGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/userpool/zz_controller.go b/internal/controller/cognitoidp/userpool/zz_controller.go
index cc082e2560..b9450e242d 100755
--- a/internal/controller/cognitoidp/userpool/zz_controller.go
+++ b/internal/controller/cognitoidp/userpool/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserPool managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserPool_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_user_pool"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserPool_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserPool_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/userpoolclient/zz_controller.go b/internal/controller/cognitoidp/userpoolclient/zz_controller.go
index 8a083c07e7..b0b2cc9bce 100755
--- a/internal/controller/cognitoidp/userpoolclient/zz_controller.go
+++ b/internal/controller/cognitoidp/userpoolclient/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserPoolClient managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserPoolClient_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_user_pool_client"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserPoolClient_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserPoolClient_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/userpooldomain/zz_controller.go b/internal/controller/cognitoidp/userpooldomain/zz_controller.go
index 08ee70089d..ea7db0a91f 100755
--- a/internal/controller/cognitoidp/userpooldomain/zz_controller.go
+++ b/internal/controller/cognitoidp/userpooldomain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserPoolDomain managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserPoolDomain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_user_pool_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserPoolDomain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserPoolDomain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cognitoidp/userpooluicustomization/zz_controller.go b/internal/controller/cognitoidp/userpooluicustomization/zz_controller.go
index 423aa24eea..aa1766717e 100755
--- a/internal/controller/cognitoidp/userpooluicustomization/zz_controller.go
+++ b/internal/controller/cognitoidp/userpooluicustomization/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cognitoidp/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserPoolUICustomization managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserPoolUICustomization_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cognito_user_pool_ui_customization"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserPoolUICustomization_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserPoolUICustomization_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/configservice/awsconfigurationrecorderstatus/zz_controller.go b/internal/controller/configservice/awsconfigurationrecorderstatus/zz_controller.go
index 196472a013..17159a1705 100755
--- a/internal/controller/configservice/awsconfigurationrecorderstatus/zz_controller.go
+++ b/internal/controller/configservice/awsconfigurationrecorderstatus/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/configservice/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AWSConfigurationRecorderStatus managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AWSConfigurationRecorderStatus_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_config_configuration_recorder_status"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AWSConfigurationRecorderStatus_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AWSConfigurationRecorderStatus_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/configservice/configrule/zz_controller.go b/internal/controller/configservice/configrule/zz_controller.go
index 1c6ea0bf31..2a2b9cfef2 100755
--- a/internal/controller/configservice/configrule/zz_controller.go
+++ b/internal/controller/configservice/configrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/configservice/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigRule managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_config_config_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/configservice/configurationaggregator/zz_controller.go b/internal/controller/configservice/configurationaggregator/zz_controller.go
index 1e81650342..caa2f46377 100755
--- a/internal/controller/configservice/configurationaggregator/zz_controller.go
+++ b/internal/controller/configservice/configurationaggregator/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/configservice/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigurationAggregator managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigurationAggregator_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_config_configuration_aggregator"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigurationAggregator_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigurationAggregator_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/configservice/configurationrecorder/zz_controller.go b/internal/controller/configservice/configurationrecorder/zz_controller.go
index 96cfba36c4..c002c39311 100755
--- a/internal/controller/configservice/configurationrecorder/zz_controller.go
+++ b/internal/controller/configservice/configurationrecorder/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/configservice/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigurationRecorder managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigurationRecorder_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_config_configuration_recorder"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigurationRecorder_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigurationRecorder_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/configservice/conformancepack/zz_controller.go b/internal/controller/configservice/conformancepack/zz_controller.go
index 088250028f..566226e07e 100755
--- a/internal/controller/configservice/conformancepack/zz_controller.go
+++ b/internal/controller/configservice/conformancepack/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/configservice/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConformancePack managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConformancePack_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_config_conformance_pack"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConformancePack_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConformancePack_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/configservice/deliverychannel/zz_controller.go b/internal/controller/configservice/deliverychannel/zz_controller.go
index e591b24cde..6abc5850a2 100755
--- a/internal/controller/configservice/deliverychannel/zz_controller.go
+++ b/internal/controller/configservice/deliverychannel/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/configservice/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DeliveryChannel managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DeliveryChannel_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_config_delivery_channel"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DeliveryChannel_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DeliveryChannel_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/configservice/remediationconfiguration/zz_controller.go b/internal/controller/configservice/remediationconfiguration/zz_controller.go
index 1663119301..d78fe263b0 100755
--- a/internal/controller/configservice/remediationconfiguration/zz_controller.go
+++ b/internal/controller/configservice/remediationconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/configservice/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RemediationConfiguration managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RemediationConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_config_remediation_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RemediationConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RemediationConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/botassociation/zz_controller.go b/internal/controller/connect/botassociation/zz_controller.go
index e9d9e95c61..5e6ffe1a58 100755
--- a/internal/controller/connect/botassociation/zz_controller.go
+++ b/internal/controller/connect/botassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BotAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BotAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_bot_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BotAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BotAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/contactflow/zz_controller.go b/internal/controller/connect/contactflow/zz_controller.go
index d63aeb7552..91975c9a5a 100755
--- a/internal/controller/connect/contactflow/zz_controller.go
+++ b/internal/controller/connect/contactflow/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ContactFlow managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ContactFlow_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_contact_flow"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ContactFlow_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ContactFlow_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/contactflowmodule/zz_controller.go b/internal/controller/connect/contactflowmodule/zz_controller.go
index d9c6457fa5..86397496e8 100755
--- a/internal/controller/connect/contactflowmodule/zz_controller.go
+++ b/internal/controller/connect/contactflowmodule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ContactFlowModule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ContactFlowModule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_contact_flow_module"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ContactFlowModule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ContactFlowModule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/hoursofoperation/zz_controller.go b/internal/controller/connect/hoursofoperation/zz_controller.go
index 16f6a779bb..4a493e79a6 100755
--- a/internal/controller/connect/hoursofoperation/zz_controller.go
+++ b/internal/controller/connect/hoursofoperation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HoursOfOperation managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HoursOfOperation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_hours_of_operation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HoursOfOperation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HoursOfOperation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/instance/zz_controller.go b/internal/controller/connect/instance/zz_controller.go
index f0a771609c..9b9d1bf4af 100755
--- a/internal/controller/connect/instance/zz_controller.go
+++ b/internal/controller/connect/instance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Instance managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/instancestorageconfig/zz_controller.go b/internal/controller/connect/instancestorageconfig/zz_controller.go
index b5354a3b20..b544e74f78 100755
--- a/internal/controller/connect/instancestorageconfig/zz_controller.go
+++ b/internal/controller/connect/instancestorageconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InstanceStorageConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InstanceStorageConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_instance_storage_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InstanceStorageConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InstanceStorageConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/lambdafunctionassociation/zz_controller.go b/internal/controller/connect/lambdafunctionassociation/zz_controller.go
index a539b9de1d..17cfbe185d 100755
--- a/internal/controller/connect/lambdafunctionassociation/zz_controller.go
+++ b/internal/controller/connect/lambdafunctionassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LambdaFunctionAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LambdaFunctionAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_lambda_function_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LambdaFunctionAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LambdaFunctionAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/phonenumber/zz_controller.go b/internal/controller/connect/phonenumber/zz_controller.go
index 2bd94cbba3..4b809e5d1f 100755
--- a/internal/controller/connect/phonenumber/zz_controller.go
+++ b/internal/controller/connect/phonenumber/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PhoneNumber managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PhoneNumber_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_phone_number"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PhoneNumber_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PhoneNumber_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/queue/zz_controller.go b/internal/controller/connect/queue/zz_controller.go
index b62b6012b8..a656f5f87d 100755
--- a/internal/controller/connect/queue/zz_controller.go
+++ b/internal/controller/connect/queue/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Queue managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_queue"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/quickconnect/zz_controller.go b/internal/controller/connect/quickconnect/zz_controller.go
index 91b3a02b34..c5a53d10af 100755
--- a/internal/controller/connect/quickconnect/zz_controller.go
+++ b/internal/controller/connect/quickconnect/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles QuickConnect managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.QuickConnect_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_quick_connect"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.QuickConnect_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.QuickConnect_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/routingprofile/zz_controller.go b/internal/controller/connect/routingprofile/zz_controller.go
index 21b3b3bf25..afb89a1b00 100755
--- a/internal/controller/connect/routingprofile/zz_controller.go
+++ b/internal/controller/connect/routingprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RoutingProfile managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RoutingProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_routing_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RoutingProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RoutingProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/securityprofile/zz_controller.go b/internal/controller/connect/securityprofile/zz_controller.go
index 3632335252..c3e6594ceb 100755
--- a/internal/controller/connect/securityprofile/zz_controller.go
+++ b/internal/controller/connect/securityprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecurityProfile managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecurityProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_security_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecurityProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecurityProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/user/zz_controller.go b/internal/controller/connect/user/zz_controller.go
index 1580adc76e..340a588644 100755
--- a/internal/controller/connect/user/zz_controller.go
+++ b/internal/controller/connect/user/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles User managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.User_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_user"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/userhierarchystructure/zz_controller.go b/internal/controller/connect/userhierarchystructure/zz_controller.go
index 445027b0aa..d0dc4e7792 100755
--- a/internal/controller/connect/userhierarchystructure/zz_controller.go
+++ b/internal/controller/connect/userhierarchystructure/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserHierarchyStructure managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserHierarchyStructure_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_user_hierarchy_structure"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserHierarchyStructure_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserHierarchyStructure_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/connect/vocabulary/zz_controller.go b/internal/controller/connect/vocabulary/zz_controller.go
index 4b1362cdac..430b836a5b 100755
--- a/internal/controller/connect/vocabulary/zz_controller.go
+++ b/internal/controller/connect/vocabulary/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/connect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Vocabulary managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Vocabulary_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_connect_vocabulary"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Vocabulary_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Vocabulary_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/cur/reportdefinition/zz_controller.go b/internal/controller/cur/reportdefinition/zz_controller.go
index fea7c19515..9e3015a8ad 100755
--- a/internal/controller/cur/reportdefinition/zz_controller.go
+++ b/internal/controller/cur/reportdefinition/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/cur/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReportDefinition managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReportDefinition_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_cur_report_definition"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReportDefinition_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReportDefinition_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dataexchange/dataset/zz_controller.go b/internal/controller/dataexchange/dataset/zz_controller.go
index c44502b9ec..6b54e57868 100755
--- a/internal/controller/dataexchange/dataset/zz_controller.go
+++ b/internal/controller/dataexchange/dataset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dataexchange/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DataSet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DataSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dataexchange_data_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DataSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DataSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dataexchange/revision/zz_controller.go b/internal/controller/dataexchange/revision/zz_controller.go
index 5535d4a5e6..d0f1f774d9 100755
--- a/internal/controller/dataexchange/revision/zz_controller.go
+++ b/internal/controller/dataexchange/revision/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dataexchange/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Revision managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Revision_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dataexchange_revision"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Revision_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Revision_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/datapipeline/pipeline/zz_controller.go b/internal/controller/datapipeline/pipeline/zz_controller.go
index 102936d6be..89cfe7cd8a 100755
--- a/internal/controller/datapipeline/pipeline/zz_controller.go
+++ b/internal/controller/datapipeline/pipeline/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/datapipeline/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Pipeline managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Pipeline_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_datapipeline_pipeline"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Pipeline_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Pipeline_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dax/cluster/zz_controller.go b/internal/controller/dax/cluster/zz_controller.go
index 85d84bd217..495864d8c1 100755
--- a/internal/controller/dax/cluster/zz_controller.go
+++ b/internal/controller/dax/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dax/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dax_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dax/parametergroup/zz_controller.go b/internal/controller/dax/parametergroup/zz_controller.go
index 8931453e52..d62e2a7b12 100755
--- a/internal/controller/dax/parametergroup/zz_controller.go
+++ b/internal/controller/dax/parametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dax/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ParameterGroup managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dax_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dax/subnetgroup/zz_controller.go b/internal/controller/dax/subnetgroup/zz_controller.go
index a2b932f881..58fd061188 100755
--- a/internal/controller/dax/subnetgroup/zz_controller.go
+++ b/internal/controller/dax/subnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dax/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetGroup managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dax_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/deploy/app/zz_controller.go b/internal/controller/deploy/app/zz_controller.go
index fbcef0541c..388fd373af 100755
--- a/internal/controller/deploy/app/zz_controller.go
+++ b/internal/controller/deploy/app/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/deploy/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles App managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.App_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codedeploy_app"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/deploy/deploymentconfig/zz_controller.go b/internal/controller/deploy/deploymentconfig/zz_controller.go
index ba2638bc16..25ede21635 100755
--- a/internal/controller/deploy/deploymentconfig/zz_controller.go
+++ b/internal/controller/deploy/deploymentconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/deploy/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DeploymentConfig managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DeploymentConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codedeploy_deployment_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DeploymentConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DeploymentConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/deploy/deploymentgroup/zz_controller.go b/internal/controller/deploy/deploymentgroup/zz_controller.go
index 9b9eba5e72..0282c48c7e 100755
--- a/internal/controller/deploy/deploymentgroup/zz_controller.go
+++ b/internal/controller/deploy/deploymentgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/deploy/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DeploymentGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DeploymentGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_codedeploy_deployment_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DeploymentGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DeploymentGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/detective/graph/zz_controller.go b/internal/controller/detective/graph/zz_controller.go
index 79cd99d610..f939ac758e 100755
--- a/internal/controller/detective/graph/zz_controller.go
+++ b/internal/controller/detective/graph/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/detective/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Graph managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Graph_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_detective_graph"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Graph_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Graph_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/detective/invitationaccepter/zz_controller.go b/internal/controller/detective/invitationaccepter/zz_controller.go
index 865cffc790..07cab0d580 100755
--- a/internal/controller/detective/invitationaccepter/zz_controller.go
+++ b/internal/controller/detective/invitationaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/detective/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InvitationAccepter managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InvitationAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_detective_invitation_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InvitationAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InvitationAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/detective/member/zz_controller.go b/internal/controller/detective/member/zz_controller.go
index 2de262dac5..9f8cfa0791 100755
--- a/internal/controller/detective/member/zz_controller.go
+++ b/internal/controller/detective/member/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/detective/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Member managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Member_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_detective_member"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/devicefarm/devicepool/zz_controller.go b/internal/controller/devicefarm/devicepool/zz_controller.go
index ce6b0e2495..93958fe1d9 100755
--- a/internal/controller/devicefarm/devicepool/zz_controller.go
+++ b/internal/controller/devicefarm/devicepool/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/devicefarm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DevicePool managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DevicePool_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_devicefarm_device_pool"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DevicePool_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DevicePool_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/devicefarm/instanceprofile/zz_controller.go b/internal/controller/devicefarm/instanceprofile/zz_controller.go
index 6b332d0b53..dfdedc5fcc 100755
--- a/internal/controller/devicefarm/instanceprofile/zz_controller.go
+++ b/internal/controller/devicefarm/instanceprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/devicefarm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InstanceProfile managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InstanceProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_devicefarm_instance_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InstanceProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InstanceProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/devicefarm/networkprofile/zz_controller.go b/internal/controller/devicefarm/networkprofile/zz_controller.go
index 40080b7def..7603c8b77f 100755
--- a/internal/controller/devicefarm/networkprofile/zz_controller.go
+++ b/internal/controller/devicefarm/networkprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/devicefarm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkProfile managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_devicefarm_network_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/devicefarm/project/zz_controller.go b/internal/controller/devicefarm/project/zz_controller.go
index 1b705b07ad..13fca7a7ec 100755
--- a/internal/controller/devicefarm/project/zz_controller.go
+++ b/internal/controller/devicefarm/project/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/devicefarm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Project managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Project_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_devicefarm_project"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Project_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Project_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/devicefarm/testgridproject/zz_controller.go b/internal/controller/devicefarm/testgridproject/zz_controller.go
index b0f4352616..960f0e9e63 100755
--- a/internal/controller/devicefarm/testgridproject/zz_controller.go
+++ b/internal/controller/devicefarm/testgridproject/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/devicefarm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TestGridProject managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TestGridProject_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_devicefarm_test_grid_project"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TestGridProject_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TestGridProject_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/devicefarm/upload/zz_controller.go b/internal/controller/devicefarm/upload/zz_controller.go
index 43fee81b57..d42a216e98 100755
--- a/internal/controller/devicefarm/upload/zz_controller.go
+++ b/internal/controller/devicefarm/upload/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/devicefarm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Upload managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Upload_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_devicefarm_upload"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Upload_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Upload_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/bgppeer/zz_controller.go b/internal/controller/directconnect/bgppeer/zz_controller.go
index e4c1b9962a..107069eb2f 100755
--- a/internal/controller/directconnect/bgppeer/zz_controller.go
+++ b/internal/controller/directconnect/bgppeer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BGPPeer managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BGPPeer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_bgp_peer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BGPPeer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BGPPeer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/connection/zz_controller.go b/internal/controller/directconnect/connection/zz_controller.go
index e8a847dfa8..08dcdcd5ea 100755
--- a/internal/controller/directconnect/connection/zz_controller.go
+++ b/internal/controller/directconnect/connection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Connection managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/connectionassociation/zz_controller.go b/internal/controller/directconnect/connectionassociation/zz_controller.go
index 3da1bce984..9a9adb7e9c 100755
--- a/internal/controller/directconnect/connectionassociation/zz_controller.go
+++ b/internal/controller/directconnect/connectionassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConnectionAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConnectionAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_connection_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConnectionAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConnectionAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/gateway/zz_controller.go b/internal/controller/directconnect/gateway/zz_controller.go
index c79cbfdf6b..30856ce748 100755
--- a/internal/controller/directconnect/gateway/zz_controller.go
+++ b/internal/controller/directconnect/gateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Gateway managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Gateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Gateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Gateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/gatewayassociation/zz_controller.go b/internal/controller/directconnect/gatewayassociation/zz_controller.go
index 0efbc047ea..11c43fc65a 100755
--- a/internal/controller/directconnect/gatewayassociation/zz_controller.go
+++ b/internal/controller/directconnect/gatewayassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GatewayAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GatewayAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_gateway_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GatewayAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GatewayAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/gatewayassociationproposal/zz_controller.go b/internal/controller/directconnect/gatewayassociationproposal/zz_controller.go
index ec36961bac..f514bde222 100755
--- a/internal/controller/directconnect/gatewayassociationproposal/zz_controller.go
+++ b/internal/controller/directconnect/gatewayassociationproposal/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GatewayAssociationProposal managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GatewayAssociationProposal_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_gateway_association_proposal"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GatewayAssociationProposal_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GatewayAssociationProposal_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/hostedprivatevirtualinterface/zz_controller.go b/internal/controller/directconnect/hostedprivatevirtualinterface/zz_controller.go
index 9259b803b7..870cee2461 100755
--- a/internal/controller/directconnect/hostedprivatevirtualinterface/zz_controller.go
+++ b/internal/controller/directconnect/hostedprivatevirtualinterface/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedPrivateVirtualInterface managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedPrivateVirtualInterface_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_hosted_private_virtual_interface"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedPrivateVirtualInterface_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedPrivateVirtualInterface_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/hostedprivatevirtualinterfaceaccepter/zz_controller.go b/internal/controller/directconnect/hostedprivatevirtualinterfaceaccepter/zz_controller.go
index 0da1db9e91..bf9c491d80 100755
--- a/internal/controller/directconnect/hostedprivatevirtualinterfaceaccepter/zz_controller.go
+++ b/internal/controller/directconnect/hostedprivatevirtualinterfaceaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedPrivateVirtualInterfaceAccepter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedPrivateVirtualInterfaceAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_hosted_private_virtual_interface_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedPrivateVirtualInterfaceAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedPrivateVirtualInterfaceAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/hostedpublicvirtualinterface/zz_controller.go b/internal/controller/directconnect/hostedpublicvirtualinterface/zz_controller.go
index e17ffab218..18f09ddeed 100755
--- a/internal/controller/directconnect/hostedpublicvirtualinterface/zz_controller.go
+++ b/internal/controller/directconnect/hostedpublicvirtualinterface/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedPublicVirtualInterface managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedPublicVirtualInterface_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_hosted_public_virtual_interface"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedPublicVirtualInterface_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedPublicVirtualInterface_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/hostedpublicvirtualinterfaceaccepter/zz_controller.go b/internal/controller/directconnect/hostedpublicvirtualinterfaceaccepter/zz_controller.go
index 601ea8f0f5..d0eed2fcac 100755
--- a/internal/controller/directconnect/hostedpublicvirtualinterfaceaccepter/zz_controller.go
+++ b/internal/controller/directconnect/hostedpublicvirtualinterfaceaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedPublicVirtualInterfaceAccepter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedPublicVirtualInterfaceAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_hosted_public_virtual_interface_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedPublicVirtualInterfaceAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedPublicVirtualInterfaceAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/hostedtransitvirtualinterface/zz_controller.go b/internal/controller/directconnect/hostedtransitvirtualinterface/zz_controller.go
index 69bed4f368..099898558b 100755
--- a/internal/controller/directconnect/hostedtransitvirtualinterface/zz_controller.go
+++ b/internal/controller/directconnect/hostedtransitvirtualinterface/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedTransitVirtualInterface managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedTransitVirtualInterface_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_hosted_transit_virtual_interface"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedTransitVirtualInterface_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedTransitVirtualInterface_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/hostedtransitvirtualinterfaceaccepter/zz_controller.go b/internal/controller/directconnect/hostedtransitvirtualinterfaceaccepter/zz_controller.go
index f844a74414..3e6de78eaa 100755
--- a/internal/controller/directconnect/hostedtransitvirtualinterfaceaccepter/zz_controller.go
+++ b/internal/controller/directconnect/hostedtransitvirtualinterfaceaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedTransitVirtualInterfaceAccepter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedTransitVirtualInterfaceAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_hosted_transit_virtual_interface_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedTransitVirtualInterfaceAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedTransitVirtualInterfaceAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/lag/zz_controller.go b/internal/controller/directconnect/lag/zz_controller.go
index 6434389689..fc26bf42ce 100755
--- a/internal/controller/directconnect/lag/zz_controller.go
+++ b/internal/controller/directconnect/lag/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Lag managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Lag_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_lag"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Lag_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Lag_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/privatevirtualinterface/zz_controller.go b/internal/controller/directconnect/privatevirtualinterface/zz_controller.go
index c4d15d0655..c0116e2cf0 100755
--- a/internal/controller/directconnect/privatevirtualinterface/zz_controller.go
+++ b/internal/controller/directconnect/privatevirtualinterface/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PrivateVirtualInterface managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PrivateVirtualInterface_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_private_virtual_interface"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PrivateVirtualInterface_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PrivateVirtualInterface_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/publicvirtualinterface/zz_controller.go b/internal/controller/directconnect/publicvirtualinterface/zz_controller.go
index c5165c2b76..4b464fca0c 100755
--- a/internal/controller/directconnect/publicvirtualinterface/zz_controller.go
+++ b/internal/controller/directconnect/publicvirtualinterface/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PublicVirtualInterface managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PublicVirtualInterface_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_public_virtual_interface"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PublicVirtualInterface_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PublicVirtualInterface_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/directconnect/transitvirtualinterface/zz_controller.go b/internal/controller/directconnect/transitvirtualinterface/zz_controller.go
index 5ae5229a1c..248034a525 100755
--- a/internal/controller/directconnect/transitvirtualinterface/zz_controller.go
+++ b/internal/controller/directconnect/transitvirtualinterface/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/directconnect/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitVirtualInterface managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitVirtualInterface_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dx_transit_virtual_interface"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitVirtualInterface_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitVirtualInterface_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dlm/lifecyclepolicy/zz_controller.go b/internal/controller/dlm/lifecyclepolicy/zz_controller.go
index 0a4ec861e9..9f2c956400 100755
--- a/internal/controller/dlm/lifecyclepolicy/zz_controller.go
+++ b/internal/controller/dlm/lifecyclepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dlm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LifecyclePolicy managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LifecyclePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dlm_lifecycle_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LifecyclePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LifecyclePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dms/certificate/zz_controller.go b/internal/controller/dms/certificate/zz_controller.go
index ea372b9f3a..c38de69e8e 100755
--- a/internal/controller/dms/certificate/zz_controller.go
+++ b/internal/controller/dms/certificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Certificate managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dms_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dms/endpoint/zz_controller.go b/internal/controller/dms/endpoint/zz_controller.go
index ec617be03d..b8ec86eedb 100755
--- a/internal/controller/dms/endpoint/zz_controller.go
+++ b/internal/controller/dms/endpoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Endpoint managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Endpoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dms_endpoint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Endpoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Endpoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dms/eventsubscription/zz_controller.go b/internal/controller/dms/eventsubscription/zz_controller.go
index 2fb3986eed..18a5d1c09b 100755
--- a/internal/controller/dms/eventsubscription/zz_controller.go
+++ b/internal/controller/dms/eventsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventSubscription managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dms_event_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dms/replicationinstance/zz_controller.go b/internal/controller/dms/replicationinstance/zz_controller.go
index 65b01672f0..0ea28214f8 100755
--- a/internal/controller/dms/replicationinstance/zz_controller.go
+++ b/internal/controller/dms/replicationinstance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicationInstance managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicationInstance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dms_replication_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicationInstance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicationInstance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dms/replicationsubnetgroup/zz_controller.go b/internal/controller/dms/replicationsubnetgroup/zz_controller.go
index 60c453cc77..92f99951f0 100755
--- a/internal/controller/dms/replicationsubnetgroup/zz_controller.go
+++ b/internal/controller/dms/replicationsubnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicationSubnetGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicationSubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dms_replication_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicationSubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicationSubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dms/replicationtask/zz_controller.go b/internal/controller/dms/replicationtask/zz_controller.go
index 32044bd89d..40a4e1d2f2 100755
--- a/internal/controller/dms/replicationtask/zz_controller.go
+++ b/internal/controller/dms/replicationtask/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicationTask managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicationTask_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dms_replication_task"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicationTask_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicationTask_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dms/s3endpoint/zz_controller.go b/internal/controller/dms/s3endpoint/zz_controller.go
index 977a2a9624..013e5b3e1b 100755
--- a/internal/controller/dms/s3endpoint/zz_controller.go
+++ b/internal/controller/dms/s3endpoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles S3Endpoint managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.S3Endpoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dms_s3_endpoint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.S3Endpoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.S3Endpoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/docdb/cluster/zz_controller.go b/internal/controller/docdb/cluster/zz_controller.go
index 69e2efc6f3..c5d3fe3f97 100755
--- a/internal/controller/docdb/cluster/zz_controller.go
+++ b/internal/controller/docdb/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/docdb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_docdb_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/docdb/clusterinstance/zz_controller.go b/internal/controller/docdb/clusterinstance/zz_controller.go
index dc324b2fa5..27310a7754 100755
--- a/internal/controller/docdb/clusterinstance/zz_controller.go
+++ b/internal/controller/docdb/clusterinstance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/docdb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterInstance managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_docdb_cluster_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/docdb/clusterparametergroup/zz_controller.go b/internal/controller/docdb/clusterparametergroup/zz_controller.go
index c15cd5e161..37c20a4363 100755
--- a/internal/controller/docdb/clusterparametergroup/zz_controller.go
+++ b/internal/controller/docdb/clusterparametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/docdb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterParameterGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_docdb_cluster_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/docdb/clustersnapshot/zz_controller.go b/internal/controller/docdb/clustersnapshot/zz_controller.go
index 461b7408c3..14992b3a47 100755
--- a/internal/controller/docdb/clustersnapshot/zz_controller.go
+++ b/internal/controller/docdb/clustersnapshot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/docdb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterSnapshot managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_docdb_cluster_snapshot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/docdb/eventsubscription/zz_controller.go b/internal/controller/docdb/eventsubscription/zz_controller.go
index 96d7b71931..166db8ecf5 100755
--- a/internal/controller/docdb/eventsubscription/zz_controller.go
+++ b/internal/controller/docdb/eventsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/docdb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventSubscription managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_docdb_event_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/docdb/globalcluster/zz_controller.go b/internal/controller/docdb/globalcluster/zz_controller.go
index 5319b91940..d341fe490c 100755
--- a/internal/controller/docdb/globalcluster/zz_controller.go
+++ b/internal/controller/docdb/globalcluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/docdb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GlobalCluster managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_docdb_global_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/docdb/subnetgroup/zz_controller.go b/internal/controller/docdb/subnetgroup/zz_controller.go
index 37c62b77b7..68170dce76 100755
--- a/internal/controller/docdb/subnetgroup/zz_controller.go
+++ b/internal/controller/docdb/subnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/docdb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_docdb_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ds/conditionalforwarder/zz_controller.go b/internal/controller/ds/conditionalforwarder/zz_controller.go
index b8ae2890fa..869827acc6 100755
--- a/internal/controller/ds/conditionalforwarder/zz_controller.go
+++ b/internal/controller/ds/conditionalforwarder/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConditionalForwarder managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConditionalForwarder_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_directory_service_conditional_forwarder"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConditionalForwarder_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConditionalForwarder_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ds/directory/zz_controller.go b/internal/controller/ds/directory/zz_controller.go
index 3acac5a322..37503a7c48 100755
--- a/internal/controller/ds/directory/zz_controller.go
+++ b/internal/controller/ds/directory/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Directory managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Directory_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_directory_service_directory"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Directory_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Directory_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ds/shareddirectory/zz_controller.go b/internal/controller/ds/shareddirectory/zz_controller.go
index 47a300cb23..c049f24765 100755
--- a/internal/controller/ds/shareddirectory/zz_controller.go
+++ b/internal/controller/ds/shareddirectory/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SharedDirectory managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SharedDirectory_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_directory_service_shared_directory"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SharedDirectory_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SharedDirectory_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dynamodb/contributorinsights/zz_controller.go b/internal/controller/dynamodb/contributorinsights/zz_controller.go
index 42f2d6c968..ea1b357827 100755
--- a/internal/controller/dynamodb/contributorinsights/zz_controller.go
+++ b/internal/controller/dynamodb/contributorinsights/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ContributorInsights managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ContributorInsights_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_contributor_insights"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ContributorInsights_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ContributorInsights_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dynamodb/globaltable/zz_controller.go b/internal/controller/dynamodb/globaltable/zz_controller.go
index 7760842eae..d8c851388d 100755
--- a/internal/controller/dynamodb/globaltable/zz_controller.go
+++ b/internal/controller/dynamodb/globaltable/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GlobalTable managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GlobalTable_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_global_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GlobalTable_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GlobalTable_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dynamodb/kinesisstreamingdestination/zz_controller.go b/internal/controller/dynamodb/kinesisstreamingdestination/zz_controller.go
index 128b97ca86..12d8020292 100755
--- a/internal/controller/dynamodb/kinesisstreamingdestination/zz_controller.go
+++ b/internal/controller/dynamodb/kinesisstreamingdestination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles KinesisStreamingDestination managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.KinesisStreamingDestination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_kinesis_streaming_destination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.KinesisStreamingDestination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.KinesisStreamingDestination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dynamodb/table/zz_controller.go b/internal/controller/dynamodb/table/zz_controller.go
index defa1e8149..1818f8bf38 100755
--- a/internal/controller/dynamodb/table/zz_controller.go
+++ b/internal/controller/dynamodb/table/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Table managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Table_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Table_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Table_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dynamodb/tableitem/zz_controller.go b/internal/controller/dynamodb/tableitem/zz_controller.go
index 39546042ca..108e0ce754 100755
--- a/internal/controller/dynamodb/tableitem/zz_controller.go
+++ b/internal/controller/dynamodb/tableitem/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TableItem managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TableItem_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_table_item"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TableItem_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TableItem_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dynamodb/tablereplica/zz_controller.go b/internal/controller/dynamodb/tablereplica/zz_controller.go
index af78a876d5..6a0a6b0fd0 100755
--- a/internal/controller/dynamodb/tablereplica/zz_controller.go
+++ b/internal/controller/dynamodb/tablereplica/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TableReplica managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TableReplica_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_table_replica"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TableReplica_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TableReplica_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/dynamodb/tag/zz_controller.go b/internal/controller/dynamodb/tag/zz_controller.go
index deb7cfbfc3..3124e3c5ee 100755
--- a/internal/controller/dynamodb/tag/zz_controller.go
+++ b/internal/controller/dynamodb/tag/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/dynamodb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Tag managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_dynamodb_tag"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/ami/zz_controller.go b/internal/controller/ec2/ami/zz_controller.go
index 0912e21bb0..381e185908 100755
--- a/internal/controller/ec2/ami/zz_controller.go
+++ b/internal/controller/ec2/ami/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AMI managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AMI_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ami"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AMI_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AMI_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/amicopy/zz_controller.go b/internal/controller/ec2/amicopy/zz_controller.go
index 7b06f02608..abf5ab5d7b 100755
--- a/internal/controller/ec2/amicopy/zz_controller.go
+++ b/internal/controller/ec2/amicopy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AMICopy managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AMICopy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ami_copy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AMICopy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AMICopy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/amilaunchpermission/zz_controller.go b/internal/controller/ec2/amilaunchpermission/zz_controller.go
index 0f5d6af60f..d0e6f79542 100755
--- a/internal/controller/ec2/amilaunchpermission/zz_controller.go
+++ b/internal/controller/ec2/amilaunchpermission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AMILaunchPermission managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AMILaunchPermission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ami_launch_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AMILaunchPermission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AMILaunchPermission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/availabilityzonegroup/zz_controller.go b/internal/controller/ec2/availabilityzonegroup/zz_controller.go
index d499ed6c02..4de7b09ee5 100755
--- a/internal/controller/ec2/availabilityzonegroup/zz_controller.go
+++ b/internal/controller/ec2/availabilityzonegroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AvailabilityZoneGroup managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AvailabilityZoneGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_availability_zone_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AvailabilityZoneGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AvailabilityZoneGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/capacityreservation/zz_controller.go b/internal/controller/ec2/capacityreservation/zz_controller.go
index 038983d939..953f2f93bb 100755
--- a/internal/controller/ec2/capacityreservation/zz_controller.go
+++ b/internal/controller/ec2/capacityreservation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CapacityReservation managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CapacityReservation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_capacity_reservation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CapacityReservation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CapacityReservation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/carriergateway/zz_controller.go b/internal/controller/ec2/carriergateway/zz_controller.go
index 6f8334edf1..5fa01b507b 100755
--- a/internal/controller/ec2/carriergateway/zz_controller.go
+++ b/internal/controller/ec2/carriergateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CarrierGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CarrierGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_carrier_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CarrierGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CarrierGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/customergateway/zz_controller.go b/internal/controller/ec2/customergateway/zz_controller.go
index 83e4188fac..e283ac97ac 100755
--- a/internal/controller/ec2/customergateway/zz_controller.go
+++ b/internal/controller/ec2/customergateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CustomerGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CustomerGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_customer_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CustomerGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CustomerGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/defaultnetworkacl/zz_controller.go b/internal/controller/ec2/defaultnetworkacl/zz_controller.go
index 98d7fe0d1b..24fa788c41 100755
--- a/internal/controller/ec2/defaultnetworkacl/zz_controller.go
+++ b/internal/controller/ec2/defaultnetworkacl/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DefaultNetworkACL managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DefaultNetworkACL_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_default_network_acl"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DefaultNetworkACL_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DefaultNetworkACL_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/defaultroutetable/zz_controller.go b/internal/controller/ec2/defaultroutetable/zz_controller.go
index ba2c939cf4..f66582b814 100755
--- a/internal/controller/ec2/defaultroutetable/zz_controller.go
+++ b/internal/controller/ec2/defaultroutetable/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DefaultRouteTable managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DefaultRouteTable_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_default_route_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DefaultRouteTable_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DefaultRouteTable_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/defaultsecuritygroup/zz_controller.go b/internal/controller/ec2/defaultsecuritygroup/zz_controller.go
index 25a629e082..03b5fdda45 100755
--- a/internal/controller/ec2/defaultsecuritygroup/zz_controller.go
+++ b/internal/controller/ec2/defaultsecuritygroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DefaultSecurityGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DefaultSecurityGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_default_security_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DefaultSecurityGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DefaultSecurityGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/defaultsubnet/zz_controller.go b/internal/controller/ec2/defaultsubnet/zz_controller.go
index f9f3ef185b..81ed81f729 100755
--- a/internal/controller/ec2/defaultsubnet/zz_controller.go
+++ b/internal/controller/ec2/defaultsubnet/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DefaultSubnet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DefaultSubnet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_default_subnet"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DefaultSubnet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DefaultSubnet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/defaultvpc/zz_controller.go b/internal/controller/ec2/defaultvpc/zz_controller.go
index d61e192d8e..0f2a6837a5 100755
--- a/internal/controller/ec2/defaultvpc/zz_controller.go
+++ b/internal/controller/ec2/defaultvpc/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DefaultVPC managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DefaultVPC_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_default_vpc"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DefaultVPC_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DefaultVPC_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/defaultvpcdhcpoptions/zz_controller.go b/internal/controller/ec2/defaultvpcdhcpoptions/zz_controller.go
index 4719b321dc..59c2e370f8 100755
--- a/internal/controller/ec2/defaultvpcdhcpoptions/zz_controller.go
+++ b/internal/controller/ec2/defaultvpcdhcpoptions/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DefaultVPCDHCPOptions managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DefaultVPCDHCPOptions_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_default_vpc_dhcp_options"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DefaultVPCDHCPOptions_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DefaultVPCDHCPOptions_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/ebsdefaultkmskey/zz_controller.go b/internal/controller/ec2/ebsdefaultkmskey/zz_controller.go
index 2135fcebe2..ea95a48196 100755
--- a/internal/controller/ec2/ebsdefaultkmskey/zz_controller.go
+++ b/internal/controller/ec2/ebsdefaultkmskey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EBSDefaultKMSKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EBSDefaultKMSKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ebs_default_kms_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EBSDefaultKMSKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EBSDefaultKMSKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/ebsencryptionbydefault/zz_controller.go b/internal/controller/ec2/ebsencryptionbydefault/zz_controller.go
index d6a43a1858..9058f10ef6 100755
--- a/internal/controller/ec2/ebsencryptionbydefault/zz_controller.go
+++ b/internal/controller/ec2/ebsencryptionbydefault/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EBSEncryptionByDefault managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EBSEncryptionByDefault_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ebs_encryption_by_default"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EBSEncryptionByDefault_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EBSEncryptionByDefault_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/ebssnapshot/zz_controller.go b/internal/controller/ec2/ebssnapshot/zz_controller.go
index 977a4cf0a9..97210a435e 100755
--- a/internal/controller/ec2/ebssnapshot/zz_controller.go
+++ b/internal/controller/ec2/ebssnapshot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EBSSnapshot managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EBSSnapshot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ebs_snapshot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EBSSnapshot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EBSSnapshot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/ebssnapshotcopy/zz_controller.go b/internal/controller/ec2/ebssnapshotcopy/zz_controller.go
index 54a8bc114d..c597fd186c 100755
--- a/internal/controller/ec2/ebssnapshotcopy/zz_controller.go
+++ b/internal/controller/ec2/ebssnapshotcopy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EBSSnapshotCopy managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EBSSnapshotCopy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ebs_snapshot_copy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EBSSnapshotCopy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EBSSnapshotCopy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/ebssnapshotimport/zz_controller.go b/internal/controller/ec2/ebssnapshotimport/zz_controller.go
index 5abb6cd54f..27bf8252e4 100755
--- a/internal/controller/ec2/ebssnapshotimport/zz_controller.go
+++ b/internal/controller/ec2/ebssnapshotimport/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EBSSnapshotImport managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EBSSnapshotImport_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ebs_snapshot_import"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EBSSnapshotImport_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EBSSnapshotImport_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/ebsvolume/zz_controller.go b/internal/controller/ec2/ebsvolume/zz_controller.go
index a1310a100a..2b3755b90f 100755
--- a/internal/controller/ec2/ebsvolume/zz_controller.go
+++ b/internal/controller/ec2/ebsvolume/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EBSVolume managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EBSVolume_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ebs_volume"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EBSVolume_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EBSVolume_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/egressonlyinternetgateway/zz_controller.go b/internal/controller/ec2/egressonlyinternetgateway/zz_controller.go
index e8b21e8113..eed9baf7fd 100755
--- a/internal/controller/ec2/egressonlyinternetgateway/zz_controller.go
+++ b/internal/controller/ec2/egressonlyinternetgateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EgressOnlyInternetGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EgressOnlyInternetGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_egress_only_internet_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EgressOnlyInternetGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EgressOnlyInternetGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/eip/zz_controller.go b/internal/controller/ec2/eip/zz_controller.go
index 5ff63cde0b..fefce1b4f3 100755
--- a/internal/controller/ec2/eip/zz_controller.go
+++ b/internal/controller/ec2/eip/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EIP managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EIP_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_eip"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EIP_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EIP_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/eipassociation/zz_controller.go b/internal/controller/ec2/eipassociation/zz_controller.go
index ee05e6dbcf..35fc3cc282 100755
--- a/internal/controller/ec2/eipassociation/zz_controller.go
+++ b/internal/controller/ec2/eipassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EIPAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EIPAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_eip_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EIPAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EIPAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/flowlog/zz_controller.go b/internal/controller/ec2/flowlog/zz_controller.go
index 59c7771748..5d909e59e4 100755
--- a/internal/controller/ec2/flowlog/zz_controller.go
+++ b/internal/controller/ec2/flowlog/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FlowLog managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FlowLog_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_flow_log"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FlowLog_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FlowLog_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/host/zz_controller.go b/internal/controller/ec2/host/zz_controller.go
index 0880d1f675..56be6a156d 100755
--- a/internal/controller/ec2/host/zz_controller.go
+++ b/internal/controller/ec2/host/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Host managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Host_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_host"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Host_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Host_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/instance/zz_controller.go b/internal/controller/ec2/instance/zz_controller.go
index d1f63c07bc..cedf732a81 100755
--- a/internal/controller/ec2/instance/zz_controller.go
+++ b/internal/controller/ec2/instance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Instance managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/instancestate/zz_controller.go b/internal/controller/ec2/instancestate/zz_controller.go
index 66b06213c1..b0fae48904 100755
--- a/internal/controller/ec2/instancestate/zz_controller.go
+++ b/internal/controller/ec2/instancestate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InstanceState managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InstanceState_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_instance_state"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InstanceState_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InstanceState_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/internetgateway/zz_controller.go b/internal/controller/ec2/internetgateway/zz_controller.go
index f3bfc58a2d..ef542dc295 100755
--- a/internal/controller/ec2/internetgateway/zz_controller.go
+++ b/internal/controller/ec2/internetgateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InternetGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InternetGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_internet_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InternetGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InternetGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/keypair/zz_controller.go b/internal/controller/ec2/keypair/zz_controller.go
index 3f99f61a9d..1e3be51155 100755
--- a/internal/controller/ec2/keypair/zz_controller.go
+++ b/internal/controller/ec2/keypair/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles KeyPair managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.KeyPair_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_key_pair"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.KeyPair_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.KeyPair_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/launchtemplate/zz_controller.go b/internal/controller/ec2/launchtemplate/zz_controller.go
index 10ac1524ec..274062b0ef 100755
--- a/internal/controller/ec2/launchtemplate/zz_controller.go
+++ b/internal/controller/ec2/launchtemplate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LaunchTemplate managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LaunchTemplate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_launch_template"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LaunchTemplate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LaunchTemplate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/mainroutetableassociation/zz_controller.go b/internal/controller/ec2/mainroutetableassociation/zz_controller.go
index 3823088cf9..c4dfb3e7d3 100755
--- a/internal/controller/ec2/mainroutetableassociation/zz_controller.go
+++ b/internal/controller/ec2/mainroutetableassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MainRouteTableAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MainRouteTableAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_main_route_table_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MainRouteTableAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MainRouteTableAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/managedprefixlist/zz_controller.go b/internal/controller/ec2/managedprefixlist/zz_controller.go
index 07f1a4bd39..d29a0a12f5 100755
--- a/internal/controller/ec2/managedprefixlist/zz_controller.go
+++ b/internal/controller/ec2/managedprefixlist/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ManagedPrefixList managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ManagedPrefixList_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_managed_prefix_list"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ManagedPrefixList_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ManagedPrefixList_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/managedprefixlistentry/zz_controller.go b/internal/controller/ec2/managedprefixlistentry/zz_controller.go
index b7cdbe676c..7fef296079 100755
--- a/internal/controller/ec2/managedprefixlistentry/zz_controller.go
+++ b/internal/controller/ec2/managedprefixlistentry/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ManagedPrefixListEntry managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ManagedPrefixListEntry_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_managed_prefix_list_entry"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ManagedPrefixListEntry_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ManagedPrefixListEntry_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/natgateway/zz_controller.go b/internal/controller/ec2/natgateway/zz_controller.go
index 44574031ed..8da79c9ab4 100755
--- a/internal/controller/ec2/natgateway/zz_controller.go
+++ b/internal/controller/ec2/natgateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NATGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NATGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_nat_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NATGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NATGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/networkacl/zz_controller.go b/internal/controller/ec2/networkacl/zz_controller.go
index 0087a5ee4b..fc044eaff8 100755
--- a/internal/controller/ec2/networkacl/zz_controller.go
+++ b/internal/controller/ec2/networkacl/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkACL managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkACL_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_network_acl"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkACL_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkACL_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/networkaclrule/zz_controller.go b/internal/controller/ec2/networkaclrule/zz_controller.go
index 042b5ea1c1..836505cf5b 100755
--- a/internal/controller/ec2/networkaclrule/zz_controller.go
+++ b/internal/controller/ec2/networkaclrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkACLRule managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkACLRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_network_acl_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkACLRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkACLRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/networkinsightsanalysis/zz_controller.go b/internal/controller/ec2/networkinsightsanalysis/zz_controller.go
index 67b1084554..e42633dd50 100755
--- a/internal/controller/ec2/networkinsightsanalysis/zz_controller.go
+++ b/internal/controller/ec2/networkinsightsanalysis/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkInsightsAnalysis managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkInsightsAnalysis_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_network_insights_analysis"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkInsightsAnalysis_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkInsightsAnalysis_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/networkinsightspath/zz_controller.go b/internal/controller/ec2/networkinsightspath/zz_controller.go
index 76c6594da3..9a9330a57f 100755
--- a/internal/controller/ec2/networkinsightspath/zz_controller.go
+++ b/internal/controller/ec2/networkinsightspath/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkInsightsPath managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkInsightsPath_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_network_insights_path"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkInsightsPath_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkInsightsPath_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/networkinterface/zz_controller.go b/internal/controller/ec2/networkinterface/zz_controller.go
index 97b929ed03..a6fcd7f19a 100755
--- a/internal/controller/ec2/networkinterface/zz_controller.go
+++ b/internal/controller/ec2/networkinterface/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkInterface managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkInterface_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_network_interface"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkInterface_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkInterface_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/networkinterfaceattachment/zz_controller.go b/internal/controller/ec2/networkinterfaceattachment/zz_controller.go
index d8669306ab..54ea8be4e0 100755
--- a/internal/controller/ec2/networkinterfaceattachment/zz_controller.go
+++ b/internal/controller/ec2/networkinterfaceattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkInterfaceAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkInterfaceAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_network_interface_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkInterfaceAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkInterfaceAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/networkinterfacesgattachment/zz_controller.go b/internal/controller/ec2/networkinterfacesgattachment/zz_controller.go
index e22dd4d0e1..5c14a0f040 100755
--- a/internal/controller/ec2/networkinterfacesgattachment/zz_controller.go
+++ b/internal/controller/ec2/networkinterfacesgattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkInterfaceSgAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkInterfaceSgAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_network_interface_sg_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkInterfaceSgAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkInterfaceSgAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/placementgroup/zz_controller.go b/internal/controller/ec2/placementgroup/zz_controller.go
index 40d03b3736..8b8183fbcc 100755
--- a/internal/controller/ec2/placementgroup/zz_controller.go
+++ b/internal/controller/ec2/placementgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PlacementGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PlacementGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_placement_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PlacementGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PlacementGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/route/zz_controller.go b/internal/controller/ec2/route/zz_controller.go
index d9261fc7ea..0977c48189 100755
--- a/internal/controller/ec2/route/zz_controller.go
+++ b/internal/controller/ec2/route/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Route managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Route_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Route_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Route_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/routetable/zz_controller.go b/internal/controller/ec2/routetable/zz_controller.go
index fbe42e8158..a43fefb78b 100755
--- a/internal/controller/ec2/routetable/zz_controller.go
+++ b/internal/controller/ec2/routetable/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RouteTable managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RouteTable_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RouteTable_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RouteTable_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/routetableassociation/zz_controller.go b/internal/controller/ec2/routetableassociation/zz_controller.go
index 971be72e92..b0da0bb9d9 100755
--- a/internal/controller/ec2/routetableassociation/zz_controller.go
+++ b/internal/controller/ec2/routetableassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RouteTableAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RouteTableAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route_table_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RouteTableAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RouteTableAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/securitygroup/zz_controller.go b/internal/controller/ec2/securitygroup/zz_controller.go
index e941a6dcae..e1f6abfa86 100755
--- a/internal/controller/ec2/securitygroup/zz_controller.go
+++ b/internal/controller/ec2/securitygroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecurityGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecurityGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_security_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecurityGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecurityGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/securitygrouprule/zz_controller.go b/internal/controller/ec2/securitygrouprule/zz_controller.go
index 4cbadbfa43..1e24d544b9 100755
--- a/internal/controller/ec2/securitygrouprule/zz_controller.go
+++ b/internal/controller/ec2/securitygrouprule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecurityGroupRule managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecurityGroupRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_security_group_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecurityGroupRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecurityGroupRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/serialconsoleaccess/zz_controller.go b/internal/controller/ec2/serialconsoleaccess/zz_controller.go
index 369e2fac55..646453c6ab 100755
--- a/internal/controller/ec2/serialconsoleaccess/zz_controller.go
+++ b/internal/controller/ec2/serialconsoleaccess/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SerialConsoleAccess managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SerialConsoleAccess_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_serial_console_access"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SerialConsoleAccess_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SerialConsoleAccess_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/snapshotcreatevolumepermission/zz_controller.go b/internal/controller/ec2/snapshotcreatevolumepermission/zz_controller.go
index ad90527b52..659e156c35 100755
--- a/internal/controller/ec2/snapshotcreatevolumepermission/zz_controller.go
+++ b/internal/controller/ec2/snapshotcreatevolumepermission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SnapshotCreateVolumePermission managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SnapshotCreateVolumePermission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_snapshot_create_volume_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SnapshotCreateVolumePermission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SnapshotCreateVolumePermission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/spotdatafeedsubscription/zz_controller.go b/internal/controller/ec2/spotdatafeedsubscription/zz_controller.go
index ae6327e5d5..c31f1eac76 100755
--- a/internal/controller/ec2/spotdatafeedsubscription/zz_controller.go
+++ b/internal/controller/ec2/spotdatafeedsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SpotDatafeedSubscription managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SpotDatafeedSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_spot_datafeed_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SpotDatafeedSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SpotDatafeedSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/spotfleetrequest/zz_controller.go b/internal/controller/ec2/spotfleetrequest/zz_controller.go
index a44ade54df..bf8c584bd7 100755
--- a/internal/controller/ec2/spotfleetrequest/zz_controller.go
+++ b/internal/controller/ec2/spotfleetrequest/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SpotFleetRequest managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SpotFleetRequest_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_spot_fleet_request"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SpotFleetRequest_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SpotFleetRequest_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/spotinstancerequest/zz_controller.go b/internal/controller/ec2/spotinstancerequest/zz_controller.go
index cef3aeae0d..b0d4e8941e 100755
--- a/internal/controller/ec2/spotinstancerequest/zz_controller.go
+++ b/internal/controller/ec2/spotinstancerequest/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SpotInstanceRequest managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SpotInstanceRequest_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_spot_instance_request"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SpotInstanceRequest_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SpotInstanceRequest_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/subnet/zz_controller.go b/internal/controller/ec2/subnet/zz_controller.go
index 330213c20c..45e5153ad8 100755
--- a/internal/controller/ec2/subnet/zz_controller.go
+++ b/internal/controller/ec2/subnet/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Subnet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Subnet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_subnet"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Subnet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Subnet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/subnetcidrreservation/zz_controller.go b/internal/controller/ec2/subnetcidrreservation/zz_controller.go
index 7a09b0a0cb..49023c6969 100755
--- a/internal/controller/ec2/subnetcidrreservation/zz_controller.go
+++ b/internal/controller/ec2/subnetcidrreservation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetCidrReservation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetCidrReservation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_subnet_cidr_reservation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetCidrReservation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetCidrReservation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/tag/zz_controller.go b/internal/controller/ec2/tag/zz_controller.go
index 1ae41bc27f..0b10a6333f 100755
--- a/internal/controller/ec2/tag/zz_controller.go
+++ b/internal/controller/ec2/tag/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Tag managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_tag"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/trafficmirrorfilter/zz_controller.go b/internal/controller/ec2/trafficmirrorfilter/zz_controller.go
index b57f868780..a3df5c2293 100755
--- a/internal/controller/ec2/trafficmirrorfilter/zz_controller.go
+++ b/internal/controller/ec2/trafficmirrorfilter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TrafficMirrorFilter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TrafficMirrorFilter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_traffic_mirror_filter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TrafficMirrorFilter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TrafficMirrorFilter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/trafficmirrorfilterrule/zz_controller.go b/internal/controller/ec2/trafficmirrorfilterrule/zz_controller.go
index 8347c6bfe0..b1e969bdff 100755
--- a/internal/controller/ec2/trafficmirrorfilterrule/zz_controller.go
+++ b/internal/controller/ec2/trafficmirrorfilterrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TrafficMirrorFilterRule managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TrafficMirrorFilterRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_traffic_mirror_filter_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TrafficMirrorFilterRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TrafficMirrorFilterRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgateway/zz_controller.go b/internal/controller/ec2/transitgateway/zz_controller.go
index 30f2675c19..72338d1941 100755
--- a/internal/controller/ec2/transitgateway/zz_controller.go
+++ b/internal/controller/ec2/transitgateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayconnect/zz_controller.go b/internal/controller/ec2/transitgatewayconnect/zz_controller.go
index f28cd75482..1a6fa76f83 100755
--- a/internal/controller/ec2/transitgatewayconnect/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayconnect/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayConnect managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayConnect_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_connect"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayConnect_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayConnect_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayconnectpeer/zz_controller.go b/internal/controller/ec2/transitgatewayconnectpeer/zz_controller.go
index 37e1680227..1d1b6b45b6 100755
--- a/internal/controller/ec2/transitgatewayconnectpeer/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayconnectpeer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayConnectPeer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayConnectPeer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_connect_peer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayConnectPeer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayConnectPeer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewaymulticastdomain/zz_controller.go b/internal/controller/ec2/transitgatewaymulticastdomain/zz_controller.go
index 6da82f2fad..f5a097068f 100755
--- a/internal/controller/ec2/transitgatewaymulticastdomain/zz_controller.go
+++ b/internal/controller/ec2/transitgatewaymulticastdomain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayMulticastDomain managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayMulticastDomain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_multicast_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastDomain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastDomain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewaymulticastdomainassociation/zz_controller.go b/internal/controller/ec2/transitgatewaymulticastdomainassociation/zz_controller.go
index 412332fd92..fe13a95e0c 100755
--- a/internal/controller/ec2/transitgatewaymulticastdomainassociation/zz_controller.go
+++ b/internal/controller/ec2/transitgatewaymulticastdomainassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayMulticastDomainAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayMulticastDomainAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_multicast_domain_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastDomainAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastDomainAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewaymulticastgroupmember/zz_controller.go b/internal/controller/ec2/transitgatewaymulticastgroupmember/zz_controller.go
index 646d3441b7..74005ee086 100755
--- a/internal/controller/ec2/transitgatewaymulticastgroupmember/zz_controller.go
+++ b/internal/controller/ec2/transitgatewaymulticastgroupmember/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayMulticastGroupMember managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayMulticastGroupMember_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_multicast_group_member"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastGroupMember_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastGroupMember_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewaymulticastgroupsource/zz_controller.go b/internal/controller/ec2/transitgatewaymulticastgroupsource/zz_controller.go
index f8c6315056..272f17b9c3 100755
--- a/internal/controller/ec2/transitgatewaymulticastgroupsource/zz_controller.go
+++ b/internal/controller/ec2/transitgatewaymulticastgroupsource/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayMulticastGroupSource managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayMulticastGroupSource_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_multicast_group_source"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastGroupSource_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayMulticastGroupSource_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewaypeeringattachment/zz_controller.go b/internal/controller/ec2/transitgatewaypeeringattachment/zz_controller.go
index d86d6068e1..2fe73125b8 100755
--- a/internal/controller/ec2/transitgatewaypeeringattachment/zz_controller.go
+++ b/internal/controller/ec2/transitgatewaypeeringattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayPeeringAttachment managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayPeeringAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_peering_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPeeringAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPeeringAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewaypeeringattachmentaccepter/zz_controller.go b/internal/controller/ec2/transitgatewaypeeringattachmentaccepter/zz_controller.go
index 99137843d7..79ba048510 100755
--- a/internal/controller/ec2/transitgatewaypeeringattachmentaccepter/zz_controller.go
+++ b/internal/controller/ec2/transitgatewaypeeringattachmentaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayPeeringAttachmentAccepter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayPeeringAttachmentAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_peering_attachment_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPeeringAttachmentAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPeeringAttachmentAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewaypolicytable/zz_controller.go b/internal/controller/ec2/transitgatewaypolicytable/zz_controller.go
index 5983257fcc..b794f3e947 100755
--- a/internal/controller/ec2/transitgatewaypolicytable/zz_controller.go
+++ b/internal/controller/ec2/transitgatewaypolicytable/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayPolicyTable managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayPolicyTable_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_policy_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPolicyTable_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPolicyTable_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayprefixlistreference/zz_controller.go b/internal/controller/ec2/transitgatewayprefixlistreference/zz_controller.go
index 38f49b3141..e9b9ea33ee 100755
--- a/internal/controller/ec2/transitgatewayprefixlistreference/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayprefixlistreference/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayPrefixListReference managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayPrefixListReference_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_prefix_list_reference"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPrefixListReference_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayPrefixListReference_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayroute/zz_controller.go b/internal/controller/ec2/transitgatewayroute/zz_controller.go
index c80ff07771..fa7df728aa 100755
--- a/internal/controller/ec2/transitgatewayroute/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayroute/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayRoute managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayRoute_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_route"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRoute_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRoute_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayroutetable/zz_controller.go b/internal/controller/ec2/transitgatewayroutetable/zz_controller.go
index f843fa8cc8..8d02712a2c 100755
--- a/internal/controller/ec2/transitgatewayroutetable/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayroutetable/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayRouteTable managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayRouteTable_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_route_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRouteTable_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRouteTable_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayroutetableassociation/zz_controller.go b/internal/controller/ec2/transitgatewayroutetableassociation/zz_controller.go
index 39748c5d74..e4df8f2756 100755
--- a/internal/controller/ec2/transitgatewayroutetableassociation/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayroutetableassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayRouteTableAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayRouteTableAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_route_table_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRouteTableAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRouteTableAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayroutetablepropagation/zz_controller.go b/internal/controller/ec2/transitgatewayroutetablepropagation/zz_controller.go
index 2a0c585539..8c45f5abfe 100755
--- a/internal/controller/ec2/transitgatewayroutetablepropagation/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayroutetablepropagation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayRouteTablePropagation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayRouteTablePropagation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_route_table_propagation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRouteTablePropagation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRouteTablePropagation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayvpcattachment/zz_controller.go b/internal/controller/ec2/transitgatewayvpcattachment/zz_controller.go
index 0144169600..224a4a3a3f 100755
--- a/internal/controller/ec2/transitgatewayvpcattachment/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayvpcattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayVPCAttachment managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayVPCAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_vpc_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayVPCAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayVPCAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/transitgatewayvpcattachmentaccepter/zz_controller.go b/internal/controller/ec2/transitgatewayvpcattachmentaccepter/zz_controller.go
index d316fa59c0..481bbe96f0 100755
--- a/internal/controller/ec2/transitgatewayvpcattachmentaccepter/zz_controller.go
+++ b/internal/controller/ec2/transitgatewayvpcattachmentaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayVPCAttachmentAccepter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayVPCAttachmentAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ec2_transit_gateway_vpc_attachment_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayVPCAttachmentAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayVPCAttachmentAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/volumeattachment/zz_controller.go b/internal/controller/ec2/volumeattachment/zz_controller.go
index c63117b9b9..5dbeff06c7 100755
--- a/internal/controller/ec2/volumeattachment/zz_controller.go
+++ b/internal/controller/ec2/volumeattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VolumeAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VolumeAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_volume_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VolumeAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VolumeAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpc/zz_controller.go b/internal/controller/ec2/vpc/zz_controller.go
index bbcd4a45f6..29715cfbae 100755
--- a/internal/controller/ec2/vpc/zz_controller.go
+++ b/internal/controller/ec2/vpc/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPC managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPC_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPC_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPC_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcdhcpoptions/zz_controller.go b/internal/controller/ec2/vpcdhcpoptions/zz_controller.go
index 5eecc97607..64aac8cffc 100755
--- a/internal/controller/ec2/vpcdhcpoptions/zz_controller.go
+++ b/internal/controller/ec2/vpcdhcpoptions/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCDHCPOptions managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCDHCPOptions_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_dhcp_options"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCDHCPOptions_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCDHCPOptions_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcdhcpoptionsassociation/zz_controller.go b/internal/controller/ec2/vpcdhcpoptionsassociation/zz_controller.go
index 1859b4e1ef..5b1b236aa8 100755
--- a/internal/controller/ec2/vpcdhcpoptionsassociation/zz_controller.go
+++ b/internal/controller/ec2/vpcdhcpoptionsassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCDHCPOptionsAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCDHCPOptionsAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_dhcp_options_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCDHCPOptionsAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCDHCPOptionsAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcendpoint/zz_controller.go b/internal/controller/ec2/vpcendpoint/zz_controller.go
index 058a444093..3baabc2f89 100755
--- a/internal/controller/ec2/vpcendpoint/zz_controller.go
+++ b/internal/controller/ec2/vpcendpoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCEndpoint managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCEndpoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_endpoint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCEndpoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCEndpoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcendpointconnectionnotification/zz_controller.go b/internal/controller/ec2/vpcendpointconnectionnotification/zz_controller.go
index e816bb6c89..23e656a38f 100755
--- a/internal/controller/ec2/vpcendpointconnectionnotification/zz_controller.go
+++ b/internal/controller/ec2/vpcendpointconnectionnotification/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCEndpointConnectionNotification managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCEndpointConnectionNotification_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_endpoint_connection_notification"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointConnectionNotification_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointConnectionNotification_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcendpointroutetableassociation/zz_controller.go b/internal/controller/ec2/vpcendpointroutetableassociation/zz_controller.go
index 6b82cd9341..344da278ac 100755
--- a/internal/controller/ec2/vpcendpointroutetableassociation/zz_controller.go
+++ b/internal/controller/ec2/vpcendpointroutetableassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCEndpointRouteTableAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCEndpointRouteTableAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_endpoint_route_table_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointRouteTableAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointRouteTableAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcendpointsecuritygroupassociation/zz_controller.go b/internal/controller/ec2/vpcendpointsecuritygroupassociation/zz_controller.go
index fa2e4574e0..4950149fc3 100755
--- a/internal/controller/ec2/vpcendpointsecuritygroupassociation/zz_controller.go
+++ b/internal/controller/ec2/vpcendpointsecuritygroupassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCEndpointSecurityGroupAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCEndpointSecurityGroupAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_endpoint_security_group_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointSecurityGroupAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointSecurityGroupAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcendpointservice/zz_controller.go b/internal/controller/ec2/vpcendpointservice/zz_controller.go
index aec0635e58..80e17ce683 100755
--- a/internal/controller/ec2/vpcendpointservice/zz_controller.go
+++ b/internal/controller/ec2/vpcendpointservice/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCEndpointService managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCEndpointService_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_endpoint_service"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointService_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointService_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcendpointserviceallowedprincipal/zz_controller.go b/internal/controller/ec2/vpcendpointserviceallowedprincipal/zz_controller.go
index 3550d83ab3..942abaded9 100755
--- a/internal/controller/ec2/vpcendpointserviceallowedprincipal/zz_controller.go
+++ b/internal/controller/ec2/vpcendpointserviceallowedprincipal/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCEndpointServiceAllowedPrincipal managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCEndpointServiceAllowedPrincipal_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_endpoint_service_allowed_principal"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointServiceAllowedPrincipal_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointServiceAllowedPrincipal_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcendpointsubnetassociation/zz_controller.go b/internal/controller/ec2/vpcendpointsubnetassociation/zz_controller.go
index f50e641260..f8a2a922e4 100755
--- a/internal/controller/ec2/vpcendpointsubnetassociation/zz_controller.go
+++ b/internal/controller/ec2/vpcendpointsubnetassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCEndpointSubnetAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCEndpointSubnetAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_endpoint_subnet_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointSubnetAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCEndpointSubnetAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcipam/zz_controller.go b/internal/controller/ec2/vpcipam/zz_controller.go
index 9ff2a63b66..10e0dc1ede 100755
--- a/internal/controller/ec2/vpcipam/zz_controller.go
+++ b/internal/controller/ec2/vpcipam/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCIpam managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCIpam_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_ipam"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCIpam_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCIpam_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcipampool/zz_controller.go b/internal/controller/ec2/vpcipampool/zz_controller.go
index 0e0aa87e41..d642e32655 100755
--- a/internal/controller/ec2/vpcipampool/zz_controller.go
+++ b/internal/controller/ec2/vpcipampool/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCIpamPool managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCIpamPool_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_ipam_pool"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCIpamPool_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCIpamPool_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcipampoolcidr/zz_controller.go b/internal/controller/ec2/vpcipampoolcidr/zz_controller.go
index 7d958399bd..9c9e27a931 100755
--- a/internal/controller/ec2/vpcipampoolcidr/zz_controller.go
+++ b/internal/controller/ec2/vpcipampoolcidr/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCIpamPoolCidr managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCIpamPoolCidr_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_ipam_pool_cidr"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCIpamPoolCidr_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCIpamPoolCidr_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcipampoolcidrallocation/zz_controller.go b/internal/controller/ec2/vpcipampoolcidrallocation/zz_controller.go
index d4059425d1..b5df8f070d 100755
--- a/internal/controller/ec2/vpcipampoolcidrallocation/zz_controller.go
+++ b/internal/controller/ec2/vpcipampoolcidrallocation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCIpamPoolCidrAllocation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCIpamPoolCidrAllocation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_ipam_pool_cidr_allocation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCIpamPoolCidrAllocation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCIpamPoolCidrAllocation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcipamscope/zz_controller.go b/internal/controller/ec2/vpcipamscope/zz_controller.go
index e805add93d..9f40c625df 100755
--- a/internal/controller/ec2/vpcipamscope/zz_controller.go
+++ b/internal/controller/ec2/vpcipamscope/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCIpamScope managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCIpamScope_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_ipam_scope"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCIpamScope_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCIpamScope_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcipv4cidrblockassociation/zz_controller.go b/internal/controller/ec2/vpcipv4cidrblockassociation/zz_controller.go
index 0603fc4c43..b43c9e9d5c 100755
--- a/internal/controller/ec2/vpcipv4cidrblockassociation/zz_controller.go
+++ b/internal/controller/ec2/vpcipv4cidrblockassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCIPv4CidrBlockAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCIPv4CidrBlockAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_ipv4_cidr_block_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCIPv4CidrBlockAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCIPv4CidrBlockAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcpeeringconnection/zz_controller.go b/internal/controller/ec2/vpcpeeringconnection/zz_controller.go
index 18978ef8e6..d75ac28970 100755
--- a/internal/controller/ec2/vpcpeeringconnection/zz_controller.go
+++ b/internal/controller/ec2/vpcpeeringconnection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCPeeringConnection managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCPeeringConnection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_peering_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCPeeringConnection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCPeeringConnection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcpeeringconnectionaccepter/zz_controller.go b/internal/controller/ec2/vpcpeeringconnectionaccepter/zz_controller.go
index 8aa9884d4f..4fdd45bd2c 100755
--- a/internal/controller/ec2/vpcpeeringconnectionaccepter/zz_controller.go
+++ b/internal/controller/ec2/vpcpeeringconnectionaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCPeeringConnectionAccepter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCPeeringConnectionAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_peering_connection_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCPeeringConnectionAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCPeeringConnectionAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpcpeeringconnectionoptions/zz_controller.go b/internal/controller/ec2/vpcpeeringconnectionoptions/zz_controller.go
index 7a1add076a..4382cccbe8 100755
--- a/internal/controller/ec2/vpcpeeringconnectionoptions/zz_controller.go
+++ b/internal/controller/ec2/vpcpeeringconnectionoptions/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCPeeringConnectionOptions managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCPeeringConnectionOptions_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_peering_connection_options"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCPeeringConnectionOptions_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCPeeringConnectionOptions_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpnconnection/zz_controller.go b/internal/controller/ec2/vpnconnection/zz_controller.go
index a4cd2294c5..5c5969fbb0 100755
--- a/internal/controller/ec2/vpnconnection/zz_controller.go
+++ b/internal/controller/ec2/vpnconnection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPNConnection managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPNConnection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpn_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPNConnection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPNConnection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpnconnectionroute/zz_controller.go b/internal/controller/ec2/vpnconnectionroute/zz_controller.go
index 6f9ec59c65..d2264d5fe0 100755
--- a/internal/controller/ec2/vpnconnectionroute/zz_controller.go
+++ b/internal/controller/ec2/vpnconnectionroute/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPNConnectionRoute managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPNConnectionRoute_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpn_connection_route"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPNConnectionRoute_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPNConnectionRoute_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpngateway/zz_controller.go b/internal/controller/ec2/vpngateway/zz_controller.go
index d186a5c0a0..8eb30b03e5 100755
--- a/internal/controller/ec2/vpngateway/zz_controller.go
+++ b/internal/controller/ec2/vpngateway/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPNGateway managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPNGateway_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpn_gateway"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPNGateway_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPNGateway_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpngatewayattachment/zz_controller.go b/internal/controller/ec2/vpngatewayattachment/zz_controller.go
index 01211aa3e4..86f2818c37 100755
--- a/internal/controller/ec2/vpngatewayattachment/zz_controller.go
+++ b/internal/controller/ec2/vpngatewayattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPNGatewayAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPNGatewayAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpn_gateway_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPNGatewayAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPNGatewayAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ec2/vpngatewayroutepropagation/zz_controller.go b/internal/controller/ec2/vpngatewayroutepropagation/zz_controller.go
index bb56cba1a8..8d39bc520a 100755
--- a/internal/controller/ec2/vpngatewayroutepropagation/zz_controller.go
+++ b/internal/controller/ec2/vpngatewayroutepropagation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ec2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPNGatewayRoutePropagation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPNGatewayRoutePropagation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpn_gateway_route_propagation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPNGatewayRoutePropagation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPNGatewayRoutePropagation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecr/lifecyclepolicy/zz_controller.go b/internal/controller/ecr/lifecyclepolicy/zz_controller.go
index ae7671cfb1..7b98e867a1 100755
--- a/internal/controller/ecr/lifecyclepolicy/zz_controller.go
+++ b/internal/controller/ecr/lifecyclepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LifecyclePolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LifecyclePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecr_lifecycle_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LifecyclePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LifecyclePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecr/pullthroughcacherule/zz_controller.go b/internal/controller/ecr/pullthroughcacherule/zz_controller.go
index e73eef3954..28b9f20ba4 100755
--- a/internal/controller/ecr/pullthroughcacherule/zz_controller.go
+++ b/internal/controller/ecr/pullthroughcacherule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PullThroughCacheRule managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PullThroughCacheRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecr_pull_through_cache_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PullThroughCacheRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PullThroughCacheRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecr/registrypolicy/zz_controller.go b/internal/controller/ecr/registrypolicy/zz_controller.go
index 55f0a88216..81ba1eb67f 100755
--- a/internal/controller/ecr/registrypolicy/zz_controller.go
+++ b/internal/controller/ecr/registrypolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegistryPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegistryPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecr_registry_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegistryPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegistryPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecr/registryscanningconfiguration/zz_controller.go b/internal/controller/ecr/registryscanningconfiguration/zz_controller.go
index ab998fa1cc..55d5f2e1a1 100755
--- a/internal/controller/ecr/registryscanningconfiguration/zz_controller.go
+++ b/internal/controller/ecr/registryscanningconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegistryScanningConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegistryScanningConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecr_registry_scanning_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegistryScanningConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegistryScanningConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecr/replicationconfiguration/zz_controller.go b/internal/controller/ecr/replicationconfiguration/zz_controller.go
index e65685a55d..a5ca09942b 100755
--- a/internal/controller/ecr/replicationconfiguration/zz_controller.go
+++ b/internal/controller/ecr/replicationconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicationConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicationConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecr_replication_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicationConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicationConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecr/repository/zz_controller.go b/internal/controller/ecr/repository/zz_controller.go
index 2e7f7ec761..bc356e9cdc 100755
--- a/internal/controller/ecr/repository/zz_controller.go
+++ b/internal/controller/ecr/repository/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Repository managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecr_repository"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecr/repositorypolicy/zz_controller.go b/internal/controller/ecr/repositorypolicy/zz_controller.go
index 72b24a57d4..cb314b2c90 100755
--- a/internal/controller/ecr/repositorypolicy/zz_controller.go
+++ b/internal/controller/ecr/repositorypolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RepositoryPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RepositoryPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecr_repository_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RepositoryPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RepositoryPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecrpublic/repository/zz_controller.go b/internal/controller/ecrpublic/repository/zz_controller.go
index c72ff3f0a9..287918c5df 100755
--- a/internal/controller/ecrpublic/repository/zz_controller.go
+++ b/internal/controller/ecrpublic/repository/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecrpublic/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Repository managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecrpublic_repository"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Repository_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecrpublic/repositorypolicy/zz_controller.go b/internal/controller/ecrpublic/repositorypolicy/zz_controller.go
index 26176a09c0..fca8765aee 100755
--- a/internal/controller/ecrpublic/repositorypolicy/zz_controller.go
+++ b/internal/controller/ecrpublic/repositorypolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecrpublic/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RepositoryPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RepositoryPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecrpublic_repository_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RepositoryPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RepositoryPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecs/accountsettingdefault/zz_controller.go b/internal/controller/ecs/accountsettingdefault/zz_controller.go
index 07cb724825..93ba4e3c18 100755
--- a/internal/controller/ecs/accountsettingdefault/zz_controller.go
+++ b/internal/controller/ecs/accountsettingdefault/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccountSettingDefault managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccountSettingDefault_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecs_account_setting_default"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccountSettingDefault_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccountSettingDefault_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecs/capacityprovider/zz_controller.go b/internal/controller/ecs/capacityprovider/zz_controller.go
index b0d4c8549b..6f5439d272 100755
--- a/internal/controller/ecs/capacityprovider/zz_controller.go
+++ b/internal/controller/ecs/capacityprovider/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CapacityProvider managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CapacityProvider_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecs_capacity_provider"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CapacityProvider_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CapacityProvider_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecs/cluster/zz_controller.go b/internal/controller/ecs/cluster/zz_controller.go
index 58b2aef3c5..7ff2a63110 100755
--- a/internal/controller/ecs/cluster/zz_controller.go
+++ b/internal/controller/ecs/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecs_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecs/clustercapacityproviders/zz_controller.go b/internal/controller/ecs/clustercapacityproviders/zz_controller.go
index 6d44330722..565ee52155 100755
--- a/internal/controller/ecs/clustercapacityproviders/zz_controller.go
+++ b/internal/controller/ecs/clustercapacityproviders/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterCapacityProviders managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterCapacityProviders_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecs_cluster_capacity_providers"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterCapacityProviders_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterCapacityProviders_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecs/service/zz_controller.go b/internal/controller/ecs/service/zz_controller.go
index 31d0fe22b2..50060e2284 100755
--- a/internal/controller/ecs/service/zz_controller.go
+++ b/internal/controller/ecs/service/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Service managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Service_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecs_service"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Service_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Service_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ecs/taskdefinition/zz_controller.go b/internal/controller/ecs/taskdefinition/zz_controller.go
index 6658d77fcf..5b93cf8485 100755
--- a/internal/controller/ecs/taskdefinition/zz_controller.go
+++ b/internal/controller/ecs/taskdefinition/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ecs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TaskDefinition managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TaskDefinition_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ecs_task_definition"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TaskDefinition_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TaskDefinition_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/efs/accesspoint/zz_controller.go b/internal/controller/efs/accesspoint/zz_controller.go
index 527bd27a91..18102b534a 100755
--- a/internal/controller/efs/accesspoint/zz_controller.go
+++ b/internal/controller/efs/accesspoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/efs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccessPoint managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccessPoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_efs_access_point"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccessPoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccessPoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/efs/backuppolicy/zz_controller.go b/internal/controller/efs/backuppolicy/zz_controller.go
index a59d8f0ba8..a791a5ee55 100755
--- a/internal/controller/efs/backuppolicy/zz_controller.go
+++ b/internal/controller/efs/backuppolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/efs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BackupPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BackupPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_efs_backup_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BackupPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BackupPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/efs/filesystem/zz_controller.go b/internal/controller/efs/filesystem/zz_controller.go
index a51bb51a6c..313e21c145 100755
--- a/internal/controller/efs/filesystem/zz_controller.go
+++ b/internal/controller/efs/filesystem/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/efs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FileSystem managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FileSystem_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_efs_file_system"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FileSystem_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FileSystem_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/efs/filesystempolicy/zz_controller.go b/internal/controller/efs/filesystempolicy/zz_controller.go
index 1d49843ce9..249eeeb8ee 100755
--- a/internal/controller/efs/filesystempolicy/zz_controller.go
+++ b/internal/controller/efs/filesystempolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/efs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FileSystemPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FileSystemPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_efs_file_system_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FileSystemPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FileSystemPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/efs/mounttarget/zz_controller.go b/internal/controller/efs/mounttarget/zz_controller.go
index 27f7f809b4..e29daff012 100755
--- a/internal/controller/efs/mounttarget/zz_controller.go
+++ b/internal/controller/efs/mounttarget/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/efs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MountTarget managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MountTarget_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_efs_mount_target"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MountTarget_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MountTarget_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/efs/replicationconfiguration/zz_controller.go b/internal/controller/efs/replicationconfiguration/zz_controller.go
index 5314f6c118..ac1a0ee380 100755
--- a/internal/controller/efs/replicationconfiguration/zz_controller.go
+++ b/internal/controller/efs/replicationconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/efs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicationConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicationConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_efs_replication_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicationConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicationConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/eks/addon/zz_controller.go b/internal/controller/eks/addon/zz_controller.go
index b7a2673b6b..440a883efd 100755
--- a/internal/controller/eks/addon/zz_controller.go
+++ b/internal/controller/eks/addon/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/eks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Addon managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Addon_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_eks_addon"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Addon_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Addon_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/eks/cluster/zz_controller.go b/internal/controller/eks/cluster/zz_controller.go
index deef693584..7e8230f7f4 100755
--- a/internal/controller/eks/cluster/zz_controller.go
+++ b/internal/controller/eks/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/eks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_eks_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/eks/fargateprofile/zz_controller.go b/internal/controller/eks/fargateprofile/zz_controller.go
index 007071c2de..1b79792096 100755
--- a/internal/controller/eks/fargateprofile/zz_controller.go
+++ b/internal/controller/eks/fargateprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/eks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FargateProfile managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FargateProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_eks_fargate_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FargateProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FargateProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/eks/identityproviderconfig/zz_controller.go b/internal/controller/eks/identityproviderconfig/zz_controller.go
index 41ce8ec607..d24b5a1c25 100755
--- a/internal/controller/eks/identityproviderconfig/zz_controller.go
+++ b/internal/controller/eks/identityproviderconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/eks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IdentityProviderConfig managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IdentityProviderConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_eks_identity_provider_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IdentityProviderConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IdentityProviderConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/eks/nodegroup/zz_controller.go b/internal/controller/eks/nodegroup/zz_controller.go
index 973da09e66..d111450222 100755
--- a/internal/controller/eks/nodegroup/zz_controller.go
+++ b/internal/controller/eks/nodegroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/eks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NodeGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NodeGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_eks_node_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NodeGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NodeGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticache/cluster/zz_controller.go b/internal/controller/elasticache/cluster/zz_controller.go
index 43e6463129..79ff984cb5 100755
--- a/internal/controller/elasticache/cluster/zz_controller.go
+++ b/internal/controller/elasticache/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticache/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticache_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticache/parametergroup/zz_controller.go b/internal/controller/elasticache/parametergroup/zz_controller.go
index 4b5e302f13..ee9179daa2 100755
--- a/internal/controller/elasticache/parametergroup/zz_controller.go
+++ b/internal/controller/elasticache/parametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticache/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ParameterGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticache_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticache/replicationgroup/zz_controller.go b/internal/controller/elasticache/replicationgroup/zz_controller.go
index 8dee90b447..1a11f1b5e1 100755
--- a/internal/controller/elasticache/replicationgroup/zz_controller.go
+++ b/internal/controller/elasticache/replicationgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticache/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicationGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicationGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticache_replication_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicationGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicationGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticache/subnetgroup/zz_controller.go b/internal/controller/elasticache/subnetgroup/zz_controller.go
index 30923f5140..c5944fbeef 100755
--- a/internal/controller/elasticache/subnetgroup/zz_controller.go
+++ b/internal/controller/elasticache/subnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticache/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticache_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticache/user/zz_controller.go b/internal/controller/elasticache/user/zz_controller.go
index d93d1bbcf5..c66439035a 100755
--- a/internal/controller/elasticache/user/zz_controller.go
+++ b/internal/controller/elasticache/user/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticache/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles User managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.User_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticache_user"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticache/usergroup/zz_controller.go b/internal/controller/elasticache/usergroup/zz_controller.go
index b0697d9f35..f4197685d0 100755
--- a/internal/controller/elasticache/usergroup/zz_controller.go
+++ b/internal/controller/elasticache/usergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticache/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticache_user_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticbeanstalk/application/zz_controller.go b/internal/controller/elasticbeanstalk/application/zz_controller.go
index 69cd97fb12..0616d3b287 100755
--- a/internal/controller/elasticbeanstalk/application/zz_controller.go
+++ b/internal/controller/elasticbeanstalk/application/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticbeanstalk/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Application managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Application_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elastic_beanstalk_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticbeanstalk/applicationversion/zz_controller.go b/internal/controller/elasticbeanstalk/applicationversion/zz_controller.go
index 7121147234..f9b4901f2d 100755
--- a/internal/controller/elasticbeanstalk/applicationversion/zz_controller.go
+++ b/internal/controller/elasticbeanstalk/applicationversion/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticbeanstalk/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ApplicationVersion managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ApplicationVersion_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elastic_beanstalk_application_version"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ApplicationVersion_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ApplicationVersion_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticbeanstalk/configurationtemplate/zz_controller.go b/internal/controller/elasticbeanstalk/configurationtemplate/zz_controller.go
index 89b6284355..a7cce4f333 100755
--- a/internal/controller/elasticbeanstalk/configurationtemplate/zz_controller.go
+++ b/internal/controller/elasticbeanstalk/configurationtemplate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticbeanstalk/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigurationTemplate managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigurationTemplate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elastic_beanstalk_configuration_template"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigurationTemplate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigurationTemplate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticsearch/domain/zz_controller.go b/internal/controller/elasticsearch/domain/zz_controller.go
index 6bdcca63a6..d3560d843e 100755
--- a/internal/controller/elasticsearch/domain/zz_controller.go
+++ b/internal/controller/elasticsearch/domain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticsearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Domain managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticsearch_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticsearch/domainpolicy/zz_controller.go b/internal/controller/elasticsearch/domainpolicy/zz_controller.go
index 53d3947d9b..7115c567f0 100755
--- a/internal/controller/elasticsearch/domainpolicy/zz_controller.go
+++ b/internal/controller/elasticsearch/domainpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticsearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticsearch_domain_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elasticsearch/domainsamloptions/zz_controller.go b/internal/controller/elasticsearch/domainsamloptions/zz_controller.go
index 320532b6cd..120e38b986 100755
--- a/internal/controller/elasticsearch/domainsamloptions/zz_controller.go
+++ b/internal/controller/elasticsearch/domainsamloptions/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elasticsearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainSAMLOptions managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainSAMLOptions_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elasticsearch_domain_saml_options"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainSAMLOptions_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainSAMLOptions_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elastictranscoder/pipeline/zz_controller.go b/internal/controller/elastictranscoder/pipeline/zz_controller.go
index ded0e0d813..b551afebc6 100755
--- a/internal/controller/elastictranscoder/pipeline/zz_controller.go
+++ b/internal/controller/elastictranscoder/pipeline/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elastictranscoder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Pipeline managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Pipeline_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elastictranscoder_pipeline"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Pipeline_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Pipeline_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elastictranscoder/preset/zz_controller.go b/internal/controller/elastictranscoder/preset/zz_controller.go
index 5ea2867fed..01a2d14737 100755
--- a/internal/controller/elastictranscoder/preset/zz_controller.go
+++ b/internal/controller/elastictranscoder/preset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elastictranscoder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Preset managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Preset_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elastictranscoder_preset"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Preset_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Preset_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/appcookiestickinesspolicy/zz_controller.go b/internal/controller/elb/appcookiestickinesspolicy/zz_controller.go
index bbb54ccc85..46b11fcbdd 100755
--- a/internal/controller/elb/appcookiestickinesspolicy/zz_controller.go
+++ b/internal/controller/elb/appcookiestickinesspolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AppCookieStickinessPolicy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AppCookieStickinessPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_app_cookie_stickiness_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AppCookieStickinessPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AppCookieStickinessPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/attachment/zz_controller.go b/internal/controller/elb/attachment/zz_controller.go
index 86336b0d55..99cbdbbd96 100755
--- a/internal/controller/elb/attachment/zz_controller.go
+++ b/internal/controller/elb/attachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Attachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Attachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elb_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Attachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Attachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/backendserverpolicy/zz_controller.go b/internal/controller/elb/backendserverpolicy/zz_controller.go
index 97b851234a..1894016873 100755
--- a/internal/controller/elb/backendserverpolicy/zz_controller.go
+++ b/internal/controller/elb/backendserverpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BackendServerPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BackendServerPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_load_balancer_backend_server_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BackendServerPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BackendServerPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/elb/zz_controller.go b/internal/controller/elb/elb/zz_controller.go
index 482fc2b8f6..9e5b96b3e2 100755
--- a/internal/controller/elb/elb/zz_controller.go
+++ b/internal/controller/elb/elb/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ELB managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ELB_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_elb"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ELB_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ELB_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/lbcookiestickinesspolicy/zz_controller.go b/internal/controller/elb/lbcookiestickinesspolicy/zz_controller.go
index 39f2c7a98e..238a6dbcb3 100755
--- a/internal/controller/elb/lbcookiestickinesspolicy/zz_controller.go
+++ b/internal/controller/elb/lbcookiestickinesspolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBCookieStickinessPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBCookieStickinessPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lb_cookie_stickiness_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBCookieStickinessPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBCookieStickinessPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/lbsslnegotiationpolicy/zz_controller.go b/internal/controller/elb/lbsslnegotiationpolicy/zz_controller.go
index d0ecd3bcd0..6a50d83c4b 100755
--- a/internal/controller/elb/lbsslnegotiationpolicy/zz_controller.go
+++ b/internal/controller/elb/lbsslnegotiationpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBSSLNegotiationPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBSSLNegotiationPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lb_ssl_negotiation_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBSSLNegotiationPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBSSLNegotiationPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/listenerpolicy/zz_controller.go b/internal/controller/elb/listenerpolicy/zz_controller.go
index c0469edcce..71dceb7c97 100755
--- a/internal/controller/elb/listenerpolicy/zz_controller.go
+++ b/internal/controller/elb/listenerpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ListenerPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ListenerPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_load_balancer_listener_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ListenerPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ListenerPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/policy/zz_controller.go b/internal/controller/elb/policy/zz_controller.go
index dd7511c163..d57e947d93 100755
--- a/internal/controller/elb/policy/zz_controller.go
+++ b/internal/controller/elb/policy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Policy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_load_balancer_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elb/proxyprotocolpolicy/zz_controller.go b/internal/controller/elb/proxyprotocolpolicy/zz_controller.go
index d9361fbdc6..93cc485994 100755
--- a/internal/controller/elb/proxyprotocolpolicy/zz_controller.go
+++ b/internal/controller/elb/proxyprotocolpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProxyProtocolPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProxyProtocolPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_proxy_protocol_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProxyProtocolPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProxyProtocolPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elbv2/lb/zz_controller.go b/internal/controller/elbv2/lb/zz_controller.go
index 02a9531e61..d2f39a6db3 100755
--- a/internal/controller/elbv2/lb/zz_controller.go
+++ b/internal/controller/elbv2/lb/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elbv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LB managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LB_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lb"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LB_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LB_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elbv2/lblistener/zz_controller.go b/internal/controller/elbv2/lblistener/zz_controller.go
index b8da94d30c..66b5468218 100755
--- a/internal/controller/elbv2/lblistener/zz_controller.go
+++ b/internal/controller/elbv2/lblistener/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elbv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBListener managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBListener_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lb_listener"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBListener_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBListener_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elbv2/lblistenerrule/zz_controller.go b/internal/controller/elbv2/lblistenerrule/zz_controller.go
index b3c4af9366..09a709494e 100755
--- a/internal/controller/elbv2/lblistenerrule/zz_controller.go
+++ b/internal/controller/elbv2/lblistenerrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elbv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBListenerRule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBListenerRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lb_listener_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBListenerRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBListenerRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elbv2/lbtargetgroup/zz_controller.go b/internal/controller/elbv2/lbtargetgroup/zz_controller.go
index 87234467f2..a258a7dcd2 100755
--- a/internal/controller/elbv2/lbtargetgroup/zz_controller.go
+++ b/internal/controller/elbv2/lbtargetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elbv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBTargetGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBTargetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lb_target_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBTargetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBTargetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/elbv2/lbtargetgroupattachment/zz_controller.go b/internal/controller/elbv2/lbtargetgroupattachment/zz_controller.go
index 76b2771aa0..8ee0603843 100755
--- a/internal/controller/elbv2/lbtargetgroupattachment/zz_controller.go
+++ b/internal/controller/elbv2/lbtargetgroupattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/elbv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBTargetGroupAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBTargetGroupAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lb_target_group_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBTargetGroupAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBTargetGroupAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/emr/securityconfiguration/zz_controller.go b/internal/controller/emr/securityconfiguration/zz_controller.go
index 7e49b0da21..776d987c5b 100755
--- a/internal/controller/emr/securityconfiguration/zz_controller.go
+++ b/internal/controller/emr/securityconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/emr/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecurityConfiguration managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecurityConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_emr_security_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecurityConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecurityConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/emrserverless/application/zz_controller.go b/internal/controller/emrserverless/application/zz_controller.go
index ce7a56002d..a8d0a76597 100755
--- a/internal/controller/emrserverless/application/zz_controller.go
+++ b/internal/controller/emrserverless/application/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/emrserverless/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Application managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Application_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_emrserverless_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/evidently/feature/zz_controller.go b/internal/controller/evidently/feature/zz_controller.go
index 8a971cec81..f93f685318 100755
--- a/internal/controller/evidently/feature/zz_controller.go
+++ b/internal/controller/evidently/feature/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/evidently/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Feature managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Feature_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_evidently_feature"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Feature_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Feature_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/evidently/project/zz_controller.go b/internal/controller/evidently/project/zz_controller.go
index c65313bc14..25f8ad9f16 100755
--- a/internal/controller/evidently/project/zz_controller.go
+++ b/internal/controller/evidently/project/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/evidently/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Project managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Project_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_evidently_project"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Project_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Project_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/evidently/segment/zz_controller.go b/internal/controller/evidently/segment/zz_controller.go
index cee3085060..55a34545fc 100755
--- a/internal/controller/evidently/segment/zz_controller.go
+++ b/internal/controller/evidently/segment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/evidently/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Segment managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Segment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_evidently_segment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Segment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Segment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/firehose/deliverystream/zz_controller.go b/internal/controller/firehose/deliverystream/zz_controller.go
index c32ac85945..59c9f794e9 100755
--- a/internal/controller/firehose/deliverystream/zz_controller.go
+++ b/internal/controller/firehose/deliverystream/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/firehose/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DeliveryStream managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DeliveryStream_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kinesis_firehose_delivery_stream"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DeliveryStream_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DeliveryStream_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/fis/experimenttemplate/zz_controller.go b/internal/controller/fis/experimenttemplate/zz_controller.go
index 6dc3014ff3..deac7ce5b9 100755
--- a/internal/controller/fis/experimenttemplate/zz_controller.go
+++ b/internal/controller/fis/experimenttemplate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/fis/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ExperimentTemplate managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ExperimentTemplate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_fis_experiment_template"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ExperimentTemplate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ExperimentTemplate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/fsx/backup/zz_controller.go b/internal/controller/fsx/backup/zz_controller.go
index faf5b4f1fe..741b3dff33 100755
--- a/internal/controller/fsx/backup/zz_controller.go
+++ b/internal/controller/fsx/backup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/fsx/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Backup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Backup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_fsx_backup"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Backup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Backup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/fsx/datarepositoryassociation/zz_controller.go b/internal/controller/fsx/datarepositoryassociation/zz_controller.go
index 74aa7f7ac3..61163eee6e 100755
--- a/internal/controller/fsx/datarepositoryassociation/zz_controller.go
+++ b/internal/controller/fsx/datarepositoryassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/fsx/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DataRepositoryAssociation managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DataRepositoryAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_fsx_data_repository_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DataRepositoryAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DataRepositoryAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/fsx/lustrefilesystem/zz_controller.go b/internal/controller/fsx/lustrefilesystem/zz_controller.go
index eacf016fec..3f6925b6d4 100755
--- a/internal/controller/fsx/lustrefilesystem/zz_controller.go
+++ b/internal/controller/fsx/lustrefilesystem/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/fsx/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LustreFileSystem managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LustreFileSystem_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_fsx_lustre_file_system"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LustreFileSystem_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LustreFileSystem_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/fsx/ontapfilesystem/zz_controller.go b/internal/controller/fsx/ontapfilesystem/zz_controller.go
index 0fc209e9c0..25ef3d6a2c 100755
--- a/internal/controller/fsx/ontapfilesystem/zz_controller.go
+++ b/internal/controller/fsx/ontapfilesystem/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/fsx/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OntapFileSystem managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OntapFileSystem_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_fsx_ontap_file_system"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OntapFileSystem_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OntapFileSystem_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/fsx/ontapstoragevirtualmachine/zz_controller.go b/internal/controller/fsx/ontapstoragevirtualmachine/zz_controller.go
index f4773bed7f..73e402b339 100755
--- a/internal/controller/fsx/ontapstoragevirtualmachine/zz_controller.go
+++ b/internal/controller/fsx/ontapstoragevirtualmachine/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/fsx/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OntapStorageVirtualMachine managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OntapStorageVirtualMachine_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_fsx_ontap_storage_virtual_machine"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OntapStorageVirtualMachine_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OntapStorageVirtualMachine_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/fsx/windowsfilesystem/zz_controller.go b/internal/controller/fsx/windowsfilesystem/zz_controller.go
index 5dc12002c4..fdfd701bf1 100755
--- a/internal/controller/fsx/windowsfilesystem/zz_controller.go
+++ b/internal/controller/fsx/windowsfilesystem/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/fsx/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles WindowsFileSystem managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.WindowsFileSystem_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_fsx_windows_file_system"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.WindowsFileSystem_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.WindowsFileSystem_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/gamelift/alias/zz_controller.go b/internal/controller/gamelift/alias/zz_controller.go
index d3d72013a3..716b3a70e9 100755
--- a/internal/controller/gamelift/alias/zz_controller.go
+++ b/internal/controller/gamelift/alias/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/gamelift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Alias managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_gamelift_alias"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/gamelift/build/zz_controller.go b/internal/controller/gamelift/build/zz_controller.go
index 7244be8e6b..43e3c4fe3f 100755
--- a/internal/controller/gamelift/build/zz_controller.go
+++ b/internal/controller/gamelift/build/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/gamelift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Build managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Build_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_gamelift_build"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Build_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Build_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/gamelift/fleet/zz_controller.go b/internal/controller/gamelift/fleet/zz_controller.go
index bb3ecdcffe..3712552111 100755
--- a/internal/controller/gamelift/fleet/zz_controller.go
+++ b/internal/controller/gamelift/fleet/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/gamelift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Fleet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Fleet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_gamelift_fleet"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Fleet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Fleet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/gamelift/gamesessionqueue/zz_controller.go b/internal/controller/gamelift/gamesessionqueue/zz_controller.go
index 3589f16c8f..c1e49dc128 100755
--- a/internal/controller/gamelift/gamesessionqueue/zz_controller.go
+++ b/internal/controller/gamelift/gamesessionqueue/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/gamelift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GameSessionQueue managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GameSessionQueue_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_gamelift_game_session_queue"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GameSessionQueue_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GameSessionQueue_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/gamelift/script/zz_controller.go b/internal/controller/gamelift/script/zz_controller.go
index fced9d6e35..aaba0301ea 100755
--- a/internal/controller/gamelift/script/zz_controller.go
+++ b/internal/controller/gamelift/script/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/gamelift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Script managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Script_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_gamelift_script"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Script_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Script_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glacier/vault/zz_controller.go b/internal/controller/glacier/vault/zz_controller.go
index 3c6cc16294..ba20f350f3 100755
--- a/internal/controller/glacier/vault/zz_controller.go
+++ b/internal/controller/glacier/vault/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glacier/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Vault managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Vault_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glacier_vault"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Vault_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Vault_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glacier/vaultlock/zz_controller.go b/internal/controller/glacier/vaultlock/zz_controller.go
index c54f6ded5a..a9baeaae38 100755
--- a/internal/controller/glacier/vaultlock/zz_controller.go
+++ b/internal/controller/glacier/vaultlock/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glacier/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VaultLock managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VaultLock_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glacier_vault_lock"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VaultLock_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VaultLock_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/globalaccelerator/accelerator/zz_controller.go b/internal/controller/globalaccelerator/accelerator/zz_controller.go
index 8dc8050ac3..b33406ddbc 100755
--- a/internal/controller/globalaccelerator/accelerator/zz_controller.go
+++ b/internal/controller/globalaccelerator/accelerator/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/globalaccelerator/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Accelerator managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Accelerator_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_globalaccelerator_accelerator"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Accelerator_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Accelerator_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/globalaccelerator/endpointgroup/zz_controller.go b/internal/controller/globalaccelerator/endpointgroup/zz_controller.go
index 69babba36f..5b350445a4 100755
--- a/internal/controller/globalaccelerator/endpointgroup/zz_controller.go
+++ b/internal/controller/globalaccelerator/endpointgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/globalaccelerator/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EndpointGroup managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EndpointGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_globalaccelerator_endpoint_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EndpointGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EndpointGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/globalaccelerator/listener/zz_controller.go b/internal/controller/globalaccelerator/listener/zz_controller.go
index 56c455b72d..c55c2871ff 100755
--- a/internal/controller/globalaccelerator/listener/zz_controller.go
+++ b/internal/controller/globalaccelerator/listener/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/globalaccelerator/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Listener managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Listener_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_globalaccelerator_listener"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Listener_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Listener_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/catalogdatabase/zz_controller.go b/internal/controller/glue/catalogdatabase/zz_controller.go
index 4bf4a19407..18b6cdecde 100755
--- a/internal/controller/glue/catalogdatabase/zz_controller.go
+++ b/internal/controller/glue/catalogdatabase/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CatalogDatabase managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CatalogDatabase_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_catalog_database"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CatalogDatabase_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CatalogDatabase_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/catalogtable/zz_controller.go b/internal/controller/glue/catalogtable/zz_controller.go
index f7a1873215..0485c54a2f 100755
--- a/internal/controller/glue/catalogtable/zz_controller.go
+++ b/internal/controller/glue/catalogtable/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CatalogTable managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CatalogTable_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_catalog_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CatalogTable_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CatalogTable_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/classifier/zz_controller.go b/internal/controller/glue/classifier/zz_controller.go
index 9b8d32aae0..60706f74a6 100755
--- a/internal/controller/glue/classifier/zz_controller.go
+++ b/internal/controller/glue/classifier/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Classifier managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Classifier_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_classifier"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Classifier_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Classifier_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/connection/zz_controller.go b/internal/controller/glue/connection/zz_controller.go
index 55b3bd6714..c2693e60ed 100755
--- a/internal/controller/glue/connection/zz_controller.go
+++ b/internal/controller/glue/connection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Connection managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/crawler/zz_controller.go b/internal/controller/glue/crawler/zz_controller.go
index 37412990ae..934175cdfd 100755
--- a/internal/controller/glue/crawler/zz_controller.go
+++ b/internal/controller/glue/crawler/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Crawler managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Crawler_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_crawler"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Crawler_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Crawler_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/datacatalogencryptionsettings/zz_controller.go b/internal/controller/glue/datacatalogencryptionsettings/zz_controller.go
index 325cf7947c..a733e4ad2b 100755
--- a/internal/controller/glue/datacatalogencryptionsettings/zz_controller.go
+++ b/internal/controller/glue/datacatalogencryptionsettings/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DataCatalogEncryptionSettings managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DataCatalogEncryptionSettings_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_data_catalog_encryption_settings"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DataCatalogEncryptionSettings_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DataCatalogEncryptionSettings_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/job/zz_controller.go b/internal/controller/glue/job/zz_controller.go
index 72c417efc0..2aaaa3b025 100755
--- a/internal/controller/glue/job/zz_controller.go
+++ b/internal/controller/glue/job/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Job managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Job_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_job"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Job_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Job_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/registry/zz_controller.go b/internal/controller/glue/registry/zz_controller.go
index fd6e5ababf..0663e28607 100755
--- a/internal/controller/glue/registry/zz_controller.go
+++ b/internal/controller/glue/registry/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Registry managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Registry_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_registry"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Registry_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Registry_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/resourcepolicy/zz_controller.go b/internal/controller/glue/resourcepolicy/zz_controller.go
index c1a0a325d4..ee815eb714 100755
--- a/internal/controller/glue/resourcepolicy/zz_controller.go
+++ b/internal/controller/glue/resourcepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourcePolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_resource_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourcePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/schema/zz_controller.go b/internal/controller/glue/schema/zz_controller.go
index 8652339ae3..ad4d4b1727 100755
--- a/internal/controller/glue/schema/zz_controller.go
+++ b/internal/controller/glue/schema/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Schema managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Schema_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_schema"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Schema_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Schema_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/securityconfiguration/zz_controller.go b/internal/controller/glue/securityconfiguration/zz_controller.go
index 6c42d857da..954d4930bb 100755
--- a/internal/controller/glue/securityconfiguration/zz_controller.go
+++ b/internal/controller/glue/securityconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecurityConfiguration managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecurityConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_security_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecurityConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecurityConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/trigger/zz_controller.go b/internal/controller/glue/trigger/zz_controller.go
index 14d2fb8ef9..3b2b00e8cc 100755
--- a/internal/controller/glue/trigger/zz_controller.go
+++ b/internal/controller/glue/trigger/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Trigger managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Trigger_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_trigger"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Trigger_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Trigger_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/userdefinedfunction/zz_controller.go b/internal/controller/glue/userdefinedfunction/zz_controller.go
index ba4db65642..ed6445cfa7 100755
--- a/internal/controller/glue/userdefinedfunction/zz_controller.go
+++ b/internal/controller/glue/userdefinedfunction/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserDefinedFunction managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserDefinedFunction_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_user_defined_function"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserDefinedFunction_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserDefinedFunction_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/glue/workflow/zz_controller.go b/internal/controller/glue/workflow/zz_controller.go
index 5be43894c4..ae62ca766e 100755
--- a/internal/controller/glue/workflow/zz_controller.go
+++ b/internal/controller/glue/workflow/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/glue/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Workflow managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Workflow_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_glue_workflow"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Workflow_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Workflow_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/grafana/licenseassociation/zz_controller.go b/internal/controller/grafana/licenseassociation/zz_controller.go
index 3a220675d4..44ebdb3b43 100755
--- a/internal/controller/grafana/licenseassociation/zz_controller.go
+++ b/internal/controller/grafana/licenseassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/grafana/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LicenseAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LicenseAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_grafana_license_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LicenseAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LicenseAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/grafana/roleassociation/zz_controller.go b/internal/controller/grafana/roleassociation/zz_controller.go
index ede1fb0989..d447d8267d 100755
--- a/internal/controller/grafana/roleassociation/zz_controller.go
+++ b/internal/controller/grafana/roleassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/grafana/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RoleAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RoleAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_grafana_role_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RoleAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RoleAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/grafana/workspace/zz_controller.go b/internal/controller/grafana/workspace/zz_controller.go
index 624fd0f4dc..f4cdab7228 100755
--- a/internal/controller/grafana/workspace/zz_controller.go
+++ b/internal/controller/grafana/workspace/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/grafana/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Workspace managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Workspace_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_grafana_workspace"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Workspace_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Workspace_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/grafana/workspaceapikey/zz_controller.go b/internal/controller/grafana/workspaceapikey/zz_controller.go
index ef6b39a0d2..b8aab21bff 100755
--- a/internal/controller/grafana/workspaceapikey/zz_controller.go
+++ b/internal/controller/grafana/workspaceapikey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/grafana/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles WorkspaceAPIKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.WorkspaceAPIKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_grafana_workspace_api_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.WorkspaceAPIKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.WorkspaceAPIKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/grafana/workspacesamlconfiguration/zz_controller.go b/internal/controller/grafana/workspacesamlconfiguration/zz_controller.go
index aff2377414..f9db24a152 100755
--- a/internal/controller/grafana/workspacesamlconfiguration/zz_controller.go
+++ b/internal/controller/grafana/workspacesamlconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/grafana/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles WorkspaceSAMLConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.WorkspaceSAMLConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_grafana_workspace_saml_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.WorkspaceSAMLConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.WorkspaceSAMLConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/guardduty/detector/zz_controller.go b/internal/controller/guardduty/detector/zz_controller.go
index efc19ea8e4..f6faeaa450 100755
--- a/internal/controller/guardduty/detector/zz_controller.go
+++ b/internal/controller/guardduty/detector/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/guardduty/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Detector managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Detector_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_guardduty_detector"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Detector_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Detector_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/guardduty/filter/zz_controller.go b/internal/controller/guardduty/filter/zz_controller.go
index 8baece2f3f..c833367cd8 100755
--- a/internal/controller/guardduty/filter/zz_controller.go
+++ b/internal/controller/guardduty/filter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/guardduty/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Filter managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Filter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_guardduty_filter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Filter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Filter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/guardduty/member/zz_controller.go b/internal/controller/guardduty/member/zz_controller.go
index 3f5279c203..0b4dafebc5 100755
--- a/internal/controller/guardduty/member/zz_controller.go
+++ b/internal/controller/guardduty/member/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/guardduty/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Member managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Member_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_guardduty_member"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/accesskey/zz_controller.go b/internal/controller/iam/accesskey/zz_controller.go
index a170218b5a..a34153534d 100755
--- a/internal/controller/iam/accesskey/zz_controller.go
+++ b/internal/controller/iam/accesskey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccessKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccessKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_access_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccessKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccessKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/accountalias/zz_controller.go b/internal/controller/iam/accountalias/zz_controller.go
index 4281596b08..2aa67958be 100755
--- a/internal/controller/iam/accountalias/zz_controller.go
+++ b/internal/controller/iam/accountalias/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccountAlias managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccountAlias_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_account_alias"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccountAlias_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccountAlias_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/accountpasswordpolicy/zz_controller.go b/internal/controller/iam/accountpasswordpolicy/zz_controller.go
index f1b9a64dae..8fb9d6111d 100755
--- a/internal/controller/iam/accountpasswordpolicy/zz_controller.go
+++ b/internal/controller/iam/accountpasswordpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccountPasswordPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccountPasswordPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_account_password_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccountPasswordPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccountPasswordPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/group/zz_controller.go b/internal/controller/iam/group/zz_controller.go
index 7d61a6aa2c..2290719bd3 100755
--- a/internal/controller/iam/group/zz_controller.go
+++ b/internal/controller/iam/group/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Group managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Group_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/groupmembership/zz_controller.go b/internal/controller/iam/groupmembership/zz_controller.go
index 8992d22760..916b837876 100755
--- a/internal/controller/iam/groupmembership/zz_controller.go
+++ b/internal/controller/iam/groupmembership/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GroupMembership managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GroupMembership_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_group_membership"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GroupMembership_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GroupMembership_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/grouppolicyattachment/zz_controller.go b/internal/controller/iam/grouppolicyattachment/zz_controller.go
index 96fae128f5..6907c04b12 100755
--- a/internal/controller/iam/grouppolicyattachment/zz_controller.go
+++ b/internal/controller/iam/grouppolicyattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GroupPolicyAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GroupPolicyAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_group_policy_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GroupPolicyAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GroupPolicyAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/instanceprofile/zz_controller.go b/internal/controller/iam/instanceprofile/zz_controller.go
index b67c84e899..489dc12ffe 100755
--- a/internal/controller/iam/instanceprofile/zz_controller.go
+++ b/internal/controller/iam/instanceprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InstanceProfile managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InstanceProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_instance_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InstanceProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InstanceProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/openidconnectprovider/zz_controller.go b/internal/controller/iam/openidconnectprovider/zz_controller.go
index 30f0c105f8..6238d0ed63 100755
--- a/internal/controller/iam/openidconnectprovider/zz_controller.go
+++ b/internal/controller/iam/openidconnectprovider/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OpenIDConnectProvider managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OpenIDConnectProvider_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_openid_connect_provider"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OpenIDConnectProvider_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OpenIDConnectProvider_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/policy/zz_controller.go b/internal/controller/iam/policy/zz_controller.go
index 06bfec31ff..be93191efe 100755
--- a/internal/controller/iam/policy/zz_controller.go
+++ b/internal/controller/iam/policy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Policy managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/role/zz_controller.go b/internal/controller/iam/role/zz_controller.go
index b590f02b6c..96e42cec35 100755
--- a/internal/controller/iam/role/zz_controller.go
+++ b/internal/controller/iam/role/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Role managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Role_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_role"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Role_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Role_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/rolepolicyattachment/zz_controller.go b/internal/controller/iam/rolepolicyattachment/zz_controller.go
index 7ae1a96723..116b622e86 100755
--- a/internal/controller/iam/rolepolicyattachment/zz_controller.go
+++ b/internal/controller/iam/rolepolicyattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RolePolicyAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RolePolicyAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_role_policy_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RolePolicyAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RolePolicyAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/samlprovider/zz_controller.go b/internal/controller/iam/samlprovider/zz_controller.go
index f3d674d5f2..5cbf42ee5c 100755
--- a/internal/controller/iam/samlprovider/zz_controller.go
+++ b/internal/controller/iam/samlprovider/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SAMLProvider managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SAMLProvider_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_saml_provider"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SAMLProvider_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SAMLProvider_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/servercertificate/zz_controller.go b/internal/controller/iam/servercertificate/zz_controller.go
index 73c0735ba2..4054c6814d 100755
--- a/internal/controller/iam/servercertificate/zz_controller.go
+++ b/internal/controller/iam/servercertificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ServerCertificate managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ServerCertificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_server_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServerCertificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServerCertificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/servicelinkedrole/zz_controller.go b/internal/controller/iam/servicelinkedrole/zz_controller.go
index 9381c885f6..ab38f6c2c6 100755
--- a/internal/controller/iam/servicelinkedrole/zz_controller.go
+++ b/internal/controller/iam/servicelinkedrole/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ServiceLinkedRole managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ServiceLinkedRole_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_service_linked_role"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServiceLinkedRole_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServiceLinkedRole_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/servicespecificcredential/zz_controller.go b/internal/controller/iam/servicespecificcredential/zz_controller.go
index 12994083da..029164af0e 100755
--- a/internal/controller/iam/servicespecificcredential/zz_controller.go
+++ b/internal/controller/iam/servicespecificcredential/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ServiceSpecificCredential managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ServiceSpecificCredential_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_service_specific_credential"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServiceSpecificCredential_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServiceSpecificCredential_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/signingcertificate/zz_controller.go b/internal/controller/iam/signingcertificate/zz_controller.go
index 109dd62cf5..8a65a09783 100755
--- a/internal/controller/iam/signingcertificate/zz_controller.go
+++ b/internal/controller/iam/signingcertificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SigningCertificate managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SigningCertificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_signing_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SigningCertificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SigningCertificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/user/zz_controller.go b/internal/controller/iam/user/zz_controller.go
index 1ddc85224c..ff389efda5 100755
--- a/internal/controller/iam/user/zz_controller.go
+++ b/internal/controller/iam/user/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles User managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.User_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_user"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/usergroupmembership/zz_controller.go b/internal/controller/iam/usergroupmembership/zz_controller.go
index 9f8b1b8304..92422652b6 100755
--- a/internal/controller/iam/usergroupmembership/zz_controller.go
+++ b/internal/controller/iam/usergroupmembership/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserGroupMembership managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserGroupMembership_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_user_group_membership"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserGroupMembership_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserGroupMembership_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/userloginprofile/zz_controller.go b/internal/controller/iam/userloginprofile/zz_controller.go
index 978ccc7caa..d702aa17cd 100755
--- a/internal/controller/iam/userloginprofile/zz_controller.go
+++ b/internal/controller/iam/userloginprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserLoginProfile managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserLoginProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_user_login_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserLoginProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserLoginProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/userpolicyattachment/zz_controller.go b/internal/controller/iam/userpolicyattachment/zz_controller.go
index c81d3985a3..fba5d3ad6f 100755
--- a/internal/controller/iam/userpolicyattachment/zz_controller.go
+++ b/internal/controller/iam/userpolicyattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserPolicyAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserPolicyAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_user_policy_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserPolicyAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserPolicyAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/usersshkey/zz_controller.go b/internal/controller/iam/usersshkey/zz_controller.go
index 1c286c719d..1484c72dde 100755
--- a/internal/controller/iam/usersshkey/zz_controller.go
+++ b/internal/controller/iam/usersshkey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserSSHKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserSSHKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_user_ssh_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserSSHKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserSSHKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iam/virtualmfadevice/zz_controller.go b/internal/controller/iam/virtualmfadevice/zz_controller.go
index 5b5b896cf4..5a719f5580 100755
--- a/internal/controller/iam/virtualmfadevice/zz_controller.go
+++ b/internal/controller/iam/virtualmfadevice/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iam/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VirtualMfaDevice managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VirtualMfaDevice_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iam_virtual_mfa_device"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VirtualMfaDevice_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VirtualMfaDevice_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/imagebuilder/component/zz_controller.go b/internal/controller/imagebuilder/component/zz_controller.go
index 24dcdbd673..536ca2ce84 100755
--- a/internal/controller/imagebuilder/component/zz_controller.go
+++ b/internal/controller/imagebuilder/component/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/imagebuilder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Component managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Component_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_imagebuilder_component"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Component_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Component_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/imagebuilder/containerrecipe/zz_controller.go b/internal/controller/imagebuilder/containerrecipe/zz_controller.go
index a1169049d6..9d9bd6f1f5 100755
--- a/internal/controller/imagebuilder/containerrecipe/zz_controller.go
+++ b/internal/controller/imagebuilder/containerrecipe/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/imagebuilder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ContainerRecipe managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ContainerRecipe_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_imagebuilder_container_recipe"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ContainerRecipe_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ContainerRecipe_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/imagebuilder/distributionconfiguration/zz_controller.go b/internal/controller/imagebuilder/distributionconfiguration/zz_controller.go
index 5b97d13e83..e7a0139604 100755
--- a/internal/controller/imagebuilder/distributionconfiguration/zz_controller.go
+++ b/internal/controller/imagebuilder/distributionconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/imagebuilder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DistributionConfiguration managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DistributionConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_imagebuilder_distribution_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DistributionConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DistributionConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/imagebuilder/image/zz_controller.go b/internal/controller/imagebuilder/image/zz_controller.go
index 65bb7419aa..7655a03f2d 100755
--- a/internal/controller/imagebuilder/image/zz_controller.go
+++ b/internal/controller/imagebuilder/image/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/imagebuilder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Image managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Image_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_imagebuilder_image"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Image_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Image_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/imagebuilder/imagepipeline/zz_controller.go b/internal/controller/imagebuilder/imagepipeline/zz_controller.go
index ef4aaa9a15..8b0be82340 100755
--- a/internal/controller/imagebuilder/imagepipeline/zz_controller.go
+++ b/internal/controller/imagebuilder/imagepipeline/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/imagebuilder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ImagePipeline managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ImagePipeline_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_imagebuilder_image_pipeline"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ImagePipeline_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ImagePipeline_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/imagebuilder/imagerecipe/zz_controller.go b/internal/controller/imagebuilder/imagerecipe/zz_controller.go
index d58f9514e0..44e8ffdd16 100755
--- a/internal/controller/imagebuilder/imagerecipe/zz_controller.go
+++ b/internal/controller/imagebuilder/imagerecipe/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/imagebuilder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ImageRecipe managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ImageRecipe_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_imagebuilder_image_recipe"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ImageRecipe_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ImageRecipe_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/imagebuilder/infrastructureconfiguration/zz_controller.go b/internal/controller/imagebuilder/infrastructureconfiguration/zz_controller.go
index 91bdb46dba..3fa39588ed 100755
--- a/internal/controller/imagebuilder/infrastructureconfiguration/zz_controller.go
+++ b/internal/controller/imagebuilder/infrastructureconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/imagebuilder/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InfrastructureConfiguration managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InfrastructureConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_imagebuilder_infrastructure_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InfrastructureConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InfrastructureConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/inspector/assessmenttarget/zz_controller.go b/internal/controller/inspector/assessmenttarget/zz_controller.go
index 4f143e2186..d4d0c49b0c 100755
--- a/internal/controller/inspector/assessmenttarget/zz_controller.go
+++ b/internal/controller/inspector/assessmenttarget/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/inspector/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AssessmentTarget managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AssessmentTarget_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_inspector_assessment_target"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AssessmentTarget_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AssessmentTarget_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/inspector/assessmenttemplate/zz_controller.go b/internal/controller/inspector/assessmenttemplate/zz_controller.go
index dd2b7d0d8d..d326a5479b 100755
--- a/internal/controller/inspector/assessmenttemplate/zz_controller.go
+++ b/internal/controller/inspector/assessmenttemplate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/inspector/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AssessmentTemplate managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AssessmentTemplate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_inspector_assessment_template"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AssessmentTemplate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AssessmentTemplate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/inspector/resourcegroup/zz_controller.go b/internal/controller/inspector/resourcegroup/zz_controller.go
index 9d0e471390..1304df2d9c 100755
--- a/internal/controller/inspector/resourcegroup/zz_controller.go
+++ b/internal/controller/inspector/resourcegroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/inspector/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourceGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourceGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_inspector_resource_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourceGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourceGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/inspector2/enabler/zz_controller.go b/internal/controller/inspector2/enabler/zz_controller.go
index 1257bb9286..19c816e44b 100755
--- a/internal/controller/inspector2/enabler/zz_controller.go
+++ b/internal/controller/inspector2/enabler/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/inspector2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Enabler managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Enabler_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_inspector2_enabler"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Enabler_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Enabler_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/certificate/zz_controller.go b/internal/controller/iot/certificate/zz_controller.go
index 9a73874c44..d77409a1e4 100755
--- a/internal/controller/iot/certificate/zz_controller.go
+++ b/internal/controller/iot/certificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Certificate managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/indexingconfiguration/zz_controller.go b/internal/controller/iot/indexingconfiguration/zz_controller.go
index 76e7518bdc..c180ce2cc7 100755
--- a/internal/controller/iot/indexingconfiguration/zz_controller.go
+++ b/internal/controller/iot/indexingconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IndexingConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IndexingConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_indexing_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IndexingConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IndexingConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/loggingoptions/zz_controller.go b/internal/controller/iot/loggingoptions/zz_controller.go
index 807e1d18fd..a64b5b5e28 100755
--- a/internal/controller/iot/loggingoptions/zz_controller.go
+++ b/internal/controller/iot/loggingoptions/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LoggingOptions managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LoggingOptions_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_logging_options"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LoggingOptions_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LoggingOptions_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/policy/zz_controller.go b/internal/controller/iot/policy/zz_controller.go
index 03b5081ca7..ad42388b9a 100755
--- a/internal/controller/iot/policy/zz_controller.go
+++ b/internal/controller/iot/policy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Policy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/policyattachment/zz_controller.go b/internal/controller/iot/policyattachment/zz_controller.go
index 628c42040d..989438c061 100755
--- a/internal/controller/iot/policyattachment/zz_controller.go
+++ b/internal/controller/iot/policyattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PolicyAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PolicyAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_policy_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PolicyAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PolicyAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/provisioningtemplate/zz_controller.go b/internal/controller/iot/provisioningtemplate/zz_controller.go
index b3fe2e6ce8..1c5a80b041 100755
--- a/internal/controller/iot/provisioningtemplate/zz_controller.go
+++ b/internal/controller/iot/provisioningtemplate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProvisioningTemplate managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProvisioningTemplate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_provisioning_template"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProvisioningTemplate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProvisioningTemplate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/rolealias/zz_controller.go b/internal/controller/iot/rolealias/zz_controller.go
index 081e7fe889..832ee9beee 100755
--- a/internal/controller/iot/rolealias/zz_controller.go
+++ b/internal/controller/iot/rolealias/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RoleAlias managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RoleAlias_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_role_alias"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RoleAlias_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RoleAlias_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/thing/zz_controller.go b/internal/controller/iot/thing/zz_controller.go
index 3548dc186d..515157ec52 100755
--- a/internal/controller/iot/thing/zz_controller.go
+++ b/internal/controller/iot/thing/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Thing managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Thing_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_thing"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Thing_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Thing_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/thinggroup/zz_controller.go b/internal/controller/iot/thinggroup/zz_controller.go
index 013051105a..cc4a2c9097 100755
--- a/internal/controller/iot/thinggroup/zz_controller.go
+++ b/internal/controller/iot/thinggroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ThingGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ThingGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_thing_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ThingGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ThingGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/thinggroupmembership/zz_controller.go b/internal/controller/iot/thinggroupmembership/zz_controller.go
index b7d2e970fb..af13cd0b44 100755
--- a/internal/controller/iot/thinggroupmembership/zz_controller.go
+++ b/internal/controller/iot/thinggroupmembership/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ThingGroupMembership managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ThingGroupMembership_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_thing_group_membership"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ThingGroupMembership_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ThingGroupMembership_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/thingprincipalattachment/zz_controller.go b/internal/controller/iot/thingprincipalattachment/zz_controller.go
index c6bb548709..7446e91efe 100755
--- a/internal/controller/iot/thingprincipalattachment/zz_controller.go
+++ b/internal/controller/iot/thingprincipalattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ThingPrincipalAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ThingPrincipalAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_thing_principal_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ThingPrincipalAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ThingPrincipalAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/thingtype/zz_controller.go b/internal/controller/iot/thingtype/zz_controller.go
index 7edf5c5608..ddda67277c 100755
--- a/internal/controller/iot/thingtype/zz_controller.go
+++ b/internal/controller/iot/thingtype/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ThingType managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ThingType_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_thing_type"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ThingType_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ThingType_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/iot/topicrule/zz_controller.go b/internal/controller/iot/topicrule/zz_controller.go
index b5620b9a01..a8fdd9a227 100755
--- a/internal/controller/iot/topicrule/zz_controller.go
+++ b/internal/controller/iot/topicrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/iot/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TopicRule managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TopicRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_iot_topic_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TopicRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TopicRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ivs/channel/zz_controller.go b/internal/controller/ivs/channel/zz_controller.go
index 154e2c2015..209eec552a 100755
--- a/internal/controller/ivs/channel/zz_controller.go
+++ b/internal/controller/ivs/channel/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ivs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Channel managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ivs_channel"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ivs/recordingconfiguration/zz_controller.go b/internal/controller/ivs/recordingconfiguration/zz_controller.go
index 487e568183..9504953e24 100755
--- a/internal/controller/ivs/recordingconfiguration/zz_controller.go
+++ b/internal/controller/ivs/recordingconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ivs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RecordingConfiguration managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RecordingConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ivs_recording_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RecordingConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RecordingConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kafka/cluster/zz_controller.go b/internal/controller/kafka/cluster/zz_controller.go
index 5b92ca2816..2ca3ede495 100755
--- a/internal/controller/kafka/cluster/zz_controller.go
+++ b/internal/controller/kafka/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kafka/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_msk_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kafka/configuration/zz_controller.go b/internal/controller/kafka/configuration/zz_controller.go
index 3df68a6c93..97eb2548bf 100755
--- a/internal/controller/kafka/configuration/zz_controller.go
+++ b/internal/controller/kafka/configuration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kafka/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Configuration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Configuration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_msk_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Configuration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Configuration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kendra/datasource/zz_controller.go b/internal/controller/kendra/datasource/zz_controller.go
index 979d0bc68f..600e53848e 100755
--- a/internal/controller/kendra/datasource/zz_controller.go
+++ b/internal/controller/kendra/datasource/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kendra/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DataSource managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DataSource_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kendra_data_source"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DataSource_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DataSource_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kendra/experience/zz_controller.go b/internal/controller/kendra/experience/zz_controller.go
index 7228e24f69..54bd010393 100755
--- a/internal/controller/kendra/experience/zz_controller.go
+++ b/internal/controller/kendra/experience/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kendra/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Experience managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Experience_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kendra_experience"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Experience_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Experience_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kendra/index/zz_controller.go b/internal/controller/kendra/index/zz_controller.go
index 3912534ad1..f901346f3c 100755
--- a/internal/controller/kendra/index/zz_controller.go
+++ b/internal/controller/kendra/index/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kendra/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Index managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Index_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kendra_index"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Index_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Index_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kendra/querysuggestionsblocklist/zz_controller.go b/internal/controller/kendra/querysuggestionsblocklist/zz_controller.go
index 709a586d77..0bbc6f0c3d 100755
--- a/internal/controller/kendra/querysuggestionsblocklist/zz_controller.go
+++ b/internal/controller/kendra/querysuggestionsblocklist/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kendra/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles QuerySuggestionsBlockList managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.QuerySuggestionsBlockList_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kendra_query_suggestions_block_list"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.QuerySuggestionsBlockList_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.QuerySuggestionsBlockList_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kendra/thesaurus/zz_controller.go b/internal/controller/kendra/thesaurus/zz_controller.go
index cc2d550b02..aa39a066b3 100755
--- a/internal/controller/kendra/thesaurus/zz_controller.go
+++ b/internal/controller/kendra/thesaurus/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kendra/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Thesaurus managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Thesaurus_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kendra_thesaurus"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Thesaurus_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Thesaurus_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/keyspaces/keyspace/zz_controller.go b/internal/controller/keyspaces/keyspace/zz_controller.go
index 43fb053584..9a0595c888 100755
--- a/internal/controller/keyspaces/keyspace/zz_controller.go
+++ b/internal/controller/keyspaces/keyspace/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/keyspaces/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Keyspace managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Keyspace_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_keyspaces_keyspace"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Keyspace_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Keyspace_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/keyspaces/table/zz_controller.go b/internal/controller/keyspaces/table/zz_controller.go
index 0d59bac804..f9daa5fbd5 100755
--- a/internal/controller/keyspaces/table/zz_controller.go
+++ b/internal/controller/keyspaces/table/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/keyspaces/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Table managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Table_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_keyspaces_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Table_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Table_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kinesis/stream/zz_controller.go b/internal/controller/kinesis/stream/zz_controller.go
index f8b245b553..429a22c597 100755
--- a/internal/controller/kinesis/stream/zz_controller.go
+++ b/internal/controller/kinesis/stream/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kinesis/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stream managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kinesis_stream"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kinesis/streamconsumer/zz_controller.go b/internal/controller/kinesis/streamconsumer/zz_controller.go
index c6d84c8d82..6debb0975e 100755
--- a/internal/controller/kinesis/streamconsumer/zz_controller.go
+++ b/internal/controller/kinesis/streamconsumer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kinesis/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StreamConsumer managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StreamConsumer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kinesis_stream_consumer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StreamConsumer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StreamConsumer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kinesisanalytics/application/zz_controller.go b/internal/controller/kinesisanalytics/application/zz_controller.go
index f0a8c22a1d..b7bba529b3 100755
--- a/internal/controller/kinesisanalytics/application/zz_controller.go
+++ b/internal/controller/kinesisanalytics/application/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kinesisanalytics/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Application managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Application_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kinesis_analytics_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kinesisanalyticsv2/application/zz_controller.go b/internal/controller/kinesisanalyticsv2/application/zz_controller.go
index c16da6d2dc..d9ada4a932 100755
--- a/internal/controller/kinesisanalyticsv2/application/zz_controller.go
+++ b/internal/controller/kinesisanalyticsv2/application/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kinesisanalyticsv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Application managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Application_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kinesisanalyticsv2_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kinesisanalyticsv2/applicationsnapshot/zz_controller.go b/internal/controller/kinesisanalyticsv2/applicationsnapshot/zz_controller.go
index e632e08901..d97beb34c1 100755
--- a/internal/controller/kinesisanalyticsv2/applicationsnapshot/zz_controller.go
+++ b/internal/controller/kinesisanalyticsv2/applicationsnapshot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kinesisanalyticsv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ApplicationSnapshot managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ApplicationSnapshot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kinesisanalyticsv2_application_snapshot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ApplicationSnapshot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ApplicationSnapshot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kinesisvideo/stream/zz_controller.go b/internal/controller/kinesisvideo/stream/zz_controller.go
index c86ca7684e..fc63432bba 100755
--- a/internal/controller/kinesisvideo/stream/zz_controller.go
+++ b/internal/controller/kinesisvideo/stream/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kinesisvideo/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stream managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kinesis_video_stream"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kms/alias/zz_controller.go b/internal/controller/kms/alias/zz_controller.go
index 0ac3190a23..551c9108eb 100755
--- a/internal/controller/kms/alias/zz_controller.go
+++ b/internal/controller/kms/alias/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Alias managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kms_alias"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kms/ciphertext/zz_controller.go b/internal/controller/kms/ciphertext/zz_controller.go
index 39f7e8cdff..58337672ec 100755
--- a/internal/controller/kms/ciphertext/zz_controller.go
+++ b/internal/controller/kms/ciphertext/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Ciphertext managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Ciphertext_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kms_ciphertext"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Ciphertext_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Ciphertext_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kms/externalkey/zz_controller.go b/internal/controller/kms/externalkey/zz_controller.go
index 2d6eb124cd..c12351532f 100755
--- a/internal/controller/kms/externalkey/zz_controller.go
+++ b/internal/controller/kms/externalkey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ExternalKey managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ExternalKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kms_external_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ExternalKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ExternalKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kms/grant/zz_controller.go b/internal/controller/kms/grant/zz_controller.go
index ab70cd1439..757a5ce5f5 100755
--- a/internal/controller/kms/grant/zz_controller.go
+++ b/internal/controller/kms/grant/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Grant managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Grant_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kms_grant"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Grant_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Grant_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kms/key/zz_controller.go b/internal/controller/kms/key/zz_controller.go
index 5fc2f94a5e..6d9f6a6d6e 100755
--- a/internal/controller/kms/key/zz_controller.go
+++ b/internal/controller/kms/key/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Key managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Key_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kms_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Key_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Key_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kms/replicaexternalkey/zz_controller.go b/internal/controller/kms/replicaexternalkey/zz_controller.go
index 699e73217c..5733b44206 100755
--- a/internal/controller/kms/replicaexternalkey/zz_controller.go
+++ b/internal/controller/kms/replicaexternalkey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicaExternalKey managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicaExternalKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kms_replica_external_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicaExternalKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicaExternalKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/kms/replicakey/zz_controller.go b/internal/controller/kms/replicakey/zz_controller.go
index 74cf93db92..79cb00ee9a 100755
--- a/internal/controller/kms/replicakey/zz_controller.go
+++ b/internal/controller/kms/replicakey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/kms/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReplicaKey managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReplicaKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_kms_replica_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReplicaKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReplicaKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lakeformation/datalakesettings/zz_controller.go b/internal/controller/lakeformation/datalakesettings/zz_controller.go
index 211b49f334..f0f60e5d84 100755
--- a/internal/controller/lakeformation/datalakesettings/zz_controller.go
+++ b/internal/controller/lakeformation/datalakesettings/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lakeformation/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DataLakeSettings managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DataLakeSettings_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lakeformation_data_lake_settings"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DataLakeSettings_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DataLakeSettings_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lakeformation/permissions/zz_controller.go b/internal/controller/lakeformation/permissions/zz_controller.go
index 9697c4d8f0..791d27292e 100755
--- a/internal/controller/lakeformation/permissions/zz_controller.go
+++ b/internal/controller/lakeformation/permissions/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lakeformation/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Permissions managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Permissions_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lakeformation_permissions"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Permissions_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Permissions_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lakeformation/resource/zz_controller.go b/internal/controller/lakeformation/resource/zz_controller.go
index 4d079c6277..a20c9de88c 100755
--- a/internal/controller/lakeformation/resource/zz_controller.go
+++ b/internal/controller/lakeformation/resource/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lakeformation/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Resource managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lakeformation_resource"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Resource_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/alias/zz_controller.go b/internal/controller/lambda/alias/zz_controller.go
index 4f718dd690..0ee568ad5d 100755
--- a/internal/controller/lambda/alias/zz_controller.go
+++ b/internal/controller/lambda/alias/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Alias managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_alias"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Alias_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/codesigningconfig/zz_controller.go b/internal/controller/lambda/codesigningconfig/zz_controller.go
index 96a201b7bd..a601110b0e 100755
--- a/internal/controller/lambda/codesigningconfig/zz_controller.go
+++ b/internal/controller/lambda/codesigningconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CodeSigningConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CodeSigningConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_code_signing_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CodeSigningConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CodeSigningConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/eventsourcemapping/zz_controller.go b/internal/controller/lambda/eventsourcemapping/zz_controller.go
index 856af7a800..764cb4f138 100755
--- a/internal/controller/lambda/eventsourcemapping/zz_controller.go
+++ b/internal/controller/lambda/eventsourcemapping/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventSourceMapping managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventSourceMapping_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_event_source_mapping"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventSourceMapping_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventSourceMapping_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/function/zz_controller.go b/internal/controller/lambda/function/zz_controller.go
index a56c647252..c007521ef4 100755
--- a/internal/controller/lambda/function/zz_controller.go
+++ b/internal/controller/lambda/function/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Function managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Function_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_function"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Function_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Function_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/functioneventinvokeconfig/zz_controller.go b/internal/controller/lambda/functioneventinvokeconfig/zz_controller.go
index 8e3379f302..556a6063c1 100755
--- a/internal/controller/lambda/functioneventinvokeconfig/zz_controller.go
+++ b/internal/controller/lambda/functioneventinvokeconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FunctionEventInvokeConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FunctionEventInvokeConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_function_event_invoke_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FunctionEventInvokeConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FunctionEventInvokeConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/functionurl/zz_controller.go b/internal/controller/lambda/functionurl/zz_controller.go
index 1fbc5ce472..26d2d61b74 100755
--- a/internal/controller/lambda/functionurl/zz_controller.go
+++ b/internal/controller/lambda/functionurl/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FunctionURL managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FunctionURL_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_function_url"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FunctionURL_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FunctionURL_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/invocation/zz_controller.go b/internal/controller/lambda/invocation/zz_controller.go
index e6a5c05039..59a1478b23 100755
--- a/internal/controller/lambda/invocation/zz_controller.go
+++ b/internal/controller/lambda/invocation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Invocation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Invocation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_invocation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Invocation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Invocation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/layerversion/zz_controller.go b/internal/controller/lambda/layerversion/zz_controller.go
index 529a9b8400..39993df340 100755
--- a/internal/controller/lambda/layerversion/zz_controller.go
+++ b/internal/controller/lambda/layerversion/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LayerVersion managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LayerVersion_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_layer_version"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LayerVersion_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LayerVersion_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/layerversionpermission/zz_controller.go b/internal/controller/lambda/layerversionpermission/zz_controller.go
index 2bf0c67ea1..97fb7144b0 100755
--- a/internal/controller/lambda/layerversionpermission/zz_controller.go
+++ b/internal/controller/lambda/layerversionpermission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LayerVersionPermission managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LayerVersionPermission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_layer_version_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LayerVersionPermission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LayerVersionPermission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/permission/zz_controller.go b/internal/controller/lambda/permission/zz_controller.go
index 54d2706dca..8638f295b9 100755
--- a/internal/controller/lambda/permission/zz_controller.go
+++ b/internal/controller/lambda/permission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Permission managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lambda/provisionedconcurrencyconfig/zz_controller.go b/internal/controller/lambda/provisionedconcurrencyconfig/zz_controller.go
index 6e097889f3..160ba13827 100755
--- a/internal/controller/lambda/provisionedconcurrencyconfig/zz_controller.go
+++ b/internal/controller/lambda/provisionedconcurrencyconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lambda/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProvisionedConcurrencyConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProvisionedConcurrencyConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lambda_provisioned_concurrency_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProvisionedConcurrencyConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProvisionedConcurrencyConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lexmodels/bot/zz_controller.go b/internal/controller/lexmodels/bot/zz_controller.go
index cbdb4bfe66..99e6b90b5f 100755
--- a/internal/controller/lexmodels/bot/zz_controller.go
+++ b/internal/controller/lexmodels/bot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lexmodels/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Bot managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Bot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lex_bot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Bot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Bot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lexmodels/botalias/zz_controller.go b/internal/controller/lexmodels/botalias/zz_controller.go
index 975e169dc4..df2aad8670 100755
--- a/internal/controller/lexmodels/botalias/zz_controller.go
+++ b/internal/controller/lexmodels/botalias/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lexmodels/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BotAlias managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BotAlias_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lex_bot_alias"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BotAlias_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BotAlias_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lexmodels/intent/zz_controller.go b/internal/controller/lexmodels/intent/zz_controller.go
index 3f07d9dac0..7e51c32fff 100755
--- a/internal/controller/lexmodels/intent/zz_controller.go
+++ b/internal/controller/lexmodels/intent/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lexmodels/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Intent managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Intent_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lex_intent"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Intent_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Intent_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lexmodels/slottype/zz_controller.go b/internal/controller/lexmodels/slottype/zz_controller.go
index 4f0381496a..843ed3dfa4 100755
--- a/internal/controller/lexmodels/slottype/zz_controller.go
+++ b/internal/controller/lexmodels/slottype/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lexmodels/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SlotType managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SlotType_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lex_slot_type"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SlotType_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SlotType_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/licensemanager/association/zz_controller.go b/internal/controller/licensemanager/association/zz_controller.go
index 7486812432..3eebca284c 100755
--- a/internal/controller/licensemanager/association/zz_controller.go
+++ b/internal/controller/licensemanager/association/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/licensemanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Association managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Association_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_licensemanager_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Association_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Association_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/licensemanager/licenseconfiguration/zz_controller.go b/internal/controller/licensemanager/licenseconfiguration/zz_controller.go
index 24b20c4a33..d9008258f6 100755
--- a/internal/controller/licensemanager/licenseconfiguration/zz_controller.go
+++ b/internal/controller/licensemanager/licenseconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/licensemanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LicenseConfiguration managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LicenseConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_licensemanager_license_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LicenseConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LicenseConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/bucket/zz_controller.go b/internal/controller/lightsail/bucket/zz_controller.go
index d356f67a78..60840a964f 100755
--- a/internal/controller/lightsail/bucket/zz_controller.go
+++ b/internal/controller/lightsail/bucket/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Bucket managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Bucket_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_bucket"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Bucket_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Bucket_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/certificate/zz_controller.go b/internal/controller/lightsail/certificate/zz_controller.go
index e038b89ee3..7e7792a8a9 100755
--- a/internal/controller/lightsail/certificate/zz_controller.go
+++ b/internal/controller/lightsail/certificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Certificate managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Certificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/containerservice/zz_controller.go b/internal/controller/lightsail/containerservice/zz_controller.go
index 163af262de..208cc19260 100755
--- a/internal/controller/lightsail/containerservice/zz_controller.go
+++ b/internal/controller/lightsail/containerservice/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ContainerService managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ContainerService_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_container_service"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ContainerService_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ContainerService_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/disk/zz_controller.go b/internal/controller/lightsail/disk/zz_controller.go
index 24ce16b79b..318c494903 100755
--- a/internal/controller/lightsail/disk/zz_controller.go
+++ b/internal/controller/lightsail/disk/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Disk managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Disk_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_disk"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Disk_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Disk_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/diskattachment/zz_controller.go b/internal/controller/lightsail/diskattachment/zz_controller.go
index 6187488810..5aff539221 100755
--- a/internal/controller/lightsail/diskattachment/zz_controller.go
+++ b/internal/controller/lightsail/diskattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DiskAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DiskAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_disk_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DiskAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DiskAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/domain/zz_controller.go b/internal/controller/lightsail/domain/zz_controller.go
index 52b99644b4..337483739d 100755
--- a/internal/controller/lightsail/domain/zz_controller.go
+++ b/internal/controller/lightsail/domain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Domain managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/domainentry/zz_controller.go b/internal/controller/lightsail/domainentry/zz_controller.go
index 9356f706ad..ee0637eaca 100755
--- a/internal/controller/lightsail/domainentry/zz_controller.go
+++ b/internal/controller/lightsail/domainentry/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainEntry managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainEntry_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_domain_entry"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainEntry_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainEntry_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/instance/zz_controller.go b/internal/controller/lightsail/instance/zz_controller.go
index 7e27faafeb..22acb62549 100755
--- a/internal/controller/lightsail/instance/zz_controller.go
+++ b/internal/controller/lightsail/instance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Instance managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/instancepublicports/zz_controller.go b/internal/controller/lightsail/instancepublicports/zz_controller.go
index 0c79ed5a2e..66a3409bcf 100755
--- a/internal/controller/lightsail/instancepublicports/zz_controller.go
+++ b/internal/controller/lightsail/instancepublicports/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InstancePublicPorts managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InstancePublicPorts_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_instance_public_ports"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InstancePublicPorts_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InstancePublicPorts_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/keypair/zz_controller.go b/internal/controller/lightsail/keypair/zz_controller.go
index ef833a07ba..f21990a0bf 100755
--- a/internal/controller/lightsail/keypair/zz_controller.go
+++ b/internal/controller/lightsail/keypair/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles KeyPair managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.KeyPair_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_key_pair"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.KeyPair_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.KeyPair_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/lb/zz_controller.go b/internal/controller/lightsail/lb/zz_controller.go
index e848164259..a733680a0a 100755
--- a/internal/controller/lightsail/lb/zz_controller.go
+++ b/internal/controller/lightsail/lb/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LB managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LB_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_lb"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LB_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LB_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/lbattachment/zz_controller.go b/internal/controller/lightsail/lbattachment/zz_controller.go
index e977bdb447..d720178aa8 100755
--- a/internal/controller/lightsail/lbattachment/zz_controller.go
+++ b/internal/controller/lightsail/lbattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_lb_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/lbcertificate/zz_controller.go b/internal/controller/lightsail/lbcertificate/zz_controller.go
index 3dcf08e2ae..6d8b9c24f0 100755
--- a/internal/controller/lightsail/lbcertificate/zz_controller.go
+++ b/internal/controller/lightsail/lbcertificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBCertificate managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBCertificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_lb_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBCertificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBCertificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/lbstickinesspolicy/zz_controller.go b/internal/controller/lightsail/lbstickinesspolicy/zz_controller.go
index 173dfc9c61..b525870fb6 100755
--- a/internal/controller/lightsail/lbstickinesspolicy/zz_controller.go
+++ b/internal/controller/lightsail/lbstickinesspolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LBStickinessPolicy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LBStickinessPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_lb_stickiness_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LBStickinessPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LBStickinessPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/staticip/zz_controller.go b/internal/controller/lightsail/staticip/zz_controller.go
index 2d73a1d453..e2014d65b5 100755
--- a/internal/controller/lightsail/staticip/zz_controller.go
+++ b/internal/controller/lightsail/staticip/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StaticIP managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StaticIP_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_static_ip"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StaticIP_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StaticIP_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/lightsail/staticipattachment/zz_controller.go b/internal/controller/lightsail/staticipattachment/zz_controller.go
index 74d564fb46..851ecdfb50 100755
--- a/internal/controller/lightsail/staticipattachment/zz_controller.go
+++ b/internal/controller/lightsail/staticipattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/lightsail/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StaticIPAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StaticIPAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_lightsail_static_ip_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StaticIPAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StaticIPAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/location/geofencecollection/zz_controller.go b/internal/controller/location/geofencecollection/zz_controller.go
index 4472733ac6..42ee586203 100755
--- a/internal/controller/location/geofencecollection/zz_controller.go
+++ b/internal/controller/location/geofencecollection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/location/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GeofenceCollection managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GeofenceCollection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_location_geofence_collection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GeofenceCollection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GeofenceCollection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/location/placeindex/zz_controller.go b/internal/controller/location/placeindex/zz_controller.go
index e788f890e6..a08e4bd434 100755
--- a/internal/controller/location/placeindex/zz_controller.go
+++ b/internal/controller/location/placeindex/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/location/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PlaceIndex managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PlaceIndex_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_location_place_index"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PlaceIndex_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PlaceIndex_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/location/routecalculator/zz_controller.go b/internal/controller/location/routecalculator/zz_controller.go
index e646461c34..9d4e2a57a0 100755
--- a/internal/controller/location/routecalculator/zz_controller.go
+++ b/internal/controller/location/routecalculator/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/location/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RouteCalculator managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RouteCalculator_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_location_route_calculator"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RouteCalculator_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RouteCalculator_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/location/tracker/zz_controller.go b/internal/controller/location/tracker/zz_controller.go
index 066b6dc48a..b0d73f8e78 100755
--- a/internal/controller/location/tracker/zz_controller.go
+++ b/internal/controller/location/tracker/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/location/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Tracker managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Tracker_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_location_tracker"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Tracker_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Tracker_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/location/trackerassociation/zz_controller.go b/internal/controller/location/trackerassociation/zz_controller.go
index f33818c036..53df6655fa 100755
--- a/internal/controller/location/trackerassociation/zz_controller.go
+++ b/internal/controller/location/trackerassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/location/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TrackerAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TrackerAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_location_tracker_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TrackerAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TrackerAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/macie2/account/zz_controller.go b/internal/controller/macie2/account/zz_controller.go
index 64a945e53d..11c5d014be 100755
--- a/internal/controller/macie2/account/zz_controller.go
+++ b/internal/controller/macie2/account/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/macie2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Account managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Account_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_macie2_account"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/macie2/classificationjob/zz_controller.go b/internal/controller/macie2/classificationjob/zz_controller.go
index e8158587dc..94d6894ff1 100755
--- a/internal/controller/macie2/classificationjob/zz_controller.go
+++ b/internal/controller/macie2/classificationjob/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/macie2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClassificationJob managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClassificationJob_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_macie2_classification_job"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClassificationJob_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClassificationJob_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/macie2/customdataidentifier/zz_controller.go b/internal/controller/macie2/customdataidentifier/zz_controller.go
index 60611c72fb..03169167ee 100755
--- a/internal/controller/macie2/customdataidentifier/zz_controller.go
+++ b/internal/controller/macie2/customdataidentifier/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/macie2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CustomDataIdentifier managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CustomDataIdentifier_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_macie2_custom_data_identifier"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CustomDataIdentifier_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CustomDataIdentifier_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/macie2/findingsfilter/zz_controller.go b/internal/controller/macie2/findingsfilter/zz_controller.go
index c985a942d2..f0426eeb4c 100755
--- a/internal/controller/macie2/findingsfilter/zz_controller.go
+++ b/internal/controller/macie2/findingsfilter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/macie2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FindingsFilter managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FindingsFilter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_macie2_findings_filter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FindingsFilter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FindingsFilter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/macie2/invitationaccepter/zz_controller.go b/internal/controller/macie2/invitationaccepter/zz_controller.go
index 95f857f6ff..922f7b7b6f 100755
--- a/internal/controller/macie2/invitationaccepter/zz_controller.go
+++ b/internal/controller/macie2/invitationaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/macie2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InvitationAccepter managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InvitationAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_macie2_invitation_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InvitationAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InvitationAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/macie2/member/zz_controller.go b/internal/controller/macie2/member/zz_controller.go
index 5a7354ae7c..e1eaf43e7d 100755
--- a/internal/controller/macie2/member/zz_controller.go
+++ b/internal/controller/macie2/member/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/macie2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Member managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Member_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_macie2_member"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/mediaconvert/queue/zz_controller.go b/internal/controller/mediaconvert/queue/zz_controller.go
index f6a171291e..23f3074618 100755
--- a/internal/controller/mediaconvert/queue/zz_controller.go
+++ b/internal/controller/mediaconvert/queue/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/mediaconvert/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Queue managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_media_convert_queue"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/medialive/channel/zz_controller.go b/internal/controller/medialive/channel/zz_controller.go
index 57329ad78f..c7b8560aad 100755
--- a/internal/controller/medialive/channel/zz_controller.go
+++ b/internal/controller/medialive/channel/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/medialive/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Channel managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_medialive_channel"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/medialive/input/zz_controller.go b/internal/controller/medialive/input/zz_controller.go
index 29b3e42217..77a9278199 100755
--- a/internal/controller/medialive/input/zz_controller.go
+++ b/internal/controller/medialive/input/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/medialive/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Input managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Input_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_medialive_input"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Input_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Input_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/medialive/inputsecuritygroup/zz_controller.go b/internal/controller/medialive/inputsecuritygroup/zz_controller.go
index 0cadf4ab87..1e8214b669 100755
--- a/internal/controller/medialive/inputsecuritygroup/zz_controller.go
+++ b/internal/controller/medialive/inputsecuritygroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/medialive/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InputSecurityGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InputSecurityGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_medialive_input_security_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InputSecurityGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InputSecurityGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/medialive/multiplex/zz_controller.go b/internal/controller/medialive/multiplex/zz_controller.go
index 1cfc9b094e..e805edeb1c 100755
--- a/internal/controller/medialive/multiplex/zz_controller.go
+++ b/internal/controller/medialive/multiplex/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/medialive/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Multiplex managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Multiplex_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_medialive_multiplex"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Multiplex_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Multiplex_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/mediapackage/channel/zz_controller.go b/internal/controller/mediapackage/channel/zz_controller.go
index d32af464a7..cbe0e9f36c 100755
--- a/internal/controller/mediapackage/channel/zz_controller.go
+++ b/internal/controller/mediapackage/channel/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/mediapackage/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Channel managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_media_package_channel"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Channel_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/mediastore/container/zz_controller.go b/internal/controller/mediastore/container/zz_controller.go
index 38469b12ac..f5662c49d2 100755
--- a/internal/controller/mediastore/container/zz_controller.go
+++ b/internal/controller/mediastore/container/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/mediastore/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Container managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Container_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_media_store_container"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Container_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Container_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/mediastore/containerpolicy/zz_controller.go b/internal/controller/mediastore/containerpolicy/zz_controller.go
index 1249db1305..16efd5045e 100755
--- a/internal/controller/mediastore/containerpolicy/zz_controller.go
+++ b/internal/controller/mediastore/containerpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/mediastore/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ContainerPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ContainerPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_media_store_container_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ContainerPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ContainerPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/memorydb/acl/zz_controller.go b/internal/controller/memorydb/acl/zz_controller.go
index 2cd013e703..cf0da7376b 100755
--- a/internal/controller/memorydb/acl/zz_controller.go
+++ b/internal/controller/memorydb/acl/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/memorydb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ACL managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ACL_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_memorydb_acl"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ACL_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ACL_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/memorydb/cluster/zz_controller.go b/internal/controller/memorydb/cluster/zz_controller.go
index 5f3cf2b6e6..fecc34b0d7 100755
--- a/internal/controller/memorydb/cluster/zz_controller.go
+++ b/internal/controller/memorydb/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/memorydb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_memorydb_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/memorydb/parametergroup/zz_controller.go b/internal/controller/memorydb/parametergroup/zz_controller.go
index 843fa5d940..ccd830bc4e 100755
--- a/internal/controller/memorydb/parametergroup/zz_controller.go
+++ b/internal/controller/memorydb/parametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/memorydb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ParameterGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_memorydb_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/memorydb/snapshot/zz_controller.go b/internal/controller/memorydb/snapshot/zz_controller.go
index a17a10b558..ffef330dd2 100755
--- a/internal/controller/memorydb/snapshot/zz_controller.go
+++ b/internal/controller/memorydb/snapshot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/memorydb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Snapshot managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Snapshot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_memorydb_snapshot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Snapshot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Snapshot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/memorydb/subnetgroup/zz_controller.go b/internal/controller/memorydb/subnetgroup/zz_controller.go
index 23933d2455..7c0e03479f 100755
--- a/internal/controller/memorydb/subnetgroup/zz_controller.go
+++ b/internal/controller/memorydb/subnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/memorydb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_memorydb_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/mq/broker/zz_controller.go b/internal/controller/mq/broker/zz_controller.go
index 14acb31fa8..36abf28157 100755
--- a/internal/controller/mq/broker/zz_controller.go
+++ b/internal/controller/mq/broker/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/mq/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Broker managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Broker_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_mq_broker"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Broker_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Broker_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/mq/configuration/zz_controller.go b/internal/controller/mq/configuration/zz_controller.go
index fee6cf1f92..fd730ecbbf 100755
--- a/internal/controller/mq/configuration/zz_controller.go
+++ b/internal/controller/mq/configuration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/mq/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Configuration managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Configuration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_mq_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Configuration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Configuration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/cluster/zz_controller.go b/internal/controller/neptune/cluster/zz_controller.go
index 6c50bbfce0..a940ac8aa8 100755
--- a/internal/controller/neptune/cluster/zz_controller.go
+++ b/internal/controller/neptune/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/clusterendpoint/zz_controller.go b/internal/controller/neptune/clusterendpoint/zz_controller.go
index 3759015306..84f064c596 100755
--- a/internal/controller/neptune/clusterendpoint/zz_controller.go
+++ b/internal/controller/neptune/clusterendpoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterEndpoint managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterEndpoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_cluster_endpoint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterEndpoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterEndpoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/clusterinstance/zz_controller.go b/internal/controller/neptune/clusterinstance/zz_controller.go
index b3b36c1d4a..c97907909b 100755
--- a/internal/controller/neptune/clusterinstance/zz_controller.go
+++ b/internal/controller/neptune/clusterinstance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterInstance managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_cluster_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/clusterparametergroup/zz_controller.go b/internal/controller/neptune/clusterparametergroup/zz_controller.go
index e3c7a89a9f..232208a4af 100755
--- a/internal/controller/neptune/clusterparametergroup/zz_controller.go
+++ b/internal/controller/neptune/clusterparametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterParameterGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_cluster_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/clustersnapshot/zz_controller.go b/internal/controller/neptune/clustersnapshot/zz_controller.go
index 21169bff03..d24e677aca 100755
--- a/internal/controller/neptune/clustersnapshot/zz_controller.go
+++ b/internal/controller/neptune/clustersnapshot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterSnapshot managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_cluster_snapshot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/eventsubscription/zz_controller.go b/internal/controller/neptune/eventsubscription/zz_controller.go
index 139a5feb6f..02daecf60f 100755
--- a/internal/controller/neptune/eventsubscription/zz_controller.go
+++ b/internal/controller/neptune/eventsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventSubscription managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_event_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/globalcluster/zz_controller.go b/internal/controller/neptune/globalcluster/zz_controller.go
index eb98cc11f2..dd8bfca8a1 100755
--- a/internal/controller/neptune/globalcluster/zz_controller.go
+++ b/internal/controller/neptune/globalcluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GlobalCluster managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_global_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/parametergroup/zz_controller.go b/internal/controller/neptune/parametergroup/zz_controller.go
index 2ebb764c9b..20e444c126 100755
--- a/internal/controller/neptune/parametergroup/zz_controller.go
+++ b/internal/controller/neptune/parametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ParameterGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/neptune/subnetgroup/zz_controller.go b/internal/controller/neptune/subnetgroup/zz_controller.go
index 1eff151f38..bc72b95ab8 100755
--- a/internal/controller/neptune/subnetgroup/zz_controller.go
+++ b/internal/controller/neptune/subnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/neptune/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_neptune_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkfirewall/firewall/zz_controller.go b/internal/controller/networkfirewall/firewall/zz_controller.go
index 09bb711fc9..0c0702f175 100755
--- a/internal/controller/networkfirewall/firewall/zz_controller.go
+++ b/internal/controller/networkfirewall/firewall/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkfirewall/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Firewall managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Firewall_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkfirewall_firewall"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Firewall_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Firewall_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkfirewall/firewallpolicy/zz_controller.go b/internal/controller/networkfirewall/firewallpolicy/zz_controller.go
index bb3e33fb28..108e32a26b 100755
--- a/internal/controller/networkfirewall/firewallpolicy/zz_controller.go
+++ b/internal/controller/networkfirewall/firewallpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkfirewall/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FirewallPolicy managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FirewallPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkfirewall_firewall_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FirewallPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FirewallPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkfirewall/loggingconfiguration/zz_controller.go b/internal/controller/networkfirewall/loggingconfiguration/zz_controller.go
index e30f6fcdae..68676c7ece 100755
--- a/internal/controller/networkfirewall/loggingconfiguration/zz_controller.go
+++ b/internal/controller/networkfirewall/loggingconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkfirewall/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LoggingConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LoggingConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkfirewall_logging_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LoggingConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LoggingConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkfirewall/rulegroup/zz_controller.go b/internal/controller/networkfirewall/rulegroup/zz_controller.go
index ab2003cf9f..5807a79be8 100755
--- a/internal/controller/networkfirewall/rulegroup/zz_controller.go
+++ b/internal/controller/networkfirewall/rulegroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkfirewall/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RuleGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RuleGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkfirewall_rule_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RuleGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RuleGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/attachmentaccepter/zz_controller.go b/internal/controller/networkmanager/attachmentaccepter/zz_controller.go
index 8ffff25705..bbdec2c087 100755
--- a/internal/controller/networkmanager/attachmentaccepter/zz_controller.go
+++ b/internal/controller/networkmanager/attachmentaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AttachmentAccepter managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AttachmentAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_attachment_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AttachmentAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AttachmentAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/connectattachment/zz_controller.go b/internal/controller/networkmanager/connectattachment/zz_controller.go
index 77f5d77662..e0cfb30314 100755
--- a/internal/controller/networkmanager/connectattachment/zz_controller.go
+++ b/internal/controller/networkmanager/connectattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConnectAttachment managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConnectAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_connect_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConnectAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConnectAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/connection/zz_controller.go b/internal/controller/networkmanager/connection/zz_controller.go
index d516cbb892..4d0248e952 100755
--- a/internal/controller/networkmanager/connection/zz_controller.go
+++ b/internal/controller/networkmanager/connection/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Connection managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_connection"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Connection_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/corenetwork/zz_controller.go b/internal/controller/networkmanager/corenetwork/zz_controller.go
index e70ac462dd..00915f3e92 100755
--- a/internal/controller/networkmanager/corenetwork/zz_controller.go
+++ b/internal/controller/networkmanager/corenetwork/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CoreNetwork managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CoreNetwork_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_core_network"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CoreNetwork_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CoreNetwork_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/customergatewayassociation/zz_controller.go b/internal/controller/networkmanager/customergatewayassociation/zz_controller.go
index 42a73125ce..378dc0e843 100755
--- a/internal/controller/networkmanager/customergatewayassociation/zz_controller.go
+++ b/internal/controller/networkmanager/customergatewayassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CustomerGatewayAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CustomerGatewayAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_customer_gateway_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CustomerGatewayAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CustomerGatewayAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/device/zz_controller.go b/internal/controller/networkmanager/device/zz_controller.go
index 6ca981e812..2e0e786953 100755
--- a/internal/controller/networkmanager/device/zz_controller.go
+++ b/internal/controller/networkmanager/device/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Device managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Device_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_device"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Device_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Device_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/globalnetwork/zz_controller.go b/internal/controller/networkmanager/globalnetwork/zz_controller.go
index 6ae2066d3a..b837edad10 100755
--- a/internal/controller/networkmanager/globalnetwork/zz_controller.go
+++ b/internal/controller/networkmanager/globalnetwork/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GlobalNetwork managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GlobalNetwork_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_global_network"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GlobalNetwork_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GlobalNetwork_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/link/zz_controller.go b/internal/controller/networkmanager/link/zz_controller.go
index 45ee9e395d..dc9fe8c257 100755
--- a/internal/controller/networkmanager/link/zz_controller.go
+++ b/internal/controller/networkmanager/link/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Link managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Link_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_link"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Link_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Link_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/linkassociation/zz_controller.go b/internal/controller/networkmanager/linkassociation/zz_controller.go
index 0a57a0f57b..d3e68fc78c 100755
--- a/internal/controller/networkmanager/linkassociation/zz_controller.go
+++ b/internal/controller/networkmanager/linkassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LinkAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LinkAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_link_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LinkAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LinkAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/site/zz_controller.go b/internal/controller/networkmanager/site/zz_controller.go
index aab766d723..806bb8462f 100755
--- a/internal/controller/networkmanager/site/zz_controller.go
+++ b/internal/controller/networkmanager/site/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Site managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Site_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_site"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Site_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Site_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/transitgatewayconnectpeerassociation/zz_controller.go b/internal/controller/networkmanager/transitgatewayconnectpeerassociation/zz_controller.go
index 01785677b6..e5847a0a38 100755
--- a/internal/controller/networkmanager/transitgatewayconnectpeerassociation/zz_controller.go
+++ b/internal/controller/networkmanager/transitgatewayconnectpeerassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayConnectPeerAssociation managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayConnectPeerAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_transit_gateway_connect_peer_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayConnectPeerAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayConnectPeerAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/transitgatewayregistration/zz_controller.go b/internal/controller/networkmanager/transitgatewayregistration/zz_controller.go
index a46a2f2b05..b9b295e9fc 100755
--- a/internal/controller/networkmanager/transitgatewayregistration/zz_controller.go
+++ b/internal/controller/networkmanager/transitgatewayregistration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TransitGatewayRegistration managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TransitGatewayRegistration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_transit_gateway_registration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRegistration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TransitGatewayRegistration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/networkmanager/vpcattachment/zz_controller.go b/internal/controller/networkmanager/vpcattachment/zz_controller.go
index 53e90957c3..7f2a960cdc 100755
--- a/internal/controller/networkmanager/vpcattachment/zz_controller.go
+++ b/internal/controller/networkmanager/vpcattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/networkmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCAttachment managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_networkmanager_vpc_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opensearch/domain/zz_controller.go b/internal/controller/opensearch/domain/zz_controller.go
index 400849a575..eccb002ecd 100755
--- a/internal/controller/opensearch/domain/zz_controller.go
+++ b/internal/controller/opensearch/domain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opensearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Domain managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opensearch_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opensearch/domainpolicy/zz_controller.go b/internal/controller/opensearch/domainpolicy/zz_controller.go
index 5da0960d0d..4be49e8116 100755
--- a/internal/controller/opensearch/domainpolicy/zz_controller.go
+++ b/internal/controller/opensearch/domainpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opensearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opensearch_domain_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opensearch/domainsamloptions/zz_controller.go b/internal/controller/opensearch/domainsamloptions/zz_controller.go
index 642b7f547d..13060e1ccc 100755
--- a/internal/controller/opensearch/domainsamloptions/zz_controller.go
+++ b/internal/controller/opensearch/domainsamloptions/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opensearch/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainSAMLOptions managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainSAMLOptions_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opensearch_domain_saml_options"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainSAMLOptions_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainSAMLOptions_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/application/zz_controller.go b/internal/controller/opsworks/application/zz_controller.go
index ff30094ab4..5075f83f69 100755
--- a/internal/controller/opsworks/application/zz_controller.go
+++ b/internal/controller/opsworks/application/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Application managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Application_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Application_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/customlayer/zz_controller.go b/internal/controller/opsworks/customlayer/zz_controller.go
index 5e157f1d50..6c5fe28642 100755
--- a/internal/controller/opsworks/customlayer/zz_controller.go
+++ b/internal/controller/opsworks/customlayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CustomLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CustomLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_custom_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CustomLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CustomLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/ecsclusterlayer/zz_controller.go b/internal/controller/opsworks/ecsclusterlayer/zz_controller.go
index 3c4cce784b..3d3fe2a2ae 100755
--- a/internal/controller/opsworks/ecsclusterlayer/zz_controller.go
+++ b/internal/controller/opsworks/ecsclusterlayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EcsClusterLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EcsClusterLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_ecs_cluster_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EcsClusterLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EcsClusterLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/ganglialayer/zz_controller.go b/internal/controller/opsworks/ganglialayer/zz_controller.go
index 02c17029ae..257244546e 100755
--- a/internal/controller/opsworks/ganglialayer/zz_controller.go
+++ b/internal/controller/opsworks/ganglialayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GangliaLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GangliaLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_ganglia_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GangliaLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GangliaLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/haproxylayer/zz_controller.go b/internal/controller/opsworks/haproxylayer/zz_controller.go
index 97eb1459e5..a811b91325 100755
--- a/internal/controller/opsworks/haproxylayer/zz_controller.go
+++ b/internal/controller/opsworks/haproxylayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HAProxyLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HAProxyLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_haproxy_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HAProxyLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HAProxyLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/instance/zz_controller.go b/internal/controller/opsworks/instance/zz_controller.go
index 25a57de3e7..e3372dc9d0 100755
--- a/internal/controller/opsworks/instance/zz_controller.go
+++ b/internal/controller/opsworks/instance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Instance managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/javaapplayer/zz_controller.go b/internal/controller/opsworks/javaapplayer/zz_controller.go
index dbbad266e3..1fb2c4009f 100755
--- a/internal/controller/opsworks/javaapplayer/zz_controller.go
+++ b/internal/controller/opsworks/javaapplayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles JavaAppLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.JavaAppLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_java_app_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.JavaAppLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.JavaAppLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/memcachedlayer/zz_controller.go b/internal/controller/opsworks/memcachedlayer/zz_controller.go
index 3be1c68f27..2aeb370a1c 100755
--- a/internal/controller/opsworks/memcachedlayer/zz_controller.go
+++ b/internal/controller/opsworks/memcachedlayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MemcachedLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MemcachedLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_memcached_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MemcachedLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MemcachedLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/mysqllayer/zz_controller.go b/internal/controller/opsworks/mysqllayer/zz_controller.go
index 98f3c28d60..c34c4b7478 100755
--- a/internal/controller/opsworks/mysqllayer/zz_controller.go
+++ b/internal/controller/opsworks/mysqllayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MySQLLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MySQLLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_mysql_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MySQLLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MySQLLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/nodejsapplayer/zz_controller.go b/internal/controller/opsworks/nodejsapplayer/zz_controller.go
index a9cc559a2b..f63fe68054 100755
--- a/internal/controller/opsworks/nodejsapplayer/zz_controller.go
+++ b/internal/controller/opsworks/nodejsapplayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NodeJSAppLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NodeJSAppLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_nodejs_app_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NodeJSAppLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NodeJSAppLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/permission/zz_controller.go b/internal/controller/opsworks/permission/zz_controller.go
index 410a6db450..28698b346b 100755
--- a/internal/controller/opsworks/permission/zz_controller.go
+++ b/internal/controller/opsworks/permission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Permission managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Permission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/phpapplayer/zz_controller.go b/internal/controller/opsworks/phpapplayer/zz_controller.go
index c964d6c9c4..c5dd988721 100755
--- a/internal/controller/opsworks/phpapplayer/zz_controller.go
+++ b/internal/controller/opsworks/phpapplayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PHPAppLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PHPAppLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_php_app_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PHPAppLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PHPAppLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/railsapplayer/zz_controller.go b/internal/controller/opsworks/railsapplayer/zz_controller.go
index e50ee1f2c3..c960f437b8 100755
--- a/internal/controller/opsworks/railsapplayer/zz_controller.go
+++ b/internal/controller/opsworks/railsapplayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RailsAppLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RailsAppLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_rails_app_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RailsAppLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RailsAppLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/rdsdbinstance/zz_controller.go b/internal/controller/opsworks/rdsdbinstance/zz_controller.go
index 7cfa198aaf..5cb3a82e8c 100755
--- a/internal/controller/opsworks/rdsdbinstance/zz_controller.go
+++ b/internal/controller/opsworks/rdsdbinstance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RDSDBInstance managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RDSDBInstance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_rds_db_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RDSDBInstance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RDSDBInstance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/stack/zz_controller.go b/internal/controller/opsworks/stack/zz_controller.go
index 7d5e5b1926..322909d6e5 100755
--- a/internal/controller/opsworks/stack/zz_controller.go
+++ b/internal/controller/opsworks/stack/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stack managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_stack"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stack_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/staticweblayer/zz_controller.go b/internal/controller/opsworks/staticweblayer/zz_controller.go
index d42771ac85..a3762826d7 100755
--- a/internal/controller/opsworks/staticweblayer/zz_controller.go
+++ b/internal/controller/opsworks/staticweblayer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StaticWebLayer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StaticWebLayer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_static_web_layer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StaticWebLayer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StaticWebLayer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/opsworks/userprofile/zz_controller.go b/internal/controller/opsworks/userprofile/zz_controller.go
index 56defa611d..653c391840 100755
--- a/internal/controller/opsworks/userprofile/zz_controller.go
+++ b/internal/controller/opsworks/userprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/opsworks/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserProfile managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_opsworks_user_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/organizations/account/zz_controller.go b/internal/controller/organizations/account/zz_controller.go
index 79d204b0d1..4aae51182c 100755
--- a/internal/controller/organizations/account/zz_controller.go
+++ b/internal/controller/organizations/account/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/organizations/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Account managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Account_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_organizations_account"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/organizations/delegatedadministrator/zz_controller.go b/internal/controller/organizations/delegatedadministrator/zz_controller.go
index ccee67d5b1..132b67487f 100755
--- a/internal/controller/organizations/delegatedadministrator/zz_controller.go
+++ b/internal/controller/organizations/delegatedadministrator/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/organizations/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DelegatedAdministrator managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DelegatedAdministrator_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_organizations_delegated_administrator"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DelegatedAdministrator_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DelegatedAdministrator_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/organizations/organization/zz_controller.go b/internal/controller/organizations/organization/zz_controller.go
index 0a4e2c5c24..80552a1615 100755
--- a/internal/controller/organizations/organization/zz_controller.go
+++ b/internal/controller/organizations/organization/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/organizations/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Organization managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Organization_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_organizations_organization"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Organization_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Organization_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/organizations/organizationalunit/zz_controller.go b/internal/controller/organizations/organizationalunit/zz_controller.go
index cbbc714742..0ea490967c 100755
--- a/internal/controller/organizations/organizationalunit/zz_controller.go
+++ b/internal/controller/organizations/organizationalunit/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/organizations/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OrganizationalUnit managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OrganizationalUnit_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_organizations_organizational_unit"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OrganizationalUnit_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OrganizationalUnit_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/organizations/policy/zz_controller.go b/internal/controller/organizations/policy/zz_controller.go
index f9f8b735af..218ef05e00 100755
--- a/internal/controller/organizations/policy/zz_controller.go
+++ b/internal/controller/organizations/policy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/organizations/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Policy managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_organizations_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Policy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/organizations/policyattachment/zz_controller.go b/internal/controller/organizations/policyattachment/zz_controller.go
index 0d4b2d1c8f..0d3f772c28 100755
--- a/internal/controller/organizations/policyattachment/zz_controller.go
+++ b/internal/controller/organizations/policyattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/organizations/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PolicyAttachment managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PolicyAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_organizations_policy_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PolicyAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PolicyAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/pinpoint/app/zz_controller.go b/internal/controller/pinpoint/app/zz_controller.go
index 6f50cd1d7d..7f8a57d5ad 100755
--- a/internal/controller/pinpoint/app/zz_controller.go
+++ b/internal/controller/pinpoint/app/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/pinpoint/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles App managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.App_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_pinpoint_app"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/pinpoint/smschannel/zz_controller.go b/internal/controller/pinpoint/smschannel/zz_controller.go
index b54e832a7b..26f9dc522c 100755
--- a/internal/controller/pinpoint/smschannel/zz_controller.go
+++ b/internal/controller/pinpoint/smschannel/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/pinpoint/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SMSChannel managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SMSChannel_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_pinpoint_sms_channel"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SMSChannel_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SMSChannel_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/qldb/ledger/zz_controller.go b/internal/controller/qldb/ledger/zz_controller.go
index 636b44b230..22c8a94bf2 100755
--- a/internal/controller/qldb/ledger/zz_controller.go
+++ b/internal/controller/qldb/ledger/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/qldb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Ledger managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Ledger_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_qldb_ledger"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Ledger_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Ledger_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/qldb/stream/zz_controller.go b/internal/controller/qldb/stream/zz_controller.go
index f8f6f0adc2..fa0c831583 100755
--- a/internal/controller/qldb/stream/zz_controller.go
+++ b/internal/controller/qldb/stream/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/qldb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Stream managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_qldb_stream"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Stream_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/quicksight/group/zz_controller.go b/internal/controller/quicksight/group/zz_controller.go
index 837ab42b94..0b81315512 100755
--- a/internal/controller/quicksight/group/zz_controller.go
+++ b/internal/controller/quicksight/group/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/quicksight/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Group managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Group_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_quicksight_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/quicksight/user/zz_controller.go b/internal/controller/quicksight/user/zz_controller.go
index 4ba4a88ca9..a75c0034b7 100755
--- a/internal/controller/quicksight/user/zz_controller.go
+++ b/internal/controller/quicksight/user/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/quicksight/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles User managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.User_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_quicksight_user"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ram/resourceassociation/zz_controller.go b/internal/controller/ram/resourceassociation/zz_controller.go
index ebdb711e14..c40be6e2bb 100755
--- a/internal/controller/ram/resourceassociation/zz_controller.go
+++ b/internal/controller/ram/resourceassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ram/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourceAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourceAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ram_resource_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourceAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourceAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ram/resourceshare/zz_controller.go b/internal/controller/ram/resourceshare/zz_controller.go
index 8cdb338b7c..332f9689cf 100755
--- a/internal/controller/ram/resourceshare/zz_controller.go
+++ b/internal/controller/ram/resourceshare/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ram/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourceShare managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourceShare_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ram_resource_share"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourceShare_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourceShare_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/cluster/zz_controller.go b/internal/controller/rds/cluster/zz_controller.go
index 85a54ae0f8..bb1941f3ea 100755
--- a/internal/controller/rds/cluster/zz_controller.go
+++ b/internal/controller/rds/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rds_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/clusteractivitystream/zz_controller.go b/internal/controller/rds/clusteractivitystream/zz_controller.go
index 2f697b4fbb..edd8ca1c61 100755
--- a/internal/controller/rds/clusteractivitystream/zz_controller.go
+++ b/internal/controller/rds/clusteractivitystream/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterActivityStream managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterActivityStream_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rds_cluster_activity_stream"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterActivityStream_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterActivityStream_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/clusterendpoint/zz_controller.go b/internal/controller/rds/clusterendpoint/zz_controller.go
index 9688444900..c5d7c10bf3 100755
--- a/internal/controller/rds/clusterendpoint/zz_controller.go
+++ b/internal/controller/rds/clusterendpoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterEndpoint managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterEndpoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rds_cluster_endpoint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterEndpoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterEndpoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/clusterinstance/zz_controller.go b/internal/controller/rds/clusterinstance/zz_controller.go
index dd2217339f..e1e5555e75 100755
--- a/internal/controller/rds/clusterinstance/zz_controller.go
+++ b/internal/controller/rds/clusterinstance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterInstance managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rds_cluster_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterInstance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/clusterparametergroup/zz_controller.go b/internal/controller/rds/clusterparametergroup/zz_controller.go
index 7f4276971c..db075e6cbd 100755
--- a/internal/controller/rds/clusterparametergroup/zz_controller.go
+++ b/internal/controller/rds/clusterparametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterParameterGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rds_cluster_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/clusterroleassociation/zz_controller.go b/internal/controller/rds/clusterroleassociation/zz_controller.go
index 5ffc45ad49..1d6acee0b4 100755
--- a/internal/controller/rds/clusterroleassociation/zz_controller.go
+++ b/internal/controller/rds/clusterroleassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterRoleAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterRoleAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rds_cluster_role_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterRoleAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterRoleAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/clustersnapshot/zz_controller.go b/internal/controller/rds/clustersnapshot/zz_controller.go
index 9f5042766d..1b70262b9b 100755
--- a/internal/controller/rds/clustersnapshot/zz_controller.go
+++ b/internal/controller/rds/clustersnapshot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ClusterSnapshot managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_cluster_snapshot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ClusterSnapshot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/dbinstanceautomatedbackupsreplication/zz_controller.go b/internal/controller/rds/dbinstanceautomatedbackupsreplication/zz_controller.go
index 6f44c79c6e..5ab496aed2 100755
--- a/internal/controller/rds/dbinstanceautomatedbackupsreplication/zz_controller.go
+++ b/internal/controller/rds/dbinstanceautomatedbackupsreplication/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DBInstanceAutomatedBackupsReplication managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DBInstanceAutomatedBackupsReplication_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_instance_automated_backups_replication"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DBInstanceAutomatedBackupsReplication_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DBInstanceAutomatedBackupsReplication_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/dbsnapshotcopy/zz_controller.go b/internal/controller/rds/dbsnapshotcopy/zz_controller.go
index 47ddb73d67..6f7d0f5f80 100755
--- a/internal/controller/rds/dbsnapshotcopy/zz_controller.go
+++ b/internal/controller/rds/dbsnapshotcopy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DBSnapshotCopy managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DBSnapshotCopy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_snapshot_copy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DBSnapshotCopy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DBSnapshotCopy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/eventsubscription/zz_controller.go b/internal/controller/rds/eventsubscription/zz_controller.go
index 8c63532a5a..56f7844993 100755
--- a/internal/controller/rds/eventsubscription/zz_controller.go
+++ b/internal/controller/rds/eventsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventSubscription managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_event_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/globalcluster/zz_controller.go b/internal/controller/rds/globalcluster/zz_controller.go
index 5aa0353ba3..e447bbc319 100755
--- a/internal/controller/rds/globalcluster/zz_controller.go
+++ b/internal/controller/rds/globalcluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GlobalCluster managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rds_global_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GlobalCluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/instance/zz_controller.go b/internal/controller/rds/instance/zz_controller.go
index 02bd7f9c49..a8c3bf94f6 100755
--- a/internal/controller/rds/instance/zz_controller.go
+++ b/internal/controller/rds/instance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Instance managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Instance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/instanceroleassociation/zz_controller.go b/internal/controller/rds/instanceroleassociation/zz_controller.go
index 0a01a6c524..3aa13588f1 100755
--- a/internal/controller/rds/instanceroleassociation/zz_controller.go
+++ b/internal/controller/rds/instanceroleassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InstanceRoleAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InstanceRoleAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_instance_role_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InstanceRoleAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InstanceRoleAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/optiongroup/zz_controller.go b/internal/controller/rds/optiongroup/zz_controller.go
index c492ee686b..b58fba6eaa 100755
--- a/internal/controller/rds/optiongroup/zz_controller.go
+++ b/internal/controller/rds/optiongroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles OptionGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.OptionGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_option_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.OptionGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.OptionGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/parametergroup/zz_controller.go b/internal/controller/rds/parametergroup/zz_controller.go
index 051d633b41..841c2634f1 100755
--- a/internal/controller/rds/parametergroup/zz_controller.go
+++ b/internal/controller/rds/parametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ParameterGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/proxy/zz_controller.go b/internal/controller/rds/proxy/zz_controller.go
index 6019be9037..079d885f91 100755
--- a/internal/controller/rds/proxy/zz_controller.go
+++ b/internal/controller/rds/proxy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Proxy managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Proxy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_proxy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Proxy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Proxy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/proxydefaulttargetgroup/zz_controller.go b/internal/controller/rds/proxydefaulttargetgroup/zz_controller.go
index b9aedf54ef..92d7543bab 100755
--- a/internal/controller/rds/proxydefaulttargetgroup/zz_controller.go
+++ b/internal/controller/rds/proxydefaulttargetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProxyDefaultTargetGroup managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProxyDefaultTargetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_proxy_default_target_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProxyDefaultTargetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProxyDefaultTargetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/proxyendpoint/zz_controller.go b/internal/controller/rds/proxyendpoint/zz_controller.go
index e8d5e64205..36b63a2de9 100755
--- a/internal/controller/rds/proxyendpoint/zz_controller.go
+++ b/internal/controller/rds/proxyendpoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProxyEndpoint managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProxyEndpoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_proxy_endpoint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProxyEndpoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProxyEndpoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/proxytarget/zz_controller.go b/internal/controller/rds/proxytarget/zz_controller.go
index 005db58bf3..6bca194ff9 100755
--- a/internal/controller/rds/proxytarget/zz_controller.go
+++ b/internal/controller/rds/proxytarget/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProxyTarget managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProxyTarget_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_proxy_target"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProxyTarget_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProxyTarget_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/securitygroup/zz_controller.go b/internal/controller/rds/securitygroup/zz_controller.go
index e9bc6ffab2..0a7aa3661a 100755
--- a/internal/controller/rds/securitygroup/zz_controller.go
+++ b/internal/controller/rds/securitygroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecurityGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecurityGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_security_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecurityGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecurityGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/snapshot/zz_controller.go b/internal/controller/rds/snapshot/zz_controller.go
index 37d90b0f0e..2b2900ab67 100755
--- a/internal/controller/rds/snapshot/zz_controller.go
+++ b/internal/controller/rds/snapshot/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Snapshot managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Snapshot_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_snapshot"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Snapshot_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Snapshot_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rds/subnetgroup/zz_controller.go b/internal/controller/rds/subnetgroup/zz_controller.go
index 20e12a5472..c01a21c24d 100755
--- a/internal/controller/rds/subnetgroup/zz_controller.go
+++ b/internal/controller/rds/subnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rds/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_db_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/authenticationprofile/zz_controller.go b/internal/controller/redshift/authenticationprofile/zz_controller.go
index 296707478d..5ddf9159c4 100755
--- a/internal/controller/redshift/authenticationprofile/zz_controller.go
+++ b/internal/controller/redshift/authenticationprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AuthenticationProfile managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AuthenticationProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_authentication_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AuthenticationProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AuthenticationProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/cluster/zz_controller.go b/internal/controller/redshift/cluster/zz_controller.go
index 7193679130..3cd8c3fa87 100755
--- a/internal/controller/redshift/cluster/zz_controller.go
+++ b/internal/controller/redshift/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/eventsubscription/zz_controller.go b/internal/controller/redshift/eventsubscription/zz_controller.go
index eb978d3fed..6760928b39 100755
--- a/internal/controller/redshift/eventsubscription/zz_controller.go
+++ b/internal/controller/redshift/eventsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventSubscription managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_event_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/hsmclientcertificate/zz_controller.go b/internal/controller/redshift/hsmclientcertificate/zz_controller.go
index ded65c95a4..7ba0b78fd8 100755
--- a/internal/controller/redshift/hsmclientcertificate/zz_controller.go
+++ b/internal/controller/redshift/hsmclientcertificate/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HSMClientCertificate managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HSMClientCertificate_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_hsm_client_certificate"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HSMClientCertificate_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HSMClientCertificate_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/hsmconfiguration/zz_controller.go b/internal/controller/redshift/hsmconfiguration/zz_controller.go
index 076e7dedbf..73a3906b17 100755
--- a/internal/controller/redshift/hsmconfiguration/zz_controller.go
+++ b/internal/controller/redshift/hsmconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HSMConfiguration managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HSMConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_hsm_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HSMConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HSMConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/parametergroup/zz_controller.go b/internal/controller/redshift/parametergroup/zz_controller.go
index f91277bc4d..abbf6c4f45 100755
--- a/internal/controller/redshift/parametergroup/zz_controller.go
+++ b/internal/controller/redshift/parametergroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ParameterGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_parameter_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ParameterGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/scheduledaction/zz_controller.go b/internal/controller/redshift/scheduledaction/zz_controller.go
index eac9aa1656..6adae6fa54 100755
--- a/internal/controller/redshift/scheduledaction/zz_controller.go
+++ b/internal/controller/redshift/scheduledaction/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ScheduledAction managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ScheduledAction_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_scheduled_action"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ScheduledAction_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ScheduledAction_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/snapshotcopygrant/zz_controller.go b/internal/controller/redshift/snapshotcopygrant/zz_controller.go
index 425d69c5a2..43853e5b01 100755
--- a/internal/controller/redshift/snapshotcopygrant/zz_controller.go
+++ b/internal/controller/redshift/snapshotcopygrant/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SnapshotCopyGrant managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SnapshotCopyGrant_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_snapshot_copy_grant"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SnapshotCopyGrant_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SnapshotCopyGrant_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/snapshotschedule/zz_controller.go b/internal/controller/redshift/snapshotschedule/zz_controller.go
index 9b60eb0e4c..5232e6ec69 100755
--- a/internal/controller/redshift/snapshotschedule/zz_controller.go
+++ b/internal/controller/redshift/snapshotschedule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SnapshotSchedule managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SnapshotSchedule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_snapshot_schedule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SnapshotSchedule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SnapshotSchedule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/snapshotscheduleassociation/zz_controller.go b/internal/controller/redshift/snapshotscheduleassociation/zz_controller.go
index a732b435be..965ee989b3 100755
--- a/internal/controller/redshift/snapshotscheduleassociation/zz_controller.go
+++ b/internal/controller/redshift/snapshotscheduleassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SnapshotScheduleAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SnapshotScheduleAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_snapshot_schedule_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SnapshotScheduleAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SnapshotScheduleAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/subnetgroup/zz_controller.go b/internal/controller/redshift/subnetgroup/zz_controller.go
index fd78ff8cc0..56c900e846 100755
--- a/internal/controller/redshift/subnetgroup/zz_controller.go
+++ b/internal/controller/redshift/subnetgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SubnetGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_subnet_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SubnetGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/redshift/usagelimit/zz_controller.go b/internal/controller/redshift/usagelimit/zz_controller.go
index c29d342a09..d7555b9562 100755
--- a/internal/controller/redshift/usagelimit/zz_controller.go
+++ b/internal/controller/redshift/usagelimit/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/redshift/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UsageLimit managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UsageLimit_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_redshift_usage_limit"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UsageLimit_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UsageLimit_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/resourcegroups/group/zz_controller.go b/internal/controller/resourcegroups/group/zz_controller.go
index 8b88567559..1ad5c132fe 100755
--- a/internal/controller/resourcegroups/group/zz_controller.go
+++ b/internal/controller/resourcegroups/group/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/resourcegroups/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Group managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Group_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_resourcegroups_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rolesanywhere/profile/zz_controller.go b/internal/controller/rolesanywhere/profile/zz_controller.go
index e244ee4dc7..8b7462699e 100755
--- a/internal/controller/rolesanywhere/profile/zz_controller.go
+++ b/internal/controller/rolesanywhere/profile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rolesanywhere/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Profile managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Profile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rolesanywhere_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Profile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Profile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/delegationset/zz_controller.go b/internal/controller/route53/delegationset/zz_controller.go
index 71e80508a0..43a53bbe03 100755
--- a/internal/controller/route53/delegationset/zz_controller.go
+++ b/internal/controller/route53/delegationset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DelegationSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DelegationSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_delegation_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DelegationSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DelegationSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/healthcheck/zz_controller.go b/internal/controller/route53/healthcheck/zz_controller.go
index 658fd2e4b0..6c7f3e348d 100755
--- a/internal/controller/route53/healthcheck/zz_controller.go
+++ b/internal/controller/route53/healthcheck/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HealthCheck managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HealthCheck_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_health_check"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HealthCheck_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HealthCheck_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/hostedzonednssec/zz_controller.go b/internal/controller/route53/hostedzonednssec/zz_controller.go
index ced9094795..cb39fe8766 100755
--- a/internal/controller/route53/hostedzonednssec/zz_controller.go
+++ b/internal/controller/route53/hostedzonednssec/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HostedZoneDNSSEC managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HostedZoneDNSSEC_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_hosted_zone_dnssec"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HostedZoneDNSSEC_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HostedZoneDNSSEC_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/record/zz_controller.go b/internal/controller/route53/record/zz_controller.go
index ef245bebb1..c6ac0553bd 100755
--- a/internal/controller/route53/record/zz_controller.go
+++ b/internal/controller/route53/record/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Record managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Record_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_record"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Record_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Record_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/resolverconfig/zz_controller.go b/internal/controller/route53/resolverconfig/zz_controller.go
index c8f6f195d4..a2c1b894b9 100755
--- a/internal/controller/route53/resolverconfig/zz_controller.go
+++ b/internal/controller/route53/resolverconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResolverConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResolverConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_resolver_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResolverConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResolverConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/trafficpolicy/zz_controller.go b/internal/controller/route53/trafficpolicy/zz_controller.go
index 0fd2b72ae2..5ed63202db 100755
--- a/internal/controller/route53/trafficpolicy/zz_controller.go
+++ b/internal/controller/route53/trafficpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TrafficPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TrafficPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_traffic_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TrafficPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TrafficPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/trafficpolicyinstance/zz_controller.go b/internal/controller/route53/trafficpolicyinstance/zz_controller.go
index 37a3619122..a0ea0de6d8 100755
--- a/internal/controller/route53/trafficpolicyinstance/zz_controller.go
+++ b/internal/controller/route53/trafficpolicyinstance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TrafficPolicyInstance managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TrafficPolicyInstance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_traffic_policy_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TrafficPolicyInstance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TrafficPolicyInstance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/vpcassociationauthorization/zz_controller.go b/internal/controller/route53/vpcassociationauthorization/zz_controller.go
index 745eda9b36..a90197719f 100755
--- a/internal/controller/route53/vpcassociationauthorization/zz_controller.go
+++ b/internal/controller/route53/vpcassociationauthorization/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VPCAssociationAuthorization managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VPCAssociationAuthorization_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_vpc_association_authorization"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VPCAssociationAuthorization_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VPCAssociationAuthorization_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53/zone/zz_controller.go b/internal/controller/route53/zone/zz_controller.go
index 43101fae64..402d0db66c 100755
--- a/internal/controller/route53/zone/zz_controller.go
+++ b/internal/controller/route53/zone/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Zone managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Zone_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_zone"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Zone_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Zone_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoverycontrolconfig/cluster/zz_controller.go b/internal/controller/route53recoverycontrolconfig/cluster/zz_controller.go
index c68cf35620..d51744b18e 100755
--- a/internal/controller/route53recoverycontrolconfig/cluster/zz_controller.go
+++ b/internal/controller/route53recoverycontrolconfig/cluster/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoverycontrolconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cluster managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoverycontrolconfig_cluster"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cluster_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoverycontrolconfig/controlpanel/zz_controller.go b/internal/controller/route53recoverycontrolconfig/controlpanel/zz_controller.go
index 64184898d4..32e32eacc0 100755
--- a/internal/controller/route53recoverycontrolconfig/controlpanel/zz_controller.go
+++ b/internal/controller/route53recoverycontrolconfig/controlpanel/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoverycontrolconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ControlPanel managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ControlPanel_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoverycontrolconfig_control_panel"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ControlPanel_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ControlPanel_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoverycontrolconfig/routingcontrol/zz_controller.go b/internal/controller/route53recoverycontrolconfig/routingcontrol/zz_controller.go
index a04d6383ad..20a7c50efb 100755
--- a/internal/controller/route53recoverycontrolconfig/routingcontrol/zz_controller.go
+++ b/internal/controller/route53recoverycontrolconfig/routingcontrol/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoverycontrolconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RoutingControl managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RoutingControl_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoverycontrolconfig_routing_control"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RoutingControl_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RoutingControl_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoverycontrolconfig/safetyrule/zz_controller.go b/internal/controller/route53recoverycontrolconfig/safetyrule/zz_controller.go
index 6d72e9b95e..46a6092848 100755
--- a/internal/controller/route53recoverycontrolconfig/safetyrule/zz_controller.go
+++ b/internal/controller/route53recoverycontrolconfig/safetyrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoverycontrolconfig/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SafetyRule managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SafetyRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoverycontrolconfig_safety_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SafetyRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SafetyRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoveryreadiness/cell/zz_controller.go b/internal/controller/route53recoveryreadiness/cell/zz_controller.go
index dbc03c5ef2..3d9bd1bdaa 100755
--- a/internal/controller/route53recoveryreadiness/cell/zz_controller.go
+++ b/internal/controller/route53recoveryreadiness/cell/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoveryreadiness/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Cell managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Cell_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoveryreadiness_cell"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Cell_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Cell_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoveryreadiness/readinesscheck/zz_controller.go b/internal/controller/route53recoveryreadiness/readinesscheck/zz_controller.go
index d0e7507862..7c87dbd4b1 100755
--- a/internal/controller/route53recoveryreadiness/readinesscheck/zz_controller.go
+++ b/internal/controller/route53recoveryreadiness/readinesscheck/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoveryreadiness/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReadinessCheck managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReadinessCheck_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoveryreadiness_readiness_check"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReadinessCheck_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReadinessCheck_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoveryreadiness/recoverygroup/zz_controller.go b/internal/controller/route53recoveryreadiness/recoverygroup/zz_controller.go
index 5cbd5b38df..bd735b2d1c 100755
--- a/internal/controller/route53recoveryreadiness/recoverygroup/zz_controller.go
+++ b/internal/controller/route53recoveryreadiness/recoverygroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoveryreadiness/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RecoveryGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RecoveryGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoveryreadiness_recovery_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RecoveryGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RecoveryGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53recoveryreadiness/resourceset/zz_controller.go b/internal/controller/route53recoveryreadiness/resourceset/zz_controller.go
index 37bf82beae..880b88652e 100755
--- a/internal/controller/route53recoveryreadiness/resourceset/zz_controller.go
+++ b/internal/controller/route53recoveryreadiness/resourceset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53recoveryreadiness/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourceSet managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourceSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53recoveryreadiness_resource_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourceSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourceSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53resolver/endpoint/zz_controller.go b/internal/controller/route53resolver/endpoint/zz_controller.go
index 6a5c5ad40c..d84bdf897c 100755
--- a/internal/controller/route53resolver/endpoint/zz_controller.go
+++ b/internal/controller/route53resolver/endpoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53resolver/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Endpoint managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Endpoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_resolver_endpoint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Endpoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Endpoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53resolver/rule/zz_controller.go b/internal/controller/route53resolver/rule/zz_controller.go
index 99d0385b84..e275e3a5fa 100755
--- a/internal/controller/route53resolver/rule/zz_controller.go
+++ b/internal/controller/route53resolver/rule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53resolver/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Rule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_resolver_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/route53resolver/ruleassociation/zz_controller.go b/internal/controller/route53resolver/ruleassociation/zz_controller.go
index ecb2392fc3..11cc24450b 100755
--- a/internal/controller/route53resolver/ruleassociation/zz_controller.go
+++ b/internal/controller/route53resolver/ruleassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/route53resolver/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RuleAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RuleAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_route53_resolver_rule_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RuleAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RuleAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rum/appmonitor/zz_controller.go b/internal/controller/rum/appmonitor/zz_controller.go
index 99d0a3aa0a..7df09741d1 100755
--- a/internal/controller/rum/appmonitor/zz_controller.go
+++ b/internal/controller/rum/appmonitor/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rum/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AppMonitor managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AppMonitor_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rum_app_monitor"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AppMonitor_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AppMonitor_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/rum/metricsdestination/zz_controller.go b/internal/controller/rum/metricsdestination/zz_controller.go
index 738f15eaa5..e5873cdb5e 100755
--- a/internal/controller/rum/metricsdestination/zz_controller.go
+++ b/internal/controller/rum/metricsdestination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/rum/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MetricsDestination managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MetricsDestination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_rum_metrics_destination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MetricsDestination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MetricsDestination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucket/zz_controller.go b/internal/controller/s3/bucket/zz_controller.go
index 9f78f58f19..b3ebcaca56 100755
--- a/internal/controller/s3/bucket/zz_controller.go
+++ b/internal/controller/s3/bucket/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Bucket managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Bucket_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Bucket_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Bucket_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketaccelerateconfiguration/zz_controller.go b/internal/controller/s3/bucketaccelerateconfiguration/zz_controller.go
index fddaf5cf81..8ba9ab3bb5 100755
--- a/internal/controller/s3/bucketaccelerateconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketaccelerateconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketAccelerateConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketAccelerateConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_accelerate_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketAccelerateConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketAccelerateConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketacl/zz_controller.go b/internal/controller/s3/bucketacl/zz_controller.go
index 204b0986a7..7b44174983 100755
--- a/internal/controller/s3/bucketacl/zz_controller.go
+++ b/internal/controller/s3/bucketacl/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketACL managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketACL_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_acl"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketACL_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketACL_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketanalyticsconfiguration/zz_controller.go b/internal/controller/s3/bucketanalyticsconfiguration/zz_controller.go
index 885039140e..ff4a7ddfcc 100755
--- a/internal/controller/s3/bucketanalyticsconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketanalyticsconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketAnalyticsConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketAnalyticsConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_analytics_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketAnalyticsConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketAnalyticsConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketcorsconfiguration/zz_controller.go b/internal/controller/s3/bucketcorsconfiguration/zz_controller.go
index 6338b7ca85..2478103731 100755
--- a/internal/controller/s3/bucketcorsconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketcorsconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketCorsConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketCorsConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_cors_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketCorsConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketCorsConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketintelligenttieringconfiguration/zz_controller.go b/internal/controller/s3/bucketintelligenttieringconfiguration/zz_controller.go
index eedf4b0e3c..9d689fc2ba 100755
--- a/internal/controller/s3/bucketintelligenttieringconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketintelligenttieringconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketIntelligentTieringConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketIntelligentTieringConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_intelligent_tiering_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketIntelligentTieringConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketIntelligentTieringConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketinventory/zz_controller.go b/internal/controller/s3/bucketinventory/zz_controller.go
index 439d06f9a2..7081dc3f18 100755
--- a/internal/controller/s3/bucketinventory/zz_controller.go
+++ b/internal/controller/s3/bucketinventory/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketInventory managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketInventory_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_inventory"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketInventory_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketInventory_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketlifecycleconfiguration/zz_controller.go b/internal/controller/s3/bucketlifecycleconfiguration/zz_controller.go
index fcd6e7857d..8e99a48215 100755
--- a/internal/controller/s3/bucketlifecycleconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketlifecycleconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketLifecycleConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketLifecycleConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_lifecycle_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketLifecycleConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketLifecycleConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketlogging/zz_controller.go b/internal/controller/s3/bucketlogging/zz_controller.go
index b8464dd17c..3c40a2b7cb 100755
--- a/internal/controller/s3/bucketlogging/zz_controller.go
+++ b/internal/controller/s3/bucketlogging/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketLogging managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketLogging_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_logging"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketLogging_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketLogging_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketmetric/zz_controller.go b/internal/controller/s3/bucketmetric/zz_controller.go
index 290dd3e604..51e7d1adc6 100755
--- a/internal/controller/s3/bucketmetric/zz_controller.go
+++ b/internal/controller/s3/bucketmetric/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketMetric managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketMetric_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_metric"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketMetric_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketMetric_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketnotification/zz_controller.go b/internal/controller/s3/bucketnotification/zz_controller.go
index 42ceef10cb..6c661c52bd 100755
--- a/internal/controller/s3/bucketnotification/zz_controller.go
+++ b/internal/controller/s3/bucketnotification/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketNotification managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketNotification_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_notification"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketNotification_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketNotification_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketobject/zz_controller.go b/internal/controller/s3/bucketobject/zz_controller.go
index 93788a918a..f3b2df9db6 100755
--- a/internal/controller/s3/bucketobject/zz_controller.go
+++ b/internal/controller/s3/bucketobject/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketObject managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketObject_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_object"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketObject_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketObject_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketobjectlockconfiguration/zz_controller.go b/internal/controller/s3/bucketobjectlockconfiguration/zz_controller.go
index edbfd09520..7549a9e236 100755
--- a/internal/controller/s3/bucketobjectlockconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketobjectlockconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketObjectLockConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketObjectLockConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_object_lock_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketObjectLockConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketObjectLockConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketownershipcontrols/zz_controller.go b/internal/controller/s3/bucketownershipcontrols/zz_controller.go
index 4db5b5bc56..9b96e95670 100755
--- a/internal/controller/s3/bucketownershipcontrols/zz_controller.go
+++ b/internal/controller/s3/bucketownershipcontrols/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketOwnershipControls managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketOwnershipControls_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_ownership_controls"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketOwnershipControls_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketOwnershipControls_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketpolicy/zz_controller.go b/internal/controller/s3/bucketpolicy/zz_controller.go
index f7608fd8fd..c41e3dfadb 100755
--- a/internal/controller/s3/bucketpolicy/zz_controller.go
+++ b/internal/controller/s3/bucketpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketpublicaccessblock/zz_controller.go b/internal/controller/s3/bucketpublicaccessblock/zz_controller.go
index fcaf97483e..a59b899f86 100755
--- a/internal/controller/s3/bucketpublicaccessblock/zz_controller.go
+++ b/internal/controller/s3/bucketpublicaccessblock/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketPublicAccessBlock managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketPublicAccessBlock_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_public_access_block"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketPublicAccessBlock_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketPublicAccessBlock_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketreplicationconfiguration/zz_controller.go b/internal/controller/s3/bucketreplicationconfiguration/zz_controller.go
index a625d6a55e..e1db06406a 100755
--- a/internal/controller/s3/bucketreplicationconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketreplicationconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketReplicationConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketReplicationConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_replication_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketReplicationConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketReplicationConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketrequestpaymentconfiguration/zz_controller.go b/internal/controller/s3/bucketrequestpaymentconfiguration/zz_controller.go
index 5eeff34498..fd6ed09582 100755
--- a/internal/controller/s3/bucketrequestpaymentconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketrequestpaymentconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketRequestPaymentConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketRequestPaymentConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_request_payment_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketRequestPaymentConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketRequestPaymentConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketserversideencryptionconfiguration/zz_controller.go b/internal/controller/s3/bucketserversideencryptionconfiguration/zz_controller.go
index 03afda5738..fc739c3c9e 100755
--- a/internal/controller/s3/bucketserversideencryptionconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketserversideencryptionconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketServerSideEncryptionConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketServerSideEncryptionConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_server_side_encryption_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketServerSideEncryptionConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketServerSideEncryptionConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketversioning/zz_controller.go b/internal/controller/s3/bucketversioning/zz_controller.go
index e3f5daef2a..a54d66adab 100755
--- a/internal/controller/s3/bucketversioning/zz_controller.go
+++ b/internal/controller/s3/bucketversioning/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketVersioning managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketVersioning_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_versioning"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketVersioning_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketVersioning_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/bucketwebsiteconfiguration/zz_controller.go b/internal/controller/s3/bucketwebsiteconfiguration/zz_controller.go
index 87e4722c4c..8023fa3811 100755
--- a/internal/controller/s3/bucketwebsiteconfiguration/zz_controller.go
+++ b/internal/controller/s3/bucketwebsiteconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BucketWebsiteConfiguration managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BucketWebsiteConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_bucket_website_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BucketWebsiteConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BucketWebsiteConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/object/zz_controller.go b/internal/controller/s3/object/zz_controller.go
index a60c46cd4e..af62b3ad83 100755
--- a/internal/controller/s3/object/zz_controller.go
+++ b/internal/controller/s3/object/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Object managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Object_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_object"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Object_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Object_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3/objectcopy/zz_controller.go b/internal/controller/s3/objectcopy/zz_controller.go
index 9efac1966e..a1e7a506e8 100755
--- a/internal/controller/s3/objectcopy/zz_controller.go
+++ b/internal/controller/s3/objectcopy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ObjectCopy managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ObjectCopy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_object_copy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ObjectCopy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ObjectCopy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/accesspoint/zz_controller.go b/internal/controller/s3control/accesspoint/zz_controller.go
index f46aded678..3b270943b2 100755
--- a/internal/controller/s3control/accesspoint/zz_controller.go
+++ b/internal/controller/s3control/accesspoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccessPoint managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccessPoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_access_point"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccessPoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccessPoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/accesspointpolicy/zz_controller.go b/internal/controller/s3control/accesspointpolicy/zz_controller.go
index 489ae39cf1..da702548b5 100755
--- a/internal/controller/s3control/accesspointpolicy/zz_controller.go
+++ b/internal/controller/s3control/accesspointpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccessPointPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccessPointPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3control_access_point_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccessPointPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccessPointPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/accountpublicaccessblock/zz_controller.go b/internal/controller/s3control/accountpublicaccessblock/zz_controller.go
index 01eec8a193..f4a313f4f4 100755
--- a/internal/controller/s3control/accountpublicaccessblock/zz_controller.go
+++ b/internal/controller/s3control/accountpublicaccessblock/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccountPublicAccessBlock managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccountPublicAccessBlock_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3_account_public_access_block"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccountPublicAccessBlock_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccountPublicAccessBlock_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/multiregionaccesspoint/zz_controller.go b/internal/controller/s3control/multiregionaccesspoint/zz_controller.go
index 8219341e8f..808071c3f4 100755
--- a/internal/controller/s3control/multiregionaccesspoint/zz_controller.go
+++ b/internal/controller/s3control/multiregionaccesspoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MultiRegionAccessPoint managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MultiRegionAccessPoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3control_multi_region_access_point"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MultiRegionAccessPoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MultiRegionAccessPoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/multiregionaccesspointpolicy/zz_controller.go b/internal/controller/s3control/multiregionaccesspointpolicy/zz_controller.go
index 5bff958119..6c7116277e 100755
--- a/internal/controller/s3control/multiregionaccesspointpolicy/zz_controller.go
+++ b/internal/controller/s3control/multiregionaccesspointpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MultiRegionAccessPointPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MultiRegionAccessPointPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3control_multi_region_access_point_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MultiRegionAccessPointPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MultiRegionAccessPointPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/objectlambdaaccesspoint/zz_controller.go b/internal/controller/s3control/objectlambdaaccesspoint/zz_controller.go
index e6c4056afb..8acad69707 100755
--- a/internal/controller/s3control/objectlambdaaccesspoint/zz_controller.go
+++ b/internal/controller/s3control/objectlambdaaccesspoint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ObjectLambdaAccessPoint managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ObjectLambdaAccessPoint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3control_object_lambda_access_point"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ObjectLambdaAccessPoint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ObjectLambdaAccessPoint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/objectlambdaaccesspointpolicy/zz_controller.go b/internal/controller/s3control/objectlambdaaccesspointpolicy/zz_controller.go
index dd6c5f0dfa..e1095a19f7 100755
--- a/internal/controller/s3control/objectlambdaaccesspointpolicy/zz_controller.go
+++ b/internal/controller/s3control/objectlambdaaccesspointpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ObjectLambdaAccessPointPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ObjectLambdaAccessPointPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3control_object_lambda_access_point_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ObjectLambdaAccessPointPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ObjectLambdaAccessPointPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/s3control/storagelensconfiguration/zz_controller.go b/internal/controller/s3control/storagelensconfiguration/zz_controller.go
index ea9a0fa820..0a30c232ba 100755
--- a/internal/controller/s3control/storagelensconfiguration/zz_controller.go
+++ b/internal/controller/s3control/storagelensconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/s3control/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StorageLensConfiguration managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StorageLensConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_s3control_storage_lens_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StorageLensConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StorageLensConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/app/zz_controller.go b/internal/controller/sagemaker/app/zz_controller.go
index 13401876fb..922654c989 100755
--- a/internal/controller/sagemaker/app/zz_controller.go
+++ b/internal/controller/sagemaker/app/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles App managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.App_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_app"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.App_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/appimageconfig/zz_controller.go b/internal/controller/sagemaker/appimageconfig/zz_controller.go
index a0df7505c3..68d55acb55 100755
--- a/internal/controller/sagemaker/appimageconfig/zz_controller.go
+++ b/internal/controller/sagemaker/appimageconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AppImageConfig managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AppImageConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_app_image_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AppImageConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AppImageConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/coderepository/zz_controller.go b/internal/controller/sagemaker/coderepository/zz_controller.go
index 112cc409ee..dda51f9dfe 100755
--- a/internal/controller/sagemaker/coderepository/zz_controller.go
+++ b/internal/controller/sagemaker/coderepository/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CodeRepository managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CodeRepository_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_code_repository"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CodeRepository_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CodeRepository_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/device/zz_controller.go b/internal/controller/sagemaker/device/zz_controller.go
index 149e4b8168..23abc040f0 100755
--- a/internal/controller/sagemaker/device/zz_controller.go
+++ b/internal/controller/sagemaker/device/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Device managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Device_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_device"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Device_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Device_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/devicefleet/zz_controller.go b/internal/controller/sagemaker/devicefleet/zz_controller.go
index 5b88269198..1dd067cb20 100755
--- a/internal/controller/sagemaker/devicefleet/zz_controller.go
+++ b/internal/controller/sagemaker/devicefleet/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DeviceFleet managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DeviceFleet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_device_fleet"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DeviceFleet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DeviceFleet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/domain/zz_controller.go b/internal/controller/sagemaker/domain/zz_controller.go
index 43322ce7eb..0c122b8f60 100755
--- a/internal/controller/sagemaker/domain/zz_controller.go
+++ b/internal/controller/sagemaker/domain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Domain managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/endpointconfiguration/zz_controller.go b/internal/controller/sagemaker/endpointconfiguration/zz_controller.go
index d6f1032028..3ae5f0ec50 100755
--- a/internal/controller/sagemaker/endpointconfiguration/zz_controller.go
+++ b/internal/controller/sagemaker/endpointconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EndpointConfiguration managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EndpointConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_endpoint_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EndpointConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EndpointConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/featuregroup/zz_controller.go b/internal/controller/sagemaker/featuregroup/zz_controller.go
index 755d40e4a0..56912efd83 100755
--- a/internal/controller/sagemaker/featuregroup/zz_controller.go
+++ b/internal/controller/sagemaker/featuregroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FeatureGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FeatureGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_feature_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FeatureGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FeatureGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/image/zz_controller.go b/internal/controller/sagemaker/image/zz_controller.go
index 509327e6cf..592d4c169b 100755
--- a/internal/controller/sagemaker/image/zz_controller.go
+++ b/internal/controller/sagemaker/image/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Image managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Image_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_image"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Image_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Image_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/imageversion/zz_controller.go b/internal/controller/sagemaker/imageversion/zz_controller.go
index fde59f88f5..c9d2e1ac39 100755
--- a/internal/controller/sagemaker/imageversion/zz_controller.go
+++ b/internal/controller/sagemaker/imageversion/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ImageVersion managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ImageVersion_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_image_version"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ImageVersion_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ImageVersion_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/model/zz_controller.go b/internal/controller/sagemaker/model/zz_controller.go
index 23fabac942..3a0c1c0f05 100755
--- a/internal/controller/sagemaker/model/zz_controller.go
+++ b/internal/controller/sagemaker/model/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Model managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Model_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_model"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Model_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Model_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/modelpackagegroup/zz_controller.go b/internal/controller/sagemaker/modelpackagegroup/zz_controller.go
index 6c6cb4fbda..9145976730 100755
--- a/internal/controller/sagemaker/modelpackagegroup/zz_controller.go
+++ b/internal/controller/sagemaker/modelpackagegroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ModelPackageGroup managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ModelPackageGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_model_package_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ModelPackageGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ModelPackageGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/modelpackagegrouppolicy/zz_controller.go b/internal/controller/sagemaker/modelpackagegrouppolicy/zz_controller.go
index d03ee5be71..04f7738c17 100755
--- a/internal/controller/sagemaker/modelpackagegrouppolicy/zz_controller.go
+++ b/internal/controller/sagemaker/modelpackagegrouppolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ModelPackageGroupPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ModelPackageGroupPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_model_package_group_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ModelPackageGroupPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ModelPackageGroupPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/notebookinstance/zz_controller.go b/internal/controller/sagemaker/notebookinstance/zz_controller.go
index 5611cccbd2..ad1f8047be 100755
--- a/internal/controller/sagemaker/notebookinstance/zz_controller.go
+++ b/internal/controller/sagemaker/notebookinstance/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NotebookInstance managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NotebookInstance_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_notebook_instance"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NotebookInstance_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NotebookInstance_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/notebookinstancelifecycleconfiguration/zz_controller.go b/internal/controller/sagemaker/notebookinstancelifecycleconfiguration/zz_controller.go
index ee4cefb1a6..e4846a0203 100755
--- a/internal/controller/sagemaker/notebookinstancelifecycleconfiguration/zz_controller.go
+++ b/internal/controller/sagemaker/notebookinstancelifecycleconfiguration/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NotebookInstanceLifecycleConfiguration managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NotebookInstanceLifecycleConfiguration_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_notebook_instance_lifecycle_configuration"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NotebookInstanceLifecycleConfiguration_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NotebookInstanceLifecycleConfiguration_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/servicecatalogportfoliostatus/zz_controller.go b/internal/controller/sagemaker/servicecatalogportfoliostatus/zz_controller.go
index f41784a7ff..23d96a0684 100755
--- a/internal/controller/sagemaker/servicecatalogportfoliostatus/zz_controller.go
+++ b/internal/controller/sagemaker/servicecatalogportfoliostatus/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ServicecatalogPortfolioStatus managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ServicecatalogPortfolioStatus_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_servicecatalog_portfolio_status"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServicecatalogPortfolioStatus_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServicecatalogPortfolioStatus_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/space/zz_controller.go b/internal/controller/sagemaker/space/zz_controller.go
index 14e02b9aad..2e2bd34371 100755
--- a/internal/controller/sagemaker/space/zz_controller.go
+++ b/internal/controller/sagemaker/space/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Space managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Space_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_space"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Space_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Space_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/studiolifecycleconfig/zz_controller.go b/internal/controller/sagemaker/studiolifecycleconfig/zz_controller.go
index d2780e89ce..1df5130fbb 100755
--- a/internal/controller/sagemaker/studiolifecycleconfig/zz_controller.go
+++ b/internal/controller/sagemaker/studiolifecycleconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StudioLifecycleConfig managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StudioLifecycleConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_studio_lifecycle_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StudioLifecycleConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StudioLifecycleConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/userprofile/zz_controller.go b/internal/controller/sagemaker/userprofile/zz_controller.go
index d1e954281b..8485d3d8d0 100755
--- a/internal/controller/sagemaker/userprofile/zz_controller.go
+++ b/internal/controller/sagemaker/userprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles UserProfile managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.UserProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_user_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.UserProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.UserProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/workforce/zz_controller.go b/internal/controller/sagemaker/workforce/zz_controller.go
index 3464b6dd9f..a940cf511a 100755
--- a/internal/controller/sagemaker/workforce/zz_controller.go
+++ b/internal/controller/sagemaker/workforce/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Workforce managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Workforce_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_workforce"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Workforce_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Workforce_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sagemaker/workteam/zz_controller.go b/internal/controller/sagemaker/workteam/zz_controller.go
index e56ea47ca0..1646d7d37a 100755
--- a/internal/controller/sagemaker/workteam/zz_controller.go
+++ b/internal/controller/sagemaker/workteam/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sagemaker/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Workteam managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Workteam_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sagemaker_workteam"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Workteam_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Workteam_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/scheduler/schedule/zz_controller.go b/internal/controller/scheduler/schedule/zz_controller.go
index b2690baed6..6b19454b9b 100755
--- a/internal/controller/scheduler/schedule/zz_controller.go
+++ b/internal/controller/scheduler/schedule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/scheduler/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Schedule managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Schedule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_scheduler_schedule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Schedule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Schedule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/scheduler/schedulegroup/zz_controller.go b/internal/controller/scheduler/schedulegroup/zz_controller.go
index da83baa51e..df5d3021eb 100755
--- a/internal/controller/scheduler/schedulegroup/zz_controller.go
+++ b/internal/controller/scheduler/schedulegroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/scheduler/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ScheduleGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ScheduleGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_scheduler_schedule_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ScheduleGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ScheduleGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/schemas/discoverer/zz_controller.go b/internal/controller/schemas/discoverer/zz_controller.go
index a9e5c5e079..6072416f40 100755
--- a/internal/controller/schemas/discoverer/zz_controller.go
+++ b/internal/controller/schemas/discoverer/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/schemas/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Discoverer managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Discoverer_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_schemas_discoverer"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Discoverer_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Discoverer_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/schemas/registry/zz_controller.go b/internal/controller/schemas/registry/zz_controller.go
index 780a190cf5..f689980ef3 100755
--- a/internal/controller/schemas/registry/zz_controller.go
+++ b/internal/controller/schemas/registry/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/schemas/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Registry managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Registry_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_schemas_registry"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Registry_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Registry_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/schemas/schema/zz_controller.go b/internal/controller/schemas/schema/zz_controller.go
index a395680802..de07f9d4e7 100755
--- a/internal/controller/schemas/schema/zz_controller.go
+++ b/internal/controller/schemas/schema/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/schemas/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Schema managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Schema_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_schemas_schema"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Schema_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Schema_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/secretsmanager/secret/zz_controller.go b/internal/controller/secretsmanager/secret/zz_controller.go
index df669ed6e8..55af87f3e7 100755
--- a/internal/controller/secretsmanager/secret/zz_controller.go
+++ b/internal/controller/secretsmanager/secret/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/secretsmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Secret managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Secret_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_secretsmanager_secret"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Secret_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Secret_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/secretsmanager/secretpolicy/zz_controller.go b/internal/controller/secretsmanager/secretpolicy/zz_controller.go
index c544f952fa..5baa5b03a4 100755
--- a/internal/controller/secretsmanager/secretpolicy/zz_controller.go
+++ b/internal/controller/secretsmanager/secretpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/secretsmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecretPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecretPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_secretsmanager_secret_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecretPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecretPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/secretsmanager/secretrotation/zz_controller.go b/internal/controller/secretsmanager/secretrotation/zz_controller.go
index 9c52b5c135..735ac82259 100755
--- a/internal/controller/secretsmanager/secretrotation/zz_controller.go
+++ b/internal/controller/secretsmanager/secretrotation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/secretsmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecretRotation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecretRotation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_secretsmanager_secret_rotation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecretRotation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecretRotation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/secretsmanager/secretversion/zz_controller.go b/internal/controller/secretsmanager/secretversion/zz_controller.go
index 72be5c843f..348b7f78f1 100755
--- a/internal/controller/secretsmanager/secretversion/zz_controller.go
+++ b/internal/controller/secretsmanager/secretversion/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/secretsmanager/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SecretVersion managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SecretVersion_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_secretsmanager_secret_version"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SecretVersion_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SecretVersion_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/account/zz_controller.go b/internal/controller/securityhub/account/zz_controller.go
index 4bc31e50f2..68d2e4283f 100755
--- a/internal/controller/securityhub/account/zz_controller.go
+++ b/internal/controller/securityhub/account/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Account managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Account_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_account"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Account_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/actiontarget/zz_controller.go b/internal/controller/securityhub/actiontarget/zz_controller.go
index 5703d09120..f1fdfa9458 100755
--- a/internal/controller/securityhub/actiontarget/zz_controller.go
+++ b/internal/controller/securityhub/actiontarget/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ActionTarget managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ActionTarget_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_action_target"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ActionTarget_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ActionTarget_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/findingaggregator/zz_controller.go b/internal/controller/securityhub/findingaggregator/zz_controller.go
index eb832e1783..41bb834db6 100755
--- a/internal/controller/securityhub/findingaggregator/zz_controller.go
+++ b/internal/controller/securityhub/findingaggregator/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles FindingAggregator managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.FindingAggregator_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_finding_aggregator"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.FindingAggregator_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.FindingAggregator_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/insight/zz_controller.go b/internal/controller/securityhub/insight/zz_controller.go
index f46c1e02fd..c2a25f11c8 100755
--- a/internal/controller/securityhub/insight/zz_controller.go
+++ b/internal/controller/securityhub/insight/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Insight managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Insight_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_insight"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Insight_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Insight_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/inviteaccepter/zz_controller.go b/internal/controller/securityhub/inviteaccepter/zz_controller.go
index fb10d09ab1..b89fba1d4b 100755
--- a/internal/controller/securityhub/inviteaccepter/zz_controller.go
+++ b/internal/controller/securityhub/inviteaccepter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles InviteAccepter managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.InviteAccepter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_invite_accepter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.InviteAccepter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.InviteAccepter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/member/zz_controller.go b/internal/controller/securityhub/member/zz_controller.go
index d67f8b2e8a..5a0e9bf67b 100755
--- a/internal/controller/securityhub/member/zz_controller.go
+++ b/internal/controller/securityhub/member/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Member managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Member_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_member"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Member_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/productsubscription/zz_controller.go b/internal/controller/securityhub/productsubscription/zz_controller.go
index 071702a53c..64c7cd590f 100755
--- a/internal/controller/securityhub/productsubscription/zz_controller.go
+++ b/internal/controller/securityhub/productsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProductSubscription managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProductSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_product_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProductSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProductSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/securityhub/standardssubscription/zz_controller.go b/internal/controller/securityhub/standardssubscription/zz_controller.go
index 81488e695c..48052ba044 100755
--- a/internal/controller/securityhub/standardssubscription/zz_controller.go
+++ b/internal/controller/securityhub/standardssubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/securityhub/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StandardsSubscription managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StandardsSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_securityhub_standards_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StandardsSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StandardsSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/serverlessrepo/cloudformationstack/zz_controller.go b/internal/controller/serverlessrepo/cloudformationstack/zz_controller.go
index 933e8611ea..f1593f4e7e 100755
--- a/internal/controller/serverlessrepo/cloudformationstack/zz_controller.go
+++ b/internal/controller/serverlessrepo/cloudformationstack/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/serverlessrepo/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles CloudFormationStack managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.CloudFormationStack_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_serverlessapplicationrepository_cloudformation_stack"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.CloudFormationStack_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.CloudFormationStack_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/budgetresourceassociation/zz_controller.go b/internal/controller/servicecatalog/budgetresourceassociation/zz_controller.go
index 8f9a99e407..3b1325d4fd 100755
--- a/internal/controller/servicecatalog/budgetresourceassociation/zz_controller.go
+++ b/internal/controller/servicecatalog/budgetresourceassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles BudgetResourceAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.BudgetResourceAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_budget_resource_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.BudgetResourceAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.BudgetResourceAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/constraint/zz_controller.go b/internal/controller/servicecatalog/constraint/zz_controller.go
index 402ac738b5..6a5cda61a3 100755
--- a/internal/controller/servicecatalog/constraint/zz_controller.go
+++ b/internal/controller/servicecatalog/constraint/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Constraint managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Constraint_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_constraint"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Constraint_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Constraint_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/portfolio/zz_controller.go b/internal/controller/servicecatalog/portfolio/zz_controller.go
index 3497d345dd..812f715ea7 100755
--- a/internal/controller/servicecatalog/portfolio/zz_controller.go
+++ b/internal/controller/servicecatalog/portfolio/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Portfolio managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Portfolio_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_portfolio"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Portfolio_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Portfolio_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/portfolioshare/zz_controller.go b/internal/controller/servicecatalog/portfolioshare/zz_controller.go
index 8897a286d4..095e9de136 100755
--- a/internal/controller/servicecatalog/portfolioshare/zz_controller.go
+++ b/internal/controller/servicecatalog/portfolioshare/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PortfolioShare managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PortfolioShare_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_portfolio_share"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PortfolioShare_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PortfolioShare_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/principalportfolioassociation/zz_controller.go b/internal/controller/servicecatalog/principalportfolioassociation/zz_controller.go
index 407d67aa68..b35f0bc1e2 100755
--- a/internal/controller/servicecatalog/principalportfolioassociation/zz_controller.go
+++ b/internal/controller/servicecatalog/principalportfolioassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PrincipalPortfolioAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PrincipalPortfolioAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_principal_portfolio_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PrincipalPortfolioAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PrincipalPortfolioAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/product/zz_controller.go b/internal/controller/servicecatalog/product/zz_controller.go
index 0ffad07b55..ebb7ec77f1 100755
--- a/internal/controller/servicecatalog/product/zz_controller.go
+++ b/internal/controller/servicecatalog/product/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Product managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Product_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_product"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Product_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Product_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/productportfolioassociation/zz_controller.go b/internal/controller/servicecatalog/productportfolioassociation/zz_controller.go
index a87690658c..6e8f289feb 100755
--- a/internal/controller/servicecatalog/productportfolioassociation/zz_controller.go
+++ b/internal/controller/servicecatalog/productportfolioassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProductPortfolioAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProductPortfolioAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_product_portfolio_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProductPortfolioAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProductPortfolioAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/provisioningartifact/zz_controller.go b/internal/controller/servicecatalog/provisioningartifact/zz_controller.go
index 82e213593a..9fe598f325 100755
--- a/internal/controller/servicecatalog/provisioningartifact/zz_controller.go
+++ b/internal/controller/servicecatalog/provisioningartifact/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ProvisioningArtifact managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ProvisioningArtifact_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_provisioning_artifact"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ProvisioningArtifact_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ProvisioningArtifact_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/serviceaction/zz_controller.go b/internal/controller/servicecatalog/serviceaction/zz_controller.go
index 853d72500a..279cb07684 100755
--- a/internal/controller/servicecatalog/serviceaction/zz_controller.go
+++ b/internal/controller/servicecatalog/serviceaction/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ServiceAction managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ServiceAction_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_service_action"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServiceAction_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServiceAction_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/tagoption/zz_controller.go b/internal/controller/servicecatalog/tagoption/zz_controller.go
index cac266925f..3addba9525 100755
--- a/internal/controller/servicecatalog/tagoption/zz_controller.go
+++ b/internal/controller/servicecatalog/tagoption/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TagOption managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TagOption_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_tag_option"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TagOption_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TagOption_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicecatalog/tagoptionresourceassociation/zz_controller.go b/internal/controller/servicecatalog/tagoptionresourceassociation/zz_controller.go
index 8b1b27476b..bb08733937 100755
--- a/internal/controller/servicecatalog/tagoptionresourceassociation/zz_controller.go
+++ b/internal/controller/servicecatalog/tagoptionresourceassociation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicecatalog/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TagOptionResourceAssociation managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TagOptionResourceAssociation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicecatalog_tag_option_resource_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TagOptionResourceAssociation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TagOptionResourceAssociation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicediscovery/httpnamespace/zz_controller.go b/internal/controller/servicediscovery/httpnamespace/zz_controller.go
index f2e7af817a..955427bb76 100755
--- a/internal/controller/servicediscovery/httpnamespace/zz_controller.go
+++ b/internal/controller/servicediscovery/httpnamespace/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicediscovery/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles HTTPNamespace managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.HTTPNamespace_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_service_discovery_http_namespace"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.HTTPNamespace_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.HTTPNamespace_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicediscovery/privatednsnamespace/zz_controller.go b/internal/controller/servicediscovery/privatednsnamespace/zz_controller.go
index 580dfe6800..360bd5c328 100755
--- a/internal/controller/servicediscovery/privatednsnamespace/zz_controller.go
+++ b/internal/controller/servicediscovery/privatednsnamespace/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicediscovery/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PrivateDNSNamespace managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PrivateDNSNamespace_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_service_discovery_private_dns_namespace"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PrivateDNSNamespace_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PrivateDNSNamespace_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicediscovery/publicdnsnamespace/zz_controller.go b/internal/controller/servicediscovery/publicdnsnamespace/zz_controller.go
index 20d104e320..12d92f390d 100755
--- a/internal/controller/servicediscovery/publicdnsnamespace/zz_controller.go
+++ b/internal/controller/servicediscovery/publicdnsnamespace/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicediscovery/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PublicDNSNamespace managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PublicDNSNamespace_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_service_discovery_public_dns_namespace"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PublicDNSNamespace_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PublicDNSNamespace_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicediscovery/service/zz_controller.go b/internal/controller/servicediscovery/service/zz_controller.go
index 625a54dffa..4f79e68bec 100755
--- a/internal/controller/servicediscovery/service/zz_controller.go
+++ b/internal/controller/servicediscovery/service/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicediscovery/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Service managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Service_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_service_discovery_service"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Service_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Service_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/servicequotas/servicequota/zz_controller.go b/internal/controller/servicequotas/servicequota/zz_controller.go
index c3317454dd..08dae654e7 100755
--- a/internal/controller/servicequotas/servicequota/zz_controller.go
+++ b/internal/controller/servicequotas/servicequota/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/servicequotas/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ServiceQuota managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ServiceQuota_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_servicequotas_service_quota"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServiceQuota_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServiceQuota_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/activereceiptruleset/zz_controller.go b/internal/controller/ses/activereceiptruleset/zz_controller.go
index ac1e3ce617..e5db2c4f90 100755
--- a/internal/controller/ses/activereceiptruleset/zz_controller.go
+++ b/internal/controller/ses/activereceiptruleset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ActiveReceiptRuleSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ActiveReceiptRuleSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_active_receipt_rule_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ActiveReceiptRuleSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ActiveReceiptRuleSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/configurationset/zz_controller.go b/internal/controller/ses/configurationset/zz_controller.go
index 270f65e6ce..a88f6ad60e 100755
--- a/internal/controller/ses/configurationset/zz_controller.go
+++ b/internal/controller/ses/configurationset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigurationSet managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigurationSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_configuration_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigurationSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigurationSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/domaindkim/zz_controller.go b/internal/controller/ses/domaindkim/zz_controller.go
index e6f0533a0a..41375968c9 100755
--- a/internal/controller/ses/domaindkim/zz_controller.go
+++ b/internal/controller/ses/domaindkim/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainDKIM managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainDKIM_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_domain_dkim"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainDKIM_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainDKIM_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/domainidentity/zz_controller.go b/internal/controller/ses/domainidentity/zz_controller.go
index bb04702330..2e99b3c349 100755
--- a/internal/controller/ses/domainidentity/zz_controller.go
+++ b/internal/controller/ses/domainidentity/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainIdentity managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainIdentity_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_domain_identity"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainIdentity_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainIdentity_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/domainmailfrom/zz_controller.go b/internal/controller/ses/domainmailfrom/zz_controller.go
index df2b71f9eb..b097230af8 100755
--- a/internal/controller/ses/domainmailfrom/zz_controller.go
+++ b/internal/controller/ses/domainmailfrom/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DomainMailFrom managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DomainMailFrom_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_domain_mail_from"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DomainMailFrom_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DomainMailFrom_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/emailidentity/zz_controller.go b/internal/controller/ses/emailidentity/zz_controller.go
index 2fa095f2d0..c76d7c51fd 100755
--- a/internal/controller/ses/emailidentity/zz_controller.go
+++ b/internal/controller/ses/emailidentity/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EmailIdentity managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EmailIdentity_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_email_identity"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EmailIdentity_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EmailIdentity_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/eventdestination/zz_controller.go b/internal/controller/ses/eventdestination/zz_controller.go
index 2b2f97a322..ecf968db61 100755
--- a/internal/controller/ses/eventdestination/zz_controller.go
+++ b/internal/controller/ses/eventdestination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EventDestination managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EventDestination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_event_destination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EventDestination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EventDestination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/identitynotificationtopic/zz_controller.go b/internal/controller/ses/identitynotificationtopic/zz_controller.go
index bc13689823..4947edbb1d 100755
--- a/internal/controller/ses/identitynotificationtopic/zz_controller.go
+++ b/internal/controller/ses/identitynotificationtopic/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IdentityNotificationTopic managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IdentityNotificationTopic_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_identity_notification_topic"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IdentityNotificationTopic_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IdentityNotificationTopic_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/identitypolicy/zz_controller.go b/internal/controller/ses/identitypolicy/zz_controller.go
index a0137b4746..da4f902f80 100755
--- a/internal/controller/ses/identitypolicy/zz_controller.go
+++ b/internal/controller/ses/identitypolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IdentityPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IdentityPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_identity_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IdentityPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IdentityPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/receiptfilter/zz_controller.go b/internal/controller/ses/receiptfilter/zz_controller.go
index 9ac493b0e8..0c7cd995e6 100755
--- a/internal/controller/ses/receiptfilter/zz_controller.go
+++ b/internal/controller/ses/receiptfilter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReceiptFilter managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReceiptFilter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_receipt_filter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReceiptFilter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReceiptFilter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/receiptrule/zz_controller.go b/internal/controller/ses/receiptrule/zz_controller.go
index 4c17c5a005..d6e6a4d65b 100755
--- a/internal/controller/ses/receiptrule/zz_controller.go
+++ b/internal/controller/ses/receiptrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReceiptRule managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReceiptRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_receipt_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReceiptRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReceiptRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/receiptruleset/zz_controller.go b/internal/controller/ses/receiptruleset/zz_controller.go
index 1949739381..1eaa72e90f 100755
--- a/internal/controller/ses/receiptruleset/zz_controller.go
+++ b/internal/controller/ses/receiptruleset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ReceiptRuleSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ReceiptRuleSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_receipt_rule_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ReceiptRuleSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ReceiptRuleSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ses/template/zz_controller.go b/internal/controller/ses/template/zz_controller.go
index 1d0cc0b270..3943e3be10 100755
--- a/internal/controller/ses/template/zz_controller.go
+++ b/internal/controller/ses/template/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ses/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Template managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Template_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ses_template"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Template_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Template_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sesv2/configurationset/zz_controller.go b/internal/controller/sesv2/configurationset/zz_controller.go
index ff4379267c..a1ea5b54dc 100755
--- a/internal/controller/sesv2/configurationset/zz_controller.go
+++ b/internal/controller/sesv2/configurationset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sesv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigurationSet managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigurationSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sesv2_configuration_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigurationSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigurationSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sesv2/configurationseteventdestination/zz_controller.go b/internal/controller/sesv2/configurationseteventdestination/zz_controller.go
index 9f1be5c3d4..a4a83902eb 100755
--- a/internal/controller/sesv2/configurationseteventdestination/zz_controller.go
+++ b/internal/controller/sesv2/configurationseteventdestination/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sesv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ConfigurationSetEventDestination managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ConfigurationSetEventDestination_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sesv2_configuration_set_event_destination"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ConfigurationSetEventDestination_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ConfigurationSetEventDestination_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sesv2/dedicatedippool/zz_controller.go b/internal/controller/sesv2/dedicatedippool/zz_controller.go
index ba67a00fe0..81f528954d 100755
--- a/internal/controller/sesv2/dedicatedippool/zz_controller.go
+++ b/internal/controller/sesv2/dedicatedippool/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sesv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DedicatedIPPool managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DedicatedIPPool_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sesv2_dedicated_ip_pool"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DedicatedIPPool_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DedicatedIPPool_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sesv2/emailidentity/zz_controller.go b/internal/controller/sesv2/emailidentity/zz_controller.go
index eda88dcdeb..1bbed8e0e3 100755
--- a/internal/controller/sesv2/emailidentity/zz_controller.go
+++ b/internal/controller/sesv2/emailidentity/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sesv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EmailIdentity managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EmailIdentity_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sesv2_email_identity"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EmailIdentity_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EmailIdentity_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sesv2/emailidentityfeedbackattributes/zz_controller.go b/internal/controller/sesv2/emailidentityfeedbackattributes/zz_controller.go
index 3c14ee5393..f87faeacd1 100755
--- a/internal/controller/sesv2/emailidentityfeedbackattributes/zz_controller.go
+++ b/internal/controller/sesv2/emailidentityfeedbackattributes/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sesv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EmailIdentityFeedbackAttributes managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EmailIdentityFeedbackAttributes_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sesv2_email_identity_feedback_attributes"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EmailIdentityFeedbackAttributes_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EmailIdentityFeedbackAttributes_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sesv2/emailidentitymailfromattributes/zz_controller.go b/internal/controller/sesv2/emailidentitymailfromattributes/zz_controller.go
index 0d7db73505..e59bad3758 100755
--- a/internal/controller/sesv2/emailidentitymailfromattributes/zz_controller.go
+++ b/internal/controller/sesv2/emailidentitymailfromattributes/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sesv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EmailIdentityMailFromAttributes managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EmailIdentityMailFromAttributes_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sesv2_email_identity_mail_from_attributes"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EmailIdentityMailFromAttributes_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EmailIdentityMailFromAttributes_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sfn/activity/zz_controller.go b/internal/controller/sfn/activity/zz_controller.go
index 2b50551d6d..aff832bb3a 100755
--- a/internal/controller/sfn/activity/zz_controller.go
+++ b/internal/controller/sfn/activity/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sfn/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Activity managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Activity_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sfn_activity"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Activity_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Activity_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sfn/statemachine/zz_controller.go b/internal/controller/sfn/statemachine/zz_controller.go
index eb39301ed6..c1247401b8 100755
--- a/internal/controller/sfn/statemachine/zz_controller.go
+++ b/internal/controller/sfn/statemachine/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sfn/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles StateMachine managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.StateMachine_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sfn_state_machine"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.StateMachine_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.StateMachine_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/signer/signingjob/zz_controller.go b/internal/controller/signer/signingjob/zz_controller.go
index 20b7957fdd..b01debe345 100755
--- a/internal/controller/signer/signingjob/zz_controller.go
+++ b/internal/controller/signer/signingjob/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/signer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SigningJob managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SigningJob_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_signer_signing_job"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SigningJob_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SigningJob_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/signer/signingprofile/zz_controller.go b/internal/controller/signer/signingprofile/zz_controller.go
index e8915de493..a3e4db0d15 100755
--- a/internal/controller/signer/signingprofile/zz_controller.go
+++ b/internal/controller/signer/signingprofile/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/signer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SigningProfile managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SigningProfile_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_signer_signing_profile"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SigningProfile_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SigningProfile_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/signer/signingprofilepermission/zz_controller.go b/internal/controller/signer/signingprofilepermission/zz_controller.go
index 221995f790..68dfc3d02a 100755
--- a/internal/controller/signer/signingprofilepermission/zz_controller.go
+++ b/internal/controller/signer/signingprofilepermission/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/signer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SigningProfilePermission managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SigningProfilePermission_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_signer_signing_profile_permission"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SigningProfilePermission_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SigningProfilePermission_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/simpledb/domain/zz_controller.go b/internal/controller/simpledb/domain/zz_controller.go
index 7cd856a179..356b258282 100755
--- a/internal/controller/simpledb/domain/zz_controller.go
+++ b/internal/controller/simpledb/domain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/simpledb/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Domain managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_simpledb_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sns/platformapplication/zz_controller.go b/internal/controller/sns/platformapplication/zz_controller.go
index f8924fef8c..7eb0625b95 100755
--- a/internal/controller/sns/platformapplication/zz_controller.go
+++ b/internal/controller/sns/platformapplication/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sns/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PlatformApplication managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PlatformApplication_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sns_platform_application"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PlatformApplication_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PlatformApplication_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sns/smspreferences/zz_controller.go b/internal/controller/sns/smspreferences/zz_controller.go
index d6fb338435..8af815825e 100755
--- a/internal/controller/sns/smspreferences/zz_controller.go
+++ b/internal/controller/sns/smspreferences/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sns/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SMSPreferences managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SMSPreferences_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sns_sms_preferences"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SMSPreferences_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SMSPreferences_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sns/topic/zz_controller.go b/internal/controller/sns/topic/zz_controller.go
index 468923f92a..2e9f9d6566 100755
--- a/internal/controller/sns/topic/zz_controller.go
+++ b/internal/controller/sns/topic/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sns/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Topic managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Topic_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sns_topic"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Topic_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Topic_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sns/topicpolicy/zz_controller.go b/internal/controller/sns/topicpolicy/zz_controller.go
index fb7bb77348..ce48c767b9 100755
--- a/internal/controller/sns/topicpolicy/zz_controller.go
+++ b/internal/controller/sns/topicpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sns/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TopicPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TopicPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sns_topic_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TopicPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TopicPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sns/topicsubscription/zz_controller.go b/internal/controller/sns/topicsubscription/zz_controller.go
index 47a1d38334..48e879ae7f 100755
--- a/internal/controller/sns/topicsubscription/zz_controller.go
+++ b/internal/controller/sns/topicsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sns/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles TopicSubscription managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.TopicSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sns_topic_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.TopicSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.TopicSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sqs/queue/zz_controller.go b/internal/controller/sqs/queue/zz_controller.go
index 9bf29e4d3c..e9afc32a71 100755
--- a/internal/controller/sqs/queue/zz_controller.go
+++ b/internal/controller/sqs/queue/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sqs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Queue managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sqs_queue"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Queue_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sqs/queuepolicy/zz_controller.go b/internal/controller/sqs/queuepolicy/zz_controller.go
index f1f022ecb7..2a267c9f0b 100755
--- a/internal/controller/sqs/queuepolicy/zz_controller.go
+++ b/internal/controller/sqs/queuepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sqs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles QueuePolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.QueuePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sqs_queue_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.QueuePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.QueuePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sqs/queueredriveallowpolicy/zz_controller.go b/internal/controller/sqs/queueredriveallowpolicy/zz_controller.go
index 4b7c4e9fce..2572d6f016 100755
--- a/internal/controller/sqs/queueredriveallowpolicy/zz_controller.go
+++ b/internal/controller/sqs/queueredriveallowpolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sqs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles QueueRedriveAllowPolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.QueueRedriveAllowPolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sqs_queue_redrive_allow_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.QueueRedriveAllowPolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.QueueRedriveAllowPolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/sqs/queueredrivepolicy/zz_controller.go b/internal/controller/sqs/queueredrivepolicy/zz_controller.go
index ec8688f4b2..20c072aab5 100755
--- a/internal/controller/sqs/queueredrivepolicy/zz_controller.go
+++ b/internal/controller/sqs/queueredrivepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/sqs/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles QueueRedrivePolicy managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.QueueRedrivePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_sqs_queue_redrive_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.QueueRedrivePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.QueueRedrivePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/activation/zz_controller.go b/internal/controller/ssm/activation/zz_controller.go
index 8e81493df6..d12d349154 100755
--- a/internal/controller/ssm/activation/zz_controller.go
+++ b/internal/controller/ssm/activation/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Activation managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Activation_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_activation"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Activation_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Activation_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/association/zz_controller.go b/internal/controller/ssm/association/zz_controller.go
index 14885433ce..bc83574e89 100755
--- a/internal/controller/ssm/association/zz_controller.go
+++ b/internal/controller/ssm/association/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Association managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Association_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_association"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Association_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Association_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/defaultpatchbaseline/zz_controller.go b/internal/controller/ssm/defaultpatchbaseline/zz_controller.go
index dd243d1ef6..ac56bd5c23 100755
--- a/internal/controller/ssm/defaultpatchbaseline/zz_controller.go
+++ b/internal/controller/ssm/defaultpatchbaseline/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles DefaultPatchBaseline managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.DefaultPatchBaseline_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_default_patch_baseline"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.DefaultPatchBaseline_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.DefaultPatchBaseline_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/document/zz_controller.go b/internal/controller/ssm/document/zz_controller.go
index 52393f35e5..65ef4070c4 100755
--- a/internal/controller/ssm/document/zz_controller.go
+++ b/internal/controller/ssm/document/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Document managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Document_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_document"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Document_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Document_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/maintenancewindow/zz_controller.go b/internal/controller/ssm/maintenancewindow/zz_controller.go
index 259f608f95..e89aca80d5 100755
--- a/internal/controller/ssm/maintenancewindow/zz_controller.go
+++ b/internal/controller/ssm/maintenancewindow/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MaintenanceWindow managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MaintenanceWindow_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_maintenance_window"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MaintenanceWindow_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MaintenanceWindow_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/maintenancewindowtarget/zz_controller.go b/internal/controller/ssm/maintenancewindowtarget/zz_controller.go
index 964978e54f..552712c18a 100755
--- a/internal/controller/ssm/maintenancewindowtarget/zz_controller.go
+++ b/internal/controller/ssm/maintenancewindowtarget/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MaintenanceWindowTarget managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MaintenanceWindowTarget_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_maintenance_window_target"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MaintenanceWindowTarget_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MaintenanceWindowTarget_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/maintenancewindowtask/zz_controller.go b/internal/controller/ssm/maintenancewindowtask/zz_controller.go
index b83515b54c..14abdbd7e3 100755
--- a/internal/controller/ssm/maintenancewindowtask/zz_controller.go
+++ b/internal/controller/ssm/maintenancewindowtask/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles MaintenanceWindowTask managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.MaintenanceWindowTask_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_maintenance_window_task"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.MaintenanceWindowTask_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.MaintenanceWindowTask_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/parameter/zz_controller.go b/internal/controller/ssm/parameter/zz_controller.go
index 42b223250d..a60ced30e1 100755
--- a/internal/controller/ssm/parameter/zz_controller.go
+++ b/internal/controller/ssm/parameter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Parameter managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Parameter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_parameter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Parameter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Parameter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/patchbaseline/zz_controller.go b/internal/controller/ssm/patchbaseline/zz_controller.go
index 3b1faa7b4e..aa819d1b45 100755
--- a/internal/controller/ssm/patchbaseline/zz_controller.go
+++ b/internal/controller/ssm/patchbaseline/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PatchBaseline managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PatchBaseline_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_patch_baseline"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PatchBaseline_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PatchBaseline_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/patchgroup/zz_controller.go b/internal/controller/ssm/patchgroup/zz_controller.go
index 4cf0ea3874..39cfe57bf4 100755
--- a/internal/controller/ssm/patchgroup/zz_controller.go
+++ b/internal/controller/ssm/patchgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PatchGroup managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PatchGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_patch_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PatchGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PatchGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/resourcedatasync/zz_controller.go b/internal/controller/ssm/resourcedatasync/zz_controller.go
index e2e39f5896..61b016f17c 100755
--- a/internal/controller/ssm/resourcedatasync/zz_controller.go
+++ b/internal/controller/ssm/resourcedatasync/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ResourceDataSync managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ResourceDataSync_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_resource_data_sync"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ResourceDataSync_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ResourceDataSync_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssm/servicesetting/zz_controller.go b/internal/controller/ssm/servicesetting/zz_controller.go
index 70bf72c6bf..ca0d475a56 100755
--- a/internal/controller/ssm/servicesetting/zz_controller.go
+++ b/internal/controller/ssm/servicesetting/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssm/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ServiceSetting managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ServiceSetting_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssm_service_setting"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ServiceSetting_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ServiceSetting_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssoadmin/accountassignment/zz_controller.go b/internal/controller/ssoadmin/accountassignment/zz_controller.go
index 52d945fab2..ddb1e56815 100755
--- a/internal/controller/ssoadmin/accountassignment/zz_controller.go
+++ b/internal/controller/ssoadmin/accountassignment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssoadmin/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles AccountAssignment managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.AccountAssignment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssoadmin_account_assignment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.AccountAssignment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.AccountAssignment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssoadmin/managedpolicyattachment/zz_controller.go b/internal/controller/ssoadmin/managedpolicyattachment/zz_controller.go
index 64bd67af1f..26ad95aaa2 100755
--- a/internal/controller/ssoadmin/managedpolicyattachment/zz_controller.go
+++ b/internal/controller/ssoadmin/managedpolicyattachment/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssoadmin/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ManagedPolicyAttachment managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ManagedPolicyAttachment_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssoadmin_managed_policy_attachment"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ManagedPolicyAttachment_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ManagedPolicyAttachment_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssoadmin/permissionset/zz_controller.go b/internal/controller/ssoadmin/permissionset/zz_controller.go
index 664921423f..b5741af724 100755
--- a/internal/controller/ssoadmin/permissionset/zz_controller.go
+++ b/internal/controller/ssoadmin/permissionset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssoadmin/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PermissionSet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PermissionSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssoadmin_permission_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PermissionSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PermissionSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/ssoadmin/permissionsetinlinepolicy/zz_controller.go b/internal/controller/ssoadmin/permissionsetinlinepolicy/zz_controller.go
index 1d8d497725..1e99c576b4 100755
--- a/internal/controller/ssoadmin/permissionsetinlinepolicy/zz_controller.go
+++ b/internal/controller/ssoadmin/permissionsetinlinepolicy/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/ssoadmin/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles PermissionSetInlinePolicy managed resources.
@@ -30,19 +31,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.PermissionSetInlinePolicy_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_ssoadmin_permission_set_inline_policy"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.PermissionSetInlinePolicy_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.PermissionSetInlinePolicy_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/swf/domain/zz_controller.go b/internal/controller/swf/domain/zz_controller.go
index 84c5f430ae..7e1142738a 100755
--- a/internal/controller/swf/domain/zz_controller.go
+++ b/internal/controller/swf/domain/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/swf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Domain managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_swf_domain"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Domain_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/timestreamwrite/database/zz_controller.go b/internal/controller/timestreamwrite/database/zz_controller.go
index 6486c213dd..22990b5766 100755
--- a/internal/controller/timestreamwrite/database/zz_controller.go
+++ b/internal/controller/timestreamwrite/database/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/timestreamwrite/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Database managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Database_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_timestreamwrite_database"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Database_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Database_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/timestreamwrite/table/zz_controller.go b/internal/controller/timestreamwrite/table/zz_controller.go
index bcd46a4053..45477510fb 100755
--- a/internal/controller/timestreamwrite/table/zz_controller.go
+++ b/internal/controller/timestreamwrite/table/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/timestreamwrite/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Table managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Table_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_timestreamwrite_table"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Table_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Table_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transcribe/languagemodel/zz_controller.go b/internal/controller/transcribe/languagemodel/zz_controller.go
index 9aa1669b9f..513e0c1955 100755
--- a/internal/controller/transcribe/languagemodel/zz_controller.go
+++ b/internal/controller/transcribe/languagemodel/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transcribe/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles LanguageModel managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.LanguageModel_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transcribe_language_model"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.LanguageModel_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.LanguageModel_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transcribe/vocabulary/zz_controller.go b/internal/controller/transcribe/vocabulary/zz_controller.go
index e4d1259daf..2717559c72 100755
--- a/internal/controller/transcribe/vocabulary/zz_controller.go
+++ b/internal/controller/transcribe/vocabulary/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transcribe/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Vocabulary managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Vocabulary_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transcribe_vocabulary"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Vocabulary_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Vocabulary_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transcribe/vocabularyfilter/zz_controller.go b/internal/controller/transcribe/vocabularyfilter/zz_controller.go
index 967c9bc52f..e598bb4c38 100755
--- a/internal/controller/transcribe/vocabularyfilter/zz_controller.go
+++ b/internal/controller/transcribe/vocabularyfilter/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transcribe/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles VocabularyFilter managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.VocabularyFilter_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transcribe_vocabulary_filter"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.VocabularyFilter_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.VocabularyFilter_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transfer/server/zz_controller.go b/internal/controller/transfer/server/zz_controller.go
index cc5f6fd052..a097bc8edc 100755
--- a/internal/controller/transfer/server/zz_controller.go
+++ b/internal/controller/transfer/server/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transfer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Server managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Server_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transfer_server"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Server_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Server_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transfer/sshkey/zz_controller.go b/internal/controller/transfer/sshkey/zz_controller.go
index 2eb64b9103..804ef8eb46 100755
--- a/internal/controller/transfer/sshkey/zz_controller.go
+++ b/internal/controller/transfer/sshkey/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transfer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SSHKey managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SSHKey_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transfer_ssh_key"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SSHKey_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SSHKey_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transfer/tag/zz_controller.go b/internal/controller/transfer/tag/zz_controller.go
index 89ff4cff33..1dca9182e9 100755
--- a/internal/controller/transfer/tag/zz_controller.go
+++ b/internal/controller/transfer/tag/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transfer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Tag managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transfer_tag"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Tag_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transfer/user/zz_controller.go b/internal/controller/transfer/user/zz_controller.go
index fc23c82c20..f37537a281 100755
--- a/internal/controller/transfer/user/zz_controller.go
+++ b/internal/controller/transfer/user/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transfer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles User managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.User_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transfer_user"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.User_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/transfer/workflow/zz_controller.go b/internal/controller/transfer/workflow/zz_controller.go
index b5db04d470..6ef7743b92 100755
--- a/internal/controller/transfer/workflow/zz_controller.go
+++ b/internal/controller/transfer/workflow/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/transfer/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Workflow managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Workflow_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_transfer_workflow"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Workflow_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Workflow_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/vpc/networkperformancemetricsubscription/zz_controller.go b/internal/controller/vpc/networkperformancemetricsubscription/zz_controller.go
index 11389f2bf4..1b7d2e0bc1 100755
--- a/internal/controller/vpc/networkperformancemetricsubscription/zz_controller.go
+++ b/internal/controller/vpc/networkperformancemetricsubscription/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/vpc/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles NetworkPerformanceMetricSubscription managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.NetworkPerformanceMetricSubscription_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_vpc_network_performance_metric_subscription"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.NetworkPerformanceMetricSubscription_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.NetworkPerformanceMetricSubscription_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/bytematchset/zz_controller.go b/internal/controller/waf/bytematchset/zz_controller.go
index bd46867bcb..265aa75ae0 100755
--- a/internal/controller/waf/bytematchset/zz_controller.go
+++ b/internal/controller/waf/bytematchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ByteMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ByteMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_byte_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ByteMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ByteMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/geomatchset/zz_controller.go b/internal/controller/waf/geomatchset/zz_controller.go
index 47a43a0a00..46f4a24144 100755
--- a/internal/controller/waf/geomatchset/zz_controller.go
+++ b/internal/controller/waf/geomatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GeoMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GeoMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_geo_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GeoMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GeoMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/ipset/zz_controller.go b/internal/controller/waf/ipset/zz_controller.go
index 7724374047..54d53b7e73 100755
--- a/internal/controller/waf/ipset/zz_controller.go
+++ b/internal/controller/waf/ipset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IPSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_ipset"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/ratebasedrule/zz_controller.go b/internal/controller/waf/ratebasedrule/zz_controller.go
index 868424ec57..514f119d46 100755
--- a/internal/controller/waf/ratebasedrule/zz_controller.go
+++ b/internal/controller/waf/ratebasedrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RateBasedRule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RateBasedRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_rate_based_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RateBasedRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RateBasedRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/regexmatchset/zz_controller.go b/internal/controller/waf/regexmatchset/zz_controller.go
index b12f9bd867..6082a6b956 100755
--- a/internal/controller/waf/regexmatchset/zz_controller.go
+++ b/internal/controller/waf/regexmatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegexMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegexMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_regex_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegexMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegexMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/regexpatternset/zz_controller.go b/internal/controller/waf/regexpatternset/zz_controller.go
index 3c5cedfbfa..5939f315ef 100755
--- a/internal/controller/waf/regexpatternset/zz_controller.go
+++ b/internal/controller/waf/regexpatternset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegexPatternSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_regex_pattern_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/rule/zz_controller.go b/internal/controller/waf/rule/zz_controller.go
index d1085591ef..12d065fa6f 100755
--- a/internal/controller/waf/rule/zz_controller.go
+++ b/internal/controller/waf/rule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Rule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/sizeconstraintset/zz_controller.go b/internal/controller/waf/sizeconstraintset/zz_controller.go
index 4e8659579f..61bd1c7702 100755
--- a/internal/controller/waf/sizeconstraintset/zz_controller.go
+++ b/internal/controller/waf/sizeconstraintset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SizeConstraintSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SizeConstraintSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_size_constraint_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SizeConstraintSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SizeConstraintSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/sqlinjectionmatchset/zz_controller.go b/internal/controller/waf/sqlinjectionmatchset/zz_controller.go
index 1542305399..600f995fab 100755
--- a/internal/controller/waf/sqlinjectionmatchset/zz_controller.go
+++ b/internal/controller/waf/sqlinjectionmatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SQLInjectionMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SQLInjectionMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_sql_injection_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SQLInjectionMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SQLInjectionMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/webacl/zz_controller.go b/internal/controller/waf/webacl/zz_controller.go
index 3ba830cffa..9a7293b1a0 100755
--- a/internal/controller/waf/webacl/zz_controller.go
+++ b/internal/controller/waf/webacl/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles WebACL managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.WebACL_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_web_acl"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.WebACL_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.WebACL_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/waf/xssmatchset/zz_controller.go b/internal/controller/waf/xssmatchset/zz_controller.go
index c244b58d0f..7d2fbb8b99 100755
--- a/internal/controller/waf/xssmatchset/zz_controller.go
+++ b/internal/controller/waf/xssmatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/waf/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles XSSMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.XSSMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_waf_xss_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.XSSMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.XSSMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/bytematchset/zz_controller.go b/internal/controller/wafregional/bytematchset/zz_controller.go
index fe9e111410..840abca090 100755
--- a/internal/controller/wafregional/bytematchset/zz_controller.go
+++ b/internal/controller/wafregional/bytematchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles ByteMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.ByteMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_byte_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.ByteMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.ByteMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/geomatchset/zz_controller.go b/internal/controller/wafregional/geomatchset/zz_controller.go
index b129db85d4..32902e22ba 100755
--- a/internal/controller/wafregional/geomatchset/zz_controller.go
+++ b/internal/controller/wafregional/geomatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles GeoMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.GeoMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_geo_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.GeoMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.GeoMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/ipset/zz_controller.go b/internal/controller/wafregional/ipset/zz_controller.go
index d0bc73c768..bd63691bab 100755
--- a/internal/controller/wafregional/ipset/zz_controller.go
+++ b/internal/controller/wafregional/ipset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IPSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_ipset"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/ratebasedrule/zz_controller.go b/internal/controller/wafregional/ratebasedrule/zz_controller.go
index 26a23f12d8..a65264e5c6 100755
--- a/internal/controller/wafregional/ratebasedrule/zz_controller.go
+++ b/internal/controller/wafregional/ratebasedrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RateBasedRule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RateBasedRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_rate_based_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RateBasedRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RateBasedRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/regexmatchset/zz_controller.go b/internal/controller/wafregional/regexmatchset/zz_controller.go
index 6f0ea07266..563ad1c67f 100755
--- a/internal/controller/wafregional/regexmatchset/zz_controller.go
+++ b/internal/controller/wafregional/regexmatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegexMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegexMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_regex_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegexMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegexMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/regexpatternset/zz_controller.go b/internal/controller/wafregional/regexpatternset/zz_controller.go
index bfbaf89ef3..c04e7f2867 100755
--- a/internal/controller/wafregional/regexpatternset/zz_controller.go
+++ b/internal/controller/wafregional/regexpatternset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegexPatternSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_regex_pattern_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/rule/zz_controller.go b/internal/controller/wafregional/rule/zz_controller.go
index 4cdf2fe9bf..1384835c7a 100755
--- a/internal/controller/wafregional/rule/zz_controller.go
+++ b/internal/controller/wafregional/rule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Rule managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Rule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/sizeconstraintset/zz_controller.go b/internal/controller/wafregional/sizeconstraintset/zz_controller.go
index 06074b21b5..ff05f2db65 100755
--- a/internal/controller/wafregional/sizeconstraintset/zz_controller.go
+++ b/internal/controller/wafregional/sizeconstraintset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SizeConstraintSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SizeConstraintSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_size_constraint_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SizeConstraintSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SizeConstraintSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/sqlinjectionmatchset/zz_controller.go b/internal/controller/wafregional/sqlinjectionmatchset/zz_controller.go
index a98c6f03cf..c49d2af11e 100755
--- a/internal/controller/wafregional/sqlinjectionmatchset/zz_controller.go
+++ b/internal/controller/wafregional/sqlinjectionmatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SQLInjectionMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SQLInjectionMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_sql_injection_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SQLInjectionMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SQLInjectionMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/webacl/zz_controller.go b/internal/controller/wafregional/webacl/zz_controller.go
index f585050d41..065a460274 100755
--- a/internal/controller/wafregional/webacl/zz_controller.go
+++ b/internal/controller/wafregional/webacl/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles WebACL managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.WebACL_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_web_acl"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.WebACL_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.WebACL_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafregional/xssmatchset/zz_controller.go b/internal/controller/wafregional/xssmatchset/zz_controller.go
index fdc9d6cf4d..79025c9a70 100755
--- a/internal/controller/wafregional/xssmatchset/zz_controller.go
+++ b/internal/controller/wafregional/xssmatchset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafregional/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles XSSMatchSet managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.XSSMatchSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafregional_xss_match_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.XSSMatchSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.XSSMatchSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafv2/ipset/zz_controller.go b/internal/controller/wafv2/ipset/zz_controller.go
index c9565d7a00..bb3fa49fa6 100755
--- a/internal/controller/wafv2/ipset/zz_controller.go
+++ b/internal/controller/wafv2/ipset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IPSet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafv2_ip_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IPSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/wafv2/regexpatternset/zz_controller.go b/internal/controller/wafv2/regexpatternset/zz_controller.go
index 2bec8a5d3c..c188ab0c8f 100755
--- a/internal/controller/wafv2/regexpatternset/zz_controller.go
+++ b/internal/controller/wafv2/regexpatternset/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/wafv2/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles RegexPatternSet managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_wafv2_regex_pattern_set"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.RegexPatternSet_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/workspaces/directory/zz_controller.go b/internal/controller/workspaces/directory/zz_controller.go
index 7938fee192..80892f75bf 100755
--- a/internal/controller/workspaces/directory/zz_controller.go
+++ b/internal/controller/workspaces/directory/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/workspaces/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Directory managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Directory_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_workspaces_directory"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Directory_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Directory_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/workspaces/ipgroup/zz_controller.go b/internal/controller/workspaces/ipgroup/zz_controller.go
index 20753b004c..2d807e16d4 100755
--- a/internal/controller/workspaces/ipgroup/zz_controller.go
+++ b/internal/controller/workspaces/ipgroup/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/workspaces/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles IPGroup managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.IPGroup_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_workspaces_ip_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.IPGroup_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.IPGroup_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/xray/encryptionconfig/zz_controller.go b/internal/controller/xray/encryptionconfig/zz_controller.go
index 57506036eb..bf6851a44d 100755
--- a/internal/controller/xray/encryptionconfig/zz_controller.go
+++ b/internal/controller/xray/encryptionconfig/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/xray/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles EncryptionConfig managed resources.
@@ -29,19 +30,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.EncryptionConfig_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_xray_encryption_config"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.EncryptionConfig_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.EncryptionConfig_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/xray/group/zz_controller.go b/internal/controller/xray/group/zz_controller.go
index 523c2938c0..2f5914b516 100755
--- a/internal/controller/xray/group/zz_controller.go
+++ b/internal/controller/xray/group/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/xray/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles Group managed resources.
@@ -32,19 +33,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.Group_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_xray_group"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.Group_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/internal/controller/xray/samplingrule/zz_controller.go b/internal/controller/xray/samplingrule/zz_controller.go
index 8c886b5903..7cdb64f111 100755
--- a/internal/controller/xray/samplingrule/zz_controller.go
+++ b/internal/controller/xray/samplingrule/zz_controller.go
@@ -19,6 +19,7 @@ import (
 	ctrl "sigs.k8s.io/controller-runtime"
 
 	v1beta1 "github.com/upbound/provider-aws/apis/xray/v1beta1"
+	features "github.com/upbound/provider-aws/internal/features"
 )
 
 // Setup adds a controller that reconciles SamplingRule managed resources.
@@ -33,19 +34,22 @@ func Setup(mgr ctrl.Manager, o tjcontroller.Options) error {
 	if o.SecretStoreConfigGVK != nil {
 		cps = append(cps, connection.NewDetailsManager(mgr.GetClient(), *o.SecretStoreConfigGVK))
 	}
-	r := managed.NewReconciler(mgr,
-		xpresource.ManagedKind(v1beta1.SamplingRule_GroupVersionKind),
+	opts := []managed.ReconcilerOption{
 		managed.WithExternalConnecter(tjcontroller.NewConnector(mgr.GetClient(), o.WorkspaceStore, o.SetupFn, o.Provider.Resources["aws_xray_sampling_rule"], tjcontroller.WithLogger(o.Logger),
 			tjcontroller.WithCallbackProvider(tjcontroller.NewAPICallbacks(mgr, xpresource.ManagedKind(v1beta1.SamplingRule_GroupVersionKind))),
 		)),
 		managed.WithLogger(o.Logger.WithValues("controller", name)),
 		managed.WithRecorder(event.NewAPIRecorder(mgr.GetEventRecorderFor(name))),
 		managed.WithFinalizer(terraform.NewWorkspaceFinalizer(o.WorkspaceStore, xpresource.NewAPIFinalizer(mgr.GetClient(), managed.FinalizerName))),
-		managed.WithTimeout(3*time.Minute),
+		managed.WithTimeout(3 * time.Minute),
 		managed.WithInitializers(initializers),
 		managed.WithConnectionPublishers(cps...),
 		managed.WithPollInterval(o.PollInterval),
-	)
+	}
+	if o.Features.Enabled(features.EnableAlphaManagementPolicies) {
+		opts = append(opts, managed.WithManagementPolicies())
+	}
+	r := managed.NewReconciler(mgr, xpresource.ManagedKind(v1beta1.SamplingRule_GroupVersionKind), opts...)
 
 	return ctrl.NewControllerManagedBy(mgr).
 		Named(name).
diff --git a/package/crds/accessanalyzer.aws.upbound.io_analyzers.yaml b/package/crds/accessanalyzer.aws.upbound.io_analyzers.yaml
index 9d7de2b401..13861fa99d 100644
--- a/package/crds/accessanalyzer.aws.upbound.io_analyzers.yaml
+++ b/package/crds/accessanalyzer.aws.upbound.io_analyzers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,6 +84,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -262,12 +281,21 @@ spec:
                   id:
                     description: Analyzer name.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  type:
+                    description: Type of Analyzer. Valid values are ACCOUNT or ORGANIZATION.
+                      Defaults to ACCOUNT.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/accessanalyzer.aws.upbound.io_archiverules.yaml b/package/crds/accessanalyzer.aws.upbound.io_archiverules.yaml
index c5fd6556aa..b7acf15265 100644
--- a/package/crds/accessanalyzer.aws.upbound.io_archiverules.yaml
+++ b/package/crds/accessanalyzer.aws.upbound.io_archiverules.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -102,9 +106,23 @@ spec:
                     type: string
                 required:
                 - analyzerName
-                - filter
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -276,11 +294,45 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: filter is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filter)
           status:
             description: ArchiveRuleStatus defines the observed state of ArchiveRule.
             properties:
               atProvider:
                 properties:
+                  analyzerName:
+                    description: Analyzer name.
+                    type: string
+                  filter:
+                    description: Filter criteria for the archive rule. See Filter
+                      for more details.
+                    items:
+                      properties:
+                        contains:
+                          description: Contains comparator.
+                          items:
+                            type: string
+                          type: array
+                        criteria:
+                          description: Filter criteria.
+                          type: string
+                        eq:
+                          description: Equals comparator.
+                          items:
+                            type: string
+                          type: array
+                        exists:
+                          description: Boolean comparator.
+                          type: string
+                        neq:
+                          description: Not Equals comparator.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: 'Resource ID in the format: analyzer_name/rule_name.'
                     type: string
diff --git a/package/crds/account.aws.upbound.io_alternatecontacts.yaml b/package/crds/account.aws.upbound.io_alternatecontacts.yaml
index 645e5c210e..3b83af56eb 100644
--- a/package/crds/account.aws.upbound.io_alternatecontacts.yaml
+++ b/package/crds/account.aws.upbound.io_alternatecontacts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -90,12 +94,23 @@ spec:
                     type: string
                 required:
                 - alternateContactType
-                - emailAddress
-                - name
-                - phoneNumber
                 - region
-                - title
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -267,13 +282,42 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: emailAddress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.emailAddress)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: phoneNumber is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.phoneNumber)
+            - message: title is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.title)
           status:
             description: AlternateContactStatus defines the observed state of AlternateContact.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: ID of the target account when managing member accounts.
+                      Will manage current user's account by default if omitted.
+                    type: string
+                  alternateContactType:
+                    description: 'Type of the alternate contact. Allowed values are:
+                      BILLING, OPERATIONS, SECURITY.'
+                    type: string
+                  emailAddress:
+                    description: An email address for the alternate contact.
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: Name of the alternate contact.
+                    type: string
+                  phoneNumber:
+                    description: Phone number for the alternate contact.
+                    type: string
+                  title:
+                    description: Title for the alternate contact.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/acm.aws.upbound.io_certificates.yaml b/package/crds/acm.aws.upbound.io_certificates.yaml
index fe235d97a6..010eab9014 100644
--- a/package/crds/acm.aws.upbound.io_certificates.yaml
+++ b/package/crds/acm.aws.upbound.io_certificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -160,6 +164,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -339,6 +358,18 @@ spec:
                   arn:
                     description: ARN of the certificate
                     type: string
+                  certificateAuthorityArn:
+                    description: ARN of an ACM PCA
+                    type: string
+                  certificateBody:
+                    description: Certificate's PEM-formatted public key
+                    type: string
+                  certificateChain:
+                    description: Certificate's PEM-formatted chain
+                    type: string
+                  domainName:
+                    description: Domain name for which the certificate should be issued
+                    type: string
                   domainValidationOptions:
                     description: Set of domain validation objects which can be used
                       to complete certificate validation. Can have more than one element,
@@ -360,15 +391,39 @@ spec:
                           type: string
                       type: object
                     type: array
+                  earlyRenewalDuration:
+                    description: Amount of time to start automatic renewal process
+                      before expiration. Has no effect if less than 60 days. Represented
+                      by either a subset of RFC 3339 duration supporting years, months,
+                      and days (e.g., P90D), or a string such as 2160h.
+                    type: string
                   id:
                     description: ARN of the certificate
                     type: string
+                  keyAlgorithm:
+                    description: Specifies the algorithm of the public and private
+                      key pair that your Amazon issued certificate uses to encrypt
+                      data. See ACM Certificate characteristics for more details.
+                    type: string
                   notAfter:
                     description: Expiration date and time of the certificate.
                     type: string
                   notBefore:
                     description: Start of the validity period of the certificate.
                     type: string
+                  options:
+                    description: Configuration block used to set certificate options.
+                      Detailed below.
+                    items:
+                      properties:
+                        certificateTransparencyLoggingPreference:
+                          description: Whether certificate details should be added
+                            to a certificate transparency log. Valid values are ENABLED
+                            or DISABLED. See https://docs.aws.amazon.com/acm/latest/userguide/acm-concepts.html#concept-transparency
+                            for more details.
+                          type: string
+                      type: object
+                    type: array
                   pendingRenewal:
                     description: true if a Private certificate eligible for managed
                       renewal is within the early_renewal_duration period.
@@ -396,6 +451,17 @@ spec:
                   status:
                     description: Status of the certificate.
                     type: string
+                  subjectAlternativeNames:
+                    description: Set of domains that should be SANs in the issued
+                      certificate.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -411,6 +477,28 @@ spec:
                     items:
                       type: string
                     type: array
+                  validationMethod:
+                    description: Which method to use for validation.
+                    type: string
+                  validationOption:
+                    description: Configuration block used to specify information about
+                      the initial validation of each domain name. Detailed below.
+                    items:
+                      properties:
+                        domainName:
+                          description: Fully qualified domain name (FQDN) in the certificate.
+                          type: string
+                        validationDomain:
+                          description: Domain name that you want ACM to use to send
+                            you validation emails. This domain name is the suffix
+                            of the email addresses that you want ACM to use. This
+                            must be the same as the domain_name value or a superdomain
+                            of the domain_name value. For example, if you request
+                            a certificate for "testing.example.com", you can specify
+                            "example.com" for this value.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/acm.aws.upbound.io_certificatevalidations.yaml b/package/crds/acm.aws.upbound.io_certificatevalidations.yaml
index a489adc208..4edd2f5b31 100644
--- a/package/crds/acm.aws.upbound.io_certificatevalidations.yaml
+++ b/package/crds/acm.aws.upbound.io_certificatevalidations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,6 +160,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,9 +352,21 @@ spec:
             properties:
               atProvider:
                 properties:
+                  certificateArn:
+                    description: ARN of the certificate that is being validated.
+                    type: string
                   id:
                     description: Time at which the certificate was issued
                     type: string
+                  validationRecordFqdns:
+                    description: List of FQDNs that implement the validation. Only
+                      valid for DNS validation method ACM certificates. If this is
+                      set, the resource can implement additional sanity checks and
+                      has an explicit dependency on the resource that is implementing
+                      the validation
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/acmpca.aws.upbound.io_certificateauthorities.yaml b/package/crds/acmpca.aws.upbound.io_certificateauthorities.yaml
index 9a8830e06e..d51c9f2907 100644
--- a/package/crds/acmpca.aws.upbound.io_certificateauthorities.yaml
+++ b/package/crds/acmpca.aws.upbound.io_certificateauthorities.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -264,9 +268,23 @@ spec:
                       values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.'
                     type: string
                 required:
-                - certificateAuthorityConfiguration
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -438,6 +456,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: certificateAuthorityConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateAuthorityConfiguration)
           status:
             description: CertificateAuthorityStatus defines the observed state of
               CertificateAuthority.
@@ -452,6 +473,105 @@ spec:
                       Only available after the certificate authority certificate has
                       been imported.
                     type: string
+                  certificateAuthorityConfiguration:
+                    description: Nested argument containing algorithms and certificate
+                      subject information. Defined below.
+                    items:
+                      properties:
+                        keyAlgorithm:
+                          description: Type of the public key algorithm and size,
+                            in bits, of the key pair that your key pair creates when
+                            it issues a certificate. Valid values can be found in
+                            the ACM PCA Documentation.
+                          type: string
+                        signingAlgorithm:
+                          description: Name of the algorithm your private CA uses
+                            to sign certificate requests. Valid values can be found
+                            in the ACM PCA Documentation.
+                          type: string
+                        subject:
+                          description: Nested argument that contains X.500 distinguished
+                            name information. At least one nested attribute must be
+                            specified.
+                          items:
+                            properties:
+                              commonName:
+                                description: Fully qualified domain name (FQDN) associated
+                                  with the certificate subject. Must be less than
+                                  or equal to 64 characters in length.
+                                type: string
+                              country:
+                                description: Two digit code that specifies the country
+                                  in which the certificate subject located. Must be
+                                  less than or equal to 2 characters in length.
+                                type: string
+                              distinguishedNameQualifier:
+                                description: Disambiguating information for the certificate
+                                  subject. Must be less than or equal to 64 characters
+                                  in length.
+                                type: string
+                              generationQualifier:
+                                description: Typically a qualifier appended to the
+                                  name of an individual. Examples include Jr. for
+                                  junior, Sr. for senior, and III for third. Must
+                                  be less than or equal to 3 characters in length.
+                                type: string
+                              givenName:
+                                description: First name. Must be less than or equal
+                                  to 16 characters in length.
+                                type: string
+                              initials:
+                                description: Concatenation that typically contains
+                                  the first letter of the given_name, the first letter
+                                  of the middle name if one exists, and the first
+                                  letter of the surname. Must be less than or equal
+                                  to 5 characters in length.
+                                type: string
+                              locality:
+                                description: Locality (such as a city or town) in
+                                  which the certificate subject is located. Must be
+                                  less than or equal to 128 characters in length.
+                                type: string
+                              organization:
+                                description: Legal name of the organization with which
+                                  the certificate subject is affiliated. Must be less
+                                  than or equal to 64 characters in length.
+                                type: string
+                              organizationalUnit:
+                                description: Subdivision or unit of the organization
+                                  (such as sales or finance) with which the certificate
+                                  subject is affiliated. Must be less than or equal
+                                  to 64 characters in length.
+                                type: string
+                              pseudonym:
+                                description: Typically a shortened version of a longer
+                                  given_name. For example, Jonathan is often shortened
+                                  to John. Elizabeth is often shortened to Beth, Liz,
+                                  or Eliza. Must be less than or equal to 128 characters
+                                  in length.
+                                type: string
+                              state:
+                                description: State in which the subject of the certificate
+                                  is located. Must be less than or equal to 128 characters
+                                  in length.
+                                type: string
+                              surname:
+                                description: Family name. In the US and the UK for
+                                  example, the surname of an individual is ordered
+                                  last. In Asian cultures the surname is typically
+                                  ordered first. Must be less than or equal to 40
+                                  characters in length.
+                                type: string
+                              title:
+                                description: Title such as Mr. or Ms. which is pre-pended
+                                  to the name to refer formally to the certificate
+                                  subject. Must be less than or equal to 64 characters
+                                  in length.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   certificateChain:
                     description: Base64-encoded certificate chain that includes any
                       intermediate certificates and chains up to root on-premises
@@ -464,6 +584,11 @@ spec:
                     description: The base64 PEM-encoded certificate signing request
                       (CSR) for your private CA certificate.
                     type: string
+                  enabled:
+                    description: Whether the certificate authority is enabled or disabled.
+                      Defaults to true. Can only be disabled if the CA is in an ACTIVE
+                      state.
+                    type: boolean
                   id:
                     description: ARN of the certificate authority.
                     type: string
@@ -477,6 +602,73 @@ spec:
                       is not valid. Only available after the certificate authority
                       certificate has been imported.
                     type: string
+                  permanentDeletionTimeInDays:
+                    description: Number of days to make a CA restorable after it has
+                      been deleted, must be between 7 to 30 days, with default to
+                      30 days.
+                    type: number
+                  revocationConfiguration:
+                    description: Nested argument containing revocation configuration.
+                      Defined below.
+                    items:
+                      properties:
+                        crlConfiguration:
+                          description: Nested argument containing configuration of
+                            the certificate revocation list (CRL), if any, maintained
+                            by the certificate authority. Defined below.
+                          items:
+                            properties:
+                              customCname:
+                                description: Name inserted into the certificate CRL
+                                  Distribution Points extension that enables the use
+                                  of an alias for the CRL distribution point. Use
+                                  this value if you don't want the name of your S3
+                                  bucket to be public. Must be less than or equal
+                                  to 253 characters in length.
+                                type: string
+                              enabled:
+                                description: Boolean value that specifies whether
+                                  certificate revocation lists (CRLs) are enabled.
+                                  Defaults to false.
+                                type: boolean
+                              expirationInDays:
+                                description: Number of days until a certificate expires.
+                                  Must be between 1 and 5000.
+                                type: number
+                              s3BucketName:
+                                description: Name of the S3 bucket that contains the
+                                  CRL. If you do not provide a value for the custom_cname
+                                  argument, the name of your S3 bucket is placed into
+                                  the CRL Distribution Points extension of the issued
+                                  certificate. You must specify a bucket policy that
+                                  allows ACM PCA to write the CRL to your bucket.
+                                  Must be between 3 and 255 characters in length.
+                                type: string
+                              s3ObjectAcl:
+                                description: Determines whether the CRL will be publicly
+                                  readable or privately held in the CRL Amazon S3
+                                  bucket. Defaults to PUBLIC_READ.
+                                type: string
+                            type: object
+                          type: array
+                        ocspConfiguration:
+                          description: Nested argument containing configuration of
+                            the custom OCSP responder endpoint. Defined below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Boolean value that specifies whether
+                                  a custom OCSP responder is enabled.
+                                type: boolean
+                              ocspCustomCname:
+                                description: 'CNAME specifying a customized OCSP domain.
+                                  Note: The value of the CNAME must not include a
+                                  protocol prefix such as "http://" or "https://".'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   serial:
                     description: Serial number of the certificate authority. Only
                       available after the certificate authority certificate has been
@@ -486,12 +678,29 @@ spec:
                     description: (Deprecated use the enabled attribute instead) Status
                       of the certificate authority.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  type:
+                    description: 'Type of the certificate authority. Defaults to SUBORDINATE.
+                      Valid values: ROOT and SUBORDINATE.'
+                    type: string
+                  usageMode:
+                    description: 'Specifies whether the CA issues general-purpose
+                      certificates that typically require a revocation mechanism,
+                      or short-lived certificates that may optionally omit revocation
+                      because they expire quickly. Short-lived certificate validity
+                      is limited to seven days. Defaults to GENERAL_PURPOSE. Valid
+                      values: GENERAL_PURPOSE and SHORT_LIVED_CERTIFICATE.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/acmpca.aws.upbound.io_certificateauthoritycertificates.yaml b/package/crds/acmpca.aws.upbound.io_certificateauthoritycertificates.yaml
index 2640de0e74..f43b858f60 100644
--- a/package/crds/acmpca.aws.upbound.io_certificateauthoritycertificates.yaml
+++ b/package/crds/acmpca.aws.upbound.io_certificateauthoritycertificates.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -183,9 +187,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - certificateSecretRef
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -357,12 +375,18 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: certificateSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateSecretRef)
           status:
             description: CertificateAuthorityCertificateStatus defines the observed
               state of CertificateAuthorityCertificate.
             properties:
               atProvider:
                 properties:
+                  certificateAuthorityArn:
+                    description: ARN of the Certificate Authority.
+                    type: string
                   id:
                     type: string
                 type: object
diff --git a/package/crds/acmpca.aws.upbound.io_certificates.yaml b/package/crds/acmpca.aws.upbound.io_certificates.yaml
index b6519c66cd..1af17f473f 100644
--- a/package/crds/acmpca.aws.upbound.io_certificates.yaml
+++ b/package/crds/acmpca.aws.upbound.io_certificates.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -192,11 +196,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - certificateSigningRequestSecretRef
                 - region
-                - signingAlgorithm
-                - validity
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -368,6 +384,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: certificateSigningRequestSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateSigningRequestSecretRef)
+            - message: signingAlgorithm is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.signingAlgorithm)
+            - message: validity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.validity)
           status:
             description: CertificateStatus defines the observed state of Certificate.
             properties:
@@ -379,12 +402,41 @@ spec:
                   certificate:
                     description: PEM-encoded certificate value.
                     type: string
+                  certificateAuthorityArn:
+                    description: ARN of the certificate authority.
+                    type: string
                   certificateChain:
                     description: PEM-encoded certificate chain that includes any intermediate
                       certificates and chains up to root CA.
                     type: string
                   id:
                     type: string
+                  signingAlgorithm:
+                    description: 'Algorithm to use to sign certificate requests. Valid
+                      values: SHA256WITHRSA, SHA256WITHECDSA, SHA384WITHRSA, SHA384WITHECDSA,
+                      SHA512WITHRSA, SHA512WITHECDSA.'
+                    type: string
+                  templateArn:
+                    description: Template to use when issuing a certificate. See ACM
+                      PCA Documentation for more information.
+                    type: string
+                  validity:
+                    description: Configures end of the validity period for the certificate.
+                      See validity block below.
+                    items:
+                      properties:
+                        type:
+                          description: 'Determines how value is interpreted. Valid
+                            values: DAYS, MONTHS, YEARS, ABSOLUTE, END_DATE.'
+                          type: string
+                        value:
+                          description: If type is DAYS, MONTHS, or YEARS, the relative
+                            time until the certificate expires. If type is ABSOLUTE,
+                            the date in seconds since the Unix epoch. If type is END_DATE,
+                            the  date in RFC 3339 format.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/acmpca.aws.upbound.io_permissions.yaml b/package/crds/acmpca.aws.upbound.io_permissions.yaml
index ceb5105267..1b5096191c 100644
--- a/package/crds/acmpca.aws.upbound.io_permissions.yaml
+++ b/package/crds/acmpca.aws.upbound.io_permissions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -164,10 +168,23 @@ spec:
                     description: ID of the calling account
                     type: string
                 required:
-                - actions
-                - principal
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -339,16 +356,40 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: actions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actions)
+            - message: principal is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)
           status:
             description: PermissionStatus defines the observed state of Permission.
             properties:
               atProvider:
                 properties:
+                  actions:
+                    description: Actions that the specified AWS service principal
+                      can use. These include IssueCertificate, GetCertificate, and
+                      ListPermissions. Note that in order for ACM to automatically
+                      rotate certificates issued by a PCA, it must be granted permission
+                      on all 3 actions, as per the example above.
+                    items:
+                      type: string
+                    type: array
+                  certificateAuthorityArn:
+                    description: ARN of the CA that grants the permissions.
+                    type: string
                   id:
                     type: string
                   policy:
                     description: IAM policy that is associated with the permission.
                     type: string
+                  principal:
+                    description: AWS service or identity that receives the permission.
+                      At this time, the only valid principal is acm.amazonaws.com.
+                    type: string
+                  sourceAccount:
+                    description: ID of the calling account
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/acmpca.aws.upbound.io_policies.yaml b/package/crds/acmpca.aws.upbound.io_policies.yaml
index 99b7f48d75..df79cd4e50 100644
--- a/package/crds/acmpca.aws.upbound.io_policies.yaml
+++ b/package/crds/acmpca.aws.upbound.io_policies.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,9 +156,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,6 +344,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: PolicyStatus defines the observed state of Policy.
             properties:
@@ -333,6 +354,13 @@ spec:
                 properties:
                   id:
                     type: string
+                  policy:
+                    description: JSON-formatted IAM policy to attach to the specified
+                      private CA resource.
+                    type: string
+                  resourceArn:
+                    description: ARN of the private CA to associate with the policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/amp.aws.upbound.io_alertmanagerdefinitions.yaml b/package/crds/amp.aws.upbound.io_alertmanagerdefinitions.yaml
index 67bc18c7c3..97925196d8 100644
--- a/package/crds/amp.aws.upbound.io_alertmanagerdefinitions.yaml
+++ b/package/crds/amp.aws.upbound.io_alertmanagerdefinitions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,9 +155,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - definition
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,14 +343,25 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: definition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)
           status:
             description: AlertManagerDefinitionStatus defines the observed state of
               AlertManagerDefinition.
             properties:
               atProvider:
                 properties:
+                  definition:
+                    description: the alert manager definition that you want to be
+                      applied. See more in AWS Docs.
+                    type: string
                   id:
                     type: string
+                  workspaceId:
+                    description: ID of the prometheus workspace the alert manager
+                      definition should be linked to
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/amp.aws.upbound.io_rulegroupnamespaces.yaml b/package/crds/amp.aws.upbound.io_rulegroupnamespaces.yaml
index 813a6389af..4a54a8d256 100644
--- a/package/crds/amp.aws.upbound.io_rulegroupnamespaces.yaml
+++ b/package/crds/amp.aws.upbound.io_rulegroupnamespaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - data
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,13 +342,24 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: data is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.data)
           status:
             description: RuleGroupNamespaceStatus defines the observed state of RuleGroupNamespace.
             properties:
               atProvider:
                 properties:
+                  data:
+                    description: the rule group namespace data that you want to be
+                      applied. See more in AWS Docs.
+                    type: string
                   id:
                     type: string
+                  workspaceId:
+                    description: ID of the prometheus workspace the rule group namespace
+                      should be linked to
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/amp.aws.upbound.io_workspaces.yaml b/package/crds/amp.aws.upbound.io_workspaces.yaml
index 52a0e71165..4b08a3ef93 100644
--- a/package/crds/amp.aws.upbound.io_workspaces.yaml
+++ b/package/crds/amp.aws.upbound.io_workspaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -94,6 +98,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,15 +289,36 @@ spec:
             properties:
               atProvider:
                 properties:
+                  alias:
+                    description: The alias of the prometheus workspace. See more in
+                      AWS Docs.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of the workspace.
                     type: string
                   id:
                     description: Identifier of the workspace
                     type: string
+                  loggingConfiguration:
+                    description: Logging configuration for the workspace. See Logging
+                      Configuration below for details.
+                    items:
+                      properties:
+                        logGroupArn:
+                          description: The ARN of the CloudWatch log group to which
+                            the vended log data will be published. This log group
+                            must exist.
+                          type: string
+                      type: object
+                    type: array
                   prometheusEndpoint:
                     description: Prometheus endpoint available for this workspace.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/amplify.aws.upbound.io_apps.yaml b/package/crds/amplify.aws.upbound.io_apps.yaml
index 9d863d633b..5db97a3ff6 100644
--- a/package/crds/amplify.aws.upbound.io_apps.yaml
+++ b/package/crds/amplify.aws.upbound.io_apps.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -336,9 +340,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -510,6 +528,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AppStatus defines the observed state of App.
             properties:
@@ -518,12 +539,121 @@ spec:
                   arn:
                     description: ARN of the Amplify app.
                     type: string
+                  autoBranchCreationConfig:
+                    description: Automated branch creation configuration for an Amplify
+                      app. An auto_branch_creation_config block is documented below.
+                    items:
+                      properties:
+                        buildSpec:
+                          description: Build specification (build spec) for the autocreated
+                            branch.
+                          type: string
+                        enableAutoBuild:
+                          description: Enables auto building for the autocreated branch.
+                          type: boolean
+                        enableBasicAuth:
+                          description: Enables basic authorization for the autocreated
+                            branch.
+                          type: boolean
+                        enablePerformanceMode:
+                          description: Enables performance mode for the branch.
+                          type: boolean
+                        enablePullRequestPreview:
+                          description: Enables pull request previews for the autocreated
+                            branch.
+                          type: boolean
+                        environmentVariables:
+                          additionalProperties:
+                            type: string
+                          description: Environment variables for the autocreated branch.
+                          type: object
+                        framework:
+                          description: Framework for the autocreated branch.
+                          type: string
+                        pullRequestEnvironmentName:
+                          description: Amplify environment name for the pull request.
+                          type: string
+                        stage:
+                          description: 'Describes the current stage for the autocreated
+                            branch. Valid values: PRODUCTION, BETA, DEVELOPMENT, EXPERIMENTAL,
+                            PULL_REQUEST.'
+                          type: string
+                      type: object
+                    type: array
+                  autoBranchCreationPatterns:
+                    description: Automated branch creation glob patterns for an Amplify
+                      app.
+                    items:
+                      type: string
+                    type: array
+                  buildSpec:
+                    description: The build specification (build spec) for an Amplify
+                      app.
+                    type: string
+                  customRule:
+                    description: Custom rewrite and redirect rules for an Amplify
+                      app. A custom_rule block is documented below.
+                    items:
+                      properties:
+                        condition:
+                          description: Condition for a URL rewrite or redirect rule,
+                            such as a country code.
+                          type: string
+                        source:
+                          description: Source pattern for a URL rewrite or redirect
+                            rule.
+                          type: string
+                        status:
+                          description: 'Status code for a URL rewrite or redirect
+                            rule. Valid values: 200, 301, 302, 404, 404-200.'
+                          type: string
+                        target:
+                          description: Target pattern for a URL rewrite or redirect
+                            rule.
+                          type: string
+                      type: object
+                    type: array
                   defaultDomain:
                     description: Default domain for the Amplify app.
                     type: string
+                  description:
+                    description: Description for an Amplify app.
+                    type: string
+                  enableAutoBranchCreation:
+                    description: Enables automated branch creation for an Amplify
+                      app.
+                    type: boolean
+                  enableBasicAuth:
+                    description: Enables basic authorization for an Amplify app. This
+                      will apply to all branches that are part of this app.
+                    type: boolean
+                  enableBranchAutoBuild:
+                    description: Enables auto-building of branches for the Amplify
+                      App.
+                    type: boolean
+                  enableBranchAutoDeletion:
+                    description: Automatically disconnects a branch in the Amplify
+                      Console when you delete a branch from your Git repository.
+                    type: boolean
+                  environmentVariables:
+                    additionalProperties:
+                      type: string
+                    description: Environment variables map for an Amplify app.
+                    type: object
+                  iamServiceRoleArn:
+                    description: AWS Identity and Access Management (IAM) service
+                      role for an Amplify app.
+                    type: string
                   id:
                     description: Unique ID of the Amplify app.
                     type: string
+                  name:
+                    description: Name for an Amplify app.
+                    type: string
+                  platform:
+                    description: 'Platform or framework for an Amplify app. Valid
+                      values: WEB, WEB_COMPUTE. Default value: WEB.'
+                    type: string
                   productionBranch:
                     description: Describes the information about a production branch
                       for an Amplify app. A production_branch block is documented
@@ -544,6 +674,14 @@ spec:
                           type: string
                       type: object
                     type: array
+                  repository:
+                    description: Repository for an Amplify app.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/amplify.aws.upbound.io_backendenvironments.yaml b/package/crds/amplify.aws.upbound.io_backendenvironments.yaml
index 1a4e3ac255..fbdeb91ab9 100644
--- a/package/crds/amplify.aws.upbound.io_backendenvironments.yaml
+++ b/package/crds/amplify.aws.upbound.io_backendenvironments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,6 +157,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -329,13 +348,22 @@ spec:
             properties:
               atProvider:
                 properties:
+                  appId:
+                    description: Unique ID for an Amplify app.
+                    type: string
                   arn:
                     description: ARN for a backend environment that is part of an
                       Amplify app.
                     type: string
+                  deploymentArtifacts:
+                    description: Name of deployment artifacts.
+                    type: string
                   id:
                     description: Unique ID of the Amplify backend environment.
                     type: string
+                  stackName:
+                    description: AWS CloudFormation stack name of a backend environment.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/amplify.aws.upbound.io_branches.yaml b/package/crds/amplify.aws.upbound.io_branches.yaml
index c8b79cb6e6..a8a2029b46 100644
--- a/package/crds/amplify.aws.upbound.io_branches.yaml
+++ b/package/crds/amplify.aws.upbound.io_branches.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -213,6 +217,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -389,6 +408,9 @@ spec:
             properties:
               atProvider:
                 properties:
+                  appId:
+                    description: Unique ID for an Amplify app.
+                    type: string
                   arn:
                     description: ARN for the branch.
                     type: string
@@ -398,26 +420,75 @@ spec:
                     items:
                       type: string
                     type: array
+                  backendEnvironmentArn:
+                    description: ARN for a backend environment that is part of an
+                      Amplify app.
+                    type: string
                   customDomains:
                     description: Custom domains for the branch.
                     items:
                       type: string
                     type: array
+                  description:
+                    description: Description for the branch.
+                    type: string
                   destinationBranch:
                     description: Destination branch if the branch is a pull request
                       branch.
                     type: string
+                  displayName:
+                    description: Display name for a branch. This is used as the default
+                      domain prefix.
+                    type: string
+                  enableAutoBuild:
+                    description: Enables auto building for the branch.
+                    type: boolean
+                  enableBasicAuth:
+                    description: Enables basic authorization for the branch.
+                    type: boolean
+                  enableNotification:
+                    description: Enables notifications for the branch.
+                    type: boolean
+                  enablePerformanceMode:
+                    description: Enables performance mode for the branch.
+                    type: boolean
+                  enablePullRequestPreview:
+                    description: Enables pull request previews for this branch.
+                    type: boolean
+                  environmentVariables:
+                    additionalProperties:
+                      type: string
+                    description: Environment variables for the branch.
+                    type: object
+                  framework:
+                    description: Framework for the branch.
+                    type: string
                   id:
                     type: string
+                  pullRequestEnvironmentName:
+                    description: Amplify environment name for the pull request.
+                    type: string
                   sourceBranch:
                     description: Source branch if the branch is a pull request branch.
                     type: string
+                  stage:
+                    description: 'Describes the current stage for the branch. Valid
+                      values: PRODUCTION, BETA, DEVELOPMENT, EXPERIMENTAL, PULL_REQUEST.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  ttl:
+                    description: Content Time To Live (TTL) for the website in seconds.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/amplify.aws.upbound.io_webhooks.yaml b/package/crds/amplify.aws.upbound.io_webhooks.yaml
index 8121105870..496ea12877 100644
--- a/package/crds/amplify.aws.upbound.io_webhooks.yaml
+++ b/package/crds/amplify.aws.upbound.io_webhooks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -226,6 +230,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,9 +421,18 @@ spec:
             properties:
               atProvider:
                 properties:
+                  appId:
+                    description: Unique ID for an Amplify app.
+                    type: string
                   arn:
                     description: ARN for the webhook.
                     type: string
+                  branchName:
+                    description: Name for a branch that is part of the Amplify app.
+                    type: string
+                  description:
+                    description: Description for a webhook.
+                    type: string
                   id:
                     type: string
                   url:
diff --git a/package/crds/apigateway.aws.upbound.io_accounts.yaml b/package/crds/apigateway.aws.upbound.io_accounts.yaml
index 4019ef9b79..fc0b57e98f 100644
--- a/package/crds/apigateway.aws.upbound.io_accounts.yaml
+++ b/package/crds/apigateway.aws.upbound.io_accounts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,6 +154,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,6 +345,12 @@ spec:
             properties:
               atProvider:
                 properties:
+                  cloudwatchRoleArn:
+                    description: ARN of an IAM role for CloudWatch (to allow logging
+                      & monitoring). See more in AWS Docs. Logging & monitoring can
+                      be enabled/disabled and otherwise tuned on the API Gateway Stage
+                      level.
+                    type: string
                   id:
                     type: string
                   throttleSettings:
diff --git a/package/crds/apigateway.aws.upbound.io_apikeys.yaml b/package/crds/apigateway.aws.upbound.io_apikeys.yaml
index d99d944848..048d9cda73 100644
--- a/package/crds/apigateway.aws.upbound.io_apikeys.yaml
+++ b/package/crds/apigateway.aws.upbound.io_apikeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -102,9 +106,23 @@ spec:
                     - namespace
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -276,6 +294,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: APIKeyStatus defines the observed state of APIKey.
             properties:
@@ -287,12 +308,27 @@ spec:
                   createdDate:
                     description: Creation date of the API key
                     type: string
+                  description:
+                    description: API key description.
+                    type: string
+                  enabled:
+                    description: Whether the API key can be used by callers. Defaults
+                      to true.
+                    type: boolean
                   id:
                     description: ID of the API key
                     type: string
                   lastUpdatedDate:
                     description: Last update date of the API key
                     type: string
+                  name:
+                    description: Name of the API key
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apigateway.aws.upbound.io_authorizers.yaml b/package/crds/apigateway.aws.upbound.io_authorizers.yaml
index dbad2a83a1..c6a0e3b69b 100644
--- a/package/crds/apigateway.aws.upbound.io_authorizers.yaml
+++ b/package/crds/apigateway.aws.upbound.io_authorizers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -335,9 +339,23 @@ spec:
                       Cognito user pool. Defaults to TOKEN.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -509,6 +527,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AuthorizerStatus defines the observed state of Authorizer.
             properties:
@@ -517,9 +538,54 @@ spec:
                   arn:
                     description: ARN of the API Gateway Authorizer
                     type: string
+                  authorizerCredentials:
+                    description: Credentials required for the authorizer. To specify
+                      an IAM Role for API Gateway to assume, use the IAM Role ARN.
+                    type: string
+                  authorizerResultTtlInSeconds:
+                    description: TTL of cached authorizer results in seconds. Defaults
+                      to 300.
+                    type: number
+                  authorizerUri:
+                    description: Authorizer's Uniform Resource Identifier (URI). This
+                      must be a well-formed Lambda function URI in the form of arn:aws:apigateway:{region}:lambda:path/{service_api},
+                      e.g., arn:aws:apigateway:us-west-2:lambda:path/2015-03-31/functions/arn:aws:lambda:us-west-2:012345678912:function:my-function/invocations
+                    type: string
                   id:
                     description: Authorizer identifier.
                     type: string
+                  identitySource:
+                    description: Source of the identity in an incoming request. Defaults
+                      to method.request.header.Authorization. For REQUEST type, this
+                      may be a comma-separated list of values, including headers,
+                      query string parameters and stage variables - e.g., "method.request.header.SomeHeaderName,method.request.querystring.SomeQueryStringName,stageVariables.SomeStageVariableName"
+                    type: string
+                  identityValidationExpression:
+                    description: Validation expression for the incoming identity.
+                      For TOKEN type, this value should be a regular expression. The
+                      incoming token from the client is matched against this expression,
+                      and will proceed if the token matches. If the token doesn't
+                      match, the client receives a 401 Unauthorized response.
+                    type: string
+                  name:
+                    description: Name of the authorizer
+                    type: string
+                  providerArns:
+                    description: 'List of the Amazon Cognito user pool ARNs. Each
+                      element is of this format: arn:aws:cognito-idp:{region}:{account_id}:userpool/{user_pool_id}.'
+                    items:
+                      type: string
+                    type: array
+                  restApiId:
+                    description: ID of the associated REST API
+                    type: string
+                  type:
+                    description: Type of the authorizer. Possible values are TOKEN
+                      for a Lambda function using a single authorization token submitted
+                      in a custom header, REQUEST for a Lambda function using incoming
+                      request parameters, or COGNITO_USER_POOLS for using an Amazon
+                      Cognito user pool. Defaults to TOKEN.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_basepathmappings.yaml b/package/crds/apigateway.aws.upbound.io_basepathmappings.yaml
index 7bb1710d79..72f71e0dc6 100644
--- a/package/crds/apigateway.aws.upbound.io_basepathmappings.yaml
+++ b/package/crds/apigateway.aws.upbound.io_basepathmappings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -311,6 +315,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -487,8 +506,25 @@ spec:
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: ID of the API to connect.
+                    type: string
+                  basePath:
+                    description: Path segment that must be prepended to the path when
+                      accessing the API via this mapping. If omitted, the API is exposed
+                      at the root of the given domain.
+                    type: string
+                  domainName:
+                    description: Already-registered domain name to connect the API
+                      to.
+                    type: string
                   id:
                     type: string
+                  stageName:
+                    description: Name of a specific deployment stage to expose at
+                      the given path. If omitted, callers may select any stage by
+                      including its name as a path element after the base path.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_clientcertificates.yaml b/package/crds/apigateway.aws.upbound.io_clientcertificates.yaml
index b1a610e695..9a7369155c 100644
--- a/package/crds/apigateway.aws.upbound.io_clientcertificates.yaml
+++ b/package/crds/apigateway.aws.upbound.io_clientcertificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -261,6 +280,9 @@ spec:
                   createdDate:
                     description: Date when the client certificate was created.
                     type: string
+                  description:
+                    description: Description of the client certificate.
+                    type: string
                   expirationDate:
                     description: Date when the client certificate will expire.
                     type: string
@@ -270,6 +292,11 @@ spec:
                   pemEncodedCertificate:
                     description: The PEM-encoded public key of the client certificate.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apigateway.aws.upbound.io_deployments.yaml b/package/crds/apigateway.aws.upbound.io_deployments.yaml
index 55eccb3d32..797b45bf1f 100644
--- a/package/crds/apigateway.aws.upbound.io_deployments.yaml
+++ b/package/crds/apigateway.aws.upbound.io_deployments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -177,6 +181,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -356,6 +375,9 @@ spec:
                   createdDate:
                     description: Creation date of the deployment
                     type: string
+                  description:
+                    description: Description of the deployment
+                    type: string
                   executionArn:
                     description: Execution ARN to be used in lambda_permission's source_arn
                       when allowing API Gateway to invoke a Lambda function, e.g.,
@@ -368,6 +390,34 @@ spec:
                     description: URL to invoke the API pointing to the stage, e.g.,
                       https://z4675bid1j.execute-api.eu-west-2.amazonaws.com/prod
                     type: string
+                  restApiId:
+                    description: REST API identifier.
+                    type: string
+                  stageDescription:
+                    description: Description to set on the stage managed by the stage_name
+                      argument.
+                    type: string
+                  stageName:
+                    description: Name of the stage to create with this deployment.
+                      If the specified stage already exists, it will be updated to
+                      point to the new deployment. We recommend using the aws_api_gateway_stage
+                      resource instead to manage stages.
+                    type: string
+                  triggers:
+                    additionalProperties:
+                      type: string
+                    description: argument or explicit resource references using the
+                      resource . The triggers argument should be preferred over depends_on,
+                      since depends_on can only capture dependency ordering and will
+                      not cause the resource to recreate (redeploy the REST API) with
+                      upstream configuration changes.
+                    type: object
+                  variables:
+                    additionalProperties:
+                      type: string
+                    description: Map to set on the stage managed by the stage_name
+                      argument.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_documentationparts.yaml b/package/crds/apigateway.aws.upbound.io_documentationparts.yaml
index 93a4d17798..7a1b64d704 100644
--- a/package/crds/apigateway.aws.upbound.io_documentationparts.yaml
+++ b/package/crds/apigateway.aws.upbound.io_documentationparts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,10 +185,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - location
-                - properties
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -356,6 +373,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: location is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.location)
+            - message: properties is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.properties)
           status:
             description: DocumentationPartStatus defines the observed state of DocumentationPart.
             properties:
@@ -364,6 +386,41 @@ spec:
                   id:
                     description: Unique ID of the Documentation Part
                     type: string
+                  location:
+                    description: Location of the targeted API entity of the to-be-created
+                      documentation part. See below.
+                    items:
+                      properties:
+                        method:
+                          description: HTTP verb of a method. The default value is
+                            * for any method.
+                          type: string
+                        name:
+                          description: Name of the targeted API entity.
+                          type: string
+                        path:
+                          description: URL path of the target. The default value is
+                            / for the root resource.
+                          type: string
+                        statusCode:
+                          description: HTTP status code of a response. The default
+                            value is * for any status code.
+                          type: string
+                        type:
+                          description: Type of API entity to which the documentation
+                            content appliesE.g., API, METHOD or REQUEST_BODY
+                          type: string
+                      type: object
+                    type: array
+                  properties:
+                    description: 'Content map of API-specific key-value pairs describing
+                      the targeted API entity. The map must be encoded as a JSON string,
+                      e.g., "{ "description": "The API does ..." }". Only Swagger-compliant
+                      key-value pairs can be exported and, hence, published.'
+                    type: string
+                  restApiId:
+                    description: ID of the associated Rest API
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_documentationversions.yaml b/package/crds/apigateway.aws.upbound.io_documentationversions.yaml
index f9a3522ce0..2e8da59c33 100644
--- a/package/crds/apigateway.aws.upbound.io_documentationversions.yaml
+++ b/package/crds/apigateway.aws.upbound.io_documentationversions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -154,8 +158,22 @@ spec:
                     type: string
                 required:
                 - region
-                - version
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,14 +345,26 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: version is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)
           status:
             description: DocumentationVersionStatus defines the observed state of
               DocumentationVersion.
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: Description of the API documentation version.
+                    type: string
                   id:
                     type: string
+                  restApiId:
+                    description: ID of the associated Rest API
+                    type: string
+                  version:
+                    description: Version identifier of the API documentation snapshot.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_domainnames.yaml b/package/crds/apigateway.aws.upbound.io_domainnames.yaml
index 61a4f82093..a39c3ecdac 100644
--- a/package/crds/apigateway.aws.upbound.io_domainnames.yaml
+++ b/package/crds/apigateway.aws.upbound.io_domainnames.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -337,9 +341,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - domainName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -511,6 +529,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domainName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)
           status:
             description: DomainNameStatus defines the observed state of DomainName.
             properties:
@@ -519,6 +540,32 @@ spec:
                   arn:
                     description: ARN of domain name.
                     type: string
+                  certificateArn:
+                    description: ARN for an AWS-managed certificate. AWS Certificate
+                      Manager is the only supported source. Used when an edge-optimized
+                      domain name is desired. Conflicts with certificate_name, certificate_body,
+                      certificate_chain, certificate_private_key, regional_certificate_arn,
+                      and regional_certificate_name.
+                    type: string
+                  certificateBody:
+                    description: Certificate issued for the domain name being registered,
+                      in PEM format. Only valid for EDGE endpoint configuration type.
+                      Conflicts with certificate_arn, regional_certificate_arn, and
+                      regional_certificate_name.
+                    type: string
+                  certificateChain:
+                    description: Certificate for the CA that issued the certificate,
+                      along with any intermediate CA certificates required to create
+                      an unbroken chain to a certificate trusted by the intended API
+                      clients. Only valid for EDGE endpoint configuration type. Conflicts
+                      with certificate_arn, regional_certificate_arn, and regional_certificate_name.
+                    type: string
+                  certificateName:
+                    description: Unique name to use when registering this certificate
+                      as an IAM server certificate. Conflicts with certificate_arn,
+                      regional_certificate_arn, and regional_certificate_name. Required
+                      if certificate_arn is not set.
+                    type: string
                   certificateUploadDate:
                     description: Upload date associated with the domain certificate.
                     type: string
@@ -530,10 +577,68 @@ spec:
                     description: For convenience, the hosted zone ID (Z2FDTNDATAQYW2)
                       that can be used to create a Route53 alias record for the distribution.
                     type: string
+                  domainName:
+                    description: Fully-qualified domain name to register.
+                    type: string
+                  endpointConfiguration:
+                    description: Configuration block defining API endpoint information
+                      including type. See below.
+                    items:
+                      properties:
+                        types:
+                          description: 'List of endpoint types. This resource currently
+                            only supports managing a single value. Valid values: EDGE
+                            or REGIONAL. If unspecified, defaults to EDGE. Must be
+                            declared as REGIONAL in non-Commercial partitions. Refer
+                            to the documentation for more information on the difference
+                            between edge-optimized and regional APIs.'
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: Internal identifier assigned to this domain name
                       by API Gateway.
                     type: string
+                  mutualTlsAuthentication:
+                    description: Mutual TLS authentication configuration for the domain
+                      name. See below.
+                    items:
+                      properties:
+                        truststoreUri:
+                          description: Amazon S3 URL that specifies the truststore
+                            for mutual TLS authentication, for example, s3://bucket-name/key-name.
+                            The truststore can contain certificates from public or
+                            private certificate authorities. To update the truststore,
+                            upload a new version to S3, and then update your custom
+                            domain name to use the new version.
+                          type: string
+                        truststoreVersion:
+                          description: Version of the S3 object that contains the
+                            truststore. To specify a version, you must have versioning
+                            enabled for the S3 bucket.
+                          type: string
+                      type: object
+                    type: array
+                  ownershipVerificationCertificateArn:
+                    description: ARN of the AWS-issued certificate used to validate
+                      custom domain ownership (when certificate_arn is issued via
+                      an ACM Private CA or mutual_tls_authentication is configured
+                      with an ACM-imported certificate.)
+                    type: string
+                  regionalCertificateArn:
+                    description: ARN for an AWS-managed certificate. AWS Certificate
+                      Manager is the only supported source. Used when a regional domain
+                      name is desired. Conflicts with certificate_arn, certificate_name,
+                      certificate_body, certificate_chain, and certificate_private_key.
+                    type: string
+                  regionalCertificateName:
+                    description: User-friendly name of the certificate that will be
+                      used by regional endpoint for this domain name. Conflicts with
+                      certificate_arn, certificate_name, certificate_body, certificate_chain,
+                      and certificate_private_key.
+                    type: string
                   regionalDomainName:
                     description: Hostname for the custom domain's regional endpoint.
                     type: string
@@ -541,6 +646,16 @@ spec:
                     description: Hosted zone ID that can be used to create a Route53
                       alias record for the regional endpoint.
                     type: string
+                  securityPolicy:
+                    description: Transport Layer Security (TLS) version + cipher suite
+                      for this DomainName. Valid values are TLS_1_0 and TLS_1_2. Must
+                      be configured to perform drift detection.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apigateway.aws.upbound.io_gatewayresponses.yaml b/package/crds/apigateway.aws.upbound.io_gatewayresponses.yaml
index 89fc726727..e1582e002f 100644
--- a/package/crds/apigateway.aws.upbound.io_gatewayresponses.yaml
+++ b/package/crds/apigateway.aws.upbound.io_gatewayresponses.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -165,8 +169,22 @@ spec:
                     type: string
                 required:
                 - region
-                - responseType
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -338,6 +356,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: responseType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.responseType)
           status:
             description: GatewayResponseStatus defines the observed state of GatewayResponse.
             properties:
@@ -345,6 +366,26 @@ spec:
                 properties:
                   id:
                     type: string
+                  responseParameters:
+                    additionalProperties:
+                      type: string
+                    description: Map of parameters (paths, query strings and headers)
+                      of the Gateway Response.
+                    type: object
+                  responseTemplates:
+                    additionalProperties:
+                      type: string
+                    description: Map of templates used to transform the response body.
+                    type: object
+                  responseType:
+                    description: Response type of the associated GatewayResponse.
+                    type: string
+                  restApiId:
+                    description: String identifier of the associated REST API.
+                    type: string
+                  statusCode:
+                    description: HTTP status code of the Gateway Response.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_integrationresponses.yaml b/package/crds/apigateway.aws.upbound.io_integrationresponses.yaml
index dda00ab16e..092001d1b1 100644
--- a/package/crds/apigateway.aws.upbound.io_integrationresponses.yaml
+++ b/package/crds/apigateway.aws.upbound.io_integrationresponses.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -410,6 +414,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -586,8 +605,49 @@ spec:
             properties:
               atProvider:
                 properties:
+                  contentHandling:
+                    description: How to handle request payload content type conversions.
+                      Supported values are CONVERT_TO_BINARY and CONVERT_TO_TEXT.
+                      If this property is not defined, the response payload will be
+                      passed through from the integration response to the method response
+                      without modification.
+                    type: string
+                  httpMethod:
+                    description: HTTP method (GET, POST, PUT, DELETE, HEAD, OPTIONS,
+                      ANY).
+                    type: string
                   id:
                     type: string
+                  resourceId:
+                    description: API resource ID.
+                    type: string
+                  responseParameters:
+                    additionalProperties:
+                      type: string
+                    description: 'Map of response parameters that can be read from
+                      the backend response. For example: response_parameters = { "method.response.header.X-Some-Header"
+                      = "integration.response.header.X-Some-Other-Header" }.'
+                    type: object
+                  responseTemplates:
+                    additionalProperties:
+                      type: string
+                    description: Map of templates used to transform the integration
+                      response body.
+                    type: object
+                  restApiId:
+                    description: ID of the associated REST API.
+                    type: string
+                  selectionPattern:
+                    description: Regular expression pattern used to choose an integration
+                      response based on the response from the backend. Omit configuring
+                      this to make the integration the default one. If the backend
+                      is an AWS Lambda function, the AWS Lambda function error header
+                      is matched. For all other HTTP and AWS backends, the HTTP status
+                      code is matched.
+                    type: string
+                  statusCode:
+                    description: HTTP status code.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_integrations.yaml b/package/crds/apigateway.aws.upbound.io_integrations.yaml
index a5c66d7191..c4f7d2db10 100644
--- a/package/crds/apigateway.aws.upbound.io_integrations.yaml
+++ b/package/crds/apigateway.aws.upbound.io_integrations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -552,8 +556,22 @@ spec:
                     type: object
                 required:
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -725,13 +743,127 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: IntegrationStatus defines the observed state of Integration.
             properties:
               atProvider:
                 properties:
+                  cacheKeyParameters:
+                    description: List of cache key parameters for the integration.
+                    items:
+                      type: string
+                    type: array
+                  cacheNamespace:
+                    description: Integration's cache namespace.
+                    type: string
+                  connectionId:
+                    description: ID of the VpcLink used for the integration. Required
+                      if connection_type is VPC_LINK
+                    type: string
+                  connectionType:
+                    description: Integration input's connectionType. Valid values
+                      are INTERNET (default for connections through the public routable
+                      internet), and VPC_LINK (for private connections between API
+                      Gateway and a network load balancer in a VPC).
+                    type: string
+                  contentHandling:
+                    description: How to handle request payload content type conversions.
+                      Supported values are CONVERT_TO_BINARY and CONVERT_TO_TEXT.
+                      If this property is not defined, the request payload will be
+                      passed through from the method request to integration request
+                      without modification, provided that the passthroughBehaviors
+                      is configured to support payload pass-through.
+                    type: string
+                  credentials:
+                    description: Credentials required for the integration. For AWS
+                      integrations, 2 options are available. To specify an IAM Role
+                      for Amazon API Gateway to assume, use the role's ARN. To require
+                      that the caller's identity be passed through from the request,
+                      specify the string arn:aws:iam::\*:user/\*.
+                    type: string
+                  httpMethod:
+                    description: HTTP method (GET, POST, PUT, DELETE, HEAD, OPTION,
+                      ANY) when calling the associated resource.
+                    type: string
                   id:
                     type: string
+                  integrationHttpMethod:
+                    description: Integration HTTP method (GET, POST, PUT, DELETE,
+                      HEAD, OPTIONs, ANY, PATCH) specifying how API Gateway will interact
+                      with the back end. Required if type is AWS, AWS_PROXY, HTTP
+                      or HTTP_PROXY. Not all methods are compatible with all AWS integrations.
+                      e.g., Lambda function can only be invoked via POST.
+                    type: string
+                  passthroughBehavior:
+                    description: Integration passthrough behavior (WHEN_NO_MATCH,
+                      WHEN_NO_TEMPLATES, NEVER).  Required if request_templates is
+                      used.
+                    type: string
+                  requestParameters:
+                    additionalProperties:
+                      type: string
+                    description: 'Map of request query string parameters and headers
+                      that should be passed to the backend responder. For example:
+                      request_parameters = { "integration.request.header.X-Some-Other-Header"
+                      = "method.request.header.X-Some-Header" }'
+                    type: object
+                  requestTemplates:
+                    additionalProperties:
+                      type: string
+                    description: Map of the integration's request templates.
+                    type: object
+                  resourceId:
+                    description: API resource ID.
+                    type: string
+                  restApiId:
+                    description: ID of the associated REST API.
+                    type: string
+                  timeoutMilliseconds:
+                    description: Custom timeout between 50 and 29,000 milliseconds.
+                      The default value is 29,000 milliseconds.
+                    type: number
+                  tlsConfig:
+                    description: TLS configuration. See below.
+                    items:
+                      properties:
+                        insecureSkipVerification:
+                          description: Whether or not API Gateway skips verification
+                            that the certificate for an integration endpoint is issued
+                            by a supported certificate authority. This isn’t recommended,
+                            but it enables you to use certificates that are signed
+                            by private certificate authorities, or certificates that
+                            are self-signed. If enabled, API Gateway still performs
+                            basic certificate validation, which includes checking
+                            the certificate's expiration date, hostname, and presence
+                            of a root certificate authority. Supported only for HTTP
+                            and HTTP_PROXY integrations.
+                          type: boolean
+                      type: object
+                    type: array
+                  type:
+                    description: Integration input's type. Valid values are HTTP (for
+                      HTTP backends), MOCK (not calling any real backend), AWS (for
+                      AWS services), AWS_PROXY (for Lambda proxy integration) and
+                      HTTP_PROXY (for HTTP proxy integration). An HTTP or HTTP_PROXY
+                      integration with a connection_type of VPC_LINK is referred to
+                      as a private integration and uses a VpcLink to connect API Gateway
+                      to a network load balancer of a VPC.
+                    type: string
+                  uri:
+                    description: Input's URI. Required if type is AWS, AWS_PROXY,
+                      HTTP or HTTP_PROXY. For HTTP integrations, the URI must be a
+                      fully formed, encoded HTTP(S) URL according to the RFC-3986
+                      specification . For AWS integrations, the URI should be of the
+                      form arn:aws:apigateway:{region}:{subdomain.service|service}:{path|action}/{service_api}.
+                      region, subdomain and service are used to determine the right
+                      endpoint. e.g., arn:aws:apigateway:eu-west-1:lambda:path/2015-03-31/functions/arn:aws:lambda:eu-west-1:012345678901:function:my-func/invocations.
+                      For private integrations, the URI parameter is not used for
+                      routing requests to your endpoint, but is used for setting the
+                      Host header and for certificate validation.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_methodresponses.yaml b/package/crds/apigateway.aws.upbound.io_methodresponses.yaml
index 2e828dc5f2..d638069eab 100644
--- a/package/crds/apigateway.aws.upbound.io_methodresponses.yaml
+++ b/package/crds/apigateway.aws.upbound.io_methodresponses.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -320,8 +324,22 @@ spec:
                     type: string
                 required:
                 - region
-                - statusCode
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -493,13 +511,43 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: statusCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statusCode)
           status:
             description: MethodResponseStatus defines the observed state of MethodResponse.
             properties:
               atProvider:
                 properties:
+                  httpMethod:
+                    description: HTTP Method (GET, POST, PUT, DELETE, HEAD, OPTIONS,
+                      ANY)
+                    type: string
                   id:
                     type: string
+                  resourceId:
+                    description: API resource ID
+                    type: string
+                  responseModels:
+                    additionalProperties:
+                      type: string
+                    description: Map of the API models used for the response's content
+                      type
+                    type: object
+                  responseParameters:
+                    additionalProperties:
+                      type: boolean
+                    description: 'Map of response parameters that can be sent to the
+                      caller. For example: response_parameters = { "method.response.header.X-Some-Header"
+                      = true } would define that the header X-Some-Header can be provided
+                      on the response.'
+                    type: object
+                  restApiId:
+                    description: ID of the associated REST API
+                    type: string
+                  statusCode:
+                    description: HTTP status code
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_methods.yaml b/package/crds/apigateway.aws.upbound.io_methods.yaml
index df2560d3bd..6d81b8a51b 100644
--- a/package/crds/apigateway.aws.upbound.io_methods.yaml
+++ b/package/crds/apigateway.aws.upbound.io_methods.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -349,10 +353,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - authorization
-                - httpMethod
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -524,13 +541,73 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authorization is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorization)
+            - message: httpMethod is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.httpMethod)
           status:
             description: MethodStatus defines the observed state of Method.
             properties:
               atProvider:
                 properties:
+                  apiKeyRequired:
+                    description: Specify if the method requires an API key
+                    type: boolean
+                  authorization:
+                    description: Type of authorization used for the method (NONE,
+                      CUSTOM, AWS_IAM, COGNITO_USER_POOLS)
+                    type: string
+                  authorizationScopes:
+                    description: Authorization scopes used when the authorization
+                      is COGNITO_USER_POOLS
+                    items:
+                      type: string
+                    type: array
+                  authorizerId:
+                    description: Authorizer id to be used when the authorization is
+                      CUSTOM or COGNITO_USER_POOLS
+                    type: string
+                  httpMethod:
+                    description: HTTP Method (GET, POST, PUT, DELETE, HEAD, OPTIONS,
+                      ANY)
+                    type: string
                   id:
                     type: string
+                  operationName:
+                    description: Function name that will be given to the method when
+                      generating an SDK through API Gateway. If omitted, API Gateway
+                      will generate a function name based on the resource path and
+                      HTTP verb.
+                    type: string
+                  requestModels:
+                    additionalProperties:
+                      type: string
+                    description: Map of the API models used for the request's content
+                      type where key is the content type (e.g., application/json)
+                      and value is either Error, Empty (built-in models) or aws_api_gateway_model's
+                      name.
+                    type: object
+                  requestParameters:
+                    additionalProperties:
+                      type: boolean
+                    description: 'Map of request parameters (from the path, query
+                      string and headers) that should be passed to the integration.
+                      The boolean value indicates whether the parameter is required
+                      (true) or optional (false). For example: request_parameters
+                      = {"method.request.header.X-Some-Header" = true "method.request.querystring.some-query-param"
+                      = true} would define that the header X-Some-Header and the query
+                      string some-query-param must be provided in the request.'
+                    type: object
+                  requestValidatorId:
+                    description: ID of a aws_api_gateway_request_validator
+                    type: string
+                  resourceId:
+                    description: API resource ID
+                    type: string
+                  restApiId:
+                    description: ID of the associated REST API
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_methodsettings.yaml b/package/crds/apigateway.aws.upbound.io_methodsettings.yaml
index e48e4d6ea8..a78be58d99 100644
--- a/package/crds/apigateway.aws.upbound.io_methodsettings.yaml
+++ b/package/crds/apigateway.aws.upbound.io_methodsettings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -280,10 +284,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - methodPath
                 - region
-                - settings
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -455,6 +472,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: methodPath is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.methodPath)
+            - message: settings is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settings)
           status:
             description: MethodSettingsStatus defines the observed state of MethodSettings.
             properties:
@@ -462,6 +484,69 @@ spec:
                 properties:
                   id:
                     type: string
+                  methodPath:
+                    description: Method path defined as {resource_path}/{http_method}
+                      for an individual method override, or */* for overriding all
+                      methods in the stage. Ensure to trim any leading forward slashes
+                      in the path (e.g., trimprefix(aws_api_gateway_resource.example.path,
+                      "/")).
+                    type: string
+                  restApiId:
+                    description: ID of the REST API
+                    type: string
+                  settings:
+                    description: Settings block, see below.
+                    items:
+                      properties:
+                        cacheDataEncrypted:
+                          description: Whether the cached responses are encrypted.
+                          type: boolean
+                        cacheTtlInSeconds:
+                          description: Time to live (TTL), in seconds, for cached
+                            responses. The higher the TTL, the longer the response
+                            will be cached.
+                          type: number
+                        cachingEnabled:
+                          description: Whether responses should be cached and returned
+                            for requests. A cache cluster must be enabled on the stage
+                            for responses to be cached.
+                          type: boolean
+                        dataTraceEnabled:
+                          description: Whether data trace logging is enabled for this
+                            method, which effects the log entries pushed to Amazon
+                            CloudWatch Logs.
+                          type: boolean
+                        loggingLevel:
+                          description: Logging level for this method, which effects
+                            the log entries pushed to Amazon CloudWatch Logs. The
+                            available levels are OFF, ERROR, and INFO.
+                          type: string
+                        metricsEnabled:
+                          description: Whether Amazon CloudWatch metrics are enabled
+                            for this method.
+                          type: boolean
+                        requireAuthorizationForCacheControl:
+                          description: Whether authorization is required for a cache
+                            invalidation request.
+                          type: boolean
+                        throttlingBurstLimit:
+                          description: 'Throttling burst limit. Default: -1 (throttling
+                            disabled).'
+                          type: number
+                        throttlingRateLimit:
+                          description: 'Throttling rate limit. Default: -1 (throttling
+                            disabled).'
+                          type: number
+                        unauthorizedCacheControlHeaderStrategy:
+                          description: How to handle unauthorized requests for cache
+                            invalidation. The available values are FAIL_WITH_403,
+                            SUCCEED_WITH_RESPONSE_HEADER, SUCCEED_WITHOUT_RESPONSE_HEADER.
+                          type: string
+                      type: object
+                    type: array
+                  stageName:
+                    description: Name of the stage
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_models.yaml b/package/crds/apigateway.aws.upbound.io_models.yaml
index 16876ef8c8..6f15ec08a8 100644
--- a/package/crds/apigateway.aws.upbound.io_models.yaml
+++ b/package/crds/apigateway.aws.upbound.io_models.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,10 +163,23 @@ spec:
                     description: Schema of the model in a JSON form
                     type: string
                 required:
-                - contentType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,14 +351,34 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: contentType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ModelStatus defines the observed state of Model.
             properties:
               atProvider:
                 properties:
+                  contentType:
+                    description: Content type of the model
+                    type: string
+                  description:
+                    description: Description of the model
+                    type: string
                   id:
                     description: ID of the model
                     type: string
+                  name:
+                    description: Name of the model
+                    type: string
+                  restApiId:
+                    description: ID of the associated REST API
+                    type: string
+                  schema:
+                    description: Schema of the model in a JSON form
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_requestvalidators.yaml b/package/crds/apigateway.aws.upbound.io_requestvalidators.yaml
index dc955c9278..cdddbd4f43 100644
--- a/package/crds/apigateway.aws.upbound.io_requestvalidators.yaml
+++ b/package/crds/apigateway.aws.upbound.io_requestvalidators.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,9 +162,23 @@ spec:
                       to false.
                     type: boolean
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -332,6 +350,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RequestValidatorStatus defines the observed state of RequestValidator.
             properties:
@@ -340,6 +361,20 @@ spec:
                   id:
                     description: Unique ID of the request validator
                     type: string
+                  name:
+                    description: Name of the request validator
+                    type: string
+                  restApiId:
+                    description: ID of the associated Rest API
+                    type: string
+                  validateRequestBody:
+                    description: Boolean whether to validate request body. Defaults
+                      to false.
+                    type: boolean
+                  validateRequestParameters:
+                    description: Boolean whether to validate request parameters. Defaults
+                      to false.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_resources.yaml b/package/crds/apigateway.aws.upbound.io_resources.yaml
index ecfe6b2603..b2c610be7d 100644
--- a/package/crds/apigateway.aws.upbound.io_resources.yaml
+++ b/package/crds/apigateway.aws.upbound.io_resources.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,9 +232,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - pathPart
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,6 +420,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: pathPart is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pathPart)
           status:
             description: ResourceStatus defines the observed state of Resource.
             properties:
@@ -410,10 +431,19 @@ spec:
                   id:
                     description: Resource's identifier.
                     type: string
+                  parentId:
+                    description: ID of the parent API resource
+                    type: string
                   path:
                     description: Complete path for this API resource, including all
                       parent paths.
                     type: string
+                  pathPart:
+                    description: Last path segment of this API resource.
+                    type: string
+                  restApiId:
+                    description: ID of the associated REST API
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_restapipolicies.yaml b/package/crds/apigateway.aws.upbound.io_restapipolicies.yaml
index 9b74fa201a..92e800af79 100644
--- a/package/crds/apigateway.aws.upbound.io_restapipolicies.yaml
+++ b/package/crds/apigateway.aws.upbound.io_restapipolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,9 +155,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,6 +343,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: RestAPIPolicyStatus defines the observed state of RestAPIPolicy.
             properties:
@@ -333,6 +354,13 @@ spec:
                   id:
                     description: ID of the REST API
                     type: string
+                  policy:
+                    description: JSON formatted policy document that controls access
+                      to the API Gateway
+                    type: string
+                  restApiId:
+                    description: ID of the REST API.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_restapis.yaml b/package/crds/apigateway.aws.upbound.io_restapis.yaml
index 8b952d648e..ce48bc213a 100644
--- a/package/crds/apigateway.aws.upbound.io_restapis.yaml
+++ b/package/crds/apigateway.aws.upbound.io_restapis.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -189,9 +193,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -363,17 +381,98 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RestAPIStatus defines the observed state of RestAPI.
             properties:
               atProvider:
                 properties:
+                  apiKeySource:
+                    description: Source of the API key for requests. Valid values
+                      are HEADER (default) and AUTHORIZER. If importing an OpenAPI
+                      specification via the body argument, this corresponds to the
+                      x-amazon-apigateway-api-key-source extension. If the argument
+                      value is provided and is different than the OpenAPI value, the
+                      argument value will override the OpenAPI value.
+                    type: string
                   arn:
                     description: ARN
                     type: string
+                  binaryMediaTypes:
+                    description: List of binary media types supported by the REST
+                      API. By default, the REST API supports only UTF-8-encoded text
+                      payloads. If importing an OpenAPI specification via the body
+                      argument, this corresponds to the x-amazon-apigateway-binary-media-types
+                      extension. If the argument value is provided and is different
+                      than the OpenAPI value, the argument value will override the
+                      OpenAPI value.
+                    items:
+                      type: string
+                    type: array
+                  body:
+                    description: OpenAPI specification that defines the set of routes
+                      and integrations to create as part of the REST API. This configuration,
+                      and any updates to it, will replace all REST API configuration
+                      except values overridden in this resource configuration and
+                      other resource updates applied after this resource but before
+                      any aws_api_gateway_deployment creation. More information about
+                      REST API OpenAPI support can be found in the API Gateway Developer
+                      Guide.
+                    type: string
                   createdDate:
                     description: Creation date of the REST API
                     type: string
+                  description:
+                    description: Description of the REST API. If importing an OpenAPI
+                      specification via the body argument, this corresponds to the
+                      info.description field. If the argument value is provided and
+                      is different than the OpenAPI value, the argument value will
+                      override the OpenAPI value.
+                    type: string
+                  disableExecuteApiEndpoint:
+                    description: Whether clients can invoke your API by using the
+                      default execute-api endpoint. By default, clients can invoke
+                      your API with the default https://{api_id}.execute-api.{region}.amazonaws.com
+                      endpoint. To require that clients use a custom domain name to
+                      invoke your API, disable the default endpoint. Defaults to false.
+                      If importing an OpenAPI specification via the body argument,
+                      this corresponds to the x-amazon-apigateway-endpoint-configuration
+                      extension disableExecuteApiEndpoint property. If the argument
+                      value is true and is different than the OpenAPI value, the argument
+                      value will override the OpenAPI value.
+                    type: boolean
+                  endpointConfiguration:
+                    description: Configuration block defining API endpoint configuration
+                      including endpoint type. Defined below.
+                    items:
+                      properties:
+                        types:
+                          description: 'List of endpoint types. This resource currently
+                            only supports managing a single value. Valid values: EDGE,
+                            REGIONAL or PRIVATE. If unspecified, defaults to EDGE.
+                            If set to PRIVATE recommend to set put_rest_api_mode =
+                            merge to not cause the endpoints and associated Route53
+                            records to be deleted. Refer to the documentation for
+                            more information on the difference between edge-optimized
+                            and regional APIs.'
+                          items:
+                            type: string
+                          type: array
+                        vpcEndpointIds:
+                          description: Set of VPC Endpoint identifiers. It is only
+                            supported for PRIVATE endpoint type. If importing an OpenAPI
+                            specification via the body argument, this corresponds
+                            to the x-amazon-apigateway-endpoint-configuration extension
+                            vpcEndpointIds property. If the argument value is provided
+                            and is different than the OpenAPI value, the argument
+                            value will override the OpenAPI value.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   executionArn:
                     description: Execution ARN part to be used in lambda_permission's
                       source_arn when allowing API Gateway to invoke a Lambda function,
@@ -384,6 +483,31 @@ spec:
                   id:
                     description: ID of the REST API
                     type: string
+                  minimumCompressionSize:
+                    description: Minimum response size to compress for the REST API.
+                      Integer between -1 and 10485760 (10MB). Setting a value greater
+                      than -1 will enable compression, -1 disables compression (default).
+                      If importing an OpenAPI specification via the body argument,
+                      this corresponds to the x-amazon-apigateway-minimum-compression-size
+                      extension. If the argument value (except -1) is provided and
+                      is different than the OpenAPI value, the argument value will
+                      override the OpenAPI value.
+                    type: number
+                  name:
+                    description: Name of the REST API. If importing an OpenAPI specification
+                      via the body argument, this corresponds to the info.title field.
+                      If the argument value is different than the OpenAPI value, the
+                      argument value will override the OpenAPI value.
+                    type: string
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: Map of customizations for importing the specification
+                      in the body argument. For example, to exclude DocumentationParts
+                      from an imported API, set ignore equal to documentation. Additional
+                      documentation, including other parameters such as basepath,
+                      can be found in the API Gateway Developer Guide.
+                    type: object
                   policy:
                     description: JSON formatted policy document that controls access
                       to the API Gateway. We recommend using the aws_api_gateway_rest_api_policy
@@ -393,9 +517,24 @@ spec:
                       than the OpenAPI value, the argument value will override the
                       OpenAPI value.
                     type: string
+                  putRestApiMode:
+                    description: Mode of the PutRestApi operation when importing an
+                      OpenAPI specification via the body argument (create or update
+                      operation). Valid values are merge and overwrite. If unspecificed,
+                      defaults to overwrite (for backwards compatibility). This corresponds
+                      to the x-amazon-apigateway-put-integration-method extension.
+                      If the argument value is provided and is different than the
+                      OpenAPI value, the argument value will override the OpenAPI
+                      value.
+                    type: string
                   rootResourceId:
                     description: Resource ID of the REST API's root
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apigateway.aws.upbound.io_stages.yaml b/package/crds/apigateway.aws.upbound.io_stages.yaml
index 952be1f3fb..c6272d8916 100644
--- a/package/crds/apigateway.aws.upbound.io_stages.yaml
+++ b/package/crds/apigateway.aws.upbound.io_stages.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -303,8 +307,22 @@ spec:
                     type: boolean
                 required:
                 - region
-                - stageName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -476,14 +494,77 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: stageName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stageName)
           status:
             description: StageStatus defines the observed state of Stage.
             properties:
               atProvider:
                 properties:
+                  accessLogSettings:
+                    description: Enables access logs for the API stage. See Access
+                      Log Settings below.
+                    items:
+                      properties:
+                        destinationArn:
+                          description: ARN of the CloudWatch Logs log group or Kinesis
+                            Data Firehose delivery stream to receive access logs.
+                            If you specify a Kinesis Data Firehose delivery stream,
+                            the stream name must begin with amazon-apigateway-. Automatically
+                            removes trailing :* if present.
+                          type: string
+                        format:
+                          description: Formatting and values recorded in the logs.
+                            For more information on configuring the log format rules
+                            visit the AWS documentation
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: ARN
                     type: string
+                  cacheClusterEnabled:
+                    description: Whether a cache cluster is enabled for the stage
+                    type: boolean
+                  cacheClusterSize:
+                    description: Size of the cache cluster for the stage, if enabled.
+                      Allowed values include 0.5, 1.6, 6.1, 13.5, 28.4, 58.2, 118
+                      and 237.
+                    type: string
+                  canarySettings:
+                    description: Configuration settings of a canary deployment. See
+                      Canary Settings below.
+                    items:
+                      properties:
+                        percentTraffic:
+                          description: Percent 0.0 - 100.0 of traffic to divert to
+                            the canary deployment.
+                          type: number
+                        stageVariableOverrides:
+                          additionalProperties:
+                            type: string
+                          description: Map of overridden stage variables (including
+                            new variables) for the canary deployment.
+                          type: object
+                        useStageCache:
+                          description: Whether the canary deployment uses the stage
+                            cache. Defaults to false.
+                          type: boolean
+                      type: object
+                    type: array
+                  clientCertificateId:
+                    description: Identifier of a client certificate for the stage.
+                    type: string
+                  deploymentId:
+                    description: ID of the deployment that the stage points to
+                    type: string
+                  description:
+                    description: Description of the stage.
+                    type: string
+                  documentationVersion:
+                    description: Version of the associated API documentation
+                    type: string
                   executionArn:
                     description: Execution ARN to be used in lambda_permission's source_arn
                       when allowing API Gateway to invoke a Lambda function, e.g.,
@@ -496,15 +577,35 @@ spec:
                     description: URL to invoke the API pointing to the stage, e.g.,
                       https://z4675bid1j.execute-api.eu-west-2.amazonaws.com/prod
                     type: string
+                  restApiId:
+                    description: ID of the associated REST API
+                    type: string
+                  stageName:
+                    description: Name of the stage
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  variables:
+                    additionalProperties:
+                      type: string
+                    description: Map that defines the stage variables
+                    type: object
                   webAclArn:
                     description: ARN of the WebAcl associated with the Stage.
                     type: string
+                  xrayTracingEnabled:
+                    description: Whether active tracing with X-ray is enabled. Defaults
+                      to false.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_usageplankeys.yaml b/package/crds/apigateway.aws.upbound.io_usageplankeys.yaml
index 5ba8ac390b..9cd4445be5 100644
--- a/package/crds/apigateway.aws.upbound.io_usageplankeys.yaml
+++ b/package/crds/apigateway.aws.upbound.io_usageplankeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,9 +232,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - keyType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,6 +420,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: keyType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyType)
           status:
             description: UsagePlanKeyStatus defines the observed state of UsagePlanKey.
             properties:
@@ -410,9 +431,20 @@ spec:
                   id:
                     description: ID of a usage plan key.
                     type: string
+                  keyId:
+                    description: Identifier of the API key resource.
+                    type: string
+                  keyType:
+                    description: Type of the API key resource. Currently, the valid
+                      key type is API_KEY.
+                    type: string
                   name:
                     description: Name of a usage plan key.
                     type: string
+                  usagePlanId:
+                    description: Id of the usage plan resource representing to associate
+                      the key to.
+                    type: string
                   value:
                     description: Value of a usage plan key.
                     type: string
diff --git a/package/crds/apigateway.aws.upbound.io_usageplans.yaml b/package/crds/apigateway.aws.upbound.io_usageplans.yaml
index fbc961a25f..04aff84d67 100644
--- a/package/crds/apigateway.aws.upbound.io_usageplans.yaml
+++ b/package/crds/apigateway.aws.upbound.io_usageplans.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -311,9 +315,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -485,23 +503,107 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: UsagePlanStatus defines the observed state of UsagePlan.
             properties:
               atProvider:
                 properties:
+                  apiStages:
+                    description: Associated API stages of the usage plan.
+                    items:
+                      properties:
+                        apiId:
+                          description: API Id of the associated API stage in a usage
+                            plan.
+                          type: string
+                        stage:
+                          description: API stage name of the associated API stage
+                            in a usage plan.
+                          type: string
+                        throttle:
+                          description: The throttling limits of the usage plan.
+                          items:
+                            properties:
+                              burstLimit:
+                                description: The API request burst limit, the maximum
+                                  rate limit over a time ranging from one to a few
+                                  seconds, depending upon whether the underlying token
+                                  bucket is at its full capacity.
+                                type: number
+                              path:
+                                description: Method to apply the throttle settings
+                                  for. Specfiy the path and method, for example /test/GET.
+                                type: string
+                              rateLimit:
+                                description: The API request steady-state rate limit.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   arn:
                     description: ARN
                     type: string
+                  description:
+                    description: Description of a usage plan.
+                    type: string
                   id:
                     description: ID of the API resource
                     type: string
+                  name:
+                    description: Name of the usage plan.
+                    type: string
+                  productCode:
+                    description: AWS Marketplace product identifier to associate with
+                      the usage plan as a SaaS product on AWS Marketplace.
+                    type: string
+                  quotaSettings:
+                    description: The quota settings of the usage plan.
+                    items:
+                      properties:
+                        limit:
+                          description: Maximum number of requests that can be made
+                            in a given time period.
+                          type: number
+                        offset:
+                          description: Number of requests subtracted from the given
+                            limit in the initial time period.
+                          type: number
+                        period:
+                          description: Time period in which the limit applies. Valid
+                            values are "DAY", "WEEK" or "MONTH".
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  throttleSettings:
+                    description: The throttling limits of the usage plan.
+                    items:
+                      properties:
+                        burstLimit:
+                          description: The API request burst limit, the maximum rate
+                            limit over a time ranging from one to a few seconds, depending
+                            upon whether the underlying token bucket is at its full
+                            capacity.
+                          type: number
+                        rateLimit:
+                          description: The API request steady-state rate limit.
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigateway.aws.upbound.io_vpclinks.yaml b/package/crds/apigateway.aws.upbound.io_vpclinks.yaml
index 6741550af5..a1c87af6b8 100644
--- a/package/crds/apigateway.aws.upbound.io_vpclinks.yaml
+++ b/package/crds/apigateway.aws.upbound.io_vpclinks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -162,9 +166,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -336,6 +354,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: VPCLinkStatus defines the observed state of VPCLink.
             properties:
@@ -343,15 +364,32 @@ spec:
                 properties:
                   arn:
                     type: string
+                  description:
+                    description: Description of the VPC link.
+                    type: string
                   id:
                     description: Identifier of the VpcLink.
                     type: string
+                  name:
+                    description: Name used to label and identify the VPC link.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  targetArns:
+                    description: List of network load balancer arns in the VPC targeted
+                      by the VPC link. Currently AWS only supports 1 target.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_apimappings.yaml b/package/crds/apigatewayv2.aws.upbound.io_apimappings.yaml
index ea81a10133..35e222a163 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_apimappings.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_apimappings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -304,6 +308,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -480,9 +499,23 @@ spec:
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
+                  apiMappingKey:
+                    description: The API mapping key.
+                    type: string
+                  domainName:
+                    description: Domain name. Use the aws_apigatewayv2_domain_name
+                      resource to configure a domain name.
+                    type: string
                   id:
                     description: API mapping identifier.
                     type: string
+                  stage:
+                    description: API stage. Use the aws_apigatewayv2_stage resource
+                      to configure an API stage.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_apis.yaml b/package/crds/apigatewayv2.aws.upbound.io_apis.yaml
index b86766a531..aa2dfc9ade 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_apis.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_apis.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,10 +171,23 @@ spec:
                       and 64 characters in length.
                     type: string
                 required:
-                - name
-                - protocolType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -342,6 +359,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: protocolType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocolType)
           status:
             description: APIStatus defines the observed state of API.
             properties:
@@ -352,24 +374,122 @@ spec:
                       for HTTP APIs and wss://{api-id}.execute-api.{region}.amazonaws.com
                       for WebSocket APIs.
                     type: string
+                  apiKeySelectionExpression:
+                    description: 'An API key selection expression. Valid values: $context.authorizer.usageIdentifierKey,
+                      $request.header.x-api-key. Defaults to $request.header.x-api-key.
+                      Applicable for WebSocket APIs.'
+                    type: string
                   arn:
                     description: ARN of the API.
                     type: string
+                  body:
+                    description: An OpenAPI specification that defines the set of
+                      routes and integrations to create as part of the HTTP APIs.
+                      Supported only for HTTP APIs.
+                    type: string
+                  corsConfiguration:
+                    description: Cross-origin resource sharing (CORS) configuration.
+                      Applicable for HTTP APIs.
+                    items:
+                      properties:
+                        allowCredentials:
+                          description: Whether credentials are included in the CORS
+                            request.
+                          type: boolean
+                        allowHeaders:
+                          description: Set of allowed HTTP headers.
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: Set of allowed HTTP methods.
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: Set of allowed origins.
+                          items:
+                            type: string
+                          type: array
+                        exposeHeaders:
+                          description: Set of exposed HTTP headers.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: Number of seconds that the browser should cache
+                            preflight request results.
+                          type: number
+                      type: object
+                    type: array
+                  credentialsArn:
+                    description: Part of quick create. Specifies any credentials required
+                      for the integration. Applicable for HTTP APIs.
+                    type: string
+                  description:
+                    description: Description of the API. Must be less than or equal
+                      to 1024 characters in length.
+                    type: string
+                  disableExecuteApiEndpoint:
+                    description: Whether clients can invoke the API by using the default
+                      execute-api endpoint. By default, clients can invoke the API
+                      with the default {api_id}.execute-api.{region}.amazonaws.com
+                      endpoint. To require that clients use a custom domain name to
+                      invoke the API, disable the default endpoint.
+                    type: boolean
                   executionArn:
                     description: ARN prefix to be used in an aws_lambda_permission's
                       source_arn attribute or in an aws_iam_policy to authorize access
                       to the @connections API. See the Amazon API Gateway Developer
                       Guide for details.
                     type: string
+                  failOnWarnings:
+                    description: Whether warnings should return an error while API
+                      Gateway is creating or updating the resource using an OpenAPI
+                      specification. Defaults to false. Applicable for HTTP APIs.
+                    type: boolean
                   id:
                     description: API identifier.
                     type: string
+                  name:
+                    description: Name of the API. Must be less than or equal to 128
+                      characters in length.
+                    type: string
+                  protocolType:
+                    description: 'API protocol. Valid values: HTTP, WEBSOCKET.'
+                    type: string
+                  routeKey:
+                    description: Part of quick create. Specifies any route key. Applicable
+                      for HTTP APIs.
+                    type: string
+                  routeSelectionExpression:
+                    description: The route selection expression for the API. Defaults
+                      to $request.method $request.path.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  target:
+                    description: Part of quick create. Quick create produces an API
+                      with an integration, a default catch-all route, and a default
+                      stage which is configured to automatically deploy changes. For
+                      HTTP integrations, specify a fully qualified URL. For Lambda
+                      integrations, specify a function ARN. The type of the integration
+                      will be HTTP_PROXY or AWS_PROXY, respectively. Applicable for
+                      HTTP APIs.
+                    type: string
+                  version:
+                    description: Version identifier for the API. Must be between 1
+                      and 64 characters in length.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_authorizers.yaml b/package/crds/apigatewayv2.aws.upbound.io_authorizers.yaml
index 1a88c7bab1..009d0eccad 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_authorizers.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_authorizers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -284,10 +288,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - authorizerType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -459,14 +476,88 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authorizerType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorizerType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AuthorizerStatus defines the observed state of Authorizer.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
+                  authorizerCredentialsArn:
+                    description: Required credentials as an IAM role for API Gateway
+                      to invoke the authorizer. Supported only for REQUEST authorizers.
+                    type: string
+                  authorizerPayloadFormatVersion:
+                    description: 'Format of the payload sent to an HTTP API Lambda
+                      authorizer. Required for HTTP API Lambda authorizers. Valid
+                      values: 1.0, 2.0.'
+                    type: string
+                  authorizerResultTtlInSeconds:
+                    description: Time to live (TTL) for cached authorizer results,
+                      in seconds. If it equals 0, authorization caching is disabled.
+                      If it is greater than 0, API Gateway caches authorizer responses.
+                      The maximum value is 3600, or 1 hour. Defaults to 300. Supported
+                      only for HTTP API Lambda authorizers.
+                    type: number
+                  authorizerType:
+                    description: 'Authorizer type. Valid values: JWT, REQUEST. Specify
+                      REQUEST for a Lambda function using incoming request parameters.
+                      For HTTP APIs, specify JWT to use JSON Web Tokens.'
+                    type: string
+                  authorizerUri:
+                    description: Authorizer's Uniform Resource Identifier (URI). For
+                      REQUEST authorizers this must be a well-formed Lambda function
+                      URI, such as the invoke_arn attribute of the aws_lambda_function
+                      resource. Supported only for REQUEST authorizers. Must be between
+                      1 and 2048 characters in length.
+                    type: string
+                  enableSimpleResponses:
+                    description: Whether a Lambda authorizer returns a response in
+                      a simple format. If enabled, the Lambda authorizer can return
+                      a boolean value instead of an IAM policy. Supported only for
+                      HTTP APIs.
+                    type: boolean
                   id:
                     description: Authorizer identifier.
                     type: string
+                  identitySources:
+                    description: Identity sources for which authorization is requested.
+                      For REQUEST authorizers the value is a list of one or more mapping
+                      expressions of the specified request parameters. For JWT authorizers
+                      the single entry specifies where to extract the JSON Web Token
+                      (JWT) from inbound requests.
+                    items:
+                      type: string
+                    type: array
+                  jwtConfiguration:
+                    description: Configuration of a JWT authorizer. Required for the
+                      JWT authorizer type. Supported only for HTTP APIs.
+                    items:
+                      properties:
+                        audience:
+                          description: List of the intended recipients of the JWT.
+                            A valid JWT must provide an aud that matches at least
+                            one entry in this list.
+                          items:
+                            type: string
+                          type: array
+                        issuer:
+                          description: Base domain of the identity provider that issues
+                            JSON Web Tokens, such as the endpoint attribute of the
+                            aws_cognito_user_pool resource.
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: Name of the authorizer. Must be between 1 and 128
+                      characters in length.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_deployments.yaml b/package/crds/apigatewayv2.aws.upbound.io_deployments.yaml
index 39593361f3..16825eaada 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_deployments.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_deployments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,6 +155,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,9 +346,16 @@ spec:
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
                   autoDeployed:
                     description: Whether the deployment was automatically released.
                     type: boolean
+                  description:
+                    description: Description for the deployment resource. Must be
+                      less than or equal to 1024 characters in length.
+                    type: string
                   id:
                     description: Deployment identifier.
                     type: string
diff --git a/package/crds/apigatewayv2.aws.upbound.io_domainnames.yaml b/package/crds/apigatewayv2.aws.upbound.io_domainnames.yaml
index a5192e0330..b2d8967baa 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_domainnames.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_domainnames.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -203,9 +207,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - domainNameConfiguration
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -377,6 +395,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domainNameConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainNameConfiguration)
           status:
             description: DomainNameStatus defines the observed state of DomainName.
             properties:
@@ -392,10 +413,30 @@ spec:
                     description: Domain name configuration. See below.
                     items:
                       properties:
+                        certificateArn:
+                          description: ARN of an AWS-managed certificate that will
+                            be used by the endpoint for the domain name. AWS Certificate
+                            Manager is the only supported source. Use the aws_acm_certificate
+                            resource to configure an ACM certificate.
+                          type: string
+                        endpointType:
+                          description: 'Endpoint type. Valid values: REGIONAL.'
+                          type: string
                         hostedZoneId:
                           description: (Computed) Amazon Route 53 Hosted Zone ID of
                             the endpoint.
                           type: string
+                        ownershipVerificationCertificateArn:
+                          description: ARN of the AWS-issued certificate used to validate
+                            custom domain ownership (when certificate_arn is issued
+                            via an ACM Private CA or mutual_tls_authentication is
+                            configured with an ACM-imported certificate.)
+                          type: string
+                        securityPolicy:
+                          description: 'Transport Layer Security (TLS) version of
+                            the security policy for the domain name. Valid values:
+                            TLS_1_2.'
+                          type: string
                         targetDomainName:
                           description: (Computed) Target domain name.
                           type: string
@@ -404,6 +445,31 @@ spec:
                   id:
                     description: Domain name identifier.
                     type: string
+                  mutualTlsAuthentication:
+                    description: Mutual TLS authentication configuration for the domain
+                      name.
+                    items:
+                      properties:
+                        truststoreUri:
+                          description: Amazon S3 URL that specifies the truststore
+                            for mutual TLS authentication, for example, s3://bucket-name/key-name.
+                            The truststore can contain certificates from public or
+                            private certificate authorities. To update the truststore,
+                            upload a new version to S3, and then update your custom
+                            domain name to use the new version.
+                          type: string
+                        truststoreVersion:
+                          description: Version of the S3 object that contains the
+                            truststore. To specify a version, you must have versioning
+                            enabled for the S3 bucket.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apigatewayv2.aws.upbound.io_integrationresponses.yaml b/package/crds/apigatewayv2.aws.upbound.io_integrationresponses.yaml
index 999ddcabb5..8ca40f0246 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_integrationresponses.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_integrationresponses.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -239,9 +243,23 @@ spec:
                       response.
                     type: string
                 required:
-                - integrationResponseKey
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -413,14 +431,41 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: integrationResponseKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationResponseKey)
           status:
             description: IntegrationResponseStatus defines the observed state of IntegrationResponse.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
+                  contentHandlingStrategy:
+                    description: 'How to handle response payload content type conversions.
+                      Valid values: CONVERT_TO_BINARY, CONVERT_TO_TEXT.'
+                    type: string
                   id:
                     description: Integration response identifier.
                     type: string
+                  integrationId:
+                    description: Identifier of the aws_apigatewayv2_integration.
+                    type: string
+                  integrationResponseKey:
+                    description: Integration response key.
+                    type: string
+                  responseTemplates:
+                    additionalProperties:
+                      type: string
+                    description: Map of Velocity templates that are applied on the
+                      request payload based on the value of the Content-Type header
+                      sent by the client.
+                    type: object
+                  templateSelectionExpression:
+                    description: The template selection expression for the integration
+                      response.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_integrations.yaml b/package/crds/apigatewayv2.aws.upbound.io_integrations.yaml
index 15494aca1a..06eddf1464 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_integrations.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_integrations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -484,9 +488,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - integrationType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -658,18 +676,139 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: integrationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.integrationType)
           status:
             description: IntegrationStatus defines the observed state of Integration.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
+                  connectionId:
+                    description: ID of the VPC link for a private integration. Supported
+                      only for HTTP APIs. Must be between 1 and 1024 characters in
+                      length.
+                    type: string
+                  connectionType:
+                    description: 'Type of the network connection to the integration
+                      endpoint. Valid values: INTERNET, VPC_LINK. Default is INTERNET.'
+                    type: string
+                  contentHandlingStrategy:
+                    description: 'How to handle response payload content type conversions.
+                      Valid values: CONVERT_TO_BINARY, CONVERT_TO_TEXT. Supported
+                      only for WebSocket APIs.'
+                    type: string
+                  credentialsArn:
+                    description: Credentials required for the integration, if any.
+                    type: string
+                  description:
+                    description: Description of the integration.
+                    type: string
                   id:
                     description: Integration identifier.
                     type: string
+                  integrationMethod:
+                    description: Integration's HTTP method. Must be specified if integration_type
+                      is not MOCK.
+                    type: string
                   integrationResponseSelectionExpression:
                     description: The integration response selection expression for
                       the integration.
                     type: string
+                  integrationSubtype:
+                    description: AWS service action to invoke. Supported only for
+                      HTTP APIs when integration_type is AWS_PROXY. See the AWS service
+                      integration reference documentation for supported values. Must
+                      be between 1 and 128 characters in length.
+                    type: string
+                  integrationType:
+                    description: 'Integration type of an integration. Valid values:
+                      AWS (supported only for WebSocket APIs), AWS_PROXY, HTTP (supported
+                      only for WebSocket APIs), HTTP_PROXY, MOCK (supported only for
+                      WebSocket APIs). For an HTTP API private integration, use HTTP_PROXY.'
+                    type: string
+                  integrationUri:
+                    description: URI of the Lambda function for a Lambda proxy integration,
+                      when integration_type is AWS_PROXY. For an HTTP integration,
+                      specify a fully-qualified URL. For an HTTP API private integration,
+                      specify the ARN of an Application Load Balancer listener, Network
+                      Load Balancer listener, or AWS Cloud Map service.
+                    type: string
+                  passthroughBehavior:
+                    description: 'Pass-through behavior for incoming requests based
+                      on the Content-Type header in the request, and the available
+                      mapping templates specified as the request_templates attribute.
+                      Valid values: WHEN_NO_MATCH, WHEN_NO_TEMPLATES, NEVER. Default
+                      is WHEN_NO_MATCH. Supported only for WebSocket APIs.'
+                    type: string
+                  payloadFormatVersion:
+                    description: 'The format of the payload sent to an integration.
+                      Valid values: 1.0, 2.0. Default is 1.0.'
+                    type: string
+                  requestParameters:
+                    additionalProperties:
+                      type: string
+                    description: For WebSocket APIs, a key-value map specifying request
+                      parameters that are passed from the method request to the backend.
+                      For HTTP APIs with a specified integration_subtype, a key-value
+                      map specifying parameters that are passed to AWS_PROXY integrations.
+                      For HTTP APIs without a specified integration_subtype, a key-value
+                      map specifying how to transform HTTP requests before sending
+                      them to the backend. See the Amazon API Gateway Developer Guide
+                      for details.
+                    type: object
+                  requestTemplates:
+                    additionalProperties:
+                      type: string
+                    description: Map of Velocity templates that are applied on the
+                      request payload based on the value of the Content-Type header
+                      sent by the client. Supported only for WebSocket APIs.
+                    type: object
+                  responseParameters:
+                    description: Mappings to transform the HTTP response from a backend
+                      integration before returning the response to clients. Supported
+                      only for HTTP APIs.
+                    items:
+                      properties:
+                        mappings:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map. The key of this map identifies
+                            the location of the request parameter to change, and how
+                            to change it. The corresponding value specifies the new
+                            data for the parameter. See the Amazon API Gateway Developer
+                            Guide for details.
+                          type: object
+                        statusCode:
+                          description: HTTP status code in the range 200-599.
+                          type: string
+                      type: object
+                    type: array
+                  templateSelectionExpression:
+                    description: The template selection expression for the integration.
+                    type: string
+                  timeoutMilliseconds:
+                    description: Custom timeout between 50 and 29,000 milliseconds
+                      for WebSocket APIs and between 50 and 30,000 milliseconds for
+                      HTTP APIs. The default timeout is 29 seconds for WebSocket APIs
+                      and 30 seconds for HTTP APIs.
+                    type: number
+                  tlsConfig:
+                    description: TLS configuration for a private integration. Supported
+                      only for HTTP APIs.
+                    items:
+                      properties:
+                        serverNameToVerify:
+                          description: If you specify a server name, API Gateway uses
+                            it to verify the hostname on the integration's certificate.
+                            The server name is also included in the TLS handshake
+                            to support Server Name Indication (SNI) or virtual hosting.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_models.yaml b/package/crds/apigatewayv2.aws.upbound.io_models.yaml
index 07e599742f..1bb54c4571 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_models.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_models.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -162,11 +166,23 @@ spec:
                       in length.
                     type: string
                 required:
-                - contentType
-                - name
                 - region
-                - schema
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -338,14 +354,41 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: contentType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: schema is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schema)
           status:
             description: ModelStatus defines the observed state of Model.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
+                  contentType:
+                    description: The content-type for the model, for example, application/json.
+                      Must be between 1 and 256 characters in length.
+                    type: string
+                  description:
+                    description: Description of the model. Must be between 1 and 128
+                      characters in length.
+                    type: string
                   id:
                     description: Model identifier.
                     type: string
+                  name:
+                    description: Name of the model. Must be alphanumeric. Must be
+                      between 1 and 128 characters in length.
+                    type: string
+                  schema:
+                    description: Schema for the model. This should be a JSON schema
+                      draft 4 model. Must be less than or equal to 32768 characters
+                      in length.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_routeresponses.yaml b/package/crds/apigatewayv2.aws.upbound.io_routeresponses.yaml
index 3e7220c7d4..c30b59be7a 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_routeresponses.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_routeresponses.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -233,8 +237,22 @@ spec:
                     type: string
                 required:
                 - region
-                - routeResponseKey
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -406,14 +424,34 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: routeResponseKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeResponseKey)
           status:
             description: RouteResponseStatus defines the observed state of RouteResponse.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
                   id:
                     description: Route response identifier.
                     type: string
+                  modelSelectionExpression:
+                    description: The model selection expression for the route response.
+                    type: string
+                  responseModels:
+                    additionalProperties:
+                      type: string
+                    description: Response models for the route response.
+                    type: object
+                  routeId:
+                    description: Identifier of the aws_apigatewayv2_route.
+                    type: string
+                  routeResponseKey:
+                    description: Route response key.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_routes.yaml b/package/crds/apigatewayv2.aws.upbound.io_routes.yaml
index 3ae6bc78f9..7e86327b96 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_routes.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_routes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -360,8 +364,22 @@ spec:
                     type: object
                 required:
                 - region
-                - routeKey
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -533,14 +551,85 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: routeKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeKey)
           status:
             description: RouteStatus defines the observed state of Route.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API identifier.
+                    type: string
+                  apiKeyRequired:
+                    description: Boolean whether an API key is required for the route.
+                      Defaults to false. Supported only for WebSocket APIs.
+                    type: boolean
+                  authorizationScopes:
+                    description: Authorization scopes supported by this route. The
+                      scopes are used with a JWT authorizer to authorize the method
+                      invocation.
+                    items:
+                      type: string
+                    type: array
+                  authorizationType:
+                    description: Authorization type for the route. For WebSocket APIs,
+                      valid values are NONE for open access, AWS_IAM for using AWS
+                      IAM permissions, and CUSTOM for using a Lambda authorizer. For
+                      HTTP APIs, valid values are NONE for open access, JWT for using
+                      JSON Web Tokens, AWS_IAM for using AWS IAM permissions, and
+                      CUSTOM for using a Lambda authorizer. Defaults to NONE.
+                    type: string
+                  authorizerId:
+                    description: Identifier of the aws_apigatewayv2_authorizer resource
+                      to be associated with this route.
+                    type: string
                   id:
                     description: Route identifier.
                     type: string
+                  modelSelectionExpression:
+                    description: The model selection expression for the route. Supported
+                      only for WebSocket APIs.
+                    type: string
+                  operationName:
+                    description: Operation name for the route. Must be between 1 and
+                      64 characters in length.
+                    type: string
+                  requestModels:
+                    additionalProperties:
+                      type: string
+                    description: Request models for the route. Supported only for
+                      WebSocket APIs.
+                    type: object
+                  requestParameter:
+                    description: Request parameters for the route. Supported only
+                      for WebSocket APIs.
+                    items:
+                      properties:
+                        requestParameterKey:
+                          description: Request parameter key. This is a request data
+                            mapping parameter.
+                          type: string
+                        required:
+                          description: Boolean whether or not the parameter is required.
+                          type: boolean
+                      type: object
+                    type: array
+                  routeKey:
+                    description: Route key for the route. For HTTP APIs, the route
+                      key can be either $default, or a combination of an HTTP method
+                      and resource path, for example, GET /pets.
+                    type: string
+                  routeResponseSelectionExpression:
+                    description: The route response selection expression for the route.
+                      Supported only for WebSocket APIs.
+                    type: string
+                  target:
+                    description: Target for the route, of the form integrations/IntegrationID,
+                      where IntegrationID is the identifier of an aws_apigatewayv2_integration
+                      resource.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apigatewayv2.aws.upbound.io_stages.yaml b/package/crds/apigatewayv2.aws.upbound.io_stages.yaml
index 4117935abd..9c07649c93 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_stages.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_stages.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -327,6 +331,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -503,9 +522,73 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accessLogSettings:
+                    description: Settings for logging access in this stage. Use the
+                      aws_api_gateway_account resource to configure permissions for
+                      CloudWatch Logging.
+                    items:
+                      properties:
+                        destinationArn:
+                          description: ARN of the CloudWatch Logs log group to receive
+                            access logs. Any trailing :* is trimmed from the ARN.
+                          type: string
+                        format:
+                          description: Single line format of the access logs of data.
+                            Refer to log settings for HTTP or Websocket.
+                          type: string
+                      type: object
+                    type: array
+                  apiId:
+                    description: API identifier.
+                    type: string
                   arn:
                     description: ARN of the stage.
                     type: string
+                  autoDeploy:
+                    description: Whether updates to an API automatically trigger a
+                      new deployment. Defaults to false. Applicable for HTTP APIs.
+                    type: boolean
+                  clientCertificateId:
+                    description: Identifier of a client certificate for the stage.
+                      Use the aws_api_gateway_client_certificate resource to configure
+                      a client certificate. Supported only for WebSocket APIs.
+                    type: string
+                  defaultRouteSettings:
+                    description: Default route settings for the stage.
+                    items:
+                      properties:
+                        dataTraceEnabled:
+                          description: Whether data trace logging is enabled for the
+                            default route. Affects the log entries pushed to Amazon
+                            CloudWatch Logs. Defaults to false. Supported only for
+                            WebSocket APIs.
+                          type: boolean
+                        detailedMetricsEnabled:
+                          description: Whether detailed metrics are enabled for the
+                            default route. Defaults to false.
+                          type: boolean
+                        loggingLevel:
+                          description: 'Logging level for the default route. Affects
+                            the log entries pushed to Amazon CloudWatch Logs. Valid
+                            values: ERROR, INFO, OFF. Defaults to OFF. Supported only
+                            for WebSocket APIs.'
+                          type: string
+                        throttlingBurstLimit:
+                          description: Throttling burst limit for the default route.
+                          type: number
+                        throttlingRateLimit:
+                          description: Throttling rate limit for the default route.
+                          type: number
+                      type: object
+                    type: array
+                  deploymentId:
+                    description: Deployment identifier of the stage. Use the aws_apigatewayv2_deployment
+                      resource to configure a deployment.
+                    type: string
+                  description:
+                    description: Description for the stage. Must be less than or equal
+                      to 1024 characters in length.
+                    type: string
                   executionArn:
                     description: ARN prefix to be used in an aws_lambda_permission's
                       source_arn attribute. For WebSocket APIs this attribute can
@@ -521,6 +604,47 @@ spec:
                       wss://z4675bid1j.execute-api.eu-west-2.amazonaws.com/example-stage,
                       or https://z4675bid1j.execute-api.eu-west-2.amazonaws.com/
                     type: string
+                  routeSettings:
+                    description: Route settings for the stage.
+                    items:
+                      properties:
+                        dataTraceEnabled:
+                          description: Whether data trace logging is enabled for the
+                            route. Affects the log entries pushed to Amazon CloudWatch
+                            Logs. Defaults to false. Supported only for WebSocket
+                            APIs.
+                          type: boolean
+                        detailedMetricsEnabled:
+                          description: Whether detailed metrics are enabled for the
+                            route. Defaults to false.
+                          type: boolean
+                        loggingLevel:
+                          description: 'Logging level for the route. Affects the log
+                            entries pushed to Amazon CloudWatch Logs. Valid values:
+                            ERROR, INFO, OFF. Defaults to OFF. Supported only for
+                            WebSocket APIs.'
+                          type: string
+                        routeKey:
+                          description: Route key.
+                          type: string
+                        throttlingBurstLimit:
+                          description: Throttling burst limit for the route.
+                          type: number
+                        throttlingRateLimit:
+                          description: Throttling rate limit for the route.
+                          type: number
+                      type: object
+                    type: array
+                  stageVariables:
+                    additionalProperties:
+                      type: string
+                    description: Map that defines the stage variables for the stage.
+                    type: object
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apigatewayv2.aws.upbound.io_vpclinks.yaml b/package/crds/apigatewayv2.aws.upbound.io_vpclinks.yaml
index c468a8c380..0dd3750422 100644
--- a/package/crds/apigatewayv2.aws.upbound.io_vpclinks.yaml
+++ b/package/crds/apigatewayv2.aws.upbound.io_vpclinks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -242,9 +246,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -416,6 +434,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: VPCLinkStatus defines the observed state of VPCLink.
             properties:
@@ -427,6 +448,25 @@ spec:
                   id:
                     description: VPC Link identifier.
                     type: string
+                  name:
+                    description: Name of the VPC Link. Must be between 1 and 128 characters
+                      in length.
+                    type: string
+                  securityGroupIds:
+                    description: Security group IDs for the VPC Link.
+                    items:
+                      type: string
+                    type: array
+                  subnetIds:
+                    description: Subnet IDs for the VPC Link.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appautoscaling.aws.upbound.io_policies.yaml b/package/crds/appautoscaling.aws.upbound.io_policies.yaml
index 27434f0d2c..04e8350074 100644
--- a/package/crds/appautoscaling.aws.upbound.io_policies.yaml
+++ b/package/crds/appautoscaling.aws.upbound.io_policies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -464,6 +468,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -651,6 +670,161 @@ spec:
                     type: string
                   id:
                     type: string
+                  policyType:
+                    description: Policy type. Valid values are StepScaling and TargetTrackingScaling.
+                      Defaults to StepScaling. Certain services only support only
+                      one policy type. For more information see the Target Tracking
+                      Scaling Policies and Step Scaling Policies documentation.
+                    type: string
+                  resourceId:
+                    description: 'Resource type and unique identifier string for the
+                      resource associated with the scaling policy. Documentation can
+                      be found in the ResourceId parameter at: AWS Application Auto
+                      Scaling API Reference'
+                    type: string
+                  scalableDimension:
+                    description: 'Scalable dimension of the scalable target. Documentation
+                      can be found in the ScalableDimension parameter at: AWS Application
+                      Auto Scaling API Reference'
+                    type: string
+                  serviceNamespace:
+                    description: 'AWS service namespace of the scalable target. Documentation
+                      can be found in the ServiceNamespace parameter at: AWS Application
+                      Auto Scaling API Reference'
+                    type: string
+                  stepScalingPolicyConfiguration:
+                    description: Step scaling policy configuration, requires policy_type
+                      = "StepScaling" (default). See supported fields below.
+                    items:
+                      properties:
+                        adjustmentType:
+                          description: Whether the adjustment is an absolute number
+                            or a percentage of the current capacity. Valid values
+                            are ChangeInCapacity, ExactCapacity, and PercentChangeInCapacity.
+                          type: string
+                        cooldown:
+                          description: Amount of time, in seconds, after a scaling
+                            activity completes and before the next scaling activity
+                            can start.
+                          type: number
+                        metricAggregationType:
+                          description: Aggregation type for the policy's metrics.
+                            Valid values are "Minimum", "Maximum", and "Average".
+                            Without a value, AWS will treat the aggregation type as
+                            "Average".
+                          type: string
+                        minAdjustmentMagnitude:
+                          description: Minimum number to adjust your scalable dimension
+                            as a result of a scaling activity. If the adjustment type
+                            is PercentChangeInCapacity, the scaling policy changes
+                            the scalable dimension of the scalable target by this
+                            amount.
+                          type: number
+                        stepAdjustment:
+                          description: 'Set of adjustments that manage scaling. These
+                            have the following structure:'
+                          items:
+                            properties:
+                              metricIntervalLowerBound:
+                                description: Lower bound for the difference between
+                                  the alarm threshold and the CloudWatch metric. Without
+                                  a value, AWS will treat this bound as negative infinity.
+                                type: string
+                              metricIntervalUpperBound:
+                                description: Upper bound for the difference between
+                                  the alarm threshold and the CloudWatch metric. Without
+                                  a value, AWS will treat this bound as infinity.
+                                  The upper bound must be greater than the lower bound.
+                                type: string
+                              scalingAdjustment:
+                                description: Number of members by which to scale,
+                                  when the adjustment bounds are breached. A positive
+                                  value scales up. A negative value scales down.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  targetTrackingScalingPolicyConfiguration:
+                    description: Target tracking policy, requires policy_type = "TargetTrackingScaling".
+                      See supported fields below.
+                    items:
+                      properties:
+                        customizedMetricSpecification:
+                          description: 'Custom CloudWatch metric. Documentation can
+                            be found  at: AWS Customized Metric Specification. See
+                            supported fields below.'
+                          items:
+                            properties:
+                              dimensions:
+                                description: Configuration block(s) with the dimensions
+                                  of the metric if the metric was published with dimensions.
+                                  Detailed below.
+                                items:
+                                  properties:
+                                    name:
+                                      description: Name of the dimension.
+                                      type: string
+                                    value:
+                                      description: Value of the dimension.
+                                      type: string
+                                  type: object
+                                type: array
+                              metricName:
+                                description: Name of the metric.
+                                type: string
+                              namespace:
+                                description: Namespace of the metric.
+                                type: string
+                              statistic:
+                                description: 'Statistic of the metric. Valid values:
+                                  Average, Minimum, Maximum, SampleCount, and Sum.'
+                                type: string
+                              unit:
+                                description: Unit of the metric.
+                                type: string
+                            type: object
+                          type: array
+                        disableScaleIn:
+                          description: Whether scale in by the target tracking policy
+                            is disabled. If the value is true, scale in is disabled
+                            and the target tracking policy won't remove capacity from
+                            the scalable resource. Otherwise, scale in is enabled
+                            and the target tracking policy can remove capacity from
+                            the scalable resource. The default value is false.
+                          type: boolean
+                        predefinedMetricSpecification:
+                          description: Predefined metric. See supported fields below.
+                          items:
+                            properties:
+                              predefinedMetricType:
+                                description: Metric type.
+                                type: string
+                              resourceLabel:
+                                description: 'Reserved for future use if the predefined_metric_type
+                                  is not ALBRequestCountPerTarget. If the predefined_metric_type
+                                  is ALBRequestCountPerTarget, you must specify this
+                                  argument. Documentation can be found at: AWS Predefined
+                                  Scaling Metric Specification. Must be less than
+                                  or equal to 1023 characters in length.'
+                                type: string
+                            type: object
+                          type: array
+                        scaleInCooldown:
+                          description: Amount of time, in seconds, after a scale in
+                            activity completes before another scale in activity can
+                            start.
+                          type: number
+                        scaleOutCooldown:
+                          description: Amount of time, in seconds, after a scale out
+                            activity completes before another scale out activity can
+                            start.
+                          type: number
+                        targetValue:
+                          description: Target value for the metric.
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appautoscaling.aws.upbound.io_scheduledactions.yaml b/package/crds/appautoscaling.aws.upbound.io_scheduledactions.yaml
index 499cd63e5e..31e1456fe5 100644
--- a/package/crds/appautoscaling.aws.upbound.io_scheduledactions.yaml
+++ b/package/crds/appautoscaling.aws.upbound.io_scheduledactions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -353,11 +357,23 @@ spec:
                       or Pacific/Tahiti. Default is UTC.
                     type: string
                 required:
-                - name
                 - region
-                - scalableTargetAction
-                - schedule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -529,6 +545,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: scalableTargetAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scalableTargetAction)
+            - message: schedule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)
           status:
             description: ScheduledActionStatus defines the observed state of ScheduledAction.
             properties:
@@ -537,8 +560,67 @@ spec:
                   arn:
                     description: ARN of the scheduled action.
                     type: string
+                  endTime:
+                    description: Date and time for the scheduled action to end in
+                      RFC 3339 format. The timezone is not affected by the setting
+                      of timezone.
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: Name of the scheduled action.
+                    type: string
+                  resourceId:
+                    description: 'Identifier of the resource associated with the scheduled
+                      action. Documentation can be found in the ResourceId parameter
+                      at: AWS Application Auto Scaling API Reference'
+                    type: string
+                  scalableDimension:
+                    description: 'Scalable dimension. Documentation can be found in
+                      the ScalableDimension parameter at: AWS Application Auto Scaling
+                      API Reference Example: ecs:service:DesiredCount'
+                    type: string
+                  scalableTargetAction:
+                    description: New minimum and maximum capacity. You can set both
+                      values or just one. See below
+                    items:
+                      properties:
+                        maxCapacity:
+                          description: Maximum capacity. At least one of max_capacity
+                            or min_capacity must be set.
+                          type: string
+                        minCapacity:
+                          description: Minimum capacity. At least one of min_capacity
+                            or max_capacity must be set.
+                          type: string
+                      type: object
+                    type: array
+                  schedule:
+                    description: 'Schedule for this action. The following formats
+                      are supported: At expressions - at(yyyy-mm-ddThh:mm:ss), Rate
+                      expressions - rate(valueunit), Cron expressions - cron(fields).
+                      Times for at expressions and cron expressions are evaluated
+                      using the time zone configured in timezone. Documentation can
+                      be found in the Timezone parameter at: AWS Application Auto
+                      Scaling API Reference'
+                    type: string
+                  serviceNamespace:
+                    description: 'Namespace of the AWS service. Documentation can
+                      be found in the ServiceNamespace parameter at: AWS Application
+                      Auto Scaling API Reference Example: ecs'
+                    type: string
+                  startTime:
+                    description: Date and time for the scheduled action to start in
+                      RFC 3339 format. The timezone is not affected by the setting
+                      of timezone.
+                    type: string
+                  timezone:
+                    description: Time zone used when setting a scheduled action by
+                      using an at or cron expression. Does not affect timezone for
+                      start_time and end_time. Valid values are the canonical names
+                      of the IANA time zones supported by Joda-Time, such as Etc/GMT+9
+                      or Pacific/Tahiti. Default is UTC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appautoscaling.aws.upbound.io_targets.yaml b/package/crds/appautoscaling.aws.upbound.io_targets.yaml
index c8482459fa..2b6b13db89 100644
--- a/package/crds/appautoscaling.aws.upbound.io_targets.yaml
+++ b/package/crds/appautoscaling.aws.upbound.io_targets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -172,13 +176,26 @@ spec:
                       Auto Scaling API Reference'
                     type: string
                 required:
-                - maxCapacity
-                - minCapacity
                 - region
                 - resourceId
                 - scalableDimension
                 - serviceNamespace
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -350,6 +367,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: maxCapacity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxCapacity)
+            - message: minCapacity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.minCapacity)
           status:
             description: TargetStatus defines the observed state of Target.
             properties:
@@ -357,6 +379,36 @@ spec:
                 properties:
                   id:
                     type: string
+                  maxCapacity:
+                    description: Max capacity of the scalable target.
+                    type: number
+                  minCapacity:
+                    description: Min capacity of the scalable target.
+                    type: number
+                  resourceId:
+                    description: 'Resource type and unique identifier string for the
+                      resource associated with the scaling policy. Documentation can
+                      be found in the ResourceId parameter at: AWS Application Auto
+                      Scaling API Reference'
+                    type: string
+                  roleArn:
+                    description: ARN of the IAM role that allows Application AutoScaling
+                      to modify your scalable target on your behalf. This defaults
+                      to an IAM Service-Linked Role for most services and custom IAM
+                      Roles are ignored by the API for those namespaces. See the AWS
+                      Application Auto Scaling documentation for more information
+                      about how this service interacts with IAM.
+                    type: string
+                  scalableDimension:
+                    description: 'Scalable dimension of the scalable target. Documentation
+                      can be found in the ScalableDimension parameter at: AWS Application
+                      Auto Scaling API Reference'
+                    type: string
+                  serviceNamespace:
+                    description: 'AWS service namespace of the scalable target. Documentation
+                      can be found in the ServiceNamespace parameter at: AWS Application
+                      Auto Scaling API Reference'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appconfig.aws.upbound.io_applications.yaml b/package/crds/appconfig.aws.upbound.io_applications.yaml
index 7e15482b43..27a7f45b94 100644
--- a/package/crds/appconfig.aws.upbound.io_applications.yaml
+++ b/package/crds/appconfig.aws.upbound.io_applications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,9 +86,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ApplicationStatus defines the observed state of Application.
             properties:
@@ -264,9 +285,22 @@ spec:
                   arn:
                     description: ARN of the AppConfig Application.
                     type: string
+                  description:
+                    description: Description of the application. Can be at most 1024
+                      characters.
+                    type: string
                   id:
                     description: AppConfig application ID.
                     type: string
+                  name:
+                    description: Name for the application. Must be between 1 and 64
+                      characters in length.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appconfig.aws.upbound.io_configurationprofiles.yaml b/package/crds/appconfig.aws.upbound.io_configurationprofiles.yaml
index 46f10f4020..33d996286f 100644
--- a/package/crds/appconfig.aws.upbound.io_configurationprofiles.yaml
+++ b/package/crds/appconfig.aws.upbound.io_configurationprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -288,10 +292,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - locationUri
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -463,28 +480,84 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: locationUri is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.locationUri)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ConfigurationProfileStatus defines the observed state of
               ConfigurationProfile.
             properties:
               atProvider:
                 properties:
+                  applicationId:
+                    description: Application ID. Must be between 4 and 7 characters
+                      in length.
+                    type: string
                   arn:
                     description: ARN of the AppConfig Configuration Profile.
                     type: string
                   configurationProfileId:
                     description: The configuration profile ID.
                     type: string
+                  description:
+                    description: Description of the configuration profile. Can be
+                      at most 1024 characters.
+                    type: string
                   id:
                     description: AppConfig configuration profile ID and application
                       ID separated by a colon (:).
                     type: string
+                  locationUri:
+                    description: 'URI to locate the configuration. You can specify
+                      the AWS AppConfig hosted configuration store, Systems Manager
+                      (SSM) document, an SSM Parameter Store parameter, or an Amazon
+                      S3 object. For the hosted configuration store, specify hosted.
+                      For an SSM document, specify either the document name in the
+                      format ssm-document://<Document_name> or the ARN. For a parameter,
+                      specify either the parameter name in the format ssm-parameter://<Parameter_name>
+                      or the ARN. For an Amazon S3 object, specify the URI in the
+                      following format: s3://<bucket>/<objectKey>.'
+                    type: string
+                  name:
+                    description: Name for the configuration profile. Must be between
+                      1 and 64 characters in length.
+                    type: string
+                  retrievalRoleArn:
+                    description: ARN of an IAM role with permission to access the
+                      configuration at the specified location_uri. A retrieval role
+                      ARN is not required for configurations stored in the AWS AppConfig
+                      hosted configuration store. It is required for all other sources
+                      that store your configuration.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  type:
+                    description: 'Type of configurations contained in the profile.
+                      Valid values: AWS.AppConfig.FeatureFlags and AWS.Freeform.  Default:
+                      AWS.Freeform.'
+                    type: string
+                  validator:
+                    description: Set of methods for validating the configuration.
+                      Maximum of 2. See Validator below for more details.
+                    items:
+                      properties:
+                        type:
+                          description: 'Type of validator. Valid values: JSON_SCHEMA
+                            and LAMBDA.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appconfig.aws.upbound.io_deployments.yaml b/package/crds/appconfig.aws.upbound.io_deployments.yaml
index 50ceb684cc..28966b6562 100644
--- a/package/crds/appconfig.aws.upbound.io_deployments.yaml
+++ b/package/crds/appconfig.aws.upbound.io_deployments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -475,6 +479,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -651,12 +670,36 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applicationId:
+                    description: Application ID. Must be between 4 and 7 characters
+                      in length.
+                    type: string
                   arn:
                     description: ARN of the AppConfig Deployment.
                     type: string
+                  configurationProfileId:
+                    description: Configuration profile ID. Must be between 4 and 7
+                      characters in length.
+                    type: string
+                  configurationVersion:
+                    description: Configuration version to deploy. Can be at most 1024
+                      characters.
+                    type: string
                   deploymentNumber:
                     description: Deployment number.
                     type: number
+                  deploymentStrategyId:
+                    description: Deployment strategy ID or name of a predefined deployment
+                      strategy. See Predefined Deployment Strategies for more details.
+                    type: string
+                  description:
+                    description: Description of the deployment. Can be at most 1024
+                      characters.
+                    type: string
+                  environmentId:
+                    description: Environment ID. Must be between 4 and 7 characters
+                      in length.
+                    type: string
                   id:
                     description: AppConfig application ID, environment ID, and deployment
                       number separated by a slash (/).
@@ -664,6 +707,11 @@ spec:
                   state:
                     description: State of the deployment.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appconfig.aws.upbound.io_deploymentstrategies.yaml b/package/crds/appconfig.aws.upbound.io_deploymentstrategies.yaml
index 4887ebae57..0c842b12fb 100644
--- a/package/crds/appconfig.aws.upbound.io_deploymentstrategies.yaml
+++ b/package/crds/appconfig.aws.upbound.io_deploymentstrategies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -105,12 +109,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - deploymentDurationInMinutes
-                - growthFactor
-                - name
                 - region
-                - replicateTo
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -282,6 +297,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: deploymentDurationInMinutes is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deploymentDurationInMinutes)
+            - message: growthFactor is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.growthFactor)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: replicateTo is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicateTo)
           status:
             description: DeploymentStrategyStatus defines the observed state of DeploymentStrategy.
             properties:
@@ -290,9 +314,45 @@ spec:
                   arn:
                     description: ARN of the AppConfig Deployment Strategy.
                     type: string
+                  deploymentDurationInMinutes:
+                    description: Total amount of time for a deployment to last. Minimum
+                      value of 0, maximum value of 1440.
+                    type: number
+                  description:
+                    description: Description of the deployment strategy. Can be at
+                      most 1024 characters.
+                    type: string
+                  finalBakeTimeInMinutes:
+                    description: Amount of time AWS AppConfig monitors for alarms
+                      before considering the deployment to be complete and no longer
+                      eligible for automatic roll back. Minimum value of 0, maximum
+                      value of 1440.
+                    type: number
+                  growthFactor:
+                    description: Percentage of targets to receive a deployed configuration
+                      during each interval. Minimum value of 1.0, maximum value of
+                      100.0.
+                    type: number
+                  growthType:
+                    description: 'Algorithm used to define how percentage grows over
+                      time. Valid value: LINEAR and EXPONENTIAL. Defaults to LINEAR.'
+                    type: string
                   id:
                     description: AppConfig deployment strategy ID.
                     type: string
+                  name:
+                    description: Name for the deployment strategy. Must be between
+                      1 and 64 characters in length.
+                    type: string
+                  replicateTo:
+                    description: 'Where to save the deployment strategy. Valid values:
+                      NONE and SSM_DOCUMENT.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appconfig.aws.upbound.io_environments.yaml b/package/crds/appconfig.aws.upbound.io_environments.yaml
index 04b7294ad3..c5632cd25a 100644
--- a/package/crds/appconfig.aws.upbound.io_environments.yaml
+++ b/package/crds/appconfig.aws.upbound.io_environments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -330,9 +334,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -504,14 +522,25 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: EnvironmentStatus defines the observed state of Environment.
             properties:
               atProvider:
                 properties:
+                  applicationId:
+                    description: AppConfig application ID. Must be between 4 and 7
+                      characters in length.
+                    type: string
                   arn:
                     description: ARN of the AppConfig Environment.
                     type: string
+                  description:
+                    description: Description of the environment. Can be at most 1024
+                      characters.
+                    type: string
                   environmentId:
                     description: AppConfig environment ID.
                     type: string
@@ -519,10 +548,34 @@ spec:
                     description: AppConfig environment ID and application ID separated
                       by a colon (:).
                     type: string
+                  monitor:
+                    description: Set of Amazon CloudWatch alarms to monitor during
+                      the deployment process. Maximum of 5. See Monitor below for
+                      more details.
+                    items:
+                      properties:
+                        alarmArn:
+                          description: ARN of the Amazon CloudWatch alarm.
+                          type: string
+                        alarmRoleArn:
+                          description: ARN of an IAM role for AWS AppConfig to monitor
+                            alarm_arn.
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: Name for the environment. Must be between 1 and 64
+                      characters in length.
+                    type: string
                   state:
                     description: State of the environment. Possible values are READY_FOR_DEPLOYMENT,
                       DEPLOYING, ROLLING_BACK or ROLLED_BACK.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appconfig.aws.upbound.io_extensionassociations.yaml b/package/crds/appconfig.aws.upbound.io_extensionassociations.yaml
index 5fa0633364..192e479e8a 100644
--- a/package/crds/appconfig.aws.upbound.io_extensionassociations.yaml
+++ b/package/crds/appconfig.aws.upbound.io_extensionassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -233,6 +237,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -413,6 +432,9 @@ spec:
                   arn:
                     description: ARN of the AppConfig Extension Association.
                     type: string
+                  extensionArn:
+                    description: The ARN of the extension defined in the association.
+                    type: string
                   extensionVersion:
                     description: The version number for the extension defined in the
                       association.
@@ -420,6 +442,15 @@ spec:
                   id:
                     description: AppConfig Extension Association ID.
                     type: string
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: The parameter names and values defined for the association.
+                    type: object
+                  resourceArn:
+                    description: The ARN of the application, configuration profile,
+                      or environment to associate with the extension.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appconfig.aws.upbound.io_extensions.yaml b/package/crds/appconfig.aws.upbound.io_extensions.yaml
index 352a932d08..04870a05fe 100644
--- a/package/crds/appconfig.aws.upbound.io_extensions.yaml
+++ b/package/crds/appconfig.aws.upbound.io_extensions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -308,10 +312,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - actionPoint
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -483,17 +500,94 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: actionPoint is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actionPoint)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ExtensionStatus defines the observed state of Extension.
             properties:
               atProvider:
                 properties:
+                  actionPoint:
+                    description: The action points defined in the extension. Detailed
+                      below.
+                    items:
+                      properties:
+                        action:
+                          description: An action defines the tasks the extension performs
+                            during the AppConfig workflow. Detailed below.
+                          items:
+                            properties:
+                              description:
+                                description: Information about the action.
+                                type: string
+                              name:
+                                description: The action name.
+                                type: string
+                              roleArn:
+                                description: An Amazon Resource Name (ARN) for an
+                                  Identity and Access Management assume role.
+                                type: string
+                              uri:
+                                description: 'The extension URI associated to the
+                                  action point in the extension definition. The URI
+                                  can be an Amazon Resource Name (ARN) for one of
+                                  the following: an Lambda function, an Amazon Simple
+                                  Queue Service queue, an Amazon Simple Notification
+                                  Service topic, or the Amazon EventBridge default
+                                  event bus.'
+                                type: string
+                            type: object
+                          type: array
+                        point:
+                          description: The point at which to perform the defined actions.
+                            Valid points are PRE_CREATE_HOSTED_CONFIGURATION_VERSION,
+                            PRE_START_DEPLOYMENT, ON_DEPLOYMENT_START, ON_DEPLOYMENT_STEP,
+                            ON_DEPLOYMENT_BAKING, ON_DEPLOYMENT_COMPLETE, ON_DEPLOYMENT_ROLLED_BACK.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: ARN of the AppConfig Extension.
                     type: string
+                  description:
+                    description: Information about the extension.
+                    type: string
                   id:
                     description: AppConfig Extension ID.
                     type: string
+                  name:
+                    description: A name for the extension. Each extension name in
+                      your account must be unique. Extension versions use the same
+                      name.
+                    type: string
+                  parameter:
+                    description: The parameters accepted by the extension. You specify
+                      parameter values when you associate the extension to an AppConfig
+                      resource by using the CreateExtensionAssociation API action.
+                      For Lambda extension actions, these parameters are included
+                      in the Lambda request object. Detailed below.
+                    items:
+                      properties:
+                        description:
+                          description: Information about the parameter.
+                          type: string
+                        name:
+                          description: The parameter name.
+                          type: string
+                        required:
+                          description: Determines if a parameter value must be specified
+                            in the extension association.
+                          type: boolean
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appconfig.aws.upbound.io_hostedconfigurationversions.yaml b/package/crds/appconfig.aws.upbound.io_hostedconfigurationversions.yaml
index 54fe38c741..4279a8ad9c 100644
--- a/package/crds/appconfig.aws.upbound.io_hostedconfigurationversions.yaml
+++ b/package/crds/appconfig.aws.upbound.io_hostedconfigurationversions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -251,10 +255,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - contentSecretRef
-                - contentType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -426,15 +443,33 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: contentSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentSecretRef)
+            - message: contentType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentType)
           status:
             description: HostedConfigurationVersionStatus defines the observed state
               of HostedConfigurationVersion.
             properties:
               atProvider:
                 properties:
+                  applicationId:
+                    description: Application ID.
+                    type: string
                   arn:
                     description: ARN of the AppConfig  hosted configuration version.
                     type: string
+                  configurationProfileId:
+                    description: Configuration profile ID.
+                    type: string
+                  contentType:
+                    description: Standard MIME type describing the format of the configuration
+                      content. For more information, see Content-Type.
+                    type: string
+                  description:
+                    description: Description of the configuration.
+                    type: string
                   id:
                     description: AppConfig application ID, configuration profile ID,
                       and version number separated by a slash (/).
diff --git a/package/crds/appflow.aws.upbound.io_flows.yaml b/package/crds/appflow.aws.upbound.io_flows.yaml
index f192f9bc1f..f3dec8e2df 100644
--- a/package/crds/appflow.aws.upbound.io_flows.yaml
+++ b/package/crds/appflow.aws.upbound.io_flows.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1389,12 +1393,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - destinationFlowConfig
                 - region
-                - sourceFlowConfig
-                - task
-                - triggerConfig
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1566,6 +1581,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destinationFlowConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationFlowConfig)
+            - message: sourceFlowConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceFlowConfig)
+            - message: task is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.task)
+            - message: triggerConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.triggerConfig)
           status:
             description: FlowStatus defines the observed state of Flow.
             properties:
@@ -1574,14 +1598,1094 @@ spec:
                   arn:
                     description: Flow's ARN.
                     type: string
-                  id:
+                  description:
+                    description: Description of the flow you want to create.
                     type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: Map of tags assigned to the resource, including those
-                      inherited from the provider default_tags configuration block.
-                    type: object
+                  destinationFlowConfig:
+                    description: A Destination Flow Config that controls how Amazon
+                      AppFlow places data in the destination connector.
+                    items:
+                      properties:
+                        apiVersion:
+                          description: API version that the destination connector
+                            uses.
+                          type: string
+                        connectorProfileName:
+                          description: Name of the connector profile. This name must
+                            be unique for each connector profile in the AWS account.
+                          type: string
+                        connectorType:
+                          description: Type of connector, such as Salesforce, Amplitude,
+                            and so on. Valid values are Salesforce, Singular, Slack,
+                            Redshift, S3, Marketo, Googleanalytics, Zendesk, Servicenow,
+                            Datadog, Trendmicro, Snowflake, Dynatrace, Infornexus,
+                            Amplitude, Veeva, EventBridge, LookoutMetrics, Upsolver,
+                            Honeycode, CustomerProfiles, SAPOData, and CustomConnector.
+                          type: string
+                        destinationConnectorProperties:
+                          description: This stores the information that is required
+                            to query a particular connector. See Destination Connector
+                            Properties for more information.
+                          items:
+                            properties:
+                              customConnector:
+                                description: Properties that are required to query
+                                  the custom Connector. See Custom Connector Destination
+                                  Properties for more details.
+                                items:
+                                  properties:
+                                    customProperties:
+                                      additionalProperties:
+                                        type: string
+                                      description: Custom properties that are specific
+                                        to the connector when it's used as a destination
+                                        in the flow. Maximum of 50 items.
+                                      type: object
+                                    entityName:
+                                      description: Entity specified in the custom
+                                        connector as a destination in the flow.
+                                      type: string
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    idFieldNames:
+                                      description: Name of the field that Amazon AppFlow
+                                        uses as an ID when performing a write operation
+                                        such as update, delete, or upsert.
+                                      items:
+                                        type: string
+                                      type: array
+                                    writeOperationType:
+                                      description: Type of write operation to be performed
+                                        in the custom connector when it's used as
+                                        destination. Valid values are INSERT, UPSERT,
+                                        UPDATE, and DELETE.
+                                      type: string
+                                  type: object
+                                type: array
+                              customerProfiles:
+                                description: Properties that are required to query
+                                  Amazon Connect Customer Profiles. See Customer Profiles
+                                  Destination Properties for more details.
+                                items:
+                                  properties:
+                                    domainName:
+                                      description: Unique name of the Amazon Connect
+                                        Customer Profiles domain.
+                                      type: string
+                                    objectTypeName:
+                                      description: Object specified in the Amazon
+                                        Connect Customer Profiles flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              eventBridge:
+                                description: Properties that are required to query
+                                  Amazon EventBridge. See Generic Destination Properties
+                                  for more details.
+                                items:
+                                  properties:
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              honeycode:
+                                description: Properties that are required to query
+                                  Amazon Honeycode. See Generic Destination Properties
+                                  for more details.
+                                items:
+                                  properties:
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              lookoutMetrics:
+                                items:
+                                  type: object
+                                type: array
+                              marketo:
+                                description: Properties that are required to query
+                                  Marketo. See Generic Destination Properties for
+                                  more details.
+                                items:
+                                  properties:
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              redshift:
+                                description: Properties that are required to query
+                                  Amazon Redshift. See Redshift Destination Properties
+                                  for more details.
+                                items:
+                                  properties:
+                                    bucketPrefix:
+                                      description: Object key for the bucket in which
+                                        Amazon AppFlow places the destination files.
+                                      type: string
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    intermediateBucketName:
+                                      description: Intermediate bucket that Amazon
+                                        AppFlow uses when moving data into Amazon
+                                        Redshift.
+                                      type: string
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              s3:
+                                description: Properties that are required to query
+                                  Amazon S3. See S3 Destination Properties for more
+                                  details.
+                                items:
+                                  properties:
+                                    bucketName:
+                                      description: Amazon S3 bucket name in which
+                                        Amazon AppFlow places the transferred data.
+                                      type: string
+                                    bucketPrefix:
+                                      description: Object key for the bucket in which
+                                        Amazon AppFlow places the destination files.
+                                      type: string
+                                    s3OutputFormatConfig:
+                                      description: Configuration that determines how
+                                        Amazon AppFlow should format the flow output
+                                        data when Amazon S3 is used as the destination.
+                                        See S3 Output Format Config for more details.
+                                      items:
+                                        properties:
+                                          aggregationConfig:
+                                            description: Aggregation settings that
+                                              you can use to customize the output
+                                              format of your flow data. See Aggregation
+                                              Config for more details.
+                                            items:
+                                              properties:
+                                                aggregationType:
+                                                  description: Whether Amazon AppFlow
+                                                    aggregates the flow records into
+                                                    a single file, or leave them unaggregated.
+                                                    Valid values are None and SingleFile.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          fileType:
+                                            description: File type that Amazon AppFlow
+                                              places in the Amazon S3 bucket. Valid
+                                              values are CSV, JSON, and PARQUET.
+                                            type: string
+                                          prefixConfig:
+                                            description: Determines the prefix that
+                                              Amazon AppFlow applies to the folder
+                                              name in the Amazon S3 bucket. You can
+                                              name folders according to the flow frequency
+                                              and date. See Prefix Config for more
+                                              details.
+                                            items:
+                                              properties:
+                                                prefixFormat:
+                                                  description: Determines the level
+                                                    of granularity that's included
+                                                    in the prefix. Valid values are
+                                                    YEAR, MONTH, DAY, HOUR, and MINUTE.
+                                                  type: string
+                                                prefixType:
+                                                  description: Determines the format
+                                                    of the prefix, and whether it
+                                                    applies to the file name, file
+                                                    path, or both. Valid values are
+                                                    FILENAME, PATH, and PATH_AND_FILENAME.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              salesforce:
+                                description: Properties that are required to query
+                                  Salesforce. See Salesforce Destination Properties
+                                  for more details.
+                                items:
+                                  properties:
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    idFieldNames:
+                                      description: Name of the field that Amazon AppFlow
+                                        uses as an ID when performing a write operation
+                                        such as update, delete, or upsert.
+                                      items:
+                                        type: string
+                                      type: array
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                    writeOperationType:
+                                      description: Type of write operation to be performed
+                                        in the custom connector when it's used as
+                                        destination. Valid values are INSERT, UPSERT,
+                                        UPDATE, and DELETE.
+                                      type: string
+                                  type: object
+                                type: array
+                              sapoData:
+                                description: Properties that are required to query
+                                  SAPOData. See SAPOData Destination Properties for
+                                  more details.
+                                items:
+                                  properties:
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    idFieldNames:
+                                      description: Name of the field that Amazon AppFlow
+                                        uses as an ID when performing a write operation
+                                        such as update, delete, or upsert.
+                                      items:
+                                        type: string
+                                      type: array
+                                    objectPath:
+                                      description: Object path specified in the SAPOData
+                                        flow destination.
+                                      type: string
+                                    successResponseHandlingConfig:
+                                      description: Determines how Amazon AppFlow handles
+                                        the success response that it gets from the
+                                        connector after placing data. See Success
+                                        Response Handling Config for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    writeOperationType:
+                                      description: Type of write operation to be performed
+                                        in the custom connector when it's used as
+                                        destination. Valid values are INSERT, UPSERT,
+                                        UPDATE, and DELETE.
+                                      type: string
+                                  type: object
+                                type: array
+                              snowflake:
+                                description: Properties that are required to query
+                                  Snowflake. See Snowflake Destination Properties
+                                  for more details.
+                                items:
+                                  properties:
+                                    bucketPrefix:
+                                      description: Object key for the bucket in which
+                                        Amazon AppFlow places the destination files.
+                                      type: string
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    intermediateBucketName:
+                                      description: Intermediate bucket that Amazon
+                                        AppFlow uses when moving data into Amazon
+                                        Redshift.
+                                      type: string
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              upsolver:
+                                description: Properties that are required to query
+                                  Upsolver. See Upsolver Destination Properties for
+                                  more details.
+                                items:
+                                  properties:
+                                    bucketName:
+                                      description: Amazon S3 bucket name in which
+                                        Amazon AppFlow places the transferred data.
+                                      type: string
+                                    bucketPrefix:
+                                      description: Object key for the bucket in which
+                                        Amazon AppFlow places the destination files.
+                                      type: string
+                                    s3OutputFormatConfig:
+                                      description: Configuration that determines how
+                                        Amazon AppFlow should format the flow output
+                                        data when Amazon S3 is used as the destination.
+                                        See S3 Output Format Config for more details.
+                                      items:
+                                        properties:
+                                          aggregationConfig:
+                                            description: Aggregation settings that
+                                              you can use to customize the output
+                                              format of your flow data. See Aggregation
+                                              Config for more details.
+                                            items:
+                                              properties:
+                                                aggregationType:
+                                                  description: Whether Amazon AppFlow
+                                                    aggregates the flow records into
+                                                    a single file, or leave them unaggregated.
+                                                    Valid values are None and SingleFile.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          fileType:
+                                            description: File type that Amazon AppFlow
+                                              places in the Amazon S3 bucket. Valid
+                                              values are CSV, JSON, and PARQUET.
+                                            type: string
+                                          prefixConfig:
+                                            description: Determines the prefix that
+                                              Amazon AppFlow applies to the folder
+                                              name in the Amazon S3 bucket. You can
+                                              name folders according to the flow frequency
+                                              and date. See Prefix Config for more
+                                              details.
+                                            items:
+                                              properties:
+                                                prefixFormat:
+                                                  description: Determines the level
+                                                    of granularity that's included
+                                                    in the prefix. Valid values are
+                                                    YEAR, MONTH, DAY, HOUR, and MINUTE.
+                                                  type: string
+                                                prefixType:
+                                                  description: Determines the format
+                                                    of the prefix, and whether it
+                                                    applies to the file name, file
+                                                    path, or both. Valid values are
+                                                    FILENAME, PATH, and PATH_AND_FILENAME.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              zendesk:
+                                description: Properties that are required to query
+                                  Zendesk. See Zendesk Destination Properties for
+                                  more details.
+                                items:
+                                  properties:
+                                    errorHandlingConfig:
+                                      description: Settings that determine how Amazon
+                                        AppFlow handles an error when placing data
+                                        in the destination. See Error Handling Config
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bucketName:
+                                            description: Amazon S3 bucket name in
+                                              which Amazon AppFlow places the transferred
+                                              data.
+                                            type: string
+                                          bucketPrefix:
+                                            description: Object key for the bucket
+                                              in which Amazon AppFlow places the destination
+                                              files.
+                                            type: string
+                                          failOnFirstDestinationError:
+                                            description: If the flow should fail after
+                                              the first instance of a failure when
+                                              attempting to place data in the destination.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    idFieldNames:
+                                      description: Name of the field that Amazon AppFlow
+                                        uses as an ID when performing a write operation
+                                        such as update, delete, or upsert.
+                                      items:
+                                        type: string
+                                      type: array
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                    writeOperationType:
+                                      description: Type of write operation to be performed
+                                        in the custom connector when it's used as
+                                        destination. Valid values are INSERT, UPSERT,
+                                        UPDATE, and DELETE.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  id:
+                    type: string
+                  kmsArn:
+                    description: ARN (Amazon Resource Name) of the Key Management
+                      Service (KMS) key you provide for encryption. This is required
+                      if you do not want to use the Amazon AppFlow-managed KMS key.
+                      If you don't provide anything here, Amazon AppFlow uses the
+                      Amazon AppFlow-managed KMS key.
+                    type: string
+                  sourceFlowConfig:
+                    description: The Source Flow Config that controls how Amazon AppFlow
+                      retrieves data from the source connector.
+                    items:
+                      properties:
+                        apiVersion:
+                          description: API version that the destination connector
+                            uses.
+                          type: string
+                        connectorProfileName:
+                          description: Name of the connector profile. This name must
+                            be unique for each connector profile in the AWS account.
+                          type: string
+                        connectorType:
+                          description: Type of connector, such as Salesforce, Amplitude,
+                            and so on. Valid values are Salesforce, Singular, Slack,
+                            Redshift, S3, Marketo, Googleanalytics, Zendesk, Servicenow,
+                            Datadog, Trendmicro, Snowflake, Dynatrace, Infornexus,
+                            Amplitude, Veeva, EventBridge, LookoutMetrics, Upsolver,
+                            Honeycode, CustomerProfiles, SAPOData, and CustomConnector.
+                          type: string
+                        incrementalPullConfig:
+                          description: Defines the configuration for a scheduled incremental
+                            data pull. If a valid configuration is provided, the fields
+                            specified in the configuration are used when querying
+                            for the incremental data pull. See Incremental Pull Config
+                            for more details.
+                          items:
+                            properties:
+                              datetimeTypeFieldName:
+                                description: Field that specifies the date time or
+                                  timestamp field as the criteria to use when importing
+                                  incremental records from the source.
+                                type: string
+                            type: object
+                          type: array
+                        sourceConnectorProperties:
+                          description: Information that is required to query a particular
+                            source connector. See Source Connector Properties for
+                            details.
+                          items:
+                            properties:
+                              amplitude:
+                                description: Information that is required for querying
+                                  Amplitude. See Generic Source Properties for more
+                                  details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              customConnector:
+                                description: Properties that are required to query
+                                  the custom Connector. See Custom Connector Destination
+                                  Properties for more details.
+                                items:
+                                  properties:
+                                    customProperties:
+                                      additionalProperties:
+                                        type: string
+                                      description: Custom properties that are specific
+                                        to the connector when it's used as a destination
+                                        in the flow. Maximum of 50 items.
+                                      type: object
+                                    entityName:
+                                      description: Entity specified in the custom
+                                        connector as a destination in the flow.
+                                      type: string
+                                  type: object
+                                type: array
+                              datadog:
+                                description: Information that is required for querying
+                                  Datadog. See Generic Source Properties for more
+                                  details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              dynatrace:
+                                description: Operation to be performed on the provided
+                                  Dynatrace source fields. Valid values are PROJECTION,
+                                  BETWEEN, EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION,
+                                  SUBTRACTION, MASK_ALL, MASK_FIRST_N, MASK_LAST_N,
+                                  VALIDATE_NON_NULL, VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE,
+                                  VALIDATE_NUMERIC, and NO_OP.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              googleAnalytics:
+                                description: Operation to be performed on the provided
+                                  Google Analytics source fields. Valid values are
+                                  PROJECTION and BETWEEN.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              inforNexus:
+                                description: Information that is required for querying
+                                  Infor Nexus. See Generic Source Properties for more
+                                  details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              marketo:
+                                description: Properties that are required to query
+                                  Marketo. See Generic Destination Properties for
+                                  more details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              s3:
+                                description: Properties that are required to query
+                                  Amazon S3. See S3 Destination Properties for more
+                                  details.
+                                items:
+                                  properties:
+                                    bucketName:
+                                      description: Amazon S3 bucket name in which
+                                        Amazon AppFlow places the transferred data.
+                                      type: string
+                                    bucketPrefix:
+                                      description: Object key for the bucket in which
+                                        Amazon AppFlow places the destination files.
+                                      type: string
+                                    s3InputFormatConfig:
+                                      description: When you use Amazon S3 as the source,
+                                        the configuration format that you provide
+                                        the flow input data. See S3 Input Format Config
+                                        for details.
+                                      items:
+                                        properties:
+                                          s3InputFileType:
+                                            description: File type that Amazon AppFlow
+                                              gets from your Amazon S3 bucket. Valid
+                                              values are CSV and JSON.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              salesforce:
+                                description: Properties that are required to query
+                                  Salesforce. See Salesforce Destination Properties
+                                  for more details.
+                                items:
+                                  properties:
+                                    enableDynamicFieldUpdate:
+                                      description: Flag that enables dynamic fetching
+                                        of new (recently added) fields in the Salesforce
+                                        objects while running a flow.
+                                      type: boolean
+                                    includeDeletedRecords:
+                                      description: Whether Amazon AppFlow includes
+                                        deleted files in the flow run.
+                                      type: boolean
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              sapoData:
+                                description: Properties that are required to query
+                                  SAPOData. See SAPOData Destination Properties for
+                                  more details.
+                                items:
+                                  properties:
+                                    objectPath:
+                                      description: Object path specified in the SAPOData
+                                        flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              serviceNow:
+                                description: Information that is required for querying
+                                  ServiceNow. See Generic Source Properties for more
+                                  details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              singular:
+                                description: Information that is required for querying
+                                  Singular. See Generic Source Properties for more
+                                  details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              slack:
+                                description: Information that is required for querying
+                                  Slack. See Generic Source Properties for more details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              trendmicro:
+                                description: Operation to be performed on the provided
+                                  Trend Micro source fields. Valid values are PROJECTION,
+                                  EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION, SUBTRACTION,
+                                  MASK_ALL, MASK_FIRST_N, MASK_LAST_N, VALIDATE_NON_NULL,
+                                  VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE, VALIDATE_NUMERIC,
+                                  and NO_OP.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              veeva:
+                                description: Information that is required for querying
+                                  Veeva. See Veeva Source Properties for more details.
+                                items:
+                                  properties:
+                                    documentType:
+                                      description: Document type specified in the
+                                        Veeva document extract flow.
+                                      type: string
+                                    includeAllVersions:
+                                      description: Boolean value to include All Versions
+                                        of files in Veeva document extract flow.
+                                      type: boolean
+                                    includeRenditions:
+                                      description: Boolean value to include file renditions
+                                        in Veeva document extract flow.
+                                      type: boolean
+                                    includeSourceFiles:
+                                      description: Boolean value to include source
+                                        files in Veeva document extract flow.
+                                      type: boolean
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              zendesk:
+                                description: Properties that are required to query
+                                  Zendesk. See Zendesk Destination Properties for
+                                  more details.
+                                items:
+                                  properties:
+                                    object:
+                                      description: Object specified in the flow destination.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: Map of tags assigned to the resource, including those
+                      inherited from the provider default_tags configuration block.
+                    type: object
+                  task:
+                    description: A Task that Amazon AppFlow performs while transferring
+                      the data in the flow run.
+                    items:
+                      properties:
+                        connectorOperator:
+                          description: Operation to be performed on the provided source
+                            fields. See Connector Operator for details.
+                          items:
+                            properties:
+                              amplitude:
+                                description: Information that is required for querying
+                                  Amplitude. See Generic Source Properties for more
+                                  details.
+                                type: string
+                              customConnector:
+                                description: Properties that are required to query
+                                  the custom Connector. See Custom Connector Destination
+                                  Properties for more details.
+                                type: string
+                              datadog:
+                                description: Information that is required for querying
+                                  Datadog. See Generic Source Properties for more
+                                  details.
+                                type: string
+                              dynatrace:
+                                description: Operation to be performed on the provided
+                                  Dynatrace source fields. Valid values are PROJECTION,
+                                  BETWEEN, EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION,
+                                  SUBTRACTION, MASK_ALL, MASK_FIRST_N, MASK_LAST_N,
+                                  VALIDATE_NON_NULL, VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE,
+                                  VALIDATE_NUMERIC, and NO_OP.
+                                type: string
+                              googleAnalytics:
+                                description: Operation to be performed on the provided
+                                  Google Analytics source fields. Valid values are
+                                  PROJECTION and BETWEEN.
+                                type: string
+                              inforNexus:
+                                description: Information that is required for querying
+                                  Infor Nexus. See Generic Source Properties for more
+                                  details.
+                                type: string
+                              marketo:
+                                description: Properties that are required to query
+                                  Marketo. See Generic Destination Properties for
+                                  more details.
+                                type: string
+                              s3:
+                                description: Properties that are required to query
+                                  Amazon S3. See S3 Destination Properties for more
+                                  details.
+                                type: string
+                              salesforce:
+                                description: Properties that are required to query
+                                  Salesforce. See Salesforce Destination Properties
+                                  for more details.
+                                type: string
+                              sapoData:
+                                description: Properties that are required to query
+                                  SAPOData. See SAPOData Destination Properties for
+                                  more details.
+                                type: string
+                              serviceNow:
+                                description: Information that is required for querying
+                                  ServiceNow. See Generic Source Properties for more
+                                  details.
+                                type: string
+                              singular:
+                                description: Information that is required for querying
+                                  Singular. See Generic Source Properties for more
+                                  details.
+                                type: string
+                              slack:
+                                description: Information that is required for querying
+                                  Slack. See Generic Source Properties for more details.
+                                type: string
+                              trendmicro:
+                                description: Operation to be performed on the provided
+                                  Trend Micro source fields. Valid values are PROJECTION,
+                                  EQUAL_TO, ADDITION, MULTIPLICATION, DIVISION, SUBTRACTION,
+                                  MASK_ALL, MASK_FIRST_N, MASK_LAST_N, VALIDATE_NON_NULL,
+                                  VALIDATE_NON_ZERO, VALIDATE_NON_NEGATIVE, VALIDATE_NUMERIC,
+                                  and NO_OP.
+                                type: string
+                              veeva:
+                                description: Information that is required for querying
+                                  Veeva. See Veeva Source Properties for more details.
+                                type: string
+                              zendesk:
+                                description: Properties that are required to query
+                                  Zendesk. See Zendesk Destination Properties for
+                                  more details.
+                                type: string
+                            type: object
+                          type: array
+                        destinationField:
+                          description: Field in a destination connector, or a field
+                            value against which Amazon AppFlow validates a source
+                            field.
+                          type: string
+                        sourceFields:
+                          description: Source fields to which a particular task is
+                            applied.
+                          items:
+                            type: string
+                          type: array
+                        taskProperties:
+                          additionalProperties:
+                            type: string
+                          description: Map used to store task-related information.
+                            The execution service looks for particular information
+                            based on the TaskType. Valid keys are VALUE, VALUES, DATA_TYPE,
+                            UPPER_BOUND, LOWER_BOUND, SOURCE_DATA_TYPE, DESTINATION_DATA_TYPE,
+                            VALIDATION_ACTION, MASK_VALUE, MASK_LENGTH, TRUNCATE_LENGTH,
+                            MATH_OPERATION_FIELDS_ORDER, CONCAT_FORMAT, SUBFIELD_CATEGORY_MAP,
+                            and EXCLUDE_SOURCE_FIELDS_LIST.
+                          type: object
+                        taskType:
+                          description: Particular task implementation that Amazon
+                            AppFlow performs. Valid values are Arithmetic, Filter,
+                            Map, Map_all, Mask, Merge, Passthrough, Truncate, and
+                            Validate.
+                          type: string
+                      type: object
+                    type: array
+                  triggerConfig:
+                    description: A Trigger that determine how and when the flow runs.
+                    items:
+                      properties:
+                        triggerProperties:
+                          description: Configuration details of a schedule-triggered
+                            flow as defined by the user. Currently, these settings
+                            only apply to the Scheduled trigger type. See Scheduled
+                            Trigger Properties for details.
+                          items:
+                            properties:
+                              scheduled:
+                                items:
+                                  properties:
+                                    dataPullMode:
+                                      description: Whether a scheduled flow has an
+                                        incremental data transfer or a complete data
+                                        transfer for each flow run. Valid values are
+                                        Incremental and Complete.
+                                      type: string
+                                    firstExecutionFrom:
+                                      description: Date range for the records to import
+                                        from the connector in the first flow run.
+                                        Must be a valid RFC3339 timestamp.
+                                      type: string
+                                    scheduleEndTime:
+                                      description: Scheduled end time for a schedule-triggered
+                                        flow. Must be a valid RFC3339 timestamp.
+                                      type: string
+                                    scheduleExpression:
+                                      description: Scheduling expression that determines
+                                        the rate at which the schedule will run, for
+                                        example rate(5minutes).
+                                      type: string
+                                    scheduleOffset:
+                                      description: Optional offset that is added to
+                                        the time interval for a schedule-triggered
+                                        flow. Maximum value of 36000.
+                                      type: number
+                                    scheduleStartTime:
+                                      description: Scheduled start time for a schedule-triggered
+                                        flow. Must be a valid RFC3339 timestamp.
+                                      type: string
+                                    timezone:
+                                      description: Time zone used when referring to
+                                        the date and time of a scheduled-triggered
+                                        flow, such as America/New_York.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        triggerType:
+                          description: Type of flow trigger. Valid values are Scheduled,
+                            Event, and OnDemand.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appintegrations.aws.upbound.io_eventintegrations.yaml b/package/crds/appintegrations.aws.upbound.io_eventintegrations.yaml
index b0355a495e..86d6c3851d 100644
--- a/package/crds/appintegrations.aws.upbound.io_eventintegrations.yaml
+++ b/package/crds/appintegrations.aws.upbound.io_eventintegrations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -92,10 +96,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - eventFilter
-                - eventbridgeBus
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -267,6 +284,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: eventFilter is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventFilter)
+            - message: eventbridgeBus is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventbridgeBus)
           status:
             description: EventIntegrationStatus defines the observed state of EventIntegration.
             properties:
@@ -275,10 +297,31 @@ spec:
                   arn:
                     description: ARN of the Event Integration.
                     type: string
+                  description:
+                    description: Description of the Event Integration.
+                    type: string
+                  eventFilter:
+                    description: Block that defines the configuration information
+                      for the event filter. The Event Filter block is documented below.
+                    items:
+                      properties:
+                        source:
+                          description: Source of the events.
+                          type: string
+                      type: object
+                    type: array
+                  eventbridgeBus:
+                    description: EventBridge bus.
+                    type: string
                   id:
                     description: Identifier of the Event Integration which is the
                       name of the Event Integration.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/applicationinsights.aws.upbound.io_applications.yaml b/package/crds/applicationinsights.aws.upbound.io_applications.yaml
index 45d682bd99..72fa261b54 100644
--- a/package/crds/applicationinsights.aws.upbound.io_applications.yaml
+++ b/package/crds/applicationinsights.aws.upbound.io_applications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -104,6 +108,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -283,9 +302,42 @@ spec:
                   arn:
                     description: ARN of the Application.
                     type: string
+                  autoConfigEnabled:
+                    description: Indicates whether Application Insights automatically
+                      configures unmonitored resources in the resource group.
+                    type: boolean
+                  autoCreate:
+                    description: Configures all of the resources in the resource group
+                      by applying the recommended configurations.
+                    type: boolean
+                  cweMonitorEnabled:
+                    description: Indicates whether Application Insights can listen
+                      to CloudWatch events for the application resources, such as
+                      instance terminated, failed deployment, and others.
+                    type: boolean
+                  groupingType:
+                    description: Application Insights can create applications based
+                      on a resource group or on an account. To create an account-based
+                      application using all of the resources in the account, set this
+                      parameter to ACCOUNT_BASED.
+                    type: string
                   id:
                     description: Name of the resource group.
                     type: string
+                  opsCenterEnabled:
+                    description: When set to true, creates opsItems for any problems
+                      detected on an application.
+                    type: boolean
+                  opsItemSnsTopicArn:
+                    description: SNS topic provided to Application Insights that is
+                      associated to the created opsItem. Allows you to receive notifications
+                      for updates to the opsItem.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appmesh.aws.upbound.io_gatewayroutes.yaml b/package/crds/appmesh.aws.upbound.io_gatewayroutes.yaml
index 46221c43dc..6101a9f347 100644
--- a/package/crds/appmesh.aws.upbound.io_gatewayroutes.yaml
+++ b/package/crds/appmesh.aws.upbound.io_gatewayroutes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -538,11 +542,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - meshName
-                - name
                 - region
-                - spec
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -714,6 +730,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: meshName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.meshName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: spec is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)
           status:
             description: GatewayRouteStatus defines the observed state of GatewayRoute.
             properties:
@@ -731,15 +754,278 @@ spec:
                   lastUpdatedDate:
                     description: Last update date of the gateway route.
                     type: string
+                  meshName:
+                    description: Name of the service mesh in which to create the gateway
+                      route. Must be between 1 and 255 characters in length.
+                    type: string
+                  meshOwner:
+                    description: AWS account ID of the service mesh's owner. Defaults
+                      to the account ID the AWS provider is currently connected to.
+                    type: string
+                  name:
+                    description: Name to use for the gateway route. Must be between
+                      1 and 255 characters in length.
+                    type: string
                   resourceOwner:
                     description: Resource owner's AWS account ID.
                     type: string
+                  spec:
+                    description: Gateway route specification to apply.
+                    items:
+                      properties:
+                        grpcRoute:
+                          description: Specification of a gRPC gateway route.
+                          items:
+                            properties:
+                              action:
+                                description: Action to take if a match is determined.
+                                items:
+                                  properties:
+                                    target:
+                                      description: Target that traffic is routed to
+                                        when a request matches the gateway route.
+                                      items:
+                                        properties:
+                                          virtualService:
+                                            description: Virtual service gateway route
+                                              target.
+                                            items:
+                                              properties:
+                                                virtualServiceName:
+                                                  description: Name of the virtual
+                                                    service that traffic is routed
+                                                    to. Must be between 1 and 255
+                                                    characters in length.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              match:
+                                description: Criteria for determining a request match.
+                                items:
+                                  properties:
+                                    port:
+                                      description: The port number to match from the
+                                        request.
+                                      type: number
+                                    serviceName:
+                                      description: Fully qualified domain name for
+                                        the service to match from the request.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        http2Route:
+                          description: Specification of an HTTP/2 gateway route.
+                          items:
+                            properties:
+                              action:
+                                description: Action to take if a match is determined.
+                                items:
+                                  properties:
+                                    rewrite:
+                                      description: Gateway route action to rewrite.
+                                      items:
+                                        properties:
+                                          hostname:
+                                            description: Host name to rewrite.
+                                            items:
+                                              properties:
+                                                defaultTargetHostname:
+                                                  description: 'Default target host
+                                                    name to write to. Valid values:
+                                                    ENABLED, DISABLED.'
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          prefix:
+                                            description: Specified beginning characters
+                                              to rewrite.
+                                            items:
+                                              properties:
+                                                defaultPrefix:
+                                                  description: 'Default prefix used
+                                                    to replace the incoming route
+                                                    prefix when rewritten. Valid values:
+                                                    ENABLED, DISABLED.'
+                                                  type: string
+                                                value:
+                                                  description: Value used to replace
+                                                    the incoming route prefix when
+                                                    rewritten.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    target:
+                                      description: Target that traffic is routed to
+                                        when a request matches the gateway route.
+                                      items:
+                                        properties:
+                                          virtualService:
+                                            description: Virtual service gateway route
+                                              target.
+                                            items:
+                                              properties:
+                                                virtualServiceName:
+                                                  description: Name of the virtual
+                                                    service that traffic is routed
+                                                    to. Must be between 1 and 255
+                                                    characters in length.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              match:
+                                description: Criteria for determining a request match.
+                                items:
+                                  properties:
+                                    hostname:
+                                      description: Host name to rewrite.
+                                      items:
+                                        properties:
+                                          exact:
+                                            description: Exact host name to match
+                                              on.
+                                            type: string
+                                          suffix:
+                                            description: Specified ending characters
+                                              of the host name to match on.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    port:
+                                      description: The port number to match from the
+                                        request.
+                                      type: number
+                                    prefix:
+                                      description: Specified beginning characters
+                                        to rewrite.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        httpRoute:
+                          description: Specification of an HTTP gateway route.
+                          items:
+                            properties:
+                              action:
+                                description: Action to take if a match is determined.
+                                items:
+                                  properties:
+                                    rewrite:
+                                      description: Gateway route action to rewrite.
+                                      items:
+                                        properties:
+                                          hostname:
+                                            description: Host name to rewrite.
+                                            items:
+                                              properties:
+                                                defaultTargetHostname:
+                                                  description: 'Default target host
+                                                    name to write to. Valid values:
+                                                    ENABLED, DISABLED.'
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          prefix:
+                                            description: Specified beginning characters
+                                              to rewrite.
+                                            items:
+                                              properties:
+                                                defaultPrefix:
+                                                  description: 'Default prefix used
+                                                    to replace the incoming route
+                                                    prefix when rewritten. Valid values:
+                                                    ENABLED, DISABLED.'
+                                                  type: string
+                                                value:
+                                                  description: Value used to replace
+                                                    the incoming route prefix when
+                                                    rewritten.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    target:
+                                      description: Target that traffic is routed to
+                                        when a request matches the gateway route.
+                                      items:
+                                        properties:
+                                          virtualService:
+                                            description: Virtual service gateway route
+                                              target.
+                                            items:
+                                              properties:
+                                                virtualServiceName:
+                                                  description: Name of the virtual
+                                                    service that traffic is routed
+                                                    to. Must be between 1 and 255
+                                                    characters in length.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              match:
+                                description: Criteria for determining a request match.
+                                items:
+                                  properties:
+                                    hostname:
+                                      description: Host name to rewrite.
+                                      items:
+                                        properties:
+                                          exact:
+                                            description: Exact host name to match
+                                              on.
+                                            type: string
+                                          suffix:
+                                            description: Specified ending characters
+                                              of the host name to match on.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    port:
+                                      description: The port number to match from the
+                                        request.
+                                      type: number
+                                    prefix:
+                                      description: Specified beginning characters
+                                        to rewrite.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  virtualGatewayName:
+                    description: Name of the virtual gateway to associate the gateway
+                      route with. Must be between 1 and 255 characters in length.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appmesh.aws.upbound.io_meshes.yaml b/package/crds/appmesh.aws.upbound.io_meshes.yaml
index fec908fd76..b7b1ebf795 100644
--- a/package/crds/appmesh.aws.upbound.io_meshes.yaml
+++ b/package/crds/appmesh.aws.upbound.io_meshes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -92,6 +96,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -286,6 +305,27 @@ spec:
                   resourceOwner:
                     description: Resource owner's AWS account ID.
                     type: string
+                  spec:
+                    description: Service mesh specification to apply.
+                    items:
+                      properties:
+                        egressFilter:
+                          description: Egress filter rules for the service mesh.
+                          items:
+                            properties:
+                              type:
+                                description: Egress filter type. By default, the type
+                                  is DROP_ALL. Valid values are ALLOW_ALL and DROP_ALL.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appmesh.aws.upbound.io_routes.yaml b/package/crds/appmesh.aws.upbound.io_routes.yaml
index 5694434432..d6ce73308c 100644
--- a/package/crds/appmesh.aws.upbound.io_routes.yaml
+++ b/package/crds/appmesh.aws.upbound.io_routes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1185,10 +1189,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
-                - spec
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1360,6 +1377,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: spec is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)
           status:
             description: RouteStatus defines the observed state of Route.
             properties:
@@ -1377,15 +1399,717 @@ spec:
                   lastUpdatedDate:
                     description: Last update date of the route.
                     type: string
+                  meshName:
+                    description: Name of the service mesh in which to create the route.
+                      Must be between 1 and 255 characters in length.
+                    type: string
+                  meshOwner:
+                    description: AWS account ID of the service mesh's owner. Defaults
+                      to the account ID the AWS provider is currently connected to.
+                    type: string
+                  name:
+                    description: Name to use for the route. Must be between 1 and
+                      255 characters in length.
+                    type: string
                   resourceOwner:
                     description: Resource owner's AWS account ID.
                     type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: Map of tags assigned to the resource, including those
-                      inherited from the provider default_tags configuration block.
-                    type: object
+                  spec:
+                    description: Route specification to apply.
+                    items:
+                      properties:
+                        grpcRoute:
+                          description: GRPC routing information for the route.
+                          items:
+                            properties:
+                              action:
+                                description: Action to take if a match is determined.
+                                items:
+                                  properties:
+                                    weightedTarget:
+                                      description: Targets that traffic is routed
+                                        to when a request matches the route. You can
+                                        specify one or more targets and their relative
+                                        weights with which to distribute traffic.
+                                      items:
+                                        properties:
+                                          port:
+                                            description: The port number to match
+                                              from the request.
+                                            type: number
+                                          virtualNode:
+                                            description: Virtual node to associate
+                                              with the weighted target. Must be between
+                                              1 and 255 characters in length.
+                                            type: string
+                                          weight:
+                                            description: Relative weight of the weighted
+                                              target. An integer between 0 and 100.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              match:
+                                description: Criteria for determining an gRPC request
+                                  match.
+                                items:
+                                  properties:
+                                    metadata:
+                                      description: Data to match from the gRPC request.
+                                      items:
+                                        properties:
+                                          invert:
+                                            description: If true, the match is on
+                                              the opposite of the match criteria.
+                                              Default is false.
+                                            type: boolean
+                                          match:
+                                            description: Criteria for determining
+                                              an gRPC request match.
+                                            items:
+                                              properties:
+                                                exact:
+                                                  description: Value sent by the client
+                                                    must match the specified value
+                                                    exactly. Must be between 1 and
+                                                    255 characters in length.
+                                                  type: string
+                                                prefix:
+                                                  description: Value sent by the client
+                                                    must begin with the specified
+                                                    characters. Must be between 1
+                                                    and 255 characters in length.
+                                                  type: string
+                                                range:
+                                                  description: Object that specifies
+                                                    the range of numbers that the
+                                                    value sent by the client must
+                                                    be included in.
+                                                  items:
+                                                    properties:
+                                                      end:
+                                                        description: End of the range.
+                                                        type: number
+                                                      start:
+                                                        description: (Requited) Start
+                                                          of the range.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                                regex:
+                                                  description: Value sent by the client
+                                                    must include the specified characters.
+                                                    Must be between 1 and 255 characters
+                                                    in length.
+                                                  type: string
+                                                suffix:
+                                                  description: Value sent by the client
+                                                    must end with the specified characters.
+                                                    Must be between 1 and 255 characters
+                                                    in length.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          name:
+                                            description: Name to use for the route.
+                                              Must be between 1 and 255 characters
+                                              in length.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    methodName:
+                                      description: Method name to match from the request.
+                                        If you specify a name, you must also specify
+                                        a service_name.
+                                      type: string
+                                    port:
+                                      description: The port number to match from the
+                                        request.
+                                      type: number
+                                    prefix:
+                                      description: Value sent by the client must begin
+                                        with the specified characters. Must be between
+                                        1 and 255 characters in length.
+                                      type: string
+                                    serviceName:
+                                      description: Fully qualified domain name for
+                                        the service to match from the request.
+                                      type: string
+                                  type: object
+                                type: array
+                              retryPolicy:
+                                description: Retry policy.
+                                items:
+                                  properties:
+                                    grpcRetryEvents:
+                                      description: 'List of gRPC retry events. Valid
+                                        values: cancelled, deadline-exceeded, internal,
+                                        resource-exhausted, unavailable.'
+                                      items:
+                                        type: string
+                                      type: array
+                                    httpRetryEvents:
+                                      description: 'List of HTTP retry events. Valid
+                                        values: client-error (HTTP status code 409),
+                                        gateway-error (HTTP status codes 502, 503,
+                                        and 504), server-error (HTTP status codes
+                                        500, 501, 502, 503, 504, 505, 506, 507, 508,
+                                        510, and 511), stream-error (retry on refused
+                                        stream).'
+                                      items:
+                                        type: string
+                                      type: array
+                                    maxRetries:
+                                      description: Maximum number of retries.
+                                      type: number
+                                    perRetryTimeout:
+                                      description: Per-retry timeout.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    tcpRetryEvents:
+                                      description: List of TCP retry events. The only
+                                        valid value is connection-error.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              timeout:
+                                description: Types of timeouts.
+                                items:
+                                  properties:
+                                    idle:
+                                      description: Idle timeout. An idle timeout bounds
+                                        the amount of time that a connection may be
+                                        idle.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    perRequest:
+                                      description: Per request timeout.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        http2Route:
+                          description: HTTP/2 routing information for the route.
+                          items:
+                            properties:
+                              action:
+                                description: Action to take if a match is determined.
+                                items:
+                                  properties:
+                                    weightedTarget:
+                                      description: Targets that traffic is routed
+                                        to when a request matches the route. You can
+                                        specify one or more targets and their relative
+                                        weights with which to distribute traffic.
+                                      items:
+                                        properties:
+                                          port:
+                                            description: The port number to match
+                                              from the request.
+                                            type: number
+                                          virtualNode:
+                                            description: Virtual node to associate
+                                              with the weighted target. Must be between
+                                              1 and 255 characters in length.
+                                            type: string
+                                          weight:
+                                            description: Relative weight of the weighted
+                                              target. An integer between 0 and 100.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              match:
+                                description: Criteria for determining an gRPC request
+                                  match.
+                                items:
+                                  properties:
+                                    header:
+                                      description: Client request headers to match
+                                        on.
+                                      items:
+                                        properties:
+                                          invert:
+                                            description: If true, the match is on
+                                              the opposite of the match criteria.
+                                              Default is false.
+                                            type: boolean
+                                          match:
+                                            description: Criteria for determining
+                                              an gRPC request match.
+                                            items:
+                                              properties:
+                                                exact:
+                                                  description: Value sent by the client
+                                                    must match the specified value
+                                                    exactly. Must be between 1 and
+                                                    255 characters in length.
+                                                  type: string
+                                                prefix:
+                                                  description: Value sent by the client
+                                                    must begin with the specified
+                                                    characters. Must be between 1
+                                                    and 255 characters in length.
+                                                  type: string
+                                                range:
+                                                  description: Object that specifies
+                                                    the range of numbers that the
+                                                    value sent by the client must
+                                                    be included in.
+                                                  items:
+                                                    properties:
+                                                      end:
+                                                        description: End of the range.
+                                                        type: number
+                                                      start:
+                                                        description: (Requited) Start
+                                                          of the range.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                                regex:
+                                                  description: Value sent by the client
+                                                    must include the specified characters.
+                                                    Must be between 1 and 255 characters
+                                                    in length.
+                                                  type: string
+                                                suffix:
+                                                  description: Value sent by the client
+                                                    must end with the specified characters.
+                                                    Must be between 1 and 255 characters
+                                                    in length.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          name:
+                                            description: Name to use for the route.
+                                              Must be between 1 and 255 characters
+                                              in length.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    method:
+                                      description: 'Client request header method to
+                                        match on. Valid values: GET, HEAD, POST, PUT,
+                                        DELETE, CONNECT, OPTIONS, TRACE, PATCH.'
+                                      type: string
+                                    port:
+                                      description: The port number to match from the
+                                        request.
+                                      type: number
+                                    prefix:
+                                      description: Value sent by the client must begin
+                                        with the specified characters. Must be between
+                                        1 and 255 characters in length.
+                                      type: string
+                                    scheme:
+                                      description: 'Client request header scheme to
+                                        match on. Valid values: http, https.'
+                                      type: string
+                                  type: object
+                                type: array
+                              retryPolicy:
+                                description: Retry policy.
+                                items:
+                                  properties:
+                                    httpRetryEvents:
+                                      description: 'List of HTTP retry events. Valid
+                                        values: client-error (HTTP status code 409),
+                                        gateway-error (HTTP status codes 502, 503,
+                                        and 504), server-error (HTTP status codes
+                                        500, 501, 502, 503, 504, 505, 506, 507, 508,
+                                        510, and 511), stream-error (retry on refused
+                                        stream).'
+                                      items:
+                                        type: string
+                                      type: array
+                                    maxRetries:
+                                      description: Maximum number of retries.
+                                      type: number
+                                    perRetryTimeout:
+                                      description: Per-retry timeout.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    tcpRetryEvents:
+                                      description: List of TCP retry events. The only
+                                        valid value is connection-error.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              timeout:
+                                description: Types of timeouts.
+                                items:
+                                  properties:
+                                    idle:
+                                      description: Idle timeout. An idle timeout bounds
+                                        the amount of time that a connection may be
+                                        idle.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    perRequest:
+                                      description: Per request timeout.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        httpRoute:
+                          description: HTTP routing information for the route.
+                          items:
+                            properties:
+                              action:
+                                description: Action to take if a match is determined.
+                                items:
+                                  properties:
+                                    weightedTarget:
+                                      description: Targets that traffic is routed
+                                        to when a request matches the route. You can
+                                        specify one or more targets and their relative
+                                        weights with which to distribute traffic.
+                                      items:
+                                        properties:
+                                          port:
+                                            description: The port number to match
+                                              from the request.
+                                            type: number
+                                          virtualNode:
+                                            description: Virtual node to associate
+                                              with the weighted target. Must be between
+                                              1 and 255 characters in length.
+                                            type: string
+                                          weight:
+                                            description: Relative weight of the weighted
+                                              target. An integer between 0 and 100.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              match:
+                                description: Criteria for determining an gRPC request
+                                  match.
+                                items:
+                                  properties:
+                                    header:
+                                      description: Client request headers to match
+                                        on.
+                                      items:
+                                        properties:
+                                          invert:
+                                            description: If true, the match is on
+                                              the opposite of the match criteria.
+                                              Default is false.
+                                            type: boolean
+                                          match:
+                                            description: Criteria for determining
+                                              an gRPC request match.
+                                            items:
+                                              properties:
+                                                exact:
+                                                  description: Value sent by the client
+                                                    must match the specified value
+                                                    exactly. Must be between 1 and
+                                                    255 characters in length.
+                                                  type: string
+                                                prefix:
+                                                  description: Value sent by the client
+                                                    must begin with the specified
+                                                    characters. Must be between 1
+                                                    and 255 characters in length.
+                                                  type: string
+                                                range:
+                                                  description: Object that specifies
+                                                    the range of numbers that the
+                                                    value sent by the client must
+                                                    be included in.
+                                                  items:
+                                                    properties:
+                                                      end:
+                                                        description: End of the range.
+                                                        type: number
+                                                      start:
+                                                        description: (Requited) Start
+                                                          of the range.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                                regex:
+                                                  description: Value sent by the client
+                                                    must include the specified characters.
+                                                    Must be between 1 and 255 characters
+                                                    in length.
+                                                  type: string
+                                                suffix:
+                                                  description: Value sent by the client
+                                                    must end with the specified characters.
+                                                    Must be between 1 and 255 characters
+                                                    in length.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          name:
+                                            description: Name to use for the route.
+                                              Must be between 1 and 255 characters
+                                              in length.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    method:
+                                      description: 'Client request header method to
+                                        match on. Valid values: GET, HEAD, POST, PUT,
+                                        DELETE, CONNECT, OPTIONS, TRACE, PATCH.'
+                                      type: string
+                                    port:
+                                      description: The port number to match from the
+                                        request.
+                                      type: number
+                                    prefix:
+                                      description: Value sent by the client must begin
+                                        with the specified characters. Must be between
+                                        1 and 255 characters in length.
+                                      type: string
+                                    scheme:
+                                      description: 'Client request header scheme to
+                                        match on. Valid values: http, https.'
+                                      type: string
+                                  type: object
+                                type: array
+                              retryPolicy:
+                                description: Retry policy.
+                                items:
+                                  properties:
+                                    httpRetryEvents:
+                                      description: 'List of HTTP retry events. Valid
+                                        values: client-error (HTTP status code 409),
+                                        gateway-error (HTTP status codes 502, 503,
+                                        and 504), server-error (HTTP status codes
+                                        500, 501, 502, 503, 504, 505, 506, 507, 508,
+                                        510, and 511), stream-error (retry on refused
+                                        stream).'
+                                      items:
+                                        type: string
+                                      type: array
+                                    maxRetries:
+                                      description: Maximum number of retries.
+                                      type: number
+                                    perRetryTimeout:
+                                      description: Per-retry timeout.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    tcpRetryEvents:
+                                      description: List of TCP retry events. The only
+                                        valid value is connection-error.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              timeout:
+                                description: Types of timeouts.
+                                items:
+                                  properties:
+                                    idle:
+                                      description: Idle timeout. An idle timeout bounds
+                                        the amount of time that a connection may be
+                                        idle.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    perRequest:
+                                      description: Per request timeout.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        priority:
+                          description: Priority for the route, between 0 and 1000.
+                            Routes are matched based on the specified value, where
+                            0 is the highest priority.
+                          type: number
+                        tcpRoute:
+                          description: TCP routing information for the route.
+                          items:
+                            properties:
+                              action:
+                                description: Action to take if a match is determined.
+                                items:
+                                  properties:
+                                    weightedTarget:
+                                      description: Targets that traffic is routed
+                                        to when a request matches the route. You can
+                                        specify one or more targets and their relative
+                                        weights with which to distribute traffic.
+                                      items:
+                                        properties:
+                                          port:
+                                            description: The port number to match
+                                              from the request.
+                                            type: number
+                                          virtualNode:
+                                            description: Virtual node to associate
+                                              with the weighted target. Must be between
+                                              1 and 255 characters in length.
+                                            type: string
+                                          weight:
+                                            description: Relative weight of the weighted
+                                              target. An integer between 0 and 100.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              match:
+                                description: Criteria for determining an gRPC request
+                                  match.
+                                items:
+                                  properties:
+                                    port:
+                                      description: The port number to match from the
+                                        request.
+                                      type: number
+                                  type: object
+                                type: array
+                              timeout:
+                                description: Types of timeouts.
+                                items:
+                                  properties:
+                                    idle:
+                                      description: Idle timeout. An idle timeout bounds
+                                        the amount of time that a connection may be
+                                        idle.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: Map of tags assigned to the resource, including those
+                      inherited from the provider default_tags configuration block.
+                    type: object
+                  virtualRouterName:
+                    description: Name of the virtual router in which to create the
+                      route. Must be between 1 and 255 characters in length.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appmesh.aws.upbound.io_virtualgateways.yaml b/package/crds/appmesh.aws.upbound.io_virtualgateways.yaml
index 9dce560657..05d9743eb7 100644
--- a/package/crds/appmesh.aws.upbound.io_virtualgateways.yaml
+++ b/package/crds/appmesh.aws.upbound.io_virtualgateways.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -653,11 +657,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - meshName
-                - name
                 - region
-                - spec
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -829,6 +845,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: meshName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.meshName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: spec is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)
           status:
             description: VirtualGatewayStatus defines the observed state of VirtualGateway.
             properties:
@@ -846,9 +869,435 @@ spec:
                   lastUpdatedDate:
                     description: Last update date of the virtual gateway.
                     type: string
+                  meshName:
+                    description: Name of the service mesh in which to create the virtual
+                      gateway. Must be between 1 and 255 characters in length.
+                    type: string
+                  meshOwner:
+                    description: AWS account ID of the service mesh's owner. Defaults
+                      to the account ID the AWS provider is currently connected to.
+                    type: string
+                  name:
+                    description: Name to use for the virtual gateway. Must be between
+                      1 and 255 characters in length.
+                    type: string
                   resourceOwner:
                     description: Resource owner's AWS account ID.
                     type: string
+                  spec:
+                    description: Virtual gateway specification to apply.
+                    items:
+                      properties:
+                        backendDefaults:
+                          description: Defaults for backends.
+                          items:
+                            properties:
+                              clientPolicy:
+                                description: Default client policy for virtual gateway
+                                  backends.
+                                items:
+                                  properties:
+                                    tls:
+                                      description: Transport Layer Security (TLS)
+                                        client policy.
+                                      items:
+                                        properties:
+                                          certificate:
+                                            description: Virtual gateway's client's
+                                              Transport Layer Security (TLS) certificate.
+                                            items:
+                                              properties:
+                                                file:
+                                                  description: Local file certificate.
+                                                  items:
+                                                    properties:
+                                                      certificateChain:
+                                                        description: Certificate chain
+                                                          for the certificate.
+                                                        type: string
+                                                      privateKey:
+                                                        description: Private key for
+                                                          a certificate stored on
+                                                          the file system of the mesh
+                                                          endpoint that the proxy
+                                                          is running on.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                sds:
+                                                  description: A Secret Discovery
+                                                    Service certificate.
+                                                  items:
+                                                    properties:
+                                                      secretName:
+                                                        description: Name of the secret
+                                                          secret requested from the
+                                                          Secret Discovery Service
+                                                          provider representing Transport
+                                                          Layer Security (TLS) materials
+                                                          like a certificate or certificate
+                                                          chain.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          enforce:
+                                            description: Whether the policy is enforced.
+                                              Default is true.
+                                            type: boolean
+                                          ports:
+                                            description: One or more ports that the
+                                              policy is enforced for.
+                                            items:
+                                              type: number
+                                            type: array
+                                          validation:
+                                            description: TLS validation context.
+                                            items:
+                                              properties:
+                                                subjectAlternativeNames:
+                                                  description: SANs for a virtual
+                                                    gateway's listener's Transport
+                                                    Layer Security (TLS) validation
+                                                    context.
+                                                  items:
+                                                    properties:
+                                                      match:
+                                                        description: Criteria for
+                                                          determining a SAN's match.
+                                                        items:
+                                                          properties:
+                                                            exact:
+                                                              description: Values
+                                                                sent must match the
+                                                                specified values exactly.
+                                                              items:
+                                                                type: string
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                trust:
+                                                  description: TLS validation context
+                                                    trust.
+                                                  items:
+                                                    properties:
+                                                      acm:
+                                                        description: TLS validation
+                                                          context trust for an AWS
+                                                          Certificate Manager (ACM)
+                                                          certificate.
+                                                        items:
+                                                          properties:
+                                                            certificateAuthorityArns:
+                                                              description: One or
+                                                                more ACM ARNs.
+                                                              items:
+                                                                type: string
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                      file:
+                                                        description: Local file certificate.
+                                                        items:
+                                                          properties:
+                                                            certificateChain:
+                                                              description: Certificate
+                                                                chain for the certificate.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      sds:
+                                                        description: A Secret Discovery
+                                                          Service certificate.
+                                                        items:
+                                                          properties:
+                                                            secretName:
+                                                              description: Name of
+                                                                the secret secret
+                                                                requested from the
+                                                                Secret Discovery Service
+                                                                provider representing
+                                                                Transport Layer Security
+                                                                (TLS) materials like
+                                                                a certificate or certificate
+                                                                chain.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        listener:
+                          description: Listeners that the mesh endpoint is expected
+                            to receive inbound traffic from. You can specify one listener.
+                          items:
+                            properties:
+                              connectionPool:
+                                description: Connection pool information for the listener.
+                                items:
+                                  properties:
+                                    grpc:
+                                      description: Connection pool information for
+                                        gRPC listeners.
+                                      items:
+                                        properties:
+                                          maxRequests:
+                                            description: Maximum number of inflight
+                                              requests Envoy can concurrently support
+                                              across hosts in upstream cluster. Minimum
+                                              value of 1.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    http:
+                                      description: Connection pool information for
+                                        HTTP listeners.
+                                      items:
+                                        properties:
+                                          maxConnections:
+                                            description: Maximum number of outbound
+                                              TCP connections Envoy can establish
+                                              concurrently with all hosts in upstream
+                                              cluster. Minimum value of 1.
+                                            type: number
+                                          maxPendingRequests:
+                                            description: Number of overflowing requests
+                                              after max_connections Envoy will queue
+                                              to upstream cluster. Minimum value of
+                                              1.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    http2:
+                                      description: Connection pool information for
+                                        HTTP2 listeners.
+                                      items:
+                                        properties:
+                                          maxRequests:
+                                            description: Maximum number of inflight
+                                              requests Envoy can concurrently support
+                                              across hosts in upstream cluster. Minimum
+                                              value of 1.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              healthCheck:
+                                description: Health check information for the listener.
+                                items:
+                                  properties:
+                                    healthyThreshold:
+                                      description: Number of consecutive successful
+                                        health checks that must occur before declaring
+                                        listener healthy.
+                                      type: number
+                                    intervalMillis:
+                                      description: Time period in milliseconds between
+                                        each health check execution.
+                                      type: number
+                                    path:
+                                      description: File path to write access logs
+                                        to. You can use /dev/stdout to send access
+                                        logs to standard out. Must be between 1 and
+                                        255 characters in length.
+                                      type: string
+                                    port:
+                                      description: Port used for the port mapping.
+                                      type: number
+                                    protocol:
+                                      description: Protocol used for the port mapping.
+                                        Valid values are http, http2, tcp and grpc.
+                                      type: string
+                                    timeoutMillis:
+                                      description: Amount of time to wait when receiving
+                                        a response from the health check, in milliseconds.
+                                      type: number
+                                    unhealthyThreshold:
+                                      description: Number of consecutive failed health
+                                        checks that must occur before declaring a
+                                        virtual gateway unhealthy.
+                                      type: number
+                                  type: object
+                                type: array
+                              portMapping:
+                                description: Port mapping information for the listener.
+                                items:
+                                  properties:
+                                    port:
+                                      description: Port used for the port mapping.
+                                      type: number
+                                    protocol:
+                                      description: Protocol used for the port mapping.
+                                        Valid values are http, http2, tcp and grpc.
+                                      type: string
+                                  type: object
+                                type: array
+                              tls:
+                                description: Transport Layer Security (TLS) client
+                                  policy.
+                                items:
+                                  properties:
+                                    certificate:
+                                      description: Virtual gateway's client's Transport
+                                        Layer Security (TLS) certificate.
+                                      items:
+                                        properties:
+                                          acm:
+                                            description: TLS validation context trust
+                                              for an AWS Certificate Manager (ACM)
+                                              certificate.
+                                            items:
+                                              properties:
+                                                certificateArn:
+                                                  description: ARN for the certificate.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          file:
+                                            description: Local file certificate.
+                                            items:
+                                              properties:
+                                                certificateChain:
+                                                  description: Certificate chain for
+                                                    the certificate.
+                                                  type: string
+                                                privateKey:
+                                                  description: Private key for a certificate
+                                                    stored on the file system of the
+                                                    mesh endpoint that the proxy is
+                                                    running on.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          sds:
+                                            description: A Secret Discovery Service
+                                              certificate.
+                                            items:
+                                              properties:
+                                                secretName:
+                                                  description: Name of the secret
+                                                    secret requested from the Secret
+                                                    Discovery Service provider representing
+                                                    Transport Layer Security (TLS)
+                                                    materials like a certificate or
+                                                    certificate chain.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    mode:
+                                      description: 'Listener''s TLS mode. Valid values:
+                                        DISABLED, PERMISSIVE, STRICT.'
+                                      type: string
+                                    validation:
+                                      description: TLS validation context.
+                                      items:
+                                        properties:
+                                          subjectAlternativeNames:
+                                            description: SANs for a virtual gateway's
+                                              listener's Transport Layer Security
+                                              (TLS) validation context.
+                                            items:
+                                              properties:
+                                                match:
+                                                  description: Criteria for determining
+                                                    a SAN's match.
+                                                  items:
+                                                    properties:
+                                                      exact:
+                                                        description: Values sent must
+                                                          match the specified values
+                                                          exactly.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          trust:
+                                            description: TLS validation context trust.
+                                            items:
+                                              properties:
+                                                file:
+                                                  description: Local file certificate.
+                                                  items:
+                                                    properties:
+                                                      certificateChain:
+                                                        description: Certificate chain
+                                                          for the certificate.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                sds:
+                                                  description: A Secret Discovery
+                                                    Service certificate.
+                                                  items:
+                                                    properties:
+                                                      secretName:
+                                                        description: Name of the secret
+                                                          secret requested from the
+                                                          Secret Discovery Service
+                                                          provider representing Transport
+                                                          Layer Security (TLS) materials
+                                                          like a certificate or certificate
+                                                          chain.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        logging:
+                          description: Inbound and outbound access logging information
+                            for the virtual gateway.
+                          items:
+                            properties:
+                              accessLog:
+                                description: Access log configuration for a virtual
+                                  gateway.
+                                items:
+                                  properties:
+                                    file:
+                                      description: Local file certificate.
+                                      items:
+                                        properties:
+                                          path:
+                                            description: File path to write access
+                                              logs to. You can use /dev/stdout to
+                                              send access logs to standard out. Must
+                                              be between 1 and 255 characters in length.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appmesh.aws.upbound.io_virtualnodes.yaml b/package/crds/appmesh.aws.upbound.io_virtualnodes.yaml
index 56badd5ac6..bacc8e1e17 100644
--- a/package/crds/appmesh.aws.upbound.io_virtualnodes.yaml
+++ b/package/crds/appmesh.aws.upbound.io_virtualnodes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1184,10 +1188,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - spec
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1359,6 +1376,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: spec is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)
           status:
             description: VirtualNodeStatus defines the observed state of VirtualNode.
             properties:
@@ -1376,9 +1398,848 @@ spec:
                   lastUpdatedDate:
                     description: Last update date of the virtual node.
                     type: string
+                  meshName:
+                    description: Name of the service mesh in which to create the virtual
+                      node. Must be between 1 and 255 characters in length.
+                    type: string
+                  meshOwner:
+                    description: AWS account ID of the service mesh's owner. Defaults
+                      to the account ID the AWS provider is currently connected to.
+                    type: string
+                  name:
+                    description: Name to use for the virtual node. Must be between
+                      1 and 255 characters in length.
+                    type: string
                   resourceOwner:
                     description: Resource owner's AWS account ID.
                     type: string
+                  spec:
+                    description: Virtual node specification to apply.
+                    items:
+                      properties:
+                        backend:
+                          description: Backends to which the virtual node is expected
+                            to send outbound traffic.
+                          items:
+                            properties:
+                              virtualService:
+                                description: Virtual service to use as a backend for
+                                  a virtual node.
+                                items:
+                                  properties:
+                                    clientPolicy:
+                                      description: Client policy for the backend.
+                                      items:
+                                        properties:
+                                          tls:
+                                            description: Transport Layer Security
+                                              (TLS) client policy.
+                                            items:
+                                              properties:
+                                                certificate:
+                                                  description: Virtual node's client's
+                                                    Transport Layer Security (TLS)
+                                                    certificate.
+                                                  items:
+                                                    properties:
+                                                      file:
+                                                        description: Local file certificate.
+                                                        items:
+                                                          properties:
+                                                            certificateChain:
+                                                              description: Certificate
+                                                                chain for the certificate.
+                                                              type: string
+                                                            privateKey:
+                                                              description: Private
+                                                                key for a certificate
+                                                                stored on the file
+                                                                system of the mesh
+                                                                endpoint that the
+                                                                proxy is running on.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      sds:
+                                                        description: A Secret Discovery
+                                                          Service certificate.
+                                                        items:
+                                                          properties:
+                                                            secretName:
+                                                              description: Name of
+                                                                the secret secret
+                                                                requested from the
+                                                                Secret Discovery Service
+                                                                provider representing
+                                                                Transport Layer Security
+                                                                (TLS) materials like
+                                                                a certificate or certificate
+                                                                chain.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                enforce:
+                                                  description: Whether the policy
+                                                    is enforced. Default is true.
+                                                  type: boolean
+                                                ports:
+                                                  description: One or more ports that
+                                                    the policy is enforced for.
+                                                  items:
+                                                    type: number
+                                                  type: array
+                                                validation:
+                                                  description: TLS validation context.
+                                                  items:
+                                                    properties:
+                                                      subjectAlternativeNames:
+                                                        description: SANs for a TLS
+                                                          validation context.
+                                                        items:
+                                                          properties:
+                                                            match:
+                                                              description: Criteria
+                                                                for determining a
+                                                                SAN's match.
+                                                              items:
+                                                                properties:
+                                                                  exact:
+                                                                    description: Values
+                                                                      sent must match
+                                                                      the specified
+                                                                      values exactly.
+                                                                    items:
+                                                                      type: string
+                                                                    type: array
+                                                                type: object
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                      trust:
+                                                        description: TLS validation
+                                                          context trust.
+                                                        items:
+                                                          properties:
+                                                            acm:
+                                                              description: TLS validation
+                                                                context trust for
+                                                                an AWS Certificate
+                                                                Manager (ACM) certificate.
+                                                              items:
+                                                                properties:
+                                                                  certificateAuthorityArns:
+                                                                    description: One
+                                                                      or more ACM
+                                                                      ARNs.
+                                                                    items:
+                                                                      type: string
+                                                                    type: array
+                                                                type: object
+                                                              type: array
+                                                            file:
+                                                              description: Local file
+                                                                certificate.
+                                                              items:
+                                                                properties:
+                                                                  certificateChain:
+                                                                    description: Certificate
+                                                                      chain for the
+                                                                      certificate.
+                                                                    type: string
+                                                                type: object
+                                                              type: array
+                                                            sds:
+                                                              description: A Secret
+                                                                Discovery Service
+                                                                certificate.
+                                                              items:
+                                                                properties:
+                                                                  secretName:
+                                                                    description: Name
+                                                                      of the secret
+                                                                      secret requested
+                                                                      from the Secret
+                                                                      Discovery Service
+                                                                      provider representing
+                                                                      Transport Layer
+                                                                      Security (TLS)
+                                                                      materials like
+                                                                      a certificate
+                                                                      or certificate
+                                                                      chain.
+                                                                    type: string
+                                                                type: object
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    virtualServiceName:
+                                      description: Name of the virtual service that
+                                        is acting as a virtual node backend. Must
+                                        be between 1 and 255 characters in length.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        backendDefaults:
+                          description: Defaults for backends.
+                          items:
+                            properties:
+                              clientPolicy:
+                                description: Client policy for the backend.
+                                items:
+                                  properties:
+                                    tls:
+                                      description: Transport Layer Security (TLS)
+                                        client policy.
+                                      items:
+                                        properties:
+                                          certificate:
+                                            description: Virtual node's client's Transport
+                                              Layer Security (TLS) certificate.
+                                            items:
+                                              properties:
+                                                file:
+                                                  description: Local file certificate.
+                                                  items:
+                                                    properties:
+                                                      certificateChain:
+                                                        description: Certificate chain
+                                                          for the certificate.
+                                                        type: string
+                                                      privateKey:
+                                                        description: Private key for
+                                                          a certificate stored on
+                                                          the file system of the mesh
+                                                          endpoint that the proxy
+                                                          is running on.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                sds:
+                                                  description: A Secret Discovery
+                                                    Service certificate.
+                                                  items:
+                                                    properties:
+                                                      secretName:
+                                                        description: Name of the secret
+                                                          secret requested from the
+                                                          Secret Discovery Service
+                                                          provider representing Transport
+                                                          Layer Security (TLS) materials
+                                                          like a certificate or certificate
+                                                          chain.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          enforce:
+                                            description: Whether the policy is enforced.
+                                              Default is true.
+                                            type: boolean
+                                          ports:
+                                            description: One or more ports that the
+                                              policy is enforced for.
+                                            items:
+                                              type: number
+                                            type: array
+                                          validation:
+                                            description: TLS validation context.
+                                            items:
+                                              properties:
+                                                subjectAlternativeNames:
+                                                  description: SANs for a TLS validation
+                                                    context.
+                                                  items:
+                                                    properties:
+                                                      match:
+                                                        description: Criteria for
+                                                          determining a SAN's match.
+                                                        items:
+                                                          properties:
+                                                            exact:
+                                                              description: Values
+                                                                sent must match the
+                                                                specified values exactly.
+                                                              items:
+                                                                type: string
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                trust:
+                                                  description: TLS validation context
+                                                    trust.
+                                                  items:
+                                                    properties:
+                                                      acm:
+                                                        description: TLS validation
+                                                          context trust for an AWS
+                                                          Certificate Manager (ACM)
+                                                          certificate.
+                                                        items:
+                                                          properties:
+                                                            certificateAuthorityArns:
+                                                              description: One or
+                                                                more ACM ARNs.
+                                                              items:
+                                                                type: string
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                      file:
+                                                        description: Local file certificate.
+                                                        items:
+                                                          properties:
+                                                            certificateChain:
+                                                              description: Certificate
+                                                                chain for the certificate.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      sds:
+                                                        description: A Secret Discovery
+                                                          Service certificate.
+                                                        items:
+                                                          properties:
+                                                            secretName:
+                                                              description: Name of
+                                                                the secret secret
+                                                                requested from the
+                                                                Secret Discovery Service
+                                                                provider representing
+                                                                Transport Layer Security
+                                                                (TLS) materials like
+                                                                a certificate or certificate
+                                                                chain.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        listener:
+                          description: Listeners from which the virtual node is expected
+                            to receive inbound traffic.
+                          items:
+                            properties:
+                              connectionPool:
+                                description: Connection pool information for the listener.
+                                items:
+                                  properties:
+                                    grpc:
+                                      description: Connection pool information for
+                                        gRPC listeners.
+                                      items:
+                                        properties:
+                                          maxRequests:
+                                            description: Maximum number of inflight
+                                              requests Envoy can concurrently support
+                                              across hosts in upstream cluster. Minimum
+                                              value of 1.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    http:
+                                      description: Connection pool information for
+                                        HTTP listeners.
+                                      items:
+                                        properties:
+                                          maxConnections:
+                                            description: Maximum number of outbound
+                                              TCP connections Envoy can establish
+                                              concurrently with all hosts in upstream
+                                              cluster. Minimum value of 1.
+                                            type: number
+                                          maxPendingRequests:
+                                            description: Number of overflowing requests
+                                              after max_connections Envoy will queue
+                                              to upstream cluster. Minimum value of
+                                              1.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    http2:
+                                      description: Connection pool information for
+                                        HTTP2 listeners.
+                                      items:
+                                        properties:
+                                          maxRequests:
+                                            description: Maximum number of inflight
+                                              requests Envoy can concurrently support
+                                              across hosts in upstream cluster. Minimum
+                                              value of 1.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    tcp:
+                                      description: Connection pool information for
+                                        TCP listeners.
+                                      items:
+                                        properties:
+                                          maxConnections:
+                                            description: Maximum number of outbound
+                                              TCP connections Envoy can establish
+                                              concurrently with all hosts in upstream
+                                              cluster. Minimum value of 1.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              healthCheck:
+                                description: Health check information for the listener.
+                                items:
+                                  properties:
+                                    healthyThreshold:
+                                      description: Number of consecutive successful
+                                        health checks that must occur before declaring
+                                        listener healthy.
+                                      type: number
+                                    intervalMillis:
+                                      description: Time period in milliseconds between
+                                        each health check execution.
+                                      type: number
+                                    path:
+                                      description: File path to write access logs
+                                        to. You can use /dev/stdout to send access
+                                        logs to standard out. Must be between 1 and
+                                        255 characters in length.
+                                      type: string
+                                    port:
+                                      description: Port used for the port mapping.
+                                      type: number
+                                    protocol:
+                                      description: Protocol used for the port mapping.
+                                        Valid values are http, http2, tcp and grpc.
+                                      type: string
+                                    timeoutMillis:
+                                      description: Amount of time to wait when receiving
+                                        a response from the health check, in milliseconds.
+                                      type: number
+                                    unhealthyThreshold:
+                                      description: Number of consecutive failed health
+                                        checks that must occur before declaring a
+                                        virtual node unhealthy.
+                                      type: number
+                                  type: object
+                                type: array
+                              outlierDetection:
+                                description: Outlier detection information for the
+                                  listener.
+                                items:
+                                  properties:
+                                    baseEjectionDuration:
+                                      description: Base amount of time for which a
+                                        host is ejected.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    interval:
+                                      description: Time interval between ejection
+                                        sweep analysis.
+                                      items:
+                                        properties:
+                                          unit:
+                                            description: 'Unit of time. Valid values:
+                                              ms, s.'
+                                            type: string
+                                          value:
+                                            description: Number of time units. Minimum
+                                              value of 0.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    maxEjectionPercent:
+                                      description: Maximum percentage of hosts in
+                                        load balancing pool for upstream service that
+                                        can be ejected. Will eject at least one host
+                                        regardless of the value. Minimum value of
+                                        0. Maximum value of 100.
+                                      type: number
+                                    maxServerErrors:
+                                      description: Number of consecutive 5xx errors
+                                        required for ejection. Minimum value of 1.
+                                      type: number
+                                  type: object
+                                type: array
+                              portMapping:
+                                description: Port mapping information for the listener.
+                                items:
+                                  properties:
+                                    port:
+                                      description: Port used for the port mapping.
+                                      type: number
+                                    protocol:
+                                      description: Protocol used for the port mapping.
+                                        Valid values are http, http2, tcp and grpc.
+                                      type: string
+                                  type: object
+                                type: array
+                              timeout:
+                                description: Timeouts for different protocols.
+                                items:
+                                  properties:
+                                    grpc:
+                                      description: Connection pool information for
+                                        gRPC listeners.
+                                      items:
+                                        properties:
+                                          idle:
+                                            description: Idle timeout. An idle timeout
+                                              bounds the amount of time that a connection
+                                              may be idle.
+                                            items:
+                                              properties:
+                                                unit:
+                                                  description: 'Unit of time. Valid
+                                                    values: ms, s.'
+                                                  type: string
+                                                value:
+                                                  description: Number of time units.
+                                                    Minimum value of 0.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          perRequest:
+                                            description: Per request timeout.
+                                            items:
+                                              properties:
+                                                unit:
+                                                  description: 'Unit of time. Valid
+                                                    values: ms, s.'
+                                                  type: string
+                                                value:
+                                                  description: Number of time units.
+                                                    Minimum value of 0.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    http:
+                                      description: Connection pool information for
+                                        HTTP listeners.
+                                      items:
+                                        properties:
+                                          idle:
+                                            description: Idle timeout. An idle timeout
+                                              bounds the amount of time that a connection
+                                              may be idle.
+                                            items:
+                                              properties:
+                                                unit:
+                                                  description: 'Unit of time. Valid
+                                                    values: ms, s.'
+                                                  type: string
+                                                value:
+                                                  description: Number of time units.
+                                                    Minimum value of 0.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          perRequest:
+                                            description: Per request timeout.
+                                            items:
+                                              properties:
+                                                unit:
+                                                  description: 'Unit of time. Valid
+                                                    values: ms, s.'
+                                                  type: string
+                                                value:
+                                                  description: Number of time units.
+                                                    Minimum value of 0.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    http2:
+                                      description: Connection pool information for
+                                        HTTP2 listeners.
+                                      items:
+                                        properties:
+                                          idle:
+                                            description: Idle timeout. An idle timeout
+                                              bounds the amount of time that a connection
+                                              may be idle.
+                                            items:
+                                              properties:
+                                                unit:
+                                                  description: 'Unit of time. Valid
+                                                    values: ms, s.'
+                                                  type: string
+                                                value:
+                                                  description: Number of time units.
+                                                    Minimum value of 0.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          perRequest:
+                                            description: Per request timeout.
+                                            items:
+                                              properties:
+                                                unit:
+                                                  description: 'Unit of time. Valid
+                                                    values: ms, s.'
+                                                  type: string
+                                                value:
+                                                  description: Number of time units.
+                                                    Minimum value of 0.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    tcp:
+                                      description: Connection pool information for
+                                        TCP listeners.
+                                      items:
+                                        properties:
+                                          idle:
+                                            description: Idle timeout. An idle timeout
+                                              bounds the amount of time that a connection
+                                              may be idle.
+                                            items:
+                                              properties:
+                                                unit:
+                                                  description: 'Unit of time. Valid
+                                                    values: ms, s.'
+                                                  type: string
+                                                value:
+                                                  description: Number of time units.
+                                                    Minimum value of 0.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              tls:
+                                description: Transport Layer Security (TLS) client
+                                  policy.
+                                items:
+                                  properties:
+                                    certificate:
+                                      description: Virtual node's client's Transport
+                                        Layer Security (TLS) certificate.
+                                      items:
+                                        properties:
+                                          acm:
+                                            description: TLS validation context trust
+                                              for an AWS Certificate Manager (ACM)
+                                              certificate.
+                                            items:
+                                              properties:
+                                                certificateArn:
+                                                  description: ARN for the certificate.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          file:
+                                            description: Local file certificate.
+                                            items:
+                                              properties:
+                                                certificateChain:
+                                                  description: Certificate chain for
+                                                    the certificate.
+                                                  type: string
+                                                privateKey:
+                                                  description: Private key for a certificate
+                                                    stored on the file system of the
+                                                    mesh endpoint that the proxy is
+                                                    running on.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          sds:
+                                            description: A Secret Discovery Service
+                                              certificate.
+                                            items:
+                                              properties:
+                                                secretName:
+                                                  description: Name of the secret
+                                                    secret requested from the Secret
+                                                    Discovery Service provider representing
+                                                    Transport Layer Security (TLS)
+                                                    materials like a certificate or
+                                                    certificate chain.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    mode:
+                                      description: 'Listener''s TLS mode. Valid values:
+                                        DISABLED, PERMISSIVE, STRICT.'
+                                      type: string
+                                    validation:
+                                      description: TLS validation context.
+                                      items:
+                                        properties:
+                                          subjectAlternativeNames:
+                                            description: SANs for a TLS validation
+                                              context.
+                                            items:
+                                              properties:
+                                                match:
+                                                  description: Criteria for determining
+                                                    a SAN's match.
+                                                  items:
+                                                    properties:
+                                                      exact:
+                                                        description: Values sent must
+                                                          match the specified values
+                                                          exactly.
+                                                        items:
+                                                          type: string
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          trust:
+                                            description: TLS validation context trust.
+                                            items:
+                                              properties:
+                                                file:
+                                                  description: Local file certificate.
+                                                  items:
+                                                    properties:
+                                                      certificateChain:
+                                                        description: Certificate chain
+                                                          for the certificate.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                sds:
+                                                  description: A Secret Discovery
+                                                    Service certificate.
+                                                  items:
+                                                    properties:
+                                                      secretName:
+                                                        description: Name of the secret
+                                                          secret requested from the
+                                                          Secret Discovery Service
+                                                          provider representing Transport
+                                                          Layer Security (TLS) materials
+                                                          like a certificate or certificate
+                                                          chain.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        logging:
+                          description: Inbound and outbound access logging information
+                            for the virtual node.
+                          items:
+                            properties:
+                              accessLog:
+                                description: Access log configuration for a virtual
+                                  node.
+                                items:
+                                  properties:
+                                    file:
+                                      description: Local file certificate.
+                                      items:
+                                        properties:
+                                          path:
+                                            description: File path to write access
+                                              logs to. You can use /dev/stdout to
+                                              send access logs to standard out. Must
+                                              be between 1 and 255 characters in length.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        serviceDiscovery:
+                          description: Service discovery information for the virtual
+                            node.
+                          items:
+                            properties:
+                              awsCloudMap:
+                                description: Any AWS Cloud Map information for the
+                                  virtual node.
+                                items:
+                                  properties:
+                                    attributes:
+                                      additionalProperties:
+                                        type: string
+                                      description: String map that contains attributes
+                                        with values that you can use to filter instances
+                                        by any custom attribute that you specified
+                                        when you registered the instance. Only instances
+                                        that match all of the specified key/value
+                                        pairs will be returned.
+                                      type: object
+                                    namespaceName:
+                                      description: Name of the AWS Cloud Map namespace
+                                        to use. Use the aws_service_discovery_http_namespace
+                                        resource to configure a Cloud Map namespace.
+                                        Must be between 1 and 1024 characters in length.
+                                      type: string
+                                    serviceName:
+                                      description: attribute of the dns object to
+                                        hostname.
+                                      type: string
+                                  type: object
+                                type: array
+                              dns:
+                                description: DNS service name for the virtual node.
+                                items:
+                                  properties:
+                                    hostname:
+                                      description: DNS host name for your virtual
+                                        node.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appmesh.aws.upbound.io_virtualrouters.yaml b/package/crds/appmesh.aws.upbound.io_virtualrouters.yaml
index e91e5401ef..f9f79ce39b 100644
--- a/package/crds/appmesh.aws.upbound.io_virtualrouters.yaml
+++ b/package/crds/appmesh.aws.upbound.io_virtualrouters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -191,10 +195,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - spec
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -366,6 +383,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: spec is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)
           status:
             description: VirtualRouterStatus defines the observed state of VirtualRouter.
             properties:
@@ -383,9 +405,51 @@ spec:
                   lastUpdatedDate:
                     description: Last update date of the virtual router.
                     type: string
+                  meshName:
+                    description: Name of the service mesh in which to create the virtual
+                      router. Must be between 1 and 255 characters in length.
+                    type: string
+                  meshOwner:
+                    description: AWS account ID of the service mesh's owner. Defaults
+                      to the account ID the AWS provider is currently connected to.
+                    type: string
+                  name:
+                    description: Name to use for the virtual router. Must be between
+                      1 and 255 characters in length.
+                    type: string
                   resourceOwner:
                     description: Resource owner's AWS account ID.
                     type: string
+                  spec:
+                    description: Virtual router specification to apply.
+                    items:
+                      properties:
+                        listener:
+                          description: configuration block to the spec argument.
+                          items:
+                            properties:
+                              portMapping:
+                                description: Port mapping information for the listener.
+                                items:
+                                  properties:
+                                    port:
+                                      description: Port used for the port mapping.
+                                      type: number
+                                    protocol:
+                                      description: Protocol used for the port mapping.
+                                        Valid values are http,http2, tcp and grpc.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/appmesh.aws.upbound.io_virtualservices.yaml b/package/crds/appmesh.aws.upbound.io_virtualservices.yaml
index 6fea35a854..e333f323a7 100644
--- a/package/crds/appmesh.aws.upbound.io_virtualservices.yaml
+++ b/package/crds/appmesh.aws.upbound.io_virtualservices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -365,10 +369,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - spec
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -540,6 +557,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: spec is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spec)
           status:
             description: VirtualServiceStatus defines the observed state of VirtualService.
             properties:
@@ -557,9 +579,64 @@ spec:
                   lastUpdatedDate:
                     description: Last update date of the virtual service.
                     type: string
+                  meshName:
+                    description: Name of the service mesh in which to create the virtual
+                      service. Must be between 1 and 255 characters in length.
+                    type: string
+                  meshOwner:
+                    description: AWS account ID of the service mesh's owner. Defaults
+                      to the account ID the AWS provider is currently connected to.
+                    type: string
+                  name:
+                    description: Name to use for the virtual service. Must be between
+                      1 and 255 characters in length.
+                    type: string
                   resourceOwner:
                     description: Resource owner's AWS account ID.
                     type: string
+                  spec:
+                    description: Virtual service specification to apply.
+                    items:
+                      properties:
+                        provider:
+                          description: App Mesh object that is acting as the provider
+                            for a virtual service. You can specify a single virtual
+                            node or virtual router.
+                          items:
+                            properties:
+                              virtualNode:
+                                description: Virtual node associated with a virtual
+                                  service.
+                                items:
+                                  properties:
+                                    virtualNodeName:
+                                      description: Name of the virtual node that is
+                                        acting as a service provider. Must be between
+                                        1 and 255 characters in length.
+                                      type: string
+                                  type: object
+                                type: array
+                              virtualRouter:
+                                description: Virtual router associated with a virtual
+                                  service.
+                                items:
+                                  properties:
+                                    virtualRouterName:
+                                      description: Name of the virtual router that
+                                        is acting as a service provider. Must be between
+                                        1 and 255 characters in length.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apprunner.aws.upbound.io_autoscalingconfigurationversions.yaml b/package/crds/apprunner.aws.upbound.io_autoscalingconfigurationversions.yaml
index 48e11b51fa..17fc9bbc31 100644
--- a/package/crds/apprunner.aws.upbound.io_autoscalingconfigurationversions.yaml
+++ b/package/crds/apprunner.aws.upbound.io_autoscalingconfigurationversions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -91,9 +95,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - autoScalingConfigurationName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -265,6 +283,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: autoScalingConfigurationName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.autoScalingConfigurationName)
           status:
             description: AutoScalingConfigurationVersionStatus defines the observed
               state of AutoScalingConfigurationVersion.
@@ -274,6 +295,9 @@ spec:
                   arn:
                     description: ARN of this auto scaling configuration version.
                     type: string
+                  autoScalingConfigurationName:
+                    description: Name of the auto scaling configuration.
+                    type: string
                   autoScalingConfigurationRevision:
                     description: The revision of this auto scaling configuration.
                     type: number
@@ -284,11 +308,29 @@ spec:
                       auto_scaling_configuration_revision among all configurations
                       that share the same auto_scaling_configuration_name.
                     type: boolean
+                  maxConcurrency:
+                    description: Maximal number of concurrent requests that you want
+                      an instance to process. When the number of concurrent requests
+                      goes over this limit, App Runner scales up your service.
+                    type: number
+                  maxSize:
+                    description: Maximal number of instances that App Runner provisions
+                      for your service.
+                    type: number
+                  minSize:
+                    description: Minimal number of instances that App Runner provisions
+                      for your service.
+                    type: number
                   status:
                     description: Current state of the auto scaling configuration.
                       An INACTIVE configuration revision has been deleted and can't
                       be used. It is permanently removed some time after deletion.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apprunner.aws.upbound.io_connections.yaml b/package/crds/apprunner.aws.upbound.io_connections.yaml
index 77ad06bcb6..b48e68680a 100644
--- a/package/crds/apprunner.aws.upbound.io_connections.yaml
+++ b/package/crds/apprunner.aws.upbound.io_connections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -77,9 +81,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - providerType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -251,6 +269,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: providerType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerType)
           status:
             description: ConnectionStatus defines the observed state of Connection.
             properties:
@@ -261,11 +282,19 @@ spec:
                     type: string
                   id:
                     type: string
+                  providerType:
+                    description: 'Source repository provider. Valid values: GITHUB.'
+                    type: string
                   status:
                     description: Current state of the App Runner connection. When
                       the state is AVAILABLE, you can use the connection to create
                       an aws_apprunner_service resource.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apprunner.aws.upbound.io_observabilityconfigurations.yaml b/package/crds/apprunner.aws.upbound.io_observabilityconfigurations.yaml
index 59f8be2bb4..4d5a862f03 100644
--- a/package/crds/apprunner.aws.upbound.io_observabilityconfigurations.yaml
+++ b/package/crds/apprunner.aws.upbound.io_observabilityconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -91,9 +95,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - observabilityConfigurationName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -265,6 +283,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: observabilityConfigurationName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.observabilityConfigurationName)
           status:
             description: ObservabilityConfigurationStatus defines the observed state
               of ObservabilityConfiguration.
@@ -281,6 +302,9 @@ spec:
                       observability_configuration_revision among all configurations
                       that share the same observability_configuration_name.
                     type: boolean
+                  observabilityConfigurationName:
+                    description: Name of the observability configuration.
+                    type: string
                   observabilityConfigurationRevision:
                     description: The revision of this observability configuration.
                     type: number
@@ -289,12 +313,30 @@ spec:
                       An INACTIVE configuration revision has been deleted and can't
                       be used. It is permanently removed some time after deletion.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  traceConfiguration:
+                    description: Configuration of the tracing feature within this
+                      observability configuration. If you don't specify it, App Runner
+                      doesn't enable tracing. See Trace Configuration below for more
+                      details.
+                    items:
+                      properties:
+                        vendor:
+                          description: 'Implementation provider chosen for tracing
+                            App Runner services. Valid values: AWSXRAY.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/apprunner.aws.upbound.io_services.yaml b/package/crds/apprunner.aws.upbound.io_services.yaml
index 785e474093..0505c071d1 100644
--- a/package/crds/apprunner.aws.upbound.io_services.yaml
+++ b/package/crds/apprunner.aws.upbound.io_services.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -649,9 +653,22 @@ spec:
                     type: object
                 required:
                 - region
-                - serviceName
-                - sourceConfiguration
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -823,6 +840,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: serviceName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceName)
+            - message: sourceConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceConfiguration)
           status:
             description: ServiceStatus defines the observed state of Service.
             properties:
@@ -831,19 +853,343 @@ spec:
                   arn:
                     description: ARN of the App Runner service.
                     type: string
+                  autoScalingConfigurationArn:
+                    description: ARN of an App Runner automatic scaling configuration
+                      resource that you want to associate with your service. If not
+                      provided, App Runner associates the latest revision of a default
+                      auto scaling configuration.
+                    type: string
+                  encryptionConfiguration:
+                    description: (Forces new resource) An optional custom encryption
+                      key that App Runner uses to encrypt the copy of your source
+                      repository that it maintains and your service logs. By default,
+                      App Runner uses an AWS managed CMK. See Encryption Configuration
+                      below for more details.
+                    items:
+                      properties:
+                        kmsKey:
+                          description: ARN of the KMS key used for encryption.
+                          type: string
+                      type: object
+                    type: array
+                  healthCheckConfiguration:
+                    description: (Forces new resource) Settings of the health check
+                      that AWS App Runner performs to monitor the health of your service.
+                      See Health Check Configuration below for more details.
+                    items:
+                      properties:
+                        healthyThreshold:
+                          description: Number of consecutive checks that must succeed
+                            before App Runner decides that the service is healthy.
+                            Defaults to 1. Minimum value of 1. Maximum value of 20.
+                          type: number
+                        interval:
+                          description: Time interval, in seconds, between health checks.
+                            Defaults to 5. Minimum value of 1. Maximum value of 20.
+                          type: number
+                        path:
+                          description: URL to send requests to for health checks.
+                            Defaults to /. Minimum length of 0. Maximum length of
+                            51200.
+                          type: string
+                        protocol:
+                          description: 'IP protocol that App Runner uses to perform
+                            health checks for your service. Valid values: TCP, HTTP.
+                            Defaults to TCP. If you set protocol to HTTP, App Runner
+                            sends health check requests to the HTTP path specified
+                            by path.'
+                          type: string
+                        timeout:
+                          description: Time, in seconds, to wait for a health check
+                            response before deciding it failed. Defaults to 2. Minimum
+                            value of  1. Maximum value of 20.
+                          type: number
+                        unhealthyThreshold:
+                          description: Number of consecutive checks that must fail
+                            before App Runner decides that the service is unhealthy.
+                            Defaults to 5. Minimum value of  1. Maximum value of 20.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     type: string
+                  instanceConfiguration:
+                    description: The runtime configuration of instances (scaling units)
+                      of the App Runner service. See Instance Configuration below
+                      for more details.
+                    items:
+                      properties:
+                        cpu:
+                          description: 'Number of CPU units reserved for each instance
+                            of your App Runner service represented as a String. Defaults
+                            to 1024. Valid values: 1024|2048|(1|2) vCPU.'
+                          type: string
+                        instanceRoleArn:
+                          description: ARN of an IAM role that provides permissions
+                            to your App Runner service. These are permissions that
+                            your code needs when it calls any AWS APIs.
+                          type: string
+                        memory:
+                          description: 'Amount of memory, in MB or GB, reserved for
+                            each instance of your App Runner service. Defaults to
+                            2048. Valid values: 2048|3072|4096|(2|3|4) GB.'
+                          type: string
+                      type: object
+                    type: array
+                  networkConfiguration:
+                    description: Configuration settings related to network traffic
+                      of the web application that the App Runner service runs. See
+                      Network Configuration below for more details.
+                    items:
+                      properties:
+                        egressConfiguration:
+                          description: Network configuration settings for outbound
+                            message traffic. See Egress Configuration below for more
+                            details.
+                          items:
+                            properties:
+                              egressType:
+                                description: Type of egress configuration.Set to DEFAULT
+                                  for access to resources hosted on public networks.Set
+                                  to VPC to associate your service to a custom VPC
+                                  specified by VpcConnectorArn.
+                                type: string
+                              vpcConnectorArn:
+                                description: ARN of the App Runner VPC connector that
+                                  you want to associate with your App Runner service.
+                                  Only valid when EgressType = VPC.
+                                type: string
+                            type: object
+                          type: array
+                        ingressConfiguration:
+                          description: Network configuration settings for inbound
+                            network traffic. See Ingress Configuration below for more
+                            details.
+                          items:
+                            properties:
+                              isPubliclyAccessible:
+                                description: Specifies whether your App Runner service
+                                  is publicly accessible. To make the service publicly
+                                  accessible set it to True. To make the service privately
+                                  accessible, from only within an Amazon VPC set it
+                                  to False.
+                                type: boolean
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  observabilityConfiguration:
+                    description: The observability configuration of your service.
+                      See Observability Configuration below for more details.
+                    items:
+                      properties:
+                        observabilityConfigurationArn:
+                          description: ARN of the observability configuration that
+                            is associated with the service. Specified only when observability_enabled
+                            is true.
+                          type: string
+                        observabilityEnabled:
+                          description: When true, an observability configuration resource
+                            is associated with the service.
+                          type: boolean
+                      type: object
+                    type: array
                   serviceId:
                     description: An alphanumeric ID that App Runner generated for
                       this service. Unique within the AWS Region.
                     type: string
+                  serviceName:
+                    description: (Forces new resource) Name of the service.
+                    type: string
                   serviceUrl:
                     description: Subdomain URL that App Runner generated for this
                       service. You can use this URL to access your service web application.
                     type: string
+                  sourceConfiguration:
+                    description: The source to deploy to the App Runner service. Can
+                      be a code or an image repository. See Source Configuration below
+                      for more details.
+                    items:
+                      properties:
+                        authenticationConfiguration:
+                          description: Describes resources needed to authenticate
+                            access to some source repositories. See Authentication
+                            Configuration below for more details.
+                          items:
+                            properties:
+                              accessRoleArn:
+                                description: ARN of the IAM role that grants the App
+                                  Runner service access to a source repository. Required
+                                  for ECR image repositories (but not for ECR Public)
+                                type: string
+                              connectionArn:
+                                description: ARN of the App Runner connection that
+                                  enables the App Runner service to connect to a source
+                                  repository. Required for GitHub code repositories.
+                                type: string
+                            type: object
+                          type: array
+                        autoDeploymentsEnabled:
+                          description: Whether continuous integration from the source
+                            repository is enabled for the App Runner service. If set
+                            to true, each repository change (source code commit or
+                            new image version) starts a deployment. Defaults to true.
+                          type: boolean
+                        codeRepository:
+                          description: Description of a source code repository. See
+                            Code Repository below for more details.
+                          items:
+                            properties:
+                              codeConfiguration:
+                                description: Configuration for building and running
+                                  the service from a source code repository. See Code
+                                  Configuration below for more details.
+                                items:
+                                  properties:
+                                    codeConfigurationValues:
+                                      description: Basic configuration for building
+                                        and running the App Runner service. Use this
+                                        parameter to quickly launch an App Runner
+                                        service without providing an apprunner.yaml
+                                        file in the source code repository (or ignoring
+                                        the file if it exists). See Code Configuration
+                                        Values below for more details.
+                                      items:
+                                        properties:
+                                          buildCommand:
+                                            description: Command App Runner runs to
+                                              build your application.
+                                            type: string
+                                          port:
+                                            description: Port that your application
+                                              listens to in the container. Defaults
+                                              to "8080".
+                                            type: string
+                                          runtime:
+                                            description: 'Runtime environment type
+                                              for building and running an App Runner
+                                              service. Represents a programming language
+                                              runtime. Valid values: PYTHON_3, NODEJS_12,
+                                              NODEJS_14, NODEJS_16, CORRETTO_8, CORRETTO_11,
+                                              GO_1, DOTNET_6, PHP_81, RUBY_31.'
+                                            type: string
+                                          runtimeEnvironmentSecrets:
+                                            additionalProperties:
+                                              type: string
+                                            description: Secrets and parameters available
+                                              to your service as environment variables.
+                                              A map of key/value pairs.
+                                            type: object
+                                          runtimeEnvironmentVariables:
+                                            additionalProperties:
+                                              type: string
+                                            description: Environment variables available
+                                              to your running App Runner service.
+                                              A map of key/value pairs. Keys with
+                                              a prefix of AWSAPPRUNNER are reserved
+                                              for system use and aren't valid.
+                                            type: object
+                                          startCommand:
+                                            description: Command App Runner runs to
+                                              start the application in the source
+                                              image. If specified, this command overrides
+                                              the Docker image’s default start command.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    configurationSource:
+                                      description: 'Source of the App Runner configuration.
+                                        Valid values: REPOSITORY, API. Values are
+                                        interpreted as follows:'
+                                      type: string
+                                  type: object
+                                type: array
+                              repositoryUrl:
+                                description: Location of the repository that contains
+                                  the source code.
+                                type: string
+                              sourceCodeVersion:
+                                description: Version that should be used within the
+                                  source code repository. See Source Code Version
+                                  below for more details.
+                                items:
+                                  properties:
+                                    type:
+                                      description: 'Type of version identifier. For
+                                        a git-based repository, branches represent
+                                        versions. Valid values: BRANCH.'
+                                      type: string
+                                    value:
+                                      description: Source code version. For a git-based
+                                        repository, a branch name maps to a specific
+                                        version. App Runner uses the most recent commit
+                                        to the branch.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        imageRepository:
+                          description: Description of a source image repository. See
+                            Image Repository below for more details.
+                          items:
+                            properties:
+                              imageConfiguration:
+                                description: Configuration for running the identified
+                                  image. See Image Configuration below for more details.
+                                items:
+                                  properties:
+                                    port:
+                                      description: Port that your application listens
+                                        to in the container. Defaults to "8080".
+                                      type: string
+                                    runtimeEnvironmentSecrets:
+                                      additionalProperties:
+                                        type: string
+                                      description: Secrets and parameters available
+                                        to your service as environment variables.
+                                        A map of key/value pairs.
+                                      type: object
+                                    runtimeEnvironmentVariables:
+                                      additionalProperties:
+                                        type: string
+                                      description: Environment variables available
+                                        to your running App Runner service. A map
+                                        of key/value pairs. Keys with a prefix of
+                                        AWSAPPRUNNER are reserved for system use and
+                                        aren't valid.
+                                      type: object
+                                    startCommand:
+                                      description: Command App Runner runs to start
+                                        the application in the source image. If specified,
+                                        this command overrides the Docker image’s
+                                        default start command.
+                                      type: string
+                                  type: object
+                                type: array
+                              imageIdentifier:
+                                description: Identifier of an image. For an image
+                                  in Amazon Elastic Container Registry (Amazon ECR),
+                                  this is an image name. For the image name format,
+                                  see Pulling an image in the Amazon ECR User Guide.
+                                type: string
+                              imageRepositoryType:
+                                description: 'Type of the image repository. This reflects
+                                  the repository provider and whether the repository
+                                  is private or public. Valid values: ECR , ECR_PUBLIC.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   status:
                     description: Current state of the App Runner service.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/apprunner.aws.upbound.io_vpcconnectors.yaml b/package/crds/apprunner.aws.upbound.io_vpcconnectors.yaml
index 157cc49a35..e6b527c87b 100644
--- a/package/crds/apprunner.aws.upbound.io_vpcconnectors.yaml
+++ b/package/crds/apprunner.aws.upbound.io_vpcconnectors.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -249,8 +253,22 @@ spec:
                     type: string
                 required:
                 - region
-                - vpcConnectorName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -422,6 +440,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: vpcConnectorName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcConnectorName)
           status:
             description: VPCConnectorStatus defines the observed state of VPCConnector.
             properties:
@@ -432,18 +453,43 @@ spec:
                     type: string
                   id:
                     type: string
+                  securityGroups:
+                    description: List of IDs of security groups that App Runner should
+                      use for access to AWS resources under the specified subnets.
+                      If not specified, App Runner uses the default security group
+                      of the Amazon VPC. The default security group allows all outbound
+                      traffic.
+                    items:
+                      type: string
+                    type: array
                   status:
                     description: Current state of the VPC connector. If the status
                       of a connector revision is INACTIVE, it was deleted and can't
                       be used. Inactive connector revisions are permanently removed
                       some time after they are deleted.
                     type: string
+                  subnets:
+                    description: List of IDs of subnets that App Runner should use
+                      when it associates your service with a custom Amazon VPC. Specify
+                      IDs of subnets of a single Amazon VPC. App Runner determines
+                      the Amazon VPC from the subnets you specify.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  vpcConnectorName:
+                    description: Name for the VPC connector.
+                    type: string
                   vpcConnectorRevision:
                     description: 'The revision of VPC connector. It''s unique among
                       all the active connectors ("Status": "ACTIVE") that share the
diff --git a/package/crds/appstream.aws.upbound.io_directoryconfigs.yaml b/package/crds/appstream.aws.upbound.io_directoryconfigs.yaml
index 263c4dea4f..b96886481b 100644
--- a/package/crds/appstream.aws.upbound.io_directoryconfigs.yaml
+++ b/package/crds/appstream.aws.upbound.io_directoryconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -114,11 +118,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - directoryName
-                - organizationalUnitDistinguishedNames
                 - region
-                - serviceAccountCredentials
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -290,6 +306,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: directoryName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.directoryName)
+            - message: organizationalUnitDistinguishedNames is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.organizationalUnitDistinguishedNames)
+            - message: serviceAccountCredentials is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceAccountCredentials)
           status:
             description: DirectoryConfigStatus defines the observed state of DirectoryConfig.
             properties:
@@ -299,10 +322,35 @@ spec:
                     description: Date and time, in UTC and extended RFC 3339 format,
                       when the directory config was created.
                     type: string
+                  directoryName:
+                    description: Fully qualified name of the directory.
+                    type: string
                   id:
                     description: Unique identifier (ID) of the appstream directory
                       config.
                     type: string
+                  organizationalUnitDistinguishedNames:
+                    description: Distinguished names of the organizational units for
+                      computer accounts.
+                    items:
+                      type: string
+                    type: array
+                  serviceAccountCredentials:
+                    description: Configuration block for the name of the directory
+                      and organizational unit (OU) to use to join the directory config
+                      to a Microsoft Active Directory domain. See service_account_credentials
+                      below.
+                    items:
+                      properties:
+                        accountName:
+                          description: 'User name of the account. This account must
+                            have the following privileges: create computer objects,
+                            join computers to the domain, and change/reset the password
+                            on descendant computer objects for the organizational
+                            units specified.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appstream.aws.upbound.io_fleet.yaml b/package/crds/appstream.aws.upbound.io_fleet.yaml
index 808bdc9416..1eec5bae5e 100644
--- a/package/crds/appstream.aws.upbound.io_fleet.yaml
+++ b/package/crds/appstream.aws.upbound.io_fleet.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -324,11 +328,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - computeCapacity
-                - instanceType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -500,6 +516,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: computeCapacity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.computeCapacity)
+            - message: instanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: FleetStatus defines the observed state of Fleet.
             properties:
@@ -517,6 +540,9 @@ spec:
                           description: Number of currently available instances that
                             can be used to stream sessions.
                           type: number
+                        desiredInstances:
+                          description: Desired number of streaming instances.
+                          type: number
                         inUse:
                           description: Number of instances in use for streaming.
                           type: number
@@ -530,17 +556,106 @@ spec:
                     description: Date and time, in UTC and extended RFC 3339 format,
                       when the fleet was created.
                     type: string
+                  description:
+                    description: Description to display.
+                    type: string
+                  disconnectTimeoutInSeconds:
+                    description: Amount of time that a streaming session remains active
+                      after users disconnect.
+                    type: number
+                  displayName:
+                    description: Human-readable friendly name for the AppStream fleet.
+                    type: string
+                  domainJoinInfo:
+                    description: Configuration block for the name of the directory
+                      and organizational unit (OU) to use to join the fleet to a Microsoft
+                      Active Directory domain. See below.
+                    items:
+                      properties:
+                        directoryName:
+                          description: Fully qualified name of the directory (for
+                            example, corp.example.com).
+                          type: string
+                        organizationalUnitDistinguishedName:
+                          description: Distinguished name of the organizational unit
+                            for computer accounts.
+                          type: string
+                      type: object
+                    type: array
+                  enableDefaultInternetAccess:
+                    description: Enables or disables default internet access for the
+                      fleet.
+                    type: boolean
+                  fleetType:
+                    description: 'Fleet type. Valid values are: ON_DEMAND, ALWAYS_ON'
+                    type: string
+                  iamRoleArn:
+                    description: ARN of the IAM role to apply to the fleet.
+                    type: string
                   id:
                     description: Unique identifier (ID) of the appstream fleet.
                     type: string
+                  idleDisconnectTimeoutInSeconds:
+                    description: Amount of time that users can be idle (inactive)
+                      before they are disconnected from their streaming session and
+                      the disconnect_timeout_in_seconds time interval begins.
+                    type: number
+                  imageArn:
+                    description: ARN of the public, private, or shared image to use.
+                    type: string
+                  imageName:
+                    description: Name of the image used to create the fleet.
+                    type: string
+                  instanceType:
+                    description: Instance type to use when launching fleet instances.
+                    type: string
+                  maxUserDurationInSeconds:
+                    description: Maximum amount of time that a streaming session can
+                      remain active, in seconds.
+                    type: number
+                  name:
+                    description: Unique name for the fleet.
+                    type: string
                   state:
                     description: State of the fleet. Can be STARTING, RUNNING, STOPPING
                       or STOPPED
                     type: string
+                  streamView:
+                    description: AppStream 2.0 view that is displayed to your users
+                      when they stream from the fleet. When APP is specified, only
+                      the windows of applications opened by users display. When DESKTOP
+                      is specified, the standard desktop that is provided by the operating
+                      system displays. If not specified, defaults to APP.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  vpcConfig:
+                    description: Configuration block for the VPC configuration for
+                      the image builder. See below.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          description: Identifiers of the security groups for the
+                            fleet or image builder.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: Identifiers of the subnets to which a network
+                            interface is attached from the fleet instance or image
+                            builder instance.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appstream.aws.upbound.io_fleetstackassociations.yaml b/package/crds/appstream.aws.upbound.io_fleetstackassociations.yaml
index 3e040320e1..d8242a5863 100644
--- a/package/crds/appstream.aws.upbound.io_fleetstackassociations.yaml
+++ b/package/crds/appstream.aws.upbound.io_fleetstackassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -223,6 +227,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -400,11 +419,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  fleetName:
+                    description: Name of the fleet.
+                    type: string
                   id:
                     description: Unique ID of the appstream stack fleet association,
                       composed of the fleet_name and stack_name separated by a slash
                       (/).
                     type: string
+                  stackName:
+                    description: Name of the stack.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appstream.aws.upbound.io_imagebuilders.yaml b/package/crds/appstream.aws.upbound.io_imagebuilders.yaml
index be170b2faa..0ed3b9166d 100644
--- a/package/crds/appstream.aws.upbound.io_imagebuilders.yaml
+++ b/package/crds/appstream.aws.upbound.io_imagebuilders.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -304,9 +308,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - instanceType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -478,11 +496,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)
           status:
             description: ImageBuilderStatus defines the observed state of ImageBuilder.
             properties:
               atProvider:
                 properties:
+                  accessEndpoint:
+                    description: Set of interface VPC endpoint (interface endpoint)
+                      objects. Maximum of 4. See below.
+                    items:
+                      properties:
+                        endpointType:
+                          description: Type of interface endpoint.
+                          type: string
+                        vpceId:
+                          description: Identifier (ID) of the VPC in which the interface
+                            endpoint is used.
+                          type: string
+                      type: object
+                    type: array
+                  appstreamAgentVersion:
+                    description: Version of the AppStream 2.0 agent to use for this
+                      image builder.
+                    type: string
                   arn:
                     description: ARN of the appstream image builder.
                     type: string
@@ -490,23 +529,84 @@ spec:
                     description: Date and time, in UTC and extended RFC 3339 format,
                       when the image builder was created.
                     type: string
+                  description:
+                    description: Description to display.
+                    type: string
+                  displayName:
+                    description: Human-readable friendly name for the AppStream image
+                      builder.
+                    type: string
+                  domainJoinInfo:
+                    description: Configuration block for the name of the directory
+                      and organizational unit (OU) to use to join the image builder
+                      to a Microsoft Active Directory domain. See below.
+                    items:
+                      properties:
+                        directoryName:
+                          description: Fully qualified name of the directory (for
+                            example, corp.example.com).
+                          type: string
+                        organizationalUnitDistinguishedName:
+                          description: Distinguished name of the organizational unit
+                            for computer accounts.
+                          type: string
+                      type: object
+                    type: array
+                  enableDefaultInternetAccess:
+                    description: Enables or disables default internet access for the
+                      image builder.
+                    type: boolean
+                  iamRoleArn:
+                    description: ARN of the IAM role to apply to the image builder.
+                    type: string
                   id:
                     description: Name of the image builder.
                     type: string
+                  imageArn:
+                    description: ARN of the public, private, or shared image to use.
+                    type: string
                   imageName:
                     description: Name of the image used to create the image builder.
                     type: string
+                  instanceType:
+                    description: Instance type to use when launching the image builder.
+                    type: string
                   state:
                     description: 'State of the image builder. Can be: PENDING, UPDATING_AGENT,
                       RUNNING, STOPPING, STOPPED, REBOOTING, SNAPSHOTTING, DELETING,
                       FAILED, UPDATING, PENDING_QUALIFICATION'
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  vpcConfig:
+                    description: Configuration block for the VPC configuration for
+                      the image builder. See below.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          description: Identifiers of the security groups for the
+                            image builder or image builder.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: Identifiers of the subnets to which a network
+                            interface is attached from the image builder instance
+                            or image builder instance.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appstream.aws.upbound.io_stacks.yaml b/package/crds/appstream.aws.upbound.io_stacks.yaml
index 0eb896576c..f51f332458 100644
--- a/package/crds/appstream.aws.upbound.io_stacks.yaml
+++ b/package/crds/appstream.aws.upbound.io_stacks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -176,9 +180,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -350,11 +368,44 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: StackStatus defines the observed state of Stack.
             properties:
               atProvider:
                 properties:
+                  accessEndpoints:
+                    description: Set of configuration blocks defining the interface
+                      VPC endpoints. Users of the stack can connect to AppStream 2.0
+                      only through the specified endpoints. See access_endpoints below.
+                    items:
+                      properties:
+                        endpointType:
+                          description: Type of the interface endpoint. See the AccessEndpoint
+                            AWS API documentation for valid values.
+                          type: string
+                        vpceId:
+                          description: ID of the VPC in which the interface endpoint
+                            is used.
+                          type: string
+                      type: object
+                    type: array
+                  applicationSettings:
+                    description: Settings for application settings persistence. See
+                      application_settings below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether application settings should be persisted.
+                          type: boolean
+                        settingsGroup:
+                          description: Name of the settings group. Required when enabled
+                            is true. Can be up to 100 characters.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: ARN of the appstream stack.
                     type: string
@@ -362,13 +413,81 @@ spec:
                     description: Date and time, in UTC and extended RFC 3339 format,
                       when the stack was created.
                     type: string
+                  description:
+                    description: Description for the AppStream stack.
+                    type: string
+                  displayName:
+                    description: Stack name to display.
+                    type: string
+                  embedHostDomains:
+                    description: Domains where AppStream 2.0 streaming sessions can
+                      be embedded in an iframe. You must approve the domains that
+                      you want to host embedded AppStream 2.0 streaming sessions.
+                    items:
+                      type: string
+                    type: array
+                  feedbackUrl:
+                    description: URL that users are redirected to after they click
+                      the Send Feedback link. If no URL is specified, no Send Feedback
+                      link is displayed. .
+                    type: string
                   id:
                     description: Unique ID of the appstream stack.
                     type: string
+                  name:
+                    description: Unique name for the AppStream stack.
+                    type: string
+                  redirectUrl:
+                    description: URL that users are redirected to after their streaming
+                      session ends.
+                    type: string
+                  storageConnectors:
+                    description: Configuration block for the storage connectors to
+                      enable. See storage_connectors below.
+                    items:
+                      properties:
+                        connectorType:
+                          description: Type of storage connector. Valid values are
+                            HOMEFOLDERS, GOOGLE_DRIVE, or ONE_DRIVE.
+                          type: string
+                        domains:
+                          description: Names of the domains for the account.
+                          items:
+                            type: string
+                          type: array
+                        resourceIdentifier:
+                          description: ARN of the storage connector.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  userSettings:
+                    description: Configuration block for the actions that are enabled
+                      or disabled for users during their streaming sessions. If not
+                      provided, these settings are configured automatically by AWS.
+                      See user_settings below.
+                    items:
+                      properties:
+                        action:
+                          description: Action that is enabled or disabled. Valid values
+                            are CLIPBOARD_COPY_FROM_LOCAL_DEVICE,  CLIPBOARD_COPY_TO_LOCAL_DEVICE,
+                            FILE_UPLOAD, FILE_DOWNLOAD, PRINTING_TO_LOCAL_DEVICE,
+                            DOMAIN_PASSWORD_SIGNIN, or DOMAIN_SMART_CARD_SIGNIN.
+                          type: string
+                        permission:
+                          description: Whether the action is enabled or disabled.
+                            Valid values are ENABLED or DISABLED.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appstream.aws.upbound.io_users.yaml b/package/crds/appstream.aws.upbound.io_users.yaml
index 60bf9a4eb7..ff9c81d222 100644
--- a/package/crds/appstream.aws.upbound.io_users.yaml
+++ b/package/crds/appstream.aws.upbound.io_users.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -87,6 +91,21 @@ spec:
                 - authenticationType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -266,13 +285,29 @@ spec:
                   arn:
                     description: ARN of the appstream user.
                     type: string
+                  authenticationType:
+                    description: 'Authentication type for the user. You must specify
+                      USERPOOL. Valid values: API, SAML, USERPOOL'
+                    type: string
                   createdTime:
                     description: Date and time, in UTC and extended RFC 3339 format,
                       when the user was created.
                     type: string
+                  enabled:
+                    description: Whether the user in the user pool is enabled.
+                    type: boolean
+                  firstName:
+                    description: First name, or given name, of the user.
+                    type: string
                   id:
                     description: Unique ID of the appstream user.
                     type: string
+                  lastName:
+                    description: Last name, or surname, of the user.
+                    type: string
+                  sendEmailNotification:
+                    description: Send an email notification.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appstream.aws.upbound.io_userstackassociations.yaml b/package/crds/appstream.aws.upbound.io_userstackassociations.yaml
index df2f745f24..ac1a023e35 100644
--- a/package/crds/appstream.aws.upbound.io_userstackassociations.yaml
+++ b/package/crds/appstream.aws.upbound.io_userstackassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -304,6 +308,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -481,9 +500,23 @@ spec:
             properties:
               atProvider:
                 properties:
+                  authenticationType:
+                    description: Authentication type for the user.
+                    type: string
                   id:
                     description: Unique ID of the appstream User Stack association.
                     type: string
+                  sendEmailNotification:
+                    description: Whether a welcome email is sent to a user after the
+                      user is created in the user pool.
+                    type: boolean
+                  stackName:
+                    description: Name of the stack that is associated with the user.
+                    type: string
+                  userName:
+                    description: Email address of the user who is associated with
+                      the stack.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appsync.aws.upbound.io_apicaches.yaml b/package/crds/appsync.aws.upbound.io_apicaches.yaml
index 363bfbf6c8..ee63ac8fd6 100644
--- a/package/crds/appsync.aws.upbound.io_apicaches.yaml
+++ b/package/crds/appsync.aws.upbound.io_apicaches.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,11 +171,23 @@ spec:
                       T2_MEDIUM, R4_LARGE, R4_XLARGE, R4_2XLARGE, R4_4XLARGE, R4_8XLARGE.
                     type: string
                 required:
-                - apiCachingBehavior
                 - region
-                - ttl
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,14 +359,44 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: apiCachingBehavior is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.apiCachingBehavior)
+            - message: ttl is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ttl)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: APICacheStatus defines the observed state of APICache.
             properties:
               atProvider:
                 properties:
+                  apiCachingBehavior:
+                    description: Caching behavior. Valid values are FULL_REQUEST_CACHING
+                      and PER_RESOLVER_CACHING.
+                    type: string
+                  apiId:
+                    description: GraphQL API ID.
+                    type: string
+                  atRestEncryptionEnabled:
+                    description: At-rest encryption flag for cache. You cannot update
+                      this setting after creation.
+                    type: boolean
                   id:
                     description: AppSync API ID.
                     type: string
+                  transitEncryptionEnabled:
+                    description: Transit encryption flag when connecting to cache.
+                      You cannot update this setting after creation.
+                    type: boolean
+                  ttl:
+                    description: TTL in seconds for cache entries.
+                    type: number
+                  type:
+                    description: Cache instance type. Valid values are SMALL, MEDIUM,
+                      LARGE, XLARGE, LARGE_2X, LARGE_4X, LARGE_8X, LARGE_12X, T2_SMALL,
+                      T2_MEDIUM, R4_LARGE, R4_XLARGE, R4_2XLARGE, R4_4XLARGE, R4_8XLARGE.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appsync.aws.upbound.io_apikeys.yaml b/package/crds/appsync.aws.upbound.io_apikeys.yaml
index b34cb5a48d..66ea901873 100644
--- a/package/crds/appsync.aws.upbound.io_apikeys.yaml
+++ b/package/crds/appsync.aws.upbound.io_apikeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,6 +161,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,6 +352,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: ID of the associated AppSync API
+                    type: string
+                  description:
+                    description: API key description.
+                    type: string
+                  expires:
+                    description: RFC3339 string representation of the expiry date.
+                      Rounded down to nearest hour. By default, it is 7 days from
+                      the date of creation.
+                    type: string
                   id:
                     description: API Key ID (Formatted as ApiId:Key)
                     type: string
diff --git a/package/crds/appsync.aws.upbound.io_datasources.yaml b/package/crds/appsync.aws.upbound.io_datasources.yaml
index d532a9dc1d..81a290714f 100644
--- a/package/crds/appsync.aws.upbound.io_datasources.yaml
+++ b/package/crds/appsync.aws.upbound.io_datasources.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -441,8 +445,22 @@ spec:
                     type: string
                 required:
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -614,16 +632,152 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: DatasourceStatus defines the observed state of Datasource.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API ID for the GraphQL API for the data source.
+                    type: string
                   arn:
                     description: ARN
                     type: string
+                  description:
+                    description: Description of the data source.
+                    type: string
+                  dynamodbConfig:
+                    description: DynamoDB settings. See below
+                    items:
+                      properties:
+                        deltaSyncConfig:
+                          items:
+                            properties:
+                              baseTableTtl:
+                                type: number
+                              deltaSyncTableName:
+                                description: User-supplied name for the data source.
+                                type: string
+                              deltaSyncTableTtl:
+                                type: number
+                            type: object
+                          type: array
+                        region:
+                          description: AWS region of the DynamoDB table. Defaults
+                            to current region.
+                          type: string
+                        tableName:
+                          description: Name of the DynamoDB table.
+                          type: string
+                        useCallerCredentials:
+                          description: Set to true to use Amazon Cognito credentials
+                            with this data source.
+                          type: boolean
+                        versioned:
+                          type: boolean
+                      type: object
+                    type: array
+                  elasticsearchConfig:
+                    description: Amazon Elasticsearch settings. See below
+                    items:
+                      properties:
+                        endpoint:
+                          description: HTTP endpoint of the Elasticsearch domain.
+                          type: string
+                        region:
+                          description: AWS region of Elasticsearch domain. Defaults
+                            to current region.
+                          type: string
+                      type: object
+                    type: array
+                  httpConfig:
+                    description: HTTP settings. See below
+                    items:
+                      properties:
+                        authorizationConfig:
+                          description: Authorization configuration in case the HTTP
+                            endpoint requires authorization. See Authorization Config.
+                          items:
+                            properties:
+                              authorizationType:
+                                description: Authorization type that the HTTP endpoint
+                                  requires. Default values is AWS_IAM.
+                                type: string
+                              awsIamConfig:
+                                description: Identity and Access Management (IAM)
+                                  settings. See AWS IAM Config.
+                                items:
+                                  properties:
+                                    signingRegion:
+                                      description: Signing Amazon Web Services Region
+                                        for IAM authorization.
+                                      type: string
+                                    signingServiceName:
+                                      description: Signing service name for IAM authorization.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        endpoint:
+                          description: HTTP URL.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  lambdaConfig:
+                    description: AWS Lambda settings. See below
+                    items:
+                      properties:
+                        functionArn:
+                          description: ARN for the Lambda function.
+                          type: string
+                      type: object
+                    type: array
+                  relationalDatabaseConfig:
+                    description: AWS RDS settings. See Relational Database Config
+                    items:
+                      properties:
+                        httpEndpointConfig:
+                          description: Amazon RDS HTTP endpoint configuration. See
+                            HTTP Endpoint Config.
+                          items:
+                            properties:
+                              awsSecretStoreArn:
+                                description: AWS secret store ARN for database credentials.
+                                type: string
+                              databaseName:
+                                description: Logical database name.
+                                type: string
+                              dbClusterIdentifier:
+                                description: Amazon RDS cluster identifier.
+                                type: string
+                              region:
+                                description: AWS Region for RDS HTTP endpoint. Defaults
+                                  to current region.
+                                type: string
+                              schema:
+                                description: Logical schema name.
+                                type: string
+                            type: object
+                          type: array
+                        sourceType:
+                          description: 'Source type for the relational database. Valid
+                            values: RDS_HTTP_ENDPOINT.'
+                          type: string
+                      type: object
+                    type: array
+                  serviceRoleArn:
+                    description: IAM service role ARN for the data source.
+                    type: string
+                  type:
+                    description: 'Type of the Data Source. Valid values: AWS_LAMBDA,
+                      AMAZON_DYNAMODB, AMAZON_ELASTICSEARCH, HTTP, NONE, RELATIONAL_DATABASE.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appsync.aws.upbound.io_functions.yaml b/package/crds/appsync.aws.upbound.io_functions.yaml
index b13131ac4d..153af9a94c 100644
--- a/package/crds/appsync.aws.upbound.io_functions.yaml
+++ b/package/crds/appsync.aws.upbound.io_functions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -301,9 +305,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -475,20 +493,102 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: FunctionStatus defines the observed state of Function.
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: ID of the associated AppSync API.
+                    type: string
                   arn:
                     description: ARN of the Function object.
                     type: string
+                  code:
+                    description: The function code that contains the request and response
+                      functions. When code is used, the runtime is required. The runtime
+                      value must be APPSYNC_JS.
+                    type: string
+                  dataSource:
+                    description: Function data source name.
+                    type: string
+                  description:
+                    description: Function description.
+                    type: string
                   functionId:
                     description: Unique ID representing the Function object.
                     type: string
+                  functionVersion:
+                    description: Version of the request mapping template. Currently
+                      the supported value is 2018-05-29. Does not apply when specifying
+                      code.
+                    type: string
                   id:
                     description: API Function ID (Formatted as ApiId-FunctionId)
                     type: string
+                  maxBatchSize:
+                    description: Maximum batching size for a resolver. Valid values
+                      are between 0 and 2000.
+                    type: number
+                  name:
+                    description: Function name. The function name does not have to
+                      be unique.
+                    type: string
+                  requestMappingTemplate:
+                    description: Function request mapping template. Functions support
+                      only the 2018-05-29 version of the request mapping template.
+                    type: string
+                  responseMappingTemplate:
+                    description: Function response mapping template.
+                    type: string
+                  runtime:
+                    description: Describes a runtime used by an AWS AppSync pipeline
+                      resolver or AWS AppSync function. Specifies the name and version
+                      of the runtime to use. Note that if a runtime is specified,
+                      code must also be specified. See Runtime.
+                    items:
+                      properties:
+                        name:
+                          description: Function name. The function name does not have
+                            to be unique.
+                          type: string
+                        runtimeVersion:
+                          description: The version of the runtime to use. Currently,
+                            the only allowed version is 1.0.0.
+                          type: string
+                      type: object
+                    type: array
+                  syncConfig:
+                    description: Describes a Sync configuration for a resolver. See
+                      Sync Config.
+                    items:
+                      properties:
+                        conflictDetection:
+                          description: Conflict Detection strategy to use. Valid values
+                            are NONE and VERSION.
+                          type: string
+                        conflictHandler:
+                          description: Conflict Resolution strategy to perform in
+                            the event of a conflict. Valid values are NONE, OPTIMISTIC_CONCURRENCY,
+                            AUTOMERGE, and LAMBDA.
+                          type: string
+                        lambdaConflictHandlerConfig:
+                          description: Lambda Conflict Handler Config when configuring
+                            LAMBDA as the Conflict Handler. See Lambda Conflict Handler
+                            Config.
+                          items:
+                            properties:
+                              lambdaConflictHandlerArn:
+                                description: ARN for the Lambda function to use as
+                                  the Conflict Handler.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appsync.aws.upbound.io_graphqlapis.yaml b/package/crds/appsync.aws.upbound.io_graphqlapis.yaml
index 095147ab2a..0de1e35bdd 100644
--- a/package/crds/appsync.aws.upbound.io_graphqlapis.yaml
+++ b/package/crds/appsync.aws.upbound.io_graphqlapis.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -438,10 +442,23 @@ spec:
                       false.
                     type: boolean
                 required:
-                - authenticationType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -613,17 +630,195 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authenticationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authenticationType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: GraphQLAPIStatus defines the observed state of GraphQLAPI.
             properties:
               atProvider:
                 properties:
+                  additionalAuthenticationProvider:
+                    description: One or more additional authentication providers for
+                      the GraphqlApi. Defined below.
+                    items:
+                      properties:
+                        authenticationType:
+                          description: 'Authentication type. Valid values: API_KEY,
+                            AWS_IAM, AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA'
+                          type: string
+                        lambdaAuthorizerConfig:
+                          description: Nested argument containing Lambda authorizer
+                            configuration. Defined below.
+                          items:
+                            properties:
+                              authorizerResultTtlInSeconds:
+                                description: Number of seconds a response should be
+                                  cached for. The default is 5 minutes (300 seconds).
+                                  The Lambda function can override this by returning
+                                  a ttlOverride key in its response. A value of 0
+                                  disables caching of responses. Minimum value of
+                                  0. Maximum value of 3600.
+                                type: number
+                              authorizerUri:
+                                description: 'ARN of the Lambda function to be called
+                                  for authorization. Note: This Lambda function must
+                                  have a resource-based policy assigned to it, to
+                                  allow lambda:InvokeFunction from service principal
+                                  appsync.amazonaws.com.'
+                                type: string
+                              identityValidationExpression:
+                                description: Regular expression for validation of
+                                  tokens before the Lambda function is called.
+                                type: string
+                            type: object
+                          type: array
+                        openidConnectConfig:
+                          description: Nested argument containing OpenID Connect configuration.
+                            Defined below.
+                          items:
+                            properties:
+                              authTtl:
+                                description: Number of milliseconds a token is valid
+                                  after being authenticated.
+                                type: number
+                              clientId:
+                                description: Client identifier of the Relying party
+                                  at the OpenID identity provider. This identifier
+                                  is typically obtained when the Relying party is
+                                  registered with the OpenID identity provider. You
+                                  can specify a regular expression so the AWS AppSync
+                                  can validate against multiple client identifiers
+                                  at a time.
+                                type: string
+                              iatTtl:
+                                description: Number of milliseconds a token is valid
+                                  after being issued to a user.
+                                type: number
+                              issuer:
+                                description: Issuer for the OpenID Connect configuration.
+                                  The issuer returned by discovery MUST exactly match
+                                  the value of iss in the ID Token.
+                                type: string
+                            type: object
+                          type: array
+                        userPoolConfig:
+                          description: Amazon Cognito User Pool configuration. Defined
+                            below.
+                          items:
+                            properties:
+                              appIdClientRegex:
+                                description: Regular expression for validating the
+                                  incoming Amazon Cognito User Pool app client ID.
+                                type: string
+                              awsRegion:
+                                description: AWS region in which the user pool was
+                                  created.
+                                type: string
+                              userPoolId:
+                                description: User pool ID.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   arn:
                     description: ARN
                     type: string
+                  authenticationType:
+                    description: 'Authentication type. Valid values: API_KEY, AWS_IAM,
+                      AMAZON_COGNITO_USER_POOLS, OPENID_CONNECT, AWS_LAMBDA'
+                    type: string
                   id:
                     description: API ID
                     type: string
+                  lambdaAuthorizerConfig:
+                    description: Nested argument containing Lambda authorizer configuration.
+                      Defined below.
+                    items:
+                      properties:
+                        authorizerResultTtlInSeconds:
+                          description: Number of seconds a response should be cached
+                            for. The default is 5 minutes (300 seconds). The Lambda
+                            function can override this by returning a ttlOverride
+                            key in its response. A value of 0 disables caching of
+                            responses. Minimum value of 0. Maximum value of 3600.
+                          type: number
+                        authorizerUri:
+                          description: 'ARN of the Lambda function to be called for
+                            authorization. Note: This Lambda function must have a
+                            resource-based policy assigned to it, to allow lambda:InvokeFunction
+                            from service principal appsync.amazonaws.com.'
+                          type: string
+                        identityValidationExpression:
+                          description: Regular expression for validation of tokens
+                            before the Lambda function is called.
+                          type: string
+                      type: object
+                    type: array
+                  logConfig:
+                    description: Nested argument containing logging configuration.
+                      Defined below.
+                    items:
+                      properties:
+                        cloudwatchLogsRoleArn:
+                          description: Amazon Resource Name of the service role that
+                            AWS AppSync will assume to publish to Amazon CloudWatch
+                            logs in your account.
+                          type: string
+                        excludeVerboseContent:
+                          description: 'Set to TRUE to exclude sections that contain
+                            information such as headers, context, and evaluated mapping
+                            templates, regardless of logging  level. Valid values:
+                            true, false. Default value: false'
+                          type: boolean
+                        fieldLogLevel:
+                          description: 'Field logging level. Valid values: ALL, ERROR,
+                            NONE.'
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: User-supplied name for the GraphqlApi.
+                    type: string
+                  openidConnectConfig:
+                    description: Nested argument containing OpenID Connect configuration.
+                      Defined below.
+                    items:
+                      properties:
+                        authTtl:
+                          description: Number of milliseconds a token is valid after
+                            being authenticated.
+                          type: number
+                        clientId:
+                          description: Client identifier of the Relying party at the
+                            OpenID identity provider. This identifier is typically
+                            obtained when the Relying party is registered with the
+                            OpenID identity provider. You can specify a regular expression
+                            so the AWS AppSync can validate against multiple client
+                            identifiers at a time.
+                          type: string
+                        iatTtl:
+                          description: Number of milliseconds a token is valid after
+                            being issued to a user.
+                          type: number
+                        issuer:
+                          description: Issuer for the OpenID Connect configuration.
+                            The issuer returned by discovery MUST exactly match the
+                            value of iss in the ID Token.
+                          type: string
+                      type: object
+                    type: array
+                  schema:
+                    description: Schema definition, in GraphQL schema language format.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -636,6 +831,32 @@ spec:
                     description: Map of URIs associated with the APIE.g., uris["GRAPHQL"]
                       = https://ID.appsync-api.REGION.amazonaws.com/graphql
                     type: object
+                  userPoolConfig:
+                    description: Amazon Cognito User Pool configuration. Defined below.
+                    items:
+                      properties:
+                        appIdClientRegex:
+                          description: Regular expression for validating the incoming
+                            Amazon Cognito User Pool app client ID.
+                          type: string
+                        awsRegion:
+                          description: AWS region in which the user pool was created.
+                          type: string
+                        defaultAction:
+                          description: 'Action that you want your GraphQL API to take
+                            when a request that uses Amazon Cognito User Pool authentication
+                            doesn''t match the Amazon Cognito User Pool configuration.
+                            Valid: ALLOW and DENY'
+                          type: string
+                        userPoolId:
+                          description: User pool ID.
+                          type: string
+                      type: object
+                    type: array
+                  xrayEnabled:
+                    description: Whether tracing with X-ray is enabled. Defaults to
+                      false.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/appsync.aws.upbound.io_resolvers.yaml b/package/crds/appsync.aws.upbound.io_resolvers.yaml
index e0707530a7..aa6a0fedd0 100644
--- a/package/crds/appsync.aws.upbound.io_resolvers.yaml
+++ b/package/crds/appsync.aws.upbound.io_resolvers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -337,6 +341,21 @@ spec:
                 - region
                 - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -513,11 +532,122 @@ spec:
             properties:
               atProvider:
                 properties:
+                  apiId:
+                    description: API ID for the GraphQL API.
+                    type: string
                   arn:
                     description: ARN
                     type: string
+                  cachingConfig:
+                    description: The Caching Config. See Caching Config.
+                    items:
+                      properties:
+                        cachingKeys:
+                          description: The caching keys for a resolver that has caching
+                            activated. Valid values are entries from the $context.arguments,
+                            $context.source, and $context.identity maps.
+                          items:
+                            type: string
+                          type: array
+                        ttl:
+                          description: The TTL in seconds for a resolver that has
+                            caching activated. Valid values are between 1 and 3600
+                            seconds.
+                          type: number
+                      type: object
+                    type: array
+                  code:
+                    description: The function code that contains the request and response
+                      functions. When code is used, the runtime is required. The runtime
+                      value must be APPSYNC_JS.
+                    type: string
+                  dataSource:
+                    description: Data source name.
+                    type: string
+                  field:
+                    description: Field name from the schema defined in the GraphQL
+                      API.
+                    type: string
                   id:
                     type: string
+                  kind:
+                    description: Resolver type. Valid values are UNIT and PIPELINE.
+                    type: string
+                  maxBatchSize:
+                    description: Maximum batching size for a resolver. Valid values
+                      are between 0 and 2000.
+                    type: number
+                  pipelineConfig:
+                    description: The caching configuration for the resolver. See Pipeline
+                      Config.
+                    items:
+                      properties:
+                        functions:
+                          description: A list of Function objects.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  requestTemplate:
+                    description: Request mapping template for UNIT resolver or 'before
+                      mapping template' for PIPELINE resolver. Required for non-Lambda
+                      resolvers.
+                    type: string
+                  responseTemplate:
+                    description: Response mapping template for UNIT resolver or 'after
+                      mapping template' for PIPELINE resolver. Required for non-Lambda
+                      resolvers.
+                    type: string
+                  runtime:
+                    description: Describes a runtime used by an AWS AppSync pipeline
+                      resolver or AWS AppSync function. Specifies the name and version
+                      of the runtime to use. Note that if a runtime is specified,
+                      code must also be specified. See Runtime.
+                    items:
+                      properties:
+                        name:
+                          description: The name of the runtime to use. Currently,
+                            the only allowed value is APPSYNC_JS.
+                          type: string
+                        runtimeVersion:
+                          description: The version of the runtime to use. Currently,
+                            the only allowed version is 1.0.0.
+                          type: string
+                      type: object
+                    type: array
+                  syncConfig:
+                    description: Describes a Sync configuration for a resolver. See
+                      Sync Config.
+                    items:
+                      properties:
+                        conflictDetection:
+                          description: Conflict Detection strategy to use. Valid values
+                            are NONE and VERSION.
+                          type: string
+                        conflictHandler:
+                          description: Conflict Resolution strategy to perform in
+                            the event of a conflict. Valid values are NONE, OPTIMISTIC_CONCURRENCY,
+                            AUTOMERGE, and LAMBDA.
+                          type: string
+                        lambdaConflictHandlerConfig:
+                          description: Lambda Conflict Handler Config when configuring
+                            LAMBDA as the Conflict Handler. See Lambda Conflict Handler
+                            Config.
+                          items:
+                            properties:
+                              lambdaConflictHandlerArn:
+                                description: ARN for the Lambda function to use as
+                                  the Conflict Handler.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  type:
+                    description: Type name from the schema defined in the GraphQL
+                      API.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/athena.aws.upbound.io_databases.yaml b/package/crds/athena.aws.upbound.io_databases.yaml
index d8eec62aed..9f04eea5fa 100644
--- a/package/crds/athena.aws.upbound.io_databases.yaml
+++ b/package/crds/athena.aws.upbound.io_databases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -196,6 +200,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -372,9 +391,57 @@ spec:
             properties:
               atProvider:
                 properties:
+                  aclConfiguration:
+                    description: That an Amazon S3 canned ACL should be set to control
+                      ownership of stored query results. See ACL Configuration below.
+                    items:
+                      properties:
+                        s3AclOption:
+                          description: Amazon S3 canned ACL that Athena should specify
+                            when storing query results. Valid value is BUCKET_OWNER_FULL_CONTROL.
+                          type: string
+                      type: object
+                    type: array
+                  bucket:
+                    description: Name of S3 bucket to save the results of the query
+                      execution.
+                    type: string
+                  comment:
+                    description: Description of the database.
+                    type: string
+                  encryptionConfiguration:
+                    description: Encryption key block AWS Athena uses to decrypt the
+                      data in S3, such as an AWS Key Management Service (AWS KMS)
+                      key. See Encryption Configuration below.
+                    items:
+                      properties:
+                        encryptionOption:
+                          description: Type of key; one of SSE_S3, SSE_KMS, CSE_KMS
+                          type: string
+                        kmsKey:
+                          description: KMS key ARN or ID; required for key types SSE_KMS
+                            and CSE_KMS.
+                          type: string
+                      type: object
+                    type: array
+                  expectedBucketOwner:
+                    description: AWS account ID that you expect to be the owner of
+                      the Amazon S3 bucket.
+                    type: string
+                  forceDestroy:
+                    description: Boolean that indicates all tables should be deleted
+                      from the database so that the database can be destroyed without
+                      error. The tables are not recoverable.
+                    type: boolean
                   id:
                     description: Database name
                     type: string
+                  properties:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of custom metadata properties for the
+                      database definition.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/athena.aws.upbound.io_datacatalogs.yaml b/package/crds/athena.aws.upbound.io_datacatalogs.yaml
index cdb753158b..217b2b1833 100644
--- a/package/crds/athena.aws.upbound.io_datacatalogs.yaml
+++ b/package/crds/athena.aws.upbound.io_datacatalogs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -88,11 +92,23 @@ spec:
                       GLUE for AWS Glue Catalog, or HIVE for an external hive metastore.'
                     type: string
                 required:
-                - description
-                - parameters
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -264,6 +280,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: parameters is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parameters)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: DataCatalogStatus defines the observed state of DataCatalog.
             properties:
@@ -272,15 +295,34 @@ spec:
                   arn:
                     description: ARN of the data catalog.
                     type: string
+                  description:
+                    description: Description of the data catalog.
+                    type: string
                   id:
                     description: Name of the data catalog.
                     type: string
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: Key value pairs that specifies the Lambda function
+                      or functions to use for the data catalog. The mapping used depends
+                      on the catalog type.
+                    type: object
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  type:
+                    description: 'Type of data catalog: LAMBDA for a federated catalog,
+                      GLUE for AWS Glue Catalog, or HIVE for an external hive metastore.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/athena.aws.upbound.io_namedqueries.yaml b/package/crds/athena.aws.upbound.io_namedqueries.yaml
index 7c48f9e330..19fb3d2bf3 100644
--- a/package/crds/athena.aws.upbound.io_namedqueries.yaml
+++ b/package/crds/athena.aws.upbound.io_namedqueries.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -234,10 +238,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
-                - query
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -409,14 +426,38 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: query is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.query)
           status:
             description: NamedQueryStatus defines the observed state of NamedQuery.
             properties:
               atProvider:
                 properties:
+                  database:
+                    description: Database to which the query belongs.
+                    type: string
+                  description:
+                    description: Brief explanation of the query. Maximum length of
+                      1024.
+                    type: string
                   id:
                     description: Unique ID of the query.
                     type: string
+                  name:
+                    description: Plain language name for the query. Maximum length
+                      of 128.
+                    type: string
+                  query:
+                    description: Text of the query itself. In other words, all query
+                      statements. Maximum length of 262144.
+                    type: string
+                  workgroup:
+                    description: Workgroup to which the query belongs. Defaults to
+                      primary
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/athena.aws.upbound.io_workgroups.yaml b/package/crds/athena.aws.upbound.io_workgroups.yaml
index 9d81b67497..bbc10f9666 100644
--- a/package/crds/athena.aws.upbound.io_workgroups.yaml
+++ b/package/crds/athena.aws.upbound.io_workgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -274,6 +278,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -458,6 +477,17 @@ spec:
                       workgroup. Documented below.
                     items:
                       properties:
+                        bytesScannedCutoffPerQuery:
+                          description: Integer for the upper data usage limit (cutoff)
+                            for the amount of bytes a single query in a workgroup
+                            is allowed to scan. Must be at least 10485760.
+                          type: number
+                        enforceWorkgroupConfiguration:
+                          description: Boolean whether the settings for the workgroup
+                            override client-side settings. For more information, see
+                            Workgroup Settings Override Client-Side Settings. Defaults
+                            to true.
+                          type: boolean
                         engineVersion:
                           description: Configuration block for the Athena Engine Versioning.
                             For more information, see Athena Engine Versioning. See
@@ -469,13 +499,104 @@ spec:
                                   runs. If selected_engine_version is set to AUTO,
                                   the effective engine version is chosen by Athena.
                                 type: string
+                              selectedEngineVersion:
+                                description: Requested engine version. Defaults to
+                                  AUTO.
+                                type: string
+                            type: object
+                          type: array
+                        executionRole:
+                          description: Role used in a notebook session for accessing
+                            the user's resources.
+                          type: string
+                        publishCloudwatchMetricsEnabled:
+                          description: Boolean whether Amazon CloudWatch metrics are
+                            enabled for the workgroup. Defaults to true.
+                          type: boolean
+                        requesterPaysEnabled:
+                          description: If set to true , allows members assigned to
+                            a workgroup to reference Amazon S3 Requester Pays buckets
+                            in queries. If set to false , workgroup members cannot
+                            query data from Requester Pays buckets, and queries that
+                            retrieve data from Requester Pays buckets cause an error.
+                            The default is false . For more information about Requester
+                            Pays buckets, see Requester Pays Buckets in the Amazon
+                            Simple Storage Service Developer Guide.
+                          type: boolean
+                        resultConfiguration:
+                          description: Configuration block with result settings. See
+                            Result Configuration below.
+                          items:
+                            properties:
+                              aclConfiguration:
+                                description: That an Amazon S3 canned ACL should be
+                                  set to control ownership of stored query results.
+                                  See ACL Configuration below.
+                                items:
+                                  properties:
+                                    s3AclOption:
+                                      description: Amazon S3 canned ACL that Athena
+                                        should specify when storing query results.
+                                        Valid value is BUCKET_OWNER_FULL_CONTROL.
+                                      type: string
+                                  type: object
+                                type: array
+                              encryptionConfiguration:
+                                description: Configuration block with encryption settings.
+                                  See Encryption Configuration below.
+                                items:
+                                  properties:
+                                    encryptionOption:
+                                      description: Whether Amazon S3 server-side encryption
+                                        with Amazon S3-managed keys (SSE_S3), server-side
+                                        encryption with KMS-managed keys (SSE_KMS),
+                                        or client-side encryption with KMS-managed
+                                        keys (CSE_KMS) is used. If a query runs in
+                                        a workgroup and the workgroup overrides client-side
+                                        settings, then the workgroup's setting for
+                                        encryption is used. It specifies whether query
+                                        results must be encrypted, for all queries
+                                        that run in this workgroup.
+                                      type: string
+                                    kmsKeyArn:
+                                      description: For SSE_KMS and CSE_KMS, this is
+                                        the KMS key ARN.
+                                      type: string
+                                  type: object
+                                type: array
+                              expectedBucketOwner:
+                                description: AWS account ID that you expect to be
+                                  the owner of the Amazon S3 bucket.
+                                type: string
+                              outputLocation:
+                                description: Location in Amazon S3 where your query
+                                  results are stored, such as s3://path/to/query/bucket/.
+                                  For more information, see Queries and Query Result
+                                  Files.
+                                type: string
                             type: object
                           type: array
                       type: object
                     type: array
+                  description:
+                    description: Description of the workgroup.
+                    type: string
+                  forceDestroy:
+                    description: Option to delete the workgroup and its contents even
+                      if the workgroup contains any named queries.
+                    type: boolean
                   id:
                     description: Workgroup name
                     type: string
+                  state:
+                    description: State of the workgroup. Valid values are DISABLED
+                      or ENABLED. Defaults to ENABLED.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/autoscaling.aws.upbound.io_attachments.yaml b/package/crds/autoscaling.aws.upbound.io_attachments.yaml
index cedfc5061d..628d2a7f36 100644
--- a/package/crds/autoscaling.aws.upbound.io_attachments.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_attachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -379,6 +383,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -555,8 +574,20 @@ spec:
             properties:
               atProvider:
                 properties:
+                  albTargetGroupArn:
+                    description: ARN of an ALB Target Group.
+                    type: string
+                  autoscalingGroupName:
+                    description: Name of ASG to associate with the ELB.
+                    type: string
+                  elb:
+                    description: Name of the ELB.
+                    type: string
                   id:
                     type: string
+                  lbTargetGroupArn:
+                    description: ARN of a load balancer target group.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/autoscaling.aws.upbound.io_autoscalinggroups.yaml b/package/crds/autoscaling.aws.upbound.io_autoscalinggroups.yaml
index fff723d4e9..ca9ecc5558 100644
--- a/package/crds/autoscaling.aws.upbound.io_autoscalinggroups.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_autoscalinggroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1279,10 +1283,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - maxSize
-                - minSize
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1454,6 +1471,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: maxSize is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxSize)
+            - message: minSize is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.minSize)
           status:
             description: AutoscalingGroupStatus defines the observed state of AutoscalingGroup.
             properties:
@@ -1462,9 +1484,179 @@ spec:
                   arn:
                     description: ARN for this Auto Scaling Group
                     type: string
+                  availabilityZones:
+                    description: List of one or more availability zones for the group.
+                      Used for EC2-Classic, attaching a network interface via id from
+                      a launch template and default subnets when not specified with
+                      vpc_zone_identifier argument. Conflicts with vpc_zone_identifier.
+                    items:
+                      type: string
+                    type: array
+                  capacityRebalance:
+                    description: Whether capacity rebalance is enabled. Otherwise,
+                      capacity rebalance is disabled.
+                    type: boolean
+                  context:
+                    description: Reserved.
+                    type: string
+                  defaultCooldown:
+                    description: Amount of time, in seconds, after a scaling activity
+                      completes before another scaling activity can start.
+                    type: number
+                  defaultInstanceWarmup:
+                    description: Amount of time, in seconds, until a newly launched
+                      instance can contribute to the Amazon CloudWatch metrics. This
+                      delay lets an instance finish initializing before Amazon EC2
+                      Auto Scaling aggregates instance metrics, resulting in more
+                      reliable usage data. Set this value equal to the amount of time
+                      that it takes for resource consumption to become stable after
+                      an instance reaches the InService state. (See Set the default
+                      instance warmup for an Auto Scaling group)
+                    type: number
+                  desiredCapacity:
+                    description: Number of Amazon EC2 instances that should be running
+                      in the group. (See also Waiting for Capacity below.)
+                    type: number
+                  desiredCapacityType:
+                    description: 'The unit of measurement for the value specified
+                      for desired_capacity. Supported for attribute-based instance
+                      type selection only. Valid values: "units", "vcpu", "memory-mib".'
+                    type: string
+                  enabledMetrics:
+                    description: List of metrics to collect. The allowed values are
+                      defined by the underlying AWS API.
+                    items:
+                      type: string
+                    type: array
+                  forceDelete:
+                    description: Allows deleting the Auto Scaling Group without waiting
+                      for all instances in the pool to terminate.  You can force an
+                      Auto Scaling Group to delete even if it's in the process of
+                      scaling a resource.  This bypasses that behavior and potentially
+                      leaves resources dangling.
+                    type: boolean
+                  forceDeleteWarmPool:
+                    description: If this block is configured, add a Warm Pool to the
+                      specified Auto Scaling group. Defined below
+                    type: boolean
+                  healthCheckGracePeriod:
+                    description: Time (in seconds) after instance comes into service
+                      before checking health.
+                    type: number
+                  healthCheckType:
+                    description: '"EC2" or "ELB". Controls how health checking is
+                      done.'
+                    type: string
                   id:
                     description: Auto Scaling Group id.
                     type: string
+                  initialLifecycleHook:
+                    description: One or more Lifecycle Hooks to attach to the Auto
+                      Scaling Group before instances are launched. The syntax is exactly
+                      the same as the separate aws_autoscaling_lifecycle_hook resource,
+                      without the autoscaling_group_name attribute. Please note that
+                      this will only work when creating a new Auto Scaling Group.
+                      For all other use-cases, please use aws_autoscaling_lifecycle_hook
+                      resource.
+                    items:
+                      properties:
+                        defaultResult:
+                          type: string
+                        heartbeatTimeout:
+                          type: number
+                        lifecycleTransition:
+                          type: string
+                        name:
+                          description: Name of the Auto Scaling Group. Conflicts with
+                            name_prefix.
+                          type: string
+                        notificationMetadata:
+                          type: string
+                        notificationTargetArn:
+                          description: ARN for this Auto Scaling Group
+                          type: string
+                        roleArn:
+                          description: ARN for this Auto Scaling Group
+                          type: string
+                      type: object
+                    type: array
+                  instanceRefresh:
+                    description: If this block is configured, start an Instance Refresh
+                      when this Auto Scaling Group is updated. Defined below.
+                    items:
+                      properties:
+                        preferences:
+                          description: Override default parameters for Instance Refresh.
+                          items:
+                            properties:
+                              checkpointDelay:
+                                description: Number of seconds to wait after a checkpoint.
+                                  Defaults to 3600.
+                                type: string
+                              checkpointPercentages:
+                                description: List of percentages for each checkpoint.
+                                  Values must be unique and in ascending order. To
+                                  replace all instances, the final number must be
+                                  100.
+                                items:
+                                  type: number
+                                type: array
+                              instanceWarmup:
+                                description: Number of seconds until a newly launched
+                                  instance is configured and ready to use. Default
+                                  behavior is to use the Auto Scaling Group's health
+                                  check grace period.
+                                type: string
+                              minHealthyPercentage:
+                                description: Amount of capacity in the Auto Scaling
+                                  group that must remain healthy during an instance
+                                  refresh to allow the operation to continue, as a
+                                  percentage of the desired capacity of the Auto Scaling
+                                  group. Defaults to 90.
+                                type: number
+                              skipMatching:
+                                description: Replace instances that already have your
+                                  desired configuration. Defaults to false.
+                                type: boolean
+                            type: object
+                          type: array
+                        strategy:
+                          description: Strategy to use for instance refresh. The only
+                            allowed value is Rolling. See StartInstanceRefresh Action
+                            for more information.
+                          type: string
+                        triggers:
+                          description: Set of additional property names that will
+                            trigger an Instance Refresh. A refresh will always be
+                            triggered by a change in any of launch_configuration,
+                            launch_template, or mixed_instances_policy.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  launchConfiguration:
+                    description: Name of the launch configuration to use.
+                    type: string
+                  launchTemplate:
+                    description: Nested argument with Launch template specification
+                      to use to launch instances. See Launch Template below for more
+                      details.
+                    items:
+                      properties:
+                        id:
+                          description: ID of the launch template. Conflicts with name.
+                          type: string
+                        name:
+                          description: Name of the launch template. Conflicts with
+                            id.
+                          type: string
+                        version:
+                          description: 'Template version. Can be version number, $Latest,
+                            or $Default. (Default: $Default).'
+                          type: string
+                      type: object
+                    type: array
                   loadBalancers:
                     description: List of elastic load balancer names to add to the
                       autoscaling group names. Only valid for classic load balancers.
@@ -1472,11 +1664,486 @@ spec:
                     items:
                       type: string
                     type: array
-                  targetGroupArns:
-                    description: Set of aws_alb_target_group ARNs, for use with Application
-                      or Network Load Balancing.
+                  maxInstanceLifetime:
+                    description: Maximum amount of time, in seconds, that an instance
+                      can be in service, values must be either equal to 0 or between
+                      86400 and 31536000 seconds.
+                    type: number
+                  maxSize:
+                    description: Maximum size of the Auto Scaling Group.
+                    type: number
+                  metricsGranularity:
+                    description: Granularity to associate with the metrics to collect.
+                      The only valid value is 1Minute. Default is 1Minute.
+                    type: string
+                  minElbCapacity:
+                    description: Updates will not wait on ELB instance number changes.
+                      (See also Waiting for Capacity below.)
+                    type: number
+                  minSize:
+                    description: Minimum size of the Auto Scaling Group. (See also
+                      Waiting for Capacity below.)
+                    type: number
+                  mixedInstancesPolicy:
+                    description: Configuration block containing settings to define
+                      launch targets for Auto Scaling groups. See Mixed Instances
+                      Policy below for more details.
                     items:
-                      type: string
+                      properties:
+                        instancesDistribution:
+                          description: Nested argument containing settings on how
+                            to mix on-demand and Spot instances in the Auto Scaling
+                            group. Defined below.
+                          items:
+                            properties:
+                              onDemandAllocationStrategy:
+                                description: 'Strategy to use when launching on-demand
+                                  instances. Valid values: prioritized, lowest-price.
+                                  Default: prioritized.'
+                                type: string
+                              onDemandBaseCapacity:
+                                description: 'Absolute minimum amount of desired capacity
+                                  that must be fulfilled by on-demand instances. Default:
+                                  0.'
+                                type: number
+                              onDemandPercentageAboveBaseCapacity:
+                                description: 'Percentage split between on-demand and
+                                  Spot instances above the base on-demand capacity.
+                                  Default: 100.'
+                                type: number
+                              spotAllocationStrategy:
+                                description: 'How to allocate capacity across the
+                                  Spot pools. Valid values: lowest-price, capacity-optimized,
+                                  capacity-optimized-prioritized, and price-capacity-optimized.
+                                  Default: lowest-price.'
+                                type: string
+                              spotInstancePools:
+                                description: 'Number of Spot pools per availability
+                                  zone to allocate capacity. EC2 Auto Scaling selects
+                                  the cheapest Spot pools and evenly allocates Spot
+                                  capacity across the number of Spot pools that you
+                                  specify. Only available with spot_allocation_strategy
+                                  set to lowest-price. Otherwise it must be set to
+                                  0, if it has been defined before. Default: 2.'
+                                type: number
+                              spotMaxPrice:
+                                description: 'Maximum price per unit hour that the
+                                  user is willing to pay for the Spot instances. Default:
+                                  an empty string which means the on-demand price.'
+                                type: string
+                            type: object
+                          type: array
+                        launchTemplate:
+                          description: Nested argument containing launch template
+                            settings along with the overrides to specify multiple
+                            instance types and weights. Defined below.
+                          items:
+                            properties:
+                              launchTemplateSpecification:
+                                description: Nested argument defines the Launch Template.
+                                  Defined below.
+                                items:
+                                  properties:
+                                    launchTemplateId:
+                                      description: ID of the launch template. Conflicts
+                                        with launch_template_name.
+                                      type: string
+                                    launchTemplateName:
+                                      description: Name of the launch template. Conflicts
+                                        with launch_template_id.
+                                      type: string
+                                    version:
+                                      description: 'Template version. Can be version
+                                        number, $Latest, or $Default. (Default: $Default).'
+                                      type: string
+                                  type: object
+                                type: array
+                              override:
+                                description: List of nested arguments provides the
+                                  ability to specify multiple instance types. This
+                                  will override the same parameter in the launch template.
+                                  For on-demand instances, Auto Scaling considers
+                                  the order of preference of instance types to launch
+                                  based on the order specified in the overrides list.
+                                  Defined below.
+                                items:
+                                  properties:
+                                    instanceRequirements:
+                                      description: Override the instance type in the
+                                        Launch Template with instance types that satisfy
+                                        the requirements.
+                                      items:
+                                        properties:
+                                          acceleratorCount:
+                                            description: Block describing the minimum
+                                              and maximum number of accelerators (GPUs,
+                                              FPGAs, or AWS Inferentia chips). Default
+                                              is no minimum or maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          acceleratorManufacturers:
+                                            description: List of accelerator manufacturer
+                                              names. Default is any manufacturer.
+                                            items:
+                                              type: string
+                                            type: array
+                                          acceleratorNames:
+                                            description: List of accelerator names.
+                                              Default is any acclerator.
+                                            items:
+                                              type: string
+                                            type: array
+                                          acceleratorTotalMemoryMib:
+                                            description: Block describing the minimum
+                                              and maximum total memory of the accelerators.
+                                              Default is no minimum or maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          acceleratorTypes:
+                                            description: List of accelerator types.
+                                              Default is any accelerator type.
+                                            items:
+                                              type: string
+                                            type: array
+                                          bareMetal:
+                                            description: Indicate whether bare metal
+                                              instace types should be included, excluded,
+                                              or required. Default is excluded.
+                                            type: string
+                                          baselineEbsBandwidthMbps:
+                                            description: Block describing the minimum
+                                              and maximum baseline EBS bandwidth,
+                                              in Mbps. Default is no minimum or maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          burstablePerformance:
+                                            description: Indicate whether burstable
+                                              performance instance types should be
+                                              included, excluded, or required. Default
+                                              is excluded.
+                                            type: string
+                                          cpuManufacturers:
+                                            description: List of CPU manufacturer
+                                              names. Default is any manufacturer.
+                                            items:
+                                              type: string
+                                            type: array
+                                          excludedInstanceTypes:
+                                            description: 'List of instance types to
+                                              exclude. You can use strings with one
+                                              or more wild cards, represented by an
+                                              asterisk (*). The following are examples:
+                                              c5*, m5a.*, r*, *3*. For example, if
+                                              you specify c5*, you are excluding the
+                                              entire C5 instance family, which includes
+                                              all C5a and C5n instance types. If you
+                                              specify m5a.*, you are excluding all
+                                              the M5a instance types, but not the
+                                              M5n instance types. Maximum of 400 entries
+                                              in the list; each entry is limited to
+                                              30 characters. Default is no excluded
+                                              instance types.'
+                                            items:
+                                              type: string
+                                            type: array
+                                          instanceGenerations:
+                                            description: List of instance generation
+                                              names. Default is any generation.
+                                            items:
+                                              type: string
+                                            type: array
+                                          localStorage:
+                                            description: Indicate whether instance
+                                              types with local storage volumes are
+                                              included, excluded, or required. Default
+                                              is included.
+                                            type: string
+                                          localStorageTypes:
+                                            description: List of local storage type
+                                              names. Default any storage type.
+                                            items:
+                                              type: string
+                                            type: array
+                                          memoryGibPerVcpu:
+                                            description: Block describing the minimum
+                                              and maximum amount of memory (GiB) per
+                                              vCPU. Default is no minimum or maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          memoryMib:
+                                            description: Block describing the minimum
+                                              and maximum amount of memory (MiB).
+                                              Default is no maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          networkInterfaceCount:
+                                            description: Block describing the minimum
+                                              and maximum number of network interfaces.
+                                              Default is no minimum or maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          onDemandMaxPricePercentageOverLowestPrice:
+                                            description: Price protection threshold
+                                              for On-Demand Instances. This is the
+                                              maximum you’ll pay for an On-Demand
+                                              Instance, expressed as a percentage
+                                              higher than the cheapest M, C, or R
+                                              instance type with your specified attributes.
+                                              When Amazon EC2 Auto Scaling selects
+                                              instance types with your attributes,
+                                              we will exclude instance types whose
+                                              price is higher than your threshold.
+                                              The parameter accepts an integer, which
+                                              Amazon EC2 Auto Scaling interprets as
+                                              a percentage. To turn off price protection,
+                                              specify a high value, such as 999999.
+                                              Default is 20.
+                                            type: number
+                                          requireHibernateSupport:
+                                            description: Indicate whether instance
+                                              types must support On-Demand Instance
+                                              Hibernation, either true or false. Default
+                                              is false.
+                                            type: boolean
+                                          spotMaxPricePercentageOverLowestPrice:
+                                            description: Price protection threshold
+                                              for Spot Instances. This is the maximum
+                                              you’ll pay for a Spot Instance, expressed
+                                              as a percentage higher than the cheapest
+                                              M, C, or R instance type with your specified
+                                              attributes. When Amazon EC2 Auto Scaling
+                                              selects instance types with your attributes,
+                                              we will exclude instance types whose
+                                              price is higher than your threshold.
+                                              The parameter accepts an integer, which
+                                              Amazon EC2 Auto Scaling interprets as
+                                              a percentage. To turn off price protection,
+                                              specify a high value, such as 999999.
+                                              Default is 100.
+                                            type: number
+                                          totalLocalStorageGb:
+                                            description: Block describing the minimum
+                                              and maximum total local storage (GB).
+                                              Default is no minimum or maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          vcpuCount:
+                                            description: Block describing the minimum
+                                              and maximum number of vCPUs. Default
+                                              is no maximum.
+                                            items:
+                                              properties:
+                                                max:
+                                                  description: Maximum.
+                                                  type: number
+                                                min:
+                                                  description: Minimum.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    instanceType:
+                                      description: Override the instance type in the
+                                        Launch Template.
+                                      type: string
+                                    launchTemplateSpecification:
+                                      description: Nested argument defines the Launch
+                                        Template. Defined below.
+                                      items:
+                                        properties:
+                                          launchTemplateId:
+                                            description: ID of the launch template.
+                                              Conflicts with launch_template_name.
+                                            type: string
+                                          launchTemplateName:
+                                            description: Name of the launch template.
+                                              Conflicts with launch_template_id.
+                                            type: string
+                                          version:
+                                            description: 'Template version. Can be
+                                              version number, $Latest, or $Default.
+                                              (Default: $Default).'
+                                            type: string
+                                        type: object
+                                      type: array
+                                    weightedCapacity:
+                                      description: Number of capacity units, which
+                                        gives the instance type a proportional weight
+                                        to other instance types.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  placementGroup:
+                    description: Name of the placement group into which you'll launch
+                      your instances, if any.
+                    type: string
+                  protectFromScaleIn:
+                    description: in protection in the Amazon EC2 Auto Scaling User
+                      Guide.
+                    type: boolean
+                  serviceLinkedRoleArn:
+                    description: linked role that the ASG will use to call other AWS
+                      services
+                    type: string
+                  suspendedProcesses:
+                    description: List of processes to suspend for the Auto Scaling
+                      Group. The allowed values are Launch, Terminate, HealthCheck,
+                      ReplaceUnhealthy, AZRebalance, AlarmNotification, ScheduledActions,
+                      AddToLoadBalancer, InstanceRefresh. Note that if you suspend
+                      either the Launch or Terminate process types, it can prevent
+                      your Auto Scaling Group from functioning properly.
+                    items:
+                      type: string
+                    type: array
+                  tag:
+                    description: Configuration block(s) containing resource tags.
+                      Conflicts with tags. See Tag below for more details.
+                    items:
+                      properties:
+                        key:
+                          description: Key
+                          type: string
+                        propagateAtLaunch:
+                          description: Enables propagation of the tag to Amazon EC2
+                            instances launched via this ASG
+                          type: boolean
+                        value:
+                          description: Value
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    description: Key-value map of resource tags.
+                    items:
+                      additionalProperties:
+                        type: string
+                      type: object
+                    type: array
+                  targetGroupArns:
+                    description: Set of aws_alb_target_group ARNs, for use with Application
+                      or Network Load Balancing.
+                    items:
+                      type: string
+                    type: array
+                  terminationPolicies:
+                    description: List of policies to decide how the instances in the
+                      Auto Scaling Group should be terminated. The allowed values
+                      are OldestInstance, NewestInstance, OldestLaunchConfiguration,
+                      ClosestToNextInstanceHour, OldestLaunchTemplate, AllocationStrategy,
+                      Default. Additionally, the ARN of a Lambda function can be specified
+                      for custom termination policies.
+                    items:
+                      type: string
+                    type: array
+                  vpcZoneIdentifier:
+                    description: List of subnet IDs to launch resources in. Subnets
+                      automatically determine which availability zones the group will
+                      reside. Conflicts with availability_zones.
+                    items:
+                      type: string
+                    type: array
+                  waitForCapacityTimeout:
+                    description: (See also Waiting for Capacity below.
+                    type: string
+                  waitForElbCapacity:
+                    description: (Takes precedence over min_elb_capacity behavior.)
+                      (See also Waiting for Capacity below.)
+                    type: number
+                  warmPool:
+                    description: If this block is configured, add a Warm Pool to the
+                      specified Auto Scaling group. Defined below
+                    items:
+                      properties:
+                        instanceReusePolicy:
+                          description: Whether instances in the Auto Scaling group
+                            can be returned to the warm pool on scale in. The default
+                            is to terminate instances in the Auto Scaling group when
+                            the group scales in.
+                          items:
+                            properties:
+                              reuseOnScaleIn:
+                                description: Whether instances in the Auto Scaling
+                                  group can be returned to the warm pool on scale
+                                  in.
+                                type: boolean
+                            type: object
+                          type: array
+                        maxGroupPreparedCapacity:
+                          description: Total maximum number of instances that are
+                            allowed to be in the warm pool or in any state except
+                            Terminated for the Auto Scaling group.
+                          type: number
+                        minSize:
+                          description: Minimum size of the Auto Scaling Group. (See
+                            also Waiting for Capacity below.)
+                          type: number
+                        poolState:
+                          description: 'Sets the instance state to transition to after
+                            the lifecycle hooks finish. Valid values are: Stopped
+                            (default), Running or Hibernated.'
+                          type: string
+                      type: object
                     type: array
                 type: object
               conditions:
diff --git a/package/crds/autoscaling.aws.upbound.io_grouptags.yaml b/package/crds/autoscaling.aws.upbound.io_grouptags.yaml
index 03992a9dd6..74086f45ae 100644
--- a/package/crds/autoscaling.aws.upbound.io_grouptags.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_grouptags.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -168,8 +172,22 @@ spec:
                     type: array
                 required:
                 - region
-                - tag
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,14 +359,36 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: tag is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tag)
           status:
             description: GroupTagStatus defines the observed state of GroupTag.
             properties:
               atProvider:
                 properties:
+                  autoscalingGroupName:
+                    description: Name of the Autoscaling Group to apply the tag to.
+                    type: string
                   id:
                     description: ASG name and key, separated by a comma (,)
                     type: string
+                  tag:
+                    description: Tag to create. The tag block is documented below.
+                    items:
+                      properties:
+                        key:
+                          description: Tag name.
+                          type: string
+                        propagateAtLaunch:
+                          description: Whether to propagate the tags to instances
+                            launched by the ASG.
+                          type: boolean
+                        value:
+                          description: Tag value.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/autoscaling.aws.upbound.io_launchconfigurations.yaml b/package/crds/autoscaling.aws.upbound.io_launchconfigurations.yaml
index 9860feb34f..7cd52fa3b2 100644
--- a/package/crds/autoscaling.aws.upbound.io_launchconfigurations.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_launchconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -239,10 +243,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - imageId
-                - instanceType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -414,6 +431,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: imageId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.imageId)
+            - message: instanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)
           status:
             description: LaunchConfigurationStatus defines the observed state of LaunchConfiguration.
             properties:
@@ -422,9 +444,174 @@ spec:
                   arn:
                     description: The Amazon Resource Name of the launch configuration.
                     type: string
+                  associatePublicIpAddress:
+                    description: Associate a public ip address with an instance in
+                      a VPC.
+                    type: boolean
+                  ebsBlockDevice:
+                    description: Additional EBS block devices to attach to the instance.
+                      See Block Devices below for details.
+                    items:
+                      properties:
+                        deleteOnTermination:
+                          description: 'Whether the volume should be destroyed on
+                            instance termination (Default: true).'
+                          type: boolean
+                        deviceName:
+                          description: The name of the device to mount.
+                          type: string
+                        encrypted:
+                          description: Whether the volume should be encrypted or not.
+                            Defaults to false.
+                          type: boolean
+                        iops:
+                          description: The amount of provisioned IOPS. This must be
+                            set with a volume_type of "io1".
+                          type: number
+                        noDevice:
+                          description: Whether the device in the block device mapping
+                            of the AMI is suppressed.
+                          type: boolean
+                        snapshotId:
+                          description: The Snapshot ID to mount.
+                          type: string
+                        throughput:
+                          description: The throughput (MiBps) to provision for a gp3
+                            volume.
+                          type: number
+                        volumeSize:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        volumeType:
+                          description: The type of volume. Can be standard, gp2, gp3,
+                            st1, sc1 or io1.
+                          type: string
+                      type: object
+                    type: array
+                  ebsOptimized:
+                    description: If true, the launched EC2 instance will be EBS-optimized.
+                    type: boolean
+                  enableMonitoring:
+                    description: Enables/disables detailed monitoring. This is enabled
+                      by default.
+                    type: boolean
+                  ephemeralBlockDevice:
+                    description: Customize Ephemeral (also known as "Instance Store")
+                      volumes on the instance. See Block Devices below for details.
+                    items:
+                      properties:
+                        deviceName:
+                          description: The name of the block device to mount on the
+                            instance.
+                          type: string
+                        noDevice:
+                          description: Whether the device in the block device mapping
+                            of the AMI is suppressed.
+                          type: boolean
+                        virtualName:
+                          description: The Instance Store Device Name.
+                          type: string
+                      type: object
+                    type: array
+                  iamInstanceProfile:
+                    description: The name attribute of the IAM instance profile to
+                      associate with launched instances.
+                    type: string
                   id:
                     description: The ID of the launch configuration.
                     type: string
+                  imageId:
+                    description: The EC2 image ID to launch.
+                    type: string
+                  instanceType:
+                    description: The size of instance to launch.
+                    type: string
+                  keyName:
+                    description: The key name that should be used for the instance.
+                    type: string
+                  metadataOptions:
+                    description: The metadata options for the instance.
+                    items:
+                      properties:
+                        httpEndpoint:
+                          description: 'The state of the metadata service: enabled,
+                            disabled.'
+                          type: string
+                        httpPutResponseHopLimit:
+                          description: The desired HTTP PUT response hop limit for
+                            instance metadata requests.
+                          type: number
+                        httpTokens:
+                          description: 'If session tokens are required: optional,
+                            required.'
+                          type: string
+                      type: object
+                    type: array
+                  placementTenancy:
+                    description: The tenancy of the instance. Valid values are default
+                      or dedicated, see AWS's Create Launch Configuration for more
+                      details.
+                    type: string
+                  rootBlockDevice:
+                    description: Customize details about the root block device of
+                      the instance. See Block Devices below for details.
+                    items:
+                      properties:
+                        deleteOnTermination:
+                          description: Whether the volume should be destroyed on instance
+                            termination. Defaults to true.
+                          type: boolean
+                        encrypted:
+                          description: Whether the volume should be encrypted or not.
+                            Defaults to false.
+                          type: boolean
+                        iops:
+                          description: The amount of provisioned IOPS. This must be
+                            set with a volume_type of io1.
+                          type: number
+                        throughput:
+                          description: The throughput (MiBps) to provision for a gp3
+                            volume.
+                          type: number
+                        volumeSize:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        volumeType:
+                          description: The type of volume. Can be standard, gp2, gp3,
+                            st1, sc1 or io1.
+                          type: string
+                      type: object
+                    type: array
+                  securityGroups:
+                    description: A list of associated security group IDS.
+                    items:
+                      type: string
+                    type: array
+                  spotPrice:
+                    description: The maximum price to use for reserving spot instances.
+                    type: string
+                  userData:
+                    description: The user data to provide when launching the instance.
+                      Do not pass gzip-compressed data via this argument; see user_data_base64
+                      instead.
+                    type: string
+                  userDataBase64:
+                    description: Can be used instead of user_data to pass base64-encoded
+                      binary data directly. Use this instead of user_data whenever
+                      the value is not a valid UTF-8 string. For example, gzip-encoded
+                      user data must be base64-encoded and passed via this argument
+                      to avoid corruption.
+                    type: string
+                  vpcClassicLinkId:
+                    description: The ID of a ClassicLink-enabled VPC. Only applies
+                      to EC2-Classic instances. (eg. vpc-2730681a)
+                    type: string
+                  vpcClassicLinkSecurityGroups:
+                    description: The IDs of one or more security groups for the specified
+                      ClassicLink-enabled VPC (eg. sg-46ae3d11).
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/autoscaling.aws.upbound.io_lifecyclehooks.yaml b/package/crds/autoscaling.aws.upbound.io_lifecyclehooks.yaml
index 4e5fb5fab2..64802e3a60 100644
--- a/package/crds/autoscaling.aws.upbound.io_lifecyclehooks.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_lifecyclehooks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -252,9 +256,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - lifecycleTransition
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -426,13 +444,51 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: lifecycleTransition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lifecycleTransition)
           status:
             description: LifecycleHookStatus defines the observed state of LifecycleHook.
             properties:
               atProvider:
                 properties:
+                  autoscalingGroupName:
+                    description: Name of the Auto Scaling group to which you want
+                      to assign the lifecycle hook
+                    type: string
+                  defaultResult:
+                    description: Defines the action the Auto Scaling group should
+                      take when the lifecycle hook timeout elapses or if an unexpected
+                      failure occurs. The value for this parameter can be either CONTINUE
+                      or ABANDON. The default value for this parameter is ABANDON.
+                    type: string
+                  heartbeatTimeout:
+                    description: Defines the amount of time, in seconds, that can
+                      elapse before the lifecycle hook times out. When the lifecycle
+                      hook times out, Auto Scaling performs the action defined in
+                      the DefaultResult parameter
+                    type: number
                   id:
                     type: string
+                  lifecycleTransition:
+                    description: Instance state to which you want to attach the lifecycle
+                      hook. For a list of lifecycle hook types, see describe-lifecycle-hook-types
+                    type: string
+                  notificationMetadata:
+                    description: Contains additional information that you want to
+                      include any time Auto Scaling sends a message to the notification
+                      target.
+                    type: string
+                  notificationTargetArn:
+                    description: ARN of the notification target that Auto Scaling
+                      will use to notify you when an instance is in the transition
+                      state for the lifecycle hook. This ARN target can be either
+                      an SQS queue or an SNS topic.
+                    type: string
+                  roleArn:
+                    description: ARN of the IAM role that allows the Auto Scaling
+                      group to publish to the specified notification target.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/autoscaling.aws.upbound.io_notifications.yaml b/package/crds/autoscaling.aws.upbound.io_notifications.yaml
index feb74bf1ac..2d1226dfb2 100644
--- a/package/crds/autoscaling.aws.upbound.io_notifications.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_notifications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,10 +160,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - groupNames
-                - notifications
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,13 +348,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: groupNames is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupNames)
+            - message: notifications is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.notifications)
           status:
             description: NotificationStatus defines the observed state of Notification.
             properties:
               atProvider:
                 properties:
+                  groupNames:
+                    description: List of AutoScaling Group Names
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  notifications:
+                    description: List of Notification Types that trigger notifications.
+                      Acceptable values are documented in the AWS documentation here
+                    items:
+                      type: string
+                    type: array
+                  topicArn:
+                    description: Topic ARN for notifications to be sent through
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/autoscaling.aws.upbound.io_policies.yaml b/package/crds/autoscaling.aws.upbound.io_policies.yaml
index 4dd8fa46c9..fd2879eb5f 100644
--- a/package/crds/autoscaling.aws.upbound.io_policies.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_policies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -679,6 +683,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -855,13 +874,484 @@ spec:
             properties:
               atProvider:
                 properties:
+                  adjustmentType:
+                    description: Whether the adjustment is an absolute number or a
+                      percentage of the current capacity. Valid values are ChangeInCapacity,
+                      ExactCapacity, and PercentChangeInCapacity.
+                    type: string
                   arn:
                     description: ARN assigned by AWS to the scaling policy.
                     type: string
+                  autoscalingGroupName:
+                    description: Name of the autoscaling group.
+                    type: string
+                  cooldown:
+                    description: Amount of time, in seconds, after a scaling activity
+                      completes and before the next scaling activity can start.
+                    type: number
+                  enabled:
+                    description: 'Whether the scaling policy is enabled or disabled.
+                      Default: true.'
+                    type: boolean
+                  estimatedInstanceWarmup:
+                    description: Estimated time, in seconds, until a newly launched
+                      instance will contribute CloudWatch metrics. Without a value,
+                      AWS will default to the group's specified cooldown period.
+                    type: number
                   id:
                     description: Short name for the metric used in predictive scaling
                       policy.
                     type: string
+                  metricAggregationType:
+                    description: Aggregation type for the policy's metrics. Valid
+                      values are "Minimum", "Maximum", and "Average". Without a value,
+                      AWS will treat the aggregation type as "Average".
+                    type: string
+                  minAdjustmentMagnitude:
+                    description: Minimum value to scale by when adjustment_type is
+                      set to PercentChangeInCapacity.
+                    type: number
+                  policyType:
+                    description: Policy type, either "SimpleScaling", "StepScaling",
+                      "TargetTrackingScaling", or "PredictiveScaling". If this value
+                      isn't provided, AWS will default to "SimpleScaling."
+                    type: string
+                  predictiveScalingConfiguration:
+                    description: Predictive scaling policy configuration to use with
+                      Amazon EC2 Auto Scaling.
+                    items:
+                      properties:
+                        maxCapacityBreachBehavior:
+                          description: Defines the behavior that should be applied
+                            if the forecast capacity approaches or exceeds the maximum
+                            capacity of the Auto Scaling group. Valid values are HonorMaxCapacity
+                            or IncreaseMaxCapacity. Default is HonorMaxCapacity.
+                          type: string
+                        maxCapacityBuffer:
+                          description: Size of the capacity buffer to use when the
+                            forecast capacity is close to or exceeds the maximum capacity.
+                            Valid range is 0 to 100. If set to 0, Amazon EC2 Auto
+                            Scaling may scale capacity higher than the maximum capacity
+                            to equal but not exceed forecast capacity.
+                          type: string
+                        metricSpecification:
+                          description: This structure includes the metrics and target
+                            utilization to use for predictive scaling.
+                          items:
+                            properties:
+                              customizedCapacityMetricSpecification:
+                                description: Customized capacity metric specification.
+                                  The field is only valid when you use customized_load_metric_specification
+                                items:
+                                  properties:
+                                    metricDataQueries:
+                                      description: List of up to 10 structures that
+                                        defines custom capacity metric in predictive
+                                        scaling policy
+                                      items:
+                                        properties:
+                                          expression:
+                                            description: Math expression used on the
+                                              returned metric. You must specify either
+                                              expression or metric_stat, but not both.
+                                            type: string
+                                          id:
+                                            description: Short name for the metric
+                                              used in predictive scaling policy.
+                                            type: string
+                                          label:
+                                            description: Human-readable label for
+                                              this metric or expression.
+                                            type: string
+                                          metricStat:
+                                            description: Structure that defines CloudWatch
+                                              metric to be used in predictive scaling
+                                              policy. You must specify either expression
+                                              or metric_stat, but not both.
+                                            items:
+                                              properties:
+                                                metric:
+                                                  description: Structure that defines
+                                                    the CloudWatch metric to return,
+                                                    including the metric name, namespace,
+                                                    and dimensions.
+                                                  items:
+                                                    properties:
+                                                      dimensions:
+                                                        description: Dimensions of
+                                                          the metric.
+                                                        items:
+                                                          properties:
+                                                            name:
+                                                              description: Name of
+                                                                the dimension.
+                                                              type: string
+                                                            value:
+                                                              description: Value of
+                                                                the dimension.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      metricName:
+                                                        description: Name of the metric.
+                                                        type: string
+                                                      namespace:
+                                                        description: Namespace of
+                                                          the metric.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                stat:
+                                                  description: Statistic of the metrics
+                                                    to return.
+                                                  type: string
+                                                unit:
+                                                  description: Unit of the metrics
+                                                    to return.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          returnData:
+                                            description: Boolean that indicates whether
+                                              to return the timestamps and raw data
+                                              values of this metric, the default it
+                                              true
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              customizedLoadMetricSpecification:
+                                description: Customized load metric specification.
+                                items:
+                                  properties:
+                                    metricDataQueries:
+                                      description: List of up to 10 structures that
+                                        defines custom load metric in predictive scaling
+                                        policy
+                                      items:
+                                        properties:
+                                          expression:
+                                            description: Math expression used on the
+                                              returned metric. You must specify either
+                                              expression or metric_stat, but not both.
+                                            type: string
+                                          id:
+                                            description: Short name for the metric
+                                              used in predictive scaling policy.
+                                            type: string
+                                          label:
+                                            description: Human-readable label for
+                                              this metric or expression.
+                                            type: string
+                                          metricStat:
+                                            description: Structure that defines CloudWatch
+                                              metric to be used in predictive scaling
+                                              policy. You must specify either expression
+                                              or metric_stat, but not both.
+                                            items:
+                                              properties:
+                                                metric:
+                                                  description: Structure that defines
+                                                    the CloudWatch metric to return,
+                                                    including the metric name, namespace,
+                                                    and dimensions.
+                                                  items:
+                                                    properties:
+                                                      dimensions:
+                                                        description: Dimensions of
+                                                          the metric.
+                                                        items:
+                                                          properties:
+                                                            name:
+                                                              description: Name of
+                                                                the dimension.
+                                                              type: string
+                                                            value:
+                                                              description: Value of
+                                                                the dimension.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      metricName:
+                                                        description: Name of the metric.
+                                                        type: string
+                                                      namespace:
+                                                        description: Namespace of
+                                                          the metric.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                stat:
+                                                  description: Statistic of the metrics
+                                                    to return.
+                                                  type: string
+                                                unit:
+                                                  description: Unit of the metrics
+                                                    to return.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          returnData:
+                                            description: Boolean that indicates whether
+                                              to return the timestamps and raw data
+                                              values of this metric, the default it
+                                              true
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              customizedScalingMetricSpecification:
+                                description: Customized scaling metric specification.
+                                items:
+                                  properties:
+                                    metricDataQueries:
+                                      description: List of up to 10 structures that
+                                        defines custom scaling metric in predictive
+                                        scaling policy
+                                      items:
+                                        properties:
+                                          expression:
+                                            description: Math expression used on the
+                                              returned metric. You must specify either
+                                              expression or metric_stat, but not both.
+                                            type: string
+                                          id:
+                                            description: Short name for the metric
+                                              used in predictive scaling policy.
+                                            type: string
+                                          label:
+                                            description: Human-readable label for
+                                              this metric or expression.
+                                            type: string
+                                          metricStat:
+                                            description: Structure that defines CloudWatch
+                                              metric to be used in predictive scaling
+                                              policy. You must specify either expression
+                                              or metric_stat, but not both.
+                                            items:
+                                              properties:
+                                                metric:
+                                                  description: Structure that defines
+                                                    the CloudWatch metric to return,
+                                                    including the metric name, namespace,
+                                                    and dimensions.
+                                                  items:
+                                                    properties:
+                                                      dimensions:
+                                                        description: Dimensions of
+                                                          the metric.
+                                                        items:
+                                                          properties:
+                                                            name:
+                                                              description: Name of
+                                                                the dimension.
+                                                              type: string
+                                                            value:
+                                                              description: Value of
+                                                                the dimension.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      metricName:
+                                                        description: Name of the metric.
+                                                        type: string
+                                                      namespace:
+                                                        description: Namespace of
+                                                          the metric.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                stat:
+                                                  description: Statistic of the metrics
+                                                    to return.
+                                                  type: string
+                                                unit:
+                                                  description: Unit of the metrics
+                                                    to return.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          returnData:
+                                            description: Boolean that indicates whether
+                                              to return the timestamps and raw data
+                                              values of this metric, the default it
+                                              true
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              predefinedLoadMetricSpecification:
+                                description: Predefined load metric specification.
+                                items:
+                                  properties:
+                                    predefinedMetricType:
+                                      description: Metric type. Valid values are ASGTotalCPUUtilization,
+                                        ASGTotalNetworkIn, ASGTotalNetworkOut, or
+                                        ALBTargetGroupRequestCount.
+                                      type: string
+                                    resourceLabel:
+                                      description: Label that uniquely identifies
+                                        a specific Application Load Balancer target
+                                        group from which to determine the request
+                                        count served by your Auto Scaling group.
+                                      type: string
+                                  type: object
+                                type: array
+                              predefinedMetricPairSpecification:
+                                description: Metric pair specification from which
+                                  Amazon EC2 Auto Scaling determines the appropriate
+                                  scaling metric and load metric to use.
+                                items:
+                                  properties:
+                                    predefinedMetricType:
+                                      description: 'Which metrics to use. There are
+                                        two different types of metrics for each metric
+                                        type: one is a load metric and one is a scaling
+                                        metric. For example, if the metric type is
+                                        ASGCPUUtilization, the Auto Scaling group''s
+                                        total CPU metric is used as the load metric,
+                                        and the average CPU metric is used for the
+                                        scaling metric. Valid values are ASGCPUUtilization,
+                                        ASGNetworkIn, ASGNetworkOut, or ALBRequestCount.'
+                                      type: string
+                                    resourceLabel:
+                                      description: Label that uniquely identifies
+                                        a specific Application Load Balancer target
+                                        group from which to determine the request
+                                        count served by your Auto Scaling group.
+                                      type: string
+                                  type: object
+                                type: array
+                              predefinedScalingMetricSpecification:
+                                description: Predefined scaling metric specification.
+                                items:
+                                  properties:
+                                    predefinedMetricType:
+                                      description: Describes a scaling metric for
+                                        a predictive scaling policy. Valid values
+                                        are ASGAverageCPUUtilization, ASGAverageNetworkIn,
+                                        ASGAverageNetworkOut, or ALBRequestCountPerTarget.
+                                      type: string
+                                    resourceLabel:
+                                      description: Label that uniquely identifies
+                                        a specific Application Load Balancer target
+                                        group from which to determine the request
+                                        count served by your Auto Scaling group.
+                                      type: string
+                                  type: object
+                                type: array
+                              targetValue:
+                                description: Target value for the metric.
+                                type: number
+                            type: object
+                          type: array
+                        mode:
+                          description: Predictive scaling mode. Valid values are ForecastAndScale
+                            and ForecastOnly. Default is ForecastOnly.
+                          type: string
+                        schedulingBufferTime:
+                          description: Amount of time, in seconds, by which the instance
+                            launch time can be advanced. Minimum is 0.
+                          type: string
+                      type: object
+                    type: array
+                  scalingAdjustment:
+                    description: Number of instances by which to scale. adjustment_type
+                      determines the interpretation of this number (e.g., as an absolute
+                      number or as a percentage of the existing Auto Scaling group
+                      size). A positive increment adds to the current capacity and
+                      a negative value removes from the current capacity.
+                    type: number
+                  stepAdjustment:
+                    description: 'Set of adjustments that manage group scaling. These
+                      have the following structure:'
+                    items:
+                      properties:
+                        metricIntervalLowerBound:
+                          description: Lower bound for the difference between the
+                            alarm threshold and the CloudWatch metric. Without a value,
+                            AWS will treat this bound as negative infinity.
+                          type: string
+                        metricIntervalUpperBound:
+                          description: Upper bound for the difference between the
+                            alarm threshold and the CloudWatch metric. Without a value,
+                            AWS will treat this bound as positive infinity. The upper
+                            bound must be greater than the lower bound.
+                          type: string
+                        scalingAdjustment:
+                          description: Number of instances by which to scale. adjustment_type
+                            determines the interpretation of this number (e.g., as
+                            an absolute number or as a percentage of the existing
+                            Auto Scaling group size). A positive increment adds to
+                            the current capacity and a negative value removes from
+                            the current capacity.
+                          type: number
+                      type: object
+                    type: array
+                  targetTrackingConfiguration:
+                    description: 'Target tracking policy. These have the following
+                      structure:'
+                    items:
+                      properties:
+                        customizedMetricSpecification:
+                          description: Customized metric. Conflicts with predefined_metric_specification.
+                          items:
+                            properties:
+                              metricDimension:
+                                description: Dimensions of the metric.
+                                items:
+                                  properties:
+                                    name:
+                                      description: Name of the dimension.
+                                      type: string
+                                    value:
+                                      description: Value of the dimension.
+                                      type: string
+                                  type: object
+                                type: array
+                              metricName:
+                                description: Name of the metric.
+                                type: string
+                              namespace:
+                                description: Namespace of the metric.
+                                type: string
+                              statistic:
+                                description: Statistic of the metric.
+                                type: string
+                              unit:
+                                description: Unit of the metrics to return.
+                                type: string
+                            type: object
+                          type: array
+                        disableScaleIn:
+                          description: Whether scale in by the target tracking policy
+                            is disabled.
+                          type: boolean
+                        predefinedMetricSpecification:
+                          description: Predefined metric. Conflicts with customized_metric_specification.
+                          items:
+                            properties:
+                              predefinedMetricType:
+                                description: Describes a scaling metric for a predictive
+                                  scaling policy. Valid values are ASGAverageCPUUtilization,
+                                  ASGAverageNetworkIn, ASGAverageNetworkOut, or ALBRequestCountPerTarget.
+                                type: string
+                              resourceLabel:
+                                description: Label that uniquely identifies a specific
+                                  Application Load Balancer target group from which
+                                  to determine the request count served by your Auto
+                                  Scaling group.
+                                type: string
+                            type: object
+                          type: array
+                        targetValue:
+                          description: Target value for the metric.
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/autoscaling.aws.upbound.io_schedules.yaml b/package/crds/autoscaling.aws.upbound.io_schedules.yaml
index f3f14bc7d2..2a9acb0dcc 100644
--- a/package/crds/autoscaling.aws.upbound.io_schedules.yaml
+++ b/package/crds/autoscaling.aws.upbound.io_schedules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -182,6 +186,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -361,8 +380,44 @@ spec:
                   arn:
                     description: ARN assigned by AWS to the autoscaling schedule.
                     type: string
+                  autoscalingGroupName:
+                    description: The name of the Auto Scaling group.
+                    type: string
+                  desiredCapacity:
+                    description: The initial capacity of the Auto Scaling group after
+                      the scheduled action runs and the capacity it attempts to maintain.
+                      Set to -1 if you don't want to change the desired capacity at
+                      the scheduled time. Defaults to 0.
+                    type: number
+                  endTime:
+                    description: The date and time for the recurring schedule to end,
+                      in UTC with the format "YYYY-MM-DDThh:mm:ssZ" (e.g. "2021-06-01T00:00:00Z").
+                    type: string
                   id:
                     type: string
+                  maxSize:
+                    description: The maximum size of the Auto Scaling group. Set to
+                      -1 if you don't want to change the maximum size at the scheduled
+                      time. Defaults to 0.
+                    type: number
+                  minSize:
+                    description: The minimum size of the Auto Scaling group. Set to
+                      -1 if you don't want to change the minimum size at the scheduled
+                      time. Defaults to 0.
+                    type: number
+                  recurrence:
+                    description: The recurring schedule for this action specified
+                      using the Unix cron syntax format.
+                    type: string
+                  startTime:
+                    description: The date and time for the recurring schedule to start,
+                      in UTC with the format "YYYY-MM-DDThh:mm:ssZ" (e.g. "2021-06-01T00:00:00Z").
+                    type: string
+                  timeZone:
+                    description: Specifies the time zone for a cron expression. Valid
+                      values are the canonical names of the IANA time zones (such
+                      as Etc/GMT+9 or Pacific/Tahiti).
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/autoscalingplans.aws.upbound.io_scalingplans.yaml b/package/crds/autoscalingplans.aws.upbound.io_scalingplans.yaml
index 18b0ceee33..b5bbe2dda0 100644
--- a/package/crds/autoscalingplans.aws.upbound.io_scalingplans.yaml
+++ b/package/crds/autoscalingplans.aws.upbound.io_scalingplans.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -310,11 +314,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - applicationSource
-                - name
                 - region
-                - scalingInstruction
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -486,14 +502,239 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: applicationSource is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.applicationSource)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: scalingInstruction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scalingInstruction)
           status:
             description: ScalingPlanStatus defines the observed state of ScalingPlan.
             properties:
               atProvider:
                 properties:
+                  applicationSource:
+                    description: CloudFormation stack or set of tags. You can create
+                      one scaling plan per application source.
+                    items:
+                      properties:
+                        cloudformationStackArn:
+                          description: ARN of a AWS CloudFormation stack.
+                          type: string
+                        tagFilter:
+                          description: Set of tags.
+                          items:
+                            properties:
+                              key:
+                                description: Tag key.
+                                type: string
+                              values:
+                                description: Tag values.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: Scaling plan identifier.
                     type: string
+                  name:
+                    description: Name of the scaling plan. Names cannot contain vertical
+                      bars, colons, or forward slashes.
+                    type: string
+                  scalingInstruction:
+                    description: Scaling instructions. More details can be found in
+                      the AWS Auto Scaling API Reference.
+                    items:
+                      properties:
+                        customizedLoadMetricSpecification:
+                          description: Customized load metric to use for predictive
+                            scaling. You must specify either customized_load_metric_specification
+                            or predefined_load_metric_specification when configuring
+                            predictive scaling. More details can be found in the AWS
+                            Auto Scaling API Reference.
+                          items:
+                            properties:
+                              dimensions:
+                                additionalProperties:
+                                  type: string
+                                description: Dimensions of the metric.
+                                type: object
+                              metricName:
+                                description: Name of the metric.
+                                type: string
+                              namespace:
+                                description: Namespace of the metric.
+                                type: string
+                              statistic:
+                                description: Statistic of the metric. Currently, the
+                                  value must always be Sum.
+                                type: string
+                              unit:
+                                description: Unit of the metric.
+                                type: string
+                            type: object
+                          type: array
+                        disableDynamicScaling:
+                          description: Boolean controlling whether dynamic scaling
+                            by AWS Auto Scaling is disabled. Defaults to false.
+                          type: boolean
+                        maxCapacity:
+                          description: Maximum capacity of the resource. The exception
+                            to this upper limit is if you specify a non-default setting
+                            for predictive_scaling_max_capacity_behavior.
+                          type: number
+                        minCapacity:
+                          description: Minimum capacity of the resource.
+                          type: number
+                        predefinedLoadMetricSpecification:
+                          description: Predefined load metric to use for predictive
+                            scaling. You must specify either predefined_load_metric_specification
+                            or customized_load_metric_specification when configuring
+                            predictive scaling. More details can be found in the AWS
+                            Auto Scaling API Reference.
+                          items:
+                            properties:
+                              predefinedLoadMetricType:
+                                description: 'Metric type. Valid values: ALBTargetGroupRequestCount,
+                                  ASGTotalCPUUtilization, ASGTotalNetworkIn, ASGTotalNetworkOut.'
+                                type: string
+                              resourceLabel:
+                                description: Identifies the resource associated with
+                                  the metric type.
+                                type: string
+                            type: object
+                          type: array
+                        predictiveScalingMaxCapacityBehavior:
+                          description: 'Defines the behavior that should be applied
+                            if the forecast capacity approaches or exceeds the maximum
+                            capacity specified for the resource. Valid values: SetForecastCapacityToMaxCapacity,
+                            SetMaxCapacityAboveForecastCapacity, SetMaxCapacityToForecastCapacity.'
+                          type: string
+                        predictiveScalingMaxCapacityBuffer:
+                          description: Size of the capacity buffer to use when the
+                            forecast capacity is close to or exceeds the maximum capacity.
+                          type: number
+                        predictiveScalingMode:
+                          description: 'Predictive scaling mode. Valid values: ForecastAndScale,
+                            ForecastOnly.'
+                          type: string
+                        resourceId:
+                          description: ID of the resource. This string consists of
+                            the resource type and unique identifier.
+                          type: string
+                        scalableDimension:
+                          description: 'Scalable dimension associated with the resource.
+                            Valid values: autoscaling:autoScalingGroup:DesiredCapacity,
+                            dynamodb:index:ReadCapacityUnits, dynamodb:index:WriteCapacityUnits,
+                            dynamodb:table:ReadCapacityUnits, dynamodb:table:WriteCapacityUnits,
+                            ecs:service:DesiredCount, ec2:spot-fleet-request:TargetCapacity,
+                            rds:cluster:ReadReplicaCount.'
+                          type: string
+                        scalingPolicyUpdateBehavior:
+                          description: 'Controls whether a resource''s externally
+                            created scaling policies are kept or replaced. Valid values:
+                            KeepExternalPolicies, ReplaceExternalPolicies. Defaults
+                            to KeepExternalPolicies.'
+                          type: string
+                        scheduledActionBufferTime:
+                          description: Amount of time, in seconds, to buffer the run
+                            time of scheduled scaling actions when scaling out.
+                          type: number
+                        serviceNamespace:
+                          description: 'Namespace of the AWS service. Valid values:
+                            autoscaling, dynamodb, ecs, ec2, rds.'
+                          type: string
+                        targetTrackingConfiguration:
+                          description: Structure that defines new target tracking
+                            configurations. Each of these structures includes a specific
+                            scaling metric and a target value for the metric, along
+                            with various parameters to use with dynamic scaling. More
+                            details can be found in the AWS Auto Scaling API Reference.
+                          items:
+                            properties:
+                              customizedScalingMetricSpecification:
+                                description: Customized metric. You can specify either
+                                  customized_scaling_metric_specification or predefined_scaling_metric_specification.
+                                  More details can be found in the AWS Auto Scaling
+                                  API Reference.
+                                items:
+                                  properties:
+                                    dimensions:
+                                      additionalProperties:
+                                        type: string
+                                      description: Dimensions of the metric.
+                                      type: object
+                                    metricName:
+                                      description: Name of the metric.
+                                      type: string
+                                    namespace:
+                                      description: Namespace of the metric.
+                                      type: string
+                                    statistic:
+                                      description: Statistic of the metric. Currently,
+                                        the value must always be Sum.
+                                      type: string
+                                    unit:
+                                      description: Unit of the metric.
+                                      type: string
+                                  type: object
+                                type: array
+                              disableScaleIn:
+                                description: Boolean indicating whether scale in by
+                                  the target tracking scaling policy is disabled.
+                                  Defaults to false.
+                                type: boolean
+                              estimatedInstanceWarmup:
+                                description: Estimated time, in seconds, until a newly
+                                  launched instance can contribute to the CloudWatch
+                                  metrics. This value is used only if the resource
+                                  is an Auto Scaling group.
+                                type: number
+                              predefinedScalingMetricSpecification:
+                                description: Predefined metric. You can specify either
+                                  predefined_scaling_metric_specification or customized_scaling_metric_specification.
+                                  More details can be found in the AWS Auto Scaling
+                                  API Reference.
+                                items:
+                                  properties:
+                                    predefinedScalingMetricType:
+                                      description: 'Metric type. Valid values: ALBRequestCountPerTarget,
+                                        ASGAverageCPUUtilization, ASGAverageNetworkIn,
+                                        ASGAverageNetworkOut, DynamoDBReadCapacityUtilization,
+                                        DynamoDBWriteCapacityUtilization, ECSServiceAverageCPUUtilization,
+                                        ECSServiceAverageMemoryUtilization, EC2SpotFleetRequestAverageCPUUtilization,
+                                        EC2SpotFleetRequestAverageNetworkIn, EC2SpotFleetRequestAverageNetworkOut,
+                                        RDSReaderAverageCPUUtilization, RDSReaderAverageDatabaseConnections.'
+                                      type: string
+                                    resourceLabel:
+                                      description: Identifies the resource associated
+                                        with the metric type.
+                                      type: string
+                                  type: object
+                                type: array
+                              scaleInCooldown:
+                                description: Amount of time, in seconds, after a scale
+                                  in activity completes before another scale in activity
+                                  can start. This value is not used if the scalable
+                                  resource is an Auto Scaling group.
+                                type: number
+                              scaleOutCooldown:
+                                description: Amount of time, in seconds, after a scale-out
+                                  activity completes before another scale-out activity
+                                  can start. This value is not used if the scalable
+                                  resource is an Auto Scaling group.
+                                type: number
+                              targetValue:
+                                description: Target value for the metric.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   scalingPlanVersion:
                     description: The version number of the scaling plan. This value
                       is always 1.
diff --git a/package/crds/aws.upbound.io_storeconfigs.yaml b/package/crds/aws.upbound.io_storeconfigs.yaml
index fc3426cdc5..9a3f1d62a4 100644
--- a/package/crds/aws.upbound.io_storeconfigs.yaml
+++ b/package/crds/aws.upbound.io_storeconfigs.yaml
@@ -120,14 +120,45 @@ spec:
                 required:
                 - auth
                 type: object
+              plugin:
+                description: Plugin configures External secret store as a plugin.
+                properties:
+                  configRef:
+                    description: ConfigRef contains store config reference info.
+                    properties:
+                      apiVersion:
+                        description: APIVersion of the referenced config.
+                        type: string
+                      kind:
+                        description: Kind of the referenced config.
+                        type: string
+                      name:
+                        description: Name of the referenced config.
+                        type: string
+                    required:
+                    - apiVersion
+                    - kind
+                    - name
+                    type: object
+                  endpoint:
+                    description: Endpoint is the endpoint of the gRPC server.
+                    type: string
+                type: object
               type:
                 default: Kubernetes
                 description: Type configures which secret store to be used. Only the
                   configuration block for this store will be used and others will
                   be ignored if provided. Default is Kubernetes.
+                enum:
+                - Kubernetes
+                - Vault
+                - Plugin
                 type: string
               vault:
-                description: Vault configures a Vault secret store.
+                description: 'Vault configures a Vault secret store. Deprecated: This
+                  API is scheduled to be removed in a future release. Vault should
+                  be used as a plugin going forward. See https://github.com/crossplane-contrib/ess-plugin-vault
+                  for more information.'
                 properties:
                   auth:
                     description: Auth configures an authentication method for Vault.
diff --git a/package/crds/backup.aws.upbound.io_frameworks.yaml b/package/crds/backup.aws.upbound.io_frameworks.yaml
index d19593bc26..dfc9ed6392 100644
--- a/package/crds/backup.aws.upbound.io_frameworks.yaml
+++ b/package/crds/backup.aws.upbound.io_frameworks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -146,10 +150,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - control
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -321,6 +338,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: control is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.control)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: FrameworkStatus defines the observed state of Framework.
             properties:
@@ -329,6 +351,67 @@ spec:
                   arn:
                     description: The ARN of the backup framework.
                     type: string
+                  control:
+                    description: One or more control blocks that make up the framework.
+                      Each control in the list has a name, input parameters, and scope.
+                      Detailed below.
+                    items:
+                      properties:
+                        inputParameter:
+                          description: 'One or more input parameter blocks. An example
+                            of a control with two parameters is: "backup plan frequency
+                            is at least daily and the retention period is at least
+                            1 year". The first parameter is daily. The second parameter
+                            is 1 year. Detailed below.'
+                          items:
+                            properties:
+                              name:
+                                description: The unique name of the framework. The
+                                  name must be between 1 and 256 characters, starting
+                                  with a letter, and consisting of letters, numbers,
+                                  and underscores.
+                                type: string
+                              value:
+                                description: The value of parameter, for example,
+                                  hourly.
+                                type: string
+                            type: object
+                          type: array
+                        name:
+                          description: The unique name of the framework. The name
+                            must be between 1 and 256 characters, starting with a
+                            letter, and consisting of letters, numbers, and underscores.
+                          type: string
+                        scope:
+                          description: 'The scope of a control. The control scope
+                            defines what the control will evaluate. Three examples
+                            of control scopes are: a specific backup plan, all backup
+                            plans with a specific tag, or all backup plans. Detailed
+                            below.'
+                          items:
+                            properties:
+                              complianceResourceIds:
+                                description: The ID of the only AWS resource that
+                                  you want your control scope to contain. Minimum
+                                  number of 1 item. Maximum number of 100 items.
+                                items:
+                                  type: string
+                                type: array
+                              complianceResourceTypes:
+                                description: Describes whether the control scope includes
+                                  one or more types of resources, such as EFS or RDS.
+                                items:
+                                  type: string
+                                type: array
+                              tags:
+                                additionalProperties:
+                                  type: string
+                                description: Key-value map of resource tags.
+                                type: object
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   creationTime:
                     description: The date and time that a framework is created, in
                       Unix format and Coordinated Universal Time (UTC).
@@ -338,9 +421,18 @@ spec:
                       are: CREATE_IN_PROGRESS | UPDATE_IN_PROGRESS | DELETE_IN_PROGRESS
                       | COMPLETED | FAILED.'
                     type: string
+                  description:
+                    description: The description of the framework with a maximum of
+                      1,024 characters
+                    type: string
                   id:
                     description: The id of the backup framework.
                     type: string
+                  name:
+                    description: The unique name of the framework. The name must be
+                      between 1 and 256 characters, starting with a letter, and consisting
+                      of letters, numbers, and underscores.
+                    type: string
                   status:
                     description: A framework consists of one or more controls. Each
                       control governs a resource, such as backup plans, backup selections,
@@ -348,6 +440,11 @@ spec:
                       recording on or off for each resource. For more information
                       refer to the AWS documentation for Framework Status
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/backup.aws.upbound.io_globalsettings.yaml b/package/crds/backup.aws.upbound.io_globalsettings.yaml
index 43961acfe5..a38d6d9b9d 100644
--- a/package/crds/backup.aws.upbound.io_globalsettings.yaml
+++ b/package/crds/backup.aws.upbound.io_globalsettings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -75,9 +79,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - globalSettings
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -249,11 +267,20 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: globalSettings is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.globalSettings)
           status:
             description: GlobalSettingsStatus defines the observed state of GlobalSettings.
             properties:
               atProvider:
                 properties:
+                  globalSettings:
+                    additionalProperties:
+                      type: string
+                    description: A list of resources along with the opt-in preferences
+                      for the account.
+                    type: object
                   id:
                     description: The AWS Account ID.
                     type: string
diff --git a/package/crds/backup.aws.upbound.io_plans.yaml b/package/crds/backup.aws.upbound.io_plans.yaml
index bbb3362682..2c73754be9 100644
--- a/package/crds/backup.aws.upbound.io_plans.yaml
+++ b/package/crds/backup.aws.upbound.io_plans.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -264,10 +268,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - rule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -439,17 +456,132 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: rule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)
           status:
             description: PlanStatus defines the observed state of Plan.
             properties:
               atProvider:
                 properties:
+                  advancedBackupSetting:
+                    description: An object that specifies backup options for each
+                      resource type.
+                    items:
+                      properties:
+                        backupOptions:
+                          additionalProperties:
+                            type: string
+                          description: Specifies the backup option for a selected
+                            resource. This option is only available for Windows VSS
+                            backup jobs. Set to { WindowsVSS = "enabled" } to enable
+                            Windows VSS backup option and create a VSS Windows backup.
+                          type: object
+                        resourceType:
+                          description: 'The type of AWS resource to be backed up.
+                            For VSS Windows backups, the only supported resource type
+                            is Amazon EC2. Valid values: EC2.'
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: The ARN of the backup plan.
                     type: string
                   id:
                     description: The id of the backup plan.
                     type: string
+                  name:
+                    description: The display name of a backup plan.
+                    type: string
+                  rule:
+                    description: A rule object that specifies a scheduled task that
+                      is used to back up a selection of resources.
+                    items:
+                      properties:
+                        completionWindow:
+                          description: The amount of time in minutes AWS Backup attempts
+                            a backup before canceling the job and returning an error.
+                          type: number
+                        copyAction:
+                          description: Configuration block(s) with copy operation
+                            settings. Detailed below.
+                          items:
+                            properties:
+                              destinationVaultArn:
+                                description: An Amazon Resource Name (ARN) that uniquely
+                                  identifies the destination backup vault for the
+                                  copied backup.
+                                type: string
+                              lifecycle:
+                                description: The lifecycle defines when a protected
+                                  resource is transitioned to cold storage and when
+                                  it expires.  Fields documented below.
+                                items:
+                                  properties:
+                                    coldStorageAfter:
+                                      description: Specifies the number of days after
+                                        creation that a recovery point is moved to
+                                        cold storage.
+                                      type: number
+                                    deleteAfter:
+                                      description: Specifies the number of days after
+                                        creation that a recovery point is deleted.
+                                        Must be 90 days greater than cold_storage_after.
+                                      type: number
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        enableContinuousBackup:
+                          description: Enable continuous backups for supported resources.
+                          type: boolean
+                        lifecycle:
+                          description: The lifecycle defines when a protected resource
+                            is transitioned to cold storage and when it expires.  Fields
+                            documented below.
+                          items:
+                            properties:
+                              coldStorageAfter:
+                                description: Specifies the number of days after creation
+                                  that a recovery point is moved to cold storage.
+                                type: number
+                              deleteAfter:
+                                description: Specifies the number of days after creation
+                                  that a recovery point is deleted. Must be 90 days
+                                  greater than cold_storage_after.
+                                type: number
+                            type: object
+                          type: array
+                        recoveryPointTags:
+                          additionalProperties:
+                            type: string
+                          description: Metadata that you can assign to help organize
+                            the resources that you create.
+                          type: object
+                        ruleName:
+                          description: An display name for a backup rule.
+                          type: string
+                        schedule:
+                          description: A CRON expression specifying when AWS Backup
+                            initiates a backup job.
+                          type: string
+                        startWindow:
+                          description: The amount of time in minutes before beginning
+                            a backup.
+                          type: number
+                        targetVaultName:
+                          description: The name of a logical container where backups
+                            are stored.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/backup.aws.upbound.io_regionsettings.yaml b/package/crds/backup.aws.upbound.io_regionsettings.yaml
index 96b6581c42..66c6784f27 100644
--- a/package/crds/backup.aws.upbound.io_regionsettings.yaml
+++ b/package/crds/backup.aws.upbound.io_regionsettings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -85,8 +89,22 @@ spec:
                     type: object
                 required:
                 - region
-                - resourceTypeOptInPreference
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,6 +276,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: resourceTypeOptInPreference is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceTypeOptInPreference)
           status:
             description: RegionSettingsStatus defines the observed state of RegionSettings.
             properties:
@@ -266,6 +287,21 @@ spec:
                   id:
                     description: The AWS region.
                     type: string
+                  resourceTypeManagementPreference:
+                    additionalProperties:
+                      type: boolean
+                    description: "A map of services along with the management preferences
+                      for the Region. \n WARNING: All parameters are required to be
+                      given: EFS, DynamoDB"
+                    type: object
+                  resourceTypeOptInPreference:
+                    additionalProperties:
+                      type: boolean
+                    description: "A map of services along with the opt-in preferences
+                      for the Region. \n WARNING: All parameters are required to be
+                      given: EFS, DynamoDB, EBS, EC2, FSx, S3, Aurora, RDS, Storage
+                      Gateway, VirtualMachine"
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/backup.aws.upbound.io_reportplans.yaml b/package/crds/backup.aws.upbound.io_reportplans.yaml
index 245524d51b..81b6a60179 100644
--- a/package/crds/backup.aws.upbound.io_reportplans.yaml
+++ b/package/crds/backup.aws.upbound.io_reportplans.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -137,11 +141,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - reportDeliveryChannel
-                - reportSetting
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -313,6 +329,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: reportDeliveryChannel is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reportDeliveryChannel)
+            - message: reportSetting is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reportSetting)
           status:
             description: ReportPlanStatus defines the observed state of ReportPlan.
             properties:
@@ -330,9 +353,73 @@ spec:
                       are: CREATE_IN_PROGRESS | UPDATE_IN_PROGRESS | DELETE_IN_PROGRESS
                       | COMPLETED.'
                     type: string
+                  description:
+                    description: The description of the report plan with a maximum
+                      of 1,024 characters
+                    type: string
                   id:
                     description: The id of the backup report plan.
                     type: string
+                  name:
+                    description: The unique name of the report plan. The name must
+                      be between 1 and 256 characters, starting with a letter, and
+                      consisting of letters, numbers, and underscores.
+                    type: string
+                  reportDeliveryChannel:
+                    description: An object that contains information about where and
+                      how to deliver your reports, specifically your Amazon S3 bucket
+                      name, S3 key prefix, and the formats of your reports. Detailed
+                      below.
+                    items:
+                      properties:
+                        formats:
+                          description: 'A list of the format of your reports: CSV,
+                            JSON, or both. If not specified, the default format is
+                            CSV.'
+                          items:
+                            type: string
+                          type: array
+                        s3BucketName:
+                          description: The unique name of the S3 bucket that receives
+                            your reports.
+                          type: string
+                        s3KeyPrefix:
+                          description: 'The prefix for where Backup Audit Manager
+                            delivers your reports to Amazon S3. The prefix is this
+                            part of the following path: s3://your-bucket-name/prefix/Backup/us-west-2/year/month/day/report-name.
+                            If not specified, there is no prefix.'
+                          type: string
+                      type: object
+                    type: array
+                  reportSetting:
+                    description: An object that identifies the report template for
+                      the report. Reports are built using a report template. Detailed
+                      below.
+                    items:
+                      properties:
+                        frameworkArns:
+                          description: Specifies the Amazon Resource Names (ARNs)
+                            of the frameworks a report covers.
+                          items:
+                            type: string
+                          type: array
+                        numberOfFrameworks:
+                          description: Specifies the number of frameworks a report
+                            covers.
+                          type: number
+                        reportTemplate:
+                          description: 'Identifies the report template for the report.
+                            Reports are built using a report template. The report
+                            templates are: RESOURCE_COMPLIANCE_REPORT | CONTROL_COMPLIANCE_REPORT
+                            | BACKUP_JOB_REPORT | COPY_JOB_REPORT | RESTORE_JOB_REPORT.'
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/backup.aws.upbound.io_selections.yaml b/package/crds/backup.aws.upbound.io_selections.yaml
index 70d0aaa70f..80d52664fb 100644
--- a/package/crds/backup.aws.upbound.io_selections.yaml
+++ b/package/crds/backup.aws.upbound.io_selections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -328,9 +332,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -502,14 +520,114 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: SelectionStatus defines the observed state of Selection.
             properties:
               atProvider:
                 properties:
+                  condition:
+                    description: A list of conditions that you define to assign resources
+                      to your backup plans using tags.
+                    items:
+                      properties:
+                        stringEquals:
+                          items:
+                            properties:
+                              key:
+                                description: The key in a key-value pair.
+                                type: string
+                              value:
+                                description: The value in a key-value pair.
+                                type: string
+                            type: object
+                          type: array
+                        stringLike:
+                          items:
+                            properties:
+                              key:
+                                description: The key in a key-value pair.
+                                type: string
+                              value:
+                                description: The value in a key-value pair.
+                                type: string
+                            type: object
+                          type: array
+                        stringNotEquals:
+                          items:
+                            properties:
+                              key:
+                                description: The key in a key-value pair.
+                                type: string
+                              value:
+                                description: The value in a key-value pair.
+                                type: string
+                            type: object
+                          type: array
+                        stringNotLike:
+                          items:
+                            properties:
+                              key:
+                                description: The key in a key-value pair.
+                                type: string
+                              value:
+                                description: The value in a key-value pair.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  iamRoleArn:
+                    description: The ARN of the IAM role that AWS Backup uses to authenticate
+                      when restoring and backing up the target resource. See the AWS
+                      Backup Developer Guide for additional information about using
+                      AWS managed policies or creating custom policies attached to
+                      the IAM role.
+                    type: string
                   id:
                     description: Backup Selection identifier
                     type: string
+                  name:
+                    description: The display name of a resource selection document.
+                    type: string
+                  notResources:
+                    description: An array of strings that either contain Amazon Resource
+                      Names (ARNs) or match patterns of resources to exclude from
+                      a backup plan.
+                    items:
+                      type: string
+                    type: array
+                  planId:
+                    description: The backup plan ID to be associated with the selection
+                      of resources.
+                    type: string
+                  resources:
+                    description: An array of strings that either contain Amazon Resource
+                      Names (ARNs) or match patterns of resources to assign to a backup
+                      plan.
+                    items:
+                      type: string
+                    type: array
+                  selectionTag:
+                    description: Tag-based conditions used to specify a set of resources
+                      to assign to a backup plan.
+                    items:
+                      properties:
+                        key:
+                          description: The key in a key-value pair.
+                          type: string
+                        type:
+                          description: An operation, such as StringEquals, that is
+                            applied to a key-value pair used to filter resources in
+                            a selection.
+                          type: string
+                        value:
+                          description: The value in a key-value pair.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/backup.aws.upbound.io_vaultlockconfigurations.yaml b/package/crds/backup.aws.upbound.io_vaultlockconfigurations.yaml
index 445475450e..a90fe88958 100644
--- a/package/crds/backup.aws.upbound.io_vaultlockconfigurations.yaml
+++ b/package/crds/backup.aws.upbound.io_vaultlockconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,6 +165,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,8 +360,25 @@ spec:
                   backupVaultArn:
                     description: The ARN of the vault.
                     type: string
+                  backupVaultName:
+                    description: Name of the backup vault to add a lock configuration
+                      for.
+                    type: string
+                  changeableForDays:
+                    description: The number of days before the lock date. If omitted
+                      creates a vault lock in governance mode, otherwise it will create
+                      a vault lock in compliance mode.
+                    type: number
                   id:
                     type: string
+                  maxRetentionDays:
+                    description: The maximum retention period that the vault retains
+                      its recovery points.
+                    type: number
+                  minRetentionDays:
+                    description: The minimum retention period that the vault retains
+                      its recovery points.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/backup.aws.upbound.io_vaultnotifications.yaml b/package/crds/backup.aws.upbound.io_vaultnotifications.yaml
index e1e79f68cb..87bdc27b85 100644
--- a/package/crds/backup.aws.upbound.io_vaultnotifications.yaml
+++ b/package/crds/backup.aws.upbound.io_vaultnotifications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,9 +232,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - backupVaultEvents
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,6 +420,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: backupVaultEvents is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backupVaultEvents)
           status:
             description: VaultNotificationsStatus defines the observed state of VaultNotifications.
             properties:
@@ -410,9 +431,22 @@ spec:
                   backupVaultArn:
                     description: The ARN of the vault.
                     type: string
+                  backupVaultEvents:
+                    description: An array of events that indicate the status of jobs
+                      to back up resources to the backup vault.
+                    items:
+                      type: string
+                    type: array
+                  backupVaultName:
+                    description: Name of the backup vault to add notifications for.
+                    type: string
                   id:
                     description: The name of the vault.
                     type: string
+                  snsTopicArn:
+                    description: The Amazon Resource Name (ARN) that specifies the
+                      topic for a backup vault’s events
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/backup.aws.upbound.io_vaultpolicies.yaml b/package/crds/backup.aws.upbound.io_vaultpolicies.yaml
index 883bb2c762..d39c1a0fec 100644
--- a/package/crds/backup.aws.upbound.io_vaultpolicies.yaml
+++ b/package/crds/backup.aws.upbound.io_vaultpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -148,9 +152,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -322,6 +340,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: VaultPolicyStatus defines the observed state of VaultPolicy.
             properties:
@@ -330,9 +351,15 @@ spec:
                   backupVaultArn:
                     description: The ARN of the vault.
                     type: string
+                  backupVaultName:
+                    description: Name of the backup vault to add policy for.
+                    type: string
                   id:
                     description: The name of the vault.
                     type: string
+                  policy:
+                    description: The backup vault access policy document in JSON format.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/backup.aws.upbound.io_vaults.yaml b/package/crds/backup.aws.upbound.io_vaults.yaml
index 8a85ff0bca..bcccb0c40a 100644
--- a/package/crds/backup.aws.upbound.io_vaults.yaml
+++ b/package/crds/backup.aws.upbound.io_vaults.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,6 +162,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,13 +356,27 @@ spec:
                   arn:
                     description: The ARN of the vault.
                     type: string
+                  forceDestroy:
+                    description: A boolean that indicates that all recovery points
+                      stored in the vault are deleted so that the vault can be destroyed
+                      without error.
+                    type: boolean
                   id:
                     description: The name of the vault.
                     type: string
+                  kmsKeyArn:
+                    description: The server-side encryption key that is used to protect
+                      your backups.
+                    type: string
                   recoveryPoints:
                     description: The number of recovery points that are stored in
                       a backup vault.
                     type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/batch.aws.upbound.io_schedulingpolicies.yaml b/package/crds/batch.aws.upbound.io_schedulingpolicies.yaml
index b43e1b280d..14e792639a 100644
--- a/package/crds/batch.aws.upbound.io_schedulingpolicies.yaml
+++ b/package/crds/batch.aws.upbound.io_schedulingpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -107,6 +111,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -286,8 +305,42 @@ spec:
                   arn:
                     description: The Amazon Resource Name of the scheduling policy.
                     type: string
+                  fairSharePolicy:
+                    items:
+                      properties:
+                        computeReservation:
+                          description: A value used to reserve some of the available
+                            maximum vCPU for fair share identifiers that have not
+                            yet been used. For more information, see FairsharePolicy.
+                          type: number
+                        shareDecaySeconds:
+                          type: number
+                        shareDistribution:
+                          description: One or more share distribution blocks which
+                            define the weights for the fair share identifiers for
+                            the fair share policy. For more information, see FairsharePolicy.
+                            The share_distribution block is documented below.
+                          items:
+                            properties:
+                              shareIdentifier:
+                                description: A fair share identifier or fair share
+                                  identifier prefix. For more information, see ShareAttributes.
+                                type: string
+                              weightFactor:
+                                description: The weight factor for the fair share
+                                  identifier. For more information, see ShareAttributes.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/budgets.aws.upbound.io_budgetactions.yaml b/package/crds/budgets.aws.upbound.io_budgetactions.yaml
index 9c4ccb455d..323d5cb590 100644
--- a/package/crds/budgets.aws.upbound.io_budgetactions.yaml
+++ b/package/crds/budgets.aws.upbound.io_budgetactions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -430,14 +434,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - actionThreshold
-                - actionType
-                - approvalModel
-                - definition
-                - notificationType
                 - region
-                - subscriber
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -609,23 +622,158 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: actionThreshold is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actionThreshold)
+            - message: actionType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actionType)
+            - message: approvalModel is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.approvalModel)
+            - message: definition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)
+            - message: notificationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.notificationType)
+            - message: subscriber is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.subscriber)
           status:
             description: BudgetActionStatus defines the observed state of BudgetAction.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The ID of the target account for budget. Will use
+                      current user's account_id by default if omitted.
+                    type: string
                   actionId:
                     description: The id of the budget action.
                     type: string
+                  actionThreshold:
+                    description: The trigger threshold of the action. See Action Threshold.
+                    items:
+                      properties:
+                        actionThresholdType:
+                          description: The type of threshold for a notification. Valid
+                            values are PERCENTAGE or ABSOLUTE_VALUE.
+                          type: string
+                        actionThresholdValue:
+                          description: The threshold of a notification.
+                          type: number
+                      type: object
+                    type: array
+                  actionType:
+                    description: The type of action. This defines the type of tasks
+                      that can be carried out by this action. This field also determines
+                      the format for definition. Valid values are APPLY_IAM_POLICY,
+                      APPLY_SCP_POLICY, and RUN_SSM_DOCUMENTS.
+                    type: string
+                  approvalModel:
+                    description: This specifies if the action needs manual or automatic
+                      approval. Valid values are AUTOMATIC and MANUAL.
+                    type: string
                   arn:
                     description: The ARN of the budget action.
                     type: string
+                  budgetName:
+                    description: The name of a budget.
+                    type: string
+                  definition:
+                    description: Specifies all of the type-specific parameters. See
+                      Definition.
+                    items:
+                      properties:
+                        iamActionDefinition:
+                          description: The AWS Identity and Access Management (IAM)
+                            action definition details. See IAM Action Definition.
+                          items:
+                            properties:
+                              groups:
+                                description: A list of groups to be attached. There
+                                  must be at least one group.
+                                items:
+                                  type: string
+                                type: array
+                              policyArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  policy to be attached.
+                                type: string
+                              roles:
+                                description: A list of roles to be attached. There
+                                  must be at least one role.
+                                items:
+                                  type: string
+                                type: array
+                              users:
+                                description: A list of users to be attached. There
+                                  must be at least one user.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        scpActionDefinition:
+                          description: The service control policies (SCPs) action
+                            definition details. See SCP Action Definition.
+                          items:
+                            properties:
+                              policyId:
+                                description: The policy ID attached.
+                                type: string
+                              targetIds:
+                                description: A list of target IDs.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        ssmActionDefinition:
+                          description: The AWS Systems Manager (SSM) action definition
+                            details. See SSM Action Definition.
+                          items:
+                            properties:
+                              actionSubType:
+                                description: The action subType. Valid values are
+                                  STOP_EC2_INSTANCES or STOP_RDS_INSTANCES.
+                                type: string
+                              instanceIds:
+                                description: The EC2 and RDS instance IDs.
+                                items:
+                                  type: string
+                                type: array
+                              region:
+                                description: The Region to run the SSM document.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  executionRoleArn:
+                    description: The role passed for action execution and reversion.
+                      Roles and actions must be in the same account.
+                    type: string
                   id:
                     description: ID of resource.
                     type: string
+                  notificationType:
+                    description: The type of a notification. Valid values are ACTUAL
+                      or FORECASTED.
+                    type: string
                   status:
                     description: The status of the budget action.
                     type: string
+                  subscriber:
+                    description: A list of subscribers. See Subscriber.
+                    items:
+                      properties:
+                        address:
+                          description: The address that AWS sends budget notifications
+                            to, either an SNS topic or an email.
+                          type: string
+                        subscriptionType:
+                          description: The type of notification that AWS sends to
+                            a subscriber. Valid values are SNS or EMAIL.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/budgets.aws.upbound.io_budgets.yaml b/package/crds/budgets.aws.upbound.io_budgets.yaml
index e73965e878..c0473c3d94 100644
--- a/package/crds/budgets.aws.upbound.io_budgets.yaml
+++ b/package/crds/budgets.aws.upbound.io_budgets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -258,10 +262,23 @@ spec:
                       and DAILY.'
                     type: string
                 required:
-                - budgetType
                 - region
-                - timeUnit
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -433,11 +450,20 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: budgetType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.budgetType)
+            - message: timeUnit is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.timeUnit)
           status:
             description: BudgetStatus defines the observed state of Budget.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The ID of the target account for budget. Will use
+                      current user's account_id by default if omitted.
+                    type: string
                   arn:
                     description: The ARN of the budget.
                     type: string
@@ -446,9 +472,13 @@ spec:
                       the budget amount for an auto-adjusting budget.
                     items:
                       properties:
+                        autoAdjustType:
+                          type: string
                         historicalOptions:
                           items:
                             properties:
+                              budgetAdjustmentPeriod:
+                                type: number
                               lookbackAvailablePeriods:
                                 type: number
                             type: object
@@ -457,9 +487,162 @@ spec:
                           type: string
                       type: object
                     type: array
+                  budgetType:
+                    description: Whether this budget tracks monetary cost or usage.
+                    type: string
+                  costFilter:
+                    description: A list of CostFilter name/values pair to apply to
+                      budget.
+                    items:
+                      properties:
+                        name:
+                          description: The name of a budget. Unique within accounts.
+                          type: string
+                        values:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  costFilters:
+                    additionalProperties:
+                      type: string
+                    description: Map of CostFilters key/value pairs to apply to the
+                      budget.
+                    type: object
+                  costTypes:
+                    description: Object containing CostTypes The types of cost included
+                      in a budget, such as tax and subscriptions.
+                    items:
+                      properties:
+                        includeCredit:
+                          description: A boolean value whether to include credits
+                            in the cost budget. Defaults to true
+                          type: boolean
+                        includeDiscount:
+                          description: Whether a budget includes discounts. Defaults
+                            to true
+                          type: boolean
+                        includeOtherSubscription:
+                          description: A boolean value whether to include other subscription
+                            costs in the cost budget. Defaults to true
+                          type: boolean
+                        includeRecurring:
+                          description: A boolean value whether to include recurring
+                            costs in the cost budget. Defaults to true
+                          type: boolean
+                        includeRefund:
+                          description: A boolean value whether to include refunds
+                            in the cost budget. Defaults to true
+                          type: boolean
+                        includeSubscription:
+                          description: A boolean value whether to include subscriptions
+                            in the cost budget. Defaults to true
+                          type: boolean
+                        includeSupport:
+                          description: A boolean value whether to include support
+                            costs in the cost budget. Defaults to true
+                          type: boolean
+                        includeTax:
+                          description: A boolean value whether to include tax in the
+                            cost budget. Defaults to true
+                          type: boolean
+                        includeUpfront:
+                          description: A boolean value whether to include upfront
+                            costs in the cost budget. Defaults to true
+                          type: boolean
+                        useAmortized:
+                          description: Whether a budget uses the amortized rate. Defaults
+                            to false
+                          type: boolean
+                        useBlended:
+                          description: A boolean value whether to use blended costs
+                            in the cost budget. Defaults to false
+                          type: boolean
+                      type: object
+                    type: array
                   id:
                     description: id of resource.
                     type: string
+                  limitAmount:
+                    description: The amount of cost or usage being measured for a
+                      budget.
+                    type: string
+                  limitUnit:
+                    description: The unit of measurement used for the budget forecast,
+                      actual spend, or budget threshold, such as dollars or GB. See
+                      Spend documentation.
+                    type: string
+                  notification:
+                    description: Object containing Budget Notifications. Can be used
+                      multiple times to define more than one budget notification.
+                    items:
+                      properties:
+                        comparisonOperator:
+                          description: Comparison operator to use to evaluate the
+                            condition. Can be LESS_THAN, EQUAL_TO or GREATER_THAN.
+                          type: string
+                        notificationType:
+                          description: What kind of budget value to notify on. Can
+                            be ACTUAL or FORECASTED
+                          type: string
+                        subscriberEmailAddresses:
+                          description: E-Mail addresses to notify. Either this or
+                            subscriber_sns_topic_arns is required.
+                          items:
+                            type: string
+                          type: array
+                        subscriberSnsTopicArns:
+                          description: SNS topics to notify. Either this or subscriber_email_addresses
+                            is required.
+                          items:
+                            type: string
+                          type: array
+                        threshold:
+                          description: Threshold when the notification should be sent.
+                          type: number
+                        thresholdType:
+                          description: What kind of threshold is defined. Can be PERCENTAGE
+                            OR ABSOLUTE_VALUE.
+                          type: string
+                      type: object
+                    type: array
+                  plannedLimit:
+                    description: Object containing Planned Budget Limits. Can be used
+                      multiple times to plan more than one budget limit. See PlannedBudgetLimits
+                      documentation.
+                    items:
+                      properties:
+                        amount:
+                          description: The amount of cost or usage being measured
+                            for a budget.
+                          type: string
+                        startTime:
+                          description: 'The start time of the budget limit. Format:
+                            2017-01-01_12:00. See PlannedBudgetLimits documentation.'
+                          type: string
+                        unit:
+                          description: The unit of measurement used for the budget
+                            forecast, actual spend, or budget threshold, such as dollars
+                            or GB. See Spend documentation.
+                          type: string
+                      type: object
+                    type: array
+                  timePeriodEnd:
+                    description: 'The end of the time period covered by the budget.
+                      There are no restrictions on the end date. Format: 2017-01-01_12:00.'
+                    type: string
+                  timePeriodStart:
+                    description: 'The start of the time period covered by the budget.
+                      If you don''t specify a start date, AWS defaults to the start
+                      of your chosen time period. The start date must come before
+                      the end date. Format: 2017-01-01_12:00.'
+                    type: string
+                  timeUnit:
+                    description: 'The length of time until a budget resets the actual
+                      and forecasted spend. Valid values: MONTHLY, QUARTERLY, ANNUALLY,
+                      and DAILY.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ce.aws.upbound.io_anomalymonitors.yaml b/package/crds/ce.aws.upbound.io_anomalymonitors.yaml
index 6e04dea561..a1712ebde2 100644
--- a/package/crds/ce.aws.upbound.io_anomalymonitors.yaml
+++ b/package/crds/ce.aws.upbound.io_anomalymonitors.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -87,10 +91,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - monitorType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -262,6 +279,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: monitorType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.monitorType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AnomalyMonitorStatus defines the observed state of AnomalyMonitor.
             properties:
@@ -273,6 +295,24 @@ spec:
                   id:
                     description: Unique ID of the anomaly monitor. Same as arn.
                     type: string
+                  monitorDimension:
+                    description: 'The dimensions to evaluate. Valid values: SERVICE.'
+                    type: string
+                  monitorSpecification:
+                    description: A valid JSON representation for the Expression object.
+                    type: string
+                  monitorType:
+                    description: 'The possible type values. Valid values: DIMENSIONAL
+                      | CUSTOM.'
+                    type: string
+                  name:
+                    description: The name of the monitor.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/chime.aws.upbound.io_voiceconnectorgroups.yaml b/package/crds/chime.aws.upbound.io_voiceconnectorgroups.yaml
index 9000b0db22..8d9471e639 100644
--- a/package/crds/chime.aws.upbound.io_voiceconnectorgroups.yaml
+++ b/package/crds/chime.aws.upbound.io_voiceconnectorgroups.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,6 +171,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,6 +362,21 @@ spec:
             properties:
               atProvider:
                 properties:
+                  connector:
+                    description: The Amazon Chime Voice Connectors to route inbound
+                      calls to.
+                    items:
+                      properties:
+                        priority:
+                          description: The priority associated with the Amazon Chime
+                            Voice Connector, with 1 being the highest priority. Higher
+                            priority Amazon Chime Voice Connectors are attempted first.
+                          type: number
+                        voiceConnectorId:
+                          description: The Amazon Chime Voice Connector ID.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: Amazon Chime Voice Connector group ID.
                     type: string
diff --git a/package/crds/chime.aws.upbound.io_voiceconnectorloggings.yaml b/package/crds/chime.aws.upbound.io_voiceconnectorloggings.yaml
index a4dbc5b76b..0e573c3c11 100644
--- a/package/crds/chime.aws.upbound.io_voiceconnectorloggings.yaml
+++ b/package/crds/chime.aws.upbound.io_voiceconnectorloggings.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,6 +163,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -336,9 +355,20 @@ spec:
             properties:
               atProvider:
                 properties:
+                  enableMediaMetricLogs:
+                    description: When true, enables logging of detailed media metrics
+                      for Voice Connectors to Amazon CloudWatch logs.
+                    type: boolean
+                  enableSipLogs:
+                    description: When true, enables SIP message logs for sending to
+                      Amazon CloudWatch Logs.
+                    type: boolean
                   id:
                     description: The Amazon Chime Voice Connector ID.
                     type: string
+                  voiceConnectorId:
+                    description: The Amazon Chime Voice Connector ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/chime.aws.upbound.io_voiceconnectororiginations.yaml b/package/crds/chime.aws.upbound.io_voiceconnectororiginations.yaml
index 9931d6704e..9c5fea030d 100644
--- a/package/crds/chime.aws.upbound.io_voiceconnectororiginations.yaml
+++ b/package/crds/chime.aws.upbound.io_voiceconnectororiginations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -190,8 +194,22 @@ spec:
                     type: object
                 required:
                 - region
-                - route
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -363,15 +381,56 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: route is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.route)
           status:
             description: VoiceConnectorOriginationStatus defines the observed state
               of VoiceConnectorOrigination.
             properties:
               atProvider:
                 properties:
+                  disabled:
+                    description: When origination settings are disabled, inbound calls
+                      are not enabled for your Amazon Chime Voice Connector.
+                    type: boolean
                   id:
                     description: The Amazon Chime Voice Connector ID.
                     type: string
+                  route:
+                    description: Set of call distribution properties defined for your
+                      SIP hosts. See route below for more details. Minimum of 1. Maximum
+                      of 20.
+                    items:
+                      properties:
+                        host:
+                          description: The FQDN or IP address to contact for origination
+                            traffic.
+                          type: string
+                        port:
+                          description: The designated origination route port. Defaults
+                            to 5060.
+                          type: number
+                        priority:
+                          description: The priority associated with the host, with
+                            1 being the highest priority. Higher priority hosts are
+                            attempted first.
+                          type: number
+                        protocol:
+                          description: The protocol to use for the origination route.
+                            Encryption-enabled Amazon Chime Voice Connectors use TCP
+                            protocol by default.
+                          type: string
+                        weight:
+                          description: The weight associated with the host. If hosts
+                            are equal in priority, calls are redistributed among them
+                            based on their relative weight.
+                          type: number
+                      type: object
+                    type: array
+                  voiceConnectorId:
+                    description: The Amazon Chime Voice Connector ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/chime.aws.upbound.io_voiceconnectors.yaml b/package/crds/chime.aws.upbound.io_voiceconnectors.yaml
index 6db3f76019..0c10e122b8 100644
--- a/package/crds/chime.aws.upbound.io_voiceconnectors.yaml
+++ b/package/crds/chime.aws.upbound.io_voiceconnectors.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,8 +83,22 @@ spec:
                     type: boolean
                 required:
                 - region
-                - requireEncryption
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,17 +270,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: requireEncryption is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.requireEncryption)
           status:
             description: VoiceConnectorStatus defines the observed state of VoiceConnector.
             properties:
               atProvider:
                 properties:
+                  awsRegion:
+                    description: 'The AWS Region in which the Amazon Chime Voice Connector
+                      is created. Default value: us-east-1'
+                    type: string
                   id:
                     type: string
                   outboundHostName:
                     description: The outbound host name for the Amazon Chime Voice
                       Connector.
                     type: string
+                  requireEncryption:
+                    description: When enabled, requires encryption for the Amazon
+                      Chime Voice Connector.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/chime.aws.upbound.io_voiceconnectorstreamings.yaml b/package/crds/chime.aws.upbound.io_voiceconnectorstreamings.yaml
index a257a49eca..572c4a8d0f 100644
--- a/package/crds/chime.aws.upbound.io_voiceconnectorstreamings.yaml
+++ b/package/crds/chime.aws.upbound.io_voiceconnectorstreamings.yaml
@@ -58,9 +58,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -164,9 +168,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - dataRetention
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -338,15 +356,35 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dataRetention is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataRetention)
           status:
             description: VoiceConnectorStreamingStatus defines the observed state
               of VoiceConnectorStreaming.
             properties:
               atProvider:
                 properties:
+                  dataRetention:
+                    description: The retention period, in hours, for the Amazon Kinesis
+                      data.
+                    type: number
+                  disabled:
+                    description: 'When true, media streaming to Amazon Kinesis is
+                      turned off. Default: false'
+                    type: boolean
                   id:
                     description: The Amazon Chime Voice Connector ID.
                     type: string
+                  streamingNotificationTargets:
+                    description: 'The streaming notification targets. Valid Values:
+                      EventBridge | SNS | SQS'
+                    items:
+                      type: string
+                    type: array
+                  voiceConnectorId:
+                    description: The Amazon Chime Voice Connector ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/chime.aws.upbound.io_voiceconnectorterminationcredentials.yaml b/package/crds/chime.aws.upbound.io_voiceconnectorterminationcredentials.yaml
index ab07da9069..d5aeda93af 100644
--- a/package/crds/chime.aws.upbound.io_voiceconnectorterminationcredentials.yaml
+++ b/package/crds/chime.aws.upbound.io_voiceconnectorterminationcredentials.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -180,9 +184,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - credentials
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -354,15 +372,31 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: credentials is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.credentials)
           status:
             description: VoiceConnectorTerminationCredentialsStatus defines the observed
               state of VoiceConnectorTerminationCredentials.
             properties:
               atProvider:
                 properties:
+                  credentials:
+                    description: List of termination SIP credentials.
+                    items:
+                      properties:
+                        username:
+                          description: RFC2617 compliant username associated with
+                            the SIP credentials.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: Amazon Chime Voice Connector ID.
                     type: string
+                  voiceConnectorId:
+                    description: Amazon Chime Voice Connector ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/chime.aws.upbound.io_voiceconnectorterminations.yaml b/package/crds/chime.aws.upbound.io_voiceconnectorterminations.yaml
index 947683fb23..7023609b49 100644
--- a/package/crds/chime.aws.upbound.io_voiceconnectorterminations.yaml
+++ b/package/crds/chime.aws.upbound.io_voiceconnectorterminations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -171,10 +175,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - callingRegions
-                - cidrAllowList
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -346,15 +363,45 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: callingRegions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.callingRegions)
+            - message: cidrAllowList is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cidrAllowList)
           status:
             description: VoiceConnectorTerminationStatus defines the observed state
               of VoiceConnectorTermination.
             properties:
               atProvider:
                 properties:
+                  callingRegions:
+                    description: The countries to which calls are allowed, in ISO
+                      3166-1 alpha-2 format.
+                    items:
+                      type: string
+                    type: array
+                  cidrAllowList:
+                    description: The IP addresses allowed to make calls, in CIDR format.
+                    items:
+                      type: string
+                    type: array
+                  cpsLimit:
+                    description: The limit on calls per second. Max value based on
+                      account service quota. Default value of 1.
+                    type: number
+                  defaultPhoneNumber:
+                    description: The default caller ID phone number.
+                    type: string
+                  disabled:
+                    description: When termination settings are disabled, outbound
+                      calls can not be made.
+                    type: boolean
                   id:
                     description: The Amazon Chime Voice Connector ID.
                     type: string
+                  voiceConnectorId:
+                    description: The Amazon Chime Voice Connector ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloud9.aws.upbound.io_environmentec2s.yaml b/package/crds/cloud9.aws.upbound.io_environmentec2s.yaml
index 6298d1bab6..8f3c8395c7 100644
--- a/package/crds/cloud9.aws.upbound.io_environmentec2s.yaml
+++ b/package/crds/cloud9.aws.upbound.io_environmentec2s.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -178,10 +182,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - instanceType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -353,6 +370,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: EnvironmentEC2Status defines the observed state of EnvironmentEC2.
             properties:
@@ -361,9 +383,45 @@ spec:
                   arn:
                     description: The ARN of the environment.
                     type: string
+                  automaticStopTimeMinutes:
+                    description: The number of minutes until the running instance
+                      is shut down after the environment has last been used.
+                    type: number
+                  connectionType:
+                    description: The connection type used for connecting to an Amazon
+                      EC2 environment. Valid values are CONNECT_SSH and CONNECT_SSM.
+                      For more information please refer AWS documentation for Cloud9.
+                    type: string
+                  description:
+                    description: The description of the environment.
+                    type: string
                   id:
                     description: The ID of the environment.
                     type: string
+                  imageId:
+                    description: The identifier for the Amazon Machine Image (AMI)
+                      that's used to create the EC2 instance. Valid values are
+                    type: string
+                  instanceType:
+                    description: The type of instance to connect to the environment,
+                      e.g., t2.micro.
+                    type: string
+                  name:
+                    description: The name of the environment.
+                    type: string
+                  ownerArn:
+                    description: The ARN of the environment owner. This can be ARN
+                      of any AWS IAM principal. Defaults to the environment's creator.
+                    type: string
+                  subnetId:
+                    description: The ID of the subnet in Amazon VPC that AWS Cloud9
+                      will use to communicate with the Amazon EC2 instance.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cloud9.aws.upbound.io_environmentmemberships.yaml b/package/crds/cloud9.aws.upbound.io_environmentmemberships.yaml
index 2d5b655742..3c06f49c26 100644
--- a/package/crds/cloud9.aws.upbound.io_environmentmemberships.yaml
+++ b/package/crds/cloud9.aws.upbound.io_environmentmemberships.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -230,9 +234,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - permissions
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -404,15 +422,31 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: permissions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissions)
           status:
             description: EnvironmentMembershipStatus defines the observed state of
               EnvironmentMembership.
             properties:
               atProvider:
                 properties:
+                  environmentId:
+                    description: The ID of the environment that contains the environment
+                      member you want to add.
+                    type: string
                   id:
                     description: The ID of the environment membership.
                     type: string
+                  permissions:
+                    description: The type of environment member permissions you want
+                      to associate with this environment member. Allowed values are
+                      read-only and read-write .
+                    type: string
+                  userArn:
+                    description: The Amazon Resource Name (ARN) of the environment
+                      member you want to add.
+                    type: string
                   userId:
                     description: he user ID in AWS Identity and Access Management
                       (AWS IAM) of the environment member.
diff --git a/package/crds/cloudcontrol.aws.upbound.io_resources.yaml b/package/crds/cloudcontrol.aws.upbound.io_resources.yaml
index e859f046c4..086252e704 100644
--- a/package/crds/cloudcontrol.aws.upbound.io_resources.yaml
+++ b/package/crds/cloudcontrol.aws.upbound.io_resources.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -180,10 +184,23 @@ spec:
                     description: Identifier of the CloudFormation resource type version.
                     type: string
                 required:
-                - desiredState
                 - region
-                - typeName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -355,11 +372,20 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: desiredState is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.desiredState)
+            - message: typeName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.typeName)
           status:
             description: ResourceStatus defines the observed state of Resource.
             properties:
               atProvider:
                 properties:
+                  desiredState:
+                    description: JSON string matching the CloudFormation resource
+                      type schema with desired configuration.
+                    type: string
                   id:
                     type: string
                   properties:
@@ -368,6 +394,16 @@ spec:
                       can be referenced via the jsondecode() function, for example,
                       jsondecode(data.aws_cloudcontrolapi_resource.example.properties)["example"].
                     type: string
+                  roleArn:
+                    description: Amazon Resource Name (ARN) of the IAM Role to assume
+                      for operations.
+                    type: string
+                  typeName:
+                    description: CloudFormation resource type name. For example, AWS::EC2::VPC.
+                    type: string
+                  typeVersionId:
+                    description: Identifier of the CloudFormation resource type version.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudformation.aws.upbound.io_stacks.yaml b/package/crds/cloudformation.aws.upbound.io_stacks.yaml
index 00cc02fd13..c96330c2c5 100644
--- a/package/crds/cloudformation.aws.upbound.io_stacks.yaml
+++ b/package/crds/cloudformation.aws.upbound.io_stacks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -207,6 +211,21 @@ spec:
                 - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -383,14 +402,64 @@ spec:
             properties:
               atProvider:
                 properties:
+                  capabilities:
+                    description: 'A list of capabilities. Valid values: CAPABILITY_IAM,
+                      CAPABILITY_NAMED_IAM, or CAPABILITY_AUTO_EXPAND'
+                    items:
+                      type: string
+                    type: array
+                  disableRollback:
+                    description: Set to true to disable rollback of the stack if stack
+                      creation failed. Conflicts with on_failure.
+                    type: boolean
+                  iamRoleArn:
+                    description: The ARN of an IAM role that AWS CloudFormation assumes
+                      to create the stack. If you don't specify a value, AWS CloudFormation
+                      uses the role that was previously associated with the stack.
+                      If no role is available, AWS CloudFormation uses a temporary
+                      session that is generated from your user credentials.
+                    type: string
                   id:
                     description: A unique identifier of the stack.
                     type: string
+                  name:
+                    description: Stack name.
+                    type: string
+                  notificationArns:
+                    description: A list of SNS topic ARNs to publish stack related
+                      events.
+                    items:
+                      type: string
+                    type: array
+                  onFailure:
+                    description: 'Action to be taken if stack creation fails. This
+                      must be one of: DO_NOTHING, ROLLBACK, or DELETE. Conflicts with
+                      disable_rollback.'
+                    type: string
                   outputs:
                     additionalProperties:
                       type: string
                     description: A map of outputs from the stack.
                     type: object
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: A map of Parameter structures that specify input
+                      parameters for the stack.
+                    type: object
+                  policyBody:
+                    description: Structure containing the stack policy body. Conflicts
+                      w/ policy_url.
+                    type: string
+                  policyUrl:
+                    description: Location of a file containing the stack policy. Conflicts
+                      w/ policy_body.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -398,6 +467,18 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  templateBody:
+                    description: 'Structure containing the template body (max size:
+                      51,200 bytes).'
+                    type: string
+                  templateUrl:
+                    description: 'Location of a file containing the template body
+                      (max size: 460,800 bytes).'
+                    type: string
+                  timeoutInMinutes:
+                    description: The amount of time that can pass before the stack
+                      status becomes CREATE_FAILED.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudformation.aws.upbound.io_stacksets.yaml b/package/crds/cloudformation.aws.upbound.io_stacksets.yaml
index c21515ff52..79a319a1f9 100644
--- a/package/crds/cloudformation.aws.upbound.io_stacksets.yaml
+++ b/package/crds/cloudformation.aws.upbound.io_stacksets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -250,6 +254,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -426,15 +445,111 @@ spec:
             properties:
               atProvider:
                 properties:
+                  administrationRoleArn:
+                    description: Amazon Resource Number (ARN) of the IAM Role in the
+                      administrator account. This must be defined when using the SELF_MANAGED
+                      permission model.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of the StackSet.
                     type: string
+                  autoDeployment:
+                    description: Configuration block containing the auto-deployment
+                      model for your StackSet. This can only be defined when using
+                      the SERVICE_MANAGED permission model.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether or not auto-deployment is enabled.
+                          type: boolean
+                        retainStacksOnAccountRemoval:
+                          description: Whether or not to retain stacks when the account
+                            is removed.
+                          type: boolean
+                      type: object
+                    type: array
+                  callAs:
+                    description: 'Specifies whether you are acting as an account administrator
+                      in the organization''s management account or as a delegated
+                      administrator in a member account. Valid values: SELF (default),
+                      DELEGATED_ADMIN.'
+                    type: string
+                  capabilities:
+                    description: 'A list of capabilities. Valid values: CAPABILITY_IAM,
+                      CAPABILITY_NAMED_IAM, CAPABILITY_AUTO_EXPAND.'
+                    items:
+                      type: string
+                    type: array
+                  description:
+                    description: Description of the StackSet.
+                    type: string
+                  executionRoleName:
+                    description: Name of the IAM Role in all target accounts for StackSet
+                      operations. Defaults to AWSCloudFormationStackSetExecutionRole
+                      when using the SELF_MANAGED permission model. This should not
+                      be defined when using the SERVICE_MANAGED permission model.
+                    type: string
                   id:
                     description: Name of the StackSet.
                     type: string
+                  operationPreferences:
+                    description: Preferences for how AWS CloudFormation performs a
+                      stack set update.
+                    items:
+                      properties:
+                        failureToleranceCount:
+                          description: The number of accounts, per Region, for which
+                            this operation can fail before AWS CloudFormation stops
+                            the operation in that Region.
+                          type: number
+                        failureTolerancePercentage:
+                          description: The percentage of accounts, per Region, for
+                            which this stack operation can fail before AWS CloudFormation
+                            stops the operation in that Region.
+                          type: number
+                        maxConcurrentCount:
+                          description: The maximum number of accounts in which to
+                            perform this operation at one time.
+                          type: number
+                        maxConcurrentPercentage:
+                          description: The maximum percentage of accounts in which
+                            to perform this operation at one time.
+                          type: number
+                        regionConcurrencyType:
+                          description: The concurrency type of deploying StackSets
+                            operations in Regions, could be in parallel or one Region
+                            at a time.
+                          type: string
+                        regionOrder:
+                          description: The order of the Regions in where you want
+                            to perform the stack operation.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of input parameters for the StackSet
+                      template. All template parameters, including those with a Default,
+                      must be configured or ignored with lifecycle configuration block
+                      ignore_changes argument. All NoEcho template parameters must
+                      be ignored with the lifecycle configuration block ignore_changes
+                      argument.
+                    type: object
+                  permissionModel:
+                    description: 'Describes how the IAM roles required for your StackSet
+                      are created. Valid values: SELF_MANAGED (default), SERVICE_MANAGED.'
+                    type: string
                   stackSetId:
                     description: Unique identifier of the StackSet.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -442,6 +557,16 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  templateBody:
+                    description: 'String containing the CloudFormation template body.
+                      Maximum size: 51,200 bytes. Conflicts with template_url.'
+                    type: string
+                  templateUrl:
+                    description: 'String containing the location of a file containing
+                      the CloudFormation template body. The URL must point to a template
+                      that is located in an Amazon S3 bucket. Maximum location file
+                      size: 460,800 bytes. Conflicts with template_body.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_cachepolicies.yaml b/package/crds/cloudfront.aws.upbound.io_cachepolicies.yaml
index 66f5aaaa64..c2e3fc168f 100644
--- a/package/crds/cloudfront.aws.upbound.io_cachepolicies.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_cachepolicies.yaml
@@ -61,9 +61,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -212,10 +216,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
-                - parametersInCacheKeyAndForwardedToOrigin
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -387,17 +404,151 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: parametersInCacheKeyAndForwardedToOrigin is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parametersInCacheKeyAndForwardedToOrigin)
           status:
             description: CachePolicyStatus defines the observed state of CachePolicy.
             properties:
               atProvider:
                 properties:
+                  comment:
+                    description: A comment to describe the cache policy.
+                    type: string
+                  defaultTtl:
+                    description: The default amount of time, in seconds, that you
+                      want objects to stay in the CloudFront cache before CloudFront
+                      sends another request to the origin to see if the object has
+                      been updated.
+                    type: number
                   etag:
                     description: The current version of the cache policy.
                     type: string
                   id:
                     description: The identifier for the cache policy.
                     type: string
+                  maxTtl:
+                    description: The maximum amount of time, in seconds, that objects
+                      stay in the CloudFront cache before CloudFront sends another
+                      request to the origin to see if the object has been updated.
+                    type: number
+                  minTtl:
+                    description: The minimum amount of time, in seconds, that you
+                      want objects to stay in the CloudFront cache before CloudFront
+                      sends another request to the origin to see if the object has
+                      been updated.
+                    type: number
+                  name:
+                    description: A unique name to identify the cache policy.
+                    type: string
+                  parametersInCacheKeyAndForwardedToOrigin:
+                    description: The HTTP headers, cookies, and URL query strings
+                      to include in the cache key. See Parameters In Cache Key And
+                      Forwarded To Origin for more information.
+                    items:
+                      properties:
+                        cookiesConfig:
+                          description: Object that determines whether any cookies
+                            in viewer requests (and if so, which cookies) are included
+                            in the cache key and automatically included in requests
+                            that CloudFront sends to the origin. See Cookies Config
+                            for more information.
+                          items:
+                            properties:
+                              cookieBehavior:
+                                description: Determines whether any cookies in viewer
+                                  requests are included in the cache key and automatically
+                                  included in requests that CloudFront sends to the
+                                  origin. Valid values are none, whitelist, allExcept,
+                                  all.
+                                type: string
+                              cookies:
+                                description: Object that contains a list of cookie
+                                  names. See Items for more information.
+                                items:
+                                  properties:
+                                    items:
+                                      description: A list of item names (cookies,
+                                        headers, or query strings).
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        enableAcceptEncodingBrotli:
+                          description: A flag that can affect whether the Accept-Encoding
+                            HTTP header is included in the cache key and included
+                            in requests that CloudFront sends to the origin.
+                          type: boolean
+                        enableAcceptEncodingGzip:
+                          description: A flag that can affect whether the Accept-Encoding
+                            HTTP header is included in the cache key and included
+                            in requests that CloudFront sends to the origin.
+                          type: boolean
+                        headersConfig:
+                          description: Object that determines whether any HTTP headers
+                            (and if so, which headers) are included in the cache key
+                            and automatically included in requests that CloudFront
+                            sends to the origin. See Headers Config for more information.
+                          items:
+                            properties:
+                              headerBehavior:
+                                description: Determines whether any HTTP headers are
+                                  included in the cache key and automatically included
+                                  in requests that CloudFront sends to the origin.
+                                  Valid values are none, whitelist.
+                                type: string
+                              headers:
+                                description: Object that contains a list of header
+                                  names. See Items for more information.
+                                items:
+                                  properties:
+                                    items:
+                                      description: A list of item names (cookies,
+                                        headers, or query strings).
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        queryStringsConfig:
+                          description: Object that determines whether any URL query
+                            strings in viewer requests (and if so, which query strings)
+                            are included in the cache key and automatically included
+                            in requests that CloudFront sends to the origin. See Query
+                            String Config for more information.
+                          items:
+                            properties:
+                              queryStringBehavior:
+                                description: Determines whether any URL query strings
+                                  in viewer requests are included in the cache key
+                                  and automatically included in requests that CloudFront
+                                  sends to the origin. Valid values are none, whitelist,
+                                  allExcept, all.
+                                type: string
+                              queryStrings:
+                                description: Object that contains a list of query
+                                  string names. See Items for more information.
+                                items:
+                                  properties:
+                                    items:
+                                      description: A list of item names (cookies,
+                                        headers, or query strings).
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_distributions.yaml b/package/crds/cloudfront.aws.upbound.io_distributions.yaml
index 31904be8e9..63d2fc42f1 100644
--- a/package/crds/cloudfront.aws.upbound.io_distributions.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_distributions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1130,13 +1134,23 @@ spec:
                       permissions assigned.
                     type: string
                 required:
-                - defaultCacheBehavior
-                - enabled
-                - origin
                 - region
-                - restrictions
-                - viewerCertificate
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1308,11 +1322,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: defaultCacheBehavior is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultCacheBehavior)
+            - message: enabled is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enabled)
+            - message: origin is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.origin)
+            - message: restrictions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.restrictions)
+            - message: viewerCertificate is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.viewerCertificate)
           status:
             description: DistributionStatus defines the observed state of Distribution.
             properties:
               atProvider:
                 properties:
+                  aliases:
+                    description: Extra CNAMEs (alternate domain names), if any, for
+                      this distribution.
+                    items:
+                      type: string
+                    type: array
                   arn:
                     description: 'ARN for the distribution. For example: arn:aws:cloudfront::123456789012:distribution/EDFDVBD632BHDS5,
                       where 123456789012 is your AWS account ID.'
@@ -1321,10 +1352,227 @@ spec:
                     description: Internal value used by CloudFront to allow future
                       updates to the distribution configuration.
                     type: string
+                  comment:
+                    description: Any comments you want to include about the distribution.
+                    type: string
+                  customErrorResponse:
+                    description: One or more custom error response elements (multiples
+                      allowed).
+                    items:
+                      properties:
+                        errorCachingMinTtl:
+                          description: Minimum amount of time you want HTTP error
+                            codes to stay in CloudFront caches before CloudFront queries
+                            your origin to see whether the object has been updated.
+                          type: number
+                        errorCode:
+                          description: 4xx or 5xx HTTP status code that you want to
+                            customize.
+                          type: number
+                        responseCode:
+                          description: HTTP status code that you want CloudFront to
+                            return with the custom error page to the viewer.
+                          type: number
+                        responsePagePath:
+                          description: Path of the custom error page (for example,
+                            /custom_404.html).
+                          type: string
+                      type: object
+                    type: array
+                  defaultCacheBehavior:
+                    description: Default cache behavior for this distribution (maximum
+                      one). Requires either cache_policy_id (preferred) or forwarded_values
+                      (deprecated) be set.
+                    items:
+                      properties:
+                        allowedMethods:
+                          description: Controls which HTTP methods CloudFront processes
+                            and forwards to your Amazon S3 bucket or your custom origin.
+                          items:
+                            type: string
+                          type: array
+                        cachePolicyId:
+                          description: Unique identifier of the cache policy that
+                            is attached to the cache behavior. If configuring the
+                            default_cache_behavior either cache_policy_id or forwarded_values
+                            must be set.
+                          type: string
+                        cachedMethods:
+                          description: Controls whether CloudFront caches the response
+                            to requests using the specified HTTP methods.
+                          items:
+                            type: string
+                          type: array
+                        compress:
+                          description: 'Whether you want CloudFront to automatically
+                            compress content for web requests that include Accept-Encoding:
+                            gzip in the request header (default: false).'
+                          type: boolean
+                        defaultTtl:
+                          description: Default amount of time (in seconds) that an
+                            object is in a CloudFront cache before CloudFront forwards
+                            another request in the absence of an Cache-Control max-age
+                            or Expires header.
+                          type: number
+                        fieldLevelEncryptionId:
+                          description: Field level encryption configuration ID.
+                          type: string
+                        forwardedValues:
+                          description: The forwarded values configuration that specifies
+                            how CloudFront handles query strings, cookies and headers
+                            (maximum one).
+                          items:
+                            properties:
+                              cookies:
+                                description: The forwarded values cookies that specifies
+                                  how CloudFront handles cookies (maximum one).
+                                items:
+                                  properties:
+                                    forward:
+                                      description: Whether you want CloudFront to
+                                        forward cookies to the origin that is associated
+                                        with this cache behavior. You can specify
+                                        all, none or whitelist. If whitelist, you
+                                        must include the subsequent whitelisted_names.
+                                      type: string
+                                    whitelistedNames:
+                                      description: If you have specified whitelist
+                                        to forward, the whitelisted cookies that you
+                                        want CloudFront to forward to your origin.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              headers:
+                                description: Headers, if any, that you want CloudFront
+                                  to vary upon for this cache behavior. Specify *
+                                  to include all headers.
+                                items:
+                                  type: string
+                                type: array
+                              queryString:
+                                description: Indicates whether you want CloudFront
+                                  to forward query strings to the origin that is associated
+                                  with this cache behavior.
+                                type: boolean
+                              queryStringCacheKeys:
+                                description: When specified, along with a value of
+                                  true for query_string, all query strings are forwarded,
+                                  however only the query string keys listed in this
+                                  argument are cached. When omitted with a value of
+                                  true for query_string, all query string keys are
+                                  cached.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        functionAssociation:
+                          description: A config block that triggers a cloudfront function
+                            with specific actions (maximum 2).
+                          items:
+                            properties:
+                              eventType:
+                                description: 'Specific event to trigger this function.
+                                  Valid values: viewer-request, origin-request, viewer-response,
+                                  origin-response.'
+                                type: string
+                              functionArn:
+                                description: ARN of the CloudFront function.
+                                type: string
+                            type: object
+                          type: array
+                        lambdaFunctionAssociation:
+                          description: A config block that triggers a lambda function
+                            with specific actions (maximum 4).
+                          items:
+                            properties:
+                              eventType:
+                                description: 'Specific event to trigger this function.
+                                  Valid values: viewer-request, origin-request, viewer-response,
+                                  origin-response.'
+                                type: string
+                              includeBody:
+                                description: 'When set to true it exposes the request
+                                  body to the lambda function. Defaults to false.
+                                  Valid values: true, false.'
+                                type: boolean
+                              lambdaArn:
+                                description: ARN of the Lambda function.
+                                type: string
+                            type: object
+                          type: array
+                        maxTtl:
+                          description: Maximum amount of time (in seconds) that an
+                            object is in a CloudFront cache before CloudFront forwards
+                            another request to your origin to determine whether the
+                            object has been updated. Only effective in the presence
+                            of Cache-Control max-age, Cache-Control s-maxage, and
+                            Expires headers.
+                          type: number
+                        minTtl:
+                          description: Minimum amount of time that you want objects
+                            to stay in CloudFront caches before CloudFront queries
+                            your origin to see whether the object has been updated.
+                            Defaults to 0 seconds.
+                          type: number
+                        originRequestPolicyId:
+                          description: Unique identifier of the origin request policy
+                            that is attached to the behavior.
+                          type: string
+                        realtimeLogConfigArn:
+                          description: ARN of the real-time log configuration that
+                            is attached to this cache behavior.
+                          type: string
+                        responseHeadersPolicyId:
+                          description: Identifier for a response headers policy.
+                          type: string
+                        smoothStreaming:
+                          description: Indicates whether you want to distribute media
+                            files in Microsoft Smooth Streaming format using the origin
+                            that is associated with this cache behavior.
+                          type: boolean
+                        targetOriginId:
+                          description: Value of ID for the origin that you want CloudFront
+                            to route requests to when a request matches the path pattern
+                            either for a cache behavior or for the default cache behavior.
+                          type: string
+                        trustedKeyGroups:
+                          description: List of key group IDs that CloudFront can use
+                            to validate signed URLs or signed cookies. See the CloudFront
+                            User Guide for more information about this feature.
+                          items:
+                            type: string
+                          type: array
+                        trustedSigners:
+                          description: List of AWS account IDs (or self) that you
+                            want to allow to create signed URLs for private content.
+                            See the CloudFront User Guide for more information about
+                            this feature.
+                          items:
+                            type: string
+                          type: array
+                        viewerProtocolPolicy:
+                          description: Use this element to specify the protocol that
+                            users can use to access the files in the origin specified
+                            by TargetOriginId when a request matches the path pattern
+                            in PathPattern. One of allow-all, https-only, or redirect-to-https.
+                          type: string
+                      type: object
+                    type: array
+                  defaultRootObject:
+                    description: Object that you want CloudFront to return (for example,
+                      index.html) when an end user requests the root URL.
+                    type: string
                   domainName:
                     description: DNS domain name of either the S3 bucket, or web site
                       of your custom origin.
                     type: string
+                  enabled:
+                    description: Whether the distribution is enabled to accept end
+                      user requests for content.
+                    type: boolean
                   etag:
                     description: 'Current version of the distribution''s information.
                       For example: E2QWRUHAPOMQZL.'
@@ -1334,37 +1582,436 @@ spec:
                       an Alias Resource Record Set to. This attribute is simply an
                       alias for the zone ID Z2FDTNDATAQYW2.
                     type: string
+                  httpVersion:
+                    description: Maximum HTTP version to support on the distribution.
+                      Allowed values are http1.1, http2, http2and3 and http3. The
+                      default is http2.
+                    type: string
                   id:
                     description: 'Identifier for the distribution. For example: EDFDVBD632BHDS5.'
                     type: string
                   inProgressValidationBatches:
                     description: Number of invalidation batches currently in progress.
                     type: number
+                  isIpv6Enabled:
+                    description: Whether the IPv6 is enabled for the distribution.
+                    type: boolean
                   lastModifiedTime:
                     description: Date and time the distribution was last modified.
                     type: string
-                  status:
-                    description: Current status of the distribution. Deployed if the
-                      distribution's information is fully propagated throughout the
-                      Amazon CloudFront system.
-                    type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: Map of tags assigned to the resource, including those
-                      inherited from the provider default_tags configuration block.
-                    type: object
-                  trustedKeyGroups:
-                    description: List of key group IDs that CloudFront can use to
-                      validate signed URLs or signed cookies. See the CloudFront User
-                      Guide for more information about this feature.
+                  loggingConfig:
+                    description: The logging configuration that controls how logs
+                      are written to your distribution (maximum one).
                     items:
                       properties:
-                        enabled:
-                          description: Whether the distribution is enabled to accept
-                            end user requests for content.
-                          type: boolean
-                        items:
+                        bucket:
+                          description: Amazon S3 bucket to store the access logs in,
+                            for example, myawslogbucket.s3.amazonaws.com.
+                          type: string
+                        includeCookies:
+                          description: 'Whether to include cookies in access logs
+                            (default: false).'
+                          type: boolean
+                        prefix:
+                          description: Prefix to the access log filenames for this
+                            distribution, for example, myprefix/.
+                          type: string
+                      type: object
+                    type: array
+                  orderedCacheBehavior:
+                    description: Ordered list of cache behaviors resource for this
+                      distribution. List from top to bottom in order of precedence.
+                      The topmost cache behavior will have precedence 0.
+                    items:
+                      properties:
+                        allowedMethods:
+                          description: Controls which HTTP methods CloudFront processes
+                            and forwards to your Amazon S3 bucket or your custom origin.
+                          items:
+                            type: string
+                          type: array
+                        cachePolicyId:
+                          description: Unique identifier of the cache policy that
+                            is attached to the cache behavior. If configuring the
+                            default_cache_behavior either cache_policy_id or forwarded_values
+                            must be set.
+                          type: string
+                        cachedMethods:
+                          description: Controls whether CloudFront caches the response
+                            to requests using the specified HTTP methods.
+                          items:
+                            type: string
+                          type: array
+                        compress:
+                          description: 'Whether you want CloudFront to automatically
+                            compress content for web requests that include Accept-Encoding:
+                            gzip in the request header (default: false).'
+                          type: boolean
+                        defaultTtl:
+                          description: Default amount of time (in seconds) that an
+                            object is in a CloudFront cache before CloudFront forwards
+                            another request in the absence of an Cache-Control max-age
+                            or Expires header.
+                          type: number
+                        fieldLevelEncryptionId:
+                          description: Field level encryption configuration ID.
+                          type: string
+                        forwardedValues:
+                          description: The forwarded values configuration that specifies
+                            how CloudFront handles query strings, cookies and headers
+                            (maximum one).
+                          items:
+                            properties:
+                              cookies:
+                                description: The forwarded values cookies that specifies
+                                  how CloudFront handles cookies (maximum one).
+                                items:
+                                  properties:
+                                    forward:
+                                      description: Whether you want CloudFront to
+                                        forward cookies to the origin that is associated
+                                        with this cache behavior. You can specify
+                                        all, none or whitelist. If whitelist, you
+                                        must include the subsequent whitelisted_names.
+                                      type: string
+                                    whitelistedNames:
+                                      description: If you have specified whitelist
+                                        to forward, the whitelisted cookies that you
+                                        want CloudFront to forward to your origin.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              headers:
+                                description: Headers, if any, that you want CloudFront
+                                  to vary upon for this cache behavior. Specify *
+                                  to include all headers.
+                                items:
+                                  type: string
+                                type: array
+                              queryString:
+                                description: Indicates whether you want CloudFront
+                                  to forward query strings to the origin that is associated
+                                  with this cache behavior.
+                                type: boolean
+                              queryStringCacheKeys:
+                                description: When specified, along with a value of
+                                  true for query_string, all query strings are forwarded,
+                                  however only the query string keys listed in this
+                                  argument are cached. When omitted with a value of
+                                  true for query_string, all query string keys are
+                                  cached.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        functionAssociation:
+                          description: A config block that triggers a cloudfront function
+                            with specific actions (maximum 2).
+                          items:
+                            properties:
+                              eventType:
+                                description: 'Specific event to trigger this function.
+                                  Valid values: viewer-request, origin-request, viewer-response,
+                                  origin-response.'
+                                type: string
+                              functionArn:
+                                description: ARN of the CloudFront function.
+                                type: string
+                            type: object
+                          type: array
+                        lambdaFunctionAssociation:
+                          description: A config block that triggers a lambda function
+                            with specific actions (maximum 4).
+                          items:
+                            properties:
+                              eventType:
+                                description: 'Specific event to trigger this function.
+                                  Valid values: viewer-request, origin-request, viewer-response,
+                                  origin-response.'
+                                type: string
+                              includeBody:
+                                description: 'When set to true it exposes the request
+                                  body to the lambda function. Defaults to false.
+                                  Valid values: true, false.'
+                                type: boolean
+                              lambdaArn:
+                                description: ARN of the Lambda function.
+                                type: string
+                            type: object
+                          type: array
+                        maxTtl:
+                          description: Maximum amount of time (in seconds) that an
+                            object is in a CloudFront cache before CloudFront forwards
+                            another request to your origin to determine whether the
+                            object has been updated. Only effective in the presence
+                            of Cache-Control max-age, Cache-Control s-maxage, and
+                            Expires headers.
+                          type: number
+                        minTtl:
+                          description: Minimum amount of time that you want objects
+                            to stay in CloudFront caches before CloudFront queries
+                            your origin to see whether the object has been updated.
+                            Defaults to 0 seconds.
+                          type: number
+                        originRequestPolicyId:
+                          description: Unique identifier of the origin request policy
+                            that is attached to the behavior.
+                          type: string
+                        pathPattern:
+                          description: Pattern (for example, images/*.jpg) that specifies
+                            which requests you want this cache behavior to apply to.
+                          type: string
+                        realtimeLogConfigArn:
+                          description: ARN of the real-time log configuration that
+                            is attached to this cache behavior.
+                          type: string
+                        responseHeadersPolicyId:
+                          description: Identifier for a response headers policy.
+                          type: string
+                        smoothStreaming:
+                          description: Indicates whether you want to distribute media
+                            files in Microsoft Smooth Streaming format using the origin
+                            that is associated with this cache behavior.
+                          type: boolean
+                        targetOriginId:
+                          description: Value of ID for the origin that you want CloudFront
+                            to route requests to when a request matches the path pattern
+                            either for a cache behavior or for the default cache behavior.
+                          type: string
+                        trustedKeyGroups:
+                          description: List of key group IDs that CloudFront can use
+                            to validate signed URLs or signed cookies. See the CloudFront
+                            User Guide for more information about this feature.
+                          items:
+                            type: string
+                          type: array
+                        trustedSigners:
+                          description: List of AWS account IDs (or self) that you
+                            want to allow to create signed URLs for private content.
+                            See the CloudFront User Guide for more information about
+                            this feature.
+                          items:
+                            type: string
+                          type: array
+                        viewerProtocolPolicy:
+                          description: Use this element to specify the protocol that
+                            users can use to access the files in the origin specified
+                            by TargetOriginId when a request matches the path pattern
+                            in PathPattern. One of allow-all, https-only, or redirect-to-https.
+                          type: string
+                      type: object
+                    type: array
+                  origin:
+                    description: One or more origins for this distribution (multiples
+                      allowed).
+                    items:
+                      properties:
+                        connectionAttempts:
+                          description: Number of times that CloudFront attempts to
+                            connect to the origin. Must be between 1-3. Defaults to
+                            3.
+                          type: number
+                        connectionTimeout:
+                          description: Number of seconds that CloudFront waits when
+                            trying to establish a connection to the origin. Must be
+                            between 1-10. Defaults to 10.
+                          type: number
+                        customHeader:
+                          description: One or more sub-resources with name and value
+                            parameters that specify header data that will be sent
+                            to the origin (multiples allowed).
+                          items:
+                            properties:
+                              name:
+                                type: string
+                              value:
+                                type: string
+                            type: object
+                          type: array
+                        customOriginConfig:
+                          description: The CloudFront custom origin configuration
+                            information. If an S3 origin is required, use origin_access_control_id
+                            or s3_origin_config instead.
+                          items:
+                            properties:
+                              httpPort:
+                                description: HTTP port the custom origin listens on.
+                                type: number
+                              httpsPort:
+                                description: HTTPS port the custom origin listens
+                                  on.
+                                type: number
+                              originKeepaliveTimeout:
+                                description: The Custom KeepAlive timeout, in seconds.
+                                  By default, AWS enforces a limit of 60. But you
+                                  can request an increase.
+                                type: number
+                              originProtocolPolicy:
+                                description: Origin protocol policy to apply to your
+                                  origin. One of http-only, https-only, or match-viewer.
+                                type: string
+                              originReadTimeout:
+                                description: The Custom Read timeout, in seconds.
+                                  By default, AWS enforces a limit of 60. But you
+                                  can request an increase.
+                                type: number
+                              originSslProtocols:
+                                description: SSL/TLS protocols that you want CloudFront
+                                  to use when communicating with your origin over
+                                  HTTPS. A list of one or more of SSLv3, TLSv1, TLSv1.1,
+                                  and TLSv1.2.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        domainName:
+                          description: DNS domain name of either the S3 bucket, or
+                            web site of your custom origin.
+                          type: string
+                        originAccessControlId:
+                          description: Unique identifier of a CloudFront origin access
+                            control for this origin.
+                          type: string
+                        originId:
+                          description: Unique identifier for the origin.
+                          type: string
+                        originPath:
+                          description: Optional element that causes CloudFront to
+                            request your content from a directory in your Amazon S3
+                            bucket or your custom origin.
+                          type: string
+                        originShield:
+                          description: The CloudFront Origin Shield configuration
+                            information. Using Origin Shield can help reduce the load
+                            on your origin. For more information, see Using Origin
+                            Shield in the Amazon CloudFront Developer Guide.
+                          items:
+                            properties:
+                              enabled:
+                                description: Whether the distribution is enabled to
+                                  accept end user requests for content.
+                                type: boolean
+                              originShieldRegion:
+                                description: AWS Region for Origin Shield. To specify
+                                  a region, use the region code, not the region name.
+                                  For example, specify the US East (Ohio) region as
+                                  us-east-2.
+                                type: string
+                            type: object
+                          type: array
+                        s3OriginConfig:
+                          description: The CloudFront S3 origin configuration information.
+                            If a custom origin is required, use custom_origin_config
+                            instead.
+                          items:
+                            properties:
+                              originAccessIdentity:
+                                description: The CloudFront origin access identity
+                                  to associate with the origin.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  originGroup:
+                    description: One or more origin_group for this distribution (multiples
+                      allowed).
+                    items:
+                      properties:
+                        failoverCriteria:
+                          description: The failover criteria for when to failover
+                            to the secondary origin.
+                          items:
+                            properties:
+                              statusCodes:
+                                description: List of HTTP status codes for the origin
+                                  group.
+                                items:
+                                  type: number
+                                type: array
+                            type: object
+                          type: array
+                        member:
+                          description: Ordered member configuration blocks assigned
+                            to the origin group, where the first member is the primary
+                            origin. You must specify two members.
+                          items:
+                            properties:
+                              originId:
+                                description: Unique identifier for the origin.
+                                type: string
+                            type: object
+                          type: array
+                        originId:
+                          description: Unique identifier for the origin.
+                          type: string
+                      type: object
+                    type: array
+                  priceClass:
+                    description: Price class for this distribution. One of PriceClass_All,
+                      PriceClass_200, PriceClass_100.
+                    type: string
+                  restrictions:
+                    description: The restriction configuration for this distribution
+                      (maximum one).
+                    items:
+                      properties:
+                        geoRestriction:
+                          items:
+                            properties:
+                              locations:
+                                description: ISO 3166-1-alpha-2 codes for which you
+                                  want CloudFront either to distribute your content
+                                  (whitelist) or not distribute your content (blacklist).
+                                  If the type is specified as none an empty array
+                                  can be used.
+                                items:
+                                  type: string
+                                type: array
+                              restrictionType:
+                                description: 'Method that you want to use to restrict
+                                  distribution of your content by country: none, whitelist,
+                                  or blacklist.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  retainOnDelete:
+                    description: 'If this is set, the distribution needs to be deleted
+                      manually afterwards. Default: false.'
+                    type: boolean
+                  status:
+                    description: Current status of the distribution. Deployed if the
+                      distribution's information is fully propagated throughout the
+                      Amazon CloudFront system.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: Map of tags assigned to the resource, including those
+                      inherited from the provider default_tags configuration block.
+                    type: object
+                  trustedKeyGroups:
+                    description: List of key group IDs that CloudFront can use to
+                      validate signed URLs or signed cookies. See the CloudFront User
+                      Guide for more information about this feature.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether the distribution is enabled to accept
+                            end user requests for content.
+                          type: boolean
+                        items:
                           description: List of nested attributes for each key group.
                           items:
                             properties:
@@ -1407,6 +2054,66 @@ spec:
                           type: array
                       type: object
                     type: array
+                  viewerCertificate:
+                    description: The SSL configuration for this distribution (maximum
+                      one).
+                    items:
+                      properties:
+                        acmCertificateArn:
+                          description: ARN of the AWS Certificate Manager certificate
+                            that you wish to use with this distribution. Specify this,
+                            cloudfront_default_certificate, or iam_certificate_id.  The
+                            ACM certificate must be in  US-EAST-1.
+                          type: string
+                        cloudfrontDefaultCertificate:
+                          description: true if you want viewers to use HTTPS to request
+                            your objects and you're using the CloudFront domain name
+                            for your distribution. Specify this, acm_certificate_arn,
+                            or iam_certificate_id.
+                          type: boolean
+                        iamCertificateId:
+                          description: IAM certificate identifier of the custom viewer
+                            certificate for this distribution if you are using a custom
+                            domain. Specify this, acm_certificate_arn, or cloudfront_default_certificate.
+                          type: string
+                        minimumProtocolVersion:
+                          description: 'Minimum version of the SSL protocol that you
+                            want CloudFront to use for HTTPS connections. Can only
+                            be set if cloudfront_default_certificate = false. See
+                            all possible values in this table under "Security policy."
+                            Some examples include: TLSv1.2_2019 and TLSv1.2_2021.
+                            Default: TLSv1. NOTE: If you are using a custom certificate
+                            (specified with acm_certificate_arn or iam_certificate_id),
+                            and have specified sni-only in ssl_support_method, TLSv1
+                            or later must be specified. If you have specified vip
+                            in ssl_support_method, only SSLv3 or TLSv1 can be specified.
+                            If you have specified cloudfront_default_certificate,
+                            TLSv1 must be specified.'
+                          type: string
+                        sslSupportMethod:
+                          description: 'How you want CloudFront to serve HTTPS requests.
+                            One of vip or sni-only. Required if you specify acm_certificate_arn
+                            or iam_certificate_id. NOTE: vip causes CloudFront to
+                            use a dedicated IP address and may incur extra charges.'
+                          type: string
+                      type: object
+                    type: array
+                  waitForDeployment:
+                    description: 'If enabled, the resource will wait for the distribution
+                      status to change from InProgress to Deployed. Setting this tofalse
+                      will skip the process. Default: true.'
+                    type: boolean
+                  webAclId:
+                    description: Unique identifier that specifies the AWS WAF web
+                      ACL, if any, to associate with this distribution. To specify
+                      a web ACL created using the latest version of AWS WAF (WAFv2),
+                      use the ACL ARN, for example aws_wafv2_web_acl.example.arn.
+                      To specify a web ACL created using AWS WAF Classic, use the
+                      ACL ID, for example aws_waf_web_acl.example.id. The WAF Web
+                      ACL must exist in the WAF Global (CloudFront) region and the
+                      credentials configuring this argument must have waf:GetWebACL
+                      permissions assigned.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionconfigs.yaml b/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionconfigs.yaml
index 3da3da3a06..3bddf24ac3 100644
--- a/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionconfigs.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionconfigs.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -247,10 +251,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - contentTypeProfileConfig
-                - queryArgProfileConfig
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -422,6 +439,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: contentTypeProfileConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.contentTypeProfileConfig)
+            - message: queryArgProfileConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.queryArgProfileConfig)
           status:
             description: FieldLevelEncryptionConfigStatus defines the observed state
               of FieldLevelEncryptionConfig.
@@ -432,6 +454,53 @@ spec:
                     description: Internal value used by CloudFront to allow future
                       updates to the Field Level Encryption Config.
                     type: string
+                  comment:
+                    description: An optional comment about the Field Level Encryption
+                      Config.
+                    type: string
+                  contentTypeProfileConfig:
+                    description: Content Type Profile Config specifies when to forward
+                      content if a content type isn't recognized and profiles to use
+                      as by default in a request if a query argument doesn't specify
+                      a profile to use.
+                    items:
+                      properties:
+                        contentTypeProfiles:
+                          description: Object that contains an attribute items that
+                            contains the list of configurations for a field-level
+                            encryption content type-profile. See Content Type Profile.
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  properties:
+                                    contentType:
+                                      description: he content type for a field-level
+                                        encryption content type-profile mapping. Valid
+                                        value is application/x-www-form-urlencoded.
+                                      type: string
+                                    format:
+                                      description: The format for a field-level encryption
+                                        content type-profile mapping. Valid value
+                                        is URLEncoded.
+                                      type: string
+                                    profileId:
+                                      description: The profile ID for a field-level
+                                        encryption content type-profile mapping.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        forwardWhenContentTypeIsUnknown:
+                          description: specifies what to do when an unknown content
+                            type is provided for the profile. If true, content is
+                            forwarded without being encrypted when the content type
+                            is unknown. If false (the default), an error is returned
+                            when the content type is unknown.
+                          type: boolean
+                      type: object
+                    type: array
                   etag:
                     description: 'The current version of the Field Level Encryption
                       Config. For example: E2QWRUHAPOMQZL.'
@@ -440,6 +509,40 @@ spec:
                     description: 'The identifier for the Field Level Encryption Config.
                       For example: K3D5EWEUDCCXON.'
                     type: string
+                  queryArgProfileConfig:
+                    description: Query Arg Profile Config that specifies when to forward
+                      content if a profile isn't found and the profile that can be
+                      provided as a query argument in a request.
+                    items:
+                      properties:
+                        forwardWhenQueryArgProfileIsUnknown:
+                          description: Flag to set if you want a request to be forwarded
+                            to the origin even if the profile specified by the field-level
+                            encryption query argument, fle-profile, is unknown.
+                          type: boolean
+                        queryArgProfiles:
+                          description: Object that contains an attribute items that
+                            contains the list ofrofiles specified for query argument-profile
+                            mapping for field-level encryption. see Query Arg Profile.
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  properties:
+                                    profileId:
+                                      description: The profile ID for a field-level
+                                        encryption content type-profile mapping.
+                                      type: string
+                                    queryArg:
+                                      description: Query argument for field-level
+                                        encryption query argument-profile mapping.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionprofiles.yaml b/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionprofiles.yaml
index 4a868cee69..21407d31cd 100644
--- a/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionprofiles.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_fieldlevelencryptionprofiles.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -195,10 +199,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - encryptionEntities
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -370,6 +387,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: encryptionEntities is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encryptionEntities)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: FieldLevelEncryptionProfileStatus defines the observed state
               of FieldLevelEncryptionProfile.
@@ -380,6 +402,45 @@ spec:
                     description: Internal value used by CloudFront to allow future
                       updates to the Field Level Encryption Profile.
                     type: string
+                  comment:
+                    description: An optional comment about the Field Level Encryption
+                      Profile.
+                    type: string
+                  encryptionEntities:
+                    description: The encryption entities config block for field-level
+                      encryption profiles that contains an attribute items which includes
+                      the encryption key and field pattern specifications.
+                    items:
+                      properties:
+                        items:
+                          items:
+                            properties:
+                              fieldPatterns:
+                                description: Object that contains an attribute items
+                                  that contains the list of field patterns in a field-level
+                                  encryption content type profile specify the fields
+                                  that you want to be encrypted.
+                                items:
+                                  properties:
+                                    items:
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              providerId:
+                                description: The provider associated with the public
+                                  key being used for encryption.
+                                type: string
+                              publicKeyId:
+                                description: The public key associated with a set
+                                  of field-level encryption patterns, to be used when
+                                  encrypting the fields that match the patterns.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   etag:
                     description: 'The current version of the Field Level Encryption
                       Profile. For example: E2QWRUHAPOMQZL.'
@@ -388,6 +449,9 @@ spec:
                     description: 'The identifier for the Field Level Encryption Profile.
                       For example: K3D5EWEUDCCXON.'
                     type: string
+                  name:
+                    description: The name of the Field Level Encryption Profile.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_functions.yaml b/package/crds/cloudfront.aws.upbound.io_functions.yaml
index deb7eda363..a5441e1a9b 100644
--- a/package/crds/cloudfront.aws.upbound.io_functions.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_functions.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -99,10 +103,23 @@ spec:
                       cloudfront-js-1.0 is valid.
                     type: string
                 required:
-                - codeSecretRef
                 - region
-                - runtime
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -274,6 +291,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: codeSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.codeSecretRef)
+            - message: runtime is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.runtime)
           status:
             description: FunctionStatus defines the observed state of Function.
             properties:
@@ -283,6 +305,9 @@ spec:
                     description: Amazon Resource Name (ARN) identifying your CloudFront
                       Function.
                     type: string
+                  comment:
+                    description: Comment.
+                    type: string
                   etag:
                     description: ETag hash of the function. This is the value for
                       the DEVELOPMENT stage of the function.
@@ -292,6 +317,14 @@ spec:
                   liveStageEtag:
                     description: ETag hash of any LIVE stage of the function.
                     type: string
+                  publish:
+                    description: Whether to publish creation/change as Live CloudFront
+                      Function Version. Defaults to true.
+                    type: boolean
+                  runtime:
+                    description: Identifier of the function's runtime. Currently only
+                      cloudfront-js-1.0 is valid.
+                    type: string
                   status:
                     description: Status of the function. Can be UNPUBLISHED, UNASSOCIATED
                       or ASSOCIATED.
diff --git a/package/crds/cloudfront.aws.upbound.io_keygroups.yaml b/package/crds/cloudfront.aws.upbound.io_keygroups.yaml
index a3807e00fb..2b06568d3d 100644
--- a/package/crds/cloudfront.aws.upbound.io_keygroups.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_keygroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,9 +161,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,17 +349,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: KeyGroupStatus defines the observed state of KeyGroup.
             properties:
               atProvider:
                 properties:
+                  comment:
+                    description: A comment to describe the key group..
+                    type: string
                   etag:
                     description: The identifier for this version of the key group.
                     type: string
                   id:
                     description: The identifier for the key group.
                     type: string
+                  items:
+                    description: A list of the identifiers of the public keys in the
+                      key group.
+                    items:
+                      type: string
+                    type: array
+                  name:
+                    description: A name to identify the key group.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_monitoringsubscriptions.yaml b/package/crds/cloudfront.aws.upbound.io_monitoringsubscriptions.yaml
index c8226352a3..bee8a79b9c 100644
--- a/package/crds/cloudfront.aws.upbound.io_monitoringsubscriptions.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_monitoringsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -173,9 +177,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - monitoringSubscription
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -347,16 +365,44 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: monitoringSubscription is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.monitoringSubscription)
           status:
             description: MonitoringSubscriptionStatus defines the observed state of
               MonitoringSubscription.
             properties:
               atProvider:
                 properties:
+                  distributionId:
+                    description: The ID of the distribution that you are enabling
+                      metrics for.
+                    type: string
                   id:
                     description: The ID of the CloudFront monitoring subscription,
                       which corresponds to the distribution_id.
                     type: string
+                  monitoringSubscription:
+                    description: A monitoring subscription. This structure contains
+                      information about whether additional CloudWatch metrics are
+                      enabled for a given CloudFront distribution.
+                    items:
+                      properties:
+                        realtimeMetricsSubscriptionConfig:
+                          description: A subscription configuration for additional
+                            CloudWatch metrics. See below.
+                          items:
+                            properties:
+                              realtimeMetricsSubscriptionStatus:
+                                description: A flag that indicates whether additional
+                                  CloudWatch metrics are enabled for a given CloudFront
+                                  distribution. Valid values are Enabled and Disabled.
+                                  See below.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_originaccesscontrols.yaml b/package/crds/cloudfront.aws.upbound.io_originaccesscontrols.yaml
index d88b12a3a8..09b53de5ec 100644
--- a/package/crds/cloudfront.aws.upbound.io_originaccesscontrols.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_originaccesscontrols.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -89,12 +93,23 @@ spec:
                       requests. Valid values: sigv4.'
                     type: string
                 required:
-                - name
-                - originAccessControlOriginType
                 - region
-                - signingBehavior
-                - signingProtocol
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -266,17 +281,46 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: originAccessControlOriginType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.originAccessControlOriginType)
+            - message: signingBehavior is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.signingBehavior)
+            - message: signingProtocol is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.signingProtocol)
           status:
             description: OriginAccessControlStatus defines the observed state of OriginAccessControl.
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: The description of the Origin Access Control. It
+                      may be empty.
+                    type: string
                   etag:
                     description: The current version of this Origin Access Control.
                     type: string
                   id:
                     description: The unique identifier of this Origin Access Control.
                     type: string
+                  name:
+                    description: A name that identifies the Origin Access Control.
+                    type: string
+                  originAccessControlOriginType:
+                    description: The type of origin that this Origin Access Control
+                      is for. The only valid value is s3.
+                    type: string
+                  signingBehavior:
+                    description: 'Specifies which requests CloudFront signs. Specify
+                      always for the most common use case. Allowed values: always,
+                      never, no-override.'
+                    type: string
+                  signingProtocol:
+                    description: 'Determines how CloudFront signs (authenticates)
+                      requests. Valid values: sigv4.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_originaccessidentities.yaml b/package/crds/cloudfront.aws.upbound.io_originaccessidentities.yaml
index f8557e8b48..52dea7383e 100644
--- a/package/crds/cloudfront.aws.upbound.io_originaccessidentities.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_originaccessidentities.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -74,6 +78,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -259,6 +278,9 @@ spec:
                     description: A shortcut to the full path for the origin access
                       identity to use in CloudFront, see below.
                     type: string
+                  comment:
+                    description: An optional comment for the origin access identity.
+                    type: string
                   etag:
                     description: 'The current version of the origin access identity''s
                       information. For example: E2QWRUHAPOMQZL.'
diff --git a/package/crds/cloudfront.aws.upbound.io_originrequestpolicies.yaml b/package/crds/cloudfront.aws.upbound.io_originrequestpolicies.yaml
index 3aa1aea912..17d5f60e7d 100644
--- a/package/crds/cloudfront.aws.upbound.io_originrequestpolicies.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_originrequestpolicies.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -138,11 +142,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - cookiesConfig
-                - headersConfig
-                - queryStringsConfig
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -314,17 +330,88 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: cookiesConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cookiesConfig)
+            - message: headersConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.headersConfig)
+            - message: queryStringsConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.queryStringsConfig)
           status:
             description: OriginRequestPolicyStatus defines the observed state of OriginRequestPolicy.
             properties:
               atProvider:
                 properties:
+                  comment:
+                    description: Comment to describe the origin request policy.
+                    type: string
+                  cookiesConfig:
+                    description: Object that determines whether any cookies in viewer
+                      requests (and if so, which cookies) are included in the origin
+                      request key and automatically included in requests that CloudFront
+                      sends to the origin. See Cookies Config for more information.
+                    items:
+                      properties:
+                        cookieBehavior:
+                          type: string
+                        cookies:
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   etag:
                     description: The current version of the origin request policy.
                     type: string
+                  headersConfig:
+                    description: Object that determines whether any HTTP headers (and
+                      if so, which headers) are included in the origin request key
+                      and automatically included in requests that CloudFront sends
+                      to the origin. See Headers Config for more information.
+                    items:
+                      properties:
+                        headerBehavior:
+                          type: string
+                        headers:
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: The identifier for the origin request policy.
                     type: string
+                  queryStringsConfig:
+                    description: Object that determines whether any URL query strings
+                      in viewer requests (and if so, which query strings) are included
+                      in the origin request key and automatically included in requests
+                      that CloudFront sends to the origin. See Query String Config
+                      for more information.
+                    items:
+                      properties:
+                        queryStringBehavior:
+                          type: string
+                        queryStrings:
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_publickeys.yaml b/package/crds/cloudfront.aws.upbound.io_publickeys.yaml
index 100d1ac32e..ec5749cec1 100644
--- a/package/crds/cloudfront.aws.upbound.io_publickeys.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_publickeys.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -94,9 +98,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - encodedKeySecretRef
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -268,6 +286,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: encodedKeySecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encodedKeySecretRef)
           status:
             description: PublicKeyStatus defines the observed state of PublicKey.
             properties:
@@ -277,6 +298,9 @@ spec:
                     description: Internal value used by CloudFront to allow future
                       updates to the public key configuration.
                     type: string
+                  comment:
+                    description: An optional comment about the public key.
+                    type: string
                   etag:
                     description: 'The current version of the public key. For example:
                       E2QWRUHAPOMQZL.'
@@ -285,6 +309,9 @@ spec:
                     description: 'The identifier for the public key. For example:
                       K3D5EWEUDCCXON.'
                     type: string
+                  name:
+                    description: The name for the public key.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_realtimelogconfigs.yaml b/package/crds/cloudfront.aws.upbound.io_realtimelogconfigs.yaml
index be16866b8d..2fe2cbf42d 100644
--- a/package/crds/cloudfront.aws.upbound.io_realtimelogconfigs.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_realtimelogconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -273,12 +277,23 @@ spec:
                       1 and 100, inclusive.
                     type: number
                 required:
-                - endpoint
-                - fields
-                - name
                 - region
-                - samplingRate
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -450,6 +465,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: endpoint is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpoint)
+            - message: fields is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fields)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: samplingRate is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.samplingRate)
           status:
             description: RealtimeLogConfigStatus defines the observed state of RealtimeLogConfig.
             properties:
@@ -459,9 +483,50 @@ spec:
                     description: The ARN (Amazon Resource Name) of the CloudFront
                       real-time log configuration.
                     type: string
+                  endpoint:
+                    description: The Amazon Kinesis data streams where real-time log
+                      data is sent.
+                    items:
+                      properties:
+                        kinesisStreamConfig:
+                          description: The Amazon Kinesis data stream configuration.
+                          items:
+                            properties:
+                              roleArn:
+                                description: The ARN of an IAM role that CloudFront
+                                  can use to send real-time log data to the Kinesis
+                                  data stream. See the AWS documentation for more
+                                  information.
+                                type: string
+                              streamArn:
+                                description: The ARN of the Kinesis data stream.
+                                type: string
+                            type: object
+                          type: array
+                        streamType:
+                          description: The type of data stream where real-time log
+                            data is sent. The only valid value is Kinesis.
+                          type: string
+                      type: object
+                    type: array
+                  fields:
+                    description: The fields that are included in each real-time log
+                      record. See the AWS documentation for supported values.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The ID of the CloudFront real-time log configuration.
                     type: string
+                  name:
+                    description: The unique name to identify this real-time log configuration.
+                    type: string
+                  samplingRate:
+                    description: The sampling rate for this real-time log configuration.
+                      The sampling rate determines the percentage of viewer requests
+                      that are represented in the real-time log data. An integer between
+                      1 and 100, inclusive.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudfront.aws.upbound.io_responseheaderspolicies.yaml b/package/crds/cloudfront.aws.upbound.io_responseheaderspolicies.yaml
index 4b56d8f4b1..b7675007c0 100644
--- a/package/crds/cloudfront.aws.upbound.io_responseheaderspolicies.yaml
+++ b/package/crds/cloudfront.aws.upbound.io_responseheaderspolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -360,9 +364,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -534,15 +552,279 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ResponseHeadersPolicyStatus defines the observed state of
               ResponseHeadersPolicy.
             properties:
               atProvider:
                 properties:
+                  comment:
+                    description: A comment to describe the response headers policy.
+                      The comment cannot be longer than 128 characters.
+                    type: string
+                  corsConfig:
+                    description: A configuration for a set of HTTP response headers
+                      that are used for Cross-Origin Resource Sharing (CORS). See
+                      Cors Config for more information.
+                    items:
+                      properties:
+                        accessControlAllowCredentials:
+                          description: A Boolean value that CloudFront uses as the
+                            value for the Access-Control-Allow-Credentials HTTP response
+                            header.
+                          type: boolean
+                        accessControlAllowHeaders:
+                          description: Object that contains an attribute items that
+                            contains a list of HTTP header names that CloudFront includes
+                            as values for the Access-Control-Allow-Headers HTTP response
+                            header.
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        accessControlAllowMethods:
+                          description: 'Object that contains an attribute items that
+                            contains a list of HTTP methods that CloudFront includes
+                            as values for the Access-Control-Allow-Methods HTTP response
+                            header. Valid values: GET | POST | OPTIONS | PUT | DELETE
+                            | HEAD | ALL'
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        accessControlAllowOrigins:
+                          description: Object that contains an attribute items that
+                            contains a list of origins that CloudFront can use as
+                            the value for the Access-Control-Allow-Origin HTTP response
+                            header.
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        accessControlExposeHeaders:
+                          description: Object that contains an attribute items that
+                            contains a list of HTTP headers that CloudFront includes
+                            as values for the Access-Control-Expose-Headers HTTP response
+                            header.
+                          items:
+                            properties:
+                              items:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        accessControlMaxAgeSec:
+                          description: A number that CloudFront uses as the value
+                            for the Access-Control-Max-Age HTTP response header.
+                          type: number
+                        originOverride:
+                          description: A Boolean value that determines how CloudFront
+                            behaves for the HTTP response header.
+                          type: boolean
+                      type: object
+                    type: array
+                  customHeadersConfig:
+                    description: Object that contains an attribute items that contains
+                      a list of custom headers. See Custom Header for more information.
+                    items:
+                      properties:
+                        items:
+                          items:
+                            properties:
+                              header:
+                                description: The HTTP response header name.
+                                type: string
+                              override:
+                                description: Whether CloudFront overrides a response
+                                  header with the same name received from the origin
+                                  with the header specifies here.
+                                type: boolean
+                              value:
+                                description: The value for the HTTP response header.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  etag:
+                    description: The current version of the response headers policy.
+                    type: string
                   id:
                     description: The identifier for the response headers policy.
                     type: string
+                  name:
+                    description: A unique name to identify the response headers policy.
+                    type: string
+                  securityHeadersConfig:
+                    description: A configuration for a set of security-related HTTP
+                      response headers. See Security Headers Config for more information.
+                    items:
+                      properties:
+                        contentSecurityPolicy:
+                          description: The policy directives and their values that
+                            CloudFront includes as values for the Content-Security-Policy
+                            HTTP response header. See Content Security Policy for
+                            more information.
+                          items:
+                            properties:
+                              contentSecurityPolicy:
+                                description: The policy directives and their values
+                                  that CloudFront includes as values for the Content-Security-Policy
+                                  HTTP response header. See Content Security Policy
+                                  for more information.
+                                type: string
+                              override:
+                                description: Whether CloudFront overrides a response
+                                  header with the same name received from the origin
+                                  with the header specifies here.
+                                type: boolean
+                            type: object
+                          type: array
+                        contentTypeOptions:
+                          description: Determines whether CloudFront includes the
+                            X-Content-Type-Options HTTP response header with its value
+                            set to nosniff. See Content Type Options for more information.
+                          items:
+                            properties:
+                              override:
+                                description: Whether CloudFront overrides a response
+                                  header with the same name received from the origin
+                                  with the header specifies here.
+                                type: boolean
+                            type: object
+                          type: array
+                        frameOptions:
+                          description: Determines whether CloudFront includes the
+                            X-Frame-Options HTTP response header and the header’s
+                            value. See Frame Options for more information.
+                          items:
+                            properties:
+                              frameOption:
+                                description: 'The value of the X-Frame-Options HTTP
+                                  response header. Valid values: DENY | SAMEORIGIN'
+                                type: string
+                              override:
+                                description: Whether CloudFront overrides a response
+                                  header with the same name received from the origin
+                                  with the header specifies here.
+                                type: boolean
+                            type: object
+                          type: array
+                        referrerPolicy:
+                          description: Determines whether CloudFront includes the
+                            Referrer-Policy HTTP response header and the header’s
+                            value. See Referrer Policy for more information.
+                          items:
+                            properties:
+                              override:
+                                description: Whether CloudFront overrides a response
+                                  header with the same name received from the origin
+                                  with the header specifies here.
+                                type: boolean
+                              referrerPolicy:
+                                description: Determines whether CloudFront includes
+                                  the Referrer-Policy HTTP response header and the
+                                  header’s value. See Referrer Policy for more information.
+                                type: string
+                            type: object
+                          type: array
+                        strictTransportSecurity:
+                          description: Determines whether CloudFront includes the
+                            Strict-Transport-Security HTTP response header and the
+                            header’s value. See Strict Transport Security for more
+                            information.
+                          items:
+                            properties:
+                              accessControlMaxAgeSec:
+                                description: A number that CloudFront uses as the
+                                  value for the Access-Control-Max-Age HTTP response
+                                  header.
+                                type: number
+                              includeSubdomains:
+                                description: Whether CloudFront includes the includeSubDomains
+                                  directive in the Strict-Transport-Security HTTP
+                                  response header.
+                                type: boolean
+                              override:
+                                description: Whether CloudFront overrides a response
+                                  header with the same name received from the origin
+                                  with the header specifies here.
+                                type: boolean
+                              preload:
+                                description: Whether CloudFront includes the preload
+                                  directive in the Strict-Transport-Security HTTP
+                                  response header.
+                                type: boolean
+                            type: object
+                          type: array
+                        xssProtection:
+                          description: Determine whether CloudFront includes the X-XSS-Protection
+                            HTTP response header and the header’s value. See XSS Protection
+                            for more information.
+                          items:
+                            properties:
+                              modeBlock:
+                                description: Whether CloudFront includes the mode=block
+                                  directive in the X-XSS-Protection header.
+                                type: boolean
+                              override:
+                                description: Whether CloudFront overrides a response
+                                  header with the same name received from the origin
+                                  with the header specifies here.
+                                type: boolean
+                              protection:
+                                description: A Boolean value that determines the value
+                                  of the X-XSS-Protection HTTP response header. When
+                                  this setting is true, the value of the X-XSS-Protection
+                                  header is 1. When this setting is false, the value
+                                  of the X-XSS-Protection header is 0.
+                                type: boolean
+                              reportUri:
+                                description: A reporting URI, which CloudFront uses
+                                  as the value of the report directive in the X-XSS-Protection
+                                  header. You cannot specify a report_uri when mode_block
+                                  is true.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  serverTimingHeadersConfig:
+                    description: A configuration for enabling the Server-Timing header
+                      in HTTP responses sent from CloudFront. See Server Timing Headers
+                      Config for more information.
+                    items:
+                      properties:
+                        enabled:
+                          description: A Whether CloudFront adds the Server-Timing
+                            header to HTTP responses that it sends in response to
+                            requests that match a cache behavior that's associated
+                            with this response headers policy.
+                          type: boolean
+                        samplingRate:
+                          description: 'A number 0–100 (inclusive) that specifies
+                            the percentage of responses that you want CloudFront to
+                            add the Server-Timing header to. Valid range: Minimum
+                            value of 0.0. Maximum value of 100.0.'
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudsearch.aws.upbound.io_domains.yaml b/package/crds/cloudsearch.aws.upbound.io_domains.yaml
index 9b4e241d9f..f8079fff30 100644
--- a/package/crds/cloudsearch.aws.upbound.io_domains.yaml
+++ b/package/crds/cloudsearch.aws.upbound.io_domains.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -160,6 +164,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -347,8 +366,94 @@ spec:
                     description: An internally generated unique identifier for the
                       domain.
                     type: string
+                  endpointOptions:
+                    description: Domain endpoint options. Documented below.
+                    items:
+                      properties:
+                        enforceHttps:
+                          description: Enables or disables the requirement that all
+                            requests to the domain arrive over HTTPS.
+                          type: boolean
+                        tlsSecurityPolicy:
+                          description: The minimum required TLS version. See the AWS
+                            documentation for valid values.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  indexField:
+                    description: The index fields for documents added to the domain.
+                      Documented below.
+                    items:
+                      properties:
+                        analysisScheme:
+                          description: The analysis scheme you want to use for a text
+                            field. The analysis scheme specifies the language-specific
+                            text processing options that are used during indexing.
+                          type: string
+                        defaultValue:
+                          description: The default value for the field. This value
+                            is used when no value is specified for the field in the
+                            document data.
+                          type: string
+                        facet:
+                          description: You can get facet information by enabling this.
+                          type: boolean
+                        highlight:
+                          description: You can highlight information.
+                          type: boolean
+                        name:
+                          description: The name of the CloudSearch domain.
+                          type: string
+                        return:
+                          description: You can enable returning the value of all searchable
+                            fields.
+                          type: boolean
+                        search:
+                          description: You can set whether this index should be searchable
+                            or not.
+                          type: boolean
+                        sort:
+                          description: You can enable the property to be sortable.
+                          type: boolean
+                        sourceFields:
+                          description: A comma-separated list of source fields to
+                            map to the field. Specifying a source field copies data
+                            from one field to another, enabling you to use the same
+                            source data in different ways by configuring different
+                            options for the fields.
+                          type: string
+                        type:
+                          description: 'The field type. Valid values: date, date-array,
+                            double, double-array, int, int-array, literal, literal-array,
+                            text, text-array.'
+                          type: string
+                      type: object
+                    type: array
+                  multiAz:
+                    description: Whether or not to maintain extra instances for the
+                      domain in a second Availability Zone to ensure high availability.
+                    type: boolean
+                  scalingParameters:
+                    description: Domain scaling parameters. Documented below.
+                    items:
+                      properties:
+                        desiredInstanceType:
+                          description: The instance type that you want to preconfigure
+                            for your domain. See the AWS documentation for valid values.
+                          type: string
+                        desiredPartitionCount:
+                          description: The number of partitions you want to preconfigure
+                            for your domain. Only valid when you select search.2xlarge
+                            as the instance type.
+                          type: number
+                        desiredReplicationCount:
+                          description: The number of replicas you want to preconfigure
+                            for each index partition.
+                          type: number
+                      type: object
+                    type: array
                   searchServiceEndpoint:
                     description: The service endpoint for requesting search results
                       from a search domain.
diff --git a/package/crds/cloudsearch.aws.upbound.io_domainserviceaccesspolicies.yaml b/package/crds/cloudsearch.aws.upbound.io_domainserviceaccesspolicies.yaml
index f84e047ca8..471a07f948 100644
--- a/package/crds/cloudsearch.aws.upbound.io_domainserviceaccesspolicies.yaml
+++ b/package/crds/cloudsearch.aws.upbound.io_domainserviceaccesspolicies.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,9 +156,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - accessPolicy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,12 +344,22 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accessPolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicy)
           status:
             description: DomainServiceAccessPolicyStatus defines the observed state
               of DomainServiceAccessPolicy.
             properties:
               atProvider:
                 properties:
+                  accessPolicy:
+                    description: The access rules you want to configure. These rules
+                      replace any existing rules. See the AWS documentation for details.
+                    type: string
+                  domainName:
+                    description: The CloudSearch domain name the policy applies to.
+                    type: string
                   id:
                     type: string
                 type: object
diff --git a/package/crds/cloudtrail.aws.upbound.io_eventdatastores.yaml b/package/crds/cloudtrail.aws.upbound.io_eventdatastores.yaml
index aea52fa0df..6f2858933c 100644
--- a/package/crds/cloudtrail.aws.upbound.io_eventdatastores.yaml
+++ b/package/crds/cloudtrail.aws.upbound.io_eventdatastores.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -166,9 +170,23 @@ spec:
                       is disabled. Default: true.'
                     type: boolean
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,23 +358,123 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: EventDataStoreStatus defines the observed state of EventDataStore.
             properties:
               atProvider:
                 properties:
+                  advancedEventSelector:
+                    description: The advanced event selectors to use to select the
+                      events for the data store. For more information about how to
+                      use advanced event selectors, see Log events by using advanced
+                      event selectors in the CloudTrail User Guide.
+                    items:
+                      properties:
+                        fieldSelector:
+                          description: Specifies the selector statements in an advanced
+                            event selector. Fields documented below.
+                          items:
+                            properties:
+                              endsWith:
+                                description: A list of values that includes events
+                                  that match the last few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              equals:
+                                description: A list of values that includes events
+                                  that match the exact value of the event record field
+                                  specified as the value of field. This is the only
+                                  valid operator that you can use with the readOnly,
+                                  eventCategory, and resources.type fields.
+                                items:
+                                  type: string
+                                type: array
+                              field:
+                                description: 'Specifies a field in an event record
+                                  on which to filter events to be logged. You can
+                                  specify only the following values: readOnly, eventSource,
+                                  eventName, eventCategory, resources.type, resources.ARN.'
+                                type: string
+                              notEndsWith:
+                                description: A list of values that excludes events
+                                  that match the last few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              notEquals:
+                                description: A list of values that excludes events
+                                  that match the exact value of the event record field
+                                  specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              notStartsWith:
+                                description: A list of values that excludes events
+                                  that match the first few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              startsWith:
+                                description: A list of values that includes events
+                                  that match the first few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        name:
+                          description: The name of the event data store.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: ARN of the event data store.
                     type: string
                   id:
                     description: Name of the event data store.
                     type: string
+                  multiRegionEnabled:
+                    description: 'Specifies whether the event data store includes
+                      events from all regions, or only from the region in which the
+                      event data store is created. Default: true.'
+                    type: boolean
+                  name:
+                    description: The name of the event data store.
+                    type: string
+                  organizationEnabled:
+                    description: 'Specifies whether an event data store collects events
+                      logged for an organization in AWS Organizations. Default: false.'
+                    type: boolean
+                  retentionPeriod:
+                    description: 'The retention period of the event data store, in
+                      days. You can set a retention period of up to 2555 days, the
+                      equivalent of seven years. Default: 2555.'
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  terminationProtectionEnabled:
+                    description: 'Specifies whether termination protection is enabled
+                      for the event data store. If termination protection is enabled,
+                      you cannot delete the event data store until termination protection
+                      is disabled. Default: true.'
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudtrail.aws.upbound.io_trails.yaml b/package/crds/cloudtrail.aws.upbound.io_trails.yaml
index 39baf56d7a..1df5c1f0a5 100644
--- a/package/crds/cloudtrail.aws.upbound.io_trails.yaml
+++ b/package/crds/cloudtrail.aws.upbound.io_trails.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -483,6 +487,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -659,15 +678,199 @@ spec:
             properties:
               atProvider:
                 properties:
+                  advancedEventSelector:
+                    description: Specifies an advanced event selector for enabling
+                      data event logging. Fields documented below. Conflicts with
+                      event_selector.
+                    items:
+                      properties:
+                        fieldSelector:
+                          description: Specifies the selector statements in an advanced
+                            event selector. Fields documented below.
+                          items:
+                            properties:
+                              endsWith:
+                                description: A list of values that includes events
+                                  that match the last few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              equals:
+                                description: A list of values that includes events
+                                  that match the exact value of the event record field
+                                  specified as the value of field. This is the only
+                                  valid operator that you can use with the readOnly,
+                                  eventCategory, and resources.type fields.
+                                items:
+                                  type: string
+                                type: array
+                              field:
+                                description: 'Field in an event record on which to
+                                  filter events to be logged. You can specify only
+                                  the following values: readOnly, eventSource, eventName,
+                                  eventCategory, resources.type, resources.ARN.'
+                                type: string
+                              notEndsWith:
+                                description: A list of values that excludes events
+                                  that match the last few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              notEquals:
+                                description: A list of values that excludes events
+                                  that match the exact value of the event record field
+                                  specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              notStartsWith:
+                                description: A list of values that excludes events
+                                  that match the first few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                              startsWith:
+                                description: A list of values that includes events
+                                  that match the first few characters of the event
+                                  record field specified as the value of field.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        name:
+                          description: Name of the trail.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: ARN of the trail.
                     type: string
+                  cloudWatchLogsGroupArn:
+                    description: Log group name using an ARN that represents the log
+                      group to which CloudTrail logs will be delivered. Note that
+                      CloudTrail requires the Log Stream wildcard.
+                    type: string
+                  cloudWatchLogsRoleArn:
+                    description: Role for the CloudWatch Logs endpoint to assume to
+                      write to a user’s log group.
+                    type: string
+                  enableLogFileValidation:
+                    description: Whether log file integrity validation is enabled.
+                      Defaults to false.
+                    type: boolean
+                  enableLogging:
+                    description: Enables logging for the trail. Defaults to true.
+                      Setting this to false will pause logging.
+                    type: boolean
+                  eventSelector:
+                    description: Specifies an event selector for enabling data event
+                      logging. Fields documented below. Please note the CloudTrail
+                      limits when configuring these. Conflicts with advanced_event_selector.
+                    items:
+                      properties:
+                        dataResource:
+                          description: Configuration block for data events. See details
+                            below.
+                          items:
+                            properties:
+                              type:
+                                description: 'Resource type in which you want to log
+                                  data events. You can specify only the following
+                                  value: "AWS::S3::Object", "AWS::Lambda::Function"
+                                  and "AWS::DynamoDB::Table".'
+                                type: string
+                              values:
+                                description: List of ARN strings or partial ARN strings
+                                  to specify selectors for data audit events over
+                                  data resources. ARN list is specific to single-valued
+                                  type. For example, arn:aws:s3:::<bucket name>/ for
+                                  all objects in a bucket, arn:aws:s3:::<bucket name>/key
+                                  for specific objects, arn:aws:lambda for all lambda
+                                  events within an account, arn:aws:lambda:<region>:<account
+                                  number>:function:<function name> for a specific
+                                  Lambda function, arn:aws:dynamodb for all DDB events
+                                  for all tables within an account, or arn:aws:dynamodb:<region>:<account
+                                  number>:table/<table name> for a specific DynamoDB
+                                  table.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        excludeManagementEventSources:
+                          description: 'A set of event sources to exclude. Valid values
+                            include: kms.amazonaws.com and rdsdata.amazonaws.com.
+                            include_management_events must be set totrue to allow
+                            this.'
+                          items:
+                            type: string
+                          type: array
+                        includeManagementEvents:
+                          description: Whether to include management events for your
+                            trail. Defaults to true.
+                          type: boolean
+                        readWriteType:
+                          description: Type of events to log. Valid values are ReadOnly,
+                            WriteOnly, All. Default value is All.
+                          type: string
+                      type: object
+                    type: array
                   homeRegion:
                     description: Region in which the trail was created.
                     type: string
                   id:
                     description: Name of the trail.
                     type: string
+                  includeGlobalServiceEvents:
+                    description: Whether the trail is publishing events from global
+                      services such as IAM to the log files. Defaults to true.
+                    type: boolean
+                  insightSelector:
+                    description: Configuration block for identifying unusual operational
+                      activity. See details below.
+                    items:
+                      properties:
+                        insightType:
+                          description: 'Type of insights to log on a trail. Valid
+                            values are: ApiCallRateInsight and ApiErrorRateInsight.'
+                          type: string
+                      type: object
+                    type: array
+                  isMultiRegionTrail:
+                    description: Whether the trail is created in the current region
+                      or in all regions. Defaults to false.
+                    type: boolean
+                  isOrganizationTrail:
+                    description: Whether the trail is an AWS Organizations trail.
+                      Organization trails log events for the master account and all
+                      member accounts. Can only be created in the organization master
+                      account. Defaults to false.
+                    type: boolean
+                  kmsKeyId:
+                    description: KMS key ARN to use to encrypt the logs delivered
+                      by CloudTrail.
+                    type: string
+                  s3BucketName:
+                    description: Name of the S3 bucket designated for publishing log
+                      files.
+                    type: string
+                  s3KeyPrefix:
+                    description: S3 key prefix that follows the name of the bucket
+                      you have designated for log file delivery.
+                    type: string
+                  snsTopicName:
+                    description: Name of the Amazon SNS topic defined for notification
+                      of log file delivery.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cloudwatch.aws.upbound.io_compositealarms.yaml b/package/crds/cloudwatch.aws.upbound.io_compositealarms.yaml
index a71ec8ecf3..ab819dbadc 100644
--- a/package/crds/cloudwatch.aws.upbound.io_compositealarms.yaml
+++ b/package/crds/cloudwatch.aws.upbound.io_compositealarms.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -261,9 +265,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - alarmRule
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -435,11 +453,35 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: alarmRule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.alarmRule)
           status:
             description: CompositeAlarmStatus defines the observed state of CompositeAlarm.
             properties:
               atProvider:
                 properties:
+                  actionsEnabled:
+                    description: Indicates whether actions should be executed during
+                      any changes to the alarm state of the composite alarm. Defaults
+                      to true.
+                    type: boolean
+                  alarmActions:
+                    description: The set of actions to execute when this alarm transitions
+                      to the ALARM state from any other state. Each action is specified
+                      as an ARN. Up to 5 actions are allowed.
+                    items:
+                      type: string
+                    type: array
+                  alarmDescription:
+                    description: The description for the composite alarm.
+                    type: string
+                  alarmRule:
+                    description: An expression that specifies which other alarms are
+                      to be evaluated to determine this composite alarm's state. For
+                      syntax, see Creating a Composite Alarm. The maximum length is
+                      10240 characters.
+                    type: string
                   arn:
                     description: The ARN of the composite alarm.
                     type: string
@@ -447,6 +489,25 @@ spec:
                     description: The ID of the composite alarm resource, which is
                       equivalent to its alarm_name.
                     type: string
+                  insufficientDataActions:
+                    description: The set of actions to execute when this alarm transitions
+                      to the INSUFFICIENT_DATA state from any other state. Each action
+                      is specified as an ARN. Up to 5 actions are allowed.
+                    items:
+                      type: string
+                    type: array
+                  okActions:
+                    description: The set of actions to execute when this alarm transitions
+                      to an OK state from any other state. Each action is specified
+                      as an ARN. Up to 5 actions are allowed.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cloudwatch.aws.upbound.io_dashboards.yaml b/package/crds/cloudwatch.aws.upbound.io_dashboards.yaml
index 6917202c79..c71ee99fbb 100644
--- a/package/crds/cloudwatch.aws.upbound.io_dashboards.yaml
+++ b/package/crds/cloudwatch.aws.upbound.io_dashboards.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -74,9 +78,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - dashboardBody
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -248,6 +266,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dashboardBody is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dashboardBody)
           status:
             description: DashboardStatus defines the observed state of Dashboard.
             properties:
@@ -256,6 +277,11 @@ spec:
                   dashboardArn:
                     description: The Amazon Resource Name (ARN) of the dashboard.
                     type: string
+                  dashboardBody:
+                    description: The detailed information about the dashboard, including
+                      what widgets are included and their location on the dashboard.
+                      You can read more about the body structure in the documentation.
+                    type: string
                   id:
                     type: string
                 type: object
diff --git a/package/crds/cloudwatch.aws.upbound.io_metricalarms.yaml b/package/crds/cloudwatch.aws.upbound.io_metricalarms.yaml
index a41bee8ec1..e452906ce4 100644
--- a/package/crds/cloudwatch.aws.upbound.io_metricalarms.yaml
+++ b/package/crds/cloudwatch.aws.upbound.io_metricalarms.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -255,10 +259,23 @@ spec:
                     description: The unit for the alarm's associated metric.
                     type: string
                 required:
-                - comparisonOperator
-                - evaluationPeriods
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -430,17 +447,183 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: comparisonOperator is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.comparisonOperator)
+            - message: evaluationPeriods is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.evaluationPeriods)
           status:
             description: MetricAlarmStatus defines the observed state of MetricAlarm.
             properties:
               atProvider:
                 properties:
+                  actionsEnabled:
+                    description: Indicates whether or not actions should be executed
+                      during any changes to the alarm's state. Defaults to true.
+                    type: boolean
+                  alarmActions:
+                    description: The list of actions to execute when this alarm transitions
+                      into an ALARM state from any other state. Each action is specified
+                      as an Amazon Resource Name (ARN).
+                    items:
+                      type: string
+                    type: array
+                  alarmDescription:
+                    description: The description for the alarm.
+                    type: string
                   arn:
                     description: The ARN of the CloudWatch Metric Alarm.
                     type: string
+                  comparisonOperator:
+                    description: 'The arithmetic operation to use when comparing the
+                      specified Statistic and Threshold. The specified Statistic value
+                      is used as the first operand. Either of the following is supported:
+                      GreaterThanOrEqualToThreshold, GreaterThanThreshold, LessThanThreshold,
+                      LessThanOrEqualToThreshold. Additionally, the values  LessThanLowerOrGreaterThanUpperThreshold,
+                      LessThanLowerThreshold, and GreaterThanUpperThreshold are used
+                      only for alarms based on anomaly detection models.'
+                    type: string
+                  datapointsToAlarm:
+                    description: The number of datapoints that must be breaching to
+                      trigger the alarm.
+                    type: number
+                  dimensions:
+                    additionalProperties:
+                      type: string
+                    description: The dimensions for the alarm's associated metric.  For
+                      the list of available dimensions see the AWS documentation here.
+                    type: object
+                  evaluateLowSampleCountPercentiles:
+                    description: 'Used only for alarms based on percentiles. If you
+                      specify ignore, the alarm state will not change during periods
+                      with too few data points to be statistically significant. If
+                      you specify evaluate or omit this parameter, the alarm will
+                      always be evaluated and possibly change state no matter how
+                      many data points are available. The following values are supported:
+                      ignore, and evaluate.'
+                    type: string
+                  evaluationPeriods:
+                    description: The number of periods over which data is compared
+                      to the specified threshold.
+                    type: number
+                  extendedStatistic:
+                    description: The percentile statistic for the metric associated
+                      with the alarm. Specify a value between p0.0 and p100.
+                    type: string
                   id:
                     description: The ID of the health check.
                     type: string
+                  insufficientDataActions:
+                    description: The list of actions to execute when this alarm transitions
+                      into an INSUFFICIENT_DATA state from any other state. Each action
+                      is specified as an Amazon Resource Name (ARN).
+                    items:
+                      type: string
+                    type: array
+                  metricName:
+                    description: The name for the alarm's associated metric. See docs
+                      for supported metrics.
+                    type: string
+                  metricQuery:
+                    description: Enables you to create an alarm based on a metric
+                      math expression. You may specify at most 20.
+                    items:
+                      properties:
+                        accountId:
+                          description: The ID of the account where the metrics are
+                            located, if this is a cross-account alarm.
+                          type: string
+                        expression:
+                          description: The math expression to be performed on the
+                            returned data, if this object is performing a math expression.
+                            This expression can use the id of the other metrics to
+                            refer to those metrics, and can also use the id of other
+                            expressions to use the result of those expressions. For
+                            more information about metric math expressions, see Metric
+                            Math Syntax and Functions in the Amazon CloudWatch User
+                            Guide.
+                          type: string
+                        id:
+                          description: A short name used to tie this object to the
+                            results in the response. If you are performing math expressions
+                            on this set of data, this name represents that data and
+                            can serve as a variable in the mathematical expression.
+                            The valid characters are letters, numbers, and underscore.
+                            The first character must be a lowercase letter.
+                          type: string
+                        label:
+                          description: A human-readable label for this metric or expression.
+                            This is especially useful if this is an expression, so
+                            that you know what the value represents.
+                          type: string
+                        metric:
+                          description: The metric to be returned, along with statistics,
+                            period, and units. Use this parameter only if this object
+                            is retrieving a metric and not performing a math expression
+                            on returned data.
+                          items:
+                            properties:
+                              dimensions:
+                                additionalProperties:
+                                  type: string
+                                description: The dimensions for this metric.  For
+                                  the list of available dimensions see the AWS documentation
+                                  here.
+                                type: object
+                              metricName:
+                                description: The name for this metric. See docs for
+                                  supported metrics.
+                                type: string
+                              namespace:
+                                description: The namespace for this metric. See docs
+                                  for the list of namespaces. See docs for supported
+                                  metrics.
+                                type: string
+                              period:
+                                description: The period in seconds over which the
+                                  specified stat is applied.
+                                type: number
+                              stat:
+                                description: The statistic to apply to this metric.
+                                  See docs for supported statistics.
+                                type: string
+                              unit:
+                                description: The unit for this metric.
+                                type: string
+                            type: object
+                          type: array
+                        returnData:
+                          description: Specify exactly one metric_query to be true
+                            to use that metric_query result as the alarm.
+                          type: boolean
+                      type: object
+                    type: array
+                  namespace:
+                    description: The namespace for the alarm's associated metric.
+                      See docs for the list of namespaces. See docs for supported
+                      metrics.
+                    type: string
+                  okActions:
+                    description: The list of actions to execute when this alarm transitions
+                      into an OK state from any other state. Each action is specified
+                      as an Amazon Resource Name (ARN).
+                    items:
+                      type: string
+                    type: array
+                  period:
+                    description: The period in seconds over which the specified statistic
+                      is applied.
+                    type: number
+                  statistic:
+                    description: 'The statistic to apply to the alarm''s associated
+                      metric. Either of the following is supported: SampleCount, Average,
+                      Sum, Minimum, Maximum'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -448,6 +631,25 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  threshold:
+                    description: The value against which the specified statistic is
+                      compared. This parameter is required for alarms based on static
+                      thresholds, but should not be used for alarms based on anomaly
+                      detection models.
+                    type: number
+                  thresholdMetricId:
+                    description: If this is an alarm based on an anomaly detection
+                      model, make this value match the ID of the ANOMALY_DETECTION_BAND
+                      function.
+                    type: string
+                  treatMissingData:
+                    description: 'Sets how this alarm is to handle missing data points.
+                      The following values are supported: missing, ignore, breaching
+                      and notBreaching. Defaults to missing.'
+                    type: string
+                  unit:
+                    description: The unit for the alarm's associated metric.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatch.aws.upbound.io_metricstreams.yaml b/package/crds/cloudwatch.aws.upbound.io_metricstreams.yaml
index 455db42959..3c06163572 100644
--- a/package/crds/cloudwatch.aws.upbound.io_metricstreams.yaml
+++ b/package/crds/cloudwatch.aws.upbound.io_metricstreams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -306,10 +310,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
-                - outputFormat
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -481,6 +498,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: outputFormat is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outputFormat)
           status:
             description: MetricStreamStatus defines the observed state of MetricStream.
             properties:
@@ -493,16 +515,95 @@ spec:
                     description: Date and time in RFC3339 format that the metric stream
                       was created.
                     type: string
+                  excludeFilter:
+                    description: List of exclusive metric filters. If you specify
+                      this parameter, the stream sends metrics from all metric namespaces
+                      except for the namespaces that you specify here. Conflicts with
+                      include_filter.
+                    items:
+                      properties:
+                        namespace:
+                          description: Name of the metric namespace in the filter.
+                          type: string
+                      type: object
+                    type: array
+                  firehoseArn:
+                    description: ARN of the Amazon Kinesis Firehose delivery stream
+                      to use for this metric stream.
+                    type: string
                   id:
                     type: string
+                  includeFilter:
+                    description: List of inclusive metric filters. If you specify
+                      this parameter, the stream sends only the metrics from the metric
+                      namespaces that you specify here. Conflicts with exclude_filter.
+                    items:
+                      properties:
+                        namespace:
+                          description: Name of the metric namespace in the filter.
+                          type: string
+                      type: object
+                    type: array
                   lastUpdateDate:
                     description: Date and time in RFC3339 format that the metric stream
                       was last updated.
                     type: string
+                  name:
+                    description: Friendly name of the metric stream. Conflicts with
+                      name_prefix.
+                    type: string
+                  outputFormat:
+                    description: Output format for the stream. Possible values are
+                      json and opentelemetry0.7. For more information about output
+                      formats, see Metric streams output formats.
+                    type: string
+                  roleArn:
+                    description: ARN of the IAM role that this metric stream will
+                      use to access Amazon Kinesis Firehose resources. For more information
+                      about role permissions, see Trust between CloudWatch and Kinesis
+                      Data Firehose.
+                    type: string
                   state:
                     description: State of the metric stream. Possible values are running
                       and stopped.
                     type: string
+                  statisticsConfiguration:
+                    description: For each entry in this array, you specify one or
+                      more metrics and the list of additional statistics to stream
+                      for those metrics. The additional statistics that you can stream
+                      depend on the stream's output_format. If the OutputFormat is
+                      json, you can stream any additional statistic that is supported
+                      by CloudWatch, listed in CloudWatch statistics definitions.
+                      If the OutputFormat is opentelemetry0.7, you can stream percentile
+                      statistics (p99 etc.). See details below.
+                    items:
+                      properties:
+                        additionalStatistics:
+                          description: The additional statistics to stream for the
+                            metrics listed in include_metrics.
+                          items:
+                            type: string
+                          type: array
+                        includeMetric:
+                          description: An array that defines the metrics that are
+                            to have additional statistics streamed. See details below.
+                          items:
+                            properties:
+                              metricName:
+                                description: The name of the metric.
+                                type: string
+                              namespace:
+                                description: The namespace of the metric.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_apidestinations.yaml b/package/crds/cloudwatchevents.aws.upbound.io_apidestinations.yaml
index a98f9a3944..5b1a69e7ab 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_apidestinations.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_apidestinations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -166,10 +170,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - httpMethod
-                - invocationEndpoint
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,6 +358,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: httpMethod is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.httpMethod)
+            - message: invocationEndpoint is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.invocationEndpoint)
           status:
             description: APIDestinationStatus defines the observed state of APIDestination.
             properties:
@@ -349,8 +371,30 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the event API Destination.
                     type: string
+                  connectionArn:
+                    description: ARN of the EventBridge Connection to use for the
+                      API Destination.
+                    type: string
+                  description:
+                    description: The description of the new API Destination. Maximum
+                      of 512 characters.
+                    type: string
+                  httpMethod:
+                    description: Select the HTTP method used for the invocation endpoint,
+                      such as GET, POST, PUT, etc.
+                    type: string
                   id:
                     type: string
+                  invocationEndpoint:
+                    description: URL endpoint to invoke as a target. This could be
+                      a valid endpoint generated by a partner service. You can include
+                      "*" as path parameters wildcards to be set from the Target HttpParameters.
+                    type: string
+                  invocationRateLimitPerSecond:
+                    description: Enter the maximum number of invocations per second
+                      to allow for this destination. Enter a value greater than 0
+                      (default 300).
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_archives.yaml b/package/crds/cloudwatchevents.aws.upbound.io_archives.yaml
index 9e96c322c0..3bb3d2e9bc 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_archives.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_archives.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -162,6 +166,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,8 +360,24 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the event archive.
                     type: string
+                  description:
+                    description: The description of the new event archive.
+                    type: string
+                  eventPattern:
+                    description: Instructs the new event archive to only capture events
+                      matched by this pattern. By default, it attempts to archive
+                      every event received in the event_source_arn.
+                    type: string
+                  eventSourceArn:
+                    description: Event bus source ARN from where these events should
+                      be archived.
+                    type: string
                   id:
                     type: string
+                  retentionDays:
+                    description: The maximum number of days to retain events in the
+                      new event archive. By default, it archives indefinitely.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_buses.yaml b/package/crds/cloudwatchevents.aws.upbound.io_buses.yaml
index 255e5df547..3bfa65d8f2 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_buses.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_buses.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,6 +84,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -259,8 +278,17 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the event bus.
                     type: string
+                  eventSourceName:
+                    description: The partner event source that the new event bus will
+                      be matched with. Must match name.
+                    type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_buspolicies.yaml b/package/crds/cloudwatchevents.aws.upbound.io_buspolicies.yaml
index b72076838e..24b1c13f91 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_buspolicies.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_buspolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,9 +155,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,14 +343,24 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: BusPolicyStatus defines the observed state of BusPolicy.
             properties:
               atProvider:
                 properties:
+                  eventBusName:
+                    description: The event bus to set the permissions on. If you omit
+                      this, the permissions are set on the default event bus.
+                    type: string
                   id:
                     description: The name of the EventBridge event bus.
                     type: string
+                  policy:
+                    description: The text of the policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_connections.yaml b/package/crds/cloudwatchevents.aws.upbound.io_connections.yaml
index 8bd784f92c..e9f6a6d023 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_connections.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_connections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -445,10 +449,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - authParameters
-                - authorizationType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -620,6 +637,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authParameters is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authParameters)
+            - message: authorizationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorizationType)
           status:
             description: ConnectionStatus defines the observed state of Connection.
             properties:
@@ -628,6 +650,206 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the connection.
                     type: string
+                  authParameters:
+                    description: Parameters used for authorization. A maximum of 1
+                      are allowed. Documented below.
+                    items:
+                      properties:
+                        apiKey:
+                          description: Parameters used for API_KEY authorization.
+                            An API key to include in the header for each authentication
+                            request. A maximum of 1 are allowed. Conflicts with basic
+                            and oauth. Documented below.
+                          items:
+                            properties:
+                              key:
+                                description: Header Name.
+                                type: string
+                            type: object
+                          type: array
+                        basic:
+                          description: Parameters used for BASIC authorization. A
+                            maximum of 1 are allowed. Conflicts with api_key and oauth.
+                            Documented below.
+                          items:
+                            properties:
+                              username:
+                                description: A username for the authorization.
+                                type: string
+                            type: object
+                          type: array
+                        invocationHttpParameters:
+                          description: Invocation Http Parameters are additional credentials
+                            used to sign each Invocation of the ApiDestination created
+                            from this Connection. If the ApiDestination Rule Target
+                            has additional HttpParameters, the values will be merged
+                            together, with the Connection Invocation Http Parameters
+                            taking precedence. Secret values are stored and managed
+                            by AWS Secrets Manager. A maximum of 1 are allowed. Documented
+                            below.
+                          items:
+                            properties:
+                              body:
+                                description: 'Contains additional body string parameters
+                                  for the connection. You can include up to 100 additional
+                                  body string parameters per request. Each additional
+                                  parameter counts towards the event payload size,
+                                  which cannot exceed 64 KB. Each parameter can contain
+                                  the following:'
+                                items:
+                                  properties:
+                                    isValueSecret:
+                                      description: Specified whether the value is
+                                        secret.
+                                      type: boolean
+                                    key:
+                                      description: Header Name.
+                                      type: string
+                                  type: object
+                                type: array
+                              header:
+                                description: 'Contains additional header parameters
+                                  for the connection. You can include up to 100 additional
+                                  body string parameters per request. Each additional
+                                  parameter counts towards the event payload size,
+                                  which cannot exceed 64 KB. Each parameter can contain
+                                  the following:'
+                                items:
+                                  properties:
+                                    isValueSecret:
+                                      description: Specified whether the value is
+                                        secret.
+                                      type: boolean
+                                    key:
+                                      description: Header Name.
+                                      type: string
+                                  type: object
+                                type: array
+                              queryString:
+                                description: 'Contains additional query string parameters
+                                  for the connection. You can include up to 100 additional
+                                  body string parameters per request. Each additional
+                                  parameter counts towards the event payload size,
+                                  which cannot exceed 64 KB. Each parameter can contain
+                                  the following:'
+                                items:
+                                  properties:
+                                    isValueSecret:
+                                      description: Specified whether the value is
+                                        secret.
+                                      type: boolean
+                                    key:
+                                      description: Header Name.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        oauth:
+                          description: Parameters used for OAUTH_CLIENT_CREDENTIALS
+                            authorization. A maximum of 1 are allowed. Conflicts with
+                            basic and api_key. Documented below.
+                          items:
+                            properties:
+                              authorizationEndpoint:
+                                description: The URL to the authorization endpoint.
+                                type: string
+                              clientParameters:
+                                description: Contains the client parameters for OAuth
+                                  authorization. Contains the following two parameters.
+                                items:
+                                  properties:
+                                    clientId:
+                                      description: The client ID for the credentials
+                                        to use for authorization. Created and stored
+                                        in AWS Secrets Manager.
+                                      type: string
+                                  type: object
+                                type: array
+                              httpMethod:
+                                description: A password for the authorization. Created
+                                  and stored in AWS Secrets Manager.
+                                type: string
+                              oauthHttpParameters:
+                                description: OAuth Http Parameters are additional
+                                  credentials used to sign the request to the authorization
+                                  endpoint to exchange the OAuth Client information
+                                  for an access token. Secret values are stored and
+                                  managed by AWS Secrets Manager. A maximum of 1 are
+                                  allowed. Documented below.
+                                items:
+                                  properties:
+                                    body:
+                                      description: 'Contains additional body string
+                                        parameters for the connection. You can include
+                                        up to 100 additional body string parameters
+                                        per request. Each additional parameter counts
+                                        towards the event payload size, which cannot
+                                        exceed 64 KB. Each parameter can contain the
+                                        following:'
+                                      items:
+                                        properties:
+                                          isValueSecret:
+                                            description: Specified whether the value
+                                              is secret.
+                                            type: boolean
+                                          key:
+                                            description: Header Name.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    header:
+                                      description: 'Contains additional header parameters
+                                        for the connection. You can include up to
+                                        100 additional body string parameters per
+                                        request. Each additional parameter counts
+                                        towards the event payload size, which cannot
+                                        exceed 64 KB. Each parameter can contain the
+                                        following:'
+                                      items:
+                                        properties:
+                                          isValueSecret:
+                                            description: Specified whether the value
+                                              is secret.
+                                            type: boolean
+                                          key:
+                                            description: Header Name.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    queryString:
+                                      description: 'Contains additional query string
+                                        parameters for the connection. You can include
+                                        up to 100 additional body string parameters
+                                        per request. Each additional parameter counts
+                                        towards the event payload size, which cannot
+                                        exceed 64 KB. Each parameter can contain the
+                                        following:'
+                                      items:
+                                        properties:
+                                          isValueSecret:
+                                            description: Specified whether the value
+                                              is secret.
+                                            type: boolean
+                                          key:
+                                            description: Header Name.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  authorizationType:
+                    description: Choose the type of authorization to use for the connection.
+                      One of API_KEY,BASIC,OAUTH_CLIENT_CREDENTIALS.
+                    type: string
+                  description:
+                    description: Enter a description for the connection. Maximum of
+                      512 characters.
+                    type: string
                   id:
                     type: string
                   secretArn:
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_permissions.yaml b/package/crds/cloudwatchevents.aws.upbound.io_permissions.yaml
index dc7c16993f..eb1018cc19 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_permissions.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_permissions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -259,10 +263,23 @@ spec:
                       you are granting permissions to.
                     type: string
                 required:
-                - principal
                 - region
-                - statementId
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -434,14 +451,54 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: principal is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)
+            - message: statementId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statementId)
           status:
             description: PermissionStatus defines the observed state of Permission.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: The action that you are enabling the other account
+                      to perform. Defaults to events:PutEvents.
+                    type: string
+                  condition:
+                    description: Configuration block to limit the event bus permissions
+                      you are granting to only accounts that fulfill the condition.
+                      Specified below.
+                    items:
+                      properties:
+                        key:
+                          description: 'Key for the condition. Valid values: aws:PrincipalOrgID.'
+                          type: string
+                        type:
+                          description: 'Type of condition. Value values: StringEquals.'
+                          type: string
+                        value:
+                          description: Value for the key.
+                          type: string
+                      type: object
+                    type: array
+                  eventBusName:
+                    description: The event bus to set the permissions on. If you omit
+                      this, the permissions are set on the default event bus.
+                    type: string
                   id:
                     description: The statement ID of the EventBridge permission.
                     type: string
+                  principal:
+                    description: The 12-digit AWS account ID that you are permitting
+                      to put events to your default event bus. Specify * to permit
+                      any account to put events to your default event bus, optionally
+                      limited by condition.
+                    type: string
+                  statementId:
+                    description: An identifier string for the external account that
+                      you are granting permissions to.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_rules.yaml b/package/crds/cloudwatchevents.aws.upbound.io_rules.yaml
index 710e431f94..692810aa92 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_rules.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_rules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -249,6 +253,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -428,9 +447,41 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the rule.
                     type: string
+                  description:
+                    description: The description of the rule.
+                    type: string
+                  eventBusName:
+                    description: The event bus to associate with this rule. If you
+                      omit this, the default event bus is used.
+                    type: string
+                  eventPattern:
+                    description: The event pattern described a JSON object. At least
+                      one of schedule_expression or event_pattern is required. See
+                      full documentation of Events and Event Patterns in EventBridge
+                      for details.
+                    type: string
                   id:
                     description: The name of the rule.
                     type: string
+                  isEnabled:
+                    description: Whether the rule should be enabled (defaults to true).
+                    type: boolean
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) associated with the
+                      role that is used for target invocation.
+                    type: string
+                  scheduleExpression:
+                    description: The scheduling expression. For example, cron(0 20
+                      * * ? *) or rate(5 minutes). At least one of schedule_expression
+                      or event_pattern is required. Can only be used on the default
+                      event bus. For more information, refer to the AWS documentation
+                      Schedule Expressions for Rules.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cloudwatchevents.aws.upbound.io_targets.yaml b/package/crds/cloudwatchevents.aws.upbound.io_targets.yaml
index 0fb071fe10..fd95a11868 100644
--- a/package/crds/cloudwatchevents.aws.upbound.io_targets.yaml
+++ b/package/crds/cloudwatchevents.aws.upbound.io_targets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -709,9 +713,23 @@ spec:
                       generate a random, unique id.
                     type: string
                 required:
-                - arn
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -883,13 +901,341 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: arn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.arn)
           status:
             description: TargetStatus defines the observed state of Target.
             properties:
               atProvider:
                 properties:
+                  arn:
+                    description: The Amazon Resource Name (ARN) of the target.
+                    type: string
+                  batchTarget:
+                    description: Parameters used when you are using the rule to invoke
+                      an Amazon Batch Job. Documented below. A maximum of 1 are allowed.
+                    items:
+                      properties:
+                        arraySize:
+                          description: The size of the array, if this is an array
+                            batch job. Valid values are integers between 2 and 10,000.
+                          type: number
+                        jobAttempts:
+                          description: The number of times to attempt to retry, if
+                            the job fails. Valid values are 1 to 10.
+                          type: number
+                        jobDefinition:
+                          description: The ARN or name of the job definition to use
+                            if the event target is an AWS Batch job. This job definition
+                            must already exist.
+                          type: string
+                        jobName:
+                          description: The name to use for this execution of the job,
+                            if the target is an AWS Batch job.
+                          type: string
+                      type: object
+                    type: array
+                  deadLetterConfig:
+                    description: Parameters used when you are providing a dead letter
+                      config. Documented below. A maximum of 1 are allowed.
+                    items:
+                      properties:
+                        arn:
+                          description: '- ARN of the SQS queue specified as the target
+                            for the dead-letter queue.'
+                          type: string
+                      type: object
+                    type: array
+                  ecsTarget:
+                    description: Parameters used when you are using the rule to invoke
+                      Amazon ECS Task. Documented below. A maximum of 1 are allowed.
+                    items:
+                      properties:
+                        capacityProviderStrategy:
+                          description: The capacity provider strategy to use for the
+                            task. If a capacity_provider_strategy specified, the launch_type
+                            parameter must be omitted. If no capacity_provider_strategy
+                            or launch_type is specified, the default capacity provider
+                            strategy for the cluster is used. Can be one or more.
+                            See below.
+                          items:
+                            properties:
+                              base:
+                                description: The base value designates how many tasks,
+                                  at a minimum, to run on the specified capacity provider.
+                                  Only one capacity provider in a capacity provider
+                                  strategy can have a base defined. Defaults to 0.
+                                type: number
+                              capacityProvider:
+                                description: Short name of the capacity provider.
+                                type: string
+                              weight:
+                                description: The weight value designates the relative
+                                  percentage of the total number of tasks launched
+                                  that should use the specified capacity provider.
+                                  The weight value is taken into consideration after
+                                  the base value, if defined, is satisfied.
+                                type: number
+                            type: object
+                          type: array
+                        enableEcsManagedTags:
+                          description: Specifies whether to enable Amazon ECS managed
+                            tags for the task.
+                          type: boolean
+                        enableExecuteCommand:
+                          description: Whether or not to enable the execute command
+                            functionality for the containers in this task. If true,
+                            this enables execute command functionality on all containers
+                            in the task.
+                          type: boolean
+                        group:
+                          description: Specifies an ECS task group for the task. The
+                            maximum length is 255 characters.
+                          type: string
+                        launchType:
+                          description: 'Specifies the launch type on which your task
+                            is running. The launch type that you specify here must
+                            match one of the launch type (compatibilities) of the
+                            target task. Valid values include: EC2, EXTERNAL, or FARGATE.'
+                          type: string
+                        networkConfiguration:
+                          description: Use this if the ECS task uses the awsvpc network
+                            mode. This specifies the VPC subnets and security groups
+                            associated with the task, and whether a public IP address
+                            is to be used. Required if launch_type is FARGATE because
+                            the awsvpc mode is required for Fargate tasks.
+                          items:
+                            properties:
+                              assignPublicIp:
+                                description: Assign a public IP address to the ENI
+                                  (Fargate launch type only). Valid values are true
+                                  or false. Defaults to false.
+                                type: boolean
+                              securityGroups:
+                                description: The security groups associated with the
+                                  task or service. If you do not specify a security
+                                  group, the default security group for the VPC is
+                                  used.
+                                items:
+                                  type: string
+                                type: array
+                              subnets:
+                                description: The subnets associated with the task
+                                  or service.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        placementConstraint:
+                          description: An array of placement constraint objects to
+                            use for the task. You can specify up to 10 constraints
+                            per task (including constraints in the task definition
+                            and those specified at runtime). See Below.
+                          items:
+                            properties:
+                              expression:
+                                description: Cluster Query Language expression to
+                                  apply to the constraint. Does not need to be specified
+                                  for the distinctInstance type. For more information,
+                                  see Cluster Query Language in the Amazon EC2 Container
+                                  Service Developer Guide.
+                                type: string
+                              type:
+                                description: Type of constraint. The only valid values
+                                  at this time are memberOf and distinctInstance.
+                                type: string
+                            type: object
+                          type: array
+                        platformVersion:
+                          description: Specifies the platform version for the task.
+                            Specify only the numeric portion of the platform version,
+                            such as 1.1.0. This is used only if LaunchType is FARGATE.
+                            For more information about valid platform versions, see
+                            AWS Fargate Platform Versions.
+                          type: string
+                        propagateTags:
+                          description: 'Specifies whether to propagate the tags from
+                            the task definition to the task. If no value is specified,
+                            the tags are not propagated. Tags can only be propagated
+                            to the task during task creation. The only valid value
+                            is: TASK_DEFINITION.'
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: A map of tags to assign to ecs resources.
+                          type: object
+                        taskCount:
+                          description: The number of tasks to create based on the
+                            TaskDefinition. Defaults to 1.
+                          type: number
+                        taskDefinitionArn:
+                          description: The ARN of the task definition to use if the
+                            event target is an Amazon ECS cluster.
+                          type: string
+                      type: object
+                    type: array
+                  eventBusName:
+                    description: The event bus to associate with the rule. If you
+                      omit this, the default event bus is used.
+                    type: string
+                  httpTarget:
+                    description: Parameters used when you are using the rule to invoke
+                      an API Gateway REST endpoint. Documented below. A maximum of
+                      1 is allowed.
+                    items:
+                      properties:
+                        headerParameters:
+                          additionalProperties:
+                            type: string
+                          description: Enables you to specify HTTP headers to add
+                            to the request.
+                          type: object
+                        pathParameterValues:
+                          description: The list of values that correspond sequentially
+                            to any path variables in your endpoint ARN (for example
+                            arn:aws:execute-api:us-east-1:123456:myapi/*/POST/pets/*).
+                          items:
+                            type: string
+                          type: array
+                        queryStringParameters:
+                          additionalProperties:
+                            type: string
+                          description: Represents keys/values of query string parameters
+                            that are appended to the invoked endpoint.
+                          type: object
+                      type: object
+                    type: array
                   id:
                     type: string
+                  input:
+                    description: Valid JSON text passed to the target. Conflicts with
+                      input_path and input_transformer.
+                    type: string
+                  inputPath:
+                    description: The value of the JSONPath that is used for extracting
+                      part of the matched event when passing it to the target. Conflicts
+                      with input and input_transformer.
+                    type: string
+                  inputTransformer:
+                    description: Parameters used when you are providing a custom input
+                      to a target based on certain event data. Conflicts with input
+                      and input_path.
+                    items:
+                      properties:
+                        inputPaths:
+                          additionalProperties:
+                            type: string
+                          description: Key value pairs specified in the form of JSONPath
+                            (for example, time = $.time)
+                          type: object
+                        inputTemplate:
+                          description: Template to customize data sent to the target.
+                            Must be valid JSON. To send a string value, the string
+                            value must include double quotes.g., "\"Your string goes
+                            here.\\nA new line.\""
+                          type: string
+                      type: object
+                    type: array
+                  kinesisTarget:
+                    description: Parameters used when you are using the rule to invoke
+                      an Amazon Kinesis Stream. Documented below. A maximum of 1 are
+                      allowed.
+                    items:
+                      properties:
+                        partitionKeyPath:
+                          description: The JSON path to be extracted from the event
+                            and used as the partition key.
+                          type: string
+                      type: object
+                    type: array
+                  redshiftTarget:
+                    description: Parameters used when you are using the rule to invoke
+                      an Amazon Redshift Statement. Documented below. A maximum of
+                      1 are allowed.
+                    items:
+                      properties:
+                        database:
+                          description: The name of the database.
+                          type: string
+                        dbUser:
+                          description: The database user name.
+                          type: string
+                        secretsManagerArn:
+                          description: The name or ARN of the secret that enables
+                            access to the database.
+                          type: string
+                        sql:
+                          description: The SQL statement text to run.
+                          type: string
+                        statementName:
+                          description: The name of the SQL statement.
+                          type: string
+                        withEvent:
+                          description: Indicates whether to send an event back to
+                            EventBridge after the SQL statement runs.
+                          type: boolean
+                      type: object
+                    type: array
+                  retryPolicy:
+                    description: Parameters used when you are providing retry policies.
+                      Documented below. A maximum of 1 are allowed.
+                    items:
+                      properties:
+                        maximumEventAgeInSeconds:
+                          description: The age in seconds to continue to make retry
+                            attempts.
+                          type: number
+                        maximumRetryAttempts:
+                          description: maximum number of retry attempts to make before
+                            the request fails
+                          type: number
+                      type: object
+                    type: array
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of the IAM role to
+                      be used for this target when the rule is triggered. Required
+                      if ecs_target is used or target in arn is EC2 instance, Kinesis
+                      data stream, Step Functions state machine, or Event Bus in different
+                      account or region.
+                    type: string
+                  rule:
+                    description: The name of the rule you want to add targets to.
+                    type: string
+                  runCommandTargets:
+                    description: Parameters used when you are using the rule to invoke
+                      Amazon EC2 Run Command. Documented below. A maximum of 5 are
+                      allowed.
+                    items:
+                      properties:
+                        key:
+                          description: Can be either tag:tag-key or InstanceIds.
+                          type: string
+                        values:
+                          description: If Key is tag:tag-key, Values is a list of
+                            tag values. If Key is InstanceIds, Values is a list of
+                            Amazon EC2 instance IDs.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  sqsTarget:
+                    description: Parameters used when you are using the rule to invoke
+                      an Amazon SQS Queue. Documented below. A maximum of 1 are allowed.
+                    items:
+                      properties:
+                        messageGroupId:
+                          description: The FIFO message group ID to use as the target.
+                          type: string
+                      type: object
+                    type: array
+                  targetId:
+                    description: The unique target assignment ID. If missing, will
+                      generate a random, unique id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_definitions.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_definitions.yaml
index 4314f2c87c..fe788d76f9 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_definitions.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_definitions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,10 +85,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
-                - queryString
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +273,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: queryString is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.queryString)
           status:
             description: DefinitionStatus defines the observed state of Definition.
             properties:
@@ -263,9 +285,21 @@ spec:
                 properties:
                   id:
                     type: string
+                  logGroupNames:
+                    description: Specific log groups to use with the query.
+                    items:
+                      type: string
+                    type: array
+                  name:
+                    description: The name of the query.
+                    type: string
                   queryDefinitionId:
                     description: The query definition ID.
                     type: string
+                  queryString:
+                    description: The query to save. You can read more about CloudWatch
+                      Logs Query Syntax in the documentation.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_destinationpolicies.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_destinationpolicies.yaml
index 6f3a667efc..c7ce94a601 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_destinationpolicies.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_destinationpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -77,9 +81,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - accessPolicy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -251,11 +269,22 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accessPolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicy)
           status:
             description: DestinationPolicyStatus defines the observed state of DestinationPolicy.
             properties:
               atProvider:
                 properties:
+                  accessPolicy:
+                    description: The policy document. This is a JSON formatted string.
+                    type: string
+                  forceUpdate:
+                    description: Specify true if you are updating an existing destination
+                      policy to grant permission to an organization ID instead of
+                      granting permission to individual AWS accounts.
+                    type: boolean
                   id:
                     type: string
                 type: object
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_destinations.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_destinations.yaml
index 1adbd3fe99..7a228f2c63 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_destinations.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_destinations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -230,6 +234,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -412,6 +431,15 @@ spec:
                     type: string
                   id:
                     type: string
+                  roleArn:
+                    description: The ARN of an IAM role that grants Amazon CloudWatch
+                      Logs permissions to put data into the target.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -419,6 +447,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetArn:
+                    description: The ARN of the target Amazon Kinesis stream resource
+                      for the destination.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_groups.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_groups.yaml
index 04f0247021..869129e60b 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_groups.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_groups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,6 +171,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -352,6 +371,29 @@ spec:
                     type: string
                   id:
                     type: string
+                  kmsKeyId:
+                    description: The ARN of the KMS Key to use when encrypting log
+                      data. Please note, after the AWS KMS CMK is disassociated from
+                      the log group, AWS CloudWatch Logs stops encrypting newly ingested
+                      data for the log group. All previously ingested data remains
+                      encrypted, and AWS CloudWatch Logs requires permissions for
+                      the CMK whenever the encrypted data is requested.
+                    type: string
+                  retentionInDays:
+                    description: 'Specifies the number of days you want to retain
+                      log events in the specified log group.  Possible values are:
+                      1, 3, 5, 7, 14, 30, 60, 90, 120, 150, 180, 365, 400, 545, 731,
+                      1096, 1827, 2192, 2557, 2922, 3288, 3653, and 0. If you select
+                      0, the events in the log group are always retained and never
+                      expire.'
+                    type: number
+                  skipDestroy:
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_metricfilters.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_metricfilters.yaml
index cb10f11d55..30186b9ec7 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_metricfilters.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_metricfilters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -194,10 +198,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - metricTransformation
-                - pattern
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -369,6 +386,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: metricTransformation is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricTransformation)
+            - message: pattern is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pattern)
           status:
             description: MetricFilterStatus defines the observed state of MetricFilter.
             properties:
@@ -377,6 +399,52 @@ spec:
                   id:
                     description: The name of the metric filter.
                     type: string
+                  logGroupName:
+                    description: The name of the log group to associate the metric
+                      filter with.
+                    type: string
+                  metricTransformation:
+                    description: A block defining collection of information needed
+                      to define how metric data gets emitted. See below.
+                    items:
+                      properties:
+                        defaultValue:
+                          description: The value to emit when a filter pattern does
+                            not match a log event. Conflicts with dimensions.
+                          type: string
+                        dimensions:
+                          additionalProperties:
+                            type: string
+                          description: Map of fields to use as dimensions for the
+                            metric. Up to 3 dimensions are allowed. Conflicts with
+                            default_value.
+                          type: object
+                        name:
+                          description: The name of the CloudWatch metric to which
+                            the monitored log information should be published (e.g.,
+                            ErrorCount)
+                          type: string
+                        namespace:
+                          description: The destination namespace of the CloudWatch
+                            metric.
+                          type: string
+                        unit:
+                          description: The unit to assign to the metric. If you omit
+                            this, the unit is set as None.
+                          type: string
+                        value:
+                          description: What to publish to the metric. For example,
+                            if you're counting the occurrences of a particular term
+                            like "Error", the value will be "1" for each occurrence.
+                            If you're counting the bytes transferred the published
+                            value will be the value in the log event.
+                          type: string
+                      type: object
+                    type: array
+                  pattern:
+                    description: A valid CloudWatch Logs filter pattern for extracting
+                      metric data out of ingested log events.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_resourcepolicies.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_resourcepolicies.yaml
index b0aff6b3fb..f1e9bf6708 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_resourcepolicies.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_resourcepolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -74,9 +78,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policyDocument
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -248,6 +266,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policyDocument is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyDocument)
           status:
             description: ResourcePolicyStatus defines the observed state of ResourcePolicy.
             properties:
@@ -256,6 +277,11 @@ spec:
                   id:
                     description: The name of the CloudWatch log resource policy
                     type: string
+                  policyDocument:
+                    description: Details of the resource policy, including the identity
+                      of the principal that is enabled to put logs to this account.
+                      This is formatted as a JSON string. Maximum length of 5120 characters.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_streams.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_streams.yaml
index 27a5ee503f..78bbd4ccbc 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_streams.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_streams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,9 +156,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,6 +344,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: StreamStatus defines the observed state of Stream.
             properties:
@@ -337,6 +358,14 @@ spec:
                     type: string
                   id:
                     type: string
+                  logGroupName:
+                    description: The name of the log group under which the log stream
+                      is to be created.
+                    type: string
+                  name:
+                    description: 'The name of the log stream. Must not be longer than
+                      512 characters and must not contain :'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cloudwatchlogs.aws.upbound.io_subscriptionfilters.yaml b/package/crds/cloudwatchlogs.aws.upbound.io_subscriptionfilters.yaml
index b6d5cdbab6..8157fa684d 100644
--- a/package/crds/cloudwatchlogs.aws.upbound.io_subscriptionfilters.yaml
+++ b/package/crds/cloudwatchlogs.aws.upbound.io_subscriptionfilters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -246,11 +250,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - filterPattern
-                - logGroupName
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -422,13 +438,51 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: filterPattern is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filterPattern)
+            - message: logGroupName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.logGroupName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: SubscriptionFilterStatus defines the observed state of SubscriptionFilter.
             properties:
               atProvider:
                 properties:
+                  destinationArn:
+                    description: The ARN of the destination to deliver matching log
+                      events to. Kinesis stream or Lambda function ARN.
+                    type: string
+                  distribution:
+                    description: The method used to distribute log data to the destination.
+                      By default log data is grouped by log stream, but the grouping
+                      can be set to random for a more even distribution. This property
+                      is only applicable when the destination is an Amazon Kinesis
+                      stream. Valid values are "Random" and "ByLogStream".
+                    type: string
+                  filterPattern:
+                    description: A valid CloudWatch Logs filter pattern for subscribing
+                      to a filtered stream of log events. Use empty string "" to match
+                      everything. For more information, see the Amazon CloudWatch
+                      Logs User Guide.
+                    type: string
                   id:
                     type: string
+                  logGroupName:
+                    description: The name of the log group to associate the subscription
+                      filter with
+                    type: string
+                  name:
+                    description: A name for the subscription filter
+                    type: string
+                  roleArn:
+                    description: The ARN of an IAM role that grants Amazon CloudWatch
+                      Logs permissions to deliver ingested log events to the destination.
+                      If you use Lambda as a destination, you should skip this argument
+                      and use aws_lambda_permission resource for granting access from
+                      CloudWatch logs to the destination Lambda function.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/codecommit.aws.upbound.io_approvalruletemplateassociations.yaml b/package/crds/codecommit.aws.upbound.io_approvalruletemplateassociations.yaml
index eed4579463..2dd4fe02b9 100644
--- a/package/crds/codecommit.aws.upbound.io_approvalruletemplateassociations.yaml
+++ b/package/crds/codecommit.aws.upbound.io_approvalruletemplateassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -229,6 +233,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -406,10 +425,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  approvalRuleTemplateName:
+                    description: The name for the approval rule template.
+                    type: string
                   id:
                     description: The name of the approval rule template and name of
                       the repository, separated by a comma (,).
                     type: string
+                  repositoryName:
+                    description: The name of the repository that you want to associate
+                      with the template.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/codecommit.aws.upbound.io_approvalruletemplates.yaml b/package/crds/codecommit.aws.upbound.io_approvalruletemplates.yaml
index d473dc23a4..0d68dcd18d 100644
--- a/package/crds/codecommit.aws.upbound.io_approvalruletemplates.yaml
+++ b/package/crds/codecommit.aws.upbound.io_approvalruletemplates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -77,9 +81,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - content
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -251,6 +269,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: content is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)
           status:
             description: ApprovalRuleTemplateStatus defines the observed state of
               ApprovalRuleTemplate.
@@ -260,10 +281,18 @@ spec:
                   approvalRuleTemplateId:
                     description: The ID of the approval rule template
                     type: string
+                  content:
+                    description: The content of the approval rule template. Maximum
+                      of 3000 characters.
+                    type: string
                   creationDate:
                     description: The date the approval rule template was created,
                       in RFC3339 format.
                     type: string
+                  description:
+                    description: The description of the approval rule template. Maximum
+                      of 1000 characters.
+                    type: string
                   id:
                     type: string
                   lastModifiedDate:
diff --git a/package/crds/codecommit.aws.upbound.io_repositories.yaml b/package/crds/codecommit.aws.upbound.io_repositories.yaml
index 0b6a26ca08..b7f57a0ce8 100644
--- a/package/crds/codecommit.aws.upbound.io_repositories.yaml
+++ b/package/crds/codecommit.aws.upbound.io_repositories.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -84,6 +88,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -269,11 +288,24 @@ spec:
                   cloneUrlSsh:
                     description: The URL to use for cloning the repository over SSH.
                     type: string
+                  defaultBranch:
+                    description: The default branch of the repository. The branch
+                      specified here needs to exist.
+                    type: string
+                  description:
+                    description: The description of the repository. This needs to
+                      be less than 1000 characters
+                    type: string
                   id:
                     type: string
                   repositoryId:
                     description: The ID of the repository
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/codecommit.aws.upbound.io_triggers.yaml b/package/crds/codecommit.aws.upbound.io_triggers.yaml
index 46e642ec33..0e06747dcb 100644
--- a/package/crds/codecommit.aws.upbound.io_triggers.yaml
+++ b/package/crds/codecommit.aws.upbound.io_triggers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -263,8 +267,22 @@ spec:
                     type: array
                 required:
                 - region
-                - trigger
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -436,6 +454,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: trigger is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.trigger)
           status:
             description: TriggerStatus defines the observed state of Trigger.
             properties:
@@ -446,6 +467,45 @@ spec:
                     type: string
                   id:
                     type: string
+                  repositoryName:
+                    description: The name for the repository. This needs to be less
+                      than 100 characters.
+                    type: string
+                  trigger:
+                    items:
+                      properties:
+                        branches:
+                          description: The branches that will be included in the trigger
+                            configuration. If no branches are specified, the trigger
+                            will apply to all branches.
+                          items:
+                            type: string
+                          type: array
+                        customData:
+                          description: Any custom data associated with the trigger
+                            that will be included in the information sent to the target
+                            of the trigger.
+                          type: string
+                        destinationArn:
+                          description: The ARN of the resource that is the target
+                            for a trigger. For example, the ARN of a topic in Amazon
+                            Simple Notification Service (SNS).
+                          type: string
+                        events:
+                          description: 'The repository events that will cause the
+                            trigger to run actions in another service, such as sending
+                            a notification through Amazon Simple Notification Service
+                            (SNS). If no events are specified, the trigger will run
+                            for all repository events. Event types include: all, updateReference,
+                            createReference, deleteReference.'
+                          items:
+                            type: string
+                          type: array
+                        name:
+                          description: The name of the trigger.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/codepipeline.aws.upbound.io_codepipelines.yaml b/package/crds/codepipeline.aws.upbound.io_codepipelines.yaml
index d6d4e082e6..0ddda72b43 100644
--- a/package/crds/codepipeline.aws.upbound.io_codepipelines.yaml
+++ b/package/crds/codepipeline.aws.upbound.io_codepipelines.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -354,10 +358,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - artifactStore
                 - region
-                - stage
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -529,6 +546,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: artifactStore is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.artifactStore)
+            - message: stage is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stage)
           status:
             description: CodepipelineStatus defines the observed state of Codepipeline.
             properties:
@@ -537,9 +559,131 @@ spec:
                   arn:
                     description: The codepipeline ARN.
                     type: string
+                  artifactStore:
+                    description: One or more artifact_store blocks. Artifact stores
+                      are documented below.
+                    items:
+                      properties:
+                        encryptionKey:
+                          description: The encryption key block AWS CodePipeline uses
+                            to encrypt the data in the artifact store, such as an
+                            AWS Key Management Service (AWS KMS) key. If you don't
+                            specify a key, AWS CodePipeline uses the default key for
+                            Amazon Simple Storage Service (Amazon S3). An encryption_key
+                            block is documented below.
+                          items:
+                            properties:
+                              id:
+                                description: The KMS key ARN or ID
+                                type: string
+                              type:
+                                description: The type of key; currently only KMS is
+                                  supported
+                                type: string
+                            type: object
+                          type: array
+                        location:
+                          description: The location where AWS CodePipeline stores
+                            artifacts for a pipeline; currently only S3 is supported.
+                          type: string
+                        region:
+                          description: The region where the artifact store is located.
+                            Required for a cross-region CodePipeline, do not provide
+                            for a single-region CodePipeline.
+                          type: string
+                        type:
+                          description: The type of the artifact store, such as Amazon
+                            S3
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The codepipeline ID.
                     type: string
+                  roleArn:
+                    description: A service role Amazon Resource Name (ARN) that grants
+                      AWS CodePipeline permission to make calls to AWS services on
+                      your behalf.
+                    type: string
+                  stage:
+                    description: (Minimum of at least two stage blocks is required)
+                      A stage block. Stages are documented below.
+                    items:
+                      properties:
+                        action:
+                          description: The action(s) to include in the stage. Defined
+                            as an action block below
+                          items:
+                            properties:
+                              category:
+                                description: A category defines what kind of action
+                                  can be taken in the stage, and constrains the provider
+                                  type for the action. Possible values are Approval,
+                                  Build, Deploy, Invoke, Source and Test.
+                                type: string
+                              configuration:
+                                additionalProperties:
+                                  type: string
+                                description: A map of the action declaration's configuration.
+                                  Configurations options for action types and providers
+                                  can be found in the Pipeline Structure Reference
+                                  and Action Structure Reference documentation.
+                                type: object
+                              inputArtifacts:
+                                description: A list of artifact names to be worked
+                                  on.
+                                items:
+                                  type: string
+                                type: array
+                              name:
+                                description: The action declaration's name.
+                                type: string
+                              namespace:
+                                description: The namespace all output variables will
+                                  be accessed from.
+                                type: string
+                              outputArtifacts:
+                                description: A list of artifact names to output. Output
+                                  artifact names must be unique within a pipeline.
+                                items:
+                                  type: string
+                                type: array
+                              owner:
+                                description: The creator of the action being called.
+                                  Possible values are AWS, Custom and ThirdParty.
+                                type: string
+                              provider:
+                                description: The provider of the service being called
+                                  by the action. Valid providers are determined by
+                                  the action category. Provider names are listed in
+                                  the Action Structure Reference documentation.
+                                type: string
+                              region:
+                                description: The region in which to run the action.
+                                type: string
+                              roleArn:
+                                description: The ARN of the IAM service role that
+                                  will perform the declared action. This is assumed
+                                  through the roleArn for the pipeline.
+                                type: string
+                              runOrder:
+                                description: The order in which actions are run.
+                                type: number
+                              version:
+                                description: A string that identifies the action type.
+                                type: string
+                            type: object
+                          type: array
+                        name:
+                          description: The name of the stage.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/codepipeline.aws.upbound.io_customactiontypes.yaml b/package/crds/codepipeline.aws.upbound.io_customactiontypes.yaml
index 60838a7bfc..4d30f8a15e 100644
--- a/package/crds/codepipeline.aws.upbound.io_customactiontypes.yaml
+++ b/package/crds/codepipeline.aws.upbound.io_customactiontypes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,13 +185,23 @@ spec:
                     description: The version identifier of the custom action.
                     type: string
                 required:
-                - category
-                - inputArtifactDetails
-                - outputArtifactDetails
-                - providerName
                 - region
-                - version
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -359,6 +373,17 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: category is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.category)
+            - message: inputArtifactDetails is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputArtifactDetails)
+            - message: outputArtifactDetails is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outputArtifactDetails)
+            - message: providerName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerName)
+            - message: version is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)
           status:
             description: CustomActionTypeStatus defines the observed state of CustomActionType.
             properties:
@@ -367,12 +392,110 @@ spec:
                   arn:
                     description: The action ARN.
                     type: string
+                  category:
+                    description: 'The category of the custom action. Valid values:
+                      Source, Build, Deploy, Test, Invoke, Approval'
+                    type: string
+                  configurationProperty:
+                    description: The configuration properties for the custom action.
+                      Max 10 items.
+                    items:
+                      properties:
+                        description:
+                          description: The description of the action configuration
+                            property.
+                          type: string
+                        key:
+                          description: Whether the configuration property is a key.
+                          type: boolean
+                        name:
+                          description: The name of the action configuration property.
+                          type: string
+                        queryable:
+                          description: Indicates that the property will be used in
+                            conjunction with PollForJobs.
+                          type: boolean
+                        required:
+                          description: Whether the configuration property is a required
+                            value.
+                          type: boolean
+                        secret:
+                          description: Whether the configuration property is secret.
+                          type: boolean
+                        type:
+                          description: 'The type of the configuration property. Valid
+                            values: String, Number, Boolean'
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: Composed of category, provider and version
                     type: string
+                  inputArtifactDetails:
+                    description: The details of the input artifact for the action.
+                    items:
+                      properties:
+                        maximumCount:
+                          description: 'The maximum number of artifacts allowed for
+                            the action type. Min: 0, Max: 5'
+                          type: number
+                        minimumCount:
+                          description: 'The minimum number of artifacts allowed for
+                            the action type. Min: 0, Max: 5'
+                          type: number
+                      type: object
+                    type: array
+                  outputArtifactDetails:
+                    description: The details of the output artifact of the action.
+                    items:
+                      properties:
+                        maximumCount:
+                          description: 'The maximum number of artifacts allowed for
+                            the action type. Min: 0, Max: 5'
+                          type: number
+                        minimumCount:
+                          description: 'The minimum number of artifacts allowed for
+                            the action type. Min: 0, Max: 5'
+                          type: number
+                      type: object
+                    type: array
                   owner:
                     description: The creator of the action being called.
                     type: string
+                  providerName:
+                    description: The provider of the service used in the custom action
+                    type: string
+                  settings:
+                    description: The settings for an action type.
+                    items:
+                      properties:
+                        entityUrlTemplate:
+                          description: The URL returned to the AWS CodePipeline console
+                            that provides a deep link to the resources of the external
+                            system.
+                          type: string
+                        executionUrlTemplate:
+                          description: The URL returned to the AWS CodePipeline console
+                            that contains a link to the top-level landing page for
+                            the external system.
+                          type: string
+                        revisionUrlTemplate:
+                          description: The URL returned to the AWS CodePipeline console
+                            that contains a link to the page where customers can update
+                            or change the configuration of the external action.
+                          type: string
+                        thirdPartyConfigurationUrl:
+                          description: The URL of a sign-up page where users can sign
+                            up for an external service and perform initial configuration
+                            of the action provided by that service.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -380,6 +503,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  version:
+                    description: The version identifier of the custom action.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/codepipeline.aws.upbound.io_webhooks.yaml b/package/crds/codepipeline.aws.upbound.io_webhooks.yaml
index cfdbf14af1..635563ecc5 100644
--- a/package/crds/codepipeline.aws.upbound.io_webhooks.yaml
+++ b/package/crds/codepipeline.aws.upbound.io_webhooks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -208,11 +212,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - authentication
-                - filter
                 - region
-                - targetAction
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -384,6 +400,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authentication is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authentication)
+            - message: filter is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filter)
+            - message: targetAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetAction)
           status:
             description: WebhookStatus defines the observed state of Webhook.
             properties:
@@ -392,9 +415,43 @@ spec:
                   arn:
                     description: The CodePipeline webhook's ARN.
                     type: string
+                  authentication:
+                    description: The type of authentication  to use. One of IP, GITHUB_HMAC,
+                      or UNAUTHENTICATED.
+                    type: string
+                  authenticationConfiguration:
+                    description: An auth block. Required for IP and GITHUB_HMAC. Auth
+                      blocks are documented below.
+                    items:
+                      properties:
+                        allowedIpRange:
+                          description: A valid CIDR block for IP filtering. Required
+                            for IP.
+                          type: string
+                      type: object
+                    type: array
+                  filter:
+                    description: One or more filter blocks. Filter blocks are documented
+                      below.
+                    items:
+                      properties:
+                        jsonPath:
+                          description: The JSON path to filter on.
+                          type: string
+                        matchEquals:
+                          description: The value to match on (e.g., refs/heads/{Branch}).
+                            See AWS docs for details.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The CodePipeline webhook's ARN.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -402,6 +459,14 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetAction:
+                    description: The name of the action in a pipeline you want to
+                      connect to the webhook. The action must be from the source (first)
+                      stage of the pipeline.
+                    type: string
+                  targetPipeline:
+                    description: The name of the pipeline.
+                    type: string
                   url:
                     description: The CodePipeline webhook's URL. POST events to this
                       endpoint to trigger the target.
diff --git a/package/crds/codestarconnections.aws.upbound.io_connections.yaml b/package/crds/codestarconnections.aws.upbound.io_connections.yaml
index 617322a541..6d3cb05ccb 100644
--- a/package/crds/codestarconnections.aws.upbound.io_connections.yaml
+++ b/package/crds/codestarconnections.aws.upbound.io_connections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -89,9 +93,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -263,6 +281,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ConnectionStatus defines the observed state of Connection.
             properties:
@@ -275,9 +296,29 @@ spec:
                     description: The codestar connection status. Possible values are
                       PENDING, AVAILABLE and ERROR.
                     type: string
+                  hostArn:
+                    description: The Amazon Resource Name (ARN) of the host associated
+                      with the connection. Conflicts with provider_type
+                    type: string
                   id:
                     description: The codestar connection ARN.
                     type: string
+                  name:
+                    description: The name of the connection to be created. The name
+                      must be unique in the calling AWS account. Changing name will
+                      create a new resource.
+                    type: string
+                  providerType:
+                    description: The name of the external provider where your third-party
+                      code repository is configured. Valid values are Bitbucket, GitHub
+                      or GitHubEnterpriseServer. Changing provider_type will create
+                      a new resource. Conflicts with host_arn
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/codestarconnections.aws.upbound.io_hosts.yaml b/package/crds/codestarconnections.aws.upbound.io_hosts.yaml
index 02bec227c0..b848ac414c 100644
--- a/package/crds/codestarconnections.aws.upbound.io_hosts.yaml
+++ b/package/crds/codestarconnections.aws.upbound.io_hosts.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -115,11 +119,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
-                - providerEndpoint
-                - providerType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -291,6 +307,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: providerEndpoint is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerEndpoint)
+            - message: providerType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerType)
           status:
             description: HostStatus defines the observed state of Host.
             properties:
@@ -302,11 +325,54 @@ spec:
                   id:
                     description: The CodeStar Host ARN.
                     type: string
+                  name:
+                    description: The name of the host to be created. The name must
+                      be unique in the calling AWS account.
+                    type: string
+                  providerEndpoint:
+                    description: The endpoint of the infrastructure to be represented
+                      by the host after it is created.
+                    type: string
+                  providerType:
+                    description: The name of the external provider where your third-party
+                      code repository is configured.
+                    type: string
                   status:
                     description: The CodeStar Host status. Possible values are PENDING,
                       AVAILABLE, VPC_CONFIG_DELETING, VPC_CONFIG_INITIALIZING, and
                       VPC_CONFIG_FAILED_INITIALIZATION.
                     type: string
+                  vpcConfiguration:
+                    description: The VPC configuration to be provisioned for the host.
+                      A VPC must be configured, and the infrastructure to be represented
+                      by the host must already be connected to the VPC.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          description: he ID of the security group or security groups
+                            associated with the Amazon VPC connected to the infrastructure
+                            where your provider type is installed.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: The ID of the subnet or subnets associated
+                            with the Amazon VPC connected to the infrastructure where
+                            your provider type is installed.
+                          items:
+                            type: string
+                          type: array
+                        tlsCertificate:
+                          description: The value of the Transport Layer Security (TLS)
+                            certificate associated with the infrastructure where your
+                            provider type is installed.
+                          type: string
+                        vpcId:
+                          description: The ID of the Amazon VPC connected to the infrastructure
+                            where your provider type is installed.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/codestarnotifications.aws.upbound.io_notificationrules.yaml b/package/crds/codestarnotifications.aws.upbound.io_notificationrules.yaml
index 83b33f0f53..09cbcd1324 100644
--- a/package/crds/codestarnotifications.aws.upbound.io_notificationrules.yaml
+++ b/package/crds/codestarnotifications.aws.upbound.io_notificationrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -262,11 +266,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - detailType
-                - eventTypeIds
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -438,6 +454,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: detailType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.detailType)
+            - message: eventTypeIds is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventTypeIds)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: NotificationRuleStatus defines the observed state of NotificationRule.
             properties:
@@ -446,9 +469,35 @@ spec:
                   arn:
                     description: The codestar notification rule ARN.
                     type: string
+                  detailType:
+                    description: The level of detail to include in the notifications
+                      for this resource. Possible values are BASIC and FULL.
+                    type: string
+                  eventTypeIds:
+                    description: A list of event types associated with this notification
+                      rule. For list of allowed events see here.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The codestar notification rule ARN.
                     type: string
+                  name:
+                    description: The name of notification rule.
+                    type: string
+                  resource:
+                    description: The ARN of the resource to associate with the notification
+                      rule.
+                    type: string
+                  status:
+                    description: The status of the notification rule. Possible values
+                      are ENABLED and DISABLED, default is ENABLED.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -462,10 +511,18 @@ spec:
                       must be specified on creation.
                     items:
                       properties:
+                        address:
+                          description: The ARN of notification rule target. For example,
+                            a SNS Topic ARN.
+                          type: string
                         status:
                           description: The status of the notification rule. Possible
                             values are ENABLED and DISABLED, default is ENABLED.
                           type: string
+                        type:
+                          description: The type of the notification target. Default
+                            value is SNS.
+                          type: string
                       type: object
                     type: array
                 type: object
diff --git a/package/crds/cognitoidentity.aws.upbound.io_cognitoidentitypoolproviderprincipaltags.yaml b/package/crds/cognitoidentity.aws.upbound.io_cognitoidentitypoolproviderprincipaltags.yaml
index 3d310bf963..92e7e0994f 100644
--- a/package/crds/cognitoidentity.aws.upbound.io_cognitoidentitypoolproviderprincipaltags.yaml
+++ b/package/crds/cognitoidentity.aws.upbound.io_cognitoidentitypoolproviderprincipaltags.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -238,6 +242,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -417,6 +436,21 @@ spec:
                 properties:
                   id:
                     type: string
+                  identityPoolId:
+                    description: An identity pool ID.
+                    type: string
+                  identityProviderName:
+                    description: The name of the identity provider.
+                    type: string
+                  principalTags:
+                    additionalProperties:
+                      type: string
+                    description: String to string map of variables.
+                    type: object
+                  useDefaults:
+                    description: ':  use default (username and clientID) attribute
+                      mappings.'
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidentity.aws.upbound.io_poolrolesattachments.yaml b/package/crds/cognitoidentity.aws.upbound.io_poolrolesattachments.yaml
index b4d86cd508..2b5331f531 100644
--- a/package/crds/cognitoidentity.aws.upbound.io_poolrolesattachments.yaml
+++ b/package/crds/cognitoidentity.aws.upbound.io_poolrolesattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -289,8 +293,22 @@ spec:
                     type: object
                 required:
                 - region
-                - roles
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -462,6 +480,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: roles is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.roles)
           status:
             description: PoolRolesAttachmentStatus defines the observed state of PoolRolesAttachment.
             properties:
@@ -470,6 +491,63 @@ spec:
                   id:
                     description: The identity pool ID.
                     type: string
+                  identityPoolId:
+                    description: An identity pool ID in the format REGION_GUID.
+                    type: string
+                  roleMapping:
+                    description: A List of Role Mapping.
+                    items:
+                      properties:
+                        ambiguousRoleResolution:
+                          description: Specifies the action to be taken if either
+                            no rules match the claim value for the Rules type, or
+                            there is no cognito:preferred_role claim and there are
+                            multiple cognito:roles matches for the Token type. Required
+                            if you specify Token or Rules as the Type.
+                          type: string
+                        identityProvider:
+                          description: A string identifying the identity provider,
+                            for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".
+                            Depends on cognito_identity_providers set on aws_cognito_identity_pool
+                            resource or a aws_cognito_identity_provider resource.
+                          type: string
+                        mappingRule:
+                          description: The Rules Configuration to be used for mapping
+                            users to roles. You can specify up to 25 rules per identity
+                            provider. Rules are evaluated in order. The first one
+                            to match specifies the role.
+                          items:
+                            properties:
+                              claim:
+                                description: The claim name that must be present in
+                                  the token, for example, "isAdmin" or "paid".
+                                type: string
+                              matchType:
+                                description: The match condition that specifies how
+                                  closely the claim value in the IdP token must match
+                                  Value.
+                                type: string
+                              roleArn:
+                                description: The role ARN.
+                                type: string
+                              value:
+                                description: A brief string that the claim must match,
+                                  for example, "paid" or "yes".
+                                type: string
+                            type: object
+                          type: array
+                        type:
+                          description: The role mapping type.
+                          type: string
+                      type: object
+                    type: array
+                  roles:
+                    additionalProperties:
+                      type: string
+                    description: The map of roles associated with this pool. For a
+                      given role, the key will be either "authenticated" or "unauthenticated"
+                      and the value will be the Role ARN.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidentity.aws.upbound.io_pools.yaml b/package/crds/cognitoidentity.aws.upbound.io_pools.yaml
index 2566fc0e42..46cf0bc38e 100644
--- a/package/crds/cognitoidentity.aws.upbound.io_pools.yaml
+++ b/package/crds/cognitoidentity.aws.upbound.io_pools.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -281,9 +285,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - identityPoolName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -455,17 +473,77 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: identityPoolName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identityPoolName)
           status:
             description: PoolStatus defines the observed state of Pool.
             properties:
               atProvider:
                 properties:
+                  allowClassicFlow:
+                    description: Enables or disables the classic / basic authentication
+                      flow. Default is false.
+                    type: boolean
+                  allowUnauthenticatedIdentities:
+                    description: Whether the identity pool supports unauthenticated
+                      logins or not.
+                    type: boolean
                   arn:
                     description: The ARN of the identity pool.
                     type: string
+                  cognitoIdentityProviders:
+                    description: An array of Amazon Cognito Identity user pools and
+                      their client IDs.
+                    items:
+                      properties:
+                        clientId:
+                          description: The client ID for the Amazon Cognito Identity
+                            User Pool.
+                          type: string
+                        providerName:
+                          description: The provider name for an Amazon Cognito Identity
+                            User Pool.
+                          type: string
+                        serverSideTokenCheck:
+                          description: Whether server-side token validation is enabled
+                            for the identity provider’s token or not.
+                          type: boolean
+                      type: object
+                    type: array
+                  developerProviderName:
+                    description: The "domain" by which Cognito will refer to your
+                      users. This name acts as a placeholder that allows your backend
+                      and the Cognito service to communicate about the developer provider.
+                    type: string
                   id:
                     description: An identity pool ID, e.g. us-west-2_abc123.
                     type: string
+                  identityPoolName:
+                    description: The Cognito Identity Pool name.
+                    type: string
+                  openidConnectProviderArns:
+                    description: Set of OpendID Connect provider ARNs.
+                    items:
+                      type: string
+                    type: array
+                  samlProviderArns:
+                    description: An array of Amazon Resource Names (ARNs) of the SAML
+                      provider for your identity.
+                    items:
+                      type: string
+                    type: array
+                  supportedLoginProviders:
+                    additionalProperties:
+                      type: string
+                    description: Key-Value pairs mapping provider names to provider
+                      app IDs.
+                    type: object
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cognitoidp.aws.upbound.io_identityproviders.yaml b/package/crds/cognitoidp.aws.upbound.io_identityproviders.yaml
index 8536f25bb1..267d0553d7 100644
--- a/package/crds/cognitoidp.aws.upbound.io_identityproviders.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_identityproviders.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,11 +171,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - providerDetails
-                - providerName
-                - providerType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,13 +359,45 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: providerDetails is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerDetails)
+            - message: providerName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerName)
+            - message: providerType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerType)
           status:
             description: IdentityProviderStatus defines the observed state of IdentityProvider.
             properties:
               atProvider:
                 properties:
+                  attributeMapping:
+                    additionalProperties:
+                      type: string
+                    description: The map of attribute mapping of user pool attributes.
+                      AttributeMapping in AWS API documentation
+                    type: object
                   id:
                     type: string
+                  idpIdentifiers:
+                    description: The list of identity providers.
+                    items:
+                      type: string
+                    type: array
+                  providerDetails:
+                    additionalProperties:
+                      type: string
+                    description: The map of identity details, such as access token
+                    type: object
+                  providerName:
+                    description: The provider name
+                    type: string
+                  providerType:
+                    description: The provider type.  See AWS API for valid values
+                    type: string
+                  userPoolId:
+                    description: The user pool id
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_resourceservers.yaml b/package/crds/cognitoidp.aws.upbound.io_resourceservers.yaml
index ec713fa793..570272039e 100644
--- a/package/crds/cognitoidp.aws.upbound.io_resourceservers.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_resourceservers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -165,10 +169,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - identifier
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,6 +357,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: identifier is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identifier)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ResourceServerStatus defines the observed state of ResourceServer.
             properties:
@@ -347,12 +369,32 @@ spec:
                 properties:
                   id:
                     type: string
+                  identifier:
+                    description: An identifier for the resource server.
+                    type: string
+                  name:
+                    description: A name for the resource server.
+                    type: string
+                  scope:
+                    description: A list of Authorization Scope.
+                    items:
+                      properties:
+                        scopeDescription:
+                          description: The scope description.
+                          type: string
+                        scopeName:
+                          description: The scope name.
+                          type: string
+                      type: object
+                    type: array
                   scopeIdentifiers:
                     description: A list of all scopes configured for this resource
                       server in the format identifier/scope_name.
                     items:
                       type: string
                     type: array
+                  userPoolId:
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_riskconfigurations.yaml b/package/crds/cognitoidp.aws.upbound.io_riskconfigurations.yaml
index 5d998962b3..fcb710c1b4 100644
--- a/package/crds/cognitoidp.aws.upbound.io_riskconfigurations.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_riskconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -366,6 +370,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -542,10 +561,200 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accountTakeoverRiskConfiguration:
+                    description: The account takeover risk configuration. See details
+                      below.
+                    items:
+                      properties:
+                        actions:
+                          description: Account takeover risk configuration actions.
+                            See details below.
+                          items:
+                            properties:
+                              highAction:
+                                description: Action to take for a high risk. See action
+                                  block below.
+                                items:
+                                  properties:
+                                    eventAction:
+                                      description: The action to take in response
+                                        to the account takeover action. Valid values
+                                        are BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED
+                                        and NO_ACTION.
+                                      type: string
+                                    notify:
+                                      description: Whether to send a notification.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              lowAction:
+                                description: Action to take for a low risk. See action
+                                  block below.
+                                items:
+                                  properties:
+                                    eventAction:
+                                      description: The action to take in response
+                                        to the account takeover action. Valid values
+                                        are BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED
+                                        and NO_ACTION.
+                                      type: string
+                                    notify:
+                                      description: Whether to send a notification.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              mediumAction:
+                                description: Action to take for a medium risk. See
+                                  action block below.
+                                items:
+                                  properties:
+                                    eventAction:
+                                      description: The action to take in response
+                                        to the account takeover action. Valid values
+                                        are BLOCK, MFA_IF_CONFIGURED, MFA_REQUIRED
+                                        and NO_ACTION.
+                                      type: string
+                                    notify:
+                                      description: Whether to send a notification.
+                                      type: boolean
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        notifyConfiguration:
+                          description: The notify configuration used to construct
+                            email notifications. See details below.
+                          items:
+                            properties:
+                              blockEmail:
+                                description: Email template used when a detected risk
+                                  event is blocked. See notify email type below.
+                                items:
+                                  properties:
+                                    htmlBody:
+                                      description: The email HTML body.
+                                      type: string
+                                    subject:
+                                      description: The email subject.
+                                      type: string
+                                    textBody:
+                                      description: The email text body.
+                                      type: string
+                                  type: object
+                                type: array
+                              from:
+                                description: The email address that is sending the
+                                  email. The address must be either individually verified
+                                  with Amazon Simple Email Service, or from a domain
+                                  that has been verified with Amazon SES.
+                                type: string
+                              mfaEmail:
+                                description: The multi-factor authentication (MFA)
+                                  email template used when MFA is challenged as part
+                                  of a detected risk. See notify email type below.
+                                items:
+                                  properties:
+                                    htmlBody:
+                                      description: The email HTML body.
+                                      type: string
+                                    subject:
+                                      description: The email subject.
+                                      type: string
+                                    textBody:
+                                      description: The email text body.
+                                      type: string
+                                  type: object
+                                type: array
+                              noActionEmail:
+                                description: The email template used when a detected
+                                  risk event is allowed. See notify email type below.
+                                items:
+                                  properties:
+                                    htmlBody:
+                                      description: The email HTML body.
+                                      type: string
+                                    subject:
+                                      description: The email subject.
+                                      type: string
+                                    textBody:
+                                      description: The email text body.
+                                      type: string
+                                  type: object
+                                type: array
+                              replyTo:
+                                description: The destination to which the receiver
+                                  of an email should reply to.
+                                type: string
+                              sourceArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  identity that is associated with the sending authorization
+                                  policy. This identity permits Amazon Cognito to
+                                  send for the email address specified in the From
+                                  parameter.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  clientId:
+                    description: The app client ID. When the client ID is not provided,
+                      the same risk configuration is applied to all the clients in
+                      the User Pool.
+                    type: string
+                  compromisedCredentialsRiskConfiguration:
+                    description: The compromised credentials risk configuration. See
+                      details below.
+                    items:
+                      properties:
+                        actions:
+                          description: The compromised credentials risk configuration
+                            actions. See details below.
+                          items:
+                            properties:
+                              eventAction:
+                                description: The action to take in response to the
+                                  account takeover action. Valid values are BLOCK,
+                                  MFA_IF_CONFIGURED, MFA_REQUIRED and NO_ACTION.
+                                type: string
+                            type: object
+                          type: array
+                        eventFilter:
+                          description: Perform the action for these events. The default
+                            is to perform all events if no event filter is specified.
+                            Valid values are SIGN_IN, PASSWORD_CHANGE, and SIGN_UP.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: 'The user pool ID. or The user pool ID and Client
                       Id separated by a : if the configuration is client specific.'
                     type: string
+                  riskExceptionConfiguration:
+                    description: The configuration to override the risk decision.
+                      See details below.
+                    items:
+                      properties:
+                        blockedIpRangeList:
+                          description: Overrides the risk decision to always block
+                            the pre-authentication requests. The IP range is in CIDR
+                            notation, a compact representation of an IP address and
+                            its routing prefix.
+                          items:
+                            type: string
+                          type: array
+                        skippedIpRangeList:
+                          description: Risk detection isn't performed on the IP addresses
+                            in this range list. The IP range is in CIDR notation.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  userPoolId:
+                    description: The user pool ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_usergroups.yaml b/package/crds/cognitoidp.aws.upbound.io_usergroups.yaml
index dd700123b4..496c5fda0e 100644
--- a/package/crds/cognitoidp.aws.upbound.io_usergroups.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_usergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -231,9 +235,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,13 +423,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: UserGroupStatus defines the observed state of UserGroup.
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: The description of the user group.
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: The name of the user group.
+                    type: string
+                  precedence:
+                    description: The precedence of the user group.
+                    type: number
+                  roleArn:
+                    description: The ARN of the IAM role to be associated with the
+                      user group.
+                    type: string
+                  userPoolId:
+                    description: The user pool ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_useringroups.yaml b/package/crds/cognitoidp.aws.upbound.io_useringroups.yaml
index 3fcd538d53..9cda8fe93e 100644
--- a/package/crds/cognitoidp.aws.upbound.io_useringroups.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_useringroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -304,6 +308,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -480,8 +499,18 @@ spec:
             properties:
               atProvider:
                 properties:
+                  groupName:
+                    description: The name of the group to which the user is to be
+                      added.
+                    type: string
                   id:
                     type: string
+                  userPoolId:
+                    description: The user pool ID of the user and group.
+                    type: string
+                  username:
+                    description: The username of the user to be added to the group.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_userpoolclients.yaml b/package/crds/cognitoidp.aws.upbound.io_userpoolclients.yaml
index 156da14c51..341334657e 100644
--- a/package/crds/cognitoidp.aws.upbound.io_userpoolclients.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_userpoolclients.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -448,9 +452,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -622,14 +640,169 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: UserPoolClientStatus defines the observed state of UserPoolClient.
             properties:
               atProvider:
                 properties:
+                  accessTokenValidity:
+                    description: Time limit, between 5 minutes and 1 day, after which
+                      the access token is no longer valid and cannot be used. This
+                      value will be overridden if you have entered a value in token_validity_units.
+                    type: number
+                  allowedOauthFlows:
+                    description: List of allowed OAuth flows (code, implicit, client_credentials).
+                    items:
+                      type: string
+                    type: array
+                  allowedOauthFlowsUserPoolClient:
+                    description: Whether the client is allowed to follow the OAuth
+                      protocol when interacting with Cognito user pools.
+                    type: boolean
+                  allowedOauthScopes:
+                    description: List of allowed OAuth scopes (phone, email, openid,
+                      profile, and aws.cognito.signin.user.admin).
+                    items:
+                      type: string
+                    type: array
+                  analyticsConfiguration:
+                    description: Configuration block for Amazon Pinpoint analytics
+                      for collecting metrics for this user pool. Detailed below.
+                    items:
+                      properties:
+                        applicationArn:
+                          description: Application ARN for an Amazon Pinpoint application.
+                            Conflicts with external_id and role_arn.
+                          type: string
+                        applicationId:
+                          description: Application ID for an Amazon Pinpoint application.
+                          type: string
+                        externalId:
+                          description: ID for the Analytics Configuration. Conflicts
+                            with application_arn.
+                          type: string
+                        roleArn:
+                          description: ARN of an IAM role that authorizes Amazon Cognito
+                            to publish events to Amazon Pinpoint analytics. Conflicts
+                            with application_arn.
+                          type: string
+                        userDataShared:
+                          description: If set to true, Amazon Cognito will include
+                            user data in the events it publishes to Amazon Pinpoint
+                            analytics.
+                          type: boolean
+                      type: object
+                    type: array
+                  authSessionValidity:
+                    description: Amazon Cognito creates a session token for each API
+                      request in an authentication flow. AuthSessionValidity is the
+                      duration, in minutes, of that session token. Your user pool
+                      native user must respond to each authentication challenge before
+                      the session expires. Valid values between 3 and 15. Default
+                      value is 3.
+                    type: number
+                  callbackUrls:
+                    description: List of allowed callback URLs for the identity providers.
+                    items:
+                      type: string
+                    type: array
+                  defaultRedirectUri:
+                    description: Default redirect URI. Must be in the list of callback
+                      URLs.
+                    type: string
+                  enablePropagateAdditionalUserContextData:
+                    description: Activates the propagation of additional user context
+                      data.
+                    type: boolean
+                  enableTokenRevocation:
+                    description: Enables or disables token revocation.
+                    type: boolean
+                  explicitAuthFlows:
+                    description: List of authentication flows (ADMIN_NO_SRP_AUTH,
+                      CUSTOM_AUTH_FLOW_ONLY, USER_PASSWORD_AUTH, ALLOW_ADMIN_USER_PASSWORD_AUTH,
+                      ALLOW_CUSTOM_AUTH, ALLOW_USER_PASSWORD_AUTH, ALLOW_USER_SRP_AUTH,
+                      ALLOW_REFRESH_TOKEN_AUTH).
+                    items:
+                      type: string
+                    type: array
+                  generateSecret:
+                    description: Should an application secret be generated.
+                    type: boolean
                   id:
                     description: ID of the user pool client.
                     type: string
+                  idTokenValidity:
+                    description: Time limit, between 5 minutes and 1 day, after which
+                      the ID token is no longer valid and cannot be used. This value
+                      will be overridden if you have entered a value in token_validity_units.
+                    type: number
+                  logoutUrls:
+                    description: List of allowed logout URLs for the identity providers.
+                    items:
+                      type: string
+                    type: array
+                  name:
+                    description: Name of the application client.
+                    type: string
+                  preventUserExistenceErrors:
+                    description: Choose which errors and responses are returned by
+                      Cognito APIs during authentication, account confirmation, and
+                      password recovery when the user does not exist in the user pool.
+                      When set to ENABLED and the user does not exist, authentication
+                      returns an error indicating either the username or password
+                      was incorrect, and account confirmation and password recovery
+                      return a response indicating a code was sent to a simulated
+                      destination. When set to LEGACY, those APIs will return a UserNotFoundException
+                      exception if the user does not exist in the user pool.
+                    type: string
+                  readAttributes:
+                    description: List of user pool attributes the application client
+                      can read from.
+                    items:
+                      type: string
+                    type: array
+                  refreshTokenValidity:
+                    description: Time limit in days refresh tokens are valid for.
+                    type: number
+                  supportedIdentityProviders:
+                    description: List of provider names for the identity providers
+                      that are supported on this client. Uses the provider_name attribute
+                      of aws_cognito_identity_provider resource(s), or the equivalent
+                      string(s).
+                    items:
+                      type: string
+                    type: array
+                  tokenValidityUnits:
+                    description: Configuration block for units in which the validity
+                      times are represented in. Detailed below.
+                    items:
+                      properties:
+                        accessToken:
+                          description: Time unit in for the value in access_token_validity,
+                            defaults to hours.
+                          type: string
+                        idToken:
+                          description: Time unit in for the value in id_token_validity,
+                            defaults to hours.
+                          type: string
+                        refreshToken:
+                          description: Time unit in for the value in refresh_token_validity,
+                            defaults to days.
+                          type: string
+                      type: object
+                    type: array
+                  userPoolId:
+                    description: User pool the client belongs to.
+                    type: string
+                  writeAttributes:
+                    description: List of user pool attributes the application client
+                      can write to.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_userpooldomains.yaml b/package/crds/cognitoidp.aws.upbound.io_userpooldomains.yaml
index 13bb74bd99..4530bd1117 100644
--- a/package/crds/cognitoidp.aws.upbound.io_userpooldomains.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_userpooldomains.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -227,9 +231,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - domain
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -401,6 +419,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domain is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domain)
           status:
             description: UserPoolDomainStatus defines the observed state of UserPoolDomain.
             properties:
@@ -409,16 +430,28 @@ spec:
                   awsAccountId:
                     description: The AWS account ID for the user pool owner.
                     type: string
+                  certificateArn:
+                    description: The ARN of an ISSUED ACM certificate in us-east-1
+                      for a custom domain.
+                    type: string
                   cloudfrontDistributionArn:
                     description: The URL of the CloudFront distribution. This is required
                       to generate the ALIAS aws_route53_record
                     type: string
+                  domain:
+                    description: For custom domains, this is the fully-qualified domain
+                      name, such as auth.example.com. For Amazon Cognito prefix domains,
+                      this is the prefix alone, such as auth.
+                    type: string
                   id:
                     type: string
                   s3Bucket:
                     description: The S3 bucket where the static files for this domain
                       are stored.
                     type: string
+                  userPoolId:
+                    description: The user pool ID.
+                    type: string
                   version:
                     description: The app version.
                     type: string
diff --git a/package/crds/cognitoidp.aws.upbound.io_userpools.yaml b/package/crds/cognitoidp.aws.upbound.io_userpools.yaml
index 5892b7be1e..07e2436c2f 100644
--- a/package/crds/cognitoidp.aws.upbound.io_userpools.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_userpools.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -624,9 +628,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -798,14 +816,84 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: UserPoolStatus defines the observed state of UserPool.
             properties:
               atProvider:
                 properties:
+                  accountRecoverySetting:
+                    description: Configuration block to define which verified available
+                      method a user can use to recover their forgotten password. Detailed
+                      below.
+                    items:
+                      properties:
+                        recoveryMechanism:
+                          description: 'List of Account Recovery Options of the following
+                            structure:'
+                          items:
+                            properties:
+                              name:
+                                description: Name of the user pool.
+                                type: string
+                              priority:
+                                description: Positive integer specifying priority
+                                  of a method with 1 being the highest priority.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  adminCreateUserConfig:
+                    description: Configuration block for creating a new user profile.
+                      Detailed below.
+                    items:
+                      properties:
+                        allowAdminCreateUserOnly:
+                          description: Set to True if only the administrator is allowed
+                            to create user profiles. Set to False if users can sign
+                            themselves up via an app.
+                          type: boolean
+                        inviteMessageTemplate:
+                          description: Invite message template structure. Detailed
+                            below.
+                          items:
+                            properties:
+                              emailMessage:
+                                description: Message template for email messages.
+                                  Must contain {username} and {####} placeholders,
+                                  for username and temporary password, respectively.
+                                type: string
+                              emailSubject:
+                                description: Subject line for email messages.
+                                type: string
+                              smsMessage:
+                                description: Message template for SMS messages. Must
+                                  contain {username} and {####} placeholders, for
+                                  username and temporary password, respectively.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  aliasAttributes:
+                    description: 'Attributes supported as an alias for this user pool.
+                      Valid values: phone_number, email, or preferred_username. Conflicts
+                      with username_attributes.'
+                    items:
+                      type: string
+                    type: array
                   arn:
                     description: ARN of the user pool.
                     type: string
+                  autoVerifiedAttributes:
+                    description: 'Attributes to be auto-verified. Valid values: email,
+                      phone_number.'
+                    items:
+                      type: string
+                    type: array
                   creationDate:
                     description: Date the user pool was created.
                     type: string
@@ -815,10 +903,74 @@ spec:
                       to host the sign-up and sign-in pages for your application.
                       For example: auth.example.com.'
                     type: string
+                  deletionProtection:
+                    description: When active, DeletionProtection prevents accidental
+                      deletion of your user pool. Before you can delete a user pool
+                      that you have protected against deletion, you must deactivate
+                      this feature. Valid values are ACTIVE and INACTIVE, Default
+                      value is INACTIVE.
+                    type: string
+                  deviceConfiguration:
+                    description: Configuration block for the user pool's device tracking.
+                      Detailed below.
+                    items:
+                      properties:
+                        challengeRequiredOnNewDevice:
+                          description: Whether a challenge is required on a new device.
+                            Only applicable to a new device.
+                          type: boolean
+                        deviceOnlyRememberedOnUserPrompt:
+                          description: Whether a device is only remembered on user
+                            prompt. false equates to "Always" remember, true is "User
+                            Opt In," and not using a device_configuration block is
+                            "No."
+                          type: boolean
+                      type: object
+                    type: array
                   domain:
                     description: Holds the domain prefix if the user pool has a domain
                       associated with it.
                     type: string
+                  emailConfiguration:
+                    description: Configuration block for configuring email. Detailed
+                      below.
+                    items:
+                      properties:
+                        configurationSet:
+                          description: Email configuration set name from SES.
+                          type: string
+                        emailSendingAccount:
+                          description: Email delivery method to use. COGNITO_DEFAULT
+                            for the default email functionality built into Cognito
+                            or DEVELOPER to use your Amazon SES configuration.
+                          type: string
+                        fromEmailAddress:
+                          description: Sender’s email address or sender’s display
+                            name with their email address (e.g., john@example.com,
+                            John Smith <john@example.com> or \"John Smith Ph.D.\"
+                            <john@example.com>). Escaped double quotes are required
+                            around display names that contain certain characters as
+                            specified in RFC 5322.
+                          type: string
+                        replyToEmailAddress:
+                          description: REPLY-TO email address.
+                          type: string
+                        sourceArn:
+                          description: ARN of the SES verified email identity to use.
+                            Required if email_sending_account is set to DEVELOPER.
+                          type: string
+                      type: object
+                    type: array
+                  emailVerificationMessage:
+                    description: String representing the email verification message.
+                      Conflicts with verification_message_template configuration block
+                      email_message argument.
+                    type: string
+                  emailVerificationSubject:
+                    description: String representing the email verification subject.
+                      Conflicts with verification_message_template configuration block
+                      email_subject argument.
+                    type: string
                   endpoint:
                     description: 'Endpoint name of the user pool. Example format:
                       cognito-idp.REGION.amazonaws.com/xxxx_yyyyy'
@@ -829,9 +981,257 @@ spec:
                   id:
                     description: ID of the user pool.
                     type: string
+                  lambdaConfig:
+                    description: Configuration block for the AWS Lambda triggers associated
+                      with the user pool. Detailed below.
+                    items:
+                      properties:
+                        createAuthChallenge:
+                          description: ARN of the lambda creating an authentication
+                            challenge.
+                          type: string
+                        customEmailSender:
+                          description: A custom email sender AWS Lambda trigger. See
+                            custom_email_sender Below.
+                          items:
+                            properties:
+                              lambdaArn:
+                                description: The Lambda Amazon Resource Name of the
+                                  Lambda function that Amazon Cognito triggers to
+                                  send email notifications to users.
+                                type: string
+                              lambdaVersion:
+                                description: The Lambda version represents the signature
+                                  of the "request" attribute in the "event" information
+                                  Amazon Cognito passes to your custom email Lambda
+                                  function. The only supported value is V1_0.
+                                type: string
+                            type: object
+                          type: array
+                        customMessage:
+                          description: Custom Message AWS Lambda trigger.
+                          type: string
+                        customSmsSender:
+                          description: A custom SMS sender AWS Lambda trigger. See
+                            custom_sms_sender Below.
+                          items:
+                            properties:
+                              lambdaArn:
+                                description: The Lambda Amazon Resource Name of the
+                                  Lambda function that Amazon Cognito triggers to
+                                  send SMS notifications to users.
+                                type: string
+                              lambdaVersion:
+                                description: The Lambda version represents the signature
+                                  of the "request" attribute in the "event" information
+                                  Amazon Cognito passes to your custom SMS Lambda
+                                  function. The only supported value is V1_0.
+                                type: string
+                            type: object
+                          type: array
+                        defineAuthChallenge:
+                          description: Defines the authentication challenge.
+                          type: string
+                        kmsKeyId:
+                          description: The Amazon Resource Name of Key Management
+                            Service Customer master keys. Amazon Cognito uses the
+                            key to encrypt codes and temporary passwords sent to CustomEmailSender
+                            and CustomSMSSender.
+                          type: string
+                        postAuthentication:
+                          description: Post-authentication AWS Lambda trigger.
+                          type: string
+                        postConfirmation:
+                          description: Post-confirmation AWS Lambda trigger.
+                          type: string
+                        preAuthentication:
+                          description: Pre-authentication AWS Lambda trigger.
+                          type: string
+                        preSignUp:
+                          description: Pre-registration AWS Lambda trigger.
+                          type: string
+                        preTokenGeneration:
+                          description: Allow to customize identity token claims before
+                            token generation.
+                          type: string
+                        userMigration:
+                          description: User migration Lambda config type.
+                          type: string
+                        verifyAuthChallengeResponse:
+                          description: Verifies the authentication challenge response.
+                          type: string
+                      type: object
+                    type: array
                   lastModifiedDate:
                     description: Date the user pool was last modified.
                     type: string
+                  mfaConfiguration:
+                    description: Multi-Factor Authentication (MFA) configuration for
+                      the User Pool. Defaults of OFF. Valid values are OFF (MFA Tokens
+                      are not required), ON (MFA is required for all users to sign
+                      in; requires at least one of sms_configuration or software_token_mfa_configuration
+                      to be configured), or OPTIONAL (MFA Will be required only for
+                      individual users who have MFA Enabled; requires at least one
+                      of sms_configuration or software_token_mfa_configuration to
+                      be configured).
+                    type: string
+                  name:
+                    description: Name of the user pool.
+                    type: string
+                  passwordPolicy:
+                    description: Configuration blocked for information about the user
+                      pool password policy. Detailed below.
+                    items:
+                      properties:
+                        minimumLength:
+                          description: Minimum length of the password policy that
+                            you have set.
+                          type: number
+                        requireLowercase:
+                          description: Whether you have required users to use at least
+                            one lowercase letter in their password.
+                          type: boolean
+                        requireNumbers:
+                          description: Whether you have required users to use at least
+                            one number in their password.
+                          type: boolean
+                        requireSymbols:
+                          description: Whether you have required users to use at least
+                            one symbol in their password.
+                          type: boolean
+                        requireUppercase:
+                          description: Whether you have required users to use at least
+                            one uppercase letter in their password.
+                          type: boolean
+                        temporaryPasswordValidityDays:
+                          description: In the password policy you have set, refers
+                            to the number of days a temporary password is valid. If
+                            the user does not sign-in during this time, their password
+                            will need to be reset by an administrator.
+                          type: number
+                      type: object
+                    type: array
+                  schema:
+                    description: Configuration block for the schema attributes of
+                      a user pool. Detailed below. Schema attributes from the standard
+                      attribute set only need to be specified if they are different
+                      from the default configuration. Attributes can be added, but
+                      not modified or removed. Maximum of 50 attributes.
+                    items:
+                      properties:
+                        attributeDataType:
+                          description: Attribute data type. Must be one of Boolean,
+                            Number, String, DateTime.
+                          type: string
+                        developerOnlyAttribute:
+                          description: Whether the attribute type is developer only.
+                          type: boolean
+                        mutable:
+                          description: Whether the attribute can be changed once it
+                            has been created.
+                          type: boolean
+                        name:
+                          description: Name of the user pool.
+                          type: string
+                        numberAttributeConstraints:
+                          description: Configuration block for the constraints for
+                            an attribute of the number type. Detailed below.
+                          items:
+                            properties:
+                              maxValue:
+                                description: Maximum value of an attribute that is
+                                  of the number data type.
+                                type: string
+                              minValue:
+                                description: Minimum value of an attribute that is
+                                  of the number data type.
+                                type: string
+                            type: object
+                          type: array
+                        required:
+                          description: Whether a user pool attribute is required.
+                            If the attribute is required and the user does not provide
+                            a value, registration or sign-in will fail.
+                          type: boolean
+                        stringAttributeConstraints:
+                          description: Constraints for an attribute of the string
+                            type. Detailed below.
+                          items:
+                            properties:
+                              maxLength:
+                                description: Maximum length of an attribute value
+                                  of the string type.
+                                type: string
+                              minLength:
+                                description: Minimum length of an attribute value
+                                  of the string type.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  smsAuthenticationMessage:
+                    description: String representing the SMS authentication message.
+                      The Message must contain the {####} placeholder, which will
+                      be replaced with the code.
+                    type: string
+                  smsConfiguration:
+                    description: Configuration block for Short Message Service (SMS)
+                      settings. Detailed below. These settings apply to SMS user verification
+                      and SMS Multi-Factor Authentication (MFA). Due to Cognito API
+                      restrictions, the SMS configuration cannot be removed without
+                      recreating the Cognito User Pool. For user data safety, this
+                      resource will ignore the removal of this configuration by disabling
+                      drift detection. To force resource recreation after this configuration
+                      has been applied, see the taint command.
+                    items:
+                      properties:
+                        externalId:
+                          description: External ID used in IAM role trust relationships.
+                            For more information about using external IDs, see How
+                            to Use an External ID When Granting Access to Your AWS
+                            Resources to a Third Party.
+                          type: string
+                        snsCallerArn:
+                          description: ARN of the Amazon SNS caller. This is usually
+                            the IAM role that you've given Cognito permission to assume.
+                          type: string
+                        snsRegion:
+                          description: The AWS Region to use with Amazon SNS integration.
+                            You can choose the same Region as your user pool, or a
+                            supported Legacy Amazon SNS alternate Region. Amazon Cognito
+                            resources in the Asia Pacific (Seoul) AWS Region must
+                            use your Amazon SNS configuration in the Asia Pacific
+                            (Tokyo) Region. For more information, see SMS message
+                            settings for Amazon Cognito user pools.
+                          type: string
+                      type: object
+                    type: array
+                  smsVerificationMessage:
+                    description: String representing the SMS verification message.
+                      Conflicts with verification_message_template configuration block
+                      sms_message argument.
+                    type: string
+                  softwareTokenMfaConfiguration:
+                    description: Configuration block for software token Mult-Factor
+                      Authentication (MFA) settings. Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Boolean whether to enable software token Multi-Factor
+                            (MFA) tokens, such as Time-based One-Time Password (TOTP).
+                            To disable software token MFA When sms_configuration is
+                            not present, the mfa_configuration argument must be set
+                            to OFF and the software_token_mfa_configuration configuration
+                            block must be fully removed.
+                          type: boolean
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -839,6 +1239,82 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  userAttributeUpdateSettings:
+                    description: Configuration block for user attribute update settings.
+                      Detailed below.
+                    items:
+                      properties:
+                        attributesRequireVerificationBeforeUpdate:
+                          description: 'A list of attributes requiring verification
+                            before update. If set, the provided value(s) must also
+                            be set in auto_verified_attributes. Valid values: email,
+                            phone_number.'
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  userPoolAddOns:
+                    description: Configuration block for user pool add-ons to enable
+                      user pool advanced security mode features. Detailed below.
+                    items:
+                      properties:
+                        advancedSecurityMode:
+                          description: Mode for advanced security, must be one of
+                            OFF, AUDIT or ENFORCED.
+                          type: string
+                      type: object
+                    type: array
+                  usernameAttributes:
+                    description: Whether email addresses or phone numbers can be specified
+                      as usernames when a user signs up. Conflicts with alias_attributes.
+                    items:
+                      type: string
+                    type: array
+                  usernameConfiguration:
+                    description: Configuration block for username configuration. Detailed
+                      below.
+                    items:
+                      properties:
+                        caseSensitive:
+                          description: Whether username case sensitivity will be applied
+                            for all users in the user pool through Cognito APIs.
+                          type: boolean
+                      type: object
+                    type: array
+                  verificationMessageTemplate:
+                    description: Configuration block for verification message templates.
+                      Detailed below.
+                    items:
+                      properties:
+                        defaultEmailOption:
+                          description: Default email option. Must be either CONFIRM_WITH_CODE
+                            or CONFIRM_WITH_LINK. Defaults to CONFIRM_WITH_CODE.
+                          type: string
+                        emailMessage:
+                          description: Email message template. Must contain the {####}
+                            placeholder. Conflicts with email_verification_message
+                            argument.
+                          type: string
+                        emailMessageByLink:
+                          description: Email message template for sending a confirmation
+                            link to the user, it must contain the {##Click Here##}
+                            placeholder.
+                          type: string
+                        emailSubject:
+                          description: Subject line for the email message template.
+                            Conflicts with email_verification_subject argument.
+                          type: string
+                        emailSubjectByLink:
+                          description: Subject line for the email message template
+                            for sending a confirmation link to the user.
+                          type: string
+                        smsMessage:
+                          description: SMS message template. Must contain the {####}
+                            placeholder. Conflicts with sms_verification_message argument.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_userpooluicustomizations.yaml b/package/crds/cognitoidp.aws.upbound.io_userpooluicustomizations.yaml
index 65b8c6f704..a4f16f3b48 100644
--- a/package/crds/cognitoidp.aws.upbound.io_userpooluicustomizations.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_userpooluicustomizations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -236,6 +240,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -413,14 +432,29 @@ spec:
             properties:
               atProvider:
                 properties:
+                  clientId:
+                    description: The client ID for the client app. Defaults to ALL.
+                      If ALL is specified, the css and/or image_file settings will
+                      be used for every client that has no UI customization set previously.
+                    type: string
                   creationDate:
                     description: The creation date in RFC3339 format for the UI customization.
                     type: string
+                  css:
+                    description: The CSS values in the UI customization, provided
+                      as a String. At least one of css or image_file is required.
+                    type: string
                   cssVersion:
                     description: The CSS version number.
                     type: string
                   id:
                     type: string
+                  imageFile:
+                    description: The uploaded logo image for the UI customization,
+                      provided as a base64-encoded String. Drift detection is not
+                      possible for this argument. At least one of css or image_file
+                      is required.
+                    type: string
                   imageUrl:
                     description: The logo image URL for the UI customization.
                     type: string
@@ -428,6 +462,9 @@ spec:
                     description: The last-modified date in RFC3339 format for the
                       UI customization.
                     type: string
+                  userPoolId:
+                    description: The user pool ID for the user pool.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/cognitoidp.aws.upbound.io_users.yaml b/package/crds/cognitoidp.aws.upbound.io_users.yaml
index 70b8a345b4..dfb86fc839 100644
--- a/package/crds/cognitoidp.aws.upbound.io_users.yaml
+++ b/package/crds/cognitoidp.aws.upbound.io_users.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -249,6 +253,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -425,12 +444,62 @@ spec:
             properties:
               atProvider:
                 properties:
+                  attributes:
+                    additionalProperties:
+                      type: string
+                    description: A map that contains user attributes and attribute
+                      values to be set for the user.
+                    type: object
+                  clientMetadata:
+                    additionalProperties:
+                      type: string
+                    description: A map of custom key-value pairs that you can provide
+                      as input for any custom workflows that user creation triggers.
+                      Amazon Cognito does not store the client_metadata value. This
+                      data is available only to Lambda triggers that are assigned
+                      to a user pool to support custom workflows. If your user pool
+                      configuration does not include triggers, the ClientMetadata
+                      parameter serves no purpose. For more information, see Customizing
+                      User Pool Workflows with Lambda Triggers.
+                    type: object
                   creationDate:
                     type: string
+                  desiredDeliveryMediums:
+                    description: A list of mediums to the welcome message will be
+                      sent through. Allowed values are EMAIL and SMS. If it's provided,
+                      make sure you have also specified email attribute for the EMAIL
+                      medium and phone_number for the SMS. More than one value can
+                      be specified. Amazon Cognito does not store the desired_delivery_mediums
+                      value. Defaults to ["SMS"].
+                    items:
+                      type: string
+                    type: array
+                  enabled:
+                    description: Specifies whether the user should be enabled after
+                      creation. The welcome message will be sent regardless of the
+                      enabled value. The behavior can be changed with message_action
+                      argument. Defaults to true.
+                    type: boolean
+                  forceAliasCreation:
+                    description: If this parameter is set to True and the phone_number
+                      or email address specified in the attributes parameter already
+                      exists as an alias with a different user, Amazon Cognito will
+                      migrate the alias from the previous user to the newly created
+                      user. The previous user will no longer be able to log in using
+                      that alias. Amazon Cognito does not store the force_alias_creation
+                      value. Defaults to false.
+                    type: boolean
                   id:
                     type: string
                   lastModifiedDate:
                     type: string
+                  messageAction:
+                    description: Set to RESEND to resend the invitation message to
+                      a user that already exists and reset the expiration limit on
+                      the user's account. Set to SUPPRESS to suppress sending the
+                      message. Only one value can be specified. Amazon Cognito does
+                      not store the message_action value.
+                    type: string
                   mfaSettingList:
                     items:
                       type: string
@@ -444,6 +513,20 @@ spec:
                     description: unique user id that is never reassignable to another
                       user.
                     type: string
+                  userPoolId:
+                    description: The user pool ID for the user pool where the user
+                      will be created.
+                    type: string
+                  validationData:
+                    additionalProperties:
+                      type: string
+                    description: The user's validation data. This is an array of name-value
+                      pairs that contain user attributes and attribute values that
+                      you can use for custom validation, such as restricting the types
+                      of user accounts that can be registered. Amazon Cognito does
+                      not store the validation_data value. For more information, see
+                      Customizing User Pool Workflows with Lambda Triggers.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/configservice.aws.upbound.io_awsconfigurationrecorderstatuses.yaml b/package/crds/configservice.aws.upbound.io_awsconfigurationrecorderstatuses.yaml
index 869d37c927..e7b1b77302 100644
--- a/package/crds/configservice.aws.upbound.io_awsconfigurationrecorderstatuses.yaml
+++ b/package/crds/configservice.aws.upbound.io_awsconfigurationrecorderstatuses.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -74,9 +78,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - isEnabled
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -248,6 +266,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: isEnabled is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.isEnabled)
           status:
             description: AWSConfigurationRecorderStatusStatus defines the observed
               state of AWSConfigurationRecorderStatus.
@@ -256,6 +277,10 @@ spec:
                 properties:
                   id:
                     type: string
+                  isEnabled:
+                    description: Whether the configuration recorder should be enabled
+                      or disabled.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/configservice.aws.upbound.io_configrules.yaml b/package/crds/configservice.aws.upbound.io_configrules.yaml
index e7dd9b425b..b070c0d69e 100644
--- a/package/crds/configservice.aws.upbound.io_configrules.yaml
+++ b/package/crds/configservice.aws.upbound.io_configrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -273,8 +277,22 @@ spec:
                     type: object
                 required:
                 - region
-                - source
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -446,6 +464,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: source is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)
           status:
             description: ConfigRuleStatus defines the observed state of ConfigRule.
             properties:
@@ -454,11 +475,131 @@ spec:
                   arn:
                     description: The ARN of the config rule
                     type: string
+                  description:
+                    description: Description of the rule
+                    type: string
                   id:
                     type: string
+                  inputParameters:
+                    description: A string in JSON format that is passed to the AWS
+                      Config rule Lambda function.
+                    type: string
+                  maximumExecutionFrequency:
+                    description: The maximum frequency with which AWS Config runs
+                      evaluations for a rule.
+                    type: string
                   ruleId:
                     description: The ID of the config rule
                     type: string
+                  scope:
+                    description: Scope defines which resources can trigger an evaluation
+                      for the rule. See Source Below.
+                    items:
+                      properties:
+                        complianceResourceId:
+                          description: The IDs of the only AWS resource that you want
+                            to trigger an evaluation for the rule. If you specify
+                            a resource ID, you must specify one resource type for
+                            compliance_resource_types.
+                          type: string
+                        complianceResourceTypes:
+                          description: A list of resource types of only those AWS
+                            resources that you want to trigger an evaluation for the
+                            ruleE.g., AWS::EC2::Instance. You can only specify one
+                            type if you also specify a resource ID for compliance_resource_id.
+                            See relevant part of AWS Docs for available types.
+                          items:
+                            type: string
+                          type: array
+                        tagKey:
+                          description: The tag key that is applied to only those AWS
+                            resources that you want you want to trigger an evaluation
+                            for the rule.
+                          type: string
+                        tagValue:
+                          description: The tag value applied to only those AWS resources
+                            that you want to trigger an evaluation for the rule.
+                          type: string
+                      type: object
+                    type: array
+                  source:
+                    description: Source specifies the rule owner, the rule identifier,
+                      and the notifications that cause the function to evaluate your
+                      AWS resources. See Scope Below.
+                    items:
+                      properties:
+                        customPolicyDetails:
+                          description: Provides the runtime system, policy definition,
+                            and whether debug logging is enabled. Required when owner
+                            is set to CUSTOM_POLICY. See Custom Policy Details Below.
+                          items:
+                            properties:
+                              enableDebugLogDelivery:
+                                description: The boolean expression for enabling debug
+                                  logging for your Config Custom Policy rule. The
+                                  default value is false.
+                                type: boolean
+                              policyRuntime:
+                                description: The runtime system for your Config Custom
+                                  Policy rule. Guard is a policy-as-code language
+                                  that allows you to write policies that are enforced
+                                  by Config Custom Policy rules. For more information
+                                  about Guard, see the Guard GitHub Repository.
+                                type: string
+                              policyText:
+                                description: The policy definition containing the
+                                  logic for your Config Custom Policy rule.
+                                type: string
+                            type: object
+                          type: array
+                        owner:
+                          description: Indicates whether AWS or the customer owns
+                            and manages the AWS Config rule. Valid values are AWS,
+                            CUSTOM_LAMBDA or CUSTOM_POLICY. For more information about
+                            managed rules, see the AWS Config Managed Rules documentation.
+                            For more information about custom rules, see the AWS Config
+                            Custom Rules documentation. Custom Lambda Functions require
+                            permissions to allow the AWS Config service to invoke
+                            them, e.g., via the aws_lambda_permission resource.
+                          type: string
+                        sourceDetail:
+                          description: Provides the source and type of the event that
+                            causes AWS Config to evaluate your AWS resources. Only
+                            valid if owner is CUSTOM_LAMBDA or CUSTOM_POLICY. See
+                            Source Detail Below.
+                          items:
+                            properties:
+                              eventSource:
+                                description: The source of the event, such as an AWS
+                                  service, that triggers AWS Config to evaluate your
+                                  AWSresources. This defaults to aws.config and is
+                                  the only valid value.
+                                type: string
+                              maximumExecutionFrequency:
+                                description: The maximum frequency with which AWS
+                                  Config runs evaluations for a rule.
+                                type: string
+                              messageType:
+                                description: 'The type of notification that triggers
+                                  AWS Config to run an evaluation for a rule. You
+                                  canspecify the following notification types:'
+                                type: string
+                            type: object
+                          type: array
+                        sourceIdentifier:
+                          description: For AWS Config managed rules, a predefined
+                            identifier, e.g IAM_PASSWORD_POLICY. For custom Lambda
+                            rules, the identifier is the ARN of the Lambda Function,
+                            such as arn:aws:lambda:us-east-1:123456789012:function:custom_rule_name
+                            or the arn attribute of the aws_lambda_function resource.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/configservice.aws.upbound.io_configurationaggregators.yaml b/package/crds/configservice.aws.upbound.io_configurationaggregators.yaml
index dedf3d0cbb..c80f7cfafa 100644
--- a/package/crds/configservice.aws.upbound.io_configurationaggregators.yaml
+++ b/package/crds/configservice.aws.upbound.io_configurationaggregators.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -197,6 +201,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -374,11 +393,58 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accountAggregationSource:
+                    description: The account(s) to aggregate config data from as documented
+                      below.
+                    items:
+                      properties:
+                        accountIds:
+                          description: List of 12-digit account IDs of the account(s)
+                            being aggregated.
+                          items:
+                            type: string
+                          type: array
+                        allRegions:
+                          description: If true, aggregate existing AWS Config regions
+                            and future regions.
+                          type: boolean
+                        regions:
+                          description: List of source regions being aggregated.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   arn:
                     description: The ARN of the aggregator
                     type: string
                   id:
                     type: string
+                  organizationAggregationSource:
+                    description: The organization to aggregate config data from as
+                      documented below.
+                    items:
+                      properties:
+                        allRegions:
+                          description: If true, aggregate existing AWS Config regions
+                            and future regions.
+                          type: boolean
+                        regions:
+                          description: List of source regions being aggregated.
+                          items:
+                            type: string
+                          type: array
+                        roleArn:
+                          description: ARN of the IAM role used to retrieve AWS Organization
+                            details associated with the aggregator account.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/configservice.aws.upbound.io_configurationrecorders.yaml b/package/crds/configservice.aws.upbound.io_configurationrecorders.yaml
index 5a6d3f1700..aa488f5216 100644
--- a/package/crds/configservice.aws.upbound.io_configurationrecorders.yaml
+++ b/package/crds/configservice.aws.upbound.io_configurationrecorders.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -178,6 +182,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -358,6 +377,40 @@ spec:
                   id:
                     description: Name of the recorder
                     type: string
+                  recordingGroup:
+                    description: Recording group - see below.
+                    items:
+                      properties:
+                        allSupported:
+                          description: Specifies whether AWS Config records configuration
+                            changes for every supported type of regional resource
+                            (which includes any new type that will become supported
+                            in the future). Conflicts with resource_types. Defaults
+                            to true.
+                          type: boolean
+                        includeGlobalResourceTypes:
+                          description: Specifies whether AWS Config includes all supported
+                            types of global resources with the resources that it records.
+                            Requires all_supported = true. Conflicts with resource_types.
+                          type: boolean
+                        resourceTypes:
+                          description: A list that specifies the types of AWS resources
+                            for which AWS Config records configuration changes (for
+                            example, AWS::EC2::Instance or AWS::CloudTrail::Trail).
+                            See relevant part of AWS Docs for available types. In
+                            order to use this attribute, all_supported must be set
+                            to false.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  roleArn:
+                    description: Amazon Resource Name (ARN) of the IAM role. Used
+                      to make read or write requests to the delivery channel and to
+                      describe the AWS resources associated with the account. See
+                      AWS Docs for more details.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/configservice.aws.upbound.io_conformancepacks.yaml b/package/crds/configservice.aws.upbound.io_conformancepacks.yaml
index 4d9fcdf1d7..f690b04c70 100644
--- a/package/crds/configservice.aws.upbound.io_conformancepacks.yaml
+++ b/package/crds/configservice.aws.upbound.io_conformancepacks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -109,6 +113,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -288,8 +307,43 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the conformance pack.
                     type: string
+                  deliveryS3Bucket:
+                    description: Amazon S3 bucket where AWS Config stores conformance
+                      pack templates. Maximum length of 63.
+                    type: string
+                  deliveryS3KeyPrefix:
+                    description: The prefix for the Amazon S3 bucket. Maximum length
+                      of 1024.
+                    type: string
                   id:
                     type: string
+                  inputParameter:
+                    description: Set of configuration blocks describing input parameters
+                      passed to the conformance pack template. Documented below. When
+                      configured, the parameters must also be included in the template_body
+                      or in the template stored in Amazon S3 if using template_s3_uri.
+                    items:
+                      properties:
+                        parameterName:
+                          description: The input key.
+                          type: string
+                        parameterValue:
+                          description: The input value.
+                          type: string
+                      type: object
+                    type: array
+                  templateBody:
+                    description: A string containing full conformance pack template
+                      body. Maximum length of 51200. Drift detection is not possible
+                      with this argument.
+                    type: string
+                  templateS3Uri:
+                    description: Location of file, e.g., s3://bucketname/prefix, containing
+                      the template body. The uri must point to the conformance pack
+                      template that is located in an Amazon S3 bucket in the same
+                      region as the conformance pack. Maximum length of 1024. Drift
+                      detection is not possible with this argument.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/configservice.aws.upbound.io_deliverychannels.yaml b/package/crds/configservice.aws.upbound.io_deliverychannels.yaml
index debff1ba18..c64eeb4fa2 100644
--- a/package/crds/configservice.aws.upbound.io_deliverychannels.yaml
+++ b/package/crds/configservice.aws.upbound.io_deliverychannels.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -172,6 +176,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -351,6 +370,34 @@ spec:
                   id:
                     description: The name of the delivery channel.
                     type: string
+                  s3BucketName:
+                    description: The name of the S3 bucket used to store the configuration
+                      history.
+                    type: string
+                  s3KeyPrefix:
+                    description: The prefix for the specified S3 bucket.
+                    type: string
+                  s3KmsKeyArn:
+                    description: The ARN of the AWS KMS key used to encrypt objects
+                      delivered by AWS Config. Must belong to the same Region as the
+                      destination S3 bucket.
+                    type: string
+                  snapshotDeliveryProperties:
+                    description: Options for how AWS Config delivers configuration
+                      snapshots. See below
+                    items:
+                      properties:
+                        deliveryFrequency:
+                          description: '- The frequency with which AWS Config recurringly
+                            delivers configuration snapshotsE.g., One_Hour or Three_Hours.
+                            Valid values are listed here.'
+                          type: string
+                      type: object
+                    type: array
+                  snsTopicArn:
+                    description: The ARN of the SNS topic that AWS Config delivers
+                      notifications to.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/configservice.aws.upbound.io_remediationconfigurations.yaml b/package/crds/configservice.aws.upbound.io_remediationconfigurations.yaml
index eaca296031..4d43ee743a 100644
--- a/package/crds/configservice.aws.upbound.io_remediationconfigurations.yaml
+++ b/package/crds/configservice.aws.upbound.io_remediationconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -143,9 +147,22 @@ spec:
                     type: string
                 required:
                 - region
-                - targetId
-                - targetType
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -317,6 +334,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: targetId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetId)
+            - message: targetType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetType)
           status:
             description: RemediationConfigurationStatus defines the observed state
               of RemediationConfiguration.
@@ -326,8 +348,78 @@ spec:
                   arn:
                     description: ARN of the Config Remediation Configuration.
                     type: string
+                  automatic:
+                    description: Remediation is triggered automatically if true.
+                    type: boolean
+                  executionControls:
+                    description: Configuration block for execution controls. See below.
+                    items:
+                      properties:
+                        ssmControls:
+                          description: Configuration block for SSM controls. See below.
+                          items:
+                            properties:
+                              concurrentExecutionRatePercentage:
+                                description: Maximum percentage of remediation actions
+                                  allowed to run in parallel on the non-compliant
+                                  resources for that specific rule. The default value
+                                  is 10%.
+                                type: number
+                              errorPercentage:
+                                description: Percentage of errors that are allowed
+                                  before SSM stops running automations on non-compliant
+                                  resources for that specific rule. The default is
+                                  50%.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     type: string
+                  maximumAutomaticAttempts:
+                    description: Maximum number of failed attempts for auto-remediation.
+                      If you do not select a number, the default is 5.
+                    type: number
+                  parameter:
+                    description: Can be specified multiple times for each parameter.
+                      Each parameter block supports arguments below.
+                    items:
+                      properties:
+                        name:
+                          description: Name of the attribute.
+                          type: string
+                        resourceValue:
+                          description: Value is dynamic and changes at run-time.
+                          type: string
+                        staticValue:
+                          description: Value is static and does not change at run-time.
+                          type: string
+                        staticValues:
+                          description: List of static values.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  resourceType:
+                    description: Type of resource.
+                    type: string
+                  retryAttemptSeconds:
+                    description: Maximum time in seconds that AWS Config runs auto-remediation.
+                      If you do not select a number, the default is 60 seconds.
+                    type: number
+                  targetId:
+                    description: Target ID is the name of the public document.
+                    type: string
+                  targetType:
+                    description: Type of the target. Target executes remediation.
+                      For example, SSM document.
+                    type: string
+                  targetVersion:
+                    description: Version of the target. For example, version of the
+                      SSM document
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_botassociations.yaml b/package/crds/connect.aws.upbound.io_botassociations.yaml
index e43ebc4f79..25436ac27c 100644
--- a/package/crds/connect.aws.upbound.io_botassociations.yaml
+++ b/package/crds/connect.aws.upbound.io_botassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -238,9 +242,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - lexBot
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -412,6 +430,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: lexBot is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lexBot)
           status:
             description: BotAssociationStatus defines the observed state of BotAssociation.
             properties:
@@ -421,6 +442,24 @@ spec:
                     description: The Amazon Connect instance ID, Lex (V1) bot name,
                       and Lex (V1) bot region separated by colons (:).
                     type: string
+                  instanceId:
+                    description: The identifier of the Amazon Connect instance. You
+                      can find the instanceId in the ARN of the instance.
+                    type: string
+                  lexBot:
+                    description: Configuration information of an Amazon Lex (V1) bot.
+                      Detailed below.
+                    items:
+                      properties:
+                        lexRegion:
+                          description: The Region that the Amazon Lex (V1) bot was
+                            created in. Defaults to current region.
+                          type: string
+                        name:
+                          description: The name of the Amazon Lex (V1) bot.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_contactflowmodules.yaml b/package/crds/connect.aws.upbound.io_contactflowmodules.yaml
index 8858fa8944..c4819431c6 100644
--- a/package/crds/connect.aws.upbound.io_contactflowmodules.yaml
+++ b/package/crds/connect.aws.upbound.io_contactflowmodules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -174,9 +178,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -348,6 +366,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ContactFlowModuleStatus defines the observed state of ContactFlowModule.
             properties:
@@ -360,11 +381,43 @@ spec:
                   contactFlowModuleId:
                     description: The identifier of the Contact Flow Module.
                     type: string
+                  content:
+                    description: Specifies the content of the Contact Flow Module,
+                      provided as a JSON string, written in Amazon Connect Contact
+                      Flow Language. If defined, the filename argument cannot be used.
+                    type: string
+                  contentHash:
+                    description: Used to trigger updates. Must be set to a base64-encoded
+                      SHA256 hash of the Contact Flow Module source specified with
+                      filename. The usual way to set this is filebase64sha256("contact_flow_module.11.12
+                      and later) or base64sha256(file("contact_flow_module.11.11 and
+                      earlier), where "contact_flow_module.json" is the local filename
+                      of the Contact Flow Module source.
+                    type: string
+                  description:
+                    description: Specifies the description of the Contact Flow Module.
+                    type: string
+                  filename:
+                    description: The path to the Contact Flow Module source within
+                      the local filesystem. Conflicts with content.
+                    type: string
                   id:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the Contact Flow Module separated by a colon
                       (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  name:
+                    description: Specifies the name of the Contact Flow Module.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/connect.aws.upbound.io_contactflows.yaml b/package/crds/connect.aws.upbound.io_contactflows.yaml
index 8614c5b0ef..bf56bc6846 100644
--- a/package/crds/connect.aws.upbound.io_contactflows.yaml
+++ b/package/crds/connect.aws.upbound.io_contactflows.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -180,9 +184,23 @@ spec:
                       OUTBOUND_WHISPER, AGENT_TRANSFER, QUEUE_TRANSFER.'
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -354,6 +372,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ContactFlowStatus defines the observed state of ContactFlow.
             properties:
@@ -365,10 +386,42 @@ spec:
                   contactFlowId:
                     description: The identifier of the Contact Flow.
                     type: string
+                  content:
+                    description: Specifies the content of the Contact Flow, provided
+                      as a JSON string, written in Amazon Connect Contact Flow Language.
+                      If defined, the filename argument cannot be used.
+                    type: string
+                  contentHash:
+                    description: Used to trigger updates. Must be set to a base64-encoded
+                      SHA256 hash of the Contact Flow source specified with filename.
+                      The usual way to set this is filebase64sha256("mycontact_flow.11.12
+                      and later) or base64sha256(file("mycontact_flow.11.11 and earlier),
+                      where "mycontact_flow.json" is the local filename of the Contact
+                      Flow source.
+                    type: string
+                  description:
+                    description: Specifies the description of the Contact Flow.
+                    type: string
+                  filename:
+                    description: The path to the Contact Flow source within the local
+                      filesystem. Conflicts with content.
+                    type: string
                   id:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the Contact Flow separated by a colon (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  name:
+                    description: Specifies the name of the Contact Flow.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -376,6 +429,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: 'Specifies the type of the Contact Flow. Defaults
+                      to CONTACT_FLOW. Allowed Values are: CONTACT_FLOW, CUSTOMER_QUEUE,
+                      CUSTOMER_HOLD, CUSTOMER_WHISPER, AGENT_HOLD, AGENT_WHISPER,
+                      OUTBOUND_WHISPER, AGENT_TRANSFER, QUEUE_TRANSFER.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_hoursofoperations.yaml b/package/crds/connect.aws.upbound.io_hoursofoperations.yaml
index 3ee9365060..3134d7f4fe 100644
--- a/package/crds/connect.aws.upbound.io_hoursofoperations.yaml
+++ b/package/crds/connect.aws.upbound.io_hoursofoperations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -209,11 +213,23 @@ spec:
                     description: Specifies the time zone of the Hours of Operation.
                     type: string
                 required:
-                - config
-                - name
                 - region
-                - timeZone
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -385,6 +401,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: config is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.config)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: timeZone is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.timeZone)
           status:
             description: HoursOfOperationStatus defines the observed state of HoursOfOperation.
             properties:
@@ -393,6 +416,48 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Hours of Operation.
                     type: string
+                  config:
+                    description: 'One or more config blocks which define the configuration
+                      information for the hours of operation: day, start time, and
+                      end time . Config blocks are documented below.'
+                    items:
+                      properties:
+                        day:
+                          description: Specifies the day that the hours of operation
+                            applies to.
+                          type: string
+                        endTime:
+                          description: A end time block specifies the time that your
+                            contact center closes. The end_time is documented below.
+                          items:
+                            properties:
+                              hours:
+                                description: Specifies the hour of closing.
+                                type: number
+                              minutes:
+                                description: Specifies the minute of closing.
+                                type: number
+                            type: object
+                          type: array
+                        startTime:
+                          description: A start time block specifies the time that
+                            your contact center opens. The start_time is documented
+                            below.
+                          items:
+                            properties:
+                              hours:
+                                description: Specifies the hour of opening.
+                                type: number
+                              minutes:
+                                description: Specifies the minute of opening.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  description:
+                    description: Specifies the description of the Hours of Operation.
+                    type: string
                   hoursOfOperationArn:
                     description: (Deprecated) The Amazon Resource Name (ARN) of the
                       Hours of Operation.
@@ -405,6 +470,18 @@ spec:
                       and identifier of the Hours of Operation separated by a colon
                       (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  name:
+                    description: Specifies the name of the Hours of Operation.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -412,6 +489,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  timeZone:
+                    description: Specifies the time zone of the Hours of Operation.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_instances.yaml b/package/crds/connect.aws.upbound.io_instances.yaml
index 01f17cb5e5..8e61db9328 100644
--- a/package/crds/connect.aws.upbound.io_instances.yaml
+++ b/package/crds/connect.aws.upbound.io_instances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,11 +185,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - identityManagementType
-                - inboundCallsEnabled
-                - outboundCallsEnabled
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -357,6 +373,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: identityManagementType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identityManagementType)
+            - message: inboundCallsEnabled is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inboundCallsEnabled)
+            - message: outboundCallsEnabled is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outboundCallsEnabled)
           status:
             description: InstanceStatus defines the observed state of Instance.
             properties:
@@ -365,12 +388,51 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the instance.
                     type: string
+                  autoResolveBestVoicesEnabled:
+                    description: Specifies whether auto resolve best voices is enabled.
+                      Defaults to true.
+                    type: boolean
+                  contactFlowLogsEnabled:
+                    description: Specifies whether contact flow logs are enabled.
+                      Defaults to false.
+                    type: boolean
+                  contactLensEnabled:
+                    description: Specifies whether contact lens is enabled. Defaults
+                      to true.
+                    type: boolean
                   createdTime:
                     description: When the instance was created.
                     type: string
+                  directoryId:
+                    description: The identifier for the directory if identity_management_type
+                      is EXISTING_DIRECTORY.
+                    type: string
+                  earlyMediaEnabled:
+                    description: Specifies whether early media for outbound calls
+                      is enabled . Defaults to true if outbound calls is enabled.
+                    type: boolean
                   id:
                     description: The identifier of the instance.
                     type: string
+                  identityManagementType:
+                    description: 'Specifies the identity management type attached
+                      to the instance. Allowed Values are: SAML, CONNECT_MANAGED,
+                      EXISTING_DIRECTORY.'
+                    type: string
+                  inboundCallsEnabled:
+                    description: Specifies whether inbound calls are enabled.
+                    type: boolean
+                  instanceAlias:
+                    description: Specifies the name of the instance. Required if directory_id
+                      not specified.
+                    type: string
+                  multiPartyConferenceEnabled:
+                    description: Specifies whether multi-party calls/conference is
+                      enabled. Defaults to false.
+                    type: boolean
+                  outboundCallsEnabled:
+                    description: Specifies whether outbound calls are enabled.
+                    type: boolean
                   serviceRole:
                     description: The service role of the instance.
                     type: string
diff --git a/package/crds/connect.aws.upbound.io_instancestorageconfigs.yaml b/package/crds/connect.aws.upbound.io_instancestorageconfigs.yaml
index 2c72ad4d56..a62cab73df 100644
--- a/package/crds/connect.aws.upbound.io_instancestorageconfigs.yaml
+++ b/package/crds/connect.aws.upbound.io_instancestorageconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -672,9 +676,22 @@ spec:
                     type: array
                 required:
                 - region
-                - resourceType
-                - storageConfig
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -846,6 +863,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: resourceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceType)
+            - message: storageConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageConfig)
           status:
             description: InstanceStorageConfigStatus defines the observed state of
               InstanceStorageConfig.
@@ -861,6 +883,115 @@ spec:
                     description: The identifier of the hosting Amazon Connect Instance,
                       association_id, and resource_type separated by a colon (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  resourceType:
+                    description: 'A valid resource type. Valid Values: CHAT_TRANSCRIPTS
+                      | CALL_RECORDINGS | SCHEDULED_REPORTS | MEDIA_STREAMS | CONTACT_TRACE_RECORDS
+                      | AGENT_EVENTS | REAL_TIME_CONTACT_ANALYSIS_SEGMENTS.'
+                    type: string
+                  storageConfig:
+                    description: Specifies the storage configuration options for the
+                      Connect Instance. Documented below.
+                    items:
+                      properties:
+                        kinesisFirehoseConfig:
+                          description: A block that specifies the configuration of
+                            the Kinesis Firehose delivery stream. Documented below.
+                          items:
+                            properties:
+                              firehoseArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  delivery stream.
+                                type: string
+                            type: object
+                          type: array
+                        kinesisStreamConfig:
+                          description: A block that specifies the configuration of
+                            the Kinesis data stream. Documented below.
+                          items:
+                            properties:
+                              streamArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  data stream.
+                                type: string
+                            type: object
+                          type: array
+                        kinesisVideoStreamConfig:
+                          description: A block that specifies the configuration of
+                            the Kinesis video stream. Documented below.
+                          items:
+                            properties:
+                              encryptionConfig:
+                                description: The encryption configuration. Documented
+                                  below.
+                                items:
+                                  properties:
+                                    encryptionType:
+                                      description: 'The type of encryption. Valid
+                                        Values: KMS.'
+                                      type: string
+                                    keyId:
+                                      description: The full ARN of the encryption
+                                        key. Be sure to provide the full ARN of the
+                                        encryption key, not just the ID.
+                                      type: string
+                                  type: object
+                                type: array
+                              prefix:
+                                description: The prefix of the video stream. Minimum
+                                  length of 1. Maximum length of 128. When read from
+                                  the state, the value returned is <prefix>-connect-<connect_instance_alias>-contact-
+                                  since the API appends additional details to the
+                                  prefix.
+                                type: string
+                              retentionPeriodHours:
+                                description: The number of hours data is retained
+                                  in the stream. Kinesis Video Streams retains the
+                                  data in a data store that is associated with the
+                                  stream. Minimum value of 0. Maximum value of 87600.
+                                  A value of 0, indicates that the stream does not
+                                  persist data.
+                                type: number
+                            type: object
+                          type: array
+                        s3Config:
+                          description: A block that specifies the configuration of
+                            S3 Bucket. Documented below.
+                          items:
+                            properties:
+                              bucketName:
+                                description: The S3 bucket name.
+                                type: string
+                              bucketPrefix:
+                                description: The S3 bucket prefix.
+                                type: string
+                              encryptionConfig:
+                                description: The encryption configuration. Documented
+                                  below.
+                                items:
+                                  properties:
+                                    encryptionType:
+                                      description: 'The type of encryption. Valid
+                                        Values: KMS.'
+                                      type: string
+                                    keyId:
+                                      description: The full ARN of the encryption
+                                        key. Be sure to provide the full ARN of the
+                                        encryption key, not just the ID.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        storageType:
+                          description: 'A valid storage type. Valid Values: S3 | KINESIS_VIDEO_STREAM
+                            | KINESIS_STREAM | KINESIS_FIREHOSE.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_lambdafunctionassociations.yaml b/package/crds/connect.aws.upbound.io_lambdafunctionassociations.yaml
index 6f1e7dee96..deb79b65fa 100644
--- a/package/crds/connect.aws.upbound.io_lambdafunctionassociations.yaml
+++ b/package/crds/connect.aws.upbound.io_lambdafunctionassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -226,6 +230,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -403,10 +422,18 @@ spec:
             properties:
               atProvider:
                 properties:
+                  functionArn:
+                    description: Amazon Resource Name (ARN) of the Lambda Function,
+                      omitting any version or alias qualifier.
+                    type: string
                   id:
                     description: The Amazon Connect instance ID and Lambda Function
                       ARN separated by a comma (,).
                     type: string
+                  instanceId:
+                    description: The identifier of the Amazon Connect instance. You
+                      can find the instanceId in the ARN of the instance.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_phonenumbers.yaml b/package/crds/connect.aws.upbound.io_phonenumbers.yaml
index 081af7a71a..ed3081f588 100644
--- a/package/crds/connect.aws.upbound.io_phonenumbers.yaml
+++ b/package/crds/connect.aws.upbound.io_phonenumbers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -168,10 +172,23 @@ spec:
                       | DID.'
                     type: string
                 required:
-                - countryCode
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,6 +360,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: countryCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.countryCode)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: PhoneNumberStatus defines the observed state of PhoneNumber.
             properties:
@@ -351,6 +373,13 @@ spec:
                   arn:
                     description: The ARN of the phone number.
                     type: string
+                  countryCode:
+                    description: The ISO country code. For a list of Valid values,
+                      refer to PhoneNumberCountryCode.
+                    type: string
+                  description:
+                    description: The description of the phone number.
+                    type: string
                   id:
                     description: The identifier of the phone number.
                     type: string
@@ -358,6 +387,12 @@ spec:
                     description: The phone number. Phone numbers are formatted [+]
                       [country code] [subscriber number including area code].
                     type: string
+                  prefix:
+                    description: The prefix of the phone number that is used to filter
+                      available phone numbers. If provided, it must contain + as part
+                      of the country code. Do not specify this argument when importing
+                      the resource.
+                    type: string
                   status:
                     description: A block that specifies status of the phone number.
                       Documented below.
@@ -372,6 +407,11 @@ spec:
                           type: string
                       type: object
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -379,6 +419,14 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetArn:
+                    description: The Amazon Resource Name (ARN) for Amazon Connect
+                      instances that phone numbers are claimed to.
+                    type: string
+                  type:
+                    description: 'The type of phone number. Valid Values: TOLL_FREE
+                      | DID.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_queues.yaml b/package/crds/connect.aws.upbound.io_queues.yaml
index 208afdbd0d..02825241a2 100644
--- a/package/crds/connect.aws.upbound.io_queues.yaml
+++ b/package/crds/connect.aws.upbound.io_queues.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -268,9 +272,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -442,6 +460,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: QueueStatus defines the observed state of Queue.
             properties:
@@ -450,17 +471,68 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Queue.
                     type: string
+                  description:
+                    description: Specifies the description of the Queue.
+                    type: string
+                  hoursOfOperationId:
+                    description: Specifies the identifier of the Hours of Operation.
+                    type: string
                   id:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the Queue separated by a colon (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  maxContacts:
+                    description: Specifies the maximum number of contacts that can
+                      be in the queue before it is considered full. Minimum value
+                      of 0.
+                    type: number
+                  name:
+                    description: Specifies the name of the Queue.
+                    type: string
+                  outboundCallerConfig:
+                    description: A block that defines the outbound caller ID name,
+                      number, and outbound whisper flow. The Outbound Caller Config
+                      block is documented below.
+                    items:
+                      properties:
+                        outboundCallerIdName:
+                          description: Specifies the caller ID name.
+                          type: string
+                        outboundCallerIdNumberId:
+                          description: Specifies the caller ID number.
+                          type: string
+                        outboundFlowId:
+                          description: Specifies outbound whisper flow to be used
+                            during an outbound call.
+                          type: string
+                      type: object
+                    type: array
                   queueId:
                     description: The identifier for the Queue.
                     type: string
+                  quickConnectIds:
+                    description: Specifies a list of quick connects ids that determine
+                      the quick connects available to agents who are working the queue.
+                    items:
+                      type: string
+                    type: array
                   quickConnectIdsAssociated:
                     items:
                       type: string
                     type: array
+                  status:
+                    description: Specifies the description of the Queue. Valid values
+                      are ENABLED, DISABLED.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/connect.aws.upbound.io_quickconnects.yaml b/package/crds/connect.aws.upbound.io_quickconnects.yaml
index 8cc0a28c25..5de16ca71e 100644
--- a/package/crds/connect.aws.upbound.io_quickconnects.yaml
+++ b/package/crds/connect.aws.upbound.io_quickconnects.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -222,10 +226,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
-                - quickConnectConfig
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -397,6 +414,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: quickConnectConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.quickConnectConfig)
           status:
             description: QuickConnectStatus defines the observed state of QuickConnect.
             properties:
@@ -405,13 +427,83 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Quick Connect.
                     type: string
+                  description:
+                    description: Specifies the description of the Quick Connect.
+                    type: string
                   id:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the Quick Connect separated by a colon (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  name:
+                    description: Specifies the name of the Quick Connect.
+                    type: string
+                  quickConnectConfig:
+                    description: 'A block that defines the configuration information
+                      for the Quick Connect: quick_connect_type and one of phone_config,
+                      queue_config, user_config . The Quick Connect Config block is
+                      documented below.'
+                    items:
+                      properties:
+                        phoneConfig:
+                          description: Specifies the phone configuration of the Quick
+                            Connect. This is required only if quick_connect_type is
+                            PHONE_NUMBER. The phone_config block is documented below.
+                          items:
+                            properties:
+                              phoneNumber:
+                                description: Specifies the phone number in in E.164
+                                  format.
+                                type: string
+                            type: object
+                          type: array
+                        queueConfig:
+                          description: Specifies the queue configuration of the Quick
+                            Connect. This is required only if quick_connect_type is
+                            QUEUE. The queue_config block is documented below.
+                          items:
+                            properties:
+                              contactFlowId:
+                                description: Specifies the identifier of the contact
+                                  flow.
+                                type: string
+                              queueId:
+                                description: Specifies the identifier for the queue.
+                                type: string
+                            type: object
+                          type: array
+                        quickConnectType:
+                          description: Specifies the configuration type of the quick
+                            connect. valid values are PHONE_NUMBER, QUEUE, USER.
+                          type: string
+                        userConfig:
+                          description: Specifies the user configuration of the Quick
+                            Connect. This is required only if quick_connect_type is
+                            USER. The user_config block is documented below.
+                          items:
+                            properties:
+                              contactFlowId:
+                                description: Specifies the identifier of the contact
+                                  flow.
+                                type: string
+                              userId:
+                                description: Specifies the identifier for the user.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   quickConnectId:
                     description: The identifier for the Quick Connect.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/connect.aws.upbound.io_routingprofiles.yaml b/package/crds/connect.aws.upbound.io_routingprofiles.yaml
index 7bbee83012..57e99acf49 100644
--- a/package/crds/connect.aws.upbound.io_routingprofiles.yaml
+++ b/package/crds/connect.aws.upbound.io_routingprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -289,11 +293,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - description
-                - mediaConcurrencies
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -465,6 +481,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: mediaConcurrencies is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mediaConcurrencies)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RoutingProfileStatus defines the observed state of RoutingProfile.
             properties:
@@ -473,10 +496,45 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Routing Profile.
                     type: string
+                  defaultOutboundQueueId:
+                    description: Specifies the default outbound queue for the Routing
+                      Profile.
+                    type: string
+                  description:
+                    description: Specifies the description of the Routing Profile.
+                    type: string
                   id:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the Routing Profile separated by a colon (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  mediaConcurrencies:
+                    description: One or more media_concurrencies blocks that specify
+                      the channels that agents can handle in the Contact Control Panel
+                      (CCP) for this Routing Profile. The media_concurrencies block
+                      is documented below.
+                    items:
+                      properties:
+                        channel:
+                          description: Specifies the channels that agents can handle
+                            in the Contact Control Panel (CCP). Valid values are VOICE,
+                            CHAT, TASK.
+                          type: string
+                        concurrency:
+                          description: 'Specifies the number of contacts an agent
+                            can have on a channel simultaneously. Valid Range for
+                            VOICE: Minimum value of 1. Maximum value of 1. Valid Range
+                            for CHAT: Minimum value of 1. Maximum value of 10. Valid
+                            Range for TASK: Minimum value of 1. Maximum value of 10.'
+                          type: number
+                      type: object
+                    type: array
+                  name:
+                    description: Specifies the name of the Routing Profile.
+                    type: string
                   queueConfigs:
                     description: One or more queue_configs blocks that specify the
                       inbound queues associated with the routing profile. If no queue
@@ -484,9 +542,26 @@ spec:
                       block is documented below.
                     items:
                       properties:
+                        channel:
+                          description: Specifies the channels agents can handle in
+                            the Contact Control Panel (CCP) for this routing profile.
+                            Valid values are VOICE, CHAT, TASK.
+                          type: string
+                        delay:
+                          description: Specifies the delay, in seconds, that a contact
+                            should be in the queue before they are routed to an available
+                            agent
+                          type: number
+                        priority:
+                          description: Specifies the order in which contacts are to
+                            be handled for the queue.
+                          type: number
                         queueArn:
                           description: ARN for the queue.
                           type: string
+                        queueId:
+                          description: Specifies the identifier for the queue.
+                          type: string
                         queueName:
                           description: Name for the queue.
                           type: string
@@ -523,6 +598,11 @@ spec:
                   routingProfileId:
                     description: The identifier for the Routing Profile.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/connect.aws.upbound.io_securityprofiles.yaml b/package/crds/connect.aws.upbound.io_securityprofiles.yaml
index 817e02751a..94b9bd4ff7 100644
--- a/package/crds/connect.aws.upbound.io_securityprofiles.yaml
+++ b/package/crds/connect.aws.upbound.io_securityprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -163,9 +167,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,6 +355,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: SecurityProfileStatus defines the observed state of SecurityProfile.
             properties:
@@ -345,18 +366,39 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Security Profile.
                     type: string
+                  description:
+                    description: Specifies the description of the Security Profile.
+                    type: string
                   id:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the Security Profile separated by a colon
                       (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  name:
+                    description: Specifies the name of the Security Profile.
+                    type: string
                   organizationResourceId:
                     description: The organization resource identifier for the security
                       profile.
                     type: string
+                  permissions:
+                    description: Specifies a list of permissions assigned to the security
+                      profile.
+                    items:
+                      type: string
+                    type: array
                   securityProfileId:
                     description: The identifier for the Security Profile.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/connect.aws.upbound.io_userhierarchystructures.yaml b/package/crds/connect.aws.upbound.io_userhierarchystructures.yaml
index 968beeaada..7c7adc4d54 100644
--- a/package/crds/connect.aws.upbound.io_userhierarchystructures.yaml
+++ b/package/crds/connect.aws.upbound.io_userhierarchystructures.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -218,9 +222,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - hierarchyStructure
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -392,6 +410,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: hierarchyStructure is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hierarchyStructure)
           status:
             description: UserHierarchyStructureStatus defines the observed state of
               UserHierarchyStructure.
@@ -416,6 +437,10 @@ spec:
                                 description: The identifier of the hosting Amazon
                                   Connect Instance.
                                 type: string
+                              name:
+                                description: The name of the user hierarchy level.
+                                  Must not be more than 50 characters.
+                                type: string
                             type: object
                           type: array
                         levelFour:
@@ -431,6 +456,10 @@ spec:
                                 description: The identifier of the hosting Amazon
                                   Connect Instance.
                                 type: string
+                              name:
+                                description: The name of the user hierarchy level.
+                                  Must not be more than 50 characters.
+                                type: string
                             type: object
                           type: array
                         levelOne:
@@ -446,6 +475,10 @@ spec:
                                 description: The identifier of the hosting Amazon
                                   Connect Instance.
                                 type: string
+                              name:
+                                description: The name of the user hierarchy level.
+                                  Must not be more than 50 characters.
+                                type: string
                             type: object
                           type: array
                         levelThree:
@@ -461,6 +494,10 @@ spec:
                                 description: The identifier of the hosting Amazon
                                   Connect Instance.
                                 type: string
+                              name:
+                                description: The name of the user hierarchy level.
+                                  Must not be more than 50 characters.
+                                type: string
                             type: object
                           type: array
                         levelTwo:
@@ -476,6 +513,10 @@ spec:
                                 description: The identifier of the hosting Amazon
                                   Connect Instance.
                                 type: string
+                              name:
+                                description: The name of the user hierarchy level.
+                                  Must not be more than 50 characters.
+                                type: string
                             type: object
                           type: array
                       type: object
@@ -483,6 +524,10 @@ spec:
                   id:
                     description: The identifier of the hosting Amazon Connect Instance.
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/connect.aws.upbound.io_users.yaml b/package/crds/connect.aws.upbound.io_users.yaml
index 61a4554bb7..809c8ca6cf 100644
--- a/package/crds/connect.aws.upbound.io_users.yaml
+++ b/package/crds/connect.aws.upbound.io_users.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -335,11 +339,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
-                - phoneConfig
                 - region
-                - securityProfileIds
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -511,6 +527,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: phoneConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.phoneConfig)
+            - message: securityProfileIds is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.securityProfileIds)
           status:
             description: UserStatus defines the observed state of User.
             properties:
@@ -519,10 +542,107 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the user.
                     type: string
+                  directoryUserId:
+                    description: The identifier of the user account in the directory
+                      used for identity management. If Amazon Connect cannot access
+                      the directory, you can specify this identifier to authenticate
+                      users. If you include the identifier, we assume that Amazon
+                      Connect cannot access the directory. Otherwise, the identity
+                      information is used to authenticate users from your directory.
+                      This parameter is required if you are using an existing directory
+                      for identity management in Amazon Connect when Amazon Connect
+                      cannot access your directory to authenticate users. If you are
+                      using SAML for identity management and include this parameter,
+                      an error is returned.
+                    type: string
+                  hierarchyGroupId:
+                    description: The identifier of the hierarchy group for the user.
+                    type: string
                   id:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the user separated by a colon (:).
                     type: string
+                  identityInfo:
+                    description: A block that contains information about the identity
+                      of the user. Documented below.
+                    items:
+                      properties:
+                        email:
+                          description: The email address. If you are using SAML for
+                            identity management and include this parameter, an error
+                            is returned. Note that updates to the email is supported.
+                            From the UpdateUserIdentityInfo API documentation it is
+                            strongly recommended to limit who has the ability to invoke
+                            UpdateUserIdentityInfo. Someone with that ability can
+                            change the login credentials of other users by changing
+                            their email address. This poses a security risk to your
+                            organization. They can change the email address of a user
+                            to the attacker's email address, and then reset the password
+                            through email. For more information, see Best Practices
+                            for Security Profiles in the Amazon Connect Administrator
+                            Guide.
+                          type: string
+                        firstName:
+                          description: The first name. This is required if you are
+                            using Amazon Connect or SAML for identity management.
+                            Minimum length of 1. Maximum length of 100.
+                          type: string
+                        lastName:
+                          description: The last name. This is required if you are
+                            using Amazon Connect or SAML for identity management.
+                            Minimum length of 1. Maximum length of 100.
+                          type: string
+                      type: object
+                    type: array
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  name:
+                    description: The user name for the account. For instances not
+                      using SAML for identity management, the user name can include
+                      up to 20 characters. If you are using SAML for identity management,
+                      the user name can include up to 64 characters from [a-zA-Z0-9_-.\@]+.
+                    type: string
+                  phoneConfig:
+                    description: A block that contains information about the phone
+                      settings for the user. Documented below.
+                    items:
+                      properties:
+                        afterContactWorkTimeLimit:
+                          description: The After Call Work (ACW) timeout setting,
+                            in seconds. Minimum value of 0.
+                          type: number
+                        autoAccept:
+                          description: When Auto-Accept Call is enabled for an available
+                            agent, the agent connects to contacts automatically.
+                          type: boolean
+                        deskPhoneNumber:
+                          description: The phone number for the user's desk phone.
+                            Required if phone_type is set as DESK_PHONE.
+                          type: string
+                        phoneType:
+                          description: The phone type. Valid values are DESK_PHONE
+                            and SOFT_PHONE.
+                          type: string
+                      type: object
+                    type: array
+                  routingProfileId:
+                    description: The identifier of the routing profile for the user.
+                    type: string
+                  securityProfileIds:
+                    description: A list of identifiers for the security profiles for
+                      the user. Specify a minimum of 1 and maximum of 10 security
+                      profile ids. For more information, see Best Practices for Security
+                      Profiles in the Amazon Connect Administrator Guide.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/connect.aws.upbound.io_vocabularies.yaml b/package/crds/connect.aws.upbound.io_vocabularies.yaml
index 1baac62f99..8e820755af 100644
--- a/package/crds/connect.aws.upbound.io_vocabularies.yaml
+++ b/package/crds/connect.aws.upbound.io_vocabularies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -171,11 +175,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - content
-                - languageCode
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -347,6 +363,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: content is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)
+            - message: languageCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: VocabularyStatus defines the observed state of Vocabulary.
             properties:
@@ -355,6 +378,14 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the vocabulary.
                     type: string
+                  content:
+                    description: The content of the custom vocabulary in plain-text
+                      format with a table of values. Each row in the table represents
+                      a word or a phrase, described with Phrase, IPA, SoundsLike,
+                      and DisplayAs fields. Separate the fields with TAB characters.
+                      For more information, see Create a custom vocabulary using a
+                      table. Minimum length of 1. Maximum length of 60000.
+                    type: string
                   failureReason:
                     description: The reason why the custom vocabulary was not created.
                     type: string
@@ -362,14 +393,35 @@ spec:
                     description: The identifier of the hosting Amazon Connect Instance
                       and identifier of the vocabulary separated by a colon (:).
                     type: string
+                  instanceId:
+                    description: Specifies the identifier of the hosting Amazon Connect
+                      Instance.
+                    type: string
+                  languageCode:
+                    description: The language code of the vocabulary entries. For
+                      a list of languages and their corresponding language codes,
+                      see What is Amazon Transcribe?. Valid Values are ar-AE, de-CH,
+                      de-DE, en-AB, en-AU, en-GB, en-IE, en-IN, en-US, en-WL, es-ES,
+                      es-US, fr-CA, fr-FR, hi-IN, it-IT, ja-JP, ko-KR, pt-BR, pt-PT,
+                      zh-CN.
+                    type: string
                   lastModifiedTime:
                     description: The timestamp when the custom vocabulary was last
                       modified.
                     type: string
+                  name:
+                    description: A unique name of the custom vocabulary. Must not
+                      be more than 140 characters.
+                    type: string
                   state:
                     description: The current state of the custom vocabulary. Valid
                       values are CREATION_IN_PROGRESS, ACTIVE, CREATION_FAILED, DELETE_IN_PROGRESS.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/cur.aws.upbound.io_reportdefinitions.yaml b/package/crds/cur.aws.upbound.io_reportdefinitions.yaml
index 51ff2dc6dc..d856673839 100644
--- a/package/crds/cur.aws.upbound.io_reportdefinitions.yaml
+++ b/package/crds/cur.aws.upbound.io_reportdefinitions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -188,13 +192,23 @@ spec:
                       and displayed.  Valid values are: DAILY, HOURLY, MONTHLY.'
                     type: string
                 required:
-                - additionalSchemaElements
-                - compression
-                - format
                 - region
-                - s3Region
-                - timeUnit
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -366,17 +380,74 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: additionalSchemaElements is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.additionalSchemaElements)
+            - message: compression is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.compression)
+            - message: format is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.format)
+            - message: s3Region is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.s3Region)
+            - message: timeUnit is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.timeUnit)
           status:
             description: ReportDefinitionStatus defines the observed state of ReportDefinition.
             properties:
               atProvider:
                 properties:
+                  additionalArtifacts:
+                    description: 'A list of additional artifacts. Valid values are:
+                      REDSHIFT, QUICKSIGHT, ATHENA. When ATHENA exists within additional_artifacts,
+                      no other artifact type can be declared and report_versioning
+                      must be OVERWRITE_REPORT.'
+                    items:
+                      type: string
+                    type: array
+                  additionalSchemaElements:
+                    description: 'A list of schema elements. Valid values are: RESOURCES.'
+                    items:
+                      type: string
+                    type: array
                   arn:
                     description: The Amazon Resource Name (ARN) specifying the cur
                       report.
                     type: string
+                  compression:
+                    description: 'Compression format for report. Valid values are:
+                      GZIP, ZIP, Parquet. If Parquet is used, then format must also
+                      be Parquet.'
+                    type: string
+                  format:
+                    description: 'Format for report. Valid values are: textORcsv,
+                      Parquet. If Parquet is used, then Compression must also be Parquet.'
+                    type: string
                   id:
                     type: string
+                  refreshClosedReports:
+                    description: Set to true to update your reports after they have
+                      been finalized if AWS detects charges related to previous months.
+                    type: boolean
+                  reportVersioning:
+                    description: 'Overwrite the previous version of each report or
+                      to deliver the report in addition to the previous versions.
+                      Valid values are: CREATE_NEW_REPORT and OVERWRITE_REPORT.'
+                    type: string
+                  s3Bucket:
+                    description: Name of the existing S3 bucket to hold generated
+                      reports.
+                    type: string
+                  s3Prefix:
+                    description: Report path prefix. Limited to 256 characters.
+                    type: string
+                  s3Region:
+                    description: Region of the existing S3 bucket to hold generated
+                      reports.
+                    type: string
+                  timeUnit:
+                    description: 'The frequency on which report data are measured
+                      and displayed.  Valid values are: DAILY, HOURLY, MONTHLY.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dataexchange.aws.upbound.io_datasets.yaml b/package/crds/dataexchange.aws.upbound.io_datasets.yaml
index a26dcaf26b..00788f158e 100644
--- a/package/crds/dataexchange.aws.upbound.io_datasets.yaml
+++ b/package/crds/dataexchange.aws.upbound.io_datasets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -84,11 +88,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - assetType
-                - description
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -260,6 +276,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: assetType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.assetType)
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: DataSetStatus defines the observed state of DataSet.
             properties:
@@ -268,9 +291,24 @@ spec:
                   arn:
                     description: The Amazon Resource Name of this data set.
                     type: string
+                  assetType:
+                    description: 'The type of asset that is added to a data set. Valid
+                      values are: S3_SNAPSHOT, REDSHIFT_DATA_SHARE, and API_GATEWAY_API.'
+                    type: string
+                  description:
+                    description: A description for the data set.
+                    type: string
                   id:
                     description: The Id of the data set.
                     type: string
+                  name:
+                    description: The name of the data set.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dataexchange.aws.upbound.io_revisions.yaml b/package/crds/dataexchange.aws.upbound.io_revisions.yaml
index fb21b12d1e..1be8e8bbd5 100644
--- a/package/crds/dataexchange.aws.upbound.io_revisions.yaml
+++ b/package/crds/dataexchange.aws.upbound.io_revisions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,6 +161,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -336,12 +355,23 @@ spec:
                   arn:
                     description: The Amazon Resource Name of this data set.
                     type: string
+                  comment:
+                    description: An optional comment about the revision.
+                    type: string
+                  dataSetId:
+                    description: The dataset id.
+                    type: string
                   id:
                     description: The Id of the data set.
                     type: string
                   revisionId:
                     description: The Id of the revision.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/datapipeline.aws.upbound.io_pipelines.yaml b/package/crds/datapipeline.aws.upbound.io_pipelines.yaml
index 35e9413bda..e32f862483 100644
--- a/package/crds/datapipeline.aws.upbound.io_pipelines.yaml
+++ b/package/crds/datapipeline.aws.upbound.io_pipelines.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,9 +84,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -254,14 +272,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: PipelineStatus defines the observed state of Pipeline.
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: The description of Pipeline.
+                    type: string
                   id:
                     description: The identifier of the client certificate.
                     type: string
+                  name:
+                    description: The name of Pipeline.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dax.aws.upbound.io_clusters.yaml b/package/crds/dax.aws.upbound.io_clusters.yaml
index c616e7f7cc..f0906abe42 100644
--- a/package/crds/dax.aws.upbound.io_clusters.yaml
+++ b/package/crds/dax.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -280,10 +284,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - nodeType
                 - region
-                - replicationFactor
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -455,6 +472,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: nodeType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.nodeType)
+            - message: replicationFactor is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicationFactor)
           status:
             description: ClusterStatus defines the observed state of Cluster.
             properties:
@@ -463,16 +485,43 @@ spec:
                   arn:
                     description: The ARN of the DAX cluster
                     type: string
+                  availabilityZones:
+                    description: List of Availability Zones in which the nodes will
+                      be created
+                    items:
+                      type: string
+                    type: array
                   clusterAddress:
                     description: The DNS name of the DAX cluster without the port
                       appended
                     type: string
+                  clusterEndpointEncryptionType:
+                    description: '–  The type of encryption the cluster''s endpoint
+                      should support. Valid values are: NONE and TLS. Default value
+                      is NONE.'
+                    type: string
                   configurationEndpoint:
                     description: The configuration endpoint for this DAX cluster,
                       consisting of a DNS name and a port number
                     type: string
+                  description:
+                    description: –  Description for the cluster
+                    type: string
+                  iamRoleArn:
+                    description: A valid Amazon Resource Name (ARN) that identifies
+                      an IAM role. At runtime, DAX will assume this role and use the
+                      role's permissions to access DynamoDB on your behalf
+                    type: string
                   id:
                     type: string
+                  maintenanceWindow:
+                    description: 'ddd:hh24:mi (24H Clock UTC). The minimum maintenance
+                      window is a 60 minute period. Example: sun:05:00-sun:09:00'
+                    type: string
+                  nodeType:
+                    description: –  The compute and memory capacity of the nodes.
+                      See Nodes for supported node types
+                    type: string
                   nodes:
                     description: List of node objects including id, address, port
                       and availability_zone. Referenceable e.g., as ${aws_dax_cluster.test.nodes.0.address}
@@ -489,9 +538,43 @@ spec:
                           type: number
                       type: object
                     type: array
+                  notificationTopicArn:
+                    description: east-1:012345678999:my_sns_topic
+                    type: string
+                  parameterGroupName:
+                    description: –  Name of the parameter group to associate with
+                      this DAX cluster
+                    type: string
                   port:
                     description: The port used by the configuration endpoint
                     type: number
+                  replicationFactor:
+                    description: node cluster, without any read replicas
+                    type: number
+                  securityGroupIds:
+                    description: –  One or more VPC security groups associated with
+                      the cluster
+                    items:
+                      type: string
+                    type: array
+                  serverSideEncryption:
+                    description: Encrypt at rest options
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether to enable encryption at rest. Defaults
+                            to false.
+                          type: boolean
+                      type: object
+                    type: array
+                  subnetGroupName:
+                    description: –  Name of the subnet group to be used for the cluster
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dax.aws.upbound.io_parametergroups.yaml b/package/crds/dax.aws.upbound.io_parametergroups.yaml
index 2a2ad1de1a..c603b51d2f 100644
--- a/package/crds/dax.aws.upbound.io_parametergroups.yaml
+++ b/package/crds/dax.aws.upbound.io_parametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -89,6 +93,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -265,9 +284,24 @@ spec:
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: A description of the parameter group.
+                    type: string
                   id:
                     description: The name of the parameter group.
                     type: string
+                  parameters:
+                    description: –  The parameters of the parameter group.
+                    items:
+                      properties:
+                        name:
+                          description: The name of the parameter.
+                          type: string
+                        value:
+                          description: The value for the parameter.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dax.aws.upbound.io_subnetgroups.yaml b/package/crds/dax.aws.upbound.io_subnetgroups.yaml
index 943cc6b757..5b1ece7633 100644
--- a/package/crds/dax.aws.upbound.io_subnetgroups.yaml
+++ b/package/crds/dax.aws.upbound.io_subnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,6 +160,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -332,9 +351,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: A description of the subnet group.
+                    type: string
                   id:
                     description: The name of the subnet group.
                     type: string
+                  subnetIds:
+                    description: –  A list of VPC subnet IDs for the subnet group.
+                    items:
+                      type: string
+                    type: array
                   vpcId:
                     description: – VPC ID of the subnet group.
                     type: string
diff --git a/package/crds/deploy.aws.upbound.io_apps.yaml b/package/crds/deploy.aws.upbound.io_apps.yaml
index bbdeae2ab1..be851c8e4c 100644
--- a/package/crds/deploy.aws.upbound.io_apps.yaml
+++ b/package/crds/deploy.aws.upbound.io_apps.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -261,6 +280,10 @@ spec:
                   arn:
                     description: The ARN of the CodeDeploy application.
                     type: string
+                  computePlatform:
+                    description: The compute platform can either be ECS, Lambda, or
+                      Server. Default is Server.
+                    type: string
                   githubAccountName:
                     description: The name for a connection to a GitHub account.
                     type: string
@@ -271,6 +294,11 @@ spec:
                     description: Whether the user has authenticated with GitHub for
                       the specified application.
                     type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/deploy.aws.upbound.io_deploymentconfigs.yaml b/package/crds/deploy.aws.upbound.io_deploymentconfigs.yaml
index fc5d6f2643..d4501d4054 100644
--- a/package/crds/deploy.aws.upbound.io_deploymentconfigs.yaml
+++ b/package/crds/deploy.aws.upbound.io_deploymentconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -136,6 +140,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -312,12 +331,77 @@ spec:
             properties:
               atProvider:
                 properties:
+                  computePlatform:
+                    description: The compute platform can be Server, Lambda, or ECS.
+                      Default is Server.
+                    type: string
                   deploymentConfigId:
                     description: The AWS Assigned deployment config id
                     type: string
                   id:
                     description: The deployment group's config name.
                     type: string
+                  minimumHealthyHosts:
+                    description: A minimum_healthy_hosts block. Required for Server
+                      compute platform. Minimum Healthy Hosts are documented below.
+                    items:
+                      properties:
+                        type:
+                          description: The type can either be FLEET_PERCENT or HOST_COUNT.
+                          type: string
+                        value:
+                          description: The value when the type is FLEET_PERCENT represents
+                            the minimum number of healthy instances as a percentage
+                            of the total number of instances in the deployment. If
+                            you specify FLEET_PERCENT, at the start of the deployment,
+                            AWS CodeDeploy converts the percentage to the equivalent
+                            number of instance and rounds up fractional instances.
+                            When the type is HOST_COUNT, the value represents the
+                            minimum number of healthy instances as an absolute value.
+                          type: number
+                      type: object
+                    type: array
+                  trafficRoutingConfig:
+                    description: A traffic_routing_config block. Traffic Routing Config
+                      is documented below.
+                    items:
+                      properties:
+                        timeBasedCanary:
+                          description: The time based canary configuration information.
+                            If type is TimeBasedLinear, use time_based_linear instead.
+                          items:
+                            properties:
+                              interval:
+                                description: The number of minutes between the first
+                                  and second traffic shifts of a TimeBasedCanary deployment.
+                                type: number
+                              percentage:
+                                description: The percentage of traffic to shift in
+                                  the first increment of a TimeBasedCanary deployment.
+                                type: number
+                            type: object
+                          type: array
+                        timeBasedLinear:
+                          description: The time based linear configuration information.
+                            If type is TimeBasedCanary, use time_based_canary instead.
+                          items:
+                            properties:
+                              interval:
+                                description: The number of minutes between the first
+                                  and second traffic shifts of a TimeBasedCanary deployment.
+                                type: number
+                              percentage:
+                                description: The percentage of traffic to shift in
+                                  the first increment of a TimeBasedCanary deployment.
+                                type: number
+                            type: object
+                          type: array
+                        type:
+                          description: Type of traffic routing config. One of TimeBasedCanary,
+                            TimeBasedLinear, AllAtOnce.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/deploy.aws.upbound.io_deploymentgroups.yaml b/package/crds/deploy.aws.upbound.io_deploymentgroups.yaml
index 7e3d08c411..85ddb72e18 100644
--- a/package/crds/deploy.aws.upbound.io_deploymentgroups.yaml
+++ b/package/crds/deploy.aws.upbound.io_deploymentgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -946,6 +950,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1122,18 +1141,322 @@ spec:
             properties:
               atProvider:
                 properties:
+                  alarmConfiguration:
+                    description: Configuration block of alarms associated with the
+                      deployment group (documented below).
+                    items:
+                      properties:
+                        alarms:
+                          description: A list of alarms configured for the deployment
+                            group. A maximum of 10 alarms can be added to a deployment
+                            group.
+                          items:
+                            type: string
+                          type: array
+                        enabled:
+                          description: Indicates whether the alarm configuration is
+                            enabled. This option is useful when you want to temporarily
+                            deactivate alarm monitoring for a deployment group without
+                            having to add the same alarms again later.
+                          type: boolean
+                        ignorePollAlarmFailure:
+                          description: Indicates whether a deployment should continue
+                            if information about the current state of alarms cannot
+                            be retrieved from CloudWatch. The default value is false.
+                          type: boolean
+                      type: object
+                    type: array
+                  appName:
+                    description: The name of the application.
+                    type: string
                   arn:
                     description: The ARN of the CodeDeploy deployment group.
                     type: string
+                  autoRollbackConfiguration:
+                    description: Configuration block of the automatic rollback configuration
+                      associated with the deployment group (documented below).
+                    items:
+                      properties:
+                        enabled:
+                          description: Indicates whether the alarm configuration is
+                            enabled. This option is useful when you want to temporarily
+                            deactivate alarm monitoring for a deployment group without
+                            having to add the same alarms again later.
+                          type: boolean
+                        events:
+                          description: The event type or types that trigger a rollback.
+                            Supported types are DEPLOYMENT_FAILURE and DEPLOYMENT_STOP_ON_ALARM.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  autoscalingGroups:
+                    description: Autoscaling groups associated with the deployment
+                      group.
+                    items:
+                      type: string
+                    type: array
+                  blueGreenDeploymentConfig:
+                    description: Configuration block of the blue/green deployment
+                      options for a deployment group (documented below).
+                    items:
+                      properties:
+                        deploymentReadyOption:
+                          description: Information about the action to take when newly
+                            provisioned instances are ready to receive traffic in
+                            a blue/green deployment (documented below).
+                          items:
+                            properties:
+                              actionOnTimeout:
+                                description: When to reroute traffic from an original
+                                  environment to a replacement environment in a blue/green
+                                  deployment.
+                                type: string
+                              waitTimeInMinutes:
+                                description: The number of minutes to wait before
+                                  the status of a blue/green deployment changed to
+                                  Stopped if rerouting is not started manually. Applies
+                                  only to the STOP_DEPLOYMENT option for action_on_timeout.
+                                type: number
+                            type: object
+                          type: array
+                        greenFleetProvisioningOption:
+                          description: Information about how instances are provisioned
+                            for a replacement environment in a blue/green deployment
+                            (documented below).
+                          items:
+                            properties:
+                              action:
+                                description: The method used to add instances to a
+                                  replacement environment.
+                                type: string
+                            type: object
+                          type: array
+                        terminateBlueInstancesOnDeploymentSuccess:
+                          description: Information about whether to terminate instances
+                            in the original fleet during a blue/green deployment (documented
+                            below).
+                          items:
+                            properties:
+                              action:
+                                description: The method used to add instances to a
+                                  replacement environment.
+                                type: string
+                              terminationWaitTimeInMinutes:
+                                description: The number of minutes to wait after a
+                                  successful blue/green deployment before terminating
+                                  instances from the original environment.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   computePlatform:
                     description: The destination platform type for the deployment.
                     type: string
+                  deploymentConfigName:
+                    description: The name of the group's deployment config. The default
+                      is "CodeDeployDefault.OneAtATime".
+                    type: string
                   deploymentGroupId:
                     description: The ID of the CodeDeploy deployment group.
                     type: string
+                  deploymentStyle:
+                    description: Configuration block of the type of deployment, either
+                      in-place or blue/green, you want to run and whether to route
+                      deployment traffic behind a load balancer (documented below).
+                    items:
+                      properties:
+                        deploymentOption:
+                          description: Indicates whether to route deployment traffic
+                            behind a load balancer. Valid Values are WITH_TRAFFIC_CONTROL
+                            or WITHOUT_TRAFFIC_CONTROL. Default is WITHOUT_TRAFFIC_CONTROL.
+                          type: string
+                        deploymentType:
+                          description: Indicates whether to run an in-place deployment
+                            or a blue/green deployment. Valid Values are IN_PLACE
+                            or BLUE_GREEN. Default is IN_PLACE.
+                          type: string
+                      type: object
+                    type: array
+                  ec2TagFilter:
+                    description: Tag filters associated with the deployment group.
+                      See the AWS docs for details.
+                    items:
+                      properties:
+                        key:
+                          description: The key of the tag filter.
+                          type: string
+                        type:
+                          description: The type of the tag filter, either KEY_ONLY,
+                            VALUE_ONLY, or KEY_AND_VALUE.
+                          type: string
+                        value:
+                          description: The value of the tag filter.
+                          type: string
+                      type: object
+                    type: array
+                  ec2TagSet:
+                    description: Configuration block(s) of Tag filters associated
+                      with the deployment group, which are also referred to as tag
+                      groups (documented below). See the AWS docs for details.
+                    items:
+                      properties:
+                        ec2TagFilter:
+                          description: Tag filters associated with the deployment
+                            group. See the AWS docs for details.
+                          items:
+                            properties:
+                              key:
+                                description: The key of the tag filter.
+                                type: string
+                              type:
+                                description: The type of the tag filter, either KEY_ONLY,
+                                  VALUE_ONLY, or KEY_AND_VALUE.
+                                type: string
+                              value:
+                                description: The value of the tag filter.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  ecsService:
+                    description: Configuration block(s) of the ECS services for a
+                      deployment group (documented below).
+                    items:
+                      properties:
+                        clusterName:
+                          description: The name of the ECS cluster.
+                          type: string
+                        serviceName:
+                          description: The name of the ECS service.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: Application name and deployment group name.
                     type: string
+                  loadBalancerInfo:
+                    description: Single configuration block of the load balancer to
+                      use in a blue/green deployment (documented below).
+                    items:
+                      properties:
+                        elbInfo:
+                          description: The Classic Elastic Load Balancer to use in
+                            a deployment. Conflicts with target_group_info and target_group_pair_info.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the target group that instances
+                                  in the original environment are deregistered from,
+                                  and instances in the replacement environment registered
+                                  with. For in-place deployments, the name of the
+                                  target group that instances are deregistered from,
+                                  so they are not serving traffic during a deployment,
+                                  and then re-registered with after the deployment
+                                  completes.
+                                type: string
+                            type: object
+                          type: array
+                        targetGroupInfo:
+                          description: The (Application/Network Load Balancer) target
+                            group to use in a deployment. Conflicts with elb_info
+                            and target_group_pair_info.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the target group that instances
+                                  in the original environment are deregistered from,
+                                  and instances in the replacement environment registered
+                                  with. For in-place deployments, the name of the
+                                  target group that instances are deregistered from,
+                                  so they are not serving traffic during a deployment,
+                                  and then re-registered with after the deployment
+                                  completes.
+                                type: string
+                            type: object
+                          type: array
+                        targetGroupPairInfo:
+                          description: The (Application/Network Load Balancer) target
+                            group pair to use in a deployment. Conflicts with elb_info
+                            and target_group_info.
+                          items:
+                            properties:
+                              prodTrafficRoute:
+                                description: Configuration block for the production
+                                  traffic route (documented below).
+                                items:
+                                  properties:
+                                    listenerArns:
+                                      description: List of Amazon Resource Names (ARNs)
+                                        of the load balancer listeners.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              targetGroup:
+                                description: Configuration blocks for a target group
+                                  within a target group pair (documented below).
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the target group that
+                                        instances in the original environment are
+                                        deregistered from, and instances in the replacement
+                                        environment registered with. For in-place
+                                        deployments, the name of the target group
+                                        that instances are deregistered from, so they
+                                        are not serving traffic during a deployment,
+                                        and then re-registered with after the deployment
+                                        completes.
+                                      type: string
+                                  type: object
+                                type: array
+                              testTrafficRoute:
+                                description: Configuration block for the test traffic
+                                  route (documented below).
+                                items:
+                                  properties:
+                                    listenerArns:
+                                      description: List of Amazon Resource Names (ARNs)
+                                        of the load balancer listeners.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  onPremisesInstanceTagFilter:
+                    description: On premise tag filters associated with the group.
+                      See the AWS docs for details.
+                    items:
+                      properties:
+                        key:
+                          description: The key of the tag filter.
+                          type: string
+                        type:
+                          description: The type of the tag filter, either KEY_ONLY,
+                            VALUE_ONLY, or KEY_AND_VALUE.
+                          type: string
+                        value:
+                          description: The value of the tag filter.
+                          type: string
+                      type: object
+                    type: array
+                  serviceRoleArn:
+                    description: The service role ARN that allows deployments.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -1141,6 +1464,29 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  triggerConfiguration:
+                    description: Configuration block(s) of the triggers for the deployment
+                      group (documented below).
+                    items:
+                      properties:
+                        triggerEvents:
+                          description: 'The event type or types for which notifications
+                            are triggered. Some values that are supported: DeploymentStart,
+                            DeploymentSuccess, DeploymentFailure, DeploymentStop,
+                            DeploymentRollback, InstanceStart, InstanceSuccess, InstanceFailure.  See
+                            the CodeDeploy documentation for all possible values.'
+                          items:
+                            type: string
+                          type: array
+                        triggerName:
+                          description: The name of the notification trigger.
+                          type: string
+                        triggerTargetArn:
+                          description: The ARN of the SNS topic through which notifications
+                            are sent.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/detective.aws.upbound.io_graphs.yaml b/package/crds/detective.aws.upbound.io_graphs.yaml
index 570492c684..ba6f3afd86 100644
--- a/package/crds/detective.aws.upbound.io_graphs.yaml
+++ b/package/crds/detective.aws.upbound.io_graphs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,6 +80,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -262,6 +281,11 @@ spec:
                   id:
                     description: ARN of the Detective Graph.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/detective.aws.upbound.io_invitationaccepters.yaml b/package/crds/detective.aws.upbound.io_invitationaccepters.yaml
index 4c76723d49..f0f7859e7a 100644
--- a/package/crds/detective.aws.upbound.io_invitationaccepters.yaml
+++ b/package/crds/detective.aws.upbound.io_invitationaccepters.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,6 +153,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,6 +344,10 @@ spec:
             properties:
               atProvider:
                 properties:
+                  graphArn:
+                    description: ARN of the behavior graph that the member account
+                      is accepting the invitation for.
+                    type: string
                   id:
                     description: Unique identifier (ID) of the Detective invitation
                       accepter.
diff --git a/package/crds/detective.aws.upbound.io_members.yaml b/package/crds/detective.aws.upbound.io_members.yaml
index 7a88b65bd1..6b3a4ad783 100644
--- a/package/crds/detective.aws.upbound.io_members.yaml
+++ b/package/crds/detective.aws.upbound.io_members.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -163,10 +167,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - accountId
-                - emailAddress
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -338,16 +355,37 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)
+            - message: emailAddress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.emailAddress)
           status:
             description: MemberStatus defines the observed state of Member.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: AWS account ID for the account.
+                    type: string
                   administratorId:
                     description: AWS account ID for the administrator account.
                     type: string
+                  disableEmailNotification:
+                    description: If set to true, then the root user of the invited
+                      account will not receive an email notification. This notification
+                      is in addition to an alert that the root user receives in AWS
+                      Personal Health Dashboard. By default, this is set to false.
+                    type: boolean
                   disabledReason:
                     type: string
+                  emailAddress:
+                    description: Email address for the account.
+                    type: string
+                  graphArn:
+                    description: ARN of the behavior graph to invite the member accounts
+                      to contribute their data to.
+                    type: string
                   id:
                     description: Unique identifier (ID) of the Detective.
                     type: string
@@ -356,6 +394,11 @@ spec:
                       when an Amazon Detective membership invitation was last sent
                       to the account.
                     type: string
+                  message:
+                    description: A custom message to include in the invitation. Amazon
+                      Detective adds this message to the standard content that it
+                      sends for an invitation.
+                    type: string
                   status:
                     description: Current membership status of the member account.
                     type: string
diff --git a/package/crds/devicefarm.aws.upbound.io_devicepools.yaml b/package/crds/devicefarm.aws.upbound.io_devicepools.yaml
index bcebcfa980..c120530e73 100644
--- a/package/crds/devicefarm.aws.upbound.io_devicepools.yaml
+++ b/package/crds/devicefarm.aws.upbound.io_devicepools.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -184,10 +188,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - rule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -359,6 +376,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: rule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)
           status:
             description: DevicePoolStatus defines the observed state of DevicePool.
             properties:
@@ -367,8 +389,48 @@ spec:
                   arn:
                     description: The Amazon Resource Name of this Device Pool
                     type: string
+                  description:
+                    description: The device pool's description.
+                    type: string
                   id:
                     type: string
+                  maxDevices:
+                    description: The number of devices that Device Farm can add to
+                      your device pool.
+                    type: number
+                  name:
+                    description: The name of the Device Pool
+                    type: string
+                  projectArn:
+                    description: The ARN of the project for the device pool.
+                    type: string
+                  rule:
+                    description: The device pool's rules. See Rule.
+                    items:
+                      properties:
+                        attribute:
+                          description: 'The rule''s stringified attribute. Valid values
+                            are: APPIUM_VERSION, ARN, AVAILABILITY, FLEET_TYPE, FORM_FACTOR,
+                            INSTANCE_ARN, INSTANCE_LABELS, MANUFACTURER, MODEL, OS_VERSION,
+                            PLATFORM, REMOTE_ACCESS_ENABLED, REMOTE_DEBUG_ENABLED.'
+                          type: string
+                        operator:
+                          description: 'Specifies how Device Farm compares the rule''s
+                            attribute to the value. For the operators that are supported
+                            by each attribute. Valid values are: EQUALS, NOT_IN, IN,
+                            GREATER_THAN, GREATER_THAN_OR_EQUALS, LESS_THAN, LESS_THAN_OR_EQUALS,
+                            CONTAINS.'
+                          type: string
+                        value:
+                          description: The rule's value.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/devicefarm.aws.upbound.io_instanceprofiles.yaml b/package/crds/devicefarm.aws.upbound.io_instanceprofiles.yaml
index 84c198ea36..05ad46b452 100644
--- a/package/crds/devicefarm.aws.upbound.io_instanceprofiles.yaml
+++ b/package/crds/devicefarm.aws.upbound.io_instanceprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -95,9 +99,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -269,6 +287,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: InstanceProfileStatus defines the observed state of InstanceProfile.
             properties:
@@ -277,8 +298,34 @@ spec:
                   arn:
                     description: The Amazon Resource Name of this instance profile.
                     type: string
+                  description:
+                    description: The description of the instance profile.
+                    type: string
+                  excludeAppPackagesFromCleanup:
+                    description: An array of strings that specifies the list of app
+                      packages that should not be cleaned up from the device after
+                      a test run.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: The name for the instance profile.
+                    type: string
+                  packageCleanup:
+                    description: When set to true, Device Farm removes app packages
+                      after a test run. The default value is false for private devices.
+                    type: boolean
+                  rebootAfterUse:
+                    description: When set to true, Device Farm reboots the instance
+                      after a test run. The default value is true.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/devicefarm.aws.upbound.io_networkprofiles.yaml b/package/crds/devicefarm.aws.upbound.io_networkprofiles.yaml
index 8105b509d7..adb19c7823 100644
--- a/package/crds/devicefarm.aws.upbound.io_networkprofiles.yaml
+++ b/package/crds/devicefarm.aws.upbound.io_networkprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -194,9 +198,23 @@ spec:
                       from 0 to 100 percent.
                     type: number
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -368,6 +386,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: NetworkProfileStatus defines the observed state of NetworkProfile.
             properties:
@@ -376,8 +397,38 @@ spec:
                   arn:
                     description: The Amazon Resource Name of this network profile.
                     type: string
+                  description:
+                    description: The description of the network profile.
+                    type: string
+                  downlinkBandwidthBits:
+                    description: The data throughput rate in bits per second, as an
+                      integer from 0 to 104857600. Default value is 104857600.
+                    type: number
+                  downlinkDelayMs:
+                    description: Delay time for all packets to destination in milliseconds
+                      as an integer from 0 to 2000.
+                    type: number
+                  downlinkJitterMs:
+                    description: Time variation in the delay of received packets in
+                      milliseconds as an integer from 0 to 2000.
+                    type: number
+                  downlinkLossPercent:
+                    description: Proportion of received packets that fail to arrive
+                      from 0 to 100 percent.
+                    type: number
                   id:
                     type: string
+                  name:
+                    description: The name for the network profile.
+                    type: string
+                  projectArn:
+                    description: The ARN of the project for the network profile.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -385,6 +436,26 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: The type of network profile to create. Valid values
+                      are listed are PRIVATE and CURATED.
+                    type: string
+                  uplinkBandwidthBits:
+                    description: The data throughput rate in bits per second, as an
+                      integer from 0 to 104857600. Default value is 104857600.
+                    type: number
+                  uplinkDelayMs:
+                    description: Delay time for all packets to destination in milliseconds
+                      as an integer from 0 to 2000.
+                    type: number
+                  uplinkJitterMs:
+                    description: Time variation in the delay of received packets in
+                      milliseconds as an integer from 0 to 2000.
+                    type: number
+                  uplinkLossPercent:
+                    description: Proportion of received packets that fail to arrive
+                      from 0 to 100 percent.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/devicefarm.aws.upbound.io_projects.yaml b/package/crds/devicefarm.aws.upbound.io_projects.yaml
index 9d65e1f1ed..ecc04e52c3 100644
--- a/package/crds/devicefarm.aws.upbound.io_projects.yaml
+++ b/package/crds/devicefarm.aws.upbound.io_projects.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,9 +86,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ProjectStatus defines the observed state of Project.
             properties:
@@ -264,8 +285,21 @@ spec:
                   arn:
                     description: The Amazon Resource Name of this project
                     type: string
+                  defaultJobTimeoutMinutes:
+                    description: Sets the execution timeout value (in minutes) for
+                      a project. All test runs in this project use the specified execution
+                      timeout value unless overridden when scheduling a run.
+                    type: number
                   id:
                     type: string
+                  name:
+                    description: The name of the project
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/devicefarm.aws.upbound.io_testgridprojects.yaml b/package/crds/devicefarm.aws.upbound.io_testgridprojects.yaml
index 4a047d7536..a83e268f53 100644
--- a/package/crds/devicefarm.aws.upbound.io_testgridprojects.yaml
+++ b/package/crds/devicefarm.aws.upbound.io_testgridprojects.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -340,9 +344,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -514,6 +532,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: TestGridProjectStatus defines the observed state of TestGridProject.
             properties:
@@ -522,8 +543,19 @@ spec:
                   arn:
                     description: The Amazon Resource Name of this Test Grid Project.
                     type: string
+                  description:
+                    description: Human-readable description of the project.
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: The name of the Selenium testing project.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -531,6 +563,27 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcConfig:
+                    description: The VPC security groups and subnets that are attached
+                      to a project. See VPC Config below.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          description: A list of VPC security group IDs in your Amazon
+                            VPC.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: A list of VPC subnet IDs in your Amazon VPC.
+                          items:
+                            type: string
+                          type: array
+                        vpcId:
+                          description: The ID of the Amazon VPC.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/devicefarm.aws.upbound.io_uploads.yaml b/package/crds/devicefarm.aws.upbound.io_uploads.yaml
index e59048ae8b..ac604abf7d 100644
--- a/package/crds/devicefarm.aws.upbound.io_uploads.yaml
+++ b/package/crds/devicefarm.aws.upbound.io_uploads.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,10 +165,23 @@ spec:
                       list of values.
                     type: string
                 required:
-                - name
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -336,6 +353,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: UploadStatus defines the observed state of Upload.
             properties:
@@ -347,6 +369,9 @@ spec:
                   category:
                     description: The upload's category.
                     type: string
+                  contentType:
+                    description: The upload's content type (for example, application/octet-stream).
+                    type: string
                   id:
                     type: string
                   metadata:
@@ -355,6 +380,20 @@ spec:
                       is displayed in the AWS Device Farm console after the associated
                       app is uploaded.
                     type: string
+                  name:
+                    description: The upload's file name. The name should not contain
+                      any forward slashes (/). If you are uploading an iOS app, the
+                      file name must end with the .ipa extension. If you are uploading
+                      an Android app, the file name must end with the .apk extension.
+                      For all others, the file name must end with the .zip file extension.
+                    type: string
+                  projectArn:
+                    description: The ARN of the project for the upload.
+                    type: string
+                  type:
+                    description: The upload's upload type. See AWS Docs for valid
+                      list of values.
+                    type: string
                   url:
                     description: The presigned Amazon S3 URL that was used to store
                       a file using a PUT request.
diff --git a/package/crds/directconnect.aws.upbound.io_bgppeers.yaml b/package/crds/directconnect.aws.upbound.io_bgppeers.yaml
index da49fe86c5..c3baae720b 100644
--- a/package/crds/directconnect.aws.upbound.io_bgppeers.yaml
+++ b/package/crds/directconnect.aws.upbound.io_bgppeers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,10 +171,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - addressFamily
-                - bgpAsn
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -342,24 +359,52 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
           status:
             description: BGPPeerStatus defines the observed state of BGPPeer.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The address family for the BGP peer. ipv4  or ipv6.
+                    type: string
+                  amazonAddress:
+                    description: The IPv4 CIDR address to use to send traffic to Amazon.
+                      Required for IPv4 BGP peers on public virtual interfaces.
+                    type: string
                   awsDevice:
                     description: The Direct Connect endpoint on which the BGP peer
                       terminates.
                     type: string
+                  bgpAsn:
+                    description: The autonomous system (AS) number for Border Gateway
+                      Protocol (BGP) configuration.
+                    type: number
+                  bgpAuthKey:
+                    description: The authentication key for BGP configuration.
+                    type: string
                   bgpPeerId:
                     description: The ID of the BGP peer.
                     type: string
                   bgpStatus:
                     description: The Up/Down state of the BGP peer.
                     type: string
+                  customerAddress:
+                    description: The IPv4 CIDR destination address to which Amazon
+                      should send traffic. Required for IPv4 BGP peers on public virtual
+                      interfaces.
+                    type: string
                   id:
                     description: The ID of the BGP peer resource.
                     type: string
+                  virtualInterfaceId:
+                    description: The ID of the Direct Connect virtual interface on
+                      which to create the BGP peer.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_connectionassociations.yaml b/package/crds/directconnect.aws.upbound.io_connectionassociations.yaml
index 6e4bb85fb2..f83cda0568 100644
--- a/package/crds/directconnect.aws.upbound.io_connectionassociations.yaml
+++ b/package/crds/directconnect.aws.upbound.io_connectionassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -225,6 +229,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,8 +421,14 @@ spec:
             properties:
               atProvider:
                 properties:
+                  connectionId:
+                    description: The ID of the connection.
+                    type: string
                   id:
                     type: string
+                  lagId:
+                    description: The ID of the LAG with which to associate the connection.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_connections.yaml b/package/crds/directconnect.aws.upbound.io_connections.yaml
index 1c285d7a24..30e70ec006 100644
--- a/package/crds/directconnect.aws.upbound.io_connections.yaml
+++ b/package/crds/directconnect.aws.upbound.io_connections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -106,11 +110,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - bandwidth
-                - location
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -282,6 +298,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: bandwidth is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bandwidth)
+            - message: location is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.location)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ConnectionStatus defines the observed state of Connection.
             properties:
@@ -294,6 +317,17 @@ spec:
                     description: The Direct Connect endpoint on which the physical
                       connection terminates.
                     type: string
+                  bandwidth:
+                    description: 'The bandwidth of the connection. Valid values for
+                      dedicated connections: 1Gbps, 10Gbps. Valid values for hosted
+                      connections: 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, 500Mbps,
+                      1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps. Case sensitive.'
+                    type: string
+                  encryptionMode:
+                    description: The connection MAC Security (MACsec) encryption mode.
+                      MAC Security (MACsec) is only available on dedicated connections.
+                      Valid values are no_encrypt, should_encrypt, and must_encrypt.
+                    type: string
                   hasLogicalRedundancy:
                     description: Indicates whether the connection supports a secondary
                       BGP peer in the same address family (IPv4/IPv6).
@@ -305,10 +339,18 @@ spec:
                     description: Boolean value representing if jumbo frames have been
                       enabled for this connection.
                     type: boolean
+                  location:
+                    description: The AWS Direct Connect location where the connection
+                      is located. See DescribeLocations for the list of AWS Direct
+                      Connect locations. Use locationCode.
+                    type: string
                   macsecCapable:
                     description: Boolean value indicating whether the connection supports
                       MAC Security (MACsec).
                     type: boolean
+                  name:
+                    description: The name of the connection.
+                    type: string
                   ownerAccountId:
                     description: The ID of the AWS account that owns the connection.
                     type: string
@@ -316,6 +358,24 @@ spec:
                     description: The MAC Security (MACsec) port link status of the
                       connection.
                     type: string
+                  providerName:
+                    description: The name of the service provider associated with
+                      the connection.
+                    type: string
+                  requestMacsec:
+                    description: 'Boolean value indicating whether you want the connection
+                      to support MAC Security (MACsec). MAC Security (MACsec) is only
+                      available on dedicated connections. See MACsec prerequisites
+                      for more information about MAC Security (MACsec) prerequisites.
+                      Default value: false.'
+                    type: boolean
+                  skipDestroy:
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/directconnect.aws.upbound.io_gatewayassociationproposals.yaml b/package/crds/directconnect.aws.upbound.io_gatewayassociationproposals.yaml
index e9c2ab38ae..07682c08db 100644
--- a/package/crds/directconnect.aws.upbound.io_gatewayassociationproposals.yaml
+++ b/package/crds/directconnect.aws.upbound.io_gatewayassociationproposals.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -313,6 +317,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -490,6 +509,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allowedPrefixes:
+                    description: VPC prefixes (CIDRs) to advertise to the Direct Connect
+                      gateway. Defaults to the CIDR block of the VPC associated with
+                      the Virtual Gateway. To enable drift detection, must be configured.
+                    items:
+                      type: string
+                    type: array
+                  associatedGatewayId:
+                    description: The ID of the VGW or transit gateway with which to
+                      associate the Direct Connect gateway.
+                    type: string
                   associatedGatewayOwnerAccountId:
                     description: The ID of the AWS account that owns the VGW or transit
                       gateway with which to associate the Direct Connect gateway.
@@ -498,6 +528,13 @@ spec:
                     description: The type of the associated gateway, transitGateway
                       or virtualPrivateGateway.
                     type: string
+                  dxGatewayId:
+                    description: Direct Connect Gateway identifier.
+                    type: string
+                  dxGatewayOwnerAccountId:
+                    description: AWS Account identifier of the Direct Connect Gateway's
+                      owner.
+                    type: string
                   id:
                     description: Direct Connect Gateway Association Proposal identifier.
                     type: string
diff --git a/package/crds/directconnect.aws.upbound.io_gatewayassociations.yaml b/package/crds/directconnect.aws.upbound.io_gatewayassociations.yaml
index 3b037c65bc..a561334ccd 100644
--- a/package/crds/directconnect.aws.upbound.io_gatewayassociations.yaml
+++ b/package/crds/directconnect.aws.upbound.io_gatewayassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -247,6 +251,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -423,6 +442,23 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allowedPrefixes:
+                    description: VPC prefixes (CIDRs) to advertise to the Direct Connect
+                      gateway. Defaults to the CIDR block of the VPC associated with
+                      the Virtual Gateway. To enable drift detection, must be configured.
+                    items:
+                      type: string
+                    type: array
+                  associatedGatewayId:
+                    description: The ID of the VGW or transit gateway with which to
+                      associate the Direct Connect gateway. Used for single account
+                      Direct Connect gateway associations.
+                    type: string
+                  associatedGatewayOwnerAccountId:
+                    description: The ID of the AWS account that owns the VGW or transit
+                      gateway with which to associate the Direct Connect gateway.
+                      Used for cross-account Direct Connect gateway associations.
+                    type: string
                   associatedGatewayType:
                     description: The type of the associated gateway, transitGateway
                       or virtualPrivateGateway.
@@ -430,6 +466,9 @@ spec:
                   dxGatewayAssociationId:
                     description: The ID of the Direct Connect gateway association.
                     type: string
+                  dxGatewayId:
+                    description: The ID of the Direct Connect gateway.
+                    type: string
                   dxGatewayOwnerAccountId:
                     description: The ID of the AWS account that owns the Direct Connect
                       gateway.
@@ -438,6 +477,14 @@ spec:
                     description: The ID of the Direct Connect gateway association
                       resource.
                     type: string
+                  proposalId:
+                    description: The ID of the Direct Connect gateway association
+                      proposal. Used for cross-account Direct Connect gateway associations.
+                    type: string
+                  vpnGatewayId:
+                    description: The ID of the Direct Connect gateway association
+                      resource.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_gateways.yaml b/package/crds/directconnect.aws.upbound.io_gateways.yaml
index 917142e19f..f9fff1f995 100644
--- a/package/crds/directconnect.aws.upbound.io_gateways.yaml
+++ b/package/crds/directconnect.aws.upbound.io_gateways.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -77,10 +81,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - amazonSideAsn
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,14 +269,27 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: amazonSideAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.amazonSideAsn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: GatewayStatus defines the observed state of Gateway.
             properties:
               atProvider:
                 properties:
+                  amazonSideAsn:
+                    description: The ASN to be configured on the Amazon side of the
+                      connection. The ASN must be in the private range of 64,512 to
+                      65,534 or 4,200,000,000 to 4,294,967,294.
+                    type: string
                   id:
                     description: The ID of the gateway.
                     type: string
+                  name:
+                    description: The name of the connection.
+                    type: string
                   ownerAccountId:
                     description: AWS Account ID of the gateway.
                     type: string
diff --git a/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaceaccepters.yaml b/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaceaccepters.yaml
index b7f382e18f..8f2e9039b3 100644
--- a/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaceaccepters.yaml
+++ b/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaceaccepters.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -238,6 +242,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -418,9 +437,18 @@ spec:
                   arn:
                     description: The ARN of the virtual interface.
                     type: string
+                  dxGatewayId:
+                    description: The ID of the Direct Connect gateway to which to
+                      connect the virtual interface.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -428,6 +456,14 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  virtualInterfaceId:
+                    description: The ID of the Direct Connect virtual interface to
+                      accept.
+                    type: string
+                  vpnGatewayId:
+                    description: The ID of the virtual private gateway to which to
+                      connect the virtual interface.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaces.yaml b/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaces.yaml
index aa1b48fd6c..f4d406147d 100644
--- a/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaces.yaml
+++ b/package/crds/directconnect.aws.upbound.io_hostedprivatevirtualinterfaces.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -180,13 +184,23 @@ spec:
                     description: The VLAN ID.
                     type: number
                 required:
-                - addressFamily
-                - bgpAsn
-                - name
-                - ownerAccountId
                 - region
-                - vlan
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -358,12 +372,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: ownerAccountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerAccountId)
+            - message: vlan is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)
           status:
             description: HostedPrivateVirtualInterfaceStatus defines the observed
               state of HostedPrivateVirtualInterface.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The address family for the BGP peer. ipv4  or ipv6.
+                    type: string
+                  amazonAddress:
+                    description: The IPv4 CIDR address to use to send traffic to Amazon.
+                      Required for IPv4 BGP peers.
+                    type: string
                   amazonSideAsn:
                     type: string
                   arn:
@@ -373,12 +405,42 @@ spec:
                     description: The Direct Connect endpoint on which the virtual
                       interface terminates.
                     type: string
+                  bgpAsn:
+                    description: The autonomous system (AS) number for Border Gateway
+                      Protocol (BGP) configuration.
+                    type: number
+                  bgpAuthKey:
+                    description: The authentication key for BGP configuration.
+                    type: string
+                  connectionId:
+                    description: The ID of the Direct Connect connection (or LAG)
+                      on which to create the virtual interface.
+                    type: string
+                  customerAddress:
+                    description: The IPv4 CIDR destination address to which Amazon
+                      should send traffic. Required for IPv4 BGP peers.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
                   jumboFrameCapable:
                     description: Indicates whether jumbo frames (9001 MTU) are supported.
                     type: boolean
+                  mtu:
+                    description: The maximum transmission unit (MTU) is the size,
+                      in bytes, of the largest permissible packet that can be passed
+                      over the connection. The MTU of a virtual private interface
+                      can be either 1500 or 9001 (jumbo frames). Default is 1500.
+                    type: number
+                  name:
+                    description: The name for the virtual interface.
+                    type: string
+                  ownerAccountId:
+                    description: The AWS account that will own the new virtual interface.
+                    type: string
+                  vlan:
+                    description: The VLAN ID.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaceaccepters.yaml b/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaceaccepters.yaml
index e1f488e3d6..af6741de71 100644
--- a/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaceaccepters.yaml
+++ b/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaceaccepters.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,6 +161,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,6 +359,11 @@ spec:
                   id:
                     description: The ID of the virtual interface.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -347,6 +371,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  virtualInterfaceId:
+                    description: The ID of the Direct Connect virtual interface to
+                      accept.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaces.yaml b/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaces.yaml
index 9a3b6968fd..1f256c3038 100644
--- a/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaces.yaml
+++ b/package/crds/directconnect.aws.upbound.io_hostedpublicvirtualinterfaces.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -180,14 +184,23 @@ spec:
                     description: The VLAN ID.
                     type: number
                 required:
-                - addressFamily
-                - bgpAsn
-                - name
-                - ownerAccountId
                 - region
-                - routeFilterPrefixes
-                - vlan
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -359,12 +372,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: ownerAccountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerAccountId)
+            - message: routeFilterPrefixes is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeFilterPrefixes)
+            - message: vlan is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)
           status:
             description: HostedPublicVirtualInterfaceStatus defines the observed state
               of HostedPublicVirtualInterface.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The address family for the BGP peer. ipv4  or ipv6.
+                    type: string
+                  amazonAddress:
+                    description: The IPv4 CIDR address to use to send traffic to Amazon.
+                      Required for IPv4 BGP peers.
+                    type: string
                   amazonSideAsn:
                     type: string
                   arn:
@@ -374,9 +407,39 @@ spec:
                     description: The Direct Connect endpoint on which the virtual
                       interface terminates.
                     type: string
+                  bgpAsn:
+                    description: The autonomous system (AS) number for Border Gateway
+                      Protocol (BGP) configuration.
+                    type: number
+                  bgpAuthKey:
+                    description: The authentication key for BGP configuration.
+                    type: string
+                  connectionId:
+                    description: The ID of the Direct Connect connection (or LAG)
+                      on which to create the virtual interface.
+                    type: string
+                  customerAddress:
+                    description: The IPv4 CIDR destination address to which Amazon
+                      should send traffic. Required for IPv4 BGP peers.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
+                  name:
+                    description: The name for the virtual interface.
+                    type: string
+                  ownerAccountId:
+                    description: The AWS account that will own the new virtual interface.
+                    type: string
+                  routeFilterPrefixes:
+                    description: A list of routes to be advertised to the AWS network
+                      in this region.
+                    items:
+                      type: string
+                    type: array
+                  vlan:
+                    description: The VLAN ID.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaceaccepters.yaml b/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaceaccepters.yaml
index 3213609d81..e89efea672 100644
--- a/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaceaccepters.yaml
+++ b/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaceaccepters.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -236,6 +240,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -416,9 +435,18 @@ spec:
                   arn:
                     description: The ARN of the virtual interface.
                     type: string
+                  dxGatewayId:
+                    description: The ID of the Direct Connect gateway to which to
+                      connect the virtual interface.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -426,6 +454,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  virtualInterfaceId:
+                    description: The ID of the Direct Connect virtual interface to
+                      accept.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaces.yaml b/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaces.yaml
index a187e1ff9c..82350c3d28 100644
--- a/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaces.yaml
+++ b/package/crds/directconnect.aws.upbound.io_hostedtransitvirtualinterfaces.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -180,13 +184,23 @@ spec:
                     description: The VLAN ID.
                     type: number
                 required:
-                - addressFamily
-                - bgpAsn
-                - name
-                - ownerAccountId
                 - region
-                - vlan
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -358,12 +372,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: ownerAccountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerAccountId)
+            - message: vlan is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)
           status:
             description: HostedTransitVirtualInterfaceStatus defines the observed
               state of HostedTransitVirtualInterface.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The address family for the BGP peer. ipv4  or ipv6.
+                    type: string
+                  amazonAddress:
+                    description: The IPv4 CIDR address to use to send traffic to Amazon.
+                      Required for IPv4 BGP peers.
+                    type: string
                   amazonSideAsn:
                     type: string
                   arn:
@@ -373,12 +405,42 @@ spec:
                     description: The Direct Connect endpoint on which the virtual
                       interface terminates.
                     type: string
+                  bgpAsn:
+                    description: The autonomous system (AS) number for Border Gateway
+                      Protocol (BGP) configuration.
+                    type: number
+                  bgpAuthKey:
+                    description: The authentication key for BGP configuration.
+                    type: string
+                  connectionId:
+                    description: The ID of the Direct Connect connection (or LAG)
+                      on which to create the virtual interface.
+                    type: string
+                  customerAddress:
+                    description: The IPv4 CIDR destination address to which Amazon
+                      should send traffic. Required for IPv4 BGP peers.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
                   jumboFrameCapable:
                     description: Indicates whether jumbo frames (8500 MTU) are supported.
                     type: boolean
+                  mtu:
+                    description: The maximum transmission unit (MTU) is the size,
+                      in bytes, of the largest permissible packet that can be passed
+                      over the connection. The MTU of a virtual transit interface
+                      can be either 1500 or 8500 (jumbo frames). Default is 1500.
+                    type: number
+                  name:
+                    description: The name for the virtual interface.
+                    type: string
+                  ownerAccountId:
+                    description: The AWS account that will own the new virtual interface.
+                    type: string
+                  vlan:
+                    description: The VLAN ID.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_lags.yaml b/package/crds/directconnect.aws.upbound.io_lags.yaml
index e65717b9c6..926ccd069a 100644
--- a/package/crds/directconnect.aws.upbound.io_lags.yaml
+++ b/package/crds/directconnect.aws.upbound.io_lags.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -101,11 +105,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - connectionsBandwidth
-                - location
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -277,6 +293,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: connectionsBandwidth is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.connectionsBandwidth)
+            - message: location is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.location)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: LagStatus defines the observed state of Lag.
             properties:
@@ -285,6 +308,21 @@ spec:
                   arn:
                     description: The ARN of the LAG.
                     type: string
+                  connectionId:
+                    description: The ID of an existing dedicated connection to migrate
+                      to the LAG.
+                    type: string
+                  connectionsBandwidth:
+                    description: 'The bandwidth of the individual physical connections
+                      bundled by the LAG. Valid values: 50Mbps, 100Mbps, 200Mbps,
+                      300Mbps, 400Mbps, 500Mbps, 1Gbps, 2Gbps, 5Gbps, 10Gbps and 100Gbps.
+                      Case sensitive.'
+                    type: string
+                  forceDestroy:
+                    description: A boolean that indicates all connections associated
+                      with the LAG should be deleted so that the LAG can be destroyed
+                      without error. These objects are not recoverable.
+                    type: boolean
                   hasLogicalRedundancy:
                     description: Indicates whether the LAG supports a secondary BGP
                       peer in the same address family (IPv4/IPv6).
@@ -295,9 +333,26 @@ spec:
                   jumboFrameCapable:
                     description: Indicates whether jumbo frames (9001 MTU) are supported.
                     type: boolean
+                  location:
+                    description: The AWS Direct Connect location in which the LAG
+                      should be allocated. See DescribeLocations for the list of AWS
+                      Direct Connect locations. Use locationCode.
+                    type: string
+                  name:
+                    description: The name of the LAG.
+                    type: string
                   ownerAccountId:
                     description: The ID of the AWS account that owns the LAG.
                     type: string
+                  providerName:
+                    description: The name of the service provider associated with
+                      the LAG.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/directconnect.aws.upbound.io_privatevirtualinterfaces.yaml b/package/crds/directconnect.aws.upbound.io_privatevirtualinterfaces.yaml
index c3174b6544..3018075ce3 100644
--- a/package/crds/directconnect.aws.upbound.io_privatevirtualinterfaces.yaml
+++ b/package/crds/directconnect.aws.upbound.io_privatevirtualinterfaces.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -265,12 +269,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - addressFamily
-                - bgpAsn
-                - name
                 - region
-                - vlan
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -442,12 +457,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: vlan is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)
           status:
             description: PrivateVirtualInterfaceStatus defines the observed state
               of PrivateVirtualInterface.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The address family for the BGP peer. ipv4  or ipv6.
+                    type: string
+                  amazonAddress:
+                    description: The IPv4 CIDR address to use to send traffic to Amazon.
+                      Required for IPv4 BGP peers.
+                    type: string
                   amazonSideAsn:
                     type: string
                   arn:
@@ -457,12 +488,47 @@ spec:
                     description: The Direct Connect endpoint on which the virtual
                       interface terminates.
                     type: string
+                  bgpAsn:
+                    description: The autonomous system (AS) number for Border Gateway
+                      Protocol (BGP) configuration.
+                    type: number
+                  bgpAuthKey:
+                    description: The authentication key for BGP configuration.
+                    type: string
+                  connectionId:
+                    description: The ID of the Direct Connect connection (or LAG)
+                      on which to create the virtual interface.
+                    type: string
+                  customerAddress:
+                    description: The IPv4 CIDR destination address to which Amazon
+                      should send traffic. Required for IPv4 BGP peers.
+                    type: string
+                  dxGatewayId:
+                    description: The ID of the Direct Connect gateway to which to
+                      connect the virtual interface.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
                   jumboFrameCapable:
                     description: Indicates whether jumbo frames (9001 MTU) are supported.
                     type: boolean
+                  mtu:
+                    description: The maximum transmission unit (MTU) is the size,
+                      in bytes, of the largest permissible packet that can be passed
+                      over the connection. The MTU of a virtual private interface
+                      can be either 1500 or 9001 (jumbo frames). Default is 1500.
+                    type: number
+                  name:
+                    description: The name for the virtual interface.
+                    type: string
+                  sitelinkEnabled:
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -470,6 +536,13 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vlan:
+                    description: The VLAN ID.
+                    type: number
+                  vpnGatewayId:
+                    description: The ID of the virtual private gateway to which to
+                      connect the virtual interface.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_publicvirtualinterfaces.yaml b/package/crds/directconnect.aws.upbound.io_publicvirtualinterfaces.yaml
index a0c6389a88..194b79fcee 100644
--- a/package/crds/directconnect.aws.upbound.io_publicvirtualinterfaces.yaml
+++ b/package/crds/directconnect.aws.upbound.io_publicvirtualinterfaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,13 +185,23 @@ spec:
                     description: The VLAN ID.
                     type: number
                 required:
-                - addressFamily
-                - bgpAsn
-                - name
                 - region
-                - routeFilterPrefixes
-                - vlan
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -359,12 +373,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: routeFilterPrefixes is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routeFilterPrefixes)
+            - message: vlan is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)
           status:
             description: PublicVirtualInterfaceStatus defines the observed state of
               PublicVirtualInterface.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The address family for the BGP peer. ipv4  or ipv6.
+                    type: string
+                  amazonAddress:
+                    description: The IPv4 CIDR address to use to send traffic to Amazon.
+                      Required for IPv4 BGP peers.
+                    type: string
                   amazonSideAsn:
                     type: string
                   arn:
@@ -374,9 +406,38 @@ spec:
                     description: The Direct Connect endpoint on which the virtual
                       interface terminates.
                     type: string
+                  bgpAsn:
+                    description: The autonomous system (AS) number for Border Gateway
+                      Protocol (BGP) configuration.
+                    type: number
+                  bgpAuthKey:
+                    description: The authentication key for BGP configuration.
+                    type: string
+                  connectionId:
+                    description: The ID of the Direct Connect connection (or LAG)
+                      on which to create the virtual interface.
+                    type: string
+                  customerAddress:
+                    description: The IPv4 CIDR destination address to which Amazon
+                      should send traffic. Required for IPv4 BGP peers.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
+                  name:
+                    description: The name for the virtual interface.
+                    type: string
+                  routeFilterPrefixes:
+                    description: A list of routes to be advertised to the AWS network
+                      in this region.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -384,6 +445,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vlan:
+                    description: The VLAN ID.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/directconnect.aws.upbound.io_transitvirtualinterfaces.yaml b/package/crds/directconnect.aws.upbound.io_transitvirtualinterfaces.yaml
index 7aa21312b8..563aa39eca 100644
--- a/package/crds/directconnect.aws.upbound.io_transitvirtualinterfaces.yaml
+++ b/package/crds/directconnect.aws.upbound.io_transitvirtualinterfaces.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -265,12 +269,23 @@ spec:
                     description: The VLAN ID.
                     type: number
                 required:
-                - addressFamily
-                - bgpAsn
-                - name
                 - region
-                - vlan
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -442,12 +457,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: vlan is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vlan)
           status:
             description: TransitVirtualInterfaceStatus defines the observed state
               of TransitVirtualInterface.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The address family for the BGP peer. ipv4  or ipv6.
+                    type: string
+                  amazonAddress:
+                    description: The IPv4 CIDR address to use to send traffic to Amazon.
+                      Required for IPv4 BGP peers.
+                    type: string
                   amazonSideAsn:
                     type: string
                   arn:
@@ -457,12 +488,47 @@ spec:
                     description: The Direct Connect endpoint on which the virtual
                       interface terminates.
                     type: string
+                  bgpAsn:
+                    description: The autonomous system (AS) number for Border Gateway
+                      Protocol (BGP) configuration.
+                    type: number
+                  bgpAuthKey:
+                    description: The authentication key for BGP configuration.
+                    type: string
+                  connectionId:
+                    description: The ID of the Direct Connect connection (or LAG)
+                      on which to create the virtual interface.
+                    type: string
+                  customerAddress:
+                    description: The IPv4 CIDR destination address to which Amazon
+                      should send traffic. Required for IPv4 BGP peers.
+                    type: string
+                  dxGatewayId:
+                    description: The ID of the Direct Connect gateway to which to
+                      connect the virtual interface.
+                    type: string
                   id:
                     description: The ID of the virtual interface.
                     type: string
                   jumboFrameCapable:
                     description: Indicates whether jumbo frames (8500 MTU) are supported.
                     type: boolean
+                  mtu:
+                    description: The maximum transmission unit (MTU) is the size,
+                      in bytes, of the largest permissible packet that can be passed
+                      over the connection. The MTU of a virtual transit interface
+                      can be either 1500 or 8500 (jumbo frames). Default is 1500.
+                    type: number
+                  name:
+                    description: The name for the virtual interface.
+                    type: string
+                  sitelinkEnabled:
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -470,6 +536,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vlan:
+                    description: The VLAN ID.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dlm.aws.upbound.io_lifecyclepolicies.yaml b/package/crds/dlm.aws.upbound.io_lifecyclepolicies.yaml
index 02c92a6ab7..164f414356 100644
--- a/package/crds/dlm.aws.upbound.io_lifecyclepolicies.yaml
+++ b/package/crds/dlm.aws.upbound.io_lifecyclepolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -697,10 +701,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - description
-                - policyDetails
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -872,6 +889,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: policyDetails is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyDetails)
           status:
             description: LifecyclePolicyStatus defines the observed state of LifecyclePolicy.
             properties:
@@ -880,9 +902,447 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the DLM Lifecycle Policy.
                     type: string
+                  description:
+                    description: A description for the DLM lifecycle policy.
+                    type: string
+                  executionRoleArn:
+                    description: The ARN of an IAM role that is able to be assumed
+                      by the DLM service.
+                    type: string
                   id:
                     description: Identifier of the DLM Lifecycle Policy.
                     type: string
+                  policyDetails:
+                    description: See the policy_details configuration block. Max of
+                      1.
+                    items:
+                      properties:
+                        action:
+                          description: The actions to be performed when the event-based
+                            policy is triggered. You can specify only one action per
+                            policy. This parameter is required for event-based policies
+                            only. If you are creating a snapshot or AMI policy, omit
+                            this parameter. See the action configuration block.
+                          items:
+                            properties:
+                              crossRegionCopy:
+                                description: The rule for copying shared snapshots
+                                  across Regions. See the cross_region_copy configuration
+                                  block.
+                                items:
+                                  properties:
+                                    encryptionConfiguration:
+                                      description: The encryption settings for the
+                                        copied snapshot. See the encryption_configuration
+                                        block. Max of 1 per action.
+                                      items:
+                                        properties:
+                                          cmkArn:
+                                            description: The Amazon Resource Name
+                                              (ARN) of the AWS KMS key to use for
+                                              EBS encryption. If this parameter is
+                                              not specified, the default KMS key for
+                                              the account is used.
+                                            type: string
+                                          encrypted:
+                                            description: To encrypt a copy of an unencrypted
+                                              snapshot when encryption by default
+                                              is not enabled, enable encryption using
+                                              this parameter. Copies of encrypted
+                                              snapshots are encrypted, even if this
+                                              parameter is false or when encryption
+                                              by default is not enabled.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    retainRule:
+                                      description: Specifies the retention rule for
+                                        cross-Region snapshot copies. See the retain_rule
+                                        block. Max of 1 per action.
+                                      items:
+                                        properties:
+                                          interval:
+                                            description: How often this lifecycle
+                                              policy should be evaluated. 1, 2,3,4,6,8,12
+                                              or 24 are valid values.
+                                            type: number
+                                          intervalUnit:
+                                            description: The unit for how often the
+                                              lifecycle policy should be evaluated.
+                                              HOURS is currently the only allowed
+                                              value and also the default value.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    target:
+                                      description: The target Region or the Amazon
+                                        Resource Name (ARN) of the target Outpost
+                                        for the snapshot copies.
+                                      type: string
+                                  type: object
+                                type: array
+                              name:
+                                description: A descriptive name for the action.
+                                type: string
+                            type: object
+                          type: array
+                        eventSource:
+                          description: The event that triggers the event-based policy.
+                            This parameter is required for event-based policies only.
+                            If you are creating a snapshot or AMI policy, omit this
+                            parameter. See the event_source configuration block.
+                          items:
+                            properties:
+                              parameters:
+                                description: A set of optional parameters for snapshot
+                                  and AMI lifecycle policies. See the parameters configuration
+                                  block.
+                                items:
+                                  properties:
+                                    descriptionRegex:
+                                      description: The snapshot description that can
+                                        trigger the policy. The description pattern
+                                        is specified using a regular expression. The
+                                        policy runs only if a snapshot with a description
+                                        that matches the specified pattern is shared
+                                        with your account.
+                                      type: string
+                                    eventType:
+                                      description: The type of event. Currently, only
+                                        shareSnapshot events are supported.
+                                      type: string
+                                    snapshotOwner:
+                                      description: The IDs of the AWS accounts that
+                                        can trigger policy by sharing snapshots with
+                                        your account. The policy only runs if one
+                                        of the specified AWS accounts shares a snapshot
+                                        with your account.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              type:
+                                description: The source of the event. Currently only
+                                  managed CloudWatch Events rules are supported. Valid
+                                  values are MANAGED_CWE.
+                                type: string
+                            type: object
+                          type: array
+                        parameters:
+                          description: A set of optional parameters for snapshot and
+                            AMI lifecycle policies. See the parameters configuration
+                            block.
+                          items:
+                            properties:
+                              excludeBootVolume:
+                                description: Indicates whether to exclude the root
+                                  volume from snapshots created using CreateSnapshots.
+                                  The default is false.
+                                type: boolean
+                              noReboot:
+                                description: Applies to AMI lifecycle policies only.
+                                  Indicates whether targeted instances are rebooted
+                                  when the lifecycle policy runs. true indicates that
+                                  targeted instances are not rebooted when the policy
+                                  runs. false indicates that target instances are
+                                  rebooted when the policy runs. The default is true
+                                  (instances are not rebooted).
+                                type: boolean
+                            type: object
+                          type: array
+                        policyType:
+                          description: The valid target resource types and actions
+                            a policy can manage. Specify EBS_SNAPSHOT_MANAGEMENT to
+                            create a lifecycle policy that manages the lifecycle of
+                            Amazon EBS snapshots. Specify IMAGE_MANAGEMENT to create
+                            a lifecycle policy that manages the lifecycle of EBS-backed
+                            AMIs. Specify EVENT_BASED_POLICY to create an event-based
+                            policy that performs specific actions when a defined event
+                            occurs in your AWS account. Default value is EBS_SNAPSHOT_MANAGEMENT.
+                          type: string
+                        resourceLocations:
+                          description: The location of the resources to backup. If
+                            the source resources are located in an AWS Region, specify
+                            CLOUD. If the source resources are located on an Outpost
+                            in your account, specify OUTPOST. If you specify OUTPOST,
+                            Amazon Data Lifecycle Manager backs up all resources of
+                            the specified type with matching target tags across all
+                            of the Outposts in your account. Valid values are CLOUD
+                            and OUTPOST.
+                          items:
+                            type: string
+                          type: array
+                        resourceTypes:
+                          description: A list of resource types that should be targeted
+                            by the lifecycle policy. Valid values are VOLUME and INSTANCE.
+                          items:
+                            type: string
+                          type: array
+                        schedule:
+                          description: See the schedule configuration block.
+                          items:
+                            properties:
+                              copyTags:
+                                description: Copy all user-defined tags on a source
+                                  volume to snapshots of the volume created by this
+                                  policy.
+                                type: boolean
+                              createRule:
+                                description: See the create_rule block. Max of 1 per
+                                  schedule.
+                                items:
+                                  properties:
+                                    cronExpression:
+                                      description: The schedule, as a Cron expression.
+                                        The schedule interval must be between 1 hour
+                                        and 1 year.
+                                      type: string
+                                    interval:
+                                      description: How often this lifecycle policy
+                                        should be evaluated. 1, 2,3,4,6,8,12 or 24
+                                        are valid values.
+                                      type: number
+                                    intervalUnit:
+                                      description: The unit for how often the lifecycle
+                                        policy should be evaluated. HOURS is currently
+                                        the only allowed value and also the default
+                                        value.
+                                      type: string
+                                    location:
+                                      description: Specifies the destination for snapshots
+                                        created by the policy. To create snapshots
+                                        in the same Region as the source resource,
+                                        specify CLOUD. To create snapshots on the
+                                        same Outpost as the source resource, specify
+                                        OUTPOST_LOCAL. If you omit this parameter,
+                                        CLOUD is used by default. If the policy targets
+                                        resources in an AWS Region, then you must
+                                        create snapshots in the same Region as the
+                                        source resource. If the policy targets resources
+                                        on an Outpost, then you can create snapshots
+                                        on the same Outpost as the source resource,
+                                        or in the Region of that Outpost. Valid values
+                                        are CLOUD and OUTPOST_LOCAL.
+                                      type: string
+                                    times:
+                                      description: A list of times in 24 hour clock
+                                        format that sets when the lifecycle policy
+                                        should be evaluated. Max of 1.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              crossRegionCopyRule:
+                                description: See the cross_region_copy_rule block.
+                                  Max of 3 per schedule.
+                                items:
+                                  properties:
+                                    cmkArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the AWS KMS key to use for EBS encryption.
+                                        If this parameter is not specified, the default
+                                        KMS key for the account is used.
+                                      type: string
+                                    copyTags:
+                                      description: Copy all user-defined tags on a
+                                        source volume to snapshots of the volume created
+                                        by this policy.
+                                      type: boolean
+                                    deprecateRule:
+                                      description: See the deprecate_rule block. Max
+                                        of 1 per schedule.
+                                      items:
+                                        properties:
+                                          interval:
+                                            description: How often this lifecycle
+                                              policy should be evaluated. 1, 2,3,4,6,8,12
+                                              or 24 are valid values.
+                                            type: number
+                                          intervalUnit:
+                                            description: The unit for how often the
+                                              lifecycle policy should be evaluated.
+                                              HOURS is currently the only allowed
+                                              value and also the default value.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    encrypted:
+                                      description: To encrypt a copy of an unencrypted
+                                        snapshot when encryption by default is not
+                                        enabled, enable encryption using this parameter.
+                                        Copies of encrypted snapshots are encrypted,
+                                        even if this parameter is false or when encryption
+                                        by default is not enabled.
+                                      type: boolean
+                                    retainRule:
+                                      description: Specifies the retention rule for
+                                        cross-Region snapshot copies. See the retain_rule
+                                        block. Max of 1 per action.
+                                      items:
+                                        properties:
+                                          interval:
+                                            description: How often this lifecycle
+                                              policy should be evaluated. 1, 2,3,4,6,8,12
+                                              or 24 are valid values.
+                                            type: number
+                                          intervalUnit:
+                                            description: The unit for how often the
+                                              lifecycle policy should be evaluated.
+                                              HOURS is currently the only allowed
+                                              value and also the default value.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    target:
+                                      description: The target Region or the Amazon
+                                        Resource Name (ARN) of the target Outpost
+                                        for the snapshot copies.
+                                      type: string
+                                  type: object
+                                type: array
+                              deprecateRule:
+                                description: See the deprecate_rule block. Max of
+                                  1 per schedule.
+                                items:
+                                  properties:
+                                    count:
+                                      description: Specifies the number of oldest
+                                        AMIs to deprecate. Must be an integer between
+                                        1 and 1000.
+                                      type: number
+                                    interval:
+                                      description: How often this lifecycle policy
+                                        should be evaluated. 1, 2,3,4,6,8,12 or 24
+                                        are valid values.
+                                      type: number
+                                    intervalUnit:
+                                      description: The unit for how often the lifecycle
+                                        policy should be evaluated. HOURS is currently
+                                        the only allowed value and also the default
+                                        value.
+                                      type: string
+                                  type: object
+                                type: array
+                              fastRestoreRule:
+                                description: See the fast_restore_rule block. Max
+                                  of 1 per schedule.
+                                items:
+                                  properties:
+                                    availabilityZones:
+                                      description: The Availability Zones in which
+                                        to enable fast snapshot restore.
+                                      items:
+                                        type: string
+                                      type: array
+                                    count:
+                                      description: Specifies the number of oldest
+                                        AMIs to deprecate. Must be an integer between
+                                        1 and 1000.
+                                      type: number
+                                    interval:
+                                      description: How often this lifecycle policy
+                                        should be evaluated. 1, 2,3,4,6,8,12 or 24
+                                        are valid values.
+                                      type: number
+                                    intervalUnit:
+                                      description: The unit for how often the lifecycle
+                                        policy should be evaluated. HOURS is currently
+                                        the only allowed value and also the default
+                                        value.
+                                      type: string
+                                  type: object
+                                type: array
+                              name:
+                                description: A descriptive name for the action.
+                                type: string
+                              retainRule:
+                                description: Specifies the retention rule for cross-Region
+                                  snapshot copies. See the retain_rule block. Max
+                                  of 1 per action.
+                                items:
+                                  properties:
+                                    count:
+                                      description: Specifies the number of oldest
+                                        AMIs to deprecate. Must be an integer between
+                                        1 and 1000.
+                                      type: number
+                                    interval:
+                                      description: How often this lifecycle policy
+                                        should be evaluated. 1, 2,3,4,6,8,12 or 24
+                                        are valid values.
+                                      type: number
+                                    intervalUnit:
+                                      description: The unit for how often the lifecycle
+                                        policy should be evaluated. HOURS is currently
+                                        the only allowed value and also the default
+                                        value.
+                                      type: string
+                                  type: object
+                                type: array
+                              shareRule:
+                                description: See the share_rule block. Max of 1 per
+                                  schedule.
+                                items:
+                                  properties:
+                                    targetAccounts:
+                                      description: The IDs of the AWS accounts with
+                                        which to share the snapshots.
+                                      items:
+                                        type: string
+                                      type: array
+                                    unshareInterval:
+                                      description: How often this lifecycle policy
+                                        should be evaluated. 1, 2,3,4,6,8,12 or 24
+                                        are valid values.
+                                      type: number
+                                    unshareIntervalUnit:
+                                      description: The unit for how often the lifecycle
+                                        policy should be evaluated. HOURS is currently
+                                        the only allowed value and also the default
+                                        value.
+                                      type: string
+                                  type: object
+                                type: array
+                              tagsToAdd:
+                                additionalProperties:
+                                  type: string
+                                description: A map of tag keys and their values. DLM
+                                  lifecycle policies will already tag the snapshot
+                                  with the tags on the volume. This configuration
+                                  adds extra tags on top of these.
+                                type: object
+                              variableTags:
+                                additionalProperties:
+                                  type: string
+                                description: A map of tag keys and variable values,
+                                  where the values are determined when the policy
+                                  is executed. Only $(instance-id) or $(timestamp)
+                                  are valid values. Can only be used when resource_types
+                                  is INSTANCE.
+                                type: object
+                            type: object
+                          type: array
+                        targetTags:
+                          additionalProperties:
+                            type: string
+                          description: A map of tag keys and their values. Any resources
+                            that match the resource_types and are tagged with any
+                            of these tags will be targeted.
+                          type: object
+                      type: object
+                    type: array
+                  state:
+                    description: Whether the lifecycle policy should be enabled or
+                      disabled. ENABLED or DISABLED are valid values. Defaults to
+                      ENABLED.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dms.aws.upbound.io_certificates.yaml b/package/crds/dms.aws.upbound.io_certificates.yaml
index 730c8b0237..3270e3f934 100644
--- a/package/crds/dms.aws.upbound.io_certificates.yaml
+++ b/package/crds/dms.aws.upbound.io_certificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -114,6 +118,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -295,6 +314,11 @@ spec:
                     type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dms.aws.upbound.io_endpoints.yaml b/package/crds/dms.aws.upbound.io_endpoints.yaml
index af8e01e89c..21a4187c45 100644
--- a/package/crds/dms.aws.upbound.io_endpoints.yaml
+++ b/package/crds/dms.aws.upbound.io_endpoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -802,10 +806,23 @@ spec:
                     description: User name to be used to login to the endpoint database.
                     type: string
                 required:
-                - endpointType
-                - engineName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -977,22 +994,531 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: endpointType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpointType)
+            - message: engineName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineName)
           status:
             description: EndpointStatus defines the observed state of Endpoint.
             properties:
               atProvider:
                 properties:
+                  certificateArn:
+                    description: ARN for the certificate.
+                    type: string
+                  databaseName:
+                    description: Name of the endpoint database.
+                    type: string
+                  elasticsearchSettings:
+                    description: Configuration block for OpenSearch settings. See
+                      below.
+                    items:
+                      properties:
+                        endpointUri:
+                          description: Endpoint for the OpenSearch cluster.
+                          type: string
+                        errorRetryDuration:
+                          description: Maximum number of seconds for which DMS retries
+                            failed API requests to the OpenSearch cluster. Default
+                            is 300.
+                          type: number
+                        fullLoadErrorPercentage:
+                          description: Maximum percentage of records that can fail
+                            to be written before a full load operation stops. Default
+                            is 10.
+                          type: number
+                        serviceAccessRoleArn:
+                          description: ARN of the IAM Role with permissions to write
+                            to the OpenSearch cluster.
+                          type: string
+                      type: object
+                    type: array
                   endpointArn:
                     description: ARN for the endpoint.
                     type: string
+                  endpointType:
+                    description: Type of endpoint. Valid values are source, target.
+                    type: string
+                  engineName:
+                    description: Type of engine for the endpoint. Valid values are
+                      aurora, aurora-postgresql, azuredb, db2, docdb, dynamodb, elasticsearch,
+                      kafka, kinesis, mariadb, mongodb, mysql, opensearch, oracle,
+                      postgres, redshift, s3, sqlserver, sybase. Please note that
+                      some of engine names are available only for target endpoint
+                      type (e.g. redshift).
+                    type: string
+                  extraConnectionAttributes:
+                    description: Additional attributes associated with the connection.
+                      For available attributes for a source Endpoint, see Sources
+                      for data migration. For available attributes for a target Endpoint,
+                      see Targets for data migration.
+                    type: string
                   id:
                     type: string
+                  kafkaSettings:
+                    description: Configuration block for Kafka settings. See below.
+                    items:
+                      properties:
+                        broker:
+                          description: Kafka broker location. Specify in the form
+                            broker-hostname-or-ip:port.
+                          type: string
+                        includeControlDetails:
+                          description: Shows detailed control information for table
+                            definition, column definition, and table and column changes
+                            in the Kafka message output. Default is false.
+                          type: boolean
+                        includeNullAndEmpty:
+                          description: Include NULL and empty columns for records
+                            migrated to the endpoint. Default is false.
+                          type: boolean
+                        includePartitionValue:
+                          description: Shows the partition value within the Kafka
+                            message output unless the partition type is schema-table-type.
+                            Default is false.
+                          type: boolean
+                        includeTableAlterOperations:
+                          description: Includes any data definition language (DDL)
+                            operations that change the table in the control data,
+                            such as rename-table, drop-table, add-column, drop-column,
+                            and rename-column. Default is false.
+                          type: boolean
+                        includeTransactionDetails:
+                          description: Provides detailed transaction information from
+                            the source database. This information includes a commit
+                            timestamp, a log position, and values for transaction_id,
+                            previous transaction_id, and transaction_record_id (the
+                            record offset within a transaction). Default is false.
+                          type: boolean
+                        messageFormat:
+                          description: Output format for the records created on the
+                            endpoint. Message format is JSON (default) or JSON_UNFORMATTED
+                            (a single line with no tab).
+                          type: string
+                        messageMaxBytes:
+                          description: Maximum size in bytes for records created on
+                            the endpoint Default is 1,000,000.
+                          type: number
+                        noHexPrefix:
+                          description: Set this optional parameter to true to avoid
+                            adding a '0x' prefix to raw data in hexadecimal format.
+                            For example, by default, AWS DMS adds a '0x' prefix to
+                            the LOB column type in hexadecimal format moving from
+                            an Oracle source to a Kafka target. Use the no_hex_prefix
+                            endpoint setting to enable migration of RAW data type
+                            columns without adding the '0x' prefix.
+                          type: boolean
+                        partitionIncludeSchemaTable:
+                          description: Prefixes schema and table names to partition
+                            values, when the partition type is primary-key-type. Doing
+                            this increases data distribution among Kafka partitions.
+                            For example, suppose that a SysBench schema has thousands
+                            of tables and each table has only limited range for a
+                            primary key. In this case, the same primary key is sent
+                            from thousands of tables to the same partition, which
+                            causes throttling. Default is false.
+                          type: boolean
+                        saslUsername:
+                          description: Secure user name you created when you first
+                            set up your MSK cluster to validate a client identity
+                            and make an encrypted connection between server and client
+                            using SASL-SSL authentication.
+                          type: string
+                        securityProtocol:
+                          description: Set secure connection to a Kafka target endpoint
+                            using Transport Layer Security (TLS). Options include
+                            ssl-encryption, ssl-authentication, and sasl-ssl. sasl-ssl
+                            requires sasl_username and sasl_password.
+                          type: string
+                        sslCaCertificateArn:
+                          description: ARN for the private certificate authority (CA)
+                            cert that AWS DMS uses to securely connect to your Kafka
+                            target endpoint.
+                          type: string
+                        sslClientCertificateArn:
+                          description: ARN of the client certificate used to securely
+                            connect to a Kafka target endpoint.
+                          type: string
+                        sslClientKeyArn:
+                          description: ARN for the client private key used to securely
+                            connect to a Kafka target endpoint.
+                          type: string
+                        topic:
+                          description: Kafka topic for migration. Default is kafka-default-topic.
+                          type: string
+                      type: object
+                    type: array
+                  kinesisSettings:
+                    description: Configuration block for Kinesis settings. See below.
+                    items:
+                      properties:
+                        includeControlDetails:
+                          description: Shows detailed control information for table
+                            definition, column definition, and table and column changes
+                            in the Kinesis message output. Default is false.
+                          type: boolean
+                        includeNullAndEmpty:
+                          description: Include NULL and empty columns in the target.
+                            Default is false.
+                          type: boolean
+                        includePartitionValue:
+                          description: Shows the partition value within the Kinesis
+                            message output, unless the partition type is schema-table-type.
+                            Default is false.
+                          type: boolean
+                        includeTableAlterOperations:
+                          description: Includes any data definition language (DDL)
+                            operations that change the table in the control data.
+                            Default is false.
+                          type: boolean
+                        includeTransactionDetails:
+                          description: Provides detailed transaction information from
+                            the source database. Default is false.
+                          type: boolean
+                        messageFormat:
+                          description: Output format for the records created. Default
+                            is json. Valid values are json and json-unformatted (a
+                            single line with no tab).
+                          type: string
+                        partitionIncludeSchemaTable:
+                          description: Prefixes schema and table names to partition
+                            values, when the partition type is primary-key-type. Default
+                            is false.
+                          type: boolean
+                        serviceAccessRoleArn:
+                          description: ARN of the IAM Role with permissions to write
+                            to the Kinesis data stream.
+                          type: string
+                        streamArn:
+                          description: ARN of the Kinesis data stream.
+                          type: string
+                      type: object
+                    type: array
+                  kmsKeyArn:
+                    description: ARN for the KMS key that will be used to encrypt
+                      the connection parameters. If you do not specify a value for
+                      kms_key_arn, then AWS DMS will use your default encryption key.
+                      AWS KMS creates the default encryption key for your AWS account.
+                      Your AWS account has a different default encryption key for
+                      each AWS region. To encrypt an S3 target with a KMS Key, use
+                      the parameter s3_settings.server_side_encryption_kms_key_id.
+                      When engine_name is redshift, kms_key_arn is the KMS Key for
+                      the Redshift target and the parameter redshift_settings.server_side_encryption_kms_key_id
+                      encrypts the S3 intermediate storage.
+                    type: string
+                  mongodbSettings:
+                    description: Configuration block for MongoDB settings. See below.
+                    items:
+                      properties:
+                        authMechanism:
+                          description: Authentication mechanism to access the MongoDB
+                            source endpoint. Default is default.
+                          type: string
+                        authSource:
+                          description: Authentication database name. Not used when
+                            auth_type is no. Default is admin.
+                          type: string
+                        authType:
+                          description: Authentication type to access the MongoDB source
+                            endpoint. Default is password.
+                          type: string
+                        docsToInvestigate:
+                          description: Number of documents to preview to determine
+                            the document organization. Use this setting when nesting_level
+                            is set to one. Default is 1000.
+                          type: string
+                        extractDocId:
+                          description: Document ID. Use this setting when nesting_level
+                            is set to none. Default is false.
+                          type: string
+                        nestingLevel:
+                          description: Specifies either document or table mode. Default
+                            is none. Valid values are one (table mode) and none (document
+                            mode).
+                          type: string
+                      type: object
+                    type: array
+                  port:
+                    description: Port used by the endpoint database.
+                    type: number
+                  redisSettings:
+                    items:
+                      properties:
+                        authType:
+                          description: Authentication type to access the MongoDB source
+                            endpoint. Default is password.
+                          type: string
+                        authUserName:
+                          description: The username provided with the auth-role option
+                            of the AuthType setting for a Redis target endpoint.
+                          type: string
+                        port:
+                          description: Port used by the endpoint database.
+                          type: number
+                        serverName:
+                          description: Host name of the server.
+                          type: string
+                        sslCaCertificateArn:
+                          description: The Amazon Resource Name (ARN) for the certificate
+                            authority (CA) that DMS uses to connect to your Redis
+                            target endpoint.
+                          type: string
+                        sslSecurityProtocol:
+                          description: The plaintext option doesn't provide Transport
+                            Layer Security (TLS) encryption for traffic between endpoint
+                            and database. Options include plaintext, ssl-encryption.
+                            The default is ssl-encryption.
+                          type: string
+                      type: object
+                    type: array
+                  redshiftSettings:
+                    description: Configuration block for Redshift settings. See below.
+                    items:
+                      properties:
+                        bucketFolder:
+                          description: Custom S3 Bucket Object prefix for intermediate
+                            storage.
+                          type: string
+                        bucketName:
+                          description: Custom S3 Bucket name for intermediate storage.
+                          type: string
+                        encryptionMode:
+                          description: The server-side encryption mode that you want
+                            to encrypt your intermediate .csv object files copied
+                            to S3. Defaults to SSE_S3. Valid values are SSE_S3 and
+                            SSE_KMS.
+                          type: string
+                        serverSideEncryptionKmsKeyId:
+                          description: ARN or Id of KMS Key to use when encryption_mode
+                            is SSE_KMS.
+                          type: string
+                        serviceAccessRoleArn:
+                          description: Amazon Resource Name (ARN) of the IAM Role
+                            with permissions to read from or write to the S3 Bucket
+                            for intermediate storage.
+                          type: string
+                      type: object
+                    type: array
+                  s3Settings:
+                    description: Configuration block for S3 settings. See below.
+                    items:
+                      properties:
+                        addColumnName:
+                          description: Whether to add column name information to the
+                            .csv output file. Default is false.
+                          type: boolean
+                        bucketFolder:
+                          description: S3 object prefix.
+                          type: string
+                        bucketName:
+                          description: S3 bucket name.
+                          type: string
+                        cannedAclForObjects:
+                          description: Predefined (canned) access control list for
+                            objects created in an S3 bucket. Valid values include
+                            none, private, public-read, public-read-write, authenticated-read,
+                            aws-exec-read, bucket-owner-read, and bucket-owner-full-control.
+                            Default is none.
+                          type: string
+                        cdcInsertsAndUpdates:
+                          description: Whether to write insert and update operations
+                            to .csv or .parquet output files. Default is false.
+                          type: boolean
+                        cdcInsertsOnly:
+                          description: Whether to write insert operations to .csv
+                            or .parquet output files. Default is false.
+                          type: boolean
+                        cdcMaxBatchInterval:
+                          description: Maximum length of the interval, defined in
+                            seconds, after which to output a file to Amazon S3. Default
+                            is 60.
+                          type: number
+                        cdcMinFileSize:
+                          description: 'Minimum file size condition as defined in
+                            kilobytes to output a file to Amazon S3. Default is 32000.
+                            NOTE: Previously, this setting was measured in megabytes
+                            but now represents kilobytes. Update configurations accordingly.'
+                          type: number
+                        cdcPath:
+                          description: Folder path of CDC files. For an S3 source,
+                            this setting is required if a task captures change data;
+                            otherwise, it's optional. If cdc_path is set, AWS DMS
+                            reads CDC files from this path and replicates the data
+                            changes to the target endpoint. Supported in AWS DMS versions
+                            3.4.2 and later.
+                          type: string
+                        compressionType:
+                          description: Set to compress target files. Default is NONE.
+                            Valid values are GZIP and NONE.
+                          type: string
+                        csvDelimiter:
+                          description: Delimiter used to separate columns in the source
+                            files. Default is ,.
+                          type: string
+                        csvNoSupValue:
+                          description: String to use for all columns not included
+                            in the supplemental log.
+                          type: string
+                        csvNullValue:
+                          description: String to as null when writing to the target.
+                          type: string
+                        csvRowDelimiter:
+                          description: Delimiter used to separate rows in the source
+                            files. Default is \n.
+                          type: string
+                        dataFormat:
+                          description: Output format for the files that AWS DMS uses
+                            to create S3 objects. Valid values are csv and parquet.
+                            Default is csv.
+                          type: string
+                        dataPageSize:
+                          description: Size of one data page in bytes. Default is
+                            1048576 (1 MiB).
+                          type: number
+                        datePartitionDelimiter:
+                          description: Date separating delimiter to use during folder
+                            partitioning. Valid values are SLASH, UNDERSCORE, DASH,
+                            and NONE. Default is SLASH.
+                          type: string
+                        datePartitionEnabled:
+                          description: Partition S3 bucket folders based on transaction
+                            commit dates. Default is false.
+                          type: boolean
+                        datePartitionSequence:
+                          description: Date format to use during folder partitioning.
+                            Use this parameter when date_partition_enabled is set
+                            to true. Valid values are YYYYMMDD, YYYYMMDDHH, YYYYMM,
+                            MMYYYYDD, and DDMMYYYY. Default is YYYYMMDD.
+                          type: string
+                        dictPageSizeLimit:
+                          description: Maximum size in bytes of an encoded dictionary
+                            page of a column. Default is 1048576 (1 MiB).
+                          type: number
+                        enableStatistics:
+                          description: Whether to enable statistics for Parquet pages
+                            and row groups. Default is true.
+                          type: boolean
+                        encodingType:
+                          description: Type of encoding to use. Value values are rle_dictionary,
+                            plain, and plain_dictionary. Default is rle_dictionary.
+                          type: string
+                        encryptionMode:
+                          description: Server-side encryption mode that you want to
+                            encrypt your .csv or .parquet object files copied to S3.
+                            Valid values are SSE_S3 and SSE_KMS. Default is SSE_S3.
+                          type: string
+                        externalTableDefinition:
+                          description: JSON document that describes how AWS DMS should
+                            interpret the data.
+                          type: string
+                        ignoreHeaderRows:
+                          description: When this value is set to 1, DMS ignores the
+                            first row header in a .csv file. Default is 0.
+                          type: number
+                        ignoreHeadersRow:
+                          description: Deprecated. This setting has no effect. Will
+                            be removed in a future version. This setting has no effect,
+                            is deprecated, and will be removed in a future version
+                          type: number
+                        includeOpForFullLoad:
+                          description: Whether to enable a full load to write INSERT
+                            operations to the .csv output files only to indicate how
+                            the rows were added to the source database. Default is
+                            false.
+                          type: boolean
+                        maxFileSize:
+                          description: Maximum size (in KB) of any .csv file to be
+                            created while migrating to an S3 target during full load.
+                            Valid values are from 1 to 1048576. Default is 1048576
+                            (1 GB).
+                          type: number
+                        parquetTimestampInMillisecond:
+                          description: '- Specifies the precision of any TIMESTAMP
+                            column values written to an S3 object file in .parquet
+                            format. Default is false.'
+                          type: boolean
+                        parquetVersion:
+                          description: Version of the .parquet file format. Default
+                            is parquet-1-0. Valid values are parquet-1-0 and parquet-2-0.
+                          type: string
+                        preserveTransactions:
+                          description: Whether DMS saves the transaction order for
+                            a CDC load on the S3 target specified by cdc_path. Default
+                            is false.
+                          type: boolean
+                        rfc4180:
+                          description: For an S3 source, whether each leading double
+                            quotation mark has to be followed by an ending double
+                            quotation mark. Default is true.
+                          type: boolean
+                        rowGroupLength:
+                          description: Number of rows in a row group. Default is 10000.
+                          type: number
+                        serverSideEncryptionKmsKeyId:
+                          description: ARN or Id of KMS Key to use when encryption_mode
+                            is SSE_KMS.
+                          type: string
+                        serviceAccessRoleArn:
+                          description: ARN of the IAM Role with permissions to read
+                            from or write to the S3 Bucket.
+                          type: string
+                        timestampColumnName:
+                          description: Column to add with timestamp information to
+                            the endpoint data for an Amazon S3 target.
+                          type: string
+                        useCsvNoSupValue:
+                          description: Whether to use csv_no_sup_value for columns
+                            not included in the supplemental log.
+                          type: boolean
+                        useTaskStartTimeForFullLoadTimestamp:
+                          description: When set to true, uses the task start time
+                            as the timestamp column value instead of the time data
+                            is written to target. For full load, when set to true,
+                            each row of the timestamp column contains the task start
+                            time. For CDC loads, each row of the timestamp column
+                            contains the transaction commit time. When set to false,
+                            the full load timestamp in the timestamp column increments
+                            with the time data arrives at the target. Default is false.
+                          type: boolean
+                      type: object
+                    type: array
+                  secretsManagerAccessRoleArn:
+                    description: ARN of the IAM role that specifies AWS DMS as the
+                      trusted entity and has the required permissions to access the
+                      value in SecretsManagerSecret.
+                    type: string
+                  secretsManagerArn:
+                    description: Full ARN, partial ARN, or friendly name of the SecretsManagerSecret
+                      that contains the endpoint connection details. Supported only
+                      when engine_name is aurora, aurora-postgresql, mariadb, mongodb,
+                      mysql, oracle, postgres, redshift, or sqlserver.
+                    type: string
+                  serverName:
+                    description: Host name of the server.
+                    type: string
+                  serviceAccessRole:
+                    description: ARN used by the service access IAM role for dynamodb
+                      endpoints.
+                    type: string
+                  sslMode:
+                    description: SSL mode to use for the connection. Valid values
+                      are none, require, verify-ca, verify-full
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  username:
+                    description: User name to be used to login to the endpoint database.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dms.aws.upbound.io_eventsubscriptions.yaml b/package/crds/dms.aws.upbound.io_eventsubscriptions.yaml
index 1464047c5d..e2cb5ebd1c 100644
--- a/package/crds/dms.aws.upbound.io_eventsubscriptions.yaml
+++ b/package/crds/dms.aws.upbound.io_eventsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -168,9 +172,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - eventCategories
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -342,6 +360,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: eventCategories is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventCategories)
           status:
             description: EventSubscriptionStatus defines the observed state of EventSubscription.
             properties:
@@ -350,8 +371,34 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the DMS Event Subscription.
                     type: string
+                  enabled:
+                    description: Whether the event subscription should be enabled.
+                    type: boolean
+                  eventCategories:
+                    description: List of event categories to listen for, see DescribeEventCategories
+                      for a canonical list.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  snsTopicArn:
+                    description: SNS topic arn to send events on.
+                    type: string
+                  sourceIds:
+                    description: Ids of sources to listen to.
+                    items:
+                      type: string
+                    type: array
+                  sourceType:
+                    description: 'Type of source for events. Valid values: replication-instance
+                      or replication-task'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dms.aws.upbound.io_replicationinstances.yaml b/package/crds/dms.aws.upbound.io_replicationinstances.yaml
index e476177f84..33a5a1e3b7 100644
--- a/package/crds/dms.aws.upbound.io_replicationinstances.yaml
+++ b/package/crds/dms.aws.upbound.io_replicationinstances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -364,8 +368,22 @@ spec:
                     type: array
                 required:
                 - region
-                - replicationInstanceClass
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -537,17 +555,73 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: replicationInstanceClass is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicationInstanceClass)
           status:
             description: ReplicationInstanceStatus defines the observed state of ReplicationInstance.
             properties:
               atProvider:
                 properties:
+                  allocatedStorage:
+                    description: The amount of storage (in gigabytes) to be initially
+                      allocated for the replication instance.
+                    type: number
+                  allowMajorVersionUpgrade:
+                    description: Indicates that major version upgrades are allowed.
+                    type: boolean
+                  applyImmediately:
+                    description: Indicates whether the changes should be applied immediately
+                      or during the next maintenance window. Only used when updating
+                      an existing resource.
+                    type: boolean
+                  autoMinorVersionUpgrade:
+                    description: Indicates that minor engine upgrades will be applied
+                      automatically to the replication instance during the maintenance
+                      window.
+                    type: boolean
+                  availabilityZone:
+                    description: The EC2 Availability Zone that the replication instance
+                      will be created in.
+                    type: string
+                  engineVersion:
+                    description: The engine version number of the replication instance.
+                    type: string
                   id:
                     type: string
+                  kmsKeyArn:
+                    description: The Amazon Resource Name (ARN) for the KMS key that
+                      will be used to encrypt the connection parameters. If you do
+                      not specify a value for kms_key_arn, then AWS DMS will use your
+                      default encryption key. AWS KMS creates the default encryption
+                      key for your AWS account. Your AWS account has a different default
+                      encryption key for each AWS region.
+                    type: string
+                  multiAz:
+                    description: Specifies if the replication instance is a multi-az
+                      deployment. You cannot set the availability_zone parameter if
+                      the multi_az parameter is set to true.
+                    type: boolean
+                  preferredMaintenanceWindow:
+                    description: The weekly time range during which system maintenance
+                      can occur, in Universal Coordinated Time (UTC).
+                    type: string
+                  publiclyAccessible:
+                    description: Specifies the accessibility options for the replication
+                      instance. A value of true represents an instance with a public
+                      IP address. A value of false represents an instance with a private
+                      IP address.
+                    type: boolean
                   replicationInstanceArn:
                     description: The Amazon Resource Name (ARN) of the replication
                       instance.
                     type: string
+                  replicationInstanceClass:
+                    description: The compute and memory capacity of the replication
+                      instance as specified by the replication instance class. See
+                      AWS DMS User Guide for available instance sizes and advice on
+                      which one to choose.
+                    type: string
                   replicationInstancePrivateIps:
                     description: A list of the private IP addresses of the replication
                       instance.
@@ -560,6 +634,15 @@ spec:
                     items:
                       type: string
                     type: array
+                  replicationSubnetGroupId:
+                    description: A subnet group to associate with the replication
+                      instance.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -567,6 +650,13 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcSecurityGroupIds:
+                    description: A list of VPC security group IDs to be used with
+                      the replication instance. The VPC security groups must work
+                      with the VPC containing the replication instance.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dms.aws.upbound.io_replicationsubnetgroups.yaml b/package/crds/dms.aws.upbound.io_replicationsubnetgroups.yaml
index f2d8a9a043..8449c20afa 100644
--- a/package/crds/dms.aws.upbound.io_replicationsubnetgroups.yaml
+++ b/package/crds/dms.aws.upbound.io_replicationsubnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,8 +165,22 @@ spec:
                     type: object
                 required:
                 - region
-                - replicationSubnetGroupDescription
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,6 +352,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: replicationSubnetGroupDescription is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replicationSubnetGroupDescription)
           status:
             description: ReplicationSubnetGroupStatus defines the observed state of
               ReplicationSubnetGroup.
@@ -344,6 +365,20 @@ spec:
                     type: string
                   replicationSubnetGroupArn:
                     type: string
+                  replicationSubnetGroupDescription:
+                    description: Description for the subnet group.
+                    type: string
+                  subnetIds:
+                    description: List of at least 2 EC2 subnet IDs for the subnet
+                      group. The subnets must cover at least 2 availability zones.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dms.aws.upbound.io_replicationtasks.yaml b/package/crds/dms.aws.upbound.io_replicationtasks.yaml
index 07b841e015..9e8aacea21 100644
--- a/package/crds/dms.aws.upbound.io_replicationtasks.yaml
+++ b/package/crds/dms.aws.upbound.io_replicationtasks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -335,10 +339,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - migrationType
                 - region
-                - tableMappings
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -510,20 +527,66 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: migrationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.migrationType)
+            - message: tableMappings is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tableMappings)
           status:
             description: ReplicationTaskStatus defines the observed state of ReplicationTask.
             properties:
               atProvider:
                 properties:
+                  cdcStartPosition:
+                    description: Indicates when you want a change data capture (CDC)
+                      operation to start. The value can be in date, checkpoint, or
+                      LSN/SCN format depending on the source engine. For more information,
+                      see Determining a CDC native start point.
+                    type: string
+                  cdcStartTime:
+                    description: The Unix timestamp integer for the start of the Change
+                      Data Capture (CDC) operation.
+                    type: string
                   id:
                     type: string
+                  migrationType:
+                    description: The migration type. Can be one of full-load | cdc
+                      | full-load-and-cdc.
+                    type: string
+                  replicationInstanceArn:
+                    description: The Amazon Resource Name (ARN) of the replication
+                      instance.
+                    type: string
                   replicationTaskArn:
                     description: The Amazon Resource Name (ARN) for the replication
                       task.
                     type: string
+                  replicationTaskSettings:
+                    description: An escaped JSON string that contains the task settings.
+                      For a complete list of task settings, see Task Settings for
+                      AWS Database Migration Service Tasks.
+                    type: string
+                  sourceEndpointArn:
+                    description: The Amazon Resource Name (ARN) string that uniquely
+                      identifies the source endpoint.
+                    type: string
+                  startReplicationTask:
+                    description: Whether to run or stop the replication task.
+                    type: boolean
                   status:
                     description: Replication Task status.
                     type: string
+                  tableMappings:
+                    description: An escaped JSON string that contains the table mappings.
+                      For information on table mapping see Using Table Mapping with
+                      an AWS Database Migration Service Task to Select and Filter
+                      Data
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -531,6 +594,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetEndpointArn:
+                    description: The Amazon Resource Name (ARN) string that uniquely
+                      identifies the target endpoint.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dms.aws.upbound.io_s3endpoints.yaml b/package/crds/dms.aws.upbound.io_s3endpoints.yaml
index 8350d5235c..430a1fd586 100644
--- a/package/crds/dms.aws.upbound.io_s3endpoints.yaml
+++ b/package/crds/dms.aws.upbound.io_s3endpoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -498,10 +502,23 @@ spec:
                       is false.
                     type: boolean
                 required:
-                - bucketName
-                - endpointType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -673,33 +690,248 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: bucketName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bucketName)
+            - message: endpointType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpointType)
           status:
             description: S3EndpointStatus defines the observed state of S3Endpoint.
             properties:
               atProvider:
                 properties:
+                  addColumnName:
+                    description: Whether to add column name information to the .csv
+                      output file. Default is false.
+                    type: boolean
+                  addTrailingPaddingCharacter:
+                    description: Whether to add padding. Default is false. (Ignored
+                      for source endpoints.)
+                    type: boolean
+                  bucketFolder:
+                    description: S3 object prefix.
+                    type: string
+                  bucketName:
+                    description: S3 bucket name.
+                    type: string
+                  cannedAclForObjects:
+                    description: Predefined (canned) access control list for objects
+                      created in an S3 bucket. Valid values include NONE, PRIVATE,
+                      PUBLIC_READ, PUBLIC_READ_WRITE, AUTHENTICATED_READ, AWS_EXEC_READ,
+                      BUCKET_OWNER_READ, and BUCKET_OWNER_FULL_CONTROL. (AWS default
+                      is NONE.)
+                    type: string
+                  cdcInsertsAndUpdates:
+                    description: Whether to write insert and update operations to
+                      .csv or .parquet output files. Default is false.
+                    type: boolean
+                  cdcInsertsOnly:
+                    description: Whether to write insert operations to .csv or .parquet
+                      output files. Default is false.
+                    type: boolean
+                  cdcMaxBatchInterval:
+                    description: Maximum length of the interval, defined in seconds,
+                      after which to output a file to Amazon S3. (AWS default is 60.)
+                    type: number
+                  cdcMinFileSize:
+                    description: Minimum file size condition as defined in kilobytes
+                      to output a file to Amazon S3. (AWS default is 32000 KB.)
+                    type: number
+                  cdcPath:
+                    description: Folder path of CDC files. If cdc_path is set, AWS
+                      DMS reads CDC files from this path and replicates the data changes
+                      to the target endpoint. Supported in AWS DMS versions 3.4.2
+                      and later.
+                    type: string
+                  certificateArn:
+                    description: ARN for the certificate.
+                    type: string
+                  compressionType:
+                    description: Set to compress target files. Valid values are GZIP
+                      and NONE. Default is NONE. (Ignored for source endpoints.)
+                    type: string
+                  csvDelimiter:
+                    description: Delimiter used to separate columns in the source
+                      files. Default is ,.
+                    type: string
+                  csvNoSupValue:
+                    description: Only applies if output files for a CDC load are written
+                      in .csv format. If use_csv_no_sup_value is set to true, string
+                      to use for all columns not included in the supplemental log.
+                      If you do not specify a string value, DMS uses the null value
+                      for these columns regardless of use_csv_no_sup_value. (Ignored
+                      for source endpoints.)
+                    type: string
+                  csvNullValue:
+                    description: String to as null when writing to the target. (AWS
+                      default is NULL.)
+                    type: string
+                  csvRowDelimiter:
+                    description: Delimiter used to separate rows in the source files.
+                      Default is newline (i.e., \n).
+                    type: string
+                  dataFormat:
+                    description: Output format for the files that AWS DMS uses to
+                      create S3 objects. Valid values are csv and parquet.  (Ignored
+                      for source endpoints -- only csv is valid.)
+                    type: string
+                  dataPageSize:
+                    description: Size of one data page in bytes. (AWS default is 1
+                      MiB, i.e., 1048576.)
+                    type: number
+                  datePartitionDelimiter:
+                    description: Date separating delimiter to use during folder partitioning.
+                      Valid values are SLASH, UNDERSCORE, DASH, and NONE. (AWS default
+                      is SLASH.) (Ignored for source endpoints.)
+                    type: string
+                  datePartitionEnabled:
+                    description: Partition S3 bucket folders based on transaction
+                      commit dates. Default is false. (Ignored for source endpoints.)
+                    type: boolean
+                  datePartitionSequence:
+                    description: Date format to use during folder partitioning. Use
+                      this parameter when date_partition_enabled is set to true. Valid
+                      values are YYYYMMDD, YYYYMMDDHH, YYYYMM, MMYYYYDD, and DDMMYYYY.
+                      (AWS default is YYYYMMDD.) (Ignored for source endpoints.)
+                    type: string
+                  datePartitionTimezone:
+                    description: Convert the current UTC time to a timezone. The conversion
+                      occurs when a date partition folder is created and a CDC filename
+                      is generated. The timezone format is Area/Location (e.g., Europe/Paris).
+                      Use this when date_partition_enabled is true. (Ignored for source
+                      endpoints.)
+                    type: string
+                  dictPageSizeLimit:
+                    description: Maximum size in bytes of an encoded dictionary page
+                      of a column. (AWS default is 1 MiB, i.e., 1048576.)
+                    type: number
+                  enableStatistics:
+                    description: Whether to enable statistics for Parquet pages and
+                      row groups. Default is true.
+                    type: boolean
+                  encodingType:
+                    description: Type of encoding to use. Value values are rle_dictionary,
+                      plain, and plain_dictionary. (AWS default is rle_dictionary.)
+                    type: string
+                  encryptionMode:
+                    description: Server-side encryption mode that you want to encrypt
+                      your .csv or .parquet object files copied to S3. Valid values
+                      are SSE_S3 and SSE_KMS. (AWS default is SSE_S3.) (Ignored for
+                      source endpoints -- only SSE_S3 is valid.)
+                    type: string
                   endpointArn:
                     description: ARN for the endpoint.
                     type: string
+                  endpointType:
+                    description: Type of endpoint. Valid values are source, target.
+                    type: string
                   engineDisplayName:
                     description: Expanded name for the engine name.
                     type: string
+                  expectedBucketOwner:
+                    description: Bucket owner to prevent sniping. Value is an AWS
+                      account ID.
+                    type: string
                   externalId:
                     description: Can be used for cross-account validation. Use it
                       in another account with aws_dms_s3_endpoint to create the endpoint
                       cross-account.
                     type: string
+                  externalTableDefinition:
+                    description: JSON document that describes how AWS DMS should interpret
+                      the data.
+                    type: string
                   id:
                     type: string
+                  ignoreHeaderRows:
+                    description: When this value is set to 1, DMS ignores the first
+                      row header in a .csv file. (AWS default is 0.)
+                    type: number
+                  includeOpForFullLoad:
+                    description: Whether to enable a full load to write INSERT operations
+                      to the .csv output files only to indicate how the rows were
+                      added to the source database. Default is false.
+                    type: boolean
+                  kmsKeyArn:
+                    description: ARN for the KMS key that will be used to encrypt
+                      the connection parameters. If you do not specify a value for
+                      kms_key_arn, then AWS DMS will use your default encryption key.
+                      AWS KMS creates the default encryption key for your AWS account.
+                      Your AWS account has a different default encryption key for
+                      each AWS region.
+                    type: string
+                  maxFileSize:
+                    description: Maximum size (in KB) of any .csv file to be created
+                      while migrating to an S3 target during full load. Valid values
+                      are from 1 to 1048576. (AWS default is 1 GB, i.e., 1048576.)
+                    type: number
+                  parquetTimestampInMillisecond:
+                    description: '- Specifies the precision of any TIMESTAMP column
+                      values written to an S3 object file in .parquet format. Default
+                      is false. (Ignored for source endpoints.)'
+                    type: boolean
+                  parquetVersion:
+                    description: Version of the .parquet file format. Valid values
+                      are parquet-1-0 and parquet-2-0. (AWS default is parquet-1-0.)
+                      (Ignored for source endpoints.)
+                    type: string
+                  preserveTransactions:
+                    description: Whether DMS saves the transaction order for a CDC
+                      load on the S3 target specified by cdc_path. Default is false.
+                      (Ignored for source endpoints.)
+                    type: boolean
+                  rfc4180:
+                    description: For an S3 source, whether each leading double quotation
+                      mark has to be followed by an ending double quotation mark.
+                      Default is true.
+                    type: boolean
+                  rowGroupLength:
+                    description: Number of rows in a row group. (AWS default is 10000.)
+                    type: number
+                  serverSideEncryptionKmsKeyId:
+                    description: When encryption_mode is SSE_KMS, ARN for the AWS
+                      KMS key. (Ignored for source endpoints -- only SSE_S3 encryption_mode
+                      is valid.)
+                    type: string
+                  serviceAccessRoleArn:
+                    description: ARN of the IAM role with permissions to the S3 Bucket.
+                    type: string
+                  sslMode:
+                    description: SSL mode to use for the connection. Valid values
+                      are none, require, verify-ca, verify-full. (AWS default is none.)
+                    type: string
                   status:
                     description: Status of the endpoint.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  timestampColumnName:
+                    description: Column to add with timestamp information to the endpoint
+                      data for an Amazon S3 target.
+                    type: string
+                  useCsvNoSupValue:
+                    description: Whether to use csv_no_sup_value for columns not included
+                      in the supplemental log. (Ignored for source endpoints.)
+                    type: boolean
+                  useTaskStartTimeForFullLoadTimestamp:
+                    description: When set to true, uses the task start time as the
+                      timestamp column value instead of the time data is written to
+                      target. For full load, when set to true, each row of the timestamp
+                      column contains the task start time. For CDC loads, each row
+                      of the timestamp column contains the transaction commit time.When
+                      set to false, the full load timestamp in the timestamp column
+                      increments with the time data arrives at the target. Default
+                      is false.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/docdb.aws.upbound.io_clusterinstances.yaml b/package/crds/docdb.aws.upbound.io_clusterinstances.yaml
index ef4502d875..4fcd48ea57 100644
--- a/package/crds/docdb.aws.upbound.io_clusterinstances.yaml
+++ b/package/crds/docdb.aws.upbound.io_clusterinstances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -198,9 +202,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - instanceClass
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -372,14 +390,38 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceClass is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)
           status:
             description: ClusterInstanceStatus defines the observed state of ClusterInstance.
             properties:
               atProvider:
                 properties:
+                  applyImmediately:
+                    description: Specifies whether any database modifications are
+                      applied immediately, or during the next maintenance window.
+                      Default isfalse.
+                    type: boolean
                   arn:
                     description: Amazon Resource Name (ARN) of cluster instance
                     type: string
+                  autoMinorVersionUpgrade:
+                    description: This parameter does not apply to Amazon DocumentDB.
+                      Amazon DocumentDB does not perform minor version upgrades regardless
+                      of the value set (see docs). Default true.
+                    type: boolean
+                  availabilityZone:
+                    description: The EC2 Availability Zone that the DB instance is
+                      created in. See docs about the details.
+                    type: string
+                  caCertIdentifier:
+                    description: The identifier of the CA certificate for the DB instance.
+                    type: string
+                  clusterIdentifier:
+                    description: The identifier of the aws_docdb_cluster in which
+                      to launch this instance.
+                    type: string
                   dbSubnetGroupName:
                     description: The DB subnet group to associate with this DB instance.
                     type: string
@@ -387,18 +429,39 @@ spec:
                     description: The region-unique, immutable identifier for the DB
                       instance.
                     type: string
+                  enablePerformanceInsights:
+                    description: A value that indicates whether to enable Performance
+                      Insights for the DB Instance. Default false. See [docs] (https://docs.aws.amazon.com/documentdb/latest/developerguide/performance-insights.html)
+                      about the details.
+                    type: boolean
                   endpoint:
                     description: The DNS address for this instance. May not be writable
                     type: string
+                  engine:
+                    description: 'The name of the database engine to be used for the
+                      DocDB instance. Defaults to docdb. Valid Values: docdb.'
+                    type: string
                   engineVersion:
                     description: The database engine version
                     type: string
                   id:
                     type: string
+                  instanceClass:
+                    description: The instance class to use. For details on CPU and
+                      memory, see Scaling for DocDB Instances. DocDB currently supports
+                      the below instance classes. Please see AWS Documentation for
+                      complete details.
+                    type: string
                   kmsKeyId:
                     description: The ARN for the KMS encryption key if one is set
                       to the cluster.
                     type: string
+                  performanceInsightsKmsKeyId:
+                    description: The KMS key identifier is the key ARN, key ID, alias
+                      ARN, or alias name for the KMS key. If you do not specify a
+                      value for PerformanceInsightsKMSKeyId, then Amazon DocumentDB
+                      uses your default KMS key.
+                    type: string
                   port:
                     description: The database port
                     type: number
@@ -406,11 +469,25 @@ spec:
                     description: The daily time range during which automated backups
                       are created if automated backups are enabled.
                     type: string
+                  preferredMaintenanceWindow:
+                    description: 'The window to perform maintenance in. Syntax: "ddd:hh24:mi-ddd:hh24:mi".
+                      Eg: "Mon:00:00-Mon:03:00".'
+                    type: string
+                  promotionTier:
+                    description: Default 0. Failover Priority setting on instance
+                      level. The reader who has lower tier has higher priority to
+                      get promoter to writer.
+                    type: number
                   publiclyAccessible:
                     type: boolean
                   storageEncrypted:
                     description: Specifies whether the DB cluster is encrypted.
                     type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/docdb.aws.upbound.io_clusterparametergroups.yaml b/package/crds/docdb.aws.upbound.io_clusterparametergroups.yaml
index 927273f0d6..d0e7249dae 100644
--- a/package/crds/docdb.aws.upbound.io_clusterparametergroups.yaml
+++ b/package/crds/docdb.aws.upbound.io_clusterparametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -103,9 +107,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -277,6 +295,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
           status:
             description: ClusterParameterGroupStatus defines the observed state of
               ClusterParameterGroup.
@@ -286,9 +307,40 @@ spec:
                   arn:
                     description: The ARN of the documentDB cluster parameter group.
                     type: string
+                  description:
+                    description: The description of the documentDB cluster parameter
+                      group.
+                    type: string
+                  family:
+                    description: The family of the documentDB cluster parameter group.
+                    type: string
                   id:
                     description: The documentDB cluster parameter group name.
                     type: string
+                  parameter:
+                    description: A list of documentDB parameters to apply. Setting
+                      parameters to system default values may show a difference on
+                      imported resources.
+                    items:
+                      properties:
+                        applyMethod:
+                          description: Valid values are immediate and pending-reboot.
+                            Defaults to pending-reboot.
+                          type: string
+                        name:
+                          description: The name of the documentDB cluster parameter
+                            group.
+                          type: string
+                        value:
+                          description: The value of the documentDB parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/docdb.aws.upbound.io_clusters.yaml b/package/crds/docdb.aws.upbound.io_clusters.yaml
index 0d108d7a84..307eebe7ec 100644
--- a/package/crds/docdb.aws.upbound.io_clusters.yaml
+++ b/package/crds/docdb.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -335,6 +339,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -511,9 +530,23 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applyImmediately:
+                    description: Specifies whether any cluster modifications are applied
+                      immediately, or during the next maintenance window. Default
+                      is false.
+                    type: boolean
                   arn:
                     description: Amazon Resource Name (ARN) of cluster
                     type: string
+                  availabilityZones:
+                    description: A list of EC2 Availability Zones that instances in
+                      the DB cluster can be created in.
+                    items:
+                      type: string
+                    type: array
+                  backupRetentionPeriod:
+                    description: The days to retain backups for. Default 1
+                    type: number
                   clusterMembers:
                     description: – List of DocDB Instances that are a part of this
                       cluster
@@ -523,19 +556,94 @@ spec:
                   clusterResourceId:
                     description: The DocDB Cluster Resource ID
                     type: string
+                  dbClusterParameterGroupName:
+                    description: A cluster parameter group to associate with the cluster.
+                    type: string
+                  dbSubnetGroupName:
+                    description: A DB subnet group to associate with this DB instance.
+                    type: string
+                  deletionProtection:
+                    description: A value that indicates whether the DB cluster has
+                      deletion protection enabled. The database can't be deleted when
+                      deletion protection is enabled. By default, deletion protection
+                      is disabled.
+                    type: boolean
+                  enabledCloudwatchLogsExports:
+                    description: 'List of log types to export to cloudwatch. If omitted,
+                      no logs will be exported. The following log types are supported:
+                      audit, profiler.'
+                    items:
+                      type: string
+                    type: array
                   endpoint:
                     description: The DNS address of the DocDB instance
                     type: string
+                  engine:
+                    description: 'The name of the database engine to be used for this
+                      DB cluster. Defaults to docdb. Valid Values: docdb'
+                    type: string
+                  engineVersion:
+                    description: The database engine version. Updating this argument
+                      results in an outage.
+                    type: string
+                  finalSnapshotIdentifier:
+                    description: The name of your final DB snapshot when this DB cluster
+                      is deleted. If omitted, no final snapshot will be made.
+                    type: string
+                  globalClusterIdentifier:
+                    description: The global cluster identifier specified on aws_docdb_global_cluster.
+                    type: string
                   hostedZoneId:
                     description: The Route53 Hosted Zone ID of the endpoint
                     type: string
                   id:
                     description: The DocDB Cluster Identifier
                     type: string
+                  kmsKeyId:
+                    description: The ARN for the KMS encryption key. When specifying
+                      kms_key_id, storage_encrypted needs to be set to true.
+                    type: string
+                  masterUsername:
+                    description: Username for the master DB user.
+                    type: string
+                  port:
+                    description: The port on which the DB accepts connections
+                    type: number
+                  preferredBackupWindow:
+                    description: 'The daily time range during which automated backups
+                      are created if automated backups are enabled using the BackupRetentionPeriod
+                      parameter.Time in UTC Default: A 30-minute window selected at
+                      random from an 8-hour block of time per regionE.g., 04:00-09:00'
+                    type: string
+                  preferredMaintenanceWindow:
+                    description: The weekly time range during which system maintenance
+                      can occur, in (UTC) e.g., wed:04:00-wed:04:30
+                    type: string
                   readerEndpoint:
                     description: A read-only endpoint for the DocDB cluster, automatically
                       load-balanced across replicas
                     type: string
+                  skipFinalSnapshot:
+                    description: Determines whether a final DB snapshot is created
+                      before the DB cluster is deleted. If true is specified, no DB
+                      snapshot is created. If false is specified, a DB snapshot is
+                      created before the DB cluster is deleted, using the value from
+                      final_snapshot_identifier. Default is false.
+                    type: boolean
+                  snapshotIdentifier:
+                    description: Specifies whether or not to create this cluster from
+                      a snapshot. You can use either the name or ARN when specifying
+                      a DB cluster snapshot, or the ARN when specifying a DB snapshot.
+                    type: string
+                  storageEncrypted:
+                    description: Specifies whether the DB cluster is encrypted. The
+                      default is false.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -543,6 +651,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcSecurityGroupIds:
+                    description: List of VPC security groups to associate with the
+                      Cluster
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/docdb.aws.upbound.io_clustersnapshots.yaml b/package/crds/docdb.aws.upbound.io_clustersnapshots.yaml
index 936a19b206..0e46c35b7a 100644
--- a/package/crds/docdb.aws.upbound.io_clustersnapshots.yaml
+++ b/package/crds/docdb.aws.upbound.io_clustersnapshots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -148,6 +152,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -330,6 +349,10 @@ spec:
                     items:
                       type: string
                     type: array
+                  dbClusterIdentifier:
+                    description: The DocDB Cluster Identifier from which to take the
+                      snapshot.
+                    type: string
                   dbClusterSnapshotArn:
                     description: The Amazon Resource Name (ARN) for the DocDB Cluster
                       Snapshot.
diff --git a/package/crds/docdb.aws.upbound.io_eventsubscriptions.yaml b/package/crds/docdb.aws.upbound.io_eventsubscriptions.yaml
index 59f69966bb..20d2c9ef11 100644
--- a/package/crds/docdb.aws.upbound.io_eventsubscriptions.yaml
+++ b/package/crds/docdb.aws.upbound.io_eventsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -178,6 +182,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -362,9 +381,43 @@ spec:
                     description: The AWS customer account associated with the DocDB
                       event notification subscription
                     type: string
+                  enabled:
+                    description: A boolean flag to enable/disable the subscription.
+                      Defaults to true.
+                    type: boolean
+                  eventCategories:
+                    description: A list of event categories for a SourceType that
+                      you want to subscribe to. See https://docs.aws.amazon.com/documentdb/latest/developerguide/API_Event.html
+                      or run aws docdb describe-event-categories.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The name of the DocDB event notification subscription
                     type: string
+                  snsTopicArn:
+                    description: The Amazon Resource Name of the DocDB event notification
+                      subscription
+                    type: string
+                  sourceIds:
+                    description: A list of identifiers of the event sources for which
+                      events will be returned. If not specified, then all sources
+                      are included in the response. If specified, a source_type must
+                      also be specified.
+                    items:
+                      type: string
+                    type: array
+                  sourceType:
+                    description: The type of source that will be generating the events.
+                      Valid options are db-instance, db-cluster, db-parameter-group,
+                      db-security-group, db-cluster-snapshot. If not set, all sources
+                      will be subscribed to.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/docdb.aws.upbound.io_globalclusters.yaml b/package/crds/docdb.aws.upbound.io_globalclusters.yaml
index e7afce57b2..59b35faaeb 100644
--- a/package/crds/docdb.aws.upbound.io_globalclusters.yaml
+++ b/package/crds/docdb.aws.upbound.io_globalclusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -173,9 +177,23 @@ spec:
                       and encrypted.
                     type: boolean
                 required:
-                - globalClusterIdentifier
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -347,6 +365,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: globalClusterIdentifier is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.globalClusterIdentifier)
           status:
             description: GlobalClusterStatus defines the observed state of GlobalCluster.
             properties:
@@ -355,6 +376,28 @@ spec:
                   arn:
                     description: Global Cluster Amazon Resource Name (ARN)
                     type: string
+                  databaseName:
+                    description: Name for an automatically created database on cluster
+                      creation.
+                    type: string
+                  deletionProtection:
+                    description: If the Global Cluster should have deletion protection
+                      enabled. The database can't be deleted when this value is set
+                      to true. The default is false.
+                    type: boolean
+                  engine:
+                    description: 'Name of the database engine to be used for this
+                      DB cluster. Current Valid values: docdb. Defaults to docdb.
+                      Conflicts with source_db_cluster_identifier.'
+                    type: string
+                  engineVersion:
+                    description: Engine version of the global database. Upgrading
+                      the engine version will result in all cluster members being
+                      immediately updated and will.
+                    type: string
+                  globalClusterIdentifier:
+                    description: The global cluster identifier.
+                    type: string
                   globalClusterMembers:
                     description: Set of objects containing Global Cluster members.
                     items:
@@ -375,8 +418,17 @@ spec:
                   id:
                     description: DocDB Global Cluster.
                     type: string
+                  sourceDbClusterIdentifier:
+                    description: Amazon Resource Name (ARN) to use as the primary
+                      DB Cluster of the Global Cluster on creation.
+                    type: string
                   status:
                     type: string
+                  storageEncrypted:
+                    description: Specifies whether the DB cluster is encrypted. The
+                      default is false unless source_db_cluster_identifier is specified
+                      and encrypted.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/docdb.aws.upbound.io_subnetgroups.yaml b/package/crds/docdb.aws.upbound.io_subnetgroups.yaml
index 251c93a774..4307eaa84f 100644
--- a/package/crds/docdb.aws.upbound.io_subnetgroups.yaml
+++ b/package/crds/docdb.aws.upbound.io_subnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,6 +165,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,9 +359,22 @@ spec:
                   arn:
                     description: The ARN of the docDB subnet group.
                     type: string
+                  description:
+                    description: The description of the docDB subnet group.
+                    type: string
                   id:
                     description: The docDB subnet group name.
                     type: string
+                  subnetIds:
+                    description: A list of VPC subnet IDs.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ds.aws.upbound.io_conditionalforwarders.yaml b/package/crds/ds.aws.upbound.io_conditionalforwarders.yaml
index c1eb32cc06..b017861f65 100644
--- a/package/crds/ds.aws.upbound.io_conditionalforwarders.yaml
+++ b/package/crds/ds.aws.upbound.io_conditionalforwarders.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -155,10 +159,24 @@ spec:
                       for which forwarders will be used.
                     type: string
                 required:
-                - dnsIps
                 - region
                 - remoteDomainName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -330,14 +348,29 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dnsIps is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dnsIps)
           status:
             description: ConditionalForwarderStatus defines the observed state of
               ConditionalForwarder.
             properties:
               atProvider:
                 properties:
+                  directoryId:
+                    description: ID of directory.
+                    type: string
+                  dnsIps:
+                    description: A list of forwarder IP addresses.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  remoteDomainName:
+                    description: The fully qualified domain name of the remote domain
+                      for which forwarders will be used.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ds.aws.upbound.io_directories.yaml b/package/crds/ds.aws.upbound.io_directories.yaml
index fe719ef072..77977f35fb 100644
--- a/package/crds/ds.aws.upbound.io_directories.yaml
+++ b/package/crds/ds.aws.upbound.io_directories.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -489,10 +493,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
-                - passwordSecretRef
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -664,6 +681,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: passwordSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.passwordSecretRef)
           status:
             description: DirectoryStatus defines the observed state of Directory.
             properties:
@@ -672,6 +694,10 @@ spec:
                   accessUrl:
                     description: The access URL for the directory, such as http://alias.awsapps.com.
                     type: string
+                  alias:
+                    description: The alias for the directory (must be unique amongst
+                      all aliases in AWS). Required for enable_sso.
+                    type: string
                   connectSettings:
                     description: Connector related information about the directory.
                       Fields documented below.
@@ -686,20 +712,73 @@ spec:
                           items:
                             type: string
                           type: array
+                        customerDnsIps:
+                          description: The DNS IP addresses of the domain to connect
+                            to.
+                          items:
+                            type: string
+                          type: array
+                        customerUsername:
+                          description: The username corresponding to the password
+                            provided.
+                          type: string
+                        subnetIds:
+                          description: The identifiers of the subnets for the directory
+                            servers (2 subnets in 2 different AZs).
+                          items:
+                            type: string
+                          type: array
+                        vpcId:
+                          description: The identifier of the VPC that the directory
+                            is in.
+                          type: string
                       type: object
                     type: array
+                  description:
+                    description: A textual description for the directory.
+                    type: string
+                  desiredNumberOfDomainControllers:
+                    description: The number of domain controllers desired in the directory.
+                      Minimum value of 2. Scaling of domain controllers is only supported
+                      for MicrosoftAD directories.
+                    type: number
                   dnsIpAddresses:
                     description: A list of IP addresses of the DNS servers for the
                       directory or connector.
                     items:
                       type: string
                     type: array
+                  edition:
+                    description: The MicrosoftAD edition (Standard or Enterprise).
+                      Defaults to Enterprise.
+                    type: string
+                  enableSso:
+                    description: Whether to enable single-sign on for the directory.
+                      Requires alias. Defaults to false.
+                    type: boolean
                   id:
                     description: The directory identifier.
                     type: string
+                  name:
+                    description: The fully qualified name for the directory, such
+                      as corp.example.com
+                    type: string
                   securityGroupId:
                     description: The ID of the security group created by the directory.
                     type: string
+                  shortName:
+                    description: The short name of the directory, such as CORP.
+                    type: string
+                  size:
+                    description: (For SimpleAD and ADConnector types) The size of
+                      the directory (Small or Large are accepted values). Large by
+                      default.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -707,6 +786,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: The directory type (SimpleAD, ADConnector or MicrosoftAD
+                      are accepted values). Defaults to SimpleAD.
+                    type: string
                   vpcSettings:
                     description: VPC related information about the directory. Fields
                       documented below.
@@ -716,6 +799,16 @@ spec:
                           items:
                             type: string
                           type: array
+                        subnetIds:
+                          description: The identifiers of the subnets for the directory
+                            servers (2 subnets in 2 different AZs).
+                          items:
+                            type: string
+                          type: array
+                        vpcId:
+                          description: The identifier of the VPC that the directory
+                            is in.
+                          type: string
                       type: object
                     type: array
                 type: object
diff --git a/package/crds/ds.aws.upbound.io_shareddirectories.yaml b/package/crds/ds.aws.upbound.io_shareddirectories.yaml
index 4feb38ab10..7ec7a64ff0 100644
--- a/package/crds/ds.aws.upbound.io_shareddirectories.yaml
+++ b/package/crds/ds.aws.upbound.io_shareddirectories.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -187,8 +191,22 @@ spec:
                     type: array
                 required:
                 - region
-                - target
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -360,19 +378,44 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: target is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.target)
           status:
             description: SharedDirectoryStatus defines the observed state of SharedDirectory.
             properties:
               atProvider:
                 properties:
+                  directoryId:
+                    description: Identifier of the Managed Microsoft AD directory
+                      that you want to share with other accounts.
+                    type: string
                   id:
                     description: Identifier of the shared directory.
                     type: string
+                  method:
+                    description: Method used when sharing a directory. Valid values
+                      are ORGANIZATIONS and HANDSHAKE. Default is HANDSHAKE.
+                    type: string
                   sharedDirectoryId:
                     description: Identifier of the directory that is stored in the
                       directory consumer account that corresponds to the shared directory
                       in the owner account.
                     type: string
+                  target:
+                    description: Identifier for the directory consumer account with
+                      whom the directory is to be shared. See below.
+                    items:
+                      properties:
+                        id:
+                          description: Identifier of the directory consumer account.
+                          type: string
+                        type:
+                          description: Type of identifier to be used in the id field.
+                            Valid value is ACCOUNT. Default is ACCOUNT.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dynamodb.aws.upbound.io_contributorinsights.yaml b/package/crds/dynamodb.aws.upbound.io_contributorinsights.yaml
index 579dde729c..a50653fe02 100644
--- a/package/crds/dynamodb.aws.upbound.io_contributorinsights.yaml
+++ b/package/crds/dynamodb.aws.upbound.io_contributorinsights.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,6 +154,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -328,6 +347,12 @@ spec:
                 properties:
                   id:
                     type: string
+                  indexName:
+                    description: The global secondary index name
+                    type: string
+                  tableName:
+                    description: The name of the table to enable contributor insights
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dynamodb.aws.upbound.io_globaltables.yaml b/package/crds/dynamodb.aws.upbound.io_globaltables.yaml
index 45a17671f2..c8e9a3abbe 100644
--- a/package/crds/dynamodb.aws.upbound.io_globaltables.yaml
+++ b/package/crds/dynamodb.aws.upbound.io_globaltables.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,8 +87,22 @@ spec:
                     type: array
                 required:
                 - region
-                - replica
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: replica is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.replica)
           status:
             description: GlobalTableStatus defines the observed state of GlobalTable.
             properties:
@@ -267,6 +288,17 @@ spec:
                   id:
                     description: The name of the DynamoDB Global Table
                     type: string
+                  replica:
+                    description: Underlying DynamoDB Table. At least 1 replica must
+                      be defined. See below.
+                    items:
+                      properties:
+                        regionName:
+                          description: AWS region name of replica DynamoDB TableE.g.,
+                            us-east-1
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dynamodb.aws.upbound.io_kinesisstreamingdestinations.yaml b/package/crds/dynamodb.aws.upbound.io_kinesisstreamingdestinations.yaml
index b1f9818c7b..cfcacb79f2 100644
--- a/package/crds/dynamodb.aws.upbound.io_kinesisstreamingdestinations.yaml
+++ b/package/crds/dynamodb.aws.upbound.io_kinesisstreamingdestinations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -226,6 +230,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -407,6 +426,14 @@ spec:
                     description: The table_name and stream_arn separated by a comma
                       (,).
                     type: string
+                  streamArn:
+                    description: The ARN for a Kinesis data stream. This must exist
+                      in the same account and region as the DynamoDB table.
+                    type: string
+                  tableName:
+                    description: The name of the DynamoDB table. There can only be
+                      one Kinesis streaming destination for a given DynamoDB table.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dynamodb.aws.upbound.io_tableitems.yaml b/package/crds/dynamodb.aws.upbound.io_tableitems.yaml
index b4cbc42db1..89c1271451 100644
--- a/package/crds/dynamodb.aws.upbound.io_tableitems.yaml
+++ b/package/crds/dynamodb.aws.upbound.io_tableitems.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,10 +163,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - hashKey
-                - item
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,13 +351,35 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: hashKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hashKey)
+            - message: item is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.item)
           status:
             description: TableItemStatus defines the observed state of TableItem.
             properties:
               atProvider:
                 properties:
+                  hashKey:
+                    description: Hash key to use for lookups and identification of
+                      the item
+                    type: string
                   id:
                     type: string
+                  item:
+                    description: JSON representation of a map of attribute name/value
+                      pairs, one for each attribute. Only the primary key attributes
+                      are required; you can optionally provide other attribute name-value
+                      pairs for the item.
+                    type: string
+                  rangeKey:
+                    description: Range key to use for lookups and identification of
+                      the item. Required if there is range key defined in the table.
+                    type: string
+                  tableName:
+                    description: Name of the table to contain the item.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dynamodb.aws.upbound.io_tablereplicas.yaml b/package/crds/dynamodb.aws.upbound.io_tablereplicas.yaml
index 9f59c171aa..b655a06ab5 100644
--- a/package/crds/dynamodb.aws.upbound.io_tablereplicas.yaml
+++ b/package/crds/dynamodb.aws.upbound.io_tablereplicas.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -242,6 +246,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -421,10 +440,35 @@ spec:
                   arn:
                     description: ARN of the table replica.
                     type: string
+                  globalTableArn:
+                    description: ARN of the main or global table which this resource
+                      will replicate.
+                    type: string
                   id:
                     description: Name of the table and region of the main global table
                       joined with a semicolon (e.g., TableName:us-east-1).
                     type: string
+                  kmsKeyArn:
+                    description: 'ARN of the CMK that should be used for the AWS KMS
+                      encryption. This argument should only be used if the key is
+                      different from the default KMS-managed DynamoDB key, alias/aws/dynamodb.
+                      Note: This attribute will not be populated with the ARN of default
+                      keys.'
+                    type: string
+                  pointInTimeRecovery:
+                    description: Whether to enable Point In Time Recovery for the
+                      replica. Default is false.
+                    type: boolean
+                  tableClassOverride:
+                    description: Storage class of the table replica. Valid values
+                      are STANDARD and STANDARD_INFREQUENT_ACCESS. If not used, the
+                      table replica will use the same class as the global table.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/dynamodb.aws.upbound.io_tables.yaml b/package/crds/dynamodb.aws.upbound.io_tables.yaml
index 9769a97ae6..96c80d1768 100644
--- a/package/crds/dynamodb.aws.upbound.io_tables.yaml
+++ b/package/crds/dynamodb.aws.upbound.io_tables.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -305,6 +309,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -484,9 +503,121 @@ spec:
                   arn:
                     description: ARN of the table
                     type: string
+                  attribute:
+                    description: Set of nested attribute definitions. Only required
+                      for hash_key and range_key attributes. See below.
+                    items:
+                      properties:
+                        name:
+                          description: Name of the attribute
+                          type: string
+                        type:
+                          description: Attribute type. Valid values are S (string),
+                            N (number), B (binary).
+                          type: string
+                      type: object
+                    type: array
+                  billingMode:
+                    description: Controls how you are charged for read and write throughput
+                      and how you manage capacity. The valid values are PROVISIONED
+                      and PAY_PER_REQUEST. Defaults to PROVISIONED.
+                    type: string
+                  globalSecondaryIndex:
+                    description: Describe a GSI for the table; subject to the normal
+                      limits on the number of GSIs, projected attributes, etc. See
+                      below.
+                    items:
+                      properties:
+                        hashKey:
+                          description: Name of the hash key in the index; must be
+                            defined as an attribute in the resource.
+                          type: string
+                        name:
+                          description: Name of the index.
+                          type: string
+                        nonKeyAttributes:
+                          description: Only required with INCLUDE as a projection
+                            type; a list of attributes to project into the index.
+                            These do not need to be defined as attributes on the table.
+                          items:
+                            type: string
+                          type: array
+                        projectionType:
+                          description: One of ALL, INCLUDE or KEYS_ONLY where ALL
+                            projects every attribute into the index, KEYS_ONLY projects  into
+                            the index only the table and index hash_key and sort_key
+                            attributes ,  INCLUDE projects into the index all of the
+                            attributes that are defined in non_key_attributes in addition
+                            to the attributes that thatKEYS_ONLY project.
+                          type: string
+                        rangeKey:
+                          description: Name of the range key; must be defined
+                          type: string
+                        readCapacity:
+                          description: Number of read units for this index. Must be
+                            set if billing_mode is set to PROVISIONED.
+                          type: number
+                        writeCapacity:
+                          description: Number of write units for this index. Must
+                            be set if billing_mode is set to PROVISIONED.
+                          type: number
+                      type: object
+                    type: array
+                  hashKey:
+                    description: Attribute to use as the hash (partition) key. Must
+                      also be defined as an attribute. See below.
+                    type: string
                   id:
                     description: Name of the table
                     type: string
+                  localSecondaryIndex:
+                    description: Describe an LSI on the table; these can only be allocated
+                      at creation so you cannot change this definition after you have
+                      created the resource. See below.
+                    items:
+                      properties:
+                        name:
+                          description: Name of the index
+                          type: string
+                        nonKeyAttributes:
+                          description: Only required with INCLUDE as a projection
+                            type; a list of attributes to project into the index.
+                            These do not need to be defined as attributes on the table.
+                          items:
+                            type: string
+                          type: array
+                        projectionType:
+                          description: One of ALL, INCLUDE or KEYS_ONLY where ALL
+                            projects every attribute into the index, KEYS_ONLY projects  into
+                            the index only the table and index hash_key and sort_key
+                            attributes ,  INCLUDE projects into the index all of the
+                            attributes that are defined in non_key_attributes in addition
+                            to the attributes that thatKEYS_ONLY project.
+                          type: string
+                        rangeKey:
+                          description: Name of the range key.
+                          type: string
+                      type: object
+                    type: array
+                  pointInTimeRecovery:
+                    description: Enable point-in-time recovery options. See below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether to enable point-in-time recovery. It
+                            can take 10 minutes to enable for new tables. If the point_in_time_recovery
+                            block is not provided, this defaults to false.
+                          type: boolean
+                      type: object
+                    type: array
+                  rangeKey:
+                    description: Attribute to use as the range (sort) key. Must also
+                      be defined as an attribute, see below.
+                    type: string
+                  readCapacity:
+                    description: Number of read units for this table. If the billing_mode
+                      is PROVISIONED, this field is required.
+                    type: number
                   replica:
                     description: Configuration block(s) with DynamoDB Global Tables
                       V2 (version 2019.11.21) replication configurations. See below.
@@ -495,6 +626,31 @@ spec:
                         arn:
                           description: ARN of the replica
                           type: string
+                        kmsKeyArn:
+                          description: 'ARN of the CMK that should be used for the
+                            AWS KMS encryption. This argument should only be used
+                            if the key is different from the default KMS-managed DynamoDB
+                            key, alias/aws/dynamodb. Note: This attribute will not
+                            be populated with the ARN of default keys.'
+                          type: string
+                        pointInTimeRecovery:
+                          description: Whether to enable Point In Time Recovery for
+                            the replica. Default is false.
+                          type: boolean
+                        propagateTags:
+                          description: 'Whether to propagate the global table''s tags
+                            to a replica. Default is false. Changes to tags only move
+                            in one direction: from global (source) to replica. In
+                            other words, tag drift on a replica will not trigger an
+                            update. Tag or replica changes on the global table, whether
+                            from drift or configuration changes, are propagated to
+                            replicas. Changing from true to false on a subsequent
+                            apply means replica tags are left as they were, unmanaged,
+                            not deleted.'
+                          type: boolean
+                        regionName:
+                          description: Region name of the replica.
+                          type: string
                         streamArn:
                           description: ARN of the Table Stream. Only available when
                             stream_enabled = true
@@ -509,10 +665,50 @@ spec:
                           type: string
                       type: object
                     type: array
+                  restoreDateTime:
+                    description: Time of the point-in-time recovery point to restore.
+                    type: string
+                  restoreSourceName:
+                    description: Name of the table to restore. Must match the name
+                      of an existing table.
+                    type: string
+                  restoreToLatestTime:
+                    description: If set, restores table to the most recent point-in-time
+                      recovery point.
+                    type: boolean
+                  serverSideEncryption:
+                    description: Encryption at rest options. AWS DynamoDB tables are
+                      automatically encrypted at rest with an AWS-owned Customer Master
+                      Key if this argument isn't specified. See below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether or not to enable encryption at rest
+                            using an AWS managed KMS customer master key (CMK). If
+                            enabled is false then server-side encryption is set to
+                            AWS-owned key (shown as DEFAULT in the AWS console). Potentially
+                            confusingly, if enabled is true and no kms_key_arn is
+                            specified then server-side encryption is set to the default
+                            KMS-managed key (shown as KMS in the AWS console). The
+                            AWS KMS documentation explains the difference between
+                            AWS-owned and KMS-managed keys.
+                          type: boolean
+                        kmsKeyArn:
+                          description: 'ARN of the CMK that should be used for the
+                            AWS KMS encryption. This argument should only be used
+                            if the key is different from the default KMS-managed DynamoDB
+                            key, alias/aws/dynamodb. Note: This attribute will not
+                            be populated with the ARN of default keys.'
+                          type: string
+                      type: object
+                    type: array
                   streamArn:
                     description: ARN of the Table Stream. Only available when stream_enabled
                       = true
                     type: string
+                  streamEnabled:
+                    description: Whether Streams are enabled.
+                    type: boolean
                   streamLabel:
                     description: Timestamp, in ISO 8601 format, for this stream. Note
                       that this timestamp is not a unique identifier for the stream
@@ -521,12 +717,43 @@ spec:
                       for creating CloudWatch Alarms. Only available when stream_enabled
                       = true.
                     type: string
+                  streamViewType:
+                    description: When an item in the table is modified, StreamViewType
+                      determines what information is written to the table's stream.
+                      Valid values are KEYS_ONLY, NEW_IMAGE, OLD_IMAGE, NEW_AND_OLD_IMAGES.
+                    type: string
+                  tableClass:
+                    description: Storage class of the table. Valid values are STANDARD
+                      and STANDARD_INFREQUENT_ACCESS.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  ttl:
+                    description: Configuration block for TTL. See below.
+                    items:
+                      properties:
+                        attributeName:
+                          description: Name of the table attribute to store the TTL
+                            timestamp in.
+                          type: string
+                        enabled:
+                          description: Whether TTL is enabled.
+                          type: boolean
+                      type: object
+                    type: array
+                  writeCapacity:
+                    description: Number of write units for this table. If the billing_mode
+                      is PROVISIONED, this field is required.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/dynamodb.aws.upbound.io_tags.yaml b/package/crds/dynamodb.aws.upbound.io_tags.yaml
index 2bfdd1e3ee..346568ee83 100644
--- a/package/crds/dynamodb.aws.upbound.io_tags.yaml
+++ b/package/crds/dynamodb.aws.upbound.io_tags.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,8 +86,22 @@ spec:
                 - key
                 - region
                 - resourceArn
-                - value
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -255,6 +273,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: value is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)
           status:
             description: TagStatus defines the observed state of Tag.
             properties:
@@ -264,6 +285,16 @@ spec:
                     description: DynamoDB resource identifier and key, separated by
                       a comma (,)
                     type: string
+                  key:
+                    description: Tag name.
+                    type: string
+                  resourceArn:
+                    description: Amazon Resource Name (ARN) of the DynamoDB resource
+                      to tag.
+                    type: string
+                  value:
+                    description: Tag value.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_amicopies.yaml b/package/crds/ec2.aws.upbound.io_amicopies.yaml
index 2044a24585..0352a16987 100644
--- a/package/crds/ec2.aws.upbound.io_amicopies.yaml
+++ b/package/crds/ec2.aws.upbound.io_amicopies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -259,10 +263,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - sourceAmiRegion
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -434,6 +451,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: sourceAmiRegion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceAmiRegion)
           status:
             description: AMICopyStatus defines the observed state of AMICopy.
             properties:
@@ -446,6 +468,16 @@ spec:
                     type: string
                   bootMode:
                     type: string
+                  deprecationTime:
+                    type: string
+                  description:
+                    type: string
+                  destinationOutpostArn:
+                    description: ARN of the Outpost to which to copy the AMI. Only
+                      specify this parameter when copying an AMI from an AWS Region
+                      to an Outpost. The AMI must be in the Region of the destination
+                      Outpost.
+                    type: string
                   ebsBlockDevice:
                     items:
                       properties:
@@ -476,6 +508,10 @@ spec:
                     type: array
                   enaSupport:
                     type: boolean
+                  encrypted:
+                    description: Whether the destination snapshots of the copied image
+                      should be encrypted. Defaults to false
+                    type: boolean
                   ephemeralBlockDevice:
                     items:
                       properties:
@@ -503,8 +539,16 @@ spec:
                   kernelId:
                     description: ID of the created AMI.
                     type: string
+                  kmsKeyId:
+                    description: Full ARN of the KMS Key to use when encrypting the
+                      snapshots of an image during a copy operation. If not specified,
+                      then the default AWS KMS Key will be used
+                    type: string
                   manageEbsSnapshots:
                     type: boolean
+                  name:
+                    description: Region-unique name for the AMI.
+                    type: string
                   ownerId:
                     description: ID of the created AMI.
                     type: string
@@ -523,8 +567,22 @@ spec:
                   rootSnapshotId:
                     description: ID of the created AMI.
                     type: string
+                  sourceAmiId:
+                    description: Id of the AMI to copy. This id must be valid in the
+                      region given by source_ami_region.
+                    type: string
+                  sourceAmiRegion:
+                    description: Region from which the AMI will be copied. This may
+                      be the same as the AWS provider region in order to create a
+                      copy within the same region.
+                    type: string
                   sriovNetSupport:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_amilaunchpermissions.yaml b/package/crds/ec2.aws.upbound.io_amilaunchpermissions.yaml
index d4b13a46c0..644dc1e8fc 100644
--- a/package/crds/ec2.aws.upbound.io_amilaunchpermissions.yaml
+++ b/package/crds/ec2.aws.upbound.io_amilaunchpermissions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -160,6 +164,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -336,9 +355,25 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: AWS account ID for the launch permission.
+                    type: string
+                  group:
+                    description: 'Name of the group for the launch permission. Valid
+                      values: "all".'
+                    type: string
                   id:
                     description: Launch permission ID.
                     type: string
+                  imageId:
+                    description: ID of the AMI.
+                    type: string
+                  organizationArn:
+                    description: ARN of an organization for the launch permission.
+                    type: string
+                  organizationalUnitArn:
+                    description: ARN of an organizational unit for the launch permission.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_amis.yaml b/package/crds/ec2.aws.upbound.io_amis.yaml
index 8b96ba31c0..d9ae2a827b 100644
--- a/package/crds/ec2.aws.upbound.io_amis.yaml
+++ b/package/crds/ec2.aws.upbound.io_amis.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -282,9 +286,23 @@ spec:
                       of further arguments that are required, as described below.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -456,20 +474,113 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AMIStatus defines the observed state of AMI.
             properties:
               atProvider:
                 properties:
+                  architecture:
+                    description: Machine architecture for created instances. Defaults
+                      to "x86_64".
+                    type: string
                   arn:
                     description: ARN of the AMI.
                     type: string
+                  bootMode:
+                    description: Boot mode of the AMI. For more information, see Boot
+                      modes in the Amazon Elastic Compute Cloud User Guide.
+                    type: string
+                  deprecationTime:
+                    description: 'Date and time to deprecate the AMI. If you specified
+                      a value for seconds, Amazon EC2 rounds the seconds to the nearest
+                      minute. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)'
+                    type: string
+                  description:
+                    description: Longer, human-readable description for the AMI.
+                    type: string
+                  ebsBlockDevice:
+                    description: Nested block describing an EBS block device that
+                      should be attached to created instances. The structure of this
+                      block is described below.
+                    items:
+                      properties:
+                        deleteOnTermination:
+                          description: Boolean controlling whether the EBS volumes
+                            created to support each created instance will be deleted
+                            once that instance is terminated.
+                          type: boolean
+                        deviceName:
+                          description: Path at which the device is exposed to created
+                            instances.
+                          type: string
+                        encrypted:
+                          description: Boolean controlling whether the created EBS
+                            volumes will be encrypted. Can't be used with snapshot_id.
+                          type: boolean
+                        iops:
+                          description: Number of I/O operations per second the created
+                            volumes will support.
+                          type: number
+                        outpostArn:
+                          description: ARN of the Outpost on which the snapshot is
+                            stored.
+                          type: string
+                        snapshotId:
+                          description: ID of an EBS snapshot that will be used to
+                            initialize the created EBS volumes. If set, the volume_size
+                            attribute must be at least as large as the referenced
+                            snapshot.
+                          type: string
+                        throughput:
+                          description: Throughput that the EBS volume supports, in
+                            MiB/s. Only valid for volume_type of gp3.
+                          type: number
+                        volumeSize:
+                          description: Size of created volumes in GiB. If snapshot_id
+                            is set and volume_size is omitted then the volume will
+                            have the same size as the selected snapshot.
+                          type: number
+                        volumeType:
+                          description: 'Type of EBS volume to create. Can be standard,
+                            gp2, gp3, io1, io2, sc1 or st1 (Default: standard).'
+                          type: string
+                      type: object
+                    type: array
+                  enaSupport:
+                    description: Whether enhanced networking with ENA is enabled.
+                      Defaults to false.
+                    type: boolean
+                  ephemeralBlockDevice:
+                    description: Nested block describing an ephemeral block device
+                      that should be attached to created instances. The structure
+                      of this block is described below.
+                    items:
+                      properties:
+                        deviceName:
+                          description: Path at which the device is exposed to created
+                            instances.
+                          type: string
+                        virtualName:
+                          description: Name for the ephemeral device, of the form
+                            "ephemeralN" where N is a volume number starting from
+                            zero.
+                          type: string
+                      type: object
+                    type: array
                   hypervisor:
                     description: Hypervisor type of the image.
                     type: string
                   id:
                     description: ID of the created AMI.
                     type: string
+                  imageLocation:
+                    description: Path to an S3 object containing an image manifest,
+                      e.g., created by the ec2-upload-bundle command in the EC2 command
+                      line tools.
+                    type: string
                   imageOwnerAlias:
                     description: AWS account alias (for example, amazon, self) or
                       the AWS account ID of the AMI owner.
@@ -477,8 +588,21 @@ spec:
                   imageType:
                     description: Type of image.
                     type: string
+                  imdsSupport:
+                    description: If EC2 instances started from this image should require
+                      the use of the Instance Metadata Service V2 (IMDSv2), set this
+                      argument to v2.0. For more information, see Configure instance
+                      metadata options for new instances.
+                    type: string
+                  kernelId:
+                    description: ID of the kernel image (AKI) that will be used as
+                      the paravirtual kernel in created instances.
+                    type: string
                   manageEbsSnapshots:
                     type: boolean
+                  name:
+                    description: Region-unique name for the AMI.
+                    type: string
                   ownerId:
                     description: AWS account ID of the image owner.
                     type: string
@@ -493,19 +617,48 @@ spec:
                   public:
                     description: Whether the image has public launch permissions.
                     type: boolean
+                  ramdiskId:
+                    description: ID of an initrd image (ARI) that will be used when
+                      booting the created instances.
+                    type: string
+                  rootDeviceName:
+                    description: Name of the root device (for example, /dev/sda1,
+                      or /dev/xvda).
+                    type: string
                   rootSnapshotId:
                     description: Snapshot ID for the root volume (for EBS-backed AMIs)
                     type: string
+                  sriovNetSupport:
+                    description: When set to "simple" (the default), enables enhanced
+                      networking for created instances. No other value is supported
+                      at this time.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  tpmSupport:
+                    description: If the image is configured for NitroTPM support,
+                      the value is v2.0. For more information, see NitroTPM in the
+                      Amazon Elastic Compute Cloud User Guide.
+                    type: string
                   usageOperation:
                     description: Operation of the Amazon EC2 instance and the billing
                       code that is associated with the AMI.
                     type: string
+                  virtualizationType:
+                    description: Keyword to choose what virtualization mode created
+                      instances will use. Can be either "paravirtual" (the default)
+                      or "hvm". The choice of virtualization type changes the set
+                      of further arguments that are required, as described below.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_availabilityzonegroups.yaml b/package/crds/ec2.aws.upbound.io_availabilityzonegroups.yaml
index b2dcd13083..01be48a75d 100644
--- a/package/crds/ec2.aws.upbound.io_availabilityzonegroups.yaml
+++ b/package/crds/ec2.aws.upbound.io_availabilityzonegroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -73,9 +77,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - optInStatus
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -247,6 +265,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: optInStatus is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.optInStatus)
           status:
             description: AvailabilityZoneGroupStatus defines the observed state of
               AvailabilityZoneGroup.
@@ -256,6 +277,10 @@ spec:
                   id:
                     description: Name of the Availability Zone Group.
                     type: string
+                  optInStatus:
+                    description: 'Indicates whether to enable or disable Availability
+                      Zone Group. Valid values: opted-in or not-opted-in.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_capacityreservations.yaml b/package/crds/ec2.aws.upbound.io_capacityreservations.yaml
index b42fdd1cf0..c0688e6291 100644
--- a/package/crds/ec2.aws.upbound.io_capacityreservations.yaml
+++ b/package/crds/ec2.aws.upbound.io_capacityreservations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -126,12 +130,23 @@ spec:
                       Specify either default or dedicated.
                     type: string
                 required:
-                - availabilityZone
-                - instanceCount
-                - instancePlatform
-                - instanceType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -303,6 +318,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: availabilityZone is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)
+            - message: instanceCount is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceCount)
+            - message: instancePlatform is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePlatform)
+            - message: instanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)
           status:
             description: CapacityReservationStatus defines the observed state of CapacityReservation.
             properties:
@@ -311,13 +335,65 @@ spec:
                   arn:
                     description: The ARN of the Capacity Reservation.
                     type: string
+                  availabilityZone:
+                    description: The Availability Zone in which to create the Capacity
+                      Reservation.
+                    type: string
+                  ebsOptimized:
+                    description: Indicates whether the Capacity Reservation supports
+                      EBS-optimized instances.
+                    type: boolean
+                  endDate:
+                    description: 'The date and time at which the Capacity Reservation
+                      expires. When a Capacity Reservation expires, the reserved capacity
+                      is released and you can no longer launch instances into it.
+                      Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)'
+                    type: string
+                  endDateType:
+                    description: Indicates the way in which the Capacity Reservation
+                      ends. Specify either unlimited or limited.
+                    type: string
+                  ephemeralStorage:
+                    description: Indicates whether the Capacity Reservation supports
+                      instances with temporary, block-level storage.
+                    type: boolean
                   id:
                     description: The Capacity Reservation ID.
                     type: string
+                  instanceCount:
+                    description: The number of instances for which to reserve capacity.
+                    type: number
+                  instanceMatchCriteria:
+                    description: Indicates the type of instance launches that the
+                      Capacity Reservation accepts. Specify either open or targeted.
+                    type: string
+                  instancePlatform:
+                    description: The type of operating system for which to reserve
+                      capacity. Valid options are Linux/UNIX, Red Hat Enterprise Linux,
+                      SUSE Linux, Windows, Windows with SQL Server, Windows with SQL
+                      Server Enterprise, Windows with SQL Server Standard or Windows
+                      with SQL Server Web.
+                    type: string
+                  instanceType:
+                    description: The instance type for which to reserve capacity.
+                    type: string
+                  outpostArn:
+                    description: The Amazon Resource Name (ARN) of the Outpost on
+                      which to create the Capacity Reservation.
+                    type: string
                   ownerId:
                     description: The ID of the AWS account that owns the Capacity
                       Reservation.
                     type: string
+                  placementGroupArn:
+                    description: The Amazon Resource Name (ARN) of the cluster placement
+                      group in which to create the Capacity Reservation.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -325,6 +401,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block
                     type: object
+                  tenancy:
+                    description: Indicates the tenancy of the Capacity Reservation.
+                      Specify either default or dedicated.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_carriergateways.yaml b/package/crds/ec2.aws.upbound.io_carriergateways.yaml
index 02e07bff47..b825996baf 100644
--- a/package/crds/ec2.aws.upbound.io_carriergateways.yaml
+++ b/package/crds/ec2.aws.upbound.io_carriergateways.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,6 +156,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,6 +356,11 @@ spec:
                   ownerId:
                     description: The AWS account ID of the owner of the carrier gateway.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -344,6 +368,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The ID of the VPC to associate with the carrier gateway.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_customergateways.yaml b/package/crds/ec2.aws.upbound.io_customergateways.yaml
index 7e6c7db306..f741c82cb4 100644
--- a/package/crds/ec2.aws.upbound.io_customergateways.yaml
+++ b/package/crds/ec2.aws.upbound.io_customergateways.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -95,10 +99,23 @@ spec:
                       at this time is "ipsec.1".
                     type: string
                 required:
-                - bgpAsn
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,6 +287,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: bgpAsn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bgpAsn)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: CustomerGatewayStatus defines the observed state of CustomerGateway.
             properties:
@@ -278,9 +300,29 @@ spec:
                   arn:
                     description: The ARN of the customer gateway.
                     type: string
+                  bgpAsn:
+                    description: The gateway's Border Gateway Protocol (BGP) Autonomous
+                      System Number (ASN).
+                    type: string
+                  certificateArn:
+                    description: The Amazon Resource Name (ARN) for the customer gateway
+                      certificate.
+                    type: string
+                  deviceName:
+                    description: A name for the customer gateway device.
+                    type: string
                   id:
                     description: The amazon-assigned ID of the gateway.
                     type: string
+                  ipAddress:
+                    description: The IPv4 address for the customer gateway device's
+                      outside interface.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -288,6 +330,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: The type of customer gateway. The only type AWS supports
+                      at this time is "ipsec.1".
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_defaultnetworkacls.yaml b/package/crds/ec2.aws.upbound.io_defaultnetworkacls.yaml
index b335883d9e..8671e03f58 100644
--- a/package/crds/ec2.aws.upbound.io_defaultnetworkacls.yaml
+++ b/package/crds/ec2.aws.upbound.io_defaultnetworkacls.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -398,6 +402,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -577,13 +596,100 @@ spec:
                   arn:
                     description: ARN of the Default Network ACL
                     type: string
+                  defaultNetworkAclId:
+                    description: Network ACL ID to manage. This attribute is exported
+                      from aws_vpc, or manually found via the AWS Console.
+                    type: string
+                  egress:
+                    description: Configuration block for an egress rule. Detailed
+                      below.
+                    items:
+                      properties:
+                        action:
+                          description: The action to take.
+                          type: string
+                        cidrBlock:
+                          description: The CIDR block to match. This must be a valid
+                            network mask.
+                          type: string
+                        fromPort:
+                          description: The from port to match.
+                          type: number
+                        icmpCode:
+                          description: The ICMP type code to be used. Default 0.
+                          type: number
+                        icmpType:
+                          description: The ICMP type to be used. Default 0.
+                          type: number
+                        ipv6CidrBlock:
+                          description: The IPv6 CIDR block.
+                          type: string
+                        protocol:
+                          description: The protocol to match. If using the -1 'all'
+                            protocol, you must specify a from and to port of 0.
+                          type: string
+                        ruleNo:
+                          description: The rule number. Used for ordering.
+                          type: number
+                        toPort:
+                          description: The to port to match.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: ID of the Default Network ACL
                     type: string
+                  ingress:
+                    description: Configuration block for an ingress rule. Detailed
+                      below.
+                    items:
+                      properties:
+                        action:
+                          description: The action to take.
+                          type: string
+                        cidrBlock:
+                          description: The CIDR block to match. This must be a valid
+                            network mask.
+                          type: string
+                        fromPort:
+                          description: The from port to match.
+                          type: number
+                        icmpCode:
+                          description: The ICMP type code to be used. Default 0.
+                          type: number
+                        icmpType:
+                          description: The ICMP type to be used. Default 0.
+                          type: number
+                        ipv6CidrBlock:
+                          description: The IPv6 CIDR block.
+                          type: string
+                        protocol:
+                          description: The protocol to match. If using the -1 'all'
+                            protocol, you must specify a from and to port of 0.
+                          type: string
+                        ruleNo:
+                          description: The rule number. Used for ordering.
+                          type: number
+                        toPort:
+                          description: The to port to match.
+                          type: number
+                      type: object
+                    type: array
                   ownerId:
                     description: ID of the AWS account that owns the Default Network
                       ACL
                     type: string
+                  subnetIds:
+                    description: List of Subnet IDs to apply the ACL to. See the notes
+                      above on Managing Subnets in the Default Network ACL
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_defaultroutetables.yaml b/package/crds/ec2.aws.upbound.io_defaultroutetables.yaml
index 0a543f578c..14a3a67edb 100644
--- a/package/crds/ec2.aws.upbound.io_defaultroutetables.yaml
+++ b/package/crds/ec2.aws.upbound.io_defaultroutetables.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -362,6 +366,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -541,12 +560,74 @@ spec:
                   arn:
                     description: The ARN of the route table.
                     type: string
+                  defaultRouteTableId:
+                    description: ID of the default route table.
+                    type: string
                   id:
                     description: ID of the route table.
                     type: string
                   ownerId:
                     description: ID of the AWS account that owns the route table.
                     type: string
+                  propagatingVgws:
+                    description: List of virtual gateways for propagation.
+                    items:
+                      type: string
+                    type: array
+                  route:
+                    description: Configuration block of routes. Detailed below. This
+                      argument is processed in attribute-as-blocks mode. This means
+                      that omitting this argument is interpreted as ignoring any existing
+                      routes. To remove all managed routes an empty list should be
+                      specified. See the example above.
+                    items:
+                      properties:
+                        cidrBlock:
+                          description: The CIDR block of the route.
+                          type: string
+                        coreNetworkArn:
+                          description: The Amazon Resource Name (ARN) of a core network.
+                          type: string
+                        destinationPrefixListId:
+                          description: The ID of a managed prefix list destination
+                            of the route.
+                          type: string
+                        egressOnlyGatewayId:
+                          description: Identifier of a VPC Egress Only Internet Gateway.
+                          type: string
+                        gatewayId:
+                          description: Identifier of a VPC internet gateway or a virtual
+                            private gateway.
+                          type: string
+                        instanceId:
+                          description: Identifier of an EC2 instance.
+                          type: string
+                        ipv6CidrBlock:
+                          description: The Ipv6 CIDR block of the route
+                          type: string
+                        natGatewayId:
+                          description: Identifier of a VPC NAT gateway.
+                          type: string
+                        networkInterfaceId:
+                          description: Identifier of an EC2 network interface.
+                          type: string
+                        transitGatewayId:
+                          description: Identifier of an EC2 Transit Gateway.
+                          type: string
+                        vpcEndpointId:
+                          description: Identifier of a VPC Endpoint. This route must
+                            be removed prior to VPC Endpoint deletion.
+                          type: string
+                        vpcPeeringConnectionId:
+                          description: Identifier of a VPC peering connection.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_defaultsecuritygroups.yaml b/package/crds/ec2.aws.upbound.io_defaultsecuritygroups.yaml
index 48ca300501..a0b2a287e9 100644
--- a/package/crds/ec2.aws.upbound.io_defaultsecuritygroups.yaml
+++ b/package/crds/ec2.aws.upbound.io_defaultsecuritygroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -255,6 +259,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -438,15 +457,122 @@ spec:
                   description:
                     description: Description of this rule.
                     type: string
+                  egress:
+                    description: Configuration block. Detailed below.
+                    items:
+                      properties:
+                        cidrBlocks:
+                          description: List of CIDR blocks.
+                          items:
+                            type: string
+                          type: array
+                        description:
+                          description: Description of this rule.
+                          type: string
+                        fromPort:
+                          description: Start port (or ICMP type number if protocol
+                            is icmp)
+                          type: number
+                        ipv6CidrBlocks:
+                          description: List of IPv6 CIDR blocks.
+                          items:
+                            type: string
+                          type: array
+                        prefixListIds:
+                          description: List of prefix list IDs (for allowing access
+                            to VPC endpoints)
+                          items:
+                            type: string
+                          type: array
+                        protocol:
+                          description: Protocol. If you select a protocol of "-1"
+                            (semantically equivalent to all, which is not a valid
+                            value here), you must specify a from_port and to_port
+                            equal to 0. If not icmp, tcp, udp, or -1 use the protocol
+                            number.
+                          type: string
+                        securityGroups:
+                          description: List of security groups. A group name can be
+                            used relative to the default VPC. Otherwise, group ID.
+                          items:
+                            type: string
+                          type: array
+                        self:
+                          description: Whether the security group itself will be added
+                            as a source to this egress rule.
+                          type: boolean
+                        toPort:
+                          description: End range port (or ICMP code if protocol is
+                            icmp).
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: ID of the security group.
                     type: string
+                  ingress:
+                    description: Configuration block. Detailed below.
+                    items:
+                      properties:
+                        cidrBlocks:
+                          description: List of CIDR blocks.
+                          items:
+                            type: string
+                          type: array
+                        description:
+                          description: Description of this rule.
+                          type: string
+                        fromPort:
+                          description: Start port (or ICMP type number if protocol
+                            is icmp)
+                          type: number
+                        ipv6CidrBlocks:
+                          description: List of IPv6 CIDR blocks.
+                          items:
+                            type: string
+                          type: array
+                        prefixListIds:
+                          description: List of prefix list IDs (for allowing access
+                            to VPC endpoints)
+                          items:
+                            type: string
+                          type: array
+                        protocol:
+                          description: Protocol. If you select a protocol of "-1"
+                            (semantically equivalent to all, which is not a valid
+                            value here), you must specify a from_port and to_port
+                            equal to 0. If not icmp, tcp, udp, or -1 use the protocol
+                            number.
+                          type: string
+                        securityGroups:
+                          description: List of security groups. A group name can be
+                            used relative to the default VPC. Otherwise, group ID.
+                          items:
+                            type: string
+                          type: array
+                        self:
+                          description: Whether the security group itself will be added
+                            as a source to this egress rule.
+                          type: boolean
+                        toPort:
+                          description: End range port (or ICMP code if protocol is
+                            icmp).
+                          type: number
+                      type: object
+                    type: array
                   name:
                     description: Name of the security group.
                     type: string
                   ownerId:
                     description: Owner ID.
                     type: string
+                  revokeRulesOnDelete:
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -454,6 +580,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: VPC ID. Note that changing the  It will be left in
+                      its current state.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_defaultsubnets.yaml b/package/crds/ec2.aws.upbound.io_defaultsubnets.yaml
index 6026ebae3a..27e373ce9a 100644
--- a/package/crds/ec2.aws.upbound.io_defaultsubnets.yaml
+++ b/package/crds/ec2.aws.upbound.io_defaultsubnets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -102,9 +106,23 @@ spec:
                       type: string
                     type: object
                 required:
-                - availabilityZone
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -276,6 +294,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: availabilityZone is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)
           status:
             description: DefaultSubnetStatus defines the observed state of DefaultSubnet.
             properties:
@@ -283,6 +304,11 @@ spec:
                 properties:
                   arn:
                     type: string
+                  assignIpv6AddressOnCreation:
+                    type: boolean
+                  availabilityZone:
+                    description: is required
+                    type: string
                   availabilityZoneId:
                     description: ', cidr_block and vpc_id arguments become computed
                       attributes'
@@ -290,16 +316,44 @@ spec:
                   cidrBlock:
                     description: The IPv4 CIDR block assigned to the subnet
                     type: string
+                  customerOwnedIpv4Pool:
+                    type: string
+                  enableDns64:
+                    type: boolean
+                  enableResourceNameDnsARecordOnLaunch:
+                    type: boolean
+                  enableResourceNameDnsAaaaRecordOnLaunch:
+                    type: boolean
                   existingDefaultSubnet:
                     type: boolean
+                  forceDestroy:
+                    description: 'Whether destroying the resource deletes the default
+                      subnet. Default: false'
+                    type: boolean
                   id:
                     type: string
+                  ipv6CidrBlock:
+                    description: The IPv4 CIDR block assigned to the subnet
+                    type: string
                   ipv6CidrBlockAssociationId:
                     type: string
+                  ipv6Native:
+                    type: boolean
+                  mapCustomerOwnedIpOnLaunch:
+                    type: boolean
+                  mapPublicIpOnLaunch:
+                    description: is true
+                    type: boolean
                   outpostArn:
                     type: string
                   ownerId:
                     type: string
+                  privateDnsHostnameTypeOnLaunch:
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_defaultvpcdhcpoptions.yaml b/package/crds/ec2.aws.upbound.io_defaultvpcdhcpoptions.yaml
index 071953a4ed..c5492fb6e9 100644
--- a/package/crds/ec2.aws.upbound.io_defaultvpcdhcpoptions.yaml
+++ b/package/crds/ec2.aws.upbound.io_defaultvpcdhcpoptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,6 +84,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -278,6 +297,15 @@ spec:
                     type: string
                   ntpServers:
                     type: string
+                  ownerId:
+                    description: The ID of the AWS account that owns the DHCP options
+                      set.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_defaultvpcs.yaml b/package/crds/ec2.aws.upbound.io_defaultvpcs.yaml
index 59145a7714..bdefc3778d 100644
--- a/package/crds/ec2.aws.upbound.io_defaultvpcs.yaml
+++ b/package/crds/ec2.aws.upbound.io_defaultvpcs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -102,6 +106,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -280,6 +299,9 @@ spec:
                 properties:
                   arn:
                     type: string
+                  assignGeneratedIpv6CidrBlock:
+                    description: and instance_tenancy arguments become computed attributes
+                    type: boolean
                   cidrBlock:
                     description: and instance_tenancy arguments become computed attributes
                     type: string
@@ -291,8 +313,23 @@ spec:
                     type: string
                   dhcpOptionsId:
                     type: string
+                  enableClassiclink:
+                    type: boolean
+                  enableClassiclinkDnsSupport:
+                    type: boolean
+                  enableDnsHostnames:
+                    description: is true
+                    type: boolean
+                  enableDnsSupport:
+                    type: boolean
+                  enableNetworkAddressUsageMetrics:
+                    type: boolean
                   existingDefaultVpc:
                     type: boolean
+                  forceDestroy:
+                    description: 'Whether destroying the resource deletes the default
+                      VPC. Default: false'
+                    type: boolean
                   id:
                     type: string
                   instanceTenancy:
@@ -301,10 +338,23 @@ spec:
                     type: string
                   ipv6AssociationId:
                     type: string
+                  ipv6CidrBlock:
+                    description: and instance_tenancy arguments become computed attributes
+                    type: string
+                  ipv6CidrBlockNetworkBorderGroup:
+                    type: string
+                  ipv6IpamPoolId:
+                    type: string
+                  ipv6NetmaskLength:
+                    type: number
                   mainRouteTableId:
                     type: string
                   ownerId:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_ebsdefaultkmskeys.yaml b/package/crds/ec2.aws.upbound.io_ebsdefaultkmskeys.yaml
index 52456480a2..6a0ad2ba5d 100644
--- a/package/crds/ec2.aws.upbound.io_ebsdefaultkmskeys.yaml
+++ b/package/crds/ec2.aws.upbound.io_ebsdefaultkmskeys.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,6 +153,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,6 +346,10 @@ spec:
                 properties:
                   id:
                     type: string
+                  keyArn:
+                    description: The ARN of the AWS Key Management Service (AWS KMS)
+                      customer master key (CMK) to use to encrypt the EBS volume.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_ebsencryptionbydefaults.yaml b/package/crds/ec2.aws.upbound.io_ebsencryptionbydefaults.yaml
index 2c515a5964..ec100d0d92 100644
--- a/package/crds/ec2.aws.upbound.io_ebsencryptionbydefaults.yaml
+++ b/package/crds/ec2.aws.upbound.io_ebsencryptionbydefaults.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,6 +80,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -253,6 +272,10 @@ spec:
             properties:
               atProvider:
                 properties:
+                  enabled:
+                    description: Whether or not default EBS encryption is enabled.
+                      Valid values are true or false. Defaults to true.
+                    type: boolean
                   id:
                     type: string
                 type: object
diff --git a/package/crds/ec2.aws.upbound.io_ebssnapshotcopies.yaml b/package/crds/ec2.aws.upbound.io_ebssnapshotcopies.yaml
index e7aa63c463..3633d01f84 100644
--- a/package/crds/ec2.aws.upbound.io_ebssnapshotcopies.yaml
+++ b/package/crds/ec2.aws.upbound.io_ebssnapshotcopies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -250,8 +254,22 @@ spec:
                     type: number
                 required:
                 - region
-                - sourceRegion
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -423,6 +441,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: sourceRegion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceRegion)
           status:
             description: EBSSnapshotCopyStatus defines the observed state of EBSSnapshotCopy.
             properties:
@@ -434,9 +455,18 @@ spec:
                   dataEncryptionKeyId:
                     description: The data encryption key identifier for the snapshot.
                     type: string
+                  description:
+                    description: A description of what the snapshot is.
+                    type: string
+                  encrypted:
+                    description: Whether the snapshot is encrypted.
+                    type: boolean
                   id:
                     description: The snapshot ID (e.g., snap-59fcb34e).
                     type: string
+                  kmsKeyId:
+                    description: The ARN for the KMS encryption key.
+                    type: string
                   outpostArn:
                     description: Amazon Resource Name (ARN) of the EBS Snapshot.
                     type: string
@@ -447,6 +477,25 @@ spec:
                   ownerId:
                     description: The AWS account ID of the snapshot owner.
                     type: string
+                  permanentRestore:
+                    description: Indicates whether to permanently restore an archived
+                      snapshot.
+                    type: boolean
+                  sourceRegion:
+                    description: The region of the source snapshot.
+                    type: string
+                  sourceSnapshotId:
+                    description: The ARN for the snapshot to be copied.
+                    type: string
+                  storageTier:
+                    description: The name of the storage tier. Valid values are archive
+                      and standard. Default value is standard.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -454,6 +503,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  temporaryRestoreDays:
+                    description: Specifies the number of days for which to temporarily
+                      restore an archived snapshot. Required for temporary restores
+                      only. The snapshot will be automatically re-archived after this
+                      period.
+                    type: number
                   volumeId:
                     description: The snapshot ID (e.g., snap-59fcb34e).
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_ebssnapshotimports.yaml b/package/crds/ec2.aws.upbound.io_ebssnapshotimports.yaml
index 9b66f55228..ce31a52fd7 100644
--- a/package/crds/ec2.aws.upbound.io_ebssnapshotimports.yaml
+++ b/package/crds/ec2.aws.upbound.io_ebssnapshotimports.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -237,9 +241,23 @@ spec:
                       period.
                     type: number
                 required:
-                - diskContainer
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -411,6 +429,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: diskContainer is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.diskContainer)
           status:
             description: EBSSnapshotImportStatus defines the observed state of EBSSnapshotImport.
             properties:
@@ -419,12 +440,78 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the EBS Snapshot.
                     type: string
+                  clientData:
+                    description: The client-specific data. Detailed below.
+                    items:
+                      properties:
+                        comment:
+                          description: A user-defined comment about the disk upload.
+                          type: string
+                        uploadEnd:
+                          description: The time that the disk upload ends.
+                          type: string
+                        uploadSize:
+                          description: The size of the uploaded disk image, in GiB.
+                          type: number
+                        uploadStart:
+                          description: The time that the disk upload starts.
+                          type: string
+                      type: object
+                    type: array
                   dataEncryptionKeyId:
                     description: The data encryption key identifier for the snapshot.
                     type: string
+                  description:
+                    description: The description string for the import snapshot task.
+                    type: string
+                  diskContainer:
+                    description: Information about the disk container. Detailed below.
+                    items:
+                      properties:
+                        description:
+                          description: The description of the disk image being imported.
+                          type: string
+                        format:
+                          description: The format of the disk image being imported.
+                            One of VHD or VMDK.
+                          type: string
+                        url:
+                          description: The URL to the Amazon S3-based disk image being
+                            imported. It can either be a https URL (https://..) or
+                            an Amazon S3 URL (s3://..). One of url or user_bucket
+                            must be set.
+                          type: string
+                        userBucket:
+                          description: The Amazon S3 bucket for the disk image. One
+                            of url or user_bucket must be set. Detailed below.
+                          items:
+                            properties:
+                              s3Bucket:
+                                description: The name of the Amazon S3 bucket where
+                                  the disk image is located.
+                                type: string
+                              s3Key:
+                                description: The file name of the disk image.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  encrypted:
+                    description: Specifies whether the destination snapshot of the
+                      imported image should be encrypted. The default KMS key for
+                      EBS is used unless you specify a non-default KMS key using KmsKeyId.
+                    type: boolean
                   id:
                     description: The snapshot ID (e.g., snap-59fcb34e).
                     type: string
+                  kmsKeyId:
+                    description: An identifier for the symmetric KMS key to use when
+                      creating the encrypted snapshot. This parameter is only required
+                      if you want to use a non-default KMS key; if this parameter
+                      is not specified, the default KMS key for EBS is used. If a
+                      KmsKeyId is specified, the Encrypted flag must also be set.
+                    type: string
                   outpostArn:
                     description: Amazon Resource Name (ARN) of the EBS Snapshot.
                     type: string
@@ -435,6 +522,24 @@ spec:
                   ownerId:
                     description: The AWS account ID of the EBS snapshot owner.
                     type: string
+                  permanentRestore:
+                    description: Indicates whether to permanently restore an archived
+                      snapshot.
+                    type: boolean
+                  roleName:
+                    description: 'The name of the IAM Role the VM Import/Export service
+                      will assume. This role needs certain permissions. See https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role.
+                      Default: vmimport'
+                    type: string
+                  storageTier:
+                    description: The name of the storage tier. Valid values are archive
+                      and standard. Default value is standard.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -442,6 +547,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  temporaryRestoreDays:
+                    description: Specifies the number of days for which to temporarily
+                      restore an archived snapshot. Required for temporary restores
+                      only. The snapshot will be automatically re-archived after this
+                      period.
+                    type: number
                   volumeId:
                     description: The snapshot ID (e.g., snap-59fcb34e).
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_ebssnapshots.yaml b/package/crds/ec2.aws.upbound.io_ebssnapshots.yaml
index c57c36b344..b2c28f05f0 100644
--- a/package/crds/ec2.aws.upbound.io_ebssnapshots.yaml
+++ b/package/crds/ec2.aws.upbound.io_ebssnapshots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -173,6 +177,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -355,6 +374,9 @@ spec:
                   dataEncryptionKeyId:
                     description: The data encryption key identifier for the snapshot.
                     type: string
+                  description:
+                    description: A description of what the snapshot is.
+                    type: string
                   encrypted:
                     description: Whether the snapshot is encrypted.
                     type: boolean
@@ -364,6 +386,10 @@ spec:
                   kmsKeyId:
                     description: The ARN for the KMS encryption key.
                     type: string
+                  outpostArn:
+                    description: The Amazon Resource Name (ARN) of the Outpost on
+                      which to create a local snapshot.
+                    type: string
                   ownerAlias:
                     description: Value from an Amazon-maintained list (amazon, aws-marketplace,
                       microsoft) of snapshot owners.
@@ -371,6 +397,19 @@ spec:
                   ownerId:
                     description: The AWS account ID of the EBS snapshot owner.
                     type: string
+                  permanentRestore:
+                    description: Indicates whether to permanently restore an archived
+                      snapshot.
+                    type: boolean
+                  storageTier:
+                    description: The name of the storage tier. Valid values are archive
+                      and standard. Default value is standard.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -378,6 +417,15 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  temporaryRestoreDays:
+                    description: Specifies the number of days for which to temporarily
+                      restore an archived snapshot. Required for temporary restores
+                      only. The snapshot will be automatically re-archived after this
+                      period.
+                    type: number
+                  volumeId:
+                    description: The Volume ID of which to make a snapshot.
+                    type: string
                   volumeSize:
                     description: The size of the drive in GiBs.
                     type: number
diff --git a/package/crds/ec2.aws.upbound.io_ebsvolumes.yaml b/package/crds/ec2.aws.upbound.io_ebsvolumes.yaml
index 780bf7cc33..37bbfd7779 100644
--- a/package/crds/ec2.aws.upbound.io_ebsvolumes.yaml
+++ b/package/crds/ec2.aws.upbound.io_ebsvolumes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -187,9 +191,23 @@ spec:
                       io1, io2, sc1 or st1 (Default: gp2).'
                     type: string
                 required:
-                - availabilityZone
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -361,6 +379,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: availabilityZone is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)
           status:
             description: EBSVolumeStatus defines the observed state of EBSVolume.
             properties:
@@ -369,9 +390,46 @@ spec:
                   arn:
                     description: The volume ARN (e.g., arn:aws:ec2:us-east-1:0123456789012:volume/vol-59fcb34e).
                     type: string
+                  availabilityZone:
+                    description: The AZ where the EBS volume will exist.
+                    type: string
+                  encrypted:
+                    description: If true, the disk will be encrypted.
+                    type: boolean
+                  finalSnapshot:
+                    description: If true, snapshot will be created before volume deletion.
+                      Any tags on the volume will be migrated to the snapshot. By
+                      default set to false
+                    type: boolean
                   id:
                     description: The volume ID (e.g., vol-59fcb34e).
                     type: string
+                  iops:
+                    description: The amount of IOPS to provision for the disk. Only
+                      valid for type of io1, io2 or gp3.
+                    type: number
+                  kmsKeyId:
+                    description: The ARN for the KMS encryption key. When specifying
+                      kms_key_id, encrypted needs to be set to true.
+                    type: string
+                  multiAttachEnabled:
+                    description: Specifies whether to enable Amazon EBS Multi-Attach.
+                      Multi-Attach is supported on io1 and io2 volumes.
+                    type: boolean
+                  outpostArn:
+                    description: The Amazon Resource Name (ARN) of the Outpost.
+                    type: string
+                  size:
+                    description: The size of the drive in GiBs.
+                    type: number
+                  snapshotId:
+                    description: A snapshot to base the EBS volume off of.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -379,6 +437,14 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  throughput:
+                    description: The throughput that the volume supports, in MiB/s.
+                      Only valid for type of gp3.
+                    type: number
+                  type:
+                    description: 'The type of EBS volume. Can be standard, gp2, gp3,
+                      io1, io2, sc1 or st1 (Default: gp2).'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_egressonlyinternetgateways.yaml b/package/crds/ec2.aws.upbound.io_egressonlyinternetgateways.yaml
index e8fe0d5109..91c6b144f0 100644
--- a/package/crds/ec2.aws.upbound.io_egressonlyinternetgateways.yaml
+++ b/package/crds/ec2.aws.upbound.io_egressonlyinternetgateways.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,6 +157,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,6 +352,11 @@ spec:
                   id:
                     description: The ID of the egress-only Internet gateway.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -340,6 +364,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The VPC ID to create in.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_eipassociations.yaml b/package/crds/ec2.aws.upbound.io_eipassociations.yaml
index 03ba52ff15..806fe19d45 100644
--- a/package/crds/ec2.aws.upbound.io_eipassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_eipassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -244,6 +248,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -420,8 +439,35 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allocationId:
+                    description: The allocation ID. This is required for EC2-VPC.
+                    type: string
+                  allowReassociation:
+                    description: Whether to allow an Elastic IP to be re-associated.
+                      Defaults to true in VPC.
+                    type: boolean
                   id:
                     type: string
+                  instanceId:
+                    description: The ID of the instance. This is required for EC2-Classic.
+                      For EC2-VPC, you can specify either the instance ID or the network
+                      interface ID, but not both. The operation fails if you specify
+                      an instance ID unless exactly one network interface is attached.
+                    type: string
+                  networkInterfaceId:
+                    description: The ID of the network interface. If the instance
+                      has more than one network interface, you must specify a network
+                      interface ID.
+                    type: string
+                  privateIpAddress:
+                    description: The primary or secondary private IP address to associate
+                      with the Elastic IP address. If no private IP address is specified,
+                      the Elastic IP address is associated with the primary private
+                      IP address.
+                    type: string
+                  publicIp:
+                    description: The Elastic IP address. This is required for EC2-Classic.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_eips.yaml b/package/crds/ec2.aws.upbound.io_eips.yaml
index 06021c10fe..7a80cf9e46 100644
--- a/package/crds/ec2.aws.upbound.io_eips.yaml
+++ b/package/crds/ec2.aws.upbound.io_eips.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -254,6 +258,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -430,10 +449,20 @@ spec:
             properties:
               atProvider:
                 properties:
+                  address:
+                    description: IP address from an EC2 BYOIP pool. This option is
+                      only available for VPC EIPs.
+                    type: string
                   allocationId:
                     description: ID that AWS assigns to represent the allocation of
                       the Elastic IP address for use with instances in a VPC.
                     type: string
+                  associateWithPrivateIp:
+                    description: User-specified primary or secondary private IP address
+                      to associate with the Elastic IP address. If no private IP address
+                      is specified, the Elastic IP address is associated with the
+                      primary private IP address.
+                    type: string
                   associationId:
                     description: ID representing the association of the address with
                       an instance in a VPC.
@@ -444,6 +473,11 @@ spec:
                   customerOwnedIp:
                     description: Customer owned IP.
                     type: string
+                  customerOwnedIpv4Pool:
+                    description: ID  of a customer-owned address pool. For more on
+                      customer owned IP addressed check out Customer-owned IP addresses
+                      guide.
+                    type: string
                   domain:
                     description: Indicates if this EIP is for use in VPC (vpc) or
                       EC2-Classic (standard).
@@ -451,6 +485,16 @@ spec:
                   id:
                     description: Contains the EIP allocation ID.
                     type: string
+                  instance:
+                    description: EC2 instance ID.
+                    type: string
+                  networkBorderGroup:
+                    description: Location from which the IP address is advertised.
+                      Use this parameter to limit the address to this location.
+                    type: string
+                  networkInterface:
+                    description: Network interface ID to associate with.
+                    type: string
                   privateDns:
                     description: The Private DNS associated with the Elastic IP address
                       (if in VPC).
@@ -464,6 +508,15 @@ spec:
                   publicIp:
                     description: Contains the public IP address.
                     type: string
+                  publicIpv4Pool:
+                    description: EC2 IPv4 address pool identifier or amazon. This
+                      option is only available for VPC EIPs.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -471,6 +524,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpc:
+                    description: Boolean if the EIP is in a VPC or not. Defaults to
+                      true unless the region supports EC2-Classic.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_flowlogs.yaml b/package/crds/ec2.aws.upbound.io_flowlogs.yaml
index 00d71cbb4c..82788e6595 100644
--- a/package/crds/ec2.aws.upbound.io_flowlogs.yaml
+++ b/package/crds/ec2.aws.upbound.io_flowlogs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -438,6 +442,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -617,9 +636,69 @@ spec:
                   arn:
                     description: The ARN of the Flow Log.
                     type: string
+                  destinationOptions:
+                    description: Describes the destination options for a flow log.
+                      More details below.
+                    items:
+                      properties:
+                        fileFormat:
+                          description: 'The format for the flow log. Default value:
+                            plain-text. Valid values: plain-text, parquet.'
+                          type: string
+                        hiveCompatiblePartitions:
+                          description: 'Indicates whether to use Hive-compatible prefixes
+                            for flow logs stored in Amazon S3. Default value: false.'
+                          type: boolean
+                        perHourPartition:
+                          description: 'Indicates whether to partition the flow log
+                            per hour. This reduces the cost and response time for
+                            queries. Default value: false.'
+                          type: boolean
+                      type: object
+                    type: array
+                  eniId:
+                    description: Elastic Network Interface ID to attach to
+                    type: string
+                  iamRoleArn:
+                    description: The ARN for the IAM role that's used to post flow
+                      logs to a CloudWatch Logs log group
+                    type: string
                   id:
                     description: The Flow Log ID
                     type: string
+                  logDestination:
+                    description: The ARN of the logging destination. Either log_destination
+                      or log_group_name must be set.
+                    type: string
+                  logDestinationType:
+                    description: 'The type of the logging destination. Valid values:
+                      cloud-watch-logs, s3, kinesis-data-firehose. Default: cloud-watch-logs.'
+                    type: string
+                  logFormat:
+                    description: The fields to include in the flow log record, in
+                      the order in which they should appear.
+                    type: string
+                  logGroupName:
+                    description: 'Deprecated: Use log_destination instead. The name
+                      of the CloudWatch log group. Either log_group_name or log_destination
+                      must be set.'
+                    type: string
+                  maxAggregationInterval:
+                    description: 'The maximum interval of time during which a flow
+                      of packets is captured and aggregated into a flow log record.
+                      Valid Values: 60 seconds (1 minute) or 600 seconds (10 minutes).
+                      Default: 600. When transit_gateway_id or transit_gateway_attachment_id
+                      is specified, max_aggregation_interval must be 60 seconds (1
+                      minute).'
+                    type: number
+                  subnetId:
+                    description: Subnet ID to attach to
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -627,6 +706,19 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  trafficType:
+                    description: 'The type of traffic to capture. Valid values: ACCEPT,REJECT,
+                      ALL.'
+                    type: string
+                  transitGatewayAttachmentId:
+                    description: Transit Gateway Attachment ID to attach to
+                    type: string
+                  transitGatewayId:
+                    description: Transit Gateway ID to attach to
+                    type: string
+                  vpcId:
+                    description: VPC ID to attach to
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_hosts.yaml b/package/crds/ec2.aws.upbound.io_hosts.yaml
index fc8be10962..097d02efb5 100644
--- a/package/crds/ec2.aws.upbound.io_hosts.yaml
+++ b/package/crds/ec2.aws.upbound.io_hosts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -105,9 +109,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - availabilityZone
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -279,6 +297,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: availabilityZone is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)
           status:
             description: HostStatus defines the observed state of Host.
             properties:
@@ -287,14 +308,50 @@ spec:
                   arn:
                     description: The ARN of the Dedicated Host.
                     type: string
+                  autoPlacement:
+                    description: 'Indicates whether the host accepts any untargeted
+                      instance launches that match its instance type configuration,
+                      or if it only accepts Host tenancy instance launches that specify
+                      its unique host ID. Valid values: on, off. Default: on.'
+                    type: string
+                  availabilityZone:
+                    description: The Availability Zone in which to allocate the Dedicated
+                      Host.
+                    type: string
+                  hostRecovery:
+                    description: 'Indicates whether to enable or disable host recovery
+                      for the Dedicated Host. Valid values: on, off. Default: off.'
+                    type: string
                   id:
                     description: The ID of the allocated Dedicated Host. This is used
                       to launch an instance onto a specific host.
                     type: string
+                  instanceFamily:
+                    description: Specifies the instance family to be supported by
+                      the Dedicated Hosts. If you specify an instance family, the
+                      Dedicated Hosts support multiple instance types within that
+                      instance family. Exactly one of instance_family or instance_type
+                      must be specified.
+                    type: string
+                  instanceType:
+                    description: Specifies the instance type to be supported by the
+                      Dedicated Hosts. If you specify an instance type, the Dedicated
+                      Hosts support instances of the specified instance type only.
+                      Exactly one of instance_family or instance_type must be specified.
+                    type: string
+                  outpostArn:
+                    description: The Amazon Resource Name (ARN) of the AWS Outpost
+                      on which to allocate the Dedicated Host.
+                    type: string
                   ownerId:
                     description: The ID of the AWS account that owns the Dedicated
                       Host.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_instances.yaml b/package/crds/ec2.aws.upbound.io_instances.yaml
index c97af713b8..3dfacbc6aa 100644
--- a/package/crds/ec2.aws.upbound.io_instances.yaml
+++ b/package/crds/ec2.aws.upbound.io_instances.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -908,6 +912,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1084,9 +1103,82 @@ spec:
             properties:
               atProvider:
                 properties:
+                  ami:
+                    description: AMI to use for the instance. Required unless launch_template
+                      is specified and the Launch Template specifes an AMI. If an
+                      AMI is specified in the Launch Template, setting ami will override
+                      the AMI specified in the Launch Template.
+                    type: string
                   arn:
                     description: ARN of the instance.
                     type: string
+                  associatePublicIpAddress:
+                    description: Whether to associate a public IP address with an
+                      instance in a VPC.
+                    type: boolean
+                  availabilityZone:
+                    description: AZ to start the instance in.
+                    type: string
+                  capacityReservationSpecification:
+                    description: Describes an instance's Capacity Reservation targeting
+                      option. See Capacity Reservation Specification below for more
+                      details.
+                    items:
+                      properties:
+                        capacityReservationPreference:
+                          description: 'Indicates the instance''s Capacity Reservation
+                            preferences. Can be "open" or "none". (Default: "open").'
+                          type: string
+                        capacityReservationTarget:
+                          description: Information about the target Capacity Reservation.
+                            See Capacity Reservation Target below for more details.
+                          items:
+                            properties:
+                              capacityReservationId:
+                                description: ID of the Capacity Reservation in which
+                                  to run the instance.
+                                type: string
+                              capacityReservationResourceGroupArn:
+                                description: ARN of the Capacity Reservation resource
+                                  group in which to run the instance.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  cpuCoreCount:
+                    description: Sets the number of CPU cores for an instance. This
+                      option is only supported on creation of instance type that support
+                      CPU Options CPU Cores and Threads Per CPU Core Per Instance
+                      Type - specifying this option for unsupported instance types
+                      will return an error from the EC2 API.
+                    type: number
+                  cpuThreadsPerCore:
+                    description: If set to 1, hyperthreading is disabled on the launched
+                      instance. Defaults to 2 if not set. See Optimizing CPU Options
+                      for more information.
+                    type: number
+                  creditSpecification:
+                    description: Configuration block for customizing the credit specification
+                      of the instance. See Credit Specification below for more details.
+                      Removing this configuration on existing instances will only
+                      stop managing it. It will not change the configuration back
+                      to the default for the instance type.
+                    items:
+                      properties:
+                        cpuCredits:
+                          description: Credit option for CPU usage. Valid values include
+                            standard or unlimited. T3 instances are launched as unlimited
+                            by default. T2 instances are launched as standard by default.
+                          type: string
+                      type: object
+                    type: array
+                  disableApiStop:
+                    description: If true, enables EC2 Instance Stop Protection.
+                    type: boolean
+                  disableApiTermination:
+                    description: If true, enables EC2 Instance Termination Protection.
+                    type: boolean
                   ebsBlockDevice:
                     description: One or more configuration blocks with additional
                       EBS block devices to attach to the instance. Block device configurations
@@ -1095,20 +1187,244 @@ spec:
                       as an attribute reference, it is a set of objects.
                     items:
                       properties:
+                        deleteOnTermination:
+                          description: Whether the volume should be destroyed on instance
+                            termination. Defaults to true.
+                          type: boolean
+                        deviceName:
+                          description: Name of the device to mount.
+                          type: string
+                        encrypted:
+                          description: Enables EBS encryption on the volume. Defaults
+                            to false. Cannot be used with snapshot_id. Must be configured
+                            to perform drift detection.
+                          type: boolean
+                        iops:
+                          description: Amount of provisioned IOPS. Only valid for
+                            volume_type of io1, io2 or gp3.
+                          type: number
+                        kmsKeyId:
+                          description: Amazon Resource Name (ARN) of the KMS Key to
+                            use when encrypting the volume. Must be configured to
+                            perform drift detection.
+                          type: string
+                        snapshotId:
+                          description: Snapshot ID to mount.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Map of tags to assign to the device.
+                          type: object
+                        throughput:
+                          description: Throughput to provision for a volume in mebibytes
+                            per second (MiB/s). This is only valid for volume_type
+                            of gp3.
+                          type: number
                         volumeId:
                           description: ID of the volume. For example, the ID can be
                             accessed like this, aws_instance.web.ebs_block_device.2.volume_id.
                           type: string
+                        volumeSize:
+                          description: Size of the volume in gibibytes (GiB).
+                          type: number
+                        volumeType:
+                          description: Type of volume. Valid values include standard,
+                            gp2, gp3, io1, io2, sc1, or st1. Defaults to gp2.
+                          type: string
+                      type: object
+                    type: array
+                  ebsOptimized:
+                    description: If true, the launched EC2 instance will be EBS-optimized.
+                      Note that if this is not set on an instance type that is optimized
+                      by default then this will show as disabled but if the instance
+                      type is optimized by default then there is no need to set this
+                      and there is no effect to disabling it. See the EBS Optimized
+                      section of the AWS User Guide for more information.
+                    type: boolean
+                  enclaveOptions:
+                    description: Enable Nitro Enclaves on launched instances. See
+                      Enclave Options below for more details.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether Nitro Enclaves will be enabled on the
+                            instance. Defaults to false.
+                          type: boolean
+                      type: object
+                    type: array
+                  ephemeralBlockDevice:
+                    description: One or more configuration blocks to customize Ephemeral
+                      (also known as "Instance Store") volumes on the instance. See
+                      Block Devices below for details. When accessing this as an attribute
+                      reference, it is a set of objects.
+                    items:
+                      properties:
+                        deviceName:
+                          description: Name of the block device to mount on the instance.
+                          type: string
+                        noDevice:
+                          description: Suppresses the specified device included in
+                            the AMI's block device mapping.
+                          type: boolean
+                        virtualName:
+                          description: Instance Store Device Name (e.g., ephemeral0).
+                          type: string
                       type: object
                     type: array
+                  getPasswordData:
+                    description: If true, wait for password data to become available
+                      and retrieve it. Useful for getting the administrator password
+                      for instances running Microsoft Windows. The password data is
+                      exported to the password_data attribute. See GetPasswordData
+                      for more information.
+                    type: boolean
+                  hibernation:
+                    description: If true, the launched EC2 instance will support hibernation.
+                    type: boolean
+                  hostId:
+                    description: ID of a dedicated host that the instance will be
+                      assigned to. Use when an instance is to be launched on a specific
+                      dedicated host.
+                    type: string
+                  hostResourceGroupArn:
+                    description: ARN of the host resource group in which to launch
+                      the instances. If you specify an ARN, omit the tenancy parameter
+                      or set it to host.
+                    type: string
+                  iamInstanceProfile:
+                    description: IAM Instance Profile to launch the instance with.
+                      Specified as the name of the Instance Profile. Ensure your credentials
+                      have the correct permission to assign the instance profile according
+                      to the EC2 documentation, notably iam:PassRole.
+                    type: string
                   id:
                     description: ID of the launch template. Conflicts with name.
                     type: string
+                  instanceInitiatedShutdownBehavior:
+                    description: Shutdown behavior for the instance. Amazon defaults
+                      this to stop for EBS-backed instances and terminate for instance-store
+                      instances. Cannot be set on instance-store instances. See Shutdown
+                      Behavior for more information.
+                    type: string
                   instanceState:
                     description: 'State of the instance. One of: pending, running,
                       shutting-down, terminated, stopping, stopped. See Instance Lifecycle
                       for more information.'
                     type: string
+                  instanceType:
+                    description: Instance type to use for the instance. Required unless
+                      launch_template is specified and the Launch Template specifies
+                      an instance type. If an instance type is specified in the Launch
+                      Template, setting instance_type will override the instance type
+                      specified in the Launch Template. Updates to this field will
+                      trigger a stop/start of the EC2 instance.
+                    type: string
+                  ipv6AddressCount:
+                    description: Number of IPv6 addresses to associate with the primary
+                      network interface. Amazon EC2 chooses the IPv6 addresses from
+                      the range of your subnet.
+                    type: number
+                  ipv6Addresses:
+                    description: Specify one or more IPv6 addresses from the range
+                      of the subnet to associate with the primary network interface
+                    items:
+                      type: string
+                    type: array
+                  keyName:
+                    description: Key name of the Key Pair to use for the instance;
+                      which can be managed using the .
+                    type: string
+                  launchTemplate:
+                    description: Specifies a Launch Template to configure the instance.
+                      Parameters configured on this resource will override the corresponding
+                      parameters in the Launch Template. See Launch Template Specification
+                      below for more details.
+                    items:
+                      properties:
+                        id:
+                          description: ID of the launch template. Conflicts with name.
+                          type: string
+                        name:
+                          description: Name of the launch template. Conflicts with
+                            id.
+                          type: string
+                        version:
+                          description: Template version. Can be a specific version
+                            number, $Latest or $Default. The default value is $Default.
+                          type: string
+                      type: object
+                    type: array
+                  maintenanceOptions:
+                    description: Maintenance and recovery options for the instance.
+                      See Maintenance Options below for more details.
+                    items:
+                      properties:
+                        autoRecovery:
+                          description: Automatic recovery behavior of the Instance.
+                            Can be "default" or "disabled". See Recover your instance
+                            for more details.
+                          type: string
+                      type: object
+                    type: array
+                  metadataOptions:
+                    description: Customize the metadata options of the instance. See
+                      Metadata Options below for more details.
+                    items:
+                      properties:
+                        httpEndpoint:
+                          description: Whether the metadata service is available.
+                            Valid values include enabled or disabled. Defaults to
+                            enabled.
+                          type: string
+                        httpPutResponseHopLimit:
+                          description: Desired HTTP PUT response hop limit for instance
+                            metadata requests. The larger the number, the further
+                            instance metadata requests can travel. Valid values are
+                            integer from 1 to 64. Defaults to 1.
+                          type: number
+                        httpTokens:
+                          description: Whether or not the metadata service requires
+                            session tokens, also referred to as Instance Metadata
+                            Service Version 2 (IMDSv2). Valid values include optional
+                            or required. Defaults to optional.
+                          type: string
+                        instanceMetadataTags:
+                          description: Enables or disables access to instance tags
+                            from the instance metadata service. Valid values include
+                            enabled or disabled. Defaults to disabled.
+                          type: string
+                      type: object
+                    type: array
+                  monitoring:
+                    description: If true, the launched EC2 instance will have detailed
+                      monitoring enabled. (Available since v0.6.0)
+                    type: boolean
+                  networkInterface:
+                    description: Customize network interfaces to be attached at instance
+                      boot time. See Network Interfaces below for more details.
+                    items:
+                      properties:
+                        deleteOnTermination:
+                          description: Whether or not to delete the network interface
+                            on instance termination. Defaults to false. Currently,
+                            the only valid value is false, as this is only supported
+                            when creating new network interfaces when launching an
+                            instance.
+                          type: boolean
+                        deviceIndex:
+                          description: Integer index of the network interface attachment.
+                            Limited by instance type.
+                          type: number
+                        networkCardIndex:
+                          description: Integer index of the network card. Limited
+                            by instance type. The default index is 0.
+                          type: number
+                        networkInterfaceId:
+                          description: ID of the network interface to attach.
+                          type: string
+                      type: object
+                    type: array
                   outpostArn:
                     description: ARN of the Outpost the instance is assigned to.
                     type: string
@@ -1120,6 +1436,13 @@ spec:
                       be stored in the state file, as with all exported attributes.
                       See GetPasswordData for more information.
                     type: string
+                  placementGroup:
+                    description: Placement Group to start the instance in.
+                    type: string
+                  placementPartitionNumber:
+                    description: Number of the partition the instance is in. Valid
+                      only if the  strategy argument is set to "partition".
+                    type: number
                   primaryNetworkInterfaceId:
                     description: ID of the instance's primary network interface.
                     type: string
@@ -1128,6 +1451,35 @@ spec:
                       be used inside the Amazon EC2, and only available if you've
                       enabled DNS hostnames for your VPC.
                     type: string
+                  privateDnsNameOptions:
+                    description: Options for the instance hostname. The default values
+                      are inherited from the subnet. See Private DNS Name Options
+                      below for more details.
+                    items:
+                      properties:
+                        enableResourceNameDnsARecord:
+                          description: Indicates whether to respond to DNS queries
+                            for instance hostnames with DNS A records.
+                          type: boolean
+                        enableResourceNameDnsAaaaRecord:
+                          description: Indicates whether to respond to DNS queries
+                            for instance hostnames with DNS AAAA records.
+                          type: boolean
+                        hostnameType:
+                          description: 'Type of hostname for Amazon EC2 instances.
+                            For IPv4 only subnets, an instance DNS name must be based
+                            on the instance IPv4 address. For IPv6 native subnets,
+                            an instance DNS name must be based on the instance ID.
+                            For dual-stack subnets, you can specify whether DNS names
+                            use the instance IPv4 address or the instance ID. Valid
+                            values: ip-name and resource-name.'
+                          type: string
+                      type: object
+                    type: array
+                  privateIp:
+                    description: Private IP address to associate with the instance
+                      in a VPC.
+                    type: string
                   publicDns:
                     description: Public DNS name assigned to the instance. For EC2-VPC,
                       this is only available if you've enabled DNS hostnames for your
@@ -1146,26 +1498,124 @@ spec:
                       a list containing one object.
                     items:
                       properties:
+                        deleteOnTermination:
+                          description: Whether the volume should be destroyed on instance
+                            termination. Defaults to true.
+                          type: boolean
                         deviceName:
                           description: Device name, e.g., /dev/sdh or xvdh.
                           type: string
+                        encrypted:
+                          description: Whether to enable volume encryption. Defaults
+                            to false. Must be configured to perform drift detection.
+                          type: boolean
+                        iops:
+                          description: Amount of provisioned IOPS. Only valid for
+                            volume_type of io1, io2 or gp3.
+                          type: number
+                        kmsKeyId:
+                          description: Amazon Resource Name (ARN) of the KMS Key to
+                            use when encrypting the volume. Must be configured to
+                            perform drift detection.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Map of tags to assign to the device.
+                          type: object
+                        throughput:
+                          description: Throughput to provision for a volume in mebibytes
+                            per second (MiB/s). This is only valid for volume_type
+                            of gp3.
+                          type: number
                         volumeId:
                           description: ID of the volume. For example, the ID can be
                             accessed like this, aws_instance.web.root_block_device.0.volume_id.
                           type: string
+                        volumeSize:
+                          description: Size of the volume in gibibytes (GiB).
+                          type: number
+                        volumeType:
+                          description: Type of volume. Valid values include standard,
+                            gp2, gp3, io1, io2, sc1, or st1. Defaults to gp2.
+                          type: string
                       type: object
                     type: array
+                  secondaryPrivateIps:
+                    description: List of secondary private IPv4 addresses to assign
+                      to the instance's primary network interface (eth0) in a VPC.
+                      Can only be assigned to the primary network interface (eth0)
+                      attached at instance creation, not a pre-existing network interface
+                      i.e., referenced in a network_interface block. Refer to the
+                      Elastic network interfaces documentation to see the maximum
+                      number of private IP addresses allowed per instance type.
+                    items:
+                      type: string
+                    type: array
                   securityGroups:
                     description: List of security group names to associate with.
                     items:
                       type: string
                     type: array
+                  sourceDestCheck:
+                    description: Controls if traffic is routed to the instance when
+                      the destination address does not match the instance. Used for
+                      NAT or VPNs. Defaults true.
+                    type: boolean
+                  subnetId:
+                    description: VPC Subnet ID to launch in.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  tenancy:
+                    description: Tenancy of the instance (if the instance is running
+                      in a VPC). An instance with a tenancy of dedicated runs on single-tenant
+                      hardware. The host tenancy is not supported for the import-instance
+                      command. Valid values are default, dedicated, and host.
+                    type: string
+                  userData:
+                    description: User data to provide when launching the instance.
+                      Do not pass gzip-compressed data via this argument; see user_data_base64
+                      instead. Updates to this field will trigger a stop/start of
+                      the EC2 instance by default. If the user_data_replace_on_change
+                      is set then updates to this field will trigger a destroy and
+                      recreate.
+                    type: string
+                  userDataBase64:
+                    description: Can be used instead of user_data to pass base64-encoded
+                      binary data directly. Use this instead of user_data whenever
+                      the value is not a valid UTF-8 string. For example, gzip-encoded
+                      user data must be base64-encoded and passed via this argument
+                      to avoid corruption. Updates to this field will trigger a stop/start
+                      of the EC2 instance by default. If the user_data_replace_on_change
+                      is set then updates to this field will trigger a destroy and
+                      recreate.
+                    type: string
+                  userDataReplaceOnChange:
+                    description: When used in combination with user_data or user_data_base64
+                      will trigger a destroy and recreate when set to true. Defaults
+                      to false if not set.
+                    type: boolean
+                  volumeTags:
+                    additionalProperties:
+                      type: string
+                    description: Map of tags to assign, at instance-creation time,
+                      to root and EBS volumes.
+                    type: object
+                  vpcSecurityGroupIds:
+                    description: List of security group IDs to associate with.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_instancestates.yaml b/package/crds/ec2.aws.upbound.io_instancestates.yaml
index 808f8c552e..70e41bc3e6 100644
--- a/package/crds/ec2.aws.upbound.io_instancestates.yaml
+++ b/package/crds/ec2.aws.upbound.io_instancestates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,8 +162,22 @@ spec:
                     type: string
                 required:
                 - region
-                - state
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,14 +349,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: state is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.state)
           status:
             description: InstanceStateStatus defines the observed state of InstanceState.
             properties:
               atProvider:
                 properties:
+                  force:
+                    description: Whether to request a forced stop when state is stopped.
+                      Otherwise (i.e., state is running), ignored. When an instance
+                      is forced to stop, it does not flush file system caches or file
+                      system metadata, and you must subsequently perform file system
+                      check and repair. Not recommended for Windows instances. Defaults
+                      to false.
+                    type: boolean
                   id:
                     description: ID of the instance (matches instance_id).
                     type: string
+                  instanceId:
+                    description: ID of the instance.
+                    type: string
+                  state:
+                    description: '- State of the instance. Valid values are stopped,
+                      running.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_internetgateways.yaml b/package/crds/ec2.aws.upbound.io_internetgateways.yaml
index 43f5262bfa..360ebe4780 100644
--- a/package/crds/ec2.aws.upbound.io_internetgateways.yaml
+++ b/package/crds/ec2.aws.upbound.io_internetgateways.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -154,6 +158,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,6 +359,11 @@ spec:
                     description: The ID of the AWS account that owns the internet
                       gateway.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -347,6 +371,11 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The VPC ID to create in.  See the aws_internet_gateway_attachment
+                      resource for an alternate way to attach an Internet Gateway
+                      to a VPC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_keypairs.yaml b/package/crds/ec2.aws.upbound.io_keypairs.yaml
index 172d9a86a0..11be502b68 100644
--- a/package/crds/ec2.aws.upbound.io_keypairs.yaml
+++ b/package/crds/ec2.aws.upbound.io_keypairs.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,9 +82,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - publicKey
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,6 +270,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: publicKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.publicKey)
           status:
             description: KeyPairStatus defines the observed state of KeyPair.
             properties:
@@ -273,6 +294,14 @@ spec:
                   keyType:
                     description: The type of key pair.
                     type: string
+                  publicKey:
+                    description: The public key material.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_launchtemplates.yaml b/package/crds/ec2.aws.upbound.io_launchtemplates.yaml
index 6e873d949d..253d1a9779 100644
--- a/package/crds/ec2.aws.upbound.io_launchtemplates.yaml
+++ b/package/crds/ec2.aws.upbound.io_launchtemplates.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1417,6 +1421,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1596,19 +1615,724 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the launch template.
                     type: string
+                  blockDeviceMappings:
+                    description: Specify volumes to attach to the instance besides
+                      the volumes specified by the AMI. See Block Devices below for
+                      details.
+                    items:
+                      properties:
+                        deviceName:
+                          description: The name of the device to mount.
+                          type: string
+                        ebs:
+                          description: Configure EBS volume properties.
+                          items:
+                            properties:
+                              deleteOnTermination:
+                                description: Whether the volume should be destroyed
+                                  on instance termination. See Preserving Amazon EBS
+                                  Volumes on Instance Termination for more information.
+                                type: string
+                              encrypted:
+                                description: Enables EBS encryption on the volume.
+                                  Cannot be used with snapshot_id.
+                                type: string
+                              iops:
+                                description: The amount of provisioned IOPS. This
+                                  must be set with a volume_type of "io1/io2".
+                                type: number
+                              kmsKeyId:
+                                description: The ARN of the AWS Key Management Service
+                                  (AWS KMS) customer master key (CMK) to use when
+                                  creating the encrypted volume. encrypted must be
+                                  set to true when this is set.
+                                type: string
+                              snapshotId:
+                                description: The Snapshot ID to mount.
+                                type: string
+                              throughput:
+                                description: The throughput to provision for a gp3
+                                  volume in MiB/s (specified as an integer, e.g.,
+                                  500), with a maximum of 1,000 MiB/s.
+                                type: number
+                              volumeSize:
+                                description: The size of the volume in gigabytes.
+                                type: number
+                              volumeType:
+                                description: The volume type. Can be one of standard,
+                                  gp2, gp3, io1, io2, sc1 or st1.
+                                type: string
+                            type: object
+                          type: array
+                        noDevice:
+                          description: Suppresses the specified device included in
+                            the AMI's block device mapping.
+                          type: string
+                        virtualName:
+                          description: The Instance Store Device Name (e.g., "ephemeral0").
+                          type: string
+                      type: object
+                    type: array
+                  capacityReservationSpecification:
+                    description: Targeting for EC2 capacity reservations. See Capacity
+                      Reservation Specification below for more details.
+                    items:
+                      properties:
+                        capacityReservationPreference:
+                          description: Indicates the instance's Capacity Reservation
+                            preferences. Can be open or none. (Default none).
+                          type: string
+                        capacityReservationTarget:
+                          description: 'Used to target a specific Capacity Reservation:'
+                          items:
+                            properties:
+                              capacityReservationId:
+                                description: The ID of the Capacity Reservation in
+                                  which to run the instance.
+                                type: string
+                              capacityReservationResourceGroupArn:
+                                description: The ARN of the Capacity Reservation resource
+                                  group in which to run the instance.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  cpuOptions:
+                    description: The CPU options for the instance. See CPU Options
+                      below for more details.
+                    items:
+                      properties:
+                        coreCount:
+                          description: The number of CPU cores for the instance.
+                          type: number
+                        threadsPerCore:
+                          description: The number of threads per CPU core. To disable
+                            Intel Hyper-Threading Technology for the instance, specify
+                            a value of 1. Otherwise, specify the default value of
+                            2.
+                          type: number
+                      type: object
+                    type: array
+                  creditSpecification:
+                    description: Customize the credit specification of the instance.
+                      See Credit Specification below for more details.
+                    items:
+                      properties:
+                        cpuCredits:
+                          description: The credit option for CPU usage. Can be "standard"
+                            or "unlimited". T3 instances are launched as unlimited
+                            by default. T2 instances are launched as standard by default.
+                          type: string
+                      type: object
+                    type: array
+                  defaultVersion:
+                    description: Default Version of the launch template.
+                    type: number
+                  description:
+                    description: Description of the launch template.
+                    type: string
+                  disableApiStop:
+                    description: If true, enables EC2 Instance Stop Protection.
+                    type: boolean
+                  disableApiTermination:
+                    description: If true, enables EC2 Instance Termination Protection
+                    type: boolean
+                  ebsOptimized:
+                    description: If true, the launched EC2 instance will be EBS-optimized.
+                    type: string
+                  elasticGpuSpecifications:
+                    description: The elastic GPU to attach to the instance. See Elastic
+                      GPU below for more details.
+                    items:
+                      properties:
+                        type:
+                          description: The Elastic GPU Type
+                          type: string
+                      type: object
+                    type: array
+                  elasticInferenceAccelerator:
+                    description: Configuration block containing an Elastic Inference
+                      Accelerator to attach to the instance. See Elastic Inference
+                      Accelerator below for more details.
+                    items:
+                      properties:
+                        type:
+                          description: Accelerator type.
+                          type: string
+                      type: object
+                    type: array
+                  enclaveOptions:
+                    description: Enable Nitro Enclaves on launched instances. See
+                      Enclave Options below for more details.
+                    items:
+                      properties:
+                        enabled:
+                          description: If set to true, Nitro Enclaves will be enabled
+                            on the instance.
+                          type: boolean
+                      type: object
+                    type: array
+                  hibernationOptions:
+                    description: The hibernation options for the instance. See Hibernation
+                      Options below for more details.
+                    items:
+                      properties:
+                        configured:
+                          description: If set to true, the launched EC2 instance will
+                            hibernation enabled.
+                          type: boolean
+                      type: object
+                    type: array
+                  iamInstanceProfile:
+                    description: The IAM Instance Profile to launch the instance with.
+                      See Instance Profile below for more details.
+                    items:
+                      properties:
+                        arn:
+                          description: The Amazon Resource Name (ARN) of the instance
+                            profile.
+                          type: string
+                        name:
+                          description: The name of the instance profile.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the launch template.
                     type: string
-                  latestVersion:
-                    description: The latest version of the launch template.
-                    type: number
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: A map of tags assigned to the resource, including
-                      those inherited from the provider default_tags configuration
-                      block.
-                    type: object
+                  imageId:
+                    description: The AMI from which to launch the instance.
+                    type: string
+                  instanceInitiatedShutdownBehavior:
+                    description: 'Shutdown behavior for the instance. Can be stop
+                      or terminate. (Default: stop).'
+                    type: string
+                  instanceMarketOptions:
+                    description: The market (purchasing) option for the instance.
+                      See Market Options below for details.
+                    items:
+                      properties:
+                        marketType:
+                          description: The market type. Can be spot.
+                          type: string
+                        spotOptions:
+                          description: The options for Spot Instance
+                          items:
+                            properties:
+                              blockDurationMinutes:
+                                description: The required duration in minutes. This
+                                  value must be a multiple of 60.
+                                type: number
+                              instanceInterruptionBehavior:
+                                description: 'The behavior when a Spot Instance is
+                                  interrupted. Can be hibernate, stop, or terminate.
+                                  (Default: terminate).'
+                                type: string
+                              maxPrice:
+                                description: The maximum hourly price you're willing
+                                  to pay for the Spot Instances.
+                                type: string
+                              spotInstanceType:
+                                description: The Spot Instance request type. Can be
+                                  one-time, or persistent.
+                                type: string
+                              validUntil:
+                                description: The end date of the request.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  instanceRequirements:
+                    description: The attribute requirements for the type of instance.
+                      If present then instance_type cannot be present.
+                    items:
+                      properties:
+                        acceleratorCount:
+                          description: Block describing the minimum and maximum number
+                            of accelerators (GPUs, FPGAs, or AWS Inferentia chips).
+                            Default is no minimum or maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                        acceleratorManufacturers:
+                          description: List of accelerator manufacturer names. Default
+                            is any manufacturer.
+                          items:
+                            type: string
+                          type: array
+                        acceleratorNames:
+                          description: List of accelerator names. Default is any acclerator.
+                          items:
+                            type: string
+                          type: array
+                        acceleratorTotalMemoryMib:
+                          description: Block describing the minimum and maximum total
+                            memory of the accelerators. Default is no minimum or maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                        acceleratorTypes:
+                          description: List of accelerator types. Default is any accelerator
+                            type.
+                          items:
+                            type: string
+                          type: array
+                        bareMetal:
+                          description: Indicate whether bare metal instace types should
+                            be included, excluded, or required. Default is excluded.
+                          type: string
+                        baselineEbsBandwidthMbps:
+                          description: Block describing the minimum and maximum baseline
+                            EBS bandwidth, in Mbps. Default is no minimum or maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                        burstablePerformance:
+                          description: Indicate whether burstable performance instance
+                            types should be included, excluded, or required. Default
+                            is excluded.
+                          type: string
+                        cpuManufacturers:
+                          description: List of CPU manufacturer names. Default is
+                            any manufacturer.
+                          items:
+                            type: string
+                          type: array
+                        excludedInstanceTypes:
+                          description: 'List of instance types to exclude. You can
+                            use strings with one or more wild cards, represented by
+                            an asterisk (*). The following are examples: c5*, m5a.*,
+                            r*, *3*. For example, if you specify c5*, you are excluding
+                            the entire C5 instance family, which includes all C5a
+                            and C5n instance types. If you specify m5a.*, you are
+                            excluding all the M5a instance types, but not the M5n
+                            instance types. Maximum of 400 entries in the list; each
+                            entry is limited to 30 characters. Default is no excluded
+                            instance types.'
+                          items:
+                            type: string
+                          type: array
+                        instanceGenerations:
+                          description: List of instance generation names. Default
+                            is any generation.
+                          items:
+                            type: string
+                          type: array
+                        localStorage:
+                          description: Indicate whether instance types with local
+                            storage volumes are included, excluded, or required. Default
+                            is included.
+                          type: string
+                        localStorageTypes:
+                          description: List of local storage type names. Default any
+                            storage type.
+                          items:
+                            type: string
+                          type: array
+                        memoryGibPerVcpu:
+                          description: Block describing the minimum and maximum amount
+                            of memory (GiB) per vCPU. Default is no minimum or maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                        memoryMib:
+                          description: Block describing the minimum and maximum amount
+                            of memory (MiB). Default is no maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                        networkInterfaceCount:
+                          description: Block describing the minimum and maximum number
+                            of network interfaces. Default is no minimum or maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                        onDemandMaxPricePercentageOverLowestPrice:
+                          description: The price protection threshold for On-Demand
+                            Instances. This is the maximum you’ll pay for an On-Demand
+                            Instance, expressed as a percentage higher than the cheapest
+                            M, C, or R instance type with your specified attributes.
+                            When Amazon EC2 Auto Scaling selects instance types with
+                            your attributes, we will exclude instance types whose
+                            price is higher than your threshold. The parameter accepts
+                            an integer, which Amazon EC2 Auto Scaling interprets as
+                            a percentage. To turn off price protection, specify a
+                            high value, such as 999999. Default is 20.
+                          type: number
+                        requireHibernateSupport:
+                          description: Indicate whether instance types must support
+                            On-Demand Instance Hibernation, either true or false.
+                            Default is false.
+                          type: boolean
+                        spotMaxPricePercentageOverLowestPrice:
+                          description: The price protection threshold for Spot Instances.
+                            This is the maximum you’ll pay for a Spot Instance, expressed
+                            as a percentage higher than the cheapest M, C, or R instance
+                            type with your specified attributes. When Amazon EC2 Auto
+                            Scaling selects instance types with your attributes, we
+                            will exclude instance types whose price is higher than
+                            your threshold. The parameter accepts an integer, which
+                            Amazon EC2 Auto Scaling interprets as a percentage. To
+                            turn off price protection, specify a high value, such
+                            as 999999. Default is 100.
+                          type: number
+                        totalLocalStorageGb:
+                          description: Block describing the minimum and maximum total
+                            local storage (GB). Default is no minimum or maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                        vcpuCount:
+                          description: Block describing the minimum and maximum number
+                            of vCPUs. Default is no maximum.
+                          items:
+                            properties:
+                              max:
+                                description: Maximum.
+                                type: number
+                              min:
+                                description: Minimum.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  instanceType:
+                    description: The type of the instance. If present then instance_requirements
+                      cannot be present.
+                    type: string
+                  kernelId:
+                    description: The kernel ID.
+                    type: string
+                  keyName:
+                    description: The key name to use for the instance.
+                    type: string
+                  latestVersion:
+                    description: The latest version of the launch template.
+                    type: number
+                  licenseSpecification:
+                    description: A list of license specifications to associate with.
+                      See License Specification below for more details.
+                    items:
+                      properties:
+                        licenseConfigurationArn:
+                          description: ARN of the license configuration.
+                          type: string
+                      type: object
+                    type: array
+                  maintenanceOptions:
+                    description: The maintenance options for the instance. See Maintenance
+                      Options below for more details.
+                    items:
+                      properties:
+                        autoRecovery:
+                          description: Disables the automatic recovery behavior of
+                            your instance or sets it to default. Can be "default"
+                            or "disabled". See Recover your instance for more details.
+                          type: string
+                      type: object
+                    type: array
+                  metadataOptions:
+                    description: Customize the metadata options for the instance.
+                      See Metadata Options below for more details.
+                    items:
+                      properties:
+                        httpEndpoint:
+                          description: 'Whether the metadata service is available.
+                            Can be "enabled" or "disabled". (Default: "enabled").'
+                          type: string
+                        httpProtocolIpv6:
+                          description: 'Enables or disables the IPv6 endpoint for
+                            the instance metadata service. (Default: disabled).'
+                          type: string
+                        httpPutResponseHopLimit:
+                          description: 'The desired HTTP PUT response hop limit for
+                            instance metadata requests. The larger the number, the
+                            further instance metadata requests can travel. Can be
+                            an integer from 1 to 64. (Default: 1).'
+                          type: number
+                        httpTokens:
+                          description: 'Whether or not the metadata service requires
+                            session tokens, also referred to as Instance Metadata
+                            Service Version 2 (IMDSv2). Can be "optional" or "required".
+                            (Default: "optional").'
+                          type: string
+                        instanceMetadataTags:
+                          description: 'Enables or disables access to instance tags
+                            from the instance metadata service. (Default: disabled).'
+                          type: string
+                      type: object
+                    type: array
+                  monitoring:
+                    description: The monitoring option for the instance. See Monitoring
+                      below for more details.
+                    items:
+                      properties:
+                        enabled:
+                          description: If true, the launched EC2 instance will have
+                            detailed monitoring enabled.
+                          type: boolean
+                      type: object
+                    type: array
+                  name:
+                    description: The name of the launch template.
+                    type: string
+                  networkInterfaces:
+                    description: Customize network interfaces to be attached at instance
+                      boot time. See Network Interfaces below for more details.
+                    items:
+                      properties:
+                        associateCarrierIpAddress:
+                          description: Associate a Carrier IP address with eth0 for
+                            a new network interface. Use this option when you launch
+                            an instance in a Wavelength Zone and want to associate
+                            a Carrier IP address with the network interface. Boolean
+                            value, can be left unset.
+                          type: string
+                        associatePublicIpAddress:
+                          description: Associate a public ip address with the network
+                            interface. Boolean value, can be left unset.
+                          type: string
+                        deleteOnTermination:
+                          description: Whether the network interface should be destroyed
+                            on instance termination.
+                          type: string
+                        description:
+                          description: Description of the network interface.
+                          type: string
+                        deviceIndex:
+                          description: The integer index of the network interface
+                            attachment.
+                          type: number
+                        interfaceType:
+                          description: The type of network interface. To create an
+                            Elastic Fabric Adapter (EFA), specify efa.
+                          type: string
+                        ipv4AddressCount:
+                          description: The number of secondary private IPv4 addresses
+                            to assign to a network interface. Conflicts with ipv4_addresses
+                          type: number
+                        ipv4Addresses:
+                          description: One or more private IPv4 addresses to associate.
+                            Conflicts with ipv4_address_count
+                          items:
+                            type: string
+                          type: array
+                        ipv4PrefixCount:
+                          description: The number of IPv4 prefixes to be automatically
+                            assigned to the network interface. Conflicts with ipv4_prefixes
+                          type: number
+                        ipv4Prefixes:
+                          description: One or more IPv4 prefixes to be assigned to
+                            the network interface. Conflicts with ipv4_prefix_count
+                          items:
+                            type: string
+                          type: array
+                        ipv6AddressCount:
+                          description: The number of IPv6 addresses to assign to a
+                            network interface. Conflicts with ipv6_addresses
+                          type: number
+                        ipv6Addresses:
+                          description: One or more specific IPv6 addresses from the
+                            IPv6 CIDR block range of your subnet. Conflicts with ipv6_address_count
+                          items:
+                            type: string
+                          type: array
+                        ipv6PrefixCount:
+                          description: The number of IPv6 prefixes to be automatically
+                            assigned to the network interface. Conflicts with ipv6_prefixes
+                          type: number
+                        ipv6Prefixes:
+                          description: One or more IPv6 prefixes to be assigned to
+                            the network interface. Conflicts with ipv6_prefix_count
+                          items:
+                            type: string
+                          type: array
+                        networkCardIndex:
+                          description: The index of the network card. Some instance
+                            types support multiple network cards. The primary network
+                            interface must be assigned to network card index 0. The
+                            default is network card index 0.
+                          type: number
+                        networkInterfaceId:
+                          description: The ID of the network interface to attach.
+                          type: string
+                        privateIpAddress:
+                          description: The primary private IPv4 address.
+                          type: string
+                        securityGroups:
+                          description: A list of security group IDs to associate.
+                          items:
+                            type: string
+                          type: array
+                        subnetId:
+                          description: The VPC Subnet ID to associate.
+                          type: string
+                      type: object
+                    type: array
+                  placement:
+                    description: The placement of the instance. See Placement below
+                      for more details.
+                    items:
+                      properties:
+                        affinity:
+                          description: The affinity setting for an instance on a Dedicated
+                            Host.
+                          type: string
+                        availabilityZone:
+                          description: The Availability Zone for the instance.
+                          type: string
+                        groupName:
+                          description: The name of the placement group for the instance.
+                          type: string
+                        hostId:
+                          description: The ID of the Dedicated Host for the instance.
+                          type: string
+                        hostResourceGroupArn:
+                          description: The ARN of the Host Resource Group in which
+                            to launch instances.
+                          type: string
+                        partitionNumber:
+                          description: The number of the partition the instance should
+                            launch in. Valid only if the placement group strategy
+                            is set to partition.
+                          type: number
+                        spreadDomain:
+                          description: Reserved for future use.
+                          type: string
+                        tenancy:
+                          description: The tenancy of the instance (if the instance
+                            is running in a VPC). Can be default, dedicated, or host.
+                          type: string
+                      type: object
+                    type: array
+                  privateDnsNameOptions:
+                    description: The options for the instance hostname. The default
+                      values are inherited from the subnet. See Private DNS Name Options
+                      below for more details.
+                    items:
+                      properties:
+                        enableResourceNameDnsARecord:
+                          description: Indicates whether to respond to DNS queries
+                            for instance hostnames with DNS A records.
+                          type: boolean
+                        enableResourceNameDnsAaaaRecord:
+                          description: Indicates whether to respond to DNS queries
+                            for instance hostnames with DNS AAAA records.
+                          type: boolean
+                        hostnameType:
+                          description: 'The type of hostname for Amazon EC2 instances.
+                            For IPv4 only subnets, an instance DNS name must be based
+                            on the instance IPv4 address. For IPv6 native subnets,
+                            an instance DNS name must be based on the instance ID.
+                            For dual-stack subnets, you can specify whether DNS names
+                            use the instance IPv4 address or the instance ID. Valid
+                            values: ip-name and resource-name.'
+                          type: string
+                      type: object
+                    type: array
+                  ramDiskId:
+                    description: The ID of the RAM disk.
+                    type: string
+                  securityGroupNames:
+                    description: A list of security group names to associate with.
+                      If you are creating Instances in a VPC, use vpc_security_group_ids
+                      instead.
+                    items:
+                      type: string
+                    type: array
+                  tagSpecifications:
+                    description: The tags to apply to the resources during launch.
+                      See Tag Specifications below for more details.
+                    items:
+                      properties:
+                        resourceType:
+                          description: The type of resource to tag.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: A map of tags to assign to the resource.
+                          type: object
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: A map of tags assigned to the resource, including
+                      those inherited from the provider default_tags configuration
+                      block.
+                    type: object
+                  updateDefaultVersion:
+                    description: Whether to update Default Version each update. Conflicts
+                      with default_version.
+                    type: boolean
+                  userData:
+                    description: The base64-encoded user data to provide when launching
+                      the instance.
+                    type: string
+                  vpcSecurityGroupIds:
+                    description: A list of security group IDs to associate with. Conflicts
+                      with network_interfaces.security_groups
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_mainroutetableassociations.yaml b/package/crds/ec2.aws.upbound.io_mainroutetableassociations.yaml
index 8a982eeb3a..2483f61d6a 100644
--- a/package/crds/ec2.aws.upbound.io_mainroutetableassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_mainroutetableassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -226,6 +230,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -409,6 +428,14 @@ spec:
                   originalRouteTableId:
                     description: Used internally, see Notes below
                     type: string
+                  routeTableId:
+                    description: The ID of the Route Table to set as the new main
+                      route table for the target VPC
+                    type: string
+                  vpcId:
+                    description: The ID of the VPC whose main route table should be
+                      set
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_managedprefixlistentries.yaml b/package/crds/ec2.aws.upbound.io_managedprefixlistentries.yaml
index 2f52db3ddb..0a02d37da7 100644
--- a/package/crds/ec2.aws.upbound.io_managedprefixlistentries.yaml
+++ b/package/crds/ec2.aws.upbound.io_managedprefixlistentries.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -230,6 +234,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -407,9 +426,20 @@ spec:
             properties:
               atProvider:
                 properties:
+                  cidr:
+                    description: CIDR block of this entry.
+                    type: string
+                  description:
+                    description: Description of this entry. Due to API limitations,
+                      updating only the description of an entry requires recreating
+                      the entry.
+                    type: string
                   id:
                     description: ID of the managed prefix list entry.
                     type: string
+                  prefixListId:
+                    description: CIDR block of this entry.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_managedprefixlists.yaml b/package/crds/ec2.aws.upbound.io_managedprefixlists.yaml
index 2c291ce4f1..e06c482c07 100644
--- a/package/crds/ec2.aws.upbound.io_managedprefixlists.yaml
+++ b/package/crds/ec2.aws.upbound.io_managedprefixlists.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -179,11 +183,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - addressFamily
-                - maxEntries
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -355,20 +371,59 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
+            - message: maxEntries is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.maxEntries)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ManagedPrefixListStatus defines the observed state of ManagedPrefixList.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: Address family (IPv4 or IPv6) of this prefix list.
+                    type: string
                   arn:
                     description: ARN of the prefix list.
                     type: string
+                  entry:
+                    description: Configuration block for prefix list entry. Detailed
+                      below. Different entries may have overlapping CIDR blocks, but
+                      a particular CIDR should not be duplicated.
+                    items:
+                      properties:
+                        cidr:
+                          description: CIDR block of this entry.
+                          type: string
+                        description:
+                          description: Description of this entry. Due to API limitations,
+                            updating only the description of an existing entry requires
+                            temporarily removing and re-adding the entry.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: ID of the prefix list.
                     type: string
+                  maxEntries:
+                    description: Maximum number of entries that this prefix list can
+                      contain.
+                    type: number
+                  name:
+                    description: Name of this resource. The name must not start with
+                      com.amazonaws.
+                    type: string
                   ownerId:
                     description: ID of the AWS account that owns this prefix list.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_natgateways.yaml b/package/crds/ec2.aws.upbound.io_natgateways.yaml
index 052b4a5bf7..cff40cdb47 100644
--- a/package/crds/ec2.aws.upbound.io_natgateways.yaml
+++ b/package/crds/ec2.aws.upbound.io_natgateways.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -239,6 +243,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -415,6 +434,14 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allocationId:
+                    description: The Allocation ID of the Elastic IP address for the
+                      gateway. Required for connectivity_type of public.
+                    type: string
+                  connectivityType:
+                    description: Connectivity type for the gateway. Valid values are
+                      private and public. Defaults to public.
+                    type: string
                   id:
                     description: The ID of the NAT Gateway.
                     type: string
@@ -422,9 +449,23 @@ spec:
                     description: The ID of the network interface associated with the
                       NAT gateway.
                     type: string
+                  privateIp:
+                    description: The private IPv4 address to assign to the NAT gateway.
+                      If you don't provide an address, a private IPv4 address will
+                      be automatically assigned.
+                    type: string
                   publicIp:
                     description: The Elastic IP address associated with the NAT gateway.
                     type: string
+                  subnetId:
+                    description: The Subnet ID of the subnet in which to place the
+                      gateway.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_networkaclrules.yaml b/package/crds/ec2.aws.upbound.io_networkaclrules.yaml
index fabb2288ab..d3d4a89e90 100644
--- a/package/crds/ec2.aws.upbound.io_networkaclrules.yaml
+++ b/package/crds/ec2.aws.upbound.io_networkaclrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,11 +185,23 @@ spec:
                     description: The to port to match.
                     type: number
                 required:
-                - protocol
                 - region
-                - ruleAction
-                - ruleNumber
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -357,14 +373,60 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: protocol is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)
+            - message: ruleAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleAction)
+            - message: ruleNumber is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleNumber)
           status:
             description: NetworkACLRuleStatus defines the observed state of NetworkACLRule.
             properties:
               atProvider:
                 properties:
+                  cidrBlock:
+                    description: The network range to allow or deny, in CIDR notation
+                      (for example 172.16.0.0/24 ).
+                    type: string
+                  egress:
+                    description: Indicates whether this is an egress rule (rule is
+                      applied to traffic leaving the subnet). Default false.
+                    type: boolean
+                  fromPort:
+                    description: The from port to match.
+                    type: number
+                  icmpCode:
+                    description: 'ICMP protocol: The ICMP code. Required if specifying
+                      ICMP for the protocolE.g., -1'
+                    type: number
+                  icmpType:
+                    description: 'ICMP protocol: The ICMP type. Required if specifying
+                      ICMP for the protocolE.g., -1'
+                    type: number
                   id:
                     description: The ID of the network ACL Rule
                     type: string
+                  ipv6CidrBlock:
+                    description: The IPv6 CIDR block to allow or deny.
+                    type: string
+                  networkAclId:
+                    description: The ID of the network ACL.
+                    type: string
+                  protocol:
+                    description: The protocol. A value of -1 means all protocols.
+                    type: string
+                  ruleAction:
+                    description: 'Indicates whether to allow or deny the traffic that
+                      matches the rule. Accepted values: allow | deny'
+                    type: string
+                  ruleNumber:
+                    description: The rule number for the entry (for example, 100).
+                      ACL entries are processed in ascending order by rule number.
+                    type: number
+                  toPort:
+                    description: The to port to match.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_networkacls.yaml b/package/crds/ec2.aws.upbound.io_networkacls.yaml
index 75f8522219..fe750f2c4b 100644
--- a/package/crds/ec2.aws.upbound.io_networkacls.yaml
+++ b/package/crds/ec2.aws.upbound.io_networkacls.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -234,6 +238,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -491,6 +510,16 @@ spec:
                   ownerId:
                     description: The ID of the AWS account that owns the network ACL.
                     type: string
+                  subnetIds:
+                    description: A list of Subnet IDs to apply the ACL to
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -498,6 +527,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The ID of the associated VPC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_networkinsightsanalyses.yaml b/package/crds/ec2.aws.upbound.io_networkinsightsanalyses.yaml
index 3191690cc2..a8669320c9 100644
--- a/package/crds/ec2.aws.upbound.io_networkinsightsanalyses.yaml
+++ b/package/crds/ec2.aws.upbound.io_networkinsightsanalyses.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -166,6 +170,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -890,6 +909,11 @@ spec:
                           type: array
                       type: object
                     type: array
+                  filterInArns:
+                    description: A list of ARNs for resources the path must traverse.
+                    items:
+                      type: string
+                    type: array
                   forwardPathComponents:
                     description: The components in the path from source to destination.
                       See the AWS documentation for details.
@@ -1184,6 +1208,10 @@ spec:
                   id:
                     description: ID of the Network Insights Analysis.
                     type: string
+                  networkInsightsPathId:
+                    description: ID of the Network Insights Path to run an analysis
+                      on.
+                    type: string
                   pathFound:
                     description: Set to true if the destination was reachable.
                     type: boolean
@@ -1489,12 +1517,22 @@ spec:
                     description: A message to provide more context when the status
                       is failed.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  waitForCompletion:
+                    description: 'If enabled, the resource will wait for the Network
+                      Insights Analysis status to change to succeeded or failed. Setting
+                      this to false will skip the process. Default: true.'
+                    type: boolean
                   warningMessage:
                     description: The warning message.
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_networkinsightspaths.yaml b/package/crds/ec2.aws.upbound.io_networkinsightspaths.yaml
index 0096135581..f4f65ac027 100644
--- a/package/crds/ec2.aws.upbound.io_networkinsightspaths.yaml
+++ b/package/crds/ec2.aws.upbound.io_networkinsightspaths.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -247,9 +251,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - protocol
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -421,6 +439,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: protocol is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)
           status:
             description: NetworkInsightsPathStatus defines the observed state of NetworkInsightsPath.
             properties:
@@ -429,9 +450,37 @@ spec:
                   arn:
                     description: ARN of the Network Insights Path.
                     type: string
+                  destination:
+                    description: ID of the resource which is the source of the path.
+                      Can be an Instance, Internet Gateway, Network Interface, Transit
+                      Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
+                    type: string
+                  destinationIp:
+                    description: IP address of the destination resource.
+                    type: string
+                  destinationPort:
+                    description: Destination port to analyze access to.
+                    type: number
                   id:
                     description: ID of the Network Insights Path.
                     type: string
+                  protocol:
+                    description: Protocol to use for analysis. Valid options are tcp
+                      or udp.
+                    type: string
+                  source:
+                    description: ID of the resource which is the source of the path.
+                      Can be an Instance, Internet Gateway, Network Interface, Transit
+                      Gateway, VPC Endpoint, VPC Peering Connection or VPN Gateway.
+                    type: string
+                  sourceIp:
+                    description: IP address of the source resource.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_networkinterfaceattachments.yaml b/package/crds/ec2.aws.upbound.io_networkinterfaceattachments.yaml
index b721fd0774..2da26ae82e 100644
--- a/package/crds/ec2.aws.upbound.io_networkinterfaceattachments.yaml
+++ b/package/crds/ec2.aws.upbound.io_networkinterfaceattachments.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -227,9 +231,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - deviceIndex
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -401,6 +419,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: deviceIndex is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deviceIndex)
           status:
             description: NetworkInterfaceAttachmentStatus defines the observed state
               of NetworkInterfaceAttachment.
@@ -410,8 +431,17 @@ spec:
                   attachmentId:
                     description: The ENI Attachment ID.
                     type: string
+                  deviceIndex:
+                    description: Network interface index (int).
+                    type: number
                   id:
                     type: string
+                  instanceId:
+                    description: Instance ID to attach.
+                    type: string
+                  networkInterfaceId:
+                    description: ENI ID to attach.
+                    type: string
                   status:
                     description: The status of the Network Interface Attachment.
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_networkinterfaces.yaml b/package/crds/ec2.aws.upbound.io_networkinterfaces.yaml
index 4162aed737..2537022f6d 100644
--- a/package/crds/ec2.aws.upbound.io_networkinterfaces.yaml
+++ b/package/crds/ec2.aws.upbound.io_networkinterfaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -315,6 +319,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -510,9 +529,62 @@ spec:
                           type: string
                       type: object
                     type: array
+                  description:
+                    description: Description for the network interface.
+                    type: string
                   id:
                     description: ID of the network interface.
                     type: string
+                  interfaceType:
+                    description: Type of network interface to create. Set to efa for
+                      Elastic Fabric Adapter. Changing interface_type will cause the
+                      resource to be destroyed and re-created.
+                    type: string
+                  ipv4PrefixCount:
+                    description: Number of IPv4 prefixes that AWS automatically assigns
+                      to the network interface.
+                    type: number
+                  ipv4Prefixes:
+                    description: One or more IPv4 prefixes assigned to the network
+                      interface.
+                    items:
+                      type: string
+                    type: array
+                  ipv6AddressCount:
+                    description: Number of IPv6 addresses to assign to a network interface.
+                      You can't use this option if specifying specific ipv6_addresses.
+                      If your subnet has the AssignIpv6AddressOnCreation attribute
+                      set to true, you can specify 0 to override this setting.
+                    type: number
+                  ipv6AddressList:
+                    description: List of private IPs to assign to the ENI in sequential
+                      order.
+                    items:
+                      type: string
+                    type: array
+                  ipv6AddressListEnabled:
+                    description: Whether ipv6_address_list is allowed and controls
+                      the IPs to assign to the ENI and ipv6_addresses and ipv6_address_count
+                      become read-only. Default false.
+                    type: boolean
+                  ipv6Addresses:
+                    description: One or more specific IPv6 addresses from the IPv6
+                      CIDR block range of your subnet. Addresses are assigned without
+                      regard to order. You can't use this option if you're specifying
+                      ipv6_address_count.
+                    items:
+                      type: string
+                    type: array
+                  ipv6PrefixCount:
+                    description: Number of IPv6 prefixes that AWS automatically assigns
+                      to the network interface.
+                    type: number
+                  ipv6Prefixes:
+                    description: One or more IPv6 prefixes assigned to the network
+                      interface.
+                    items:
+                      type: string
+                    type: array
                   macAddress:
                     description: MAC address of the network interface.
                     type: string
@@ -525,6 +597,47 @@ spec:
                   privateDnsName:
                     description: Private DNS name of the network interface (IPv4).
                     type: string
+                  privateIp:
+                    type: string
+                  privateIpList:
+                    description: List of private IPs to assign to the ENI in sequential
+                      order. Requires setting private_ip_list_enabled to true.
+                    items:
+                      type: string
+                    type: array
+                  privateIpListEnabled:
+                    description: Whether private_ip_list is allowed and controls the
+                      IPs to assign to the ENI and private_ips and private_ips_count
+                      become read-only. Default false.
+                    type: boolean
+                  privateIps:
+                    description: List of private IPs to assign to the ENI without
+                      regard to order.
+                    items:
+                      type: string
+                    type: array
+                  privateIpsCount:
+                    description: Number of secondary private IPs to assign to the
+                      ENI. The total number of private IPs will be 1 + private_ips_count,
+                      as a primary private IP will be assiged to an ENI by default.
+                    type: number
+                  securityGroups:
+                    description: List of security group IDs to assign to the ENI.
+                    items:
+                      type: string
+                    type: array
+                  sourceDestCheck:
+                    description: Whether to enable source destination checking for
+                      the ENI. Default true.
+                    type: boolean
+                  subnetId:
+                    description: Subnet ID to create the ENI in.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_networkinterfacesgattachments.yaml b/package/crds/ec2.aws.upbound.io_networkinterfacesgattachments.yaml
index 7e86a2fb0c..5f0904b778 100644
--- a/package/crds/ec2.aws.upbound.io_networkinterfacesgattachments.yaml
+++ b/package/crds/ec2.aws.upbound.io_networkinterfacesgattachments.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -224,6 +228,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -403,6 +422,12 @@ spec:
                 properties:
                   id:
                     type: string
+                  networkInterfaceId:
+                    description: The ID of the network interface to attach to.
+                    type: string
+                  securityGroupId:
+                    description: The ID of the security group.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_placementgroups.yaml b/package/crds/ec2.aws.upbound.io_placementgroups.yaml
index 51e0cf35bf..5dc7131629 100644
--- a/package/crds/ec2.aws.upbound.io_placementgroups.yaml
+++ b/package/crds/ec2.aws.upbound.io_placementgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -90,8 +94,22 @@ spec:
                     type: object
                 required:
                 - region
-                - strategy
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -263,6 +281,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: strategy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.strategy)
           status:
             description: PlacementGroupStatus defines the observed state of PlacementGroup.
             properties:
@@ -274,9 +295,29 @@ spec:
                   id:
                     description: The name of the placement group.
                     type: string
+                  partitionCount:
+                    description: The number of partitions to create in the placement
+                      group.  Can only be specified when the strategy is set to "partition".  Valid
+                      values are 1 - 7 (default is 2).
+                    type: number
                   placementGroupId:
                     description: The ID of the placement group.
                     type: string
+                  spreadLevel:
+                    description: Determines how placement groups spread instances.
+                      Can only be used when the strategy is set to "spread". Can be
+                      "host" or "rack". "host" can only be used for Outpost placement
+                      groups.
+                    type: string
+                  strategy:
+                    description: The placement strategy. Can be "cluster", "partition"
+                      or "spread".
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_routes.yaml b/package/crds/ec2.aws.upbound.io_routes.yaml
index 3f005f0cc7..46d9cfaa62 100644
--- a/package/crds/ec2.aws.upbound.io_routes.yaml
+++ b/package/crds/ec2.aws.upbound.io_routes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -853,6 +857,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1029,20 +1048,68 @@ spec:
             properties:
               atProvider:
                 properties:
+                  carrierGatewayId:
+                    description: Identifier of a carrier gateway. This attribute can
+                      only be used when the VPC contains a subnet which is associated
+                      with a Wavelength Zone.
+                    type: string
+                  coreNetworkArn:
+                    description: The Amazon Resource Name (ARN) of a core network.
+                    type: string
+                  destinationCidrBlock:
+                    description: The destination CIDR block.
+                    type: string
+                  destinationIpv6CidrBlock:
+                    description: The destination IPv6 CIDR block.
+                    type: string
+                  destinationPrefixListId:
+                    description: The ID of a managed prefix list destination.
+                    type: string
+                  egressOnlyGatewayId:
+                    description: Identifier of a VPC Egress Only Internet Gateway.
+                    type: string
+                  gatewayId:
+                    description: Identifier of a VPC internet gateway or a virtual
+                      private gateway.
+                    type: string
                   id:
                     description: Route identifier computed from the routing table
                       identifier and route destination.
                     type: string
+                  instanceId:
+                    description: Identifier of an EC2 instance.
+                    type: string
                   instanceOwnerId:
                     description: The AWS account ID of the owner of the EC2 instance.
                     type: string
+                  localGatewayId:
+                    description: Identifier of a Outpost local gateway.
+                    type: string
+                  natGatewayId:
+                    description: Identifier of a VPC NAT gateway.
+                    type: string
+                  networkInterfaceId:
+                    description: Identifier of an EC2 network interface.
+                    type: string
                   origin:
                     description: How the route was created - CreateRouteTable, CreateRoute
                       or EnableVgwRoutePropagation.
                     type: string
+                  routeTableId:
+                    description: The ID of the routing table.
+                    type: string
                   state:
                     description: The state of the route - active or blackhole.
                     type: string
+                  transitGatewayId:
+                    description: Identifier of an EC2 Transit Gateway.
+                    type: string
+                  vpcEndpointId:
+                    description: Identifier of a VPC Endpoint.
+                    type: string
+                  vpcPeeringConnectionId:
+                    description: Identifier of a VPC peering connection.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_routetableassociations.yaml b/package/crds/ec2.aws.upbound.io_routetableassociations.yaml
index 54235eb7b7..877db94d36 100644
--- a/package/crds/ec2.aws.upbound.io_routetableassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_routetableassociations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -305,6 +309,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -482,9 +501,20 @@ spec:
             properties:
               atProvider:
                 properties:
+                  gatewayId:
+                    description: The gateway ID to create an association. Conflicts
+                      with subnet_id.
+                    type: string
                   id:
                     description: The ID of the association
                     type: string
+                  routeTableId:
+                    description: The ID of the routing table to associate with.
+                    type: string
+                  subnetId:
+                    description: The subnet ID to create an association. Conflicts
+                      with gateway_id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_routetables.yaml b/package/crds/ec2.aws.upbound.io_routetables.yaml
index fa3842f9b8..9398fc5220 100644
--- a/package/crds/ec2.aws.upbound.io_routetables.yaml
+++ b/package/crds/ec2.aws.upbound.io_routetables.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,6 +156,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -398,6 +417,11 @@ spec:
                           type: string
                       type: object
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -405,6 +429,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The VPC ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_securitygrouprules.yaml b/package/crds/ec2.aws.upbound.io_securitygrouprules.yaml
index 79fe00757d..57c32f9222 100644
--- a/package/crds/ec2.aws.upbound.io_securitygrouprules.yaml
+++ b/package/crds/ec2.aws.upbound.io_securitygrouprules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -341,12 +345,23 @@ spec:
                       (inbound) or egress (outbound).
                     type: string
                 required:
-                - fromPort
-                - protocol
                 - region
-                - toPort
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -518,19 +533,76 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: fromPort is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fromPort)
+            - message: protocol is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)
+            - message: toPort is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.toPort)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: SecurityGroupRuleStatus defines the observed state of SecurityGroupRule.
             properties:
               atProvider:
                 properties:
+                  cidrBlocks:
+                    description: List of CIDR blocks. Cannot be specified with source_security_group_id
+                      or self.
+                    items:
+                      type: string
+                    type: array
+                  description:
+                    description: Description of the rule.
+                    type: string
+                  fromPort:
+                    description: Start port (or ICMP type number if protocol is "icmp"
+                      or "icmpv6").
+                    type: number
                   id:
                     description: ID of the security group rule.
                     type: string
+                  ipv6CidrBlocks:
+                    description: List of IPv6 CIDR blocks. Cannot be specified with
+                      source_security_group_id or self.
+                    items:
+                      type: string
+                    type: array
+                  prefixListIds:
+                    description: List of Prefix List IDs.
+                    items:
+                      type: string
+                    type: array
+                  protocol:
+                    description: Protocol. If not icmp, icmpv6, tcp, udp, or all use
+                      the protocol number
+                    type: string
+                  securityGroupId:
+                    description: Security group to apply this rule to.
+                    type: string
                   securityGroupRuleId:
                     description: If the aws_security_group_rule resource has a single
                       source or destination then this is the AWS Security Group Rule
                       resource ID. Otherwise it is empty.
                     type: string
+                  self:
+                    description: Whether the security group itself will be added as
+                      a source to this ingress rule. Cannot be specified with cidr_blocks,
+                      ipv6_cidr_blocks, or source_security_group_id.
+                    type: boolean
+                  sourceSecurityGroupId:
+                    description: Security group id to allow access to/from, depending
+                      on the type. Cannot be specified with cidr_blocks, ipv6_cidr_blocks,
+                      or self.
+                    type: string
+                  toPort:
+                    description: End port (or ICMP code if protocol is "icmp").
+                    type: number
+                  type:
+                    description: Type of rule being created. Valid options are ingress
+                      (inbound) or egress (outbound).
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_securitygroups.yaml b/package/crds/ec2.aws.upbound.io_securitygroups.yaml
index 4fe2cb50bb..4cd41c2d04 100644
--- a/package/crds/ec2.aws.upbound.io_securitygroups.yaml
+++ b/package/crds/ec2.aws.upbound.io_securitygroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -169,6 +173,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -348,6 +367,12 @@ spec:
                   arn:
                     description: ARN of the security group.
                     type: string
+                  description:
+                    description: 'Security group description. Cannot be "". NOTE:
+                      This field maps to the AWS GroupDescription attribute, for which
+                      there is no Update API. If you''d like to classify your security
+                      groups in a way that can be updated, use tags.'
+                    type: string
                   egress:
                     description: Configuration block for egress rules. Can be specified
                       multiple times for each egress rule. Each egress block supports
@@ -463,9 +488,25 @@ spec:
                           type: number
                       type: object
                     type: array
+                  name:
+                    description: Name of the security group.
+                    type: string
                   ownerId:
                     description: Owner ID.
                     type: string
+                  revokeRulesOnDelete:
+                    description: This is normally not needed, however certain AWS
+                      services such as Elastic Map Reduce may automatically add required
+                      rules to security groups used with the service, and those rules
+                      may contain a cyclic dependency that prevent the security groups
+                      from being destroyed without removing the dependency first.
+                      Default false.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -473,6 +514,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: VPC ID. Defaults to the region's default VPC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_serialconsoleaccesses.yaml b/package/crds/ec2.aws.upbound.io_serialconsoleaccesses.yaml
index 9c35983b44..0b7f6ce142 100644
--- a/package/crds/ec2.aws.upbound.io_serialconsoleaccesses.yaml
+++ b/package/crds/ec2.aws.upbound.io_serialconsoleaccesses.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,6 +80,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,6 +271,10 @@ spec:
             properties:
               atProvider:
                 properties:
+                  enabled:
+                    description: Whether or not serial console access is enabled.
+                      Valid values are true or false. Defaults to true.
+                    type: boolean
                   id:
                     type: string
                 type: object
diff --git a/package/crds/ec2.aws.upbound.io_snapshotcreatevolumepermissions.yaml b/package/crds/ec2.aws.upbound.io_snapshotcreatevolumepermissions.yaml
index d1e9e45f18..951b0cf488 100644
--- a/package/crds/ec2.aws.upbound.io_snapshotcreatevolumepermissions.yaml
+++ b/package/crds/ec2.aws.upbound.io_snapshotcreatevolumepermissions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - accountId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,15 +342,25 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)
           status:
             description: SnapshotCreateVolumePermissionStatus defines the observed
               state of SnapshotCreateVolumePermission.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: An AWS Account ID to add create volume permissions.
+                      The AWS Account cannot be the snapshot's owner
+                    type: string
                   id:
                     description: A combination of "snapshot_id-account_id".
                     type: string
+                  snapshotId:
+                    description: A snapshot ID
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_spotdatafeedsubscriptions.yaml b/package/crds/ec2.aws.upbound.io_spotdatafeedsubscriptions.yaml
index e93b968859..ecd1921308 100644
--- a/package/crds/ec2.aws.upbound.io_spotdatafeedsubscriptions.yaml
+++ b/package/crds/ec2.aws.upbound.io_spotdatafeedsubscriptions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,9 +82,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - bucket
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,14 +270,25 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: bucket is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bucket)
           status:
             description: SpotDatafeedSubscriptionStatus defines the observed state
               of SpotDatafeedSubscription.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: The Amazon S3 bucket in which to store the Spot instance
+                      data feed.
+                    type: string
                   id:
                     type: string
+                  prefix:
+                    description: Path of folder inside bucket to place spot pricing
+                      data.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_spotfleetrequests.yaml b/package/crds/ec2.aws.upbound.io_spotfleetrequests.yaml
index 44f41660b4..eaae810468 100644
--- a/package/crds/ec2.aws.upbound.io_spotfleetrequests.yaml
+++ b/package/crds/ec2.aws.upbound.io_spotfleetrequests.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -848,10 +852,23 @@ spec:
                   waitForFulfillment:
                     type: boolean
                 required:
-                - iamFleetRole
                 - region
-                - targetCapacity
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1023,26 +1040,562 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: iamFleetRole is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.iamFleetRole)
+            - message: targetCapacity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetCapacity)
           status:
             description: SpotFleetRequestStatus defines the observed state of SpotFleetRequest.
             properties:
               atProvider:
                 properties:
+                  allocationStrategy:
+                    description: 'Indicates how to allocate the target capacity across
+                      the Spot pools specified by the Spot fleet request. Valid values:
+                      lowestPrice, diversified, capacityOptimized, capacityOptimizedPrioritized,
+                      and priceCapacityOptimized. The default is lowestPrice.'
+                    type: string
                   clientToken:
                     type: string
+                  excessCapacityTerminationPolicy:
+                    description: Indicates whether running Spot instances should be
+                      terminated if the target capacity of the Spot fleet request
+                      is decreased below the current size of the Spot fleet.
+                    type: string
+                  fleetType:
+                    description: The type of fleet request. Indicates whether the
+                      Spot Fleet only requests the target capacity or also attempts
+                      to maintain it. Default is maintain.
+                    type: string
+                  iamFleetRole:
+                    description: Grants the Spot fleet permission to terminate Spot
+                      instances on your behalf when you cancel its Spot fleet request
+                      using CancelSpotFleetRequests or when the Spot fleet request
+                      expires, if you set terminateInstancesWithExpiration.
+                    type: string
                   id:
                     description: The ID of the launch template. Conflicts with name.
                     type: string
-                  spotRequestState:
-                    description: The state of the Spot fleet request.
+                  instanceInterruptionBehaviour:
+                    description: Indicates whether a Spot instance stops or terminates
+                      when it is interrupted. Default is terminate.
                     type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: A map of tags assigned to the resource, including
-                      those inherited from the provider default_tags configuration
-                      block.
-                    type: object
+                  instancePoolsToUseCount:
+                    description: The number of Spot pools across which to allocate
+                      your target Spot capacity. Valid only when allocation_strategy
+                      is set to lowestPrice. Spot Fleet selects the cheapest Spot
+                      pools and evenly allocates your target Spot capacity across
+                      the number of Spot pools that you specify.
+                    type: number
+                  launchSpecification:
+                    description: Used to define the launch configuration of the spot-fleet
+                      request. Can be specified multiple times to define different
+                      bids across different markets and instance types. Conflicts
+                      with launch_template_config. At least one of launch_specification
+                      or launch_template_config is required.
+                    items:
+                      properties:
+                        ami:
+                          type: string
+                        associatePublicIpAddress:
+                          type: boolean
+                        availabilityZone:
+                          description: The availability zone in which to place the
+                            request.
+                          type: string
+                        ebsBlockDevice:
+                          items:
+                            properties:
+                              deleteOnTermination:
+                                type: boolean
+                              deviceName:
+                                description: The name of the launch template. Conflicts
+                                  with id.
+                                type: string
+                              encrypted:
+                                type: boolean
+                              iops:
+                                type: number
+                              kmsKeyId:
+                                description: The ID of the launch template. Conflicts
+                                  with name.
+                                type: string
+                              snapshotId:
+                                description: The ID of the launch template. Conflicts
+                                  with name.
+                                type: string
+                              throughput:
+                                type: number
+                              volumeSize:
+                                type: number
+                              volumeType:
+                                type: string
+                            type: object
+                          type: array
+                        ebsOptimized:
+                          type: boolean
+                        ephemeralBlockDevice:
+                          items:
+                            properties:
+                              deviceName:
+                                description: The name of the launch template. Conflicts
+                                  with id.
+                                type: string
+                              virtualName:
+                                description: The name of the launch template. Conflicts
+                                  with id.
+                                type: string
+                            type: object
+                          type: array
+                        iamInstanceProfile:
+                          type: string
+                        iamInstanceProfileArn:
+                          description: takes aws_iam_instance_profile attribute arn
+                            as input.
+                          type: string
+                        instanceType:
+                          description: The type of instance to request.
+                          type: string
+                        keyName:
+                          description: The name of the launch template. Conflicts
+                            with id.
+                          type: string
+                        monitoring:
+                          type: boolean
+                        placementGroup:
+                          type: string
+                        placementTenancy:
+                          type: string
+                        rootBlockDevice:
+                          items:
+                            properties:
+                              deleteOnTermination:
+                                type: boolean
+                              encrypted:
+                                type: boolean
+                              iops:
+                                type: number
+                              kmsKeyId:
+                                description: The ID of the launch template. Conflicts
+                                  with name.
+                                type: string
+                              throughput:
+                                type: number
+                              volumeSize:
+                                type: number
+                              volumeType:
+                                type: string
+                            type: object
+                          type: array
+                        spotPrice:
+                          description: The maximum bid price per unit hour.
+                          type: string
+                        subnetId:
+                          description: The subnet in which to launch the requested
+                            instance.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map of resource tags.
+                          type: object
+                        userData:
+                          type: string
+                        vpcSecurityGroupIds:
+                          items:
+                            type: string
+                          type: array
+                        weightedCapacity:
+                          description: The capacity added to the fleet by a fulfilled
+                            request.
+                          type: string
+                      type: object
+                    type: array
+                  launchTemplateConfig:
+                    description: Launch template configuration block. See Launch Template
+                      Configs below for more details. Conflicts with launch_specification.
+                      At least one of launch_specification or launch_template_config
+                      is required.
+                    items:
+                      properties:
+                        launchTemplateSpecification:
+                          description: Launch template specification. See Launch Template
+                            Specification below for more details.
+                          items:
+                            properties:
+                              id:
+                                description: The ID of the launch template. Conflicts
+                                  with name.
+                                type: string
+                              name:
+                                description: The name of the launch template. Conflicts
+                                  with id.
+                                type: string
+                              version:
+                                description: Template version. Unlike the autoscaling
+                                  equivalent, does not support $Latest or $Default,
+                                  so use the launch_template resource's attribute,
+                                  e.g., "${aws_launch_template.foo.latest_version}".
+                                  It will use the default version if omitted.
+                                type: string
+                            type: object
+                          type: array
+                        overrides:
+                          description: One or more override configurations. See Overrides
+                            below for more details.
+                          items:
+                            properties:
+                              availabilityZone:
+                                description: The availability zone in which to place
+                                  the request.
+                                type: string
+                              instanceRequirements:
+                                description: The instance requirements. See below.
+                                items:
+                                  properties:
+                                    acceleratorCount:
+                                      description: Block describing the minimum and
+                                        maximum number of accelerators (GPUs, FPGAs,
+                                        or AWS Inferentia chips). Default is no minimum
+                                        or maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    acceleratorManufacturers:
+                                      description: List of accelerator manufacturer
+                                        names. Default is any manufacturer.
+                                      items:
+                                        type: string
+                                      type: array
+                                    acceleratorNames:
+                                      description: List of accelerator names. Default
+                                        is any acclerator.
+                                      items:
+                                        type: string
+                                      type: array
+                                    acceleratorTotalMemoryMib:
+                                      description: Block describing the minimum and
+                                        maximum total memory of the accelerators.
+                                        Default is no minimum or maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    acceleratorTypes:
+                                      description: List of accelerator types. Default
+                                        is any accelerator type.
+                                      items:
+                                        type: string
+                                      type: array
+                                    bareMetal:
+                                      description: Indicate whether bare metal instace
+                                        types should be included, excluded, or required.
+                                        Default is excluded.
+                                      type: string
+                                    baselineEbsBandwidthMbps:
+                                      description: Block describing the minimum and
+                                        maximum baseline EBS bandwidth, in Mbps. Default
+                                        is no minimum or maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    burstablePerformance:
+                                      description: Indicate whether burstable performance
+                                        instance types should be included, excluded,
+                                        or required. Default is excluded.
+                                      type: string
+                                    cpuManufacturers:
+                                      description: List of CPU manufacturer names.
+                                        Default is any manufacturer.
+                                      items:
+                                        type: string
+                                      type: array
+                                    excludedInstanceTypes:
+                                      description: 'List of instance types to exclude.
+                                        You can use strings with one or more wild
+                                        cards, represented by an asterisk (*). The
+                                        following are examples: c5*, m5a.*, r*, *3*.
+                                        For example, if you specify c5*, you are excluding
+                                        the entire C5 instance family, which includes
+                                        all C5a and C5n instance types. If you specify
+                                        m5a.*, you are excluding all the M5a instance
+                                        types, but not the M5n instance types. Maximum
+                                        of 400 entries in the list; each entry is
+                                        limited to 30 characters. Default is no excluded
+                                        instance types.'
+                                      items:
+                                        type: string
+                                      type: array
+                                    instanceGenerations:
+                                      description: List of instance generation names.
+                                        Default is any generation.
+                                      items:
+                                        type: string
+                                      type: array
+                                    localStorage:
+                                      description: Indicate whether instance types
+                                        with local storage volumes are included, excluded,
+                                        or required. Default is included.
+                                      type: string
+                                    localStorageTypes:
+                                      description: List of local storage type names.
+                                        Default any storage type.
+                                      items:
+                                        type: string
+                                      type: array
+                                    memoryGibPerVcpu:
+                                      description: Block describing the minimum and
+                                        maximum amount of memory (GiB) per vCPU. Default
+                                        is no minimum or maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    memoryMib:
+                                      description: Block describing the minimum and
+                                        maximum amount of memory (MiB). Default is
+                                        no maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    networkInterfaceCount:
+                                      description: Block describing the minimum and
+                                        maximum number of network interfaces. Default
+                                        is no minimum or maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    onDemandMaxPricePercentageOverLowestPrice:
+                                      description: The price protection threshold
+                                        for On-Demand Instances. This is the maximum
+                                        you’ll pay for an On-Demand Instance, expressed
+                                        as a percentage higher than the cheapest M,
+                                        C, or R instance type with your specified
+                                        attributes. When Amazon EC2 Auto Scaling selects
+                                        instance types with your attributes, we will
+                                        exclude instance types whose price is higher
+                                        than your threshold. The parameter accepts
+                                        an integer, which Amazon EC2 Auto Scaling
+                                        interprets as a percentage. To turn off price
+                                        protection, specify a high value, such as
+                                        999999. Default is 20.
+                                      type: number
+                                    requireHibernateSupport:
+                                      description: Indicate whether instance types
+                                        must support On-Demand Instance Hibernation,
+                                        either true or false. Default is false.
+                                      type: boolean
+                                    spotMaxPricePercentageOverLowestPrice:
+                                      description: The price protection threshold
+                                        for Spot Instances. This is the maximum you’ll
+                                        pay for a Spot Instance, expressed as a percentage
+                                        higher than the cheapest M, C, or R instance
+                                        type with your specified attributes. When
+                                        Amazon EC2 Auto Scaling selects instance types
+                                        with your attributes, we will exclude instance
+                                        types whose price is higher than your threshold.
+                                        The parameter accepts an integer, which Amazon
+                                        EC2 Auto Scaling interprets as a percentage.
+                                        To turn off price protection, specify a high
+                                        value, such as 999999. Default is 100.
+                                      type: number
+                                    totalLocalStorageGb:
+                                      description: Block describing the minimum and
+                                        maximum total local storage (GB). Default
+                                        is no minimum or maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    vcpuCount:
+                                      description: Block describing the minimum and
+                                        maximum number of vCPUs. Default is no maximum.
+                                      items:
+                                        properties:
+                                          max:
+                                            description: Maximum.
+                                            type: number
+                                          min:
+                                            description: Minimum.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              instanceType:
+                                description: The type of instance to request.
+                                type: string
+                              priority:
+                                description: The priority for the launch template
+                                  override. The lower the number, the higher the priority.
+                                  If no number is set, the launch template override
+                                  has the lowest priority.
+                                type: number
+                              spotPrice:
+                                description: The maximum bid price per unit hour.
+                                type: string
+                              subnetId:
+                                description: The subnet in which to launch the requested
+                                  instance.
+                                type: string
+                              weightedCapacity:
+                                description: The capacity added to the fleet by a
+                                  fulfilled request.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  loadBalancers:
+                    description: A list of elastic load balancer names to add to the
+                      Spot fleet.
+                    items:
+                      type: string
+                    type: array
+                  onDemandAllocationStrategy:
+                    description: 'The order of the launch template overrides to use
+                      in fulfilling On-Demand capacity. the possible values are: lowestPrice
+                      and prioritized. the default is lowestPrice.'
+                    type: string
+                  onDemandMaxTotalPrice:
+                    description: The maximum amount per hour for On-Demand Instances
+                      that you're willing to pay. When the maximum amount you're willing
+                      to pay is reached, the fleet stops launching instances even
+                      if it hasn’t met the target capacity.
+                    type: string
+                  onDemandTargetCapacity:
+                    description: The number of On-Demand units to request. If the
+                      request type is maintain, you can specify a target capacity
+                      of 0 and add capacity later.
+                    type: number
+                  replaceUnhealthyInstances:
+                    description: Indicates whether Spot fleet should replace unhealthy
+                      instances. Default false.
+                    type: boolean
+                  spotMaintenanceStrategies:
+                    description: Nested argument containing maintenance strategies
+                      for managing your Spot Instances that are at an elevated risk
+                      of being interrupted. Defined below.
+                    items:
+                      properties:
+                        capacityRebalance:
+                          description: Nested argument containing the capacity rebalance
+                            for your fleet request. Defined below.
+                          items:
+                            properties:
+                              replacementStrategy:
+                                description: 'The replacement strategy to use. Only
+                                  available for spot fleets with fleet_type set to
+                                  maintain. Valid values: launch.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  spotPrice:
+                    description: The maximum bid price per unit hour.
+                    type: string
+                  spotRequestState:
+                    description: The state of the Spot fleet request.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: A map of tags assigned to the resource, including
+                      those inherited from the provider default_tags configuration
+                      block.
+                    type: object
+                  targetCapacity:
+                    description: The number of units to request. You can choose to
+                      set the target capacity in terms of instances or a performance
+                      characteristic that is important to your application workload,
+                      such as vCPUs, memory, or I/O.
+                    type: number
+                  targetCapacityUnitType:
+                    description: The unit for the target capacity. This can only be
+                      done with instance_requirements defined
+                    type: string
+                  targetGroupArns:
+                    description: A list of aws_alb_target_group ARNs, for use with
+                      Application Load Balancing.
+                    items:
+                      type: string
+                    type: array
+                  terminateInstancesOnDelete:
+                    description: Indicates whether running Spot instances should be
+                      terminated when the resource is deleted (and the Spot fleet
+                      request cancelled). If no value is specified, the value of the
+                      terminate_instances_with_expiration argument is used.
+                    type: string
+                  terminateInstancesWithExpiration:
+                    description: Indicates whether running Spot instances should be
+                      terminated when the Spot fleet request expires.
+                    type: boolean
+                  validFrom:
+                    description: The start date and time of the request, in UTC RFC3339
+                      format(for example, YYYY-MM-DDTHH:MM:SSZ). The default is to
+                      start fulfilling the request immediately.
+                    type: string
+                  validUntil:
+                    description: The end date and time of the request, in UTC RFC3339
+                      format(for example, YYYY-MM-DDTHH:MM:SSZ). At this point, no
+                      new Spot instance requests are placed or enabled to fulfill
+                      the request.
+                    type: string
+                  waitForFulfillment:
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_spotinstancerequests.yaml b/package/crds/ec2.aws.upbound.io_spotinstancerequests.yaml
index 693aaaef15..a14c7e1477 100644
--- a/package/crds/ec2.aws.upbound.io_spotinstancerequests.yaml
+++ b/package/crds/ec2.aws.upbound.io_spotinstancerequests.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -508,6 +512,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -684,25 +703,205 @@ spec:
             properties:
               atProvider:
                 properties:
+                  ami:
+                    type: string
                   arn:
                     type: string
+                  associatePublicIpAddress:
+                    type: boolean
+                  availabilityZone:
+                    type: string
+                  blockDurationMinutes:
+                    description: The required duration for the Spot instances, in
+                      minutes. This value must be a multiple of 60 (60, 120, 180,
+                      240, 300, or 360). The duration period starts as soon as your
+                      Spot instance receives its instance ID. At the end of the duration
+                      period, Amazon EC2 marks the Spot instance for termination and
+                      provides a Spot instance termination notice, which gives the
+                      instance a two-minute warning before it terminates. Note that
+                      you can't specify an Availability Zone group or a launch group
+                      if you specify a duration.
+                    type: number
+                  capacityReservationSpecification:
+                    items:
+                      properties:
+                        capacityReservationPreference:
+                          type: string
+                        capacityReservationTarget:
+                          items:
+                            properties:
+                              capacityReservationId:
+                                description: The Spot Instance Request ID.
+                                type: string
+                              capacityReservationResourceGroupArn:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  cpuCoreCount:
+                    type: number
+                  cpuThreadsPerCore:
+                    type: number
+                  creditSpecification:
+                    items:
+                      properties:
+                        cpuCredits:
+                          type: string
+                      type: object
+                    type: array
+                  disableApiStop:
+                    type: boolean
+                  disableApiTermination:
+                    type: boolean
                   ebsBlockDevice:
                     items:
                       properties:
+                        deleteOnTermination:
+                          type: boolean
+                        deviceName:
+                          type: string
+                        encrypted:
+                          type: boolean
+                        iops:
+                          type: number
+                        kmsKeyId:
+                          description: The Spot Instance Request ID.
+                          type: string
+                        snapshotId:
+                          description: The Spot Instance Request ID.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map of resource tags.
+                          type: object
+                        throughput:
+                          type: number
                         volumeId:
                           description: The Spot Instance Request ID.
                           type: string
+                        volumeSize:
+                          type: number
+                        volumeType:
+                          type: string
+                      type: object
+                    type: array
+                  ebsOptimized:
+                    type: boolean
+                  enclaveOptions:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                      type: object
+                    type: array
+                  ephemeralBlockDevice:
+                    items:
+                      properties:
+                        deviceName:
+                          type: string
+                        noDevice:
+                          type: boolean
+                        virtualName:
+                          type: string
                       type: object
                     type: array
+                  getPasswordData:
+                    type: boolean
+                  hibernation:
+                    type: boolean
+                  hostId:
+                    description: The Spot Instance Request ID.
+                    type: string
+                  hostResourceGroupArn:
+                    type: string
+                  iamInstanceProfile:
+                    type: string
                   id:
                     description: The Spot Instance Request ID.
                     type: string
+                  instanceInitiatedShutdownBehavior:
+                    type: string
+                  instanceInterruptionBehavior:
+                    description: Indicates Spot instance behavior when it is interrupted.
+                      Valid values are terminate, stop, or hibernate. Default value
+                      is terminate.
+                    type: string
                   instanceState:
                     type: string
+                  instanceType:
+                    type: string
+                  ipv6AddressCount:
+                    type: number
+                  ipv6Addresses:
+                    items:
+                      type: string
+                    type: array
+                  keyName:
+                    type: string
+                  launchGroup:
+                    description: A launch group is a group of spot instances that
+                      launch together and terminate together. If left empty instances
+                      are launched and terminated individually.
+                    type: string
+                  launchTemplate:
+                    items:
+                      properties:
+                        id:
+                          description: The Spot Instance Request ID.
+                          type: string
+                        name:
+                          type: string
+                        version:
+                          type: string
+                      type: object
+                    type: array
+                  maintenanceOptions:
+                    items:
+                      properties:
+                        autoRecovery:
+                          type: string
+                      type: object
+                    type: array
+                  metadataOptions:
+                    items:
+                      properties:
+                        httpEndpoint:
+                          type: string
+                        httpPutResponseHopLimit:
+                          type: number
+                        httpTokens:
+                          type: string
+                        instanceMetadataTags:
+                          description: Key-value map of resource tags.
+                          type: string
+                      type: object
+                    type: array
+                  monitoring:
+                    type: boolean
+                  networkInterface:
+                    items:
+                      properties:
+                        deleteOnTermination:
+                          type: boolean
+                        deviceIndex:
+                          type: number
+                        networkCardIndex:
+                          type: number
+                        networkInterfaceId:
+                          description: The Spot Instance Request ID.
+                          type: string
+                      type: object
+                    type: array
                   outpostArn:
                     type: string
                   passwordData:
                     type: string
+                  placementGroup:
+                    type: string
+                  placementPartitionNumber:
+                    type: number
                   primaryNetworkInterfaceId:
                     description: The Spot Instance Request ID.
                     type: string
@@ -711,6 +910,20 @@ spec:
                       only be used inside the Amazon EC2, and only available if you've
                       enabled DNS hostnames for your VPC
                     type: string
+                  privateDnsNameOptions:
+                    items:
+                      properties:
+                        enableResourceNameDnsARecord:
+                          type: boolean
+                        enableResourceNameDnsAaaaRecord:
+                          type: boolean
+                        hostnameType:
+                          type: string
+                      type: object
+                    type: array
+                  privateIp:
+                    description: The private IP address assigned to the instance
+                    type: string
                   publicDns:
                     description: The public DNS name assigned to the instance. For
                       EC2-VPC, this is only available if you've enabled DNS hostnames
@@ -723,13 +936,43 @@ spec:
                   rootBlockDevice:
                     items:
                       properties:
+                        deleteOnTermination:
+                          type: boolean
                         deviceName:
                           type: string
+                        encrypted:
+                          type: boolean
+                        iops:
+                          type: number
+                        kmsKeyId:
+                          description: The Spot Instance Request ID.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map of resource tags.
+                          type: object
+                        throughput:
+                          type: number
                         volumeId:
                           description: The Spot Instance Request ID.
                           type: string
+                        volumeSize:
+                          type: number
+                        volumeType:
+                          type: string
                       type: object
                     type: array
+                  secondaryPrivateIps:
+                    items:
+                      type: string
+                    type: array
+                  securityGroups:
+                    items:
+                      type: string
+                    type: array
+                  sourceDestCheck:
+                    type: boolean
                   spotBidStatus:
                     description: The current bid status of the Spot Instance Request.
                     type: string
@@ -737,9 +980,24 @@ spec:
                     description: The Instance ID (if any) that is currently fulfilling
                       the Spot Instance request.
                     type: string
+                  spotPrice:
+                    description: The maximum price to request on the spot market.
+                    type: string
                   spotRequestState:
                     description: The current request state of the Spot Instance Request.
                     type: string
+                  spotType:
+                    description: If set to one-time, after the instance is terminated,
+                      the spot request will be closed.
+                    type: string
+                  subnetId:
+                    description: The Spot Instance Request ID.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -747,6 +1005,37 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  tenancy:
+                    type: string
+                  userData:
+                    type: string
+                  userDataBase64:
+                    type: string
+                  userDataReplaceOnChange:
+                    type: boolean
+                  validFrom:
+                    description: The start date and time of the request, in UTC RFC3339
+                      format(for example, YYYY-MM-DDTHH:MM:SSZ). The default is to
+                      start fulfilling the request immediately.
+                    type: string
+                  validUntil:
+                    description: The end date and time of the request, in UTC RFC3339
+                      format(for example, YYYY-MM-DDTHH:MM:SSZ). At this point, no
+                      new Spot instance requests are placed or enabled to fulfill
+                      the request. The default end date is 7 days from the current
+                      date.
+                    type: string
+                  volumeTags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  vpcSecurityGroupIds:
+                    items:
+                      type: string
+                    type: array
+                  waitForFulfillment:
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_subnetcidrreservations.yaml b/package/crds/ec2.aws.upbound.io_subnetcidrreservations.yaml
index 72e27c855d..f86de6d8aa 100644
--- a/package/crds/ec2.aws.upbound.io_subnetcidrreservations.yaml
+++ b/package/crds/ec2.aws.upbound.io_subnetcidrreservations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -155,10 +159,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - cidrBlock
                 - region
-                - reservationType
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -330,18 +347,36 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: cidrBlock is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cidrBlock)
+            - message: reservationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reservationType)
           status:
             description: SubnetCidrReservationStatus defines the observed state of
               SubnetCidrReservation.
             properties:
               atProvider:
                 properties:
+                  cidrBlock:
+                    description: The CIDR block for the reservation.
+                    type: string
+                  description:
+                    description: A brief description of the reservation.
+                    type: string
                   id:
                     description: ID of the CIDR reservation.
                     type: string
                   ownerId:
                     description: ID of the AWS account that owns this CIDR reservation.
                     type: string
+                  reservationType:
+                    description: 'The type of reservation to create. Valid values:
+                      explicit, prefix'
+                    type: string
+                  subnetId:
+                    description: The ID of the subnet to create the reservation for.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_subnets.yaml b/package/crds/ec2.aws.upbound.io_subnets.yaml
index 23283d0a0a..1a6a58fe85 100644
--- a/package/crds/ec2.aws.upbound.io_subnets.yaml
+++ b/package/crds/ec2.aws.upbound.io_subnets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -215,6 +219,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -394,15 +413,83 @@ spec:
                   arn:
                     description: The ARN of the subnet.
                     type: string
+                  assignIpv6AddressOnCreation:
+                    description: Specify true to indicate that network interfaces
+                      created in the specified subnet should be assigned an IPv6 address.
+                      Default is false
+                    type: boolean
+                  availabilityZone:
+                    description: AZ for the subnet.
+                    type: string
+                  availabilityZoneId:
+                    description: AZ ID of the subnet. This argument is not supported
+                      in all regions or partitions. If necessary, use availability_zone
+                      instead.
+                    type: string
+                  cidrBlock:
+                    description: The IPv4 CIDR block for the subnet.
+                    type: string
+                  customerOwnedIpv4Pool:
+                    description: The customer owned IPv4 address pool. Typically used
+                      with the map_customer_owned_ip_on_launch argument. The outpost_arn
+                      argument must be specified when configured.
+                    type: string
+                  enableDns64:
+                    description: 'Indicates whether DNS queries made to the Amazon-provided
+                      DNS Resolver in this subnet should return synthetic IPv6 addresses
+                      for IPv4-only destinations. Default: false.'
+                    type: boolean
+                  enableResourceNameDnsARecordOnLaunch:
+                    description: 'Indicates whether to respond to DNS queries for
+                      instance hostnames with DNS A records. Default: false.'
+                    type: boolean
+                  enableResourceNameDnsAaaaRecordOnLaunch:
+                    description: 'Indicates whether to respond to DNS queries for
+                      instance hostnames with DNS AAAA records. Default: false.'
+                    type: boolean
                   id:
                     description: The ID of the subnet
                     type: string
+                  ipv6CidrBlock:
+                    description: The IPv6 network range for the subnet, in CIDR notation.
+                      The subnet size must use a /64 prefix length.
+                    type: string
                   ipv6CidrBlockAssociationId:
                     description: The association ID for the IPv6 CIDR block.
                     type: string
+                  ipv6Native:
+                    description: 'Indicates whether to create an IPv6-only subnet.
+                      Default: false.'
+                    type: boolean
+                  mapCustomerOwnedIpOnLaunch:
+                    description: Specify true to indicate that network interfaces
+                      created in the subnet should be assigned a customer owned IP
+                      address. The customer_owned_ipv4_pool and outpost_arn arguments
+                      must be specified when set to true. Default is false.
+                    type: boolean
+                  mapPublicIpOnLaunch:
+                    description: Specify true to indicate that instances launched
+                      into the subnet should be assigned a public IP address. Default
+                      is false.
+                    type: boolean
+                  outpostArn:
+                    description: The Amazon Resource Name (ARN) of the Outpost.
+                    type: string
                   ownerId:
                     description: The ID of the AWS account that owns the subnet.
                     type: string
+                  privateDnsHostnameTypeOnLaunch:
+                    description: 'The type of hostnames to assign to instances in
+                      the subnet at launch. For IPv6-only subnets, an instance DNS
+                      name must be based on the instance ID. For dual-stack and IPv4-only
+                      subnets, you can specify whether DNS names use the instance
+                      IPv4 address or the instance ID. Valid values: ip-name, resource-name.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -410,6 +497,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The VPC ID.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_tags.yaml b/package/crds/ec2.aws.upbound.io_tags.yaml
index 50b7b78303..23719f25b6 100644
--- a/package/crds/ec2.aws.upbound.io_tags.yaml
+++ b/package/crds/ec2.aws.upbound.io_tags.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,8 +85,22 @@ spec:
                 - key
                 - region
                 - resourceId
-                - value
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -254,6 +272,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: value is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)
           status:
             description: TagStatus defines the observed state of Tag.
             properties:
@@ -263,6 +284,15 @@ spec:
                     description: EC2 resource identifier and key, separated by a comma
                       (,)
                     type: string
+                  key:
+                    description: The tag name.
+                    type: string
+                  resourceId:
+                    description: The ID of the EC2 resource to manage the tag for.
+                    type: string
+                  value:
+                    description: The value of the tag.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_trafficmirrorfilterrules.yaml b/package/crds/ec2.aws.upbound.io_trafficmirrorfilterrules.yaml
index 3b87e740e1..0b57227aba 100644
--- a/package/crds/ec2.aws.upbound.io_trafficmirrorfilterrules.yaml
+++ b/package/crds/ec2.aws.upbound.io_trafficmirrorfilterrules.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -207,13 +211,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - destinationCidrBlock
                 - region
-                - ruleAction
-                - ruleNumber
-                - sourceCidrBlock
-                - trafficDirection
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -385,6 +399,17 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destinationCidrBlock is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationCidrBlock)
+            - message: ruleAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleAction)
+            - message: ruleNumber is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleNumber)
+            - message: sourceCidrBlock is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceCidrBlock)
+            - message: trafficDirection is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.trafficDirection)
           status:
             description: TrafficMirrorFilterRuleStatus defines the observed state
               of TrafficMirrorFilterRule.
@@ -394,9 +419,71 @@ spec:
                   arn:
                     description: ARN of the traffic mirror filter rule.
                     type: string
+                  description:
+                    description: Description of the traffic mirror filter rule.
+                    type: string
+                  destinationCidrBlock:
+                    description: Destination CIDR block to assign to the Traffic Mirror
+                      rule.
+                    type: string
+                  destinationPortRange:
+                    description: Destination port range. Supported only when the protocol
+                      is set to TCP(6) or UDP(17). See Traffic mirror port range documented
+                      below
+                    items:
+                      properties:
+                        fromPort:
+                          description: Starting port of the range
+                          type: number
+                        toPort:
+                          description: Ending port of the range
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: Name of the traffic mirror filter rule.
                     type: string
+                  protocol:
+                    description: Protocol number, for example 17 (UDP), to assign
+                      to the Traffic Mirror rule. For information about the protocol
+                      value, see Protocol Numbers on the Internet Assigned Numbers
+                      Authority (IANA) website.
+                    type: number
+                  ruleAction:
+                    description: Action to take (accept | reject) on the filtered
+                      traffic. Valid values are accept and reject
+                    type: string
+                  ruleNumber:
+                    description: Number of the Traffic Mirror rule. This number must
+                      be unique for each Traffic Mirror rule in a given direction.
+                      The rules are processed in ascending order by rule number.
+                    type: number
+                  sourceCidrBlock:
+                    description: Source CIDR block to assign to the Traffic Mirror
+                      rule.
+                    type: string
+                  sourcePortRange:
+                    description: Source port range. Supported only when the protocol
+                      is set to TCP(6) or UDP(17). See Traffic mirror port range documented
+                      below
+                    items:
+                      properties:
+                        fromPort:
+                          description: Starting port of the range
+                          type: number
+                        toPort:
+                          description: Ending port of the range
+                          type: number
+                      type: object
+                    type: array
+                  trafficDirection:
+                    description: Direction of traffic to be captured. Valid values
+                      are ingress and egress
+                    type: string
+                  trafficMirrorFilterId:
+                    description: ID of the traffic mirror filter to which this rule
+                      should be added
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_trafficmirrorfilters.yaml b/package/crds/ec2.aws.upbound.io_trafficmirrorfilters.yaml
index f36e506e1e..5400160fa5 100644
--- a/package/crds/ec2.aws.upbound.io_trafficmirrorfilters.yaml
+++ b/package/crds/ec2.aws.upbound.io_trafficmirrorfilters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -85,6 +89,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -264,9 +283,23 @@ spec:
                   arn:
                     description: The ARN of the traffic mirror filter.
                     type: string
+                  description:
+                    description: A description of the filter.
+                    type: string
                   id:
                     description: The name of the filter.
                     type: string
+                  networkServices:
+                    description: 'List of amazon network services that should be mirrored.
+                      Valid values: amazon-dns.'
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayconnectpeers.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayconnectpeers.yaml
index 0c3e6b591d..7f74dd47c0 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayconnectpeers.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayconnectpeers.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -185,10 +189,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - insideCidrBlocks
-                - peerAddress
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -360,6 +377,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: insideCidrBlocks is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.insideCidrBlocks)
+            - message: peerAddress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.peerAddress)
           status:
             description: TransitGatewayConnectPeerStatus defines the observed state
               of TransitGatewayConnectPeer.
@@ -369,9 +391,39 @@ spec:
                   arn:
                     description: EC2 Transit Gateway Connect Peer ARN
                     type: string
+                  bgpAsn:
+                    description: The BGP ASN number assigned customer device. If not
+                      provided, it will use the same BGP ASN as is associated with
+                      Transit Gateway.
+                    type: string
                   id:
                     description: EC2 Transit Gateway Connect Peer identifier
                     type: string
+                  insideCidrBlocks:
+                    description: 'The CIDR block that will be used for addressing
+                      within the tunnel. It must contain exactly one IPv4 CIDR block
+                      and up to one IPv6 CIDR block. The IPv4 CIDR block must be /29
+                      size and must be within 169.254.0.0/16 range, with exception
+                      of: 169.254.0.0/29, 169.254.1.0/29, 169.254.2.0/29, 169.254.3.0/29,
+                      169.254.4.0/29, 169.254.5.0/29, 169.254.169.248/29. The IPv6
+                      CIDR block must be /125 size and must be within fd00::/8. The
+                      first IP from each CIDR block is assigned for customer gateway,
+                      the second and third is for Transit Gateway (An example: from
+                      range 169.254.100.0/29, .1 is assigned to customer gateway and
+                      .2 and .3 are assigned to Transit Gateway)'
+                    items:
+                      type: string
+                    type: array
+                  peerAddress:
+                    description: The IP addressed assigned to customer device, which
+                      will be used as tunnel endpoint. It can be IPv4 or IPv6 address,
+                      but must be the same address family as transit_gateway_address
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -379,6 +431,16 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayAddress:
+                    description: The IP address assigned to Transit Gateway, which
+                      will be used as tunnel endpoint. This address must be from associated
+                      Transit Gateway CIDR block. The address must be from the same
+                      address family as peer_address. If not set explicitly, it will
+                      be selected from associated Transit Gateway CIDR blocks
+                    type: string
+                  transitGatewayAttachmentId:
+                    description: The Transit Gateway Connect
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayconnects.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayconnects.yaml
index d5f2e3ad46..1268861079 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayconnects.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayconnects.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -248,6 +252,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -428,6 +447,15 @@ spec:
                   id:
                     description: EC2 Transit Gateway Attachment identifier
                     type: string
+                  protocol:
+                    description: 'The tunnel protocol. Valida values: gre. Default
+                      is gre.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -435,6 +463,24 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayDefaultRouteTableAssociation:
+                    description: 'Boolean whether the Connect should be associated
+                      with the EC2 Transit Gateway association default route table.
+                      This cannot be configured or perform drift detection with Resource
+                      Access Manager shared EC2 Transit Gateways. Default value: true.'
+                    type: boolean
+                  transitGatewayDefaultRouteTablePropagation:
+                    description: 'Boolean whether the Connect should propagate routes
+                      with the EC2 Transit Gateway propagation default route table.
+                      This cannot be configured or perform drift detection with Resource
+                      Access Manager shared EC2 Transit Gateways. Default value: true.'
+                    type: boolean
+                  transitGatewayId:
+                    description: Identifier of EC2 Transit Gateway.
+                    type: string
+                  transportAttachmentId:
+                    description: The underlaying VPC attachment
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomainassociations.yaml b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomainassociations.yaml
index 808acdccda..b24f163194 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomainassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomainassociations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -306,6 +310,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -487,6 +506,16 @@ spec:
                     description: EC2 Transit Gateway Multicast Domain Association
                       identifier.
                     type: string
+                  subnetId:
+                    description: The ID of the subnet to associate with the transit
+                      gateway multicast domain.
+                    type: string
+                  transitGatewayAttachmentId:
+                    description: The ID of the transit gateway attachment.
+                    type: string
+                  transitGatewayMulticastDomainId:
+                    description: The ID of the transit gateway multicast domain.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomains.yaml b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomains.yaml
index 4f66b36241..b551f7afd4 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomains.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastdomains.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -170,6 +174,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -351,13 +370,34 @@ spec:
                     description: EC2 Transit Gateway Multicast Domain Amazon Resource
                       Name (ARN).
                     type: string
+                  autoAcceptSharedAssociations:
+                    description: 'Whether to automatically accept cross-account subnet
+                      associations that are associated with the EC2 Transit Gateway
+                      Multicast Domain. Valid values: disable, enable. Default value:
+                      disable.'
+                    type: string
                   id:
                     description: EC2 Transit Gateway Multicast Domain identifier.
                     type: string
+                  igmpv2Support:
+                    description: 'Whether to enable Internet Group Management Protocol
+                      (IGMP) version 2 for the EC2 Transit Gateway Multicast Domain.
+                      Valid values: disable, enable. Default value: disable.'
+                    type: string
                   ownerId:
                     description: Identifier of the AWS account that owns the EC2 Transit
                       Gateway Multicast Domain.
                     type: string
+                  staticSourcesSupport:
+                    description: 'Whether to enable support for statically configuring
+                      multicast group sources for the EC2 Transit Gateway Multicast
+                      Domain. Valid values: disable, enable. Default value: disable.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -365,6 +405,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayId:
+                    description: EC2 Transit Gateway identifier. The EC2 Transit Gateway
+                      must have multicast_support enabled.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupmembers.yaml b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupmembers.yaml
index 71df2d1233..bfa51a4a9e 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupmembers.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupmembers.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -231,9 +235,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - groupIpAddress
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,15 +423,29 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: groupIpAddress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupIpAddress)
           status:
             description: TransitGatewayMulticastGroupMemberStatus defines the observed
               state of TransitGatewayMulticastGroupMember.
             properties:
               atProvider:
                 properties:
+                  groupIpAddress:
+                    description: The IP address assigned to the transit gateway multicast
+                      group.
+                    type: string
                   id:
                     description: EC2 Transit Gateway Multicast Group Member identifier.
                     type: string
+                  networkInterfaceId:
+                    description: The group members' network interface ID to register
+                      with the transit gateway multicast group.
+                    type: string
+                  transitGatewayMulticastDomainId:
+                    description: The ID of the transit gateway multicast domain.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupsources.yaml b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupsources.yaml
index 0132a4eee8..f376f566f7 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupsources.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewaymulticastgroupsources.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -231,9 +235,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - groupIpAddress
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,15 +423,29 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: groupIpAddress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupIpAddress)
           status:
             description: TransitGatewayMulticastGroupSourceStatus defines the observed
               state of TransitGatewayMulticastGroupSource.
             properties:
               atProvider:
                 properties:
+                  groupIpAddress:
+                    description: The IP address assigned to the transit gateway multicast
+                      group.
+                    type: string
                   id:
                     description: EC2 Transit Gateway Multicast Group Member identifier.
                     type: string
+                  networkInterfaceId:
+                    description: The group members' network interface ID to register
+                      with the transit gateway multicast group.
+                    type: string
+                  transitGatewayMulticastDomainId:
+                    description: The ID of the transit gateway multicast domain.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachmentaccepters.yaml b/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachmentaccepters.yaml
index d65b0a0189..025ce26c12 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachmentaccepters.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachmentaccepters.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,6 +161,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -346,6 +365,11 @@ spec:
                   peerTransitGatewayId:
                     description: Identifier of EC2 Transit Gateway to peer with.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -353,6 +377,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayAttachmentId:
+                    description: The ID of the EC2 Transit Gateway Peering Attachment
+                      to manage.
+                    type: string
                   transitGatewayId:
                     description: Identifier of EC2 Transit Gateway.
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachments.yaml b/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachments.yaml
index 35de7e1124..1a03cea1bd 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachments.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewaypeeringattachments.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -238,9 +242,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - peerRegion
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -412,6 +430,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: peerRegion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.peerRegion)
           status:
             description: TransitGatewayPeeringAttachmentStatus defines the observed
               state of TransitGatewayPeeringAttachment.
@@ -421,6 +442,21 @@ spec:
                   id:
                     description: EC2 Transit Gateway Attachment identifier
                     type: string
+                  peerAccountId:
+                    description: Account ID of EC2 Transit Gateway to peer with. Defaults
+                      to the account ID the AWS provider is currently connected to.
+                    type: string
+                  peerRegion:
+                    description: Region of EC2 Transit Gateway to peer with.
+                    type: string
+                  peerTransitGatewayId:
+                    description: Identifier of EC2 Transit Gateway to peer with.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -428,6 +464,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayId:
+                    description: Identifier of EC2 Transit Gateway.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewaypolicytables.yaml b/package/crds/ec2.aws.upbound.io_transitgatewaypolicytables.yaml
index 2aaac0c1e1..5ae0afb3e7 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewaypolicytables.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewaypolicytables.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -155,6 +159,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -342,6 +361,11 @@ spec:
                   state:
                     description: The state of the EC2 Transit Gateway Policy Table.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -349,6 +373,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayId:
+                    description: EC2 Transit Gateway identifier.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayprefixlistreferences.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayprefixlistreferences.yaml
index 34b1eee812..e04b072fff 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayprefixlistreferences.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayprefixlistreferences.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -310,6 +314,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -487,14 +506,27 @@ spec:
             properties:
               atProvider:
                 properties:
+                  blackhole:
+                    description: Indicates whether to drop traffic that matches the
+                      Prefix List. Defaults to false.
+                    type: boolean
                   id:
                     description: EC2 Transit Gateway Route Table identifier and EC2
                       Prefix List identifier, separated by an underscore (_)
                     type: string
+                  prefixListId:
+                    description: Identifier of EC2 Prefix List.
+                    type: string
                   prefixListOwnerId:
                     description: EC2 Transit Gateway Route Table identifier and EC2
                       Prefix List identifier, separated by an underscore (_)
                     type: string
+                  transitGatewayAttachmentId:
+                    description: Identifier of EC2 Transit Gateway Attachment.
+                    type: string
+                  transitGatewayRouteTableId:
+                    description: Identifier of EC2 Transit Gateway Route Table.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayroutes.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayroutes.yaml
index d481907c01..5bf72f0b35 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayroutes.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayroutes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -233,9 +237,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - destinationCidrBlock
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -407,15 +425,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destinationCidrBlock is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationCidrBlock)
           status:
             description: TransitGatewayRouteStatus defines the observed state of TransitGatewayRoute.
             properties:
               atProvider:
                 properties:
+                  blackhole:
+                    description: Indicates whether to drop traffic that matches this
+                      route (default to false).
+                    type: boolean
+                  destinationCidrBlock:
+                    description: IPv4 or IPv6 RFC1924 CIDR used for destination matches.
+                      Routing decisions are based on the most specific match.
+                    type: string
                   id:
                     description: EC2 Transit Gateway Route Table identifier combined
                       with destination
                     type: string
+                  transitGatewayAttachmentId:
+                    description: Identifier of EC2 Transit Gateway Attachment .
+                    type: string
+                  transitGatewayRouteTableId:
+                    description: Identifier of EC2 Transit Gateway Route Table.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayroutetableassociations.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayroutetableassociations.yaml
index fbc40fdc0c..2b37083f8c 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayroutetableassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayroutetableassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -415,6 +434,12 @@ spec:
                   resourceType:
                     description: Type of the resource
                     type: string
+                  transitGatewayAttachmentId:
+                    description: Identifier of EC2 Transit Gateway Attachment.
+                    type: string
+                  transitGatewayRouteTableId:
+                    description: Identifier of EC2 Transit Gateway Route Table.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayroutetablepropagations.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayroutetablepropagations.yaml
index 145d5f84f6..9dd80c69cc 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayroutetablepropagations.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayroutetablepropagations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -415,6 +434,12 @@ spec:
                   resourceType:
                     description: Type of the resource
                     type: string
+                  transitGatewayAttachmentId:
+                    description: Identifier of EC2 Transit Gateway Attachment.
+                    type: string
+                  transitGatewayRouteTableId:
+                    description: Identifier of EC2 Transit Gateway Route Table.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayroutetables.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayroutetables.yaml
index 709bd63c01..0acbb59032 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayroutetables.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayroutetables.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,6 +157,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -345,6 +364,11 @@ spec:
                   id:
                     description: EC2 Transit Gateway Route Table identifier
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -352,6 +376,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayId:
+                    description: Identifier of EC2 Transit Gateway.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgateways.yaml b/package/crds/ec2.aws.upbound.io_transitgateways.yaml
index 3f753956a9..024c0c115f 100644
--- a/package/crds/ec2.aws.upbound.io_transitgateways.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgateways.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -119,6 +123,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -295,15 +314,47 @@ spec:
             properties:
               atProvider:
                 properties:
+                  amazonSideAsn:
+                    description: 'Private Autonomous System Number (ASN) for the Amazon
+                      side of a BGP session. The range is 64512 to 65534 for 16-bit
+                      ASNs and 4200000000 to 4294967294 for 32-bit ASNs. Default value:
+                      64512.'
+                    type: number
                   arn:
                     description: EC2 Transit Gateway Amazon Resource Name (ARN)
                     type: string
                   associationDefaultRouteTableId:
                     description: Identifier of the default association route table
                     type: string
+                  autoAcceptSharedAttachments:
+                    description: 'Whether resource attachment requests are automatically
+                      accepted. Valid values: disable, enable. Default value: disable.'
+                    type: string
+                  defaultRouteTableAssociation:
+                    description: 'Whether resource attachments are automatically associated
+                      with the default association route table. Valid values: disable,
+                      enable. Default value: enable.'
+                    type: string
+                  defaultRouteTablePropagation:
+                    description: 'Whether resource attachments automatically propagate
+                      routes to the default propagation route table. Valid values:
+                      disable, enable. Default value: enable.'
+                    type: string
+                  description:
+                    description: Description of the EC2 Transit Gateway.
+                    type: string
+                  dnsSupport:
+                    description: 'Whether DNS support is enabled. Valid values: disable,
+                      enable. Default value: enable.'
+                    type: string
                   id:
                     description: EC2 Transit Gateway identifier
                     type: string
+                  multicastSupport:
+                    description: 'Whether Multicast support is enabled. Required to
+                      use ec2_transit_gateway_multicast_domain. Valid values: disable,
+                      enable. Default value: disable.'
+                    type: string
                   ownerId:
                     description: Identifier of the AWS account that owns the EC2 Transit
                       Gateway
@@ -311,6 +362,11 @@ spec:
                   propagationDefaultRouteTableId:
                     description: Identifier of the default propagation route table
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -318,6 +374,17 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayCidrBlocks:
+                    description: One or more IPv4 or IPv6 CIDR blocks for the transit
+                      gateway. Must be a size /24 CIDR block or larger for IPv4, or
+                      a size /64 CIDR block or larger for IPv6.
+                    items:
+                      type: string
+                    type: array
+                  vpnEcmpSupport:
+                    description: 'Whether VPN Equal Cost Multipath Protocol support
+                      is enabled. Valid values: disable, enable. Default value: enable.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachmentaccepters.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachmentaccepters.yaml
index e1cc4052f1..72da456f52 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachmentaccepters.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachmentaccepters.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -165,6 +169,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -362,6 +381,11 @@ spec:
                     items:
                       type: string
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -369,6 +393,19 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayAttachmentId:
+                    description: The ID of the EC2 Transit Gateway Attachment to manage.
+                    type: string
+                  transitGatewayDefaultRouteTableAssociation:
+                    description: 'Boolean whether the VPC Attachment should be associated
+                      with the EC2 Transit Gateway association default route table.
+                      Default value: true.'
+                    type: boolean
+                  transitGatewayDefaultRouteTablePropagation:
+                    description: 'Boolean whether the VPC Attachment should propagate
+                      routes with the EC2 Transit Gateway propagation default route
+                      table. Default value: true.'
+                    type: boolean
                   transitGatewayId:
                     description: Identifier of EC2 Transit Gateway.
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachments.yaml b/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachments.yaml
index ad87c378f9..719140aba2 100644
--- a/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachments.yaml
+++ b/package/crds/ec2.aws.upbound.io_transitgatewayvpcattachments.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -338,6 +342,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -515,9 +534,33 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applianceModeSupport:
+                    description: 'Whether Appliance Mode support is enabled. If enabled,
+                      a traffic flow between a source and destination uses the same
+                      Availability Zone for the VPC attachment for the lifetime of
+                      that flow. Valid values: disable, enable. Default value: disable.'
+                    type: string
+                  dnsSupport:
+                    description: 'Whether DNS support is enabled. Valid values: disable,
+                      enable. Default value: enable.'
+                    type: string
                   id:
                     description: EC2 Transit Gateway Attachment identifier
                     type: string
+                  ipv6Support:
+                    description: 'Whether IPv6 support is enabled. Valid values: disable,
+                      enable. Default value: disable.'
+                    type: string
+                  subnetIds:
+                    description: Identifiers of EC2 Subnets.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -525,6 +568,25 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transitGatewayDefaultRouteTableAssociation:
+                    description: 'Boolean whether the VPC Attachment should be associated
+                      with the EC2 Transit Gateway association default route table.
+                      This cannot be configured or perform drift detection with Resource
+                      Access Manager shared EC2 Transit Gateways. Default value: true.'
+                    type: boolean
+                  transitGatewayDefaultRouteTablePropagation:
+                    description: 'Boolean whether the VPC Attachment should propagate
+                      routes with the EC2 Transit Gateway propagation default route
+                      table. This cannot be configured or perform drift detection
+                      with Resource Access Manager shared EC2 Transit Gateways. Default
+                      value: true.'
+                    type: boolean
+                  transitGatewayId:
+                    description: Identifier of EC2 Transit Gateway.
+                    type: string
+                  vpcId:
+                    description: Identifier of EC2 VPC.
+                    type: string
                   vpcOwnerId:
                     description: Identifier of the AWS account that owns the EC2 VPC.
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_volumeattachments.yaml b/package/crds/ec2.aws.upbound.io_volumeattachments.yaml
index 19f3dbdbe5..0dbf4034de 100644
--- a/package/crds/ec2.aws.upbound.io_volumeattachments.yaml
+++ b/package/crds/ec2.aws.upbound.io_volumeattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -241,9 +245,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - deviceName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -415,13 +433,42 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: deviceName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deviceName)
           status:
             description: VolumeAttachmentStatus defines the observed state of VolumeAttachment.
             properties:
               atProvider:
                 properties:
+                  deviceName:
+                    description: The device name to expose to the instance (for example,
+                      /dev/sdh or xvdh).  See Device Naming on Linux Instances and
+                      Device Naming on Windows Instances for more information.
+                    type: string
+                  forceDetach:
+                    description: Set to true if you want to force the volume to detach.
+                      Useful if previous attempts failed, but use this option only
+                      as a last resort, as this can result in data loss. See Detaching
+                      an Amazon EBS Volume from an Instance for more information.
+                    type: boolean
                   id:
                     type: string
+                  instanceId:
+                    description: ID of the Instance to attach to
+                    type: string
+                  skipDestroy:
+                    description: This is useful when destroying an instance which
+                      has volumes created by some other means attached.
+                    type: boolean
+                  stopInstanceBeforeDetaching:
+                    description: Set this to true to ensure that the target instance
+                      is stopped before trying to detach the volume. Stops the instance,
+                      if it is not already stopped.
+                    type: boolean
+                  volumeId:
+                    description: ID of the Volume to be attached
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcdhcpoptions.yaml b/package/crds/ec2.aws.upbound.io_vpcdhcpoptions.yaml
index 72a6bf55c4..e717e0d679 100644
--- a/package/crds/ec2.aws.upbound.io_vpcdhcpoptions.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcdhcpoptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -104,6 +108,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -283,13 +302,46 @@ spec:
                   arn:
                     description: The ARN of the DHCP Options Set.
                     type: string
+                  domainName:
+                    description: the suffix domain name to use by default when resolving
+                      non Fully Qualified Domain Names. In other words, this is what
+                      ends up being the search value in the /etc/resolv.conf file.
+                    type: string
+                  domainNameServers:
+                    description: List of name servers to configure in /etc/resolv.conf.
+                      If you want to use the default AWS nameservers you should set
+                      this to AmazonProvidedDNS.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The ID of the DHCP Options Set.
                     type: string
+                  netbiosNameServers:
+                    description: List of NETBIOS name servers.
+                    items:
+                      type: string
+                    type: array
+                  netbiosNodeType:
+                    description: The NetBIOS node type (1, 2, 4, or 8). AWS recommends
+                      to specify 2 since broadcast and multicast are not supported
+                      in their network. For more information about these node types,
+                      see RFC 2132.
+                    type: string
+                  ntpServers:
+                    description: List of NTP servers to configure.
+                    items:
+                      type: string
+                    type: array
                   ownerId:
                     description: The ID of the AWS account that owns the DHCP options
                       set.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_vpcdhcpoptionsassociations.yaml b/package/crds/ec2.aws.upbound.io_vpcdhcpoptionsassociations.yaml
index 4cc7a60d19..89aab4221b 100644
--- a/package/crds/ec2.aws.upbound.io_vpcdhcpoptionsassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcdhcpoptionsassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,9 +424,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  dhcpOptionsId:
+                    description: The ID of the DHCP Options Set to associate to the
+                      VPC.
+                    type: string
                   id:
                     description: The ID of the DHCP Options Set Association.
                     type: string
+                  vpcId:
+                    description: The ID of the VPC to which we would like to associate
+                      a DHCP Options Set.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcendpointconnectionnotifications.yaml b/package/crds/ec2.aws.upbound.io_vpcendpointconnectionnotifications.yaml
index f3f6979c26..6e8207df8a 100644
--- a/package/crds/ec2.aws.upbound.io_vpcendpointconnectionnotifications.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcendpointconnectionnotifications.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -235,9 +239,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - connectionEvents
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -409,12 +427,24 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: connectionEvents is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.connectionEvents)
           status:
             description: VPCEndpointConnectionNotificationStatus defines the observed
               state of VPCEndpointConnectionNotification.
             properties:
               atProvider:
                 properties:
+                  connectionEvents:
+                    description: One or more endpoint events for which to receive
+                      notifications.
+                    items:
+                      type: string
+                    type: array
+                  connectionNotificationArn:
+                    description: The ARN of the SNS topic for the notifications.
+                    type: string
                   id:
                     description: The ID of the VPC connection notification.
                     type: string
@@ -424,6 +454,14 @@ spec:
                   state:
                     description: The state of the notification.
                     type: string
+                  vpcEndpointId:
+                    description: The ID of the VPC Endpoint to receive notifications
+                      for.
+                    type: string
+                  vpcEndpointServiceId:
+                    description: The ID of the VPC Endpoint Service to receive notifications
+                      for.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcendpointroutetableassociations.yaml b/package/crds/ec2.aws.upbound.io_vpcendpointroutetableassociations.yaml
index 5a27d8dd6e..5a5ba62324 100644
--- a/package/crds/ec2.aws.upbound.io_vpcendpointroutetableassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcendpointroutetableassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -226,6 +230,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -406,6 +425,14 @@ spec:
                   id:
                     description: A hash of the EC2 Route Table and VPC Endpoint identifiers.
                     type: string
+                  routeTableId:
+                    description: Identifier of the EC2 Route Table to be associated
+                      with the VPC Endpoint.
+                    type: string
+                  vpcEndpointId:
+                    description: Identifier of the VPC Endpoint with which the EC2
+                      Route Table will be associated.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcendpoints.yaml b/package/crds/ec2.aws.upbound.io_vpcendpoints.yaml
index f9c5981634..dae9b17c99 100644
--- a/package/crds/ec2.aws.upbound.io_vpcendpoints.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcendpoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -267,6 +271,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -446,6 +465,10 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the VPC endpoint.
                     type: string
+                  autoAccept:
+                    description: Accept the VPC endpoint (the VPC endpoint and service
+                      need to be in the same AWS account).
+                    type: boolean
                   cidrBlocks:
                     description: The list of CIDR blocks for the exposed AWS service.
                       Applicable for endpoints of type Gateway.
@@ -465,9 +488,24 @@ spec:
                           type: string
                       type: object
                     type: array
+                  dnsOptions:
+                    description: The DNS options for the endpoint. See dns_options
+                      below.
+                    items:
+                      properties:
+                        dnsRecordIpType:
+                          description: The DNS records created for the endpoint. Valid
+                            values are ipv4, dualstack, service-defined, and ipv6.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the VPC endpoint.
                     type: string
+                  ipAddressType:
+                    description: The IP address type for the endpoint. Valid values
+                      are ipv4, dualstack, and ipv6.
+                    type: string
                   networkInterfaceIds:
                     description: One or more network interfaces for the VPC Endpoint.
                       Applicable for endpoints of type Interface.
@@ -477,10 +515,21 @@ spec:
                   ownerId:
                     description: The ID of the AWS account that owns the VPC endpoint.
                     type: string
+                  policy:
+                    description: A policy to attach to the endpoint that controls
+                      access to the service. This is a JSON formatted string. Defaults
+                      to full access. All Gateway and some Interface endpoints support
+                      policies - see the relevant AWS documentation for more details.
+                    type: string
                   prefixListId:
                     description: The prefix list ID of the exposed AWS service. Applicable
                       for endpoints of type Gateway.
                     type: string
+                  privateDnsEnabled:
+                    description: Whether or not to associate a private hosted zone
+                      with the specified VPC. Applicable for endpoints of type Interface.
+                      Defaults to false.
+                    type: boolean
                   requesterManaged:
                     description: Whether or not the VPC Endpoint is being managed
                       by its service - true or false.
@@ -499,6 +548,12 @@ spec:
                     items:
                       type: string
                     type: array
+                  serviceName:
+                    description: The service name. For AWS services the service name
+                      is usually in the form com.amazonaws.<region>.<service> (the
+                      SageMaker Notebook service is an exception to this rule, the
+                      service name is in the form aws.sagemaker.<region>.notebook).
+                    type: string
                   state:
                     description: The state of the VPC endpoint.
                     type: string
@@ -509,6 +564,11 @@ spec:
                     items:
                       type: string
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -516,6 +576,13 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcEndpointType:
+                    description: The VPC endpoint type, Gateway, GatewayLoadBalancer,
+                      or Interface. Defaults to Gateway.
+                    type: string
+                  vpcId:
+                    description: The ID of the VPC in which the endpoint will be used.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcendpointsecuritygroupassociations.yaml b/package/crds/ec2.aws.upbound.io_vpcendpointsecuritygroupassociations.yaml
index b32922aabd..9836c8879c 100644
--- a/package/crds/ec2.aws.upbound.io_vpcendpointsecuritygroupassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcendpointsecuritygroupassociations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -234,6 +238,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -414,6 +433,21 @@ spec:
                   id:
                     description: The ID of the association.
                     type: string
+                  replaceDefaultAssociation:
+                    description: Whether this association should replace the association
+                      with the VPC's default security group that is created when no
+                      security groups are specified during VPC endpoint creation.
+                      At most 1 association per-VPC endpoint should be configured
+                      with replace_default_association = true.
+                    type: boolean
+                  securityGroupId:
+                    description: The ID of the security group to be associated with
+                      the VPC endpoint.
+                    type: string
+                  vpcEndpointId:
+                    description: The ID of the VPC endpoint with which the security
+                      group will be associated.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcendpointserviceallowedprincipals.yaml b/package/crds/ec2.aws.upbound.io_vpcendpointserviceallowedprincipals.yaml
index 7542777a78..ced2ab1b60 100644
--- a/package/crds/ec2.aws.upbound.io_vpcendpointserviceallowedprincipals.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcendpointserviceallowedprincipals.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,9 +156,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - principalArn
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,6 +344,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: principalArn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principalArn)
           status:
             description: VPCEndpointServiceAllowedPrincipalStatus defines the observed
               state of VPCEndpointServiceAllowedPrincipal.
@@ -335,6 +356,12 @@ spec:
                   id:
                     description: The ID of the association.
                     type: string
+                  principalArn:
+                    description: The ARN of the principal to allow permissions.
+                    type: string
+                  vpcEndpointServiceId:
+                    description: The ID of the VPC endpoint service to allow permission.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcendpointservices.yaml b/package/crds/ec2.aws.upbound.io_vpcendpointservices.yaml
index b186d8c5cd..ae958d4250 100644
--- a/package/crds/ec2.aws.upbound.io_vpcendpointservices.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcendpointservices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -100,9 +104,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - acceptanceRequired
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -274,11 +292,19 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: acceptanceRequired is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.acceptanceRequired)
           status:
             description: VPCEndpointServiceStatus defines the observed state of VPCEndpointService.
             properties:
               atProvider:
                 properties:
+                  acceptanceRequired:
+                    description: Whether or not VPC endpoint connection requests to
+                      the service must be accepted by the service owner - true or
+                      false.
+                    type: boolean
                   allowedPrincipals:
                     description: The ARNs of one or more principals allowed to discover
                       the endpoint service.
@@ -300,6 +326,12 @@ spec:
                     items:
                       type: string
                     type: array
+                  gatewayLoadBalancerArns:
+                    description: Amazon Resource Names (ARNs) of one or more Gateway
+                      Load Balancers for the endpoint service.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The ID of the VPC endpoint service.
                     type: string
@@ -307,6 +339,15 @@ spec:
                     description: Whether or not the service manages its VPC endpoints
                       - true or false.
                     type: boolean
+                  networkLoadBalancerArns:
+                    description: Amazon Resource Names (ARNs) of one or more Network
+                      Load Balancers for the endpoint service.
+                    items:
+                      type: string
+                    type: array
+                  privateDnsName:
+                    description: The private DNS name for the service.
+                    type: string
                   privateDnsNameConfiguration:
                     description: List of objects containing information about the
                       endpoint service private DNS name configuration.
@@ -338,6 +379,17 @@ spec:
                   state:
                     description: The state of the VPC endpoint service.
                     type: string
+                  supportedIpAddressTypes:
+                    description: The supported IP address types. The possible values
+                      are ipv4 and ipv6.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_vpcendpointsubnetassociations.yaml b/package/crds/ec2.aws.upbound.io_vpcendpointsubnetassociations.yaml
index b32fa1618e..a732d554c6 100644
--- a/package/crds/ec2.aws.upbound.io_vpcendpointsubnetassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcendpointsubnetassociations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -227,6 +231,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -407,6 +426,14 @@ spec:
                   id:
                     description: The ID of the association.
                     type: string
+                  subnetId:
+                    description: The ID of the subnet to be associated with the VPC
+                      endpoint.
+                    type: string
+                  vpcEndpointId:
+                    description: The ID of the VPC endpoint with which the subnet
+                      will be associated.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcipampoolcidrallocations.yaml b/package/crds/ec2.aws.upbound.io_vpcipampoolcidrallocations.yaml
index 2238887439..bfd5b69b95 100644
--- a/package/crds/ec2.aws.upbound.io_vpcipampoolcidrallocations.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcipampoolcidrallocations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -166,6 +170,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,12 +362,32 @@ spec:
             properties:
               atProvider:
                 properties:
+                  cidr:
+                    description: The CIDR you want to assign to the pool.
+                    type: string
+                  description:
+                    description: The description for the allocation.
+                    type: string
+                  disallowedCidrs:
+                    description: Exclude a particular CIDR range from being returned
+                      by the pool.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The ID of the allocation.
                     type: string
                   ipamPoolAllocationId:
                     description: The ID of the allocation.
                     type: string
+                  ipamPoolId:
+                    description: The ID of the pool to which you want to assign a
+                      CIDR.
+                    type: string
+                  netmaskLength:
+                    description: 'The netmask length of the CIDR you would like to
+                      allocate to the IPAM pool. Valid Values: 0-128.'
+                    type: number
                   resourceId:
                     description: The ID of the resource.
                     type: string
diff --git a/package/crds/ec2.aws.upbound.io_vpcipampoolcidrs.yaml b/package/crds/ec2.aws.upbound.io_vpcipampoolcidrs.yaml
index ba10560377..451495aeba 100644
--- a/package/crds/ec2.aws.upbound.io_vpcipampoolcidrs.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcipampoolcidrs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -174,6 +178,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -350,6 +369,27 @@ spec:
             properties:
               atProvider:
                 properties:
+                  cidr:
+                    description: The CIDR you want to assign to the pool. Conflicts
+                      with netmask_length.
+                    type: string
+                  cidrAuthorizationContext:
+                    description: A signed document that proves that you are authorized
+                      to bring the specified IP address range to Amazon using BYOIP.
+                      This is not stored in the state file. See cidr_authorization_context
+                      for more information.
+                    items:
+                      properties:
+                        message:
+                          description: The plain-text authorization message for the
+                            prefix and account.
+                          type: string
+                        signature:
+                          description: The signed authorization message for the prefix
+                            and account.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the IPAM Pool Cidr concatenated with the
                       IPAM Pool ID.
@@ -357,6 +397,15 @@ spec:
                   ipamPoolCidrId:
                     description: The unique ID generated by AWS for the pool cidr.
                     type: string
+                  ipamPoolId:
+                    description: The ID of the pool to which you want to assign a
+                      CIDR.
+                    type: string
+                  netmaskLength:
+                    description: If provided, the cidr provisioned into the specified
+                      pool will be the next available cidr given this declared netmask
+                      length. Conflicts with cidr.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcipampools.yaml b/package/crds/ec2.aws.upbound.io_vpcipampools.yaml
index e75d782f40..8c35c5d8de 100644
--- a/package/crds/ec2.aws.upbound.io_vpcipampools.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcipampools.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -289,9 +293,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - addressFamily
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -463,24 +481,101 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addressFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addressFamily)
           status:
             description: VPCIpamPoolStatus defines the observed state of VPCIpamPool.
             properties:
               atProvider:
                 properties:
+                  addressFamily:
+                    description: The IP protocol assigned to this pool. You must choose
+                      either IPv4 or IPv6 protocol for a pool.
+                    type: string
+                  allocationDefaultNetmaskLength:
+                    description: A default netmask length for allocations added to
+                      this pool. If, for example, the CIDR assigned to this pool is
+                      10.0.0.0/8 and you enter 16 here, new allocations will default
+                      to 10.0.0.0/16 (unless you provide a different netmask value
+                      when you create the new allocation).
+                    type: number
+                  allocationMaxNetmaskLength:
+                    description: The maximum netmask length that will be required
+                      for CIDR allocations in this pool.
+                    type: number
+                  allocationMinNetmaskLength:
+                    description: The minimum netmask length that will be required
+                      for CIDR allocations in this pool.
+                    type: number
+                  allocationResourceTags:
+                    additionalProperties:
+                      type: string
+                    description: Tags that are required for resources that use CIDRs
+                      from this IPAM pool. Resources that do not have these tags will
+                      not be allowed to allocate space from the pool. If the resources
+                      have their tags changed after they have allocated space or if
+                      the allocation tagging requirements are changed on the pool,
+                      the resource may be marked as noncompliant.
+                    type: object
                   arn:
                     description: Amazon Resource Name (ARN) of IPAM
                     type: string
+                  autoImport:
+                    description: If you include this argument, IPAM automatically
+                      imports any VPCs you have in your scope that fall within the
+                      CIDR range in the pool.
+                    type: boolean
+                  awsService:
+                    description: 'Limits which AWS service the pool can be used in.
+                      Only useable on public scopes. Valid Values: ec2.'
+                    type: string
+                  description:
+                    description: A description for the IPAM pool.
+                    type: string
                   id:
                     description: The ID of the IPAM
                     type: string
+                  ipamScopeId:
+                    description: The ID of the scope in which you would like to create
+                      the IPAM pool.
+                    type: string
                   ipamScopeType:
                     type: string
+                  locale:
+                    description: 'The locale in which you would like to create the
+                      IPAM pool. Locale is the Region where you want to make an IPAM
+                      pool available for allocations. You can only create pools with
+                      locales that match the operating Regions of the IPAM. You can
+                      only create VPCs from a pool whose locale matches the VPC''s
+                      Region. Possible values: Any AWS region, such as us-east-1.'
+                    type: string
                   poolDepth:
                     type: number
+                  publicIpSource:
+                    description: The IP address source for pools in the public scope.
+                      Only used for provisioning IP address CIDRs to pools in the
+                      public scope. Valid values are byoip or amazon. Default is byoip.
+                    type: string
+                  publiclyAdvertisable:
+                    description: Defines whether or not IPv6 pool space is publicly
+                      advertisable over the internet. This argument is required if
+                      address_family = "ipv6" and public_ip_source = "byoip", default
+                      is false. This option is not available for IPv4 pool space or
+                      if public_ip_source = "amazon".
+                    type: boolean
+                  sourceIpamPoolId:
+                    description: The ID of the source IPAM pool. Use this argument
+                      to create a child pool within an existing pool.
+                    type: string
                   state:
                     description: The ID of the IPAM
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_vpcipams.yaml b/package/crds/ec2.aws.upbound.io_vpcipams.yaml
index 47283a492d..191df523ef 100644
--- a/package/crds/ec2.aws.upbound.io_vpcipams.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcipams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -100,9 +104,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - operatingRegions
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -274,6 +292,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: operatingRegions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.operatingRegions)
           status:
             description: VPCIpamStatus defines the observed state of VPCIpam.
             properties:
@@ -282,15 +303,39 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of IPAM
                     type: string
+                  cascade:
+                    description: Enables you to quickly delete an IPAM, private scopes,
+                      pools in private scopes, and any allocations in the pools in
+                      private scopes.
+                    type: boolean
                   defaultResourceDiscoveryAssociationId:
                     description: The ID of the IPAM
                     type: string
                   defaultResourceDiscoveryId:
                     description: The ID of the IPAM
                     type: string
+                  description:
+                    description: A description for the IPAM.
+                    type: string
                   id:
                     description: The ID of the IPAM
                     type: string
+                  operatingRegions:
+                    description: Determines which locales can be chosen when you create
+                      pools. Locale is the Region where you want to make an IPAM pool
+                      available for allocations. You can only create pools with locales
+                      that match the operating Regions of the IPAM. You can only create
+                      VPCs from a pool whose locale matches the VPC's Region. You
+                      specify a region using the region_name parameter. You must set
+                      your provider block region as an operating_region.
+                    items:
+                      properties:
+                        regionName:
+                          description: The name of the Region you want to add to the
+                            IPAM.
+                          type: string
+                      type: object
+                    type: array
                   privateDefaultScopeId:
                     description: 'The ID of the IPAM''s private scope. A scope is
                       a top-level container in IPAM. Each scope represents an IP-independent
@@ -312,6 +357,11 @@ spec:
                   scopeCount:
                     description: The number of scopes in the IPAM.
                     type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_vpcipamscopes.yaml b/package/crds/ec2.aws.upbound.io_vpcipamscopes.yaml
index 351ae4cc57..3673c6b895 100644
--- a/package/crds/ec2.aws.upbound.io_vpcipamscopes.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcipamscopes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,6 +160,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,6 +353,9 @@ spec:
                 properties:
                   arn:
                     type: string
+                  description:
+                    description: A description for the scope you're creating.
+                    type: string
                   id:
                     description: The ID of the IPAM Scope.
                     type: string
@@ -341,6 +363,10 @@ spec:
                     description: The ARN of the IPAM for which you're creating this
                       scope.
                     type: string
+                  ipamId:
+                    description: The ID of the IPAM for which you're creating this
+                      scope.
+                    type: string
                   ipamScopeType:
                     type: string
                   isDefault:
@@ -349,6 +375,11 @@ spec:
                   poolCount:
                     description: Count of pools under this scope
                     type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_vpcipv4cidrblockassociations.yaml b/package/crds/ec2.aws.upbound.io_vpcipv4cidrblockassociations.yaml
index 6c0c5cc566..a212f1965c 100644
--- a/package/crds/ec2.aws.upbound.io_vpcipv4cidrblockassociations.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcipv4cidrblockassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -164,6 +168,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,9 +360,28 @@ spec:
             properties:
               atProvider:
                 properties:
+                  cidrBlock:
+                    description: The IPv4 CIDR block for the VPC. CIDR can be explicitly
+                      set or it can be derived from IPAM using ipv4_netmask_length.
+                    type: string
                   id:
                     description: The ID of the VPC CIDR association
                     type: string
+                  ipv4IpamPoolId:
+                    description: The ID of an IPv4 IPAM pool you want to use for allocating
+                      this VPC's CIDR. IPAM is a VPC feature that you can use to automate
+                      your IP address management workflows including assigning, tracking,
+                      troubleshooting, and auditing IP addresses across AWS Regions
+                      and accounts. Using IPAM you can monitor IP address usage throughout
+                      your AWS Organization.
+                    type: string
+                  ipv4NetmaskLength:
+                    description: The netmask length of the IPv4 CIDR you want to allocate
+                      to this VPC. Requires specifying a ipv4_ipam_pool_id.
+                    type: number
+                  vpcId:
+                    description: The ID of the VPC to make the association with.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionaccepters.yaml b/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionaccepters.yaml
index 39b52b437e..dc6ca99544 100644
--- a/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionaccepters.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionaccepters.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -205,6 +209,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -385,6 +404,33 @@ spec:
                   acceptStatus:
                     description: The status of the VPC Peering Connection request.
                     type: string
+                  accepter:
+                    description: A configuration block that describes [VPC Peering
+                      Connection] (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)
+                      options set for the accepter VPC.
+                    items:
+                      properties:
+                        allowClassicLinkToRemoteVpc:
+                          description: Indicates whether a local ClassicLink connection
+                            can communicate with the peer VPC over the VPC Peering
+                            Connection.
+                          type: boolean
+                        allowRemoteVpcDnsResolution:
+                          description: Indicates whether a local VPC can resolve public
+                            DNS hostnames to private IP addresses when queried from
+                            instances in a peer VPC.
+                          type: boolean
+                        allowVpcToRemoteClassicLink:
+                          description: Indicates whether a local VPC can communicate
+                            with a ClassicLink connection in the peer VPC over the
+                            VPC Peering Connection.
+                          type: boolean
+                      type: object
+                    type: array
+                  autoAccept:
+                    description: Whether or not to accept the peering request. Defaults
+                      to false.
+                    type: boolean
                   id:
                     description: The ID of the VPC Peering Connection.
                     type: string
@@ -398,6 +444,34 @@ spec:
                   peerVpcId:
                     description: The ID of the requester VPC.
                     type: string
+                  requester:
+                    description: A configuration block that describes [VPC Peering
+                      Connection] (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)
+                      options set for the requester VPC.
+                    items:
+                      properties:
+                        allowClassicLinkToRemoteVpc:
+                          description: Indicates whether a local ClassicLink connection
+                            can communicate with the peer VPC over the VPC Peering
+                            Connection.
+                          type: boolean
+                        allowRemoteVpcDnsResolution:
+                          description: Indicates whether a local VPC can resolve public
+                            DNS hostnames to private IP addresses when queried from
+                            instances in a peer VPC.
+                          type: boolean
+                        allowVpcToRemoteClassicLink:
+                          description: Indicates whether a local VPC can communicate
+                            with a ClassicLink connection in the peer VPC over the
+                            VPC Peering Connection.
+                          type: boolean
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -408,6 +482,9 @@ spec:
                   vpcId:
                     description: The ID of the accepter VPC.
                     type: string
+                  vpcPeeringConnectionId:
+                    description: The VPC Peering Connection ID to manage.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionoptions.yaml b/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionoptions.yaml
index 682e050f78..ae4aac98b2 100644
--- a/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionoptions.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcpeeringconnectionoptions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -206,6 +210,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -383,9 +402,68 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accepter:
+                    description: An optional configuration block that allows for [VPC
+                      Peering Connection] (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)
+                      options to be set for the VPC that accepts the peering connection
+                      (a maximum of one).
+                    items:
+                      properties:
+                        allowClassicLinkToRemoteVpc:
+                          description: Allow a local linked EC2-Classic instance to
+                            communicate with instances in a peer VPC. This enables
+                            an outbound communication from the local ClassicLink connection
+                            to the remote VPC. This option is not supported for inter-region
+                            VPC peering.
+                          type: boolean
+                        allowRemoteVpcDnsResolution:
+                          description: Allow a local VPC to resolve public DNS hostnames
+                            to private IP addresses when queried from instances in
+                            the peer VPC.
+                          type: boolean
+                        allowVpcToRemoteClassicLink:
+                          description: Allow a local VPC to communicate with a linked
+                            EC2-Classic instance in a peer VPC. This enables an outbound
+                            communication from the local VPC to the remote ClassicLink
+                            connection. This option is not supported for inter-region
+                            VPC peering.
+                          type: boolean
+                      type: object
+                    type: array
                   id:
                     description: The ID of the VPC Peering Connection Options.
                     type: string
+                  requester:
+                    description: A optional configuration block that allows for [VPC
+                      Peering Connection] (https://docs.aws.amazon.com/vpc/latest/peering/what-is-vpc-peering.html)
+                      options to be set for the VPC that requests the peering connection
+                      (a maximum of one).
+                    items:
+                      properties:
+                        allowClassicLinkToRemoteVpc:
+                          description: Allow a local linked EC2-Classic instance to
+                            communicate with instances in a peer VPC. This enables
+                            an outbound communication from the local ClassicLink connection
+                            to the remote VPC. This option is not supported for inter-region
+                            VPC peering.
+                          type: boolean
+                        allowRemoteVpcDnsResolution:
+                          description: Allow a local VPC to resolve public DNS hostnames
+                            to private IP addresses when queried from instances in
+                            the peer VPC.
+                          type: boolean
+                        allowVpcToRemoteClassicLink:
+                          description: Allow a local VPC to communicate with a linked
+                            EC2-Classic instance in a peer VPC. This enables an outbound
+                            communication from the local VPC to the remote ClassicLink
+                            connection. This option is not supported for inter-region
+                            VPC peering.
+                          type: boolean
+                      type: object
+                    type: array
+                  vpcPeeringConnectionId:
+                    description: The ID of the requester VPC peering connection.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcpeeringconnections.yaml b/package/crds/ec2.aws.upbound.io_vpcpeeringconnections.yaml
index 4336480733..ab4163fdcf 100644
--- a/package/crds/ec2.aws.upbound.io_vpcpeeringconnections.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcpeeringconnections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -243,6 +247,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -448,9 +467,27 @@ spec:
                           type: boolean
                       type: object
                     type: array
+                  autoAccept:
+                    description: Accept the peering (both VPCs need to be in the same
+                      AWS account and region).
+                    type: boolean
                   id:
                     description: The ID of the VPC Peering Connection.
                     type: string
+                  peerOwnerId:
+                    description: The AWS account ID of the owner of the peer VPC.
+                      Defaults to the account ID the AWS provider is currently connected
+                      to.
+                    type: string
+                  peerRegion:
+                    description: The region of the accepter VPC of the VPC Peering
+                      Connection. auto_accept must be false, and use the aws_vpc_peering_connection_accepter
+                      to manage the accepter side.
+                    type: string
+                  peerVpcId:
+                    description: The ID of the VPC with which you are creating the
+                      VPC Peering Connection.
+                    type: string
                   requester:
                     description: A optional configuration block that allows for VPC
                       Peering Connection options to be set for the VPC that requests
@@ -476,6 +513,11 @@ spec:
                           type: boolean
                       type: object
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -483,6 +525,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The ID of the requester VPC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpcs.yaml b/package/crds/ec2.aws.upbound.io_vpcs.yaml
index b24cbb42e8..d4e2164f94 100644
--- a/package/crds/ec2.aws.upbound.io_vpcs.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpcs.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -223,6 +227,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,6 +421,16 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of VPC
                     type: string
+                  assignGeneratedIpv6CidrBlock:
+                    description: Requests an Amazon-provided IPv6 CIDR block with
+                      a /56 prefix length for the VPC. You cannot specify the range
+                      of IP addresses, or the size of the CIDR block. Default is false.
+                      Conflicts with ipv6_ipam_pool_id
+                    type: boolean
+                  cidrBlock:
+                    description: The IPv4 CIDR block for the VPC. CIDR can be explicitly
+                      set or it can be derived from IPAM using ipv4_netmask_length.
+                    type: string
                   defaultNetworkAclId:
                     description: The ID of the network ACL created by default on VPC
                       creation
@@ -417,12 +446,77 @@ spec:
                   dhcpOptionsId:
                     description: The ID of the VPC
                     type: string
+                  enableClassiclink:
+                    description: A boolean flag to enable/disable ClassicLink for
+                      the VPC. Only valid in regions and accounts that support EC2
+                      Classic. See the ClassicLink documentation for more information.
+                      Defaults false.
+                    type: boolean
+                  enableClassiclinkDnsSupport:
+                    description: A boolean flag to enable/disable ClassicLink DNS
+                      Support for the VPC. Only valid in regions and accounts that
+                      support EC2 Classic.
+                    type: boolean
+                  enableDnsHostnames:
+                    description: A boolean flag to enable/disable DNS hostnames in
+                      the VPC. Defaults false.
+                    type: boolean
+                  enableDnsSupport:
+                    description: A boolean flag to enable/disable DNS support in the
+                      VPC. Defaults to true.
+                    type: boolean
+                  enableNetworkAddressUsageMetrics:
+                    description: Indicates whether Network Address Usage metrics are
+                      enabled for your VPC. Defaults to false.
+                    type: boolean
                   id:
                     description: The ID of the VPC
                     type: string
+                  instanceTenancy:
+                    description: A tenancy option for instances launched into the
+                      VPC. Default is default, which ensures that EC2 instances launched
+                      in this VPC use the EC2 instance tenancy attribute specified
+                      when the EC2 instance is launched. The only other option is
+                      dedicated, which ensures that EC2 instances launched in this
+                      VPC are run on dedicated tenancy instances regardless of the
+                      tenancy attribute specified at launch. This has a dedicated
+                      per region fee of $2 per hour, plus an hourly per instance usage
+                      fee.
+                    type: string
+                  ipv4IpamPoolId:
+                    description: The ID of an IPv4 IPAM pool you want to use for allocating
+                      this VPC's CIDR. IPAM is a VPC feature that you can use to automate
+                      your IP address management workflows including assigning, tracking,
+                      troubleshooting, and auditing IP addresses across AWS Regions
+                      and accounts. Using IPAM you can monitor IP address usage throughout
+                      your AWS Organization.
+                    type: string
+                  ipv4NetmaskLength:
+                    description: The netmask length of the IPv4 CIDR you want to allocate
+                      to this VPC. Requires specifying a ipv4_ipam_pool_id.
+                    type: number
                   ipv6AssociationId:
                     description: The association ID for the IPv6 CIDR block.
                     type: string
+                  ipv6CidrBlock:
+                    description: IPv6 CIDR block to request from an IPAM Pool. Can
+                      be set explicitly or derived from IPAM using ipv6_netmask_length.
+                    type: string
+                  ipv6CidrBlockNetworkBorderGroup:
+                    description: By default when an IPv6 CIDR is assigned to a VPC
+                      a default ipv6_cidr_block_network_border_group will be set to
+                      the region of the VPC. This can be changed to restrict advertisement
+                      of public addresses to specific Network Border Groups such as
+                      LocalZones.
+                    type: string
+                  ipv6IpamPoolId:
+                    description: IPAM Pool ID for a IPv6 pool. Conflicts with assign_generated_ipv6_cidr_block.
+                    type: string
+                  ipv6NetmaskLength:
+                    description: 'Netmask length to request from IPAM Pool. Conflicts
+                      with ipv6_cidr_block. This can be omitted if IPAM pool as a
+                      allocation_default_netmask_length set. Valid values: 56.'
+                    type: number
                   mainRouteTableId:
                     description: The ID of the main route table associated with this
                       VPC. Note that you can change a VPC's main route table by using
@@ -431,6 +525,11 @@ spec:
                   ownerId:
                     description: The ID of the AWS account that owns the VPC.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ec2.aws.upbound.io_vpnconnectionroutes.yaml b/package/crds/ec2.aws.upbound.io_vpnconnectionroutes.yaml
index 66ed8b6fe6..1ee9999d01 100644
--- a/package/crds/ec2.aws.upbound.io_vpnconnectionroutes.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpnconnectionroutes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,9 +153,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - destinationCidrBlock
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,13 +341,23 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destinationCidrBlock is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationCidrBlock)
           status:
             description: VPNConnectionRouteStatus defines the observed state of VPNConnectionRoute.
             properties:
               atProvider:
                 properties:
+                  destinationCidrBlock:
+                    description: The CIDR block associated with the local subnet of
+                      the customer network.
+                    type: string
                   id:
                     type: string
+                  vpnConnectionId:
+                    description: The ID of the VPN connection.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpnconnections.yaml b/package/crds/ec2.aws.upbound.io_vpnconnections.yaml
index acc332987e..c07d41bb42 100644
--- a/package/crds/ec2.aws.upbound.io_vpnconnections.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpnconnections.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -730,6 +734,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -915,9 +934,35 @@ spec:
                   coreNetworkAttachmentArn:
                     description: The ARN of the core network attachment.
                     type: string
+                  customerGatewayId:
+                    description: The ID of the customer gateway.
+                    type: string
+                  enableAcceleration:
+                    description: Indicate whether to enable acceleration for the VPN
+                      connection. Supports only EC2 Transit Gateway.
+                    type: boolean
                   id:
                     description: The amazon-assigned ID of the VPN connection.
                     type: string
+                  localIpv4NetworkCidr:
+                    description: The IPv4 CIDR on the customer gateway (on-premises)
+                      side of the VPN connection.
+                    type: string
+                  localIpv6NetworkCidr:
+                    description: The IPv6 CIDR on the customer gateway (on-premises)
+                      side of the VPN connection.
+                    type: string
+                  outsideIpAddressType:
+                    description: Indicates if a Public S2S VPN or Private S2S VPN
+                      over AWS Direct Connect. Valid values are PublicIpv4 | PrivateIpv4
+                    type: string
+                  remoteIpv4NetworkCidr:
+                    description: The IPv4 CIDR on the AWS side of the VPN connection.
+                    type: string
+                  remoteIpv6NetworkCidr:
+                    description: The IPv6 CIDR on the customer gateway (on-premises)
+                      side of the VPN connection.
+                    type: string
                   routes:
                     description: The static routes associated with the VPN connection.
                       Detailed below.
@@ -935,6 +980,15 @@ spec:
                           type: string
                       type: object
                     type: array
+                  staticRoutesOnly:
+                    description: Whether the VPN connection uses static routes exclusively.
+                      Static routes must be used for devices that don't support BGP.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -947,6 +1001,14 @@ spec:
                       argument), the attachment ID. See also the aws_ec2_tag resource
                       for tagging the EC2 Transit Gateway VPN Attachment.
                     type: string
+                  transitGatewayId:
+                    description: The ID of the EC2 Transit Gateway.
+                    type: string
+                  transportTransitGatewayAttachmentId:
+                    description: . The attachment ID of the Transit Gateway attachment
+                      to Direct Connect Gateway. The ID is obtained through a data
+                      source only.
+                    type: string
                   tunnel1Address:
                     description: The public IP address of the first VPN tunnel.
                     type: string
@@ -960,6 +1022,138 @@ spec:
                     description: The RFC 6890 link-local address of the first VPN
                       tunnel (Customer Gateway Side).
                     type: string
+                  tunnel1DpdTimeoutAction:
+                    description: The action to take after DPD timeout occurs for the
+                      first VPN tunnel. Specify restart to restart the IKE initiation.
+                      Specify clear to end the IKE session. Valid values are clear
+                      | none | restart.
+                    type: string
+                  tunnel1DpdTimeoutSeconds:
+                    description: The number of seconds after which a DPD timeout occurs
+                      for the first VPN tunnel. Valid value is equal or higher than
+                      30.
+                    type: number
+                  tunnel1IkeVersions:
+                    description: The IKE versions that are permitted for the first
+                      VPN tunnel. Valid values are ikev1 | ikev2.
+                    items:
+                      type: string
+                    type: array
+                  tunnel1InsideCidr:
+                    description: The CIDR block of the inside IP addresses for the
+                      first VPN tunnel. Valid value is a size /30 CIDR block from
+                      the 169.254.0.0/16 range.
+                    type: string
+                  tunnel1InsideIpv6Cidr:
+                    description: The range of inside IPv6 addresses for the first
+                      VPN tunnel. Supports only EC2 Transit Gateway. Valid value is
+                      a size /126 CIDR block from the local fd00::/8 range.
+                    type: string
+                  tunnel1LogOptions:
+                    description: Options for logging VPN tunnel activity. See Log
+                      Options below for more details.
+                    items:
+                      properties:
+                        cloudwatchLogOptions:
+                          description: Options for sending VPN tunnel logs to CloudWatch.
+                            See CloudWatch Log Options below for more details.
+                          items:
+                            properties:
+                              logEnabled:
+                                description: Enable or disable VPN tunnel logging
+                                  feature. The default is false.
+                                type: boolean
+                              logGroupArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  CloudWatch log group to send logs to.
+                                type: string
+                              logOutputFormat:
+                                description: 'Set log format. Default format is json.
+                                  Possible values are: json and text. The default
+                                  is json.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tunnel1Phase1DhGroupNumbers:
+                    description: List of one or more Diffie-Hellman group numbers
+                      that are permitted for the first VPN tunnel for phase 1 IKE
+                      negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 |
+                      19 | 20 | 21 | 22 | 23 | 24.
+                    items:
+                      type: number
+                    type: array
+                  tunnel1Phase1EncryptionAlgorithms:
+                    description: List of one or more encryption algorithms that are
+                      permitted for the first VPN tunnel for phase 1 IKE negotiations.
+                      Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+                    items:
+                      type: string
+                    type: array
+                  tunnel1Phase1IntegrityAlgorithms:
+                    description: One or more integrity algorithms that are permitted
+                      for the first VPN tunnel for phase 1 IKE negotiations. Valid
+                      values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+                    items:
+                      type: string
+                    type: array
+                  tunnel1Phase1LifetimeSeconds:
+                    description: The lifetime for phase 1 of the IKE negotiation for
+                      the first VPN tunnel, in seconds. Valid value is between 900
+                      and 28800.
+                    type: number
+                  tunnel1Phase2DhGroupNumbers:
+                    description: List of one or more Diffie-Hellman group numbers
+                      that are permitted for the first VPN tunnel for phase 2 IKE
+                      negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18
+                      | 19 | 20 | 21 | 22 | 23 | 24.
+                    items:
+                      type: number
+                    type: array
+                  tunnel1Phase2EncryptionAlgorithms:
+                    description: List of one or more encryption algorithms that are
+                      permitted for the first VPN tunnel for phase 2 IKE negotiations.
+                      Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+                    items:
+                      type: string
+                    type: array
+                  tunnel1Phase2IntegrityAlgorithms:
+                    description: List of one or more integrity algorithms that are
+                      permitted for the first VPN tunnel for phase 2 IKE negotiations.
+                      Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+                    items:
+                      type: string
+                    type: array
+                  tunnel1Phase2LifetimeSeconds:
+                    description: The lifetime for phase 2 of the IKE negotiation for
+                      the first VPN tunnel, in seconds. Valid value is between 900
+                      and 3600.
+                    type: number
+                  tunnel1RekeyFuzzPercentage:
+                    description: The percentage of the rekey window for the first
+                      VPN tunnel (determined by tunnel1_rekey_margin_time_seconds)
+                      during which the rekey time is randomly selected. Valid value
+                      is between 0 and 100.
+                    type: number
+                  tunnel1RekeyMarginTimeSeconds:
+                    description: The margin time, in seconds, before the phase 2 lifetime
+                      expires, during which the AWS side of the first VPN connection
+                      performs an IKE rekey. The exact time of the rekey is randomly
+                      selected based on the value for tunnel1_rekey_fuzz_percentage.
+                      Valid value is between 60 and half of tunnel1_phase2_lifetime_seconds.
+                    type: number
+                  tunnel1ReplayWindowSize:
+                    description: The number of packets in an IKE replay window for
+                      the first VPN tunnel. Valid value is between 64 and 2048.
+                    type: number
+                  tunnel1StartupAction:
+                    description: The action to take when the establishing the tunnel
+                      for the first VPN connection. By default, your customer gateway
+                      device must initiate the IKE negotiation and bring up the tunnel.
+                      Specify start for AWS to initiate the IKE negotiation. Valid
+                      values are add | start.
+                    type: string
                   tunnel1VgwInsideAddress:
                     description: The RFC 6890 link-local address of the first VPN
                       tunnel (VPN Gateway Side).
@@ -977,10 +1171,151 @@ spec:
                     description: The RFC 6890 link-local address of the second VPN
                       tunnel (Customer Gateway Side).
                     type: string
+                  tunnel2DpdTimeoutAction:
+                    description: The action to take after DPD timeout occurs for the
+                      second VPN tunnel. Specify restart to restart the IKE initiation.
+                      Specify clear to end the IKE session. Valid values are clear
+                      | none | restart.
+                    type: string
+                  tunnel2DpdTimeoutSeconds:
+                    description: The number of seconds after which a DPD timeout occurs
+                      for the second VPN tunnel. Valid value is equal or higher than
+                      30.
+                    type: number
+                  tunnel2IkeVersions:
+                    description: The IKE versions that are permitted for the second
+                      VPN tunnel. Valid values are ikev1 | ikev2.
+                    items:
+                      type: string
+                    type: array
+                  tunnel2InsideCidr:
+                    description: The CIDR block of the inside IP addresses for the
+                      second VPN tunnel. Valid value is a size /30 CIDR block from
+                      the 169.254.0.0/16 range.
+                    type: string
+                  tunnel2InsideIpv6Cidr:
+                    description: The range of inside IPv6 addresses for the second
+                      VPN tunnel. Supports only EC2 Transit Gateway. Valid value is
+                      a size /126 CIDR block from the local fd00::/8 range.
+                    type: string
+                  tunnel2LogOptions:
+                    description: Options for logging VPN tunnel activity. See Log
+                      Options below for more details.
+                    items:
+                      properties:
+                        cloudwatchLogOptions:
+                          description: Options for sending VPN tunnel logs to CloudWatch.
+                            See CloudWatch Log Options below for more details.
+                          items:
+                            properties:
+                              logEnabled:
+                                description: Enable or disable VPN tunnel logging
+                                  feature. The default is false.
+                                type: boolean
+                              logGroupArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  CloudWatch log group to send logs to.
+                                type: string
+                              logOutputFormat:
+                                description: 'Set log format. Default format is json.
+                                  Possible values are: json and text. The default
+                                  is json.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tunnel2Phase1DhGroupNumbers:
+                    description: List of one or more Diffie-Hellman group numbers
+                      that are permitted for the second VPN tunnel for phase 1 IKE
+                      negotiations. Valid values are  2 | 14 | 15 | 16 | 17 | 18 |
+                      19 | 20 | 21 | 22 | 23 | 24.
+                    items:
+                      type: number
+                    type: array
+                  tunnel2Phase1EncryptionAlgorithms:
+                    description: List of one or more encryption algorithms that are
+                      permitted for the second VPN tunnel for phase 1 IKE negotiations.
+                      Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+                    items:
+                      type: string
+                    type: array
+                  tunnel2Phase1IntegrityAlgorithms:
+                    description: One or more integrity algorithms that are permitted
+                      for the second VPN tunnel for phase 1 IKE negotiations. Valid
+                      values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+                    items:
+                      type: string
+                    type: array
+                  tunnel2Phase1LifetimeSeconds:
+                    description: The lifetime for phase 1 of the IKE negotiation for
+                      the second VPN tunnel, in seconds. Valid value is between 900
+                      and 28800.
+                    type: number
+                  tunnel2Phase2DhGroupNumbers:
+                    description: List of one or more Diffie-Hellman group numbers
+                      that are permitted for the second VPN tunnel for phase 2 IKE
+                      negotiations. Valid values are 2 | 5 | 14 | 15 | 16 | 17 | 18
+                      | 19 | 20 | 21 | 22 | 23 | 24.
+                    items:
+                      type: number
+                    type: array
+                  tunnel2Phase2EncryptionAlgorithms:
+                    description: List of one or more encryption algorithms that are
+                      permitted for the second VPN tunnel for phase 2 IKE negotiations.
+                      Valid values are AES128 | AES256 | AES128-GCM-16 | AES256-GCM-16.
+                    items:
+                      type: string
+                    type: array
+                  tunnel2Phase2IntegrityAlgorithms:
+                    description: List of one or more integrity algorithms that are
+                      permitted for the second VPN tunnel for phase 2 IKE negotiations.
+                      Valid values are SHA1 | SHA2-256 | SHA2-384 | SHA2-512.
+                    items:
+                      type: string
+                    type: array
+                  tunnel2Phase2LifetimeSeconds:
+                    description: The lifetime for phase 2 of the IKE negotiation for
+                      the second VPN tunnel, in seconds. Valid value is between 900
+                      and 3600.
+                    type: number
+                  tunnel2RekeyFuzzPercentage:
+                    description: The percentage of the rekey window for the second
+                      VPN tunnel (determined by tunnel2_rekey_margin_time_seconds)
+                      during which the rekey time is randomly selected. Valid value
+                      is between 0 and 100.
+                    type: number
+                  tunnel2RekeyMarginTimeSeconds:
+                    description: The margin time, in seconds, before the phase 2 lifetime
+                      expires, during which the AWS side of the second VPN connection
+                      performs an IKE rekey. The exact time of the rekey is randomly
+                      selected based on the value for tunnel2_rekey_fuzz_percentage.
+                      Valid value is between 60 and half of tunnel2_phase2_lifetime_seconds.
+                    type: number
+                  tunnel2ReplayWindowSize:
+                    description: The number of packets in an IKE replay window for
+                      the second VPN tunnel. Valid value is between 64 and 2048.
+                    type: number
+                  tunnel2StartupAction:
+                    description: The action to take when the establishing the tunnel
+                      for the second VPN connection. By default, your customer gateway
+                      device must initiate the IKE negotiation and bring up the tunnel.
+                      Specify start for AWS to initiate the IKE negotiation. Valid
+                      values are add | start.
+                    type: string
                   tunnel2VgwInsideAddress:
                     description: The RFC 6890 link-local address of the second VPN
                       tunnel (VPN Gateway Side).
                     type: string
+                  tunnelInsideIpVersion:
+                    description: Indicate whether the VPN tunnels process IPv4 or
+                      IPv6 traffic. Valid values are ipv4 | ipv6. ipv6 Supports only
+                      EC2 Transit Gateway.
+                    type: string
+                  type:
+                    description: The type of VPN connection. The only type AWS supports
+                      at this time is "ipsec.1".
+                    type: string
                   vgwTelemetry:
                     description: Telemetry for the VPN tunnels. Detailed below.
                     items:
@@ -1007,6 +1342,9 @@ spec:
                           type: string
                       type: object
                     type: array
+                  vpnGatewayId:
+                    description: The ID of the Virtual Private Gateway.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpngatewayattachments.yaml b/package/crds/ec2.aws.upbound.io_vpngatewayattachments.yaml
index 6f9be31a2b..65789a2f96 100644
--- a/package/crds/ec2.aws.upbound.io_vpngatewayattachments.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpngatewayattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -223,6 +227,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,6 +421,12 @@ spec:
                 properties:
                   id:
                     type: string
+                  vpcId:
+                    description: The ID of the VPC.
+                    type: string
+                  vpnGatewayId:
+                    description: The ID of the Virtual Private Gateway.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpngatewayroutepropagations.yaml b/package/crds/ec2.aws.upbound.io_vpngatewayroutepropagations.yaml
index f550e999fc..ed2cbe1980 100644
--- a/package/crds/ec2.aws.upbound.io_vpngatewayroutepropagations.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpngatewayroutepropagations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -227,6 +231,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -406,6 +425,14 @@ spec:
                 properties:
                   id:
                     type: string
+                  routeTableId:
+                    description: The id of the aws_route_table to propagate routes
+                      into.
+                    type: string
+                  vpnGatewayId:
+                    description: The id of the aws_vpn_gateway to propagate routes
+                      from.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ec2.aws.upbound.io_vpngateways.yaml b/package/crds/ec2.aws.upbound.io_vpngateways.yaml
index 06f6469bac..4e3ff3e421 100644
--- a/package/crds/ec2.aws.upbound.io_vpngateways.yaml
+++ b/package/crds/ec2.aws.upbound.io_vpngateways.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -160,6 +164,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -336,12 +355,25 @@ spec:
             properties:
               atProvider:
                 properties:
+                  amazonSideAsn:
+                    description: The Autonomous System Number (ASN) for the Amazon
+                      side of the gateway. If you don't specify an ASN, the virtual
+                      private gateway is created with the default ASN.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of the VPN Gateway.
                     type: string
+                  availabilityZone:
+                    description: The Availability Zone for the virtual private gateway.
+                    type: string
                   id:
                     description: The ID of the VPN Gateway.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -349,6 +381,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcId:
+                    description: The VPC ID to create in.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecr.aws.upbound.io_lifecyclepolicies.yaml b/package/crds/ecr.aws.upbound.io_lifecyclepolicies.yaml
index 3936374793..327a68e7be 100644
--- a/package/crds/ecr.aws.upbound.io_lifecyclepolicies.yaml
+++ b/package/crds/ecr.aws.upbound.io_lifecyclepolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,6 +342,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: LifecyclePolicyStatus defines the observed state of LifecyclePolicy.
             properties:
@@ -331,9 +352,17 @@ spec:
                 properties:
                   id:
                     type: string
+                  policy:
+                    description: The policy document. This is a JSON formatted string.
+                      See more details about Policy Parameters in the official AWS
+                      docs.
+                    type: string
                   registryId:
                     description: The registry ID where the repository was created.
                     type: string
+                  repository:
+                    description: Name of the repository to apply the policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecr.aws.upbound.io_pullthroughcacherules.yaml b/package/crds/ecr.aws.upbound.io_pullthroughcacherules.yaml
index a7b10d1ff1..40f5d01de3 100644
--- a/package/crds/ecr.aws.upbound.io_pullthroughcacherules.yaml
+++ b/package/crds/ecr.aws.upbound.io_pullthroughcacherules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -77,10 +81,23 @@ spec:
                       to use as the source.
                     type: string
                 required:
-                - ecrRepositoryPrefix
                 - region
-                - upstreamRegistryUrl
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,17 +269,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: ecrRepositoryPrefix is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ecrRepositoryPrefix)
+            - message: upstreamRegistryUrl is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.upstreamRegistryUrl)
           status:
             description: PullThroughCacheRuleStatus defines the observed state of
               PullThroughCacheRule.
             properties:
               atProvider:
                 properties:
+                  ecrRepositoryPrefix:
+                    description: The repository name prefix to use when caching images
+                      from the source registry.
+                    type: string
                   id:
                     type: string
                   registryId:
                     description: The registry ID where the repository was created.
                     type: string
+                  upstreamRegistryUrl:
+                    description: The registry URL of the upstream public registry
+                      to use as the source.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecr.aws.upbound.io_registrypolicies.yaml b/package/crds/ecr.aws.upbound.io_registrypolicies.yaml
index 9737ba7d10..cf4e024973 100644
--- a/package/crds/ecr.aws.upbound.io_registrypolicies.yaml
+++ b/package/crds/ecr.aws.upbound.io_registrypolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: RegistryPolicyStatus defines the observed state of RegistryPolicy.
             properties:
@@ -253,6 +274,9 @@ spec:
                 properties:
                   id:
                     type: string
+                  policy:
+                    description: The policy document. This is a JSON formatted string
+                    type: string
                   registryId:
                     description: The registry ID where the registry was created.
                     type: string
diff --git a/package/crds/ecr.aws.upbound.io_registryscanningconfigurations.yaml b/package/crds/ecr.aws.upbound.io_registryscanningconfigurations.yaml
index bdf3951547..14a777f264 100644
--- a/package/crds/ecr.aws.upbound.io_registryscanningconfigurations.yaml
+++ b/package/crds/ecr.aws.upbound.io_registryscanningconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -105,8 +109,22 @@ spec:
                     type: string
                 required:
                 - region
-                - scanType
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -278,6 +296,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: scanType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scanType)
           status:
             description: RegistryScanningConfigurationStatus defines the observed
               state of RegistryScanningConfiguration.
@@ -290,6 +311,34 @@ spec:
                     description: The registry ID the scanning configuration applies
                       to.
                     type: string
+                  rule:
+                    description: One or multiple blocks specifying scanning rules
+                      to determine which repository filters are used and at what frequency
+                      scanning will occur. See below for schema.
+                    items:
+                      properties:
+                        repositoryFilter:
+                          description: One or more repository filter blocks, containing
+                            a filter  and a filter_type .
+                          items:
+                            properties:
+                              filter:
+                                type: string
+                              filterType:
+                                type: string
+                            type: object
+                          type: array
+                        scanFrequency:
+                          description: The frequency that scans are performed at for
+                            a private registry. Can be SCAN_ON_PUSH, CONTINUOUS_SCAN,
+                            or MANUAL.
+                          type: string
+                      type: object
+                    type: array
+                  scanType:
+                    description: the scanning type to set for the registry. Can be
+                      either ENHANCED or BASIC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecr.aws.upbound.io_replicationconfigurations.yaml b/package/crds/ecr.aws.upbound.io_replicationconfigurations.yaml
index 6347ee795b..3afccff5ef 100644
--- a/package/crds/ecr.aws.upbound.io_replicationconfigurations.yaml
+++ b/package/crds/ecr.aws.upbound.io_replicationconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -127,6 +131,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -310,6 +329,51 @@ spec:
                     description: The account ID of the destination registry to replicate
                       to.
                     type: string
+                  replicationConfiguration:
+                    description: Replication configuration for a registry. See Replication
+                      Configuration.
+                    items:
+                      properties:
+                        rule:
+                          description: The replication rules for a replication configuration.
+                            A maximum of 10 are allowed per replication_configuration.
+                            See Rule
+                          items:
+                            properties:
+                              destination:
+                                description: the details of a replication destination.
+                                  A maximum of 25 are allowed per rule. See Destination.
+                                items:
+                                  properties:
+                                    region:
+                                      description: A Region to replicate to.
+                                      type: string
+                                    registryId:
+                                      description: The account ID of the destination
+                                        registry to replicate to.
+                                      type: string
+                                  type: object
+                                type: array
+                              repositoryFilter:
+                                description: filters for a replication rule. See Repository
+                                  Filter.
+                                items:
+                                  properties:
+                                    filter:
+                                      description: The repository filter details.
+                                      type: string
+                                    filterType:
+                                      description: The repository filter type. The
+                                        only supported value is PREFIX_MATCH, which
+                                        is a repository name prefix specified with
+                                        the filter parameter.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecr.aws.upbound.io_repositories.yaml b/package/crds/ecr.aws.upbound.io_repositories.yaml
index bf64617fc3..2f273d079f 100644
--- a/package/crds/ecr.aws.upbound.io_repositories.yaml
+++ b/package/crds/ecr.aws.upbound.io_repositories.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -191,6 +195,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -370,14 +389,56 @@ spec:
                   arn:
                     description: Full ARN of the repository.
                     type: string
+                  encryptionConfiguration:
+                    description: Encryption configuration for the repository. See
+                      below for schema.
+                    items:
+                      properties:
+                        encryptionType:
+                          description: The encryption type to use for the repository.
+                            Valid values are AES256 or KMS. Defaults to AES256.
+                          type: string
+                        kmsKey:
+                          description: The ARN of the KMS key to use when encryption_type
+                            is KMS. If not specified, uses the default AWS managed
+                            key for ECR.
+                          type: string
+                      type: object
+                    type: array
+                  forceDelete:
+                    description: If true, will delete the repository even if it contains
+                      images. Defaults to false.
+                    type: boolean
                   id:
                     type: string
+                  imageScanningConfiguration:
+                    description: Configuration block that defines image scanning configuration
+                      for the repository. By default, image scanning must be manually
+                      triggered. See the ECR User Guide for more information about
+                      image scanning.
+                    items:
+                      properties:
+                        scanOnPush:
+                          description: Indicates whether images are scanned after
+                            being pushed to the repository (true) or not scanned (false).
+                          type: boolean
+                      type: object
+                    type: array
+                  imageTagMutability:
+                    description: 'The tag mutability setting for the repository. Must
+                      be one of: MUTABLE or IMMUTABLE. Defaults to MUTABLE.'
+                    type: string
                   registryId:
                     description: The registry ID where the repository was created.
                     type: string
                   repositoryUrl:
                     description: The URL of the repository (in the form aws_account_id.dkr.ecr.region.amazonaws.com/repositoryName).
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ecr.aws.upbound.io_repositorypolicies.yaml b/package/crds/ecr.aws.upbound.io_repositorypolicies.yaml
index 8e14c8135f..848fefc8a0 100644
--- a/package/crds/ecr.aws.upbound.io_repositorypolicies.yaml
+++ b/package/crds/ecr.aws.upbound.io_repositorypolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -148,9 +152,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -322,6 +340,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: RepositoryPolicyStatus defines the observed state of RepositoryPolicy.
             properties:
@@ -329,9 +350,15 @@ spec:
                 properties:
                   id:
                     type: string
+                  policy:
+                    description: The policy document. This is a JSON formatted string
+                    type: string
                   registryId:
                     description: The registry ID where the repository was created.
                     type: string
+                  repository:
+                    description: Name of the repository to apply the policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecrpublic.aws.upbound.io_repositories.yaml b/package/crds/ecrpublic.aws.upbound.io_repositories.yaml
index 95f8d5e0ed..4f8e10dd18 100644
--- a/package/crds/ecrpublic.aws.upbound.io_repositories.yaml
+++ b/package/crds/ecrpublic.aws.upbound.io_repositories.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -126,6 +130,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -305,6 +324,56 @@ spec:
                   arn:
                     description: Full ARN of the repository.
                     type: string
+                  catalogData:
+                    description: Catalog data configuration for the repository. See
+                      below for schema.
+                    items:
+                      properties:
+                        aboutText:
+                          description: A detailed description of the contents of the
+                            repository. It is publicly visible in the Amazon ECR Public
+                            Gallery. The text must be in markdown format.
+                          type: string
+                        architectures:
+                          description: 'The system architecture that the images in
+                            the repository are compatible with. On the Amazon ECR
+                            Public Gallery, the following supported architectures
+                            will appear as badges on the repository and are used as
+                            search filters: ARM, ARM 64, x86, x86-64'
+                          items:
+                            type: string
+                          type: array
+                        description:
+                          description: A short description of the contents of the
+                            repository. This text appears in both the image details
+                            and also when searching for repositories on the Amazon
+                            ECR Public Gallery.
+                          type: string
+                        logoImageBlob:
+                          description: The base64-encoded repository logo payload.
+                            (Only visible for verified accounts) Note that drift detection
+                            is disabled for this attribute.
+                          type: string
+                        operatingSystems:
+                          description: 'The operating systems that the images in the
+                            repository are compatible with. On the Amazon ECR Public
+                            Gallery, the following supported operating systems will
+                            appear as badges on the repository and are used as search
+                            filters: Linux, Windows'
+                          items:
+                            type: string
+                          type: array
+                        usageText:
+                          description: Detailed information on how to use the contents
+                            of the repository. It is publicly visible in the Amazon
+                            ECR Public Gallery. The usage text provides context, support
+                            information, and additional usage details for users of
+                            the repository. The text must be in markdown format.
+                          type: string
+                      type: object
+                    type: array
+                  forceDestroy:
+                    type: boolean
                   id:
                     description: The repository name.
                     type: string
@@ -314,6 +383,11 @@ spec:
                   repositoryUri:
                     description: The URI of the repository.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ecrpublic.aws.upbound.io_repositorypolicies.yaml b/package/crds/ecrpublic.aws.upbound.io_repositorypolicies.yaml
index 4986484926..8dd9e4d2c5 100644
--- a/package/crds/ecrpublic.aws.upbound.io_repositorypolicies.yaml
+++ b/package/crds/ecrpublic.aws.upbound.io_repositorypolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,6 +342,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: RepositoryPolicyStatus defines the observed state of RepositoryPolicy.
             properties:
@@ -331,9 +352,15 @@ spec:
                 properties:
                   id:
                     type: string
+                  policy:
+                    description: The policy document. This is a JSON formatted string
+                    type: string
                   registryId:
                     description: The registry ID where the repository was created.
                     type: string
+                  repositoryName:
+                    description: Name of the repository to apply the policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecs.aws.upbound.io_accountsettingdefaults.yaml b/package/crds/ecs.aws.upbound.io_accountsettingdefaults.yaml
index 0f755a03aa..312b284996 100644
--- a/package/crds/ecs.aws.upbound.io_accountsettingdefaults.yaml
+++ b/package/crds/ecs.aws.upbound.io_accountsettingdefaults.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,10 +82,23 @@ spec:
                       disabled.
                     type: string
                 required:
-                - name
                 - region
-                - value
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -253,6 +270,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: value is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)
           status:
             description: AccountSettingDefaultStatus defines the observed state of
               AccountSettingDefault.
@@ -262,8 +284,17 @@ spec:
                   id:
                     description: ARN that identifies the account setting.
                     type: string
+                  name:
+                    description: Name of the account setting to set. Valid values
+                      are serviceLongArnFormat, taskLongArnFormat, containerInstanceLongArnFormat,
+                      awsvpcTrunking and containerInsights.
+                    type: string
                   principalArn:
                     type: string
+                  value:
+                    description: State of the setting. Valid values are enabled and
+                      disabled.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecs.aws.upbound.io_capacityproviders.yaml b/package/crds/ecs.aws.upbound.io_capacityproviders.yaml
index e20f531e75..f4d64dd94b 100644
--- a/package/crds/ecs.aws.upbound.io_capacityproviders.yaml
+++ b/package/crds/ecs.aws.upbound.io_capacityproviders.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -197,9 +201,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - autoScalingGroupProvider
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -371,6 +389,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: autoScalingGroupProvider is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.autoScalingGroupProvider)
           status:
             description: CapacityProviderStatus defines the observed state of CapacityProvider.
             properties:
@@ -379,9 +400,59 @@ spec:
                   arn:
                     description: ARN that identifies the capacity provider.
                     type: string
+                  autoScalingGroupProvider:
+                    description: Configuration block for the provider for the ECS
+                      auto scaling group. Detailed below.
+                    items:
+                      properties:
+                        autoScalingGroupArn:
+                          description: '- ARN of the associated auto scaling group.'
+                          type: string
+                        managedScaling:
+                          description: '- Configuration block defining the parameters
+                            of the auto scaling. Detailed below.'
+                          items:
+                            properties:
+                              instanceWarmupPeriod:
+                                description: Period of time, in seconds, after a newly
+                                  launched Amazon EC2 instance can contribute to CloudWatch
+                                  metrics for Auto Scaling group. If this parameter
+                                  is omitted, the default value of 300 seconds is
+                                  used.
+                                type: number
+                              maximumScalingStepSize:
+                                description: Maximum step adjustment size. A number
+                                  between 1 and 10,000.
+                                type: number
+                              minimumScalingStepSize:
+                                description: Minimum step adjustment size. A number
+                                  between 1 and 10,000.
+                                type: number
+                              status:
+                                description: Whether auto scaling is managed by ECS.
+                                  Valid values are ENABLED and DISABLED.
+                                type: string
+                              targetCapacity:
+                                description: Target utilization for the capacity provider.
+                                  A number between 1 and 100.
+                                type: number
+                            type: object
+                          type: array
+                        managedTerminationProtection:
+                          description: '- Enables or disables container-aware termination
+                            of instances in the auto scaling group when scale-in happens.
+                            Valid values are ENABLED and DISABLED.'
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: ARN that identifies the capacity provider.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ecs.aws.upbound.io_clustercapacityproviders.yaml b/package/crds/ecs.aws.upbound.io_clustercapacityproviders.yaml
index 5fd9e8f2a5..73f0811fad 100644
--- a/package/crds/ecs.aws.upbound.io_clustercapacityproviders.yaml
+++ b/package/crds/ecs.aws.upbound.io_clustercapacityproviders.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,6 +185,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -358,6 +377,40 @@ spec:
             properties:
               atProvider:
                 properties:
+                  capacityProviders:
+                    description: Set of names of one or more capacity providers to
+                      associate with the cluster. Valid values also include FARGATE
+                      and FARGATE_SPOT.
+                    items:
+                      type: string
+                    type: array
+                  clusterName:
+                    description: Name of the ECS cluster to manage capacity providers
+                      for.
+                    type: string
+                  defaultCapacityProviderStrategy:
+                    description: Set of capacity provider strategies to use by default
+                      for the cluster. Detailed below.
+                    items:
+                      properties:
+                        base:
+                          description: The number of tasks, at a minimum, to run on
+                            the specified capacity provider. Only one capacity provider
+                            in a capacity provider strategy can have a base defined.
+                            Defaults to 0.
+                          type: number
+                        capacityProvider:
+                          description: Name of the capacity provider.
+                          type: string
+                        weight:
+                          description: The relative percentage of the total number
+                            of launched tasks that should use the specified capacity
+                            provider. The weight value is taken into consideration
+                            after the base count of tasks has been satisfied. Defaults
+                            to 0.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: Same as cluster_name.
                     type: string
diff --git a/package/crds/ecs.aws.upbound.io_clusters.yaml b/package/crds/ecs.aws.upbound.io_clusters.yaml
index e890f268be..db4b3a2e6f 100644
--- a/package/crds/ecs.aws.upbound.io_clusters.yaml
+++ b/package/crds/ecs.aws.upbound.io_clusters.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -185,6 +189,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -371,9 +390,117 @@ spec:
                     items:
                       type: string
                     type: array
+                  configuration:
+                    description: The execute command configuration for the cluster.
+                      Detailed below.
+                    items:
+                      properties:
+                        executeCommandConfiguration:
+                          description: The details of the execute command configuration.
+                            Detailed below.
+                          items:
+                            properties:
+                              kmsKeyId:
+                                description: The AWS Key Management Service key ID
+                                  to encrypt the data between the local client and
+                                  the container.
+                                type: string
+                              logConfiguration:
+                                description: The log configuration for the results
+                                  of the execute command actions Required when logging
+                                  is OVERRIDE. Detailed below.
+                                items:
+                                  properties:
+                                    cloudWatchEncryptionEnabled:
+                                      description: Whether or not to enable encryption
+                                        on the CloudWatch logs. If not specified,
+                                        encryption will be disabled.
+                                      type: boolean
+                                    cloudWatchLogGroupName:
+                                      description: The name of the CloudWatch log
+                                        group to send logs to.
+                                      type: string
+                                    s3BucketEncryptionEnabled:
+                                      description: Whether or not to enable encryption
+                                        on the logs sent to S3. If not specified,
+                                        encryption will be disabled.
+                                      type: boolean
+                                    s3BucketName:
+                                      description: The name of the S3 bucket to send
+                                        logs to.
+                                      type: string
+                                    s3KeyPrefix:
+                                      description: An optional folder in the S3 bucket
+                                        to place logs in.
+                                      type: string
+                                  type: object
+                                type: array
+                              logging:
+                                description: The log setting to use for redirecting
+                                  logs for your execute command results. Valid values
+                                  are NONE, DEFAULT, and OVERRIDE.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  defaultCapacityProviderStrategy:
+                    description: Configuration block for capacity provider strategy
+                      to use by default for the cluster. Can be one or more. Detailed
+                      below.
+                    items:
+                      properties:
+                        base:
+                          description: The number of tasks, at a minimum, to run on
+                            the specified capacity provider. Only one capacity provider
+                            in a capacity provider strategy can have a base defined.
+                          type: number
+                        capacityProvider:
+                          description: The short name of the capacity provider.
+                          type: string
+                        weight:
+                          description: The relative percentage of the total number
+                            of launched tasks that should use the specified capacity
+                            provider.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: ARN that identifies the cluster.
                     type: string
+                  serviceConnectDefaults:
+                    description: Configures a default Service Connect namespace. Detailed
+                      below.
+                    items:
+                      properties:
+                        namespace:
+                          description: The ARN of the aws_service_discovery_http_namespace
+                            that's used when you create a service and don't specify
+                            a Service Connect configuration.
+                          type: string
+                      type: object
+                    type: array
+                  setting:
+                    description: Configuration block(s) with cluster settings. For
+                      example, this can be used to enable CloudWatch Container Insights
+                      for a cluster. Detailed below.
+                    items:
+                      properties:
+                        name:
+                          description: 'Name of the setting to manage. Valid values:
+                            containerInsights.'
+                          type: string
+                        value:
+                          description: The value to assign to the setting. Valid values
+                            are enabled and disabled.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ecs.aws.upbound.io_services.yaml b/package/crds/ecs.aws.upbound.io_services.yaml
index 6a8cf9c5c8..494db00d6e 100644
--- a/package/crds/ecs.aws.upbound.io_services.yaml
+++ b/package/crds/ecs.aws.upbound.io_services.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -851,6 +855,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1027,9 +1046,363 @@ spec:
             properties:
               atProvider:
                 properties:
+                  alarms:
+                    description: Information about the CloudWatch alarms. See below.
+                    items:
+                      properties:
+                        alarmNames:
+                          items:
+                            type: string
+                          type: array
+                        enable:
+                          description: Determines whether to use the CloudWatch alarm
+                            option in the service deployment process.
+                          type: boolean
+                        rollback:
+                          description: Determines whether to configure Amazon ECS
+                            to roll back the service if a service deployment fails.
+                            If rollback is used, when a service deployment fails,
+                            the service is rolled back to the last deployment that
+                            completed successfully.
+                          type: boolean
+                      type: object
+                    type: array
+                  capacityProviderStrategy:
+                    description: Capacity provider strategies to use for the service.
+                      Can be one or more. These can be updated without destroying
+                      and recreating the service only if force_new_deployment = true
+                      and not changing from 0 capacity_provider_strategy blocks to
+                      greater than 0, or vice versa. See below.
+                    items:
+                      properties:
+                        base:
+                          description: Number of tasks, at a minimum, to run on the
+                            specified capacity provider. Only one capacity provider
+                            in a capacity provider strategy can have a base defined.
+                          type: number
+                        capacityProvider:
+                          description: Short name of the capacity provider.
+                          type: string
+                        weight:
+                          description: Relative percentage of the total number of
+                            launched tasks that should use the specified capacity
+                            provider.
+                          type: number
+                      type: object
+                    type: array
+                  cluster:
+                    description: Name of an ECS cluster.
+                    type: string
+                  deploymentCircuitBreaker:
+                    description: Configuration block for deployment circuit breaker.
+                      See below.
+                    items:
+                      properties:
+                        enable:
+                          description: Whether to enable the deployment circuit breaker
+                            logic for the service.
+                          type: boolean
+                        rollback:
+                          description: Whether to enable Amazon ECS to roll back the
+                            service if a service deployment fails. If rollback is
+                            enabled, when a service deployment fails, the service
+                            is rolled back to the last deployment that completed successfully.
+                          type: boolean
+                      type: object
+                    type: array
+                  deploymentController:
+                    description: Configuration block for deployment controller configuration.
+                      See below.
+                    items:
+                      properties:
+                        type:
+                          description: 'Type of deployment controller. Valid values:
+                            CODE_DEPLOY, ECS, EXTERNAL. Default: ECS.'
+                          type: string
+                      type: object
+                    type: array
+                  deploymentMaximumPercent:
+                    description: Upper limit (as a percentage of the service's desiredCount)
+                      of the number of running tasks that can be running in a service
+                      during a deployment. Not valid when using the DAEMON scheduling
+                      strategy.
+                    type: number
+                  deploymentMinimumHealthyPercent:
+                    description: Lower limit (as a percentage of the service's desiredCount)
+                      of the number of running tasks that must remain running and
+                      healthy in a service during a deployment.
+                    type: number
+                  desiredCount:
+                    description: Number of instances of the task definition to place
+                      and keep running. Defaults to 0. Do not specify if using the
+                      DAEMON scheduling strategy.
+                    type: number
+                  enableEcsManagedTags:
+                    description: Specifies whether to enable Amazon ECS managed tags
+                      for the tasks within the service.
+                    type: boolean
+                  enableExecuteCommand:
+                    description: Specifies whether to enable Amazon ECS Exec for the
+                      tasks within the service.
+                    type: boolean
+                  forceNewDeployment:
+                    description: Enable to force a new task deployment of the service.
+                      This can be used to update tasks to use a newer Docker image
+                      with same image/tag combination (e.g., myimage:latest), roll
+                      Fargate tasks onto a newer platform version, or immediately
+                      deploy ordered_placement_strategy and placement_constraints
+                      updates.
+                    type: boolean
+                  healthCheckGracePeriodSeconds:
+                    description: Seconds to ignore failing load balancer health checks
+                      on newly instantiated tasks to prevent premature shutdown, up
+                      to 2147483647. Only valid for services configured to use load
+                      balancers.
+                    type: number
+                  iamRole:
+                    description: ARN of the IAM role that allows Amazon ECS to make
+                      calls to your load balancer on your behalf. This parameter is
+                      required if you are using a load balancer with your service,
+                      but only if your task definition does not use the awsvpc network
+                      mode. If using awsvpc network mode, do not specify this role.
+                      If your account has already created the Amazon ECS service-linked
+                      role, that role is used by default for your service unless you
+                      specify a role here.
+                    type: string
                   id:
                     description: ARN that identifies the service.
                     type: string
+                  launchType:
+                    description: Launch type on which to run your service. The valid
+                      values are EC2, FARGATE, and EXTERNAL. Defaults to EC2.
+                    type: string
+                  loadBalancer:
+                    description: Configuration block for load balancers. See below.
+                    items:
+                      properties:
+                        containerName:
+                          description: Name of the container to associate with the
+                            load balancer (as it appears in a container definition).
+                          type: string
+                        containerPort:
+                          description: Port on the container to associate with the
+                            load balancer.
+                          type: number
+                        elbName:
+                          description: Name of the ELB (Classic) to associate with
+                            the service.
+                          type: string
+                        targetGroupArn:
+                          description: ARN of the Load Balancer target group to associate
+                            with the service.
+                          type: string
+                      type: object
+                    type: array
+                  networkConfiguration:
+                    description: Network configuration for the service. This parameter
+                      is required for task definitions that use the awsvpc network
+                      mode to receive their own Elastic Network Interface, and it
+                      is not supported for other network modes. See below.
+                    items:
+                      properties:
+                        assignPublicIp:
+                          description: Assign a public IP address to the ENI (Fargate
+                            launch type only). Valid values are true or false. Default
+                            false.
+                          type: boolean
+                        securityGroups:
+                          description: Security groups associated with the task or
+                            service. If you do not specify a security group, the default
+                            security group for the VPC is used.
+                          items:
+                            type: string
+                          type: array
+                        subnets:
+                          description: Subnets associated with the task or service.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  orderedPlacementStrategy:
+                    description: Service level strategy rules that are taken into
+                      consideration during task placement. List from top to bottom
+                      in order of precedence. Updates to this configuration will take
+                      effect next task deployment unless force_new_deployment is enabled.
+                      The maximum number of ordered_placement_strategy blocks is 5.
+                      See below.
+                    items:
+                      properties:
+                        field:
+                          description: For the spread placement strategy, valid values
+                            are instanceId (or host, which has the same effect), or
+                            any platform or custom attribute that is applied to a
+                            container instance. For the binpack type, valid values
+                            are memory and cpu. For the random type, this attribute
+                            is not needed. For more information, see Placement Strategy.
+                          type: string
+                        type:
+                          description: 'Type of placement strategy. Must be one of:
+                            binpack, random, or spread'
+                          type: string
+                      type: object
+                    type: array
+                  placementConstraints:
+                    description: Rules that are taken into consideration during task
+                      placement. Updates to this configuration will take effect next
+                      task deployment unless force_new_deployment is enabled. Maximum
+                      number of placement_constraints is 10. See below.
+                    items:
+                      properties:
+                        expression:
+                          description: Cluster Query Language expression to apply
+                            to the constraint. Does not need to be specified for the
+                            distinctInstance type. For more information, see Cluster
+                            Query Language in the Amazon EC2 Container Service Developer
+                            Guide.
+                          type: string
+                        type:
+                          description: Type of constraint. The only valid values at
+                            this time are memberOf and distinctInstance.
+                          type: string
+                      type: object
+                    type: array
+                  platformVersion:
+                    description: Platform version on which to run your service. Only
+                      applicable for launch_type set to FARGATE. Defaults to LATEST.
+                      More information about Fargate platform versions can be found
+                      in the AWS ECS User Guide.
+                    type: string
+                  propagateTags:
+                    description: Specifies whether to propagate the tags from the
+                      task definition or the service to the tasks. The valid values
+                      are SERVICE and TASK_DEFINITION.
+                    type: string
+                  schedulingStrategy:
+                    description: Scheduling strategy to use for the service. The valid
+                      values are REPLICA and DAEMON. Defaults to REPLICA. Note that
+                      Tasks using the Fargate launch type or the .
+                    type: string
+                  serviceConnectConfiguration:
+                    description: The ECS Service Connect configuration for this service
+                      to discover and connect to services, and be discovered by, and
+                      connected from, other services within a namespace. See below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Specifies whether to use Service Connect with
+                            this service.
+                          type: boolean
+                        logConfiguration:
+                          description: The log configuration for the container. See
+                            below.
+                          items:
+                            properties:
+                              logDriver:
+                                description: The log driver to use for the container.
+                                type: string
+                              options:
+                                additionalProperties:
+                                  type: string
+                                description: The configuration options to send to
+                                  the log driver.
+                                type: object
+                              secretOption:
+                                description: The secrets to pass to the log configuration.
+                                  See below.
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the secret.
+                                      type: string
+                                    valueFrom:
+                                      description: The secret to expose to the container.
+                                        The supported values are either the full ARN
+                                        of the AWS Secrets Manager secret or the full
+                                        ARN of the parameter in the SSM Parameter
+                                        Store.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        namespace:
+                          description: The namespace name or ARN of the aws_service_discovery_http_namespace
+                            for use with Service Connect.
+                          type: string
+                        service:
+                          description: The list of Service Connect service objects.
+                            See below.
+                          items:
+                            properties:
+                              clientAlias:
+                                description: The list of client aliases for this Service
+                                  Connect service. You use these to assign names that
+                                  can be used by client applications. The maximum
+                                  number of client aliases that you can have in this
+                                  list is 1. See below.
+                                items:
+                                  properties:
+                                    dnsName:
+                                      description: The name that you use in the applications
+                                        of client tasks to connect to this service.
+                                      type: string
+                                    port:
+                                      description: The listening port number for the
+                                        Service Connect proxy. This port is available
+                                        inside of all of the tasks within the same
+                                        namespace.
+                                      type: number
+                                  type: object
+                                type: array
+                              discoveryName:
+                                description: The name of the new AWS Cloud Map service
+                                  that Amazon ECS creates for this Amazon ECS service.
+                                type: string
+                              ingressPortOverride:
+                                description: The port number for the Service Connect
+                                  proxy to listen on.
+                                type: number
+                              portName:
+                                description: The name of one of the portMappings from
+                                  all the containers in the task definition of this
+                                  Amazon ECS service.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  serviceRegistries:
+                    description: Service discovery registries for the service. The
+                      maximum number of service_registries blocks is 1. See below.
+                    items:
+                      properties:
+                        containerName:
+                          description: Container name value, already specified in
+                            the task definition, to be used for your service discovery
+                            service.
+                          type: string
+                        containerPort:
+                          description: Port value, already specified in the task definition,
+                            to be used for your service discovery service.
+                          type: number
+                        port:
+                          description: Port value used if your Service Discovery service
+                            specified an SRV record.
+                          type: number
+                        registryArn:
+                          description: ARN of the Service Registry. The currently
+                            supported service registry is Amazon Route 53 Auto Naming
+                            Service(aws_service_discovery_service). For more information,
+                            see Service
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -1037,6 +1410,22 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  taskDefinition:
+                    description: Family and revision (family:revision) or full ARN
+                      of the task definition that you want to run in your service.
+                      Required unless using the EXTERNAL deployment controller. If
+                      a revision is not specified, the latest ACTIVE revision is used.
+                    type: string
+                  triggers:
+                    additionalProperties:
+                      type: string
+                    description: Map of arbitrary keys and values that, when changed,
+                      will trigger an in-place update (redeployment). Useful with
+                      timestamp(). See example above.
+                    type: object
+                  waitForSteadyState:
+                    description: Default false.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ecs.aws.upbound.io_taskdefinitions.yaml b/package/crds/ecs.aws.upbound.io_taskdefinitions.yaml
index 9c148afed6..f70c58c663 100644
--- a/package/crds/ecs.aws.upbound.io_taskdefinitions.yaml
+++ b/package/crds/ecs.aws.upbound.io_taskdefinitions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -451,10 +455,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - containerDefinitions
-                - family
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -626,6 +643,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: containerDefinitions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.containerDefinitions)
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
           status:
             description: TaskDefinitionStatus defines the observed state of TaskDefinition.
             properties:
@@ -635,17 +657,306 @@ spec:
                     description: Full ARN of the Task Definition (including both family
                       and revision).
                     type: string
+                  containerDefinitions:
+                    description: A list of valid container definitions provided as
+                      a single valid JSON document. Please note that you should only
+                      provide values that are part of the container definition document.
+                      For a detailed description of what parameters are available,
+                      see the Task Definition Parameters section from the official
+                      Developer Guide.
+                    type: string
+                  cpu:
+                    description: Number of cpu units used by the task. If the requires_compatibilities
+                      is FARGATE this field is required.
+                    type: string
+                  ephemeralStorage:
+                    description: The amount of ephemeral storage to allocate for the
+                      task. This parameter is used to expand the total amount of ephemeral
+                      storage available, beyond the default amount, for tasks hosted
+                      on AWS Fargate. See Ephemeral Storage.
+                    items:
+                      properties:
+                        sizeInGib:
+                          description: The total amount, in GiB, of ephemeral storage
+                            to set for the task. The minimum supported value is 21
+                            GiB and the maximum supported value is 200 GiB.
+                          type: number
+                      type: object
+                    type: array
+                  executionRoleArn:
+                    description: ARN of the task execution role that the Amazon ECS
+                      container agent and the Docker daemon can assume.
+                    type: string
+                  family:
+                    description: A unique name for your task definition.
+                    type: string
                   id:
                     type: string
+                  inferenceAccelerator:
+                    description: Configuration block(s) with Inference Accelerators
+                      settings. Detailed below.
+                    items:
+                      properties:
+                        deviceName:
+                          description: Elastic Inference accelerator device name.
+                            The deviceName must also be referenced in a container
+                            definition as a ResourceRequirement.
+                          type: string
+                        deviceType:
+                          description: Elastic Inference accelerator type to use.
+                          type: string
+                      type: object
+                    type: array
+                  ipcMode:
+                    description: IPC resource namespace to be used for the containers
+                      in the task The valid values are host, task, and none.
+                    type: string
+                  memory:
+                    description: Amount (in MiB) of memory used by the task. If the
+                      requires_compatibilities is FARGATE this field is required.
+                    type: string
+                  networkMode:
+                    description: Docker networking mode to use for the containers
+                      in the task. Valid values are none, bridge, awsvpc, and host.
+                    type: string
+                  pidMode:
+                    description: Process namespace to use for the containers in the
+                      task. The valid values are host and task.
+                    type: string
+                  placementConstraints:
+                    description: Configuration block for rules that are taken into
+                      consideration during task placement. Maximum number of placement_constraints
+                      is 10. Detailed below.
+                    items:
+                      properties:
+                        expression:
+                          description: Cluster Query Language expression to apply
+                            to the constraint. For more information, see Cluster Query
+                            Language in the Amazon EC2 Container Service Developer
+                            Guide.
+                          type: string
+                        type:
+                          description: Type of constraint. Use memberOf to restrict
+                            selection to a group of valid candidates. Note that distinctInstance
+                            is not supported in task definitions.
+                          type: string
+                      type: object
+                    type: array
+                  proxyConfiguration:
+                    description: Configuration block for the App Mesh proxy. Detailed
+                      below.
+                    items:
+                      properties:
+                        containerName:
+                          description: Name of the container that will serve as the
+                            App Mesh proxy.
+                          type: string
+                        properties:
+                          additionalProperties:
+                            type: string
+                          description: Set of network configuration parameters to
+                            provide the Container Network Interface (CNI) plugin,
+                            specified a key-value mapping.
+                          type: object
+                        type:
+                          description: Proxy type. The default value is APPMESH. The
+                            only supported value is APPMESH.
+                          type: string
+                      type: object
+                    type: array
+                  requiresCompatibilities:
+                    description: Set of launch types required by the task. The valid
+                      values are EC2 and FARGATE.
+                    items:
+                      type: string
+                    type: array
                   revision:
                     description: Revision of the task in a particular family.
                     type: number
+                  runtimePlatform:
+                    description: Configuration block for runtime_platform that containers
+                      in your task may use.
+                    items:
+                      properties:
+                        cpuArchitecture:
+                          description: Must be set to either X86_64 or ARM64; see
+                            cpu architecture
+                          type: string
+                        operatingSystemFamily:
+                          description: If the requires_compatibilities is FARGATE
+                            this field is required; must be set to a valid option
+                            from the operating system family in the runtime platform
+                            setting
+                          type: string
+                      type: object
+                    type: array
+                  skipDestroy:
+                    description: Whether to retain the old revision when the resource
+                      is destroyed or replacement is necessary. Default is false.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  taskRoleArn:
+                    description: ARN of IAM role that allows your Amazon ECS container
+                      task to make calls to other AWS services.
+                    type: string
+                  volume:
+                    description: Configuration block for volumes that containers in
+                      your task may use. Detailed below.
+                    items:
+                      properties:
+                        dockerVolumeConfiguration:
+                          description: Configuration block to configure a docker volume.
+                            Detailed below.
+                          items:
+                            properties:
+                              autoprovision:
+                                description: 'If this value is true, the Docker volume
+                                  is created if it does not already exist. Note: This
+                                  field is only used if the scope is shared.'
+                                type: boolean
+                              driver:
+                                description: Docker volume driver to use. The driver
+                                  value must match the driver name provided by Docker
+                                  because it is used for task placement.
+                                type: string
+                              driverOpts:
+                                additionalProperties:
+                                  type: string
+                                description: Map of Docker driver specific options.
+                                type: object
+                              labels:
+                                additionalProperties:
+                                  type: string
+                                description: Map of custom metadata to add to your
+                                  Docker volume.
+                                type: object
+                              scope:
+                                description: Scope for the Docker volume, which determines
+                                  its lifecycle, either task or shared.  Docker volumes
+                                  that are scoped to a task are automatically provisioned
+                                  when the task starts and destroyed when the task
+                                  stops. Docker volumes that are scoped as shared
+                                  persist after the task stops.
+                                type: string
+                            type: object
+                          type: array
+                        efsVolumeConfiguration:
+                          description: Configuration block for an EFS volume. Detailed
+                            below.
+                          items:
+                            properties:
+                              authorizationConfig:
+                                description: Configuration block for authorization
+                                  for the Amazon EFS file system. Detailed below.
+                                items:
+                                  properties:
+                                    accessPointId:
+                                      description: Access point ID to use. If an access
+                                        point is specified, the root directory value
+                                        will be relative to the directory set for
+                                        the access point. If specified, transit encryption
+                                        must be enabled in the EFSVolumeConfiguration.
+                                      type: string
+                                    iam:
+                                      description: 'Whether or not to use the Amazon
+                                        ECS task IAM role defined in a task definition
+                                        when mounting the Amazon EFS file system.
+                                        If enabled, transit encryption must be enabled
+                                        in the EFSVolumeConfiguration. Valid values:
+                                        ENABLED, DISABLED. If this parameter is omitted,
+                                        the default value of DISABLED is used.'
+                                      type: string
+                                  type: object
+                                type: array
+                              fileSystemId:
+                                description: ID of the EFS File System.
+                                type: string
+                              rootDirectory:
+                                description: Directory within the Amazon EFS file
+                                  system to mount as the root directory inside the
+                                  host. If this parameter is omitted, the root of
+                                  the Amazon EFS volume will be used. Specifying /
+                                  will have the same effect as omitting this parameter.
+                                  This argument is ignored when using authorization_config.
+                                type: string
+                              transitEncryption:
+                                description: 'Whether or not to enable encryption
+                                  for Amazon EFS data in transit between the Amazon
+                                  ECS host and the Amazon EFS server. Transit encryption
+                                  must be enabled if Amazon EFS IAM authorization
+                                  is used. Valid values: ENABLED, DISABLED. If this
+                                  parameter is omitted, the default value of DISABLED
+                                  is used.'
+                                type: string
+                              transitEncryptionPort:
+                                description: Port to use for transit encryption. If
+                                  you do not specify a transit encryption port, it
+                                  will use the port selection strategy that the Amazon
+                                  EFS mount helper uses.
+                                type: number
+                            type: object
+                          type: array
+                        fsxWindowsFileServerVolumeConfiguration:
+                          description: Configuration block for an FSX Windows File
+                            Server volume. Detailed below.
+                          items:
+                            properties:
+                              authorizationConfig:
+                                description: Configuration block for authorization
+                                  for the Amazon FSx for Windows File Server file
+                                  system detailed below.
+                                items:
+                                  properties:
+                                    credentialsParameter:
+                                      description: The authorization credential option
+                                        to use. The authorization credential options
+                                        can be provided using either the Amazon Resource
+                                        Name (ARN) of an AWS Secrets Manager secret
+                                        or AWS Systems Manager Parameter Store parameter.
+                                        The ARNs refer to the stored credentials.
+                                      type: string
+                                    domain:
+                                      description: A fully qualified domain name hosted
+                                        by an AWS Directory Service Managed Microsoft
+                                        AD (Active Directory) or self-hosted AD on
+                                        Amazon EC2.
+                                      type: string
+                                  type: object
+                                type: array
+                              fileSystemId:
+                                description: The Amazon FSx for Windows File Server
+                                  file system ID to use.
+                                type: string
+                              rootDirectory:
+                                description: The directory within the Amazon FSx for
+                                  Windows File Server file system to mount as the
+                                  root directory inside the host.
+                                type: string
+                            type: object
+                          type: array
+                        hostPath:
+                          description: Path on the host container instance that is
+                            presented to the container. If not set, ECS will create
+                            a nonpersistent data volume that starts empty and is deleted
+                            after the task has finished.
+                          type: string
+                        name:
+                          description: Name of the volume. This name is referenced
+                            in the sourceVolume parameter of container definition
+                            in the mountPoints section.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/efs.aws.upbound.io_accesspoints.yaml b/package/crds/efs.aws.upbound.io_accesspoints.yaml
index 1b98421bba..3e1c653f51 100644
--- a/package/crds/efs.aws.upbound.io_accesspoints.yaml
+++ b/package/crds/efs.aws.upbound.io_accesspoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -213,6 +217,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -395,12 +414,74 @@ spec:
                   fileSystemArn:
                     description: ARN of the file system.
                     type: string
+                  fileSystemId:
+                    description: ID of the file system for which the access point
+                      is intended.
+                    type: string
                   id:
                     description: ID of the access point.
                     type: string
                   ownerId:
                     description: ID of the access point.
                     type: string
+                  posixUser:
+                    description: Operating system user and group applied to all file
+                      system requests made using the access point. Detailed below.
+                    items:
+                      properties:
+                        gid:
+                          description: POSIX group ID used for all file system operations
+                            using this access point.
+                          type: number
+                        secondaryGids:
+                          description: Secondary POSIX group IDs used for all file
+                            system operations using this access point.
+                          items:
+                            type: number
+                          type: array
+                        uid:
+                          description: POSIX user ID used for all file system operations
+                            using this access point.
+                          type: number
+                      type: object
+                    type: array
+                  rootDirectory:
+                    description: Directory on the Amazon EFS file system that the
+                      access point provides access to. Detailed below.
+                    items:
+                      properties:
+                        creationInfo:
+                          description: POSIX IDs and permissions to apply to the access
+                            point's Root Directory. See Creation Info below.
+                          items:
+                            properties:
+                              ownerGid:
+                                description: POSIX group ID to apply to the root_directory.
+                                type: number
+                              ownerUid:
+                                description: POSIX user ID to apply to the root_directory.
+                                type: number
+                              permissions:
+                                description: POSIX permissions to apply to the RootDirectory,
+                                  in the format of an octal number representing the
+                                  file's mode bits.
+                                type: string
+                            type: object
+                          type: array
+                        path:
+                          description: Path on the EFS file system to expose as the
+                            root directory to NFS clients using the access point to
+                            access the EFS file system. A path can have up to four
+                            subdirectories. If the specified path does not exist,
+                            you are required to provide creation_info.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/efs.aws.upbound.io_backuppolicies.yaml b/package/crds/efs.aws.upbound.io_backuppolicies.yaml
index 1ef702db0b..97328cb0a7 100644
--- a/package/crds/efs.aws.upbound.io_backuppolicies.yaml
+++ b/package/crds/efs.aws.upbound.io_backuppolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,9 +161,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - backupPolicy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,11 +349,27 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: backupPolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.backupPolicy)
           status:
             description: BackupPolicyStatus defines the observed state of BackupPolicy.
             properties:
               atProvider:
                 properties:
+                  backupPolicy:
+                    description: A backup_policy object (documented below).
+                    items:
+                      properties:
+                        status:
+                          description: 'A status of the backup policy. Valid values:
+                            ENABLED, DISABLED.'
+                          type: string
+                      type: object
+                    type: array
+                  fileSystemId:
+                    description: The ID of the EFS file system.
+                    type: string
                   id:
                     description: The ID that identifies the file system (e.g., fs-ccfc0d65).
                     type: string
diff --git a/package/crds/efs.aws.upbound.io_filesystempolicies.yaml b/package/crds/efs.aws.upbound.io_filesystempolicies.yaml
index 9cbd349eea..3eba75b025 100644
--- a/package/crds/efs.aws.upbound.io_filesystempolicies.yaml
+++ b/package/crds/efs.aws.upbound.io_filesystempolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,9 +163,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,14 +351,34 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: FileSystemPolicyStatus defines the observed state of FileSystemPolicy.
             properties:
               atProvider:
                 properties:
+                  bypassPolicyLockoutSafetyCheck:
+                    description: A flag to indicate whether to bypass the aws_efs_file_system_policy
+                      lockout safety check. The policy lockout safety check determines
+                      whether the policy in the request will prevent the principal
+                      making the request will be locked out from making future PutFileSystemPolicy
+                      requests on the file system. Set bypass_policy_lockout_safety_check
+                      to true only when you intend to prevent the principal that is
+                      making the request from making a subsequent PutFileSystemPolicy
+                      request on the file system. The default value is false.
+                    type: boolean
+                  fileSystemId:
+                    description: The ID of the EFS file system.
+                    type: string
                   id:
                     description: The ID that identifies the file system (e.g., fs-ccfc0d65).
                     type: string
+                  policy:
+                    description: The JSON formatted file system policy for the EFS
+                      file system. see Docs for more info.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/efs.aws.upbound.io_filesystems.yaml b/package/crds/efs.aws.upbound.io_filesystems.yaml
index 0000dbebba..d8b72563fa 100644
--- a/package/crds/efs.aws.upbound.io_filesystems.yaml
+++ b/package/crds/efs.aws.upbound.io_filesystems.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -199,6 +203,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -382,12 +401,48 @@ spec:
                     description: The identifier of the Availability Zone in which
                       the file system's One Zone storage classes exist.
                     type: string
+                  availabilityZoneName:
+                    description: the AWS Availability Zone in which to create the
+                      file system. Used to create a file system that uses One Zone
+                      storage classes. See user guide for more information.
+                    type: string
+                  creationToken:
+                    description: A unique name (a maximum of 64 characters are allowed)
+                      used as reference when creating the Elastic File System to ensure
+                      idempotent file system creation. See Elastic File System user
+                      guide for more information.
+                    type: string
                   dnsName:
                     description: The DNS name for the filesystem per documented convention.
                     type: string
+                  encrypted:
+                    description: If true, the disk will be encrypted.
+                    type: boolean
                   id:
                     description: The ID that identifies the file system (e.g., fs-ccfc0d65).
                     type: string
+                  kmsKeyId:
+                    description: The ARN for the KMS encryption key. When specifying
+                      kms_key_id, encrypted needs to be set to true.
+                    type: string
+                  lifecyclePolicy:
+                    description: A file system lifecycle policy object (documented
+                      below).
+                    items:
+                      properties:
+                        transitionToIa:
+                          description: 'Indicates how long it takes to transition
+                            files to the IA storage class. Valid values: AFTER_1_DAY,
+                            AFTER_7_DAYS, AFTER_14_DAYS, AFTER_30_DAYS, AFTER_60_DAYS,
+                            or AFTER_90_DAYS.'
+                          type: string
+                        transitionToPrimaryStorageClass:
+                          description: 'Describes the policy used to transition a
+                            file from infequent access storage to primary storage.
+                            Valid values: AFTER_1_ACCESS.'
+                          type: string
+                      type: object
+                    type: array
                   numberOfMountTargets:
                     description: The current number of mount targets that the file
                       system has.
@@ -397,6 +452,15 @@ spec:
                       the file system was createdby an IAM user, the parent account
                       to which the user belongs is the owner.
                     type: string
+                  performanceMode:
+                    description: 'The file system performance mode. Can be either
+                      "generalPurpose" or "maxIO" (Default: "generalPurpose").'
+                    type: string
+                  provisionedThroughputInMibps:
+                    description: The throughput, measured in MiB/s, that you want
+                      to provision for the file system. Only applicable with throughput_mode
+                      set to provisioned.
+                    type: number
                   sizeInBytes:
                     description: The latest known metered size (in bytes) of data
                       stored in the file system, the value is not the exact size that
@@ -417,6 +481,11 @@ spec:
                           type: number
                       type: object
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -424,6 +493,11 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  throughputMode:
+                    description: 'Throughput mode for the file system. Defaults to
+                      bursting. Valid values: bursting, provisioned, or elastic. When
+                      using provisioned, also set provisioned_throughput_in_mibps.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/efs.aws.upbound.io_mounttargets.yaml b/package/crds/efs.aws.upbound.io_mounttargets.yaml
index 709f883bd8..9b1244bb0f 100644
--- a/package/crds/efs.aws.upbound.io_mounttargets.yaml
+++ b/package/crds/efs.aws.upbound.io_mounttargets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -313,6 +317,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -503,9 +522,18 @@ spec:
                   fileSystemArn:
                     description: Amazon Resource Name of the file system.
                     type: string
+                  fileSystemId:
+                    description: The ID of the file system for which the mount target
+                      is intended.
+                    type: string
                   id:
                     description: The ID of the mount target.
                     type: string
+                  ipAddress:
+                    description: The address (within the address range of the specified
+                      subnet) at which the file system may be mounted via the mount
+                      target.
+                    type: string
                   mountTargetDnsName:
                     description: The DNS name for the given subnet/AZ per documented
                       convention.
@@ -517,6 +545,16 @@ spec:
                   ownerId:
                     description: AWS account ID that owns the resource.
                     type: string
+                  securityGroups:
+                    description: A list of up to 5 VPC security group IDs (that must
+                      be for the same VPC as subnet specified) in effect for the mount
+                      target.
+                    items:
+                      type: string
+                    type: array
+                  subnetId:
+                    description: The ID of the subnet to add the mount target in.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/efs.aws.upbound.io_replicationconfigurations.yaml b/package/crds/efs.aws.upbound.io_replicationconfigurations.yaml
index 18fe82bb32..c2c309dd8c 100644
--- a/package/crds/efs.aws.upbound.io_replicationconfigurations.yaml
+++ b/package/crds/efs.aws.upbound.io_replicationconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -168,9 +172,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - destination
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -342,6 +360,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)
           status:
             description: ReplicationConfigurationStatus defines the observed state
               of ReplicationConfiguration.
@@ -355,9 +376,24 @@ spec:
                     description: A destination configuration block (documented below).
                     items:
                       properties:
+                        availabilityZoneName:
+                          description: The availability zone in which the replica
+                            should be created. If specified, the replica will be created
+                            with One Zone storage. If omitted, regional storage will
+                            be used.
+                          type: string
                         fileSystemId:
                           description: The fs ID of the replica.
                           type: string
+                        kmsKeyId:
+                          description: The Key ID, ARN, alias, or alias ARN of the
+                            KMS key that should be used to encrypt the replica file
+                            system. If omitted, the default KMS key for EFS /aws/elasticfilesystem
+                            will be used.
+                          type: string
+                        region:
+                          description: The region in which the replica should be created.
+                          type: string
                         status:
                           description: The status of the replication.
                           type: string
@@ -373,6 +409,9 @@ spec:
                     description: The Amazon Resource Name (ARN) of the current source
                       file system in the replication configuration.
                     type: string
+                  sourceFileSystemId:
+                    description: The ID of the file system that is to be replicated.
+                    type: string
                   sourceFileSystemRegion:
                     description: The AWS Region in which the source Amazon EFS file
                       system is located.
diff --git a/package/crds/eks.aws.upbound.io_addons.yaml b/package/crds/eks.aws.upbound.io_addons.yaml
index ac458ede99..2f95240eb8 100644
--- a/package/crds/eks.aws.upbound.io_addons.yaml
+++ b/package/crds/eks.aws.upbound.io_addons.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -256,9 +260,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - addonName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -430,14 +448,35 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: addonName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.addonName)
           status:
             description: AddonStatus defines the observed state of Addon.
             properties:
               atProvider:
                 properties:
+                  addonName:
+                    description: on. The name must match one of the names returned
+                      by describe-addon-versions.
+                    type: string
+                  addonVersion:
+                    description: on. The version must match one of the versions returned
+                      by describe-addon-versions.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of the EKS add-on.
                     type: string
+                  clusterName:
+                    description: 100 characters in length. Must begin with an alphanumeric
+                      character, and must only contain alphanumeric characters, dashes
+                      and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).
+                    type: string
+                  configurationValues:
+                    description: custom configuration values for addons with single
+                      JSON string. This JSON string value must match the JSON schema
+                      derived from describe-addon-configuration.
+                    type: string
                   createdAt:
                     description: Date and time in RFC3339 format that the EKS add-on
                       was created.
@@ -450,6 +489,30 @@ spec:
                     description: Date and time in RFC3339 format that the EKS add-on
                       was updated.
                     type: string
+                  preserve:
+                    description: Indicates if you want to preserve the created resources
+                      when deleting the EKS add-on.
+                    type: boolean
+                  resolveConflicts:
+                    description: Define how to resolve parameter value conflicts when
+                      migrating an existing add-on to an Amazon EKS add-on or when
+                      applying version updates to the add-on. Valid values are NONE,
+                      OVERWRITE and PRESERVE. For more details check UpdateAddon API
+                      Docs.
+                    type: string
+                  serviceAccountRoleArn:
+                    description: The Amazon Resource Name (ARN) of an existing IAM
+                      role to bind to the add-on's service account. The role must
+                      be assigned the IAM permissions required by the add-on. If you
+                      don't specify an existing IAM role, then the add-on uses the
+                      permissions assigned to the node IAM role. For more information,
+                      see Amazon EKS node IAM role in the Amazon EKS User Guide.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/eks.aws.upbound.io_clusterauths.yaml b/package/crds/eks.aws.upbound.io_clusterauths.yaml
index bbe105b473..a910859a56 100644
--- a/package/crds/eks.aws.upbound.io_clusterauths.yaml
+++ b/package/crds/eks.aws.upbound.io_clusterauths.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,6 +162,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
diff --git a/package/crds/eks.aws.upbound.io_clusters.yaml b/package/crds/eks.aws.upbound.io_clusters.yaml
index 991ce9e438..bf3c2df9d8 100644
--- a/package/crds/eks.aws.upbound.io_clusters.yaml
+++ b/package/crds/eks.aws.upbound.io_clusters.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -479,8 +483,22 @@ spec:
                     type: array
                 required:
                 - region
-                - vpcConfig
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -652,6 +670,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: vpcConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcConfig)
           status:
             description: ClusterStatus defines the observed state of Cluster.
             properties:
@@ -681,6 +702,42 @@ spec:
                     description: Unix epoch timestamp in seconds for when the cluster
                       was created.
                     type: string
+                  enabledClusterLogTypes:
+                    description: List of the desired control plane logging to enable.
+                      For more information, see Amazon EKS Control Plane Logging.
+                    items:
+                      type: string
+                    type: array
+                  encryptionConfig:
+                    description: Configuration block with encryption configuration
+                      for the cluster. Only available on Kubernetes 1.13 and above
+                      clusters created after March 6, 2020. Detailed below.
+                    items:
+                      properties:
+                        provider:
+                          description: Configuration block with provider for encryption.
+                            Detailed below.
+                          items:
+                            properties:
+                              keyArn:
+                                description: ARN of the Key Management Service (KMS)
+                                  customer master key (CMK). The CMK must be symmetric,
+                                  created in the same region as the cluster, and if
+                                  the CMK was created in a different account, the
+                                  user must have access to the CMK. For more information,
+                                  see Allowing Users in Other Accounts to Use a CMK
+                                  in the AWS Key Management Service Developer Guide.
+                                type: string
+                            type: object
+                          type: array
+                        resources:
+                          description: 'List of strings with resources to be encrypted.
+                            Valid values: secrets.'
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   endpoint:
                     description: Endpoint for your Kubernetes API server.
                     type: string
@@ -712,6 +769,24 @@ spec:
                       for the cluster. Detailed below.
                     items:
                       properties:
+                        ipFamily:
+                          description: The IP family used to assign Kubernetes pod
+                            and service addresses. Valid values are ipv4 (default)
+                            and ipv6. You can only specify an IP family when you create
+                            a cluster, changing this value will force a new cluster
+                            to be created.
+                          type: string
+                        serviceIpv4Cidr:
+                          description: 'The CIDR block to assign Kubernetes pod and
+                            service IP addresses from. If you don''t specify a block,
+                            Kubernetes assigns addresses from either the 10.100.0.0/16
+                            or 172.20.0.0/16 CIDR blocks. We recommend that you specify
+                            a block that does not overlap with resources in other
+                            networks that are peered or connected to your VPC. You
+                            can only specify a custom CIDR block when you create a
+                            cluster, changing this value will force a new cluster
+                            to be created. The block must meet the following requirements:'
+                          type: string
                         serviceIpv6Cidr:
                           description: The CIDR block that Kubernetes pod and service
                             IP addresses are assigned from if you specified ipv6 for
@@ -722,19 +797,82 @@ spec:
                           type: string
                       type: object
                     type: array
+                  outpostConfig:
+                    description: Configuration block representing the configuration
+                      of your local Amazon EKS cluster on an AWS Outpost. This block
+                      isn't available for creating Amazon EKS clusters on the AWS
+                      cloud.
+                    items:
+                      properties:
+                        controlPlaneInstanceType:
+                          description: 'The Amazon EC2 instance type that you want
+                            to use for your local Amazon EKS cluster on Outposts.
+                            The instance type that you specify is used for all Kubernetes
+                            control plane instances. The instance type can''t be changed
+                            after cluster creation. Choose an instance type based
+                            on the number of nodes that your cluster will have. If
+                            your cluster will have:'
+                          type: string
+                        controlPlanePlacement:
+                          description: 'An object representing the placement configuration
+                            for all the control plane instances of your local Amazon
+                            EKS cluster on AWS Outpost. The following arguments are
+                            supported in the control_plane_placement configuration
+                            block:'
+                          items:
+                            properties:
+                              groupName:
+                                description: The name of the placement group for the
+                                  Kubernetes control plane instances. This setting
+                                  can't be changed after cluster creation.
+                                type: string
+                            type: object
+                          type: array
+                        outpostArns:
+                          description: The ARN of the Outpost that you want to use
+                            for your local Amazon EKS cluster on Outposts. This argument
+                            is a list of arns, but only a single Outpost ARN is supported
+                            currently.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   platformVersion:
                     description: Platform version for the cluster.
                     type: string
+                  roleArn:
+                    description: ARN of the IAM role that provides permissions for
+                      the Kubernetes control plane to make calls to AWS API operations
+                      on your behalf. Ensure the resource configuration includes explicit
+                      dependencies on the IAM Role permissions by adding depends_on
+                      if using the aws_iam_role_policy resource or aws_iam_role_policy_attachment
+                      resource, otherwise EKS cannot delete EKS managed EC2 infrastructure
+                      such as Security Groups on EKS Cluster deletion.
+                    type: string
                   status:
                     description: Status of the EKS cluster. One of CREATING, ACTIVE,
                       DELETING, FAILED.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  version:
+                    description: –  Desired Kubernetes master version. If you do not
+                      specify a value, the latest available version at resource creation
+                      is used and no upgrades will occur except those automatically
+                      triggered by EKS. The value must be configured and increased
+                      to upgrade the version when desired. Downgrades are not supported
+                      by EKS.
+                    type: string
                   vpcConfig:
                     description: Configuration block for the VPC associated with your
                       cluster. Amazon EKS VPC resources have specific requirements
@@ -749,6 +887,35 @@ spec:
                             Amazon EKS for the cluster. Managed node groups use this
                             security group for control-plane-to-data-plane communication.
                           type: string
+                        endpointPrivateAccess:
+                          description: Whether the Amazon EKS private API server endpoint
+                            is enabled. Default is false.
+                          type: boolean
+                        endpointPublicAccess:
+                          description: Whether the Amazon EKS public API server endpoint
+                            is enabled. Default is true.
+                          type: boolean
+                        publicAccessCidrs:
+                          description: List of CIDR blocks. Indicates which CIDR blocks
+                            can access the Amazon EKS public API server endpoint when
+                            enabled. EKS defaults this to a list with 0.0.0.0/0.
+                          items:
+                            type: string
+                          type: array
+                        securityGroupIds:
+                          description: account elastic network interfaces that Amazon
+                            EKS creates to use to allow communication between your
+                            worker nodes and the Kubernetes control plane.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: account elastic network interfaces in these
+                            subnets to allow communication between your worker nodes
+                            and the Kubernetes control plane.
+                          items:
+                            type: string
+                          type: array
                         vpcId:
                           description: ID of the VPC associated with your cluster.
                           type: string
diff --git a/package/crds/eks.aws.upbound.io_fargateprofiles.yaml b/package/crds/eks.aws.upbound.io_fargateprofiles.yaml
index c7aae5ca2d..d8ee31a192 100644
--- a/package/crds/eks.aws.upbound.io_fargateprofiles.yaml
+++ b/package/crds/eks.aws.upbound.io_fargateprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -332,8 +336,22 @@ spec:
                     type: object
                 required:
                 - region
-                - selector
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -505,6 +523,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: selector is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.selector)
           status:
             description: FargateProfileStatus defines the observed state of FargateProfile.
             properties:
@@ -513,13 +534,50 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the EKS Fargate Profile.
                     type: string
+                  clusterName:
+                    description: 100 characters in length. Must begin with an alphanumeric
+                      character, and must only contain alphanumeric characters, dashes
+                      and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).
+                    type: string
                   id:
                     description: EKS Cluster name and EKS Fargate Profile name separated
                       by a colon (:).
                     type: string
+                  podExecutionRoleArn:
+                    description: –  Amazon Resource Name (ARN) of the IAM Role that
+                      provides permissions for the EKS Fargate Profile.
+                    type: string
+                  selector:
+                    description: Configuration block(s) for selecting Kubernetes Pods
+                      to execute with this EKS Fargate Profile. Detailed below.
+                    items:
+                      properties:
+                        labels:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map of Kubernetes labels for selection.
+                          type: object
+                        namespace:
+                          description: Kubernetes namespace for selection.
+                          type: string
+                      type: object
+                    type: array
                   status:
                     description: Status of the EKS Fargate Profile.
                     type: string
+                  subnetIds:
+                    description: '–  Identifiers of private EC2 Subnets to associate
+                      with the EKS Fargate Profile. These subnets must have the following
+                      resource tag: kubernetes.io/cluster/CLUSTER_NAME (where CLUSTER_NAME
+                      is replaced with the name of the EKS Cluster).'
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/eks.aws.upbound.io_identityproviderconfigs.yaml b/package/crds/eks.aws.upbound.io_identityproviderconfigs.yaml
index dc5dfb9850..517586e0d3 100644
--- a/package/crds/eks.aws.upbound.io_identityproviderconfigs.yaml
+++ b/package/crds/eks.aws.upbound.io_identityproviderconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -189,9 +193,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - oidc
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -363,6 +381,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: oidc is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.oidc)
           status:
             description: IdentityProviderConfigStatus defines the observed state of
               IdentityProviderConfig.
@@ -373,13 +394,57 @@ spec:
                     description: Amazon Resource Name (ARN) of the EKS Identity Provider
                       Configuration.
                     type: string
+                  clusterName:
+                    description: –  Name of the EKS Cluster.
+                    type: string
                   id:
                     description: EKS Cluster name and EKS Identity Provider Configuration
                       name separated by a colon (:).
                     type: string
+                  oidc:
+                    description: Nested attribute containing OpenID Connect identity
+                      provider information for the cluster. Detailed below.
+                    items:
+                      properties:
+                        clientId:
+                          description: –  Client ID for the OpenID Connect identity
+                            provider.
+                          type: string
+                        groupsClaim:
+                          description: The JWT claim that the provider will use to
+                            return groups.
+                          type: string
+                        groupsPrefix:
+                          description: A prefix that is prepended to group claims
+                            e.g., oidc:.
+                          type: string
+                        issuerUrl:
+                          description: Issuer URL for the OpenID Connect identity
+                            provider.
+                          type: string
+                        requiredClaims:
+                          additionalProperties:
+                            type: string
+                          description: The key value pairs that describe required
+                            claims in the identity token.
+                          type: object
+                        usernameClaim:
+                          description: The JWT claim that the provider will use as
+                            the username.
+                          type: string
+                        usernamePrefix:
+                          description: A prefix that is prepended to username claims.
+                          type: string
+                      type: object
+                    type: array
                   status:
                     description: Status of the EKS Identity Provider Configuration.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/eks.aws.upbound.io_nodegroups.yaml b/package/crds/eks.aws.upbound.io_nodegroups.yaml
index 4156380fab..c979c9f0e5 100644
--- a/package/crds/eks.aws.upbound.io_nodegroups.yaml
+++ b/package/crds/eks.aws.upbound.io_nodegroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -615,8 +619,22 @@ spec:
                     type: object
                 required:
                 - region
-                - scalingConfig
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -788,18 +806,114 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: scalingConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scalingConfig)
           status:
             description: NodeGroupStatus defines the observed state of NodeGroup.
             properties:
               atProvider:
                 properties:
+                  amiType:
+                    description: Type of Amazon Machine Image (AMI) associated with
+                      the EKS Node Group. See the AWS documentation for valid values.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of the EKS Node Group.
                     type: string
+                  capacityType:
+                    description: 'Type of capacity associated with the EKS Node Group.
+                      Valid values: ON_DEMAND, SPOT.'
+                    type: string
+                  clusterName:
+                    description: 100 characters in length. Must begin with an alphanumeric
+                      character, and must only contain alphanumeric characters, dashes
+                      and underscores (^[0-9A-Za-z][A-Za-z0-9\-_]+$).
+                    type: string
+                  diskSize:
+                    description: Disk size in GiB for worker nodes. Defaults to 50
+                      for Windows, 20 all other node groups.
+                    type: number
+                  forceUpdateVersion:
+                    description: Force version update if existing pods are unable
+                      to be drained due to a pod disruption budget issue.
+                    type: boolean
                   id:
                     description: EKS Cluster name and EKS Node Group name separated
                       by a colon (:).
                     type: string
+                  instanceTypes:
+                    description: List of instance types associated with the EKS Node
+                      Group. Defaults to ["t3.medium"].
+                    items:
+                      type: string
+                    type: array
+                  labels:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of Kubernetes labels. Only labels that
+                      are applied with the EKS API are managed by this argument. Other
+                      Kubernetes labels applied to the EKS Node Group will not be
+                      managed.
+                    type: object
+                  launchTemplate:
+                    description: Configuration block with Launch Template settings.
+                      Detailed below.
+                    items:
+                      properties:
+                        id:
+                          description: Identifier of the EC2 Launch Template. Conflicts
+                            with name.
+                          type: string
+                        name:
+                          description: Name of the EC2 Launch Template. Conflicts
+                            with id.
+                          type: string
+                        version:
+                          description: EC2 Launch Template version number. While the
+                            API accepts values like $Default and $Latest, the API
+                            will convert the value to the associated version number
+                            (e.g., 1). Using the default_version or latest_version
+                            attribute of the aws_launch_template resource or data
+                            source is recommended for this argument.
+                          type: string
+                      type: object
+                    type: array
+                  nodeRoleArn:
+                    description: –  Amazon Resource Name (ARN) of the IAM Role that
+                      provides permissions for the EKS Node Group.
+                    type: string
+                  releaseVersion:
+                    description: –  AMI version of the EKS Node Group. Defaults to
+                      latest version for Kubernetes version.
+                    type: string
+                  remoteAccess:
+                    description: Configuration block with remote access settings.
+                      Detailed below.
+                    items:
+                      properties:
+                        ec2SshKey:
+                          description: EC2 Key Pair name that provides access for
+                            remote communication with the worker nodes in the EKS
+                            Node Group. If you specify this configuration, but do
+                            not specify source_security_group_ids when you create
+                            an EKS Node Group, either port 3389 for Windows, or port
+                            22 for all other operating systems is opened on the worker
+                            nodes to the Internet (0.0.0.0/0). For Windows nodes,
+                            this will allow you to use RDP, for all others this allows
+                            you to SSH into the worker nodes.
+                          type: string
+                        sourceSecurityGroupIds:
+                          description: Set of EC2 Security Group IDs to allow SSH
+                            access (port 22) from on the worker nodes. If you specify
+                            ec2_ssh_key, but do not specify this configuration when
+                            you create an EKS Node Group, port 22 on the worker nodes
+                            is opened to the Internet (0.0.0.0/0).
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   resources:
                     description: List of objects containing information about underlying
                       resources.
@@ -821,9 +935,39 @@ spec:
                           type: string
                       type: object
                     type: array
+                  scalingConfig:
+                    description: Configuration block with scaling settings. Detailed
+                      below.
+                    items:
+                      properties:
+                        desiredSize:
+                          description: Desired number of worker nodes.
+                          type: number
+                        maxSize:
+                          description: Maximum number of worker nodes.
+                          type: number
+                        minSize:
+                          description: Minimum number of worker nodes.
+                          type: number
+                      type: object
+                    type: array
                   status:
                     description: Status of the EKS Node Group.
                     type: string
+                  subnetIds:
+                    description: Identifiers of EC2 Subnets to associate with the
+                      EKS Node Group. Amazon EKS managed node groups can be launched
+                      in both public and private subnets. If you plan to deploy load
+                      balancers to a subnet, the private subnet must have tag kubernetes.io/role/internal-elb,
+                      the public subnet must have tag kubernetes.io/role/elb.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -831,6 +975,41 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  taint:
+                    description: The Kubernetes taints to be applied to the nodes
+                      in the node group. Maximum of 50 taints per node group. Detailed
+                      below.
+                    items:
+                      properties:
+                        effect:
+                          description: 'The effect of the taint. Valid values: NO_SCHEDULE,
+                            NO_EXECUTE, PREFER_NO_SCHEDULE.'
+                          type: string
+                        key:
+                          description: The key of the taint. Maximum length of 63.
+                          type: string
+                        value:
+                          description: The value of the taint. Maximum length of 63.
+                          type: string
+                      type: object
+                    type: array
+                  updateConfig:
+                    items:
+                      properties:
+                        maxUnavailable:
+                          description: Desired max number of unavailable worker nodes
+                            during node group update.
+                          type: number
+                        maxUnavailablePercentage:
+                          description: Desired max percentage of unavailable worker
+                            nodes during node group update.
+                          type: number
+                      type: object
+                    type: array
+                  version:
+                    description: –  Kubernetes version. Defaults to EKS Cluster Kubernetes
+                      version.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elasticache.aws.upbound.io_clusters.yaml b/package/crds/elasticache.aws.upbound.io_clusters.yaml
index 734e8504aa..689e43f790 100644
--- a/package/crds/elasticache.aws.upbound.io_clusters.yaml
+++ b/package/crds/elasticache.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -400,6 +404,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -576,9 +595,35 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applyImmediately:
+                    description: Whether any database modifications are applied immediately,
+                      or during the next maintenance window. Default is false. See
+                      Amazon ElastiCache Documentation for more information..
+                    type: boolean
                   arn:
                     description: The ARN of the created ElastiCache Cluster.
                     type: string
+                  autoMinorVersionUpgrade:
+                    description: Specifies whether minor version engine upgrades will
+                      be applied automatically to the underlying Cache Cluster instances
+                      during the maintenance window. Only supported for engine type
+                      "redis" and if the engine version is 6 or higher. Defaults to
+                      true.
+                    type: string
+                  availabilityZone:
+                    description: 'Availability Zone for the cache cluster. If you
+                      want to create cache nodes in multi-az, use preferred_availability_zones
+                      instead. Default: System chosen Availability Zone. Changing
+                      this value will re-create the resource.'
+                    type: string
+                  azMode:
+                    description: Whether the nodes in this Memcached node group are
+                      created in a single Availability Zone or created across multiple
+                      Availability Zones in the cluster's region. Valid values for
+                      this parameter are single-az or cross-az, default is single-az.
+                      If you want to choose cross-az, num_cache_nodes must be greater
+                      than 1.
+                    type: string
                   cacheNodes:
                     description: List of node objects including id, address, port
                       and availability_zone.
@@ -610,13 +655,165 @@ spec:
                     description: (Memcached only) Configuration endpoint to allow
                       host discovery.
                     type: string
+                  engine:
+                    description: –  Name of the cache engine to be used for this cache
+                      cluster. Valid values are memcached or redis.
+                    type: string
+                  engineVersion:
+                    description: –  Version number of the cache engine to be used.
+                      If not set, defaults to the latest version. See Describe Cache
+                      Engine Versions in the AWS Documentation for supported versions.
+                      When engine is redis and the version is 6 or higher, the major
+                      and minor version can be set, e.g., 6.2, or the minor version
+                      can be unspecified which will use the latest version at creation
+                      time, e.g., 6.x. Otherwise, specify the full version desired,
+                      e.g., 5.0.6. The actual engine version used is returned in the
+                      attribute engine_version_actual, see Attributes Reference below.
+                    type: string
                   engineVersionActual:
                     description: Because ElastiCache pulls the latest minor or patch
                       for a version, this attribute returns the running version of
                       the cache engine.
                     type: string
+                  finalSnapshotIdentifier:
+                    description: Name of your final cluster snapshot. If omitted,
+                      no final snapshot will be made.
+                    type: string
                   id:
                     type: string
+                  ipDiscovery:
+                    description: The IP version to advertise in the discovery protocol.
+                      Valid values are ipv4 or ipv6.
+                    type: string
+                  logDeliveryConfiguration:
+                    description: Specifies the destination and format of Redis SLOWLOG
+                      or Redis Engine Log. See the documentation on Amazon ElastiCache.
+                      See Log Delivery Configuration below for more details.
+                    items:
+                      properties:
+                        destination:
+                          description: Name of either the CloudWatch Logs LogGroup
+                            or Kinesis Data Firehose resource.
+                          type: string
+                        destinationType:
+                          description: For CloudWatch Logs use cloudwatch-logs or
+                            for Kinesis Data Firehose use kinesis-firehose.
+                          type: string
+                        logFormat:
+                          description: Valid values are json or text
+                          type: string
+                        logType:
+                          description: Valid values are  slow-log or engine-log. Max
+                            1 of each.
+                          type: string
+                      type: object
+                    type: array
+                  maintenanceWindow:
+                    description: 'ddd:hh24:mi (24H Clock UTC). The minimum maintenance
+                      window is a 60 minute period. Example: sun:05:00-sun:09:00.'
+                    type: string
+                  networkType:
+                    description: The IP versions for cache cluster connections. IPv6
+                      is supported with Redis engine 6.2 onword or Memcached version
+                      1.6.6 for all Nitro system instances. Valid values are ipv4,
+                      ipv6 or dual_stack.
+                    type: string
+                  nodeType:
+                    description: create the resource.
+                    type: string
+                  notificationTopicArn:
+                    description: east-1:012345678999:my_sns_topic.
+                    type: string
+                  numCacheNodes:
+                    description: –  The initial number of cache nodes that the cache
+                      cluster will have. For Redis, this value must be 1. For Memcached,
+                      this value must be between 1 and 40. If this number is reduced
+                      on subsequent runs, the highest numbered nodes will be removed.
+                    type: number
+                  outpostMode:
+                    description: Specify the outpost mode that will apply to the cache
+                      cluster creation. Valid values are "single-outpost" and "cross-outpost",
+                      however AWS currently only supports "single-outpost" mode.
+                    type: string
+                  parameterGroupName:
+                    description: –  The name of the parameter group to associate with
+                      this cache cluster.
+                    type: string
+                  port:
+                    description: create the resource.
+                    type: number
+                  preferredAvailabilityZones:
+                    description: 'List of the Availability Zones in which cache nodes
+                      are created. If you are creating your cluster in an Amazon VPC
+                      you can only locate nodes in Availability Zones that are associated
+                      with the subnets in the selected subnet group. The number of
+                      Availability Zones listed must equal the value of num_cache_nodes.
+                      If you want all the nodes in the same Availability Zone, use
+                      availability_zone instead, or repeat the Availability Zone multiple
+                      times in the list. Default: System chosen Availability Zones.
+                      Detecting drift of existing node availability zone is not currently
+                      supported. Updating this argument by itself to migrate existing
+                      node availability zones is not currently supported and will
+                      show a perpetual difference.'
+                    items:
+                      type: string
+                    type: array
+                  preferredOutpostArn:
+                    description: The outpost ARN in which the cache cluster will be
+                      created.
+                    type: string
+                  replicationGroupId:
+                    description: ID of the replication group to which this cluster
+                      should belong. If this parameter is specified, the cluster is
+                      added to the specified replication group as a read replica;
+                      otherwise, the cluster is a standalone primary that is not part
+                      of any replication group.
+                    type: string
+                  securityGroupIds:
+                    description: –  One or more VPC security groups associated with
+                      the cache cluster
+                    items:
+                      type: string
+                    type: array
+                  securityGroupNames:
+                    description: create the resource.
+                    items:
+                      type: string
+                    type: array
+                  snapshotArns:
+                    description: element string list containing an Amazon Resource
+                      Name (ARN) of a Redis RDB snapshot file stored in Amazon S3.
+                      The object name cannot contain any commas. Changing snapshot_arns
+                      forces a new resource.
+                    items:
+                      type: string
+                    type: array
+                  snapshotName:
+                    description: Name of a snapshot from which to restore data into
+                      the new node group. Changing snapshot_name forces a new resource.
+                    type: string
+                  snapshotRetentionLimit:
+                    description: Number of days for which ElastiCache will retain
+                      automatic cache cluster snapshots before deleting them. For
+                      example, if you set SnapshotRetentionLimit to 5, then a snapshot
+                      that was taken today will be retained for 5 days before being
+                      deleted. If the value of SnapshotRetentionLimit is set to zero
+                      (0), backups are turned off. Please note that setting a snapshot_retention_limit
+                      is not supported on cache.t1.micro cache nodes
+                    type: number
+                  snapshotWindow:
+                    description: 'Daily time range (in UTC) during which ElastiCache
+                      will begin taking a daily snapshot of your cache cluster. Example:
+                      05:00-09:00'
+                    type: string
+                  subnetGroupName:
+                    description: create the resource.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elasticache.aws.upbound.io_parametergroups.yaml b/package/crds/elasticache.aws.upbound.io_parametergroups.yaml
index d3e6b9d33f..d460b1d1b0 100644
--- a/package/crds/elasticache.aws.upbound.io_parametergroups.yaml
+++ b/package/crds/elasticache.aws.upbound.io_parametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -98,10 +102,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -273,6 +290,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ParameterGroupStatus defines the observed state of ParameterGroup.
             properties:
@@ -281,9 +303,35 @@ spec:
                   arn:
                     description: The AWS ARN associated with the parameter group.
                     type: string
+                  description:
+                    description: The description of the ElastiCache parameter group.
+                    type: string
+                  family:
+                    description: The family of the ElastiCache parameter group.
+                    type: string
                   id:
                     description: The ElastiCache parameter group name.
                     type: string
+                  name:
+                    description: The name of the ElastiCache parameter group.
+                    type: string
+                  parameter:
+                    description: A list of ElastiCache parameters to apply.
+                    items:
+                      properties:
+                        name:
+                          description: The name of the ElastiCache parameter group.
+                          type: string
+                        value:
+                          description: The value of the ElastiCache parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml b/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml
index 2d5b718ee5..b4bc136e35 100644
--- a/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml
+++ b/package/crds/elasticache.aws.upbound.io_replicationgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -556,6 +560,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -732,30 +751,198 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applyImmediately:
+                    description: Specifies whether any modifications are applied immediately,
+                      or during the next maintenance window. Default is false.
+                    type: boolean
                   arn:
                     description: ARN of the created ElastiCache Replication Group.
                     type: string
+                  atRestEncryptionEnabled:
+                    description: Whether to enable encryption at rest.
+                    type: boolean
+                  autoMinorVersionUpgrade:
+                    description: Specifies whether minor version engine upgrades will
+                      be applied automatically to the underlying Cache Cluster instances
+                      during the maintenance window. Only supported for engine type
+                      "redis" and if the engine version is 6 or higher. Defaults to
+                      true.
+                    type: string
+                  automaticFailoverEnabled:
+                    description: Specifies whether a read-only replica will be automatically
+                      promoted to read/write primary if the existing primary fails.
+                      If enabled, num_cache_clusters must be greater than 1. Must
+                      be enabled for Redis (cluster mode enabled) replication groups.
+                      Defaults to false.
+                    type: boolean
+                  availabilityZones:
+                    description: List of EC2 availability zones in which the replication
+                      group's cache clusters will be created. The order of the availability
+                      zones in the list is not considered.
+                    items:
+                      type: string
+                    type: array
                   clusterEnabled:
                     description: Indicates if cluster mode is enabled.
                     type: boolean
+                  clusterMode:
+                    description: Create a native Redis cluster. automatic_failover_enabled
+                      must be set to true. Cluster Mode documented below. Only 1 cluster_mode
+                      block is allowed. Note that configuring this block does not
+                      enable cluster mode, i.e., data sharding, this requires using
+                      a parameter group that has the parameter cluster-enabled set
+                      to true.
+                    items:
+                      properties:
+                        numNodeGroups:
+                          description: Number of node groups (shards) for this Redis
+                            replication group. Changing this number will trigger a
+                            resizing operation before other settings modifications.
+                          type: number
+                        replicasPerNodeGroup:
+                          description: Number of replica nodes in each node group.
+                            Changing this number will trigger a resizing operation
+                            before other settings modifications. Valid values are
+                            0 to 5.
+                          type: number
+                      type: object
+                    type: array
                   configurationEndpointAddress:
                     description: Address of the replication group configuration endpoint
                       when cluster mode is enabled.
                     type: string
+                  dataTieringEnabled:
+                    description: Enables data tiering. Data tiering is only supported
+                      for replication groups using the r6gd node type. This parameter
+                      must be set to true when using r6gd nodes.
+                    type: boolean
+                  description:
+                    description: created description for the replication group. Must
+                      not be empty.
+                    type: string
+                  engine:
+                    description: Name of the cache engine to be used for the clusters
+                      in this replication group. The only valid value is redis.
+                    type: string
+                  engineVersion:
+                    description: Version number of the cache engine to be used for
+                      the cache clusters in this replication group. If the version
+                      is 6 or higher, the major and minor version can be set, e.g.,
+                      6.2, or the minor version can be unspecified which will use
+                      the latest version at creation time, e.g., 6.x. Otherwise, specify
+                      the full version desired, e.g., 5.0.6. The actual engine version
+                      used is returned in the attribute engine_version_actual, see
+                      Attributes Reference below.
+                    type: string
                   engineVersionActual:
                     description: Because ElastiCache pulls the latest minor or patch
                       for a version, this attribute returns the running version of
                       the cache engine.
                     type: string
+                  finalSnapshotIdentifier:
+                    description: The name of your final node group (shard) snapshot.
+                      ElastiCache creates the snapshot from the primary node in the
+                      cluster. If omitted, no final snapshot will be made.
+                    type: string
+                  globalReplicationGroupId:
+                    description: The ID of the global replication group to which this
+                      replication group should belong. If this parameter is specified,
+                      the replication group is added to the specified global replication
+                      group as a secondary replication group; otherwise, the replication
+                      group is not part of any global replication group. If global_replication_group_id
+                      is set, the num_node_groups parameter (or the num_node_groups
+                      parameter of the deprecated cluster_mode block) cannot be set.
+                    type: string
                   id:
                     description: ID of the ElastiCache Replication Group.
                     type: string
+                  kmsKeyId:
+                    description: The ARN of the key that you wish to use if encrypting
+                      at rest. If not supplied, uses service managed encryption. Can
+                      be specified only if at_rest_encryption_enabled = true.
+                    type: string
+                  logDeliveryConfiguration:
+                    description: Specifies the destination and format of Redis SLOWLOG
+                      or Redis Engine Log. See the documentation on Amazon ElastiCache.
+                      See Log Delivery Configuration below for more details.
+                    items:
+                      properties:
+                        destination:
+                          description: Name of either the CloudWatch Logs LogGroup
+                            or Kinesis Data Firehose resource.
+                          type: string
+                        destinationType:
+                          description: For CloudWatch Logs use cloudwatch-logs or
+                            for Kinesis Data Firehose use kinesis-firehose.
+                          type: string
+                        logFormat:
+                          description: Valid values are json or text
+                          type: string
+                        logType:
+                          description: Valid values are  slow-log or engine-log. Max
+                            1 of each.
+                          type: string
+                      type: object
+                    type: array
+                  maintenanceWindow:
+                    description: 'ddd:hh24:mi (24H Clock UTC). The minimum maintenance
+                      window is a 60 minute period. Example: sun:05:00-sun:09:00'
+                    type: string
                   memberClusters:
                     description: Identifiers of all the nodes that are part of this
                       replication group.
                     items:
                       type: string
                     type: array
+                  multiAzEnabled:
+                    description: Specifies whether to enable Multi-AZ Support for
+                      the replication group. If true, automatic_failover_enabled must
+                      also be enabled. Defaults to false.
+                    type: boolean
+                  nodeType:
+                    description: Instance class to be used. See AWS documentation
+                      for information on supported node types and guidance on selecting
+                      node types. Required unless global_replication_group_id is set.
+                      Cannot be set if global_replication_group_id is set.
+                    type: string
+                  notificationTopicArn:
+                    description: east-1:012345678999:my_sns_topic
+                    type: string
+                  numCacheClusters:
+                    description: 00#.
+                    type: number
+                  numNodeGroups:
+                    description: Number of node groups (shards) for this Redis replication
+                      group. Changing this number will trigger a resizing operation
+                      before other settings modifications.
+                    type: number
+                  numberCacheClusters:
+                    description: Number of cache clusters (primary and replicas) this
+                      replication group will have. If Multi-AZ is enabled, the value
+                      of this parameter must be at least 2. Updates will occur before
+                      other modifications. Conflicts with num_cache_clusters, num_node_groups,
+                      or the deprecated cluster_mode. Defaults to 1.
+                    type: number
+                  parameterGroupName:
+                    description: Name of the parameter group to associate with this
+                      replication group. If this argument is omitted, the default
+                      cache parameter group for the specified engine is used. To enable
+                      "cluster mode", i.e., data sharding, use a parameter group that
+                      has the parameter cluster-enabled set to true.
+                    type: string
+                  port:
+                    description: –  Port number on which each of the cache nodes will
+                      accept connections. For Memcache the default is 11211, and for
+                      Redis the default port is 6379.
+                    type: number
+                  preferredCacheClusterAzs:
+                    description: List of EC2 availability zones in which the replication
+                      group's cache clusters will be created. The order of the availability
+                      zones in the list is considered. The first item in the list
+                      will be the primary node. Ignored when updating.
+                    items:
+                      type: string
+                    type: array
                   primaryEndpointAddress:
                     description: (Redis only) Address of the endpoint for the primary
                       node in the replication group, if the cluster mode is disabled.
@@ -764,12 +951,83 @@ spec:
                     description: (Redis only) Address of the endpoint for the reader
                       node in the replication group, if the cluster mode is disabled.
                     type: string
+                  replicasPerNodeGroup:
+                    description: Number of replica nodes in each node group. Changing
+                      this number will trigger a resizing operation before other settings
+                      modifications. Valid values are 0 to 5.
+                    type: number
+                  replicationGroupDescription:
+                    description: created description for the replication group. Must
+                      not be empty.
+                    type: string
+                  securityGroupIds:
+                    description: One or more Amazon VPC security groups associated
+                      with this replication group. Use this parameter only when you
+                      are creating a replication group in an Amazon Virtual Private
+                      Cloud
+                    items:
+                      type: string
+                    type: array
+                  securityGroupNames:
+                    description: List of cache security group names to associate with
+                      this replication group.
+                    items:
+                      type: string
+                    type: array
+                  snapshotArns:
+                    description: –  List of ARNs that identify Redis RDB snapshot
+                      files stored in Amazon S3. The names object names cannot contain
+                      any commas.
+                    items:
+                      type: string
+                    type: array
+                  snapshotName:
+                    description: Name of a snapshot from which to restore data into
+                      the new node group. Changing the snapshot_name forces a new
+                      resource.
+                    type: string
+                  snapshotRetentionLimit:
+                    description: Number of days for which ElastiCache will retain
+                      automatic cache cluster snapshots before deleting them. For
+                      example, if you set SnapshotRetentionLimit to 5, then a snapshot
+                      that was taken today will be retained for 5 days before being
+                      deleted. If the value of snapshot_retention_limit is set to
+                      zero (0), backups are turned off. Please note that setting a
+                      snapshot_retention_limit is not supported on cache.t1.micro
+                      cache nodes
+                    type: number
+                  snapshotWindow:
+                    description: 'Daily time range (in UTC) during which ElastiCache
+                      will begin taking a daily snapshot of your cache cluster. The
+                      minimum snapshot window is a 60 minute period. Example: 05:00-09:00'
+                    type: string
+                  subnetGroupName:
+                    description: Name of the cache subnet group to be used for the
+                      replication group.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  transitEncryptionEnabled:
+                    description: Whether to enable encryption in transit.
+                    type: boolean
+                  userGroupIds:
+                    description: 'User Group ID to associate with the replication
+                      group. Only a maximum of one (1) user group ID is valid. NOTE:
+                      This argument is a set because the AWS specification allows
+                      for multiple IDs. However, in practice, AWS only allows a maximum
+                      size of one.'
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elasticache.aws.upbound.io_subnetgroups.yaml b/package/crds/elasticache.aws.upbound.io_subnetgroups.yaml
index 978a0c139f..90d5f09fb7 100644
--- a/package/crds/elasticache.aws.upbound.io_subnetgroups.yaml
+++ b/package/crds/elasticache.aws.upbound.io_subnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,6 +165,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -339,8 +358,21 @@ spec:
                 properties:
                   arn:
                     type: string
+                  description:
+                    description: –  Description for the cache subnet group.
+                    type: string
                   id:
                     type: string
+                  subnetIds:
+                    description: –  List of VPC Subnet IDs for the cache subnet group
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elasticache.aws.upbound.io_usergroups.yaml b/package/crds/elasticache.aws.upbound.io_usergroups.yaml
index 9237166dc2..4e59c148b1 100644
--- a/package/crds/elasticache.aws.upbound.io_usergroups.yaml
+++ b/package/crds/elasticache.aws.upbound.io_usergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,9 +165,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - engine
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -335,14 +353,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: engine is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engine)
           status:
             description: UserGroupStatus defines the observed state of UserGroup.
             properties:
               atProvider:
                 properties:
+                  arn:
+                    description: The ARN that identifies the user group.
+                    type: string
+                  engine:
+                    description: The current supported value is REDIS.
+                    type: string
                   id:
                     description: The user group identifier.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -350,6 +382,11 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  userIds:
+                    description: The list of user IDs that belong to the user group.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elasticache.aws.upbound.io_users.yaml b/package/crds/elasticache.aws.upbound.io_users.yaml
index c61112c709..a1e1fe6366 100644
--- a/package/crds/elasticache.aws.upbound.io_users.yaml
+++ b/package/crds/elasticache.aws.upbound.io_users.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -112,11 +116,23 @@ spec:
                     description: The username of the user.
                     type: string
                 required:
-                - accessString
-                - engine
                 - region
-                - userName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -288,17 +304,45 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accessString is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessString)
+            - message: engine is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engine)
+            - message: userName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userName)
           status:
             description: UserStatus defines the observed state of User.
             properties:
               atProvider:
                 properties:
+                  accessString:
+                    description: Access permissions string used for this user. See
+                      Specifying Permissions Using an Access String for more details.
+                    type: string
+                  arn:
+                    description: The ARN of the created ElastiCache User.
+                    type: string
+                  engine:
+                    description: The current supported value is REDIS.
+                    type: string
                   id:
                     type: string
+                  noPasswordRequired:
+                    description: Indicates a password is not required for this user.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  userName:
+                    description: The username of the user.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elasticbeanstalk.aws.upbound.io_applications.yaml b/package/crds/elasticbeanstalk.aws.upbound.io_applications.yaml
index ee8311745b..5436a226fb 100644
--- a/package/crds/elasticbeanstalk.aws.upbound.io_applications.yaml
+++ b/package/crds/elasticbeanstalk.aws.upbound.io_applications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -179,6 +183,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -355,12 +374,44 @@ spec:
             properties:
               atProvider:
                 properties:
+                  appversionLifecycle:
+                    items:
+                      properties:
+                        deleteSourceFromS3:
+                          description: Set to true to delete a version's source bundle
+                            from S3 when the application version is deleted.
+                          type: boolean
+                        maxAgeInDays:
+                          description: The number of days to retain an application
+                            version ('max_age_in_days' and 'max_count' cannot be enabled
+                            simultaneously.).
+                          type: number
+                        maxCount:
+                          description: The maximum number of application versions
+                            to retain ('max_age_in_days' and 'max_count' cannot be
+                            enabled simultaneously.).
+                          type: number
+                        serviceRole:
+                          description: The ARN of an IAM service role under which
+                            the application version is deleted.  Elastic Beanstalk
+                            must have permission to assume this role.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: The ARN assigned by AWS for this Elastic Beanstalk
                       Application.
                     type: string
+                  description:
+                    description: Short description of the application
+                    type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elasticbeanstalk.aws.upbound.io_applicationversions.yaml b/package/crds/elasticbeanstalk.aws.upbound.io_applicationversions.yaml
index b971989d90..ddde7b597f 100644
--- a/package/crds/elasticbeanstalk.aws.upbound.io_applicationversions.yaml
+++ b/package/crds/elasticbeanstalk.aws.upbound.io_applicationversions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -239,9 +243,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - application
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -413,16 +431,43 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: application is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.application)
           status:
             description: ApplicationVersionStatus defines the observed state of ApplicationVersion.
             properties:
               atProvider:
                 properties:
+                  application:
+                    description: Name of the Beanstalk Application the version is
+                      associated with.
+                    type: string
                   arn:
                     description: ARN assigned by AWS for this Elastic Beanstalk Application.
                     type: string
+                  bucket:
+                    description: S3 bucket that contains the Application Version source
+                      bundle.
+                    type: string
+                  description:
+                    description: Short description of the Application Version.
+                    type: string
+                  forceDelete:
+                    description: On delete, force an Application Version to be deleted
+                      when it may be in use by multiple Elastic Beanstalk Environments.
+                    type: boolean
                   id:
                     type: string
+                  key:
+                    description: S3 object that is the Application Version source
+                      bundle.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elasticbeanstalk.aws.upbound.io_configurationtemplates.yaml b/package/crds/elasticbeanstalk.aws.upbound.io_configurationtemplates.yaml
index 6c5694feeb..aa9028365e 100644
--- a/package/crds/elasticbeanstalk.aws.upbound.io_configurationtemplates.yaml
+++ b/package/crds/elasticbeanstalk.aws.upbound.io_configurationtemplates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -186,6 +190,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -363,8 +382,44 @@ spec:
             properties:
               atProvider:
                 properties:
+                  application:
+                    description: –  name of the application to associate with this
+                      configuration template
+                    type: string
+                  description:
+                    description: Short description of the Template
+                    type: string
+                  environmentId:
+                    description: –  The ID of the environment used with this configuration
+                      template
+                    type: string
                   id:
                     type: string
+                  setting:
+                    description: –  Option settings to configure the new Environment.
+                      These override specific values that are set as defaults. The
+                      format is detailed below in Option Settings
+                    items:
+                      properties:
+                        name:
+                          description: A unique name for this Template.
+                          type: string
+                        namespace:
+                          description: unique namespace identifying the option's associated
+                            AWS resource
+                          type: string
+                        resource:
+                          description: resource name for scheduled action
+                          type: string
+                        value:
+                          description: value for the configuration option
+                          type: string
+                      type: object
+                    type: array
+                  solutionStackName:
+                    description: –  A solution stack to base your Template off of.
+                      Example stacks can be found in the Amazon API documentation
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elasticsearch.aws.upbound.io_domainpolicies.yaml b/package/crds/elasticsearch.aws.upbound.io_domainpolicies.yaml
index a4406c8337..e8b302f841 100644
--- a/package/crds/elasticsearch.aws.upbound.io_domainpolicies.yaml
+++ b/package/crds/elasticsearch.aws.upbound.io_domainpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,9 +155,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - accessPolicies
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,11 +343,21 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accessPolicies is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicies)
           status:
             description: DomainPolicyStatus defines the observed state of DomainPolicy.
             properties:
               atProvider:
                 properties:
+                  accessPolicies:
+                    description: IAM policy document specifying the access policies
+                      for the domain
+                    type: string
+                  domainName:
+                    description: Name of the domain.
+                    type: string
                   id:
                     type: string
                 type: object
diff --git a/package/crds/elasticsearch.aws.upbound.io_domains.yaml b/package/crds/elasticsearch.aws.upbound.io_domains.yaml
index 219cf48ac3..4937d5e920 100644
--- a/package/crds/elasticsearch.aws.upbound.io_domains.yaml
+++ b/package/crds/elasticsearch.aws.upbound.io_domains.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -526,6 +530,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -702,12 +721,270 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accessPolicies:
+                    description: IAM policy document specifying the access policies
+                      for the domain.
+                    type: string
+                  advancedOptions:
+                    additionalProperties:
+                      type: string
+                    description: Key-value string pairs to specify advanced configuration
+                      options.
+                    type: object
+                  advancedSecurityOptions:
+                    description: Configuration block for fine-grained access control.
+                      Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether advanced security is enabled.
+                          type: boolean
+                        internalUserDatabaseEnabled:
+                          description: Whether the internal user database is enabled.
+                            If not set, defaults to false by the AWS API.
+                          type: boolean
+                        masterUserOptions:
+                          description: Configuration block for the main user. Detailed
+                            below.
+                          items:
+                            properties:
+                              masterUserArn:
+                                description: ARN for the main user. Only specify if
+                                  internal_user_database_enabled is not set or set
+                                  to false.
+                                type: string
+                              masterUserName:
+                                description: Main user's username, which is stored
+                                  in the Amazon Elasticsearch Service domain's internal
+                                  database. Only specify if internal_user_database_enabled
+                                  is set to true.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   arn:
                     description: ARN of the domain.
                     type: string
+                  autoTuneOptions:
+                    description: Configuration block for the Auto-Tune options of
+                      the domain. Detailed below.
+                    items:
+                      properties:
+                        desiredState:
+                          description: 'The Auto-Tune desired state for the domain.
+                            Valid values: ENABLED or DISABLED.'
+                          type: string
+                        maintenanceSchedule:
+                          description: Configuration block for Auto-Tune maintenance
+                            windows. Can be specified multiple times for each maintenance
+                            window. Detailed below.
+                          items:
+                            properties:
+                              cronExpressionForRecurrence:
+                                description: A cron expression specifying the recurrence
+                                  pattern for an Auto-Tune maintenance schedule.
+                                type: string
+                              duration:
+                                description: Configuration block for the duration
+                                  of the Auto-Tune maintenance window. Detailed below.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'The unit of time specifying the
+                                        duration of an Auto-Tune maintenance window.
+                                        Valid values: HOURS.'
+                                      type: string
+                                    value:
+                                      description: An integer specifying the value
+                                        of the duration of an Auto-Tune maintenance
+                                        window.
+                                      type: number
+                                  type: object
+                                type: array
+                              startAt:
+                                description: Date and time at which to start the Auto-Tune
+                                  maintenance schedule in RFC3339 format.
+                                type: string
+                            type: object
+                          type: array
+                        rollbackOnDisable:
+                          description: 'Whether to roll back to default Auto-Tune
+                            settings when disabling Auto-Tune. Valid values: DEFAULT_ROLLBACK
+                            or NO_ROLLBACK.'
+                          type: string
+                      type: object
+                    type: array
+                  clusterConfig:
+                    description: Configuration block for the cluster of the domain.
+                      Detailed below.
+                    items:
+                      properties:
+                        coldStorageOptions:
+                          description: Configuration block containing cold storage
+                            configuration. Detailed below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Boolean to enable cold storage for an
+                                  Elasticsearch domain. Defaults to false. Master
+                                  and ultrawarm nodes must be enabled for cold storage.
+                                type: boolean
+                            type: object
+                          type: array
+                        dedicatedMasterCount:
+                          description: Number of dedicated main nodes in the cluster.
+                          type: number
+                        dedicatedMasterEnabled:
+                          description: Whether dedicated main nodes are enabled for
+                            the cluster.
+                          type: boolean
+                        dedicatedMasterType:
+                          description: Instance type of the dedicated main nodes in
+                            the cluster.
+                          type: string
+                        instanceCount:
+                          description: Number of instances in the cluster.
+                          type: number
+                        instanceType:
+                          description: Instance type of data nodes in the cluster.
+                          type: string
+                        warmCount:
+                          description: Number of warm nodes in the cluster. Valid
+                            values are between 2 and 150. warm_count can be only and
+                            must be set when warm_enabled is set to true.
+                          type: number
+                        warmEnabled:
+                          description: Whether to enable warm storage.
+                          type: boolean
+                        warmType:
+                          description: Instance type for the Elasticsearch cluster's
+                            warm nodes. Valid values are ultrawarm1.medium.elasticsearch,
+                            ultrawarm1.large.elasticsearch and ultrawarm1.xlarge.elasticsearch.
+                            warm_type can be only and must be set when warm_enabled
+                            is set to true.
+                          type: string
+                        zoneAwarenessConfig:
+                          description: Configuration block containing zone awareness
+                            settings. Detailed below.
+                          items:
+                            properties:
+                              availabilityZoneCount:
+                                description: 'Number of Availability Zones for the
+                                  domain to use with zone_awareness_enabled. Defaults
+                                  to 2. Valid values: 2 or 3.'
+                                type: number
+                            type: object
+                          type: array
+                        zoneAwarenessEnabled:
+                          description: Whether zone awareness is enabled, set to true
+                            for multi-az deployment. To enable awareness with three
+                            Availability Zones, the availability_zone_count within
+                            the zone_awareness_config must be set to 3.
+                          type: boolean
+                      type: object
+                    type: array
+                  cognitoOptions:
+                    description: Configuration block for authenticating Kibana with
+                      Cognito. Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether Amazon Cognito authentication with
+                            Kibana is enabled or not.
+                          type: boolean
+                        identityPoolId:
+                          description: ID of the Cognito Identity Pool to use.
+                          type: string
+                        roleArn:
+                          description: ARN of the IAM role that has the AmazonESCognitoAccess
+                            policy attached.
+                          type: string
+                        userPoolId:
+                          description: ID of the Cognito User Pool to use.
+                          type: string
+                      type: object
+                    type: array
+                  domainEndpointOptions:
+                    description: Configuration block for domain endpoint HTTP(S) related
+                      options. Detailed below.
+                    items:
+                      properties:
+                        customEndpoint:
+                          description: Fully qualified domain for your custom endpoint.
+                          type: string
+                        customEndpointCertificateArn:
+                          description: ACM certificate ARN for your custom endpoint.
+                          type: string
+                        customEndpointEnabled:
+                          description: Whether to enable custom endpoint for the Elasticsearch
+                            domain.
+                          type: boolean
+                        enforceHttps:
+                          description: Whether or not to require HTTPS. Defaults to
+                            true.
+                          type: boolean
+                        tlsSecurityPolicy:
+                          description: 'Name of the TLS security policy that needs
+                            to be applied to the HTTPS endpoint. Valid values:  Policy-Min-TLS-1-0-2019-07
+                            and Policy-Min-TLS-1-2-2019-07.'
+                          type: string
+                      type: object
+                    type: array
                   domainId:
                     description: Unique identifier for the domain.
                     type: string
+                  ebsOptions:
+                    description: Configuration block for EBS related options, may
+                      be required based on chosen instance size. Detailed below.
+                    items:
+                      properties:
+                        ebsEnabled:
+                          description: Whether EBS volumes are attached to data nodes
+                            in the domain.
+                          type: boolean
+                        iops:
+                          description: Baseline input/output (I/O) performance of
+                            EBS volumes attached to data nodes. Applicable only for
+                            the GP3 and Provisioned IOPS EBS volume types.
+                          type: number
+                        throughput:
+                          description: Specifies the throughput (in MiB/s) of the
+                            EBS volumes attached to data nodes. Applicable only for
+                            the gp3 volume type. Valid values are between 125 and
+                            1000.
+                          type: number
+                        volumeSize:
+                          description: Size of EBS volumes attached to data nodes
+                            (in GiB).
+                          type: number
+                        volumeType:
+                          description: Type of EBS volumes attached to data nodes.
+                          type: string
+                      type: object
+                    type: array
+                  elasticsearchVersion:
+                    description: Version of Elasticsearch to deploy. Defaults to 1.5.
+                    type: string
+                  encryptAtRest:
+                    description: Configuration block for encrypt at rest options.
+                      Only available for certain instance types. Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether to enable encryption at rest. If the
+                            encrypt_at_rest block is not provided then this defaults
+                            to false. Enabling encryption on new domains requires
+                            elasticsearch_version 5.1 or greater.
+                          type: boolean
+                        kmsKeyId:
+                          description: KMS key ARN to encrypt the Elasticsearch domain
+                            with. If not specified then it defaults to using the aws/es
+                            service KMS key. Note that KMS will accept a KMS key ID
+                            but will return the key ARN.
+                          type: string
+                      type: object
+                    type: array
                   endpoint:
                     description: Domain-specific endpoint used to submit index, search,
                       and data upload requests.
@@ -718,6 +995,60 @@ spec:
                     description: Domain-specific endpoint for kibana without https
                       scheme.
                     type: string
+                  logPublishingOptions:
+                    description: Configuration block for publishing slow and application
+                      logs to CloudWatch Logs. This block can be declared multiple
+                      times, for each log_type, within the same resource. Detailed
+                      below.
+                    items:
+                      properties:
+                        cloudwatchLogGroupArn:
+                          description: ARN of the Cloudwatch log group to which log
+                            needs to be published.
+                          type: string
+                        enabled:
+                          description: Whether given log publishing option is enabled
+                            or not.
+                          type: boolean
+                        logType:
+                          description: 'Type of Elasticsearch log. Valid values: INDEX_SLOW_LOGS,
+                            SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, AUDIT_LOGS.'
+                          type: string
+                      type: object
+                    type: array
+                  nodeToNodeEncryption:
+                    description: Configuration block for node-to-node encryption options.
+                      Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether to enable node-to-node encryption.
+                            If the node_to_node_encryption block is not provided then
+                            this defaults to false. Enabling node-to-node encryption
+                            of a new domain requires an elasticsearch_version of 6.0
+                            or greater.
+                          type: boolean
+                      type: object
+                    type: array
+                  snapshotOptions:
+                    description: Configuration block for snapshot related options.
+                      Detailed below. DEPRECATED. For domains running Elasticsearch
+                      5.3 and later, Amazon ES takes hourly automated snapshots, making
+                      this setting irrelevant. For domains running earlier versions
+                      of Elasticsearch, Amazon ES takes daily automated snapshots.
+                    items:
+                      properties:
+                        automatedSnapshotStartHour:
+                          description: Hour during which the service takes an automated
+                            daily snapshot of the indices in the domain.
+                          type: number
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -737,6 +1068,19 @@ spec:
                           items:
                             type: string
                           type: array
+                        securityGroupIds:
+                          description: List of VPC Security Group IDs to be applied
+                            to the Elasticsearch domain endpoints. If omitted, the
+                            default Security Group for the VPC will be used.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: List of VPC Subnet IDs for the Elasticsearch
+                            domain endpoints to be created in.
+                          items:
+                            type: string
+                          type: array
                         vpcId:
                           description: If the domain was created inside a VPC, the
                             ID of the VPC.
diff --git a/package/crds/elasticsearch.aws.upbound.io_domainsamloptions.yaml b/package/crds/elasticsearch.aws.upbound.io_domainsamloptions.yaml
index ecc8ff4b54..1433e4595c 100644
--- a/package/crds/elasticsearch.aws.upbound.io_domainsamloptions.yaml
+++ b/package/crds/elasticsearch.aws.upbound.io_domainsamloptions.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -135,6 +139,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -315,6 +334,49 @@ spec:
                     description: The name of the domain the SAML options are associated
                       with.
                     type: string
+                  samlOptions:
+                    description: The SAML authentication options for an AWS Elasticsearch
+                      Domain.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether SAML authentication is enabled.
+                          type: boolean
+                        idp:
+                          description: Information from your identity provider.
+                          items:
+                            properties:
+                              entityId:
+                                description: The unique Entity ID of the application
+                                  in SAML Identity Provider.
+                                type: string
+                              metadataContent:
+                                description: The Metadata of the SAML application
+                                  in xml format.
+                                type: string
+                            type: object
+                          type: array
+                        masterBackendRole:
+                          description: This backend role from the SAML IdP receives
+                            full permissions to the cluster, equivalent to a new master
+                            user.
+                          type: string
+                        rolesKey:
+                          description: Element of the SAML assertion to use for backend
+                            roles. Default is roles.
+                          type: string
+                        sessionTimeoutMinutes:
+                          description: Duration of a session in minutes after a user
+                            logs in. Default is 60. Maximum value is 1,440.
+                          type: number
+                        subjectKey:
+                          description: Custom SAML attribute to use for user names.
+                            Default is an empty string - "". This will cause Elasticsearch
+                            to use the NameID element of the Subject, which is the
+                            default location for name identifiers in the SAML specification.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elastictranscoder.aws.upbound.io_pipelines.yaml b/package/crds/elastictranscoder.aws.upbound.io_pipelines.yaml
index 22211ca902..ff3de6e5db 100644
--- a/package/crds/elastictranscoder.aws.upbound.io_pipelines.yaml
+++ b/package/crds/elastictranscoder.aws.upbound.io_pipelines.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -499,6 +503,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -678,9 +697,139 @@ spec:
                   arn:
                     description: The ARN of the Elastictranscoder pipeline.
                     type: string
+                  awsKmsKeyArn:
+                    description: The AWS Key Management Service (AWS KMS) key that
+                      you want to use with this pipeline.
+                    type: string
+                  contentConfig:
+                    description: The ContentConfig object specifies information about
+                      the Amazon S3 bucket in which you want Elastic Transcoder to
+                      save transcoded files and playlists. (documented below)
+                    items:
+                      properties:
+                        bucket:
+                          description: The Amazon S3 bucket in which you want Elastic
+                            Transcoder to save transcoded files and playlists.
+                          type: string
+                        storageClass:
+                          description: The Amazon S3 storage class, Standard or ReducedRedundancy,
+                            that you want Elastic Transcoder to assign to the files
+                            and playlists that it stores in your Amazon S3 bucket.
+                          type: string
+                      type: object
+                    type: array
+                  contentConfigPermissions:
+                    description: The permissions for the content_config object. (documented
+                      below)
+                    items:
+                      properties:
+                        access:
+                          description: The permission that you want to give to the
+                            AWS user that you specified in content_config_permissions.grantee.
+                            Valid values are Read, ReadAcp, WriteAcp or FullControl.
+                          items:
+                            type: string
+                          type: array
+                        grantee:
+                          description: The AWS user or group that you want to have
+                            access to transcoded files and playlists.
+                          type: string
+                        granteeType:
+                          description: Specify the type of value that appears in the
+                            content_config_permissions.grantee object. Valid values
+                            are Canonical, Email or Group.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the Elastictranscoder pipeline.
                     type: string
+                  inputBucket:
+                    description: The Amazon S3 bucket in which you saved the media
+                      files that you want to transcode and the graphics that you want
+                      to use as watermarks.
+                    type: string
+                  name:
+                    description: The name of the pipeline. Maximum 40 characters
+                    type: string
+                  notifications:
+                    description: The Amazon Simple Notification Service (Amazon SNS)
+                      topic that you want to notify to report job status. (documented
+                      below)
+                    items:
+                      properties:
+                        completed:
+                          description: The topic ARN for the Amazon SNS topic that
+                            you want to notify when Elastic Transcoder has finished
+                            processing a job in this pipeline.
+                          type: string
+                        error:
+                          description: The topic ARN for the Amazon SNS topic that
+                            you want to notify when Elastic Transcoder encounters
+                            an error condition while processing a job in this pipeline.
+                          type: string
+                        progressing:
+                          description: The topic ARN for the Amazon Simple Notification
+                            Service (Amazon SNS) topic that you want to notify when
+                            Elastic Transcoder has started to process a job in this
+                            pipeline.
+                          type: string
+                        warning:
+                          description: The topic ARN for the Amazon SNS topic that
+                            you want to notify when Elastic Transcoder encounters
+                            a warning condition while processing a job in this pipeline.
+                          type: string
+                      type: object
+                    type: array
+                  outputBucket:
+                    description: The Amazon S3 bucket in which you want Elastic Transcoder
+                      to save the transcoded files.
+                    type: string
+                  role:
+                    description: The IAM Amazon Resource Name (ARN) for the role that
+                      you want Elastic Transcoder to use to transcode jobs for this
+                      pipeline.
+                    type: string
+                  thumbnailConfig:
+                    description: The ThumbnailConfig object specifies information
+                      about the Amazon S3 bucket in which you want Elastic Transcoder
+                      to save thumbnail files. (documented below)
+                    items:
+                      properties:
+                        bucket:
+                          description: The Amazon S3 bucket in which you want Elastic
+                            Transcoder to save transcoded files and playlists.
+                          type: string
+                        storageClass:
+                          description: The Amazon S3 storage class, Standard or ReducedRedundancy,
+                            that you want Elastic Transcoder to assign to the files
+                            and playlists that it stores in your Amazon S3 bucket.
+                          type: string
+                      type: object
+                    type: array
+                  thumbnailConfigPermissions:
+                    description: The permissions for the thumbnail_config object.
+                      (documented below)
+                    items:
+                      properties:
+                        access:
+                          description: The permission that you want to give to the
+                            AWS user that you specified in content_config_permissions.grantee.
+                            Valid values are Read, ReadAcp, WriteAcp or FullControl.
+                          items:
+                            type: string
+                          type: array
+                        grantee:
+                          description: The AWS user or group that you want to have
+                            access to transcoded files and playlists.
+                          type: string
+                        granteeType:
+                          description: Specify the type of value that appears in the
+                            content_config_permissions.grantee object. Valid values
+                            are Canonical, Email or Group.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elastictranscoder.aws.upbound.io_presets.yaml b/package/crds/elastictranscoder.aws.upbound.io_presets.yaml
index 8f0e3e729e..6b460c96a9 100644
--- a/package/crds/elastictranscoder.aws.upbound.io_presets.yaml
+++ b/package/crds/elastictranscoder.aws.upbound.io_presets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -342,9 +346,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - container
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -516,6 +534,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: container is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.container)
           status:
             description: PresetStatus defines the observed state of Preset.
             properties:
@@ -525,11 +546,284 @@ spec:
                     description: Amazon Resource Name (ARN) of the Elastic Transcoder
                       Preset.
                     type: string
+                  audio:
+                    description: Audio parameters object (documented below).
+                    items:
+                      properties:
+                        audioPackingMode:
+                          description: The method of organizing audio channels and
+                            tracks. Use Audio:Channels to specify the number of channels
+                            in your output, and Audio:AudioPackingMode to specify
+                            the number of tracks and their relation to the channels.
+                            If you do not specify an Audio:AudioPackingMode, Elastic
+                            Transcoder uses SingleTrack.
+                          type: string
+                        bitRate:
+                          description: The bit rate of the audio stream in the output
+                            file, in kilobits/second. Enter an integer between 64
+                            and 320, inclusive.
+                          type: string
+                        channels:
+                          description: The number of audio channels in the output
+                            file
+                          type: string
+                        codec:
+                          description: The audio codec for the output file. Valid
+                            values are AAC, flac, mp2, mp3, pcm, and vorbis.
+                          type: string
+                        sampleRate:
+                          description: 'The sample rate of the audio stream in the
+                            output file, in hertz. Valid values are: auto, 22050,
+                            32000, 44100, 48000, 96000'
+                          type: string
+                      type: object
+                    type: array
+                  audioCodecOptions:
+                    description: Codec options for the audio parameters (documented
+                      below)
+                    items:
+                      properties:
+                        bitDepth:
+                          description: The bit depth of a sample is how many bits
+                            of information are included in the audio samples. Valid
+                            values are 16 and 24. (FLAC/PCM Only)
+                          type: string
+                        bitOrder:
+                          description: The order the bits of a PCM sample are stored
+                            in. The supported value is LittleEndian. (PCM Only)
+                          type: string
+                        profile:
+                          description: If you specified AAC for Audio:Codec, choose
+                            the AAC profile for the output file.
+                          type: string
+                        signed:
+                          description: Whether audio samples are represented with
+                            negative and positive numbers (signed) or only positive
+                            numbers (unsigned). The supported value is Signed. (PCM
+                            Only)
+                          type: string
+                      type: object
+                    type: array
+                  container:
+                    description: The container type for the output file. Valid values
+                      are flac, flv, fmp4, gif, mp3, mp4, mpg, mxf, oga, ogg, ts,
+                      and webm.
+                    type: string
+                  description:
+                    description: A description of the preset (maximum 255 characters)
+                    type: string
                   id:
                     description: A unique identifier for the settings for one watermark.
                       The value of Id can be up to 40 characters long. You can specify
                       settings for up to four watermarks.
                     type: string
+                  name:
+                    description: The name of the preset. (maximum 40 characters)
+                    type: string
+                  thumbnails:
+                    description: Thumbnail parameters object (documented below)
+                    items:
+                      properties:
+                        aspectRatio:
+                          description: 'The aspect ratio of thumbnails. The following
+                            values are valid: auto, 1:1, 4:3, 3:2, 16:9'
+                          type: string
+                        format:
+                          description: The format of thumbnails, if any. Valid formats
+                            are jpg and png.
+                          type: string
+                        interval:
+                          description: The approximate number of seconds between thumbnails.
+                            The value must be an integer. The actual interval can
+                            vary by several seconds from one thumbnail to the next.
+                          type: string
+                        maxHeight:
+                          description: The maximum height of thumbnails, in pixels.
+                            If you specify auto, Elastic Transcoder uses 1080 (Full
+                            HD) as the default value. If you specify a numeric value,
+                            enter an even integer between 32 and 3072, inclusive.
+                          type: string
+                        maxWidth:
+                          description: The maximum width of thumbnails, in pixels.
+                            If you specify auto, Elastic Transcoder uses 1920 (Full
+                            HD) as the default value. If you specify a numeric value,
+                            enter an even integer between 32 and 4096, inclusive.
+                          type: string
+                        paddingPolicy:
+                          description: When you set PaddingPolicy to Pad, Elastic
+                            Transcoder might add black bars to the top and bottom
+                            and/or left and right sides of thumbnails to make the
+                            total size of the thumbnails match the values that you
+                            specified for thumbnail MaxWidth and MaxHeight settings.
+                          type: string
+                        resolution:
+                          description: The width and height of thumbnail files in
+                            pixels, in the format WidthxHeight, where both values
+                            are even integers. The values cannot exceed the width
+                            and height that you specified in the Video:Resolution
+                            object. (To better control resolution and aspect ratio
+                            of thumbnails, we recommend that you use the thumbnail
+                            values max_width, max_height, sizing_policy, and padding_policy
+                            instead of resolution and aspect_ratio. The two groups
+                            of settings are mutually exclusive. Do not use them together)
+                          type: string
+                        sizingPolicy:
+                          description: 'A value that controls scaling of thumbnails.
+                            Valid values are: Fit, Fill, Stretch, Keep, ShrinkToFit,
+                            and ShrinkToFill.'
+                          type: string
+                      type: object
+                    type: array
+                  type:
+                    type: string
+                  video:
+                    description: Video parameters object (documented below)
+                    items:
+                      properties:
+                        aspectRatio:
+                          description: 'The aspect ratio of thumbnails. The following
+                            values are valid: auto, 1:1, 4:3, 3:2, 16:9'
+                          type: string
+                        bitRate:
+                          description: The bit rate of the audio stream in the output
+                            file, in kilobits/second. Enter an integer between 64
+                            and 320, inclusive.
+                          type: string
+                        codec:
+                          description: The audio codec for the output file. Valid
+                            values are AAC, flac, mp2, mp3, pcm, and vorbis.
+                          type: string
+                        displayAspectRatio:
+                          description: The value that Elastic Transcoder adds to the
+                            metadata in the output file. If you set DisplayAspectRatio
+                            to auto, Elastic Transcoder chooses an aspect ratio that
+                            ensures square pixels. If you specify another option,
+                            Elastic Transcoder sets that value in the output file.
+                          type: string
+                        fixedGop:
+                          description: Whether to use a fixed value for Video:FixedGOP.
+                            Not applicable for containers of type gif. Valid values
+                            are true and false. Also known as, Fixed Number of Frames
+                            Between Keyframes.
+                          type: string
+                        frameRate:
+                          description: 'The frames per second for the video stream
+                            in the output file. The following values are valid: auto,
+                            10, 15, 23.97, 24, 25, 29.97, 30, 50, 60.'
+                          type: string
+                        keyframesMaxDist:
+                          description: The maximum number of frames between key frames.
+                            Not applicable for containers of type gif.
+                          type: string
+                        maxFrameRate:
+                          description: If you specify auto for FrameRate, Elastic
+                            Transcoder uses the frame rate of the input video for
+                            the frame rate of the output video, up to the maximum
+                            frame rate. If you do not specify a MaxFrameRate, Elastic
+                            Transcoder will use a default of 30.
+                          type: string
+                        maxHeight:
+                          description: The maximum height of thumbnails, in pixels.
+                            If you specify auto, Elastic Transcoder uses 1080 (Full
+                            HD) as the default value. If you specify a numeric value,
+                            enter an even integer between 32 and 3072, inclusive.
+                          type: string
+                        maxWidth:
+                          description: The maximum width of thumbnails, in pixels.
+                            If you specify auto, Elastic Transcoder uses 1920 (Full
+                            HD) as the default value. If you specify a numeric value,
+                            enter an even integer between 32 and 4096, inclusive.
+                          type: string
+                        paddingPolicy:
+                          description: When you set PaddingPolicy to Pad, Elastic
+                            Transcoder might add black bars to the top and bottom
+                            and/or left and right sides of thumbnails to make the
+                            total size of the thumbnails match the values that you
+                            specified for thumbnail MaxWidth and MaxHeight settings.
+                          type: string
+                        resolution:
+                          description: The width and height of thumbnail files in
+                            pixels, in the format WidthxHeight, where both values
+                            are even integers. The values cannot exceed the width
+                            and height that you specified in the Video:Resolution
+                            object. (To better control resolution and aspect ratio
+                            of thumbnails, we recommend that you use the thumbnail
+                            values max_width, max_height, sizing_policy, and padding_policy
+                            instead of resolution and aspect_ratio. The two groups
+                            of settings are mutually exclusive. Do not use them together)
+                          type: string
+                        sizingPolicy:
+                          description: 'A value that controls scaling of thumbnails.
+                            Valid values are: Fit, Fill, Stretch, Keep, ShrinkToFit,
+                            and ShrinkToFill.'
+                          type: string
+                      type: object
+                    type: array
+                  videoCodecOptions:
+                    additionalProperties:
+                      type: string
+                    description: Codec options for the video parameters
+                    type: object
+                  videoWatermarks:
+                    description: Watermark parameters for the video parameters (documented
+                      below)
+                    items:
+                      properties:
+                        horizontalAlign:
+                          description: The horizontal position of the watermark unless
+                            you specify a nonzero value for horzontal_offset.
+                          type: string
+                        horizontalOffset:
+                          description: The amount by which you want the horizontal
+                            position of the watermark to be offset from the position
+                            specified by horizontal_align.
+                          type: string
+                        id:
+                          description: A unique identifier for the settings for one
+                            watermark. The value of Id can be up to 40 characters
+                            long. You can specify settings for up to four watermarks.
+                          type: string
+                        maxHeight:
+                          description: The maximum height of thumbnails, in pixels.
+                            If you specify auto, Elastic Transcoder uses 1080 (Full
+                            HD) as the default value. If you specify a numeric value,
+                            enter an even integer between 32 and 3072, inclusive.
+                          type: string
+                        maxWidth:
+                          description: The maximum width of thumbnails, in pixels.
+                            If you specify auto, Elastic Transcoder uses 1920 (Full
+                            HD) as the default value. If you specify a numeric value,
+                            enter an even integer between 32 and 4096, inclusive.
+                          type: string
+                        opacity:
+                          description: A percentage that indicates how much you want
+                            a watermark to obscure the video in the location where
+                            it appears.
+                          type: string
+                        sizingPolicy:
+                          description: 'A value that controls scaling of thumbnails.
+                            Valid values are: Fit, Fill, Stretch, Keep, ShrinkToFit,
+                            and ShrinkToFill.'
+                          type: string
+                        target:
+                          description: A value that determines how Elastic Transcoder
+                            interprets values that you specified for video_watermarks.horizontal_offset,
+                            video_watermarks.vertical_offset, video_watermarks.max_width,
+                            and video_watermarks.max_height. Valid values are Content
+                            and Frame.
+                          type: string
+                        verticalAlign:
+                          description: The vertical position of the watermark unless
+                            you specify a nonzero value for vertical_align. Valid
+                            values are Top, Bottom, Center.
+                          type: string
+                        verticalOffset:
+                          description: The amount by which you want the vertical position
+                            of the watermark to be offset from the position specified
+                            by vertical_align
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_appcookiestickinesspolicies.yaml b/package/crds/elb.aws.upbound.io_appcookiestickinesspolicies.yaml
index 28e4b81f17..8a4486a823 100644
--- a/package/crds/elb.aws.upbound.io_appcookiestickinesspolicies.yaml
+++ b/package/crds/elb.aws.upbound.io_appcookiestickinesspolicies.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,10 +160,24 @@ spec:
                       be created in.
                     type: string
                 required:
-                - cookieName
                 - lbPort
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,15 +349,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: cookieName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cookieName)
           status:
             description: AppCookieStickinessPolicyStatus defines the observed state
               of AppCookieStickinessPolicy.
             properties:
               atProvider:
                 properties:
+                  cookieName:
+                    description: Application cookie whose lifetime the ELB's cookie
+                      should follow.
+                    type: string
                   id:
                     description: ID of the policy.
                     type: string
+                  lbPort:
+                    description: Load balancer port to which the policy should be
+                      applied. This must be an active listener on the load balancer.
+                    type: number
+                  loadBalancer:
+                    description: Name of load balancer to which the policy should
+                      be attached.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_attachments.yaml b/package/crds/elb.aws.upbound.io_attachments.yaml
index 1a7826c07a..d34b3e8a20 100644
--- a/package/crds/elb.aws.upbound.io_attachments.yaml
+++ b/package/crds/elb.aws.upbound.io_attachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -223,6 +227,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -399,8 +418,14 @@ spec:
             properties:
               atProvider:
                 properties:
+                  elb:
+                    description: The name of the ELB.
+                    type: string
                   id:
                     type: string
+                  instance:
+                    description: Instance ID to place in the ELB pool.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_backendserverpolicies.yaml b/package/crds/elb.aws.upbound.io_backendserverpolicies.yaml
index e085547e99..77ec360135 100644
--- a/package/crds/elb.aws.upbound.io_backendserverpolicies.yaml
+++ b/package/crds/elb.aws.upbound.io_backendserverpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,9 +157,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - instancePort
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,6 +345,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instancePort is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePort)
           status:
             description: BackendServerPolicyStatus defines the observed state of BackendServerPolicy.
             properties:
@@ -335,6 +356,17 @@ spec:
                   id:
                     description: The ID of the policy.
                     type: string
+                  instancePort:
+                    description: The instance port to apply the policy to.
+                    type: number
+                  loadBalancerName:
+                    description: The load balancer to attach the policy to.
+                    type: string
+                  policyNames:
+                    description: List of Policy Names to apply to the backend server.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_elbs.yaml b/package/crds/elb.aws.upbound.io_elbs.yaml
index 75f70eafbc..bd41489036 100644
--- a/package/crds/elb.aws.upbound.io_elbs.yaml
+++ b/package/crds/elb.aws.upbound.io_elbs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -361,9 +365,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - listener
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -535,26 +553,154 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: listener is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.listener)
           status:
             description: ELBStatus defines the observed state of ELB.
             properties:
               atProvider:
                 properties:
+                  accessLogs:
+                    description: An Access Logs block. Access Logs documented below.
+                    items:
+                      properties:
+                        bucket:
+                          description: The S3 bucket name to store the logs in.
+                          type: string
+                        bucketPrefix:
+                          description: The S3 bucket prefix. Logs are stored in the
+                            root if not configured.
+                          type: string
+                        enabled:
+                          description: Boolean to enable / disable access_logs. Default
+                            is true
+                          type: boolean
+                        interval:
+                          description: 'The publishing interval in minutes. Valid
+                            values: 5 and 60. Default: 60'
+                          type: number
+                      type: object
+                    type: array
                   arn:
                     description: The ARN of the ELB
                     type: string
+                  availabilityZones:
+                    description: The AZ's to serve traffic in.
+                    items:
+                      type: string
+                    type: array
+                  connectionDraining:
+                    description: 'Boolean to enable connection draining. Default:
+                      false'
+                    type: boolean
+                  connectionDrainingTimeout:
+                    description: 'The time in seconds to allow for connections to
+                      drain. Default: 300'
+                    type: number
+                  crossZoneLoadBalancing:
+                    description: 'Enable cross-zone load balancing. Default: true'
+                    type: boolean
+                  desyncMitigationMode:
+                    description: Determines how the load balancer handles requests
+                      that might pose a security risk to an application due to HTTP
+                      desync. Valid values are monitor, defensive (default), strictest.
+                    type: string
                   dnsName:
                     description: The DNS name of the ELB
                     type: string
+                  healthCheck:
+                    description: A health_check block. Health Check documented below.
+                    items:
+                      properties:
+                        healthyThreshold:
+                          description: The number of checks before the instance is
+                            declared healthy.
+                          type: number
+                        interval:
+                          description: 'The publishing interval in minutes. Valid
+                            values: 5 and 60. Default: 60'
+                          type: number
+                        target:
+                          description: 'The target of the check. Valid pattern is
+                            "${PROTOCOL}:${PORT}${PATH}", where PROTOCOL values are:'
+                          type: string
+                        timeout:
+                          description: The length of time before the check times out.
+                          type: number
+                        unhealthyThreshold:
+                          description: The number of checks before the instance is
+                            declared unhealthy.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: The name of the ELB
                     type: string
+                  idleTimeout:
+                    description: 'The time in seconds that the connection is allowed
+                      to be idle. Default: 60'
+                    type: number
+                  instances:
+                    description: A list of instance ids to place in the ELB pool.
+                    items:
+                      type: string
+                    type: array
+                  internal:
+                    description: If true, ELB will be an internal ELB.
+                    type: boolean
+                  listener:
+                    description: A list of listener blocks. Listeners documented below.
+                    items:
+                      properties:
+                        instancePort:
+                          description: The port on the instance to route to
+                          type: number
+                        instanceProtocol:
+                          description: The protocol to use to the instance. Valid
+                            values are HTTP, HTTPS, TCP, or SSL
+                          type: string
+                        lbPort:
+                          description: The port to listen on for the load balancer
+                          type: number
+                        lbProtocol:
+                          description: The protocol to listen on. Valid values are
+                            HTTP, HTTPS, TCP, or SSL
+                          type: string
+                        sslCertificateId:
+                          description: The ARN of an SSL certificate you have uploaded
+                            to AWS IAM. Note ECDSA-specific restrictions below.  Only
+                            valid when
+                          type: string
+                      type: object
+                    type: array
+                  securityGroups:
+                    description: A list of security group IDs to assign to the ELB.
+                      Only valid if creating an ELB within a VPC
+                    items:
+                      type: string
+                    type: array
+                  sourceSecurityGroup:
+                    description: The name of the security group that you can use as
+                      part of your inbound rules for your load balancer's back-end
+                      application instances. Use this for Classic or Default VPC only.
+                    type: string
                   sourceSecurityGroupId:
                     description: The ID of the security group that you can use as
                       part of your inbound rules for your load balancer's back-end
                       application instances. Only available on ELBs launched in a
                       VPC.
                     type: string
+                  subnets:
+                    description: A list of subnet IDs to attach to the ELB.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elb.aws.upbound.io_lbcookiestickinesspolicies.yaml b/package/crds/elb.aws.upbound.io_lbcookiestickinesspolicies.yaml
index b6a49084be..bb085276ab 100644
--- a/package/crds/elb.aws.upbound.io_lbcookiestickinesspolicies.yaml
+++ b/package/crds/elb.aws.upbound.io_lbcookiestickinesspolicies.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,10 +162,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - lbPort
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,15 +350,34 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: lbPort is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lbPort)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: LBCookieStickinessPolicyStatus defines the observed state
               of LBCookieStickinessPolicy.
             properties:
               atProvider:
                 properties:
+                  cookieExpirationPeriod:
+                    description: The time period after which the session cookie should
+                      be considered stale, expressed in seconds.
+                    type: number
                   id:
                     description: The ID of the policy.
                     type: string
+                  lbPort:
+                    description: The load balancer port to which the policy should
+                      be applied. This must be an active listener on the load balancer.
+                    type: number
+                  loadBalancer:
+                    description: The load balancer to which the policy should be attached.
+                    type: string
+                  name:
+                    description: The name of the stickiness policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_lbsslnegotiationpolicies.yaml b/package/crds/elb.aws.upbound.io_lbsslnegotiationpolicies.yaml
index b58fdf5274..1c139817b4 100644
--- a/package/crds/elb.aws.upbound.io_lbsslnegotiationpolicies.yaml
+++ b/package/crds/elb.aws.upbound.io_lbsslnegotiationpolicies.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -176,10 +180,23 @@ spec:
                       will trigger a redeployment.
                     type: object
                 required:
-                - lbPort
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -351,15 +368,49 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: lbPort is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.lbPort)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: LBSSLNegotiationPolicyStatus defines the observed state of
               LBSSLNegotiationPolicy.
             properties:
               atProvider:
                 properties:
+                  attribute:
+                    description: 'An SSL Negotiation policy attribute. Each has two
+                      properties:'
+                    items:
+                      properties:
+                        name:
+                          description: The name of the SSL negotiation policy.
+                          type: string
+                        value:
+                          description: The value of the attribute
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the policy.
                     type: string
+                  lbPort:
+                    description: The load balancer port to which the policy should
+                      be applied. This must be an active listener on the load balancer.
+                    type: number
+                  loadBalancer:
+                    description: The load balancer to which the policy should be attached.
+                    type: string
+                  name:
+                    description: The name of the SSL negotiation policy.
+                    type: string
+                  triggers:
+                    additionalProperties:
+                      type: string
+                    description: Map of arbitrary keys and values that, when changed,
+                      will trigger a redeployment.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_listenerpolicies.yaml b/package/crds/elb.aws.upbound.io_listenerpolicies.yaml
index 75842ae3a4..2050627e5c 100644
--- a/package/crds/elb.aws.upbound.io_listenerpolicies.yaml
+++ b/package/crds/elb.aws.upbound.io_listenerpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -160,9 +164,23 @@ spec:
                       will trigger an update.
                     type: object
                 required:
-                - loadBalancerPort
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,6 +352,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: loadBalancerPort is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.loadBalancerPort)
           status:
             description: ListenerPolicyStatus defines the observed state of ListenerPolicy.
             properties:
@@ -342,6 +363,24 @@ spec:
                   id:
                     description: The ID of the policy.
                     type: string
+                  loadBalancerName:
+                    description: The load balancer to attach the policy to.
+                    type: string
+                  loadBalancerPort:
+                    description: The load balancer listener port to apply the policy
+                      to.
+                    type: number
+                  policyNames:
+                    description: List of Policy Names to apply to the backend server.
+                    items:
+                      type: string
+                    type: array
+                  triggers:
+                    additionalProperties:
+                      type: string
+                    description: Map of arbitrary keys and values that, when changed,
+                      will trigger an update.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_policies.yaml b/package/crds/elb.aws.upbound.io_policies.yaml
index 39d645f631..475735c2b0 100644
--- a/package/crds/elb.aws.upbound.io_policies.yaml
+++ b/package/crds/elb.aws.upbound.io_policies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -237,10 +241,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policyName
-                - policyTypeName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -412,6 +429,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policyName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyName)
+            - message: policyTypeName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policyTypeName)
           status:
             description: PolicyStatus defines the observed state of Policy.
             properties:
@@ -420,6 +442,25 @@ spec:
                   id:
                     description: The ID of the policy.
                     type: string
+                  loadBalancerName:
+                    description: The load balancer on which the policy is defined.
+                    type: string
+                  policyAttribute:
+                    description: Policy attribute to apply to the policy.
+                    items:
+                      properties:
+                        name:
+                          type: string
+                        value:
+                          type: string
+                      type: object
+                    type: array
+                  policyName:
+                    description: The name of the load balancer policy.
+                    type: string
+                  policyTypeName:
+                    description: The policy type.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elb.aws.upbound.io_proxyprotocolpolicies.yaml b/package/crds/elb.aws.upbound.io_proxyprotocolpolicies.yaml
index e6c88a6705..bc80a568f7 100644
--- a/package/crds/elb.aws.upbound.io_proxyprotocolpolicies.yaml
+++ b/package/crds/elb.aws.upbound.io_proxyprotocolpolicies.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,9 +157,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - instancePorts
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,6 +345,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instancePorts is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePorts)
           status:
             description: ProxyProtocolPolicyStatus defines the observed state of ProxyProtocolPolicy.
             properties:
@@ -335,6 +356,16 @@ spec:
                   id:
                     description: The ID of the policy.
                     type: string
+                  instancePorts:
+                    description: List of instance ports to which the policy should
+                      be applied. This can be specified if the protocol is SSL or
+                      TCP.
+                    items:
+                      type: string
+                    type: array
+                  loadBalancer:
+                    description: The load balancer to which the policy should be attached.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elbv2.aws.upbound.io_lblistenerrules.yaml b/package/crds/elbv2.aws.upbound.io_lblistenerrules.yaml
index b64710ba60..6ddf646f8e 100644
--- a/package/crds/elbv2.aws.upbound.io_lblistenerrules.yaml
+++ b/package/crds/elbv2.aws.upbound.io_lblistenerrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -959,10 +963,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - action
-                - condition
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1134,17 +1151,390 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: action is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)
+            - message: condition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.condition)
           status:
             description: LBListenerRuleStatus defines the observed state of LBListenerRule.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: An Action block. Action blocks are documented below.
+                    items:
+                      properties:
+                        authenticateCognito:
+                          description: Information for creating an authenticate action
+                            using Cognito. Required if type is authenticate-cognito.
+                          items:
+                            properties:
+                              authenticationRequestExtraParams:
+                                additionalProperties:
+                                  type: string
+                                description: 'The query parameters to include in the
+                                  redirect request to the authorization endpoint.
+                                  Max: 10.'
+                                type: object
+                              onUnauthenticatedRequest:
+                                description: 'The behavior if the user is not authenticated.
+                                  Valid values: deny, allow and authenticate'
+                                type: string
+                              scope:
+                                description: The set of user claims to be requested
+                                  from the IdP.
+                                type: string
+                              sessionCookieName:
+                                description: The name of the cookie used to maintain
+                                  session information.
+                                type: string
+                              sessionTimeout:
+                                description: The maximum duration of the authentication
+                                  session, in seconds.
+                                type: number
+                              userPoolArn:
+                                description: The ARN of the Cognito user pool.
+                                type: string
+                              userPoolClientId:
+                                description: The ID of the Cognito user pool client.
+                                type: string
+                              userPoolDomain:
+                                description: The domain prefix or fully-qualified
+                                  domain name of the Cognito user pool.
+                                type: string
+                            type: object
+                          type: array
+                        authenticateOidc:
+                          description: Information for creating an authenticate action
+                            using OIDC. Required if type is authenticate-oidc.
+                          items:
+                            properties:
+                              authenticationRequestExtraParams:
+                                additionalProperties:
+                                  type: string
+                                description: 'The query parameters to include in the
+                                  redirect request to the authorization endpoint.
+                                  Max: 10.'
+                                type: object
+                              authorizationEndpoint:
+                                description: The authorization endpoint of the IdP.
+                                type: string
+                              clientId:
+                                description: The OAuth 2.0 client identifier.
+                                type: string
+                              issuer:
+                                description: The OIDC issuer identifier of the IdP.
+                                type: string
+                              onUnauthenticatedRequest:
+                                description: 'The behavior if the user is not authenticated.
+                                  Valid values: deny, allow and authenticate'
+                                type: string
+                              scope:
+                                description: The set of user claims to be requested
+                                  from the IdP.
+                                type: string
+                              sessionCookieName:
+                                description: The name of the cookie used to maintain
+                                  session information.
+                                type: string
+                              sessionTimeout:
+                                description: The maximum duration of the authentication
+                                  session, in seconds.
+                                type: number
+                              tokenEndpoint:
+                                description: The token endpoint of the IdP.
+                                type: string
+                              userInfoEndpoint:
+                                description: The user info endpoint of the IdP.
+                                type: string
+                            type: object
+                          type: array
+                        fixedResponse:
+                          description: Information for creating an action that returns
+                            a custom HTTP response. Required if type is fixed-response.
+                          items:
+                            properties:
+                              contentType:
+                                description: The content type. Valid values are text/plain,
+                                  text/css, text/html, application/javascript and
+                                  application/json.
+                                type: string
+                              messageBody:
+                                description: The message body.
+                                type: string
+                              statusCode:
+                                description: The HTTP redirect code. The redirect
+                                  is either permanent (HTTP_301) or temporary (HTTP_302).
+                                type: string
+                            type: object
+                          type: array
+                        forward:
+                          description: Information for creating an action that distributes
+                            requests among one or more target groups. Specify only
+                            if type is forward. If you specify both forward block
+                            and target_group_arn attribute, you can specify only one
+                            target group using forward and it must be the same target
+                            group specified in target_group_arn.
+                          items:
+                            properties:
+                              stickiness:
+                                description: The target group stickiness for the rule.
+                                items:
+                                  properties:
+                                    duration:
+                                      description: The time period, in seconds, during
+                                        which requests from a client should be routed
+                                        to the same target group. The range is 1-604800
+                                        seconds (7 days).
+                                      type: number
+                                    enabled:
+                                      description: Indicates whether target group
+                                        stickiness is enabled.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              targetGroup:
+                                description: One or more target groups block.
+                                items:
+                                  properties:
+                                    arn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the target group.
+                                      type: string
+                                    weight:
+                                      description: The weight. The range is 0 to 999.
+                                      type: number
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        order:
+                          type: number
+                        redirect:
+                          description: Information for creating a redirect action.
+                            Required if type is redirect.
+                          items:
+                            properties:
+                              host:
+                                description: 'The hostname. This component is not
+                                  percent-encoded. The hostname can contain #{host}.
+                                  Defaults to #{host}.'
+                                type: string
+                              path:
+                                description: 'The absolute path, starting with the
+                                  leading "/". This component is not percent-encoded.
+                                  The path can contain #{host}, #{path}, and #{port}.
+                                  Defaults to /#{path}.'
+                                type: string
+                              port:
+                                description: 'The port. Specify a value from 1 to
+                                  65535 or #{port}. Defaults to #{port}.'
+                                type: string
+                              protocol:
+                                description: 'The protocol. Valid values are HTTP,
+                                  HTTPS, or #{protocol}. Defaults to #{protocol}.'
+                                type: string
+                              query:
+                                description: 'The query parameters, URL-encoded when
+                                  necessary, but not percent-encoded. Do not include
+                                  the leading "?". Defaults to #{query}.'
+                                type: string
+                              statusCode:
+                                description: The HTTP redirect code. The redirect
+                                  is either permanent (HTTP_301) or temporary (HTTP_302).
+                                type: string
+                            type: object
+                          type: array
+                        targetGroupArn:
+                          description: The ARN of the Target Group to which to route
+                            traffic. Specify only if type is forward and you want
+                            to route to a single target group. To route to one or
+                            more target groups, use a forward block instead.
+                          type: string
+                        type:
+                          description: The type of routing action. Valid values are
+                            forward, redirect, fixed-response, authenticate-cognito
+                            and authenticate-oidc.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: The ARN of the rule (matches id)
                     type: string
+                  condition:
+                    description: A Condition block. Multiple condition blocks of different
+                      types can be set and all must be satisfied for the rule to match.
+                      Condition blocks are documented below.
+                    items:
+                      properties:
+                        hostHeader:
+                          description: 'Contains a single values item which is a list
+                            of host header patterns to match. The maximum size of
+                            each pattern is 128 characters. Comparison is case insensitive.
+                            Wildcard characters supported: * (matches 0 or more characters)
+                            and ? (matches exactly 1 character). Only one pattern
+                            needs to match for the condition to be satisfied.'
+                          items:
+                            properties:
+                              values:
+                                description: 'Query string pairs or values to match.
+                                  Query String Value blocks documented below. Multiple
+                                  values blocks can be specified, see example above.
+                                  Maximum size of each string is 128 characters. Comparison
+                                  is case insensitive. Wildcard characters supported:
+                                  * (matches 0 or more characters) and ? (matches
+                                  exactly 1 character). To search for a literal ''*''
+                                  or ''?'' character in a query string, escape the
+                                  character with a backslash (\). Only one pair needs
+                                  to match for the condition to be satisfied.'
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        httpHeader:
+                          description: HTTP headers to match. HTTP Header block fields
+                            documented below.
+                          items:
+                            properties:
+                              httpHeaderName:
+                                description: Name of HTTP header to search. The maximum
+                                  size is 40 characters. Comparison is case insensitive.
+                                  Only RFC7240 characters are supported. Wildcards
+                                  are not supported. You cannot use HTTP header condition
+                                  to specify the host header, use a host-header condition
+                                  instead.
+                                type: string
+                              values:
+                                description: 'List of header value patterns to match.
+                                  Maximum size of each pattern is 128 characters.
+                                  Comparison is case insensitive. Wildcard characters
+                                  supported: * (matches 0 or more characters) and
+                                  ? (matches exactly 1 character). If the same header
+                                  appears multiple times in the request they will
+                                  be searched in order until a match is found. Only
+                                  one pattern needs to match for the condition to
+                                  be satisfied. To require that all of the strings
+                                  are a match, create one condition block per string.'
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        httpRequestMethod:
+                          description: Contains a single values item which is a list
+                            of HTTP request methods or verbs to match. Maximum size
+                            is 40 characters. Only allowed characters are A-Z, hyphen
+                            (-) and underscore (_). Comparison is case sensitive.
+                            Wildcards are not supported. Only one needs to match for
+                            the condition to be satisfied. AWS recommends that GET
+                            and HEAD requests are routed in the same way because the
+                            response to a HEAD request may be cached.
+                          items:
+                            properties:
+                              values:
+                                description: 'Query string pairs or values to match.
+                                  Query String Value blocks documented below. Multiple
+                                  values blocks can be specified, see example above.
+                                  Maximum size of each string is 128 characters. Comparison
+                                  is case insensitive. Wildcard characters supported:
+                                  * (matches 0 or more characters) and ? (matches
+                                  exactly 1 character). To search for a literal ''*''
+                                  or ''?'' character in a query string, escape the
+                                  character with a backslash (\). Only one pair needs
+                                  to match for the condition to be satisfied.'
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        pathPattern:
+                          description: 'Contains a single values item which is a list
+                            of path patterns to match against the request URL. Maximum
+                            size of each pattern is 128 characters. Comparison is
+                            case sensitive. Wildcard characters supported: * (matches
+                            0 or more characters) and ? (matches exactly 1 character).
+                            Only one pattern needs to match for the condition to be
+                            satisfied. Path pattern is compared only to the path of
+                            the URL, not to its query string. To compare against the
+                            query string, use a query_string condition.'
+                          items:
+                            properties:
+                              values:
+                                description: 'Query string pairs or values to match.
+                                  Query String Value blocks documented below. Multiple
+                                  values blocks can be specified, see example above.
+                                  Maximum size of each string is 128 characters. Comparison
+                                  is case insensitive. Wildcard characters supported:
+                                  * (matches 0 or more characters) and ? (matches
+                                  exactly 1 character). To search for a literal ''*''
+                                  or ''?'' character in a query string, escape the
+                                  character with a backslash (\). Only one pair needs
+                                  to match for the condition to be satisfied.'
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        queryString:
+                          description: Query strings to match. Query String block
+                            fields documented below.
+                          items:
+                            properties:
+                              key:
+                                description: Query string key pattern to match.
+                                type: string
+                              value:
+                                description: Query string value pattern to match.
+                                type: string
+                            type: object
+                          type: array
+                        sourceIp:
+                          description: Contains a single values item which is a list
+                            of source IP CIDR notations to match. You can use both
+                            IPv4 and IPv6 addresses. Wildcards are not supported.
+                            Condition is satisfied if the source IP address of the
+                            request matches one of the CIDR blocks. Condition is not
+                            satisfied by the addresses in the X-Forwarded-For header,
+                            use http_header condition instead.
+                          items:
+                            properties:
+                              values:
+                                description: 'Query string pairs or values to match.
+                                  Query String Value blocks documented below. Multiple
+                                  values blocks can be specified, see example above.
+                                  Maximum size of each string is 128 characters. Comparison
+                                  is case insensitive. Wildcard characters supported:
+                                  * (matches 0 or more characters) and ? (matches
+                                  exactly 1 character). To search for a literal ''*''
+                                  or ''?'' character in a query string, escape the
+                                  character with a backslash (\). Only one pair needs
+                                  to match for the condition to be satisfied.'
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: The ARN of the rule (matches arn)
                     type: string
+                  listenerArn:
+                    description: The ARN of the listener to which to attach the rule.
+                    type: string
+                  priority:
+                    description: The priority for the rule between 1 and 50000. Leaving
+                      it unset will automatically set the rule with next available
+                      priority after currently existing highest rule. A listener can't
+                      have multiple rules with the same priority.
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elbv2.aws.upbound.io_lblisteners.yaml b/package/crds/elbv2.aws.upbound.io_lblisteners.yaml
index 63b724be21..8311ed5ecd 100644
--- a/package/crds/elbv2.aws.upbound.io_lblisteners.yaml
+++ b/package/crds/elbv2.aws.upbound.io_lblisteners.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -579,9 +583,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - defaultAction
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -753,17 +771,259 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: defaultAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultAction)
           status:
             description: LBListenerStatus defines the observed state of LBListener.
             properties:
               atProvider:
                 properties:
+                  alpnPolicy:
+                    description: Name of the Application-Layer Protocol Negotiation
+                      (ALPN) policy. Can be set if protocol is TLS. Valid values are
+                      HTTP1Only, HTTP2Only, HTTP2Optional, HTTP2Preferred, and None.
+                    type: string
                   arn:
                     description: ARN of the listener (matches id).
                     type: string
+                  certificateArn:
+                    description: ARN of the default SSL server certificate. Exactly
+                      one certificate is required if the protocol is HTTPS. For adding
+                      additional SSL certificates, see the aws_lb_listener_certificate
+                      resource.
+                    type: string
+                  defaultAction:
+                    description: Configuration block for default actions. Detailed
+                      below.
+                    items:
+                      properties:
+                        authenticateCognito:
+                          description: Configuration block for using Amazon Cognito
+                            to authenticate users. Specify only when type is authenticate-cognito.
+                            Detailed below.
+                          items:
+                            properties:
+                              authenticationRequestExtraParams:
+                                additionalProperties:
+                                  type: string
+                                description: 'Query parameters to include in the redirect
+                                  request to the authorization endpoint. Max: 10.
+                                  Detailed below.'
+                                type: object
+                              onUnauthenticatedRequest:
+                                description: Behavior if the user is not authenticated.
+                                  Valid values are deny, allow and authenticate.
+                                type: string
+                              scope:
+                                description: Set of user claims to be requested from
+                                  the IdP.
+                                type: string
+                              sessionCookieName:
+                                description: Name of the cookie used to maintain session
+                                  information.
+                                type: string
+                              sessionTimeout:
+                                description: Maximum duration of the authentication
+                                  session, in seconds.
+                                type: number
+                              userPoolArn:
+                                description: ARN of the Cognito user pool.
+                                type: string
+                              userPoolClientId:
+                                description: ID of the Cognito user pool client.
+                                type: string
+                              userPoolDomain:
+                                description: Domain prefix or fully-qualified domain
+                                  name of the Cognito user pool.
+                                type: string
+                            type: object
+                          type: array
+                        authenticateOidc:
+                          description: Configuration block for an identity provider
+                            that is compliant with OpenID Connect (OIDC). Specify
+                            only when type is authenticate-oidc. Detailed below.
+                          items:
+                            properties:
+                              authenticationRequestExtraParams:
+                                additionalProperties:
+                                  type: string
+                                description: 'Query parameters to include in the redirect
+                                  request to the authorization endpoint. Max: 10.'
+                                type: object
+                              authorizationEndpoint:
+                                description: Authorization endpoint of the IdP.
+                                type: string
+                              clientId:
+                                description: OAuth 2.0 client identifier.
+                                type: string
+                              issuer:
+                                description: OIDC issuer identifier of the IdP.
+                                type: string
+                              onUnauthenticatedRequest:
+                                description: 'Behavior if the user is not authenticated.
+                                  Valid values: deny, allow and authenticate'
+                                type: string
+                              scope:
+                                description: Set of user claims to be requested from
+                                  the IdP.
+                                type: string
+                              sessionCookieName:
+                                description: Name of the cookie used to maintain session
+                                  information.
+                                type: string
+                              sessionTimeout:
+                                description: Maximum duration of the authentication
+                                  session, in seconds.
+                                type: number
+                              tokenEndpoint:
+                                description: Token endpoint of the IdP.
+                                type: string
+                              userInfoEndpoint:
+                                description: User info endpoint of the IdP.
+                                type: string
+                            type: object
+                          type: array
+                        fixedResponse:
+                          description: Information for creating an action that returns
+                            a custom HTTP response. Required if type is fixed-response.
+                          items:
+                            properties:
+                              contentType:
+                                description: Content type. Valid values are text/plain,
+                                  text/css, text/html, application/javascript and
+                                  application/json.
+                                type: string
+                              messageBody:
+                                description: Message body.
+                                type: string
+                              statusCode:
+                                description: HTTP response code. Valid values are
+                                  2XX, 4XX, or 5XX.
+                                type: string
+                            type: object
+                          type: array
+                        forward:
+                          description: Configuration block for creating an action
+                            that distributes requests among one or more target groups.
+                            Specify only if type is forward. If you specify both forward
+                            block and target_group_arn attribute, you can specify
+                            only one target group using forward and it must be the
+                            same target group specified in target_group_arn. Detailed
+                            below.
+                          items:
+                            properties:
+                              stickiness:
+                                description: Configuration block for target group
+                                  stickiness for the rule. Detailed below.
+                                items:
+                                  properties:
+                                    duration:
+                                      description: Time period, in seconds, during
+                                        which requests from a client should be routed
+                                        to the same target group. The range is 1-604800
+                                        seconds (7 days).
+                                      type: number
+                                    enabled:
+                                      description: Whether target group stickiness
+                                        is enabled. Default is false.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              targetGroup:
+                                description: Set of 1-5 target group blocks. Detailed
+                                  below.
+                                items:
+                                  properties:
+                                    arn:
+                                      description: ARN of the target group.
+                                      type: string
+                                    weight:
+                                      description: Weight. The range is 0 to 999.
+                                      type: number
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        order:
+                          description: Order for the action. This value is required
+                            for rules with multiple actions. The action with the lowest
+                            value for order is performed first. Valid values are between
+                            1 and 50000.
+                          type: number
+                        redirect:
+                          description: Configuration block for creating a redirect
+                            action. Required if type is redirect. Detailed below.
+                          items:
+                            properties:
+                              host:
+                                description: 'Hostname. This component is not percent-encoded.
+                                  The hostname can contain #{host}. Defaults to #{host}.'
+                                type: string
+                              path:
+                                description: 'Absolute path, starting with the leading
+                                  "/". This component is not percent-encoded. The
+                                  path can contain #{host}, #{path}, and #{port}.
+                                  Defaults to /#{path}.'
+                                type: string
+                              port:
+                                description: 'Port. Specify a value from 1 to 65535
+                                  or #{port}. Defaults to #{port}.'
+                                type: string
+                              protocol:
+                                description: 'Protocol. Valid values are HTTP, HTTPS,
+                                  or #{protocol}. Defaults to #{protocol}.'
+                                type: string
+                              query:
+                                description: 'Query parameters, URL-encoded when necessary,
+                                  but not percent-encoded. Do not include the leading
+                                  "?". Defaults to #{query}.'
+                                type: string
+                              statusCode:
+                                description: HTTP redirect code. The redirect is either
+                                  permanent (HTTP_301) or temporary (HTTP_302).
+                                type: string
+                            type: object
+                          type: array
+                        targetGroupArn:
+                          description: ARN of the Target Group to which to route traffic.
+                            Specify only if type is forward and you want to route
+                            to a single target group. To route to one or more target
+                            groups, use a forward block instead.
+                          type: string
+                        type:
+                          description: Type of routing action. Valid values are forward,
+                            redirect, fixed-response, authenticate-cognito and authenticate-oidc.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: ARN of the listener (matches arn).
                     type: string
+                  loadBalancerArn:
+                    description: ARN of the load balancer.
+                    type: string
+                  port:
+                    description: Port on which the load balancer is listening. Not
+                      valid for Gateway Load Balancers.
+                    type: number
+                  protocol:
+                    description: Protocol for connections from clients to the load
+                      balancer. For Application Load Balancers, valid values are HTTP
+                      and HTTPS, with a default of HTTP. For Network Load Balancers,
+                      valid values are TCP, TLS, UDP, and TCP_UDP. Not valid to use
+                      UDP or TCP_UDP if dual-stack mode is enabled. Not valid for
+                      Gateway Load Balancers.
+                    type: string
+                  sslPolicy:
+                    description: Name of the SSL Policy for the listener. Required
+                      if protocol is HTTPS or TLS.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elbv2.aws.upbound.io_lbs.yaml b/package/crds/elbv2.aws.upbound.io_lbs.yaml
index cdec1dc6ab..240242343a 100644
--- a/package/crds/elbv2.aws.upbound.io_lbs.yaml
+++ b/package/crds/elbv2.aws.upbound.io_lbs.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -501,6 +505,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -677,27 +696,146 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accessLogs:
+                    description: An Access Logs block. Access Logs documented below.
+                    items:
+                      properties:
+                        bucket:
+                          description: The S3 bucket name to store the logs in.
+                          type: string
+                        enabled:
+                          description: Boolean to enable / disable access_logs. Defaults
+                            to false, even when bucket is specified.
+                          type: boolean
+                        prefix:
+                          description: The S3 bucket prefix. Logs are stored in the
+                            root if not configured.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: The ARN of the load balancer (matches id).
                     type: string
                   arnSuffix:
                     description: The ARN suffix for use with CloudWatch Metrics.
                     type: string
+                  customerOwnedIpv4Pool:
+                    description: The ID of the customer owned ipv4 pool to use for
+                      this load balancer.
+                    type: string
+                  desyncMitigationMode:
+                    description: Determines how the load balancer handles requests
+                      that might pose a security risk to an application due to HTTP
+                      desync. Valid values are monitor, defensive (default), strictest.
+                    type: string
                   dnsName:
                     description: The DNS name of the load balancer.
                     type: string
+                  dropInvalidHeaderFields:
+                    description: Indicates whether HTTP headers with header fields
+                      that are not valid are removed by the load balancer (true) or
+                      routed to targets (false). The default is false. Elastic Load
+                      Balancing requires that message header names contain only alphanumeric
+                      characters and hyphens. Only valid for Load Balancers of type
+                      application.
+                    type: boolean
+                  enableCrossZoneLoadBalancing:
+                    description: If true, cross-zone load balancing of the load balancer
+                      will be enabled. For network and gateway type load balancers,
+                      this feature is disabled by default (false). For application
+                      load balancer this feature is always enabled (true) and cannot
+                      be disabled. Defaults to false.
+                    type: boolean
+                  enableDeletionProtection:
+                    description: If true, deletion of the load balancer will be disabled
+                      via the AWS API. Defaults to false.
+                    type: boolean
+                  enableHttp2:
+                    description: Indicates whether HTTP/2 is enabled in application
+                      load balancers. Defaults to true.
+                    type: boolean
+                  enableWafFailOpen:
+                    description: Indicates whether to allow a WAF-enabled load balancer
+                      to route requests to targets if it is unable to forward the
+                      request to AWS WAF. Defaults to false.
+                    type: boolean
                   id:
                     description: The ARN of the load balancer (matches arn).
                     type: string
+                  idleTimeout:
+                    description: 'The time in seconds that the connection is allowed
+                      to be idle. Only valid for Load Balancers of type application.
+                      Default: 60.'
+                    type: number
+                  internal:
+                    description: If true, the LB will be internal.
+                    type: boolean
+                  ipAddressType:
+                    description: The type of IP addresses used by the subnets for
+                      your load balancer. The possible values are ipv4 and dualstack.
+                    type: string
+                  loadBalancerType:
+                    description: The type of load balancer to create. Possible values
+                      are application, gateway, or network. The default value is application.
+                    type: string
+                  name:
+                    description: The name of the LB. This name must be unique within
+                      your AWS account, can have a maximum of 32 characters, must
+                      contain only alphanumeric characters or hyphens, and must not
+                      begin or end with a hyphen.
+                    type: string
+                  preserveHostHeader:
+                    description: Indicates whether the Application Load Balancer should
+                      preserve the Host header in the HTTP request and send it to
+                      the target without any change. Defaults to false.
+                    type: boolean
+                  securityGroups:
+                    description: A list of security group IDs to assign to the LB.
+                      Only valid for Load Balancers of type application.
+                    items:
+                      type: string
+                    type: array
                   subnetMapping:
                     description: A subnet mapping block as documented below.
                     items:
                       properties:
+                        allocationId:
+                          description: The allocation ID of the Elastic IP address
+                            for an internet-facing load balancer.
+                          type: string
+                        ipv6Address:
+                          description: The IPv6 address. You associate IPv6 CIDR blocks
+                            with your VPC and choose the subnets where you launch
+                            both internet-facing and internal Application Load Balancers
+                            or Network Load Balancers.
+                          type: string
                         outpostId:
                           description: ID of the Outpost containing the load balancer.
                           type: string
+                        privateIpv4Address:
+                          description: The private IPv4 address for an internal load
+                            balancer.
+                          type: string
+                        subnetId:
+                          description: ID of the subnet of which to attach to the
+                            load balancer. You can specify only one subnet per Availability
+                            Zone.
+                          type: string
                       type: object
                     type: array
+                  subnets:
+                    description: A list of subnet IDs to attach to the LB. Subnets
+                      cannot be updated for Load Balancers of type network. Changing
+                      this value for load balancers of type network will force a recreation
+                      of the resource.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/elbv2.aws.upbound.io_lbtargetgroupattachments.yaml b/package/crds/elbv2.aws.upbound.io_lbtargetgroupattachments.yaml
index 0271501209..a76ac5f769 100644
--- a/package/crds/elbv2.aws.upbound.io_lbtargetgroupattachments.yaml
+++ b/package/crds/elbv2.aws.upbound.io_lbtargetgroupattachments.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -164,8 +168,22 @@ spec:
                     type: string
                 required:
                 - region
-                - targetId
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,15 +355,37 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: targetId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetId)
           status:
             description: LBTargetGroupAttachmentStatus defines the observed state
               of LBTargetGroupAttachment.
             properties:
               atProvider:
                 properties:
+                  availabilityZone:
+                    description: The Availability Zone where the IP address of the
+                      target is to be registered. If the private ip address is outside
+                      of the VPC scope, this value must be set to 'all'.
+                    type: string
                   id:
                     description: A unique identifier for the attachment
                     type: string
+                  port:
+                    description: The port on which targets receive traffic.
+                    type: number
+                  targetGroupArn:
+                    description: The ARN of the target group with which to register
+                      targets
+                    type: string
+                  targetId:
+                    description: The ID of the target. This is the Instance ID for
+                      an instance, or the container ID for an ECS container. If the
+                      target type is ip, specify an IP address. If the target type
+                      is lambda, specify the arn of lambda. If the target type is
+                      alb, specify the arn of alb.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/elbv2.aws.upbound.io_lbtargetgroups.yaml b/package/crds/elbv2.aws.upbound.io_lbtargetgroups.yaml
index b162b4441a..eedc29ea9e 100644
--- a/package/crds/elbv2.aws.upbound.io_lbtargetgroups.yaml
+++ b/package/crds/elbv2.aws.upbound.io_lbtargetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -331,9 +335,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -505,6 +523,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: LBTargetGroupStatus defines the observed state of LBTargetGroup.
             properties:
@@ -516,9 +537,164 @@ spec:
                   arnSuffix:
                     description: ARN suffix for use with CloudWatch Metrics.
                     type: string
+                  connectionTermination:
+                    description: Whether to terminate connections at the end of the
+                      deregistration timeout on Network Load Balancers. See doc for
+                      more information. Default is false.
+                    type: boolean
+                  deregistrationDelay:
+                    description: Amount time for Elastic Load Balancing to wait before
+                      changing the state of a deregistering target from draining to
+                      unused. The range is 0-3600 seconds. The default value is 300
+                      seconds.
+                    type: string
+                  healthCheck:
+                    description: Health Check configuration block. Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether health checks are enabled. Defaults
+                            to true.
+                          type: boolean
+                        healthyThreshold:
+                          description: Number of consecutive health check successes
+                            required before considering a target healthy. The range
+                            is 2-10. Defaults to 3.
+                          type: number
+                        interval:
+                          description: Approximate amount of time, in seconds, between
+                            health checks of an individual target. The range is 5-300.
+                            For lambda target groups, it needs to be greater than
+                            the timeout of the underlying lambda. Defaults to 30.
+                          type: number
+                        matcher:
+                          description: 299" or "0-99"). Required for HTTP/HTTPS/GRPC
+                            ALB. Only applies to Application Load Balancers (i.e.,
+                            HTTP/HTTPS/GRPC) not Network Load Balancers (i.e., TCP).
+                          type: string
+                        path:
+                          description: (May be required) Destination for the health
+                            check request. Required for HTTP/HTTPS ALB and HTTP NLB.
+                            Only applies to HTTP/HTTPS.
+                          type: string
+                        port:
+                          description: The port the load balancer uses when performing
+                            health checks on targets. Default is traffic-port.
+                          type: string
+                        protocol:
+                          description: Protocol the load balancer uses when performing
+                            health checks on targets. Must be either TCP, HTTP, or
+                            HTTPS. The TCP protocol is not supported for health checks
+                            if the protocol of the target group is HTTP or HTTPS.
+                            Defaults to HTTP.
+                          type: string
+                        timeout:
+                          description: Amount of time, in seconds, during which no
+                            response from a target means a failed health check. The
+                            range is 2–120 seconds. For target groups with a protocol
+                            of HTTP, the default is 6 seconds. For target groups with
+                            a protocol of TCP, TLS or HTTPS, the default is 10 seconds.
+                            For target groups with a protocol of GENEVE, the default
+                            is 5 seconds. If the target type is lambda, the default
+                            is 30 seconds.
+                          type: number
+                        unhealthyThreshold:
+                          description: Number of consecutive health check failures
+                            required before considering a target unhealthy. The range
+                            is 2-10. Defaults to 3.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: ARN of the Target Group (matches arn).
                     type: string
+                  ipAddressType:
+                    description: The type of IP addresses used by the target group,
+                      only supported when target type is set to ip. Possible values
+                      are ipv4 or ipv6.
+                    type: string
+                  lambdaMultiValueHeadersEnabled:
+                    description: Whether the request and response headers exchanged
+                      between the load balancer and the Lambda function include arrays
+                      of values or strings. Only applies when target_type is lambda.
+                      Default is false.
+                    type: boolean
+                  loadBalancingAlgorithmType:
+                    description: Determines how the load balancer selects targets
+                      when routing requests. Only applicable for Application Load
+                      Balancer Target Groups. The value is round_robin or least_outstanding_requests.
+                      The default is round_robin.
+                    type: string
+                  name:
+                    description: Name of the target group.
+                    type: string
+                  port:
+                    description: (May be required, Forces new resource) Port on which
+                      targets receive traffic, unless overridden when registering
+                      a specific target. Required when target_type is instance, ip
+                      or alb. Does not apply when target_type is lambda.
+                    type: number
+                  preserveClientIp:
+                    description: Whether client IP preservation is enabled. See doc
+                      for more information.
+                    type: string
+                  protocol:
+                    description: (May be required, Forces new resource) Protocol to
+                      use for routing traffic to the targets. Should be one of GENEVE,
+                      HTTP, HTTPS, TCP, TCP_UDP, TLS, or UDP. Required when target_type
+                      is instance, ip or alb. Does not apply when target_type is lambda.
+                    type: string
+                  protocolVersion:
+                    description: Only applicable when protocol is HTTP or HTTPS. The
+                      protocol version. Specify GRPC to send requests to targets using
+                      gRPC. Specify HTTP2 to send requests to targets using HTTP/2.
+                      The default is HTTP1, which sends requests to targets using
+                      HTTP/1.1
+                    type: string
+                  proxyProtocolV2:
+                    description: Whether to enable support for proxy protocol v2 on
+                      Network Load Balancers. See doc for more information. Default
+                      is false.
+                    type: boolean
+                  slowStart:
+                    description: Amount time for targets to warm up before the load
+                      balancer sends them a full share of requests. The range is 30-900
+                      seconds or 0 to disable. The default value is 0 seconds.
+                    type: number
+                  stickiness:
+                    description: Stickiness configuration block. Detailed below.
+                    items:
+                      properties:
+                        cookieDuration:
+                          description: Only used when the type is lb_cookie. The time
+                            period, in seconds, during which requests from a client
+                            should be routed to the same target. After this time period
+                            expires, the load balancer-generated cookie is considered
+                            stale. The range is 1 second to 1 week (604800 seconds).
+                            The default value is 1 day (86400 seconds).
+                          type: number
+                        cookieName:
+                          description: Name of the application based cookie. AWSALB,
+                            AWSALBAPP, and AWSALBTG prefixes are reserved and cannot
+                            be used. Only needed when type is app_cookie.
+                          type: string
+                        enabled:
+                          description: Whether health checks are enabled. Defaults
+                            to true.
+                          type: boolean
+                        type:
+                          description: The type of sticky sessions. The only current
+                            possible values are lb_cookie, app_cookie for ALBs, source_ip
+                            for NLBs, and source_ip_dest_ip, source_ip_dest_ip_proto
+                            for GWLBs.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -526,6 +702,35 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetFailover:
+                    description: Target failover block. Only applicable for Gateway
+                      Load Balancer target groups. See target_failover for more information.
+                    items:
+                      properties:
+                        onDeregistration:
+                          description: 'Indicates how the GWLB handles existing flows
+                            when a target is deregistered. Possible values are rebalance
+                            and no_rebalance. Must match the attribute value set for
+                            on_unhealthy. Default: no_rebalance.'
+                          type: string
+                        onUnhealthy:
+                          description: 'Indicates how the GWLB handles existing flows
+                            when a target is unhealthy. Possible values are rebalance
+                            and no_rebalance. Must match the attribute value set for
+                            on_deregistration. Default: no_rebalance.'
+                          type: string
+                      type: object
+                    type: array
+                  targetType:
+                    description: (May be required, Forces new resource) Type of target
+                      that you must specify when registering targets with this target
+                      group. See doc for supported values. The default is instance.
+                    type: string
+                  vpcId:
+                    description: Identifier of the VPC in which to create the target
+                      group. Required when target_type is instance, ip or alb. Does
+                      not apply when target_type is lambda.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/emr.aws.upbound.io_securityconfigurations.yaml b/package/crds/emr.aws.upbound.io_securityconfigurations.yaml
index 499fd621c6..9f300c547c 100644
--- a/package/crds/emr.aws.upbound.io_securityconfigurations.yaml
+++ b/package/crds/emr.aws.upbound.io_securityconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - configuration
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,12 +264,18 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: configuration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.configuration)
           status:
             description: SecurityConfigurationStatus defines the observed state of
               SecurityConfiguration.
             properties:
               atProvider:
                 properties:
+                  configuration:
+                    description: A JSON formatted Security Configuration
+                    type: string
                   creationDate:
                     description: Date the Security Configuration was created
                     type: string
diff --git a/package/crds/emrserverless.aws.upbound.io_applications.yaml b/package/crds/emrserverless.aws.upbound.io_applications.yaml
index 4a9c928885..30510bbec9 100644
--- a/package/crds/emrserverless.aws.upbound.io_applications.yaml
+++ b/package/crds/emrserverless.aws.upbound.io_applications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -203,11 +207,23 @@ spec:
                       as spark or hive.
                     type: string
                 required:
-                - name
                 - region
-                - releaseLabel
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -379,23 +395,154 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: releaseLabel is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.releaseLabel)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: ApplicationStatus defines the observed state of Application.
             properties:
               atProvider:
                 properties:
+                  architecture:
+                    description: –  The CPU architecture of an application. Valid
+                      values are ARM64 or X86_64. Default value is X86_64.
+                    type: string
                   arn:
                     description: ARN of the cluster.
                     type: string
+                  autoStartConfiguration:
+                    description: –  The configuration for an application to automatically
+                      start on job submission.
+                    items:
+                      properties:
+                        enabled:
+                          description: Enables the application to automatically start
+                            on job submission. Defaults to true.
+                          type: boolean
+                      type: object
+                    type: array
+                  autoStopConfiguration:
+                    description: –  The configuration for an application to automatically
+                      stop after a certain amount of time being idle.
+                    items:
+                      properties:
+                        enabled:
+                          description: Enables the application to automatically start
+                            on job submission. Defaults to true.
+                          type: boolean
+                        idleTimeoutMinutes:
+                          description: The amount of idle time in minutes after which
+                            your application will automatically stop. Defaults to
+                            15 minutes.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: The ID of the cluster.
                     type: string
+                  initialCapacity:
+                    description: –  The capacity to initialize when the application
+                      is created.
+                    items:
+                      properties:
+                        initialCapacityConfig:
+                          description: The initial capacity configuration per worker.
+                          items:
+                            properties:
+                              workerConfiguration:
+                                description: The resource configuration of the initial
+                                  capacity configuration.
+                                items:
+                                  properties:
+                                    cpu:
+                                      description: The maximum allowed CPU for an
+                                        application.
+                                      type: string
+                                    disk:
+                                      description: The maximum allowed disk for an
+                                        application.
+                                      type: string
+                                    memory:
+                                      description: The maximum allowed resources for
+                                        an application.
+                                      type: string
+                                  type: object
+                                type: array
+                              workerCount:
+                                description: The number of workers in the initial
+                                  capacity configuration.
+                                type: number
+                            type: object
+                          type: array
+                        initialCapacityType:
+                          description: The worker type for an analytics framework.
+                            For Spark applications, the key can either be set to Driver
+                            or Executor. For Hive applications, it can be set to HiveDriver
+                            or TezTask.
+                          type: string
+                      type: object
+                    type: array
+                  maximumCapacity:
+                    description: –  The maximum capacity to allocate when the application
+                      is created. This is cumulative across all workers at any given
+                      point in time, not just when an application is created. No new
+                      resources will be created once any one of the defined limits
+                      is hit.
+                    items:
+                      properties:
+                        cpu:
+                          description: The maximum allowed CPU for an application.
+                          type: string
+                        disk:
+                          description: The maximum allowed disk for an application.
+                          type: string
+                        memory:
+                          description: The maximum allowed resources for an application.
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: –  The name of the application.
+                    type: string
+                  networkConfiguration:
+                    description: –  The network configuration for customer VPC connectivity.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          description: The array of security group Ids for customer
+                            VPC connectivity.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: The array of subnet Ids for customer VPC connectivity.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  releaseLabel:
+                    description: –  The EMR release version associated with the application.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  type:
+                    description: –  The type of application you want to start, such
+                      as spark or hive.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/evidently.aws.upbound.io_features.yaml b/package/crds/evidently.aws.upbound.io_features.yaml
index 81b9ec669b..52f819d411 100644
--- a/package/crds/evidently.aws.upbound.io_features.yaml
+++ b/package/crds/evidently.aws.upbound.io_features.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -220,8 +224,22 @@ spec:
                     type: array
                 required:
                 - region
-                - variations
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -393,6 +411,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: variations is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.variations)
           status:
             description: FeatureStatus defines the observed state of Feature.
             properties:
@@ -404,6 +425,26 @@ spec:
                   createdTime:
                     description: The date and time that the feature is created.
                     type: string
+                  defaultVariation:
+                    description: The name of the variation to use as the default variation.
+                      The default variation is served to users who are not allocated
+                      to any ongoing launches or experiments of this feature. This
+                      variation must also be listed in the variations structure. If
+                      you omit default_variation, the first variation listed in the
+                      variations structure is used as the default variation.
+                    type: string
+                  description:
+                    description: Specifies the description of the feature.
+                    type: string
+                  entityOverrides:
+                    additionalProperties:
+                      type: string
+                    description: Specify users that should always be served a specific
+                      variation of a feature. Each user is specified by a key-value
+                      pair . For each key, specify a user by entering their user ID,
+                      account ID, or some other identifier. For the value, specify
+                      the name of the variation that they are to be served.
+                    type: object
                   evaluationRules:
                     description: One or more blocks that define the evaluation rules
                       for the feature. Detailed below
@@ -419,6 +460,11 @@ spec:
                           type: string
                       type: object
                     type: array
+                  evaluationStrategy:
+                    description: Specify ALL_RULES to activate the traffic allocation
+                      specified by any ongoing launches or experiments. Specify DEFAULT_VARIATION
+                      to serve the default variation to all users instead.
+                    type: string
                   id:
                     description: The feature name and the project name or arn separated
                       by a colon (:).
@@ -427,10 +473,19 @@ spec:
                     description: The date and time that the feature was most recently
                       updated.
                     type: string
+                  project:
+                    description: The name or ARN of the project that is to contain
+                      the new feature.
+                    type: string
                   status:
                     description: The current state of the feature. Valid values are
                       AVAILABLE and UPDATING.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -442,6 +497,46 @@ spec:
                     description: 'Defines the type of value used to define the different
                       feature variations. Valid Values: STRING, LONG, DOUBLE, BOOLEAN.'
                     type: string
+                  variations:
+                    description: One or more blocks that contain the configuration
+                      of the feature's different variations. Detailed below
+                    items:
+                      properties:
+                        name:
+                          description: The name of the variation. Minimum length of
+                            1. Maximum length of 127.
+                          type: string
+                        value:
+                          description: A block that specifies the value assigned to
+                            this variation. Detailed below
+                          items:
+                            properties:
+                              boolValue:
+                                description: If this feature uses the Boolean variation
+                                  type, this field contains the Boolean value of this
+                                  variation.
+                                type: string
+                              doubleValue:
+                                description: If this feature uses the double integer
+                                  variation type, this field contains the double integer
+                                  value of this variation.
+                                type: string
+                              longValue:
+                                description: If this feature uses the long variation
+                                  type, this field contains the long value of this
+                                  variation. Minimum value of -9007199254740991. Maximum
+                                  value of 9007199254740991.
+                                type: string
+                              stringValue:
+                                description: If this feature uses the string variation
+                                  type, this field contains the string value of this
+                                  variation. Minimum length of 0. Maximum length of
+                                  512.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/evidently.aws.upbound.io_projects.yaml b/package/crds/evidently.aws.upbound.io_projects.yaml
index 87f2a27751..0e6a38d003 100644
--- a/package/crds/evidently.aws.upbound.io_projects.yaml
+++ b/package/crds/evidently.aws.upbound.io_projects.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -116,9 +120,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -290,6 +308,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ProjectStatus defines the observed state of Project.
             properties:
@@ -308,6 +329,45 @@ spec:
                   createdTime:
                     description: The date and time that the project is created.
                     type: string
+                  dataDelivery:
+                    description: A block that contains information about where Evidently
+                      is to store evaluation events for longer term storage, if you
+                      choose to do so. If you choose not to store these events, Evidently
+                      deletes them after using them to produce metrics and other experiment
+                      results that you can view. See below.
+                    items:
+                      properties:
+                        cloudwatchLogs:
+                          description: A block that defines the CloudWatch Log Group
+                            that stores the evaluation events. See below.
+                          items:
+                            properties:
+                              logGroup:
+                                description: The name of the log group where the project
+                                  stores evaluation events.
+                                type: string
+                            type: object
+                          type: array
+                        s3Destination:
+                          description: A block that defines the S3 bucket and prefix
+                            that stores the evaluation events. See below.
+                          items:
+                            properties:
+                              bucket:
+                                description: The name of the bucket in which Evidently
+                                  stores evaluation events.
+                                type: string
+                              prefix:
+                                description: The bucket prefix in which Evidently
+                                  stores evaluation events.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  description:
+                    description: Specifies the description of the project.
+                    type: string
                   experimentCount:
                     description: The number of experiments currently in the project.
                       This includes all experiments that have been created and not
@@ -328,10 +388,18 @@ spec:
                       This includes all launches that have been created and not deleted,
                       whether they are ongoing or not.
                     type: number
+                  name:
+                    description: A name for the project.
+                    type: string
                   status:
                     description: The current state of the project. Valid values are
                       AVAILABLE and UPDATING.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/evidently.aws.upbound.io_segments.yaml b/package/crds/evidently.aws.upbound.io_segments.yaml
index 2782f8e667..9eb4fbbe38 100644
--- a/package/crds/evidently.aws.upbound.io_segments.yaml
+++ b/package/crds/evidently.aws.upbound.io_segments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,9 +85,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - pattern
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -255,6 +273,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: pattern is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.pattern)
           status:
             description: SegmentStatus defines the observed state of Segment.
             properties:
@@ -266,6 +287,9 @@ spec:
                   createdTime:
                     description: The date and time that the segment is created.
                     type: string
+                  description:
+                    description: Specifies the description of the segment.
+                    type: string
                   experimentCount:
                     description: The number of experiments that this segment is used
                       in. This count includes all current experiments, not just those
@@ -283,6 +307,15 @@ spec:
                       in. This count includes all current launches, not just those
                       that are currently running.
                     type: number
+                  pattern:
+                    description: The pattern to use for the segment. For more information
+                      about pattern syntax, see Segment rule pattern syntax.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/firehose.aws.upbound.io_deliverystreams.yaml b/package/crds/firehose.aws.upbound.io_deliverystreams.yaml
index 60452c94b8..8cc0a7075a 100644
--- a/package/crds/firehose.aws.upbound.io_deliverystreams.yaml
+++ b/package/crds/firehose.aws.upbound.io_deliverystreams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -2402,10 +2406,23 @@ spec:
                       Defaults to LATEST.
                     type: string
                 required:
-                - destination
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -2577,37 +2594,1246 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: DeliveryStreamStatus defines the observed state of DeliveryStream.
             properties:
               atProvider:
                 properties:
+                  arn:
+                    description: The Amazon Resource Name (ARN) specifying the Stream
+                    type: string
+                  destination:
+                    description: –  This is the destination to where the data is delivered.
+                      The only options are s3 (Deprecated, use extended_s3 instead),
+                      extended_s3, redshift, elasticsearch, splunk, and http_endpoint.
+                    type: string
+                  destinationId:
+                    type: string
                   elasticsearchConfiguration:
                     description: Configuration options if elasticsearch is the destination.
                       More details are given below.
                     items:
                       properties:
+                        bufferingInterval:
+                          description: Buffer incoming data for the specified period
+                            of time, in seconds between 60 to 900, before delivering
+                            it to the destination.  The default value is 300s.
+                          type: number
+                        bufferingSize:
+                          description: Buffer incoming data to the specified size,
+                            in MBs between 1 to 100, before delivering it to the destination.  The
+                            default value is 5MB.
+                          type: number
+                        cloudwatchLoggingOptions:
+                          description: The CloudWatch Logging Options for the delivery
+                            stream. More details are given below
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              logGroupName:
+                                description: The CloudWatch group name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                              logStreamName:
+                                description: The CloudWatch log stream name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                            type: object
+                          type: array
+                        clusterEndpoint:
+                          description: The endpoint to use when communicating with
+                            the cluster. Conflicts with domain_arn.
+                          type: string
+                        domainArn:
+                          description: The ARN of the Amazon ES domain.  The pattern
+                            needs to be arn:.*.  Conflicts with cluster_endpoint.
+                          type: string
+                        indexName:
+                          description: The Elasticsearch index name.
+                          type: string
+                        indexRotationPeriod:
+                          description: The Elasticsearch index rotation period.  Index
+                            rotation appends a timestamp to the IndexName to facilitate
+                            expiration of old data.  Valid values are NoRotation,
+                            OneHour, OneDay, OneWeek, and OneMonth.  The default value
+                            is OneDay.
+                          type: string
+                        processingConfiguration:
+                          description: The data processing configuration.  More details
+                            are given below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              processors:
+                                description: Array of data processors. More details
+                                  are given below
+                                items:
+                                  properties:
+                                    parameters:
+                                      description: Array of processor parameters.
+                                        More details are given below
+                                      items:
+                                        properties:
+                                          parameterName:
+                                            description: 'Parameter name. Valid Values:
+                                              LambdaArn, NumberOfRetries, MetadataExtractionQuery,
+                                              JsonParsingEngine, RoleArn, BufferSizeInMBs,
+                                              BufferIntervalInSeconds, SubRecordType,
+                                              Delimiter. Validation is done against
+                                              AWS SDK constants; so that values not
+                                              explicitly listed may also work.'
+                                            type: string
+                                          parameterValue:
+                                            description: Parameter value. Must be
+                                              between 1 and 512 length (inclusive).
+                                              When providing a Lambda ARN, you should
+                                              specify the resource version as well.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    type:
+                                      description: 'The type of processor. Valid Values:
+                                        RecordDeAggregation, Lambda, MetadataExtraction,
+                                        AppendDelimiterToRecord. Validation is done
+                                        against AWS SDK constants; so that values
+                                        not explicitly listed may also work.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        retryDuration:
+                          description: The length of time during which Firehose retries
+                            delivery after a failure, starting from the initial request
+                            and including the first attempt. The default value is
+                            3600 seconds (60 minutes). Firehose does not retry if
+                            the value of DurationInSeconds is 0 (zero) or if the first
+                            delivery attempt takes longer than the current value.
+                          type: number
+                        roleArn:
+                          description: The ARN of the AWS credentials.
+                          type: string
+                        s3BackupMode:
+                          description: The Amazon S3 backup mode.  Valid values are
+                            Disabled and Enabled.  Default value is Disabled.
+                          type: string
+                        typeName:
+                          description: The Elasticsearch type name with maximum length
+                            of 100 characters.
+                          type: string
                         vpcConfig:
                           description: The VPC configuration for the delivery stream
                             to connect to Elastic Search associated with the VPC.
                             More details are given below
                           items:
                             properties:
+                              roleArn:
+                                description: The ARN of the AWS credentials.
+                                type: string
+                              securityGroupIds:
+                                description: A list of security group IDs to associate
+                                  with Kinesis Firehose.
+                                items:
+                                  type: string
+                                type: array
+                              subnetIds:
+                                description: A list of subnet IDs to associate with
+                                  Kinesis Firehose.
+                                items:
+                                  type: string
+                                type: array
                               vpcId:
                                 type: string
                             type: object
                           type: array
                       type: object
                     type: array
-                  id:
-                    type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: A map of tags assigned to the resource, including
-                      those inherited from the provider default_tags configuration
-                      block.
-                    type: object
+                  extendedS3Configuration:
+                    description: Enhanced configuration options for the s3 destination.
+                      More details are given below.
+                    items:
+                      properties:
+                        bucketArn:
+                          description: The ARN of the S3 bucket
+                          type: string
+                        bufferInterval:
+                          description: Buffer incoming data for the specified period
+                            of time, in seconds, before delivering it to the destination.
+                            The default value is 300.
+                          type: number
+                        bufferSize:
+                          description: Buffer incoming data to the specified size,
+                            in MBs, before delivering it to the destination. The default
+                            value is 5. We recommend setting SizeInMBs to a value
+                            greater than the amount of data you typically ingest into
+                            the delivery stream in 10 seconds. For example, if you
+                            typically ingest data at 1 MB/sec set SizeInMBs to be
+                            10 MB or higher.
+                          type: number
+                        cloudwatchLoggingOptions:
+                          description: The CloudWatch Logging Options for the delivery
+                            stream. More details are given below
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              logGroupName:
+                                description: The CloudWatch group name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                              logStreamName:
+                                description: The CloudWatch log stream name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                            type: object
+                          type: array
+                        compressionFormat:
+                          description: The compression format. If no value is specified,
+                            the default is UNCOMPRESSED. Other supported values are
+                            GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+                          type: string
+                        dataFormatConversionConfiguration:
+                          description: Nested argument for the serializer, deserializer,
+                            and schema for converting data from the JSON format to
+                            the Parquet or ORC format before writing it to Amazon
+                            S3. More details given below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              inputFormatConfiguration:
+                                description: Nested argument that specifies the deserializer
+                                  that you want Kinesis Data Firehose to use to convert
+                                  the format of your data from JSON. More details
+                                  below.
+                                items:
+                                  properties:
+                                    deserializer:
+                                      description: Nested argument that specifies
+                                        which deserializer to use. You can choose
+                                        either the Apache Hive JSON SerDe or the OpenX
+                                        JSON SerDe. More details below.
+                                      items:
+                                        properties:
+                                          hiveJsonSerDe:
+                                            description: Nested argument that specifies
+                                              the native Hive / HCatalog JsonSerDe.
+                                              More details below.
+                                            items:
+                                              properties:
+                                                timestampFormats:
+                                                  description: A list of how you want
+                                                    Kinesis Data Firehose to parse
+                                                    the date and time stamps that
+                                                    may be present in your input data
+                                                    JSON. To specify these format
+                                                    strings, follow the pattern syntax
+                                                    of JodaTime's DateTimeFormat format
+                                                    strings. For more information,
+                                                    see Class DateTimeFormat. You
+                                                    can also use the special value
+                                                    millis to parse time stamps in
+                                                    epoch milliseconds. If you don't
+                                                    specify a format, Kinesis Data
+                                                    Firehose uses java.sql.Timestamp::valueOf
+                                                    by default.
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          openXJsonSerDe:
+                                            description: Nested argument that specifies
+                                              the OpenX SerDe. More details below.
+                                            items:
+                                              properties:
+                                                caseInsensitive:
+                                                  description: When set to true, which
+                                                    is the default, Kinesis Data Firehose
+                                                    converts JSON keys to lowercase
+                                                    before deserializing them.
+                                                  type: boolean
+                                                columnToJsonKeyMappings:
+                                                  additionalProperties:
+                                                    type: string
+                                                  description: A map of column names
+                                                    to JSON keys that aren't identical
+                                                    to the column names. This is useful
+                                                    when the JSON contains keys that
+                                                    are Hive keywords. For example,
+                                                    timestamp is a Hive keyword. If
+                                                    you have a JSON key named timestamp,
+                                                    set this parameter to { ts = "timestamp"
+                                                    } to map this key to a column
+                                                    named ts.
+                                                  type: object
+                                                convertDotsInJsonKeysToUnderscores:
+                                                  description: When set to true, specifies
+                                                    that the names of the keys include
+                                                    dots and that you want Kinesis
+                                                    Data Firehose to replace them
+                                                    with underscores. This is useful
+                                                    because Apache Hive does not allow
+                                                    dots in column names. For example,
+                                                    if the JSON contains a key whose
+                                                    name is "a.b", you can define
+                                                    the column name to be "a_b" when
+                                                    using this option. Defaults to
+                                                    false.
+                                                  type: boolean
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              outputFormatConfiguration:
+                                description: Nested argument that specifies the serializer
+                                  that you want Kinesis Data Firehose to use to convert
+                                  the format of your data to the Parquet or ORC format.
+                                  More details below.
+                                items:
+                                  properties:
+                                    serializer:
+                                      description: Nested argument that specifies
+                                        which serializer to use. You can choose either
+                                        the ORC SerDe or the Parquet SerDe. More details
+                                        below.
+                                      items:
+                                        properties:
+                                          orcSerDe:
+                                            description: Nested argument that specifies
+                                              converting data to the ORC format before
+                                              storing it in Amazon S3. For more information,
+                                              see Apache ORC. More details below.
+                                            items:
+                                              properties:
+                                                blockSizeBytes:
+                                                  description: The Hadoop Distributed
+                                                    File System (HDFS) block size.
+                                                    This is useful if you intend to
+                                                    copy the data from Amazon S3 to
+                                                    HDFS before querying. The default
+                                                    is 256 MiB and the minimum is
+                                                    64 MiB. Kinesis Data Firehose
+                                                    uses this value for padding calculations.
+                                                  type: number
+                                                bloomFilterColumns:
+                                                  description: A list of column names
+                                                    for which you want Kinesis Data
+                                                    Firehose to create bloom filters.
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                bloomFilterFalsePositiveProbability:
+                                                  description: The Bloom filter false
+                                                    positive probability (FPP). The
+                                                    lower the FPP, the bigger the
+                                                    Bloom filter. The default value
+                                                    is 0.05, the minimum is 0, and
+                                                    the maximum is 1.
+                                                  type: number
+                                                compression:
+                                                  description: The compression code
+                                                    to use over data blocks. The possible
+                                                    values are UNCOMPRESSED, SNAPPY,
+                                                    and GZIP, with the default being
+                                                    SNAPPY. Use SNAPPY for higher
+                                                    decompression speed. Use GZIP
+                                                    if the compression ratio is more
+                                                    important than speed.
+                                                  type: string
+                                                dictionaryKeyThreshold:
+                                                  description: A float that represents
+                                                    the fraction of the total number
+                                                    of non-null rows. To turn off
+                                                    dictionary encoding, set this
+                                                    fraction to a number that is less
+                                                    than the number of distinct keys
+                                                    in a dictionary. To always use
+                                                    dictionary encoding, set this
+                                                    threshold to 1.
+                                                  type: number
+                                                enablePadding:
+                                                  description: Set this to true to
+                                                    indicate that you want stripes
+                                                    to be padded to the HDFS block
+                                                    boundaries. This is useful if
+                                                    you intend to copy the data from
+                                                    Amazon S3 to HDFS before querying.
+                                                    The default is false.
+                                                  type: boolean
+                                                formatVersion:
+                                                  description: The version of the
+                                                    file to write. The possible values
+                                                    are V0_11 and V0_12. The default
+                                                    is V0_12.
+                                                  type: string
+                                                paddingTolerance:
+                                                  description: A float between 0 and
+                                                    1 that defines the tolerance for
+                                                    block padding as a decimal fraction
+                                                    of stripe size. The default value
+                                                    is 0.05, which means 5 percent
+                                                    of stripe size. For the default
+                                                    values of 64 MiB ORC stripes and
+                                                    256 MiB HDFS blocks, the default
+                                                    block padding tolerance of 5 percent
+                                                    reserves a maximum of 3.2 MiB
+                                                    for padding within the 256 MiB
+                                                    block. In such a case, if the
+                                                    available size within the block
+                                                    is more than 3.2 MiB, a new, smaller
+                                                    stripe is inserted to fit within
+                                                    that space. This ensures that
+                                                    no stripe crosses block boundaries
+                                                    and causes remote reads within
+                                                    a node-local task. Kinesis Data
+                                                    Firehose ignores this parameter
+                                                    when enable_padding is false.
+                                                  type: number
+                                                rowIndexStride:
+                                                  description: The number of rows
+                                                    between index entries. The default
+                                                    is 10000 and the minimum is 1000.
+                                                  type: number
+                                                stripeSizeBytes:
+                                                  description: The number of bytes
+                                                    in each stripe. The default is
+                                                    64 MiB and the minimum is 8 MiB.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          parquetSerDe:
+                                            description: Nested argument that specifies
+                                              converting data to the Parquet format
+                                              before storing it in Amazon S3. For
+                                              more information, see Apache Parquet.
+                                              More details below.
+                                            items:
+                                              properties:
+                                                blockSizeBytes:
+                                                  description: The Hadoop Distributed
+                                                    File System (HDFS) block size.
+                                                    This is useful if you intend to
+                                                    copy the data from Amazon S3 to
+                                                    HDFS before querying. The default
+                                                    is 256 MiB and the minimum is
+                                                    64 MiB. Kinesis Data Firehose
+                                                    uses this value for padding calculations.
+                                                  type: number
+                                                compression:
+                                                  description: The compression code
+                                                    to use over data blocks. The possible
+                                                    values are UNCOMPRESSED, SNAPPY,
+                                                    and GZIP, with the default being
+                                                    SNAPPY. Use SNAPPY for higher
+                                                    decompression speed. Use GZIP
+                                                    if the compression ratio is more
+                                                    important than speed.
+                                                  type: string
+                                                enableDictionaryCompression:
+                                                  description: Indicates whether to
+                                                    enable dictionary compression.
+                                                  type: boolean
+                                                maxPaddingBytes:
+                                                  description: The maximum amount
+                                                    of padding to apply. This is useful
+                                                    if you intend to copy the data
+                                                    from Amazon S3 to HDFS before
+                                                    querying. The default is 0.
+                                                  type: number
+                                                pageSizeBytes:
+                                                  description: The Parquet page size.
+                                                    Column chunks are divided into
+                                                    pages. A page is conceptually
+                                                    an indivisible unit (in terms
+                                                    of compression and encoding).
+                                                    The minimum value is 64 KiB and
+                                                    the default is 1 MiB.
+                                                  type: number
+                                                writerVersion:
+                                                  description: Indicates the version
+                                                    of row format to output. The possible
+                                                    values are V1 and V2. The default
+                                                    is V1.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              schemaConfiguration:
+                                description: Nested argument that specifies the AWS
+                                  Glue Data Catalog table that contains the column
+                                  information. More details below.
+                                items:
+                                  properties:
+                                    catalogId:
+                                      description: The ID of the AWS Glue Data Catalog.
+                                        If you don't supply this, the AWS account
+                                        ID is used by default.
+                                      type: string
+                                    databaseName:
+                                      description: Specifies the name of the AWS Glue
+                                        database that contains the schema for the
+                                        output data.
+                                      type: string
+                                    region:
+                                      description: If you don't specify an AWS Region,
+                                        the default is the current region.
+                                      type: string
+                                    roleArn:
+                                      description: The ARN of the AWS credentials.
+                                      type: string
+                                    tableName:
+                                      description: Specifies the AWS Glue table that
+                                        contains the column information that constitutes
+                                        your data schema.
+                                      type: string
+                                    versionId:
+                                      description: Specifies the table version for
+                                        the output data schema. Defaults to LATEST.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        dynamicPartitioningConfiguration:
+                          description: The configuration for dynamic partitioning.
+                            See Dynamic Partitioning Configuration below for more
+                            details. Required when using dynamic partitioning.
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              retryDuration:
+                                description: The length of time during which Firehose
+                                  retries delivery after a failure, starting from
+                                  the initial request and including the first attempt.
+                                  The default value is 3600 seconds (60 minutes).
+                                  Firehose does not retry if the value of DurationInSeconds
+                                  is 0 (zero) or if the first delivery attempt takes
+                                  longer than the current value.
+                                type: number
+                            type: object
+                          type: array
+                        errorOutputPrefix:
+                          description: Prefix added to failed records before writing
+                            them to S3. Not currently supported for redshift destination.
+                            This prefix appears immediately following the bucket name.
+                            For information about how to specify this prefix, see
+                            Custom Prefixes for Amazon S3 Objects.
+                          type: string
+                        kmsKeyArn:
+                          description: Specifies the KMS key ARN the stream will use
+                            to encrypt data. If not set, no encryption will be used.
+                          type: string
+                        prefix:
+                          description: The "YYYY/MM/DD/HH" time format prefix is automatically
+                            used for delivered S3 files. You can specify an extra
+                            prefix to be added in front of the time format prefix.
+                            Note that if the prefix ends with a slash, it appears
+                            as a folder in the S3 bucket
+                          type: string
+                        processingConfiguration:
+                          description: The data processing configuration.  More details
+                            are given below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              processors:
+                                description: Array of data processors. More details
+                                  are given below
+                                items:
+                                  properties:
+                                    parameters:
+                                      description: Array of processor parameters.
+                                        More details are given below
+                                      items:
+                                        properties:
+                                          parameterName:
+                                            description: 'Parameter name. Valid Values:
+                                              LambdaArn, NumberOfRetries, MetadataExtractionQuery,
+                                              JsonParsingEngine, RoleArn, BufferSizeInMBs,
+                                              BufferIntervalInSeconds, SubRecordType,
+                                              Delimiter. Validation is done against
+                                              AWS SDK constants; so that values not
+                                              explicitly listed may also work.'
+                                            type: string
+                                          parameterValue:
+                                            description: Parameter value. Must be
+                                              between 1 and 512 length (inclusive).
+                                              When providing a Lambda ARN, you should
+                                              specify the resource version as well.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    type:
+                                      description: 'The type of processor. Valid Values:
+                                        RecordDeAggregation, Lambda, MetadataExtraction,
+                                        AppendDelimiterToRecord. Validation is done
+                                        against AWS SDK constants; so that values
+                                        not explicitly listed may also work.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        roleArn:
+                          description: The ARN of the AWS credentials.
+                          type: string
+                        s3BackupConfiguration:
+                          description: The configuration for backup in Amazon S3.
+                            Required if s3_backup_mode is Enabled. Supports the same
+                            fields as s3_configuration object.
+                          items:
+                            properties:
+                              bucketArn:
+                                description: The ARN of the S3 bucket
+                                type: string
+                              bufferInterval:
+                                description: Buffer incoming data for the specified
+                                  period of time, in seconds, before delivering it
+                                  to the destination. The default value is 300.
+                                type: number
+                              bufferSize:
+                                description: Buffer incoming data to the specified
+                                  size, in MBs, before delivering it to the destination.
+                                  The default value is 5. We recommend setting SizeInMBs
+                                  to a value greater than the amount of data you typically
+                                  ingest into the delivery stream in 10 seconds. For
+                                  example, if you typically ingest data at 1 MB/sec
+                                  set SizeInMBs to be 10 MB or higher.
+                                type: number
+                              cloudwatchLoggingOptions:
+                                description: The CloudWatch Logging Options for the
+                                  delivery stream. More details are given below
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: Enables or disables the logging.
+                                        Defaults to false.
+                                      type: boolean
+                                    logGroupName:
+                                      description: The CloudWatch group name for logging.
+                                        This value is required if enabled is true.
+                                      type: string
+                                    logStreamName:
+                                      description: The CloudWatch log stream name
+                                        for logging. This value is required if enabled
+                                        is true.
+                                      type: string
+                                  type: object
+                                type: array
+                              compressionFormat:
+                                description: The compression format. If no value is
+                                  specified, the default is UNCOMPRESSED. Other supported
+                                  values are GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+                                type: string
+                              errorOutputPrefix:
+                                description: Prefix added to failed records before
+                                  writing them to S3. Not currently supported for
+                                  redshift destination. This prefix appears immediately
+                                  following the bucket name. For information about
+                                  how to specify this prefix, see Custom Prefixes
+                                  for Amazon S3 Objects.
+                                type: string
+                              kmsKeyArn:
+                                description: Specifies the KMS key ARN the stream
+                                  will use to encrypt data. If not set, no encryption
+                                  will be used.
+                                type: string
+                              prefix:
+                                description: The "YYYY/MM/DD/HH" time format prefix
+                                  is automatically used for delivered S3 files. You
+                                  can specify an extra prefix to be added in front
+                                  of the time format prefix. Note that if the prefix
+                                  ends with a slash, it appears as a folder in the
+                                  S3 bucket
+                                type: string
+                              roleArn:
+                                description: The ARN of the AWS credentials.
+                                type: string
+                            type: object
+                          type: array
+                        s3BackupMode:
+                          description: The Amazon S3 backup mode.  Valid values are
+                            Disabled and Enabled.  Default value is Disabled.
+                          type: string
+                      type: object
+                    type: array
+                  httpEndpointConfiguration:
+                    description: Configuration options if http_endpoint is the destination.
+                      requires the user to also specify a s3_configuration block.  More
+                      details are given below.
+                    items:
+                      properties:
+                        bufferingInterval:
+                          description: Buffer incoming data for the specified period
+                            of time, in seconds between 60 to 900, before delivering
+                            it to the destination.  The default value is 300s.
+                          type: number
+                        bufferingSize:
+                          description: Buffer incoming data to the specified size,
+                            in MBs between 1 to 100, before delivering it to the destination.  The
+                            default value is 5MB.
+                          type: number
+                        cloudwatchLoggingOptions:
+                          description: The CloudWatch Logging Options for the delivery
+                            stream. More details are given below
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              logGroupName:
+                                description: The CloudWatch group name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                              logStreamName:
+                                description: The CloudWatch log stream name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                            type: object
+                          type: array
+                        name:
+                          description: The HTTP endpoint name.
+                          type: string
+                        processingConfiguration:
+                          description: The data processing configuration.  More details
+                            are given below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              processors:
+                                description: Array of data processors. More details
+                                  are given below
+                                items:
+                                  properties:
+                                    parameters:
+                                      description: Array of processor parameters.
+                                        More details are given below
+                                      items:
+                                        properties:
+                                          parameterName:
+                                            description: 'Parameter name. Valid Values:
+                                              LambdaArn, NumberOfRetries, MetadataExtractionQuery,
+                                              JsonParsingEngine, RoleArn, BufferSizeInMBs,
+                                              BufferIntervalInSeconds, SubRecordType,
+                                              Delimiter. Validation is done against
+                                              AWS SDK constants; so that values not
+                                              explicitly listed may also work.'
+                                            type: string
+                                          parameterValue:
+                                            description: Parameter value. Must be
+                                              between 1 and 512 length (inclusive).
+                                              When providing a Lambda ARN, you should
+                                              specify the resource version as well.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    type:
+                                      description: 'The type of processor. Valid Values:
+                                        RecordDeAggregation, Lambda, MetadataExtraction,
+                                        AppendDelimiterToRecord. Validation is done
+                                        against AWS SDK constants; so that values
+                                        not explicitly listed may also work.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        requestConfiguration:
+                          description: The request configuration.  More details are
+                            given below.
+                          items:
+                            properties:
+                              commonAttributes:
+                                description: Describes the metadata sent to the HTTP
+                                  endpoint destination. More details are given below
+                                items:
+                                  properties:
+                                    name:
+                                      description: The HTTP endpoint name.
+                                      type: string
+                                    value:
+                                      description: The value of the HTTP endpoint
+                                        common attribute.
+                                      type: string
+                                  type: object
+                                type: array
+                              contentEncoding:
+                                description: Kinesis Data Firehose uses the content
+                                  encoding to compress the body of a request before
+                                  sending the request to the destination. Valid values
+                                  are NONE and GZIP.  Default value is NONE.
+                                type: string
+                            type: object
+                          type: array
+                        retryDuration:
+                          description: The length of time during which Firehose retries
+                            delivery after a failure, starting from the initial request
+                            and including the first attempt. The default value is
+                            3600 seconds (60 minutes). Firehose does not retry if
+                            the value of DurationInSeconds is 0 (zero) or if the first
+                            delivery attempt takes longer than the current value.
+                          type: number
+                        roleArn:
+                          description: The ARN of the AWS credentials.
+                          type: string
+                        s3BackupMode:
+                          description: The Amazon S3 backup mode.  Valid values are
+                            Disabled and Enabled.  Default value is Disabled.
+                          type: string
+                        url:
+                          description: The HTTP endpoint URL to which Kinesis Firehose
+                            sends your data.
+                          type: string
+                      type: object
+                    type: array
+                  id:
+                    type: string
+                  kinesisSourceConfiguration:
+                    description: Allows the ability to specify the kinesis stream
+                      that is used as the source of the firehose delivery stream.
+                    items:
+                      properties:
+                        kinesisStreamArn:
+                          description: The kinesis stream used as the source of the
+                            firehose delivery stream.
+                          type: string
+                        roleArn:
+                          description: The ARN of the AWS credentials.
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: A name to identify the stream. This is unique to
+                      the AWS account and region the Stream is created in. When using
+                      for WAF logging, name must be prefixed with aws-waf-logs-. See
+                      AWS Documentation for more details.
+                    type: string
+                  redshiftConfiguration:
+                    description: Configuration options if redshift is the destination.
+                      Using redshift_configuration requires the user to also specify
+                      a s3_configuration block. More details are given below.
+                    items:
+                      properties:
+                        cloudwatchLoggingOptions:
+                          description: The CloudWatch Logging Options for the delivery
+                            stream. More details are given below
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              logGroupName:
+                                description: The CloudWatch group name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                              logStreamName:
+                                description: The CloudWatch log stream name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                            type: object
+                          type: array
+                        clusterJdbcurl:
+                          description: The jdbcurl of the redshift cluster.
+                          type: string
+                        copyOptions:
+                          description: Copy options for copying the data from the
+                            s3 intermediate bucket into redshift, for example to change
+                            the default delimiter. For valid values, see the AWS documentation
+                          type: string
+                        dataTableColumns:
+                          description: The data table columns that will be targeted
+                            by the copy command.
+                          type: string
+                        dataTableName:
+                          description: The name of the table in the redshift cluster
+                            that the s3 bucket will copy to.
+                          type: string
+                        processingConfiguration:
+                          description: The data processing configuration.  More details
+                            are given below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              processors:
+                                description: Array of data processors. More details
+                                  are given below
+                                items:
+                                  properties:
+                                    parameters:
+                                      description: Array of processor parameters.
+                                        More details are given below
+                                      items:
+                                        properties:
+                                          parameterName:
+                                            description: 'Parameter name. Valid Values:
+                                              LambdaArn, NumberOfRetries, MetadataExtractionQuery,
+                                              JsonParsingEngine, RoleArn, BufferSizeInMBs,
+                                              BufferIntervalInSeconds, SubRecordType,
+                                              Delimiter. Validation is done against
+                                              AWS SDK constants; so that values not
+                                              explicitly listed may also work.'
+                                            type: string
+                                          parameterValue:
+                                            description: Parameter value. Must be
+                                              between 1 and 512 length (inclusive).
+                                              When providing a Lambda ARN, you should
+                                              specify the resource version as well.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    type:
+                                      description: 'The type of processor. Valid Values:
+                                        RecordDeAggregation, Lambda, MetadataExtraction,
+                                        AppendDelimiterToRecord. Validation is done
+                                        against AWS SDK constants; so that values
+                                        not explicitly listed may also work.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        retryDuration:
+                          description: The length of time during which Firehose retries
+                            delivery after a failure, starting from the initial request
+                            and including the first attempt. The default value is
+                            3600 seconds (60 minutes). Firehose does not retry if
+                            the value of DurationInSeconds is 0 (zero) or if the first
+                            delivery attempt takes longer than the current value.
+                          type: number
+                        roleArn:
+                          description: The ARN of the AWS credentials.
+                          type: string
+                        s3BackupConfiguration:
+                          description: The configuration for backup in Amazon S3.
+                            Required if s3_backup_mode is Enabled. Supports the same
+                            fields as s3_configuration object.
+                          items:
+                            properties:
+                              bucketArn:
+                                description: The ARN of the S3 bucket
+                                type: string
+                              bufferInterval:
+                                description: Buffer incoming data for the specified
+                                  period of time, in seconds, before delivering it
+                                  to the destination. The default value is 300.
+                                type: number
+                              bufferSize:
+                                description: Buffer incoming data to the specified
+                                  size, in MBs, before delivering it to the destination.
+                                  The default value is 5. We recommend setting SizeInMBs
+                                  to a value greater than the amount of data you typically
+                                  ingest into the delivery stream in 10 seconds. For
+                                  example, if you typically ingest data at 1 MB/sec
+                                  set SizeInMBs to be 10 MB or higher.
+                                type: number
+                              cloudwatchLoggingOptions:
+                                description: The CloudWatch Logging Options for the
+                                  delivery stream. More details are given below
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: Enables or disables the logging.
+                                        Defaults to false.
+                                      type: boolean
+                                    logGroupName:
+                                      description: The CloudWatch group name for logging.
+                                        This value is required if enabled is true.
+                                      type: string
+                                    logStreamName:
+                                      description: The CloudWatch log stream name
+                                        for logging. This value is required if enabled
+                                        is true.
+                                      type: string
+                                  type: object
+                                type: array
+                              compressionFormat:
+                                description: The compression format. If no value is
+                                  specified, the default is UNCOMPRESSED. Other supported
+                                  values are GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+                                type: string
+                              errorOutputPrefix:
+                                description: Prefix added to failed records before
+                                  writing them to S3. Not currently supported for
+                                  redshift destination. This prefix appears immediately
+                                  following the bucket name. For information about
+                                  how to specify this prefix, see Custom Prefixes
+                                  for Amazon S3 Objects.
+                                type: string
+                              kmsKeyArn:
+                                description: Specifies the KMS key ARN the stream
+                                  will use to encrypt data. If not set, no encryption
+                                  will be used.
+                                type: string
+                              prefix:
+                                description: The "YYYY/MM/DD/HH" time format prefix
+                                  is automatically used for delivered S3 files. You
+                                  can specify an extra prefix to be added in front
+                                  of the time format prefix. Note that if the prefix
+                                  ends with a slash, it appears as a folder in the
+                                  S3 bucket
+                                type: string
+                              roleArn:
+                                description: The ARN of the AWS credentials.
+                                type: string
+                            type: object
+                          type: array
+                        s3BackupMode:
+                          description: The Amazon S3 backup mode.  Valid values are
+                            Disabled and Enabled.  Default value is Disabled.
+                          type: string
+                        username:
+                          description: The username that the firehose delivery stream
+                            will assume. It is strongly recommended that the username
+                            and password provided is used exclusively for Amazon Kinesis
+                            Firehose purposes, and that the permissions for the account
+                            are restricted for Amazon Redshift INSERT permissions.
+                          type: string
+                      type: object
+                    type: array
+                  s3Configuration:
+                    description: Required for non-S3 destinations. For S3 destination,
+                      use extended_s3_configuration instead. Configuration options
+                      for the s3 destination (or the intermediate bucket if the destination
+                      is redshift). More details are given below.
+                    items:
+                      properties:
+                        bucketArn:
+                          description: The ARN of the S3 bucket
+                          type: string
+                        bufferInterval:
+                          description: Buffer incoming data for the specified period
+                            of time, in seconds, before delivering it to the destination.
+                            The default value is 300.
+                          type: number
+                        bufferSize:
+                          description: Buffer incoming data to the specified size,
+                            in MBs, before delivering it to the destination. The default
+                            value is 5. We recommend setting SizeInMBs to a value
+                            greater than the amount of data you typically ingest into
+                            the delivery stream in 10 seconds. For example, if you
+                            typically ingest data at 1 MB/sec set SizeInMBs to be
+                            10 MB or higher.
+                          type: number
+                        cloudwatchLoggingOptions:
+                          description: The CloudWatch Logging Options for the delivery
+                            stream. More details are given below
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              logGroupName:
+                                description: The CloudWatch group name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                              logStreamName:
+                                description: The CloudWatch log stream name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                            type: object
+                          type: array
+                        compressionFormat:
+                          description: The compression format. If no value is specified,
+                            the default is UNCOMPRESSED. Other supported values are
+                            GZIP, ZIP, Snappy, & HADOOP_SNAPPY.
+                          type: string
+                        errorOutputPrefix:
+                          description: Prefix added to failed records before writing
+                            them to S3. Not currently supported for redshift destination.
+                            This prefix appears immediately following the bucket name.
+                            For information about how to specify this prefix, see
+                            Custom Prefixes for Amazon S3 Objects.
+                          type: string
+                        kmsKeyArn:
+                          description: Specifies the KMS key ARN the stream will use
+                            to encrypt data. If not set, no encryption will be used.
+                          type: string
+                        prefix:
+                          description: The "YYYY/MM/DD/HH" time format prefix is automatically
+                            used for delivered S3 files. You can specify an extra
+                            prefix to be added in front of the time format prefix.
+                            Note that if the prefix ends with a slash, it appears
+                            as a folder in the S3 bucket
+                          type: string
+                        roleArn:
+                          description: The ARN of the AWS credentials.
+                          type: string
+                      type: object
+                    type: array
+                  serverSideEncryption:
+                    description: Encrypt at rest options. Server-side encryption should
+                      not be enabled when a kinesis stream is configured as the source
+                      of the firehose delivery stream.
+                    items:
+                      properties:
+                        enabled:
+                          description: Enables or disables the logging. Defaults to
+                            false.
+                          type: boolean
+                        keyArn:
+                          description: Amazon Resource Name (ARN) of the encryption
+                            key. Required when key_type is CUSTOMER_MANAGED_CMK.
+                          type: string
+                        keyType:
+                          description: Type of encryption key. Default is AWS_OWNED_CMK.
+                            Valid values are AWS_OWNED_CMK and CUSTOMER_MANAGED_CMK
+                          type: string
+                      type: object
+                    type: array
+                  splunkConfiguration:
+                    description: Configuration options if splunk is the destination.
+                      More details are given below.
+                    items:
+                      properties:
+                        cloudwatchLoggingOptions:
+                          description: The CloudWatch Logging Options for the delivery
+                            stream. More details are given below
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              logGroupName:
+                                description: The CloudWatch group name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                              logStreamName:
+                                description: The CloudWatch log stream name for logging.
+                                  This value is required if enabled is true.
+                                type: string
+                            type: object
+                          type: array
+                        hecAcknowledgmentTimeout:
+                          description: The amount of time, in seconds between 180
+                            and 600, that Kinesis Firehose waits to receive an acknowledgment
+                            from Splunk after it sends it data.
+                          type: number
+                        hecEndpoint:
+                          description: The HTTP Event Collector (HEC) endpoint to
+                            which Kinesis Firehose sends your data.
+                          type: string
+                        hecEndpointType:
+                          description: The HEC endpoint type. Valid values are Raw
+                            or Event. The default value is Raw.
+                          type: string
+                        hecToken:
+                          description: The GUID that you obtain from your Splunk cluster
+                            when you create a new HEC endpoint.
+                          type: string
+                        processingConfiguration:
+                          description: The data processing configuration.  More details
+                            are given below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Enables or disables the logging. Defaults
+                                  to false.
+                                type: boolean
+                              processors:
+                                description: Array of data processors. More details
+                                  are given below
+                                items:
+                                  properties:
+                                    parameters:
+                                      description: Array of processor parameters.
+                                        More details are given below
+                                      items:
+                                        properties:
+                                          parameterName:
+                                            description: 'Parameter name. Valid Values:
+                                              LambdaArn, NumberOfRetries, MetadataExtractionQuery,
+                                              JsonParsingEngine, RoleArn, BufferSizeInMBs,
+                                              BufferIntervalInSeconds, SubRecordType,
+                                              Delimiter. Validation is done against
+                                              AWS SDK constants; so that values not
+                                              explicitly listed may also work.'
+                                            type: string
+                                          parameterValue:
+                                            description: Parameter value. Must be
+                                              between 1 and 512 length (inclusive).
+                                              When providing a Lambda ARN, you should
+                                              specify the resource version as well.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    type:
+                                      description: 'The type of processor. Valid Values:
+                                        RecordDeAggregation, Lambda, MetadataExtraction,
+                                        AppendDelimiterToRecord. Validation is done
+                                        against AWS SDK constants; so that values
+                                        not explicitly listed may also work.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        retryDuration:
+                          description: The length of time during which Firehose retries
+                            delivery after a failure, starting from the initial request
+                            and including the first attempt. The default value is
+                            3600 seconds (60 minutes). Firehose does not retry if
+                            the value of DurationInSeconds is 0 (zero) or if the first
+                            delivery attempt takes longer than the current value.
+                          type: number
+                        s3BackupMode:
+                          description: The Amazon S3 backup mode.  Valid values are
+                            Disabled and Enabled.  Default value is Disabled.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: A map of tags assigned to the resource, including
+                      those inherited from the provider default_tags configuration
+                      block.
+                    type: object
+                  versionId:
+                    description: Specifies the table version for the output data schema.
+                      Defaults to LATEST.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/fis.aws.upbound.io_experimenttemplates.yaml b/package/crds/fis.aws.upbound.io_experimenttemplates.yaml
index fd2caa9beb..e0fbcf8daa 100644
--- a/package/crds/fis.aws.upbound.io_experimenttemplates.yaml
+++ b/package/crds/fis.aws.upbound.io_experimenttemplates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -295,11 +299,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - action
-                - description
                 - region
-                - stopCondition
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -471,18 +487,157 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: action is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: stopCondition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.stopCondition)
           status:
             description: ExperimentTemplateStatus defines the observed state of ExperimentTemplate.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: Action to be performed during an experiment. See
+                      below.
+                    items:
+                      properties:
+                        actionId:
+                          description: ID of the action. To find out what actions
+                            are supported see AWS FIS actions reference.
+                          type: string
+                        description:
+                          description: Description of the action.
+                          type: string
+                        name:
+                          description: Friendly name of the action.
+                          type: string
+                        parameter:
+                          description: Parameter(s) for the action, if applicable.
+                            See below.
+                          items:
+                            properties:
+                              key:
+                                description: Parameter name.
+                                type: string
+                              value:
+                                description: Parameter value.
+                                type: string
+                            type: object
+                          type: array
+                        startAfter:
+                          description: Set of action names that must complete before
+                            this action can be executed.
+                          items:
+                            type: string
+                          type: array
+                        target:
+                          description: Action's target, if applicable. See below.
+                          items:
+                            properties:
+                              key:
+                                description: Tag key.
+                                type: string
+                              value:
+                                description: Target name, referencing a corresponding
+                                  target.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  description:
+                    description: Description for the experiment template.
+                    type: string
                   id:
                     description: Experiment Template ID.
                     type: string
+                  roleArn:
+                    description: ARN of an IAM role that grants the AWS FIS service
+                      permission to perform service actions on your behalf.
+                    type: string
+                  stopCondition:
+                    description: When an ongoing experiment should be stopped. See
+                      below.
+                    items:
+                      properties:
+                        source:
+                          description: Source of the condition. One of none, aws:cloudwatch:alarm.
+                          type: string
+                        value:
+                          description: ARN of the CloudWatch alarm. Required if the
+                            source is a CloudWatch alarm.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  target:
+                    description: Target of an action. See below.
+                    items:
+                      properties:
+                        filter:
+                          description: Filter(s) for the target. Filters can be used
+                            to select resources based on specific attributes returned
+                            by the respective describe action of the resource type.
+                            For more information, see Targets for AWS FIS. See below.
+                          items:
+                            properties:
+                              path:
+                                description: Attribute path for the filter.
+                                type: string
+                              values:
+                                description: Set of attribute values for the filter.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        name:
+                          description: Friendly name given to the target.
+                          type: string
+                        resourceArns:
+                          description: Set of ARNs of the resources to target with
+                            an action. Conflicts with resource_tag.
+                          items:
+                            type: string
+                          type: array
+                        resourceTag:
+                          description: Tag(s) the resources need to have to be considered
+                            a valid target for an action. Conflicts with resource_arns.
+                            See below.
+                          items:
+                            properties:
+                              key:
+                                description: Tag key.
+                                type: string
+                              value:
+                                description: Tag value.
+                                type: string
+                            type: object
+                          type: array
+                        resourceType:
+                          description: AWS resource type. The resource type must be
+                            supported for the specified action. To find out what resource
+                            types are supported, see Targets for AWS FIS.
+                          type: string
+                        selectionMode:
+                          description: Scopes the identified resources. Valid values
+                            are ALL (all identified resources), COUNT(n) (randomly
+                            select n of the identified resources), PERCENT(n) (randomly
+                            select n percent of the identified resources).
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/fsx.aws.upbound.io_backups.yaml b/package/crds/fsx.aws.upbound.io_backups.yaml
index d039a0004f..87d7b785bb 100644
--- a/package/crds/fsx.aws.upbound.io_backups.yaml
+++ b/package/crds/fsx.aws.upbound.io_backups.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,6 +162,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,6 +356,10 @@ spec:
                   arn:
                     description: Amazon Resource Name of the backup.
                     type: string
+                  fileSystemId:
+                    description: The ID of the file system to back up. Required if
+                      backing up Lustre or Windows file systems.
+                    type: string
                   id:
                     description: Identifier of the backup, e.g., fs-12345678
                     type: string
@@ -348,6 +371,11 @@ spec:
                   ownerId:
                     description: AWS account identifier that created the file system.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -358,6 +386,10 @@ spec:
                   type:
                     description: The type of the file system backup.
                     type: string
+                  volumeId:
+                    description: The ID of the volume to back up. Required if backing
+                      up a ONTAP Volume.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/fsx.aws.upbound.io_datarepositoryassociations.yaml b/package/crds/fsx.aws.upbound.io_datarepositoryassociations.yaml
index 4bf10cd3f1..9ef652adb9 100644
--- a/package/crds/fsx.aws.upbound.io_datarepositoryassociations.yaml
+++ b/package/crds/fsx.aws.upbound.io_datarepositoryassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -237,10 +241,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - dataRepositoryPath
-                - fileSystemPath
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -412,6 +429,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dataRepositoryPath is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataRepositoryPath)
+            - message: fileSystemPath is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fileSystemPath)
           status:
             description: DataRepositoryAssociationStatus defines the observed state
               of DataRepositoryAssociation.
@@ -425,10 +447,102 @@ spec:
                     description: Identifier of the data repository association, e.g.,
                       dra-12345678
                     type: string
+                  batchImportMetaDataOnCreate:
+                    description: Set to true to run an import data repository task
+                      to import metadata from the data repository to the file system
+                      after the data repository association is created. Defaults to
+                      false.
+                    type: boolean
+                  dataRepositoryPath:
+                    description: The path to the Amazon S3 data repository that will
+                      be linked to the file system. The path must be an S3 bucket
+                      s3://myBucket/myPrefix/. This path specifies where in the S3
+                      data repository files will be imported from or exported to.
+                      The same S3 bucket cannot be linked more than once to the same
+                      file system.
+                    type: string
+                  deleteDataInFilesystem:
+                    description: Set to true to delete files from the file system
+                      upon deleting this data repository association. Defaults to
+                      false.
+                    type: boolean
+                  fileSystemId:
+                    description: The ID of the Amazon FSx file system to on which
+                      to create a data repository association.
+                    type: string
+                  fileSystemPath:
+                    description: A path on the file system that points to a high-level
+                      directory (such as /ns1/) or subdirectory (such as /ns1/subdir/)
+                      that will be mapped 1-1 with data_repository_path. The leading
+                      forward slash in the name is required. Two data repository associations
+                      cannot have overlapping file system paths. For example, if a
+                      data repository is associated with file system path /ns1/, then
+                      you cannot link another data repository with file system path
+                      /ns1/ns2. This path specifies where in your file system files
+                      will be exported from or imported to. This file system directory
+                      can be linked to only one Amazon S3 bucket, and no other S3
+                      bucket can be linked to the directory.
+                    type: string
                   id:
                     description: Identifier of the data repository association, e.g.,
                       dra-12345678
                     type: string
+                  importedFileChunkSize:
+                    description: For files imported from a data repository, this value
+                      determines the stripe count and maximum amount of data per file
+                      (in MiB) stored on a single physical disk. The maximum number
+                      of disks that a single file can be striped across is limited
+                      by the total number of disks that make up the file system.
+                    type: number
+                  s3:
+                    description: See the s3 configuration block. Max of 1. The configuration
+                      for an Amazon S3 data repository linked to an Amazon FSx Lustre
+                      file system with a data repository association. The configuration
+                      defines which file events (new, changed, or deleted files or
+                      directories) are automatically imported from the linked data
+                      repository to the file system or automatically exported from
+                      the file system to the data repository.
+                    items:
+                      properties:
+                        autoExportPolicy:
+                          description: Specifies the type of updated objects that
+                            will be automatically exported from your file system to
+                            the linked S3 bucket. See the events configuration block.
+                          items:
+                            properties:
+                              events:
+                                description: A list of file event types to automatically
+                                  export to your linked S3 bucket or import from the
+                                  linked S3 bucket. Valid values are NEW, CHANGED,
+                                  DELETED. Max of 3.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        autoImportPolicy:
+                          description: Specifies the type of updated objects that
+                            will be automatically imported from the linked S3 bucket
+                            to your file system. See the events configuration block.
+                          items:
+                            properties:
+                              events:
+                                description: A list of file event types to automatically
+                                  export to your linked S3 bucket or import from the
+                                  linked S3 bucket. Valid values are NEW, CHANGED,
+                                  DELETED. Max of 3.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/fsx.aws.upbound.io_lustrefilesystems.yaml b/package/crds/fsx.aws.upbound.io_lustrefilesystems.yaml
index 83733101e0..e8cd9aed78 100644
--- a/package/crds/fsx.aws.upbound.io_lustrefilesystems.yaml
+++ b/package/crds/fsx.aws.upbound.io_lustrefilesystems.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -442,6 +446,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -621,12 +640,110 @@ spec:
                   arn:
                     description: Amazon Resource Name of the file system.
                     type: string
+                  autoImportPolicy:
+                    description: How Amazon FSx keeps your file and directory listings
+                      up to date as you add or modify objects in your linked S3 bucket.
+                      see Auto Import Data Repo for more details. Only supported on
+                      PERSISTENT_1 deployment types.
+                    type: string
+                  automaticBackupRetentionDays:
+                    description: The number of days to retain automatic backups. Setting
+                      this to 0 disables automatic backups. You can retain automatic
+                      backups for a maximum of 90 days. only valid for PERSISTENT_1
+                      and PERSISTENT_2 deployment_type.
+                    type: number
+                  backupId:
+                    description: The ID of the source backup to create the filesystem
+                      from.
+                    type: string
+                  copyTagsToBackups:
+                    description: A boolean flag indicating whether tags for the file
+                      system should be copied to backups. Applicable for PERSISTENT_1
+                      and PERSISTENT_2 deployment_type. The default value is false.
+                    type: boolean
+                  dailyAutomaticBackupStartTime:
+                    description: A recurring daily time, in the format HH:MM. HH is
+                      the zero-padded hour of the day (0-23), and MM is the zero-padded
+                      minute of the hour. For example, 05:00 specifies 5 AM daily.
+                      only valid for PERSISTENT_1 and PERSISTENT_2 deployment_type.
+                      Requires automatic_backup_retention_days to be set.
+                    type: string
+                  dataCompressionType:
+                    description: Sets the data compression configuration for the file
+                      system. Valid values are LZ4 and NONE. Default value is NONE.
+                      Unsetting this value reverts the compression type back to NONE.
+                    type: string
+                  deploymentType:
+                    description: '- The filesystem deployment type. One of: SCRATCH_1,
+                      SCRATCH_2, PERSISTENT_1, PERSISTENT_2.'
+                    type: string
                   dnsName:
                     description: DNS name for the file system, e.g., fs-12345678.fsx.us-west-2.amazonaws.com
                     type: string
+                  driveCacheType:
+                    description: '- The type of drive cache used by PERSISTENT_1 filesystems
+                      that are provisioned with HDD storage_type. Required for HDD
+                      storage_type, set to either READ or NONE.'
+                    type: string
+                  exportPath:
+                    description: S3 URI (with optional prefix) where the root of your
+                      Amazon FSx file system is exported. Can only be specified with
+                      import_path argument and the path must use the same Amazon S3
+                      bucket as specified in import_path. Set equal to import_path
+                      to overwrite files on export. Defaults to s3://{IMPORT BUCKET}/FSxLustre{CREATION
+                      TIMESTAMP}. Only supported on PERSISTENT_1 deployment types.
+                    type: string
+                  fileSystemTypeVersion:
+                    description: Sets the Lustre version for the file system that
+                      you're creating. Valid values are 2.10 for SCRATCH_1, SCRATCH_2
+                      and PERSISTENT_1 deployment types. Valid values for 2.12 include
+                      all deployment types.
+                    type: string
                   id:
                     description: Identifier of the file system, e.g., fs-12345678
                     type: string
+                  importPath:
+                    description: S3 URI (with optional prefix) that you're using as
+                      the data repository for your FSx for Lustre file system. For
+                      example, s3://example-bucket/optional-prefix/. Only supported
+                      on PERSISTENT_1 deployment types.
+                    type: string
+                  importedFileChunkSize:
+                    description: For files imported from a data repository, this value
+                      determines the stripe count and maximum amount of data per file
+                      (in MiB) stored on a single physical disk. Can only be specified
+                      with import_path argument. Defaults to 1024. Minimum of 1 and
+                      maximum of 512000. Only supported on PERSISTENT_1 deployment
+                      types.
+                    type: number
+                  kmsKeyId:
+                    description: ARN for the KMS Key to encrypt the file system at
+                      rest, applicable for PERSISTENT_1 and PERSISTENT_2 deployment_type.
+                      Defaults to an AWS managed KMS Key.
+                    type: string
+                  logConfiguration:
+                    description: The Lustre logging configuration used when creating
+                      an Amazon FSx for Lustre file system. When logging is enabled,
+                      Lustre logs error and warning events for data repositories associated
+                      with your file system to Amazon CloudWatch Logs.
+                    items:
+                      properties:
+                        destination:
+                          description: The Amazon Resource Name (ARN) that specifies
+                            the destination of the logs. The name of the Amazon CloudWatch
+                            Logs log group must begin with the /aws/fsx prefix. If
+                            you do not provide a destination, Amazon FSx will create
+                            and use a log stream in the CloudWatch Logs /aws/fsx/lustre
+                            log group.
+                          type: string
+                        level:
+                          description: Sets which data repository events are logged
+                            by Amazon FSx. Valid values are WARN_ONLY, FAILURE_ONLY,
+                            ERROR_ONLY, WARN_ERROR and DISABLED. Default value is
+                            DISABLED.
+                          type: string
+                      type: object
+                    type: array
                   mountName:
                     description: The value to be used when mounting the filesystem.
                     type: string
@@ -641,6 +758,48 @@ spec:
                   ownerId:
                     description: AWS account identifier that created the file system.
                     type: string
+                  perUnitStorageThroughput:
+                    description: '- Describes the amount of read and write throughput
+                      for each 1 tebibyte of storage, in MB/s/TiB, required for the
+                      PERSISTENT_1 and PERSISTENT_2 deployment_type. Valid values
+                      for PERSISTENT_1 deployment_type and SSD storage_type are 50,
+                      100, 200. Valid values for PERSISTENT_1 deployment_type and
+                      HDD storage_type are 12, 40. Valid values for PERSISTENT_2 deployment_type
+                      and  SSD storage_type are 125, 250, 500, 1000.'
+                    type: number
+                  securityGroupIds:
+                    description: A list of IDs for the security groups that apply
+                      to the specified network interfaces created for file system
+                      access. These security groups will apply to all network interfaces.
+                    items:
+                      type: string
+                    type: array
+                  storageCapacity:
+                    description: The storage capacity (GiB) of the file system. Minimum
+                      of 1200. See more details at Allowed values for Fsx storage
+                      capacity. Update is allowed only for SCRATCH_2, PERSISTENT_1
+                      and PERSISTENT_2 deployment types, See more details at Fsx Storage
+                      Capacity Update. Required when not creating filesystem for a
+                      backup.
+                    type: number
+                  storageType:
+                    description: '- The filesystem storage type. Either SSD or HDD,
+                      defaults to SSD. HDD is only supported on PERSISTENT_1 deployment
+                      types.'
+                    type: string
+                  subnetIds:
+                    description: A list of IDs for the subnets that the file system
+                      will be accessible from. File systems currently support only
+                      one subnet. The file server is also launched in that subnet's
+                      Availability Zone.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -652,6 +811,10 @@ spec:
                     description: Identifier of the Virtual Private Cloud for the file
                       system.
                     type: string
+                  weeklyMaintenanceStartTime:
+                    description: The preferred start time (in d:HH:MM format) to perform
+                      weekly maintenance, in the UTC time zone.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/fsx.aws.upbound.io_ontapfilesystems.yaml b/package/crds/fsx.aws.upbound.io_ontapfilesystems.yaml
index 6f7304b78c..3d9d0c53b2 100644
--- a/package/crds/fsx.aws.upbound.io_ontapfilesystems.yaml
+++ b/package/crds/fsx.aws.upbound.io_ontapfilesystems.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -476,10 +480,23 @@ spec:
                       weekly maintenance, in the UTC time zone.
                     type: string
                 required:
-                - deploymentType
                 - region
-                - throughputCapacity
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -651,6 +668,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: deploymentType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.deploymentType)
+            - message: throughputCapacity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.throughputCapacity)
           status:
             description: OntapFileSystemStatus defines the observed state of OntapFileSystem.
             properties:
@@ -659,9 +681,46 @@ spec:
                   arn:
                     description: Amazon Resource Name of the file system.
                     type: string
+                  automaticBackupRetentionDays:
+                    description: The number of days to retain automatic backups. Setting
+                      this to 0 disables automatic backups. You can retain automatic
+                      backups for a maximum of 90 days.
+                    type: number
+                  dailyAutomaticBackupStartTime:
+                    description: A recurring daily time, in the format HH:MM. HH is
+                      the zero-padded hour of the day (0-23), and MM is the zero-padded
+                      minute of the hour. For example, 05:00 specifies 5 AM daily.
+                      Requires automatic_backup_retention_days to be set.
+                    type: string
+                  deploymentType:
+                    description: '- The filesystem deployment type. Supports MULTI_AZ_1
+                      and SINGLE_AZ_1.'
+                    type: string
+                  diskIopsConfiguration:
+                    description: The SSD IOPS configuration for the Amazon FSx for
+                      NetApp ONTAP file system. See Disk Iops Configuration Below.
+                    items:
+                      properties:
+                        iops:
+                          description: '- The total number of SSD IOPS provisioned
+                            for the file system.'
+                          type: number
+                        mode:
+                          description: '- Specifies whether the number of IOPS for
+                            the file system is using the system. Valid values are
+                            AUTOMATIC and USER_PROVISIONED. Default value is AUTOMATIC.'
+                          type: string
+                      type: object
+                    type: array
                   dnsName:
                     description: DNS name for the file system, e.g., fs-12345678.fsx.us-west-2.amazonaws.com
                     type: string
+                  endpointIpAddressRange:
+                    description: Specifies the IP address range in which the endpoints
+                      to access your file system will be created. By default, Amazon
+                      FSx selects an unused IP address range for you from the 198.19.*
+                      range.
+                    type: string
                   endpoints:
                     description: The endpoints that are used to access data or to
                       manage the file system using the NetApp ONTAP CLI, REST API,
@@ -704,6 +763,10 @@ spec:
                   id:
                     description: Identifier of the file system, e.g., fs-12345678
                     type: string
+                  kmsKeyId:
+                    description: ARN for the KMS Key to encrypt the file system at
+                      rest, Defaults to an AWS managed KMS Key.
+                    type: string
                   networkInterfaceIds:
                     description: Set of Elastic Network Interface identifiers from
                       which the file system is accessible The first network interface
@@ -714,6 +777,44 @@ spec:
                   ownerId:
                     description: AWS account identifier that created the file system.
                     type: string
+                  preferredSubnetId:
+                    description: The ID for a subnet. A subnet is a range of IP addresses
+                      in your virtual private cloud (VPC).
+                    type: string
+                  routeTableIds:
+                    description: Specifies the VPC route tables in which your file
+                      system's endpoints will be created. You should specify all VPC
+                      route tables associated with the subnets in which your clients
+                      are located. By default, Amazon FSx selects your VPC's default
+                      route table.
+                    items:
+                      type: string
+                    type: array
+                  securityGroupIds:
+                    description: A list of IDs for the security groups that apply
+                      to the specified network interfaces created for file system
+                      access. These security groups will apply to all network interfaces.
+                    items:
+                      type: string
+                    type: array
+                  storageCapacity:
+                    description: The storage capacity (GiB) of the file system. Valid
+                      values between 1024 and 196608.
+                    type: number
+                  storageType:
+                    description: '- The filesystem storage type. defaults to SSD.'
+                    type: string
+                  subnetIds:
+                    description: A list of IDs for the subnets that the file system
+                      will be accessible from. Upto 2 subnets can be provided.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -721,10 +822,19 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  throughputCapacity:
+                    description: Sets the throughput capacity (in MBps) for the file
+                      system that you're creating. Valid values are 128, 256, 512,
+                      1024, and 2048.
+                    type: number
                   vpcId:
                     description: Identifier of the Virtual Private Cloud for the file
                       system.
                     type: string
+                  weeklyMaintenanceStartTime:
+                    description: The preferred start time (in d:HH:MM format) to perform
+                      weekly maintenance, in the UTC time zone.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/fsx.aws.upbound.io_ontapstoragevirtualmachines.yaml b/package/crds/fsx.aws.upbound.io_ontapstoragevirtualmachines.yaml
index 0f35dd8ef2..db50d1c073 100644
--- a/package/crds/fsx.aws.upbound.io_ontapstoragevirtualmachines.yaml
+++ b/package/crds/fsx.aws.upbound.io_ontapstoragevirtualmachines.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -260,9 +264,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -434,12 +452,69 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: OntapStorageVirtualMachineStatus defines the observed state
               of OntapStorageVirtualMachine.
             properties:
               atProvider:
                 properties:
+                  activeDirectoryConfiguration:
+                    description: Configuration block that Amazon FSx uses to join
+                      the FSx ONTAP Storage Virtual Machine(SVM) to your Microsoft
+                      Active Directory (AD) directory. Detailed below.
+                    items:
+                      properties:
+                        netbiosName:
+                          description: The NetBIOS name of the Active Directory computer
+                            object that will be created for your SVM. This is often
+                            the same as the SVM name but can be different. AWS limits
+                            to 15 characters because of standard NetBIOS naming limits.
+                          type: string
+                        selfManagedActiveDirectoryConfiguration:
+                          description: Configuration block that Amazon FSx uses to
+                            join the FSx ONTAP Storage Virtual Machine(SVM) to your
+                            Microsoft Active Directory (AD) directory. Detailed below.
+                          items:
+                            properties:
+                              dnsIps:
+                                description: A list of up to three IP addresses of
+                                  DNS servers or domain controllers in the self-managed
+                                  AD directory.
+                                items:
+                                  type: string
+                                type: array
+                              domainName:
+                                description: The fully qualified domain name of the
+                                  self-managed AD directory. For example, corp.example.com.
+                                type: string
+                              fileSystemAdministratorsGroup:
+                                description: The name of the domain group whose members
+                                  are granted administrative privileges for the SVM.
+                                  The group that you specify must already exist in
+                                  your domain. Defaults to Domain Admins.
+                                type: string
+                              organizationalUnitDistinguishedName:
+                                description: The fully qualified distinguished name
+                                  of the organizational unit within your self-managed
+                                  AD directory that the Windows File Server instance
+                                  will join. For example, OU=FSx,DC=yourdomain,DC=corp,DC=com.
+                                  Only accepts OU as the direct parent of the SVM.
+                                  If none is provided, the SVM is created in the default
+                                  location of your self-managed AD directory. To learn
+                                  more, see RFC 2253.
+                                type: string
+                              username:
+                                description: The user name for the service account
+                                  on your self-managed AD domain that Amazon FSx will
+                                  use to join to your AD domain.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   arn:
                     description: Amazon Resource Name of the storage virtual machine.
                     type: string
@@ -524,13 +599,32 @@ spec:
                           type: array
                       type: object
                     type: array
+                  fileSystemId:
+                    description: The ID of the Amazon FSx ONTAP File System that this
+                      SVM will be created on.
+                    type: string
                   id:
                     description: Identifier of the storage virtual machine, e.g.,
                       svm-12345678
                     type: string
+                  name:
+                    description: The name of the SVM. You can use a maximum of 47
+                      alphanumeric characters, plus the underscore (_) special character.
+                    type: string
+                  rootVolumeSecurityStyle:
+                    description: Specifies the root volume security style, Valid values
+                      are UNIX, NTFS, and MIXED. All volumes created under this SVM
+                      will inherit the root security style unless the security style
+                      is specified on the volume. Default value is UNIX.
+                    type: string
                   subtype:
                     description: Describes the SVM's subtype, e.g. DEFAULT
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/fsx.aws.upbound.io_windowsfilesystems.yaml b/package/crds/fsx.aws.upbound.io_windowsfilesystems.yaml
index 089a394308..855396a31d 100644
--- a/package/crds/fsx.aws.upbound.io_windowsfilesystems.yaml
+++ b/package/crds/fsx.aws.upbound.io_windowsfilesystems.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -560,8 +564,22 @@ spec:
                     type: string
                 required:
                 - region
-                - throughputCapacity
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -733,14 +751,85 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: throughputCapacity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.throughputCapacity)
           status:
             description: WindowsFileSystemStatus defines the observed state of WindowsFileSystem.
             properties:
               atProvider:
                 properties:
+                  activeDirectoryId:
+                    description: The ID for an existing Microsoft Active Directory
+                      instance that the file system should join when it's created.
+                      Cannot be specified with self_managed_active_directory.
+                    type: string
+                  aliases:
+                    description: An array DNS alias names that you want to associate
+                      with the Amazon FSx file system.  For more information, see
+                      Working with DNS Aliases
+                    items:
+                      type: string
+                    type: array
                   arn:
                     description: Amazon Resource Name of the file system.
                     type: string
+                  auditLogConfiguration:
+                    description: The configuration that Amazon FSx for Windows File
+                      Server uses to audit and log user accesses of files, folders,
+                      and file shares on the Amazon FSx for Windows File Server file
+                      system. See below.
+                    items:
+                      properties:
+                        auditLogDestination:
+                          description: The Amazon Resource Name (ARN) for the destination
+                            of the audit logs. The destination can be any Amazon CloudWatch
+                            Logs log group ARN or Amazon Kinesis Data Firehose delivery
+                            stream ARN. Can be specified when file_access_audit_log_level
+                            and file_share_access_audit_log_level are not set to DISABLED.
+                            The name of the Amazon CloudWatch Logs log group must
+                            begin with the /aws/fsx prefix. The name of the Amazon
+                            Kinesis Data Firehouse delivery stream must begin with
+                            the aws-fsx prefix. If you do not provide a destination
+                            in audit_log_destionation, Amazon FSx will create and
+                            use a log stream in the CloudWatch Logs /aws/fsx/windows
+                            log group.
+                          type: string
+                        fileAccessAuditLogLevel:
+                          description: Sets which attempt type is logged by Amazon
+                            FSx for file and folder accesses. Valid values are SUCCESS_ONLY,
+                            FAILURE_ONLY, SUCCESS_AND_FAILURE, and DISABLED. Default
+                            value is DISABLED.
+                          type: string
+                        fileShareAccessAuditLogLevel:
+                          description: Sets which attempt type is logged by Amazon
+                            FSx for file share accesses. Valid values are SUCCESS_ONLY,
+                            FAILURE_ONLY, SUCCESS_AND_FAILURE, and DISABLED. Default
+                            value is DISABLED.
+                          type: string
+                      type: object
+                    type: array
+                  automaticBackupRetentionDays:
+                    description: The number of days to retain automatic backups. Minimum
+                      of 0 and maximum of 90. Defaults to 7. Set to 0 to disable.
+                    type: number
+                  backupId:
+                    description: The ID of the source backup to create the filesystem
+                      from.
+                    type: string
+                  copyTagsToBackups:
+                    description: A boolean flag indicating whether tags on the file
+                      system should be copied to backups. Defaults to false.
+                    type: boolean
+                  dailyAutomaticBackupStartTime:
+                    description: The preferred time (in HH:MM format) to take daily
+                      automatic backups, in the UTC time zone.
+                    type: string
+                  deploymentType:
+                    description: Specifies the file system deployment type, valid
+                      values are MULTI_AZ_1, SINGLE_AZ_1 and SINGLE_AZ_2. Default
+                      value is SINGLE_AZ_1.
+                    type: string
                   dnsName:
                     description: DNS name for the file system, e.g., fs-12345678.corp.example.com
                       (domain name matching the Active Directory domain name)
@@ -748,6 +837,10 @@ spec:
                   id:
                     description: Identifier of the file system, e.g., fs-12345678
                     type: string
+                  kmsKeyId:
+                    description: ARN for the KMS Key to encrypt the file system at
+                      rest. Defaults to an AWS managed KMS Key.
+                    type: string
                   networkInterfaceIds:
                     description: Set of Elastic Network Interface identifiers from
                       which the file system is accessible.
@@ -761,12 +854,98 @@ spec:
                     description: The IP address of the primary, or preferred, file
                       server.
                     type: string
+                  preferredSubnetId:
+                    description: Specifies the subnet in which you want the preferred
+                      file server to be located. Required for when deployment type
+                      is MULTI_AZ_1.
+                    type: string
                   remoteAdministrationEndpoint:
                     description: For MULTI_AZ_1 deployment types, use this endpoint
                       when performing administrative tasks on the file system using
                       Amazon FSx Remote PowerShell. For SINGLE_AZ_1 deployment types,
                       this is the DNS name of the file system.
                     type: string
+                  securityGroupIds:
+                    description: A list of IDs for the security groups that apply
+                      to the specified network interfaces created for file system
+                      access. These security groups will apply to all network interfaces.
+                    items:
+                      type: string
+                    type: array
+                  selfManagedActiveDirectory:
+                    description: Configuration block that Amazon FSx uses to join
+                      the Windows File Server instance to your self-managed (including
+                      on-premises) Microsoft Active Directory (AD) directory. Cannot
+                      be specified with active_directory_id. Detailed below.
+                    items:
+                      properties:
+                        dnsIps:
+                          description: A list of up to two IP addresses of DNS servers
+                            or domain controllers in the self-managed AD directory.
+                            The IP addresses need to be either in the same VPC CIDR
+                            range as the file system or in the private IP version
+                            4 (IPv4) address ranges as specified in RFC 1918.
+                          items:
+                            type: string
+                          type: array
+                        domainName:
+                          description: The fully qualified domain name of the self-managed
+                            AD directory. For example, corp.example.com.
+                          type: string
+                        fileSystemAdministratorsGroup:
+                          description: The name of the domain group whose members
+                            are granted administrative privileges for the file system.
+                            Administrative privileges include taking ownership of
+                            files and folders, and setting audit controls (audit ACLs)
+                            on files and folders. The group that you specify must
+                            already exist in your domain. Defaults to Domain Admins.
+                          type: string
+                        organizationalUnitDistinguishedName:
+                          description: The fully qualified distinguished name of the
+                            organizational unit within your self-managed AD directory
+                            that the Windows File Server instance will join. For example,
+                            OU=FSx,DC=yourdomain,DC=corp,DC=com. Only accepts OU as
+                            the direct parent of the file system. If none is provided,
+                            the FSx file system is created in the default location
+                            of your self-managed AD directory. To learn more, see
+                            RFC 2253.
+                          type: string
+                        username:
+                          description: The user name for the service account on your
+                            self-managed AD domain that Amazon FSx will use to join
+                            to your AD domain.
+                          type: string
+                      type: object
+                    type: array
+                  skipFinalBackup:
+                    description: When enabled, will skip the default final backup
+                      taken when the file system is deleted. This configuration must
+                      be applied separately before attempting to delete the resource
+                      to have the desired behavior. Defaults to false.
+                    type: boolean
+                  storageCapacity:
+                    description: Storage capacity (GiB) of the file system. Minimum
+                      of 32 and maximum of 65536. If the storage type is set to HDD
+                      the minimum value is 2000. Required when not creating filesystem
+                      for a backup.
+                    type: number
+                  storageType:
+                    description: Specifies the storage type, Valid values are SSD
+                      and HDD. HDD is supported on SINGLE_AZ_2 and MULTI_AZ_1 Windows
+                      file system deployment types. Default value is SSD.
+                    type: string
+                  subnetIds:
+                    description: A list of IDs for the subnets that the file system
+                      will be accessible from. To specify more than a single subnet
+                      set deployment_type to MULTI_AZ_1.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -774,10 +953,18 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  throughputCapacity:
+                    description: Throughput (megabytes per second) of the file system
+                      in power of 2 increments. Minimum of 8 and maximum of 2048.
+                    type: number
                   vpcId:
                     description: Identifier of the Virtual Private Cloud for the file
                       system.
                     type: string
+                  weeklyMaintenanceStartTime:
+                    description: The preferred start time (in d:HH:MM format) to perform
+                      weekly maintenance, in the UTC time zone.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/gamelift.aws.upbound.io_aliases.yaml b/package/crds/gamelift.aws.upbound.io_aliases.yaml
index e0254624d6..ff3fce36e5 100644
--- a/package/crds/gamelift.aws.upbound.io_aliases.yaml
+++ b/package/crds/gamelift.aws.upbound.io_aliases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -100,10 +104,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - routingStrategy
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -275,6 +292,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: routingStrategy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.routingStrategy)
           status:
             description: AliasStatus defines the observed state of Alias.
             properties:
@@ -283,9 +305,38 @@ spec:
                   arn:
                     description: Alias ARN.
                     type: string
+                  description:
+                    description: Description of the alias.
+                    type: string
                   id:
                     description: Alias ID.
                     type: string
+                  name:
+                    description: Name of the alias.
+                    type: string
+                  routingStrategy:
+                    description: Specifies the fleet and/or routing type to use for
+                      the alias.
+                    items:
+                      properties:
+                        fleetId:
+                          description: ID of the GameLift Fleet to point the alias
+                            to.
+                          type: string
+                        message:
+                          description: Message text to be used with the TERMINAL routing
+                            strategy.
+                          type: string
+                        type:
+                          description: Type of routing strategyE.g., SIMPLE or TERMINAL
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/gamelift.aws.upbound.io_builds.yaml b/package/crds/gamelift.aws.upbound.io_builds.yaml
index 5d4bdfa913..c70542e9bf 100644
--- a/package/crds/gamelift.aws.upbound.io_builds.yaml
+++ b/package/crds/gamelift.aws.upbound.io_builds.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -334,11 +338,23 @@ spec:
                     description: Version that is associated with this build.
                     type: string
                 required:
-                - name
-                - operatingSystem
                 - region
-                - storageLocation
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -510,6 +526,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: operatingSystem is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.operatingSystem)
+            - message: storageLocation is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageLocation)
           status:
             description: BuildStatus defines the observed state of Build.
             properties:
@@ -521,6 +544,40 @@ spec:
                   id:
                     description: GameLift Build ID.
                     type: string
+                  name:
+                    description: Name of the build
+                    type: string
+                  operatingSystem:
+                    description: Operating system that the game server binaries are
+                      built to run onE.g., WINDOWS_2012, AMAZON_LINUX or AMAZON_LINUX_2.
+                    type: string
+                  storageLocation:
+                    description: Information indicating where your game build files
+                      are stored. See below.
+                    items:
+                      properties:
+                        bucket:
+                          description: Name of your S3 bucket.
+                          type: string
+                        key:
+                          description: Name of the zip file containing your build
+                            files.
+                          type: string
+                        objectVersion:
+                          description: A specific version of the file. If not set,
+                            the latest version of the file is retrieved.
+                          type: string
+                        roleArn:
+                          description: ARN of the access role that allows Amazon GameLift
+                            to access your S3 bucket.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -528,6 +585,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  version:
+                    description: Version that is associated with this build.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/gamelift.aws.upbound.io_fleet.yaml b/package/crds/gamelift.aws.upbound.io_fleet.yaml
index 27433664f4..4d69d119b7 100644
--- a/package/crds/gamelift.aws.upbound.io_fleet.yaml
+++ b/package/crds/gamelift.aws.upbound.io_fleet.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -353,10 +357,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - ec2InstanceType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -528,6 +545,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: ec2InstanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ec2InstanceType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: FleetStatus defines the observed state of Fleet.
             properties:
@@ -539,19 +561,149 @@ spec:
                   buildArn:
                     description: Build ARN.
                     type: string
+                  buildId:
+                    description: ID of the GameLift Build to be deployed on the fleet.
+                    type: string
+                  certificateConfiguration:
+                    description: Prompts GameLift to generate a TLS/SSL certificate
+                      for the fleet. See certificate_configuration.
+                    items:
+                      properties:
+                        certificateType:
+                          description: Indicates whether a TLS/SSL certificate is
+                            generated for a fleet. Valid values are DISABLED and GENERATED.
+                            Default value is DISABLED.
+                          type: string
+                      type: object
+                    type: array
+                  description:
+                    description: Human-readable description of the fleet.
+                    type: string
+                  ec2InboundPermission:
+                    description: Range of IP addresses and port settings that permit
+                      inbound traffic to access server processes running on the fleet.
+                      See below.
+                    items:
+                      properties:
+                        fromPort:
+                          description: Starting value for a range of allowed port
+                            numbers.
+                          type: number
+                        ipRange:
+                          description: Range of allowed IP addresses expressed in
+                            CIDR notationE.g., 000.000.000.000/[subnet mask] or 0.0.0.0/[subnet
+                            mask].
+                          type: string
+                        protocol:
+                          description: Network communication protocol used by the
+                            fleetE.g., TCP or UDP
+                          type: string
+                        toPort:
+                          description: Ending value for a range of allowed port numbers.
+                            Port numbers are end-inclusive. This value must be higher
+                            than from_port.
+                          type: number
+                      type: object
+                    type: array
+                  ec2InstanceType:
+                    description: Name of an EC2 instance typeE.g., t2.micro
+                    type: string
+                  fleetType:
+                    description: Type of fleet. This value must be ON_DEMAND or SPOT.
+                      Defaults to ON_DEMAND.
+                    type: string
                   id:
                     description: Fleet ID.
                     type: string
+                  instanceRoleArn:
+                    description: ARN of an IAM role that instances in the fleet can
+                      assume.
+                    type: string
                   logPaths:
                     items:
                       type: string
                     type: array
+                  metricGroups:
+                    description: List of names of metric groups to add this fleet
+                      to. A metric group tracks metrics across all fleets in the group.
+                      Defaults to default.
+                    items:
+                      type: string
+                    type: array
+                  name:
+                    description: The name of the fleet.
+                    type: string
+                  newGameSessionProtectionPolicy:
+                    description: Game session protection policy to apply to all instances
+                      in this fleetE.g., FullProtection. Defaults to NoProtection.
+                    type: string
                   operatingSystem:
                     description: Operating system of the fleet's computing resources.
                     type: string
+                  resourceCreationLimitPolicy:
+                    description: Policy that limits the number of game sessions an
+                      individual player can create over a span of time for this fleet.
+                      See below.
+                    items:
+                      properties:
+                        newGameSessionsPerCreator:
+                          description: Maximum number of game sessions that an individual
+                            can create during the policy period.
+                          type: number
+                        policyPeriodInMinutes:
+                          description: Time span used in evaluating the resource creation
+                            limit policy.
+                          type: number
+                      type: object
+                    type: array
+                  runtimeConfiguration:
+                    description: Instructions for launching server processes on each
+                      instance in the fleet. See below.
+                    items:
+                      properties:
+                        gameSessionActivationTimeoutSeconds:
+                          description: Maximum amount of time (in seconds) that a
+                            game session can remain in status ACTIVATING.
+                          type: number
+                        maxConcurrentGameSessionActivations:
+                          description: Maximum number of game sessions with status
+                            ACTIVATING to allow on an instance simultaneously.
+                          type: number
+                        serverProcess:
+                          description: Collection of server process configurations
+                            that describe which server processes to run on each instance
+                            in a fleet. See below.
+                          items:
+                            properties:
+                              concurrentExecutions:
+                                description: Number of server processes using this
+                                  configuration to run concurrently on an instance.
+                                type: number
+                              launchPath:
+                                description: 'Location of the server executable in
+                                  a game build. All game builds are installed on instances
+                                  at the root : for Windows instances C:\game, and
+                                  for Linux instances /local/game.'
+                                type: string
+                              parameters:
+                                description: Optional list of parameters to pass to
+                                  the server executable on launch.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   scriptArn:
                     description: Script ARN.
                     type: string
+                  scriptId:
+                    description: ID of the GameLift Script to be deployed on the fleet.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/gamelift.aws.upbound.io_gamesessionqueues.yaml b/package/crds/gamelift.aws.upbound.io_gamesessionqueues.yaml
index 60527ca6e7..3746463583 100644
--- a/package/crds/gamelift.aws.upbound.io_gamesessionqueues.yaml
+++ b/package/crds/gamelift.aws.upbound.io_gamesessionqueues.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -182,6 +186,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -361,8 +380,40 @@ spec:
                   arn:
                     description: Game Session Queue ARN.
                     type: string
+                  destinations:
+                    description: List of fleet/alias ARNs used by session queue for
+                      placing game sessions.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  notificationTarget:
+                    description: An SNS topic ARN that is set up to receive game session
+                      placement notifications.
+                    type: string
+                  playerLatencyPolicy:
+                    description: One or more policies used to choose fleet based on
+                      player latency. See below.
+                    items:
+                      properties:
+                        maximumIndividualPlayerLatencyMilliseconds:
+                          description: Maximum latency value that is allowed for any
+                            player.
+                          type: number
+                        policyDurationSeconds:
+                          description: Length of time that the policy is enforced
+                            while placing a new game session. Absence of value for
+                            this attribute means that the policy is enforced until
+                            the queue times out.
+                          type: number
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -370,6 +421,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  timeoutInSeconds:
+                    description: Maximum time a game session request can remain in
+                      the queue.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/gamelift.aws.upbound.io_scripts.yaml b/package/crds/gamelift.aws.upbound.io_scripts.yaml
index 0365bd6c3e..c4fda7874e 100644
--- a/package/crds/gamelift.aws.upbound.io_scripts.yaml
+++ b/package/crds/gamelift.aws.upbound.io_scripts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -335,9 +339,23 @@ spec:
                       files. Maximum size of a zip file is 5 MB.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -509,6 +527,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ScriptStatus defines the observed state of Script.
             properties:
@@ -520,6 +541,36 @@ spec:
                   id:
                     description: GameLift Script ID.
                     type: string
+                  name:
+                    description: Name of the script
+                    type: string
+                  storageLocation:
+                    description: Information indicating where your game script files
+                      are stored. See below.
+                    items:
+                      properties:
+                        bucket:
+                          description: Name of your S3 bucket.
+                          type: string
+                        key:
+                          description: Name of the zip file containing your script
+                            files.
+                          type: string
+                        objectVersion:
+                          description: A specific version of the file. If not set,
+                            the latest version of the file is retrieved.
+                          type: string
+                        roleArn:
+                          description: ARN of the access role that allows Amazon GameLift
+                            to access your S3 bucket.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -527,6 +578,14 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  version:
+                    description: Version that is associated with this script.
+                    type: string
+                  zipFile:
+                    description: A data object containing your Realtime scripts and
+                      dependencies as a zip  file. The zip file can have one or multiple
+                      files. Maximum size of a zip file is 5 MB.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glacier.aws.upbound.io_vaultlocks.yaml b/package/crds/glacier.aws.upbound.io_vaultlocks.yaml
index c4e062ad9b..d39c6cda0c 100644
--- a/package/crds/glacier.aws.upbound.io_vaultlocks.yaml
+++ b/package/crds/glacier.aws.upbound.io_vaultlocks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -162,10 +166,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - completeLock
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,14 +354,39 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: completeLock is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.completeLock)
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: VaultLockStatus defines the observed state of VaultLock.
             properties:
               atProvider:
                 properties:
+                  completeLock:
+                    description: Boolean whether to permanently apply this Glacier
+                      Lock Policy. Once completed, this cannot be undone. If set to
+                      false, the Glacier Lock Policy remains in a testing mode for
+                      24 hours. Changing this from false to true will show as resource
+                      recreation, which is expected. Changing this from true to false
+                      is not possible unless the Glacier Vault is recreated at the
+                      same time.
+                    type: boolean
                   id:
                     description: Glacier Vault name.
                     type: string
+                  ignoreDeletionError:
+                    description: This should only be used in conjunction with complete_lock
+                      being set to true.
+                    type: boolean
+                  policy:
+                    description: JSON string containing the IAM policy to apply as
+                      the Glacier Vault Lock policy.
+                    type: string
+                  vaultName:
+                    description: The name of the Glacier Vault.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glacier.aws.upbound.io_vaults.yaml b/package/crds/glacier.aws.upbound.io_vaults.yaml
index d9ced8bc39..82d2795754 100644
--- a/package/crds/glacier.aws.upbound.io_vaults.yaml
+++ b/package/crds/glacier.aws.upbound.io_vaults.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -176,6 +180,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -352,6 +371,12 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accessPolicy:
+                    description: The policy document. This is a JSON formatted string.
+                      The heredoc syntax or file function is helpful here. Use the
+                      Glacier Developer Guide for more information on Glacier Vault
+                      Policy
+                    type: string
                   arn:
                     description: The ARN of the vault.
                     type: string
@@ -360,6 +385,28 @@ spec:
                   location:
                     description: The URI of the vault that was created.
                     type: string
+                  notification:
+                    description: The notifications for the Vault. Fields documented
+                      below.
+                    items:
+                      properties:
+                        events:
+                          description: You can configure a vault to publish a notification
+                            for ArchiveRetrievalCompleted and InventoryRetrievalCompleted
+                            events.
+                          items:
+                            type: string
+                          type: array
+                        snsTopic:
+                          description: The SNS Topic ARN.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/globalaccelerator.aws.upbound.io_accelerators.yaml b/package/crds/globalaccelerator.aws.upbound.io_accelerators.yaml
index 5cce75fbf4..469d04c6c4 100644
--- a/package/crds/globalaccelerator.aws.upbound.io_accelerators.yaml
+++ b/package/crds/globalaccelerator.aws.upbound.io_accelerators.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -112,9 +116,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -286,14 +304,41 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AcceleratorStatus defines the observed state of Accelerator.
             properties:
               atProvider:
                 properties:
+                  attributes:
+                    description: The attributes of the accelerator. Fields documented
+                      below.
+                    items:
+                      properties:
+                        flowLogsEnabled:
+                          description: 'Indicates whether flow logs are enabled. Defaults
+                            to false. Valid values: true, false.'
+                          type: boolean
+                        flowLogsS3Bucket:
+                          description: The name of the Amazon S3 bucket for the flow
+                            logs. Required if flow_logs_enabled is true.
+                          type: string
+                        flowLogsS3Prefix:
+                          description: The prefix for the location in the Amazon S3
+                            bucket for the flow logs. Required if flow_logs_enabled
+                            is true.
+                          type: string
+                      type: object
+                    type: array
                   dnsName:
                     description: The DNS name of the accelerator. For example, a5d53ff5ee6bca4ce.awsglobalaccelerator.com.
                     type: string
+                  enabled:
+                    description: 'Indicates whether the accelerator is enabled. Defaults
+                      to true. Valid values: true, false.'
+                    type: boolean
                   hostedZoneId:
                     description: '-  The Global Accelerator Route 53 zone ID that
                       can be used to route an Alias Resource Record Set to the Global
@@ -303,6 +348,17 @@ spec:
                   id:
                     description: The Amazon Resource Name (ARN) of the accelerator.
                     type: string
+                  ipAddressType:
+                    description: 'The value for the address type. Defaults to IPV4.
+                      Valid values: IPV4, DUAL_STACK.'
+                    type: string
+                  ipAddresses:
+                    description: 'The IP addresses to use for BYOIP accelerators.
+                      If not specified, the service assigns IP addresses. Valid values:
+                      1 or 2 IPv4 addresses.'
+                    items:
+                      type: string
+                    type: array
                   ipSets:
                     description: IP address set associated with the accelerator.
                     items:
@@ -320,6 +376,14 @@ spec:
                           type: string
                       type: object
                     type: array
+                  name:
+                    description: The name of the accelerator.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/globalaccelerator.aws.upbound.io_endpointgroups.yaml b/package/crds/globalaccelerator.aws.upbound.io_endpointgroups.yaml
index 70f1d7a33e..692f593bd9 100644
--- a/package/crds/globalaccelerator.aws.upbound.io_endpointgroups.yaml
+++ b/package/crds/globalaccelerator.aws.upbound.io_endpointgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -407,9 +426,90 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the endpoint group.
                     type: string
+                  endpointConfiguration:
+                    description: The list of endpoint objects. Fields documented below.
+                    items:
+                      properties:
+                        clientIpPreservationEnabled:
+                          description: Indicates whether client IP address preservation
+                            is enabled for an Application Load Balancer endpoint.
+                            See the AWS documentation for more details. The default
+                            value is false.
+                          type: boolean
+                        endpointId:
+                          description: An ID for the endpoint. If the endpoint is
+                            a Network Load Balancer or Application Load Balancer,
+                            this is the Amazon Resource Name (ARN) of the resource.
+                            If the endpoint is an Elastic IP address, this is the
+                            Elastic IP address allocation ID.
+                          type: string
+                        weight:
+                          description: The weight associated with the endpoint. When
+                            you add weights to endpoints, you configure AWS Global
+                            Accelerator to route traffic based on proportions that
+                            you specify.
+                          type: number
+                      type: object
+                    type: array
+                  endpointGroupRegion:
+                    description: The name of the AWS Region where the endpoint group
+                      is located.
+                    type: string
+                  healthCheckIntervalSeconds:
+                    description: The time—10 seconds or 30 seconds—between each health
+                      check for an endpoint. The default value is 30.
+                    type: number
+                  healthCheckPath:
+                    description: If the protocol is HTTP/S, then this specifies the
+                      path that is the destination for health check targets. The default
+                      value is slash (/).
+                    type: string
+                  healthCheckPort:
+                    description: The port that AWS Global Accelerator uses to check
+                      the health of endpoints that are part of this endpoint group.
+                      The default port is the listener port that this endpoint group
+                      is associated with. If listener port is a list of ports, Global
+                      Accelerator uses the first port in the list.
+                    type: number
+                  healthCheckProtocol:
+                    description: The protocol that AWS Global Accelerator uses to
+                      check the health of endpoints that are part of this endpoint
+                      group. The default value is TCP.
+                    type: string
                   id:
                     description: The Amazon Resource Name (ARN) of the endpoint group.
                     type: string
+                  listenerArn:
+                    description: The Amazon Resource Name (ARN) of the listener.
+                    type: string
+                  portOverride:
+                    description: Override specific listener ports used to route traffic
+                      to endpoints that are part of this endpoint group. Fields documented
+                      below.
+                    items:
+                      properties:
+                        endpointPort:
+                          description: The endpoint port that you want a listener
+                            port to be mapped to. This is the port on the endpoint,
+                            such as the Application Load Balancer or Amazon EC2 instance.
+                          type: number
+                        listenerPort:
+                          description: The listener port that you want to map to a
+                            specific endpoint port. This is the port that user traffic
+                            arrives to the Global Accelerator on.
+                          type: number
+                      type: object
+                    type: array
+                  thresholdCount:
+                    description: The number of consecutive health checks required
+                      to set the state of a healthy endpoint to unhealthy, or to set
+                      an unhealthy endpoint to healthy. The default value is 3.
+                    type: number
+                  trafficDialPercentage:
+                    description: The percentage of traffic to send to an AWS Region.
+                      Additional traffic is distributed to other endpoint groups for
+                      this listener. The default value is 100.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/globalaccelerator.aws.upbound.io_listeners.yaml b/package/crds/globalaccelerator.aws.upbound.io_listeners.yaml
index ac90134ab0..8db0e12782 100644
--- a/package/crds/globalaccelerator.aws.upbound.io_listeners.yaml
+++ b/package/crds/globalaccelerator.aws.upbound.io_listeners.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -171,10 +175,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - portRange
-                - protocol
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -346,14 +363,48 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: portRange is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.portRange)
+            - message: protocol is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)
           status:
             description: ListenerStatus defines the observed state of Listener.
             properties:
               atProvider:
                 properties:
+                  acceleratorArn:
+                    description: The Amazon Resource Name (ARN) of your accelerator.
+                    type: string
+                  clientAffinity:
+                    description: 'Direct all requests from a user to the same endpoint.
+                      Valid values are NONE, SOURCE_IP. Default: NONE. If NONE, Global
+                      Accelerator uses the "five-tuple" properties of source IP address,
+                      source port, destination IP address, destination port, and protocol
+                      to select the hash value. If SOURCE_IP, Global Accelerator uses
+                      the "two-tuple" properties of source (client) IP address and
+                      destination IP address to select the hash value.'
+                    type: string
                   id:
                     description: The Amazon Resource Name (ARN) of the listener.
                     type: string
+                  portRange:
+                    description: The list of port ranges for the connections from
+                      clients to the accelerator. Fields documented below.
+                    items:
+                      properties:
+                        fromPort:
+                          description: The first port in the range of ports, inclusive.
+                          type: number
+                        toPort:
+                          description: The last port in the range of ports, inclusive.
+                          type: number
+                      type: object
+                    type: array
+                  protocol:
+                    description: The protocol for the connections from clients to
+                      the accelerator. Valid values are TCP, UDP.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_catalogdatabases.yaml b/package/crds/glue.aws.upbound.io_catalogdatabases.yaml
index 4cc1ba39ad..9f51b27abe 100644
--- a/package/crds/glue.aws.upbound.io_catalogdatabases.yaml
+++ b/package/crds/glue.aws.upbound.io_catalogdatabases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -128,6 +132,21 @@ spec:
                 - catalogId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -307,9 +326,62 @@ spec:
                   arn:
                     description: ARN of the Glue Catalog Database.
                     type: string
+                  catalogId:
+                    description: ID of the Glue Catalog to create the database in.
+                      If omitted, this defaults to the AWS Account ID.
+                    type: string
+                  createTableDefaultPermission:
+                    description: Creates a set of default permissions on the table
+                      for principals. See create_table_default_permission below.
+                    items:
+                      properties:
+                        permissions:
+                          description: The permissions that are granted to the principal.
+                          items:
+                            type: string
+                          type: array
+                        principal:
+                          description: The principal who is granted permissions..
+                            See principal below.
+                          items:
+                            properties:
+                              dataLakePrincipalIdentifier:
+                                description: An identifier for the Lake Formation
+                                  principal.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  description:
+                    description: Description of the database.
+                    type: string
                   id:
                     description: Catalog ID and name of the database
                     type: string
+                  locationUri:
+                    description: Location of the database (for example, an HDFS path).
+                    type: string
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: List of key-value pairs that define parameters and
+                      properties of the database.
+                    type: object
+                  targetDatabase:
+                    description: Configuration block for a target database for resource
+                      linking. See target_database below.
+                    items:
+                      properties:
+                        catalogId:
+                          description: ID of the Data Catalog in which the database
+                            resides.
+                          type: string
+                        databaseName:
+                          description: Name of the catalog database.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_catalogtables.yaml b/package/crds/glue.aws.upbound.io_catalogtables.yaml
index bd0d74708a..6f607d9a99 100644
--- a/package/crds/glue.aws.upbound.io_catalogtables.yaml
+++ b/package/crds/glue.aws.upbound.io_catalogtables.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -412,6 +416,21 @@ spec:
                 - catalogId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -591,18 +610,260 @@ spec:
                   arn:
                     description: The ARN of the Glue Table.
                     type: string
+                  catalogId:
+                    description: ID of the Glue Catalog and database to create the
+                      table in. If omitted, this defaults to the AWS Account ID plus
+                      the database name.
+                    type: string
+                  databaseName:
+                    description: Name of the metadata database where the table metadata
+                      resides. For Hive compatibility, this must be all lowercase.
+                    type: string
+                  description:
+                    description: Description of the table.
+                    type: string
                   id:
                     description: Catalog ID, Database name and of the name table.
                     type: string
+                  owner:
+                    description: Owner of the table.
+                    type: string
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: Properties associated with this table, as a list
+                      of key-value pairs.
+                    type: object
                   partitionIndex:
                     description: Configuration block for a maximum of 3 partition
                       indexes. See partition_index below.
                     items:
                       properties:
+                        indexName:
+                          description: Name of the partition index.
+                          type: string
                         indexStatus:
                           type: string
+                        keys:
+                          description: Keys for the partition index.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  partitionKeys:
+                    description: Configuration block of columns by which the table
+                      is partitioned. Only primitive types are supported as partition
+                      keys. See partition_keys below.
+                    items:
+                      properties:
+                        comment:
+                          description: Free-form text comment.
+                          type: string
+                        name:
+                          description: Name of the Partition Key.
+                          type: string
+                        type:
+                          description: Datatype of data in the Partition Key.
+                          type: string
+                      type: object
+                    type: array
+                  retention:
+                    description: Retention time for this table.
+                    type: number
+                  storageDescriptor:
+                    description: Configuration block for information about the physical
+                      storage of this table. For more information, refer to the Glue
+                      Developer Guide. See storage_descriptor below.
+                    items:
+                      properties:
+                        bucketColumns:
+                          description: List of reducer grouping columns, clustering
+                            columns, and bucketing columns in the table.
+                          items:
+                            type: string
+                          type: array
+                        columns:
+                          description: Configuration block for columns in the table.
+                            See columns below.
+                          items:
+                            properties:
+                              comment:
+                                description: Free-form text comment.
+                                type: string
+                              name:
+                                description: Name of the Column.
+                                type: string
+                              parameters:
+                                additionalProperties:
+                                  type: string
+                                description: Key-value pairs defining properties associated
+                                  with the column.
+                                type: object
+                              type:
+                                description: Datatype of data in the Column.
+                                type: string
+                            type: object
+                          type: array
+                        compressed:
+                          description: Whether the data in the table is compressed.
+                          type: boolean
+                        inputFormat:
+                          description: 'Input format: SequenceFileInputFormat (binary),
+                            or TextInputFormat, or a custom format.'
+                          type: string
+                        location:
+                          description: Physical location of the table. By default
+                            this takes the form of the warehouse location, followed
+                            by the database location in the warehouse, followed by
+                            the table name.
+                          type: string
+                        numberOfBuckets:
+                          description: Must be specified if the table contains any
+                            dimension columns.
+                          type: number
+                        outputFormat:
+                          description: 'Output format: SequenceFileOutputFormat (binary),
+                            or IgnoreKeyTextOutputFormat, or a custom format.'
+                          type: string
+                        parameters:
+                          additionalProperties:
+                            type: string
+                          description: User-supplied properties in key-value form.
+                          type: object
+                        schemaReference:
+                          description: Object that references a schema stored in the
+                            AWS Glue Schema Registry. When creating a table, you can
+                            pass an empty list of columns for the schema, and instead
+                            use a schema reference. See Schema Reference below.
+                          items:
+                            properties:
+                              schemaId:
+                                description: Configuration block that contains schema
+                                  identity fields. Either this or the schema_version_id
+                                  has to be provided. See schema_id below.
+                                items:
+                                  properties:
+                                    registryName:
+                                      description: Name of the schema registry that
+                                        contains the schema. Must be provided when
+                                        schema_name is specified and conflicts with
+                                        schema_arn.
+                                      type: string
+                                    schemaArn:
+                                      description: ARN of the schema. One of schema_arn
+                                        or schema_name has to be provided.
+                                      type: string
+                                    schemaName:
+                                      description: Name of the schema. One of schema_arn
+                                        or schema_name has to be provided.
+                                      type: string
+                                  type: object
+                                type: array
+                              schemaVersionId:
+                                description: Unique ID assigned to a version of the
+                                  schema. Either this or the schema_id has to be provided.
+                                type: string
+                              schemaVersionNumber:
+                                description: Version number of the schema.
+                                type: number
+                            type: object
+                          type: array
+                        serDeInfo:
+                          description: Configuration block for serialization and deserialization
+                            ("SerDe") information. See ser_de_info below.
+                          items:
+                            properties:
+                              name:
+                                description: Name of the SerDe.
+                                type: string
+                              parameters:
+                                additionalProperties:
+                                  type: string
+                                description: Map of initialization parameters for
+                                  the SerDe, in key-value form.
+                                type: object
+                              serializationLibrary:
+                                description: Usually the class that implements the
+                                  SerDe. An example is org.apache.hadoop.hive.serde2.columnar.ColumnarSerDe.
+                                type: string
+                            type: object
+                          type: array
+                        skewedInfo:
+                          description: Configuration block with information about
+                            values that appear very frequently in a column (skewed
+                            values). See skewed_info below.
+                          items:
+                            properties:
+                              skewedColumnNames:
+                                description: List of names of columns that contain
+                                  skewed values.
+                                items:
+                                  type: string
+                                type: array
+                              skewedColumnValueLocationMaps:
+                                additionalProperties:
+                                  type: string
+                                description: List of values that appear so frequently
+                                  as to be considered skewed.
+                                type: object
+                              skewedColumnValues:
+                                description: Map of skewed values to the columns that
+                                  contain them.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        sortColumns:
+                          description: Configuration block for the sort order of each
+                            bucket in the table. See sort_columns below.
+                          items:
+                            properties:
+                              column:
+                                description: Name of the column.
+                                type: string
+                              sortOrder:
+                                description: Whether the column is sorted in ascending
+                                  (1) or descending order (0).
+                                type: number
+                            type: object
+                          type: array
+                        storedAsSubDirectories:
+                          description: Whether the table data is stored in subdirectories.
+                          type: boolean
+                      type: object
+                    type: array
+                  tableType:
+                    description: Type of this table (EXTERNAL_TABLE, VIRTUAL_VIEW,
+                      etc.). While optional, some Athena DDL queries such as ALTER
+                      TABLE and SHOW CREATE TABLE will fail if this argument is empty.
+                    type: string
+                  targetTable:
+                    description: Configuration block of a target table for resource
+                      linking. See target_table below.
+                    items:
+                      properties:
+                        catalogId:
+                          description: ID of the Data Catalog in which the table resides.
+                          type: string
+                        databaseName:
+                          description: Name of the catalog database that contains
+                            the target table.
+                          type: string
+                        name:
+                          description: Name of the target table.
+                          type: string
                       type: object
                     type: array
+                  viewExpandedText:
+                    description: If the table is a view, the expanded text of the
+                      view; otherwise null.
+                    type: string
+                  viewOriginalText:
+                    description: If the table is a view, the original text of the
+                      view; otherwise null.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_classifiers.yaml b/package/crds/glue.aws.upbound.io_classifiers.yaml
index cbeb960226..852535cba3 100644
--- a/package/crds/glue.aws.upbound.io_classifiers.yaml
+++ b/package/crds/glue.aws.upbound.io_classifiers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -169,6 +173,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -345,9 +364,99 @@ spec:
             properties:
               atProvider:
                 properties:
+                  csvClassifier:
+                    description: A classifier for Csv content. Defined below.
+                    items:
+                      properties:
+                        allowSingleColumn:
+                          description: Enables the processing of files that contain
+                            only one column.
+                          type: boolean
+                        containsHeader:
+                          description: Indicates whether the CSV file contains a header.
+                            This can be one of "ABSENT", "PRESENT", or "UNKNOWN".
+                          type: string
+                        customDatatypeConfigured:
+                          description: A custom symbol to denote what combines content
+                            into a single column value. It must be different from
+                            the column delimiter.
+                          type: boolean
+                        customDatatypes:
+                          description: A list of supported custom datatypes. Valid
+                            values are BINARY, BOOLEAN, DATE, DECIMAL, DOUBLE, FLOAT,
+                            INT, LONG, SHORT, STRING, TIMESTAMP.
+                          items:
+                            type: string
+                          type: array
+                        delimiter:
+                          description: The delimiter used in the Csv to separate columns.
+                          type: string
+                        disableValueTrimming:
+                          description: Specifies whether to trim column values.
+                          type: boolean
+                        header:
+                          description: A list of strings representing column names.
+                          items:
+                            type: string
+                          type: array
+                        quoteSymbol:
+                          description: A custom symbol to denote what combines content
+                            into a single column value. It must be different from
+                            the column delimiter.
+                          type: string
+                      type: object
+                    type: array
+                  grokClassifier:
+                    description: –  A classifier that uses grok patterns. Defined
+                      below.
+                    items:
+                      properties:
+                        classification:
+                          description: An identifier of the data format that the classifier
+                            matches, such as Twitter, JSON, Omniture logs, Amazon
+                            CloudWatch Logs, and so on.
+                          type: string
+                        customPatterns:
+                          description: Custom grok patterns used by this classifier.
+                          type: string
+                        grokPattern:
+                          description: The grok pattern used by this classifier.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: Name of the classifier
                     type: string
+                  jsonClassifier:
+                    description: –  A classifier for JSON content. Defined below.
+                    items:
+                      properties:
+                        jsonPath:
+                          description: A JsonPath string defining the JSON data for
+                            the classifier to classify. AWS Glue supports a subset
+                            of JsonPath, as described in Writing JsonPath Custom Classifiers.
+                          type: string
+                      type: object
+                    type: array
+                  xmlClassifier:
+                    description: –  A classifier for XML content. Defined below.
+                    items:
+                      properties:
+                        classification:
+                          description: An identifier of the data format that the classifier
+                            matches.
+                          type: string
+                        rowTag:
+                          description: The XML tag designating the element that contains
+                            each record in an XML document being parsed. Note that
+                            this cannot identify a self-closing element (closed by
+                            />). An empty row element that contains only attributes
+                            can be parsed as long as it ends with a closing tag (for
+                            example, <row item_a="A" item_b="B"></row> is okay, but
+                            <row item_a="A" item_b="B" /> is not).
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_connections.yaml b/package/crds/glue.aws.upbound.io_connections.yaml
index 384865847e..1334118de9 100644
--- a/package/crds/glue.aws.upbound.io_connections.yaml
+++ b/package/crds/glue.aws.upbound.io_connections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -281,6 +285,21 @@ spec:
                 - catalogId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -460,9 +479,53 @@ spec:
                   arn:
                     description: The ARN of the Glue Connection.
                     type: string
+                  catalogId:
+                    description: –  The ID of the Data Catalog in which to create
+                      the connection. If none is supplied, the AWS account ID is used
+                      by default.
+                    type: string
+                  connectionType:
+                    description: '–  The type of the connection. Supported are: CUSTOM,
+                      JDBC, KAFKA, MARKETPLACE, MONGODB, and NETWORK. Defaults to
+                      JBDC.'
+                    type: string
+                  description:
+                    description: –  Description of the connection.
+                    type: string
                   id:
                     description: Catalog ID and name of the connection
                     type: string
+                  matchCriteria:
+                    description: –  A list of criteria that can be used in selecting
+                      this connection.
+                    items:
+                      type: string
+                    type: array
+                  physicalConnectionRequirements:
+                    description: A map of physical connection requirements, such as
+                      VPC and SecurityGroup. Defined below.
+                    items:
+                      properties:
+                        availabilityZone:
+                          description: The availability zone of the connection. This
+                            field is redundant and implied by subnet_id, but is currently
+                            an api requirement.
+                          type: string
+                        securityGroupIdList:
+                          description: The security group ID list used by the connection.
+                          items:
+                            type: string
+                          type: array
+                        subnetId:
+                          description: The subnet ID used by the connection.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/glue.aws.upbound.io_crawlers.yaml b/package/crds/glue.aws.upbound.io_crawlers.yaml
index e0ff066d69..6830793d8c 100644
--- a/package/crds/glue.aws.upbound.io_crawlers.yaml
+++ b/package/crds/glue.aws.upbound.io_crawlers.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -709,6 +713,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -888,9 +907,253 @@ spec:
                   arn:
                     description: The ARN of the crawler
                     type: string
+                  catalogTarget:
+                    items:
+                      properties:
+                        connectionName:
+                          description: The name of the connection to use to connect
+                            to the JDBC target.
+                          type: string
+                        databaseName:
+                          description: Glue database where results are written.
+                          type: string
+                        dlqEventQueueArn:
+                          description: The ARN of the dead-letter SQS queue.
+                          type: string
+                        eventQueueArn:
+                          description: The ARN of the SQS queue to receive S3 notifications
+                            from.
+                          type: string
+                        tables:
+                          description: A list of catalog tables to be synchronized.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  classifiers:
+                    description: List of custom classifiers. By default, all AWS classifiers
+                      are included in a crawl, but these custom classifiers always
+                      override the default classifiers for a given classification.
+                    items:
+                      type: string
+                    type: array
+                  configuration:
+                    description: JSON string of configuration information. For more
+                      details see Setting Crawler Configuration Options.
+                    type: string
+                  databaseName:
+                    description: Glue database where results are written.
+                    type: string
+                  deltaTarget:
+                    items:
+                      properties:
+                        connectionName:
+                          description: The name of the connection to use to connect
+                            to the JDBC target.
+                          type: string
+                        deltaTables:
+                          description: A list of the Amazon S3 paths to the Delta
+                            tables.
+                          items:
+                            type: string
+                          type: array
+                        writeManifest:
+                          description: Specifies whether to write the manifest files
+                            to the Delta table path.
+                          type: boolean
+                      type: object
+                    type: array
+                  description:
+                    description: Description of the crawler.
+                    type: string
+                  dynamodbTarget:
+                    description: List of nested DynamoDB target arguments. See Dynamodb
+                      Target below.
+                    items:
+                      properties:
+                        path:
+                          description: The name of the DynamoDB table to crawl.
+                          type: string
+                        scanAll:
+                          description: Indicates whether to scan all the records,
+                            or to sample rows from the table. Scanning all the records
+                            can take a long time when the table is not a high throughput
+                            table.  defaults to true.
+                          type: boolean
+                        scanRate:
+                          description: The percentage of the configured read capacity
+                            units to use by the AWS Glue crawler. The valid values
+                            are null or a value between 0.1 to 1.5.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: Crawler name
                     type: string
+                  jdbcTarget:
+                    description: List of nested JBDC target arguments. See JDBC Target
+                      below.
+                    items:
+                      properties:
+                        connectionName:
+                          description: The name of the connection to use to connect
+                            to the JDBC target.
+                          type: string
+                        enableAdditionalMetadata:
+                          description: Specify a value of RAWTYPES or COMMENTS to
+                            enable additional metadata intable responses. RAWTYPES
+                            provides the native-level datatype. COMMENTS provides
+                            comments associated with a column or table in the database.
+                          items:
+                            type: string
+                          type: array
+                        exclusions:
+                          description: A list of glob patterns used to exclude from
+                            the crawl.
+                          items:
+                            type: string
+                          type: array
+                        path:
+                          description: The name of the DynamoDB table to crawl.
+                          type: string
+                      type: object
+                    type: array
+                  lakeFormationConfiguration:
+                    description: Specifies Lake Formation configuration settings for
+                      the crawler. See Lake Formation Configuration below.
+                    items:
+                      properties:
+                        accountId:
+                          description: Required for cross account crawls. For same
+                            account crawls as the target data, this can omitted.
+                          type: string
+                        useLakeFormationCredentials:
+                          description: Specifies whether to use Lake Formation credentials
+                            for the crawler instead of the IAM role credentials.
+                          type: boolean
+                      type: object
+                    type: array
+                  lineageConfiguration:
+                    description: Specifies data lineage configuration settings for
+                      the crawler. See Lineage Configuration below.
+                    items:
+                      properties:
+                        crawlerLineageSettings:
+                          description: 'Specifies whether data lineage is enabled
+                            for the crawler. Valid values are: ENABLE and DISABLE.
+                            Default value is Disable.'
+                          type: string
+                      type: object
+                    type: array
+                  mongodbTarget:
+                    description: List nested MongoDB target arguments. See MongoDB
+                      Target below.
+                    items:
+                      properties:
+                        connectionName:
+                          description: The name of the connection to use to connect
+                            to the JDBC target.
+                          type: string
+                        path:
+                          description: The name of the DynamoDB table to crawl.
+                          type: string
+                        scanAll:
+                          description: Indicates whether to scan all the records,
+                            or to sample rows from the table. Scanning all the records
+                            can take a long time when the table is not a high throughput
+                            table.  defaults to true.
+                          type: boolean
+                      type: object
+                    type: array
+                  recrawlPolicy:
+                    description: A policy that specifies whether to crawl the entire
+                      dataset again, or to crawl only folders that were added since
+                      the last crawler run.. See Recrawl Policy below.
+                    items:
+                      properties:
+                        recrawlBehavior:
+                          description: 'Specifies whether to crawl the entire dataset
+                            again, crawl only folders that were added since the last
+                            crawler run, or crawl what S3 notifies the crawler of
+                            via SQS. Valid Values are: CRAWL_EVENT_MODE, CRAWL_EVERYTHING
+                            and CRAWL_NEW_FOLDERS_ONLY. Default value is CRAWL_EVERYTHING.'
+                          type: string
+                      type: object
+                    type: array
+                  role:
+                    description: The IAM role friendly name (including path without
+                      leading slash), or ARN of an IAM role, used by the crawler to
+                      access other resources.
+                    type: string
+                  s3Target:
+                    description: List nested Amazon S3 target arguments. See S3 Target
+                      below.
+                    items:
+                      properties:
+                        connectionName:
+                          description: The name of the connection to use to connect
+                            to the JDBC target.
+                          type: string
+                        dlqEventQueueArn:
+                          description: The ARN of the dead-letter SQS queue.
+                          type: string
+                        eventQueueArn:
+                          description: The ARN of the SQS queue to receive S3 notifications
+                            from.
+                          type: string
+                        exclusions:
+                          description: A list of glob patterns used to exclude from
+                            the crawl.
+                          items:
+                            type: string
+                          type: array
+                        path:
+                          description: The name of the DynamoDB table to crawl.
+                          type: string
+                        sampleSize:
+                          description: Sets the number of files in each leaf folder
+                            to be crawled when crawling sample files in a dataset.
+                            If not set, all the files are crawled. A valid value is
+                            an integer between 1 and 249.
+                          type: number
+                      type: object
+                    type: array
+                  schedule:
+                    description: 'Based Schedules for Jobs and Crawlers. For example,
+                      to run something every day at 12:15 UTC, you would specify:
+                      cron(15 12 * * ? *).'
+                    type: string
+                  schemaChangePolicy:
+                    description: Policy for the crawler's update and deletion behavior.
+                      See Schema Change Policy below.
+                    items:
+                      properties:
+                        deleteBehavior:
+                          description: 'The deletion behavior when the crawler finds
+                            a deleted object. Valid values: LOG, DELETE_FROM_DATABASE,
+                            or DEPRECATE_IN_DATABASE. Defaults to DEPRECATE_IN_DATABASE.'
+                          type: string
+                        updateBehavior:
+                          description: 'The update behavior when the crawler finds
+                            a changed schema. Valid values: LOG or UPDATE_IN_DATABASE.
+                            Defaults to UPDATE_IN_DATABASE.'
+                          type: string
+                      type: object
+                    type: array
+                  securityConfiguration:
+                    description: The name of Security Configuration to be used by
+                      the crawler
+                    type: string
+                  tablePrefix:
+                    description: The table prefix used for catalog tables that are
+                      created.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/glue.aws.upbound.io_datacatalogencryptionsettings.yaml b/package/crds/glue.aws.upbound.io_datacatalogencryptionsettings.yaml
index 1075d32cf3..b3d94bd55c 100644
--- a/package/crds/glue.aws.upbound.io_datacatalogencryptionsettings.yaml
+++ b/package/crds/glue.aws.upbound.io_datacatalogencryptionsettings.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -290,9 +294,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - dataCatalogEncryptionSettings
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -464,12 +482,68 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dataCatalogEncryptionSettings is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataCatalogEncryptionSettings)
           status:
             description: DataCatalogEncryptionSettingsStatus defines the observed
               state of DataCatalogEncryptionSettings.
             properties:
               atProvider:
                 properties:
+                  catalogId:
+                    description: –  The ID of the Data Catalog to set the security
+                      configuration for. If none is provided, the AWS account ID is
+                      used by default.
+                    type: string
+                  dataCatalogEncryptionSettings:
+                    description: –  The security configuration to set. see Data Catalog
+                      Encryption Settings.
+                    items:
+                      properties:
+                        connectionPasswordEncryption:
+                          description: When connection password protection is enabled,
+                            the Data Catalog uses a customer-provided key to encrypt
+                            the password as part of CreateConnection or UpdateConnection
+                            and store it in the ENCRYPTED_PASSWORD field in the connection
+                            properties. You can enable catalog encryption or only
+                            password encryption. see Connection Password Encryption.
+                          items:
+                            properties:
+                              awsKmsKeyId:
+                                description: A KMS key ARN that is used to encrypt
+                                  the connection password. If connection password
+                                  protection is enabled, the caller of CreateConnection
+                                  and UpdateConnection needs at least kms:Encrypt
+                                  permission on the specified AWS KMS key, to encrypt
+                                  passwords before storing them in the Data Catalog.
+                                type: string
+                              returnConnectionPasswordEncrypted:
+                                description: When set to true, passwords remain encrypted
+                                  in the responses of GetConnection and GetConnections.
+                                  This encryption takes effect independently of the
+                                  catalog encryption.
+                                type: boolean
+                            type: object
+                          type: array
+                        encryptionAtRest:
+                          description: Specifies the encryption-at-rest configuration
+                            for the Data Catalog. see Encryption At Rest.
+                          items:
+                            properties:
+                              catalogEncryptionMode:
+                                description: The encryption-at-rest mode for encrypting
+                                  Data Catalog data. Valid values are DISABLED and
+                                  SSE-KMS.
+                                type: string
+                              sseAwsKmsKeyId:
+                                description: The ARN of the AWS KMS key to use for
+                                  encryption at rest.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: The ID of the Data Catalog to set the security configuration
                       for.
diff --git a/package/crds/glue.aws.upbound.io_jobs.yaml b/package/crds/glue.aws.upbound.io_jobs.yaml
index dff2a3deef..634f1f1335 100644
--- a/package/crds/glue.aws.upbound.io_jobs.yaml
+++ b/package/crds/glue.aws.upbound.io_jobs.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -254,9 +258,23 @@ spec:
                       a job runs. Accepts a value of Standard, G.1X, or G.2X.
                     type: string
                 required:
-                - command
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -428,6 +446,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: command is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.command)
           status:
             description: JobStatus defines the observed state of Job.
             properties:
@@ -436,9 +457,111 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of Glue Job
                     type: string
+                  command:
+                    description: –  The command of the job. Defined below.
+                    items:
+                      properties:
+                        name:
+                          description: –  The name you assign to this job. It must
+                            be unique in your account.
+                          type: string
+                        pythonVersion:
+                          description: The Python version being used to execute a
+                            Python shell job. Allowed values are 2, 3 or 3.9. Version
+                            3 refers to Python 3.6.
+                          type: string
+                        scriptLocation:
+                          description: Specifies the S3 path to a script that executes
+                            a job.
+                          type: string
+                      type: object
+                    type: array
+                  connections:
+                    description: –  The list of connections used for this job.
+                    items:
+                      type: string
+                    type: array
+                  defaultArguments:
+                    additionalProperties:
+                      type: string
+                    description: execution script consumes, as well as arguments that
+                      AWS Glue itself consumes. For information about how to specify
+                      and consume your own Job arguments, see the Calling AWS Glue
+                      APIs in Python topic in the developer guide. For information
+                      about the key-value pairs that AWS Glue consumes to set up your
+                      job, see the Special Parameters Used by AWS Glue topic in the
+                      developer guide.
+                    type: object
+                  description:
+                    description: –  Description of the job.
+                    type: string
+                  executionClass:
+                    description: 'Indicates whether the job is run with a standard
+                      or flexible execution class. The standard execution class is
+                      ideal for time-sensitive workloads that require fast job startup
+                      and dedicated resources. Valid value: FLEX, STANDARD.'
+                    type: string
+                  executionProperty:
+                    description: –  Execution property of the job. Defined below.
+                    items:
+                      properties:
+                        maxConcurrentRuns:
+                          description: The maximum number of concurrent runs allowed
+                            for a job. The default is 1.
+                          type: number
+                      type: object
+                    type: array
+                  glueVersion:
+                    description: The version of glue to use, for example "1.0". For
+                      information about available versions, see the AWS Glue Release
+                      Notes.
+                    type: string
                   id:
                     description: Job name
                     type: string
+                  maxCapacity:
+                    description: –  The maximum number of AWS Glue data processing
+                      units (DPUs) that can be allocated when this job runs. Required
+                      when pythonshell is set, accept either 0.0625 or 1.0. Use number_of_workers
+                      and worker_type arguments instead with glue_version 2.0 and
+                      above.
+                    type: number
+                  maxRetries:
+                    description: –  The maximum number of times to retry this job
+                      if it fails.
+                    type: number
+                  nonOverridableArguments:
+                    additionalProperties:
+                      type: string
+                    description: overridable arguments for this job, specified as
+                      name-value pairs.
+                    type: object
+                  notificationProperty:
+                    description: Notification property of the job. Defined below.
+                    items:
+                      properties:
+                        notifyDelayAfter:
+                          description: After a job run starts, the number of minutes
+                            to wait before sending a job run delay notification.
+                          type: number
+                      type: object
+                    type: array
+                  numberOfWorkers:
+                    description: The number of workers of a defined workerType that
+                      are allocated when a job runs.
+                    type: number
+                  roleArn:
+                    description: –  The ARN of the IAM role associated with this job.
+                    type: string
+                  securityConfiguration:
+                    description: The name of the Security Configuration to be associated
+                      with the job.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -446,6 +569,15 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  timeout:
+                    description: –  The job timeout in minutes. The default is 2880
+                      minutes (48 hours) for glueetl and pythonshell jobs, and null
+                      (unlimited) for gluestreaming jobs.
+                    type: number
+                  workerType:
+                    description: The type of predefined worker that is allocated when
+                      a job runs. Accepts a value of Standard, G.1X, or G.2X.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_registries.yaml b/package/crds/glue.aws.upbound.io_registries.yaml
index f27e93b236..db9f5521e3 100644
--- a/package/crds/glue.aws.upbound.io_registries.yaml
+++ b/package/crds/glue.aws.upbound.io_registries.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,9 +277,17 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of Glue Registry.
                     type: string
+                  description:
+                    description: –  A description of the registry.
+                    type: string
                   id:
                     description: Amazon Resource Name (ARN) of Glue Registry.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/glue.aws.upbound.io_resourcepolicies.yaml b/package/crds/glue.aws.upbound.io_resourcepolicies.yaml
index 99586a605c..fcb19215df 100644
--- a/package/crds/glue.aws.upbound.io_resourcepolicies.yaml
+++ b/package/crds/glue.aws.upbound.io_resourcepolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -77,9 +81,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -251,13 +269,24 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: ResourcePolicyStatus defines the observed state of ResourcePolicy.
             properties:
               atProvider:
                 properties:
+                  enableHybrid:
+                    description: Indicates that you are using both methods to grant
+                      cross-account. Valid values are TRUE and FALSE.
+                    type: string
                   id:
                     type: string
+                  policy:
+                    description: –  The policy to be applied to the aws glue data
+                      catalog.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_schemas.yaml b/package/crds/glue.aws.upbound.io_schemas.yaml
index c05cf93eb8..0356f86c29 100644
--- a/package/crds/glue.aws.upbound.io_schemas.yaml
+++ b/package/crds/glue.aws.upbound.io_schemas.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -170,12 +174,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - compatibility
-                - dataFormat
                 - region
-                - schemaDefinition
-                - schemaName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -347,6 +362,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: compatibility is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.compatibility)
+            - message: dataFormat is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataFormat)
+            - message: schemaDefinition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schemaDefinition)
+            - message: schemaName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schemaName)
           status:
             description: SchemaStatus defines the observed state of Schema.
             properties:
@@ -355,6 +379,18 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the schema.
                     type: string
+                  compatibility:
+                    description: 'The compatibility mode of the schema. Values values
+                      are: NONE, DISABLED, BACKWARD, BACKWARD_ALL, FORWARD, FORWARD_ALL,
+                      FULL, and FULL_ALL.'
+                    type: string
+                  dataFormat:
+                    description: The data format of the schema definition. Valid values
+                      are AVRO, JSON and PROTOBUF.
+                    type: string
+                  description:
+                    description: –  A description of the schema.
+                    type: string
                   id:
                     description: Amazon Resource Name (ARN) of the schema.
                     type: string
@@ -366,6 +402,10 @@ spec:
                     description: The next version of the schema associated with the
                       returned schema definition.
                     type: number
+                  registryArn:
+                    description: The ARN of the Glue Registry to create the schema
+                      in.
+                    type: string
                   registryName:
                     description: The name of the Glue Registry.
                     type: string
@@ -373,6 +413,18 @@ spec:
                     description: The version number of the checkpoint (the last time
                       the compatibility mode was changed).
                     type: number
+                  schemaDefinition:
+                    description: The schema definition using the data_format setting
+                      for schema_name.
+                    type: string
+                  schemaName:
+                    description: –  The Name of the schema.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/glue.aws.upbound.io_securityconfigurations.yaml b/package/crds/glue.aws.upbound.io_securityconfigurations.yaml
index fe08626c73..acfc2ea084 100644
--- a/package/crds/glue.aws.upbound.io_securityconfigurations.yaml
+++ b/package/crds/glue.aws.upbound.io_securityconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -364,9 +368,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - encryptionConfiguration
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -538,12 +556,66 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: encryptionConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encryptionConfiguration)
           status:
             description: SecurityConfigurationStatus defines the observed state of
               SecurityConfiguration.
             properties:
               atProvider:
                 properties:
+                  encryptionConfiguration:
+                    description: –  Configuration block containing encryption configuration.
+                      Detailed below.
+                    items:
+                      properties:
+                        cloudwatchEncryption:
+                          items:
+                            properties:
+                              cloudwatchEncryptionMode:
+                                description: 'Encryption mode to use for CloudWatch
+                                  data. Valid values: DISABLED, SSE-KMS. Default value:
+                                  DISABLED.'
+                                type: string
+                              kmsKeyArn:
+                                description: Amazon Resource Name (ARN) of the KMS
+                                  key to be used to encrypt the data.
+                                type: string
+                            type: object
+                          type: array
+                        jobBookmarksEncryption:
+                          items:
+                            properties:
+                              jobBookmarksEncryptionMode:
+                                description: 'Encryption mode to use for job bookmarks
+                                  data. Valid values: CSE-KMS, DISABLED. Default value:
+                                  DISABLED.'
+                                type: string
+                              kmsKeyArn:
+                                description: Amazon Resource Name (ARN) of the KMS
+                                  key to be used to encrypt the data.
+                                type: string
+                            type: object
+                          type: array
+                        s3Encryption:
+                          description: A s3_encryption  block as described below,
+                            which contains encryption configuration for S3 data.
+                          items:
+                            properties:
+                              kmsKeyArn:
+                                description: Amazon Resource Name (ARN) of the KMS
+                                  key to be used to encrypt the data.
+                                type: string
+                              s3EncryptionMode:
+                                description: 'Encryption mode to use for S3 data.
+                                  Valid values: DISABLED, SSE-KMS, SSE-S3. Default
+                                  value: DISABLED.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: Glue security configuration name
                     type: string
diff --git a/package/crds/glue.aws.upbound.io_triggers.yaml b/package/crds/glue.aws.upbound.io_triggers.yaml
index 6c6483976c..21e3182e6c 100644
--- a/package/crds/glue.aws.upbound.io_triggers.yaml
+++ b/package/crds/glue.aws.upbound.io_triggers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -515,10 +519,23 @@ spec:
                       triggers.
                     type: string
                 required:
-                - actions
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -690,22 +707,145 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: actions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.actions)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: TriggerStatus defines the observed state of Trigger.
             properties:
               atProvider:
                 properties:
+                  actions:
+                    description: –  List of actions initiated by this trigger when
+                      it fires. See Actions Below.
+                    items:
+                      properties:
+                        arguments:
+                          additionalProperties:
+                            type: string
+                          description: Arguments to be passed to the job. You can
+                            specify arguments here that your own job-execution script
+                            consumes, as well as arguments that AWS Glue itself consumes.
+                          type: object
+                        crawlerName:
+                          description: The name of the crawler to be executed. Conflicts
+                            with job_name.
+                          type: string
+                        jobName:
+                          description: The name of a job to be executed. Conflicts
+                            with crawler_name.
+                          type: string
+                        notificationProperty:
+                          description: Specifies configuration properties of a job
+                            run notification. See Notification Property details below.
+                          items:
+                            properties:
+                              notifyDelayAfter:
+                                description: After a job run starts, the number of
+                                  minutes to wait before sending a job run delay notification.
+                                type: number
+                            type: object
+                          type: array
+                        securityConfiguration:
+                          description: The name of the Security Configuration structure
+                            to be used with this action.
+                          type: string
+                        timeout:
+                          description: The job run timeout in minutes. It overrides
+                            the timeout value of the job.
+                          type: number
+                      type: object
+                    type: array
                   arn:
                     description: Amazon Resource Name (ARN) of Glue Trigger
                     type: string
+                  description:
+                    description: –  A description of the new trigger.
+                    type: string
+                  enabled:
+                    description: –  Start the trigger. Defaults to true.
+                    type: boolean
+                  eventBatchingCondition:
+                    description: Batch condition that must be met (specified number
+                      of events received or batch time window expired) before EventBridge
+                      event trigger fires. See Event Batching Condition.
+                    items:
+                      properties:
+                        batchSize:
+                          description: Number of events that must be received from
+                            Amazon EventBridge before EventBridge  event trigger fires.
+                          type: number
+                        batchWindow:
+                          description: Window of time in seconds after which EventBridge
+                            event trigger fires. Window starts when first event is
+                            received. Default value is 900.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: Trigger name
                     type: string
+                  predicate:
+                    description: –  A predicate to specify when the new trigger should
+                      fire. Required when trigger type is CONDITIONAL. See Predicate
+                      Below.
+                    items:
+                      properties:
+                        conditions:
+                          description: A list of the conditions that determine when
+                            the trigger will fire. See Conditions.
+                          items:
+                            properties:
+                              crawlState:
+                                description: The condition crawl state. Currently,
+                                  the values supported are RUNNING, SUCCEEDED, CANCELLED,
+                                  and FAILED. If this is specified, crawler_name must
+                                  also be specified. Conflicts with state.
+                                type: string
+                              crawlerName:
+                                description: The name of the crawler to be executed.
+                                  Conflicts with job_name.
+                                type: string
+                              jobName:
+                                description: The name of a job to be executed. Conflicts
+                                  with crawler_name.
+                                type: string
+                              logicalOperator:
+                                description: A logical operator. Defaults to EQUALS.
+                                type: string
+                              state:
+                                description: The condition job state. Currently, the
+                                  values supported are SUCCEEDED, STOPPED, TIMEOUT
+                                  and FAILED. If this is specified, job_name must
+                                  also be specified. Conflicts with crawler_state.
+                                type: string
+                            type: object
+                          type: array
+                        logical:
+                          description: How to handle multiple conditions. Defaults
+                            to AND. Valid values are AND or ANY.
+                          type: string
+                      type: object
+                    type: array
+                  schedule:
+                    description: Based Schedules for Jobs and Crawlers
+                    type: string
+                  startOnCreation:
+                    description: –  Set to true to start SCHEDULED and CONDITIONAL
+                      triggers when created. True is not supported for ON_DEMAND triggers.
+                    type: boolean
                   state:
                     description: The condition job state. Currently, the values supported
                       are SUCCEEDED, STOPPED, TIMEOUT and FAILED. If this is specified,
                       job_name must also be specified. Conflicts with crawler_state.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -713,6 +853,16 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: –  The type of trigger. Valid values are CONDITIONAL,
+                      EVENT, ON_DEMAND, and SCHEDULED.
+                    type: string
+                  workflowName:
+                    description: A workflow to which the trigger should be associated
+                      to. Every workflow graph (DAG) needs a starting trigger (ON_DEMAND
+                      or SCHEDULED type) and can contain multiple additional CONDITIONAL
+                      triggers.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_userdefinedfunctions.yaml b/package/crds/glue.aws.upbound.io_userdefinedfunctions.yaml
index bef5c5aa47..57a6bd6002 100644
--- a/package/crds/glue.aws.upbound.io_userdefinedfunctions.yaml
+++ b/package/crds/glue.aws.upbound.io_userdefinedfunctions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -178,11 +182,23 @@ spec:
                     type: array
                 required:
                 - catalogId
-                - className
-                - ownerName
-                - ownerType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -354,6 +370,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: className is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.className)
+            - message: ownerName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerName)
+            - message: ownerType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ownerType)
           status:
             description: UserDefinedFunctionStatus defines the observed state of UserDefinedFunction.
             properties:
@@ -362,12 +385,42 @@ spec:
                   arn:
                     description: The ARN of the Glue User Defined Function.
                     type: string
+                  catalogId:
+                    description: ID of the Glue Catalog to create the function in.
+                      If omitted, this defaults to the AWS Account ID.
+                    type: string
+                  className:
+                    description: The Java class that contains the function code.
+                    type: string
                   createTime:
                     description: The time at which the function was created.
                     type: string
+                  databaseName:
+                    description: The name of the Database to create the Function.
+                    type: string
                   id:
                     description: The id of the Glue User Defined Function.
                     type: string
+                  ownerName:
+                    description: The owner of the function.
+                    type: string
+                  ownerType:
+                    description: The owner type. can be one of USER, ROLE, and GROUP.
+                    type: string
+                  resourceUris:
+                    description: The configuration block for Resource URIs. See resource
+                      uris below for more details.
+                    items:
+                      properties:
+                        resourceType:
+                          description: The type of the resource. can be one of JAR,
+                            FILE, and ARCHIVE.
+                          type: string
+                        uri:
+                          description: The URI for accessing the resource.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/glue.aws.upbound.io_workflows.yaml b/package/crds/glue.aws.upbound.io_workflows.yaml
index 4fbf4110ef..d1809f5f8e 100644
--- a/package/crds/glue.aws.upbound.io_workflows.yaml
+++ b/package/crds/glue.aws.upbound.io_workflows.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -91,6 +95,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,9 +289,29 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of Glue Workflow
                     type: string
+                  defaultRunProperties:
+                    additionalProperties:
+                      type: string
+                    description: –  A map of default run properties for this workflow.
+                      These properties are passed to all jobs associated to the workflow.
+                    type: object
+                  description:
+                    description: –  Description of the workflow.
+                    type: string
                   id:
                     description: Workflow name
                     type: string
+                  maxConcurrentRuns:
+                    description: Prevents exceeding the maximum number of concurrent
+                      runs of any of the component jobs. If you leave this parameter
+                      blank, there is no limit to the number of concurrent workflow
+                      runs.
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/grafana.aws.upbound.io_licenseassociations.yaml b/package/crds/grafana.aws.upbound.io_licenseassociations.yaml
index 25d73f1492..84ead23fd8 100644
--- a/package/crds/grafana.aws.upbound.io_licenseassociations.yaml
+++ b/package/crds/grafana.aws.upbound.io_licenseassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,9 +153,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - licenseType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,6 +341,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: licenseType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.licenseType)
           status:
             description: LicenseAssociationStatus defines the observed state of LicenseAssociation.
             properties:
@@ -338,6 +359,13 @@ spec:
                     description: If license_type is set to ENTERPRISE, this is the
                       expiration date of the enterprise license.
                     type: string
+                  licenseType:
+                    description: The type of license for the workspace license association.
+                      Valid values are ENTERPRISE and ENTERPRISE_FREE_TRIAL.
+                    type: string
+                  workspaceId:
+                    description: The workspace id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/grafana.aws.upbound.io_roleassociations.yaml b/package/crds/grafana.aws.upbound.io_roleassociations.yaml
index e424659c8a..2ac6c2c694 100644
--- a/package/crds/grafana.aws.upbound.io_roleassociations.yaml
+++ b/package/crds/grafana.aws.upbound.io_roleassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,8 +165,22 @@ spec:
                     type: object
                 required:
                 - region
-                - role
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,13 +352,34 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: role is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.role)
           status:
             description: RoleAssociationStatus defines the observed state of RoleAssociation.
             properties:
               atProvider:
                 properties:
+                  groupIds:
+                    description: The AWS SSO group ids to be assigned the role given
+                      in role.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  role:
+                    description: The grafana role. Valid values can be found here.
+                    type: string
+                  userIds:
+                    description: The AWS SSO user ids to be assigned the role given
+                      in role.
+                    items:
+                      type: string
+                    type: array
+                  workspaceId:
+                    description: The workspace id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/grafana.aws.upbound.io_workspaceapikeys.yaml b/package/crds/grafana.aws.upbound.io_workspaceapikeys.yaml
index d6b5dcf46f..b82ee17582 100644
--- a/package/crds/grafana.aws.upbound.io_workspaceapikeys.yaml
+++ b/package/crds/grafana.aws.upbound.io_workspaceapikeys.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,11 +163,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - keyName
-                - keyRole
                 - region
-                - secondsToLive
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -335,6 +351,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: keyName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyName)
+            - message: keyRole is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.keyRole)
+            - message: secondsToLive is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.secondsToLive)
           status:
             description: WorkspaceAPIKeyStatus defines the observed state of WorkspaceAPIKey.
             properties:
@@ -346,6 +369,22 @@ spec:
                     description: The key token in JSON format. Use this value as a
                       bearer token to authenticate HTTP requests to the workspace.
                     type: string
+                  keyName:
+                    description: Specifies the name of the API key. Key names must
+                      be unique to the workspace.
+                    type: string
+                  keyRole:
+                    description: Specifies the permission level of the API key. Valid
+                      values are VIEWER, EDITOR, or ADMIN.
+                    type: string
+                  secondsToLive:
+                    description: Specifies the time in seconds until the API key expires.
+                      Keys can be valid for up to 30 days.
+                    type: number
+                  workspaceId:
+                    description: The ID of the workspace that the API key is valid
+                      for.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/grafana.aws.upbound.io_workspaces.yaml b/package/crds/grafana.aws.upbound.io_workspaces.yaml
index 63cda733ef..7da3b81649 100644
--- a/package/crds/grafana.aws.upbound.io_workspaces.yaml
+++ b/package/crds/grafana.aws.upbound.io_workspaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -231,11 +235,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - accountAccessType
-                - authenticationProviders
-                - permissionType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -407,14 +423,47 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accountAccessType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountAccessType)
+            - message: authenticationProviders is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authenticationProviders)
+            - message: permissionType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissionType)
           status:
             description: WorkspaceStatus defines the observed state of Workspace.
             properties:
               atProvider:
                 properties:
+                  accountAccessType:
+                    description: The type of account access for the workspace. Valid
+                      values are CURRENT_ACCOUNT and ORGANIZATION. If ORGANIZATION
+                      is specified, then organizational_units must also be present.
+                    type: string
                   arn:
                     description: The Amazon Resource Name (ARN) of the Grafana workspace.
                     type: string
+                  authenticationProviders:
+                    description: The authentication providers for the workspace. Valid
+                      values are AWS_SSO, SAML, or both.
+                    items:
+                      type: string
+                    type: array
+                  configuration:
+                    description: The configuration string for the workspace that you
+                      create. For more information about the format and configuration
+                      options available, see Working in your Grafana workspace.
+                    type: string
+                  dataSources:
+                    description: The data sources for the workspace. Valid values
+                      are AMAZON_OPENSEARCH_SERVICE, ATHENA, CLOUDWATCH, PROMETHEUS,
+                      REDSHIFT, SITEWISE, TIMESTREAM, XRAY
+                    items:
+                      type: string
+                    type: array
+                  description:
+                    description: The workspace description.
+                    type: string
                   endpoint:
                     description: The endpoint of the Grafana workspace.
                     type: string
@@ -423,14 +472,74 @@ spec:
                     type: string
                   id:
                     type: string
+                  name:
+                    description: The Grafana workspace name.
+                    type: string
+                  notificationDestinations:
+                    description: The notification destinations. If a data source is
+                      specified here, Amazon Managed Grafana will create IAM roles
+                      and permissions needed to use these destinations. Must be set
+                      to SNS.
+                    items:
+                      type: string
+                    type: array
+                  organizationRoleName:
+                    description: The role name that the workspace uses to access resources
+                      through Amazon Organizations.
+                    type: string
+                  organizationalUnits:
+                    description: The Amazon Organizations organizational units that
+                      the workspace is authorized to use data sources from.
+                    items:
+                      type: string
+                    type: array
+                  permissionType:
+                    description: The permission type of the workspace. If SERVICE_MANAGED
+                      is specified, the IAM roles and IAM policy attachments are generated
+                      automatically. If CUSTOMER_MANAGED is specified, the IAM roles
+                      and IAM policy attachments will not be created.
+                    type: string
+                  roleArn:
+                    description: The IAM role ARN that the workspace assumes.
+                    type: string
                   samlConfigurationStatus:
                     type: string
+                  stackSetName:
+                    description: The AWS CloudFormation stack set name that provisions
+                      IAM roles to be used by the workspace.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  vpcConfiguration:
+                    description: The configuration settings for an Amazon VPC that
+                      contains data sources for your Grafana workspace to connect
+                      to. See VPC Configuration below.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          description: '- The list of Amazon EC2 security group IDs
+                            attached to the Amazon VPC for your Grafana workspace
+                            to connect.'
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: '- The list of Amazon EC2 subnet IDs created
+                            in the Amazon VPC for your Grafana workspace to connect.'
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/grafana.aws.upbound.io_workspacesamlconfigurations.yaml b/package/crds/grafana.aws.upbound.io_workspacesamlconfigurations.yaml
index b242a41209..0c5f7ddc41 100644
--- a/package/crds/grafana.aws.upbound.io_workspacesamlconfigurations.yaml
+++ b/package/crds/grafana.aws.upbound.io_workspacesamlconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -190,9 +194,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - editorRoleValues
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -364,17 +382,67 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: editorRoleValues is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.editorRoleValues)
           status:
             description: WorkspaceSAMLConfigurationStatus defines the observed state
               of WorkspaceSAMLConfiguration.
             properties:
               atProvider:
                 properties:
+                  adminRoleValues:
+                    description: The admin role values.
+                    items:
+                      type: string
+                    type: array
+                  allowedOrganizations:
+                    description: The allowed organizations.
+                    items:
+                      type: string
+                    type: array
+                  editorRoleValues:
+                    description: The editor role values.
+                    items:
+                      type: string
+                    type: array
+                  emailAssertion:
+                    description: The email assertion.
+                    type: string
+                  groupsAssertion:
+                    description: The groups assertion.
+                    type: string
                   id:
                     type: string
+                  idpMetadataUrl:
+                    description: The IDP Metadata URL. Note that either idp_metadata_url
+                      or idp_metadata_xml (but not both) must be specified.
+                    type: string
+                  idpMetadataXml:
+                    description: The IDP Metadata XML. Note that either idp_metadata_url
+                      or idp_metadata_xml (but not both) must be specified.
+                    type: string
+                  loginAssertion:
+                    description: The login assertion.
+                    type: string
+                  loginValidityDuration:
+                    description: The login validity duration.
+                    type: number
+                  nameAssertion:
+                    description: The name assertion.
+                    type: string
+                  orgAssertion:
+                    description: The org assertion.
+                    type: string
+                  roleAssertion:
+                    description: The role assertion.
+                    type: string
                   status:
                     description: The status of the SAML configuration.
                     type: string
+                  workspaceId:
+                    description: The workspace id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/guardduty.aws.upbound.io_detectors.yaml b/package/crds/guardduty.aws.upbound.io_detectors.yaml
index 7712c4217c..72d8ebd125 100644
--- a/package/crds/guardduty.aws.upbound.io_detectors.yaml
+++ b/package/crds/guardduty.aws.upbound.io_detectors.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -170,6 +174,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -352,9 +371,96 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the GuardDuty detector
                     type: string
+                  datasources:
+                    description: Describes which data sources will be enabled for
+                      the detector. See Data Sources below for more details.
+                    items:
+                      properties:
+                        kubernetes:
+                          description: Configures Kubernetes protection. See Kubernetes
+                            and Kubernetes Audit Logs below for more details.
+                          items:
+                            properties:
+                              auditLogs:
+                                description: Configures Kubernetes audit logs as a
+                                  data source for Kubernetes protection. See Kubernetes
+                                  Audit Logs below for more details.
+                                items:
+                                  properties:
+                                    enable:
+                                      description: If true, enables Malware Protection
+                                        as data source for the detector. Defaults
+                                        to true.
+                                      type: boolean
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        malwareProtection:
+                          description: Configures Malware Protection. See Malware
+                            Protection, Scan EC2 instance with findings and EBS volumes
+                            below for more details.
+                          items:
+                            properties:
+                              scanEc2InstanceWithFindings:
+                                description: Configure whether Malware Protection
+                                  is enabled as data source for EC2 instances with
+                                  findings for the detector. See Scan EC2 instance
+                                  with findings below for more details.
+                                items:
+                                  properties:
+                                    ebsVolumes:
+                                      description: Configure whether scanning EBS
+                                        volumes is enabled as data source for the
+                                        detector for instances with findings. See
+                                        EBS volumes below for more details.
+                                      items:
+                                        properties:
+                                          enable:
+                                            description: If true, enables Malware
+                                              Protection as data source for the detector.
+                                              Defaults to true.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        s3Logs:
+                          description: Configures S3 protection. See S3 Logs below
+                            for more details.
+                          items:
+                            properties:
+                              enable:
+                                description: If true, enables S3 protection. Defaults
+                                  to true.
+                                type: boolean
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  enable:
+                    description: Enable monitoring and feedback reporting. Setting
+                      to false is equivalent to "suspending" GuardDuty. Defaults to
+                      true.
+                    type: boolean
+                  findingPublishingFrequency:
+                    description: 'Specifies the frequency of notifications sent for
+                      subsequent finding occurrences. If the detector is a GuardDuty
+                      member account, the value is determined by the GuardDuty primary
+                      account and cannot be modified, otherwise defaults to SIX_HOURS.
+                      Valid values for standalone and primary accounts: FIFTEEN_MINUTES,
+                      ONE_HOUR, SIX_HOURS. See AWS Documentation for more information.'
+                    type: string
                   id:
                     description: The ID of the GuardDuty detector
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/guardduty.aws.upbound.io_filters.yaml b/package/crds/guardduty.aws.upbound.io_filters.yaml
index 4c49904496..7153693708 100644
--- a/package/crds/guardduty.aws.upbound.io_filters.yaml
+++ b/package/crds/guardduty.aws.upbound.io_filters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -212,11 +216,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - action
-                - findingCriteria
-                - rank
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -388,18 +404,89 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: action is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)
+            - message: findingCriteria is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.findingCriteria)
+            - message: rank is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rank)
           status:
             description: FilterStatus defines the observed state of Filter.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: Specifies the action that is to be applied to the
+                      findings that match the filter. Can be one of ARCHIVE or NOOP.
+                    type: string
                   arn:
                     description: The ARN of the GuardDuty filter.
                     type: string
+                  description:
+                    description: Description of the filter.
+                    type: string
+                  detectorId:
+                    description: ID of a GuardDuty detector, attached to your account.
+                    type: string
+                  findingCriteria:
+                    description: Represents the criteria to be used in the filter
+                      for querying findings. Contains one or more criterion blocks,
+                      documented below.
+                    items:
+                      properties:
+                        criterion:
+                          items:
+                            properties:
+                              equals:
+                                description: List of string values to be evaluated.
+                                items:
+                                  type: string
+                                type: array
+                              field:
+                                description: The name of the field to be evaluated.
+                                  The full list of field names can be found in AWS
+                                  documentation.
+                                type: string
+                              greaterThan:
+                                description: A value to be evaluated. Accepts either
+                                  an integer or a date in RFC 3339 format.
+                                type: string
+                              greaterThanOrEqual:
+                                description: A value to be evaluated. Accepts either
+                                  an integer or a date in RFC 3339 format.
+                                type: string
+                              lessThan:
+                                description: A value to be evaluated. Accepts either
+                                  an integer or a date in RFC 3339 format.
+                                type: string
+                              lessThanOrEqual:
+                                description: A value to be evaluated. Accepts either
+                                  an integer or a date in RFC 3339 format.
+                                type: string
+                              notEquals:
+                                description: List of string values to be evaluated.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: A compound field, consisting of the ID of the GuardDuty
                       detector and the name of the filter.
                     type: string
+                  rank:
+                    description: Specifies the position of the filter in the list
+                      of current filters. Also specifies the order in which this filter
+                      is applied to the findings.
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/guardduty.aws.upbound.io_members.yaml b/package/crds/guardduty.aws.upbound.io_members.yaml
index e3ff55895f..f469792801 100644
--- a/package/crds/guardduty.aws.upbound.io_members.yaml
+++ b/package/crds/guardduty.aws.upbound.io_members.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -240,9 +244,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - email
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -414,14 +432,38 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: email is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)
           status:
             description: MemberStatus defines the observed state of Member.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: AWS account ID for member account.
+                    type: string
+                  detectorId:
+                    description: The detector ID of the GuardDuty account where you
+                      want to create member accounts.
+                    type: string
+                  disableEmailNotification:
+                    description: Boolean whether an email notification is sent to
+                      the accounts. Defaults to false.
+                    type: boolean
+                  email:
+                    description: Email address for member account.
+                    type: string
                   id:
                     description: The ID of the GuardDuty member
                     type: string
+                  invitationMessage:
+                    description: Message for invitation.
+                    type: string
+                  invite:
+                    description: Boolean whether to invite the account to GuardDuty
+                      as a member. Defaults to false.
+                    type: boolean
                   relationshipStatus:
                     description: The status of the relationship between the member
                       account and its primary account. More information can be found
diff --git a/package/crds/iam.aws.upbound.io_accesskeys.yaml b/package/crds/iam.aws.upbound.io_accesskeys.yaml
index 04f1ef6995..6b417add92 100644
--- a/package/crds/iam.aws.upbound.io_accesskeys.yaml
+++ b/package/crds/iam.aws.upbound.io_accesskeys.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -154,6 +158,21 @@ spec:
                         type: object
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -350,6 +369,21 @@ spec:
                     description: Fingerprint of the PGP key used to encrypt the secret.
                       This attribute is not available for imported resources.
                     type: string
+                  pgpKey:
+                    description: Either a base-64 encoded PGP public key, or a keybase
+                      username in the form keybase:some_person_that_exists, for use
+                      in the encrypted_secret output attribute. If providing a base-64
+                      encoded PGP public key, make sure to provide the "raw" version
+                      and not the "armored" one (e.g. avoid passing the -a option
+                      to gpg --export).
+                    type: string
+                  status:
+                    description: Access key status to apply. Defaults to Active. Valid
+                      values are Active and Inactive.
+                    type: string
+                  user:
+                    description: IAM user to associate with this access key.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_accountaliases.yaml b/package/crds/iam.aws.upbound.io_accountaliases.yaml
index 7854eaa52a..383c223992 100644
--- a/package/crds/iam.aws.upbound.io_accountaliases.yaml
+++ b/package/crds/iam.aws.upbound.io_accountaliases.yaml
@@ -55,15 +55,34 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
                 type: string
               forProvider:
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
diff --git a/package/crds/iam.aws.upbound.io_accountpasswordpolicies.yaml b/package/crds/iam.aws.upbound.io_accountpasswordpolicies.yaml
index 64f34aff20..3294ad95c2 100644
--- a/package/crds/iam.aws.upbound.io_accountpasswordpolicies.yaml
+++ b/package/crds/iam.aws.upbound.io_accountpasswordpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -97,6 +101,21 @@ spec:
                       passwords.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -274,13 +293,45 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allowUsersToChangePassword:
+                    description: Whether to allow users to change their own password
+                    type: boolean
                   expirePasswords:
                     description: Indicates whether passwords in the account expire.
                       Returns true if max_password_age contains a value greater than
                       0. Returns false if it is 0 or not present.
                     type: boolean
+                  hardExpiry:
+                    description: Whether users are prevented from setting a new password
+                      after their password has expired (i.e., require administrator
+                      reset)
+                    type: boolean
                   id:
                     type: string
+                  maxPasswordAge:
+                    description: The number of days that an user password is valid.
+                    type: number
+                  minimumPasswordLength:
+                    description: Minimum length to require for user passwords.
+                    type: number
+                  passwordReusePrevention:
+                    description: The number of previous passwords that users are prevented
+                      from reusing.
+                    type: number
+                  requireLowercaseCharacters:
+                    description: Whether to require lowercase characters for user
+                      passwords.
+                    type: boolean
+                  requireNumbers:
+                    description: Whether to require numbers for user passwords.
+                    type: boolean
+                  requireSymbols:
+                    description: Whether to require symbols for user passwords.
+                    type: boolean
+                  requireUppercaseCharacters:
+                    description: Whether to require uppercase characters for user
+                      passwords.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_groupmemberships.yaml b/package/crds/iam.aws.upbound.io_groupmemberships.yaml
index f28b83ef68..e24ce59b16 100644
--- a/package/crds/iam.aws.upbound.io_groupmemberships.yaml
+++ b/package/crds/iam.aws.upbound.io_groupmemberships.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -225,9 +229,22 @@ spec:
                     items:
                       type: string
                     type: array
-                required:
-                - name
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -399,13 +416,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: GroupMembershipStatus defines the observed state of GroupMembership.
             properties:
               atProvider:
                 properties:
+                  group:
+                    description: –  The IAM Group name to attach the list of users
+                      to
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: The name to identify the Group Membership
+                    type: string
+                  users:
+                    description: A list of IAM User names to associate with the Group
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_grouppolicyattachments.yaml b/package/crds/iam.aws.upbound.io_grouppolicyattachments.yaml
index 68071aa3ad..138ab08b06 100644
--- a/package/crds/iam.aws.upbound.io_grouppolicyattachments.yaml
+++ b/package/crds/iam.aws.upbound.io_grouppolicyattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -217,6 +221,21 @@ spec:
                         type: object
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -394,8 +413,14 @@ spec:
             properties:
               atProvider:
                 properties:
+                  group:
+                    description: The group the policy should be applied to
+                    type: string
                   id:
                     type: string
+                  policyArn:
+                    description: The ARN of the policy you want to apply
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_groups.yaml b/package/crds/iam.aws.upbound.io_groups.yaml
index d85a6fcb7a..ca34d948e8 100644
--- a/package/crds/iam.aws.upbound.io_groups.yaml
+++ b/package/crds/iam.aws.upbound.io_groups.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -67,6 +71,21 @@ spec:
                     description: Path in which to create the group.
                     type: string
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -249,6 +268,9 @@ spec:
                   id:
                     description: The group's ID.
                     type: string
+                  path:
+                    description: Path in which to create the group.
+                    type: string
                   uniqueId:
                     description: The unique ID assigned by AWS.
                     type: string
diff --git a/package/crds/iam.aws.upbound.io_instanceprofiles.yaml b/package/crds/iam.aws.upbound.io_instanceprofiles.yaml
index f24903f6db..165fc1d887 100644
--- a/package/crds/iam.aws.upbound.io_instanceprofiles.yaml
+++ b/package/crds/iam.aws.upbound.io_instanceprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -155,6 +159,21 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,6 +359,23 @@ spec:
                   id:
                     description: Instance profile's ID.
                     type: string
+                  path:
+                    description: Path to the instance profile. For more information
+                      about paths, see IAM Identifiers in the IAM User Guide. Can
+                      be a string of characters consisting of either a forward slash
+                      (/) by itself or a string that must begin and end with forward
+                      slashes. Can include any ASCII character from the ! (\u0021)
+                      through the DEL character (\u007F), including most punctuation
+                      characters, digits, and upper and lowercase letters.
+                    type: string
+                  role:
+                    description: Name of the role to add to the profile.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iam.aws.upbound.io_openidconnectproviders.yaml b/package/crds/iam.aws.upbound.io_openidconnectproviders.yaml
index 8bac23efcc..9ac558ac8d 100644
--- a/package/crds/iam.aws.upbound.io_openidconnectproviders.yaml
+++ b/package/crds/iam.aws.upbound.io_openidconnectproviders.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -88,11 +92,22 @@ spec:
                     description: The URL of the identity provider. Corresponds to
                       the iss claim.
                     type: string
-                required:
-                - clientIdList
-                - thumbprintList
-                - url
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -264,6 +279,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: clientIdList is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.clientIdList)
+            - message: thumbprintList is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.thumbprintList)
+            - message: url is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.url)
           status:
             description: OpenIDConnectProviderStatus defines the observed state of
               OpenIDConnectProvider.
@@ -273,8 +295,22 @@ spec:
                   arn:
                     description: The ARN assigned by AWS for this provider.
                     type: string
+                  clientIdList:
+                    description: A list of client IDs (also known as audiences). When
+                      a mobile or web app registers with an OpenID Connect provider,
+                      they establish a value that identifies the application. (This
+                      is the value that's sent as the client_id parameter on OAuth
+                      requests.)
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -282,6 +318,16 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  thumbprintList:
+                    description: A list of server certificate thumbprints for the
+                      OpenID Connect (OIDC) identity provider's server certificate(s).
+                    items:
+                      type: string
+                    type: array
+                  url:
+                    description: The URL of the identity provider. Corresponds to
+                      the iss claim.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_policies.yaml b/package/crds/iam.aws.upbound.io_policies.yaml
index 27d161c5e2..1d824a5e52 100644
--- a/package/crds/iam.aws.upbound.io_policies.yaml
+++ b/package/crds/iam.aws.upbound.io_policies.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,9 +82,22 @@ spec:
                       type: string
                     description: Key-value map of resource tags.
                     type: object
-                required:
-                - policy
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,6 +269,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: PolicyStatus defines the observed state of Policy.
             properties:
@@ -260,12 +280,27 @@ spec:
                   arn:
                     description: The ARN assigned by AWS to this policy.
                     type: string
+                  description:
+                    description: Description of the IAM policy.
+                    type: string
                   id:
                     description: The ARN assigned by AWS to this policy.
                     type: string
+                  path:
+                    description: Path in which to create the policy. See IAM Identifiers
+                      for more information.
+                    type: string
+                  policy:
+                    description: The policy document. This is a JSON formatted string
+                    type: string
                   policyId:
                     description: The policy's ID.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iam.aws.upbound.io_rolepolicyattachments.yaml b/package/crds/iam.aws.upbound.io_rolepolicyattachments.yaml
index 487d26f0e8..ed9418d223 100644
--- a/package/crds/iam.aws.upbound.io_rolepolicyattachments.yaml
+++ b/package/crds/iam.aws.upbound.io_rolepolicyattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -218,6 +222,21 @@ spec:
                         type: object
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -397,6 +416,13 @@ spec:
                 properties:
                   id:
                     type: string
+                  policyArn:
+                    description: The ARN of the policy you want to apply
+                    type: string
+                  role:
+                    description: The name of the IAM role to which the policy should
+                      be applied
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_roles.yaml b/package/crds/iam.aws.upbound.io_roles.yaml
index 0857d6a214..c77bd9eeb0 100644
--- a/package/crds/iam.aws.upbound.io_roles.yaml
+++ b/package/crds/iam.aws.upbound.io_roles.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -92,9 +96,22 @@ spec:
                       type: string
                     description: Key-value map of resource tags.
                     type: object
-                required:
-                - assumeRolePolicy
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -266,6 +283,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: assumeRolePolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.assumeRolePolicy)
           status:
             description: RoleStatus defines the observed state of Role.
             properties:
@@ -274,9 +294,20 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) specifying the role.
                     type: string
+                  assumeRolePolicy:
+                    description: Policy that grants an entity permission to assume
+                      the role.
+                    type: string
                   createDate:
                     description: Creation date of the IAM role.
                     type: string
+                  description:
+                    description: Description of the role.
+                    type: string
+                  forceDetachPolicies:
+                    description: Whether to force detaching any policies the role
+                      has before destroying it. Defaults to false.
+                    type: boolean
                   id:
                     description: Name of the role.
                     type: string
@@ -301,6 +332,24 @@ spec:
                     items:
                       type: string
                     type: array
+                  maxSessionDuration:
+                    description: Maximum session duration (in seconds) that you want
+                      to set for the specified role. If you do not specify a value
+                      for this setting, the default maximum of one hour is applied.
+                      This setting can have a value from 1 hour to 12 hours.
+                    type: number
+                  path:
+                    description: Path to the role. See IAM Identifiers for more information.
+                    type: string
+                  permissionsBoundary:
+                    description: ARN of the policy that is used to set the permissions
+                      boundary for the role.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iam.aws.upbound.io_samlproviders.yaml b/package/crds/iam.aws.upbound.io_samlproviders.yaml
index b8267c28b2..446a981e19 100644
--- a/package/crds/iam.aws.upbound.io_samlproviders.yaml
+++ b/package/crds/iam.aws.upbound.io_samlproviders.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -73,9 +77,22 @@ spec:
                       type: string
                     description: Key-value map of resource tags.
                     type: object
-                required:
-                - samlMetadataDocument
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -247,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: samlMetadataDocument is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.samlMetadataDocument)
           status:
             description: SAMLProviderStatus defines the observed state of SAMLProvider.
             properties:
@@ -257,6 +277,15 @@ spec:
                     type: string
                   id:
                     type: string
+                  samlMetadataDocument:
+                    description: An XML document generated by an identity provider
+                      that supports SAML 2.0.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iam.aws.upbound.io_servercertificates.yaml b/package/crds/iam.aws.upbound.io_servercertificates.yaml
index b89358a433..a1d93df385 100644
--- a/package/crds/iam.aws.upbound.io_servercertificates.yaml
+++ b/package/crds/iam.aws.upbound.io_servercertificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -98,10 +102,22 @@ spec:
                       type: string
                     description: Key-value map of resource tags.
                     type: object
-                required:
-                - certificateBody
-                - privateKeySecretRef
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -273,6 +289,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: certificateBody is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateBody)
+            - message: privateKeySecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.privateKeySecretRef)
           status:
             description: ServerCertificateStatus defines the observed state of ServerCertificate.
             properties:
@@ -282,6 +303,12 @@ spec:
                     description: The Amazon Resource Name (ARN) specifying the server
                       certificate.
                     type: string
+                  certificateBody:
+                    description: encoded format.
+                    type: string
+                  certificateChain:
+                    description: encoded public key certificates of the chain.
+                    type: string
                   expiration:
                     description: Date and time in RFC3339 format on which the certificate
                       is set to expire.
@@ -289,6 +316,17 @@ spec:
                   id:
                     description: The unique Server Certificate name
                     type: string
+                  path:
+                    description: The IAM path for the server certificate.  If it is
+                      not included, it defaults to a slash (/). If this certificate
+                      is for use with AWS CloudFront, the path must be in format /cloudfront/your_path_here.
+                      See IAM Identifiers for more details on IAM Paths.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iam.aws.upbound.io_servicelinkedroles.yaml b/package/crds/iam.aws.upbound.io_servicelinkedroles.yaml
index f010bd79f7..b7ed8ef50c 100644
--- a/package/crds/iam.aws.upbound.io_servicelinkedroles.yaml
+++ b/package/crds/iam.aws.upbound.io_servicelinkedroles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,9 +87,22 @@ spec:
                       type: string
                     description: Key-value map of resource tags.
                     type: object
-                required:
-                - awsServiceName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -257,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: awsServiceName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.awsServiceName)
           status:
             description: ServiceLinkedRoleStatus defines the observed state of ServiceLinkedRole.
             properties:
@@ -265,9 +285,23 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) specifying the role.
                     type: string
+                  awsServiceName:
+                    description: 'The AWS service to which this role is attached.
+                      You use a string similar to a URL but without the http:// in
+                      front. For example: elasticbeanstalk.amazonaws.com. To find
+                      the full list of services that support service-linked roles,
+                      check the docs.'
+                    type: string
                   createDate:
                     description: The creation date of the IAM role.
                     type: string
+                  customSuffix:
+                    description: Additional string appended to the role name. Not
+                      all AWS services support custom suffixes.
+                    type: string
+                  description:
+                    description: The description of the role.
+                    type: string
                   id:
                     description: The Amazon Resource Name (ARN) of the role.
                     type: string
@@ -277,6 +311,11 @@ spec:
                   path:
                     description: The path of the role.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iam.aws.upbound.io_servicespecificcredentials.yaml b/package/crds/iam.aws.upbound.io_servicespecificcredentials.yaml
index a05c5a3448..4f8bd742c9 100644
--- a/package/crds/iam.aws.upbound.io_servicespecificcredentials.yaml
+++ b/package/crds/iam.aws.upbound.io_servicespecificcredentials.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -154,9 +158,22 @@ spec:
                             type: string
                         type: object
                     type: object
-                required:
-                - serviceName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -328,6 +345,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: serviceName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceName)
           status:
             description: ServiceSpecificCredentialStatus defines the observed state
               of ServiceSpecificCredential.
@@ -338,6 +358,11 @@ spec:
                     description: 'The combination of service_name and user_name as
                       such: service_name:user_name:service_specific_credential_id.'
                     type: string
+                  serviceName:
+                    description: The name of the AWS service that is to be associated
+                      with the credentials. The service you specify here is the only
+                      service that can be accessed using these credentials.
+                    type: string
                   serviceSpecificCredentialId:
                     description: The unique identifier for the service-specific credential.
                     type: string
@@ -347,6 +372,17 @@ spec:
                       name combined with the ID number of the AWS account, as in jane-at-123456789012,
                       for example.
                     type: string
+                  status:
+                    description: The status to be assigned to the service-specific
+                      credential. Valid values are Active and Inactive. Default value
+                      is Active.
+                    type: string
+                  userName:
+                    description: The name of the IAM user that is to be associated
+                      with the credentials. The new service-specific credentials have
+                      the same permissions as the associated user except that they
+                      can be used only to access the specified service.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_signingcertificates.yaml b/package/crds/iam.aws.upbound.io_signingcertificates.yaml
index 53598f2f79..5b2e9262eb 100644
--- a/package/crds/iam.aws.upbound.io_signingcertificates.yaml
+++ b/package/crds/iam.aws.upbound.io_signingcertificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -77,10 +81,22 @@ spec:
                     description: –  The name of the user the signing certificate is
                       for.
                     type: string
-                required:
-                - certificateBody
-                - userName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,17 +268,35 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: certificateBody is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.certificateBody)
+            - message: userName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userName)
           status:
             description: SigningCertificateStatus defines the observed state of SigningCertificate.
             properties:
               atProvider:
                 properties:
+                  certificateBody:
+                    description: encoded format.
+                    type: string
                   certificateId:
                     description: The ID for the signing certificate.
                     type: string
                   id:
                     description: The certificate_id:user_name
                     type: string
+                  status:
+                    description: –   The status you want to assign to the certificate.
+                      Active means that the certificate can be used for programmatic
+                      calls to Amazon Web Services Inactive means that the certificate
+                      cannot be used.
+                    type: string
+                  userName:
+                    description: –  The name of the user the signing certificate is
+                      for.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_usergroupmemberships.yaml b/package/crds/iam.aws.upbound.io_usergroupmemberships.yaml
index aca4809817..af93657cc9 100644
--- a/package/crds/iam.aws.upbound.io_usergroupmemberships.yaml
+++ b/package/crds/iam.aws.upbound.io_usergroupmemberships.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -223,6 +227,21 @@ spec:
                         type: object
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -399,8 +418,16 @@ spec:
             properties:
               atProvider:
                 properties:
+                  groups:
+                    description: A list of IAM Groups to add the user to
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  user:
+                    description: The name of the IAM User to add to groups
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_userloginprofiles.yaml b/package/crds/iam.aws.upbound.io_userloginprofiles.yaml
index 102d9e6657..1e972c16aa 100644
--- a/package/crds/iam.aws.upbound.io_userloginprofiles.yaml
+++ b/package/crds/iam.aws.upbound.io_userloginprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -155,6 +159,21 @@ spec:
                         type: object
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -344,6 +363,23 @@ spec:
                     description: The plain text password, only available when pgp_key
                       is not provided.
                     type: string
+                  passwordLength:
+                    description: The length of the generated password on resource
+                      creation. Only applies on resource creation. Drift detection
+                      is not possible with this argument. Default value is 20.
+                    type: number
+                  passwordResetRequired:
+                    description: Whether the user should be forced to reset the generated
+                      password on resource creation. Only applies on resource creation.
+                    type: boolean
+                  pgpKey:
+                    description: Either a base-64 encoded PGP public key, or a keybase
+                      username in the form keybase:username. Only applies on resource
+                      creation. Drift detection is not possible with this argument.
+                    type: string
+                  user:
+                    description: The IAM user's name.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_userpolicyattachments.yaml b/package/crds/iam.aws.upbound.io_userpolicyattachments.yaml
index 1c6f32b548..76a1841b6d 100644
--- a/package/crds/iam.aws.upbound.io_userpolicyattachments.yaml
+++ b/package/crds/iam.aws.upbound.io_userpolicyattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -217,6 +221,21 @@ spec:
                         type: object
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -396,6 +415,12 @@ spec:
                 properties:
                   id:
                     type: string
+                  policyArn:
+                    description: The ARN of the policy you want to apply
+                    type: string
+                  user:
+                    description: The user the policy should be applied to
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_users.yaml b/package/crds/iam.aws.upbound.io_users.yaml
index 72df0edf1e..2745c24173 100644
--- a/package/crds/iam.aws.upbound.io_users.yaml
+++ b/package/crds/iam.aws.upbound.io_users.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -85,6 +89,21 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -264,8 +283,29 @@ spec:
                   arn:
                     description: The ARN assigned by AWS for this user.
                     type: string
+                  forceDestroy:
+                    description: when destroying this user, destroy even if it has
+                      non-Upbound official provider-managed iam access keys, login
+                      profile or mfa devices. without force_destroy a user with non-Upbound
+                      official provider-managed access keys and login profile will
+                      fail to be destroyed. delete user even if it has non-Upbound
+                      official provider-managed iam access keys, login profile or
+                      mfa devices
+                    type: boolean
                   id:
                     type: string
+                  path:
+                    description: Path in which to create the user.
+                    type: string
+                  permissionsBoundary:
+                    description: The ARN of the policy that is used to set the permissions
+                      boundary for the user.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iam.aws.upbound.io_usersshkeys.yaml b/package/crds/iam.aws.upbound.io_usersshkeys.yaml
index 0713cf127b..d143258196 100644
--- a/package/crds/iam.aws.upbound.io_usersshkeys.yaml
+++ b/package/crds/iam.aws.upbound.io_usersshkeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,10 +160,22 @@ spec:
                             type: string
                         type: object
                     type: object
-                required:
-                - encoding
-                - publicKey
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,19 +347,43 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: encoding is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encoding)
+            - message: publicKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.publicKey)
           status:
             description: UserSSHKeyStatus defines the observed state of UserSSHKey.
             properties:
               atProvider:
                 properties:
+                  encoding:
+                    description: Specifies the public key encoding format to use in
+                      the response. To retrieve the public key in ssh-rsa format,
+                      use SSH. To retrieve the public key in PEM format, use PEM.
+                    type: string
                   fingerprint:
                     description: The MD5 message digest of the SSH public key.
                     type: string
                   id:
                     type: string
+                  publicKey:
+                    description: The SSH public key. The public key must be encoded
+                      in ssh-rsa format or PEM format.
+                    type: string
                   sshPublicKeyId:
                     description: The unique identifier for the SSH public key.
                     type: string
+                  status:
+                    description: The status to assign to the SSH public key. Active
+                      means the key can be used for authentication with an AWS CodeCommit
+                      repository. Inactive means the key cannot be used. Default is
+                      active.
+                    type: string
+                  username:
+                    description: The name of the IAM user to associate the SSH public
+                      key with.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iam.aws.upbound.io_virtualmfadevices.yaml b/package/crds/iam.aws.upbound.io_virtualmfadevices.yaml
index 03e0cf076f..1ecffc9737 100644
--- a/package/crds/iam.aws.upbound.io_virtualmfadevices.yaml
+++ b/package/crds/iam.aws.upbound.io_virtualmfadevices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,9 +80,22 @@ spec:
                     description: The name of the virtual MFA device. Use with path
                       to uniquely identify a virtual MFA device.
                     type: string
-                required:
-                - virtualMfaDeviceName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -250,6 +267,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: virtualMfaDeviceName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.virtualMfaDeviceName)
           status:
             description: VirtualMfaDeviceStatus defines the observed state of VirtualMfaDevice.
             properties:
@@ -265,12 +285,20 @@ spec:
                     type: string
                   id:
                     type: string
+                  path:
+                    description: –  The path for the virtual MFA device.
+                    type: string
                   qrCodePng:
                     description: A QR code PNG image that encodes otpauth://totp/$virtualMFADeviceName@$AccountName?secret=$Base32String
                       where $virtualMFADeviceName is one of the create call arguments.
                       AccountName is the user name if set (otherwise, the account
                       ID otherwise), and Base32String is the seed in base32 format.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -278,6 +306,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  virtualMfaDeviceName:
+                    description: The name of the virtual MFA device. Use with path
+                      to uniquely identify a virtual MFA device.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/imagebuilder.aws.upbound.io_components.yaml b/package/crds/imagebuilder.aws.upbound.io_components.yaml
index e2a924c6e6..bbfbb0daf0 100644
--- a/package/crds/imagebuilder.aws.upbound.io_components.yaml
+++ b/package/crds/imagebuilder.aws.upbound.io_components.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -183,11 +187,23 @@ spec:
                     description: Version of the component.
                     type: string
                 required:
-                - name
-                - platform
                 - region
-                - version
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -359,6 +375,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: platform is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platform)
+            - message: version is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)
           status:
             description: ComponentStatus defines the observed state of Component.
             properties:
@@ -367,17 +390,51 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the component.
                     type: string
+                  changeDescription:
+                    description: Change description of the component.
+                    type: string
+                  data:
+                    description: Inline YAML string with data of the component. Exactly
+                      one of data and uri can be specified.
+                    type: string
                   dateCreated:
                     description: Date the component was created.
                     type: string
+                  description:
+                    description: Description of the component.
+                    type: string
                   encrypted:
                     description: Encryption status of the component.
                     type: boolean
                   id:
                     type: string
+                  kmsKeyId:
+                    description: Amazon Resource Name (ARN) of the Key Management
+                      Service (KMS) Key used to encrypt the component.
+                    type: string
+                  name:
+                    description: Name of the component.
+                    type: string
                   owner:
                     description: Owner of the component.
                     type: string
+                  platform:
+                    description: Platform of the component.
+                    type: string
+                  skipDestroy:
+                    description: Whether to retain the old version when the resource
+                      is destroyed or replacement is necessary. Defaults to false.
+                    type: boolean
+                  supportedOsVersions:
+                    description: Set of Operating Systems (OS) supported by the component.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -388,6 +445,13 @@ spec:
                   type:
                     description: Type of the component.
                     type: string
+                  uri:
+                    description: S3 URI with data of the component. Exactly one of
+                      data and uri can be specified.
+                    type: string
+                  version:
+                    description: Version of the component.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/imagebuilder.aws.upbound.io_containerrecipes.yaml b/package/crds/imagebuilder.aws.upbound.io_containerrecipes.yaml
index dd03d940b8..171d4ba70e 100644
--- a/package/crds/imagebuilder.aws.upbound.io_containerrecipes.yaml
+++ b/package/crds/imagebuilder.aws.upbound.io_containerrecipes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -452,14 +456,23 @@ spec:
                       test workflows.
                     type: string
                 required:
-                - component
-                - containerType
-                - name
-                - parentImage
                 - region
-                - targetRepository
-                - version
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -631,6 +644,19 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: component is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.component)
+            - message: containerType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.containerType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: parentImage is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parentImage)
+            - message: targetRepository is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetRepository)
+            - message: version is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)
           status:
             description: ContainerRecipeStatus defines the observed state of ContainerRecipe.
             properties:
@@ -639,21 +665,147 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the container recipe.
                     type: string
+                  component:
+                    description: Ordered configuration block(s) with components for
+                      the container recipe. Detailed below.
+                    items:
+                      properties:
+                        componentArn:
+                          description: Amazon Resource Name (ARN) of the Image Builder
+                            Component to associate.
+                          type: string
+                        parameter:
+                          description: Configuration block(s) for parameters to configure
+                            the component. Detailed below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the component parameter.
+                                type: string
+                              value:
+                                description: The value for the named component parameter.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  containerType:
+                    description: 'The type of the container to create. Valid values:
+                      DOCKER.'
+                    type: string
                   dateCreated:
                     description: Date the container recipe was created.
                     type: string
+                  description:
+                    description: The description of the container recipe.
+                    type: string
+                  dockerfileTemplateData:
+                    description: The Dockerfile template used to build the image as
+                      an inline data blob.
+                    type: string
+                  dockerfileTemplateUri:
+                    description: The Amazon S3 URI for the Dockerfile that will be
+                      used to build the container image.
+                    type: string
                   encrypted:
                     description: A flag that indicates if the target container is
                       encrypted.
                     type: boolean
                   id:
                     type: string
+                  instanceConfiguration:
+                    description: Configuration block used to configure an instance
+                      for building and testing container images. Detailed below.
+                    items:
+                      properties:
+                        blockDeviceMapping:
+                          description: Configuration block(s) with block device mappings
+                            for the container recipe. Detailed below.
+                          items:
+                            properties:
+                              deviceName:
+                                description: Name of the device. For example, /dev/sda
+                                  or /dev/xvdb.
+                                type: string
+                              ebs:
+                                description: Configuration block with Elastic Block
+                                  Storage (EBS) block device mapping settings. Detailed
+                                  below.
+                                items:
+                                  properties:
+                                    deleteOnTermination:
+                                      description: Whether to delete the volume on
+                                        termination. Defaults to unset, which is the
+                                        value inherited from the parent image.
+                                      type: string
+                                    encrypted:
+                                      description: Whether to encrypt the volume.
+                                        Defaults to unset, which is the value inherited
+                                        from the parent image.
+                                      type: string
+                                    iops:
+                                      description: Number of Input/Output (I/O) operations
+                                        per second to provision for an io1 or io2
+                                        volume.
+                                      type: number
+                                    kmsKeyId:
+                                      description: Amazon Resource Name (ARN) of the
+                                        Key Management Service (KMS) Key for encryption.
+                                      type: string
+                                    snapshotId:
+                                      description: Identifier of the EC2 Volume Snapshot.
+                                      type: string
+                                    throughput:
+                                      description: For GP3 volumes only. The throughput
+                                        in MiB/s that the volume supports.
+                                      type: number
+                                    volumeSize:
+                                      description: Size of the volume, in GiB.
+                                      type: number
+                                    volumeType:
+                                      description: Type of the volume. For example,
+                                        gp2 or io2.
+                                      type: string
+                                  type: object
+                                type: array
+                              noDevice:
+                                description: Set to true to remove a mapping from
+                                  the parent image.
+                                type: boolean
+                              virtualName:
+                                description: Virtual device name. For example, ephemeral0.
+                                  Instance store volumes are numbered starting from
+                                  0.
+                                type: string
+                            type: object
+                          type: array
+                        image:
+                          description: The AMI ID to use as the base image for a container
+                            build and test instance. If not specified, Image Builder
+                            will use the appropriate ECS-optimized AMI as a base image.
+                          type: string
+                      type: object
+                    type: array
+                  kmsKeyId:
+                    description: The KMS key used to encrypt the container image.
+                    type: string
+                  name:
+                    description: The name of the container recipe.
+                    type: string
                   owner:
                     description: Owner of the container recipe.
                     type: string
+                  parentImage:
+                    description: The base image for the container recipe.
+                    type: string
                   platform:
                     description: Platform of the container recipe.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -661,6 +813,29 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetRepository:
+                    description: The destination repository for the container image.
+                      Detailed below.
+                    items:
+                      properties:
+                        repositoryName:
+                          description: The name of the container repository where
+                            the output container image is stored. This name is prefixed
+                            by the repository location.
+                          type: string
+                        service:
+                          description: 'The service in which this image is registered.
+                            Valid values: ECR.'
+                          type: string
+                      type: object
+                    type: array
+                  version:
+                    description: Version of the container recipe.
+                    type: string
+                  workingDirectory:
+                    description: The working directory to be used during build and
+                      test workflows.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/imagebuilder.aws.upbound.io_distributionconfigurations.yaml b/package/crds/imagebuilder.aws.upbound.io_distributionconfigurations.yaml
index 5f15ca05b6..b6aea9dbad 100644
--- a/package/crds/imagebuilder.aws.upbound.io_distributionconfigurations.yaml
+++ b/package/crds/imagebuilder.aws.upbound.io_distributionconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -283,10 +287,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - distribution
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -458,6 +475,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: distribution is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.distribution)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: DistributionConfigurationStatus defines the observed state
               of DistributionConfiguration.
@@ -473,8 +495,209 @@ spec:
                   dateUpdated:
                     description: Date the distribution configuration was updated.
                     type: string
+                  description:
+                    description: Description of the distribution configuration.
+                    type: string
+                  distribution:
+                    description: One or more configuration blocks with distribution
+                      settings. Detailed below.
+                    items:
+                      properties:
+                        amiDistributionConfiguration:
+                          description: Configuration block with Amazon Machine Image
+                            (AMI) distribution settings. Detailed below.
+                          items:
+                            properties:
+                              amiTags:
+                                additionalProperties:
+                                  type: string
+                                description: Key-value map of tags to apply to the
+                                  distributed AMI.
+                                type: object
+                              description:
+                                description: Description to apply to the distributed
+                                  AMI.
+                                type: string
+                              kmsKeyId:
+                                description: Amazon Resource Name (ARN) of the Key
+                                  Management Service (KMS) Key to encrypt the distributed
+                                  AMI.
+                                type: string
+                              launchPermission:
+                                description: Configuration block of EC2 launch permissions
+                                  to apply to the distributed AMI. Detailed below.
+                                items:
+                                  properties:
+                                    organizationArns:
+                                      description: Set of AWS Organization ARNs to
+                                        assign.
+                                      items:
+                                        type: string
+                                      type: array
+                                    organizationalUnitArns:
+                                      description: Set of AWS Organizational Unit
+                                        ARNs to assign.
+                                      items:
+                                        type: string
+                                      type: array
+                                    userGroups:
+                                      description: Set of EC2 launch permission user
+                                        groups to assign. Use all to distribute a
+                                        public AMI.
+                                      items:
+                                        type: string
+                                      type: array
+                                    userIds:
+                                      description: Set of AWS Account identifiers
+                                        to assign.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              name:
+                                description: Name to apply to the distributed AMI.
+                                type: string
+                              targetAccountIds:
+                                description: Set of AWS Account identifiers to distribute
+                                  the AMI.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        containerDistributionConfiguration:
+                          description: Configuration block with container distribution
+                            settings. Detailed below.
+                          items:
+                            properties:
+                              containerTags:
+                                description: Set of tags that are attached to the
+                                  container distribution configuration.
+                                items:
+                                  type: string
+                                type: array
+                              description:
+                                description: Description of the container distribution
+                                  configuration.
+                                type: string
+                              targetRepository:
+                                description: Configuration block with the destination
+                                  repository for the container distribution configuration.
+                                items:
+                                  properties:
+                                    repositoryName:
+                                      description: The name of the container repository
+                                        where the output container image is stored.
+                                        This name is prefixed by the repository location.
+                                      type: string
+                                    service:
+                                      description: 'The service in which this image
+                                        is registered. Valid values: ECR.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        fastLaunchConfiguration:
+                          description: Set of Windows faster-launching configurations
+                            to use for AMI distribution. Detailed below.
+                          items:
+                            properties:
+                              accountId:
+                                description: The owner account ID for the fast-launch
+                                  enabled Windows AMI.
+                                type: string
+                              enabled:
+                                description: A Boolean that represents the current
+                                  state of faster launching for the Windows AMI. Set
+                                  to true to start using Windows faster launching,
+                                  or false to stop using it.
+                                type: boolean
+                              launchTemplate:
+                                description: Configuration block for the launch template
+                                  that the fast-launch enabled Windows AMI uses when
+                                  it launches Windows instances to create pre-provisioned
+                                  snapshots. Detailed below.
+                                items:
+                                  properties:
+                                    launchTemplateId:
+                                      description: The ID of the launch template to
+                                        use for faster launching for a Windows AMI.
+                                      type: string
+                                    launchTemplateName:
+                                      description: The name of the launch template
+                                        to use for faster launching for a Windows
+                                        AMI.
+                                      type: string
+                                    launchTemplateVersion:
+                                      description: The version of the launch template
+                                        to use for faster launching for a Windows
+                                        AMI.
+                                      type: string
+                                  type: object
+                                type: array
+                              maxParallelLaunches:
+                                description: The maximum number of parallel instances
+                                  that are launched for creating resources.
+                                type: number
+                              snapshotConfiguration:
+                                description: Configuration block for managing the
+                                  number of snapshots that are created from pre-provisioned
+                                  instances for the Windows AMI when faster launching
+                                  is enabled. Detailed below.
+                                items:
+                                  properties:
+                                    targetResourceCount:
+                                      description: The number of pre-provisioned snapshots
+                                        to keep on hand for a fast-launch enabled
+                                        Windows AMI.
+                                      type: number
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        launchTemplateConfiguration:
+                          description: Set of launch template configuration settings
+                            that apply to image distribution. Detailed below.
+                          items:
+                            properties:
+                              accountId:
+                                description: The account ID that this configuration
+                                  applies to.
+                                type: string
+                              default:
+                                description: Indicates whether to set the specified
+                                  Amazon EC2 launch template as the default launch
+                                  template. Defaults to true.
+                                type: boolean
+                              launchTemplateId:
+                                description: The ID of the Amazon EC2 launch template
+                                  to use.
+                                type: string
+                            type: object
+                          type: array
+                        licenseConfigurationArns:
+                          description: Set of Amazon Resource Names (ARNs) of License
+                            Manager License Configurations.
+                          items:
+                            type: string
+                          type: array
+                        region:
+                          description: AWS Region for the distribution.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: Name of the distribution configuration.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/imagebuilder.aws.upbound.io_imagepipelines.yaml b/package/crds/imagebuilder.aws.upbound.io_imagepipelines.yaml
index d1a4bbfa17..1bfcce9715 100644
--- a/package/crds/imagebuilder.aws.upbound.io_imagepipelines.yaml
+++ b/package/crds/imagebuilder.aws.upbound.io_imagepipelines.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -296,9 +300,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -470,6 +488,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ImagePipelineStatus defines the observed state of ImagePipeline.
             properties:
@@ -478,6 +499,9 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the image pipeline.
                     type: string
+                  containerRecipeArn:
+                    description: Amazon Resource Name (ARN) of the container recipe.
+                    type: string
                   dateCreated:
                     description: Date the image pipeline was created.
                     type: string
@@ -490,11 +514,83 @@ spec:
                   dateUpdated:
                     description: Date the image pipeline was updated.
                     type: string
+                  description:
+                    description: Description of the image pipeline.
+                    type: string
+                  distributionConfigurationArn:
+                    description: Amazon Resource Name (ARN) of the Image Builder Distribution
+                      Configuration.
+                    type: string
+                  enhancedImageMetadataEnabled:
+                    description: Whether additional information about the image being
+                      created is collected. Defaults to true.
+                    type: boolean
                   id:
                     type: string
+                  imageRecipeArn:
+                    description: Amazon Resource Name (ARN) of the image recipe.
+                    type: string
+                  imageTestsConfiguration:
+                    description: Configuration block with image tests configuration.
+                      Detailed below.
+                    items:
+                      properties:
+                        imageTestsEnabled:
+                          description: Whether image tests are enabled. Defaults to
+                            true.
+                          type: boolean
+                        timeoutMinutes:
+                          description: Number of minutes before image tests time out.
+                            Valid values are between 60 and 1440. Defaults to 720.
+                          type: number
+                      type: object
+                    type: array
+                  infrastructureConfigurationArn:
+                    description: Amazon Resource Name (ARN) of the Image Builder Infrastructure
+                      Configuration.
+                    type: string
+                  name:
+                    description: Name of the image pipeline.
+                    type: string
                   platform:
                     description: Platform of the image pipeline.
                     type: string
+                  schedule:
+                    description: Configuration block with schedule settings. Detailed
+                      below.
+                    items:
+                      properties:
+                        pipelineExecutionStartCondition:
+                          description: Condition when the pipeline should trigger
+                            a new image build. Valid values are EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE
+                            and EXPRESSION_MATCH_ONLY. Defaults to EXPRESSION_MATCH_AND_DEPENDENCY_UPDATES_AVAILABLE.
+                          type: string
+                        scheduleExpression:
+                          description: Cron expression of how often the pipeline start
+                            condition is evaluated. For example, cron(0 0 * * ? *)
+                            is evaluated every day at midnight UTC. Configurations
+                            using the five field syntax that was previously accepted
+                            by the API, such as cron(0 0 * * *), must be updated to
+                            the six field syntax. For more information, see the Image
+                            Builder User Guide.
+                          type: string
+                        timezone:
+                          description: The timezone that applies to the scheduling
+                            expression. For example, "Etc/UTC", "America/Los_Angeles"
+                            in the IANA timezone format. If not specified this defaults
+                            to UTC.
+                          type: string
+                      type: object
+                    type: array
+                  status:
+                    description: Status of the image pipeline. Valid values are DISABLED
+                      and ENABLED. Defaults to ENABLED.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/imagebuilder.aws.upbound.io_imagerecipes.yaml b/package/crds/imagebuilder.aws.upbound.io_imagerecipes.yaml
index 6766894e66..c169affe38 100644
--- a/package/crds/imagebuilder.aws.upbound.io_imagerecipes.yaml
+++ b/package/crds/imagebuilder.aws.upbound.io_imagerecipes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -275,12 +279,23 @@ spec:
                       test workflows.
                     type: string
                 required:
-                - component
-                - name
-                - parentImage
                 - region
-                - version
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -452,6 +467,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: component is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.component)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: parentImage is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parentImage)
+            - message: version is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)
           status:
             description: ImageRecipeStatus defines the observed state of ImageRecipe.
             properties:
@@ -460,17 +484,126 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the image recipe.
                     type: string
+                  blockDeviceMapping:
+                    description: Configuration block(s) with block device mappings
+                      for the image recipe. Detailed below.
+                    items:
+                      properties:
+                        deviceName:
+                          description: Name of the device. For example, /dev/sda or
+                            /dev/xvdb.
+                          type: string
+                        ebs:
+                          description: Configuration block with Elastic Block Storage
+                            (EBS) block device mapping settings. Detailed below.
+                          items:
+                            properties:
+                              deleteOnTermination:
+                                description: Whether to delete the volume on termination.
+                                  Defaults to unset, which is the value inherited
+                                  from the parent image.
+                                type: string
+                              encrypted:
+                                description: Whether to encrypt the volume. Defaults
+                                  to unset, which is the value inherited from the
+                                  parent image.
+                                type: string
+                              iops:
+                                description: Number of Input/Output (I/O) operations
+                                  per second to provision for an io1 or io2 volume.
+                                type: number
+                              kmsKeyId:
+                                description: Amazon Resource Name (ARN) of the Key
+                                  Management Service (KMS) Key for encryption.
+                                type: string
+                              snapshotId:
+                                description: Identifier of the EC2 Volume Snapshot.
+                                type: string
+                              throughput:
+                                description: For GP3 volumes only. The throughput
+                                  in MiB/s that the volume supports.
+                                type: number
+                              volumeSize:
+                                description: Size of the volume, in GiB.
+                                type: number
+                              volumeType:
+                                description: Type of the volume. For example, gp2
+                                  or io2.
+                                type: string
+                            type: object
+                          type: array
+                        noDevice:
+                          description: Set to true to remove a mapping from the parent
+                            image.
+                          type: boolean
+                        virtualName:
+                          description: Virtual device name. For example, ephemeral0.
+                            Instance store volumes are numbered starting from 0.
+                          type: string
+                      type: object
+                    type: array
+                  component:
+                    description: Ordered configuration block(s) with components for
+                      the image recipe. Detailed below.
+                    items:
+                      properties:
+                        componentArn:
+                          description: Amazon Resource Name (ARN) of the Image Builder
+                            Component to associate.
+                          type: string
+                        parameter:
+                          description: Configuration block(s) for parameters to configure
+                            the component. Detailed below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the component parameter.
+                                type: string
+                              value:
+                                description: The value for the named component parameter.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   dateCreated:
                     description: Date the image recipe was created.
                     type: string
+                  description:
+                    description: Description of the image recipe.
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: Name of the image recipe.
+                    type: string
                   owner:
                     description: Owner of the image recipe.
                     type: string
+                  parentImage:
+                    description: The image recipe uses this image as a base from which
+                      to build your customized image. The value can be the base image
+                      ARN or an AMI ID.
+                    type: string
                   platform:
                     description: Platform of the image recipe.
                     type: string
+                  systemsManagerAgent:
+                    description: Configuration block for the Systems Manager Agent
+                      installed by default by Image Builder. Detailed below.
+                    items:
+                      properties:
+                        uninstallAfterBuild:
+                          description: Whether to remove the Systems Manager Agent
+                            after the image has been built. Defaults to false.
+                          type: boolean
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -478,6 +611,20 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  userDataBase64:
+                    description: Base64 encoded user data. Use this to provide commands
+                      or a command script to run when you launch your build instance.
+                    type: string
+                  version:
+                    description: 'The semantic version of the image recipe, which
+                      specifies the version in the following format, with numeric
+                      values in each position to indicate a specific version: major.minor.patch.
+                      For example: 1.0.0.'
+                    type: string
+                  workingDirectory:
+                    description: The working directory to be used during build and
+                      test workflows.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/imagebuilder.aws.upbound.io_images.yaml b/package/crds/imagebuilder.aws.upbound.io_images.yaml
index f0be878d1a..4571719974 100644
--- a/package/crds/imagebuilder.aws.upbound.io_images.yaml
+++ b/package/crds/imagebuilder.aws.upbound.io_images.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -334,6 +338,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -513,11 +532,44 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the image.
                     type: string
+                  containerRecipeArn:
+                    description: '- Amazon Resource Name (ARN) of the container recipe.'
+                    type: string
                   dateCreated:
                     description: Date the image was created.
                     type: string
+                  distributionConfigurationArn:
+                    description: Amazon Resource Name (ARN) of the Image Builder Distribution
+                      Configuration.
+                    type: string
+                  enhancedImageMetadataEnabled:
+                    description: Whether additional information about the image being
+                      created is collected. Defaults to true.
+                    type: boolean
                   id:
                     type: string
+                  imageRecipeArn:
+                    description: Amazon Resource Name (ARN) of the image recipe.
+                    type: string
+                  imageTestsConfiguration:
+                    description: Configuration block with image tests configuration.
+                      Detailed below.
+                    items:
+                      properties:
+                        imageTestsEnabled:
+                          description: Whether image tests are enabled. Defaults to
+                            true.
+                          type: boolean
+                        timeoutMinutes:
+                          description: Number of minutes before image tests time out.
+                            Valid values are between 60 and 1440. Defaults to 720.
+                          type: number
+                      type: object
+                    type: array
+                  infrastructureConfigurationArn:
+                    description: Amazon Resource Name (ARN) of the Image Builder Infrastructure
+                      Configuration.
+                    type: string
                   name:
                     description: Name of the AMI.
                     type: string
@@ -555,6 +607,11 @@ spec:
                   platform:
                     description: Platform of the image.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/imagebuilder.aws.upbound.io_infrastructureconfigurations.yaml b/package/crds/imagebuilder.aws.upbound.io_infrastructureconfigurations.yaml
index 1cb84ab9ce..7989cc191f 100644
--- a/package/crds/imagebuilder.aws.upbound.io_infrastructureconfigurations.yaml
+++ b/package/crds/imagebuilder.aws.upbound.io_infrastructureconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -604,9 +608,23 @@ spec:
                       the pipeline fails. Defaults to false.
                     type: boolean
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -778,6 +796,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: InfrastructureConfigurationStatus defines the observed state
               of InfrastructureConfiguration.
@@ -793,9 +814,86 @@ spec:
                   dateUpdated:
                     description: Date when the configuration was updated.
                     type: string
+                  description:
+                    description: Description for the configuration.
+                    type: string
                   id:
                     description: Amazon Resource Name (ARN) of the configuration.
                     type: string
+                  instanceMetadataOptions:
+                    description: Configuration block with instance metadata options
+                      for the HTTP requests that pipeline builds use to launch EC2
+                      build and test instances. Detailed below.
+                    items:
+                      properties:
+                        httpPutResponseHopLimit:
+                          description: The number of hops that an instance can traverse
+                            to reach its destonation.
+                          type: number
+                        httpTokens:
+                          description: 'Whether a signed token is required for instance
+                            metadata retrieval requests. Valid values: required, optional.'
+                          type: string
+                      type: object
+                    type: array
+                  instanceProfileName:
+                    description: Name of IAM Instance Profile.
+                    type: string
+                  instanceTypes:
+                    description: Set of EC2 Instance Types.
+                    items:
+                      type: string
+                    type: array
+                  keyPair:
+                    description: Name of EC2 Key Pair.
+                    type: string
+                  logging:
+                    description: Configuration block with logging settings. Detailed
+                      below.
+                    items:
+                      properties:
+                        s3Logs:
+                          description: Configuration block with S3 logging settings.
+                            Detailed below.
+                          items:
+                            properties:
+                              s3BucketName:
+                                description: Name of the S3 Bucket.
+                                type: string
+                              s3KeyPrefix:
+                                description: Prefix to use for S3 logs. Defaults to
+                                  /.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: Name for the configuration.
+                    type: string
+                  resourceTags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags to assign to infrastructure
+                      created by the configuration.
+                    type: object
+                  securityGroupIds:
+                    description: Set of EC2 Security Group identifiers.
+                    items:
+                      type: string
+                    type: array
+                  snsTopicArn:
+                    description: Amazon Resource Name (ARN) of SNS Topic.
+                    type: string
+                  subnetId:
+                    description: EC2 Subnet identifier. Also requires security_group_ids
+                      argument.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -803,6 +901,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  terminateInstanceOnFailure:
+                    description: Enable if the instance should be terminated when
+                      the pipeline fails. Defaults to false.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/inspector.aws.upbound.io_assessmenttargets.yaml b/package/crds/inspector.aws.upbound.io_assessmenttargets.yaml
index a17f8386e2..3b02ebbb0d 100644
--- a/package/crds/inspector.aws.upbound.io_assessmenttargets.yaml
+++ b/package/crds/inspector.aws.upbound.io_assessmenttargets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,9 +157,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,6 +345,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AssessmentTargetStatus defines the observed state of AssessmentTarget.
             properties:
@@ -337,6 +358,15 @@ spec:
                     type: string
                   id:
                     type: string
+                  name:
+                    description: The name of the assessment target.
+                    type: string
+                  resourceGroupArn:
+                    description: Inspector Resource Group Amazon Resource Name (ARN)
+                      stating tags for instance matching. If not specified, all EC2
+                      instances in the current AWS account and region are included
+                      in the assessment target.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/inspector.aws.upbound.io_assessmenttemplates.yaml b/package/crds/inspector.aws.upbound.io_assessmenttemplates.yaml
index 238b32d921..f09bd202c9 100644
--- a/package/crds/inspector.aws.upbound.io_assessmenttemplates.yaml
+++ b/package/crds/inspector.aws.upbound.io_assessmenttemplates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -260,11 +264,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - duration
-                - name
                 - region
-                - rulesPackageArns
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -436,6 +452,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: duration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.duration)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: rulesPackageArns is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rulesPackageArns)
           status:
             description: AssessmentTemplateStatus defines the observed state of AssessmentTemplate.
             properties:
@@ -444,8 +467,42 @@ spec:
                   arn:
                     description: The template assessment ARN.
                     type: string
+                  duration:
+                    description: The duration of the inspector run.
+                    type: number
+                  eventSubscription:
+                    description: A block that enables sending notifications about
+                      a specified assessment template event to a designated SNS topic.
+                      See Event Subscriptions for details.
+                    items:
+                      properties:
+                        event:
+                          description: The event for which you want to receive SNS
+                            notifications. Valid values are ASSESSMENT_RUN_STARTED,
+                            ASSESSMENT_RUN_COMPLETED, ASSESSMENT_RUN_STATE_CHANGED,
+                            and FINDING_REPORTED.
+                          type: string
+                        topicArn:
+                          description: The ARN of the SNS topic to which notifications
+                            are sent.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: The name of the assessment template.
+                    type: string
+                  rulesPackageArns:
+                    description: The rules to be used during the run.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -453,6 +510,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetArn:
+                    description: The assessment target ARN to attach the template
+                      to.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/inspector.aws.upbound.io_resourcegroups.yaml b/package/crds/inspector.aws.upbound.io_resourcegroups.yaml
index 592aa994c9..a651f1a74d 100644
--- a/package/crds/inspector.aws.upbound.io_resourcegroups.yaml
+++ b/package/crds/inspector.aws.upbound.io_resourcegroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -75,8 +79,22 @@ spec:
                     type: object
                 required:
                 - region
-                - tags
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -248,6 +266,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: tags is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tags)
           status:
             description: ResourceGroupStatus defines the observed state of ResourceGroup.
             properties:
@@ -258,6 +279,11 @@ spec:
                     type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/inspector2.aws.upbound.io_enablers.yaml b/package/crds/inspector2.aws.upbound.io_enablers.yaml
index 47a18afa4d..eb39f4abd7 100644
--- a/package/crds/inspector2.aws.upbound.io_enablers.yaml
+++ b/package/crds/inspector2.aws.upbound.io_enablers.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,10 +83,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - accountIds
                 - region
-                - resourceTypes
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -254,13 +271,29 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accountIds is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountIds)
+            - message: resourceTypes is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceTypes)
           status:
             description: EnablerStatus defines the observed state of Enabler.
             properties:
               atProvider:
                 properties:
+                  accountIds:
+                    description: Set of account IDs.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  resourceTypes:
+                    description: Type of resources to scan. Valid values are EC2,
+                      ECR, and LAMBDA.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_certificates.yaml b/package/crds/iot.aws.upbound.io_certificates.yaml
index 76deca4aae..143c630a42 100644
--- a/package/crds/iot.aws.upbound.io_certificates.yaml
+++ b/package/crds/iot.aws.upbound.io_certificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -118,9 +122,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - active
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -292,14 +310,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: active is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.active)
           status:
             description: CertificateStatus defines the observed state of Certificate.
             properties:
               atProvider:
                 properties:
+                  active:
+                    description: Boolean flag to indicate if the certificate should
+                      be active
+                    type: boolean
                   arn:
                     description: The ARN of the created certificate.
                     type: string
+                  csr:
+                    description: The certificate signing request. Review CreateCertificateFromCsr
+                      for more information on generating a certificate from a certificate
+                      signing request (CSR). If none is specified both the certificate
+                      and keys will be generated, review CreateKeysAndCertificate
+                      for more information on generating keys and a certificate.
+                    type: string
                   id:
                     description: The internal ID assigned to this certificate.
                     type: string
diff --git a/package/crds/iot.aws.upbound.io_indexingconfigurations.yaml b/package/crds/iot.aws.upbound.io_indexingconfigurations.yaml
index 3fe90bfde8..7316ccbc40 100644
--- a/package/crds/iot.aws.upbound.io_indexingconfigurations.yaml
+++ b/package/crds/iot.aws.upbound.io_indexingconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -165,6 +169,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -344,6 +363,96 @@ spec:
                 properties:
                   id:
                     type: string
+                  thingGroupIndexingConfiguration:
+                    description: Thing group indexing configuration. See below.
+                    items:
+                      properties:
+                        customField:
+                          description: A list of thing group fields to index. This
+                            list cannot contain any managed fields. See below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the field.
+                                type: string
+                              type:
+                                description: 'The data type of the field. Valid values:
+                                  Number, String, Boolean.'
+                                type: string
+                            type: object
+                          type: array
+                        managedField:
+                          description: Contains fields that are indexed and whose
+                            types are already known by the Fleet Indexing service.
+                            See below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the field.
+                                type: string
+                              type:
+                                description: 'The data type of the field. Valid values:
+                                  Number, String, Boolean.'
+                                type: string
+                            type: object
+                          type: array
+                        thingGroupIndexingMode:
+                          description: 'Thing group indexing mode. Valid values: OFF,
+                            ON.'
+                          type: string
+                      type: object
+                    type: array
+                  thingIndexingConfiguration:
+                    description: Thing indexing configuration. See below.
+                    items:
+                      properties:
+                        customField:
+                          description: Contains custom field names and their data
+                            type. See below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the field.
+                                type: string
+                              type:
+                                description: 'The data type of the field. Valid values:
+                                  Number, String, Boolean.'
+                                type: string
+                            type: object
+                          type: array
+                        deviceDefenderIndexingMode:
+                          description: 'Device Defender indexing mode. Valid values:
+                            VIOLATIONS, OFF. Default: OFF.'
+                          type: string
+                        managedField:
+                          description: Contains fields that are indexed and whose
+                            types are already known by the Fleet Indexing service.
+                            See below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the field.
+                                type: string
+                              type:
+                                description: 'The data type of the field. Valid values:
+                                  Number, String, Boolean.'
+                                type: string
+                            type: object
+                          type: array
+                        namedShadowIndexingMode:
+                          description: 'Named shadow indexing mode. Valid values:
+                            ON, OFF. Default: OFF.'
+                          type: string
+                        thingConnectivityIndexingMode:
+                          description: 'Thing connectivity indexing mode. Valid values:
+                            STATUS, OFF. Default: OFF.'
+                          type: string
+                        thingIndexingMode:
+                          description: 'Thing indexing mode. Valid values: REGISTRY,
+                            REGISTRY_AND_SHADOW, OFF.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_loggingoptions.yaml b/package/crds/iot.aws.upbound.io_loggingoptions.yaml
index 58af06fd94..f83a39f588 100644
--- a/package/crds/iot.aws.upbound.io_loggingoptions.yaml
+++ b/package/crds/iot.aws.upbound.io_loggingoptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,9 +157,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - defaultLogLevel
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,13 +345,27 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: defaultLogLevel is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultLogLevel)
           status:
             description: LoggingOptionsStatus defines the observed state of LoggingOptions.
             properties:
               atProvider:
                 properties:
+                  defaultLogLevel:
+                    description: 'The default logging level. Valid Values: "DEBUG",
+                      "INFO", "ERROR", "WARN", "DISABLED".'
+                    type: string
+                  disableAllLogs:
+                    description: If true all logs are disabled. The default is false.
+                    type: boolean
                   id:
                     type: string
+                  roleArn:
+                    description: The ARN of the role that allows IoT to write to Cloudwatch
+                      logs.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_policies.yaml b/package/crds/iot.aws.upbound.io_policies.yaml
index 341ad295b3..f462eccaae 100644
--- a/package/crds/iot.aws.upbound.io_policies.yaml
+++ b/package/crds/iot.aws.upbound.io_policies.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: PolicyStatus defines the observed state of Policy.
             properties:
@@ -259,6 +280,10 @@ spec:
                     type: string
                   id:
                     type: string
+                  policy:
+                    description: The policy document. This is a JSON formatted string.
+                      Use the IoT Developer Guide for more information on IoT Policies.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_policyattachments.yaml b/package/crds/iot.aws.upbound.io_policyattachments.yaml
index 2ad65dd0cb..120d14711d 100644
--- a/package/crds/iot.aws.upbound.io_policyattachments.yaml
+++ b/package/crds/iot.aws.upbound.io_policyattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -223,6 +227,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -401,6 +420,12 @@ spec:
                 properties:
                   id:
                     type: string
+                  policy:
+                    description: The name of the policy to attach.
+                    type: string
+                  target:
+                    description: The identity to which the policy is attached.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_provisioningtemplates.yaml b/package/crds/iot.aws.upbound.io_provisioningtemplates.yaml
index 8718f525fa..13b9ce9be1 100644
--- a/package/crds/iot.aws.upbound.io_provisioningtemplates.yaml
+++ b/package/crds/iot.aws.upbound.io_provisioningtemplates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,8 +185,22 @@ spec:
                     type: string
                 required:
                 - region
-                - templateBody
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -354,6 +372,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: templateBody is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.templateBody)
           status:
             description: ProvisioningTemplateStatus defines the observed state of
               ProvisioningTemplate.
@@ -366,8 +387,40 @@ spec:
                   defaultVersionId:
                     description: The default version of the fleet provisioning template.
                     type: number
+                  description:
+                    description: The description of the fleet provisioning template.
+                    type: string
+                  enabled:
+                    description: True to enable the fleet provisioning template, otherwise
+                      false.
+                    type: boolean
                   id:
                     type: string
+                  preProvisioningHook:
+                    description: Creates a pre-provisioning hook template. Details
+                      below.
+                    items:
+                      properties:
+                        payloadVersion:
+                          description: The version of the payload that was sent to
+                            the target function. The only valid (and the default)
+                            payload version is "2020-04-01".
+                          type: string
+                        targetArn:
+                          description: The ARN of the target function.
+                          type: string
+                      type: object
+                    type: array
+                  provisioningRoleArn:
+                    description: The role ARN for the role associated with the fleet
+                      provisioning template. This IoT role grants permission to provision
+                      a device.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -375,6 +428,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  templateBody:
+                    description: The JSON formatted contents of the fleet provisioning
+                      template.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_rolealiases.yaml b/package/crds/iot.aws.upbound.io_rolealiases.yaml
index 84a18251d9..5707c9d0cb 100644
--- a/package/crds/iot.aws.upbound.io_rolealiases.yaml
+++ b/package/crds/iot.aws.upbound.io_rolealiases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -154,9 +158,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - alias
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -328,16 +346,31 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: alias is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.alias)
           status:
             description: RoleAliasStatus defines the observed state of RoleAlias.
             properties:
               atProvider:
                 properties:
+                  alias:
+                    description: The name of the role alias.
+                    type: string
                   arn:
                     description: The ARN assigned by AWS to this role alias.
                     type: string
+                  credentialDuration:
+                    description: The duration of the credential, in seconds. If you
+                      do not specify a value for this setting, the default maximum
+                      of one hour is applied. This setting can have a value from 900
+                      seconds (15 minutes) to 43200 seconds (12 hours).
+                    type: number
                   id:
                     type: string
+                  roleArn:
+                    description: The identity of the role to which the alias refers.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_thinggroupmemberships.yaml b/package/crds/iot.aws.upbound.io_thinggroupmemberships.yaml
index d384039de5..96f8534a44 100644
--- a/package/crds/iot.aws.upbound.io_thinggroupmemberships.yaml
+++ b/package/crds/iot.aws.upbound.io_thinggroupmemberships.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,9 +87,22 @@ spec:
                     type: string
                 required:
                 - region
-                - thingGroupName
-                - thingName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -257,6 +274,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: thingGroupName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.thingGroupName)
+            - message: thingName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.thingName)
           status:
             description: ThingGroupMembershipStatus defines the observed state of
               ThingGroupMembership.
@@ -266,6 +288,19 @@ spec:
                   id:
                     description: The membership ID.
                     type: string
+                  overrideDynamicGroup:
+                    description: Override dynamic thing groups with static thing groups
+                      when 10-group limit is reached. If a thing belongs to 10 thing
+                      groups, and one or more of those groups are dynamic thing groups,
+                      adding a thing to a static group removes the thing from the
+                      last dynamic group.
+                    type: boolean
+                  thingGroupName:
+                    description: The name of the group to which you are adding a thing.
+                    type: string
+                  thingName:
+                    description: The name of the thing to add to a group.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_thinggroups.yaml b/package/crds/iot.aws.upbound.io_thinggroups.yaml
index 1c7095d170..2848c5cb75 100644
--- a/package/crds/iot.aws.upbound.io_thinggroups.yaml
+++ b/package/crds/iot.aws.upbound.io_thinggroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -172,6 +176,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -375,6 +394,34 @@ spec:
                           type: array
                       type: object
                     type: array
+                  parentGroupName:
+                    description: The name of the parent Thing Group.
+                    type: string
+                  properties:
+                    description: The Thing Group properties. Defined below.
+                    items:
+                      properties:
+                        attributePayload:
+                          description: The Thing Group attributes. Defined below.
+                          items:
+                            properties:
+                              attributes:
+                                additionalProperties:
+                                  type: string
+                                description: Key-value map.
+                                type: object
+                            type: object
+                          type: array
+                        description:
+                          description: A description of the Thing Group.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iot.aws.upbound.io_thingprincipalattachments.yaml b/package/crds/iot.aws.upbound.io_thingprincipalattachments.yaml
index 03ed2b23b7..a0243ac7f5 100644
--- a/package/crds/iot.aws.upbound.io_thingprincipalattachments.yaml
+++ b/package/crds/iot.aws.upbound.io_thingprincipalattachments.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -225,6 +229,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -404,6 +423,13 @@ spec:
                 properties:
                   id:
                     type: string
+                  principal:
+                    description: The AWS IoT Certificate ARN or Amazon Cognito Identity
+                      ID.
+                    type: string
+                  thing:
+                    description: The name of the thing.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/iot.aws.upbound.io_things.yaml b/package/crds/iot.aws.upbound.io_things.yaml
index ddb0ab49d0..f532985aed 100644
--- a/package/crds/iot.aws.upbound.io_things.yaml
+++ b/package/crds/iot.aws.upbound.io_things.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,11 +277,19 @@ spec:
                   arn:
                     description: The ARN of the thing.
                     type: string
+                  attributes:
+                    additionalProperties:
+                      type: string
+                    description: Map of attributes of the thing.
+                    type: object
                   defaultClientId:
                     description: The default client ID.
                     type: string
                   id:
                     type: string
+                  thingTypeName:
+                    description: The thing type name.
+                    type: string
                   version:
                     description: The current version of the thing record in the registry.
                     type: number
diff --git a/package/crds/iot.aws.upbound.io_thingtypes.yaml b/package/crds/iot.aws.upbound.io_thingtypes.yaml
index ed6d7517c3..30b93cfedf 100644
--- a/package/crds/iot.aws.upbound.io_thingtypes.yaml
+++ b/package/crds/iot.aws.upbound.io_thingtypes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -96,9 +100,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,6 +288,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ThingTypeStatus defines the observed state of ThingType.
             properties:
@@ -278,8 +299,35 @@ spec:
                   arn:
                     description: The ARN of the created AWS IoT Thing Type.
                     type: string
+                  deprecated:
+                    description: Whether the thing type is deprecated. If true, no
+                      new things could be associated with this type.
+                    type: boolean
                   id:
                     type: string
+                  name:
+                    description: The name of the thing type.
+                    type: string
+                  properties:
+                    description: ', Configuration block that can contain the following
+                      properties of the thing type:'
+                    items:
+                      properties:
+                        description:
+                          description: The description of the thing type.
+                          type: string
+                        searchableAttributes:
+                          description: A list of searchable thing attribute names.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/iot.aws.upbound.io_topicrules.yaml b/package/crds/iot.aws.upbound.io_topicrules.yaml
index 0d5d1ee465..e6e3b017f0 100644
--- a/package/crds/iot.aws.upbound.io_topicrules.yaml
+++ b/package/crds/iot.aws.upbound.io_topicrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1345,11 +1349,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - enabled
                 - region
-                - sql
-                - sqlVersion
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1521,6 +1537,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: enabled is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enabled)
+            - message: sql is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sql)
+            - message: sqlVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sqlVersion)
           status:
             description: TopicRuleStatus defines the observed state of TopicRule.
             properties:
@@ -1529,16 +1552,826 @@ spec:
                   arn:
                     description: The ARN of the topic rule
                     type: string
-                  id:
-                    description: The unique identifier for the document you are storing.
+                  cloudwatchAlarm:
+                    items:
+                      properties:
+                        alarmName:
+                          description: The CloudWatch alarm name.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        stateReason:
+                          description: The reason for the alarm change.
+                          type: string
+                        stateValue:
+                          description: 'The value of the alarm state. Acceptable values
+                            are: OK, ALARM, INSUFFICIENT_DATA.'
+                          type: string
+                      type: object
+                    type: array
+                  cloudwatchLogs:
+                    items:
+                      properties:
+                        logGroupName:
+                          description: The CloudWatch log group name.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                      type: object
+                    type: array
+                  cloudwatchMetric:
+                    items:
+                      properties:
+                        metricName:
+                          description: The CloudWatch metric name.
+                          type: string
+                        metricNamespace:
+                          description: The CloudWatch metric namespace name.
+                          type: string
+                        metricTimestamp:
+                          description: An optional Unix timestamp (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#about_timestamp).
+                          type: string
+                        metricUnit:
+                          description: 'The metric unit (supported units can be found
+                            here: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#Unit)'
+                          type: string
+                        metricValue:
+                          description: The CloudWatch metric value.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                      type: object
+                    type: array
+                  description:
+                    description: The description of the rule.
                     type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: A map of tags assigned to the resource, including
-                      those inherited from the provider default_tags configuration
-                      block.
-                    type: object
+                  dynamodb:
+                    items:
+                      properties:
+                        hashKeyField:
+                          description: The hash key name.
+                          type: string
+                        hashKeyType:
+                          description: The hash key type. Valid values are "STRING"
+                            or "NUMBER".
+                          type: string
+                        hashKeyValue:
+                          description: The hash key value.
+                          type: string
+                        operation:
+                          description: The operation. Valid values are "INSERT", "UPDATE",
+                            or "DELETE".
+                          type: string
+                        payloadField:
+                          description: The action payload.
+                          type: string
+                        rangeKeyField:
+                          description: The range key name.
+                          type: string
+                        rangeKeyType:
+                          description: The range key type. Valid values are "STRING"
+                            or "NUMBER".
+                          type: string
+                        rangeKeyValue:
+                          description: The range key value.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        tableName:
+                          description: The name of the DynamoDB table.
+                          type: string
+                      type: object
+                    type: array
+                  dynamodbv2:
+                    items:
+                      properties:
+                        putItem:
+                          description: Configuration block with DynamoDB Table to
+                            which the message will be written. Nested arguments below.
+                          items:
+                            properties:
+                              tableName:
+                                description: The name of the DynamoDB table.
+                                type: string
+                            type: object
+                          type: array
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                      type: object
+                    type: array
+                  elasticsearch:
+                    items:
+                      properties:
+                        endpoint:
+                          description: The endpoint of your Elasticsearch domain.
+                          type: string
+                        id:
+                          description: The unique identifier for the document you
+                            are storing.
+                          type: string
+                        index:
+                          description: The Elasticsearch index where you want to store
+                            your data.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        type:
+                          description: The type of document you are storing.
+                          type: string
+                      type: object
+                    type: array
+                  enabled:
+                    description: Specifies whether the rule is enabled.
+                    type: boolean
+                  errorAction:
+                    description: Configuration block with error action to be associated
+                      with the rule. See the documentation for cloudwatch_alarm, cloudwatch_logs,
+                      cloudwatch_metric, dynamodb, dynamodbv2, elasticsearch, firehose,
+                      http, iot_analytics, iot_events, kafka, kinesis, lambda, republish,
+                      s3, sns, sqs, step_functions, timestream configuration blocks
+                      for further configuration details.
+                    items:
+                      properties:
+                        cloudwatchAlarm:
+                          items:
+                            properties:
+                              alarmName:
+                                description: The CloudWatch alarm name.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              stateReason:
+                                description: The reason for the alarm change.
+                                type: string
+                              stateValue:
+                                description: 'The value of the alarm state. Acceptable
+                                  values are: OK, ALARM, INSUFFICIENT_DATA.'
+                                type: string
+                            type: object
+                          type: array
+                        cloudwatchLogs:
+                          items:
+                            properties:
+                              logGroupName:
+                                description: The CloudWatch log group name.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                            type: object
+                          type: array
+                        cloudwatchMetric:
+                          items:
+                            properties:
+                              metricName:
+                                description: The CloudWatch metric name.
+                                type: string
+                              metricNamespace:
+                                description: The CloudWatch metric namespace name.
+                                type: string
+                              metricTimestamp:
+                                description: An optional Unix timestamp (http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#about_timestamp).
+                                type: string
+                              metricUnit:
+                                description: 'The metric unit (supported units can
+                                  be found here: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/cloudwatch_concepts.html#Unit)'
+                                type: string
+                              metricValue:
+                                description: The CloudWatch metric value.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                            type: object
+                          type: array
+                        dynamodb:
+                          items:
+                            properties:
+                              hashKeyField:
+                                description: The hash key name.
+                                type: string
+                              hashKeyType:
+                                description: The hash key type. Valid values are "STRING"
+                                  or "NUMBER".
+                                type: string
+                              hashKeyValue:
+                                description: The hash key value.
+                                type: string
+                              operation:
+                                description: The operation. Valid values are "INSERT",
+                                  "UPDATE", or "DELETE".
+                                type: string
+                              payloadField:
+                                description: The action payload.
+                                type: string
+                              rangeKeyField:
+                                description: The range key name.
+                                type: string
+                              rangeKeyType:
+                                description: The range key type. Valid values are
+                                  "STRING" or "NUMBER".
+                                type: string
+                              rangeKeyValue:
+                                description: The range key value.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              tableName:
+                                description: The name of the DynamoDB table.
+                                type: string
+                            type: object
+                          type: array
+                        dynamodbv2:
+                          items:
+                            properties:
+                              putItem:
+                                description: Configuration block with DynamoDB Table
+                                  to which the message will be written. Nested arguments
+                                  below.
+                                items:
+                                  properties:
+                                    tableName:
+                                      description: The name of the DynamoDB table.
+                                      type: string
+                                  type: object
+                                type: array
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                            type: object
+                          type: array
+                        elasticsearch:
+                          items:
+                            properties:
+                              endpoint:
+                                description: The endpoint of your Elasticsearch domain.
+                                type: string
+                              id:
+                                description: The unique identifier for the document
+                                  you are storing.
+                                type: string
+                              index:
+                                description: The Elasticsearch index where you want
+                                  to store your data.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              type:
+                                description: The type of document you are storing.
+                                type: string
+                            type: object
+                          type: array
+                        firehose:
+                          items:
+                            properties:
+                              deliveryStreamName:
+                                description: The delivery stream name.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              separator:
+                                description: 'A character separator that is used to
+                                  separate records written to the Firehose stream.
+                                  Valid values are: ''\n'' (newline), ''\t'' (tab),
+                                  ''\r\n'' (Windows newline), '','' (comma).'
+                                type: string
+                            type: object
+                          type: array
+                        http:
+                          items:
+                            properties:
+                              confirmationUrl:
+                                description: The HTTPS URL used to verify ownership
+                                  of url.
+                                type: string
+                              httpHeader:
+                                description: Custom HTTP header IoT Core should send.
+                                  It is possible to define more than one custom header.
+                                items:
+                                  properties:
+                                    key:
+                                      description: The name of the HTTP header.
+                                      type: string
+                                    value:
+                                      description: The value of the HTTP header.
+                                      type: string
+                                  type: object
+                                type: array
+                              url:
+                                description: The HTTPS URL.
+                                type: string
+                            type: object
+                          type: array
+                        iotAnalytics:
+                          items:
+                            properties:
+                              channelName:
+                                description: Name of AWS IOT Analytics channel.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                            type: object
+                          type: array
+                        iotEvents:
+                          items:
+                            properties:
+                              inputName:
+                                description: The name of the AWS IoT Events input.
+                                type: string
+                              messageId:
+                                description: Use this to ensure that only one input
+                                  (message) with a given messageId is processed by
+                                  an AWS IoT Events detector.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                            type: object
+                          type: array
+                        kafka:
+                          items:
+                            properties:
+                              clientProperties:
+                                additionalProperties:
+                                  type: string
+                                description: Properties of the Apache Kafka producer
+                                  client. For more info, see the AWS documentation.
+                                type: object
+                              destinationArn:
+                                description: The ARN of Kafka action's VPC aws_iot_topic_rule_destination
+                                  .
+                                type: string
+                              key:
+                                description: The name of the HTTP header.
+                                type: string
+                              partition:
+                                description: The Kafka message partition.
+                                type: string
+                              topic:
+                                description: The Kafka topic for messages to be sent
+                                  to the Kafka broker.
+                                type: string
+                            type: object
+                          type: array
+                        kinesis:
+                          items:
+                            properties:
+                              partitionKey:
+                                description: The partition key.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              streamName:
+                                description: The name of the Amazon Kinesis stream.
+                                type: string
+                            type: object
+                          type: array
+                        lambda:
+                          items:
+                            properties:
+                              functionArn:
+                                description: The ARN of the Lambda function.
+                                type: string
+                            type: object
+                          type: array
+                        republish:
+                          items:
+                            properties:
+                              qos:
+                                description: The Quality of Service (QoS) level to
+                                  use when republishing messages. Valid values are
+                                  0 or 1. The default value is 0.
+                                type: number
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              topic:
+                                description: The Kafka topic for messages to be sent
+                                  to the Kafka broker.
+                                type: string
+                            type: object
+                          type: array
+                        s3:
+                          items:
+                            properties:
+                              bucketName:
+                                description: The Amazon S3 bucket name.
+                                type: string
+                              cannedAcl:
+                                description: The Amazon S3 canned ACL that controls
+                                  access to the object identified by the object key.
+                                  Valid values.
+                                type: string
+                              key:
+                                description: The name of the HTTP header.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                            type: object
+                          type: array
+                        sns:
+                          items:
+                            properties:
+                              messageFormat:
+                                description: The message format of the message to
+                                  publish. Accepted values are "JSON" and "RAW".
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              targetArn:
+                                description: The ARN of the SNS topic.
+                                type: string
+                            type: object
+                          type: array
+                        sqs:
+                          items:
+                            properties:
+                              queueUrl:
+                                description: The URL of the Amazon SQS queue.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              useBase64:
+                                description: Specifies whether to use Base64 encoding.
+                                type: boolean
+                            type: object
+                          type: array
+                        stepFunctions:
+                          items:
+                            properties:
+                              executionNamePrefix:
+                                description: The prefix used to generate, along with
+                                  a UUID, the unique state machine execution name.
+                                type: string
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              stateMachineName:
+                                description: The name of the Step Functions state
+                                  machine whose execution will be started.
+                                type: string
+                            type: object
+                          type: array
+                        timestream:
+                          items:
+                            properties:
+                              databaseName:
+                                description: The name of an Amazon Timestream database.
+                                type: string
+                              dimension:
+                                description: Configuration blocks with metadata attributes
+                                  of the time series that are written in each measure
+                                  record. Nested arguments below.
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the rule.
+                                      type: string
+                                    value:
+                                      description: The value of the HTTP header.
+                                      type: string
+                                  type: object
+                                type: array
+                              roleArn:
+                                description: The IAM role ARN that allows access to
+                                  the CloudWatch alarm.
+                                type: string
+                              tableName:
+                                description: The name of the DynamoDB table.
+                                type: string
+                              timestamp:
+                                description: Configuration block specifying an application-defined
+                                  value to replace the default value assigned to the
+                                  Timestream record's timestamp in the time column.
+                                  Nested arguments below.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'The precision of the timestamp
+                                        value that results from the expression described
+                                        in value. Valid values: SECONDS, MILLISECONDS,
+                                        MICROSECONDS, NANOSECONDS.'
+                                      type: string
+                                    value:
+                                      description: The value of the HTTP header.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  firehose:
+                    items:
+                      properties:
+                        deliveryStreamName:
+                          description: The delivery stream name.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        separator:
+                          description: 'A character separator that is used to separate
+                            records written to the Firehose stream. Valid values are:
+                            ''\n'' (newline), ''\t'' (tab), ''\r\n'' (Windows newline),
+                            '','' (comma).'
+                          type: string
+                      type: object
+                    type: array
+                  http:
+                    items:
+                      properties:
+                        confirmationUrl:
+                          description: The HTTPS URL used to verify ownership of url.
+                          type: string
+                        httpHeader:
+                          description: Custom HTTP header IoT Core should send. It
+                            is possible to define more than one custom header.
+                          items:
+                            properties:
+                              key:
+                                description: The name of the HTTP header.
+                                type: string
+                              value:
+                                description: The value of the HTTP header.
+                                type: string
+                            type: object
+                          type: array
+                        url:
+                          description: The HTTPS URL.
+                          type: string
+                      type: object
+                    type: array
+                  id:
+                    description: The unique identifier for the document you are storing.
+                    type: string
+                  iotAnalytics:
+                    items:
+                      properties:
+                        channelName:
+                          description: Name of AWS IOT Analytics channel.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                      type: object
+                    type: array
+                  iotEvents:
+                    items:
+                      properties:
+                        inputName:
+                          description: The name of the AWS IoT Events input.
+                          type: string
+                        messageId:
+                          description: Use this to ensure that only one input (message)
+                            with a given messageId is processed by an AWS IoT Events
+                            detector.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                      type: object
+                    type: array
+                  kafka:
+                    items:
+                      properties:
+                        clientProperties:
+                          additionalProperties:
+                            type: string
+                          description: Properties of the Apache Kafka producer client.
+                            For more info, see the AWS documentation.
+                          type: object
+                        destinationArn:
+                          description: The ARN of Kafka action's VPC aws_iot_topic_rule_destination
+                            .
+                          type: string
+                        key:
+                          description: The name of the HTTP header.
+                          type: string
+                        partition:
+                          description: The Kafka message partition.
+                          type: string
+                        topic:
+                          description: The Kafka topic for messages to be sent to
+                            the Kafka broker.
+                          type: string
+                      type: object
+                    type: array
+                  kinesis:
+                    items:
+                      properties:
+                        partitionKey:
+                          description: The partition key.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        streamName:
+                          description: The name of the Amazon Kinesis stream.
+                          type: string
+                      type: object
+                    type: array
+                  lambda:
+                    items:
+                      properties:
+                        functionArn:
+                          description: The ARN of the Lambda function.
+                          type: string
+                      type: object
+                    type: array
+                  republish:
+                    items:
+                      properties:
+                        qos:
+                          description: The Quality of Service (QoS) level to use when
+                            republishing messages. Valid values are 0 or 1. The default
+                            value is 0.
+                          type: number
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        topic:
+                          description: The Kafka topic for messages to be sent to
+                            the Kafka broker.
+                          type: string
+                      type: object
+                    type: array
+                  s3:
+                    items:
+                      properties:
+                        bucketName:
+                          description: The Amazon S3 bucket name.
+                          type: string
+                        cannedAcl:
+                          description: The Amazon S3 canned ACL that controls access
+                            to the object identified by the object key. Valid values.
+                          type: string
+                        key:
+                          description: The name of the HTTP header.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                      type: object
+                    type: array
+                  sns:
+                    items:
+                      properties:
+                        messageFormat:
+                          description: The message format of the message to publish.
+                            Accepted values are "JSON" and "RAW".
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        targetArn:
+                          description: The ARN of the SNS topic.
+                          type: string
+                      type: object
+                    type: array
+                  sql:
+                    description: The SQL statement used to query the topic. For more
+                      information, see AWS IoT SQL Reference (http://docs.aws.amazon.com/iot/latest/developerguide/iot-rules.html#aws-iot-sql-reference)
+                      in the AWS IoT Developer Guide.
+                    type: string
+                  sqlVersion:
+                    description: The version of the SQL rules engine to use when evaluating
+                      the rule.
+                    type: string
+                  sqs:
+                    items:
+                      properties:
+                        queueUrl:
+                          description: The URL of the Amazon SQS queue.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        useBase64:
+                          description: Specifies whether to use Base64 encoding.
+                          type: boolean
+                      type: object
+                    type: array
+                  stepFunctions:
+                    items:
+                      properties:
+                        executionNamePrefix:
+                          description: The prefix used to generate, along with a UUID,
+                            the unique state machine execution name.
+                          type: string
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        stateMachineName:
+                          description: The name of the Step Functions state machine
+                            whose execution will be started.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: A map of tags assigned to the resource, including
+                      those inherited from the provider default_tags configuration
+                      block.
+                    type: object
+                  timestream:
+                    items:
+                      properties:
+                        databaseName:
+                          description: The name of an Amazon Timestream database.
+                          type: string
+                        dimension:
+                          description: Configuration blocks with metadata attributes
+                            of the time series that are written in each measure record.
+                            Nested arguments below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the rule.
+                                type: string
+                              value:
+                                description: The value of the HTTP header.
+                                type: string
+                            type: object
+                          type: array
+                        roleArn:
+                          description: The IAM role ARN that allows access to the
+                            CloudWatch alarm.
+                          type: string
+                        tableName:
+                          description: The name of the DynamoDB table.
+                          type: string
+                        timestamp:
+                          description: Configuration block specifying an application-defined
+                            value to replace the default value assigned to the Timestream
+                            record's timestamp in the time column. Nested arguments
+                            below.
+                          items:
+                            properties:
+                              unit:
+                                description: 'The precision of the timestamp value
+                                  that results from the expression described in value.
+                                  Valid values: SECONDS, MILLISECONDS, MICROSECONDS,
+                                  NANOSECONDS.'
+                                type: string
+                              value:
+                                description: The value of the HTTP header.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ivs.aws.upbound.io_channels.yaml b/package/crds/ivs.aws.upbound.io_channels.yaml
index 0a1a25e4eb..9e0f16ee17 100644
--- a/package/crds/ivs.aws.upbound.io_channels.yaml
+++ b/package/crds/ivs.aws.upbound.io_channels.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -92,6 +96,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -271,21 +290,43 @@ spec:
                   arn:
                     description: ARN of the Channel.
                     type: string
+                  authorized:
+                    description: If true, channel is private (enabled for playback
+                      authorization).
+                    type: boolean
                   id:
                     type: string
                   ingestEndpoint:
                     description: Channel ingest endpoint, part of the definition of
                       an ingest server, used when setting up streaming software.
                     type: string
+                  latencyMode:
+                    description: 'Channel latency mode. Valid values: NORMAL, LOW.'
+                    type: string
+                  name:
+                    description: Channel name.
+                    type: string
                   playbackUrl:
                     description: Channel playback URL.
                     type: string
+                  recordingConfigurationArn:
+                    description: Recording configuration ARN.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  type:
+                    description: 'Channel type, which determines the allowable resolution
+                      and bitrate. Valid values: STANDARD, BASIC.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ivs.aws.upbound.io_recordingconfigurations.yaml b/package/crds/ivs.aws.upbound.io_recordingconfigurations.yaml
index 549efcb3d6..6ed03e8bbd 100644
--- a/package/crds/ivs.aws.upbound.io_recordingconfigurations.yaml
+++ b/package/crds/ivs.aws.upbound.io_recordingconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -120,9 +124,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - destinationConfiguration
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -294,6 +312,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destinationConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinationConfiguration)
           status:
             description: RecordingConfigurationStatus defines the observed state of
               RecordingConfiguration.
@@ -303,17 +324,64 @@ spec:
                   arn:
                     description: ARN of the Recording Configuration.
                     type: string
+                  destinationConfiguration:
+                    description: Object containing destination configuration for where
+                      recorded video will be stored.
+                    items:
+                      properties:
+                        s3:
+                          description: S3 destination configuration where recorded
+                            videos will be stored.
+                          items:
+                            properties:
+                              bucketName:
+                                description: S3 bucket name where recorded videos
+                                  will be stored.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: Recording Configuration name.
+                    type: string
+                  recordingReconnectWindowSeconds:
+                    description: If a broadcast disconnects and then reconnects within
+                      the specified interval, the multiple streams will be considered
+                      a single broadcast and merged together.
+                    type: number
                   state:
                     description: The current state of the Recording Configuration.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  thumbnailConfiguration:
+                    description: Object containing information to enable/disable the
+                      recording of thumbnails for a live session and modify the interval
+                      at which thumbnails are generated for the live session.
+                    items:
+                      properties:
+                        recordingMode:
+                          description: 'Thumbnail recording mode. Valid values: DISABLED,
+                            INTERVAL.'
+                          type: string
+                        targetIntervalSeconds:
+                          description: The targeted thumbnail-generation interval
+                            in seconds.
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kafka.aws.upbound.io_clusters.yaml b/package/crds/kafka.aws.upbound.io_clusters.yaml
index 5217709dd1..f17c58ad52 100644
--- a/package/crds/kafka.aws.upbound.io_clusters.yaml
+++ b/package/crds/kafka.aws.upbound.io_clusters.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -873,12 +877,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - brokerNodeGroupInfo
-                - clusterName
-                - kafkaVersion
-                - numberOfBrokerNodes
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1050,6 +1065,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: brokerNodeGroupInfo is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.brokerNodeGroupInfo)
+            - message: clusterName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.clusterName)
+            - message: kafkaVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.kafkaVersion)
+            - message: numberOfBrokerNodes is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.numberOfBrokerNodes)
           status:
             description: ClusterStatus defines the observed state of Cluster.
             properties:
@@ -1125,12 +1149,307 @@ spec:
                       alphabetically. AWS may not always return all endpoints so the
                       values may not be stable across applies.
                     type: string
+                  brokerNodeGroupInfo:
+                    description: Configuration block for the broker nodes of the Kafka
+                      cluster.
+                    items:
+                      properties:
+                        azDistribution:
+                          description: The distribution of broker nodes across availability
+                            zones (documentation). Currently the only valid value
+                            is DEFAULT.
+                          type: string
+                        clientSubnets:
+                          description: A list of subnets to connect to in client VPC
+                            (documentation).
+                          items:
+                            type: string
+                          type: array
+                        connectivityInfo:
+                          description: Information about the cluster access configuration.
+                            See below. For security reasons, you can't turn on public
+                            access while creating an MSK cluster. However, you can
+                            update an existing cluster to make it publicly accessible.
+                            You can also create a new cluster and then update it to
+                            make it publicly accessible (documentation).
+                          items:
+                            properties:
+                              publicAccess:
+                                description: Access control settings for brokers.
+                                  See below.
+                                items:
+                                  properties:
+                                    type:
+                                      description: 'Public access type. Valida values:
+                                        DISABLED, SERVICE_PROVIDED_EIPS.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        ebsVolumeSize:
+                          description: The size in GiB of the EBS volume for the data
+                            drive on each broker node.
+                          type: number
+                        instanceType:
+                          description: Specify the instance type to use for the kafka
+                            brokersE.g., kafka.m5.large. (Pricing info)
+                          type: string
+                        securityGroups:
+                          description: A list of the security groups to associate
+                            with the elastic network interfaces to control who can
+                            communicate with the cluster.
+                          items:
+                            type: string
+                          type: array
+                        storageInfo:
+                          description: A block that contains information about storage
+                            volumes attached to MSK broker nodes. See below.
+                          items:
+                            properties:
+                              ebsStorageInfo:
+                                description: A block that contains EBS volume information.
+                                  See below.
+                                items:
+                                  properties:
+                                    provisionedThroughput:
+                                      description: A block that contains EBS volume
+                                        provisioned throughput information. To provision
+                                        storage throughput, you must choose broker
+                                        type kafka.m5.4xlarge or larger. See below.
+                                      items:
+                                        properties:
+                                          enabled:
+                                            description: 'Controls whether provisioned
+                                              throughput is enabled or not. Default
+                                              value: false.'
+                                            type: boolean
+                                          volumeThroughput:
+                                            description: Throughput value of the EBS
+                                              volumes for the data drive on each kafka
+                                              broker node in MiB per second. The minimum
+                                              value is 250. The maximum value varies
+                                              between broker type. You can refer to
+                                              the valid values for the maximum volume
+                                              throughput at the following documentation
+                                              on throughput bottlenecks
+                                            type: number
+                                        type: object
+                                      type: array
+                                    volumeSize:
+                                      description: The size in GiB of the EBS volume
+                                        for the data drive on each broker node. Minimum
+                                        value of 1 and maximum value of 16384.
+                                      type: number
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  clientAuthentication:
+                    description: Configuration block for specifying a client authentication.
+                      See below.
+                    items:
+                      properties:
+                        sasl:
+                          description: Configuration block for specifying SASL client
+                            authentication. See below.
+                          items:
+                            properties:
+                              iam:
+                                description: Enables IAM client authentication. Defaults
+                                  to false.
+                                type: boolean
+                              scram:
+                                description: Enables SCRAM client authentication via
+                                  AWS Secrets Manager. Defaults to false.
+                                type: boolean
+                            type: object
+                          type: array
+                        tls:
+                          description: Configuration block for specifying TLS client
+                            authentication. See below.
+                          items:
+                            properties:
+                              certificateAuthorityArns:
+                                description: List of ACM Certificate Authority Amazon
+                                  Resource Names (ARNs).
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        unauthenticated:
+                          description: Enables unauthenticated access.
+                          type: boolean
+                      type: object
+                    type: array
+                  clusterName:
+                    description: Name of the MSK cluster.
+                    type: string
+                  configurationInfo:
+                    description: Configuration block for specifying a MSK Configuration
+                      to attach to Kafka brokers. See below.
+                    items:
+                      properties:
+                        arn:
+                          description: Amazon Resource Name (ARN) of the MSK Configuration
+                            to use in the cluster.
+                          type: string
+                        revision:
+                          description: Revision of the MSK Configuration to use in
+                            the cluster.
+                          type: number
+                      type: object
+                    type: array
                   currentVersion:
                     description: Current version of the MSK Cluster used for updates,
                       e.g., K13V1IB3VIYZZH
                     type: string
+                  encryptionInfo:
+                    description: Configuration block for specifying encryption. See
+                      below.
+                    items:
+                      properties:
+                        encryptionAtRestKmsKeyArn:
+                          description: The ARN of the KMS key used for encryption
+                            at rest of the broker data volumes.
+                          type: string
+                        encryptionInTransit:
+                          description: Configuration block to specify encryption in
+                            transit. See below.
+                          items:
+                            properties:
+                              clientBroker:
+                                description: 'Encryption setting for data in transit
+                                  between clients and brokers. Valid values: TLS,
+                                  TLS_PLAINTEXT, and PLAINTEXT. Default value is TLS.'
+                                type: string
+                              inCluster:
+                                description: 'Whether data communication among broker
+                                  nodes is encrypted. Default value: true.'
+                                type: boolean
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  enhancedMonitoring:
+                    description: Specify the desired enhanced MSK CloudWatch monitoring
+                      level. See Monitoring Amazon MSK with Amazon CloudWatch
+                    type: string
                   id:
                     type: string
+                  kafkaVersion:
+                    description: Specify the desired Kafka software version.
+                    type: string
+                  loggingInfo:
+                    description: Configuration block for streaming broker logs to
+                      Cloudwatch/S3/Kinesis Firehose. See below.
+                    items:
+                      properties:
+                        brokerLogs:
+                          description: Configuration block for Broker Logs settings
+                            for logging info. See below.
+                          items:
+                            properties:
+                              cloudwatchLogs:
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: 'Controls whether provisioned throughput
+                                        is enabled or not. Default value: false.'
+                                      type: boolean
+                                    logGroup:
+                                      description: Name of the Cloudwatch Log Group
+                                        to deliver logs to.
+                                      type: string
+                                  type: object
+                                type: array
+                              firehose:
+                                items:
+                                  properties:
+                                    deliveryStream:
+                                      description: Name of the Kinesis Data Firehose
+                                        delivery stream to deliver logs to.
+                                      type: string
+                                    enabled:
+                                      description: 'Controls whether provisioned throughput
+                                        is enabled or not. Default value: false.'
+                                      type: boolean
+                                  type: object
+                                type: array
+                              s3:
+                                items:
+                                  properties:
+                                    bucket:
+                                      description: Name of the S3 bucket to deliver
+                                        logs to.
+                                      type: string
+                                    enabled:
+                                      description: 'Controls whether provisioned throughput
+                                        is enabled or not. Default value: false.'
+                                      type: boolean
+                                    prefix:
+                                      description: Prefix to append to the folder
+                                        name.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  numberOfBrokerNodes:
+                    description: The desired total number of broker nodes in the kafka
+                      cluster.  It must be a multiple of the number of specified client
+                      subnets.
+                    type: number
+                  openMonitoring:
+                    description: Configuration block for JMX and Node monitoring for
+                      the MSK cluster. See below.
+                    items:
+                      properties:
+                        prometheus:
+                          description: Configuration block for Prometheus settings
+                            for open monitoring. See below.
+                          items:
+                            properties:
+                              jmxExporter:
+                                description: Configuration block for JMX Exporter.
+                                  See below.
+                                items:
+                                  properties:
+                                    enabledInBroker:
+                                      description: Indicates whether you want to enable
+                                        or disable the JMX Exporter.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              nodeExporter:
+                                description: Configuration block for Node Exporter.
+                                  See below.
+                                items:
+                                  properties:
+                                    enabledInBroker:
+                                      description: Indicates whether you want to enable
+                                        or disable the JMX Exporter.
+                                      type: boolean
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  storageMode:
+                    description: 'Controls storage mode for supported storage tiers.
+                      Valid values are: LOCAL or TIERED.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/kafka.aws.upbound.io_configurations.yaml b/package/crds/kafka.aws.upbound.io_configurations.yaml
index cd4f946d74..9db2c10bf2 100644
--- a/package/crds/kafka.aws.upbound.io_configurations.yaml
+++ b/package/crds/kafka.aws.upbound.io_configurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -86,10 +90,23 @@ spec:
                       properties are documented in the MSK Developer Guide.
                     type: string
                 required:
-                - name
                 - region
-                - serverProperties
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -261,6 +278,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: serverProperties is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serverProperties)
           status:
             description: ConfigurationStatus defines the observed state of Configuration.
             properties:
@@ -269,11 +291,27 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the configuration.
                     type: string
+                  description:
+                    description: Description of the configuration.
+                    type: string
                   id:
                     type: string
+                  kafkaVersions:
+                    description: List of Apache Kafka versions which can use this
+                      configuration.
+                    items:
+                      type: string
+                    type: array
                   latestRevision:
                     description: Latest revision of the configuration.
                     type: number
+                  name:
+                    description: Name of the configuration.
+                    type: string
+                  serverProperties:
+                    description: Contents of the server.properties file. Supported
+                      properties are documented in the MSK Developer Guide.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kendra.aws.upbound.io_datasources.yaml b/package/crds/kendra.aws.upbound.io_datasources.yaml
index ce98d92231..9136209235 100644
--- a/package/crds/kendra.aws.upbound.io_datasources.yaml
+++ b/package/crds/kendra.aws.upbound.io_datasources.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1121,10 +1125,23 @@ spec:
                       list of values, refer to Valid Values for Type.
                     type: string
                 required:
-                - name
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1296,6 +1313,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: DataSourceStatus defines the observed state of DataSource.
             properties:
@@ -1304,34 +1326,660 @@ spec:
                   arn:
                     description: ARN of the Data Source.
                     type: string
-                  createdAt:
-                    description: The Unix timestamp of when the Data Source was created.
-                    type: string
-                  dataSourceId:
-                    description: The unique identifiers of the Data Source.
-                    type: string
-                  errorMessage:
-                    description: When the Status field value is FAILED, the ErrorMessage
-                      field contains a description of the error that caused the Data
-                      Source to fail.
-                    type: string
-                  id:
-                    description: The unique identifiers of the Data Source and index
-                      separated by a slash (/).
-                    type: string
-                  status:
-                    description: The current status of the Data Source. When the status
-                      is ACTIVE the Data Source is ready to use. When the status is
-                      FAILED, the error_message field contains the reason that the
-                      Data Source failed.
-                    type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: A map of tags assigned to the resource, including
-                      those inherited from the provider default_tags configuration
-                      block.
-                    type: object
+                  configuration:
+                    description: A block with the configuration information to connect
+                      to your Data Source repository. You can't specify the configuration
+                      argument when the type parameter is set to CUSTOM. Detailed
+                      below.
+                    items:
+                      properties:
+                        s3Configuration:
+                          description: A block that provides the configuration information
+                            to connect to an Amazon S3 bucket as your data source.
+                            Detailed below.
+                          items:
+                            properties:
+                              accessControlListConfiguration:
+                                description: A block that provides the path to the
+                                  S3 bucket that contains the user context filtering
+                                  files for the data source. For the format of the
+                                  file, see Access control for S3 data sources. Detailed
+                                  below.
+                                items:
+                                  properties:
+                                    keyPath:
+                                      description: Path to the AWS S3 bucket that
+                                        contains the ACL files.
+                                      type: string
+                                  type: object
+                                type: array
+                              bucketName:
+                                description: The name of the bucket that contains
+                                  the documents.
+                                type: string
+                              documentsMetadataConfiguration:
+                                description: A block that defines the Ddcument metadata
+                                  files that contain information such as the document
+                                  access control information, source URI, document
+                                  author, and custom attributes. Each metadata file
+                                  contains metadata about a single document. Detailed
+                                  below.
+                                items:
+                                  properties:
+                                    s3Prefix:
+                                      description: A prefix used to filter metadata
+                                        configuration files in the AWS S3 bucket.
+                                        The S3 bucket might contain multiple metadata
+                                        files. Use s3_prefix to include only the desired
+                                        metadata files.
+                                      type: string
+                                  type: object
+                                type: array
+                              exclusionPatterns:
+                                description: A list of glob patterns for documents
+                                  that should not be indexed. If a document that matches
+                                  an inclusion prefix or inclusion pattern also matches
+                                  an exclusion pattern, the document is not indexed.
+                                  Refer to Exclusion Patterns for more examples.
+                                items:
+                                  type: string
+                                type: array
+                              inclusionPatterns:
+                                description: A list of glob patterns for documents
+                                  that should be indexed. If a document that matches
+                                  an inclusion pattern also matches an exclusion pattern,
+                                  the document is not indexed. Refer to Inclusion
+                                  Patterns for more examples.
+                                items:
+                                  type: string
+                                type: array
+                              inclusionPrefixes:
+                                description: A list of S3 prefixes for the documents
+                                  that should be included in the index.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        webCrawlerConfiguration:
+                          description: A block that provides the configuration information
+                            required for Amazon Kendra Web Crawler. Detailed below.
+                          items:
+                            properties:
+                              authenticationConfiguration:
+                                description: A block with the configuration information
+                                  required to connect to websites using authentication.
+                                  You can connect to websites using basic authentication
+                                  of user name and password. You use a secret in AWS
+                                  Secrets Manager to store your authentication credentials.
+                                  You must provide the website host name and port
+                                  number. For example, the host name of https://a.example.com/page1.html
+                                  is "a.example.com" and the port is 443, the standard
+                                  port for HTTPS. Detailed below.
+                                items:
+                                  properties:
+                                    basicAuthentication:
+                                      description: The list of configuration information
+                                        that's required to connect to and crawl a
+                                        website host using basic authentication credentials.
+                                        The list includes the name and port number
+                                        of the website host. Detailed below.
+                                      items:
+                                        properties:
+                                          credentials:
+                                            description: Your secret ARN, which you
+                                              can create in AWS Secrets Manager. You
+                                              use a secret if basic authentication
+                                              credentials are required to connect
+                                              to a website. The secret stores your
+                                              credentials of user name and password.
+                                            type: string
+                                          host:
+                                            description: The name of the website host
+                                              you want to connect to using authentication
+                                              credentials. For example, the host name
+                                              of https://a.example.com/page1.html
+                                              is "a.example.com".
+                                            type: string
+                                          port:
+                                            description: The port number of the website
+                                              host you want to connect to using authentication
+                                              credentials. For example, the port for
+                                              https://a.example.com/page1.html is
+                                              443, the standard port for HTTPS.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              crawlDepth:
+                                description: Specifies the number of levels in a website
+                                  that you want to crawl. The first level begins from
+                                  the website seed or starting point URL. For example,
+                                  if a website has 3 levels – index level (i.e. seed
+                                  in this example), sections level, and subsections
+                                  level – and you are only interested in crawling
+                                  information up to the sections level (i.e. levels
+                                  0-1), you can set your depth to 1. The default crawl
+                                  depth is set to 2. Minimum value of 0. Maximum value
+                                  of 10.
+                                type: number
+                              maxContentSizePerPageInMegaBytes:
+                                description: The maximum size (in MB) of a webpage
+                                  or attachment to crawl. Files larger than this size
+                                  (in MB) are skipped/not crawled. The default maximum
+                                  size of a webpage or attachment is set to 50 MB.
+                                  Minimum value of 1.0e-06. Maximum value of 50.
+                                type: number
+                              maxLinksPerPage:
+                                description: The maximum number of URLs on a webpage
+                                  to include when crawling a website. This number
+                                  is per webpage. As a website’s webpages are crawled,
+                                  any URLs the webpages link to are also crawled.
+                                  URLs on a webpage are crawled in order of appearance.
+                                  The default maximum links per page is 100. Minimum
+                                  value of 1. Maximum value of 1000.
+                                type: number
+                              maxUrlsPerMinuteCrawlRate:
+                                description: The maximum number of URLs crawled per
+                                  website host per minute. The default maximum number
+                                  of URLs crawled per website host per minute is 300.
+                                  Minimum value of 1. Maximum value of 300.
+                                type: number
+                              proxyConfiguration:
+                                description: Configuration information required to
+                                  connect to your internal websites via a web proxy.
+                                  You must provide the website host name and port
+                                  number. For example, the host name of https://a.example.com/page1.html
+                                  is "a.example.com" and the port is 443, the standard
+                                  port for HTTPS. Web proxy credentials are optional
+                                  and you can use them to connect to a web proxy server
+                                  that requires basic authentication. To store web
+                                  proxy credentials, you use a secret in AWS Secrets
+                                  Manager. Detailed below.
+                                items:
+                                  properties:
+                                    credentials:
+                                      description: Your secret ARN, which you can
+                                        create in AWS Secrets Manager. You use a secret
+                                        if basic authentication credentials are required
+                                        to connect to a website. The secret stores
+                                        your credentials of user name and password.
+                                      type: string
+                                    host:
+                                      description: The name of the website host you
+                                        want to connect to using authentication credentials.
+                                        For example, the host name of https://a.example.com/page1.html
+                                        is "a.example.com".
+                                      type: string
+                                    port:
+                                      description: The port number of the website
+                                        host you want to connect to using authentication
+                                        credentials. For example, the port for https://a.example.com/page1.html
+                                        is 443, the standard port for HTTPS.
+                                      type: number
+                                  type: object
+                                type: array
+                              urlExclusionPatterns:
+                                description: 'A list of regular expression patterns
+                                  to exclude certain URLs to crawl. URLs that match
+                                  the patterns are excluded from the index. URLs that
+                                  don''t match the patterns are included in the index.
+                                  If a URL matches both an inclusion and exclusion
+                                  pattern, the exclusion pattern takes precedence
+                                  and the URL file isn''t included in the index. Array
+                                  Members: Minimum number of 0 items. Maximum number
+                                  of 100 items. Length Constraints: Minimum length
+                                  of 1. Maximum length of 150.'
+                                items:
+                                  type: string
+                                type: array
+                              urlInclusionPatterns:
+                                description: 'A list of regular expression patterns
+                                  to include certain URLs to crawl. URLs that match
+                                  the patterns are included in the index. URLs that
+                                  don''t match the patterns are excluded from the
+                                  index. If a URL matches both an inclusion and exclusion
+                                  pattern, the exclusion pattern takes precedence
+                                  and the URL file isn''t included in the index. Array
+                                  Members: Minimum number of 0 items. Maximum number
+                                  of 100 items. Length Constraints: Minimum length
+                                  of 1. Maximum length of 150.'
+                                items:
+                                  type: string
+                                type: array
+                              urls:
+                                description: A block that specifies the seed or starting
+                                  point URLs of the websites or the sitemap URLs of
+                                  the websites you want to crawl. You can include
+                                  website subdomains. You can list up to 100 seed
+                                  URLs and up to 3 sitemap URLs. You can only crawl
+                                  websites that use the secure communication protocol,
+                                  Hypertext Transfer Protocol Secure (HTTPS). If you
+                                  receive an error when crawling a website, it could
+                                  be that the website is blocked from crawling. When
+                                  selecting websites to index, you must adhere to
+                                  the Amazon Acceptable Use Policy and all other Amazon
+                                  terms. Remember that you must only use Amazon Kendra
+                                  Web Crawler to index your own webpages, or webpages
+                                  that you have authorization to index. Detailed below.
+                                items:
+                                  properties:
+                                    seedUrlConfiguration:
+                                      description: A block that specifies the configuration
+                                        of the seed or starting point URLs of the
+                                        websites you want to crawl. You can choose
+                                        to crawl only the website host names, or the
+                                        website host names with subdomains, or the
+                                        website host names with subdomains and other
+                                        domains that the webpages link to. You can
+                                        list up to 100 seed URLs. Detailed below.
+                                      items:
+                                        properties:
+                                          seedUrls:
+                                            description: 'The list of seed or starting
+                                              point URLs of the websites you want
+                                              to crawl. The list can include a maximum
+                                              of 100 seed URLs. Array Members: Minimum
+                                              number of 0 items. Maximum number of
+                                              100 items. Length Constraints: Minimum
+                                              length of 1. Maximum length of 2048.'
+                                            items:
+                                              type: string
+                                            type: array
+                                          webCrawlerMode:
+                                            description: 'The default mode is set
+                                              to HOST_ONLY. You can choose one of
+                                              the following modes:'
+                                            type: string
+                                        type: object
+                                      type: array
+                                    siteMapsConfiguration:
+                                      description: A block that specifies the configuration
+                                        of the sitemap URLs of the websites you want
+                                        to crawl. Only URLs belonging to the same
+                                        website host names are crawled. You can list
+                                        up to 3 sitemap URLs. Detailed below.
+                                      items:
+                                        properties:
+                                          siteMaps:
+                                            description: The list of sitemap URLs
+                                              of the websites you want to crawl. The
+                                              list can include a maximum of 3 sitemap
+                                              URLs.
+                                            items:
+                                              type: string
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  createdAt:
+                    description: The Unix timestamp of when the Data Source was created.
+                    type: string
+                  customDocumentEnrichmentConfiguration:
+                    description: A block with the configuration information for altering
+                      document metadata and content during the document ingestion
+                      process. For more information on how to create, modify and delete
+                      document metadata, or make other content alterations when you
+                      ingest documents into Amazon Kendra, see Customizing document
+                      metadata during the ingestion process. Detailed below.
+                    items:
+                      properties:
+                        inlineConfigurations:
+                          description: Configuration information to alter document
+                            attributes or metadata fields and content when ingesting
+                            documents into Amazon Kendra. Minimum number of 0 items.
+                            Maximum number of 100 items. Detailed below.
+                          items:
+                            properties:
+                              condition:
+                                description: Configuration of the condition used for
+                                  the target document attribute or metadata field
+                                  when ingesting documents into Amazon Kendra. See
+                                  Document Attribute Condition.
+                                items:
+                                  properties:
+                                    conditionDocumentAttributeKey:
+                                      description: The identifier of the document
+                                        attribute used for the condition. For example,
+                                        _source_uri could be an identifier for the
+                                        attribute or metadata field that contains
+                                        source URIs associated with the documents.
+                                        Amazon Kendra currently does not support _document_body
+                                        as an attribute key used for the condition.
+                                      type: string
+                                    conditionOnValue:
+                                      description: The value used by the operator.
+                                        For example, you can specify the value 'financial'
+                                        for strings in the _source_uri field that
+                                        partially match or contain this value. See
+                                        Document Attribute Value.
+                                      items:
+                                        properties:
+                                          dateValue:
+                                            description: A date expressed as an ISO
+                                              8601 string. It is important for the
+                                              time zone to be included in the ISO
+                                              8601 date-time format. As of this writing
+                                              only UTC is supported. For example,
+                                              2012-03-25T12:30:10+00:00.
+                                            type: string
+                                          longValue:
+                                            description: A long integer value.
+                                            type: number
+                                          stringListValue:
+                                            description: A list of strings.
+                                            items:
+                                              type: string
+                                            type: array
+                                          stringValue:
+                                            type: string
+                                        type: object
+                                      type: array
+                                    operator:
+                                      description: 'The condition operator. For example,
+                                        you can use Contains to partially match a
+                                        string. Valid Values: GreaterThan | GreaterThanOrEquals
+                                        | LessThan | LessThanOrEquals | Equals | NotEquals
+                                        | Contains | NotContains | Exists | NotExists
+                                        | BeginsWith.'
+                                      type: string
+                                  type: object
+                                type: array
+                              documentContentDeletion:
+                                description: TRUE to delete content if the condition
+                                  used for the target attribute is met.
+                                type: boolean
+                              target:
+                                description: Configuration of the target document
+                                  attribute or metadata field when ingesting documents
+                                  into Amazon Kendra. You can also include a value.
+                                  Detailed below.
+                                items:
+                                  properties:
+                                    targetDocumentAttributeKey:
+                                      description: The identifier of the target document
+                                        attribute or metadata field. For example,
+                                        'Department' could be an identifier for the
+                                        target attribute or metadata field that includes
+                                        the department names associated with the documents.
+                                      type: string
+                                    targetDocumentAttributeValue:
+                                      description: The target value you want to create
+                                        for the target attribute. For example, 'Finance'
+                                        could be the target value for the target attribute
+                                        key 'Department'. See Document Attribute Value.
+                                      items:
+                                        properties:
+                                          dateValue:
+                                            description: A date expressed as an ISO
+                                              8601 string. It is important for the
+                                              time zone to be included in the ISO
+                                              8601 date-time format. As of this writing
+                                              only UTC is supported. For example,
+                                              2012-03-25T12:30:10+00:00.
+                                            type: string
+                                          longValue:
+                                            description: A long integer value.
+                                            type: number
+                                          stringListValue:
+                                            description: A list of strings.
+                                            items:
+                                              type: string
+                                            type: array
+                                          stringValue:
+                                            type: string
+                                        type: object
+                                      type: array
+                                    targetDocumentAttributeValueDeletion:
+                                      description: TRUE to delete the existing target
+                                        value for your specified target attribute
+                                        key. You cannot create a target value and
+                                        set this to TRUE. To create a target value
+                                        (TargetDocumentAttributeValue), set this to
+                                        FALSE.
+                                      type: boolean
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        postExtractionHookConfiguration:
+                          description: A block that specifies the configuration information
+                            for invoking a Lambda function in AWS Lambda on the structured
+                            documents with their metadata and text extracted. You
+                            can use a Lambda function to apply advanced logic for
+                            creating, modifying, or deleting document metadata and
+                            content. For more information, see Advanced data manipulation.
+                            Detailed below.
+                          items:
+                            properties:
+                              invocationCondition:
+                                description: A block that specifies the condition
+                                  used for when a Lambda function should be invoked.
+                                  For example, you can specify a condition that if
+                                  there are empty date-time values, then Amazon Kendra
+                                  should invoke a function that inserts the current
+                                  date-time. See Document Attribute Condition.
+                                items:
+                                  properties:
+                                    conditionDocumentAttributeKey:
+                                      description: The identifier of the document
+                                        attribute used for the condition. For example,
+                                        _source_uri could be an identifier for the
+                                        attribute or metadata field that contains
+                                        source URIs associated with the documents.
+                                        Amazon Kendra currently does not support _document_body
+                                        as an attribute key used for the condition.
+                                      type: string
+                                    conditionOnValue:
+                                      description: The value used by the operator.
+                                        For example, you can specify the value 'financial'
+                                        for strings in the _source_uri field that
+                                        partially match or contain this value. See
+                                        Document Attribute Value.
+                                      items:
+                                        properties:
+                                          dateValue:
+                                            description: A date expressed as an ISO
+                                              8601 string. It is important for the
+                                              time zone to be included in the ISO
+                                              8601 date-time format. As of this writing
+                                              only UTC is supported. For example,
+                                              2012-03-25T12:30:10+00:00.
+                                            type: string
+                                          longValue:
+                                            description: A long integer value.
+                                            type: number
+                                          stringListValue:
+                                            description: A list of strings.
+                                            items:
+                                              type: string
+                                            type: array
+                                          stringValue:
+                                            type: string
+                                        type: object
+                                      type: array
+                                    operator:
+                                      description: 'The condition operator. For example,
+                                        you can use Contains to partially match a
+                                        string. Valid Values: GreaterThan | GreaterThanOrEquals
+                                        | LessThan | LessThanOrEquals | Equals | NotEquals
+                                        | Contains | NotContains | Exists | NotExists
+                                        | BeginsWith.'
+                                      type: string
+                                  type: object
+                                type: array
+                              lambdaArn:
+                                description: The Amazon Resource Name (ARN) of a Lambda
+                                  Function that can manipulate your document metadata
+                                  fields or attributes and content.
+                                type: string
+                              s3Bucket:
+                                description: Stores the original, raw documents or
+                                  the structured, parsed documents before and after
+                                  altering them. For more information, see Data contracts
+                                  for Lambda functions.
+                                type: string
+                            type: object
+                          type: array
+                        preExtractionHookConfiguration:
+                          description: Configuration information for invoking a Lambda
+                            function in AWS Lambda on the original or raw documents
+                            before extracting their metadata and text. You can use
+                            a Lambda function to apply advanced logic for creating,
+                            modifying, or deleting document metadata and content.
+                            For more information, see Advanced data manipulation.
+                            Detailed below.
+                          items:
+                            properties:
+                              invocationCondition:
+                                description: A block that specifies the condition
+                                  used for when a Lambda function should be invoked.
+                                  For example, you can specify a condition that if
+                                  there are empty date-time values, then Amazon Kendra
+                                  should invoke a function that inserts the current
+                                  date-time. See Document Attribute Condition.
+                                items:
+                                  properties:
+                                    conditionDocumentAttributeKey:
+                                      description: The identifier of the document
+                                        attribute used for the condition. For example,
+                                        _source_uri could be an identifier for the
+                                        attribute or metadata field that contains
+                                        source URIs associated with the documents.
+                                        Amazon Kendra currently does not support _document_body
+                                        as an attribute key used for the condition.
+                                      type: string
+                                    conditionOnValue:
+                                      description: The value used by the operator.
+                                        For example, you can specify the value 'financial'
+                                        for strings in the _source_uri field that
+                                        partially match or contain this value. See
+                                        Document Attribute Value.
+                                      items:
+                                        properties:
+                                          dateValue:
+                                            description: A date expressed as an ISO
+                                              8601 string. It is important for the
+                                              time zone to be included in the ISO
+                                              8601 date-time format. As of this writing
+                                              only UTC is supported. For example,
+                                              2012-03-25T12:30:10+00:00.
+                                            type: string
+                                          longValue:
+                                            description: A long integer value.
+                                            type: number
+                                          stringListValue:
+                                            description: A list of strings.
+                                            items:
+                                              type: string
+                                            type: array
+                                          stringValue:
+                                            type: string
+                                        type: object
+                                      type: array
+                                    operator:
+                                      description: 'The condition operator. For example,
+                                        you can use Contains to partially match a
+                                        string. Valid Values: GreaterThan | GreaterThanOrEquals
+                                        | LessThan | LessThanOrEquals | Equals | NotEquals
+                                        | Contains | NotContains | Exists | NotExists
+                                        | BeginsWith.'
+                                      type: string
+                                  type: object
+                                type: array
+                              lambdaArn:
+                                description: The Amazon Resource Name (ARN) of a Lambda
+                                  Function that can manipulate your document metadata
+                                  fields or attributes and content.
+                                type: string
+                              s3Bucket:
+                                description: Stores the original, raw documents or
+                                  the structured, parsed documents before and after
+                                  altering them. For more information, see Data contracts
+                                  for Lambda functions.
+                                type: string
+                            type: object
+                          type: array
+                        roleArn:
+                          description: The Amazon Resource Name (ARN) of a role with
+                            permission to run pre_extraction_hook_configuration and
+                            post_extraction_hook_configuration for altering document
+                            metadata and content during the document ingestion process.
+                            For more information, see IAM roles for Amazon Kendra.
+                          type: string
+                      type: object
+                    type: array
+                  dataSourceId:
+                    description: The unique identifiers of the Data Source.
+                    type: string
+                  description:
+                    description: A description for the Data Source connector.
+                    type: string
+                  errorMessage:
+                    description: When the Status field value is FAILED, the ErrorMessage
+                      field contains a description of the error that caused the Data
+                      Source to fail.
+                    type: string
+                  id:
+                    description: The unique identifiers of the Data Source and index
+                      separated by a slash (/).
+                    type: string
+                  indexId:
+                    description: The identifier of the index for your Amazon Kendra
+                      data_source.
+                    type: string
+                  languageCode:
+                    description: The code for a language. This allows you to support
+                      a language for all documents when creating the Data Source connector.
+                      English is supported by default. For more information on supported
+                      languages, including their codes, see Adding documents in languages
+                      other than English.
+                    type: string
+                  name:
+                    description: A name for your Data Source connector.
+                    type: string
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of a role with permission
+                      to access the data source connector. For more information, see
+                      IAM roles for Amazon Kendra. You can't specify the role_arn
+                      parameter when the type parameter is set to CUSTOM. The role_arn
+                      parameter is required for all other data sources.
+                    type: string
+                  schedule:
+                    description: Sets the frequency for Amazon Kendra to check the
+                      documents in your Data Source repository and update the index.
+                      If you don't set a schedule Amazon Kendra will not periodically
+                      update the index. You can call the StartDataSourceSyncJob API
+                      to update the index.
+                    type: string
+                  status:
+                    description: The current status of the Data Source. When the status
+                      is ACTIVE the Data Source is ready to use. When the status is
+                      FAILED, the error_message field contains the reason that the
+                      Data Source failed.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: A map of tags assigned to the resource, including
+                      those inherited from the provider default_tags configuration
+                      block.
+                    type: object
+                  type:
+                    description: The type of data source repository. For an updated
+                      list of values, refer to Valid Values for Type.
+                    type: string
                   updatedAt:
                     description: The Unix timestamp of when the Data Source was last
                       updated.
diff --git a/package/crds/kendra.aws.upbound.io_experiences.yaml b/package/crds/kendra.aws.upbound.io_experiences.yaml
index 0be359098f..3bb9748508 100644
--- a/package/crds/kendra.aws.upbound.io_experiences.yaml
+++ b/package/crds/kendra.aws.upbound.io_experiences.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -277,9 +281,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -451,6 +469,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ExperienceStatus defines the observed state of Experience.
             properties:
@@ -459,6 +480,54 @@ spec:
                   arn:
                     description: ARN of the Experience.
                     type: string
+                  configuration:
+                    description: Configuration information for your Amazon Kendra
+                      experience. Detailed below.
+                    items:
+                      properties:
+                        contentSourceConfiguration:
+                          description: The identifiers of your data sources and FAQs.
+                            Or, you can specify that you want to use documents indexed
+                            via the BatchPutDocument API. Detailed below.
+                          items:
+                            properties:
+                              dataSourceIds:
+                                description: The identifiers of the data sources you
+                                  want to use for your Amazon Kendra experience. Maximum
+                                  number of 100 items.
+                                items:
+                                  type: string
+                                type: array
+                              directPutContent:
+                                description: Whether to use documents you indexed
+                                  directly using the BatchPutDocument API. Defaults
+                                  to false.
+                                type: boolean
+                              faqIds:
+                                description: The identifier of the FAQs that you want
+                                  to use for your Amazon Kendra experience. Maximum
+                                  number of 100 items.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        userIdentityConfiguration:
+                          description: The AWS SSO field name that contains the identifiers
+                            of your users, such as their emails. Detailed below.
+                          items:
+                            properties:
+                              identityAttributeName:
+                                description: The AWS SSO field name that contains
+                                  the identifiers of your users, such as their emails.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  description:
+                    description: A description for your Amazon Kendra experience.
+                    type: string
                   endpoints:
                     description: Shows the endpoint URLs for your Amazon Kendra experiences.
                       The URLs are unique and fully hosted by AWS.
@@ -480,6 +549,19 @@ spec:
                     description: The unique identifiers of the experience and index
                       separated by a slash (/).
                     type: string
+                  indexId:
+                    description: The identifier of the index for your Amazon Kendra
+                      experience.
+                    type: string
+                  name:
+                    description: A name for your Amazon Kendra experience.
+                    type: string
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of a role with permission
+                      to access Query API, QuerySuggestions API, SubmitFeedback API,
+                      and AWS SSO that stores your user and group information. For
+                      more information, see IAM roles for Amazon Kendra.
+                    type: string
                   status:
                     description: The current processing status of your Amazon Kendra
                       experience.
diff --git a/package/crds/kendra.aws.upbound.io_indices.yaml b/package/crds/kendra.aws.upbound.io_indices.yaml
index 6e43548d13..a6517d16bf 100644
--- a/package/crds/kendra.aws.upbound.io_indices.yaml
+++ b/package/crds/kendra.aws.upbound.io_indices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -378,9 +382,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -552,6 +570,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: IndexStatus defines the observed state of Index.
             properties:
@@ -560,9 +581,128 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Index.
                     type: string
+                  capacityUnits:
+                    description: A block that sets the number of additional document
+                      storage and query capacity units that should be used by the
+                      index. Detailed below.
+                    items:
+                      properties:
+                        queryCapacityUnits:
+                          description: The amount of extra query capacity for an index
+                            and GetQuerySuggestions capacity. For more information,
+                            refer to QueryCapacityUnits.
+                          type: number
+                        storageCapacityUnits:
+                          description: The amount of extra storage capacity for an
+                            index. A single capacity unit provides 30 GB of storage
+                            space or 100,000 documents, whichever is reached first.
+                            Minimum value of 0.
+                          type: number
+                      type: object
+                    type: array
                   createdAt:
                     description: The Unix datetime that the index was created.
                     type: string
+                  description:
+                    description: The description of the Index.
+                    type: string
+                  documentMetadataConfigurationUpdates:
+                    description: One or more blocks that specify the configuration
+                      settings for any metadata applied to the documents in the index.
+                      Minimum number of 0 items. Maximum number of 500 items. If specified,
+                      you must define all elements, including those that are provided
+                      by default. These index fields are documented at Amazon Kendra
+                      Index documentation. For an example resource that defines these
+                      default index fields, refer to the default example above. For
+                      an example resource that appends additional index fields, refer
+                      to the append example above. All arguments for each block must
+                      be specified. Note that blocks cannot be removed since index
+                      fields cannot be deleted. This argument is detailed below.
+                    items:
+                      properties:
+                        name:
+                          description: The name of the index field. Minimum length
+                            of 1. Maximum length of 30.
+                          type: string
+                        relevance:
+                          description: A block that provides manual tuning parameters
+                            to determine how the field affects the search results.
+                            Detailed below
+                          items:
+                            properties:
+                              duration:
+                                description: Specifies the time period that the boost
+                                  applies to. For more information, refer to Duration.
+                                type: string
+                              freshness:
+                                description: Indicates that this field determines
+                                  how "fresh" a document is. For more information,
+                                  refer to Freshness.
+                                type: boolean
+                              importance:
+                                description: The relative importance of the field
+                                  in the search. Larger numbers provide more of a
+                                  boost than smaller numbers. Minimum value of 1.
+                                  Maximum value of 10.
+                                type: number
+                              rankOrder:
+                                description: Determines how values should be interpreted.
+                                  For more information, refer to RankOrder.
+                                type: string
+                              valuesImportanceMap:
+                                additionalProperties:
+                                  type: number
+                                description: A list of values that should be given
+                                  a different boost when they appear in the result
+                                  list. For more information, refer to ValueImportanceMap.
+                                type: object
+                            type: object
+                          type: array
+                        search:
+                          description: A block that provides information about how
+                            the field is used during a search. Documented below. Detailed
+                            below
+                          items:
+                            properties:
+                              displayable:
+                                description: Determines whether the field is returned
+                                  in the query response. The default is true.
+                                type: boolean
+                              facetable:
+                                description: Indicates that the field can be used
+                                  to create search facets, a count of results for
+                                  each value in the field. The default is false.
+                                type: boolean
+                              searchable:
+                                description: Determines whether the field is used
+                                  in the search. If the Searchable field is true,
+                                  you can use relevance tuning to manually tune how
+                                  Amazon Kendra weights the field in the search. The
+                                  default is true for string fields and false for
+                                  number and date fields.
+                                type: boolean
+                              sortable:
+                                description: Determines whether the field can be used
+                                  to sort the results of a query. If you specify sorting
+                                  on a field that does not have Sortable set to true,
+                                  Amazon Kendra returns an exception. The default
+                                  is false.
+                                type: boolean
+                            type: object
+                          type: array
+                        type:
+                          description: The data type of the index field. Valid values
+                            are STRING_VALUE, STRING_LIST_VALUE, LONG_VALUE, DATE_VALUE.
+                          type: string
+                      type: object
+                    type: array
+                  edition:
+                    description: The Amazon Kendra edition to use for the index. Choose
+                      DEVELOPER_EDITION for indexes intended for development, testing,
+                      or proof of concept. Use ENTERPRISE_EDITION for your production
+                      databases. Once you set the edition for an index, it can't be
+                      changed. Defaults to ENTERPRISE_EDITION
+                    type: string
                   errorMessage:
                     description: When the Status field value is FAILED, this contains
                       a message that explains why.
@@ -603,12 +743,40 @@ spec:
                           type: array
                       type: object
                     type: array
+                  name:
+                    description: Specifies the name of the Index.
+                    type: string
+                  roleArn:
+                    description: An AWS Identity and Access Management (IAM) role
+                      that gives Amazon Kendra permissions to access your Amazon CloudWatch
+                      logs and metrics. This is also the role you use when you call
+                      the BatchPutDocument API to index documents from an Amazon S3
+                      bucket.
+                    type: string
+                  serverSideEncryptionConfiguration:
+                    description: A block that specifies the identifier of the AWS
+                      KMS customer managed key (CMK) that's used to encrypt data indexed
+                      by Amazon Kendra. Amazon Kendra doesn't support asymmetric CMKs.
+                      Detailed below.
+                    items:
+                      properties:
+                        kmsKeyId:
+                          description: The identifier of the AWS KMScustomer master
+                            key (CMK). Amazon Kendra doesn't support asymmetric CMKs.
+                          type: string
+                      type: object
+                    type: array
                   status:
                     description: The current status of the index. When the value is
                       ACTIVE, the index is ready for use. If the Status field value
                       is FAILED, the error_message field contains a message that explains
                       why.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -619,6 +787,85 @@ spec:
                   updatedAt:
                     description: The Unix datetime that the index was last updated.
                     type: string
+                  userContextPolicy:
+                    description: The user context policy. Valid values are ATTRIBUTE_FILTER
+                      or USER_TOKEN. For more information, refer to UserContextPolicy.
+                      Defaults to ATTRIBUTE_FILTER.
+                    type: string
+                  userGroupResolutionConfiguration:
+                    description: A block that enables fetching access levels of groups
+                      and users from an AWS Single Sign-On identity source. To configure
+                      this, see UserGroupResolutionConfiguration. Detailed below.
+                    items:
+                      properties:
+                        userGroupResolutionMode:
+                          description: The identity store provider (mode) you want
+                            to use to fetch access levels of groups and users. AWS
+                            Single Sign-On is currently the only available mode. Your
+                            users and groups must exist in an AWS SSO identity source
+                            in order to use this mode. Valid Values are AWS_SSO or
+                            NONE.
+                          type: string
+                      type: object
+                    type: array
+                  userTokenConfigurations:
+                    description: A block that specifies the user token configuration.
+                      Detailed below.
+                    items:
+                      properties:
+                        jsonTokenTypeConfiguration:
+                          description: A block that specifies the information about
+                            the JSON token type configuration. Detailed below.
+                          items:
+                            properties:
+                              groupAttributeField:
+                                description: The group attribute field. Minimum length
+                                  of 1. Maximum length of 2048.
+                                type: string
+                              userNameAttributeField:
+                                description: The user name attribute field. Minimum
+                                  length of 1. Maximum length of 2048.
+                                type: string
+                            type: object
+                          type: array
+                        jwtTokenTypeConfiguration:
+                          description: A block that specifies the information about
+                            the JWT token type configuration. Detailed below.
+                          items:
+                            properties:
+                              claimRegex:
+                                description: The regular expression that identifies
+                                  the claim. Minimum length of 1. Maximum length of
+                                  100.
+                                type: string
+                              groupAttributeField:
+                                description: The group attribute field. Minimum length
+                                  of 1. Maximum length of 2048.
+                                type: string
+                              issuer:
+                                description: The issuer of the token. Minimum length
+                                  of 1. Maximum length of 65.
+                                type: string
+                              keyLocation:
+                                description: The location of the key. Valid values
+                                  are URL or SECRET_MANAGER
+                                type: string
+                              secretsManagerArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  secret.
+                                type: string
+                              url:
+                                description: The signing key URL. Valid pattern is
+                                  ^(https?|ftp|file):\/\/([^\s]*)
+                                type: string
+                              userNameAttributeField:
+                                description: The user name attribute field. Minimum
+                                  length of 1. Maximum length of 2048.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kendra.aws.upbound.io_querysuggestionsblocklists.yaml b/package/crds/kendra.aws.upbound.io_querysuggestionsblocklists.yaml
index 756ca03bd2..42900760a9 100644
--- a/package/crds/kendra.aws.upbound.io_querysuggestionsblocklists.yaml
+++ b/package/crds/kendra.aws.upbound.io_querysuggestionsblocklists.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -329,10 +333,23 @@ spec:
                       matching keys will overwrite those defined at the provider-level.
                     type: object
                 required:
-                - name
                 - region
-                - sourceS3Path
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -504,6 +521,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: sourceS3Path is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceS3Path)
           status:
             description: QuerySuggestionsBlockListStatus defines the observed state
               of QuerySuggestionsBlockList.
@@ -513,13 +535,47 @@ spec:
                   arn:
                     description: ARN of the block list.
                     type: string
+                  description:
+                    description: The description for a block list.
+                    type: string
                   id:
                     type: string
+                  indexId:
+                    description: The identifier of the index for a block list.
+                    type: string
+                  name:
+                    description: The name for the block list.
+                    type: string
                   querySuggestionsBlockListId:
                     description: The unique indentifier of the block list.
                     type: string
+                  roleArn:
+                    description: The IAM (Identity and Access Management) role used
+                      to access the block list text file in S3.
+                    type: string
+                  sourceS3Path:
+                    description: The S3 path where your block list text file sits
+                      in S3. Detailed below.
+                    items:
+                      properties:
+                        bucket:
+                          description: The name of the S3 bucket that contains the
+                            file.
+                          type: string
+                        key:
+                          description: The name of the file.
+                          type: string
+                      type: object
+                    type: array
                   status:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags. If configured with
+                      a provider default_tags configuration block present, tags with
+                      matching keys will overwrite those defined at the provider-level.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/kendra.aws.upbound.io_thesaurus.yaml b/package/crds/kendra.aws.upbound.io_thesaurus.yaml
index a1fa742093..eb10f0c44b 100644
--- a/package/crds/kendra.aws.upbound.io_thesaurus.yaml
+++ b/package/crds/kendra.aws.upbound.io_thesaurus.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -400,10 +404,23 @@ spec:
                       matching keys will overwrite those defined at the provider-level.
                     type: object
                 required:
-                - name
                 - region
-                - sourceS3Path
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -575,6 +592,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: sourceS3Path is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sourceS3Path)
           status:
             description: ThesaurusStatus defines the observed state of Thesaurus.
             properties:
@@ -583,13 +605,47 @@ spec:
                   arn:
                     description: ARN of the thesaurus.
                     type: string
+                  description:
+                    description: The description for a thesaurus.
+                    type: string
                   id:
                     description: The unique identifiers of the thesaurus and index
                       separated by a slash (/).
                     type: string
+                  indexId:
+                    description: The identifier of the index for a thesaurus.
+                    type: string
+                  name:
+                    description: The name for the thesaurus.
+                    type: string
+                  roleArn:
+                    description: The IAM (Identity and Access Management) role used
+                      to access the thesaurus file in S3.
+                    type: string
+                  sourceS3Path:
+                    description: The S3 path where your thesaurus file sits in S3.
+                      Detailed below.
+                    items:
+                      properties:
+                        bucket:
+                          description: The name of the S3 bucket that contains the
+                            file.
+                          type: string
+                        key:
+                          description: The name of the file.
+                          type: string
+                      type: object
+                    type: array
                   status:
                     description: The current status of the thesaurus.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags. If configured with
+                      a provider default_tags configuration block present, tags with
+                      matching keys will overwrite those defined at the provider-level.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/keyspaces.aws.upbound.io_keyspaces.yaml b/package/crds/keyspaces.aws.upbound.io_keyspaces.yaml
index 91e8648628..0bae85f326 100644
--- a/package/crds/keyspaces.aws.upbound.io_keyspaces.yaml
+++ b/package/crds/keyspaces.aws.upbound.io_keyspaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,6 +80,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,6 +277,11 @@ spec:
                   id:
                     description: The name of the keyspace.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/keyspaces.aws.upbound.io_tables.yaml b/package/crds/keyspaces.aws.upbound.io_tables.yaml
index 7ce8aa286b..76990b8592 100644
--- a/package/crds/keyspaces.aws.upbound.io_tables.yaml
+++ b/package/crds/keyspaces.aws.upbound.io_tables.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -300,9 +304,22 @@ spec:
                     type: array
                 required:
                 - region
-                - schemaDefinition
-                - tableName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -474,6 +491,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: schemaDefinition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schemaDefinition)
+            - message: tableName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tableName)
           status:
             description: TableStatus defines the observed state of Table.
             properties:
@@ -482,8 +504,137 @@ spec:
                   arn:
                     description: The ARN of the table.
                     type: string
+                  capacitySpecification:
+                    description: Specifies the read/write throughput capacity mode
+                      for the table.
+                    items:
+                      properties:
+                        readCapacityUnits:
+                          description: The throughput capacity specified for read
+                            operations defined in read capacity units (RCUs).
+                          type: number
+                        throughputMode:
+                          description: 'The read/write throughput capacity mode for
+                            a table. Valid values: PAY_PER_REQUEST, PROVISIONED. The
+                            default value is PAY_PER_REQUEST.'
+                          type: string
+                        writeCapacityUnits:
+                          description: The throughput capacity specified for write
+                            operations defined in write capacity units (WCUs).
+                          type: number
+                      type: object
+                    type: array
+                  comment:
+                    description: A description of the table.
+                    items:
+                      properties:
+                        message:
+                          description: A description of the table.
+                          type: string
+                      type: object
+                    type: array
+                  defaultTimeToLive:
+                    description: The default Time to Live setting in seconds for the
+                      table. More information can be found in the Developer Guide.
+                    type: number
+                  encryptionSpecification:
+                    description: Specifies how the encryption key for encryption at
+                      rest is managed for the table. More information can be found
+                      in the Developer Guide.
+                    items:
+                      properties:
+                        kmsKeyIdentifier:
+                          description: The Amazon Resource Name (ARN) of the customer
+                            managed KMS key.
+                          type: string
+                        type:
+                          description: 'The encryption option specified for the table.
+                            Valid values: AWS_OWNED_KMS_KEY, CUSTOMER_MANAGED_KMS_KEY.
+                            The default value is AWS_OWNED_KMS_KEY.'
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  keyspaceName:
+                    description: The name of the keyspace that the table is going
+                      to be created in.
+                    type: string
+                  pointInTimeRecovery:
+                    description: Specifies if point-in-time recovery is enabled or
+                      disabled for the table. More information can be found in the
+                      Developer Guide.
+                    items:
+                      properties:
+                        status:
+                          description: 'Valid values: ENABLED, DISABLED. The default
+                            value is DISABLED.'
+                          type: string
+                      type: object
+                    type: array
+                  schemaDefinition:
+                    description: Describes the schema of the table.
+                    items:
+                      properties:
+                        clusteringKey:
+                          description: The columns that are part of the clustering
+                            key of the table.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the column.
+                                type: string
+                              orderBy:
+                                description: 'The order modifier. Valid values: ASC,
+                                  DESC.'
+                                type: string
+                            type: object
+                          type: array
+                        column:
+                          description: The regular columns of the table.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the column.
+                                type: string
+                              type:
+                                description: 'The encryption option specified for
+                                  the table. Valid values: AWS_OWNED_KMS_KEY, CUSTOMER_MANAGED_KMS_KEY.
+                                  The default value is AWS_OWNED_KMS_KEY.'
+                                type: string
+                            type: object
+                          type: array
+                        partitionKey:
+                          description: The columns that are part of the partition
+                            key of the table .
+                          items:
+                            properties:
+                              name:
+                                description: The name of the column.
+                                type: string
+                            type: object
+                          type: array
+                        staticColumn:
+                          description: The columns that have been defined as STATIC.
+                            Static columns store values that are shared by all rows
+                            in the same partition.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the column.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tableName:
+                    description: The name of the table.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -491,6 +642,17 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  ttl:
+                    description: Enables Time to Live custom settings for the table.
+                      More information can be found in the Developer Guide.
+                    items:
+                      properties:
+                        status:
+                          description: 'Valid values: ENABLED, DISABLED. The default
+                            value is DISABLED.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kinesis.aws.upbound.io_streamconsumers.yaml b/package/crds/kinesis.aws.upbound.io_streamconsumers.yaml
index 58804bc0fa..d1a48bbad4 100644
--- a/package/crds/kinesis.aws.upbound.io_streamconsumers.yaml
+++ b/package/crds/kinesis.aws.upbound.io_streamconsumers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,9 +153,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,6 +341,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: StreamConsumerStatus defines the observed state of StreamConsumer.
             properties:
@@ -338,6 +359,13 @@ spec:
                   id:
                     description: Amazon Resource Name (ARN) of the stream consumer.
                     type: string
+                  name:
+                    description: Name of the stream consumer.
+                    type: string
+                  streamArn:
+                    description: –  Amazon Resource Name (ARN) of the data stream
+                      the consumer is registered with.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kinesis.aws.upbound.io_streams.yaml b/package/crds/kinesis.aws.upbound.io_streams.yaml
index 44fd483c70..be838c6331 100644
--- a/package/crds/kinesis.aws.upbound.io_streams.yaml
+++ b/package/crds/kinesis.aws.upbound.io_streams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -197,6 +201,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -377,9 +396,60 @@ spec:
                     description: The Amazon Resource Name (ARN) specifying the Stream
                       (same as id)
                     type: string
+                  encryptionType:
+                    description: The encryption type to use. The only acceptable values
+                      are NONE or KMS. The default value is NONE.
+                    type: string
+                  enforceConsumerDeletion:
+                    description: A boolean that indicates all registered consumers
+                      should be deregistered from the stream so that the stream can
+                      be destroyed without error. The default value is false.
+                    type: boolean
                   id:
                     description: The unique Stream id
                     type: string
+                  kmsKeyId:
+                    description: The GUID for the customer-managed KMS key to use
+                      for encryption. You can also use a Kinesis-owned master key
+                      by specifying the alias alias/aws/kinesis.
+                    type: string
+                  retentionPeriod:
+                    description: Length of time data records are accessible after
+                      they are added to the stream. The maximum value of a stream's
+                      retention period is 8760 hours. Minimum value is 24. Default
+                      is 24.
+                    type: number
+                  shardCount:
+                    description: –  The number of shards that the stream will use.
+                      If the stream_mode is PROVISIONED, this field is required. Amazon
+                      has guidelines for specifying the Stream size that should be
+                      referenced when creating a Kinesis stream. See Amazon Kinesis
+                      Streams for more.
+                    type: number
+                  shardLevelMetrics:
+                    description: A list of shard-level CloudWatch metrics which can
+                      be enabled for the stream. See Monitoring with CloudWatch for
+                      more. Note that the value ALL should not be used; instead you
+                      should provide an explicit list of metrics you wish to enable.
+                    items:
+                      type: string
+                    type: array
+                  streamModeDetails:
+                    description: Indicates the capacity mode of the data stream. Detailed
+                      below.
+                    items:
+                      properties:
+                        streamMode:
+                          description: Specifies the capacity mode of the stream.
+                            Must be either PROVISIONED or ON_DEMAND.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/kinesisanalytics.aws.upbound.io_applications.yaml b/package/crds/kinesisanalytics.aws.upbound.io_applications.yaml
index 58001c6cc8..45d0bc8b03 100644
--- a/package/crds/kinesisanalytics.aws.upbound.io_applications.yaml
+++ b/package/crds/kinesisanalytics.aws.upbound.io_applications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -946,6 +950,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1133,11 +1152,24 @@ spec:
                         id:
                           description: The ARN of the Kinesis Analytics Application.
                           type: string
+                        logStreamArn:
+                          description: The ARN of the CloudWatch Log Stream.
+                          type: string
+                        roleArn:
+                          description: The ARN of the IAM Role used to send application
+                            messages.
+                          type: string
                       type: object
                     type: array
+                  code:
+                    description: SQL Code to transform input data, and generate output.
+                    type: string
                   createTimestamp:
                     description: The Timestamp when the application version was created.
                     type: string
+                  description:
+                    description: Description of the application.
+                    type: string
                   id:
                     description: The ARN of the Kinesis Analytics Application.
                     type: string
@@ -1149,17 +1181,138 @@ spec:
                         id:
                           description: The ARN of the Kinesis Analytics Application.
                           type: string
+                        kinesisFirehose:
+                          description: The Kinesis Firehose configuration for the
+                            streaming source. Conflicts with kinesis_stream. See Kinesis
+                            Firehose below for more details.
+                          items:
+                            properties:
+                              resourceArn:
+                                description: The ARN of the Lambda function.
+                                type: string
+                              roleArn:
+                                description: The IAM Role ARN to read the data.
+                                type: string
+                            type: object
+                          type: array
+                        kinesisStream:
+                          description: The Kinesis Stream configuration for the streaming
+                            source. Conflicts with kinesis_firehose. See Kinesis Stream
+                            below for more details.
+                          items:
+                            properties:
+                              resourceArn:
+                                description: The ARN of the Lambda function.
+                                type: string
+                              roleArn:
+                                description: The IAM Role ARN to read the data.
+                                type: string
+                            type: object
+                          type: array
+                        namePrefix:
+                          description: The Name Prefix to use when creating an in-application
+                            stream.
+                          type: string
+                        parallelism:
+                          description: The number of Parallel in-application streams
+                            to create. See Parallelism below for more details.
+                          items:
+                            properties:
+                              count:
+                                description: The Count of streams.
+                                type: number
+                            type: object
+                          type: array
+                        processingConfiguration:
+                          description: The Processing Configuration to transform records
+                            as they are received from the stream. See Processing Configuration
+                            below for more details.
+                          items:
+                            properties:
+                              lambda:
+                                description: The Lambda function configuration. See
+                                  Lambda below for more details.
+                                items:
+                                  properties:
+                                    resourceArn:
+                                      description: The ARN of the Lambda function.
+                                      type: string
+                                    roleArn:
+                                      description: The IAM Role ARN to read the data.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
                         schema:
                           description: The Schema format of the data in the streaming
                             source. See Source Schema below for more details.
                           items:
                             properties:
+                              recordColumns:
+                                description: The Record Column mapping for the streaming
+                                  source data element. See Record Columns below for
+                                  more details.
+                                items:
+                                  properties:
+                                    mapping:
+                                      description: The Mapping reference to the data
+                                        element.
+                                      type: string
+                                    name:
+                                      description: Name of the column.
+                                      type: string
+                                    sqlType:
+                                      description: The SQL Type of the column.
+                                      type: string
+                                  type: object
+                                type: array
+                              recordEncoding:
+                                description: The Encoding of the record in the streaming
+                                  source.
+                                type: string
                               recordFormat:
                                 description: The Record Format and mapping information
                                   to schematize a record. See Record Format below
                                   for more details.
                                 items:
                                   properties:
+                                    mappingParameters:
+                                      description: The Mapping Information for the
+                                        record format. See Mapping Parameters below
+                                        for more details.
+                                      items:
+                                        properties:
+                                          csv:
+                                            description: Mapping information when
+                                              the record format uses delimiters. See
+                                              CSV Mapping Parameters below for more
+                                              details.
+                                            items:
+                                              properties:
+                                                recordColumnDelimiter:
+                                                  description: The Column Delimiter.
+                                                  type: string
+                                                recordRowDelimiter:
+                                                  description: The Row Delimiter.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          json:
+                                            description: Mapping information when
+                                              JSON is the record format on the streaming
+                                              source. See JSON Mapping Parameters
+                                              below for more details.
+                                            items:
+                                              properties:
+                                                recordRowPath:
+                                                  description: Path to the top-level
+                                                    parent that contains the records.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
                                     recordFormatType:
                                       description: The Format Type of the records
                                         on the output stream. Can be CSV or JSON.
@@ -1168,6 +1321,18 @@ spec:
                                 type: array
                             type: object
                           type: array
+                        startingPositionConfiguration:
+                          description: The point at which the application starts processing
+                            records from the streaming source. See Starting Position
+                            Configuration below for more details.
+                          items:
+                            properties:
+                              startingPosition:
+                                description: 'The starting position on the stream.
+                                  Valid values: LAST_STOPPED_POINT, NOW, TRIM_HORIZON.'
+                                type: string
+                            type: object
+                          type: array
                         streamNames:
                           items:
                             type: string
@@ -1185,6 +1350,61 @@ spec:
                         id:
                           description: The ARN of the Kinesis Analytics Application.
                           type: string
+                        kinesisFirehose:
+                          description: The Kinesis Firehose configuration for the
+                            destination stream. Conflicts with kinesis_stream. See
+                            Kinesis Firehose below for more details.
+                          items:
+                            properties:
+                              resourceArn:
+                                description: The ARN of the Lambda function.
+                                type: string
+                              roleArn:
+                                description: The IAM Role ARN to read the data.
+                                type: string
+                            type: object
+                          type: array
+                        kinesisStream:
+                          description: The Kinesis Stream configuration for the destination
+                            stream. Conflicts with kinesis_firehose. See Kinesis Stream
+                            below for more details.
+                          items:
+                            properties:
+                              resourceArn:
+                                description: The ARN of the Lambda function.
+                                type: string
+                              roleArn:
+                                description: The IAM Role ARN to read the data.
+                                type: string
+                            type: object
+                          type: array
+                        lambda:
+                          description: The Lambda function destination. See Lambda
+                            below for more details.
+                          items:
+                            properties:
+                              resourceArn:
+                                description: The ARN of the Lambda function.
+                                type: string
+                              roleArn:
+                                description: The IAM Role ARN to read the data.
+                                type: string
+                            type: object
+                          type: array
+                        name:
+                          description: The Name of the in-application stream.
+                          type: string
+                        schema:
+                          description: The Schema format of the data written to the
+                            destination. See Destination Schema below for more details.
+                          items:
+                            properties:
+                              recordFormatType:
+                                description: The Format Type of the records on the
+                                  output stream. Can be CSV or JSON.
+                                type: string
+                            type: object
+                          type: array
                       type: object
                     type: array
                   referenceDataSources:
@@ -1195,17 +1415,92 @@ spec:
                         id:
                           description: The ARN of the Kinesis Analytics Application.
                           type: string
+                        s3:
+                          description: The S3 configuration for the reference data
+                            source. See S3 Reference below for more details.
+                          items:
+                            properties:
+                              bucketArn:
+                                description: The S3 Bucket ARN.
+                                type: string
+                              fileKey:
+                                description: The File Key name containing reference
+                                  data.
+                                type: string
+                              roleArn:
+                                description: The IAM Role ARN to read the data.
+                                type: string
+                            type: object
+                          type: array
                         schema:
                           description: The Schema format of the data in the streaming
                             source. See Source Schema below for more details.
                           items:
                             properties:
+                              recordColumns:
+                                description: The Record Column mapping for the streaming
+                                  source data element. See Record Columns below for
+                                  more details.
+                                items:
+                                  properties:
+                                    mapping:
+                                      description: The Mapping reference to the data
+                                        element.
+                                      type: string
+                                    name:
+                                      description: Name of the column.
+                                      type: string
+                                    sqlType:
+                                      description: The SQL Type of the column.
+                                      type: string
+                                  type: object
+                                type: array
+                              recordEncoding:
+                                description: The Encoding of the record in the streaming
+                                  source.
+                                type: string
                               recordFormat:
                                 description: The Record Format and mapping information
                                   to schematize a record. See Record Format below
                                   for more details.
                                 items:
                                   properties:
+                                    mappingParameters:
+                                      description: The Mapping Information for the
+                                        record format. See Mapping Parameters below
+                                        for more details.
+                                      items:
+                                        properties:
+                                          csv:
+                                            description: Mapping information when
+                                              the record format uses delimiters. See
+                                              CSV Mapping Parameters below for more
+                                              details.
+                                            items:
+                                              properties:
+                                                recordColumnDelimiter:
+                                                  description: The Column Delimiter.
+                                                  type: string
+                                                recordRowDelimiter:
+                                                  description: The Row Delimiter.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          json:
+                                            description: Mapping information when
+                                              JSON is the record format on the streaming
+                                              source. See JSON Mapping Parameters
+                                              below for more details.
+                                            items:
+                                              properties:
+                                                recordRowPath:
+                                                  description: Path to the top-level
+                                                    parent that contains the records.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
                                     recordFormatType:
                                       description: The Format Type of the records
                                         on the output stream. Can be CSV or JSON.
@@ -1214,11 +1509,26 @@ spec:
                                 type: array
                             type: object
                           type: array
+                        tableName:
+                          description: The in-application Table Name.
+                          type: string
                       type: object
                     type: array
+                  startApplication:
+                    description: Whether to start or stop the Kinesis Analytics Application.
+                      To start an application, an input with a defined starting_position
+                      must be configured. To modify an application's starting position,
+                      first stop the application by setting start_application = false,
+                      then update starting_position and set start_application = true.
+                    type: boolean
                   status:
                     description: The Status of the application.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/kinesisanalyticsv2.aws.upbound.io_applications.yaml b/package/crds/kinesisanalyticsv2.aws.upbound.io_applications.yaml
index 0de2668f7a..5bafa40c2e 100644
--- a/package/crds/kinesisanalyticsv2.aws.upbound.io_applications.yaml
+++ b/package/crds/kinesisanalyticsv2.aws.upbound.io_applications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1464,8 +1468,22 @@ spec:
                     type: object
                 required:
                 - region
-                - runtimeEnvironment
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1637,6 +1655,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: runtimeEnvironment is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.runtimeEnvironment)
           status:
             description: ApplicationStatus defines the observed state of Application.
             properties:
@@ -1646,84 +1667,673 @@ spec:
                     description: The application's configuration
                     items:
                       properties:
-                        sqlApplicationConfiguration:
-                          description: The configuration of a SQL-based application.
+                        applicationCodeConfiguration:
+                          description: The code location and type parameters for the
+                            application.
                           items:
                             properties:
-                              input:
-                                description: The input stream used by the application.
+                              codeContent:
+                                description: The location and type of the application
+                                  code.
                                 items:
                                   properties:
-                                    inAppStreamNames:
+                                    s3ContentLocation:
+                                      description: Information about the Amazon S3
+                                        bucket containing the application code.
                                       items:
-                                        type: string
+                                        properties:
+                                          bucketArn:
+                                            description: The ARN for the S3 bucket
+                                              containing the application code.
+                                            type: string
+                                          fileKey:
+                                            description: The file key for the object
+                                              containing the application code.
+                                            type: string
+                                          objectVersion:
+                                            description: The version of the object
+                                              containing the application code.
+                                            type: string
+                                        type: object
                                       type: array
-                                    inputId:
-                                      description: The application identifier.
+                                    textContent:
+                                      description: The text-format code for the application.
                                       type: string
                                   type: object
                                 type: array
-                              output:
-                                description: The destination streams used by the application.
+                              codeContentType:
+                                description: 'Specifies whether the code content is
+                                  in text or zip format. Valid values: PLAINTEXT,
+                                  ZIPFILE.'
+                                type: string
+                            type: object
+                          type: array
+                        applicationSnapshotConfiguration:
+                          description: Describes whether snapshots are enabled for
+                            a Flink-based application.
+                          items:
+                            properties:
+                              snapshotsEnabled:
+                                description: Describes whether snapshots are enabled
+                                  for a Flink-based Kinesis Data Analytics application.
+                                type: boolean
+                            type: object
+                          type: array
+                        environmentProperties:
+                          description: Describes execution properties for a Flink-based
+                            application.
+                          items:
+                            properties:
+                              propertyGroup:
+                                description: Describes the execution property groups.
                                 items:
                                   properties:
-                                    outputId:
-                                      description: The application identifier.
+                                    propertyGroupId:
+                                      description: The key of the application execution
+                                        property key-value map.
                                       type: string
+                                    propertyMap:
+                                      additionalProperties:
+                                        type: string
+                                      description: Application execution property
+                                        key-value map.
+                                      type: object
                                   type: object
                                 type: array
-                              referenceDataSource:
-                                description: The reference data source used by the
-                                  application.
+                            type: object
+                          type: array
+                        flinkApplicationConfiguration:
+                          description: The configuration of a Flink-based application.
+                          items:
+                            properties:
+                              checkpointConfiguration:
+                                description: Describes an application's checkpointing
+                                  configuration.
                                 items:
                                   properties:
-                                    referenceId:
-                                      description: The application identifier.
+                                    checkpointInterval:
+                                      description: Describes the interval in milliseconds
+                                        between checkpoint operations.
+                                      type: number
+                                    checkpointingEnabled:
+                                      description: Describes whether checkpointing
+                                        is enabled for a Flink-based Kinesis Data
+                                        Analytics application.
+                                      type: boolean
+                                    configurationType:
+                                      description: 'Describes whether the application
+                                        uses Kinesis Data Analytics'' default checkpointing
+                                        behavior. Valid values: CUSTOM, DEFAULT. Set
+                                        this attribute to CUSTOM in order for any
+                                        specified checkpointing_enabled, checkpoint_interval,
+                                        or min_pause_between_checkpoints attribute
+                                        values to be effective. If this attribute
+                                        is set to DEFAULT, the application will always
+                                        use the following values:'
+                                      type: string
+                                    minPauseBetweenCheckpoints:
+                                      description: Describes the minimum time in milliseconds
+                                        after a checkpoint operation completes that
+                                        a new checkpoint operation can start.
+                                      type: number
+                                  type: object
+                                type: array
+                              monitoringConfiguration:
+                                description: Describes configuration parameters for
+                                  CloudWatch logging for an application.
+                                items:
+                                  properties:
+                                    configurationType:
+                                      description: 'Describes whether the application
+                                        uses Kinesis Data Analytics'' default checkpointing
+                                        behavior. Valid values: CUSTOM, DEFAULT. Set
+                                        this attribute to CUSTOM in order for any
+                                        specified checkpointing_enabled, checkpoint_interval,
+                                        or min_pause_between_checkpoints attribute
+                                        values to be effective. If this attribute
+                                        is set to DEFAULT, the application will always
+                                        use the following values:'
+                                      type: string
+                                    logLevel:
+                                      description: 'Describes the verbosity of the
+                                        CloudWatch Logs for an application. Valid
+                                        values: DEBUG, ERROR, INFO, WARN.'
+                                      type: string
+                                    metricsLevel:
+                                      description: 'Describes the granularity of the
+                                        CloudWatch Logs for an application. Valid
+                                        values: APPLICATION, OPERATOR, PARALLELISM,
+                                        TASK.'
+                                      type: string
+                                  type: object
+                                type: array
+                              parallelismConfiguration:
+                                description: Describes parameters for how an application
+                                  executes multiple tasks simultaneously.
+                                items:
+                                  properties:
+                                    autoScalingEnabled:
+                                      description: Describes whether the Kinesis Data
+                                        Analytics service can increase the parallelism
+                                        of the application in response to increased
+                                        throughput.
+                                      type: boolean
+                                    configurationType:
+                                      description: 'Describes whether the application
+                                        uses Kinesis Data Analytics'' default checkpointing
+                                        behavior. Valid values: CUSTOM, DEFAULT. Set
+                                        this attribute to CUSTOM in order for any
+                                        specified checkpointing_enabled, checkpoint_interval,
+                                        or min_pause_between_checkpoints attribute
+                                        values to be effective. If this attribute
+                                        is set to DEFAULT, the application will always
+                                        use the following values:'
                                       type: string
+                                    parallelism:
+                                      description: Describes the initial number of
+                                        parallel tasks that a Flink-based Kinesis
+                                        Data Analytics application can perform.
+                                      type: number
+                                    parallelismPerKpu:
+                                      description: Describes the number of parallel
+                                        tasks that a Flink-based Kinesis Data Analytics
+                                        application can perform per Kinesis Processing
+                                        Unit (KPU) used by the application.
+                                      type: number
                                   type: object
                                 type: array
                             type: object
                           type: array
-                        vpcConfiguration:
-                          description: The VPC configuration of a Flink-based application.
+                        runConfiguration:
+                          description: Describes the starting properties for a Flink-based
+                            application.
                           items:
                             properties:
-                              vpcConfigurationId:
-                                description: The application identifier.
-                                type: string
-                              vpcId:
-                                description: The application identifier.
-                                type: string
+                              applicationRestoreConfiguration:
+                                description: The restore behavior of a restarting
+                                  application.
+                                items:
+                                  properties:
+                                    applicationRestoreType:
+                                      description: 'Specifies how the application
+                                        should be restored. Valid values: RESTORE_FROM_CUSTOM_SNAPSHOT,
+                                        RESTORE_FROM_LATEST_SNAPSHOT, SKIP_RESTORE_FROM_SNAPSHOT.'
+                                      type: string
+                                    snapshotName:
+                                      description: The identifier of an existing snapshot
+                                        of application state to use to restart an
+                                        application. The application uses this value
+                                        if RESTORE_FROM_CUSTOM_SNAPSHOT is specified
+                                        for application_restore_type.
+                                      type: string
+                                  type: object
+                                type: array
+                              flinkRunConfiguration:
+                                description: The starting parameters for a Flink-based
+                                  Kinesis Data Analytics application.
+                                items:
+                                  properties:
+                                    allowNonRestoredState:
+                                      description: When restoring from a snapshot,
+                                        specifies whether the runtime is allowed to
+                                        skip a state that cannot be mapped to the
+                                        new program. Default is false.
+                                      type: boolean
+                                  type: object
+                                type: array
                             type: object
                           type: array
-                      type: object
-                    type: array
-                  arn:
-                    description: The ARN of the application.
-                    type: string
-                  cloudwatchLoggingOptions:
-                    description: A CloudWatch log stream to monitor application configuration
-                      errors.
-                    items:
-                      properties:
-                        cloudwatchLoggingOptionId:
-                          description: The application identifier.
-                          type: string
-                      type: object
-                    type: array
-                  createTimestamp:
-                    description: The current timestamp when the application was created.
-                    type: string
-                  id:
-                    description: The application identifier.
-                    type: string
-                  lastUpdateTimestamp:
-                    description: The current timestamp when the application was last
-                      updated.
-                    type: string
-                  status:
-                    description: The status of the application.
-                    type: string
+                        sqlApplicationConfiguration:
+                          description: The configuration of a SQL-based application.
+                          items:
+                            properties:
+                              input:
+                                description: The input stream used by the application.
+                                items:
+                                  properties:
+                                    inAppStreamNames:
+                                      items:
+                                        type: string
+                                      type: array
+                                    inputId:
+                                      description: The application identifier.
+                                      type: string
+                                    inputParallelism:
+                                      description: Describes the number of in-application
+                                        streams to create.
+                                      items:
+                                        properties:
+                                          count:
+                                            description: The number of in-application
+                                              streams to create.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    inputProcessingConfiguration:
+                                      description: The input processing configuration
+                                        for the input. An input processor transforms
+                                        records as they are received from the stream,
+                                        before the application's SQL code executes.
+                                      items:
+                                        properties:
+                                          inputLambdaProcessor:
+                                            description: Describes the Lambda function
+                                              that is used to preprocess the records
+                                              in the stream before being processed
+                                              by your application code.
+                                            items:
+                                              properties:
+                                                resourceArn:
+                                                  description: The ARN of the Lambda
+                                                    function that operates on records
+                                                    in the stream.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    inputSchema:
+                                      description: Describes the format of the data
+                                        in the streaming source, and how each data
+                                        element maps to corresponding columns in the
+                                        in-application stream that is being created.
+                                      items:
+                                        properties:
+                                          recordColumn:
+                                            description: Describes the mapping of
+                                              each data element in the streaming source
+                                              to the corresponding column in the in-application
+                                              stream.
+                                            items:
+                                              properties:
+                                                mapping:
+                                                  description: A reference to the
+                                                    data element in the streaming
+                                                    input or the reference data source.
+                                                  type: string
+                                                name:
+                                                  description: The name of the application.
+                                                  type: string
+                                                sqlType:
+                                                  description: The type of column
+                                                    created in the in-application
+                                                    input stream or reference table.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          recordEncoding:
+                                            description: Specifies the encoding of
+                                              the records in the streaming source.
+                                              For example, UTF-8.
+                                            type: string
+                                          recordFormat:
+                                            description: Specifies the format of the
+                                              records on the streaming source.
+                                            items:
+                                              properties:
+                                                mappingParameters:
+                                                  description: Provides additional
+                                                    mapping information specific to
+                                                    the record format (such as JSON,
+                                                    CSV, or record fields delimited
+                                                    by some delimiter) on the streaming
+                                                    source.
+                                                  items:
+                                                    properties:
+                                                      csvMappingParameters:
+                                                        description: Provides additional
+                                                          mapping information when
+                                                          the record format uses delimiters
+                                                          (for example, CSV).
+                                                        items:
+                                                          properties:
+                                                            recordColumnDelimiter:
+                                                              description: The column
+                                                                delimiter. For example,
+                                                                in a CSV format, a
+                                                                comma (,) is the typical
+                                                                column delimiter.
+                                                              type: string
+                                                            recordRowDelimiter:
+                                                              description: The row
+                                                                delimiter. For example,
+                                                                in a CSV format, \n
+                                                                is the typical row
+                                                                delimiter.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      jsonMappingParameters:
+                                                        description: Provides additional
+                                                          mapping information when
+                                                          JSON is the record format
+                                                          on the streaming source.
+                                                        items:
+                                                          properties:
+                                                            recordRowPath:
+                                                              description: The path
+                                                                to the top-level parent
+                                                                that contains the
+                                                                records.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                recordFormatType:
+                                                  description: 'The type of record
+                                                    format. Valid values: CSV, JSON.'
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    inputStartingPositionConfiguration:
+                                      description: The point at which the application
+                                        starts processing records from the streaming
+                                        source.
+                                      items:
+                                        properties:
+                                          inputStartingPosition:
+                                            description: 'The starting position on
+                                              the stream. Valid values: LAST_STOPPED_POINT,
+                                              NOW, TRIM_HORIZON.'
+                                            type: string
+                                        type: object
+                                      type: array
+                                    kinesisFirehoseInput:
+                                      description: If the streaming source is a Kinesis
+                                        Data Firehose delivery stream, identifies
+                                        the delivery stream's ARN.
+                                      items:
+                                        properties:
+                                          resourceArn:
+                                            description: The ARN of the Lambda function
+                                              that operates on records in the stream.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    kinesisStreamsInput:
+                                      description: If the streaming source is a Kinesis
+                                        data stream, identifies the stream's Amazon
+                                        Resource Name (ARN).
+                                      items:
+                                        properties:
+                                          resourceArn:
+                                            description: The ARN of the Lambda function
+                                              that operates on records in the stream.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    namePrefix:
+                                      description: The name prefix to use when creating
+                                        an in-application stream.
+                                      type: string
+                                  type: object
+                                type: array
+                              output:
+                                description: The destination streams used by the application.
+                                items:
+                                  properties:
+                                    destinationSchema:
+                                      description: Describes the data format when
+                                        records are written to the destination.
+                                      items:
+                                        properties:
+                                          recordFormatType:
+                                            description: 'The type of record format.
+                                              Valid values: CSV, JSON.'
+                                            type: string
+                                        type: object
+                                      type: array
+                                    kinesisFirehoseOutput:
+                                      description: Identifies a Kinesis Data Firehose
+                                        delivery stream as the destination.
+                                      items:
+                                        properties:
+                                          resourceArn:
+                                            description: The ARN of the Lambda function
+                                              that operates on records in the stream.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    kinesisStreamsOutput:
+                                      description: Identifies a Kinesis data stream
+                                        as the destination.
+                                      items:
+                                        properties:
+                                          resourceArn:
+                                            description: The ARN of the Lambda function
+                                              that operates on records in the stream.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    lambdaOutput:
+                                      description: Identifies a Lambda function as
+                                        the destination.
+                                      items:
+                                        properties:
+                                          resourceArn:
+                                            description: The ARN of the Lambda function
+                                              that operates on records in the stream.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    name:
+                                      description: The name of the application.
+                                      type: string
+                                    outputId:
+                                      description: The application identifier.
+                                      type: string
+                                  type: object
+                                type: array
+                              referenceDataSource:
+                                description: The reference data source used by the
+                                  application.
+                                items:
+                                  properties:
+                                    referenceId:
+                                      description: The application identifier.
+                                      type: string
+                                    referenceSchema:
+                                      description: Describes the format of the data
+                                        in the streaming source, and how each data
+                                        element maps to corresponding columns created
+                                        in the in-application stream.
+                                      items:
+                                        properties:
+                                          recordColumn:
+                                            description: Describes the mapping of
+                                              each data element in the streaming source
+                                              to the corresponding column in the in-application
+                                              stream.
+                                            items:
+                                              properties:
+                                                mapping:
+                                                  description: A reference to the
+                                                    data element in the streaming
+                                                    input or the reference data source.
+                                                  type: string
+                                                name:
+                                                  description: The name of the application.
+                                                  type: string
+                                                sqlType:
+                                                  description: The type of column
+                                                    created in the in-application
+                                                    input stream or reference table.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          recordEncoding:
+                                            description: Specifies the encoding of
+                                              the records in the streaming source.
+                                              For example, UTF-8.
+                                            type: string
+                                          recordFormat:
+                                            description: Specifies the format of the
+                                              records on the streaming source.
+                                            items:
+                                              properties:
+                                                mappingParameters:
+                                                  description: Provides additional
+                                                    mapping information specific to
+                                                    the record format (such as JSON,
+                                                    CSV, or record fields delimited
+                                                    by some delimiter) on the streaming
+                                                    source.
+                                                  items:
+                                                    properties:
+                                                      csvMappingParameters:
+                                                        description: Provides additional
+                                                          mapping information when
+                                                          the record format uses delimiters
+                                                          (for example, CSV).
+                                                        items:
+                                                          properties:
+                                                            recordColumnDelimiter:
+                                                              description: The column
+                                                                delimiter. For example,
+                                                                in a CSV format, a
+                                                                comma (,) is the typical
+                                                                column delimiter.
+                                                              type: string
+                                                            recordRowDelimiter:
+                                                              description: The row
+                                                                delimiter. For example,
+                                                                in a CSV format, \n
+                                                                is the typical row
+                                                                delimiter.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      jsonMappingParameters:
+                                                        description: Provides additional
+                                                          mapping information when
+                                                          JSON is the record format
+                                                          on the streaming source.
+                                                        items:
+                                                          properties:
+                                                            recordRowPath:
+                                                              description: The path
+                                                                to the top-level parent
+                                                                that contains the
+                                                                records.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                recordFormatType:
+                                                  description: 'The type of record
+                                                    format. Valid values: CSV, JSON.'
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    s3ReferenceDataSource:
+                                      description: Identifies the S3 bucket and object
+                                        that contains the reference data.
+                                      items:
+                                        properties:
+                                          bucketArn:
+                                            description: The ARN for the S3 bucket
+                                              containing the application code.
+                                            type: string
+                                          fileKey:
+                                            description: The file key for the object
+                                              containing the application code.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    tableName:
+                                      description: The name of the in-application
+                                        table to create.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        vpcConfiguration:
+                          description: The VPC configuration of a Flink-based application.
+                          items:
+                            properties:
+                              securityGroupIds:
+                                description: The Security Group IDs used by the VPC
+                                  configuration.
+                                items:
+                                  type: string
+                                type: array
+                              subnetIds:
+                                description: The Subnet IDs used by the VPC configuration.
+                                items:
+                                  type: string
+                                type: array
+                              vpcConfigurationId:
+                                description: The application identifier.
+                                type: string
+                              vpcId:
+                                description: The application identifier.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  arn:
+                    description: The ARN of the application.
+                    type: string
+                  cloudwatchLoggingOptions:
+                    description: A CloudWatch log stream to monitor application configuration
+                      errors.
+                    items:
+                      properties:
+                        cloudwatchLoggingOptionId:
+                          description: The application identifier.
+                          type: string
+                        logStreamArn:
+                          description: The ARN of the CloudWatch log stream to receive
+                            application messages.
+                          type: string
+                      type: object
+                    type: array
+                  createTimestamp:
+                    description: The current timestamp when the application was created.
+                    type: string
+                  description:
+                    description: A summary description of the application.
+                    type: string
+                  forceStop:
+                    description: Whether to force stop an unresponsive Flink-based
+                      application.
+                    type: boolean
+                  id:
+                    description: The application identifier.
+                    type: string
+                  lastUpdateTimestamp:
+                    description: The current timestamp when the application was last
+                      updated.
+                    type: string
+                  runtimeEnvironment:
+                    description: 'The runtime environment for the application. Valid
+                      values: SQL-1_0, FLINK-1_6, FLINK-1_8, FLINK-1_11, FLINK-1_13,
+                      FLINK-1_15.'
+                    type: string
+                  serviceExecutionRole:
+                    description: The ARN of the IAM role used by the application to
+                      access Kinesis data streams, Kinesis Data Firehose delivery
+                      streams, Amazon S3 objects, and other external resources.
+                    type: string
+                  startApplication:
+                    description: Whether to start or stop the application.
+                    type: boolean
+                  status:
+                    description: The status of the application.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/kinesisanalyticsv2.aws.upbound.io_applicationsnapshots.yaml b/package/crds/kinesisanalyticsv2.aws.upbound.io_applicationsnapshots.yaml
index 9bef84c1a8..b9cbbc919e 100644
--- a/package/crds/kinesisanalyticsv2.aws.upbound.io_applicationsnapshots.yaml
+++ b/package/crds/kinesisanalyticsv2.aws.upbound.io_applicationsnapshots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,6 +155,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,6 +346,11 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applicationName:
+                    description: The name of an existing  Kinesis Analytics v2 Application.
+                      Note that the application must be running for a snapshot to
+                      be created.
+                    type: string
                   applicationVersionId:
                     description: The current application version ID when the snapshot
                       was created.
diff --git a/package/crds/kinesisvideo.aws.upbound.io_streams.yaml b/package/crds/kinesisvideo.aws.upbound.io_streams.yaml
index b4c337a1bf..86c9398028 100644
--- a/package/crds/kinesisvideo.aws.upbound.io_streams.yaml
+++ b/package/crds/kinesisvideo.aws.upbound.io_streams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -174,9 +178,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -348,6 +366,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: StreamStatus defines the observed state of Stream.
             properties:
@@ -360,9 +381,41 @@ spec:
                   creationTime:
                     description: A time stamp that indicates when the stream was created.
                     type: string
+                  dataRetentionInHours:
+                    description: –  The number of hours that you want to retain the
+                      data in the stream. Kinesis Video Streams retains the data in
+                      a data store that is associated with the stream. The default
+                      value is 0, indicating that the stream does not persist data.
+                    type: number
+                  deviceName:
+                    description: The name of the device that is writing to the stream.
+                      In the current implementation, Kinesis Video Streams does not
+                      use this name.
+                    type: string
                   id:
                     description: The unique Stream id
                     type: string
+                  kmsKeyId:
+                    description: The ID of the AWS Key Management Service (AWS KMS)
+                      key that you want Kinesis Video Streams to use to encrypt stream
+                      data. If no key ID is specified, the default, Kinesis Video-managed
+                      key (aws/kinesisvideo) is used.
+                    type: string
+                  mediaType:
+                    description: The media type of the stream. Consumers of the stream
+                      can use this information when processing the stream. For more
+                      information about media types, see Media Types. If you choose
+                      to specify the MediaType, see Naming Requirements for guidelines.
+                    type: string
+                  name:
+                    description: A name to identify the stream. This is unique to
+                      the AWS account and region the Stream is created in.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/kms.aws.upbound.io_aliases.yaml b/package/crds/kms.aws.upbound.io_aliases.yaml
index e644dc8b3b..65abf83422 100644
--- a/package/crds/kms.aws.upbound.io_aliases.yaml
+++ b/package/crds/kms.aws.upbound.io_aliases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -148,6 +152,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,6 +352,10 @@ spec:
                     description: The Amazon Resource Name (ARN) of the target key
                       identifier.
                     type: string
+                  targetKeyId:
+                    description: Identifier for the key for which the alias is for,
+                      can be either an ARN or key_id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kms.aws.upbound.io_ciphertexts.yaml b/package/crds/kms.aws.upbound.io_ciphertexts.yaml
index e1ccefe644..ec80274017 100644
--- a/package/crds/kms.aws.upbound.io_ciphertexts.yaml
+++ b/package/crds/kms.aws.upbound.io_ciphertexts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -169,9 +173,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - plaintextSecretRef
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,6 +361,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: plaintextSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.plaintextSecretRef)
           status:
             description: CiphertextStatus defines the observed state of Ciphertext.
             properties:
@@ -351,8 +372,17 @@ spec:
                   ciphertextBlob:
                     description: Base64 encoded ciphertext
                     type: string
+                  context:
+                    additionalProperties:
+                      type: string
+                    description: An optional mapping that makes up the encryption
+                      context.
+                    type: object
                   id:
                     type: string
+                  keyId:
+                    description: Globally unique key ID for the customer master key.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kms.aws.upbound.io_externalkeys.yaml b/package/crds/kms.aws.upbound.io_externalkeys.yaml
index 4ae611f5d4..1606e2a910 100644
--- a/package/crds/kms.aws.upbound.io_externalkeys.yaml
+++ b/package/crds/kms.aws.upbound.io_externalkeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -131,6 +135,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -310,6 +329,27 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the key.
                     type: string
+                  bypassPolicyLockoutSafetyCheck:
+                    description: Specifies whether to disable the policy lockout check
+                      performed when creating or updating the key's policy. Setting
+                      this value to true increases the risk that the key becomes unmanageable.
+                      For more information, refer to the scenario in the Default Key
+                      Policy section in the AWS Key Management Service Developer Guide.
+                      Defaults to false.
+                    type: boolean
+                  deletionWindowInDays:
+                    description: Duration in days after which the key is deleted after
+                      destruction of the resource. Must be between 7 and 30 days.
+                      Defaults to 30.
+                    type: number
+                  description:
+                    description: Description of the key.
+                    type: string
+                  enabled:
+                    description: Specifies whether the key is enabled. Keys pending
+                      import can only be false. Imported keys default to true unless
+                      expired.
+                    type: boolean
                   expirationModel:
                     description: Whether the key material expires. Empty when pending
                       key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
@@ -324,6 +364,19 @@ spec:
                     description: The cryptographic operations for which you can use
                       the CMK.
                     type: string
+                  multiRegion:
+                    description: Indicates whether the KMS key is a multi-Region (true)
+                      or regional (false) key. Defaults to false.
+                    type: boolean
+                  policy:
+                    description: A key policy JSON document. If you do not provide
+                      a key policy, AWS KMS attaches a default key policy to the CMK.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -331,6 +384,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  validTo:
+                    description: 'Time at which the imported key material expires.
+                      When the key material expires, AWS KMS deletes the key material
+                      and the CMK becomes unusable. If not specified, key material
+                      does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kms.aws.upbound.io_grants.yaml b/package/crds/kms.aws.upbound.io_grants.yaml
index 1da909a6a4..20ad4fc538 100644
--- a/package/crds/kms.aws.upbound.io_grants.yaml
+++ b/package/crds/kms.aws.upbound.io_grants.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -283,9 +287,23 @@ spec:
                       the grant by using RetireGrant operation in ARN format.
                     type: string
                 required:
-                - operations
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -457,11 +475,49 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: operations is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.operations)
           status:
             description: GrantStatus defines the observed state of Grant.
             properties:
               atProvider:
                 properties:
+                  constraints:
+                    description: A structure that you can use to allow certain operations
+                      in the grant only when the desired encryption context is present.
+                      For more information about encryption context, see Encryption
+                      Context.
+                    items:
+                      properties:
+                        encryptionContextEquals:
+                          additionalProperties:
+                            type: string
+                          description: A list of key-value pairs that must match the
+                            encryption context in subsequent cryptographic operation
+                            requests. The grant allows the operation only when the
+                            encryption context in the request is the same as the encryption
+                            context specified in this constraint. Conflicts with encryption_context_subset.
+                          type: object
+                        encryptionContextSubset:
+                          additionalProperties:
+                            type: string
+                          description: A list of key-value pairs that must be included
+                            in the encryption context of subsequent cryptographic
+                            operation requests. The grant allows the cryptographic
+                            operation only when the encryption context in the request
+                            includes the key-value pairs specified in this constraint,
+                            although it can include additional key-value pairs. Conflicts
+                            with encryption_context_equals.
+                          type: object
+                      type: object
+                    type: array
+                  grantCreationTokens:
+                    description: A list of grant tokens to be used when creating the
+                      grant. See Grant Tokens for more information about grant tokens.
+                    items:
+                      type: string
+                    type: array
                   grantId:
                     description: The unique identifier for the grant.
                     type: string
@@ -469,8 +525,41 @@ spec:
                     description: The grant token for the created grant. For more information,
                       see Grant Tokens.
                     type: string
+                  granteePrincipal:
+                    description: The principal that is given permission to perform
+                      the operations that the grant permits in ARN format.
+                    type: string
                   id:
                     type: string
+                  keyId:
+                    description: The unique identifier for the customer master key
+                      (CMK) that the grant applies to. Specify the key ID or the Amazon
+                      Resource Name (ARN) of the CMK. To specify a CMK in a different
+                      AWS account, you must use the key ARN.
+                    type: string
+                  name:
+                    description: A friendly name for identifying the grant.
+                    type: string
+                  operations:
+                    description: 'A list of operations that the grant permits. The
+                      permitted values are: Decrypt, Encrypt, GenerateDataKey, GenerateDataKeyWithoutPlaintext,
+                      ReEncryptFrom, ReEncryptTo, Sign, Verify, GetPublicKey, CreateGrant,
+                      RetireGrant, DescribeKey, GenerateDataKeyPair, or GenerateDataKeyPairWithoutPlaintext.'
+                    items:
+                      type: string
+                    type: array
+                  retireOnDelete:
+                    description: (Defaults to false, Forces new resources) If set
+                      to false (the default) the grants will be revoked upon deletion,
+                      and if set to true the grants will try to be retired upon deletion.
+                      Note that retiring grants requires special permissions, hence
+                      why we default to revoking grants. See RetireGrant for more
+                      information.
+                    type: boolean
+                  retiringPrincipal:
+                    description: The principal that is given permission to retire
+                      the grant by using RetireGrant operation in ARN format.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kms.aws.upbound.io_keys.yaml b/package/crds/kms.aws.upbound.io_keys.yaml
index c89dbda221..356de7f8b0 100644
--- a/package/crds/kms.aws.upbound.io_keys.yaml
+++ b/package/crds/kms.aws.upbound.io_keys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -132,6 +136,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -311,11 +330,72 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the key.
                     type: string
+                  bypassPolicyLockoutSafetyCheck:
+                    description: A flag to indicate whether to bypass the key policy
+                      lockout safety check. Setting this value to true increases the
+                      risk that the KMS key becomes unmanageable. Do not set this
+                      value to true indiscriminately. For more information, refer
+                      to the scenario in the Default Key Policy section in the AWS
+                      Key Management Service Developer Guide. The default value is
+                      false.
+                    type: boolean
+                  customKeyStoreId:
+                    description: ID of the KMS Custom Key Store where the key will
+                      be stored instead of KMS (eg CloudHSM).
+                    type: string
+                  customerMasterKeySpec:
+                    description: 'Specifies whether the key contains a symmetric key
+                      or an asymmetric key pair and the encryption algorithms or signing
+                      algorithms that the key supports. Valid values: SYMMETRIC_DEFAULT,  RSA_2048,
+                      RSA_3072, RSA_4096, HMAC_256, ECC_NIST_P256, ECC_NIST_P384,
+                      ECC_NIST_P521, or ECC_SECG_P256K1. Defaults to SYMMETRIC_DEFAULT.
+                      For help with choosing a key spec, see the AWS KMS Developer
+                      Guide.'
+                    type: string
+                  deletionWindowInDays:
+                    description: The waiting period, specified in number of days.
+                      After the waiting period ends, AWS KMS deletes the KMS key.
+                      If you specify a value, it must be between 7 and 30, inclusive.
+                      If you do not specify a value, it defaults to 30. If the KMS
+                      key is a multi-Region primary key with replicas, the waiting
+                      period begins when the last of its replica keys is deleted.
+                      Otherwise, the waiting period begins immediately.
+                    type: number
+                  description:
+                    description: The description of the key as viewed in AWS console.
+                    type: string
+                  enableKeyRotation:
+                    description: Specifies whether key rotation is enabled. Defaults
+                      to false.
+                    type: boolean
                   id:
                     type: string
+                  isEnabled:
+                    description: Specifies whether the key is enabled. Defaults to
+                      true.
+                    type: boolean
                   keyId:
                     description: The globally unique identifier for the key.
                     type: string
+                  keyUsage:
+                    description: 'Specifies the intended use of the key. Valid values:
+                      ENCRYPT_DECRYPT, SIGN_VERIFY, or GENERATE_VERIFY_MAC. Defaults
+                      to ENCRYPT_DECRYPT.'
+                    type: string
+                  multiRegion:
+                    description: Indicates whether the KMS key is a multi-Region (true)
+                      or regional (false) key. Defaults to false.
+                    type: boolean
+                  policy:
+                    description: A valid policy JSON document. Although this is a
+                      key policy, not an IAM policy, an aws_iam_policy_document, in
+                      the form that designates a principal, can be used.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/kms.aws.upbound.io_replicaexternalkeys.yaml b/package/crds/kms.aws.upbound.io_replicaexternalkeys.yaml
index 8db72bb720..ee5e165225 100644
--- a/package/crds/kms.aws.upbound.io_replicaexternalkeys.yaml
+++ b/package/crds/kms.aws.upbound.io_replicaexternalkeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -210,6 +214,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -391,6 +410,30 @@ spec:
                       The key ARNs of related multi-Region keys differ only in the
                       Region value.
                     type: string
+                  bypassPolicyLockoutSafetyCheck:
+                    description: A flag to indicate whether to bypass the key policy
+                      lockout safety check. Setting this value to true increases the
+                      risk that the KMS key becomes unmanageable. Do not set this
+                      value to true indiscriminately. For more information, refer
+                      to the scenario in the Default Key Policy section in the AWS
+                      Key Management Service Developer Guide. The default value is
+                      false.
+                    type: boolean
+                  deletionWindowInDays:
+                    description: The waiting period, specified in number of days.
+                      After the waiting period ends, AWS KMS deletes the KMS key.
+                      If you specify a value, it must be between 7 and 30, inclusive.
+                      If you do not specify a value, it defaults to 30.
+                    type: number
+                  description:
+                    description: A description of the KMS key.
+                    type: string
+                  enabled:
+                    description: Specifies whether the replica key is enabled. Disabled
+                      KMS keys cannot be used in cryptographic operations. Keys pending
+                      import can only be false. Imported keys default to true unless
+                      expired.
+                    type: boolean
                   expirationModel:
                     description: Whether the key material expires. Empty when pending
                       key material import, otherwise KEY_MATERIAL_EXPIRES or KEY_MATERIAL_DOES_NOT_EXPIRE.
@@ -408,6 +451,22 @@ spec:
                     description: The cryptographic operations for which you can use
                       the KMS key. This is a shared property of multi-Region keys.
                     type: string
+                  policy:
+                    description: The key policy to attach to the KMS key. If you do
+                      not specify a key policy, AWS KMS attaches the default key policy
+                      to the KMS key.
+                    type: string
+                  primaryKeyArn:
+                    description: The ARN of the multi-Region primary key to replicate.
+                      The primary key must be in a different AWS Region of the same
+                      AWS Partition. You can create only one replica of a given primary
+                      key in each AWS Region.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -415,6 +474,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  validTo:
+                    description: 'Time at which the imported key material expires.
+                      When the key material expires, AWS KMS deletes the key material
+                      and the key becomes unusable. If not specified, key material
+                      does not expire. Valid values: RFC3339 time string (YYYY-MM-DDTHH:MM:SSZ)'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/kms.aws.upbound.io_replicakeys.yaml b/package/crds/kms.aws.upbound.io_replicakeys.yaml
index 450c17b1ef..3106916616 100644
--- a/package/crds/kms.aws.upbound.io_replicakeys.yaml
+++ b/package/crds/kms.aws.upbound.io_replicakeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -183,6 +187,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -364,6 +383,29 @@ spec:
                       The key ARNs of related multi-Region keys differ only in the
                       Region value.
                     type: string
+                  bypassPolicyLockoutSafetyCheck:
+                    description: A flag to indicate whether to bypass the key policy
+                      lockout safety check. Setting this value to true increases the
+                      risk that the KMS key becomes unmanageable. Do not set this
+                      value to true indiscriminately. For more information, refer
+                      to the scenario in the Default Key Policy section in the AWS
+                      Key Management Service Developer Guide. The default value is
+                      false.
+                    type: boolean
+                  deletionWindowInDays:
+                    description: The waiting period, specified in number of days.
+                      After the waiting period ends, AWS KMS deletes the KMS key.
+                      If you specify a value, it must be between 7 and 30, inclusive.
+                      If you do not specify a value, it defaults to 30.
+                    type: number
+                  description:
+                    description: A description of the KMS key.
+                    type: string
+                  enabled:
+                    description: Specifies whether the replica key is enabled. Disabled
+                      KMS keys cannot be used in cryptographic operations. The default
+                      value is true.
+                    type: boolean
                   id:
                     type: string
                   keyId:
@@ -382,6 +424,22 @@ spec:
                     description: The cryptographic operations for which you can use
                       the KMS key. This is a shared property of multi-Region keys.
                     type: string
+                  policy:
+                    description: The key policy to attach to the KMS key. If you do
+                      not specify a key policy, AWS KMS attaches the default key policy
+                      to the KMS key.
+                    type: string
+                  primaryKeyArn:
+                    description: The ARN of the multi-Region primary key to replicate.
+                      The primary key must be in a different AWS Region of the same
+                      AWS Partition. You can create only one replica of a given primary
+                      key in each AWS Region.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/lakeformation.aws.upbound.io_datalakesettings.yaml b/package/crds/lakeformation.aws.upbound.io_datalakesettings.yaml
index cc2630eeac..94df38b474 100644
--- a/package/crds/lakeformation.aws.upbound.io_datalakesettings.yaml
+++ b/package/crds/lakeformation.aws.upbound.io_datalakesettings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -129,6 +133,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -305,8 +324,66 @@ spec:
             properties:
               atProvider:
                 properties:
+                  admins:
+                    description: –  Set of ARNs of AWS Lake Formation principals (IAM
+                      users or roles).
+                    items:
+                      type: string
+                    type: array
+                  catalogId:
+                    description: –  Identifier for the Data Catalog. By default, the
+                      account ID.
+                    type: string
+                  createDatabaseDefaultPermissions:
+                    description: Up to three configuration blocks of principal permissions
+                      for default create database permissions. Detailed below.
+                    items:
+                      properties:
+                        permissions:
+                          description: List of permissions that are granted to the
+                            principal. Valid values may include ALL, SELECT, ALTER,
+                            DROP, DELETE, INSERT, DESCRIBE, and CREATE_TABLE. For
+                            more details, see Lake Formation Permissions Reference.
+                          items:
+                            type: string
+                          type: array
+                        principal:
+                          description: Principal who is granted permissions. To enforce
+                            metadata and underlying data access control only by IAM
+                            on new databases and tables set principal to IAM_ALLOWED_PRINCIPALS
+                            and permissions to ["ALL"].
+                          type: string
+                      type: object
+                    type: array
+                  createTableDefaultPermissions:
+                    description: Up to three configuration blocks of principal permissions
+                      for default create table permissions. Detailed below.
+                    items:
+                      properties:
+                        permissions:
+                          description: List of permissions that are granted to the
+                            principal. Valid values may include ALL, SELECT, ALTER,
+                            DROP, DELETE, INSERT, and DESCRIBE. For more details,
+                            see Lake Formation Permissions Reference.
+                          items:
+                            type: string
+                          type: array
+                        principal:
+                          description: Principal who is granted permissions. To enforce
+                            metadata and underlying data access control only by IAM
+                            on new databases and tables set principal to IAM_ALLOWED_PRINCIPALS
+                            and permissions to ["ALL"].
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  trustedResourceOwners:
+                    description: owning account IDs that the caller's account can
+                      use to share their user access details (user ARNs).
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lakeformation.aws.upbound.io_permissions.yaml b/package/crds/lakeformation.aws.upbound.io_permissions.yaml
index e2faaf9efe..e8714d8ead 100644
--- a/package/crds/lakeformation.aws.upbound.io_permissions.yaml
+++ b/package/crds/lakeformation.aws.upbound.io_permissions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -480,10 +484,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - permissions
-                - principal
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -655,13 +672,181 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: permissions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissions)
+            - message: principal is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)
           status:
             description: PermissionsStatus defines the observed state of Permissions.
             properties:
               atProvider:
                 properties:
+                  catalogId:
+                    description: –  Identifier for the Data Catalog. By default, the
+                      account ID. The Data Catalog is the persistent metadata store.
+                      It contains database definitions, table definitions, and other
+                      control information to manage your Lake Formation environment.
+                    type: string
+                  catalogResource:
+                    description: Whether the permissions are to be granted for the
+                      Data Catalog. Defaults to false.
+                    type: boolean
+                  dataLocation:
+                    description: Configuration block for a data location resource.
+                      Detailed below.
+                    items:
+                      properties:
+                        arn:
+                          description: –  Amazon Resource Name (ARN) that uniquely
+                            identifies the data location resource.
+                          type: string
+                        catalogId:
+                          description: Identifier for the Data Catalog where the location
+                            is registered with Lake Formation. By default, it is the
+                            account ID of the caller.
+                          type: string
+                      type: object
+                    type: array
+                  database:
+                    description: Configuration block for a database resource. Detailed
+                      below.
+                    items:
+                      properties:
+                        catalogId:
+                          description: Identifier for the Data Catalog. By default,
+                            it is the account ID of the caller.
+                          type: string
+                        name:
+                          description: –  Name of the database resource. Unique to
+                            the Data Catalog.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  lfTag:
+                    description: Configuration block for an LF-tag resource. Detailed
+                      below.
+                    items:
+                      properties:
+                        catalogId:
+                          description: Identifier for the Data Catalog. By default,
+                            it is the account ID of the caller.
+                          type: string
+                        key:
+                          description: name for the tag.
+                          type: string
+                        values:
+                          description: A list of possible values an attribute can
+                            take.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  lfTagPolicy:
+                    description: Configuration block for an LF-tag policy resource.
+                      Detailed below.
+                    items:
+                      properties:
+                        catalogId:
+                          description: Identifier for the Data Catalog. By default,
+                            it is the account ID of the caller.
+                          type: string
+                        expression:
+                          description: A list of tag conditions that apply to the
+                            resource's tag policy. Configuration block for tag conditions
+                            that apply to the policy. See expression below.
+                          items:
+                            properties:
+                              key:
+                                description: name of an LF-Tag.
+                                type: string
+                              values:
+                                description: A list of possible values of an LF-Tag.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        resourceType:
+                          description: –  The resource type for which the tag policy
+                            applies. Valid values are DATABASE and TABLE.
+                          type: string
+                      type: object
+                    type: array
+                  permissions:
+                    description: –  List of permissions granted to the principal.
+                      Valid values may include ALL, ALTER, ASSOCIATE, CREATE_DATABASE,
+                      CREATE_TABLE, DATA_LOCATION_ACCESS, DELETE, DESCRIBE, DROP,
+                      INSERT, and SELECT. For details on each permission, see Lake
+                      Formation Permissions Reference.
+                    items:
+                      type: string
+                    type: array
+                  permissionsWithGrantOption:
+                    description: Subset of permissions which the principal can pass.
+                    items:
+                      type: string
+                    type: array
+                  principal:
+                    description: account permissions. For more information, see Lake
+                      Formation Permissions Reference.
+                    type: string
+                  table:
+                    description: Configuration block for a table resource. Detailed
+                      below.
+                    items:
+                      properties:
+                        catalogId:
+                          description: Identifier for the Data Catalog. By default,
+                            it is the account ID of the caller.
+                          type: string
+                        databaseName:
+                          description: –  Name of the database for the table. Unique
+                            to a Data Catalog.
+                          type: string
+                        name:
+                          description: Name of the table.
+                          type: string
+                        wildcard:
+                          description: Whether to use a wildcard representing every
+                            table under a database. Defaults to false.
+                          type: boolean
+                      type: object
+                    type: array
+                  tableWithColumns:
+                    description: Configuration block for a table with columns resource.
+                      Detailed below.
+                    items:
+                      properties:
+                        catalogId:
+                          description: Identifier for the Data Catalog. By default,
+                            it is the account ID of the caller.
+                          type: string
+                        columnNames:
+                          description: Set of column names for the table.
+                          items:
+                            type: string
+                          type: array
+                        databaseName:
+                          description: –  Name of the database for the table with
+                            columns resource. Unique to the Data Catalog.
+                          type: string
+                        excludedColumnNames:
+                          description: Set of column names for the table to exclude.
+                          items:
+                            type: string
+                          type: array
+                        name:
+                          description: –  Name of the table resource.
+                          type: string
+                        wildcard:
+                          description: Whether to use a column wildcard.
+                          type: boolean
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lakeformation.aws.upbound.io_resources.yaml b/package/crds/lakeformation.aws.upbound.io_resources.yaml
index 9b0673e9cf..604ba07827 100644
--- a/package/crds/lakeformation.aws.upbound.io_resources.yaml
+++ b/package/crds/lakeformation.aws.upbound.io_resources.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,9 +153,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - arn
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,17 +341,27 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: arn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.arn)
           status:
             description: ResourceStatus defines the observed state of Resource.
             properties:
               atProvider:
                 properties:
+                  arn:
+                    description: –  Amazon Resource Name (ARN) of the resource, an
+                      S3 path.
+                    type: string
                   id:
                     type: string
                   lastModified:
                     description: The date and time the resource was last modified
                       in RFC 3339 format.
                     type: string
+                  roleArn:
+                    description: linked role must exist and is used.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lambda.aws.upbound.io_aliases.yaml b/package/crds/lambda.aws.upbound.io_aliases.yaml
index 062972b97b..6108cffa07 100644
--- a/package/crds/lambda.aws.upbound.io_aliases.yaml
+++ b/package/crds/lambda.aws.upbound.io_aliases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -166,9 +170,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - functionVersion
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,6 +358,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: functionVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.functionVersion)
           status:
             description: AliasStatus defines the observed state of Alias.
             properties:
@@ -349,12 +370,36 @@ spec:
                     description: The Amazon Resource Name (ARN) identifying your Lambda
                       function alias.
                     type: string
+                  description:
+                    description: Description of the alias.
+                    type: string
+                  functionName:
+                    description: Lambda Function name or ARN.
+                    type: string
+                  functionVersion:
+                    description: 'Lambda function version for which you are creating
+                      the alias. Pattern: (\$LATEST|[0-9]+).'
+                    type: string
                   id:
                     type: string
                   invokeArn:
                     description: The ARN to be used for invoking Lambda Function from
                       API Gateway - to be used in aws_api_gateway_integration's uri
                     type: string
+                  routingConfig:
+                    description: The Lambda alias' route configuration settings. Fields
+                      documented below
+                    items:
+                      properties:
+                        additionalVersionWeights:
+                          additionalProperties:
+                            type: number
+                          description: A map that defines the proportion of events
+                            that should be sent to different versions of a lambda
+                            function.
+                          type: object
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lambda.aws.upbound.io_codesigningconfigs.yaml b/package/crds/lambda.aws.upbound.io_codesigningconfigs.yaml
index 210cd274b2..8dc663e3b9 100644
--- a/package/crds/lambda.aws.upbound.io_codesigningconfigs.yaml
+++ b/package/crds/lambda.aws.upbound.io_codesigningconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -186,9 +190,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - allowedPublishers
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -360,11 +378,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: allowedPublishers is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.allowedPublishers)
           status:
             description: CodeSigningConfigStatus defines the observed state of CodeSigningConfig.
             properties:
               atProvider:
                 properties:
+                  allowedPublishers:
+                    description: A configuration block of allowed publishers as signing
+                      profiles for this code signing configuration. Detailed below.
+                    items:
+                      properties:
+                        signingProfileVersionArns:
+                          description: The Amazon Resource Name (ARN) for each of
+                            the signing profiles. A signing profile defines a trusted
+                            user who can sign a code package.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   arn:
                     description: The Amazon Resource Name (ARN) of the code signing
                       configuration.
@@ -372,12 +407,31 @@ spec:
                   configId:
                     description: Unique identifier for the code signing configuration.
                     type: string
+                  description:
+                    description: Descriptive name for this code signing configuration.
+                    type: string
                   id:
                     type: string
                   lastModified:
                     description: The date and time that the code signing configuration
                       was last modified.
                     type: string
+                  policies:
+                    description: A configuration block of code signing policies that
+                      define the actions to take if the validation checks fail. Detailed
+                      below.
+                    items:
+                      properties:
+                        untrustedArtifactOnDeployment:
+                          description: 'Code signing configuration policy for deployment
+                            validation failure. If you set the policy to Enforce,
+                            Lambda blocks the deployment request if code-signing validation
+                            checks fail. If you set the policy to Warn, Lambda allows
+                            the deployment and creates a CloudWatch log. Valid values:
+                            Warn, Enforce. Default value: Warn.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lambda.aws.upbound.io_eventsourcemappings.yaml b/package/crds/lambda.aws.upbound.io_eventsourcemappings.yaml
index 3750c5fbac..6c82d8d692 100644
--- a/package/crds/lambda.aws.upbound.io_eventsourcemappings.yaml
+++ b/package/crds/lambda.aws.upbound.io_eventsourcemappings.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -364,6 +368,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -540,11 +559,94 @@ spec:
             properties:
               atProvider:
                 properties:
+                  amazonManagedKafkaEventSourceConfig:
+                    description: Additional configuration block for Amazon Managed
+                      Kafka sources. Incompatible with "self_managed_event_source"
+                      and "self_managed_kafka_event_source_config". Detailed below.
+                    items:
+                      properties:
+                        consumerGroupId:
+                          description: A Kafka consumer group ID between 1 and 200
+                            characters for use when creating this event source mapping.
+                            If one is not specified, this value will be automatically
+                            generated. See AmazonManagedKafkaEventSourceConfig Syntax.
+                          type: string
+                      type: object
+                    type: array
+                  batchSize:
+                    description: The largest number of records that Lambda will retrieve
+                      from your event source at the time of invocation. Defaults to
+                      100 for DynamoDB, Kinesis, MQ and MSK, 10 for SQS.
+                    type: number
+                  bisectBatchOnFunctionError:
+                    description: If the function returns an error, split the batch
+                      in two and retry. Only available for stream sources (DynamoDB
+                      and Kinesis). Defaults to false.
+                    type: boolean
+                  destinationConfig:
+                    description: An Amazon SQS queue or Amazon SNS topic destination
+                      for failed records. Only available for stream sources (DynamoDB
+                      and Kinesis). Detailed below.
+                    items:
+                      properties:
+                        onFailure:
+                          description: The destination configuration for failed invocations.
+                            Detailed below.
+                          items:
+                            properties:
+                              destinationArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  destination resource.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  enabled:
+                    description: Determines if the mapping will be enabled on creation.
+                      Defaults to true.
+                    type: boolean
+                  eventSourceArn:
+                    description: The event source ARN - this is required for Kinesis
+                      stream, DynamoDB stream, SQS queue, MQ broker or MSK cluster.  It
+                      is incompatible with a Self Managed Kafka source.
+                    type: string
+                  filterCriteria:
+                    description: The criteria to use for event filtering Kinesis stream,
+                      DynamoDB stream, SQS queue event sources. Detailed below.
+                    items:
+                      properties:
+                        filter:
+                          description: A set of up to 5 filter. If an event satisfies
+                            at least one, Lambda sends the event to the function or
+                            adds it to the next batch. Detailed below.
+                          items:
+                            properties:
+                              pattern:
+                                description: A filter pattern up to 4096 characters.
+                                  See Filter Rule Syntax.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   functionArn:
                     description: 'The the ARN of the Lambda function the event source
                       mapping is sending events to. (Note: this is a computed value
                       that differs from function_name above.)'
                     type: string
+                  functionName:
+                    description: The name or the ARN of the Lambda function that will
+                      be subscribing to events.
+                    type: string
+                  functionResponseTypes:
+                    description: 'A list of current response type enums applied to
+                      the event source mapping for AWS Lambda checkpointing. Only
+                      available for SQS and stream sources (DynamoDB and Kinesis).
+                      Valid values: ReportBatchItemFailures.'
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
                   lastModified:
@@ -554,6 +656,122 @@ spec:
                     description: The result of the last AWS Lambda invocation of your
                       Lambda function.
                     type: string
+                  maximumBatchingWindowInSeconds:
+                    description: The maximum amount of time to gather records before
+                      invoking the function, in seconds (between 0 and 300). Records
+                      will continue to buffer (or accumulate in the case of an SQS
+                      queue event source) until either maximum_batching_window_in_seconds
+                      expires or batch_size has been met. For streaming event sources,
+                      defaults to as soon as records are available in the stream.
+                      If the batch it reads from the stream/queue only has one record
+                      in it, Lambda only sends one record to the function. Only available
+                      for stream sources (DynamoDB and Kinesis) and SQS standard queues.
+                    type: number
+                  maximumRecordAgeInSeconds:
+                    description: The maximum age of a record that Lambda sends to
+                      a function for processing. Only available for stream sources
+                      (DynamoDB and Kinesis). Must be either -1 (forever, and the
+                      default value) or between 60 and 604800 (inclusive).
+                    type: number
+                  maximumRetryAttempts:
+                    description: The maximum number of times to retry when the function
+                      returns an error. Only available for stream sources (DynamoDB
+                      and Kinesis). Minimum and default of -1 (forever), maximum of
+                      10000.
+                    type: number
+                  parallelizationFactor:
+                    description: The number of batches to process from each shard
+                      concurrently. Only available for stream sources (DynamoDB and
+                      Kinesis). Minimum and default of 1, maximum of 10.
+                    type: number
+                  queues:
+                    description: The name of the Amazon MQ broker destination queue
+                      to consume. Only available for MQ sources. A single queue name
+                      must be specified.
+                    items:
+                      type: string
+                    type: array
+                  scalingConfig:
+                    description: Scaling configuration of the event source. Only available
+                      for SQS queues. Detailed below.
+                    items:
+                      properties:
+                        maximumConcurrency:
+                          description: Limits the number of concurrent instances that
+                            the Amazon SQS event source can invoke. Must be between
+                            2 and 1000. See Configuring maximum concurrency for Amazon
+                            SQS event sources.
+                          type: number
+                      type: object
+                    type: array
+                  selfManagedEventSource:
+                    description: For Self Managed Kafka sources, the location of the
+                      self managed cluster. If set, configuration must also include
+                      source_access_configuration. Detailed below.
+                    items:
+                      properties:
+                        endpoints:
+                          additionalProperties:
+                            type: string
+                          description: A map of endpoints for the self managed source.  For
+                            Kafka self-managed sources, the key should be KAFKA_BOOTSTRAP_SERVERS
+                            and the value should be a string with a comma separated
+                            list of broker endpoints.
+                          type: object
+                      type: object
+                    type: array
+                  selfManagedKafkaEventSourceConfig:
+                    description: Additional configuration block for Self Managed Kafka
+                      sources. Incompatible with "event_source_arn" and "amazon_managed_kafka_event_source_config".
+                      Detailed below.
+                    items:
+                      properties:
+                        consumerGroupId:
+                          description: A Kafka consumer group ID between 1 and 200
+                            characters for use when creating this event source mapping.
+                            If one is not specified, this value will be automatically
+                            generated. See SelfManagedKafkaEventSourceConfig Syntax.
+                          type: string
+                      type: object
+                    type: array
+                  sourceAccessConfiguration:
+                    description: ':  For Self Managed Kafka sources, the access configuration
+                      for the source. If set, configuration must also include self_managed_event_source.
+                      Detailed below.'
+                    items:
+                      properties:
+                        type:
+                          description: The type of this configuration.  For Self Managed
+                            Kafka you will need to supply blocks for type VPC_SUBNET
+                            and VPC_SECURITY_GROUP.
+                          type: string
+                        uri:
+                          description: The URI for this configuration.  For type VPC_SUBNET
+                            the value should be subnet:subnet_id where subnet_id is
+                            the value you would find in an aws_subnet resource's id
+                            attribute.  For type VPC_SECURITY_GROUP the value should
+                            be security_group:security_group_id where security_group_id
+                            is the value you would find in an aws_security_group resource's
+                            id attribute.
+                          type: string
+                      type: object
+                    type: array
+                  startingPosition:
+                    description: The position in the stream where AWS Lambda should
+                      start reading. Must be one of AT_TIMESTAMP (Kinesis only), LATEST
+                      or TRIM_HORIZON if getting events from Kinesis, DynamoDB, MSK
+                      or Self Managed Apache Kafka. Must not be provided if getting
+                      events from SQS. More information about these positions can
+                      be found in the AWS DynamoDB Streams API Reference and AWS Kinesis
+                      API Reference.
+                    type: string
+                  startingPositionTimestamp:
+                    description: A timestamp in RFC3339 format of the data record
+                      which to start reading when using starting_position set to AT_TIMESTAMP.
+                      If a record with this exact timestamp does not exist, the next
+                      later record is chosen. If the timestamp is older than the current
+                      trim horizon, the oldest available record is chosen.
+                    type: string
                   state:
                     description: The state of the event source mapping.
                     type: string
@@ -561,6 +779,18 @@ spec:
                     description: The reason the event source mapping is in its current
                       state.
                     type: string
+                  topics:
+                    description: The name of the Kafka topics. Only available for
+                      MSK sources. A single topic name must be specified.
+                    items:
+                      type: string
+                    type: array
+                  tumblingWindowInSeconds:
+                    description: The duration in seconds of a processing window for
+                      AWS Lambda streaming analytics. The range is between 1 second
+                      up to 900 seconds. Only available for stream sources (DynamoDB
+                      and Kinesis).
+                    type: number
                   uuid:
                     description: The UUID of the created event source mapping.
                     type: string
diff --git a/package/crds/lambda.aws.upbound.io_functioneventinvokeconfigs.yaml b/package/crds/lambda.aws.upbound.io_functioneventinvokeconfigs.yaml
index 71732e3965..60834fa08d 100644
--- a/package/crds/lambda.aws.upbound.io_functioneventinvokeconfigs.yaml
+++ b/package/crds/lambda.aws.upbound.io_functioneventinvokeconfigs.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -280,9 +284,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - functionName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -454,16 +472,68 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: functionName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.functionName)
           status:
             description: FunctionEventInvokeConfigStatus defines the observed state
               of FunctionEventInvokeConfig.
             properties:
               atProvider:
                 properties:
+                  destinationConfig:
+                    description: Configuration block with destination configuration.
+                      See below for details.
+                    items:
+                      properties:
+                        onFailure:
+                          description: Configuration block with destination configuration
+                            for failed asynchronous invocations. See below for details.
+                          items:
+                            properties:
+                              destination:
+                                description: Amazon Resource Name (ARN) of the destination
+                                  resource. See the Lambda Developer Guide for acceptable
+                                  resource types and associated IAM permissions.
+                                type: string
+                            type: object
+                          type: array
+                        onSuccess:
+                          description: Configuration block with destination configuration
+                            for successful asynchronous invocations. See below for
+                            details.
+                          items:
+                            properties:
+                              destination:
+                                description: Amazon Resource Name (ARN) of the destination
+                                  resource. See the Lambda Developer Guide for acceptable
+                                  resource types and associated IAM permissions.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  functionName:
+                    description: Name or Amazon Resource Name (ARN) of the Lambda
+                      Function, omitting any version or alias qualifier.
+                    type: string
                   id:
                     description: Fully qualified Lambda Function name or Amazon Resource
                       Name (ARN)
                     type: string
+                  maximumEventAgeInSeconds:
+                    description: Maximum age of a request that Lambda sends to a function
+                      for processing in seconds. Valid values between 60 and 21600.
+                    type: number
+                  maximumRetryAttempts:
+                    description: Maximum number of times to retry when the function
+                      returns an error. Valid values between 0 and 2. Defaults to
+                      2.
+                    type: number
+                  qualifier:
+                    description: Lambda Function published version, $LATEST, or Lambda
+                      Alias name.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lambda.aws.upbound.io_functions.yaml b/package/crds/lambda.aws.upbound.io_functions.yaml
index 61aebf5644..a946807852 100644
--- a/package/crds/lambda.aws.upbound.io_functions.yaml
+++ b/package/crds/lambda.aws.upbound.io_functions.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -851,6 +855,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1027,19 +1046,144 @@ spec:
             properties:
               atProvider:
                 properties:
+                  architectures:
+                    description: Instruction set architecture for your Lambda function.
+                      Valid values are ["x86_64"] and ["arm64"]. Default is ["x86_64"].
+                      Removing this attribute, function's architecture stay the same.
+                    items:
+                      type: string
+                    type: array
                   arn:
                     description: Amazon Resource Name (ARN) identifying your Lambda
                       Function.
                     type: string
+                  codeSigningConfigArn:
+                    description: To enable code signing for this function, specify
+                      the ARN of a code-signing configuration. A code-signing configuration
+                      includes a set of signing profiles, which define the trusted
+                      publishers for this function.
+                    type: string
+                  deadLetterConfig:
+                    description: Configuration block. Detailed below.
+                    items:
+                      properties:
+                        targetArn:
+                          description: ARN of an SNS topic or SQS queue to notify
+                            when an invocation fails. If this option is used, the
+                            function's IAM role must be granted suitable access to
+                            write to the target object, which means allowing either
+                            the sns:Publish or sqs:SendMessage action on this ARN,
+                            depending on which service is targeted.
+                          type: string
+                      type: object
+                    type: array
+                  description:
+                    description: Description of what your Lambda Function does.
+                    type: string
+                  environment:
+                    description: Configuration block. Detailed below.
+                    items:
+                      properties:
+                        variables:
+                          additionalProperties:
+                            type: string
+                          description: Map of environment variables that are accessible
+                            from the function code during execution. If provided at
+                            least one key must be present.
+                          type: object
+                      type: object
+                    type: array
+                  ephemeralStorage:
+                    description: The amount of Ephemeral storage(/tmp) to allocate
+                      for the Lambda Function in MB. This parameter is used to expand
+                      the total amount of Ephemeral storage available, beyond the
+                      default amount of 512MB. Detailed below.
+                    items:
+                      properties:
+                        size:
+                          description: The size of the Lambda function Ephemeral storage(/tmp)
+                            represented in MB. The minimum supported ephemeral_storage
+                            value defaults to 512MB and the maximum supported value
+                            is 10240MB.
+                          type: number
+                      type: object
+                    type: array
+                  fileSystemConfig:
+                    description: Configuration block. Detailed below.
+                    items:
+                      properties:
+                        arn:
+                          description: Amazon Resource Name (ARN) of the Amazon EFS
+                            Access Point that provides access to the file system.
+                          type: string
+                        localMountPath:
+                          description: Path where the function can access the file
+                            system, starting with /mnt/.
+                          type: string
+                      type: object
+                    type: array
+                  handler:
+                    description: Function entrypoint in your code.
+                    type: string
                   id:
                     type: string
+                  imageConfig:
+                    description: Configuration block. Detailed below.
+                    items:
+                      properties:
+                        command:
+                          description: Parameters that you want to pass in with entry_point.
+                          items:
+                            type: string
+                          type: array
+                        entryPoint:
+                          description: Entry point to your application, which is typically
+                            the location of the runtime executable.
+                          items:
+                            type: string
+                          type: array
+                        workingDirectory:
+                          description: Working directory.
+                          type: string
+                      type: object
+                    type: array
+                  imageUri:
+                    description: ECR image URI containing the function's deployment
+                      package. Exactly one of filename, image_uri,  or s3_bucket must
+                      be specified.
+                    type: string
                   invokeArn:
                     description: ARN to be used for invoking Lambda Function from
                       API Gateway - to be used in aws_api_gateway_integration's uri.
                     type: string
+                  kmsKeyArn:
+                    description: Amazon Resource Name (ARN) of the AWS Key Management
+                      Service (KMS) key that is used to encrypt environment variables.
+                      If this configuration is not provided when environment variables
+                      are in use, AWS Lambda uses a default service key. To fix the
+                      perpetual difference, remove this configuration.
+                    type: string
                   lastModified:
                     description: Date this resource was last modified.
                     type: string
+                  layers:
+                    description: List of Lambda Layer Version ARNs (maximum of 5)
+                      to attach to your Lambda Function. See Lambda Layers
+                    items:
+                      type: string
+                    type: array
+                  memorySize:
+                    description: Amount of memory in MB your Lambda Function can use
+                      at runtime. Defaults to 128. See Limits
+                    type: number
+                  packageType:
+                    description: Lambda deployment package type. Valid values are
+                      Zip and Image. Defaults to Zip.
+                    type: string
+                  publish:
+                    description: Whether to publish creation/change as new Lambda
+                      Function Version. Defaults to false.
+                    type: boolean
                   qualifiedArn:
                     description: ARN identifying your Lambda Function Version (if
                       versioning is enabled via publish = true).
@@ -1049,6 +1193,53 @@ spec:
                       be used for invoking Lambda Function from API Gateway - to be
                       used in aws_api_gateway_integration's uri.
                     type: string
+                  replaceSecurityGroupsOnDestroy:
+                    description: Whether to replace the security groups on associated
+                      lambda network interfaces upon destruction. Removing these security
+                      groups from orphaned network interfaces can speed up security
+                      group deletion times by avoiding a dependency on AWS's internal
+                      cleanup operations. By default, the ENI security groups will
+                      be replaced with the default security group in the function's
+                      VPC. Set the replacement_security_group_ids attribute to use
+                      a custom list of security groups for replacement.
+                    type: boolean
+                  replacementSecurityGroupIds:
+                    description: List of security group IDs to assign to orphaned
+                      Lambda function network interfaces upon destruction. replace_security_groups_on_destroy
+                      must be set to true to use this attribute.
+                    items:
+                      type: string
+                    type: array
+                  reservedConcurrentExecutions:
+                    description: Amount of reserved concurrent executions for this
+                      lambda function. A value of 0 disables lambda from being triggered
+                      and -1 removes any concurrency limitations. Defaults to Unreserved
+                      Concurrency Limits -1. See Managing Concurrency
+                    type: number
+                  role:
+                    description: Amazon Resource Name (ARN) of the function's execution
+                      role. The role provides the function's identity and access to
+                      AWS services and resources.
+                    type: string
+                  runtime:
+                    description: Identifier of the function's runtime. See Runtimes
+                      for valid values.
+                    type: string
+                  s3Bucket:
+                    description: S3 bucket location containing the function's deployment
+                      package. This bucket must reside in the same AWS region where
+                      you are creating the Lambda function. Exactly one of filename,
+                      image_uri, or s3_bucket must be specified. When s3_bucket is
+                      set, s3_key is required.
+                    type: string
+                  s3Key:
+                    description: S3 key of an object containing the function's deployment
+                      package. When s3_bucket is set, s3_key is required.
+                    type: string
+                  s3ObjectVersion:
+                    description: Object version containing the function's deployment
+                      package. Conflicts with filename and image_uri.
+                    type: string
                   signingJobArn:
                     description: ARN of the signing job.
                     type: string
@@ -1059,15 +1250,32 @@ spec:
                     description: Snap start settings block. Detailed below.
                     items:
                       properties:
+                        applyOn:
+                          description: Conditions where snap start is enabled. Valid
+                            values are PublishedVersions.
+                          type: string
                         optimizationStatus:
                           description: Optimization status of the snap start configuration.
                             Valid values are On and Off.
                           type: string
                       type: object
                     type: array
+                  sourceCodeHash:
+                    description: Used to trigger updates. Must be set to a base64-encoded
+                      SHA256 hash of the package file specified with either filename
+                      or s3_key. The usual way to set this is filebase64sha256("file.11.12
+                      and later) or base64sha256(file("file.11.11 and earlier), where
+                      "file.zip" is the local filename of the lambda function source
+                      archive.
+                    type: string
                   sourceCodeSize:
                     description: Size in bytes of the function .zip file.
                     type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -1075,6 +1283,26 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  timeout:
+                    description: Amount of time your Lambda Function has to run in
+                      seconds. Defaults to 3. See Limits.
+                    type: number
+                  tracingConfig:
+                    description: Configuration block. Detailed below.
+                    items:
+                      properties:
+                        mode:
+                          description: Whether to sample and trace a subset of incoming
+                            requests with AWS X-Ray. Valid values are PassThrough
+                            and Active. If PassThrough, Lambda will only trace the
+                            request from an upstream service if it contains a tracing
+                            header with "sampled=1". If Active, Lambda will respect
+                            any tracing header it receives from an upstream service.
+                            If no tracing header is received, Lambda will call X-Ray
+                            for a tracing decision.
+                          type: string
+                      type: object
+                    type: array
                   version:
                     description: Latest published version of your Lambda Function.
                     type: string
@@ -1082,6 +1310,18 @@ spec:
                     description: Configuration block. Detailed below.
                     items:
                       properties:
+                        securityGroupIds:
+                          description: List of security group IDs associated with
+                            the Lambda function.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: List of subnet IDs associated with the Lambda
+                            function.
+                          items:
+                            type: string
+                          type: array
                         vpcId:
                           description: ID of the VPC.
                           type: string
diff --git a/package/crds/lambda.aws.upbound.io_functionurls.yaml b/package/crds/lambda.aws.upbound.io_functionurls.yaml
index 984a02f820..ecfd0fb6ec 100644
--- a/package/crds/lambda.aws.upbound.io_functionurls.yaml
+++ b/package/crds/lambda.aws.upbound.io_functionurls.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -200,9 +204,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - authorizationType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -374,20 +392,81 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authorizationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authorizationType)
           status:
             description: FunctionURLStatus defines the observed state of FunctionURL.
             properties:
               atProvider:
                 properties:
+                  authorizationType:
+                    description: The type of authentication that the function URL
+                      uses. Set to "AWS_IAM" to restrict access to authenticated IAM
+                      users only. Set to "NONE" to bypass IAM authentication and create
+                      a public endpoint. See the AWS documentation for more details.
+                    type: string
+                  cors:
+                    description: The cross-origin resource sharing (CORS) settings
+                      for the function URL. Documented below.
+                    items:
+                      properties:
+                        allowCredentials:
+                          description: Whether to allow cookies or other credentials
+                            in requests to the function URL. The default is false.
+                          type: boolean
+                        allowHeaders:
+                          description: 'The HTTP headers that origins can include
+                            in requests to the function URL. For example: ["date",
+                            "keep-alive", "x-custom-header"].'
+                          items:
+                            type: string
+                          type: array
+                        allowMethods:
+                          description: 'The HTTP methods that are allowed when calling
+                            the function URL. For example: ["GET", "POST", "DELETE"],
+                            or the wildcard character (["*"]).'
+                          items:
+                            type: string
+                          type: array
+                        allowOrigins:
+                          description: 'The origins that can access the function URL.
+                            You can list any number of specific origins (or the wildcard
+                            character ("*")), separated by a comma. For example: ["https://www.example.com",
+                            "http://localhost:60905"].'
+                          items:
+                            type: string
+                          type: array
+                        exposeHeaders:
+                          description: The HTTP headers in your function response
+                            that you want to expose to origins that call the function
+                            URL.
+                          items:
+                            type: string
+                          type: array
+                        maxAge:
+                          description: The maximum amount of time, in seconds, that
+                            web browsers can cache results of a preflight request.
+                            By default, this is set to 0, which means that the browser
+                            doesn't cache results. The maximum value is 86400.
+                          type: number
+                      type: object
+                    type: array
                   functionArn:
                     description: The Amazon Resource Name (ARN) of the function.
                     type: string
+                  functionName:
+                    description: The name (or ARN) of the Lambda function.
+                    type: string
                   functionUrl:
                     description: The HTTP URL endpoint for the function in the format
                       https://<url_id>.lambda-url.<region>.on.aws.
                     type: string
                   id:
                     type: string
+                  qualifier:
+                    description: The alias name or "$LATEST".
+                    type: string
                   urlId:
                     description: A generated ID for the endpoint.
                     type: string
diff --git a/package/crds/lambda.aws.upbound.io_invocations.yaml b/package/crds/lambda.aws.upbound.io_invocations.yaml
index c2677c85c2..d833158fa8 100644
--- a/package/crds/lambda.aws.upbound.io_invocations.yaml
+++ b/package/crds/lambda.aws.upbound.io_invocations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,9 +162,23 @@ spec:
                       will trigger a re-invocation.
                     type: object
                 required:
-                - input
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -332,16 +350,35 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: input is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.input)
           status:
             description: InvocationStatus defines the observed state of Invocation.
             properties:
               atProvider:
                 properties:
+                  functionName:
+                    description: Name of the lambda function.
+                    type: string
                   id:
                     type: string
+                  input:
+                    description: JSON payload to the lambda function.
+                    type: string
+                  qualifier:
+                    description: Qualifier (i.e., version) of the lambda function.
+                      Defaults to $LATEST.
+                    type: string
                   result:
                     description: String result of the lambda function invocation.
                     type: string
+                  triggers:
+                    additionalProperties:
+                      type: string
+                    description: Map of arbitrary keys and values that, when changed,
+                      will trigger a re-invocation.
+                    type: object
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lambda.aws.upbound.io_layerversionpermissions.yaml b/package/crds/lambda.aws.upbound.io_layerversionpermissions.yaml
index 83c79dd4f3..c36a46b89d 100644
--- a/package/crds/lambda.aws.upbound.io_layerversionpermissions.yaml
+++ b/package/crds/lambda.aws.upbound.io_layerversionpermissions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -97,13 +101,23 @@ spec:
                       of a layer.'
                     type: number
                 required:
-                - action
-                - layerName
-                - principal
                 - region
-                - statementId
-                - versionNumber
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -275,23 +289,62 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: action is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)
+            - message: layerName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.layerName)
+            - message: principal is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)
+            - message: statementId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statementId)
+            - message: versionNumber is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.versionNumber)
           status:
             description: LayerVersionPermissionStatus defines the observed state of
               LayerVersionPermission.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: Action, which will be allowed. lambda:GetLayerVersion
+                      value is suggested by AWS documantation.
+                    type: string
                   id:
                     description: The layer_name and version_number, separated by a
                       comma (,).
                     type: string
+                  layerName:
+                    description: The name or ARN of the Lambda Layer, which you want
+                      to grant access to.
+                    type: string
+                  organizationId:
+                    description: An identifier of AWS Organization, which should be
+                      able to use your Lambda Layer. principal should be equal to
+                      * if organization_id provided.
+                    type: string
                   policy:
                     description: Full Lambda Layer Permission policy.
                     type: string
+                  principal:
+                    description: AWS account ID which should be able to use your Lambda
+                      Layer. * can be used here, if you want to share your Lambda
+                      Layer widely.
+                    type: string
                   revisionId:
                     description: A unique identifier for the current revision of the
                       policy.
                     type: string
+                  statementId:
+                    description: The name of Lambda Layer Permission, for example
+                      dev-account - human readable note about what is this permission
+                      for.
+                    type: string
+                  versionNumber:
+                    description: 'Version of Lambda Layer, which you want to grant
+                      access to. Note: permissions only apply to a single version
+                      of a layer.'
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lambda.aws.upbound.io_layerversions.yaml b/package/crds/lambda.aws.upbound.io_layerversions.yaml
index a6d04474dc..03e4491e3e 100644
--- a/package/crds/lambda.aws.upbound.io_layerversions.yaml
+++ b/package/crds/lambda.aws.upbound.io_layerversions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -123,9 +127,23 @@ spec:
                       archive.
                     type: string
                 required:
-                - layerName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -297,6 +315,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: layerName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.layerName)
           status:
             description: LayerVersionStatus defines the observed state of LayerVersion.
             properties:
@@ -305,20 +326,73 @@ spec:
                   arn:
                     description: ARN of the Lambda Layer with version.
                     type: string
+                  compatibleArchitectures:
+                    description: List of Architectures this layer is compatible with.
+                      Currently x86_64 and arm64 can be specified.
+                    items:
+                      type: string
+                    type: array
+                  compatibleRuntimes:
+                    description: List of Runtimes this layer is compatible with. Up
+                      to 5 runtimes can be specified.
+                    items:
+                      type: string
+                    type: array
                   createdDate:
                     description: Date this resource was created.
                     type: string
+                  description:
+                    description: Description of what your Lambda Layer does.
+                    type: string
+                  filename:
+                    description: prefixed options cannot be used.
+                    type: string
                   id:
                     type: string
                   layerArn:
                     description: ARN of the Lambda Layer without version.
                     type: string
+                  layerName:
+                    description: Unique name for your Lambda Layer
+                    type: string
+                  licenseInfo:
+                    description: License info for your Lambda Layer. See License Info.
+                    type: string
+                  s3Bucket:
+                    description: S3 bucket location containing the function's deployment
+                      package. Conflicts with filename. This bucket must reside in
+                      the same AWS region where you are creating the Lambda function.
+                    type: string
+                  s3Key:
+                    description: S3 key of an object containing the function's deployment
+                      package. Conflicts with filename.
+                    type: string
+                  s3ObjectVersion:
+                    description: Object version containing the function's deployment
+                      package. Conflicts with filename.
+                    type: string
                   signingJobArn:
                     description: ARN of a signing job.
                     type: string
                   signingProfileVersionArn:
                     description: ARN for a signing profile version.
                     type: string
+                  skipDestroy:
+                    description: Whether to retain the old version of a previously
+                      deployed Lambda Layer. Default is false. When this is not set
+                      to true, changing any of compatible_architectures, compatible_runtimes,
+                      description, filename, layer_name, license_info, s3_bucket,
+                      s3_key, s3_object_version, or source_code_hash forces deletion
+                      of the existing layer version and creation of a new layer version.
+                    type: boolean
+                  sourceCodeHash:
+                    description: Used to trigger updates. Must be set to a base64-encoded
+                      SHA256 hash of the package file specified with either filename
+                      or s3_key. The usual way to set this is ${filebase64sha256("file.11.12
+                      or later) or ${base64sha256(file("file.11.11 and earlier), where
+                      "file.zip" is the local filename of the lambda layer source
+                      archive.
+                    type: string
                   sourceCodeSize:
                     description: Size in bytes of the function .zip file.
                     type: number
diff --git a/package/crds/lambda.aws.upbound.io_permissions.yaml b/package/crds/lambda.aws.upbound.io_permissions.yaml
index 4d4c145174..4aa81e1002 100644
--- a/package/crds/lambda.aws.upbound.io_permissions.yaml
+++ b/package/crds/lambda.aws.upbound.io_permissions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -268,10 +272,23 @@ spec:
                     description: A statement identifier prefix. Conflicts with statement_id.
                     type: string
                 required:
-                - action
-                - principal
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -443,13 +460,71 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: action is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)
+            - message: principal is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)
           status:
             description: PermissionStatus defines the observed state of Permission.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: The AWS Lambda action you want to allow in this statement.
+                      (e.g., lambda:InvokeFunction)
+                    type: string
+                  eventSourceToken:
+                    description: The Event Source Token to validate.  Used with Alexa
+                      Skills.
+                    type: string
+                  functionName:
+                    description: Name of the Lambda function whose resource policy
+                      you are updating
+                    type: string
+                  functionUrlAuthType:
+                    description: 'Lambda Function URLs authentication type. Valid
+                      values are: AWS_IAM or NONE. Only supported for lambda:InvokeFunctionUrl
+                      action.'
+                    type: string
                   id:
                     type: string
+                  principal:
+                    description: The principal who is getting this permission e.g.,
+                      s3.amazonaws.com, an AWS account ID, or AWS IAM principal, or
+                      AWS service principal such as events.amazonaws.com or sns.amazonaws.com.
+                    type: string
+                  principalOrgId:
+                    description: The identifier for your organization in AWS Organizations.
+                      Use this to grant permissions to all the AWS accounts under
+                      this organization.
+                    type: string
+                  qualifier:
+                    description: Query parameter to specify function version or alias
+                      name. The permission will then apply to the specific qualified
+                      ARN e.g., arn:aws:lambda:aws-region:acct-id:function:function-name:2
+                    type: string
+                  sourceAccount:
+                    description: This parameter is used when allowing cross-account
+                      access, or for S3 and SES. The AWS account ID (without a hyphen)
+                      of the source owner.
+                    type: string
+                  sourceArn:
+                    description: When the principal is an AWS service, the ARN of
+                      the specific resource within that service to grant permission
+                      to. Without this, any resource from principal will be granted
+                      permission – even if that resource is from another account.
+                      For S3, this should be the ARN of the S3 Bucket. For EventBridge
+                      events, this should be the ARN of the EventBridge Rule. For
+                      API Gateway, this should be the ARN of the API, as described
+                      here.
+                    type: string
+                  statementId:
+                    description: A unique statement identifier.
+                    type: string
+                  statementIdPrefix:
+                    description: A statement identifier prefix. Conflicts with statement_id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lambda.aws.upbound.io_provisionedconcurrencyconfigs.yaml b/package/crds/lambda.aws.upbound.io_provisionedconcurrencyconfigs.yaml
index b7e8db1fda..121562d09e 100644
--- a/package/crds/lambda.aws.upbound.io_provisionedconcurrencyconfigs.yaml
+++ b/package/crds/lambda.aws.upbound.io_provisionedconcurrencyconfigs.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,11 +85,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - functionName
-                - provisionedConcurrentExecutions
-                - qualifier
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -257,16 +273,34 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: functionName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.functionName)
+            - message: provisionedConcurrentExecutions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.provisionedConcurrentExecutions)
+            - message: qualifier is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.qualifier)
           status:
             description: ProvisionedConcurrencyConfigStatus defines the observed state
               of ProvisionedConcurrencyConfig.
             properties:
               atProvider:
                 properties:
+                  functionName:
+                    description: Name or Amazon Resource Name (ARN) of the Lambda
+                      Function.
+                    type: string
                   id:
                     description: Lambda Function name and qualifier separated by a
                       colon (:).
                     type: string
+                  provisionedConcurrentExecutions:
+                    description: Amount of capacity to allocate. Must be greater than
+                      or equal to 1.
+                    type: number
+                  qualifier:
+                    description: Lambda Function version or Lambda Alias name.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lexmodels.aws.upbound.io_botaliases.yaml b/package/crds/lexmodels.aws.upbound.io_botaliases.yaml
index b820d2b197..6a826e9ea5 100644
--- a/package/crds/lexmodels.aws.upbound.io_botaliases.yaml
+++ b/package/crds/lexmodels.aws.upbound.io_botaliases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -126,10 +130,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - botName
-                - botVersion
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -301,6 +318,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: botName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.botName)
+            - message: botVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.botVersion)
           status:
             description: BotAliasStatus defines the observed state of BotAlias.
             properties:
@@ -309,6 +331,12 @@ spec:
                   arn:
                     description: The ARN of the bot alias.
                     type: string
+                  botName:
+                    description: The name of the bot.
+                    type: string
+                  botVersion:
+                    description: The name of the bot.
+                    type: string
                   checksum:
                     description: Checksum of the bot alias.
                     type: string
@@ -317,12 +345,38 @@ spec:
                       logs for the alias. Attributes are documented under conversation_logs.
                     items:
                       properties:
+                        iamRoleArn:
+                          description: The Amazon Resource Name (ARN) of the IAM role
+                            used to write your logs to CloudWatch Logs or an S3 bucket.
+                            Must be between 20 and 2048 characters in length.
+                          type: string
                         logSettings:
                           description: The settings for your conversation logs. You
                             can log text, audio, or both. Attributes are documented
                             under log_settings.
                           items:
                             properties:
+                              destination:
+                                description: The destination where logs are delivered.
+                                  Options are CLOUDWATCH_LOGS or S3.
+                                type: string
+                              kmsKeyArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  key used to encrypt audio logs in an S3 bucket.
+                                  This can only be specified when destination is set
+                                  to S3. Must be between 20 and 2048 characters in
+                                  length.
+                                type: string
+                              logType:
+                                description: The type of logging that is enabled.
+                                  Options are AUDIO or TEXT.
+                                type: string
+                              resourceArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  CloudWatch Logs log group or S3 bucket where the
+                                  logs are delivered. Must be less than or equal to
+                                  2048 characters in length.
+                                type: string
                               resourcePrefix:
                                 description: (Computed) The prefix of the S3 object
                                   key for AUDIO logs or the log stream name for TEXT
@@ -335,6 +389,10 @@ spec:
                   createdDate:
                     description: The date that the bot alias was created.
                     type: string
+                  description:
+                    description: A description of the alias. Must be less than or
+                      equal to 200 characters in length.
+                    type: string
                   id:
                     type: string
                   lastUpdatedDate:
diff --git a/package/crds/lexmodels.aws.upbound.io_bots.yaml b/package/crds/lexmodels.aws.upbound.io_bots.yaml
index 80f399fe37..a0b326696e 100644
--- a/package/crds/lexmodels.aws.upbound.io_bots.yaml
+++ b/package/crds/lexmodels.aws.upbound.io_bots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -234,11 +238,23 @@ spec:
                       see Available Voices in the Amazon Polly Developer Guide.
                     type: string
                 required:
-                - abortStatement
-                - childDirected
-                - intent
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -410,11 +426,51 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: abortStatement is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.abortStatement)
+            - message: childDirected is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.childDirected)
+            - message: intent is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.intent)
           status:
             description: BotStatus defines the observed state of Bot.
             properties:
               atProvider:
                 properties:
+                  abortStatement:
+                    description: The message that Amazon Lex uses to abort a conversation.
+                      Attributes are documented under statement.
+                    items:
+                      properties:
+                        message:
+                          description: A set of messages, each of which provides a
+                            message string and its type. You can specify the message
+                            string in plain text or in Speech Synthesis Markup Language
+                            (SSML). Attributes are documented under message.
+                          items:
+                            properties:
+                              content:
+                                description: The text of the message.
+                                type: string
+                              contentType:
+                                description: The content type of the message string.
+                                type: string
+                              groupNumber:
+                                description: Identifies the message group that the
+                                  message belongs to. When a group is assigned to
+                                  a message, Amazon Lex returns one message from each
+                                  group in the response.
+                                type: number
+                            type: object
+                          type: array
+                        responseCard:
+                          description: 'The response card. Amazon Lex will substitute
+                            session attributes and slot values into the response card.
+                            For more information, see Example: Using a Response Card.'
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     type: string
                   checksum:
@@ -422,19 +478,131 @@ spec:
                       was created. The checksum is not included as an argument because
                       the resource will add it automatically when updating the bot.
                     type: string
+                  childDirected:
+                    description: By specifying true, you confirm that your use of
+                      Amazon Lex is related to a website, program, or other application
+                      that is directed or targeted, in whole or in part, to children
+                      under age 13 and subject to COPPA. For more information see
+                      the Amazon Lex FAQ and the Amazon Lex PutBot API Docs.
+                    type: boolean
+                  clarificationPrompt:
+                    description: The message that Amazon Lex uses when it doesn't
+                      understand the user's request. Attributes are documented under
+                      prompt.
+                    items:
+                      properties:
+                        maxAttempts:
+                          description: The number of times to prompt the user for
+                            information.
+                          type: number
+                        message:
+                          description: A set of messages, each of which provides a
+                            message string and its type. You can specify the message
+                            string in plain text or in Speech Synthesis Markup Language
+                            (SSML). Attributes are documented under message.
+                          items:
+                            properties:
+                              content:
+                                description: The text of the message.
+                                type: string
+                              contentType:
+                                description: The content type of the message string.
+                                type: string
+                              groupNumber:
+                                description: Identifies the message group that the
+                                  message belongs to. When a group is assigned to
+                                  a message, Amazon Lex returns one message from each
+                                  group in the response.
+                                type: number
+                            type: object
+                          type: array
+                        responseCard:
+                          description: 'The response card. Amazon Lex will substitute
+                            session attributes and slot values into the response card.
+                            For more information, see Example: Using a Response Card.'
+                          type: string
+                      type: object
+                    type: array
+                  createVersion:
+                    description: Determines if a new bot version is created when the
+                      initial resource is created and on each update. Defaults to
+                      false.
+                    type: boolean
                   createdDate:
                     description: The date when the bot version was created.
                     type: string
+                  description:
+                    description: A description of the bot. Must be less than or equal
+                      to 200 characters in length.
+                    type: string
+                  detectSentiment:
+                    description: When set to true user utterances are sent to Amazon
+                      Comprehend for sentiment analysis. If you don't specify detectSentiment,
+                      the default is false.
+                    type: boolean
+                  enableModelImprovements:
+                    description: Set to true to enable access to natural language
+                      understanding improvements. When you set the enable_model_improvements
+                      parameter to true you can use the nlu_intent_confidence_threshold
+                      parameter to configure confidence scores. For more information,
+                      see Confidence Scores. You can only set the enable_model_improvements
+                      parameter in certain Regions. If you set the parameter to true,
+                      your bot has access to accuracy improvements. For more information
+                      see the Amazon Lex Bot PutBot API Docs.
+                    type: boolean
                   failureReason:
                     description: If status is FAILED, Amazon Lex provides the reason
                       that it failed to build the bot.
                     type: string
                   id:
                     type: string
+                  idleSessionTtlInSeconds:
+                    description: The maximum time in seconds that Amazon Lex retains
+                      the data gathered in a conversation. Default is 300. Must be
+                      a number between 60 and 86400 (inclusive).
+                    type: number
+                  intent:
+                    description: A set of Intent objects. Each intent represents a
+                      command that a user can express. Attributes are documented under
+                      intent. Can have up to 250 Intent objects.
+                    items:
+                      properties:
+                        intentName:
+                          description: The name of the intent. Must be less than or
+                            equal to 100 characters in length.
+                          type: string
+                        intentVersion:
+                          description: The version of the intent. Must be less than
+                            or equal to 64 characters in length.
+                          type: string
+                      type: object
+                    type: array
                   lastUpdatedDate:
                     description: The date when the $LATEST version of this bot was
                       updated.
                     type: string
+                  locale:
+                    description: Specifies the target locale for the bot. Any intent
+                      used in the bot must be compatible with the locale of the bot.
+                      For available locales, see Amazon Lex Bot PutBot API Docs. Default
+                      is en-US.
+                    type: string
+                  nluIntentConfidenceThreshold:
+                    description: Determines the threshold where Amazon Lex will insert
+                      the AMAZON.FallbackIntent, AMAZON.KendraSearchIntent, or both
+                      when returning alternative intents in a PostContent or PostText
+                      response. AMAZON.FallbackIntent and AMAZON.KendraSearchIntent
+                      are only inserted if they are configured for the bot. For more
+                      information see Amazon Lex Bot PutBot API Docs This value requires
+                      enable_model_improvements to be set to true and the default
+                      is 0. Must be a float between 0 and 1.
+                    type: number
+                  processBehavior:
+                    description: If you set the process_behavior element to BUILD,
+                      Amazon Lex builds the bot so that it can be run. If you set
+                      the element to SAVE Amazon Lex saves the bot, but doesn't build
+                      it. Default is SAVE.
+                    type: string
                   status:
                     description: When you send a request to create or update a bot,
                       Amazon Lex sets the status response element to BUILDING. After
@@ -446,6 +614,12 @@ spec:
                   version:
                     description: The version of the bot.
                     type: string
+                  voiceId:
+                    description: The Amazon Polly voice ID that you want Amazon Lex
+                      to use for voice interactions with the user. The locale configured
+                      for the voice must match the locale of the bot. For more information,
+                      see Available Voices in the Amazon Polly Developer Guide.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lexmodels.aws.upbound.io_intents.yaml b/package/crds/lexmodels.aws.upbound.io_intents.yaml
index 586088adec..ab92a18dd8 100644
--- a/package/crds/lexmodels.aws.upbound.io_intents.yaml
+++ b/package/crds/lexmodels.aws.upbound.io_intents.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -514,9 +518,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - fulfillmentActivity
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -688,6 +706,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: fulfillmentActivity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fulfillmentActivity)
           status:
             description: IntentStatus defines the observed state of Intent.
             properties:
@@ -701,15 +722,412 @@ spec:
                       was created. The checksum is not included as an argument because
                       the resource will add it automatically when updating the intent.
                     type: string
+                  conclusionStatement:
+                    description: The statement that you want Amazon Lex to convey
+                      to the user after the intent is successfully fulfilled by the
+                      Lambda function. This element is relevant only if you provide
+                      a Lambda function in the fulfillment_activity. If you return
+                      the intent to the client application, you can't specify this
+                      element. The follow_up_prompt and conclusion_statement are mutually
+                      exclusive. You can specify only one. Attributes are documented
+                      under statement.
+                    items:
+                      properties:
+                        message:
+                          description: A set of messages, each of which provides a
+                            message string and its type. You can specify the message
+                            string in plain text or in Speech Synthesis Markup Language
+                            (SSML). Attributes are documented under message. Must
+                            contain between 1 and 15 messages.
+                          items:
+                            properties:
+                              content:
+                                description: The text of the message. Must be less
+                                  than or equal to 1000 characters in length.
+                                type: string
+                              contentType:
+                                description: The content type of the message string.
+                                type: string
+                              groupNumber:
+                                description: Identifies the message group that the
+                                  message belongs to. When a group is assigned to
+                                  a message, Amazon Lex returns one message from each
+                                  group in the response. Must be a number between
+                                  1 and 5 (inclusive).
+                                type: number
+                            type: object
+                          type: array
+                        responseCard:
+                          description: 'The response card. Amazon Lex will substitute
+                            session attributes and slot values into the response card.
+                            For more information, see Example: Using a Response Card.
+                            Must be less than or equal to 50000 characters in length.'
+                          type: string
+                      type: object
+                    type: array
+                  confirmationPrompt:
+                    description: Prompts the user to confirm the intent. This question
+                      should have a yes or no answer. You you must provide both the
+                      rejection_statement and confirmation_prompt, or neither. Attributes
+                      are documented under prompt.
+                    items:
+                      properties:
+                        maxAttempts:
+                          description: The number of times to prompt the user for
+                            information. Must be a number between 1 and 5 (inclusive).
+                          type: number
+                        message:
+                          description: A set of messages, each of which provides a
+                            message string and its type. You can specify the message
+                            string in plain text or in Speech Synthesis Markup Language
+                            (SSML). Attributes are documented under message. Must
+                            contain between 1 and 15 messages.
+                          items:
+                            properties:
+                              content:
+                                description: The text of the message. Must be less
+                                  than or equal to 1000 characters in length.
+                                type: string
+                              contentType:
+                                description: The content type of the message string.
+                                type: string
+                              groupNumber:
+                                description: Identifies the message group that the
+                                  message belongs to. When a group is assigned to
+                                  a message, Amazon Lex returns one message from each
+                                  group in the response. Must be a number between
+                                  1 and 5 (inclusive).
+                                type: number
+                            type: object
+                          type: array
+                        responseCard:
+                          description: 'The response card. Amazon Lex will substitute
+                            session attributes and slot values into the response card.
+                            For more information, see Example: Using a Response Card.
+                            Must be less than or equal to 50000 characters in length.'
+                          type: string
+                      type: object
+                    type: array
+                  createVersion:
+                    description: Determines if a new slot type version is created
+                      when the initial resource is created and on each update. Defaults
+                      to false.
+                    type: boolean
                   createdDate:
                     description: The date when the intent version was created.
                     type: string
+                  description:
+                    description: A description of the intent. Must be less than or
+                      equal to 200 characters in length.
+                    type: string
+                  dialogCodeHook:
+                    description: Specifies a Lambda function to invoke for each user
+                      input. You can invoke this Lambda function to personalize user
+                      interaction. Attributes are documented under code_hook.
+                    items:
+                      properties:
+                        messageVersion:
+                          description: The version of the request-response that you
+                            want Amazon Lex to use to invoke your Lambda function.
+                            For more information, see Using Lambda Functions. Must
+                            be less than or equal to 5 characters in length.
+                          type: string
+                        uri:
+                          description: The Amazon Resource Name (ARN) of the Lambda
+                            function.
+                          type: string
+                      type: object
+                    type: array
+                  followUpPrompt:
+                    description: Amazon Lex uses this prompt to solicit additional
+                      activity after fulfilling an intent. For example, after the
+                      OrderPizza intent is fulfilled, you might prompt the user to
+                      order a drink. The follow_up_prompt field and the conclusion_statement
+                      field are mutually exclusive. You can specify only one. Attributes
+                      are documented under follow_up_prompt.
+                    items:
+                      properties:
+                        prompt:
+                          description: Prompts for information from the user. Attributes
+                            are documented under prompt.
+                          items:
+                            properties:
+                              maxAttempts:
+                                description: The number of times to prompt the user
+                                  for information. Must be a number between 1 and
+                                  5 (inclusive).
+                                type: number
+                              message:
+                                description: A set of messages, each of which provides
+                                  a message string and its type. You can specify the
+                                  message string in plain text or in Speech Synthesis
+                                  Markup Language (SSML). Attributes are documented
+                                  under message. Must contain between 1 and 15 messages.
+                                items:
+                                  properties:
+                                    content:
+                                      description: The text of the message. Must be
+                                        less than or equal to 1000 characters in length.
+                                      type: string
+                                    contentType:
+                                      description: The content type of the message
+                                        string.
+                                      type: string
+                                    groupNumber:
+                                      description: Identifies the message group that
+                                        the message belongs to. When a group is assigned
+                                        to a message, Amazon Lex returns one message
+                                        from each group in the response. Must be a
+                                        number between 1 and 5 (inclusive).
+                                      type: number
+                                  type: object
+                                type: array
+                              responseCard:
+                                description: 'The response card. Amazon Lex will substitute
+                                  session attributes and slot values into the response
+                                  card. For more information, see Example: Using a
+                                  Response Card. Must be less than or equal to 50000
+                                  characters in length.'
+                                type: string
+                            type: object
+                          type: array
+                        rejectionStatement:
+                          description: If the user answers "no" to the question defined
+                            in the prompt field, Amazon Lex responds with this statement
+                            to acknowledge that the intent was canceled. Attributes
+                            are documented below under statement.
+                          items:
+                            properties:
+                              message:
+                                description: A set of messages, each of which provides
+                                  a message string and its type. You can specify the
+                                  message string in plain text or in Speech Synthesis
+                                  Markup Language (SSML). Attributes are documented
+                                  under message. Must contain between 1 and 15 messages.
+                                items:
+                                  properties:
+                                    content:
+                                      description: The text of the message. Must be
+                                        less than or equal to 1000 characters in length.
+                                      type: string
+                                    contentType:
+                                      description: The content type of the message
+                                        string.
+                                      type: string
+                                    groupNumber:
+                                      description: Identifies the message group that
+                                        the message belongs to. When a group is assigned
+                                        to a message, Amazon Lex returns one message
+                                        from each group in the response. Must be a
+                                        number between 1 and 5 (inclusive).
+                                      type: number
+                                  type: object
+                                type: array
+                              responseCard:
+                                description: 'The response card. Amazon Lex will substitute
+                                  session attributes and slot values into the response
+                                  card. For more information, see Example: Using a
+                                  Response Card. Must be less than or equal to 50000
+                                  characters in length.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  fulfillmentActivity:
+                    description: Describes how the intent is fulfilled. For example,
+                      after a user provides all of the information for a pizza order,
+                      fulfillment_activity defines how the bot places an order with
+                      a local pizza store. Attributes are documented under fulfillment_activity.
+                    items:
+                      properties:
+                        codeHook:
+                          description: A description of the Lambda function that is
+                            run to fulfill the intent. Required if type is CodeHook.
+                            Attributes are documented under code_hook.
+                          items:
+                            properties:
+                              messageVersion:
+                                description: The version of the request-response that
+                                  you want Amazon Lex to use to invoke your Lambda
+                                  function. For more information, see Using Lambda
+                                  Functions. Must be less than or equal to 5 characters
+                                  in length.
+                                type: string
+                              uri:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lambda function.
+                                type: string
+                            type: object
+                          type: array
+                        type:
+                          description: How the intent should be fulfilled, either
+                            by running a Lambda function or by returning the slot
+                            data to the client application. Type can be either ReturnIntent
+                            or CodeHook, as documented here.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
                   lastUpdatedDate:
                     description: The date when the $LATEST version of this intent
                       was updated.
                     type: string
+                  parentIntentSignature:
+                    description: A unique identifier for the built-in intent to base
+                      this intent on. To find the signature for an intent, see Standard
+                      Built-in Intents in the Alexa Skills Kit.
+                    type: string
+                  rejectionStatement:
+                    description: When the user answers "no" to the question defined
+                      in confirmation_prompt, Amazon Lex responds with this statement
+                      to acknowledge that the intent was canceled. You must provide
+                      both the rejection_statement and the confirmation_prompt, or
+                      neither. Attributes are documented under statement.
+                    items:
+                      properties:
+                        message:
+                          description: A set of messages, each of which provides a
+                            message string and its type. You can specify the message
+                            string in plain text or in Speech Synthesis Markup Language
+                            (SSML). Attributes are documented under message. Must
+                            contain between 1 and 15 messages.
+                          items:
+                            properties:
+                              content:
+                                description: The text of the message. Must be less
+                                  than or equal to 1000 characters in length.
+                                type: string
+                              contentType:
+                                description: The content type of the message string.
+                                type: string
+                              groupNumber:
+                                description: Identifies the message group that the
+                                  message belongs to. When a group is assigned to
+                                  a message, Amazon Lex returns one message from each
+                                  group in the response. Must be a number between
+                                  1 and 5 (inclusive).
+                                type: number
+                            type: object
+                          type: array
+                        responseCard:
+                          description: 'The response card. Amazon Lex will substitute
+                            session attributes and slot values into the response card.
+                            For more information, see Example: Using a Response Card.
+                            Must be less than or equal to 50000 characters in length.'
+                          type: string
+                      type: object
+                    type: array
+                  sampleUtterances:
+                    description: An array of utterances (strings) that a user might
+                      say to signal the intent. For example, "I want {PizzaSize} pizza",
+                      "Order {Quantity} {PizzaSize} pizzas". In each utterance, a
+                      slot name is enclosed in curly braces. Must have between 1 and
+                      10 items in the list, and each item must be less than or equal
+                      to 200 characters in length.
+                    items:
+                      type: string
+                    type: array
+                  slot:
+                    description: An list of intent slots. At runtime, Amazon Lex elicits
+                      required slot values from the user using prompts defined in
+                      the slots. Attributes are documented under slot.
+                    items:
+                      properties:
+                        description:
+                          description: A description of the bot. Must be less than
+                            or equal to 200 characters in length.
+                          type: string
+                        name:
+                          description: The name of the intent slot that you want to
+                            create. The name is case sensitive. Must be less than
+                            or equal to 100 characters in length.
+                          type: string
+                        priority:
+                          description: Directs Lex the order in which to elicit this
+                            slot value from the user. For example, if the intent has
+                            two slots with priorities 1 and 2, AWS Lex first elicits
+                            a value for the slot with priority 1. If multiple slots
+                            share the same priority, the order in which Lex elicits
+                            values is arbitrary. Must be between 1 and 100.
+                          type: number
+                        responseCard:
+                          description: 'The response card. Amazon Lex will substitute
+                            session attributes and slot values into the response card.
+                            For more information, see Example: Using a Response Card.
+                            Must be less than or equal to 50000 characters in length.'
+                          type: string
+                        sampleUtterances:
+                          description: If you know a specific pattern with which users
+                            might respond to an Amazon Lex request for a slot value,
+                            you can provide those utterances to improve accuracy.
+                            This is optional. In most cases, Amazon Lex is capable
+                            of understanding user utterances. Must have between 1
+                            and 10 items in the list, and each item must be less than
+                            or equal to 200 characters in length.
+                          items:
+                            type: string
+                          type: array
+                        slotConstraint:
+                          description: Specifies whether the slot is required or optional.
+                          type: string
+                        slotType:
+                          description: The type of the slot, either a custom slot
+                            type that you defined or one of the built-in slot types.
+                            Must be less than or equal to 100 characters in length.
+                          type: string
+                        slotTypeVersion:
+                          description: The version of the slot type. Must be less
+                            than or equal to 64 characters in length.
+                          type: string
+                        valueElicitationPrompt:
+                          description: The prompt that Amazon Lex uses to elicit the
+                            slot value from the user. Attributes are documented under
+                            prompt.
+                          items:
+                            properties:
+                              maxAttempts:
+                                description: The number of times to prompt the user
+                                  for information. Must be a number between 1 and
+                                  5 (inclusive).
+                                type: number
+                              message:
+                                description: A set of messages, each of which provides
+                                  a message string and its type. You can specify the
+                                  message string in plain text or in Speech Synthesis
+                                  Markup Language (SSML). Attributes are documented
+                                  under message. Must contain between 1 and 15 messages.
+                                items:
+                                  properties:
+                                    content:
+                                      description: The text of the message. Must be
+                                        less than or equal to 1000 characters in length.
+                                      type: string
+                                    contentType:
+                                      description: The content type of the message
+                                        string.
+                                      type: string
+                                    groupNumber:
+                                      description: Identifies the message group that
+                                        the message belongs to. When a group is assigned
+                                        to a message, Amazon Lex returns one message
+                                        from each group in the response. Must be a
+                                        number between 1 and 5 (inclusive).
+                                      type: number
+                                  type: object
+                                type: array
+                              responseCard:
+                                description: 'The response card. Amazon Lex will substitute
+                                  session attributes and slot values into the response
+                                  card. For more information, see Example: Using a
+                                  Response Card. Must be less than or equal to 50000
+                                  characters in length.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   version:
                     description: The version of the bot.
                     type: string
diff --git a/package/crds/lexmodels.aws.upbound.io_slottypes.yaml b/package/crds/lexmodels.aws.upbound.io_slottypes.yaml
index 59f6d3b1d0..ef11740f5e 100644
--- a/package/crds/lexmodels.aws.upbound.io_slottypes.yaml
+++ b/package/crds/lexmodels.aws.upbound.io_slottypes.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -109,9 +113,23 @@ spec:
                       otherwise null is returned. Defaults to ORIGINAL_VALUE.
                     type: string
                 required:
-                - enumerationValue
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -283,6 +301,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: enumerationValue is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enumerationValue)
           status:
             description: SlotTypeStatus defines the observed state of SlotType.
             properties:
@@ -294,15 +315,53 @@ spec:
                       because the resource will add it automatically when updating
                       the slot type.
                     type: string
+                  createVersion:
+                    description: Determines if a new slot type version is created
+                      when the initial resource is created and on each update. Defaults
+                      to false.
+                    type: boolean
                   createdDate:
                     description: The date when the slot type version was created.
                     type: string
+                  description:
+                    description: A description of the slot type. Must be less than
+                      or equal to 200 characters in length.
+                    type: string
+                  enumerationValue:
+                    description: A list of EnumerationValue objects that defines the
+                      values that the slot type can take. Each value can have a list
+                      of synonyms, which are additional values that help train the
+                      machine learning model about the values that it resolves for
+                      a slot. Attributes are documented under enumeration_value.
+                    items:
+                      properties:
+                        synonyms:
+                          description: Additional values related to the slot type
+                            value. Each item must be less than or equal to 140 characters
+                            in length.
+                          items:
+                            type: string
+                          type: array
+                        value:
+                          description: The value of the slot type. Must be less than
+                            or equal to 140 characters in length.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
                   lastUpdatedDate:
                     description: The date when the $LATEST version of this slot type
                       was updated.
                     type: string
+                  valueSelectionStrategy:
+                    description: Determines the slot resolution strategy that Amazon
+                      Lex uses to return slot type values. ORIGINAL_VALUE returns
+                      the value entered by the user if the user value is similar to
+                      the slot value. TOP_RESOLUTION returns the first value in the
+                      resolution list if there is a resolution list for the slot,
+                      otherwise null is returned. Defaults to ORIGINAL_VALUE.
+                    type: string
                   version:
                     description: The version of the slot type.
                     type: string
diff --git a/package/crds/licensemanager.aws.upbound.io_associations.yaml b/package/crds/licensemanager.aws.upbound.io_associations.yaml
index e08ec52829..378f56a010 100644
--- a/package/crds/licensemanager.aws.upbound.io_associations.yaml
+++ b/package/crds/licensemanager.aws.upbound.io_associations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -223,6 +227,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,6 +421,12 @@ spec:
                   id:
                     description: The license configuration ARN.
                     type: string
+                  licenseConfigurationArn:
+                    description: ARN of the license configuration.
+                    type: string
+                  resourceArn:
+                    description: ARN of the resource associated with the license configuration.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/licensemanager.aws.upbound.io_licenseconfigurations.yaml b/package/crds/licensemanager.aws.upbound.io_licenseconfigurations.yaml
index feeac3984d..94d070c003 100644
--- a/package/crds/licensemanager.aws.upbound.io_licenseconfigurations.yaml
+++ b/package/crds/licensemanager.aws.upbound.io_licenseconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -95,10 +99,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - licenseCountingType
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,6 +287,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: licenseCountingType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.licenseCountingType)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: LicenseConfigurationStatus defines the observed state of
               LicenseConfiguration.
@@ -279,12 +301,38 @@ spec:
                   arn:
                     description: The license configuration ARN.
                     type: string
+                  description:
+                    description: Description of the license configuration.
+                    type: string
                   id:
                     description: The license configuration ARN.
                     type: string
+                  licenseCount:
+                    description: Number of licenses managed by the license configuration.
+                    type: number
+                  licenseCountHardLimit:
+                    description: Sets the number of available licenses as a hard limit.
+                    type: boolean
+                  licenseCountingType:
+                    description: Dimension to use to track license inventory. Specify
+                      either vCPU, Instance, Core or Socket.
+                    type: string
+                  licenseRules:
+                    description: Array of configured License Manager rules.
+                    items:
+                      type: string
+                    type: array
+                  name:
+                    description: Name of the license configuration.
+                    type: string
                   ownerAccountId:
                     description: Account ID of the owner of the license configuration.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/lightsail.aws.upbound.io_buckets.yaml b/package/crds/lightsail.aws.upbound.io_buckets.yaml
index 5f1a70cdaf..dccbf84a3c 100644
--- a/package/crds/lightsail.aws.upbound.io_buckets.yaml
+++ b/package/crds/lightsail.aws.upbound.io_buckets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,9 +84,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - bundleId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -254,6 +272,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: bundleId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bundleId)
           status:
             description: BucketStatus defines the observed state of Bucket.
             properties:
@@ -266,6 +287,12 @@ spec:
                     description: The resource Availability Zone. Follows the format
                       us-east-2a (case-sensitive).
                     type: string
+                  bundleId:
+                    description: '- The ID of the bundle to use for the bucket. A
+                      bucket bundle specifies the monthly cost, storage space, and
+                      data transfer quota for a bucket. Use the get-bucket-bundles
+                      cli command to get a list of bundle IDs that you can specify.'
+                    type: string
                   createdAt:
                     description: The timestamp when the bucket was created.
                     type: string
@@ -278,6 +305,11 @@ spec:
                       in Lightsail. This code enables our support team to look up
                       your Lightsail information more easily.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/lightsail.aws.upbound.io_certificates.yaml b/package/crds/lightsail.aws.upbound.io_certificates.yaml
index a1731a68e4..938cfec62c 100644
--- a/package/crds/lightsail.aws.upbound.io_certificates.yaml
+++ b/package/crds/lightsail.aws.upbound.io_certificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -87,6 +91,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -269,6 +288,10 @@ spec:
                   createdAt:
                     description: The timestamp when the instance was created.
                     type: string
+                  domainName:
+                    description: A domain name for which the certificate should be
+                      issued.
+                    type: string
                   domainValidationOptions:
                     description: Set of domain validation objects which can be used
                       to complete certificate validation. Can have more than one element,
@@ -291,6 +314,18 @@ spec:
                   id:
                     description: The name of the lightsail certificate (matches name).
                     type: string
+                  subjectAlternativeNames:
+                    description: Set of domains that should be SANs in the issued
+                      certificate. domain_name attribute is automatically added as
+                      a Subject Alternative Name.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/lightsail.aws.upbound.io_containerservices.yaml b/package/crds/lightsail.aws.upbound.io_containerservices.yaml
index b78103ad94..e39987cefa 100644
--- a/package/crds/lightsail.aws.upbound.io_containerservices.yaml
+++ b/package/crds/lightsail.aws.upbound.io_containerservices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -144,10 +148,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - power
                 - region
-                - scale
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -319,6 +336,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: power is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.power)
+            - message: scale is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scale)
           status:
             description: ContainerServiceStatus defines the observed state of ContainerService.
             properties:
@@ -336,6 +358,16 @@ spec:
                   id:
                     description: Same as name.
                     type: string
+                  isDisabled:
+                    description: A Boolean value indicating whether the container
+                      service is disabled. Defaults to false.
+                    type: boolean
+                  power:
+                    description: 'The power specification for the container service.
+                      The power specifies the amount of memory, the number of vCPUs,
+                      and the monthly price of each node of the container service.
+                      Possible values: nano, micro, small, medium, large, xlarge.'
+                    type: string
                   powerId:
                     description: The ID of the power of the container service.
                     type: string
@@ -367,6 +399,10 @@ spec:
                             Role below for more details.
                           items:
                             properties:
+                              isActive:
+                                description: A Boolean value that indicates whether
+                                  to activate the role. The default is false.
+                                type: boolean
                               principalArn:
                                 description: The principal ARN of the container service.
                                   The principal ARN can be used to create a trust
@@ -379,13 +415,50 @@ spec:
                           type: array
                       type: object
                     type: array
+                  publicDomainNames:
+                    description: The public domain names to use with the container
+                      service, such as example.com and www.example.com. You can specify
+                      up to four public domain names for a container service. The
+                      domain names that you specify are used when you create a deployment
+                      with a container configured as the public endpoint of your container
+                      service. If you don't specify public domain names, then you
+                      can use the default domain of the container service. Defined
+                      below.
+                    items:
+                      properties:
+                        certificate:
+                          items:
+                            properties:
+                              certificateName:
+                                description: The name for the container service. Names
+                                  must be of length 1 to 63, and be unique within
+                                  each AWS Region in your Lightsail account.
+                                type: string
+                              domainNames:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   resourceType:
                     description: The Lightsail resource type of the container service
                       (i.e., ContainerService).
                     type: string
+                  scale:
+                    description: The scale specification for the container service.
+                      The scale specifies the allocated compute nodes of the container
+                      service.
+                    type: number
                   state:
                     description: The current state of the container service.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/lightsail.aws.upbound.io_diskattachments.yaml b/package/crds/lightsail.aws.upbound.io_diskattachments.yaml
index 3fc5335bbc..457369660b 100644
--- a/package/crds/lightsail.aws.upbound.io_diskattachments.yaml
+++ b/package/crds/lightsail.aws.upbound.io_diskattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -226,9 +230,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - diskPath
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -400,15 +418,27 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: diskPath is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.diskPath)
           status:
             description: DiskAttachmentStatus defines the observed state of DiskAttachment.
             properties:
               atProvider:
                 properties:
+                  diskName:
+                    description: The name of the Lightsail Disk.
+                    type: string
+                  diskPath:
+                    description: The disk path to expose to the instance.
+                    type: string
                   id:
                     description: 'A combination of attributes to create a unique id:
                       disk_name,instance_name'
                     type: string
+                  instanceName:
+                    description: The name of the Lightsail Instance to attach to.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lightsail.aws.upbound.io_disks.yaml b/package/crds/lightsail.aws.upbound.io_disks.yaml
index 89537d4805..ad8e1e0def 100644
--- a/package/crds/lightsail.aws.upbound.io_disks.yaml
+++ b/package/crds/lightsail.aws.upbound.io_disks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,10 +84,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - availabilityZone
                 - region
-                - sizeInGb
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -255,6 +272,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: availabilityZone is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)
+            - message: sizeInGb is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sizeInGb)
           status:
             description: DiskStatus defines the observed state of Disk.
             properties:
@@ -263,18 +285,29 @@ spec:
                   arn:
                     description: The ARN of the Lightsail load balancer.
                     type: string
+                  availabilityZone:
+                    description: The Availability Zone in which to create your disk.
+                    type: string
                   createdAt:
                     description: The timestamp when the load balancer was created.
                     type: string
                   id:
                     description: The name of the disk  (matches name).
                     type: string
+                  sizeInGb:
+                    description: The instance port the load balancer will connect.
+                    type: number
                   supportCode:
                     description: The support code for the disk. Include this code
                       in your email to support when you have questions about a disk
                       in Lightsail. This code enables our support team to look up
                       your Lightsail information more easily.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/lightsail.aws.upbound.io_domainentries.yaml b/package/crds/lightsail.aws.upbound.io_domainentries.yaml
index 3a9e300480..fda801715b 100644
--- a/package/crds/lightsail.aws.upbound.io_domainentries.yaml
+++ b/package/crds/lightsail.aws.upbound.io_domainentries.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,9 +160,23 @@ spec:
                     type: string
                 required:
                 - region
-                - target
                 - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -330,15 +348,31 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: target is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.target)
           status:
             description: DomainEntryStatus defines the observed state of DomainEntry.
             properties:
               atProvider:
                 properties:
+                  domainName:
+                    description: The name of the Lightsail domain in which to create
+                      the entry
+                    type: string
                   id:
                     description: 'A combination of attributes to create a unique id:
                       name_domain_name_type_target'
                     type: string
+                  isAlias:
+                    description: If the entry should be an alias Defaults to false
+                    type: boolean
+                  target:
+                    description: Target of the domain entry
+                    type: string
+                  type:
+                    description: Type of record
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lightsail.aws.upbound.io_domains.yaml b/package/crds/lightsail.aws.upbound.io_domains.yaml
index 445f5d4d1c..a477d84010 100644
--- a/package/crds/lightsail.aws.upbound.io_domains.yaml
+++ b/package/crds/lightsail.aws.upbound.io_domains.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - domainName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domainName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)
           status:
             description: DomainStatus defines the observed state of Domain.
             properties:
@@ -254,6 +275,9 @@ spec:
                   arn:
                     description: The ARN of the Lightsail domain
                     type: string
+                  domainName:
+                    description: The name of the Lightsail domain to manage
+                    type: string
                   id:
                     description: The name used for this domain
                     type: string
diff --git a/package/crds/lightsail.aws.upbound.io_instancepublicports.yaml b/package/crds/lightsail.aws.upbound.io_instancepublicports.yaml
index 04e6f37abf..0d1d8eeb23 100644
--- a/package/crds/lightsail.aws.upbound.io_instancepublicports.yaml
+++ b/package/crds/lightsail.aws.upbound.io_instancepublicports.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -184,9 +188,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - portInfo
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -358,6 +376,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: portInfo is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.portInfo)
           status:
             description: InstancePublicPortsStatus defines the observed state of InstancePublicPorts.
             properties:
@@ -366,6 +387,42 @@ spec:
                   id:
                     description: ID of the resource.
                     type: string
+                  instanceName:
+                    description: Name of the Lightsail Instance.
+                    type: string
+                  portInfo:
+                    description: Configuration block with port information. AWS closes
+                      all currently open ports that are not included in the port_info.
+                      Detailed below.
+                    items:
+                      properties:
+                        cidrListAliases:
+                          description: Set of CIDR aliases that define access for
+                            a preconfigured range of IP addresses.
+                          items:
+                            type: string
+                          type: array
+                        cidrs:
+                          description: Set of CIDR blocks.
+                          items:
+                            type: string
+                          type: array
+                        fromPort:
+                          description: First port in a range of open ports on an instance.
+                          type: number
+                        ipv6Cidrs:
+                          items:
+                            type: string
+                          type: array
+                        protocol:
+                          description: IP protocol name. Valid values are tcp, all,
+                            udp, and icmp.
+                          type: string
+                        toPort:
+                          description: Last port in a range of open ports on an instance.
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lightsail.aws.upbound.io_instances.yaml b/package/crds/lightsail.aws.upbound.io_instances.yaml
index c33e648c38..b720a2476c 100644
--- a/package/crds/lightsail.aws.upbound.io_instances.yaml
+++ b/package/crds/lightsail.aws.upbound.io_instances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -125,11 +129,23 @@ spec:
                       user data
                     type: string
                 required:
-                - availabilityZone
-                - blueprintId
-                - bundleId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -301,14 +317,56 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: availabilityZone is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZone)
+            - message: blueprintId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.blueprintId)
+            - message: bundleId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bundleId)
           status:
             description: InstanceStatus defines the observed state of Instance.
             properties:
               atProvider:
                 properties:
+                  addOn:
+                    description: The add on configuration for the instance. Detailed
+                      below.
+                    items:
+                      properties:
+                        snapshotTime:
+                          description: The daily time when an automatic snapshot will
+                            be created. Must be in HH:00 format, and in an hourly
+                            increment and specified in Coordinated Universal Time
+                            (UTC). The snapshot will be automatically created between
+                            the time specified and up to 45 minutes after.
+                          type: string
+                        status:
+                          description: 'The status of the add on. Valid Values: Enabled,
+                            Disabled.'
+                          type: string
+                        type:
+                          description: The add-on type. There is currently only one
+                            valid type AutoSnapshot.
+                          type: string
+                      type: object
+                    type: array
                   arn:
                     description: The ARN of the Lightsail instance (matches id).
                     type: string
+                  availabilityZone:
+                    description: The Availability Zone in which to create your instance
+                      (see list below)
+                    type: string
+                  blueprintId:
+                    description: 'The ID for a virtual private server image. A list
+                      of available blueprint IDs can be obtained using the AWS CLI
+                      command: aws lightsail get-blueprints'
+                    type: string
+                  bundleId:
+                    description: The bundle of specification information (see list
+                      below)
+                    type: string
                   cpuCount:
                     description: The number of vCPUs the instance has.
                     type: number
@@ -318,6 +376,10 @@ spec:
                   id:
                     description: The ARN of the Lightsail instance (matches arn).
                     type: string
+                  ipAddressType:
+                    description: 'The IP address type of the Lightsail Instance. Valid
+                      Values: dualstack | ipv4.'
+                    type: string
                   ipv6Address:
                     description: (Deprecated) The first IPv6 address of the Lightsail
                       instance. Use ipv6_addresses attribute instead.
@@ -331,6 +393,10 @@ spec:
                     description: A Boolean value indicating whether this instance
                       has a static IP assigned to it.
                     type: boolean
+                  keyPairName:
+                    description: The name of your key pair. Created in the Lightsail
+                      console (cannot use aws_key_pair at this time)
+                    type: string
                   privateIpAddress:
                     description: The private IP address of the instance.
                     type: string
@@ -340,6 +406,11 @@ spec:
                   ramSize:
                     description: The amount of RAM in GB on the instance (e.g., 1.0).
                     type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -347,6 +418,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  userData:
+                    description: launch script to configure server with additional
+                      user data
+                    type: string
                   username:
                     description: The user name for connecting to the instance (e.g.,
                       ec2-user).
diff --git a/package/crds/lightsail.aws.upbound.io_keypairs.yaml b/package/crds/lightsail.aws.upbound.io_keypairs.yaml
index 5310835dd5..29bdea0538 100644
--- a/package/crds/lightsail.aws.upbound.io_keypairs.yaml
+++ b/package/crds/lightsail.aws.upbound.io_keypairs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,6 +86,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -277,10 +296,21 @@ spec:
                   id:
                     description: The name used for this key pair
                     type: string
+                  name:
+                    description: The name of the Lightsail Key Pair
+                    type: string
+                  pgpKey:
+                    description: –  An optional PGP key to encrypt the resulting private
+                      key material. Only used when creating a new key pair
+                    type: string
                   privateKey:
                     description: the private key, base64 encoded. This is only populated
                       when creating a new key, and when no pgp_key is provided
                     type: string
+                  publicKey:
+                    description: The public key material. This public key will be
+                      imported into Lightsail
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lightsail.aws.upbound.io_lbattachments.yaml b/package/crds/lightsail.aws.upbound.io_lbattachments.yaml
index c314336abe..be435ef5f7 100644
--- a/package/crds/lightsail.aws.upbound.io_lbattachments.yaml
+++ b/package/crds/lightsail.aws.upbound.io_lbattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -225,6 +229,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,6 +424,12 @@ spec:
                     description: 'A combination of attributes to create a unique id:
                       lb_name,instance_name'
                     type: string
+                  instanceName:
+                    description: The name of the instance to attach to the load balancer.
+                    type: string
+                  lbName:
+                    description: The name of the Lightsail load balancer.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lightsail.aws.upbound.io_lbcertificates.yaml b/package/crds/lightsail.aws.upbound.io_lbcertificates.yaml
index 24eabbc0e6..b7f29c8fbe 100644
--- a/package/crds/lightsail.aws.upbound.io_lbcertificates.yaml
+++ b/package/crds/lightsail.aws.upbound.io_lbcertificates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,6 +163,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,6 +360,10 @@ spec:
                   createdAt:
                     description: The timestamp when the instance was created.
                     type: string
+                  domainName:
+                    description: The domain name (e.g., example.com) for your SSL/TLS
+                      certificate.
+                    type: string
                   domainValidationRecords:
                     items:
                       properties:
@@ -361,6 +384,17 @@ spec:
                     description: 'A combination of attributes to create a unique id:
                       lb_name,name'
                     type: string
+                  lbName:
+                    description: The load balancer name where you want to create the
+                      SSL/TLS certificate.
+                    type: string
+                  subjectAlternativeNames:
+                    description: Set of domains that should be SANs in the issued
+                      certificate. domain_name attribute is automatically added as
+                      a Subject Alternative Name.
+                    items:
+                      type: string
+                    type: array
                   supportCode:
                     type: string
                 type: object
diff --git a/package/crds/lightsail.aws.upbound.io_lbs.yaml b/package/crds/lightsail.aws.upbound.io_lbs.yaml
index 2c387761e2..04d2aec9e3 100644
--- a/package/crds/lightsail.aws.upbound.io_lbs.yaml
+++ b/package/crds/lightsail.aws.upbound.io_lbs.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,9 +86,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - instancePort
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instancePort is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instancePort)
           status:
             description: LBStatus defines the observed state of LB.
             properties:
@@ -270,9 +291,18 @@ spec:
                   dnsName:
                     description: The DNS name of the load balancer.
                     type: string
+                  healthCheckPath:
+                    description: The health check path of the load balancer. Default
+                      value "/".
+                    type: string
                   id:
                     description: The name used for this load balancer (matches name).
                     type: string
+                  instancePort:
+                    description: The instance port the load balancer will connect.
+                    type: number
+                  ipAddressType:
+                    type: string
                   protocol:
                     description: The protocol of the load balancer.
                     type: string
@@ -287,6 +317,11 @@ spec:
                       in Lightsail. This code enables our support team to look up
                       your Lightsail information more easily.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/lightsail.aws.upbound.io_lbstickinesspolicies.yaml b/package/crds/lightsail.aws.upbound.io_lbstickinesspolicies.yaml
index cde5a84626..cf8c227e0a 100644
--- a/package/crds/lightsail.aws.upbound.io_lbstickinesspolicies.yaml
+++ b/package/crds/lightsail.aws.upbound.io_lbstickinesspolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,10 +82,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - cookieDuration
-                - enabled
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -253,11 +270,25 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: cookieDuration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cookieDuration)
+            - message: enabled is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.enabled)
           status:
             description: LBStickinessPolicyStatus defines the observed state of LBStickinessPolicy.
             properties:
               atProvider:
                 properties:
+                  cookieDuration:
+                    description: The cookie duration in seconds. This determines the
+                      length of the session stickiness.
+                    type: number
+                  enabled:
+                    description: '- The Session Stickiness state of the load balancer.
+                      true to activate session stickiness or false to deactivate session
+                      stickiness.'
+                    type: boolean
                   id:
                     description: The name used for this load balancer (matches lb_name).
                     type: string
diff --git a/package/crds/lightsail.aws.upbound.io_staticipattachments.yaml b/package/crds/lightsail.aws.upbound.io_staticipattachments.yaml
index fa09be216b..3d40b5e0c6 100644
--- a/package/crds/lightsail.aws.upbound.io_staticipattachments.yaml
+++ b/package/crds/lightsail.aws.upbound.io_staticipattachments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -406,9 +425,16 @@ spec:
                 properties:
                   id:
                     type: string
+                  instanceName:
+                    description: The name of the Lightsail instance to attach the
+                      IP to
+                    type: string
                   ipAddress:
                     description: The allocated static IP address
                     type: string
+                  staticIpName:
+                    description: The name of the allocated static IP
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/lightsail.aws.upbound.io_staticips.yaml b/package/crds/lightsail.aws.upbound.io_staticips.yaml
index 639e0864de..27487b848d 100644
--- a/package/crds/lightsail.aws.upbound.io_staticips.yaml
+++ b/package/crds/lightsail.aws.upbound.io_staticips.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: StaticIPStatus defines the observed state of StaticIP.
             properties:
@@ -259,6 +280,9 @@ spec:
                   ipAddress:
                     description: The allocated static IP address
                     type: string
+                  name:
+                    description: The name for the allocated static IP
+                    type: string
                   supportCode:
                     description: The support code.
                     type: string
diff --git a/package/crds/location.aws.upbound.io_geofencecollections.yaml b/package/crds/location.aws.upbound.io_geofencecollections.yaml
index 04db8bce48..f9ccf320f9 100644
--- a/package/crds/location.aws.upbound.io_geofencecollections.yaml
+++ b/package/crds/location.aws.upbound.io_geofencecollections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,6 +160,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,8 +360,20 @@ spec:
                     description: The timestamp for when the geofence collection resource
                       was created in ISO 8601 format.
                     type: string
+                  description:
+                    description: The optional description for the geofence collection.
+                    type: string
                   id:
                     type: string
+                  kmsKeyId:
+                    description: A key identifier for an AWS KMS customer managed
+                      key assigned to the Amazon Location resource.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/location.aws.upbound.io_placeindices.yaml b/package/crds/location.aws.upbound.io_placeindices.yaml
index 55774d6841..bdb66b7e4d 100644
--- a/package/crds/location.aws.upbound.io_placeindices.yaml
+++ b/package/crds/location.aws.upbound.io_placeindices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -93,9 +97,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - dataSource
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -267,6 +285,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dataSource is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataSource)
           status:
             description: PlaceIndexStatus defines the observed state of PlaceIndex.
             properties:
@@ -276,12 +297,36 @@ spec:
                     description: The timestamp for when the place index resource was
                       created in ISO 8601 format.
                     type: string
+                  dataSource:
+                    description: Specifies the geospatial data provider for the new
+                      place index.
+                    type: string
+                  dataSourceConfiguration:
+                    description: Configuration block with the data storage option
+                      chosen for requesting Places. Detailed below.
+                    items:
+                      properties:
+                        intendedUse:
+                          description: 'Specifies how the results of an operation
+                            will be stored by the caller. Valid values: SingleUse,
+                            Storage. Default: SingleUse.'
+                          type: string
+                      type: object
+                    type: array
+                  description:
+                    description: The optional description for the place index resource.
+                    type: string
                   id:
                     type: string
                   indexArn:
                     description: The Amazon Resource Name (ARN) for the place index
                       resource. Used to specify a resource across AWS.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/location.aws.upbound.io_routecalculators.yaml b/package/crds/location.aws.upbound.io_routecalculators.yaml
index 294b009571..2ffc31d008 100644
--- a/package/crds/location.aws.upbound.io_routecalculators.yaml
+++ b/package/crds/location.aws.upbound.io_routecalculators.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,9 +86,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - dataSource
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dataSource is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dataSource)
           status:
             description: RouteCalculatorStatus defines the observed state of RouteCalculator.
             properties:
@@ -269,8 +290,21 @@ spec:
                     description: The timestamp for when the route calculator resource
                       was created in ISO 8601 format.
                     type: string
+                  dataSource:
+                    description: Specifies the data provider of traffic and road network
+                      data.
+                    type: string
+                  description:
+                    description: The optional description for the route calculator
+                      resource.
+                    type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/location.aws.upbound.io_trackerassociations.yaml b/package/crds/location.aws.upbound.io_trackerassociations.yaml
index f0901bd3b3..466e280147 100644
--- a/package/crds/location.aws.upbound.io_trackerassociations.yaml
+++ b/package/crds/location.aws.upbound.io_trackerassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -404,8 +423,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  consumerArn:
+                    description: The Amazon Resource Name (ARN) for the geofence collection
+                      to be associated to tracker resource. Used when you need to
+                      specify a resource across all AWS.
+                    type: string
                   id:
                     type: string
+                  trackerName:
+                    description: The name of the tracker resource to be associated
+                      with a geofence collection.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/location.aws.upbound.io_trackers.yaml b/package/crds/location.aws.upbound.io_trackers.yaml
index d974951aa4..edf441b617 100644
--- a/package/crds/location.aws.upbound.io_trackers.yaml
+++ b/package/crds/location.aws.upbound.io_trackers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,6 +165,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,8 +360,25 @@ spec:
                     description: The timestamp for when the tracker resource was created
                       in ISO 8601 format.
                     type: string
+                  description:
+                    description: The optional description for the tracker resource.
+                    type: string
                   id:
                     type: string
+                  kmsKeyId:
+                    description: A key identifier for an AWS KMS customer managed
+                      key assigned to the Amazon Location resource.
+                    type: string
+                  positionFiltering:
+                    description: 'The position filtering method of the tracker resource.
+                      Valid values: TimeBased, DistanceBased, AccuracyBased. Default:
+                      TimeBased.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/macie2.aws.upbound.io_accounts.yaml b/package/crds/macie2.aws.upbound.io_accounts.yaml
index 9c4eb3730c..d6b47c1cca 100644
--- a/package/crds/macie2.aws.upbound.io_accounts.yaml
+++ b/package/crds/macie2.aws.upbound.io_accounts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,6 +87,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -263,6 +282,13 @@ spec:
                     description: The date and time, in UTC and extended RFC 3339 format,
                       when the Amazon Macie account was created.
                     type: string
+                  findingPublishingFrequency:
+                    description: Specifies how often to publish updates to policy
+                      findings for the account. This includes publishing updates to
+                      AWS Security Hub and Amazon EventBridge (formerly called Amazon
+                      CloudWatch Events). Valid values are FIFTEEN_MINUTES, ONE_HOUR
+                      or SIX_HOURS.
+                    type: string
                   id:
                     description: The unique identifier (ID) of the macie account.
                     type: string
@@ -271,6 +297,11 @@ spec:
                       role that allows Macie to monitor and analyze data in AWS resources
                       for the account.
                     type: string
+                  status:
+                    description: Specifies the status for the account. To enable Amazon
+                      Macie and start all Macie activities for the account, set this
+                      value to ENABLED. Valid values are ENABLED or PAUSED.
+                    type: string
                   updatedAt:
                     description: The date and time, in UTC and extended RFC 3339 format,
                       of the most recent change to the status of the Macie account.
diff --git a/package/crds/macie2.aws.upbound.io_classificationjobs.yaml b/package/crds/macie2.aws.upbound.io_classificationjobs.yaml
index 05ae59757e..008ce261f9 100644
--- a/package/crds/macie2.aws.upbound.io_classificationjobs.yaml
+++ b/package/crds/macie2.aws.upbound.io_classificationjobs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -494,10 +498,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - jobType
                 - region
-                - s3JobDefinition
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -669,6 +686,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: jobType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.jobType)
+            - message: s3JobDefinition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.s3JobDefinition)
           status:
             description: ClassificationJobStatus defines the observed state of ClassificationJob.
             properties:
@@ -678,16 +700,438 @@ spec:
                     description: The date and time, in UTC and extended RFC 3339 format,
                       when the job was created.
                     type: string
+                  customDataIdentifierIds:
+                    description: The custom data identifiers to use for data analysis
+                      and classification.
+                    items:
+                      type: string
+                    type: array
+                  description:
+                    description: A custom description of the job. The description
+                      can contain as many as 200 characters.
+                    type: string
                   id:
                     description: The unique identifier (ID) of the macie classification
                       job.
                     type: string
+                  initialRun:
+                    description: Specifies whether to analyze all existing, eligible
+                      objects immediately after the job is created.
+                    type: boolean
                   jobArn:
                     type: string
                   jobId:
                     description: The unique identifier (ID) of the macie classification
                       job.
                     type: string
+                  jobStatus:
+                    description: 'The status for the job. Valid values are: CANCELLED,
+                      RUNNING and USER_PAUSED'
+                    type: string
+                  jobType:
+                    description: 'The schedule for running the job. Valid values are:
+                      ONE_TIME - Run the job only once. If you specify this value,
+                      don''t specify a value for the schedule_frequency property.
+                      SCHEDULED - Run the job on a daily, weekly, or monthly basis.
+                      If you specify this value, use the schedule_frequency property
+                      to define the recurrence pattern for the job.'
+                    type: string
+                  name:
+                    description: A custom name for the job. The name can contain as
+                      many as 500 characters. Conflicts with name_prefix.
+                    type: string
+                  s3JobDefinition:
+                    description: The S3 buckets that contain the objects to analyze,
+                      and the scope of that analysis. (documented below)
+                    items:
+                      properties:
+                        bucketCriteria:
+                          description: The property- and tag-based conditions that
+                            determine which S3 buckets to include or exclude from
+                            the analysis. Conflicts with bucket_definitions. (documented
+                            below)
+                          items:
+                            properties:
+                              excludes:
+                                description: The property- or tag-based conditions
+                                  that determine which objects to exclude from the
+                                  analysis. (documented below)
+                                items:
+                                  properties:
+                                    and:
+                                      description: An array of conditions, one for
+                                        each condition that determines which objects
+                                        to include or exclude from the job. (documented
+                                        below)
+                                      items:
+                                        properties:
+                                          simpleCriterion:
+                                            description: A property-based condition
+                                              that defines a property, operator, and
+                                              one or more values for including or
+                                              excluding an S3 buckets from the job.
+                                              (documented below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                key:
+                                                  description: The object property
+                                                    to use in the condition.
+                                                  type: string
+                                                values:
+                                                  description: An array that lists
+                                                    the values to use in the condition.
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          tagCriterion:
+                                            description: A tag-based condition that
+                                              defines the operator and tag keys or
+                                              tag key and value pairs for including
+                                              or excluding an S3 buckets from the
+                                              job. (documented below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                tagValues:
+                                                  description: The tag keys or tag
+                                                    key and value pairs to use in
+                                                    the condition.
+                                                  items:
+                                                    properties:
+                                                      key:
+                                                        description: The object property
+                                                          to use in the condition.
+                                                        type: string
+                                                      value:
+                                                        description: The tag value.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              includes:
+                                description: The property- or tag-based conditions
+                                  that determine which objects to include in the analysis.
+                                  (documented below)
+                                items:
+                                  properties:
+                                    and:
+                                      description: An array of conditions, one for
+                                        each condition that determines which objects
+                                        to include or exclude from the job. (documented
+                                        below)
+                                      items:
+                                        properties:
+                                          simpleCriterion:
+                                            description: A property-based condition
+                                              that defines a property, operator, and
+                                              one or more values for including or
+                                              excluding an S3 buckets from the job.
+                                              (documented below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                key:
+                                                  description: The object property
+                                                    to use in the condition.
+                                                  type: string
+                                                values:
+                                                  description: An array that lists
+                                                    the values to use in the condition.
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          tagCriterion:
+                                            description: A tag-based condition that
+                                              defines the operator and tag keys or
+                                              tag key and value pairs for including
+                                              or excluding an S3 buckets from the
+                                              job. (documented below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                tagValues:
+                                                  description: The tag keys or tag
+                                                    key and value pairs to use in
+                                                    the condition.
+                                                  items:
+                                                    properties:
+                                                      key:
+                                                        description: The object property
+                                                          to use in the condition.
+                                                        type: string
+                                                      value:
+                                                        description: The tag value.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        bucketDefinitions:
+                          description: An array of objects, one for each AWS account
+                            that owns buckets to analyze. Each object specifies the
+                            account ID for an account and one or more buckets to analyze
+                            for the account. Conflicts with bucket_criteria. (documented
+                            below)
+                          items:
+                            properties:
+                              accountId:
+                                description: The unique identifier for the AWS account
+                                  that owns the buckets.
+                                type: string
+                              buckets:
+                                description: An array that lists the names of the
+                                  buckets.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        scoping:
+                          description: The property- and tag-based conditions that
+                            determine which objects to include or exclude from the
+                            analysis. (documented below)
+                          items:
+                            properties:
+                              excludes:
+                                description: The property- or tag-based conditions
+                                  that determine which objects to exclude from the
+                                  analysis. (documented below)
+                                items:
+                                  properties:
+                                    and:
+                                      description: An array of conditions, one for
+                                        each condition that determines which objects
+                                        to include or exclude from the job. (documented
+                                        below)
+                                      items:
+                                        properties:
+                                          simpleScopeTerm:
+                                            description: A property-based condition
+                                              that defines a property, operator, and
+                                              one or more values for including or
+                                              excluding an object from the job. (documented
+                                              below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                key:
+                                                  description: The object property
+                                                    to use in the condition.
+                                                  type: string
+                                                values:
+                                                  description: An array that lists
+                                                    the values to use in the condition.
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          tagScopeTerm:
+                                            description: A tag-based condition that
+                                              defines the operator and tag keys or
+                                              tag key and value pairs for including
+                                              or excluding an object from the job.
+                                              (documented below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                key:
+                                                  description: The object property
+                                                    to use in the condition.
+                                                  type: string
+                                                tagValues:
+                                                  description: The tag keys or tag
+                                                    key and value pairs to use in
+                                                    the condition.
+                                                  items:
+                                                    properties:
+                                                      key:
+                                                        description: The object property
+                                                          to use in the condition.
+                                                        type: string
+                                                      value:
+                                                        description: The tag value.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                target:
+                                                  description: The type of object
+                                                    to apply the condition to. The
+                                                    only valid value is S3_OBJECT.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              includes:
+                                description: The property- or tag-based conditions
+                                  that determine which objects to include in the analysis.
+                                  (documented below)
+                                items:
+                                  properties:
+                                    and:
+                                      description: An array of conditions, one for
+                                        each condition that determines which objects
+                                        to include or exclude from the job. (documented
+                                        below)
+                                      items:
+                                        properties:
+                                          simpleScopeTerm:
+                                            description: A property-based condition
+                                              that defines a property, operator, and
+                                              one or more values for including or
+                                              excluding an object from the job. (documented
+                                              below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                key:
+                                                  description: The object property
+                                                    to use in the condition.
+                                                  type: string
+                                                values:
+                                                  description: An array that lists
+                                                    the values to use in the condition.
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          tagScopeTerm:
+                                            description: A tag-based condition that
+                                              defines the operator and tag keys or
+                                              tag key and value pairs for including
+                                              or excluding an object from the job.
+                                              (documented below)
+                                            items:
+                                              properties:
+                                                comparator:
+                                                  description: 'The operator to use
+                                                    in a condition. Valid values are:
+                                                    EQ, GT, GTE, LT, LTE, NE, CONTAINS,
+                                                    STARTS_WITH'
+                                                  type: string
+                                                key:
+                                                  description: The object property
+                                                    to use in the condition.
+                                                  type: string
+                                                tagValues:
+                                                  description: The tag keys or tag
+                                                    key and value pairs to use in
+                                                    the condition.
+                                                  items:
+                                                    properties:
+                                                      key:
+                                                        description: The object property
+                                                          to use in the condition.
+                                                        type: string
+                                                      value:
+                                                        description: The tag value.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                target:
+                                                  description: The type of object
+                                                    to apply the condition to. The
+                                                    only valid value is S3_OBJECT.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  samplingPercentage:
+                    description: The sampling depth, as a percentage, to apply when
+                      processing objects. This value determines the percentage of
+                      eligible objects that the job analyzes. If this value is less
+                      than 100, Amazon Macie selects the objects to analyze at random,
+                      up to the specified percentage, and analyzes all the data in
+                      those objects.
+                    type: number
+                  scheduleFrequency:
+                    description: The recurrence pattern for running the job. To run
+                      the job only once, don't specify a value for this property and
+                      set the value for the job_type property to ONE_TIME. (documented
+                      below)
+                    items:
+                      properties:
+                        dailySchedule:
+                          description: Specifies a daily recurrence pattern for running
+                            the job.
+                          type: boolean
+                        monthlySchedule:
+                          description: Specifies a monthly recurrence pattern for
+                            running the job.
+                          type: number
+                        weeklySchedule:
+                          description: Specifies a weekly recurrence pattern for running
+                            the job.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/macie2.aws.upbound.io_customdataidentifiers.yaml b/package/crds/macie2.aws.upbound.io_customdataidentifiers.yaml
index b6707d2b1e..4eb74e980b 100644
--- a/package/crds/macie2.aws.upbound.io_customdataidentifiers.yaml
+++ b/package/crds/macie2.aws.upbound.io_customdataidentifiers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -115,6 +119,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -300,10 +319,54 @@ spec:
                     description: The date and time, in UTC and extended RFC 3339 format,
                       when the Amazon Macie account was created.
                     type: string
+                  description:
+                    description: A custom description of the custom data identifier.
+                      The description can contain as many as 512 characters.
+                    type: string
                   id:
                     description: The unique identifier (ID) of the macie custom data
                       identifier.
                     type: string
+                  ignoreWords:
+                    description: An array that lists specific character sequences
+                      (ignore words) to exclude from the results. If the text matched
+                      by the regular expression is the same as any string in this
+                      array, Amazon Macie ignores it. The array can contain as many
+                      as 10 ignore words. Each ignore word can contain 4 - 90 characters.
+                      Ignore words are case sensitive.
+                    items:
+                      type: string
+                    type: array
+                  keywords:
+                    description: An array that lists specific character sequences
+                      (keywords), one of which must be within proximity (maximum_match_distance)
+                      of the regular expression to match. The array can contain as
+                      many as 50 keywords. Each keyword can contain 3 - 90 characters.
+                      Keywords aren't case sensitive.
+                    items:
+                      type: string
+                    type: array
+                  maximumMatchDistance:
+                    description: The maximum number of characters that can exist between
+                      text that matches the regex pattern and the character sequences
+                      specified by the keywords array. Macie includes or excludes
+                      a result based on the proximity of a keyword to text that matches
+                      the regex pattern. The distance can be 1 - 300 characters. The
+                      default value is 50.
+                    type: number
+                  name:
+                    description: A custom name for the custom data identifier. The
+                      name can contain as many as 128 characters. Conflicts with name_prefix.
+                    type: string
+                  regex:
+                    description: The regular expression (regex) that defines the pattern
+                      to match. The expression can contain as many as 512 characters.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/macie2.aws.upbound.io_findingsfilters.yaml b/package/crds/macie2.aws.upbound.io_findingsfilters.yaml
index 84e1dd18f9..8f6183da3e 100644
--- a/package/crds/macie2.aws.upbound.io_findingsfilters.yaml
+++ b/package/crds/macie2.aws.upbound.io_findingsfilters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,10 +157,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - action
-                - findingCriteria
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -328,18 +345,105 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: action is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)
+            - message: findingCriteria is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.findingCriteria)
           status:
             description: FindingsFilterStatus defines the observed state of FindingsFilter.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: 'The action to perform on findings that meet the
+                      filter criteria (finding_criteria). Valid values are: ARCHIVE,
+                      suppress (automatically archive) the findings; and, NOOP, don''t
+                      perform any action on the findings.'
+                    type: string
                   arn:
                     description: The Amazon Resource Name (ARN) of the Findings Filter.
                     type: string
+                  description:
+                    description: A custom description of the filter. The description
+                      can contain as many as 512 characters.
+                    type: string
+                  findingCriteria:
+                    description: The criteria to use to filter findings.
+                    items:
+                      properties:
+                        criterion:
+                          description: A condition that specifies the property, operator,
+                            and one or more values to use to filter the results.  (documented
+                            below)
+                          items:
+                            properties:
+                              eq:
+                                description: The value for the property matches (equals)
+                                  the specified value. If you specify multiple values,
+                                  Amazon Macie uses OR logic to join the values.
+                                items:
+                                  type: string
+                                type: array
+                              eqExactMatch:
+                                description: The value for the property exclusively
+                                  matches (equals an exact match for) all the specified
+                                  values. If you specify multiple values, Amazon Macie
+                                  uses AND logic to join the values.
+                                items:
+                                  type: string
+                                type: array
+                              field:
+                                description: The name of the field to be evaluated.
+                                type: string
+                              gt:
+                                description: The value for the property is greater
+                                  than the specified value.
+                                type: string
+                              gte:
+                                description: The value for the property is greater
+                                  than or equal to the specified value.
+                                type: string
+                              lt:
+                                description: The value for the property is less than
+                                  the specified value.
+                                type: string
+                              lte:
+                                description: The value for the property is less than
+                                  or equal to the specified value.
+                                type: string
+                              neq:
+                                description: The value for the property doesn't match
+                                  (doesn't equal) the specified value. If you specify
+                                  multiple values, Amazon Macie uses OR logic to join
+                                  the values.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: The unique identifier (ID) of the macie Findings
                       Filter.
                     type: string
+                  name:
+                    description: A custom name for the filter. The name must contain
+                      at least 3 characters and can contain as many as 64 characters.
+                      Conflicts with name_prefix.
+                    type: string
+                  position:
+                    description: The position of the filter in the list of saved filters
+                      on the Amazon Macie console. This value also determines the
+                      order in which the filter is applied to findings, relative to
+                      other filters that are also applied to the findings.
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/macie2.aws.upbound.io_invitationaccepters.yaml b/package/crds/macie2.aws.upbound.io_invitationaccepters.yaml
index d3aea78f53..77ab7d193b 100644
--- a/package/crds/macie2.aws.upbound.io_invitationaccepters.yaml
+++ b/package/crds/macie2.aws.upbound.io_invitationaccepters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -73,9 +77,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - administratorAccountId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -247,11 +265,18 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: administratorAccountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.administratorAccountId)
           status:
             description: InvitationAccepterStatus defines the observed state of InvitationAccepter.
             properties:
               atProvider:
                 properties:
+                  administratorAccountId:
+                    description: The AWS account ID for the account that sent the
+                      invitation.
+                    type: string
                   id:
                     description: The unique identifier (ID) of the macie invitation
                       accepter.
diff --git a/package/crds/macie2.aws.upbound.io_members.yaml b/package/crds/macie2.aws.upbound.io_members.yaml
index dd0d36db30..2bd875892a 100644
--- a/package/crds/macie2.aws.upbound.io_members.yaml
+++ b/package/crds/macie2.aws.upbound.io_members.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -101,10 +105,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - accountId
-                - email
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -276,20 +293,47 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)
+            - message: email is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)
           status:
             description: MemberStatus defines the observed state of Member.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The AWS account ID for the account.
+                    type: string
                   administratorAccountId:
                     description: The AWS account ID for the administrator account.
                     type: string
                   arn:
                     description: The Amazon Resource Name (ARN) of the account.
                     type: string
+                  email:
+                    description: The email address for the account.
+                    type: string
                   id:
                     description: The unique identifier (ID) of the macie Member.
                     type: string
+                  invitationDisableEmailNotification:
+                    description: Specifies whether to send an email notification to
+                      the root user of each account that the invitation will be sent
+                      to. This notification is in addition to an alert that the root
+                      user receives in AWS Personal Health Dashboard. To send an email
+                      notification to the root user of each account, set this value
+                      to true.
+                    type: boolean
+                  invitationMessage:
+                    description: A custom message to include in the invitation. Amazon
+                      Macie adds this message to the standard content that it sends
+                      for an invitation.
+                    type: string
+                  invite:
+                    description: Send an invitation to a member
+                    type: boolean
                   invitedAt:
                     description: The date and time, in UTC and extended RFC 3339 format,
                       when an Amazon Macie membership invitation was last sent to
@@ -303,6 +347,16 @@ spec:
                     description: The current status of the relationship between the
                       account and the administrator account.
                     type: string
+                  status:
+                    description: Specifies the status for the account. To enable Amazon
+                      Macie and start all Macie activities for the account, set this
+                      value to ENABLED. Valid values are ENABLED or PAUSED.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/mediaconvert.aws.upbound.io_queues.yaml b/package/crds/mediaconvert.aws.upbound.io_queues.yaml
index 6e3980c1b8..a479dce0f1 100644
--- a/package/crds/mediaconvert.aws.upbound.io_queues.yaml
+++ b/package/crds/mediaconvert.aws.upbound.io_queues.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -111,6 +115,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -290,9 +309,45 @@ spec:
                   arn:
                     description: The Arn of the queue
                     type: string
+                  description:
+                    description: A description of the queue
+                    type: string
                   id:
                     description: The same as name
                     type: string
+                  pricingPlan:
+                    description: Specifies whether the pricing plan for the queue
+                      is on-demand or reserved. Valid values are ON_DEMAND or RESERVED.
+                      Default to ON_DEMAND.
+                    type: string
+                  reservationPlanSettings:
+                    description: A detail pricing plan of the  reserved queue. See
+                      below.
+                    items:
+                      properties:
+                        commitment:
+                          description: The length of the term of your reserved queue
+                            pricing plan commitment. Valid value is ONE_YEAR.
+                          type: string
+                        renewalType:
+                          description: Specifies whether the term of your reserved
+                            queue pricing plan. Valid values are AUTO_RENEW or EXPIRE.
+                          type: string
+                        reservedSlots:
+                          description: Specifies the number of reserved transcode
+                            slots (RTS) for queue.
+                          type: number
+                      type: object
+                    type: array
+                  status:
+                    description: A status of the queue. Valid values are ACTIVE or
+                      RESERVED. Default to PAUSED.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/medialive.aws.upbound.io_channels.yaml b/package/crds/medialive.aws.upbound.io_channels.yaml
index da92c3653d..e6f602c185 100644
--- a/package/crds/medialive.aws.upbound.io_channels.yaml
+++ b/package/crds/medialive.aws.upbound.io_channels.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -2820,14 +2824,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - channelClass
-                - destinations
-                - encoderSettings
-                - inputAttachments
-                - inputSpecification
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -2999,6 +3012,19 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: channelClass is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.channelClass)
+            - message: destinations is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destinations)
+            - message: encoderSettings is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.encoderSettings)
+            - message: inputAttachments is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputAttachments)
+            - message: inputSpecification is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputSpecification)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ChannelStatus defines the observed state of Channel.
             properties:
@@ -3007,23 +3033,2488 @@ spec:
                   arn:
                     description: ARN of the Channel.
                     type: string
+                  cdiInputSpecification:
+                    description: Specification of CDI inputs for this channel. See
+                      CDI Input Specification for more details.
+                    items:
+                      properties:
+                        resolution:
+                          description: '- Maximum CDI input resolution.'
+                          type: string
+                      type: object
+                    type: array
+                  channelClass:
+                    description: Concise argument description.
+                    type: string
                   channelId:
                     description: ID of the channel in MediaPackage that is the destination
                       for this output group.
                     type: string
-                  id:
-                    description: User-specified id. Ths is used in an output group
-                      or an output.
-                    type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    type: object
-                  vpc:
-                    description: Settings for the VPC outputs.
+                  destinations:
+                    description: Destinations for channel. See Destinations for more
+                      details.
                     items:
                       properties:
-                        availabilityZones:
+                        id:
+                          description: User-specified id. Ths is used in an output
+                            group or an output.
+                          type: string
+                        mediaPackageSettings:
+                          description: Destination settings for a MediaPackage output;
+                            one destination for both encoders. See Media Package Settings
+                            for more details.
+                          items:
+                            properties:
+                              channelId:
+                                description: ID of the channel in MediaPackage that
+                                  is the destination for this output group.
+                                type: string
+                            type: object
+                          type: array
+                        multiplexSettings:
+                          description: Destination settings for a Multiplex output;
+                            one destination for both encoders. See Multiplex Settings
+                            for more details.
+                          items:
+                            properties:
+                              multiplexId:
+                                description: The ID of the Multiplex that the encoder
+                                  is providing output to.
+                                type: string
+                              programName:
+                                description: The program name of the Multiplex program
+                                  that the encoder is providing output to.
+                                type: string
+                            type: object
+                          type: array
+                        settings:
+                          description: Destination settings for a standard output;
+                            one destination for each redundant encoder. See Settings
+                            for more details.
+                          items:
+                            properties:
+                              passwordParam:
+                                description: Key used to extract the password from
+                                  EC2 Parameter store.
+                                type: string
+                              streamName:
+                                description: Stream name RTMP destinations (URLs of
+                                  type rtmp://)
+                                type: string
+                              url:
+                                description: A URL specifying a destination.
+                                type: string
+                              username:
+                                description: Username for destination.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  encoderSettings:
+                    description: Encoder settings. See Encoder Settings for more details.
+                    items:
+                      properties:
+                        audioDescriptions:
+                          description: Audio descriptions for the channel. See Audio
+                            Descriptions for more details.
+                          items:
+                            properties:
+                              audioNormalizationSettings:
+                                description: Advanced audio normalization settings.
+                                  See Audio Normalization Settings for more details.
+                                items:
+                                  properties:
+                                    algorithm:
+                                      description: Audio normalization algorithm to
+                                        use. itu17701 conforms to the CALM Act specification,
+                                        itu17702 to the EBU R-128 specification.
+                                      type: string
+                                    algorithmControl:
+                                      description: Algorithm control for the audio
+                                        description.
+                                      type: string
+                                    targetLkfs:
+                                      description: Target LKFS (loudness) to adjust
+                                        volume to.
+                                      type: number
+                                  type: object
+                                type: array
+                              audioSelectorName:
+                                description: The name of the audio selector used as
+                                  the source for this AudioDescription.
+                                type: string
+                              audioType:
+                                description: Applies only if audioTypeControl is useConfigured.
+                                  The values for audioType are defined in ISO-IEC
+                                  13818-1.
+                                type: string
+                              audioTypeControl:
+                                description: Determined how audio type is determined.
+                                type: string
+                              audioWatermarkSettings:
+                                description: Settings to configure one or more solutions
+                                  that insert audio watermarks in the audio encode.
+                                  See Audio Watermark Settings for more details.
+                                items:
+                                  properties:
+                                    nielsenWatermarksSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          nielsenCbetSettings:
+                                            description: Used to insert watermarks
+                                              of type Nielsen CBET. See Nielsen CBET
+                                              Settings for more details.
+                                            items:
+                                              properties:
+                                                cbetCheckDigitString:
+                                                  type: string
+                                                cbetStepaside:
+                                                  description: Determines the method
+                                                    of CBET insertion mode when prior
+                                                    encoding is detected on the same
+                                                    layer.
+                                                  type: string
+                                                csid:
+                                                  description: CBET source ID to use
+                                                    in the watermark.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          nielsenDistributionType:
+                                            description: Distribution types to assign
+                                              to the watermarks. Options are PROGRAM_CONTENT
+                                              and FINAL_DISTRIBUTOR.
+                                            type: string
+                                          nielsenNaesIiNwSettings:
+                                            description: Used to insert watermarks
+                                              of type Nielsen NAES, II (N2) and Nielsen
+                                              NAES VI (NW). See Nielsen NAES II NW
+                                              Settings for more details.
+                                            items:
+                                              properties:
+                                                checkDigitString:
+                                                  type: string
+                                                sid:
+                                                  description: The Nielsen Source
+                                                    ID to include in the watermark.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              codecSettings:
+                                description: Audio codec settings. See Audio Codec
+                                  Settings for more details.
+                                items:
+                                  properties:
+                                    aacSettings:
+                                      description: Aac Settings. See AAC Settings
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bitrate:
+                                            description: Average bitrate in bits/second.
+                                            type: number
+                                          codingMode:
+                                            description: Mono, Stereo, or 5.1 channel
+                                              layout.
+                                            type: string
+                                          inputType:
+                                            description: Set to "broadcasterMixedAd"
+                                              when input contains pre-mixed main audio
+                                              + AD (narration) as a stereo pair.
+                                            type: string
+                                          profile:
+                                            description: AAC profile.
+                                            type: string
+                                          rateControlMode:
+                                            description: The rate control mode.
+                                            type: string
+                                          rawFormat:
+                                            description: Sets LATM/LOAS AAC output
+                                              for raw containers.
+                                            type: string
+                                          sampleRate:
+                                            description: Sample rate in Hz.
+                                            type: number
+                                          spec:
+                                            description: Use MPEG-2 AAC audio instead
+                                              of MPEG-4 AAC audio for raw or MPEG-2
+                                              Transport Stream containers.
+                                            type: string
+                                          vbrQuality:
+                                            description: VBR Quality Level - Only
+                                              used if rateControlMode is VBR.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    ac3Settings:
+                                      description: Ac3 Settings. See AC3 Settings
+                                        for more details.
+                                      items:
+                                        properties:
+                                          bitrate:
+                                            description: Average bitrate in bits/second.
+                                            type: number
+                                          bitstreamMode:
+                                            description: Specifies the bitstream mode
+                                              (bsmod) for the emitted AC-3 stream.
+                                            type: string
+                                          codingMode:
+                                            description: Mono, Stereo, or 5.1 channel
+                                              layout.
+                                            type: string
+                                          dialnorm:
+                                            description: Sets the dialnorm of the
+                                              output.
+                                            type: number
+                                          drcProfile:
+                                            description: If set to filmStandard, adds
+                                              dynamic range compression signaling
+                                              to the output bitstream as defined in
+                                              the Dolby Digital specification.
+                                            type: string
+                                          lfeFilter:
+                                            description: When set to enabled, applies
+                                              a 120Hz lowpass filter to the LFE channel
+                                              prior to encoding.
+                                            type: string
+                                          metadataControl:
+                                            description: Metadata control.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    eac3AtmosSettings:
+                                      description: '- Eac3 Atmos Settings. See EAC3
+                                        Atmos Settings'
+                                      items:
+                                        properties:
+                                          bitrate:
+                                            description: Average bitrate in bits/second.
+                                            type: number
+                                          codingMode:
+                                            description: Mono, Stereo, or 5.1 channel
+                                              layout.
+                                            type: string
+                                          dialnorm:
+                                            description: Sets the dialnorm of the
+                                              output.
+                                            type: number
+                                          drcLine:
+                                            description: Sets the Dolby dynamic range
+                                              compression profile.
+                                            type: string
+                                          drcRf:
+                                            description: Sets the profile for heavy
+                                              Dolby dynamic range compression.
+                                            type: string
+                                          heightTrim:
+                                            description: Height dimensional trim.
+                                            type: number
+                                          surroundTrim:
+                                            description: Surround dimensional trim.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    eac3Settings:
+                                      description: '- Eac3 Settings. See EAC3 Settings'
+                                      items:
+                                        properties:
+                                          attenuationControl:
+                                            description: Sets the attenuation control.
+                                            type: string
+                                          bitrate:
+                                            description: Average bitrate in bits/second.
+                                            type: number
+                                          bitstreamMode:
+                                            description: Specifies the bitstream mode
+                                              (bsmod) for the emitted AC-3 stream.
+                                            type: string
+                                          codingMode:
+                                            description: Mono, Stereo, or 5.1 channel
+                                              layout.
+                                            type: string
+                                          dcFilter:
+                                            type: string
+                                          dialnorm:
+                                            description: Sets the dialnorm of the
+                                              output.
+                                            type: number
+                                          drcLine:
+                                            description: Sets the Dolby dynamic range
+                                              compression profile.
+                                            type: string
+                                          drcRf:
+                                            description: Sets the profile for heavy
+                                              Dolby dynamic range compression.
+                                            type: string
+                                          lfeControl:
+                                            type: string
+                                          lfeFilter:
+                                            description: When set to enabled, applies
+                                              a 120Hz lowpass filter to the LFE channel
+                                              prior to encoding.
+                                            type: string
+                                          loRoCenterMixLevel:
+                                            description: H264 level.
+                                            type: number
+                                          loRoSurroundMixLevel:
+                                            description: H264 level.
+                                            type: number
+                                          ltRtCenterMixLevel:
+                                            description: H264 level.
+                                            type: number
+                                          ltRtSurroundMixLevel:
+                                            description: H264 level.
+                                            type: number
+                                          metadataControl:
+                                            description: Metadata control.
+                                            type: string
+                                          passthroughControl:
+                                            type: string
+                                          phaseControl:
+                                            type: string
+                                          stereoDownmix:
+                                            type: string
+                                          surroundExMode:
+                                            type: string
+                                          surroundMode:
+                                            type: string
+                                        type: object
+                                      type: array
+                                    mp2Settings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          bitrate:
+                                            description: Average bitrate in bits/second.
+                                            type: number
+                                          codingMode:
+                                            description: Mono, Stereo, or 5.1 channel
+                                              layout.
+                                            type: string
+                                          sampleRate:
+                                            description: Sample rate in Hz.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    passThroughSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        type: object
+                                      type: array
+                                    wavSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          bitDepth:
+                                            type: number
+                                          codingMode:
+                                            description: Mono, Stereo, or 5.1 channel
+                                              layout.
+                                            type: string
+                                          sampleRate:
+                                            description: Sample rate in Hz.
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              languageCode:
+                                description: When specified this field indicates the
+                                  three letter language code of the caption track
+                                  to extract from the source.
+                                type: string
+                              languageCodeControl:
+                                type: string
+                              name:
+                                description: Name of the Channel.
+                                type: string
+                              remixSettings:
+                                description: Destination settings for a standard output;
+                                  one destination for each redundant encoder. See
+                                  Settings for more details.
+                                items:
+                                  properties:
+                                    channelMappings:
+                                      items:
+                                        properties:
+                                          inputChannelLevels:
+                                            items:
+                                              properties:
+                                                gain:
+                                                  type: number
+                                                inputChannel:
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          outputChannel:
+                                            type: number
+                                        type: object
+                                      type: array
+                                    channelsIn:
+                                      type: number
+                                    channelsOut:
+                                      type: number
+                                  type: object
+                                type: array
+                              streamName:
+                                description: Stream name RTMP destinations (URLs of
+                                  type rtmp://)
+                                type: string
+                            type: object
+                          type: array
+                        availBlanking:
+                          description: Settings for ad avail blanking. See Avail Blanking
+                            for more details.
+                          items:
+                            properties:
+                              availBlankingImage:
+                                description: Blanking image to be used. See Avail
+                                  Blanking Image for more details.
+                                items:
+                                  properties:
+                                    passwordParam:
+                                      description: Key used to extract the password
+                                        from EC2 Parameter store.
+                                      type: string
+                                    uri:
+                                      description: Path to a file accessible to the
+                                        live stream.
+                                      type: string
+                                    username:
+                                      description: Username for destination.
+                                      type: string
+                                  type: object
+                                type: array
+                              state:
+                                description: When set to enabled, causes video, audio
+                                  and captions to be blanked when insertion metadata
+                                  is added.
+                                type: string
+                            type: object
+                          type: array
+                        outputGroups:
+                          description: Output groups for the channel. See Output Groups
+                            for more details.
+                          items:
+                            properties:
+                              name:
+                                description: Name of the Channel.
+                                type: string
+                              outputGroupSettings:
+                                description: Settings associated with the output group.
+                                  See Output Group Settings for more details.
+                                items:
+                                  properties:
+                                    archiveGroupSettings:
+                                      description: Archive group settings. See Archive
+                                        Group Settings for more details.
+                                      items:
+                                        properties:
+                                          archiveCdnSettings:
+                                            description: Parameters that control the
+                                              interactions with the CDN. See Archive
+                                              CDN Settings for more details.
+                                            items:
+                                              properties:
+                                                archiveS3Settings:
+                                                  description: Archive S3 Settings.
+                                                    See Archive S3 Settings for more
+                                                    details.
+                                                  items:
+                                                    properties:
+                                                      cannedAcl:
+                                                        description: Specify the canned
+                                                          ACL to apply to each S3
+                                                          request.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          destination:
+                                            description: A director and base filename
+                                              where archive files should be written.
+                                              See Destination for more details.
+                                            items:
+                                              properties:
+                                                destinationRefId:
+                                                  description: Reference ID for the
+                                                    destination.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          rolloverInterval:
+                                            description: Number of seconds to write
+                                              to archive file before closing and starting
+                                              a new one.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    frameCaptureGroupSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          destination:
+                                            description: A director and base filename
+                                              where archive files should be written.
+                                              See Destination for more details.
+                                            items:
+                                              properties:
+                                                destinationRefId:
+                                                  description: Reference ID for the
+                                                    destination.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          frameCaptureCdnSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                frameCaptureS3Settings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      cannedAcl:
+                                                        description: Specify the canned
+                                                          ACL to apply to each S3
+                                                          request.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    hlsGroupSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          adMarkers:
+                                            description: The ad marker type for this
+                                              output group.
+                                            items:
+                                              type: string
+                                            type: array
+                                          baseUrlContent:
+                                            type: string
+                                          baseUrlContent1:
+                                            type: string
+                                          baseUrlManifest:
+                                            type: string
+                                          baseUrlManifest1:
+                                            type: string
+                                          captionLanguageMappings:
+                                            items:
+                                              properties:
+                                                captionChannel:
+                                                  type: number
+                                                languageCode:
+                                                  description: When specified this
+                                                    field indicates the three letter
+                                                    language code of the caption track
+                                                    to extract from the source.
+                                                  type: string
+                                                languageDescription:
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          captionLanguageSetting:
+                                            type: string
+                                          clientCache:
+                                            type: string
+                                          codecSpecification:
+                                            type: string
+                                          constantIv:
+                                            type: string
+                                          destination:
+                                            description: A director and base filename
+                                              where archive files should be written.
+                                              See Destination for more details.
+                                            items:
+                                              properties:
+                                                destinationRefId:
+                                                  description: Reference ID for the
+                                                    destination.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          directoryStructure:
+                                            type: string
+                                          discontinuityTags:
+                                            description: Key-value map of resource
+                                              tags.
+                                            type: string
+                                          encryptionType:
+                                            type: string
+                                          hlsCdnSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                hlsAkamaiSettings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      connectionRetryInterval:
+                                                        description: Number of seconds
+                                                          to wait before retrying
+                                                          connection to the flash
+                                                          media server if the connection
+                                                          is lost.
+                                                        type: number
+                                                      filecacheDuration:
+                                                        type: number
+                                                      httpTransferMode:
+                                                        type: string
+                                                      numRetries:
+                                                        description: Number of retry
+                                                          attempts.
+                                                        type: number
+                                                      restartDelay:
+                                                        description: Number of seconds
+                                                          to wait until a restart
+                                                          is initiated.
+                                                        type: number
+                                                      salt:
+                                                        type: string
+                                                      token:
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                hlsBasicPutSettings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      connectionRetryInterval:
+                                                        description: Number of seconds
+                                                          to wait before retrying
+                                                          connection to the flash
+                                                          media server if the connection
+                                                          is lost.
+                                                        type: number
+                                                      filecacheDuration:
+                                                        type: number
+                                                      numRetries:
+                                                        description: Number of retry
+                                                          attempts.
+                                                        type: number
+                                                      restartDelay:
+                                                        description: Number of seconds
+                                                          to wait until a restart
+                                                          is initiated.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                                hlsMediaStoreSettings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      connectionRetryInterval:
+                                                        description: Number of seconds
+                                                          to wait before retrying
+                                                          connection to the flash
+                                                          media server if the connection
+                                                          is lost.
+                                                        type: number
+                                                      filecacheDuration:
+                                                        type: number
+                                                      mediaStoreStorageClass:
+                                                        type: string
+                                                      numRetries:
+                                                        description: Number of retry
+                                                          attempts.
+                                                        type: number
+                                                      restartDelay:
+                                                        description: Number of seconds
+                                                          to wait until a restart
+                                                          is initiated.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                                hlsS3Settings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      cannedAcl:
+                                                        description: Specify the canned
+                                                          ACL to apply to each S3
+                                                          request.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                hlsWebdavSettings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      connectionRetryInterval:
+                                                        description: Number of seconds
+                                                          to wait before retrying
+                                                          connection to the flash
+                                                          media server if the connection
+                                                          is lost.
+                                                        type: number
+                                                      filecacheDuration:
+                                                        type: number
+                                                      httpTransferMode:
+                                                        type: string
+                                                      numRetries:
+                                                        description: Number of retry
+                                                          attempts.
+                                                        type: number
+                                                      restartDelay:
+                                                        description: Number of seconds
+                                                          to wait until a restart
+                                                          is initiated.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          hlsId3SegmentTagging:
+                                            type: string
+                                          iframeOnlyPlaylists:
+                                            type: string
+                                          incompleteSegmentBehavior:
+                                            type: string
+                                          indexNSegments:
+                                            type: number
+                                          inputLossAction:
+                                            description: Controls the behavior of
+                                              the RTMP group if input becomes unavailable.
+                                            type: string
+                                          ivInManifest:
+                                            type: string
+                                          ivSource:
+                                            description: The source for the timecode
+                                              that will be associated with the events
+                                              outputs.
+                                            type: string
+                                          keepSegments:
+                                            type: number
+                                          keyFormat:
+                                            type: string
+                                          keyFormatVersions:
+                                            type: string
+                                          keyProviderSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                staticKeySettings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      keyProviderServer:
+                                                        items:
+                                                          properties:
+                                                            passwordParam:
+                                                              description: Key used
+                                                                to extract the password
+                                                                from EC2 Parameter
+                                                                store.
+                                                              type: string
+                                                            uri:
+                                                              description: Path to
+                                                                a file accessible
+                                                                to the live stream.
+                                                              type: string
+                                                            username:
+                                                              description: Username
+                                                                for destination.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      staticKeyValue:
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          manifestCompression:
+                                            type: string
+                                          manifestDurationFormat:
+                                            type: string
+                                          minSegmentLength:
+                                            type: number
+                                          mode:
+                                            type: string
+                                          outputSelection:
+                                            type: string
+                                          programDateTime:
+                                            type: string
+                                          programDateTimeClock:
+                                            type: string
+                                          programDateTimePeriod:
+                                            type: number
+                                          redundantManifest:
+                                            type: string
+                                          segmentLength:
+                                            type: number
+                                          segmentsPerSubdirectory:
+                                            type: number
+                                          streamInfResolution:
+                                            description: '- Maximum CDI input resolution.'
+                                            type: string
+                                          timedMetadataId3Frame:
+                                            description: Indicates ID3 frame that
+                                              has the timecode.
+                                            type: string
+                                          timedMetadataId3Period:
+                                            type: number
+                                          timestampDeltaMilliseconds:
+                                            type: number
+                                          tsFileMode:
+                                            type: string
+                                        type: object
+                                      type: array
+                                    mediaPackageGroupSettings:
+                                      description: Media package group settings. See
+                                        Media Package Group Settings for more details.
+                                      items:
+                                        properties:
+                                          destination:
+                                            description: A director and base filename
+                                              where archive files should be written.
+                                              See Destination for more details.
+                                            items:
+                                              properties:
+                                                destinationRefId:
+                                                  description: Reference ID for the
+                                                    destination.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    msSmoothGroupSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          acquisitionPointId:
+                                            description: User-specified id. Ths is
+                                              used in an output group or an output.
+                                            type: string
+                                          audioOnlyTimecodecControl:
+                                            type: string
+                                          certificateMode:
+                                            description: Setting to allow self signed
+                                              or verified RTMP certificates.
+                                            type: string
+                                          connectionRetryInterval:
+                                            description: Number of seconds to wait
+                                              before retrying connection to the flash
+                                              media server if the connection is lost.
+                                            type: number
+                                          destination:
+                                            description: A director and base filename
+                                              where archive files should be written.
+                                              See Destination for more details.
+                                            items:
+                                              properties:
+                                                destinationRefId:
+                                                  description: Reference ID for the
+                                                    destination.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          eventId:
+                                            description: User-specified id. Ths is
+                                              used in an output group or an output.
+                                            type: number
+                                          eventIdMode:
+                                            type: string
+                                          eventStopBehavior:
+                                            type: string
+                                          filecacheDuration:
+                                            type: number
+                                          fragmentLength:
+                                            type: number
+                                          inputLossAction:
+                                            description: Controls the behavior of
+                                              the RTMP group if input becomes unavailable.
+                                            type: string
+                                          numRetries:
+                                            description: Number of retry attempts.
+                                            type: number
+                                          restartDelay:
+                                            description: Number of seconds to wait
+                                              until a restart is initiated.
+                                            type: number
+                                          segmentationMode:
+                                            type: string
+                                          sendDelayMs:
+                                            type: number
+                                          sparseTrackType:
+                                            type: string
+                                          streamManifestBehavior:
+                                            type: string
+                                          timestampOffset:
+                                            type: string
+                                          timestampOffsetMode:
+                                            type: string
+                                        type: object
+                                      type: array
+                                    multiplexGroupSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        type: object
+                                      type: array
+                                    rtmpGroupSettings:
+                                      description: RTMP group settings. See RTMP Group
+                                        Settings for more details.
+                                      items:
+                                        properties:
+                                          adMarkers:
+                                            description: The ad marker type for this
+                                              output group.
+                                            items:
+                                              type: string
+                                            type: array
+                                          authenticationScheme:
+                                            description: Authentication scheme to
+                                              use when connecting with CDN.
+                                            type: string
+                                          cacheFullBehavior:
+                                            description: Controls behavior when content
+                                              cache fills up.
+                                            type: string
+                                          cacheLength:
+                                            description: Cache length in seconds,
+                                              is used to calculate buffer size.
+                                            type: number
+                                          captionData:
+                                            description: Controls the types of data
+                                              that passes to onCaptionInfo outputs.
+                                            type: string
+                                          inputLossAction:
+                                            description: Controls the behavior of
+                                              the RTMP group if input becomes unavailable.
+                                            type: string
+                                          restartDelay:
+                                            description: Number of seconds to wait
+                                              until a restart is initiated.
+                                            type: number
+                                        type: object
+                                      type: array
+                                    udpGroupSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          inputLossAction:
+                                            description: Controls the behavior of
+                                              the RTMP group if input becomes unavailable.
+                                            type: string
+                                          timedMetadataId3Frame:
+                                            description: Indicates ID3 frame that
+                                              has the timecode.
+                                            type: string
+                                          timedMetadataId3Period:
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              outputs:
+                                description: List of outputs. See Outputs for more
+                                  details.
+                                items:
+                                  properties:
+                                    audioDescriptionNames:
+                                      description: The names of the audio descriptions
+                                        used as audio sources for the output.
+                                      items:
+                                        type: string
+                                      type: array
+                                    captionDescriptionNames:
+                                      description: The names of the caption descriptions
+                                        used as caption sources for the output.
+                                      items:
+                                        type: string
+                                      type: array
+                                    outputName:
+                                      description: The name used to identify an output.
+                                      type: string
+                                    outputSettings:
+                                      description: Settings for output. See Output
+                                        Settings for more details.
+                                      items:
+                                        properties:
+                                          archiveOutputSettings:
+                                            description: Archive output settings.
+                                              See Archive Output Settings for more
+                                              details.
+                                            items:
+                                              properties:
+                                                containerSettings:
+                                                  description: Settings specific to
+                                                    the container type of the file.
+                                                    See Container Settings for more
+                                                    details.
+                                                  items:
+                                                    properties:
+                                                      m2tsSettings:
+                                                        description: M2ts Settings.
+                                                          See M2ts Settings for more
+                                                          details.
+                                                        items:
+                                                          properties:
+                                                            absentInputAudioBehavior:
+                                                              type: string
+                                                            arib:
+                                                              type: string
+                                                            aribCaptionsPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            aribCaptionsPidControl:
+                                                              type: string
+                                                            audioBufferModel:
+                                                              type: string
+                                                            audioFramesPerPes:
+                                                              type: number
+                                                            audioPids:
+                                                              type: string
+                                                            audioStreamType:
+                                                              type: string
+                                                            bitrate:
+                                                              description: Average
+                                                                bitrate in bits/second.
+                                                              type: number
+                                                            bufferModel:
+                                                              type: string
+                                                            ccDescriptor:
+                                                              type: string
+                                                            dvbNitSettings:
+                                                              description: Destination
+                                                                settings for a standard
+                                                                output; one destination
+                                                                for each redundant
+                                                                encoder. See Settings
+                                                                for more details.
+                                                              items:
+                                                                properties:
+                                                                  networkId:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: number
+                                                                  networkName:
+                                                                    description: Name
+                                                                      of the Channel.
+                                                                    type: string
+                                                                  repInterval:
+                                                                    type: number
+                                                                type: object
+                                                              type: array
+                                                            dvbSdtSettings:
+                                                              description: Destination
+                                                                settings for a standard
+                                                                output; one destination
+                                                                for each redundant
+                                                                encoder. See Settings
+                                                                for more details.
+                                                              items:
+                                                                properties:
+                                                                  outputSdt:
+                                                                    type: string
+                                                                  repInterval:
+                                                                    type: number
+                                                                  serviceName:
+                                                                    description: Name
+                                                                      of the Channel.
+                                                                    type: string
+                                                                  serviceProviderName:
+                                                                    description: Name
+                                                                      of the Channel.
+                                                                    type: string
+                                                                type: object
+                                                              type: array
+                                                            dvbSubPids:
+                                                              type: string
+                                                            dvbTdtSettings:
+                                                              description: Destination
+                                                                settings for a standard
+                                                                output; one destination
+                                                                for each redundant
+                                                                encoder. See Settings
+                                                                for more details.
+                                                              items:
+                                                                properties:
+                                                                  repInterval:
+                                                                    type: number
+                                                                type: object
+                                                              type: array
+                                                            dvbTeletextPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            ebif:
+                                                              type: string
+                                                            ebpAudioInterval:
+                                                              type: string
+                                                            ebpLookaheadMs:
+                                                              type: number
+                                                            ebpPlacement:
+                                                              type: string
+                                                            ecmPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            esRateInPes:
+                                                              type: string
+                                                            etvPlatformPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            etvSignalPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            fragmentTime:
+                                                              type: number
+                                                            klv:
+                                                              type: string
+                                                            klvDataPids:
+                                                              type: string
+                                                            nielsenId3Behavior:
+                                                              type: string
+                                                            nullPacketBitrate:
+                                                              description: Average
+                                                                bitrate in bits/second.
+                                                              type: number
+                                                            patInterval:
+                                                              type: number
+                                                            pcrControl:
+                                                              type: string
+                                                            pcrPeriod:
+                                                              type: number
+                                                            pcrPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            pmtInterval:
+                                                              type: number
+                                                            pmtPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            programNum:
+                                                              type: number
+                                                            rateMode:
+                                                              type: string
+                                                            scte27Pids:
+                                                              type: string
+                                                            scte35Control:
+                                                              type: string
+                                                            scte35Pid:
+                                                              description: PID from
+                                                                which to read SCTE-35
+                                                                messages.
+                                                              type: string
+                                                            segmentationMarkers:
+                                                              type: string
+                                                            segmentationStyle:
+                                                              type: string
+                                                            segmentationTime:
+                                                              type: number
+                                                            timedMetadataBehavior:
+                                                              type: string
+                                                            timedMetadataPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            transportStreamId:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: number
+                                                            videoPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      rawSettings:
+                                                        description: Raw Settings.
+                                                          This can be set as an empty
+                                                          block.
+                                                        items:
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                extension:
+                                                  description: Output file extension.
+                                                  type: string
+                                                nameModifier:
+                                                  description: String concatenated
+                                                    to the end of the destination
+                                                    filename. Required for multiple
+                                                    outputs of the same type.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          frameCaptureOutputSettings:
+                                            description: Settings for output. See
+                                              Output Settings for more details.
+                                            items:
+                                              properties:
+                                                nameModifier:
+                                                  description: String concatenated
+                                                    to the end of the destination
+                                                    filename. Required for multiple
+                                                    outputs of the same type.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          hlsOutputSettings:
+                                            description: Settings for output. See
+                                              Output Settings for more details.
+                                            items:
+                                              properties:
+                                                h265PackagingType:
+                                                  type: string
+                                                hlsSettings:
+                                                  description: Destination settings
+                                                    for a standard output; one destination
+                                                    for each redundant encoder. See
+                                                    Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      audioOnlyHlsSettings:
+                                                        description: Destination settings
+                                                          for a standard output; one
+                                                          destination for each redundant
+                                                          encoder. See Settings for
+                                                          more details.
+                                                        items:
+                                                          properties:
+                                                            audioGroupId:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            audioOnlyImage:
+                                                              items:
+                                                                properties:
+                                                                  passwordParam:
+                                                                    description: Key
+                                                                      used to extract
+                                                                      the password
+                                                                      from EC2 Parameter
+                                                                      store.
+                                                                    type: string
+                                                                  uri:
+                                                                    description: Path
+                                                                      to a file accessible
+                                                                      to the live
+                                                                      stream.
+                                                                    type: string
+                                                                  username:
+                                                                    description: Username
+                                                                      for destination.
+                                                                    type: string
+                                                                type: object
+                                                              type: array
+                                                            audioTrackType:
+                                                              type: string
+                                                            segmentType:
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      fmp4HlsSettings:
+                                                        description: Destination settings
+                                                          for a standard output; one
+                                                          destination for each redundant
+                                                          encoder. See Settings for
+                                                          more details.
+                                                        items:
+                                                          properties:
+                                                            audioRenditionSets:
+                                                              type: string
+                                                            nielsenId3Behavior:
+                                                              type: string
+                                                            timedMetadataBehavior:
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      frameCaptureHlsSettings:
+                                                        description: Destination settings
+                                                          for a standard output; one
+                                                          destination for each redundant
+                                                          encoder. See Settings for
+                                                          more details.
+                                                        items:
+                                                          type: object
+                                                        type: array
+                                                      standardHlsSettings:
+                                                        description: Destination settings
+                                                          for a standard output; one
+                                                          destination for each redundant
+                                                          encoder. See Settings for
+                                                          more details.
+                                                        items:
+                                                          properties:
+                                                            audioRenditionSets:
+                                                              type: string
+                                                            m3u8Settings:
+                                                              description: Destination
+                                                                settings for a standard
+                                                                output; one destination
+                                                                for each redundant
+                                                                encoder. See Settings
+                                                                for more details.
+                                                              items:
+                                                                properties:
+                                                                  audioFramesPerPes:
+                                                                    type: number
+                                                                  audioPids:
+                                                                    type: string
+                                                                  ecmPid:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: string
+                                                                  nielsenId3Behavior:
+                                                                    type: string
+                                                                  patInterval:
+                                                                    type: number
+                                                                  pcrControl:
+                                                                    type: string
+                                                                  pcrPeriod:
+                                                                    type: number
+                                                                  pcrPid:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: string
+                                                                  pmtInterval:
+                                                                    type: number
+                                                                  pmtPid:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: string
+                                                                  programNum:
+                                                                    type: number
+                                                                  scte35Behavior:
+                                                                    type: string
+                                                                  scte35Pid:
+                                                                    description: PID
+                                                                      from which to
+                                                                      read SCTE-35
+                                                                      messages.
+                                                                    type: string
+                                                                  timedMetadataBehavior:
+                                                                    type: string
+                                                                  timedMetadataPid:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: string
+                                                                  transportStreamId:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: number
+                                                                  videoPid:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: string
+                                                                type: object
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                nameModifier:
+                                                  description: String concatenated
+                                                    to the end of the destination
+                                                    filename. Required for multiple
+                                                    outputs of the same type.
+                                                  type: string
+                                                segmentModifier:
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          mediaPackageOutputSettings:
+                                            description: Media package output settings.
+                                              This can be set as an empty block.
+                                            items:
+                                              type: object
+                                            type: array
+                                          msSmoothOutputSettings:
+                                            description: Settings for output. See
+                                              Output Settings for more details.
+                                            items:
+                                              properties:
+                                                h265PackagingType:
+                                                  type: string
+                                                nameModifier:
+                                                  description: String concatenated
+                                                    to the end of the destination
+                                                    filename. Required for multiple
+                                                    outputs of the same type.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          multiplexOutputSettings:
+                                            description: Multiplex output settings.
+                                              See Multiplex Output Settings for more
+                                              details.
+                                            items:
+                                              properties:
+                                                destination:
+                                                  description: A director and base
+                                                    filename where archive files should
+                                                    be written. See Destination for
+                                                    more details.
+                                                  items:
+                                                    properties:
+                                                      destinationRefId:
+                                                        description: Reference ID
+                                                          for the destination.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          rtmpOutputSettings:
+                                            description: RTMP output settings. See
+                                              RTMP Output Settings for more details.
+                                            items:
+                                              properties:
+                                                certficateMode:
+                                                  type: string
+                                                connectionRetryInterval:
+                                                  description: Number of seconds to
+                                                    wait before retrying connection
+                                                    to the flash media server if the
+                                                    connection is lost.
+                                                  type: number
+                                                destination:
+                                                  description: A director and base
+                                                    filename where archive files should
+                                                    be written. See Destination for
+                                                    more details.
+                                                  items:
+                                                    properties:
+                                                      destinationRefId:
+                                                        description: Reference ID
+                                                          for the destination.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                numRetries:
+                                                  description: Number of retry attempts.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          udpOutputSettings:
+                                            description: UDP output settings. See
+                                              UDP Output Settings for more details
+                                            items:
+                                              properties:
+                                                bufferMsec:
+                                                  description: UDP output buffering
+                                                    in milliseconds.
+                                                  type: number
+                                                containerSettings:
+                                                  description: Settings specific to
+                                                    the container type of the file.
+                                                    See Container Settings for more
+                                                    details.
+                                                  items:
+                                                    properties:
+                                                      m2tsSettings:
+                                                        description: M2ts Settings.
+                                                          See M2ts Settings for more
+                                                          details.
+                                                        items:
+                                                          properties:
+                                                            absentInputAudioBehavior:
+                                                              type: string
+                                                            arib:
+                                                              type: string
+                                                            aribCaptionsPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            aribCaptionsPidControl:
+                                                              type: string
+                                                            audioBufferModel:
+                                                              type: string
+                                                            audioFramesPerPes:
+                                                              type: number
+                                                            audioPids:
+                                                              type: string
+                                                            audioStreamType:
+                                                              type: string
+                                                            bitrate:
+                                                              description: Average
+                                                                bitrate in bits/second.
+                                                              type: number
+                                                            bufferModel:
+                                                              type: string
+                                                            ccDescriptor:
+                                                              type: string
+                                                            dvbNitSettings:
+                                                              description: Destination
+                                                                settings for a standard
+                                                                output; one destination
+                                                                for each redundant
+                                                                encoder. See Settings
+                                                                for more details.
+                                                              items:
+                                                                properties:
+                                                                  networkId:
+                                                                    description: User-specified
+                                                                      id. Ths is used
+                                                                      in an output
+                                                                      group or an
+                                                                      output.
+                                                                    type: number
+                                                                  networkName:
+                                                                    description: Name
+                                                                      of the Channel.
+                                                                    type: string
+                                                                  repInterval:
+                                                                    type: number
+                                                                type: object
+                                                              type: array
+                                                            dvbSdtSettings:
+                                                              description: Destination
+                                                                settings for a standard
+                                                                output; one destination
+                                                                for each redundant
+                                                                encoder. See Settings
+                                                                for more details.
+                                                              items:
+                                                                properties:
+                                                                  outputSdt:
+                                                                    type: string
+                                                                  repInterval:
+                                                                    type: number
+                                                                  serviceName:
+                                                                    description: Name
+                                                                      of the Channel.
+                                                                    type: string
+                                                                  serviceProviderName:
+                                                                    description: Name
+                                                                      of the Channel.
+                                                                    type: string
+                                                                type: object
+                                                              type: array
+                                                            dvbSubPids:
+                                                              type: string
+                                                            dvbTdtSettings:
+                                                              description: Destination
+                                                                settings for a standard
+                                                                output; one destination
+                                                                for each redundant
+                                                                encoder. See Settings
+                                                                for more details.
+                                                              items:
+                                                                properties:
+                                                                  repInterval:
+                                                                    type: number
+                                                                type: object
+                                                              type: array
+                                                            dvbTeletextPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            ebif:
+                                                              type: string
+                                                            ebpAudioInterval:
+                                                              type: string
+                                                            ebpLookaheadMs:
+                                                              type: number
+                                                            ebpPlacement:
+                                                              type: string
+                                                            ecmPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            esRateInPes:
+                                                              type: string
+                                                            etvPlatformPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            etvSignalPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            fragmentTime:
+                                                              type: number
+                                                            klv:
+                                                              type: string
+                                                            klvDataPids:
+                                                              type: string
+                                                            nielsenId3Behavior:
+                                                              type: string
+                                                            nullPacketBitrate:
+                                                              description: Average
+                                                                bitrate in bits/second.
+                                                              type: number
+                                                            patInterval:
+                                                              type: number
+                                                            pcrControl:
+                                                              type: string
+                                                            pcrPeriod:
+                                                              type: number
+                                                            pcrPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            pmtInterval:
+                                                              type: number
+                                                            pmtPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            programNum:
+                                                              type: number
+                                                            rateMode:
+                                                              type: string
+                                                            scte27Pids:
+                                                              type: string
+                                                            scte35Control:
+                                                              type: string
+                                                            scte35Pid:
+                                                              description: PID from
+                                                                which to read SCTE-35
+                                                                messages.
+                                                              type: string
+                                                            segmentationMarkers:
+                                                              type: string
+                                                            segmentationStyle:
+                                                              type: string
+                                                            segmentationTime:
+                                                              type: number
+                                                            timedMetadataBehavior:
+                                                              type: string
+                                                            timedMetadataPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                            transportStreamId:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: number
+                                                            videoPid:
+                                                              description: User-specified
+                                                                id. Ths is used in
+                                                                an output group or
+                                                                an output.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                                destination:
+                                                  description: A director and base
+                                                    filename where archive files should
+                                                    be written. See Destination for
+                                                    more details.
+                                                  items:
+                                                    properties:
+                                                      destinationRefId:
+                                                        description: Reference ID
+                                                          for the destination.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                                fecOutputSettings:
+                                                  description: Settings for output.
+                                                    See Output Settings for more details.
+                                                  items:
+                                                    properties:
+                                                      columnDepth:
+                                                        description: The height of
+                                                          the FEC protection matrix.
+                                                        type: number
+                                                      includeFec:
+                                                        description: Enables column
+                                                          only or column and row based
+                                                          FEC.
+                                                        type: string
+                                                      rowLength:
+                                                        description: The width of
+                                                          the FEC protection matrix.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    videoDescriptionName:
+                                      description: The name of the video description
+                                        used as video source for the output.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        timecodeConfig:
+                          description: Contains settings used to acquire and adjust
+                            timecode information from inputs. See Timecode Config
+                            for more details.
+                          items:
+                            properties:
+                              source:
+                                description: The source for the timecode that will
+                                  be associated with the events outputs.
+                                type: string
+                              syncThreshold:
+                                description: Threshold in frames beyond which output
+                                  timecode is resynchronized to the input timecode.
+                                type: number
+                            type: object
+                          type: array
+                        videoDescriptions:
+                          description: Video Descriptions. See Video Descriptions
+                            for more details.
+                          items:
+                            properties:
+                              codecSettings:
+                                description: Audio codec settings. See Audio Codec
+                                  Settings for more details.
+                                items:
+                                  properties:
+                                    frameCaptureSettings:
+                                      description: Frame capture settings. See Frame
+                                        Capture Settings for more details.
+                                      items:
+                                        properties:
+                                          captureInterval:
+                                            description: The frequency at which to
+                                              capture frames for inclusion in the
+                                              output.
+                                            type: number
+                                          captureIntervalUnits:
+                                            description: Unit for the frame capture
+                                              interval.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    h264Settings:
+                                      description: H264 settings. See H264 Settings
+                                        for more details.
+                                      items:
+                                        properties:
+                                          adaptiveQuantization:
+                                            description: Enables or disables adaptive
+                                              quantization.
+                                            type: string
+                                          afdSignaling:
+                                            description: Indicates that AFD values
+                                              will be written into the output stream.
+                                            type: string
+                                          bitrate:
+                                            description: Average bitrate in bits/second.
+                                            type: number
+                                          bufFillPct:
+                                            type: number
+                                          bufSize:
+                                            description: Size of buffer in bits.
+                                            type: number
+                                          colorMetadata:
+                                            description: Includes color space metadata
+                                              in the output.
+                                            type: string
+                                          entropyEncoding:
+                                            description: Entropy encoding mode.
+                                            type: string
+                                          filterSettings:
+                                            description: Filters to apply to an encode.
+                                              See H264 Filter Settings for more details.
+                                            items:
+                                              properties:
+                                                temporalFilterSettings:
+                                                  description: Temporal filter settings.
+                                                    See Temporal Filter Settings
+                                                  items:
+                                                    properties:
+                                                      postFilterSharpening:
+                                                        description: Post filter sharpening.
+                                                        type: string
+                                                      strength:
+                                                        description: Filter strength.
+                                                        type: string
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          fixedAfd:
+                                            description: Four bit AFD value to write
+                                              on all frames of video in the output
+                                              stream.
+                                            type: string
+                                          flickerAq:
+                                            type: string
+                                          forceFieldPictures:
+                                            description: Controls whether coding is
+                                              performed on a field basis or on a frame
+                                              basis.
+                                            type: string
+                                          framerateControl:
+                                            description: Indicates how the output
+                                              video frame rate is specified.
+                                            type: string
+                                          framerateDenominator:
+                                            description: Framerate denominator.
+                                            type: number
+                                          framerateNumerator:
+                                            description: Framerate numerator.
+                                            type: number
+                                          gopBReference:
+                                            description: GOP-B reference.
+                                            type: string
+                                          gopClosedCadence:
+                                            description: Frequency of closed GOPs.
+                                            type: number
+                                          gopNumBFrames:
+                                            description: Number of B-frames between
+                                              reference frames.
+                                            type: number
+                                          gopSize:
+                                            description: GOP size in units of either
+                                              frames of seconds per gop_size_units.
+                                            type: number
+                                          gopSizeUnits:
+                                            description: Indicates if the gop_size
+                                              is specified in frames or seconds.
+                                            type: string
+                                          level:
+                                            description: H264 level.
+                                            type: string
+                                          lookAheadRateControl:
+                                            description: Amount of lookahead.
+                                            type: string
+                                          maxBitrate:
+                                            description: Set the maximum bitrate in
+                                              order to accommodate expected spikes
+                                              in the complexity of the video.
+                                            type: number
+                                          minIInterval:
+                                            type: number
+                                          numRefFrames:
+                                            description: Number of reference frames
+                                              to use.
+                                            type: number
+                                          parControl:
+                                            description: Indicates how the output
+                                              pixel aspect ratio is specified.
+                                            type: string
+                                          parDenominator:
+                                            description: Pixel Aspect Ratio denominator.
+                                            type: number
+                                          parNumerator:
+                                            description: Pixel Aspect Ratio numerator.
+                                            type: number
+                                          profile:
+                                            description: AAC profile.
+                                            type: string
+                                          qualityLevel:
+                                            description: Quality level.
+                                            type: string
+                                          qvbrQualityLevel:
+                                            description: Controls the target quality
+                                              for the video encode.
+                                            type: number
+                                          rateControlMode:
+                                            description: The rate control mode.
+                                            type: string
+                                          scanType:
+                                            description: Sets the scan type of the
+                                              output.
+                                            type: string
+                                          sceneChangeDetect:
+                                            description: Scene change detection.
+                                            type: string
+                                          slices:
+                                            description: Number of slices per picture.
+                                            type: number
+                                          softness:
+                                            description: Softness.
+                                            type: number
+                                          spatialAq:
+                                            description: Makes adjustments within
+                                              each frame based on spatial variation
+                                              of content complexity.
+                                            type: string
+                                          subgopLength:
+                                            description: Subgop length.
+                                            type: string
+                                          syntax:
+                                            description: Produces a bitstream compliant
+                                              with SMPTE RP-2027.
+                                            type: string
+                                          temporalAq:
+                                            description: Makes adjustments within
+                                              each frame based on temporal variation
+                                              of content complexity.
+                                            type: string
+                                          timecodeInsertion:
+                                            description: Determines how timecodes
+                                              should be inserted into the video elementary
+                                              stream.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              height:
+                                description: Output video height in pixels.
+                                type: number
+                              name:
+                                description: Name of the Channel.
+                                type: string
+                              respondToAfd:
+                                description: Indicate how to respond to the AFD values
+                                  that might be in the input video.
+                                type: string
+                              scalingBehavior:
+                                description: Behavior on how to scale.
+                                type: string
+                              sharpness:
+                                description: Changes the strength of the anti-alias
+                                  filter used for scaling.
+                                type: number
+                              width:
+                                description: Output video width in pixels.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  id:
+                    description: User-specified id. Ths is used in an output group
+                      or an output.
+                    type: string
+                  inputAttachments:
+                    description: Input attachments for the channel. See Input Attachments
+                      for more details.
+                    items:
+                      properties:
+                        automaticInputFailoverSettings:
+                          description: Destination settings for a standard output;
+                            one destination for each redundant encoder. See Settings
+                            for more details.
+                          items:
+                            properties:
+                              errorClearTimeMsec:
+                                type: number
+                              failoverCondition:
+                                items:
+                                  properties:
+                                    failoverConditionSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          audioSilenceSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                audioSelectorName:
+                                                  description: The name of the audio
+                                                    selector used as the source for
+                                                    this AudioDescription.
+                                                  type: string
+                                                audioSilenceThresholdMsec:
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          inputLossSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                inputLossThresholdMsec:
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          videoBlackSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                blackDetectThreshold:
+                                                  type: number
+                                                videoBlackThresholdMsec:
+                                                  type: number
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              inputPreference:
+                                type: string
+                              secondaryInputId:
+                                description: The ID of the input.
+                                type: string
+                            type: object
+                          type: array
+                        inputAttachmentName:
+                          description: User-specified name for the attachment.
+                          type: string
+                        inputId:
+                          description: The ID of the input.
+                          type: string
+                        inputSettings:
+                          description: Settings of an input. See Input Settings for
+                            more details
+                          items:
+                            properties:
+                              audioSelector:
+                                items:
+                                  properties:
+                                    name:
+                                      description: Name of the Channel.
+                                      type: string
+                                    selectorSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          audioHlsRenditionSelection:
+                                            items:
+                                              properties:
+                                                groupId:
+                                                  description: User-specified id.
+                                                    Ths is used in an output group
+                                                    or an output.
+                                                  type: string
+                                                name:
+                                                  description: Name of the Channel.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          audioLanguageSelection:
+                                            items:
+                                              properties:
+                                                languageCode:
+                                                  description: When specified this
+                                                    field indicates the three letter
+                                                    language code of the caption track
+                                                    to extract from the source.
+                                                  type: string
+                                                languageSelectionPolicy:
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          audioPidSelection:
+                                            items:
+                                              properties:
+                                                pid:
+                                                  description: User-specified id.
+                                                    Ths is used in an output group
+                                                    or an output.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          audioTrackSelection:
+                                            items:
+                                              properties:
+                                                track:
+                                                  items:
+                                                    properties:
+                                                      track:
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              captionSelector:
+                                items:
+                                  properties:
+                                    languageCode:
+                                      description: When specified this field indicates
+                                        the three letter language code of the caption
+                                        track to extract from the source.
+                                      type: string
+                                    name:
+                                      description: Name of the Channel.
+                                      type: string
+                                    selectorSettings:
+                                      description: Destination settings for a standard
+                                        output; one destination for each redundant
+                                        encoder. See Settings for more details.
+                                      items:
+                                        properties:
+                                          ancillarySourceSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                sourceAncillaryChannelNumber:
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          dvbTdtSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                ocrLanguage:
+                                                  type: string
+                                                pid:
+                                                  description: User-specified id.
+                                                    Ths is used in an output group
+                                                    or an output.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          embeddedSourceSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                convert608To708:
+                                                  type: string
+                                                scte20Detection:
+                                                  type: string
+                                                source608ChannelNumber:
+                                                  type: number
+                                                source608TrackNumber:
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          scte20SourceSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                convert608To708:
+                                                  type: string
+                                                source608ChannelNumber:
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          scte27SourceSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                ocrLanguage:
+                                                  type: string
+                                                pid:
+                                                  description: User-specified id.
+                                                    Ths is used in an output group
+                                                    or an output.
+                                                  type: number
+                                              type: object
+                                            type: array
+                                          teletextSourceSettings:
+                                            description: Destination settings for
+                                              a standard output; one destination for
+                                              each redundant encoder. See Settings
+                                              for more details.
+                                            items:
+                                              properties:
+                                                outputRectangle:
+                                                  items:
+                                                    properties:
+                                                      height:
+                                                        description: Output video
+                                                          height in pixels.
+                                                        type: number
+                                                      leftOffset:
+                                                        type: number
+                                                      topOffset:
+                                                        type: number
+                                                      width:
+                                                        description: Output video
+                                                          width in pixels.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                                pageNumber:
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              deblockFilter:
+                                description: Enable or disable the deblock filter
+                                  when filtering.
+                                type: string
+                              denoiseFilter:
+                                description: Enable or disable the denoise filter
+                                  when filtering.
+                                type: string
+                              filterStrength:
+                                description: Adjusts the magnitude of filtering from
+                                  1 (minimal) to 5 (strongest).
+                                type: number
+                              inputFilter:
+                                description: Turns on the filter for the input.
+                                type: string
+                              networkInputSettings:
+                                description: Input settings. See Network Input Settings
+                                  for more details.
+                                items:
+                                  properties:
+                                    hlsInputSettings:
+                                      description: Specifies HLS input settings when
+                                        the uri is for a HLS manifest. See HLS Input
+                                        Settings for more details.
+                                      items:
+                                        properties:
+                                          bandwidth:
+                                            description: The bitrate is specified
+                                              in bits per second, as in an HLS manifest.
+                                            type: number
+                                          bufferSegments:
+                                            description: Buffer segments.
+                                            type: number
+                                          retries:
+                                            description: The number of consecutive
+                                              times that attempts to read a manifest
+                                              or segment must fail before the input
+                                              is considered unavailable.
+                                            type: number
+                                          retryInterval:
+                                            description: The number of seconds between
+                                              retries when an attempt to read a manifest
+                                              or segment fails.
+                                            type: number
+                                          scte35Source:
+                                            description: The source for the timecode
+                                              that will be associated with the events
+                                              outputs.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    serverValidation:
+                                      description: Check HTTPS server certificates.
+                                      type: string
+                                  type: object
+                                type: array
+                              scte35Pid:
+                                description: PID from which to read SCTE-35 messages.
+                                type: number
+                              smpte2038DataPreference:
+                                description: Specifies whether to extract applicable
+                                  ancillary data from a SMPTE-2038 source in the input.
+                                type: string
+                              sourceEndBehavior:
+                                description: Loop input if it is a file.
+                                type: string
+                              videoSelector:
+                                items:
+                                  properties:
+                                    colorSpace:
+                                      type: string
+                                    colorSpaceUsage:
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  inputSpecification:
+                    description: Specification of network and file inputs for the
+                      channel.
+                    items:
+                      properties:
+                        codec:
+                          type: string
+                        inputResolution:
+                          description: '- Maximum CDI input resolution.'
+                          type: string
+                        maximumBitrate:
+                          description: Average bitrate in bits/second.
+                          type: string
+                      type: object
+                    type: array
+                  logLevel:
+                    description: The log level to write to Cloudwatch logs.
+                    type: string
+                  maintenance:
+                    description: Maintenance settings for this channel. See Maintenance
+                      for more details.
+                    items:
+                      properties:
+                        maintenanceDay:
+                          description: The day of the week to use for maintenance.
+                          type: string
+                        maintenanceStartTime:
+                          description: The hour maintenance will start.
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: Name of the Channel.
+                    type: string
+                  roleArn:
+                    description: Concise argument description.
+                    type: string
+                  startChannel:
+                    description: 'Whether to start/stop channel. Default: false'
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    type: object
+                  vpc:
+                    description: Settings for the VPC outputs.
+                    items:
+                      properties:
+                        availabilityZones:
+                          items:
+                            type: string
+                          type: array
+                        publicAddressAllocationIds:
+                          items:
+                            type: string
+                          type: array
+                        securityGroupIds:
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
                           items:
                             type: string
                           type: array
diff --git a/package/crds/medialive.aws.upbound.io_inputs.yaml b/package/crds/medialive.aws.upbound.io_inputs.yaml
index 56b982830e..b068695162 100644
--- a/package/crds/medialive.aws.upbound.io_inputs.yaml
+++ b/package/crds/medialive.aws.upbound.io_inputs.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -240,10 +244,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -415,6 +432,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: InputStatus defines the observed state of Input.
             properties:
@@ -428,25 +450,112 @@ spec:
                     items:
                       type: string
                     type: array
+                  destinations:
+                    description: Destination settings for PUSH type inputs. See Destinations
+                      for more details.
+                    items:
+                      properties:
+                        streamName:
+                          description: A unique name for the location the RTMP stream
+                            is being pushed to.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The unique ID for the device.
                     type: string
                   inputClass:
                     description: The input class.
                     type: string
+                  inputDevices:
+                    description: Settings for the devices. See Input Devices for more
+                      details.
+                    items:
+                      properties:
+                        id:
+                          description: The unique ID for the device.
+                          type: string
+                      type: object
+                    type: array
                   inputPartnerIds:
                     description: A list of IDs for all Inputs which are partners of
                       this one.
                     items:
                       type: string
                     type: array
+                  inputSecurityGroups:
+                    description: List of input security groups.
+                    items:
+                      type: string
+                    type: array
                   inputSourceType:
                     description: Source type of the input.
                     type: string
+                  mediaConnectFlows:
+                    description: A list of the MediaConnect Flows. See Media Connect
+                      Flows for more details.
+                    items:
+                      properties:
+                        flowArn:
+                          description: The ARN of the MediaConnect Flow
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: Name of the input.
+                    type: string
+                  roleArn:
+                    description: The ARN of the role this input assumes during and
+                      after creation.
+                    type: string
+                  sources:
+                    description: The source URLs for a PULL-type input. See Sources
+                      for more details.
+                    items:
+                      properties:
+                        passwordParam:
+                          description: The key used to extract the password from EC2
+                            Parameter store.
+                          type: string
+                        url:
+                          description: The URL where the stream is pulled from.
+                          type: string
+                        username:
+                          description: The username for the input source.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  type:
+                    description: The different types of inputs that AWS Elemental
+                      MediaLive supports.
+                    type: string
+                  vpc:
+                    description: Settings for a private VPC Input. See VPC for more
+                      details.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          description: A list of up to 5 EC2 VPC security group IDs
+                            to attach to the Input.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: A list of 2 VPC subnet IDs from the same VPC.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/medialive.aws.upbound.io_inputsecuritygroups.yaml b/package/crds/medialive.aws.upbound.io_inputsecuritygroups.yaml
index b4af66e8e9..7df084cbd9 100644
--- a/package/crds/medialive.aws.upbound.io_inputsecuritygroups.yaml
+++ b/package/crds/medialive.aws.upbound.io_inputsecuritygroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -86,8 +90,22 @@ spec:
                     type: array
                 required:
                 - region
-                - whitelistRules
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -259,6 +277,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: whitelistRules is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.whitelistRules)
           status:
             description: InputSecurityGroupStatus defines the observed state of InputSecurityGroup.
             properties:
@@ -275,10 +296,24 @@ spec:
                     items:
                       type: string
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  whitelistRules:
+                    description: Whitelist rules. See Whitelist Rules for more details.
+                    items:
+                      properties:
+                        cidr:
+                          description: The IPv4 CIDR that's whitelisted.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/medialive.aws.upbound.io_multiplices.yaml b/package/crds/medialive.aws.upbound.io_multiplices.yaml
index 90ba53315f..9d831094aa 100644
--- a/package/crds/medialive.aws.upbound.io_multiplices.yaml
+++ b/package/crds/medialive.aws.upbound.io_multiplices.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -107,10 +111,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - availabilityZones
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -282,6 +299,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: availabilityZones is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.availabilityZones)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: MultiplexStatus defines the observed state of Multiplex.
             properties:
@@ -290,8 +312,44 @@ spec:
                   arn:
                     description: ARN of the Multiplex.
                     type: string
+                  availabilityZones:
+                    description: A list of availability zones. You must specify exactly
+                      two.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  multiplexSettings:
+                    description: Multiplex settings. See Multiplex Settings for more
+                      details.
+                    items:
+                      properties:
+                        maximumVideoBufferDelayMilliseconds:
+                          description: Maximum video buffer delay.
+                          type: number
+                        transportStreamBitrate:
+                          description: Transport stream bit rate.
+                          type: number
+                        transportStreamId:
+                          description: Unique ID for each multiplex.
+                          type: number
+                        transportStreamReservedBitrate:
+                          description: Transport stream reserved bit rate.
+                          type: number
+                      type: object
+                    type: array
+                  name:
+                    description: name of Multiplex.
+                    type: string
+                  startMultiplex:
+                    description: Whether to start the Multiplex. Defaults to false.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/mediapackage.aws.upbound.io_channels.yaml b/package/crds/mediapackage.aws.upbound.io_channels.yaml
index 0bcd83ce1a..437b84a7f3 100644
--- a/package/crds/mediapackage.aws.upbound.io_channels.yaml
+++ b/package/crds/mediapackage.aws.upbound.io_channels.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,9 +84,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - channelId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -254,6 +272,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: channelId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.channelId)
           status:
             description: ChannelStatus defines the observed state of Channel.
             properties:
@@ -262,6 +283,12 @@ spec:
                   arn:
                     description: The ARN of the channel
                     type: string
+                  channelId:
+                    description: A unique identifier describing the channel
+                    type: string
+                  description:
+                    description: A description of the channel
+                    type: string
                   hlsIngest:
                     description: A single item list of HLS ingest information
                     items:
@@ -286,6 +313,11 @@ spec:
                   id:
                     description: The same as channel_id
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/mediastore.aws.upbound.io_containerpolicies.yaml b/package/crds/mediastore.aws.upbound.io_containerpolicies.yaml
index 3b353a6cec..655acc77ad 100644
--- a/package/crds/mediastore.aws.upbound.io_containerpolicies.yaml
+++ b/package/crds/mediastore.aws.upbound.io_containerpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,13 +342,22 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: ContainerPolicyStatus defines the observed state of ContainerPolicy.
             properties:
               atProvider:
                 properties:
+                  containerName:
+                    description: The name of the container.
+                    type: string
                   id:
                     type: string
+                  policy:
+                    description: The contents of the policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/mediastore.aws.upbound.io_containers.yaml b/package/crds/mediastore.aws.upbound.io_containers.yaml
index c2a01007d8..8f92164290 100644
--- a/package/crds/mediastore.aws.upbound.io_containers.yaml
+++ b/package/crds/mediastore.aws.upbound.io_containers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,6 +80,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -260,6 +279,11 @@ spec:
                     type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/memorydb.aws.upbound.io_acls.yaml b/package/crds/memorydb.aws.upbound.io_acls.yaml
index 20e6d0c37d..4b9ae315b7 100644
--- a/package/crds/memorydb.aws.upbound.io_acls.yaml
+++ b/package/crds/memorydb.aws.upbound.io_acls.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,6 +85,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -266,6 +285,11 @@ spec:
                   minimumEngineVersion:
                     description: The minimum engine version supported by the ACL.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -273,6 +297,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  userNames:
+                    description: Set of MemoryDB user names to be included in this
+                      ACL.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/memorydb.aws.upbound.io_clusters.yaml b/package/crds/memorydb.aws.upbound.io_clusters.yaml
index 39ce1c9eed..c918ea83d2 100644
--- a/package/crds/memorydb.aws.upbound.io_clusters.yaml
+++ b/package/crds/memorydb.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -395,10 +399,23 @@ spec:
                       to true.
                     type: boolean
                 required:
-                - aclName
-                - nodeType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -570,14 +587,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: aclName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.aclName)
+            - message: nodeType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.nodeType)
           status:
             description: ClusterStatus defines the observed state of Cluster.
             properties:
               atProvider:
                 properties:
+                  aclName:
+                    description: The name of the Access Control List to associate
+                      with the cluster.
+                    type: string
                   arn:
                     description: The ARN of the cluster.
                     type: string
+                  autoMinorVersionUpgrade:
+                    description: When set to true, the cluster will automatically
+                      receive minor engine version upgrades after launch. Defaults
+                      to true.
+                    type: boolean
                   clusterEndpoint:
                     items:
                       properties:
@@ -590,13 +621,66 @@ spec:
                           type: number
                       type: object
                     type: array
+                  dataTiering:
+                    description: Enables data tiering. This option is not supported
+                      by all instance types. For more information, see Data tiering.
+                    type: boolean
+                  description:
+                    description: Description for the cluster.
+                    type: string
                   enginePatchVersion:
                     description: Patch version number of the Redis engine used by
                       the cluster.
                     type: string
+                  engineVersion:
+                    description: Version number of the Redis engine to be used for
+                      the cluster. Downgrades are not supported.
+                    type: string
+                  finalSnapshotName:
+                    description: Name of the final cluster snapshot to be created
+                      when this resource is deleted. If omitted, no final snapshot
+                      will be made.
+                    type: string
                   id:
                     description: Same as name.
                     type: string
+                  kmsKeyArn:
+                    description: ARN of the KMS key used to encrypt the cluster at
+                      rest.
+                    type: string
+                  maintenanceWindow:
+                    description: 'Specifies the weekly time range during which maintenance
+                      on the cluster is performed. Specify as a range in the format
+                      ddd:hh24:mi-ddd:hh24:mi (24H Clock UTC). The minimum maintenance
+                      window is a 60 minute period. Example: sun:23:00-mon:01:30.'
+                    type: string
+                  nodeType:
+                    description: The compute and memory capacity of the nodes in the
+                      cluster. See AWS documentation on supported node types as well
+                      as vertical scaling.
+                    type: string
+                  numReplicasPerShard:
+                    description: The number of replicas to apply to each shard, up
+                      to a maximum of 5. Defaults to 1 (i.e. 2 nodes per shard).
+                    type: number
+                  numShards:
+                    description: The number of shards in the cluster. Defaults to
+                      1.
+                    type: number
+                  parameterGroupName:
+                    description: The name of the parameter group associated with the
+                      cluster.
+                    type: string
+                  port:
+                    description: The port number on which each of the nodes accepts
+                      connections. Defaults to 6379.
+                    type: number
+                  securityGroupIds:
+                    description: Set of VPC Security Group ID-s to associate with
+                      this cluster.
+                    items:
+                      type: string
+                    type: array
                   shards:
                     description: Set of shards in this cluster.
                     items:
@@ -643,6 +727,40 @@ spec:
                           type: string
                       type: object
                     type: array
+                  snapshotArns:
+                    description: List of ARN-s that uniquely identify RDB snapshot
+                      files stored in S3. The snapshot files will be used to populate
+                      the new cluster. Object names in the ARN-s cannot contain any
+                      commas.
+                    items:
+                      type: string
+                    type: array
+                  snapshotName:
+                    description: The name of a snapshot from which to restore data
+                      into the new cluster.
+                    type: string
+                  snapshotRetentionLimit:
+                    description: The number of days for which MemoryDB retains automatic
+                      snapshots before deleting them. When set to 0, automatic backups
+                      are disabled. Defaults to 0.
+                    type: number
+                  snapshotWindow:
+                    description: 'The daily time range (in UTC) during which MemoryDB
+                      begins taking a daily snapshot of your shard. Example: 05:00-09:00.'
+                    type: string
+                  snsTopicArn:
+                    description: ARN of the SNS topic to which cluster notifications
+                      are sent.
+                    type: string
+                  subnetGroupName:
+                    description: The name of the subnet group to be used for the cluster.
+                      Defaults to a subnet group consisting of default VPC subnets.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -650,6 +768,11 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  tlsEnabled:
+                    description: A flag to enable in-transit encryption on the cluster.
+                      When set to false, the acl_name must be open-access. Defaults
+                      to true.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/memorydb.aws.upbound.io_parametergroups.yaml b/package/crds/memorydb.aws.upbound.io_parametergroups.yaml
index cc520bc485..7193674a36 100644
--- a/package/crds/memorydb.aws.upbound.io_parametergroups.yaml
+++ b/package/crds/memorydb.aws.upbound.io_parametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -98,9 +102,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -272,6 +290,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
           status:
             description: ParameterGroupStatus defines the observed state of ParameterGroup.
             properties:
@@ -280,9 +301,35 @@ spec:
                   arn:
                     description: The ARN of the parameter group.
                     type: string
+                  description:
+                    description: Description for the parameter group.
+                    type: string
+                  family:
+                    description: The engine version that the parameter group can be
+                      used with.
+                    type: string
                   id:
                     description: Same as name.
                     type: string
+                  parameter:
+                    description: Set of MemoryDB parameters to apply. Any parameters
+                      not specified will fall back to their family defaults. Detailed
+                      below.
+                    items:
+                      properties:
+                        name:
+                          description: The name of the parameter.
+                          type: string
+                        value:
+                          description: The value of the parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/memorydb.aws.upbound.io_snapshots.yaml b/package/crds/memorydb.aws.upbound.io_snapshots.yaml
index faf0308d62..10f3cde7a5 100644
--- a/package/crds/memorydb.aws.upbound.io_snapshots.yaml
+++ b/package/crds/memorydb.aws.upbound.io_snapshots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -229,6 +233,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -461,13 +480,25 @@ spec:
                           type: string
                       type: object
                     type: array
+                  clusterName:
+                    description: Name of the MemoryDB cluster to take a snapshot of.
+                    type: string
                   id:
                     description: The name of the snapshot.
                     type: string
+                  kmsKeyArn:
+                    description: ARN of the KMS key used to encrypt the snapshot at
+                      rest.
+                    type: string
                   source:
                     description: Indicates whether the snapshot is from an automatic
                       backup (automated) or was created manually (manual).
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/memorydb.aws.upbound.io_subnetgroups.yaml b/package/crds/memorydb.aws.upbound.io_subnetgroups.yaml
index f82f87bd62..f83dde4a61 100644
--- a/package/crds/memorydb.aws.upbound.io_subnetgroups.yaml
+++ b/package/crds/memorydb.aws.upbound.io_subnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -162,6 +166,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,9 +360,23 @@ spec:
                   arn:
                     description: The ARN of the subnet group.
                     type: string
+                  description:
+                    description: Description for the subnet group.
+                    type: string
                   id:
                     description: The name of the subnet group.
                     type: string
+                  subnetIds:
+                    description: Set of VPC Subnet ID-s for the subnet group. At least
+                      one subnet must be provided.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/mq.aws.upbound.io_brokers.yaml b/package/crds/mq.aws.upbound.io_brokers.yaml
index 9a9f829f33..2c77b22739 100644
--- a/package/crds/mq.aws.upbound.io_brokers.yaml
+++ b/package/crds/mq.aws.upbound.io_brokers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -467,13 +471,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - brokerName
-                - engineType
-                - engineVersion
-                - hostInstanceType
                 - region
-                - user
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -645,14 +659,91 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: brokerName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.brokerName)
+            - message: engineType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineType)
+            - message: engineVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineVersion)
+            - message: hostInstanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hostInstanceType)
+            - message: user is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.user)
           status:
             description: BrokerStatus defines the observed state of Broker.
             properties:
               atProvider:
                 properties:
+                  applyImmediately:
+                    description: Specifies whether any broker modifications are applied
+                      immediately, or during the next maintenance window. Default
+                      is false.
+                    type: boolean
                   arn:
                     description: ARN of the broker.
                     type: string
+                  authenticationStrategy:
+                    description: Authentication strategy used to secure the broker.
+                      Valid values are simple and ldap. ldap is not supported for
+                      engine_type RabbitMQ.
+                    type: string
+                  autoMinorVersionUpgrade:
+                    description: Whether to automatically upgrade to new minor versions
+                      of brokers as Amazon MQ makes releases available.
+                    type: boolean
+                  brokerName:
+                    description: Name of the broker.
+                    type: string
+                  configuration:
+                    description: Configuration block for broker configuration. Applies
+                      to engine_type of ActiveMQ only. Detailed below.
+                    items:
+                      properties:
+                        id:
+                          description: The Configuration ID.
+                          type: string
+                        revision:
+                          description: Revision of the Configuration.
+                          type: number
+                      type: object
+                    type: array
+                  deploymentMode:
+                    description: Deployment mode of the broker. Valid values are SINGLE_INSTANCE,
+                      ACTIVE_STANDBY_MULTI_AZ, and CLUSTER_MULTI_AZ. Default is SINGLE_INSTANCE.
+                    type: string
+                  encryptionOptions:
+                    description: Configuration block containing encryption options.
+                      Detailed below.
+                    items:
+                      properties:
+                        kmsKeyId:
+                          description: Amazon Resource Name (ARN) of Key Management
+                            Service (KMS) Customer Master Key (CMK) to use for encryption
+                            at rest. Requires setting use_aws_owned_key to false.
+                            To perform drift detection when AWS-managed CMKs or customer-managed
+                            CMKs are in use, this value must be configured.
+                          type: string
+                        useAwsOwnedKey:
+                          description: Whether to enable an AWS-owned KMS CMK that
+                            is not in your account. Defaults to true. Setting to false
+                            without configuring kms_key_id will create an AWS-managed
+                            CMK aliased to aws/mq in your account.
+                          type: boolean
+                      type: object
+                    type: array
+                  engineType:
+                    description: Type of broker engine. Valid values are ActiveMQ
+                      and RabbitMQ.
+                    type: string
+                  engineVersion:
+                    description: Version of the broker engine. See the AmazonMQ Broker
+                      Engine docs for supported versions. For example, 5.15.0.
+                    type: string
+                  hostInstanceType:
+                    description: Broker's instance type. For example, mq.t3.micro,
+                      mq.m5.large.
+                    type: string
                   id:
                     description: Unique ID that Amazon MQ generates for the broker.
                     type: string
@@ -677,6 +768,117 @@ spec:
                           type: string
                       type: object
                     type: array
+                  ldapServerMetadata:
+                    description: Configuration block for the LDAP server used to authenticate
+                      and authorize connections to the broker. Not supported for engine_type
+                      RabbitMQ. Detailed below. (Currently, AWS may not process changes
+                      to LDAP server metadata.)
+                    items:
+                      properties:
+                        hosts:
+                          description: List of a fully qualified domain name of the
+                            LDAP server and an optional failover server.
+                          items:
+                            type: string
+                          type: array
+                        roleBase:
+                          description: Fully qualified name of the directory to search
+                            for a user’s groups.
+                          type: string
+                        roleName:
+                          description: Specifies the LDAP attribute that identifies
+                            the group name attribute in the object returned from the
+                            group membership query.
+                          type: string
+                        roleSearchMatching:
+                          description: Search criteria for groups.
+                          type: string
+                        roleSearchSubtree:
+                          description: Whether the directory search scope is the entire
+                            sub-tree.
+                          type: boolean
+                        serviceAccountUsername:
+                          description: Service account username.
+                          type: string
+                        userBase:
+                          description: Fully qualified name of the directory where
+                            you want to search for users.
+                          type: string
+                        userRoleName:
+                          description: Specifies the name of the LDAP attribute for
+                            the user group membership.
+                          type: string
+                        userSearchMatching:
+                          description: Search criteria for users.
+                          type: string
+                        userSearchSubtree:
+                          description: Whether the directory search scope is the entire
+                            sub-tree.
+                          type: boolean
+                      type: object
+                    type: array
+                  logs:
+                    description: Configuration block for the logging configuration
+                      of the broker. Detailed below.
+                    items:
+                      properties:
+                        audit:
+                          description: Enables audit logging. Auditing is only possible
+                            for engine_type of ActiveMQ. User management action made
+                            using JMX or the ActiveMQ Web Console is logged. Defaults
+                            to false.
+                          type: string
+                        general:
+                          description: Enables general logging via CloudWatch. Defaults
+                            to false.
+                          type: boolean
+                      type: object
+                    type: array
+                  maintenanceWindowStartTime:
+                    description: Configuration block for the maintenance window start
+                      time. Detailed below.
+                    items:
+                      properties:
+                        dayOfWeek:
+                          description: Day of the week, e.g., MONDAY, TUESDAY, or
+                            WEDNESDAY.
+                          type: string
+                        timeOfDay:
+                          description: Time, in 24-hour format, e.g., 02:00.
+                          type: string
+                        timeZone:
+                          description: Time zone in either the Country/City format
+                            or the UTC offset format, e.g., CET.
+                          type: string
+                      type: object
+                    type: array
+                  publiclyAccessible:
+                    description: Whether to enable connections from applications outside
+                      of the VPC that hosts the broker's subnets.
+                    type: boolean
+                  securityGroups:
+                    description: List of security group IDs assigned to the broker.
+                    items:
+                      type: string
+                    type: array
+                  storageType:
+                    description: Storage type of the broker. For engine_type ActiveMQ,
+                      the valid values are efs and ebs, and the AWS-default is efs.
+                      For engine_type RabbitMQ, only ebs is supported. When using
+                      ebs, only the mq.m5 broker instance type family is supported.
+                    type: string
+                  subnetIds:
+                    description: List of subnet IDs in which to launch the broker.
+                      A SINGLE_INSTANCE deployment requires one subnet. An ACTIVE_STANDBY_MULTI_AZ
+                      deployment requires multiple subnets.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -684,6 +886,29 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  user:
+                    description: Configuration block for broker users. For engine_type
+                      of RabbitMQ, Amazon MQ does not return broker users preventing
+                      this resource from making user updates and drift detection.
+                      Detailed below.
+                    items:
+                      properties:
+                        consoleAccess:
+                          description: Whether to enable access to the ActiveMQ Web
+                            Console for the user. Applies to engine_type of ActiveMQ
+                            only.
+                          type: boolean
+                        groups:
+                          description: List of groups (20 maximum) to which the ActiveMQ
+                            user belongs. Applies to engine_type of ActiveMQ only.
+                          items:
+                            type: string
+                          type: array
+                        username:
+                          description: Username of the user.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/mq.aws.upbound.io_configurations.yaml b/package/crds/mq.aws.upbound.io_configurations.yaml
index eb1212fcaf..df1c2e1851 100644
--- a/package/crds/mq.aws.upbound.io_configurations.yaml
+++ b/package/crds/mq.aws.upbound.io_configurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -96,12 +100,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - data
-                - engineType
-                - engineVersion
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -273,6 +288,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: data is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.data)
+            - message: engineType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineType)
+            - message: engineVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineVersion)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ConfigurationStatus defines the observed state of Configuration.
             properties:
@@ -281,12 +305,39 @@ spec:
                   arn:
                     description: ARN of the configuration.
                     type: string
+                  authenticationStrategy:
+                    description: Authentication strategy associated with the configuration.
+                      Valid values are simple and ldap. ldap is not supported for
+                      engine_type RabbitMQ.
+                    type: string
+                  data:
+                    description: Broker configuration in XML format. See official
+                      docs for supported parameters and format of the XML.
+                    type: string
+                  description:
+                    description: Description of the configuration.
+                    type: string
+                  engineType:
+                    description: Type of broker engine. Valid values are ActiveMQ
+                      and RabbitMQ.
+                    type: string
+                  engineVersion:
+                    description: Version of the broker engine.
+                    type: string
                   id:
                     description: Unique ID that Amazon MQ generates for the configuration.
                     type: string
                   latestRevision:
                     description: Latest revision of the configuration.
                     type: number
+                  name:
+                    description: Name of the configuration.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/neptune.aws.upbound.io_clusterendpoints.yaml b/package/crds/neptune.aws.upbound.io_clusterendpoints.yaml
index 2d5f2b0fc4..805d3d0532 100644
--- a/package/crds/neptune.aws.upbound.io_clusterendpoints.yaml
+++ b/package/crds/neptune.aws.upbound.io_clusterendpoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -169,9 +173,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - endpointType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,6 +361,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: endpointType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.endpointType)
           status:
             description: ClusterEndpointStatus defines the observed state of ClusterEndpoint.
             properties:
@@ -352,12 +373,39 @@ spec:
                     description: The Neptune Cluster Endpoint Amazon Resource Name
                       (ARN).
                     type: string
+                  clusterIdentifier:
+                    description: The DB cluster identifier of the DB cluster associated
+                      with the endpoint.
+                    type: string
                   endpoint:
                     description: The DNS address of the endpoint.
                     type: string
+                  endpointType:
+                    description: 'The type of the endpoint. One of: READER, WRITER,
+                      ANY.'
+                    type: string
+                  excludedMembers:
+                    description: List of DB instance identifiers that aren't part
+                      of the custom endpoint group. All other eligible instances are
+                      reachable through the custom endpoint. Only relevant if the
+                      list of static members is empty.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The Neptune Cluster Endpoint Identifier.
                     type: string
+                  staticMembers:
+                    description: List of DB instance identifiers that are part of
+                      the custom endpoint group.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/neptune.aws.upbound.io_clusterinstances.yaml b/package/crds/neptune.aws.upbound.io_clusterinstances.yaml
index aa8fb7ecb2..040969643b 100644
--- a/package/crds/neptune.aws.upbound.io_clusterinstances.yaml
+++ b/package/crds/neptune.aws.upbound.io_clusterinstances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -351,9 +355,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - instanceClass
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -525,6 +543,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceClass is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)
           status:
             description: ClusterInstanceStatus defines the observed state of ClusterInstance.
             properties:
@@ -534,9 +555,27 @@ spec:
                     description: The hostname of the instance. See also endpoint and
                       port.
                     type: string
+                  applyImmediately:
+                    description: Specifies whether any instance modifications are
+                      applied immediately, or during the next maintenance window.
+                      Default isfalse.
+                    type: boolean
                   arn:
                     description: Amazon Resource Name (ARN) of neptune instance
                     type: string
+                  autoMinorVersionUpgrade:
+                    description: Indicates that minor engine upgrades will be applied
+                      automatically to the instance during the maintenance window.
+                      Default is true.
+                    type: boolean
+                  availabilityZone:
+                    description: The EC2 Availability Zone that the neptune instance
+                      is created in.
+                    type: string
+                  clusterIdentifier:
+                    description: The identifier of the aws_neptune_cluster in which
+                      to launch this instance.
+                    type: string
                   dbiResourceId:
                     description: The region-unique, immutable identifier for the neptune
                       instance.
@@ -544,16 +583,61 @@ spec:
                   endpoint:
                     description: The connection endpoint in address:port format.
                     type: string
+                  engine:
+                    description: 'The name of the database engine to be used for the
+                      neptune instance. Defaults to neptune. Valid Values: neptune.'
+                    type: string
+                  engineVersion:
+                    description: The neptune engine version.
+                    type: string
                   id:
                     description: The Instance identifier
                     type: string
+                  instanceClass:
+                    description: The instance class to use.
+                    type: string
                   kmsKeyArn:
                     description: The ARN for the KMS encryption key if one is set
                       to the neptune cluster.
                     type: string
+                  neptuneParameterGroupName:
+                    description: The name of the neptune parameter group to associate
+                      with this instance.
+                    type: string
+                  neptuneSubnetGroupName:
+                    description: 'A subnet group to associate with this neptune instance.
+                      NOTE: This must match the neptune_subnet_group_name of the attached
+                      aws_neptune_cluster.'
+                    type: string
+                  port:
+                    description: The port on which the DB accepts connections. Defaults
+                      to 8182.
+                    type: number
+                  preferredBackupWindow:
+                    description: 'The daily time range during which automated backups
+                      are created if automated backups are enabled. Eg: "04:00-09:00"'
+                    type: string
+                  preferredMaintenanceWindow:
+                    description: 'The window to perform maintenance in. Syntax: "ddd:hh24:mi-ddd:hh24:mi".
+                      Eg: "Mon:00:00-Mon:03:00".'
+                    type: string
+                  promotionTier:
+                    description: Default 0. Failover Priority setting on instance
+                      level. The reader who has lower tier has higher priority to
+                      get promoter to writer.
+                    type: number
+                  publiclyAccessible:
+                    description: Bool to control if instance is publicly accessible.
+                      Default is false.
+                    type: boolean
                   storageEncrypted:
                     description: Specifies whether the neptune cluster is encrypted.
                     type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/neptune.aws.upbound.io_clusterparametergroups.yaml b/package/crds/neptune.aws.upbound.io_clusterparametergroups.yaml
index ccd04e0b3a..ea13740cfc 100644
--- a/package/crds/neptune.aws.upbound.io_clusterparametergroups.yaml
+++ b/package/crds/neptune.aws.upbound.io_clusterparametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -100,9 +104,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -274,6 +292,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
           status:
             description: ClusterParameterGroupStatus defines the observed state of
               ClusterParameterGroup.
@@ -283,9 +304,37 @@ spec:
                   arn:
                     description: The ARN of the neptune cluster parameter group.
                     type: string
+                  description:
+                    description: The description of the neptune cluster parameter
+                      group.
+                    type: string
+                  family:
+                    description: The family of the neptune cluster parameter group.
+                    type: string
                   id:
                     description: The neptune cluster parameter group name.
                     type: string
+                  parameter:
+                    description: A list of neptune parameters to apply.
+                    items:
+                      properties:
+                        applyMethod:
+                          description: Valid values are immediate and pending-reboot.
+                            Defaults to pending-reboot.
+                          type: string
+                        name:
+                          description: The name of the neptune cluster parameter group.
+                          type: string
+                        value:
+                          description: The value of the neptune parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/neptune.aws.upbound.io_clusters.yaml b/package/crds/neptune.aws.upbound.io_clusters.yaml
index 11f8cd367e..35807bcbac 100644
--- a/package/crds/neptune.aws.upbound.io_clusters.yaml
+++ b/package/crds/neptune.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -731,6 +735,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -907,9 +926,29 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allowMajorVersionUpgrade:
+                    description: Specifies whether upgrades between different major
+                      versions are allowed. You must set it to true when providing
+                      an engine_version parameter that uses a different major version
+                      than the DB cluster's current version. Default is false.
+                    type: boolean
+                  applyImmediately:
+                    description: Specifies whether any cluster modifications are applied
+                      immediately, or during the next maintenance window. Default
+                      is false.
+                    type: boolean
                   arn:
                     description: The Neptune Cluster Amazon Resource Name (ARN)
                     type: string
+                  availabilityZones:
+                    description: A list of EC2 Availability Zones that instances in
+                      the Neptune cluster can be created in.
+                    items:
+                      type: string
+                    type: array
+                  backupRetentionPeriod:
+                    description: The days to retain backups for. Default 1
+                    type: number
                   clusterMembers:
                     description: – List of Neptune Instances that are a part of this
                       cluster
@@ -919,19 +958,133 @@ spec:
                   clusterResourceId:
                     description: The Neptune Cluster Resource ID
                     type: string
+                  copyTagsToSnapshot:
+                    description: If set to true, tags are copied to any snapshot of
+                      the DB cluster that is created.
+                    type: boolean
+                  deletionProtection:
+                    description: A value that indicates whether the DB cluster has
+                      deletion protection enabled.The database can't be deleted when
+                      deletion protection is enabled. By default, deletion protection
+                      is disabled.
+                    type: boolean
+                  enableCloudwatchLogsExports:
+                    description: A list of the log types this DB cluster is configured
+                      to export to Cloudwatch Logs. Currently only supports audit.
+                    items:
+                      type: string
+                    type: array
                   endpoint:
                     description: The DNS address of the Neptune instance
                     type: string
+                  engine:
+                    description: The name of the database engine to be used for this
+                      Neptune cluster. Defaults to neptune.
+                    type: string
+                  engineVersion:
+                    description: The database engine version.
+                    type: string
+                  finalSnapshotIdentifier:
+                    description: The name of your final Neptune snapshot when this
+                      Neptune cluster is deleted. If omitted, no final snapshot will
+                      be made.
+                    type: string
+                  globalClusterIdentifier:
+                    description: The global cluster identifier specified on aws_neptune_global_cluster.
+                    type: string
                   hostedZoneId:
                     description: The Route53 Hosted Zone ID of the endpoint
                     type: string
+                  iamDatabaseAuthenticationEnabled:
+                    description: Specifies whether or not mappings of AWS Identity
+                      and Access Management (IAM) accounts to database accounts is
+                      enabled.
+                    type: boolean
+                  iamRoles:
+                    description: A List of ARNs for the IAM roles to associate to
+                      the Neptune Cluster.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The Neptune Cluster Identifier
                     type: string
+                  kmsKeyArn:
+                    description: The ARN for the KMS encryption key. When specifying
+                      kms_key_arn, storage_encrypted needs to be set to true.
+                    type: string
+                  neptuneClusterParameterGroupName:
+                    description: A cluster parameter group to associate with the cluster.
+                    type: string
+                  neptuneInstanceParameterGroupName:
+                    description: The name of the DB parameter group to apply to all
+                      instances of the DB cluster.
+                    type: string
+                  neptuneSubnetGroupName:
+                    description: A Neptune subnet group to associate with this Neptune
+                      instance.
+                    type: string
+                  port:
+                    description: The port on which the Neptune accepts connections.
+                      Default is 8182.
+                    type: number
+                  preferredBackupWindow:
+                    description: 'The daily time range during which automated backups
+                      are created if automated backups are enabled using the BackupRetentionPeriod
+                      parameter. Time in UTC. Default: A 30-minute window selected
+                      at random from an 8-hour block of time per regionE.g., 04:00-09:00'
+                    type: string
+                  preferredMaintenanceWindow:
+                    description: The weekly time range during which system maintenance
+                      can occur, in (UTC) e.g., wed:04:00-wed:04:30
+                    type: string
                   readerEndpoint:
                     description: A read-only endpoint for the Neptune cluster, automatically
                       load-balanced across replicas
                     type: string
+                  replicationSourceIdentifier:
+                    description: ARN of a source Neptune cluster or Neptune instance
+                      if this Neptune cluster is to be created as a Read Replica.
+                    type: string
+                  serverlessV2ScalingConfiguration:
+                    description: If set, create the Neptune cluster as a serverless
+                      one. See Serverless for example block attributes.
+                    items:
+                      properties:
+                        maxCapacity:
+                          description: ': (default: 128) The maximum Neptune Capacity
+                            Units (NCUs) for this cluster. Must be lower or equal
+                            than 128. See AWS Documentation for more details.'
+                          type: number
+                        minCapacity:
+                          description: ': (default: 2.5) The minimum Neptune Capacity
+                            Units (NCUs) for this cluster. Must be greater or equal
+                            than 2.5. See AWS Documentation for more details.'
+                          type: number
+                      type: object
+                    type: array
+                  skipFinalSnapshot:
+                    description: Determines whether a final Neptune snapshot is created
+                      before the Neptune cluster is deleted. If true is specified,
+                      no Neptune snapshot is created. If false is specified, a Neptune
+                      snapshot is created before the Neptune cluster is deleted, using
+                      the value from final_snapshot_identifier. Default is false.
+                    type: boolean
+                  snapshotIdentifier:
+                    description: Specifies whether or not to create this cluster from
+                      a snapshot. You can use either the name or ARN when specifying
+                      a Neptune cluster snapshot, or the ARN when specifying a Neptune
+                      snapshot.
+                    type: string
+                  storageEncrypted:
+                    description: Specifies whether the Neptune cluster is encrypted.
+                      The default is false if not specified.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -939,6 +1092,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcSecurityGroupIds:
+                    description: List of VPC security groups to associate with the
+                      Cluster
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/neptune.aws.upbound.io_clustersnapshots.yaml b/package/crds/neptune.aws.upbound.io_clustersnapshots.yaml
index a66cf26192..ed82e7698a 100644
--- a/package/crds/neptune.aws.upbound.io_clustersnapshots.yaml
+++ b/package/crds/neptune.aws.upbound.io_clustersnapshots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -148,6 +152,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,6 +353,10 @@ spec:
                     items:
                       type: string
                     type: array
+                  dbClusterIdentifier:
+                    description: The DB Cluster Identifier from which to take the
+                      snapshot.
+                    type: string
                   dbClusterSnapshotArn:
                     description: The Amazon Resource Name (ARN) for the DB Cluster
                       Snapshot.
diff --git a/package/crds/neptune.aws.upbound.io_eventsubscriptions.yaml b/package/crds/neptune.aws.upbound.io_eventsubscriptions.yaml
index 9f6e06d8a3..69ad91b94e 100644
--- a/package/crds/neptune.aws.upbound.io_eventsubscriptions.yaml
+++ b/package/crds/neptune.aws.upbound.io_eventsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -177,6 +181,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -361,9 +380,42 @@ spec:
                     description: The AWS customer account associated with the Neptune
                       event notification subscription.
                     type: string
+                  enabled:
+                    description: A boolean flag to enable/disable the subscription.
+                      Defaults to true.
+                    type: boolean
+                  eventCategories:
+                    description: A list of event categories for a source_type that
+                      you want to subscribe to. Run aws neptune describe-event-categories
+                      to find all the event categories.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The name of the Neptune event notification subscription.
                     type: string
+                  snsTopicArn:
+                    description: The ARN of the SNS topic to send events to.
+                    type: string
+                  sourceIds:
+                    description: A list of identifiers of the event sources for which
+                      events will be returned. If not specified, then all sources
+                      are included in the response. If specified, a source_type must
+                      also be specified.
+                    items:
+                      type: string
+                    type: array
+                  sourceType:
+                    description: The type of source that will be generating the events.
+                      Valid options are db-instance, db-security-group, db-parameter-group,
+                      db-snapshot, db-cluster or db-cluster-snapshot. If not set,
+                      all sources will be subscribed to.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/neptune.aws.upbound.io_globalclusters.yaml b/package/crds/neptune.aws.upbound.io_globalclusters.yaml
index 2f3c3a3e0f..2f81985280 100644
--- a/package/crds/neptune.aws.upbound.io_globalclusters.yaml
+++ b/package/crds/neptune.aws.upbound.io_globalclusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,6 +171,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -346,6 +365,20 @@ spec:
                   arn:
                     description: Global Cluster Amazon Resource Name (ARN)
                     type: string
+                  deletionProtection:
+                    description: If the Global Cluster should have deletion protection
+                      enabled. The database can't be deleted when this value is set
+                      to true. The default is false.
+                    type: boolean
+                  engine:
+                    description: 'Name of the database engine to be used for this
+                      DB cluster. Current Valid values: neptune. Conflicts with source_db_cluster_identifier.'
+                    type: string
+                  engineVersion:
+                    description: Engine version of the global database. Upgrading
+                      the engine version will result in all cluster members being
+                      immediately updated and will.
+                    type: string
                   globalClusterMembers:
                     description: Set of objects containing Global Cluster members.
                     items:
@@ -366,8 +399,17 @@ spec:
                   id:
                     description: Neptune Global Cluster.
                     type: string
+                  sourceDbClusterIdentifier:
+                    description: Amazon Resource Name (ARN) to use as the primary
+                      DB Cluster of the Global Cluster on creation.
+                    type: string
                   status:
                     type: string
+                  storageEncrypted:
+                    description: Specifies whether the DB cluster is encrypted. The
+                      default is false unless source_db_cluster_identifier is specified
+                      and encrypted.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/neptune.aws.upbound.io_parametergroups.yaml b/package/crds/neptune.aws.upbound.io_parametergroups.yaml
index 2c66cf3067..4559e090f9 100644
--- a/package/crds/neptune.aws.upbound.io_parametergroups.yaml
+++ b/package/crds/neptune.aws.upbound.io_parametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -100,9 +104,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -274,6 +292,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
           status:
             description: ParameterGroupStatus defines the observed state of ParameterGroup.
             properties:
@@ -283,9 +304,37 @@ spec:
                     description: The Neptune parameter group Amazon Resource Name
                       (ARN).
                     type: string
+                  description:
+                    description: The description of the Neptune parameter group.
+                    type: string
+                  family:
+                    description: The family of the Neptune parameter group.
+                    type: string
                   id:
                     description: The Neptune parameter group name.
                     type: string
+                  parameter:
+                    description: A list of Neptune parameters to apply.
+                    items:
+                      properties:
+                        applyMethod:
+                          description: The apply method of the Neptune parameter.
+                            Valid values are immediate and pending-reboot. Defaults
+                            to pending-reboot.
+                          type: string
+                        name:
+                          description: The name of the Neptune parameter group.
+                          type: string
+                        value:
+                          description: The value of the Neptune parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/neptune.aws.upbound.io_subnetgroups.yaml b/package/crds/neptune.aws.upbound.io_subnetgroups.yaml
index 22f23ce734..a0a71606fd 100644
--- a/package/crds/neptune.aws.upbound.io_subnetgroups.yaml
+++ b/package/crds/neptune.aws.upbound.io_subnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,6 +165,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,9 +359,22 @@ spec:
                   arn:
                     description: The ARN of the neptune subnet group.
                     type: string
+                  description:
+                    description: The description of the neptune subnet group.
+                    type: string
                   id:
                     description: The neptune subnet group name.
                     type: string
+                  subnetIds:
+                    description: A list of VPC subnet IDs.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/networkfirewall.aws.upbound.io_firewallpolicies.yaml b/package/crds/networkfirewall.aws.upbound.io_firewallpolicies.yaml
index 037d3c9c0c..45e9a8c691 100644
--- a/package/crds/networkfirewall.aws.upbound.io_firewallpolicies.yaml
+++ b/package/crds/networkfirewall.aws.upbound.io_firewallpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -346,9 +350,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - firewallPolicy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -520,6 +538,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: firewallPolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.firewallPolicy)
           status:
             description: FirewallPolicyStatus defines the observed state of FirewallPolicy.
             properties:
@@ -529,10 +550,187 @@ spec:
                     description: The Amazon Resource Name (ARN) that identifies the
                       firewall policy.
                     type: string
+                  description:
+                    description: A friendly description of the firewall policy.
+                    type: string
+                  encryptionConfiguration:
+                    description: KMS encryption configuration settings. See Encryption
+                      Configuration below for details.
+                    items:
+                      properties:
+                        keyId:
+                          description: The ID of the customer managed key. You can
+                            use any of the key identifiers that KMS supports, unless
+                            you're using a key that's managed by another account.
+                            If you're using a key managed by another account, then
+                            specify the key ARN.
+                          type: string
+                        type:
+                          description: The type of AWS KMS key to use for encryption
+                            of your Network Firewall resources. Valid values are CUSTOMER_KMS
+                            and AWS_OWNED_KMS_KEY.
+                          type: string
+                      type: object
+                    type: array
+                  firewallPolicy:
+                    description: A configuration block describing the rule groups
+                      and policy actions to use in the firewall policy. See Firewall
+                      Policy below for details.
+                    items:
+                      properties:
+                        statefulDefaultActions:
+                          description: Set of actions to take on a packet if it does
+                            not match any stateful rules in the policy. This can only
+                            be specified if the policy has a stateful_engine_options
+                            block with a rule_order value of STRICT_ORDER. You can
+                            specify one of either or neither values of aws:drop_strict
+                            or aws:drop_established, as well as any combination of
+                            aws:alert_strict and aws:alert_established.
+                          items:
+                            type: string
+                          type: array
+                        statefulEngineOptions:
+                          description: A configuration block that defines options
+                            on how the policy handles stateful rules. See Stateful
+                            Engine Options below for details.
+                          items:
+                            properties:
+                              ruleOrder:
+                                description: 'Indicates how to manage the order of
+                                  stateful rule evaluation for the policy. Default
+                                  value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER,
+                                  STRICT_ORDER.'
+                                type: string
+                            type: object
+                          type: array
+                        statefulRuleGroupReference:
+                          description: Set of configuration blocks containing references
+                            to the stateful rule groups that are used in the policy.
+                            See Stateful Rule Group Reference below for details.
+                          items:
+                            properties:
+                              override:
+                                description: Configuration block for override values
+                                items:
+                                  properties:
+                                    action:
+                                      description: The action that changes the rule
+                                        group from DROP to ALERT . This only applies
+                                        to managed rule groups.
+                                      type: string
+                                  type: object
+                                type: array
+                              priority:
+                                description: An integer setting that indicates the
+                                  order in which to run the stateless rule groups
+                                  in a single policy. AWS Network Firewall applies
+                                  each stateless rule group to a packet starting with
+                                  the group that has the lowest priority setting.
+                                type: number
+                              resourceArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  stateless rule group.
+                                type: string
+                            type: object
+                          type: array
+                        statelessCustomAction:
+                          description: Set of configuration blocks describing the
+                            custom action definitions that are available for use in
+                            the firewall policy's stateless_default_actions. See Stateless
+                            Custom Action below for details.
+                          items:
+                            properties:
+                              actionDefinition:
+                                description: A configuration block describing the
+                                  custom action associated with the action_name. See
+                                  Action Definition below for details.
+                                items:
+                                  properties:
+                                    publishMetricAction:
+                                      description: A configuration block describing
+                                        the stateless inspection criteria that publishes
+                                        the specified metrics to Amazon CloudWatch
+                                        for the matching packet. You can pair this
+                                        custom action with any of the standard stateless
+                                        rule actions. See Publish Metric Action below
+                                        for details.
+                                      items:
+                                        properties:
+                                          dimension:
+                                            description: Set of configuration blocks
+                                              describing dimension settings to use
+                                              for Amazon CloudWatch custom metrics.
+                                              See Dimension below for more details.
+                                            items:
+                                              properties:
+                                                value:
+                                                  description: The string value to
+                                                    use in the custom metric dimension.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              actionName:
+                                description: A friendly name of the custom action.
+                                type: string
+                            type: object
+                          type: array
+                        statelessDefaultActions:
+                          description: 'Set of actions to take on a packet if it does
+                            not match any of the stateless rules in the policy. You
+                            must specify one of the standard actions including: aws:drop,
+                            aws:pass, or aws:forward_to_sfe. In addition, you can
+                            specify custom actions that are compatible with your standard
+                            action choice. If you want non-matching packets to be
+                            forwarded for stateful inspection, specify aws:forward_to_sfe.'
+                          items:
+                            type: string
+                          type: array
+                        statelessFragmentDefaultActions:
+                          description: 'Set of actions to take on a fragmented packet
+                            if it does not match any of the stateless rules in the
+                            policy. You must specify one of the standard actions including:
+                            aws:drop, aws:pass, or aws:forward_to_sfe. In addition,
+                            you can specify custom actions that are compatible with
+                            your standard action choice. If you want non-matching
+                            packets to be forwarded for stateful inspection, specify
+                            aws:forward_to_sfe.'
+                          items:
+                            type: string
+                          type: array
+                        statelessRuleGroupReference:
+                          description: Set of configuration blocks containing references
+                            to the stateless rule groups that are used in the policy.
+                            See Stateless Rule Group Reference below for details.
+                          items:
+                            properties:
+                              priority:
+                                description: An integer setting that indicates the
+                                  order in which to run the stateless rule groups
+                                  in a single policy. AWS Network Firewall applies
+                                  each stateless rule group to a packet starting with
+                                  the group that has the lowest priority setting.
+                                type: number
+                              resourceArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  stateless rule group.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: The Amazon Resource Name (ARN) that identifies the
                       firewall policy.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/networkfirewall.aws.upbound.io_firewalls.yaml b/package/crds/networkfirewall.aws.upbound.io_firewalls.yaml
index 6eefc60fa7..c2d4650ac0 100644
--- a/package/crds/networkfirewall.aws.upbound.io_firewalls.yaml
+++ b/package/crds/networkfirewall.aws.upbound.io_firewalls.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -362,10 +366,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
-                - subnetMapping
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -537,6 +554,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: subnetMapping is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.subnetMapping)
           status:
             description: FirewallStatus defines the observed state of Firewall.
             properties:
@@ -546,6 +568,41 @@ spec:
                     description: The Amazon Resource Name (ARN) that identifies the
                       firewall.
                     type: string
+                  deleteProtection:
+                    description: A boolean flag indicating whether it is possible
+                      to delete the firewall. Defaults to false.
+                    type: boolean
+                  description:
+                    description: A friendly description of the firewall.
+                    type: string
+                  encryptionConfiguration:
+                    description: KMS encryption configuration settings. See Encryption
+                      Configuration below for details.
+                    items:
+                      properties:
+                        keyId:
+                          description: The ID of the customer managed key. You can
+                            use any of the key identifiers that KMS supports, unless
+                            you're using a key that's managed by another account.
+                            If you're using a key managed by another account, then
+                            specify the key ARN.
+                          type: string
+                        type:
+                          description: The type of AWS KMS key to use for encryption
+                            of your Network Firewall resources. Valid values are CUSTOMER_KMS
+                            and AWS_OWNED_KMS_KEY.
+                          type: string
+                      type: object
+                    type: array
+                  firewallPolicyArn:
+                    description: The Amazon Resource Name (ARN) of the VPC Firewall
+                      policy.
+                    type: string
+                  firewallPolicyChangeProtection:
+                    description: (Option) A boolean flag indicating whether it is
+                      possible to change the associated firewall policy. Defaults
+                      to false.
+                    type: boolean
                   firewallStatus:
                     description: Nested list of information about the current status
                       of the firewall.
@@ -586,6 +643,34 @@ spec:
                     description: The Amazon Resource Name (ARN) that identifies the
                       firewall.
                     type: string
+                  name:
+                    description: A friendly name of the firewall.
+                    type: string
+                  subnetChangeProtection:
+                    description: A boolean flag indicating whether it is possible
+                      to change the associated subnet(s). Defaults to false.
+                    type: boolean
+                  subnetMapping:
+                    description: Set of configuration blocks describing the public
+                      subnets. Each subnet must belong to a different Availability
+                      Zone in the VPC. AWS Network Firewall creates a firewall endpoint
+                      in each subnet. See Subnet Mapping below for details.
+                    items:
+                      properties:
+                        ipAddressType:
+                          description: 'The subnet''s IP address type. Valida values:
+                            "DUALSTACK", "IPV4".'
+                          type: string
+                        subnetId:
+                          description: The unique identifier for the subnet.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -596,6 +681,10 @@ spec:
                   updateToken:
                     description: A string token used when updating a firewall.
                     type: string
+                  vpcId:
+                    description: The unique identifier of the VPC where AWS Network
+                      Firewall should create the firewall.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkfirewall.aws.upbound.io_loggingconfigurations.yaml b/package/crds/networkfirewall.aws.upbound.io_loggingconfigurations.yaml
index b7f54cc52d..bc345f6dd3 100644
--- a/package/crds/networkfirewall.aws.upbound.io_loggingconfigurations.yaml
+++ b/package/crds/networkfirewall.aws.upbound.io_loggingconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -188,9 +192,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - loggingConfiguration
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -362,16 +380,57 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: loggingConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.loggingConfiguration)
           status:
             description: LoggingConfigurationStatus defines the observed state of
               LoggingConfiguration.
             properties:
               atProvider:
                 properties:
+                  firewallArn:
+                    description: The Amazon Resource Name (ARN) of the Network Firewall
+                      firewall.
+                    type: string
                   id:
                     description: The Amazon Resource Name (ARN) of the associated
                       firewall.
                     type: string
+                  loggingConfiguration:
+                    description: A configuration block describing how AWS Network
+                      Firewall performs logging for a firewall. See Logging Configuration
+                      below for details.
+                    items:
+                      properties:
+                        logDestinationConfig:
+                          description: Set of configuration blocks describing the
+                            logging details for a firewall. See Log Destination Config
+                            below for details. At most, only two blocks can be specified;
+                            one for FLOW logs and one for ALERT logs.
+                          items:
+                            properties:
+                              logDestination:
+                                additionalProperties:
+                                  type: string
+                                description: A map describing the logging destination
+                                  for the chosen log_destination_type.
+                                type: object
+                              logDestinationType:
+                                description: 'The location to send logs to. Valid
+                                  values: S3, CloudWatchLogs, KinesisDataFirehose.'
+                                type: string
+                              logType:
+                                description: 'The type of log to send. Valid values:
+                                  ALERT or FLOW. Alert logs report traffic that matches
+                                  a StatefulRule with an action setting that sends
+                                  a log message. Flow logs are standard network traffic
+                                  flow logs.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkfirewall.aws.upbound.io_rulegroups.yaml b/package/crds/networkfirewall.aws.upbound.io_rulegroups.yaml
index 8a9a8b41b5..b68000028d 100644
--- a/package/crds/networkfirewall.aws.upbound.io_rulegroups.yaml
+++ b/package/crds/networkfirewall.aws.upbound.io_rulegroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -758,11 +762,23 @@ spec:
                       values include: STATEFUL or STATELESS.'
                     type: string
                 required:
-                - capacity
-                - name
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -934,6 +950,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: capacity is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.capacity)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: RuleGroupStatus defines the observed state of RuleGroup.
             properties:
@@ -943,17 +966,553 @@ spec:
                     description: The Amazon Resource Name (ARN) that identifies the
                       rule group.
                     type: string
+                  capacity:
+                    description: The maximum number of operating resources that this
+                      rule group can use. For a stateless rule group, the capacity
+                      required is the sum of the capacity requirements of the individual
+                      rules. For a stateful rule group, the minimum capacity required
+                      is the number of individual rules.
+                    type: number
+                  description:
+                    description: A friendly description of the rule group.
+                    type: string
+                  encryptionConfiguration:
+                    description: KMS encryption configuration settings. See Encryption
+                      Configuration below for details.
+                    items:
+                      properties:
+                        keyId:
+                          description: The ID of the customer managed key. You can
+                            use any of the key identifiers that KMS supports, unless
+                            you're using a key that's managed by another account.
+                            If you're using a key managed by another account, then
+                            specify the key ARN.
+                          type: string
+                        type:
+                          description: The type of AWS KMS key to use for encryption
+                            of your Network Firewall resources. Valid values are CUSTOMER_KMS
+                            and AWS_OWNED_KMS_KEY.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The Amazon Resource Name (ARN) that identifies the
                       rule group.
                     type: string
-                  tagsAll:
-                    additionalProperties:
-                      type: string
-                    description: A map of tags assigned to the resource, including
-                      those inherited from the provider default_tags configuration
-                      block.
-                    type: object
+                  name:
+                    description: A friendly name of the rule group.
+                    type: string
+                  ruleGroup:
+                    description: A configuration block that defines the rule group
+                      rules. Required unless rules is specified. See Rule Group below
+                      for details.
+                    items:
+                      properties:
+                        referenceSets:
+                          description: A configuration block that defines the IP Set
+                            References for the rule group. See Reference Sets below
+                            for details.
+                          items:
+                            properties:
+                              ipSetReferences:
+                                items:
+                                  properties:
+                                    ipSetReference:
+                                      description: Set of configuration blocks that
+                                        define the IP Reference information. See IP
+                                        Set Reference below for details.
+                                      items:
+                                        properties:
+                                          referenceArn:
+                                            description: Set of Managed Prefix IP
+                                              ARN(s)
+                                            type: string
+                                        type: object
+                                      type: array
+                                    key:
+                                      description: An unique alphanumeric string to
+                                        identify the port_set.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        ruleVariables:
+                          description: A configuration block that defines additional
+                            settings available to use in the rules defined in the
+                            rule group. Can only be specified for stateful rule groups.
+                            See Rule Variables below for details.
+                          items:
+                            properties:
+                              ipSets:
+                                description: Set of configuration blocks that define
+                                  IP address information. See IP Sets below for details.
+                                items:
+                                  properties:
+                                    ipSet:
+                                      description: A configuration block that defines
+                                        a set of IP addresses. See IP Set below for
+                                        details.
+                                      items:
+                                        properties:
+                                          definition:
+                                            description: Set of port ranges.
+                                            items:
+                                              type: string
+                                            type: array
+                                        type: object
+                                      type: array
+                                    key:
+                                      description: An unique alphanumeric string to
+                                        identify the port_set.
+                                      type: string
+                                  type: object
+                                type: array
+                              portSets:
+                                description: Set of configuration blocks that define
+                                  port range information. See Port Sets below for
+                                  details.
+                                items:
+                                  properties:
+                                    key:
+                                      description: An unique alphanumeric string to
+                                        identify the port_set.
+                                      type: string
+                                    portSet:
+                                      description: A configuration block that defines
+                                        a set of port ranges. See Port Set below for
+                                        details.
+                                      items:
+                                        properties:
+                                          definition:
+                                            description: Set of port ranges.
+                                            items:
+                                              type: string
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        rulesSource:
+                          description: A configuration block that defines the stateful
+                            or stateless rules for the rule group. See Rules Source
+                            below for details.
+                          items:
+                            properties:
+                              rulesSourceList:
+                                description: A configuration block containing stateful
+                                  inspection criteria for a domain list rule group.
+                                  See Rules Source List below for details.
+                                items:
+                                  properties:
+                                    generatedRulesType:
+                                      description: 'String value to specify whether
+                                        domains in the target list are allowed or
+                                        denied access. Valid values: ALLOWLIST, DENYLIST.'
+                                      type: string
+                                    targetTypes:
+                                      description: 'Set of types of domain specifications
+                                        that are provided in the targets argument.
+                                        Valid values: HTTP_HOST, TLS_SNI.'
+                                      items:
+                                        type: string
+                                      type: array
+                                    targets:
+                                      description: Set of domains that you want to
+                                        inspect for in your traffic flows.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              rulesString:
+                                description: The fully qualified name of a file in
+                                  an S3 bucket that contains Suricata compatible intrusion
+                                  preventions system (IPS) rules or the Suricata rules
+                                  as a string. These rules contain stateful inspection
+                                  criteria and the action to take for traffic that
+                                  matches the criteria.
+                                type: string
+                              statefulRule:
+                                description: Set of configuration blocks containing
+                                  stateful inspection criteria for 5-tuple rules to
+                                  be used together in a rule group. See Stateful Rule
+                                  below for details.
+                                items:
+                                  properties:
+                                    action:
+                                      description: 'Action to take with packets in
+                                        a traffic flow when the flow matches the stateful
+                                        rule criteria. For all actions, AWS Network
+                                        Firewall performs the specified action and
+                                        discontinues stateful inspection of the traffic
+                                        flow. Valid values: ALERT, DROP or PASS.'
+                                      type: string
+                                    header:
+                                      description: A configuration block containing
+                                        the stateful 5-tuple inspection criteria for
+                                        the rule, used to inspect traffic flows. See
+                                        Header below for details.
+                                      items:
+                                        properties:
+                                          destination:
+                                            description: Set of configuration blocks
+                                              describing the destination IP address
+                                              and address ranges to inspect for, in
+                                              CIDR notation. If not specified, this
+                                              matches with any destination address.
+                                              See Destination below for details.
+                                            type: string
+                                          destinationPort:
+                                            description: Set of configuration blocks
+                                              describing the destination ports to
+                                              inspect for. If not specified, this
+                                              matches with any destination port. See
+                                              Destination Port below for details.
+                                            type: string
+                                          direction:
+                                            description: 'The direction of traffic
+                                              flow to inspect. Valid values: ANY or
+                                              FORWARD.'
+                                            type: string
+                                          protocol:
+                                            description: 'The protocol to inspect.
+                                              Valid values: IP, TCP, UDP, ICMP, HTTP,
+                                              FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP,
+                                              IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.'
+                                            type: string
+                                          source:
+                                            description: Set of configuration blocks
+                                              describing the source IP address and
+                                              address ranges to inspect for, in CIDR
+                                              notation. If not specified, this matches
+                                              with any source address. See Source
+                                              below for details.
+                                            type: string
+                                          sourcePort:
+                                            description: Set of configuration blocks
+                                              describing the source ports to inspect
+                                              for. If not specified, this matches
+                                              with any source port. See Source Port
+                                              below for details.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    ruleOption:
+                                      description: Set of configuration blocks containing
+                                        additional settings for a stateful rule. See
+                                        Rule Option below for details.
+                                      items:
+                                        properties:
+                                          keyword:
+                                            description: Keyword defined by open source
+                                              detection systems like Snort or Suricata
+                                              for stateful rule inspection. See Snort
+                                              General Rule Options or Suricata Rule
+                                              Options for more details.
+                                            type: string
+                                          settings:
+                                            description: Set of strings for additional
+                                              settings to use in stateful rule inspection.
+                                            items:
+                                              type: string
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              statelessRulesAndCustomActions:
+                                description: A configuration block containing stateless
+                                  inspection criteria for a stateless rule group.
+                                  See Stateless Rules and Custom Actions below for
+                                  details.
+                                items:
+                                  properties:
+                                    customAction:
+                                      description: Set of configuration blocks containing
+                                        custom action definitions that are available
+                                        for use by the set of stateless rule. See
+                                        Custom Action below for details.
+                                      items:
+                                        properties:
+                                          actionDefinition:
+                                            description: A configuration block describing
+                                              the custom action associated with the
+                                              action_name. See Action Definition below
+                                              for details.
+                                            items:
+                                              properties:
+                                                publishMetricAction:
+                                                  description: A configuration block
+                                                    describing the stateless inspection
+                                                    criteria that publishes the specified
+                                                    metrics to Amazon CloudWatch for
+                                                    the matching packet. You can pair
+                                                    this custom action with any of
+                                                    the standard stateless rule actions.
+                                                    See Publish Metric Action below
+                                                    for details.
+                                                  items:
+                                                    properties:
+                                                      dimension:
+                                                        description: Set of configuration
+                                                          blocks containing the dimension
+                                                          settings to use for Amazon
+                                                          CloudWatch custom metrics.
+                                                          See Dimension below for
+                                                          details.
+                                                        items:
+                                                          properties:
+                                                            value:
+                                                              description: The value
+                                                                to use in the custom
+                                                                metric dimension.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                          actionName:
+                                            description: A friendly name of the custom
+                                              action.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    statelessRule:
+                                      description: Set of configuration blocks containing
+                                        the stateless rules for use in the stateless
+                                        rule group. See Stateless Rule below for details.
+                                      items:
+                                        properties:
+                                          priority:
+                                            description: A setting that indicates
+                                              the order in which to run this rule
+                                              relative to all of the rules that are
+                                              defined for a stateless rule group.
+                                              AWS Network Firewall evaluates the rules
+                                              in a rule group starting with the lowest
+                                              priority setting.
+                                            type: number
+                                          ruleDefinition:
+                                            description: A configuration block defining
+                                              the stateless 5-tuple packet inspection
+                                              criteria and the action to take on a
+                                              packet that matches the criteria. See
+                                              Rule Definition below for details.
+                                            items:
+                                              properties:
+                                                actions:
+                                                  description: 'Set of actions to
+                                                    take on a packet that matches
+                                                    one of the stateless rule definition''s
+                                                    match_attributes. For every rule
+                                                    you must specify 1 standard action,
+                                                    and you can add custom actions.
+                                                    Standard actions include: aws:pass,
+                                                    aws:drop, aws:forward_to_sfe.'
+                                                  items:
+                                                    type: string
+                                                  type: array
+                                                matchAttributes:
+                                                  description: A configuration block
+                                                    containing criteria for AWS Network
+                                                    Firewall to use to inspect an
+                                                    individual packet in stateless
+                                                    rule inspection. See Match Attributes
+                                                    below for details.
+                                                  items:
+                                                    properties:
+                                                      destination:
+                                                        description: Set of configuration
+                                                          blocks describing the destination
+                                                          IP address and address ranges
+                                                          to inspect for, in CIDR
+                                                          notation. If not specified,
+                                                          this matches with any destination
+                                                          address. See Destination
+                                                          below for details.
+                                                        items:
+                                                          properties:
+                                                            addressDefinition:
+                                                              description: An IP address
+                                                                or a block of IP addresses
+                                                                in CIDR notation.
+                                                                AWS Network Firewall
+                                                                supports all address
+                                                                ranges for IPv4.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      destinationPort:
+                                                        description: Set of configuration
+                                                          blocks describing the destination
+                                                          ports to inspect for. If
+                                                          not specified, this matches
+                                                          with any destination port.
+                                                          See Destination Port below
+                                                          for details.
+                                                        items:
+                                                          properties:
+                                                            fromPort:
+                                                              description: The lower
+                                                                limit of the port
+                                                                range. This must be
+                                                                less than or equal
+                                                                to the to_port.
+                                                              type: number
+                                                            toPort:
+                                                              description: The upper
+                                                                limit of the port
+                                                                range. This must be
+                                                                greater than or equal
+                                                                to the from_port.
+                                                              type: number
+                                                          type: object
+                                                        type: array
+                                                      protocols:
+                                                        description: Set of protocols
+                                                          to inspect for, specified
+                                                          using the protocol's assigned
+                                                          internet protocol number
+                                                          (IANA). If not specified,
+                                                          this matches with any protocol.
+                                                        items:
+                                                          type: number
+                                                        type: array
+                                                      source:
+                                                        description: Set of configuration
+                                                          blocks describing the source
+                                                          IP address and address ranges
+                                                          to inspect for, in CIDR
+                                                          notation. If not specified,
+                                                          this matches with any source
+                                                          address. See Source below
+                                                          for details.
+                                                        items:
+                                                          properties:
+                                                            addressDefinition:
+                                                              description: An IP address
+                                                                or a block of IP addresses
+                                                                in CIDR notation.
+                                                                AWS Network Firewall
+                                                                supports all address
+                                                                ranges for IPv4.
+                                                              type: string
+                                                          type: object
+                                                        type: array
+                                                      sourcePort:
+                                                        description: Set of configuration
+                                                          blocks describing the source
+                                                          ports to inspect for. If
+                                                          not specified, this matches
+                                                          with any source port. See
+                                                          Source Port below for details.
+                                                        items:
+                                                          properties:
+                                                            fromPort:
+                                                              description: The lower
+                                                                limit of the port
+                                                                range. This must be
+                                                                less than or equal
+                                                                to the to_port.
+                                                              type: number
+                                                            toPort:
+                                                              description: The upper
+                                                                limit of the port
+                                                                range. This must be
+                                                                greater than or equal
+                                                                to the from_port.
+                                                              type: number
+                                                          type: object
+                                                        type: array
+                                                      tcpFlag:
+                                                        description: Set of configuration
+                                                          blocks containing the TCP
+                                                          flags and masks to inspect
+                                                          for. If not specified, this
+                                                          matches with any settings.
+                                                        items:
+                                                          properties:
+                                                            flags:
+                                                              description: 'Set of
+                                                                flags to look for
+                                                                in a packet. This
+                                                                setting can only specify
+                                                                values that are also
+                                                                specified in masks.
+                                                                Valid values: FIN,
+                                                                SYN, RST, PSH, ACK,
+                                                                URG, ECE, CWR.'
+                                                              items:
+                                                                type: string
+                                                              type: array
+                                                            masks:
+                                                              description: 'Set of
+                                                                flags to consider
+                                                                in the inspection.
+                                                                To inspect all flags,
+                                                                leave this empty.
+                                                                Valid values: FIN,
+                                                                SYN, RST, PSH, ACK,
+                                                                URG, ECE, CWR.'
+                                                              items:
+                                                                type: string
+                                                              type: array
+                                                          type: object
+                                                        type: array
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        statefulRuleOptions:
+                          description: A configuration block that defines stateful
+                            rule options for the rule group. See Stateful Rule Options
+                            below for details.
+                          items:
+                            properties:
+                              ruleOrder:
+                                description: 'Indicates how to manage the order of
+                                  the rule evaluation for the rule group. Default
+                                  value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER,
+                                  STRICT_ORDER.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  rules:
+                    description: The stateful rule group rules specifications in Suricata
+                      file format, with one rule per line. Use this to import your
+                      existing Suricata compatible rule groups. Required unless rule_group
+                      is specified.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
+                  tagsAll:
+                    additionalProperties:
+                      type: string
+                    description: A map of tags assigned to the resource, including
+                      those inherited from the provider default_tags configuration
+                      block.
+                    type: object
+                  type:
+                    description: 'Whether the rule group is stateless (containing
+                      stateless rules) or stateful (containing stateful rules). Valid
+                      values include: STATEFUL or STATELESS.'
+                    type: string
                   updateToken:
                     description: A string token used when updating the rule group.
                     type: string
diff --git a/package/crds/networkmanager.aws.upbound.io_attachmentaccepters.yaml b/package/crds/networkmanager.aws.upbound.io_attachmentaccepters.yaml
index f027486505..248e16a242 100644
--- a/package/crds/networkmanager.aws.upbound.io_attachmentaccepters.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_attachmentaccepters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -404,9 +423,16 @@ spec:
             properties:
               atProvider:
                 properties:
+                  attachmentId:
+                    description: The ID of the attachment.
+                    type: string
                   attachmentPolicyRuleNumber:
                     description: The policy rule number associated with the attachment.
                     type: number
+                  attachmentType:
+                    description: The type of attachment. Valid values can be found
+                      in the AWS Documentation
+                    type: string
                   coreNetworkArn:
                     description: The ARN of a core network.
                     type: string
diff --git a/package/crds/networkmanager.aws.upbound.io_connectattachments.yaml b/package/crds/networkmanager.aws.upbound.io_connectattachments.yaml
index fca474d651..a953282982 100644
--- a/package/crds/networkmanager.aws.upbound.io_connectattachments.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_connectattachments.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -314,9 +318,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - options
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -488,6 +506,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: options is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.options)
           status:
             description: ConnectAttachmentStatus defines the observed state of ConnectAttachment.
             properties:
@@ -508,9 +529,24 @@ spec:
                   coreNetworkArn:
                     description: The ARN of a core network.
                     type: string
+                  coreNetworkId:
+                    description: The ID of a core network where you want to create
+                      the attachment.
+                    type: string
+                  edgeLocation:
+                    description: The Region where the edge is located.
+                    type: string
                   id:
                     description: The ID of the attachment.
                     type: string
+                  options:
+                    description: Options for creating an attachment.
+                    items:
+                      properties:
+                        protocol:
+                          type: string
+                      type: object
+                    type: array
                   ownerAccountId:
                     description: The ID of the attachment account owner.
                     type: string
@@ -523,6 +559,11 @@ spec:
                   state:
                     description: The state of the attachment.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -530,6 +571,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  transportAttachmentId:
+                    description: The ID of the attachment between the two connections.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkmanager.aws.upbound.io_connections.yaml b/package/crds/networkmanager.aws.upbound.io_connections.yaml
index d93b020186..f2f0d330b8 100644
--- a/package/crds/networkmanager.aws.upbound.io_connections.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_connections.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -319,6 +323,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -498,8 +517,31 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the connection.
                     type: string
+                  connectedDeviceId:
+                    description: The ID of the second device in the connection.
+                    type: string
+                  connectedLinkId:
+                    description: The ID of the link for the second device.
+                    type: string
+                  description:
+                    description: A description of the connection.
+                    type: string
+                  deviceId:
+                    description: The ID of the first device in the connection.
+                    type: string
+                  globalNetworkId:
+                    description: The ID of the global network.
+                    type: string
                   id:
                     type: string
+                  linkId:
+                    description: The ID of the link for the first device.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/networkmanager.aws.upbound.io_corenetworks.yaml b/package/crds/networkmanager.aws.upbound.io_corenetworks.yaml
index b1f4dd8c13..40fcfbd499 100644
--- a/package/crds/networkmanager.aws.upbound.io_corenetworks.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_corenetworks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -192,6 +196,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -371,9 +390,39 @@ spec:
                   arn:
                     description: Core Network Amazon Resource Name (ARN).
                     type: string
+                  basePolicyRegion:
+                    description: The base policy created by setting the create_base_policy
+                      argument to true requires a region to be set in the edge-locations,
+                      location key. If base_policy_region is not specified, the region
+                      used in the base policy defaults to the region specified in
+                      the provider block.
+                    type: string
+                  createBasePolicy:
+                    description: Specifies whether to create a base policy when a
+                      core network is created or updated. A base policy is created
+                      and set to LIVE to allow attachments to the core network (e.g.
+                      VPC Attachments) before applying a policy document provided
+                      using the aws_networkmanager_core_network_policy_attachment
+                      resource. This base policy is needed if your core network does
+                      not have any LIVE policies (e.g. a core network resource created
+                      without the policy_document argument) and your policy document
+                      has static routes pointing to VPC attachments and you want to
+                      attach your VPCs to the core network before applying the desired
+                      policy document. Valid values are true or false. Conflicts with
+                      policy_document. An example of a base policy created is shown
+                      below. The region specified in the location key can be configured
+                      using the base_policy_region argument. If base_policy_region
+                      is not specified, the region defaults to the region specified
+                      in the provider block. This base policy is overridden with the
+                      policy that you specify in the aws_networkmanager_core_network_policy_attachment
+                      resource.
+                    type: boolean
                   createdAt:
                     description: Timestamp when a core network was created.
                     type: string
+                  description:
+                    description: Description of the Core Network.
+                    type: string
                   edges:
                     description: One or more blocks detailing the edges within a core
                       network. Detailed below.
@@ -392,9 +441,20 @@ spec:
                           type: array
                       type: object
                     type: array
+                  globalNetworkId:
+                    description: The ID of the global network that a core network
+                      will be a part of.
+                    type: string
                   id:
                     description: Core Network ID.
                     type: string
+                  policyDocument:
+                    description: Policy document for creating a core network. Note
+                      that updating this argument will result in the new policy document
+                      version being set as the LATEST and LIVE policy document. Refer
+                      to the Core network policies documentation for more information.
+                      Conflicts with create_base_policy.
+                    type: string
                   segments:
                     description: One or more blocks detailing the segments within
                       a core network. Detailed below.
@@ -418,6 +478,11 @@ spec:
                   state:
                     description: Current state of a core network.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/networkmanager.aws.upbound.io_customergatewayassociations.yaml b/package/crds/networkmanager.aws.upbound.io_customergatewayassociations.yaml
index 9a7c4a084f..4d74d1b96a 100644
--- a/package/crds/networkmanager.aws.upbound.io_customergatewayassociations.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_customergatewayassociations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -310,6 +314,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -487,8 +506,20 @@ spec:
             properties:
               atProvider:
                 properties:
+                  customerGatewayArn:
+                    description: The Amazon Resource Name (ARN) of the customer gateway.
+                    type: string
+                  deviceId:
+                    description: The ID of the device.
+                    type: string
+                  globalNetworkId:
+                    description: The ID of the global network.
+                    type: string
                   id:
                     type: string
+                  linkId:
+                    description: The ID of the link.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkmanager.aws.upbound.io_devices.yaml b/package/crds/networkmanager.aws.upbound.io_devices.yaml
index 48082c4cdb..6d61ef5735 100644
--- a/package/crds/networkmanager.aws.upbound.io_devices.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_devices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -277,6 +281,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -456,8 +475,58 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the device.
                     type: string
+                  awsLocation:
+                    description: The AWS location of the device. Documented below.
+                    items:
+                      properties:
+                        subnetArn:
+                          description: The Amazon Resource Name (ARN) of the subnet
+                            that the device is located in.
+                          type: string
+                        zone:
+                          description: The Zone that the device is located in. Specify
+                            the ID of an Availability Zone, Local Zone, Wavelength
+                            Zone, or an Outpost.
+                          type: string
+                      type: object
+                    type: array
+                  description:
+                    description: A description of the device.
+                    type: string
+                  globalNetworkId:
+                    description: The ID of the global network.
+                    type: string
                   id:
                     type: string
+                  location:
+                    description: The location of the device. Documented below.
+                    items:
+                      properties:
+                        address:
+                          description: The physical address.
+                          type: string
+                        latitude:
+                          description: The latitude.
+                          type: string
+                        longitude:
+                          description: The longitude.
+                          type: string
+                      type: object
+                    type: array
+                  model:
+                    description: The model of device.
+                    type: string
+                  serialNumber:
+                    description: The serial number of the device.
+                    type: string
+                  siteId:
+                    description: The ID of the site.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -465,6 +534,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: The type of device.
+                    type: string
+                  vendor:
+                    description: The vendor of the device.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkmanager.aws.upbound.io_globalnetworks.yaml b/package/crds/networkmanager.aws.upbound.io_globalnetworks.yaml
index 0056a4310a..8cc3e86828 100644
--- a/package/crds/networkmanager.aws.upbound.io_globalnetworks.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_globalnetworks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,8 +277,16 @@ spec:
                   arn:
                     description: Global Network Amazon Resource Name (ARN)
                     type: string
+                  description:
+                    description: Description of the Global Network.
+                    type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/networkmanager.aws.upbound.io_linkassociations.yaml b/package/crds/networkmanager.aws.upbound.io_linkassociations.yaml
index 35775c266b..ba7f068d50 100644
--- a/package/crds/networkmanager.aws.upbound.io_linkassociations.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_linkassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -303,6 +307,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -479,8 +498,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  deviceId:
+                    description: The ID of the device.
+                    type: string
+                  globalNetworkId:
+                    description: The ID of the global network.
+                    type: string
                   id:
                     type: string
+                  linkId:
+                    description: The ID of the link.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkmanager.aws.upbound.io_links.yaml b/package/crds/networkmanager.aws.upbound.io_links.yaml
index db567dc5a7..94a6fa7a48 100644
--- a/package/crds/networkmanager.aws.upbound.io_links.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_links.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -249,9 +253,23 @@ spec:
                     description: The type of the link.
                     type: string
                 required:
-                - bandwidth
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -423,6 +441,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: bandwidth is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bandwidth)
           status:
             description: LinkStatus defines the observed state of Link.
             properties:
@@ -431,8 +452,38 @@ spec:
                   arn:
                     description: Link Amazon Resource Name (ARN).
                     type: string
+                  bandwidth:
+                    description: The upload speed and download speed in Mbps. Documented
+                      below.
+                    items:
+                      properties:
+                        downloadSpeed:
+                          description: Download speed in Mbps.
+                          type: number
+                        uploadSpeed:
+                          description: Upload speed in Mbps.
+                          type: number
+                      type: object
+                    type: array
+                  description:
+                    description: A description of the link.
+                    type: string
+                  globalNetworkId:
+                    description: The ID of the global network.
+                    type: string
                   id:
                     type: string
+                  providerName:
+                    description: The provider of the link.
+                    type: string
+                  siteId:
+                    description: The ID of the site.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -440,6 +491,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: The type of the link.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkmanager.aws.upbound.io_sites.yaml b/package/crds/networkmanager.aws.upbound.io_sites.yaml
index e2e3c1d745..70b52455b9 100644
--- a/package/crds/networkmanager.aws.upbound.io_sites.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_sites.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -172,6 +176,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -351,8 +370,34 @@ spec:
                   arn:
                     description: Site Amazon Resource Name (ARN)
                     type: string
+                  description:
+                    description: Description of the Site.
+                    type: string
+                  globalNetworkId:
+                    description: The ID of the Global Network to create the site in.
+                    type: string
                   id:
                     type: string
+                  location:
+                    description: The site location as documented below.
+                    items:
+                      properties:
+                        address:
+                          description: Address of the location.
+                          type: string
+                        latitude:
+                          description: Latitude of the location.
+                          type: string
+                        longitude:
+                          description: Longitude of the location.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/networkmanager.aws.upbound.io_transitgatewayconnectpeerassociations.yaml b/package/crds/networkmanager.aws.upbound.io_transitgatewayconnectpeerassociations.yaml
index 67e7bd43b1..3e892dd10e 100644
--- a/package/crds/networkmanager.aws.upbound.io_transitgatewayconnectpeerassociations.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_transitgatewayconnectpeerassociations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -310,6 +314,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -487,8 +506,20 @@ spec:
             properties:
               atProvider:
                 properties:
+                  deviceId:
+                    description: The ID of the device.
+                    type: string
+                  globalNetworkId:
+                    description: The ID of the global network.
+                    type: string
                   id:
                     type: string
+                  linkId:
+                    description: The ID of the link.
+                    type: string
+                  transitGatewayConnectPeerArn:
+                    description: The Amazon Resource Name (ARN) of the Connect peer.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkmanager.aws.upbound.io_transitgatewayregistrations.yaml b/package/crds/networkmanager.aws.upbound.io_transitgatewayregistrations.yaml
index 4602e32f0a..9b805782a5 100644
--- a/package/crds/networkmanager.aws.upbound.io_transitgatewayregistrations.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_transitgatewayregistrations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,8 +424,14 @@ spec:
             properties:
               atProvider:
                 properties:
+                  globalNetworkId:
+                    description: The ID of the Global Network to register to.
+                    type: string
                   id:
                     type: string
+                  transitGatewayArn:
+                    description: The ARN of the Transit Gateway to register.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/networkmanager.aws.upbound.io_vpcattachments.yaml b/package/crds/networkmanager.aws.upbound.io_vpcattachments.yaml
index e6182c39bd..8510fb482c 100644
--- a/package/crds/networkmanager.aws.upbound.io_vpcattachments.yaml
+++ b/package/crds/networkmanager.aws.upbound.io_vpcattachments.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -324,6 +328,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -512,12 +531,30 @@ spec:
                   coreNetworkArn:
                     description: The ARN of a core network.
                     type: string
+                  coreNetworkId:
+                    description: The ID of a core network for the VPC attachment.
+                    type: string
                   edgeLocation:
                     description: The Region where the edge is located.
                     type: string
                   id:
                     description: The ID of the attachment.
                     type: string
+                  options:
+                    description: Options for the VPC attachment.
+                    items:
+                      properties:
+                        applianceModeSupport:
+                          description: Indicates whether appliance mode is supported.
+                            If enabled, traffic flow between a source and destination
+                            use the same Availability Zone for the VPC attachment
+                            for the lifetime of that flow.
+                          type: boolean
+                        ipv6Support:
+                          description: Indicates whether IPv6 is supported.
+                          type: boolean
+                      type: object
+                    type: array
                   ownerAccountId:
                     description: The ID of the attachment account owner.
                     type: string
@@ -530,6 +567,16 @@ spec:
                   state:
                     description: The state of the attachment.
                     type: string
+                  subnetArns:
+                    description: The subnet ARN of the VPC attachment.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -537,6 +584,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcArn:
+                    description: The ARN of the VPC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opensearch.aws.upbound.io_domainpolicies.yaml b/package/crds/opensearch.aws.upbound.io_domainpolicies.yaml
index 81ee9f9b91..985a4670fa 100644
--- a/package/crds/opensearch.aws.upbound.io_domainpolicies.yaml
+++ b/package/crds/opensearch.aws.upbound.io_domainpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,9 +153,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - accessPolicies
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,11 +341,21 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accessPolicies is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accessPolicies)
           status:
             description: DomainPolicyStatus defines the observed state of DomainPolicy.
             properties:
               atProvider:
                 properties:
+                  accessPolicies:
+                    description: IAM policy document specifying the access policies
+                      for the domain
+                    type: string
+                  domainName:
+                    description: Name of the domain.
+                    type: string
                   id:
                     type: string
                 type: object
diff --git a/package/crds/opensearch.aws.upbound.io_domains.yaml b/package/crds/opensearch.aws.upbound.io_domains.yaml
index c31085cf91..62012ccda4 100644
--- a/package/crds/opensearch.aws.upbound.io_domains.yaml
+++ b/package/crds/opensearch.aws.upbound.io_domains.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -530,9 +534,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - domainName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -704,6 +722,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domainName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)
           status:
             description: DomainStatus defines the observed state of Domain.
             properties:
@@ -712,22 +733,340 @@ spec:
                   accessPolicies:
                     description: ', are prefaced with es: for both.'
                     type: string
+                  advancedOptions:
+                    additionalProperties:
+                      type: string
+                    description: Key-value string pairs to specify advanced configuration
+                      options.
+                    type: object
+                  advancedSecurityOptions:
+                    description: Configuration block for fine-grained access control.
+                      Detailed below.
+                    items:
+                      properties:
+                        anonymousAuthEnabled:
+                          description: Whether Anonymous auth is enabled. Enables
+                            fine-grained access control on an existing domain. Ignored
+                            unless advanced_security_options are enabled. Can only
+                            be enabled on an existing domain.
+                          type: boolean
+                        enabled:
+                          description: Whether advanced security is enabled.
+                          type: boolean
+                        internalUserDatabaseEnabled:
+                          description: Whether the internal user database is enabled.
+                            Default is false.
+                          type: boolean
+                        masterUserOptions:
+                          description: Configuration block for the main user. Detailed
+                            below.
+                          items:
+                            properties:
+                              masterUserArn:
+                                description: ARN for the main user. Only specify if
+                                  internal_user_database_enabled is not set or set
+                                  to false.
+                                type: string
+                              masterUserName:
+                                description: Main user's username, which is stored
+                                  in the Amazon OpenSearch Service domain's internal
+                                  database. Only specify if internal_user_database_enabled
+                                  is set to true.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   arn:
                     description: ARN of the domain.
                     type: string
+                  autoTuneOptions:
+                    description: Configuration block for the Auto-Tune options of
+                      the domain. Detailed below.
+                    items:
+                      properties:
+                        desiredState:
+                          description: 'Auto-Tune desired state for the domain. Valid
+                            values: ENABLED or DISABLED.'
+                          type: string
+                        maintenanceSchedule:
+                          description: Configuration block for Auto-Tune maintenance
+                            windows. Can be specified multiple times for each maintenance
+                            window. Detailed below.
+                          items:
+                            properties:
+                              cronExpressionForRecurrence:
+                                description: A cron expression specifying the recurrence
+                                  pattern for an Auto-Tune maintenance schedule.
+                                type: string
+                              duration:
+                                description: Configuration block for the duration
+                                  of the Auto-Tune maintenance window. Detailed below.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'Unit of time specifying the duration
+                                        of an Auto-Tune maintenance window. Valid
+                                        values: HOURS.'
+                                      type: string
+                                    value:
+                                      description: An integer specifying the value
+                                        of the duration of an Auto-Tune maintenance
+                                        window.
+                                      type: number
+                                  type: object
+                                type: array
+                              startAt:
+                                description: Date and time at which to start the Auto-Tune
+                                  maintenance schedule in RFC3339 format.
+                                type: string
+                            type: object
+                          type: array
+                        rollbackOnDisable:
+                          description: 'Whether to roll back to default Auto-Tune
+                            settings when disabling Auto-Tune. Valid values: DEFAULT_ROLLBACK
+                            or NO_ROLLBACK.'
+                          type: string
+                      type: object
+                    type: array
+                  clusterConfig:
+                    description: Configuration block for the cluster of the domain.
+                      Detailed below.
+                    items:
+                      properties:
+                        coldStorageOptions:
+                          description: Configuration block containing cold storage
+                            configuration. Detailed below.
+                          items:
+                            properties:
+                              enabled:
+                                description: Boolean to enable cold storage for an
+                                  OpenSearch domain. Defaults to false. Master and
+                                  ultrawarm nodes must be enabled for cold storage.
+                                type: boolean
+                            type: object
+                          type: array
+                        dedicatedMasterCount:
+                          description: Number of dedicated main nodes in the cluster.
+                          type: number
+                        dedicatedMasterEnabled:
+                          description: Whether dedicated main nodes are enabled for
+                            the cluster.
+                          type: boolean
+                        dedicatedMasterType:
+                          description: Instance type of the dedicated main nodes in
+                            the cluster.
+                          type: string
+                        instanceCount:
+                          description: Number of instances in the cluster.
+                          type: number
+                        instanceType:
+                          description: Instance type of data nodes in the cluster.
+                          type: string
+                        warmCount:
+                          description: Number of warm nodes in the cluster. Valid
+                            values are between 2 and 150. warm_count can be only and
+                            must be set when warm_enabled is set to true.
+                          type: number
+                        warmEnabled:
+                          description: Whether to enable warm storage.
+                          type: boolean
+                        warmType:
+                          description: Instance type for the OpenSearch cluster's
+                            warm nodes. Valid values are ultrawarm1.medium.search,
+                            ultrawarm1.large.search and ultrawarm1.xlarge.search.
+                            warm_type can be only and must be set when warm_enabled
+                            is set to true.
+                          type: string
+                        zoneAwarenessConfig:
+                          description: Configuration block containing zone awareness
+                            settings. Detailed below.
+                          items:
+                            properties:
+                              availabilityZoneCount:
+                                description: 'Number of Availability Zones for the
+                                  domain to use with zone_awareness_enabled. Defaults
+                                  to 2. Valid values: 2 or 3.'
+                                type: number
+                            type: object
+                          type: array
+                        zoneAwarenessEnabled:
+                          description: Whether zone awareness is enabled, set to true
+                            for multi-az deployment. To enable awareness with three
+                            Availability Zones, the availability_zone_count within
+                            the zone_awareness_config must be set to 3.
+                          type: boolean
+                      type: object
+                    type: array
+                  cognitoOptions:
+                    description: Configuration block for authenticating Kibana with
+                      Cognito. Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether Amazon Cognito authentication with
+                            Kibana is enabled or not. Default is false.
+                          type: boolean
+                        identityPoolId:
+                          description: ID of the Cognito Identity Pool to use.
+                          type: string
+                        roleArn:
+                          description: ARN of the IAM role that has the AmazonOpenSearchServiceCognitoAccess
+                            policy attached.
+                          type: string
+                        userPoolId:
+                          description: ID of the Cognito User Pool to use.
+                          type: string
+                      type: object
+                    type: array
+                  domainEndpointOptions:
+                    description: Configuration block for domain endpoint HTTP(S) related
+                      options. Detailed below.
+                    items:
+                      properties:
+                        customEndpoint:
+                          description: Fully qualified domain for your custom endpoint.
+                          type: string
+                        customEndpointCertificateArn:
+                          description: ACM certificate ARN for your custom endpoint.
+                          type: string
+                        customEndpointEnabled:
+                          description: Whether to enable custom endpoint for the OpenSearch
+                            domain.
+                          type: boolean
+                        enforceHttps:
+                          description: Whether or not to require HTTPS. Defaults to
+                            true.
+                          type: boolean
+                        tlsSecurityPolicy:
+                          description: 'Name of the TLS security policy that needs
+                            to be applied to the HTTPS endpoint. Valid values:  Policy-Min-TLS-1-0-2019-07
+                            and Policy-Min-TLS-1-2-2019-07.'
+                          type: string
+                      type: object
+                    type: array
                   domainId:
                     description: Unique identifier for the domain.
                     type: string
+                  domainName:
+                    description: Name of the domain.
+                    type: string
+                  ebsOptions:
+                    description: Configuration block for EBS related options, may
+                      be required based on chosen instance size. Detailed below.
+                    items:
+                      properties:
+                        ebsEnabled:
+                          description: Whether EBS volumes are attached to data nodes
+                            in the domain.
+                          type: boolean
+                        iops:
+                          description: Baseline input/output (I/O) performance of
+                            EBS volumes attached to data nodes. Applicable only for
+                            the GP3 and Provisioned IOPS EBS volume types.
+                          type: number
+                        throughput:
+                          description: Specifies the throughput (in MiB/s) of the
+                            EBS volumes attached to data nodes. Applicable only for
+                            the gp3 volume type. Valid values are between 125 and
+                            1000.
+                          type: number
+                        volumeSize:
+                          description: Size of EBS volumes attached to data nodes
+                            (in GiB).
+                          type: number
+                        volumeType:
+                          description: Type of EBS volumes attached to data nodes.
+                          type: string
+                      type: object
+                    type: array
+                  encryptAtRest:
+                    description: Configuration block for encrypt at rest options.
+                      Only available for certain instance types. Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether to enable encryption at rest. If the
+                            encrypt_at_rest block is not provided then this defaults
+                            to false. Enabling encryption on new domains requires
+                            an engine_version of OpenSearch_X.Y or Elasticsearch_5.1
+                            or greater.
+                          type: boolean
+                        kmsKeyId:
+                          description: KMS key ARN to encrypt the Elasticsearch domain
+                            with. If not specified then it defaults to using the aws/es
+                            service KMS key. Note that KMS will accept a KMS key ID
+                            but will return the key ARN.
+                          type: string
+                      type: object
+                    type: array
                   endpoint:
                     description: Domain-specific endpoint used to submit index, search,
                       and data upload requests.
                     type: string
+                  engineVersion:
+                    description: while Elasticsearch has elasticsearch_version
+                    type: string
                   id:
                     type: string
                   kibanaEndpoint:
                     description: Domain-specific endpoint for kibana without https
                       scheme.
                     type: string
+                  logPublishingOptions:
+                    description: Configuration block for publishing slow and application
+                      logs to CloudWatch Logs. This block can be declared multiple
+                      times, for each log_type, within the same resource. Detailed
+                      below.
+                    items:
+                      properties:
+                        cloudwatchLogGroupArn:
+                          description: ARN of the Cloudwatch log group to which log
+                            needs to be published.
+                          type: string
+                        enabled:
+                          description: Whether given log publishing option is enabled
+                            or not.
+                          type: boolean
+                        logType:
+                          description: 'Type of OpenSearch log. Valid values: INDEX_SLOW_LOGS,
+                            SEARCH_SLOW_LOGS, ES_APPLICATION_LOGS, AUDIT_LOGS.'
+                          type: string
+                      type: object
+                    type: array
+                  nodeToNodeEncryption:
+                    description: Configuration block for node-to-node encryption options.
+                      Detailed below.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether to enable node-to-node encryption.
+                            If the node_to_node_encryption block is not provided then
+                            this defaults to false. Enabling node-to-node encryption
+                            of a new domain requires an engine_version of OpenSearch_X.Y
+                            or Elasticsearch_6.0 or greater.
+                          type: boolean
+                      type: object
+                    type: array
+                  snapshotOptions:
+                    description: Configuration block for snapshot related options.
+                      Detailed below. DEPRECATED. For domains running OpenSearch 5.3
+                      and later, Amazon OpenSearch takes hourly automated snapshots,
+                      making this setting irrelevant. For domains running earlier
+                      versions, OpenSearch takes daily automated snapshots.
+                    items:
+                      properties:
+                        automatedSnapshotStartHour:
+                          description: Hour during which the service takes an automated
+                            daily snapshot of the indices in the domain.
+                          type: number
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -747,6 +1086,19 @@ spec:
                           items:
                             type: string
                           type: array
+                        securityGroupIds:
+                          description: List of VPC Security Group IDs to be applied
+                            to the OpenSearch domain endpoints. If omitted, the default
+                            Security Group for the VPC will be used.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: List of VPC Subnet IDs for the OpenSearch domain
+                            endpoints to be created in.
+                          items:
+                            type: string
+                          type: array
                         vpcId:
                           description: If the domain was created inside a VPC, the
                             ID of the VPC.
diff --git a/package/crds/opensearch.aws.upbound.io_domainsamloptions.yaml b/package/crds/opensearch.aws.upbound.io_domainsamloptions.yaml
index f990a4d2a5..e50bd3d5d4 100644
--- a/package/crds/opensearch.aws.upbound.io_domainsamloptions.yaml
+++ b/package/crds/opensearch.aws.upbound.io_domainsamloptions.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -209,6 +213,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -385,10 +404,54 @@ spec:
             properties:
               atProvider:
                 properties:
+                  domainName:
+                    description: Name of the domain.
+                    type: string
                   id:
                     description: Name of the domain the SAML options are associated
                       with.
                     type: string
+                  samlOptions:
+                    description: SAML authentication options for an AWS OpenSearch
+                      Domain.
+                    items:
+                      properties:
+                        enabled:
+                          description: Whether SAML authentication is enabled.
+                          type: boolean
+                        idp:
+                          description: Information from your identity provider.
+                          items:
+                            properties:
+                              entityId:
+                                description: Unique Entity ID of the application in
+                                  SAML Identity Provider.
+                                type: string
+                              metadataContent:
+                                description: Metadata of the SAML application in xml
+                                  format.
+                                type: string
+                            type: object
+                          type: array
+                        masterBackendRole:
+                          description: This backend role from the SAML IdP receives
+                            full permissions to the cluster, equivalent to a new master
+                            user.
+                          type: string
+                        rolesKey:
+                          description: Element of the SAML assertion to use for backend
+                            roles. Default is roles.
+                          type: string
+                        sessionTimeoutMinutes:
+                          description: Duration of a session in minutes after a user
+                            logs in. Default is 60. Maximum value is 1,440.
+                          type: number
+                        subjectKey:
+                          description: Element of the SAML assertion to use for username.
+                            Default is NameID.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_applications.yaml b/package/crds/opsworks.aws.upbound.io_applications.yaml
index f635743a20..e7c7e51054 100644
--- a/package/crds/opsworks.aws.upbound.io_applications.yaml
+++ b/package/crds/opsworks.aws.upbound.io_applications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -304,10 +308,22 @@ spec:
                     description: Opsworks application type. One of aws-flow-ruby,
                       java, rails, php, nodejs, static or other.
                     type: string
-                required:
-                - name
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -479,14 +495,125 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: ApplicationStatus defines the observed state of Application.
             properties:
               atProvider:
                 properties:
+                  appSource:
+                    description: SCM configuration of the app as described below.
+                    items:
+                      properties:
+                        revision:
+                          description: For sources that are version-aware, the revision
+                            to use.
+                          type: string
+                        type:
+                          description: The type of source to use. For example, "archive".
+                          type: string
+                        url:
+                          description: The URL where the app resource can be found.
+                          type: string
+                        username:
+                          description: Username to use when authenticating to the
+                            source.
+                          type: string
+                      type: object
+                    type: array
+                  autoBundleOnDeploy:
+                    description: Run bundle install when deploying for application
+                      of type rails.
+                    type: string
+                  awsFlowRubySettings:
+                    description: Specify activity and workflow workers for your app
+                      using the aws-flow gem.
+                    type: string
+                  dataSourceArn:
+                    description: The data source's ARN.
+                    type: string
+                  dataSourceDatabaseName:
+                    description: The database name.
+                    type: string
+                  dataSourceType:
+                    description: The data source's type one of AutoSelectOpsworksMysqlInstance,
+                      OpsworksMysqlInstance, or RdsDbInstance.
+                    type: string
+                  description:
+                    description: A description of the app.
+                    type: string
+                  documentRoot:
+                    description: Subfolder for the document root for application of
+                      type rails.
+                    type: string
+                  domains:
+                    description: A list of virtual host alias.
+                    items:
+                      type: string
+                    type: array
+                  enableSsl:
+                    description: Whether to enable SSL for the app. This must be set
+                      in order to let ssl_configuration.private_key, ssl_configuration.certificate
+                      and ssl_configuration.chain take effect.
+                    type: boolean
+                  environment:
+                    description: Object to define environment variables.  Object is
+                      described below.
+                    items:
+                      properties:
+                        key:
+                          description: Variable name.
+                          type: string
+                        secure:
+                          description: Set visibility of the variable value to true
+                            or false.
+                          type: boolean
+                        value:
+                          description: Variable value.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The id of the application.
                     type: string
+                  name:
+                    description: A human-readable name for the application.
+                    type: string
+                  railsEnv:
+                    description: The name of the Rails environment for application
+                      of type rails.
+                    type: string
+                  shortName:
+                    description: A short, machine-readable name for the application.
+                      This can only be defined on resource creation and ignored on
+                      resource update.
+                    type: string
+                  sslConfiguration:
+                    description: The SSL configuration of the app. Object is described
+                      below.
+                    items:
+                      properties:
+                        certificate:
+                          description: The contents of the certificate's domain.crt
+                            file.
+                          type: string
+                        chain:
+                          description: Can be used to specify an intermediate certificate
+                            authority key or client authentication.
+                          type: string
+                      type: object
+                    type: array
+                  stackId:
+                    description: ID of the stack the application will belong to.
+                    type: string
+                  type:
+                    description: Opsworks application type. One of aws-flow-ruby,
+                      java, rails, php, nodejs, static or other.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_customlayers.yaml b/package/crds/opsworks.aws.upbound.io_customlayers.yaml
index eca41cb5f2..fecd27f6ad 100644
--- a/package/crds/opsworks.aws.upbound.io_customlayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_customlayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -503,10 +507,22 @@ spec:
                   useEbsOptimizedInstances:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
-                required:
-                - name
-                - shortName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -678,6 +694,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: shortName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.shortName)
           status:
             description: CustomLayerStatus defines the observed state of CustomLayer.
             properties:
@@ -686,9 +707,288 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    description: Will create an EBS volume and connect it to the layer's
+                      instances. See Cloudwatch Configuration.
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          description: A block the specifies how an opsworks logs
+                            look like. See Log Streams.
+                          items:
+                            properties:
+                              batchCount:
+                                description: Specifies the max number of log events
+                                  in a batch, up to 10000. The default value is 1000.
+                                type: number
+                              batchSize:
+                                description: Specifies the maximum size of log events
+                                  in a batch, in bytes, up to 1048576 bytes. The default
+                                  value is 32768 bytes.
+                                type: number
+                              bufferDuration:
+                                description: Specifies the time duration for the batching
+                                  of log events. The minimum value is 5000 and default
+                                  value is 5000.
+                                type: number
+                              datetimeFormat:
+                                description: Specifies how the timestamp is extracted
+                                  from logs. For more information, see the CloudWatch
+                                  Logs Agent Reference (https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AgentReference.html).
+                                type: string
+                              encoding:
+                                description: Specifies the encoding of the log file
+                                  so that the file can be read correctly. The default
+                                  is utf_8.
+                                type: string
+                              file:
+                                description: Specifies log files that you want to
+                                  push to CloudWatch Logs. File can point to a specific
+                                  file or multiple files (by using wild card characters
+                                  such as /var/log/system.log*).
+                                type: string
+                              fileFingerprintLines:
+                                description: Specifies the range of lines for identifying
+                                  a file. The valid values are one number, or two
+                                  dash-delimited numbers, such as 1, 2-5. The default
+                                  value is 1.
+                                type: string
+                              initialPosition:
+                                description: Specifies where to start to read data
+                                  (start_of_file or end_of_file). The default is start_of_file.
+                                type: string
+                              logGroupName:
+                                description: Specifies the destination log group.
+                                  A log group is created automatically if it doesn't
+                                  already exist.
+                                type: string
+                              multilineStartPattern:
+                                description: Specifies the pattern for identifying
+                                  the start of a log message.
+                                type: string
+                              timeZone:
+                                description: Specifies the time zone of log event
+                                  time stamps.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: Will create an EBS volume and connect it to the layer's
+                      instances. See EBS Volume.
+                    items:
+                      properties:
+                        encrypted:
+                          description: Encrypt the volume.
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    description: Load-based auto scaling configuration. See Load Based
+                      AutoScaling
+                    items:
+                      properties:
+                        downscaling:
+                          description: The downscaling settings, as defined below,
+                            used for load-based autoscaling
+                          items:
+                            properties:
+                              alarms:
+                                description: Custom Cloudwatch auto scaling alarms,
+                                  to be used as thresholds. This parameter takes a
+                                  list of up to five alarm names, which are case sensitive
+                                  and must be in the same region as the stack.
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                description: The CPU utilization threshold, as a percent
+                                  of the available CPU. A value of -1 disables the
+                                  threshold.
+                                type: number
+                              ignoreMetricsTime:
+                                description: The amount of time (in minutes) after
+                                  a scaling event occurs that AWS OpsWorks Stacks
+                                  should ignore metrics and suppress additional scaling
+                                  events.
+                                type: number
+                              instanceCount:
+                                description: The number of instances to add or remove
+                                  when the load exceeds a threshold.
+                                type: number
+                              loadThreshold:
+                                description: The load threshold. A value of -1 disables
+                                  the threshold.
+                                type: number
+                              memoryThreshold:
+                                description: The memory utilization threshold, as
+                                  a percent of the available memory. A value of -1
+                                  disables the threshold.
+                                type: number
+                              thresholdsWaitTime:
+                                description: The amount of time, in minutes, that
+                                  the load must exceed a threshold before more instances
+                                  are added or removed.
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          description: Whether load-based auto scaling is enabled
+                            for the layer.
+                          type: boolean
+                        upscaling:
+                          description: The upscaling settings, as defined below, used
+                            for load-based autoscaling
+                          items:
+                            properties:
+                              alarms:
+                                description: Custom Cloudwatch auto scaling alarms,
+                                  to be used as thresholds. This parameter takes a
+                                  list of up to five alarm names, which are case sensitive
+                                  and must be in the same region as the stack.
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                description: The CPU utilization threshold, as a percent
+                                  of the available CPU. A value of -1 disables the
+                                  threshold.
+                                type: number
+                              ignoreMetricsTime:
+                                description: The amount of time (in minutes) after
+                                  a scaling event occurs that AWS OpsWorks Stacks
+                                  should ignore metrics and suppress additional scaling
+                                  events.
+                                type: number
+                              instanceCount:
+                                description: The number of instances to add or remove
+                                  when the load exceeds a threshold.
+                                type: number
+                              loadThreshold:
+                                description: The load threshold. A value of -1 disables
+                                  the threshold.
+                                type: number
+                              memoryThreshold:
+                                description: The memory utilization threshold, as
+                                  a percent of the available memory. A value of -1
+                                  disables the threshold.
+                                type: number
+                              thresholdsWaitTime:
+                                description: The amount of time, in minutes, that
+                                  the load must exceed a threshold before more instances
+                                  are added or removed.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  shortName:
+                    description: A short, machine-readable name for the layer, which
+                      will be used to identify it in the Chef node JSON.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -696,6 +996,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_ecsclusterlayers.yaml b/package/crds/opsworks.aws.upbound.io_ecsclusterlayers.yaml
index b797b05318..1166516033 100644
--- a/package/crds/opsworks.aws.upbound.io_ecsclusterlayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_ecsclusterlayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -491,6 +495,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -670,13 +689,209 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  ecsClusterArn:
+                    description: The ECS Cluster ARN of the layer.
+                    type: string
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_ganglialayers.yaml b/package/crds/opsworks.aws.upbound.io_ganglialayers.yaml
index ccf9a0f7e6..9e2288af8c 100644
--- a/package/crds/opsworks.aws.upbound.io_ganglialayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_ganglialayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -424,9 +428,22 @@ spec:
                     description: (Optiona) The username to use for Ganglia. Defaults
                       to "opsworks".
                     type: string
-                required:
-                - password
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -598,6 +615,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: password is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.password)
           status:
             description: GangliaLayerStatus defines the observed state of GangliaLayer.
             properties:
@@ -606,9 +626,202 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  password:
+                    description: The password to use for Ganglia.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -616,6 +829,16 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  url:
+                    description: The URL path to use for Ganglia. Defaults to "/ganglia".
+                    type: string
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
+                  username:
+                    description: (Optiona) The username to use for Ganglia. Defaults
+                      to "opsworks".
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_haproxylayers.yaml b/package/crds/opsworks.aws.upbound.io_haproxylayers.yaml
index 9a050bcad9..00d1ad541f 100644
--- a/package/crds/opsworks.aws.upbound.io_haproxylayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_haproxylayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -434,9 +438,22 @@ spec:
                   useEbsOptimizedInstances:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
-                required:
-                - statsPassword
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -608,6 +625,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: statsPassword is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.statsPassword)
           status:
             description: HAProxyLayerStatus defines the observed state of HAProxyLayer.
             properties:
@@ -616,9 +636,219 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
+                  healthcheckMethod:
+                    description: HTTP method to use for instance healthchecks. Defaults
+                      to "OPTIONS".
+                    type: string
+                  healthcheckUrl:
+                    description: URL path to use for instance healthchecks. Defaults
+                      to "/".
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  statsEnabled:
+                    description: Whether to enable HAProxy stats.
+                    type: boolean
+                  statsPassword:
+                    description: The password to use for HAProxy stats.
+                    type: string
+                  statsUrl:
+                    description: The HAProxy stats URL. Defaults to "/haproxy?stats".
+                    type: string
+                  statsUser:
+                    description: The username for HAProxy stats. Defaults to "opsworks".
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -626,6 +856,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_instances.yaml b/package/crds/opsworks.aws.upbound.io_instances.yaml
index 659e4c1aef..8e6b9706d0 100644
--- a/package/crds/opsworks.aws.upbound.io_instances.yaml
+++ b/package/crds/opsworks.aws.upbound.io_instances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -534,6 +538,21 @@ spec:
                       instances will use. Valid values are paravirtual or hvm.
                     type: string
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -710,15 +729,120 @@ spec:
             properties:
               atProvider:
                 properties:
+                  agentVersion:
+                    description: OpsWorks agent to install. Default is INHERIT.
+                    type: string
+                  amiId:
+                    description: AMI to use for the instance.  If an AMI is specified,
+                      os must be Custom.
+                    type: string
+                  architecture:
+                    description: Machine architecture for created instances.  Valid
+                      values are x86_64 or i386. The default is x86_64.
+                    type: string
+                  autoScalingType:
+                    description: Creates load-based or time-based instances.  Valid
+                      values are load, timer.
+                    type: string
+                  availabilityZone:
+                    description: Name of the availability zone where instances will
+                      be created by default.
+                    type: string
+                  createdAt:
+                    description: Time that the instance was created.
+                    type: string
+                  deleteEbs:
+                    description: Whether to delete EBS volume on deletion. Default
+                      is true.
+                    type: boolean
+                  deleteEip:
+                    description: Whether to delete the Elastic IP on deletion.
+                    type: boolean
+                  ebsBlockDevice:
+                    description: Configuration block for additional EBS block devices
+                      to attach to the instance. See Block Devices below.
+                    items:
+                      properties:
+                        deleteOnTermination:
+                          description: Whether the volume should be destroyed on instance
+                            termination. Default is true.
+                          type: boolean
+                        deviceName:
+                          description: Name of the device to mount.
+                          type: string
+                        iops:
+                          description: Amount of provisioned IOPS. This must be set
+                            with a volume_type of io1.
+                          type: number
+                        snapshotId:
+                          description: Snapshot ID to mount.
+                          type: string
+                        volumeSize:
+                          description: Size of the volume in gigabytes.
+                          type: number
+                        volumeType:
+                          description: Type of volume. Valid values are standard,
+                            gp2, or io1. Default is standard.
+                          type: string
+                      type: object
+                    type: array
+                  ebsOptimized:
+                    description: Whether the launched EC2 instance will be EBS-optimized.
+                    type: boolean
                   ec2InstanceId:
                     description: EC2 instance ID.
                     type: string
+                  ecsClusterArn:
+                    description: ECS cluster's ARN for container instances.
+                    type: string
+                  elasticIp:
+                    description: Instance Elastic IP address.
+                    type: string
+                  ephemeralBlockDevice:
+                    description: Configuration block for ephemeral (also known as
+                      "Instance Store") volumes on the instance. See Block Devices
+                      below.
+                    items:
+                      properties:
+                        deviceName:
+                          description: Name of the block device to mount on the instance.
+                          type: string
+                        virtualName:
+                          description: The Instance Store Device Name (e.g., ephemeral0).
+                          type: string
+                      type: object
+                    type: array
+                  hostname:
+                    description: Instance's host name.
+                    type: string
                   id:
                     description: ID of the OpsWorks instance.
                     type: string
+                  infrastructureClass:
+                    description: 'For registered instances, infrastructure class:
+                      ec2 or on-premises.'
+                    type: string
+                  installUpdatesOnBoot:
+                    description: Controls where to install OS and package updates
+                      when the instance boots.  Default is true.
+                    type: boolean
+                  instanceProfileArn:
+                    description: ARN of the instance's IAM profile.
+                    type: string
+                  instanceType:
+                    description: Type of instance to start.
+                    type: string
                   lastServiceErrorId:
                     description: ID of the last service error.
                     type: string
+                  layerIds:
+                    description: List of the layers the instance will belong to.
+                    items:
+                      type: string
+                    type: array
+                  os:
+                    description: Name of operating system that will be installed.
+                    type: string
                   platform:
                     description: Instance's platform.
                     type: string
@@ -756,15 +880,75 @@ spec:
                     description: For registered instances, the reported operating
                       system version.
                     type: string
+                  rootBlockDevice:
+                    description: Configuration block for the root block device of
+                      the instance. See Block Devices below.
+                    items:
+                      properties:
+                        deleteOnTermination:
+                          description: Whether the volume should be destroyed on instance
+                            termination. Default is true.
+                          type: boolean
+                        iops:
+                          description: Amount of provisioned IOPS. This must be set
+                            with a volume_type of io1.
+                          type: number
+                        volumeSize:
+                          description: Size of the volume in gigabytes.
+                          type: number
+                        volumeType:
+                          description: Type of volume. Valid values are standard,
+                            gp2, or io1. Default is standard.
+                          type: string
+                      type: object
+                    type: array
+                  rootDeviceType:
+                    description: Name of the type of root device instances will have
+                      by default. Valid values are ebs or instance-store.
+                    type: string
                   rootDeviceVolumeId:
                     description: Root device volume ID.
                     type: string
+                  securityGroupIds:
+                    description: Associated security groups.
+                    items:
+                      type: string
+                    type: array
                   sshHostDsaKeyFingerprint:
                     description: SSH key's Deep Security Agent (DSA) fingerprint.
                     type: string
                   sshHostRsaKeyFingerprint:
                     description: SSH key's RSA fingerprint.
                     type: string
+                  sshKeyName:
+                    description: Name of the SSH keypair that instances will have
+                      by default.
+                    type: string
+                  stackId:
+                    description: Identifier of the stack the instance will belong
+                      to.
+                    type: string
+                  state:
+                    description: Desired state of the instance. Valid values are running
+                      or stopped.
+                    type: string
+                  status:
+                    description: Instance status. Will be one of booting, connection_lost,
+                      online, pending, rebooting, requested, running_setup, setup_failed,
+                      shutting_down, start_failed, stop_failed, stopped, stopping,
+                      terminated, or terminating.
+                    type: string
+                  subnetId:
+                    description: Subnet ID to attach to.
+                    type: string
+                  tenancy:
+                    description: Instance tenancy to use. Valid values are default,
+                      dedicated or host.
+                    type: string
+                  virtualizationType:
+                    description: Keyword to choose what virtualization mode created
+                      instances will use. Valid values are paravirtual or hvm.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_javaapplayers.yaml b/package/crds/opsworks.aws.upbound.io_javaapplayers.yaml
index c872246860..4ca5d1055e 100644
--- a/package/crds/opsworks.aws.upbound.io_javaapplayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_javaapplayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -432,6 +436,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -608,12 +627,219 @@ spec:
             properties:
               atProvider:
                 properties:
+                  appServer:
+                    description: Keyword for the application container to use. Defaults
+                      to "tomcat".
+                    type: string
+                  appServerVersion:
+                    description: Version of the selected application container to
+                      use. Defaults to "7".
+                    type: string
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  jvmOptions:
+                    description: Options to set for the JVM.
+                    type: string
+                  jvmType:
+                    description: Keyword for the type of JVM to use. Defaults to openjdk.
+                    type: string
+                  jvmVersion:
+                    description: Version of JVM to use. Defaults to "7".
+                    type: string
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -621,6 +847,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_memcachedlayers.yaml b/package/crds/opsworks.aws.upbound.io_memcachedlayers.yaml
index 540dab8c62..afbad0f5d1 100644
--- a/package/crds/opsworks.aws.upbound.io_memcachedlayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_memcachedlayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -419,6 +423,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -595,12 +614,206 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allocatedMemory:
+                    description: Amount of memory to allocate for the cache on each
+                      instance, in megabytes. Defaults to 512MB.
+                    type: number
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -608,6 +821,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_mysqllayers.yaml b/package/crds/opsworks.aws.upbound.io_mysqllayers.yaml
index 6cdeef2886..3b54293e7b 100644
--- a/package/crds/opsworks.aws.upbound.io_mysqllayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_mysqllayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -422,6 +426,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -601,9 +620,206 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  rootPassword:
+                    description: Root password to use for MySQL.
+                    type: string
+                  rootPasswordOnAllInstances:
+                    description: Whether to set the root user password to all instances
+                      in the stack so they can access the instances in this layer.
+                    type: boolean
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -611,6 +827,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_nodejsapplayers.yaml b/package/crds/opsworks.aws.upbound.io_nodejsapplayers.yaml
index 65cccbda6a..81da319c1d 100644
--- a/package/crds/opsworks.aws.upbound.io_nodejsapplayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_nodejsapplayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -418,6 +422,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -597,9 +616,202 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  nodejsVersion:
+                    description: The version of NodeJS to use. Defaults to "0.10.38".
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -607,6 +819,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_permissions.yaml b/package/crds/opsworks.aws.upbound.io_permissions.yaml
index c728a42c0a..0b85ae9310 100644
--- a/package/crds/opsworks.aws.upbound.io_permissions.yaml
+++ b/package/crds/opsworks.aws.upbound.io_permissions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -229,6 +233,21 @@ spec:
                         type: object
                     type: object
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,11 +424,29 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allowSsh:
+                    description: Whether the user is allowed to use SSH to communicate
+                      with the instance
+                    type: boolean
+                  allowSudo:
+                    description: Whether the user is allowed to use sudo to elevate
+                      privileges
+                    type: boolean
                   id:
                     description: The computed id of the permission. Please note that
                       this is only used internally to identify the permission. This
                       value is not used in aws.
                     type: string
+                  level:
+                    description: The users permission level. Mus be one of deny, show,
+                      deploy, manage, iam_only
+                    type: string
+                  stackId:
+                    description: The stack to set the permissions for
+                    type: string
+                  userArn:
+                    description: The user's IAM ARN to set permissions for
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_phpapplayers.yaml b/package/crds/opsworks.aws.upbound.io_phpapplayers.yaml
index baa3249cf4..d64be3cd0f 100644
--- a/package/crds/opsworks.aws.upbound.io_phpapplayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_phpapplayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -415,6 +419,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -594,9 +613,199 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -604,6 +813,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_railsapplayers.yaml b/package/crds/opsworks.aws.upbound.io_railsapplayers.yaml
index 44c300295b..07c77896a4 100644
--- a/package/crds/opsworks.aws.upbound.io_railsapplayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_railsapplayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -434,6 +438,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -610,12 +629,221 @@ spec:
             properties:
               atProvider:
                 properties:
+                  appServer:
+                    description: Keyword for the app server to use. Defaults to "apache_passenger".
+                    type: string
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  bundlerVersion:
+                    description: When OpsWorks is managing Bundler, which version
+                      to use. Defaults to "1.5.3".
+                    type: string
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    description: Custom JSON attributes to apply to the layer.
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  manageBundler:
+                    description: Whether OpsWorks should manage bundler. On by default.
+                    type: boolean
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  passengerVersion:
+                    description: The version of Passenger to use. Defaults to "4.0.46".
+                    type: string
+                  rubyVersion:
+                    description: The version of Ruby to use. Defaults to "2.0.0".
+                    type: string
+                  rubygemsVersion:
+                    description: The version of RubyGems to use. Defaults to "2.2.2".
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -623,6 +851,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_rdsdbinstances.yaml b/package/crds/opsworks.aws.upbound.io_rdsdbinstances.yaml
index 051e796729..4cdd7c0957 100644
--- a/package/crds/opsworks.aws.upbound.io_rdsdbinstances.yaml
+++ b/package/crds/opsworks.aws.upbound.io_rdsdbinstances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -238,10 +242,22 @@ spec:
                             type: string
                         type: object
                     type: object
-                required:
-                - dbPasswordSecretRef
-                - dbUser
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -413,16 +429,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dbPasswordSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbPasswordSecretRef)
+            - message: dbUser is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbUser)
           status:
             description: RDSDBInstanceStatus defines the observed state of RDSDBInstance.
             properties:
               atProvider:
                 properties:
+                  dbUser:
+                    description: A db username
+                    type: string
                   id:
                     description: The computed id. Please note that this is only used
                       internally to identify the stack <-> instance relation. This
                       value is not used in aws.
                     type: string
+                  rdsDbInstanceArn:
+                    description: The db instance to register for this stack. Changing
+                      this will force a new resource.
+                    type: string
+                  stackId:
+                    description: The stack to register a db instance for. Changing
+                      this will force a new resource.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_stacks.yaml b/package/crds/opsworks.aws.upbound.io_stacks.yaml
index f4624a403b..25e82cf7d6 100644
--- a/package/crds/opsworks.aws.upbound.io_stacks.yaml
+++ b/package/crds/opsworks.aws.upbound.io_stacks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -503,9 +507,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -677,18 +695,115 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: StackStatus defines the observed state of Stack.
             properties:
               atProvider:
                 properties:
+                  agentVersion:
+                    description: If set to "LATEST", OpsWorks will automatically install
+                      the latest version.
+                    type: string
                   arn:
                     type: string
+                  berkshelfVersion:
+                    description: If manage_berkshelf is enabled, the version of Berkshelf
+                      to use.
+                    type: string
+                  color:
+                    description: Color to paint next to the stack's resources in the
+                      OpsWorks console.
+                    type: string
+                  configurationManagerName:
+                    description: Name of the configuration manager to use. Defaults
+                      to "Chef".
+                    type: string
+                  configurationManagerVersion:
+                    description: Version of the configuration manager to use. Defaults
+                      to "11.4".
+                    type: string
+                  customCookbooksSource:
+                    description: When use_custom_cookbooks is set, provide this sub-object
+                      as described below.
+                    items:
+                      properties:
+                        revision:
+                          description: For sources that are version-aware, the revision
+                            to use.
+                          type: string
+                        type:
+                          description: The type of source to use. For example, "archive".
+                          type: string
+                        url:
+                          description: The URL where the cookbooks resource can be
+                            found.
+                          type: string
+                        username:
+                          description: Username to use when authenticating to the
+                            source.
+                          type: string
+                      type: object
+                    type: array
+                  customJson:
+                    description: User defined JSON passed to "Chef". Use a "here doc"
+                      for multiline JSON.
+                    type: string
+                  defaultAvailabilityZone:
+                    description: Name of the availability zone where instances will
+                      be created by default. Cannot be set when vpc_id is set.
+                    type: string
+                  defaultInstanceProfileArn:
+                    description: The ARN of an IAM Instance Profile that created instances
+                      will have by default.
+                    type: string
+                  defaultOs:
+                    description: Name of OS that will be installed on instances by
+                      default.
+                    type: string
+                  defaultRootDeviceType:
+                    description: Name of the type of root device instances will have
+                      by default.
+                    type: string
+                  defaultSshKeyName:
+                    description: Name of the SSH keypair that instances will have
+                      by default.
+                    type: string
+                  defaultSubnetId:
+                    description: ID of the subnet in which instances will be created
+                      by default. Required if vpc_id is set to a VPC other than the
+                      default VPC, and forbidden if it isn't.
+                    type: string
+                  hostnameTheme:
+                    description: Keyword representing the naming scheme that will
+                      be used for instance hostnames within this stack.
+                    type: string
                   id:
                     description: The id of the stack.
                     type: string
+                  manageBerkshelf:
+                    description: Boolean value controlling whether Opsworks will run
+                      Berkshelf for this stack.
+                    type: boolean
+                  name:
+                    description: The name of the stack.
+                    type: string
+                  region:
+                    description: The name of the region where the stack will exist.
+                    type: string
+                  serviceRoleArn:
+                    description: The ARN of an IAM role that the OpsWorks service
+                      will act as.
+                    type: string
                   stackEndpoint:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -696,6 +811,18 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useCustomCookbooks:
+                    description: Boolean value controlling whether the custom cookbook
+                      settings are enabled.
+                    type: boolean
+                  useOpsworksSecurityGroups:
+                    description: Boolean value controlling whether the standard OpsWorks
+                      security groups apply to created instances.
+                    type: boolean
+                  vpcId:
+                    description: ID of the VPC that this stack belongs to. Defaults
+                      to the region's default VPC.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_staticweblayers.yaml b/package/crds/opsworks.aws.upbound.io_staticweblayers.yaml
index f6e49c860c..ebb6ceec42 100644
--- a/package/crds/opsworks.aws.upbound.io_staticweblayers.yaml
+++ b/package/crds/opsworks.aws.upbound.io_staticweblayers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -414,6 +418,21 @@ spec:
                     description: Whether to use EBS-optimized instances.
                     type: boolean
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -593,9 +612,198 @@ spec:
                   arn:
                     description: The Amazon Resource Name(ARN) of the layer.
                     type: string
+                  autoAssignElasticIps:
+                    description: Whether to automatically assign an elastic IP address
+                      to the layer's instances.
+                    type: boolean
+                  autoAssignPublicIps:
+                    description: For stacks belonging to a VPC, whether to automatically
+                      assign a public IP address to each of the layer's instances.
+                    type: boolean
+                  autoHealing:
+                    description: Whether to enable auto-healing for the layer.
+                    type: boolean
+                  cloudwatchConfiguration:
+                    items:
+                      properties:
+                        enabled:
+                          type: boolean
+                        logStreams:
+                          items:
+                            properties:
+                              batchCount:
+                                type: number
+                              batchSize:
+                                type: number
+                              bufferDuration:
+                                type: number
+                              datetimeFormat:
+                                type: string
+                              encoding:
+                                type: string
+                              file:
+                                type: string
+                              fileFingerprintLines:
+                                type: string
+                              initialPosition:
+                                type: string
+                              logGroupName:
+                                description: A human-readable name for the layer.
+                                type: string
+                              multilineStartPattern:
+                                type: string
+                              timeZone:
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  customConfigureRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customDeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customInstanceProfileArn:
+                    description: The ARN of an IAM profile that will be used for the
+                      layer's instances.
+                    type: string
+                  customJson:
+                    type: string
+                  customSecurityGroupIds:
+                    description: Ids for a set of security groups to apply to the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  customSetupRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customShutdownRecipes:
+                    items:
+                      type: string
+                    type: array
+                  customUndeployRecipes:
+                    items:
+                      type: string
+                    type: array
+                  drainElbOnShutdown:
+                    description: Whether to enable Elastic Load Balancing connection
+                      draining.
+                    type: boolean
+                  ebsVolume:
+                    description: ebs_volume blocks, as described below, will each
+                      create an EBS volume and connect it to the layer's instances.
+                    items:
+                      properties:
+                        encrypted:
+                          type: boolean
+                        iops:
+                          description: For PIOPS volumes, the IOPS per disk.
+                          type: number
+                        mountPoint:
+                          description: The path to mount the EBS volume on the layer's
+                            instances.
+                          type: string
+                        numberOfDisks:
+                          description: The number of disks to use for the EBS volume.
+                          type: number
+                        raidLevel:
+                          description: The RAID level to use for the volume.
+                          type: string
+                        size:
+                          description: The size of the volume in gigabytes.
+                          type: number
+                        type:
+                          description: The type of volume to create. This may be standard
+                            (the default), io1 or gp2.
+                          type: string
+                      type: object
+                    type: array
+                  elasticLoadBalancer:
+                    description: Name of an Elastic Load Balancer to attach to this
+                      layer
+                    type: string
                   id:
                     description: The id of the layer.
                     type: string
+                  installUpdatesOnBoot:
+                    description: Whether to install OS and package updates on each
+                      instance when it boots.
+                    type: boolean
+                  instanceShutdownTimeout:
+                    description: The time, in seconds, that OpsWorks will wait for
+                      Chef to complete after triggering the Shutdown event.
+                    type: number
+                  loadBasedAutoScaling:
+                    items:
+                      properties:
+                        downscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                        enable:
+                          type: boolean
+                        upscaling:
+                          items:
+                            properties:
+                              alarms:
+                                items:
+                                  type: string
+                                type: array
+                              cpuThreshold:
+                                type: number
+                              ignoreMetricsTime:
+                                type: number
+                              instanceCount:
+                                type: number
+                              loadThreshold:
+                                type: number
+                              memoryThreshold:
+                                type: number
+                              thresholdsWaitTime:
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  name:
+                    description: A human-readable name for the layer.
+                    type: string
+                  stackId:
+                    description: ID of the stack the layer will belong to.
+                    type: string
+                  systemPackages:
+                    description: Names of a set of system packages to install on the
+                      layer's instances.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -603,6 +811,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  useEbsOptimizedInstances:
+                    description: Whether to use EBS-optimized instances.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/opsworks.aws.upbound.io_userprofiles.yaml b/package/crds/opsworks.aws.upbound.io_userprofiles.yaml
index f966349031..98217933af 100644
--- a/package/crds/opsworks.aws.upbound.io_userprofiles.yaml
+++ b/package/crds/opsworks.aws.upbound.io_userprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,9 +155,22 @@ spec:
                             type: string
                         type: object
                     type: object
-                required:
-                - sshUsername
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,14 +342,31 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: sshUsername is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.sshUsername)
           status:
             description: UserProfileStatus defines the observed state of UserProfile.
             properties:
               atProvider:
                 properties:
+                  allowSelfManagement:
+                    description: Whether users can specify their own SSH public key
+                      through the My Settings page
+                    type: boolean
                   id:
                     description: Same value as user_arn
                     type: string
+                  sshPublicKey:
+                    description: The users public key
+                    type: string
+                  sshUsername:
+                    description: The ssh username, with witch this user wants to log
+                      in
+                    type: string
+                  userArn:
+                    description: The user's IAM ARN
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/organizations.aws.upbound.io_accounts.yaml b/package/crds/organizations.aws.upbound.io_accounts.yaml
index c62c375256..8c51d70d57 100644
--- a/package/crds/organizations.aws.upbound.io_accounts.yaml
+++ b/package/crds/organizations.aws.upbound.io_accounts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -107,10 +111,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - email
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -282,6 +299,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: email is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AccountStatus defines the observed state of Account.
             properties:
@@ -290,9 +312,34 @@ spec:
                   arn:
                     description: The ARN for this account.
                     type: string
+                  closeOnDeletion:
+                    description: If true, a deletion event will close the account.
+                      Otherwise, it will only remove from the organization. This is
+                      not supported for GovCloud accounts.
+                    type: boolean
+                  createGovcloud:
+                    description: Whether to also create a GovCloud account. The GovCloud
+                      account is tied to the main (commercial) account this resource
+                      creates. If true, the GovCloud account ID is available in the
+                      govcloud_id attribute.
+                    type: boolean
+                  email:
+                    description: Email address of the owner to assign to the new member
+                      account. This email address must not already be associated with
+                      another AWS account.
+                    type: string
                   govcloudId:
                     description: ID for a GovCloud account created with the account.
                     type: string
+                  iamUserAccessToBilling:
+                    description: If set to ALLOW, the new account enables IAM users
+                      and roles to access account billing information if they have
+                      the required permissions. If set to DENY, then only the root
+                      user (and no roles) of the new account can access account billing
+                      information. If this is unset, the AWS API will default this
+                      to ALLOW. If the resource is created and this option is changed,
+                      it will try to recreate the account.
+                    type: string
                   id:
                     description: The AWS account id
                     type: string
@@ -300,8 +347,21 @@ spec:
                     type: string
                   joinedTimestamp:
                     type: string
+                  name:
+                    description: Friendly name for the member account.
+                    type: string
+                  parentId:
+                    description: Parent Organizational Unit ID or Root ID for the
+                      account. Defaults to the Organization default Root ID. A configuration
+                      must be present for this argument to perform drift detection.
+                    type: string
                   status:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/organizations.aws.upbound.io_delegatedadministrators.yaml b/package/crds/organizations.aws.upbound.io_delegatedadministrators.yaml
index 973e01c51b..b944b9dbec 100644
--- a/package/crds/organizations.aws.upbound.io_delegatedadministrators.yaml
+++ b/package/crds/organizations.aws.upbound.io_delegatedadministrators.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,8 +157,22 @@ spec:
                     type: string
                 required:
                 - region
-                - servicePrincipal
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,12 +344,19 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: servicePrincipal is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.servicePrincipal)
           status:
             description: DelegatedAdministratorStatus defines the observed state of
               DelegatedAdministrator.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The account ID number of the member account in the
+                      organization to register as a delegated administrator.
+                    type: string
                   arn:
                     description: The Amazon Resource Name (ARN) of the delegated administrator's
                       account.
@@ -358,6 +383,10 @@ spec:
                     description: The friendly name of the delegated administrator's
                       account.
                     type: string
+                  servicePrincipal:
+                    description: The service principal of the AWS service for which
+                      you want to make the member account a delegated administrator.
+                    type: string
                   status:
                     description: The status of the delegated administrator's account
                       in the organization.
diff --git a/package/crds/organizations.aws.upbound.io_organizationalunits.yaml b/package/crds/organizations.aws.upbound.io_organizationalunits.yaml
index eb91108cc7..c6ae1172b9 100644
--- a/package/crds/organizations.aws.upbound.io_organizationalunits.yaml
+++ b/package/crds/organizations.aws.upbound.io_organizationalunits.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,10 +85,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
-                - parentId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +273,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: parentId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parentId)
           status:
             description: OrganizationalUnitStatus defines the observed state of OrganizationalUnit.
             properties:
@@ -287,6 +309,18 @@ spec:
                   id:
                     description: Identifier of the account
                     type: string
+                  name:
+                    description: The name for the organizational unit
+                    type: string
+                  parentId:
+                    description: ID of the parent organizational unit, which may be
+                      the root
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/organizations.aws.upbound.io_organizations.yaml b/package/crds/organizations.aws.upbound.io_organizations.yaml
index a1144fb883..5cb3e9846d 100644
--- a/package/crds/organizations.aws.upbound.io_organizations.yaml
+++ b/package/crds/organizations.aws.upbound.io_organizations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -93,6 +97,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -295,6 +314,28 @@ spec:
                   arn:
                     description: ARN of the account
                     type: string
+                  awsServiceAccessPrincipals:
+                    description: List of AWS service principal names for which you
+                      want to enable integration with your organization. This is typically
+                      in the form of a URL, such as service-abbreviation.amazonaws.com.
+                      Organization must have feature_set set to ALL. Some services
+                      do not support enablement via this endpoint, see warning in
+                      aws docs.
+                    items:
+                      type: string
+                    type: array
+                  enabledPolicyTypes:
+                    description: List of Organizations policy types to enable in the
+                      Organization Root. Organization must have feature_set set to
+                      ALL. For additional information about valid policy types (e.g.,
+                      AISERVICES_OPT_OUT_POLICY, BACKUP_POLICY, SERVICE_CONTROL_POLICY,
+                      and TAG_POLICY), see the AWS Organizations API Reference.
+                    items:
+                      type: string
+                    type: array
+                  featureSet:
+                    description: Specify "ALL" (default) or "CONSOLIDATED_BILLING".
+                    type: string
                   id:
                     description: Identifier of the account
                     type: string
diff --git a/package/crds/organizations.aws.upbound.io_policies.yaml b/package/crds/organizations.aws.upbound.io_policies.yaml
index 789ab0bb2b..28e01109fd 100644
--- a/package/crds/organizations.aws.upbound.io_policies.yaml
+++ b/package/crds/organizations.aws.upbound.io_policies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -101,10 +105,23 @@ spec:
                       Defaults to SERVICE_CONTROL_POLICY.
                     type: string
                 required:
-                - content
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -276,6 +293,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: content is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: PolicyStatus defines the observed state of Policy.
             properties:
@@ -284,9 +306,36 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the policy.
                     type: string
+                  content:
+                    description: The policy content to add to the new policy. For
+                      example, if you create a service control policy (SCP), this
+                      string must be JSON text that specifies the permissions that
+                      admins in attached accounts can delegate to their users, groups,
+                      and roles. For more information about the SCP syntax, see the
+                      Service Control Policy Syntax documentation and for more information
+                      on the Tag Policy syntax, see the Tag Policy Syntax documentation.
+                    type: string
+                  description:
+                    description: A description to assign to the policy.
+                    type: string
                   id:
                     description: The unique identifier (ID) of the policy.
                     type: string
+                  name:
+                    description: The friendly name to assign to the policy.
+                    type: string
+                  skipDestroy:
+                    description: If set to true, destroy will not delete the policy
+                      and instead just remove the resource from state. This can be
+                      useful in situations where the policies (and the associated
+                      attachment) must be preserved to meet the AWS minimum requirement
+                      of 1 attached policy.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -294,6 +343,11 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: The type of policy to create. Valid values are AISERVICES_OPT_OUT_POLICY,
+                      BACKUP_POLICY, SERVICE_CONTROL_POLICY (SCP), and TAG_POLICY.
+                      Defaults to SERVICE_CONTROL_POLICY.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/organizations.aws.upbound.io_policyattachments.yaml b/package/crds/organizations.aws.upbound.io_policyattachments.yaml
index ae1f1774a4..c3496dfcde 100644
--- a/package/crds/organizations.aws.upbound.io_policyattachments.yaml
+++ b/package/crds/organizations.aws.upbound.io_policyattachments.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -160,8 +164,22 @@ spec:
                     type: string
                 required:
                 - region
-                - targetId
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,6 +351,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: targetId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetId)
           status:
             description: PolicyAttachmentStatus defines the observed state of PolicyAttachment.
             properties:
@@ -340,6 +361,20 @@ spec:
                 properties:
                   id:
                     type: string
+                  policyId:
+                    description: The unique identifier (ID) of the policy that you
+                      want to attach to the target.
+                    type: string
+                  skipDestroy:
+                    description: If set to true, destroy will not detach the policy
+                      and instead just remove the resource from state. This can be
+                      useful in situations where the attachment must be preserved
+                      to meet the AWS minimum requirement of 1 attached policy.
+                    type: boolean
+                  targetId:
+                    description: The unique identifier (ID) of the root, organizational
+                      unit, or account number that you want to attach the policy to.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/pinpoint.aws.upbound.io_apps.yaml b/package/crds/pinpoint.aws.upbound.io_apps.yaml
index 03d01e2179..0db3292885 100644
--- a/package/crds/pinpoint.aws.upbound.io_apps.yaml
+++ b/package/crds/pinpoint.aws.upbound.io_apps.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -141,6 +145,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,8 +342,79 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the PinPoint Application
                     type: string
+                  campaignHook:
+                    description: Specifies settings for invoking an AWS Lambda function
+                      that customizes a segment for a campaign
+                    items:
+                      properties:
+                        lambdaFunctionName:
+                          description: Lambda function name or ARN to be called for
+                            delivery. Conflicts with web_url
+                          type: string
+                        mode:
+                          description: What mode Lambda should be invoked in. Valid
+                            values for this parameter are DELIVERY, FILTER.
+                          type: string
+                        webUrl:
+                          description: Web URL to call for hook. If the URL has authentication
+                            specified it will be added as authentication to the request.
+                            Conflicts with lambda_function_name
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  limits:
+                    description: The default campaign limits for the app. These limits
+                      apply to each campaign for the app, unless the campaign overrides
+                      the default with limits of its own
+                    items:
+                      properties:
+                        daily:
+                          description: The maximum number of messages that the campaign
+                            can send daily.
+                          type: number
+                        maximumDuration:
+                          description: The length of time (in seconds) that the campaign
+                            can run before it ends and message deliveries stop. This
+                            duration begins at the scheduled start time for the campaign.
+                            The minimum value is 60.
+                          type: number
+                        messagesPerSecond:
+                          description: The number of messages that the campaign can
+                            send per second. The minimum value is 50, and the maximum
+                            is 20000.
+                          type: number
+                        total:
+                          description: The maximum total number of messages that the
+                            campaign can send.
+                          type: number
+                      type: object
+                    type: array
+                  name:
+                    description: The application name
+                    type: string
+                  quietTime:
+                    description: The default quiet time for the app. Each campaign
+                      for this app sends no messages during this time unless the campaign
+                      overrides the default with a quiet time of its own
+                    items:
+                      properties:
+                        end:
+                          description: The default end time for quiet time in ISO
+                            8601 format. Required if start is set
+                          type: string
+                        start:
+                          description: The default start time for quiet time in ISO
+                            8601 format. Required if end is set
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/pinpoint.aws.upbound.io_smschannels.yaml b/package/crds/pinpoint.aws.upbound.io_smschannels.yaml
index 21d4f453ee..03a642665b 100644
--- a/package/crds/pinpoint.aws.upbound.io_smschannels.yaml
+++ b/package/crds/pinpoint.aws.upbound.io_smschannels.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,6 +161,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -333,11 +352,24 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applicationId:
+                    description: The application ID.
+                    type: string
+                  enabled:
+                    description: Whether the channel is enabled or disabled. Defaults
+                      to true.
+                    type: boolean
                   id:
                     type: string
                   promotionalMessagesPerSecond:
                     description: Promotional messages per second that can be sent.
                     type: number
+                  senderId:
+                    description: Sender identifier of your messages.
+                    type: string
+                  shortCode:
+                    description: The Short Code registered with the phone provider.
+                    type: string
                   transactionalMessagesPerSecond:
                     description: Transactional messages per second that can be sent.
                     type: number
diff --git a/package/crds/qldb.aws.upbound.io_ledgers.yaml b/package/crds/qldb.aws.upbound.io_ledgers.yaml
index f3030a1224..8c8dbd8e52 100644
--- a/package/crds/qldb.aws.upbound.io_ledgers.yaml
+++ b/package/crds/qldb.aws.upbound.io_ledgers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -163,9 +167,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - permissionsMode
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,6 +355,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: permissionsMode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.permissionsMode)
           status:
             description: LedgerStatus defines the observed state of Ledger.
             properties:
@@ -345,9 +366,30 @@ spec:
                   arn:
                     description: The ARN of the QLDB Ledger
                     type: string
+                  deletionProtection:
+                    description: The deletion protection for the QLDB Ledger instance.
+                      By default it is true.
+                    type: boolean
                   id:
                     description: The Name of the QLDB Ledger
                     type: string
+                  kmsKey:
+                    description: The key in AWS Key Management Service (AWS KMS) to
+                      use for encryption of data at rest in the ledger. For more information,
+                      see the AWS documentation. Valid values are "AWS_OWNED_KMS_KEY"
+                      to use an AWS KMS key that is owned and managed by AWS on your
+                      behalf, or the ARN of a valid symmetric customer managed KMS
+                      key.
+                    type: string
+                  permissionsMode:
+                    description: The permissions mode for the QLDB ledger instance.
+                      Specify either ALLOW_ALL or STANDARD.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/qldb.aws.upbound.io_streams.yaml b/package/crds/qldb.aws.upbound.io_streams.yaml
index b97b3f481c..812b765b0e 100644
--- a/package/crds/qldb.aws.upbound.io_streams.yaml
+++ b/package/crds/qldb.aws.upbound.io_streams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -346,11 +350,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - inclusiveStartTime
-                - kinesisConfiguration
                 - region
-                - streamName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -522,6 +538,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: inclusiveStartTime is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inclusiveStartTime)
+            - message: kinesisConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.kinesisConfiguration)
+            - message: streamName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.streamName)
           status:
             description: StreamStatus defines the observed state of Stream.
             properties:
@@ -530,9 +553,62 @@ spec:
                   arn:
                     description: The ARN of the QLDB Stream.
                     type: string
+                  exclusiveEndTime:
+                    description: 'The exclusive date and time that specifies when
+                      the stream ends. If you don''t define this parameter, the stream
+                      runs indefinitely until you cancel it. It must be in ISO 8601
+                      date and time format and in Universal Coordinated Time (UTC).
+                      For example: "2019-06-13T21:36:34Z".'
+                    type: string
                   id:
                     description: The ID of the QLDB Stream.
                     type: string
+                  inclusiveStartTime:
+                    description: 'The inclusive start date and time from which to
+                      start streaming journal data. This parameter must be in ISO
+                      8601 date and time format and in Universal Coordinated Time
+                      (UTC). For example: "2019-06-13T21:36:34Z".  This cannot be
+                      in the future and must be before exclusive_end_time.  If you
+                      provide a value that is before the ledger''s CreationDateTime,
+                      QLDB effectively defaults it to the ledger''s CreationDateTime.'
+                    type: string
+                  kinesisConfiguration:
+                    description: The configuration settings of the Kinesis Data Streams
+                      destination for your stream request. Documented below.
+                    items:
+                      properties:
+                        aggregationEnabled:
+                          description: 'Enables QLDB to publish multiple data records
+                            in a single Kinesis Data Streams record, increasing the
+                            number of records sent per API call. Default: true.'
+                          type: boolean
+                        streamArn:
+                          description: The Amazon Resource Name (ARN) of the Kinesis
+                            Data Streams resource.
+                          type: string
+                      type: object
+                    type: array
+                  ledgerName:
+                    description: The name of the QLDB ledger.
+                    type: string
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of the IAM role that
+                      grants QLDB permissions for a journal stream to write data records
+                      to a Kinesis Data Streams resource.
+                    type: string
+                  streamName:
+                    description: The name that you want to assign to the QLDB journal
+                      stream. User-defined names can help identify and indicate the
+                      purpose of a stream.  Your stream name must be unique among
+                      other active streams for a given ledger. Stream names have the
+                      same naming constraints as ledger names, as defined in the Amazon
+                      QLDB Developer Guide.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/quicksight.aws.upbound.io_groups.yaml b/package/crds/quicksight.aws.upbound.io_groups.yaml
index 9b96f9651e..64749eadef 100644
--- a/package/crds/quicksight.aws.upbound.io_groups.yaml
+++ b/package/crds/quicksight.aws.upbound.io_groups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -84,9 +88,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - groupName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,6 +276,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: groupName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupName)
           status:
             description: GroupStatus defines the observed state of Group.
             properties:
@@ -266,8 +287,23 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of group
                     type: string
+                  awsAccountId:
+                    description: The ID for the AWS account that the group is in.
+                      Currently, you use the ID for the AWS account that contains
+                      your Amazon QuickSight account.
+                    type: string
+                  description:
+                    description: A description for the group.
+                    type: string
+                  groupName:
+                    description: A name for the group.
+                    type: string
                   id:
                     type: string
+                  namespace:
+                    description: The namespace. Currently, you should set this to
+                      default.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/quicksight.aws.upbound.io_users.yaml b/package/crds/quicksight.aws.upbound.io_users.yaml
index 8d0c03aef5..d4c013af67 100644
--- a/package/crds/quicksight.aws.upbound.io_users.yaml
+++ b/package/crds/quicksight.aws.upbound.io_users.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -106,11 +110,23 @@ spec:
                       role can be one of the following: READER, AUTHOR, or ADMIN'
                     type: string
                 required:
-                - email
-                - identityType
                 - region
-                - userRole
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -282,6 +298,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: email is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)
+            - message: identityType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.identityType)
+            - message: userRole is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userRole)
           status:
             description: UserStatus defines the observed state of User.
             properties:
@@ -290,8 +313,45 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the user
                     type: string
+                  awsAccountId:
+                    description: The ID for the AWS account that the user is in. Currently,
+                      you use the ID for the AWS account that contains your Amazon
+                      QuickSight account.
+                    type: string
+                  email:
+                    description: The email address of the user that you want to register.
+                    type: string
+                  iamArn:
+                    description: The ARN of the IAM user or role that you are registering
+                      with Amazon QuickSight.
+                    type: string
                   id:
                     type: string
+                  identityType:
+                    description: Amazon QuickSight supports several ways of managing
+                      the identity of users. This parameter accepts either  IAM or
+                      QUICKSIGHT. If IAM is specified, the iam_arn must also be specified.
+                    type: string
+                  namespace:
+                    description: The Amazon Quicksight namespace to create the user
+                      in. Defaults to default.
+                    type: string
+                  sessionName:
+                    description: The name of the IAM session to use when assuming
+                      roles that can embed QuickSight dashboards. Only valid for registering
+                      users using an assumed IAM role. Additionally, if registering
+                      multiple users using the same IAM role, each user needs to have
+                      a unique session name.
+                    type: string
+                  userName:
+                    description: The Amazon QuickSight user name that you want to
+                      create for the user you are registering. Only valid for registering
+                      a user with identity_type set to QUICKSIGHT.
+                    type: string
+                  userRole:
+                    description: 'The Amazon QuickSight role of the user. The user
+                      role can be one of the following: READER, AUTHOR, or ADMIN'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ram.aws.upbound.io_resourceassociations.yaml b/package/crds/ram.aws.upbound.io_resourceassociations.yaml
index 22799166d4..3dd928a699 100644
--- a/package/crds/ram.aws.upbound.io_resourceassociations.yaml
+++ b/package/crds/ram.aws.upbound.io_resourceassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,8 +154,22 @@ spec:
                     type: object
                 required:
                 - region
-                - resourceArn
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,6 +341,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: resourceArn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceArn)
           status:
             description: ResourceAssociationStatus defines the observed state of ResourceAssociation.
             properties:
@@ -331,6 +352,13 @@ spec:
                   id:
                     description: The Amazon Resource Name (ARN) of the resource share.
                     type: string
+                  resourceArn:
+                    description: Amazon Resource Name (ARN) of the resource to associate
+                      with the RAM Resource Share.
+                    type: string
+                  resourceShareArn:
+                    description: Amazon Resource Name (ARN) of the RAM Resource Share.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ram.aws.upbound.io_resourceshares.yaml b/package/crds/ram.aws.upbound.io_resourceshares.yaml
index a64fdf236e..6e30d5e53d 100644
--- a/package/crds/ram.aws.upbound.io_resourceshares.yaml
+++ b/package/crds/ram.aws.upbound.io_resourceshares.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -91,9 +95,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -265,17 +283,42 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ResourceShareStatus defines the observed state of ResourceShare.
             properties:
               atProvider:
                 properties:
+                  allowExternalPrincipals:
+                    description: Indicates whether principals outside your organization
+                      can be associated with a resource share.
+                    type: boolean
                   arn:
                     description: The Amazon Resource Name (ARN) of the resource share.
                     type: string
                   id:
                     description: The Amazon Resource Name (ARN) of the resource share.
                     type: string
+                  name:
+                    description: The name of the resource share.
+                    type: string
+                  permissionArns:
+                    description: Specifies the Amazon Resource Names (ARNs) of the
+                      RAM permission to associate with the resource share. If you
+                      do not specify an ARN for the permission, RAM automatically
+                      attaches the default version of the permission for each resource
+                      type. You can associate only one permission with each resource
+                      type included in the resource share.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_clusteractivitystreams.yaml b/package/crds/rds.aws.upbound.io_clusteractivitystreams.yaml
index ccb29c65b8..89bca6518a 100644
--- a/package/crds/rds.aws.upbound.io_clusteractivitystreams.yaml
+++ b/package/crds/rds.aws.upbound.io_clusteractivitystreams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -236,9 +240,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - mode
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -410,12 +428,21 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: mode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mode)
           status:
             description: ClusterActivityStreamStatus defines the observed state of
               ClusterActivityStream.
             properties:
               atProvider:
                 properties:
+                  engineNativeAuditFieldsIncluded:
+                    description: Specifies whether the database activity stream includes
+                      engine-native audit fields. This option only applies to an Oracle
+                      DB instance. By default, no engine-native audit fields are included.
+                      Defaults false.
+                    type: boolean
                   id:
                     description: The Amazon Resource Name (ARN) of the DB cluster.
                     type: string
@@ -423,6 +450,21 @@ spec:
                     description: The name of the Amazon Kinesis data stream to be
                       used for the database activity stream.
                     type: string
+                  kmsKeyId:
+                    description: The AWS KMS key identifier for encrypting messages
+                      in the database activity stream. The AWS KMS key identifier
+                      is the key ARN, key ID, alias ARN, or alias name for the KMS
+                      key.
+                    type: string
+                  mode:
+                    description: 'Specifies the mode of the database activity stream.
+                      Database events such as a change or access generate an activity
+                      stream event. The database session can handle these events either
+                      synchronously or asynchronously. One of: sync, async.'
+                    type: string
+                  resourceArn:
+                    description: The Amazon Resource Name (ARN) of the DB cluster.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_clusterendpoints.yaml b/package/crds/rds.aws.upbound.io_clusterendpoints.yaml
index 5dc62a1ccf..7d7f19e602 100644
--- a/package/crds/rds.aws.upbound.io_clusterendpoints.yaml
+++ b/package/crds/rds.aws.upbound.io_clusterendpoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -167,9 +171,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - customEndpointType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,6 +359,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: customEndpointType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.customEndpointType)
           status:
             description: ClusterEndpointStatus defines the observed state of ClusterEndpoint.
             properties:
@@ -349,12 +370,37 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of cluster
                     type: string
+                  clusterIdentifier:
+                    description: The cluster identifier.
+                    type: string
+                  customEndpointType:
+                    description: 'The type of the endpoint. One of: READER , ANY .'
+                    type: string
                   endpoint:
                     description: A custom endpoint for the Aurora cluster
                     type: string
+                  excludedMembers:
+                    description: List of DB instance identifiers that aren't part
+                      of the custom endpoint group. All other eligible instances are
+                      reachable through the custom endpoint. Only relevant if the
+                      list of static members is empty. Conflicts with static_members.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The RDS Cluster Endpoint Identifier
                     type: string
+                  staticMembers:
+                    description: List of DB instance identifiers that are part of
+                      the custom endpoint group. Conflicts with excluded_members.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_clusterinstances.yaml b/package/crds/rds.aws.upbound.io_clusterinstances.yaml
index 5b9b768e9e..21bae76d95 100644
--- a/package/crds/rds.aws.upbound.io_clusterinstances.yaml
+++ b/package/crds/rds.aws.upbound.io_clusterinstances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -463,9 +467,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - instanceClass
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -637,14 +655,51 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceClass is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)
           status:
             description: ClusterInstanceStatus defines the observed state of ClusterInstance.
             properties:
               atProvider:
                 properties:
+                  applyImmediately:
+                    description: Specifies whether any database modifications are
+                      applied immediately, or during the next maintenance window.
+                      Default isfalse.
+                    type: boolean
                   arn:
                     description: Amazon Resource Name (ARN) of cluster instance
                     type: string
+                  autoMinorVersionUpgrade:
+                    description: Indicates that minor engine upgrades will be applied
+                      automatically to the DB instance during the maintenance window.
+                      Default true.
+                    type: boolean
+                  availabilityZone:
+                    description: The EC2 Availability Zone that the DB instance is
+                      created in. See docs about the details.
+                    type: string
+                  caCertIdentifier:
+                    description: The identifier of the CA certificate for the DB instance.
+                    type: string
+                  clusterIdentifier:
+                    description: The identifier of the aws_rds_cluster in which to
+                      launch this instance.
+                    type: string
+                  copyTagsToSnapshot:
+                    description: defined tags from the DB instance to snapshots of
+                      the DB instance. Default false.
+                    type: boolean
+                  dbParameterGroupName:
+                    description: The name of the DB parameter group to associate with
+                      this instance.
+                    type: string
+                  dbSubnetGroupName:
+                    description: 'A DB subnet group to associate with this DB instance.
+                      NOTE: This must match the db_subnet_group_name of the attached
+                      aws_rds_cluster.'
+                    type: string
                   dbiResourceId:
                     description: The region-unique, immutable identifier for the DB
                       instance.
@@ -652,25 +707,93 @@ spec:
                   endpoint:
                     description: The DNS address for this instance. May not be writable
                     type: string
+                  engine:
+                    description: 'The name of the database engine to be used for the
+                      RDS instance. Defaults to aurora. Valid Values: aurora, aurora-mysql,
+                      aurora-postgresql. For information on the difference between
+                      the available Aurora MySQL engines see Comparison between Aurora
+                      MySQL 1 and Aurora MySQL 2 in the Amazon RDS User Guide.'
+                    type: string
+                  engineVersion:
+                    description: The database engine version.
+                    type: string
                   engineVersionActual:
                     description: The database engine version
                     type: string
                   id:
                     description: The Instance identifier
                     type: string
+                  instanceClass:
+                    description: The instance class to use. For details on CPU and
+                      memory, see Scaling Aurora DB Instances. Aurora uses db.* instance
+                      classes/types. Please see AWS Documentation for currently available
+                      instance classes and complete details.
+                    type: string
                   kmsKeyId:
                     description: The ARN for the KMS encryption key if one is set
                       to the cluster.
                     type: string
+                  monitoringInterval:
+                    description: 'The interval, in seconds, between points when Enhanced
+                      Monitoring metrics are collected for the DB instance. To disable
+                      collecting Enhanced Monitoring metrics, specify 0. The default
+                      is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60.'
+                    type: number
+                  monitoringRoleArn:
+                    description: The ARN for the IAM role that permits RDS to send
+                      enhanced monitoring metrics to CloudWatch Logs. You can find
+                      more information on the AWS Documentation what IAM permissions
+                      are needed to allow Enhanced Monitoring for RDS Instances.
+                    type: string
                   networkType:
                     description: The network type of the DB instance.
                     type: string
+                  performanceInsightsEnabled:
+                    description: Specifies whether Performance Insights is enabled
+                      or not.
+                    type: boolean
+                  performanceInsightsKmsKeyId:
+                    description: ARN for the KMS key to encrypt Performance Insights
+                      data. When specifying performance_insights_kms_key_id, performance_insights_enabled
+                      needs to be set to true.
+                    type: string
+                  performanceInsightsRetentionPeriod:
+                    description: Amount of time in days to retain Performance Insights
+                      data. Valid values are 7, 731 (2 years) or a multiple of 31.
+                      When specifying performance_insights_retention_period, performance_insights_enabled
+                      needs to be set to true. Defaults to '7'.
+                    type: number
                   port:
                     description: The database port
                     type: number
+                  preferredBackupWindow:
+                    description: 'The daily time range during which automated backups
+                      are created if automated backups are enabled. Eg: "04:00-09:00".
+                      NOTE: If preferred_backup_window is set at the cluster level,
+                      this argument must be omitted.'
+                    type: string
+                  preferredMaintenanceWindow:
+                    description: 'The window to perform maintenance in. Syntax: "ddd:hh24:mi-ddd:hh24:mi".
+                      Eg: "Mon:00:00-Mon:03:00".'
+                    type: string
+                  promotionTier:
+                    description: Default 0. Failover Priority setting on instance
+                      level. The reader who has lower tier has higher priority to
+                      get promoted to writer.
+                    type: number
+                  publiclyAccessible:
+                    description: Bool to control if instance is publicly accessible.
+                      Default false. See the documentation on Creating DB Instances
+                      for more details on controlling this property.
+                    type: boolean
                   storageEncrypted:
                     description: Specifies whether the DB cluster is encrypted.
                     type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_clusterparametergroups.yaml b/package/crds/rds.aws.upbound.io_clusterparametergroups.yaml
index 4252fcb929..fb1be7dec4 100644
--- a/package/crds/rds.aws.upbound.io_clusterparametergroups.yaml
+++ b/package/crds/rds.aws.upbound.io_clusterparametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -103,9 +107,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -277,6 +295,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
           status:
             description: ClusterParameterGroupStatus defines the observed state of
               ClusterParameterGroup.
@@ -286,9 +307,40 @@ spec:
                   arn:
                     description: The ARN of the db cluster parameter group.
                     type: string
+                  description:
+                    description: The description of the DB cluster parameter group.
+                    type: string
+                  family:
+                    description: The family of the DB cluster parameter group.
+                    type: string
                   id:
                     description: The db cluster parameter group name.
                     type: string
+                  parameter:
+                    description: A list of DB parameters to apply. Note that parameters
+                      may differ from a family to an other. Full list of all parameters
+                      can be discovered via aws rds describe-db-cluster-parameters
+                      after initial creation of the group.
+                    items:
+                      properties:
+                        applyMethod:
+                          description: '"immediate" (default), or "pending-reboot".
+                            Some engines can''t apply some parameters without a reboot,
+                            and you will need to specify "pending-reboot" here.'
+                          type: string
+                        name:
+                          description: The name of the DB cluster parameter group.
+                          type: string
+                        value:
+                          description: The value of the DB parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_clusterroleassociations.yaml b/package/crds/rds.aws.upbound.io_clusterroleassociations.yaml
index 4af156bc20..f5a49ef8f7 100644
--- a/package/crds/rds.aws.upbound.io_clusterroleassociations.yaml
+++ b/package/crds/rds.aws.upbound.io_clusterroleassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,9 +232,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - featureName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,16 +420,32 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: featureName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureName)
           status:
             description: ClusterRoleAssociationStatus defines the observed state of
               ClusterRoleAssociation.
             properties:
               atProvider:
                 properties:
+                  dbClusterIdentifier:
+                    description: DB Cluster Identifier to associate with the IAM Role.
+                    type: string
+                  featureName:
+                    description: Name of the feature for association. This can be
+                      found in the AWS documentation relevant to the integration or
+                      a full list is available in the SupportedFeatureNames list returned
+                      by AWS CLI rds describe-db-engine-versions.
+                    type: string
                   id:
                     description: DB Cluster Identifier and IAM Role ARN separated
                       by a comma (,)
                     type: string
+                  roleArn:
+                    description: Amazon Resource Name (ARN) of the IAM Role to associate
+                      with the DB Cluster.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_clusters.yaml b/package/crds/rds.aws.upbound.io_clusters.yaml
index 7ecbc43edd..322a98fe2c 100644
--- a/package/crds/rds.aws.upbound.io_clusters.yaml
+++ b/package/crds/rds.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -784,6 +788,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -960,21 +979,145 @@ spec:
             properties:
               atProvider:
                 properties:
+                  allocatedStorage:
+                    description: The amount of storage in gibibytes (GiB) to allocate
+                      to each DB instance in the Multi-AZ DB cluster. (This setting
+                      is required to create a Multi-AZ DB cluster).
+                    type: number
+                  allowMajorVersionUpgrade:
+                    description: Enable to allow major engine version upgrades when
+                      changing engine versions. Defaults to false.
+                    type: boolean
+                  applyImmediately:
+                    description: Specifies whether any cluster modifications are applied
+                      immediately, or during the next maintenance window. Default
+                      is false. See Amazon RDS Documentation for more information.
+                    type: boolean
                   arn:
                     description: Amazon Resource Name (ARN) of cluster
                     type: string
+                  availabilityZones:
+                    description: List of EC2 Availability Zones for the DB cluster
+                      storage where DB cluster instances can be created. We recommend
+                      specifying 3 AZs or using the  if necessary. A maximum of 3
+                      AZs can be configured.
+                    items:
+                      type: string
+                    type: array
+                  backtrackWindow:
+                    description: The target backtrack window, in seconds. Only available
+                      for aurora and aurora-mysql engines currently. To disable backtracking,
+                      set this value to 0. Defaults to 0. Must be between 0 and 259200
+                      (72 hours)
+                    type: number
+                  backupRetentionPeriod:
+                    description: The days to retain backups for. Default 1
+                    type: number
+                  clusterMembers:
+                    description: – List of RDS Instances that are a part of this cluster
+                    items:
+                      type: string
+                    type: array
                   clusterResourceId:
                     description: The RDS Cluster Resource ID
                     type: string
+                  copyTagsToSnapshot:
+                    description: –  Copy all Cluster tags to snapshots. Default is
+                      false.
+                    type: boolean
+                  databaseName:
+                    description: 'Name for an automatically created database on cluster
+                      creation. There are different naming restrictions per database
+                      engine: RDS Naming Constraints'
+                    type: string
+                  dbClusterInstanceClass:
+                    description: The compute and memory capacity of each DB instance
+                      in the Multi-AZ DB cluster, for example db.m6g.xlarge. Not all
+                      DB instance classes are available in all AWS Regions, or for
+                      all database engines. For the full list of DB instance classes
+                      and availability for your engine, see DB instance class in the
+                      Amazon RDS User Guide. (This setting is required to create a
+                      Multi-AZ DB cluster).
+                    type: string
+                  dbClusterParameterGroupName:
+                    description: A cluster parameter group to associate with the cluster.
+                    type: string
+                  dbInstanceParameterGroupName:
+                    description: Instance parameter group to associate with all instances
+                      of the DB cluster. The db_instance_parameter_group_name parameter
+                      is only valid in combination with the allow_major_version_upgrade
+                      parameter.
+                    type: string
+                  dbSubnetGroupName:
+                    description: 'A DB subnet group to associate with this DB instance.
+                      NOTE: This must match the db_subnet_group_name specified on
+                      every aws_rds_cluster_instance in the cluster.'
+                    type: string
+                  deletionProtection:
+                    description: If the DB instance should have deletion protection
+                      enabled. The database can't be deleted when this value is set
+                      to true. The default is false.
+                    type: boolean
+                  enableGlobalWriteForwarding:
+                    description: Whether cluster should forward writes to an associated
+                      global cluster. Applied to secondary clusters to enable them
+                      to forward writes to an aws_rds_global_cluster's primary cluster.
+                      See the Aurora Userguide documentation for more information.
+                    type: boolean
+                  enableHttpEndpoint:
+                    description: Enable HTTP endpoint (data API). Only valid when
+                      engine_mode is set to serverless.
+                    type: boolean
+                  enabledCloudwatchLogsExports:
+                    description: 'Set of log types to export to cloudwatch. If omitted,
+                      no logs will be exported. The following log types are supported:
+                      audit, error, general, slowquery, postgresql (PostgreSQL).'
+                    items:
+                      type: string
+                    type: array
                   endpoint:
                     description: The DNS address of the RDS instance
                     type: string
+                  engine:
+                    description: 'The name of the database engine to be used for this
+                      DB cluster. Defaults to aurora. Valid Values: aurora, aurora-mysql,
+                      aurora-postgresql, mysql, postgres. (Note that mysql and postgres
+                      are Multi-AZ RDS clusters).'
+                    type: string
+                  engineMode:
+                    description: 'The database engine mode. Valid values: global (only
+                      valid for Aurora MySQL 1.21 and earlier), multimaster, parallelquery,
+                      provisioned, serverless. Defaults to: provisioned. See the RDS
+                      User Guide for limitations when using serverless.'
+                    type: string
+                  engineVersion:
+                    description: The database engine version. Updating this argument
+                      results in an outage. See the Aurora MySQL and Aurora Postgres
+                      documentation for your configured engine to determine this value.
+                      For example with Aurora MySQL 2, a potential value for this
+                      argument is 5.7.mysql_aurora.2.03.2. The value can contain a
+                      partial version where supported by the API. The actual engine
+                      version used is returned in the attribute engine_version_actual,
+                      , see Attributes Reference below.
+                    type: string
                   engineVersionActual:
                     description: The running version of the database.
                     type: string
+                  finalSnapshotIdentifier:
+                    description: The name of your final DB snapshot when this DB cluster
+                      is deleted. If omitted, no final snapshot will be made.
+                    type: string
+                  globalClusterIdentifier:
+                    description: The global cluster identifier specified on aws_rds_global_cluster.
+                    type: string
                   hostedZoneId:
                     description: The Route53 Hosted Zone ID of the endpoint
                     type: string
+                  iamDatabaseAuthenticationEnabled:
+                    description: Specifies whether or not mappings of AWS Identity
+                      and Access Management (IAM) accounts to database accounts is
+                      enabled. Please see AWS Documentation for availability and limitations.
+                    type: boolean
                   iamRoles:
                     description: A List of ARNs for the IAM roles to associate to
                       the RDS Cluster.
@@ -984,10 +1127,192 @@ spec:
                   id:
                     description: The RDS Cluster Identifier
                     type: string
+                  iops:
+                    description: The amount of Provisioned IOPS (input/output operations
+                      per second) to be initially allocated for each DB instance in
+                      the Multi-AZ DB cluster. For information about valid Iops values,
+                      see Amazon RDS Provisioned IOPS storage to improve performance
+                      in the Amazon RDS User Guide. (This setting is required to create
+                      a Multi-AZ DB cluster). Must be a multiple between .5 and 50
+                      of the storage amount for the DB cluster.
+                    type: number
+                  kmsKeyId:
+                    description: The ARN for the KMS encryption key. When specifying
+                      kms_key_id, storage_encrypted needs to be set to true.
+                    type: string
+                  masterUsername:
+                    description: Username for the master DB user. Please refer to
+                      the RDS Naming Constraints. This argument does not support in-place
+                      updates and cannot be changed during a restore from snapshot.
+                    type: string
+                  networkType:
+                    description: 'The network type of the cluster. Valid values: IPV4,
+                      DUAL.'
+                    type: string
+                  port:
+                    description: The port on which the DB accepts connections
+                    type: number
+                  preferredBackupWindow:
+                    description: 'The daily time range during which automated backups
+                      are created if automated backups are enabled using the BackupRetentionPeriod
+                      parameter.Time in UTC. Default: A 30-minute window selected
+                      at random from an 8-hour block of time per regionE.g., 04:00-09:00'
+                    type: string
+                  preferredMaintenanceWindow:
+                    description: The weekly time range during which system maintenance
+                      can occur, in (UTC) e.g., wed:04:00-wed:04:30
+                    type: string
                   readerEndpoint:
                     description: A read-only endpoint for the Aurora cluster, automatically
                       load-balanced across replicas
                     type: string
+                  replicationSourceIdentifier:
+                    description: ARN of a source DB cluster or DB instance if this
+                      DB cluster is to be created as a Read Replica.
+                    type: string
+                  restoreToPointInTime:
+                    description: Nested attribute for point in time restore. More
+                      details below.
+                    items:
+                      properties:
+                        restoreToTime:
+                          description: Date and time in UTC format to restore the
+                            database cluster to. Conflicts with use_latest_restorable_time.
+                          type: string
+                        restoreType:
+                          description: Type of restore to be performed. Valid options
+                            are full-copy (default) and copy-on-write.
+                          type: string
+                        sourceClusterIdentifier:
+                          description: The identifier of the source database cluster
+                            from which to restore.
+                          type: string
+                        useLatestRestorableTime:
+                          description: Set to true to restore the database cluster
+                            to the latest restorable backup time. Defaults to false.
+                            Conflicts with restore_to_time.
+                          type: boolean
+                      type: object
+                    type: array
+                  s3Import:
+                    description: The port on which the DB accepts connections
+                    items:
+                      properties:
+                        bucketName:
+                          description: The bucket name where your backup is stored
+                          type: string
+                        bucketPrefix:
+                          description: Can be blank, but is the path to your backup
+                          type: string
+                        ingestionRole:
+                          description: Role applied to load the data.
+                          type: string
+                        sourceEngine:
+                          description: Source engine for the backup
+                          type: string
+                        sourceEngineVersion:
+                          description: Version of the source engine used to make the
+                            backup
+                          type: string
+                      type: object
+                    type: array
+                  scalingConfiguration:
+                    description: Nested attribute with scaling properties. Only valid
+                      when engine_mode is set to serverless. More details below.
+                    items:
+                      properties:
+                        autoPause:
+                          description: Whether to enable automatic pause. A DB cluster
+                            can be paused only when it's idle (it has no connections).
+                            If a DB cluster is paused for more than seven days, the
+                            DB cluster might be backed up with a snapshot. In this
+                            case, the DB cluster is restored when there is a request
+                            to connect to it. Defaults to true.
+                          type: boolean
+                        maxCapacity:
+                          description: The maximum capacity for an Aurora DB cluster
+                            in serverless DB engine mode. The maximum capacity must
+                            be greater than or equal to the minimum capacity. Valid
+                            Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64,
+                            128, 256. Valid Aurora PostgreSQL capacity values are
+                            (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 16.
+                          type: number
+                        minCapacity:
+                          description: The minimum capacity for an Aurora DB cluster
+                            in serverless DB engine mode. The minimum capacity must
+                            be lesser than or equal to the maximum capacity. Valid
+                            Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64,
+                            128, 256. Valid Aurora PostgreSQL capacity values are
+                            (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 1.
+                          type: number
+                        secondsUntilAutoPause:
+                          description: The time, in seconds, before an Aurora DB cluster
+                            in serverless mode is paused. Valid values are 300 through
+                            86400. Defaults to 300.
+                          type: number
+                        timeoutAction:
+                          description: 'The action to take when the timeout is reached.
+                            Valid values: ForceApplyCapacityChange, RollbackCapacityChange.
+                            Defaults to RollbackCapacityChange. See documentation.'
+                          type: string
+                      type: object
+                    type: array
+                  serverlessv2ScalingConfiguration:
+                    description: Nested attribute with scaling properties for ServerlessV2.
+                      Only valid when engine_mode is set to provisioned. More details
+                      below.
+                    items:
+                      properties:
+                        maxCapacity:
+                          description: The maximum capacity for an Aurora DB cluster
+                            in serverless DB engine mode. The maximum capacity must
+                            be greater than or equal to the minimum capacity. Valid
+                            Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64,
+                            128, 256. Valid Aurora PostgreSQL capacity values are
+                            (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 16.
+                          type: number
+                        minCapacity:
+                          description: The minimum capacity for an Aurora DB cluster
+                            in serverless DB engine mode. The minimum capacity must
+                            be lesser than or equal to the maximum capacity. Valid
+                            Aurora MySQL capacity values are 1, 2, 4, 8, 16, 32, 64,
+                            128, 256. Valid Aurora PostgreSQL capacity values are
+                            (2, 4, 8, 16, 32, 64, 192, and 384). Defaults to 1.
+                          type: number
+                      type: object
+                    type: array
+                  skipFinalSnapshot:
+                    description: Determines whether a final DB snapshot is created
+                      before the DB cluster is deleted. If true is specified, no DB
+                      snapshot is created. If false is specified, a DB snapshot is
+                      created before the DB cluster is deleted, using the value from
+                      final_snapshot_identifier. Default is false.
+                    type: boolean
+                  snapshotIdentifier:
+                    description: Specifies whether or not to create this cluster from
+                      a snapshot. You can use either the name or ARN when specifying
+                      a DB cluster snapshot, or the ARN when specifying a DB snapshot.
+                    type: string
+                  sourceRegion:
+                    description: The source region for an encrypted replica DB cluster.
+                    type: string
+                  storageEncrypted:
+                    description: Specifies whether the DB cluster is encrypted. The
+                      default is false for provisioned engine_mode and true for serverless
+                      engine_mode. When restoring an unencrypted snapshot_identifier,
+                      the kms_key_id argument must be provided to encrypt the restored
+                      cluster.
+                    type: boolean
+                  storageType:
+                    description: 'Specifies the storage type to be associated with
+                      the DB cluster. (This setting is required to create a Multi-AZ
+                      DB cluster). Valid values: io1, Default: io1.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -995,6 +1320,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcSecurityGroupIds:
+                    description: List of VPC security groups to associate with the
+                      Cluster
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_clustersnapshots.yaml b/package/crds/rds.aws.upbound.io_clustersnapshots.yaml
index faa0d4d609..1a1b41511d 100644
--- a/package/crds/rds.aws.upbound.io_clustersnapshots.yaml
+++ b/package/crds/rds.aws.upbound.io_clustersnapshots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -154,9 +158,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - dbClusterSnapshotIdentifier
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -328,6 +346,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: dbClusterSnapshotIdentifier is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.dbClusterSnapshotIdentifier)
           status:
             description: ClusterSnapshotStatus defines the observed state of ClusterSnapshot.
             properties:
@@ -342,10 +363,17 @@ spec:
                     items:
                       type: string
                     type: array
+                  dbClusterIdentifier:
+                    description: The DB Cluster Identifier from which to take the
+                      snapshot.
+                    type: string
                   dbClusterSnapshotArn:
                     description: The Amazon Resource Name (ARN) for the DB Cluster
                       Snapshot.
                     type: string
+                  dbClusterSnapshotIdentifier:
+                    description: The Identifier for the snapshot.
+                    type: string
                   engine:
                     description: Name of the database engine.
                     type: string
@@ -378,6 +406,11 @@ spec:
                   storageEncrypted:
                     description: Whether the DB cluster snapshot is encrypted.
                     type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_dbinstanceautomatedbackupsreplications.yaml b/package/crds/rds.aws.upbound.io_dbinstanceautomatedbackupsreplications.yaml
index a1fd672a25..36a6fd301f 100644
--- a/package/crds/rds.aws.upbound.io_dbinstanceautomatedbackupsreplications.yaml
+++ b/package/crds/rds.aws.upbound.io_dbinstanceautomatedbackupsreplications.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -237,6 +241,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -418,6 +437,25 @@ spec:
                     description: The Amazon Resource Name (ARN) of the replicated
                       automated backups.
                     type: string
+                  kmsKeyId:
+                    description: The AWS KMS key identifier for encryption of the
+                      replicated automated backups. The KMS key ID is the Amazon Resource
+                      Name (ARN) for the KMS encryption key in the destination AWS
+                      Region, for example, arn:aws:kms:us-east-1:123456789012:key/AKIAIOSFODNN7EXAMPLE.
+                    type: string
+                  preSignedUrl:
+                    description: A URL that contains a Signature Version 4 signed
+                      request for the StartDBInstanceAutomatedBackupsReplication action
+                      to be called in the AWS Region of the source DB instance.
+                    type: string
+                  retentionPeriod:
+                    description: The retention period for the replicated automated
+                      backups, defaults to 7.
+                    type: number
+                  sourceDbInstanceArn:
+                    description: The Amazon Resource Name (ARN) of the source DB instance
+                      for the replicated automated backups, for example, arn:aws:rds:us-west-2:123456789012:db:mydatabase.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_dbsnapshotcopies.yaml b/package/crds/rds.aws.upbound.io_dbsnapshotcopies.yaml
index fbd882ce92..19de2417b9 100644
--- a/package/crds/rds.aws.upbound.io_dbsnapshotcopies.yaml
+++ b/package/crds/rds.aws.upbound.io_dbsnapshotcopies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -247,8 +251,22 @@ spec:
                     type: string
                 required:
                 - region
-                - targetDbSnapshotIdentifier
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -420,6 +438,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: targetDbSnapshotIdentifier is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetDbSnapshotIdentifier)
           status:
             description: DBSnapshotCopyStatus defines the observed state of DBSnapshotCopy.
             properties:
@@ -433,9 +454,15 @@ spec:
                     description: Specifies the name of the Availability Zone the DB
                       instance was located in at the time of the DB snapshot.
                     type: string
+                  copyTags:
+                    description: Whether to copy existing tags. Defaults to false.
+                    type: boolean
                   dbSnapshotArn:
                     description: The Amazon Resource Name (ARN) for the DB snapshot.
                     type: string
+                  destinationRegion:
+                    description: The Destination region to place snapshot copy.
+                    type: string
                   encrypted:
                     description: Specifies whether the DB snapshot is encrypted.
                     type: boolean
@@ -452,13 +479,27 @@ spec:
                     description: Specifies the Provisioned IOPS (I/O operations per
                       second) value of the DB instance at the time of the snapshot.
                     type: number
+                  kmsKeyId:
+                    description: KMS key ID.
+                    type: string
                   licenseModel:
                     description: License model information for the restored DB instance.
                     type: string
+                  optionGroupName:
+                    description: The name of an option group to associate with the
+                      copy of the snapshot.
+                    type: string
                   port:
                     type: number
+                  presignedUrl:
+                    description: he URL that contains a Signature Version 4 signed
+                      request.
+                    type: string
                   snapshotType:
                     type: string
+                  sourceDbSnapshotIdentifier:
+                    description: Snapshot identifier of the source snapshot.
+                    type: string
                   sourceRegion:
                     description: The region that the DB snapshot was created in or
                       copied from.
@@ -466,6 +507,11 @@ spec:
                   storageType:
                     description: Specifies the storage type associated with DB snapshot.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -473,6 +519,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetCustomAvailabilityZone:
+                    description: The external custom Availability Zone.
+                    type: string
+                  targetDbSnapshotIdentifier:
+                    description: The Identifier for the snapshot.
+                    type: string
                   vpcId:
                     description: Provides the VPC ID associated with the DB snapshot.
                     type: string
diff --git a/package/crds/rds.aws.upbound.io_eventsubscriptions.yaml b/package/crds/rds.aws.upbound.io_eventsubscriptions.yaml
index 57a030980f..4c83eefd28 100644
--- a/package/crds/rds.aws.upbound.io_eventsubscriptions.yaml
+++ b/package/crds/rds.aws.upbound.io_eventsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -177,6 +181,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -361,9 +380,42 @@ spec:
                     description: The AWS customer account associated with the RDS
                       event notification subscription
                     type: string
+                  enabled:
+                    description: A boolean flag to enable/disable the subscription.
+                      Defaults to true.
+                    type: boolean
+                  eventCategories:
+                    description: A list of event categories for a SourceType that
+                      you want to subscribe to. See http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_Events.html
+                      or run aws rds describe-event-categories.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The name of the RDS event notification subscription
                     type: string
+                  snsTopic:
+                    description: The SNS topic to send events to.
+                    type: string
+                  sourceIds:
+                    description: A list of identifiers of the event sources for which
+                      events will be returned. If not specified, then all sources
+                      are included in the response. If specified, a source_type must
+                      also be specified.
+                    items:
+                      type: string
+                    type: array
+                  sourceType:
+                    description: The type of source that will be generating the events.
+                      Valid options are db-instance, db-security-group, db-parameter-group,
+                      db-snapshot, db-cluster or db-cluster-snapshot. If not set,
+                      all sources will be subscribed to.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_globalclusters.yaml b/package/crds/rds.aws.upbound.io_globalclusters.yaml
index a9c6d0a9c7..e62c55cc5b 100644
--- a/package/crds/rds.aws.upbound.io_globalclusters.yaml
+++ b/package/crds/rds.aws.upbound.io_globalclusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -180,6 +184,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -359,8 +378,35 @@ spec:
                   arn:
                     description: RDS Global Cluster Amazon Resource Name (ARN)
                     type: string
+                  databaseName:
+                    description: Name for an automatically created database on cluster
+                      creation.
+                    type: string
+                  deletionProtection:
+                    description: If the Global Cluster should have deletion protection
+                      enabled. The database can't be deleted when this value is set
+                      to true. The default is false.
+                    type: boolean
+                  engine:
+                    description: 'Name of the database engine to be used for this
+                      DB cluster. Valid values: aurora, aurora-mysql, aurora-postgresql.
+                      Defaults to aurora. Conflicts with source_db_cluster_identifier.'
+                    type: string
+                  engineVersion:
+                    description: 'Engine version of the Aurora global database. The
+                      engine, engine_version, and instance_class (on the aws_rds_cluster_instance)
+                      must together support global databases. See Using Amazon Aurora
+                      global databases for more information. NOTE: To avoid an inconsistent
+                      final plan error while upgrading, use the lifecycle ignore_changes
+                      for engine_version meta argument on the associated aws_rds_cluster
+                      resource as shown above in Upgrading Engine Versions example.'
+                    type: string
                   engineVersionActual:
                     type: string
+                  forceDestroy:
+                    description: Enable to remove DB Cluster members from Global Cluster
+                      on destroy. Required with source_db_cluster_identifier.
+                    type: boolean
                   globalClusterMembers:
                     description: Set of objects containing Global Cluster members.
                     items:
@@ -381,6 +427,15 @@ spec:
                   id:
                     description: RDS Global Cluster identifier
                     type: string
+                  sourceDbClusterIdentifier:
+                    description: Amazon Resource Name (ARN) to use as the primary
+                      DB Cluster of the Global Cluster on creation.
+                    type: string
+                  storageEncrypted:
+                    description: Specifies whether the DB cluster is encrypted. The
+                      default is false unless source_db_cluster_identifier is specified
+                      and encrypted.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_instanceroleassociations.yaml b/package/crds/rds.aws.upbound.io_instanceroleassociations.yaml
index 9cf570321f..13f322d0fc 100644
--- a/package/crds/rds.aws.upbound.io_instanceroleassociations.yaml
+++ b/package/crds/rds.aws.upbound.io_instanceroleassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -230,9 +234,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - featureName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -404,16 +422,33 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: featureName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureName)
           status:
             description: InstanceRoleAssociationStatus defines the observed state
               of InstanceRoleAssociation.
             properties:
               atProvider:
                 properties:
+                  dbInstanceIdentifier:
+                    description: DB Instance Identifier to associate with the IAM
+                      Role.
+                    type: string
+                  featureName:
+                    description: Name of the feature for association. This can be
+                      found in the AWS documentation relevant to the integration or
+                      a full list is available in the SupportedFeatureNames list returned
+                      by AWS CLI rds describe-db-engine-versions.
+                    type: string
                   id:
                     description: DB Instance Identifier and IAM Role ARN separated
                       by a comma (,)
                     type: string
+                  roleArn:
+                    description: Amazon Resource Name (ARN) of the IAM Role to associate
+                      with the DB Instance.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_instances.yaml b/package/crds/rds.aws.upbound.io_instances.yaml
index cd4a61a4c3..4533cd5e4b 100644
--- a/package/crds/rds.aws.upbound.io_instances.yaml
+++ b/package/crds/rds.aws.upbound.io_instances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -764,9 +768,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - instanceClass
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -938,6 +956,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceClass is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceClass)
           status:
             description: InstanceStatus defines the observed state of Instance.
             properties:
@@ -947,36 +968,389 @@ spec:
                     description: The hostname of the RDS instance. See also endpoint
                       and port.
                     type: string
+                  allocatedStorage:
+                    description: The allocated storage in gibibytes. If max_allocated_storage
+                      is configured, this argument represents the initial storage
+                      allocation and differences from the configuration will be ignored
+                      automatically when Storage Autoscaling occurs. If replicate_source_db
+                      is set, the value is ignored during the creation of the instance.
+                    type: number
+                  allowMajorVersionUpgrade:
+                    description: Indicates that major version upgrades are allowed.
+                      Changing this parameter does not result in an outage and the
+                      change is asynchronously applied as soon as possible.
+                    type: boolean
+                  applyImmediately:
+                    description: Specifies whether any database modifications are
+                      applied immediately, or during the next maintenance window.
+                      Default is false. See Amazon RDS Documentation for more information.
+                    type: boolean
                   arn:
                     description: The ARN of the RDS instance.
                     type: string
+                  autoMinorVersionUpgrade:
+                    description: Indicates that minor engine upgrades will be applied
+                      automatically to the DB instance during the maintenance window.
+                      Defaults to true.
+                    type: boolean
+                  availabilityZone:
+                    description: The AZ for the RDS instance.
+                    type: string
+                  backupRetentionPeriod:
+                    description: The days to retain backups for. Must be between 0
+                      and 35. Default is 0. Must be greater than 0 if the database
+                      is used as a source for a Read Replica, uses low-downtime updates,
+                      or will use RDS Blue/Green deployments.
+                    type: number
+                  backupWindow:
+                    description: 'The daily time range (in UTC) during which automated
+                      backups are created if they are enabled. Example: "09:46-10:16".
+                      Must not overlap with maintenance_window.'
+                    type: string
+                  blueGreenUpdate:
+                    description: Enables low-downtime updates using RDS Blue/Green
+                      deployments. See blue_green_update below
+                    items:
+                      properties:
+                        enabled:
+                          description: Enables [low-downtime updates](#Low-Downtime
+                            Updates) when true. Default is false.
+                          type: boolean
+                      type: object
+                    type: array
+                  caCertIdentifier:
+                    description: The identifier of the CA certificate for the DB instance.
+                    type: string
+                  characterSetName:
+                    description: The character set name to use for DB encoding in
+                      Oracle and Microsoft SQL instances (collation). This can't be
+                      changed. See Oracle Character Sets Supported in Amazon RDS or
+                      Server-Level Collation for Microsoft SQL Server for more information.
+                    type: string
+                  copyTagsToSnapshot:
+                    description: –  Copy all Instance tags to snapshots. Default is
+                      false.
+                    type: boolean
+                  customIamInstanceProfile:
+                    description: The instance profile associated with the underlying
+                      Amazon EC2 instance of an RDS Custom DB instance.
+                    type: string
+                  customerOwnedIpEnabled:
+                    description: Indicates whether to enable a customer-owned IP address
+                      (CoIP) for an RDS on Outposts DB instance. See CoIP for RDS
+                      on Outposts for more information.
+                    type: boolean
+                  dbName:
+                    description: The name of the database to create when the DB instance
+                      is created. If this parameter is not specified, no database
+                      is created in the DB instance. Note that this does not apply
+                      for Oracle or SQL Server engines. See the AWS documentation
+                      for more details on what applies for those engines. If you are
+                      providing an Oracle db name, it needs to be in all upper case.
+                      Cannot be specified for a replica.
+                    type: string
+                  dbSubnetGroupName:
+                    description: Name of DB subnet group. DB instance will be created
+                      in the VPC associated with the DB subnet group. If unspecified,
+                      will be created in the default VPC, or in EC2 Classic, if available.
+                      When working with read replicas, it should be specified only
+                      if the source database specifies an instance in another AWS
+                      Region. See DBSubnetGroupName in API action CreateDBInstanceReadReplica
+                      for additional read replica contraints.
+                    type: string
+                  deleteAutomatedBackups:
+                    description: Specifies whether to remove automated backups immediately
+                      after the DB instance is deleted. Default is true.
+                    type: boolean
+                  deletionProtection:
+                    description: If the DB instance should have deletion protection
+                      enabled. The database can't be deleted when this value is set
+                      to true. The default is false.
+                    type: boolean
+                  domain:
+                    description: The ID of the Directory Service Active Directory
+                      domain to create the instance in.
+                    type: string
+                  domainIamRoleName:
+                    description: The name of the IAM role to be used when making API
+                      calls to the Directory Service.
+                    type: string
+                  enabledCloudwatchLogsExports:
+                    description: 'Set of log types to enable for exporting to CloudWatch
+                      logs. If omitted, no logs will be exported. Valid values (depending
+                      on engine). MySQL and MariaDB: audit, error, general, slowquery.
+                      PostgreSQL: postgresql, upgrade. MSSQL: agent , error. Oracle:
+                      alert, audit, listener, trace.'
+                    items:
+                      type: string
+                    type: array
                   endpoint:
                     description: The connection endpoint in address:port format.
                     type: string
+                  engine:
+                    description: The database engine to use.  For supported values,
+                      see the Engine parameter in API action CreateDBInstance. Cannot
+                      be specified for a replica. Note that for Amazon Aurora instances
+                      the engine must match the DB cluster's engine'. For information
+                      on the difference between the available Aurora MySQL engines
+                      see Comparison between Aurora MySQL 1 and Aurora MySQL 2 in
+                      the Amazon RDS User Guide.
+                    type: string
+                  engineVersion:
+                    description: The engine version to use. If auto_minor_version_upgrade
+                      is enabled, you can provide a prefix of the version such as
+                      5.7 (for 5.7.10). The actual engine version used is returned
+                      in the attribute engine_version_actual, see Attributes Reference
+                      below. For supported values, see the EngineVersion parameter
+                      in API action CreateDBInstance. Note that for Amazon Aurora
+                      instances the engine version must match the DB cluster's engine
+                      version'. Cannot be specified for a replica.
+                    type: string
                   engineVersionActual:
                     description: The running version of the database.
                     type: string
+                  finalSnapshotIdentifier:
+                    description: The name of your final DB snapshot when this DB instance
+                      is deleted. Must be provided if skip_final_snapshot is set to
+                      false. The value must begin with a letter, only contain alphanumeric
+                      characters and hyphens, and not end with a hyphen or contain
+                      two consecutive hyphens. Must not be provided when deleting
+                      a read replica.
+                    type: string
                   hostedZoneId:
                     description: The canonical hosted zone ID of the DB instance (to
                       be used in a Route 53 Alias record).
                     type: string
+                  iamDatabaseAuthenticationEnabled:
+                    description: Specifies whether mappings of AWS Identity and Access
+                      Management (IAM) accounts to database accounts is enabled.
+                    type: boolean
                   id:
                     description: The RDS instance ID.
                     type: string
+                  instanceClass:
+                    description: The instance type of the RDS instance.
+                    type: string
+                  iops:
+                    description: The amount of provisioned IOPS. Setting this implies
+                      a storage_type of "io1". Can only be set when storage_type is
+                      "io1" or "gp3". Cannot be specified for gp3 storage if the allocated_storage
+                      value is below a per-engine threshold. See the RDS User Guide
+                      for details.
+                    type: number
+                  kmsKeyId:
+                    description: The ARN for the KMS encryption key. If creating an
+                      encrypted replica, set this to the destination KMS ARN.
+                    type: string
                   latestRestorableTime:
                     description: The latest time, in UTC RFC3339 format, to which
                       a database can be restored with point-in-time restore.
                     type: string
+                  licenseModel:
+                    description: License model information for this DB instance.
+                    type: string
+                  maintenanceWindow:
+                    description: 'The window to perform maintenance in. Syntax: "ddd:hh24:mi-ddd:hh24:mi".
+                      Eg: "Mon:00:00-Mon:03:00". See RDS Maintenance Window docs for
+                      more information.'
+                    type: string
+                  maxAllocatedStorage:
+                    description: When configured, the upper limit to which Amazon
+                      RDS can automatically scale the storage of the DB instance.
+                      Configuring this will automatically ignore differences to allocated_storage.
+                      Must be greater than or equal to allocated_storage or 0 to disable
+                      Storage Autoscaling.
+                    type: number
+                  monitoringInterval:
+                    description: 'The interval, in seconds, between points when Enhanced
+                      Monitoring metrics are collected for the DB instance. To disable
+                      collecting Enhanced Monitoring metrics, specify 0. The default
+                      is 0. Valid Values: 0, 1, 5, 10, 15, 30, 60.'
+                    type: number
+                  monitoringRoleArn:
+                    description: The ARN for the IAM role that permits RDS to send
+                      enhanced monitoring metrics to CloudWatch Logs. You can find
+                      more information on the AWS Documentation what IAM permissions
+                      are needed to allow Enhanced Monitoring for RDS Instances.
+                    type: string
+                  multiAz:
+                    description: Specifies if the RDS instance is multi-AZ
+                    type: boolean
+                  name:
+                    description: The name of the database to create when the DB instance
+                      is created. If this parameter is not specified, no database
+                      is created in the DB instance. Note that this does not apply
+                      for Oracle or SQL Server engines. See the AWS documentation
+                      for more details on what applies for those engines. If you are
+                      providing an Oracle db name, it needs to be in all upper case.
+                      Cannot be specified for a replica.
+                    type: string
+                  ncharCharacterSetName:
+                    description: The national character set is used in the NCHAR,
+                      NVARCHAR2, and NCLOB data types for Oracle instances. This can't
+                      be changed. See Oracle Character Sets Supported in Amazon RDS.
+                    type: string
+                  networkType:
+                    description: 'The network type of the DB instance. Valid values:
+                      IPV4, DUAL.'
+                    type: string
+                  optionGroupName:
+                    description: Name of the DB option group to associate.
+                    type: string
+                  parameterGroupName:
+                    description: Name of the DB parameter group to associate.
+                    type: string
+                  performanceInsightsEnabled:
+                    description: Specifies whether Performance Insights are enabled.
+                      Defaults to false.
+                    type: boolean
+                  performanceInsightsKmsKeyId:
+                    description: The ARN for the KMS key to encrypt Performance Insights
+                      data. When specifying performance_insights_kms_key_id, performance_insights_enabled
+                      needs to be set to true. Once KMS key is set, it can never be
+                      changed.
+                    type: string
+                  performanceInsightsRetentionPeriod:
+                    description: Amount of time in days to retain Performance Insights
+                      data. Valid values are 7, 731 (2 years) or a multiple of 31.
+                      When specifying performance_insights_retention_period, performance_insights_enabled
+                      needs to be set to true. Defaults to '7'.
+                    type: number
+                  port:
+                    description: The port on which the DB accepts connections.
+                    type: number
+                  publiclyAccessible:
+                    description: Bool to control if instance is publicly accessible.
+                      Default is false.
+                    type: boolean
+                  replicaMode:
+                    description: Specifies whether the replica is in either mounted
+                      or open-read-only mode. This attribute is only supported by
+                      Oracle instances. Oracle replicas operate in open-read-only
+                      mode unless otherwise specified. See Working with Oracle Read
+                      Replicas for more information.
+                    type: string
                   replicas:
                     items:
                       type: string
                     type: array
+                  replicateSourceDb:
+                    description: Specifies that this resource is a Replicate database,
+                      and to use this value as the source database. This correlates
+                      to the identifier of another Amazon RDS Database to replicate
+                      (if replicating within a single region) or ARN of the Amazon
+                      RDS Database to replicate (if replicating cross-region). Note
+                      that if you are creating a cross-region replica of an encrypted
+                      database you will also need to specify a kms_key_id. See DB
+                      Instance Replication and Working with PostgreSQL and MySQL Read
+                      Replicas for more information on using Replication.
+                    type: string
                   resourceId:
                     description: The RDS Resource ID of this instance.
                     type: string
+                  restoreToPointInTime:
+                    description: A configuration block for restoring a DB instance
+                      to an arbitrary point in time. Requires the identifier argument
+                      to be set with the name of the new DB instance to be created.
+                      See Restore To Point In Time below for details.
+                    items:
+                      properties:
+                        restoreTime:
+                          description: The date and time to restore from. Value must
+                            be a time in Universal Coordinated Time (UTC) format and
+                            must be before the latest restorable time for the DB instance.
+                            Cannot be specified with use_latest_restorable_time.
+                          type: string
+                        sourceDbInstanceAutomatedBackupsArn:
+                          description: The ARN of the automated backup from which
+                            to restore. Required if source_db_instance_identifier
+                            or source_dbi_resource_id is not specified.
+                          type: string
+                        sourceDbInstanceIdentifier:
+                          description: The identifier of the source DB instance from
+                            which to restore. Must match the identifier of an existing
+                            DB instance. Required if source_db_instance_automated_backups_arn
+                            or source_dbi_resource_id is not specified.
+                          type: string
+                        sourceDbiResourceId:
+                          description: The resource ID of the source DB instance from
+                            which to restore. Required if source_db_instance_identifier
+                            or source_db_instance_automated_backups_arn is not specified.
+                          type: string
+                        useLatestRestorableTime:
+                          description: A boolean value that indicates whether the
+                            DB instance is restored from the latest backup time. Defaults
+                            to false. Cannot be specified with restore_time.
+                          type: boolean
+                      type: object
+                    type: array
+                  s3Import:
+                    description: Restore from a Percona Xtrabackup in S3.  See Importing
+                      Data into an Amazon RDS MySQL DB Instance
+                    items:
+                      properties:
+                        bucketName:
+                          description: The bucket name where your backup is stored
+                          type: string
+                        bucketPrefix:
+                          description: Can be blank, but is the path to your backup
+                          type: string
+                        ingestionRole:
+                          description: Role applied to load the data.
+                          type: string
+                        sourceEngine:
+                          description: Source engine for the backup
+                          type: string
+                        sourceEngineVersion:
+                          description: Version of the source engine used to make the
+                            backup
+                          type: string
+                      type: object
+                    type: array
+                  securityGroupNames:
+                    description: List of DB Security Groups to associate. Only used
+                      for DB Instances on the .
+                    items:
+                      type: string
+                    type: array
+                  skipFinalSnapshot:
+                    description: Determines whether a final DB snapshot is created
+                      before the DB instance is deleted. If true is specified, no
+                      DBSnapshot is created. If false is specified, a DB snapshot
+                      is created before the DB instance is deleted, using the value
+                      from final_snapshot_identifier. Default is false.
+                    type: boolean
+                  snapshotIdentifier:
+                    description: 'Specifies whether or not to create this database
+                      from a snapshot. This correlates to the snapshot ID you''d find
+                      in the RDS console, e.g: rds:production-2015-06-26-06-05.'
+                    type: string
                   status:
                     description: The RDS instance status.
                     type: string
+                  storageEncrypted:
+                    description: Specifies whether the DB instance is encrypted. Note
+                      that if you are creating a cross-region read replica this field
+                      is ignored and you should instead declare kms_key_id with a
+                      valid ARN. The default is false if not specified.
+                    type: boolean
+                  storageThroughput:
+                    description: The storage throughput value for the DB instance.
+                      Can only be set when storage_type is "gp3". Cannot be specified
+                      if the allocated_storage value is below a per-engine threshold.
+                      See the RDS User Guide for details.
+                    type: number
+                  storageType:
+                    description: One of "standard" (magnetic), "gp2" (general purpose
+                      SSD), "gp3" (general purpose SSD that needs iops independently)
+                      or "io1" (provisioned IOPS SSD). The default is "io1" if iops
+                      is specified, "gp2" if not.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -984,6 +1358,20 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  timezone:
+                    description: Time zone of the DB instance. timezone is currently
+                      only supported by Microsoft SQL Server. The timezone can only
+                      be set on creation. See MSSQL User Guide for more information.
+                    type: string
+                  username:
+                    description: Username for the master DB user. Cannot be specified
+                      for a replica.
+                    type: string
+                  vpcSecurityGroupIds:
+                    description: List of VPC security groups to associate.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_optiongroups.yaml b/package/crds/rds.aws.upbound.io_optiongroups.yaml
index 69b4b37210..f90aab9ee1 100644
--- a/package/crds/rds.aws.upbound.io_optiongroups.yaml
+++ b/package/crds/rds.aws.upbound.io_optiongroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -131,10 +135,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - engineName
-                - majorEngineVersion
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -306,6 +323,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: engineName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineName)
+            - message: majorEngineVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.majorEngineVersion)
           status:
             description: OptionGroupStatus defines the observed state of OptionGroup.
             properties:
@@ -314,9 +336,66 @@ spec:
                   arn:
                     description: The ARN of the db option group.
                     type: string
+                  engineName:
+                    description: Specifies the name of the engine that this option
+                      group should be associated with.
+                    type: string
                   id:
                     description: The db option group name.
                     type: string
+                  majorEngineVersion:
+                    description: Specifies the major version of the engine that this
+                      option group should be associated with.
+                    type: string
+                  option:
+                    description: A list of Options to apply.
+                    items:
+                      properties:
+                        dbSecurityGroupMemberships:
+                          description: A list of DB Security Groups for which the
+                            option is enabled.
+                          items:
+                            type: string
+                          type: array
+                        optionName:
+                          description: The Name of the Option (e.g., MEMCACHED).
+                          type: string
+                        optionSettings:
+                          description: A list of option settings to apply.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the option group. Must be
+                                  lowercase, to match as it is stored in AWS.
+                                type: string
+                              value:
+                                description: The Value of the setting.
+                                type: string
+                            type: object
+                          type: array
+                        port:
+                          description: The Port number when connecting to the Option
+                            (e.g., 11211).
+                          type: number
+                        version:
+                          description: The version of the option (e.g., 13.1.0.0).
+                          type: string
+                        vpcSecurityGroupMemberships:
+                          description: A list of VPC Security Groups for which the
+                            option is enabled.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  optionGroupDescription:
+                    description: The description of the option group.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_parametergroups.yaml b/package/crds/rds.aws.upbound.io_parametergroups.yaml
index 113f9c409d..f751b3bebf 100644
--- a/package/crds/rds.aws.upbound.io_parametergroups.yaml
+++ b/package/crds/rds.aws.upbound.io_parametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -103,9 +107,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -277,6 +295,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
           status:
             description: ParameterGroupStatus defines the observed state of ParameterGroup.
             properties:
@@ -285,9 +306,40 @@ spec:
                   arn:
                     description: The ARN of the db parameter group.
                     type: string
+                  description:
+                    description: The description of the DB parameter group.
+                    type: string
+                  family:
+                    description: The family of the DB parameter group.
+                    type: string
                   id:
                     description: The db parameter group name.
                     type: string
+                  parameter:
+                    description: A list of DB parameters to apply. Note that parameters
+                      may differ from a family to an other. Full list of all parameters
+                      can be discovered via aws rds describe-db-parameters after initial
+                      creation of the group.
+                    items:
+                      properties:
+                        applyMethod:
+                          description: '"immediate" (default), or "pending-reboot".
+                            Some engines can''t apply some parameters without a reboot,
+                            and you will need to specify "pending-reboot" here.'
+                          type: string
+                        name:
+                          description: The name of the DB parameter group.
+                          type: string
+                        value:
+                          description: The value of the DB parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_proxies.yaml b/package/crds/rds.aws.upbound.io_proxies.yaml
index cd9c2e0ed7..19fcbabe6b 100644
--- a/package/crds/rds.aws.upbound.io_proxies.yaml
+++ b/package/crds/rds.aws.upbound.io_proxies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -384,11 +388,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - auth
-                - engineFamily
                 - region
-                - vpcSubnetIds
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -560,6 +576,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: auth is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.auth)
+            - message: engineFamily is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.engineFamily)
+            - message: vpcSubnetIds is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcSubnetIds)
           status:
             description: ProxyStatus defines the observed state of Proxy.
             properties:
@@ -568,14 +591,89 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) for the proxy.
                     type: string
+                  auth:
+                    description: Configuration block(s) with authorization mechanisms
+                      to connect to the associated instances or clusters. Described
+                      below.
+                    items:
+                      properties:
+                        authScheme:
+                          description: The type of authentication that the proxy uses
+                            for connections from the proxy to the underlying database.
+                            One of SECRETS.
+                          type: string
+                        clientPasswordAuthType:
+                          description: The type of authentication the proxy uses for
+                            connections from clients. Valid values are MYSQL_NATIVE_PASSWORD,
+                            POSTGRES_SCRAM_SHA_256, POSTGRES_MD5, and SQL_SERVER_AUTHENTICATION.
+                          type: string
+                        description:
+                          description: A user-specified description about the authentication
+                            used by a proxy to log in as a specific database user.
+                          type: string
+                        iamAuth:
+                          description: Whether to require or disallow AWS Identity
+                            and Access Management (IAM) authentication for connections
+                            to the proxy. One of DISABLED, REQUIRED.
+                          type: string
+                        secretArn:
+                          description: The Amazon Resource Name (ARN) representing
+                            the secret that the proxy uses to authenticate to the
+                            RDS DB instance or Aurora DB cluster. These secrets are
+                            stored within Amazon Secrets Manager.
+                          type: string
+                        username:
+                          description: The name of the database user to which the
+                            proxy connects.
+                          type: string
+                      type: object
+                    type: array
+                  debugLogging:
+                    description: Whether the proxy includes detailed information about
+                      SQL statements in its logs. This information helps you to debug
+                      issues involving SQL behavior or the performance and scalability
+                      of the proxy connections. The debug information includes the
+                      text of SQL statements that you submit through the proxy. Thus,
+                      only enable this setting when needed for debugging, and only
+                      when you have security measures in place to safeguard any sensitive
+                      information that appears in the logs.
+                    type: boolean
                   endpoint:
                     description: The endpoint that you can use to connect to the proxy.
                       You include the endpoint value in the connection string for
                       a database client application.
                     type: string
+                  engineFamily:
+                    description: The kinds of databases that the proxy can connect
+                      to. This value determines which database network protocol the
+                      proxy recognizes when it interprets network traffic to and from
+                      the database. The engine family applies to MySQL and PostgreSQL
+                      for both RDS and Aurora. Valid values are MYSQL and POSTGRESQL.
+                    type: string
                   id:
                     description: The Amazon Resource Name (ARN) for the proxy.
                     type: string
+                  idleClientTimeout:
+                    description: The number of seconds that a connection to the proxy
+                      can be inactive before the proxy disconnects it. You can set
+                      this value higher or lower than the connection timeout limit
+                      for the associated database.
+                    type: number
+                  requireTls:
+                    description: A Boolean parameter that specifies whether Transport
+                      Layer Security (TLS) encryption is required for connections
+                      to the proxy. By enabling this setting, you can enforce encrypted
+                      TLS connections to the proxy.
+                    type: boolean
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of the IAM role that
+                      the proxy uses to access secrets in AWS Secrets Manager.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -583,6 +681,18 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcSecurityGroupIds:
+                    description: One or more VPC security group IDs to associate with
+                      the new proxy.
+                    items:
+                      type: string
+                    type: array
+                  vpcSubnetIds:
+                    description: One or more VPC subnet IDs to associate with the
+                      new proxy.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_proxydefaulttargetgroups.yaml b/package/crds/rds.aws.upbound.io_proxydefaulttargetgroups.yaml
index 9b3d5b7cd5..9d73efb649 100644
--- a/package/crds/rds.aws.upbound.io_proxydefaulttargetgroups.yaml
+++ b/package/crds/rds.aws.upbound.io_proxydefaulttargetgroups.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -200,6 +204,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -381,6 +400,61 @@ spec:
                     description: The Amazon Resource Name (ARN) representing the target
                       group.
                     type: string
+                  connectionPoolConfig:
+                    description: The settings that determine the size and behavior
+                      of the connection pool for the target group.
+                    items:
+                      properties:
+                        connectionBorrowTimeout:
+                          description: The number of seconds for a proxy to wait for
+                            a connection to become available in the connection pool.
+                            Only applies when the proxy has opened its maximum number
+                            of connections and all connections are busy with client
+                            sessions.
+                          type: number
+                        initQuery:
+                          description: One or more SQL statements for the proxy to
+                            run when opening each new database connection. Typically
+                            used with SET statements to make sure that each connection
+                            has identical settings such as time zone and character
+                            set. This setting is empty by default. For multiple statements,
+                            use semicolons as the separator. You can also include
+                            multiple variables in a single SET statement, such as
+                            SET x=1, y=2.
+                          type: string
+                        maxConnectionsPercent:
+                          description: The maximum size of the connection pool for
+                            each target in a target group. For Aurora MySQL, it is
+                            expressed as a percentage of the max_connections setting
+                            for the RDS DB instance or Aurora DB cluster used by the
+                            target group.
+                          type: number
+                        maxIdleConnectionsPercent:
+                          description: Controls how actively the proxy closes idle
+                            database connections in the connection pool. A high value
+                            enables the proxy to leave a high percentage of idle connections
+                            open. A low value causes the proxy to close idle client
+                            connections and return the underlying database connections
+                            to the connection pool. For Aurora MySQL, it is expressed
+                            as a percentage of the max_connections setting for the
+                            RDS DB instance or Aurora DB cluster used by the target
+                            group.
+                          type: number
+                        sessionPinningFilters:
+                          description: Each item in the list represents a class of
+                            SQL operations that normally cause all later statements
+                            in a session using a proxy to be pinned to the same underlying
+                            database connection. Including an item in the list exempts
+                            that class of SQL operations from the pinning behavior.
+                            Currently, the only allowed value is EXCLUDE_VARIABLE_SETS.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  dbProxyName:
+                    description: Name of the RDS DB Proxy.
+                    type: string
                   id:
                     description: Name of the RDS DB Proxy.
                     type: string
diff --git a/package/crds/rds.aws.upbound.io_proxyendpoints.yaml b/package/crds/rds.aws.upbound.io_proxyendpoints.yaml
index a95e9a1a93..71c351140c 100644
--- a/package/crds/rds.aws.upbound.io_proxyendpoints.yaml
+++ b/package/crds/rds.aws.upbound.io_proxyendpoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -246,8 +250,22 @@ spec:
                     type: array
                 required:
                 - region
-                - vpcSubnetIds
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -419,6 +437,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: vpcSubnetIds is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.vpcSubnetIds)
           status:
             description: ProxyEndpointStatus defines the observed state of ProxyEndpoint.
             properties:
@@ -427,6 +448,10 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) for the proxy endpoint.
                     type: string
+                  dbProxyName:
+                    description: The name of the DB proxy associated with the DB proxy
+                      endpoint that you create.
+                    type: string
                   endpoint:
                     description: The endpoint that you can use to connect to the proxy.
                       You include the endpoint value in the connection string for
@@ -440,13 +465,35 @@ spec:
                     description: Indicates whether this endpoint is the default endpoint
                       for the associated DB proxy.
                     type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  targetRole:
+                    description: Indicates whether the DB proxy endpoint can be used
+                      for read/write or read-only operations. The default is READ_WRITE.
+                      Valid values are READ_WRITE and READ_ONLY.
+                    type: string
                   vpcId:
                     description: The VPC ID of the DB proxy endpoint.
                     type: string
+                  vpcSecurityGroupIds:
+                    description: One or more VPC security group IDs to associate with
+                      the new proxy.
+                    items:
+                      type: string
+                    type: array
+                  vpcSubnetIds:
+                    description: One or more VPC subnet IDs to associate with the
+                      new proxy.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rds.aws.upbound.io_proxytargets.yaml b/package/crds/rds.aws.upbound.io_proxytargets.yaml
index a49d6e36f5..e97b9cbeb3 100644
--- a/package/crds/rds.aws.upbound.io_proxytargets.yaml
+++ b/package/crds/rds.aws.upbound.io_proxytargets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,8 +232,22 @@ spec:
                     type: string
                 required:
                 - region
-                - targetGroupName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -401,11 +419,23 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: targetGroupName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetGroupName)
           status:
             description: ProxyTargetStatus defines the observed state of ProxyTarget.
             properties:
               atProvider:
                 properties:
+                  dbClusterIdentifier:
+                    description: DB cluster identifier.
+                    type: string
+                  dbInstanceIdentifier:
+                    description: DB instance identifier.
+                    type: string
+                  dbProxyName:
+                    description: The name of the DB proxy.
+                    type: string
                   endpoint:
                     description: Hostname for the target RDS DB Instance. Only returned
                       for RDS_INSTANCE type.
@@ -427,6 +457,9 @@ spec:
                     description: Amazon Resource Name (ARN) for the DB instance or
                       DB cluster. Currently not returned by the RDS API.
                     type: string
+                  targetGroupName:
+                    description: The name of the target group.
+                    type: string
                   trackedClusterId:
                     description: DB Cluster identifier for the DB Instance target.
                       Not returned unless manually importing an RDS_INSTANCE target
diff --git a/package/crds/rds.aws.upbound.io_securitygroups.yaml b/package/crds/rds.aws.upbound.io_securitygroups.yaml
index 71e2b29608..7f6b1cb72d 100644
--- a/package/crds/rds.aws.upbound.io_securitygroups.yaml
+++ b/package/crds/rds.aws.upbound.io_securitygroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -96,9 +100,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - ingress
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,6 +288,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: ingress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ingress)
           status:
             description: SecurityGroupStatus defines the observed state of SecurityGroup.
             properties:
@@ -278,9 +299,36 @@ spec:
                   arn:
                     description: The arn of the DB security group.
                     type: string
+                  description:
+                    description: The description of the DB security group.
+                    type: string
                   id:
                     description: The db security group ID.
                     type: string
+                  ingress:
+                    description: A list of ingress rules.
+                    items:
+                      properties:
+                        cidr:
+                          description: The CIDR block to accept
+                          type: string
+                        securityGroupId:
+                          description: The ID of the security group to authorize
+                          type: string
+                        securityGroupName:
+                          description: The name of the security group to authorize
+                          type: string
+                        securityGroupOwnerId:
+                          description: The owner Id of the security group provided
+                            by security_group_name.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_snapshots.yaml b/package/crds/rds.aws.upbound.io_snapshots.yaml
index b280505753..29f2419e0a 100644
--- a/package/crds/rds.aws.upbound.io_snapshots.yaml
+++ b/package/crds/rds.aws.upbound.io_snapshots.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,6 +157,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,6 +356,10 @@ spec:
                     description: Specifies the name of the Availability Zone the DB
                       instance was located in at the time of the DB snapshot.
                     type: string
+                  dbInstanceIdentifier:
+                    description: The DB Instance Identifier from which to take the
+                      snapshot.
+                    type: string
                   dbSnapshotArn:
                     description: The Amazon Resource Name (ARN) for the DB snapshot.
                     type: string
@@ -383,6 +406,11 @@ spec:
                   storageType:
                     description: Specifies the storage type associated with DB snapshot.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rds.aws.upbound.io_subnetgroups.yaml b/package/crds/rds.aws.upbound.io_subnetgroups.yaml
index 1b1c921596..03abb5b591 100644
--- a/package/crds/rds.aws.upbound.io_subnetgroups.yaml
+++ b/package/crds/rds.aws.upbound.io_subnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,6 +165,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,14 +359,27 @@ spec:
                   arn:
                     description: The ARN of the db subnet group.
                     type: string
+                  description:
+                    description: The description of the DB subnet group.
+                    type: string
                   id:
                     description: The db subnet group name.
                     type: string
+                  subnetIds:
+                    description: A list of VPC subnet IDs.
+                    items:
+                      type: string
+                    type: array
                   supportedNetworkTypes:
                     description: The network type of the db subnet group.
                     items:
                       type: string
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_authenticationprofiles.yaml b/package/crds/redshift.aws.upbound.io_authenticationprofiles.yaml
index 9b8a7f369f..89f7a5c163 100644
--- a/package/crds/redshift.aws.upbound.io_authenticationprofiles.yaml
+++ b/package/crds/redshift.aws.upbound.io_authenticationprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -74,9 +78,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - authenticationProfileContent
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -248,12 +266,20 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authenticationProfileContent is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authenticationProfileContent)
           status:
             description: AuthenticationProfileStatus defines the observed state of
               AuthenticationProfile.
             properties:
               atProvider:
                 properties:
+                  authenticationProfileContent:
+                    description: The content of the authentication profile in JSON
+                      format. The maximum length of the JSON string is determined
+                      by a quota for your account.
+                    type: string
                   id:
                     description: The name of the authentication profile.
                     type: string
diff --git a/package/crds/redshift.aws.upbound.io_clusters.yaml b/package/crds/redshift.aws.upbound.io_clusters.yaml
index a477714ef1..cb1ce7201f 100644
--- a/package/crds/redshift.aws.upbound.io_clusters.yaml
+++ b/package/crds/redshift.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -625,9 +629,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - nodeType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -799,14 +817,54 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: nodeType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.nodeType)
           status:
             description: ClusterStatus defines the observed state of Cluster.
             properties:
               atProvider:
                 properties:
+                  allowVersionUpgrade:
+                    description: If true , major version upgrades can be applied during
+                      the maintenance window to the Amazon Redshift engine that is
+                      running on the cluster. Default is true.
+                    type: boolean
+                  applyImmediately:
+                    description: Specifies whether any cluster modifications are applied
+                      immediately, or during the next maintenance window. Default
+                      is false.
+                    type: boolean
+                  aquaConfigurationStatus:
+                    description: The value represents how the cluster is configured
+                      to use AQUA (Advanced Query Accelerator) after the cluster is
+                      restored. Possible values are enabled, disabled, and auto. Requires
+                      Cluster reboot.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of cluster
                     type: string
+                  automatedSnapshotRetentionPeriod:
+                    description: The number of days that automated snapshots are retained.
+                      If the value is 0, automated snapshots are disabled. Even if
+                      automated snapshots are disabled, you can still create manual
+                      snapshots when you want with create-cluster-snapshot. Default
+                      is 1.
+                    type: number
+                  availabilityZone:
+                    description: The EC2 Availability Zone (AZ) in which you want
+                      Amazon Redshift to provision the cluster. For example, if you
+                      have several EC2 instances running in a specific Availability
+                      Zone, then you might want the cluster to be provisioned in the
+                      same zone in order to decrease network latency. Can only be
+                      changed if availability_zone_relocation_enabled is true.
+                    type: string
+                  availabilityZoneRelocationEnabled:
+                    description: If true, the cluster can be relocated to another
+                      availabity zone, either automatically by AWS or when requested.
+                      Default is false. Available for use on clusters from the RA3
+                      instance family.
+                    type: boolean
                   clusterNodes:
                     description: The nodes in the cluster. Cluster node blocks are
                       documented below
@@ -824,12 +882,202 @@ spec:
                           type: string
                       type: object
                     type: array
+                  clusterParameterGroupName:
+                    description: The name of the parameter group to be associated
+                      with this cluster.
+                    type: string
+                  clusterPublicKey:
+                    description: The public key for the cluster
+                    type: string
+                  clusterRevisionNumber:
+                    description: The specific revision number of the database in the
+                      cluster
+                    type: string
+                  clusterSecurityGroups:
+                    description: A list of security groups to be associated with this
+                      cluster.
+                    items:
+                      type: string
+                    type: array
+                  clusterSubnetGroupName:
+                    description: The name of a cluster subnet group to be associated
+                      with this cluster. If this parameter is not provided the resulting
+                      cluster will be deployed outside virtual private cloud (VPC).
+                    type: string
+                  clusterType:
+                    description: The cluster type to use. Either single-node or multi-node.
+                    type: string
+                  clusterVersion:
+                    description: The version of the Amazon Redshift engine software
+                      that you want to deploy on the cluster. The version selected
+                      runs on all the nodes in the cluster.
+                    type: string
+                  databaseName:
+                    description: The name of the first database to be created when
+                      the cluster is created. If you do not provide a name, Amazon
+                      Redshift will create a default database called dev.
+                    type: string
+                  defaultIamRoleArn:
+                    description: The Amazon Resource Name (ARN) for the IAM role that
+                      was set as default for the cluster when the cluster was created.
+                    type: string
                   dnsName:
                     description: The DNS name of the cluster
                     type: string
+                  elasticIp:
+                    description: The Elastic IP (EIP) address for the cluster.
+                    type: string
+                  encrypted:
+                    description: If true , the data in the cluster is encrypted at
+                      rest.
+                    type: boolean
+                  endpoint:
+                    description: The connection endpoint
+                    type: string
+                  enhancedVpcRouting:
+                    description: If true , enhanced VPC routing is enabled.
+                    type: boolean
+                  finalSnapshotIdentifier:
+                    description: The identifier of the final snapshot that is to be
+                      created immediately before deleting the cluster. If this parameter
+                      is provided, skip_final_snapshot must be false.
+                    type: string
+                  iamRoles:
+                    description: A list of IAM Role ARNs to associate with the cluster.
+                      A Maximum of 10 can be associated to the cluster at any time.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The Redshift Cluster ID.
                     type: string
+                  kmsKeyId:
+                    description: The ARN for the KMS encryption key. When specifying
+                      kms_key_id, encrypted needs to be set to true.
+                    type: string
+                  logging:
+                    description: Logging, documented below.
+                    items:
+                      properties:
+                        bucketName:
+                          description: The name of an existing S3 bucket where the
+                            log files are to be stored. Must be in the same region
+                            as the cluster and the cluster must have read bucket and
+                            put object permissions. For more information on the permissions
+                            required for the bucket, please read the AWS documentation
+                          type: string
+                        enable:
+                          description: Enables logging information such as queries
+                            and connection attempts, for the specified Amazon Redshift
+                            cluster.
+                          type: boolean
+                        logDestinationType:
+                          description: The log destination type. An enum with possible
+                            values of s3 and cloudwatch.
+                          type: string
+                        logExports:
+                          description: The collection of exported log types. Log types
+                            include the connection log, user log and user activity
+                            log. Required when log_destination_type is cloudwatch.
+                            Valid log types are connectionlog, userlog, and useractivitylog.
+                          items:
+                            type: string
+                          type: array
+                        s3KeyPrefix:
+                          description: The prefix applied to the log file names.
+                          type: string
+                      type: object
+                    type: array
+                  maintenanceTrackName:
+                    description: The name of the maintenance track for the restored
+                      cluster. When you take a snapshot, the snapshot inherits the
+                      MaintenanceTrack value from the cluster. The snapshot might
+                      be on a different track than the cluster that was the source
+                      for the snapshot. For example, suppose that you take a snapshot
+                      of  a cluster that is on the current track and then change the
+                      cluster to be on the trailing track. In this case, the snapshot
+                      and the source cluster are on different tracks. Default value
+                      is current.
+                    type: string
+                  manualSnapshotRetentionPeriod:
+                    description: The default number of days to retain a manual snapshot.
+                      If the value is -1, the snapshot is retained indefinitely. This
+                      setting doesn't change the retention period of existing snapshots.
+                      Valid values are between -1 and 3653. Default value is -1.
+                    type: number
+                  masterUsername:
+                    description: Username for the master DB user.
+                    type: string
+                  nodeType:
+                    description: The node type to be provisioned for the cluster.
+                    type: string
+                  numberOfNodes:
+                    description: The number of compute nodes in the cluster. This
+                      parameter is required when the ClusterType parameter is specified
+                      as multi-node. Default is 1.
+                    type: number
+                  ownerAccount:
+                    description: The AWS customer account used to create or copy the
+                      snapshot. Required if you are restoring a snapshot you do not
+                      own, optional if you own the snapshot.
+                    type: string
+                  port:
+                    description: The port number on which the cluster accepts incoming
+                      connections. Valid values are between 1115 and 65535. The cluster
+                      is accessible only via the JDBC and ODBC connection strings.
+                      Part of the connection string requires the port on which the
+                      cluster will listen for incoming connections. Default port is
+                      5439.
+                    type: number
+                  preferredMaintenanceWindow:
+                    description: 'The weekly time range (in UTC) during which automated
+                      cluster maintenance can occur. Format: ddd:hh24:mi-ddd:hh24:mi'
+                    type: string
+                  publiclyAccessible:
+                    description: If true, the cluster can be accessed from a public
+                      network. Default is true.
+                    type: boolean
+                  skipFinalSnapshot:
+                    description: Determines whether a final snapshot of the cluster
+                      is created before Amazon Redshift deletes the cluster. If true
+                      , a final cluster snapshot is not created. If false , a final
+                      cluster snapshot is created before the cluster is deleted. Default
+                      is false.
+                    type: boolean
+                  snapshotClusterIdentifier:
+                    description: The name of the cluster the source snapshot was created
+                      from.
+                    type: string
+                  snapshotCopy:
+                    description: Configuration of automatic copy of snapshots from
+                      one region to another. Documented below.
+                    items:
+                      properties:
+                        destinationRegion:
+                          description: The destination region that you want to copy
+                            snapshots to.
+                          type: string
+                        grantName:
+                          description: The name of the snapshot copy grant to use
+                            when snapshots of an AWS KMS-encrypted cluster are copied
+                            to the destination region.
+                          type: string
+                        retentionPeriod:
+                          description: The number of days to retain automated snapshots
+                            in the destination region after they are copied from the
+                            source region. Defaults to 7.
+                          type: number
+                      type: object
+                    type: array
+                  snapshotIdentifier:
+                    description: The name of the snapshot from which to create the
+                      new cluster.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -837,6 +1085,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcSecurityGroupIds:
+                    description: A list of Virtual Private Cloud (VPC) security groups
+                      to be associated with the cluster.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/redshift.aws.upbound.io_eventsubscriptions.yaml b/package/crds/redshift.aws.upbound.io_eventsubscriptions.yaml
index 6a4596cd20..1677aa7396 100644
--- a/package/crds/redshift.aws.upbound.io_eventsubscriptions.yaml
+++ b/package/crds/redshift.aws.upbound.io_eventsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -182,6 +186,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -366,11 +385,49 @@ spec:
                     description: The AWS customer account associated with the Redshift
                       event notification subscription
                     type: string
+                  enabled:
+                    description: A boolean flag to enable/disable the subscription.
+                      Defaults to true.
+                    type: boolean
+                  eventCategories:
+                    description: A list of event categories for a SourceType that
+                      you want to subscribe to. See https://docs.aws.amazon.com/redshift/latest/mgmt/working-with-event-notifications.html
+                      or run aws redshift describe-event-categories.
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: The name of the Redshift event notification subscription
                     type: string
+                  severity:
+                    description: The event severity to be published by the notification
+                      subscription. Valid options are INFO or ERROR. Default value
+                      of INFO.
+                    type: string
+                  snsTopicArn:
+                    description: The ARN of the SNS topic to send events to.
+                    type: string
+                  sourceIds:
+                    description: A list of identifiers of the event sources for which
+                      events will be returned. If not specified, then all sources
+                      are included in the response. If specified, a source_type must
+                      also be specified.
+                    items:
+                      type: string
+                    type: array
+                  sourceType:
+                    description: The type of source that will be generating the events.
+                      Valid options are cluster, cluster-parameter-group, cluster-security-group,
+                      cluster-snapshot, or scheduled-action. If not set, all sources
+                      will be subscribed to.
+                    type: string
                   status:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_hsmclientcertificates.yaml b/package/crds/redshift.aws.upbound.io_hsmclientcertificates.yaml
index 131797f487..da58f2e03e 100644
--- a/package/crds/redshift.aws.upbound.io_hsmclientcertificates.yaml
+++ b/package/crds/redshift.aws.upbound.io_hsmclientcertificates.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,6 +82,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -265,6 +284,11 @@ spec:
                     type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_hsmconfigurations.yaml b/package/crds/redshift.aws.upbound.io_hsmconfigurations.yaml
index 76dc72fe6c..b3b648ecc7 100644
--- a/package/crds/redshift.aws.upbound.io_hsmconfigurations.yaml
+++ b/package/crds/redshift.aws.upbound.io_hsmconfigurations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -109,13 +113,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - description
-                - hsmIpAddress
-                - hsmPartitionName
-                - hsmPartitionPasswordSecretRef
-                - hsmServerPublicCertificate
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -287,6 +301,17 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: hsmIpAddress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmIpAddress)
+            - message: hsmPartitionName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmPartitionName)
+            - message: hsmPartitionPasswordSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmPartitionPasswordSecretRef)
+            - message: hsmServerPublicCertificate is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.hsmServerPublicCertificate)
           status:
             description: HSMConfigurationStatus defines the observed state of HSMConfiguration.
             properties:
@@ -295,8 +320,29 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the Hsm Client Certificate.
                     type: string
+                  description:
+                    description: A text description of the HSM configuration to be
+                      created.
+                    type: string
+                  hsmIpAddress:
+                    description: The IP address that the Amazon Redshift cluster must
+                      use to access the HSM.
+                    type: string
+                  hsmPartitionName:
+                    description: The name of the partition in the HSM where the Amazon
+                      Redshift clusters will store their database encryption keys.
+                    type: string
+                  hsmServerPublicCertificate:
+                    description: The HSMs public certificate file. When using Cloud
+                      HSM, the file name is server.pem.
+                    type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_parametergroups.yaml b/package/crds/redshift.aws.upbound.io_parametergroups.yaml
index 54f7cfeea0..68822fedd5 100644
--- a/package/crds/redshift.aws.upbound.io_parametergroups.yaml
+++ b/package/crds/redshift.aws.upbound.io_parametergroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -98,10 +102,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - family
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -273,6 +290,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: family is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.family)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ParameterGroupStatus defines the observed state of ParameterGroup.
             properties:
@@ -281,9 +303,35 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of parameter group
                     type: string
+                  description:
+                    description: The description of the Redshift parameter group.
+                    type: string
+                  family:
+                    description: The family of the Redshift parameter group.
+                    type: string
                   id:
                     description: The Redshift parameter group name.
                     type: string
+                  name:
+                    description: The name of the Redshift parameter group.
+                    type: string
+                  parameter:
+                    description: A list of Redshift parameters to apply.
+                    items:
+                      properties:
+                        name:
+                          description: The name of the Redshift parameter group.
+                          type: string
+                        value:
+                          description: The value of the Redshift parameter.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_scheduledactions.yaml b/package/crds/redshift.aws.upbound.io_scheduledactions.yaml
index 9ab1bd3c00..0613a1847c 100644
--- a/package/crds/redshift.aws.upbound.io_scheduledactions.yaml
+++ b/package/crds/redshift.aws.upbound.io_scheduledactions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -225,9 +229,22 @@ spec:
                     type: array
                 required:
                 - region
-                - schedule
-                - targetAction
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -399,14 +416,95 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: schedule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)
+            - message: targetAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetAction)
           status:
             description: ScheduledActionStatus defines the observed state of ScheduledAction.
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: The description of the scheduled action.
+                    type: string
+                  enable:
+                    description: Whether to enable the scheduled action. Default is
+                      true .
+                    type: boolean
+                  endTime:
+                    description: The end time in UTC when the schedule is active,
+                      in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ).
+                    type: string
+                  iamRole:
+                    description: The IAM role to assume to run the scheduled action.
+                    type: string
                   id:
                     description: The Redshift Scheduled Action name.
                     type: string
+                  schedule:
+                    description: The schedule of action. The schedule is defined format
+                      of "at expression" or "cron expression", for example at(2016-03-04T17:27:00)
+                      or cron(0 10 ? * MON *). See Scheduled Action for more information.
+                    type: string
+                  startTime:
+                    description: The start time in UTC when the schedule is active,
+                      in UTC RFC3339 format(for example, YYYY-MM-DDTHH:MM:SSZ).
+                    type: string
+                  targetAction:
+                    description: Target action. Documented below.
+                    items:
+                      properties:
+                        pauseCluster:
+                          description: An action that runs a PauseCluster API operation.
+                            Documented below.
+                          items:
+                            properties:
+                              clusterIdentifier:
+                                description: The identifier of the cluster to be paused.
+                                type: string
+                            type: object
+                          type: array
+                        resizeCluster:
+                          description: An action that runs a ResizeCluster API operation.
+                            Documented below.
+                          items:
+                            properties:
+                              classic:
+                                description: 'A boolean value indicating whether the
+                                  resize operation is using the classic resize process.
+                                  Default: false.'
+                                type: boolean
+                              clusterIdentifier:
+                                description: The unique identifier for the cluster
+                                  to resize.
+                                type: string
+                              clusterType:
+                                description: The new cluster type for the specified
+                                  cluster.
+                                type: string
+                              nodeType:
+                                description: The new node type for the nodes you are
+                                  adding.
+                                type: string
+                              numberOfNodes:
+                                description: The new number of nodes for the cluster.
+                                type: number
+                            type: object
+                          type: array
+                        resumeCluster:
+                          description: An action that runs a ResumeCluster API operation.
+                            Documented below.
+                          items:
+                            properties:
+                              clusterIdentifier:
+                                description: The identifier of the cluster to be resumed.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/redshift.aws.upbound.io_snapshotcopygrants.yaml b/package/crds/redshift.aws.upbound.io_snapshotcopygrants.yaml
index 4155352219..b7e1b3c7e8 100644
--- a/package/crds/redshift.aws.upbound.io_snapshotcopygrants.yaml
+++ b/package/crds/redshift.aws.upbound.io_snapshotcopygrants.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,8 +163,22 @@ spec:
                     type: object
                 required:
                 - region
-                - snapshotCopyGrantName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -332,6 +350,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: snapshotCopyGrantName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.snapshotCopyGrantName)
           status:
             description: SnapshotCopyGrantStatus defines the observed state of SnapshotCopyGrant.
             properties:
@@ -342,6 +363,21 @@ spec:
                     type: string
                   id:
                     type: string
+                  kmsKeyId:
+                    description: The unique identifier for the customer master key
+                      (CMK) that the grant applies to. Specify the key ID or the Amazon
+                      Resource Name (ARN) of the CMK. To specify a CMK in a different
+                      AWS account, you must use the key ARN. If not specified, the
+                      default key is used.
+                    type: string
+                  snapshotCopyGrantName:
+                    description: A friendly name for identifying the grant.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_snapshotscheduleassociations.yaml b/package/crds/redshift.aws.upbound.io_snapshotscheduleassociations.yaml
index 9c1c96f119..74a81324b7 100644
--- a/package/crds/redshift.aws.upbound.io_snapshotscheduleassociations.yaml
+++ b/package/crds/redshift.aws.upbound.io_snapshotscheduleassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -226,6 +230,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -403,8 +422,14 @@ spec:
             properties:
               atProvider:
                 properties:
+                  clusterIdentifier:
+                    description: The cluster identifier.
+                    type: string
                   id:
                     type: string
+                  scheduleIdentifier:
+                    description: The snapshot schedule identifier.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/redshift.aws.upbound.io_snapshotschedules.yaml b/package/crds/redshift.aws.upbound.io_snapshotschedules.yaml
index f36dc6536e..b825853a4e 100644
--- a/package/crds/redshift.aws.upbound.io_snapshotschedules.yaml
+++ b/package/crds/redshift.aws.upbound.io_snapshotschedules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -89,9 +93,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - definitions
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -263,6 +281,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: definitions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definitions)
           status:
             description: SnapshotScheduleStatus defines the observed state of SnapshotSchedule.
             properties:
@@ -272,8 +293,28 @@ spec:
                     description: Amazon Resource Name (ARN) of the Redshift Snapshot
                       Schedule.
                     type: string
+                  definitions:
+                    description: The definition of the snapshot schedule. The definition
+                      is made up of schedule expressions, for example cron(30 12 *)
+                      or rate(12 hours).
+                    items:
+                      type: string
+                    type: array
+                  description:
+                    description: The description of the snapshot schedule.
+                    type: string
+                  forceDestroy:
+                    description: Whether to destroy all associated clusters with this
+                      snapshot schedule on deletion. Must be enabled and applied before
+                      attempting deletion.
+                    type: boolean
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_subnetgroups.yaml b/package/crds/redshift.aws.upbound.io_subnetgroups.yaml
index c60f3fdd5c..18790aeabb 100644
--- a/package/crds/redshift.aws.upbound.io_subnetgroups.yaml
+++ b/package/crds/redshift.aws.upbound.io_subnetgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,6 +165,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,9 +360,22 @@ spec:
                     description: Amazon Resource Name (ARN) of the Redshift Subnet
                       group name
                     type: string
+                  description:
+                    description: The description of the Redshift Subnet group.
+                    type: string
                   id:
                     description: The Redshift Subnet group ID.
                     type: string
+                  subnetIds:
+                    description: An array of VPC subnet IDs.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/redshift.aws.upbound.io_usagelimits.yaml b/package/crds/redshift.aws.upbound.io_usagelimits.yaml
index 7a125751ff..0659ed8b7c 100644
--- a/package/crds/redshift.aws.upbound.io_usagelimits.yaml
+++ b/package/crds/redshift.aws.upbound.io_usagelimits.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -178,11 +182,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - amount
-                - featureType
-                - limitType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -354,18 +370,61 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: amount is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.amount)
+            - message: featureType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureType)
+            - message: limitType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.limitType)
           status:
             description: UsageLimitStatus defines the observed state of UsageLimit.
             properties:
               atProvider:
                 properties:
+                  amount:
+                    description: The limit amount. If time-based, this amount is in
+                      minutes. If data-based, this amount is in terabytes (TB). The
+                      value must be a positive number.
+                    type: number
                   arn:
                     description: Amazon Resource Name (ARN) of the Redshift Usage
                       Limit.
                     type: string
+                  breachAction:
+                    description: The action that Amazon Redshift takes when the limit
+                      is reached. The default is log. Valid values are log, emit-metric,
+                      and disable.
+                    type: string
+                  clusterIdentifier:
+                    description: The identifier of the cluster that you want to limit
+                      usage.
+                    type: string
+                  featureType:
+                    description: The Amazon Redshift feature that you want to limit.
+                      Valid values are spectrum, concurrency-scaling, and cross-region-datasharing.
+                    type: string
                   id:
                     description: The Redshift Usage Limit ID.
                     type: string
+                  limitType:
+                    description: The type of limit. Depending on the feature type,
+                      this can be based on a time duration or data size. If FeatureType
+                      is spectrum, then LimitType must be data-scanned. If FeatureType
+                      is concurrency-scaling, then LimitType must be time. If FeatureType
+                      is cross-region-datasharing, then LimitType must be data-scanned.
+                      Valid values are data-scanned, and time.
+                    type: string
+                  period:
+                    description: The time period that the amount applies to. A weekly
+                      period begins on Sunday. The default is monthly. Valid values
+                      are daily, weekly, and monthly.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/resourcegroups.aws.upbound.io_groups.yaml b/package/crds/resourcegroups.aws.upbound.io_groups.yaml
index 07f560ac6a..4e8b86db96 100644
--- a/package/crds/resourcegroups.aws.upbound.io_groups.yaml
+++ b/package/crds/resourcegroups.aws.upbound.io_groups.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -126,6 +130,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -305,8 +324,57 @@ spec:
                   arn:
                     description: The ARN assigned by AWS for this resource group.
                     type: string
+                  configuration:
+                    description: A configuration associates the resource group with
+                      an AWS service and specifies how the service can interact with
+                      the resources in the group. See below for details.
+                    items:
+                      properties:
+                        parameters:
+                          description: A collection of parameters for this group configuration
+                            item. See below for details.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the group configuration parameter.
+                                type: string
+                              values:
+                                description: The value or values to be used for the
+                                  specified parameter.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        type:
+                          description: Specifies the type of group configuration item.
+                          type: string
+                      type: object
+                    type: array
+                  description:
+                    description: A description of the resource group.
+                    type: string
                   id:
                     type: string
+                  resourceQuery:
+                    description: A resource_query block. Resource queries are documented
+                      below.
+                    items:
+                      properties:
+                        query:
+                          description: The resource query as a JSON string.
+                          type: string
+                        type:
+                          description: The type of the resource query. Defaults to
+                            TAG_FILTERS_1_0.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rolesanywhere.aws.upbound.io_profiles.yaml b/package/crds/rolesanywhere.aws.upbound.io_profiles.yaml
index 428cf21260..404b9ff2d8 100644
--- a/package/crds/rolesanywhere.aws.upbound.io_profiles.yaml
+++ b/package/crds/rolesanywhere.aws.upbound.io_profiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -179,9 +183,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -353,6 +371,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ProfileStatus defines the observed state of Profile.
             properties:
@@ -361,9 +382,43 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the Profile
                     type: string
+                  durationSeconds:
+                    description: The number of seconds the vended session credentials
+                      are valid for. Defaults to 3600.
+                    type: number
+                  enabled:
+                    description: Whether or not the Profile is enabled.
+                    type: boolean
                   id:
                     description: The Profile ID.
                     type: string
+                  managedPolicyArns:
+                    description: A list of managed policy ARNs that apply to the vended
+                      session credentials.
+                    items:
+                      type: string
+                    type: array
+                  name:
+                    description: The name of the Profile.
+                    type: string
+                  requireInstanceProperties:
+                    description: Specifies whether instance properties are required
+                      in CreateSession requests with this profile.
+                    type: boolean
+                  roleArns:
+                    description: A list of IAM roles that this profile can assume
+                    items:
+                      type: string
+                    type: array
+                  sessionPolicy:
+                    description: A session policy that applies to the trust boundary
+                      of the vended session credentials.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/route53.aws.upbound.io_delegationsets.yaml b/package/crds/route53.aws.upbound.io_delegationsets.yaml
index d8166d1405..796aca0cb1 100644
--- a/package/crds/route53.aws.upbound.io_delegationsets.yaml
+++ b/package/crds/route53.aws.upbound.io_delegationsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -75,6 +79,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -264,6 +283,10 @@ spec:
                     items:
                       type: string
                     type: array
+                  referenceName:
+                    description: This is a reference name used in Caller Reference
+                      (helpful for identifying single delegation set amongst others)
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53.aws.upbound.io_healthchecks.yaml b/package/crds/route53.aws.upbound.io_healthchecks.yaml
index fdc6e1ee90..6f4d9ae6f5 100644
--- a/package/crds/route53.aws.upbound.io_healthchecks.yaml
+++ b/package/crds/route53.aws.upbound.io_healthchecks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -246,8 +250,22 @@ spec:
                     type: string
                 required:
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -419,6 +437,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: HealthCheckStatus defines the observed state of HealthCheck.
             properties:
@@ -427,9 +448,105 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Health Check.
                     type: string
+                  childHealthThreshold:
+                    description: The minimum number of child health checks that must
+                      be healthy for Route 53 to consider the parent health check
+                      to be healthy. Valid values are integers between 0 and 256,
+                      inclusive
+                    type: number
+                  childHealthchecks:
+                    description: For a specified parent health check, a list of HealthCheckId
+                      values for the associated child health checks.
+                    items:
+                      type: string
+                    type: array
+                  cloudwatchAlarmName:
+                    description: The name of the CloudWatch alarm.
+                    type: string
+                  cloudwatchAlarmRegion:
+                    description: The CloudWatchRegion that the CloudWatch alarm was
+                      created in.
+                    type: string
+                  disabled:
+                    description: 'A boolean value that stops Route 53 from performing
+                      health checks. When set to true, Route 53 will do the following
+                      depending on the type of health check:'
+                    type: boolean
+                  enableSni:
+                    description: 'A boolean value that indicates whether Route53 should
+                      send the fqdn to the endpoint when performing the health check.
+                      This defaults to AWS'' defaults: when the type is "HTTPS" enable_sni
+                      defaults to true, when type is anything else enable_sni defaults
+                      to false.'
+                    type: boolean
+                  failureThreshold:
+                    description: The number of consecutive health checks that an endpoint
+                      must pass or fail.
+                    type: number
+                  fqdn:
+                    description: The fully qualified domain name of the endpoint to
+                      be checked.
+                    type: string
                   id:
                     description: The id of the health check
                     type: string
+                  insufficientDataHealthStatus:
+                    description: The status of the health check when CloudWatch has
+                      insufficient data about the state of associated alarm. Valid
+                      values are Healthy , Unhealthy and LastKnownStatus.
+                    type: string
+                  invertHealthcheck:
+                    description: A boolean value that indicates whether the status
+                      of health check should be inverted. For example, if a health
+                      check is healthy but Inverted is True , then Route 53 considers
+                      the health check to be unhealthy.
+                    type: boolean
+                  ipAddress:
+                    description: The IP address of the endpoint to be checked.
+                    type: string
+                  measureLatency:
+                    description: A Boolean value that indicates whether you want Route
+                      53 to measure the latency between health checkers in multiple
+                      AWS regions and your endpoint and to display CloudWatch latency
+                      graphs in the Route 53 console.
+                    type: boolean
+                  port:
+                    description: The port of the endpoint to be checked.
+                    type: number
+                  referenceName:
+                    description: This is a reference name used in Caller Reference
+                      (helpful for identifying single health_check set amongst others)
+                    type: string
+                  regions:
+                    description: A list of AWS regions that you want Amazon Route
+                      53 health checkers to check the specified endpoint from.
+                    items:
+                      type: string
+                    type: array
+                  requestInterval:
+                    description: The number of seconds between the time that Amazon
+                      Route 53 gets a response from your endpoint and the time that
+                      it sends the next health-check request.
+                    type: number
+                  resourcePath:
+                    description: The path that you want Amazon Route 53 to request
+                      when performing health checks.
+                    type: string
+                  routingControlArn:
+                    description: The Amazon Resource Name (ARN) for the Route 53 Application
+                      Recovery Controller routing control. This is used when health
+                      check type is RECOVERY_CONTROL
+                    type: string
+                  searchString:
+                    description: String searched in the first 5120 bytes of the response
+                      body for check to be considered healthy. Only valid with HTTP_STR_MATCH
+                      and HTTPS_STR_MATCH.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -437,6 +554,11 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: The protocol to use when performing health checks.
+                      Valid values are HTTP, HTTPS, HTTP_STR_MATCH, HTTPS_STR_MATCH,
+                      TCP, CALCULATED, CLOUDWATCH_METRIC and RECOVERY_CONTROL.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53.aws.upbound.io_hostedzonednssecs.yaml b/package/crds/route53.aws.upbound.io_hostedzonednssecs.yaml
index abd9d210d3..eb6bcde21d 100644
--- a/package/crds/route53.aws.upbound.io_hostedzonednssecs.yaml
+++ b/package/crds/route53.aws.upbound.io_hostedzonednssecs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,6 +155,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,9 +346,16 @@ spec:
             properties:
               atProvider:
                 properties:
+                  hostedZoneId:
+                    description: Identifier of the Route 53 Hosted Zone.
+                    type: string
                   id:
                     description: Route 53 Hosted Zone identifier.
                     type: string
+                  signingStatus:
+                    description: 'Hosted Zone signing status. Valid values: SIGNING,
+                      NOT_SIGNING. Defaults to SIGNING.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53.aws.upbound.io_records.yaml b/package/crds/route53.aws.upbound.io_records.yaml
index e47fa43d4a..f2d4f0a0b7 100644
--- a/package/crds/route53.aws.upbound.io_records.yaml
+++ b/package/crds/route53.aws.upbound.io_records.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -361,10 +365,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -536,16 +553,152 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: RecordStatus defines the observed state of Record.
             properties:
               atProvider:
                 properties:
+                  alias:
+                    description: An alias block. Conflicts with ttl & records. Documented
+                      below.
+                    items:
+                      properties:
+                        evaluateTargetHealth:
+                          description: Set to true if you want Route 53 to determine
+                            whether to respond to DNS queries using this resource
+                            record set by checking the health of the resource record
+                            set. Some resources have special requirements, see related
+                            part of documentation.
+                          type: boolean
+                        name:
+                          description: The name of the record.
+                          type: string
+                        zoneId:
+                          description: The ID of the hosted zone to contain this record.
+                          type: string
+                      type: object
+                    type: array
+                  allowOverwrite:
+                    description: false by default. This configuration is not recommended
+                      for most environments.
+                    type: boolean
+                  cidrRoutingPolicy:
+                    description: A block indicating a routing policy based on the
+                      IP network ranges of requestors. Conflicts with any other routing
+                      policy. Documented below.
+                    items:
+                      properties:
+                        collectionId:
+                          description: The CIDR collection ID. See the aws_route53_cidr_collection
+                            resource for more details.
+                          type: string
+                        locationName:
+                          description: The CIDR collection location name. See the
+                            aws_route53_cidr_location resource for more details. A
+                            location_name with an asterisk "*" can be used to create
+                            a default CIDR record. collection_id is still required
+                            for default record.
+                          type: string
+                      type: object
+                    type: array
+                  failoverRoutingPolicy:
+                    description: A block indicating the routing behavior when associated
+                      health check fails. Conflicts with any other routing policy.
+                      Documented below.
+                    items:
+                      properties:
+                        type:
+                          description: The record type. Valid values are A, AAAA,
+                            CAA, CNAME, DS, MX, NAPTR, NS, PTR, SOA, SPF, SRV and
+                            TXT.
+                          type: string
+                      type: object
+                    type: array
                   fqdn:
                     description: FQDN built using the zone domain and name.
                     type: string
+                  geolocationRoutingPolicy:
+                    description: A block indicating a routing policy based on the
+                      geolocation of the requestor. Conflicts with any other routing
+                      policy. Documented below.
+                    items:
+                      properties:
+                        continent:
+                          description: A two-letter continent code. See http://docs.aws.amazon.com/Route53/latest/APIReference/API_GetGeoLocation.html
+                            for code details. Either continent or country must be
+                            specified.
+                          type: string
+                        country:
+                          description: A two-character country code or * to indicate
+                            a default resource record set.
+                          type: string
+                        subdivision:
+                          description: A subdivision code for a country.
+                          type: string
+                      type: object
+                    type: array
+                  healthCheckId:
+                    description: The health check the record should be associated
+                      with.
+                    type: string
                   id:
                     type: string
+                  latencyRoutingPolicy:
+                    description: A block indicating a routing policy based on the
+                      latency between the requestor and an AWS region. Conflicts with
+                      any other routing policy. Documented below.
+                    items:
+                      properties:
+                        region:
+                          description: An AWS region from which to measure latency.
+                            See http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-latency
+                          type: string
+                      type: object
+                    type: array
+                  multivalueAnswerRoutingPolicy:
+                    description: Set to true to indicate a multivalue answer routing
+                      policy. Conflicts with any other routing policy.
+                    type: boolean
+                  name:
+                    description: The name of the record.
+                    type: string
+                  records:
+                    description: A string list of records.g., "first255characters\"\"morecharacters").
+                    items:
+                      type: string
+                    type: array
+                  setIdentifier:
+                    description: Unique identifier to differentiate records with routing
+                      policies from one another. Required if using cidr_routing_policy,
+                      failover_routing_policy, geolocation_routing_policy, latency_routing_policy,
+                      multivalue_answer_routing_policy, or weighted_routing_policy.
+                    type: string
+                  ttl:
+                    description: The TTL of the record.
+                    type: number
+                  type:
+                    description: The record type. Valid values are A, AAAA, CAA, CNAME,
+                      DS, MX, NAPTR, NS, PTR, SOA, SPF, SRV and TXT.
+                    type: string
+                  weightedRoutingPolicy:
+                    description: A block indicating a weighted routing policy. Conflicts
+                      with any other routing policy. Documented below.
+                    items:
+                      properties:
+                        weight:
+                          description: A numeric value indicating the relative weight
+                            of the record. See http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html#routing-policy-weighted.
+                          type: number
+                      type: object
+                    type: array
+                  zoneId:
+                    description: The ID of the hosted zone to contain this record.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53.aws.upbound.io_resolverconfigs.yaml b/package/crds/route53.aws.upbound.io_resolverconfigs.yaml
index ff336c13d3..57385d7f26 100644
--- a/package/crds/route53.aws.upbound.io_resolverconfigs.yaml
+++ b/package/crds/route53.aws.upbound.io_resolverconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - autodefinedReverseFlag
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,11 +342,19 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: autodefinedReverseFlag is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.autodefinedReverseFlag)
           status:
             description: ResolverConfigStatus defines the observed state of ResolverConfig.
             properties:
               atProvider:
                 properties:
+                  autodefinedReverseFlag:
+                    description: 'Indicates whether or not the Resolver will create
+                      autodefined rules for reverse DNS lookups. Valid values: ENABLE,
+                      DISABLE.'
+                    type: string
                   id:
                     description: The ID of the resolver configuration.
                     type: string
@@ -336,6 +362,9 @@ spec:
                     description: The AWS account ID of the owner of the VPC that this
                       resolver configuration applies to.
                     type: string
+                  resourceId:
+                    description: The ID of the VPC that the configuration is for.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53.aws.upbound.io_trafficpolicies.yaml b/package/crds/route53.aws.upbound.io_trafficpolicies.yaml
index 95930d6be0..24ceaf7c61 100644
--- a/package/crds/route53.aws.upbound.io_trafficpolicies.yaml
+++ b/package/crds/route53.aws.upbound.io_trafficpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,10 +84,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - document
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -255,14 +272,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: document is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.document)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: TrafficPolicyStatus defines the observed state of TrafficPolicy.
             properties:
               atProvider:
                 properties:
+                  comment:
+                    description: Comment for the traffic policy.
+                    type: string
+                  document:
+                    description: Policy document. This is a JSON formatted string.
+                      For more information about building Route53 traffic policy documents,
+                      see the AWS Route53 Traffic Policy document format
+                    type: string
                   id:
                     description: ID of the traffic policy
                     type: string
+                  name:
+                    description: Name of the traffic policy.
+                    type: string
                   type:
                     description: DNS type of the resource record sets that Amazon
                       Route 53 creates when you use a traffic policy to create a traffic
diff --git a/package/crds/route53.aws.upbound.io_trafficpolicyinstances.yaml b/package/crds/route53.aws.upbound.io_trafficpolicyinstances.yaml
index 9c40597613..867cc58e32 100644
--- a/package/crds/route53.aws.upbound.io_trafficpolicyinstances.yaml
+++ b/package/crds/route53.aws.upbound.io_trafficpolicyinstances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -237,11 +241,23 @@ spec:
                       zone.
                     type: number
                 required:
-                - name
                 - region
-                - trafficPolicyVersion
-                - ttl
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -413,15 +429,44 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: trafficPolicyVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.trafficPolicyVersion)
+            - message: ttl is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ttl)
           status:
             description: TrafficPolicyInstanceStatus defines the observed state of
               TrafficPolicyInstance.
             properties:
               atProvider:
                 properties:
+                  hostedZoneId:
+                    description: ID of the hosted zone that you want Amazon Route
+                      53 to create resource record sets in by using the configuration
+                      in a traffic policy.
+                    type: string
                   id:
                     description: ID of traffic policy instance.
                     type: string
+                  name:
+                    description: Domain name for which Amazon Route 53 responds to
+                      DNS queries by using the resource record sets that Route 53
+                      creates for this traffic policy instance.
+                    type: string
+                  trafficPolicyId:
+                    description: ID of the traffic policy that you want to use to
+                      create resource record sets in the specified hosted zone.
+                    type: string
+                  trafficPolicyVersion:
+                    description: Version of the traffic policy
+                    type: number
+                  ttl:
+                    description: TTL that you want Amazon Route 53 to assign to all
+                      the resource record sets that it creates in the specified hosted
+                      zone.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53.aws.upbound.io_vpcassociationauthorizations.yaml b/package/crds/route53.aws.upbound.io_vpcassociationauthorizations.yaml
index 5e3ffd3627..8f5bf6e3f9 100644
--- a/package/crds/route53.aws.upbound.io_vpcassociationauthorizations.yaml
+++ b/package/crds/route53.aws.upbound.io_vpcassociationauthorizations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -231,6 +235,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -411,6 +430,18 @@ spec:
                   id:
                     description: The calculated unique identifier for the association.
                     type: string
+                  vpcId:
+                    description: The VPC to authorize for association with the private
+                      hosted zone.
+                    type: string
+                  vpcRegion:
+                    description: The VPC's region. Defaults to the region of the AWS
+                      provider.
+                    type: string
+                  zoneId:
+                    description: The ID of the private hosted zone that you want to
+                      authorize associating a VPC with.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53.aws.upbound.io_zones.yaml b/package/crds/route53.aws.upbound.io_zones.yaml
index ccb83c2b39..a91d1b78b3 100644
--- a/package/crds/route53.aws.upbound.io_zones.yaml
+++ b/package/crds/route53.aws.upbound.io_zones.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -252,9 +256,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -426,6 +444,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ZoneStatus defines the observed state of Zone.
             properties:
@@ -434,8 +455,21 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the Hosted Zone.
                     type: string
+                  comment:
+                    description: A comment for the hosted zone.
+                    type: string
+                  delegationSetId:
+                    description: The ID of the reusable delegation set whose NS records
+                      you want to assign to the hosted zone. Conflicts with vpc as
+                      delegation sets can only be used for public zones.
+                    type: string
+                  forceDestroy:
+                    type: boolean
                   id:
                     type: string
+                  name:
+                    description: This is the name of the hosted zone.
+                    type: string
                   nameServers:
                     description: A list of name servers in associated (or default)
                       delegation set. Find more about delegation sets in AWS docs.
@@ -445,6 +479,11 @@ spec:
                   primaryNameServer:
                     description: The Route 53 name server that created the SOA record.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -452,6 +491,22 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpc:
+                    description: Configuration block(s) specifying VPC(s) to associate
+                      with a private hosted zone. Conflicts with the delegation_set_id
+                      argument in this resource and any aws_route53_zone_association
+                      resource specifying the same zone ID. Detailed below.
+                    items:
+                      properties:
+                        vpcId:
+                          description: ID of the VPC to associate.
+                          type: string
+                        vpcRegion:
+                          description: Region of the VPC to associate. Defaults to
+                            AWS provider region.
+                          type: string
+                      type: object
+                    type: array
                   zoneId:
                     description: The Hosted Zone ID. This can be referenced by zone
                       records.
diff --git a/package/crds/route53recoverycontrolconfig.aws.upbound.io_clusters.yaml b/package/crds/route53recoverycontrolconfig.aws.upbound.io_clusters.yaml
index a69c780e99..eacbf4b300 100644
--- a/package/crds/route53recoverycontrolconfig.aws.upbound.io_clusters.yaml
+++ b/package/crds/route53recoverycontrolconfig.aws.upbound.io_clusters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       like your resource to be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ClusterStatus defines the observed state of Cluster.
             properties:
@@ -269,6 +290,9 @@ spec:
                     type: array
                   id:
                     type: string
+                  name:
+                    description: Unique name describing the cluster.
+                    type: string
                   status:
                     description: Status of cluster. PENDING when it is being created,
                       PENDING_DELETION when it is being deleted and DEPLOYED otherwise.
diff --git a/package/crds/route53recoverycontrolconfig.aws.upbound.io_controlpanels.yaml b/package/crds/route53recoverycontrolconfig.aws.upbound.io_controlpanels.yaml
index af4029e624..52d0b27cad 100644
--- a/package/crds/route53recoverycontrolconfig.aws.upbound.io_controlpanels.yaml
+++ b/package/crds/route53recoverycontrolconfig.aws.upbound.io_controlpanels.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,9 +155,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,6 +343,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ControlPanelStatus defines the observed state of ControlPanel.
             properties:
@@ -333,11 +354,18 @@ spec:
                   arn:
                     description: ARN of the control panel.
                     type: string
+                  clusterArn:
+                    description: ARN of the cluster in which this control panel will
+                      reside.
+                    type: string
                   defaultControlPanel:
                     description: Whether a control panel is default.
                     type: boolean
                   id:
                     type: string
+                  name:
+                    description: Name describing the control panel.
+                    type: string
                   routingControlCount:
                     description: Number routing controls in a control panel.
                     type: number
diff --git a/package/crds/route53recoverycontrolconfig.aws.upbound.io_routingcontrols.yaml b/package/crds/route53recoverycontrolconfig.aws.upbound.io_routingcontrols.yaml
index 29fa1d3ee6..d9ae197067 100644
--- a/package/crds/route53recoverycontrolconfig.aws.upbound.io_routingcontrols.yaml
+++ b/package/crds/route53recoverycontrolconfig.aws.upbound.io_routingcontrols.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -230,9 +234,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -404,6 +422,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RoutingControlStatus defines the observed state of RoutingControl.
             properties:
@@ -412,8 +433,19 @@ spec:
                   arn:
                     description: ARN of the routing control.
                     type: string
+                  clusterArn:
+                    description: ARN of the cluster in which this routing control
+                      will reside.
+                    type: string
+                  controlPanelArn:
+                    description: ARN of the control panel in which this routing control
+                      will reside.
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: The name describing the routing control.
+                    type: string
                   status:
                     description: Status of routing control. PENDING when it is being
                       created/updated, PENDING_DELETION when it is being deleted,
diff --git a/package/crds/route53recoverycontrolconfig.aws.upbound.io_safetyrules.yaml b/package/crds/route53recoverycontrolconfig.aws.upbound.io_safetyrules.yaml
index 0b1fb56dc7..8a269b3cbc 100644
--- a/package/crds/route53recoverycontrolconfig.aws.upbound.io_safetyrules.yaml
+++ b/package/crds/route53recoverycontrolconfig.aws.upbound.io_safetyrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -276,11 +280,23 @@ spec:
                       any request against the target routing controls will fail.
                     type: number
                 required:
-                - name
                 - region
-                - ruleConfig
-                - waitPeriodMs
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -452,6 +468,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: ruleConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleConfig)
+            - message: waitPeriodMs is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.waitPeriodMs)
           status:
             description: SafetyRuleStatus defines the observed state of SafetyRule.
             properties:
@@ -460,13 +483,63 @@ spec:
                   arn:
                     description: ARN of the safety rule.
                     type: string
+                  assertedControls:
+                    description: Routing controls that are part of transactions that
+                      are evaluated to determine if a request to change a routing
+                      control state is allowed.
+                    items:
+                      type: string
+                    type: array
+                  controlPanelArn:
+                    description: ARN of the control panel in which this safety rule
+                      will reside.
+                    type: string
+                  gatingControls:
+                    description: Gating controls for the new gating rule. That is,
+                      routing controls that are evaluated by the rule configuration
+                      that you specify.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: Name describing the safety rule.
+                    type: string
+                  ruleConfig:
+                    description: Configuration block for safety rule criteria. See
+                      below.
+                    items:
+                      properties:
+                        inverted:
+                          description: Logical negation of the rule.
+                          type: boolean
+                        threshold:
+                          description: Number of controls that must be set when you
+                            specify an ATLEAST type rule.
+                          type: number
+                        type:
+                          description: Rule type. Valid values are ATLEAST, AND, and
+                            OR.
+                          type: string
+                      type: object
+                    type: array
                   status:
                     description: Status of the safety rule. PENDING when it is being
                       created/updated, PENDING_DELETION when it is being deleted,
                       and DEPLOYED otherwise.
                     type: string
+                  targetControls:
+                    description: Routing controls that can only be set or unset if
+                      the specified rule_config evaluates to true for the specified
+                      gating_controls.
+                    items:
+                      type: string
+                    type: array
+                  waitPeriodMs:
+                    description: Evaluation period, in milliseconds (ms), during which
+                      any request against the target routing controls will fail.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53recoveryreadiness.aws.upbound.io_cells.yaml b/package/crds/route53recoveryreadiness.aws.upbound.io_cells.yaml
index b6f0dfda2f..db7d1d626c 100644
--- a/package/crds/route53recoveryreadiness.aws.upbound.io_cells.yaml
+++ b/package/crds/route53recoveryreadiness.aws.upbound.io_cells.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,6 +86,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -261,6 +280,12 @@ spec:
                   arn:
                     description: ARN of the cell
                     type: string
+                  cells:
+                    description: List of cell arns to add as nested fault domains
+                      within this cell.
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
                   parentReadinessScopes:
@@ -269,6 +294,11 @@ spec:
                     items:
                       type: string
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/route53recoveryreadiness.aws.upbound.io_readinesschecks.yaml b/package/crds/route53recoveryreadiness.aws.upbound.io_readinesschecks.yaml
index 03159ce343..621e1e070c 100644
--- a/package/crds/route53recoveryreadiness.aws.upbound.io_readinesschecks.yaml
+++ b/package/crds/route53recoveryreadiness.aws.upbound.io_readinesschecks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,8 +83,22 @@ spec:
                     type: object
                 required:
                 - region
-                - resourceSetName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,6 +270,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: resourceSetName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceSetName)
           status:
             description: ReadinessCheckStatus defines the observed state of ReadinessCheck.
             properties:
@@ -262,6 +283,15 @@ spec:
                     type: string
                   id:
                     type: string
+                  resourceSetName:
+                    description: Name describing the resource set that will be monitored
+                      for readiness.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/route53recoveryreadiness.aws.upbound.io_recoverygroups.yaml b/package/crds/route53recoveryreadiness.aws.upbound.io_recoverygroups.yaml
index d15a596c76..fdbc2b6d25 100644
--- a/package/crds/route53recoveryreadiness.aws.upbound.io_recoverygroups.yaml
+++ b/package/crds/route53recoveryreadiness.aws.upbound.io_recoverygroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,6 +86,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -261,8 +280,19 @@ spec:
                   arn:
                     description: ARN of the recovery group
                     type: string
+                  cells:
+                    description: List of cell arns to add as nested fault domains
+                      within this recovery group
+                    items:
+                      type: string
+                    type: array
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/route53recoveryreadiness.aws.upbound.io_resourcesets.yaml b/package/crds/route53recoveryreadiness.aws.upbound.io_resourcesets.yaml
index ae0a55d759..0b50151173 100644
--- a/package/crds/route53recoveryreadiness.aws.upbound.io_resourcesets.yaml
+++ b/package/crds/route53recoveryreadiness.aws.upbound.io_resourcesets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,9 +232,22 @@ spec:
                     type: object
                 required:
                 - region
-                - resourceSetType
-                - resources
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -402,6 +419,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: resourceSetType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceSetType)
+            - message: resources is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resources)
           status:
             description: ResourceSetStatus defines the observed state of ResourceSet.
             properties:
@@ -412,6 +434,9 @@ spec:
                     type: string
                   id:
                     type: string
+                  resourceSetType:
+                    description: Type of the resources in the resource set.
+                    type: string
                   resources:
                     description: List of resources to add to this resource set. See
                       below.
@@ -421,8 +446,76 @@ spec:
                           description: Unique identified for DNS Target Resources,
                             use for readiness checks.
                           type: string
+                        dnsTargetResource:
+                          description: Component for DNS/Routing Control Readiness
+                            Checks.
+                          items:
+                            properties:
+                              domainName:
+                                description: DNS Name that acts as the ingress point
+                                  to a portion of application.
+                                type: string
+                              hostedZoneArn:
+                                description: Hosted Zone ARN that contains the DNS
+                                  record with the provided name of target resource.
+                                type: string
+                              recordSetId:
+                                description: Route53 record set id to uniquely identify
+                                  a record given a domain_name and a record_type.
+                                type: string
+                              recordType:
+                                description: Type of DNS Record of target resource.
+                                type: string
+                              targetResource:
+                                description: Target resource the R53 record specified
+                                  with the above params points to.
+                                items:
+                                  properties:
+                                    nlbResource:
+                                      description: NLB resource a DNS Target Resource
+                                        points to. Required if r53_resource is not
+                                        set.
+                                      items:
+                                        properties:
+                                          arn:
+                                            description: NLB resource ARN.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    r53Resource:
+                                      description: Route53 resource a DNS Target Resource
+                                        record points to.
+                                      items:
+                                        properties:
+                                          domainName:
+                                            description: Domain name that is targeted.
+                                            type: string
+                                          recordSetId:
+                                            description: Resource record set ID that
+                                              is targeted.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        readinessScopes:
+                          description: Recovery group ARN or cell ARN that contains
+                            this resource set.
+                          items:
+                            type: string
+                          type: array
+                        resourceArn:
+                          description: ARN of the resource.
+                          type: string
                       type: object
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/route53resolver.aws.upbound.io_endpoints.yaml b/package/crds/route53resolver.aws.upbound.io_endpoints.yaml
index ad416a22a4..d5d84f8d86 100644
--- a/package/crds/route53resolver.aws.upbound.io_endpoints.yaml
+++ b/package/crds/route53resolver.aws.upbound.io_endpoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -259,10 +263,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - direction
-                - ipAddress
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -434,6 +451,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: direction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.direction)
+            - message: ipAddress is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ipAddress)
           status:
             description: EndpointStatus defines the observed state of Endpoint.
             properties:
@@ -442,6 +464,13 @@ spec:
                   arn:
                     description: The ARN of the Route 53 Resolver endpoint.
                     type: string
+                  direction:
+                    description: The direction of DNS queries to or from the Route
+                      53 Resolver endpoint. Valid values are INBOUND (resolver forwards
+                      DNS queries to the DNS service for a VPC from your network or
+                      another VPC) or OUTBOUND (resolver forwards DNS queries from
+                      the DNS service for a VPC to your network or another VPC).
+                    type: string
                   hostVpcId:
                     description: The ID of the VPC that you want to create the resolver
                       endpoint in.
@@ -456,11 +485,32 @@ spec:
                       network to your VPCs (for inbound endpoints). Described below.
                     items:
                       properties:
+                        ip:
+                          description: The IP address in the subnet that you want
+                            to use for DNS queries.
+                          type: string
                         ipId:
                           description: The ID of the Route 53 Resolver endpoint.
                           type: string
+                        subnetId:
+                          description: The ID of the subnet that contains the IP address.
+                          type: string
                       type: object
                     type: array
+                  name:
+                    description: The friendly name of the Route 53 Resolver endpoint.
+                    type: string
+                  securityGroupIds:
+                    description: The ID of one or more security groups that you want
+                      to use to control access to this VPC.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/route53resolver.aws.upbound.io_ruleassociations.yaml b/package/crds/route53resolver.aws.upbound.io_ruleassociations.yaml
index e40d1f4dad..43f4d18a90 100644
--- a/package/crds/route53resolver.aws.upbound.io_ruleassociations.yaml
+++ b/package/crds/route53resolver.aws.upbound.io_ruleassociations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -231,6 +235,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -410,6 +429,18 @@ spec:
                   id:
                     description: The ID of the resolver rule association.
                     type: string
+                  name:
+                    description: A name for the association that you're creating between
+                      a resolver rule and a VPC.
+                    type: string
+                  resolverRuleId:
+                    description: The ID of the resolver rule that you want to associate
+                      with the VPC.
+                    type: string
+                  vpcId:
+                    description: The ID of the VPC that you want to associate the
+                      resolver rule with.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/route53resolver.aws.upbound.io_rules.yaml b/package/crds/route53resolver.aws.upbound.io_rules.yaml
index ff0caf7052..bf143ad179 100644
--- a/package/crds/route53resolver.aws.upbound.io_rules.yaml
+++ b/package/crds/route53resolver.aws.upbound.io_rules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -185,10 +189,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - domainName
                 - region
-                - ruleType
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -360,6 +377,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domainName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)
+            - message: ruleType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleType)
           status:
             description: RuleStatus defines the observed state of Rule.
             properties:
@@ -368,19 +390,42 @@ spec:
                   arn:
                     description: The ARN (Amazon Resource Name) for the resolver rule.
                     type: string
+                  domainName:
+                    description: DNS queries for this domain name are forwarded to
+                      the IP addresses that are specified using target_ip.
+                    type: string
                   id:
                     description: The ID of the resolver rule.
                     type: string
+                  name:
+                    description: A friendly name that lets you easily find a rule
+                      in the Resolver dashboard in the Route 53 console.
+                    type: string
                   ownerId:
                     description: When a rule is shared with another AWS account, the
                       account ID of the account that the rule is shared with.
                     type: string
+                  resolverEndpointId:
+                    description: The ID of the outbound resolver endpoint that you
+                      want to use to route DNS queries to the IP addresses that you
+                      specify using target_ip. This argument should only be specified
+                      for FORWARD type rules.
+                    type: string
+                  ruleType:
+                    description: The rule type. Valid values are FORWARD, SYSTEM and
+                      RECURSIVE.
+                    type: string
                   shareStatus:
                     description: Whether the rules is shared and, if so, whether the
                       current account is sharing the rule with another account, or
                       another account is sharing the rule with the current account.
                       Values are NOT_SHARED, SHARED_BY_ME or SHARED_WITH_ME
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -388,6 +433,22 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetIp:
+                    description: Configuration block(s) indicating the IPs that you
+                      want Resolver to forward DNS queries to (documented below).
+                      This argument should only be specified for FORWARD type rules.
+                    items:
+                      properties:
+                        ip:
+                          description: One IP address that you want to forward DNS
+                            queries to. You can specify only IPv4 addresses.
+                          type: string
+                        port:
+                          description: The port at ip that you want to forward DNS
+                            queries to. Default value is 53
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/rum.aws.upbound.io_appmonitors.yaml b/package/crds/rum.aws.upbound.io_appmonitors.yaml
index b83da4ae26..6a36370297 100644
--- a/package/crds/rum.aws.upbound.io_appmonitors.yaml
+++ b/package/crds/rum.aws.upbound.io_appmonitors.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -163,9 +167,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - domain
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -337,11 +355,77 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domain is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domain)
           status:
             description: AppMonitorStatus defines the observed state of AppMonitor.
             properties:
               atProvider:
                 properties:
+                  appMonitorConfiguration:
+                    description: configuration data for the app monitor. See app_monitor_configuration
+                      below.
+                    items:
+                      properties:
+                        allowCookies:
+                          description: If you set this to true, RUM web client sets
+                            two cookies, a session cookie  and a user cookie. The
+                            cookies allow the RUM web client to collect data relating
+                            to the number of users an application has and the behavior
+                            of the application across a sequence of events. Cookies
+                            are stored in the top-level domain of the current page.
+                          type: boolean
+                        enableXray:
+                          description: If you set this to true, RUM enables X-Ray
+                            tracing for the user sessions  that RUM samples. RUM adds
+                            an X-Ray trace header to allowed HTTP requests. It also
+                            records an X-Ray segment for allowed HTTP requests.
+                          type: boolean
+                        excludedPages:
+                          description: A list of URLs in your website or application
+                            to exclude from RUM data collection.
+                          items:
+                            type: string
+                          type: array
+                        favoritePages:
+                          description: A list of pages in the CloudWatch RUM console
+                            that are to be displayed with a "favorite" icon.
+                          items:
+                            type: string
+                          type: array
+                        guestRoleArn:
+                          description: The ARN of the guest IAM role that is attached
+                            to the Amazon Cognito identity pool that is used to authorize
+                            the sending of data to RUM.
+                          type: string
+                        identityPoolId:
+                          description: The ID of the Amazon Cognito identity pool
+                            that is used to authorize the sending of data to RUM.
+                          type: string
+                        includedPages:
+                          description: If this app monitor is to collect data from
+                            only certain pages in your application, this structure
+                            lists those pages.
+                          items:
+                            type: string
+                          type: array
+                        sessionSampleRate:
+                          description: Specifies the percentage of user sessions to
+                            use for RUM data collection. Choosing a higher percentage
+                            gives you more data but also incurs more costs. The number
+                            you specify is the percentage of user sessions that will
+                            be used. Default value is 0.1.
+                          type: number
+                        telemetries:
+                          description: An array that lists the types of telemetry
+                            data that this app monitor is to collect. Valid values
+                            are errors, performance, and http.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   appMonitorId:
                     description: The unique ID of the app monitor. Useful for JS templates.
                     type: string
@@ -349,13 +433,44 @@ spec:
                     description: The Amazon Resource Name (ARN) specifying the app
                       monitor.
                     type: string
+                  customEvents:
+                    description: Specifies whether this app monitor allows the web
+                      client to define and send custom events. If you omit this parameter,
+                      custom events are DISABLED. See custom_events below.
+                    items:
+                      properties:
+                        status:
+                          description: Specifies whether this app monitor allows the
+                            web client to define and send custom events. The default
+                            is for custom events to be DISABLED. Valid values are
+                            DISABLED and ENABLED.
+                          type: string
+                      type: object
+                    type: array
+                  cwLogEnabled:
+                    description: Data collected by RUM is kept by RUM for 30 days
+                      and then deleted. This parameter  specifies whether RUM sends
+                      a copy of this telemetry data to Amazon CloudWatch Logs in your
+                      account. This enables you to keep the telemetry data for more
+                      than 30 days, but it does incur Amazon CloudWatch Logs charges.
+                      Default value is false.
+                    type: boolean
                   cwLogGroup:
                     description: The name of the log group where the copies are stored.
                     type: string
+                  domain:
+                    description: The top-level internet domain name for which your
+                      application has administrative authority.
+                    type: string
                   id:
                     description: The CloudWatch RUM name as it is the identifier of
                       a RUM.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/rum.aws.upbound.io_metricsdestinations.yaml b/package/crds/rum.aws.upbound.io_metricsdestinations.yaml
index 3fb97f1927..eab8f7852d 100644
--- a/package/crds/rum.aws.upbound.io_metricsdestinations.yaml
+++ b/package/crds/rum.aws.upbound.io_metricsdestinations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -235,9 +239,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - destination
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -409,11 +427,34 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)
           status:
             description: MetricsDestinationStatus defines the observed state of MetricsDestination.
             properties:
               atProvider:
                 properties:
+                  appMonitorName:
+                    description: The name of the CloudWatch RUM app monitor that will
+                      send the metrics.
+                    type: string
+                  destination:
+                    description: Defines the destination to send the metrics to. Valid
+                      values are CloudWatch and Evidently. If you specify Evidently,
+                      you must also specify the ARN of the CloudWatchEvidently experiment
+                      that is to be the destination and an IAM role that has permission
+                      to write to the experiment.
+                    type: string
+                  destinationArn:
+                    description: Use this parameter only if Destination is Evidently.
+                      This parameter specifies the ARN of the Evidently experiment
+                      that will receive the extended metrics.
+                    type: string
+                  iamRoleArn:
+                    description: This parameter is required if Destination is Evidently.
+                      If Destination is CloudWatch, do not use this parameter.
+                    type: string
                   id:
                     description: The name of the CloudWatch RUM app monitor that will
                       send the metrics.
diff --git a/package/crds/s3.aws.upbound.io_bucketaccelerateconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketaccelerateconfigurations.yaml
index 7c98b1a7cc..96c5862be3 100644
--- a/package/crds/s3.aws.upbound.io_bucketaccelerateconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketaccelerateconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -154,8 +158,22 @@ spec:
                     type: string
                 required:
                 - region
-                - status
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,16 +345,29 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: status is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.status)
           status:
             description: BucketAccelerateConfigurationStatus defines the observed
               state of BucketAccelerateConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
                     type: string
+                  status:
+                    description: 'Transfer acceleration state of the bucket. Valid
+                      values: Enabled, Suspended.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketacls.yaml b/package/crds/s3.aws.upbound.io_bucketacls.yaml
index a4900de88b..f79d68c800 100644
--- a/package/crds/s3.aws.upbound.io_bucketacls.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketacls.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -213,6 +217,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -406,12 +425,53 @@ spec:
                                     displayName:
                                       description: Display name of the owner.
                                       type: string
+                                    emailAddress:
+                                      description: Email address of the grantee. See
+                                        Regions and Endpoints for supported AWS regions
+                                        where this argument can be specified.
+                                      type: string
+                                    id:
+                                      description: ID of the owner.
+                                      type: string
+                                    type:
+                                      description: 'Type of grantee. Valid values:
+                                        CanonicalUser, AmazonCustomerByEmail, Group.'
+                                      type: string
+                                    uri:
+                                      description: URI of the grantee group.
+                                      type: string
                                   type: object
                                 type: array
+                              permission:
+                                description: Logging permissions assigned to the grantee
+                                  for the bucket.
+                                type: string
+                            type: object
+                          type: array
+                        owner:
+                          description: Configuration block of the bucket owner's display
+                            name and ID. See below.
+                          items:
+                            properties:
+                              displayName:
+                                description: Display name of the owner.
+                                type: string
+                              id:
+                                description: ID of the owner.
+                                type: string
                             type: object
                           type: array
                       type: object
                     type: array
+                  acl:
+                    description: Canned ACL to apply to the bucket.
+                    type: string
+                  bucket:
+                    description: Name of the bucket.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket, expected_bucket_owner (if configured),
                       and acl (if configured) separated by commas (,).
diff --git a/package/crds/s3.aws.upbound.io_bucketanalyticsconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketanalyticsconfigurations.yaml
index 5162bb1cd8..fd197be37e 100644
--- a/package/crds/s3.aws.upbound.io_bucketanalyticsconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketanalyticsconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -309,9 +313,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -483,14 +501,87 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: BucketAnalyticsConfigurationStatus defines the observed state
               of BucketAnalyticsConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket this analytics configuration is
+                      associated with.
+                    type: string
+                  filter:
+                    description: Object filtering that accepts a prefix, tags, or
+                      a logical AND of prefix and tags (documented below).
+                    items:
+                      properties:
+                        prefix:
+                          description: Object prefix for filtering.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map of resource tags.
+                          type: object
+                      type: object
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: Unique identifier of the analytics configuration
+                      for the bucket.
+                    type: string
+                  storageClassAnalysis:
+                    description: Configuration for the analytics data export (documented
+                      below).
+                    items:
+                      properties:
+                        dataExport:
+                          description: Data export configuration (documented below).
+                          items:
+                            properties:
+                              destination:
+                                description: Specifies the destination for the exported
+                                  analytics data (documented below).
+                                items:
+                                  properties:
+                                    s3BucketDestination:
+                                      description: Analytics data export currently
+                                        only supports an S3 bucket destination (documented
+                                        below).
+                                      items:
+                                        properties:
+                                          bucketAccountId:
+                                            description: Account ID that owns the
+                                              destination bucket.
+                                            type: string
+                                          bucketArn:
+                                            description: ARN of the destination bucket.
+                                            type: string
+                                          format:
+                                            description: 'Output format of exported
+                                              analytics data. Allowed values: CSV.
+                                              Default value: CSV.'
+                                            type: string
+                                          prefix:
+                                            description: Object prefix for filtering.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              outputSchemaVersion:
+                                description: 'Schema version of exported analytics
+                                  data. Allowed values: V_1. Default value: V_1.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketcorsconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketcorsconfigurations.yaml
index 3218930b06..87c6e5a626 100644
--- a/package/crds/s3.aws.upbound.io_bucketcorsconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketcorsconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -193,9 +197,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - corsRule
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -367,12 +385,62 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: corsRule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.corsRule)
           status:
             description: BucketCorsConfigurationStatus defines the observed state
               of BucketCorsConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket.
+                    type: string
+                  corsRule:
+                    description: Set of origins and methods (cross-origin access that
+                      you want to allow). See below. You can configure up to 100 rules.
+                    items:
+                      properties:
+                        allowedHeaders:
+                          description: Set of Headers that are specified in the Access-Control-Request-Headers
+                            header.
+                          items:
+                            type: string
+                          type: array
+                        allowedMethods:
+                          description: Set of HTTP methods that you allow the origin
+                            to execute. Valid values are GET, PUT, HEAD, POST, and
+                            DELETE.
+                          items:
+                            type: string
+                          type: array
+                        allowedOrigins:
+                          description: Set of origins you want customers to be able
+                            to access the bucket from.
+                          items:
+                            type: string
+                          type: array
+                        exposeHeaders:
+                          description: Set of headers in the response that you want
+                            customers to be able to access from their applications
+                            (for example, from a JavaScript XMLHttpRequest object).
+                          items:
+                            type: string
+                          type: array
+                        id:
+                          description: Unique identifier for the rule. The value cannot
+                            be longer than 255 characters.
+                          type: string
+                        maxAgeSeconds:
+                          description: Time in seconds that your browser is to cache
+                            the preflight response for the specified resource.
+                          type: number
+                      type: object
+                    type: array
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
diff --git a/package/crds/s3.aws.upbound.io_bucketintelligenttieringconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketintelligenttieringconfigurations.yaml
index 6ce6995eef..e419fbd059 100644
--- a/package/crds/s3.aws.upbound.io_bucketintelligenttieringconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketintelligenttieringconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -190,10 +194,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
-                - tiering
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -365,14 +382,63 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: tiering is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.tiering)
           status:
             description: BucketIntelligentTieringConfigurationStatus defines the observed
               state of BucketIntelligentTieringConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket this intelligent tiering configuration
+                      is associated with.
+                    type: string
+                  filter:
+                    description: Bucket filter. The configuration only includes objects
+                      that meet the filter's criteria (documented below).
+                    items:
+                      properties:
+                        prefix:
+                          description: Object key name prefix that identifies the
+                            subset of objects to which the configuration applies.
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map of resource tags.
+                          type: object
+                      type: object
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: Unique name used to identify the S3 Intelligent-Tiering
+                      configuration for the bucket.
+                    type: string
+                  status:
+                    description: 'Specifies the status of the configuration. Valid
+                      values: Enabled, Disabled.'
+                    type: string
+                  tiering:
+                    description: S3 Intelligent-Tiering storage class tiers of the
+                      configuration (documented below).
+                    items:
+                      properties:
+                        accessTier:
+                          description: 'S3 Intelligent-Tiering access tier. Valid
+                            values: ARCHIVE_ACCESS, DEEP_ARCHIVE_ACCESS.'
+                          type: string
+                        days:
+                          description: Number of consecutive days of no access after
+                            which an object will be eligible to be transitioned to
+                            the corresponding tier.
+                          type: number
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketinventories.yaml b/package/crds/s3.aws.upbound.io_bucketinventories.yaml
index db718cf58b..d179251d8e 100644
--- a/package/crds/s3.aws.upbound.io_bucketinventories.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketinventories.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -332,12 +336,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - destination
-                - includedObjectVersions
-                - name
                 - region
-                - schedule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -509,13 +524,124 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)
+            - message: includedObjectVersions is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.includedObjectVersions)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: schedule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)
           status:
             description: BucketInventoryStatus defines the observed state of BucketInventory.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the source bucket that inventory lists the
+                      objects for.
+                    type: string
+                  destination:
+                    description: Contains information about where to publish the inventory
+                      results (documented below).
+                    items:
+                      properties:
+                        bucket:
+                          description: Name of the source bucket that inventory lists
+                            the objects for.
+                          items:
+                            properties:
+                              accountId:
+                                description: ID of the account that owns the destination
+                                  bucket. Recommended to be set to prevent problems
+                                  if the destination bucket ownership changes.
+                                type: string
+                              bucketArn:
+                                description: Amazon S3 bucket ARN of the destination.
+                                type: string
+                              encryption:
+                                description: Contains the type of server-side encryption
+                                  to use to encrypt the inventory (documented below).
+                                items:
+                                  properties:
+                                    sseKms:
+                                      description: Specifies to use server-side encryption
+                                        with AWS KMS-managed keys to encrypt the inventory
+                                        file (documented below).
+                                      items:
+                                        properties:
+                                          keyId:
+                                            description: ARN of the KMS customer master
+                                              key (CMK) used to encrypt the inventory
+                                              file.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    sseS3:
+                                      description: Specifies to use server-side encryption
+                                        with Amazon S3-managed keys (SSE-S3) to encrypt
+                                        the inventory file.
+                                      items:
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              format:
+                                description: Specifies the output format of the inventory
+                                  results. Can be CSV, ORC or Parquet.
+                                type: string
+                              prefix:
+                                description: Prefix that an object must have to be
+                                  included in the inventory results.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  enabled:
+                    description: Specifies whether the inventory is enabled or disabled.
+                    type: boolean
+                  filter:
+                    description: Specifies an inventory filter. The inventory only
+                      includes objects that meet the filter's criteria (documented
+                      below).
+                    items:
+                      properties:
+                        prefix:
+                          description: Prefix that an object must have to be included
+                            in the inventory results.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  includedObjectVersions:
+                    description: 'Object versions to include in the inventory list.
+                      Valid values: All, Current.'
+                    type: string
+                  name:
+                    description: Unique identifier of the inventory configuration
+                      for the bucket.
+                    type: string
+                  optionalFields:
+                    description: List of optional fields that are included in the
+                      inventory results. Please refer to the S3 documentation for
+                      more details.
+                    items:
+                      type: string
+                    type: array
+                  schedule:
+                    description: Specifies the schedule for generating inventory results
+                      (documented below).
+                    items:
+                      properties:
+                        frequency:
+                          description: 'Specifies how frequently inventory results
+                            are produced. Valid values: Daily, Weekly.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketlifecycleconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketlifecycleconfigurations.yaml
index 50f4f08531..e2d3619a7d 100644
--- a/package/crds/s3.aws.upbound.io_bucketlifecycleconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketlifecycleconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -353,8 +357,22 @@ spec:
                     type: array
                 required:
                 - region
-                - rule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -526,15 +544,217 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: rule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)
           status:
             description: BucketLifecycleConfigurationStatus defines the observed state
               of BucketLifecycleConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the source S3 bucket you want Amazon S3 to
+                      monitor.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner. If the bucket
+                      is owned by a different account, the request will fail with
+                      an HTTP 403 (Access Denied) error.
+                    type: string
                   id:
                     description: and status)
                     type: string
+                  rule:
+                    description: List of configuration blocks describing the rules
+                      managing the replication. See below.
+                    items:
+                      properties:
+                        abortIncompleteMultipartUpload:
+                          description: Configuration block that specifies the days
+                            since the initiation of an incomplete multipart upload
+                            that Amazon S3 will wait before permanently removing all
+                            parts of the upload. See below.
+                          items:
+                            properties:
+                              daysAfterInitiation:
+                                description: Number of days after which Amazon S3
+                                  aborts an incomplete multipart upload.
+                                type: number
+                            type: object
+                          type: array
+                        expiration:
+                          description: Configuration block that specifies the expiration
+                            for the lifecycle of the object in the form of date, days
+                            and, whether the object has a delete marker. See below.
+                          items:
+                            properties:
+                              date:
+                                description: Date objects are transitioned to the
+                                  specified storage class. The date value must be
+                                  in RFC3339 format and set to midnight UTC e.g. 2023-01-13T00:00:00Z.
+                                type: string
+                              days:
+                                description: Number of days after creation when objects
+                                  are transitioned to the specified storage class.
+                                  The value must be a positive integer. If both days
+                                  and date are not specified, defaults to 0. Valid
+                                  values depend on storage_class, see Transition objects
+                                  using Amazon S3 Lifecycle for more details.
+                                type: number
+                              expiredObjectDeleteMarker:
+                                description: Indicates whether Amazon S3 will remove
+                                  a delete marker with no noncurrent versions. If
+                                  set to true, the delete marker will be expired;
+                                  if set to false the policy takes no action.
+                                type: boolean
+                            type: object
+                          type: array
+                        filter:
+                          description: Configuration block used to identify objects
+                            that a Lifecycle Rule applies to. See below. If not specified,
+                            the rule will default to using prefix.
+                          items:
+                            properties:
+                              and:
+                                description: Configuration block used to apply a logical
+                                  AND to two or more predicates. See below. The Lifecycle
+                                  Rule will apply to any object matching all the predicates
+                                  configured inside the and block.
+                                items:
+                                  properties:
+                                    objectSizeGreaterThan:
+                                      description: Minimum object size (in bytes)
+                                        to which the rule applies.
+                                      type: number
+                                    objectSizeLessThan:
+                                      description: Maximum object size (in bytes)
+                                        to which the rule applies.
+                                      type: number
+                                    prefix:
+                                      description: DEPRECATED Use filter instead.
+                                        This has been deprecated by Amazon S3. Prefix
+                                        identifying one or more objects to which the
+                                        rule applies. Defaults to an empty string
+                                        ("") if filter is not specified.
+                                      type: string
+                                    tags:
+                                      additionalProperties:
+                                        type: string
+                                      description: Key-value map of resource tags.
+                                        All of these tags must exist in the object's
+                                        tag set in order for the rule to apply.
+                                      type: object
+                                  type: object
+                                type: array
+                              objectSizeGreaterThan:
+                                description: Minimum object size (in bytes) to which
+                                  the rule applies.
+                                type: string
+                              objectSizeLessThan:
+                                description: Maximum object size (in bytes) to which
+                                  the rule applies.
+                                type: string
+                              prefix:
+                                description: DEPRECATED Use filter instead. This has
+                                  been deprecated by Amazon S3. Prefix identifying
+                                  one or more objects to which the rule applies. Defaults
+                                  to an empty string ("") if filter is not specified.
+                                type: string
+                              tag:
+                                description: Configuration block for specifying a
+                                  tag key and value. See below.
+                                items:
+                                  properties:
+                                    key:
+                                      description: Name of the object key.
+                                      type: string
+                                    value:
+                                      description: Value of the tag.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        id:
+                          description: Unique identifier for the rule. The value cannot
+                            be longer than 255 characters.
+                          type: string
+                        noncurrentVersionExpiration:
+                          description: Configuration block that specifies when noncurrent
+                            object versions expire. See below.
+                          items:
+                            properties:
+                              newerNoncurrentVersions:
+                                description: Number of noncurrent versions Amazon
+                                  S3 will retain. Must be a non-zero positive integer.
+                                type: string
+                              noncurrentDays:
+                                description: Number of days an object is noncurrent
+                                  before Amazon S3 can perform the associated action.
+                                type: number
+                            type: object
+                          type: array
+                        noncurrentVersionTransition:
+                          description: Set of configuration blocks that specify the
+                            transition rule for the lifecycle rule that describes
+                            when noncurrent objects transition to a specific storage
+                            class. See below.
+                          items:
+                            properties:
+                              newerNoncurrentVersions:
+                                description: Number of noncurrent versions Amazon
+                                  S3 will retain. Must be a non-zero positive integer.
+                                type: string
+                              noncurrentDays:
+                                description: Number of days an object is noncurrent
+                                  before Amazon S3 can perform the associated action.
+                                type: number
+                              storageClass:
+                                description: 'Class of storage used to store the object.
+                                  Valid Values: GLACIER, STANDARD_IA, ONEZONE_IA,
+                                  INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.'
+                                type: string
+                            type: object
+                          type: array
+                        prefix:
+                          description: DEPRECATED Use filter instead. This has been
+                            deprecated by Amazon S3. Prefix identifying one or more
+                            objects to which the rule applies. Defaults to an empty
+                            string ("") if filter is not specified.
+                          type: string
+                        status:
+                          description: 'Whether the rule is currently being applied.
+                            Valid values: Enabled or Disabled.'
+                          type: string
+                        transition:
+                          description: Set of configuration blocks that specify when
+                            an Amazon S3 object transitions to a specified storage
+                            class. See below.
+                          items:
+                            properties:
+                              date:
+                                description: Date objects are transitioned to the
+                                  specified storage class. The date value must be
+                                  in RFC3339 format and set to midnight UTC e.g. 2023-01-13T00:00:00Z.
+                                type: string
+                              days:
+                                description: Number of days after creation when objects
+                                  are transitioned to the specified storage class.
+                                  The value must be a positive integer. If both days
+                                  and date are not specified, defaults to 0. Valid
+                                  values depend on storage_class, see Transition objects
+                                  using Amazon S3 Lifecycle for more details.
+                                type: number
+                              storageClass:
+                                description: 'Class of storage used to store the object.
+                                  Valid Values: GLACIER, STANDARD_IA, ONEZONE_IA,
+                                  INTELLIGENT_TIERING, DEEP_ARCHIVE, GLACIER_IR.'
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketloggings.yaml b/package/crds/s3.aws.upbound.io_bucketloggings.yaml
index d7074a3b74..ab3a3fecd4 100644
--- a/package/crds/s3.aws.upbound.io_bucketloggings.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketloggings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -267,8 +271,22 @@ spec:
                     type: string
                 required:
                 - region
-                - targetPrefix
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -440,15 +458,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: targetPrefix is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targetPrefix)
           status:
             description: BucketLoggingStatus defines the observed state of BucketLogging.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
                     type: string
+                  targetBucket:
+                    description: Name of the bucket where you want Amazon S3 to store
+                      server access logs.
+                    type: string
                   targetGrant:
                     description: Set of configuration blocks with information for
                       granting permissions. See below.
@@ -461,10 +492,32 @@ spec:
                             properties:
                               displayName:
                                 type: string
+                              emailAddress:
+                                description: Email address of the grantee. See Regions
+                                  and Endpoints for supported AWS regions where this
+                                  argument can be specified.
+                                type: string
+                              id:
+                                description: Canonical user ID of the grantee.
+                                type: string
+                              type:
+                                description: 'Type of grantee. Valid values: CanonicalUser,
+                                  AmazonCustomerByEmail, Group.'
+                                type: string
+                              uri:
+                                description: URI of the grantee group.
+                                type: string
                             type: object
                           type: array
+                        permission:
+                          description: 'Logging permissions assigned to the grantee
+                            for the bucket. Valid values: FULL_CONTROL, READ, WRITE.'
+                          type: string
                       type: object
                     type: array
+                  targetPrefix:
+                    description: Prefix for all log object keys.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketmetrics.yaml b/package/crds/s3.aws.upbound.io_bucketmetrics.yaml
index 73dc90949b..baff14d3f7 100644
--- a/package/crds/s3.aws.upbound.io_bucketmetrics.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketmetrics.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -164,9 +168,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -338,13 +356,38 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: BucketMetricStatus defines the observed state of BucketMetric.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket to put metric configuration.
+                    type: string
+                  filter:
+                    description: Object filtering that accepts a prefix, tags, or
+                      a logical AND of prefix and tags (documented below).
+                    items:
+                      properties:
+                        prefix:
+                          description: Object prefix for filtering (singular).
+                          type: string
+                        tags:
+                          additionalProperties:
+                            type: string
+                          description: Key-value map of resource tags.
+                          type: object
+                      type: object
+                    type: array
                   id:
                     type: string
+                  name:
+                    description: Unique identifier of the metrics configuration for
+                      the bucket. Must be less than or equal to 64 characters in length.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketnotifications.yaml b/package/crds/s3.aws.upbound.io_bucketnotifications.yaml
index 21637ef806..7a15d61efc 100644
--- a/package/crds/s3.aws.upbound.io_bucketnotifications.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketnotifications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -381,6 +385,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -557,9 +576,88 @@ spec:
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket for notification configuration.
+                    type: string
+                  eventbridge:
+                    description: Whether to enable Amazon EventBridge notifications.
+                    type: boolean
                   id:
                     description: Unique identifier for each of the notification configurations.
                     type: string
+                  lambdaFunction:
+                    description: Used to configure notifications to a Lambda Function.
+                      See below.
+                    items:
+                      properties:
+                        events:
+                          description: Event for which to send notifications.
+                          items:
+                            type: string
+                          type: array
+                        filterPrefix:
+                          description: Object key name prefix.
+                          type: string
+                        filterSuffix:
+                          description: Object key name suffix.
+                          type: string
+                        id:
+                          description: Unique identifier for each of the notification
+                            configurations.
+                          type: string
+                        lambdaFunctionArn:
+                          description: Lambda function ARN.
+                          type: string
+                      type: object
+                    type: array
+                  queue:
+                    description: Notification configuration to SQS Queue. See below.
+                    items:
+                      properties:
+                        events:
+                          description: Specifies event for which to send notifications.
+                          items:
+                            type: string
+                          type: array
+                        filterPrefix:
+                          description: Object key name prefix.
+                          type: string
+                        filterSuffix:
+                          description: Object key name suffix.
+                          type: string
+                        id:
+                          description: Unique identifier for each of the notification
+                            configurations.
+                          type: string
+                        queueArn:
+                          description: SQS queue ARN.
+                          type: string
+                      type: object
+                    type: array
+                  topic:
+                    description: Notification configuration to SNS Topic. See below.
+                    items:
+                      properties:
+                        events:
+                          description: Event for which to send notifications.
+                          items:
+                            type: string
+                          type: array
+                        filterPrefix:
+                          description: Object key name prefix.
+                          type: string
+                        filterSuffix:
+                          description: Object key name suffix.
+                          type: string
+                        id:
+                          description: Unique identifier for each of the notification
+                            configurations.
+                          type: string
+                        topicArn:
+                          description: SNS topic ARN.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketobjectlockconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketobjectlockconfigurations.yaml
index 9590c9a345..f4811891ae 100644
--- a/package/crds/s3.aws.upbound.io_bucketobjectlockconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketobjectlockconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -206,6 +210,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -383,10 +402,48 @@ spec:
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
                     type: string
+                  objectLockEnabled:
+                    description: 'Indicates whether this bucket has an Object Lock
+                      configuration enabled. Defaults to Enabled. Valid values: Enabled.'
+                    type: string
+                  rule:
+                    description: Configuration block for specifying the Object Lock
+                      rule for the specified object. See below.
+                    items:
+                      properties:
+                        defaultRetention:
+                          description: Configuration block for specifying the default
+                            Object Lock retention settings for new objects placed
+                            in the specified bucket. See below.
+                          items:
+                            properties:
+                              days:
+                                description: Number of days that you want to specify
+                                  for the default retention period.
+                                type: number
+                              mode:
+                                description: 'Default Object Lock retention mode you
+                                  want to apply to new objects placed in the specified
+                                  bucket. Valid values: COMPLIANCE, GOVERNANCE.'
+                                type: string
+                              years:
+                                description: Number of years that you want to specify
+                                  for the default retention period.
+                                type: number
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketobjects.yaml b/package/crds/s3.aws.upbound.io_bucketobjects.yaml
index d51d90eaa2..5ac5361e25 100644
--- a/package/crds/s3.aws.upbound.io_bucketobjects.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketobjects.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -326,9 +330,23 @@ spec:
                     description: Target URL for website redirect.
                     type: string
                 required:
-                - key
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -500,14 +518,125 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: key is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)
           status:
             description: BucketObjectStatus defines the observed state of BucketObject.
             properties:
               atProvider:
                 properties:
+                  acl:
+                    description: Canned ACL to apply. Valid values are private, public-read,
+                      public-read-write, aws-exec-read, authenticated-read, bucket-owner-read,
+                      and bucket-owner-full-control. Defaults to private.
+                    type: string
+                  bucket:
+                    description: Name of the bucket to put the file in. Alternatively,
+                      an S3 access point ARN can be specified.
+                    type: string
+                  bucketKeyEnabled:
+                    description: Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.
+                    type: boolean
+                  cacheControl:
+                    description: Caching behavior along the request/reply chain Read
+                      w3c cache_control for further details.
+                    type: string
+                  content:
+                    description: Literal string value to use as the object content,
+                      which will be uploaded as UTF-8-encoded text.
+                    type: string
+                  contentBase64:
+                    description: Base64-encoded data that will be decoded and uploaded
+                      as raw bytes for the object content. This allows safely uploading
+                      non-UTF8 binary data, but is recommended only for small content
+                      such as the result of the gzipbase64 function with small text
+                      strings. For larger objects, use source to stream the content
+                      from a disk file.
+                    type: string
+                  contentDisposition:
+                    description: Presentational information for the object. Read w3c
+                      content_disposition for further information.
+                    type: string
+                  contentEncoding:
+                    description: Content encodings that have been applied to the object
+                      and thus what decoding mechanisms must be applied to obtain
+                      the media-type referenced by the Content-Type header field.
+                      Read w3c content encoding for further information.
+                    type: string
+                  contentLanguage:
+                    description: Language the content is in e.g., en-US or en-GB.
+                    type: string
+                  contentType:
+                    description: Standard MIME type describing the format of the object
+                      data, e.g., application/octet-stream. All Valid MIME Types are
+                      valid for this input.
+                    type: string
+                  etag:
+                    description: Triggers updates when the value changes.11.11.11
+                      or earlier). This attribute is not compatible with KMS encryption,
+                      kms_key_id or server_side_encryption = "aws:kms" (see source_hash
+                      instead).
+                    type: string
+                  forceDestroy:
+                    description: Whether to allow the object to be deleted by removing
+                      any legal hold on any object version. Default is false. This
+                      value should be set to true only if the bucket has S3 object
+                      lock enabled.
+                    type: boolean
                   id:
                     description: key of the resource supplied above
                     type: string
+                  key:
+                    description: Name of the object once it is in the bucket.
+                    type: string
+                  kmsKeyId:
+                    description: ARN of the KMS Key to use for object encryption.
+                      If the S3 Bucket has server-side encryption enabled, that value
+                      will automatically be used. If referencing the aws_kms_key resource,
+                      use the arn attribute. If referencing the aws_kms_alias data
+                      source or resource, use the target_key_arn attribute.
+                    type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Map of keys/values to provision metadata (will be
+                      automatically prefixed by x-amz-meta-, note that only lowercase
+                      label are currently supported by the AWS Go API).
+                    type: object
+                  objectLockLegalHoldStatus:
+                    description: Legal hold status that you want to apply to the specified
+                      object. Valid values are ON and OFF.
+                    type: string
+                  objectLockMode:
+                    description: Object lock retention mode that you want to apply
+                      to this object. Valid values are GOVERNANCE and COMPLIANCE.
+                    type: string
+                  objectLockRetainUntilDate:
+                    description: Date and time, in RFC3339 format, when this object's
+                      object lock will expire.
+                    type: string
+                  serverSideEncryption:
+                    description: Server-side encryption of the object in S3. Valid
+                      values are "AES256" and "aws:kms".
+                    type: string
+                  source:
+                    description: Path to a file that will be read and uploaded as
+                      raw bytes for the object content.
+                    type: string
+                  sourceHash:
+                    description: Triggers updates like etag but useful to address
+                      etag encryption limitations.11.12 or later). (The value is only
+                      stored in state and not saved by AWS.)
+                    type: string
+                  storageClass:
+                    description: Storage Class for the object. Defaults to "STANDARD".
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -518,6 +647,9 @@ spec:
                     description: Unique version ID value for the object, if bucket
                       versioning is enabled.
                     type: string
+                  websiteRedirect:
+                    description: Target URL for website redirect.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketownershipcontrols.yaml b/package/crds/s3.aws.upbound.io_bucketownershipcontrols.yaml
index 274cde07e6..36ae71a032 100644
--- a/package/crds/s3.aws.upbound.io_bucketownershipcontrols.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketownershipcontrols.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -161,8 +165,22 @@ spec:
                     type: array
                 required:
                 - region
-                - rule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -334,15 +352,33 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: rule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)
           status:
             description: BucketOwnershipControlsStatus defines the observed state
               of BucketOwnershipControls.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket that you want to associate this
+                      access point with.
+                    type: string
                   id:
                     description: S3 Bucket name.
                     type: string
+                  rule:
+                    description: Configuration block(s) with Ownership Controls rules.
+                      Detailed below.
+                    items:
+                      properties:
+                        objectOwnership:
+                          description: 'Object ownership. Valid values: BucketOwnerPreferred,
+                            ObjectWriter or BucketOwnerEnforced'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketpolicies.yaml b/package/crds/s3.aws.upbound.io_bucketpolicies.yaml
index 4f26eca78e..caa5ff31da 100644
--- a/package/crds/s3.aws.upbound.io_bucketpolicies.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,9 +155,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -325,13 +343,25 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: BucketPolicyStatus defines the observed state of BucketPolicy.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket to which to apply the policy.
+                    type: string
                   id:
                     type: string
+                  policy:
+                    description: 'Text of the policy. Although this is a bucket policy
+                      rather than an IAM policy, the aws_iam_policy_document data
+                      source may be used, so long as it specifies a principal. Note:
+                      Bucket policies are limited to 20 KB in size.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketpublicaccessblocks.yaml b/package/crds/s3.aws.upbound.io_bucketpublicaccessblocks.yaml
index 5ea616e220..8c5f9b884e 100644
--- a/package/crds/s3.aws.upbound.io_bucketpublicaccessblocks.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketpublicaccessblocks.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -176,6 +180,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -353,10 +372,41 @@ spec:
             properties:
               atProvider:
                 properties:
+                  blockPublicAcls:
+                    description: 'Whether Amazon S3 should block public ACLs for this
+                      bucket. Defaults to false. Enabling this setting does not affect
+                      existing policies or ACLs. When set to true causes the following
+                      behavior:'
+                    type: boolean
+                  blockPublicPolicy:
+                    description: 'Whether Amazon S3 should block public bucket policies
+                      for this bucket. Defaults to false. Enabling this setting does
+                      not affect the existing bucket policy. When set to true causes
+                      Amazon S3 to:'
+                    type: boolean
+                  bucket:
+                    description: S3 Bucket to which this Public Access Block configuration
+                      should be applied.
+                    type: string
                   id:
                     description: Name of the S3 bucket the configuration is attached
                       to
                     type: string
+                  ignorePublicAcls:
+                    description: 'Whether Amazon S3 should ignore public ACLs for
+                      this bucket. Defaults to false. Enabling this setting does not
+                      affect the persistence of any existing ACLs and doesn''t prevent
+                      new public ACLs from being set. When set to true causes Amazon
+                      S3 to:'
+                    type: boolean
+                  restrictPublicBuckets:
+                    description: 'Whether Amazon S3 should restrict public bucket
+                      policies for this bucket. Defaults to false. Enabling this setting
+                      does not affect the previously stored bucket policy, except
+                      that public and cross-account access within the public bucket
+                      policy, including non-public delegation to specific accounts,
+                      is blocked. When set to true:'
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketreplicationconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketreplicationconfigurations.yaml
index 1fdad731cb..a4c15afdbc 100644
--- a/package/crds/s3.aws.upbound.io_bucketreplicationconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketreplicationconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -598,8 +602,22 @@ spec:
                     type: object
                 required:
                 - region
-                - rule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -771,15 +789,272 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: rule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)
           status:
             description: BucketReplicationConfigurationStatus defines the observed
               state of BucketReplicationConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the source S3 bucket you want Amazon S3 to
+                      monitor.
+                    type: string
                   id:
                     description: S3 source bucket name.
                     type: string
+                  role:
+                    description: ARN of the IAM role for Amazon S3 to assume when
+                      replicating the objects.
+                    type: string
+                  rule:
+                    description: List of configuration blocks describing the rules
+                      managing the replication. See below.
+                    items:
+                      properties:
+                        deleteMarkerReplication:
+                          description: Whether delete markers are replicated. This
+                            argument is only valid with V2 replication configurations
+                            (i.e., when filter is used)documented below.
+                          items:
+                            properties:
+                              status:
+                                description: Whether delete markers should be replicated.
+                                  Either "Enabled" or "Disabled".
+                                type: string
+                            type: object
+                          type: array
+                        destination:
+                          description: Specifies the destination for the rule. See
+                            below.
+                          items:
+                            properties:
+                              accessControlTranslation:
+                                description: Configuration block that specifies the
+                                  overrides to use for object owners on replication.
+                                  See below. Specify this only in a cross-account
+                                  scenario (where source and destination bucket owners
+                                  are not the same), and you want to change replica
+                                  ownership to the AWS account that owns the destination
+                                  bucket. If this is not specified in the replication
+                                  configuration, the replicas are owned by same AWS
+                                  account that owns the source object. Must be used
+                                  in conjunction with account owner override configuration.
+                                items:
+                                  properties:
+                                    owner:
+                                      description: 'Specifies the replica ownership.
+                                        For default and valid values, see PUT bucket
+                                        replication in the Amazon S3 API Reference.
+                                        Valid values: Destination.'
+                                      type: string
+                                  type: object
+                                type: array
+                              account:
+                                description: Account ID to specify the replica ownership.
+                                  Must be used in conjunction with access_control_translation
+                                  override configuration.
+                                type: string
+                              bucket:
+                                description: ARN of the bucket where you want Amazon
+                                  S3 to store the results.
+                                type: string
+                              encryptionConfiguration:
+                                description: Configuration block that provides information
+                                  about encryption. See below. If source_selection_criteria
+                                  is specified, you must specify this element.
+                                items:
+                                  properties:
+                                    replicaKmsKeyId:
+                                      description: ID (Key ARN or Alias ARN) of the
+                                        customer managed AWS KMS key stored in AWS
+                                        Key Management Service (KMS) for the destination
+                                        bucket.
+                                      type: string
+                                  type: object
+                                type: array
+                              metrics:
+                                description: Configuration block that specifies replication
+                                  metrics-related settings enabling replication metrics
+                                  and events. See below.
+                                items:
+                                  properties:
+                                    eventThreshold:
+                                      description: Configuration block that specifies
+                                        the time threshold for emitting the s3:Replication:OperationMissedThreshold
+                                        event. See below.
+                                      items:
+                                        properties:
+                                          minutes:
+                                            description: 'Time in minutes. Valid values:
+                                              15.'
+                                            type: number
+                                        type: object
+                                      type: array
+                                    status:
+                                      description: Whether the existing objects should
+                                        be replicated. Either "Enabled" or "Disabled".
+                                      type: string
+                                  type: object
+                                type: array
+                              replicationTime:
+                                description: Configuration block that specifies S3
+                                  Replication Time Control (S3 RTC), including whether
+                                  S3 RTC is enabled and the time when all objects
+                                  and operations on objects must be replicated. See
+                                  below. Replication Time Control must be used in
+                                  conjunction with metrics.
+                                items:
+                                  properties:
+                                    status:
+                                      description: Whether the existing objects should
+                                        be replicated. Either "Enabled" or "Disabled".
+                                      type: string
+                                    time:
+                                      description: Configuration block specifying
+                                        the time by which replication should be complete
+                                        for all objects and operations on objects.
+                                        See below.
+                                      items:
+                                        properties:
+                                          minutes:
+                                            description: 'Time in minutes. Valid values:
+                                              15.'
+                                            type: number
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              storageClass:
+                                description: The storage class used to store the object.
+                                  By default, Amazon S3 uses the storage class of
+                                  the source object to create the object replica.
+                                type: string
+                            type: object
+                          type: array
+                        existingObjectReplication:
+                          description: Replicate existing objects in the source bucket
+                            according to the rule configurations. See below.
+                          items:
+                            properties:
+                              status:
+                                description: Whether the existing objects should be
+                                  replicated. Either "Enabled" or "Disabled".
+                                type: string
+                            type: object
+                          type: array
+                        filter:
+                          description: Filter that identifies subset of objects to
+                            which the replication rule applies. See below. If not
+                            specified, the rule will default to using prefix.
+                          items:
+                            properties:
+                              and:
+                                description: Configuration block for specifying rule
+                                  filters. This element is required only if you specify
+                                  more than one filter. See and below for more details.
+                                items:
+                                  properties:
+                                    prefix:
+                                      description: Object key name prefix identifying
+                                        one or more objects to which the rule applies.
+                                        Must be less than or equal to 1024 characters
+                                        in length. Defaults to an empty string ("")
+                                        if filter is not specified.
+                                      type: string
+                                    tags:
+                                      additionalProperties:
+                                        type: string
+                                      description: Map of tags (key and value pairs)
+                                        that identifies a subset of objects to which
+                                        the rule applies. The rule applies only to
+                                        objects having all the tags in its tagset.
+                                      type: object
+                                  type: object
+                                type: array
+                              prefix:
+                                description: Object key name prefix identifying one
+                                  or more objects to which the rule applies. Must
+                                  be less than or equal to 1024 characters in length.
+                                  Defaults to an empty string ("") if filter is not
+                                  specified.
+                                type: string
+                              tag:
+                                description: Configuration block for specifying a
+                                  tag key and value. See below.
+                                items:
+                                  properties:
+                                    key:
+                                      description: Name of the object key.
+                                      type: string
+                                    value:
+                                      description: Value of the tag.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        id:
+                          description: Unique identifier for the rule. Must be less
+                            than or equal to 255 characters in length.
+                          type: string
+                        prefix:
+                          description: Object key name prefix identifying one or more
+                            objects to which the rule applies. Must be less than or
+                            equal to 1024 characters in length. Defaults to an empty
+                            string ("") if filter is not specified.
+                          type: string
+                        priority:
+                          description: Priority associated with the rule. Priority
+                            should only be set if filter is configured. If not provided,
+                            defaults to 0. Priority must be unique between multiple
+                            rules.
+                          type: number
+                        sourceSelectionCriteria:
+                          description: Specifies special object selection criteria.
+                            See below.
+                          items:
+                            properties:
+                              replicaModifications:
+                                description: Configuration block that you can specify
+                                  for selections for modifications on replicas. Amazon
+                                  S3 doesn't replicate replica modifications by default.
+                                  In the latest version of replication configuration
+                                  (when filter is specified), you can specify this
+                                  element and set the status to Enabled to replicate
+                                  modifications on replicas.
+                                items:
+                                  properties:
+                                    status:
+                                      description: Whether the existing objects should
+                                        be replicated. Either "Enabled" or "Disabled".
+                                      type: string
+                                  type: object
+                                type: array
+                              sseKmsEncryptedObjects:
+                                description: Configuration block for filter information
+                                  for the selection of Amazon S3 objects encrypted
+                                  with AWS KMS. If specified, replica_kms_key_id in
+                                  destination encryption_configuration must be specified
+                                  as well.
+                                items:
+                                  properties:
+                                    status:
+                                      description: Whether the existing objects should
+                                        be replicated. Either "Enabled" or "Disabled".
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        status:
+                          description: Status of the rule. Either "Enabled" or "Disabled".
+                            The rule is ignored if status is not "Enabled".
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketrequestpaymentconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketrequestpaymentconfigurations.yaml
index 80d652ae3d..73de9f6bb5 100644
--- a/package/crds/s3.aws.upbound.io_bucketrequestpaymentconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketrequestpaymentconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,9 +157,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - payer
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,16 +345,29 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: payer is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.payer)
           status:
             description: BucketRequestPaymentConfigurationStatus defines the observed
               state of BucketRequestPaymentConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
                     type: string
+                  payer:
+                    description: 'Specifies who pays for the download and request
+                      fees. Valid values: BucketOwner, Requester.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_buckets.yaml b/package/crds/s3.aws.upbound.io_buckets.yaml
index 4b255a2829..f2eec1b2a3 100644
--- a/package/crds/s3.aws.upbound.io_buckets.yaml
+++ b/package/crds/s3.aws.upbound.io_buckets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -89,6 +93,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,6 +345,14 @@ spec:
                           type: number
                       type: object
                     type: array
+                  forceDestroy:
+                    description: Boolean that indicates all objects (including any
+                      locked objects) should be deleted from the bucket when the bucket
+                      is destroyed so that the bucket can be destroyed without error.
+                      These objects are not recoverable. This only deletes objects
+                      when the bucket is destroyed, not when setting this parameter
+                      to true.
+                    type: boolean
                   grant:
                     description: An ACL policy grant. See Grant below for details.
                       Conflicts with acl. Use the resource aws_s3_bucket_acl instead.
@@ -512,6 +539,11 @@ spec:
                           type: array
                       type: object
                     type: array
+                  objectLockEnabled:
+                    description: Indicates whether this bucket has an Object Lock
+                      configuration enabled. Valid values are true or false. This
+                      argument is not supported in all regions or partitions.
+                    type: boolean
                   policy:
                     description: Valid bucket policy JSON document. In this case,
                       please make sure you use the verbose/specific version of the
@@ -726,6 +758,11 @@ spec:
                           type: array
                       type: object
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/s3.aws.upbound.io_bucketserversideencryptionconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketserversideencryptionconfigurations.yaml
index 50fe1aedc2..b2046b4654 100644
--- a/package/crds/s3.aws.upbound.io_bucketserversideencryptionconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketserversideencryptionconfigurations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -262,8 +266,22 @@ spec:
                     type: array
                 required:
                 - region
-                - rule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -435,16 +453,54 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: rule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rule)
           status:
             description: BucketServerSideEncryptionConfigurationStatus defines the
               observed state of BucketServerSideEncryptionConfiguration.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: ID (name) of the bucket.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
                     type: string
+                  rule:
+                    description: Set of server-side encryption configuration rules.
+                      See below. Currently, only a single rule is supported.
+                    items:
+                      properties:
+                        applyServerSideEncryptionByDefault:
+                          description: Single object for setting server-side encryption
+                            by default. See below.
+                          items:
+                            properties:
+                              kmsMasterKeyId:
+                                description: AWS KMS master key ID used for the SSE-KMS
+                                  encryption. This can only be used when you set the
+                                  value of sse_algorithm as aws:kms. The default aws/s3
+                                  AWS KMS master key is used if this element is absent
+                                  while the sse_algorithm is aws:kms.
+                                type: string
+                              sseAlgorithm:
+                                description: Server-side encryption algorithm to use.
+                                  Valid values are AES256 and aws:kms
+                                type: string
+                            type: object
+                          type: array
+                        bucketKeyEnabled:
+                          description: Whether or not to use Amazon S3 Bucket Keys
+                            for SSE-KMS.
+                          type: boolean
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketversionings.yaml b/package/crds/s3.aws.upbound.io_bucketversionings.yaml
index 4438e0da00..6cfa7e6188 100644
--- a/package/crds/s3.aws.upbound.io_bucketversionings.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketversionings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -174,8 +178,22 @@ spec:
                     type: array
                 required:
                 - region
-                - versioningConfiguration
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -347,15 +365,47 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: versioningConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.versioningConfiguration)
           status:
             description: BucketVersioningStatus defines the observed state of BucketVersioning.
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the S3 bucket.
+                    type: string
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
                     type: string
+                  mfa:
+                    description: Concatenation of the authentication device's serial
+                      number, a space, and the value that is displayed on your authentication
+                      device.
+                    type: string
+                  versioningConfiguration:
+                    description: Configuration block for the versioning parameters.
+                      See below.
+                    items:
+                      properties:
+                        mfaDelete:
+                          description: 'Specifies whether MFA delete is enabled in
+                            the bucket versioning configuration. Valid values: Enabled
+                            or Disabled.'
+                          type: string
+                        status:
+                          description: 'Versioning state of the bucket. Valid values:
+                            Enabled, Suspended, or Disabled. Disabled should only
+                            be used when creating or importing resources that correspond
+                            to unversioned S3 buckets.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_bucketwebsiteconfigurations.yaml b/package/crds/s3.aws.upbound.io_bucketwebsiteconfigurations.yaml
index c168eb6782..1c20b2dd03 100644
--- a/package/crds/s3.aws.upbound.io_bucketwebsiteconfigurations.yaml
+++ b/package/crds/s3.aws.upbound.io_bucketwebsiteconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -261,6 +265,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -438,10 +457,118 @@ spec:
             properties:
               atProvider:
                 properties:
+                  bucket:
+                    description: Name of the bucket.
+                    type: string
+                  errorDocument:
+                    description: Name of the error document for the website. See below.
+                    items:
+                      properties:
+                        key:
+                          description: Object key name to use when a 4XX class error
+                            occurs.
+                          type: string
+                      type: object
+                    type: array
+                  expectedBucketOwner:
+                    description: Account ID of the expected bucket owner.
+                    type: string
                   id:
                     description: The bucket or bucket and expected_bucket_owner separated
                       by a comma (,) if the latter is provided.
                     type: string
+                  indexDocument:
+                    description: Name of the index document for the website. See below.
+                    items:
+                      properties:
+                        suffix:
+                          description: Suffix that is appended to a request that is
+                            for a directory on the website endpoint. For example,
+                            if the suffix is index.html and you make a request to
+                            samplebucket/images/, the data that is returned will be
+                            for the object with the key name images/index.html. The
+                            suffix must not be empty and must not include a slash
+                            character.
+                          type: string
+                      type: object
+                    type: array
+                  redirectAllRequestsTo:
+                    description: Redirect behavior for every request to this bucket's
+                      website endpoint. See below. Conflicts with error_document,
+                      index_document, and routing_rule.
+                    items:
+                      properties:
+                        hostName:
+                          description: Name of the host where requests are redirected.
+                          type: string
+                        protocol:
+                          description: 'Protocol to use when redirecting requests.
+                            The default is the protocol that is used in the original
+                            request. Valid values: http, https.'
+                          type: string
+                      type: object
+                    type: array
+                  routingRule:
+                    description: List of rules that define when a redirect is applied
+                      and the redirect behavior. See below.
+                    items:
+                      properties:
+                        condition:
+                          description: Configuration block for describing a condition
+                            that must be met for the specified redirect to apply.
+                            See below.
+                          items:
+                            properties:
+                              httpErrorCodeReturnedEquals:
+                                description: HTTP error code when the redirect is
+                                  applied. If specified with key_prefix_equals, then
+                                  both must be true for the redirect to be applied.
+                                type: string
+                              keyPrefixEquals:
+                                description: Object key name prefix when the redirect
+                                  is applied. If specified with http_error_code_returned_equals,
+                                  then both must be true for the redirect to be applied.
+                                type: string
+                            type: object
+                          type: array
+                        redirect:
+                          description: Configuration block for redirect information.
+                            See below.
+                          items:
+                            properties:
+                              hostName:
+                                description: Name of the host where requests are redirected.
+                                type: string
+                              httpRedirectCode:
+                                description: HTTP redirect code to use on the response.
+                                type: string
+                              protocol:
+                                description: 'Protocol to use when redirecting requests.
+                                  The default is the protocol that is used in the
+                                  original request. Valid values: http, https.'
+                                type: string
+                              replaceKeyPrefixWith:
+                                description: Object key prefix to use in the redirect
+                                  request. For example, to redirect requests for all
+                                  pages with prefix docs/ (objects in the docs/ folder)
+                                  to documents/, you can set a condition block with
+                                  key_prefix_equals set to docs/ and in the redirect
+                                  set replace_key_prefix_with to /documents.
+                                type: string
+                              replaceKeyWith:
+                                description: Specific object key to use in the redirect
+                                  request. For example, redirect request to error.html.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  routingRules:
+                    description: JSON array containing routing rules describing redirect
+                      behavior and when redirects are applied. Use this parameter
+                      when your routing rules contain empty String values ("") as
+                      seen in the example above.
+                    type: string
                   websiteDomain:
                     description: Domain of the website endpoint. This is used to create
                       Route 53 alias records.
diff --git a/package/crds/s3.aws.upbound.io_objectcopies.yaml b/package/crds/s3.aws.upbound.io_objectcopies.yaml
index 7830545dfb..6a18705b74 100644
--- a/package/crds/s3.aws.upbound.io_objectcopies.yaml
+++ b/package/crds/s3.aws.upbound.io_objectcopies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -337,11 +341,23 @@ spec:
                     description: Specifies a target URL for website redirect.
                     type: string
                 required:
-                - bucket
-                - key
                 - region
-                - source
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -513,11 +529,77 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: bucket is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.bucket)
+            - message: key is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)
+            - message: source is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)
           status:
             description: ObjectCopyStatus defines the observed state of ObjectCopy.
             properties:
               atProvider:
                 properties:
+                  acl:
+                    description: Canned ACL to apply. Defaults to private. Valid values
+                      are private, public-read, public-read-write, authenticated-read,
+                      aws-exec-read, bucket-owner-read, and bucket-owner-full-control.
+                      Conflicts with grant.
+                    type: string
+                  bucket:
+                    description: Name of the bucket to put the file in.
+                    type: string
+                  bucketKeyEnabled:
+                    type: boolean
+                  cacheControl:
+                    description: Specifies caching behavior along the request/reply
+                      chain Read w3c cache_control for further details.
+                    type: string
+                  contentDisposition:
+                    description: Specifies presentational information for the object.
+                      Read w3c content_disposition for further information.
+                    type: string
+                  contentEncoding:
+                    description: Specifies what content encodings have been applied
+                      to the object and thus what decoding mechanisms must be applied
+                      to obtain the media-type referenced by the Content-Type header
+                      field. Read w3c content encoding for further information.
+                    type: string
+                  contentLanguage:
+                    description: Language the content is in e.g., en-US or en-GB.
+                    type: string
+                  contentType:
+                    description: Standard MIME type describing the format of the object
+                      data, e.g., application/octet-stream. All Valid MIME Types are
+                      valid for this input.
+                    type: string
+                  copyIfMatch:
+                    description: Copies the object if its entity tag (ETag) matches
+                      the specified tag.
+                    type: string
+                  copyIfModifiedSince:
+                    description: Copies the object if it has been modified since the
+                      specified time, in RFC3339 format.
+                    type: string
+                  copyIfNoneMatch:
+                    description: Copies the object if its entity tag (ETag) is different
+                      than the specified ETag.
+                    type: string
+                  copyIfUnmodifiedSince:
+                    description: Copies the object if it hasn't been modified since
+                      the specified time, in RFC3339 format.
+                    type: string
+                  customerAlgorithm:
+                    description: Specifies the algorithm to use to when encrypting
+                      the object (for example, AES256).
+                    type: string
+                  customerKeyMd5:
+                    description: Specifies the 128-bit MD5 digest of the encryption
+                      key according to RFC 1321. Amazon S3 uses this header for a
+                      message integrity check to ensure that the encryption key was
+                      transmitted without error.
+                    type: string
                   etag:
                     description: ETag generated for the object (an MD5 sum of the
                       object content). For plaintext objects or objects encrypted
@@ -528,25 +610,147 @@ spec:
                       More information on possible values can be found on Common Response
                       Headers.
                     type: string
+                  expectedBucketOwner:
+                    description: Account id of the expected destination bucket owner.
+                      If the destination bucket is owned by a different account, the
+                      request will fail with an HTTP 403 (Access Denied) error.
+                    type: string
+                  expectedSourceBucketOwner:
+                    description: Account id of the expected source bucket owner. If
+                      the source bucket is owned by a different account, the request
+                      will fail with an HTTP 403 (Access Denied) error.
+                    type: string
                   expiration:
                     description: If the object expiration is configured, this attribute
                       will be set.
                     type: string
+                  expires:
+                    description: Date and time at which the object is no longer cacheable,
+                      in RFC3339 format.
+                    type: string
+                  forceDestroy:
+                    description: Allow the object to be deleted by removing any legal
+                      hold on any object version. Default is false. This value should
+                      be set to true only if the bucket has S3 object lock enabled.
+                    type: boolean
+                  grant:
+                    description: Configuration block for header grants. Documented
+                      below. Conflicts with acl.
+                    items:
+                      properties:
+                        email:
+                          description: Email address of the grantee. Used only when
+                            type is AmazonCustomerByEmail.
+                          type: string
+                        id:
+                          description: Canonical user ID of the grantee. Used only
+                            when type is CanonicalUser.
+                          type: string
+                        permissions:
+                          description: List of permissions to grant to grantee. Valid
+                            values are READ, READ_ACP, WRITE_ACP, FULL_CONTROL.
+                          items:
+                            type: string
+                          type: array
+                        type:
+                          description: '- Type of grantee. Valid values are CanonicalUser,
+                            Group, and AmazonCustomerByEmail.'
+                          type: string
+                        uri:
+                          description: URI of the grantee group. Used only when type
+                            is Group.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: Canonical user ID of the grantee. Used only when
                       type is CanonicalUser.
                     type: string
+                  key:
+                    description: Name of the object once it is in the bucket.
+                    type: string
                   lastModified:
                     description: Returns the date that the object was last modified,
                       in RFC3339 format.
                     type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Map of keys/values to provision metadata (will be
+                      automatically prefixed by x-amz-meta-, note that only lowercase
+                      label are currently supported by the AWS Go API).
+                    type: object
+                  metadataDirective:
+                    description: Specifies whether the metadata is copied from the
+                      source object or replaced with metadata provided in the request.
+                      Valid values are COPY and REPLACE.
+                    type: string
+                  objectLockLegalHoldStatus:
+                    description: The legal hold status that you want to apply to the
+                      specified object. Valid values are ON and OFF.
+                    type: string
+                  objectLockMode:
+                    description: Object lock retention mode that you want to apply
+                      to this object. Valid values are GOVERNANCE and COMPLIANCE.
+                    type: string
+                  objectLockRetainUntilDate:
+                    description: Date and time, in RFC3339 format, when this object's
+                      object lock will expire.
+                    type: string
                   requestCharged:
                     description: If present, indicates that the requester was successfully
                       charged for the request.
                     type: boolean
+                  requestPayer:
+                    description: Confirms that the requester knows that they will
+                      be charged for the request. Bucket owners need not specify this
+                      parameter in their requests. For information about downloading
+                      objects from requester pays buckets, see Downloading Objects
+                      in Requestor Pays Buckets (https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectsinRequesterPaysBuckets.html)
+                      in the Amazon S3 Developer Guide. If included, the only valid
+                      value is requester.
+                    type: string
+                  serverSideEncryption:
+                    description: Specifies server-side encryption of the object in
+                      S3. Valid values are AES256 and aws:kms.
+                    type: string
+                  source:
+                    description: Specifies the source object for the copy operation.
+                      You specify the value in one of two formats. For objects not
+                      accessed through an access point, specify the name of the source
+                      bucket and the key of the source object, separated by a slash
+                      (/). For example, testbucket/test1.json. For objects accessed
+                      through access points, specify the ARN of the object as accessed
+                      through the access point, in the format arn:aws:s3:<Region>:<account-id>:accesspoint/<access-point-name>/object/<key>.
+                      For example, arn:aws:s3:us-west-2:9999912999:accesspoint/my-access-point/object/testbucket/test1.json.
+                    type: string
+                  sourceCustomerAlgorithm:
+                    description: Specifies the algorithm to use when decrypting the
+                      source object (for example, AES256).
+                    type: string
+                  sourceCustomerKeyMd5:
+                    description: Specifies the 128-bit MD5 digest of the encryption
+                      key according to RFC 1321. Amazon S3 uses this header for a
+                      message integrity check to ensure that the encryption key was
+                      transmitted without error.
+                    type: string
                   sourceVersionId:
                     description: Version of the copied object in the source bucket.
                     type: string
+                  storageClass:
+                    description: Specifies the desired storage class for the object.
+                      Defaults to STANDARD.
+                    type: string
+                  taggingDirective:
+                    description: Specifies whether the object tag-set are copied from
+                      the source object or replaced with tag-set provided in the request.
+                      Valid values are COPY and REPLACE.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -556,6 +760,9 @@ spec:
                   versionId:
                     description: Version ID of the newly created copy.
                     type: string
+                  websiteRedirect:
+                    description: Specifies a target URL for website redirect.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3.aws.upbound.io_objects.yaml b/package/crds/s3.aws.upbound.io_objects.yaml
index 4d9e103267..237f6cbb9e 100644
--- a/package/crds/s3.aws.upbound.io_objects.yaml
+++ b/package/crds/s3.aws.upbound.io_objects.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -328,9 +332,23 @@ spec:
                     description: Target URL for website redirect.
                     type: string
                 required:
-                - key
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -502,14 +520,127 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: key is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)
           status:
             description: ObjectStatus defines the observed state of Object.
             properties:
               atProvider:
                 properties:
+                  acl:
+                    description: Canned ACL to apply. Valid values are private, public-read,
+                      public-read-write, aws-exec-read, authenticated-read, bucket-owner-read,
+                      and bucket-owner-full-control. Defaults to private.
+                    type: string
+                  bucket:
+                    description: Name of the bucket to put the file in. Alternatively,
+                      an S3 access point ARN can be specified.
+                    type: string
+                  bucketKeyEnabled:
+                    description: Whether or not to use Amazon S3 Bucket Keys for SSE-KMS.
+                    type: boolean
+                  cacheControl:
+                    description: Caching behavior along the request/reply chain Read
+                      w3c cache_control for further details.
+                    type: string
+                  content:
+                    description: Literal string value to use as the object content,
+                      which will be uploaded as UTF-8-encoded text.
+                    type: string
+                  contentBase64:
+                    description: Base64-encoded data that will be decoded and uploaded
+                      as raw bytes for the object content. This allows safely uploading
+                      non-UTF8 binary data, but is recommended only for small content
+                      such as the result of the gzipbase64 function with small text
+                      strings. For larger objects, use source to stream the content
+                      from a disk file.
+                    type: string
+                  contentDisposition:
+                    description: Presentational information for the object. Read w3c
+                      content_disposition for further information.
+                    type: string
+                  contentEncoding:
+                    description: Content encodings that have been applied to the object
+                      and thus what decoding mechanisms must be applied to obtain
+                      the media-type referenced by the Content-Type header field.
+                      Read w3c content encoding for further information.
+                    type: string
+                  contentLanguage:
+                    description: Language the content is in e.g., en-US or en-GB.
+                    type: string
+                  contentType:
+                    description: Standard MIME type describing the format of the object
+                      data, e.g., application/octet-stream. All Valid MIME Types are
+                      valid for this input.
+                    type: string
+                  etag:
+                    description: Triggers updates when the value changes.11.11.11
+                      or earlier). This attribute is not compatible with KMS encryption,
+                      kms_key_id or server_side_encryption = "aws:kms", also if an
+                      object is larger than 16 MB, the AWS Management Console will
+                      upload or copy that object as a Multipart Upload, and therefore
+                      the ETag will not be an MD5 digest (see source_hash instead).
+                    type: string
+                  forceDestroy:
+                    description: Whether to allow the object to be deleted by removing
+                      any legal hold on any object version. Default is false. This
+                      value should be set to true only if the bucket has S3 object
+                      lock enabled.
+                    type: boolean
                   id:
                     description: key of the resource supplied above
                     type: string
+                  key:
+                    description: Name of the object once it is in the bucket.
+                    type: string
+                  kmsKeyId:
+                    description: ARN of the KMS Key to use for object encryption.
+                      If the S3 Bucket has server-side encryption enabled, that value
+                      will automatically be used. If referencing the aws_kms_key resource,
+                      use the arn attribute. If referencing the aws_kms_alias data
+                      source or resource, use the target_key_arn attribute.
+                    type: string
+                  metadata:
+                    additionalProperties:
+                      type: string
+                    description: Map of keys/values to provision metadata (will be
+                      automatically prefixed by x-amz-meta-, note that only lowercase
+                      label are currently supported by the AWS Go API).
+                    type: object
+                  objectLockLegalHoldStatus:
+                    description: Legal hold status that you want to apply to the specified
+                      object. Valid values are ON and OFF.
+                    type: string
+                  objectLockMode:
+                    description: Object lock retention mode that you want to apply
+                      to this object. Valid values are GOVERNANCE and COMPLIANCE.
+                    type: string
+                  objectLockRetainUntilDate:
+                    description: Date and time, in RFC3339 format, when this object's
+                      object lock will expire.
+                    type: string
+                  serverSideEncryption:
+                    description: Server-side encryption of the object in S3. Valid
+                      values are "AES256" and "aws:kms".
+                    type: string
+                  source:
+                    description: Path to a file that will be read and uploaded as
+                      raw bytes for the object content.
+                    type: string
+                  sourceHash:
+                    description: Triggers updates like etag but useful to address
+                      etag encryption limitations.11.12 or later). (The value is only
+                      stored in state and not saved by AWS.)
+                    type: string
+                  storageClass:
+                    description: Storage Class for the object. Defaults to "STANDARD".
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -520,6 +651,9 @@ spec:
                     description: Unique version ID value for the object, if bucket
                       versioning is enabled.
                     type: string
+                  websiteRedirect:
+                    description: Target URL for website redirect.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3control.aws.upbound.io_accesspointpolicies.yaml b/package/crds/s3control.aws.upbound.io_accesspointpolicies.yaml
index 6de95dd710..aa7803a438 100644
--- a/package/crds/s3control.aws.upbound.io_accesspointpolicies.yaml
+++ b/package/crds/s3control.aws.upbound.io_accesspointpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,9 +156,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -326,11 +344,18 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: AccessPointPolicyStatus defines the observed state of AccessPointPolicy.
             properties:
               atProvider:
                 properties:
+                  accessPointArn:
+                    description: The ARN of the access point that you want to associate
+                      with the specified policy.
+                    type: string
                   hasPublicAccessPolicy:
                     description: Indicates whether this access point currently has
                       a policy that allows public access.
@@ -339,6 +364,10 @@ spec:
                     description: The AWS account ID and access point name separated
                       by a colon (:).
                     type: string
+                  policy:
+                    description: The policy that you want to apply to the specified
+                      access point.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3control.aws.upbound.io_accesspoints.yaml b/package/crds/s3control.aws.upbound.io_accesspoints.yaml
index 01d04093ed..39c5ed0aa3 100644
--- a/package/crds/s3control.aws.upbound.io_accesspoints.yaml
+++ b/package/crds/s3control.aws.upbound.io_accesspoints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -291,9 +295,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -465,17 +483,33 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: AccessPointStatus defines the observed state of AccessPoint.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: AWS account ID for the owner of the bucket for which
+                      you want to create an access point.
+                    type: string
                   alias:
                     description: Alias of the S3 Access Point.
                     type: string
                   arn:
                     description: ARN of the S3 Access Point.
                     type: string
+                  bucket:
+                    description: Name of an AWS Partition S3 Bucket or the ARN of
+                      S3 on Outposts Bucket that you want to associate this access
+                      point with.
+                    type: string
+                  bucketAccountId:
+                    description: AWS account ID associated with the S3 bucket associated
+                      with this access point.
+                    type: string
                   domainName:
                     description: 'DNS domain name of the S3 Access Point in the format
                       name-account_id.s3-accesspoint.region.amazonaws.com. Note: S3
@@ -496,6 +530,9 @@ spec:
                       AWS account ID and access point name separated by a colon (:).
                       For S3 on Outposts Bucket, the ARN of the Access Point.
                     type: string
+                  name:
+                    description: Name you want to assign to this access point.
+                    type: string
                   networkOrigin:
                     description: Indicates whether this access point allows access
                       from the public Internet. Values are VPC (the access point doesn't
@@ -503,6 +540,63 @@ spec:
                       point allows access from the public Internet, subject to the
                       access point and bucket access policies).
                     type: string
+                  policy:
+                    description: Valid JSON document that specifies the policy that
+                      you want to apply to this access point. Removing policy from
+                      your configuration or setting policy to null or an empty string
+                      (i.e., policy = "") will not delete the policy since it could
+                      have been set by aws_s3control_access_point_policy. To remove
+                      the policy, set it to "{}" (an empty JSON document).
+                    type: string
+                  publicAccessBlockConfiguration:
+                    description: Configuration block to manage the PublicAccessBlock
+                      configuration that you want to apply to this Amazon S3 bucket.
+                      You can enable the configuration options in any combination.
+                      Detailed below.
+                    items:
+                      properties:
+                        blockPublicAcls:
+                          description: 'Whether Amazon S3 should block public ACLs
+                            for buckets in this account. Defaults to true. Enabling
+                            this setting does not affect existing policies or ACLs.
+                            When set to true causes the following behavior:'
+                          type: boolean
+                        blockPublicPolicy:
+                          description: 'Whether Amazon S3 should block public bucket
+                            policies for buckets in this account. Defaults to true.
+                            Enabling this setting does not affect existing bucket
+                            policies. When set to true causes Amazon S3 to:'
+                          type: boolean
+                        ignorePublicAcls:
+                          description: 'Whether Amazon S3 should ignore public ACLs
+                            for buckets in this account. Defaults to true. Enabling
+                            this setting does not affect the persistence of any existing
+                            ACLs and doesn''t prevent new public ACLs from being set.
+                            When set to true causes Amazon S3 to:'
+                          type: boolean
+                        restrictPublicBuckets:
+                          description: 'Whether Amazon S3 should restrict public bucket
+                            policies for buckets in this account. Defaults to true.
+                            Enabling this setting does not affect previously stored
+                            bucket policies, except that public and cross-account
+                            access within any public bucket policy, including non-public
+                            delegation to specific accounts, is blocked. When set
+                            to true:'
+                          type: boolean
+                      type: object
+                    type: array
+                  vpcConfiguration:
+                    description: Configuration block to restrict access to this access
+                      point to requests from the specified Virtual Private Cloud (VPC).
+                      Required for S3 on Outposts. Detailed below.
+                    items:
+                      properties:
+                        vpcId:
+                          description: This access point will only allow connections
+                            from the specified VPC ID.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3control.aws.upbound.io_accountpublicaccessblocks.yaml b/package/crds/s3control.aws.upbound.io_accountpublicaccessblocks.yaml
index 3bfc51864c..b70d261939 100644
--- a/package/crds/s3control.aws.upbound.io_accountpublicaccessblocks.yaml
+++ b/package/crds/s3control.aws.upbound.io_accountpublicaccessblocks.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -102,6 +106,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -279,9 +298,39 @@ spec:
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: AWS account ID to configure.
+                    type: string
+                  blockPublicAcls:
+                    description: 'Whether Amazon S3 should block public ACLs for buckets
+                      in this account. Defaults to false. Enabling this setting does
+                      not affect existing policies or ACLs. When set to true causes
+                      the following behavior:'
+                    type: boolean
+                  blockPublicPolicy:
+                    description: 'Whether Amazon S3 should block public bucket policies
+                      for buckets in this account. Defaults to false. Enabling this
+                      setting does not affect existing bucket policies. When set to
+                      true causes Amazon S3 to:'
+                    type: boolean
                   id:
                     description: AWS account ID
                     type: string
+                  ignorePublicAcls:
+                    description: 'Whether Amazon S3 should ignore public ACLs for
+                      buckets in this account. Defaults to false. Enabling this setting
+                      does not affect the persistence of any existing ACLs and doesn''t
+                      prevent new public ACLs from being set. When set to true causes
+                      Amazon S3 to:'
+                    type: boolean
+                  restrictPublicBuckets:
+                    description: 'Whether Amazon S3 should restrict public bucket
+                      policies for buckets in this account. Defaults to false. Enabling
+                      this setting does not affect previously stored bucket policies,
+                      except that public and cross-account access within any public
+                      bucket policy, including non-public delegation to specific accounts,
+                      is blocked. When set to true:'
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3control.aws.upbound.io_multiregionaccesspointpolicies.yaml b/package/crds/s3control.aws.upbound.io_multiregionaccesspointpolicies.yaml
index 25e540f463..4612a9e320 100644
--- a/package/crds/s3control.aws.upbound.io_multiregionaccesspointpolicies.yaml
+++ b/package/crds/s3control.aws.upbound.io_multiregionaccesspointpolicies.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -96,9 +100,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - details
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,12 +288,37 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: details is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.details)
           status:
             description: MultiRegionAccessPointPolicyStatus defines the observed state
               of MultiRegionAccessPointPolicy.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The AWS account ID for the owner of the Multi-Region
+                      Access Point.
+                    type: string
+                  details:
+                    description: A configuration block containing details about the
+                      policy for the Multi-Region Access Point. See Details Configuration
+                      Block below for more details
+                    items:
+                      properties:
+                        name:
+                          description: The name of the Multi-Region Access Point.
+                          type: string
+                        policy:
+                          description: A valid JSON document that specifies the policy
+                            that you want to associate with this Multi-Region Access
+                            Point. Once applied, the policy can be edited, but not
+                            deleted. For more information, see the documentation on
+                            Multi-Region Access Point Permissions.
+                          type: string
+                      type: object
+                    type: array
                   established:
                     description: The last established policy for the Multi-Region
                       Access Point.
diff --git a/package/crds/s3control.aws.upbound.io_multiregionaccesspoints.yaml b/package/crds/s3control.aws.upbound.io_multiregionaccesspoints.yaml
index ade93c8382..df1bcc04b0 100644
--- a/package/crds/s3control.aws.upbound.io_multiregionaccesspoints.yaml
+++ b/package/crds/s3control.aws.upbound.io_multiregionaccesspoints.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -222,9 +226,23 @@ spec:
                       resource to be created in.
                     type: string
                 required:
-                - details
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -396,12 +414,19 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: details is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.details)
           status:
             description: MultiRegionAccessPointStatus defines the observed state of
               MultiRegionAccessPoint.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The AWS account ID for the owner of the buckets for
+                      which you want to create a Multi-Region Access Point.
+                    type: string
                   alias:
                     description: The alias for the Multi-Region Access Point.
                     type: string
@@ -409,6 +434,69 @@ spec:
                     description: Amazon Resource Name (ARN) of the Multi-Region Access
                       Point.
                     type: string
+                  details:
+                    description: A configuration block containing details about the
+                      Multi-Region Access Point. See Details Configuration Block below
+                      for more details
+                    items:
+                      properties:
+                        name:
+                          description: The name of the Multi-Region Access Point.
+                          type: string
+                        publicAccessBlock:
+                          description: Configuration block to manage the PublicAccessBlock
+                            configuration that you want to apply to this Multi-Region
+                            Access Point. You can enable the configuration options
+                            in any combination. See Public Access Block Configuration
+                            below for more details.
+                          items:
+                            properties:
+                              blockPublicAcls:
+                                description: 'Whether Amazon S3 should block public
+                                  ACLs for buckets in this account. Defaults to true.
+                                  Enabling this setting does not affect existing policies
+                                  or ACLs. When set to true causes the following behavior:'
+                                type: boolean
+                              blockPublicPolicy:
+                                description: 'Whether Amazon S3 should block public
+                                  bucket policies for buckets in this account. Defaults
+                                  to true. Enabling this setting does not affect existing
+                                  bucket policies. When set to true causes Amazon
+                                  S3 to:'
+                                type: boolean
+                              ignorePublicAcls:
+                                description: 'Whether Amazon S3 should ignore public
+                                  ACLs for buckets in this account. Defaults to true.
+                                  Enabling this setting does not affect the persistence
+                                  of any existing ACLs and doesn''t prevent new public
+                                  ACLs from being set. When set to true causes Amazon
+                                  S3 to:'
+                                type: boolean
+                              restrictPublicBuckets:
+                                description: 'Whether Amazon S3 should restrict public
+                                  bucket policies for buckets in this account. Defaults
+                                  to true. Enabling this setting does not affect previously
+                                  stored bucket policies, except that public and cross-account
+                                  access within any public bucket policy, including
+                                  non-public delegation to specific accounts, is blocked.
+                                  When set to true:'
+                                type: boolean
+                            type: object
+                          type: array
+                        region:
+                          description: The Region configuration block to specify the
+                            bucket associated with the Multi-Region Access Point.
+                            See Region Configuration below for more details.
+                          items:
+                            properties:
+                              bucket:
+                                description: The name of the associated bucket for
+                                  the Region.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   domainName:
                     description: The DNS domain name of the S3 Multi-Region Access
                       Point in the format alias.accesspoint.s3-global.amazonaws.com.
diff --git a/package/crds/s3control.aws.upbound.io_objectlambdaaccesspointpolicies.yaml b/package/crds/s3control.aws.upbound.io_objectlambdaaccesspointpolicies.yaml
index 87c6826bbf..fafb4c4fce 100644
--- a/package/crds/s3control.aws.upbound.io_objectlambdaaccesspointpolicies.yaml
+++ b/package/crds/s3control.aws.upbound.io_objectlambdaaccesspointpolicies.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,9 +160,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -330,12 +348,19 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: ObjectLambdaAccessPointPolicyStatus defines the observed
               state of ObjectLambdaAccessPointPolicy.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The AWS account ID for the account that owns the
+                      Object Lambda Access Point.
+                    type: string
                   hasPublicAccessPolicy:
                     description: Indicates whether this access point currently has
                       a policy that allows public access.
@@ -344,6 +369,12 @@ spec:
                     description: The AWS account ID and access point name separated
                       by a colon (:).
                     type: string
+                  name:
+                    description: The name of the Object Lambda Access Point.
+                    type: string
+                  policy:
+                    description: The Object Lambda Access Point resource policy document.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3control.aws.upbound.io_objectlambdaaccesspoints.yaml b/package/crds/s3control.aws.upbound.io_objectlambdaaccesspoints.yaml
index 5ee69040a4..2d3757d869 100644
--- a/package/crds/s3control.aws.upbound.io_objectlambdaaccesspoints.yaml
+++ b/package/crds/s3control.aws.upbound.io_objectlambdaaccesspoints.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -312,10 +316,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - configuration
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -487,20 +504,92 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: configuration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.configuration)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ObjectLambdaAccessPointStatus defines the observed state
               of ObjectLambdaAccessPoint.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The AWS account ID for the owner of the bucket for
+                      which you want to create an Object Lambda Access Point.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of the Object Lambda Access
                       Point.
                     type: string
+                  configuration:
+                    description: A configuration block containing details about the
+                      Object Lambda Access Point. See Configuration below for more
+                      details.
+                    items:
+                      properties:
+                        allowedFeatures:
+                          description: 'Allowed features. Valid values: GetObject-Range,
+                            GetObject-PartNumber.'
+                          items:
+                            type: string
+                          type: array
+                        cloudWatchMetricsEnabled:
+                          description: Whether or not the CloudWatch metrics configuration
+                            is enabled.
+                          type: boolean
+                        supportingAccessPoint:
+                          description: Standard access point associated with the Object
+                            Lambda Access Point.
+                          type: string
+                        transformationConfiguration:
+                          description: List of transformation configurations for the
+                            Object Lambda Access Point. See Transformation Configuration
+                            below for more details.
+                          items:
+                            properties:
+                              actions:
+                                description: 'The actions of an Object Lambda Access
+                                  Point configuration. Valid values: GetObject.'
+                                items:
+                                  type: string
+                                type: array
+                              contentTransformation:
+                                description: The content transformation of an Object
+                                  Lambda Access Point configuration. See Content Transformation
+                                  below for more details.
+                                items:
+                                  properties:
+                                    awsLambda:
+                                      description: Configuration for an AWS Lambda
+                                        function. See AWS Lambda below for more details.
+                                      items:
+                                        properties:
+                                          functionArn:
+                                            description: The Amazon Resource Name
+                                              (ARN) of the AWS Lambda function.
+                                            type: string
+                                          functionPayload:
+                                            description: Additional JSON that provides
+                                              supplemental data to the Lambda function
+                                              used to transform objects.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: The AWS account ID and access point name separated
                       by a colon (:).
                     type: string
+                  name:
+                    description: The name for this Object Lambda Access Point.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/s3control.aws.upbound.io_storagelensconfigurations.yaml b/package/crds/s3control.aws.upbound.io_storagelensconfigurations.yaml
index ac08a66ff8..a08a0f3304 100644
--- a/package/crds/s3control.aws.upbound.io_storagelensconfigurations.yaml
+++ b/package/crds/s3control.aws.upbound.io_storagelensconfigurations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -460,10 +464,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - configId
                 - region
-                - storageLensConfiguration
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -635,18 +652,312 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: configId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.configId)
+            - message: storageLensConfiguration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.storageLensConfiguration)
           status:
             description: StorageLensConfigurationStatus defines the observed state
               of StorageLensConfiguration.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The AWS account ID for the S3 Storage Lens configuration.
+                    type: string
                   arn:
                     description: Amazon Resource Name (ARN) of the S3 Storage Lens
                       configuration.
                     type: string
+                  configId:
+                    description: The ID of the S3 Storage Lens configuration.
+                    type: string
                   id:
                     type: string
+                  storageLensConfiguration:
+                    description: The S3 Storage Lens configuration. See Storage Lens
+                      Configuration below for more details.
+                    items:
+                      properties:
+                        accountLevel:
+                          description: level configurations of the S3 Storage Lens
+                            configuration. See Account Level below for more details.
+                          items:
+                            properties:
+                              activityMetrics:
+                                description: S3 Storage Lens activity metrics. See
+                                  Activity Metrics below for more details.
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: Whether the activity metrics are
+                                        enabled.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              advancedCostOptimizationMetrics:
+                                description: optimization metrics for S3 Storage Lens.
+                                  See Advanced Cost-Optimization Metrics below for
+                                  more details.
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: Whether the S3 Storage Lens configuration
+                                        is enabled.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              advancedDataProtectionMetrics:
+                                description: protection metrics for S3 Storage Lens.
+                                  See Advanced Data-Protection Metrics below for more
+                                  details.
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: Whether the S3 Storage Lens configuration
+                                        is enabled.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              bucketLevel:
+                                description: level configuration. See Bucket Level
+                                  below for more details.
+                                items:
+                                  properties:
+                                    activityMetrics:
+                                      description: S3 Storage Lens activity metrics.
+                                        See Activity Metrics below for more details.
+                                      items:
+                                        properties:
+                                          enabled:
+                                            description: Whether the S3 Storage Lens
+                                              configuration is enabled.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    advancedCostOptimizationMetrics:
+                                      description: optimization metrics for S3 Storage
+                                        Lens. See Advanced Cost-Optimization Metrics
+                                        below for more details.
+                                      items:
+                                        properties:
+                                          enabled:
+                                            description: Whether the S3 Storage Lens
+                                              configuration is enabled.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    advancedDataProtectionMetrics:
+                                      description: protection metrics for S3 Storage
+                                        Lens. See Advanced Data-Protection Metrics
+                                        below for more details.
+                                      items:
+                                        properties:
+                                          enabled:
+                                            description: Whether the S3 Storage Lens
+                                              configuration is enabled.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    detailedStatusCodeMetrics:
+                                      description: Detailed status code metrics for
+                                        S3 Storage Lens. See Detailed Status Code
+                                        Metrics below for more details.
+                                      items:
+                                        properties:
+                                          enabled:
+                                            description: Whether the S3 Storage Lens
+                                              configuration is enabled.
+                                            type: boolean
+                                        type: object
+                                      type: array
+                                    prefixLevel:
+                                      description: level metrics for S3 Storage Lens.
+                                        See Prefix Level below for more details.
+                                      items:
+                                        properties:
+                                          storageMetrics:
+                                            description: level storage metrics for
+                                              S3 Storage Lens. See Prefix Level Storage
+                                              Metrics below for more details.
+                                            items:
+                                              properties:
+                                                enabled:
+                                                  description: Whether the S3 Storage
+                                                    Lens configuration is enabled.
+                                                  type: boolean
+                                                selectionCriteria:
+                                                  description: Selection criteria.
+                                                    See Selection Criteria below for
+                                                    more details.
+                                                  items:
+                                                    properties:
+                                                      delimiter:
+                                                        description: The delimiter
+                                                          of the selection criteria
+                                                          being used.
+                                                        type: string
+                                                      maxDepth:
+                                                        description: The max depth
+                                                          of the selection criteria.
+                                                        type: number
+                                                      minStorageBytesPercentage:
+                                                        description: The minimum number
+                                                          of storage bytes percentage
+                                                          whose metrics will be selected.
+                                                        type: number
+                                                    type: object
+                                                  type: array
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              detailedStatusCodeMetrics:
+                                description: Detailed status code metrics for S3 Storage
+                                  Lens. See Detailed Status Code Metrics below for
+                                  more details.
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: Whether the S3 Storage Lens configuration
+                                        is enabled.
+                                      type: boolean
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        awsOrg:
+                          description: The Amazon Web Services organization for the
+                            S3 Storage Lens configuration. See AWS Org below for more
+                            details.
+                          items:
+                            properties:
+                              arn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  bucket.
+                                type: string
+                            type: object
+                          type: array
+                        dataExport:
+                          description: Properties of S3 Storage Lens metrics export
+                            including the destination, schema and format. See Data
+                            Export below for more details.
+                          items:
+                            properties:
+                              cloudWatchMetrics:
+                                description: Amazon CloudWatch publishing for S3 Storage
+                                  Lens metrics. See Cloud Watch Metrics below for
+                                  more details.
+                                items:
+                                  properties:
+                                    enabled:
+                                      description: Whether the S3 Storage Lens configuration
+                                        is enabled.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              s3BucketDestination:
+                                description: The bucket where the S3 Storage Lens
+                                  metrics export will be located. See S3 Bucket Destination
+                                  below for more details.
+                                items:
+                                  properties:
+                                    accountId:
+                                      description: The account ID of the owner of
+                                        the S3 Storage Lens metrics export bucket.
+                                      type: string
+                                    arn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the bucket.
+                                      type: string
+                                    encryption:
+                                      description: Encryption of the metrics exports
+                                        in this bucket. See Encryption below for more
+                                        details.
+                                      items:
+                                        properties:
+                                          sseKms:
+                                            description: KMS encryption. See SSE KMS
+                                              below for more details.
+                                            items:
+                                              properties:
+                                                keyId:
+                                                  description: KMS key ARN.
+                                                  type: string
+                                              type: object
+                                            type: array
+                                          sseS3:
+                                            description: S3 encryption. An empty configuration
+                                              block {} should be used.
+                                            items:
+                                              type: object
+                                            type: array
+                                        type: object
+                                      type: array
+                                    format:
+                                      description: 'The export format. Valid values:
+                                        CSV, Parquet.'
+                                      type: string
+                                    outputSchemaVersion:
+                                      description: 'The schema version of the export
+                                        file. Valid values: V_1.'
+                                      type: string
+                                    prefix:
+                                      description: The prefix of the destination bucket
+                                        where the metrics export will be delivered.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        enabled:
+                          description: Whether the S3 Storage Lens configuration is
+                            enabled.
+                          type: boolean
+                        exclude:
+                          description: What is excluded in this configuration. Conflicts
+                            with include. See Exclude below for more details.
+                          items:
+                            properties:
+                              buckets:
+                                description: List of S3 bucket ARNs.
+                                items:
+                                  type: string
+                                type: array
+                              regions:
+                                description: List of AWS Regions.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        include:
+                          description: What is included in this configuration. Conflicts
+                            with exclude. See Include below for more details.
+                          items:
+                            properties:
+                              buckets:
+                                description: List of S3 bucket ARNs.
+                                items:
+                                  type: string
+                                type: array
+                              regions:
+                                description: List of AWS Regions.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_appimageconfigs.yaml b/package/crds/sagemaker.aws.upbound.io_appimageconfigs.yaml
index 961aac1ca5..b4d819fd1b 100644
--- a/package/crds/sagemaker.aws.upbound.io_appimageconfigs.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_appimageconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -123,6 +127,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -306,6 +325,54 @@ spec:
                   id:
                     description: The name of the App Image Config.
                     type: string
+                  kernelGatewayImageConfig:
+                    description: The configuration for the file system and kernels
+                      in a SageMaker image running as a KernelGateway app. See Kernel
+                      Gateway Image Config details below.
+                    items:
+                      properties:
+                        fileSystemConfig:
+                          description: The URL where the Git repository is located.
+                            See File System Config details below.
+                          items:
+                            properties:
+                              defaultGid:
+                                description: The default POSIX group ID (GID). If
+                                  not specified, defaults to 100. Valid values are
+                                  0 and 100.
+                                type: number
+                              defaultUid:
+                                description: The default POSIX user ID (UID). If not
+                                  specified, defaults to 1000. Valid values are 0
+                                  and 1000.
+                                type: number
+                              mountPath:
+                                description: The path within the image to mount the
+                                  user's EFS home directory. The directory should
+                                  be empty. If not specified, defaults to /home/sagemaker-user.
+                                type: string
+                            type: object
+                          type: array
+                        kernelSpec:
+                          description: The default branch for the Git repository.
+                            See Kernel Spec details below.
+                          items:
+                            properties:
+                              displayName:
+                                description: The display name of the kernel.
+                                type: string
+                              name:
+                                description: The name of the kernel.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_apps.yaml b/package/crds/sagemaker.aws.upbound.io_apps.yaml
index fd7e7200fc..2715217eef 100644
--- a/package/crds/sagemaker.aws.upbound.io_apps.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_apps.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -264,10 +268,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - appName
-                - appType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -439,17 +456,65 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: appName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.appName)
+            - message: appType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.appType)
           status:
             description: AppStatus defines the observed state of App.
             properties:
               atProvider:
                 properties:
+                  appName:
+                    description: The name of the app.
+                    type: string
+                  appType:
+                    description: The type of app. Valid values are JupyterServer,
+                      KernelGateway, RStudioServerPro, RSessionGateway and TensorBoard.
+                    type: string
                   arn:
                     description: The Amazon Resource Name (ARN) of the app.
                     type: string
+                  domainId:
+                    description: The domain ID.
+                    type: string
                   id:
                     description: The Amazon Resource Name (ARN) of the app.
                     type: string
+                  resourceSpec:
+                    description: The instance type and the Amazon Resource Name (ARN)
+                      of the SageMaker image created on the instance.See Resource
+                      Spec below.
+                    items:
+                      properties:
+                        instanceType:
+                          description: The instance type that the image version runs
+                            on. For valid values see SageMaker Instance Types.
+                          type: string
+                        lifecycleConfigArn:
+                          description: The Amazon Resource Name (ARN) of the Lifecycle
+                            Configuration attached to the Resource.
+                          type: string
+                        sagemakerImageArn:
+                          description: The ARN of the SageMaker image that the image
+                            version belongs to.
+                          type: string
+                        sagemakerImageVersionArn:
+                          description: The ARN of the image version created on the
+                            instance.
+                          type: string
+                      type: object
+                    type: array
+                  spaceName:
+                    description: The name of the space. At least on of user_profile_name
+                      or space_name required.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -457,6 +522,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  userProfileName:
+                    description: The user profile name. At least on of user_profile_name
+                      or space_name required.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_coderepositories.yaml b/package/crds/sagemaker.aws.upbound.io_coderepositories.yaml
index 4920bc3e5d..a683e1c9b2 100644
--- a/package/crds/sagemaker.aws.upbound.io_coderepositories.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_coderepositories.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -174,9 +178,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - gitConfig
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -348,6 +366,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: gitConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.gitConfig)
           status:
             description: CodeRepositoryStatus defines the observed state of CodeRepository.
             properties:
@@ -357,9 +378,34 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Code Repository.
                     type: string
+                  gitConfig:
+                    description: Specifies details about the repository. see Git Config
+                      details below.
+                    items:
+                      properties:
+                        branch:
+                          description: The default branch for the Git repository.
+                          type: string
+                        repositoryUrl:
+                          description: The URL where the Git repository is located.
+                          type: string
+                        secretArn:
+                          description: 'The Amazon Resource Name (ARN) of the AWS
+                            Secrets Manager secret that contains the credentials used
+                            to access the git repository. The secret must have a staging
+                            label of AWSCURRENT and must be in the following format:
+                            {"username": UserName, "password": Password}'
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The name of the Code Repository.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_devicefleet.yaml b/package/crds/sagemaker.aws.upbound.io_devicefleet.yaml
index 6b6170e3b6..ebc452fa59 100644
--- a/package/crds/sagemaker.aws.upbound.io_devicefleet.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_devicefleet.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -178,9 +182,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - outputConfig
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -352,6 +370,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: outputConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.outputConfig)
           status:
             description: DeviceFleetStatus defines the observed state of DeviceFleet.
             properties:
@@ -361,11 +382,45 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Device Fleet.
                     type: string
+                  description:
+                    description: A description of the fleet.
+                    type: string
+                  enableIotRoleAlias:
+                    description: 'Whether to create an AWS IoT Role Alias during device
+                      fleet creation. The name of the role alias generated will match
+                      this pattern: "SageMakerEdge-{DeviceFleetName}".'
+                    type: boolean
                   id:
                     description: The name of the Device Fleet.
                     type: string
                   iotRoleAlias:
                     type: string
+                  outputConfig:
+                    description: Specifies details about the repository. see Output
+                      Config details below.
+                    items:
+                      properties:
+                        kmsKeyId:
+                          description: The AWS Key Management Service (AWS KMS) key
+                            that Amazon SageMaker uses to encrypt data on the storage
+                            volume after compilation job. If you don't provide a KMS
+                            key ID, Amazon SageMaker uses the default KMS key for
+                            Amazon S3 for your role's account.
+                          type: string
+                        s3OutputLocation:
+                          description: The Amazon Simple Storage (S3) bucker URI.
+                          type: string
+                      type: object
+                    type: array
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) that has access to
+                      AWS Internet of Things (IoT).
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_devices.yaml b/package/crds/sagemaker.aws.upbound.io_devices.yaml
index 9cc2053ad0..5f81a26479 100644
--- a/package/crds/sagemaker.aws.upbound.io_devices.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_devices.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -166,9 +170,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - device
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,6 +358,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: device is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.device)
           status:
             description: DeviceStatus defines the observed state of Device.
             properties:
@@ -351,6 +372,26 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Device.
                     type: string
+                  device:
+                    description: The device to register with SageMaker Edge Manager.
+                      See Device details below.
+                    items:
+                      properties:
+                        description:
+                          description: A description for the device.
+                          type: string
+                        deviceName:
+                          description: The name of the device.
+                          type: string
+                        iotThingName:
+                          description: Amazon Web Services Internet of Things (IoT)
+                            object name.
+                          type: string
+                      type: object
+                    type: array
+                  deviceFleetName:
+                    description: The name of the Device Fleet.
+                    type: string
                   id:
                     description: The id is constructed from device-fleet-name/device-name.
                     type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_domains.yaml b/package/crds/sagemaker.aws.upbound.io_domains.yaml
index 941edc4bb0..bd44386b00 100644
--- a/package/crds/sagemaker.aws.upbound.io_domains.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_domains.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1002,11 +1006,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - authMode
-                - defaultUserSettings
-                - domainName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1178,15 +1194,444 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: authMode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.authMode)
+            - message: defaultUserSettings is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultUserSettings)
+            - message: domainName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domainName)
           status:
             description: DomainStatus defines the observed state of Domain.
             properties:
               atProvider:
                 properties:
+                  appNetworkAccessType:
+                    description: Specifies the VPC used for non-EFS traffic. The default
+                      value is PublicInternetOnly. Valid values are PublicInternetOnly
+                      and VpcOnly.
+                    type: string
+                  appSecurityGroupManagement:
+                    description: The entity that creates and manages the required
+                      security groups for inter-app communication in VPCOnly mode.
+                      Valid values are Service and Customer.* domain_settings -  The
+                      domain settings. See Domain Settings below.
+                    type: string
                   arn:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Domain.
                     type: string
+                  authMode:
+                    description: The mode of authentication that members use to access
+                      the domain. Valid values are IAM and SSO.
+                    type: string
+                  defaultSpaceSettings:
+                    description: The default space settings. See Default Space Settings
+                      below.
+                    items:
+                      properties:
+                        executionRole:
+                          description: The execution role for the space.
+                          type: string
+                        jupyterServerAppSettings:
+                          description: The Jupyter server's app settings. See Jupyter
+                            Server App Settings below.
+                          items:
+                            properties:
+                              codeRepository:
+                                description: A list of Git repositories that SageMaker
+                                  automatically displays to users for cloning in the
+                                  JupyterServer application. see Code Repository below.
+                                items:
+                                  properties:
+                                    repositoryUrl:
+                                      description: The URL of the Git repository.
+                                      type: string
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type that the image
+                                        version runs on.. For valid values see SageMaker
+                                        Instance Types.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The ARN of the SageMaker image
+                                        that the image version belongs to.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        kernelGatewayAppSettings:
+                          description: The kernel gateway app settings. See Kernel
+                            Gateway App Settings below.
+                          items:
+                            properties:
+                              customImage:
+                                description: A list of custom SageMaker images that
+                                  are configured to run as a KernelGateway app. see
+                                  Custom Image below.
+                                items:
+                                  properties:
+                                    appImageConfigName:
+                                      description: The name of the App Image Config.
+                                      type: string
+                                    imageName:
+                                      description: The name of the Custom Image.
+                                      type: string
+                                    imageVersionNumber:
+                                      description: The version number of the Custom
+                                        Image.
+                                      type: number
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type that the image
+                                        version runs on.. For valid values see SageMaker
+                                        Instance Types.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The ARN of the SageMaker image
+                                        that the image version belongs to.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        securityGroups:
+                          description: The security groups for the Amazon Virtual
+                            Private Cloud that the space uses for communication.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  defaultUserSettings:
+                    description: The default user settings. See Default User Settings
+                      below.* domain_name -  The domain name.
+                    items:
+                      properties:
+                        canvasAppSettings:
+                          description: The Canvas app settings. See Canvas App Settings
+                            below.
+                          items:
+                            properties:
+                              timeSeriesForecastingSettings:
+                                description: Time series forecast settings for the
+                                  Canvas app. see Time Series Forecasting Settings
+                                  below.
+                                items:
+                                  properties:
+                                    amazonForecastRoleArn:
+                                      description: The IAM role that Canvas passes
+                                        to Amazon Forecast for time series forecasting.
+                                        By default, Canvas uses the execution role
+                                        specified in the UserProfile that launches
+                                        the Canvas app. If an execution role is not
+                                        specified in the UserProfile, Canvas uses
+                                        the execution role specified in the Domain
+                                        that owns the UserProfile. To allow time series
+                                        forecasting, this IAM role should have the
+                                        AmazonSageMakerCanvasForecastAccess policy
+                                        attached and forecast.amazonaws.com added
+                                        in the trust relationship as a service principal.
+                                      type: string
+                                    status:
+                                      description: Describes whether time series forecasting
+                                        is enabled or disabled in the Canvas app.
+                                        Valid values are ENABLED and DISABLED.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        executionRole:
+                          description: The execution role ARN for the user.
+                          type: string
+                        jupyterServerAppSettings:
+                          description: The Jupyter server's app settings. See Jupyter
+                            Server App Settings below.
+                          items:
+                            properties:
+                              codeRepository:
+                                description: A list of Git repositories that SageMaker
+                                  automatically displays to users for cloning in the
+                                  JupyterServer application. see Code Repository below.
+                                items:
+                                  properties:
+                                    repositoryUrl:
+                                      description: The URL of the Git repository.
+                                      type: string
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type that the image
+                                        version runs on.. For valid values see SageMaker
+                                        Instance Types.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The ARN of the SageMaker image
+                                        that the image version belongs to.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        kernelGatewayAppSettings:
+                          description: The kernel gateway app settings. See Kernel
+                            Gateway App Settings below.
+                          items:
+                            properties:
+                              customImage:
+                                description: A list of custom SageMaker images that
+                                  are configured to run as a KernelGateway app. see
+                                  Custom Image below.
+                                items:
+                                  properties:
+                                    appImageConfigName:
+                                      description: The name of the App Image Config.
+                                      type: string
+                                    imageName:
+                                      description: The name of the Custom Image.
+                                      type: string
+                                    imageVersionNumber:
+                                      description: The version number of the Custom
+                                        Image.
+                                      type: number
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type that the image
+                                        version runs on.. For valid values see SageMaker
+                                        Instance Types.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The ARN of the SageMaker image
+                                        that the image version belongs to.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        rSessionAppSettings:
+                          description: The RSession app settings. See RSession App
+                            Settings below.
+                          items:
+                            properties:
+                              customImage:
+                                description: A list of custom SageMaker images that
+                                  are configured to run as a KernelGateway app. see
+                                  Custom Image below.
+                                items:
+                                  properties:
+                                    appImageConfigName:
+                                      description: The name of the App Image Config.
+                                      type: string
+                                    imageName:
+                                      description: The name of the Custom Image.
+                                      type: string
+                                    imageVersionNumber:
+                                      description: The version number of the Custom
+                                        Image.
+                                      type: number
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type that the image
+                                        version runs on.. For valid values see SageMaker
+                                        Instance Types.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The ARN of the SageMaker image
+                                        that the image version belongs to.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        securityGroups:
+                          description: A list of security group IDs that will be attached
+                            to the user.
+                          items:
+                            type: string
+                          type: array
+                        sharingSettings:
+                          description: The sharing settings. See Sharing Settings
+                            below.
+                          items:
+                            properties:
+                              notebookOutputOption:
+                                description: Whether to include the notebook cell
+                                  output when sharing the notebook. The default is
+                                  Disabled. Valid values are Allowed and Disabled.
+                                type: string
+                              s3KmsKeyId:
+                                description: When notebook_output_option is Allowed,
+                                  the AWS Key Management Service (KMS) encryption
+                                  key ID used to encrypt the notebook cell output
+                                  in the Amazon S3 bucket.
+                                type: string
+                              s3OutputPath:
+                                description: When notebook_output_option is Allowed,
+                                  the Amazon S3 bucket used to save the notebook cell
+                                  output.
+                                type: string
+                            type: object
+                          type: array
+                        tensorBoardAppSettings:
+                          description: The TensorBoard app settings. See TensorBoard
+                            App Settings below.
+                          items:
+                            properties:
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type that the image
+                                        version runs on.. For valid values see SageMaker
+                                        Instance Types.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The ARN of the SageMaker image
+                                        that the image version belongs to.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  domainName:
+                    type: string
+                  domainSettings:
+                    description: The domain's settings.
+                    items:
+                      properties:
+                        executionRoleIdentityConfig:
+                          description: The configuration for attaching a SageMaker
+                            user profile name to the execution role as a sts:SourceIdentity
+                            key AWS Docs. Valid values are USER_PROFILE_NAME and DISABLED.
+                          type: string
+                        securityGroupIds:
+                          description: The security groups for the Amazon Virtual
+                            Private Cloud that the Domain uses for communication between
+                            Domain-level apps and user apps.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   homeEfsFileSystemId:
                     description: The ID of the Amazon Elastic File System (EFS) managed
                       by this Domain.
@@ -1194,6 +1639,24 @@ spec:
                   id:
                     description: The ID of the Domain.
                     type: string
+                  kmsKeyId:
+                    description: The AWS KMS customer managed CMK used to encrypt
+                      the EFS volume attached to the domain.
+                    type: string
+                  retentionPolicy:
+                    description: The retention policy for this domain, which specifies
+                      whether resources will be retained after the Domain is deleted.
+                      By default, all resources are retained. See Retention Policy
+                      below.
+                    items:
+                      properties:
+                        homeEfsFileSystem:
+                          description: The retention policy for data stored on an
+                            Amazon Elastic File System (EFS) volume. Valid values
+                            are Retain or Delete.  Default value is Retain.
+                          type: string
+                      type: object
+                    type: array
                   securityGroupIdForDomainBoundary:
                     description: The ID of the security group that authorizes traffic
                       between the RSessionGateway apps and the RStudioServerPro app.
@@ -1201,6 +1664,16 @@ spec:
                   singleSignOnManagedApplicationInstanceId:
                     description: The SSO managed application instance ID.
                     type: string
+                  subnetIds:
+                    description: The VPC subnets that Studio uses for communication.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -1211,6 +1684,10 @@ spec:
                   url:
                     description: The domain's URL.
                     type: string
+                  vpcId:
+                    description: The ID of the Amazon Virtual Private Cloud (VPC)
+                      that Studio uses for communication.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_endpointconfigurations.yaml b/package/crds/sagemaker.aws.upbound.io_endpointconfigurations.yaml
index ad5736966e..dbda22a2a0 100644
--- a/package/crds/sagemaker.aws.upbound.io_endpointconfigurations.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_endpointconfigurations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -528,9 +532,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - productionVariants
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -702,6 +720,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: productionVariants is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.productionVariants)
           status:
             description: EndpointConfigurationStatus defines the observed state of
               EndpointConfiguration.
@@ -712,8 +733,293 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this endpoint configuration.
                     type: string
+                  asyncInferenceConfig:
+                    description: Specifies configuration for how an endpoint performs
+                      asynchronous inference.
+                    items:
+                      properties:
+                        clientConfig:
+                          description: Configures the behavior of the client used
+                            by Amazon SageMaker to interact with the model container
+                            during asynchronous inference.
+                          items:
+                            properties:
+                              maxConcurrentInvocationsPerInstance:
+                                description: The maximum number of concurrent requests
+                                  sent by the SageMaker client to the model container.
+                                  If no value is provided, Amazon SageMaker will choose
+                                  an optimal value for you.
+                                type: number
+                            type: object
+                          type: array
+                        outputConfig:
+                          description: Specifies the configuration for asynchronous
+                            inference invocation outputs.
+                          items:
+                            properties:
+                              kmsKeyId:
+                                description: The Amazon Web Services Key Management
+                                  Service (Amazon Web Services KMS) key that Amazon
+                                  SageMaker uses to encrypt the asynchronous inference
+                                  output in Amazon S3.
+                                type: string
+                              notificationConfig:
+                                description: Specifies the configuration for notifications
+                                  of inference results for asynchronous inference.
+                                items:
+                                  properties:
+                                    errorTopic:
+                                      description: Amazon SNS topic to post a notification
+                                        to when inference fails. If no topic is provided,
+                                        no notification is sent on failure.
+                                      type: string
+                                    successTopic:
+                                      description: Amazon SNS topic to post a notification
+                                        to when inference completes successfully.
+                                        If no topic is provided, no notification is
+                                        sent on success.
+                                      type: string
+                                  type: object
+                                type: array
+                              s3OutputPath:
+                                description: The Amazon S3 location to upload inference
+                                  responses to.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  dataCaptureConfig:
+                    description: Specifies the parameters to capture input/output
+                      of SageMaker models endpoints. Fields are documented below.
+                    items:
+                      properties:
+                        captureContentTypeHeader:
+                          description: The content type headers to capture. Fields
+                            are documented below.
+                          items:
+                            properties:
+                              csvContentTypes:
+                                description: The CSV content type headers to capture.
+                                items:
+                                  type: string
+                                type: array
+                              jsonContentTypes:
+                                description: The JSON content type headers to capture.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        captureOptions:
+                          description: Specifies what data to capture. Fields are
+                            documented below.
+                          items:
+                            properties:
+                              captureMode:
+                                description: Specifies the data to be captured. Should
+                                  be one of Input or Output.
+                                type: string
+                            type: object
+                          type: array
+                        destinationS3Uri:
+                          description: The URL for S3 location where the captured
+                            data is stored.
+                          type: string
+                        enableCapture:
+                          description: Flag to enable data capture. Defaults to false.
+                          type: boolean
+                        initialSamplingPercentage:
+                          description: Portion of data to capture. Should be between
+                            0 and 100.
+                          type: number
+                        kmsKeyId:
+                          description: Amazon Resource Name (ARN) of a AWS Key Management
+                            Service key that Amazon SageMaker uses to encrypt the
+                            captured data on Amazon S3.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  kmsKeyArn:
+                    description: Amazon Resource Name (ARN) of a AWS Key Management
+                      Service key that Amazon SageMaker uses to encrypt data on the
+                      storage volume attached to the ML compute instance that hosts
+                      the endpoint.
+                    type: string
+                  productionVariants:
+                    description: An list of ProductionVariant objects, one for each
+                      model that you want to host at this endpoint. Fields are documented
+                      below.
+                    items:
+                      properties:
+                        acceleratorType:
+                          description: The size of the Elastic Inference (EI) instance
+                            to use for the production variant.
+                          type: string
+                        containerStartupHealthCheckTimeoutInSeconds:
+                          description: The timeout value, in seconds, for your inference
+                            container to pass health check by SageMaker Hosting. For
+                            more information about health check, see How Your Container
+                            Should Respond to Health Check (Ping) Requests. Valid
+                            values between 60 and 3600.
+                          type: number
+                        coreDumpConfig:
+                          description: Specifies configuration for a core dump from
+                            the model container when the process crashes. Fields are
+                            documented below.
+                          items:
+                            properties:
+                              destinationS3Uri:
+                                description: The Amazon S3 bucket to send the core
+                                  dump to.
+                                type: string
+                              kmsKeyId:
+                                description: The Amazon Web Services Key Management
+                                  Service (Amazon Web Services KMS) key that SageMaker
+                                  uses to encrypt the core dump data at rest using
+                                  Amazon S3 server-side encryption.
+                                type: string
+                            type: object
+                          type: array
+                        initialInstanceCount:
+                          description: Initial number of instances used for auto-scaling.
+                          type: number
+                        initialVariantWeight:
+                          description: Determines initial traffic distribution among
+                            all of the models that you specify in the endpoint configuration.
+                            If unspecified, it defaults to 1.0.
+                          type: number
+                        instanceType:
+                          description: The type of instance to start.
+                          type: string
+                        modelDataDownloadTimeoutInSeconds:
+                          description: The timeout value, in seconds, to download
+                            and extract the model that you want to host from Amazon
+                            S3 to the individual inference instance associated with
+                            this production variant. Valid values between 60 and 3600.
+                          type: number
+                        modelName:
+                          description: The name of the model to use.
+                          type: string
+                        serverlessConfig:
+                          description: Specifies configuration for how an endpoint
+                            performs asynchronous inference.
+                          items:
+                            properties:
+                              maxConcurrency:
+                                description: The maximum number of concurrent invocations
+                                  your serverless endpoint can process. Valid values
+                                  are between 1 and 200.
+                                type: number
+                              memorySizeInMb:
+                                description: 'The memory size of your serverless endpoint.
+                                  Valid values are in 1 GB increments: 1024 MB, 2048
+                                  MB, 3072 MB, 4096 MB, 5120 MB, or 6144 MB.'
+                                type: number
+                            type: object
+                          type: array
+                        variantName:
+                          description: The name of the variant.
+                          type: string
+                        volumeSizeInGb:
+                          description: The size, in GB, of the ML storage volume attached
+                            to individual inference instance associated with the production
+                            variant. Valid values between 1 and 512.
+                          type: number
+                      type: object
+                    type: array
+                  shadowProductionVariants:
+                    description: Array of ProductionVariant objects. There is one
+                      for each model that you want to host at this endpoint in shadow
+                      mode with production traffic replicated from the model specified
+                      on ProductionVariants.If you use this field, you can only specify
+                      one variant for ProductionVariants and one variant for ShadowProductionVariants.
+                      Fields are documented below.
+                    items:
+                      properties:
+                        acceleratorType:
+                          description: The size of the Elastic Inference (EI) instance
+                            to use for the production variant.
+                          type: string
+                        containerStartupHealthCheckTimeoutInSeconds:
+                          description: The timeout value, in seconds, for your inference
+                            container to pass health check by SageMaker Hosting. For
+                            more information about health check, see How Your Container
+                            Should Respond to Health Check (Ping) Requests. Valid
+                            values between 60 and 3600.
+                          type: number
+                        coreDumpConfig:
+                          description: Specifies configuration for a core dump from
+                            the model container when the process crashes. Fields are
+                            documented below.
+                          items:
+                            properties:
+                              destinationS3Uri:
+                                description: The Amazon S3 bucket to send the core
+                                  dump to.
+                                type: string
+                              kmsKeyId:
+                                description: The Amazon Web Services Key Management
+                                  Service (Amazon Web Services KMS) key that SageMaker
+                                  uses to encrypt the core dump data at rest using
+                                  Amazon S3 server-side encryption.
+                                type: string
+                            type: object
+                          type: array
+                        initialInstanceCount:
+                          description: Initial number of instances used for auto-scaling.
+                          type: number
+                        initialVariantWeight:
+                          description: Determines initial traffic distribution among
+                            all of the models that you specify in the endpoint configuration.
+                            If unspecified, it defaults to 1.0.
+                          type: number
+                        instanceType:
+                          description: The type of instance to start.
+                          type: string
+                        modelDataDownloadTimeoutInSeconds:
+                          description: The timeout value, in seconds, to download
+                            and extract the model that you want to host from Amazon
+                            S3 to the individual inference instance associated with
+                            this production variant. Valid values between 60 and 3600.
+                          type: number
+                        modelName:
+                          description: The name of the model to use.
+                          type: string
+                        serverlessConfig:
+                          description: Specifies configuration for how an endpoint
+                            performs asynchronous inference.
+                          items:
+                            properties:
+                              maxConcurrency:
+                                description: The maximum number of concurrent invocations
+                                  your serverless endpoint can process. Valid values
+                                  are between 1 and 200.
+                                type: number
+                              memorySizeInMb:
+                                description: 'The memory size of your serverless endpoint.
+                                  Valid values are in 1 GB increments: 1024 MB, 2048
+                                  MB, 3072 MB, 4096 MB, 5120 MB, or 6144 MB.'
+                                type: number
+                            type: object
+                          type: array
+                        variantName:
+                          description: The name of the variant.
+                          type: string
+                        volumeSizeInGb:
+                          description: The size, in GB, of the ML storage volume attached
+                            to individual inference instance associated with the production
+                            variant. Valid values between 1 and 512.
+                          type: number
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_featuregroups.yaml b/package/crds/sagemaker.aws.upbound.io_featuregroups.yaml
index c41a5e7564..e1f3a5f028 100644
--- a/package/crds/sagemaker.aws.upbound.io_featuregroups.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_featuregroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -249,11 +253,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - eventTimeFeatureName
-                - featureDefinition
-                - recordIdentifierFeatureName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -425,6 +441,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: eventTimeFeatureName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventTimeFeatureName)
+            - message: featureDefinition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.featureDefinition)
+            - message: recordIdentifierFeatureName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.recordIdentifierFeatureName)
           status:
             description: FeatureGroupStatus defines the observed state of FeatureGroup.
             properties:
@@ -434,8 +457,111 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this feature_group.
                     type: string
+                  description:
+                    description: A free-form description of a Feature Group.
+                    type: string
+                  eventTimeFeatureName:
+                    description: The name of the feature that stores the EventTime
+                      of a Record in a Feature Group.
+                    type: string
+                  featureDefinition:
+                    description: A list of Feature names and types. See Feature Definition
+                      Below.
+                    items:
+                      properties:
+                        featureName:
+                          description: 'The name of a feature. feature_name cannot
+                            be any of the following: is_deleted, write_time, api_invocation_time.'
+                          type: string
+                        featureType:
+                          description: The value type of a feature. Valid values are
+                            Integral, Fractional, or String.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
+                  offlineStoreConfig:
+                    description: The Offline Feature Store Configuration. See Offline
+                      Store Config Below.
+                    items:
+                      properties:
+                        dataCatalogConfig:
+                          description: The meta data of the Glue table that is autogenerated
+                            when an OfflineStore is created. See Data Catalog Config
+                            Below.
+                          items:
+                            properties:
+                              catalog:
+                                description: The name of the Glue table catalog.
+                                type: string
+                              database:
+                                description: The name of the Glue table database.
+                                type: string
+                              tableName:
+                                description: The name of the Glue table.
+                                type: string
+                            type: object
+                          type: array
+                        disableGlueTableCreation:
+                          description: Set to true to turn Online Store On.
+                          type: boolean
+                        s3StorageConfig:
+                          description: The Amazon Simple Storage (Amazon S3) location
+                            of OfflineStore. See S3 Storage Config Below.
+                          items:
+                            properties:
+                              kmsKeyId:
+                                description: The AWS Key Management Service (KMS)
+                                  key ID of the key used to encrypt any objects written
+                                  into the OfflineStore S3 location.
+                                type: string
+                              s3Uri:
+                                description: The S3 URI, or location in Amazon S3,
+                                  of OfflineStore.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  onlineStoreConfig:
+                    description: The Online Feature Store Configuration. See Online
+                      Store Config Below.
+                    items:
+                      properties:
+                        enableOnlineStore:
+                          description: Set to true to disable the automatic creation
+                            of an AWS Glue table when configuring an OfflineStore.
+                          type: boolean
+                        securityConfig:
+                          description: Security config for at-rest encryption of your
+                            OnlineStore. See Security Config Below.
+                          items:
+                            properties:
+                              kmsKeyId:
+                                description: The AWS Key Management Service (KMS)
+                                  key ID of the key used to encrypt any objects written
+                                  into the OfflineStore S3 location.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  recordIdentifierFeatureName:
+                    description: The name of the Feature whose value uniquely identifies
+                      a Record defined in the Feature Store. Only the latest record
+                      per identifier value will be stored in the Online Store.
+                    type: string
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of the IAM execution
+                      role used to persist data into the Offline Store if an offline_store_config
+                      is provided.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_images.yaml b/package/crds/sagemaker.aws.upbound.io_images.yaml
index b1ded2341a..2c420bb9e3 100644
--- a/package/crds/sagemaker.aws.upbound.io_images.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_images.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -160,6 +164,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -340,9 +359,25 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Image.
                     type: string
+                  description:
+                    description: The description of the image.
+                    type: string
+                  displayName:
+                    description: The display name of the image. When the image is
+                      added to a domain (must be unique to the domain).
+                    type: string
                   id:
                     description: The name of the Image.
                     type: string
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of an IAM role that
+                      enables Amazon SageMaker to perform tasks on your behalf.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_imageversions.yaml b/package/crds/sagemaker.aws.upbound.io_imageversions.yaml
index 98b8009847..e56d9296e1 100644
--- a/package/crds/sagemaker.aws.upbound.io_imageversions.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_imageversions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -149,9 +153,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - baseImage
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,6 +341,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: baseImage is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.baseImage)
           status:
             description: ImageVersionStatus defines the observed state of ImageVersion.
             properties:
@@ -332,6 +353,10 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Image Version.
                     type: string
+                  baseImage:
+                    description: The registry path of the container image on which
+                      this image version is based.
+                    type: string
                   containerImage:
                     description: The registry path of the container image that contains
                       this image version.
@@ -343,6 +368,9 @@ spec:
                     description: The Amazon Resource Name (ARN) of the image the version
                       is based on.
                     type: string
+                  imageName:
+                    description: The name of the image. Must be unique to your account.
+                    type: string
                   version:
                     type: number
                 type: object
diff --git a/package/crds/sagemaker.aws.upbound.io_modelpackagegrouppolicies.yaml b/package/crds/sagemaker.aws.upbound.io_modelpackagegrouppolicies.yaml
index c17b25ede6..b058c60adf 100644
--- a/package/crds/sagemaker.aws.upbound.io_modelpackagegrouppolicies.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_modelpackagegrouppolicies.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -151,8 +155,22 @@ spec:
                     type: string
                 required:
                 - region
-                - resourcePolicy
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,6 +342,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: resourcePolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourcePolicy)
           status:
             description: ModelPackageGroupPolicyStatus defines the observed state
               of ModelPackageGroupPolicy.
@@ -333,6 +354,11 @@ spec:
                   id:
                     description: The name of the Model Package Package Group.
                     type: string
+                  modelPackageGroupName:
+                    description: The name of the model package group.
+                    type: string
+                  resourcePolicy:
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_modelpackagegroups.yaml b/package/crds/sagemaker.aws.upbound.io_modelpackagegroups.yaml
index eb91956f99..fcd0108c0c 100644
--- a/package/crds/sagemaker.aws.upbound.io_modelpackagegroups.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_modelpackagegroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -262,6 +281,14 @@ spec:
                   id:
                     description: The name of the Model Package Group.
                     type: string
+                  modelPackageGroupDescription:
+                    description: A description for the model group.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_models.yaml b/package/crds/sagemaker.aws.upbound.io_models.yaml
index 76dee3e81e..dbe5fc655d 100644
--- a/package/crds/sagemaker.aws.upbound.io_models.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_models.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -333,6 +337,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -513,8 +532,165 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this model.
                     type: string
+                  container:
+                    description: Specifies containers in the inference pipeline. If
+                      not specified, the primary_container argument is required. Fields
+                      are documented below.
+                    items:
+                      properties:
+                        containerHostname:
+                          description: The DNS host name for the container.
+                          type: string
+                        environment:
+                          additionalProperties:
+                            type: string
+                          description: Environment variables for the Docker container.
+                            A list of key value pairs.
+                          type: object
+                        image:
+                          description: The registry path where the inference code
+                            image is stored in Amazon ECR.
+                          type: string
+                        imageConfig:
+                          description: Specifies whether the model container is in
+                            Amazon ECR or a private Docker registry accessible from
+                            your Amazon Virtual Private Cloud (VPC). For more information
+                            see Using a Private Docker Registry for Real-Time Inference
+                            Containers. see Image Config.
+                          items:
+                            properties:
+                              repositoryAccessMode:
+                                description: 'Specifies whether the model container
+                                  is in Amazon ECR or a private Docker registry accessible
+                                  from your Amazon Virtual Private Cloud (VPC). Allowed
+                                  values are: Platform and Vpc.'
+                                type: string
+                              repositoryAuthConfig:
+                                description: Specifies an authentication configuration
+                                  for the private docker registry where your model
+                                  image is hosted. Specify a value for this property
+                                  only if you specified Vpc as the value for the RepositoryAccessMode
+                                  field, and the private Docker registry where the
+                                  model image is hosted requires authentication. see
+                                  Repository Auth Config.
+                                items:
+                                  properties:
+                                    repositoryCredentialsProviderArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of an AWS Lambda function that provides credentials
+                                        to authenticate to the private Docker registry
+                                        where your model image is hosted. For information
+                                        about how to create an AWS Lambda function,
+                                        see Create a Lambda function with the console
+                                        in the AWS Lambda Developer Guide.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        mode:
+                          description: The container hosts value SingleModel/MultiModel.
+                            The default value is SingleModel.
+                          type: string
+                        modelDataUrl:
+                          description: The URL for the S3 location where model artifacts
+                            are stored.
+                          type: string
+                      type: object
+                    type: array
+                  enableNetworkIsolation:
+                    description: Isolates the model container. No inbound or outbound
+                      network calls can be made to or from the model container.
+                    type: boolean
+                  executionRoleArn:
+                    description: A role that SageMaker can assume to access model
+                      artifacts and docker images for deployment.
+                    type: string
                   id:
                     type: string
+                  inferenceExecutionConfig:
+                    description: Specifies details of how containers in a multi-container
+                      endpoint are called. see Inference Execution Config.
+                    items:
+                      properties:
+                        mode:
+                          description: The container hosts value SingleModel/MultiModel.
+                            The default value is SingleModel.
+                          type: string
+                      type: object
+                    type: array
+                  primaryContainer:
+                    description: The primary docker image containing inference code
+                      that is used when the model is deployed for predictions.  If
+                      not specified, the container argument is required. Fields are
+                      documented below.
+                    items:
+                      properties:
+                        containerHostname:
+                          description: The DNS host name for the container.
+                          type: string
+                        environment:
+                          additionalProperties:
+                            type: string
+                          description: Environment variables for the Docker container.
+                            A list of key value pairs.
+                          type: object
+                        image:
+                          description: The registry path where the inference code
+                            image is stored in Amazon ECR.
+                          type: string
+                        imageConfig:
+                          description: Specifies whether the model container is in
+                            Amazon ECR or a private Docker registry accessible from
+                            your Amazon Virtual Private Cloud (VPC). For more information
+                            see Using a Private Docker Registry for Real-Time Inference
+                            Containers. see Image Config.
+                          items:
+                            properties:
+                              repositoryAccessMode:
+                                description: 'Specifies whether the model container
+                                  is in Amazon ECR or a private Docker registry accessible
+                                  from your Amazon Virtual Private Cloud (VPC). Allowed
+                                  values are: Platform and Vpc.'
+                                type: string
+                              repositoryAuthConfig:
+                                description: Specifies an authentication configuration
+                                  for the private docker registry where your model
+                                  image is hosted. Specify a value for this property
+                                  only if you specified Vpc as the value for the RepositoryAccessMode
+                                  field, and the private Docker registry where the
+                                  model image is hosted requires authentication. see
+                                  Repository Auth Config.
+                                items:
+                                  properties:
+                                    repositoryCredentialsProviderArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of an AWS Lambda function that provides credentials
+                                        to authenticate to the private Docker registry
+                                        where your model image is hosted. For information
+                                        about how to create an AWS Lambda function,
+                                        see Create a Lambda function with the console
+                                        in the AWS Lambda Developer Guide.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        mode:
+                          description: The container hosts value SingleModel/MultiModel.
+                            The default value is SingleModel.
+                          type: string
+                        modelDataUrl:
+                          description: The URL for the S3 location where model artifacts
+                            are stored.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -522,6 +698,21 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpcConfig:
+                    description: Specifies the VPC that you want your model to connect
+                      to. VpcConfig is used in hosting services and in batch transform.
+                    items:
+                      properties:
+                        securityGroupIds:
+                          items:
+                            type: string
+                          type: array
+                        subnets:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_notebookinstancelifecycleconfigurations.yaml b/package/crds/sagemaker.aws.upbound.io_notebookinstancelifecycleconfigurations.yaml
index e17baebab6..84226e3ae3 100644
--- a/package/crds/sagemaker.aws.upbound.io_notebookinstancelifecycleconfigurations.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_notebookinstancelifecycleconfigurations.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,6 +86,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -265,6 +284,15 @@ spec:
                     type: string
                   id:
                     type: string
+                  onCreate:
+                    description: A shell script (base64-encoded) that runs only once
+                      when the SageMaker Notebook Instance is created.
+                    type: string
+                  onStart:
+                    description: A shell script (base64-encoded) that runs every time
+                      the SageMaker Notebook Instance is started including the time
+                      it's created.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_notebookinstances.yaml b/package/crds/sagemaker.aws.upbound.io_notebookinstances.yaml
index 706e27f088..7873fa010d 100644
--- a/package/crds/sagemaker.aws.upbound.io_notebookinstances.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_notebookinstances.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -456,9 +460,23 @@ spec:
                       to the notebook instance. The default value is 5 GB.
                     type: number
                 required:
-                - instanceType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -630,23 +648,115 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceType)
           status:
             description: NotebookInstanceStatus defines the observed state of NotebookInstance.
             properties:
               atProvider:
                 properties:
+                  acceleratorTypes:
+                    description: 'A list of Elastic Inference (EI) instance types
+                      to associate with this notebook instance. See Elastic Inference
+                      Accelerator for more details. Valid values: ml.eia1.medium,
+                      ml.eia1.large, ml.eia1.xlarge, ml.eia2.medium, ml.eia2.large,
+                      ml.eia2.xlarge.'
+                    items:
+                      type: string
+                    type: array
+                  additionalCodeRepositories:
+                    description: An array of up to three Git repositories to associate
+                      with the notebook instance. These can be either the names of
+                      Git repositories stored as resources in your account, or the
+                      URL of Git repositories in AWS CodeCommit or in any other Git
+                      repository. These repositories are cloned at the same level
+                      as the default repository of your notebook instance.
+                    items:
+                      type: string
+                    type: array
                   arn:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this notebook instance.
                     type: string
+                  defaultCodeRepository:
+                    description: The Git repository associated with the notebook instance
+                      as its default code repository. This can be either the name
+                      of a Git repository stored as a resource in your account, or
+                      the URL of a Git repository in AWS CodeCommit or in any other
+                      Git repository.
+                    type: string
+                  directInternetAccess:
+                    description: 'Set to Disabled to disable internet access to notebook.
+                      Requires security_groups and subnet_id to be set. Supported
+                      values: Enabled (Default) or Disabled. If set to Disabled, the
+                      notebook instance will be able to access resources only in your
+                      VPC, and will not be able to connect to Amazon SageMaker training
+                      and endpoint services unless your configure a NAT Gateway in
+                      your VPC.'
+                    type: string
                   id:
                     description: The name of the notebook instance.
                     type: string
+                  instanceMetadataServiceConfiguration:
+                    description: Information on the IMDS configuration of the notebook
+                      instance. Conflicts with instance_metadata_service_configuration.
+                      see details below.
+                    items:
+                      properties:
+                        minimumInstanceMetadataServiceVersion:
+                          description: Indicates the minimum IMDS version that the
+                            notebook instance supports. When passed "1" is passed.
+                            This means that both IMDSv1 and IMDSv2 are supported.
+                            Valid values are 1 and 2.
+                          type: string
+                      type: object
+                    type: array
+                  instanceType:
+                    description: The name of ML compute instance type.
+                    type: string
+                  kmsKeyId:
+                    description: The AWS Key Management Service (AWS KMS) key that
+                      Amazon SageMaker uses to encrypt the model artifacts at rest
+                      using Amazon S3 server-side encryption.
+                    type: string
+                  lifecycleConfigName:
+                    description: The name of a lifecycle configuration to associate
+                      with the notebook instance.
+                    type: string
                   networkInterfaceId:
                     description: The network interface ID that Amazon SageMaker created
                       at the time of creating the instance. Only available when setting
                       subnet_id.
                     type: string
+                  platformIdentifier:
+                    description: The platform identifier of the notebook instance
+                      runtime environment. This value can be either notebook-al1-v1,
+                      notebook-al2-v1, or  notebook-al2-v2, depending on which version
+                      of Amazon Linux you require.
+                    type: string
+                  roleArn:
+                    description: The ARN of the IAM role to be used by the notebook
+                      instance which allows SageMaker to call other services on your
+                      behalf.
+                    type: string
+                  rootAccess:
+                    description: Whether root access is Enabled or Disabled for users
+                      of the notebook instance. The default value is Enabled.
+                    type: string
+                  securityGroups:
+                    description: The associated security groups.
+                    items:
+                      type: string
+                    type: array
+                  subnetId:
+                    description: The VPC subnet ID.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -658,6 +768,10 @@ spec:
                     description: The URL that you use to connect to the Jupyter notebook
                       that is running in your notebook instance.
                     type: string
+                  volumeSize:
+                    description: The size, in GB, of the ML storage volume to attach
+                      to the notebook instance. The default value is 5 GB.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_servicecatalogportfoliostatuses.yaml b/package/crds/sagemaker.aws.upbound.io_servicecatalogportfoliostatuses.yaml
index 5630aab78a..6442a9240e 100644
--- a/package/crds/sagemaker.aws.upbound.io_servicecatalogportfoliostatuses.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_servicecatalogportfoliostatuses.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,8 +80,22 @@ spec:
                     type: string
                 required:
                 - region
-                - status
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -249,6 +267,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: status is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.status)
           status:
             description: ServicecatalogPortfolioStatusStatus defines the observed
               state of ServicecatalogPortfolioStatus.
@@ -259,6 +280,10 @@ spec:
                     description: The AWS Region the Servicecatalog portfolio status
                       resides in.
                     type: string
+                  status:
+                    description: Whether Service Catalog is enabled or disabled in
+                      SageMaker. Valid values are Enabled and Disabled.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_spaces.yaml b/package/crds/sagemaker.aws.upbound.io_spaces.yaml
index 6c0cd4a75f..165b66023b 100644
--- a/package/crds/sagemaker.aws.upbound.io_spaces.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_spaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -273,8 +277,22 @@ spec:
                     type: object
                 required:
                 - region
-                - spaceName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -446,6 +464,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: spaceName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.spaceName)
           status:
             description: SpaceStatus defines the observed state of Space.
             properties:
@@ -454,6 +475,9 @@ spec:
                   arn:
                     description: The space's Amazon Resource Name (ARN).
                     type: string
+                  domainId:
+                    description: The ID of the associated Domain.
+                    type: string
                   homeEfsFileSystemUid:
                     description: The ID of the space's profile in the Amazon Elastic
                       File System volume.
@@ -461,6 +485,124 @@ spec:
                   id:
                     description: The space's Amazon Resource Name (ARN).
                     type: string
+                  spaceName:
+                    description: The name of the space.
+                    type: string
+                  spaceSettings:
+                    description: A collection of space settings. See Space Settings
+                      below.
+                    items:
+                      properties:
+                        jupyterServerAppSettings:
+                          description: The Jupyter server's app settings. See Jupyter
+                            Server App Settings below.
+                          items:
+                            properties:
+                              codeRepository:
+                                description: A list of Git repositories that SageMaker
+                                  automatically displays to users for cloning in the
+                                  JupyterServer application. see Code Repository below.
+                                items:
+                                  properties:
+                                    repositoryUrl:
+                                      description: The URL of the Git repository.
+                                      type: string
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the SageMaker image created on the instance.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        kernelGatewayAppSettings:
+                          description: The kernel gateway app settings. See Kernel
+                            Gateway App Settings below.
+                          items:
+                            properties:
+                              customImage:
+                                description: A list of custom SageMaker images that
+                                  are configured to run as a KernelGateway app. see
+                                  Custom Image below.
+                                items:
+                                  properties:
+                                    appImageConfigName:
+                                      description: The name of the App Image Config.
+                                      type: string
+                                    imageName:
+                                      description: The name of the Custom Image.
+                                      type: string
+                                    imageVersionNumber:
+                                      description: The version number of the Custom
+                                        Image.
+                                      type: number
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the SageMaker image created on the instance.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_studiolifecycleconfigs.yaml b/package/crds/sagemaker.aws.upbound.io_studiolifecycleconfigs.yaml
index 8045f92e92..703b4fc276 100644
--- a/package/crds/sagemaker.aws.upbound.io_studiolifecycleconfigs.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_studiolifecycleconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,9 +87,22 @@ spec:
                     type: object
                 required:
                 - region
-                - studioLifecycleConfigAppType
-                - studioLifecycleConfigContent
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -257,6 +274,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: studioLifecycleConfigAppType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.studioLifecycleConfigAppType)
+            - message: studioLifecycleConfigContent is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.studioLifecycleConfigContent)
           status:
             description: StudioLifecycleConfigStatus defines the observed state of
               StudioLifecycleConfig.
@@ -270,6 +292,19 @@ spec:
                   id:
                     description: The name of the Studio Lifecycle Config.
                     type: string
+                  studioLifecycleConfigAppType:
+                    description: The App type that the Lifecycle Configuration is
+                      attached to. Valid values are JupyterServer and KernelGateway.
+                    type: string
+                  studioLifecycleConfigContent:
+                    description: The content of your Studio Lifecycle Configuration
+                      script. This content must be base64 encoded.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sagemaker.aws.upbound.io_userprofiles.yaml b/package/crds/sagemaker.aws.upbound.io_userprofiles.yaml
index b76724e67c..b65fe5a699 100644
--- a/package/crds/sagemaker.aws.upbound.io_userprofiles.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_userprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -433,8 +437,22 @@ spec:
                     type: array
                 required:
                 - region
-                - userProfileName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -606,6 +624,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: userProfileName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.userProfileName)
           status:
             description: UserProfileStatus defines the observed state of UserProfile.
             properties:
@@ -614,6 +635,9 @@ spec:
                   arn:
                     description: The user profile Amazon Resource Name (ARN).
                     type: string
+                  domainId:
+                    description: The ID of the associated Domain.
+                    type: string
                   homeEfsFileSystemUid:
                     description: The ID of the user's profile in the Amazon Elastic
                       File System (EFS) volume.
@@ -621,6 +645,24 @@ spec:
                   id:
                     description: The user profile Amazon Resource Name (ARN).
                     type: string
+                  singleSignOnUserIdentifier:
+                    description: A specifier for the type of value specified in single_sign_on_user_value.
+                      Currently, the only supported value is UserName. If the Domain's
+                      AuthMode is SSO, this field is required. If the Domain's AuthMode
+                      is not SSO, this field cannot be specified.
+                    type: string
+                  singleSignOnUserValue:
+                    description: The username of the associated AWS Single Sign-On
+                      User for this User Profile. If the Domain's AuthMode is SSO,
+                      this field is required, and must match a valid username of a
+                      user in your directory. If the Domain's AuthMode is not SSO,
+                      this field cannot be specified.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -628,6 +670,263 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  userProfileName:
+                    description: The name for the User Profile.
+                    type: string
+                  userSettings:
+                    description: The user settings. See User Settings below.
+                    items:
+                      properties:
+                        canvasAppSettings:
+                          description: The Canvas app settings. See Canvas App Settings
+                            below.
+                          items:
+                            properties:
+                              timeSeriesForecastingSettings:
+                                description: Time series forecast settings for the
+                                  Canvas app. see Time Series Forecasting Settings
+                                  below.
+                                items:
+                                  properties:
+                                    amazonForecastRoleArn:
+                                      description: The IAM role that Canvas passes
+                                        to Amazon Forecast for time series forecasting.
+                                        By default, Canvas uses the execution role
+                                        specified in the UserProfile that launches
+                                        the Canvas app. If an execution role is not
+                                        specified in the UserProfile, Canvas uses
+                                        the execution role specified in the Domain
+                                        that owns the UserProfile. To allow time series
+                                        forecasting, this IAM role should have the
+                                        AmazonSageMakerCanvasForecastAccess policy
+                                        attached and forecast.amazonaws.com added
+                                        in the trust relationship as a service principal.
+                                      type: string
+                                    status:
+                                      description: Describes whether time series forecasting
+                                        is enabled or disabled in the Canvas app.
+                                        Valid values are ENABLED and DISABLED.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        executionRole:
+                          description: The execution role ARN for the user.
+                          type: string
+                        jupyterServerAppSettings:
+                          description: The Jupyter server's app settings. See Jupyter
+                            Server App Settings below.
+                          items:
+                            properties:
+                              codeRepository:
+                                description: A list of Git repositories that SageMaker
+                                  automatically displays to users for cloning in the
+                                  JupyterServer application. see Code Repository below.
+                                items:
+                                  properties:
+                                    repositoryUrl:
+                                      description: The URL of the Git repository.
+                                      type: string
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the SageMaker image created on the instance.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        kernelGatewayAppSettings:
+                          description: The kernel gateway app settings. See Kernel
+                            Gateway App Settings below.
+                          items:
+                            properties:
+                              customImage:
+                                description: A list of custom SageMaker images that
+                                  are configured to run as a KernelGateway app. see
+                                  Custom Image below.
+                                items:
+                                  properties:
+                                    appImageConfigName:
+                                      description: The name of the App Image Config.
+                                      type: string
+                                    imageName:
+                                      description: The name of the Custom Image.
+                                      type: string
+                                    imageVersionNumber:
+                                      description: The version number of the Custom
+                                        Image.
+                                      type: number
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the SageMaker image created on the instance.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                              lifecycleConfigArns:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Lifecycle Configurations.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                        rSessionAppSettings:
+                          description: The RSession app settings. See RSession App
+                            Settings below.
+                          items:
+                            properties:
+                              customImage:
+                                description: A list of custom SageMaker images that
+                                  are configured to run as a KernelGateway app. see
+                                  Custom Image below.
+                                items:
+                                  properties:
+                                    appImageConfigName:
+                                      description: The name of the App Image Config.
+                                      type: string
+                                    imageName:
+                                      description: The name of the Custom Image.
+                                      type: string
+                                    imageVersionNumber:
+                                      description: The version number of the Custom
+                                        Image.
+                                      type: number
+                                  type: object
+                                type: array
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the SageMaker image created on the instance.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        securityGroups:
+                          description: The security groups.
+                          items:
+                            type: string
+                          type: array
+                        sharingSettings:
+                          description: The sharing settings. See Sharing Settings
+                            below.
+                          items:
+                            properties:
+                              notebookOutputOption:
+                                description: Whether to include the notebook cell
+                                  output when sharing the notebook. The default is
+                                  Disabled. Valid values are Allowed and Disabled.
+                                type: string
+                              s3KmsKeyId:
+                                description: When notebook_output_option is Allowed,
+                                  the AWS Key Management Service (KMS) encryption
+                                  key ID used to encrypt the notebook cell output
+                                  in the Amazon S3 bucket.
+                                type: string
+                              s3OutputPath:
+                                description: When notebook_output_option is Allowed,
+                                  the Amazon S3 bucket used to save the notebook cell
+                                  output.
+                                type: string
+                            type: object
+                          type: array
+                        tensorBoardAppSettings:
+                          description: The TensorBoard app settings. See TensorBoard
+                            App Settings below.
+                          items:
+                            properties:
+                              defaultResourceSpec:
+                                description: The default instance type and the Amazon
+                                  Resource Name (ARN) of the SageMaker image created
+                                  on the instance. see Default Resource Spec below.
+                                items:
+                                  properties:
+                                    instanceType:
+                                      description: The instance type.
+                                      type: string
+                                    lifecycleConfigArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the Lifecycle Configuration attached to
+                                        the Resource.
+                                      type: string
+                                    sagemakerImageArn:
+                                      description: The Amazon Resource Name (ARN)
+                                        of the SageMaker image created on the instance.
+                                      type: string
+                                    sagemakerImageVersionArn:
+                                      description: The ARN of the image version created
+                                        on the instance.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sagemaker.aws.upbound.io_workforces.yaml b/package/crds/sagemaker.aws.upbound.io_workforces.yaml
index 4ffe1ac331..805c5e5d14 100644
--- a/package/crds/sagemaker.aws.upbound.io_workforces.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_workforces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -345,6 +349,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -525,9 +544,75 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Workforce.
                     type: string
+                  cognitoConfig:
+                    description: Use this parameter to configure an Amazon Cognito
+                      private workforce. A single Cognito workforce is created using
+                      and corresponds to a single Amazon Cognito user pool. Conflicts
+                      with oidc_config. see Cognito Config details below.
+                    items:
+                      properties:
+                        clientId:
+                          description: The client ID for your Amazon Cognito user
+                            pool.
+                          type: string
+                        userPool:
+                          description: ID for your Amazon Cognito user pool.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The name of the Workforce.
                     type: string
+                  oidcConfig:
+                    description: Use this parameter to configure a private workforce
+                      using your own OIDC Identity Provider. Conflicts with cognito_config.
+                      see OIDC Config details below.
+                    items:
+                      properties:
+                        authorizationEndpoint:
+                          description: The OIDC IdP authorization endpoint used to
+                            configure your private workforce.
+                          type: string
+                        clientId:
+                          description: The client ID for your Amazon Cognito user
+                            pool.
+                          type: string
+                        issuer:
+                          description: The OIDC IdP issuer used to configure your
+                            private workforce.
+                          type: string
+                        jwksUri:
+                          description: The OIDC IdP JSON Web Key Set (Jwks) URI used
+                            to configure your private workforce.
+                          type: string
+                        logoutEndpoint:
+                          description: The OIDC IdP logout endpoint used to configure
+                            your private workforce.
+                          type: string
+                        tokenEndpoint:
+                          description: The OIDC IdP token endpoint used to configure
+                            your private workforce.
+                          type: string
+                        userInfoEndpoint:
+                          description: The OIDC IdP user information endpoint used
+                            to configure your private workforce.
+                          type: string
+                      type: object
+                    type: array
+                  sourceIpConfig:
+                    description: A list of IP address ranges Used to create an allow
+                      list of IP addresses for a private workforce. By default, a
+                      workforce isn't restricted to specific IP addresses. see Source
+                      Ip Config details below.
+                    items:
+                      properties:
+                        cidrs:
+                          description: A list of up to 10 CIDR values.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   subdomain:
                     description: The subdomain for your OIDC Identity Provider.
                     type: string
@@ -536,10 +621,26 @@ spec:
                       Config details below.
                     items:
                       properties:
+                        securityGroupIds:
+                          description: The VPC security group IDs. The security groups
+                            must be for the same VPC as specified in the subnet.
+                          items:
+                            type: string
+                          type: array
+                        subnets:
+                          description: The ID of the subnets in the VPC that you want
+                            to connect.
+                          items:
+                            type: string
+                          type: array
                         vpcEndpointId:
                           description: The IDs for the VPC service endpoints of your
                             VPC workforce.
                           type: string
+                        vpcId:
+                          description: The ID of the VPC that the workforce uses for
+                            communication.
+                          type: string
                       type: object
                     type: array
                 type: object
diff --git a/package/crds/sagemaker.aws.upbound.io_workteams.yaml b/package/crds/sagemaker.aws.upbound.io_workteams.yaml
index 5efe536fc0..8ed50c17ef 100644
--- a/package/crds/sagemaker.aws.upbound.io_workteams.yaml
+++ b/package/crds/sagemaker.aws.upbound.io_workteams.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -458,10 +462,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - description
-                - memberDefinition
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -633,6 +650,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: memberDefinition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.memberDefinition)
           status:
             description: WorkteamStatus defines the observed state of Workteam.
             properties:
@@ -642,12 +664,81 @@ spec:
                     description: The Amazon Resource Name (ARN) assigned by AWS to
                       this Workteam.
                     type: string
+                  description:
+                    description: A description of the work team.
+                    type: string
                   id:
                     description: The name of the Workteam.
                     type: string
+                  memberDefinition:
+                    description: A list of Member Definitions that contains objects
+                      that identify the workers that make up the work team. Workforces
+                      can be created using Amazon Cognito or your own OIDC Identity
+                      Provider (IdP). For private workforces created using Amazon
+                      Cognito use cognito_member_definition. For workforces created
+                      using your own OIDC identity provider (IdP) use oidc_member_definition.
+                      Do not provide input for both of these parameters in a single
+                      request. see Member Definition details below.
+                    items:
+                      properties:
+                        cognitoMemberDefinition:
+                          description: The Amazon Cognito user group that is part
+                            of the work team. See Cognito Member Definition details
+                            below.
+                          items:
+                            properties:
+                              clientId:
+                                description: An identifier for an application client.
+                                  You must create the app client ID using Amazon Cognito.
+                                type: string
+                              userGroup:
+                                description: An identifier for a user group.
+                                type: string
+                              userPool:
+                                description: An identifier for a user pool. The user
+                                  pool must be in the same region as the service that
+                                  you are calling.
+                                type: string
+                            type: object
+                          type: array
+                        oidcMemberDefinition:
+                          description: A list user groups that exist in your OIDC
+                            Identity Provider (IdP). One to ten groups can be used
+                            to create a single private work team. See Cognito Member
+                            Definition details below.
+                          items:
+                            properties:
+                              groups:
+                                description: A list of comma separated strings that
+                                  identifies user groups in your OIDC IdP. Each user
+                                  group is made up of a group of private workers.
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  notificationConfiguration:
+                    description: Configures notification of workers regarding available
+                      or expiring work items. see Notification Configuration details
+                      below.
+                    items:
+                      properties:
+                        notificationTopicArn:
+                          description: The ARN for the SNS topic to which notifications
+                            should be published.
+                          type: string
+                      type: object
+                    type: array
                   subdomain:
                     description: The subdomain for your OIDC Identity Provider.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -655,6 +746,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  workforceName:
+                    description: The name of the Workteam (must be unique).
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/scheduler.aws.upbound.io_schedulegroups.yaml b/package/crds/scheduler.aws.upbound.io_schedulegroups.yaml
index b991f4ee02..42b848c4cd 100644
--- a/package/crds/scheduler.aws.upbound.io_schedulegroups.yaml
+++ b/package/crds/scheduler.aws.upbound.io_schedulegroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -267,9 +286,17 @@ spec:
                   lastModificationDate:
                     description: Time at which the schedule group was last modified.
                     type: string
+                  name:
+                    description: Name of the schedule group. Conflicts with name_prefix.
+                    type: string
                   state:
                     description: State of the schedule group. Can be ACTIVE or DELETING.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/scheduler.aws.upbound.io_schedules.yaml b/package/crds/scheduler.aws.upbound.io_schedules.yaml
index cf02cc45a1..c986b7be7e 100644
--- a/package/crds/scheduler.aws.upbound.io_schedules.yaml
+++ b/package/crds/scheduler.aws.upbound.io_schedules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -617,11 +621,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - flexibleTimeWindow
                 - region
-                - scheduleExpression
-                - target
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -793,6 +809,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: flexibleTimeWindow is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.flexibleTimeWindow)
+            - message: scheduleExpression is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scheduleExpression)
+            - message: target is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.target)
           status:
             description: ScheduleStatus defines the observed state of Schedule.
             properties:
@@ -802,9 +825,312 @@ spec:
                     description: ARN of the SQS queue specified as the destination
                       for the dead-letter queue.
                     type: string
+                  description:
+                    description: Brief description of the schedule.
+                    type: string
+                  endDate:
+                    description: 'The date, in UTC, before which the schedule can
+                      invoke its target. Depending on the schedule''s recurrence expression,
+                      invocations might stop on, or before, the end date you specify.
+                      EventBridge Scheduler ignores the end date for one-time schedules.
+                      Example: 2030-01-01T01:00:00Z.'
+                    type: string
+                  flexibleTimeWindow:
+                    description: Configures a time window during which EventBridge
+                      Scheduler invokes the schedule. Detailed below.
+                    items:
+                      properties:
+                        maximumWindowInMinutes:
+                          description: Maximum time window during which a schedule
+                            can be invoked. Ranges from 1 to 1440 minutes.
+                          type: number
+                        mode:
+                          description: 'Determines whether the schedule is invoked
+                            within a flexible time window. One of: OFF, FLEXIBLE.'
+                          type: string
+                      type: object
+                    type: array
+                  groupName:
+                    description: Name of the schedule group to associate with this
+                      schedule. When omitted, the default schedule group is used.
+                    type: string
                   id:
                     description: Name of the schedule.
                     type: string
+                  kmsKeyArn:
+                    description: ARN for the customer managed KMS key that EventBridge
+                      Scheduler will use to encrypt and decrypt your data.
+                    type: string
+                  name:
+                    description: Name of the schedule. Conflicts with name_prefix.
+                    type: string
+                  scheduleExpression:
+                    description: Defines when the schedule runs. Read more in Schedule
+                      types on EventBridge Scheduler.
+                    type: string
+                  scheduleExpressionTimezone:
+                    description: 'Timezone in which the scheduling expression is evaluated.
+                      Defaults to UTC. Example: Australia/Sydney.'
+                    type: string
+                  startDate:
+                    description: 'The date, in UTC, after which the schedule can begin
+                      invoking its target. Depending on the schedule''s recurrence
+                      expression, invocations might occur on, or after, the start
+                      date you specify. EventBridge Scheduler ignores the start date
+                      for one-time schedules. Example: 2030-01-01T01:00:00Z.'
+                    type: string
+                  state:
+                    description: 'Specifies whether the schedule is enabled or disabled.
+                      One of: ENABLED (default), DISABLED.'
+                    type: string
+                  target:
+                    description: Configures the target of the schedule. Detailed below.
+                    items:
+                      properties:
+                        arn:
+                          description: ARN of the target of this schedule, such as
+                            a SQS queue or ECS cluster. For universal targets, this
+                            is a Service ARN specific to the target service.
+                          type: string
+                        deadLetterConfig:
+                          description: Information about an Amazon SQS queue that
+                            EventBridge Scheduler uses as a dead-letter queue for
+                            your schedule. If specified, EventBridge Scheduler delivers
+                            failed events that could not be successfully delivered
+                            to a target to the queue. Detailed below.
+                          items:
+                            properties:
+                              arn:
+                                description: ARN of the target of this schedule, such
+                                  as a SQS queue or ECS cluster. For universal targets,
+                                  this is a Service ARN specific to the target service.
+                                type: string
+                            type: object
+                          type: array
+                        ecsParameters:
+                          description: Templated target type for the Amazon ECS RunTask
+                            API operation. Detailed below.
+                          items:
+                            properties:
+                              capacityProviderStrategy:
+                                description: Up to 6 capacity provider strategies
+                                  to use for the task. Detailed below.
+                                items:
+                                  properties:
+                                    base:
+                                      description: How many tasks, at a minimum, to
+                                        run on the specified capacity provider. Only
+                                        one capacity provider in a capacity provider
+                                        strategy can have a base defined. Ranges from
+                                        0 (default) to 100000.
+                                      type: number
+                                    capacityProvider:
+                                      description: Short name of the capacity provider.
+                                      type: string
+                                    weight:
+                                      description: Designates the relative percentage
+                                        of the total number of tasks launched that
+                                        should use the specified capacity provider.
+                                        The weight value is taken into consideration
+                                        after the base value, if defined, is satisfied.
+                                        Ranges from from 0 to 1000.
+                                      type: number
+                                  type: object
+                                type: array
+                              enableEcsManagedTags:
+                                description: Specifies whether to enable Amazon ECS
+                                  managed tags for the task. For more information,
+                                  see Tagging Your Amazon ECS Resources in the Amazon
+                                  ECS Developer Guide.
+                                type: boolean
+                              enableExecuteCommand:
+                                description: Specifies whether to enable the execute
+                                  command functionality for the containers in this
+                                  task.
+                                type: boolean
+                              group:
+                                description: Specifies an ECS task group for the task.
+                                  At most 255 characters.
+                                type: string
+                              launchType:
+                                description: 'Specifies the launch type on which your
+                                  task is running. The launch type that you specify
+                                  here must match one of the launch type (compatibilities)
+                                  of the target task. One of: EC2, FARGATE, EXTERNAL.'
+                                type: string
+                              networkConfiguration:
+                                description: Configures the networking associated
+                                  with the task. Detailed below.
+                                items:
+                                  properties:
+                                    assignPublicIp:
+                                      description: 'Specifies whether the task''s
+                                        elastic network interface receives a public
+                                        IP address. You can specify ENABLED only when
+                                        the launch_type is set to FARGATE. One of:
+                                        ENABLED, DISABLED.'
+                                      type: boolean
+                                    securityGroups:
+                                      description: Set of 1 to 5 Security Group ID-s
+                                        to be associated with the task. These security
+                                        groups must all be in the same VPC.
+                                      items:
+                                        type: string
+                                      type: array
+                                    subnets:
+                                      description: Set of 1 to 16 subnets to be associated
+                                        with the task. These subnets must all be in
+                                        the same VPC.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              placementConstraints:
+                                description: A set of up to 10 placement constraints
+                                  to use for the task. Detailed below.
+                                items:
+                                  properties:
+                                    expression:
+                                      description: A cluster query language expression
+                                        to apply to the constraint. You cannot specify
+                                        an expression if the constraint type is distinctInstance.
+                                        For more information, see Cluster query language
+                                        in the Amazon ECS Developer Guide.
+                                      type: string
+                                    type:
+                                      description: 'The type of placement strategy.
+                                        One of: random, spread, binpack.'
+                                      type: string
+                                  type: object
+                                type: array
+                              placementStrategy:
+                                description: A set of up to 5 placement strategies.
+                                  Detailed below.
+                                items:
+                                  properties:
+                                    field:
+                                      description: The field to apply the placement
+                                        strategy against.
+                                      type: string
+                                    type:
+                                      description: 'The type of placement strategy.
+                                        One of: random, spread, binpack.'
+                                      type: string
+                                  type: object
+                                type: array
+                              platformVersion:
+                                description: Specifies the platform version for the
+                                  task. Specify only the numeric portion of the platform
+                                  version, such as 1.1.0.
+                                type: string
+                              propagateTags:
+                                description: 'Specifies whether to propagate the tags
+                                  from the task definition to the task. One of: TASK_DEFINITION.'
+                                type: string
+                              referenceId:
+                                description: Reference ID to use for the task.
+                                type: string
+                              tags:
+                                additionalProperties:
+                                  type: string
+                                description: Key-value map of resource tags.
+                                type: object
+                              taskCount:
+                                description: The number of tasks to create. Ranges
+                                  from 1 (default) to 10.
+                                type: number
+                              taskDefinitionArn:
+                                description: ARN of the task definition to use.
+                                type: string
+                            type: object
+                          type: array
+                        eventbridgeParameters:
+                          description: Templated target type for the EventBridge PutEvents
+                            API operation. Detailed below.
+                          items:
+                            properties:
+                              detailType:
+                                description: Free-form string used to decide what
+                                  fields to expect in the event detail. Up to 128
+                                  characters.
+                                type: string
+                              source:
+                                description: Source of the event.
+                                type: string
+                            type: object
+                          type: array
+                        input:
+                          description: Text, or well-formed JSON, passed to the target.
+                            Read more in Universal target.
+                          type: string
+                        kinesisParameters:
+                          description: Templated target type for the Amazon Kinesis
+                            PutRecord API operation. Detailed below.
+                          items:
+                            properties:
+                              partitionKey:
+                                description: Specifies the shard to which EventBridge
+                                  Scheduler sends the event. Up to 256 characters.
+                                type: string
+                            type: object
+                          type: array
+                        retryPolicy:
+                          description: Information about the retry policy settings.
+                            Detailed below.
+                          items:
+                            properties:
+                              maximumEventAgeInSeconds:
+                                description: Maximum amount of time, in seconds, to
+                                  continue to make retry attempts. Ranges from 60
+                                  to 86400 (default).
+                                type: number
+                              maximumRetryAttempts:
+                                description: Maximum number of retry attempts to make
+                                  before the request fails. Ranges from 0 to 185 (default).
+                                type: number
+                            type: object
+                          type: array
+                        roleArn:
+                          description: ARN of the IAM role that EventBridge Scheduler
+                            will use for this target when the schedule is invoked.
+                            Read more in Set up the execution role.
+                          type: string
+                        sagemakerPipelineParameters:
+                          description: Templated target type for the Amazon SageMaker
+                            StartPipelineExecution API operation. Detailed below.
+                          items:
+                            properties:
+                              pipelineParameter:
+                                description: Set of up to 200 parameter names and
+                                  values to use when executing the SageMaker Model
+                                  Building Pipeline. Detailed below.
+                                items:
+                                  properties:
+                                    name:
+                                      description: Name of parameter to start execution
+                                        of a SageMaker Model Building Pipeline.
+                                      type: string
+                                    value:
+                                      description: Value of parameter to start execution
+                                        of a SageMaker Model Building Pipeline.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        sqsParameters:
+                          description: The templated target type for the Amazon SQS
+                            SendMessage API operation. Detailed below.
+                          items:
+                            properties:
+                              messageGroupId:
+                                description: FIFO message group ID to use as the target.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/schemas.aws.upbound.io_discoverers.yaml b/package/crds/schemas.aws.upbound.io_discoverers.yaml
index c3970a5983..d7e5a1882f 100644
--- a/package/crds/schemas.aws.upbound.io_discoverers.yaml
+++ b/package/crds/schemas.aws.upbound.io_discoverers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -159,6 +163,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -338,9 +357,22 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the discoverer.
                     type: string
+                  description:
+                    description: The description of the discoverer. Maximum of 256
+                      characters.
+                    type: string
                   id:
                     description: The ID of the discoverer.
                     type: string
+                  sourceArn:
+                    description: The ARN of the event bus to discover event schemas
+                      on.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/schemas.aws.upbound.io_registries.yaml b/package/crds/schemas.aws.upbound.io_registries.yaml
index e7ae775c49..4badcd8062 100644
--- a/package/crds/schemas.aws.upbound.io_registries.yaml
+++ b/package/crds/schemas.aws.upbound.io_registries.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -80,6 +84,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -259,8 +278,17 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the discoverer.
                     type: string
+                  description:
+                    description: The description of the discoverer. Maximum of 256
+                      characters.
+                    type: string
                   id:
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/schemas.aws.upbound.io_schemas.yaml b/package/crds/schemas.aws.upbound.io_schemas.yaml
index d34bb02216..fea8463c55 100644
--- a/package/crds/schemas.aws.upbound.io_schemas.yaml
+++ b/package/crds/schemas.aws.upbound.io_schemas.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -165,11 +169,23 @@ spec:
                     description: 'The type of the schema. Valid values: OpenApi3.'
                     type: string
                 required:
-                - content
-                - name
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -341,6 +357,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: content is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: SchemaStatus defines the observed state of Schema.
             properties:
@@ -349,11 +372,31 @@ spec:
                   arn:
                     description: The Amazon Resource Name (ARN) of the discoverer.
                     type: string
+                  content:
+                    description: The schema specification. Must be a valid Open API
+                      3.0 spec.
+                    type: string
+                  description:
+                    description: The description of the schema. Maximum of 256 characters.
+                    type: string
                   id:
                     type: string
                   lastModified:
                     description: The last modified date of the schema.
                     type: string
+                  name:
+                    description: The name of the schema. Maximum of 385 characters
+                      consisting of lower case letters, upper case letters, ., -,
+                      _, @.
+                    type: string
+                  registryName:
+                    description: The name of the registry in which this schema belongs.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -361,6 +404,9 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: 'The type of the schema. Valid values: OpenApi3.'
+                    type: string
                   version:
                     description: The version of the schema.
                     type: string
diff --git a/package/crds/secretsmanager.aws.upbound.io_secretpolicies.yaml b/package/crds/secretsmanager.aws.upbound.io_secretpolicies.yaml
index 686bcad7f9..19485c40e8 100644
--- a/package/crds/secretsmanager.aws.upbound.io_secretpolicies.yaml
+++ b/package/crds/secretsmanager.aws.upbound.io_secretpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -157,9 +161,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,14 +349,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: SecretPolicyStatus defines the observed state of SecretPolicy.
             properties:
               atProvider:
                 properties:
+                  blockPublicPolicy:
+                    description: Makes an optional API call to Zelkova to validate
+                      the Resource Policy to prevent broad access to your secret.
+                    type: boolean
                   id:
                     description: Amazon Resource Name (ARN) of the secret.
                     type: string
+                  policy:
+                    description: Valid JSON document representing a resource policy.
+                      Unlike aws_secretsmanager_secret, where policy can be set to
+                      "{}" to delete the policy, "{}" is not a valid policy since
+                      policy is required.
+                    type: string
+                  secretArn:
+                    description: Secret ARN.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/secretsmanager.aws.upbound.io_secretrotations.yaml b/package/crds/secretsmanager.aws.upbound.io_secretrotations.yaml
index 0b85e828f4..43725b4455 100644
--- a/package/crds/secretsmanager.aws.upbound.io_secretrotations.yaml
+++ b/package/crds/secretsmanager.aws.upbound.io_secretrotations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -241,8 +245,22 @@ spec:
                     type: object
                 required:
                 - region
-                - rotationRules
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -414,6 +432,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: rotationRules is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rotationRules)
           status:
             description: SecretRotationStatus defines the observed state of SecretRotation.
             properties:
@@ -426,6 +447,27 @@ spec:
                     description: Specifies whether automatic rotation is enabled for
                       this secret.
                     type: boolean
+                  rotationLambdaArn:
+                    description: Specifies the ARN of the Lambda function that can
+                      rotate the secret.
+                    type: string
+                  rotationRules:
+                    description: A structure that defines the rotation configuration
+                      for this secret. Defined below.
+                    items:
+                      properties:
+                        automaticallyAfterDays:
+                          description: Specifies the number of days between automatic
+                            scheduled rotations of the secret.
+                          type: number
+                      type: object
+                    type: array
+                  secretId:
+                    description: Specifies the secret to which you want to add a new
+                      version. You can specify either the Amazon Resource Name (ARN)
+                      or the friendly name of the secret. The secret must already
+                      exist.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/secretsmanager.aws.upbound.io_secrets.yaml b/package/crds/secretsmanager.aws.upbound.io_secrets.yaml
index 50c596db15..da22f4bbab 100644
--- a/package/crds/secretsmanager.aws.upbound.io_secrets.yaml
+++ b/package/crds/secretsmanager.aws.upbound.io_secrets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -196,6 +200,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -375,9 +394,31 @@ spec:
                   arn:
                     description: ARN of the secret.
                     type: string
+                  description:
+                    description: Description of the secret.
+                    type: string
+                  forceOverwriteReplicaSecret:
+                    description: Accepts boolean value to specify whether to overwrite
+                      a secret with the same name in the destination Region.
+                    type: boolean
                   id:
                     description: ARN of the secret.
                     type: string
+                  kmsKeyId:
+                    description: ARN or Id of the AWS KMS key to be used to encrypt
+                      the secret values in the versions stored in this secret. If
+                      you don't specify this value, then Secrets Manager defaults
+                      to using the AWS account's default KMS key (the one named aws/secretsmanager).
+                      If the default KMS key with that name doesn't yet exist, then
+                      AWS Secrets Manager creates it for you automatically the first
+                      time.
+                    type: string
+                  name:
+                    description: 'Friendly name of the new secret. The secret name
+                      can consist of uppercase letters, lowercase letters, digits,
+                      and any of the following characters: /_+=.@- Conflicts with
+                      name_prefix.'
+                    type: string
                   policy:
                     description: Valid JSON document representing a resource policy.
                       Removing policy from your configuration or setting policy to
@@ -385,15 +426,31 @@ spec:
                       the policy since it could have been set by aws_secretsmanager_secret_policy.
                       To delete the policy, set it to "{}" (an empty JSON document).
                     type: string
+                  recoveryWindowInDays:
+                    description: Number of days that AWS Secrets Manager waits before
+                      it can delete the secret. This value can be 0 to force deletion
+                      without recovery or range from 7 to 30 days. The default value
+                      is 30.
+                    type: number
                   replica:
                     description: Configuration block to support secret replication.
                       See details below.
                     items:
                       properties:
+                        kmsKeyId:
+                          description: ARN, Key ID, or Alias of the AWS KMS key within
+                            the region secret is replicated to. If one is not specified,
+                            then Secrets Manager defaults to using the AWS account's
+                            default KMS key (aws/secretsmanager) in the region or
+                            creates one for use if non-existent.
+                          type: string
                         lastAccessedDate:
                           description: Date that you last accessed the secret in the
                             Region.
                           type: string
+                        region:
+                          description: Region for replicating the secret.
+                          type: string
                         status:
                           description: Status can be InProgress, Failed, or InSync.
                           type: string
@@ -430,6 +487,11 @@ spec:
                           type: number
                       type: object
                     type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/secretsmanager.aws.upbound.io_secretversions.yaml b/package/crds/secretsmanager.aws.upbound.io_secretversions.yaml
index a8552c82fe..1c70cb9d76 100644
--- a/package/crds/secretsmanager.aws.upbound.io_secretversions.yaml
+++ b/package/crds/secretsmanager.aws.upbound.io_secretversions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -203,6 +207,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -386,9 +405,27 @@ spec:
                     description: A pipe delimited combination of secret ID and version
                       ID.
                     type: string
+                  secretId:
+                    description: Specifies the secret to which you want to add a new
+                      version. You can specify either the Amazon Resource Name (ARN)
+                      or the friendly name of the secret. The secret must already
+                      exist.
+                    type: string
                   versionId:
                     description: The unique identifier of the version of the secret.
                     type: string
+                  versionStages:
+                    description: Specifies a list of staging labels that are attached
+                      to this version of the secret. A staging label must be unique
+                      to a single version of the secret. If you specify a staging
+                      label that's already associated with a different version of
+                      the same secret then that staging label is automatically removed
+                      from the other version and attached to this version. If you
+                      do not specify a value, then AWS Secrets Manager automatically
+                      moves the staging label AWSCURRENT to this new version on creation.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/securityhub.aws.upbound.io_accounts.yaml b/package/crds/securityhub.aws.upbound.io_accounts.yaml
index 90e6380ffe..6ae0e3c2c1 100644
--- a/package/crds/securityhub.aws.upbound.io_accounts.yaml
+++ b/package/crds/securityhub.aws.upbound.io_accounts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -71,6 +75,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
diff --git a/package/crds/securityhub.aws.upbound.io_actiontargets.yaml b/package/crds/securityhub.aws.upbound.io_actiontargets.yaml
index 08911ff90d..b5c1f65db6 100644
--- a/package/crds/securityhub.aws.upbound.io_actiontargets.yaml
+++ b/package/crds/securityhub.aws.upbound.io_actiontargets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -75,10 +79,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - description
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -250,6 +267,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: description is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.description)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ActionTargetStatus defines the observed state of ActionTarget.
             properties:
@@ -259,8 +281,14 @@ spec:
                     description: Amazon Resource Name (ARN) of the Security Hub custom
                       action target.
                     type: string
+                  description:
+                    description: The name of the custom action target.
+                    type: string
                   id:
                     type: string
+                  name:
+                    description: The description for the custom action target.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/securityhub.aws.upbound.io_findingaggregators.yaml b/package/crds/securityhub.aws.upbound.io_findingaggregators.yaml
index 93ef8db5c1..230081b5d8 100644
--- a/package/crds/securityhub.aws.upbound.io_findingaggregators.yaml
+++ b/package/crds/securityhub.aws.upbound.io_findingaggregators.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -82,9 +86,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - linkingMode
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: linkingMode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.linkingMode)
           status:
             description: FindingAggregatorStatus defines the observed state of FindingAggregator.
             properties:
@@ -263,6 +284,19 @@ spec:
                 properties:
                   id:
                     type: string
+                  linkingMode:
+                    description: Indicates whether to aggregate findings from all
+                      of the available Regions or from a specified list. The options
+                      are ALL_REGIONS, ALL_REGIONS_EXCEPT_SPECIFIED or SPECIFIED_REGIONS.
+                      When ALL_REGIONS or ALL_REGIONS_EXCEPT_SPECIFIED are used, Security
+                      Hub will automatically aggregate findings from new Regions as
+                      Security Hub supports them and you opt into them.
+                    type: string
+                  specifiedRegions:
+                    description: List of regions to include or exclude
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/securityhub.aws.upbound.io_insights.yaml b/package/crds/securityhub.aws.upbound.io_insights.yaml
index 39a47b8e14..d0c8773efd 100644
--- a/package/crds/securityhub.aws.upbound.io_insights.yaml
+++ b/package/crds/securityhub.aws.upbound.io_insights.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -1909,11 +1913,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - filters
-                - groupByAttribute
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -2085,6 +2101,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: filters is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filters)
+            - message: groupByAttribute is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupByAttribute)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: InsightStatus defines the observed state of Insight.
             properties:
@@ -2093,8 +2116,1611 @@ spec:
                   arn:
                     description: ARN of the insight.
                     type: string
-                  id:
-                    description: ARN of the insight.
+                  filters:
+                    description: A configuration block including one or more (up to
+                      10 distinct) attributes used to filter the findings included
+                      in the insight. The insight only includes findings that match
+                      criteria defined in the filters. See filters below for more
+                      details.
+                    items:
+                      properties:
+                        awsAccountId:
+                          description: AWS account ID that a finding is generated
+                            in. See String_Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        companyName:
+                          description: The name of the findings provider (company)
+                            that owns the solution (product) that generates findings.
+                            See String_Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        complianceStatus:
+                          description: Exclusive to findings that are generated as
+                            the result of a check run against a specific rule in a
+                            supported standard, such as CIS AWS Foundations. Contains
+                            security standard-related finding details. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        confidence:
+                          description: A finding's confidence. Confidence is defined
+                            as the likelihood that a finding accurately identifies
+                            the behavior or issue that it was intended to identify.
+                            Confidence is scored on a 0-100 basis using a ratio scale,
+                            where 0 means zero percent confidence and 100 means 100
+                            percent confidence. See Number Filter below for more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        createdAt:
+                          description: An ISO8601-formatted timestamp that indicates
+                            when the security-findings provider captured the potential
+                            security issue that a finding captured. See Date Filter
+                            below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        criticality:
+                          description: The level of importance assigned to the resources
+                            associated with the finding. A score of 0 means that the
+                            underlying resources have no criticality, and a score
+                            of 100 is reserved for the most critical resources. See
+                            Number Filter below for more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        description:
+                          description: A finding's description. See String Filter
+                            below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        findingProviderFieldsConfidence:
+                          description: The finding provider value for the finding
+                            confidence. Confidence is defined as the likelihood that
+                            a finding accurately identifies the behavior or issue
+                            that it was intended to identify. Confidence is scored
+                            on a 0-100 basis using a ratio scale, where 0 means zero
+                            percent confidence and 100 means 100 percent confidence.
+                            See Number Filter below for more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        findingProviderFieldsCriticality:
+                          description: The finding provider value for the level of
+                            importance assigned to the resources associated with the
+                            findings. A score of 0 means that the underlying resources
+                            have no criticality, and a score of 100 is reserved for
+                            the most critical resources. See Number Filter below for
+                            more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        findingProviderFieldsRelatedFindingsId:
+                          description: The finding identifier of a related finding
+                            that is identified by the finding provider. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        findingProviderFieldsRelatedFindingsProductArn:
+                          description: The ARN of the solution that generated a related
+                            finding that is identified by the finding provider. See
+                            String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        findingProviderFieldsSeverityLabel:
+                          description: The finding provider value for the severity
+                            label. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        findingProviderFieldsSeverityOriginal:
+                          description: The finding provider's original value for the
+                            severity. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        findingProviderFieldsTypes:
+                          description: 'One or more finding types that the finding
+                            provider assigned to the finding. Uses the format of namespace/category/classifier
+                            that classify a finding. Valid namespace values include:
+                            Software and Configuration Checks, TTPs, Effects, Unusual
+                            Behaviors, and Sensitive Data Identifications. See String
+                            Filter below for more details.'
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        firstObservedAt:
+                          description: An ISO8601-formatted timestamp that indicates
+                            when the security-findings provider first observed the
+                            potential security issue that a finding captured. See
+                            Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        generatorId:
+                          description: The identifier for the solution-specific component
+                            (a discrete unit of logic) that generated a finding. See
+                            String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        id:
+                          description: The security findings provider-specific identifier
+                            for a finding. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        keyword:
+                          description: A keyword for a finding. See Keyword Filter
+                            below for more details.
+                          items:
+                            properties:
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        lastObservedAt:
+                          description: An ISO8601-formatted timestamp that indicates
+                            when the security-findings provider most recently observed
+                            the potential security issue that a finding captured.
+                            See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        malwareName:
+                          description: The name of the malware that was observed.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        malwarePath:
+                          description: The filesystem path of the malware that was
+                            observed. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        malwareState:
+                          description: The state of the malware that was observed.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        malwareType:
+                          description: The type of the malware that was observed.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        networkDestinationDomain:
+                          description: The destination domain of network-related information
+                            about a finding. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        networkDestinationIpv4:
+                          description: The destination IPv4 address of network-related
+                            information about a finding. See Ip Filter below for more
+                            details.
+                          items:
+                            properties:
+                              cidr:
+                                description: A finding's CIDR value.
+                                type: string
+                            type: object
+                          type: array
+                        networkDestinationIpv6:
+                          description: The destination IPv6 address of network-related
+                            information about a finding. See Ip Filter below for more
+                            details.
+                          items:
+                            properties:
+                              cidr:
+                                description: A finding's CIDR value.
+                                type: string
+                            type: object
+                          type: array
+                        networkDestinationPort:
+                          description: The destination port of network-related information
+                            about a finding. See Number Filter below for more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        networkDirection:
+                          description: Indicates the direction of network traffic
+                            associated with a finding. See String Filter below for
+                            more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        networkProtocol:
+                          description: The protocol of network-related information
+                            about a finding. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        networkSourceDomain:
+                          description: The source domain of network-related information
+                            about a finding. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        networkSourceIpv4:
+                          description: The source IPv4 address of network-related
+                            information about a finding. See Ip Filter below for more
+                            details.
+                          items:
+                            properties:
+                              cidr:
+                                description: A finding's CIDR value.
+                                type: string
+                            type: object
+                          type: array
+                        networkSourceIpv6:
+                          description: The source IPv6 address of network-related
+                            information about a finding. See Ip Filter below for more
+                            details.
+                          items:
+                            properties:
+                              cidr:
+                                description: A finding's CIDR value.
+                                type: string
+                            type: object
+                          type: array
+                        networkSourceMac:
+                          description: The source media access control (MAC) address
+                            of network-related information about a finding. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        networkSourcePort:
+                          description: The source port of network-related information
+                            about a finding. See Number Filter below for more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        noteText:
+                          description: The text of a note. See String Filter below
+                            for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        noteUpdatedAt:
+                          description: The timestamp of when the note was updated.
+                            See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        noteUpdatedBy:
+                          description: The principal that created a note. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        processLaunchedAt:
+                          description: The date/time that the process was launched.
+                            See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        processName:
+                          description: The name of the process. See String Filter
+                            below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        processParentPid:
+                          description: The parent process ID. See Number Filter below
+                            for more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        processPath:
+                          description: The path to the process executable. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        processPid:
+                          description: The process ID. See Number Filter below for
+                            more details.
+                          items:
+                            properties:
+                              eq:
+                                description: The equal-to condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                              gte:
+                                description: The greater-than-equal condition to be
+                                  applied to a single field when querying for findings,
+                                  provided as a String.
+                                type: string
+                              lte:
+                                description: The less-than-equal condition to be applied
+                                  to a single field when querying for findings, provided
+                                  as a String.
+                                type: string
+                            type: object
+                          type: array
+                        processTerminatedAt:
+                          description: The date/time that the process was terminated.
+                            See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        productArn:
+                          description: The ARN generated by Security Hub that uniquely
+                            identifies a third-party company (security findings provider)
+                            after this provider's product (solution that generates
+                            findings) is registered with Security Hub. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        productFields:
+                          description: A data type where security-findings providers
+                            can include additional solution-specific details that
+                            aren't part of the defined AwsSecurityFinding format.
+                            See Map Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              key:
+                                description: The key of the map filter. For example,
+                                  for ResourceTags, Key identifies the name of the
+                                  tag. For UserDefinedFields, Key is the name of the
+                                  field.
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        productName:
+                          description: The name of the solution (product) that generates
+                            findings. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        recommendationText:
+                          description: The recommendation of what to do about the
+                            issue described in a finding. See String Filter below
+                            for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        recordState:
+                          description: The updated record state for the finding. See
+                            String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        relatedFindingsId:
+                          description: The solution-generated identifier for a related
+                            finding. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        relatedFindingsProductArn:
+                          description: The ARN of the solution that generated a related
+                            finding. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceIamInstanceProfileArn:
+                          description: The IAM profile ARN of the instance. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceImageId:
+                          description: The Amazon Machine Image (AMI) ID of the instance.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceIpv4Addresses:
+                          description: The IPv4 addresses associated with the instance.
+                            See Ip Filter below for more details.
+                          items:
+                            properties:
+                              cidr:
+                                description: A finding's CIDR value.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceIpv6Addresses:
+                          description: The IPv6 addresses associated with the instance.
+                            See Ip Filter below for more details.
+                          items:
+                            properties:
+                              cidr:
+                                description: A finding's CIDR value.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceKeyName:
+                          description: The key name associated with the instance.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceLaunchedAt:
+                          description: The date and time the instance was launched.
+                            See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceSubnetId:
+                          description: The identifier of the subnet that the instance
+                            was launched in. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceType:
+                          description: The instance type of the instance. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsEc2InstanceVpcId:
+                          description: The identifier of the VPC that the instance
+                            was launched in. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsIamAccessKeyCreatedAt:
+                          description: The creation date/time of the IAM access key
+                            related to a finding. See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsIamAccessKeyStatus:
+                          description: The status of the IAM access key related to
+                            a finding. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsIamAccessKeyUserName:
+                          description: The user associated with the IAM access key
+                            related to a finding. See String Filter below for more
+                            details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsS3BucketOwnerId:
+                          description: The canonical user ID of the owner of the S3
+                            bucket. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceAwsS3BucketOwnerName:
+                          description: The display name of the owner of the S3 bucket.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceContainerImageId:
+                          description: The identifier of the image related to a finding.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceContainerImageName:
+                          description: The name of the image related to a finding.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceContainerLaunchedAt:
+                          description: The date/time that the container was started.
+                            See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        resourceContainerName:
+                          description: The name of the container related to a finding.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceDetailsOther:
+                          description: The details of a resource that doesn't have
+                            a specific subfield for the resource type defined. See
+                            Map Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              key:
+                                description: The key of the map filter. For example,
+                                  for ResourceTags, Key identifies the name of the
+                                  tag. For UserDefinedFields, Key is the name of the
+                                  field.
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceId:
+                          description: The canonical identifier for the given resource
+                            type. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourcePartition:
+                          description: The canonical AWS partition name that the Region
+                            is assigned to. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceRegion:
+                          description: The canonical AWS external Region name where
+                            this resource is located. See String Filter below for
+                            more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceTags:
+                          description: A list of AWS tags associated with a resource
+                            at the time the finding was processed. See Map Filter
+                            below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              key:
+                                description: The key of the map filter. For example,
+                                  for ResourceTags, Key identifies the name of the
+                                  tag. For UserDefinedFields, Key is the name of the
+                                  field.
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        resourceType:
+                          description: Specifies the type of the resource that details
+                            are provided for. See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        severityLabel:
+                          description: The label of a finding's severity. See String
+                            Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        sourceUrl:
+                          description: A URL that links to a page about the current
+                            finding in the security-findings provider's solution.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        threatIntelIndicatorCategory:
+                          description: The category of a threat intelligence indicator.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        threatIntelIndicatorLastObservedAt:
+                          description: The date/time of the last observation of a
+                            threat intelligence indicator. See Date Filter below for
+                            more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        threatIntelIndicatorSource:
+                          description: The source of the threat intelligence. See
+                            String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        threatIntelIndicatorSourceUrl:
+                          description: The URL for more details from the source of
+                            the threat intelligence. See String Filter below for more
+                            details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        threatIntelIndicatorType:
+                          description: The type of a threat intelligence indicator.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        threatIntelIndicatorValue:
+                          description: The value of a threat intelligence indicator.
+                            See String Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        title:
+                          description: A finding's title. See String Filter below
+                            for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        type:
+                          description: A finding type in the format of namespace/category/classifier
+                            that classifies a finding. See String Filter below for
+                            more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        updatedAt:
+                          description: An ISO8601-formatted timestamp that indicates
+                            when the security-findings provider last updated the finding
+                            record. See Date Filter below for more details.
+                          items:
+                            properties:
+                              dateRange:
+                                description: A configuration block of the date range
+                                  for the date filter. See date_range below for more
+                                  details.
+                                items:
+                                  properties:
+                                    unit:
+                                      description: 'A date range unit for the date
+                                        filter. Valid values: DAYS.'
+                                      type: string
+                                    value:
+                                      description: A value for the keyword.
+                                      type: number
+                                  type: object
+                                type: array
+                              end:
+                                description: An end date for the date filter. Required
+                                  with start if date_range is not specified.
+                                type: string
+                              start:
+                                description: A start date for the date filter. Required
+                                  with end if date_range is not specified.
+                                type: string
+                            type: object
+                          type: array
+                        userDefinedValues:
+                          description: A list of name/value string pairs associated
+                            with the finding. These are custom, user-defined fields
+                            added to a finding. See Map Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              key:
+                                description: The key of the map filter. For example,
+                                  for ResourceTags, Key identifies the name of the
+                                  tag. For UserDefinedFields, Key is the name of the
+                                  field.
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        verificationState:
+                          description: The veracity of a finding. See String Filter
+                            below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                        workflowStatus:
+                          description: The status of the investigation into a finding.
+                            See Workflow Status Filter below for more details.
+                          items:
+                            properties:
+                              comparison:
+                                description: 'The condition to apply to a string value
+                                  when querying for findings. Valid values include:
+                                  EQUALS and NOT_EQUALS.'
+                                type: string
+                              value:
+                                description: A value for the keyword.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  groupByAttribute:
+                    description: The attribute used to group the findings for the
+                      insight e.g., if an insight is grouped by ResourceId, then the
+                      insight produces a list of resource identifiers.
+                    type: string
+                  id:
+                    description: ARN of the insight.
+                    type: string
+                  name:
+                    description: The name of the custom insight.
                     type: string
                 type: object
               conditions:
diff --git a/package/crds/securityhub.aws.upbound.io_inviteaccepters.yaml b/package/crds/securityhub.aws.upbound.io_inviteaccepters.yaml
index 8119efe4a5..12a8cc99c7 100644
--- a/package/crds/securityhub.aws.upbound.io_inviteaccepters.yaml
+++ b/package/crds/securityhub.aws.upbound.io_inviteaccepters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,6 +154,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -331,6 +350,10 @@ spec:
                   invitationId:
                     description: The ID of the invitation.
                     type: string
+                  masterId:
+                    description: The account ID of the master Security Hub account
+                      whose invitation you're accepting.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/securityhub.aws.upbound.io_members.yaml b/package/crds/securityhub.aws.upbound.io_members.yaml
index 2b195b5cc9..f7170c60d9 100644
--- a/package/crds/securityhub.aws.upbound.io_members.yaml
+++ b/package/crds/securityhub.aws.upbound.io_members.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,10 +83,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - accountId
-                - email
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -254,14 +271,29 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: accountId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.accountId)
+            - message: email is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)
           status:
             description: MemberStatus defines the observed state of Member.
             properties:
               atProvider:
                 properties:
+                  accountId:
+                    description: The ID of the member AWS account.
+                    type: string
+                  email:
+                    description: The email of the member AWS account.
+                    type: string
                   id:
                     description: The ID of the member AWS account (matches account_id).
                     type: string
+                  invite:
+                    description: Boolean whether to invite the account to Security
+                      Hub as a member. Defaults to false.
+                    type: boolean
                   masterId:
                     description: The ID of the master Security Hub AWS account.
                     type: string
diff --git a/package/crds/securityhub.aws.upbound.io_productsubscriptions.yaml b/package/crds/securityhub.aws.upbound.io_productsubscriptions.yaml
index 11579bdc2b..604f73c4ac 100644
--- a/package/crds/securityhub.aws.upbound.io_productsubscriptions.yaml
+++ b/package/crds/securityhub.aws.upbound.io_productsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -73,9 +77,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - productArn
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -247,6 +265,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: productArn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.productArn)
           status:
             description: ProductSubscriptionStatus defines the observed state of ProductSubscription.
             properties:
@@ -259,6 +280,10 @@ spec:
                     type: string
                   id:
                     type: string
+                  productArn:
+                    description: The ARN of the product that generates findings that
+                      you want to import into Security Hub - see below.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/securityhub.aws.upbound.io_standardssubscriptions.yaml b/package/crds/securityhub.aws.upbound.io_standardssubscriptions.yaml
index 79ece70c43..2ca0c70253 100644
--- a/package/crds/securityhub.aws.upbound.io_standardssubscriptions.yaml
+++ b/package/crds/securityhub.aws.upbound.io_standardssubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -73,8 +77,22 @@ spec:
                     type: string
                 required:
                 - region
-                - standardsArn
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: standardsArn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.standardsArn)
           status:
             description: StandardsSubscriptionStatus defines the observed state of
               StandardsSubscription.
@@ -256,6 +277,9 @@ spec:
                     description: The ARN of a resource that represents your subscription
                       to a supported standard.
                     type: string
+                  standardsArn:
+                    description: The ARN of a standard - see below.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/serverlessrepo.aws.upbound.io_cloudformationstacks.yaml b/package/crds/serverlessrepo.aws.upbound.io_cloudformationstacks.yaml
index 65c158b9a1..88b1d85965 100644
--- a/package/crds/serverlessrepo.aws.upbound.io_cloudformationstacks.yaml
+++ b/package/crds/serverlessrepo.aws.upbound.io_cloudformationstacks.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -99,11 +103,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - applicationId
-                - capabilities
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -275,19 +291,55 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: applicationId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.applicationId)
+            - message: capabilities is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.capabilities)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: CloudFormationStackStatus defines the observed state of CloudFormationStack.
             properties:
               atProvider:
                 properties:
+                  applicationId:
+                    description: The ARN of the application from the Serverless Application
+                      Repository.
+                    type: string
+                  capabilities:
+                    description: A list of capabilities. Valid values are CAPABILITY_IAM,
+                      CAPABILITY_NAMED_IAM, CAPABILITY_RESOURCE_POLICY, or CAPABILITY_AUTO_EXPAND
+                    items:
+                      type: string
+                    type: array
                   id:
                     description: A unique identifier of the stack.
                     type: string
+                  name:
+                    description: The name of the stack to create. The resource deployed
+                      in AWS will be prefixed with serverlessrepo-
+                    type: string
                   outputs:
                     additionalProperties:
                       type: string
                     description: A map of outputs from the stack.
                     type: object
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: A map of Parameter structures that specify input
+                      parameters for the stack.
+                    type: object
+                  semanticVersion:
+                    description: The version of the application to deploy. If not
+                      supplied, deploys the latest version.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/servicecatalog.aws.upbound.io_budgetresourceassociations.yaml b/package/crds/servicecatalog.aws.upbound.io_budgetresourceassociations.yaml
index 3822fde2f4..611077932f 100644
--- a/package/crds/servicecatalog.aws.upbound.io_budgetresourceassociations.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_budgetresourceassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -224,6 +228,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -401,9 +420,15 @@ spec:
             properties:
               atProvider:
                 properties:
+                  budgetName:
+                    description: Budget name.
+                    type: string
                   id:
                     description: Identifier of the association.
                     type: string
+                  resourceId:
+                    description: Resource identifier.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_constraints.yaml b/package/crds/servicecatalog.aws.upbound.io_constraints.yaml
index 892768d6b5..a5311ef6b1 100644
--- a/package/crds/servicecatalog.aws.upbound.io_constraints.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_constraints.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -240,10 +244,23 @@ spec:
                       RESOURCE_UPDATE, STACKSET, and TEMPLATE.
                     type: string
                 required:
-                - parameters
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -415,19 +432,45 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: parameters is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.parameters)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: ConstraintStatus defines the observed state of Constraint.
             properties:
               atProvider:
                 properties:
+                  acceptLanguage:
+                    description: 'Language code. Valid values: en (English), jp (Japanese),
+                      zh (Chinese). Default value is en.'
+                    type: string
+                  description:
+                    description: Description of the constraint.
+                    type: string
                   id:
                     description: Constraint identifier.
                     type: string
                   owner:
                     description: Owner of the constraint.
                     type: string
+                  parameters:
+                    description: Constraint parameters in JSON format. The syntax
+                      depends on the constraint type. See details below.
+                    type: string
+                  portfolioId:
+                    description: Portfolio identifier.
+                    type: string
+                  productId:
+                    description: Product identifier.
+                    type: string
                   status:
                     type: string
+                  type:
+                    description: Type of constraint. Valid values are LAUNCH, NOTIFICATION,
+                      RESOURCE_UPDATE, STACKSET, and TEMPLATE.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_portfolios.yaml b/package/crds/servicecatalog.aws.upbound.io_portfolios.yaml
index e93d9cbb5a..6498d358f7 100644
--- a/package/crds/servicecatalog.aws.upbound.io_portfolios.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_portfolios.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,10 +87,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
-                - providerName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,6 +275,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: providerName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.providerName)
           status:
             description: PortfolioStatus defines the observed state of Portfolio.
             properties:
@@ -267,9 +289,23 @@ spec:
                     type: string
                   createdTime:
                     type: string
+                  description:
+                    description: Description of the portfolio
+                    type: string
                   id:
                     description: The ID of the Service Catalog Portfolio.
                     type: string
+                  name:
+                    description: The name of the portfolio.
+                    type: string
+                  providerName:
+                    description: Name of the person or organization who owns the portfolio.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/servicecatalog.aws.upbound.io_portfolioshares.yaml b/package/crds/servicecatalog.aws.upbound.io_portfolioshares.yaml
index 4bd037f3c1..4a9136dc3e 100644
--- a/package/crds/servicecatalog.aws.upbound.io_portfolioshares.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_portfolioshares.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -175,10 +179,23 @@ spec:
                       to be accepted. Organizational shares are automatically accepted.
                     type: boolean
                 required:
-                - principalId
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -350,11 +367,20 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: principalId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principalId)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: PortfolioShareStatus defines the observed state of PortfolioShare.
             properties:
               atProvider:
                 properties:
+                  acceptLanguage:
+                    description: 'Language code. Valid values: en (English), jp (Japanese),
+                      zh (Chinese). Default value is en.'
+                    type: string
                   accepted:
                     description: Whether the shared portfolio is imported by the recipient
                       account. If the recipient is organizational, the share is automatically
@@ -362,6 +388,33 @@ spec:
                     type: boolean
                   id:
                     type: string
+                  portfolioId:
+                    description: Portfolio identifier.
+                    type: string
+                  principalId:
+                    description: Identifier of the principal with whom you will share
+                      the portfolio. Valid values AWS account IDs and ARNs of AWS
+                      Organizations and organizational units.
+                    type: string
+                  sharePrincipals:
+                    description: Enables or disables Principal sharing when creating
+                      the portfolio share. If this flag is not provided, principal
+                      sharing is disabled.
+                    type: boolean
+                  shareTagOptions:
+                    description: Whether to enable sharing of aws_servicecatalog_tag_option
+                      resources when creating the portfolio share.
+                    type: boolean
+                  type:
+                    description: Type of portfolio share. Valid values are ACCOUNT
+                      (an external account), ORGANIZATION (a share to every account
+                      in an organization), ORGANIZATIONAL_UNIT, ORGANIZATION_MEMBER_ACCOUNT
+                      (a share to an account in an organization).
+                    type: string
+                  waitForAcceptance:
+                    description: Whether to wait (up to the timeout) for the share
+                      to be accepted. Organizational shares are automatically accepted.
+                    type: boolean
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_principalportfolioassociations.yaml b/package/crds/servicecatalog.aws.upbound.io_principalportfolioassociations.yaml
index 300399aa63..9a65856084 100644
--- a/package/crds/servicecatalog.aws.upbound.io_principalportfolioassociations.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_principalportfolioassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -231,9 +235,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - acceptLanguage
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,15 +423,33 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: acceptLanguage is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.acceptLanguage)
           status:
             description: PrincipalPortfolioAssociationStatus defines the observed
               state of PrincipalPortfolioAssociation.
             properties:
               atProvider:
                 properties:
+                  acceptLanguage:
+                    description: 'Language code. Valid values: en (English), jp (Japanese),
+                      zh (Chinese). Default value is en.'
+                    type: string
                   id:
                     description: Identifier of the association.
                     type: string
+                  portfolioId:
+                    description: Portfolio identifier.
+                    type: string
+                  principalArn:
+                    description: Principal ARN.
+                    type: string
+                  principalType:
+                    description: Principal type. Setting this argument empty (e.g.,
+                      principal_type = "") will result in an error. Valid value is
+                      IAM. Default is IAM.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_productportfolioassociations.yaml b/package/crds/servicecatalog.aws.upbound.io_productportfolioassociations.yaml
index 26ccf0999a..e48cdfaf46 100644
--- a/package/crds/servicecatalog.aws.upbound.io_productportfolioassociations.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_productportfolioassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -229,9 +233,23 @@ spec:
                     description: Identifier of the source portfolio.
                     type: string
                 required:
-                - acceptLanguage
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -403,15 +421,31 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: acceptLanguage is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.acceptLanguage)
           status:
             description: ProductPortfolioAssociationStatus defines the observed state
               of ProductPortfolioAssociation.
             properties:
               atProvider:
                 properties:
+                  acceptLanguage:
+                    description: 'Language code. Valid values: en (English), jp (Japanese),
+                      zh (Chinese). Default value is en.'
+                    type: string
                   id:
                     description: Identifier of the association.
                     type: string
+                  portfolioId:
+                    description: Portfolio identifier.
+                    type: string
+                  productId:
+                    description: Product identifier.
+                    type: string
+                  sourcePortfolioId:
+                    description: Identifier of the source portfolio.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_products.yaml b/package/crds/servicecatalog.aws.upbound.io_products.yaml
index 67fb4c66b5..778887db89 100644
--- a/package/crds/servicecatalog.aws.upbound.io_products.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_products.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -139,12 +143,23 @@ spec:
                       MARKETPLACE.
                     type: string
                 required:
-                - name
-                - owner
-                - provisioningArtifactParameters
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -316,17 +331,36 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: owner is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.owner)
+            - message: provisioningArtifactParameters is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.provisioningArtifactParameters)
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: ProductStatus defines the observed state of Product.
             properties:
               atProvider:
                 properties:
+                  acceptLanguage:
+                    description: 'Language code. Valid values: en (English), jp (Japanese),
+                      zh (Chinese). Default value is en.'
+                    type: string
                   arn:
                     description: ARN of the product.
                     type: string
                   createdTime:
                     description: Time when the product was created.
                     type: string
+                  description:
+                    description: Description of the product.
+                    type: string
+                  distributor:
+                    description: Distributor (i.e., vendor) of the product.
+                    type: string
                   hasDefaultPath:
                     description: Whether the product has a default path. If the product
                       does not have a default path, call ListLaunchPaths to disambiguate
@@ -337,9 +371,65 @@ spec:
                   id:
                     description: Product ID. For example, prod-dnigbtea24ste.
                     type: string
+                  name:
+                    description: Name of the product.
+                    type: string
+                  owner:
+                    description: Owner of the product.
+                    type: string
+                  provisioningArtifactParameters:
+                    description: Configuration block for provisioning artifact (i.e.,
+                      version) parameters. Detailed below.
+                    items:
+                      properties:
+                        description:
+                          description: Description of the provisioning artifact (i.e.,
+                            version), including how it differs from the previous provisioning
+                            artifact.
+                          type: string
+                        disableTemplateValidation:
+                          description: Whether AWS Service Catalog stops validating
+                            the specified provisioning artifact template even if it
+                            is invalid.
+                          type: boolean
+                        name:
+                          description: Name of the provisioning artifact (for example,
+                            v1, v2beta). No spaces are allowed.
+                          type: string
+                        templatePhysicalId:
+                          description: Template source as the physical ID of the resource
+                            that contains the template. Currently only supports CloudFormation
+                            stack ARN. Specify the physical ID as arn:[partition]:cloudformation:[region]:[account
+                            ID]:stack/[stack name]/[resource ID].
+                          type: string
+                        templateUrl:
+                          description: Template source as URL of the CloudFormation
+                            template in Amazon S3.
+                          type: string
+                        type:
+                          description: 'Type of provisioning artifact. Valid values:
+                            CLOUD_FORMATION_TEMPLATE, MARKETPLACE_AMI, MARKETPLACE_CAR
+                            (Marketplace Clusters and AWS Resources).'
+                          type: string
+                      type: object
+                    type: array
                   status:
                     description: Status of the product.
                     type: string
+                  supportDescription:
+                    description: Support information about the product.
+                    type: string
+                  supportEmail:
+                    description: Contact email for product support.
+                    type: string
+                  supportUrl:
+                    description: Contact URL for product support.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -347,6 +437,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: Type of product. Valid values are CLOUD_FORMATION_TEMPLATE,
+                      MARKETPLACE.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_provisioningartifacts.yaml b/package/crds/servicecatalog.aws.upbound.io_provisioningartifacts.yaml
index 538a14337d..80790fb6c8 100644
--- a/package/crds/servicecatalog.aws.upbound.io_provisioningartifacts.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_provisioningartifacts.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -194,6 +198,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -371,13 +390,61 @@ spec:
             properties:
               atProvider:
                 properties:
+                  acceptLanguage:
+                    description: 'Language code. Valid values: en (English), jp (Japanese),
+                      zh (Chinese). The default value is en.'
+                    type: string
+                  active:
+                    description: Whether the product version is active. Inactive provisioning
+                      artifacts are invisible to end users. End users cannot launch
+                      or update a provisioned product from an inactive provisioning
+                      artifact. Default is true.
+                    type: boolean
                   createdTime:
                     description: Time when the provisioning artifact was created.
                     type: string
+                  description:
+                    description: Description of the provisioning artifact (i.e., version),
+                      including how it differs from the previous provisioning artifact.
+                    type: string
+                  disableTemplateValidation:
+                    description: Whether AWS Service Catalog stops validating the
+                      specified provisioning artifact template even if it is invalid.
+                    type: boolean
+                  guidance:
+                    description: Information set by the administrator to provide guidance
+                      to end users about which provisioning artifacts to use. Valid
+                      values are DEFAULT and DEPRECATED. The default is DEFAULT. Users
+                      are able to make updates to a provisioned product of a deprecated
+                      version but cannot launch new provisioned products using a deprecated
+                      version.
+                    type: string
                   id:
                     description: Provisioning Artifact identifier and product identifier
                       separated by a colon.
                     type: string
+                  name:
+                    description: Name of the provisioning artifact (for example, v1,
+                      v2beta). No spaces are allowed.
+                    type: string
+                  productId:
+                    description: Identifier of the product.
+                    type: string
+                  templatePhysicalId:
+                    description: Template source as the physical ID of the resource
+                      that contains the template. Currently only supports CloudFormation
+                      stack ARN. Specify the physical ID as arn:[partition]:cloudformation:[region]:[account
+                      ID]:stack/[stack name]/[resource ID].
+                    type: string
+                  templateUrl:
+                    description: Template source as URL of the CloudFormation template
+                      in Amazon S3.
+                    type: string
+                  type:
+                    description: 'Type of provisioning artifact. Valid values: CLOUD_FORMATION_TEMPLATE,
+                      MARKETPLACE_AMI, MARKETPLACE_CAR (Marketplace Clusters and AWS
+                      Resources).'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_serviceactions.yaml b/package/crds/servicecatalog.aws.upbound.io_serviceactions.yaml
index 3a9b40cc20..106912c090 100644
--- a/package/crds/servicecatalog.aws.upbound.io_serviceactions.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_serviceactions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -110,10 +114,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - definition
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -285,14 +302,57 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: definition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ServiceActionStatus defines the observed state of ServiceAction.
             properties:
               atProvider:
                 properties:
+                  acceptLanguage:
+                    description: Language code. Valid values are en (English), jp
+                      (Japanese), and zh (Chinese). Default is en.
+                    type: string
+                  definition:
+                    description: Self-service action definition configuration block.
+                      Detailed below.
+                    items:
+                      properties:
+                        assumeRole:
+                          description: ARN of the role that performs the self-service
+                            actions on your behalf. For example, arn:aws:iam::12345678910:role/ActionRole.
+                            To reuse the provisioned product launch role, set to LAUNCH_ROLE.
+                          type: string
+                        name:
+                          description: Name of the SSM document. For example, AWS-RestartEC2Instance.
+                            If you are using a shared SSM document, you must provide
+                            the ARN instead of the name.
+                          type: string
+                        parameters:
+                          description: 'List of parameters in JSON format. For example:
+                            [{\"Name\":\"InstanceId\",\"Type\":\"TARGET\"}] or [{\"Name\":\"InstanceId\",\"Type\":\"TEXT_VALUE\"}].'
+                          type: string
+                        type:
+                          description: Service action definition type. Valid value
+                            is SSM_AUTOMATION. Default is SSM_AUTOMATION.
+                          type: string
+                        version:
+                          description: SSM document version. For example, 1.
+                          type: string
+                      type: object
+                    type: array
+                  description:
+                    description: Self-service action description.
+                    type: string
                   id:
                     description: Identifier of the service action.
                     type: string
+                  name:
+                    description: Self-service action name.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_tagoptionresourceassociations.yaml b/package/crds/servicecatalog.aws.upbound.io_tagoptionresourceassociations.yaml
index e1b18ffe7d..e067dc2082 100644
--- a/package/crds/servicecatalog.aws.upbound.io_tagoptionresourceassociations.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_tagoptionresourceassociations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -224,6 +228,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -413,9 +432,15 @@ spec:
                   resourceDescription:
                     description: Description of the resource.
                     type: string
+                  resourceId:
+                    description: Resource identifier.
+                    type: string
                   resourceName:
                     description: Description of the resource.
                     type: string
+                  tagOptionId:
+                    description: Tag Option identifier.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicecatalog.aws.upbound.io_tagoptions.yaml b/package/crds/servicecatalog.aws.upbound.io_tagoptions.yaml
index cc519f4350..60926d45e8 100644
--- a/package/crds/servicecatalog.aws.upbound.io_tagoptions.yaml
+++ b/package/crds/servicecatalog.aws.upbound.io_tagoptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,10 +82,23 @@ spec:
                     description: Tag option value.
                     type: string
                 required:
-                - key
                 - region
-                - value
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -253,16 +270,30 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: key is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)
+            - message: value is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)
           status:
             description: TagOptionStatus defines the observed state of TagOption.
             properties:
               atProvider:
                 properties:
+                  active:
+                    description: Whether tag option is active. Default is true.
+                    type: boolean
                   id:
                     description: Identifier (e.g., tag-pjtvagohlyo3m).
                     type: string
+                  key:
+                    description: Tag option key.
+                    type: string
                   owner:
                     type: string
+                  value:
+                    description: Tag option value.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicediscovery.aws.upbound.io_httpnamespaces.yaml b/package/crds/servicediscovery.aws.upbound.io_httpnamespaces.yaml
index 2162842195..3172b7ac5e 100644
--- a/package/crds/servicediscovery.aws.upbound.io_httpnamespaces.yaml
+++ b/package/crds/servicediscovery.aws.upbound.io_httpnamespaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,9 +85,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -255,6 +273,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: HTTPNamespaceStatus defines the observed state of HTTPNamespace.
             properties:
@@ -264,12 +285,24 @@ spec:
                     description: The ARN that Amazon Route 53 assigns to the namespace
                       when you create it.
                     type: string
+                  description:
+                    description: The description that you specify for the namespace
+                      when you create it.
+                    type: string
                   httpName:
                     description: The name of an HTTP namespace.
                     type: string
                   id:
                     description: The ID of a namespace.
                     type: string
+                  name:
+                    description: The name of the http namespace.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/servicediscovery.aws.upbound.io_privatednsnamespaces.yaml b/package/crds/servicediscovery.aws.upbound.io_privatednsnamespaces.yaml
index 53563f95f5..5bb0bb87a4 100644
--- a/package/crds/servicediscovery.aws.upbound.io_privatednsnamespaces.yaml
+++ b/package/crds/servicediscovery.aws.upbound.io_privatednsnamespaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,9 +162,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -332,6 +350,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: PrivateDNSNamespaceStatus defines the observed state of PrivateDNSNamespace.
             properties:
@@ -341,6 +362,10 @@ spec:
                     description: The ARN that Amazon Route 53 assigns to the namespace
                       when you create it.
                     type: string
+                  description:
+                    description: The description that you specify for the namespace
+                      when you create it.
+                    type: string
                   hostedZone:
                     description: The ID for the hosted zone that Amazon Route 53 creates
                       when you create a namespace.
@@ -348,6 +373,14 @@ spec:
                   id:
                     description: The ID of a namespace.
                     type: string
+                  name:
+                    description: The name of the namespace.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -355,6 +388,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  vpc:
+                    description: The ID of VPC that you want to associate the namespace
+                      with.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicediscovery.aws.upbound.io_publicdnsnamespaces.yaml b/package/crds/servicediscovery.aws.upbound.io_publicdnsnamespaces.yaml
index 1abe5d20bc..14daa9b688 100644
--- a/package/crds/servicediscovery.aws.upbound.io_publicdnsnamespaces.yaml
+++ b/package/crds/servicediscovery.aws.upbound.io_publicdnsnamespaces.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,9 +85,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -255,6 +273,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: PublicDNSNamespaceStatus defines the observed state of PublicDNSNamespace.
             properties:
@@ -264,6 +285,10 @@ spec:
                     description: The ARN that Amazon Route 53 assigns to the namespace
                       when you create it.
                     type: string
+                  description:
+                    description: The description that you specify for the namespace
+                      when you create it.
+                    type: string
                   hostedZone:
                     description: The ID for the hosted zone that Amazon Route 53 creates
                       when you create a namespace.
@@ -271,6 +296,14 @@ spec:
                   id:
                     description: The ID of a namespace.
                     type: string
+                  name:
+                    description: The name of the namespace.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/servicediscovery.aws.upbound.io_services.yaml b/package/crds/servicediscovery.aws.upbound.io_services.yaml
index 127de079d2..be8c7cdf1f 100644
--- a/package/crds/servicediscovery.aws.upbound.io_services.yaml
+++ b/package/crds/servicediscovery.aws.upbound.io_services.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -246,9 +250,23 @@ spec:
                       only valid value is HTTP.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -420,6 +438,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ServiceStatus defines the observed state of Service.
             properties:
@@ -428,9 +449,97 @@ spec:
                   arn:
                     description: The ARN of the service.
                     type: string
+                  description:
+                    description: The description of the service.
+                    type: string
+                  dnsConfig:
+                    description: A complex type that contains information about the
+                      resource record sets that you want Amazon Route 53 to create
+                      when you register an instance.
+                    items:
+                      properties:
+                        dnsRecords:
+                          description: An array that contains one DnsRecord object
+                            for each resource record set.
+                          items:
+                            properties:
+                              ttl:
+                                description: The amount of time, in seconds, that
+                                  you want DNS resolvers to cache the settings for
+                                  this resource record set.
+                                type: number
+                              type:
+                                description: 'The type of the resource, which indicates
+                                  the value that Amazon Route 53 returns in response
+                                  to DNS queries. Valid Values: A, AAAA, SRV, CNAME'
+                                type: string
+                            type: object
+                          type: array
+                        namespaceId:
+                          description: The ID of the namespace to use for DNS configuration.
+                          type: string
+                        routingPolicy:
+                          description: 'The routing policy that you want to apply
+                            to all records that Route 53 creates when you register
+                            an instance and specify the service. Valid Values: MULTIVALUE,
+                            WEIGHTED'
+                          type: string
+                      type: object
+                    type: array
+                  forceDestroy:
+                    description: A boolean that indicates all instances should be
+                      deleted from the service so that the service can be destroyed
+                      without error. These instances are not recoverable.
+                    type: boolean
+                  healthCheckConfig:
+                    description: A complex type that contains settings for an optional
+                      health check. Only for Public DNS namespaces.
+                    items:
+                      properties:
+                        failureThreshold:
+                          description: The number of consecutive health checks. Maximum
+                            value of 10.
+                          type: number
+                        resourcePath:
+                          description: The path that you want Route 53 to request
+                            when performing health checks. Route 53 automatically
+                            adds the DNS name for the service. If you don't specify
+                            a value, the default value is /.
+                          type: string
+                        type:
+                          description: 'The type of health check that you want to
+                            create, which indicates how Route 53 determines whether
+                            an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP'
+                          type: string
+                      type: object
+                    type: array
+                  healthCheckCustomConfig:
+                    description: A complex type that contains settings for ECS managed
+                      health checks.
+                    items:
+                      properties:
+                        failureThreshold:
+                          description: The number of 30-second intervals that you
+                            want service discovery to wait before it changes the health
+                            status of a service instance.  Maximum value of 10.
+                          type: number
+                      type: object
+                    type: array
                   id:
                     description: The ID of the service.
                     type: string
+                  name:
+                    description: The name of the service.
+                    type: string
+                  namespaceId:
+                    description: The ID of the namespace that you want to use to create
+                      the service.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -438,6 +547,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  type:
+                    description: If present, specifies that the service instances
+                      are only discoverable using the DiscoverInstances API operation.
+                      No DNS records is registered for the service instances. The
+                      only valid value is HTTP.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/servicequotas.aws.upbound.io_servicequotas.yaml b/package/crds/servicequotas.aws.upbound.io_servicequotas.yaml
index 283a752f62..ca31b6fdf4 100644
--- a/package/crds/servicequotas.aws.upbound.io_servicequotas.yaml
+++ b/package/crds/servicequotas.aws.upbound.io_servicequotas.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -86,11 +90,23 @@ spec:
                       of the pending request.
                     type: number
                 required:
-                - quotaCode
                 - region
-                - serviceCode
-                - value
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -262,6 +278,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: quotaCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.quotaCode)
+            - message: serviceCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceCode)
+            - message: value is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)
           status:
             description: ServiceQuotaStatus defines the observed state of ServiceQuota.
             properties:
@@ -280,6 +303,11 @@ spec:
                     description: Service code and quota code, separated by a front
                       slash (/)
                     type: string
+                  quotaCode:
+                    description: 'Code of the service quota to track. For example:
+                      L-F678F1CE. Available values can be found with the AWS CLI service-quotas
+                      list-service-quotas command.'
+                    type: string
                   quotaName:
                     description: Name of the quota.
                     type: string
@@ -289,9 +317,21 @@ spec:
                     type: string
                   requestStatus:
                     type: string
+                  serviceCode:
+                    description: 'Code of the service to track. For example: vpc.
+                      Available values can be found with the AWS CLI service-quotas
+                      list-services command.'
+                    type: string
                   serviceName:
                     description: Name of the service.
                     type: string
+                  value:
+                    description: Float specifying the desired value for the service
+                      quota. If the desired value is higher than the current value,
+                      a quota increase request is submitted. When a known request
+                      is submitted and pending, the value reflects the desired value
+                      of the pending request.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_activereceiptrulesets.yaml b/package/crds/ses.aws.upbound.io_activereceiptrulesets.yaml
index 2ce34eccfc..8de6726b47 100644
--- a/package/crds/ses.aws.upbound.io_activereceiptrulesets.yaml
+++ b/package/crds/ses.aws.upbound.io_activereceiptrulesets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -73,8 +77,22 @@ spec:
                     type: string
                 required:
                 - region
-                - ruleSetName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: ruleSetName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleSetName)
           status:
             description: ActiveReceiptRuleSetStatus defines the observed state of
               ActiveReceiptRuleSet.
@@ -258,6 +279,9 @@ spec:
                   id:
                     description: The SES receipt rule set name.
                     type: string
+                  ruleSetName:
+                    description: The name of the rule set
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_configurationsets.yaml b/package/crds/ses.aws.upbound.io_configurationsets.yaml
index 9d4171de53..34c8b25696 100644
--- a/package/crds/ses.aws.upbound.io_configurationsets.yaml
+++ b/package/crds/ses.aws.upbound.io_configurationsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -108,6 +112,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -287,6 +306,22 @@ spec:
                   arn:
                     description: SES configuration set ARN.
                     type: string
+                  deliveryOptions:
+                    description: Whether messages that use the configuration set are
+                      required to use TLS. See below.
+                    items:
+                      properties:
+                        tlsPolicy:
+                          description: 'Whether messages that use the configuration
+                            set are required to use Transport Layer Security (TLS).
+                            If the value is Require, messages are only delivered if
+                            a TLS connection can be established. If the value is Optional,
+                            messages can be delivered in plain text if a TLS connection
+                            can''t be established. Valid values: Require or Optional.
+                            Defaults to Optional.'
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: SES configuration set name.
                     type: string
@@ -295,6 +330,27 @@ spec:
                       the configuration set were last reset. Resetting these metrics
                       is known as a fresh start.
                     type: string
+                  reputationMetricsEnabled:
+                    description: Whether or not Amazon SES publishes reputation metrics
+                      for the configuration set, such as bounce and complaint rates,
+                      to Amazon CloudWatch. The default value is false.
+                    type: boolean
+                  sendingEnabled:
+                    description: Whether email sending is enabled or disabled for
+                      the configuration set. The default value is true.
+                    type: boolean
+                  trackingOptions:
+                    description: 'Domain that is used to redirect email recipients
+                      to an Amazon SES-operated domain. See below. NOTE: This functionality
+                      is best effort.'
+                    items:
+                      properties:
+                        customRedirectDomain:
+                          description: Custom subdomain that is used to redirect email
+                            recipients to the Amazon SES event tracking domain.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_domaindkims.yaml b/package/crds/ses.aws.upbound.io_domaindkims.yaml
index 319ae5e2ff..c7f4d58168 100644
--- a/package/crds/ses.aws.upbound.io_domaindkims.yaml
+++ b/package/crds/ses.aws.upbound.io_domaindkims.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -71,6 +75,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
diff --git a/package/crds/ses.aws.upbound.io_domainidentities.yaml b/package/crds/ses.aws.upbound.io_domainidentities.yaml
index 09de2b2696..d23b690016 100644
--- a/package/crds/ses.aws.upbound.io_domainidentities.yaml
+++ b/package/crds/ses.aws.upbound.io_domainidentities.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - domain
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: domain is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.domain)
           status:
             description: DomainIdentityStatus defines the observed state of DomainIdentity.
             properties:
@@ -254,6 +275,9 @@ spec:
                   arn:
                     description: The ARN of the domain identity.
                     type: string
+                  domain:
+                    description: The domain name to assign to SES
+                    type: string
                   id:
                     type: string
                   verificationToken:
diff --git a/package/crds/ses.aws.upbound.io_domainmailfroms.yaml b/package/crds/ses.aws.upbound.io_domainmailfroms.yaml
index e147c67513..17213e3f5d 100644
--- a/package/crds/ses.aws.upbound.io_domainmailfroms.yaml
+++ b/package/crds/ses.aws.upbound.io_domainmailfroms.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -158,9 +162,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - mailFromDomain
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -332,14 +350,31 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: mailFromDomain is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.mailFromDomain)
           status:
             description: DomainMailFromStatus defines the observed state of DomainMailFrom.
             properties:
               atProvider:
                 properties:
+                  behaviorOnMxFailure:
+                    description: The action that you want Amazon SES to take if it
+                      cannot successfully read the required MX record when you send
+                      an email. Defaults to UseDefaultValue. See the SES API documentation
+                      for more information.
+                    type: string
+                  domain:
+                    description: Verified domain name or email identity to generate
+                      DKIM tokens for.
+                    type: string
                   id:
                     description: The domain name.
                     type: string
+                  mailFromDomain:
+                    description: Subdomain (of above domain) which is to be used as
+                      MAIL FROM address
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_emailidentities.yaml b/package/crds/ses.aws.upbound.io_emailidentities.yaml
index ff421ee268..6224bbe258 100644
--- a/package/crds/ses.aws.upbound.io_emailidentities.yaml
+++ b/package/crds/ses.aws.upbound.io_emailidentities.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -72,9 +76,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - email
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: email is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.email)
           status:
             description: EmailIdentityStatus defines the observed state of EmailIdentity.
             properties:
@@ -254,6 +275,9 @@ spec:
                   arn:
                     description: The ARN of the email identity.
                     type: string
+                  email:
+                    description: The email address to assign to SES.
+                    type: string
                   id:
                     type: string
                 type: object
diff --git a/package/crds/ses.aws.upbound.io_eventdestinations.yaml b/package/crds/ses.aws.upbound.io_eventdestinations.yaml
index f2a290a889..bdde874f1d 100644
--- a/package/crds/ses.aws.upbound.io_eventdestinations.yaml
+++ b/package/crds/ses.aws.upbound.io_eventdestinations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -428,9 +432,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - matchingTypes
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -602,6 +620,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: matchingTypes is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.matchingTypes)
           status:
             description: EventDestinationStatus defines the observed state of EventDestination.
             properties:
@@ -610,9 +631,59 @@ spec:
                   arn:
                     description: The SES event destination ARN.
                     type: string
+                  cloudwatchDestination:
+                    description: CloudWatch destination for the events
+                    items:
+                      properties:
+                        defaultValue:
+                          description: The default value for the event
+                          type: string
+                        dimensionName:
+                          description: The name for the dimension
+                          type: string
+                        valueSource:
+                          description: The source for the value. May be any of "messageTag",
+                            "emailHeader" or "linkTag".
+                          type: string
+                      type: object
+                    type: array
+                  configurationSetName:
+                    description: The name of the configuration set
+                    type: string
+                  enabled:
+                    description: If true, the event destination will be enabled
+                    type: boolean
                   id:
                     description: The SES event destination name.
                     type: string
+                  kinesisDestination:
+                    description: Send the events to a kinesis firehose destination
+                    items:
+                      properties:
+                        roleArn:
+                          description: The ARN of the role that has permissions to
+                            access the Kinesis Stream
+                          type: string
+                        streamArn:
+                          description: The ARN of the Kinesis Stream
+                          type: string
+                      type: object
+                    type: array
+                  matchingTypes:
+                    description: A list of matching types. May be any of "send", "reject",
+                      "bounce", "complaint", "delivery", "open", "click", or "renderingFailure".
+                    items:
+                      type: string
+                    type: array
+                  snsDestination:
+                    description: Send the events to an SNS Topic destination
+                    items:
+                      properties:
+                        topicArn:
+                          description: The ARN of the SNS topic
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_identitynotificationtopics.yaml b/package/crds/ses.aws.upbound.io_identitynotificationtopics.yaml
index aa3e95bebd..f5e89ebdc8 100644
--- a/package/crds/ses.aws.upbound.io_identitynotificationtopics.yaml
+++ b/package/crds/ses.aws.upbound.io_identitynotificationtopics.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -236,9 +240,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - notificationType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -410,6 +428,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: notificationType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.notificationType)
           status:
             description: IdentityNotificationTopicStatus defines the observed state
               of IdentityNotificationTopic.
@@ -418,6 +439,24 @@ spec:
                 properties:
                   id:
                     type: string
+                  identity:
+                    description: The identity for which the Amazon SNS topic will
+                      be set. You can specify an identity by using its name or by
+                      using its Amazon Resource Name (ARN).
+                    type: string
+                  includeOriginalHeaders:
+                    description: Whether SES should include original email headers
+                      in SNS notifications of this type. false by default.
+                    type: boolean
+                  notificationType:
+                    description: 'The type of notifications that will be published
+                      to the specified Amazon SNS topic. Valid Values: Bounce, Complaint
+                      or Delivery.'
+                    type: string
+                  topicArn:
+                    description: The Amazon Resource Name (ARN) of the Amazon SNS
+                      topic. Can be set to "" (an empty string) to disable publishing.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_identitypolicies.yaml b/package/crds/ses.aws.upbound.io_identitypolicies.yaml
index 90b65e9ac3..0cd9f5f45b 100644
--- a/package/crds/ses.aws.upbound.io_identitypolicies.yaml
+++ b/package/crds/ses.aws.upbound.io_identitypolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -153,10 +157,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -328,6 +345,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: IdentityPolicyStatus defines the observed state of IdentityPolicy.
             properties:
@@ -335,6 +357,15 @@ spec:
                 properties:
                   id:
                     type: string
+                  identity:
+                    description: Name or Amazon Resource Name (ARN) of the SES Identity.
+                    type: string
+                  name:
+                    description: Name of the policy.
+                    type: string
+                  policy:
+                    description: JSON string of the policy.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_receiptfilters.yaml b/package/crds/ses.aws.upbound.io_receiptfilters.yaml
index e47b421282..79310d14cc 100644
--- a/package/crds/ses.aws.upbound.io_receiptfilters.yaml
+++ b/package/crds/ses.aws.upbound.io_receiptfilters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,10 +80,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - cidr
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -251,6 +268,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: cidr is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cidr)
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: ReceiptFilterStatus defines the observed state of ReceiptFilter.
             properties:
@@ -259,9 +281,16 @@ spec:
                   arn:
                     description: The SES receipt filter ARN.
                     type: string
+                  cidr:
+                    description: The IP address or address range to filter, in CIDR
+                      notation
+                    type: string
                   id:
                     description: The SES receipt filter name.
                     type: string
+                  policy:
+                    description: Block or Allow
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_receiptrules.yaml b/package/crds/ses.aws.upbound.io_receiptrules.yaml
index f7b666ac68..70e2bdcb2b 100644
--- a/package/crds/ses.aws.upbound.io_receiptrules.yaml
+++ b/package/crds/ses.aws.upbound.io_receiptrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -242,10 +246,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
-                - ruleSetName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -417,17 +434,171 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: ruleSetName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleSetName)
           status:
             description: ReceiptRuleStatus defines the observed state of ReceiptRule.
             properties:
               atProvider:
                 properties:
+                  addHeaderAction:
+                    description: A list of Add Header Action blocks. Documented below.
+                    items:
+                      properties:
+                        headerName:
+                          description: The name of the header to add
+                          type: string
+                        headerValue:
+                          description: The value of the header to add
+                          type: string
+                        position:
+                          description: The position of the action in the receipt rule
+                          type: number
+                      type: object
+                    type: array
+                  after:
+                    description: The name of the rule to place this rule after
+                    type: string
                   arn:
                     description: The SES receipt rule ARN.
                     type: string
+                  bounceAction:
+                    description: A list of Bounce Action blocks. Documented below.
+                    items:
+                      properties:
+                        message:
+                          description: The message to send
+                          type: string
+                        position:
+                          description: The position of the action in the receipt rule
+                          type: number
+                        sender:
+                          description: The email address of the sender
+                          type: string
+                        smtpReplyCode:
+                          description: The RFC 5321 SMTP reply code
+                          type: string
+                        statusCode:
+                          description: The RFC 3463 SMTP enhanced status code
+                          type: string
+                        topicArn:
+                          description: The ARN of an SNS topic to notify
+                          type: string
+                      type: object
+                    type: array
+                  enabled:
+                    description: If true, the rule will be enabled
+                    type: boolean
                   id:
                     description: The SES receipt rule name.
                     type: string
+                  lambdaAction:
+                    description: A list of Lambda Action blocks. Documented below.
+                    items:
+                      properties:
+                        functionArn:
+                          description: The ARN of the Lambda function to invoke
+                          type: string
+                        invocationType:
+                          description: Event or RequestResponse
+                          type: string
+                        position:
+                          description: The position of the action in the receipt rule
+                          type: number
+                        topicArn:
+                          description: The ARN of an SNS topic to notify
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: The name of the rule
+                    type: string
+                  recipients:
+                    description: A list of email addresses
+                    items:
+                      type: string
+                    type: array
+                  ruleSetName:
+                    description: The name of the rule set
+                    type: string
+                  s3Action:
+                    description: A list of S3 Action blocks. Documented below.
+                    items:
+                      properties:
+                        bucketName:
+                          description: The name of the S3 bucket
+                          type: string
+                        kmsKeyArn:
+                          description: The ARN of the KMS key
+                          type: string
+                        objectKeyPrefix:
+                          description: The key prefix of the S3 bucket
+                          type: string
+                        position:
+                          description: The position of the action in the receipt rule
+                          type: number
+                        topicArn:
+                          description: The ARN of an SNS topic to notify
+                          type: string
+                      type: object
+                    type: array
+                  scanEnabled:
+                    description: If true, incoming emails will be scanned for spam
+                      and viruses
+                    type: boolean
+                  snsAction:
+                    description: A list of SNS Action blocks. Documented below.
+                    items:
+                      properties:
+                        encoding:
+                          description: The encoding to use for the email within the
+                            Amazon SNS notification. Default value is UTF-8.
+                          type: string
+                        position:
+                          description: The position of the action in the receipt rule
+                          type: number
+                        topicArn:
+                          description: The ARN of an SNS topic to notify
+                          type: string
+                      type: object
+                    type: array
+                  stopAction:
+                    description: A list of Stop Action blocks. Documented below.
+                    items:
+                      properties:
+                        position:
+                          description: The position of the action in the receipt rule
+                          type: number
+                        scope:
+                          description: The scope to apply. The only acceptable value
+                            is RuleSet.
+                          type: string
+                        topicArn:
+                          description: The ARN of an SNS topic to notify
+                          type: string
+                      type: object
+                    type: array
+                  tlsPolicy:
+                    description: Require or Optional
+                    type: string
+                  workmailAction:
+                    description: A list of WorkMail Action blocks. Documented below.
+                    items:
+                      properties:
+                        organizationArn:
+                          description: The ARN of the WorkMail organization
+                          type: string
+                        position:
+                          description: The position of the action in the receipt rule
+                          type: number
+                        topicArn:
+                          description: The ARN of an SNS topic to notify
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_receiptrulesets.yaml b/package/crds/ses.aws.upbound.io_receiptrulesets.yaml
index 909b686e31..6139aab65f 100644
--- a/package/crds/ses.aws.upbound.io_receiptrulesets.yaml
+++ b/package/crds/ses.aws.upbound.io_receiptrulesets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -73,8 +77,22 @@ spec:
                     type: string
                 required:
                 - region
-                - ruleSetName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -246,6 +264,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: ruleSetName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ruleSetName)
           status:
             description: ReceiptRuleSetStatus defines the observed state of ReceiptRuleSet.
             properties:
@@ -257,6 +278,9 @@ spec:
                   id:
                     description: SES receipt rule set name.
                     type: string
+                  ruleSetName:
+                    description: Name of the rule set.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ses.aws.upbound.io_templates.yaml b/package/crds/ses.aws.upbound.io_templates.yaml
index 357acd1771..19d8fd0ee6 100644
--- a/package/crds/ses.aws.upbound.io_templates.yaml
+++ b/package/crds/ses.aws.upbound.io_templates.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,6 +87,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -262,9 +281,21 @@ spec:
                   arn:
                     description: The ARN of the SES template
                     type: string
+                  html:
+                    description: The HTML body of the email. Must be less than 500KB
+                      in size, including both the text and HTML parts.
+                    type: string
                   id:
                     description: The name of the SES template
                     type: string
+                  subject:
+                    description: The subject line of the email.
+                    type: string
+                  text:
+                    description: The email body that will be visible to recipients
+                      whose email clients do not display HTML. Must be less than 500KB
+                      in size, including both the text and HTML parts.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sesv2.aws.upbound.io_configurationseteventdestinations.yaml b/package/crds/sesv2.aws.upbound.io_configurationseteventdestinations.yaml
index ac4c716dc4..6cd91b1f08 100644
--- a/package/crds/sesv2.aws.upbound.io_configurationseteventdestinations.yaml
+++ b/package/crds/sesv2.aws.upbound.io_configurationseteventdestinations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -572,10 +576,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - eventDestination
-                - eventDestinationName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -747,12 +764,116 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: eventDestination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventDestination)
+            - message: eventDestinationName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.eventDestinationName)
           status:
             description: ConfigurationSetEventDestinationStatus defines the observed
               state of ConfigurationSetEventDestination.
             properties:
               atProvider:
                 properties:
+                  configurationSetName:
+                    description: The name of the configuration set.
+                    type: string
+                  eventDestination:
+                    description: A name that identifies the event destination within
+                      the configuration set.
+                    items:
+                      properties:
+                        cloudWatchDestination:
+                          description: An object that defines an Amazon CloudWatch
+                            destination for email events. See cloud_watch_destination
+                            below
+                          items:
+                            properties:
+                              dimensionConfiguration:
+                                description: An array of objects that define the dimensions
+                                  to use when you send email events to Amazon CloudWatch.
+                                  See dimension_configuration below.
+                                items:
+                                  properties:
+                                    defaultDimensionValue:
+                                      description: The default value of the dimension
+                                        that is published to Amazon CloudWatch if
+                                        you don't provide the value of the dimension
+                                        when you send an email. ( dimension_name -  The
+                                        name of an Amazon CloudWatch dimension associated
+                                        with an email sending metric.
+                                      type: string
+                                    dimensionName:
+                                      type: string
+                                    dimensionValueSource:
+                                      description: 'The location where the Amazon
+                                        SES API v2 finds the value of a dimension
+                                        to publish to Amazon CloudWatch. Valid values:
+                                        MESSAGE_TAG, EMAIL_HEADER, LINK_TAG.'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        enabled:
+                          description: 'When the event destination is enabled, the
+                            specified event types are sent to the destinations. Default:
+                            false.'
+                          type: boolean
+                        kinesisFirehoseDestination:
+                          description: An object that defines an Amazon Kinesis Data
+                            Firehose destination for email events. See kinesis_firehose_destination
+                            below.
+                          items:
+                            properties:
+                              deliveryStreamArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Amazon Kinesis Data Firehose stream that the Amazon
+                                  SES API v2 sends email events to.
+                                type: string
+                              iamRoleArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  IAM role that the Amazon SES API v2 uses to send
+                                  email events to the Amazon Kinesis Data Firehose
+                                  stream.
+                                type: string
+                            type: object
+                          type: array
+                        matchingEventTypes:
+                          description: '- An array that specifies which events the
+                            Amazon SES API v2 should send to the destinations. Valid
+                            values: SEND, REJECT, BOUNCE, COMPLAINT, DELIVERY, OPEN,
+                            CLICK, RENDERING_FAILURE, DELIVERY_DELAY, SUBSCRIPTION.'
+                          items:
+                            type: string
+                          type: array
+                        pinpointDestination:
+                          description: An object that defines an Amazon Pinpoint project
+                            destination for email events. See pinpoint_destination
+                            below.
+                          items:
+                            properties:
+                              applicationArn:
+                                type: string
+                            type: object
+                          type: array
+                        snsDestination:
+                          description: An object that defines an Amazon SNS destination
+                            for email events. See sns_destination below.
+                          items:
+                            properties:
+                              topicArn:
+                                description: The Amazon Resource Name (ARN) of the
+                                  Amazon SNS topic to publish email events to.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  eventDestinationName:
+                    description: An object that defines the event destination. See
+                      event_destination below.
+                    type: string
                   id:
                     description: A pipe-delimited string combining configuration_set_name
                       and event_destination_name.
diff --git a/package/crds/sesv2.aws.upbound.io_configurationsets.yaml b/package/crds/sesv2.aws.upbound.io_configurationsets.yaml
index 69cb0c0888..694f063fab 100644
--- a/package/crds/sesv2.aws.upbound.io_configurationsets.yaml
+++ b/package/crds/sesv2.aws.upbound.io_configurationsets.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -145,6 +149,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,6 +343,23 @@ spec:
                   arn:
                     description: ARN of the Configuration Set.
                     type: string
+                  deliveryOptions:
+                    description: An object that defines the dedicated IP pool that
+                      is used to send emails that you send using the configuration
+                      set.
+                    items:
+                      properties:
+                        sendingPoolName:
+                          description: The name of the dedicated IP pool to associate
+                            with the configuration set.
+                          type: string
+                        tlsPolicy:
+                          description: 'Specifies whether messages that use the configuration
+                            set are required to use Transport Layer Security (TLS).
+                            Valid values: REQUIRE, OPTIONAL.'
+                          type: string
+                      type: object
+                    type: array
                   id:
                     type: string
                   reputationOptions:
@@ -338,12 +374,60 @@ spec:
                             is given a fresh start, your reputation metrics are calculated
                             starting from the date of the fresh start.
                           type: string
+                        reputationMetricsEnabled:
+                          description: If true, tracking of reputation metrics is
+                            enabled for the configuration set. If false, tracking
+                            of reputation metrics is disabled for the configuration
+                            set.
+                          type: boolean
                       type: object
                     type: array
+                  sendingOptions:
+                    description: An object that defines whether or not Amazon SES
+                      can send email that you send using the configuration set.
+                    items:
+                      properties:
+                        sendingEnabled:
+                          description: If true, email sending is enabled for the configuration
+                            set. If false, email sending is disabled for the configuration
+                            set.
+                          type: boolean
+                      type: object
+                    type: array
+                  suppressionOptions:
+                    description: An object that contains information about the suppression
+                      list preferences for your account.
+                    items:
+                      properties:
+                        suppressedReasons:
+                          description: 'A list that contains the reasons that email
+                            addresses are automatically added to the suppression list
+                            for your account. Valid values: BOUNCE, COMPLAINT.'
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  trackingOptions:
+                    description: An object that defines the open and click tracking
+                      options for emails that you send using the configuration set.
+                    items:
+                      properties:
+                        customRedirectDomain:
+                          description: The domain to use for tracking open and click
+                            events.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sesv2.aws.upbound.io_dedicatedippools.yaml b/package/crds/sesv2.aws.upbound.io_dedicatedippools.yaml
index 467d7aac1f..7e4e5bc9c4 100644
--- a/package/crds/sesv2.aws.upbound.io_dedicatedippools.yaml
+++ b/package/crds/sesv2.aws.upbound.io_dedicatedippools.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -79,6 +83,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -260,6 +279,15 @@ spec:
                     type: string
                   id:
                     type: string
+                  scalingMode:
+                    description: 'IP pool scaling mode. Valid values: STANDARD, MANAGED.
+                      If omitted, the AWS API will default to a standard pool.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sesv2.aws.upbound.io_emailidentities.yaml b/package/crds/sesv2.aws.upbound.io_emailidentities.yaml
index 0070e97b7d..e804cdad29 100644
--- a/package/crds/sesv2.aws.upbound.io_emailidentities.yaml
+++ b/package/crds/sesv2.aws.upbound.io_emailidentities.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -178,6 +182,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -357,6 +376,11 @@ spec:
                   arn:
                     description: ARN of the Email Identity.
                     type: string
+                  configurationSetName:
+                    description: The configuration set to use by default when sending
+                      from this identity. Note that any configuration set defined
+                      in the email sending request takes precedence.
+                    type: string
                   dkimSigningAttributes:
                     description: The configuration of the DKIM authentication settings
                       for an email domain identity.
@@ -366,10 +390,26 @@ spec:
                           description: '[Easy DKIM] The key length of the DKIM key
                             pair in use.'
                           type: string
+                        domainSigningPrivateKey:
+                          description: '[Bring Your Own DKIM] A private key that''s
+                            used to generate a DKIM signature. The private key must
+                            use 1024 or 2048-bit RSA encryption, and must be encoded
+                            using base64 encoding.'
+                          type: string
+                        domainSigningSelector:
+                          description: '[Bring Your Own DKIM] A string that''s used
+                            to identify a public key in the DNS configuration for
+                            a domain.'
+                          type: string
                         lastKeyGenerationTimestamp:
                           description: '[Easy DKIM] The last time a key pair was generated
                             for this identity.'
                           type: string
+                        nextSigningKeyLength:
+                          description: '[Easy DKIM] The key length of the future DKIM
+                            key pair to be generated. This can be changed at most
+                            once per day. Valid values: RSA_1024_BIT, RSA_2048_BIT.'
+                          type: string
                         signingAttributesOrigin:
                           description: A string that indicates how DKIM was configured
                             for the identity. AWS_SES indicates that DKIM was configured
@@ -403,6 +443,11 @@ spec:
                     description: 'The email identity type. Valid values: EMAIL_ADDRESS,
                       DOMAIN.'
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sesv2.aws.upbound.io_emailidentityfeedbackattributes.yaml b/package/crds/sesv2.aws.upbound.io_emailidentityfeedbackattributes.yaml
index 2d44d57cdb..fea9dc6fa9 100644
--- a/package/crds/sesv2.aws.upbound.io_emailidentityfeedbackattributes.yaml
+++ b/package/crds/sesv2.aws.upbound.io_emailidentityfeedbackattributes.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,6 +80,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -253,6 +272,10 @@ spec:
             properties:
               atProvider:
                 properties:
+                  emailForwardingEnabled:
+                    description: Sets the feedback forwarding configuration for the
+                      identity.
+                    type: boolean
                   id:
                     type: string
                 type: object
diff --git a/package/crds/sesv2.aws.upbound.io_emailidentitymailfromattributes.yaml b/package/crds/sesv2.aws.upbound.io_emailidentitymailfromattributes.yaml
index a96b1670c4..440c71bf13 100644
--- a/package/crds/sesv2.aws.upbound.io_emailidentitymailfromattributes.yaml
+++ b/package/crds/sesv2.aws.upbound.io_emailidentitymailfromattributes.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -81,6 +85,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -258,8 +277,17 @@ spec:
             properties:
               atProvider:
                 properties:
+                  behaviorOnMxFailure:
+                    description: 'The action to take if the required MX record isn''t
+                      found when you send an email. Valid values: USE_DEFAULT_VALUE,
+                      REJECT_MESSAGE.'
+                    type: string
                   id:
                     type: string
+                  mailFromDomain:
+                    description: The custom MAIL FROM domain that you want the verified
+                      identity to use. Required if behavior_on_mx_failure is REJECT_MESSAGE.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sfn.aws.upbound.io_activities.yaml b/package/crds/sfn.aws.upbound.io_activities.yaml
index 52a876a4aa..843e43459b 100644
--- a/package/crds/sfn.aws.upbound.io_activities.yaml
+++ b/package/crds/sfn.aws.upbound.io_activities.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,6 +80,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -259,6 +278,11 @@ spec:
                     description: The Amazon Resource Name (ARN) that identifies the
                       created activity.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/sfn.aws.upbound.io_statemachines.yaml b/package/crds/sfn.aws.upbound.io_statemachines.yaml
index ca2cc8d42d..68c5824e3d 100644
--- a/package/crds/sfn.aws.upbound.io_statemachines.yaml
+++ b/package/crds/sfn.aws.upbound.io_statemachines.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -196,9 +200,23 @@ spec:
                       EXPRESS.'
                     type: string
                 required:
-                - definition
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -370,6 +388,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: definition is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.definition)
           status:
             description: StateMachineStatus defines the observed state of StateMachine.
             properties:
@@ -381,13 +402,49 @@ spec:
                   creationDate:
                     description: The date the state machine was created.
                     type: string
+                  definition:
+                    description: The Amazon States Language definition of the state
+                      machine.
+                    type: string
                   id:
                     description: The ARN of the state machine.
                     type: string
+                  loggingConfiguration:
+                    description: Defines what execution history events are logged
+                      and where they are logged. The logging_configuration parameter
+                      is only valid when type is set to EXPRESS. Defaults to OFF.
+                      For more information see Logging Express Workflows and Log Levels
+                      in the AWS Step Functions User Guide.
+                    items:
+                      properties:
+                        includeExecutionData:
+                          description: Determines whether execution data is included
+                            in your log. When set to false, data is excluded.
+                          type: boolean
+                        level:
+                          description: 'Defines which category of execution history
+                            events are logged. Valid values: ALL, ERROR, FATAL, OFF'
+                          type: string
+                        logDestination:
+                          description: Amazon Resource Name (ARN) of a CloudWatch
+                            log group. Make sure the State Machine has the correct
+                            IAM policies for logging. The ARN must end with :*
+                          type: string
+                      type: object
+                    type: array
+                  roleArn:
+                    description: The Amazon Resource Name (ARN) of the IAM role to
+                      use for this state machine.
+                    type: string
                   status:
                     description: The current status of the state machine. Either ACTIVE
                       or DELETING.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -395,6 +452,24 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  tracingConfiguration:
+                    description: Selects whether AWS X-Ray tracing is enabled.
+                    items:
+                      properties:
+                        enabled:
+                          description: When set to true, AWS X-Ray tracing is enabled.
+                            Make sure the State Machine has the correct IAM policies
+                            for logging. See the AWS Step Functions Developer Guide
+                            for details.
+                          type: boolean
+                      type: object
+                    type: array
+                  type:
+                    description: 'Determines whether a Standard or Express state machine
+                      is created. The default is STANDARD. You cannot update the type
+                      of a state machine once it has been created. Valid values: STANDARD,
+                      EXPRESS.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/signer.aws.upbound.io_signingjobs.yaml b/package/crds/signer.aws.upbound.io_signingjobs.yaml
index 2298668903..089478de01 100644
--- a/package/crds/signer.aws.upbound.io_signingjobs.yaml
+++ b/package/crds/signer.aws.upbound.io_signingjobs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -208,10 +212,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - destination
                 - region
-                - source
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -383,6 +400,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)
+            - message: source is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)
           status:
             description: SigningJobStatus defines the observed state of SigningJob.
             properties:
@@ -396,8 +418,34 @@ spec:
                     description: Date and time in RFC3339 format that the signing
                       job was created.
                     type: string
+                  destination:
+                    description: The S3 bucket in which to save your signed object.
+                      See Destination below for details.
+                    items:
+                      properties:
+                        s3:
+                          description: 'A configuration block describing the S3 Source
+                            object: See S3 Source below for details.'
+                          items:
+                            properties:
+                              bucket:
+                                description: Name of the S3 bucket.
+                                type: string
+                              prefix:
+                                description: An Amazon S3 object key prefix that you
+                                  can use to limit signed objects keys to begin with
+                                  the specified prefix.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   id:
                     type: string
+                  ignoreSigningJobFailure:
+                    description: Set this argument to true to ignore signing job failures
+                      and retrieve failed status and reason. Default false.
+                    type: boolean
                   jobId:
                     description: The ID of the signing job on output.
                     type: string
@@ -415,6 +463,9 @@ spec:
                     description: The platform to which your signed code image will
                       be distributed.
                     type: string
+                  profileName:
+                    description: The name of the profile to initiate the signing operation.
+                    type: string
                   profileVersion:
                     description: The version of the signing profile used to initiate
                       the signing job.
@@ -460,6 +511,31 @@ spec:
                           type: array
                       type: object
                     type: array
+                  source:
+                    description: The S3 bucket that contains the object to sign. See
+                      Source below for details.
+                    items:
+                      properties:
+                        s3:
+                          description: 'A configuration block describing the S3 Source
+                            object: See S3 Source below for details.'
+                          items:
+                            properties:
+                              bucket:
+                                description: Name of the S3 bucket.
+                                type: string
+                              key:
+                                description: Key name of the object that contains
+                                  your unsigned code.
+                                type: string
+                              version:
+                                description: Version of your source image in your
+                                  version enabled S3 bucket.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                   status:
                     description: Status of the signing job.
                     type: string
diff --git a/package/crds/signer.aws.upbound.io_signingprofilepermissions.yaml b/package/crds/signer.aws.upbound.io_signingprofilepermissions.yaml
index 5c8adcbe71..bcd8aace5a 100644
--- a/package/crds/signer.aws.upbound.io_signingprofilepermissions.yaml
+++ b/package/crds/signer.aws.upbound.io_signingprofilepermissions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -242,10 +246,23 @@ spec:
                     description: A statement identifier prefix. Conflicts with statement_id.
                     type: string
                 required:
-                - action
-                - principal
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -417,14 +434,41 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: action is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.action)
+            - message: principal is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.principal)
           status:
             description: SigningProfilePermissionStatus defines the observed state
               of SigningProfilePermission.
             properties:
               atProvider:
                 properties:
+                  action:
+                    description: 'An AWS Signer action permitted as part of cross-account
+                      permissions. Valid values: signer:StartSigningJob, signer:GetSigningProfile,
+                      or signer:RevokeSignature.'
+                    type: string
                   id:
                     type: string
+                  principal:
+                    description: The AWS principal to be granted a cross-account permission.
+                    type: string
+                  profileName:
+                    description: Name of the signing profile to add the cross-account
+                      permissions.
+                    type: string
+                  profileVersion:
+                    description: The signing profile version that a permission applies
+                      to.
+                    type: string
+                  statementId:
+                    description: A unique statement identifier.
+                    type: string
+                  statementIdPrefix:
+                    description: A statement identifier prefix. Conflicts with statement_id.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/signer.aws.upbound.io_signingprofiles.yaml b/package/crds/signer.aws.upbound.io_signingprofiles.yaml
index e5a0df08a9..b0943e4d0e 100644
--- a/package/crds/signer.aws.upbound.io_signingprofiles.yaml
+++ b/package/crds/signer.aws.upbound.io_signingprofiles.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -91,9 +95,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - platformId
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -265,6 +283,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: platformId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platformId)
           status:
             description: SigningProfileStatus defines the observed state of SigningProfile.
             properties:
@@ -279,6 +300,10 @@ spec:
                     description: A human-readable name for the signing platform associated
                       with the signing profile.
                     type: string
+                  platformId:
+                    description: The ID of the platform that is used by the target
+                      signing profile.
+                    type: string
                   revocationRecord:
                     description: Revocation information for a signing profile.
                     items:
@@ -291,9 +316,24 @@ spec:
                           type: string
                       type: object
                     type: array
+                  signatureValidityPeriod:
+                    description: The validity period for a signing job.
+                    items:
+                      properties:
+                        type:
+                          type: string
+                        value:
+                          type: number
+                      type: object
+                    type: array
                   status:
                     description: The status of the target signing profile.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/simpledb.aws.upbound.io_domains.yaml b/package/crds/simpledb.aws.upbound.io_domains.yaml
index 39452f6288..8ce1180190 100644
--- a/package/crds/simpledb.aws.upbound.io_domains.yaml
+++ b/package/crds/simpledb.aws.upbound.io_domains.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -71,6 +75,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
diff --git a/package/crds/sns.aws.upbound.io_platformapplications.yaml b/package/crds/sns.aws.upbound.io_platformapplications.yaml
index c8a950320c..0b85f5ff10 100644
--- a/package/crds/sns.aws.upbound.io_platformapplications.yaml
+++ b/package/crds/sns.aws.upbound.io_platformapplications.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -295,10 +299,23 @@ spec:
                       delivered messages.
                     type: string
                 required:
-                - platform
-                - platformCredentialSecretRef
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -470,17 +487,66 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: platform is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platform)
+            - message: platformCredentialSecretRef is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.platformCredentialSecretRef)
           status:
             description: PlatformApplicationStatus defines the observed state of PlatformApplication.
             properties:
               atProvider:
                 properties:
+                  applePlatformBundleId:
+                    description: The bundle identifier that's assigned to your iOS
+                      app. May only include alphanumeric characters, hyphens (-),
+                      and periods (.).
+                    type: string
+                  applePlatformTeamId:
+                    description: The identifier that's assigned to your Apple developer
+                      account team. Must be 10 alphanumeric characters.
+                    type: string
                   arn:
                     description: The ARN of the SNS platform application
                     type: string
+                  eventDeliveryFailureTopicArn:
+                    description: The ARN of the SNS Topic triggered when a delivery
+                      to any of the platform endpoints associated with your platform
+                      application encounters a permanent failure.
+                    type: string
+                  eventEndpointCreatedTopicArn:
+                    description: The ARN of the SNS Topic triggered when a new platform
+                      endpoint is added to your platform application.
+                    type: string
+                  eventEndpointDeletedTopicArn:
+                    description: The ARN of the SNS Topic triggered when an existing
+                      platform endpoint is deleted from your platform application.
+                    type: string
+                  eventEndpointUpdatedTopicArn:
+                    description: The ARN of the SNS Topic triggered when an existing
+                      platform endpoint is changed from your platform application.
+                    type: string
+                  failureFeedbackRoleArn:
+                    description: The IAM role ARN permitted to receive failure feedback
+                      for this application and give SNS write access to use CloudWatch
+                      logs on your behalf.
+                    type: string
                   id:
                     description: The ARN of the SNS platform application
                     type: string
+                  platform:
+                    description: The platform that the app is registered with. See
+                      Platform for supported platforms.
+                    type: string
+                  successFeedbackRoleArn:
+                    description: The IAM role ARN permitted to receive success feedback
+                      for this application and give SNS write access to use CloudWatch
+                      logs on your behalf.
+                    type: string
+                  successFeedbackSampleRate:
+                    description: The sample rate percentage (0-100) of successfully
+                      delivered messages.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sns.aws.upbound.io_smspreferences.yaml b/package/crds/sns.aws.upbound.io_smspreferences.yaml
index 791e6a7f3f..82470a017f 100644
--- a/package/crds/sns.aws.upbound.io_smspreferences.yaml
+++ b/package/crds/sns.aws.upbound.io_smspreferences.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -169,6 +173,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -345,8 +364,33 @@ spec:
             properties:
               atProvider:
                 properties:
+                  defaultSenderId:
+                    description: A string, such as your business brand, that is displayed
+                      as the sender on the receiving device.
+                    type: string
+                  defaultSmsType:
+                    description: 'The type of SMS message that you will send by default.
+                      Possible values are: Promotional, Transactional'
+                    type: string
+                  deliveryStatusIamRoleArn:
+                    description: The ARN of the IAM role that allows Amazon SNS to
+                      write logs about SMS deliveries in CloudWatch Logs.
+                    type: string
+                  deliveryStatusSuccessSamplingRate:
+                    description: The percentage of successful SMS deliveries for which
+                      Amazon SNS will write logs in CloudWatch Logs. The value must
+                      be between 0 and 100.
+                    type: string
                   id:
                     type: string
+                  monthlySpendLimit:
+                    description: The maximum amount in USD that you are willing to
+                      spend each month to send SMS messages.
+                    type: number
+                  usageReportS3Bucket:
+                    description: The name of the Amazon S3 bucket to receive daily
+                      SMS usage reports from Amazon SNS.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sns.aws.upbound.io_topicpolicies.yaml b/package/crds/sns.aws.upbound.io_topicpolicies.yaml
index de158e3f3b..86d8a10a07 100644
--- a/package/crds/sns.aws.upbound.io_topicpolicies.yaml
+++ b/package/crds/sns.aws.upbound.io_topicpolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -148,9 +152,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -322,16 +340,25 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: TopicPolicyStatus defines the observed state of TopicPolicy.
             properties:
               atProvider:
                 properties:
+                  arn:
+                    description: The ARN of the SNS topic
+                    type: string
                   id:
                     type: string
                   owner:
                     description: The AWS Account ID of the SNS topic owner
                     type: string
+                  policy:
+                    description: The fully-formed AWS policy as JSON.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sns.aws.upbound.io_topics.yaml b/package/crds/sns.aws.upbound.io_topics.yaml
index 98de48b2d2..3ede76c3ca 100644
--- a/package/crds/sns.aws.upbound.io_topics.yaml
+++ b/package/crds/sns.aws.upbound.io_topics.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -889,6 +893,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -1065,16 +1084,100 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applicationFailureFeedbackRoleArn:
+                    description: IAM role for failure feedback
+                    type: string
+                  applicationSuccessFeedbackRoleArn:
+                    description: The IAM role permitted to receive success feedback
+                      for this topic
+                    type: string
+                  applicationSuccessFeedbackSampleRate:
+                    description: Percentage of success to sample
+                    type: number
                   arn:
                     description: The ARN of the SNS topic, as a more obvious property
                       (clone of id)
                     type: string
+                  contentBasedDeduplication:
+                    description: Enables content-based deduplication for FIFO topics.
+                      For more information, see the related documentation
+                    type: boolean
+                  deliveryPolicy:
+                    description: The SNS delivery policy. More on AWS documentation
+                    type: string
+                  displayName:
+                    description: The display name for the topic
+                    type: string
+                  fifoTopic:
+                    description: Boolean indicating whether or not to create a FIFO
+                      (first-in-first-out) topic (default is false).
+                    type: boolean
+                  firehoseFailureFeedbackRoleArn:
+                    description: IAM role for failure feedback
+                    type: string
+                  firehoseSuccessFeedbackRoleArn:
+                    description: The IAM role permitted to receive success feedback
+                      for this topic
+                    type: string
+                  firehoseSuccessFeedbackSampleRate:
+                    description: Percentage of success to sample
+                    type: number
+                  httpFailureFeedbackRoleArn:
+                    description: IAM role for failure feedback
+                    type: string
+                  httpSuccessFeedbackRoleArn:
+                    description: The IAM role permitted to receive success feedback
+                      for this topic
+                    type: string
+                  httpSuccessFeedbackSampleRate:
+                    description: Percentage of success to sample
+                    type: number
                   id:
                     description: The ARN of the SNS topic
                     type: string
+                  kmsMasterKeyId:
+                    description: The ID of an AWS-managed customer master key (CMK)
+                      for Amazon SNS or a custom CMK. For more information, see Key
+                      Terms
+                    type: string
+                  lambdaFailureFeedbackRoleArn:
+                    description: IAM role for failure feedback
+                    type: string
+                  lambdaSuccessFeedbackRoleArn:
+                    description: The IAM role permitted to receive success feedback
+                      for this topic
+                    type: string
+                  lambdaSuccessFeedbackSampleRate:
+                    description: Percentage of success to sample
+                    type: number
                   owner:
                     description: The AWS Account ID of the SNS topic owner
                     type: string
+                  policy:
+                    description: The fully-formed AWS policy as JSON.
+                    type: string
+                  signatureVersion:
+                    description: If SignatureVersion should be 1 (SHA1) or 2 (SHA256).
+                      The signature version corresponds to the hashing algorithm used
+                      while creating the signature of the notifications, subscription
+                      confirmations, or unsubscribe confirmation messages sent by
+                      Amazon SNS.
+                    type: number
+                  sqsFailureFeedbackRoleArn:
+                    description: IAM role for failure feedback
+                    type: string
+                  sqsSuccessFeedbackRoleArn:
+                    description: The IAM role permitted to receive success feedback
+                      for this topic
+                    type: string
+                  sqsSuccessFeedbackSampleRate:
+                    description: Percentage of success to sample
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -1082,6 +1185,10 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  tracingConfig:
+                    description: 'Tracing mode of an Amazon SNS topic. Valid values:
+                      "PassThrough", "Active".'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sns.aws.upbound.io_topicsubscriptions.yaml b/package/crds/sns.aws.upbound.io_topicsubscriptions.yaml
index 996eac8153..10dd5cc31f 100644
--- a/package/crds/sns.aws.upbound.io_topicsubscriptions.yaml
+++ b/package/crds/sns.aws.upbound.io_topicsubscriptions.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -337,9 +341,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - protocol
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -511,6 +529,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: protocol is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.protocol)
           status:
             description: TopicSubscriptionStatus defines the observed state of TopicSubscription.
             properties:
@@ -519,10 +540,37 @@ spec:
                   arn:
                     description: ARN of the subscription.
                     type: string
+                  confirmationTimeoutInMinutes:
+                    description: Integer indicating number of minutes to wait in retrying
+                      mode for fetching subscription arn before marking it as failure.
+                      Only applicable for http and https protocols. Default is 1.
+                    type: number
                   confirmationWasAuthenticated:
                     description: Whether the subscription confirmation request was
                       authenticated.
                     type: boolean
+                  deliveryPolicy:
+                    description: JSON String with the delivery policy (retries, backoff,
+                      etc.) that will be used in the subscription - this only applies
+                      to HTTP/S subscriptions. Refer to the SNS docs for more details.
+                    type: string
+                  endpoint:
+                    description: Endpoint to send data to. The contents vary with
+                      the protocol. See details below.
+                    type: string
+                  endpointAutoConfirms:
+                    description: Whether the endpoint is capable of auto confirming
+                      subscription (e.g., PagerDuty). Default is false.
+                    type: boolean
+                  filterPolicy:
+                    description: JSON String with the filter policy that will be used
+                      in the subscription to filter messages seen by the target resource.
+                      Refer to the SNS docs for more details.
+                    type: string
+                  filterPolicyScope:
+                    description: Whether the filter_policy applies to MessageAttributes
+                      (default) or MessageBody.
+                    type: string
                   id:
                     description: ARN of the subscription.
                     type: string
@@ -532,6 +580,28 @@ spec:
                   pendingConfirmation:
                     description: Whether the subscription has not been confirmed.
                     type: boolean
+                  protocol:
+                    description: 'Protocol to use. Valid values are: sqs, sms, lambda,
+                      firehose, and application. Protocols email, email-json, http
+                      and https are also valid but partially supported. See details
+                      below.'
+                    type: string
+                  rawMessageDelivery:
+                    description: Whether to enable raw message delivery (the original
+                      message is directly passed, not wrapped in JSON with the original
+                      message in the message property). Default is false.
+                    type: boolean
+                  redrivePolicy:
+                    description: JSON String with the redrive policy that will be
+                      used in the subscription. Refer to the SNS docs for more details.
+                    type: string
+                  subscriptionRoleArn:
+                    description: ARN of the IAM role to publish to Kinesis Data Firehose
+                      delivery stream. Refer to SNS docs.
+                    type: string
+                  topicArn:
+                    description: ARN of the SNS topic to subscribe to.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sqs.aws.upbound.io_queuepolicies.yaml b/package/crds/sqs.aws.upbound.io_queuepolicies.yaml
index c5fd9d4937..a09e13d9d6 100644
--- a/package/crds/sqs.aws.upbound.io_queuepolicies.yaml
+++ b/package/crds/sqs.aws.upbound.io_queuepolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -148,9 +152,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - policy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -322,6 +340,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: policy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.policy)
           status:
             description: QueuePolicyStatus defines the observed state of QueuePolicy.
             properties:
@@ -329,6 +350,12 @@ spec:
                 properties:
                   id:
                     type: string
+                  policy:
+                    description: The JSON policy for the SQS queue.
+                    type: string
+                  queueUrl:
+                    description: The URL of the SQS Queue to which to attach the policy
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sqs.aws.upbound.io_queueredriveallowpolicies.yaml b/package/crds/sqs.aws.upbound.io_queueredriveallowpolicies.yaml
index fec626cf05..39f99ab8ee 100644
--- a/package/crds/sqs.aws.upbound.io_queueredriveallowpolicies.yaml
+++ b/package/crds/sqs.aws.upbound.io_queueredriveallowpolicies.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - redriveAllowPolicy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,6 +342,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: redriveAllowPolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.redriveAllowPolicy)
           status:
             description: QueueRedriveAllowPolicyStatus defines the observed state
               of QueueRedriveAllowPolicy.
@@ -332,6 +353,13 @@ spec:
                 properties:
                   id:
                     type: string
+                  queueUrl:
+                    description: The URL of the SQS Queue to which to attach the policy
+                    type: string
+                  redriveAllowPolicy:
+                    description: The JSON redrive allow policy for the SQS queue.
+                      Learn more in the Amazon SQS dead-letter queues documentation.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sqs.aws.upbound.io_queueredrivepolicies.yaml b/package/crds/sqs.aws.upbound.io_queueredrivepolicies.yaml
index 5c09a7078a..03d689b897 100644
--- a/package/crds/sqs.aws.upbound.io_queueredrivepolicies.yaml
+++ b/package/crds/sqs.aws.upbound.io_queueredrivepolicies.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - redrivePolicy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,6 +342,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: redrivePolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.redrivePolicy)
           status:
             description: QueueRedrivePolicyStatus defines the observed state of QueueRedrivePolicy.
             properties:
@@ -331,6 +352,14 @@ spec:
                 properties:
                   id:
                     type: string
+                  queueUrl:
+                    description: The URL of the SQS Queue to which to attach the policy
+                    type: string
+                  redrivePolicy:
+                    description: 'The JSON redrive policy for the SQS queue. Accepts
+                      two key/val pairs: deadLetterTargetArn and maxReceiveCount.
+                      Learn more in the Amazon SQS dead-letter queues documentation.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/sqs.aws.upbound.io_queues.yaml b/package/crds/sqs.aws.upbound.io_queues.yaml
index 2f0f0db263..ba494c1cc1 100644
--- a/package/crds/sqs.aws.upbound.io_queues.yaml
+++ b/package/crds/sqs.aws.upbound.io_queues.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,6 +160,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -335,9 +354,90 @@ spec:
                   arn:
                     description: The ARN of the SQS queue
                     type: string
+                  contentBasedDeduplication:
+                    description: Enables content-based deduplication for FIFO queues.
+                      For more information, see the related documentation
+                    type: boolean
+                  deduplicationScope:
+                    description: Specifies whether message deduplication occurs at
+                      the message group or queue level. Valid values are messageGroup
+                      and queue (default).
+                    type: string
+                  delaySeconds:
+                    description: The time in seconds that the delivery of all messages
+                      in the queue will be delayed. An integer from 0 to 900 (15 minutes).
+                      The default for this attribute is 0 seconds.
+                    type: number
+                  fifoQueue:
+                    description: Boolean designating a FIFO queue. If not set, it
+                      defaults to false making it standard.
+                    type: boolean
+                  fifoThroughputLimit:
+                    description: Specifies whether the FIFO queue throughput quota
+                      applies to the entire queue or per message group. Valid values
+                      are perQueue (default) and perMessageGroupId.
+                    type: string
                   id:
                     description: The URL for the created Amazon SQS queue.
                     type: string
+                  kmsDataKeyReusePeriodSeconds:
+                    description: The length of time, in seconds, for which Amazon
+                      SQS can reuse a data key to encrypt or decrypt messages before
+                      calling AWS KMS again. An integer representing seconds, between
+                      60 seconds (1 minute) and 86,400 seconds (24 hours). The default
+                      is 300 (5 minutes).
+                    type: number
+                  kmsMasterKeyId:
+                    description: The ID of an AWS-managed customer master key (CMK)
+                      for Amazon SQS or a custom CMK. For more information, see Key
+                      Terms.
+                    type: string
+                  maxMessageSize:
+                    description: The limit of how many bytes a message can contain
+                      before Amazon SQS rejects it. An integer from 1024 bytes (1
+                      KiB) up to 262144 bytes (256 KiB). The default for this attribute
+                      is 262144 (256 KiB).
+                    type: number
+                  messageRetentionSeconds:
+                    description: The number of seconds Amazon SQS retains a message.
+                      Integer representing seconds, from 60 (1 minute) to 1209600
+                      (14 days). The default for this attribute is 345600 (4 days).
+                    type: number
+                  name:
+                    description: The name of the queue. Queue names must be made up
+                      of only uppercase and lowercase ASCII letters, numbers, underscores,
+                      and hyphens, and must be between 1 and 80 characters long. For
+                      a FIFO (first-in-first-out) queue, the name must end with the
+                      .fifo suffix. Conflicts with name_prefix
+                    type: string
+                  policy:
+                    description: The JSON policy for the SQS queue.
+                    type: string
+                  receiveWaitTimeSeconds:
+                    description: The time for which a ReceiveMessage call will wait
+                      for a message to arrive (long polling) before returning. An
+                      integer from 0 to 20 (seconds). The default for this attribute
+                      is 0, meaning that the call will return immediately.
+                    type: number
+                  redriveAllowPolicy:
+                    description: The JSON policy to set up the Dead Letter Queue redrive
+                      permission, see AWS docs.
+                    type: string
+                  redrivePolicy:
+                    description: 'The JSON policy to set up the Dead Letter Queue,
+                      see AWS docs. Note: when specifying maxReceiveCount, you must
+                      specify it as an integer (5), and not a string ("5").'
+                    type: string
+                  sqsManagedSseEnabled:
+                    description: Boolean to enable server-side encryption (SSE) of
+                      message content with SQS-owned encryption keys. See Encryption
+                      at rest.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -348,6 +448,11 @@ spec:
                   url:
                     description: 'Same as id: The URL for the created Amazon SQS queue.'
                     type: string
+                  visibilityTimeoutSeconds:
+                    description: The visibility timeout for the queue. An integer
+                      from 0 to 43200 (12 hours). The default for this attribute is
+                      30. For more information about visibility timeout, see AWS docs.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssm.aws.upbound.io_activations.yaml b/package/crds/ssm.aws.upbound.io_activations.yaml
index b20557b600..fd31024dfc 100644
--- a/package/crds/ssm.aws.upbound.io_activations.yaml
+++ b/package/crds/ssm.aws.upbound.io_activations.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -169,6 +173,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -349,16 +368,40 @@ spec:
                     description: The code the system generates when it processes the
                       activation.
                     type: string
+                  description:
+                    description: The description of the resource that you want to
+                      register.
+                    type: string
+                  expirationDate:
+                    description: UTC timestamp in RFC3339 format by which this activation
+                      request should expire. The default value is 24 hours from resource
+                      creation time.
+                    type: string
                   expired:
                     description: If the current activation has expired.
                     type: boolean
+                  iamRole:
+                    description: The IAM Role to attach to the managed instance.
+                    type: string
                   id:
                     description: The activation ID.
                     type: string
+                  name:
+                    description: The default name of the registered managed instance.
+                    type: string
                   registrationCount:
                     description: The number of managed instances that are currently
                       registered using this activation.
                     type: number
+                  registrationLimit:
+                    description: The maximum number of managed instances you want
+                      to register. The default value is 1 instance.
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ssm.aws.upbound.io_associations.yaml b/package/crds/ssm.aws.upbound.io_associations.yaml
index 1a1320aa51..d788418e0f 100644
--- a/package/crds/ssm.aws.upbound.io_associations.yaml
+++ b/package/crds/ssm.aws.upbound.io_associations.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -243,6 +247,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -419,14 +438,108 @@ spec:
             properties:
               atProvider:
                 properties:
+                  applyOnlyAtCronInterval:
+                    description: 'By default, when you create a new or update associations,
+                      the system runs it immediately and then according to the schedule
+                      you specified. Enable this option if you do not want an association
+                      to run immediately after you create or update it. This parameter
+                      is not supported for rate expressions. Default: false.'
+                    type: boolean
                   arn:
                     description: The ARN of the SSM association
                     type: string
                   associationId:
                     description: The ID of the SSM association.
                     type: string
+                  associationName:
+                    description: The descriptive name for the association.
+                    type: string
+                  automationTargetParameterName:
+                    description: Specify the target for the association. This target
+                      is required for associations that use an Automation document
+                      and target resources by using rate controls. This should be
+                      set to the SSM document parameter that will define how your
+                      automation will branch out.
+                    type: string
+                  complianceSeverity:
+                    description: 'The compliance severity for the association. Can
+                      be one of the following: UNSPECIFIED, LOW, MEDIUM, HIGH or CRITICAL'
+                    type: string
+                  documentVersion:
+                    description: The document version you want to associate with the
+                      target(s). Can be a specific version or the default version.
+                    type: string
                   id:
                     type: string
+                  instanceId:
+                    description: The instance ID to apply an SSM document to. Use
+                      targets with key InstanceIds for document schema versions 2.0
+                      and above.
+                    type: string
+                  maxConcurrency:
+                    description: The maximum number of targets allowed to run the
+                      association at the same time. You can specify a number, for
+                      example 10, or a percentage of the target set, for example 10%.
+                    type: string
+                  maxErrors:
+                    description: The number of errors that are allowed before the
+                      system stops sending requests to run the association on additional
+                      targets. You can specify a number, for example 10, or a percentage
+                      of the target set, for example 10%.
+                    type: string
+                  name:
+                    description: The name of the SSM document to apply.
+                    type: string
+                  outputLocation:
+                    description: An output location block. Output Location is documented
+                      below.
+                    items:
+                      properties:
+                        s3BucketName:
+                          description: The S3 bucket name.
+                          type: string
+                        s3KeyPrefix:
+                          description: The S3 bucket prefix. Results stored in the
+                            root if not configured.
+                          type: string
+                        s3Region:
+                          description: The S3 bucket region.
+                          type: string
+                      type: object
+                    type: array
+                  parameters:
+                    additionalProperties:
+                      type: string
+                    description: A block of arbitrary string parameters to pass to
+                      the SSM document.
+                    type: object
+                  scheduleExpression:
+                    description: A cron or rate expression that specifies when the
+                      association runs.
+                    type: string
+                  targets:
+                    description: A block containing the targets of the SSM association.
+                      Targets are documented below. AWS currently supports a maximum
+                      of 5 targets.
+                    items:
+                      properties:
+                        key:
+                          description: Either InstanceIds or tag:Tag Name to specify
+                            an EC2 tag.
+                          type: string
+                        values:
+                          description: A list of instance IDs or tag values. AWS currently
+                            limits this list size to one value.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  waitForSuccessTimeoutSeconds:
+                    description: The number of seconds to wait for the association
+                      status to be Success. If Success status is not reached within
+                      the given time, create opration will fail.
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssm.aws.upbound.io_defaultpatchbaselines.yaml b/package/crds/ssm.aws.upbound.io_defaultpatchbaselines.yaml
index a0ee160163..eef6249db8 100644
--- a/package/crds/ssm.aws.upbound.io_defaultpatchbaselines.yaml
+++ b/package/crds/ssm.aws.upbound.io_defaultpatchbaselines.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -228,6 +232,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -405,8 +424,19 @@ spec:
             properties:
               atProvider:
                 properties:
+                  baselineId:
+                    description: ID of the patch baseline. Can be an ID or an ARN.
+                      When specifying an AWS-provided patch baseline, must be the
+                      ARN.
+                    type: string
                   id:
                     type: string
+                  operatingSystem:
+                    description: The operating system the patch baseline applies to.
+                      Valid values are AMAZON_LINUX, AMAZON_LINUX_2, AMAZON_LINUX_2022,
+                      CENTOS, DEBIAN, MACOS, ORACLE_LINUX, RASPBIAN, REDHAT_ENTERPRISE_LINUX,
+                      ROCKY_LINUX, SUSE, UBUNTU, and WINDOWS.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssm.aws.upbound.io_documents.yaml b/package/crds/ssm.aws.upbound.io_documents.yaml
index 3906cfed8c..263ad77180 100644
--- a/package/crds/ssm.aws.upbound.io_documents.yaml
+++ b/package/crds/ssm.aws.upbound.io_documents.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -127,10 +131,23 @@ spec:
                       cannot be changed for an existing document version.
                     type: string
                 required:
-                - content
-                - documentType
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -302,6 +319,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: content is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.content)
+            - message: documentType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.documentType)
           status:
             description: DocumentStatus defines the observed state of Document.
             properties:
@@ -309,6 +331,30 @@ spec:
                 properties:
                   arn:
                     type: string
+                  attachmentsSource:
+                    description: One or more configuration blocks describing attachments
+                      sources to a version of a document. Defined below.
+                    items:
+                      properties:
+                        key:
+                          description: 'The key describing the location of an attachment
+                            to a document. Valid key types include: SourceUrl and
+                            S3FileUrl'
+                          type: string
+                        name:
+                          description: The name of the document attachment file
+                          type: string
+                        values:
+                          description: The value describing the location of an attachment
+                            to a document
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  content:
+                    description: The JSON or YAML content of the document.
+                    type: string
                   createdDate:
                     description: The date the document was created.
                     type: string
@@ -318,6 +364,14 @@ spec:
                   description:
                     description: The description of the document.
                     type: string
+                  documentFormat:
+                    description: 'The format of the document. Valid document types
+                      include: JSON and YAML'
+                    type: string
+                  documentType:
+                    description: 'The type of the document. Valid document types include:
+                      Automation, Command, Package, Policy, and Session'
+                    type: string
                   documentVersion:
                     description: The document version.
                     type: string
@@ -355,6 +409,12 @@ spec:
                           type: string
                       type: object
                     type: array
+                  permissions:
+                    additionalProperties:
+                      type: string
+                    description: Additional Permissions to attach to the document.
+                      See Permissions below for details.
+                    type: object
                   platformTypes:
                     description: A list of OS platforms compatible with this SSM document,
                       either "Windows" or "Linux".
@@ -368,6 +428,11 @@ spec:
                     description: '"Creating", "Active" or "Deleting". The current
                       status of the document.'
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -375,6 +440,18 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  targetType:
+                    description: The target type which defines the kinds of resources
+                      the document can run on. For example, /AWS::EC2::Instance. For
+                      a list of valid resource types, see AWS Resource Types Reference
+                      (http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html)
+                    type: string
+                  versionName:
+                    description: A field specifying the version of the artifact you
+                      are creating with the document. For example, "Release 12, Update
+                      6". This value is unique across all versions of a document and
+                      cannot be changed for an existing document version.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssm.aws.upbound.io_maintenancewindows.yaml b/package/crds/ssm.aws.upbound.io_maintenancewindows.yaml
index 6041748a91..604115c9e9 100644
--- a/package/crds/ssm.aws.upbound.io_maintenancewindows.yaml
+++ b/package/crds/ssm.aws.upbound.io_maintenancewindows.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -117,12 +121,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - cutoff
-                - duration
-                - name
                 - region
-                - schedule
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -294,14 +309,71 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: cutoff is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.cutoff)
+            - message: duration is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.duration)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: schedule is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.schedule)
           status:
             description: MaintenanceWindowStatus defines the observed state of MaintenanceWindow.
             properties:
               atProvider:
                 properties:
+                  allowUnassociatedTargets:
+                    description: Whether targets must be registered with the Maintenance
+                      Window before tasks can be defined for those targets.
+                    type: boolean
+                  cutoff:
+                    description: The number of hours before the end of the Maintenance
+                      Window that Systems Manager stops scheduling new tasks for execution.
+                    type: number
+                  description:
+                    description: A description for the maintenance window.
+                    type: string
+                  duration:
+                    description: The duration of the Maintenance Window in hours.
+                    type: number
+                  enabled:
+                    description: 'Whether the maintenance window is enabled. Default:
+                      true.'
+                    type: boolean
+                  endDate:
+                    description: Timestamp in ISO-8601 extended format when to no
+                      longer run the maintenance window.
+                    type: string
                   id:
                     description: The ID of the maintenance window.
                     type: string
+                  name:
+                    description: The name of the maintenance window.
+                    type: string
+                  schedule:
+                    description: The schedule of the Maintenance Window in the form
+                      of a cron or rate expression.
+                    type: string
+                  scheduleOffset:
+                    description: The number of days to wait after the date and time
+                      specified by a CRON expression before running the maintenance
+                      window.
+                    type: number
+                  scheduleTimezone:
+                    description: 'Timezone for schedule in Internet Assigned Numbers
+                      Authority (IANA) Time Zone Database format. For example: America/Los_Angeles,
+                      etc/UTC, or Asia/Seoul.'
+                    type: string
+                  startDate:
+                    description: Timestamp in ISO-8601 extended format when to begin
+                      the maintenance window.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ssm.aws.upbound.io_maintenancewindowtargets.yaml b/package/crds/ssm.aws.upbound.io_maintenancewindowtargets.yaml
index c7f9a9c7de..71c7b36a8a 100644
--- a/package/crds/ssm.aws.upbound.io_maintenancewindowtargets.yaml
+++ b/package/crds/ssm.aws.upbound.io_maintenancewindowtargets.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -184,9 +188,22 @@ spec:
                     type: object
                 required:
                 - region
-                - resourceType
-                - targets
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -358,15 +375,55 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: resourceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceType)
+            - message: targets is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.targets)
           status:
             description: MaintenanceWindowTargetStatus defines the observed state
               of MaintenanceWindowTarget.
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: The description of the maintenance window target.
+                    type: string
                   id:
                     description: The ID of the maintenance window target.
                     type: string
+                  name:
+                    description: The name of the maintenance window target.
+                    type: string
+                  ownerInformation:
+                    description: User-provided value that will be included in any
+                      CloudWatch events raised while running tasks for these targets
+                      in this Maintenance Window.
+                    type: string
+                  resourceType:
+                    description: The type of target being registered with the Maintenance
+                      Window. Possible values are INSTANCE and RESOURCE_GROUP.
+                    type: string
+                  targets:
+                    description: The targets to register with the maintenance window.
+                      In other words, the instances to run commands on when the maintenance
+                      window runs. You can specify targets using instance IDs, resource
+                      group names, or tags that have been applied to instances. For
+                      more information about these examples formats see (https://docs.aws.amazon.com/systems-manager/latest/userguide/mw-cli-tutorial-targets-examples.html)
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        values:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  windowId:
+                    description: The Id of the maintenance window to register the
+                      target with.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssm.aws.upbound.io_maintenancewindowtasks.yaml b/package/crds/ssm.aws.upbound.io_maintenancewindowtasks.yaml
index 03da375648..b3208d99f5 100644
--- a/package/crds/ssm.aws.upbound.io_maintenancewindowtasks.yaml
+++ b/package/crds/ssm.aws.upbound.io_maintenancewindowtasks.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -801,8 +805,22 @@ spec:
                     type: object
                 required:
                 - region
-                - taskType
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -974,6 +992,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: taskType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.taskType)
           status:
             description: MaintenanceWindowTaskStatus defines the observed state of
               MaintenanceWindowTask.
@@ -983,9 +1004,231 @@ spec:
                   arn:
                     description: The ARN of the maintenance window task.
                     type: string
+                  cutoffBehavior:
+                    description: Indicates whether tasks should continue to run after
+                      the cutoff time specified in the maintenance windows is reached.
+                      Valid values are CONTINUE_TASK and CANCEL_TASK.
+                    type: string
+                  description:
+                    description: The description of the maintenance window task.
+                    type: string
                   id:
                     description: The ID of the maintenance window task.
                     type: string
+                  maxConcurrency:
+                    description: The maximum number of targets this task can be run
+                      for in parallel.
+                    type: string
+                  maxErrors:
+                    description: The maximum number of errors allowed before this
+                      task stops being scheduled.
+                    type: string
+                  name:
+                    description: The name of the maintenance window task.
+                    type: string
+                  priority:
+                    description: The priority of the task in the Maintenance Window,
+                      the lower the number the higher the priority. Tasks in a Maintenance
+                      Window are scheduled in priority order with tasks that have
+                      the same priority scheduled in parallel.
+                    type: number
+                  serviceRoleArn:
+                    description: The role that should be assumed when executing the
+                      task. If a role is not provided, Systems Manager uses your account's
+                      service-linked role. If no service-linked role for Systems Manager
+                      exists in your account, it is created for you.
+                    type: string
+                  targets:
+                    description: The targets (either instances or window target ids).
+                      Instances are specified using Key=InstanceIds,Values=instanceid1,instanceid2.
+                      Window target ids are specified using Key=WindowTargetIds,Values=window
+                      target id1, window target id2.
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        values:
+                          description: The array of strings.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  taskArn:
+                    description: The ARN of the task to execute.
+                    type: string
+                  taskInvocationParameters:
+                    description: Configuration block with parameters for task execution.
+                    items:
+                      properties:
+                        automationParameters:
+                          description: The parameters for an AUTOMATION task type.
+                            Documented below.
+                          items:
+                            properties:
+                              documentVersion:
+                                description: The version of an Automation document
+                                  to use during task execution.
+                                type: string
+                              parameter:
+                                description: The parameters for the RUN_COMMAND task
+                                  execution. Documented below.
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the maintenance window
+                                        task.
+                                      type: string
+                                    values:
+                                      description: The array of strings.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        lambdaParameters:
+                          description: The parameters for a LAMBDA task type. Documented
+                            below.
+                          items:
+                            properties:
+                              clientContext:
+                                description: Pass client-specific information to the
+                                  Lambda function that you are invoking.
+                                type: string
+                              qualifier:
+                                description: Specify a Lambda function version or
+                                  alias name.
+                                type: string
+                            type: object
+                          type: array
+                        runCommandParameters:
+                          description: The parameters for a RUN_COMMAND task type.
+                            Documented below.
+                          items:
+                            properties:
+                              cloudwatchConfig:
+                                description: Configuration options for sending command
+                                  output to CloudWatch Logs. Documented below.
+                                items:
+                                  properties:
+                                    cloudwatchLogGroupName:
+                                      description: 'The name of the CloudWatch log
+                                        group where you want to send command output.
+                                        If you don''t specify a group name, Systems
+                                        Manager automatically creates a log group
+                                        for you. The log group uses the following
+                                        naming format: aws/ssm/SystemsManagerDocumentName.'
+                                      type: string
+                                    cloudwatchOutputEnabled:
+                                      description: Enables Systems Manager to send
+                                        command output to CloudWatch Logs.
+                                      type: boolean
+                                  type: object
+                                type: array
+                              comment:
+                                description: Information about the command(s) to execute.
+                                type: string
+                              documentHash:
+                                description: The SHA-256 or SHA-1 hash created by
+                                  the system when the document was created. SHA-1
+                                  hashes have been deprecated.
+                                type: string
+                              documentHashType:
+                                description: 'SHA-256 or SHA-1. SHA-1 hashes have
+                                  been deprecated. Valid values: Sha256 and Sha1'
+                                type: string
+                              documentVersion:
+                                description: The version of an Automation document
+                                  to use during task execution.
+                                type: string
+                              notificationConfig:
+                                description: Configurations for sending notifications
+                                  about command status changes on a per-instance basis.
+                                  Documented below.
+                                items:
+                                  properties:
+                                    notificationArn:
+                                      description: An Amazon Resource Name (ARN) for
+                                        a Simple Notification Service (SNS) topic.
+                                        Run Command pushes notifications about command
+                                        status changes to this topic.
+                                      type: string
+                                    notificationEvents:
+                                      description: 'The different events for which
+                                        you can receive notifications. Valid values:
+                                        All, InProgress, Success, TimedOut, Cancelled,
+                                        and Failed'
+                                      items:
+                                        type: string
+                                      type: array
+                                    notificationType:
+                                      description: 'When specified with Command, receive
+                                        notification when the status of a command
+                                        changes. When specified with Invocation, for
+                                        commands sent to multiple instances, receive
+                                        notification on a per-instance basis when
+                                        the status of a command changes. Valid values:
+                                        Command and Invocation'
+                                      type: string
+                                  type: object
+                                type: array
+                              outputS3Bucket:
+                                description: The name of the Amazon S3 bucket.
+                                type: string
+                              outputS3KeyPrefix:
+                                description: The Amazon S3 bucket subfolder.
+                                type: string
+                              parameter:
+                                description: The parameters for the RUN_COMMAND task
+                                  execution. Documented below.
+                                items:
+                                  properties:
+                                    name:
+                                      description: The name of the maintenance window
+                                        task.
+                                      type: string
+                                    values:
+                                      description: The array of strings.
+                                      items:
+                                        type: string
+                                      type: array
+                                  type: object
+                                type: array
+                              serviceRoleArn:
+                                description: The role that should be assumed when
+                                  executing the task. If a role is not provided, Systems
+                                  Manager uses your account's service-linked role.
+                                  If no service-linked role for Systems Manager exists
+                                  in your account, it is created for you.
+                                type: string
+                              timeoutSeconds:
+                                description: If this time is reached and the command
+                                  has not already started executing, it doesn't run.
+                                type: number
+                            type: object
+                          type: array
+                        stepFunctionsParameters:
+                          description: The parameters for a STEP_FUNCTIONS task type.
+                            Documented below.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the maintenance window task.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  taskType:
+                    description: 'The type of task being registered. Valid values:
+                      AUTOMATION, LAMBDA, RUN_COMMAND or STEP_FUNCTIONS.'
+                    type: string
+                  windowId:
+                    description: The Id of the maintenance window to register the
+                      task with.
+                    type: string
                   windowTaskId:
                     description: The ID of the maintenance window task.
                     type: string
diff --git a/package/crds/ssm.aws.upbound.io_parameters.yaml b/package/crds/ssm.aws.upbound.io_parameters.yaml
index 4d9ce53900..039444482f 100644
--- a/package/crds/ssm.aws.upbound.io_parameters.yaml
+++ b/package/crds/ssm.aws.upbound.io_parameters.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -131,8 +135,22 @@ spec:
                     type: object
                 required:
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -304,19 +322,64 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: ParameterStatus defines the observed state of Parameter.
             properties:
               atProvider:
                 properties:
+                  allowedPattern:
+                    description: Regular expression used to validate the parameter
+                      value.
+                    type: string
+                  arn:
+                    description: ARN of the parameter.
+                    type: string
+                  dataType:
+                    description: 'Data type of the parameter. Valid values: text,
+                      aws:ssm:integration and aws:ec2:image for AMI format, see the
+                      Native parameter support for Amazon Machine Image IDs.'
+                    type: string
+                  description:
+                    description: Description of the parameter.
+                    type: string
                   id:
                     type: string
+                  insecureValue:
+                    description: Value of the parameter. This argument is not valid
+                      with a type of SecureString.
+                    type: string
+                  keyId:
+                    description: KMS key ID or ARN for encrypting a SecureString.
+                    type: string
+                  overwrite:
+                    description: Overwrite an existing parameter.
+                    type: boolean
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     description: Map of tags assigned to the resource, including those
                       inherited from the provider default_tags configuration block.
                     type: object
+                  tier:
+                    description: Parameter tier to assign to the parameter. If not
+                      specified, will use the default parameter tier for the region.
+                      Valid tiers are Standard, Advanced, and Intelligent-Tiering.
+                      Downgrading an Advanced tier parameter to Standard will recreate
+                      the resource. For more information on parameter tiers, see the
+                      AWS SSM Parameter tier comparison and guide.
+                    type: string
+                  type:
+                    description: Type of the parameter. Valid types are String, StringList
+                      and SecureString.
+                    type: string
                   version:
                     description: Version of the parameter.
                     type: number
diff --git a/package/crds/ssm.aws.upbound.io_patchbaselines.yaml b/package/crds/ssm.aws.upbound.io_patchbaselines.yaml
index 77435ee025..a336c23e14 100644
--- a/package/crds/ssm.aws.upbound.io_patchbaselines.yaml
+++ b/package/crds/ssm.aws.upbound.io_patchbaselines.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -213,9 +217,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -387,17 +405,152 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: PatchBaselineStatus defines the observed state of PatchBaseline.
             properties:
               atProvider:
                 properties:
+                  approvalRule:
+                    description: A set of rules used to include patches in the baseline.
+                      Up to 10 approval rules can be specified. See approval_rule
+                      below.
+                    items:
+                      properties:
+                        approveAfterDays:
+                          description: 'The number of days after the release date
+                            of each patch matched by the rule the patch is marked
+                            as approved in the patch baseline. Valid Range: 0 to 100.
+                            Conflicts with approve_until_date.'
+                          type: number
+                        approveUntilDate:
+                          description: The cutoff date for auto approval of released
+                            patches. Any patches released on or before this date are
+                            installed automatically. Date is formatted as YYYY-MM-DD.
+                            Conflicts with approve_after_days
+                          type: string
+                        complianceLevel:
+                          description: The compliance level for patches approved by
+                            this rule. Valid values are CRITICAL, HIGH, MEDIUM, LOW,
+                            INFORMATIONAL, and UNSPECIFIED. The default value is UNSPECIFIED.
+                          type: string
+                        enableNonSecurity:
+                          description: Boolean enabling the application of non-security
+                            updates. The default value is false. Valid for Linux instances
+                            only.
+                          type: boolean
+                        patchFilter:
+                          description: The patch filter group that defines the criteria
+                            for the rule. Up to 5 patch filters can be specified per
+                            approval rule using Key/Value pairs. Valid combinations
+                            of these Keys and the operating_system value can be found
+                            in the SSM DescribePatchProperties API Reference. Valid
+                            Values are exact values for the patch property given as
+                            the key, or a wildcard *, which matches all values.
+                          items:
+                            properties:
+                              key:
+                                type: string
+                              values:
+                                items:
+                                  type: string
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  approvedPatches:
+                    description: A list of explicitly approved patches for the baseline.
+                      Cannot be specified with approval_rule.
+                    items:
+                      type: string
+                    type: array
+                  approvedPatchesComplianceLevel:
+                    description: The compliance level for approved patches. This means
+                      that if an approved patch is reported as missing, this is the
+                      severity of the compliance violation. Valid values are CRITICAL,
+                      HIGH, MEDIUM, LOW, INFORMATIONAL, UNSPECIFIED. The default value
+                      is UNSPECIFIED.
+                    type: string
+                  approvedPatchesEnableNonSecurity:
+                    description: Indicates whether the list of approved patches includes
+                      non-security updates that should be applied to the instances.
+                      Applies to Linux instances only.
+                    type: boolean
                   arn:
                     description: The ARN of the patch baseline.
                     type: string
+                  description:
+                    description: The description of the patch baseline.
+                    type: string
+                  globalFilter:
+                    description: A set of global filters used to exclude patches from
+                      the baseline. Up to 4 global filters can be specified using
+                      Key/Value pairs. Valid Keys are PRODUCT, CLASSIFICATION, MSRC_SEVERITY,
+                      and PATCH_ID.
+                    items:
+                      properties:
+                        key:
+                          type: string
+                        values:
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
                   id:
                     description: The ID of the patch baseline.
                     type: string
+                  name:
+                    description: The name of the patch baseline.
+                    type: string
+                  operatingSystem:
+                    description: The operating system the patch baseline applies to.
+                      Valid values are AMAZON_LINUX, AMAZON_LINUX_2, AMAZON_LINUX_2022,
+                      CENTOS, DEBIAN, MACOS, ORACLE_LINUX, RASPBIAN, REDHAT_ENTERPRISE_LINUX,
+                      ROCKY_LINUX, SUSE, UBUNTU, and WINDOWS. The default value is
+                      WINDOWS.
+                    type: string
+                  rejectedPatches:
+                    description: A list of rejected patches.
+                    items:
+                      type: string
+                    type: array
+                  rejectedPatchesAction:
+                    description: The action for Patch Manager to take on patches included
+                      in the rejected_patches list. Valid values are ALLOW_AS_DEPENDENCY
+                      and BLOCK.
+                    type: string
+                  source:
+                    description: Configuration block with alternate sources for patches.
+                      Applies to Linux instances only. See source below.
+                    items:
+                      properties:
+                        configuration:
+                          description: The value of the yum repo configuration. For
+                            information about other options available for your yum
+                            repository configuration, see the dnf.conf documentation
+                          type: string
+                        name:
+                          description: The name specified to identify the patch source.
+                          type: string
+                        products:
+                          description: The specific operating system versions a patch
+                            repository applies to, such as "Ubuntu16.04", "AmazonLinux2016.09",
+                            "RedhatEnterpriseLinux7.2" or "Suse12.7". For lists of
+                            supported product values, see PatchFilter.
+                          items:
+                            type: string
+                          type: array
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/ssm.aws.upbound.io_patchgroups.yaml b/package/crds/ssm.aws.upbound.io_patchgroups.yaml
index 42dfdda5b8..25b15b80c7 100644
--- a/package/crds/ssm.aws.upbound.io_patchgroups.yaml
+++ b/package/crds/ssm.aws.upbound.io_patchgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,9 +154,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - patchGroup
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -324,15 +342,26 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: patchGroup is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.patchGroup)
           status:
             description: PatchGroupStatus defines the observed state of PatchGroup.
             properties:
               atProvider:
                 properties:
+                  baselineId:
+                    description: The ID of the patch baseline to register the patch
+                      group with.
+                    type: string
                   id:
                     description: The name of the patch group and ID of the patch baseline
                       separated by a comma (,).
                     type: string
+                  patchGroup:
+                    description: The name of the patch group that should be registered
+                      with the patch baseline.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssm.aws.upbound.io_resourcedatasyncs.yaml b/package/crds/ssm.aws.upbound.io_resourcedatasyncs.yaml
index 46c89fdb19..ea556f7722 100644
--- a/package/crds/ssm.aws.upbound.io_resourcedatasyncs.yaml
+++ b/package/crds/ssm.aws.upbound.io_resourcedatasyncs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -248,8 +252,22 @@ spec:
                     type: array
                 required:
                 - region
-                - s3Destination
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -421,6 +439,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: s3Destination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.s3Destination)
           status:
             description: ResourceDataSyncStatus defines the observed state of ResourceDataSync.
             properties:
@@ -428,6 +449,31 @@ spec:
                 properties:
                   id:
                     type: string
+                  s3Destination:
+                    description: Amazon S3 configuration details for the sync.
+                    items:
+                      properties:
+                        bucketName:
+                          description: Name of S3 bucket where the aggregated data
+                            is stored.
+                          type: string
+                        kmsKeyArn:
+                          description: ARN of an encryption key for a destination
+                            in Amazon S3.
+                          type: string
+                        prefix:
+                          description: Prefix for the bucket.
+                          type: string
+                        region:
+                          description: Region with the bucket targeted by the Resource
+                            Data Sync.
+                          type: string
+                        syncFormat:
+                          description: A supported sync format. Only JsonSerDe is
+                            currently supported. Defaults to JsonSerDe.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssm.aws.upbound.io_servicesettings.yaml b/package/crds/ssm.aws.upbound.io_servicesettings.yaml
index ffcbb4a4ac..28c5ee76b5 100644
--- a/package/crds/ssm.aws.upbound.io_servicesettings.yaml
+++ b/package/crds/ssm.aws.upbound.io_servicesettings.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -76,9 +80,22 @@ spec:
                     type: string
                 required:
                 - region
-                - settingId
-                - settingValue
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -250,6 +267,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: settingId is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingId)
+            - message: settingValue is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.settingValue)
           status:
             description: ServiceSettingStatus defines the observed state of ServiceSetting.
             properties:
@@ -260,6 +282,12 @@ spec:
                     type: string
                   id:
                     type: string
+                  settingId:
+                    description: ID of the service setting.
+                    type: string
+                  settingValue:
+                    description: Value of the service setting.
+                    type: string
                   status:
                     description: Status of the service setting. Value can be Default,
                       Customized or PendingUpdate.
diff --git a/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml b/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml
index 5d30dc3794..550f0184af 100644
--- a/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml
+++ b/package/crds/ssoadmin.aws.upbound.io_accountassignments.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -99,6 +103,21 @@ spec:
                 - region
                 - targetId
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -280,6 +299,29 @@ spec:
                       principal_type, target_id, target_type, permission_set_arn,
                       instance_arn separated by commas (,).
                     type: string
+                  instanceArn:
+                    description: The Amazon Resource Name (ARN) of the SSO Instance.
+                    type: string
+                  permissionSetArn:
+                    description: The Amazon Resource Name (ARN) of the Permission
+                      Set that the admin wants to grant the principal access to.
+                    type: string
+                  principalId:
+                    description: An identifier for an object in SSO, such as a user
+                      or group. PrincipalIds are GUIDs (For example, f81d4fae-7dec-11d0-a765-00a0c91e6bf6).
+                    type: string
+                  principalType:
+                    description: 'The entity type for which the assignment will be
+                      created. Valid values: USER, GROUP.'
+                    type: string
+                  targetId:
+                    description: An AWS account identifier, typically a 10-12 digit
+                      string.
+                    type: string
+                  targetType:
+                    description: 'The entity type for which the assignment will be
+                      created. Valid values: AWS_ACCOUNT.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssoadmin.aws.upbound.io_managedpolicyattachments.yaml b/package/crds/ssoadmin.aws.upbound.io_managedpolicyattachments.yaml
index 406ba065a0..d84fbd1c52 100644
--- a/package/crds/ssoadmin.aws.upbound.io_managedpolicyattachments.yaml
+++ b/package/crds/ssoadmin.aws.upbound.io_managedpolicyattachments.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -162,6 +166,21 @@ spec:
                 - managedPolicyArn
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -343,9 +362,21 @@ spec:
                     description: The Amazon Resource Names (ARNs) of the Managed Policy,
                       Permission Set, and SSO Instance, separated by a comma (,).
                     type: string
+                  instanceArn:
+                    description: The Amazon Resource Name (ARN) of the SSO Instance
+                      under which the operation will be executed.
+                    type: string
+                  managedPolicyArn:
+                    description: The IAM managed policy Amazon Resource Name (ARN)
+                      to be attached to the Permission Set.
+                    type: string
                   managedPolicyName:
                     description: The name of the IAM Managed Policy.
                     type: string
+                  permissionSetArn:
+                    description: The Amazon Resource Name (ARN) of the Permission
+                      Set.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssoadmin.aws.upbound.io_permissionsetinlinepolicies.yaml b/package/crds/ssoadmin.aws.upbound.io_permissionsetinlinepolicies.yaml
index bddbde9aff..95797d8ce7 100644
--- a/package/crds/ssoadmin.aws.upbound.io_permissionsetinlinepolicies.yaml
+++ b/package/crds/ssoadmin.aws.upbound.io_permissionsetinlinepolicies.yaml
@@ -57,9 +57,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -232,9 +236,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - inlinePolicy
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -406,6 +424,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: inlinePolicy is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inlinePolicy)
           status:
             description: PermissionSetInlinePolicyStatus defines the observed state
               of PermissionSetInlinePolicy.
@@ -416,6 +437,17 @@ spec:
                     description: The Amazon Resource Names (ARNs) of the Permission
                       Set and SSO Instance, separated by a comma (,).
                     type: string
+                  inlinePolicy:
+                    description: The IAM inline policy to attach to a Permission Set.
+                    type: string
+                  instanceArn:
+                    description: The Amazon Resource Name (ARN) of the SSO Instance
+                      under which the operation will be executed.
+                    type: string
+                  permissionSetArn:
+                    description: The Amazon Resource Name (ARN) of the Permission
+                      Set.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/ssoadmin.aws.upbound.io_permissionsets.yaml b/package/crds/ssoadmin.aws.upbound.io_permissionsets.yaml
index 6ed6df3d9d..aa4bc29035 100644
--- a/package/crds/ssoadmin.aws.upbound.io_permissionsets.yaml
+++ b/package/crds/ssoadmin.aws.upbound.io_permissionsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -92,10 +96,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - instanceArn
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -267,6 +284,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: instanceArn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.instanceArn)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: PermissionSetStatus defines the observed state of PermissionSet.
             properties:
@@ -280,10 +302,33 @@ spec:
                     description: The date the Permission Set was created in RFC3339
                       format.
                     type: string
+                  description:
+                    description: The description of the Permission Set.
+                    type: string
                   id:
                     description: The Amazon Resource Names (ARNs) of the Permission
                       Set and SSO Instance, separated by a comma (,).
                     type: string
+                  instanceArn:
+                    description: The Amazon Resource Name (ARN) of the SSO Instance
+                      under which the operation will be executed.
+                    type: string
+                  name:
+                    description: The name of the Permission Set.
+                    type: string
+                  relayState:
+                    description: The relay state URL used to redirect users within
+                      the application during the federation authentication process.
+                    type: string
+                  sessionDuration:
+                    description: 'The length of time that the application user sessions
+                      are valid in the ISO-8601 standard. Default: PT1H.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/swf.aws.upbound.io_domains.yaml b/package/crds/swf.aws.upbound.io_domains.yaml
index d389529a68..3f73e6afb7 100644
--- a/package/crds/swf.aws.upbound.io_domains.yaml
+++ b/package/crds/swf.aws.upbound.io_domains.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -83,8 +87,22 @@ spec:
                     type: string
                 required:
                 - region
-                - workflowExecutionRetentionPeriodInDays
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -256,6 +274,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: workflowExecutionRetentionPeriodInDays is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.workflowExecutionRetentionPeriodInDays)
           status:
             description: DomainStatus defines the observed state of Domain.
             properties:
@@ -264,9 +285,17 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN)
                     type: string
+                  description:
+                    description: The domain description.
+                    type: string
                   id:
                     description: The name of the domain.
                     type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -274,6 +303,11 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  workflowExecutionRetentionPeriodInDays:
+                    description: Length of time that SWF will continue to retain information
+                      about the workflow execution after the workflow execution is
+                      complete, must be between 0 and 90 days.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/timestreamwrite.aws.upbound.io_databases.yaml b/package/crds/timestreamwrite.aws.upbound.io_databases.yaml
index 799f93bf8b..8678d543a0 100644
--- a/package/crds/timestreamwrite.aws.upbound.io_databases.yaml
+++ b/package/crds/timestreamwrite.aws.upbound.io_databases.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -156,6 +160,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -338,10 +357,22 @@ spec:
                   id:
                     description: The name of the Timestream database.
                     type: string
+                  kmsKeyId:
+                    description: The ARN (not Alias ARN) of the KMS key to be used
+                      to encrypt the data stored in the database. If the KMS key is
+                      not specified, the database will be encrypted with a Timestream
+                      managed KMS key located in your account. Refer to AWS managed
+                      KMS keys for more info.
+                    type: string
                   tableCount:
                     description: The total number of tables found within the Timestream
                       database.
                     type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/timestreamwrite.aws.upbound.io_tables.yaml b/package/crds/timestreamwrite.aws.upbound.io_tables.yaml
index 5c9ace7ed7..c3c62e5ceb 100644
--- a/package/crds/timestreamwrite.aws.upbound.io_tables.yaml
+++ b/package/crds/timestreamwrite.aws.upbound.io_tables.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -229,6 +233,21 @@ spec:
                 - region
                 - tableName
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -408,10 +427,89 @@ spec:
                   arn:
                     description: The ARN that uniquely identifies this table.
                     type: string
+                  databaseName:
+                    description: –  The name of the Timestream database.
+                    type: string
                   id:
                     description: The table_name and database_name separated by a colon
                       (:).
                     type: string
+                  magneticStoreWriteProperties:
+                    description: Contains properties to set on the table when enabling
+                      magnetic store writes. See Magnetic Store Write Properties below
+                      for more details.
+                    items:
+                      properties:
+                        enableMagneticStoreWrites:
+                          description: A flag to enable magnetic store writes.
+                          type: boolean
+                        magneticStoreRejectedDataLocation:
+                          description: The location to write error reports for records
+                            rejected asynchronously during magnetic store writes.
+                            See Magnetic Store Rejected Data Location below for more
+                            details.
+                          items:
+                            properties:
+                              s3Configuration:
+                                description: Configuration of an S3 location to write
+                                  error reports for records rejected, asynchronously,
+                                  during magnetic store writes. See S3 Configuration
+                                  below for more details.
+                                items:
+                                  properties:
+                                    bucketName:
+                                      description: Bucket name of the customer S3
+                                        bucket.
+                                      type: string
+                                    encryptionOption:
+                                      description: Encryption option for the customer
+                                        s3 location. Options are S3 server side encryption
+                                        with an S3-managed key or KMS managed key.
+                                        Valid values are SSE_KMS and SSE_S3.
+                                      type: string
+                                    kmsKeyId:
+                                      description: KMS key arn for the customer s3
+                                        location when encrypting with a KMS managed
+                                        key.
+                                      type: string
+                                    objectKeyPrefix:
+                                      description: Object key prefix for the customer
+                                        S3 location.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  retentionProperties:
+                    description: The retention duration for the memory store and magnetic
+                      store. See Retention Properties below for more details. If not
+                      provided, magnetic_store_retention_period_in_days default to
+                      73000 and memory_store_retention_period_in_hours defaults to
+                      6.
+                    items:
+                      properties:
+                        magneticStoreRetentionPeriodInDays:
+                          description: The duration for which data must be stored
+                            in the magnetic store. Minimum value of 1. Maximum value
+                            of 73000.
+                          type: number
+                        memoryStoreRetentionPeriodInHours:
+                          description: The duration for which data must be stored
+                            in the memory store. Minimum value of 1. Maximum value
+                            of 8766.
+                          type: number
+                      type: object
+                    type: array
+                  tableName:
+                    description: The name of the Timestream table.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/transcribe.aws.upbound.io_languagemodels.yaml b/package/crds/transcribe.aws.upbound.io_languagemodels.yaml
index a3e1ff9b10..ec6850bf28 100644
--- a/package/crds/transcribe.aws.upbound.io_languagemodels.yaml
+++ b/package/crds/transcribe.aws.upbound.io_languagemodels.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -174,11 +178,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - baseModelName
-                - inputDataConfig
-                - languageCode
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -350,6 +366,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: baseModelName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.baseModelName)
+            - message: inputDataConfig is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.inputDataConfig)
+            - message: languageCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)
           status:
             description: LanguageModelStatus defines the observed state of LanguageModel.
             properties:
@@ -358,9 +381,37 @@ spec:
                   arn:
                     description: ARN of the LanguageModel.
                     type: string
+                  baseModelName:
+                    description: Name of reference base model.
+                    type: string
                   id:
                     description: LanguageModel name.
                     type: string
+                  inputDataConfig:
+                    description: The input data config for the LanguageModel. See
+                      Input Data Config for more details.
+                    items:
+                      properties:
+                        dataAccessRoleArn:
+                          description: IAM role with access to S3 bucket.
+                          type: string
+                        s3Uri:
+                          description: S3 URI where training data is located.
+                          type: string
+                        tuningDataS3Uri:
+                          description: S3 URI where tuning data is located.
+                          type: string
+                      type: object
+                    type: array
+                  languageCode:
+                    description: The language code you selected for your language
+                      model. Refer to the supported languages page for accepted codes.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/transcribe.aws.upbound.io_vocabularies.yaml b/package/crds/transcribe.aws.upbound.io_vocabularies.yaml
index 2bc8cadf66..9c6fc64b97 100644
--- a/package/crds/transcribe.aws.upbound.io_vocabularies.yaml
+++ b/package/crds/transcribe.aws.upbound.io_vocabularies.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -86,9 +90,23 @@ spec:
                       contains your custom vocabulary.
                     type: string
                 required:
-                - languageCode
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -260,6 +278,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: languageCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)
           status:
             description: VocabularyStatus defines the observed state of Vocabulary.
             properties:
@@ -274,10 +295,28 @@ spec:
                   id:
                     description: Name of the Vocabulary.
                     type: string
+                  languageCode:
+                    description: The language code you selected for your vocabulary.
+                    type: string
+                  phrases:
+                    description: '- A list of terms to include in the vocabulary.
+                      Conflicts with vocabulary_file_uri'
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  vocabularyFileUri:
+                    description: The Amazon S3 location (URI) of the text file that
+                      contains your custom vocabulary.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/transcribe.aws.upbound.io_vocabularyfilters.yaml b/package/crds/transcribe.aws.upbound.io_vocabularyfilters.yaml
index 099206363a..e769c4c71e 100644
--- a/package/crds/transcribe.aws.upbound.io_vocabularyfilters.yaml
+++ b/package/crds/transcribe.aws.upbound.io_vocabularyfilters.yaml
@@ -54,9 +54,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -87,9 +91,23 @@ spec:
                       type: string
                     type: array
                 required:
-                - languageCode
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -261,6 +279,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: languageCode is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.languageCode)
           status:
             description: VocabularyFilterStatus defines the observed state of VocabularyFilter.
             properties:
@@ -275,10 +296,29 @@ spec:
                   id:
                     description: VocabularyFilter name.
                     type: string
+                  languageCode:
+                    description: The language code you selected for your vocabulary
+                      filter. Refer to the supported languages page for accepted codes.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
                     type: object
+                  vocabularyFilterFileUri:
+                    description: The Amazon S3 location (URI) of the text file that
+                      contains your custom VocabularyFilter. Conflicts with words.
+                    type: string
+                  words:
+                    description: '- A list of terms to include in the vocabulary.
+                      Conflicts with vocabulary_file_uri'
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/transfer.aws.upbound.io_servers.yaml b/package/crds/transfer.aws.upbound.io_servers.yaml
index c9c1b0746e..c58df5ef95 100644
--- a/package/crds/transfer.aws.upbound.io_servers.yaml
+++ b/package/crds/transfer.aws.upbound.io_servers.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -496,6 +500,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -675,9 +694,82 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of Transfer Server
                     type: string
+                  certificate:
+                    description: The Amazon Resource Name (ARN) of the AWS Certificate
+                      Manager (ACM) certificate. This is required when protocols is
+                      set to FTPS
+                    type: string
+                  directoryId:
+                    description: The directory service ID of the directory service
+                      you want to connect to with an identity_provider_type of AWS_DIRECTORY_SERVICE.
+                    type: string
+                  domain:
+                    description: 'The domain of the storage system that is used for
+                      file transfers. Valid values are: S3 and EFS. The default value
+                      is S3.'
+                    type: string
                   endpoint:
                     description: The endpoint of the Transfer Server (e.g., s-12345678.server.transfer.REGION.amazonaws.com)
                     type: string
+                  endpointDetails:
+                    description: The virtual private cloud (VPC) endpoint settings
+                      that you want to configure for your SFTP server. Fields documented
+                      below.
+                    items:
+                      properties:
+                        addressAllocationIds:
+                          description: A list of address allocation IDs that are required
+                            to attach an Elastic IP address to your SFTP server's
+                            endpoint. This property can only be used when endpoint_type
+                            is set to VPC.
+                          items:
+                            type: string
+                          type: array
+                        securityGroupIds:
+                          description: A list of security groups IDs that are available
+                            to attach to your server's endpoint. If no security groups
+                            are specified, the VPC's default security groups are automatically
+                            assigned to your endpoint. This property can only be used
+                            when endpoint_type is set to VPC.
+                          items:
+                            type: string
+                          type: array
+                        subnetIds:
+                          description: A list of subnet IDs that are required to host
+                            your SFTP server endpoint in your VPC. This property can
+                            only be used when endpoint_type is set to VPC.
+                          items:
+                            type: string
+                          type: array
+                        vpcEndpointId:
+                          description: The ID of the VPC endpoint. This property can
+                            only be used when endpoint_type is set to VPC_ENDPOINT
+                          type: string
+                        vpcId:
+                          description: The VPC ID of the virtual private cloud in
+                            which the SFTP server's endpoint will be hosted. This
+                            property can only be used when endpoint_type is set to
+                            VPC.
+                          type: string
+                      type: object
+                    type: array
+                  endpointType:
+                    description: The type of endpoint that you want your SFTP server
+                      connect to. If you connect to a VPC (or VPC_ENDPOINT), your
+                      SFTP server isn't accessible over the public internet. If you
+                      want to connect your SFTP server via public internet, set PUBLIC.  Defaults
+                      to PUBLIC.
+                    type: string
+                  forceDestroy:
+                    description: A boolean that indicates all users associated with
+                      the server should be deleted so that the Server can be destroyed
+                      without error. The default value is false. This option only
+                      applies to servers configured with a SERVICE_MANAGED identity_provider_type.
+                    type: boolean
+                  function:
+                    description: The ARN for a lambda function to use for the Identity
+                      provider.
+                    type: string
                   hostKeyFingerprint:
                     description: This value contains the message-digest algorithm
                       (MD5) hash of the server's host key. This value is equivalent
@@ -687,6 +779,49 @@ spec:
                   id:
                     description: The Server ID of the Transfer Server (e.g., s-12345678)
                     type: string
+                  identityProviderType:
+                    description: The mode of authentication enabled for this service.
+                      The default value is SERVICE_MANAGED, which allows you to store
+                      and access SFTP user credentials within the service. API_GATEWAY
+                      indicates that user authentication requires a call to an API
+                      Gateway endpoint URL provided by you to integrate an identity
+                      provider of your choice. Using AWS_DIRECTORY_SERVICE will allow
+                      for authentication against AWS Managed Active Directory or Microsoft
+                      Active Directory in your on-premises environment, or in AWS
+                      using AD Connectors. Use the AWS_LAMBDA value to directly use
+                      a Lambda function as your identity provider. If you choose this
+                      value, you must specify the ARN for the lambda function in the
+                      function argument.
+                    type: string
+                  invocationRole:
+                    description: Amazon Resource Name (ARN) of the IAM role used to
+                      authenticate the user account with an identity_provider_type
+                      of API_GATEWAY.
+                    type: string
+                  loggingRole:
+                    description: Amazon Resource Name (ARN) of an IAM role that allows
+                      the service to write your SFTP users’ activity to your Amazon
+                      CloudWatch logs for monitoring and auditing purposes.
+                    type: string
+                  protocols:
+                    description: 'Specifies the file transfer protocol or protocols
+                      over which your file transfer protocol client can connect to
+                      your server''s endpoint. This defaults to SFTP . The available
+                      protocols are:'
+                    items:
+                      type: string
+                    type: array
+                  securityPolicyName:
+                    description: 'Specifies the name of the security policy that is
+                      attached to the server. Possible values are TransferSecurityPolicy-2018-11,
+                      TransferSecurityPolicy-2020-06, TransferSecurityPolicy-FIPS-2020-06
+                      and TransferSecurityPolicy-2022-03. Default value is: TransferSecurityPolicy-2018-11.'
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -694,6 +829,34 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  url:
+                    description: '- URL of the service endpoint used to authenticate
+                      users with an identity_provider_type of API_GATEWAY.'
+                    type: string
+                  workflowDetails:
+                    description: Specifies the workflow details. See Workflow Details
+                      below.
+                    items:
+                      properties:
+                        onUpload:
+                          description: 'A trigger that starts a workflow: the workflow
+                            begins to execute after a file is uploaded. See Workflow
+                            Detail below.'
+                          items:
+                            properties:
+                              executionRole:
+                                description: Includes the necessary permissions for
+                                  S3, EFS, and Lambda operations that Transfer can
+                                  assume, so that all workflow steps can operate on
+                                  the required resources.
+                                type: string
+                              workflowId:
+                                description: A unique identifier for the workflow.
+                                type: string
+                            type: object
+                          type: array
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/transfer.aws.upbound.io_sshkeys.yaml b/package/crds/transfer.aws.upbound.io_sshkeys.yaml
index e952744a63..a4b331f94c 100644
--- a/package/crds/transfer.aws.upbound.io_sshkeys.yaml
+++ b/package/crds/transfer.aws.upbound.io_sshkeys.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -227,9 +231,23 @@ spec:
                         type: object
                     type: object
                 required:
-                - body
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -401,13 +419,28 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: body is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.body)
           status:
             description: SSHKeyStatus defines the observed state of SSHKey.
             properties:
               atProvider:
                 properties:
+                  body:
+                    description: (Requirement) The public key portion of an SSH key
+                      pair.
+                    type: string
                   id:
                     type: string
+                  serverId:
+                    description: (Requirement) The Server ID of the Transfer Server
+                      (e.g., s-12345678)
+                    type: string
+                  userName:
+                    description: (Requirement) The name of the user account that is
+                      assigned to one or more servers.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/transfer.aws.upbound.io_tags.yaml b/package/crds/transfer.aws.upbound.io_tags.yaml
index 5307813ebd..0066a0625c 100644
--- a/package/crds/transfer.aws.upbound.io_tags.yaml
+++ b/package/crds/transfer.aws.upbound.io_tags.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -152,10 +156,23 @@ spec:
                     description: Tag value.
                     type: string
                 required:
-                - key
                 - region
-                - value
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -327,6 +344,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: key is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.key)
+            - message: value is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.value)
           status:
             description: TagStatus defines the observed state of Tag.
             properties:
@@ -336,6 +358,16 @@ spec:
                     description: Transfer Family resource identifier and key, separated
                       by a comma (,)
                     type: string
+                  key:
+                    description: Tag name.
+                    type: string
+                  resourceArn:
+                    description: Amazon Resource Name (ARN) of the Transfer Family
+                      resource to tag.
+                    type: string
+                  value:
+                    description: Tag value.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/transfer.aws.upbound.io_users.yaml b/package/crds/transfer.aws.upbound.io_users.yaml
index 41b2c0cf65..0d47056734 100644
--- a/package/crds/transfer.aws.upbound.io_users.yaml
+++ b/package/crds/transfer.aws.upbound.io_users.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -294,6 +298,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -473,8 +492,79 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of Transfer User
                     type: string
+                  homeDirectory:
+                    description: The landing directory (folder) for a user when they
+                      log in to the server using their SFTP client.  It should begin
+                      with a /.  The first item in the path is the name of the home
+                      bucket (accessible as ${Transfer:HomeBucket} in the policy)
+                      and the rest is the home directory (accessible as ${Transfer:HomeDirectory}
+                      in the policy). For example, /example-bucket-1234/username would
+                      set the home bucket to example-bucket-1234 and the home directory
+                      to username.
+                    type: string
+                  homeDirectoryMappings:
+                    description: Logical directory mappings that specify what S3 paths
+                      and keys should be visible to your user and how you want to
+                      make them visible. See Home Directory Mappings below.
+                    items:
+                      properties:
+                        entry:
+                          description: Represents an entry and a target.
+                          type: string
+                        target:
+                          description: Represents the map target.
+                          type: string
+                      type: object
+                    type: array
+                  homeDirectoryType:
+                    description: The type of landing directory (folder) you mapped
+                      for your users' home directory. Valid values are PATH and LOGICAL.
+                    type: string
                   id:
                     type: string
+                  policy:
+                    description: An IAM JSON policy document that scopes down user
+                      access to portions of their Amazon S3 bucket. IAM variables
+                      you can use inside this policy include ${Transfer:UserName},
+                      ${Transfer:HomeDirectory}, and ${Transfer:HomeBucket}.  These
+                      are evaluated on-the-fly when navigating the bucket.
+                    type: string
+                  posixProfile:
+                    description: Specifies the full POSIX identity, including user
+                      ID (Uid), group ID (Gid), and any secondary groups IDs (SecondaryGids),
+                      that controls your users' access to your Amazon EFS file systems.
+                      See Posix Profile below.
+                    items:
+                      properties:
+                        gid:
+                          description: The POSIX group ID used for all EFS operations
+                            by this user.
+                          type: number
+                        secondaryGids:
+                          description: The secondary POSIX group IDs used for all
+                            EFS operations by this user.
+                          items:
+                            type: number
+                          type: array
+                        uid:
+                          description: The POSIX user ID used for all EFS operations
+                            by this user.
+                          type: number
+                      type: object
+                    type: array
+                  role:
+                    description: Amazon Resource Name (ARN) of an IAM role that allows
+                      the service to controls your user’s access to your Amazon S3
+                      bucket.
+                    type: string
+                  serverId:
+                    description: The Server ID of the Transfer Server (e.g., s-12345678)
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/transfer.aws.upbound.io_workflows.yaml b/package/crds/transfer.aws.upbound.io_workflows.yaml
index 860723b9d0..cd746cf5c0 100644
--- a/package/crds/transfer.aws.upbound.io_workflows.yaml
+++ b/package/crds/transfer.aws.upbound.io_workflows.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -489,8 +493,22 @@ spec:
                     type: object
                 required:
                 - region
-                - steps
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -662,6 +680,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: steps is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.steps)
           status:
             description: WorkflowStatus defines the observed state of Workflow.
             properties:
@@ -670,9 +691,338 @@ spec:
                   arn:
                     description: The Workflow ARN.
                     type: string
+                  description:
+                    description: A textual description for the workflow.
+                    type: string
                   id:
                     description: The Workflow id.
                     type: string
+                  onExceptionSteps:
+                    description: Specifies the steps (actions) to take if errors are
+                      encountered during execution of the workflow. See Workflow Steps
+                      below.
+                    items:
+                      properties:
+                        copyStepDetails:
+                          description: Details for a step that performs a file copy.
+                            See Copy Step Details below.
+                          items:
+                            properties:
+                              destinationFileLocation:
+                                description: Specifies the location for the file being
+                                  copied. Use ${Transfer:username} in this field to
+                                  parametrize the destination prefix by username.
+                                items:
+                                  properties:
+                                    efsFileLocation:
+                                      description: Specifies the details for the EFS
+                                        file being copied.
+                                      items:
+                                        properties:
+                                          fileSystemId:
+                                            description: The ID of the file system,
+                                              assigned by Amazon EFS.
+                                            type: string
+                                          path:
+                                            description: The pathname for the folder
+                                              being used by a workflow.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    s3FileLocation:
+                                      description: Specifies the details for the S3
+                                        file being copied.
+                                      items:
+                                        properties:
+                                          bucket:
+                                            description: Specifies the S3 bucket for
+                                              the customer input file.
+                                            type: string
+                                          key:
+                                            description: The name assigned to the
+                                              file when it was created in S3. You
+                                              use the object key to retrieve the object.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              overwriteExisting:
+                                description: A flag that indicates whether or not
+                                  to overwrite an existing file of the same name.
+                                  The default is FALSE. Valid values are TRUE and
+                                  FALSE.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                            type: object
+                          type: array
+                        customStepDetails:
+                          description: Details for a step that invokes a lambda function.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                              target:
+                                description: The ARN for the lambda function that
+                                  is being called.
+                                type: string
+                              timeoutSeconds:
+                                description: Timeout, in seconds, for the step.
+                                type: number
+                            type: object
+                          type: array
+                        deleteStepDetails:
+                          description: Details for a step that deletes the file.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                            type: object
+                          type: array
+                        tagStepDetails:
+                          description: Details for a step that creates one or more
+                            tags.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                              tags:
+                                description: Key-value map of resource tags.
+                                items:
+                                  properties:
+                                    key:
+                                      description: The name assigned to the file when
+                                        it was created in S3. You use the object key
+                                        to retrieve the object.
+                                      type: string
+                                    value:
+                                      description: The value that corresponds to the
+                                        key.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        type:
+                          description: One of the following step types are supported.
+                            COPY, CUSTOM, DELETE, and TAG.
+                          type: string
+                      type: object
+                    type: array
+                  steps:
+                    description: Specifies the details for the steps that are in the
+                      specified workflow. See Workflow Steps below.
+                    items:
+                      properties:
+                        copyStepDetails:
+                          description: Details for a step that performs a file copy.
+                            See Copy Step Details below.
+                          items:
+                            properties:
+                              destinationFileLocation:
+                                description: Specifies the location for the file being
+                                  copied. Use ${Transfer:username} in this field to
+                                  parametrize the destination prefix by username.
+                                items:
+                                  properties:
+                                    efsFileLocation:
+                                      description: Specifies the details for the EFS
+                                        file being copied.
+                                      items:
+                                        properties:
+                                          fileSystemId:
+                                            description: The ID of the file system,
+                                              assigned by Amazon EFS.
+                                            type: string
+                                          path:
+                                            description: The pathname for the folder
+                                              being used by a workflow.
+                                            type: string
+                                        type: object
+                                      type: array
+                                    s3FileLocation:
+                                      description: Specifies the details for the S3
+                                        file being copied.
+                                      items:
+                                        properties:
+                                          bucket:
+                                            description: Specifies the S3 bucket for
+                                              the customer input file.
+                                            type: string
+                                          key:
+                                            description: The name assigned to the
+                                              file when it was created in S3. You
+                                              use the object key to retrieve the object.
+                                            type: string
+                                        type: object
+                                      type: array
+                                  type: object
+                                type: array
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              overwriteExisting:
+                                description: A flag that indicates whether or not
+                                  to overwrite an existing file of the same name.
+                                  The default is FALSE. Valid values are TRUE and
+                                  FALSE.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                            type: object
+                          type: array
+                        customStepDetails:
+                          description: Details for a step that invokes a lambda function.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                              target:
+                                description: The ARN for the lambda function that
+                                  is being called.
+                                type: string
+                              timeoutSeconds:
+                                description: Timeout, in seconds, for the step.
+                                type: number
+                            type: object
+                          type: array
+                        deleteStepDetails:
+                          description: Details for a step that deletes the file.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                            type: object
+                          type: array
+                        tagStepDetails:
+                          description: Details for a step that creates one or more
+                            tags.
+                          items:
+                            properties:
+                              name:
+                                description: The name of the step, used as an identifier.
+                                type: string
+                              sourceFileLocation:
+                                description: 'Specifies which file to use as input
+                                  to the workflow step: either the output from the
+                                  previous step, or the originally uploaded file for
+                                  the workflow. Enter ${previous.file} to use the
+                                  previous file as the input. In this case, this workflow
+                                  step uses the output file from the previous workflow
+                                  step as input. This is the default value. Enter
+                                  ${original.file} to use the originally-uploaded
+                                  file location as input for this step.'
+                                type: string
+                              tags:
+                                description: Key-value map of resource tags.
+                                items:
+                                  properties:
+                                    key:
+                                      description: The name assigned to the file when
+                                        it was created in S3. You use the object key
+                                        to retrieve the object.
+                                      type: string
+                                    value:
+                                      description: The value that corresponds to the
+                                        key.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                        type:
+                          description: One of the following step types are supported.
+                            COPY, CUSTOM, DELETE, and TAG.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/vpc.aws.upbound.io_networkperformancemetricsubscriptions.yaml b/package/crds/vpc.aws.upbound.io_networkperformancemetricsubscriptions.yaml
index bd67d1049f..6e79246c5c 100644
--- a/package/crds/vpc.aws.upbound.io_networkperformancemetricsubscriptions.yaml
+++ b/package/crds/vpc.aws.upbound.io_networkperformancemetricsubscriptions.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -86,10 +90,23 @@ spec:
                       Valid values: p50. Default: p50.'
                     type: string
                 required:
-                - destination
                 - region
-                - source
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -261,17 +278,38 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: destination is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.destination)
+            - message: source is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.source)
           status:
             description: NetworkPerformanceMetricSubscriptionStatus defines the observed
               state of NetworkPerformanceMetricSubscription.
             properties:
               atProvider:
                 properties:
+                  destination:
+                    description: The target Region or Availability Zone that the metric
+                      subscription is enabled for. For example, eu-west-1.
+                    type: string
                   id:
                     type: string
+                  metric:
+                    description: 'The metric used for the enabled subscription. Valid
+                      values: aggregate-latency. Default: aggregate-latency.'
+                    type: string
                   period:
                     description: The data aggregation time for the subscription.
                     type: string
+                  source:
+                    description: The source Region or Availability Zone that the metric
+                      subscription is enabled for. For example, us-east-1.
+                    type: string
+                  statistic:
+                    description: 'The statistic used for the enabled subscription.
+                      Valid values: p50. Default: p50.'
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_bytematchsets.yaml b/package/crds/waf.aws.upbound.io_bytematchsets.yaml
index 3423c43217..a5b420d352 100644
--- a/package/crds/waf.aws.upbound.io_bytematchsets.yaml
+++ b/package/crds/waf.aws.upbound.io_bytematchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -125,9 +129,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -299,14 +317,67 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ByteMatchSetStatus defines the observed state of ByteMatchSet.
             properties:
               atProvider:
                 properties:
+                  byteMatchTuples:
+                    description: Specifies the bytes (typically a string that corresponds
+                      with ASCII characters) that you want to search for in web requests,
+                      the location in requests that you want to search, and other
+                      settings.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: The part of a web request that you want to
+                            search, such as a specified header or a query string.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        positionalConstraint:
+                          description: Within the portion of a web request that you
+                            want to search (for example, in the query string, if any),
+                            specify where you want to search. e.g., CONTAINS, CONTAINS_WORD
+                            or EXACTLY. See docs for all supported values.
+                          type: string
+                        targetString:
+                          description: The value that you want to search for within
+                            the field specified by field_to_match, e.g., badrefer1.
+                            See docs for all supported values.
+                          type: string
+                        textTransformation:
+                          description: Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. If you specify a transformation, AWS
+                            WAF performs the transformation on target_string before
+                            inspecting a request for a match. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the WAF Byte Match Set.
                     type: string
+                  name:
+                    description: The name or description of the Byte Match Set.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_geomatchsets.yaml b/package/crds/waf.aws.upbound.io_geomatchsets.yaml
index d3b8a037f8..e5187fcd8a 100644
--- a/package/crds/waf.aws.upbound.io_geomatchsets.yaml
+++ b/package/crds/waf.aws.upbound.io_geomatchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -92,9 +96,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -266,6 +284,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: GeoMatchSetStatus defines the observed state of GeoMatchSet.
             properties:
@@ -274,9 +295,29 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN)
                     type: string
+                  geoMatchConstraint:
+                    description: The GeoMatchConstraint objects which contain the
+                      country that you want AWS WAF to search for.
+                    items:
+                      properties:
+                        type:
+                          description: The type of geographical area you want AWS
+                            WAF to search for. Currently Country is the only valid
+                            value.
+                          type: string
+                        value:
+                          description: The country that you want AWS WAF to search
+                            for. This is the two-letter country code, e.g., US, CA,
+                            RU, CN, etc. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the WAF GeoMatchSet.
                     type: string
+                  name:
+                    description: The name or description of the GeoMatchSet.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_ipsets.yaml b/package/crds/waf.aws.upbound.io_ipsets.yaml
index 56727f794f..348ba6c8cc 100644
--- a/package/crds/waf.aws.upbound.io_ipsets.yaml
+++ b/package/crds/waf.aws.upbound.io_ipsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -90,9 +94,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -264,6 +282,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: IPSetStatus defines the observed state of IPSet.
             properties:
@@ -275,6 +296,24 @@ spec:
                   id:
                     description: The ID of the WAF IPSet.
                     type: string
+                  ipSetDescriptors:
+                    description: One or more pairs specifying the IP address type
+                      (IPV4 or IPV6) and the IP address range (in CIDR format) from
+                      which web requests originate.
+                    items:
+                      properties:
+                        type:
+                          description: Type of the IP address - IPV4 or IPV6.
+                          type: string
+                        value:
+                          description: An IPv4 or IPv6 address specified via CIDR
+                            notationE.g., 192.0.2.44/32 or 1111:0000:0000:0000:0000:0000:0000:0000/64
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: The name or description of the IPSet.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_ratebasedrules.yaml b/package/crds/waf.aws.upbound.io_ratebasedrules.yaml
index 2a397dab04..0ffcd13052 100644
--- a/package/crds/waf.aws.upbound.io_ratebasedrules.yaml
+++ b/package/crds/waf.aws.upbound.io_ratebasedrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -193,12 +197,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - metricName
-                - name
-                - rateKey
-                - rateLimit
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -370,6 +385,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: metricName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: rateKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateKey)
+            - message: rateLimit is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateLimit)
           status:
             description: RateBasedRuleStatus defines the observed state of RateBasedRule.
             properties:
@@ -381,6 +405,51 @@ spec:
                   id:
                     description: The ID of the WAF rule.
                     type: string
+                  metricName:
+                    description: The name or description for the Amazon CloudWatch
+                      metric of this rule.
+                    type: string
+                  name:
+                    description: The name or description of the rule.
+                    type: string
+                  predicates:
+                    description: The objects to include in a rule (documented below).
+                    items:
+                      properties:
+                        dataId:
+                          description: A unique identifier for a predicate in the
+                            rule, such as Byte Match Set ID or IPSet ID.
+                          type: string
+                        negated:
+                          description: Set this to false if you want to allow, block,
+                            or count requests based on the settings in the specified
+                            ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet,
+                            or SizeConstraintSet. For example, if an IPSet includes
+                            the IP address 192.0.2.44, AWS WAF will allow or block
+                            requests based on that IP address. If set to true, AWS
+                            WAF will allow, block, or count requests based on all
+                            IP addresses except 192.0.2.44.
+                          type: boolean
+                        type:
+                          description: 'The type of predicate in a rule. Valid values:
+                            ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint,
+                            SqlInjectionMatch, or XssMatch.'
+                          type: string
+                      type: object
+                    type: array
+                  rateKey:
+                    description: Valid value is IP.
+                    type: string
+                  rateLimit:
+                    description: The maximum number of requests, which have an identical
+                      value in the field specified by the RateKey, allowed in a five-minute
+                      period. Minimum value is 100.
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/waf.aws.upbound.io_regexmatchsets.yaml b/package/crds/waf.aws.upbound.io_regexmatchsets.yaml
index 842fbc3c08..55530ea9b6 100644
--- a/package/crds/waf.aws.upbound.io_regexmatchsets.yaml
+++ b/package/crds/waf.aws.upbound.io_regexmatchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -191,9 +195,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -365,6 +383,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RegexMatchSetStatus defines the observed state of RegexMatchSet.
             properties:
@@ -376,6 +397,45 @@ spec:
                   id:
                     description: The ID of the WAF Regex Match Set.
                     type: string
+                  name:
+                    description: The name or description of the Regex Match Set.
+                    type: string
+                  regexMatchTuple:
+                    description: The regular expression pattern that you want AWS
+                      WAF to search for in web requests, the location in requests
+                      that you want AWS WAF to search, and other settings. See below.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: The part of a web request that you want to
+                            search, such as a specified header or a query string.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        regexPatternSetId:
+                          description: The ID of a Regex Pattern Set.
+                          type: string
+                        textTransformation:
+                          description: Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_regexpatternsets.yaml b/package/crds/waf.aws.upbound.io_regexpatternsets.yaml
index d1c3402a0c..08b10dc8dc 100644
--- a/package/crds/waf.aws.upbound.io_regexpatternsets.yaml
+++ b/package/crds/waf.aws.upbound.io_regexpatternsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,9 +82,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,6 +270,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RegexPatternSetStatus defines the observed state of RegexPatternSet.
             properties:
@@ -263,6 +284,15 @@ spec:
                   id:
                     description: The ID of the WAF Regex Pattern Set.
                     type: string
+                  name:
+                    description: The name or description of the Regex Pattern Set.
+                    type: string
+                  regexPatternStrings:
+                    description: A list of regular expression (regex) patterns that
+                      you want AWS WAF to search for, such as B[a@]dB[o0]t.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_rules.yaml b/package/crds/waf.aws.upbound.io_rules.yaml
index 69b294b20a..6153dabcd9 100644
--- a/package/crds/waf.aws.upbound.io_rules.yaml
+++ b/package/crds/waf.aws.upbound.io_rules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -186,10 +190,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - metricName
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -361,6 +378,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: metricName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RuleStatus defines the observed state of Rule.
             properties:
@@ -372,6 +394,44 @@ spec:
                   id:
                     description: The ID of the WAF rule.
                     type: string
+                  metricName:
+                    description: The name or description for the Amazon CloudWatch
+                      metric of this rule. The name can contain only alphanumeric
+                      characters (A-Z, a-z, 0-9); the name can't contain whitespace.
+                    type: string
+                  name:
+                    description: The name or description of the rule.
+                    type: string
+                  predicates:
+                    description: The objects to include in a rule (documented below).
+                    items:
+                      properties:
+                        dataId:
+                          description: A unique identifier for a predicate in the
+                            rule, such as Byte Match Set ID or IPSet ID.
+                          type: string
+                        negated:
+                          description: Set this to false if you want to allow, block,
+                            or count requests based on the settings in the specified
+                            waf_byte_match_set, waf_ipset, aws_waf_size_constraint_set,
+                            aws_waf_sql_injection_match_set or aws_waf_xss_match_set.
+                            For example, if an IPSet includes the IP address 192.0.2.44,
+                            AWS WAF will allow or block requests based on that IP
+                            address. If set to true, AWS WAF will allow, block, or
+                            count requests based on all IP addresses except 192.0.2.44.
+                          type: boolean
+                        type:
+                          description: 'The type of predicate in a rule. Valid values:
+                            ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint,
+                            SqlInjectionMatch, or XssMatch.'
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/waf.aws.upbound.io_sizeconstraintsets.yaml b/package/crds/waf.aws.upbound.io_sizeconstraintsets.yaml
index eab9c82d7e..1836120e8c 100644
--- a/package/crds/waf.aws.upbound.io_sizeconstraintsets.yaml
+++ b/package/crds/waf.aws.upbound.io_sizeconstraintsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -124,9 +128,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -298,6 +316,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: SizeConstraintSetStatus defines the observed state of SizeConstraintSet.
             properties:
@@ -309,6 +330,54 @@ spec:
                   id:
                     description: The ID of the WAF Size Constraint Set.
                     type: string
+                  name:
+                    description: The name or description of the Size Constraint Set.
+                    type: string
+                  sizeConstraints:
+                    description: Specifies the parts of web requests that you want
+                      to inspect the size of.
+                    items:
+                      properties:
+                        comparisonOperator:
+                          description: The type of comparison you want to perform.
+                            e.g., EQ, NE, LT, GT. See docs for all supported values.
+                          type: string
+                        fieldToMatch:
+                          description: Specifies where in a web request to look for
+                            the size constraint.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        size:
+                          description: The size in bytes that you want to compare
+                            against the size of the specified field_to_match. Valid
+                            values are between 0 - 21474836480 bytes (0 - 20 GB).
+                          type: number
+                        textTransformation:
+                          description: 'Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. If you specify a transformation, AWS
+                            WAF performs the transformation on field_to_match before
+                            inspecting a request for a match. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values. Note: if you
+                            choose BODY as type, you must choose NONE because CloudFront
+                            forwards only the first 8192 bytes for inspection.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_sqlinjectionmatchsets.yaml b/package/crds/waf.aws.upbound.io_sqlinjectionmatchsets.yaml
index 079c9f820a..547fc36d19 100644
--- a/package/crds/waf.aws.upbound.io_sqlinjectionmatchsets.yaml
+++ b/package/crds/waf.aws.upbound.io_sqlinjectionmatchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -113,9 +117,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -287,6 +305,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: SQLInjectionMatchSetStatus defines the observed state of
               SQLInjectionMatchSet.
@@ -296,6 +317,45 @@ spec:
                   id:
                     description: The ID of the WAF SQL Injection Match Set.
                     type: string
+                  name:
+                    description: The name or description of the SQL Injection Match
+                      Set.
+                    type: string
+                  sqlInjectionMatchTuples:
+                    description: The parts of web requests that you want AWS WAF to
+                      inspect for malicious SQL code and, if you want AWS WAF to inspect
+                      a header, the name of the header.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: Specifies where in a web request to look for
+                            snippets of malicious SQL code.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        textTransformation:
+                          description: Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. If you specify a transformation, AWS
+                            WAF performs the transformation on field_to_match before
+                            inspecting a request for a match. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/waf.aws.upbound.io_webacls.yaml b/package/crds/waf.aws.upbound.io_webacls.yaml
index 48c0a3b3ce..6869d4ed8a 100644
--- a/package/crds/waf.aws.upbound.io_webacls.yaml
+++ b/package/crds/waf.aws.upbound.io_webacls.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -343,11 +347,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - defaultAction
-                - metricName
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -519,6 +535,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: defaultAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultAction)
+            - message: metricName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: WebACLStatus defines the observed state of WebACL.
             properties:
@@ -527,9 +550,117 @@ spec:
                   arn:
                     description: The ARN of the WAF WebACL.
                     type: string
+                  defaultAction:
+                    description: Configuration block with action that you want AWS
+                      WAF to take when a request doesn't match the criteria in any
+                      of the rules that are associated with the web ACL. Detailed
+                      below.
+                    items:
+                      properties:
+                        type:
+                          description: Specifies how you want AWS WAF to respond to
+                            requests that don't match the criteria in any of the rules.
+                            e.g., ALLOW or BLOCK
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the WAF WebACL.
                     type: string
+                  loggingConfiguration:
+                    description: Configuration block to enable WAF logging. Detailed
+                      below.
+                    items:
+                      properties:
+                        logDestination:
+                          description: Amazon Resource Name (ARN) of Kinesis Firehose
+                            Delivery Stream
+                          type: string
+                        redactedFields:
+                          description: Configuration block containing parts of the
+                            request that you want redacted from the logs. Detailed
+                            below.
+                          items:
+                            properties:
+                              fieldToMatch:
+                                description: Set of configuration blocks for fields
+                                  to redact. Detailed below.
+                                items:
+                                  properties:
+                                    data:
+                                      description: When the value of type is HEADER,
+                                        enter the name of the header that you want
+                                        the WAF to search, for example, User-Agent
+                                        or Referer. If the value of type is any other
+                                        value, omit data.
+                                      type: string
+                                    type:
+                                      description: 'valid values are: BLOCK, ALLOW,
+                                        or COUNT'
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  metricName:
+                    description: The name or description for the Amazon CloudWatch
+                      metric of this web ACL.
+                    type: string
+                  name:
+                    description: The name or description of the web ACL.
+                    type: string
+                  rules:
+                    description: Configuration blocks containing rules to associate
+                      with the web ACL and the settings for each rule. Detailed below.
+                    items:
+                      properties:
+                        action:
+                          description: The action that CloudFront or AWS WAF takes
+                            when a web request matches the conditions in the rule.
+                            Not used if type is GROUP.
+                          items:
+                            properties:
+                              type:
+                                description: 'valid values are: BLOCK, ALLOW, or COUNT'
+                                type: string
+                            type: object
+                          type: array
+                        overrideAction:
+                          description: Override the action that a group requests CloudFront
+                            or AWS WAF takes when a web request matches the conditions
+                            in the rule. Only used if type is GROUP.
+                          items:
+                            properties:
+                              type:
+                                description: 'valid values are: BLOCK, ALLOW, or COUNT'
+                                type: string
+                            type: object
+                          type: array
+                        priority:
+                          description: Specifies the order in which the rules in a
+                            WebACL are evaluated. Rules with a lower value are evaluated
+                            before rules with a higher value.
+                          type: number
+                        ruleId:
+                          description: ID of the associated WAF (Global) rule (e.g.,
+                            aws_waf_rule). WAF (Regional) rules cannot be used.
+                          type: string
+                        type:
+                          description: The rule type, either REGULAR, as defined by
+                            Rule, RATE_BASED, as defined by RateBasedRule, or GROUP,
+                            as defined by RuleGroup. The default is REGULAR. If you
+                            add a RATE_BASED rule, you need to set type as RATE_BASED.
+                            If you add a GROUP rule, you need to set type as GROUP.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/waf.aws.upbound.io_xssmatchsets.yaml b/package/crds/waf.aws.upbound.io_xssmatchsets.yaml
index b717e8ec6b..fe87aef2a8 100644
--- a/package/crds/waf.aws.upbound.io_xssmatchsets.yaml
+++ b/package/crds/waf.aws.upbound.io_xssmatchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -111,9 +115,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -285,6 +303,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: XSSMatchSetStatus defines the observed state of XSSMatchSet.
             properties:
@@ -296,6 +317,43 @@ spec:
                   id:
                     description: The ID of the WAF XssMatchSet.
                     type: string
+                  name:
+                    description: The name or description of the SizeConstraintSet.
+                    type: string
+                  xssMatchTuples:
+                    description: The parts of web requests that you want to inspect
+                      for cross-site scripting attacks.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: Specifies where in a web request to look for
+                            cross-site scripting attacks.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        textTransformation:
+                          description: Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. If you specify a transformation, AWS
+                            WAF performs the transformation on target_string before
+                            inspecting a request for a match. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_bytematchsets.yaml b/package/crds/wafregional.aws.upbound.io_bytematchsets.yaml
index bc34463ac2..4ba1ffc95a 100644
--- a/package/crds/wafregional.aws.upbound.io_bytematchsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_bytematchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -115,9 +119,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -289,14 +307,57 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: ByteMatchSetStatus defines the observed state of ByteMatchSet.
             properties:
               atProvider:
                 properties:
+                  byteMatchTuples:
+                    description: Settings for the ByteMatchSet, such as the bytes
+                      (typically a string that corresponds with ASCII characters)
+                      that you want AWS WAF to search for in web requests. ByteMatchTuple
+                      documented below.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: Settings for the ByteMatchTuple. FieldToMatch
+                            documented below.
+                          items:
+                            properties:
+                              data:
+                                description: When the value of Type is HEADER, enter
+                                  the name of the header that you want AWS WAF to
+                                  search, for example, User-Agent or Referer. If the
+                                  value of Type is any other value, omit Data.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string.
+                                type: string
+                            type: object
+                          type: array
+                        positionalConstraint:
+                          description: Within the portion of a web request that you
+                            want to search.
+                          type: string
+                        targetString:
+                          description: The value that you want AWS WAF to search for.
+                            The maximum length of the value is 50 bytes.
+                          type: string
+                        textTransformation:
+                          description: The formatting way for web request.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the WAF ByteMatchSet.
                     type: string
+                  name:
+                    description: The name or description of the ByteMatchSet.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_geomatchsets.yaml b/package/crds/wafregional.aws.upbound.io_geomatchsets.yaml
index 62f09d1780..4b5e2ae4c6 100644
--- a/package/crds/wafregional.aws.upbound.io_geomatchsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_geomatchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -92,9 +96,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -266,14 +284,37 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: GeoMatchSetStatus defines the observed state of GeoMatchSet.
             properties:
               atProvider:
                 properties:
+                  geoMatchConstraint:
+                    description: The Geo Match Constraint objects which contain the
+                      country that you want AWS WAF to search for.
+                    items:
+                      properties:
+                        type:
+                          description: The type of geographical area you want AWS
+                            WAF to search for. Currently Country is the only valid
+                            value.
+                          type: string
+                        value:
+                          description: The country that you want AWS WAF to search
+                            for. This is the two-letter country code, e.g., US, CA,
+                            RU, CN, etc. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the WAF Regional Geo Match Set.
                     type: string
+                  name:
+                    description: The name or description of the Geo Match Set.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_ipsets.yaml b/package/crds/wafregional.aws.upbound.io_ipsets.yaml
index f380d84b39..9fe1fd86ea 100644
--- a/package/crds/wafregional.aws.upbound.io_ipsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_ipsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -89,9 +93,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -263,6 +281,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: IPSetStatus defines the observed state of IPSet.
             properties:
@@ -274,6 +295,23 @@ spec:
                   id:
                     description: The ID of the WAF IPSet.
                     type: string
+                  ipSetDescriptor:
+                    description: One or more pairs specifying the IP address type
+                      (IPV4 or IPV6) and the IP address range (in CIDR notation) from
+                      which web requests originate.
+                    items:
+                      properties:
+                        type:
+                          description: The string like IPV4 or IPV6.
+                          type: string
+                        value:
+                          description: The CIDR notation.
+                          type: string
+                      type: object
+                    type: array
+                  name:
+                    description: The name or description of the IPSet.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_ratebasedrules.yaml b/package/crds/wafregional.aws.upbound.io_ratebasedrules.yaml
index 08fbd7e9f1..647d94e8af 100644
--- a/package/crds/wafregional.aws.upbound.io_ratebasedrules.yaml
+++ b/package/crds/wafregional.aws.upbound.io_ratebasedrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -195,12 +199,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - metricName
-                - name
-                - rateKey
-                - rateLimit
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -372,6 +387,15 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: metricName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: rateKey is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateKey)
+            - message: rateLimit is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.rateLimit)
           status:
             description: RateBasedRuleStatus defines the observed state of RateBasedRule.
             properties:
@@ -383,6 +407,51 @@ spec:
                   id:
                     description: The ID of the WAF Regional Rate Based Rule.
                     type: string
+                  metricName:
+                    description: The name or description for the Amazon CloudWatch
+                      metric of this rule.
+                    type: string
+                  name:
+                    description: The name or description of the rule.
+                    type: string
+                  predicate:
+                    description: The objects to include in a rule (documented below).
+                    items:
+                      properties:
+                        dataId:
+                          description: A unique identifier for a predicate in the
+                            rule, such as Byte Match Set ID or IPSet ID.
+                          type: string
+                        negated:
+                          description: Set this to false if you want to allow, block,
+                            or count requests based on the settings in the specified
+                            ByteMatchSet, IPSet, SqlInjectionMatchSet, XssMatchSet,
+                            or SizeConstraintSet. For example, if an IPSet includes
+                            the IP address 192.0.2.44, AWS WAF will allow or block
+                            requests based on that IP address. If set to true, AWS
+                            WAF will allow, block, or count requests based on all
+                            IP addresses except 192.0.2.44.
+                          type: boolean
+                        type:
+                          description: 'The type of predicate in a rule. Valid values:
+                            ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint,
+                            SqlInjectionMatch, or XssMatch.'
+                          type: string
+                      type: object
+                    type: array
+                  rateKey:
+                    description: Valid value is IP.
+                    type: string
+                  rateLimit:
+                    description: The maximum number of requests, which have an identical
+                      value in the field specified by the RateKey, allowed in a five-minute
+                      period. Minimum value is 100.
+                    type: number
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/wafregional.aws.upbound.io_regexmatchsets.yaml b/package/crds/wafregional.aws.upbound.io_regexmatchsets.yaml
index 6014df727a..c9676d34b6 100644
--- a/package/crds/wafregional.aws.upbound.io_regexmatchsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_regexmatchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -191,9 +195,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -365,6 +383,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RegexMatchSetStatus defines the observed state of RegexMatchSet.
             properties:
@@ -373,6 +394,45 @@ spec:
                   id:
                     description: The ID of the WAF Regional Regex Match Set.
                     type: string
+                  name:
+                    description: The name or description of the Regex Match Set.
+                    type: string
+                  regexMatchTuple:
+                    description: The regular expression pattern that you want AWS
+                      WAF to search for in web requests, the location in requests
+                      that you want AWS WAF to search, and other settings. See below.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: The part of a web request that you want to
+                            search, such as a specified header or a query string.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        regexPatternSetId:
+                          description: The ID of a Regex Pattern Set.
+                          type: string
+                        textTransformation:
+                          description: Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_regexpatternsets.yaml b/package/crds/wafregional.aws.upbound.io_regexpatternsets.yaml
index 14918f4b5c..59fe432b3a 100644
--- a/package/crds/wafregional.aws.upbound.io_regexpatternsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_regexpatternsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -78,9 +82,23 @@ spec:
                       be created in.
                     type: string
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -252,6 +270,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RegexPatternSetStatus defines the observed state of RegexPatternSet.
             properties:
@@ -260,6 +281,15 @@ spec:
                   id:
                     description: The ID of the WAF Regional Regex Pattern Set.
                     type: string
+                  name:
+                    description: The name or description of the Regex Pattern Set.
+                    type: string
+                  regexPatternStrings:
+                    description: A list of regular expression (regex) patterns that
+                      you want AWS WAF to search for, such as B[a@]dB[o0]t.
+                    items:
+                      type: string
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_rules.yaml b/package/crds/wafregional.aws.upbound.io_rules.yaml
index c30e049cfe..d867e75507 100644
--- a/package/crds/wafregional.aws.upbound.io_rules.yaml
+++ b/package/crds/wafregional.aws.upbound.io_rules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -181,10 +185,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - metricName
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -356,6 +373,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: metricName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: RuleStatus defines the observed state of Rule.
             properties:
@@ -367,6 +389,37 @@ spec:
                   id:
                     description: The ID of the WAF Regional Rule.
                     type: string
+                  metricName:
+                    description: The name or description for the Amazon CloudWatch
+                      metric of this rule.
+                    type: string
+                  name:
+                    description: The name or description of the rule.
+                    type: string
+                  predicate:
+                    description: The objects to include in a rule (documented below).
+                    items:
+                      properties:
+                        dataId:
+                          description: The unique identifier of a predicate, such
+                            as the ID of a ByteMatchSet or IPSet.
+                          type: string
+                        negated:
+                          description: Whether to use the settings or the negated
+                            settings that you specified in the objects.
+                          type: boolean
+                        type:
+                          description: 'The type of predicate in a rule. Valid values:
+                            ByteMatch, GeoMatch, IPMatch, RegexMatch, SizeConstraint,
+                            SqlInjectionMatch, or XssMatch'
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/wafregional.aws.upbound.io_sizeconstraintsets.yaml b/package/crds/wafregional.aws.upbound.io_sizeconstraintsets.yaml
index d2407131e4..41255a1722 100644
--- a/package/crds/wafregional.aws.upbound.io_sizeconstraintsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_sizeconstraintsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -124,9 +128,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -298,6 +316,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: SizeConstraintSetStatus defines the observed state of SizeConstraintSet.
             properties:
@@ -308,6 +329,54 @@ spec:
                   id:
                     description: The ID of the WAF Size Constraint Set.
                     type: string
+                  name:
+                    description: The name or description of the Size Constraint Set.
+                    type: string
+                  sizeConstraints:
+                    description: Specifies the parts of web requests that you want
+                      to inspect the size of.
+                    items:
+                      properties:
+                        comparisonOperator:
+                          description: The type of comparison you want to perform.
+                            e.g., EQ, NE, LT, GT. See docs for all supported values.
+                          type: string
+                        fieldToMatch:
+                          description: Specifies where in a web request to look for
+                            the size constraint.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        size:
+                          description: The size in bytes that you want to compare
+                            against the size of the specified field_to_match. Valid
+                            values are between 0 - 21474836480 bytes (0 - 20 GB).
+                          type: number
+                        textTransformation:
+                          description: 'Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. If you specify a transformation, AWS
+                            WAF performs the transformation on field_to_match before
+                            inspecting a request for a match. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values. Note: if you
+                            choose BODY as type, you must choose NONE because CloudFront
+                            forwards only the first 8192 bytes for inspection.'
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_sqlinjectionmatchsets.yaml b/package/crds/wafregional.aws.upbound.io_sqlinjectionmatchsets.yaml
index 9dc59fa6b4..e08f4bfceb 100644
--- a/package/crds/wafregional.aws.upbound.io_sqlinjectionmatchsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_sqlinjectionmatchsets.yaml
@@ -56,9 +56,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -113,9 +117,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -287,6 +305,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: SQLInjectionMatchSetStatus defines the observed state of
               SQLInjectionMatchSet.
@@ -296,6 +317,44 @@ spec:
                   id:
                     description: The ID of the WAF SqlInjectionMatchSet.
                     type: string
+                  name:
+                    description: The name or description of the SizeConstraintSet.
+                    type: string
+                  sqlInjectionMatchTuple:
+                    description: The parts of web requests that you want AWS WAF to
+                      inspect for malicious SQL code and, if you want AWS WAF to inspect
+                      a header, the name of the header.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: Specifies where in a web request to look for
+                            snippets of malicious SQL code.
+                          items:
+                            properties:
+                              data:
+                                description: When type is HEADER, enter the name of
+                                  the header that you want to search, e.g., User-Agent
+                                  or Referer. If type is any other value, omit this
+                                  field.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified string. e.g.,
+                                  HEADER, METHOD or BODY. See docs for all supported
+                                  values.
+                                type: string
+                            type: object
+                          type: array
+                        textTransformation:
+                          description: Text transformations used to eliminate unusual
+                            formatting that attackers use in web requests in an effort
+                            to bypass AWS WAF. If you specify a transformation, AWS
+                            WAF performs the transformation on field_to_match before
+                            inspecting a request for a match. e.g., CMD_LINE, HTML_ENTITY_DECODE
+                            or NONE. See docs for all supported values.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafregional.aws.upbound.io_webacls.yaml b/package/crds/wafregional.aws.upbound.io_webacls.yaml
index 5fccb50bc7..d7a932b3cc 100644
--- a/package/crds/wafregional.aws.upbound.io_webacls.yaml
+++ b/package/crds/wafregional.aws.upbound.io_webacls.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -356,11 +360,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - defaultAction
-                - metricName
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -532,6 +548,13 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: defaultAction is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.defaultAction)
+            - message: metricName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.metricName)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: WebACLStatus defines the observed state of WebACL.
             properties:
@@ -540,9 +563,128 @@ spec:
                   arn:
                     description: Amazon Resource Name (ARN) of the WAF Regional WebACL.
                     type: string
+                  defaultAction:
+                    description: The action that you want AWS WAF Regional to take
+                      when a request doesn't match the criteria in any of the rules
+                      that are associated with the web ACL.
+                    items:
+                      properties:
+                        type:
+                          description: Specifies how you want AWS WAF Regional to
+                            respond to requests that match the settings in a ruleE.g.,
+                            ALLOW, BLOCK or COUNT
+                          type: string
+                      type: object
+                    type: array
                   id:
                     description: The ID of the WAF Regional WebACL.
                     type: string
+                  loggingConfiguration:
+                    description: Configuration block to enable WAF logging. Detailed
+                      below.
+                    items:
+                      properties:
+                        logDestination:
+                          description: Amazon Resource Name (ARN) of Kinesis Firehose
+                            Delivery Stream
+                          type: string
+                        redactedFields:
+                          description: Configuration block containing parts of the
+                            request that you want redacted from the logs. Detailed
+                            below.
+                          items:
+                            properties:
+                              fieldToMatch:
+                                description: Set of configuration blocks for fields
+                                  to redact. Detailed below.
+                                items:
+                                  properties:
+                                    data:
+                                      description: When the value of type is HEADER,
+                                        enter the name of the header that you want
+                                        the WAF to search, for example, User-Agent
+                                        or Referer. If the value of type is any other
+                                        value, omit data.
+                                      type: string
+                                    type:
+                                      description: Specifies how you want AWS WAF
+                                        Regional to respond to requests that match
+                                        the settings in a rule. Valid values for action
+                                        are ALLOW, BLOCK or COUNT. Valid values for
+                                        override_action are COUNT and NONE.
+                                      type: string
+                                  type: object
+                                type: array
+                            type: object
+                          type: array
+                      type: object
+                    type: array
+                  metricName:
+                    description: The name or description for the Amazon CloudWatch
+                      metric of this web ACL.
+                    type: string
+                  name:
+                    description: The name or description of the web ACL.
+                    type: string
+                  rule:
+                    description: Set of configuration blocks containing rules for
+                      the web ACL. Detailed below.
+                    items:
+                      properties:
+                        action:
+                          description: Configuration block of the action that CloudFront
+                            or AWS WAF takes when a web request matches the conditions
+                            in the rule.  Not used if type is GROUP. Detailed below.
+                          items:
+                            properties:
+                              type:
+                                description: Specifies how you want AWS WAF Regional
+                                  to respond to requests that match the settings in
+                                  a rule. Valid values for action are ALLOW, BLOCK
+                                  or COUNT. Valid values for override_action are COUNT
+                                  and NONE.
+                                type: string
+                            type: object
+                          type: array
+                        overrideAction:
+                          description: Configuration block of the override the action
+                            that a group requests CloudFront or AWS WAF takes when
+                            a web request matches the conditions in the rule.  Only
+                            used if type is GROUP. Detailed below.
+                          items:
+                            properties:
+                              type:
+                                description: Specifies how you want AWS WAF Regional
+                                  to respond to requests that match the settings in
+                                  a rule. Valid values for action are ALLOW, BLOCK
+                                  or COUNT. Valid values for override_action are COUNT
+                                  and NONE.
+                                type: string
+                            type: object
+                          type: array
+                        priority:
+                          description: Specifies the order in which the rules in a
+                            WebACL are evaluated. Rules with a lower value are evaluated
+                            before rules with a higher value.
+                          type: number
+                        ruleId:
+                          description: ID of the associated WAF (Regional) rule (e.g.,
+                            aws_wafregional_rule). WAF (Global) rules cannot be used.
+                          type: string
+                        type:
+                          description: The rule type, either REGULAR, as defined by
+                            Rule, RATE_BASED, as defined by RateBasedRule, or GROUP,
+                            as defined by RuleGroup. The default is REGULAR. If you
+                            add a RATE_BASED rule, you need to set type as RATE_BASED.
+                            If you add a GROUP rule, you need to set type as GROUP.
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/wafregional.aws.upbound.io_xssmatchsets.yaml b/package/crds/wafregional.aws.upbound.io_xssmatchsets.yaml
index d6838afedb..e02b488479 100644
--- a/package/crds/wafregional.aws.upbound.io_xssmatchsets.yaml
+++ b/package/crds/wafregional.aws.upbound.io_xssmatchsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -107,9 +111,23 @@ spec:
                       type: object
                     type: array
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -281,6 +299,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: XSSMatchSetStatus defines the observed state of XSSMatchSet.
             properties:
@@ -289,6 +310,39 @@ spec:
                   id:
                     description: The ID of the Regional WAF XSS Match Set.
                     type: string
+                  name:
+                    description: The name of the set
+                    type: string
+                  xssMatchTuple:
+                    description: The parts of web requests that you want to inspect
+                      for cross-site scripting attacks.
+                    items:
+                      properties:
+                        fieldToMatch:
+                          description: Specifies where in a web request to look for
+                            cross-site scripting attacks.
+                          items:
+                            properties:
+                              data:
+                                description: When the value of type is HEADER, enter
+                                  the name of the header that you want the WAF to
+                                  search, for example, User-Agent or Referer. If the
+                                  value of type is any other value, omit data.
+                                type: string
+                              type:
+                                description: The part of the web request that you
+                                  want AWS WAF to search for a specified stringE.g.,
+                                  HEADER or METHOD
+                                type: string
+                            type: object
+                          type: array
+                        textTransformation:
+                          description: Which text transformation, if any, to perform
+                            on the web request before inspecting the request for cross-site
+                            scripting attacks.
+                          type: string
+                      type: object
+                    type: array
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/wafv2.aws.upbound.io_ipsets.yaml b/package/crds/wafv2.aws.upbound.io_ipsets.yaml
index 0d3cea47e2..e9a32cdb72 100644
--- a/package/crds/wafv2.aws.upbound.io_ipsets.yaml
+++ b/package/crds/wafv2.aws.upbound.io_ipsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -97,11 +101,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - ipAddressVersion
-                - name
                 - region
-                - scope
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -273,19 +289,54 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: ipAddressVersion is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.ipAddressVersion)
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: scope is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope)
           status:
             description: IPSetStatus defines the observed state of IPSet.
             properties:
               atProvider:
                 properties:
+                  addresses:
+                    description: Contains an array of strings that specify one or
+                      more IP addresses or blocks of IP addresses in Classless Inter-Domain
+                      Routing (CIDR) notation. AWS WAF supports all address ranges
+                      for IP versions IPv4 and IPv6.
+                    items:
+                      type: string
+                    type: array
                   arn:
                     description: The Amazon Resource Name (ARN) of the IP set.
                     type: string
+                  description:
+                    description: A friendly description of the IP set.
+                    type: string
                   id:
                     description: A unique identifier for the IP set.
                     type: string
+                  ipAddressVersion:
+                    description: Specify IPV4 or IPV6. Valid values are IPV4 or IPV6.
+                    type: string
                   lockToken:
                     type: string
+                  name:
+                    description: A friendly name of the IP set.
+                    type: string
+                  scope:
+                    description: Specifies whether this is for an AWS CloudFront distribution
+                      or for a regional application. Valid values are CLOUDFRONT or
+                      REGIONAL. To work with CloudFront, you must also specify the
+                      Region US East (N. Virginia).
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/wafv2.aws.upbound.io_regexpatternsets.yaml b/package/crds/wafv2.aws.upbound.io_regexpatternsets.yaml
index 0dc21dbede..69e4d8380b 100644
--- a/package/crds/wafv2.aws.upbound.io_regexpatternsets.yaml
+++ b/package/crds/wafv2.aws.upbound.io_regexpatternsets.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -102,10 +106,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
-                - scope
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -277,6 +294,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
+            - message: scope is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.scope)
           status:
             description: RegexPatternSetStatus defines the observed state of RegexPatternSet.
             properties:
@@ -286,11 +308,42 @@ spec:
                     description: The Amazon Resource Name (ARN) that identifies the
                       cluster.
                     type: string
+                  description:
+                    description: A friendly description of the regular expression
+                      pattern set.
+                    type: string
                   id:
                     description: A unique identifier for the set.
                     type: string
                   lockToken:
                     type: string
+                  name:
+                    description: A friendly name of the regular expression pattern
+                      set.
+                    type: string
+                  regularExpression:
+                    description: One or more blocks of regular expression patterns
+                      that you want AWS WAF to search for, such as B[a@]dB[o0]t. See
+                      Regular Expression below for details.
+                    items:
+                      properties:
+                        regexString:
+                          description: The string representing the regular expression,
+                            see the AWS WAF documentation for more information.
+                          type: string
+                      type: object
+                    type: array
+                  scope:
+                    description: Specifies whether this is for an AWS CloudFront distribution
+                      or for a regional application. Valid values are CLOUDFRONT or
+                      REGIONAL. To work with CloudFront, you must also specify the
+                      region us-east-1 (N. Virginia) on the AWS provider.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/workspaces.aws.upbound.io_directories.yaml b/package/crds/workspaces.aws.upbound.io_directories.yaml
index 6b8cbdcbe2..3337d94ef4 100644
--- a/package/crds/workspaces.aws.upbound.io_directories.yaml
+++ b/package/crds/workspaces.aws.upbound.io_directories.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -418,6 +422,21 @@ spec:
                 required:
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -600,6 +619,10 @@ spec:
                   customerUserName:
                     description: The user name for the service account.
                     type: string
+                  directoryId:
+                    description: The directory identifier for registration in WorkSpaces
+                      service.
+                    type: string
                   directoryName:
                     description: The name of the directory.
                     type: string
@@ -619,11 +642,57 @@ spec:
                   id:
                     description: The WorkSpaces directory identifier.
                     type: string
+                  ipGroupIds:
+                    description: The identifiers of the IP access control groups associated
+                      with the directory.
+                    items:
+                      type: string
+                    type: array
                   registrationCode:
                     description: The registration code for the directory. This is
                       the code that users enter in their Amazon WorkSpaces client
                       application to connect to the directory.
                     type: string
+                  selfServicePermissions:
+                    description: service capabilities. Defined below.
+                    items:
+                      properties:
+                        changeComputeType:
+                          description: –  Whether WorkSpaces directory users can change
+                            the compute type (bundle) for their workspace. Default
+                            false.
+                          type: boolean
+                        increaseVolumeSize:
+                          description: –  Whether WorkSpaces directory users can increase
+                            the volume size of the drives on their workspace. Default
+                            false.
+                          type: boolean
+                        rebuildWorkspace:
+                          description: –  Whether WorkSpaces directory users can rebuild
+                            the operating system of a workspace to its original state.
+                            Default false.
+                          type: boolean
+                        restartWorkspace:
+                          description: –  Whether WorkSpaces directory users can restart
+                            their workspace. Default true.
+                          type: boolean
+                        switchRunningMode:
+                          description: –  Whether WorkSpaces directory users can switch
+                            the running mode of their workspace. Default false.
+                          type: boolean
+                      type: object
+                    type: array
+                  subnetIds:
+                    description: The identifiers of the subnets where the directory
+                      resides.
+                    items:
+                      type: string
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -631,6 +700,75 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  workspaceAccessProperties:
+                    description: –  Specifies which devices and operating systems
+                      users can use to access their WorkSpaces. Defined below.
+                    items:
+                      properties:
+                        deviceTypeAndroid:
+                          description: –  Indicates whether users can use Android
+                            devices to access their WorkSpaces.
+                          type: string
+                        deviceTypeChromeos:
+                          description: –  Indicates whether users can use Chromebooks
+                            to access their WorkSpaces.
+                          type: string
+                        deviceTypeIos:
+                          description: –  Indicates whether users can use iOS devices
+                            to access their WorkSpaces.
+                          type: string
+                        deviceTypeLinux:
+                          description: –  Indicates whether users can use Linux clients
+                            to access their WorkSpaces.
+                          type: string
+                        deviceTypeOsx:
+                          description: –  Indicates whether users can use macOS clients
+                            to access their WorkSpaces.
+                          type: string
+                        deviceTypeWeb:
+                          description: –  Indicates whether users can access their
+                            WorkSpaces through a web browser.
+                          type: string
+                        deviceTypeWindows:
+                          description: –  Indicates whether users can use Windows
+                            clients to access their WorkSpaces.
+                          type: string
+                        deviceTypeZeroclient:
+                          description: –  Indicates whether users can use zero client
+                            devices to access their WorkSpaces.
+                          type: string
+                      type: object
+                    type: array
+                  workspaceCreationProperties:
+                    description: –  Default properties that are used for creating
+                      WorkSpaces. Defined below.
+                    items:
+                      properties:
+                        customSecurityGroupId:
+                          description: –  The identifier of your custom security group.
+                            Should relate to the same VPC, where workspaces reside
+                            in.
+                          type: string
+                        defaultOu:
+                          description: –  The default organizational unit (OU) for
+                            your WorkSpace directories. Should conform "OU=<value>,DC=<value>,...,DC=<value>"
+                            pattern.
+                          type: string
+                        enableInternetAccess:
+                          description: –  Indicates whether internet access is enabled
+                            for your WorkSpaces.
+                          type: boolean
+                        enableMaintenanceMode:
+                          description: –  Indicates whether maintenance mode is enabled
+                            for your WorkSpaces. For more information, see WorkSpace
+                            Maintenance..
+                          type: boolean
+                        userEnabledAsLocalAdministrator:
+                          description: –  Indicates whether users are local administrators
+                            of their WorkSpaces.
+                          type: boolean
+                      type: object
+                    type: array
                   workspaceSecurityGroupId:
                     description: The identifier of the security group that is assigned
                       to new WorkSpaces.
diff --git a/package/crds/workspaces.aws.upbound.io_ipgroups.yaml b/package/crds/workspaces.aws.upbound.io_ipgroups.yaml
index 889ded832f..28a5392d74 100644
--- a/package/crds/workspaces.aws.upbound.io_ipgroups.yaml
+++ b/package/crds/workspaces.aws.upbound.io_ipgroups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -96,9 +100,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - name
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -270,14 +288,42 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: name is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.name)
           status:
             description: IPGroupStatus defines the observed state of IPGroup.
             properties:
               atProvider:
                 properties:
+                  description:
+                    description: The description of the IP group.
+                    type: string
                   id:
                     description: The IP group identifier.
                     type: string
+                  name:
+                    description: The name of the IP group.
+                    type: string
+                  rules:
+                    description: One or more pairs specifying the IP group rule (in
+                      CIDR format) from which web requests originate.
+                    items:
+                      properties:
+                        description:
+                          description: The description of the IP group.
+                          type: string
+                        source:
+                          description: The IP address range, in CIDR notation, e.g.,
+                            10.0.0.0/16
+                          type: string
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/xray.aws.upbound.io_encryptionconfigs.yaml b/package/crds/xray.aws.upbound.io_encryptionconfigs.yaml
index b36ac925e4..a97f65ae19 100644
--- a/package/crds/xray.aws.upbound.io_encryptionconfigs.yaml
+++ b/package/crds/xray.aws.upbound.io_encryptionconfigs.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -150,8 +154,22 @@ spec:
                     type: string
                 required:
                 - region
-                - type
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -323,6 +341,9 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: type is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.type)
           status:
             description: EncryptionConfigStatus defines the observed state of EncryptionConfig.
             properties:
@@ -331,6 +352,13 @@ spec:
                   id:
                     description: Region name.
                     type: string
+                  keyId:
+                    description: An AWS KMS customer master key (CMK) ARN.
+                    type: string
+                  type:
+                    description: The type of encryption. Set to KMS to use your own
+                      key for encryption. Set to NONE for default encryption.
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.
diff --git a/package/crds/xray.aws.upbound.io_groups.yaml b/package/crds/xray.aws.upbound.io_groups.yaml
index 0748dbe106..1602194207 100644
--- a/package/crds/xray.aws.upbound.io_groups.yaml
+++ b/package/crds/xray.aws.upbound.io_groups.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -96,10 +100,23 @@ spec:
                     description: Key-value map of resource tags.
                     type: object
                 required:
-                - filterExpression
-                - groupName
                 - region
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -271,6 +288,11 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: filterExpression is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.filterExpression)
+            - message: groupName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.groupName)
           status:
             description: GroupStatus defines the observed state of Group.
             properties:
@@ -279,9 +301,34 @@ spec:
                   arn:
                     description: The ARN of the Group.
                     type: string
+                  filterExpression:
+                    description: The filter expression defining criteria by which
+                      to group traces. more info can be found in official docs.
+                    type: string
+                  groupName:
+                    description: The name of the group.
+                    type: string
                   id:
                     description: The ARN of the Group.
                     type: string
+                  insightsConfiguration:
+                    description: Configuration options for enabling insights.
+                    items:
+                      properties:
+                        insightsEnabled:
+                          description: Specifies whether insights are enabled.
+                          type: boolean
+                        notificationsEnabled:
+                          description: Specifies whether insight notifications are
+                            enabled.
+                          type: boolean
+                      type: object
+                    type: array
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
diff --git a/package/crds/xray.aws.upbound.io_samplingrules.yaml b/package/crds/xray.aws.upbound.io_samplingrules.yaml
index 530328c629..9be03c2136 100644
--- a/package/crds/xray.aws.upbound.io_samplingrules.yaml
+++ b/package/crds/xray.aws.upbound.io_samplingrules.yaml
@@ -55,9 +55,13 @@ spec:
             properties:
               deletionPolicy:
                 default: Delete
-                description: DeletionPolicy specifies what will happen to the underlying
+                description: 'DeletionPolicy specifies what will happen to the underlying
                   external when this managed resource is deleted - either "Delete"
-                  or "Orphan" the external resource.
+                  or "Orphan" the external resource. This field is planned to be deprecated
+                  in favor of the ManagementPolicy field in a future release. Currently,
+                  both could be set independently and non-default values would be
+                  honored if the feature flag is enabled. See the design doc for more
+                  information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
                 enum:
                 - Orphan
                 - Delete
@@ -116,18 +120,23 @@ spec:
                     description: The version of the sampling rule format (1 )
                     type: number
                 required:
-                - fixedRate
-                - host
-                - httpMethod
-                - priority
                 - region
-                - reservoirSize
-                - resourceArn
-                - serviceName
-                - serviceType
-                - urlPath
-                - version
                 type: object
+              managementPolicy:
+                default: FullControl
+                description: 'THIS IS AN ALPHA FIELD. Do not use it in production.
+                  It is not honored unless the relevant Crossplane feature flag is
+                  enabled, and may be changed or removed without notice. ManagementPolicy
+                  specifies the level of control Crossplane has over the managed external
+                  resource. This field is planned to replace the DeletionPolicy field
+                  in a future release. Currently, both could be set independently
+                  and non-default values would be honored if the feature flag is enabled.
+                  See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223'
+                enum:
+                - FullControl
+                - ObserveOnly
+                - OrphanOnDelete
+                type: string
               providerConfigRef:
                 default:
                   name: default
@@ -299,6 +308,27 @@ spec:
             required:
             - forProvider
             type: object
+            x-kubernetes-validations:
+            - message: fixedRate is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.fixedRate)
+            - message: host is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.host)
+            - message: httpMethod is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.httpMethod)
+            - message: priority is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.priority)
+            - message: reservoirSize is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.reservoirSize)
+            - message: resourceArn is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.resourceArn)
+            - message: serviceName is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceName)
+            - message: serviceType is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.serviceType)
+            - message: urlPath is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.urlPath)
+            - message: version is a required parameter
+              rule: self.managementPolicy == 'ObserveOnly' || has(self.forProvider.version)
           status:
             description: SamplingRuleStatus defines the observed state of SamplingRule.
             properties:
@@ -307,9 +337,50 @@ spec:
                   arn:
                     description: The ARN of the sampling rule.
                     type: string
+                  attributes:
+                    additionalProperties:
+                      type: string
+                    description: Matches attributes derived from the request.
+                    type: object
+                  fixedRate:
+                    description: The percentage of matching requests to instrument,
+                      after the reservoir is exhausted.
+                    type: number
+                  host:
+                    description: Matches the hostname from a request URL.
+                    type: string
+                  httpMethod:
+                    description: Matches the HTTP method of a request.
+                    type: string
                   id:
                     description: The name of the sampling rule.
                     type: string
+                  priority:
+                    description: The priority of the sampling rule.
+                    type: number
+                  reservoirSize:
+                    description: A fixed number of matching requests to instrument
+                      per second, prior to applying the fixed rate. The reservoir
+                      is not used directly by services, but applies to all services
+                      using the rule collectively.
+                    type: number
+                  resourceArn:
+                    description: Matches the ARN of the AWS resource on which the
+                      service runs.
+                    type: string
+                  serviceName:
+                    description: Matches the name that the service uses to identify
+                      itself in segments.
+                    type: string
+                  serviceType:
+                    description: Matches the origin that the service uses to identify
+                      its type in segments.
+                    type: string
+                  tags:
+                    additionalProperties:
+                      type: string
+                    description: Key-value map of resource tags.
+                    type: object
                   tagsAll:
                     additionalProperties:
                       type: string
@@ -317,6 +388,12 @@ spec:
                       those inherited from the provider default_tags configuration
                       block.
                     type: object
+                  urlPath:
+                    description: Matches the path from a request URL.
+                    type: string
+                  version:
+                    description: The version of the sampling rule format (1 )
+                    type: number
                 type: object
               conditions:
                 description: Conditions of the resource.